From 6d469611d86642bc0b74ce51af72cc36d2af962d Mon Sep 17 00:00:00 2001
From: Instrumental
Date: Mon, 26 Mar 2018 12:04:27 -0700
Subject: Remove Code from cadi, it is now in authz

Issue-ID: AAF-193
Change-Id: Ib7abdb15ba8a7445a3875cf8c6bb48b7d563f424
Signed-off-by: Instrumental --- core/src/main/java/org/onap/aaf/cadi/AES.java | 127 ---- .../java/org/onap/aaf/cadi/AbsCachedPrincipal.java | 33 - .../main/java/org/onap/aaf/cadi/AbsUserCache.java | 408 ----------- core/src/main/java/org/onap/aaf/cadi/Access.java | 172 ----- .../src/main/java/org/onap/aaf/cadi/BasicCred.java | 36 - .../java/org/onap/aaf/cadi/BufferedCadiWrap.java | 80 -- .../onap/aaf/cadi/BufferedServletInputStream.java | 214 ------ .../java/org/onap/aaf/cadi/CachedPrincipal.java | 47 -- .../main/java/org/onap/aaf/cadi/CachingLur.java | 35 - .../main/java/org/onap/aaf/cadi/CadiException.java | 50 -- core/src/main/java/org/onap/aaf/cadi/CadiWrap.java | 193 ----- .../src/main/java/org/onap/aaf/cadi/Capacitor.java | 240 ------ core/src/main/java/org/onap/aaf/cadi/CmdLine.java | 356 --------- .../src/main/java/org/onap/aaf/cadi/Connector.java | 27 - core/src/main/java/org/onap/aaf/cadi/CredVal.java | 42 -- core/src/main/java/org/onap/aaf/cadi/GetCred.java | 27 - core/src/main/java/org/onap/aaf/cadi/Hash.java | 202 ----- core/src/main/java/org/onap/aaf/cadi/Locator.java | 36 - .../java/org/onap/aaf/cadi/LocatorException.java | 47 -- core/src/main/java/org/onap/aaf/cadi/Lur.java | 94 --- .../main/java/org/onap/aaf/cadi/Permission.java | 29 - .../main/java/org/onap/aaf/cadi/PropAccess.java | 321 -------- .../main/java/org/onap/aaf/cadi/Revalidator.java | 35 - .../main/java/org/onap/aaf/cadi/SLF4JAccess.java | 100 --- .../java/org/onap/aaf/cadi/SecuritySetter.java | 44 -- .../org/onap/aaf/cadi/ServletContextAccess.java | 69 -- core/src/main/java/org/onap/aaf/cadi/StrLur.java | 56 -- core/src/main/java/org/onap/aaf/cadi/Symm.java | 811 -------------------- core/src/main/java/org/onap/aaf/cadi/Taf.java | 57 -- .../main/java/org/onap/aaf/cadi/Transmutate.java | 45 -- .../main/java/org/onap/aaf/cadi/TrustChecker.java | 53 -- core/src/main/java/org/onap/aaf/cadi/User.java | 144 ---- .../src/main/java/org/onap/aaf/cadi/UserChain.java | 43 -- 
.../main/java/org/onap/aaf/cadi/config/Config.java | 815 --------------------- .../main/java/org/onap/aaf/cadi/config/Get.java | 97 --- .../java/org/onap/aaf/cadi/config/GetAccess.java | 63 -- .../java/org/onap/aaf/cadi/config/MultiGet.java | 43 -- .../org/onap/aaf/cadi/config/SecurityInfo.java | 243 ------ .../org/onap/aaf/cadi/config/SecurityInfoC.java | 44 -- .../java/org/onap/aaf/cadi/config/UsersDump.java | 158 ---- .../main/java/org/onap/aaf/cadi/filter/AUTHZ.java | 37 - .../org/onap/aaf/cadi/filter/AUTHZServlet.java | 100 --- .../org/onap/aaf/cadi/filter/AccessGetter.java | 37 - .../java/org/onap/aaf/cadi/filter/CadiAccess.java | 243 ------ .../java/org/onap/aaf/cadi/filter/CadiFilter.java | 305 -------- .../org/onap/aaf/cadi/filter/CadiHTTPManip.java | 227 ------ .../main/java/org/onap/aaf/cadi/filter/FCGet.java | 77 -- .../org/onap/aaf/cadi/filter/MapPermConverter.java | 55 -- .../onap/aaf/cadi/filter/NullPermConverter.java | 43 -- .../java/org/onap/aaf/cadi/filter/PathFilter.java | 183 ----- .../org/onap/aaf/cadi/filter/PermConverter.java | 32 - .../org/onap/aaf/cadi/filter/RolesAllowed.java | 55 -- .../java/org/onap/aaf/cadi/filter/ServletImpl.java | 55 -- .../org/onap/aaf/cadi/lur/ConfigPrincipal.java | 70 -- .../main/java/org/onap/aaf/cadi/lur/EpiLur.java | 167 ----- .../main/java/org/onap/aaf/cadi/lur/LocalLur.java | 201 ----- .../org/onap/aaf/cadi/lur/LocalPermission.java | 51 -- .../main/java/org/onap/aaf/cadi/lur/NullLur.java | 88 --- .../onap/aaf/cadi/principal/BasicPrincipal.java | 117 --- .../onap/aaf/cadi/principal/BearerPrincipal.java | 36 - .../onap/aaf/cadi/principal/CSPPrincipal_T.java | 33 - .../aaf/cadi/principal/CachedBasicPrincipal.java | 65 -- .../onap/aaf/cadi/principal/TGuardPrincipal.java | 80 -- .../onap/aaf/cadi/principal/TGuardPrincipal_T.java | 33 - .../onap/aaf/cadi/principal/TrustPrincipal.java | 67 -- .../org/onap/aaf/cadi/principal/X509Principal.java | 92 --- .../java/org/onap/aaf/cadi/taf/AbsTafResp.java | 116 --- 
.../main/java/org/onap/aaf/cadi/taf/EpiTaf.java | 84 --- .../java/org/onap/aaf/cadi/taf/HttpEpiTaf.java | 185 ----- .../main/java/org/onap/aaf/cadi/taf/HttpTaf.java | 60 -- .../org/onap/aaf/cadi/taf/LoginPageTafResp.java | 87 --- .../main/java/org/onap/aaf/cadi/taf/NullTaf.java | 64 -- .../java/org/onap/aaf/cadi/taf/NullTafResp.java | 73 -- .../java/org/onap/aaf/cadi/taf/PuntTafResp.java | 71 -- .../java/org/onap/aaf/cadi/taf/Redirectable.java | 32 - .../main/java/org/onap/aaf/cadi/taf/TafResp.java | 94 --- .../org/onap/aaf/cadi/taf/TrustNotTafResp.java | 77 -- .../java/org/onap/aaf/cadi/taf/TrustTafResp.java | 79 -- .../org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java | 159 ---- .../onap/aaf/cadi/taf/basic/BasicHttpTafResp.java | 63 -- .../org/onap/aaf/cadi/taf/cert/CertIdentity.java | 46 -- .../onap/aaf/cadi/taf/cert/X509HttpTafResp.java | 52 -- .../java/org/onap/aaf/cadi/taf/cert/X509Taf.java | 257 ------- .../onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java | 370 ---------- .../aaf/cadi/taf/dos/DenialOfServiceTafResp.java | 48 -- .../onap/aaf/cadi/taf/localhost/LocalhostTaf.java | 130 ---- .../aaf/cadi/taf/localhost/LocalhostTafResp.java | 81 -- .../main/java/org/onap/aaf/cadi/util/Chmod.java | 63 -- .../org/onap/aaf/cadi/util/JsonOutputStream.java | 90 --- .../onap/aaf/cadi/util/MaskFormatException.java | 32 - .../java/org/onap/aaf/cadi/util/MyConsole.java | 29 - .../main/java/org/onap/aaf/cadi/util/NetMask.java | 100 --- .../main/java/org/onap/aaf/cadi/util/Split.java | 91 --- .../org/onap/aaf/cadi/util/SubStandardConsole.java | 63 -- .../java/org/onap/aaf/cadi/util/TheConsole.java | 48 -- .../org/onap/aaf/cadi/util/UserChainManip.java | 78 -- .../src/main/java/org/onap/aaf/cadi/util/Vars.java | 121 --- .../main/java/org/onap/aaf/cadi/wsse/Action.java | 37 - .../main/java/org/onap/aaf/cadi/wsse/Match.java | 130 ---- .../java/org/onap/aaf/cadi/wsse/WSSEParser.java | 86 --- .../main/java/org/onap/aaf/cadi/wsse/XEvent.java | 135 ---- 
.../main/java/org/onap/aaf/cadi/wsse/XReader.java | 416 ----------- 102 files changed, 12032 deletions(-) delete mode 100644 core/src/main/java/org/onap/aaf/cadi/AES.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/AbsCachedPrincipal.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Access.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/BasicCred.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/BufferedCadiWrap.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/CachedPrincipal.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/CachingLur.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/CadiException.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/CadiWrap.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Capacitor.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/CmdLine.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Connector.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/CredVal.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/GetCred.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Hash.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Locator.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/LocatorException.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Lur.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Permission.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/PropAccess.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Revalidator.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/SLF4JAccess.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java delete mode 100644 core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java 
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/StrLur.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Symm.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Taf.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/Transmutate.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/TrustChecker.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/User.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/UserChain.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/config/Config.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/config/Get.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/AUTHZ.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/CadiAccess.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/CSPPrincipal_T.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal_T.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/Chmod.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/MaskFormatException.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/MyConsole.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/NetMask.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/Split.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/util/Vars.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/Action.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/Match.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java
delete mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java
(limited to 'core/src/main/java/org/onap/aaf/cadi')
diff --git a/core/src/main/java/org/onap/aaf/cadi/AES.java b/core/src/main/java/org/onap/aaf/cadi/AES.java
deleted file mode 100644
index 515fc27..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/AES.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-
-import javax.crypto.BadPaddingException;
-import javax.crypto.Cipher;
-import javax.crypto.CipherInputStream;
-import javax.crypto.CipherOutputStream;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.KeyGenerator;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import org.onap.aaf.cadi.util.Chmod;
-
-public class AES {
- public static final String AES = AES.class.getSimpleName();
- public static final int AES_KEY_SIZE = 128; // 256 isn't supported on all JDKs.
-
- private Cipher aesCipher;
- private SecretKeySpec aeskeySpec;
-
- public AES() throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
- aesCipher = Cipher.getInstance(AES);
- aeskeySpec = new SecretKeySpec(newKey().getEncoded(), AES);
- }
-
- public static SecretKey newKey() throws NoSuchAlgorithmException {
- KeyGenerator kgen = KeyGenerator.getInstance(AES);
- kgen.init(AES_KEY_SIZE);
- return kgen.generateKey();
- }
-
- public AES(File keyfile) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
- aesCipher = Cipher.getInstance(AES);
- byte[] aesKey = new byte[AES_KEY_SIZE/8];
- FileInputStream fis = new FileInputStream(keyfile);
- try {
- fis.read(aesKey);
- } finally {
- fis.close();
- }
- aeskeySpec = new SecretKeySpec(aesKey,AES);
- }
-
- public AES(byte[] aeskey, int offset, int len) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
- aesCipher = Cipher.getInstance(AES);
- aeskeySpec = new SecretKeySpec(aeskey,offset,len,AES);
- }
-
- public byte[] encrypt(byte[] in) throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
- aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
- return aesCipher.doFinal(in);
- }
-
- public byte[] decrypt(byte[] in) throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
- aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec);
- return aesCipher.doFinal(in);
- }
-
- public void save(File keyfile) throws IOException {
- FileOutputStream fis = new FileOutputStream(keyfile);
- try {
- fis.write(aeskeySpec.getEncoded());
- } finally {
- fis.close();
- }
- Chmod.to400.chmod(keyfile);
- }
-
- public CipherOutputStream outputStream(OutputStream os, boolean encrypt) {
- try {
- if(encrypt) {
- aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
- } else {
- aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec);
- }
- } catch (InvalidKeyException e) {
- // KeySpec created earlier... no chance being wrong.
- }
- return new CipherOutputStream(os,aesCipher);
- }
-
- public CipherInputStream inputStream(InputStream is, boolean encrypt) {
- try {
- if(encrypt) {
- aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
- } else {
- aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec);
- }
- } catch (InvalidKeyException e) {
- // KeySpec created earlier... no chance being wrong.
- }
-
- return new CipherInputStream(is,aesCipher);
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/AbsCachedPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/AbsCachedPrincipal.java
deleted file mode 100644
index ceb6ca3..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/AbsCachedPrincipal.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-
-public abstract class AbsCachedPrincipal implements CachedPrincipal {
- protected TAF taf;
-
- protected AbsCachedPrincipal(TAF taf) {
- this.taf = taf;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java b/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java
deleted file mode 100644
index 1846793..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java
+++ /dev/null
@@ -1,408 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi; - - -import java.security.Principal; -import java.util.ArrayList; -import java.util.List; -import java.util.Map; -import java.util.Timer; -import java.util.TimerTask; -import java.util.TreeMap; -import java.util.concurrent.ConcurrentHashMap; - -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.CachedPrincipal.Resp; - -/** - * Implement Fast lookup and Cache for Local User Info - * - * Include ability to add and remove Users - * - * Also includes a Timer Thread (when necessary) to invoke cleanup on expiring Credentials - * - * - */ -public abstract class AbsUserCache { - static final int MIN_INTERVAL = 15000; - static final int MAX_INTERVAL = 1000*60*5; // 5 mins - private static Timer timer; - // Map of userName to User - private final Map> userMap; - private final Map missMap; - private Clean clean; - protected Access access; -// private final static Permission teaser = new LocalPermission("***NoPERM****"); - - protected AbsUserCache(Access access, long cleanInterval, int highCount, int usageCount) { - this.access = access; - userMap = new ConcurrentHashMap>(); - missMap = new TreeMap(); - if(cleanInterval>0) { - cleanInterval = Math.max(MIN_INTERVAL, cleanInterval); - synchronized(AbsUserCache.class) { // Lazy instantiate.. 
in case there is no cleanup needed - if(timer==null) { - timer = new Timer("CADI Cleanup Timer",true); - } - - timer.schedule(clean = new Clean(access, cleanInterval, highCount, usageCount), cleanInterval, cleanInterval); - access.log(Access.Level.INIT, "Cleaning Thread initialized with interval of",cleanInterval, "ms and max objects of", highCount); - } - } - } - - @SuppressWarnings("unchecked") - public AbsUserCache(AbsUserCache cache) { - this.access = cache.access; - userMap = cache.userMap; - missMap = cache.missMap; - synchronized(AbsUserCache.class) { - if(cache.clean!=null && cache.clean.lur==null && this instanceof CachingLur) { - cache.clean.lur=(CachingLur)this; - } - } - } - - protected void setLur(CachingLur lur) { - if(clean!=null)clean.lur = lur; - - } - - protected void addUser(User user) { - userMap.put(user.principal.getName(), user); - } - - // Useful for looking up by WebToken, etc. - protected void addUser(String key, User user) { - userMap.put(key, user); - } - - /** - * Add miss to missMap. If Miss exists, or too many tries, returns false. - * - * otherwise, returns true to allow another attempt. 
- * - * @param key - * @param bs - * @return - */ - protected boolean addMiss(String key, byte[] bs) { - Miss miss = missMap.get(key); - if(miss==null) { - synchronized(missMap) { - missMap.put(key, new Miss(bs,clean==null?MIN_INTERVAL:clean.timeInterval)); - } - return true; - } - return miss.add(bs); - } - - protected Miss missed(String key) { - return missMap.get(key); - } - - protected User getUser(String userName) { - User u = userMap.get(userName); - if(u!=null) { - u.incCount(); - } - return u; - } - - protected User getUser(Principal principal) { - return getUser(principal.getName()); - } - - /** - * Removes User from the Cache - * @param user - */ - protected void remove(User user) { - userMap.remove(user.principal.getName()); - } - - /** - * Removes user from the Cache - * - * @param user - */ - public void remove(String user) { - Object o = userMap.remove(user); - if(o!=null) { - access.log(Level.INFO, user,"removed from Client Cache by Request"); - } - } - - /** - * Clear all users from the Client Cache - */ - public void clearAll() { - userMap.clear(); - } - - public final List dumpInfo() { - List rv = new ArrayList(); - for(User user : userMap.values()) { - rv.add(new DumpInfo(user)); - } - return rv; - } - - /** - * The default behavior of a LUR is to not handle something exclusively. - */ - public boolean handlesExclusively(Permission pond) { - return false; - } - - /** - * Container calls when cleaning up... 
