From 6d469611d86642bc0b74ce51af72cc36d2af962d Mon Sep 17 00:00:00 2001 From: Instrumental Date: Mon, 26 Mar 2018 12:04:27 -0700 Subject: Remove Code from cadi, it is now in authz Issue-ID: AAF-193 Change-Id: Ib7abdb15ba8a7445a3875cf8c6bb48b7d563f424 Signed-off-by: Instrumental --- .../java/org/onap/aaf/cadi/aaf/AAFPermission.java | 105 ----- .../java/org/onap/aaf/cadi/aaf/AAFTransmutate.java | 87 ---- .../org/onap/aaf/cadi/aaf/ConnectivityTest.java | 459 --------------------- .../main/java/org/onap/aaf/cadi/aaf/PermEval.java | 149 ------- .../aaf/cadi/aaf/cert/AAFListedCertIdentity.java | 179 -------- .../org/onap/aaf/cadi/aaf/client/ErrMessage.java | 98 ----- .../org/onap/aaf/cadi/aaf/client/Examples.java | 444 -------------------- .../org/onap/aaf/cadi/aaf/marshal/CertMarshal.java | 66 --- .../onap/aaf/cadi/aaf/marshal/CertsMarshal.java | 45 -- .../java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java | 207 ---------- .../java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java | 396 ------------------ .../org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java | 224 ---------- .../org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java | 187 --------- .../org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java | 221 ---------- .../java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java | 167 -------- .../onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java | 116 ------ .../java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java | 269 ------------ 17 files changed, 3419 deletions(-) delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFTransmutate.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/ConnectivityTest.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/PermEval.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/client/ErrMessage.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/client/Examples.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertMarshal.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertsMarshal.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java delete mode 100644 aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java (limited to 'aaf/src/main/java/org/onap/aaf/cadi/aaf') diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java deleted file mode 100644 index 7cefc26..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java +++ /dev/null @@ -1,105 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf; - -import org.onap.aaf.cadi.Permission; - -/** - * A Class that understands the AAF format of Permission (name/type/action) - * or String "name|type|action" - * - * - */ -public class AAFPermission implements Permission { - protected String type,instance,action,key; - - protected AAFPermission() {} - - public AAFPermission(String type, String instance, String action) { - this.type = type; - this.instance = instance; - this.action = action; - key = type + '|' + instance + '|' + action; - } - - /** - * Match a Permission - * if Permission is Fielded type "Permission", we use the fields - * otherwise, we split the Permission with '|' - * - * when the type or action starts with REGEX indicator character ( ! ), - * then it is evaluated as a regular expression. - * - * If you want a simple field comparison, it is faster without REGEX - */ - public boolean match(Permission p) { - if(p instanceof AAFPermission) { - AAFPermission ap = (AAFPermission)p; - // Note: In AAF > 1.0, Accepting "*" from name would violate multi-tenancy - // Current solution is only allow direct match on Type. - // 8/28/2014 - added REGEX ability - if(type.equals(ap.getName())) - if(PermEval.evalInstance(instance,ap.getInstance())) - if(PermEval.evalAction(action,ap.getAction())) - return true; - } else { - // Permission is concatenated together: separated by | - String[] aaf = p.getKey().split("[\\s]*\\|[\\s]*",3); - if(aaf.length>0 && type.equals(aaf[0])) - if(PermEval.evalInstance(instance,aaf.length>1?aaf[1]:"*")) - if(PermEval.evalAction(action,aaf.length>2?aaf[2]:"*")) - return true; - } - return false; - } - - public String getName() { - return type; - } - - public String getInstance() { - return instance; - } - - public String getAction() { - return action; - } - - public String getKey() { - return key; - } - - /* (non-Javadoc) - * @see com.att.cadi.Permission#permType() - */ - public String permType() { - return "AAF"; - } - - public String toString() { - return "AAFPermission:\n\tType: " + type + - "\n\tInstance: " + instance + - "\n\tAction: " + action + - "\n\tKey: " + key; - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFTransmutate.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFTransmutate.java deleted file mode 100644 index 2d1b88f..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFTransmutate.java +++ /dev/null @@ -1,87 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf; - -import java.security.Principal; -import java.util.regex.Pattern; - -import org.onap.aaf.cadi.Transmutate; -import org.onap.aaf.cadi.lur.ConfigPrincipal; -import org.onap.aaf.cadi.principal.BasicPrincipal; -import org.onap.aaf.cadi.principal.CSPPrincipal_T; - -/** - * AAFTransmutate - * - * Each System determines the mechanisms for which one Principal is transmutated to another, such as whether it is created - * independently, etc. - * - * For AAF, the only important thing is that these are valid ATTUID/mechIDs, to avoid unnecessary user hits - * - * attUIDs look like ab1234 or AB1234 or AZ123a - * mechids look like m12345 - * - * - */ -public final class AAFTransmutate implements Transmutate { - private Pattern pattern = Pattern.compile("[a-zA-Z]\\w\\d\\d\\d\\w"); - - public Principal mutate(Principal p) { - // Accept these three internal kinds of Principals - if(p instanceof CSPPrincipal_T - || p instanceof BasicPrincipal - || p instanceof ConfigPrincipal) { - return p; - } else { - - final String name = p.getName(); - final int idx = name.indexOf('@'); - String shortName; - if(idx>0) { // strip off any domain - shortName = name.substring(0,idx); - } else { - shortName = name; - } - - // Check for ATTUID specs before creating CSP_T - return pattern.matcher(shortName).matches()? - new CSP_T(name): // Note: use REAL name, short name for CSP_T - null; - } - } - - /** - * Essential Principal reflecting CSP Principal - * - * - */ - private final class CSP_T implements CSPPrincipal_T { - private String name; - public CSP_T(String name) { - this.name = name; - } - public String getName() { - return name; - } - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/ConnectivityTest.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/ConnectivityTest.java deleted file mode 100644 index daac0c3..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/ConnectivityTest.java +++ /dev/null @@ -1,459 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf; - -import java.io.IOException; -import java.io.PrintStream; -import java.lang.reflect.Field; -import java.net.HttpURLConnection; -import java.net.InetAddress; -import java.net.InetSocketAddress; -import java.net.Socket; -import java.net.URI; -import java.net.UnknownHostException; -import java.util.Date; - -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.Locator; -import org.onap.aaf.cadi.LocatorException; -import org.onap.aaf.cadi.Lur; -import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.SecuritySetter; -import org.onap.aaf.cadi.TrustChecker; -import org.onap.aaf.cadi.Locator.Item; -import org.onap.aaf.cadi.aaf.v2_0.AAFCon; -import org.onap.aaf.cadi.aaf.v2_0.AAFConDME2; -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.config.SecurityInfoC; -import org.onap.aaf.cadi.http.HBasicAuthSS; -import org.onap.aaf.cadi.http.HClient; -import org.onap.aaf.cadi.http.HX509SS; -import org.onap.aaf.cadi.locator.DME2Locator; -import org.onap.aaf.cadi.locator.PropertyLocator; - -import com.att.aft.dme2.api.DME2Client; -import com.att.aft.dme2.api.DME2Manager; -import org.onap.aaf.inno.env.APIException; -import org.onap.aaf.rosetta.env.RosettaDF; -import org.onap.aaf.rosetta.env.RosettaEnv; - -import aaf.v2_0.Perms; - -public class ConnectivityTest { - private static final String PROD = "PROD"; - private static final String SRV_RESOLVE = "https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=%s/routeOffer=%s"; - private static final String GW_RESOLVE = "https://DME2RESOLVE/service=com.att.authz.authz-gw/version=2.0/envContext=%s/routeOffer=%s"; - - public static void main(String[] args) { - if(args.length<2) { - System.out.println("Usage: ConnectivityTester "); - } else { - print(true,"START OF CONNECTIVITY TESTS",new Date().toString(),System.getProperty("user.name"), - "Note: All API Calls are /authz/perms/user/"); - - final String aaf_env = args[0]; - args[1]=Config.CADI_PROP_FILES+'='+args[1]; - - PropAccess pa = new PropAccess(args); - String user = pa.getProperty(Config.AAF_MECHID); - String pass = pa.getProperty(Config.AAF_MECHPASS); - String alias = pa.getProperty(Config.CADI_ALIAS); - if(user==null) { - user=alias; - } - RosettaEnv env = new RosettaEnv(pa.getProperties()); - - try { - RosettaDF permsDF = env.newDataFactory(Perms.class); - SecurityInfoC si = new SecurityInfoC(pa); - HBasicAuthSS hbass = new HBasicAuthSS(pa,si); - if(hbass.getID()==null) { - hbass=null; // not configured with ID. - } - HX509SS hxss=null; - AAFCon aafcon; - - try { - hxss = new HX509SS(user,si); - } catch(Exception e) { - e.printStackTrace(); - print(false,"Continuing"); - } - String aafurl; - if(user==null || (pass==null && alias==null)) { - System.out.printf("ERROR: DME2 Client cannot be tested with out %s and %s properties" - , Config.AAF_MECHID, Config.AAF_MECHPASS ); - } else { - if("TEST".equals(aaf_env) || "IST".equals(aaf_env) || "PROD".equals(aaf_env)) { - DME2Manager dm = null; - print(false,"Attempt DME2Manager Load"); - if(Class.forName("com.att.aft.dme2.api.DME2Manager")==null) { - print(true,"DME2 jar is not available: Skipping DME2 Tests"); - } else { // DME2 Client Tests - pass=pa.decrypt(pass,false); - // Out of the box DME2 - aafurl = String.format(SRV_RESOLVE, aaf_env, PROD.equals(aaf_env)?"DEFAULT":"BAU_SE"); - print(true,"TEST CADI Config",aafurl); - aafcon = testConfig(pa,aafurl); - test(aafcon,permsDF,user); - - print(true,"Find and TEST Connections with DME2Locator",aafurl); - DME2Locator dl = new DME2Locator(pa,dm,aafurl); - connectTest(dl); - - dm = new DME2Manager("DME2Manager",pa.getProperties()); - - dme2RawTest(dm, aafurl,user,pass); - - // URL specific Variant - if((aafurl = specificDME2URL(dl, aafurl))!=null) { - print(true,"TEST Specific DME2 CADI Config",aafurl); - aafcon = testConfig(pa,aafurl); - test(aafcon,permsDF,user); - - dme2RawTest(dm,aafurl,user,pass); - } - - print(true,"CADI Direct AAFConDME2 Object Usage",aafurl); - try { - pa.setProperty(Config.AAF_URL,aafurl); - aafcon = new AAFConDME2(pa); - test(aafcon,permsDF,user); - } catch(Throwable t) { - t.printStackTrace(); - } - - // find a direct client to code a Direct HTTP with - // - if(hbass!