From 4b5a7d721d994a49057e9bfb403c7bff1b376660 Mon Sep 17 00:00:00 2001 From: Instrumental Date: Fri, 7 Sep 2018 12:21:34 -0500 Subject: Mass removal of all Tabs (Style Warnings) Issue-ID: AAF-473 Change-Id: Iaf0ef8120882937959bb0065f2f6ba74a021940f 
Signed-off-by: Instrumental --- cadi/core/src/main/java/org/onap/aaf/cadi/AES.java | 146 +- .../main/java/org/onap/aaf/cadi/AbsUserCache.java | 798 +++++------ .../src/main/java/org/onap/aaf/cadi/Access.java | 280 ++-- .../src/main/java/org/onap/aaf/cadi/BasicCred.java | 6 +- .../onap/aaf/cadi/BufferedServletInputStream.java | 298 ++-- .../java/org/onap/aaf/cadi/CachedPrincipal.java | 28 +- .../main/java/org/onap/aaf/cadi/CachingLur.java | 8 +- .../main/java/org/onap/aaf/cadi/CadiException.java | 32 +- .../src/main/java/org/onap/aaf/cadi/CadiWrap.java | 292 ++-- .../src/main/java/org/onap/aaf/cadi/Capacitor.java | 398 +++--- .../src/main/java/org/onap/aaf/cadi/CmdLine.java | 608 ++++---- .../src/main/java/org/onap/aaf/cadi/Connector.java | 2 +- .../src/main/java/org/onap/aaf/cadi/CredVal.java | 16 +- .../main/java/org/onap/aaf/cadi/CredValDomain.java | 2 +- .../src/main/java/org/onap/aaf/cadi/GetCred.java | 2 +- .../core/src/main/java/org/onap/aaf/cadi/Hash.java | 420 +++--- .../src/main/java/org/onap/aaf/cadi/Locator.java | 20 +- .../java/org/onap/aaf/cadi/LocatorException.java | 32 +- cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java | 94 +- .../main/java/org/onap/aaf/cadi/Permission.java | 6 +- .../main/java/org/onap/aaf/cadi/PropAccess.java | 682 ++++----- .../main/java/org/onap/aaf/cadi/Revalidator.java | 14 +- .../java/org/onap/aaf/cadi/SecuritySetter.java | 20 +- .../org/onap/aaf/cadi/ServletContextAccess.java | 62 +- .../core/src/main/java/org/onap/aaf/cadi/Symm.java | 1222 ++++++++-------- cadi/core/src/main/java/org/onap/aaf/cadi/Taf.java | 36 +- .../main/java/org/onap/aaf/cadi/Transmutate.java | 14 +- .../main/java/org/onap/aaf/cadi/TrustChecker.java | 30 +- .../core/src/main/java/org/onap/aaf/cadi/User.java | 274 ++-- .../src/main/java/org/onap/aaf/cadi/UserChain.java | 4 +- .../main/java/org/onap/aaf/cadi/config/Config.java | 1456 ++++++++++---------- .../main/java/org/onap/aaf/cadi/config/Get.java | 128 +- 
.../java/org/onap/aaf/cadi/config/GetAccess.java | 58 +- .../org/onap/aaf/cadi/config/SecurityInfo.java | 406 +++--- .../org/onap/aaf/cadi/config/SecurityInfoC.java | 108 +- .../org/onap/aaf/cadi/config/SecurityInfoInit.java | 2 +- .../java/org/onap/aaf/cadi/config/UsersDump.java | 236 ++-- .../main/java/org/onap/aaf/cadi/filter/AUTHZ.java | 2 +- .../org/onap/aaf/cadi/filter/AUTHZServlet.java | 102 +- .../org/onap/aaf/cadi/filter/AccessGetter.java | 14 +- .../java/org/onap/aaf/cadi/filter/CadiFilter.java | 526 +++---- .../org/onap/aaf/cadi/filter/CadiHTTPManip.java | 296 ++-- .../main/java/org/onap/aaf/cadi/filter/FCGet.java | 76 +- .../org/onap/aaf/cadi/filter/MapPermConverter.java | 44 +- .../onap/aaf/cadi/filter/NullPermConverter.java | 12 +- .../java/org/onap/aaf/cadi/filter/PathFilter.java | 256 ++-- .../org/onap/aaf/cadi/filter/PermConverter.java | 2 +- .../org/onap/aaf/cadi/filter/RolesAllowed.java | 12 +- .../java/org/onap/aaf/cadi/filter/ServletImpl.java | 12 +- .../org/onap/aaf/cadi/lur/ConfigPrincipal.java | 68 +- .../main/java/org/onap/aaf/cadi/lur/EpiLur.java | 222 +-- .../main/java/org/onap/aaf/cadi/lur/LocalLur.java | 344 ++--- .../org/onap/aaf/cadi/lur/LocalPermission.java | 40 +- .../main/java/org/onap/aaf/cadi/lur/NullLur.java | 94 +- .../onap/aaf/cadi/principal/BasicPrincipal.java | 180 +-- .../onap/aaf/cadi/principal/BearerPrincipal.java | 16 +- .../aaf/cadi/principal/CachedBasicPrincipal.java | 48 +- .../java/org/onap/aaf/cadi/principal/Kind.java | 52 +- .../aaf/cadi/principal/OAuth2FormPrincipal.java | 68 +- .../onap/aaf/cadi/principal/StringTagLookup.java | 16 +- .../onap/aaf/cadi/principal/TaggedPrincipal.java | 60 +- .../onap/aaf/cadi/principal/TrustPrincipal.java | 78 +- .../onap/aaf/cadi/principal/UnAuthPrincipal.java | 18 +- .../org/onap/aaf/cadi/principal/X509Principal.java | 140 +- .../java/org/onap/aaf/cadi/taf/AbsTafResp.java | 176 +-- .../main/java/org/onap/aaf/cadi/taf/EpiTaf.java | 84 +- 
.../java/org/onap/aaf/cadi/taf/HttpEpiTaf.java | 328 ++--- .../main/java/org/onap/aaf/cadi/taf/HttpTaf.java | 38 +- .../org/onap/aaf/cadi/taf/LoginPageTafResp.java | 116 +- .../main/java/org/onap/aaf/cadi/taf/NullTaf.java | 42 +- .../java/org/onap/aaf/cadi/taf/NullTafResp.java | 94 +- .../java/org/onap/aaf/cadi/taf/PuntTafResp.java | 90 +- .../java/org/onap/aaf/cadi/taf/Redirectable.java | 12 +- .../main/java/org/onap/aaf/cadi/taf/TafResp.java | 140 +- .../org/onap/aaf/cadi/taf/TrustNotTafResp.java | 110 +- .../java/org/onap/aaf/cadi/taf/TrustTafResp.java | 112 +- .../org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java | 262 ++-- .../onap/aaf/cadi/taf/basic/BasicHttpTafResp.java | 54 +- .../org/onap/aaf/cadi/taf/cert/CertIdentity.java | 28 +- .../onap/aaf/cadi/taf/cert/X509HttpTafResp.java | 40 +- .../java/org/onap/aaf/cadi/taf/cert/X509Taf.java | 418 +++--- .../onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java | 616 ++++----- .../aaf/cadi/taf/dos/DenialOfServiceTafResp.java | 48 +- .../main/java/org/onap/aaf/cadi/util/Chmod.java | 64 +- .../src/main/java/org/onap/aaf/cadi/util/FQI.java | 48 +- .../org/onap/aaf/cadi/util/JsonOutputStream.java | 112 +- .../onap/aaf/cadi/util/MaskFormatException.java | 6 +- .../java/org/onap/aaf/cadi/util/MyConsole.java | 6 +- .../main/java/org/onap/aaf/cadi/util/NetMask.java | 128 +- .../src/main/java/org/onap/aaf/cadi/util/Pool.java | 582 ++++---- .../main/java/org/onap/aaf/cadi/util/Split.java | 144 +- .../org/onap/aaf/cadi/util/SubStandardConsole.java | 72 +- .../java/org/onap/aaf/cadi/util/TheConsole.java | 40 +- .../main/java/org/onap/aaf/cadi/util/Timing.java | 6 +- .../org/onap/aaf/cadi/util/UserChainManip.java | 100 +- .../src/main/java/org/onap/aaf/cadi/util/Vars.java | 182 +-- .../main/java/org/onap/aaf/cadi/wsse/Action.java | 2 +- .../main/java/org/onap/aaf/cadi/wsse/Match.java | 160 +-- .../java/org/onap/aaf/cadi/wsse/WSSEParser.java | 74 +- .../main/java/org/onap/aaf/cadi/wsse/XEvent.java | 174 +-- 
.../main/java/org/onap/aaf/cadi/wsse/XReader.java | 732 +++++----- 101 files changed, 8239 insertions(+), 8239 deletions(-) (limited to 'cadi/core/src/main')
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/AES.java b/cadi/core/src/main/java/org/onap/aaf/cadi/AES.java
index 3ef3355a..142dde26 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/AES.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/AES.java
@@ -52,80 +52,80 @@ import org.onap.aaf.cadi.util.Chmod;
 *
 */
 public class AES implements Encryption {
- public static final String AES = AES.class.getSimpleName();
- public static final int AES_KEY_SIZE = 128; // 256 isn't supported on all JDKs.
-
- private SecretKeySpec aeskeySpec;
+ public static final String AES = AES.class.getSimpleName();
+ public static final int AES_KEY_SIZE = 128; // 256 isn't supported on all JDKs.
+
+ private SecretKeySpec aeskeySpec;
- public static SecretKey newKey() throws NoSuchAlgorithmException {
- KeyGenerator kgen = KeyGenerator.getInstance(AES);
- kgen.init(AES_KEY_SIZE);
- return kgen.generateKey();
- }
+ public static SecretKey newKey() throws NoSuchAlgorithmException {
+ KeyGenerator kgen = KeyGenerator.getInstance(AES);
+ kgen.init(AES_KEY_SIZE);
+ return kgen.generateKey();
+ }
- public AES(byte[] aeskey, int offset, int len) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
- aeskeySpec = new SecretKeySpec(aeskey,offset,len,AES);
- }
-
- public byte[] encrypt(byte[] in) throws CadiException {
- try {
- Cipher c = Cipher.getInstance(AES);
- c.init(Cipher.ENCRYPT_MODE,aeskeySpec);
- return c.doFinal(in);
- } catch (InvalidKeyException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchPaddingException e) {
- throw new CadiException(e);
- }
- }
-
- public byte[] decrypt(byte[] in) throws CadiException {
- try {
- Cipher c = Cipher.getInstance(AES);
- c.init(Cipher.DECRYPT_MODE,aeskeySpec);
- return c.doFinal(in);
- } catch (InvalidKeyException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchPaddingException e) {
- throw new CadiException(e);
- }
- }
-
- public void save(File keyfile) throws IOException {
- FileOutputStream fis = new FileOutputStream(keyfile);
- try {
- fis.write(aeskeySpec.getEncoded());
- } finally {
- fis.close();
- }
- Chmod.to400.chmod(keyfile);
- }
+ public AES(byte[] aeskey, int offset, int len) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
+ aeskeySpec = new SecretKeySpec(aeskey,offset,len,AES);
+ }
+
+ public byte[] encrypt(byte[] in) throws CadiException {
+ try {
+ Cipher c = Cipher.getInstance(AES);
+ c.init(Cipher.ENCRYPT_MODE,aeskeySpec);
+ return c.doFinal(in);
+ } catch (InvalidKeyException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchPaddingException e) {
+ throw new CadiException(e);
+ }
+ }
+
+ public byte[] decrypt(byte[] in) throws CadiException {
+ try {
+ Cipher c = Cipher.getInstance(AES);
+ c.init(Cipher.DECRYPT_MODE,aeskeySpec);
+ return c.doFinal(in);
+ } catch (InvalidKeyException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchPaddingException e) {
+ throw new CadiException(e);
+ }
+ }
+
+ public void save(File keyfile) throws IOException {
+ FileOutputStream fis = new FileOutputStream(keyfile);
+ try {
+ fis.write(aeskeySpec.getEncoded());
+ } finally {
+ fis.close();
+ }
+ Chmod.to400.chmod(keyfile);
+ }
- public CipherOutputStream outputStream(OutputStream os, boolean encrypt) {
- try {
- Cipher c = Cipher.getInstance(AES);
- if(encrypt) {
- c.init(Cipher.ENCRYPT_MODE,aeskeySpec);
- } else {
- c.init(Cipher.DECRYPT_MODE,aeskeySpec);
- }
- return new CipherOutputStream(os,c);
- } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
- // Cannot add Exception to this API. throw Runtime
- System.err.println("Error creating Aes CipherOutputStream");
- return null; // should never get here.
- }
- }
-
- public CipherInputStream inputStream(InputStream is, boolean encrypt) {
- try {
- Cipher c = Cipher.getInstance(AES);
- if(encrypt) {
- c.init(Cipher.ENCRYPT_MODE,aeskeySpec);
- } else {
- c.init(Cipher.DECRYPT_MODE,aeskeySpec);
- }
- return new CipherInputStream(is,c);
- } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
- // Cannot add Exception to this API. throw Runtime
- System.err.println("Error creating Aes CipherInputStream");
- return null; // should never get here.
- }
- }
+ public CipherOutputStream outputStream(OutputStream os, boolean encrypt) {
+ try {
+ Cipher c = Cipher.getInstance(AES);
+ if(encrypt) {
+ c.init(Cipher.ENCRYPT_MODE,aeskeySpec);
+ } else {
+ c.init(Cipher.DECRYPT_MODE,aeskeySpec);
+ }
+ return new CipherOutputStream(os,c);
+ } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
+ // Cannot add Exception to this API. throw Runtime
+ System.err.println("Error creating Aes CipherOutputStream");
+ return null; // should never get here.
+ }
+ }
+
+ public CipherInputStream inputStream(InputStream is, boolean encrypt) {
+ try {
+ Cipher c = Cipher.getInstance(AES);
+ if(encrypt) {
+ c.init(Cipher.ENCRYPT_MODE,aeskeySpec);
+ } else {
+ c.init(Cipher.DECRYPT_MODE,aeskeySpec);
+ }
+ return new CipherInputStream(is,c);
+ } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
+ // Cannot add Exception to this API. throw Runtime
+ System.err.println("Error creating Aes CipherInputStream");
+ return null; // should never get here.
+ }
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java b/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java
index 39631894..d9d4474d 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java
@@ -48,420 +48,420 @@ import org.onap.aaf.cadi.principal.CachedBasicPrincipal; * */ public abstract class AbsUserCache { - // Need an obvious key for when there is no Authentication Cred - private static final String NO_CRED = "NoCred"; - static final int MIN_INTERVAL = 1000*60; // Min 1 min - static final int MAX_INTERVAL = 1000*60*60*4; // 4 hour max - private static Timer timer; - // Map of userName to User - private final Map> userMap; - private static final Map missMap = new TreeMap<>(); - private final Symm missEncrypt; - - private Clean clean; - protected Access access; - - protected AbsUserCache(Access access, long cleanInterval, int highCount, int usageCount) { - this.access = access; - Symm s; - try { - byte[] gennedKey = Symm.keygen(); - s = Symm.obtain(new ByteArrayInputStream(gennedKey)); - } catch (IOException e) { - access.log(e); - s = Symm.base64noSplit; - } - missEncrypt = s; - - userMap = new ConcurrentHashMap<>(); + // Need an obvious key for when there is no Authentication Cred + private static final String NO_CRED = "NoCred"; + static final int MIN_INTERVAL = 1000*60; // Min 1 min + static final int MAX_INTERVAL = 1000*60*60*4; // 4 hour max + private static Timer timer; + // Map of userName to User + private final Map> userMap; + private static final Map missMap = new TreeMap<>(); + private final Symm missEncrypt; + + private Clean clean; + protected Access access; + + protected AbsUserCache(Access access, long cleanInterval, int highCount, int usageCount) { + this.access = access; + Symm s; + try { + byte[] gennedKey = Symm.keygen(); + s = Symm.obtain(new ByteArrayInputStream(gennedKey)); + } catch (IOException e) { + access.log(e); + s = Symm.base64noSplit; + } + missEncrypt = s; + + userMap = new ConcurrentHashMap<>(); - - if(cleanInterval>0) { - cleanInterval = Math.max(MIN_INTERVAL, cleanInterval); - synchronized(AbsUserCache.class) { // Lazy instantiate.. 
in case there is no cleanup needed - if(timer==null) { - timer = new Timer("CADI Cleanup Timer",true); - } - - timer.schedule(clean = new Clean(access, cleanInterval, highCount, usageCount), cleanInterval, cleanInterval); - access.log(Access.Level.INIT, "Cleaning Thread initialized with interval of",cleanInterval, "ms and max objects of", highCount); - } - } - } - - @SuppressWarnings("unchecked") - public AbsUserCache(AbsUserCache cache) { - this.access = cache.access; - userMap = cache.userMap; - missEncrypt = cache.missEncrypt; - - synchronized(AbsUserCache.class) { - if(cache.clean!=null && cache.clean.lur==null && this instanceof CachingLur) { - cache.clean.lur=(CachingLur)this; - } - } - } + + if(cleanInterval>0) { + cleanInterval = Math.max(MIN_INTERVAL, cleanInterval); + synchronized(AbsUserCache.class) { // Lazy instantiate.. in case there is no cleanup needed + if(timer==null) { + timer = new Timer("CADI Cleanup Timer",true); + } + + timer.schedule(clean = new Clean(access, cleanInterval, highCount, usageCount), cleanInterval, cleanInterval); + access.log(Access.Level.INIT, "Cleaning Thread initialized with interval of",cleanInterval, "ms and max objects of", highCount); + } + } + } + + @SuppressWarnings("unchecked") + public AbsUserCache(AbsUserCache cache) { + this.access = cache.access; + userMap = cache.userMap; + missEncrypt = cache.missEncrypt; + + synchronized(AbsUserCache.class) { + if(cache.clean!=null && cache.clean.lur==null && this instanceof CachingLur) { + cache.clean.lur=(CachingLur)this; + } + } + } - protected void setLur(CachingLur lur) { - if(clean!=null)clean.lur = lur; - - } - - protected void addUser(User user) { - Principal p = user.principal; - String key; - try { - if(p instanceof GetCred) { - key = missKey(p.getName(), ((GetCred)p).getCred()); - } else { - byte[] cred; - if((cred=user.getCred())==null) { - key = user.name + NO_CRED; - } else { - key = missKey(user.name,cred); - } - } - } catch (IOException e) { - access.log(e); - 
return; - } - userMap.put(key, user); - } + protected void setLur(CachingLur lur) { + if(clean!=null)clean.lur = lur; + + } + + protected void addUser(User user) { + Principal p = user.principal; + String key; + try { + if(p instanceof GetCred) { + key = missKey(p.getName(), ((GetCred)p).getCred()); + } else { + byte[] cred; + if((cred=user.getCred())==null) { + key = user.name + NO_CRED; + } else { + key = missKey(user.name,cred); + } + } + } catch (IOException e) { + access.log(e); + return; + } + userMap.put(key, user); + } - // Useful for looking up by WebToken, etc. - protected void addUser(String key, User user) { - userMap.put(key, user); - } - - /** - * Add miss to missMap. If Miss exists, or too many tries, returns false. - * - * otherwise, returns true to allow another attempt. - * - * @param key - * @param bs - * @return - * @throws IOException - */ - protected synchronized boolean addMiss(String key, byte[] bs) { - String mkey; - try { - mkey = missKey(key,bs); - } catch (IOException e) { - access.log(e); - return false; - } - Miss miss = missMap.get(mkey); - if(miss==null) { - missMap.put(mkey, new Miss(bs,clean==null?MIN_INTERVAL:clean.timeInterval,key)); - return true; - } - return miss.mayContinue(); - } + // Useful for looking up by WebToken, etc. + protected void addUser(String key, User user) { + userMap.put(key, user); + } + + /** + * Add miss to missMap. If Miss exists, or too many tries, returns false. + * + * otherwise, returns true to allow another attempt. 
+ * + * @param key + * @param bs + * @return + * @throws IOException + */ + protected synchronized boolean addMiss(String key, byte[] bs) { + String mkey; + try { + mkey = missKey(key,bs); + } catch (IOException e) { + access.log(e); + return false; + } + Miss miss = missMap.get(mkey); + if(miss==null) { + missMap.put(mkey, new Miss(bs,clean==null?MIN_INTERVAL:clean.timeInterval,key)); + return true; + } + return miss.mayContinue(); + } - protected Miss missed(String key, byte[] bs) throws IOException { - return missMap.get(missKey(key,bs)); - } + protected Miss missed(String key, byte[] bs) throws IOException { + return missMap.get(missKey(key,bs)); + } - protected User getUser(Principal principal) { - String key; - if(principal instanceof GetCred) { - GetCred gc = (GetCred)principal; - try { - key = missKey(principal.getName(), gc.getCred()); - } catch (IOException e) { - access.log(e, "Error getting key from Principal"); - key = principal.getName(); - } - } else { - key = principal.getName()+NO_CRED; - } - User u = userMap.get(key); - if(u!=null) { - u.incCount(); - } - return u; - } - - protected User getUser(CachedBasicPrincipal cbp) { - return getUser(cbp.getName(), cbp.getCred()); - } - - protected User getUser(String user, byte[] cred) { - User u; - String key=null; - try { - key =missKey(user,cred); - } catch (IOException e) { - access.log(e); - return null; - } - u = userMap.get(key); - if(u!=null) { - if(u.permExpired()) { - userMap.remove(key); - u=null; - } else { - u.incCount(); - } - } - return u; - } - - /** - * Removes User from the Cache - * @param user - */ - protected void remove(User user) { - userMap.remove(user.principal.getName()); - } - - /** - * Removes user from the Cache - * - * @param user - */ - public void remove(String user) { - Object o = userMap.remove(user); - if(o!=null) { - access.log(Level.INFO, user,"removed from Client Cache by Request"); - } - } - - /** - * Clear all Users from the Client Cache - */ - public void clearAll() 
{ - userMap.clear(); - } - - public final List dumpInfo() { - List rv = new ArrayList<>(); - for(User user : userMap.values()) { - rv.add(new DumpInfo(user)); - } - return rv; - } + protected User getUser(Principal principal) { + String key; + if(principal instanceof GetCred) { + GetCred gc = (GetCred)principal; + try { + key = missKey(principal.getName(), gc.getCred()); + } catch (IOException e) { + access.log(e, "Error getting key from Principal"); + key = principal.getName(); + } + } else { + key = principal.getName()+NO_CRED; + } + User u = userMap.get(key); + if(u!=null) { + u.incCount(); + } + return u; + } + + protected User getUser(CachedBasicPrincipal cbp) { + return getUser(cbp.getName(), cbp.getCred()); + } + + protected User getUser(String user, byte[] cred) { + User u; + String key=null; + try { + key =missKey(user,cred); + } catch (IOException e) { + access.log(e); + return null; + } + u = userMap.get(key); + if(u!=null) { + if(u.permExpired()) { + userMap.remove(key); + u=null; + } else { + u.incCount(); + } + } + return u; + } + + /** + * Removes User from the Cache + * @param user + */ + protected void remove(User user) { + userMap.remove(user.principal.getName()); + } + + /** + * Removes user from the Cache + * + * @param user + */ + public void remove(String user) { + Object o = userMap.remove(user); + if(o!=null) { + access.log(Level.INFO, user,"removed from Client Cache by Request"); + } + } + + /** + * Clear all Users from the Client Cache + */ + public void clearAll() { + userMap.clear(); + } + + public final List dumpInfo() { + List rv = new ArrayList<>(); + for(User user : userMap.values()) { + rv.add(new DumpInfo(user)); + } + return rv; + } - /** - * The default behavior of a LUR is to not handle something exclusively. - */ - public boolean handlesExclusively(Permission ... pond) { - return false; - } - - /** - * Container calls when cleaning up... 
- * - * If overloading in Derived class, be sure to call "super.destroy()" - */ - public void destroy() { - if(timer!=null) { - timer.purge(); - timer.cancel(); - } - } - - + /** + * The default behavior of a LUR is to not handle something exclusively. + */ + public boolean handlesExclusively(Permission ... pond) { + return false; + } + + /** + * Container calls when cleaning up... + * + * If overloading in Derived class, be sure to call "super.destroy()" + */ + public void destroy() { + if(timer!=null) { + timer.purge(); + timer.cancel(); + } + } + + - // Simple map of Group name to a set of User Names - // private Map> groupMap = new HashMap<>(); + // Simple map of Group name to a set of User Names + // private Map> groupMap = new HashMap<>(); - /** - * Class to hold a small subset of the data, because we don't want to expose actual Permission or User Objects - */ - public final class DumpInfo { - public String user; - public List perms; - - public DumpInfo(User user) { - this.user = user.principal.getName(); - perms = new ArrayList<>(user.perms.keySet()); - } - } - - /** - * Clean will examine resources, and remove those that have expired. - * - * If "highs" have been exceeded, then we'll expire 10% more the next time. This will adjust after each run - * without checking contents more than once, making a good average "high" in the minimum speed. - * - * @author Jonathan - * - */ - private final class Clean extends TimerTask { - private final Access access; - private CachingLur lur; - - // The idea here is to not be too restrictive on a high, but to Expire more items by - // shortening the time to expire. This is done by judiciously incrementing "advance" - // when the "highs" are exceeded. This effectively reduces numbers of cached items quickly. 
- private final int high; - private long advance; - private final long timeInterval; - private final int usageTriggerCount; - - public Clean(Access access, long cleanInterval, int highCount, int usageTriggerCount) { - this.access = access; - lur = null; - high = highCount; - timeInterval = cleanInterval; - advance = 0; - this.usageTriggerCount=usageTriggerCount; - } - public void run() { - int renewed = 0; - int count = 0; - int total = 0; - try { - // look at now. If we need to expire more by increasing "now" by "advance" - ArrayList> al = new ArrayList<>(userMap.values().size()); - al.addAll(0, userMap.values()); - long now = System.currentTimeMillis() + advance; - for(User user : al) { - ++total; - if(user.count>usageTriggerCount) { - boolean touched = false, removed=false; - if(user.principal instanceof CachedPrincipal) { - CachedPrincipal cp = (CachedPrincipal)user.principal; - if(cp.expires() < now) { - switch(cp.revalidate(null)) { - case INACCESSIBLE: - access.log(Level.AUDIT, "AAF Inaccessible. 
Keeping credentials"); - break; - case REVALIDATED: - user.resetCount(); - touched = true; - break; - default: - user.resetCount(); - remove(user); - ++count; - removed = true; - break; - } - } - } - - if(!removed && lur!=null && user.permExpires<= now ) { - if(lur.reload(user).equals(Resp.REVALIDATED)) { - user.renewPerm(); - access.log(Level.DEBUG, "Reloaded Perms for",user); - touched = true; - } - } - user.resetCount(); - if(touched) { - ++renewed; - } - - } else { - if(user.permExpired()) { - remove(user); - ++count; - } - } - } - - // Clean out Misses - int missTotal = missMap.keySet().size(); - int miss = 0; - if(missTotal>0) { - ArrayList keys = new ArrayList<>(missTotal); - keys.addAll(missMap.keySet()); - for(String key : keys) { - Miss m = missMap.get(key); - if(m!=null) { - long timeLeft = m.timestamp - System.currentTimeMillis(); - if(timeLeft<0) { - synchronized(missMap) { - missMap.remove(key); - } - access.log(Level.INFO, m.name, " has been removed from Missed Credential Map (" + m.tries + " invalid tries)"); - ++miss; - } else { - access.log(Level.INFO, m.name, " remains in Missed Credential Map (" + m.tries + " invalid tries) for " + (timeLeft/1000) + " more seconds"); - } - } - } - } - - if(count+renewed+miss>0) { - access.log(Level.INFO, (lur==null?"Cache":lur.getClass().getSimpleName()), "removed",count, - "and renewed",renewed,"expired Permissions out of", total,"and removed", miss, "password misses out of",missTotal); - } - - // If High (total) is reached during this period, increase the number of expired services removed for next time. - // There's no point doing it again here, as there should have been cleaned items. - if(total>high) { - // advance cleanup by 10%, without getting greater than timeInterval. - advance = Math.min(timeInterval, advance+(timeInterval/10)); - } else { - // reduce advance by 10%, without getting lower than 0. 
- advance = Math.max(0, advance-(timeInterval/10)); - } - } catch (Exception e) { - access.log(Level.ERROR,e.getMessage()); - } - } - } + /** + * Class to hold a small subset of the data, because we don't want to expose actual Permission or User Objects + */ + public final class DumpInfo { + public String user; + public List perms; + + public DumpInfo(User user) { + this.user = user.principal.getName(); + perms = new ArrayList<>(user.perms.keySet()); + } + } + + /** + * Clean will examine resources, and remove those that have expired. + * + * If "highs" have been exceeded, then we'll expire 10% more the next time. This will adjust after each run + * without checking contents more than once, making a good average "high" in the minimum speed. + * + * @author Jonathan + * + */ + private final class Clean extends TimerTask { + private final Access access; + private CachingLur lur; + + // The idea here is to not be too restrictive on a high, but to Expire more items by + // shortening the time to expire. This is done by judiciously incrementing "advance" + // when the "highs" are exceeded. This effectively reduces numbers of cached items quickly. + private final int high; + private long advance; + private final long timeInterval; + private final int usageTriggerCount; + + public Clean(Access access, long cleanInterval, int highCount, int usageTriggerCount) { + this.access = access; + lur = null; + high = highCount; + timeInterval = cleanInterval; + advance = 0; + this.usageTriggerCount=usageTriggerCount; + } + public void run() { + int renewed = 0; + int count = 0; + int total = 0; + try { + // look at now. 
If we need to expire more by increasing "now" by "advance" + ArrayList> al = new ArrayList<>(userMap.values().size()); + al.addAll(0, userMap.values()); + long now = System.currentTimeMillis() + advance; + for(User user : al) { + ++total; + if(user.count>usageTriggerCount) { + boolean touched = false, removed=false; + if(user.principal instanceof CachedPrincipal) { + CachedPrincipal cp = (CachedPrincipal)user.principal; + if(cp.expires() < now) { + switch(cp.revalidate(null)) { + case INACCESSIBLE: + access.log(Level.AUDIT, "AAF Inaccessible. Keeping credentials"); + break; + case REVALIDATED: + user.resetCount(); + touched = true; + break; + default: + user.resetCount(); + remove(user); + ++count; + removed = true; + break; + } + } + } + + if(!removed && lur!=null && user.permExpires<= now ) { + if(lur.reload(user).equals(Resp.REVALIDATED)) { + user.renewPerm(); + access.log(Level.DEBUG, "Reloaded Perms for",user); + touched = true; + } + } + user.resetCount(); + if(touched) { + ++renewed; + } + + } else { + if(user.permExpired()) { + remove(user); + ++count; + } + } + } + + // Clean out Misses + int missTotal = missMap.keySet().size(); + int miss = 0; + if(missTotal>0) { + ArrayList keys = new ArrayList<>(missTotal); + keys.addAll(missMap.keySet()); + for(String key : keys) { + Miss m = missMap.get(key); + if(m!=null) { + long timeLeft = m.timestamp - System.currentTimeMillis(); + if(timeLeft<0) { + synchronized(missMap) { + missMap.remove(key); + } + access.log(Level.INFO, m.name, " has been removed from Missed Credential Map (" + m.tries + " invalid tries)"); + ++miss; + } else { + access.log(Level.INFO, m.name, " remains in Missed Credential Map (" + m.tries + " invalid tries) for " + (timeLeft/1000) + " more seconds"); + } + } + } + } + + if(count+renewed+miss>0) { + access.log(Level.INFO, (lur==null?"Cache":lur.getClass().getSimpleName()), "removed",count, + "and renewed",renewed,"expired Permissions out of", total,"and removed", miss, "password misses out 
of",missTotal); + } + + // If High (total) is reached during this period, increase the number of expired services removed for next time. + // There's no point doing it again here, as there should have been cleaned items. + if(total>high) { + // advance cleanup by 10%, without getting greater than timeInterval. + advance = Math.min(timeInterval, advance+(timeInterval/10)); + } else { + // reduce advance by 10%, without getting lower than 0. + advance = Math.max(0, advance-(timeInterval/10)); + } + } catch (Exception e) { + access.log(Level.ERROR,e.getMessage()); + } + } + } - private String missKey(String name, byte[] bs) throws IOException { - return name + Hash.toHex(missEncrypt.encode(bs)); - } + private String missKey(String name, byte[] bs) throws IOException { + return name + Hash.toHex(missEncrypt.encode(bs)); + } - protected static class Miss { - private static final int MAX_TRIES = 3; + protected static class Miss { + private static final int MAX_TRIES = 3; - long timestamp; + long timestamp; - private long timetolive; + private long timetolive; - private long tries; + private long tries; - private final String name; - - public Miss(final byte[] first, final long timeInterval, final String name) { - timestamp = System.currentTimeMillis() + timeInterval; - this.timetolive = timeInterval; - tries = 0L; - this.name = name; - } - - - public synchronized boolean mayContinue() { - long ts = System.currentTimeMillis(); - if(ts>timestamp) { - tries = 0; - timestamp = ts + timetolive; - } else if(MAX_TRIES <= ++tries) { - return false; - } - return true; - } - - } - - /** - * Report on state - */ - public String toString() { - return getClass().getSimpleName() + - " Cache:\n Users Cached: " + - userMap.size() + - "\n Misses Saved: " + - missMap.size() + - '\n'; - - } + private final String name; + + public Miss(final byte[] first, final long timeInterval, final String name) { + timestamp = System.currentTimeMillis() + timeInterval; + this.timetolive = timeInterval; 
+ tries = 0L; + this.name = name; + } + + + public synchronized boolean mayContinue() { + long ts = System.currentTimeMillis(); + if(ts>timestamp) { + tries = 0; + timestamp = ts + timetolive; + } else if(MAX_TRIES <= ++tries) { + return false; + } + return true; + } + + } + + /** + * Report on state + */ + public String toString() { + return getClass().getSimpleName() + + " Cache:\n Users Cached: " + + userMap.size() + + "\n Misses Saved: " + + missMap.size() + + '\n'; + + } - public void clear(Principal p, StringBuilder sb) { - sb.append(toString()); - userMap.clear(); - missMap.clear(); - access.log(Level.AUDIT, p.getName(),"has cleared User Cache in",getClass().getSimpleName()); - sb.append("Now cleared\n"); - } + public void clear(Principal p, StringBuilder sb) { + sb.append(toString()); + userMap.clear(); + missMap.clear(); + access.log(Level.AUDIT, p.getName(),"has cleared User Cache in",getClass().getSimpleName()); + sb.append("Now cleared\n"); + } } \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Access.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Access.java index 83127238..76d9bb2a 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/Access.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Access.java 
@@ -35,146 +35,146 @@ import java.util.Properties; * */ public interface Access { - // levels to use - public enum Level { - DEBUG(0x1), INFO(0x10), AUDIT(0x100), WARN(0x2000), ERROR(0x4000), INIT(0x8000),TRACE(0x10000),NONE(0XFFFF); - private final int bit; - - Level(int ord) { - bit = ord; - } - - public boolean inMask(int mask) { - return (mask & bit) == bit; - } - - public int addToMask(int mask) { - return mask | bit; - } - - public int delFromMask(int mask) { - return mask & ~bit; - } - - public int toggle(int mask) { - if(inMask(mask)) { - return delFromMask(mask); - } else { - return addToMask(mask); - } - } - - - public int maskOf() { - int mask=0; - for(Level l : values()) { - if(ordinal()<=l.ordinal() && l!=NONE) { - mask|=l.bit; - } - } - return mask; - } - } - - /** - * Write a variable list of Object's text via the toString() method with appropriate space, etc. - * @param elements - */ - public void log(Level level, Object ... elements); - - /** - * Printf mechanism for Access - * @param level - * @param fmt - * @param elements - */ - public void printf(Level level, String fmt, Object ... elements); - - /** - * Check if message will log before constructing - * @param level - * @return - */ - public boolean willLog(Level level); - - /** - * Write the contents of an exception, followed by a variable list of Object's text via the - * toString() method with appropriate space, etc. - * - * The Loglevel is always "ERROR" - * - * @param elements - */ - public void log(Exception e, Object ... elements); - - /** - * Set the Level to compare logging too - */ - public void setLogLevel(Level level); - - /** - * It is important in some cases to create a class from within the same Classloader that created - * Security Objects. Specifically, it's pretty typical for Web Containers to separate classloaders - * so as to allow Apps with different dependencies. 
- * @return - */ - public ClassLoader classLoader(); - - public String getProperty(String string, String def); - - public Properties getProperties(); - - public void load(InputStream is) throws IOException; - - /** - * if "anytext" is true, then decryption will always be attempted. Otherwise, only if starts with - * Symm.ENC - * @param encrypted - * @param anytext - * @return - * @throws IOException - */ - public String decrypt(String encrypted, boolean anytext) throws IOException; - - public static final Access NULL = new Access() { - public void log(Level level, Object... elements) { - } - - @Override - public void printf(Level level, String fmt, Object... elements) { - } - - public void log(Exception e, Object... elements) { - } - - public ClassLoader classLoader() { - return ClassLoader.getSystemClassLoader(); - } - - public String getProperty(String string, String def) { - return null; - } - - public void load(InputStream is) throws IOException { - } - - public void setLogLevel(Level level) { - } - - public String decrypt(String encrypted, boolean anytext) throws IOException { - return encrypted; - } - - @Override - public boolean willLog(Level level) { - return false; - } - - @Override - public Properties getProperties() { - return new Properties(); - } - }; + // levels to use + public enum Level { + DEBUG(0x1), INFO(0x10), AUDIT(0x100), WARN(0x2000), ERROR(0x4000), INIT(0x8000),TRACE(0x10000),NONE(0XFFFF); + private final int bit; + + Level(int ord) { + bit = ord; + } + + public boolean inMask(int mask) { + return (mask & bit) == bit; + } + + public int addToMask(int mask) { + return mask | bit; + } + + public int delFromMask(int mask) { + return mask & ~bit; + } + + public int toggle(int mask) { + if(inMask(mask)) { + return delFromMask(mask); + } else { + return addToMask(mask); + } + } + + + public int maskOf() { + int mask=0; + for(Level l : values()) { + if(ordinal()<=l.ordinal() && l!=NONE) { + mask|=l.bit; + } + } + return mask; + } + } + + /** + * 
Write a variable list of Object's text via the toString() method with appropriate space, etc. + * @param elements + */ + public void log(Level level, Object ... elements); + + /** + * Printf mechanism for Access + * @param level + * @param fmt + * @param elements + */ + public void printf(Level level, String fmt, Object ... elements); + + /** + * Check if message will log before constructing + * @param level + * @return + */ + public boolean willLog(Level level); + + /** + * Write the contents of an exception, followed by a variable list of Object's text via the + * toString() method with appropriate space, etc. + * + * The Loglevel is always "ERROR" + * + * @param elements + */ + public void log(Exception e, Object ... elements); + + /** + * Set the Level to compare logging too + */ + public void setLogLevel(Level level); + + /** + * It is important in some cases to create a class from within the same Classloader that created + * Security Objects. Specifically, it's pretty typical for Web Containers to separate classloaders + * so as to allow Apps with different dependencies. + * @return + */ + public ClassLoader classLoader(); + + public String getProperty(String string, String def); + + public Properties getProperties(); + + public void load(InputStream is) throws IOException; + + /** + * if "anytext" is true, then decryption will always be attempted. Otherwise, only if starts with + * Symm.ENC + * @param encrypted + * @param anytext + * @return + * @throws IOException + */ + public String decrypt(String encrypted, boolean anytext) throws IOException; + + public static final Access NULL = new Access() { + public void log(Level level, Object... elements) { + } + + @Override + public void printf(Level level, String fmt, Object... elements) { + } + + public void log(Exception e, Object... 
elements) {
+ }
+
+ public ClassLoader classLoader() {
+ return ClassLoader.getSystemClassLoader();
+ }
+
+ public String getProperty(String string, String def) {
+ return null;
+ }
+
+ public void load(InputStream is) throws IOException {
+ }
+
+ public void setLogLevel(Level level) {
+ }
+
+ public String decrypt(String encrypted, boolean anytext) throws IOException {
+ return encrypted;
+ }
+
+ @Override
+ public boolean willLog(Level level) {
+ return false;
+ }
+
+ @Override
+ public Properties getProperties() {
+ return new Properties();
+ }
+ };
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/BasicCred.java b/cadi/core/src/main/java/org/onap/aaf/cadi/BasicCred.java
index b80cda89..ebb41aba 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/BasicCred.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/BasicCred.java
@@ -30,7 +30,7 @@ package org.onap.aaf.cadi;
 *
 */
 public interface BasicCred extends GetCred {
- public void setUser(String user);
- public void setCred(byte[] passwd);
- public String getUser();
+ public void setUser(String user);
+ public void setCred(byte[] passwd);
+ public String getUser();
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java b/cadi/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java
index 2df01cda..3f47351b 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java
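Review bot: The `NULL` implementation's `getProperty(String string, String def)` returns `null` and ignores `def`, so any caller that relies on the default to avoid null handling gets null back from the null-object; if that is not deliberate, `return def;` honors the contract the parameter name implies. The interface declares `getProperty`, `getProperties` and `load` without Javadoc, so nothing states whether `def` is returned when the key is absent; adding `@return the property value, or {@code def} when the key is not set` would make the expected behavior checkable. In the same anonymous class `log(Level, Object...)`, `log(Exception, Object...)`, `classLoader`, `getProperty`, `load`, `setLogLevel` and `decrypt` lack `@Override` while `printf`, `willLog` and `getProperties` carry it; applying it consistently lets the compiler catch signature drift between the interface and its null object.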
@@ -47,154 +47,154 @@ import javax.servlet.ServletInputStream; * */ public class BufferedServletInputStream extends ServletInputStream { - private static final int NONE = 0; - private static final int STORE = 1; - private static final int READ = 2; - - private InputStream is; - private int state = NONE; - private Capacitor capacitor; - - public BufferedServletInputStream(InputStream is) { - this.is = is; - capacitor = null; - } - - - public int read() throws IOException { - int value=-1; - if(capacitor==null) { - value=is.read(); - } else { - switch(state) { - case STORE: - value = is.read(); - if(value>=0) { - capacitor.put((byte)value); - } - break; - case READ: - value = capacitor.read(); - if(value<0) { - capacitor.done(); - capacitor=null; // all done with buffer - value = is.read(); - } - } - } - return value; - } - - public int read(byte[] b) throws IOException { - return read(b,0,b.length); - } - - - public int read(byte[] b, int off, int len) throws IOException { - int count = -1; - if(capacitor==null) { - count = is.read(b,off,len); - } else { - switch(state) { - case STORE: - count = is.read(b, off, len); - if(count>0) { - capacitor.put(b, off, count); - } - break; - case READ: - count = capacitor.read(b, off, len); - if(count<=0) { - capacitor.done(); - capacitor=null; // all done with buffer - } - if(count0) { // watch for -1 - count+=temp; - } else if(count<=0) { + private static final int NONE = 0; + private static final int STORE = 1; + private static final int READ = 2; + + private InputStream is; + private int state = NONE; + private Capacitor capacitor; + + public BufferedServletInputStream(InputStream is) { + this.is = is; + capacitor = null; + } + + + public int read() throws IOException { + int value=-1; + if(capacitor==null) { + value=is.read(); + } else { + switch(state) { + case STORE: + value = is.read(); + if(value>=0) { + capacitor.put((byte)value); + } + break; + case READ: + value = capacitor.read(); + if(value<0) { + capacitor.done(); 
+ capacitor=null; // all done with buffer + value = is.read(); + } + } + } + return value; + } + + public int read(byte[] b) throws IOException { + return read(b,0,b.length); + } + + + public int read(byte[] b, int off, int len) throws IOException { + int count = -1; + if(capacitor==null) { + count = is.read(b,off,len); + } else { + switch(state) { + case STORE: + count = is.read(b, off, len); + if(count>0) { + capacitor.put(b, off, count); + } + break; + case READ: + count = capacitor.read(b, off, len); + if(count<=0) { + capacitor.done(); + capacitor=null; // all done with buffer + } + if(count0) { // watch for -1 + count+=temp; + } else if(count<=0) { count = temp; // must account for Stream coming back -1 - } - } - break; - } - } - return count; - } - - public long skip(long n) throws IOException { - long skipped = capacitor.skip(n); - if(skipped extends Lur { - public abstract void remove(String user); - public abstract Resp reload(User user); - public abstract void setDebug(String commaDelimIDsOrNull); - public abstract void clear(Principal p, StringBuilder sb); + public abstract void remove(String user); + public abstract Resp reload(User user); + public abstract void setDebug(String commaDelimIDsOrNull); + public abstract void clear(Principal p, StringBuilder sb); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiException.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiException.java index 0f250b36..96a55f93 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiException.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiException.java 
@@ -26,25 +26,25 @@ package org.onap.aaf.cadi;
 * @author Jonathan
 */
 public class CadiException extends Exception {
- /**
- * Generated ID
- */
- private static final long serialVersionUID = -4180145363107742619L;
+ /**
+ * Generated ID
+ */
+ private static final long serialVersionUID = -4180145363107742619L;
- public CadiException() {
- super();
- }
+ public CadiException() {
+ super();
+ }
- public CadiException(String message) {
- super(message);
- }
+ public CadiException(String message) {
+ super(message);
+ }
- public CadiException(Throwable cause) {
- super(cause);
- }
+ public CadiException(Throwable cause) {
+ super(cause);
+ }
- public CadiException(String message, Throwable cause) {
- super(message, cause);
- }
+ public CadiException(String message, Throwable cause) {
+ super(message, cause);
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
index 6f4d5cc7..647cd8a6 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
@@ -51,150 +51,150 @@ import org.onap.aaf.cadi.util.Timing; * */ public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred { - private TaggedPrincipal principal; - private Lur lur; - private String user; // used to set user/pass from brain-dead protocols like WSSE - private byte[] password; - private PermConverter pconv; - private Access access; - - /** - * Standard Wrapper constructor for Delegate pattern - * @param request - */ - public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) { - super(request); - principal = tafResp.getPrincipal(); - access = tafResp.getAccess(); - this.lur = lur; - pconv = NullPermConverter.singleton(); - } - - /** - * Standard Wrapper constructor for Delegate pattern, with PermConverter - * @param request - */ - public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) { - super(request); - principal = tafResp.getPrincipal(); - access = tafResp.getAccess(); - this.lur = lur; - pconv = pc; - } - - - /** - * Part of the HTTP Security API. Declare the User associated with this HTTP Transaction. - * CADI does this by reporting the name associated with the Principal obtained, if any. - */ - @Override - public String getRemoteUser() { - return principal==null?null:principal.getName(); - } - - /** - * Part of the HTTP Security API. Return the User Principal associated with this HTTP - * Transaction. - */ - @Override - public Principal getUserPrincipal() { - return principal; - } - - /** - * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user - * associated with this HTTP Transaction allowed to function in this Role? - * - * For CADI, we pass the responsibility for determining this to the "LUR", which may be - * determined by the Enterprise. - * - * Note: Role check is also done in "CadiRealm" in certain cases... 
- * - * - */ - @Override - public boolean isUserInRole(String perm) { - return perm==null?false:checkPerm(access,"isUserInRole",principal,pconv,lur,perm); - } - - public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) { - if(principal== null) { - access.log(Level.AUDIT,caller, "No Principal in Transaction"); - return false; - } else { - final long start = System.nanoTime(); - perm = pconv.convert(perm); - if(lur.fish(principal,lur.createPerm(perm))) { - access.printf(Level.DEBUG,"%s: %s has %s, %f ms", caller, principal.getName(), perm, Timing.millis(start)); - return true; - } else { - access.printf(Level.DEBUG,"%s: %s does not have %s, %f ms", caller, principal.getName(), perm, Timing.millis(start)); - return false; - } - } - - } - - /** - * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc - * as implemented with lur.fishAll - * - * To utilize, the Request must be a "CadiWrap" object, then call. 
- */ - public List getPermissions(Principal p) { - List perms = new ArrayList<>(); - lur.fishAll(p, perms); - return perms; - } - /** - * Allow setting of tafResp and lur after construction - * - * This can happen if the CadiWrap is constructed in a Valve other than CadiValve - */ - public void set(TafResp tafResp, Lur lur) { - principal = tafResp.getPrincipal(); - access = tafResp.getAccess(); - this.lur = lur; - } - - public String getUser() { - if(user==null && principal!=null) { - user = principal.getName(); - } - return user; - } - - public byte[] getCred() { - return password; - } - - public void setUser(String user) { - this.user = user; - } - - public void setCred(byte[] passwd) { - password = passwd; - } - - public CadiWrap setPermConverter(PermConverter pc) { - pconv = pc; - return this; - } - - // Add a feature - public void invalidate(String id) { - if(lur instanceof EpiLur) { - ((EpiLur)lur).remove(id); - } else if(lur instanceof CachingLur) { - ((CachingLur)lur).remove(id); - } - } - - public Lur getLur() { - return lur; - } - - public Access access() { - return access; - } + private TaggedPrincipal principal; + private Lur lur; + private String user; // used to set user/pass from brain-dead protocols like WSSE + private byte[] password; + private PermConverter pconv; + private Access access; + + /** + * Standard Wrapper constructor for Delegate pattern + * @param request + */ + public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) { + super(request); + principal = tafResp.getPrincipal(); + access = tafResp.getAccess(); + this.lur = lur; + pconv = NullPermConverter.singleton(); + } + + /** + * Standard Wrapper constructor for Delegate pattern, with PermConverter + * @param request + */ + public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) { + super(request); + principal = tafResp.getPrincipal(); + access = tafResp.getAccess(); + this.lur = lur; + pconv = pc; + } + + + /** + * Part of the HTTP 
Security API. Declare the User associated with this HTTP Transaction. + * CADI does this by reporting the name associated with the Principal obtained, if any. + */ + @Override + public String getRemoteUser() { + return principal==null?null:principal.getName(); + } + + /** + * Part of the HTTP Security API. Return the User Principal associated with this HTTP + * Transaction. + */ + @Override + public Principal getUserPrincipal() { + return principal; + } + + /** + * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user + * associated with this HTTP Transaction allowed to function in this Role? + * + * For CADI, we pass the responsibility for determining this to the "LUR", which may be + * determined by the Enterprise. + * + * Note: Role check is also done in "CadiRealm" in certain cases... + * + * + */ + @Override + public boolean isUserInRole(String perm) { + return perm==null?false:checkPerm(access,"isUserInRole",principal,pconv,lur,perm); + } + + public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) { + if(principal== null) { + access.log(Level.AUDIT,caller, "No Principal in Transaction"); + return false; + } else { + final long start = System.nanoTime(); + perm = pconv.convert(perm); + if(lur.fish(principal,lur.createPerm(perm))) { + access.printf(Level.DEBUG,"%s: %s has %s, %f ms", caller, principal.getName(), perm, Timing.millis(start)); + return true; + } else { + access.printf(Level.DEBUG,"%s: %s does not have %s, %f ms", caller, principal.getName(), perm, Timing.millis(start)); + return false; + } + } + + } + + /** + * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc + * as implemented with lur.fishAll + * + * To utilize, the Request must be a "CadiWrap" object, then call. 
+ */ + public List getPermissions(Principal p) { + List perms = new ArrayList<>(); + lur.fishAll(p, perms); + return perms; + } + /** + * Allow setting of tafResp and lur after construction + * + * This can happen if the CadiWrap is constructed in a Valve other than CadiValve + */ + public void set(TafResp tafResp, Lur lur) { + principal = tafResp.getPrincipal(); + access = tafResp.getAccess(); + this.lur = lur; + } + + public String getUser() { + if(user==null && principal!=null) { + user = principal.getName(); + } + return user; + } + + public byte[] getCred() { + return password; + } + + public void setUser(String user) { + this.user = user; + } + + public void setCred(byte[] passwd) { + password = passwd; + } + + public CadiWrap setPermConverter(PermConverter pc) { + pconv = pc; + return this; + } + + // Add a feature + public void invalidate(String id) { + if(lur instanceof EpiLur) { + ((EpiLur)lur).remove(id); + } else if(lur instanceof CachingLur) { + ((CachingLur)lur).remove(id); + } + } + + public Lur getLur() { + return lur; + } + + public Access access() { + return access; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Capacitor.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Capacitor.java index 935e4f14..5ca1ce30 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/Capacitor.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Capacitor.java 
@@ -35,207 +35,207 @@ import java.util.ArrayList; * */ public class Capacitor { - private static final int DEFAULT_CHUNK = 256; - private ArrayList bbs = new ArrayList<>(); - private ByteBuffer curr = null; - private int idx; - - // Maintain a private RingBuffer for Memory, for efficiency - private static ByteBuffer[] ring = new ByteBuffer[16]; - private static int start, end; - - - public void put(byte b) { - if(curr == null || curr.remaining()==0) { // ensure we have a "curr" buffer ready for data - curr = ringGet(); - bbs.add(curr); - } - curr.put(b); - } + private static final int DEFAULT_CHUNK = 256; + private ArrayList bbs = new ArrayList<>(); + private ByteBuffer curr = null; + private int idx; + + // Maintain a private RingBuffer for Memory, for efficiency + private static ByteBuffer[] ring = new ByteBuffer[16]; + private static int start, end; + + + public void put(byte b) { + if(curr == null || curr.remaining()==0) { // ensure we have a "curr" buffer ready for data + curr = ringGet(); + bbs.add(curr); + } + curr.put(b); + } - public int read() { - if(curr!=null) { - if(curr.remaining()>0) { // have a buffer, use it! - return curr.get(); - } else if(idx0) { // loop through while there's data needed - if((len=curr.remaining())>length) { // if enough data in curr buffer, use this code - curr.get(array,offset,length); - count+=length; - length=0; - } else { // get data from curr, mark how much is needed to fulfil, and loop for next curr. - curr.get(array,offset,len); - count+=len; - offset+=len; - length-=len; - if(idx0) { // have a buffer, use it! + return curr.get(); + } else if(idx0) { // loop through while there's data needed + if((len=curr.remaining())>length) { // if enough data in curr buffer, use this code + curr.get(array,offset,length); + count+=length; + length=0; + } else { // get data from curr, mark how much is needed to fulfil, and loop for next curr. 
+ curr.get(array,offset,len); + count+=len; + offset+=len; + length-=len; + if(idx0) { - if((len=curr.remaining())>length) { - curr.put(array,offset,length); - length=0; - } else { -// System.out.println(new String(array)); - curr.put(array,offset,len); - length-=len; - offset+=len; - curr = ringGet(); - bbs.add(curr); - } - } - } - - /** - * Move state from Storage mode into Read mode, changing all internal buffers to read mode, etc - */ - public void setForRead() { - for(ByteBuffer bb : bbs) { - bb.flip(); - } - if(bbs.isEmpty()) { - curr = null; - idx = 0; - } else { - curr=bbs.get(0); - idx=1; - } - } - - /** - * reuse all the buffers - */ - public void done() { - for(ByteBuffer bb : bbs) { - ringPut(bb); - } - bbs.clear(); - curr = null; - } - - /** - * Declare amount of data available to be read at once. - * - * @return - */ - public int available() { - int count = 0; - for(ByteBuffer bb : bbs) { - count+=bb.remaining(); - } - return count; - } - - /** - * Returns how many are left that were not skipped - * @param n - * @return - */ - public long skip(long n) { - long skipped=0L; - int skip; - if(curr==null) { - return 0; - } - while(n>0) { - if(n<(skip=curr.remaining())) { - curr.position(curr.position()+(int)n); - skipped+=skip; - n=0; - } else { - curr.position(curr.limit()); - - skipped-=skip; - if(idx 0 ? skipped : 0; - } - /** - * Be able to re-read data that is stored that has already been re-read. This is not a standard Stream behavior, but can be useful - * in a standalone mode. 
- */ - public void reset() { - for(ByteBuffer bb : bbs) { - bb.position(0); - } - if(bbs.isEmpty()) { - curr = null; - idx = 0; - } else { - curr=bbs.get(0); - idx=1; - } - } + /** + * Put an array of data into Capacitor + * + * @param array + * @param offset + * @param length + */ + public void put(byte[] array, int offset, int length) { + if(curr == null || curr.remaining()==0) { + curr = ringGet(); + bbs.add(curr); + } + + int len; + while(length>0) { + if((len=curr.remaining())>length) { + curr.put(array,offset,length); + length=0; + } else { +// System.out.println(new String(array)); + curr.put(array,offset,len); + length-=len; + offset+=len; + curr = ringGet(); + bbs.add(curr); + } + } + } + + /** + * Move state from Storage mode into Read mode, changing all internal buffers to read mode, etc + */ + public void setForRead() { + for(ByteBuffer bb : bbs) { + bb.flip(); + } + if(bbs.isEmpty()) { + curr = null; + idx = 0; + } else { + curr=bbs.get(0); + idx=1; + } + } + + /** + * reuse all the buffers + */ + public void done() { + for(ByteBuffer bb : bbs) { + ringPut(bb); + } + bbs.clear(); + curr = null; + } + + /** + * Declare amount of data available to be read at once. + * + * @return + */ + public int available() { + int count = 0; + for(ByteBuffer bb : bbs) { + count+=bb.remaining(); + } + return count; + } + + /** + * Returns how many are left that were not skipped + * @param n + * @return + */ + public long skip(long n) { + long skipped=0L; + int skip; + if(curr==null) { + return 0; + } + while(n>0) { + if(n<(skip=curr.remaining())) { + curr.position(curr.position()+(int)n); + skipped+=skip; + n=0; + } else { + curr.position(curr.limit()); + + skipped-=skip; + if(idx 0 ? skipped : 0; + } + /** + * Be able to re-read data that is stored that has already been re-read. This is not a standard Stream behavior, but can be useful + * in a standalone mode. 
+ */ + public void reset() { + for(ByteBuffer bb : bbs) { + bb.position(0); + } + if(bbs.isEmpty()) { + curr = null; + idx = 0; + } else { + curr=bbs.get(0); + idx=1; + } + } - /* - * Ring Functions. Reuse allocated memory - */ - private ByteBuffer ringGet() { - ByteBuffer bb = null; - synchronized(ring) { - bb=ring[start]; - ring[start]=null; - if(bb!=null && ++start>15)start=0; - } - if(bb==null) { - bb=ByteBuffer.allocate(DEFAULT_CHUNK); - } else { - bb.clear();// refresh reused buffer - } - return bb; - } - - private void ringPut(ByteBuffer bb) { - synchronized(ring) { - ring[end]=bb; // if null or not, BB will just be Garbage collected - if(++end>15)end=0; - } - } + /* + * Ring Functions. Reuse allocated memory + */ + private ByteBuffer ringGet() { + ByteBuffer bb = null; + synchronized(ring) { + bb=ring[start]; + ring[start]=null; + if(bb!=null && ++start>15)start=0; + } + if(bb==null) { + bb=ByteBuffer.allocate(DEFAULT_CHUNK); + } else { + bb.clear();// refresh reused buffer + } + return bb; + } + + private void ringPut(ByteBuffer bb) { + synchronized(ring) { + ring[end]=bb; // if null or not, BB will just be Garbage collected + if(++end>15)end=0; + } + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java index 9444cfac..7ca9fac2 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java 
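Review bot: `skip(long n)` accounts for `skipped` wrongly on both branches of its loop: when `n` is smaller than the current buffer's remaining bytes the position is advanced by `n` but `skipped+=skip` adds the whole remainder, and on the other branch `skipped-=skip` subtracts the bytes that were actually consumed, so the value the method finally clamps to a non-negative number does not reflect what was skipped. The two lines should read `skipped+=n;` and `skipped+=skip;` respectively, and the Javadoc `Returns how many are left that were not skipped` should be brought in line with whatever the method is meant to return, since a stream-style `skip` caller normally expects the count of bytes actually skipped. Part of the loop body that moves to the next buffer is not legible in this view and should be checked together with this. Separately, `ringGet` and `ringPut` wrap their indices with the literal `15` while the pool is declared `new ByteBuffer[16]`; using `ring.length` keeps the two from drifting apart.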
@@ -43,313 +43,313 @@ import org.onap.aaf.cadi.util.JsonOutputStream; */ public class CmdLine { - private static boolean systemExit = true; - /** - * @param args - */ - public static void main(String[] args) { - if(args.length>0) { - if("digest".equalsIgnoreCase(args[0]) && (args.length>2 || (args.length>1 && System.console()!=null))) { - String keyfile; - String password; - if(args.length>2) { - password = args[1]; - keyfile = args[2]; - if("-i".equals(password)) { - int c; - StringBuilder sb = new StringBuilder(); - try { - while((c=System.in.read())>=0) { - sb.append((char)c); - } - } catch (IOException e) { - e.printStackTrace(); - } - password = sb.toString(); - } - } else { - keyfile = args[1]; - password = new String(System.console().readPassword("Type here (keystrokes hidden): ")); - } + private static boolean systemExit = true; + /** + * @param args + */ + public static void main(String[] args) { + if(args.length>0) { + if("digest".equalsIgnoreCase(args[0]) && (args.length>2 || (args.length>1 && System.console()!=null))) { + String keyfile; + String password; + if(args.length>2) { + password = args[1]; + keyfile = args[2]; + if("-i".equals(password)) { + int c; + StringBuilder sb = new StringBuilder(); + try { + while((c=System.in.read())>=0) { + sb.append((char)c); + } + } catch (IOException e) { + e.printStackTrace(); + } + password = sb.toString(); + } + } else { + keyfile = args[1]; + password = new String(System.console().readPassword("Type here (keystrokes hidden): ")); + } - try { - Symm symm; - FileInputStream fis = new FileInputStream(keyfile); - try { - symm = Symm.obtain(fis); - } finally { - fis.close(); - } - symm.enpass(password, System.out); - System.out.println(); - System.out.flush(); - return; - /* testing code... 
don't want it exposed - System.out.println(" ******** Testing *********"); - for(int i=0;i<100000;++i) { - System.out.println(args[1]); - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - b64.enpass(args[1], baos); - String pass; - System.out.println(pass=new String(baos.toByteArray())); - ByteArrayOutputStream reconstituted = new ByteArrayOutputStream(); - b64.depass(pass, reconstituted); - String r = reconstituted.toString(); - System.out.println(r); - if(!r.equals(args[1])) { - System.err.println("!!!!! STOP - ERROR !!!!!"); - return; - } - System.out.println(); - } - System.out.flush(); - */ - - } catch (IOException e) { - System.err.println("Cannot digest password"); - System.err.println(" \""+ e.getMessage() + '"'); - } + try { + Symm symm; + FileInputStream fis = new FileInputStream(keyfile); + try { + symm = Symm.obtain(fis); + } finally { + fis.close(); + } + symm.enpass(password, System.out); + System.out.println(); + System.out.flush(); + return; + /* testing code... don't want it exposed + System.out.println(" ******** Testing *********"); + for(int i=0;i<100000;++i) { + System.out.println(args[1]); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + b64.enpass(args[1], baos); + String pass; + System.out.println(pass=new String(baos.toByteArray())); + ByteArrayOutputStream reconstituted = new ByteArrayOutputStream(); + b64.depass(pass, reconstituted); + String r = reconstituted.toString(); + System.out.println(r); + if(!r.equals(args[1])) { + System.err.println("!!!!! STOP - ERROR !!!!!"); + return; + } + System.out.println(); + } + System.out.flush(); + */ + + } catch (IOException e) { + System.err.println("Cannot digest password"); + System.err.println(" \""+ e.getMessage() + '"'); + } // DO NOT LEAVE THIS METHOD Compiled IN CODE... Do not want looking at passwords on disk too easy // Jonathan. Oh, well, Deployment services need this behavior. I will put this code in, but leave it undocumented. 
// One still needs access to the keyfile to read. // July 2016 - thought of a tool "CMPass" to regurgitate from properties, but only if allowed. - } else if("regurgitate".equalsIgnoreCase(args[0]) && args.length>2) { - try { - Symm symm; - FileInputStream fis = new FileInputStream(args[2]); - try { - symm = Symm.obtain(fis); - } finally { - fis.close(); - } - boolean isFile = false; - if("-i".equals(args[1]) || (isFile="-f".equals(args[1]))) { - BufferedReader br; - if(isFile) { - if(args.length<4) { - System.err.println("Filename in 4th position"); - return; - } - br = new BufferedReader(new FileReader(args[3])); - } else { - br = new BufferedReader(new InputStreamReader(System.in)); - } - try { - String line; - boolean cont = false; - StringBuffer sb = new StringBuffer(); - JsonOutputStream jw = new JsonOutputStream(System.out); - while((line=br.readLine())!=null) { - if(cont) { - int end; - if((end=line.indexOf('"'))>=0) { - sb.append(line,0,end); - cont=false; - } else { - sb.append(line); - } - } else { - int idx; - if((idx = line.indexOf(' '))>=0 - && (idx = line.indexOf(' ',++idx))>0 - && (idx = line.indexOf('=',++idx))>0 - ) { - System.out.println(line.substring(0, idx-5)); - int start = idx+2; - int end; - if((end=line.indexOf('"',start))<0) { - end = line.length(); - cont = true; - } - sb.append(line,start,end); - } - } - if(sb.length()>0) { - symm.depass(sb.toString(),jw); - if(!cont) { - System.out.println(); - } - } - System.out.flush(); - sb.setLength(0); - if(!cont) { - jw.resetIndent(); - } - } - } finally { - if(isFile) { - br.close(); - } - } - } else { - symm.depass(args[1], System.out); - } - System.out.println(); - System.out.flush(); - return; - } catch (IOException e) { - System.err.println("Cannot regurgitate password"); - System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("encode64".equalsIgnoreCase(args[0]) && args.length>1) { - try { - Symm.base64.encode(args[1], System.out); - System.out.println(); - System.out.flush(); - 
return; - } catch (IOException e) { - System.err.println("Cannot encode Base64 with " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("decode64".equalsIgnoreCase(args[0]) && args.length>1) { - try { - Symm.base64.decode(args[1], System.out); - System.out.println(); - System.out.flush(); - return; - } catch (IOException e) { - System.err.println("Cannot decode Base64 text from " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("encode64url".equalsIgnoreCase(args[0]) && args.length>1) { - try { - Symm.base64url.encode(args[1], System.out); - System.out.println(); - System.out.flush(); - return; - } catch (IOException e) { - System.err.println("Cannot encode Base64url with " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("decode64url".equalsIgnoreCase(args[0]) && args.length>1) { - try { - Symm.base64url.decode(args[1], System.out); - System.out.println(); - System.out.flush(); - return; - } catch (IOException e) { - System.err.println("Cannot decode Base64url text from " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("md5".equalsIgnoreCase(args[0]) && args.length>1) { - try { - System.out.println(Hash.hashMD5asStringHex(args[1])); - System.out.flush(); - } catch (NoSuchAlgorithmException e) { - System.err.println("Cannot hash MD5 from " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - return; - } else if("sha256".equalsIgnoreCase(args[0]) && args.length>1) { - try { - if(args.length>2) { - int max = args.length>7?7:args.length; - for(int i=2;i1) { - File f = new File(args[1]); - FileOutputStream fos = new FileOutputStream(f); - try { - fos.write(Symm.keygen()); - fos.flush(); - } finally { - fos.close(); - Chmod.to400.chmod(f); - } - } else { - // create a Symmetric Key out of same characters found in base64 - System.out.write(Symm.keygen()); - System.out.flush(); - } - return; - } catch (IOException e) { - 
System.err.println("Cannot create a key " + args[0]); - System.err.println(" \""+ e.getMessage() + '"'); - } - - } else if("passgen".equalsIgnoreCase(args[0])) { - int numDigits; - if(args.length <= 1) { - numDigits = 24; - } else { - numDigits = Integer.parseInt(args[1]); - if(numDigits<8)numDigits = 8; - } - String pass; - boolean noLower,noUpper,noDigits,noSpecial,repeatingChars,missingChars; - do { - pass = Symm.randomGen(numDigits); - missingChars=noLower=noUpper=noDigits=noSpecial=true; - repeatingChars=false; - int c=-1,last; - for(int i=0;i=0x61 && c<=0x7A); - } - if(noUpper) { - noUpper=!(c>=0x41 && c<=0x5A); - } - if(noDigits) { - noDigits=!(c>=0x30 && c<=0x39); - } - if(noSpecial) { - noSpecial = "+!@#$%^&*(){}[]?:;,.".indexOf(c)<0; - } - - missingChars = (noLower || noUpper || noDigits || noSpecial); - } - } while(missingChars || repeatingChars); - System.out.println(pass.substring(0,numDigits)); - } else if("urlgen".equalsIgnoreCase(args[0])) { - int numDigits; - if(args.length <= 1) { - numDigits = 24; - } else { - numDigits = Integer.parseInt(args[1]); - } - System.out.println(Symm.randomGen(Symm.base64url.codeset, numDigits).substring(0,numDigits)); - } - } else { - System.out.println("Usage: java -jar ..."); - System.out.println(" keygen [] (Generates Key on file, or Std Out)"); - System.out.println(" digest [|-i|] (Encrypts Password with \"keyfile\""); - System.out.println(" if passwd = -i, will read StdIn"); - System.out.println(" if passwd is blank, will ask securely)"); - System.out.println(" passgen (Generate Password of given size)"); - System.out.println(" urlgen (Generate URL field of given size)"); - System.out.println(" encode64 (Encodes to Base64)"); - System.out.println(" decode64 (Decodes from Base64)"); - System.out.println(" encode64url (Encodes to Base64 URL charset)"); - System.out.println(" decode64url (Decodes from Base64 URL charset)"); - System.out.println(" sha256 (Digest String into SHA256 Hash)"); - System.out.println(" md5 
(Digest String into MD5 Hash)"); - } - if (systemExit) { - System.exit(1); - } - } - - public static void setSystemExit(boolean shouldExit) { - systemExit = shouldExit; - } - + } else if("regurgitate".equalsIgnoreCase(args[0]) && args.length>2) { + try { + Symm symm; + FileInputStream fis = new FileInputStream(args[2]); + try { + symm = Symm.obtain(fis); + } finally { + fis.close(); + } + boolean isFile = false; + if("-i".equals(args[1]) || (isFile="-f".equals(args[1]))) { + BufferedReader br; + if(isFile) { + if(args.length<4) { + System.err.println("Filename in 4th position"); + return; + } + br = new BufferedReader(new FileReader(args[3])); + } else { + br = new BufferedReader(new InputStreamReader(System.in)); + } + try { + String line; + boolean cont = false; + StringBuffer sb = new StringBuffer(); + JsonOutputStream jw = new JsonOutputStream(System.out); + while((line=br.readLine())!=null) { + if(cont) { + int end; + if((end=line.indexOf('"'))>=0) { + sb.append(line,0,end); + cont=false; + } else { + sb.append(line); + } + } else { + int idx; + if((idx = line.indexOf(' '))>=0 + && (idx = line.indexOf(' ',++idx))>0 + && (idx = line.indexOf('=',++idx))>0 + ) { + System.out.println(line.substring(0, idx-5)); + int start = idx+2; + int end; + if((end=line.indexOf('"',start))<0) { + end = line.length(); + cont = true; + } + sb.append(line,start,end); + } + } + if(sb.length()>0) { + symm.depass(sb.toString(),jw); + if(!cont) { + System.out.println(); + } + } + System.out.flush(); + sb.setLength(0); + if(!cont) { + jw.resetIndent(); + } + } + } finally { + if(isFile) { + br.close(); + } + } + } else { + symm.depass(args[1], System.out); + } + System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot regurgitate password"); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("encode64".equalsIgnoreCase(args[0]) && args.length>1) { + try { + Symm.base64.encode(args[1], System.out); + 
System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot encode Base64 with " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("decode64".equalsIgnoreCase(args[0]) && args.length>1) { + try { + Symm.base64.decode(args[1], System.out); + System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot decode Base64 text from " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("encode64url".equalsIgnoreCase(args[0]) && args.length>1) { + try { + Symm.base64url.encode(args[1], System.out); + System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot encode Base64url with " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("decode64url".equalsIgnoreCase(args[0]) && args.length>1) { + try { + Symm.base64url.decode(args[1], System.out); + System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot decode Base64url text from " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("md5".equalsIgnoreCase(args[0]) && args.length>1) { + try { + System.out.println(Hash.hashMD5asStringHex(args[1])); + System.out.flush(); + } catch (NoSuchAlgorithmException e) { + System.err.println("Cannot hash MD5 from " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + return; + } else if("sha256".equalsIgnoreCase(args[0]) && args.length>1) { + try { + if(args.length>2) { + int max = args.length>7?7:args.length; + for(int i=2;i1) { + File f = new File(args[1]); + FileOutputStream fos = new FileOutputStream(f); + try { + fos.write(Symm.keygen()); + fos.flush(); + } finally { + fos.close(); + Chmod.to400.chmod(f); + } + } else { + // create a Symmetric Key out of same characters found in base64 + System.out.write(Symm.keygen()); + System.out.flush(); + } + return; + 
} catch (IOException e) { + System.err.println("Cannot create a key " + args[0]); + System.err.println(" \""+ e.getMessage() + '"'); + } + + } else if("passgen".equalsIgnoreCase(args[0])) { + int numDigits; + if(args.length <= 1) { + numDigits = 24; + } else { + numDigits = Integer.parseInt(args[1]); + if(numDigits<8)numDigits = 8; + } + String pass; + boolean noLower,noUpper,noDigits,noSpecial,repeatingChars,missingChars; + do { + pass = Symm.randomGen(numDigits); + missingChars=noLower=noUpper=noDigits=noSpecial=true; + repeatingChars=false; + int c=-1,last; + for(int i=0;i=0x61 && c<=0x7A); + } + if(noUpper) { + noUpper=!(c>=0x41 && c<=0x5A); + } + if(noDigits) { + noDigits=!(c>=0x30 && c<=0x39); + } + if(noSpecial) { + noSpecial = "+!@#$%^&*(){}[]?:;,.".indexOf(c)<0; + } + + missingChars = (noLower || noUpper || noDigits || noSpecial); + } + } while(missingChars || repeatingChars); + System.out.println(pass.substring(0,numDigits)); + } else if("urlgen".equalsIgnoreCase(args[0])) { + int numDigits; + if(args.length <= 1) { + numDigits = 24; + } else { + numDigits = Integer.parseInt(args[1]); + } + System.out.println(Symm.randomGen(Symm.base64url.codeset, numDigits).substring(0,numDigits)); + } + } else { + System.out.println("Usage: java -jar ..."); + System.out.println(" keygen [] (Generates Key on file, or Std Out)"); + System.out.println(" digest [|-i|] (Encrypts Password with \"keyfile\""); + System.out.println(" if passwd = -i, will read StdIn"); + System.out.println(" if passwd is blank, will ask securely)"); + System.out.println(" passgen (Generate Password of given size)"); + System.out.println(" urlgen (Generate URL field of given size)"); + System.out.println(" encode64 (Encodes to Base64)"); + System.out.println(" decode64 (Decodes from Base64)"); + System.out.println(" encode64url (Encodes to Base64 URL charset)"); + System.out.println(" decode64url (Decodes from Base64 URL charset)"); + System.out.println(" sha256 (Digest String into SHA256 Hash)"); 
+ System.out.println(" md5 (Digest String into MD5 Hash)");
+ }
+ if (systemExit) {
+ System.exit(1);
+ }
+ }
+
+ public static void setSystemExit(boolean shouldExit) {
+ systemExit = shouldExit;
+ }
+ }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Connector.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Connector.java
index 7f47ce78..f88c3fbe 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/Connector.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Connector.java
@@ -22,5 +22,5 @@ package org.onap.aaf.cadi;
 
 public interface Connector {
- public Lur newLur() throws CadiException;
+ public Lur newLur() throws CadiException;
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CredVal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CredVal.java
index 4e42a5fb..6019f551 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/CredVal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CredVal.java
@@ -31,12 +31,12 @@ package org.onap.aaf.cadi;
  * @author Jonathan
  */
 public interface CredVal {
- public enum Type{PASSWORD};
- /**
- * Validate if the User/Password combination matches records
- * @param user
- * @param pass
- * @return
- */
- public boolean validate(String user, Type type, byte[] cred, Object state);
+ public enum Type{PASSWORD};
+ /**
+ * Validate if the User/Password combination matches records
+ * @param user
+ * @param pass
+ * @return
+ */
+ public boolean validate(String user, Type type, byte[] cred, Object state);
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java
index e8a5c54b..db5ab0f2 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java
@@ -21,5 +21,5 @@ package org.onap.aaf.cadi;
 
 public interface CredValDomain extends CredVal {
- public String domain();
+ public String domain();
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/GetCred.java b/cadi/core/src/main/java/org/onap/aaf/cadi/GetCred.java
index e64f0dd4..039ba8f7 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/GetCred.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/GetCred.java
@@ -22,5 +22,5 @@ package org.onap.aaf.cadi;
 
 public interface GetCred {
- byte[] getCred();
+ byte[] getCred();
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Hash.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Hash.java
index 6babb4c9..acd45019 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/Hash.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Hash.java
@@ -26,233 +26,233 @@ import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; public class Hash { - private static char hexDigit[] = "0123456789abcdef".toCharArray(); - + private static char hexDigit[] = "0123456789abcdef".toCharArray(); + ///////////////////////////////// // MD5 ///////////////////////////////// - /** - * Encrypt MD5 from Byte Array to Byte Array - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public static byte[] hashMD5 (byte[] input) throws NoSuchAlgorithmException { - // Note: Protect against Multi-thread issues with new MessageDigest - MessageDigest md = MessageDigest.getInstance("MD5"); - md.update(input); - return md.digest(); - } + /** + * Encrypt MD5 from Byte Array to Byte Array + * @param input + * @return + * @throws NoSuchAlgorithmException + */ + public static byte[] hashMD5 (byte[] input) throws NoSuchAlgorithmException { + // Note: Protect against Multi-thread issues with new MessageDigest + MessageDigest md = MessageDigest.getInstance("MD5"); + md.update(input); + return md.digest(); + } - /** - * Encrypt MD5 from Byte Array to Byte Array - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public static byte[] hashMD5 (byte[] input, int offset, int length) throws NoSuchAlgorithmException { - // Note: Protect against Multi-thread issues with new MessageDigest - MessageDigest md = MessageDigest.getInstance("MD5"); - md.update(input,offset,length); - return md.digest(); - } + /** + * Encrypt MD5 from Byte Array to Byte Array + * @param input + * @return + * @throws NoSuchAlgorithmException + */ + public static byte[] hashMD5 (byte[] input, int offset, int length) throws NoSuchAlgorithmException { + // Note: Protect against Multi-thread issues with new MessageDigest + MessageDigest md = MessageDigest.getInstance("MD5"); + md.update(input,offset,length); + return md.digest(); + } - /** - * Convenience Function: Encrypt MD5 from String to String Hex representation 
- * - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public static String hashMD5asStringHex(String input) throws NoSuchAlgorithmException { - byte[] output = hashMD5(input.getBytes()); - StringBuilder sb = new StringBuilder("0x"); - for (byte b : output) { - sb.append(hexDigit[(b >> 4) & 0x0f]); - sb.append(hexDigit[b & 0x0f]); - } - return sb.toString(); - } + /** + * Convenience Function: Encrypt MD5 from String to String Hex representation + * + * @param input + * @return + * @throws NoSuchAlgorithmException + */ + public static String hashMD5asStringHex(String input) throws NoSuchAlgorithmException { + byte[] output = hashMD5(input.getBytes()); + StringBuilder sb = new StringBuilder("0x"); + for (byte b : output) { + sb.append(hexDigit[(b >> 4) & 0x0f]); + sb.append(hexDigit[b & 0x0f]); + } + return sb.toString(); + } ///////////////////////////////// // SHA256 ///////////////////////////////// - /** - * SHA256 Hashing - */ - public static byte[] hashSHA256(byte[] input) throws NoSuchAlgorithmException { - // Note: Protect against Multi-thread issues with new MessageDigest - MessageDigest md = MessageDigest.getInstance("SHA-256"); - md.update(input); - return md.digest(); - } + /** + * SHA256 Hashing + */ + public static byte[] hashSHA256(byte[] input) throws NoSuchAlgorithmException { + // Note: Protect against Multi-thread issues with new MessageDigest + MessageDigest md = MessageDigest.getInstance("SHA-256"); + md.update(input); + return md.digest(); + } - /** - * SHA256 Hashing - */ - public static byte[] hashSHA256(byte[] input, int offset, int length) throws NoSuchAlgorithmException { - // Note: Protect against Multi-thread issues with new MessageDigest - MessageDigest md = MessageDigest.getInstance("SHA-256"); - md.update(input,offset,length); - return md.digest(); - } - - /** - * Convenience Function: Hash from String to String Hex representation - * - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public 
static String hashSHA256asStringHex(String input) throws NoSuchAlgorithmException { - return toHex(hashSHA256(input.getBytes())); - } + /** + * SHA256 Hashing + */ + public static byte[] hashSHA256(byte[] input, int offset, int length) throws NoSuchAlgorithmException { + // Note: Protect against Multi-thread issues with new MessageDigest + MessageDigest md = MessageDigest.getInstance("SHA-256"); + md.update(input,offset,length); + return md.digest(); + } + + /** + * Convenience Function: Hash from String to String Hex representation + * + * @param input + * @return + * @throws NoSuchAlgorithmException + */ + public static String hashSHA256asStringHex(String input) throws NoSuchAlgorithmException { + return toHex(hashSHA256(input.getBytes())); + } - /** - * Convenience Function: Hash from String to String Hex representation - * - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public static String hashSHA256asStringHex(String input, int salt) throws NoSuchAlgorithmException { - byte[] in = input.getBytes(); - ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + in.length); - bb.putInt(salt); - bb.put(input.getBytes()); - return toHex(Hash.hashSHA256(bb.array())); - } - - /** - * Compare two byte arrays for equivalency - * @param ba1 - * @param ba2 - * @return - */ - public static boolean isEqual(byte ba1[], byte ba2[]) { - if(ba1.length!=ba2.length)return false; - for(int i = 0;i> 4) & 0x0f]); - sb.append(hexDigit[b & 0x0f]); - } - return sb.toString(); - } + public static String toHexNo0x(byte[] ba) { + StringBuilder sb = new StringBuilder(); + for (byte b : ba) { + sb.append(hexDigit[(b >> 4) & 0x0f]); + sb.append(hexDigit[b & 0x0f]); + } + return sb.toString(); + } - public static String toHex(byte[] ba) { - StringBuilder sb = new StringBuilder("0x"); - for (byte b : ba) { - sb.append(hexDigit[(b >> 4) & 0x0f]); - sb.append(hexDigit[b & 0x0f]); - } - return sb.toString(); - } - - public static String toHex(byte[] ba, int start, int length) { 
- StringBuilder sb = new StringBuilder("0x"); - for (int i=start;i> 4) & 0x0f]); - sb.append(hexDigit[ba[i] & 0x0f]); - } - return sb.toString(); - } + public static String toHex(byte[] ba) { + StringBuilder sb = new StringBuilder("0x"); + for (byte b : ba) { + sb.append(hexDigit[(b >> 4) & 0x0f]); + sb.append(hexDigit[b & 0x0f]); + } + return sb.toString(); + } + + public static String toHex(byte[] ba, int start, int length) { + StringBuilder sb = new StringBuilder("0x"); + for (int i=start;i> 4) & 0x0f]); + sb.append(hexDigit[ba[i] & 0x0f]); + } + return sb.toString(); + } - - public static byte[] fromHex(String s) throws CadiException{ - if(!s.startsWith("0x")) { - throw new CadiException("HexString must start with \"0x\""); - } - boolean high = true; - int c; - byte b; - byte[] ba = new byte[(s.length()-2)/2]; - int idx; - for(int i=2;i=0x30 && c<=0x39) { - b=(byte)(c-0x30); - } else if(c>=0x61 && c<=0x66) { - b=(byte)(c-0x57); // account for "A" - } else if(c>=0x41 && c<=0x46) { - b=(byte)(c-0x37); - } else { - throw new CadiException("Invalid char '" + c + "' in HexString"); - } - idx = (i-2)/2; - if(high) { - ba[idx]=(byte)(b<<4); - high = false; - } else { - ba[idx]|=b; - high = true; - } - } - return ba; - } + + public static byte[] fromHex(String s) throws CadiException{ + if(!s.startsWith("0x")) { + throw new CadiException("HexString must start with \"0x\""); + } + boolean high = true; + int c; + byte b; + byte[] ba = new byte[(s.length()-2)/2]; + int idx; + for(int i=2;i=0x30 && c<=0x39) { + b=(byte)(c-0x30); + } else if(c>=0x61 && c<=0x66) { + b=(byte)(c-0x57); // account for "A" + } else if(c>=0x41 && c<=0x46) { + b=(byte)(c-0x37); + } else { + throw new CadiException("Invalid char '" + c + "' in HexString"); + } + idx = (i-2)/2; + if(high) { + ba[idx]=(byte)(b<<4); + high = false; + } else { + ba[idx]|=b; + high = true; + } + } + return ba; + } - /** - * Does not expect to start with "0x" - * if Any Character doesn't match, it returns null; - * - * 
@param s - * @return - */ - public static byte[] fromHexNo0x(String s) { - int c; - byte b; - byte[] ba; - boolean high; - int start; - if(s.length()%2==0) { - ba = new byte[s.length()/2]; - high=true; - start=0; - } else { - ba = new byte[(s.length()/2)+1]; - high = false; - start=1; - } - int idx; - for(int i=start;i=0x30 && c<=0x39) { - b=(byte)(c-0x30); - } else if(c>=0x61 && c<=0x66) { - b=(byte)(c-0x57); // account for "A" - } else if(c>=0x41 && c<=0x46) { - b=(byte)(c-0x37); - } else { - return null; - } - idx = i/2; - if(high) { - ba[idx]=(byte)(b<<4); - high = false; - } else { - ba[idx]|=b; - high = true; - } - } - return ba; - } + /** + * Does not expect to start with "0x" + * if Any Character doesn't match, it returns null; + * + * @param s + * @return + */ + public static byte[] fromHexNo0x(String s) { + int c; + byte b; + byte[] ba; + boolean high; + int start; + if(s.length()%2==0) { + ba = new byte[s.length()/2]; + high=true; + start=0; + } else { + ba = new byte[(s.length()/2)+1]; + high = false; + start=1; + } + int idx; + for(int i=start;i=0x30 && c<=0x39) { + b=(byte)(c-0x30); + } else if(c>=0x61 && c<=0x66) { + b=(byte)(c-0x57); // account for "A" + } else if(c>=0x41 && c<=0x46) { + b=(byte)(c-0x37); + } else { + return null; + } + idx = i/2; + if(high) { + ba[idx]=(byte)(b<<4); + high = false; + } else { + ba[idx]|=b; + high = true; + } + } + return ba; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Locator.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Locator.java index 22258d12..c40cb998 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/Locator.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Locator.java 
@@ -22,15 +22,15 @@ package org.onap.aaf.cadi; public interface Locator { - public T get(Locator.Item item) throws LocatorException; - public boolean hasItems(); - public void invalidate(Locator.Item item) throws LocatorException; - public Locator.Item best() throws LocatorException; - public Item first() throws LocatorException; - public Item next(Item item) throws LocatorException; - public boolean refresh(); - public void destroy(); - - public interface Item {} + public T get(Locator.Item item) throws LocatorException; + public boolean hasItems(); + public void invalidate(Locator.Item item) throws LocatorException; + public Locator.Item best() throws LocatorException; + public Item first() throws LocatorException; + public Item next(Item item) throws LocatorException; + public boolean refresh(); + public void destroy(); + + public interface Item {} } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/LocatorException.java b/cadi/core/src/main/java/org/onap/aaf/cadi/LocatorException.java index f14fba70..da56d4b2 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/LocatorException.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/LocatorException.java 
@@ -22,25 +22,25 @@ package org.onap.aaf.cadi; public class LocatorException extends Exception { - /** - * - */ - private static final long serialVersionUID = -4267929804321134469L; + /** + * + */ + private static final long serialVersionUID = -4267929804321134469L; - public LocatorException(String arg0) { - super(arg0); - } + public LocatorException(String arg0) { + super(arg0); + } - public LocatorException(Throwable arg0) { - super(arg0); - } + public LocatorException(Throwable arg0) { + super(arg0); + } - public LocatorException(String arg0, Throwable arg1) { - super(arg0, arg1); - } + public LocatorException(String arg0, Throwable arg1) { + super(arg0, arg1); + } - public LocatorException(CharSequence cs) { - super(cs.toString()); - } + public LocatorException(CharSequence cs) { + super(cs.toString()); + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java index 0beb4856..bdc9f643 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java 
@@ -39,54 +39,54 @@ import java.util.List; * */ public interface Lur { - /** - * Allow the Lur, which has correct Permission access, to create and hand back. - */ - public Permission createPerm(String p); - - /** - * Fish for Principals in a Pond - * - * or more boringly, is the User identified within a named collection representing permission. - * - * @param principalName - * @return - */ - public boolean fish(Principal bait, Permission ... pond); + /** + * Allow the Lur, which has correct Permission access, to create and hand back. + */ + public Permission createPerm(String p); + + /** + * Fish for Principals in a Pond + * + * or more boringly, is the User identified within a named collection representing permission. + * + * @param principalName + * @return + */ + public boolean fish(Principal bait, Permission ... pond); - /** - * Fish all the Principals out a Pond - * - * For additional humor, pronounce the following with a Southern Drawl, "FishOil" - * - * or more boringly, load the List with Permissions found for Principal - * - * @param principalName - * @return - */ - public void fishAll(Principal bait, List permissions); + /** + * Fish all the Principals out a Pond + * + * For additional humor, pronounce the following with a Southern Drawl, "FishOil" + * + * or more boringly, load the List with Permissions found for Principal + * + * @param principalName + * @return + */ + public void fishAll(Principal bait, List permissions); - /** - * Allow implementations to disconnect, or cleanup resources if unneeded - */ - public void destroy(); + /** + * Allow implementations to disconnect, or cleanup resources if unneeded + */ + public void destroy(); - /** - * Does this LUR handle this pond exclusively? Important for EpiLUR to determine whether - * to try another (more expensive) LUR - * @param pond - * @return - */ - public boolean handlesExclusively(Permission ... 
pond); - - /** - * Does the LUR support a particular kind of Principal - * This can be used to check name's domain, like above, or Principal type - */ - public boolean handles(Principal principal); - - /** - * Clear: Clear any Caching, if exists - */ - public void clear(Principal p, StringBuilder report); + /** + * Does this LUR handle this pond exclusively? Important for EpiLUR to determine whether + * to try another (more expensive) LUR + * @param pond + * @return + */ + public boolean handlesExclusively(Permission ... pond); + + /** + * Does the LUR support a particular kind of Principal + * This can be used to check name's domain, like above, or Principal type + */ + public boolean handles(Principal principal); + + /** + * Clear: Clear any Caching, if exists + */ + public void clear(Principal p, StringBuilder report); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Permission.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Permission.java index f8061290..2537c386 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/Permission.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Permission.java @@ -22,7 +22,7 @@ package org.onap.aaf.cadi; public interface Permission { - public String permType(); - public String getKey(); - public boolean match(Permission p); + public String permType(); + public String getKey(); + public boolean match(Permission p); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java b/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java index 3d15b09d..a35777f8 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java 
@@ -37,365 +37,365 @@ import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.config.SecurityInfo; public class PropAccess implements Access { - // Sonar says cannot be static... it's ok. not too many PropAccesses created. - private final SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ"); + // Sonar says cannot be static... it's ok. not too many PropAccesses created. + private final SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ"); - public static final Level DEFAULT = Level.AUDIT; - - private Symm symm; - private int level; - private Properties props; - private List recursionProtection = null; - private LogIt logIt; - private String name; + public static final Level DEFAULT = Level.AUDIT; + + private Symm symm; + private int level; + private Properties props; + private List recursionProtection = null; + private LogIt logIt; + private String name; - public PropAccess() { - logIt = new StreamLogIt(System.out); - init(null); - } - - /** - * This Constructor soly exists to instantiate Servlet Context Based Logging that will call "init" later. - * @param sc - */ - protected PropAccess(Object o) { - logIt = new StreamLogIt(System.out); - props = new Properties(); - } - - public PropAccess(String ... 
args) { - this(System.out,args); - } - - public PropAccess(PrintStream ps, String[] args) { - logIt = new StreamLogIt(ps==null?System.out:ps); - init(logIt,args); - } - - public PropAccess(LogIt logit, String[] args) { - init(logit, args); - } - - public PropAccess(Properties p) { - this(System.out,p); - } - - public PropAccess(PrintStream ps, Properties p) { - logIt = new StreamLogIt(ps==null?System.out:ps); - init(p); - } - - protected void init(final LogIt logIt, final String[] args) { - this.logIt = logIt; - Properties nprops=new Properties(); - int eq; - for(String arg : args) { - if((eq=arg.indexOf('='))>0) { - nprops.setProperty(arg.substring(0, eq),arg.substring(eq+1)); - } - } - init(nprops); - } - - protected void init(Properties p) { - // Make sure these two are set before any changes in Logging - name = "cadi"; - level=DEFAULT.maskOf(); - - props = new Properties(); - // First, load related System Properties - for(Entry es : System.getProperties().entrySet()) { - String key = es.getKey().toString(); - for(String start : new String[] {"cadi_","aaf_","cm_"}) { - if(key.startsWith(start)) { - props.put(key, es.getValue()); - } - } - } - // Second, overlay or fill in with Passed in Props - if(p!=null) { - props.putAll(p); - } - - // Third, load any Chained Property Files - load(props.getProperty(Config.CADI_PROP_FILES)); - - String sLevel = props.getProperty(Config.CADI_LOGLEVEL); - if(sLevel!=null) { - level=Level.valueOf(sLevel).maskOf(); - } - // Setup local Symmetrical key encryption - if(symm==null) { - try { - symm = Symm.obtain(this); - } catch (CadiException e) { - System.err.append("FATAL ERROR: Cannot obtain Key Information."); - e.printStackTrace(System.err); - System.exit(1); - } - } - - name = props.getProperty(Config.CADI_LOGNAME, name); - - specialConversions(); - } + public PropAccess() { + logIt = new StreamLogIt(System.out); + init(null); + } + + /** + * This Constructor soly exists to instantiate Servlet Context Based Logging that will 
call "init" later. + * @param sc + */ + protected PropAccess(Object o) { + logIt = new StreamLogIt(System.out); + props = new Properties(); + } + + public PropAccess(String ... args) { + this(System.out,args); + } + + public PropAccess(PrintStream ps, String[] args) { + logIt = new StreamLogIt(ps==null?System.out:ps); + init(logIt,args); + } + + public PropAccess(LogIt logit, String[] args) { + init(logit, args); + } + + public PropAccess(Properties p) { + this(System.out,p); + } + + public PropAccess(PrintStream ps, Properties p) { + logIt = new StreamLogIt(ps==null?System.out:ps); + init(p); + } + + protected void init(final LogIt logIt, final String[] args) { + this.logIt = logIt; + Properties nprops=new Properties(); + int eq; + for(String arg : args) { + if((eq=arg.indexOf('='))>0) { + nprops.setProperty(arg.substring(0, eq),arg.substring(eq+1)); + } + } + init(nprops); + } + + protected void init(Properties p) { + // Make sure these two are set before any changes in Logging + name = "cadi"; + level=DEFAULT.maskOf(); + + props = new Properties(); + // First, load related System Properties + for(Entry es : System.getProperties().entrySet()) { + String key = es.getKey().toString(); + for(String start : new String[] {"cadi_","aaf_","cm_"}) { + if(key.startsWith(start)) { + props.put(key, es.getValue()); + } + } + } + // Second, overlay or fill in with Passed in Props + if(p!=null) { + props.putAll(p); + } + + // Third, load any Chained Property Files + load(props.getProperty(Config.CADI_PROP_FILES)); + + String sLevel = props.getProperty(Config.CADI_LOGLEVEL); + if(sLevel!=null) { + level=Level.valueOf(sLevel).maskOf(); + } + // Setup local Symmetrical key encryption + if(symm==null) { + try { + symm = Symm.obtain(this); + } catch (CadiException e) { + System.err.append("FATAL ERROR: Cannot obtain Key Information."); + e.printStackTrace(System.err); + System.exit(1); + } + } + + name = props.getProperty(Config.CADI_LOGNAME, name); + + specialConversions(); + } - 
private void specialConversions() { - // Critical - if no Security Protocols set, then set it. We'll just get messed up if not - if(props.get(Config.CADI_PROTOCOLS)==null) { - props.setProperty(Config.CADI_PROTOCOLS, SecurityInfo.HTTPS_PROTOCOLS_DEFAULT); - } - - Object temp; - temp=props.get(Config.CADI_PROTOCOLS); - if(props.get(Config.HTTPS_PROTOCOLS)==null && temp!=null) { - props.put(Config.HTTPS_PROTOCOLS, temp); - } - - if(temp!=null) { - if("1.7".equals(System.getProperty("java.specification.version")) - && (temp==null || (temp instanceof String && ((String)temp).contains("TLSv1.2")))) { - System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT); - } - } - } + private void specialConversions() { + // Critical - if no Security Protocols set, then set it. We'll just get messed up if not + if(props.get(Config.CADI_PROTOCOLS)==null) { + props.setProperty(Config.CADI_PROTOCOLS, SecurityInfo.HTTPS_PROTOCOLS_DEFAULT); + } + + Object temp; + temp=props.get(Config.CADI_PROTOCOLS); + if(props.get(Config.HTTPS_PROTOCOLS)==null && temp!=null) { + props.put(Config.HTTPS_PROTOCOLS, temp); + } + + if(temp!=null) { + if("1.7".equals(System.getProperty("java.specification.version")) + && (temp==null || (temp instanceof String && ((String)temp).contains("TLSv1.2")))) { + System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT); + } + } + } - private void load(String cadi_prop_files) { - if(cadi_prop_files==null) { - return; - } - String prevKeyFile = props.getProperty(Config.CADI_KEYFILE); - int prev = 0, end = cadi_prop_files.length(); - int idx; - String filename; - while(prev(); - recursionProtection.add(cadi_prop_files); - } - if(!recursionProtection.contains(chainProp)) { - recursionProtection.add(chainProp); - load(chainProp); // recurse - } - } - } finally { - fis.close(); - } - } catch (Exception e) { - log(e,filename,"cannot be opened"); - } - } else { - printf(Level.WARN,"Warning: recursive CADI Property %s does 
not exist",file.getAbsolutePath()); - } - prev = idx+1; - } - - // Trim - for(Entry es : props.entrySet()) { - Object value = es.getValue(); - if(value instanceof String) { - String trim = ((String)value).trim(); - // Remove Beginning/End Quotes, which might be there if mixed with Bash Props - int s = 0, e=trim.length()-1; - if(s(); + recursionProtection.add(cadi_prop_files); + } + if(!recursionProtection.contains(chainProp)) { + recursionProtection.add(chainProp); + load(chainProp); // recurse + } + } + } finally { + fis.close(); + } + } catch (Exception e) { + log(e,filename,"cannot be opened"); + } + } else { + printf(Level.WARN,"Warning: recursive CADI Property %s does not exist",file.getAbsolutePath()); + } + prev = idx+1; + } + + // Trim + for(Entry es : props.entrySet()) { + Object value = es.getValue(); + if(value instanceof String) { + String trim = ((String)value).trim(); + // Remove Beginning/End Quotes, which might be there if mixed with Bash Props + int s = 0, e=trim.length()-1; + if(s0) { - switch(s.charAt(l-1)) { - case ' ': - break; - default: - sb.append(' '); - } - } - } - sb.append(s); - } - } - } - return sb; - } + public static StringBuilder buildMsg(final String name, final SimpleDateFormat sdf, Level level, Object[] elements) { + StringBuilder sb = new StringBuilder(sdf.format(new Date())); + sb.append(' '); + sb.append(level.name()); + sb.append(" ["); + sb.append(name); + + int end = elements.length; + if(end<=0) { + sb.append("] "); + } else { + int idx = 0; + if(elements[idx] instanceof Integer) { + sb.append('-'); + sb.append(elements[idx]); + ++idx; + } + sb.append("] "); + String s; + boolean first = true; + for(Object o : elements) { + if(o!=null) { + s=o.toString(); + if(first) { + first = false; + } else { + int l = s.length(); + if(l>0) { + switch(s.charAt(l-1)) { + case ' ': + break; + default: + sb.append(' '); + } + } + } + sb.append(s); + } + } + } + return sb; + } - @Override - public void log(Exception e, Object... 
elements) { - log(Level.ERROR,e.getMessage(),elements); - e.printStackTrace(System.err); - } + @Override + public void log(Exception e, Object... elements) { + log(Level.ERROR,e.getMessage(),elements); + e.printStackTrace(System.err); + } - @Override - public void printf(Level level, String fmt, Object... elements) { - if(willLog(level)) { - log(level,String.format(fmt, elements)); - } - } + @Override + public void printf(Level level, String fmt, Object... elements) { + if(willLog(level)) { + log(level,String.format(fmt, elements)); + } + } - @Override - public void setLogLevel(Level level) { - this.level = level.maskOf(); - } + @Override + public void setLogLevel(Level level) { + this.level = level.maskOf(); + } - @Override - public boolean willLog(Level level) { - return level.inMask(this.level); - } + @Override + public boolean willLog(Level level) { + return level.inMask(this.level); + } - @Override - public ClassLoader classLoader() { - return ClassLoader.getSystemClassLoader(); - } + @Override + public ClassLoader classLoader() { + return ClassLoader.getSystemClassLoader(); + } - @Override - public String getProperty(String tag, String def) { - return props.getProperty(tag,def); - } + @Override + public String getProperty(String tag, String def) { + return props.getProperty(tag,def); + } - @Override - public String decrypt(String encrypted, boolean anytext) throws IOException { - return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC))) - ? symm.depass(encrypted) - : encrypted; - } - - public String encrypt(String unencrypted) throws IOException { - return Symm.ENC+symm.enpass(unencrypted); - } + @Override + public String decrypt(String encrypted, boolean anytext) throws IOException { + return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC))) + ? 
symm.depass(encrypted) + : encrypted; + } + + public String encrypt(String unencrypted) throws IOException { + return Symm.ENC+symm.enpass(unencrypted); + } - ////////////////// - // Additional - ////////////////// - public String getProperty(String tag) { - return props.getProperty(tag); - } - + ////////////////// + // Additional + ////////////////// + public String getProperty(String tag) { + return props.getProperty(tag); + } + - public Properties getProperties() { - return props; - } + public Properties getProperties() { + return props; + } - public void setProperty(String tag, String value) { - if(value!=null) { - props.put(tag, value); - if(Config.CADI_KEYFILE.equals(tag)) { - // reset decryption too - try { - symm = Symm.obtain(this); - } catch (CadiException e) { - System.err.append("FATAL ERROR: Cannot obtain Key Information."); - e.printStackTrace(System.err); - System.exit(1); - } - } - } - } + public void setProperty(String tag, String value) { + if(value!=null) { + props.put(tag, value); + if(Config.CADI_KEYFILE.equals(tag)) { + // reset decryption too + try { + symm = Symm.obtain(this); + } catch (CadiException e) { + System.err.append("FATAL ERROR: Cannot obtain Key Information."); + e.printStackTrace(System.err); + System.exit(1); + } + } + } + } - public interface LogIt { - public void push(Level level, Object ... elements) ; - } - - private class StreamLogIt implements LogIt { - private PrintStream ps; - - public StreamLogIt(PrintStream ps) { - this.ps = ps; - } - @Override - public void push(Level level, Object ... elements) { - ps.println(buildMsg(level,elements)); - ps.flush(); - } - - } + public interface LogIt { + public void push(Level level, Object ... elements) ; + } + + private class StreamLogIt implements LogIt { + private PrintStream ps; + + public StreamLogIt(PrintStream ps) { + this.ps = ps; + } + @Override + public void push(Level level, Object ... 
elements) { + ps.println(buildMsg(level,elements)); + ps.flush(); + } + + } - public void set(LogIt logit) { - logIt = logit; - } + public void set(LogIt logit) { + logIt = logit; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Revalidator.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Revalidator.java index 125ac24c..66ba86ae 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/Revalidator.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Revalidator.java @@ -23,12 +23,12 @@ package org.onap.aaf.cadi; public interface Revalidator { - /** - * Re-Validate Credential - * - * @param prin - * @return - */ - public CachedPrincipal.Resp revalidate(TRANS trans, CachedPrincipal prin); + /** + * Re-Validate Credential + * + * @param prin + * @return + */ + public CachedPrincipal.Resp revalidate(TRANS trans, CachedPrincipal prin); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java index 31563017..194712e0 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java @@ -31,14 +31,14 @@ package org.onap.aaf.cadi; * */ public interface SecuritySetter { - public String getID(); - - public void setSecurity(CT client) throws CadiException; - - /** - * Returns number of bad logins registered - * @param respCode - * @return - */ - public int setLastResponse(int respCode); + public String getID(); + + public void setSecurity(CT client) throws CadiException; + + /** + * Returns number of bad logins registered + * @param respCode + * @return + */ + public int setLastResponse(int respCode); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java b/cadi/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java index 38a01a09..518ea6dd 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java 
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java 
@@ -28,40 +28,40 @@ import javax.servlet.ServletContext; public class ServletContextAccess extends PropAccess { - private ServletContext context; + private ServletContext context; - public ServletContextAccess(FilterConfig filterConfig) { - super(filterConfig); // protected constructor... does not have "init" called. - context = filterConfig.getServletContext(); + public ServletContextAccess(FilterConfig filterConfig) { + super(filterConfig); // protected constructor... does not have "init" called. + context = filterConfig.getServletContext(); - for(Enumeration en = filterConfig.getInitParameterNames();en.hasMoreElements();) { - String name = (String)en.nextElement(); - setProperty(name, filterConfig.getInitParameter(name)); - } - init(getProperties()); - } + for(Enumeration en = filterConfig.getInitParameterNames();en.hasMoreElements();) { + String name = (String)en.nextElement(); + setProperty(name, filterConfig.getInitParameter(name)); + } + init(getProperties()); + } - /* (non-Javadoc) - * @see org.onap.aaf.cadi.PropAccess#log(org.onap.aaf.cadi.Access.Level, java.lang.Object[]) - */ - @Override - public void log(Level level, Object... elements) { - if(willLog(level)) { - StringBuilder sb = buildMsg(level, elements); - context.log(sb.toString()); - } - } + /* (non-Javadoc) + * @see org.onap.aaf.cadi.PropAccess#log(org.onap.aaf.cadi.Access.Level, java.lang.Object[]) + */ + @Override + public void log(Level level, Object... elements) { + if(willLog(level)) { + StringBuilder sb = buildMsg(level, elements); + context.log(sb.toString()); + } + } - /* (non-Javadoc) - * @see org.onap.aaf.cadi.PropAccess#log(java.lang.Exception, java.lang.Object[]) - */ - @Override - public void log(Exception e, Object... elements) { - StringBuilder sb = buildMsg(Level.ERROR, elements); - context.log(sb.toString(),e); - } + /* (non-Javadoc) + * @see org.onap.aaf.cadi.PropAccess#log(java.lang.Exception, java.lang.Object[]) + */ + @Override + public void log(Exception e, Object... 
elements) { + StringBuilder sb = buildMsg(Level.ERROR, elements); + context.log(sb.toString(),e); + } - public ServletContext context() { - return context; - } + public ServletContext context() { + return context; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java index afc1d979..fd60b0c1 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java 
@@ -69,184 +69,184 @@ import org.onap.aaf.cadi.config.Config; * */ public class Symm { - private static final byte[] DOUBLE_EQ = new byte[] {'=','='}; - public static final String ENC = "enc:"; - private static final Object LOCK = new Object(); - private static final SecureRandom random = new SecureRandom(); - - public final char[] codeset; - private final int splitLinesAt; - private final String encoding; - private final Convert convert; - private final boolean endEquals; - private byte[] keyBytes = null; - //Note: AES Encryption is not Thread Safe. It is Synchronized - //private AES aes = null; // only initialized from File, and only if needed for Passwords - - /** - * This is the standard base64 Key Set. - * RFC 2045 - */ - public static final Symm base64 = new Symm( - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray() - ,76, Config.UTF_8,true); - - public static final Symm base64noSplit = new Symm( - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray() - ,Integer.MAX_VALUE, Config.UTF_8,true); - - /** - * This is the standard base64 set suitable for URLs and Filenames - * RFC 4648 - */ - public static final Symm base64url = new Symm( - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray() - ,76, Config.UTF_8,true); - - /** - * A Password set, using US-ASCII - * RFC 4648 - */ - public static final Symm encrypt = new Symm(base64url.codeset,1024, "US-ASCII", false); - private static final byte[] EMPTY = new byte[0]; - - /** - * A typical set of Password Chars - * Note, this is too large to fit into the algorithm. 
Only use with PassGen - */ - private static char passChars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+!@#$%^&*(){}[]?:;,.".toCharArray(); - - - private static Symm internalOnly = null; - - /** - * Use this to create special case Case Sets and/or Line breaks - * - * If you don't know why you need this, use the Singleton Method - * - * @param codeset - * @param split - */ - public Symm(char[] codeset, int split, String charset, boolean useEndEquals) { - this.codeset = codeset; - splitLinesAt = split; - encoding = charset; - endEquals = useEndEquals; - char prev = 0, curr=0, first = 0; - int offset=Integer.SIZE; // something that's out of range for integer array - - // There can be time efficiencies gained when the underlying keyset consists mainly of ordered - // data (i.e. abcde...). Therefore, we'll quickly analyze the keyset. If it proves to have - // too much entropy, the "Unordered" algorithm, which is faster in such cases is used. - ArrayList la = new ArrayList<>(); - for(int i=0;icodeset.length/3) { - convert = new Unordered(codeset); - } else { // too random to get speed enhancement from range algorithm - int[][] range = new int[la.size()][]; - la.toArray(range); - convert = new Ordered(range); - } - } - - public Symm copy(int lines) { - return new Symm(codeset,lines,encoding,endEquals); - } - - // Only used by keygen, which is intentionally randomized. Therefore, always use unordered - private Symm(char[] codeset, Symm parent) { - this.codeset = codeset; - splitLinesAt = parent.splitLinesAt; - endEquals = parent.endEquals; - encoding = parent.encoding; - convert = new Unordered(codeset); - } - - /** - * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc. - * @return - */ - @Deprecated - public static final Symm base64() { - return base64; - } - - /** - * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc. 
- * No Line Splitting - * @return - */ - @Deprecated - public static final Symm base64noSplit() { - return base64noSplit; - } - - /** - * Obtain the base64 "URL" behavior of this class, for use in File Names, etc. (no "/") - */ - @Deprecated - public static final Symm base64url() { - return base64url; - } - - /** - * Obtain a special ASCII version for Scripting, with base set of base64url use in File Names, etc. (no "/") - */ - public static final Symm baseCrypt() { - return encrypt; - } - - public T exec(SyncExec exec) throws Exception { - synchronized(LOCK) { - if(keyBytes == null) { - keyBytes = new byte[AES.AES_KEY_SIZE/8]; - int offset = (Math.abs(codeset[0])+47)%(codeset.length-keyBytes.length); - for(int i=0;i { - public T exec(Encryption enc) throws IOException, Exception; - } - + private static final byte[] DOUBLE_EQ = new byte[] {'=','='}; + public static final String ENC = "enc:"; + private static final Object LOCK = new Object(); + private static final SecureRandom random = new SecureRandom(); + + public final char[] codeset; + private final int splitLinesAt; + private final String encoding; + private final Convert convert; + private final boolean endEquals; + private byte[] keyBytes = null; + //Note: AES Encryption is not Thread Safe. It is Synchronized + //private AES aes = null; // only initialized from File, and only if needed for Passwords + + /** + * This is the standard base64 Key Set. 
+ * RFC 2045 + */ + public static final Symm base64 = new Symm( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray() + ,76, Config.UTF_8,true); + + public static final Symm base64noSplit = new Symm( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray() + ,Integer.MAX_VALUE, Config.UTF_8,true); + + /** + * This is the standard base64 set suitable for URLs and Filenames + * RFC 4648 + */ + public static final Symm base64url = new Symm( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray() + ,76, Config.UTF_8,true); + + /** + * A Password set, using US-ASCII + * RFC 4648 + */ + public static final Symm encrypt = new Symm(base64url.codeset,1024, "US-ASCII", false); + private static final byte[] EMPTY = new byte[0]; + + /** + * A typical set of Password Chars + * Note, this is too large to fit into the algorithm. Only use with PassGen + */ + private static char passChars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+!@#$%^&*(){}[]?:;,.".toCharArray(); + + + private static Symm internalOnly = null; + + /** + * Use this to create special case Case Sets and/or Line breaks + * + * If you don't know why you need this, use the Singleton Method + * + * @param codeset + * @param split + */ + public Symm(char[] codeset, int split, String charset, boolean useEndEquals) { + this.codeset = codeset; + splitLinesAt = split; + encoding = charset; + endEquals = useEndEquals; + char prev = 0, curr=0, first = 0; + int offset=Integer.SIZE; // something that's out of range for integer array + + // There can be time efficiencies gained when the underlying keyset consists mainly of ordered + // data (i.e. abcde...). Therefore, we'll quickly analyze the keyset. If it proves to have + // too much entropy, the "Unordered" algorithm, which is faster in such cases is used. 
+ ArrayList la = new ArrayList<>(); + for(int i=0;icodeset.length/3) { + convert = new Unordered(codeset); + } else { // too random to get speed enhancement from range algorithm + int[][] range = new int[la.size()][]; + la.toArray(range); + convert = new Ordered(range); + } + } + + public Symm copy(int lines) { + return new Symm(codeset,lines,encoding,endEquals); + } + + // Only used by keygen, which is intentionally randomized. Therefore, always use unordered + private Symm(char[] codeset, Symm parent) { + this.codeset = codeset; + splitLinesAt = parent.splitLinesAt; + endEquals = parent.endEquals; + encoding = parent.encoding; + convert = new Unordered(codeset); + } + + /** + * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc. + * @return + */ + @Deprecated + public static final Symm base64() { + return base64; + } + + /** + * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc. + * No Line Splitting + * @return + */ + @Deprecated + public static final Symm base64noSplit() { + return base64noSplit; + } + + /** + * Obtain the base64 "URL" behavior of this class, for use in File Names, etc. (no "/") + */ + @Deprecated + public static final Symm base64url() { + return base64url; + } + + /** + * Obtain a special ASCII version for Scripting, with base set of base64url use in File Names, etc. 
(no "/") + */ + public static final Symm baseCrypt() { + return encrypt; + } + + public T exec(SyncExec exec) throws Exception { + synchronized(LOCK) { + if(keyBytes == null) { + keyBytes = new byte[AES.AES_KEY_SIZE/8]; + int offset = (Math.abs(codeset[0])+47)%(codeset.length-keyBytes.length); + for(int i=0;i { + public T exec(Encryption enc) throws IOException, Exception; + } + public byte[] encode(byte[] toEncrypt) throws IOException { - if(toEncrypt==null) { - return EMPTY; - } else { - ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(toEncrypt.length*1.25)); - encode(new ByteArrayInputStream(toEncrypt),baos); - return baos.toByteArray(); - } - } + if(toEncrypt==null) { + return EMPTY; + } else { + ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(toEncrypt.length*1.25)); + encode(new ByteArrayInputStream(toEncrypt),baos); + return baos.toByteArray(); + } + } public byte[] decode(byte[] encrypted) throws IOException { - ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(encrypted.length*1.25)); - decode(new ByteArrayInputStream(encrypted),baos); - return baos.toByteArray(); - } + ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(encrypted.length*1.25)); + decode(new ByteArrayInputStream(encrypted),baos); + return baos.toByteArray(); + } - /** + /** * Helper function for String API of "Encode" * use "getBytes" with appropriate char encoding, etc. * 
@@ -255,22 +255,22 @@ public class Symm { * @throws IOException */ public String encode(String str) throws IOException { - byte[] array; - boolean useDefaultEncoding = false; - try { - array = str.getBytes(encoding); - } catch (IOException e) { - array = str.getBytes(); // take default - useDefaultEncoding = true; - } - // Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code - ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*1.363)); // account for 4 bytes for 3 and a byte or two more - - encode(new ByteArrayInputStream(array),baos); - if (useDefaultEncoding) { - return baos.toString(); - } - return baos.toString(encoding); + byte[] array; + boolean useDefaultEncoding = false; + try { + array = str.getBytes(encoding); + } catch (IOException e) { + array = str.getBytes(); // take default + useDefaultEncoding = true; + } + // Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code + ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*1.363)); // account for 4 bytes for 3 and a byte or two more + + encode(new ByteArrayInputStream(array),baos); + if (useDefaultEncoding) { + return baos.toString(); + } + return baos.toString(encoding); } /** 
@@ -281,24 +281,24 @@ public class Symm { * @throws IOException */ public String decode(String str) throws IOException { - byte[] array; - boolean useDefaultEncoding = false; - try { - array = str.getBytes(encoding); - } catch (IOException e) { - array = str.getBytes(); // take default - useDefaultEncoding = true; - } - // Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code - ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*.76)); // Decoding is 3 bytes for 4. Allocate slightly more than 3/4s - decode(new ByteArrayInputStream(array), baos); - if (useDefaultEncoding) { - return baos.toString(); - } - return baos.toString(encoding); - } - - /** + byte[] array; + boolean useDefaultEncoding = false; + try { + array = str.getBytes(encoding); + } catch (IOException e) { + array = str.getBytes(); // take default + useDefaultEncoding = true; + } + // Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code + ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*.76)); // Decoding is 3 bytes for 4. Allocate slightly more than 3/4s + decode(new ByteArrayInputStream(array), baos); + if (useDefaultEncoding) { + return baos.toString(); + } + return baos.toString(encoding); + } + + /** * Convenience Function * * encode String into InputStream and call encode(InputStream, OutputStream) 
@@ -307,29 +307,29 @@ public class Symm { * @param out * @throws IOException */ - public void encode(String string, OutputStream out) throws IOException { - encode(new ByteArrayInputStream(string.getBytes()),out); - } - - /** - * Convenience Function - * - * encode String into InputStream and call decode(InputStream, OutputStream) - * - * @param string - * @param out - * @throws IOException - */ - public void decode(String string, OutputStream out) throws IOException { - decode(new ByteArrayInputStream(string.getBytes()),out); - } + public void encode(String string, OutputStream out) throws IOException { + encode(new ByteArrayInputStream(string.getBytes()),out); + } + + /** + * Convenience Function + * + * encode String into InputStream and call decode(InputStream, OutputStream) + * + * @param string + * @param out + * @throws IOException + */ + public void decode(String string, OutputStream out) throws IOException { + decode(new ByteArrayInputStream(string.getBytes()),out); + } public void encode(InputStream is, OutputStream os, byte[] prefix) throws IOException { - os.write(prefix); - encode(is,os); + os.write(prefix); + encode(is,os); } - /** + /** * encode InputStream onto Output Stream * * @param is 
@@ -338,95 +338,95 @@ public class Symm { * @throws IOException */ public void encode(InputStream is, OutputStream os) throws IOException { - // StringBuilder sb = new StringBuilder((int)(estimate*1.255)); // try to get the right size of StringBuilder from start.. slightly more than 1.25 times - int prev=0; - int read, idx=0, line=0; - boolean go; - do { - read = is.read(); - if(go = read>=0) { - if(line>=splitLinesAt) { - os.write('\n'); - line = 0; - } - switch(++idx) { // 1 based reading, slightly faster ++ - case 1: // ptr is the first 6 bits of read - os.write(codeset[read>>2]); - prev = read; - break; - case 2: // ptr is the last 2 bits of prev followed by the first 4 bits of read - os.write(codeset[((prev & 0x03)<<4) | (read>>4)]); - prev = read; - break; - default: //(3+) - // Char 1 is last 4 bits of prev plus the first 2 bits of read - // Char 2 is the last 6 bits of read - os.write(codeset[(((prev & 0xF)<<2) | (read>>6))]); - if(line==splitLinesAt) { // deal with line splitting for two characters - os.write('\n'); - line=0; - } - os.write(codeset[(read & 0x3F)]); - ++line; - idx = 0; - prev = 0; - } - ++line; - } else { // deal with any remaining bits from Prev, then pad - switch(idx) { - case 1: // just the last 2 bits of prev - os.write(codeset[(prev & 0x03)<<4]); - if(endEquals)os.write(DOUBLE_EQ); - break; - case 2: // just the last 4 bits of prev - os.write(codeset[(prev & 0xF)<<2]); - if(endEquals)os.write('='); - break; - } - idx = 0; - } - - } while(go); + // StringBuilder sb = new StringBuilder((int)(estimate*1.255)); // try to get the right size of StringBuilder from start.. 
slightly more than 1.25 times + int prev=0; + int read, idx=0, line=0; + boolean go; + do { + read = is.read(); + if(go = read>=0) { + if(line>=splitLinesAt) { + os.write('\n'); + line = 0; + } + switch(++idx) { // 1 based reading, slightly faster ++ + case 1: // ptr is the first 6 bits of read + os.write(codeset[read>>2]); + prev = read; + break; + case 2: // ptr is the last 2 bits of prev followed by the first 4 bits of read + os.write(codeset[((prev & 0x03)<<4) | (read>>4)]); + prev = read; + break; + default: //(3+) + // Char 1 is last 4 bits of prev plus the first 2 bits of read + // Char 2 is the last 6 bits of read + os.write(codeset[(((prev & 0xF)<<2) | (read>>6))]); + if(line==splitLinesAt) { // deal with line splitting for two characters + os.write('\n'); + line=0; + } + os.write(codeset[(read & 0x3F)]); + ++line; + idx = 0; + prev = 0; + } + ++line; + } else { // deal with any remaining bits from Prev, then pad + switch(idx) { + case 1: // just the last 2 bits of prev + os.write(codeset[(prev & 0x03)<<4]); + if(endEquals)os.write(DOUBLE_EQ); + break; + case 2: // just the last 4 bits of prev + os.write(codeset[(prev & 0xF)<<2]); + if(endEquals)os.write('='); + break; + } + idx = 0; + } + + } while(go); } public void decode(InputStream is, OutputStream os, int skip) throws IOException { - if(is.skip(skip)!=skip) { - throw new IOException("Error skipping on IOStream in Symm"); - } - decode(is,os); + if(is.skip(skip)!=skip) { + throw new IOException("Error skipping on IOStream in Symm"); + } + decode(is,os); } /** - * Decode InputStream onto OutputStream - * @param is - * @param os - * @throws IOException - */ + * Decode InputStream onto OutputStream + * @param is + * @param os + * @throws IOException + */ public void decode(InputStream is, OutputStream os) throws IOException { - int read, idx=0; - int prev=0, index; - while((read = is.read())>=0) { - index = convert.convert(read); - if(index>=0) { - switch(++idx) { // 1 based cases, slightly faster ++ - 
case 1: // index goes into first 6 bits of prev - prev = index<<2; - break; - case 2: // write second 2 bits of into prev, write byte, last 4 bits go into prev - os.write((byte)(prev|(index>>4))); - prev = index<<4; - break; - case 3: // first 4 bits of index goes into prev, write byte, last 2 bits go into prev - os.write((byte)(prev|(index>>2))); - prev = index<<6; - break; - default: // (3+) | prev and last six of index - os.write((byte)(prev|(index&0x3F))); - idx = prev = 0; - } - } - }; - os.flush(); + int read, idx=0; + int prev=0, index; + while((read = is.read())>=0) { + index = convert.convert(read); + if(index>=0) { + switch(++idx) { // 1 based cases, slightly faster ++ + case 1: // index goes into first 6 bits of prev + prev = index<<2; + break; + case 2: // write second 2 bits of into prev, write byte, last 4 bits go into prev + os.write((byte)(prev|(index>>4))); + prev = index<<4; + break; + case 3: // first 4 bits of index goes into prev, write byte, last 2 bits go into prev + os.write((byte)(prev|(index>>2))); + prev = index<<6; + break; + default: // (3+) | prev and last six of index + os.write((byte)(prev|(index&0x3F))); + idx = prev = 0; + } + } + }; + os.flush(); } /** @@ -435,7 +435,7 @@ public class Symm { * */ private interface Convert { - public int convert(int read) throws IOException; + public int convert(int read) throws IOException; } /** 
@@ -445,27 +445,27 @@ public class Symm { * */ private static final class Ordered implements Convert { - private int[][] range; - public Ordered(int[][] range) { - this.range = range; - } - public int convert(int read) throws IOException { - // System.out.print((char)read); - switch(read) { - case -1: - case '=': - case ' ': - case '\n': - case '\r': - return -1; - } - for(int i=0;i= range[i][0] && read<=range[i][1]) { - return read-range[i][2]; - } - } - throw new IOException("Unacceptable Character in Stream"); - } + private int[][] range; + public Ordered(int[][] range) { + this.range = range; + } + public int convert(int read) throws IOException { + // System.out.print((char)read); + switch(read) { + case -1: + case '=': + case ' ': + case '\n': + case '\r': + return -1; + } + for(int i=0;i= range[i][0] && read<=range[i][1]) { + return read-range[i][2]; + } + } + throw new IOException("Unacceptable Character in Stream"); + } } /** 
@@ -475,24 +475,24 @@ public class Symm { * */ private static final class Unordered implements Convert { - private char[] codec; - public Unordered(char[] codec) { - this.codec = codec; - } - public int convert(int read) throws IOException { - switch(read) { - case -1: - case '=': - case '\n': - case '\r': - return -1; - } - for(int i=0;i() { - @Override - public Void exec(Encryption enc) throws Exception { - CipherInputStream cis = enc.inputStream(new ByteArrayInputStream(baos.toByteArray()), true); - try { - encode(cis,os); - } finally { - os.flush(); - cis.close(); - } - return null; - } - }); - } catch (IOException e) { - throw e; - } catch (Exception e) { - throw new IOException(e); - } - } + if(password==null) { + throw new IOException("Invalid password passed"); + } + final ByteArrayOutputStream baos = new ByteArrayOutputStream(); + DataOutputStream dos = new DataOutputStream(baos); + byte[] bytes = password.getBytes(); + if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization + dos.write(bytes); + } else { + + Random r = new SecureRandom(); + int start = 0; + byte b; + for(int i=0;i<3;++i) { + dos.writeByte(b=(byte)r.nextInt()); + start+=Math.abs(b); + } + start%=0x7; + for(int i=0;i() { + @Override + public Void exec(Encryption enc) throws Exception { + CipherInputStream cis = enc.inputStream(new ByteArrayInputStream(baos.toByteArray()), true); + try { + encode(cis,os); + } finally { + os.flush(); + cis.close(); + } + return null; + } + }); + } catch (IOException e) { + throw e; + } catch (Exception e) { + throw new IOException(e); + } + } /** * Decrypt a password into a String 
@@ -733,10 +733,10 @@ public class Symm { * @throws IOException */ public String depass(String password) throws IOException { - if(password==null)return null; - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - depass(password,baos); - return new String(baos.toByteArray()); + if(password==null)return null; + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + depass(password,baos); + return new String(baos.toByteArray()); } /** 
@@ -750,68 +750,68 @@ public class Symm { * @throws IOException */ public long depass(final String password, final OutputStream os) throws IOException { - int offset = password.startsWith(ENC)?4:0; - final ByteArrayOutputStream baos = new ByteArrayOutputStream(); - final ByteArrayInputStream bais = new ByteArrayInputStream(password.getBytes(),offset,password.length()-offset); - try { - exec(new SyncExec() { - @Override - public Void exec(Encryption enc) throws IOException { - CipherOutputStream cos = enc.outputStream(baos, false); - decode(bais,cos); - cos.close(); // flush - return null; - } - }); - } catch (IOException e) { - throw e; - } catch (Exception e) { - throw new IOException(e); - } - - byte[] bytes = baos.toByteArray(); - DataInputStream dis = new DataInputStream(new ByteArrayInputStream(bytes)); - long time; - if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization - os.write(bytes); - time = 0L; - } else { - int start=0; - for(int i=0;i<3;++i) { - start+=Math.abs(dis.readByte()); - } - start%=0x7; - for(int i=0;i() { + @Override + public Void exec(Encryption enc) throws IOException { + CipherOutputStream cos = enc.outputStream(baos, false); + decode(bais,cos); + cos.close(); // flush + return null; + } + }); + } catch (IOException e) { + throw e; + } catch (Exception e) { + throw new IOException(e); + } + + byte[] bytes = baos.toByteArray(); + DataInputStream dis = new DataInputStream(new ByteArrayInputStream(bytes)); + long time; + if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization + os.write(bytes); + time = 0L; + } else { + int start=0; + for(int i=0;i<3;++i) { + start+=Math.abs(dis.readByte()); + } + start%=0x7; + for(int i=0;i=0) { - index = o.next(); - if(index<0 || index>=codeset.length) { - System.out.println("uh, oh"); - } - if(right) { // alternate going left or right to find the next open slot (keeps it from taking too long to hit something) - for(int j=index;j=0;--j) { 
- if(seq[j]==0) { - seq[j]=codeset[filled]; - --filled; - break; - } - } - right = true; - } - } - Symm newSymm = new Symm(seq,this); - // Set the KeyBytes - try { - newSymm.keyBytes = new byte[AES.AES_KEY_SIZE/8]; - int offset = (Math.abs(key[(47%key.length)])+137)%(key.length-newSymm.keyBytes.length); - for(int i=0;i=0) { + index = o.next(); + if(index<0 || index>=codeset.length) { + System.out.println("uh, oh"); + } + if(right) { // alternate going left or right to find the next open slot (keeps it from taking too long to hit something) + for(int j=index;j=0;--j) { + if(seq[j]==0) { + seq[j]=codeset[filled]; + --filled; + break; + } + } + right = true; + } + } + Symm newSymm = new Symm(seq,this); + // Set the KeyBytes + try { + newSymm.keyBytes = new byte[AES.AES_KEY_SIZE/8]; + int offset = (Math.abs(key[(47%key.length)])+137)%(key.length-newSymm.keyBytes.length); + for(int i=0;i { - /** - * Mutate the (assumed validated) Principal into the expected Principal name to be used to construct - * - * @param p - * @return - */ - public T mutate(Principal p); + /** + * Mutate the (assumed validated) Principal into the expected Principal name to be used to construct + * + * @param p + * @return + */ + public T mutate(Principal p); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java b/cadi/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java index fabec0b0..6b1433f4 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java 
@@ -32,21 +32,21 @@ import org.onap.aaf.cadi.taf.TafResp; * */ public interface TrustChecker { - public TafResp mayTrust(TafResp tresp, HttpServletRequest req); - - /** - * A class that trusts no-one else, so just return same TResp - */ - public static TrustChecker NOTRUST = new TrustChecker() { - @Override - public TafResp mayTrust(TafResp tresp, HttpServletRequest req) { - return tresp; - } + public TafResp mayTrust(TafResp tresp, HttpServletRequest req); + + /** + * A class that trusts no-one else, so just return same TResp + */ + public static TrustChecker NOTRUST = new TrustChecker() { + @Override + public TafResp mayTrust(TafResp tresp, HttpServletRequest req) { + return tresp; + } - @Override - public void setLur(Lur lur) { - } - }; + @Override + public void setLur(Lur lur) { + } + }; - public void setLur(Lur lur); + public void setLur(Lur lur); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/User.java b/cadi/core/src/main/java/org/onap/aaf/cadi/User.java index 34aaf170..512f2e6a 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/User.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/User.java 
@@ -36,142 +36,142 @@ import org.onap.aaf.cadi.lur.LocalPermission; * */ public final class User { - private static final Map NULL_MAP = new HashMap<>(); - public String name; - private byte[] cred; - public Principal principal; - Map perms ; - long permExpires; - private final long interval; - int count; - - // Note: This should only be used for Local RBAC (in memory) - public User(Principal principal) { - this.principal = principal; - name = principal.getName(); - perms = NULL_MAP; - permExpires = Long.MAX_VALUE; // Never. Well, until 64 bits of millis since 1970 expires... - interval = 0L; - count = 0; - } - - public User(String name, byte[] cred) { - this.principal = null; - this.name = name; - this.cred = cred; - perms = NULL_MAP; - permExpires = Long.MAX_VALUE; // Never. Well, until 64 bits of millis since 1970 expires... - interval = 0L; - count = 0; - } - - public User(Principal principal, long expireInterval) { - this.principal = principal; - this.name = principal.getName(); - perms = NULL_MAP; - expireInterval = Math.max(expireInterval, 0); // avoid < 1 - interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL)); - count = 0; - renewPerm(); - renewPerm(); - } - - public User(String name, byte[] cred, long expireInterval) { - this.principal = null; - this.name = name; - this.cred = cred; - perms = NULL_MAP; - expireInterval = Math.max(expireInterval, 0); // avoid < 1 - interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL)); - count = 0; - renewPerm(); - } - - public void renewPerm() { - permExpires = System.currentTimeMillis()+interval; - } - - public long permExpires() { - return permExpires; - } - - public boolean permExpired() { - return System.currentTimeMillis() > permExpires; - } - - public boolean noPerms() { - return perms==null || perms==NULL_MAP || perms.values().size()==0; - } - - public synchronized void setNoPerms() { - perms=NULL_MAP; - renewPerm(); - } - - 
public boolean permsUnloaded() { - return perms==null || perms==NULL_MAP; - } - - public synchronized void incCount() { - ++count; - } - - public synchronized void resetCount() { - count=0; - } - - public Map newMap() { - return new ConcurrentHashMap<>(); - } - - public void add(LocalPermission permission) { - if(perms==NULL_MAP) { - perms=newMap(); - } - perms.put(permission.getKey(),permission); - } - - public void add(Map newMap, PERM permission) { - newMap.put(permission.getKey(),permission); - } - - public synchronized void setMap(Map newMap) { - perms = newMap; - renewPerm(); - } - - public boolean contains(Permission perm) { - for (Permission p : perms.values()) { - if (p.match(perm)) return true; - } - return false; - } - - public void copyPermsTo(List sink) { - sink.addAll(perms.values()); - } - - public String toString() { - StringBuilder sb = new StringBuilder(); - sb.append(principal.getName()); - sb.append('|'); - boolean first = true; - synchronized(perms) { - for(Permission gp : perms.values()) { - if(first) { - first = false; - sb.append(':'); - } else { - sb.append(','); - } - sb.append(gp.getKey()); - } - } - return sb.toString(); - } - - public byte[] getCred() { - return cred; - } + private static final Map NULL_MAP = new HashMap<>(); + public String name; + private byte[] cred; + public Principal principal; + Map perms ; + long permExpires; + private final long interval; + int count; + + // Note: This should only be used for Local RBAC (in memory) + public User(Principal principal) { + this.principal = principal; + name = principal.getName(); + perms = NULL_MAP; + permExpires = Long.MAX_VALUE; // Never. Well, until 64 bits of millis since 1970 expires... + interval = 0L; + count = 0; + } + + public User(String name, byte[] cred) { + this.principal = null; + this.name = name; + this.cred = cred; + perms = NULL_MAP; + permExpires = Long.MAX_VALUE; // Never. Well, until 64 bits of millis since 1970 expires... 
+ interval = 0L; + count = 0; + } + + public User(Principal principal, long expireInterval) { + this.principal = principal; + this.name = principal.getName(); + perms = NULL_MAP; + expireInterval = Math.max(expireInterval, 0); // avoid < 1 + interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL)); + count = 0; + renewPerm(); + renewPerm(); + } + + public User(String name, byte[] cred, long expireInterval) { + this.principal = null; + this.name = name; + this.cred = cred; + perms = NULL_MAP; + expireInterval = Math.max(expireInterval, 0); // avoid < 1 + interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL)); + count = 0; + renewPerm(); + } + + public void renewPerm() { + permExpires = System.currentTimeMillis()+interval; + } + + public long permExpires() { + return permExpires; + } + + public boolean permExpired() { + return System.currentTimeMillis() > permExpires; + } + + public boolean noPerms() { + return perms==null || perms==NULL_MAP || perms.values().size()==0; + } + + public synchronized void setNoPerms() { + perms=NULL_MAP; + renewPerm(); + } + + public boolean permsUnloaded() { + return perms==null || perms==NULL_MAP; + } + + public synchronized void incCount() { + ++count; + } + + public synchronized void resetCount() { + count=0; + } + + public Map newMap() { + return new ConcurrentHashMap<>(); + } + + public void add(LocalPermission permission) { + if(perms==NULL_MAP) { + perms=newMap(); + } + perms.put(permission.getKey(),permission); + } + + public void add(Map newMap, PERM permission) { + newMap.put(permission.getKey(),permission); + } + + public synchronized void setMap(Map newMap) { + perms = newMap; + renewPerm(); + } + + public boolean contains(Permission perm) { + for (Permission p : perms.values()) { + if (p.match(perm)) return true; + } + return false; + } + + public void copyPermsTo(List sink) { + sink.addAll(perms.values()); + } + + public String toString() 
{ + StringBuilder sb = new StringBuilder(); + sb.append(principal.getName()); + sb.append('|'); + boolean first = true; + synchronized(perms) { + for(Permission gp : perms.values()) { + if(first) { + first = false; + sb.append(':'); + } else { + sb.append(','); + } + sb.append(gp.getKey()); + } + } + return sb.toString(); + } + + public byte[] getCred() { + return cred; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/UserChain.java b/cadi/core/src/main/java/org/onap/aaf/cadi/UserChain.java index 9d8f2b04..f6a98085 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/UserChain.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/UserChain.java @@ -38,6 +38,6 @@ package org.onap.aaf.cadi; * */ public interface UserChain { - public enum Protocol {BasicAuth,Cookie,Cert,OAuth}; - public String userChain(); + public enum Protocol {BasicAuth,Cookie,Cert,OAuth}; + public String userChain(); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java index 8cb6ae06..4784d1ee 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java 
@@ -67,739 +67,739 @@ import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf; */ public class Config { - private static final String AAF_V2_0 = "org.onap.aaf.cadi.aaf.v2_0"; - private static final String AAF_V2_0_AAFCON = AAF_V2_0+".AAFCon"; - private static final String AAF_V2_0_AAF_LUR_PERM = AAF_V2_0+".AAFLurPerm"; - private static final String OAUTH = "org.onap.auth.oauth"; - private static final String OAUTH_TOKEN_MGR = OAUTH+".TokenMgr"; - private static final String OAUTH_HTTP_TAF = OAUTH+".OAuth2HttpTaf"; - private static final String OAUTH_DIRECT_TAF = OAUTH+".OAuthDirectTAF"; - public static final String UTF_8 = "UTF-8"; - - // Property Names associated with configurations. - // As of 1.0.2, these have had the dots removed so as to be compatible with JavaBean style - // configurations as well as property list style. - public static final String HOSTNAME = "hostname"; - public static final String CADI_PROP_FILES = "cadi_prop_files"; // Additional Properties files (separate with ;) - public static final String CADI_LOGLEVEL = "cadi_loglevel"; - public static final String CADI_LOGDIR = "cadi_log_dir"; - public static final String CADI_ETCDIR = "cadi_etc_dir"; - public static final String CADI_LOGNAME = "cadi_logname"; - public static final String CADI_KEYFILE = "cadi_keyfile"; - public static final String CADI_KEYSTORE = "cadi_keystore"; - public static final String CADI_KEYSTORE_PASSWORD = "cadi_keystore_password"; - public static final String CADI_ALIAS = "cadi_alias"; - public static final String CADI_LOGINPAGE_URL = "cadi_loginpage_url"; - public static final String CADI_LATITUDE = "cadi_latitude"; - public static final String CADI_LONGITUDE = "cadi_longitude"; - - - public static final String CADI_KEY_PASSWORD = "cadi_key_password"; - public static final String CADI_TRUSTSTORE = "cadi_truststore"; - public static final String CADI_TRUSTSTORE_PASSWORD = "cadi_truststore_password"; - public static final String CADI_X509_ISSUERS = "cadi_x509_issuers"; - 
public static final String CADI_TRUST_MASKS="cadi_trust_masks"; - public static final String CADI_TRUST_PERM="cadi_trust_perm"; // IDs with this perm can utilize the "AS " user concept - public static final String CADI_PROTOCOLS = "cadi_protocols"; - public static final String CADI_NOAUTHN = "cadi_noauthn"; - public static final String CADI_LOC_LIST = "cadi_loc_list"; - - public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain"; - public static final String CADI_USER_CHAIN = "USER_CHAIN"; - - public static final String CADI_OAUTH2_URL="cadi_oauth2_url"; - public static final String CADI_TOKEN_DIR = "cadi_token_dir"; + private static final String AAF_V2_0 = "org.onap.aaf.cadi.aaf.v2_0"; + private static final String AAF_V2_0_AAFCON = AAF_V2_0+".AAFCon"; + private static final String AAF_V2_0_AAF_LUR_PERM = AAF_V2_0+".AAFLurPerm"; + private static final String OAUTH = "org.onap.auth.oauth"; + private static final String OAUTH_TOKEN_MGR = OAUTH+".TokenMgr"; + private static final String OAUTH_HTTP_TAF = OAUTH+".OAuth2HttpTaf"; + private static final String OAUTH_DIRECT_TAF = OAUTH+".OAuthDirectTAF"; + public static final String UTF_8 = "UTF-8"; + + // Property Names associated with configurations. + // As of 1.0.2, these have had the dots removed so as to be compatible with JavaBean style + // configurations as well as property list style. 
+ public static final String HOSTNAME = "hostname"; + public static final String CADI_PROP_FILES = "cadi_prop_files"; // Additional Properties files (separate with ;) + public static final String CADI_LOGLEVEL = "cadi_loglevel"; + public static final String CADI_LOGDIR = "cadi_log_dir"; + public static final String CADI_ETCDIR = "cadi_etc_dir"; + public static final String CADI_LOGNAME = "cadi_logname"; + public static final String CADI_KEYFILE = "cadi_keyfile"; + public static final String CADI_KEYSTORE = "cadi_keystore"; + public static final String CADI_KEYSTORE_PASSWORD = "cadi_keystore_password"; + public static final String CADI_ALIAS = "cadi_alias"; + public static final String CADI_LOGINPAGE_URL = "cadi_loginpage_url"; + public static final String CADI_LATITUDE = "cadi_latitude"; + public static final String CADI_LONGITUDE = "cadi_longitude"; + + + public static final String CADI_KEY_PASSWORD = "cadi_key_password"; + public static final String CADI_TRUSTSTORE = "cadi_truststore"; + public static final String CADI_TRUSTSTORE_PASSWORD = "cadi_truststore_password"; + public static final String CADI_X509_ISSUERS = "cadi_x509_issuers"; + public static final String CADI_TRUST_MASKS="cadi_trust_masks"; + public static final String CADI_TRUST_PERM="cadi_trust_perm"; // IDs with this perm can utilize the "AS " user concept + public static final String CADI_PROTOCOLS = "cadi_protocols"; + public static final String CADI_NOAUTHN = "cadi_noauthn"; + public static final String CADI_LOC_LIST = "cadi_loc_list"; + + public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain"; + public static final String CADI_USER_CHAIN = "USER_CHAIN"; + + public static final String CADI_OAUTH2_URL="cadi_oauth2_url"; + public static final String CADI_TOKEN_DIR = "cadi_token_dir"; public static final String HTTPS_PROTOCOLS = "https.protocols"; public static final String HTTPS_CIPHER_SUITES = "https.cipherSuites"; public static final String 
HTTPS_CLIENT_PROTOCOLS="jdk.tls.client.protocols"; public static final String HTTPS_CIPHER_SUITES_DEFAULT="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," - + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," - + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA," - + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA," - + "TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," - + "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; - - - public static final String LOCALHOST_ALLOW = "localhost_allow"; - public static final String LOCALHOST_DENY = "localhost_deny"; - - public static final String BASIC_REALM = "basic_realm"; // what is sent to the client - public static final String BASIC_WARN = "basic_warn"; // Warning of insecure channel - public static final String USERS = "local_users"; - public static final String GROUPS = "local_groups"; - public static final String WRITE_TO = "local_writeto"; // dump RBAC to local file in Tomcat Style (some apps use) - - public static final String OAUTH_CLIENT_ID="client_id"; - public static final String OAUTH_CLIENT_SECRET="client_secret"; - - public static final String AAF_ENV = "aaf_env"; - public static final String AAF_ROOT_NS = "aaf_root_ns"; - public static final String AAF_ROOT_NS_DEF = "org.osaaf.aaf"; - public static final String AAF_ROOT_COMPANY = "aaf_root_company"; - public static final String AAF_LOCATE_URL = "aaf_locate_url"; //URL for AAF locator - private static final String AAF_LOCATE_URL_TAG = "AAF_LOCATE_URL"; // Name of Above for use in Config Variables. - public static final String AAF_DEFAULT_VERSION = "2.1"; - public static final String AAF_URL = "aaf_url"; //URL for AAF... 
Use to trigger AAF configuration - public static final String AAF_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.service:" + AAF_DEFAULT_VERSION; - public static final String GUI_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.gui:" + AAF_DEFAULT_VERSION; - public static final String CM_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.cm:" + AAF_DEFAULT_VERSION; - public static final String FS_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.fs:" + AAF_DEFAULT_VERSION; - public static final String HELLO_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.hello:" + AAF_DEFAULT_VERSION; - public static final String OAUTH2_TOKEN_URL = "https://AAF_LOCATE_URL/AAF_NS.token:" + AAF_DEFAULT_VERSION; - public static final String OAUTH2_INTROSPECT_URL = "https://AAF_LOCATE_URL/AAF_NS.introspect:" + AAF_DEFAULT_VERSION; - - public static final String AAF_REGISTER_AS = "aaf_register_as"; - public static final String AAF_APPID = "aaf_id"; - public static final String AAF_APPPASS = "aaf_password"; - public static final String AAF_LUR_CLASS = "aaf_lur_class"; - public static final String AAF_TAF_CLASS = "aaf_taf_class"; - public static final String AAF_CONNECTOR_CLASS = "aaf_connector_class"; - public static final String AAF_LOCATOR_CLASS = "aaf_locator_class"; - public static final String AAF_CONN_TIMEOUT = "aaf_conn_timeout"; - public static final String AAF_CONN_TIMEOUT_DEF = "3000"; - public static final String AAF_CONN_IDLE_TIMEOUT = "aaf_conn_idle_timeout"; // only for Direct Jetty Access. - public static final String AAF_CONN_IDLE_TIMEOUT_DEF = "10000"; // only for Direct Jetty Access. 
- - // Default Classes: These are for Class loading to avoid direct compile links - public static final String AAF_TAF_CLASS_DEF = "org.onap.aaf.cadi.aaf.v2_0.AAFTaf"; - public static final String AAF_LOCATOR_CLASS_DEF = "org.onap.aaf.cadi.aaf.v2_0.AAFLocator"; - public static final String CADI_OLUR_CLASS_DEF = "org.onap.aaf.cadi.olur.OLur"; - public static final String CADI_OBASIC_HTTP_TAF_DEF = "org.onap.aaf.cadi.obasic.OBasicHttpTaf"; - public static final String CADI_AAF_CON_DEF = "org.onap.aaf.cadi.aaf.v2_0.AAFCon"; - - public static final String AAF_CALL_TIMEOUT = "aaf_timeout"; - public static final String AAF_CALL_TIMEOUT_DEF = "5000"; - public static final String AAF_USER_EXPIRES = "aaf_user_expires"; - public static final String AAF_USER_EXPIRES_DEF = "600000"; // Default is 10 mins - public static final String AAF_CLEAN_INTERVAL = "aaf_clean_interval"; - public static final String AAF_CLEAN_INTERVAL_DEF = "30000"; // Default is 30 seconds - public static final String AAF_REFRESH_TRIGGER_COUNT = "aaf_refresh_trigger_count"; - public static final String AAF_REFRESH_TRIGGER_COUNT_DEF = "3"; // Default is 10 mins - - public static final String AAF_HIGH_COUNT = "aaf_high_count"; - public static final String AAF_HIGH_COUNT_DEF = "1000"; // Default is 1000 entries - public static final String AAF_PERM_MAP = "aaf_perm_map"; - public static final String AAF_COMPONENT = "aaf_component"; - public static final String AAF_CERT_IDS = "aaf_cert_ids"; - public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited - public static final String AAF_DATA_DIR = "aaf_data_dir"; // AAF processes and Components only. 
- - public static final String GW_URL = "gw_url"; - public static final String CM_URL = "cm_url"; - public static final String CM_TRUSTED_CAS = "cm_trusted_cas"; - - public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern"; - public static final String PATHFILTER_STACK = "pathfilter_stack"; - public static final String PATHFILTER_NS = "pathfilter_ns"; - public static final String PATHFILTER_NOT_AUTHORIZED_MSG = "pathfilter_not_authorized_msg"; - - // This one should go unpublic - public static final String AAF_DEFAULT_REALM = "aaf_default_realm"; - private static String defaultRealm="none"; - - public static final String AAF_DOMAIN_SUPPORT = "aaf_domain_support"; - public static final String AAF_DOMAIN_SUPPORT_DEF = ".com:.org"; - - // OAUTH2 - public static final String AAF_OAUTH2_TOKEN_URL = "aaf_oauth2_token_url"; - public static final String AAF_OAUTH2_INTROSPECT_URL = "aaf_oauth2_introspect_url"; - public static final String AAF_ALT_OAUTH2_TOKEN_URL = "aaf_alt_oauth2_token_url"; - public static final String AAF_ALT_OAUTH2_INTROSPECT_URL = "aaf_alt_oauth2_introspect_url"; - public static final String AAF_ALT_OAUTH2_DOMAIN = "aaf_alt_oauth2_domain"; - public static final String AAF_ALT_CLIENT_ID = "aaf_alt_oauth2_client_id"; - public static final String AAF_ALT_CLIENT_SECRET = "aaf_alt_oauth2_client_secret"; - public static final String AAF_OAUTH2_HELLO_URL = "aaf_oauth2_hello_url"; - - private static final String AAF_V2_0_AAF_CON_HTTP = "org.onap.aaf.cadi.aaf.v2_0.AAFConHttp"; - - - public static void setDefaultRealm(Access access) { - try { - defaultRealm = logProp(access,Config.AAF_DEFAULT_REALM, - logProp(access,Config.BASIC_REALM, - logProp(access,HOSTNAME,InetAddress.getLocalHost().getHostName()) - ) - ); - } catch (UnknownHostException e) { - access.log(Level.INIT, "Unable to determine Hostname",e); - } - } - - public static HttpTaf configHttpTaf(Connector con, SecurityInfoC si, TrustChecker tc, CredVal up, Lur lur, Object ... 
additionalTafLurs) throws CadiException, LocatorException { - Access access = si.access; - ///////////////////////////////////////////////////// - // Setup AAFCon for any following - ///////////////////////////////////////////////////// - Class aafConClass = loadClass(access,CADI_AAF_CON_DEF); - Object aafcon = null; - if(con!=null && aafConClass!=null && aafConClass.isAssignableFrom(con.getClass())) { - aafcon = con; - } else if(lur != null) { - Field f; - try { - f = lur.getClass().getField("aaf"); - aafcon = f.get(lur); - } catch (Exception e) { - access.log(Level.INIT, e); - } - } - - boolean hasDirectAAF = hasDirect("DirectAAFLur",additionalTafLurs); - // IMPORTANT! Don't attempt to load AAF Connector if there is no AAF URL - String aafURL = access.getProperty(AAF_URL,null); - if(!hasDirectAAF && aafcon==null && aafURL!=null) { - aafcon = loadAAFConnector(si, aafURL); - } - - HttpTaf taf; - // Setup Host, in case Network reports an unusable Hostname (i.e. VTiers, VPNs, etc) - String hostname = logProp(access, HOSTNAME,null); - if(hostname==null) { - try { - hostname = InetAddress.getLocalHost().getHostName(); - } catch (UnknownHostException e1) { - throw new CadiException("Unable to determine Hostname",e1); - } - } - - access.log(Level.INIT, "Hostname set to",hostname); - // Get appropriate TAFs - ArrayList htlist = new ArrayList<>(); - - ///////////////////////////////////////////////////// - // Add a Denial of Service TAF - // Note: how IPs and IDs are added are up to service type. 
- // They call "DenialOfServiceTaf.denyIP(String) or denyID(String) - ///////////////////////////////////////////////////// - htlist.add(new DenialOfServiceTaf(access)); - - ///////////////////////////////////////////////////// - // Configure Client Cert TAF - ///////////////////////////////////////////////////// - X509Taf x509TAF = null; - String truststore = logProp(access, CADI_TRUSTSTORE,null); - if(truststore!=null) { - String truststorePwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD,null); - if(truststorePwd!=null) { - if(truststorePwd.startsWith(Symm.ENC)) { - try { - access.decrypt(truststorePwd,false); - } catch (IOException e) { - throw new CadiException(CADI_TRUSTSTORE_PASSWORD + " cannot be decrypted",e); - } - } - try { - x509TAF=new X509Taf(access,lur); - htlist.add(x509TAF); - access.log(Level.INIT,"Certificate Authorization enabled"); - } catch (SecurityException | IllegalArgumentException e) { - access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e); - } catch (CertificateException e) { - access.log(Level.INIT,"Certificate Authorization failed, it is disabled",e); - } catch (NoSuchAlgorithmException e) { - access.log(Level.INIT,"Certificate Authorization failed, wrong Security Algorithm",e); - } - } - } else { - access.log(Level.INIT,"Certificate Authorization not enabled"); - } - - ///////////////////////////////////////////////////// - // Configure Basic Auth (local content) - ///////////////////////////////////////////////////// - boolean hasOAuthDirectTAF = hasDirect("DirectOAuthTAF", additionalTafLurs); - String basicRealm = logProp(access, BASIC_REALM,null); - String aafCleanup = logProp(access, AAF_USER_EXPIRES,AAF_USER_EXPIRES_DEF); // Default is 10 mins - long userExp = Long.parseLong(aafCleanup); - boolean basicWarn = "TRUE".equals(access.getProperty(BASIC_WARN,"FALSE")); - - if(!hasDirectAAF) { - HttpTaf aaftaf=null; - if(!hasOAuthDirectTAF) { - if(basicRealm!=null) { - 
@SuppressWarnings("unchecked")
- Class obasicCls = (Class)loadClass(access,CADI_OBASIC_HTTP_TAF_DEF);
- if(obasicCls!=null) {
- try {
- String tokenurl = logProp(access,Config.AAF_OAUTH2_TOKEN_URL, null);
- String introspecturl = logProp(access,Config.AAF_OAUTH2_INTROSPECT_URL, null);
- if(tokenurl==null || introspecturl==null) {
- access.log(Level.INIT,"Both tokenurl and introspecturl are required. Oauth Authorization is disabled.");
- }
- Constructor obasicConst = obasicCls.getConstructor(PropAccess.class,String.class, String.class, String.class);
- htlist.add(obasicConst.newInstance(access,basicRealm,tokenurl,introspecturl));
- access.log(Level.INIT,"Oauth supported Basic Authorization is enabled");
- } catch (NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
- access.log(Level.INIT, e);
- }
- } else if(up!=null) {
- access.log(Level.INIT,"Basic Authorization is enabled using realm",basicRealm);
- // Allow warning about insecure channel to be turned off
- if(!basicWarn) {
- access.log(Level.INIT, "WARNING! The basicWarn property has been set to false.",
- " There will be no additional warning if Basic Auth is used on an insecure channel");
- }
- BasicHttpTaf bht = new BasicHttpTaf(access, up, basicRealm, userExp, basicWarn);
- for(Object o : additionalTafLurs) {
- if(o instanceof CredValDomain) {
- bht.add((CredValDomain)o);
- }
- }
- if(x509TAF!=null) {
- x509TAF.add(bht);
- }
- htlist.add(bht);
- access.log(Level.INIT,"Basic Authorization is enabled");
- }
- } else {
- access.log(Level.INIT,"Local Basic Authorization is disabled. Enable by setting basicRealm=");
- }
-
- /////////////////////////////////////////////////////
- // Configure AAF Driven Basic Auth
- /////////////////////////////////////////////////////
- if(aafcon==null) {
- access.log(Level.INIT,"AAF Connection (AAFcon) is null. 
Cannot create an AAF TAF"); - } else if(aafURL==null) { - access.log(Level.INIT,"No AAF URL in properties, Cannot create an AAF TAF"); - } else {// There's an AAF_URL... try to configure an AAF - String aafTafClassName = logProp(access, AAF_TAF_CLASS,AAF_TAF_CLASS_DEF); - // Only 2.0 available at this time - if(AAF_TAF_CLASS_DEF.equals(aafTafClassName)) { - try { - Class aafTafClass = loadClass(access,aafTafClassName); - if(aafTafClass!=null) { - Constructor cstr = aafTafClass.getConstructor(Connector.class,boolean.class,AbsUserCache.class); - if(cstr!=null) { - if(lur instanceof AbsUserCache) { - aaftaf = (HttpTaf)cstr.newInstance(aafcon,basicWarn,lur); - } else { - cstr = aafTafClass.getConstructor(Connector.class,boolean.class); - if(cstr!=null) { - aaftaf = (HttpTaf)cstr.newInstance(aafcon,basicWarn); - } - } - if(aaftaf==null) { - access.log(Level.INIT,"ERROR! AAF TAF Failed construction. NOT Configured"); - } else { - access.log(Level.INIT,"AAF TAF Configured to ",aafURL); - // Note: will add later, after all others configured - } - } - } else { - access.log(Level.INIT, "There is no AAF TAF class available: %s. AAF TAF not configured.",aafTafClassName); - } - } catch(Exception e) { - access.log(Level.INIT,"ERROR! AAF TAF Failed construction. 
NOT Configured",e);
- }
- }
- }
- }
-
- /////////////////////////////////////////////////////
- // Configure OAuth TAF
- /////////////////////////////////////////////////////
- if(!hasOAuthDirectTAF) {
- String oauthTokenUrl = logProp(access,Config.AAF_OAUTH2_TOKEN_URL,null);
- Class oadtClss;
- try {
- oadtClss = Class.forName(OAUTH_DIRECT_TAF);
- } catch (ClassNotFoundException e1) {
- oadtClss = null;
- access.log(Level.INIT, e1);
- }
- if(additionalTafLurs!=null && additionalTafLurs.length>0 && (oadtClss!=null && additionalTafLurs[0].getClass().isAssignableFrom(oadtClss))) {
- htlist.add((HttpTaf)additionalTafLurs[0]);
- String[] array= new String[additionalTafLurs.length-1];
- if(array.length>0) {
- System.arraycopy(htlist, 1, array, 0, array.length);
- }
- additionalTafLurs = array;
- access.log(Level.INIT,"OAuth2 Direct is enabled");
- } else if(oauthTokenUrl!=null) {
- String oauthIntrospectUrl = logProp(access,Config.AAF_OAUTH2_INTROSPECT_URL,null);
- @SuppressWarnings("unchecked")
- Class oaTCls = (Class)loadClass(access,OAUTH_HTTP_TAF);
- if(oaTCls!=null) {
- Class oaTTmgrCls = loadClass(access, OAUTH_TOKEN_MGR);
- if(oaTTmgrCls!=null) {
- try {
- Method oaTTmgrGI = oaTTmgrCls.getMethod("getInstance",PropAccess.class,String.class,String.class);
- Object oaTTmgr = oaTTmgrGI.invoke(null /*this is static method*/,access,oauthTokenUrl,oauthIntrospectUrl);
- Constructor oaTConst = oaTCls.getConstructor(Access.class,oaTTmgrCls);
- htlist.add(oaTConst.newInstance(access,oaTTmgr));
- access.log(Level.INIT,"OAuth2 TAF is enabled");
- } catch (NoSuchMethodException | SecurityException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | InstantiationException e) {
- access.log(Level.INIT,"OAuth2HttpTaf cannot be instantiated. 
OAuth2 is disabled",e);
- }
- }
- }
- } else {
- access.log(Level.INIT,"OAuth TAF is not configured");
- }
- }
-
- /////////////////////////////////////////////////////
- // Adding BasicAuth (AAF) last, after other primary Cookie Based
- // Needs to be before Cert... see below
- /////////////////////////////////////////////////////
- if(aaftaf!=null) {
- htlist.add(aaftaf);
- }
- }
-
- /////////////////////////////////////////////////////
- // Any Additional Lurs passed in Constructor
- /////////////////////////////////////////////////////
- if(additionalTafLurs!=null) {
- for(Object additional : additionalTafLurs) {
- if(additional instanceof BasicHttpTaf) {
- BasicHttpTaf ht = (BasicHttpTaf)additional;
- for(Object cv : additionalTafLurs) {
- if(cv instanceof CredValDomain) {
- ht.add((CredValDomain)cv);
- access.printf(Level.INIT,"%s Authentication is enabled",cv);
- }
- }
- htlist.add(ht);
- } else if(additional instanceof HttpTaf) {
- HttpTaf ht = (HttpTaf)additional;
- htlist.add(ht);
- access.printf(Level.INIT,"%s Authentication is enabled",additional.getClass().getSimpleName());
- } else if(hasOAuthDirectTAF) {
- Class daupCls;
- try {
- daupCls = Class.forName("org.onap.aaf.auth.direct.DirectAAFUserPass");
- } catch (ClassNotFoundException e) {
- daupCls = null;
- access.log(Level.INIT, e);
- }
- if(daupCls != null && additional.getClass().isAssignableFrom(daupCls)) {
- htlist.add(new BasicHttpTaf(access, (CredVal)additional , basicRealm, userExp, basicWarn));
- access.printf(Level.INIT,"Direct BasicAuth Authentication is enabled",additional.getClass().getSimpleName());
- }
- }
- }
- }
-
- // Add BasicAuth, if any, to x509Taf
- if(x509TAF!=null) {
- for( HttpTaf ht : htlist) {
- if(ht instanceof BasicHttpTaf) {
- x509TAF.add((BasicHttpTaf)ht);
- }
- }
- }
- /////////////////////////////////////////////////////
- // Create EpiTaf from configured TAFs
- /////////////////////////////////////////////////////
- if(htlist.size()==1) {
- // just return the one
-
taf = htlist.get(0);
- } else {
- HttpTaf[] htarray = new HttpTaf[htlist.size()];
- htlist.toArray(htarray);
- Locator locator = loadLocator(si, logProp(access, AAF_LOCATE_URL, null));
-
- taf = new HttpEpiTaf(access,locator, tc, htarray); // ok to pass locator == null
- String level = logProp(access, CADI_LOGLEVEL, null);
- if(level!=null) {
- access.setLogLevel(Level.valueOf(level));
- }
- }
-
- return taf;
- }
-
- public static String logProp(Access access,String tag, String def) {
- String rv = access.getProperty(tag, def);
- if(rv == null) {
- access.log(Level.INIT,tag,"is not explicitly set");
- } else {
- access.log(Level.INIT,tag,"is set to",rv);
- }
- return rv;
- }
-
- public static Lur configLur(SecurityInfoC si, Connector con, Object ... additionalTafLurs) throws CadiException {
- Access access = si.access;
- List lurs = new ArrayList<>();
-
- /////////////////////////////////////////////////////
- // Configure a Local Property Based RBAC/LUR
- /////////////////////////////////////////////////////
- try {
- String users = access.getProperty(USERS,null);
- String groups = access.getProperty(GROUPS,null);
-
- if(groups!=null || users!=null) {
- LocalLur ll = new LocalLur(access, users, groups); // note b64==null is ok.. just means no encryption.
- lurs.add(ll);
-
- String writeto = access.getProperty(WRITE_TO,null);
- if(writeto!=null) {
- String msg = UsersDump.updateUsers(writeto, ll);
- if(msg!=null) {
- access.log(Level.INIT,"ERROR! 
Error Updating ",writeto,"with roles and users:",msg);
- }
- }
- }
- } catch (IOException e) {
- throw new CadiException(e);
- }
-
- /////////////////////////////////////////////////////
- // Configure the OAuth Lur (if any)
- /////////////////////////////////////////////////////
- String tokenUrl = logProp(access,AAF_OAUTH2_TOKEN_URL, null);
- String introspectUrl = logProp(access,AAF_OAUTH2_INTROSPECT_URL, null);
- if(tokenUrl!=null && introspectUrl !=null) {
- try {
- Class olurCls = loadClass(access, CADI_OLUR_CLASS_DEF);
- if(olurCls!=null) {
- Constructor olurCnst = olurCls.getConstructor(PropAccess.class,String.class,String.class);
- Lur olur = (Lur)olurCnst.newInstance(access,tokenUrl,introspectUrl);
- lurs.add(olur);
- access.log(Level.INIT, "OAuth2 LUR enabled");
- } else {
- access.log(Level.INIT,"AAF/OAuth LUR plugin is not available.");
- }
- } catch (NoSuchMethodException| SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
- String msg = e.getMessage();
- if(msg==null && e.getCause()!=null) {
- msg = e.getCause().getMessage();
- }
- access.log(Level.INIT,"AAF/OAuth LUR is not instantiated.",msg,e);
- }
- } else {
- access.log(Level.INIT, "OAuth2 Lur disabled");
- }
-
- if(con!=null) { // try to reutilize connector
- lurs.add(con.newLur());
- } else {
- /////////////////////////////////////////////////////
- // Configure the AAF Lur (if any)
- /////////////////////////////////////////////////////
- String aafURL = logProp(access,AAF_URL,null); // Trigger Property
- String aafEnv = access.getProperty(AAF_ENV,null);
- if(aafEnv == null && aafURL!=null && access instanceof PropAccess) { // set AAF_ENV from AAF_URL
- int ec = aafURL.indexOf("envContext=");
- if(ec>0) {
- ec += 11; // length of envContext=
- int slash = aafURL.indexOf('/', ec);
- if(slash>0) {
- aafEnv = aafURL.substring(ec, slash);
- ((PropAccess)access).setProperty(AAF_ENV, aafEnv);
- access.printf(Level.INIT, 
"Setting aafEnv to %s from aaf_url value",aafEnv);
- }
- }
- }
-
- // Don't configure AAF if it is using DirectAccess
- if(!hasDirect("DirectAAFLur",additionalTafLurs)) {
- if(aafURL==null) {
- access.log(Level.INIT,"No AAF LUR properties, AAF will not be loaded");
- } else {// There's an AAF_URL... try to configure an AAF
- String aafLurClassStr = logProp(access,AAF_LUR_CLASS,AAF_V2_0_AAF_LUR_PERM);
- ////////////AAF Lur 2.0 /////////////
- if(aafLurClassStr!=null && aafLurClassStr.startsWith(AAF_V2_0)) {
- try {
- Object aafcon = loadAAFConnector(si, aafURL);
- if(aafcon==null) {
- access.log(Level.INIT,"AAF LUR class,",aafLurClassStr,"cannot be constructed without valid AAFCon object.");
- } else {
- Class aafAbsAAFCon = loadClass(access, AAF_V2_0_AAFCON);
- if(aafAbsAAFCon!=null) {
- Method mNewLur = aafAbsAAFCon.getMethod("newLur");
- Object aaflur = mNewLur.invoke(aafcon);
-
- if(aaflur==null) {
- access.log(Level.INIT,"ERROR! AAF LUR Failed construction. NOT Configured");
- } else {
- access.log(Level.INIT,"AAF LUR Configured to ",aafURL);
- lurs.add((Lur)aaflur);
- String debugIDs = logProp(access,Config.AAF_DEBUG_IDS, null);
- if(debugIDs !=null && aaflur instanceof CachingLur) {
- ((CachingLur)aaflur).setDebug(debugIDs);
- }
- }
- }
- }
- } catch (Exception e) {
- access.log(e,"AAF LUR class,",aafLurClassStr,"could not be constructed with given Constructors.");
- }
- }
- }
- }
- }
-
- /////////////////////////////////////////////////////
- // Any Additional passed in Constructor
- /////////////////////////////////////////////////////
- if(additionalTafLurs!=null) {
- for(Object additional : additionalTafLurs) {
- if(additional instanceof Lur) {
- lurs.add((Lur)additional);
- access.log(Level.INIT, additional);
- }
- }
- }
-
- /////////////////////////////////////////////////////
- // Return a Lur based on how many there are...
- /////////////////////////////////////////////////////
- switch(lurs.size()) {
- case 0:
- access.log(Level.INIT,"WARNING! 
No CADI LURs configured");
- // Return a NULL Lur that does nothing.
- return new NullLur();
- case 1:
- return lurs.get(0); // Only one, just return it, save processing
- default:
- // Multiple Lurs, use EpiLUR to handle
- Lur[] la = new Lur[lurs.size()];
- lurs.toArray(la);
- return new EpiLur(la);
- }
- }
-
- private static boolean hasDirect(String simpleClassName, Object[] additionalTafLurs) {
- if(additionalTafLurs!=null) {
- for(Object tf : additionalTafLurs) {
- if(tf.getClass().getSimpleName().equals(simpleClassName)) {
- return true;
- }
- }
- }
- return false;
- }
-
- public static Object loadAAFConnector(SecurityInfoC si, String aafURL) {
- Access access = si.access;
- Object aafcon = null;
- Class aafConClass = null;
-
- try {
- if (aafURL!=null) {
- String aafConnector = access.getProperty(AAF_CONNECTOR_CLASS, AAF_V2_0_AAF_CON_HTTP);
- if (AAF_V2_0_AAF_CON_HTTP.equals(aafConnector)) {
- aafConClass = loadClass(access, AAF_V2_0_AAF_CON_HTTP);
- if (aafConClass != null) {
- for (Constructor c : aafConClass.getConstructors()) {
- List lo = new ArrayList<>();
- for (Class pc : c.getParameterTypes()) {
- if (pc.equals(Access.class)) {
- lo.add(access);
- } else if (pc.equals(Locator.class)) {
- lo.add(loadLocator(si, aafURL));
- }
- }
- if (c.getParameterTypes().length != lo.size()) {
- continue; // back to another Constructor
- } else {
- aafcon = c.newInstance(lo.toArray());
- }
- break;
- }
- }
- }
- if (aafcon != null) {
- String mechid = logProp(access, Config.AAF_APPID, null);
- String pass = access.getProperty(Config.AAF_APPPASS, null);
- if (mechid != null && pass != null) {
- try {
- Method basicAuth = aafConClass.getMethod("basicAuth", String.class, String.class);
- basicAuth.invoke(aafcon, mechid, pass);
- } catch (NoSuchMethodException nsme) {
- access.log(Level.NONE, nsme);
- // it's ok, don't use
- }
- }
- }
- }
- } catch (Exception e) {
- access.log(e, "AAF Connector could not be constructed with given Constructors.");
- }
-
- return aafcon; 
- }
-
- public static Class loadClass(Access access, String className) {
- Class cls=null;
- try {
- cls = access.classLoader().loadClass(className);
- } catch (ClassNotFoundException cnfe) {
- access.log(Level.NONE, cnfe);
- try {
- cls = access.getClass().getClassLoader().loadClass(className);
- } catch (ClassNotFoundException cnfe2) {
- access.log(Level.NONE, cnfe2);
- // just return null
- }
- }
- return cls;
- }
-
- @SuppressWarnings("unchecked")
- public static Locator loadLocator(SecurityInfoC si, final String _url) throws LocatorException {
- Access access = si.access;
- Locator locator = null;
- if(_url==null) {
- access.log(Level.INIT,"No URL passed to 'loadLocator'. Disabled");
- } else {
- String url = _url;
- String replacement;
- int idxAAFLocateUrl;
- if((idxAAFLocateUrl=_url.indexOf(AAF_LOCATE_URL_TAG))>0 && ((replacement=access.getProperty(AAF_LOCATE_URL, null))!=null)) {
- StringBuilder sb = new StringBuilder(replacement);
- if(!replacement.endsWith("/locate")) {
- sb.append("/locate");
- }
- sb.append(_url,idxAAFLocateUrl+AAF_LOCATE_URL_TAG.length(),_url.length());
- url = sb.toString();
- }
-
- try {
- Class lcls = loadClass(access,AAF_LOCATOR_CLASS_DEF);
- if(lcls==null) {
- throw new CadiException("Need to include aaf-cadi-aaf jar for AAFLocator");
- }
- // First check for preloaded
- try {
- Method meth = lcls.getMethod("create",String.class);
- locator = (Locator)meth.invoke(null,url);
- } catch (Exception e) {
- access.log(Level.INIT, e);
- }
- if(locator==null) {
- URI locatorURI = new URI(url);
- Constructor cnst = lcls.getConstructor(SecurityInfoC.class,URI.class);
- locator = (Locator)cnst.newInstance(new Object[] {si,locatorURI});
- int port = locatorURI.getPort();
- String portS = port<0?"":(":"+locatorURI.getPort());
-
- access.log(Level.INFO, "AAFLocator enabled using " + locatorURI.getScheme() +"://"+locatorURI.getHost() + portS);
- } else {
- access.log(Level.INFO, "AAFLocator enabled using preloaded " + 
locator.getClass().getSimpleName());
- }
- } catch (InvocationTargetException e) {
- if(e.getTargetException() instanceof LocatorException) {
- throw (LocatorException)e.getTargetException();
- }
- access.log(Level.INIT,e.getTargetException().getMessage(),"AAFLocator for",url,"could not be created.",e);
- } catch (Exception e) {
- access.log(Level.INIT,"AAFLocator for",url,"could not be created.",e);
- }
- }
- return locator;
- }
-
- // Set by CSP, or is hostname.
- public static String getDefaultRealm() {
- return defaultRealm;
- }
+ + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA," + + "TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV";
+
+
+ public static final String LOCALHOST_ALLOW = "localhost_allow";
+ public static final String LOCALHOST_DENY = "localhost_deny";
+
+ public static final String BASIC_REALM = "basic_realm"; // what is sent to the client
+ public static final String BASIC_WARN = "basic_warn"; // Warning of insecure channel
+ public static final String USERS = "local_users";
+ public static final String GROUPS = "local_groups";
+ public static final String WRITE_TO = "local_writeto"; // dump RBAC to local file in Tomcat Style (some apps use)
+
+ public static final String OAUTH_CLIENT_ID="client_id";
+ public static final String OAUTH_CLIENT_SECRET="client_secret";
+
+ public static final String AAF_ENV = "aaf_env";
+ public static final String AAF_ROOT_NS = "aaf_root_ns";
+ public static final String AAF_ROOT_NS_DEF = "org.osaaf.aaf";
+ public static final String AAF_ROOT_COMPANY = "aaf_root_company";
+ public static 
final String AAF_LOCATE_URL = "aaf_locate_url"; //URL for AAF locator
+ private static final String AAF_LOCATE_URL_TAG = "AAF_LOCATE_URL"; // Name of Above for use in Config Variables.
+ public static final String AAF_DEFAULT_VERSION = "2.1";
+ public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
+ public static final String AAF_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.service:" + AAF_DEFAULT_VERSION;
+ public static final String GUI_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.gui:" + AAF_DEFAULT_VERSION;
+ public static final String CM_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.cm:" + AAF_DEFAULT_VERSION;
+ public static final String FS_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.fs:" + AAF_DEFAULT_VERSION;
+ public static final String HELLO_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.hello:" + AAF_DEFAULT_VERSION;
+ public static final String OAUTH2_TOKEN_URL = "https://AAF_LOCATE_URL/AAF_NS.token:" + AAF_DEFAULT_VERSION;
+ public static final String OAUTH2_INTROSPECT_URL = "https://AAF_LOCATE_URL/AAF_NS.introspect:" + AAF_DEFAULT_VERSION;
+
+ public static final String AAF_REGISTER_AS = "aaf_register_as";
+ public static final String AAF_APPID = "aaf_id";
+ public static final String AAF_APPPASS = "aaf_password";
+ public static final String AAF_LUR_CLASS = "aaf_lur_class";
+ public static final String AAF_TAF_CLASS = "aaf_taf_class";
+ public static final String AAF_CONNECTOR_CLASS = "aaf_connector_class";
+ public static final String AAF_LOCATOR_CLASS = "aaf_locator_class";
+ public static final String AAF_CONN_TIMEOUT = "aaf_conn_timeout";
+ public static final String AAF_CONN_TIMEOUT_DEF = "3000";
+ public static final String AAF_CONN_IDLE_TIMEOUT = "aaf_conn_idle_timeout"; // only for Direct Jetty Access.
+ public static final String AAF_CONN_IDLE_TIMEOUT_DEF = "10000"; // only for Direct Jetty Access. 
+
+ // Default Classes: These are for Class loading to avoid direct compile links
+ public static final String AAF_TAF_CLASS_DEF = "org.onap.aaf.cadi.aaf.v2_0.AAFTaf";
+ public static final String AAF_LOCATOR_CLASS_DEF = "org.onap.aaf.cadi.aaf.v2_0.AAFLocator";
+ public static final String CADI_OLUR_CLASS_DEF = "org.onap.aaf.cadi.olur.OLur";
+ public static final String CADI_OBASIC_HTTP_TAF_DEF = "org.onap.aaf.cadi.obasic.OBasicHttpTaf";
+ public static final String CADI_AAF_CON_DEF = "org.onap.aaf.cadi.aaf.v2_0.AAFCon";
+
+ public static final String AAF_CALL_TIMEOUT = "aaf_timeout";
+ public static final String AAF_CALL_TIMEOUT_DEF = "5000";
+ public static final String AAF_USER_EXPIRES = "aaf_user_expires";
+ public static final String AAF_USER_EXPIRES_DEF = "600000"; // Default is 10 mins
+ public static final String AAF_CLEAN_INTERVAL = "aaf_clean_interval";
+ public static final String AAF_CLEAN_INTERVAL_DEF = "30000"; // Default is 30 seconds
+ public static final String AAF_REFRESH_TRIGGER_COUNT = "aaf_refresh_trigger_count";
+ public static final String AAF_REFRESH_TRIGGER_COUNT_DEF = "3"; // Default is 10 mins
+
+ public static final String AAF_HIGH_COUNT = "aaf_high_count";
+ public static final String AAF_HIGH_COUNT_DEF = "1000"; // Default is 1000 entries
+ public static final String AAF_PERM_MAP = "aaf_perm_map";
+ public static final String AAF_COMPONENT = "aaf_component";
+ public static final String AAF_CERT_IDS = "aaf_cert_ids";
+ public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited
+ public static final String AAF_DATA_DIR = "aaf_data_dir"; // AAF processes and Components only. 
+
+ public static final String GW_URL = "gw_url";
+ public static final String CM_URL = "cm_url";
+ public static final String CM_TRUSTED_CAS = "cm_trusted_cas";
+
+ public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern";
+ public static final String PATHFILTER_STACK = "pathfilter_stack";
+ public static final String PATHFILTER_NS = "pathfilter_ns";
+ public static final String PATHFILTER_NOT_AUTHORIZED_MSG = "pathfilter_not_authorized_msg";
+
+ // This one should go unpublic
+ public static final String AAF_DEFAULT_REALM = "aaf_default_realm";
+ private static String defaultRealm="none";
+
+ public static final String AAF_DOMAIN_SUPPORT = "aaf_domain_support";
+ public static final String AAF_DOMAIN_SUPPORT_DEF = ".com:.org";
+
+ // OAUTH2
+ public static final String AAF_OAUTH2_TOKEN_URL = "aaf_oauth2_token_url";
+ public static final String AAF_OAUTH2_INTROSPECT_URL = "aaf_oauth2_introspect_url";
+ public static final String AAF_ALT_OAUTH2_TOKEN_URL = "aaf_alt_oauth2_token_url";
+ public static final String AAF_ALT_OAUTH2_INTROSPECT_URL = "aaf_alt_oauth2_introspect_url";
+ public static final String AAF_ALT_OAUTH2_DOMAIN = "aaf_alt_oauth2_domain";
+ public static final String AAF_ALT_CLIENT_ID = "aaf_alt_oauth2_client_id";
+ public static final String AAF_ALT_CLIENT_SECRET = "aaf_alt_oauth2_client_secret";
+ public static final String AAF_OAUTH2_HELLO_URL = "aaf_oauth2_hello_url";
+
+ private static final String AAF_V2_0_AAF_CON_HTTP = "org.onap.aaf.cadi.aaf.v2_0.AAFConHttp";
+
+
+ public static void setDefaultRealm(Access access) {
+ try {
+ defaultRealm = logProp(access,Config.AAF_DEFAULT_REALM,
+ logProp(access,Config.BASIC_REALM,
+ logProp(access,HOSTNAME,InetAddress.getLocalHost().getHostName())
+ )
+ );
+ } catch (UnknownHostException e) {
+ access.log(Level.INIT, "Unable to determine Hostname",e);
+ }
+ }
+
+ public static HttpTaf configHttpTaf(Connector con, SecurityInfoC si, TrustChecker tc, CredVal up, Lur lur, Object ... 
additionalTafLurs) throws CadiException, LocatorException {
+ Access access = si.access;
+ /////////////////////////////////////////////////////
+ // Setup AAFCon for any following
+ /////////////////////////////////////////////////////
+ Class aafConClass = loadClass(access,CADI_AAF_CON_DEF);
+ Object aafcon = null;
+ if(con!=null && aafConClass!=null && aafConClass.isAssignableFrom(con.getClass())) {
+ aafcon = con;
+ } else if(lur != null) {
+ Field f;
+ try {
+ f = lur.getClass().getField("aaf");
+ aafcon = f.get(lur);
+ } catch (Exception e) {
+ access.log(Level.INIT, e);
+ }
+ }
+
+ boolean hasDirectAAF = hasDirect("DirectAAFLur",additionalTafLurs);
+ // IMPORTANT! Don't attempt to load AAF Connector if there is no AAF URL
+ String aafURL = access.getProperty(AAF_URL,null);
+ if(!hasDirectAAF && aafcon==null && aafURL!=null) {
+ aafcon = loadAAFConnector(si, aafURL);
+ }
+
+ HttpTaf taf;
+ // Setup Host, in case Network reports an unusable Hostname (i.e. VTiers, VPNs, etc)
+ String hostname = logProp(access, HOSTNAME,null);
+ if(hostname==null) {
+ try {
+ hostname = InetAddress.getLocalHost().getHostName();
+ } catch (UnknownHostException e1) {
+ throw new CadiException("Unable to determine Hostname",e1);
+ }
+ }
+
+ access.log(Level.INIT, "Hostname set to",hostname);
+ // Get appropriate TAFs
+ ArrayList htlist = new ArrayList<>();
+
+ /////////////////////////////////////////////////////
+ // Add a Denial of Service TAF
+ // Note: how IPs and IDs are added are up to service type. 
+ // They call "DenialOfServiceTaf.denyIP(String) or denyID(String)
+ /////////////////////////////////////////////////////
+ htlist.add(new DenialOfServiceTaf(access));
+
+ /////////////////////////////////////////////////////
+ // Configure Client Cert TAF
+ /////////////////////////////////////////////////////
+ X509Taf x509TAF = null;
+ String truststore = logProp(access, CADI_TRUSTSTORE,null);
+ if(truststore!=null) {
+ String truststorePwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD,null);
+ if(truststorePwd!=null) {
+ if(truststorePwd.startsWith(Symm.ENC)) {
+ try {
+ access.decrypt(truststorePwd,false);
+ } catch (IOException e) {
+ throw new CadiException(CADI_TRUSTSTORE_PASSWORD + " cannot be decrypted",e);
+ }
+ }
+ try {
+ x509TAF=new X509Taf(access,lur);
+ htlist.add(x509TAF);
+ access.log(Level.INIT,"Certificate Authorization enabled");
+ } catch (SecurityException | IllegalArgumentException e) {
+ access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
+ } catch (CertificateException e) {
+ access.log(Level.INIT,"Certificate Authorization failed, it is disabled",e);
+ } catch (NoSuchAlgorithmException e) {
+ access.log(Level.INIT,"Certificate Authorization failed, wrong Security Algorithm",e);
+ }
+ }
+ } else {
+ access.log(Level.INIT,"Certificate Authorization not enabled");
+ }
+
+ /////////////////////////////////////////////////////
+ // Configure Basic Auth (local content)
+ /////////////////////////////////////////////////////
+ boolean hasOAuthDirectTAF = hasDirect("DirectOAuthTAF", additionalTafLurs);
+ String basicRealm = logProp(access, BASIC_REALM,null);
+ String aafCleanup = logProp(access, AAF_USER_EXPIRES,AAF_USER_EXPIRES_DEF); // Default is 10 mins
+ long userExp = Long.parseLong(aafCleanup);
+ boolean basicWarn = "TRUE".equals(access.getProperty(BASIC_WARN,"FALSE"));
+
+ if(!hasDirectAAF) {
+ HttpTaf aaftaf=null;
+ if(!hasOAuthDirectTAF) {
+ if(basicRealm!=null) {
+
@SuppressWarnings("unchecked") + Class obasicCls = (Class)loadClass(access,CADI_OBASIC_HTTP_TAF_DEF); + if(obasicCls!=null) { + try { + String tokenurl = logProp(access,Config.AAF_OAUTH2_TOKEN_URL, null); + String introspecturl = logProp(access,Config.AAF_OAUTH2_INTROSPECT_URL, null); + if(tokenurl==null || introspecturl==null) { + access.log(Level.INIT,"Both tokenurl and introspecturl are required. Oauth Authorization is disabled."); + } + Constructor obasicConst = obasicCls.getConstructor(PropAccess.class,String.class, String.class, String.class); + htlist.add(obasicConst.newInstance(access,basicRealm,tokenurl,introspecturl)); + access.log(Level.INIT,"Oauth supported Basic Authorization is enabled"); + } catch (NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { + access.log(Level.INIT, e); + } + } else if(up!=null) { + access.log(Level.INIT,"Basic Authorization is enabled using realm",basicRealm); + // Allow warning about insecure channel to be turned off + if(!basicWarn) { + access.log(Level.INIT, "WARNING! The basicWarn property has been set to false.", + " There will be no additional warning if Basic Auth is used on an insecure channel"); + } + BasicHttpTaf bht = new BasicHttpTaf(access, up, basicRealm, userExp, basicWarn); + for(Object o : additionalTafLurs) { + if(o instanceof CredValDomain) { + bht.add((CredValDomain)o); + } + } + if(x509TAF!=null) { + x509TAF.add(bht); + } + htlist.add(bht); + access.log(Level.INIT,"Basic Authorization is enabled"); + } + } else { + access.log(Level.INIT,"Local Basic Authorization is disabled. Enable by setting basicRealm="); + } + + ///////////////////////////////////////////////////// + // Configure AAF Driven Basic Auth + ///////////////////////////////////////////////////// + if(aafcon==null) { + access.log(Level.INIT,"AAF Connection (AAFcon) is null. 
Cannot create an AAF TAF"); + } else if(aafURL==null) { + access.log(Level.INIT,"No AAF URL in properties, Cannot create an AAF TAF"); + } else {// There's an AAF_URL... try to configure an AAF + String aafTafClassName = logProp(access, AAF_TAF_CLASS,AAF_TAF_CLASS_DEF); + // Only 2.0 available at this time + if(AAF_TAF_CLASS_DEF.equals(aafTafClassName)) { + try { + Class aafTafClass = loadClass(access,aafTafClassName); + if(aafTafClass!=null) { + Constructor cstr = aafTafClass.getConstructor(Connector.class,boolean.class,AbsUserCache.class); + if(cstr!=null) { + if(lur instanceof AbsUserCache) { + aaftaf = (HttpTaf)cstr.newInstance(aafcon,basicWarn,lur); + } else { + cstr = aafTafClass.getConstructor(Connector.class,boolean.class); + if(cstr!=null) { + aaftaf = (HttpTaf)cstr.newInstance(aafcon,basicWarn); + } + } + if(aaftaf==null) { + access.log(Level.INIT,"ERROR! AAF TAF Failed construction. NOT Configured"); + } else { + access.log(Level.INIT,"AAF TAF Configured to ",aafURL); + // Note: will add later, after all others configured + } + } + } else { + access.log(Level.INIT, "There is no AAF TAF class available: %s. AAF TAF not configured.",aafTafClassName); + } + } catch(Exception e) { + access.log(Level.INIT,"ERROR! AAF TAF Failed construction. 
NOT Configured",e); + } + } + } + } + + ///////////////////////////////////////////////////// + // Configure OAuth TAF + ///////////////////////////////////////////////////// + if(!hasOAuthDirectTAF) { + String oauthTokenUrl = logProp(access,Config.AAF_OAUTH2_TOKEN_URL,null); + Class oadtClss; + try { + oadtClss = Class.forName(OAUTH_DIRECT_TAF); + } catch (ClassNotFoundException e1) { + oadtClss = null; + access.log(Level.INIT, e1); + } + if(additionalTafLurs!=null && additionalTafLurs.length>0 && (oadtClss!=null && additionalTafLurs[0].getClass().isAssignableFrom(oadtClss))) { + htlist.add((HttpTaf)additionalTafLurs[0]); + String[] array= new String[additionalTafLurs.length-1]; + if(array.length>0) { + System.arraycopy(htlist, 1, array, 0, array.length); + } + additionalTafLurs = array; + access.log(Level.INIT,"OAuth2 Direct is enabled"); + } else if(oauthTokenUrl!=null) { + String oauthIntrospectUrl = logProp(access,Config.AAF_OAUTH2_INTROSPECT_URL,null); + @SuppressWarnings("unchecked") + Class oaTCls = (Class)loadClass(access,OAUTH_HTTP_TAF); + if(oaTCls!=null) { + Class oaTTmgrCls = loadClass(access, OAUTH_TOKEN_MGR); + if(oaTTmgrCls!=null) { + try { + Method oaTTmgrGI = oaTTmgrCls.getMethod("getInstance",PropAccess.class,String.class,String.class); + Object oaTTmgr = oaTTmgrGI.invoke(null /*this is static method*/,access,oauthTokenUrl,oauthIntrospectUrl); + Constructor oaTConst = oaTCls.getConstructor(Access.class,oaTTmgrCls); + htlist.add(oaTConst.newInstance(access,oaTTmgr)); + access.log(Level.INIT,"OAuth2 TAF is enabled"); + } catch (NoSuchMethodException | SecurityException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | InstantiationException e) { + access.log(Level.INIT,"OAuth2HttpTaf cannot be instantiated. 
OAuth2 is disabled",e); + } + } + } + } else { + access.log(Level.INIT,"OAuth TAF is not configured"); + } + } + + ///////////////////////////////////////////////////// + // Adding BasicAuth (AAF) last, after other primary Cookie Based + // Needs to be before Cert... see below + ///////////////////////////////////////////////////// + if(aaftaf!=null) { + htlist.add(aaftaf); + } + } + + ///////////////////////////////////////////////////// + // Any Additional Lurs passed in Constructor + ///////////////////////////////////////////////////// + if(additionalTafLurs!=null) { + for(Object additional : additionalTafLurs) { + if(additional instanceof BasicHttpTaf) { + BasicHttpTaf ht = (BasicHttpTaf)additional; + for(Object cv : additionalTafLurs) { + if(cv instanceof CredValDomain) { + ht.add((CredValDomain)cv); + access.printf(Level.INIT,"%s Authentication is enabled",cv); + } + } + htlist.add(ht); + } else if(additional instanceof HttpTaf) { + HttpTaf ht = (HttpTaf)additional; + htlist.add(ht); + access.printf(Level.INIT,"%s Authentication is enabled",additional.getClass().getSimpleName()); + } else if(hasOAuthDirectTAF) { + Class daupCls; + try { + daupCls = Class.forName("org.onap.aaf.auth.direct.DirectAAFUserPass"); + } catch (ClassNotFoundException e) { + daupCls = null; + access.log(Level.INIT, e); + } + if(daupCls != null && additional.getClass().isAssignableFrom(daupCls)) { + htlist.add(new BasicHttpTaf(access, (CredVal)additional , basicRealm, userExp, basicWarn)); + access.printf(Level.INIT,"Direct BasicAuth Authentication is enabled",additional.getClass().getSimpleName()); + } + } + } + } + + // Add BasicAuth, if any, to x509Taf + if(x509TAF!=null) { + for( HttpTaf ht : htlist) { + if(ht instanceof BasicHttpTaf) { + x509TAF.add((BasicHttpTaf)ht); + } + } + } + ///////////////////////////////////////////////////// + // Create EpiTaf from configured TAFs + ///////////////////////////////////////////////////// + if(htlist.size()==1) { + // just return the one + 
taf = htlist.get(0); + } else { + HttpTaf[] htarray = new HttpTaf[htlist.size()]; + htlist.toArray(htarray); + Locator locator = loadLocator(si, logProp(access, AAF_LOCATE_URL, null)); + + taf = new HttpEpiTaf(access,locator, tc, htarray); // ok to pass locator == null + String level = logProp(access, CADI_LOGLEVEL, null); + if(level!=null) { + access.setLogLevel(Level.valueOf(level)); + } + } + + return taf; + } + + public static String logProp(Access access,String tag, String def) { + String rv = access.getProperty(tag, def); + if(rv == null) { + access.log(Level.INIT,tag,"is not explicitly set"); + } else { + access.log(Level.INIT,tag,"is set to",rv); + } + return rv; + } + + public static Lur configLur(SecurityInfoC si, Connector con, Object ... additionalTafLurs) throws CadiException { + Access access = si.access; + List lurs = new ArrayList<>(); + + ///////////////////////////////////////////////////// + // Configure a Local Property Based RBAC/LUR + ///////////////////////////////////////////////////// + try { + String users = access.getProperty(USERS,null); + String groups = access.getProperty(GROUPS,null); + + if(groups!=null || users!=null) { + LocalLur ll = new LocalLur(access, users, groups); // note b64==null is ok.. just means no encryption. + lurs.add(ll); + + String writeto = access.getProperty(WRITE_TO,null); + if(writeto!=null) { + String msg = UsersDump.updateUsers(writeto, ll); + if(msg!=null) { + access.log(Level.INIT,"ERROR! 
Error Updating ",writeto,"with roles and users:",msg); + } + } + } + } catch (IOException e) { + throw new CadiException(e); + } + + ///////////////////////////////////////////////////// + // Configure the OAuth Lur (if any) + ///////////////////////////////////////////////////// + String tokenUrl = logProp(access,AAF_OAUTH2_TOKEN_URL, null); + String introspectUrl = logProp(access,AAF_OAUTH2_INTROSPECT_URL, null); + if(tokenUrl!=null && introspectUrl !=null) { + try { + Class olurCls = loadClass(access, CADI_OLUR_CLASS_DEF); + if(olurCls!=null) { + Constructor olurCnst = olurCls.getConstructor(PropAccess.class,String.class,String.class); + Lur olur = (Lur)olurCnst.newInstance(access,tokenUrl,introspectUrl); + lurs.add(olur); + access.log(Level.INIT, "OAuth2 LUR enabled"); + } else { + access.log(Level.INIT,"AAF/OAuth LUR plugin is not available."); + } + } catch (NoSuchMethodException| SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { + String msg = e.getMessage(); + if(msg==null && e.getCause()!=null) { + msg = e.getCause().getMessage(); + } + access.log(Level.INIT,"AAF/OAuth LUR is not instantiated.",msg,e); + } + } else { + access.log(Level.INIT, "OAuth2 Lur disabled"); + } + + if(con!=null) { // try to reutilize connector + lurs.add(con.newLur()); + } else { + ///////////////////////////////////////////////////// + // Configure the AAF Lur (if any) + ///////////////////////////////////////////////////// + String aafURL = logProp(access,AAF_URL,null); // Trigger Property + String aafEnv = access.getProperty(AAF_ENV,null); + if(aafEnv == null && aafURL!=null && access instanceof PropAccess) { // set AAF_ENV from AAF_URL + int ec = aafURL.indexOf("envContext="); + if(ec>0) { + ec += 11; // length of envContext= + int slash = aafURL.indexOf('/', ec); + if(slash>0) { + aafEnv = aafURL.substring(ec, slash); + ((PropAccess)access).setProperty(AAF_ENV, aafEnv); + access.printf(Level.INIT, 
"Setting aafEnv to %s from aaf_url value",aafEnv); + } + } + } + + // Don't configure AAF if it is using DirectAccess + if(!hasDirect("DirectAAFLur",additionalTafLurs)) { + if(aafURL==null) { + access.log(Level.INIT,"No AAF LUR properties, AAF will not be loaded"); + } else {// There's an AAF_URL... try to configure an AAF + String aafLurClassStr = logProp(access,AAF_LUR_CLASS,AAF_V2_0_AAF_LUR_PERM); + ////////////AAF Lur 2.0 ///////////// + if(aafLurClassStr!=null && aafLurClassStr.startsWith(AAF_V2_0)) { + try { + Object aafcon = loadAAFConnector(si, aafURL); + if(aafcon==null) { + access.log(Level.INIT,"AAF LUR class,",aafLurClassStr,"cannot be constructed without valid AAFCon object."); + } else { + Class aafAbsAAFCon = loadClass(access, AAF_V2_0_AAFCON); + if(aafAbsAAFCon!=null) { + Method mNewLur = aafAbsAAFCon.getMethod("newLur"); + Object aaflur = mNewLur.invoke(aafcon); + + if(aaflur==null) { + access.log(Level.INIT,"ERROR! AAF LUR Failed construction. NOT Configured"); + } else { + access.log(Level.INIT,"AAF LUR Configured to ",aafURL); + lurs.add((Lur)aaflur); + String debugIDs = logProp(access,Config.AAF_DEBUG_IDS, null); + if(debugIDs !=null && aaflur instanceof CachingLur) { + ((CachingLur)aaflur).setDebug(debugIDs); + } + } + } + } + } catch (Exception e) { + access.log(e,"AAF LUR class,",aafLurClassStr,"could not be constructed with given Constructors."); + } + } + } + } + } + + ///////////////////////////////////////////////////// + // Any Additional passed in Constructor + ///////////////////////////////////////////////////// + if(additionalTafLurs!=null) { + for(Object additional : additionalTafLurs) { + if(additional instanceof Lur) { + lurs.add((Lur)additional); + access.log(Level.INIT, additional); + } + } + } + + ///////////////////////////////////////////////////// + // Return a Lur based on how many there are... + ///////////////////////////////////////////////////// + switch(lurs.size()) { + case 0: + access.log(Level.INIT,"WARNING! 
No CADI LURs configured"); + // Return a NULL Lur that does nothing. + return new NullLur(); + case 1: + return lurs.get(0); // Only one, just return it, save processing + default: + // Multiple Lurs, use EpiLUR to handle + Lur[] la = new Lur[lurs.size()]; + lurs.toArray(la); + return new EpiLur(la); + } + } + + private static boolean hasDirect(String simpleClassName, Object[] additionalTafLurs) { + if(additionalTafLurs!=null) { + for(Object tf : additionalTafLurs) { + if(tf.getClass().getSimpleName().equals(simpleClassName)) { + return true; + } + } + } + return false; + } + + public static Object loadAAFConnector(SecurityInfoC si, String aafURL) { + Access access = si.access; + Object aafcon = null; + Class aafConClass = null; + + try { + if (aafURL!=null) { + String aafConnector = access.getProperty(AAF_CONNECTOR_CLASS, AAF_V2_0_AAF_CON_HTTP); + if (AAF_V2_0_AAF_CON_HTTP.equals(aafConnector)) { + aafConClass = loadClass(access, AAF_V2_0_AAF_CON_HTTP); + if (aafConClass != null) { + for (Constructor c : aafConClass.getConstructors()) { + List lo = new ArrayList<>(); + for (Class pc : c.getParameterTypes()) { + if (pc.equals(Access.class)) { + lo.add(access); + } else if (pc.equals(Locator.class)) { + lo.add(loadLocator(si, aafURL)); + } + } + if (c.getParameterTypes().length != lo.size()) { + continue; // back to another Constructor + } else { + aafcon = c.newInstance(lo.toArray()); + } + break; + } + } + } + if (aafcon != null) { + String mechid = logProp(access, Config.AAF_APPID, null); + String pass = access.getProperty(Config.AAF_APPPASS, null); + if (mechid != null && pass != null) { + try { + Method basicAuth = aafConClass.getMethod("basicAuth", String.class, String.class); + basicAuth.invoke(aafcon, mechid, pass); + } catch (NoSuchMethodException nsme) { + access.log(Level.NONE, nsme); + // it's ok, don't use + } + } + } + } + } catch (Exception e) { + access.log(e, "AAF Connector could not be constructed with given Constructors."); + } + + return aafcon; 
+ } + + public static Class loadClass(Access access, String className) { + Class cls=null; + try { + cls = access.classLoader().loadClass(className); + } catch (ClassNotFoundException cnfe) { + access.log(Level.NONE, cnfe); + try { + cls = access.getClass().getClassLoader().loadClass(className); + } catch (ClassNotFoundException cnfe2) { + access.log(Level.NONE, cnfe2); + // just return null + } + } + return cls; + } + + @SuppressWarnings("unchecked") + public static Locator loadLocator(SecurityInfoC si, final String _url) throws LocatorException { + Access access = si.access; + Locator locator = null; + if(_url==null) { + access.log(Level.INIT,"No URL passed to 'loadLocator'. Disabled"); + } else { + String url = _url; + String replacement; + int idxAAFLocateUrl; + if((idxAAFLocateUrl=_url.indexOf(AAF_LOCATE_URL_TAG))>0 && ((replacement=access.getProperty(AAF_LOCATE_URL, null))!=null)) { + StringBuilder sb = new StringBuilder(replacement); + if(!replacement.endsWith("/locate")) { + sb.append("/locate"); + } + sb.append(_url,idxAAFLocateUrl+AAF_LOCATE_URL_TAG.length(),_url.length()); + url = sb.toString(); + } + + try { + Class lcls = loadClass(access,AAF_LOCATOR_CLASS_DEF); + if(lcls==null) { + throw new CadiException("Need to include aaf-cadi-aaf jar for AAFLocator"); + } + // First check for preloaded + try { + Method meth = lcls.getMethod("create",String.class); + locator = (Locator)meth.invoke(null,url); + } catch (Exception e) { + access.log(Level.INIT, e); + } + if(locator==null) { + URI locatorURI = new URI(url); + Constructor cnst = lcls.getConstructor(SecurityInfoC.class,URI.class); + locator = (Locator)cnst.newInstance(new Object[] {si,locatorURI}); + int port = locatorURI.getPort(); + String portS = port<0?"":(":"+locatorURI.getPort()); + + access.log(Level.INFO, "AAFLocator enabled using " + locatorURI.getScheme() +"://"+locatorURI.getHost() + portS); + } else { + access.log(Level.INFO, "AAFLocator enabled using preloaded " + 
locator.getClass().getSimpleName()); + } + } catch (InvocationTargetException e) { + if(e.getTargetException() instanceof LocatorException) { + throw (LocatorException)e.getTargetException(); + } + access.log(Level.INIT,e.getTargetException().getMessage(),"AAFLocator for",url,"could not be created.",e); + } catch (Exception e) { + access.log(Level.INIT,"AAFLocator for",url,"could not be created.",e); + } + } + return locator; + } + + // Set by CSP, or is hostname. + public static String getDefaultRealm() { + return defaultRealm; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Get.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Get.java index dfb7b4d3..56ac4dd5 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Get.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Get.java 
@@ -27,71 +27,71 @@ import org.onap.aaf.cadi.Access; import org.onap.aaf.cadi.Access.Level; public interface Get { - public String get(String name, String def, boolean print); - - - /** - * A class for Getting info out of "JavaBean" format - * @author Jonathan - * - */ - public static class Bean implements Get { - private Object bean; - private Class bc; - private Class[] params; - private Object[] args; - - public Bean(Object bean) { - this.bean = bean; - bc = bean.getClass(); - params = new Class[0]; // note, this will allow to go out of scope after config - args = new Object[0]; - } - - public String get(String name, String def, boolean print) { - String str = null; - String gname = "get"+Character.toUpperCase(name.charAt(0))+name.substring(1); - try { - Method meth = bc.getMethod(gname, params); - Object obj = meth.invoke(bean, args); - str = obj==null?null:obj.toString(); // easy string convert... - } catch (Exception e) { - } - - // Take def if nothing else - if(str==null) { - str = def; - // don't log defaults - } else { - str = str.trim(); // this is vital in Property File based values, as spaces can hide easily - } - // Note: Can't log during configuration - return str; - } - } + public String get(String name, String def, boolean print); + + + /** + * A class for Getting info out of "JavaBean" format + * @author Jonathan + * + */ + public static class Bean implements Get { + private Object bean; + private Class bc; + private Class[] params; + private Object[] args; + + public Bean(Object bean) { + this.bean = bean; + bc = bean.getClass(); + params = new Class[0]; // note, this will allow to go out of scope after config + args = new Object[0]; + } + + public String get(String name, String def, boolean print) { + String str = null; + String gname = "get"+Character.toUpperCase(name.charAt(0))+name.substring(1); + try { + Method meth = bc.getMethod(gname, params); + Object obj = meth.invoke(bean, args); + str = obj==null?null:obj.toString(); // easy string 
convert... + } catch (Exception e) { + } + + // Take def if nothing else + if(str==null) { + str = def; + // don't log defaults + } else { + str = str.trim(); // this is vital in Property File based values, as spaces can hide easily + } + // Note: Can't log during configuration + return str; + } + } - public static Get NULL = new Get() { - public String get(String name, String def, boolean print) { - return def; - } - }; + public static Get NULL = new Get() { + public String get(String name, String def, boolean print) { + return def; + } + }; - public static class AccessGet implements Get { - private Access access; - public AccessGet(Access access) { - this.access = access; - } - public String get(String name, String def, boolean print) { - String gotten = access.getProperty(name, def); - if(print) { - if(gotten == null) { - access.log(Level.INIT,name, "is not set"); - } else { - access.log(Level.INIT,name, "is set to", gotten); - } - } - return gotten; - } - } + public static class AccessGet implements Get { + private Access access; + public AccessGet(Access access) { + this.access = access; + } + public String get(String name, String def, boolean print) { + String gotten = access.getProperty(name, def); + if(print) { + if(gotten == null) { + access.log(Level.INIT,name, "is not set"); + } else { + access.log(Level.INIT,name, "is set to", gotten); + } + } + return gotten; + } + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java index b44de05f..4655dfa1 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java 
@@ -24,34 +24,34 @@ package org.onap.aaf.cadi.config; import org.onap.aaf.cadi.PropAccess; public class GetAccess extends PropAccess { - private final Get getter; - - public GetAccess(Get getter) { - super(new String[]{"cadi_prop_files="+getter.get("cadi_prop_files", null, true)}); - this.getter = getter; - } - - /* (non-Javadoc) - * @see org.onap.aaf.cadi.PropAccess#getProperty(java.lang.String, java.lang.String) - */ - @Override - public String getProperty(String tag, String def) { - String rv; - rv = super.getProperty(tag, null); - if(rv==null && getter!=null) { - rv = getter.get(tag, null, true); - } - return rv==null?def:rv; - } - /* (non-Javadoc) - * @see org.onap.aaf.cadi.PropAccess#getProperty(java.lang.String) - */ - @Override - public String getProperty(String tag) { - return getProperty(tag, null); - } + private final Get getter; + + public GetAccess(Get getter) { + super(new String[]{"cadi_prop_files="+getter.get("cadi_prop_files", null, true)}); + this.getter = getter; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.PropAccess#getProperty(java.lang.String, java.lang.String) + */ + @Override + public String getProperty(String tag, String def) { + String rv; + rv = super.getProperty(tag, null); + if(rv==null && getter!=null) { + rv = getter.get(tag, null, true); + } + return rv==null?def:rv; + } + /* (non-Javadoc) + * @see org.onap.aaf.cadi.PropAccess#getProperty(java.lang.String) + */ + @Override + public String getProperty(String tag) { + return getProperty(tag, null); + } - public Get get() { - return getter; - } + public Get get() { + return getter; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java index f63de20c..bb9981bf 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java 
@@ -55,230 +55,230 @@ import org.onap.aaf.cadi.util.MaskFormatException; import org.onap.aaf.cadi.util.NetMask; public class SecurityInfo { - private static final String SECURITY_ALGO = "RSA"; - private static final String HTTPS_PROTOCOLS = "https.protocols"; - private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols"; + private static final String SECURITY_ALGO = "RSA"; + private static final String HTTPS_PROTOCOLS = "https.protocols"; + private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols"; - public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2"; - public static final String REGEX_COMMA = "\\s*,\\s*"; - public static final String SSL_KEY_MANAGER_FACTORY_ALGORITHM; - - private SSLSocketFactory socketFactory; - private X509KeyManager[] x509KeyManager; - private X509TrustManager[] x509TrustManager; - public final String defaultAlias; - private NetMask[] trustMasks; - private SSLContext context; - private HostnameVerifier maskHV; - public final Access access; + public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2"; + public static final String REGEX_COMMA = "\\s*,\\s*"; + public static final String SSL_KEY_MANAGER_FACTORY_ALGORITHM; + + private SSLSocketFactory socketFactory; + private X509KeyManager[] x509KeyManager; + private X509TrustManager[] x509TrustManager; + public final String defaultAlias; + private NetMask[] trustMasks; + private SSLContext context; + private HostnameVerifier maskHV; + public final Access access; - // Change Key Algorithms for IBM's VM. Could put in others, if needed. - static { - if ("IBM Corporation".equalsIgnoreCase(System.getProperty("java.vm.vendor"))) { - SSL_KEY_MANAGER_FACTORY_ALGORITHM = "IbmX509"; - } else { - SSL_KEY_MANAGER_FACTORY_ALGORITHM = "SunX509"; - } - } - + // Change Key Algorithms for IBM's VM. Could put in others, if needed. 
+ static { + if ("IBM Corporation".equalsIgnoreCase(System.getProperty("java.vm.vendor"))) { + SSL_KEY_MANAGER_FACTORY_ALGORITHM = "IbmX509"; + } else { + SSL_KEY_MANAGER_FACTORY_ALGORITHM = "SunX509"; + } + } + - public SecurityInfo(final Access access) throws CadiException { - try { - this.access = access; - // reuse DME2 Properties for convenience if specific Properties don't exist - - initializeKeyManager(); - - initializeTrustManager(); - - defaultAlias = access.getProperty(Config.CADI_ALIAS, null); - - initializeTrustMasks(); + public SecurityInfo(final Access access) throws CadiException { + try { + this.access = access; + // reuse DME2 Properties for convenience if specific Properties don't exist + + initializeKeyManager(); + + initializeTrustManager(); + + defaultAlias = access.getProperty(Config.CADI_ALIAS, null); + + initializeTrustMasks(); - String httpsProtocols = Config.logProp(access, Config.CADI_PROTOCOLS, - access.getProperty(HTTPS_PROTOCOLS, HTTPS_PROTOCOLS_DEFAULT) - ); - System.setProperty(HTTPS_PROTOCOLS, httpsProtocols); - System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, httpsProtocols); - if ("1.7".equals(System.getProperty("java.specification.version")) && httpsProtocols.contains("TLSv1.2")) { - System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT); - } + String httpsProtocols = Config.logProp(access, Config.CADI_PROTOCOLS, + access.getProperty(HTTPS_PROTOCOLS, HTTPS_PROTOCOLS_DEFAULT) + ); + System.setProperty(HTTPS_PROTOCOLS, httpsProtocols); + System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, httpsProtocols); + if ("1.7".equals(System.getProperty("java.specification.version")) && httpsProtocols.contains("TLSv1.2")) { + System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT); + } - context = SSLContext.getInstance("TLS"); - context.init(x509KeyManager, x509TrustManager, null); - SSLContext.setDefault(context); - socketFactory = context.getSocketFactory(); - } catch (NoSuchAlgorithmException | 
KeyManagementException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) { - throw new CadiException(e); - } - } + context = SSLContext.getInstance("TLS"); + context.init(x509KeyManager, x509TrustManager, null); + SSLContext.setDefault(context); + socketFactory = context.getSocketFactory(); + } catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) { + throw new CadiException(e); + } + } - /** - * @return the scf - */ - public SSLSocketFactory getSSLSocketFactory() { - return socketFactory; - } + /** + * @return the scf + */ + public SSLSocketFactory getSSLSocketFactory() { + return socketFactory; + } - public SSLContext getSSLContext() { - return context; - } + public SSLContext getSSLContext() { + return context; + } - /** - * @return the km - */ - public X509KeyManager[] getKeyManagers() { - return x509KeyManager; - } + /** + * @return the km + */ + public X509KeyManager[] getKeyManagers() { + return x509KeyManager; + } - public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException { - for (X509TrustManager xtm : x509TrustManager) { - xtm.checkClientTrusted(certarr, SECURITY_ALGO); - } - } + public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException { + for (X509TrustManager xtm : x509TrustManager) { + xtm.checkClientTrusted(certarr, SECURITY_ALGO); + } + } - public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException { - for (X509TrustManager xtm : x509TrustManager) { - xtm.checkServerTrusted(certarr, SECURITY_ALGO); - } - } + public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException { + for (X509TrustManager xtm : x509TrustManager) { + xtm.checkServerTrusted(certarr, SECURITY_ALGO); + } + } - public void setSocketFactoryOn(HttpsURLConnection hsuc) { - hsuc.setSSLSocketFactory(socketFactory); - if (maskHV != null && 
!maskHV.equals(hsuc.getHostnameVerifier())) { - hsuc.setHostnameVerifier(maskHV); - } - } - - protected void initializeKeyManager() throws CadiException, IOException, NoSuchAlgorithmException, KeyStoreException, CertificateException, UnrecoverableKeyException { - String keyStore = access.getProperty(Config.CADI_KEYSTORE, null); - if (keyStore != null && !new File(keyStore).exists()) { - throw new CadiException(keyStore + " does not exist"); - } + public void setSocketFactoryOn(HttpsURLConnection hsuc) { + hsuc.setSSLSocketFactory(socketFactory); + if (maskHV != null && !maskHV.equals(hsuc.getHostnameVerifier())) { + hsuc.setHostnameVerifier(maskHV); + } + } + + protected void initializeKeyManager() throws CadiException, IOException, NoSuchAlgorithmException, KeyStoreException, CertificateException, UnrecoverableKeyException { + String keyStore = access.getProperty(Config.CADI_KEYSTORE, null); + if (keyStore != null && !new File(keyStore).exists()) { + throw new CadiException(keyStore + " does not exist"); + } - String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD, null); - keyStorePasswd = (keyStorePasswd == null) ? null : access.decrypt(keyStorePasswd, false); - if (keyStore == null || keyStorePasswd == null) { - x509KeyManager = new X509KeyManager[0]; - return; - } + String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD, null); + keyStorePasswd = (keyStorePasswd == null) ? null : access.decrypt(keyStorePasswd, false); + if (keyStore == null || keyStorePasswd == null) { + x509KeyManager = new X509KeyManager[0]; + return; + } - String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD, null); - keyPasswd = (keyPasswd == null) ? keyStorePasswd : access.decrypt(keyPasswd, false); + String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD, null); + keyPasswd = (keyPasswd == null) ? 
keyStorePasswd : access.decrypt(keyPasswd, false);
- KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
- ArrayList keyManagers = new ArrayList<>();
- File file;
- for (String ksname : keyStore.split(REGEX_COMMA)) {
- String keystoreFormat;
- if (ksname.endsWith(".p12") || ksname.endsWith(".pkcs12")) {
- keystoreFormat = "PKCS12";
- } else {
- keystoreFormat = "JKS";
- }
+ ArrayList keyManagers = new ArrayList<>();
+ File file;
+ for (String ksname : keyStore.split(REGEX_COMMA)) {
+ String keystoreFormat;
+ if (ksname.endsWith(".p12") || ksname.endsWith(".pkcs12")) {
+ keystoreFormat = "PKCS12";
+ } else {
+ keystoreFormat = "JKS";
+ }
- file = new File(ksname);
- if (file.exists()) {
- FileInputStream fis = new FileInputStream(file);
- try {
- KeyStore ks = KeyStore.getInstance(keystoreFormat);
- ks.load(fis, keyStorePasswd.toCharArray());
- keyManagerFactory.init(ks, keyPasswd.toCharArray());
- } finally {
- fis.close();
- }
- }
- }
- for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
- if (keyManager instanceof X509KeyManager) {
- keyManagers.add((X509KeyManager)keyManager);
- }
- }
- x509KeyManager = new X509KeyManager[keyManagers.size()];
- keyManagers.toArray(x509KeyManager);
- }
+ file = new File(ksname);
+ if (file.exists()) {
+ FileInputStream fis = new FileInputStream(file);
+ try {
+ KeyStore ks = KeyStore.getInstance(keystoreFormat);
+ ks.load(fis, keyStorePasswd.toCharArray());
+ keyManagerFactory.init(ks, keyPasswd.toCharArray());
+ } finally {
+ fis.close();
+ }
+ }
+ }
+ for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
+ if (keyManager instanceof X509KeyManager) {
+ keyManagers.add((X509KeyManager)keyManager);
+ }
+ }
+ x509KeyManager = new X509KeyManager[keyManagers.size()];
+ keyManagers.toArray(x509KeyManager);
+ }
- protected void initializeTrustManager() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException, CadiException {
- String trustStore = access.getProperty(Config.CADI_TRUSTSTORE, null);
- if (trustStore != null && !new File(trustStore).exists()) {
- throw new CadiException(trustStore + " does not exist");
- }
+ protected void initializeTrustManager() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException, CadiException {
+ String trustStore = access.getProperty(Config.CADI_TRUSTSTORE, null);
+ if (trustStore != null && !new File(trustStore).exists()) {
+ throw new CadiException(trustStore + " does not exist");
+ }
- if (trustStore == null) {
- return;
- }
+ if (trustStore == null) {
+ return;
+ }
- String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD, null);
- trustStorePasswd = (trustStorePasswd == null) ? "changeit"/*defacto Java Trust Pass*/ : access.decrypt(trustStorePasswd, false);
+ String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD, null);
+ trustStorePasswd = (trustStorePasswd == null) ? "changeit"/*defacto Java Trust Pass*/ : access.decrypt(trustStorePasswd, false);
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
- File file;
- for (String trustStoreName : trustStore.split(REGEX_COMMA)) {
- file = new File(trustStoreName);
- if (file.exists()) {
- FileInputStream fis = new FileInputStream(file);
- try {
- KeyStore ts = KeyStore.getInstance("JKS");
- ts.load(fis, trustStorePasswd.toCharArray());
- trustManagerFactory.init(ts);
- } finally {
- fis.close();
- }
- }
- }
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
+ File file;
+ for (String trustStoreName : trustStore.split(REGEX_COMMA)) {
+ file = new File(trustStoreName);
+ if (file.exists()) {
+ FileInputStream fis = new FileInputStream(file);
+ try {
+ KeyStore ts = KeyStore.getInstance("JKS");
+ ts.load(fis, trustStorePasswd.toCharArray());
+ trustManagerFactory.init(ts);
+ } finally {
+ fis.close();
+ }
+ }
+ }
- TrustManager trustManagers[] = trustManagerFactory.getTrustManagers();
- if (trustManagers == null || trustManagers.length == 0) {
- return;
- }
+ TrustManager trustManagers[] = trustManagerFactory.getTrustManagers();
+ if (trustManagers == null || trustManagers.length == 0) {
+ return;
+ }
- x509TrustManager = new X509TrustManager[trustManagers.length];
- for (int i = 0; i < trustManagers.length; ++i) {
- try {
- x509TrustManager[i] = (X509TrustManager)trustManagers[i];
- } catch (ClassCastException e) {
- access.log(Level.WARN, "Non X509 TrustManager", x509TrustManager[i].getClass().getName(), "skipped in SecurityInfo");
- }
- }
- }
-
- protected void initializeTrustMasks() throws AccessException {
- String tips = access.getProperty(Config.CADI_TRUST_MASKS, null);
- if (tips == null) {
- return;
- }
+ x509TrustManager = new X509TrustManager[trustManagers.length];
+ for (int i = 0; i < trustManagers.length; ++i) {
+ try {
+ x509TrustManager[i] = (X509TrustManager)trustManagers[i];
+ } catch (ClassCastException e) {
+ access.log(Level.WARN, "Non X509 TrustManager", x509TrustManager[i].getClass().getName(), "skipped in SecurityInfo");
+ }
+ }
+ }
+
+ protected void initializeTrustMasks() throws AccessException {
+ String tips = access.getProperty(Config.CADI_TRUST_MASKS, null);
+ if (tips == null) {
+ return;
+ }
- access.log(Level.INIT, "Explicitly accepting valid X509s from", tips);
- String[] ipsplit = tips.split(REGEX_COMMA);
- trustMasks = new NetMask[ipsplit.length];
- for (int i = 0; i < ipsplit.length; ++i) {
- try {
- trustMasks[i] = new NetMask(ipsplit[i]);
- } catch (MaskFormatException e) {
- throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS, e);
- }
- }
-
- final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
- maskHV = new HostnameVerifier() {
- @Override
- public boolean verify(final String urlHostName, final SSLSession session) {
- try {
- // This will pick up /etc/host entries as well as DNS
- InetAddress ia = InetAddress.getByName(session.getPeerHost());
- for (NetMask tmask : trustMasks) {
- if (tmask.isInNet(ia.getHostAddress())) {
- return true;
- }
- }
- } catch (UnknownHostException e) {
- // It's ok. do normal Verify
- }
- return origHV.verify(urlHostName, session);
- };
- };
- HttpsURLConnection.setDefaultHostnameVerifier(maskHV);
- }
-
+ access.log(Level.INIT, "Explicitly accepting valid X509s from", tips);
+ String[] ipsplit = tips.split(REGEX_COMMA);
+ trustMasks = new NetMask[ipsplit.length];
+ for (int i = 0; i < ipsplit.length; ++i) {
+ try {
+ trustMasks[i] = new NetMask(ipsplit[i]);
+ } catch (MaskFormatException e) {
+ throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS, e);
+ }
+ }
+
+ final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
+ maskHV = new HostnameVerifier() {
+ @Override
+ public boolean verify(final String urlHostName, final SSLSession session) {
+ try {
+ // This will pick up /etc/host entries as well as DNS
+ InetAddress ia = InetAddress.getByName(session.getPeerHost());
+ for (NetMask tmask : trustMasks) {
+ if (tmask.isInNet(ia.getHostAddress())) {
+ return true;
+ }
+ }
+ } catch (UnknownHostException e) {
+ // It's ok. do normal Verify
+ }
+ return origHV.verify(urlHostName, session);
+ };
+ };
+ HttpsURLConnection.setDefaultHostnameVerifier(maskHV);
+ }
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java
index 8e5faf4c..45e1dd1c 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java
@@ -31,64 +31,64 @@ import org.onap.aaf.cadi.SecuritySetter;
 public class SecurityInfoC extends SecurityInfo {
- public static final String DEF_ID = "ID not Set";
- private static Map,SecurityInfoC> sicMap = new HashMap<>();
- public SecuritySetter defSS;
+ public static final String DEF_ID = "ID not Set";
+ private static Map,SecurityInfoC> sicMap = new HashMap<>();
+ public SecuritySetter defSS;
- public SecurityInfoC(Access access) throws CadiException {
- super(access);
- defSS = new DEFSS();
- }
-
- @SuppressWarnings("unchecked")
- public static synchronized SecurityInfoC instance(Access access, Class cls) throws CadiException {
- SecurityInfoInit sii;
- if(cls.isAssignableFrom(HttpURLConnection.class)) {
- try {
- @SuppressWarnings("rawtypes")
- Class initCls = (Class)Class.forName("org.onap.aaf.cadi.http.HSecurityInfoInit");
- sii = initCls.newInstance();
- } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) {
- throw new CadiException("CADI using HttpURLConnection requires cadi-client jar",e);
- }
- } else {
- sii = new SecurityInfoInit() {
- @Override
- public SecuritySetter bestDefault(SecurityInfoC si) throws CadiException {
- return new DEFSS();
- }
- };
- }
-
- SecurityInfoC sic = (SecurityInfoC) sicMap.get(cls);
- if(sic==null) {
- sic = new SecurityInfoC(access);
- sic.set(sii.bestDefault(sic));
- sicMap.put(cls, sic);
- }
- return sic;
- }
+ public SecurityInfoC(Access access) throws CadiException {
+ super(access);
+ defSS = new DEFSS();
+ }
+
+ @SuppressWarnings("unchecked")
+ public static synchronized SecurityInfoC instance(Access access, Class cls) throws CadiException {
+ SecurityInfoInit sii;
+ if(cls.isAssignableFrom(HttpURLConnection.class)) {
+ try {
+ @SuppressWarnings("rawtypes")
+ Class initCls = (Class)Class.forName("org.onap.aaf.cadi.http.HSecurityInfoInit");
+ sii = initCls.newInstance();
+ } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) {
+ throw new CadiException("CADI using HttpURLConnection requires cadi-client jar",e);
+ }
+ } else {
+ sii = new SecurityInfoInit() {
+ @Override
+ public SecuritySetter bestDefault(SecurityInfoC si) throws CadiException {
+ return new DEFSS();
+ }
+ };
+ }
+
+ SecurityInfoC sic = (SecurityInfoC) sicMap.get(cls);
+ if(sic==null) {
+ sic = new SecurityInfoC(access);
+ sic.set(sii.bestDefault(sic));
+ sicMap.put(cls, sic);
+ }
+ return sic;
+ }
- public SecurityInfoC set(SecuritySetter defSS) {
- this.defSS = defSS;
- return this;
- }
+ public SecurityInfoC set(SecuritySetter defSS) {
+ this.defSS = defSS;
+ return this;
+ }
- private static class DEFSS implements SecuritySetter {
- @Override
- public String getID() {
- return DEF_ID;
- }
+ private static class DEFSS implements SecuritySetter {
+ @Override
+ public String getID() {
+ return DEF_ID;
+ }
- @Override
- public void setSecurity(C client) throws CadiException {
- throw new CadiException("No Client Credentials set.");
- }
+ @Override
+ public void setSecurity(C client) throws CadiException {
+ throw new CadiException("No Client Credentials set.");
+ }
- @Override
- public int setLastResponse(int respCode) {
- return 0;
- }
- };
+ @Override
+ public int setLastResponse(int respCode) {
+ return 0;
+ }
+ };
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoInit.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoInit.java
index d77a7196..614f363b 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoInit.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoInit.java
@@ -24,5 +24,5 @@ import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.SecuritySetter;
 public interface SecurityInfoInit {
- public SecuritySetter bestDefault(SecurityInfoC si) throws CadiException;
+ public SecuritySetter bestDefault(SecurityInfoC si) throws CadiException;
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java index 5aea719e..de25cb7f 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java 
@@ -36,127 +36,127 @@ import org.onap.aaf.cadi.lur.LocalLur; public class UsersDump { - /** - * @param args - */ - public static boolean write(OutputStream os, AbsUserCache lur) { - PrintStream ps; - if(os instanceof PrintStream) { - ps = (PrintStream)os; - } else { - ps = new PrintStream(os); - } - try { - ps.println(""); - ps.println(""); - ps.println(""); + /** + * @param args + */ + public static boolean write(OutputStream os, AbsUserCache lur) { + PrintStream ps; + if(os instanceof PrintStream) { + ps = (PrintStream)os; + } else { + ps = new PrintStream(os); + } + try { + ps.println(""); + ps.println(""); + ps.println(""); - // We loop through Users, but want to write Groups first... therefore, save off print - StringBuilder sb = new StringBuilder(); - - // Obtain all unique role names - HashSet groups = new HashSet<>(); - for(AbsUserCache.DumpInfo di : lur.dumpInfo()) { - sb.append("\n "); + // We loop through Users, but want to write Groups first... therefore, save off print + StringBuilder sb = new StringBuilder(); + + // Obtain all unique role names + HashSet groups = new HashSet<>(); + for(AbsUserCache.DumpInfo di : lur.dumpInfo()) { + sb.append("\n "); - } + } - // Print roles - for(String group : groups) { - ps.print(" "); - } - - ps.println(sb); + // Print roles + for(String group : groups) { + ps.print(" "); + } + + ps.println(sb); - ps.println(""); - ps.flush(); - } catch (Exception t) { - t.printStackTrace(ps); - return false; - } - return true; - } - - /** - * - * Note: This method returns a String if there's an error, or null if ok. - * This unusual style is necessitated by the fact that any Exceptions thrown are likely to - * be unlogged and hidden from view, making debugging almost impossible. 
- * - * @param writeto - * @param up - * @return - */ - public static String updateUsers(String writeto, LocalLur up) { - // Dump a Tomcat-user.xml lookalike (anywhere) - if(writeto!=null) { - // First read content - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - if(UsersDump.write(baos, up)) { - byte[] postulate = baos.toByteArray(); - // now get contents of file - File file = new File(writeto); - boolean writeIt; - if(file.exists()) { - try { - FileInputStream fis = new FileInputStream(file); - byte[] orig = new byte[(int)file.length()]; - int read; - try { - read = fis.read(orig); - } finally { - fis.close(); - } - if(read<=0) { - writeIt = false; - } else { - // Starting at third "<" ( line) - int startA=0, startB=0; - for(int i=0;startA"); + ps.flush(); + } catch (Exception t) { + t.printStackTrace(ps); + return false; + } + return true; + } + + /** + * + * Note: This method returns a String if there's an error, or null if ok. + * This unusual style is necessitated by the fact that any Exceptions thrown are likely to + * be unlogged and hidden from view, making debugging almost impossible. + * + * @param writeto + * @param up + * @return + */ + public static String updateUsers(String writeto, LocalLur up) { + // Dump a Tomcat-user.xml lookalike (anywhere) + if(writeto!=null) { + // First read content + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + if(UsersDump.write(baos, up)) { + byte[] postulate = baos.toByteArray(); + // now get contents of file + File file = new File(writeto); + boolean writeIt; + if(file.exists()) { + try { + FileInputStream fis = new FileInputStream(file); + byte[] orig = new byte[(int)file.length()]; + int read; + try { + read = fis.read(orig); + } finally { + fis.close(); + } + if(read<=0) { + writeIt = false; + } else { + // Starting at third "<" ( line) + int startA=0, startB=0; + for(int i=0;startA value(); + Class value(); } 
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java
index f72a99bf..0bd87d98 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java
@@ -37,62 +37,62 @@ import javax.servlet.http.HttpServletResponse;
 *
 */
 public class AUTHZServlet implements Servlet {
- private String[] roles;
- private Servlet delegate;
+ private String[] roles;
+ private Servlet delegate;
- protected AUTHZServlet(Class cls) {
- try {
- delegate = cls.newInstance();
- } catch (Exception e) {
- delegate = null;
- }
- RolesAllowed rolesAllowed = cls.getAnnotation(RolesAllowed.class);
- if (rolesAllowed == null) {
- roles = null;
- } else {
- roles = rolesAllowed.value();
- }
- }
-
- public void init(ServletConfig sc) throws ServletException {
- if (delegate == null) {
- throw new ServletException("Invalid Servlet Delegate");
- }
- delegate.init(sc);
- }
-
- public ServletConfig getServletConfig() {
- return delegate.getServletConfig();
- }
+ protected AUTHZServlet(Class cls) {
+ try {
+ delegate = cls.newInstance();
+ } catch (Exception e) {
+ delegate = null;
+ }
+ RolesAllowed rolesAllowed = cls.getAnnotation(RolesAllowed.class);
+ if (rolesAllowed == null) {
+ roles = null;
+ } else {
+ roles = rolesAllowed.value();
+ }
+ }
+
+ public void init(ServletConfig sc) throws ServletException {
+ if (delegate == null) {
+ throw new ServletException("Invalid Servlet Delegate");
+ }
+ delegate.init(sc);
+ }
+
+ public ServletConfig getServletConfig() {
+ return delegate.getServletConfig();
+ }
- public String getServletInfo() {
- return delegate.getServletInfo();
- }
+ public String getServletInfo() {
+ return delegate.getServletInfo();
+ }
- public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
- if (roles == null) {
- delegate.service(req, resp);
- return;
- }
+ public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
+ if (roles == null) {
+ delegate.service(req, resp);
+ return;
+ }
- // Validate
- try {
- HttpServletRequest hreq = (HttpServletRequest)req;
- for (String role : roles) {
- if (hreq.isUserInRole(role)) {
- delegate.service(req, resp);
- return;
- }
- }
+ // Validate
+ try {
+ HttpServletRequest hreq = (HttpServletRequest)req;
+ for (String role : roles) {
+ if (hreq.isUserInRole(role)) {
+ delegate.service(req, resp);
+ return;
+ }
+ }
- ((HttpServletResponse)resp).sendError(403); // forbidden
- } catch (ClassCastException e) {
- throw new ServletException("JASPIServlet only supports HTTPServletRequest/HttpServletResponse");
- }
- }
+ ((HttpServletResponse)resp).sendError(403); // forbidden
+ } catch (ClassCastException e) {
+ throw new ServletException("JASPIServlet only supports HTTPServletRequest/HttpServletResponse");
+ }
+ }
- public void destroy() {
- delegate.destroy();
- }
+ public void destroy() {
+ delegate.destroy();
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java
index ab34a0a4..ae4347d3 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java
@@ -24,12 +24,12 @@ import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.config.Get;
 public class AccessGetter implements Get {
- private final Access access;
- public AccessGetter(Access access) {
- this.access = access;
- }
- public String get(String name, String def, boolean print) {
- return access.getProperty(name, def);
- }
+ private final Access access;
+ public AccessGetter(Access access) {
+ this.access = access;
+ }
+ public String get(String name, String def, boolean print) {
+ return access.getProperty(name, def);
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
index 29234ed7..affb8f96 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
@@ -66,286 +66,286 @@ import org.onap.aaf.cadi.util.Timing; * */ public class CadiFilter implements Filter { - private static CadiHTTPManip httpChecker; - private static String[] pathExceptions; - private static List mapPairs; - private Access access; - private Object[] additionalTafLurs; - private Filter oauthFilter; - private static int count=0; - - public Lur getLur() { - return httpChecker.getLur(); - } - - /** - * Construct a viable Filter - * - * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on - * them at a later time. Therefore, this object creates with an object that denies all access - * until appropriate Init happens, just in case the container lets something slip by in the meantime. - * - */ - public CadiFilter() { - additionalTafLurs = CadiHTTPManip.noAdditional; - } + private static CadiHTTPManip httpChecker; + private static String[] pathExceptions; + private static List mapPairs; + private Access access; + private Object[] additionalTafLurs; + private Filter oauthFilter; + private static int count=0; + + public Lur getLur() { + return httpChecker.getLur(); + } + + /** + * Construct a viable Filter + * + * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on + * them at a later time. Therefore, this object creates with an object that denies all access + * until appropriate Init happens, just in case the container lets something slip by in the meantime. + * + */ + public CadiFilter() { + additionalTafLurs = CadiHTTPManip.noAdditional; + } - /** - * This constructor to be used when directly constructing and placing in HTTP Engine - * - * @param access - * @param moreTafLurs - * @throws ServletException - */ - public CadiFilter(Access access, Object ... 
moreTafLurs) throws ServletException { - additionalTafLurs = moreTafLurs; - init(new AccessGetter(this.access = access)); - } + /** + * This constructor to be used when directly constructing and placing in HTTP Engine + * + * @param access + * @param moreTafLurs + * @throws ServletException + */ + public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException { + additionalTafLurs = moreTafLurs; + init(new AccessGetter(this.access = access)); + } - /** - * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it - * @param init - * @param access - * @param moreTafLurs - * @throws ServletException - */ - public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException { - this.access = access; - additionalTafLurs = moreTafLurs; - if(init) { - init(new AccessGetter(access)); - } - } + /** + * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it + * @param init + * @param access + * @param moreTafLurs + * @throws ServletException + */ + public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException { + this.access = access; + additionalTafLurs = moreTafLurs; + if(init) { + init(new AccessGetter(access)); + } + } - /** - * Init - * - * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a - * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this - * mechanism already. 
- */ - //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions - public void init(FilterConfig filterConfig) throws ServletException { - // need the Context for Logging, instantiating ClassLoader, etc - ServletContextAccess sca=new ServletContextAccess(filterConfig); - if(access==null) { - access = sca; - } - - // Set Protected getter with base Access, for internal class instantiations - init(new FCGet(access, sca.context(), filterConfig)); - } - + /** + * Init + * + * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a + * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this + * mechanism already. + */ + //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions + public void init(FilterConfig filterConfig) throws ServletException { + // need the Context for Logging, instantiating ClassLoader, etc + ServletContextAccess sca=new ServletContextAccess(filterConfig); + if(access==null) { + access = sca; + } + + // Set Protected getter with base Access, for internal class instantiations + init(new FCGet(access, sca.context(), filterConfig)); + } + - @SuppressWarnings("unchecked") - private void init(Get getter) throws ServletException { + @SuppressWarnings("unchecked") + private void init(Get getter) throws ServletException { // Start with the assumption of "Don't trust anyone". 
- TrustChecker tc = TrustChecker.NOTRUST; // default position - try { - Class ctc = (Class) Class.forName("org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker"); - if(ctc!=null) { - Constructor contc = ctc.getConstructor(Access.class); - if(contc!=null) { - tc = contc.newInstance(access); - } - } - } catch (Exception e) { - access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage()); - } - - try { - Class cf=null; - try { - cf= (Class) Class.forName("org.onap.aaf.cadi.oauth.OAuthFilter"); - oauthFilter = cf.newInstance(); - } catch (ClassNotFoundException e) { - oauthFilter = new Filter() { // Null Filter - @Override - public void destroy() { - } - - @Override - public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)throws IOException, ServletException { - chain.doFilter(req, resp); - } - - @Override - public void init(FilterConfig arg0) throws ServletException { - } - }; - } - } catch (Exception e) { - access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage()); - } + TrustChecker tc = TrustChecker.NOTRUST; // default position + try { + Class ctc = (Class) Class.forName("org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker"); + if(ctc!=null) { + Constructor contc = ctc.getConstructor(Access.class); + if(contc!=null) { + tc = contc.newInstance(access); + } + } + } catch (Exception e) { + access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage()); + } + + try { + Class cf=null; + try { + cf= (Class) Class.forName("org.onap.aaf.cadi.oauth.OAuthFilter"); + oauthFilter = cf.newInstance(); + } catch (ClassNotFoundException e) { + oauthFilter = new Filter() { // Null Filter + @Override + public void destroy() { + } + + @Override + public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)throws IOException, ServletException { + chain.doFilter(req, resp); + } + + @Override + public void init(FilterConfig arg0) throws ServletException { + } + }; + } + } catch (Exception e) { + access.log(Level.INIT, 
"AAFTrustChecker cannot be loaded",e.getMessage()); + } // Synchronize, because some instantiations call init several times on the same object // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice. - synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) { - ++count; - if(httpChecker == null) { - if(access==null) { - access = new PropAccess(); - } - try { - httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs); - } catch (CadiException | LocatorException e1) { - throw new ServletException(e1); - } - } else if(access==null) { - access= httpChecker.getAccess(); - } + synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) { + ++count; + if(httpChecker == null) { + if(access==null) { + access = new PropAccess(); + } + try { + httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs); + } catch (CadiException | LocatorException e1) { + throw new ServletException(e1); + } + } else if(access==null) { + access= httpChecker.getAccess(); + } - /* - * Setup Authn Path Exceptions - */ - if(pathExceptions==null) { - String str = getter.get(Config.CADI_NOAUTHN, null, true); - if(str!=null) { - pathExceptions = str.split("\\s*:\\s*"); - } - } - - /* - * SETUP Permission Converters... 
those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions - */ - if(mapPairs==null) { - String str = getter.get(Config.AAF_PERM_MAP, null, true); - if(str!=null) { - String mstr = getter.get(Config.AAF_PERM_MAP, null, true); - if(mstr!=null) { - String map[] = mstr.split("\\s*:\\s*"); - if(map.length>0) { - MapPermConverter mpc=null; - int idx; - mapPairs = new ArrayList<>(); - for(String entry : map) { - if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter - access.log(Level.INIT,"Loading Perm Conversions for:",entry); - mapPairs.add(new Pair(entry,mpc=new MapPermConverter())); - } else { - if(mpc!=null) { - mpc.map().put(entry.substring(0,idx),entry.substring(idx+1)); - } else { - access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped"); - } - } - } - } - } - } - } - } + /* + * Setup Authn Path Exceptions + */ + if(pathExceptions==null) { + String str = getter.get(Config.CADI_NOAUTHN, null, true); + if(str!=null) { + pathExceptions = str.split("\\s*:\\s*"); + } + } + + /* + * SETUP Permission Converters... 
those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions + */ + if(mapPairs==null) { + String str = getter.get(Config.AAF_PERM_MAP, null, true); + if(str!=null) { + String mstr = getter.get(Config.AAF_PERM_MAP, null, true); + if(mstr!=null) { + String map[] = mstr.split("\\s*:\\s*"); + if(map.length>0) { + MapPermConverter mpc=null; + int idx; + mapPairs = new ArrayList<>(); + for(String entry : map) { + if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter + access.log(Level.INIT,"Loading Perm Conversions for:",entry); + mapPairs.add(new Pair(entry,mpc=new MapPermConverter())); + } else { + if(mpc!=null) { + mpc.map().put(entry.substring(0,idx),entry.substring(idx+1)); + } else { + access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped"); + } + } + } + } + } + } + } + } - // Remove Getter + // Remove Getter getter = Get.NULL; - } + } - /** - * Containers call "destroy" when time to cleanup - */ - public void destroy() { - // Synchronize, in case multiCadiFilters are used. - synchronized(CadiHTTPManip.noAdditional) { - if(--count<=0 && httpChecker!=null) { - httpChecker.destroy(); - httpChecker=null; - access=null; - pathExceptions=null; - } - } - } + /** + * Containers call "destroy" when time to cleanup + */ + public void destroy() { + // Synchronize, in case multiCadiFilters are used. + synchronized(CadiHTTPManip.noAdditional) { + if(--count<=0 && httpChecker!=null) { + httpChecker.destroy(); + httpChecker=null; + access=null; + pathExceptions=null; + } + } + } - /** - * doFilter - * - * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and - * only call the next item in the filterChain if request is suitably Authenticated. 
- */ - //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - final long startAll = System.nanoTime(); - long startCode, startValidate; - float code=0f, validate=0f; - String user = "n/a"; - String tag = ""; - try { - HttpServletRequest hreq = (HttpServletRequest)request; - if(noAuthn(hreq)) { - startCode=System.nanoTime(); - chain.doFilter(request, response); - code = Timing.millis(startCode); - } else { - HttpServletResponse hresp = (HttpServletResponse)response; - startValidate=System.nanoTime(); - TafResp tresp = httpChecker.validate(hreq, hresp, hreq); - validate = Timing.millis(startValidate); - if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) { - user = tresp.getPrincipal().personalName(); - tag = tresp.getPrincipal().tag(); - CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq)); - if(httpChecker.notCadi(cw, hresp)) { - startCode=System.nanoTime(); - oauthFilter.doFilter(cw,response,chain); - code = Timing.millis(startCode); - } - } - } - } catch (ClassCastException e) { - throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e); - } finally { - access.printf(Level.WARN, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f", - user,tag,request.getRemoteAddr(), - Timing.millis(startAll),validate,code); - } - } + /** + * doFilter + * + * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and + * only call the next item in the filterChain if request is suitably Authenticated. 
+ */ + //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + final long startAll = System.nanoTime(); + long startCode, startValidate; + float code=0f, validate=0f; + String user = "n/a"; + String tag = ""; + try { + HttpServletRequest hreq = (HttpServletRequest)request; + if(noAuthn(hreq)) { + startCode=System.nanoTime(); + chain.doFilter(request, response); + code = Timing.millis(startCode); + } else { + HttpServletResponse hresp = (HttpServletResponse)response; + startValidate=System.nanoTime(); + TafResp tresp = httpChecker.validate(hreq, hresp, hreq); + validate = Timing.millis(startValidate); + if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) { + user = tresp.getPrincipal().personalName(); + tag = tresp.getPrincipal().tag(); + CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq)); + if(httpChecker.notCadi(cw, hresp)) { + startCode=System.nanoTime(); + oauthFilter.doFilter(cw,response,chain); + code = Timing.millis(startCode); + } + } + } + } catch (ClassCastException e) { + throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e); + } finally { + access.printf(Level.WARN, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f", + user,tag,request.getRemoteAddr(), + Timing.millis(startAll),validate,code); + } + } - /** - * If PathExceptions exist, report if these should not have Authn applied. 
- * @param hreq - * @return - */ - private boolean noAuthn(HttpServletRequest hreq) { - if(pathExceptions!=null) { - String pi = hreq.getPathInfo(); - if(pi==null) return false; // JBoss sometimes leaves null - for(String pe : pathExceptions) { - if(pi.startsWith(pe))return true; - } - } - return false; - } - - /** - * Get Converter by Path - */ - private PermConverter getConverter(HttpServletRequest hreq) { - if(mapPairs!=null) { - String pi = hreq.getPathInfo(); - if(pi !=null) { - for(Pair p: mapPairs) { - if(pi.startsWith(p.name))return p.pc; - } - } - } - return NullPermConverter.singleton(); - } - - /** - * store PermConverters by Path prefix - * @author Jonathan - * - */ - private class Pair { - public Pair(String key, PermConverter pc) { - name = key; - this.pc = pc; - } - public String name; - public PermConverter pc; - } + /** + * If PathExceptions exist, report if these should not have Authn applied. + * @param hreq + * @return + */ + private boolean noAuthn(HttpServletRequest hreq) { + if(pathExceptions!=null) { + String pi = hreq.getPathInfo(); + if(pi==null) return false; // JBoss sometimes leaves null + for(String pe : pathExceptions) { + if(pi.startsWith(pe))return true; + } + } + return false; + } + + /** + * Get Converter by Path + */ + private PermConverter getConverter(HttpServletRequest hreq) { + if(mapPairs!=null) { + String pi = hreq.getPathInfo(); + if(pi !=null) { + for(Pair p: mapPairs) { + if(pi.startsWith(p.name))return p.pc; + } + } + } + return NullPermConverter.singleton(); + } + + /** + * store PermConverters by Path prefix + * @author Jonathan + * + */ + private class Pair { + public Pair(String key, PermConverter pc) { + name = key; + this.pc = pc; + } + public String name; + public PermConverter pc; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java index 9d1653fa..3c0f139b 100644 
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
@@ -55,159 +55,159 @@ import org.onap.aaf.cadi.util.UserChainManip;
 *
 */
 public class CadiHTTPManip {
- private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
- private static final String METH = "OPTIONS";
- private static final String CADI = "/cadi/";
- private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
- private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
- private static final String CADI_LOG_SET = "/cadi/log/set/";
- private static final Object LOCK = new Object();
- private Access access;
- private HttpTaf taf;
- private CredVal up;
- private Lur lur;
- private String thisPerm,companyPerm,aaf_id;
-
- public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems
+ private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
+ private static final String METH = "OPTIONS";
+ private static final String CADI = "/cadi/";
+ private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
+ private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
+ private static final String CADI_LOG_SET = "/cadi/log/set/";
+ private static final Object LOCK = new Object();
+ private Access access;
+ private HttpTaf taf;
+ private CredVal up;
+ private Lur lur;
+ private String thisPerm,companyPerm,aaf_id;
+
+ public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems
- public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException, LocatorException {
- synchronized(LOCK) {
- this.access = access;
-// Get getter = new AccessGetter(access);
- Config.setDefaultRealm(access);
-
- aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_APPID, null));
- if(aaf_id==null) {
- access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_APPID,Config.CADI_ALIAS);
- } else {
- access.printf(Level.INIT, "%s is set to %s",Config.AAF_APPID,aaf_id);
- }
- String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id);
- if(ns!=null) {
- thisPerm = ns+ACCESS_CADI_CONTROL;
- int dot = ns.indexOf('.');
- if(dot>=0) {
- int dot2=ns.indexOf('.',dot+1);
- if(dot2<0) {
- dot2=dot;
- }
- companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL;
- } else {
- companyPerm = "com"+ACCESS_CADI_CONTROL;
- }
- } else {
- thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL;
- }
- SecurityInfoC si;
- si = SecurityInfoC.instance(access, HttpURLConnection.class);
-
- lur = Config.configLur(si, con, additionalTafLurs);
-
- tc.setLur(lur);
- if(lur instanceof EpiLur) {
- up = ((EpiLur)lur).getUserPassImpl();
- } else if(lur instanceof CredVal) {
- up = (CredVal)lur;
- } else {
- up = null;
- }
- taf = Config.configHttpTaf(con,si, tc, up, lur, additionalTafLurs);
- }
- }
+ public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException, LocatorException {
+ synchronized(LOCK) {
+ this.access = access;
+// Get getter = new AccessGetter(access);
+ Config.setDefaultRealm(access);
+
+ aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_APPID, null));
+ if(aaf_id==null) {
+ access.printf(Level.INIT, "%s is not set. 
%s can be used instead",Config.AAF_APPID,Config.CADI_ALIAS); + } else { + access.printf(Level.INIT, "%s is set to %s",Config.AAF_APPID,aaf_id); + } + String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id); + if(ns!=null) { + thisPerm = ns+ACCESS_CADI_CONTROL; + int dot = ns.indexOf('.'); + if(dot>=0) { + int dot2=ns.indexOf('.',dot+1); + if(dot2<0) { + dot2=dot; + } + companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL; + } else { + companyPerm = "com"+ACCESS_CADI_CONTROL; + } + } else { + thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL; + } + SecurityInfoC si; + si = SecurityInfoC.instance(access, HttpURLConnection.class); + + lur = Config.configLur(si, con, additionalTafLurs); + + tc.setLur(lur); + if(lur instanceof EpiLur) { + up = ((EpiLur)lur).getUserPassImpl(); + } else if(lur instanceof CredVal) { + up = (CredVal)lur; + } else { + up = null; + } + taf = Config.configHttpTaf(con,si, tc, up, lur, additionalTafLurs); + } + } - public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp, Object state) throws IOException { - TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp); - switch(tresp.isAuthenticated()) { - case IS_AUTHENTICATED: - access.printf(Level.INFO,"Authenticated: %s from %s:%d", - tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); - break; - case TRY_AUTHENTICATING: - switch (tresp.authenticate()) { - case IS_AUTHENTICATED: - access.printf(Level.INFO,"Authenticated: %s from %s:%d", - tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); - break; - case HTTP_REDIRECT_INVOKED: - access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc()); - break; - case NO_FURTHER_PROCESSING: - access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d" - , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, tresp.desc()); // Forbidden - break; + public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp, Object state) throws IOException { + TafResp tresp 
= taf.validate(Taf.LifeForm.LFN, hreq, hresp); + switch(tresp.isAuthenticated()) { + case IS_AUTHENTICATED: + access.printf(Level.INFO,"Authenticated: %s from %s:%d", + tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + break; + case TRY_AUTHENTICATING: + switch (tresp.authenticate()) { + case IS_AUTHENTICATED: + access.printf(Level.INFO,"Authenticated: %s from %s:%d", + tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + break; + case HTTP_REDIRECT_INVOKED: + access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc()); + break; + case NO_FURTHER_PROCESSING: + access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d" + , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + hresp.sendError(403, tresp.desc()); // Forbidden + break; - default: - access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" - , hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, tresp.desc()); // Forbidden - } - break; - case NO_FURTHER_PROCESSING: - access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d", - tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, "Access Denied"); // FORBIDDEN - break; - default: - access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" - , hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, "Access Denied"); // FORBIDDEN - } - return tresp; - } - - public boolean notCadi(CadiWrap req, HttpServletResponse resp) { - - String pathInfo = req.getPathInfo(); - if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) { - if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) { - try { - if(pathInfo.contains(CADI_CACHE_PRINT)) { - resp.getOutputStream().println(lur.toString()); - resp.setStatus(200); - return false; - } else if(pathInfo.contains(CADI_CACHE_CLEAR)) { - StringBuilder report = new StringBuilder(); - lur.clear(req.getUserPrincipal(), 
report); - resp.getOutputStream().println(report.toString()); - resp.setStatus(200); - return false; - } else if(pathInfo.contains(CADI_LOG_SET)) { - Level l; - int slash = pathInfo.lastIndexOf('/'); - String level = pathInfo.substring(slash+1); - try { - l = Level.valueOf(level); - access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name()); - access.setLogLevel(l); - } catch (IllegalArgumentException e) { - access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level); - } - return false; - } - } catch (IOException e) { - access.log(e); - } - } - } - return true; - } + default: + access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" + , hreq.getRemoteAddr(), hreq.getRemotePort()); + hresp.sendError(403, tresp.desc()); // Forbidden + } + break; + case NO_FURTHER_PROCESSING: + access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d", + tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + hresp.sendError(403, "Access Denied"); // FORBIDDEN + break; + default: + access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" + , hreq.getRemoteAddr(), hreq.getRemotePort()); + hresp.sendError(403, "Access Denied"); // FORBIDDEN + } + return tresp; + } + + public boolean notCadi(CadiWrap req, HttpServletResponse resp) { + + String pathInfo = req.getPathInfo(); + if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) { + if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) { + try { + if(pathInfo.contains(CADI_CACHE_PRINT)) { + resp.getOutputStream().println(lur.toString()); + resp.setStatus(200); + return false; + } else if(pathInfo.contains(CADI_CACHE_CLEAR)) { + StringBuilder report = new StringBuilder(); + lur.clear(req.getUserPrincipal(), report); + resp.getOutputStream().println(report.toString()); + resp.setStatus(200); + return false; + } else if(pathInfo.contains(CADI_LOG_SET)) { + Level l; + int slash = 
pathInfo.lastIndexOf('/'); + String level = pathInfo.substring(slash+1); + try { + l = Level.valueOf(level); + access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name()); + access.setLogLevel(l); + } catch (IllegalArgumentException e) { + access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level); + } + return false; + } + } catch (IOException e) { + access.log(e); + } + } + } + return true; + } - public Lur getLur() { - return lur; - } - - public void destroy() { - access.log(Level.INFO,"CadiHttpChecker destroyed."); - if(lur!=null) { - lur.destroy(); - lur=null; - } - } + public Lur getLur() { + return lur; + } + + public void destroy() { + access.log(Level.INFO,"CadiHttpChecker destroyed."); + if(lur!=null) { + lur.destroy(); + lur=null; + } + } - public Access getAccess() { - return access; - } + public Access getAccess() { + return access; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java index 9c4cca10..f56cbf27 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java 
@@ -33,44 +33,44 @@ import org.onap.aaf.cadi.config.Get; * cleans up the initialization code. */ class FCGet implements Get { - /** - * - */ - private final Access access; - private FilterConfig filterConfig; - private ServletContext context; + /** + * + */ + private final Access access; + private FilterConfig filterConfig; + private ServletContext context; - public FCGet(Access access, ServletContext context, FilterConfig filterConfig) { - this.access = access; - this.context = context; - this.filterConfig = filterConfig; - } + public FCGet(Access access, ServletContext context, FilterConfig filterConfig) { + this.access = access; + this.context = context; + this.filterConfig = filterConfig; + } - public String get(String name, String def, boolean print) { - String str = null; - // Try Server Context First - if(context!=null) { - str = context.getInitParameter(name); - } - - // Try Filter Context next - if(str==null && filterConfig != null) { - str = filterConfig.getInitParameter(name); - } - - if(str==null) { - str = access.getProperty(name, def); - } - // Take def if nothing else - if(str==null) { - str = def; - // don't log defaults - } else { - str = str.trim(); // this is vital in Property File based values, as spaces can hide easily - if(print) { - access.log(Level.INFO,"Setting", name, "to", str); - } - } - return str; - } + public String get(String name, String def, boolean print) { + String str = null; + // Try Server Context First + if(context!=null) { + str = context.getInitParameter(name); + } + + // Try Filter Context next + if(str==null && filterConfig != null) { + str = filterConfig.getInitParameter(name); + } + + if(str==null) { + str = access.getProperty(name, def); + } + // Take def if nothing else + if(str==null) { + str = def; + // don't log defaults + } else { + str = str.trim(); // this is vital in Property File based values, as spaces can hide easily + if(print) { + access.log(Level.INFO,"Setting", name, "to", str); + } + } + return str; + } 
} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java index f0786b12..7953e076 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java @@ -25,30 +25,30 @@ import java.util.HashMap; import java.util.Map; public class MapPermConverter implements PermConverter { - private HashMap map; + private HashMap map; - /** - * Create with colon separated name value pairs - * i.e. teAdmin=com.att.myNS.myPerm|*|*:teUser=... - * - * @param value - */ - public MapPermConverter() { - map = new HashMap<>(); - } + /** + * Create with colon separated name value pairs + * i.e. teAdmin=com.att.myNS.myPerm|*|*:teUser=... + * + * @param value + */ + public MapPermConverter() { + map = new HashMap<>(); + } - /** - * use to instantiate entries - * - * @return - */ - public Map map() { - return map; - } + /** + * use to instantiate entries + * + * @return + */ + public Map map() { + return map; + } - public String convert(String minimal) { - String rv = map.get(minimal); - return (rv == null) ? minimal : rv; - } + public String convert(String minimal) { + String rv = map.get(minimal); + return (rv == null) ? minimal : rv; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java index 8b70d95d..bb63d097 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java 
@@ -32,14 +32,14 @@ package org.onap.aaf.cadi.filter; */ public class NullPermConverter implements PermConverter { - private static final NullPermConverter singleton = new NullPermConverter(); + private static final NullPermConverter singleton = new NullPermConverter(); - private NullPermConverter() {} + private NullPermConverter() {} - public static NullPermConverter singleton() { return singleton; } + public static NullPermConverter singleton() { return singleton; } - public String convert(String minimal) { - return minimal; - } + public String convert(String minimal) { + return minimal; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java index cf87c840..f0de0481 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java 
@@ -48,133 +48,133 @@ import org.onap.aaf.cadi.config.Config; * */ public class PathFilter implements Filter { - private final Log log; - - private ServletContext context; - private String aafType; - private String notAuthorizedMsg; - - /** - * Construct a viable Filter for installing in Container WEB.XML, etc. - * - */ - public PathFilter() { - log = new Log() { - public void info(String ... msg) { - context.log(build("INFO:", msg)); - } - public void audit(String ... msg) { - context.log(build("AUDIT:", msg)); - } - private String build(String type, String []msg) { - StringBuilder sb = new StringBuilder(type); - for (String s : msg) { - sb.append(' '); - sb.append(s); - } - return sb.toString(); - } - }; - } - - /** - * Filter that can be constructed within Java - * @param access - */ - public PathFilter(final Access access) { - log = new Log() { - public void info(String ... msg) { - access.log(Level.INFO, (Object[])msg); - } - public void audit(String ... msg) { - access.log(Level.AUDIT, (Object[])msg); - } - }; - } - - /** - * Init - * - * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a - * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this - * mechanism already. 
- */ - public void init(FilterConfig filterConfig) throws ServletException { - // need the Context for Logging, instantiating ClassLoader, etc - context = filterConfig.getServletContext(); - StringBuilder sb = new StringBuilder(); - StringBuilder err = new StringBuilder(); - Object attr = context.getAttribute(Config.PATHFILTER_NS); - if (attr == null) { - err.append("PathFilter - pathfilter_ns is not set"); - } else { - sb.append(attr.toString()); - } - - attr = context.getAttribute(Config.PATHFILTER_STACK); - if (attr == null) { - log.info("PathFilter - No pathfilter_stack set, ignoring"); - } else { - sb.append('.'); - sb.append(attr.toString()); - } - - attr = context.getAttribute(Config.PATHFILTER_URLPATTERN); - if (attr == null) { - log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'"); - sb.append(".urlpattern"); - } else { - sb.append('.'); - sb.append(attr.toString()); - } - - log.info("PathFilter - AAF Permission Type is", sb.toString()); - - sb.append('|'); - - aafType = sb.toString(); - - attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG); - if (attr == null) { - notAuthorizedMsg = "Forbidden - Not Authorized to access this Path"; - } else { - notAuthorizedMsg = attr.toString(); - } - - if (err.length() > 0) { - throw new ServletException(err.toString()); - } - } - - private interface Log { - public void info(String ... msg); - public void audit(String ... msg); - } - - /** - * doFilter - * - * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and - * only call the next item in the filterChain if request is suitably Authenticated. 
- */ - //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - HttpServletRequest hreq = (HttpServletRequest)request; - HttpServletResponse hresp = (HttpServletResponse)response; - String perm = aafType + hreq.getPathInfo() + '|' + hreq.getMethod(); - if (hreq.isUserInRole(perm)) { - chain.doFilter(request, response); - } else { - log.audit("PathFilter has denied", hreq.getUserPrincipal().getName(), "access to", perm); - hresp.sendError(403, notAuthorizedMsg); - } - } - - /** - * Containers call "destroy" when time to cleanup - */ - public void destroy() { - log.info("PathFilter destroyed."); - } + private final Log log; + + private ServletContext context; + private String aafType; + private String notAuthorizedMsg; + + /** + * Construct a viable Filter for installing in Container WEB.XML, etc. + * + */ + public PathFilter() { + log = new Log() { + public void info(String ... msg) { + context.log(build("INFO:", msg)); + } + public void audit(String ... msg) { + context.log(build("AUDIT:", msg)); + } + private String build(String type, String []msg) { + StringBuilder sb = new StringBuilder(type); + for (String s : msg) { + sb.append(' '); + sb.append(s); + } + return sb.toString(); + } + }; + } + + /** + * Filter that can be constructed within Java + * @param access + */ + public PathFilter(final Access access) { + log = new Log() { + public void info(String ... msg) { + access.log(Level.INFO, (Object[])msg); + } + public void audit(String ... msg) { + access.log(Level.AUDIT, (Object[])msg); + } + }; + } + + /** + * Init + * + * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a + * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this + * mechanism already. 
+ */ + public void init(FilterConfig filterConfig) throws ServletException { + // need the Context for Logging, instantiating ClassLoader, etc + context = filterConfig.getServletContext(); + StringBuilder sb = new StringBuilder(); + StringBuilder err = new StringBuilder(); + Object attr = context.getAttribute(Config.PATHFILTER_NS); + if (attr == null) { + err.append("PathFilter - pathfilter_ns is not set"); + } else { + sb.append(attr.toString()); + } + + attr = context.getAttribute(Config.PATHFILTER_STACK); + if (attr == null) { + log.info("PathFilter - No pathfilter_stack set, ignoring"); + } else { + sb.append('.'); + sb.append(attr.toString()); + } + + attr = context.getAttribute(Config.PATHFILTER_URLPATTERN); + if (attr == null) { + log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'"); + sb.append(".urlpattern"); + } else { + sb.append('.'); + sb.append(attr.toString()); + } + + log.info("PathFilter - AAF Permission Type is", sb.toString()); + + sb.append('|'); + + aafType = sb.toString(); + + attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG); + if (attr == null) { + notAuthorizedMsg = "Forbidden - Not Authorized to access this Path"; + } else { + notAuthorizedMsg = attr.toString(); + } + + if (err.length() > 0) { + throw new ServletException(err.toString()); + } + } + + private interface Log { + public void info(String ... msg); + public void audit(String ... msg); + } + + /** + * doFilter + * + * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and + * only call the next item in the filterChain if request is suitably Authenticated. 
+ */ + //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + HttpServletRequest hreq = (HttpServletRequest)request; + HttpServletResponse hresp = (HttpServletResponse)response; + String perm = aafType + hreq.getPathInfo() + '|' + hreq.getMethod(); + if (hreq.isUserInRole(perm)) { + chain.doFilter(request, response); + } else { + log.audit("PathFilter has denied", hreq.getUserPrincipal().getName(), "access to", perm); + hresp.sendError(403, notAuthorizedMsg); + } + } + + /** + * Containers call "destroy" when time to cleanup + */ + public void destroy() { + log.info("PathFilter destroyed."); + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java index bb97894b..dfd0f64b 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java @@ -28,5 +28,5 @@ package org.onap.aaf.cadi.filter; * */ public interface PermConverter { - public String convert(String minimal); + public String convert(String minimal); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java index 5f709f12..ac61a5c6 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java 
@@ -47,10 +47,10 @@ import java.lang.annotation.Target; @Target({TYPE}) @Retention(RUNTIME) public @interface RolesAllowed { - /** - * Security role of the implementation, which doesn't have to be an EJB or CORBA like object. Can be just a - * Handler - * @return - */ - String[] value(); + /** + * Security role of the implementation, which doesn't have to be an EJB or CORBA like object. Can be just a + * Handler + * @return + */ + String[] value(); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java index 02c2600f..5386eb2d 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java @@ -47,10 +47,10 @@ import javax.servlet.Servlet; @Target({TYPE}) @Retention(RUNTIME) public @interface ServletImpl { - /** - * Security role of the implementation, which doesn't have to be an EJB or CORBA like object. Can be just a - * Handler - * @return - */ - Class value(); + /** + * Security role of the implementation, which doesn't have to be an EJB or CORBA like object. Can be just a + * Handler + * @return + */ + Class value(); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java index 43dd1018..c1b477b1 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java 
@@ -28,42 +28,42 @@ import org.onap.aaf.cadi.GetCred; import org.onap.aaf.cadi.Symm; public class ConfigPrincipal implements Principal, GetCred { - private String name; - private byte[] cred; - private String content; + private String name; + private byte[] cred; + private String content; - public ConfigPrincipal(String name, String passwd) { - this.name = name; - this.cred = passwd.getBytes(); - content = null; - } + public ConfigPrincipal(String name, String passwd) { + this.name = name; + this.cred = passwd.getBytes(); + content = null; + } - public ConfigPrincipal(String name, byte[] cred) { - this.name = name; - this.cred = cred; - content = null; - } + public ConfigPrincipal(String name, byte[] cred) { + this.name = name; + this.cred = cred; + content = null; + } - public String getName() { - return name; - } - - public byte[] getCred() { - return cred; - } + public String getName() { + return name; + } + + public byte[] getCred() { + return cred; + } - public String toString() { - return name; - } - - public String getAsBasicAuthHeader() throws IOException { - if(content ==null) { - String s = name + ':' + new String(cred); - content = "Basic " + Symm.base64.encode(s); - } else if(!content.startsWith("Basic ")) { // content is the saved password from construction - String s = name + ':' + content; - content = "Basic " + Symm.base64.encode(s); - } - return content; - } + public String toString() { + return name; + } + + public String getAsBasicAuthHeader() throws IOException { + if(content ==null) { + String s = name + ':' + new String(cred); + content = "Basic " + Symm.base64.encode(s); + } else if(!content.startsWith("Basic ")) { // content is the saved password from construction + String s = name + ':' + content; + content = "Basic " + Symm.base64.encode(s); + } + return content; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java index b442c7d9..2c5e1957 100644 
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java 
@@ -46,124 +46,124 @@ import org.onap.aaf.cadi.Permission; * */ public final class EpiLur implements Lur { - private final Lur[] lurs; - - /** - * EpiLur constructor - * - * Construct the EpiLur from variable TAF parameters - * @param lurs - * @throws CadiException - */ - public EpiLur(Lur ... lurs) throws CadiException{ - this.lurs = lurs; - if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor"); - } + private final Lur[] lurs; + + /** + * EpiLur constructor + * + * Construct the EpiLur from variable TAF parameters + * @param lurs + * @throws CadiException + */ + public EpiLur(Lur ... lurs) throws CadiException{ + this.lurs = lurs; + if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor"); + } - public boolean fish(Principal bait, Permission ... pond) { - if(pond==null) { - return false; - } - boolean rv = false; - Lur lur; - for(int i=0;!rv && i permissions) { - for(Lur lur : lurs) { - lur.fishAll(bait, permissions); - } - } + public void fishAll(Principal bait, List permissions) { + for(Lur lur : lurs) { + lur.fishAll(bait, permissions); + } + } - public void destroy() { - for(Lur lur : lurs) { - lur.destroy(); - } - } + public void destroy() { + for(Lur lur : lurs) { + lur.destroy(); + } + } - /** - * Return the first Lur (if any) which also implements UserPass - * @return - */ - public CredVal getUserPassImpl() { - for(Lur lur : lurs) { - if(lur instanceof CredVal) { - return (CredVal)lur; - } - } - return null; - } + /** + * Return the first Lur (if any) which also implements UserPass + * @return + */ + public CredVal getUserPassImpl() { + for(Lur lur : lurs) { + if(lur instanceof CredVal) { + return (CredVal)lur; + } + } + return null; + } - // Never needed... Only EpiLur uses... - public boolean handlesExclusively(Permission ... pond) { - return false; - } - - /** - * Get Lur for index. 
Returns null if out of range - * @param idx - * @return - */ - public Lur get(int idx) { - if(idx>=0 && idx=0 && idx)l).remove(id); - } - } - } - - public Lur subLur(Class cls ) { - for(Lur l : lurs) { - if(l.getClass().isAssignableFrom(cls)) { - return l; - } - } - return null; - } + public void remove(String id) { + for(Lur l : lurs) { + if(l instanceof CachingLur) { + ((CachingLur)l).remove(id); + } + } + } + + public Lur subLur(Class cls ) { + for(Lur l : lurs) { + if(l.getClass().isAssignableFrom(cls)) { + return l; + } + } + return null; + } - @Override - public Permission createPerm(String p) { - return new LocalPermission(p); - } + @Override + public Permission createPerm(String p) { + return new LocalPermission(p); + } - /* (non-Javadoc) - * @see org.onap.aaf.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder) - */ - @Override - public void clear(Principal p, StringBuilder report) { - for(Lur lur : lurs) { - lur.clear(p, report); - } - } - - public String toString() { - StringBuilder sb = new StringBuilder(); - for(Lur lur : lurs) { - sb.append(lur.getClass().getSimpleName()); - sb.append(": Report\n"); - sb.append(lur.toString()); - sb.append('\n'); - } - return sb.toString(); - } + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder) + */ + @Override + public void clear(Principal p, StringBuilder report) { + for(Lur lur : lurs) { + lur.clear(p, report); + } + } + + public String toString() { + StringBuilder sb = new StringBuilder(); + for(Lur lur : lurs) { + sb.append(lur.getClass().getSimpleName()); + sb.append(": Report\n"); + sb.append(lur.toString()); + sb.append('\n'); + } + return sb.toString(); + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java index e177a22f..d2b6f1aa 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java 
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java 
@@ -45,177 +45,177 @@ import org.onap.aaf.cadi.config.Config;
 *
 */
 public final class LocalLur extends AbsUserCache implements Lur, CredVal {
- public static final String SEMI = "\\s*;\\s*";
- public static final String COLON = "\\s*:\\s*";
- public static final String COMMA = "\\s*,\\s*";
- public static final String PERCENT = "\\s*%\\s*";
-
- // Use to quickly determine whether any given group is supported by this LUR
- private final Set supportingGroups;
- private String supportedRealm;
-
- /**
- * Construct by building structure, see "build"
- *
- * Reconstruct with "build"
- *
- * @param userProperties
- * @param groupProperties
- * @param decryptor
- * @throws IOException
- */
- public LocalLur(Access access, String userProperties, String groupProperties) throws IOException {
- super(access, 0, 0, Integer.MAX_VALUE); // data doesn't expire
- supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
- supportingGroups = new TreeSet<>();
-
- if (userProperties != null) {
- parseUserProperties(userProperties);
- }
-
- if (groupProperties != null) {
- parseGroupProperties(groupProperties);
- }
- }
-
- public boolean validate(String user, CredVal.Type type, byte[] cred, Object state) {
- if (cred == null) {
- return false;
- }
- User usr = getUser(user, cred);
- if (usr == null) {
- return false;
- }
- // covers null as well as bad pass
- if ((type == Type.PASSWORD) && (usr.principal instanceof ConfigPrincipal)) {;
- return Hash.isEqual(cred, ((ConfigPrincipal)usr.principal).getCred());
- }
- return false;
- }
-
- // @Override
- public boolean fish(Principal bait, Permission ... pond) {
- if (pond == null) {
- return false;
- }
- for(Permission p : pond) {
- if (handles(bait) && p instanceof LocalPermission) { // local Users only have LocalPermissions
- User user = getUser(bait);
- if (user != null) {
- return user.contains((LocalPermission)p);
- }
- }
- }
- return false;
- }
-
- // We do not want to expose the actual Group, so make a copy.
- public void fishAll(Principal bait, List perms) {
- if (handles(bait)) {
- User user = getUser(bait);
- if (user != null) {
- user.copyPermsTo(perms);
- }
- }
- }
-
- /* (non-Javadoc)
- * @see org.onap.aaf.cadi.Lur#handles(java.security.Principal)
- */
- @Override
- public boolean handles(Principal principal) {
- if (principal == null) {
- return false;
- }
- return principal.getName().endsWith(supportedRealm);
- }
-
- @Override
- public boolean handlesExclusively(Permission ... pond) {
- boolean rv = false;
- for (Permission p : pond) {
- if(rv=supportingGroups.contains(p.getKey())) {
- break;
- }
- }
- return rv;
- }
-
- /* (non-Javadoc)
- * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String)
- */
- @Override
- public Permission createPerm(String p) {
- return new LocalPermission(p);
- }
-
- private void parseUserProperties(String userProperties) throws IOException {
- // For each User name...
- for (String userProperty : userProperties.trim().split(SEMI)) {
- String[] userInfo = userProperty.split(COLON, 2);
- String[] userPass = userInfo[0].split(PERCENT, 2);
- String userName = userPass[0];
-
- byte[] password = null;
- if (userPass.length > 1) {
- password = access.decrypt(userPass[1], true).getBytes();
- if (userName.indexOf('@') < 0) {
- userName += '@' + access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());
- }
- }
- User usr;
- usr = new User<>(new ConfigPrincipal(userName, password));
- addUser(usr);
- access.log(Level.INIT, "Local User:", usr.principal);
-
- if (userInfo.length > 1) {
- Map newMap = usr.newMap();
- for (String group : userInfo[1].split(COMMA)) {
- supportingGroups.add(group);
- usr.add(newMap, new LocalPermission(group));
- }
- usr.setMap(newMap);
- }
- }
- }
-
-
- private void parseGroupProperties(String groupProperties) throws IOException {
- // For each Group name...
- for (String group : groupProperties.trim().split(SEMI)) {
- String[] groups = group.split(COLON, 2);
- if (groups.length <= 1) {
- continue;
- }
- supportingGroups.add(groups[0]);
- LocalPermission p = new LocalPermission(groups[0]);
-
- // Add all users (known by comma separators)
- for (String groupMember : groups[1].split(COMMA)) {
- // look for password, if so, put in passMap
- String[] userPass = groupMember.split(PERCENT, 2);
- String userName = userPass[0];
- if (userName.indexOf('@') < 0) {
- userName += '@' + access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());
- }
-
- User usr = null;
- byte[] password = null;
- if (userPass.length > 1) {
- password = access.decrypt(userPass[1], true).getBytes();
- }
- usr = getUser(userName, password);
- if (usr == null) {
- usr = new User<>(new ConfigPrincipal(userName, password));
- addUser(usr);
- }
- else {
- usr.principal = new ConfigPrincipal(userName, password);
- }
- usr.add(p);
- access.log(Level.INIT, "Local User:", usr.principal);
- }
- }
- }
+ public static final String SEMI = "\\s*;\\s*";
+ public static final String COLON = "\\s*:\\s*";
+ public static final String COMMA = "\\s*,\\s*";
+ public static final String PERCENT = "\\s*%\\s*";
+
+ // Use to quickly determine whether any given group is supported by this LUR
+ private final Set supportingGroups;
+ private String supportedRealm;
+
+ /**
+ * Construct by building structure, see "build"
+ *
+ * Reconstruct with "build"
+ *
+ * @param userProperties
+ * @param groupProperties
+ * @param decryptor
+ * @throws IOException
+ */
+ public LocalLur(Access access, String userProperties, String groupProperties) throws IOException {
+ super(access, 0, 0, Integer.MAX_VALUE); // data doesn't expire
+ supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
+ supportingGroups = new TreeSet<>();
+
+ if (userProperties != null) {
+ parseUserProperties(userProperties);
+ }
+
+ if (groupProperties != null) {
+ parseGroupProperties(groupProperties);
+ }
+ }
+
+ public boolean validate(String user, CredVal.Type type, byte[] cred, Object state) {
+ if (cred == null) {
+ return false;
+ }
+ User usr = getUser(user, cred);
+ if (usr == null) {
+ return false;
+ }
+ // covers null as well as bad pass
+ if ((type == Type.PASSWORD) && (usr.principal instanceof ConfigPrincipal)) {;
+ return Hash.isEqual(cred, ((ConfigPrincipal)usr.principal).getCred());
+ }
+ return false;
+ }
+
+ // @Override
+ public boolean fish(Principal bait, Permission ... pond) {
+ if (pond == null) {
+ return false;
+ }
+ for(Permission p : pond) {
+ if (handles(bait) && p instanceof LocalPermission) { // local Users only have LocalPermissions
+ User user = getUser(bait);
+ if (user != null) {
+ return user.contains((LocalPermission)p);
+ }
+ }
+ }
+ return false;
+ }
+
+ // We do not want to expose the actual Group, so make a copy.
+ public void fishAll(Principal bait, List perms) {
+ if (handles(bait)) {
+ User user = getUser(bait);
+ if (user != null) {
+ user.copyPermsTo(perms);
+ }
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.Lur#handles(java.security.Principal)
+ */
+ @Override
+ public boolean handles(Principal principal) {
+ if (principal == null) {
+ return false;
+ }
+ return principal.getName().endsWith(supportedRealm);
+ }
+
+ @Override
+ public boolean handlesExclusively(Permission ... pond) {
+ boolean rv = false;
+ for (Permission p : pond) {
+ if(rv=supportingGroups.contains(p.getKey())) {
+ break;
+ }
+ }
+ return rv;
+ }
+
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String)
+ */
+ @Override
+ public Permission createPerm(String p) {
+ return new LocalPermission(p);
+ }
+
+ private void parseUserProperties(String userProperties) throws IOException {
+ // For each User name...
+ for (String userProperty : userProperties.trim().split(SEMI)) {
+ String[] userInfo = userProperty.split(COLON, 2);
+ String[] userPass = userInfo[0].split(PERCENT, 2);
+ String userName = userPass[0];
+
+ byte[] password = null;
+ if (userPass.length > 1) {
+ password = access.decrypt(userPass[1], true).getBytes();
+ if (userName.indexOf('@') < 0) {
+ userName += '@' + access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());
+ }
+ }
+ User usr;
+ usr = new User<>(new ConfigPrincipal(userName, password));
+ addUser(usr);
+ access.log(Level.INIT, "Local User:", usr.principal);
+
+ if (userInfo.length > 1) {
+ Map newMap = usr.newMap();
+ for (String group : userInfo[1].split(COMMA)) {
+ supportingGroups.add(group);
+ usr.add(newMap, new LocalPermission(group));
+ }
+ usr.setMap(newMap);
+ }
+ }
+ }
+
+
+ private void parseGroupProperties(String groupProperties) throws IOException {
+ // For each Group name...
+ for (String group : groupProperties.trim().split(SEMI)) {
+ String[] groups = group.split(COLON, 2);
+ if (groups.length <= 1) {
+ continue;
+ }
+ supportingGroups.add(groups[0]);
+ LocalPermission p = new LocalPermission(groups[0]);
+
+ // Add all users (known by comma separators)
+ for (String groupMember : groups[1].split(COMMA)) {
+ // look for password, if so, put in passMap
+ String[] userPass = groupMember.split(PERCENT, 2);
+ String userName = userPass[0];
+ if (userName.indexOf('@') < 0) {
+ userName += '@' + access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());
+ }
+
+ User usr = null;
+ byte[] password = null;
+ if (userPass.length > 1) {
+ password = access.decrypt(userPass[1], true).getBytes();
+ }
+ usr = getUser(userName, password);
+ if (usr == null) {
+ usr = new User<>(new ConfigPrincipal(userName, password));
+ addUser(usr);
+ }
+ else {
+ usr.principal = new ConfigPrincipal(userName, password);
+ }
+ usr.add(p);
+ access.log(Level.INIT, "Local User:", usr.principal);
+ }
+ }
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java
index 8d6f9698..ee7bab9c 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java
@@ -24,27 +24,27 @@ package org.onap.aaf.cadi.lur;
 import org.onap.aaf.cadi.Permission;
 public class LocalPermission implements Permission {
- private String key;
-
- public LocalPermission(String role) {
- this.key = role;
- }
-
- public String getKey() {
- return key;
- }
+ private String key;
+
+ public LocalPermission(String role) {
+ this.key = role;
+ }
+
+ public String getKey() {
+ return key;
+ }
- public String toString() {
- return key;
- }
+ public String toString() {
+ return key;
+ }
- public boolean match(Permission p) {
- return key.equals(p.getKey());
- }
+ public boolean match(Permission p) {
+ return key.equals(p.getKey());
+ }
- public String permType() {
- return "LOCAL";
- }
-
-
+ public String permType() {
+ return "LOCAL";
+ }
+
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
index b314f20e..fe9bbd30 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
@@ -28,60 +28,60 @@ import org.onap.aaf.cadi.Lur;
 import org.onap.aaf.cadi.Permission;
 public class NullLur implements Lur {
- private static final Permission NULL = new Permission() {
- @Override
- public String permType() {
- return "";
- }
+ private static final Permission NULL = new Permission() {
+ @Override
+ public String permType() {
+ return "";
+ }
- @Override
- public String getKey() {
- return "";
- }
+ @Override
+ public String getKey() {
+ return "";
+ }
- @Override
- public boolean match(Permission p) {
- return false;
- }};
+ @Override
+ public boolean match(Permission p) {
+ return false;
+ }};
- public boolean fish(Principal bait, Permission ... pond) {
- // Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own
-// System.err.println("CADI's LUR has not been configured, but is still being called. Access is being denied");
- return false;
- }
+ public boolean fish(Principal bait, Permission ... pond) {
+ // Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own
+// System.err.println("CADI's LUR has not been configured, but is still being called. Access is being denied");
+ return false;
+ }
- public void fishAll(Principal bait, List permissions) {
- }
+ public void fishAll(Principal bait, List permissions) {
+ }
- public void destroy() {
- }
+ public void destroy() {
+ }
- public boolean handlesExclusively(Permission ... pond) {
- return false;
- }
+ public boolean handlesExclusively(Permission ... pond) {
+ return false;
+ }
- public boolean handles(Principal p) {
- return false;
- }
+ public boolean handles(Principal p) {
+ return false;
+ }
- /* (non-Javadoc)
- * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String)
- */
- @Override
- public Permission createPerm(String p) {
- return NULL;
- }
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String)
+ */
+ @Override
+ public Permission createPerm(String p) {
+ return NULL;
+ }
- /* (non-Javadoc)
- * @see org.onap.aaf.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
- */
- @Override
- public void clear(Principal p, StringBuilder report) {
- report.append(NullLur.class.getSimpleName());
- report.append('\n');
- }
-
- public String toString() {
- return NullLur.class.getSimpleName() + '\n';
- }
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
+ */
+ @Override
+ public void clear(Principal p, StringBuilder report) {
+ report.append(NullLur.class.getSimpleName());
+ report.append('\n');
+ }
+
+ public String toString() {
+ return NullLur.class.getSimpleName() + '\n';
+ }
 }
\ No newline at end of file
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
index a235f1d4..d3c1e236 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
@@ -32,102 +32,102 @@ import org.onap.aaf.cadi.GetCred;
 import org.onap.aaf.cadi.Symm;
 public class BasicPrincipal extends BearerPrincipal implements GetCred {
- private static byte[] basic = "Basic ".getBytes();
+ private static byte[] basic = "Basic ".getBytes();
- private String name = null;
- private String shortName = null;
- private String domain;
- private byte[] cred = null;
- private long created;
+ private String name = null;
+ private String shortName = null;
+ private String domain;
+ private byte[] cred = null;
+ private long created;
- public BasicPrincipal(String content,String defaultDomain) throws IOException {
- created = System.currentTimeMillis();
- ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes());
- // Read past "Basic ", ensuring it starts with it.
- for(int i=0;i0) {
- domain=name.substring(at+1);
- shortName=name.substring(0, at);
- } else {
- shortName = name;
- domain=defaultDomain;
- name = name + '@' + defaultDomain;
- }
- }
-
- public BasicPrincipal(BasicCred bc, String domain) {
- name = bc.getUser();
- cred = bc.getCred();
- this.domain = domain;
- }
+ public BasicPrincipal(String content,String defaultDomain) throws IOException {
+ created = System.currentTimeMillis();
+ ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes());
+ // Read past "Basic ", ensuring it starts with it.
+ for(int i=0;i0) {
+ domain=name.substring(at+1);
+ shortName=name.substring(0, at);
+ } else {
+ shortName = name;
+ domain=defaultDomain;
+ name = name + '@' + defaultDomain;
+ }
+ }
+
+ public BasicPrincipal(BasicCred bc, String domain) {
+ name = bc.getUser();
+ cred = bc.getCred();
+ this.domain = domain;
+ }
- private class BasicOS extends OutputStream {
- private boolean first = true;
- private ByteArrayOutputStream baos;
-
- public BasicOS(int size) {
- baos = new ByteArrayOutputStream(size);
- }
+ private class BasicOS extends OutputStream {
+ private boolean first = true;
+ private ByteArrayOutputStream baos;
+
+ public BasicOS(int size) {
+ baos = new ByteArrayOutputStream(size);
+ }
- @Override
- public void write(int b) throws IOException {
- if(b==':' && first) {
- first = false;
- name = new String(baos.toByteArray());
- baos.reset(); //
- } else {
- baos.write(b);
- }
- }
-
- private byte[] toCred() {
- return baos.toByteArray();
- }
- }
-
- public String getName() {
- return name;
- }
-
- public String getShortName() {
- return shortName;
- }
-
- public String getDomain() {
- return domain;
- }
-
- public byte[] getCred() {
- return cred;
- }
-
- public long created() {
- return created;
- }
+ @Override
+ public void write(int b) throws IOException {
+ if(b==':' && first) {
+ first = false;
+ name = new String(baos.toByteArray());
+ baos.reset(); //
+ } else {
+ baos.write(b);
+ }
+ }
+
+ private byte[] toCred() {
+ return baos.toByteArray();
+ }
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public String getShortName() {
+ return shortName;
+ }
+
+ public String getDomain() {
+ return domain;
+ }
+
+ public byte[] getCred() {
+ return cred;
+ }
+
+ public long created() {
+ return created;
+ }
- public String toString() {
- return "Basic Authorization for " + name + " evaluated on " + new Date(created).toString();
- }
+ public String toString() {
+ return "Basic Authorization for " + name + " evaluated on " + new Date(created).toString();
+ }
- @Override
- public String tag() {
- return "BAth";
- }
+ @Override
+ public String tag() {
+ return "BAth";
+ }
- @Override
- public String personalName() {
- return name; // personalName not available with Basic Auth
- }
+ @Override
+ public String personalName() {
+ return name; // personalName not available with Basic Auth
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java
index ea0ff2fe..6fdcdc0d 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java
@@ -22,12 +22,12 @@ package org.onap.aaf.cadi.principal;
 public abstract class BearerPrincipal extends TaggedPrincipal {
- private String bearer = null;
- public BearerPrincipal setBearer(String bearer) {
- this.bearer = bearer;
- return this;
- }
- public String getBearer() {
- return bearer;
- }
+ private String bearer = null;
+ public BearerPrincipal setBearer(String bearer) {
+ this.bearer = bearer;
+ return this;
+ }
+ public String getBearer() {
+ return bearer;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java
index 68229d3d..f81e160d 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java
@@ -34,32 +34,32 @@ import org.onap.aaf.cadi.taf.HttpTaf;
 *
 */
 public class CachedBasicPrincipal extends BasicPrincipal implements CachedPrincipal {
- private final HttpTaf creator;
- private long timeToLive;
- private long expires;
+ private final HttpTaf creator;
+ private long timeToLive;
+ private long expires;
- public CachedBasicPrincipal(HttpTaf creator, BasicCred bc, String domain, long timeToLive) {
- super(bc, domain);
- this.creator = creator;
- this.timeToLive = timeToLive;
- expires = System.currentTimeMillis()+timeToLive;
- }
-
- public CachedBasicPrincipal(HttpTaf creator, String content, String domain, long timeToLive) throws IOException {
- super(content, domain);
- this.creator = creator;
- this.timeToLive = timeToLive;
- expires = System.currentTimeMillis()+timeToLive;
- }
+ public CachedBasicPrincipal(HttpTaf creator, BasicCred bc, String domain, long timeToLive) {
+ super(bc, domain);
+ this.creator = creator;
+ this.timeToLive = timeToLive;
+ expires = System.currentTimeMillis()+timeToLive;
+ }
+
+ public CachedBasicPrincipal(HttpTaf creator, String content, String domain, long timeToLive) throws IOException {
+ super(content, domain);
+ this.creator = creator;
+ this.timeToLive = timeToLive;
+ expires = System.currentTimeMillis()+timeToLive;
+ }
- public CachedPrincipal.Resp revalidate(Object state) {
- Resp resp = creator.revalidate(this, state);
- if(resp.equals(Resp.REVALIDATED))expires = System.currentTimeMillis()+timeToLive;
- return resp;
- }
+ public CachedPrincipal.Resp revalidate(Object state) {
+ Resp resp = creator.revalidate(this, state);
+ if(resp.equals(Resp.REVALIDATED))expires = System.currentTimeMillis()+timeToLive;
+ return resp;
+ }
- public long expires() {
- return expires;
- }
+ public long expires() {
+ return expires;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/Kind.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/Kind.java
index bb6dc673..8c75701f 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/Kind.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/Kind.java
@@ -24,30 +24,30 @@ package org.onap.aaf.cadi.principal;
 import java.security.Principal;
 public class Kind {
- public static final char X509 = 'X';
- public static final char OAUTH = 'O';
- public static final char AAF_OAUTH='A';
- public static final char BASIC_AUTH = 'B';
- public static final char UNKNOWN = 'U';
-
-
- public static char getKind(final Principal principal) {
- Principal check;
- if(principal instanceof TrustPrincipal) {
- check = ((TrustPrincipal)principal).original();
- } else {
- check = principal;
- }
- if(check instanceof X509Principal) {
- return X509;
- }
- if(check instanceof OAuth2FormPrincipal) {
- // Note: if AAF, will turn into 'A'
- return OAUTH;
- }
- if(check instanceof BasicPrincipal) {
- return BASIC_AUTH;
- }
- return UNKNOWN;
- }
+ public static final char X509 = 'X';
+ public static final char OAUTH = 'O';
+ public static final char AAF_OAUTH='A';
+ public static final char BASIC_AUTH = 'B';
+ public static final char UNKNOWN = 'U';
+
+
+ public static char getKind(final Principal principal) {
+ Principal check;
+ if(principal instanceof TrustPrincipal) {
+ check = ((TrustPrincipal)principal).original();
+ } else {
+ check = principal;
+ }
+ if(check instanceof X509Principal) {
+ return X509;
+ }
+ if(check instanceof OAuth2FormPrincipal) {
+ // Note: if AAF, will turn into 'A'
+ return OAUTH;
+ }
+ if(check instanceof BasicPrincipal) {
+ return BASIC_AUTH;
+ }
+ return UNKNOWN;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/OAuth2FormPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/OAuth2FormPrincipal.java
index 1df2bd3e..4d13de87 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/OAuth2FormPrincipal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/OAuth2FormPrincipal.java
@@ -22,40 +22,40 @@ package org.onap.aaf.cadi.principal;
 public class OAuth2FormPrincipal extends TaggedPrincipal {
- private final String username;
- private final String client_id;
-
- /*
- * Note: client_id and username might be the same, if only authenticating the Client_ID
- */
- public OAuth2FormPrincipal(final String client_id, final String username) {
- this.username = username;
- this.client_id = client_id;
- }
-
- @Override
- public String getName() {
- return username;
- }
-
- public String client_id() {
- return client_id;
- }
+ private final String username;
+ private final String client_id;
+
+ /*
+ * Note: client_id and username might be the same, if only authenticating the Client_ID
+ */
+ public OAuth2FormPrincipal(final String client_id, final String username) {
+ this.username = username;
+ this.client_id = client_id;
+ }
+
+ @Override
+ public String getName() {
+ return username;
+ }
+
+ public String client_id() {
+ return client_id;
+ }
- @Override
- public String tag() {
- return "OAuth";
- }
+ @Override
+ public String tag() {
+ return "OAuth";
+ }
- @Override
- public String personalName() {
- if(username!=null && username!=client_id) {
- StringBuilder sb = new StringBuilder();
- sb.append(username);
- sb.append('|');
- sb.append(client_id);
- return sb.toString();
- }
- return client_id;
- }
+ @Override
+ public String personalName() {
+ if(username!=null && username!=client_id) {
+ StringBuilder sb = new StringBuilder();
+ sb.append(username);
+ sb.append('|');
+ sb.append(client_id);
+ return sb.toString();
+ }
+ return client_id;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/StringTagLookup.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/StringTagLookup.java
index a3927168..04bcf59a 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/StringTagLookup.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/StringTagLookup.java
@@ -24,12 +24,12 @@ import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.principal.TaggedPrincipal.TagLookup;
 public class StringTagLookup implements TagLookup {
- private String tag;
- public StringTagLookup(final String tag) {
- this.tag = tag;
- }
- @Override
- public String lookup() throws CadiException {
- return tag;
- }
+ private String tag;
+ public StringTagLookup(final String tag) {
+ this.tag = tag;
+ }
+ @Override
+ public String lookup() throws CadiException {
+ return tag;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TaggedPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TaggedPrincipal.java
index a3b07c6c..9dddcd63 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TaggedPrincipal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TaggedPrincipal.java
@@ -26,35 +26,35 @@ import org.onap.aaf.cadi.CadiException;
 public abstract class TaggedPrincipal implements Principal {
- public TaggedPrincipal() {
- tagLookup = null;
- }
-
- public TaggedPrincipal(final TagLookup tl) {
- tagLookup = tl;
- }
-
- public abstract String tag(); // String representing what kind of Authentication occurred.
-
- public interface TagLookup {
- public String lookup() throws CadiException;
- }
-
- private TagLookup tagLookup;
-
- public void setTagLookup(TagLookup tl) {
- tagLookup = tl;
- }
-
- public String personalName() {
- if(tagLookup == null) {
- return getName();
- }
- try {
- return tagLookup.lookup();
- } catch (CadiException e) {
- return getName();
- }
- }
+ public TaggedPrincipal() {
+ tagLookup = null;
+ }
+
+ public TaggedPrincipal(final TagLookup tl) {
+ tagLookup = tl;
+ }
+
+ public abstract String tag(); // String representing what kind of Authentication occurred.
+
+ public interface TagLookup {
+ public String lookup() throws CadiException;
+ }
+
+ private TagLookup tagLookup;
+
+ public void setTagLookup(TagLookup tl) {
+ tagLookup = tl;
+ }
+
+ public String personalName() {
+ if(tagLookup == null) {
+ return getName();
+ }
+ try {
+ return tagLookup.lookup();
+ } catch (CadiException e) {
+ return getName();
+ }
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java
index 09083316..5d4a0586 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java
@@ -26,45 +26,45 @@ import java.security.Principal;
 import org.onap.aaf.cadi.UserChain;
 public class TrustPrincipal extends BearerPrincipal implements UserChain {
- private final String name;
- private final Principal original;
- private String userChain;
-
- public TrustPrincipal(final Principal actual, final String asName) {
- this.original = actual;
- name = asName.trim();
- if(actual instanceof UserChain) {
- UserChain uc = (UserChain)actual;
- userChain = uc.userChain();
- } else if(actual instanceof TaggedPrincipal) {
- userChain=((TaggedPrincipal)actual).tag();
- } else {
- userChain = actual.getClass().getSimpleName();
- }
- }
-
- @Override
- public String getName() {
- return name;
- }
-
- @Override
- public String userChain() {
- return userChain;
- }
-
- public Principal original() {
- return original;
- }
+ private final String name;
+ private final Principal original;
+ private String userChain;
+
+ public TrustPrincipal(final Principal actual, final String asName) {
+ this.original = actual;
+ name = asName.trim();
+ if(actual instanceof UserChain) {
+ UserChain uc = (UserChain)actual;
+ userChain = uc.userChain();
+ } else if(actual instanceof TaggedPrincipal) {
+ userChain=((TaggedPrincipal)actual).tag();
+ } else {
+ userChain = actual.getClass().getSimpleName();
+ }
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public String userChain() {
+ return userChain;
+ }
+
+ public Principal original() {
+ return original;
+ }
- @Override
- public String tag() {
- return userChain;
- }
+ @Override
+ public String tag() {
+ return userChain;
+ }
- @Override
- public String personalName() {
- return original.getName() + '[' + userChain + ']';
- }
-
+ @Override
+ public String personalName() {
+ return original.getName() + '[' + userChain + ']';
+ }
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/UnAuthPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/UnAuthPrincipal.java
index 52f78e80..f0cacd8d 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/UnAuthPrincipal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/UnAuthPrincipal.java
@@ -24,14 +24,14 @@ package org.onap.aaf.cadi.principal;
 import java.security.Principal;
 public class UnAuthPrincipal implements Principal {
- private String name;
-
- public UnAuthPrincipal(final String name) {
- this.name = name;
- }
- @Override
- public String getName() {
- return name;
- }
+ private String name;
+
+ public UnAuthPrincipal(final String name) {
+ this.name = name;
+ }
+ @Override
+ public String getName() {
+ return name;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
index 200b8174..1cd114a0 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
@@ -30,83 +30,83 @@ import org.onap.aaf.cadi.GetCred;
 import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
 public class X509Principal extends BearerPrincipal implements GetCred {
- private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
- private final X509Certificate cert;
- private final String name;
- private byte[] content;
- private BasicHttpTaf bht;
+ private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
+ private final X509Certificate cert;
+ private final String name;
+ private byte[] content;
+ private BasicHttpTaf bht;
- public X509Principal(String identity, X509Certificate cert) {
- name = identity;
- content = null;
- this.cert = cert;
- }
+ public X509Principal(String identity, X509Certificate cert) {
+ name = identity;
+ content = null;
+ this.cert = cert;
+ }
- public X509Principal(String identity, X509Certificate cert, byte[] content, BasicHttpTaf bht) {
- name = identity;
- this.content = content;
- this.cert = cert;
- this.bht = bht;
- }
+ public X509Principal(String identity, X509Certificate cert, byte[] content, BasicHttpTaf bht) {
+ name = identity;
+ this.content = content;
+ this.cert = cert;
+ this.bht = bht;
+ }
- public X509Principal(X509Certificate cert, byte[] content, BasicHttpTaf bht) throws IOException {
- this.content=content;
- this.cert = cert;
- String _name = null;
- String subj = cert.getSubjectDN().getName();
- int cn = subj.indexOf("OU=");
- if(cn>=0) {
- cn+=3;
- int space = subj.indexOf(',',cn);
- if(space>=0) {
- String id = subj.substring(cn, space);
- if(pattern.matcher(id).matches()) {
- _name = id;
- }
- }
- }
- if(_name==null) {
- throw new IOException("X509 does not have Identity as CN");
- }
- name = _name;
- this.bht = bht;
- }
-
- public String getAsHeader() throws IOException {
- try {
- if(content==null) {
- content=cert.getEncoded();
- }
- } catch (CertificateEncodingException e) {
- throw new IOException(e);
- }
- return "X509 " + content;
- }
-
- public String toString() {
- return "X509 Authentication for " + name;
- }
+ public X509Principal(X509Certificate cert, byte[] content, BasicHttpTaf bht) throws IOException {
+ this.content=content;
+ this.cert = cert;
+ String _name = null;
+ String subj = cert.getSubjectDN().getName();
+ int cn = subj.indexOf("OU=");
+ if(cn>=0) {
+ cn+=3;
+ int space = subj.indexOf(',',cn);
+ if(space>=0) {
+ String id = subj.substring(cn, space);
+ if(pattern.matcher(id).matches()) {
+ _name = id;
+ }
+ }
+ }
+ if(_name==null) {
+ throw new IOException("X509 does not have Identity as CN");
+ }
+ name = _name;
+ this.bht = bht;
+ }
+
+ public String getAsHeader() throws IOException {
+ try {
+ if(content==null) {
+ content=cert.getEncoded();
+ }
+ } catch (CertificateEncodingException e) {
+ throw new IOException(e);
+ }
+ return "X509 " + content;
+ }
+
+ public String toString() {
+ return "X509 Authentication for " + name;
+ }
- public byte[] getCred() {
- try {
- return content==null?(content=cert.getEncoded()):content;
- } catch (CertificateEncodingException e) {
- return null;
- }
- }
+ public byte[] getCred() {
+ try {
+ return content==null?(content=cert.getEncoded()):content;
+ } catch (CertificateEncodingException e) {
+ return null;
+ }
+ }
- public String getName() {
- return name;
- }
+ public String getName() {
+ return name;
+ }
- @Override
- public String tag() {
- return "x509";
- }
+ @Override
+ public String tag() {
+ return "x509";
+ }
- public BasicHttpTaf getBasicHttpTaf() {
- return bht;
- }
+ public BasicHttpTaf getBasicHttpTaf() {
+ return bht;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
index fb54abdb..b3ac0945 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
@@ -35,102 +35,102 @@ import org.onap.aaf.cadi.util.Timing;
 */
 public abstract class AbsTafResp implements TafResp {
- protected final Access access;
- protected final String tafName;
- protected final TaggedPrincipal principal;
- protected final String desc;
- private float timing;
+ protected final Access access;
+ protected final String tafName;
+ protected final TaggedPrincipal principal;
+ protected final String desc;
+ private float timing;
- /**
- * AbsTafResp
- *
- * Set and hold
- * Description (for logging)
- * Principal (as created by derived class)
- * Access (for access to underlying container, i.e. for Logging, auditing, ClassLoaders, etc)
- *
- * @param access
- * @param tafname
- * @param principal
- * @param description
- */
- public AbsTafResp(Access access, String tafname, TaggedPrincipal principal, String description) {
- this.access = access;
- this.tafName = tafname;
- this.principal = principal;
- this.desc = description;
- }
+ /**
+ * AbsTafResp
+ *
+ * Set and hold
+ * Description (for logging)
+ * Principal (as created by derived class)
+ * Access (for access to underlying container, i.e. for Logging, auditing, ClassLoaders, etc)
+ *
+ * @param access
+ * @param tafname
+ * @param principal
+ * @param description
+ */
+ public AbsTafResp(Access access, String tafname, TaggedPrincipal principal, String description) {
+ this.access = access;
+ this.tafName = tafname;
+ this.principal = principal;
+ this.desc = description;
+ }
- /**
- * isValid()
- *
- * Respond in the affirmative if the TAF was able to Authenticate
- */
- public boolean isValid() {
- return principal != null;
- }
+ /**
+ * isValid()
+ *
+ * Respond in the affirmative if the TAF was able to Authenticate
+ */
+ public boolean isValid() {
+ return principal != null;
+ }
- /**
- * desc()
- *
- * Respond with description of response as given by the TAF
- */
- public String desc() {
- return desc;
- }
+ /**
+ * desc()
+ *
+ * Respond with description of response as given by the TAF
+ */
+ public String desc() {
+ return desc;
+ }
- /**
- * isAuthenticated()
- *
- * Respond with the TAF's code of whether Authenticated, or suggested next steps
- * default is either IS_AUTHENTICATED, or TRY_ANOTHER_TAF. The TAF can overload
- * and suggest others, such as "NO_FURTHER_PROCESSING", if it can detect that this
- * is some sort of security breach (i.e. Denial of Service)
- */
- public RESP isAuthenticated() {
- return principal==null?RESP.TRY_ANOTHER_TAF:RESP.IS_AUTHENTICATED;
- }
+ /**
+ * isAuthenticated()
+ *
+ * Respond with the TAF's code of whether Authenticated, or suggested next steps
+ * default is either IS_AUTHENTICATED, or TRY_ANOTHER_TAF. The TAF can overload
+ * and suggest others, such as "NO_FURTHER_PROCESSING", if it can detect that this
+ * is some sort of security breach (i.e. Denial of Service)
+ */
+ public RESP isAuthenticated() {
+ return principal==null?RESP.TRY_ANOTHER_TAF:RESP.IS_AUTHENTICATED;
+ }
- /**
- * getPrincipal()
- *
- * Return the principal created by the TAF based on Authentication.
- *
- * Returns "null" if Authentication failed (no principal)
- */
- public TaggedPrincipal getPrincipal() {
- return principal;
- }
+ /**
+ * getPrincipal()
+ *
+ * Return the principal created by the TAF based on Authentication.
+ *
+ * Returns "null" if Authentication failed (no principal)
+ */
+ public TaggedPrincipal getPrincipal() {
+ return principal;
+ }
- /**
- * getAccess()
- *
- * Get the Access object from the TAF, so that appropriate Logging, etc can be coordinated.
- */
- public Access getAccess() {
- return access;
- }
+ /**
+ * getAccess()
+ *
+ * Get the Access object from the TAF, so that appropriate Logging, etc can be coordinated.
+ */
+ public Access getAccess() {
+ return access;
+ }
- /* (non-Javadoc)
- * @see org.onap.aaf.cadi.taf.TafResp#isFailedAttempt()
- */
- public boolean isFailedAttempt() {
- return false;
- }
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.taf.TafResp#isFailedAttempt()
+ */
+ public boolean isFailedAttempt() {
+ return false;
+ }
- @Override
- public float timing() {
- return timing;
- }
-
- @Override
- public void timing(final long start) {
- timing = Timing.millis(start);
- }
+ @Override
+ public float timing() {
+ return timing;
+ }
+
+ @Override
+ public void timing(final long start) {
+ timing = Timing.millis(start);
+ }
- @Override
- public String taf() {
- return tafName;
- }
+ @Override
+ public String taf() {
+ return tafName;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
index d772d493..b248e553 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
@@ -36,49 +36,49 @@ import org.onap.aaf.cadi.Taf;
 *
 */
 public class EpiTaf implements Taf {
- private Taf[] tafs;
-
- /**
- * EpiTaf constructor
- *
- * Construct the EpiTaf from variable TAF parameters
- * @param tafs
- * @throws CadiException
- */
- public EpiTaf(Taf ... tafs) throws CadiException{
- this.tafs = tafs;
- if(tafs.length==0) throw new CadiException("Need at least one Taf implementation in constructor");
- }
+ private Taf[] tafs;
+
+ /**
+ * EpiTaf constructor
+ *
+ * Construct the EpiTaf from variable TAF parameters
+ * @param tafs
+ * @throws CadiException
+ */
+ public EpiTaf(Taf ... tafs) throws CadiException{
+ this.tafs = tafs;
+ if(tafs.length==0) throw new CadiException("Need at least one Taf implementation in constructor");
+ }
- /**
- * validate
- *
- * Respond with the first TAF to authenticate user based on variable info and "LifeForm" (is it
- * a human behind an interface, or a server behind a protocol).
- *
- * If there is no TAF that can authenticate, respond with the first TAF that suggests it can
- * establish an Authentication conversation (TRY_AUTHENTICATING).
- *
- * If no TAF declares either, respond with NullTafResp (which denies all questions)
- */
- public TafResp validate(LifeForm reading, String... info) {
- TafResp tresp,firstTryAuth=null;
- for(Taf taf : tafs) {
- tresp = taf.validate(reading, info);
- switch(tresp.isAuthenticated()) {
- case TRY_ANOTHER_TAF:
- break;
- case TRY_AUTHENTICATING:
- if(firstTryAuth==null)firstTryAuth=tresp;
- break;
- default:
- return tresp;
- }
- }
+ /**
+ * validate
+ *
+ * Respond with the first TAF to authenticate user based on variable info and "LifeForm" (is it
+ * a human behind an interface, or a server behind a protocol).
+ *
+ * If there is no TAF that can authenticate, respond with the first TAF that suggests it can
+ * establish an Authentication conversation (TRY_AUTHENTICATING).
+ *
+ * If no TAF declares either, respond with NullTafResp (which denies all questions)
+ */
+ public TafResp validate(LifeForm reading, String... info) {
+ TafResp tresp,firstTryAuth=null;
+ for(Taf taf : tafs) {
+ tresp = taf.validate(reading, info);
+ switch(tresp.isAuthenticated()) {
+ case TRY_ANOTHER_TAF:
+ break;
+ case TRY_AUTHENTICATING:
+ if(firstTryAuth==null)firstTryAuth=tresp;
+ break;
+ default:
+ return tresp;
+ }
+ }
- // No TAFs configured, at this point. It is safer at this point to be "not validated",
- // rather than "let it go"
- return firstTryAuth == null?NullTafResp.singleton():firstTryAuth;
- }
+ // No TAFs configured, at this point. It is safer at this point to be "not validated",
+ // rather than "let it go"
+ return firstTryAuth == null?NullTafResp.singleton():firstTryAuth;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
index 1d7967e3..b0f56603 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
@@ -47,168 +47,168 @@ import org.onap.aaf.cadi.TrustChecker;
 *
 */
 public class HttpEpiTaf implements HttpTaf {
- private HttpTaf[] tafs;
- private Access access;
- private Locator locator;
- private TrustChecker trustChecker;
-
- /**
- * HttpEpiTaf constructor
- *
- * Construct the HttpEpiTaf from variable Http specific TAF parameters
-
- * @param tafs
- * @throws CadiException
- */
- public HttpEpiTaf(Access access, Locator locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{
- this.tafs = tafs;
- this.access = access;
- this.locator = locator;
- this.trustChecker = tc;
- // Establish what Header Property to look for UserChain/Trust Props
-
- if (tafs.length == 0) {
- throw new CadiException("Need at least one HttpTaf implementation in constructor");
- }
- }
-
- /**
- * validate
- *
- * Respond with the first Http specific TAF to authenticate user based on variable info
- * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol).
- *
- * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can
- * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP
- * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm
- * submission
- *
- * If no TAF declares either, respond with NullTafResp (which denies all questions)
- */
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- // Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings
- if (reading == LifeForm.LFN) {
- reading = tricorderScan(req);
- }
- TafResp tresp = null;
- TafResp firstTry = null;
- List redirectables = null;
- List log;
- if(access.willLog(Level.DEBUG)) {
- log = new ArrayList<>();
- } else {
- log = null;
- }
- try {
- for (HttpTaf taf : tafs) {
- final long start = System.nanoTime();
- tresp = taf.validate(reading, req, resp);
- addToLog(log, tresp, start);
- switch(tresp.isAuthenticated()) {
- case TRY_ANOTHER_TAF:
- break; // and loop
- case TRY_AUTHENTICATING:
- if (tresp instanceof Redirectable) {
- if (redirectables == null) {
- redirectables = new ArrayList<>();
- }
- redirectables.add((Redirectable)tresp);
- } else if (firstTry == null) {
- firstTry = tresp;
- }
- break;
- case IS_AUTHENTICATED:
- tresp = trustChecker.mayTrust(tresp, req);
- return tresp;
- default:
- return tresp;
- }
- }
- } finally {
- printLog(log);
- }
-
- // If No TAFs configured, at this point. It is safer at this point to be "not validated",
- // rather than "let it go"
- // Note: if exists, there will always be more than 0 entries, according to above code
- if (redirectables == null) {
- return (firstTry != null) ? firstTry : NullTafResp.singleton();
- }
-
- // If there is one Tryable entry then return it
- if (redirectables.size() > 1) {
- return LoginPageTafResp.create(access, locator, resp, redirectables);
- } else {
- return redirectables.get(0);
- }
- }
-
- public boolean revalidate(Principal prin) throws Exception {
- return false;
- }
-
- /*
- * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind
- * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical
- * id (SiliconBasedLifeForm)? This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs
- */
- private LifeForm tricorderScan(HttpServletRequest req) {
- // For simplicity's sake, we'll say Humans use FQDNs, not IPs.
-
- // Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are.
- // If mechanical frameworks are found that populate this, then more advanced analysis may be required
- // Jonathan 1/22/2013
- String agent = req.getHeader("User-Agent");
- if (agent != null && agent.startsWith("Mozilla")) { // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent
- return LifeForm.CBLF;
- }
- return LifeForm.SBLF; // notably skips "curl","wget", (which is desired behavior. We don't want to try CSP, etc on these)
- }
-
- public Resp revalidate(CachedPrincipal prin, Object state) {
- Resp resp;
- for (HttpTaf taf : tafs) {
- resp = taf.revalidate(prin, state);
- if (resp != Resp.NOT_MINE) {
- return resp;
- }
-// switch(resp) {
-// case NOT_MINE:
-// break;
-// default:
-// return resp;
-// }
- }
- return Resp.NOT_MINE;
- }
-
- private void addToLog(List log, final TafResp tresp, final long start) {
- if (log == null) {
- return;
- }
- tresp.timing(start);
- log.add(tresp);
- }
-
- private void printLog(List log) {
- if (log == null) {
- return;
- }
- for (TafResp tresp : log) {
- access.printf(Level.DEBUG, "%s: %s, ms=%f", tresp.taf(), tresp.desc(), tresp.timing());
- }
- }
-
- /**
- * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE
- * like Eclipse.
- */
- public String toString() {
- StringBuilder sb = new StringBuilder();
- for (HttpTaf ht : tafs) {
- sb.append(ht.toString());
- sb.append(". ");
- }
- return sb.toString();
- }
+ private HttpTaf[] tafs;
+ private Access access;
+ private Locator locator;
+ private TrustChecker trustChecker;
+
+ /**
+ * HttpEpiTaf constructor
+ *
+ * Construct the HttpEpiTaf from variable Http specific TAF parameters
+
+ * @param tafs
+ * @throws CadiException
+ */
+ public HttpEpiTaf(Access access, Locator locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{
+ this.tafs = tafs;
+ this.access = access;
+ this.locator = locator;
+ this.trustChecker = tc;
+ // Establish what Header Property to look for UserChain/Trust Props
+
+ if (tafs.length == 0) {
+ throw new CadiException("Need at least one HttpTaf implementation in constructor");
+ }
+ }
+
+ /**
+ * validate
+ *
+ * Respond with the first Http specific TAF to authenticate user based on variable info
+ * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol).
+ *
+ * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can
+ * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP
+ * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm
+ * submission
+ *
+ * If no TAF declares either, respond with NullTafResp (which denies all questions)
+ */
+ public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+ // Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings
+ if (reading == LifeForm.LFN) {
+ reading = tricorderScan(req);
+ }
+ TafResp tresp = null;
+ TafResp firstTry = null;
+ List redirectables = null;
+ List log;
+ if(access.willLog(Level.DEBUG)) {
+ log = new ArrayList<>();
+ } else {
+ log = null;
+ }
+ try {
+ for (HttpTaf taf : tafs) {
+ final long start = System.nanoTime();
+ tresp = taf.validate(reading, req, resp);
+ addToLog(log, tresp, start);
+ switch(tresp.isAuthenticated()) {
+ case TRY_ANOTHER_TAF:
+ break; // and loop
+ case TRY_AUTHENTICATING:
+ if (tresp instanceof Redirectable) {
+ if (redirectables == null) {
+ redirectables = new ArrayList<>();
+ }
+ redirectables.add((Redirectable)tresp);
+ } else if (firstTry == null) {
+ firstTry = tresp;
+ }
+ break;
+ case IS_AUTHENTICATED:
+ tresp = trustChecker.mayTrust(tresp, req);
+ return tresp;
+ default:
+ return tresp;
+ }
+ }
+ } finally {
+ printLog(log);
+ }
+
+ // If No TAFs configured, at this point. It is safer at this point to be "not validated",
+ // rather than "let it go"
+ // Note: if exists, there will always be more than 0 entries, according to above code
+ if (redirectables == null) {
+ return (firstTry != null) ? firstTry : NullTafResp.singleton();
+ }
+
+ // If there is one Tryable entry then return it
+ if (redirectables.size() > 1) {
+ return LoginPageTafResp.create(access, locator, resp, redirectables);
+ } else {
+ return redirectables.get(0);
+ }
+ }
+
+ public boolean revalidate(Principal prin) throws Exception {
+ return false;
+ }
+
+ /*
+ * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind
+ * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical
+ * id (SiliconBasedLifeForm)? This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs
+ */
+ private LifeForm tricorderScan(HttpServletRequest req) {
+ // For simplicity's sake, we'll say Humans use FQDNs, not IPs.
+
+ // Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are.
+ // If mechanical frameworks are found that populate this, then more advanced analysis may be required
+ // Jonathan 1/22/2013
+ String agent = req.getHeader("User-Agent");
+ if (agent != null && agent.startsWith("Mozilla")) { // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent
+ return LifeForm.CBLF;
+ }
+ return LifeForm.SBLF; // notably skips "curl","wget", (which is desired behavior. We don't want to try CSP, etc on these)
+ }
+
+ public Resp revalidate(CachedPrincipal prin, Object state) {
+ Resp resp;
+ for (HttpTaf taf : tafs) {
+ resp = taf.revalidate(prin, state);
+ if (resp != Resp.NOT_MINE) {
+ return resp;
+ }
+// switch(resp) {
+// case NOT_MINE:
+// break;
+// default:
+// return resp;
+// }
+ }
+ return Resp.NOT_MINE;
+ }
+
+ private void addToLog(List log, final TafResp tresp, final long start) {
+ if (log == null) {
+ return;
+ }
+ tresp.timing(start);
+ log.add(tresp);
+ }
+
+ private void printLog(List log) {
+ if (log == null) {
+ return;
+ }
+ for (TafResp tresp : log) {
+ access.printf(Level.DEBUG, "%s: %s, ms=%f", tresp.taf(), tresp.desc(), tresp.timing());
+ }
+ }
+
+ /**
+ * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE
+ * like Eclipse.
+ */
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+ for (HttpTaf ht : tafs) {
+ sb.append(ht.toString());
+ sb.append(". ");
+ }
+ return sb.toString();
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
index 9484458c..77976ce2 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
@@ -38,23 +38,23 @@ import org.onap.aaf.cadi.Taf.LifeForm;
 *
 */
 public interface HttpTaf {
- /**
- * validate
- *
- * Validate the Request, and respond with created TafResp object.
- *
- * @param reading
- * @param req
- * @param resp
- * @return
- */
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp);
-
- /**
- * Re-Validate Credential
- *
- * @param prin
- * @return
- */
- public CachedPrincipal.Resp revalidate(CachedPrincipal prin,Object state);
+ /**
+ * validate
+ *
+ * Validate the Request, and respond with created TafResp object.
+ *
+ * @param reading
+ * @param req
+ * @param resp
+ * @return
+ */
+ public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp);
+
+ /**
+ * Re-Validate Credential
+ *
+ * @param prin
+ * @return
+ */
+ public CachedPrincipal.Resp revalidate(CachedPrincipal prin,Object state);
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
index c8abec0a..a5ce45b7 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
@@ -33,68 +33,68 @@ import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.Locator.Item;
 public class LoginPageTafResp extends AbsTafResp {
- private final HttpServletResponse httpResp;
- private final String loginPageURL;
+ private final HttpServletResponse httpResp;
+ private final String loginPageURL;
- private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) {
- super(access, "LoginPage", null, "Multiple Possible HTTP Logins available. Redirecting to Login Choice Page");
- httpResp = resp;
- this.loginPageURL = loginPageURL;
- }
+ private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) {
+ super(access, "LoginPage", null, "Multiple Possible HTTP Logins available. Redirecting to Login Choice Page");
+ httpResp = resp;
+ this.loginPageURL = loginPageURL;
+ }
- @Override
- public RESP authenticate() throws IOException {
- httpResp.sendRedirect(loginPageURL);
- return RESP.HTTP_REDIRECT_INVOKED;
- }
-
- @Override
- public RESP isAuthenticated() {
- return RESP.TRY_AUTHENTICATING;
- }
-
- public static TafResp create(Access access, Locator locator, final HttpServletResponse resp, List redirectables) {
- if (locator == null) {
- if (!redirectables.isEmpty()) {
- access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf");
- return redirectables.get(0);
- }
- return NullTafResp.singleton();
- }
+ @Override
+ public RESP authenticate() throws IOException {
+ httpResp.sendRedirect(loginPageURL);
+ return RESP.HTTP_REDIRECT_INVOKED;
+ }
+
+ @Override
+ public RESP isAuthenticated() {
+ return RESP.TRY_AUTHENTICATING;
+ }
+
+ public static TafResp create(Access access, Locator locator, final HttpServletResponse resp, List redirectables) {
+ if (locator == null) {
+ if (!redirectables.isEmpty()) {
+ access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf");
+ return redirectables.get(0);
+ }
+ return NullTafResp.singleton();
+ }
- try {
- Item item = locator.best();
- URI uri = locator.get(item);
- if (uri == null) {
- return NullTafResp.singleton();
- }
+ try {
+ Item item = locator.best();
+ URI uri = locator.get(item);
+ if (uri == null) {
+ return NullTafResp.singleton();
+ }
- StringBuilder sb = new StringBuilder(uri.toString());
- String query = uri.getQuery();
- boolean first = ((query == null) || (query.length() == 0));
- for (Redirectable redir : redirectables) {
- if (first) {
- sb.append('?');
- first = false;
- }
- else {
- sb.append('&');
- }
- sb.append(redir.get());
- }
- if (!redirectables.isEmpty()) {
- return new LoginPageTafResp(access, resp, sb.toString());
- }
- } catch (Exception e) {
- access.log(e, "Error deriving Login Page location");
- }
+ StringBuilder sb = new StringBuilder(uri.toString());
+ String query = uri.getQuery();
+ boolean first = ((query == null) || (query.length() == 0));
+ for (Redirectable redir : redirectables) {
+ if (first) {
+ sb.append('?');
+ first = false;
+ }
+ else {
+ sb.append('&');
+ }
+ sb.append(redir.get());
+ }
+ if (!redirectables.isEmpty()) {
+ return new LoginPageTafResp(access, resp, sb.toString());
+ }
+ } catch (Exception e) {
+ access.log(e, "Error deriving Login Page location");
+ }
- return NullTafResp.singleton();
- }
-
- @Override
- public String taf() {
- return "LoginPage";
- }
+ return NullTafResp.singleton();
+ }
+
+ @Override
+ public String taf() {
+ return "LoginPage";
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
index e8293faa..7e834794 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
@@ -37,28 +37,28 @@ import org.onap.aaf.cadi.CachedPrincipal.Resp;
 *
 */
 public class NullTaf implements Taf, HttpTaf {
- // Singleton Pattern
- public NullTaf() {}
+ // Singleton Pattern
+ public NullTaf() {}
- /**
- * validate
- *
- * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
- */
- public TafResp validate(LifeForm reading, String... info) {
- return NullTafResp.singleton();
- }
+ /**
+ * validate
+ *
+ * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
+ */
+ public TafResp validate(LifeForm reading, String... info) {
+ return NullTafResp.singleton();
+ }
- /**
- * validate
- *
- * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
- */
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- return NullTafResp.singleton();
- }
+ /**
+ * validate
+ *
+ * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
+ */
+ public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+ return NullTafResp.singleton();
+ }
- public Resp revalidate(CachedPrincipal prin, Object state) {
- return Resp.NOT_MINE;
- }
+ public Resp revalidate(CachedPrincipal prin, Object state) {
+ return Resp.NOT_MINE;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
index af6ef9cc..a3c8f5bb 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
@@ -32,57 +32,57 @@ import org.onap.aaf.cadi.principal.TaggedPrincipal;
 *
 */
 class NullTafResp implements TafResp {
- private NullTafResp(){}
-
- private static TafResp singleton = new NullTafResp();
-
- public static TafResp singleton() {
- return singleton;
- }
-
- public boolean isValid() {
- return false;
- }
-
- public RESP isAuthenticated() {
- return RESP.NO_FURTHER_PROCESSING;
- }
-
- public String desc() {
- return "All Authentication denied";
- }
-
- public RESP authenticate() throws IOException {
- return RESP.NO_FURTHER_PROCESSING;
- }
+ private NullTafResp(){}
+
+ private static TafResp singleton = new NullTafResp();
+
+ public static TafResp singleton() {
+ return singleton;
+ }
+
+ public boolean isValid() {
+ return false;
+ }
+
+ public RESP isAuthenticated() {
+ return RESP.NO_FURTHER_PROCESSING;
+ }
+
+ public String desc() {
+ return "All Authentication denied";
+ }
+
+ public RESP authenticate() throws IOException {
+ return RESP.NO_FURTHER_PROCESSING;
+ }
- public TaggedPrincipal getPrincipal() {
- return null;
- }
+ public TaggedPrincipal getPrincipal() {
+ return null;
+ }
- public Access getAccess() {
- return Access.NULL;
- }
+ public Access getAccess() {
+ return Access.NULL;
+ }
- /* (non-Javadoc)
- * @see org.onap.aaf.cadi.taf.TafResp#isFailedAttempt()
- */
- public boolean isFailedAttempt() {
- return true;
- }
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.taf.TafResp#isFailedAttempt()
+ */
+ public boolean isFailedAttempt() {
+ return true;
+ }
- @Override
- public float timing() {
- return 0;
- }
+ @Override
+ public float timing() {
+ return 0;
+ }
- @Override
- public void timing(long start) {
- }
-
- @Override
- public String taf() {
- return "NULL";
- }
+ @Override
+ public void timing(long start) {
+ }
+
+ @Override
+ public String taf() {
+ return "NULL";
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
index a38c8532..e6555051 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
@@ -34,56 +34,56 @@ import org.onap.aaf.cadi.util.Timing;
 *
 */
 public class PuntTafResp implements TafResp {
- private final String name;
- private final String desc;
- private float timing;
+ private final String name;
+ private final String desc;
+ private float timing;
- public PuntTafResp(String name, String explanation) {
- this.name = name;
- desc = "Not processing this transaction: " + explanation;
- }
-
- public boolean isValid() {
- return false;
- }
-
- public RESP isAuthenticated() {
- return RESP.TRY_ANOTHER_TAF;
- }
-
- public String desc() {
- return desc;
- }
-
- public RESP authenticate() throws IOException {
- return RESP.TRY_ANOTHER_TAF;
- }
+ public PuntTafResp(String name, String explanation) {
+ this.name = name;
+ desc = "Not processing this transaction: " + explanation;
+ }
+
+ public boolean isValid() {
+ return false;
+ }
+
+ public RESP isAuthenticated() {
+ return RESP.TRY_ANOTHER_TAF;
+ }
+
+ public String desc() {
+ return desc;
+ }
+
+ public RESP authenticate() throws IOException {
+ return RESP.TRY_ANOTHER_TAF;
+ }
- public TaggedPrincipal getPrincipal() {
- return null;
- }
+ public TaggedPrincipal getPrincipal() {
+ return null;
+ }
- public Access getAccess() {
- return NullTafResp.singleton().getAccess();
- }
+ public Access getAccess() {
+ return NullTafResp.singleton().getAccess();
+ }
- public boolean isFailedAttempt() {
- return false;
- }
+ public boolean isFailedAttempt() {
+ return false;
+ }
- @Override
- public float timing() {
- return timing;
- }
+ @Override
+ public float timing() {
+ return timing;
+ }
- @Override
- public void timing(long start) {
- timing = Timing.millis(start);
- }
-
- @Override
- public String taf() {
- return name;
- }
+ @Override
+ public void timing(long start) {
+ timing = Timing.millis(start);
+ }
+
+ @Override
+ public String taf() {
+ return name;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
index 8dc5c118..47c262b0 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
@@ -22,10 +22,10 @@ package org.onap.aaf.cadi.taf;
 public interface Redirectable extends TafResp {
- /**
- * Create a Redirectable URL entry prefaced by a URLEncoder.String for a Menu
- * example:
- * "Global Login=https://xxxx....."
- */
- public String get();
+ /**
+ * Create a Redirectable URL entry prefaced by a URLEncoder.String for a Menu
+ * example:
+ * "Global Login=https://xxxx....."
+ */
+ public String get();
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
index acade37a..f3afde72 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
@@ -34,78 +34,78 @@ import org.onap.aaf.cadi.principal.TaggedPrincipal; * */ public interface TafResp { - public static enum RESP { - IS_AUTHENTICATED, - NO_FURTHER_PROCESSING, - TRY_AUTHENTICATING, - TRY_ANOTHER_TAF, - FAIL, - // A note was made to avoid the response REDIRECT. However, I have deemed that it is - // unavoidable when the underlying TAF did do a REDIRECT, because it requires a HTTP - // Service code to exit without modifying the Response any further. - // Therefore, I have changed this to indicate what HAS happened, with should accommodate - // both positions. Jonathan 10/18/2012 -// public static final int HTTP_REDIRECT_INVOKED = 11; - HTTP_REDIRECT_INVOKED, - HAS_PROCESSED}; - - /** - * Basic success check - * @return - */ - public boolean isValid(); - - /** - * String description of what has occurred (for logging/exceptions) - * @return - */ - public String desc(); - - /** - * Check Response - * @return - */ - public RESP isAuthenticated(); + public static enum RESP { + IS_AUTHENTICATED, + NO_FURTHER_PROCESSING, + TRY_AUTHENTICATING, + TRY_ANOTHER_TAF, + FAIL, + // A note was made to avoid the response REDIRECT. However, I have deemed that it is + // unavoidable when the underlying TAF did do a REDIRECT, because it requires a HTTP + // Service code to exit without modifying the Response any further. + // Therefore, I have changed this to indicate what HAS happened, with should accommodate + // both positions. 
Jonathan 10/18/2012 +// public static final int HTTP_REDIRECT_INVOKED = 11; + HTTP_REDIRECT_INVOKED, + HAS_PROCESSED}; + + /** + * Basic success check + * @return + */ + public boolean isValid(); + + /** + * String description of what has occurred (for logging/exceptions) + * @return + */ + public String desc(); + + /** + * Check Response + * @return + */ + public RESP isAuthenticated(); - /** - * Authenticate, returning FAIL or Other Valid indication - * - * HTTP implementations should watch for "HTTP_REDIRECT_INVOKED", and end the HTTP call appropriately. - * @return - * @throws CadiException - */ - public RESP authenticate() throws IOException; + /** + * Authenticate, returning FAIL or Other Valid indication + * + * HTTP implementations should watch for "HTTP_REDIRECT_INVOKED", and end the HTTP call appropriately. + * @return + * @throws CadiException + */ + public RESP authenticate() throws IOException; - /** - * Once authenticated, this object should hold a Principal created from the authorization - * @return - */ - public TaggedPrincipal getPrincipal(); + /** + * Once authenticated, this object should hold a Principal created from the authorization + * @return + */ + public TaggedPrincipal getPrincipal(); - /** - * get the Access object which created this object, allowing the responder to appropriate Log, etc - */ - public Access getAccess(); - - /** - * Be able to check if part of a Failed attempt - */ - public boolean isFailedAttempt(); - - /** - * report how long this took - * @return - */ - public float timing(); + /** + * get the Access object which created this object, allowing the responder to appropriate Log, etc + */ + public Access getAccess(); + + /** + * Be able to check if part of a Failed attempt + */ + public boolean isFailedAttempt(); + + /** + * report how long this took + * @return + */ + public float timing(); - /** - * Set end of timing in Millis, given Nanos - * @param start - */ - void timing(long start); - - /** - * Support Taf Name - 
*/ - String taf(); + /** + * Set end of timing in Millis, given Nanos + * @param start + */ + void timing(long start); + + /** + * Support Taf Name + */ + String taf(); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java index 98ead3ca..6b8adeb8 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java 
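Review bot: The Javadoc on `authenticate()` declares `@throws CadiException`, but the signature is `throws IOException`, so the documented contract does not match what callers must actually catch; change the tag to `@throws IOException` (the FAIL case is a return value, as the text already says, not an exception). The `@return` tags on `isValid()`, `desc()`, `isAuthenticated()`, `authenticate()`, `getPrincipal()` and `timing()` are empty and could carry the one fact an implementor needs, for example `@return TRY_ANOTHER_TAF when this TAF cannot decide and the next TAF in the chain should be consulted`. The `RESP` enum would also benefit from a one-line comment per constant, since `HAS_PROCESSED` and `NO_FURTHER_PROCESSING` are only distinguishable today by reading the implementations.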
@@ -28,67 +28,67 @@ import org.onap.aaf.cadi.principal.TaggedPrincipal; import org.onap.aaf.cadi.util.Timing; public class TrustNotTafResp implements TafResp { - private final TafResp delegate; - private final String desc; - private float timing; - - public TrustNotTafResp(final TafResp delegate, final String desc) { - this.delegate = delegate; - this.desc = desc; - } - - @Override - public boolean isValid() { - return false; - } + private final TafResp delegate; + private final String desc; + private float timing; + + public TrustNotTafResp(final TafResp delegate, final String desc) { + this.delegate = delegate; + this.desc = desc; + } + + @Override + public boolean isValid() { + return false; + } - @Override - public String desc() { - return desc; - } + @Override + public String desc() { + return desc; + } - @Override - public RESP isAuthenticated() { - return RESP.NO_FURTHER_PROCESSING; - } + @Override + public RESP isAuthenticated() { + return RESP.NO_FURTHER_PROCESSING; + } - @Override - public RESP authenticate() throws IOException { - return RESP.NO_FURTHER_PROCESSING; - } + @Override + public RESP authenticate() throws IOException { + return RESP.NO_FURTHER_PROCESSING; + } - @Override - public TaggedPrincipal getPrincipal() { - return delegate.getPrincipal(); - } + @Override + public TaggedPrincipal getPrincipal() { + return delegate.getPrincipal(); + } - @Override - public Access getAccess() { - return delegate.getAccess(); - } + @Override + public Access getAccess() { + return delegate.getAccess(); + } - @Override - public boolean isFailedAttempt() { - return true; - } - @Override - public float timing() { - return timing; - } + @Override + public boolean isFailedAttempt() { + return true; + } + @Override + public float timing() { + return timing; + } - @Override - public void timing(long start) { - timing = Timing.millis(start); - } - - @Override - public String toString() { - return desc(); - } - - @Override - public String taf() { - return "TrustNot"; 
- } + @Override + public void timing(long start) { + timing = Timing.millis(start); + } + + @Override + public String toString() { + return desc(); + } + + @Override + public String taf() { + return "TrustNot"; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java index 9d3b28ca..91f9f8c4 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java 
@@ -28,68 +28,68 @@ import org.onap.aaf.cadi.principal.TaggedPrincipal; import org.onap.aaf.cadi.util.Timing; public class TrustTafResp implements TafResp { - private final TafResp delegate; - private final TaggedPrincipal principal; - private final String desc; - private float timing; - - public TrustTafResp(final TafResp delegate, final TaggedPrincipal principal, final String desc) { - this.delegate = delegate; - this.principal = principal; - this.desc = desc + ' ' + delegate.desc(); - } - - @Override - public boolean isValid() { - return delegate.isValid(); - } + private final TafResp delegate; + private final TaggedPrincipal principal; + private final String desc; + private float timing; + + public TrustTafResp(final TafResp delegate, final TaggedPrincipal principal, final String desc) { + this.delegate = delegate; + this.principal = principal; + this.desc = desc + ' ' + delegate.desc(); + } + + @Override + public boolean isValid() { + return delegate.isValid(); + } - @Override - public String desc() { - return desc; - } + @Override + public String desc() { + return desc; + } - @Override - public RESP isAuthenticated() { - return delegate.isAuthenticated(); - } + @Override + public RESP isAuthenticated() { + return delegate.isAuthenticated(); + } - @Override - public RESP authenticate() throws IOException { - return delegate.authenticate(); - } + @Override + public RESP authenticate() throws IOException { + return delegate.authenticate(); + } - @Override - public TaggedPrincipal getPrincipal() { - return principal; - } + @Override + public TaggedPrincipal getPrincipal() { + return principal; + } - @Override - public Access getAccess() { - return delegate.getAccess(); - } + @Override + public Access getAccess() { + return delegate.getAccess(); + } - @Override - public boolean isFailedAttempt() { - return delegate.isFailedAttempt(); - } - @Override - public float timing() { - return timing; - } + @Override + public boolean isFailedAttempt() { + return 
delegate.isFailedAttempt(); + } + @Override + public float timing() { + return timing; + } - @Override - public void timing(long start) { - timing = Timing.millis(start); - } - - public String toString() { - return principal.getName() + " by trust of " + desc(); - } - - @Override - public String taf() { - return "Trust"; - } + @Override + public void timing(long start) { + timing = Timing.millis(start); + } + + public String toString() { + return principal.getName() + " by trust of " + desc(); + } + + @Override + public String taf() { + return "Trust"; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java index 8fc985cf..21830b01 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java 
@@ -60,139 +60,139 @@ import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf; * */ public class BasicHttpTaf implements HttpTaf { - private Access access; - private String realm; - private CredVal rbac; - private Map rbacs = new TreeMap<>(); - private boolean warn; - private long timeToLive; - - public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) { - this.access = access; - this.realm = realm; - this.rbac = rbac; - this.warn = turnOnWarning; - this.timeToLive = timeToLive; - } + private Access access; + private String realm; + private CredVal rbac; + private Map rbacs = new TreeMap<>(); + private boolean warn; + private long timeToLive; + + public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) { + this.access = access; + this.realm = realm; + this.rbac = rbac; + this.warn = turnOnWarning; + this.timeToLive = timeToLive; + } - public void add(final CredValDomain cvd) { - rbacs.put(cvd.domain(), cvd); - } - - /** - * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms. - * @see Taf - */ - public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { - // See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately - if(req instanceof BasicCred) { - BasicCred bc = (BasicCred)req; - if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null - if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) { - return DenialOfServiceTaf.respDenyID(access,bc.getUser()); - } - CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive); - - // Be able to do Organizational specific lookups by Domain - CredVal cv = rbacs.get(bp.getDomain()); - if(cv==null) { - cv = rbac; - } - - // ONLY FOR Last Ditch DEBUGGING... 
- // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred())); - if(cv.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) { - return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false); - } else { - //TODO may need timed retries in a given time period - return new BasicHttpTafResp(access,null,buildMsg(bp,req,"user/pass combo invalid for ",bc.getUser(),"from",req.getRemoteAddr()), - RESP.TRY_AUTHENTICATING,resp,realm,true); - } - } - } - // Get User/Password from Authorization Header value - String authz = req.getHeader("Authorization"); - if(authz != null && authz.startsWith("Basic ")) { - if(warn&&!req.isSecure()) { - access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel"); - } - try { - CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive); - if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) { - return DenialOfServiceTaf.respDenyID(access,ba.getName()); - } - - final int at = ba.getName().indexOf('@'); - CredVal cv = rbacs.get(ba.getName().substring(at+1)); - if(cv==null) { - cv = rbac; // default - } + public void add(final CredValDomain cvd) { + rbacs.put(cvd.domain(), cvd); + } + + /** + * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms. 
+ * @see Taf + */ + public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + // See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately + if(req instanceof BasicCred) { + BasicCred bc = (BasicCred)req; + if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null + if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) { + return DenialOfServiceTaf.respDenyID(access,bc.getUser()); + } + CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive); + + // Be able to do Organizational specific lookups by Domain + CredVal cv = rbacs.get(bp.getDomain()); + if(cv==null) { + cv = rbac; + } + + // ONLY FOR Last Ditch DEBUGGING... + // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred())); + if(cv.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) { + return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false); + } else { + //TODO may need timed retries in a given time period + return new BasicHttpTafResp(access,null,buildMsg(bp,req,"user/pass combo invalid for ",bc.getUser(),"from",req.getRemoteAddr()), + RESP.TRY_AUTHENTICATING,resp,realm,true); + } + } + } + // Get User/Password from Authorization Header value + String authz = req.getHeader("Authorization"); + if(authz != null && authz.startsWith("Basic ")) { + if(warn&&!req.isSecure()) { + access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel"); + } + try { + CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive); + if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) { + return DenialOfServiceTaf.respDenyID(access,ba.getName()); + } + + final int at = ba.getName().indexOf('@'); + CredVal cv = rbacs.get(ba.getName().substring(at+1)); + if(cv==null) { + cv = rbac; // default + } - // ONLY FOR Last Ditch DEBUGGING... 
- // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred())); - if(cv.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) { - return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false); - } else { - //TODO may need timed retries in a given time period - return new BasicHttpTafResp(access,null,buildMsg(ba,req,"user/pass combo invalid"), - RESP.TRY_AUTHENTICATING,resp,realm,true); - } - } catch (IOException e) { - String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')'); - access.log(Level.INFO,msg); - return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true); - } - } - return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false); - } - - protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) { - StringBuilder sb = new StringBuilder(); - if(pr!=null) { - sb.append("user="); - sb.append(pr.getName()); - sb.append(','); - } - sb.append("ip="); - sb.append(req.getRemoteAddr()); - sb.append(",port="); - sb.append(req.getRemotePort()); - if(msg.length>0) { - sb.append(",msg=\""); - for(Object s : msg) { - sb.append(s.toString()); - } - sb.append('"'); - } - return sb.toString(); - } - - public void addCredVal(final String realm, final CredVal cv) { - rbacs.put(realm, cv); - } + // ONLY FOR Last Ditch DEBUGGING... 
+ // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred())); + if(cv.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) { + return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false); + } else { + //TODO may need timed retries in a given time period + return new BasicHttpTafResp(access,null,buildMsg(ba,req,"user/pass combo invalid"), + RESP.TRY_AUTHENTICATING,resp,realm,true); + } + } catch (IOException e) { + String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')'); + access.log(Level.INFO,msg); + return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true); + } + } + return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false); + } + + protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) { + StringBuilder sb = new StringBuilder(); + if(pr!=null) { + sb.append("user="); + sb.append(pr.getName()); + sb.append(','); + } + sb.append("ip="); + sb.append(req.getRemoteAddr()); + sb.append(",port="); + sb.append(req.getRemotePort()); + if(msg.length>0) { + sb.append(",msg=\""); + for(Object s : msg) { + sb.append(s.toString()); + } + sb.append('"'); + } + return sb.toString(); + } + + public void addCredVal(final String realm, final CredVal cv) { + rbacs.put(realm, cv); + } - public CredVal getCredVal(String key) { - CredVal cv = rbacs.get(key); - if(cv==null) { - cv = rbac; - } - return cv; - } - - @Override - public Resp revalidate(CachedPrincipal prin, Object state) { - if(prin instanceof BasicPrincipal) { - BasicPrincipal ba = (BasicPrincipal)prin; - if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) { - return Resp.UNVALIDATED; - } - return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), state)?Resp.REVALIDATED:Resp.UNVALIDATED; - } - return Resp.NOT_MINE; - } - - public String toString() { - return "Basic Auth enabled 
on realm: " + realm; - } + public CredVal getCredVal(String key) { + CredVal cv = rbacs.get(key); + if(cv==null) { + cv = rbac; + } + return cv; + } + + @Override + public Resp revalidate(CachedPrincipal prin, Object state) { + if(prin instanceof BasicPrincipal) { + BasicPrincipal ba = (BasicPrincipal)prin; + if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) { + return Resp.UNVALIDATED; + } + return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), state)?Resp.REVALIDATED:Resp.UNVALIDATED; + } + return Resp.NOT_MINE; + } + + public String toString() { + return "Basic Auth enabled on realm: " + realm; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java index 643cf29e..d1acf5fe 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java 
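Review bot: `revalidate()` always re-checks the cached credential against the default `rbac`, whereas `validate()` first looks up a domain-specific `CredVal` in `rbacs` (via `bp.getDomain()` or the part of the name after `@`), so a principal that was authenticated by a domain-specific validator is revalidated by a different one and may be dropped, or kept alive by a more permissive default. Reuse the existing lookup: `String name = ba.getName();` / `CredVal cv = getCredVal(name.substring(name.indexOf('@') + 1));` / `return cv.validate(name, Type.PASSWORD, ba.getCred(), state) ? Resp.REVALIDATED : Resp.UNVALIDATED;`. Separately, the "BasicAuth has been used over an insecure channel" message in `validate()` is only logged when `warn` is set while the password is validated either way; logging it unconditionally (letting `warn` only choose the level) gives operators a record of credentials sent in clear, which is worth more than the suppressed line.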
@@ -31,31 +31,31 @@ import org.onap.aaf.cadi.taf.AbsTafResp; import org.onap.aaf.cadi.taf.TafResp; public class BasicHttpTafResp extends AbsTafResp implements TafResp { - private static final String tafName = BasicHttpTaf.class.getSimpleName(); - private HttpServletResponse httpResp; - private String realm; - private RESP status; - private final boolean wasFailed; - - public BasicHttpTafResp(Access access, TaggedPrincipal principal, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) { - super(access, tafName, principal, description); - httpResp = resp; - this.realm = realm; - this.status = status; - this.wasFailed = wasFailed; - } - - public RESP authenticate() throws IOException { - httpResp.setStatus(401); // Unauthorized - httpResp.setHeader("WWW-Authenticate", "Basic realm=\""+realm+'"'); - return RESP.HTTP_REDIRECT_INVOKED; - } - - public RESP isAuthenticated() { - return status; - } - - public boolean isFailedAttempt() { - return wasFailed; - } + private static final String tafName = BasicHttpTaf.class.getSimpleName(); + private HttpServletResponse httpResp; + private String realm; + private RESP status; + private final boolean wasFailed; + + public BasicHttpTafResp(Access access, TaggedPrincipal principal, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) { + super(access, tafName, principal, description); + httpResp = resp; + this.realm = realm; + this.status = status; + this.wasFailed = wasFailed; + } + + public RESP authenticate() throws IOException { + httpResp.setStatus(401); // Unauthorized + httpResp.setHeader("WWW-Authenticate", "Basic realm=\""+realm+'"'); + return RESP.HTTP_REDIRECT_INVOKED; + } + + public RESP isAuthenticated() { + return status; + } + + public boolean isFailedAttempt() { + return wasFailed; + } } 
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java index 0da41b81..f597159e 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java @@ -29,18 +29,18 @@ import javax.servlet.http.HttpServletRequest; import org.onap.aaf.cadi.principal.TaggedPrincipal; public interface CertIdentity { - /** - * identity from X509Certificate Object and/or certBytes - * - * If you have both, include them. If you only have one, leave the other null, and it will be generated if needed - * - * The Request is there to obtain Header or Attribute info of ultimate user - * - * @param req - * @param cert - * @param certBytes - * @return - * @throws CertificateException - */ - public TaggedPrincipal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException; + /** + * identity from X509Certificate Object and/or certBytes + * + * If you have both, include them. If you only have one, leave the other null, and it will be generated if needed + * + * The Request is there to obtain Header or Attribute info of ultimate user + * + * @param req + * @param cert + * @param certBytes + * @return + * @throws CertificateException + */ + public TaggedPrincipal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException; } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java index c18f9036..d51cc86a 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java 
@@ -29,25 +29,25 @@ import org.onap.aaf.cadi.taf.AbsTafResp; import org.onap.aaf.cadi.taf.TafResp; public class X509HttpTafResp extends AbsTafResp implements TafResp { - private static final String tafName = X509Taf.class.getSimpleName(); - - private RESP status; - - public X509HttpTafResp(Access access, TaggedPrincipal principal, String description, RESP status) { - super(access, tafName, principal, description); - this.status = status; - } - - public RESP authenticate() throws IOException { - return RESP.TRY_ANOTHER_TAF; - } - - public RESP isAuthenticated() { - return status; - } - - public String toString() { - return status.name(); - } + private static final String tafName = X509Taf.class.getSimpleName(); + + private RESP status; + + public X509HttpTafResp(Access access, TaggedPrincipal principal, String description, RESP status) { + super(access, tafName, principal, description); + this.status = status; + } + + public RESP authenticate() throws IOException { + return RESP.TRY_ANOTHER_TAF; + } + + public RESP isAuthenticated() { + return status; + } + + public String toString() { + return status.name(); + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java index 77efa956..d0034c76 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java 
@@ -56,221 +56,221 @@ import org.onap.aaf.cadi.taf.basic.BasicHttpTaf; import org.onap.aaf.cadi.util.Split; public class X509Taf implements HttpTaf { - private static final String CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION = "Certificate NOT valid for Authentication"; - public static final CertificateFactory certFactory; - public static final MessageDigest messageDigest; - public static final TrustManagerFactory tmf; - private Access access; - private CertIdentity[] certIdents; -// private Lur lur; - private ArrayList cadiIssuers; - private String env; - private SecurityInfo si; - private BasicHttpTaf bht; + private static final String CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION = "Certificate NOT valid for Authentication"; + public static final CertificateFactory certFactory; + public static final MessageDigest messageDigest; + public static final TrustManagerFactory tmf; + private Access access; + private CertIdentity[] certIdents; +// private Lur lur; + private ArrayList cadiIssuers; + private String env; + private SecurityInfo si; + private BasicHttpTaf bht; - static { - try { - certFactory = CertificateFactory.getInstance("X.509"); - messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone - tmf = TrustManagerFactory.getInstance(SecurityInfoC.SSL_KEY_MANAGER_FACTORY_ALGORITHM); - } catch (Exception e) { - throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e); - } - } - - public X509Taf(Access access, Lur lur, CertIdentity ... 
cis) throws CertificateException, NoSuchAlgorithmException, CadiException { - this.access = access; - env = access.getProperty(Config.AAF_ENV,null); - if(env==null) { - throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set."); - } -// this.lur = lur; - this.cadiIssuers = new ArrayList<>(); - for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "").split(":")) { - access.printf(Level.INIT, "Trusting Identity for Certificates signed by \"%s\"",ci); - cadiIssuers.add(ci); - } - try { - Class dci = access.classLoader().loadClass("org.onap.aaf.auth.direct.DirectCertIdentity"); - if(dci==null) { - certIdents = cis; - } else { - CertIdentity temp[] = new CertIdentity[cis.length+1]; - System.arraycopy(cis, 0, temp, 1, cis.length); - temp[0] = (CertIdentity) dci.newInstance(); - certIdents=temp; - } - } catch (Exception e) { - certIdents = cis; - } - - si = new SecurityInfo(access); - } + static { + try { + certFactory = CertificateFactory.getInstance("X.509"); + messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone + tmf = TrustManagerFactory.getInstance(SecurityInfoC.SSL_KEY_MANAGER_FACTORY_ALGORITHM); + } catch (Exception e) { + throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e); + } + } + + public X509Taf(Access access, Lur lur, CertIdentity ... 
cis) throws CertificateException, NoSuchAlgorithmException, CadiException { + this.access = access; + env = access.getProperty(Config.AAF_ENV,null); + if(env==null) { + throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set."); + } +// this.lur = lur; + this.cadiIssuers = new ArrayList<>(); + for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "").split(":")) { + access.printf(Level.INIT, "Trusting Identity for Certificates signed by \"%s\"",ci); + cadiIssuers.add(ci); + } + try { + Class dci = access.classLoader().loadClass("org.onap.aaf.auth.direct.DirectCertIdentity"); + if(dci==null) { + certIdents = cis; + } else { + CertIdentity temp[] = new CertIdentity[cis.length+1]; + System.arraycopy(cis, 0, temp, 1, cis.length); + temp[0] = (CertIdentity) dci.newInstance(); + certIdents=temp; + } + } catch (Exception e) { + certIdents = cis; + } + + si = new SecurityInfo(access); + } - public static final X509Certificate getCert(byte[] certBytes) throws CertificateException { - ByteArrayInputStream bais = new ByteArrayInputStream(certBytes); - return (X509Certificate)certFactory.generateCertificate(bais); - } + public static final X509Certificate getCert(byte[] certBytes) throws CertificateException { + ByteArrayInputStream bais = new ByteArrayInputStream(certBytes); + return (X509Certificate)certFactory.generateCertificate(bais); + } - public static final byte[] getFingerPrint(byte[] ba) { - MessageDigest md; - try { - md = (MessageDigest)messageDigest.clone(); - } catch (CloneNotSupportedException e) { - // should never get here - return new byte[0]; - } - md.update(ba); - return md.digest(); - } + public static final byte[] getFingerPrint(byte[] ba) { + MessageDigest md; + try { + md = (MessageDigest)messageDigest.clone(); + } catch (CloneNotSupportedException e) { + // should never get here + return new byte[0]; + } + md.update(ba); + return md.digest(); + } - @Override - public TafResp validate(LifeForm reading, 
HttpServletRequest req, HttpServletResponse resp) { - // Check for Mutual SSL - try { - X509Certificate[] certarr = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate"); - if(certarr!=null && certarr.length>0) { - si.checkClientTrusted(certarr); - // Note: If the Issuer is not in the TrustStore, it's not added to the Cert list - String issuer = certarr[0].getIssuerDN().toString(); - if(cadiIssuers.contains(issuer)) { - String subject = certarr[0].getSubjectDN().getName(); - // avoiding extra object creation, since this is validated EVERY transaction with a Cert - int at = subject.indexOf('@'); - if(at>=0) { - int start = subject.lastIndexOf(',', at); - if(start<0) { - start = 0; - } - int end = subject.indexOf(',', at); - if(end<0) { - end=subject.length(); - } - int temp; - if(((temp=subject.indexOf("OU=",start))>=0 && temp=0 && temp1 && env!=null && env.equals(sa[1]))) { // Check Environment - return new X509HttpTafResp(access, - new X509Principal(sa[0], certarr[0],(byte[])null,bht), - "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED); - } - } - - } - } - } - + @Override + public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + // Check for Mutual SSL + try { + X509Certificate[] certarr = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate"); + if(certarr!=null && certarr.length>0) { + si.checkClientTrusted(certarr); + // Note: If the Issuer is not in the TrustStore, it's not added to the Cert list + String issuer = certarr[0].getIssuerDN().toString(); + if(cadiIssuers.contains(issuer)) { + String subject = certarr[0].getSubjectDN().getName(); + // avoiding extra object creation, since this is validated EVERY transaction with a Cert + int at = subject.indexOf('@'); + if(at>=0) { + int start = subject.lastIndexOf(',', at); + if(start<0) { + start = 0; + } + int end = subject.indexOf(',', at); + if(end<0) { + end=subject.length(); + } 
+ int temp; + if(((temp=subject.indexOf("OU=",start))>=0 && temp=0 && temp1 && env!=null && env.equals(sa[1]))) { // Check Environment + return new X509HttpTafResp(access, + new X509Principal(sa[0], certarr[0],(byte[])null,bht), + "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED); + } + } + + } + } + } + - byte[] array = null; - byte[] certBytes = null; - X509Certificate cert=null; - String responseText=null; - String authHeader = req.getHeader("Authorization"); + byte[] array = null; + byte[] certBytes = null; + X509Certificate cert=null; + String responseText=null; + String authHeader = req.getHeader("Authorization"); - if(certarr!=null) { // If cert !=null, Cert is Tested by Mutual Protocol. - if(authHeader!=null) { // This is only intended to be a Secure Connection, not an Identity - for(String auth : Split.split(',',authHeader)) { - if(auth.startsWith("Bearer ")) { // Bearer = OAuth... Don't use as Authenication - return new X509HttpTafResp(access, null, "Certificate verified, but Bearer Token is presented", RESP.TRY_ANOTHER_TAF); - } - } - } - cert = certarr[0]; - responseText = ", validated by Mutual SSL Protocol"; - } else { // If cert == null, Get Declared Cert (in header), but validate by having them sign something - if(authHeader != null) { - for(String auth : Split.splitTrim(',',authHeader)) { - if(auth.startsWith("x509 ")) { - ByteArrayOutputStream baos = new ByteArrayOutputStream(auth.length()); - try { - array = auth.getBytes(); - ByteArrayInputStream bais = new ByteArrayInputStream(array); - Symm.base64noSplit.decode(bais, baos, 5); - certBytes = baos.toByteArray(); - cert = getCert(certBytes); - - /** - * Identity from CERT if well know CA and specific encoded information - */ - // If found Identity doesn't work, try SignedStuff Protocol - // cert.checkValidity(); - // cert.--- GET FINGERPRINT? 
- String stuff = req.getHeader("Signature"); - if(stuff==null) - return new X509HttpTafResp(access, null, "Header entry 'Signature' required to validate One way X509 Certificate", RESP.TRY_ANOTHER_TAF); - String data = req.getHeader("Data"); - // if(data==null) - // return new X509HttpTafResp(access, null, "No signed Data to validate with X509 Certificate", RESP.TRY_ANOTHER_TAF); - - // Note: Data Pos shows is " " - // int dataPos = (stuff.indexOf(' ')); // determine what is Algorithm - // Get Signature - bais = new ByteArrayInputStream(stuff.getBytes()); - baos = new ByteArrayOutputStream(stuff.length()); - Symm.base64noSplit.decode(bais, baos); - array = baos.toByteArray(); - // Signature sig = Signature.getInstance(stuff.substring(0, dataPos)); // get Algorithm from first part of Signature - - Signature sig = Signature.getInstance(cert.getSigAlgName()); - sig.initVerify(cert.getPublicKey()); - sig.update(data.getBytes()); - if(!sig.verify(array)) { - access.log(Level.ERROR, "Signature doesn't Match"); - return new X509HttpTafResp(access, null, CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION, RESP.TRY_ANOTHER_TAF); - } - responseText = ", validated by Signed Data"; - } catch (Exception e) { - access.log(e, "Exception while validating Cert"); - return new X509HttpTafResp(access, null, CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION, RESP.TRY_ANOTHER_TAF); - } - } - } - } - if(cert==null) { - return new X509HttpTafResp(access, null, "No Certificate Info on Transaction", RESP.TRY_ANOTHER_TAF); - } - - // A cert has been found, match Identify - TaggedPrincipal prin=null; - - for(int i=0;prin==null && i " + // int dataPos = (stuff.indexOf(' ')); // determine what is Algorithm + // Get Signature + bais = new ByteArrayInputStream(stuff.getBytes()); + baos = new ByteArrayOutputStream(stuff.length()); + Symm.base64noSplit.decode(bais, baos); + array = baos.toByteArray(); + // Signature sig = Signature.getInstance(stuff.substring(0, dataPos)); // get Algorithm from first part of 
Signature + + Signature sig = Signature.getInstance(cert.getSigAlgName()); + sig.initVerify(cert.getPublicKey()); + sig.update(data.getBytes()); + if(!sig.verify(array)) { + access.log(Level.ERROR, "Signature doesn't Match"); + return new X509HttpTafResp(access, null, CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION, RESP.TRY_ANOTHER_TAF); + } + responseText = ", validated by Signed Data"; + } catch (Exception e) { + access.log(e, "Exception while validating Cert"); + return new X509HttpTafResp(access, null, CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION, RESP.TRY_ANOTHER_TAF); + } + } + } + } + if(cert==null) { + return new X509HttpTafResp(access, null, "No Certificate Info on Transaction", RESP.TRY_ANOTHER_TAF); + } + + // A cert has been found, match Identify + TaggedPrincipal prin=null; + + for(int i=0;prin==null && i deniedIP=null, deniedID=null; - private Access access; - private final TafResp puntNotDenied; - private static File dosIP, dosID; - - /** - * - * @param hostname - * @param prod - * @throws CadiException - */ - public DenialOfServiceTaf(Access access) throws CadiException { - puntNotDenied = new PuntTafResp("DenialOfServiceTaf", "This Transaction is not denied"); - this.access = access; - if(dosIP==null || dosID == null) { - String dirStr; - if((dirStr = access.getProperty(Config.AAF_DATA_DIR, null))!=null) { - dosIP = new File(dirStr+"/dosIP"); - readIP(); - dosID = new File(dirStr+"/dosID"); - readID(); - } - } - } + private static Map deniedIP=null, deniedID=null; + private Access access; + private final TafResp puntNotDenied; + private static File dosIP, dosID; + + /** + * + * @param hostname + * @param prod + * @throws CadiException + */ + public DenialOfServiceTaf(Access access) throws CadiException { + puntNotDenied = new PuntTafResp("DenialOfServiceTaf", "This Transaction is not denied"); + this.access = access; + if(dosIP==null || dosID == null) { + String dirStr; + if((dirStr = access.getProperty(Config.AAF_DATA_DIR, null))!=null) { + dosIP = new 
File(dirStr+"/dosIP");
+ readIP();
+ dosID = new File(dirStr+"/dosID");
+ readID();
+ }
+ }
+ }
- @Override
- public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
- // Performance, when not needed
- if(deniedIP != null) {
- String ip;
- Counter c = deniedIP.get(ip=req.getRemoteAddr());
- if(c!=null) {
- c.inc();
- return respDenyIP(access,ip);
- }
- }
-
- // Note: Can't process Principal, because this is the first TAF, and no Principal is created.
- // Other TAFs use "isDenied()" on this Object to validate.
- return puntNotDenied;
- }
+ @Override
+ public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
+ // Performance, when not needed
+ if(deniedIP != null) {
+ String ip;
+ Counter c = deniedIP.get(ip=req.getRemoteAddr());
+ if(c!=null) {
+ c.inc();
+ return respDenyIP(access,ip);
+ }
+ }
+
+ // Note: Can't process Principal, because this is the first TAF, and no Principal is created.
+ // Other TAFs use "isDenied()" on this Object to validate.
+ return puntNotDenied;
+ }
- @Override
- public Resp revalidate(CachedPrincipal prin, Object state) {
- // We always return NOT MINE, because DOS Taf does not ever validate
- return Resp.NOT_MINE;
- }
+ @Override
+ public Resp revalidate(CachedPrincipal prin, Object state) {
+ // We always return NOT MINE, because DOS Taf does not ever validate
+ return Resp.NOT_MINE;
+ }
- /*
- * for use in Other TAFs, before they attempt backend validation of
- */
- public static Counter isDeniedID(String identity) {
- if(deniedID!=null) {
- return deniedID.get(identity);
- }
- return null;
- }
-
- /**
- *
- */
- public static Counter isDeniedIP(String ipvX) {
- if(deniedIP!=null) {
- return deniedIP.get(ipvX);
- }
- return null;
- }
+ /*
+ * for use in Other TAFs, before they attempt backend validation of
+ */
+ public static Counter isDeniedID(String identity) {
+ if(deniedID!=null) {
+ return deniedID.get(identity);
+ }
+ return null;
+ }
+
+ /**
+ *
+ */
+ public static Counter isDeniedIP(String ipvX) {
+ if(deniedIP!=null) {
+ return deniedIP.get(ipvX);
+ }
+ return null;
+ }
- /**
- * Return of "True" means IP has been added.
- * Return of "False" means IP already added.
- * - * @param ip - * @return - */ - public static synchronized boolean denyIP(String ip) { - boolean rv = false; - if(deniedIP==null) { - deniedIP = new HashMap<>(); - deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent - rv= true; - } else if(deniedIP.get(ip)==null) { - deniedIP.put(ip, new Counter(ip)); - rv = true; - } - if(rv) { - writeIP(); - } - return rv; - } - - private static void writeIP() { - if(dosIP!=null && deniedIP!=null) { - if(deniedIP.isEmpty()) { - if(dosIP.exists()) { - dosIP.delete(); - } - } else { - PrintStream fos; - try { - fos = new PrintStream(new FileOutputStream(dosIP,false)); - try { - for(String ip: deniedIP.keySet()) { - fos.println(ip); - } - } finally { - fos.close(); - } - } catch (IOException e) { - e.printStackTrace(System.err); - } - } - } - } - - private static void readIP() { - if(dosIP!=null && dosIP.exists()) { - BufferedReader br; - try { - br = new BufferedReader(new FileReader(dosIP)); - try { - if(deniedIP==null) { - deniedIP=new HashMap<>(); - } + /** + * Return of "True" means IP has been added. + * Return of "False" means IP already added. 
+ * + * @param ip + * @return + */ + public static synchronized boolean denyIP(String ip) { + boolean rv = false; + if(deniedIP==null) { + deniedIP = new HashMap<>(); + deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent + rv= true; + } else if(deniedIP.get(ip)==null) { + deniedIP.put(ip, new Counter(ip)); + rv = true; + } + if(rv) { + writeIP(); + } + return rv; + } + + private static void writeIP() { + if(dosIP!=null && deniedIP!=null) { + if(deniedIP.isEmpty()) { + if(dosIP.exists()) { + dosIP.delete(); + } + } else { + PrintStream fos; + try { + fos = new PrintStream(new FileOutputStream(dosIP,false)); + try { + for(String ip: deniedIP.keySet()) { + fos.println(ip); + } + } finally { + fos.close(); + } + } catch (IOException e) { + e.printStackTrace(System.err); + } + } + } + } + + private static void readIP() { + if(dosIP!=null && dosIP.exists()) { + BufferedReader br; + try { + br = new BufferedReader(new FileReader(dosIP)); + try { + if(deniedIP==null) { + deniedIP=new HashMap<>(); + } - String line; - while((line=br.readLine())!=null) { - deniedIP.put(line, new Counter(line)); - } - } finally { - br.close(); - } - } catch (IOException e) { - e.printStackTrace(System.err); - } - } - } + String line; + while((line=br.readLine())!=null) { + deniedIP.put(line, new Counter(line)); + } + } finally { + br.close(); + } + } catch (IOException e) { + e.printStackTrace(System.err); + } + } + } - /** - * Return of "True" means IP has was removed. - * Return of "False" means IP wasn't being denied. - * - * @param ip - * @return - */ - public static synchronized boolean removeDenyIP(String ip) { - if(deniedIP!=null && deniedIP.remove(ip)!=null) { - writeIP(); - if(deniedIP.isEmpty()) { - deniedIP=null; - } - return true; - } - return false; - } + /** + * Return of "True" means IP has was removed. + * Return of "False" means IP wasn't being denied. 
+ * + * @param ip + * @return + */ + public static synchronized boolean removeDenyIP(String ip) { + if(deniedIP!=null && deniedIP.remove(ip)!=null) { + writeIP(); + if(deniedIP.isEmpty()) { + deniedIP=null; + } + return true; + } + return false; + } - /** - * Return of "True" means ID has been added. - * Return of "False" means ID already added. - * - * @param ip - * @return - */ - public static synchronized boolean denyID(String id) { - boolean rv = false; - if(deniedID==null) { - deniedID = new HashMap<>(); - deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent - rv = true; - } else if(deniedID.get(id)==null) { - deniedID.put(id, new Counter(id)); - rv = true; - } - if(rv) { - writeID(); - } - return rv; + /** + * Return of "True" means ID has been added. + * Return of "False" means ID already added. + * + * @param ip + * @return + */ + public static synchronized boolean denyID(String id) { + boolean rv = false; + if(deniedID==null) { + deniedID = new HashMap<>(); + deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent + rv = true; + } else if(deniedID.get(id)==null) { + deniedID.put(id, new Counter(id)); + rv = true; + } + if(rv) { + writeID(); + } + return rv; - } + } - private static void writeID() { - if(dosID!=null && deniedID!=null) { - if(deniedID.isEmpty()) { - if(dosID.exists()) { - dosID.delete(); - } - } else { - PrintStream fos; - try { - fos = new PrintStream(new FileOutputStream(dosID,false)); - try { - for(String ip: deniedID.keySet()) { - fos.println(ip); - } - } finally { - fos.close(); - } - } catch (IOException e) { - e.printStackTrace(System.err); - } - } - } - } + private static void writeID() { + if(dosID!=null && deniedID!=null) { + if(deniedID.isEmpty()) { + if(dosID.exists()) { + dosID.delete(); + } + } else { + PrintStream fos; + try { + fos = new PrintStream(new FileOutputStream(dosID,false)); + try { + for(String ip: deniedID.keySet()) { + fos.println(ip); + } + } finally { + 
fos.close(); + } + } catch (IOException e) { + e.printStackTrace(System.err); + } + } + } + } - private static void readID() { - if(dosID!=null && dosID.exists()) { - BufferedReader br; - try { - br = new BufferedReader(new FileReader(dosID)); - try { - if(deniedID==null) { - deniedID=new HashMap<>(); - } - - String line; - while((line=br.readLine())!=null) { - deniedID.put(line, new Counter(line)); - } - } finally { - br.close(); - } - } catch (IOException e) { - e.printStackTrace(System.err); - } - } - } + private static void readID() { + if(dosID!=null && dosID.exists()) { + BufferedReader br; + try { + br = new BufferedReader(new FileReader(dosID)); + try { + if(deniedID==null) { + deniedID=new HashMap<>(); + } + + String line; + while((line=br.readLine())!=null) { + deniedID.put(line, new Counter(line)); + } + } finally { + br.close(); + } + } catch (IOException e) { + e.printStackTrace(System.err); + } + } + } - /** - * Return of "True" means ID has was removed. - * Return of "False" means ID wasn't being denied. - * - * @param ip - * @return - */ - public static synchronized boolean removeDenyID(String id) { - if(deniedID!=null && deniedID.remove(id)!=null) { - writeID(); - if(deniedID.isEmpty()) { - deniedID=null; - } + /** + * Return of "True" means ID has was removed. + * Return of "False" means ID wasn't being denied. 
+ *
+ * @param ip
+ * @return
+ */
+ public static synchronized boolean removeDenyID(String id) {
+ if(deniedID!=null && deniedID.remove(id)!=null) {
+ writeID();
+ if(deniedID.isEmpty()) {
+ deniedID=null;
+ }
- return true;
- }
- return false;
- }
-
- public List report() {
- int initSize = 0;
- if(deniedIP!=null)initSize+=deniedIP.size();
- if(deniedID!=null)initSize+=deniedID.size();
- ArrayList al = new ArrayList<>(initSize);
- if(deniedID!=null) {
- for(Counter c : deniedID.values()) {
- al.add(c.toString());
- }
- }
- if(deniedIP!=null) {
- for(Counter c : deniedIP.values()) {
- al.add(c.toString());
- }
- }
- return al;
- }
-
- public static class Counter {
- private final String name;
- private int count = 0;
- private Date first;
- private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
-
- public Counter(String name) {
- this.name = name;
- first = null;
- last = 0L;
- count = 0;
- }
-
- public String getName() {
- return name;
- }
-
- public int getCount() {
- return count;
- }
+ return true;
+ }
+ return false;
+ }
+
+ public List report() {
+ int initSize = 0;
+ if(deniedIP!=null)initSize+=deniedIP.size();
+ if(deniedID!=null)initSize+=deniedID.size();
+ ArrayList al = new ArrayList<>(initSize);
+ if(deniedID!=null) {
+ for(Counter c : deniedID.values()) {
+ al.add(c.toString());
+ }
+ }
+ if(deniedIP!=null) {
+ for(Counter c : deniedIP.values()) {
+ al.add(c.toString());
+ }
+ }
+ return al;
+ }
+
+ public static class Counter {
+ private final String name;
+ private int count = 0;
+ private Date first;
+ private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
+ + public Counter(String name) { + this.name = name; + first = null; + last = 0L; + count = 0; + } + + public String getName() { + return name; + } + + public int getCount() { + return count; + } - public long getLast() { - return last; - } - - /* - * Only allow Denial of ServiceTaf to increment - */ - private synchronized void inc() { - ++count; - last = System.currentTimeMillis(); - if(first==null) { - first = new Date(last); - } - } - - public String toString() { - if(count==0) - return name + " is on the denied list, but has not attempted Access"; - else - return - name + - " has been denied " + - count + - " times since " + - first + - ". Last denial was " + - new Date(last); - } - } + public long getLast() { + return last; + } + + /* + * Only allow Denial of ServiceTaf to increment + */ + private synchronized void inc() { + ++count; + last = System.currentTimeMillis(); + if(first==null) { + first = new Date(last); + } + } + + public String toString() { + if(count==0) + return name + " is on the denied list, but has not attempted Access"; + else + return + name + + " has been denied " + + count + + " times since " + + first + + ". Last denial was " + + new Date(last); + } + } - public static TafResp respDenyID(Access access, String identity) { - return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list"); - } - - public static TafResp respDenyIP(Access access, String ip) { - return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list"); - } + public static TafResp respDenyID(Access access, String identity) { + return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list"); + } + + public static TafResp respDenyIP(Access access, String ip) { + return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list"); + } } 
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
index e5a336f7..2fcd1553 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
@@ -27,29 +27,29 @@ import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.taf.AbsTafResp;
 public class DenialOfServiceTafResp extends AbsTafResp {
- private static final String tafName = DenialOfServiceTaf.class.getSimpleName();
-
- private RESP ect; // Homage to Arethra Franklin
-
- public DenialOfServiceTafResp(Access access, RESP resp, String description ) {
- super(access, tafName, null, description);
- ect = resp;
- }
-
- // Override base behavior of checking Principal and trying another TAF
- @Override
- public RESP isAuthenticated() {
- return ect;
- }
-
-
- public RESP authenticate() throws IOException {
- return ect;
- }
-
- @Override
- public String taf() {
- return "DOS";
- }
+ private static final String tafName = DenialOfServiceTaf.class.getSimpleName();
+
+ private RESP ect; // Homage to Arethra Franklin
+
+ public DenialOfServiceTafResp(Access access, RESP resp, String description ) {
+ super(access, tafName, null, description);
+ ect = resp;
+ }
+
+ // Override base behavior of checking Principal and trying another TAF
+ @Override
+ public RESP isAuthenticated() {
+ return ect;
+ }
+
+
+ public RESP authenticate() throws IOException {
+ return ect;
+ }
+
+ @Override
+ public String taf() {
+ return "DOS";
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java
index 74bf805d..70fabd82 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java
@@ -25,38 +25,38 @@ import java.io.File;
 import java.io.IOException;
 public interface Chmod {
- public void chmod(File f) throws IOException;
-
- public static final Chmod to755 = new Chmod() {
- public void chmod(File f) throws IOException {
- f.setExecutable(true, false);
- f.setExecutable(true, true);
- f.setReadable(true, false);
- f.setReadable(true, true);
- f.setWritable(false, false);
- f.setWritable(true, true);
- }
- };
+ public void chmod(File f) throws IOException;
+
+ public static final Chmod to755 = new Chmod() {
+ public void chmod(File f) throws IOException {
+ f.setExecutable(true, false);
+ f.setExecutable(true, true);
+ f.setReadable(true, false);
+ f.setReadable(true, true);
+ f.setWritable(false, false);
+ f.setWritable(true, true);
+ }
+ };
- public static final Chmod to644 = new Chmod() {
- public void chmod(File f) throws IOException {
- f.setExecutable(false, false);
- f.setExecutable(false, true);
- f.setReadable(true, false);
- f.setReadable(true, true);
- f.setWritable(false, false);
- f.setWritable(true, true);
- }
- };
+ public static final Chmod to644 = new Chmod() {
+ public void chmod(File f) throws IOException {
+ f.setExecutable(false, false);
+ f.setExecutable(false, true);
+ f.setReadable(true, false);
+ f.setReadable(true, true);
+ f.setWritable(false, false);
+ f.setWritable(true, true);
+ }
+ };
- public static final Chmod to400 = new Chmod() {
- public void chmod(File f) throws IOException {
- f.setExecutable(false, false);
- f.setExecutable(false, true);
- f.setReadable(false, false);
- f.setReadable(true, true);
- f.setWritable(false, false);
- f.setWritable(false, true);
- }
- };
+ public static final Chmod to400 = new Chmod() {
+ public void chmod(File f) throws IOException {
+ f.setExecutable(false, false);
+ f.setExecutable(false, true);
+ f.setReadable(false, false);
+ f.setReadable(true, true);
+ f.setWritable(false, false);
+ f.setWritable(false, true);
+ }
+ };
 }
\ No newline at end of file
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/FQI.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/FQI.java
index 4ea50a10..f0b8d38d 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/FQI.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/FQI.java
@@ -22,30 +22,30 @@ package org.onap.aaf.cadi.util;
 public class FQI {
- /**
- * Take a Fully Qualified User, and get a Namespace from it.
- * @param fqi
- * @return
- */
- public final static String reverseDomain(final String fqi) {
- StringBuilder sb = null;
- String[] split = Split.split('.',fqi);
- int at;
- for(int i=split.length-1;i>=0;--i) {
- if(sb == null) {
- sb = new StringBuilder();
- } else {
- sb.append('.');
- }
+ /**
+ * Take a Fully Qualified User, and get a Namespace from it.
+ * @param fqi
+ * @return
+ */
+ public final static String reverseDomain(final String fqi) {
+ StringBuilder sb = null;
+ String[] split = Split.split('.',fqi);
+ int at;
+ for(int i=split.length-1;i>=0;--i) {
+ if(sb == null) {
+ sb = new StringBuilder();
+ } else {
+ sb.append('.');
+ }
- if((at = split[i].indexOf('@'))>0) {
- sb.append(split[i].subSequence(at+1, split[i].length()));
- } else {
- sb.append(split[i]);
- }
- }
-
- return sb==null?"":sb.toString();
- }
+ if((at = split[i].indexOf('@'))>0) {
+ sb.append(split[i].subSequence(at+1, split[i].length()));
+ } else {
+ sb.append(split[i]);
+ }
+ }
+
+ return sb==null?"":sb.toString();
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java
index 7b04942f..7c3ac30d 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java
@@ -25,65 +25,65 @@ import java.io.IOException; import java.io.OutputStream; public class JsonOutputStream extends OutputStream { - private static final byte[] TWO_SPACE = " ".getBytes(); - private OutputStream os; - private boolean closeable; - private int indent = 0; - private int prev,ret=0; + private static final byte[] TWO_SPACE = " ".getBytes(); + private OutputStream os; + private boolean closeable; + private int indent = 0; + private int prev,ret=0; - public JsonOutputStream(OutputStream os) { - // Don't close these, or dire consequences. - closeable = !os.equals(System.out) && !os.equals(System.err); - this.os = os; - } + public JsonOutputStream(OutputStream os) { + // Don't close these, or dire consequences. + closeable = !os.equals(System.out) && !os.equals(System.err); + this.os = os; + } - @Override - public void write(int b) throws IOException { - if(ret=='\n') { - ret = 0; - if(prev!=',' || (b!='{' && b!='[')) { - os.write('\n'); - for(int i=0;i=0?slash:str.length(); - int bits = slash>=0?Integer.parseInt(str.substring(slash+1)):32; - if(check && bits>32) { - throw new MaskFormatException("Invalid Mask Offset in IPV4 Address"); - } - int prev = 0; - long lbyte; - while(prev255 || lbyte<0)) { - throw new MaskFormatException("Invalid Byte in IPV4 Address"); - } - rv|=lbyte<>bits; - } - return rv; - } + if(idx<0) { // Not IPV6, so it's IPV4... Is there a mask of 123/254? + idx=str.indexOf('.'); + int offset = 24; + int end = slash>=0?slash:str.length(); + int bits = slash>=0?Integer.parseInt(str.substring(slash+1)):32; + if(check && bits>32) { + throw new MaskFormatException("Invalid Mask Offset in IPV4 Address"); + } + int prev = 0; + long lbyte; + while(prev255 || lbyte<0)) { + throw new MaskFormatException("Invalid Byte in IPV4 Address"); + } + rv|=lbyte<>bits; + } + return rv; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Pool.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Pool.java index 7cd7a633..156397b6 100644 
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Pool.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Pool.java
@@ -61,322 +61,322 @@ import org.onap.aaf.cadi.CadiException;
 * @param
 */
 public class Pool {
- /**
- * This is a constant which specified the default maximum number of unused
- * objects to be held at any given time.
- */
- private static final int MAX_RANGE = 6; // safety
+ /**
+ * This is a constant which specified the default maximum number of unused
+ * objects to be held at any given time.
+ */
+ private static final int MAX_RANGE = 6; // safety
- /**
- * only Simple List needed.
- *
- * NOTE TO MAINTAINERS: THIS OBJECT DOES IT'S OWN SYNCHRONIZATION. All
- * changes that touch list must account for correctly synchronizing list.
- */
- private LinkedList> list;
+ /**
+ * only Simple List needed.
+ *
+ * NOTE TO MAINTAINERS: THIS OBJECT DOES IT'S OWN SYNCHRONIZATION. All
+ * changes that touch list must account for correctly synchronizing list.
+ */
+ private LinkedList> list;
- /**
- * keep track of how many elements exist, to avoid asking list.
- */
- private int count;
+ /**
+ * keep track of how many elements exist, to avoid asking list.
+ */
+ private int count;
- /**
- * Spares are those Object that are primed and ready to go.
- */
- private int spares;
+ /**
+ * Spares are those Object that are primed and ready to go.
+ */
+ private int spares;
- /**
- * Actual MAX number of spares allowed to hang around. Can be set to
- * something besides the default MAX_RANGE.
- */
- private int max_range = MAX_RANGE;
+ /**
+ * Actual MAX number of spares allowed to hang around. Can be set to
+ * something besides the default MAX_RANGE.
+ */
+ private int max_range = MAX_RANGE;
- /**
- * The Creator for this particular pool. It must work for type T.
- */
- private Creator creator;
+ /**
+ * The Creator for this particular pool. It must work for type T.
+ */
+ private Creator creator;
- private Log logger;
+ private Log logger;
- /**
- * Create a new Pool, given the implementation of Creator, which must be
- * able to create/destroy T objects at will.
- *
- * @param creator
- */
- public Pool(Creator creator) {
- count = spares = 0;
- this.creator = creator;
- list = new LinkedList<>();
- logger = Log.NULL;
- }
-
- /**
- * Attach Pool Logging activities to any other Logging Mechanism.
- * @param logger
- */
- public void setLogger(Log logger) {
- this.logger = logger;
- }
-
- public void log(Object ...objects) {
- logger.log(objects);
- }
+ /**
+ * Create a new Pool, given the implementation of Creator, which must be
+ * able to create/destroy T objects at will.
+ *
+ * @param creator
+ */
+ public Pool(Creator creator) {
+ count = spares = 0;
+ this.creator = creator;
+ list = new LinkedList<>();
+ logger = Log.NULL;
+ }
+
+ /**
+ * Attach Pool Logging activities to any other Logging Mechanism.
+ * @param logger
+ */
+ public void setLogger(Log logger) {
+ this.logger = logger;
+ }
+
+ public void log(Object ...objects) {
+ logger.log(objects);
+ }
- /**
- * Preallocate a certain number of T Objects. Useful for services so that
- * the first transactions don't get hit with all the Object creation costs
- *
- * @param lt
- * @param prime
- * @throws CadiException
- */
- public void prime(int prime) throws CadiException {
- for (int i = 0; i < prime; ++i) {
- Pooled pt = new Pooled(creator.create(), this);
- synchronized (list) {
- list.addFirst(pt);
- ++count;
- }
- }
+ /**
+ * Preallocate a certain number of T Objects. Useful for services so that
+ * the first transactions don't get hit with all the Object creation costs
+ *
+ * @param lt
+ * @param prime
+ * @throws CadiException
+ */
+ public void prime(int prime) throws CadiException {
+ for (int i = 0; i < prime; ++i) {
+ Pooled pt = new Pooled(creator.create(), this);
+ synchronized (list) {
+ list.addFirst(pt);
+ ++count;
+ }
+ }
- }
+ }
- /**
- * Destroy and remove all remaining objects. This is valuable for closing
- * down all Allocated objects cleanly for exiting.
It is also a good method - * for removing objects when, for instance, all Objects are invalid because - * of broken connections, etc. - */ - public void drain() { - synchronized (list) { - for (int i = 0; i < list.size(); ++i) { - Pooled pt = list.remove(); - creator.destroy(pt.content); - logger.log("Pool drained ", creator.toString()); - } - count = spares = 0; - } + /** + * Destroy and remove all remaining objects. This is valuable for closing + * down all Allocated objects cleanly for exiting. It is also a good method + * for removing objects when, for instance, all Objects are invalid because + * of broken connections, etc. + */ + public void drain() { + synchronized (list) { + for (int i = 0; i < list.size(); ++i) { + Pooled pt = list.remove(); + creator.destroy(pt.content); + logger.log("Pool drained ", creator.toString()); + } + count = spares = 0; + } - } + } - /** - * This is the essential function for Pool. Get an Object "T" inside a - * "Pooled" object. If there is a spare Object, then use it. If not, then - * create and pass back. - * - * This one uses a Null LogTarget - * - * IMPORTANT: When the use of this object is done (and the object is still - * in a valid state), then "done()" should be called immediately to allow - * the object to be reused. That is the point of the Pool... - * - * If the Object is in an invalid state, then "toss()" should be used so the - * Pool doesn't pass on invalid objects to others. - * - * @param lt - * @return - * @throws CadiException - */ - public Pooled get() throws CadiException { - Pooled pt; - synchronized (list) { - if (list.isEmpty()) { - pt = null; - } else { - pt = list.removeLast(); - --count; - creator.reuse(pt.content); - } - } - if (pt == null) { - if (spares < max_range) - ++spares; - pt = new Pooled(creator.create(), this); - } else { - if (spares > 1) - --spares; - } - return pt; - } + /** + * This is the essential function for Pool. Get an Object "T" inside a + * "Pooled" object. 
If there is a spare Object, then use it. If not, then + * create and pass back. + * + * This one uses a Null LogTarget + * + * IMPORTANT: When the use of this object is done (and the object is still + * in a valid state), then "done()" should be called immediately to allow + * the object to be reused. That is the point of the Pool... + * + * If the Object is in an invalid state, then "toss()" should be used so the + * Pool doesn't pass on invalid objects to others. + * + * @param lt + * @return + * @throws CadiException + */ + public Pooled get() throws CadiException { + Pooled pt; + synchronized (list) { + if (list.isEmpty()) { + pt = null; + } else { + pt = list.removeLast(); + --count; + creator.reuse(pt.content); + } + } + if (pt == null) { + if (spares < max_range) + ++spares; + pt = new Pooled(creator.create(), this); + } else { + if (spares > 1) + --spares; + } + return pt; + } - /** - * This function will validate whether the Objects are still in a usable - * state. If not, they are tossed from the Pool. This is valuable to have - * when Remote Connections go down, and there is a question on whether the - * Pooled Objects are still functional. - * - * @return - */ - public boolean validate() { - boolean rv = true; - synchronized (list) { - for (Iterator> iter = list.iterator(); iter.hasNext();) { - Pooled t = iter.next(); - if (!creator.isValid(t.content)) { - rv = false; - t.toss(); - iter.remove(); - } - } - } - return rv; - } + /** + * This function will validate whether the Objects are still in a usable + * state. If not, they are tossed from the Pool. This is valuable to have + * when Remote Connections go down, and there is a question on whether the + * Pooled Objects are still functional. 
+ * + * @return + */ + public boolean validate() { + boolean rv = true; + synchronized (list) { + for (Iterator> iter = list.iterator(); iter.hasNext();) { + Pooled t = iter.next(); + if (!creator.isValid(t.content)) { + rv = false; + t.toss(); + iter.remove(); + } + } + } + return rv; + } - /** - * This is an internal method, used only by the Internal Pooled class. - * - * The Pooled class "offers" it's Object back after use. It is an - * "offer", because Pool will simply destroy and remove the object if it has - * more than enough spares. - * - * @param lt - * @param used - * @return - */ - // Used only by Pooled - private boolean offer(Pooled used) { - if (count < spares) { - synchronized (list) { - list.addFirst(used); - ++count; - } - logger.log("Pool recovered ", creator); - } else { - logger.log("Pool destroyed ", creator); - creator.destroy(used.content); - } - return false; - } + /** + * This is an internal method, used only by the Internal Pooled class. + * + * The Pooled class "offers" it's Object back after use. It is an + * "offer", because Pool will simply destroy and remove the object if it has + * more than enough spares. + * + * @param lt + * @param used + * @return + */ + // Used only by Pooled + private boolean offer(Pooled used) { + if (count < spares) { + synchronized (list) { + list.addFirst(used); + ++count; + } + logger.log("Pool recovered ", creator); + } else { + logger.log("Pool destroyed ", creator); + creator.destroy(used.content); + } + return false; + } - /** - * The Creator Interface give the Pool the ability to Create, Destroy and - * Validate the Objects it is maintaining. Thus, it is a specially written - * Implementation for each type. - * - * @author Jonathan - * - * @param - */ - public interface Creator { - public T create() throws CadiException; + /** + * The Creator Interface give the Pool the ability to Create, Destroy and + * Validate the Objects it is maintaining. 
Thus, it is a specially written + * Implementation for each type. + * + * @author Jonathan + * + * @param + */ + public interface Creator { + public T create() throws CadiException; - public void destroy(T t); + public void destroy(T t); - public boolean isValid(T t); + public boolean isValid(T t); - public void reuse(T t); - } + public void reuse(T t); + } - public interface Log { - public void log(Object ... o); - - public final static Log NULL = new Log() { - @Override - public void log(Object ... o) { - } - }; - } - /** - * The "Pooled" class is the transient class that wraps the actual Object - * T for API use/ It gives the ability to return ("done()", or "toss()") the - * Object to the Pool when processing is finished. - * - * For Safety, i.e. to avoid memory leaks and invalid Object States, there - * is a "finalize" method. It is strictly for when coder forgets to return - * the object, or perhaps hasn't covered the case during Exceptions or - * Runtime Exceptions with finally (preferred). This should not be - * considered normal procedure, as finalize() is called at an undetermined - * time during garbage collection, and is thus rather useless for a Pool. - * However, we don't want Coding Mistakes to put the whole program in an - * invalid state, so if something happened such that "done()" or "toss()" - * were not called, the resource is still cleaned up as well as possible. - * - * @author Jonathan - * - * @param - */ - public static class Pooled { - public final T content; - private Pool pool; + public interface Log { + public void log(Object ... o); + + public final static Log NULL = new Log() { + @Override + public void log(Object ... o) { + } + }; + } + /** + * The "Pooled" class is the transient class that wraps the actual Object + * T for API use/ It gives the ability to return ("done()", or "toss()") the + * Object to the Pool when processing is finished. + * + * For Safety, i.e. 
to avoid memory leaks and invalid Object States, there + * is a "finalize" method. It is strictly for when coder forgets to return + * the object, or perhaps hasn't covered the case during Exceptions or + * Runtime Exceptions with finally (preferred). This should not be + * considered normal procedure, as finalize() is called at an undetermined + * time during garbage collection, and is thus rather useless for a Pool. + * However, we don't want Coding Mistakes to put the whole program in an + * invalid state, so if something happened such that "done()" or "toss()" + * were not called, the resource is still cleaned up as well as possible. + * + * @author Jonathan + * + * @param + */ + public static class Pooled { + public final T content; + private Pool pool; - /** - * Create the Wrapping Object Pooled. - * - * @param t - * @param pool - * @param logTarget - */ - public Pooled(T t, Pool pool) { - content = t; - this.pool = pool; + /** + * Create the Wrapping Object Pooled. + * + * @param t + * @param pool + * @param logTarget + */ + public Pooled(T t, Pool pool) { + content = t; + this.pool = pool; - } + } - /** - * This is the key API for the Pool, as calling "done()" offers this - * object back to the Pool for reuse. - * - * Do not use the Pooled object again after calling "done()". - */ - public void done() { - if (pool != null) { - pool.offer(this); - } - } + /** + * This is the key API for the Pool, as calling "done()" offers this + * object back to the Pool for reuse. + * + * Do not use the Pooled object again after calling "done()". + */ + public void done() { + if (pool != null) { + pool.offer(this); + } + } - /** - * The user of the Object may discover that the Object t is no longer in - * a valid state. Don't put Garbage back in the Refrigerator... Toss it, - * if it's no longer valid. - * - * toss() is also used for draining the Pool, etc. - * - * toss() will attempt to destroy the Object by using the Creator - * Interface. 
- * - */ - public void toss() { - if (pool != null) { - pool.creator.destroy(content); - } - // Don't allow finalize to put it back in. - pool = null; - } + /** + * The user of the Object may discover that the Object t is no longer in + * a valid state. Don't put Garbage back in the Refrigerator... Toss it, + * if it's no longer valid. + * + * toss() is also used for draining the Pool, etc. + * + * toss() will attempt to destroy the Object by using the Creator + * Interface. + * + */ + public void toss() { + if (pool != null) { + pool.creator.destroy(content); + } + // Don't allow finalize to put it back in. + pool = null; + } - /** - * Just in case someone neglected to offer back object... Do not rely on - * this, as there is no specific time when finalize is called, which - * rather defeats the purpose of a Pool. - */ - @Override - protected void finalize() throws Throwable { - if (pool != null) { - done(); - pool = null; - } - } - } + /** + * Just in case someone neglected to offer back object... Do not rely on + * this, as there is no specific time when finalize is called, which + * rather defeats the purpose of a Pool. + */ + @Override + protected void finalize() throws Throwable { + if (pool != null) { + done(); + pool = null; + } + } + } - /** - * Get the maximum number of spare objects allowed at any moment - * - * @return - */ - public int getMaxRange() { - return max_range; - } + /** + * Get the maximum number of spare objects allowed at any moment + * + * @return + */ + public int getMaxRange() { + return max_range; + } - /** - * Set a Max Range for numbers of spare objects waiting to be used. - * - * No negative numbers are allowed - * - * @return - */ - public void setMaxRange(int max_range) { - // Do not allow negative numbers - this.max_range = Math.max(0, max_range); - } + /** + * Set a Max Range for numbers of spare objects waiting to be used. 
+ * + * No negative numbers are allowed + * + * @return + */ + public void setMaxRange(int max_range) { + // Do not allow negative numbers + this.max_range = Math.max(0, max_range); + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Split.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Split.java index 3fa9a3f1..a2c76967 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Split.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Split.java @@ -31,84 +31,84 @@ package org.onap.aaf.cadi.util; */ public class Split { - public static String[] split(char c, String value) { - return split(c,value,0,value.length()); - } + public static String[] split(char c, String value) { + return split(c,value,0,value.length()); + } - public static String[] split(char c, String value, int start, int end) { - if(value==null) { - return new String[0]; - } + public static String[] split(char c, String value, int start, int end) { + if(value==null) { + return new String[0]; + } - // Count items to preallocate Array (memory alloc is more expensive than counting twice) - int count,idx; - for(count=1,idx=value.indexOf(c,start);idx>=0 && idx=0 && idx=0 && idx=0 && idx=0 && idx=0 && idx=0 && idx=0 && idx=0 && count0) { - rv[++count]=value.substring(last,idx).trim(); - } else { - rv[++count]=value.substring(last).trim(); - } - } - return rv; - } + int idx; + String[] rv = new String[size]; + if(size==1) { + rv[0]=value.trim(); + } else { + int last=0; + int count=-1; + size-=2; + for(idx=value.indexOf(c);idx>=0 && count0) { + rv[++count]=value.substring(last,idx).trim(); + } else { + rv[++count]=value.substring(last).trim(); + } + } + return rv; + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java index b7dd0148..5cab15f6 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java 
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java 
@@ -27,44 +27,44 @@ import java.io.InputStreamReader;
 // Substandard, because System.in doesn't do Passwords..
 public class SubStandardConsole implements MyConsole {
- private final static char[] BLANK = new char[0];
- private final BufferedReader br;
+ private final static char[] BLANK = new char[0];
+ private final BufferedReader br;
- public SubStandardConsole() {
- br = new BufferedReader(new InputStreamReader(System.in));
- }
-
- @Override
- public String readLine(String fmt, Object... args) {
- String rv;
- try {
- System.out.printf(fmt,args);
- rv = br.readLine();
- if(args.length==1 && rv.length()==0) {
- rv = args[0].toString();
- }
- } catch (IOException e) {
- System.err.println("uh oh...");
- rv = "";
- }
- return rv;
- }
+ public SubStandardConsole() {
+ br = new BufferedReader(new InputStreamReader(System.in));
+ }
+
+ @Override
+ public String readLine(String fmt, Object... args) {
+ String rv;
+ try {
+ System.out.printf(fmt,args);
+ rv = br.readLine();
+ if(args.length==1 && rv.length()==0) {
+ rv = args[0].toString();
+ }
+ } catch (IOException e) {
+ System.err.println("uh oh...");
+ rv = "";
+ }
+ return rv;
+ }
- @Override
- public char[] readPassword(String fmt, Object... args) {
- try {
- System.out.printf(fmt,args);
- String response = br.readLine();
- return response==null?BLANK:response.toCharArray();
+ @Override
+ public char[] readPassword(String fmt, Object... args) {
+ try {
+ System.out.printf(fmt,args);
+ String response = br.readLine();
+ return response==null?BLANK:response.toCharArray();
- } catch (IOException e) {
- System.err.println("uh oh...");
- return BLANK;
- }
- }
+ } catch (IOException e) {
+ System.err.println("uh oh...");
+ return BLANK;
+ }
+ }
- @Override
- public void printf(String fmt, Object... args) {
- System.out.printf(fmt, args);
- }
+ @Override
+ public void printf(String fmt, Object... args) {
+ System.out.printf(fmt, args);
+ }
 }
\ No newline at end of file
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java
index 4c5d35b7..9ddd0626 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java
@@ -22,26 +22,26 @@ package org.onap.aaf.cadi.util;
 public class TheConsole implements MyConsole {
- @Override
- public String readLine(String fmt, Object... args) {
- String rv = System.console().readLine(fmt, args);
- if(args.length>0 && args[0]!=null && rv.length()==0) {
- rv = args[0].toString();
- }
- return rv;
- }
+ @Override
+ public String readLine(String fmt, Object... args) {
+ String rv = System.console().readLine(fmt, args);
+ if(args.length>0 && args[0]!=null && rv.length()==0) {
+ rv = args[0].toString();
+ }
+ return rv;
+ }
- @Override
- public char[] readPassword(String fmt, Object... args) {
- return System.console().readPassword(fmt, args);
- }
-
- public static boolean implemented() {
- return System.console()!=null;
- }
+ @Override
+ public char[] readPassword(String fmt, Object... args) {
+ return System.console().readPassword(fmt, args);
+ }
+
+ public static boolean implemented() {
+ return System.console()!=null;
+ }
- @Override
- public void printf(String fmt, Object... args) {
- System.console().printf(fmt, args);
- }
+ @Override
+ public void printf(String fmt, Object... args) {
+ System.console().printf(fmt, args);
+ }
 }
\ No newline at end of file
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Timing.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Timing.java
index 82bd389a..529849de 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Timing.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Timing.java
@@ -21,7 +21,7 @@ package org.onap.aaf.cadi.util;
 public class Timing {
- public static float millis(final long start) {
- return (System.nanoTime() - start) / 1000000f;
- }
+ public static float millis(final long start) {
+ return (System.nanoTime() - start) / 1000000f;
+ }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java
index a8c0690f..ff74f39c 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java
@@ -24,54 +24,54 @@ package org.onap.aaf.cadi.util; import org.onap.aaf.cadi.UserChain; public class UserChainManip { - /** - Build an element in the correct format for UserChain. - Format:::[:AS][,::]* - @see UserChain - */ - public static StringBuilder build(StringBuilder sb, String app, String id, UserChain.Protocol proto, boolean as) { - boolean mayAs; - if(!(mayAs=sb.length()==0)) { - sb.append(','); - } - sb.append(app); - sb.append(':'); - sb.append(id); - sb.append(':'); - sb.append(proto.name()); - if(as && mayAs) { - sb.append(":AS"); - } - return sb; - } - - public static String idToNS(String id) { - if(id==null) { - return ""; - } else { - StringBuilder sb = new StringBuilder(); - char c; - int end; - boolean first = true; - for(int idx = end = id.length()-1;idx>=0;--idx) { - if((c = id.charAt(idx))=='@' || c=='.') { - if(idx::[:AS][,::]* + @see UserChain + */ + public static StringBuilder build(StringBuilder sb, String app, String id, UserChain.Protocol proto, boolean as) { + boolean mayAs; + if(!(mayAs=sb.length()==0)) { + sb.append(','); + } + sb.append(app); + sb.append(':'); + sb.append(id); + sb.append(':'); + sb.append(proto.name()); + if(as && mayAs) { + sb.append(":AS"); + } + return sb; + } + + public static String idToNS(String id) { + if(id==null) { + return ""; + } else { + StringBuilder sb = new StringBuilder(); + char c; + int end; + boolean first = true; + for(int idx = end = id.length()-1;idx>=0;--idx) { + if((c = id.charAt(idx))=='@' || c=='.') { + if(idx vars) { - String[] array = new String[vars.size()]; - StringBuilder sb = new StringBuilder(); - convert(sb,text,vars.toArray(array)); - return sb.toString(); - } - /** - * Convert a format string with "%s" into AT&T RESTful Error %1 %2 (number) format - * If "holder" is passed in, it is built with full Message extracted (typically for Logging) - * @param holder - * @param text - * @param vars - * @return - */ - public static String convert(final StringBuilder holder, final String 
text, final String ... vars) { - StringBuilder sb = null; - int idx,index=0,prev = 0; - - if(text.contains("%s")) { - sb = new StringBuilder(); - } - - StringBuilder[] sbs = new StringBuilder[] {sb,holder}; - boolean replace, clearIndex = false; - int c; - while((idx=text.indexOf('%',prev))>=0) { - replace = false; - if(clearIndex) { - index=0; - } - if(sb!=null) { - sb.append(text,prev,idx); - } - if(holder!=null) { - holder.append(text,prev,idx); - } - - boolean go = true; - while(go) { - if(text.length()>++idx) { - switch(c=text.charAt(idx)) { - case '0': case '1': case '2': case '3': case '4': - case '5': case '6': case '7': case '8': case '9': - index *=10; - index +=(c-'0'); - clearIndex=replace=true; - continue; - case 's': - ++index; - replace = true; - continue; - default: - break; - } - } - prev = idx; - go=false; - if(replace) { - if(sb!=null) { - sb.append('%'); - sb.append(index); - } - if(index<=vars.length) { - if(holder!=null) { - holder.append(vars[index-1]); - } - } - } else { - for(StringBuilder s : sbs) { - if(s!=null) { - s.append("%"); - } - } - } - } - } - - if(sb!=null) { - sb.append(text,prev,text.length()); - } - if(holder!=null) { - holder.append(text,prev,text.length()); - } + /** + * Simplified Conversion based on typical use of getting AT&T style RESTful Error Messages + * @param text + * @param vars + * @return + */ + public static String convert(final String text, final List vars) { + String[] array = new String[vars.size()]; + StringBuilder sb = new StringBuilder(); + convert(sb,text,vars.toArray(array)); + return sb.toString(); + } + /** + * Convert a format string with "%s" into AT&T RESTful Error %1 %2 (number) format + * If "holder" is passed in, it is built with full Message extracted (typically for Logging) + * @param holder + * @param text + * @param vars + * @return + */ + public static String convert(final StringBuilder holder, final String text, final String ... 
vars) { + StringBuilder sb = null; + int idx,index=0,prev = 0; + + if(text.contains("%s")) { + sb = new StringBuilder(); + } + + StringBuilder[] sbs = new StringBuilder[] {sb,holder}; + boolean replace, clearIndex = false; + int c; + while((idx=text.indexOf('%',prev))>=0) { + replace = false; + if(clearIndex) { + index=0; + } + if(sb!=null) { + sb.append(text,prev,idx); + } + if(holder!=null) { + holder.append(text,prev,idx); + } + + boolean go = true; + while(go) { + if(text.length()>++idx) { + switch(c=text.charAt(idx)) { + case '0': case '1': case '2': case '3': case '4': + case '5': case '6': case '7': case '8': case '9': + index *=10; + index +=(c-'0'); + clearIndex=replace=true; + continue; + case 's': + ++index; + replace = true; + continue; + default: + break; + } + } + prev = idx; + go=false; + if(replace) { + if(sb!=null) { + sb.append('%'); + sb.append(index); + } + if(index<=vars.length) { + if(holder!=null) { + holder.append(vars[index-1]); + } + } + } else { + for(StringBuilder s : sbs) { + if(s!=null) { + s.append("%"); + } + } + } + } + } + + if(sb!=null) { + sb.append(text,prev,text.length()); + } + if(holder!=null) { + holder.append(text,prev,text.length()); + } - return sb==null?text:sb.toString(); - } + return sb==null?text:sb.toString(); + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java index dff18acd..ebcfa9f7 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java @@ -33,5 +33,5 @@ package org.onap.aaf.cadi.wsse; * @param */ interface Action { - public boolean content(OUTPUT output, String text); + public boolean content(OUTPUT output, String text); } \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java index 2582bc17..38322307 100644 
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java 
@@ -44,87 +44,87 @@ import javax.xml.stream.events.XMLEvent; */ //@SuppressWarnings("restriction") public class Match { - private QName qname; - private Match[] next; - private Match prev; - private Action action = null; - private boolean stopAfter; - private boolean exclusive; - + private QName qname; + private Match[] next; + private Match prev; + private Action action = null; + private boolean stopAfter; + private boolean exclusive; + - @SafeVarargs - public Match(String ns, String name, Match ... next) { - this.qname = new QName(ns,name); - this.next = next; - stopAfter = exclusive = false; - for(Match m : next) { // add the possible tags to look for - if(!m.stopAfter)m.prev = this; - } - } - - public Match onMatch(OUTPUT output, XReader reader) throws XMLStreamException { - while(reader.hasNext()) { - XEvent event = reader.nextEvent(); - switch(event.getEventType()) { - case XMLEvent.START_ELEMENT: - QName e_qname = event.asStartElement().getName(); - //System.out.println("Start - " + e_qname); - boolean match = false; - for(Match m : next) { - if(e_qname.equals(m.qname)) { - match=true; - if(m.onMatch(output, reader)==null) { - return null; // short circuit Parsing - } - break; - } - } - if(exclusive && !match) // When Tag MUST be present, i.e. the Root Tag, versus info we're not interested in - return null; - break; - case XMLEvent.CHARACTERS: - //System.out.println("Data - " +event.asCharacters().getData()); - if(action!=null) { - if(!action.content(output,event.asCharacters().getData())) { - return null; - } - } - break; - case XMLEvent.END_ELEMENT: - //System.out.println("End - " + event.asEndElement().getName()); - if(event.asEndElement().getName().equals(qname)) { - return prev; - } - break; - case XMLEvent.END_DOCUMENT: - return null; // Exit Chain - } - } - return this; - } + @SafeVarargs + public Match(String ns, String name, Match ... 
next) { + this.qname = new QName(ns,name); + this.next = next; + stopAfter = exclusive = false; + for(Match m : next) { // add the possible tags to look for + if(!m.stopAfter)m.prev = this; + } + } + + public Match onMatch(OUTPUT output, XReader reader) throws XMLStreamException { + while(reader.hasNext()) { + XEvent event = reader.nextEvent(); + switch(event.getEventType()) { + case XMLEvent.START_ELEMENT: + QName e_qname = event.asStartElement().getName(); + //System.out.println("Start - " + e_qname); + boolean match = false; + for(Match m : next) { + if(e_qname.equals(m.qname)) { + match=true; + if(m.onMatch(output, reader)==null) { + return null; // short circuit Parsing + } + break; + } + } + if(exclusive && !match) // When Tag MUST be present, i.e. the Root Tag, versus info we're not interested in + return null; + break; + case XMLEvent.CHARACTERS: + //System.out.println("Data - " +event.asCharacters().getData()); + if(action!=null) { + if(!action.content(output,event.asCharacters().getData())) { + return null; + } + } + break; + case XMLEvent.END_ELEMENT: + //System.out.println("End - " + event.asEndElement().getName()); + if(event.asEndElement().getName().equals(qname)) { + return prev; + } + break; + case XMLEvent.END_DOCUMENT: + return null; // Exit Chain + } + } + return this; + } - /** - * When this Matched Tag has completed, Stop parsing and end - * @return - */ - public Match stopAfter() { - stopAfter = true; - return this; - } - - /** - * Mark that this Object MUST be matched at this level or stop parsing and end - * - * @param action - * @return - */ - public Match exclusive() { - exclusive = true; - return this; - } + /** + * When this Matched Tag has completed, Stop parsing and end + * @return + */ + public Match stopAfter() { + stopAfter = true; + return this; + } + + /** + * Mark that this Object MUST be matched at this level or stop parsing and end + * + * @param action + * @return + */ + public Match exclusive() { + exclusive = true; + return 
this; + } - public Match set(Action action) { - this.action = action; - return this; - } + public Match set(Action action) { + this.action = action; + return this; + } } \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java index 017337b1..787f1b4b 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java 
@@ -42,42 +42,42 @@ import org.onap.aaf.cadi.BasicCred; * @author Jonathan */ public class WSSEParser { - private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"; - private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; - private Match parseTree; + private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"; + private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; + private Match parseTree; - public WSSEParser() { - // soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/[wsse:Password&wsse:Username] - parseTree = new Match(SOAP_NS,"root", // need a root level to start from... Doesn't matter what the tag is - new Match(SOAP_NS,"Envelope", - new Match(SOAP_NS,"Header", - new Match(WSSE_NS,"Security", - new Match(WSSE_NS,"UsernameToken", - new Match(WSSE_NS,"Password").set(new Action() { - public boolean content(BasicCred bc,String text) { - bc.setCred(text.getBytes()); - return true; - } - }), - new Match(WSSE_NS,"Username").set(new Action() { - public boolean content(BasicCred bc,String text) { - bc.setUser(text); - return true; - } - }) - ).stopAfter() // if found, end when UsernameToken ends (no further processing needed) - ) - ).stopAfter() // Stop Processing when Header Ends - ).exclusive()// Envelope must match Header, and no other. FYI, Body comes after Header short circuits (see above), so it's ok - ).exclusive(); // root must be Envelope - } - - public XMLStreamException parse(BasicCred bc, InputStream is) { - try { - parseTree.onMatch(bc, new XReader(is)); - return null; - } catch (XMLStreamException e) { - return e; - } - } + public WSSEParser() { + // soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/[wsse:Password&wsse:Username] + parseTree = new Match(SOAP_NS,"root", // need a root level to start from... 
Doesn't matter what the tag is + new Match(SOAP_NS,"Envelope", + new Match(SOAP_NS,"Header", + new Match(WSSE_NS,"Security", + new Match(WSSE_NS,"UsernameToken", + new Match(WSSE_NS,"Password").set(new Action() { + public boolean content(BasicCred bc,String text) { + bc.setCred(text.getBytes()); + return true; + } + }), + new Match(WSSE_NS,"Username").set(new Action() { + public boolean content(BasicCred bc,String text) { + bc.setUser(text); + return true; + } + }) + ).stopAfter() // if found, end when UsernameToken ends (no further processing needed) + ) + ).stopAfter() // Stop Processing when Header Ends + ).exclusive()// Envelope must match Header, and no other. FYI, Body comes after Header short circuits (see above), so it's ok + ).exclusive(); // root must be Envelope + } + + public XMLStreamException parse(BasicCred bc, InputStream is) { + try { + parseTree.onMatch(bc, new XReader(is)); + return null; + } catch (XMLStreamException e) { + return e; + } + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java index 12de366e..187d5b1e 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java 
@@ -38,98 +38,98 @@ import javax.xml.stream.events.XMLEvent; // @SuppressWarnings("restriction") public abstract class XEvent { - public abstract int getEventType(); + public abstract int getEventType(); - public StartElement asStartElement() { - return (StartElement)this; - } + public StartElement asStartElement() { + return (StartElement)this; + } - public Characters asCharacters() { - return (Characters)this; - } + public Characters asCharacters() { + return (Characters)this; + } - public EndElement asEndElement() { - return (EndElement)this; - } + public EndElement asEndElement() { + return (EndElement)this; + } public static abstract class NamedXEvent extends XEvent { - private QName qname; - - public NamedXEvent(QName qname) { - this.qname = qname; - } - - public QName getName() { - return qname; - } + private QName qname; + + public NamedXEvent(QName qname) { + this.qname = qname; + } + + public QName getName() { + return qname; + } + } + public static class StartElement extends NamedXEvent { + + public StartElement(String ns, String tag) { + super(new QName(ns,tag)); + } + + @Override + public int getEventType() { + return XMLEvent.START_ELEMENT; + } + } + + public static class EndElement extends NamedXEvent { + public EndElement(String ns, String tag) { + super(new QName(ns,tag)); + } + + @Override + public int getEventType() { + return XMLEvent.END_ELEMENT; + } + } + + public static class Characters extends XEvent { + private String data; + + public Characters(String data) { + this.data = data; + } + @Override + public int getEventType() { + return XMLEvent.CHARACTERS; + } + + public String getData() { + return data; + } + } + + public static class StartDocument extends XEvent { + + @Override + public int getEventType() { + return XMLEvent.START_DOCUMENT; + } + + } + + public static class EndDocument extends XEvent { + + @Override + public int getEventType() { + return XMLEvent.END_DOCUMENT; + } + + } + public static class Comment extends XEvent { + 
public final String value; + public Comment(String value) { + this.value = value; + } + + @Override + public int getEventType() { + return XMLEvent.COMMENT; + } + } - public static class StartElement extends NamedXEvent { - - public StartElement(String ns, String tag) { - super(new QName(ns,tag)); - } - - @Override - public int getEventType() { - return XMLEvent.START_ELEMENT; - } - } - - public static class EndElement extends NamedXEvent { - public EndElement(String ns, String tag) { - super(new QName(ns,tag)); - } - - @Override - public int getEventType() { - return XMLEvent.END_ELEMENT; - } - } - - public static class Characters extends XEvent { - private String data; - - public Characters(String data) { - this.data = data; - } - @Override - public int getEventType() { - return XMLEvent.CHARACTERS; - } - - public String getData() { - return data; - } - } - - public static class StartDocument extends XEvent { - - @Override - public int getEventType() { - return XMLEvent.START_DOCUMENT; - } - - } - - public static class EndDocument extends XEvent { - - @Override - public int getEventType() { - return XMLEvent.END_DOCUMENT; - } - - } - public static class Comment extends XEvent { - public final String value; - public Comment(String value) { - this.value = value; - } - - @Override - public int getEventType() { - return XMLEvent.COMMENT; - } - - } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java index 78265e4b..b7cc40ad 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java 
@@ -49,379 +49,379 @@ import javax.xml.stream.XMLStreamException; */ // @SuppressWarnings("restriction") public class XReader { - private XEvent curr,another; - private InputStream is; - private ByteArrayOutputStream baos; - private int state, count, last; - - private Stack> nsses; - - public XReader(InputStream is) { - this.is = is; - curr = another = null; - baos = new ByteArrayOutputStream(); - state = BEGIN_DOC; - count = 0; - nsses = new Stack>(); - } - - public boolean hasNext() throws XMLStreamException { - if(curr==null) { - curr = parse(); - } - return curr!=null; - } + private XEvent curr,another; + private InputStream is; + private ByteArrayOutputStream baos; + private int state, count, last; + + private Stack> nsses; + + public XReader(InputStream is) { + this.is = is; + curr = another = null; + baos = new ByteArrayOutputStream(); + state = BEGIN_DOC; + count = 0; + nsses = new Stack>(); + } + + public boolean hasNext() throws XMLStreamException { + if(curr==null) { + curr = parse(); + } + return curr!=null; + } - public XEvent nextEvent() { - XEvent xe = curr; - curr = null; - return xe; - } + public XEvent nextEvent() { + XEvent xe = curr; + curr = null; + return xe; + } - // - // State Flags - // - // Note: The State of parsing XML can be complicated. There are too many to cleanly keep in "booleans". 
Additionally, - // there are certain checks that can be better made with Bitwise operations within switches - // Keeping track of state this way also helps us to accomplish logic without storing any back characters except one - private final static int BEGIN_DOC= 0x000001; - private final static int DOC_TYPE= 0x000002; - private final static int QUESTION_F= 0x000004; - private final static int QUESTION = 0x000008; - private final static int START_TAG = 0x000010; - private final static int END_TAG = 0x000020; - private final static int VALUE= 0x000040; - private final static int COMMENT = 0x001000; - private final static int COMMENT_E = 0x002000; - private final static int COMMENT_D1 =0x010000; - private final static int COMMENT_D2 =0x020000; - private final static int COMMENT_D3 =0x040000; - private final static int COMMENT_D4 =0x080000; - // useful combined Comment states - private final static int IN_COMMENT=COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2; - private final static int COMPLETE_COMMENT = COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3|COMMENT_D4; - - - private XEvent parse() throws XMLStreamException { - Map nss = nsses.isEmpty()?null:nsses.peek(); + // + // State Flags + // + // Note: The State of parsing XML can be complicated. There are too many to cleanly keep in "booleans". 
Additionally, + // there are certain checks that can be better made with Bitwise operations within switches + // Keeping track of state this way also helps us to accomplish logic without storing any back characters except one + private final static int BEGIN_DOC= 0x000001; + private final static int DOC_TYPE= 0x000002; + private final static int QUESTION_F= 0x000004; + private final static int QUESTION = 0x000008; + private final static int START_TAG = 0x000010; + private final static int END_TAG = 0x000020; + private final static int VALUE= 0x000040; + private final static int COMMENT = 0x001000; + private final static int COMMENT_E = 0x002000; + private final static int COMMENT_D1 =0x010000; + private final static int COMMENT_D2 =0x020000; + private final static int COMMENT_D3 =0x040000; + private final static int COMMENT_D4 =0x080000; + // useful combined Comment states + private final static int IN_COMMENT=COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2; + private final static int COMPLETE_COMMENT = COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3|COMMENT_D4; + + + private XEvent parse() throws XMLStreamException { + Map nss = nsses.isEmpty()?null:nsses.peek(); - XEvent rv; - if((rv=another)!=null) { // "another" is a tag that may have needed to be created, but not - // immediately returned. Save for next parse. If necessary, this could be turned into - // a FIFO storage, but a single reference is enough for now. - another = null; // "rv" is now set for the Event, and will be returned. Set to Null. 
- } else { - boolean go = true; - int c=0; - - try { - while(go && (c=is.read())>=0) { - ++count; - switch(c) { - case '<': // Tag is opening - state|=~BEGIN_DOC; // remove BEGIN_DOC flag, this is possibly an XML Doc - XEvent cxe = null; - if(baos.size()>0) { // If there are any characters between tags, we send as Character Event - String chars = baos.toString().trim(); // Trim out WhiteSpace before and after - if(chars.length()>0) { // don't send if Characters were only whitespace - cxe = new XEvent.Characters(chars); - baos.reset(); - go = false; - } - } - last = c; // make sure "last" character is set for use in "ParseTag" - Tag t = parseTag(); // call subroutine to process the tag as a unit - String ns; - switch(t.state&(START_TAG|END_TAG)) { - case START_TAG: - nss = getNss(nss,t); // Only Start Tags might have NS Attributes - // Get any NameSpace elements from tag. If there are, nss will become - // a new Map with all the previous NSs plus the new. This provides - // scoping behavior when used with the Stack - // drop through on purpose - case END_TAG: - ns = t.prefix==null||nss==null?"":nss.get(t.prefix); // Get the namespace from prefix (if exists) - break; - default: - ns = ""; - } - if(ns==null) - throw new XMLStreamException("Invalid Namespace Prefix at " + count); - go = false; - switch(t.state) { // based on - case DOC_TYPE: - rv = new XEvent.StartDocument(); - break; - case COMMENT: - rv = new XEvent.Comment(t.value); - break; - case START_TAG: - rv = new XEvent.StartElement(ns,t.name); - nsses.push(nss); // Change potential scope for Namespace - break; - case END_TAG: - rv = new XEvent.EndElement(ns,t.name); - nss = nsses.pop(); // End potential scope for Namespace - break; - case START_TAG|END_TAG: // This tag is both start/end aka - rv = new XEvent.StartElement(ns,t.name); - if(last=='/')another = new XEvent.EndElement(ns,t.name); - } - if(cxe!=null) { // if there is a Character Event, it actually should go first. ow. 
- another = rv; // Make current Event the "another" or next event, and - rv = cxe; // send Character Event now - } - break; - case ' ': - case '\t': - case '\n': - if((state&BEGIN_DOC)==BEGIN_DOC) { // if Whitespace before doc, just ignore - break; - } - // fallthrough on purpose - default: - if((state&BEGIN_DOC)==BEGIN_DOC) { // if there is any data at the start other than XML Tag, it's not XML - throw new XMLStreamException("Parse Error: This is not an XML Doc"); - } - baos.write(c); // save off Characters - } - last = c; // Some processing needs to know what the last character was, aka Escaped characters... ex \" - } - } catch (IOException e) { - throw new XMLStreamException(e); // all errors parsing will be treated as XMLStreamErrors (like StAX) - } - if(c==-1 && (state&BEGIN_DOC)==BEGIN_DOC) { // Normally, end of stream is ok, however, we need to know if the - throw new XMLStreamException("Premature End of File"); // document isn't an XML document, so we throw exception if it - } // hasn't yet been determined to be an XML Doc - } - return rv; - } - - /** - * parseTag - * - * Parsing a Tag is somewhat complicated, so it's helpful to separate this process from the - * higher level Parsing effort - * @return - * @throws IOException - * @throws XMLStreamException - */ - private Tag parseTag() throws IOException, XMLStreamException { - Tag tag = null; - boolean go = true; - state = 0; - int c, quote=0; // If "quote" is 0, then we're not in a quote. We set ' (in pretag) or " in attribs accordingly to denote quoted - String prefix=null,name=null,value=null; - baos.reset(); - - while(go && (c=is.read())>=0) { - ++count; - if(quote!=0) { // If we're in a quote, we only end if we hit another quote of the same time, not preceded by \ - if(c==quote && last!='\\') { - quote=0; - } else { - baos.write(c); - } - } else if((state&COMMENT)==COMMENT) { // similar to Quote is being in a comment - switch(c) { - case '-': - switch(state) { // XML has a complicated Quote set... ... 
we keep track if each has been met with flags. - case COMMENT|COMMENT_E: - state|=COMMENT_D1; - break; - case COMMENT|COMMENT_E|COMMENT_D1: - state|=COMMENT_D2; - baos.reset(); // clear out "!--", it's a Comment - break; - case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2: - state|=COMMENT_D3; - baos.write(c); - break; - case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3: - state|=COMMENT_D4; - baos.write(c); - break; - } - break; - case '>': // Tag indicator has been found, do we have all the comment characters in line? - if((state&COMPLETE_COMMENT)==COMPLETE_COMMENT) { - byte ba[] = baos.toByteArray(); - tag = new Tag(null,null, new String(ba,0,ba.length-2)); - baos.reset(); - go = false; - break; - } - // fall through on purpose - default: - state&=~(COMMENT_D3|COMMENT_D4); - if((state&IN_COMMENT)!=IN_COMMENT) state&=~IN_COMMENT; // false alarm, it's not actually a comment - baos.write(c); - } - } else { // Normal Tag Processing loop - switch(c) { - case '?': - switch(state & (QUESTION_F|QUESTION)) { // Validate the state of Doc tag... - case QUESTION_F: - state |= DOC_TYPE; - state &= ~QUESTION_F; - break; - case 0: - state |=QUESTION_F; - break; - default: - throw new IOException("Bad character [?] 
at " + count); - } - break; - case '!': - if(last=='<') { - state|=COMMENT|COMMENT_E; // likely a comment, continue processing in Comment Loop - } - baos.write(c); - break; - case '/': - state|=(last=='<'?END_TAG:(END_TAG|START_TAG)); // end tag indicator , ,or both - break; - case ':': - prefix=baos.toString(); // prefix indicator - baos.reset(); - break; - case '=': // used in Attributes - name=baos.toString(); - baos.reset(); - state|=VALUE; - break; - case '>': // end the tag, which causes end of this subprocess as well as formulation of the found data - go = false; - // passthrough on purpose - case ' ': - case '\t': - case '\n': // white space indicates change in internal tag state, ex between name and between attributes - if((state&VALUE)==VALUE) { - value = baos.toString(); // we're in VALUE state, add characters to Value - } else if(name==null) { - name = baos.toString(); // we're in Name state (default) add characters to Name - } - baos.reset(); // we've assigned chars, reset buffer - if(name!=null) { // Name is not null, there's a tag in the offing here... - Tag t = new Tag(prefix,name,value); - if(tag==null) { // Set as the tag to return, if not exists - tag = t; - } else { // if we already have a Tag, then we'll treat this one as an attribute - tag.add(t); - } - } - prefix=name=value=null; // reset these values in case we loop for attributes. - break; - case '\'': // is the character one of two kinds of quote? - case '"': - if(last!='\\') { - quote=c; - break; - } - // Fallthrough ok - default: - baos.write(c); // write any unprocessed bytes into buffer - - } - } - last = c; - } - int type = state&(DOC_TYPE|COMMENT|END_TAG|START_TAG); // get just the Tag states and turn into Type for Tag - if(type==0) { - type=START_TAG; - } - if(tag!=null) { - tag.state|=type; // add the appropriate Tag States - } - return tag; - } + XEvent rv; + if((rv=another)!=null) { // "another" is a tag that may have needed to be created, but not + // immediately returned. 
Save for next parse. If necessary, this could be turned into + // a FIFO storage, but a single reference is enough for now. + another = null; // "rv" is now set for the Event, and will be returned. Set to Null. + } else { + boolean go = true; + int c=0; + + try { + while(go && (c=is.read())>=0) { + ++count; + switch(c) { + case '<': // Tag is opening + state|=~BEGIN_DOC; // remove BEGIN_DOC flag, this is possibly an XML Doc + XEvent cxe = null; + if(baos.size()>0) { // If there are any characters between tags, we send as Character Event + String chars = baos.toString().trim(); // Trim out WhiteSpace before and after + if(chars.length()>0) { // don't send if Characters were only whitespace + cxe = new XEvent.Characters(chars); + baos.reset(); + go = false; + } + } + last = c; // make sure "last" character is set for use in "ParseTag" + Tag t = parseTag(); // call subroutine to process the tag as a unit + String ns; + switch(t.state&(START_TAG|END_TAG)) { + case START_TAG: + nss = getNss(nss,t); // Only Start Tags might have NS Attributes + // Get any NameSpace elements from tag. If there are, nss will become + // a new Map with all the previous NSs plus the new. 
This provides + // scoping behavior when used with the Stack + // drop through on purpose + case END_TAG: + ns = t.prefix==null||nss==null?"":nss.get(t.prefix); // Get the namespace from prefix (if exists) + break; + default: + ns = ""; + } + if(ns==null) + throw new XMLStreamException("Invalid Namespace Prefix at " + count); + go = false; + switch(t.state) { // based on + case DOC_TYPE: + rv = new XEvent.StartDocument(); + break; + case COMMENT: + rv = new XEvent.Comment(t.value); + break; + case START_TAG: + rv = new XEvent.StartElement(ns,t.name); + nsses.push(nss); // Change potential scope for Namespace + break; + case END_TAG: + rv = new XEvent.EndElement(ns,t.name); + nss = nsses.pop(); // End potential scope for Namespace + break; + case START_TAG|END_TAG: // This tag is both start/end aka + rv = new XEvent.StartElement(ns,t.name); + if(last=='/')another = new XEvent.EndElement(ns,t.name); + } + if(cxe!=null) { // if there is a Character Event, it actually should go first. ow. + another = rv; // Make current Event the "another" or next event, and + rv = cxe; // send Character Event now + } + break; + case ' ': + case '\t': + case '\n': + if((state&BEGIN_DOC)==BEGIN_DOC) { // if Whitespace before doc, just ignore + break; + } + // fallthrough on purpose + default: + if((state&BEGIN_DOC)==BEGIN_DOC) { // if there is any data at the start other than XML Tag, it's not XML + throw new XMLStreamException("Parse Error: This is not an XML Doc"); + } + baos.write(c); // save off Characters + } + last = c; // Some processing needs to know what the last character was, aka Escaped characters... 
ex \" + } + } catch (IOException e) { + throw new XMLStreamException(e); // all errors parsing will be treated as XMLStreamErrors (like StAX) + } + if(c==-1 && (state&BEGIN_DOC)==BEGIN_DOC) { // Normally, end of stream is ok, however, we need to know if the + throw new XMLStreamException("Premature End of File"); // document isn't an XML document, so we throw exception if it + } // hasn't yet been determined to be an XML Doc + } + return rv; + } + + /** + * parseTag + * + * Parsing a Tag is somewhat complicated, so it's helpful to separate this process from the + * higher level Parsing effort + * @return + * @throws IOException + * @throws XMLStreamException + */ + private Tag parseTag() throws IOException, XMLStreamException { + Tag tag = null; + boolean go = true; + state = 0; + int c, quote=0; // If "quote" is 0, then we're not in a quote. We set ' (in pretag) or " in attribs accordingly to denote quoted + String prefix=null,name=null,value=null; + baos.reset(); + + while(go && (c=is.read())>=0) { + ++count; + if(quote!=0) { // If we're in a quote, we only end if we hit another quote of the same time, not preceded by \ + if(c==quote && last!='\\') { + quote=0; + } else { + baos.write(c); + } + } else if((state&COMMENT)==COMMENT) { // similar to Quote is being in a comment + switch(c) { + case '-': + switch(state) { // XML has a complicated Quote set... ... we keep track if each has been met with flags. + case COMMENT|COMMENT_E: + state|=COMMENT_D1; + break; + case COMMENT|COMMENT_E|COMMENT_D1: + state|=COMMENT_D2; + baos.reset(); // clear out "!--", it's a Comment + break; + case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2: + state|=COMMENT_D3; + baos.write(c); + break; + case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3: + state|=COMMENT_D4; + baos.write(c); + break; + } + break; + case '>': // Tag indicator has been found, do we have all the comment characters in line? 
+ if((state&COMPLETE_COMMENT)==COMPLETE_COMMENT) { + byte ba[] = baos.toByteArray(); + tag = new Tag(null,null, new String(ba,0,ba.length-2)); + baos.reset(); + go = false; + break; + } + // fall through on purpose + default: + state&=~(COMMENT_D3|COMMENT_D4); + if((state&IN_COMMENT)!=IN_COMMENT) state&=~IN_COMMENT; // false alarm, it's not actually a comment + baos.write(c); + } + } else { // Normal Tag Processing loop + switch(c) { + case '?': + switch(state & (QUESTION_F|QUESTION)) { // Validate the state of Doc tag... + case QUESTION_F: + state |= DOC_TYPE; + state &= ~QUESTION_F; + break; + case 0: + state |=QUESTION_F; + break; + default: + throw new IOException("Bad character [?] at " + count); + } + break; + case '!': + if(last=='<') { + state|=COMMENT|COMMENT_E; // likely a comment, continue processing in Comment Loop + } + baos.write(c); + break; + case '/': + state|=(last=='<'?END_TAG:(END_TAG|START_TAG)); // end tag indicator , ,or both + break; + case ':': + prefix=baos.toString(); // prefix indicator + baos.reset(); + break; + case '=': // used in Attributes + name=baos.toString(); + baos.reset(); + state|=VALUE; + break; + case '>': // end the tag, which causes end of this subprocess as well as formulation of the found data + go = false; + // passthrough on purpose + case ' ': + case '\t': + case '\n': // white space indicates change in internal tag state, ex between name and between attributes + if((state&VALUE)==VALUE) { + value = baos.toString(); // we're in VALUE state, add characters to Value + } else if(name==null) { + name = baos.toString(); // we're in Name state (default) add characters to Name + } + baos.reset(); // we've assigned chars, reset buffer + if(name!=null) { // Name is not null, there's a tag in the offing here... 
+ Tag t = new Tag(prefix,name,value); + if(tag==null) { // Set as the tag to return, if not exists + tag = t; + } else { // if we already have a Tag, then we'll treat this one as an attribute + tag.add(t); + } + } + prefix=name=value=null; // reset these values in case we loop for attributes. + break; + case '\'': // is the character one of two kinds of quote? + case '"': + if(last!='\\') { + quote=c; + break; + } + // Fallthrough ok + default: + baos.write(c); // write any unprocessed bytes into buffer + + } + } + last = c; + } + int type = state&(DOC_TYPE|COMMENT|END_TAG|START_TAG); // get just the Tag states and turn into Type for Tag + if(type==0) { + type=START_TAG; + } + if(tag!=null) { + tag.state|=type; // add the appropriate Tag States + } + return tag; + } - /** - * getNSS - * - * If the tag contains some Namespace attributes, create a new nss from the passed in one, copy all into it, then add - * This provides Scoping behavior - * - * if Nss is null in the first place, create an new nss, so we don't have to deal with null Maps. - * - * @param nss - * @param t - * @return - */ - private Map getNss(Map nss, Tag t) { - Map newnss = null; - if(t.attribs!=null) { - for(Tag tag : t.attribs) { - if("xmlns".equals(tag.prefix)) { - if(newnss==null) { - newnss = new HashMap<>(); - if(nss!=null)newnss.putAll(nss); - } - newnss.put(tag.name, tag.value); - } - } - } - //return newnss==null?(nss==null?new HashMap():nss):newnss; - if(newnss==null) { - if(nss==null) { - newnss = new HashMap<>(); - } else { - newnss = nss; - } - } - return newnss; - } + /** + * getNSS + * + * If the tag contains some Namespace attributes, create a new nss from the passed in one, copy all into it, then add + * This provides Scoping behavior + * + * if Nss is null in the first place, create an new nss, so we don't have to deal with null Maps. 
+ * + * @param nss + * @param t + * @return + */ + private Map getNss(Map nss, Tag t) { + Map newnss = null; + if(t.attribs!=null) { + for(Tag tag : t.attribs) { + if("xmlns".equals(tag.prefix)) { + if(newnss==null) { + newnss = new HashMap<>(); + if(nss!=null)newnss.putAll(nss); + } + newnss.put(tag.name, tag.value); + } + } + } + //return newnss==null?(nss==null?new HashMap():nss):newnss; + if(newnss==null) { + if(nss==null) { + newnss = new HashMap<>(); + } else { + newnss = nss; + } + } + return newnss; + } - /** - * The result of the parseTag method - * - * Data is split up into prefix, name and value portions. "Tags" with Values that are inside a Tag are known in XLM - * as Attributes. - * - * @author Jonathan - * - */ - public class Tag { - public int state; - public String prefix,name,value; - public List attribs; + /** + * The result of the parseTag method + * + * Data is split up into prefix, name and value portions. "Tags" with Values that are inside a Tag are known in XLM + * as Attributes. + * + * @author Jonathan + * + */ + public class Tag { + public int state; + public String prefix,name,value; + public List attribs; - public Tag(String prefix, String name, String value) { - this.prefix = prefix; - this.name = name; - this.value = value; - attribs = null; - } + public Tag(String prefix, String name, String value) { + this.prefix = prefix; + this.name = name; + this.value = value; + attribs = null; + } - /** - * add an attribute - * Not all tags need attributes... lazy instantiate to save time and memory - * @param tag - */ - public void add(Tag attrib) { - if(attribs == null) { - attribs = new ArrayList<>(); - } - attribs.add(attrib); - } - - public String toString() { - StringBuffer sb = new StringBuffer(); - if(prefix!=null) { - sb.append(prefix); - sb.append(':'); - } - sb.append(name==null?"!!ERROR!!":name); + /** + * add an attribute + * Not all tags need attributes... 
lazy instantiate to save time and memory + * @param tag + */ + public void add(Tag attrib) { + if(attribs == null) { + attribs = new ArrayList<>(); + } + attribs.add(attrib); + } + + public String toString() { + StringBuffer sb = new StringBuffer(); + if(prefix!=null) { + sb.append(prefix); + sb.append(':'); + } + sb.append(name==null?"!!ERROR!!":name); - char quote = ((state&DOC_TYPE)==DOC_TYPE)?'\'':'"'; - if(value!=null) { - sb.append('='); - sb.append(quote); - sb.append(value); - sb.append(quote); - } - return sb.toString(); - } - } + char quote = ((state&DOC_TYPE)==DOC_TYPE)?'\'':'"'; + if(value!=null) { + sb.append('='); + sb.append(quote); + sb.append(value); + sb.append(quote); + } + return sb.toString(); + } + } } -- cgit 1.2.3-korg