- * - * If overloading in Derived class, be sure to call "super.destroy()" - */ - public void destroy() { - if(timer!=null) { - timer.purge(); - timer.cancel(); - } - } - - - - // Simple map of Group name to a set of User Names - // private Map> groupMap = new HashMap>(); - - /** - * Class to hold a small subset of the data, because we don't want to expose actual Permission or User Objects - */ - public final class DumpInfo { - public String user; - public List perms; - - public DumpInfo(User user) { - this.user = user.principal.getName(); - perms = new ArrayList(user.perms.keySet()); - } - } - - /** - * Clean will examine resources, and remove those that have expired. - * - * If "highs" have been exceeded, then we'll expire 10% more the next time. This will adjust after each run - * without checking contents more than once, making a good average "high" in the minimum speed. - * - * - */ - private final class Clean extends TimerTask { - private final Access access; - private CachingLur lur; - - // The idea here is to not be too restrictive on a high, but to Expire more items by - // shortening the time to expire. This is done by judiciously incrementing "advance" - // when the "highs" are exceeded. This effectively reduces numbers of cached items quickly. - private final int high; - private long advance; - private final long timeInterval; - private final int usageTriggerCount; - - public Clean(Access access, long cleanInterval, int highCount, int usageTriggerCount) { - this.access = access; - lur = null; - high = highCount; - timeInterval = cleanInterval; - advance = 0; - this.usageTriggerCount=usageTriggerCount; - } - public void run() { - int renewed = 0; - int count = 0; - int total = 0; - try { - // look at now. 
If we need to expire more by increasing "now" by "advance" - ArrayList> al = new ArrayList>(userMap.values().size()); - al.addAll(0, userMap.values()); - long now = System.currentTimeMillis() + advance; - for(User user : al) { - ++total; - if(user.count>usageTriggerCount) { - // access.log(Level.AUDIT, "Checking Thread", new Date(now)); - boolean touched = false, removed=false; - if(user.principal instanceof CachedPrincipal) { - CachedPrincipal cp = (CachedPrincipal)user.principal; - if(cp.expires() < now) { - switch(cp.revalidate()) { - case INACCESSIBLE: - access.log(Level.AUDIT, "AAF Inaccessible. Keeping credentials"); - break; - case REVALIDATED: - user.resetCount(); - // access.log(Level.AUDIT, "CACHE revalidated credentials"); - touched = true; - break; - default: - user.resetCount(); - remove(user); - ++count; - removed = true; - break; - } - } - } - - // access.log(Level.AUDIT, "User Perm Expires", new Date(user.permExpires)); - if(!removed && lur!=null && user.permExpires<= now ) { - // access.log(Level.AUDIT, "Reloading"); - if(lur.reload(user).equals(Resp.REVALIDATED)) { - user.renewPerm(); - access.log(Level.DEBUG, "Reloaded Perms for",user); - touched = true; - } - } - user.resetCount(); - if(touched) { - ++renewed; - } - - } else { - if(user.permExpired()) { - remove(user); - ++count; - } - } - } - - // Clean out Misses - int missTotal = missMap.keySet().size(); - int miss = 0; - if(missTotal>0) { - ArrayList keys = new ArrayList(missTotal); - keys.addAll(missMap.keySet()); - for(String key : keys) { - Miss m = missMap.get(key); - if(m!=null && m.timestamp0) { - access.log(Level.INFO, (lur==null?"Cache":lur.getClass().getSimpleName()), "removed",count, - "and renewed",renewed,"expired Permissions out of", total,"and removed", miss, "password misses out of",missTotal); - } - - // If High (total) is reached during this period, increase the number of expired services removed for next time. 
- // There's no point doing it again here, as there should have been cleaned items. - if(total>high) { - // advance cleanup by 10%, without getting greater than timeInterval. - advance = Math.min(timeInterval, advance+(timeInterval/10)); - } else { - // reduce advance by 10%, without getting lower than 0. - advance = Math.max(0, advance-(timeInterval/10)); - } - } catch (Exception e) { - access.log(Level.ERROR,e.getMessage()); - } - } - } - - public static class Miss { - private static final int MAX_TRIES = 3; - - long timestamp; - byte[][] array; - - private long timetolive; - - private int tries; - - public Miss(byte[] first, long timeInterval) { - array = new byte[MAX_TRIES][]; - array[0]=first; - timestamp = System.currentTimeMillis() + timeInterval; - this.timetolive = timeInterval; - tries = 1; - } - - public boolean mayContinue(byte[] bs) { - if(++tries > MAX_TRIES) return false; - for(byte[] a : array) { - if(a==null)return true; - if(equals(a,bs)) { - return false; - } - } - return true; - } - - public synchronized boolean add(byte[] bc) { - if(++tries>MAX_TRIES)return false; - timestamp = System.currentTimeMillis()+timetolive; - for(int i=0;i=0) { - capacitor.put((byte)value); - } - break; - case READ: - value = capacitor.read(); - if(value<0) { - capacitor.done(); - capacitor=null; // all done with buffer - value = is.read(); - } - } - } - return value; - } - - // @Override - public int read(byte[] b) throws IOException { - return read(b,0,b.length); - } - - - // @Override - public int read(byte[] b, int off, int len) throws IOException { - int count = -1; - if(capacitor==null) { - count = is.read(b,off,len); - } else { - switch(state) { - case STORE: - count = is.read(b, off, len); - if(count>0) { - capacitor.put(b, off, count); - } - break; - case READ: - count = capacitor.read(b, off, len); -// System.out.println("Capacitor read " + count); - if(count<=0) { - capacitor.done(); - capacitor=null; // all done with buffer - } - if(count0) { // watch for 
-1 - count+=temp; - } else { - if(count<=0)count = temp; // must account for Stream coming back -1 - } - } - break; - } - } -// System.out.println("read reports " + count); - return count; - } - - // @Override - public long skip(long n) throws IOException { - long skipped = capacitor.skip(n); - if(skipped extends Lur { - public abstract void remove(String user); - public abstract Resp reload(User user); - public abstract void setDebug(String commaDelimIDsOrNull); - public abstract void clear(Principal p, StringBuilder sb); -} diff --git a/core/src/main/java/org/onap/aaf/cadi/CadiException.java b/core/src/main/java/org/onap/aaf/cadi/CadiException.java deleted file mode 100644 index f8b06ce..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/CadiException.java +++ /dev/null 
@@ -1,50 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-/**
- * CADI Specific Exception
- */
-public class CadiException extends Exception {
- /**
- * Generated ID
- */
- private static final long serialVersionUID = -4180145363107742619L;
-
- public CadiException() {
- super();
- }
-
- public CadiException(String message) {
- super(message);
- }
-
- public CadiException(Throwable cause) {
- super(cause);
- }
-
- public CadiException(String message, Throwable cause) {
- super(message, cause);
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java b/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
deleted file mode 100644
index 6cf5694..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
+++ /dev/null
@@ -1,193 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi; - -import java.security.Principal; -import java.util.ArrayList; -import java.util.List; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletRequestWrapper; - -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.filter.NullPermConverter; -import org.onap.aaf.cadi.filter.PermConverter; -import org.onap.aaf.cadi.lur.EpiLur; -import org.onap.aaf.cadi.taf.TafResp; - - - -/** - * Inherit the HttpServletRequestWrapper, which calls methods of delegate it's created with, but - * overload the key security mechanisms with CADI mechanisms - * - * This works with mechanisms working strictly with HttpServletRequest (i.e. 
Servlet Filters) - * - * Specialty cases, i.e. Tomcat, which for their containers utilize their own mechanisms and Wrappers, you may - * need something similar. See AppServer specific code (i.e. tomcat) for these. - * - * - */ -public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred { - private Principal principal; - private Lur lur; - private String user; // used to set user/pass from brain-dead protocols like WSSE - private byte[] password; - private PermConverter pconv; - private Access access; - - /** - * Standard Wrapper constructor for Delegate pattern - * @param request - */ - public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) { - super(request); - principal = tafResp.getPrincipal(); - access = tafResp.getAccess(); - this.lur = lur; - pconv = NullPermConverter.singleton(); - } - - /** - * Standard Wrapper constructor for Delegate pattern, with PermConverter - * @param request - */ - public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) { - super(request); - principal = tafResp.getPrincipal(); - access = tafResp.getAccess(); - this.lur = lur; - pconv = pc; - } - - - /** - * Part of the HTTP Security API. Declare the User associated with this HTTP Transaction. - * CADI does this by reporting the name associated with the Principal obtained, if any. - */ -// @Override - public String getRemoteUser() { - return principal==null?null:principal.getName(); - } - - /** - * Part of the HTTP Security API. Return the User Principal associated with this HTTP - * Transaction. - */ -// @Override - public Principal getUserPrincipal() { - return principal; - } - - /** - * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user - * associated with this HTTP Transaction allowed to function in this Role? - * - * For CADI, we pass the responsibility for determining this to the "LUR", which may be - * determined by the Enterprise. 
- * - * Note: Role check is also done in "CadiRealm" in certain cases... - * - * - */ -// @Override - public boolean isUserInRole(String perm) { - return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm); - } - - public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) { - if(principal== null) { - access.log(Level.AUDIT,caller, "No Principal in Transaction"); - return false; - } else { - perm = pconv.convert(perm); - if(lur.fish(principal,lur.createPerm(perm))) { - access.log(Level.DEBUG,caller, principal.getName(), "has", perm); - return true; - } else { - access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm); - return false; - } - } - - } - - /** - * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc - * as implemented with lur.fishAll - * - * To utilize, the Request must be a "CadiWrap" object, then call. 
- */ - public List getPermissions(Principal p) { - List perms = new ArrayList(); - lur.fishAll(p, perms); - return perms; - } - /** - * Allow setting of tafResp and lur after construction - * - * This can happen if the CadiWrap is constructed in a Valve other than CadiValve - */ - public void set(TafResp tafResp, Lur lur) { - principal = tafResp.getPrincipal(); - access = tafResp.getAccess(); - this.lur = lur; - } - - public String getUser() { - if(user==null && principal!=null) { - user = principal.getName(); - } - return user; - } - - public byte[] getCred() { - return password; - } - - public void setUser(String user) { - this.user = user; - } - - public void setCred(byte[] passwd) { - password = passwd; - } - - public CadiWrap setPermConverter(PermConverter pc) { - pconv = pc; - return this; - } - - // Add a feature - public void invalidate(String id) { - if(lur instanceof EpiLur) { - ((EpiLur)lur).remove(id); - } else if(lur instanceof CachingLur) { - ((CachingLur)lur).remove(id); - } - } - - public Lur getLur() { - return lur; - } -} diff --git a/core/src/main/java/org/onap/aaf/cadi/Capacitor.java b/core/src/main/java/org/onap/aaf/cadi/Capacitor.java deleted file mode 100644 index a7aa4f6..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/Capacitor.java +++ /dev/null 
@@ -1,240 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi; - -import java.nio.ByteBuffer; -import java.util.ArrayList; - -/** - * Capacitor - * - * Storage mechanism for read data, specifically designed for InputStreams. - * - * The Standard BufferedInputStream requires a limit to be set for buffered reading, which is - * impractical for reading SOAP headers, which can be quite large. 
- * - */ -public class Capacitor { - private static final int DEFAULT_CHUNK = 256; - private ArrayList bbs = new ArrayList(); - private ByteBuffer curr = null; - private int idx; - - // Maintain a private RingBuffer for Memory, for efficiency - private static ByteBuffer[] ring = new ByteBuffer[16]; - private static int start, end; - - - public void put(byte b) { - if(curr == null || curr.remaining()==0) { // ensure we have a "curr" buffer ready for data - curr = ringGet(); - bbs.add(curr); - } - curr.put(b); - } - - public int read() { - if(curr!=null) { - if(curr.remaining()>0) { // have a buffer, use it! - return curr.get(); - } else if(idx0) { // loop through while there's data needed - if((len=curr.remaining())>length) { // if enough data in curr buffer, use this code - curr.get(array,offset,length); - count+=length; - length=0; - } else { // get data from curr, mark how much is needed to fulfil, and loop for next curr. - curr.get(array,offset,len); - count+=len; - offset+=len; - length-=len; - if(idx0) { - if((len=curr.remaining())>length) { - curr.put(array,offset,length); - length=0; - } else { -// System.out.println(new String(array)); - curr.put(array,offset,len); - length-=len; - offset+=len; - curr = ringGet(); - bbs.add(curr); - } - } - } - - /** - * Move state from Storage mode into Read mode, changing all internal buffers to read mode, etc - */ - public void setForRead() { - for(ByteBuffer bb : bbs) { - bb.flip(); - } - if(bbs.isEmpty()) { - curr = null; - idx = 0; - } else { - curr=bbs.get(0); - idx=1; - } - } - - /** - * reuse all the buffers - */ - public void done() { - for(ByteBuffer bb : bbs) { - ringPut(bb); - } - bbs.clear(); - curr = null; - } - - /** - * Declare amount of data available to be read at once. 
- * - * @return - */ - public int available() { - int count = 0; - for(ByteBuffer bb : bbs) { - count+=bb.remaining(); - } - return count; - } - - /** - * Returns how many are left that were not skipped - * @param n - * @return - */ - public long skip(long n) { - long skipped=0L; - int skip; - while(n>0) { - if(n<(skip=curr.remaining())) { - curr.position(curr.position()+(int)n); - skipped+=skip; - n=0; - } else { - curr.position(curr.limit()); - - skipped-=skip; - if(idx15)start=0; - } - if(bb==null) { - bb=ByteBuffer.allocate(DEFAULT_CHUNK); - } else { - bb.clear();// refresh reused buffer - } - return bb; - } - - private void ringPut(ByteBuffer bb) { - synchronized(ring) { - ring[end]=bb; // if null or not, BB will just be Garbage collected - if(++end>15)end=0; - } - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/CmdLine.java b/core/src/main/java/org/onap/aaf/cadi/CmdLine.java deleted file mode 100644 index b387c7a..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/CmdLine.java +++ /dev/null 
@@ -1,356 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi; - -import java.io.BufferedReader; -import java.io.File; -import java.io.FileInputStream; -import java.io.FileOutputStream; -import java.io.FileReader; -import java.io.IOException; -import java.io.InputStreamReader; -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.security.NoSuchAlgorithmException; - -import org.onap.aaf.cadi.util.Chmod; -import org.onap.aaf.cadi.util.JsonOutputStream; - - - -/** - * A Class to run on command line to determine suitability of environment for certain TAFs. 
- * - * For instance, CSP supports services only in certain domains, and while dynamic host - * lookups on the machine work in most cases, sometimes, names and IPs are unexpected (and - * invalid) for CSP because of multiple NetworkInterfaces, etc - * - * - */ -public class CmdLine { - - /** - * @param args - */ - public static void main(String[] args) { - if(args.length>0) { - if("digest".equalsIgnoreCase(args[0]) && (args.length>2 || (args.length>1 && System.console()!=null))) { - String keyfile; - String password; - if(args.length>2) { - password = args[1]; - keyfile = args[2]; - } else { - keyfile = args[1]; - password = new String(System.console().readPassword("Type here (keystrokes hidden): ")); - } - - try { - Symm symm; - FileInputStream fis = new FileInputStream(keyfile); - try { - symm = Symm.obtain(fis); - } finally { - fis.close(); - } - symm.enpass(password, System.out); - System.out.println(); - System.out.flush(); - return; - /* testing code... don't want it exposed - System.out.println(" ******** Testing *********"); - for(int i=0;i<100000;++i) { - System.out.println(args[1]); - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - b64.enpass(args[1], baos); - String pass; - System.out.println(pass=new String(baos.toByteArray())); - ByteArrayOutputStream reconstituted = new ByteArrayOutputStream(); - b64.depass(pass, reconstituted); - String r = reconstituted.toString(); - System.out.println(r); - if(!r.equals(args[1])) { - System.err.println("!!!!! STOP - ERROR !!!!!"); - return; - } - System.out.println(); - } - System.out.flush(); - */ - - } catch (IOException e) { - System.err.println("Cannot digest password"); - System.err.println(" \""+ e.getMessage() + '"'); - } -// . Oh, well, Deployment services need this behavior. I will put this code in, but leave it undocumented. -// One still needs access to the keyfile to read. -// July 2016 - thought of a tool "CMPass" to reguritate from properties, but only if allowed. 
