1 files changed, 179 insertions, 0 deletions

diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java
new file mode 100644
index 0000000..cf2b3a9
--- /dev/null
+++ b/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java
@@ -0,0 +1,179 @@
+/*******************************************************************************

+ * ============LICENSE_START====================================================

+ * * org.onap.aaf

+ * * ===========================================================================

+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.

+ * * ===========================================================================

+ * * Licensed under the Apache License, Version 2.0 (the "License");

+ * * you may not use this file except in compliance with the License.

+ * * You may obtain a copy of the License at

+ * * 

+ *  *      http://www.apache.org/licenses/LICENSE-2.0

+ * * 

+ *  * Unless required by applicable law or agreed to in writing, software

+ * * distributed under the License is distributed on an "AS IS" BASIS,

+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+ * * See the License for the specific language governing permissions and

+ * * limitations under the License.

+ * * ============LICENSE_END====================================================

+ * *

+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.

+ * *

+ ******************************************************************************/

+package org.onap.aaf.cadi.aaf.cert;

+

+

+import java.security.Principal;

+import java.security.cert.CertificateException;

+import java.security.cert.X509Certificate;

+import java.util.HashSet;

+import java.util.List;

+import java.util.Map;

+import java.util.Set;

+import java.util.Timer;

+import java.util.TimerTask;

+import java.util.TreeMap;

+

+import javax.servlet.http.HttpServletRequest;

+import javax.xml.datatype.XMLGregorianCalendar;

+

+import org.onap.aaf.cadi.Access;

+import org.onap.aaf.cadi.Hash;

+import org.onap.aaf.cadi.Access.Level;

+import org.onap.aaf.cadi.aaf.v2_0.AAFCon;

+import org.onap.aaf.cadi.client.Future;

+import org.onap.aaf.cadi.config.Config;

+import org.onap.aaf.cadi.principal.X509Principal;

+import org.onap.aaf.cadi.taf.cert.CertIdentity;

+import org.onap.aaf.cadi.taf.cert.X509Taf;

+

+import org.onap.aaf.inno.env.APIException;

+import org.onap.aaf.inno.env.util.Chrono;

+import org.onap.aaf.inno.env.util.Split;

+

+import aaf.v2_0.Certs;

+import aaf.v2_0.Certs.Cert;

+import aaf.v2_0.Users;

+import aaf.v2_0.Users.User;

+

+public class AAFListedCertIdentity implements CertIdentity {

+	//TODO should 8 hours be configurable? 

+	private static final long EIGHT_HOURS = 1000*60*60*8; 

+	private static final String AAF_VERSION = "2.0";

+			

+	private static Map<ByteArrayHolder,String> certs = null;

+	

+	// Did this to add other Trust Mechanisms

+	// Trust mechanism set by Property: 

+	private static final String[] authMechanisms = new String[] {"tguard","basicAuth","csp"};

+	private static String[] certIDs;

+	

+	private static Map<String,Set<String>> trusted =null;

+

+	public AAFListedCertIdentity(Access access, AAFCon<?> aafcon) throws APIException {

+		synchronized(AAFListedCertIdentity.class) {

+			if(certIDs==null) {

+				String cip = access.getProperty(Config.AAF_CERT_IDS, null);

+				if(cip!=null) {

+					certIDs = Split.split(',',cip);

+				}

+			}

+			if(certIDs!=null && certs==null) {

+				TimerTask cu = new CertUpdate(aafcon);

+				cu.run(); // want this to run in this thread first...

+				new Timer("AAF Identity Refresh Timer",true).scheduleAtFixedRate(cu, EIGHT_HOURS,EIGHT_HOURS);

+			}

+		}

+	}

+

+	public static Set<String> trusted(String authMech) {

+		return trusted.get(authMech);

+	}

+	

+	public Principal identity(HttpServletRequest req, X509Certificate cert,	byte[] certBytes) throws CertificateException {

+		if(cert==null && certBytes==null)return null;

+		if(certBytes==null)certBytes = cert.getEncoded();

+		byte[] fingerprint = X509Taf.getFingerPrint(certBytes);

+		String id = certs.get(new ByteArrayHolder(fingerprint));

+		if(id!=null) { // Caller is Validated

+			return new X509Principal(id,cert,certBytes);

+		}

+		return null;

+	}

+

+	private static class ByteArrayHolder implements Comparable<ByteArrayHolder> {

+		private byte[] ba;

+		public ByteArrayHolder(byte[] ba) {

+			this.ba = ba;

+		}

+		public int compareTo(ByteArrayHolder b) {

+			return Hash.compareTo(ba, b.ba);

+		}

+	}

+	

+	private class CertUpdate extends TimerTask {

+

+		private AAFCon<?> aafcon;

+		public CertUpdate(AAFCon<?> con) {

+			aafcon = con;

+		}

+		

+		@Override

+		public void run() {

+			try {

+				TreeMap<ByteArrayHolder, String> newCertsMap = new TreeMap<ByteArrayHolder,String>();

+				Map<String,Set<String>> newTrustMap = new TreeMap<String,Set<String>>();

+				Set<String> userLookup = new HashSet<String>();

+				for(String s : certIDs) {

+					userLookup.add(s);

+				}

+				for(String authMech : authMechanisms) {

+					Future<Users> fusr = aafcon.client(AAF_VERSION).read("/authz/users/perm/org.onap.aaf.trust/"+authMech+"/authenticate", Users.class, aafcon.usersDF);

+					if(fusr.get(5000)) {

+						List<User> users = fusr.value.getUser();

+						if(users.isEmpty()) {

+							aafcon.access.log(Level.WARN, "AAF Lookup-No IDs in Role com.att.aaf.trustForID <> "+authMech);

+						} else {

+							aafcon.access.log(Level.INFO,"Loading Trust Authentication Info for",authMech);

+							Set<String> hsUser = new HashSet<String>();

+							for(User u : users) {

+								userLookup.add(u.getId());

+								hsUser.add(u.getId());

+							}

+							newTrustMap.put(authMech,hsUser);

+						}

+					} else {

+						aafcon.access.log(Level.WARN, "Could not get Users in Perm com.att.trust|tguard|authenticate",fusr.code(),fusr.body());

+					}

+					

+				}

+				

+				for(String u : userLookup) {

+					Future<Certs> fc = aafcon.client(AAF_VERSION).read("/authn/cert/id/"+u, Certs.class, aafcon.certsDF);

+					XMLGregorianCalendar now = Chrono.timeStamp();

+					if(fc.get(5000)) {

+						List<Cert> certs = fc.value.getCert();

+						if(certs.isEmpty()) {

+							aafcon.access.log(Level.WARN, "No Cert Associations for",u);

+						} else {

+							for(Cert c : fc.value.getCert()) {

+								XMLGregorianCalendar then =c.getExpires();

+								if(then !=null && then.compare(now)>0) {

+									newCertsMap.put(new ByteArrayHolder(c.getFingerprint()), c.getId());

+									aafcon.access.log(Level.INIT,"Associating "+ c.getId() + " expiring " + Chrono.dateOnlyStamp(c.getExpires()) + " with " + c.getX500());

+								}

+							}

+						}

+					} else {

+						aafcon.access.log(Level.WARN, "Could not get Certificates for",u);

+					}

+				}

+

+				certs = newCertsMap;

+				trusted = newTrustMap;

+			} catch(Exception e) {

+				aafcon.access.log(e, "Failure to update Certificate Identities from AAF");

+			}

+		}

+	}

+}