Diffstat (limited to 'core/src/main/java/org/onap/aaf/cadi/taf')
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java116
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java84
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java185
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java60
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java87
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java64
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java73
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java71
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java32
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java94
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java77
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java79
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java159
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java63
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java46
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java52
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java257
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java370
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java48
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java130
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java81
21 files changed, 0 insertions, 2228 deletions
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
deleted file mode 100644
index 6a7f15e..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-/**
- * AbsTafResp
- *
- * Base class for TafResp (TAF Response Objects)
- *
- */
-public abstract class AbsTafResp implements TafResp {
-
- protected final String desc;
- protected final Principal principal;
- protected final Access access;
-
- /**
- * AbsTafResp
- *
- * Set and hold
- * Description (for logging)
- * Principal (as created by derived class)
- * Access (for access to underlying container, i.e. for Logging, auditing, ClassLoaders, etc)
- *
- * @param access
- * @param principal
- * @param description
- */
- public AbsTafResp(Access access, Principal principal, String description) {
- this.access = access;
- this.principal = principal;
- this.desc = description;
- }
-
- /**
- * isValid()
- *
- * Respond in the affirmative if the TAF was able to Authenticate
- */
- public boolean isValid() {
- return principal!=null;
- }
-
- /**
- * desc()
- *
- * Respond with description of response as given by the TAF
- */
- public String desc() {
- return desc;
- }
-
- /**
- * isAuthenticated()
- *
- * Respond with the TAF's code of whether Authenticated, or suggested next steps
- * default is either IS_AUTHENTICATED, or TRY_ANOTHER_TAF. The TAF can overload
- * and suggest others, such as "NO_FURTHER_PROCESSING", if it can detect that this
- * is some sort of security breach (i.e. Denial of Service)
- */
- public RESP isAuthenticated() {
- return principal==null?RESP.TRY_ANOTHER_TAF:RESP.IS_AUTHENTICATED;
- }
-
- /**
- * getPrincipal()
- *
- * Return the principal created by the TAF based on Authentication.
- *
- * Returns "null" if Authentication failed (no principal)
- */
- public Principal getPrincipal() {
- return principal;
- }
-
- /**
- * getAccess()
- *
- * Get the Access object from the TAF, so that appropriate Logging, etc can be coordinated.
- */
- public Access getAccess() {
- return access;
- }
-
- /* (non-Javadoc)
- * @see com.att.cadi.taf.TafResp#isFailedAttempt()
- */
- public boolean isFailedAttempt() {
- return false;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
deleted file mode 100644
index 7cb40ed..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.Taf;
-
-/**
- * EpiTAF
- *
- * Short for "Epic TAF". Be able to run through a series of TAFs to obtain the validation needed.
- *
- * OK, the name could probably be better as "Tafs", like it was originally, but the pun was too
- * irresistible for this author to pass up.
- *
- *
- */
-public class EpiTaf implements Taf {
- private Taf[] tafs;
-
- /**
- * EpiTaf constructor
- *
- * Construct the EpiTaf from variable TAF parameters
- * @param tafs
- * @throws CadiException
- */
- public EpiTaf(Taf ... tafs) throws CadiException{
- this.tafs = tafs;
- if(tafs.length==0) throw new CadiException("Need at least one Taf implementation in constructor");
- }
-
- /**
- * validate
- *
- * Respond with the first TAF to authenticate user based on variable info and "LifeForm" (is it
- * a human behind an interface, or a server behind a protocol).
- *
- * If there is no TAF that can authenticate, respond with the first TAF that suggests it can
- * establish an Authentication conversation (TRY_AUTHENTICATING).
- *
- * If no TAF declares either, respond with NullTafResp (which denies all questions)
- */
- public TafResp validate(LifeForm reading, String... info) {
- TafResp tresp,firstTryAuth=null;
- for(Taf taf : tafs) {
- tresp = taf.validate(reading, info);
- switch(tresp.isAuthenticated()) {
- case TRY_ANOTHER_TAF:
- break;
- case TRY_AUTHENTICATING:
- if(firstTryAuth==null)firstTryAuth=tresp;
- break;
- default:
- return tresp;
- }
- }
-
- // No TAFs configured, at this point. It is safer at this point to be "not validated",
- // rather than "let it go"
- return firstTryAuth == null?NullTafResp.singleton():firstTryAuth;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
deleted file mode 100644
index 05832f7..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.Locator;
-import org.onap.aaf.cadi.TrustChecker;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.Taf.LifeForm;
-
-/**
- * HttpEpiTaf
- *
- * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials
- *
- *
- */
-public class HttpEpiTaf implements HttpTaf {
- private HttpTaf[] tafs;
- private Access access;
- private Locator<URI> locator;
- private TrustChecker trustChecker;
-
- /**
- * HttpEpiTaf constructor
- *
- * Construct the HttpEpiTaf from variable Http specific TAF parameters
-
- * @param tafs
- * @throws CadiException
- */
- public HttpEpiTaf(Access access, Locator<URI> locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{
- this.tafs = tafs;
- this.access = access;
- this.locator = locator;
- this.trustChecker = tc;
- // Establish what Header Property to look for UserChain/Trust Props
-// trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT);
-
- if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor");
- }
-
- /**
- * validate
- *
- * Respond with the first Http specific TAF to authenticate user based on variable info
- * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol).
