From 6d469611d86642bc0b74ce51af72cc36d2af962d Mon Sep 17 00:00:00 2001
From: Instrumental
Date: Mon, 26 Mar 2018 12:04:27 -0700
Subject: Remove Code from cadi, it is now in authz

Issue-ID: AAF-193
Change-Id: Ib7abdb15ba8a7445a3875cf8c6bb48b7d563f424
Signed-off-by: Instrumental
---
 .../java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java | 207 -----------
 .../java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java | 396 ---------------------
 .../org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java | 224 ------------
 .../org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java | 187 ----------
 .../org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java | 221 ------------
 .../java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java | 167 ---------
 .../onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java | 116 ------
 .../java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java | 269 --------------
 8 files changed, 1787 deletions(-)
 delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java
 delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java
 delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java
 delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java
 delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
 delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java
 delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java
 delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java

(limited to 'aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0')

diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java
deleted file mode 100644
index 6d6d947..0000000
--- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.io.IOException; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.CachedPrincipal; -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.GetCred; -import org.onap.aaf.cadi.Hash; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.lur.ConfigPrincipal; - -import com.att.aft.dme2.api.DME2Exception; -import org.onap.aaf.inno.env.APIException; - -public class AAFAuthn extends AbsUserCache { - private AAFCon con; - private String realm; - - /** - * Configure with Standard AAF properties, Stand alone - * @param con - * @throws Exception - */ - // Package on purpose - AAFAuthn(AAFCon con) throws Exception { - super(con.access,con.cleanInterval,con.highCount,con.usageRefreshTriggerCount); - this.con = con; - - try { - setRealm(); - } catch (APIException e) { - if(e.getCause() instanceof DME2Exception) { - // Can't contact AAF, assume default - realm=con.access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm()); - } - } - } - - /** - * Configure with Standard AAF properties, but share the Cache (with AAF Lur) - * @param con - * @throws Exception - */ - // Package on purpose - AAFAuthn(AAFCon con, AbsUserCache cache) throws Exception { - super(cache); - this.con = con; - try { - setRealm(); - } catch (Exception e) { - if(e.getCause() instanceof DME2Exception) { - access.log(e); - // Can't contact AAF, assume default - realm=con.access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm()); - } - } - } - - private void setRealm() throws Exception { - // Make a call without security set to get the 401 response, which - // includes the Realm of the server - // This also checks on Connectivity early on. 
- Future fp = con.client(AAFCon.AAF_LATEST_VERSION).read("/authn/basicAuth", "text/plain"); - if(fp.get(con.timeout)) { - throw new Exception("Do not preset Basic Auth Information for AAFAuthn"); - } else { - if(fp.code()==401) { - realm = fp.header("WWW-Authenticate"); - if(realm!=null && realm.startsWith("Basic realm=\"")) { - realm = realm.substring(13, realm.length()-1); - } else { - realm = "unknown.com"; - } - } - } - } - - /** - * Return Native Realm of AAF Instance. - * - * @return - */ - public String getRealm() { - return realm; - } - - /** - * Returns null if ok, or an Error String; - * - * @param user - * @param password - * @return - * @throws IOException - * @throws CadiException - * @throws Exception - */ - public String validate(String user, String password) throws IOException, CadiException { - User usr = getUser(user); - if(password.startsWith("enc:???")) { - password = access.decrypt(password, true); - } - - byte[] bytes = password.getBytes(); - if(usr != null && usr.principal != null && usr.principal.getName().equals(user) - && usr.principal instanceof GetCred) { - - if(Hash.isEqual(((GetCred)usr.principal).getCred(),bytes)) { - return null; - } else { - remove(usr); - usr = null; - } - } - - AAFCachedPrincipal cp = new AAFCachedPrincipal(this,con.app, user, bytes, con.cleanInterval); - // Since I've relocated the Validation piece in the Principal, just revalidate, then do Switch - // Statement - switch(cp.revalidate()) { - case REVALIDATED: - if(usr!=null) { - usr.principal = cp; - } else { - addUser(new User(cp,con.timeout)); - } - return null; - case INACCESSIBLE: - return "AAF Inaccessible"; - case UNVALIDATED: - return "User/Pass combo invalid for " + user; - case DENIED: - return "AAF denies API for " + user; - default: - return "AAFAuthn doesn't handle Principal " + user; - } - } - - private class AAFCachedPrincipal extends ConfigPrincipal implements CachedPrincipal { - private long expires,timeToLive; - - public 
AAFCachedPrincipal(AAFAuthn aaf, String app, String name, byte[] pass, int timeToLive) { - super(name,pass); - this.timeToLive = timeToLive; - expires = timeToLive + System.currentTimeMillis(); - } - - public Resp revalidate() { - if(con.isDisabled()) { - return Resp.DENIED; - } - try { - Miss missed = missed(getName()); - if(missed==null || missed.mayContinue(getCred())) { - Rcli client = con.client(AAFCon.AAF_LATEST_VERSION).forUser(con.basicAuth(getName(), new String(getCred()))); - Future fp = client.read( - "/authn/basicAuth", - "text/plain" - ); - if(fp.get(con.timeout)) { - expires = System.currentTimeMillis() + timeToLive; - addUser(new User(this, expires)); - return Resp.REVALIDATED; - } else { - addMiss(getName(), getCred()); - return Resp.UNVALIDATED; - } - } else { - return Resp.UNVALIDATED; - } - } catch (Exception e) { - con.access.log(e); - return Resp.INACCESSIBLE; - } - } - - public long expires() { - return expires; - } - }; - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java deleted file mode 100644 index 3ec6fed..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java +++ /dev/null 
