From a20accc73189d8e5454cd26049c0e6fae75da16f Mon Sep 17 00:00:00 2001 From: Instrumental Date: Mon, 26 Mar 2018 13:49:56 -0700 Subject: AT&T 2.0.19 Code drop, stage 2 Issue-ID: AAF-197 Change-Id: Ifc93308f52c10d6ad82e99cd3ff5ddb900bf219a Signed-off-by: Instrumental --- cadi/oauth-enduser/.gitignore | 6 + cadi/oauth-enduser/.settings/.gitignore | 2 + cadi/oauth-enduser/cadi.properties | 57 +++++ cadi/oauth-enduser/pom.xml | 112 ++++++++++ cadi/oauth-enduser/src/.gitignore | 1 + .../java/com/att/cadi/enduser/OAuthExample.java | 233 +++++++++++++++++++++ 6 files changed, 411 insertions(+) create mode 100644 cadi/oauth-enduser/.gitignore create mode 100644 cadi/oauth-enduser/.settings/.gitignore create mode 100644 cadi/oauth-enduser/cadi.properties create mode 100644 cadi/oauth-enduser/pom.xml create mode 100644 cadi/oauth-enduser/src/.gitignore create mode 100644 cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java (limited to 'cadi/oauth-enduser') diff --git a/cadi/oauth-enduser/.gitignore b/cadi/oauth-enduser/.gitignore new file mode 100644 index 00000000..ed10e327 --- /dev/null +++ b/cadi/oauth-enduser/.gitignore @@ -0,0 +1,6 @@ +/target/ +/.DS_Store +/.classpath +/tokens/ +/bin/ +/.project diff --git a/cadi/oauth-enduser/.settings/.gitignore b/cadi/oauth-enduser/.settings/.gitignore new file mode 100644 index 00000000..e2635f07 --- /dev/null +++ b/cadi/oauth-enduser/.settings/.gitignore @@ -0,0 +1,2 @@ +/org.eclipse.jdt.core.prefs +/org.eclipse.m2e.core.prefs diff --git a/cadi/oauth-enduser/cadi.properties b/cadi/oauth-enduser/cadi.properties new file mode 100644 index 00000000..fb497314 --- /dev/null +++ b/cadi/oauth-enduser/cadi.properties @@ -0,0 +1,57 @@ +############################################################ +# Properties for OAuth Example +# Jonathan Gathman +# on 2018-01-30 +# These properties are the BARE essentials for OAuth calling +############################################################ +# aaf_locate is the replacement whenever a URL is set to "AAF_LOCATE_URL" +# at this time, only AAF has this ability. +# +# This is, effectively, the Environment you will use for AAF Location +# TEST ENV +aaf_locate_url=https://aaftest.test.att.com + +# IST ENV +# aaf_locate_url=https://aafist.test.att.com + +# PROD ENV +# aaf_locate_url=https://aaf.it.att.com + +cadi_latitude= + +aaf_url=https://AAF_LOCATE_URL/locate/com.att.aaf.service:2.0 +cadi_keyfile=.jar keygen keyfile. chmod 400 keyfile> + +aaf_id= +aaf_password=enc:.jar digest keyfile> +# aaf_alias= + +# aaf_conn_timeout=6000 +# aaf_timeout=10000 + +# A Sample AAF OAuth Enabled Service +#aaf_oauth2_hello_url=https://AAF_LOCATE_URL/locate/com.att.aaf.hello:2.0/hello +aaf_oauth2_hello_url=http://135.46.170.156:32245/restservices/echo/v1/testCXF/testGet + +# OAuth2 +# AAF OAuth2 Service. +aaf_oauth2_token_url=https://AAF_LOCATE_URL/locate/com.att.aaf.token:2.0/token +aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/locate/com.att.aaf.introspect:2.0/introspect + +#ISAM +aaf_alt_oauth2_domain=isam.att.com +#aaf_alt_oauth2_client_id= +#aaf_alt_oauth2_domain=csp.att.com + +#ISAM TEST +#aaf_alt_oauth2_token_url=https://oauth.stage.elogin.att.com/mga/sps/oauth/oauth20/token +#aaf_alt_oauth2_introspect_url=https://oauthapp.stage.att.com/mga/sps/oauth/oauth20/introspect +#aaf_alt_oauth2_client_secret=enc: + +#ISAM PROD +#aaf_alt_oauth2_token_url=https://oauth.idp.elogin.att.com/mga/sps/oauth/oauth20/token +#aaf_alt_oauth2_introspect_url=https://oa-app.e-access.att.com/mga/sps/oauth/oauth20/introspect +#aaf_alt_oauth2_client_secret=enc: + + diff --git a/cadi/oauth-enduser/pom.xml b/cadi/oauth-enduser/pom.xml new file mode 100644 index 00000000..2423c530 --- /dev/null +++ b/cadi/oauth-enduser/pom.xml @@ -0,0 +1,112 @@ + + + + 4.0.0 + AAF CADI Sample OAuth EndUser + org.onap.aaf.cadi + 1.5.0-SNAPSHOT + aaf-cadi-oauth-enduser + + jar + + + + Jonathan Gathman + jonathan.gathman@att.com + ATT + + Architect + Lead Developer + + + + Gabe Maurer + gabe.maurer@att.com + ATT + + Developer + + + + Ian Howell + ian.howell@att.com + ATT + + Developer + + + + + + + org.onap.aaf.cadi + aaf-cadi-core + 1.5.0-SNAPSHOT + + + org.onap.aaf.cadi + aaf-cadi-aaf + 1.5.0-SNAPSHOT + + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 2.3.2 + + 1.8 + 1.8 + + + + + org.apache.maven.plugins + 2.4 + maven-jar-plugin + + target + + + + maven-assembly-plugin + 2.4 + + + + org.onap.aaf.cadi.enduser.OAuthExample + + + + src/main/assemble/cadi-oauth-enduser-assemble.xml + + + + + + + + diff --git