- *
- * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can
- * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP
- * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm
- * submission
- *
- * If no TAF declares either, respond with NullTafResp (which denies all questions)
- */
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- // Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings
- if(reading==LifeForm.LFN) {
- reading = tricorderScan(req);
- }
- TafResp tresp=null, firstTry = null;
- List<Redirectable> redirectables = null;
-
- for(HttpTaf taf : tafs) {
- tresp = taf.validate(reading, req, resp);
- switch(tresp.isAuthenticated()) {
- case TRY_ANOTHER_TAF:
- break; // and loop
- case TRY_AUTHENTICATING:
- if(tresp instanceof Redirectable) {
- if(redirectables==null) {
- redirectables = new ArrayList<Redirectable>();
- }
- redirectables.add((Redirectable)tresp);
- } else if(firstTry==null) {
- firstTry = tresp;
- }
- break;
- case IS_AUTHENTICATED:
- tresp = trustChecker.mayTrust(tresp, req);
- return tresp;
- default:
- return tresp;
- }
- }
-
- // If No TAFs configured, at this point. It is safer at this point to be "not validated",
- // rather than "let it go"
- // Note: if exists, there will always be more than 0 entries, according to above code
- if(redirectables==null) {
- return firstTry!=null?firstTry:NullTafResp.singleton();
- }
-
- // If there is one Tryable entry then return it
- if(redirectables.size()>1) {
- return LoginPageTafResp.create(access,locator,resp,redirectables);
- } else {
- return redirectables.get(0);
- }
- }
-
- public boolean revalidate(Principal prin) throws Exception {
- return false;
- }
-
- /*
- * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind
- * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical
- * id (SiliconBasedLifeForm)? This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs
- */
- private LifeForm tricorderScan(HttpServletRequest req) {
- // For simplicity's sake, we'll say Humans use FQDNs, not IPs.
-
- String auth = req.getParameter("Authentication");
- if(auth!=null) {
- if("BasicAuth".equals(auth)) {
- return LifeForm.SBLF;
- }
- }
- // Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are.
- // If mechanical frameworks are found that populate this, then more advanced analysis may be required
- // 1/22/2013
- String agent = req.getHeader("User-Agent");
- if(agent!=null && agent.startsWith("Mozilla")) // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent
- return LifeForm.CBLF;
- return LifeForm.SBLF; // notably skips "curl","wget", (which is desired behavior. We don't want to try CSP, etc on these)
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- Resp resp;
- for(HttpTaf taf : tafs) {
- resp = taf.revalidate(prin);
- switch(resp) {
- case NOT_MINE:
- break;
- default:
- return resp;
- }
- }
- return Resp.NOT_MINE;
- }
-
- /**
- * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE
- * like Eclipse.
- */
- public String toString() {
- StringBuilder sb = new StringBuilder();
- for(HttpTaf ht : tafs) {
- sb.append(ht.toString());
- sb.append(". ");
- }
- return sb.toString();
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
deleted file mode 100644
index 325de6a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.Taf.LifeForm;
-
-/**
- * A TAF which is in a specific HTTP environment in which the engine implements
- * javax Servlet.
- *
- * Using the Http Request and Response interfaces takes the effort out of implementing in almost any kind of
- * HTTP Container or Engine.
- *
- *
- */
-public interface HttpTaf {
- /**
- * validate
- *
- * Validate the Request, and respond with created TafResp object.
- *
- * @param reading
- * @param req
- * @param resp
- * @return
- */
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp);
-
- /**
- * Re-Validate Credential
- *
- * @param prin
- * @return
- */
- public CachedPrincipal.Resp revalidate(CachedPrincipal prin);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
deleted file mode 100644
index b6bb385..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.net.URI;
-import java.util.List;
-
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.Locator;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.Locator.Item;
-
-public class LoginPageTafResp extends AbsTafResp {
- private final HttpServletResponse httpResp;
- private final String loginPageURL;
-
- private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) {
- super(access, null, "Multiple Possible HTTP Logins available. Redirecting to Login Choice Page");
- httpResp = resp;
- this.loginPageURL = loginPageURL;
- }
-
- @Override
- public RESP authenticate() throws IOException {
- httpResp.sendRedirect(loginPageURL);
- return RESP.HTTP_REDIRECT_INVOKED;
- }
-
- @Override
- public RESP isAuthenticated() {
- return RESP.TRY_AUTHENTICATING;
- }
-
- public static TafResp create(Access access, Locator<URI> locator, final HttpServletResponse resp, List<Redirectable> redir) {
- if(locator!=null) {
- try {
- Item item = locator.best();
- URI uri = locator.get(item);
- if(uri!=null) {
- StringBuilder sb = new StringBuilder(uri.toString());
- String query = uri.getQuery();
- boolean first = query==null || query.length()==0;
- int count=0;
- for(Redirectable t : redir) {
- if(first) {
- sb.append('?');
- first=false;
- }
- else sb.append('&');
- sb.append(t.get());
- ++count;
- }
- if(count>0)return new LoginPageTafResp(access, resp, sb.toString());
- }
- } catch (Exception e) {
- access.log(e, "Error deriving Login Page location");
- }
- } else if(!redir.isEmpty()) {
- access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf");
- return redir.get(0);
- }
- return NullTafResp.singleton();
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
deleted file mode 100644
index fb1b930..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-
-
-/**
- * This TAF is set at the very beginning of Filters and Valves so that if any configuration issues hit while
- * starting, the default behavior is to shut down traffic rather than leaving an open hole
- *
- *
- */
-public class NullTaf implements Taf, HttpTaf {
- // Singleton Pattern
- public NullTaf() {}
-
- /**
- * validate
- *
- * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
- */
- public TafResp validate(LifeForm reading, String... info) {
- return NullTafResp.singleton();
- }
-
- /**
- * validate
- *
- * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
- */
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- return NullTafResp.singleton();
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- return Resp.NOT_MINE;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
deleted file mode 100644
index 97e49e0..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-/**
- * A Null Pattern for setting responses to "Deny" before configuration is setup.