- } else if("regurgitate".equalsIgnoreCase(args[0]) && args.length>2) { - try { - Symm symm; - FileInputStream fis = new FileInputStream(args[2]); - try { - symm = Symm.obtain(fis); - } finally { - fis.close(); - } - boolean isFile = false; - if("-i".equals(args[1]) || (isFile="-f".equals(args[1]))) { - BufferedReader br; - if(isFile) { - if(args.length<4) { - System.err.println("Filename in 4th position"); - return; - } - br = new BufferedReader(new FileReader(args[3])); - } else { - br = new BufferedReader(new InputStreamReader(System.in)); - } - try { - String line; - boolean cont = false; - StringBuffer sb = new StringBuffer(); - JsonOutputStream jw = new JsonOutputStream(System.out); - while((line=br.readLine())!=null) { - if(cont) { - int end; - if((end=line.indexOf('"'))>=0) { - sb.append(line,0,end); - cont=false; - } else { - sb.append(line); - } - } else { - int idx; - if((idx = line.indexOf(' '))>=0 - && (idx = line.indexOf(' ',++idx))>0 - && (idx = line.indexOf('=',++idx))>0 - && (idx = line.indexOf('=',++idx))>0 - ) { - System.out.println(line.substring(0, idx-5)); - int start = idx+2; - int end; - if((end=line.indexOf('"',start))<0) { - end = line.length(); - cont = true; - } - sb.append(line,start,end); - } - } - if(sb.length()>0) { - symm.depass(sb.toString(),jw); - if(!cont) { - System.out.println(); - } - } - System.out.flush(); - sb.setLength(0); - if(!cont) { - jw.resetIndent(); - } - } - } finally { - if(isFile) { - br.close(); - } - } - } else { - symm.depass(args[1], System.out); - } - System.out.println(); - System.out.flush(); - return; - } catch (IOException e) { - System.err.println("Cannot regurgitate password"); - System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("encode64".equalsIgnoreCase(args[0]) && args.length>1) { - try { - Symm.base64.encode(args[1], System.out); - System.out.println(); - System.out.flush(); - return; - } catch (IOException e) { - System.err.println("Cannot encode Base64 with " + args[1]); - 
System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("decode64".equalsIgnoreCase(args[0]) && args.length>1) { - try { - Symm.base64.decode(args[1], System.out); - System.out.println(); - System.out.flush(); - return; - } catch (IOException e) { - System.err.println("Cannot decode Base64 text from " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("encode64url".equalsIgnoreCase(args[0]) && args.length>1) { - try { - Symm.base64url.encode(args[1], System.out); - System.out.println(); - System.out.flush(); - return; - } catch (IOException e) { - System.err.println("Cannot encode Base64url with " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("decode64url".equalsIgnoreCase(args[0]) && args.length>1) { - try { - Symm.base64url.decode(args[1], System.out); - System.out.println(); - System.out.flush(); - return; - } catch (IOException e) { - System.err.println("Cannot decode Base64url text from " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - } else if("md5".equalsIgnoreCase(args[0]) && args.length>1) { - try { - System.out.println(Hash.encryptMD5asStringHex(args[1])); - System.out.flush(); - } catch (NoSuchAlgorithmException e) { - System.err.println("Cannot hash MD5 from " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - return; - } else if("sha256".equalsIgnoreCase(args[0]) && args.length>1) { - try { - if(args.length>2) { - int salt = Integer.parseInt(args[2]); - System.out.println(Hash.hashSHA256asStringHex(args[1],salt)); - } else { - System.out.println(Hash.hashSHA256asStringHex(args[1])); - } - } catch (NoSuchAlgorithmException e) { - System.err.println("Cannot hash SHA256 text from " + args[1]); - System.err.println(" \""+ e.getMessage() + '"'); - } - System.out.flush(); - return; - } else if("keygen".equalsIgnoreCase(args[0])) { - try { - if(args.length>1) { - File f = new File(args[1]); - FileOutputStream fos = new FileOutputStream(f); - try { - 
fos.write(Symm.baseCrypt().keygen()); - fos.flush(); - } finally { - fos.close(); - Chmod.to400.chmod(f); - } - } else { - // create a Symmetric Key out of same characters found in base64 - System.out.write(Symm.baseCrypt().keygen()); - System.out.flush(); - } - return; - } catch (IOException e) { - System.err.println("Cannot create a key " + args[0]); - System.err.println(" \""+ e.getMessage() + '"'); - } - - } else if("passgen".equalsIgnoreCase(args[0])) { - int numDigits; - if(args.length <= 1) { - numDigits = 24; - } else { - numDigits = Integer.parseInt(args[1]); - if(numDigits<8)numDigits = 8; - } - String pass; - boolean noLower,noUpper,noDigits,noSpecial,repeats; - do { - pass = Symm.randomGen(numDigits); - noLower=noUpper=noDigits=noSpecial=true; - repeats=false; - int c=-1,last; - for(int i=0;i=0x61 && c<=0x7A); - continue; - } - if(noUpper) { - noUpper=!(c>=0x41 && c<=0x5A); - continue; - } - if(noDigits) { - noDigits=!(c>=0x30 && c<=0x39); - continue; - } - if(noSpecial) { - noSpecial = "+!@#$%^&*(){}[]?:;,.".indexOf(c)<0; - continue; - } - - break; - } - } while(noLower || noUpper || noDigits || noSpecial || repeats); - System.out.println(pass.substring(0,numDigits)); - } else if("urlgen".equalsIgnoreCase(args[0])) { - int numDigits; - if(args.length < 1) { - numDigits = 24; - } else { - numDigits = Integer.parseInt(args[1]); - } - System.out.println(Symm.randomGen(Symm.base64url.codeset, numDigits).substring(0,numDigits)); - - } else if("csptest".equalsIgnoreCase(args[0])) { - try { - System.out.println("CSP Compatibility test"); - - String hostName = InetAddress.getLocalHost().getCanonicalHostName(); - - System.out.println(" Your automatic hostname is reported as \"" + hostName + "\"\n"); - System.out.flush(); - return; - } catch (UnknownHostException e) { - e.printStackTrace(System.err); - } - } - } else { - System.out.println("Usage: java -jar ..."); - System.out.println(" keygen [] (Generates Key on file, or Std Out)"); - System.out.println(" 
digest (Encrypts to Key with \"keyfile\")"); - System.out.println(" passgen (Generate Password of given size)"); - System.out.println(" urlgen (Generate URL field of given size)"); - System.out.println(" csptest (Tests for CSP compatibility)"); - System.out.println(" encode64 (Encodes to Base64)"); - System.out.println(" decode64 (Decodes from Base64)"); - System.out.println(" encode64url (Encodes to Base64 URL charset)"); - System.out.println(" decode64url (Decodes from Base64 URL charset)"); - System.out.println(" sha256 (Digest String into SHA256 Hash)"); - System.out.println(" md5 (Digest String into MD5 Hash)"); - } - System.exit(1); - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/Connector.java b/core/src/main/java/org/onap/aaf/cadi/Connector.java deleted file mode 100644 index 0a55b0d..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/Connector.java +++ /dev/null 
@@ -1,27 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-public interface Connector {
- public Lur newLur() throws CadiException;
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/CredVal.java b/core/src/main/java/org/onap/aaf/cadi/CredVal.java
deleted file mode 100644
index 324746b..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/CredVal.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-
-/**
- * UserPass
- *
- * The essential interface required by BasicAuth to determine if a given User/Password combination is
- * valid. This is done as an interface.
- *
- */
-public interface CredVal {
- public enum Type{PASSWORD};
- /**
- * Validate if the User/Password combination matches records
- * @param user
- * @param pass
- * @return
- */
- public boolean validate(String user, Type type, byte[] cred);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/GetCred.java b/core/src/main/java/org/onap/aaf/cadi/GetCred.java
deleted file mode 100644
index c0917a5..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/GetCred.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-public interface GetCred {
- byte[] getCred();
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Hash.java b/core/src/main/java/org/onap/aaf/cadi/Hash.java
deleted file mode 100644
index 9d8719a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/Hash.java
+++ /dev/null
@@ -1,202 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi; - -import java.nio.ByteBuffer; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; - -public class Hash { - private static char hexDigit[] = "0123456789abcdef".toCharArray(); - -///////////////////////////////// -// MD5 -///////////////////////////////// - /** - * Encrypt MD5 from Byte Array to Byte Array - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public static byte[] encryptMD5 (byte[] input) throws NoSuchAlgorithmException { - MessageDigest md = MessageDigest.getInstance("MD5"); - md.update(input); - return md.digest(); - } - - /** - * Encrypt MD5 from Byte Array to Byte Array - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public static byte[] encryptMD5 (byte[] input, int offset, int length) throws NoSuchAlgorithmException { - MessageDigest md = MessageDigest.getInstance("MD5"); - md.update(input,offset,length); - return md.digest(); - } - - - - /** - * Convenience Function: Encrypt MD5 from String to String Hex representation - * - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public static String encryptMD5asStringHex(String input) throws NoSuchAlgorithmException { - byte[] output = encryptMD5(input.getBytes()); - StringBuilder sb = new StringBuilder("0x"); - for (byte b : output) { - sb.append(hexDigit[(b >> 4) & 0x0f]); - sb.append(hexDigit[b & 0x0f]); - } - return sb.toString(); - } - -///////////////////////////////// -// SHA256 -///////////////////////////////// - /** - * SHA256 Hashing - */ - public static byte[] hashSHA256(byte[] input) throws NoSuchAlgorithmException { - MessageDigest md = MessageDigest.getInstance("SHA-256"); - md.update(input); - return md.digest(); - } - - /** - * SHA256 Hashing - */ - public static byte[] hashSHA256(byte[] input, int offset, int length) throws NoSuchAlgorithmException { - MessageDigest md 
= MessageDigest.getInstance("SHA-256"); - md.update(input,offset,length); - return md.digest(); - } - - /** - * Convenience Function: Hash from String to String Hex representation - * - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public static String hashSHA256asStringHex(String input) throws NoSuchAlgorithmException { - byte[] output = hashSHA256(input.getBytes()); - StringBuilder sb = new StringBuilder("0x"); - for (byte b : output) { - sb.append(hexDigit[(b >> 4) & 0x0f]); - sb.append(hexDigit[b & 0x0f]); - } - return sb.toString(); - } - - /** - * Convenience Function: Hash from String to String Hex representation - * - * @param input - * @return - * @throws NoSuchAlgorithmException - */ - public static String hashSHA256asStringHex(String input, int salt) throws NoSuchAlgorithmException { - byte[] in = input.getBytes(); - ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + in.length); - bb.putInt(salt); - bb.put(input.getBytes()); - byte[] output = Hash.hashSHA256(bb.array()); - StringBuilder sb = new StringBuilder("0x"); - for (byte b : output) { - sb.append(hexDigit[(b >> 4) & 0x0f]); - sb.append(hexDigit[b & 0x0f]); - } - return sb.toString(); - } - - /** - * Compare two byte arrays for equivalency - * @param ba1 - * @param ba2 - * @return - */ - public static boolean isEqual(byte ba1[], byte ba2[]) { - if(ba1.length!=ba2.length)return false; - for(int i = 0;i> 4) & 0x0f]); - sb.append(hexDigit[b & 0x0f]); - } - return sb.toString(); - } - - public static byte[] fromHex(String s) throws CadiException{ - if(!s.startsWith("0x")) { - throw new CadiException("HexString must start with \"0x\""); - } - boolean high = true; - int c; - byte b; - byte[] ba = new byte[(s.length()-2)/2]; - int idx; - for(int i=2;i=0x30 && c<=0x39) { - b=(byte)(c-0x30); - } else if(c>=0x61 && c<=0x66) { - b=(byte)(c-0x57); // account for "A" - } else if(c>=0x41 && c<=0x46) { - b=(byte)(c-0x37); - } else { - throw new CadiException("Invalid char '" + c + "' in 
HexString"); - } - idx = (i-2)/2; - if(high) { - ba[idx]=(byte)(b<<4); - high = false; - } else { - ba[idx]|=b; - high = true; - } - } - return ba; - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/Locator.java b/core/src/main/java/org/onap/aaf/cadi/Locator.java deleted file mode 100644 index 05b6442..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/Locator.java +++ /dev/null 
@@ -1,36 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-public interface Locator {
- public T get(Locator.Item item) throws LocatorException;
- public boolean hasItems();
- public void invalidate(Locator.Item item) throws LocatorException;
- public Locator.Item best() throws LocatorException;
- public Item first() throws LocatorException;
- public Item next(Item item) throws LocatorException;
- public boolean refresh();
- public void destroy();
-
- public interface Item {}
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/LocatorException.java b/core/src/main/java/org/onap/aaf/cadi/LocatorException.java
deleted file mode 100644
index 43127ec..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/LocatorException.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-public class LocatorException extends Exception {
- /**
- *
- */
- private static final long serialVersionUID = -4267929804321134469L;
-
- public LocatorException(String arg0) {
- super(arg0);
- }
-
- public LocatorException(Throwable arg0) {
- super(arg0);
- }
-
- public LocatorException(String arg0, Throwable arg1) {
- super(arg0, arg1);
- }
-
- public LocatorException(CharSequence cs) {
- super(cs.toString());
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Lur.java b/core/src/main/java/org/onap/aaf/cadi/Lur.java
deleted file mode 100644
index afbf2dd..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/Lur.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-import java.security.Principal;
-import java.util.List;
-
-
-
-/**
- * LUR: Local User Registry
- *
- * Concept by Robert Garskof, Implementation by Jonathan Gathman
- *
- * Where we can keep local copies of users and roles for faster Authorization when asked.
- *
- * Note: Author cannot resist the mental image of using a Fishing Lure to this LUR pattern
- *
- *
- */
-public interface Lur {
- /**
- * Allow the Lur, which has correct Permission access, to create and hand back.
- */
- public Permission createPerm(String p);
-
- /**
- * Fish for Principals in a Pond
- *
- * or more boringly, is the User identified within a named collection representing permission.
- *
- * @param principalName
- * @return
- */
- public boolean fish(Principal bait, Permission pond);
-
- /**
- * Fish all the Principals out a Pond
- *
- * For additional humor, pronounce the following with a Southern Drawl, "FishOil"
- *
- * or more boringly, load the List with Permissions found for Principal
- *
- * @param principalName
- * @return
- */
- public void fishAll(Principal bait, List permissions);
-
- /**
- * Allow implementations to disconnect, or cleanup resources if unneeded
- */
- public void destroy();
-
- /**
- * Does this LUR handle this pond exclusively? Important for EpiLUR to determine whether
- * to try another (more expensive) LUR
- * @param pond
- * @return
- */
- public boolean handlesExclusively(Permission pond);
-
- /**
- * What domain of User does this LUR support? (used to avoid asking when not possible)
- *
- * @param bait
- * @return
- */
- public boolean supports(String userName);
-
- /**
- * Clear: Clear any Caching, if exists
- */
- public void clear(Principal p, StringBuilder report);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Permission.java b/core/src/main/java/org/onap/aaf/cadi/Permission.java
deleted file mode 100644
index ac0ec46..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/Permission.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-public interface Permission {
- public String permType();
- public String getKey();
- public boolean match(Permission p);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/PropAccess.java b/core/src/main/java/org/onap/aaf/cadi/PropAccess.java
deleted file mode 100644
index d866e85..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/PropAccess.java
+++ /dev/null
@@ -1,321 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi; - -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.PrintStream; -import java.text.SimpleDateFormat; -import java.util.ArrayList; -import java.util.Date; -import java.util.List; -import java.util.Map.Entry; - -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.config.SecurityInfo; - -import java.util.Properties; - -public class PropAccess implements Access { - private static final SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ"); - - public static Level DEFAULT = Level.AUDIT; - - private Symm symm; - private int level; - private Properties props; - private List recursionProtection = null; - private PrintStream out; - - private String name; - - public PropAccess() { - out=System.out; - init(null); - } - - /** - * This Constructor soley exists to instantiate Servlet Context Based Logging that will call "init" later. - * @param sc - */ - protected PropAccess(Object o) { - out=System.out; - props = new Properties(); - } - - public PropAccess(String ... 
args) { - this(System.out,args); - } - - public PropAccess(PrintStream ps, String[] args) { - out=ps==null?System.out:ps; - Properties nprops=new Properties(); - int eq; - for(String arg : args) { - if((eq=arg.indexOf('='))>0) { - nprops.setProperty(arg.substring(0, eq),arg.substring(eq+1)); - } - } - init(nprops); - } - - public PropAccess(Properties p) { - this(System.out,p); - } - - public PropAccess(PrintStream ps, Properties p) { - out=ps==null?System.out:ps; - init(p); - } - - protected void init(Properties p) { - // Make sure these two are set before any changes in Logging - name = "cadi"; - level=DEFAULT.maskOf(); - - props = new Properties(); - // First, load related System Properties - for(Entry es : System.getProperties().entrySet()) { - String key = es.getKey().toString(); - for(String start : new String[] {"cadi_","aaf_","cm_","csp_"}) { - if(key.startsWith(start)) { - props.put(key, es.getValue()); - } - } - } - // Second, overlay or fill in with Passed in Props - if(p!=null) { - props.putAll(p); - } - - // Third, load any Chained Property Files - load(props.getProperty(Config.CADI_PROP_FILES)); - - String sLevel = props.getProperty(Config.CADI_LOGLEVEL); - if(sLevel!=null) { - level=Level.valueOf(sLevel).maskOf(); - } - // Setup local Symmetrical key encryption - if(symm==null) { - symm = Symm.obtain(this); - } - - name = props.getProperty(Config.CADI_LOGNAME, name); - - // Critical - if no Security Protocols set, then set it. 