=null) { - print(true,"CADI Http DME2Locator Client Coding Methodology BasicAuth",aafurl); - hClientTest(dl,hbass,user); - } - if(hxss!=null) { - print(true,"CADI Http DME2Locator Client Coding Methodology X509",aafurl); - hClientTest(dl,hxss,user); - } - - // ##### PROXY CHECKS - aafurl = String.format(GW_RESOLVE, aaf_env, PROD.equals(aaf_env)?"DEFAULT":"BAU_SE"); - print(true,"TEST PROXY DME2 CADI Config",aafurl); - aafcon = testConfig(pa,aafurl); - test(aafcon,permsDF,user); - - - dme2RawTest(dm, aafurl,user,pass); - - // URL specific Variant - dl = new DME2Locator(pa,dm,aafurl); - if((aafurl = specificDME2URL(dl, aafurl))!=null) { - print(true,"TEST PROXY Specific DME2 CADI Config",aafurl); - aafcon = testConfig(pa,aafurl); - test(aafcon,permsDF,user); - - dme2RawTest(dm,aafurl,user,pass); - } - } - } - - // Prop Locator - PropertyLocator pl = servicePropLocator(aaf_env); - connectTest(pl); - URI uri = pl.get(pl.best()); - if(uri!=null) { - aafurl = uri.toString(); - print(true,"TEST Service PropertyLocator based Config",aafurl); - aafcon = testConfig(pa,aafurl); - test(aafcon,permsDF,user); - - if(hbass!=null) { - print(true,"CADI Service Http PropLocator Client Coding Methodology Basic Auth",aafurl); - hClientTest(pl,hbass, user); - print(true,"CADI Service Http PropLocator Client Coding Methodology /authn/basicAuth",aafurl); - basicAuthTest(pl,hbass); - } - if(hxss!=null) { - print(true,"CADI Service Http PropLocator Client Coding Methodology X509",aafurl); - hClientTest(pl,hxss, user); - } - } - pl = proxyPropLocator(aaf_env); - connectTest(pl); - uri = pl.get(pl.best()); - if(uri!=null) { - aafurl = uri.toString(); - print(true,"TEST PROXY PropertyLocator based Config",aafurl); - aafcon = testConfig(pa,aafurl); - test(aafcon,permsDF,user); - - if(hbass!=null) { - print(true,"CADI PROXY Http PropLocator Client Coding Methodology Basic Auth",aafurl); - hClientTest(pl,hbass, user); - print(true,"CADI PROXY Http PropLocator Client Coding Methodology /proxy/authn/basicAuth",aafurl); - basicAuthTest(pl,hbass); - } - if(hxss!=null) { - print(true,"CADI PROXY Http PropLocator Client Coding Methodology X509",aafurl); - hClientTest(pl,hxss, user); - } - } - } - - } catch(Exception e) { - e.printStackTrace(System.err); - } finally { - print(true,"END OF TESTS"); - } - } - } - - private static void print(Boolean strong, String ... args) { - PrintStream out = System.out; - out.println(); - if(strong) { - for(int i=0;i<70;++i) { - out.print('='); - } - out.println(); - } - for(String s : args) { - out.print(strong?"== ":"------ "); - out.print(s); - if(!strong) { - out.print(" ------"); - } - out.println(); - } - if(strong) { - for(int i=0;i<70;++i) { - out.print('='); - } - } - out.println(); - } - - private static void test(AAFCon aafcon,RosettaDF permsDF,String user) { - if(aafcon==null) { - print(false,"AAFCon is null"); - } else { - try { - print(false,"Calling with AAFCon"); - Future fp = aafcon.client("2.0").read("/authz/perms/user/"+user, Perms.class, permsDF); - if(fp.get(4000)) { - System.out.printf("Found %d Permission(s)\n",fp.value.getPerm().size()); - } else { - System.out.printf("Error: %d %s\n",fp.code(),fp.body()); - } - } catch (Throwable t) { - t.printStackTrace(); - } - } - } - - private static AAFCon testConfig(PropAccess pa, String aafurl) { - try { - pa.setProperty(Config.AAF_URL, aafurl); - Lur lur = Config.configLur(pa); - Config.configHttpTaf(pa, TrustChecker.NOTRUST, null, lur); - if(lur != null) { - Field f = null; - try { - f = lur.getClass().getField("aaf"); - return (AAFCon)f.get(lur); - } catch (Exception nsfe) { - } - } - - } catch(Throwable t) { - t.printStackTrace(); - } - return null; - } - - private static String specificDME2URL(Locator loc, String aafurl) throws LocatorException { - Item item = loc.best(); - if(item!=null) { - URI uri = loc.get(item); - return aafurl.replace("DME2RESOLVE", String.format("%s:%d",uri.getHost(),uri.getPort())); - } - return null; - } - - private static void connectTest(Locator dl) throws LocatorException { - URI uri; - Socket socket; - print(false,"TCP/IP Connect test to all Located Services"); - for(Item li = dl.first();li!=null;li=dl.next(li)) { - if((uri = dl.get(li)) == null) { - System.out.println("Locator Item empty"); - } else { - try { - socket = new Socket(); - socket.connect(new InetSocketAddress(uri.getHost(), uri.getPort()),3000); - System.out.printf("Can Connect a Socket to %s %d\n",uri.getHost(),uri.getPort()); - try { - socket.close(); - } catch (IOException e1) { - System.out.printf("Could not close Socket Connection: %s\n",e1.getMessage()); - } - } catch (IOException e) { - System.out.printf("Cannot Connect a Socket to %s %d: %s\n",uri.getHost(),uri.getPort(),e.getMessage()); - } - } - } - } - - private static PropertyLocator servicePropLocator(String env) throws LocatorException { - String purls; - switch(env) { - case "LOCAL": - try { - purls="https://"+InetAddress.getLocalHost().getHostName()+":8100"; - } catch (UnknownHostException e) { - throw new LocatorException(e); - } - break; - case "DEV": - purls="https://aaf.dev.att.com:8100,https://aaf.dev.att.com:8101"; - break; - case "TEST": - purls="https://aaftest.test.att.com:8100,https://aaftest.test.att.com:8101"; - break; - case "IST": - purls="https://aafist.test.att.com:8100,https://aafist.test.att.com:8101"; - break; - case PROD: - purls="https://aaf.it.att.com:8100,https://aaf.it.att.com:8101"; - break; - default: - if(env.contains(".")) { - purls="https://"+env+":8100"; - } else { - throw new LocatorException(ConnectivityTest.class.getSimpleName() + ": unknown Env"); - } - } - System.out.printf("Creating a PropertyLocator for %s\n",purls); - return new PropertyLocator(purls); - } - - private static PropertyLocator proxyPropLocator(String env) throws LocatorException { - String purls; - switch(env) { - case "LOCAL": - try { - purls="https://"+InetAddress.getLocalHost().getHostAddress()+":8100"; - } catch (UnknownHostException e) { - throw new LocatorException(e); - } - break; - case "DEV": - purls="https://aaf.dev.att.com:8095/proxy"; - break; - case "TEST": - purls="https://aaftest.test.att.com:8095/proxy"; - break; - case "IST": - purls="https://aafist.test.att.com:8095/proxy"; - break; - case PROD: - purls="https://aaf.it.att.com:8095/proxy"; - break; - default: - if(env.contains(".")) { - purls="https://"+env+":8095/proxy"; - } else { - throw new LocatorException(ConnectivityTest.class.getSimpleName() + ": unknown Env"); - } - - } - System.out.printf("Creating a PropertyLocator for %s\n",purls); - return new PropertyLocator(purls); - } - - - - - private static void hClientTest(Locator dl, SecuritySetter ss, String user) { - try { - URI uri = dl.get(dl.best()); - System.out.println("Resolved to: " + uri); - HClient client = new HClient(ss, uri, 3000); - client.setMethod("GET"); - client.setPathInfo("/authz/perms/user/"+user); - client.send(); - Future future = client.futureReadString(); - if(future.get(7000)) { - System.out.println(future.body()); - } else { - System.out.println(future.code() + ":" + future.body()); - } - } catch (CadiException | LocatorException | APIException e) { - e.printStackTrace(); - } - } - - - private static void basicAuthTest(PropertyLocator dl, SecuritySetter ss) { - try { - URI uri = dl.get(dl.best()); - System.out.println("Resolved to: " + uri); - HClient client = new HClient(ss, uri, 3000); - client.setMethod("GET"); - client.setPathInfo("/authn/basicAuth"); - client.addHeader("Accept", "text/plain"); - client.send(); - - - Future future = client.futureReadString(); - if(future.get(7000)) { - System.out.println("BasicAuth Validated"); - } else { - System.out.println("Failure " + future.code() + ":" + future.body()); - } - } catch (CadiException | LocatorException | APIException e) { - e.printStackTrace(); - } - } - - // Regular DME2Client Coding Style - private static void dme2RawTest(DME2Manager dm, String aafurl, String user, String pass) { - try { - if(dm==null) { - return; - } - URI uri = new URI(aafurl); - print(true,"DME2 Direct Client Coding Methodology",uri.toString()); - DME2Client client = dm.newClient( uri, 3000); - client.setMethod("GET"); // FYI, DME2 defaults to "POST" - client.setContext("/authz/perms/user/"+user); // DME2 direct requires separate setting of Context from URI - if(pass!=null) { // rely on Cert if no pass - client.setCredentials(user, pass); - } - client.setPayload(""); // DME2 will not send without something - String resp = client.sendAndWait(7000); - System.out.println(resp); - } catch(Throwable e) { - e.printStackTrace(); - } - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/PermEval.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/PermEval.java deleted file mode 100644 index 896d153..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/PermEval.java +++ /dev/null @@ -1,149 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf; - -import org.onap.aaf.inno.env.util.Split; - - -public class PermEval { - public static final char START_REGEX_CHAR = '!'; - public static final char START_INST_KEY_CHAR=':'; - public static final char ALT_START_INST_KEY_CHAR='/'; - - public static final char LIST_SEP = ','; - public static final String INST_KEY_REGEX = new StringBuilder().append(START_INST_KEY_CHAR).toString(); - public static final String ASTERIX = "*"; - - /** - * Evaluate Instance - * - * Instance can be more complex. It can be a string, a Regular Expression, or a ":" separated Key - * who's parts can also be a String, Regular Expression. - * - * sInst = Server's Instance - * In order to prevent false matches, keys must be the same length to count as equal - * Changing this will break existing users, like Cassandra. 9-4-2015 - */ - public static boolean evalInstance(String sInst, String pInst) { - if(sInst==null || pInst == null) { - return false; - } - if(ASTERIX.equals(sInst)) { - return true; // If Server's String is "*", then it accepts every Instance - } - char firstChar = pInst.charAt(0); - char startChar = firstChar==ALT_START_INST_KEY_CHAR?ALT_START_INST_KEY_CHAR:START_INST_KEY_CHAR; - switch(pInst.charAt(0)) { // First char - case START_REGEX_CHAR: // Evaluate as Regular Expression - String pItem = pInst.substring(1); - for(String sItem : Split.split(LIST_SEP,sInst)) { // allow for "," definition in Action - return sItem.matches(pItem); - } - - case START_INST_KEY_CHAR: // Evaluate a special Key field, i.e.:xyz:*:!df.* - case ALT_START_INST_KEY_CHAR: // Also allow '/' as special Key Field, i.e. /xyz/*/!.* - if(sInst.charAt(0)==startChar) { // To compare key-to-key, both strings must be keys - String[] skeys=Split.split(startChar,sInst); - String[] pkeys=Split.split(startChar,pInst); - if(skeys.length!