- *
- */
-class NullTafResp implements TafResp {
- private NullTafResp(){}
-
- private static TafResp singleton = new NullTafResp();
-
- public static TafResp singleton() {
- return singleton;
- }
-
- public boolean isValid() {
- return false;
- }
-
- public RESP isAuthenticated() {
- return RESP.NO_FURTHER_PROCESSING;
- }
-
- public String desc() {
- return "All Authentication denied";
- }
-
- public RESP authenticate() throws IOException {
- return RESP.NO_FURTHER_PROCESSING;
- }
-
- public Principal getPrincipal() {
- return null;
- }
-
- public Access getAccess() {
- return Access.NULL;
- }
-
- /* (non-Javadoc)
- * @see com.att.cadi.taf.TafResp#isFailedAttempt()
- */
- public boolean isFailedAttempt() {
- return true;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
deleted file mode 100644
index 10c401a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-/**
- * A Punt Resp to make it fast and easy for a Taf to respond that it cannot handle a particular kind of
- * request. It is always the same object, so there is no cost for memory, etc.
- *
- */
-public class PuntTafResp implements TafResp {
- private PuntTafResp(){}
-
- private static TafResp singleton = new PuntTafResp();
-
- public static TafResp singleton() {
- return singleton;
- }
-
- public boolean isValid() {
- return false;
- }
-
- public RESP isAuthenticated() {
- return RESP.TRY_ANOTHER_TAF;
- }
-
- public String desc() {
- return "This Taf can or will not handle this authentication";
- }
-
- public RESP authenticate() throws IOException {
- return RESP.TRY_ANOTHER_TAF;
- }
-
- public Principal getPrincipal() {
- return null;
- }
-
- public Access getAccess() {
- return NullTafResp.singleton().getAccess();
- }
-
- public boolean isFailedAttempt() {
- return false;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java b/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
deleted file mode 100644
index 6e20bab..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-public interface Redirectable extends TafResp {
- /**
- * Create a Redirectable URL entry prefaced by a URLEncoder.String for a Menu
- * example:
- * "Global Login=https://xxxx....."
- */
- public String get();
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
deleted file mode 100644
index cb0915a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CadiException;
-
-/**
- * Response from Taf objects, which inform users what has happened and/or what should be done
- *
- *
- */
-public interface TafResp {
- public static enum RESP {
- IS_AUTHENTICATED,
- NO_FURTHER_PROCESSING,
- TRY_AUTHENTICATING,
- TRY_ANOTHER_TAF,
- FAIL,
- // A note was made to avoid the response REDIRECT. However, I have deemed that it is
- // unavoidable when the underlying TAF did do a REDIRECT, because it requires a HTTP
- // Service code to exit without modifying the Response any further.
- // Therefore, I have changed this to indicate what HAS happened, with should accommodate
- // both positions. JG 10/18/2012
-// public static final int HTTP_REDIRECT_INVOKED = 11;
- HTTP_REDIRECT_INVOKED,
- HAS_PROCESSED};
-
- /**
- * Basic success check
- * @return
- */
- public boolean isValid();
-
- /**
- * String description of what has occurred (for logging/exceptions)
- * @return
- */
- public String desc();
-
- /**
- * Check Response
- * @return
- */
- public RESP isAuthenticated();
-
- /**
- * Authenticate, returning FAIL or Other Valid indication
- *
- * HTTP implementations should watch for "HTTP_REDIRECT_INVOKED", and end the HTTP call appropriately.
