5 files changed, 582 insertions, 0 deletions
diff --git a/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java b/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java
new file mode 100644
index 0000000..03a7961
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import com.att.cadi.GetCred;
+import com.att.cadi.Symm;
+
+public class ConfigPrincipal implements Principal, GetCred {
+	private String name;
+	private byte[] cred;
+	private String content;
+
+	public ConfigPrincipal(String name, String passwd) {
+		this.name = name;
+		this.cred = passwd.getBytes();
+		content = null;
+	}
+
+	public ConfigPrincipal(String name, byte[] cred) {
+		this.name = name;
+		this.cred = cred;
+		content = null;
+	}
+
+	public String getName() {
+		return name;
+	}
+	
+	public byte[] getCred() {
+		return cred;
+	}
+
+	public String toString() {
+		return name;
+	}
+	
+	public String getAsBasicAuthHeader() throws IOException {
+		if(content ==null) {
+			String s = name + ':' + new String(cred);
+			content = "Basic " + Symm.base64.encode(s);  
+		} else if(!content.startsWith("Basic ")) { // content is the saved password from construction
+			String s = name + ':' + content;
+			content = "Basic " + Symm.base64.encode(s);  
+		}
+		return content;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/lur/EpiLur.java b/core/src/main/java/com/att/cadi/lur/EpiLur.java
new file mode 100644
index 0000000..de6c057
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/EpiLur.java
@@ -0,0 +1,168 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import java.security.Principal;
+import java.util.List;
+
+import com.att.cadi.CachingLur;
+import com.att.cadi.CadiException;
+import com.att.cadi.CredVal;
+import com.att.cadi.Lur;
+import com.att.cadi.Permission;
+
+/**
+ * EpiLUR
+ * 
+ * Short for "Epic LUR". Be able to run through a series of LURs to obtain the validation needed.
+ * 
+ * The pun is better for the other pattern... "TAF" (aka EpiTaf), but it's still the larger picture of 
+ * LURs that will be accomplished.
+ * 
+ * FYI, the reason we separate LURs, rather than combine, is that Various User Repository Resources have
+ * different Caching requirements.  For instance, the Local User Repo (with stand alone names), never expire, but might be
+ * refreshed with a change in Configuration File, while the Remote Service based LURs will need to expire at prescribed intervals 
+ * 
+ *
+ */
+public final class EpiLur implements Lur {
+	private final Lur[] lurs;
+	
+	/**
+	 * EpiLur constructor
+	 * 
+	 * Construct the EpiLur from variable TAF parameters
+	 * @param lurs
+	 * @throws CadiException
+	 */
+	public EpiLur(Lur ... lurs) throws CadiException{
+		this.lurs = lurs;
+		if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor");
+	}
+
+	public boolean fish(Principal bait, Permission pond) {
+		if(pond==null) {
+			return false;
+		}
+		boolean rv = false;
+		Lur lur;
+		for(int i=0;!rv && i<lurs.length;++i) {
+			rv = (lur = lurs[i]).fish(bait, pond);
+			if(!rv && lur.handlesExclusively(pond)) break;
+		}
+		return rv;
+	}
+
+	public void fishAll(Principal bait, List<Permission> permissions) {
+		for(Lur lur : lurs) {
+			lur.fishAll(bait, permissions);
+		}
+	}
+
+	public void destroy() {
+		for(Lur lur : lurs) {
+			lur.destroy();
+		}
+	}
+
+	/**
+	 * Return the first Lur (if any) which also implements UserPass 
+	 * @return
+	 */
+	public CredVal getUserPassImpl() {
+		for(Lur lur : lurs) {
+			if(lur instanceof CredVal) {
+				return (CredVal)lur;
+			}
+		}
+		return null;
+	}
+
+	// Never needed... Only EpiLur uses...