We'll just get messed up if not - if(props.get(Config.CADI_PROTOCOLS)==null) { - props.setProperty(Config.CADI_PROTOCOLS, SecurityInfo.HTTPS_PROTOCOLS_DEFAULT); - } - } - - private void load(String cadi_prop_files) { - String prevKeyFile = props.getProperty(Config.CADI_KEYFILE); - - if(cadi_prop_files!=null) { - int prev = 0, end = cadi_prop_files.length(); - int idx; - String filename; - while(prev(); - recursionProtection.add(cadi_prop_files); - } - if(!recursionProtection.contains(chainProp)) { - recursionProtection.add(chainProp); - load(chainProp); // recurse - } - } - } finally { - fis.close(); - } - } catch (Exception e) { - log(e,filename,"cannot be opened"); - } - } else { - printf(Level.WARN,"Warning: recursive CADI Property %s does not exist",file.getAbsolutePath()); - } - prev = idx+1; - } - } - // Reset Symm if Keyfile Changes: - String newKeyFile = props.getProperty(Config.CADI_KEYFILE); - if((prevKeyFile==null && newKeyFile!=null) || (newKeyFile!=null && !newKeyFile.equals(prevKeyFile))) { - symm = Symm.obtain(this); - prevKeyFile=newKeyFile; - } - - String loglevel = props.getProperty(Config.CADI_LOGLEVEL); - if(loglevel!=null) { - try { - level=Level.valueOf(loglevel).maskOf(); - } catch (IllegalArgumentException e) { - printf(Level.ERROR,"%s=%s is an Invalid Log Level",Config.CADI_LOGLEVEL,loglevel); - } - } - } - - @Override - public void load(InputStream is) throws IOException { - props.load(is); - load(props.getProperty(Config.CADI_PROP_FILES)); - } - - @Override - public void log(Level level, Object ... 
elements) { - if(willLog(level)) { - StringBuilder sb = buildMsg(level, elements); - out.println(sb); - out.flush(); - } - } - - protected StringBuilder buildMsg(Level level, Object[] elements) { - StringBuilder sb = new StringBuilder(iso8601.format(new Date())); - sb.append(' '); - sb.append(level.name()); - sb.append(" ["); - sb.append(name); - - int end = elements.length; - if(end<=0) { - sb.append("] "); - } else { - int idx = 0; - if(elements[idx] instanceof Integer) { - sb.append('-'); - sb.append(elements[idx]); - ++idx; - } - sb.append("] "); - String s; - boolean first = true; - for(Object o : elements) { - if(o!=null) { - s=o.toString(); - if(first) { - first = false; - } else { - int l = s.length(); - if(l>0) { - switch(s.charAt(l-1)) { - case ' ': - break; - default: - sb.append(' '); - } - } - } - sb.append(s); - } - } - } - return sb; - } - - @Override - public void log(Exception e, Object... elements) { - log(Level.ERROR,e.getMessage(),elements); - e.printStackTrace(System.err); - } - - @Override - public void printf(Level level, String fmt, Object... elements) { - if(willLog(level)) { - log(level,String.format(fmt, elements)); - } - } - - @Override - public void setLogLevel(Level level) { - this.level = level.maskOf(); - } - - @Override - public boolean willLog(Level level) { - return level.inMask(this.level); - } - - @Override - public ClassLoader classLoader() { - return ClassLoader.getSystemClassLoader(); - } - - @Override - public String getProperty(String tag, String def) { - return props.getProperty(tag,def); - } - - @Override - public String decrypt(String encrypted, boolean anytext) throws IOException { - return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC))) - ? 
symm.depass(encrypted) - : encrypted; - } - - public String encrypt(String unencrypted) throws IOException { - return Symm.ENC+symm.enpass(unencrypted); - } - - ////////////////// - // Additional - ////////////////// - public String getProperty(String tag) { - return props.getProperty(tag); - } - - - public Properties getProperties() { - return props; - } - - public void setProperty(String tag, String value) { - if(value!=null) { - props.put(tag, value); - if(Config.CADI_KEYFILE.equals(tag)) { - // reset decryption too - symm = Symm.obtain(this); - } - } - } - - public Properties getDME2Properties() { - return Config.getDME2Props(this); - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/Revalidator.java b/core/src/main/java/org/onap/aaf/cadi/Revalidator.java deleted file mode 100644 index 68b2661..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/Revalidator.java +++ /dev/null 
@@ -1,35 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-
-public interface Revalidator {
- /**
- * Re-Validate Credential
- *
- * @param prin
- * @return
- */
- public CachedPrincipal.Resp revalidate(TRANS trans, CachedPrincipal prin);
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/SLF4JAccess.java b/core/src/main/java/org/onap/aaf/cadi/SLF4JAccess.java
deleted file mode 100644
index 33b7050..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/SLF4JAccess.java
+++ /dev/null
@@ -1,100 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi; - -import java.util.Properties; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -public class SLF4JAccess extends PropAccess { - private static final Logger slf4j = LoggerFactory.getLogger("AAF"); - - public SLF4JAccess(final Properties initial) throws CadiException { - super(initial); - } - - public void log(Level level, Object... 
elements) { - switch(level) { - case AUDIT: - slf4j.info(msg(elements).toString()); - break; - case DEBUG: - slf4j.debug(msg(elements).toString()); - break; - case ERROR: - slf4j.error(msg(elements).toString()); - break; - case INFO: - slf4j.info(msg(elements).toString()); - break; - case INIT: - slf4j.info(msg(elements).toString()); - break; - case WARN: - slf4j.warn(msg(elements).toString()); - break; - default: - slf4j.info(msg(elements).toString()); - break; - } - } - - /* (non-Javadoc) - * @see com.att.cadi.Access#willLog(com.att.cadi.Access.Level) - */ - @Override - public boolean willLog(Level level) { - switch(level) { - case DEBUG: - return slf4j.isDebugEnabled(); - case ERROR: - return slf4j.isErrorEnabled(); - case WARN: - return slf4j.isWarnEnabled(); -// case INFO: -// case INIT: -// case AUDIT: - default: - return slf4j.isInfoEnabled(); - } - } - - private StringBuilder msg(Object ... elements) { - StringBuilder sb = new StringBuilder(); - boolean first = true; - for(Object o : elements) { - if(first) first = false; - else { - sb.append(' '); - } - sb.append(o.toString()); - } - return sb; - } - - public void log(Exception e, Object... elements) { - slf4j.error(msg(elements).toString(),e); - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java b/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java deleted file mode 100644 index 88c45b0..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java +++ /dev/null 
@@ -1,44 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-
-/**
- * Apply any particular security mechanism
- *
- * This allows the definition of various mechanisms involved outside of DRcli jars
- *
- *
- */
-public interface SecuritySetter {
- public String getID();
-
- public void setSecurity(CT client) throws CadiException;
-
- /**
- * Returns number of bad logins registered
- * @param respCode
- * @return
- */
- public int setLastResponse(int respCode);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java b/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java
deleted file mode 100644
index 6c288d5..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java
+++ /dev/null
@@ -1,69 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi; -import java.util.Enumeration; -import javax.servlet.FilterConfig; -import javax.servlet.ServletContext; - -import org.onap.aaf.cadi.config.Config; - -public class ServletContextAccess extends PropAccess { - - private ServletContext context; - - public ServletContextAccess(FilterConfig filterConfig) { - super(filterConfig); // protected contstructor... does not have "init" called. 
- context = filterConfig.getServletContext(); - - for(Enumeration en = filterConfig.getInitParameterNames();en.hasMoreElements();) { - String name = (String)en.nextElement(); - setProperty(name, filterConfig.getInitParameter(name)); - } - init(getProperties()); - Config.getDME2Props(this); - } - - /* (non-Javadoc) - * @see com.att.cadi.PropAccess#log(com.att.cadi.Access.Level, java.lang.Object[]) - */ - @Override - public void log(Level level, Object... elements) { - if(willLog(level)) { - StringBuilder sb = buildMsg(level, elements); - context.log(sb.toString()); - } - } - - /* (non-Javadoc) - * @see com.att.cadi.PropAccess#log(java.lang.Exception, java.lang.Object[]) - */ - @Override - public void log(Exception e, Object... elements) { - StringBuilder sb = buildMsg(Level.ERROR, elements); - context.log(sb.toString(),e); - } - - public ServletContext context() { - return context; - } -} diff --git a/core/src/main/java/org/onap/aaf/cadi/StrLur.java b/core/src/main/java/org/onap/aaf/cadi/StrLur.java deleted file mode 100644 index 1a86c8e..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/StrLur.java +++ /dev/null 
@@ -1,56 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-import java.util.List;
-
-
-
-/**
- * StrLUR: Implements fish with String, skipping the need to be a Principal where it doesn't make sense.
- *
- *
- */
-public interface StrLur extends Lur {
- /**
- * Fish for Principals in a Pond
- *
- * or more boringly, is the User identified within a named collection representing permission.
- *
- * @param principalName
- * @return
- */
- public boolean fish(String bait, Permission pond);
-
- /**
- * Fish all the Principals out a Pond
- *
- * For additional humor, pronounce the following with a Southern Drawl, "FishOil"
- *
- * or more boringly, load the List with Permissions found for Principal
- *
- * @param principalName
- * @return
- */
- public void fishAll(String bait, List permissions);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Symm.java b/core/src/main/java/org/onap/aaf/cadi/Symm.java
deleted file mode 100644
index beb0c40..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/Symm.java
+++ /dev/null
@@ -1,811 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.DataInputStream; -import java.io.DataOutputStream; -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.security.SecureRandom; -import java.util.ArrayList; -import java.util.Random; - -import javax.crypto.CipherInputStream; -import javax.crypto.CipherOutputStream; - -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.config.Config; - -/** - * Key Conversion, primarily "Base64" - * - * Base64 is required for "Basic Authorization", which is an important part of the overall CADI Package. - * - * Note: This author found that there is not a "standard" library for Base64 conversion within Java. - * The source code implementations available elsewhere were surprisingly inefficient, requiring, for - * instance, multiple string creation, on a transaction pass. Integrating other packages that might be - * efficient enough would put undue Jar File Dependencies given this Framework should have none-but-Java - * dependencies. - * - * The essential algorithm is good for a symmetrical key system, as Base64 is really just - * a symmetrical key that everyone knows the values. - * - * This code is quite fast, taking about .016 ms for encrypting, decrypting and even .08 for key - * generation. The speed quality, especially of key generation makes this a candidate for a short term token - * used for identity. - * - * It may be used to easily avoid placing Clear-Text passwords in configurations, etc. and contains - * supporting functions such as 2048 keyfile generation (see keygen). This keyfile should, of course, - * be set to "400" (Unix) and protected as any other mechanism requires. - * - * However, this algorithm has not been tested against hackers. 
Until such a time, utilize more tested - * packages to protect Data, especially sensitive data at rest (long term). - * - */ -public class Symm { - private static final byte[] DOUBLE_EQ = new byte[] {'=','='}; - public static final String ENC = "enc:"; - private static final SecureRandom random = new SecureRandom(); - - public final char[] codeset; - private final int splitLinesAt; - private final String encoding; - private final Convert convert; - private final boolean endEquals; - //Note: AES Encryption is not Thread Safe. It is Synchronized - private static AES aes = null; // only initialized from File, and only if needed for Passwords - - /** - * This is the standard base64 Key Set. - * RFC 2045 - */ - public static final Symm base64 = new Symm( - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray() - ,76, Config.UTF_8,true); - - public static final Symm base64noSplit = new Symm( - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray() - ,Integer.MAX_VALUE, Config.UTF_8,true); - - /** - * This is the standard base64 set suitable for URLs and Filenames - * RFC 4648 - */ - public static final Symm base64url = new Symm( - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray() - ,76, Config.UTF_8,true); - - /** - * A Password set, using US-ASCII - * RFC 4648 - */ - public static final Symm encrypt = new Symm(base64url.codeset,1024, "US-ASCII", false); - - /** - * A typical set of Password Chars - * Note, this is too large to fit into the algorithm. 
Only use with PassGen - */ - private static char passChars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+!@#$%^&*(){}[]?:;,.".toCharArray(); - - - - /** - * Use this to create special case Case Sets and/or Line breaks - * - * If you don't know why you need this, use the Singleton Method - * - * @param codeset - * @param split - */ - public Symm(char[] codeset, int split, String charset, boolean useEndEquals) { - this.codeset = codeset; - splitLinesAt = split; - encoding = charset; - endEquals = useEndEquals; - char prev = 0, curr=0, first = 0; - int offset=Integer.SIZE; // something that's out of range for integer array - - // There can be time efficiencies gained when the underlying keyset consists mainly of ordered - // data (i.e. abcde...). Therefore, we'll quickly analyze the keyset. If it proves to have - // too much entropy, the "Unordered" algorithm, which is faster in such cases is used. - ArrayList la = new ArrayList(); - for(int i=0;icodeset.length/3) { - convert = new Unordered(codeset); - } else { // too random to get speed enhancement from range algorithm - int[][] range = new int[la.size()][]; - la.toArray(range); - convert = new Ordered(range); - } - } - - public Symm copy(int lines) { - return new Symm(codeset,lines,encoding,endEquals); - } - - // Only used by keygen, which is intentionally randomized. Therefore, always use unordered - private Symm(char[] codeset, Symm parent) { - this.codeset = codeset; - splitLinesAt = parent.splitLinesAt; - endEquals = parent.endEquals; - encoding = parent.encoding; - convert = new Unordered(codeset); - } - - /** - * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc. - * @return - */ - @Deprecated - public static final Symm base64() { - return base64; - } - - /** - * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc. 
- * No Line Splitting - * @return - */ - @Deprecated - public static final Symm base64noSplit() { - return base64noSplit; - } - - /** - * Obtain the base64 "URL" behavior of this class, for use in File Names, etc. (no "/") - */ - @Deprecated - public static final Symm base64url() { - return base64url; - } - - /** - * Obtain a special ASCII version for Scripting, with base set of base64url use in File Names, etc. (no "/") - */ - public static final Symm baseCrypt() { - return encrypt; - } - - /* - * Note: AES Encryption is NOT thread-safe. Must surround entire use with synchronized - */ - private synchronized void exec(AESExec exec) throws IOException { - if(aes == null) { - try { - byte[] bytes = new byte[AES.AES_KEY_SIZE/8]; - int offset = (Math.abs(codeset[0])+47)%(codeset.length-bytes.length); - for(int i=0;i=0) { - if(line>=splitLinesAt) { - os.write('\n'); - line = 0; - } - switch(++idx) { // 1 based reading, slightly faster ++ - case 1: // ptr is the first 6 bits of read - os.write(codeset[read>>2]); - prev = read; - break; - case 2: // ptr is the last 2 bits of prev followed by the first 4 bits of read - os.write(codeset[((prev & 0x03)<<4) | (read>>4)]); - prev = read; - break; - default: //(3+) - // Char 1 is last 4 bits of prev plus the first 2 bits of read - // Char 2 is the last 6 bits of read - os.write(codeset[(((prev & 0xF)<<2) | (read>>6))]); - if(line==splitLinesAt) { // deal with line splitting for two characters - os.write('\n'); - line=0; - } - os.write(codeset[(read & 0x3F)]); - ++line; - idx = 0; - prev = 0; - } - ++line; - } else { // deal with any remaining bits from Prev, then pad - switch(idx) { - case 1: // just the last 2 bits of prev - os.write(codeset[(prev & 0x03)<<4]); - if(endEquals)os.write(DOUBLE_EQ); - break; - case 2: // just the last 4 bits of prev - os.write(codeset[(prev & 0xF)<<2]); - if(endEquals)os.write('='); - break; - } - idx = 0; - } - - } while(go); - } - - public void decode(InputStream is, OutputStream os, int skip) 
throws IOException { - is.skip(skip); - decode(is,os); - } - - /** - * Decode InputStream onto OutputStream - * @param is - * @param os - * @throws IOException - */ - public void decode(InputStream is, OutputStream os) throws IOException { - int read, idx=0; - int prev=0, index; - while((read = is.read())>=0) { - index = convert.convert(read); - if(index>=0) { - switch(++idx) { // 1 based cases, slightly faster ++ - case 1: // index goes into first 6 bits of prev - prev = index<<2; - break; - case 2: // write second 2 bits of into prev, write byte, last 4 bits go into prev - os.write((byte)(prev|(index>>4))); - prev = index<<4; - break; - case 3: // first 4 bits of index goes into prev, write byte, last 2 bits go into prev - os.write((byte)(prev|(index>>2))); - prev = index<<6; - break; - default: // (3+) | prev and last six of index - os.write((byte)(prev|(index&0x3F))); - idx = prev = 0; - } - } - }; - os.flush(); - } - - /** - * Interface to allow this class to choose which algorithm to find index of character in Key - * - */ - private interface Convert { - public int convert(int read) throws IOException; - } - - /** - * Ordered uses a range of orders to compare against, rather than requiring the investigation - * of every character needed. - * - */ - private static final class Ordered implements Convert { - private int[][] range; - public Ordered(int[][] range) { - this.range = range; - } - public int convert(int read) throws IOException { - switch(read) { - case -1: - case '=': - case '\n': - return -1; - } - for(int i=0;i= range[i][0] && read<=range[i][1]) { - return read-range[i][2]; - } - } - throw new IOException("Unacceptable Character in Stream"); - } - } - - /** - * Unordered, i.e. the key is purposely randomized, simply has to investigate each character - * until we find a match. 