- * @return
- * @throws CadiException
- */
- public RESP authenticate() throws IOException;
-
- /**
- * Once authenticated, this object should hold a Principal created from the authorization
- * @return
- */
- public Principal getPrincipal();
-
- /**
- * get the Access object which created this object, allowing the responder to appropriate Log, etc
- */
- public Access getAccess();
-
- /**
- * Be able to check if part of a Failed attempt
- */
- public boolean isFailedAttempt();
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
deleted file mode 100644
index 2ab4a62..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-public class TrustNotTafResp implements TafResp {
- private final TafResp delegate;
- private final String desc;
-
- public TrustNotTafResp(final TafResp delegate, final String desc) {
- this.delegate = delegate;
- this.desc = desc;
- }
-
- @Override
- public boolean isValid() {
- return false;
- }
-
- @Override
- public String desc() {
- return desc;
- }
-
- @Override
- public RESP isAuthenticated() {
- return RESP.NO_FURTHER_PROCESSING;
- }
-
- @Override
- public RESP authenticate() throws IOException {
- return RESP.NO_FURTHER_PROCESSING;
- }
-
- @Override
- public Principal getPrincipal() {
- return delegate.getPrincipal();
- }
-
- @Override
- public Access getAccess() {
- return delegate.getAccess();
- }
-
- @Override
- public boolean isFailedAttempt() {
- return true;
- }
-
- public String toString() {
- return desc();
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
deleted file mode 100644
index cd4c92f..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-public class TrustTafResp implements TafResp {
- private final TafResp delegate;
- private final Principal principal;
- private final String desc;
-
- public TrustTafResp(final TafResp delegate, final Principal principal, final String desc) {
- this.delegate = delegate;
- this.principal = principal;
- this.desc = desc + ' ' + delegate.desc();
- }
-
- @Override
- public boolean isValid() {
- return delegate.isValid();
- }
-
- @Override
- public String desc() {
- return desc;
- }
-
- @Override
- public RESP isAuthenticated() {
- return delegate.isAuthenticated();
- }
-
- @Override
- public RESP authenticate() throws IOException {
- return delegate.authenticate();
- }
-
- @Override
- public Principal getPrincipal() {
- return principal;
- }
-
- @Override
- public Access getAccess() {
- return delegate.getAccess();
- }
-
- @Override
- public boolean isFailedAttempt() {
- return delegate.isFailedAttempt();
- }
-
- public String toString() {
- return principal.getName() + " by trust of " + desc();
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
deleted file mode 100644
index f6cc3a7..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
+++ /dev/null
@@ -1,159 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.basic;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.BasicCred;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CredVal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.CredVal.Type;
-import org.onap.aaf.cadi.principal.BasicPrincipal;
-import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
-import org.onap.aaf.cadi.taf.HttpTaf;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
-
-/**
- * BasicHttpTaf
- *
- * This TAF implements the "Basic Auth" protocol.
- *
- * WARNING! It is true for any implementation of "Basic Auth" that the password is passed unencrypted.
- * This is because the expectation, when designed years ago, was that it would only be used in
- * conjunction with SSL (https). It is common, however, for users to ignore this on the assumption that
- * their internal network is secure, or just ignorance. Therefore, a WARNING will be printed
- * when the HTTP Channel is not encrypted (unless explicitly turned off).
- *
- *
- */
-public class BasicHttpTaf implements HttpTaf {
- private Access access;
- private String realm;
- private CredVal rbac;
- private boolean warn;
- private long timeToLive;
-
- public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) {
- this.access = access;
- this.realm = realm;
- this.rbac = rbac;
- this.warn = turnOnWarning;
- this.timeToLive = timeToLive;
- }
-
- /**
- * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.
- * @see Taf
- */
- public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- // See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately
- if(req instanceof BasicCred) {
- BasicCred bc = (BasicCred)req;
- if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null
- if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) {
- return DenialOfServiceTaf.respDenyID(access,bc.getUser());
- }
- CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
- // ONLY FOR Last Ditch DEBUGGING...
- // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
- if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred())) {
- return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
- } else {
- //TODO may need timed retries in a given time period
- return new BasicHttpTafResp(access,null,buildMsg(bp,req,"User/Pass combo invalid for ",bc.getUser()),
- RESP.TRY_AUTHENTICATING,resp,realm,true);
- }
- }
- }
- // Get User/Password from Authorization Header value
- String authz = req.getHeader("Authorization");
- if(authz != null && authz.startsWith("Basic ")) {
- if(warn&&!req.isSecure()) {
- access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
- }
- try {
- CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive);
- if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
- return DenialOfServiceTaf.respDenyID(access,ba.getName());
- }
-
- // ONLY FOR Last Ditch DEBUGGING...
- // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
- if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())) {
- return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
- } else {
- //TODO may need timed retries in a given time period
- return new BasicHttpTafResp(access,null,buildMsg(ba,req,"User/Pass combo invalid"),
- RESP.TRY_AUTHENTICATING,resp,realm,true);
- }
- } catch (IOException e) {
- String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')');
- access.log(Level.INFO,msg);
- return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true);
- }
- }
- return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false);
- }
-
- protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {
- StringBuilder sb = new StringBuilder();
- for(Object s : msg) {
- sb.append(s.toString());
- }
- if(pr!=null) {
- sb.append(" for ");
- sb.append(pr.getName());
- }
- sb.append(" from ");
- sb.append(req.getRemoteAddr());
- sb.append(':');
- sb.append(req.getRemotePort());
- return sb.toString();
- }
-
- @Override
- public Resp revalidate(CachedPrincipal prin) {
- if(prin instanceof BasicPrincipal) {
- BasicPrincipal ba = (BasicPrincipal)prin;
- if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
- return Resp.UNVALIDATED;
- }