@@ -1,396 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.net.URI; -import java.security.Principal; -import java.util.Map; -import java.util.concurrent.ConcurrentHashMap; - -import javax.servlet.ServletRequest; -import javax.servlet.http.HttpServletRequest; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.CadiWrap; -import org.onap.aaf.cadi.Connector; -import org.onap.aaf.cadi.LocatorException; -import org.onap.aaf.cadi.Lur; -import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.SecuritySetter; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.aaf.marshal.CertsMarshal; -import org.onap.aaf.cadi.client.AbsBasicAuth; -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.client.Retryable; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.config.SecurityInfoC; -import org.onap.aaf.cadi.lur.EpiLur; -import org.onap.aaf.cadi.principal.BasicPrincipal; -import org.onap.aaf.cadi.util.Vars; - -import org.onap.aaf.inno.env.APIException; -import org.onap.aaf.inno.env.Data.TYPE; -import org.onap.aaf.inno.env.util.Split; -import org.onap.aaf.rosetta.env.RosettaDF; -import org.onap.aaf.rosetta.env.RosettaEnv; - -import aaf.v2_0.Certs; -import aaf.v2_0.Error; -import aaf.v2_0.Perms; -import aaf.v2_0.Users; - -public abstract class AAFCon implements Connector { - public static final String AAF_LATEST_VERSION = "2.0"; - - final public PropAccess access; - // Package access - final public int timeout, cleanInterval, connTimeout; - final public int highCount, userExpires, usageRefreshTriggerCount; - private Map> clients = new ConcurrentHashMap>(); - final public RosettaDF permsDF; - final public RosettaDF certsDF; - final public RosettaDF usersDF; - final public RosettaDF errDF; - private String realm; - public final String app; - protected 
SecuritySetter ss; - protected SecurityInfoC si; - - private DisableCheck disableCheck; - - private AAFLurPerm lur; - - private RosettaEnv env; - protected abstract URI initURI(); - protected abstract void setInitURI(String uriString) throws CadiException; - - /** - * Use this call to get the appropriate client based on configuration (DME2, HTTP, future) - * - * @param apiVersion - * @return - * @throws CadiException - */ - public Rcli client(String apiVersion) throws CadiException { - Rcli client = clients.get(apiVersion); - if(client==null) { - client = rclient(initURI(),ss); - client.apiVersion(apiVersion) - .readTimeout(connTimeout); - clients.put(apiVersion, client); - } - return client; - } - - /** - * Use this API when you have permission to have your call act as the end client's ID. - * - * Your calls will get 403 errors if you do not have this permission. it is a special setup, rarely given. - * - * @param apiVersion - * @param req - * @return - * @throws CadiException - */ - public Rcli clientAs(String apiVersion, ServletRequest req) throws CadiException { - Rcli cl = client(apiVersion); - return cl.forUser(transferSS(((HttpServletRequest)req).getUserPrincipal())); - } - - protected AAFCon(AAFCon copy) { - access = copy.access; - timeout = copy.timeout; - cleanInterval = copy.cleanInterval; - connTimeout = copy.connTimeout; - highCount = copy.highCount; - userExpires = copy.userExpires; - usageRefreshTriggerCount = copy.usageRefreshTriggerCount; - permsDF = copy.permsDF; - certsDF = copy.certsDF; - usersDF = copy.usersDF; - errDF = copy.errDF; - app = copy.app; - ss = copy.ss; - si = copy.si; - env = copy.env; - disableCheck = copy.disableCheck; - realm = copy.realm; - } - - protected AAFCon(PropAccess access, String tag, SecurityInfoC si) throws CadiException{ - if(tag==null) { - throw new CadiException("AAFCon cannot be constructed with a tag=null"); - } - try { - this.access = access; - this.si = si; - this.ss = si.defSS; - if(ss==null) { - String 
mechid = access.getProperty(Config.AAF_MECHID, null); - String encpass = access.getProperty(Config.AAF_MECHPASS, null); - if(encpass==null) { - String alias = access.getProperty(Config.CADI_ALIAS, mechid); - if(alias==null) { - throw new CadiException(Config.CADI_ALIAS + " or " + Config.AAF_MECHID + " required."); - } - set(si.defSS=x509Alias(alias)); - } else { - if(mechid!=null && encpass !=null) { - set(si.defSS=basicAuth(mechid, encpass)); - } else { - set(si.defSS=new SecuritySetter() { - - @Override - public String getID() { - return ""; - } - - @Override - public void setSecurity(CLIENT client) throws CadiException { - throw new CadiException("AAFCon has not been initialized with Credentials (SecuritySetter)"); - } - - @Override - public int setLastResponse(int respCode) { - return 0; - } - }); - } - } - } - - timeout = Integer.parseInt(access.getProperty(Config.AAF_READ_TIMEOUT, Config.AAF_READ_TIMEOUT_DEF)); - cleanInterval = Integer.parseInt(access.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)); - highCount = Integer.parseInt(access.getProperty(Config.AAF_HIGH_COUNT, Config.AAF_HIGH_COUNT_DEF).trim()); - connTimeout = Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF).trim()); - userExpires = Integer.parseInt(access.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF).trim()); - usageRefreshTriggerCount = Integer.parseInt(access.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF).trim())-1; // zero based - - String str = access.getProperty(tag,null); - if(str==null) { - throw new CadiException(tag + " property is required."); - } - setInitURI(str); - - app=reverseDomain(ss.getID()); - realm="openecomp.org"; - - env = new RosettaEnv(); - permsDF = env.newDataFactory(Perms.class); - usersDF = env.newDataFactory(Users.class); - certsDF = env.newDataFactory(Certs.class); - certsDF.rootMarshal(new CertsMarshal()); // Speedier Marshaling - errDF = 
