From ca76fbda94492f1b0c895ff0f4070381f17472f0 Mon Sep 17 00:00:00 2001 From: Instrumental Date: Mon, 2 Jul 2018 21:41:55 -0500 Subject: Add ability for BAuth by domain Issue-ID: AAF-361 Change-Id: I6f437ffcfef5555f44acfb32fd6020f86f8cf403 Signed-off-by: Instrumental --- .../aaf/cadi/aaf/cert/AAFListedCertIdentity.java | 2 +- .../main/java/org/onap/aaf/cadi/sso/AAFSSO.java | 1 + .../main/java/org/onap/aaf/cadi/CredValDomain.java | 25 ++++++++++++ .../main/java/org/onap/aaf/cadi/config/Config.java | 37 ++++++++++++------ .../onap/aaf/cadi/principal/BasicPrincipal.java | 13 +++++-- .../org/onap/aaf/cadi/principal/X509Principal.java | 19 +++++---- .../org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java | 45 +++++++++++++++++++--- .../java/org/onap/aaf/cadi/taf/cert/X509Taf.java | 21 ++++++++-- .../aaf/cadi/principal/test/JU_X509Principal.java | 10 ++--- 9 files changed, 135 insertions(+), 38 deletions(-) create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java (limited to 'cadi') diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java index e336042a..bc1f94d9 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java @@ -93,7 +93,7 @@ public class AAFListedCertIdentity implements CertIdentity { byte[] fingerprint = X509Taf.getFingerPrint(certBytes); String id = certs.get(new ByteArrayHolder(fingerprint)); if(id!=null) { // Caller is Validated - return new X509Principal(id,cert,certBytes); + return new X509Principal(id,cert,certBytes,null); } return null; } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java index c197be26..f2fb7057 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java @@ -186,6 +186,7 @@ public class AAFSSO { char[] password = cons.readPassword("Password for %s: ", appID); String app_pass = access.encrypt(new String(password)); access.setProperty(Config.AAF_APPPASS,app_pass); + diskprops.setProperty(Config.AAF_APPPASS, app_pass); } String keystore=access.getProperty(Config.CADI_KEYSTORE); diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java new file mode 100644 index 00000000..e8a5c54b --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java @@ -0,0 +1,25 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi; + +public interface CredValDomain extends CredVal { + public String domain(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java index 9a0a53cf..b74ccb36 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java @@ -42,6 +42,7 @@ import org.onap.aaf.cadi.CachingLur; import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.Connector; import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.CredValDomain; import org.onap.aaf.cadi.Locator; import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.Lur; @@ -111,13 +112,6 @@ public class Config { public static final String CADI_OAUTH2_URL="cadi_oauth2_url"; public static final String CADI_TOKEN_DIR = "cadi_token_dir"; - public static final String CSP_DOMAIN = "csp_domain"; - public static final String CSP_HOSTNAME = "csp_hostname"; - public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost"; - public static final String CSP_USER_HEADER = "CSP_USER"; - public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf"; - public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file"; - public static final String HTTPS_PROTOCOLS = "https.protocols"; public static final String HTTPS_CIPHER_SUITES = "https.cipherSuites"; public static final String HTTPS_CLIENT_PROTOCOLS="jdk.tls.client.protocols"; @@ -277,7 +271,7 @@ public class Config { ///////////////////////////////////////////////////// // Configure Client Cert TAF ///////////////////////////////////////////////////// - + X509Taf x509TAF = null; String truststore = logProp(access, CADI_TRUSTSTORE,null); if(truststore!=null) { String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD,null); @@ -290,7 +284,7 @@ public class Config { } } try { - htlist.add(new X509Taf(access,lur)); + htlist.add(x509TAF=new X509Taf(access,lur)); access.log(Level.INIT,"Certificate Authorization enabled"); } catch (SecurityException e) { access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e); @@ -339,7 +333,16 @@ public class Config { if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.", " There will be no additional warning if Basic Auth is used on an insecure channel" ); - htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn)); + BasicHttpTaf bht = new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn); + for(Object o : additionalTafLurs) { + if(o instanceof CredValDomain) { + bht.add((CredValDomain)o); + } + } + if(x509TAF!=null) { + x509TAF.add(bht); + } + htlist.add(bht); access.log(Level.INIT,"Basic Authorization is enabled"); } } else { @@ -443,8 +446,18 @@ public class Config { ///////////////////////////////////////////////////// if(additionalTafLurs!