=pkeys.length) return false; - - boolean pass = true; - for(int i=1;pass && i certs = null; - - // Did this to add other Trust Mechanisms - // Trust mechanism set by Property: - private static final String[] authMechanisms = new String[] {"tguard","basicAuth","csp"}; - private static String[] certIDs; - - private static Map> trusted =null; - - public AAFListedCertIdentity(Access access, AAFCon aafcon) throws APIException { - synchronized(AAFListedCertIdentity.class) { - if(certIDs==null) { - String cip = access.getProperty(Config.AAF_CERT_IDS, null); - if(cip!=null) { - certIDs = Split.split(',',cip); - } - } - if(certIDs!=null && certs==null) { - TimerTask cu = new CertUpdate(aafcon); - cu.run(); // want this to run in this thread first... - new Timer("AAF Identity Refresh Timer",true).scheduleAtFixedRate(cu, EIGHT_HOURS,EIGHT_HOURS); - } - } - } - - public static Set trusted(String authMech) { - return trusted.get(authMech); - } - - public Principal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException { - if(cert==null && certBytes==null)return null; - if(certBytes==null)certBytes = cert.getEncoded(); - byte[] fingerprint = X509Taf.getFingerPrint(certBytes); - String id = certs.get(new ByteArrayHolder(fingerprint)); - if(id!=null) { // Caller is Validated - return new X509Principal(id,cert,certBytes); - } - return null; - } - - private static class ByteArrayHolder implements Comparable { - private byte[] ba; - public ByteArrayHolder(byte[] ba) { - this.ba = ba; - } - public int compareTo(ByteArrayHolder b) { - return Hash.compareTo(ba, b.ba); - } - } - - private class CertUpdate extends TimerTask { - - private AAFCon aafcon; - public CertUpdate(AAFCon con) { - aafcon = con; - } - - @Override - public void run() { - try { - TreeMap newCertsMap = new TreeMap(); - Map> newTrustMap = new TreeMap>(); - Set userLookup = new HashSet(); - for(String s : certIDs) { - userLookup.add(s); - } - for(String authMech : authMechanisms) { - Future fusr = aafcon.client(AAF_VERSION).read("/authz/users/perm/org.onap.aaf.trust/"+authMech+"/authenticate", Users.class, aafcon.usersDF); - if(fusr.get(5000)) { - List users = fusr.value.getUser(); - if(users.isEmpty()) { - aafcon.access.log(Level.WARN, "AAF Lookup-No IDs in Role com.att.aaf.trustForID <> "+authMech); - } else { - aafcon.access.log(Level.INFO,"Loading Trust Authentication Info for",authMech); - Set hsUser = new HashSet(); - for(User u : users) { - userLookup.add(u.getId()); - hsUser.add(u.getId()); - } - newTrustMap.put(authMech,hsUser); - } - } else { - aafcon.access.log(Level.WARN, "Could not get Users in Perm com.att.trust|tguard|authenticate",fusr.code(),fusr.body()); - } - - } - - for(String u : userLookup) { - Future fc = aafcon.client(AAF_VERSION).read("/authn/cert/id/"+u, Certs.class, aafcon.certsDF); - XMLGregorianCalendar now = Chrono.timeStamp(); - if(fc.get(5000)) { - List certs = fc.value.getCert(); - if(certs.isEmpty()) { - aafcon.access.log(Level.WARN, "No Cert Associations for",u); - } else { - for(Cert c : fc.value.getCert()) { - XMLGregorianCalendar then =c.getExpires(); - if(then !=null && then.compare(now)>0) { - newCertsMap.put(new ByteArrayHolder(c.getFingerprint()), c.getId()); - aafcon.access.log(Level.INIT,"Associating "+ c.getId() + " expiring " + Chrono.dateOnlyStamp(c.getExpires()) + " with " + c.getX500()); - } - } - } - } else { - aafcon.access.log(Level.WARN, "Could not get Certificates for",u); - } - } - - certs = newCertsMap; - trusted = newTrustMap; - } catch(Exception e) { - aafcon.access.log(e, "Failure to update Certificate Identities from AAF"); - } - } - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/ErrMessage.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/ErrMessage.java deleted file mode 100644 index c49113d..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/ErrMessage.java +++ /dev/null @@ -1,98 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.client; - -import java.io.PrintStream; - -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.util.Vars; - -import aaf.v2_0.Error; - -import org.onap.aaf.inno.env.APIException; -import org.onap.aaf.inno.env.Data.TYPE; -import org.onap.aaf.rosetta.env.RosettaDF; -import org.onap.aaf.rosetta.env.RosettaEnv; - -public class ErrMessage { - private RosettaDF errDF; - - public ErrMessage(RosettaEnv env) throws APIException { - errDF = env.newDataFactory(Error.class); - } - - /** - * AT&T Requires a specific Error Format for RESTful Services, which AAF complies with. - * - * This code will create a meaningful string from this format. - * - * @param ps - * @param df - * @param r - * @throws APIException - */ - public void printErr(PrintStream ps, String attErrJson) throws APIException { - StringBuilder sb = new StringBuilder(); - Error err = errDF.newData().in(TYPE.JSON).load(attErrJson).asObject(); - ps.println(toMsg(sb,err)); - } - - /** - * AT&T Requires a specific Error Format for RESTful Services, which AAF complies with. - * - * This code will create a meaningful string from this format. - * - * @param sb - * @param df - * @param r - * @throws APIException - */ - public StringBuilder toMsg(StringBuilder sb, String attErrJson) throws APIException { - return toMsg(sb,errDF.newData().in(TYPE.JSON).load(attErrJson).asObject()); - } - - public StringBuilder toMsg(Future future) { - return toMsg(new StringBuilder(),future); - } - - public StringBuilder toMsg(StringBuilder sb, Future future) { - try { - toMsg(sb,errDF.newData().in(TYPE.JSON).load(future.body()).asObject()); - } catch(Exception e) { - //just print what we can - sb.append(future.code()); - sb.append(": "); - sb.append(future.body()); - } - return sb; - } - - public StringBuilder toMsg(StringBuilder sb, Error err) { - sb.append(err.getMessageId()); - sb.append(' '); - String[] vars = new String[err.getVariables().size()]; - err.getVariables().toArray(vars); - Vars.convert(sb, err.getText(),vars); - return sb; - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/Examples.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/Examples.java deleted file mode 100644 index 8867862..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/Examples.java +++ /dev/null @@ -1,444 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.client; - - -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; -import java.util.GregorianCalendar; - -import aaf.v2_0.Approval; -import aaf.v2_0.Approvals; -import aaf.v2_0.CredRequest; -import aaf.v2_0.Keys; -import aaf.v2_0.NsRequest; -import aaf.v2_0.Nss; -import aaf.v2_0.Nss.Ns; -import aaf.v2_0.Perm; -import aaf.v2_0.PermKey; -import aaf.v2_0.PermRequest; -import aaf.v2_0.Perms; -import aaf.v2_0.Pkey; -import aaf.v2_0.Request; -import aaf.v2_0.Role; -import aaf.v2_0.RoleKey; -import aaf.v2_0.RolePermRequest; -import aaf.v2_0.RoleRequest; -import aaf.v2_0.Roles; -import aaf.v2_0.UserRole; -import aaf.v2_0.UserRoleRequest; -import aaf.v2_0.UserRoles; -import aaf.v2_0.Users; -import aaf.v2_0.Users.User; - -import org.onap.aaf.inno.env.APIException; -import org.onap.aaf.inno.env.Data; -import org.onap.aaf.inno.env.Data.TYPE; -import org.onap.aaf.inno.env.util.Chrono; -import org.onap.aaf.rosetta.env.RosettaDF; -import org.onap.aaf.rosetta.env.RosettaEnv; - -public class Examples { - public static String print(RosettaEnv env, String nameOrContentType, boolean optional) throws APIException, SecurityException, NoSuchMethodException, IllegalArgumentException, IllegalAccessException, InvocationTargetException { - // Discover ClassName - String className = null; - String version = null; - TYPE type = TYPE.JSON; // default - if(nameOrContentType.startsWith("application/")) { - for(String ct : nameOrContentType.split("\\s*,\\s*")) { - for(String elem : ct.split("\\s*;\\s*")) { - if(elem.endsWith("+json")) { - type = TYPE.JSON; - className = elem.substring(elem.indexOf('/')+1, elem.length()-5); - } else if(elem.endsWith("+xml")) { - type = TYPE.XML; - className = elem.substring(elem.indexOf('/')+1, elem.length()-4); - } else if(elem.startsWith("version=")) { - version = elem.substring(8); - } - } - if(className!=null && version!=null)break; - } - if(className==null) { - throw new APIException(nameOrContentType + " does not contain Class Information"); - } - } else { - className = nameOrContentType; - } - - // No Void.class in aaf.v2_0 package causing errors when trying to use a newVoidv2_0 - // method similar to others in this class. This makes it work, but is it right? - if ("Void".equals(className)) return ""; - - if("1.1".equals(version)) { - version = "v1_0"; - } else if(version!=null) { - version = "v" + version.replace('.', '_'); - } else { - version = "v2_0"; - } - - Class cls; - try { - cls = Examples.class.getClassLoader().loadClass("aaf."+version+'.'+className); - } catch (ClassNotFoundException e) { - throw new APIException(e); - } - - Method meth; - try { - meth = Examples.class.getDeclaredMethod("new"+cls.getSimpleName()+version,boolean.class); - } catch (Exception e) { - throw new APIException("ERROR: " + cls.getName() + " does not have an Example in Code. Request from AAF Developers"); - } - - RosettaDF df = env.newDataFactory(cls); - df.option(Data.PRETTY); - - Object data = meth.invoke(null,optional); - - @SuppressWarnings("unchecked") - String rv = df.newData().load((C)data).out(type).asString(); -// Object obj = df.newData().in(type).load(rv).asObject(); - return rv; - } - - /* - * Set Base Class Request (easier than coding over and over) - */ - private static void setOptional(Request req) { - GregorianCalendar gc = new GregorianCalendar(); - req.setStart(Chrono.timeStamp(gc)); - gc.add(GregorianCalendar.MONTH, 6); - req.setEnd(Chrono.timeStamp(gc)); -// req.setForce("false"); - - } - - @SuppressWarnings("unused") - private static Request newRequestv2_0(boolean optional) { - Request r = new Request(); - setOptional(r); - return r; - } - @SuppressWarnings("unused") - private static RolePermRequest newRolePermRequestv2_0(boolean optional) { - RolePermRequest rpr = new RolePermRequest(); - Pkey pkey = new Pkey(); - pkey.setType("com.att.myns.mytype"); - pkey.setInstance("myInstance"); - pkey.setAction("myAction"); - rpr.setPerm(pkey); - rpr.setRole("com.att.myns.myrole"); - if(optional)setOptional(rpr); - return rpr; - } - - @SuppressWarnings("unused") - private static Roles newRolesv2_0(boolean optional) { - Role r; - Pkey p; - Roles rs = new Roles(); - rs.getRole().add(r = new Role()); - r.setName("com.att.myns.myRole"); - r.getPerms().add(p = new Pkey()); - p.setType("com.att.myns.myType"); - p.setInstance("myInstance"); - p.setAction("myAction"); - - r.getPerms().add(p = new Pkey()); - p.setType("com.att.myns.myType"); - p.setInstance("myInstance"); - p.setAction("myOtherAction"); - - rs.getRole().add(r = new Role()); - r.setName("com.att.myns.myOtherRole"); - r.getPerms().add(p = new Pkey()); - p.setType("com.att.myns.myOtherType"); - p.setInstance("myInstance"); - p.setAction("myAction"); - - r.getPerms().add(p = new Pkey()); - p.setType("com.att.myns.myOthertype"); - p.setInstance("myInstance"); - p.setAction("myOtherAction"); - - return rs; - } - - - @SuppressWarnings("unused") - private static PermRequest newPermRequestv2_0(boolean optional) { - PermRequest pr = new