env.newDataFactory(Error.class); - } catch (APIException e) { - throw new CadiException("AAFCon cannot be configured",e); - } - } - - public RosettaEnv env() { - return env; - } - - /** - * Return the backing AAFCon, if there is a Lur Setup that is AAF. - * - * If there is no AAFLur setup, it will return "null" - * @param servletRequest - * @return - */ - public static final AAFCon obtain(Object servletRequest) { - if(servletRequest instanceof CadiWrap) { - Lur lur = ((CadiWrap)servletRequest).getLur(); - if(lur != null) { - if(lur instanceof EpiLur) { - AbsAAFLur aal = (AbsAAFLur) ((EpiLur)lur).subLur(AbsAAFLur.class); - if(aal!=null) { - return aal.aaf; - } - } else { - if(lur instanceof AbsAAFLur) { - return ((AbsAAFLur)lur).aaf; - } - } - } - } - return null; - } - - public abstract AAFCon clone(String url) throws CadiException; - - public AAFAuthn newAuthn() throws APIException { - try { - return new AAFAuthn(this); - } catch (APIException e) { - throw e; - } catch (Exception e) { - throw new APIException(e); - } - } - - public AAFAuthn newAuthn(AbsUserCache c) throws APIException { - try { - return new AAFAuthn(this,c); - } catch (APIException e) { - throw e; - } catch (Exception e) { - throw new APIException(e); - } - } - - public AAFLurPerm newLur() throws CadiException { - try { - if(lur==null) { - return new AAFLurPerm(this); - } else { - return new AAFLurPerm(this,lur); - } - } catch (CadiException e) { - throw e; - } catch (Exception e) { - throw new CadiException(e); - } - } - - public AAFLurPerm newLur(AbsUserCache c) throws APIException { - try { - return new AAFLurPerm(this,c); - } catch (APIException e) { - throw e; - } catch (Exception e) { - throw new APIException(e); - } - } - - /** - * Take a Fully Qualified User, and get a Namespace from it. 
- * @param user - * @return - */ - public static String reverseDomain(String user) { - StringBuilder sb = null; - String[] split = Split.split('.',user); - int at; - for(int i=split.length-1;i>=0;--i) { - if(sb == null) { - sb = new StringBuilder(); - } else { - sb.append('.'); - } - - if((at = split[i].indexOf('@'))>0) { - sb.append(split[i].subSequence(at+1, split[i].length())); - } else { - sb.append(split[i]); - } - } - - return sb==null?"":sb.toString(); - } - - protected abstract Rcli rclient(URI uri, SecuritySetter ss) throws CadiException; - - public abstract RET best(Retryable retryable) throws LocatorException, CadiException, APIException; - - - public abstract SecuritySetter basicAuth(String user, String password) throws CadiException; - - public abstract SecuritySetter transferSS(Principal principal) throws CadiException; - - public abstract SecuritySetter basicAuthSS(BasicPrincipal principal) throws CadiException; - - public abstract SecuritySetter x509Alias(String alias) throws APIException, CadiException; - - - public String getRealm() { - return realm; - - } - - public SecuritySetter set(final SecuritySetter ss) { - this.ss = ss; - if(ss instanceof AbsBasicAuth) { - disableCheck = (ss instanceof AbsBasicAuth)? 
- new DisableCheck() { - AbsBasicAuth aba = (AbsBasicAuth)ss; - @Override - public boolean isDisabled() { - return aba.isDenied(); - } - }: - new DisableCheck() { - @Override - public boolean isDisabled() { - return this.isDisabled(); - } - }; - } - for(Rcli client : clients.values()) { - client.setSecuritySetter(ss); - } - return ss; - } - - public SecurityInfoC securityInfo() { - return si; - } - - public String defID() { - if(ss!=null) { - return ss.getID(); - } - return "unknown"; - } - - public void invalidate() throws CadiException { - for(Rcli client : clients.values()) { - client.invalidate(); - clients.remove(client); - } - } - - public String readableErrMsg(Future f) { - String text = f.body(); - if(text==null || text.length()==0) { - text = f.code() + ": **No Message**"; - } else if(text.contains("%")) { - try { - Error err = errDF.newData().in(TYPE.JSON).load(f.body()).asObject(); - return Vars.convert(err.getText(),err.getVariables()); - } catch (APIException e){ - // just return the body below - } - } - return text; - } - - private interface DisableCheck { - public boolean isDisabled(); - }; - - public boolean isDisabled() { - return disableCheck.isDisabled(); - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java deleted file mode 100644 index 2757efc..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java +++ /dev/null 
@@ -1,224 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.io.IOException; -import java.net.ConnectException; -import java.net.URI; -import java.net.URISyntaxException; -import java.security.GeneralSecurityException; -import java.security.Principal; -import java.util.Properties; - -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.LocatorException; -import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.SecuritySetter; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.client.Retryable; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.config.SecurityInfoC; -import org.onap.aaf.cadi.dme2.DME2BasicAuth; -import org.onap.aaf.cadi.dme2.DME2TransferSS; -import org.onap.aaf.cadi.dme2.DME2x509SS; -import org.onap.aaf.cadi.dme2.DRcli; -import org.onap.aaf.cadi.principal.BasicPrincipal; - -import com.att.aft.dme2.api.DME2Client; -import com.att.aft.dme2.api.DME2Exception; -import com.att.aft.dme2.api.DME2Manager; -import org.onap.aaf.inno.env.APIException; - -public class AAFConDME2 extends AAFCon{ - private DME2Manager manager; - private boolean isProxy; - private URI initURI; - - public AAFConDME2(PropAccess access) throws CadiException, GeneralSecurityException, IOException{ - super(access,Config.AAF_URL,new SecurityInfoC (access)); - manager = newManager(access); - setIsProxy(); - } - - public AAFConDME2(PropAccess access, String url) throws CadiException, GeneralSecurityException, IOException{ - super(access,url,new SecurityInfoC (access)); - manager = newManager(access); - setIsProxy(); - } - - public AAFConDME2(PropAccess access, SecurityInfoC si) throws CadiException { - super(access,Config.AAF_URL,si); - manager = newManager(access); - setIsProxy(); - } - - public AAFConDME2(PropAccess access, String url, SecurityInfoC si) throws CadiException { - super(access,url,si); - manager = newManager(access); - setIsProxy(); - } - - /** - 