- * - */ - private static final class Unordered implements Convert { - private char[] codec; - public Unordered(char[] codec) { - this.codec = codec; - } - public int convert(int read) throws IOException { - switch(read) { - case -1: - case '=': - case '\n': - return -1; - } - for(int i=0;i=0) { - index = o.next(); - if(index<0 || index>=codeset.length) { - System.out.println("uh, oh"); - } - if(right) { // alternate going left or right to find the next open slot (keeps it from taking too long to hit something) - for(int j=index;j=0;--j) { - if(seq[j]==0) { - seq[j]=codeset[filled]; - --filled; - break; - } - } - right = true; - } - } - return new Symm(seq,this); - } -} diff --git a/core/src/main/java/org/onap/aaf/cadi/Taf.java b/core/src/main/java/org/onap/aaf/cadi/Taf.java deleted file mode 100644 index d4b2211..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/Taf.java +++ /dev/null 
@@ -1,57 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-import org.onap.aaf.cadi.taf.TafResp;
-
-
-/**
- * TAF - Transmutative Assertion Framework.
- *
- * This main Interface embodies the essential of the assertion, where a number of different TAFs might be used to authenticate
- * and that authentication to be recognized through other elements.
- *
- * Concept by Robert Garskof. Implemented by Jonathan Gathman
- *
- *
- */
-public interface Taf {
- enum LifeForm {CBLF, SBLF, LFN};
- /**
- * The lifeForm param is a humorous way of describing whether the interaction is proceeding from direct Human Interaction via a browser
- * or App which can directly query a memorized password, key sequence, bio-feedback, from that user, or a machine mechanism for which identity
- * can more easily be determined by Certificate, Mechanical ID/Password etc. Popularized in modern culture and Science Fiction (especially
- * Star Trek), we (starting with Robert Garskof) use the terms "Carbon Based Life Form" (CBLF) for mechanisms with people at the end of them, or
- * "Silicon Based Life Forms" (SBLF) to indicate machine only interactions. I have added "LFN" for (Life-Form Neutral) to aid identifying
- * processes for which it doesn't matter whether there is a human at the immediate end of the chain, or cannot be determined mechanically.
- *
- * The variable parameter is not necessarily ideal, but with too many unknown Tafs to be created, flexibility,
- * is unfortunately required at this point. Future versions could lock this down more. JG 10/18/2012
- *
- * @param lifeForm
- * @param info
- * @return
- */
- public TafResp validate(LifeForm reading, String ... info);
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Transmutate.java b/core/src/main/java/org/onap/aaf/cadi/Transmutate.java
deleted file mode 100644
index 950f28f..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/Transmutate.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-import java.security.Principal;
-
-/**
- * The unique element of TAF is that we establish the relationship/mechanism to mutate the Principal derived from
- * one Authentication mechanism into a trustable Principal of another. The mechanism needs to be decided by system
- * trusting.
- *
- * The Generic "T" is used so that the code used will be very specific for the implementation, enforced by Compiler
- *
- * This interface will allow differences of trusting Transmutation of Authentication
- *
- */
-public interface Transmutate {
- /**
- * Mutate the (assumed validated) Principal into the expected Principal name to be used to construct
- *
- * @param p
- * @return
- */
- public T mutate(Principal p);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java b/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java
deleted file mode 100644
index feade74..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.onap.aaf.cadi.taf.TafResp;
-
-/**
- * Change to another Principal based on Trust of caller and User Chain (if desired)
- *
- *
- */
-public interface TrustChecker {
- public TafResp mayTrust(TafResp tresp, HttpServletRequest req);
-
- /**
- * A class that trusts no-one else, so just return same TResp
- */
- public static TrustChecker NOTRUST = new TrustChecker() {
- @Override
- public TafResp mayTrust(TafResp tresp, HttpServletRequest req) {
- return tresp;
- }
-
- @Override
- public void setLur(Lur lur) {
- }
- };
-
- public void setLur(Lur lur);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/User.java b/core/src/main/java/org/onap/aaf/cadi/User.java
deleted file mode 100644
index 372e9bc..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/User.java
+++ /dev/null
@@ -1,144 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-import java.security.Principal;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-
-import org.onap.aaf.cadi.lur.LocalPermission;
-
-/**
- * Class to hold info from the User Perspective.
- *
- *
- */
-public final class User {
- private static Map NULL_MAP = new HashMap();
- public Principal principal;
- Map perms ;
- long permExpires;
- private final long interval;
- int count;
-
- // Note: This should only be used for Local RBAC (in memory)
- public User(Principal principal) {
- this.principal = principal;
- perms = NULL_MAP;
- permExpires = Long.MAX_VALUE; // Never. Well, until 64 bits of millis since 1970 expires...
- interval = 0L;
- count = 0;
- }
-
- public User(Principal principal, long expireInterval) {
- this.principal = principal;
- perms = NULL_MAP;
- expireInterval = Math.max(expireInterval, 0); // avoid < 1
- interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL));
- permExpires = 0;
- count = 0;
- }
-
- public void renewPerm() {
- permExpires = System.currentTimeMillis()+interval;
- }
-
- public long permExpires() {
- return permExpires;
- }
-
- public boolean permExpired() {
- return System.currentTimeMillis() > permExpires;
- }
-
- public boolean noPerms() {
- return perms==null || perms.values().size()==0;
- }
-
- public void setNoPerms() {
- perms=NULL_MAP;
- permExpires = System.currentTimeMillis() + interval;
- }
-
- public boolean permsUnloaded() {
- return perms==null;
- }
-
- public synchronized void incCount() {
- ++count;
- }
-
- public synchronized void resetCount() {
- count=0;
- }
-
- public Map newMap() {
- return new ConcurrentHashMap();
- }
-
- public void add(LocalPermission permission) {
- if(perms==NULL_MAP)perms=newMap();
- perms.put(permission.getKey(),permission);
- }
-
- public void add(Map newMap, PERM permission) {
- newMap.put(permission.getKey(),permission);
- }
-
- public void setMap(Map newMap) {
- perms = newMap;
- }
-
- public boolean contains(Permission perm) {
- for (Permission p : perms.values()) {
- if (p.match(perm)) return true;
- }
- return false;
- }
-
- public void copyPermsTo(List sink) {
- sink.addAll(perms.values());
- }
-
- public String toString() {
- StringBuilder sb = new StringBuilder();
- sb.append(principal.getName());
- sb.append('|');
- boolean first = true;
- synchronized(perms) {
- for(Permission gp : perms.values()) {
- if(first) {
- first = false;
- sb.append(':');
- } else {
- sb.append(',');
- }
- sb.append(gp.getKey());
- }
- }
- return sb.toString();
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/UserChain.java b/core/src/main/java/org/onap/aaf/cadi/UserChain.java
deleted file mode 100644
index ac04792..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/UserChain.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi;
-
-/**
- * Interface to add a User Chain String to Principal
- *
- *
- *
- * Where
- * APP is name suitable for Logging (i.e. official App Acronym)
- * ID is official User or MechID, best if includes Identity Source (i.e. ab1234@csp.att.com)
- * Protocol is the Security protocol,
- *
- * Format:::[:AS][,::]*
- *
- *
- *
- */
-public interface UserChain {
- public enum Protocol {BasicAuth,Cookie,Cert,OAuth};
- public String userChain();
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/core/src/main/java/org/onap/aaf/cadi/config/Config.java
deleted file mode 100644
index 4128665..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/config/Config.java
+++ /dev/null
@@ -1,815 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.config;
-
-import java.io.IOException;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
-import java.net.InetAddress;
-import java.net.URI;
-import java.net.UnknownHostException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map.Entry;
-
-import org.onap.aaf.cadi.AbsUserCache;
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CachingLur;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.CredVal;
-import org.onap.aaf.cadi.Locator;
-import org.onap.aaf.cadi.Lur;
-import org.onap.aaf.cadi.PropAccess;
-import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.TrustChecker;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.lur.EpiLur;
-import org.onap.aaf.cadi.lur.LocalLur;
-import org.onap.aaf.cadi.lur.NullLur;
-import org.onap.aaf.cadi.taf.HttpEpiTaf;
-import org.onap.aaf.cadi.taf.HttpTaf;
-import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
-import org.onap.aaf.cadi.taf.cert.X509Taf;
-import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
-
-import java.util.Properties;
-import java.util.TimerTask;
-
-/**
- * Create a Consistent Configuration mechanism, even when configuration styles are as vastly different as
- * Properties vs JavaBeans vs FilterConfigs...
- *
- *
- */
-public class Config {
-
- private static final String HIDE_PASS = "***************";
-
- public static final String UTF_8 = "UTF-8";
-
- // Property Names associated with configurations.
- // As of 1.0.2, these have had the dots removed so as to be compatible with JavaBean style
- // configurations as well as property list style.
- public static final String HOSTNAME = "hostname";
- public static final String CADI_PROP_FILES = "cadi_prop_files"; // Additional Properties files (separate with ;)
- public static final String CADI_LOGLEVEL = "cadi_loglevel";
- public static final String CADI_LOGNAME = "cadi_logname";
- public static final String CADI_KEYFILE = "cadi_keyfile";
- public static final String CADI_KEYSTORE = "cadi_keystore";
- public static final String CADI_KEYSTORE_PASSWORD = "cadi_keystore_password";
- public static final String CADI_ALIAS = "cadi_alias";
- public static final String CADI_LOGINPAGE_URL = "cadi_loginpage_url";
-
- public static final String CADI_KEY_PASSWORD = "cadi_key_password";
- public static final String CADI_TRUSTSTORE = "cadi_truststore";
- public static final String CADI_TRUSTSTORE_PASSWORD = "cadi_truststore_password";
- public static final String CADI_X509_ISSUERS = "cadi_x509_issuers";
- public static final String CADI_TRUST_MASKS="cadi_trust_masks";
- public static final String CADI_TRUST_PERM="cadi_trust_perm"; // IDs with this perm can utilize the "AS " user concept
- public static final String CADI_PROTOCOLS = "cadi_protocols";
- public static final String CADI_NOAUTHN = "cadi_noauthn";
- public static final String CADI_LOC_LIST = "cadi_loc_list";
-
- public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain";
- public static final String CADI_USER_CHAIN = "USER_CHAIN";
-
-
-
- public static final String CSP_DOMAIN = "csp_domain";
- public static final String CSP_HOSTNAME = "csp_hostname";
- public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost";
- public static final String CSP_USER_HEADER = "CSP_USER";
- public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf";
- public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file";
-
-
- public static final String TGUARD_ENV="tguard_env";
- public static final String TGUARD_DOMAIN = "tguard_domain";
- public static final String TGUARD_TIMEOUT = "tguard_timeout";
- public static final String TGUARD_TIMEOUT_DEF = "5000";
- public static final String TGUARD_CERTS = "tguard_certs"; // comma delimited SHA-256 finger prints
-// public static final String TGUARD_DEVL_LOCALHOST = "tguard_devl_localhost";
-// public static final String TGUARD_USER_HEADER = "TGUARD_USER";
-
- public static final String LOCALHOST_ALLOW = "localhost_allow";
- public static final String LOCALHOST_DENY = "localhost_deny";
-
- public static final String BASIC_REALM = "basic_realm"; // what is sent to the client
- public static final String BASIC_WARN = "basic_warn"; // Warning of insecure channel
- public static final String USERS = "local_users";
- public static final String GROUPS = "local_groups";
- public static final String WRITE_TO = "local_writeto"; // dump RBAC to local file in Tomcat Style (some apps use)
-
- public static final String AAF_ENV = "aaf_env";
- public static final String AAF_ROOT_NS = "aaf_root_ns";
- public static final String AAF_ROOT_COMPANY = "aaf_root_company";
- public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
- public static final String AAF_MECHID = "aaf_id";
- public static final String AAF_MECHPASS = "aaf_password";
- public static final String AAF_LUR_CLASS = "aaf_lur_class";
- public static final String AAF_TAF_CLASS = "aaf_taf_class";
- public static final String AAF_CONNECTOR_CLASS = "aaf_connector_class";
- public static final String AAF_LOCATOR_CLASS = "aaf_locator_class";
- public static final String AAF_CONN_TIMEOUT = "aaf_conn_timeout";
- public static final String AAF_CONN_TIMEOUT_DEF = "3000";
- public static final String AAF_READ_TIMEOUT = "aaf_timeout";
- public static final String AAF_READ_TIMEOUT_DEF = "5000";
- public static final String AAF_USER_EXPIRES = "aaf_user_expires";
- public static final String AAF_USER_EXPIRES_DEF = "600000"; // Default is 10 mins
- public static final String AAF_CLEAN_INTERVAL = "aaf_clean_interval";
- public static final String AAF_CLEAN_INTERVAL_DEF = "30000"; // Default is 30 seconds
- public static final String AAF_REFRESH_TRIGGER_COUNT = "aaf_refresh_trigger_count";
- public static final String AAF_REFRESH_TRIGGER_COUNT_DEF = "3"; // Default is 10 mins
-
- public static final String AAF_HIGH_COUNT = "aaf_high_count";
- public static final String AAF_HIGH_COUNT_DEF = "1000"; // Default is 1000 entries
- public static final String AAF_PERM_MAP = "aaf_perm_map";
- public static final String AAF_DEPLOYED_VERSION = "DEPLOYED_VERSION";
- public static final String AAF_CERT_IDS = "aaf_cert_ids";
- public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited
-
- public static final String GW_URL = "gw_url";
- public static final String CM_URL = "cm_url";
- public static final String CM_TRUSTED_CAS = "cm_trusted_cas";
-
- public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern";
- public static final String PATHFILTER_STACK = "pathfilter_stack";
- public static final String PATHFILTER_NS = "pathfilter_ns";
- public static final String PATHFILTER_NOT_AUTHORIZED_MSG = "pathfilter_not_authorized_msg";
-
- public static final String AFT_DME2_TRUSTSTORE_PASSWORD = "AFT_DME2_TRUSTSTORE_PASSWORD";
- public static final String AFT_DME2_TRUSTSTORE = "AFT_DME2_TRUSTSTORE";
- public static final String AFT_DME2_KEYSTORE_PASSWORD = "AFT_DME2_KEYSTORE_PASSWORD";
- public static final String AFT_DME2_KEY_PASSWORD = "AFT_DME2_KEY_PASSWORD";
- public static final String AFT_DME2_KEYSTORE = "AFT_DME2_KEYSTORE";
- public static final String AFT_DME2_SSL_TRUST_ALL = "AFT_DME2_SSL_TRUST_ALL";
- public static final String AFT_DME2_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_SSL_INCLUDE_PROTOCOLS";
-
-
- // DME2 Client. First property must be set to "false", and the others set in order to use SSL Client
- public static final String AFT_DME2_CLIENT_IGNORE_SSL_CONFIG="AFT_DME2_CLIENT_IGNORE_SSL_CONFIG";
- public static final String AFT_DME2_CLIENT_KEYSTORE = "AFT_DME2_CLIENT_KEYSTORE";
- public static final String AFT_DME2_CLIENT_KEYSTORE_PASSWORD = "AFT_DME2_CLIENT_KEYSTORE_PASSWORD";
- public static final String AFT_DME2_CLIENT_TRUSTSTORE = "AFT_DME2_CLIENT_TRUSTSTORE";
- public static final String AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD = "AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD";
- public static final String AFT_DME2_CLIENT_SSL_CERT_ALIAS = "AFT_DME2_CLIENT_SSL_CERT_ALIAS";
- public static final String AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS";
-
-
- // This one should go unpublic
- public static final String AAF_DEFAULT_REALM = "aaf_default_realm";
- private static String defaultRealm="none";
-
- public static final String AAF_DOMAIN_SUPPORT = "aaf_domain_support";
- //public static final String AAF_DOMAIN_SUPPORT_DEF = ".com";
- public static final String AAF_DOMAIN_SUPPORT_DEF = ".org";
-
-
- public static void setDefaultRealm(Access access) throws CadiException {
- try {
- boolean hasCSP;
- try {
- Class.forName("com.att.cadi.taf.csp.CSPTaf");
- hasCSP=true;
- } catch(ClassNotFoundException
e) { - hasCSP = logProp(access,Config.CSP_DOMAIN, null)!=null; - } - defaultRealm = logProp(access,Config.AAF_DEFAULT_REALM, - hasCSP?"csp.att.com": - logProp(access,Config.BASIC_REALM, - logProp(access,HOSTNAME,InetAddress.getLocalHost().getHostName()) - ) - ); - } catch (UnknownHostException e) { - //defaultRealm="none"; - } - } - - - public static HttpTaf configHttpTaf(Access access, TrustChecker tc, CredVal up, Lur lur, Object ... additionalTafLurs) throws CadiException { - ///////////////////////////////////////////////////// - // Setup AAFCon for any following - ///////////////////////////////////////////////////// - Object aafcon = null; - if(lur != null) { - Field f = null; - try { - f = lur.getClass().getField("aaf"); - aafcon = f.get(lur); - } catch (Exception nsfe) { - } - } - // IMPORTANT! Don't attempt to load AAF Connector if there is no AAF URL - String aafURL = access.getProperty(AAF_URL,null); - if(aafcon==null && aafURL!=null) { - aafcon = loadAAFConnector(access, aafURL); - } - - HttpTaf taf; - // Setup Host, in case Network reports an unusable Hostname (i.e. VTiers, VPNs, etc) - String hostname = logProp(access, HOSTNAME,null); - if(hostname==null) { - try { - hostname = InetAddress.getLocalHost().getHostName(); - } catch (UnknownHostException e1) { - throw new CadiException("Unable to determine Hostname",e1); - } - } - - access.log(Level.INIT, "Hostname set to",hostname); - // Get appropriate TAFs - ArrayList htlist = new ArrayList(); - - ///////////////////////////////////////////////////// - // Add a Denial of Service TAF - // Note: how IPs and IDs are added are up to service type. 