a/cadi/oauth-enduser/src/.gitignore b/cadi/oauth-enduser/src/.gitignore new file mode 100644 index 00000000..9bb88d37 --- /dev/null +++ b/cadi/oauth-enduser/src/.gitignore @@ -0,0 +1 @@ +/.DS_Store diff --git a/cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java b/cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java new file mode 100644 index 00000000..9cb4b4af --- /dev/null +++ b/cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java @@ -0,0 +1,233 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package com.att.cadi.enduser; + +import java.io.IOException; +import java.net.ConnectException; +import java.security.GeneralSecurityException; +import java.util.Date; +import java.util.GregorianCalendar; + +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.oauth.TimedToken; +import org.onap.aaf.cadi.oauth.TokenClient; +import org.onap.aaf.cadi.oauth.TokenClientFactory; +import org.onap.aaf.cadi.oauth.TzClient; +import org.onap.aaf.cadi.util.FQI; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Chrono; + +import aafoauth.v2_0.Introspect; +import aafoauth.v2_0.Token; + + +public class OAuthExample { + private static TokenClientFactory tcf; + private static PropAccess access; + + public final static void main(final String args[]) { + // These Objects are expected to be Long-Lived... Construct once + + // Property Access + // This method will allow you to set "cadi_prop_files" (or any other property) on Command line + access = new PropAccess(args); + + // access = PropAccess(); + // Note: This style will load "cadi_prop_files" from VM Args + + // Token aware Client Factory + try { + tcf = TokenClientFactory.instance(access); + } catch (APIException | GeneralSecurityException | IOException | CadiException e1) { + access.log(e1, "Unable to setup OAuth Client Factory, Fail Fast"); + System.exit(1); + } + + + // Obtain Endpoints for OAuth2 from Properties. Expected is "cadi.properties" file, pointed to by "cadi_prop_files" + String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL); + String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL); + + + // Get Properties + final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL); + + final int CALL_TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CALL_TIMEOUT,Config.AAF_CALL_TIMEOUT_DEF)); + + try { + ////////////////////////////////////////////////////////////////////// + // Scenario 1: + // Get and use an OAuth Client, which understands Token Management + ////////////////////////////////////////////////////////////////////// + // Create a Token Client, that gets its tokens from expected OAuth Server + // In this example, it is AAF, but it can be the Alternate OAuth + + TokenClient tc = tcf.newClient(tokenServiceURL); // can set your own timeout here (url, timeoutMilliseconds) + // Set your Application (MicroService, whatever) Credentials here + // These are how your Application is known, particularly to the OAuth Server. + // If AAF Token server, then its just the same as your other AAF MechID creds + // If it is the Alternate OAUTH, you'll need THOSE credentials. See that tool's Onboarding procedures. + String client_id = access.getProperty(Config.AAF_APPID); + String client_secret = access.getProperty(Config.AAF_APPPASS); + tc.client_creds(client_id, client_secret); + + // If you are working with Credentials the End User, set username/password as appropriate to the OAuth Server + // tc.password(end_user_id, end_user_password); + // IMPORTANT: + // if you are setting client Credentials, you MAY NOT reuse this Client mid-transaction. You CAN reuse after setting + // tc.clearEndUser(); + // You may want to see "Pooled Client" example, using special CADI utility + + // With AAF, the Scopes you put in are the AAF Namespaces you want access to. Your Token will contain the + // AAF Permissions of the Namespaces (you can put in more than one), the user name (or client_id if no user_name), + // is allowed to see. + + // Here's a trick to get the namespace out of a Fully Qualified AAF Identity (your MechID) + String ns = FQI.reverseDomain(client_id); + System.out.printf("\nNote: The AAF Namespace of FQI (Fully Qualified Identity) %s is %s\n\n",client_id, ns); + + // Now, we can get a Token. Note: for "scope", use AAF Namespaces to get AAF Permissions embedded in + // Note: getToken checks if Token is expired, if so, then refreshes before handing back. + Result rtt = tc.getToken(ns,"org.onap.test"); + + // Note: you can clear a Token's Disk/Memory presence by + // 