* Construct a Connector based on the AAF one. This is for remote access to OTHER than AAF, - * but using Credentials, etc - */ - private AAFConDME2(AAFCon aafcon, String url) throws CadiException { - super(aafcon); - try { - initURI = new URI(url); - } catch (URISyntaxException e) { - throw new CadiException(e); - } - manager = newManager(access); - } - - /** - * Create a Connector based on the AAF one. This is for remote access to OTHER than AAF, - * but using Credentials, etc - */ - public AAFCon clone(String url) throws CadiException { - return new AAFConDME2(this,url); - } - - private void setIsProxy() { - String str; - if((str=access.getProperty(Config.AAF_URL, null))!=null) { - isProxy = str.contains("service=com.att.authz.authz-gw/version="); - } - } - - private DME2Manager newManager(PropAccess access) throws CadiException { - Properties props = access.getDME2Properties(); - // Critical that TLS Settings not ignored - try { - return new DME2Manager("AAFCon",props); - } catch (DME2Exception e) { - throw new CadiException(e); - } - } - - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#basicAuth(java.lang.String, java.lang.String) - */ - @Override - public SecuritySetter basicAuth(String user, String password) throws CadiException { - if(password.startsWith("enc:???")) { - try { - password = access.decrypt(password, true); - } catch (IOException e) { - throw new CadiException("Error Decrypting Password",e); - } - } - - try { - return set(new DME2BasicAuth(user,password,si)); - } catch (IOException e) { - throw new CadiException("Error setting up DME2BasicAuth",e); - } - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#rclient(java.net.URI, com.att.cadi.SecuritySetter) - */ - @Override - protected Rcli rclient(URI uri, SecuritySetter ss) { - DRcli dc = new DRcli(uri, ss); - dc.setProxy(isProxy); - dc.setManager(manager); - return dc; - } - - @Override - public SecuritySetter transferSS(Principal principal) throws CadiException { - try { - 
return principal==null?ss:new DME2TransferSS(principal, app, si); - } catch (IOException e) { - throw new CadiException("Error creating DME2TransferSS",e); - } - } - - @Override - public SecuritySetter basicAuthSS(BasicPrincipal principal) throws CadiException { - try { - return new DME2BasicAuth(principal,si); - } catch (IOException e) { - throw new CadiException("Error creating DME2BasicAuth",e); - } - - } - - @Override - public SecuritySetter x509Alias(String alias) throws CadiException { - try { - presetProps(access, alias); - return new DME2x509SS(alias,si); - } catch (Exception e) { - throw new CadiException("Error creating DME2x509SS",e); - } - } - - @Override - public RET best(Retryable retryable) throws LocatorException, CadiException, APIException { - // NOTE: DME2 had Retry Logic embedded lower. - try { - return (retryable.code(rclient(initURI,ss))); - } catch (ConnectException e) { - // DME2 should catch - try { - manager.refresh(); - } catch (Exception e1) { - throw new CadiException(e1); - } - throw new CadiException(e); - } - } - - public static void presetProps(PropAccess access, String alias) throws IOException { - System.setProperty(Config.AFT_DME2_CLIENT_SSL_CERT_ALIAS, alias); - if(System.getProperty(Config.AFT_DME2_CLIENT_IGNORE_SSL_CONFIG)==null) { - access.getDME2Properties(); - } - - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#initURI() - */ - @Override - protected URI initURI() { - return initURI; - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#setInitURI(java.lang.String) - */ - @Override - protected void setInitURI(String uriString) throws CadiException { - try { - initURI = new URI(uriString); - } catch (URISyntaxException e) { - throw new CadiException(e); - } - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java deleted file mode 100644 index 5a38b0c..0000000 
--- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java
+++ /dev/null
@@ -1,187 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.io.IOException; -import java.net.HttpURLConnection; -import java.net.URI; -import java.security.GeneralSecurityException; -import java.security.Principal; - -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.Locator; -import org.onap.aaf.cadi.LocatorException; -import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.SecuritySetter; -import org.onap.aaf.cadi.Locator.Item; -import org.onap.aaf.cadi.client.AbsTransferSS; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.client.Retryable; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.config.SecurityInfoC; -import org.onap.aaf.cadi.http.HBasicAuthSS; -import org.onap.aaf.cadi.http.HMangr; -import org.onap.aaf.cadi.http.HRcli; -import org.onap.aaf.cadi.http.HTransferSS; -import org.onap.aaf.cadi.http.HX509SS; -import org.onap.aaf.cadi.principal.BasicPrincipal; - -import org.onap.aaf.inno.env.APIException; - -public class AAFConHttp extends AAFCon { - private final HMangr hman; - - public AAFConHttp(PropAccess access) throws CadiException, GeneralSecurityException, IOException { - super(access,Config.AAF_URL,new SecurityInfoC(access)); - hman = new HMangr(access,Config.loadLocator(access, access.getProperty(Config.AAF_URL,null))); - } - - public AAFConHttp(PropAccess access, String tag) throws CadiException, GeneralSecurityException, IOException { - super(access,tag,new SecurityInfoC(access)); - hman = new HMangr(access,Config.loadLocator(access, access.getProperty(tag,null))); - } - - public AAFConHttp(PropAccess access, String urlTag, SecurityInfoC si) throws CadiException { - super(access,urlTag,si); - hman = new HMangr(access,Config.loadLocator(access, access.getProperty(urlTag,null))); - } - - public AAFConHttp(PropAccess access, Locator locator) throws CadiException, GeneralSecurityException, IOException { - 