- // They call "DenialOfServiceTaf.denyIP(String) or denyID(String) - ///////////////////////////////////////////////////// - htlist.add(new DenialOfServiceTaf(access)); - - ///////////////////////////////////////////////////// - // Configure LocalHost - ///////////////////////////////////////////////////// - - String truststore = logProp(access, CADI_TRUSTSTORE, access.getProperty("AFT_DME2_TRUSTSTORE", null)); - if(truststore!=null) { - String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD, access.getProperty("AFT_DME2_TRUSTSTORE_PASSWORD",null)); - if(truststore_pwd!=null) { - if(truststore_pwd.startsWith(Symm.ENC)) { - try { - truststore_pwd = access.decrypt(truststore_pwd,false); - } catch (IOException e) { - throw new CadiException(CADI_TRUSTSTORE_PASSWORD + " cannot be decrypted",e); - } - } - try { - htlist.add(new X509Taf(access,lur)); - access.log(Level.INIT,"Certificate Authorization enabled"); - } catch (SecurityException e) { - access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e); - } catch (IllegalArgumentException e) { - access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. 
Certificate Authorization is now disabled",e); - } catch (CertificateException e) { - access.log(Level.INIT,"Certificate Authorization failed, it is disabled",e); - } catch (NoSuchAlgorithmException e) { - access.log(Level.INIT,"Certificate Authorization failed, wrong Security Algorithm",e); - } - } - } else { - access.log(Level.INIT,"Certificate Authorization not enabled"); - } - - ///////////////////////////////////////////////////// - // Configure Basic Auth (local content) - ///////////////////////////////////////////////////// - String basic_realm = logProp(access, BASIC_REALM,null); - boolean basic_warn = "TRUE".equals(access.getProperty(BASIC_WARN,"FALSE")); - if(basic_realm!=null && up!=null) { - access.log(Level.INIT,"Basic Authorization is enabled using realm",basic_realm); - // Allow warning about insecure channel to be turned off - if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.", - " There will be no additional warning if Basic Auth is used on an insecure channel" - ); - String aafCleanup = logProp(access, AAF_USER_EXPIRES,AAF_USER_EXPIRES_DEF); // Default is 10 mins - long userExp = Long.parseLong(aafCleanup); - - htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn)); - } else { - access.log(Level.INIT,"Local Basic Authorization is disabled. Enable by setting basic_realm="); - } - - ///////////////////////////////////////////////////// - // Configure AAF Driven Basic Auth - ///////////////////////////////////////////////////// - boolean getRemoteAAF = true; - if(additionalTafLurs!=null) { - for(Object o : additionalTafLurs) { - if(o.getClass().getSimpleName().equals("DirectAAFLur")) { - getRemoteAAF = false; - break; - } - } - } - HttpTaf aaftaf=null; - if(getRemoteAAF) { - if(aafcon==null) { - access.log(Level.INIT,"AAF Connection (AAFcon) is null. 
Cannot create an AAF TAF"); - } else if(aafURL==null) { - access.log(Level.INIT,"No AAF URL in properties, Cannot create an AAF TAF"); - } else {// There's an AAF_URL... try to configure an AAF - String defName = aafURL.contains("version=2.0")?"com.att.cadi.aaf.v2_0.AAFTaf":""; - String aafTafClassName = logProp(access, AAF_TAF_CLASS,defName); - // Only 2.0 available at this time - if("com.att.cadi.aaf.v2_0.AAFTaf".equals(aafTafClassName)) { - try { - Class aafTafClass = loadClass(access,aafTafClassName); - Class aafConClass = loadClass(access,"com.att.cadi.aaf.v2_0.AAFCon"); - - Constructor cstr = aafTafClass.getConstructor(aafConClass,boolean.class,AbsUserCache.class); - if(cstr!=null) { - aaftaf = (HttpTaf)cstr.newInstance(aafcon,basic_warn,lur); - if(aaftaf==null) { - access.log(Level.INIT,"ERROR! AAF TAF Failed construction. NOT Configured"); - } else { - access.log(Level.INIT,"AAF TAF Configured to ",aafURL); - // Note: will add later, after all others configured - } - } - } catch(Exception e) { - access.log(Level.INIT,"ERROR! AAF TAF Failed construction. NOT Configured"); - } - } - } - } - - - String alias = logProp(access, CADI_ALIAS,null); - - ///////////////////////////////////////////////////// - // Configure tGuard... (AT&T Client Repo) - ///////////////////////////////////////////////////// - // TGUARD Environment, translated to any other remote Environment validation mechanism... - String tGuard_domain = logProp(access, TGUARD_DOMAIN,null); - String tGuard_env = logProp(access, TGUARD_ENV, null); - - if(!("PROD".equals(tGuard_env) || "STAGE".equals(tGuard_env))) { - access.log(Level.INIT, "tGuard Authorization is disabled. 
Enable by setting", TGUARD_ENV, "to \"PROD\" or \"STAGE\""); - } else if(tGuard_domain==null) { - access.log(Level.INIT,TGUARD_DOMAIN + " must be set: tGuard Authorization is disabled."); - } else if(alias == null) { - access.log(Level.INIT,CADI_ALIAS + " must be set: tGuard Authorization is disabled."); - } else { - try { - Class tGuardClass = loadClass(access,"com.att.cadi.tguard.TGuardHttpTaf"); - if(aaftaf!=null) { - Constructor tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, AbsUserCache.class}); - htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] {access,aaftaf})); - access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain"); - } else { - Constructor tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, int.class, int.class, int.class}); - htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] { - access, - Integer.parseInt(logProp(access, AAF_CLEAN_INTERVAL,AAF_CLEAN_INTERVAL_DEF)), - Integer.parseInt(logProp(access, AAF_HIGH_COUNT, AAF_HIGH_COUNT_DEF)), - Integer.parseInt(logProp(access, AAF_REFRESH_TRIGGER_COUNT, AAF_REFRESH_TRIGGER_COUNT_DEF)) - })); - access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain"); - } - } catch(Exception e) { - access.log(e, Level.INIT,"tGuard Class cannot be loaded: tGuard Authorization is disabled."); - } - } - - ///////////////////////////////////////////////////// - // Adding BasicAuth (AAF) last, after other primary Cookie Based - // Needs to be before Cert... 
see below - ///////////////////////////////////////////////////// - if(aaftaf!=null) { - htlist.add(aaftaf); - } - - - ///////////////////////////////////////////////////// - // Any Additional Lurs passed in Constructor - ///////////////////////////////////////////////////// - if(additionalTafLurs!=null) { - for(Object additional : additionalTafLurs) { - if(additional instanceof HttpTaf) { - htlist.add((HttpTaf)additional); - access.log(Level.INIT,additional); - } - } - } - - ///////////////////////////////////////////////////// - // Create EpiTaf from configured TAFs - ///////////////////////////////////////////////////// - if(htlist.size()==1) { - // just return the one - taf = htlist.get(0); - } else { - HttpTaf[] htarray = new HttpTaf[htlist.size()]; - htlist.toArray(htarray); - Locator locator = loadLocator(access, logProp(access, CADI_LOGINPAGE_URL, null)); - - taf = new HttpEpiTaf(access,locator, tc, htarray); // ok to pass locator == null - String level = logProp(access, CADI_LOGLEVEL, null); - if(level!=null) { - access.setLogLevel(Level.valueOf(level)); - } - } - - return taf; - } - - public static String logProp(Access access,String tag, String def) { - String rv = access.getProperty(tag, def); - if(rv == null) { - access.log(Level.INIT,tag,"is not set"); - } else { - access.log(Level.INIT,tag,"is set to",rv); - } - return rv; - } - - public static Lur configLur(Access access, Object ... additionalTafLurs) throws CadiException { - List lurs = new ArrayList(); - - ///////////////////////////////////////////////////// - // Configure a Local Property Based RBAC/LUR - ///////////////////////////////////////////////////// - try { - String users = access.getProperty(USERS,null); - String groups = access.getProperty(GROUPS,null); - - if(groups!=null || users!=null) { - LocalLur ll; - lurs.add(ll = new LocalLur(access, users, groups)); // note b64==null is ok.. just means no encryption. 
- - String writeto = access.getProperty(WRITE_TO,null); - if(writeto!=null) { - String msg = UsersDump.updateUsers(writeto, ll); - if(msg!=null) access.log(Level.INIT,"ERROR! Error Updating ",writeto,"with roles and users:",msg); - } - } - } catch (IOException e) { - throw new CadiException(e); - } - - ///////////////////////////////////////////////////// - // Configure the AAF Lur (if any) - ///////////////////////////////////////////////////// - String aafURL = logProp(access,AAF_URL,null); // Trigger Property - String aaf_env = access.getProperty(AAF_ENV,null); - if(aaf_env == null && aafURL!=null && access instanceof PropAccess) { // set AAF_ENV from AAF_URL - int ec = aafURL.indexOf("envContext="); - if(ec>0) { - ec += 11; // length of envContext= - int slash = aafURL.indexOf('/', ec); - if(slash>0) { - aaf_env = aafURL.substring(ec, slash); - ((PropAccess)access).setProperty(AAF_ENV, aaf_env); - access.printf(Level.INIT, "Setting aaf_env to %s from aaf_url value",aaf_env); - } - } - } - - if(aafURL==null) { - access.log(Level.INIT,"No AAF LUR properties, AAF will not be loaded"); - } else {// There's an AAF_URL... try to configure an AAF - String aafLurClassStr = logProp(access,AAF_LUR_CLASS,"com.att.cadi.aaf.v2_0.AAFLurPerm"); - ////////////AAF Lur 2.0 ///////////// - if(aafLurClassStr.startsWith("com.att.cadi.aaf.v2_0")) { - try { - Object aafcon = loadAAFConnector(access, aafURL); - if(aafcon==null) { - access.log(Level.INIT,"AAF LUR class,",aafLurClassStr,"cannot be constructed without valid AAFCon object."); - } else { - Class aafAbsAAFCon = loadClass(access, "com.att.cadi.aaf.v2_0.AAFCon"); - Method mNewLur = aafAbsAAFCon.getMethod("newLur"); - Object aaflur = mNewLur.invoke(aafcon); - - if(aaflur==null) { - access.log(Level.INIT,"ERROR! AAF LUR Failed construction. 
NOT Configured"); - } else { - access.log(Level.INIT,"AAF LUR Configured to ",aafURL); - lurs.add((Lur)aaflur); - String debugIDs = logProp(access,Config.AAF_DEBUG_IDS, null); - if(debugIDs !=null && aaflur instanceof CachingLur) { - ((CachingLur)aaflur).setDebug(debugIDs); - } - } - } - } catch (Exception e) { - access.log(e,"AAF LUR class,",aafLurClassStr,"could not be constructed with given Constructors."); - } - } - } - - ///////////////////////////////////////////////////// - // Any Additional passed in Constructor - ///////////////////////////////////////////////////// - if(additionalTafLurs!=null) { - for(Object additional : additionalTafLurs) { - if(additional instanceof Lur) { - lurs.add((Lur)additional); - access.log(Level.INIT, additional); - } - } - } - - ///////////////////////////////////////////////////// - // Return a Lur based on how many there are... - ///////////////////////////////////////////////////// - switch(lurs.size()) { - case 0: - access.log(Level.INIT,"WARNING! No CADI LURs configured"); - // Return a NULL Lur that does nothing. 
- return new NullLur(); - case 1: - return lurs.get(0); // Only one, just return it, save processing - default: - // Multiple Lurs, use EpiLUR to handle - Lur[] la = new Lur[lurs.size()]; - lurs.toArray(la); - return new EpiLur(la); - } - } - - private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2 = "com.att.cadi.aaf.v2_0.AAFConDME2"; - private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP = "com.att.cadi.aaf.v2_0.AAFConHttp"; - public static Object loadAAFConnector(Access access, String aafURL) { - Object aafcon = null; - Class aafConClass = null; - - try { - if(aafURL!=null) { - String aafConnector = access.getProperty(AAF_CONNECTOR_CLASS, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP); - if(COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2.equals(aafConnector) || aafURL.contains("/service=")) { - aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2); - if(aafConClass!=null) { - Constructor cons = aafConClass.getConstructor(PropAccess.class); - aafcon = cons.newInstance(access); - } else { - access.log(Level.ERROR, "URL contains '/service=', which requires DME2"); - } - } else if(COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP.equals(aafConnector)) { - aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP); - for(Constructor c : aafConClass.getConstructors()) { - List lo = new ArrayList(); - for(Class pc : c.getParameterTypes()) { - if(pc.equals(PropAccess.class)) { - lo.add(access); - } else if(pc.equals(Locator.class)) { - lo.add(loadLocator(access, aafURL)); - } else { - continue; - } - } - if(c.getParameterTypes().length!=lo.size()) { - continue; // back to another Constructor - } else { - aafcon = c.newInstance(lo.toArray()); - } - break; - } - } - if(aafcon!=null) { - String mechid = logProp(access,Config.AAF_MECHID, null); - String pass = access.getProperty(Config.AAF_MECHPASS, null); - if(mechid!=null && pass!=null) { - try { - Method basicAuth = aafConClass.getMethod("basicAuth", String.class, String.class); - basicAuth.invoke(aafcon, mechid,pass); 
- } catch (NoSuchMethodException nsme) { - // it's ok, don't use - } - } - } - } - } catch (Exception e) { - access.log(e,"AAF Connector could not be constructed with given Constructors."); - } - - return aafcon; - } - - public static Class loadClass(Access access, String className) { - Class cls=null; - try { - cls = access.classLoader().loadClass(className); - } catch (ClassNotFoundException cnfe) { - try { - cls = access.getClass().getClassLoader().loadClass(className); - } catch (ClassNotFoundException cnfe2) { - // just return null - } - } - return cls; - } - - @SuppressWarnings("unchecked") - public static Locator loadLocator(Access access, String url) { - Locator locator = null; - if(url==null) { - access.log(Level.INIT,"No URL for AAF Login Page. Disabled"); - } else { - if(url.contains("DME2RESOLVE")) { - try { - Class lcls = loadClass(access,"com.att.cadi.locator.DME2Locator"); - Class dmcls = loadClass(access,"com.att.aft.dme2.api.DME2Manager"); - Constructor cnst = lcls.getConstructor(new Class[] {Access.class,dmcls,String.class}); - locator = (Locator)cnst.newInstance(new Object[] {access,null,url}); - access.log(Level.INFO, "DME2Locator enabled with " + url); - } catch (Exception e) { - access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires DME2. It is now disabled",e); - } - } else { - try { - Class cls = loadClass(access,"com.att.cadi.locator.PropertyLocator"); - Constructor cnst = cls.getConstructor(new Class[] {String.class}); - locator = (Locator)cnst.newInstance(new Object[] {url}); - access.log(Level.INFO, "PropertyLocator enabled with " + url); - } catch (Exception e) { - access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires PropertyLocator. It is now disabled",e); - } - } - } - return locator; - } - - /* - * DME2 can only read Passwords as clear text properties. 