PermRequest(); - pr.setType("com.att.myns.myType"); - pr.setInstance("myInstance"); - pr.setAction("myAction"); - if(optional) { - pr.setDescription("Short and meaningful verbiage about the Permission"); - - setOptional(pr); - } - return pr; - } - - @SuppressWarnings("unused") - private static Perm newPermv2_0(boolean optional) { - Perm pr = new Perm(); - pr.setType("com.att.myns.myType"); - pr.setInstance("myInstance"); - pr.setAction("myAction"); - pr.getRoles().add("com.att.myns.myRole"); - pr.getRoles().add("com.att.myns.myRole2"); - pr.setDescription("This is my description, and I'm sticking with it"); - if(optional) { - pr.setDescription("Short and meaningful verbiage about the Permission"); - } - return pr; - } - - - @SuppressWarnings("unused") - private static PermKey newPermKeyv2_0(boolean optional) { - PermKey pr = new PermKey(); - pr.setType("com.att.myns.myType"); - pr.setInstance("myInstance"); - pr.setAction("myAction"); - return pr; - } - - @SuppressWarnings("unused") - private static Perms newPermsv2_0(boolean optional) { - Perms perms = new Perms(); - Perm p; - perms.getPerm().add(p=new Perm()); - p.setType("com.att.myns.myType"); - p.setInstance("myInstance"); - p.setAction("myAction"); - p.getRoles().add("com.att.myns.myRole"); - p.getRoles().add("com.att.myns.myRole2"); - - - perms.getPerm().add(p=new Perm()); - p.setType("com.att.myns.myOtherType"); - p.setInstance("myInstance"); - p.setAction("myOtherAction"); - p.getRoles().add("com.att.myns.myRole"); - p.getRoles().add("com.att.myns.myRole2"); - - return perms; - - } - - @SuppressWarnings("unused") - private static UserRoleRequest newUserRoleRequestv2_0(boolean optional) { - UserRoleRequest urr = new UserRoleRequest(); - urr.setRole("com.att.myns.myRole"); - urr.setUser("ab1234@csp.att.com"); - if(optional) setOptional(urr); - return urr; - } - - @SuppressWarnings("unused") - private static NsRequest newNsRequestv2_0(boolean optional) { - NsRequest nr = new NsRequest(); - nr.setName("com.att.myns"); - nr.getResponsible().add("ab1234@csp.att.com"); - nr.getResponsible().add("cd5678@csp.att.com"); - nr.getAdmin().add("zy9876@csp.att.com"); - nr.getAdmin().add("xw5432@csp.att.com"); - if(optional) { - nr.setDescription("This is my Namespace to set up"); - nr.setType("APP"); - setOptional(nr); - } - return nr; - } - - - @SuppressWarnings("unused") - private static Nss newNssv2_0(boolean optional) { - Ns ns; - - Nss nss = new Nss(); - nss.getNs().add(ns = new Nss.Ns()); - ns.setName("com.att.myns"); - ns.getResponsible().add("ab1234@csp.att.com"); - ns.getResponsible().add("cd5678@csp.att.com"); - ns.getAdmin().add("zy9876@csp.att.com"); - ns.getAdmin().add("xw5432@csp.att.com"); - ns.setDescription("This is my Namespace to set up"); - - nss.getNs().add(ns = new Nss.Ns()); - ns.setName("com.att.myOtherNs"); - ns.getResponsible().add("ab1234@csp.att.com"); - ns.getResponsible().add("cd5678@csp.att.com"); - ns.getAdmin().add("zy9876@csp.att.com"); - ns.getAdmin().add("xw5432@csp.att.com"); - - return nss; - } - @SuppressWarnings("unused") - private static RoleRequest newRoleRequestv2_0(boolean optional) { - RoleRequest rr = new RoleRequest(); - rr.setName("com.att.myns.myRole"); - if(optional) { - rr.setDescription("This is my Role"); - setOptional(rr); - } - return rr; - } - - @SuppressWarnings("unused") - private static CredRequest newCredRequestv2_0(boolean optional) { - CredRequest cr = new CredRequest(); - cr.setId("myID@fully.qualified.domain"); - if(optional) { - cr.setType(2); - cr.setEntry("0x125AB256344CE"); - } else { - cr.setPassword("This is my provisioned password"); - } - - return cr; - } - - @SuppressWarnings("unused") - private static Users newUsersv2_0(boolean optional) { - User user; - - Users users = new Users(); - users.getUser().add(user = new Users.User()); - user.setId("ab1234@csp.att.com"); - GregorianCalendar gc = new GregorianCalendar(); - user.setExpires(Chrono.timeStamp(gc)); - - users.getUser().add(user = new Users.User()); - user.setId("zy9876@csp.att.com"); - user.setExpires(Chrono.timeStamp(gc)); - - return users; - } - - @SuppressWarnings("unused") - private static Role newRolev2_0(boolean optional) { - Role r = new Role(); - Pkey p; - r.setName("com.att.myns.myRole"); - r.getPerms().add(p = new Pkey()); - p.setType("com.att.myns.myType"); - p.setInstance("myInstance"); - p.setAction("myAction"); - - return r; - } - - @SuppressWarnings("unused") - private static RoleKey newRoleKeyv2_0(boolean optional) { - RoleKey r = new RoleKey(); - Pkey p; - r.setName("com.att.myns.myRole"); - return r; - } - - @SuppressWarnings("unused") - private static Keys newKeysv2_0(boolean optional) { - Keys ks = new Keys(); - ks.getKey().add("Reponse 1"); - ks.getKey().add("Response 2"); - return ks; - } - - @SuppressWarnings("unused") - private static UserRoles newUserRolesv2_0(boolean optional) { - UserRoles urs = new UserRoles(); - UserRole ur = new UserRole(); - ur.setUser("xy1234"); - ur.setRole("com.test.myapp.myRole"); - ur.setExpires(Chrono.timeStamp()); - urs.getUserRole().add(ur); - - ur = new UserRole(); - ur.setUser("yx4321"); - ur.setRole("com.test.yourapp.yourRole"); - ur.setExpires(Chrono.timeStamp()); - urs.getUserRole().add(ur); - return urs; - } - - - @SuppressWarnings("unused") - private static Approvals newApprovalsv2_0(boolean optional) { - Approvals as = new Approvals(); - Approval a = new Approval(); - a.setApprover("MyApprover"); - a.setId("MyID"); - a.setMemo("My memo (and then some)"); - a.setOperation("MyOperation"); - a.setStatus("MyStatus"); - a.setTicket("MyTicket"); - a.setType("MyType"); - a.setUpdated(Chrono.timeStamp()); - a.setUser("MyUser"); - as.getApprovals().add(a); - a = new Approval(); - a.setApprover("MyApprover2"); - a.setId("MyID2"); - a.setMemo("My memo (and then some)2"); - a.setOperation("MyOperation2"); - a.setStatus("MyStatus2"); - a.setTicket("MyTicket2"); - a.setType("MyType2"); - a.setUpdated(Chrono.timeStamp()); - a.setUser("MyUser2"); - as.getApprovals().add(a); - return as; - } - - @SuppressWarnings("unused") - private static Approval newApprovalv2_0(boolean optional) { - Approval a = new Approval(); - a.setApprover("MyApprover"); - a.setId("MyID"); - a.setMemo("My memo (and then some)"); - a.setOperation("MyOperation"); - a.setStatus("MyStatus"); - a.setTicket("MyTicket"); - a.setType("MyType"); - a.setUpdated(Chrono.timeStamp()); - a.setUser("MyUser"); - return a; - } - - - - @SuppressWarnings("unused") - private static aaf.v2_0.Error newErrorv2_0(boolean optional) { - aaf.v2_0.Error err = new aaf.v2_0.Error(); - err.setMessageId("SVC1403"); - err.setText("MyText %s, %s: The last three digits are usually the HTTP Code"); - err.getVariables().add("Variable 1"); - err.getVariables().add("Variable 2"); - return err; - } - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertMarshal.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertMarshal.java deleted file mode 100644 index 8871969..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertMarshal.java +++ /dev/null @@ -1,66 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.marshal; - -import javax.xml.datatype.XMLGregorianCalendar; - -import aaf.v2_0.Certs.Cert; - -import org.onap.aaf.rosetta.marshal.FieldDateTime; -import org.onap.aaf.rosetta.marshal.FieldHexBinary; -import org.onap.aaf.rosetta.marshal.FieldString; -import org.onap.aaf.rosetta.marshal.ObjMarshal; - -public class CertMarshal extends ObjMarshal { - public CertMarshal() { - add(new FieldHexBinary("fingerprint") { - @Override - protected byte[] data(Cert t) { - return t.getFingerprint(); - } - }); - - add(new FieldString("id") { - @Override - protected String data(Cert t) { - return t.getId(); - } - }); - - add(new FieldString("x500") { - @Override - protected String data(Cert t) { - return t.getX500(); - } - }); - - add(new FieldDateTime("expires") { - @Override - protected XMLGregorianCalendar data(Cert t) { - return t.getExpires(); - } - }); - - - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertsMarshal.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertsMarshal.java deleted file mode 100644 index 70a1c96..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertsMarshal.java +++ /dev/null @@ -1,45 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.marshal; - -import java.util.List; - -import aaf.v2_0.Certs; -import aaf.v2_0.Certs.Cert; - -import org.onap.aaf.rosetta.marshal.ObjArray; -import org.onap.aaf.rosetta.marshal.ObjMarshal; - -public class CertsMarshal extends ObjMarshal { - - public CertsMarshal() { - add(new ObjArray("cert",new CertMarshal()) { - @Override - protected List data(Certs t) { - return t.getCert(); - } - }); - } - - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java deleted file mode 100644 index 6d6d947..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java +++ /dev/null @@ -1,207 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.io.IOException; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.CachedPrincipal; -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.GetCred; -import org.onap.aaf.cadi.Hash; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.lur.ConfigPrincipal; - -import com.att.aft.dme2.api.DME2Exception; -import org.onap.aaf.inno.env.APIException; - -public class AAFAuthn extends AbsUserCache { - private AAFCon con; - private String realm; - - /** - * Configure with Standard AAF properties, Stand alone - * @param con - * @throws Exception - */ - // Package on purpose - AAFAuthn(AAFCon con) throws Exception { - super(con.access,con.cleanInterval,con.highCount,con.usageRefreshTriggerCount); - this.con = con; - - try { - setRealm(); - } catch (APIException e) { - if(e.getCause() instanceof DME2Exception) { - // Can't contact AAF, assume default - realm=con.access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm()); - } - } - } - - /** - * Configure with Standard AAF properties, but share the Cache (with AAF Lur) - * @param con - * @throws Exception - */ - // Package on purpose - AAFAuthn(AAFCon con, AbsUserCache cache) throws Exception { - super(cache); - this.con = con; - try { - setRealm(); - } catch (Exception e) { - if(e.getCause() instanceof DME2Exception) { - access.log(e); - // Can't contact AAF, assume default - realm=con.access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm()); - } - } - } - - private void setRealm() throws Exception { - // Make a call without security set to get the 401 response, which - // includes the Realm of the server - // This also checks on Connectivity early on. - Future fp = con.client(AAFCon.AAF_LATEST_VERSION).read("/authn/basicAuth", "text/plain"); - if(fp.get(con.timeout)) { - throw new Exception("Do not preset Basic Auth Information for AAFAuthn"); - } else { - if(fp.code()==401) { - realm = fp.header("WWW-Authenticate"); - if(realm!