super(access,Config.AAF_URL,new SecurityInfoC(access)); - hman = new HMangr(access,locator); - } - - public AAFConHttp(PropAccess access, Locator locator, SecurityInfoC si) throws CadiException { - super(access,Config.AAF_URL,si); - hman = new HMangr(access,locator); - } - - public AAFConHttp(PropAccess access, Locator locator, SecurityInfoC si, String tag) throws CadiException { - super(access,tag,si); - hman = new HMangr(access, locator); - } - - private AAFConHttp(AAFCon aafcon, String url) { - super(aafcon); - hman = new HMangr(aafcon.access,Config.loadLocator(access, url)); - } - - @Override - public AAFCon clone(String url) { - return new AAFConHttp(this,url); - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#basicAuth(java.lang.String, java.lang.String) - */ - @Override - public SecuritySetter basicAuth(String user, String password) throws CadiException { - if(password.startsWith("enc:???")) { - try { - password = access.decrypt(password, true); - } catch (IOException e) { - throw new CadiException("Error decrypting password",e); - } - } - try { - return new HBasicAuthSS(user,password,si); - } catch (IOException e) { - throw new CadiException("Error creating HBasicAuthSS",e); - } - } - - public SecuritySetter x509Alias(String alias) throws APIException, CadiException { - try { - return set(new HX509SS(alias,si)); - } catch (Exception e) { - throw new CadiException("Error creating X509SS",e); - } - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#rclient(java.net.URI, com.att.cadi.SecuritySetter) - */ - @Override - protected Rcli rclient(URI ignoredURI, SecuritySetter ss) throws CadiException { - if(hman.loc==null) { - throw new CadiException("No Locator set in AAFConHttp"); - } - try { - return new HRcli(hman, hman.loc.best() ,ss); - } catch (Exception e) { - throw new CadiException(e); - } - } - - @Override - public AbsTransferSS transferSS(Principal principal) throws CadiException { - return new HTransferSS(principal, app,si); - } 
- - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#basicAuthSS(java.security.Principal) - */ - @Override - public SecuritySetter basicAuthSS(BasicPrincipal principal) throws CadiException { - try { - return new HBasicAuthSS(principal,si); - } catch (IOException e) { - throw new CadiException("Error creating HBasicAuthSS",e); - } - } - - public HMangr hman() { - return hman; - } - - @Override - public RET best(Retryable retryable) throws LocatorException, CadiException, APIException { - return hman.best(ss, (Retryable)retryable); - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#initURI() - */ - @Override - protected URI initURI() { - try { - Item item = hman.loc.best(); - if(item!=null) { - return hman.loc.get(item); - } - } catch (LocatorException e) { - access.log(e, "Error in AAFConHttp obtaining initial URI"); - } - return null; - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#setInitURI(java.lang.String) - */ - @Override - protected void setInitURI(String uriString) throws CadiException { - // TODO Auto-generated method stub - - } - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java deleted file mode 100644 index 520d7ab..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java +++ /dev/null 
@@ -1,221 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.net.ConnectException; -import java.net.URISyntaxException; -import java.security.Principal; -import java.util.Map; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.Permission; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.CachedPrincipal.Resp; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.client.Retryable; -import org.onap.aaf.cadi.lur.LocalPermission; - -import com.att.aft.dme2.api.DME2Exception; -import org.onap.aaf.inno.env.APIException; -import org.onap.aaf.inno.env.util.Split; - -import aaf.v2_0.Perm; -import aaf.v2_0.Perms; - -/** - * Use AAF Service as Permission Service. - * - * This Lur goes after AAF Permissions, which are elements of Roles, not the Roles themselves. - * - * If you want a simple Role Lur, use AAFRoleLur - * - * - */ -public class AAFLurPerm extends AbsAAFLur { - /** - * Need to be able to transmutate a Principal into either ATTUID or MechID, which are the only ones accepted at this - * point by AAF. There is no "domain", aka, no "@att.com" in "ab1234@att.com". - * - * The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid. 
- * Thus, we validate that the ID portion follows the rules before we waste time accessing AAF remotely - * @throws APIException - * @throws URISyntaxException - * @throws DME2Exception - */ - // Package on purpose - AAFLurPerm(AAFCon con) throws CadiException, DME2Exception, URISyntaxException, APIException { - super(con); - } - - // Package on purpose - AAFLurPerm(AAFCon con, AbsUserCache auc) throws DME2Exception, URISyntaxException, APIException { - super(con,auc); - } - - protected User loadUser(Principal p) { - // Note: The rules for AAF is that it only stores permissions for ATTUID and MechIDs, which don't - // have domains. We are going to make the Transitive Class (see this.transmutative) to convert - Principal principal = transmutate.mutate(p); - if(principal==null)return null; // if not a valid Transmutated credential, don't bother calling... - return loadUser(p, p.getName()); - } - - protected User loadUser(String name) { - return loadUser((Principal)null, name); - } - - private User loadUser(final Principal prin, final String name) { - - //TODO Create a dynamic way to declare domains supported. 