1) removing the Token from the "token/outgoing" directory on the O/S + // 2) programmatically by calling "clearToken" with exact params as "getToken", when it has the same credentials set + // tc.clearToken("org.onap.aaf","org.onap.test"); + + // Result Object can be queried for success + if(rtt.isOK()) { + TimedToken token = rtt.value; + print(token); // Take a look at what's in a Token + + // Use this Token in your client calls with "Tokenized Client" (TzClient) + // These should NOT be used cross thread. + TzClient helloClient = tcf.newTzClient(endServicesURL); + helloClient.setToken(client_id, token); + + // This client call style, "best" call with "Retryable" inner class covers finding an available Service + // (when Multi-services exist) for the best service, based (currently) on distance. + // + // the "Generic" in Type gives a Return Value for the Code, which you can set on the "best" method + // Note that variables used in the inner class from this part of the code must be "final", see "CALL_TIMEOUT" + String rv = helloClient.best(new Retryable() { + @Override + public String code(Rcli client) throws CadiException, ConnectException, APIException { + Future future = client.read(null,"text/plain"); + // The "future" calling method allows you to do other processing, such as call more than one backend + // client before picking up the result + // If "get" matches the HTTP Code for the method (i.e. read HTTP Return value is 200), then + if(future.get(CALL_TIMEOUT)) { + // Client Returned expected value + return future.value; + } else { + throw new APIException(future.code() + future.body()); + } + } + }); + + // You want to do something with returned value. Here, we say "hello" + System.out.printf("\nPositive Response from Hello: %s\n",rv); + + + ////////////////////////////////////////////////////////////////////// + // Scenario 2: + // As a Service, read Introspection information as proof of Authenticated Authorization + ////////////////////////////////////////////////////////////////////// + // CADI Framework (i.e. CadiFilter) works with the Introspection to drive the J2EE interfaces ( + // i.e. if(isUserInRole("ns.perm|instance|action")) {... + // + // Here, however, is a way to introspect via Java + // + // now, call Introspect (making sure right URLs are set in properties) + // We need a Different Introspect TokenClient, because different Endpoint (and usually different Services) + TokenClient tci = tcf.newClient(tokenIntrospectURL); + tci.client_creds(client_id, client_secret); + Result is = tci.introspect(token.getAccessToken()); + if(is.isOK()) { + // Note that AAF will add JSON set of Permissions as part of "Content:", legitimate extension of OAuth Structure + print(is.value); // do something with Introspect Object + } else { + access.printf(Level.ERROR, "Unable to introspect OAuth Token %s: %d %s\n", + token.getAccessToken(),rtt.code,rtt.error); + } + } else { + access.printf(Level.ERROR, "Unable to obtain OAuth Token: %d %s\n",rtt.code,rtt.error); + } + + } catch (CadiException | LocatorException | APIException | IOException e) { + e.printStackTrace(); + } + } + + ///////////////////////////////////////////////////////////// + // Examples of Object Access + ///////////////////////////////////////////////////////////// + private static void print(Token t) { + GregorianCalendar exp_date = new GregorianCalendar(); + exp_date.add(GregorianCalendar.SECOND, t.getExpiresIn()); + System.out.printf("Access Token\n\tToken:\t\t%s\n\tToken Type:\t%s\n\tExpires In:\t%d (%s)\n\tScope:\t\t%s\n\tRefresh Token:\t%s\n", + t.getAccessToken(), + t.getTokenType(), + t.getExpiresIn(), + Chrono.timeStamp(new Date(System.currentTimeMillis()+(t.getExpiresIn()*1000))), + t.getScope(), + t.getRefreshToken()); + } + + private static void print(Introspect ti) { + if(ti==null || ti.getClientId()==null) { + System.out.println("Empty Introspect"); + return; + } + Date exp = new Date(ti.getExp()*1000); // seconds + System.out.printf("Introspect\n" + + "\tAccessToken:\t%s\n" + + "\tClient-id:\t%s\n" + + "\tClient Type:\t%s\n" + + "\tActive: \t%s\n" + + "\tUserName:\t%s\n" + + "\tExpires: \t%d (%s)\n" + + "\tScope:\t\t%s\n" + + "\tContent:\t\t%s\n", + ti.getAccessToken(), + ti.getClientId(), + ti.getClientType(), + ti.isActive()?Boolean.TRUE.toString():Boolean.FALSE.toString(), + ti.getUsername(), + ti.getExp(), + Chrono.timeStamp(exp), + ti.getScope(), + ti.getContent()==null?"":ti.getContent()); + + System.out.println(); + } + +} -- cgit 1.2.3-korg