- return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())?Resp.REVALIDATED:Resp.UNVALIDATED;
- }
- return Resp.NOT_MINE;
- }
-
- public String toString() {
- return "Basic Auth enabled on realm: " + realm;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
deleted file mode 100644
index 45eab48..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.basic;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.taf.AbsTafResp;
-import org.onap.aaf.cadi.taf.TafResp;
-
-public class BasicHttpTafResp extends AbsTafResp implements TafResp {
- private HttpServletResponse httpResp;
- private String realm;
- private RESP status;
- private final boolean wasFailed;
-
- public BasicHttpTafResp(Access access, Principal principal, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) {
- super(access,principal, description);
- httpResp = resp;
- this.realm = realm;
- this.status = status;
- this.wasFailed = wasFailed;
- }
-
- public RESP authenticate() throws IOException {
- httpResp.setStatus(401); // Unauthorized
- httpResp.setHeader("WWW-Authenticate", "Basic realm=\""+realm+'"');
- return RESP.HTTP_REDIRECT_INVOKED;
- }
-
- public RESP isAuthenticated() {
- return status;
- }
-
- public boolean isFailedAttempt() {
- return wasFailed;
- }
-
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java
deleted file mode 100644
index 1d84d67..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.cert;
-
-import java.security.Principal;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-import javax.servlet.http.HttpServletRequest;
-
-public interface CertIdentity {
- /**
- * identity from X509Certificate Object and/or certBytes
- *
- * If you have both, include them. If you only have one, leave the other null, and it will be generated if needed
- *
- * The Request is there to obtain Header or Attribute info of ultimate user
- *
- * @param req
- * @param cert
- * @param certBytes
- * @return
- * @throws CertificateException
- */
- public Principal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException;
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
deleted file mode 100644
index f301fc2..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.cert;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.taf.AbsTafResp;
-import org.onap.aaf.cadi.taf.TafResp;
-
-public class X509HttpTafResp extends AbsTafResp implements TafResp {
- private RESP status;
-
- public X509HttpTafResp(Access access, Principal principal, String description, RESP status) {
- super(access, principal, description);
- this.status = status;
- }
-
- public RESP authenticate() throws IOException {
- return RESP.TRY_ANOTHER_TAF;
- }
-
- public RESP isAuthenticated() {
- return status;
- }
-
- public String toString() {
- return status.name();
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
deleted file mode 100644
index 36217cc..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
+++ /dev/null
@@ -1,257 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.cert;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.Signature;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-
-import javax.net.ssl.TrustManagerFactory;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.Lur;
-import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.Taf.LifeForm;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.config.SecurityInfo;
-import org.onap.aaf.cadi.config.SecurityInfoC;
-import org.onap.aaf.cadi.lur.LocalPermission;
-import org.onap.aaf.cadi.principal.TGuardPrincipal;
-import org.onap.aaf.cadi.principal.X509Principal;
-import org.onap.aaf.cadi.taf.HttpTaf;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-import org.onap.aaf.cadi.util.Split;
-
-public class X509Taf implements HttpTaf {
-
- public static final CertificateFactory certFactory;
- public static final MessageDigest messageDigest;
- public static final TrustManagerFactory tmf;
- private Access access;
- private CertIdentity[] certIdents;
- private Lur lur;
- private ArrayList<String> cadiIssuers;
- private String env;
- private SecurityInfo si;
-
- static {
- try {
- certFactory = CertificateFactory.getInstance("X.509");
- messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone
- tmf = TrustManagerFactory.getInstance(SecurityInfoC.SslKeyManagerFactoryAlgorithm);
- } catch (Exception e) {
- throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e);
- }
- }
-
- public X509Taf(Access access, Lur lur, CertIdentity ... cis) throws CertificateException, NoSuchAlgorithmException, CadiException {
- this.access = access;
- env = access.getProperty(Config.AAF_ENV,null);
- if(env==null) {
- throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set.");
- }
- this.lur = lur;
- this.cadiIssuers = new ArrayList<String>();
- for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "CN=ATT CADI Issuing CA 01, OU=CSO, O=ATT, C=US:CN=ATT CADI Issuing CA 02, OU=CSO, O=ATT, C=US").split(":")) {
- cadiIssuers.add(ci);
- }
- try {
- Class<?> dci = access.classLoader().loadClass("com.att.authz.cadi.DirectCertIdentity");
- CertIdentity temp[] = new CertIdentity[cis.length+1];
- System.arraycopy(cis, 0, temp, 1, cis.length);
- temp[0] = (CertIdentity) dci.newInstance();
- certIdents=temp;
- } catch (Exception e) {
- certIdents = cis;
- }
-
- try {
- si = new SecurityInfo(access);
- } catch (GeneralSecurityException | IOException e1) {
- throw new CadiException(e1);
- }
- }
-
- public static final X509Certificate getCert(byte[] certBytes) throws CertificateException {
- ByteArrayInputStream bais = new ByteArrayInputStream(certBytes);
- return (X509Certificate)certFactory.generateCertificate(bais);
- }
-
- public static final byte[] getFingerPrint(byte[] ba) {
- MessageDigest md;
- try {
- md = (MessageDigest)messageDigest.clone();
- } catch (CloneNotSupportedException e) {
- // should never get here
- return new byte[0];
- }
- md.update(ba);
- return md.digest();
- }
-
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- // Check for Mutual SSL
- try {
- X509Certificate[] certarr = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
- if(certarr!=null && certarr.length>0) {
- si.checkClientTrusted(certarr);
- // Note: If the Issuer is not in the TrustStore, it's not added to the Cert list
- if(cadiIssuers.contains(certarr[0].getIssuerDN().toString())) {
- String x500 = certarr[0].getSubjectDN().getName();
- int ou=x500.indexOf("OU=");
- if(ou>0) {
- ou+=3;
- int comma = x500.indexOf(',',ou);
- if(comma>0) {
- String id= x500.substring(ou,comma);
- String idenv[] = id.split(":");
- if(idenv.length==1 || (idenv.length>1 && env.equals(idenv[1]))) {
- return new X509HttpTafResp(access,
- new X509Principal(idenv[0], certarr[0],null),
- id + " validated by CADI x509", RESP.IS_AUTHENTICATED);
- }
- }
- }
- }
- }
-
- byte[] array = null;
- byte[] certBytes = null;
- X509Certificate cert=null;
- String responseText=null;
- String authHeader = req.getHeader("Authorization");
-
- if(certarr!=null) { // If cert !=null, Cert is Tested by Mutual Protocol.