=null && realm.startsWith("Basic realm=\"")) { - realm = realm.substring(13, realm.length()-1); - } else { - realm = "unknown.com"; - } - } - } - } - - /** - * Return Native Realm of AAF Instance. - * - * @return - */ - public String getRealm() { - return realm; - } - - /** - * Returns null if ok, or an Error String; - * - * @param user - * @param password - * @return - * @throws IOException - * @throws CadiException - * @throws Exception - */ - public String validate(String user, String password) throws IOException, CadiException { - User usr = getUser(user); - if(password.startsWith("enc:???")) { - password = access.decrypt(password, true); - } - - byte[] bytes = password.getBytes(); - if(usr != null && usr.principal != null && usr.principal.getName().equals(user) - && usr.principal instanceof GetCred) { - - if(Hash.isEqual(((GetCred)usr.principal).getCred(),bytes)) { - return null; - } else { - remove(usr); - usr = null; - } - } - - AAFCachedPrincipal cp = new AAFCachedPrincipal(this,con.app, user, bytes, con.cleanInterval); - // Since I've relocated the Validation piece in the Principal, just revalidate, then do Switch - // Statement - switch(cp.revalidate()) { - case REVALIDATED: - if(usr!=null) { - usr.principal = cp; - } else { - addUser(new User(cp,con.timeout)); - } - return null; - case INACCESSIBLE: - return "AAF Inaccessible"; - case UNVALIDATED: - return "User/Pass combo invalid for " + user; - case DENIED: - return "AAF denies API for " + user; - default: - return "AAFAuthn doesn't handle Principal " + user; - } - } - - private class AAFCachedPrincipal extends ConfigPrincipal implements CachedPrincipal { - private long expires,timeToLive; - - public AAFCachedPrincipal(AAFAuthn aaf, String app, String name, byte[] pass, int timeToLive) { - super(name,pass); - this.timeToLive = timeToLive; - expires = timeToLive + System.currentTimeMillis(); - } - - public Resp revalidate() { - if(con.isDisabled()) { - return Resp.DENIED; - } - try { - Miss missed = missed(getName()); - if(missed==null || missed.mayContinue(getCred())) { - Rcli client = con.client(AAFCon.AAF_LATEST_VERSION).forUser(con.basicAuth(getName(), new String(getCred()))); - Future fp = client.read( - "/authn/basicAuth", - "text/plain" - ); - if(fp.get(con.timeout)) { - expires = System.currentTimeMillis() + timeToLive; - addUser(new User(this, expires)); - return Resp.REVALIDATED; - } else { - addMiss(getName(), getCred()); - return Resp.UNVALIDATED; - } - } else { - return Resp.UNVALIDATED; - } - } catch (Exception e) { - con.access.log(e); - return Resp.INACCESSIBLE; - } - } - - public long expires() { - return expires; - } - }; - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java deleted file mode 100644 index 3ec6fed..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java +++ /dev/null @@ -1,396 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.net.URI; -import java.security.Principal; -import java.util.Map; -import java.util.concurrent.ConcurrentHashMap; - -import javax.servlet.ServletRequest; -import javax.servlet.http.HttpServletRequest; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.CadiWrap; -import org.onap.aaf.cadi.Connector; -import org.onap.aaf.cadi.LocatorException; -import org.onap.aaf.cadi.Lur; -import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.SecuritySetter; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.aaf.marshal.CertsMarshal; -import org.onap.aaf.cadi.client.AbsBasicAuth; -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.client.Retryable; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.config.SecurityInfoC; -import org.onap.aaf.cadi.lur.EpiLur; -import org.onap.aaf.cadi.principal.BasicPrincipal; -import org.onap.aaf.cadi.util.Vars; - -import org.onap.aaf.inno.env.APIException; -import org.onap.aaf.inno.env.Data.TYPE; -import org.onap.aaf.inno.env.util.Split; -import org.onap.aaf.rosetta.env.RosettaDF; -import org.onap.aaf.rosetta.env.RosettaEnv; - -import aaf.v2_0.Certs; -import aaf.v2_0.Error; -import aaf.v2_0.Perms; -import aaf.v2_0.Users; - -public abstract class AAFCon implements Connector { - public static final String AAF_LATEST_VERSION = "2.0"; - - final public PropAccess access; - // Package access - final public int timeout, cleanInterval, connTimeout; - final public int highCount, userExpires, usageRefreshTriggerCount; - private Map> clients = new ConcurrentHashMap>(); - final public RosettaDF permsDF; - final public RosettaDF certsDF; - final public RosettaDF usersDF; - final public RosettaDF errDF; - private String realm; - public final String app; - protected SecuritySetter ss; - protected SecurityInfoC si; - - private DisableCheck disableCheck; - - private AAFLurPerm lur; - - private RosettaEnv env; - protected abstract URI initURI(); - protected abstract void setInitURI(String uriString) throws CadiException; - - /** - * Use this call to get the appropriate client based on configuration (DME2, HTTP, future) - * - * @param apiVersion - * @return - * @throws CadiException - */ - public Rcli client(String apiVersion) throws CadiException { - Rcli client = clients.get(apiVersion); - if(client==null) { - client = rclient(initURI(),ss); - client.apiVersion(apiVersion) - .readTimeout(connTimeout); - clients.put(apiVersion, client); - } - return client; - } - - /** - * Use this API when you have permission to have your call act as the end client's ID. - * - * Your calls will get 403 errors if you do not have this permission. it is a special setup, rarely given. - * - * @param apiVersion - * @param req - * @return - * @throws CadiException - */ - public Rcli clientAs(String apiVersion, ServletRequest req) throws CadiException { - Rcli cl = client(apiVersion); - return cl.forUser(transferSS(((HttpServletRequest)req).getUserPrincipal())); - } - - protected AAFCon(AAFCon copy) { - access = copy.access; - timeout = copy.timeout; - cleanInterval = copy.cleanInterval; - connTimeout = copy.connTimeout; - highCount = copy.highCount; - userExpires = copy.userExpires; - usageRefreshTriggerCount = copy.usageRefreshTriggerCount; - permsDF = copy.permsDF; - certsDF = copy.certsDF; - usersDF = copy.usersDF; - errDF = copy.errDF; - app = copy.app; - ss = copy.ss; - si = copy.si; - env = copy.env; - disableCheck = copy.disableCheck; - realm = copy.realm; - } - - protected AAFCon(PropAccess access, String tag, SecurityInfoC si) throws CadiException{ - if(tag==null) { - throw new CadiException("AAFCon cannot be constructed with a tag=null"); - } - try { - this.access = access; - this.si = si; - this.ss = si.defSS; - if(ss==null) { - String mechid = access.getProperty(Config.AAF_MECHID, null); - String encpass = access.getProperty(Config.AAF_MECHPASS, null); - if(encpass==null) { - String alias = access.getProperty(Config.CADI_ALIAS, mechid); - if(alias==null) { - throw new CadiException(Config.CADI_ALIAS + " or " + Config.AAF_MECHID + " required."); - } - set(si.defSS=x509Alias(alias)); - } else { - if(mechid!=null && encpass !=null) { - set(si.defSS=basicAuth(mechid, encpass)); - } else { - set(si.defSS=new SecuritySetter() { - - @Override - public String getID() { - return ""; - } - - @Override - public void setSecurity(CLIENT client) throws CadiException { - throw new CadiException("AAFCon has not been initialized with Credentials (SecuritySetter)"); - } - - @Override - public int setLastResponse(int respCode) { - return 0; - } - }); - } - } - } - - timeout = Integer.parseInt(access.getProperty(Config.AAF_READ_TIMEOUT, Config.AAF_READ_TIMEOUT_DEF)); - cleanInterval = Integer.parseInt(access.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)); - highCount = Integer.parseInt(access.getProperty(Config.AAF_HIGH_COUNT, Config.AAF_HIGH_COUNT_DEF).trim()); - connTimeout = Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF).trim()); - userExpires = Integer.parseInt(access.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF).trim()); - usageRefreshTriggerCount = Integer.parseInt(access.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF).trim())-1; // zero based - - String str = access.getProperty(tag,null); - if(str==null) { - throw new CadiException(tag + " property is required."); - } - setInitURI(str); - - app=reverseDomain(ss.getID()); - realm="openecomp.org"; - - env = new RosettaEnv(); - permsDF = env.newDataFactory(Perms.class); - usersDF = env.newDataFactory(Users.class); - certsDF = env.newDataFactory(Certs.class); - certsDF.rootMarshal(new CertsMarshal()); // Speedier Marshaling - errDF = env.newDataFactory(Error.class); - } catch (APIException e) { - throw new CadiException("AAFCon cannot be configured",e); - } - } - - public RosettaEnv env() { - return env; - } - - /** - * Return the backing AAFCon, if there is a Lur Setup that is AAF. - * - * If there is no AAFLur setup, it will return "null" - * @param servletRequest - * @return - */ - public static final AAFCon obtain(Object servletRequest) { - if(servletRequest instanceof CadiWrap) { - Lur lur = ((CadiWrap)servletRequest).getLur(); - if(lur != null) { - if(lur instanceof EpiLur) { - AbsAAFLur aal = (AbsAAFLur) ((EpiLur)lur).subLur(AbsAAFLur.class); - if(aal!=null) { - return aal.aaf; - } - } else { - if(lur instanceof AbsAAFLur) { - return ((AbsAAFLur)lur).aaf; - } - } - } - } - return null; - } - - public abstract AAFCon clone(String url) throws CadiException; - - public AAFAuthn newAuthn() throws APIException { - try { - return new AAFAuthn(this); - } catch (APIException e) { - throw e; - } catch (Exception e) { - throw new APIException(e); - } - } - - public AAFAuthn newAuthn(AbsUserCache c) throws APIException { - try { - return new AAFAuthn(this,c); - } catch (APIException e) { - throw e; - } catch (Exception e) { - throw new APIException(e); - } - } - - public AAFLurPerm newLur() throws CadiException { - try { - if(lur==null) { - return new AAFLurPerm(this); - } else { - return new AAFLurPerm(this,lur); - } - } catch (CadiException e) { - throw e; - } catch (Exception e) { - throw new CadiException(e); - } - } - - public AAFLurPerm newLur(AbsUserCache c) throws APIException { - try { - return new AAFLurPerm(this,c); - } catch (APIException e) { - throw e; - } catch (Exception e) { - throw new APIException(e); - } - } - - /** - * Take a Fully Qualified User, and get a Namespace from it. - * @param user - * @return - */ - public static String reverseDomain(String user) { - StringBuilder sb = null; - String[] split = Split.split('.',user); - int at; - for(int i=split.length-1;i>=0;--i) { - if(sb == null) { - sb = new StringBuilder(); - } else { - sb.append('.'); - } - - if((at = split[i].indexOf('@'))>0) { - sb.append(split[i].subSequence(at+1, split[i].length())); - } else { - sb.append(split[i]); - } - } - - return sb==null?"":sb.toString(); - } - - protected abstract Rcli rclient(URI uri, SecuritySetter ss) throws CadiException; - - public abstract RET best(Retryable retryable) throws LocatorException, CadiException, APIException; - - - public abstract SecuritySetter basicAuth(String user, String password) throws CadiException; - - public abstract SecuritySetter transferSS(Principal principal) throws CadiException; - - public abstract SecuritySetter basicAuthSS(BasicPrincipal principal) throws CadiException; - - public abstract SecuritySetter x509Alias(String alias) throws APIException, CadiException; - - - public String getRealm() { - return realm; - - } - - public SecuritySetter set(final SecuritySetter ss) { - this.ss = ss; - if(ss instanceof AbsBasicAuth) { - disableCheck = (ss instanceof AbsBasicAuth)? - new DisableCheck() { - AbsBasicAuth aba = (AbsBasicAuth)ss; - @Override - public boolean isDisabled() { - return aba.isDenied(); - } - }: - new DisableCheck() { - @Override - public boolean isDisabled() { - return this.isDisabled(); - } - }; - } - for(Rcli client : clients.values()) { - client.setSecuritySetter(ss); - } - return ss; - } - - public SecurityInfoC securityInfo() { - return si; - } - - public String defID() { - if(ss!