- final long start = System.nanoTime(); - final boolean[] success = new boolean[]{false}; - -// new Exception("loadUser").printStackTrace(); - try { - return aaf.best(new Retryable>() { - @Override - public User code(Rcli client) throws CadiException, ConnectException, APIException { - Future fp = client.read("/authz/perms/user/"+name,aaf.permsDF); - - // In the meantime, lookup User, create if necessary - User user = getUser(name); - Principal p; - if(prin == null) { - p = new Principal() {// Create a holder for lookups - private String n = name; - public String getName() { - return n; - } - }; - } else { - p = prin; - } - - if(user==null) { - addUser(user = new User(p,aaf.userExpires)); // no password - } - - // OK, done all we can, now get content - if(fp.get(aaf.timeout)) { - success[0]=true; - Map newMap = user.newMap(); - boolean willLog = aaf.access.willLog(Level.DEBUG); - for(Perm perm : fp.value.getPerm()) { - user.add(newMap,new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction())); - if(willLog) { - aaf.access.log(Level.DEBUG, name,"has '",perm.getType(),'|',perm.getInstance(),'|',perm.getAction(),'\''); - } - } - user.setMap(newMap); - user.renewPerm(); - } else { - int code; - switch(code=fp.code()) { - case 401: - aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); - break; - default: - aaf.access.log(Access.Level.ERROR, code, fp.body()); - } - } - - return user; - } - }); - } catch (Exception e) { - aaf.access.log(e,"Calling","/authz/perms/user/"+name); - success[0]=false; - return null; - } finally { - float time = (System.nanoTime()-start)/1000000f; - aaf.access.log(Level.INFO, success[0]?"Loaded":"Load Failure",name,"from AAF in",time,"ms"); - } - } - - public Resp reload(User user) { - final String name = user.principal.getName(); - long start = System.nanoTime(); - boolean success = false; - try { - Future fp = aaf.client(AAFCon.AAF_LATEST_VERSION).read( - "/authz/perms/user/"+name, - aaf.permsDF - ); - - // 
OK, done all we can, now get content - if(fp.get(aaf.timeout)) { - success = true; - Map newMap = user.newMap(); - boolean willLog = aaf.access.willLog(Level.DEBUG); - for(Perm perm : fp.value.getPerm()) { - user.add(newMap, new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction())); - if(willLog) { - aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction()); - } - } - user.renewPerm(); - return Resp.REVALIDATED; - } else { - int code; - switch(code=fp.code()) { - case 401: - aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); - break; - default: - aaf.access.log(Access.Level.ERROR, code, fp.body()); - } - return Resp.UNVALIDATED; - } - } catch (Exception e) { - aaf.access.log(e,"Calling","/authz/perms/user/"+name); - return Resp.INACCESSIBLE; - } finally { - float time = (System.nanoTime()-start)/1000000f; - aaf.access.log(Level.AUDIT, success?"Reloaded":"Reload Failure",name,"from AAF in",time,"ms"); - } - } - - @Override - protected boolean isCorrectPermType(Permission pond) { - return pond instanceof AAFPermission; - } - - /* (non-Javadoc) - * @see com.att.cadi.Lur#createPerm(java.lang.String) - */ - @Override - public Permission createPerm(String p) { - String[] params = Split.split('|', p); - if(params.length==3) { - return new AAFPermission(params[0],params[1],params[2]); - } else { - return new LocalPermission(p); - } - } - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java deleted file mode 100644 index fb92108..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java +++ /dev/null 
@@ -1,167 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.io.IOException; -import java.security.Principal; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.CachedPrincipal; -import org.onap.aaf.cadi.GetCred; -import org.onap.aaf.cadi.Hash; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.CachedPrincipal.Resp; -import org.onap.aaf.cadi.Taf.LifeForm; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.principal.BasicPrincipal; -import org.onap.aaf.cadi.principal.CachedBasicPrincipal; -import org.onap.aaf.cadi.taf.HttpTaf; -import org.onap.aaf.cadi.taf.TafResp; -import org.onap.aaf.cadi.taf.TafResp.RESP; -import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp; - -public class AAFTaf extends AbsUserCache implements HttpTaf { -// private static final String INVALID_AUTH_TOKEN = "Invalid Auth Token"; -// private static final String AUTHENTICATING_SERVICE_UNAVAILABLE = "Authenticating Service unavailable"; - private AAFCon aaf; - private boolean warn; - - public AAFTaf(AAFCon con, boolean turnOnWarning) { - super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount); - aaf = con; - warn = turnOnWarning; - } - - public AAFTaf(AAFCon con, boolean turnOnWarning, AbsUserCache other) { - super(other); - aaf = con; - warn = turnOnWarning; - } - - public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { - //TODO Do we allow just anybody to validate? - - // Note: Either Carbon or Silicon based LifeForms ok - String authz = req.getHeader("Authorization"); - if(authz != null && authz.startsWith("Basic ")) { - if(warn&&!req.isSecure())aaf.access.log(Level.WARN,"WARNING! 