- if(authHeader!=null) { // This is only intended to be a Secure Connection, not an Identity
- return new X509HttpTafResp(access, null, "Certificate verified, but another Identity is presented", RESP.TRY_ANOTHER_TAF);
- }
- cert = certarr[0];
- responseText = ", validated by Mutual SSL Protocol";
- } else { // If cert == null, Get Declared Cert (in header), but validate by having them sign something
- if(authHeader != null && authHeader.startsWith("x509 ")) {
- ByteArrayOutputStream baos = new ByteArrayOutputStream(authHeader.length());
- try {
- array = authHeader.getBytes();
- ByteArrayInputStream bais = new ByteArrayInputStream(array);
- Symm.base64noSplit.decode(bais, baos, 5);
- certBytes = baos.toByteArray();
- cert = getCert(certBytes);
-
- /**
- * Identity from CERT if well know CA and specific encoded information
- */
- // If found Identity doesn't work, try SignedStuff Protocol
-// cert.checkValidity();
-// cert.--- GET FINGERPRINT?
- String stuff = req.getHeader("Signature");
- if(stuff==null)
- return new X509HttpTafResp(access, null, "Header entry 'Signature' required to validate One way X509 Certificate", RESP.TRY_ANOTHER_TAF);
- String data = req.getHeader("Data");
-// if(data==null)
-// return new X509HttpTafResp(access, null, "No signed Data to validate with X509 Certificate", RESP.TRY_ANOTHER_TAF);
-
- // Note: Data Pos shows is "<signatureType> <data>"
-// int dataPos = (stuff.indexOf(' ')); // determine what is Algorithm
- // Get Signature
- bais = new ByteArrayInputStream(stuff.getBytes());
- baos = new ByteArrayOutputStream(stuff.length());
- Symm.base64noSplit.decode(bais, baos);
- array = baos.toByteArray();
-// Signature sig = Signature.getInstance(stuff.substring(0, dataPos)); // get Algorithm from first part of Signature
-
- Signature sig = Signature.getInstance(cert.getSigAlgName());
- sig.initVerify(cert.getPublicKey());
- sig.update(data.getBytes());
- if(!sig.verify(array)) {
- access.log(Level.ERROR, "Signature doesn't Match");
- return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
- }
- responseText = ", validated by Signed Data";
- } catch (Exception e) {
- access.log(e, "Exception while validating Cert");
- return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
- }
-
- } else {
- return new X509HttpTafResp(access, null, "No Certificate Info on Transaction", RESP.TRY_ANOTHER_TAF);
- }
- }
-
- // A cert has been found, match Identify
- Principal prin=null;
-
- for(int i=0;prin==null && i<certIdents.length;++i) {
- if((prin=certIdents[i].identity(req, cert, certBytes))!=null) {
- responseText = prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText;
-// xresp = new X509HttpTafResp(
-// access,
-// prin,
-// prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText,
-// RESP.IS_AUTHENTICATED);
-
- }
- }
-
- // if Principal is found, check for "AS_USER" and whether this entity is trusted to declare
- if(prin!=null) {
- String as_user=req.getHeader(Config.CADI_USER_CHAIN);
- if(as_user!=null) {
- if(as_user.startsWith("TGUARD ") && lur.fish(prin, new LocalPermission("com.att.aaf.trust|"+prin.getName()+"|tguard"))) {
- prin = new TGuardPrincipal(as_user.substring(7));
- responseText=prin.getName() + " set via trust of " + responseText;
- }
- }
- return new X509HttpTafResp(
- access,
- prin,
- responseText,
- RESP.IS_AUTHENTICATED);
- }
- } catch(Exception e) {
- return new X509HttpTafResp(access, null, e.getMessage(), RESP.TRY_ANOTHER_TAF);
- }
-
- return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- return null;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java
deleted file mode 100644
index c55b7eb..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java
+++ /dev/null
@@ -1,370 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.dos;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.FileReader;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.Taf.LifeForm;
-import org.onap.aaf.cadi.taf.HttpTaf;
-import org.onap.aaf.cadi.taf.PuntTafResp;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-
-public class DenialOfServiceTaf implements HttpTaf {
- private static Map<String, Counter> deniedIP=null, deniedID=null;
- private Access access;
- private static File dosIP, dosID;
-
- /**
- *
- * @param hostname
- * @param prod
- * @throws CadiException
- */
- public DenialOfServiceTaf(Access access) throws CadiException {
- this.access = access;
- if(dosIP==null || dosID == null) {
- String dirStr;
- if((dirStr = access.getProperty("aaf_data_dir", null))!=null) {
- dosIP = new File(dirStr+"/dosIP");
- readIP();
- dosID = new File(dirStr+"/dosID");
- readID();
- }
- }
- }
-
- public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
- // Performance, when not needed
- if(deniedIP != null) {
- String ip;
- Counter c = deniedIP.get(ip=req.getRemoteAddr());
- if(c!=null) {
- c.inc();
- return respDenyIP(access,ip);
- }
- }
-
- // Note: Can't process Principal, because this is the first TAF, and no Principal is created.
- // Other TAFs use "isDenied()" on this Object to validate.