Leaving in "System Properties" un-encrypted exposes these passwords - */ - public static class PasswordRemoval extends TimerTask { - private Access access; - - private final List pws; - - public PasswordRemoval(Access access) { - this.access = access; - pws = new ArrayList(); - } - - @Override - public void run() { - for(String key:pws) { - access.log(Level.INIT, "Scrubbing " + key); - System.clearProperty(key); - } - } - public void add(String key) { - pws.add(key); - } - } - - private static final String Y = "Y"; - - private static String[][] CONVERTER_STRINGS=new String[][] { - {AFT_DME2_KEYSTORE,CADI_KEYSTORE,null}, - {AFT_DME2_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null}, - {AFT_DME2_KEY_PASSWORD,CADI_KEY_PASSWORD,null}, - {AFT_DME2_TRUSTSTORE,CADI_TRUSTSTORE,null}, - {AFT_DME2_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null}, - {AFT_DME2_CLIENT_KEYSTORE,CADI_KEYSTORE,null}, - {AFT_DME2_CLIENT_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null}, - {AFT_DME2_CLIENT_TRUSTSTORE,CADI_TRUSTSTORE,null}, - {AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null}, - {AFT_DME2_CLIENT_SSL_CERT_ALIAS,CADI_ALIAS,null}, - {AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null}, - {"AFT_DME2_HOSTNAME",HOSTNAME,null}, - {"AFT_LATITUDE",null,Y}, - {"AFT_LONGITUDE",null,Y}, - {"AFT_ENVIRONMENT",null,Y}, - {"SCLD_PLATFORM",null,Y}, - {"DME2_EP_REGISTRY_CLASS",null,Y},// for Developer local access - {"AFT_DME2_EP_REGISTRY_FS_DIR",null,Y}, - {"DME2.DEBUG",null,null}, - {"AFT_DME2_HTTP_EXCHANGE_TRACE_ON",null,null}, - {"AFT_DME2_SSL_ENABLE",null,null}, - {"AFT_DME2_SSL_WANT_CLIENT_AUTH",null,null}, - {AFT_DME2_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null}, - {"AFT_DME2_SSL_VALIDATE_CERTS",null,null}, - {AFT_DME2_CLIENT_IGNORE_SSL_CONFIG,null,null}, - {"https.protocols",CADI_PROTOCOLS,Y}, - }; - - - - public static Properties getDME2Props(PropAccess access) { - Properties dprops = new Properties(); - String value = null; - boolean reqClientConfig = false; - for(String[] 
row : CONVERTER_STRINGS) { - value = access.getProperty(row[0],null); - if(value==null) { - value = System.getProperty(row[0]); - if(value==null && row[1]!=null) { - value = access.getProperty(row[1],null); - if(value == null) { - value = System.getProperty(row[1]); - } - } - } - if(value!=null) { - if(row[0].contains("_SSL_")) { - reqClientConfig = true; - } - if(row[0].startsWith("AFT") || row[0].startsWith("SCLD") || row[0].contains("DME2")) { - if(value.startsWith("enc:")) { - try { - value = access.decrypt(value, true); - } catch (IOException e) { - access.log(Level.ERROR, e); - } - System.setProperty(row[0], value); - } else if(Y.equals(row[2])) { - System.setProperty(row[0], value); - dprops.setProperty(row[0], value); - } else if(row[0].contains("PASSWORD") || row[0].contains("STORE")) { - System.setProperty(row[0], value); - } else { - dprops.setProperty(row[0], value); - } - } - - } - - } - - Properties sprops = System.getProperties(); - if(reqClientConfig && sprops.getProperty(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG)==null) { - sprops.put(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG, "false"); - replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE,AFT_DME2_TRUSTSTORE); - replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE_PASSWORD,AFT_DME2_TRUSTSTORE_PASSWORD); - replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE,AFT_DME2_CLIENT_TRUSTSTORE); - replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE_PASSWORD,AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD); - } - - if(sprops.getProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS)==null) { - sprops.setProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT)); - } - - if(sprops.getProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS)==null) { - sprops.setProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT)); - } - - if(access.willLog(Level.DEBUG)) { - if(access instanceof PropAccess) { - access.log(Level.DEBUG,"Access Properties"); - for(Entry es : 
((PropAccess)access).getProperties().entrySet()) { - access.printf(Level.DEBUG," %s=%s",es.getKey().toString(),es.getValue().toString()); - } - } - access.log(Level.DEBUG,"DME2 Properties()"); - for(Entry es : dprops.entrySet()) { - value = es.getValue().toString(); - if(es.getKey().toString().contains("PASS")) { - if(value==null || !value.contains("enc:")) { - value = HIDE_PASS; - } - } - access.printf(Level.DEBUG," %s=%s",es.getKey().toString(),value); - } - - access.log(Level.DEBUG,"System (AFT) Properties"); - for(Entry es : System.getProperties().entrySet()) { - if(es.getKey().toString().startsWith("AFT")) { - value = es.getValue().toString(); - if(es.getKey().toString().contains("PASS")) { - if(value==null || !value.contains("enc:")) { - value = HIDE_PASS; - } - } - access.printf(Level.DEBUG," %s=%s",es.getKey().toString(),value); - } - } - } - // Cover any not specific AFT props - String key; - for(Entry es : access.getProperties().entrySet()) { - if((key=es.getKey().toString()).startsWith("AFT_") && - !key.contains("PASSWORD") && - dprops.get(key)==null) { - dprops.put(key, es.getValue()); - } - } - return dprops; - } - - private static void replaceKeyWithTrust(Properties props, String ks, String ts) { - String value; - if(props.get(ks)==null && (value=props.getProperty(ts))!=null) { - props.put(ks,value); - props.remove(ts); - } - } - // Set by CSP, or is hostname. - public static String getDefaultRealm() { - return defaultRealm; - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/config/Get.java b/core/src/main/java/org/onap/aaf/cadi/config/Get.java deleted file mode 100644 index ea06c87..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/config/Get.java +++ /dev/null 
@@ -1,97 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.config;
-
-import java.lang.reflect.Method;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.Access.Level;
-
-public interface Get {
- public String get(String name, String def, boolean print);
-
-
- /**
- * A class for Getting info out of "JavaBean" format
- *
- */
- public static class Bean implements Get {
- private Object bean;
- private Class bc;
- private Class[] params;
- private Object[] args;
-
- public Bean(Object bean) {
- this.bean = bean;
- bc = bean.getClass();
- params = new Class[0]; // note, this will allow to go out of scope after config
- args = new Object[0];
- }
-
- public String get(String name, String def, boolean print) {
- String str = null;
- String gname = "get"+Character.toUpperCase(name.charAt(0))+name.substring(1);
- try {
- Method meth = bc.getMethod(gname, params);
- Object obj = meth.invoke(bean, args);
- str = obj==null?null:obj.toString(); // easy string convert...
- } catch (Exception e) {
- }
-
- // Take def if nothing else
- if(str==null) {
- str = def;
- // don't log defaults
- } else {
- str = str.trim(); // this is vital in Property File based values, as spaces can hide easily
- }
- // Note: Can't log during configuration
- return str;
- }
- }
-
- public static Get NULL = new Get() {
- public String get(String name, String def, boolean print) {
- return def;
- }
- };
-
- public static class AccessGet implements Get {
- private Access access;
- public AccessGet(Access access) {
- this.access = access;
- }
- public String get(String name, String def, boolean print) {
- String gotten = access.getProperty(name, def);
- if(print) {
- if(gotten == null) {
- access.log(Level.INIT,name, "is not set");
- } else {
- access.log(Level.INIT,name, "is set to", gotten);
- }
- }
- return gotten;
- }
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java b/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java
deleted file mode 100644
index dc5e4ef..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.config;
-
-import org.onap.aaf.cadi.PropAccess;
-
-public class GetAccess extends PropAccess {
- private final Get getter;
-
- public GetAccess(Get getter) {
- super(new String[]{"cadi_prop_files="+getter.get("cadi_prop_files", null, true)});
- this.getter = getter;
- }
-
- /* (non-Javadoc)
- * @see com.att.cadi.PropAccess#getProperty(java.lang.String, java.lang.String)
- */
- @Override
- public String getProperty(String tag, String def) {
- String rv;
- rv = super.getProperty(tag, null);
- if(rv==null && getter!=null) {
- rv = getter.get(tag, null, true);
- }
- return rv==null?def:rv;
- }
- /* (non-Javadoc)
- * @see com.att.cadi.PropAccess#getProperty(java.lang.String)
- */
- @Override
- public String getProperty(String tag) {
- String rv;
- rv = super.getProperty(tag, null);
- if(rv==null && getter!=null) {
- rv = getter.get(tag, null, true);
- }
- return rv;
- }
-
- public Get get() {
- return getter;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java b/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java
deleted file mode 100644
index 551018c..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.config;
-
-public class MultiGet implements Get {
- private Get[] getters;
-
- public MultiGet(Get ... getters) {
- this.getters = getters;
- }
-
- @Override
- public String get(String name, String def, boolean print) {
- String str;
- for(Get getter : getters) {
- str = getter.get(name, null, print);
- if(str!=null)
- return str;
- }
- return def;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java b/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java
deleted file mode 100644
index 4301d53..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java
+++ /dev/null
@@ -1,243 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.config;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.rmi.AccessException;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509KeyManager;
-import javax.net.ssl.X509TrustManager;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.util.MaskFormatException;
-import org.onap.aaf.cadi.util.NetMask;
-
-public class SecurityInfo {
- private static final String SECURITY_ALGO = "RSA";
- private static final String HTTPS_PROTOCOLS = "https.protocols";
- private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols";
-
- public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";
- public static final String REGEX_COMMA = "\\s*,\\s*";
- public static final String SslKeyManagerFactoryAlgorithm;
-
- private SSLSocketFactory scf;
- private X509KeyManager[] km;
- private X509TrustManager[] tm;
- public final String default_alias;
- private NetMask[] trustMasks;
- private SSLContext ctx;
- private HostnameVerifier maskHV;
-
- // Change Key Algorithms for IBM's VM. Could put in others, if needed.
- static { - if(System.getProperty("java.vm.vendor").equalsIgnoreCase("IBM Corporation")) { - SslKeyManagerFactoryAlgorithm = "IbmX509"; - } else { - SslKeyManagerFactoryAlgorithm = "SunX509"; - } - } - - - public SecurityInfo(final Access access) throws GeneralSecurityException, IOException { - // reuse DME2 Properties for convenience if specific Properties don't exist - String keyStore = access.getProperty(Config.CADI_KEYSTORE, - access.getProperty(Config.AFT_DME2_KEYSTORE,null)); - String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD, - access.getProperty(Config.AFT_DME2_KEYSTORE_PASSWORD, null)); - keyStorePasswd = keyStorePasswd==null?null:access.decrypt(keyStorePasswd,false); - String trustStore = access.getProperty(Config.CADI_TRUSTSTORE, - access.getProperty(Config.AFT_DME2_TRUSTSTORE, null)); - String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD, - access.getProperty(Config.AFT_DME2_TRUSTSTORE_PASSWORD,null)); - trustStorePasswd = trustStorePasswd==null?null:access.decrypt(trustStorePasswd,false); - default_alias = access.getProperty(Config.CADI_ALIAS, - access.getProperty(Config.AFT_DME2_CLIENT_SSL_CERT_ALIAS,null)); - - String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD,null); - keyPasswd = keyPasswd==null?keyStorePasswd:access.decrypt(keyPasswd,false); - String tips=access.getProperty(Config.CADI_TRUST_MASKS, null); - if(tips!=null) { - access.log(Level.INIT,"Explicitly accepting valid X509s from",tips); - String[] ipsplit = tips.split(REGEX_COMMA); - trustMasks = new NetMask[ipsplit.length]; - for(int i=0;i kmal = new ArrayList(); - for(String ksname : keyStore.split(REGEX_COMMA)) { - file = new File(ksname); - String keystoreFormat; - if(ksname.endsWith("pkcs12")) { - keystoreFormat = "PKCS12"; - } else { - keystoreFormat = "JKS"; - } - if(file.exists()) { - FileInputStream fis = new FileInputStream(file); - try { - KeyStore ks = KeyStore.getInstance(keystoreFormat); - ks.load(fis, 
keyStorePasswd.toCharArray()); - kmf.init(ks, keyPasswd.toCharArray()); - } finally { - fis.close(); - } - } - } - for(KeyManager km : kmf.getKeyManagers()) { - if(km instanceof X509KeyManager) { - kmal.add((X509KeyManager)km); - } - } - km = new X509KeyManager[kmal.size()]; - kmal.toArray(km); - } - - TrustManagerFactory tmf = TrustManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm); - if(trustStore!=null) { - for(String tsname : trustStore.split(REGEX_COMMA)) { - file = new File(tsname); - if(file.exists()) { - FileInputStream fis = new FileInputStream(file); - try { - KeyStore ts = KeyStore.getInstance("JKS"); - ts.load(fis, trustStorePasswd.toCharArray()); - tmf.init(ts); - } finally { - fis.close(); - } - } - } - TrustManager tms[] = tmf.getTrustManagers(); - tm = new X509TrustManager[tms==null?0:tms.length]; - for(int i=0;i extends SecurityInfo { - public SecuritySetter defSS; - - public SecurityInfoC(Access access) throws GeneralSecurityException, IOException { - super(access); - } - - public SecurityInfoC set(SecuritySetter defSS) { - this.defSS = defSS; - return this; - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java b/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java deleted file mode 100644 index e0893e6..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java +++ /dev/null 
@@ -1,158 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.config; - -import java.io.ByteArrayOutputStream; -import java.io.File; -import java.io.FileInputStream; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.OutputStream; -import java.io.PrintStream; -import java.util.Date; -import java.util.HashSet; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.lur.LocalLur; - -public class UsersDump { - - /** - * @param args - */ - public static boolean write(OutputStream os, AbsUserCache lur) { - PrintStream ps; - if(os instanceof PrintStream) { - ps = (PrintStream)os; - } else { - ps = new PrintStream(os); - } - try { - ps.println(""); - ps.println(""); - ps.println(""); - - // We loop through Users, but want to write Groups first... therefore, save off print - StringBuilder sb = new StringBuilder(); - - // Obtain all unique role names - HashSet groups = new HashSet(); - for(AbsUserCache.DumpInfo di : lur.dumpInfo()) { - sb.append("\n "); - - } - - // Print roles - for(String group : groups) { - ps.print(" "); - } - - ps.println(sb); - - ps.println(""); - ps.flush(); - } catch (Throwable t) { - t.printStackTrace(ps); - return false; - } - return true; - } - - /** - * - * Note: This method returns a String if there's an error, or null if ok. - * This unusual style is necessitated by the fact that any Exceptions thrown are likely to - * be unlogged and hidden from view, making debugging almost impossible. 