=null) { for(Object additional : additionalTafLurs) { - if(additional instanceof HttpTaf) { - htlist.add((HttpTaf)additional); + if(additional instanceof BasicHttpTaf) { + BasicHttpTaf ht = (BasicHttpTaf)additional; + for(Object cv : additionalTafLurs) { + if(cv instanceof CredValDomain) { + ht.add((CredValDomain)cv); + access.printf(Level.INIT,"%s Authentication is enabled",cv); + } + } + htlist.add(ht); + } else if(additional instanceof HttpTaf) { + HttpTaf ht = (HttpTaf)additional; + htlist.add(ht); access.printf(Level.INIT,"%s Authentication is enabled",additional.getClass().getSimpleName()); } else if(hasOAuthDirectTAF) { Class daupCls; diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java index 22ba702c..a235f1d4 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java @@ -36,11 +36,12 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred { private String name = null; private String shortName = null; + private String domain; private byte[] cred = null; - private long created; - public BasicPrincipal(String content,String domain) throws IOException { + + public BasicPrincipal(String content,String defaultDomain) throws IOException { created = System.currentTimeMillis(); ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes()); // Read past "Basic ", ensuring it starts with it. @@ -61,13 +62,15 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred { shortName=name.substring(0, at); } else { shortName = name; - name = name + '@' + domain; + domain=defaultDomain; + name = name + '@' + defaultDomain; } } public BasicPrincipal(BasicCred bc, String domain) { name = bc.getUser(); cred = bc.getCred(); + this.domain = domain; } private class BasicOS extends OutputStream { @@ -102,6 +105,10 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred { return shortName; } + public String getDomain() { + return domain; + } + public byte[] getCred() { return cred; } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java index 16f62171..200b8174 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java @@ -26,31 +26,30 @@ import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.util.regex.Pattern; -import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.GetCred; +import org.onap.aaf.cadi.taf.basic.BasicHttpTaf; public class X509Principal extends BearerPrincipal implements GetCred { private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*"); private final X509Certificate cert; private final String name; - private TagLookup tagLookup; - private byte[] content; + private byte[] content; + private BasicHttpTaf bht; public X509Principal(String identity, X509Certificate cert) { name = identity; content = null; this.cert = cert; - tagLookup = null; } - public X509Principal(String identity, X509Certificate cert, byte[] content) { + public X509Principal(String identity, X509Certificate cert, byte[] content, BasicHttpTaf bht) { name = identity; this.content = content; this.cert = cert; - tagLookup = null; + this.bht = bht; } - public X509Principal(X509Certificate cert, byte[] content) throws IOException { + public X509Principal(X509Certificate cert, byte[] content, BasicHttpTaf bht) throws IOException { this.content=content; this.cert = cert; String _name = null; @@ -70,7 +69,7 @@ public class X509Principal extends BearerPrincipal implements GetCred { throw new IOException("X509 does not have Identity as CN"); } name = _name; - tagLookup = null; + this.bht = bht; } public String getAsHeader() throws IOException { @@ -106,4 +105,8 @@ public class X509Principal extends BearerPrincipal implements GetCred { return "x509"; } + public BasicHttpTaf getBasicHttpTaf() { + return bht; + } + } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java index 6d516f00..ac824d0a 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java @@ -23,18 +23,21 @@ package org.onap.aaf.cadi.taf.basic; import java.io.IOException; import java.security.Principal; +import java.util.Map; +import java.util.TreeMap; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.BasicCred; import org.onap.aaf.cadi.CachedPrincipal; -import org.onap.aaf.cadi.CredVal; -import org.onap.aaf.cadi.Taf; -import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.CredVal; import org.onap.aaf.cadi.CredVal.Type; +import org.onap.aaf.cadi.CredValDomain; +import org.onap.aaf.cadi.Taf; import org.onap.aaf.cadi.principal.BasicPrincipal; import org.onap.aaf.cadi.principal.CachedBasicPrincipal; import org.onap.aaf.cadi.taf.HttpTaf; @@ -60,6 +63,7 @@ public class BasicHttpTaf implements HttpTaf { private Access access; private String realm; private CredVal rbac; + private Map rbacs = new TreeMap<>(); private boolean warn; private long timeToLive; @@ -71,6 +75,10 @@ public class BasicHttpTaf implements HttpTaf { this.timeToLive = timeToLive; } + public void add(final CredValDomain cvd) { + rbacs.put(cvd.domain(), cvd); + } + /** * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms. * @see Taf @@ -84,10 +92,16 @@ public class BasicHttpTaf implements HttpTaf { return DenialOfServiceTaf.respDenyID(access,bc.getUser()); } CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive); + + // Be able to do Organizational specific lookups by Domain + CredVal cv = rbacs.get(bp.getDomain()); + if(cv==null) { + cv = rbac; + } + // ONLY FOR Last Ditch DEBUGGING... // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred())); - - if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) { + if(cv.