=null) { - return ss.getID(); - } - return "unknown"; - } - - public void invalidate() throws CadiException { - for(Rcli client : clients.values()) { - client.invalidate(); - clients.remove(client); - } - } - - public String readableErrMsg(Future f) { - String text = f.body(); - if(text==null || text.length()==0) { - text = f.code() + ": **No Message**"; - } else if(text.contains("%")) { - try { - Error err = errDF.newData().in(TYPE.JSON).load(f.body()).asObject(); - return Vars.convert(err.getText(),err.getVariables()); - } catch (APIException e){ - // just return the body below - } - } - return text; - } - - private interface DisableCheck { - public boolean isDisabled(); - }; - - public boolean isDisabled() { - return disableCheck.isDisabled(); - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java deleted file mode 100644 index 2757efc..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConDME2.java +++ /dev/null @@ -1,224 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.io.IOException; -import java.net.ConnectException; -import java.net.URI; -import java.net.URISyntaxException; -import java.security.GeneralSecurityException; -import java.security.Principal; -import java.util.Properties; - -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.LocatorException; -import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.SecuritySetter; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.client.Retryable; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.config.SecurityInfoC; -import org.onap.aaf.cadi.dme2.DME2BasicAuth; -import org.onap.aaf.cadi.dme2.DME2TransferSS; -import org.onap.aaf.cadi.dme2.DME2x509SS; -import org.onap.aaf.cadi.dme2.DRcli; -import org.onap.aaf.cadi.principal.BasicPrincipal; - -import com.att.aft.dme2.api.DME2Client; -import com.att.aft.dme2.api.DME2Exception; -import com.att.aft.dme2.api.DME2Manager; -import org.onap.aaf.inno.env.APIException; - -public class AAFConDME2 extends AAFCon{ - private DME2Manager manager; - private boolean isProxy; - private URI initURI; - - public AAFConDME2(PropAccess access) throws CadiException, GeneralSecurityException, IOException{ - super(access,Config.AAF_URL,new SecurityInfoC (access)); - manager = newManager(access); - setIsProxy(); - } - - public AAFConDME2(PropAccess access, String url) throws CadiException, GeneralSecurityException, IOException{ - super(access,url,new SecurityInfoC (access)); - manager = newManager(access); - setIsProxy(); - } - - public AAFConDME2(PropAccess access, SecurityInfoC si) throws CadiException { - super(access,Config.AAF_URL,si); - manager = newManager(access); - setIsProxy(); - } - - public AAFConDME2(PropAccess access, String url, SecurityInfoC si) throws CadiException { - super(access,url,si); - manager = newManager(access); - setIsProxy(); - } - - /** - * Construct a Connector based on the AAF one. This is for remote access to OTHER than AAF, - * but using Credentials, etc - */ - private AAFConDME2(AAFCon aafcon, String url) throws CadiException { - super(aafcon); - try { - initURI = new URI(url); - } catch (URISyntaxException e) { - throw new CadiException(e); - } - manager = newManager(access); - } - - /** - * Create a Connector based on the AAF one. This is for remote access to OTHER than AAF, - * but using Credentials, etc - */ - public AAFCon clone(String url) throws CadiException { - return new AAFConDME2(this,url); - } - - private void setIsProxy() { - String str; - if((str=access.getProperty(Config.AAF_URL, null))!=null) { - isProxy = str.contains("service=com.att.authz.authz-gw/version="); - } - } - - private DME2Manager newManager(PropAccess access) throws CadiException { - Properties props = access.getDME2Properties(); - // Critical that TLS Settings not ignored - try { - return new DME2Manager("AAFCon",props); - } catch (DME2Exception e) { - throw new CadiException(e); - } - } - - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#basicAuth(java.lang.String, java.lang.String) - */ - @Override - public SecuritySetter basicAuth(String user, String password) throws CadiException { - if(password.startsWith("enc:???")) { - try { - password = access.decrypt(password, true); - } catch (IOException e) { - throw new CadiException("Error Decrypting Password",e); - } - } - - try { - return set(new DME2BasicAuth(user,password,si)); - } catch (IOException e) { - throw new CadiException("Error setting up DME2BasicAuth",e); - } - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#rclient(java.net.URI, com.att.cadi.SecuritySetter) - */ - @Override - protected Rcli rclient(URI uri, SecuritySetter ss) { - DRcli dc = new DRcli(uri, ss); - dc.setProxy(isProxy); - dc.setManager(manager); - return dc; - } - - @Override - public SecuritySetter transferSS(Principal principal) throws CadiException { - try { - return principal==null?ss:new DME2TransferSS(principal, app, si); - } catch (IOException e) { - throw new CadiException("Error creating DME2TransferSS",e); - } - } - - @Override - public SecuritySetter basicAuthSS(BasicPrincipal principal) throws CadiException { - try { - return new DME2BasicAuth(principal,si); - } catch (IOException e) { - throw new CadiException("Error creating DME2BasicAuth",e); - } - - } - - @Override - public SecuritySetter x509Alias(String alias) throws CadiException { - try { - presetProps(access, alias); - return new DME2x509SS(alias,si); - } catch (Exception e) { - throw new CadiException("Error creating DME2x509SS",e); - } - } - - @Override - public RET best(Retryable retryable) throws LocatorException, CadiException, APIException { - // NOTE: DME2 had Retry Logic embedded lower. - try { - return (retryable.code(rclient(initURI,ss))); - } catch (ConnectException e) { - // DME2 should catch - try { - manager.refresh(); - } catch (Exception e1) { - throw new CadiException(e1); - } - throw new CadiException(e); - } - } - - public static void presetProps(PropAccess access, String alias) throws IOException { - System.setProperty(Config.AFT_DME2_CLIENT_SSL_CERT_ALIAS, alias); - if(System.getProperty(Config.AFT_DME2_CLIENT_IGNORE_SSL_CONFIG)==null) { - access.getDME2Properties(); - } - - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#initURI() - */ - @Override - protected URI initURI() { - return initURI; - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#setInitURI(java.lang.String) - */ - @Override - protected void setInitURI(String uriString) throws CadiException { - try { - initURI = new URI(uriString); - } catch (URISyntaxException e) { - throw new CadiException(e); - } - } -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java deleted file mode 100644 index 5a38b0c..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java +++ /dev/null @@ -1,187 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.io.IOException; -import java.net.HttpURLConnection; -import java.net.URI; -import java.security.GeneralSecurityException; -import java.security.Principal; - -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.Locator; -import org.onap.aaf.cadi.LocatorException; -import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.SecuritySetter; -import org.onap.aaf.cadi.Locator.Item; -import org.onap.aaf.cadi.client.AbsTransferSS; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.client.Retryable; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.config.SecurityInfoC; -import org.onap.aaf.cadi.http.HBasicAuthSS; -import org.onap.aaf.cadi.http.HMangr; -import org.onap.aaf.cadi.http.HRcli; -import org.onap.aaf.cadi.http.HTransferSS; -import org.onap.aaf.cadi.http.HX509SS; -import org.onap.aaf.cadi.principal.BasicPrincipal; - -import org.onap.aaf.inno.env.APIException; - -public class AAFConHttp extends AAFCon { - private final HMangr hman; - - public AAFConHttp(PropAccess access) throws CadiException, GeneralSecurityException, IOException { - super(access,Config.AAF_URL,new SecurityInfoC(access)); - hman = new HMangr(access,Config.loadLocator(access, access.getProperty(Config.AAF_URL,null))); - } - - public AAFConHttp(PropAccess access, String tag) throws CadiException, GeneralSecurityException, IOException { - super(access,tag,new SecurityInfoC(access)); - hman = new HMangr(access,Config.loadLocator(access, access.getProperty(tag,null))); - } - - public AAFConHttp(PropAccess access, String urlTag, SecurityInfoC si) throws CadiException { - super(access,urlTag,si); - hman = new HMangr(access,Config.loadLocator(access, access.getProperty(urlTag,null))); - } - - public AAFConHttp(PropAccess access, Locator locator) throws CadiException, GeneralSecurityException, IOException { - super(access,Config.AAF_URL,new SecurityInfoC(access)); - hman = new HMangr(access,locator); - } - - public AAFConHttp(PropAccess access, Locator locator, SecurityInfoC si) throws CadiException { - super(access,Config.AAF_URL,si); - hman = new HMangr(access,locator); - } - - public AAFConHttp(PropAccess access, Locator locator, SecurityInfoC si, String tag) throws CadiException { - super(access,tag,si); - hman = new HMangr(access, locator); - } - - private AAFConHttp(AAFCon aafcon, String url) { - super(aafcon); - hman = new HMangr(aafcon.access,Config.loadLocator(access, url)); - } - - @Override - public AAFCon clone(String url) { - return new AAFConHttp(this,url); - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#basicAuth(java.lang.String, java.lang.String) - */ - @Override - public SecuritySetter basicAuth(String user, String password) throws CadiException { - if(password.startsWith("enc:???")) { - try { - password = access.decrypt(password, true); - } catch (IOException e) { - throw new CadiException("Error decrypting password",e); - } - } - try { - return new HBasicAuthSS(user,password,si); - } catch (IOException e) { - throw new CadiException("Error creating HBasicAuthSS",e); - } - } - - public SecuritySetter x509Alias(String alias) throws APIException, CadiException { - try { - return set(new HX509SS(alias,si)); - } catch (Exception e) { - throw new CadiException("Error creating X509SS",e); - } - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#rclient(java.net.URI, com.att.cadi.SecuritySetter) - */ - @Override - protected Rcli rclient(URI ignoredURI, SecuritySetter ss) throws CadiException { - if(hman.loc==null) { - throw new CadiException("No Locator set in AAFConHttp"); - } - try { - return new HRcli(hman, hman.loc.best() ,ss); - } catch (Exception e) { - throw new CadiException(e); - } - } - - @Override - public AbsTransferSS transferSS(Principal principal) throws CadiException { - return new HTransferSS(principal, app,si); - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#basicAuthSS(java.security.Principal) - */ - @Override - public SecuritySetter basicAuthSS(BasicPrincipal principal) throws CadiException { - try { - return new HBasicAuthSS(principal,si); - } catch (IOException e) { - throw new CadiException("Error creating HBasicAuthSS",e); - } - } - - public HMangr hman() { - return hman; - } - - @Override - public RET best(Retryable retryable) throws LocatorException, CadiException, APIException { - return hman.best(ss, (Retryable)retryable); - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#initURI() - */ - @Override - protected URI initURI() { - try { - Item item = hman.loc.best(); - if(item!