BasicAuth has been used over an insecure channel"); - try { - CachedBasicPrincipal bp; - if(req.getUserPrincipal() instanceof CachedBasicPrincipal) { - bp = (CachedBasicPrincipal)req.getUserPrincipal(); - } else { - bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires); - } - // First try Cache - User usr = getUser(bp); - if(usr != null && usr.principal != null) { - if(usr.principal instanceof GetCred) { - if(Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) { - return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false); - } - } - } - - Miss miss = missed(bp.getName()); - if(miss!=null && !miss.mayContinue(bp.getCred())) { - return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, - "User/Pass Retry limit exceeded"), - RESP.FAIL,resp,aaf.getRealm(),true); - } - - Rcli userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.basicAuthSS(bp)); - Future fp = userAAF.read("/authn/basicAuth", "text/plain"); - if(fp.get(aaf.timeout)) { - if(usr!=null) { - usr.principal = bp; - } else { - addUser(new User(bp,aaf.userExpires)); - } - return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false); - } else { - // Note: AddMiss checks for miss==null, and is part of logic - boolean rv= addMiss(bp.getName(),bp.getCred()); - if(rv) { - return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, - "User/Pass combo invalid via AAF"), - RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true); - } else { - return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, - "User/Pass combo invalid via AAF - Retry limit exceeded"), - RESP.FAIL,resp,aaf.getRealm(),true); - } - } - } catch (IOException e) { - String msg = buildMsg(null,req,"Invalid Auth Token"); - aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')'); - return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, 
aaf.getRealm(),true); - } catch (Exception e) { - String msg = buildMsg(null,req,"Authenticating Service unavailable"); - aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')'); - return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false); - } - } - return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false); - } - - private String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) { - StringBuilder sb = new StringBuilder(); - for(Object s : msg) { - sb.append(s.toString()); - } - if(pr!=null) { - sb.append(" for "); - sb.append(pr.getName()); - } - sb.append(" from "); - sb.append(req.getRemoteAddr()); - sb.append(':'); - sb.append(req.getRemotePort()); - return sb.toString(); - } - - - - public Resp revalidate(CachedPrincipal prin) { - // !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal - if(prin instanceof BasicPrincipal) { - Future fp; - try { - Rcli userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.transferSS(prin)); - fp = userAAF.read("/authn/basicAuth", "text/plain"); - return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED; - } catch (Exception e) { - aaf.access.log(e, "Cannot Revalidate",prin.getName()); - return Resp.INACCESSIBLE; - } - } - return Resp.NOT_MINE; - } - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java deleted file mode 100644 index c7644a5..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java +++ /dev/null 
@@ -1,116 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import javax.servlet.http.HttpServletRequest ; - -import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.Lur; -import org.onap.aaf.cadi.TrustChecker; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.principal.TrustPrincipal; -import org.onap.aaf.cadi.taf.TafResp; -import org.onap.aaf.cadi.taf.TrustNotTafResp; -import org.onap.aaf.cadi.taf.TrustTafResp; - -import org.onap.aaf.inno.env.Env; -import org.onap.aaf.inno.env.util.Split; - -public class AAFTrustChecker implements TrustChecker { - private final String tag, id; - private final AAFPermission perm; - private Lur lur; - - /** - * - * Instance will be replaced by Identity - * @param lur - * - * @param tag - * @param perm - */ - public AAFTrustChecker(final Env env) { - tag = env.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN); - id = env.getProperty(Config.CADI_ALIAS,env.getProperty(Config.AAF_MECHID)); // share between components - String str = env.getProperty(Config.CADI_TRUST_PERM); - AAFPermission temp=null; - if(str!=null) { - String[] sp = Split.splitTrim('|', str); - if(sp.length==3) { - temp = new AAFPermission(sp[0],sp[1],sp[2]); - } - } - perm=temp; - } - - public AAFTrustChecker(final Access access) { - tag = access.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN); - id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_MECHID,null)); // share between components - String str = access.getProperty(Config.CADI_TRUST_PERM,null); - AAFPermission temp=null; - if(str!=null) { - String[] sp = Split.splitTrim('|', str); - if(sp.length==3) { - temp = new AAFPermission(sp[0],sp[1],sp[2]); - } - } - perm=temp; - } - - /* (non-Javadoc) - * @see com.att.cadi.TrustChecker#setLur(com.att.cadi.Lur) - */ - @Override - public void setLur(Lur lur) { - this.lur = lur; - } - - 
@Override - public TafResp mayTrust(TafResp tresp, HttpServletRequest req) { - String user_info = req.getHeader(tag); - if(user_info !=null ) { - String[] info = Split.split(',', user_info); - if(info.length>0) { - String[] flds = Split.splitTrim(':',info[0]); - if(flds.length>3 && "AS".equals(flds[3])) { // is it set for "AS" - String pn = tresp.getPrincipal().getName(); - if(pn.equals(id) // We do trust our own App Components: if a trust entry is made with self, always accept - || lur.fish(tresp.getPrincipal(), perm)) { // Have Perm set by Config.CADI_TRUST_PERM - return new TrustTafResp(tresp, - new TrustPrincipal(tresp.getPrincipal(), flds[0]), - " " + flds[0] + " validated using " + flds[2] + " by " + flds[1] + ',' - ); - } else if(pn.equals(flds[0])) { // Ignore if same identity - return tresp; - } else { - return new TrustNotTafResp(tresp, tresp.getPrincipal().getName() + " requested trust as " - + flds[0] + ", but does not have Authorization"); - } - } - } - } - return tresp; - } - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java deleted file mode 100644 index 5bcf527..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java +++ /dev/null 
