From 4a51a8f96715ffb2a42189b93b9fa91b453b8530 Mon Sep 17 00:00:00 2001 From: sg481n Date: Thu, 3 Aug 2017 17:39:12 -0400 Subject:  [AAF-21] Initial code import MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: Ia1dd196befd061f6ba0c2be6bf4456a30ea50f97 Signed-off-by: sg481n --- .../java/com/att/cadi/lur/ConfigPrincipal.java | 71 ++++++++ core/src/main/java/com/att/cadi/lur/EpiLur.java | 168 +++++++++++++++++ core/src/main/java/com/att/cadi/lur/LocalLur.java | 202 +++++++++++++++++++++ .../java/com/att/cadi/lur/LocalPermission.java | 52 ++++++ core/src/main/java/com/att/cadi/lur/NullLur.java | 89 +++++++++ 5 files changed, 582 insertions(+) create mode 100644 core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java create mode 100644 core/src/main/java/com/att/cadi/lur/EpiLur.java create mode 100644 core/src/main/java/com/att/cadi/lur/LocalLur.java create mode 100644 core/src/main/java/com/att/cadi/lur/LocalPermission.java create mode 100644 core/src/main/java/com/att/cadi/lur/NullLur.java (limited to 'core/src/main/java/com/att/cadi/lur') diff --git a/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java b/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java new file mode 100644 index 0000000..03a7961 --- /dev/null +++ b/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java @@ -0,0 +1,71 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aai + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * Copyright © 2017 Amdocs + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * ECOMP is a trademark and service mark of AT&T Intellectual Property. + * * + ******************************************************************************/ +package com.att.cadi.lur; + +import java.io.IOException; +import java.security.Principal; + +import com.att.cadi.GetCred; +import com.att.cadi.Symm; + +public class ConfigPrincipal implements Principal, GetCred { + private String name; + private byte[] cred; + private String content; + + public ConfigPrincipal(String name, String passwd) { + this.name = name; + this.cred = passwd.getBytes(); + content = null; + } + + public ConfigPrincipal(String name, byte[] cred) { + this.name = name; + this.cred = cred; + content = null; + } + + public String getName() { + return name; + } + + public byte[] getCred() { + return cred; + } + + public String toString() { + return name; + } + + public String getAsBasicAuthHeader() throws IOException { + if(content ==null) { + String s = name + ':' + new String(cred); + content = "Basic " + Symm.base64.encode(s); + } else if(!content.startsWith("Basic ")) { // content is the saved password from construction + String s = name + ':' + content; + content = "Basic " + Symm.base64.encode(s); + } + return content; + } +} diff --git a/core/src/main/java/com/att/cadi/lur/EpiLur.java b/core/src/main/java/com/att/cadi/lur/EpiLur.java new file mode 100644 index 0000000..de6c057 --- /dev/null +++ b/core/src/main/java/com/att/cadi/lur/EpiLur.java @@ -0,0 +1,168 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aai + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * Copyright © 2017 Amdocs + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * ECOMP is a trademark and service mark of AT&T Intellectual Property. + * * + ******************************************************************************/ +package com.att.cadi.lur; + +import java.security.Principal; +import java.util.List; + +import com.att.cadi.CachingLur; +import com.att.cadi.CadiException; +import com.att.cadi.CredVal; +import com.att.cadi.Lur; +import com.att.cadi.Permission; + +/** + * EpiLUR + * + * Short for "Epic LUR". Be able to run through a series of LURs to obtain the validation needed. + * + * The pun is better for the other pattern... "TAF" (aka EpiTaf), but it's still the larger picture of + * LURs that will be accomplished. + * + * FYI, the reason we separate LURs, rather than combine, is that Various User Repository Resources have + * different Caching requirements. For instance, the Local User Repo (with stand alone names), never expire, but might be + * refreshed with a change in Configuration File, while the Remote Service based LURs will need to expire at prescribed intervals + * + * + */ +public final class EpiLur implements Lur { + private final Lur[] lurs; + + /** + * EpiLur constructor + * + * Construct the EpiLur from variable TAF parameters + * @param lurs + * @throws CadiException + */ + public EpiLur(Lur ... lurs) throws CadiException{ + this.lurs = lurs; + if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor"); + } + + public boolean fish(Principal bait, Permission pond) { + if(pond==null) { + return false; + } + boolean rv = false; + Lur lur; + for(int i=0;!rv && i permissions) { + for(Lur lur : lurs) { + lur.fishAll(bait, permissions); + } + } + + public void destroy() { + for(Lur lur : lurs) { + lur.destroy(); + } + } + + /** + * Return the first Lur (if