=null) { - return hman.loc.get(item); - } - } catch (LocatorException e) { - access.log(e, "Error in AAFConHttp obtaining initial URI"); - } - return null; - } - - /* (non-Javadoc) - * @see com.att.cadi.aaf.v2_0.AAFCon#setInitURI(java.lang.String) - */ - @Override - protected void setInitURI(String uriString) throws CadiException { - // TODO Auto-generated method stub - - } - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java deleted file mode 100644 index 520d7ab..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java +++ /dev/null @@ -1,221 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.net.ConnectException; -import java.net.URISyntaxException; -import java.security.Principal; -import java.util.Map; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.Permission; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.CachedPrincipal.Resp; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.client.Retryable; -import org.onap.aaf.cadi.lur.LocalPermission; - -import com.att.aft.dme2.api.DME2Exception; -import org.onap.aaf.inno.env.APIException; -import org.onap.aaf.inno.env.util.Split; - -import aaf.v2_0.Perm; -import aaf.v2_0.Perms; - -/** - * Use AAF Service as Permission Service. - * - * This Lur goes after AAF Permissions, which are elements of Roles, not the Roles themselves. - * - * If you want a simple Role Lur, use AAFRoleLur - * - * - */ -public class AAFLurPerm extends AbsAAFLur { - /** - * Need to be able to transmutate a Principal into either ATTUID or MechID, which are the only ones accepted at this - * point by AAF. There is no "domain", aka, no "@att.com" in "ab1234@att.com". - * - * The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid. - * Thus, we validate that the ID portion follows the rules before we waste time accessing AAF remotely - * @throws APIException - * @throws URISyntaxException - * @throws DME2Exception - */ - // Package on purpose - AAFLurPerm(AAFCon con) throws CadiException, DME2Exception, URISyntaxException, APIException { - super(con); - } - - // Package on purpose - AAFLurPerm(AAFCon con, AbsUserCache auc) throws DME2Exception, URISyntaxException, APIException { - super(con,auc); - } - - protected User loadUser(Principal p) { - // Note: The rules for AAF is that it only stores permissions for ATTUID and MechIDs, which don't - // have domains. We are going to make the Transitive Class (see this.transmutative) to convert - Principal principal = transmutate.mutate(p); - if(principal==null)return null; // if not a valid Transmutated credential, don't bother calling... - return loadUser(p, p.getName()); - } - - protected User loadUser(String name) { - return loadUser((Principal)null, name); - } - - private User loadUser(final Principal prin, final String name) { - - //TODO Create a dynamic way to declare domains supported. - final long start = System.nanoTime(); - final boolean[] success = new boolean[]{false}; - -// new Exception("loadUser").printStackTrace(); - try { - return aaf.best(new Retryable>() { - @Override - public User code(Rcli client) throws CadiException, ConnectException, APIException { - Future fp = client.read("/authz/perms/user/"+name,aaf.permsDF); - - // In the meantime, lookup User, create if necessary - User user = getUser(name); - Principal p; - if(prin == null) { - p = new Principal() {// Create a holder for lookups - private String n = name; - public String getName() { - return n; - } - }; - } else { - p = prin; - } - - if(user==null) { - addUser(user = new User(p,aaf.userExpires)); // no password - } - - // OK, done all we can, now get content - if(fp.get(aaf.timeout)) { - success[0]=true; - Map newMap = user.newMap(); - boolean willLog = aaf.access.willLog(Level.DEBUG); - for(Perm perm : fp.value.getPerm()) { - user.add(newMap,new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction())); - if(willLog) { - aaf.access.log(Level.DEBUG, name,"has '",perm.getType(),'|',perm.getInstance(),'|',perm.getAction(),'\''); - } - } - user.setMap(newMap); - user.renewPerm(); - } else { - int code; - switch(code=fp.code()) { - case 401: - aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); - break; - default: - aaf.access.log(Access.Level.ERROR, code, fp.body()); - } - } - - return user; - } - }); - } catch (Exception e) { - aaf.access.log(e,"Calling","/authz/perms/user/"+name); - success[0]=false; - return null; - } finally { - float time = (System.nanoTime()-start)/1000000f; - aaf.access.log(Level.INFO, success[0]?"Loaded":"Load Failure",name,"from AAF in",time,"ms"); - } - } - - public Resp reload(User user) { - final String name = user.principal.getName(); - long start = System.nanoTime(); - boolean success = false; - try { - Future fp = aaf.client(AAFCon.AAF_LATEST_VERSION).read( - "/authz/perms/user/"+name, - aaf.permsDF - ); - - // OK, done all we can, now get content - if(fp.get(aaf.timeout)) { - success = true; - Map newMap = user.newMap(); - boolean willLog = aaf.access.willLog(Level.DEBUG); - for(Perm perm : fp.value.getPerm()) { - user.add(newMap, new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction())); - if(willLog) { - aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction()); - } - } - user.renewPerm(); - return Resp.REVALIDATED; - } else { - int code; - switch(code=fp.code()) { - case 401: - aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); - break; - default: - aaf.access.log(Access.Level.ERROR, code, fp.body()); - } - return Resp.UNVALIDATED; - } - } catch (Exception e) { - aaf.access.log(e,"Calling","/authz/perms/user/"+name); - return Resp.INACCESSIBLE; - } finally { - float time = (System.nanoTime()-start)/1000000f; - aaf.access.log(Level.AUDIT, success?"Reloaded":"Reload Failure",name,"from AAF in",time,"ms"); - } - } - - @Override - protected boolean isCorrectPermType(Permission pond) { - return pond instanceof AAFPermission; - } - - /* (non-Javadoc) - * @see com.att.cadi.Lur#createPerm(java.lang.String) - */ - @Override - public Permission createPerm(String p) { - String[] params = Split.split('|', p); - if(params.length==3) { - return new AAFPermission(params[0],params[1],params[2]); - } else { - return new LocalPermission(p); - } - } - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java deleted file mode 100644 index fb92108..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java +++ /dev/null @@ -1,167 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.io.IOException; -import java.security.Principal; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.CachedPrincipal; -import org.onap.aaf.cadi.GetCred; -import org.onap.aaf.cadi.Hash; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.CachedPrincipal.Resp; -import org.onap.aaf.cadi.Taf.LifeForm; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.principal.BasicPrincipal; -import org.onap.aaf.cadi.principal.CachedBasicPrincipal; -import org.onap.aaf.cadi.taf.HttpTaf; -import org.onap.aaf.cadi.taf.TafResp; -import org.onap.aaf.cadi.taf.TafResp.RESP; -import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp; - -public class AAFTaf extends AbsUserCache implements HttpTaf { -// private static final String INVALID_AUTH_TOKEN = "Invalid Auth Token"; -// private static final String AUTHENTICATING_SERVICE_UNAVAILABLE = "Authenticating Service unavailable"; - private AAFCon aaf; - private boolean warn; - - public AAFTaf(AAFCon con, boolean turnOnWarning) { - super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount); - aaf = con; - warn = turnOnWarning; - } - - public AAFTaf(AAFCon con, boolean turnOnWarning, AbsUserCache other) { - super(other); - aaf = con; - warn = turnOnWarning; - } - - public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { - //TODO Do we allow just anybody to validate? - - // Note: Either Carbon or Silicon based LifeForms ok - String authz = req.getHeader("Authorization"); - if(authz != null && authz.startsWith("Basic ")) { - if(warn&&!req.isSecure())aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel"); - try { - CachedBasicPrincipal bp; - if(req.getUserPrincipal() instanceof CachedBasicPrincipal) { - bp = (CachedBasicPrincipal)req.getUserPrincipal(); - } else { - bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires); - } - // First try Cache - User usr = getUser(bp); - if(usr != null && usr.principal != null) { - if(usr.principal instanceof GetCred) { - if(Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) { - return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false); - } - } - } - - Miss miss = missed(bp.getName()); - if(miss!=null && !miss.mayContinue(bp.getCred())) { - return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, - "User/Pass Retry limit exceeded"), - RESP.FAIL,resp,aaf.getRealm(),true); - } - - Rcli userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.basicAuthSS(bp)); - Future fp = userAAF.read("/authn/basicAuth", "text/plain"); - if(fp.get(aaf.timeout)) { - if(usr!=null) { - usr.principal = bp; - } else { - addUser(new User(bp,aaf.userExpires)); - } - return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false); - } else { - // Note: AddMiss checks for miss==null, and is part of logic - boolean rv= addMiss(bp.getName(),bp.getCred()); - if(rv) { - return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, - "User/Pass combo invalid via AAF"), - RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true); - } else { - return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, - "User/Pass combo invalid via AAF - Retry limit exceeded"), - RESP.FAIL,resp,aaf.getRealm(),true); - } - } - } catch (IOException e) { - String msg = buildMsg(null,req,"Invalid Auth Token"); - aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')'); - return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, aaf.getRealm(),true); - } catch (Exception e) { - String msg = buildMsg(null,req,"Authenticating Service unavailable"); - aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')'); - return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false); - } - } - return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false); - } - - private String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) { - StringBuilder sb = new StringBuilder(); - for(Object s : msg) { - sb.append(s.toString()); - } - if(pr!