@@ -1,269 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.net.URISyntaxException; -import java.security.Principal; -import java.util.ArrayList; -import java.util.Date; -import java.util.List; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.CachingLur; -import org.onap.aaf.cadi.Permission; -import org.onap.aaf.cadi.StrLur; -import org.onap.aaf.cadi.Transmutate; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.aaf.AAFTransmutate; -import org.onap.aaf.cadi.config.Config; - -import com.att.aft.dme2.api.DME2Exception; -import org.onap.aaf.inno.env.APIException; -import org.onap.aaf.inno.env.util.Split; - -public abstract class AbsAAFLur extends AbsUserCache implements StrLur, CachingLur { - protected static final byte[] BLANK_PASSWORD = new byte[0]; - protected static final Transmutate transmutate = new AAFTransmutate(); - private String[] debug = null; - public AAFCon aaf; - private String[] supports; - - public AbsAAFLur(AAFCon con) throws DME2Exception, URISyntaxException, APIException { - super(con.access, con.cleanInterval, con.highCount, con.usageRefreshTriggerCount); - aaf = con; - setLur(this); - supports = con.access.getProperty(Config.AAF_DOMAIN_SUPPORT, Config.AAF_DOMAIN_SUPPORT_DEF).split("\\s*:\\s*"); - } - - public AbsAAFLur(AAFCon con, AbsUserCache auc) throws DME2Exception, URISyntaxException, APIException { - super(auc); - aaf = con; - setLur(this); - supports = con.access.getProperty(Config.AAF_DOMAIN_SUPPORT, Config.AAF_DOMAIN_SUPPORT_DEF).split("\\s*:\\s*"); - } - - @Override - public void setDebug(String ids) { - this.debug = ids==null?null:Split.split(',', ids); - } - - protected abstract User loadUser(Principal bait); - protected abstract User loadUser(String name); - public final boolean supports(String userName) { - if(userName!=null) { - for(String s : 
supports) { - if(userName.endsWith(s)) - return true; - } - } - return false; - } - - protected abstract boolean isCorrectPermType(Permission pond); - - // This is where you build AAF CLient Code. Answer the question "Is principal "bait" in the "pond" - public boolean fish(Principal bait, Permission pond) { - return fish(bait.getName(), pond); - } - - public void fishAll(Principal bait, List perms) { - fishAll(bait.getName(),perms); - } - - // This is where you build AAF CLient Code. Answer the question "Is principal "bait" in the "pond" - public boolean fish(String bait, Permission pond) { - if(isDebug(bait)) { - boolean rv = false; - StringBuilder sb = new StringBuilder("Log for "); - sb.append(bait); - if(supports(bait)) { - User user = getUser(bait); - if(user==null) { - sb.append("\n\tUser is not in Cache"); - } else { - if(user.noPerms())sb.append("\n\tUser has no Perms"); - if(user.permExpired()) { - sb.append("\n\tUser's perm expired ["); - sb.append(new Date(user.permExpires())); - sb.append(']'); - } else { - sb.append("\n\tUser's perm expires ["); - sb.append(new Date(user.permExpires())); - sb.append(']'); - } - } - if(user==null || (user.noPerms() && user.permExpired())) { - user = loadUser(bait); - sb.append("\n\tloadUser called"); - } - if(user==null) { - sb.append("\n\tUser was not Loaded"); - } else if(user.contains(pond)) { - sb.append("\n\tUser contains "); - sb.append(pond.getKey()); - rv = true; - } else { - sb.append("\n\tUser does not contain "); - sb.append(pond.getKey()); - List perms = new ArrayList(); - user.copyPermsTo(perms); - for(Permission p : perms) { - sb.append("\n\t\t"); - sb.append(p.getKey()); - } - } - } else { - sb.append("AAF Lur does not support ["); - sb.append(bait); - sb.append("]"); - } - aaf.access.log(Level.INFO, sb); - return rv; - } else { - if(supports(bait)) { - User user = getUser(bait); - if(user==null || (user.noPerms() && user.permExpired())) { - user = loadUser(bait); - } - return 
user==null?false:user.contains(pond); - } - return false; - } - } - - public void fishAll(String bait, List perms) { - if(isDebug(bait)) { - StringBuilder sb = new StringBuilder("Log for "); - sb.append(bait); - if(supports(bait)) { - User user = getUser(bait); - if(user==null) { - sb.append("\n\tUser is not in Cache"); - } else { - if(user.noPerms())sb.append("\n\tUser has no Perms"); - if(user.permExpired()) { - sb.append("\n\tUser's perm expired ["); - sb.append(new Date(user.permExpires())); - sb.append(']'); - } else { - sb.append("\n\tUser's perm expires ["); - sb.append(new Date(user.permExpires())); - sb.append(']'); - } - } - if(user==null || (user.noPerms() && user.permExpired())) { - user = loadUser(bait); - sb.append("\n\tloadUser called"); - } - if(user==null) { - sb.append("\n\tUser was not Loaded"); - } else { - sb.append("\n\tCopying Perms "); - user.copyPermsTo(perms); - for(Permission p : perms) { - sb.append("\n\t\t"); - sb.append(p.getKey()); - } - } - } else { - sb.append("AAF Lur does not support ["); - sb.append(bait); - sb.append("]"); - } - aaf.access.log(Level.INFO, sb); - } else { - if(supports(bait)) { - User user = getUser(bait); - if(user==null || (user.noPerms() && user.permExpired())) user = loadUser(bait); - if(user!=null) { - user.copyPermsTo(perms); - } - } - } - } - - @Override - public void remove(String user) { - super.remove(user); - } - - private boolean isDebug(String bait) { - if(debug!=null) { - if(debug.length==1 && "all".equals(debug[0]))return true; - for(String s : debug) { - if(s.equals(bait))return true; - } - } - return false; - } - /** - * This special case minimizes loops, avoids multiple Set hits, and calls all the appropriate Actions found. 
- * - * @param bait - * @param obj - * @param type - * @param instance - * @param actions - */ - public void fishOneOf(String bait, A obj, String type, String instance, List> actions) { - User user = getUser(bait); - if(user==null || (user.noPerms() && user.permExpired()))user = loadUser(bait); -// return user==null?false:user.contains(pond); - if(user!=null) { - ReuseAAFPermission perm = new ReuseAAFPermission(type,instance); - for(Action action : actions) { - perm.setAction(action.getName()); - if(user.contains(perm)) { - if(action.exec(obj))return; - } - } - } - } - - public static interface Action { - public String getName(); - /** - * Return false to continue, True to end now - * @return - */ - public boolean exec(A a); - } - - private class ReuseAAFPermission extends AAFPermission { - public ReuseAAFPermission(String type, String instance) { - super(type,instance,null); - } - - public void setAction(String s) { - action = s; - } - - /** - * This function understands that AAF Keys are hierarchical, :A:B:C, - * Cassandra follows a similar method, so we'll short circuit and do it more efficiently when there isn't a first hit - * @return - */ - } -} -- cgit 1.2.3-korg