any) which also implements UserPass + * @return + */ + public CredVal getUserPassImpl() { + for(Lur lur : lurs) { + if(lur instanceof CredVal) { + return (CredVal)lur; + } + } + return null; + } + + // Never needed... Only EpiLur uses... + public boolean handlesExclusively(Permission pond) { + return false; + } + + /** + * Get Lur for index. Returns null if out of range + * @param idx + * @return + */ + public Lur get(int idx) { + if(idx>=0 && idx)l).remove(id); + } + } + } + + public Lur subLur(Class cls ) { + for(Lur l : lurs) { + if(l.getClass().isAssignableFrom(cls)) { + return l; + } + } + return null; + } + + @Override + public Permission createPerm(String p) { + return new LocalPermission(p); + } + + /* (non-Javadoc) + * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder) + */ + @Override + public void clear(Principal p, StringBuilder report) { + for(Lur lur : lurs) { + lur.clear(p, report); + } + } + + public String toString() { + StringBuilder sb = new StringBuilder(); + for(Lur lur : lurs) { + sb.append(lur.getClass().getSimpleName()); + sb.append(": Report\n"); + sb.append(lur.toString()); + sb.append('\n'); + } + return sb.toString(); + } +} diff --git a/core/src/main/java/com/att/cadi/lur/LocalLur.java b/core/src/main/java/com/att/cadi/lur/LocalLur.java new file mode 100644 index 0000000..80b302a --- /dev/null +++ b/core/src/main/java/com/att/cadi/lur/LocalLur.java @@ -0,0 +1,202 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aai + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * Copyright © 2017 Amdocs + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * ECOMP is a trademark and service mark of AT&T Intellectual Property. + * * + ******************************************************************************/ +package com.att.cadi.lur; + +import java.io.IOException; +import java.security.Principal; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.TreeSet; + +import com.att.cadi.AbsUserCache; +import com.att.cadi.Access; +import com.att.cadi.Access.Level; +import com.att.cadi.CredVal; +import com.att.cadi.Hash; +import com.att.cadi.Permission; +import com.att.cadi.StrLur; +import com.att.cadi.User; +import com.att.cadi.config.Config; + + +/** + * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms. + * + * + */ +public final class LocalLur extends AbsUserCache implements StrLur, CredVal { + public static final String SEMI = "\\s*;\\s*"; + public static final String COLON = "\\s*:\\s*"; + public static final String COMMA = "\\s*,\\s*"; + public static final String PERCENT = "\\s*%\\s*"; + + // Use to quickly determine whether any given group is supported by this LUR + private final Set supportingGroups; + private String supportedRealm; + + /** + * Construct by building structure, see "build" + * + * Reconstruct with "build" + * + * @param userProperty + * @param groupProperty + * @param decryptor + * @throws IOException + */ + public LocalLur(Access access, String userProperty, String groupProperty) throws IOException { + super(access, 0, 0, Integer.MAX_VALUE); // data doesn't expire + supportedRealm = access.getProperty(Config.BASIC_REALM, "localized"); + supportingGroups = new TreeSet(); + + if(userProperty!=null) { + // For each User name... + for(String user : userProperty.trim().split(SEMI)) { + String[] us = user.split(COLON,2); + String[] userpass = us[0].split(PERCENT,2); + String u; + User usr; + if(userpass.length>1) { + if(userpass.length>0 && userpass[0].indexOf('@')<0) { + userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm()); + } + + u = userpass[0]; + byte[] pass = access.decrypt(userpass[1], true).getBytes(); + usr = new User(new ConfigPrincipal(u, pass)); + } else { + u = us[0]; + usr = new User(new ConfigPrincipal(u, (byte[])null)); + } + addUser(usr); + access.log(Level.INIT, "Local User:",usr.principal); + + if(us.length>1) { + Map newMap = usr.newMap(); + for(String group : us[1].split(COMMA)) { + supportingGroups.add(group); + usr.add(newMap,new LocalPermission(group)); + } + usr.setMap(newMap); + } + } + } + if(groupProperty!=null) { + // For each Group name... + for(String group : groupProperty.trim().split(SEMI)) { + String[] gs = group.split(COLON,2); + if(gs.length>1) { + supportingGroups.add(gs[0]); + LocalPermission p = new LocalPermission(gs[0]); + // Add all users (known by comma separators) + + for(String grpMem : gs[1].split(COMMA)) { + // look for password, if so, put in passMap + String[] userpass = grpMem.split(PERCENT,2); + if(userpass.length>0 && userpass[0].indexOf('@')<0) { + userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm()); + } + User usr = getUser(userpass[0]); + if(userpass.length>1) { + byte[] pass = access.decrypt(userpass[1], true).getBytes(); + if(usr==null)addUser(usr=new User(new ConfigPrincipal(userpass[0],pass))); + else usr.principal=new ConfigPrincipal(userpass[0],pass); + } else { + if(usr==null)addUser(usr=new User(new ConfigPrincipal(userpass[0],(byte[])null))); + } + usr.add(p); + access.log(Level.INIT, "Local User:",usr.principal); + } + } + } + } + } + + public boolean validate(String user, CredVal.Type type, byte[] cred) { + User usr = getUser(user); + switch(type) { + case PASSWORD: + // covers null as well as bad pass + if(usr!