=null) { - sb.append(" for "); - sb.append(pr.getName()); - } - sb.append(" from "); - sb.append(req.getRemoteAddr()); - sb.append(':'); - sb.append(req.getRemotePort()); - return sb.toString(); - } - - - - public Resp revalidate(CachedPrincipal prin) { - // !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal - if(prin instanceof BasicPrincipal) { - Future fp; - try { - Rcli userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.transferSS(prin)); - fp = userAAF.read("/authn/basicAuth", "text/plain"); - return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED; - } catch (Exception e) { - aaf.access.log(e, "Cannot Revalidate",prin.getName()); - return Resp.INACCESSIBLE; - } - } - return Resp.NOT_MINE; - } - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java deleted file mode 100644 index c7644a5..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java +++ /dev/null @@ -1,116 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import javax.servlet.http.HttpServletRequest ; - -import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.Lur; -import org.onap.aaf.cadi.TrustChecker; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.principal.TrustPrincipal; -import org.onap.aaf.cadi.taf.TafResp; -import org.onap.aaf.cadi.taf.TrustNotTafResp; -import org.onap.aaf.cadi.taf.TrustTafResp; - -import org.onap.aaf.inno.env.Env; -import org.onap.aaf.inno.env.util.Split; - -public class AAFTrustChecker implements TrustChecker { - private final String tag, id; - private final AAFPermission perm; - private Lur lur; - - /** - * - * Instance will be replaced by Identity - * @param lur - * - * @param tag - * @param perm - */ - public AAFTrustChecker(final Env env) { - tag = env.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN); - id = env.getProperty(Config.CADI_ALIAS,env.getProperty(Config.AAF_MECHID)); // share between components - String str = env.getProperty(Config.CADI_TRUST_PERM); - AAFPermission temp=null; - if(str!=null) { - String[] sp = Split.splitTrim('|', str); - if(sp.length==3) { - temp = new AAFPermission(sp[0],sp[1],sp[2]); - } - } - perm=temp; - } - - public AAFTrustChecker(final Access access) { - tag = access.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN); - id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_MECHID,null)); // share between components - String str = access.getProperty(Config.CADI_TRUST_PERM,null); - AAFPermission temp=null; - if(str!=null) { - String[] sp = Split.splitTrim('|', str); - if(sp.length==3) { - temp = new AAFPermission(sp[0],sp[1],sp[2]); - } - } - perm=temp; - } - - /* (non-Javadoc) - * @see com.att.cadi.TrustChecker#setLur(com.att.cadi.Lur) - */ - @Override - public void setLur(Lur lur) { - this.lur = lur; - } - - @Override - public TafResp mayTrust(TafResp tresp, HttpServletRequest req) { - String user_info = req.getHeader(tag); - if(user_info !=null ) { - String[] info = Split.split(',', user_info); - if(info.length>0) { - String[] flds = Split.splitTrim(':',info[0]); - if(flds.length>3 && "AS".equals(flds[3])) { // is it set for "AS" - String pn = tresp.getPrincipal().getName(); - if(pn.equals(id) // We do trust our own App Components: if a trust entry is made with self, always accept - || lur.fish(tresp.getPrincipal(), perm)) { // Have Perm set by Config.CADI_TRUST_PERM - return new TrustTafResp(tresp, - new TrustPrincipal(tresp.getPrincipal(), flds[0]), - " " + flds[0] + " validated using " + flds[2] + " by " + flds[1] + ',' - ); - } else if(pn.equals(flds[0])) { // Ignore if same identity - return tresp; - } else { - return new TrustNotTafResp(tresp, tresp.getPrincipal().getName() + " requested trust as " - + flds[0] + ", but does not have Authorization"); - } - } - } - } - return tresp; - } - -} diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java deleted file mode 100644 index 5bcf527..0000000 --- a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java +++ /dev/null @@ -1,269 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.aaf.v2_0; - -import java.net.URISyntaxException; -import java.security.Principal; -import java.util.ArrayList; -import java.util.Date; -import java.util.List; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.CachingLur; -import org.onap.aaf.cadi.Permission; -import org.onap.aaf.cadi.StrLur; -import org.onap.aaf.cadi.Transmutate; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.aaf.AAFPermission; -import org.onap.aaf.cadi.aaf.AAFTransmutate; -import org.onap.aaf.cadi.config.Config; - -import com.att.aft.dme2.api.DME2Exception; -import org.onap.aaf.inno.env.APIException; -import org.onap.aaf.inno.env.util.Split; - -public abstract class AbsAAFLur extends AbsUserCache implements StrLur, CachingLur { - protected static final byte[] BLANK_PASSWORD = new byte[0]; - protected static final Transmutate transmutate = new AAFTransmutate(); - private String[] debug = null; - public AAFCon aaf; - private String[] supports; - - public AbsAAFLur(AAFCon con) throws DME2Exception, URISyntaxException, APIException { - super(con.access, con.cleanInterval, con.highCount, con.usageRefreshTriggerCount); - aaf = con; - setLur(this); - supports = con.access.getProperty(Config.AAF_DOMAIN_SUPPORT, Config.AAF_DOMAIN_SUPPORT_DEF).split("\\s*:\\s*"); - } - - public AbsAAFLur(AAFCon con, AbsUserCache auc) throws DME2Exception, URISyntaxException, APIException { - super(auc); - aaf = con; - setLur(this); - supports = con.access.getProperty(Config.AAF_DOMAIN_SUPPORT, Config.AAF_DOMAIN_SUPPORT_DEF).split("\\s*:\\s*"); - } - - @Override - public void setDebug(String ids) { - this.debug = ids==null?null:Split.split(',', ids); - } - - protected abstract User loadUser(Principal bait); - protected abstract User loadUser(String name); - public final boolean supports(String userName) { - if(userName!=null) { - for(String s : supports) { - if(userName.endsWith(s)) - return true; - } - } - return false; - } - - protected abstract boolean isCorrectPermType(Permission pond); - - // This is where you build AAF CLient Code. Answer the question "Is principal "bait" in the "pond" - public boolean fish(Principal bait, Permission pond) { - return fish(bait.getName(), pond); - } - - public void fishAll(Principal bait, List perms) { - fishAll(bait.getName(),perms); - } - - // This is where you build AAF CLient Code. Answer the question "Is principal "bait" in the "pond" - public boolean fish(String bait, Permission pond) { - if(isDebug(bait)) { - boolean rv = false; - StringBuilder sb = new StringBuilder("Log for "); - sb.append(bait); - if(supports(bait)) { - User user = getUser(bait); - if(user==null) { - sb.append("\n\tUser is not in Cache"); - } else { - if(user.noPerms())sb.append("\n\tUser has no Perms"); - if(user.permExpired()) { - sb.append("\n\tUser's perm expired ["); - sb.append(new Date(user.permExpires())); - sb.append(']'); - } else { - sb.append("\n\tUser's perm expires ["); - sb.append(new Date(user.permExpires())); - sb.append(']'); - } - } - if(user==null || (user.noPerms() && user.permExpired())) { - user = loadUser(bait); - sb.append("\n\tloadUser called"); - } - if(user==null) { - sb.append("\n\tUser was not Loaded"); - } else if(user.contains(pond)) { - sb.append("\n\tUser contains "); - sb.append(pond.getKey()); - rv = true; - } else { - sb.append("\n\tUser does not contain "); - sb.append(pond.getKey()); - List perms = new ArrayList(); - user.copyPermsTo(perms); - for(Permission p : perms) { - sb.append("\n\t\t"); - sb.append(p.getKey()); - } - } - } else { - sb.append("AAF Lur does not support ["); - sb.append(bait); - sb.append("]"); - } - aaf.access.log(Level.INFO, sb); - return rv; - } else { - if(supports(bait)) { - User user = getUser(bait); - if(user==null || (user.noPerms() && user.permExpired())) { - user = loadUser(bait); - } - return user==null?false:user.contains(pond); - } - return false; - } - } - - public void fishAll(String bait, List perms) { - if(isDebug(bait)) { - StringBuilder sb = new StringBuilder("Log for "); - sb.append(bait); - if(supports(bait)) { - User user = getUser(bait); - if(user==null) { - sb.append("\n\tUser is not in Cache"); - } else { - if(user.noPerms())sb.append("\n\tUser has no Perms"); - if(user.permExpired()) { - sb.append("\n\tUser's perm expired ["); - sb.append(new Date(user.permExpires())); - sb.append(']'); - } else { - sb.append("\n\tUser's perm expires ["); - sb.append(new Date(user.permExpires())); - sb.append(']'); - } - } - if(user==null || (user.noPerms() && user.permExpired())) { - user = loadUser(bait); - sb.append("\n\tloadUser called"); - } - if(user==null) { - sb.append("\n\tUser was not Loaded"); - } else { - sb.append("\n\tCopying Perms "); - user.copyPermsTo(perms); - for(Permission p : perms) { - sb.append("\n\t\t"); - sb.append(p.getKey()); - } - } - } else { - sb.append("AAF Lur does not support ["); - sb.append(bait); - sb.append("]"); - } - aaf.access.log(Level.INFO, sb); - } else { - if(supports(bait)) { - User user = getUser(bait); - if(user==null || (user.noPerms() && user.permExpired())) user = loadUser(bait); - if(user!=null) { - user.copyPermsTo(perms); - } - } - } - } - - @Override - public void remove(String user) { - super.remove(user); - } - - private boolean isDebug(String bait) { - if(debug!=null) { - if(debug.length==1 && "all".equals(debug[0]))return true; - for(String s : debug) { - if(s.equals(bait))return true; - } - } - return false; - } - /** - * This special case minimizes loops, avoids multiple Set hits, and calls all the appropriate Actions found. - * - * @param bait - * @param obj - * @param type - * @param instance - * @param actions - */ - public void fishOneOf(String bait, A obj, String type, String instance, List> actions) { - User user = getUser(bait); - if(user==null || (user.noPerms() && user.permExpired()))user = loadUser(bait); -// return user==null?false:user.contains(pond); - if(user!=null) { - ReuseAAFPermission perm = new ReuseAAFPermission(type,instance); - for(Action action : actions) { - perm.setAction(action.getName()); - if(user.contains(perm)) { - if(action.exec(obj))return; - } - } - } - } - - public static interface Action { - public String getName(); - /** - * Return false to continue, True to end now - * @return - */ - public boolean exec(A a); - } - - private class ReuseAAFPermission extends AAFPermission { - public ReuseAAFPermission(String type, String instance) { - super(type,instance,null); - } - - public void setAction(String s) { - action = s; - } - - /** - * This function understands that AAF Keys are hierarchical, :A:B:C, - * Cassandra follows a similar method, so we'll short circuit and do it more efficiently when there isn't a first hit - * @return - */ - } -} -- cgit 1.2.3-korg