+	public boolean handlesExclusively(Permission pond) {
+		return false;
+	}
+	
+	/**
+	 * Get Lur for index.  Returns null if out of range
+	 * @param idx
+	 * @return
+	 */
+	public Lur get(int idx) {
+		if(idx>=0 && idx<lurs.length) {
+			return lurs[idx];
+		}
+		return null;
+	}
+
+	public boolean supports(String userName) {
+		for(Lur l : lurs) {
+			if(l.supports(userName))return true;
+		}
+		return false;
+	}
+
+	public void remove(String id) {
+		for(Lur l : lurs) {
+			if(l instanceof CachingLur) {
+				((CachingLur<?>)l).remove(id);
+			}
+		}
+	}
+	
+	public Lur subLur(Class<? extends Lur> cls ) {
+		for(Lur l : lurs) {
+			if(l.getClass().isAssignableFrom(cls)) {
+				return l;
+			}
+		}
+		return null;
+	}
+
+	@Override
+	public Permission createPerm(String p) {
+		return new LocalPermission(p);
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
+	 */
+	@Override
+	public void clear(Principal p, StringBuilder report) {
+		for(Lur lur : lurs) {
+			lur.clear(p, report);
+		}
+	}
+	
+	public String toString() {
+		StringBuilder sb = new StringBuilder();
+		for(Lur lur : lurs) {
+			sb.append(lur.getClass().getSimpleName());
+			sb.append(": Report\n");
+			sb.append(lur.toString());
+			sb.append('\n');
+		}
+		return sb.toString();
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/lur/LocalLur.java b/core/src/main/java/com/att/cadi/lur/LocalLur.java
new file mode 100644
index 0000000..80b302a
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/LocalLur.java
@@ -0,0 +1,202 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeSet;
+
+import com.att.cadi.AbsUserCache;
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.CredVal;
+import com.att.cadi.Hash;
+import com.att.cadi.Permission;
+import com.att.cadi.StrLur;
+import com.att.cadi.User;
+import com.att.cadi.config.Config;
+
+
+/**
+ * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms.
+ * 
+ *
+ */
+public final class LocalLur extends AbsUserCache<LocalPermission> implements StrLur, CredVal {
+	public static final String SEMI = "\\s*;\\s*";
+	public static final String COLON = "\\s*:\\s*";
+	public static final String COMMA = "\\s*,\\s*";
+	public static final String PERCENT = "\\s*%\\s*";
+	
+	// Use to quickly determine whether any given group is supported by this LUR
+	private final Set<String> supportingGroups;
+	private String supportedRealm; 
+	
+	/**
+	 * Construct by building structure, see "build"
+	 * 
+	 * Reconstruct with "build"
+	 * 
+	 * @param userProperty
+	 * @param groupProperty
+	 * @param decryptor
+	 * @throws IOException
+	 */
+	public LocalLur(Access access, String userProperty, String groupProperty) throws IOException {
+		super(access, 0, 0, Integer.MAX_VALUE);  // data doesn't expire
+		supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
+		supportingGroups = new TreeSet<String>();
+		
+		if(userProperty!=null) {
+			// For each User name...
+			for(String user : userProperty.trim().split(SEMI)) {
+				String[] us = user.split(COLON,2);
+				String[] userpass = us[0].split(PERCENT,2);
+				String u;
+				User<LocalPermission> usr;
+				if(userpass.length>1) {
+					if(userpass.length>0 && userpass[0].indexOf('@')<0) {
+						userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
+					}
+
+					u = userpass[0];
+					byte[] pass = access.decrypt(userpass[1], true).getBytes();
+					usr = new User<LocalPermission>(new ConfigPrincipal(u, pass));
+				} else {
+					u = us[0];
+					usr = new User<LocalPermission>(new ConfigPrincipal(u, (byte[])null));
+				}
+				addUser(usr);
+				access.log(Level.INIT, "Local User:",usr.principal);
+				
+				if(us.length>1) {
+					Map<String, Permission> newMap = usr.newMap();
+					for(String group : us[1].split(COMMA)) {
+						supportingGroups.add(group);
+						usr.add(newMap,new LocalPermission(group));
+					}
+					usr.setMap(newMap);
+				}
+			}
+		}
+		if(groupProperty!=null) {
+			// For each Group name...