=null && cred!=null && usr.principal instanceof ConfigPrincipal) { + return Hash.isEqual(cred,((ConfigPrincipal)usr.principal).getCred()); + } + break; + } + return false; + } + + // @Override + public boolean fish(Principal bait, Permission pond) { + if(supports(bait.getName()) && pond instanceof LocalPermission) { // local Users only have LocalPermissions + User user = getUser(bait); + return user==null?false:user.contains((LocalPermission)pond); + } + return false; + } + + public boolean fish(String bait, Permission pond) { + if(supports(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions + User user = getUser(bait); + return user==null?false:user.contains((LocalPermission)pond); + } + return false; + } + + // We do not want to expose the actual Group, so make a copy. + public void fishAll(Principal bait, List perms) { + if(supports(bait.getName())) { + User user = getUser(bait); + if(user!=null) { + user.copyPermsTo(perms); + } + } + } + + public void fishAll(String bait, List perms) { + if(supports(bait)) { + User user = getUser(bait); + if(user!=null) { + user.copyPermsTo(perms); + } + } + } + + public boolean supports(String userName) { + return userName!=null && userName.endsWith(supportedRealm); + } + + public boolean handlesExclusively(Permission pond) { + return supportingGroups.contains(pond.getKey()); + } + + /* (non-Javadoc) + * @see com.att.cadi.Lur#createPerm(java.lang.String) + */ + @Override + public Permission createPerm(String p) { + return new LocalPermission(p); + } + +} diff --git a/core/src/main/java/com/att/cadi/lur/LocalPermission.java b/core/src/main/java/com/att/cadi/lur/LocalPermission.java new file mode 100644 index 0000000..8fdaec2 --- /dev/null +++ b/core/src/main/java/com/att/cadi/lur/LocalPermission.java @@ -0,0 +1,52 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aai + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * Copyright © 2017 Amdocs + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * ECOMP is a trademark and service mark of AT&T Intellectual Property. + * * + ******************************************************************************/ +package com.att.cadi.lur; + +import com.att.cadi.Permission; + +public class LocalPermission implements Permission { + private String key; + + public LocalPermission(String role) { + this.key = role; + } + + public String getKey() { + return key; + } + + public String toString() { + return key; + } + + public boolean match(Permission p) { + return key.equals(p.getKey()); + } + + public String permType() { + return "LOCAL"; + } + + +} diff --git a/core/src/main/java/com/att/cadi/lur/NullLur.java b/core/src/main/java/com/att/cadi/lur/NullLur.java new file mode 100644 index 0000000..91fb7bb --- /dev/null +++ b/core/src/main/java/com/att/cadi/lur/NullLur.java @@ -0,0 +1,89 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aai + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * Copyright © 2017 Amdocs + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * ECOMP is a trademark and service mark of AT&T Intellectual Property. + * * + ******************************************************************************/ +package com.att.cadi.lur; + +import java.security.Principal; +import java.util.List; + +import com.att.cadi.Lur; +import com.att.cadi.Permission; + +public class NullLur implements Lur { + private static final Permission NULL = new Permission() { + @Override + public String permType() { + return ""; + } + + @Override + public String getKey() { + return ""; + } + + @Override + public boolean match(Permission p) { + return false; + }}; + + public boolean fish(Principal bait, Permission pond) { + // Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own +// System.err.println("CADI's LUR has not been configured, but is still being called. Access is being denied"); + return false; + } + + public void fishAll(Principal bait, List permissions) { + } + + public void destroy() { + } + + public boolean handlesExclusively(Permission pond) { + return false; + } + + public boolean supports(String userName) { + return false; + } + + /* (non-Javadoc) + * @see com.att.cadi.Lur#createPerm(java.lang.String) + */ + @Override + public Permission createPerm(String p) { + return NULL; + } + + /* (non-Javadoc) + * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder) + */ + @Override + public void clear(Principal p, StringBuilder report) { + report.append(NullLur.class.getSimpleName()); + report.append('\n'); + } + + public String toString() { + return NullLur.class.getSimpleName() + '\n'; + } +} -- cgit 1.2.3-korg