- return PuntTafResp.singleton();
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- // We always return NOT MINE, because DOS Taf does not ever validate
- return Resp.NOT_MINE;
- }
-
- /*
- * for use in Other TAFs, before they attempt backend validation of
- */
- public static Counter isDeniedID(String identity) {
- if(deniedID!=null) {
- return deniedID.get(identity);
- }
- return null;
- }
-
- /**
- *
- */
- public static Counter isDeniedIP(String ipvX) {
- if(deniedID!=null) {
- return deniedID.get(ipvX);
- }
- return null;
- }
-
- /**
- * Return of "True" means IP has been added.
- * Return of "False" means IP already added.
- *
- * @param ip
- * @return
- */
- public static synchronized boolean denyIP(String ip) {
- boolean rv = false;
- if(deniedIP==null) {
- deniedIP = new HashMap<String,Counter>();
- deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent
- rv= true;
- } else if(deniedIP.get(ip)==null) {
- deniedIP.put(ip, new Counter(ip));
- rv = true;
- }
- if(rv) {
- writeIP();
- }
- return rv;
- }
-
- private static void writeIP() {
- if(dosIP!=null && deniedIP!=null) {
- if(deniedIP.isEmpty()) {
- if(dosIP.exists()) {
- dosIP.delete();
- }
- } else {
- PrintStream fos;
- try {
- fos = new PrintStream(new FileOutputStream(dosIP,false));
- try {
- for(String ip: deniedIP.keySet()) {
- fos.println(ip);
- }
- } finally {
- fos.close();
- }
- } catch (IOException e) {
- e.printStackTrace(System.err);
- }
- }
- }
- }
-
- private static void readIP() {
- if(dosIP!=null && dosIP.exists()) {
- BufferedReader br;
- try {
- br = new BufferedReader(new FileReader(dosIP));
- if(deniedIP==null) {
- deniedIP=new HashMap<String,Counter>();
- }
-
- try {
- String line;
- while((line=br.readLine())!=null) {
- deniedIP.put(line, new Counter(line));
- }
- } finally {
- br.close();
- }
- } catch (IOException e) {
- e.printStackTrace(System.err);
- }
- }
- }
-
-
- /**
- * Return of "True" means IP has was removed.
- * Return of "False" means IP wasn't being denied.
- *
- * @param ip
- * @return
- */
- public static synchronized boolean removeDenyIP(String ip) {
- if(deniedIP!=null && deniedIP.remove(ip)!=null) {
- writeIP();
- if(deniedIP.isEmpty()) {
- deniedIP=null;
- }
- return true;
- }
- return false;
- }
-
- /**
- * Return of "True" means ID has been added.
- * Return of "False" means ID already added.
- *
- * @param ip
- * @return
- */
- public static synchronized boolean denyID(String id) {
- boolean rv = false;
- if(deniedID==null) {
- deniedID = new HashMap<String,Counter>();
- deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent
- rv = true;
- } else if(deniedID.get(id)==null) {
- deniedID.put(id, new Counter(id));
- rv = true;
- }
- if(rv) {
- writeID();
- }
- return rv;
-
- }
-
- private static void writeID() {
- if(dosID!=null && deniedID!=null) {
- if(deniedID.isEmpty()) {
- if(dosID.exists()) {
- dosID.delete();
- }
- } else {
- PrintStream fos;
- try {
- fos = new PrintStream(new FileOutputStream(dosID,false));
- try {
- for(String ip: deniedID.keySet()) {
- fos.println(ip);
- }
- } finally {
- fos.close();
- }
- } catch (IOException e) {
- e.printStackTrace(System.err);
- }
- }
- }
- }
-
- private static void readID() {
- if(dosID!=null && dosID.exists()) {
- BufferedReader br;
- try {
- br = new BufferedReader(new FileReader(dosID));
- if(deniedID==null) {
- deniedID=new HashMap<String,Counter>();
- }
- try {
- String line;
- while((line=br.readLine())!=null) {
- deniedID.put(line, new Counter(line));
- }
- } finally {
- br.close();
- }
- } catch (IOException e) {
- e.printStackTrace(System.err);
- }
- }
- }
-
- /**
- * Return of "True" means ID has was removed.
- * Return of "False" means ID wasn't being denied.
