From 4a51a8f96715ffb2a42189b93b9fa91b453b8530 Mon Sep 17 00:00:00 2001 From: sg481n Date: Thu, 3 Aug 2017 17:39:12 -0400 Subject:  [AAF-21] Initial code import MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: Ia1dd196befd061f6ba0c2be6bf4456a30ea50f97 Signed-off-by: sg481n --- .../com/att/cadi/taf/localhost/LocalhostTaf.java | 131 +++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java (limited to 'core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java') diff --git a/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java b/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java new file mode 100644 index 0000000..89500a6 --- /dev/null +++ b/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java @@ -0,0 +1,131 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aai + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * Copyright © 2017 Amdocs + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * ECOMP is a trademark and service mark of AT&T Intellectual Property. + * * + ******************************************************************************/ +package com.att.cadi.taf.localhost; + +import java.net.InetAddress; +import java.net.NetworkInterface; +import java.net.SocketException; +import java.net.UnknownHostException; +import java.util.Enumeration; +import java.util.TreeSet; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import com.att.cadi.Access; +import com.att.cadi.Access.Level; +import com.att.cadi.CachedPrincipal; +import com.att.cadi.CachedPrincipal.Resp; +import com.att.cadi.Taf; +import com.att.cadi.taf.HttpTaf; +import com.att.cadi.taf.TafResp; +import com.att.cadi.taf.TafResp.RESP; + +/** + * Implement the ability to utilize LocalHost as a TAF. + * + * Configure with two properties, + * localhost.deny + * localhost.accept + * + * 1) If localhost.deny==true, then no localhost requests are allowed + * 2) If localhost.deny==false, but accept==false, return "Try Another TAF" (i.e. allow further checking of the + * chain, but don't treat localhost as an acceptable credential) + * 3) If localhost.deny=false and accept=true, then the processes coming from the same machine, given logins are needed, + * to run, are treated as validated. This is primarily for Developer purposes. + * + * + * + */ +public class LocalhostTaf implements HttpTaf { + private TafResp isLocalHost,isNotLocalHost; + private static final TreeSet addrSet; + + static { + addrSet = new TreeSet(); + try { + for(Enumeration en = NetworkInterface.getNetworkInterfaces();en.hasMoreElements();) { + NetworkInterface ni = en.nextElement(); + for(Enumeration eia = ni.getInetAddresses();eia.hasMoreElements();) { + InetAddress ia = eia.nextElement(); + addrSet.add(ia.getHostAddress()); + } + } + } catch (SocketException e) { + } + + } + + public LocalhostTaf(Access access, boolean accept, boolean isDenied) { + String hostname = access.getProperty("hostname",null); + if(hostname !=null) { + try { + addrSet.add(InetAddress.getByName(hostname).getHostAddress()); + } catch (UnknownHostException e) { + access.log(e,"Unknown Host"); + } + } + + if(isDenied) { + access.log(Level.INFO,"LocalhostTaf will deny all localhost traffic"); + } else { + access.log(Level.INFO,"LocalhostTaf will not deny localhost requests, ", + (accept?"and will treat them as authenticated":"but will require other authentication")); + } + // Set the appropriate behavior for when ID coming in is from localhost + isLocalHost = isDenied? + new LocalhostTafResp(access, RESP.NO_FURTHER_PROCESSING,"Localhost is denied"): + accept? + new LocalhostTafResp(access, RESP.IS_AUTHENTICATED,"Localhost is allowed"): + new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Localhost is allowed"); + isNotLocalHost = new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Address is not Localhost"); + } + +// @Override + public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + String remote = req.getRemoteAddr(); + return addrSet.contains(remote) + ?isLocalHost + :isNotLocalHost; + } + + /** + * This function used for other TAFs (i.e. CSP, which can't work on localhost address) + * + * @param address + * @return + */ + public static boolean isLocalAddress(String address) { + return addrSet.contains(address); + } + + public String toString() { + return "Localhost TAF activated: " + isLocalHost.desc(); + } + + public Resp revalidate(CachedPrincipal prin) { + // shouldn't get here, since there's no need to Cache, but if so, LocalHost is always valid... + return Resp.REVALIDATED; + } +} -- cgit 1.2.3-korg