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) { return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false); } else { //TODO may need timed retries in a given time period @@ -107,10 +121,16 @@ public class BasicHttpTaf implements HttpTaf { if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) { return DenialOfServiceTaf.respDenyID(access,ba.getName()); } + + final int at = ba.getName().indexOf('@'); + CredVal cv = rbacs.get(ba.getName().substring(at+1)); + if(cv==null) { + cv = rbac; // default + } // ONLY FOR Last Ditch DEBUGGING... // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred())); - if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) { + if(cv.validate(ba.getShortName(), Type.PASSWORD, ba.getCred(), req)) { return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false); } else { //TODO may need timed retries in a given time period @@ -146,7 +166,19 @@ public class BasicHttpTaf implements HttpTaf { } return sb.toString(); } + + public void addCredVal(final String realm, final CredVal cv) { + rbacs.put(realm, cv); + } + public CredVal getCredVal(String key) { + CredVal cv = rbacs.get(key); + if(cv==null) { + cv = rbac; + } + return cv; + } + @Override public Resp revalidate(CachedPrincipal prin, Object state) { if(prin instanceof BasicPrincipal) { @@ -162,4 +194,5 @@ public class BasicHttpTaf implements HttpTaf { public String toString() { return "Basic Auth enabled on realm: " + realm; } + } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java index 66683dcd..dc07bb90 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java @@ -36,12 +36,13 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CachedPrincipal.Resp; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.CredVal; import org.onap.aaf.cadi.Lur; import org.onap.aaf.cadi.Symm; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.CachedPrincipal.Resp; import org.onap.aaf.cadi.Taf.LifeForm; import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.config.SecurityInfo; @@ -51,6 +52,7 @@ import org.onap.aaf.cadi.principal.X509Principal; import org.onap.aaf.cadi.taf.HttpTaf; import org.onap.aaf.cadi.taf.TafResp; import org.onap.aaf.cadi.taf.TafResp.RESP; +import org.onap.aaf.cadi.taf.basic.BasicHttpTaf; import org.onap.aaf.cadi.util.Split; public class X509Taf implements HttpTaf { @@ -65,6 +67,7 @@ public class X509Taf implements HttpTaf { private ArrayList cadiIssuers; private String env; private SecurityInfo si; + private BasicHttpTaf bht; static { try { @@ -150,7 +153,7 @@ public class X509Taf implements HttpTaf { String[] sa = Split.splitTrim(':', subject, temp+3,end); if(sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment return new X509HttpTafResp(access, - new X509Principal(sa[0], certarr[0],(byte[])null), + new X509Principal(sa[0], certarr[0],(byte[])null,bht), "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED); } } @@ -259,4 +262,16 @@ public class X509Taf implements HttpTaf { return null; } + public void add(BasicHttpTaf bht) { + this.bht = bht; + } + + public CredVal getCredVal(final String key) { + if(bht==null) { + return null; + } else { + return bht.getCredVal(key); + } + } + } diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java index e62dda4f..0857a870 100644 --- a/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java @@ -67,7 +67,7 @@ public class JU_X509Principal { @Test public void constructor2Test() throws IOException { - X509Principal x509 = new X509Principal(name, cert, cred); + X509Principal x509 = new X509Principal(name, cert, cred,null); // Call twice to hit both branches assertThat(x509.getAsHeader(), is("X509 " + cred)); assertThat(x509.toString(), is("X509 Authentication for " + name)); @@ -81,7 +81,7 @@ public class JU_X509Principal { final String longName = "name@domain"; when(subject.getName()).thenReturn("OU=" + longName + ",extra"); when(cert.getSubjectDN()).thenReturn(subject); - X509Principal x509 = new X509Principal(cert, cred); + X509Principal x509 = new X509Principal(cert, cred,null); // Call twice to hit both branches assertThat(x509.getAsHeader(), is("X509 " + cred)); assertThat(x509.toString(), is("X509 Authentication for " + longName)); @@ -91,7 +91,7 @@ public class JU_X509Principal { when(subject.getName()).thenReturn(longName + ",extra"); when(cert.getSubjectDN()).thenReturn(subject); try { - x509 = new X509Principal(cert, cred); + x509 = new X509Principal(cert, cred, null); fail("Should have thrown an Exception"); } catch(IOException e) { assertThat(e.getMessage(), is("X509 does not have Identity as CN")); @@ -100,7 +100,7 @@ public class JU_X509Principal { when(subject.getName()).thenReturn("OU=" + longName); when(cert.getSubjectDN()).thenReturn(subject); try { - x509 = new X509Principal(cert, cred); + x509 = new X509Principal(cert, cred, null); fail("Should have thrown an Exception"); } catch(IOException e) { assertThat(e.getMessage(), is("X509 does not have Identity as CN")); @@ -109,7 +109,7 @@ public class JU_X509Principal { when(subject.getName()).thenReturn("OU=" + name + ",exta"); when(cert.getSubjectDN()).thenReturn(subject); try { - x509 = new X509Principal(cert, cred); + x509 = new X509Principal(cert, cred, null); fail("Should have thrown an Exception"); } catch(IOException e) { assertThat(e.getMessage(), is("X509 does not have Identity as CN")); -- cgit 1.2.3-korg