- *
- * @param ip
- * @return
- */
- public static synchronized boolean removeDenyID(String id) {
- if(deniedID!=null && deniedID.remove(id)!=null) {
- writeID();
- if(deniedID.isEmpty()) {
- deniedID=null;
- }
-
- return true;
- }
- return false;
- }
-
- public List<String> report() {
- int initSize = 0;
- if(deniedIP!=null)initSize+=deniedIP.size();
- if(deniedID!=null)initSize+=deniedID.size();
- ArrayList<String> al = new ArrayList<String>(initSize);
- if(deniedID!=null) {
- for(Counter c : deniedID.values()) {
- al.add(c.toString());
- }
- }
- if(deniedIP!=null) {
- for(Counter c : deniedIP.values()) {
- al.add(c.toString());
- }
- }
- return al;
- }
-
- public static class Counter {
- private final String name;
- private int count = 0;
- private Date first;
- private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
-
- public Counter(String name) {
- this.name = name;
- first = null;
- last = 0L;
- count = 0;
- }
-
- public String getName() {
- return name;
- }
-
- public int getCount() {
- return count;
- }
-
- public long getLast() {
- return last;
- }
-
- /*
- * Only allow Denial of ServiceTaf to increment
- */
- private synchronized void inc() {
- ++count;
- last = System.currentTimeMillis();
- if(first==null) {
- first = new Date(last);
- }
- }
-
- public String toString() {
- if(count==0)
- return name + " is on the denied list, but has not attempted Access";
- else
- return
- name +
- " has been denied " +
- count +
- " times since " +
- first +
- ". Last denial was " +
- new Date(last);
- }
- }
-
- public static TafResp respDenyID(Access access, String identity) {
- return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list");
- }
-
- public static TafResp respDenyIP(Access access, String ip) {
- return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list");
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
deleted file mode 100644
index ac6c01a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.dos;
-
-import java.io.IOException;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.taf.AbsTafResp;
-
-public class DenialOfServiceTafResp extends AbsTafResp {
- private RESP ect; // Homage to Arethra Franklin
-
- public DenialOfServiceTafResp(Access access, RESP resp, String description ) {
- super(access, null, description);
- ect = resp;
- }
-
- // Override base behavior of checking Principal and trying another TAF
- @Override
- public RESP isAuthenticated() {
- return ect;
- }
-
-
- public RESP authenticate() throws IOException {
- return ect;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java
deleted file mode 100644
index af9554f..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.localhost;
-
-import java.net.InetAddress;
-import java.net.NetworkInterface;
-import java.net.SocketException;
-import java.net.UnknownHostException;
-import java.util.Enumeration;
-import java.util.TreeSet;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.taf.HttpTaf;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-
-/**
- * Implement the ability to utilize LocalHost as a TAF.
- *
- * Configure with two properties,
- * localhost.deny
- * localhost.accept
- *
- * 1) If localhost.deny==true, then no localhost requests are allowed
- * 2) If localhost.deny==false, but accept==false, return "Try Another TAF" (i.e. allow further checking of the
- * chain, but don't treat localhost as an acceptable credential)
- * 3) If localhost.deny=false and accept=true, then the processes coming from the same machine, given logins are needed,
- * to run, are treated as validated. This is primarily for Developer purposes.
- *
- *
- *
- */
-public class LocalhostTaf implements HttpTaf {
- private TafResp isLocalHost,isNotLocalHost;
- private static final TreeSet<String> addrSet;
-
- static {
- addrSet = new TreeSet<String>();
- try {
- for(Enumeration<NetworkInterface> en = NetworkInterface.getNetworkInterfaces();en.hasMoreElements();) {
- NetworkInterface ni = en.nextElement();
- for(Enumeration<InetAddress> eia = ni.getInetAddresses();eia.hasMoreElements();) {
- InetAddress ia = eia.nextElement();
- addrSet.add(ia.getHostAddress());
- }
- }
- } catch (SocketException e) {
- }
-
- }
-
- public LocalhostTaf(Access access, boolean accept, boolean isDenied) {
- String hostname = access.getProperty("hostname",null);
- if(hostname !=null) {
- try {
- addrSet.add(InetAddress.getByName(hostname).getHostAddress());
- } catch (UnknownHostException e) {
- access.log(e,"Unknown Host");
- }
- }
-
- if(isDenied) {
- access.log(Level.INFO,"LocalhostTaf will deny all localhost traffic");
- } else {
- access.log(Level.INFO,"LocalhostTaf will not deny localhost requests, ",
- (accept?"and will treat them as authenticated":"but will require other authentication"));
- }
- // Set the appropriate behavior for when ID coming in is from localhost
- isLocalHost = isDenied?
- new LocalhostTafResp(access, RESP.NO_FURTHER_PROCESSING,"Localhost is denied"):
- accept?
- new LocalhostTafResp(access, RESP.IS_AUTHENTICATED,"Localhost is allowed"):
- new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Localhost is allowed");
- isNotLocalHost = new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Address is not Localhost");
- }
-
-// @Override
- public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- String remote = req.getRemoteAddr();
- return addrSet.contains(remote)
- ?isLocalHost
- :isNotLocalHost;
- }
-
- /**
- * This function used for other TAFs (i.e. CSP, which can't work on localhost address)
- *
- * @param address
- * @return
- */
- public static boolean isLocalAddress(String address) {
- return addrSet.contains(address);
- }
-
- public String toString() {
- return "Localhost TAF activated: " + isLocalHost.desc();
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- // shouldn't get here, since there's no need to Cache, but if so, LocalHost is always valid...
- return Resp.REVALIDATED;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java
deleted file mode 100644
index bda5484..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.localhost;
-
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.taf.TafResp;
-
-public class LocalhostTafResp implements TafResp {
- private RESP action;
- private String description;
- private final static Principal principal = new Principal() {
- private String name = System.getProperty("user.name")+"@localhost";
-// @Override
- public String getName() {
- return name;
- }
- };
-
- private Access access;
-
- public LocalhostTafResp(Access access, RESP state, String desc) {
- action = state;
- description = desc;
- this.access = access;
- }
-
-// @Override
- public boolean isValid() {
- return action == RESP.IS_AUTHENTICATED;
- }
-
-// @Override
- public String desc() {
- return description;
- }
-
-// @Override
- public RESP authenticate() {
- return action;
- }
-
- public RESP isAuthenticated() {
- return action;
- }
-
-// @Override
- public Principal getPrincipal() {
- return principal;
- }
-
- public Access getAccess() {
- return access;
- }
-
- public boolean isFailedAttempt() {
- return false;
- }
-
-}