+			for(String group : groupProperty.trim().split(SEMI)) {
+				String[] gs = group.split(COLON,2);
+				if(gs.length>1) {
+					supportingGroups.add(gs[0]);
+					LocalPermission p = new LocalPermission(gs[0]);
+					// Add all users (known by comma separators)	
+					
+					for(String grpMem : gs[1].split(COMMA)) {
+						// look for password, if so, put in passMap
+						String[] userpass = grpMem.split(PERCENT,2);
+						if(userpass.length>0 && userpass[0].indexOf('@')<0) {
+							userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
+						}
+						User<LocalPermission> usr = getUser(userpass[0]);
+						if(userpass.length>1) {
+							byte[] pass = access.decrypt(userpass[1], true).getBytes();
+							if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],pass)));
+							else usr.principal=new ConfigPrincipal(userpass[0],pass);
+						} else {
+							if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],(byte[])null)));
+						}
+						usr.add(p);
+						access.log(Level.INIT, "Local User:",usr.principal);
+					}
+				}
+			}
+		}
+	}
+	
+	public boolean validate(String user, CredVal.Type type, byte[] cred) {
+		User<LocalPermission> usr = getUser(user);
+		switch(type) {
+			case PASSWORD:
+				// covers null as well as bad pass
+				if(usr!=null && cred!=null && usr.principal instanceof ConfigPrincipal) {
+					return Hash.isEqual(cred,((ConfigPrincipal)usr.principal).getCred());
+				}
+				break;
+		}
+		return false;
+	}
+
+	//	@Override
+	public boolean fish(Principal bait, Permission pond) {
+		if(supports(bait.getName()) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
+				User<LocalPermission> user = getUser(bait);
+				return user==null?false:user.contains((LocalPermission)pond);
+			}
+		return false;
+	}
+
+	public boolean fish(String bait, Permission pond) {
+		if(supports(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
+			User<LocalPermission> user = getUser(bait);
+			return user==null?false:user.contains((LocalPermission)pond);
+		}
+		return false;
+	}
+
+	// We do not want to expose the actual Group, so make a copy.
+	public void fishAll(Principal bait, List<Permission> perms) {
+		if(supports(bait.getName())) {
+			User<LocalPermission> user = getUser(bait);
+			if(user!=null) {
+				user.copyPermsTo(perms);
+			}
+		}
+	}
+
+	public void fishAll(String bait, List<Permission> perms) {
+		if(supports(bait)) {
+			User<LocalPermission> user = getUser(bait);
+			if(user!=null) {
+				user.copyPermsTo(perms);
+			}
+		}
+	}
+
+	public boolean supports(String userName) {
+		return userName!=null && userName.endsWith(supportedRealm);
+	}
+
+	public boolean handlesExclusively(Permission pond) {
+		return supportingGroups.contains(pond.getKey());
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#createPerm(java.lang.String)
+	 */
+	@Override
+	public Permission createPerm(String p) {
+		return new LocalPermission(p);
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/lur/LocalPermission.java b/core/src/main/java/com/att/cadi/lur/LocalPermission.java
new file mode 100644
index 0000000..8fdaec2
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/LocalPermission.java
@@ -0,0 +1,52 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import com.att.cadi.Permission;
+
+public class LocalPermission implements Permission {
+	private String key;
+	
+	public LocalPermission(String role) {
+		this.key = role;
+	}
+	
+	public String getKey() {
+		return key;
+	}
+
+	public String toString() {
+		return key;
+	}
+
+	public boolean match(Permission p) {
+		return key.equals(p.getKey());
+	}
+
+	public String permType() {
+		return "LOCAL";
+	}
+	
+	
+}
diff --git a/core/src/main/java/com/att/cadi/lur/NullLur.java b/core/src/main/java/com/att/cadi/lur/NullLur.java
new file mode 100644
index 0000000..91fb7bb
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/NullLur.java
@@ -0,0 +1,89 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import java.security.Principal;
+import java.util.List;
+
+import com.att.cadi.Lur;
+import com.att.cadi.Permission;
+
+public class NullLur implements Lur {
+	private static final Permission NULL = new Permission() {
+		@Override
+		public String permType() {
+			return "";
+		}
+
+		@Override
+		public String getKey() {
+			return "";
+		}
+
+		@Override
+		public boolean match(Permission p) {
+			return false;
+		}};
+
+	public boolean fish(Principal bait, Permission pond) {
+		// Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own
+//		System.err.println("CADI's LUR has not been configured, but is still being called.  Access is being denied");
+		return false;
+	}
+
+	public void fishAll(Principal bait,	List<Permission> permissions) {
+	}
+
+	public void destroy() {
+	}
+
+	public boolean handlesExclusively(Permission pond) {
+		return false;
+	}
+
+	public boolean supports(String userName) {
+		return false;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#createPerm(java.lang.String)
+	 */
+	@Override
+	public Permission createPerm(String p) {
+		return NULL;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
+	 */
+	@Override
+	public void clear(Principal p, StringBuilder report) {
+		report.append(NullLur.class.getSimpleName());
+		report.append('\n');
+	}
+	
+	public String toString() {
+		return NullLur.class.getSimpleName() + '\n';
+	}
+}