- * - * @param writeto - * @param up - * @return - */ - public static String updateUsers(String writeto, LocalLur up) { - // Dump a Tomcat-user.xml lookalike (anywhere) - if(writeto!=null) { - // First read content - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - if(UsersDump.write(baos, up)) { - byte[] postulate = baos.toByteArray(); - // now get contents of file - File file = new File(writeto); - boolean writeIt; - if(file.exists()) { - try { - FileInputStream fis = new FileInputStream(file); - byte[] orig = new byte[(int)file.length()]; - try { - fis.read(orig); - } finally { - fis.close(); - } - // Starting at third "<" ( line) - int startA=0, startB=0; - for(int i=0;startA value(); -} diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java b/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java deleted file mode 100644 index 871dee3..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java +++ /dev/null 
@@ -1,100 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.filter;
-
-import java.io.IOException;
-
-import javax.servlet.Servlet;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- *
- *
- */
-public class AUTHZServlet implements Servlet {
- private String[] roles;
- private Servlet delegate;
-
- protected AUTHZServlet(Class cls) {
- try {
- delegate = cls.newInstance();
- } catch (Exception e) {
- delegate = null;
- }
- RolesAllowed rolesAllowed = cls.getAnnotation(RolesAllowed.class);
- if(rolesAllowed == null) {
- roles = null;
- } else {
- roles = rolesAllowed.value();
- }
- }
-
- public void init(ServletConfig sc) throws ServletException {
- if(delegate == null) throw new ServletException("Invalid Servlet Delegate");
- delegate.init(sc);
- }
-
- public ServletConfig getServletConfig() {
- return delegate.getServletConfig();
- }
-
- public String getServletInfo() {
- return delegate.getServletInfo();
- }
-
- public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
- if(roles==null) {
- delegate.service(req,resp);
- } else { // Validate
- try {
- HttpServletRequest hreq = (HttpServletRequest)req;
- boolean proceed = false;
- for(String role : roles) {
- if(hreq.isUserInRole(role)) {
- proceed = true;
- break;
- }
- }
- if(proceed) {
- delegate.service(req,resp);
- } else {
- //baseRequest.getServletContext().log(hreq.getUserPrincipal().getName()+" Refused " + roles);
- ((HttpServletResponse)resp).sendError(403); // forbidden
- }
- } catch(ClassCastException e) {
- throw new ServletException("JASPIServlet only supports HTTPServletRequest/HttpServletResponse");
- }
- }
- }
-
- public void destroy() {
- delegate.destroy();
- }
-
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java b/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java
deleted file mode 100644
index 596afd2..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.filter;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.config.Get;
-
-public class AccessGetter implements Get {
- private final Access access;
- public AccessGetter(Access access) {
- this.access = access;
- }
- public String get(String name, String def, boolean print) {
- return access.getProperty(name, def);
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/CadiAccess.java b/core/src/main/java/org/onap/aaf/cadi/filter/CadiAccess.java
deleted file mode 100644
index 2ccd29a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/filter/CadiAccess.java
+++ /dev/null
@@ -1,243 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.filter;
-
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Properties;
-
-import javax.servlet.ServletContext;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.config.Get;
-
-public class CadiAccess implements Access {
- // constants for a couple of very commonly used strings.
- protected static final String FROM = "from";
- protected static final String FOR = "for";
-
- // Properties derived from sources (could be property files, Valve Configurations, Filter
- // configs, etc.
- protected Properties props; - - // Will we write Logs? - protected Level willWrite = Level.INFO; - - protected ServletContext context; - protected Get getter = Get.NULL; // replace with Derived Class getter - private Symm symm; - - public CadiAccess(Map map) { - if(map!=null && !map.isEmpty()) { - props = new Properties(); - for(Entry es : map.entrySet()) { - Object v = es.getValue(); - if(v!=null) { - props.put(es.getKey(), v.toString()); - } - } - Object keyfile = props.get(Config.CADI_KEYFILE); - if(keyfile!=null) { - try { - FileInputStream fis = new FileInputStream(keyfile.toString()); - symm = Symm.obtain(fis); - } catch (Exception e) { - } - } - - } - } - - public Level willWrite() { - return willWrite; - } - - /* (non-Javadoc) - * @see com.att.cadi.Access#willLog(com.att.cadi.Access.Level) - */ - @Override - public boolean willLog(Level level) { - return willWrite.compareTo(level)<=0; - } - - /** - * Add the "Level" to the Buildline for Logging types that don't specify, or straight Streams, etc. Then buildline - * - * Build a line of code onto a StringBuilder based on Objects. Analyze whether - * spaces need including. - * - * @param level - * @param sb - * @param elements - * @return - */ - public final static StringBuilder buildLine(Level level, StringBuilder sb, Object[] elements) { - sb.append(level.name()); - return buildLine(sb,elements); - } - - /* - * Build a line of code onto a StringBuilder based on Objects. Analyze whether - * spaces need including. 
- * - * @param sb - * @param elements - * @return - */ - public final static StringBuilder buildLine(StringBuilder sb, Object[] elements) { - sb.append(' '); - String str; - boolean notFirst = false; - for(Object o : elements) { - if(o!=null) { - str = o.toString(); - - if(str.length()>0) { - if(notFirst && shouldAddSpace(str,true) && shouldAddSpace(sb,false)) { - sb.append(' '); - } else { - notFirst=true; - } - sb.append(str); - } - } - } - return sb; - } - - private static boolean shouldAddSpace(CharSequence c,boolean start) { - if(c.length()>0) - switch(c.charAt(start?0:c.length()-1)) { - case ' ': - case '\t': - case '\n': - case '\'': - case '"': - case '|': - return false; - } - return true; - } - - /** - * Standard mechanism for logging, given being within a Servlet Context - * - * Here, we treat - * - * if context exists, log to it, otherwise log to Std Out (The latter is usually for startup - * scenarios) - * - */ - public void log(Level level, Object... elements) { - if(willWrite.compareTo(level)<=0) { - StringBuilder sb = buildLine(level, new StringBuilder(),elements); - if(context==null) { - System.out.println(sb.toString()); - } else { - context.log(sb.toString()); - } - } - } - - /** - * Standard mechanism for logging an Exception, given being within a Servlet Context, etc - * - * if context exists, log to it, otherwise log to Std Out (The latter is usually for startup - * scenarios) - * - */ - public void log(Exception e, Object... elements) { - if(willWrite.compareTo(Level.ERROR)<=0) { - StringBuilder sb = buildLine(Level.ERROR, new StringBuilder(),elements); - - if(context==null) { - sb.append(e.toString()); - System.out.println(sb.toString()); - } else { - context.log(sb.toString(),e); - } - } - } - - public void setLogLevel(Level level) { - willWrite = level; - } - - /** - * Pass back the classloader of the Servlet Context, if it exists. Otherwise, get the classloader - * of this object. 
- */ - public ClassLoader classLoader() { // Use the Classloader that Context was created with - return (context==null?this:context).getClass().getClassLoader(); - } - - /** - * Get the Property from Context - */ - public String getProperty(String string, String def) { - String rv = null; - - if ( props != null ) - rv = props.getProperty( string, def ); - - if(rv==null) { - rv = context.getInitParameter(string); - } - return rv==null?def:rv; - - } - - public void load(InputStream is) throws IOException { - if(this.props==null) { - this.props = new Properties(); - } - this.props.load(is); - symm = Symm.obtain(this); - } - - public String decrypt(String encrypted, boolean anytext) throws IOException { - if(symm==null) { - String keyfile = getter.get(Config.CADI_KEYFILE, null, true); - if(keyfile!=null) { - FileInputStream fis = new FileInputStream(keyfile); - symm=Symm.obtain(fis); - fis.close(); - } - } - return (symm!=null && encrypted!=null && (anytext || encrypted.startsWith(Symm.ENC))) - ? symm.depass(encrypted) - : encrypted; - } - - @Override - public void printf(Level level, String fmt, Object[] elements) { - // TODO Auto-generated method stub - - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java b/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java deleted file mode 100644 index 0b8bb8f..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java +++ /dev/null 
@@ -1,305 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.filter;
-
-import java.io.IOException;
-import java.lang.reflect.Constructor;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.CadiWrap;
-import org.onap.aaf.cadi.Lur;
-import org.onap.aaf.cadi.PropAccess;
-import org.onap.aaf.cadi.ServletContextAccess;
-import org.onap.aaf.cadi.TrustChecker;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.config.Get;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-
-/**
- * CadiFilter
- *
- * This class implements Servlet Filter, and ties together CADI implementations
- *
- * This class can be used in a standard J2EE Servlet manner. Optimal usage is for POJO operations, where
- * one can enforce this Filter being first and primary. Depending on the Container, it
- * may be more effective, in some cases, to utilize features that allow earlier determination of
- * AUTHN (Authorization). An example would be "Tomcat Valve". These implementations, however, should
- * be modeled after the "init" and "doFilter" functions, and be kept up to date as this class changes.
- * - * - * - */ -public class CadiFilter implements Filter { - private static CadiHTTPManip httpChecker; - private static String[] pathExceptions; - private static List mapPairs; - private Access access; - private Object[] additionalTafLurs; - private static int count=0; - - public Lur getLur() { - return httpChecker.getLur(); - } - - /** - * Construct a viable Filter - * - * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on - * them at a later time. Therefore, this object creates with an object that denies all access - * until appropriate Init happens, just in case the container lets something slip by in the meantime. - * - */ - public CadiFilter() { - additionalTafLurs = CadiHTTPManip.noAdditional; - } - - /** - * This constructor to be used when directly constructing and placing in HTTP Engine - * - * @param access - * @param moreTafLurs - * @throws ServletException - */ - public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException { - additionalTafLurs = moreTafLurs; - init(new AccessGetter(this.access = access)); - } - - - /** - * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it - * @param init - * @param access - * @param moreTafLurs - * @throws ServletException - */ - public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException { - this.access = access; - if(init) { - init(new AccessGetter(access)); - } - additionalTafLurs = moreTafLurs; - } - - /** - * Init - * - * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a - * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this - * mechanism already. 
- */ - //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions - public void init(FilterConfig filterConfig) throws ServletException { - // need the Context for Logging, instantiating ClassLoader, etc - ServletContextAccess sca=new ServletContextAccess(filterConfig); - if(access==null) { - access = sca; - } - - // Set Protected getter with base Access, for internal class instantiations - init(new FCGet(access, sca.context(), filterConfig)); - } - - - private void init(Get getter) throws ServletException { - // Start with the assumption of "Don't trust anyone". - TrustChecker tc = TrustChecker.NOTRUST; // default position - try { - @SuppressWarnings("unchecked") - Class ctc = (Class) Class.forName("com.att.cadi.aaf.v2_0.AAFTrustChecker"); - if(ctc!=null) { - Constructor contc = ctc.getConstructor(Access.class); - if(contc!=null) { - tc = contc.newInstance(access); - } - } - } catch (Exception e) { - access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage()); - } - - - // Synchronize, because some instantiations call init several times on the same object - // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice. - synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) { - ++count; - if(httpChecker == null) { - if(access==null) { - access = new PropAccess(); - } - try { - httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs); - } catch (CadiException e1) { - throw new ServletException(e1); - } - } else if(access==null) { - access= httpChecker.getAccess(); - } - - /* - * Setup Authn Path Exceptions - */ - if(pathExceptions==null) { - String str = getter.get(Config.CADI_NOAUTHN, null, true); - if(str!=null) { - pathExceptions = str.split("\\s*:\\s*"); - } - } - - /* - * SETUP Permission Converters... 
those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions - */ - if(mapPairs==null) { - String str = getter.get(Config.AAF_PERM_MAP, null, true); - if(str!=null) { - String mstr = getter.get(Config.AAF_PERM_MAP, null, true); - if(mstr!=null) { - String map[] = mstr.split("\\s*:\\s*"); - if(map.length>0) { - MapPermConverter mpc=null; - int idx; - mapPairs = new ArrayList(); - for(String entry : map) { - if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter - access.log(Level.INIT,"Loading Perm Conversions for:",entry); - mapPairs.add(new Pair(entry,mpc=new MapPermConverter())); - } else { - if(mpc!=null) { - mpc.map().put(entry.substring(0,idx),entry.substring(idx+1)); - } else { - access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped"); - } - } - } - } - } - } - } - } - - // Remove Getter - getter = Get.NULL; - } - - /** - * Containers call "destroy" when time to cleanup - */ - public void destroy() { - // Synchronize, in case multiCadiFilters are used. - synchronized(CadiHTTPManip.noAdditional) { - if(--count<=0 && httpChecker!=null) { - httpChecker.destroy(); - httpChecker=null; - access=null; - pathExceptions=null; - } - } - } - - /** - * doFilter - * - * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and - * only call the next item in the filterChain if request is suitably Authenticated. 
- */ - //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - try { - HttpServletRequest hreq = (HttpServletRequest)request; - if(noAuthn(hreq)) { - chain.doFilter(request, response); - } else { - HttpServletResponse hresp = (HttpServletResponse)response; - TafResp tresp = httpChecker.validate(hreq, hresp); - if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) { - CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq)); - if(httpChecker.notCadi(cw, hresp)) { - chain.doFilter(cw,response); - } - } - } - } catch (ClassCastException e) { - throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e); - } - } - - - /** - * If PathExceptions exist, report if these should not have Authn applied. - * @param hreq - * @return - */ - private boolean noAuthn(HttpServletRequest hreq) { - if(pathExceptions!=null) { - String pi = hreq.getPathInfo(); - if(pi==null) return false; // JBoss sometimes leaves null - for(String pe : pathExceptions) { - if(pi.startsWith(pe))return true; - } - } - return false; - } - - /** - * Get Converter by Path - */ - private PermConverter getConverter(HttpServletRequest hreq) { - if(mapPairs!=null) { - String pi = hreq.getPathInfo(); - if(pi!=null) { - for(Pair p: mapPairs) { - if(pi.startsWith(p.name))return p.pc; - } - } - } - return NullPermConverter.singleton(); - } - - /** - * store PermConverters by Path prefix - * - */ - private class Pair { - public Pair(String key, PermConverter pc) { - name = key; - this.pc = pc; - } - public String name; - public PermConverter pc; - } - -} - diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java b/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java deleted file mode 100644 index a3df1c0..0000000 
--- a/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
+++ /dev/null
@@ -1,227 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.filter; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.List; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.CadiWrap; -import org.onap.aaf.cadi.Connector; -import org.onap.aaf.cadi.CredVal; -import org.onap.aaf.cadi.Lur; -import org.onap.aaf.cadi.Taf; -import org.onap.aaf.cadi.TrustChecker; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.lur.EpiLur; -import org.onap.aaf.cadi.taf.HttpTaf; -import org.onap.aaf.cadi.taf.TafResp; -import org.onap.aaf.cadi.util.UserChainManip; - -/** - * Encapsulate common HTTP Manipulation Behavior. It will appropriately set - * HTTPServletResponse for Redirect or Forbidden, as needed. - * - * Further, this is useful, because it avoids multiple creates of Connections, where some Filters - * are created and destroyed regularly. - * - * - * - */ -public class CadiHTTPManip { - private static final String ACCESS_CADI_CONTROL = ".access|cadi|control"; - private static final String METH = "OPTIONS"; - private static final String CADI = "/cadi/"; - private static final String CADI_CACHE_PRINT = "/cadi/cache/print"; - private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear"; - private static final String CADI_LOG_SET = "/cadi/log/set/"; - private Access access; - private HttpTaf taf; - private CredVal up; - private Lur lur; - private String thisPerm,companyPerm,aaf_id; - - public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems - - - public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... 
additionalTafLurs) throws CadiException { - synchronized(CADI) { - this.access = access; -// Get getter = new AccessGetter(access); - Config.setDefaultRealm(access); - - aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_MECHID, null)); - if(aaf_id==null) { - access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_MECHID,Config.CADI_ALIAS); - } else { - access.printf(Level.INIT, "%s is set to %s",Config.AAF_MECHID,aaf_id); - } - String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id); - if(ns!=null) { - thisPerm = ns+ACCESS_CADI_CONTROL; - int dot = ns.indexOf('.'); - if(dot>=0) { - int dot2=ns.indexOf('.',dot+1); - if(dot2<0) { - dot2=dot; - } - companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL; - } else { - companyPerm = "com"+ACCESS_CADI_CONTROL; - } - } else { - thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL; - } - - if(con!=null) { // try to reutilize connector - List ll = null; - for(Object tl : additionalTafLurs) { - if(tl instanceof Lur) { - if(ll==null) { - ll = new ArrayList(); - ll.add(con.newLur()); - } - ll.add((Lur)tl); - } - } - if(ll==null) { - lur = con.newLur(); - } else { - lur = new EpiLur((Lur[])ll.toArray()); - } - } else { - lur = Config.configLur(access, additionalTafLurs); - } - tc.setLur(lur); - if(lur instanceof EpiLur) { - up = ((EpiLur)lur).getUserPassImpl(); - } else if(lur instanceof CredVal) { - up = (CredVal)lur; - } else { - up = null; - } - taf = Config.configHttpTaf(access, tc, up, lur, additionalTafLurs); - } - } - - public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp) throws IOException { - TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp); - switch(tresp.isAuthenticated()) { - case IS_AUTHENTICATED: - access.printf(Level.INFO,"Authenticated: %s from %s:%d" - , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); - break; - case TRY_AUTHENTICATING: - switch (tresp.authenticate()) { - case IS_AUTHENTICATED: - 
access.printf(Level.INFO,"Authenticated: %s from %s:%d" - , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); - break; - case HTTP_REDIRECT_INVOKED: - access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc()); - break; - case NO_FURTHER_PROCESSING: - access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d" - , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, tresp.desc()); // Forbidden - break; - - default: - access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" - , hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, tresp.desc()); // Forbidden - } - break; - case NO_FURTHER_PROCESSING: - access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d", - tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, "Access Denied"); // FORBIDDEN - break; - default: - access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" - , hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, "Access Denied"); // FORBIDDEN - } - return tresp; - } - - public boolean notCadi(CadiWrap req, HttpServletResponse resp) { - - String pathInfo = req.getPathInfo(); - if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) { - if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) { - try { - if(pathInfo.contains(CADI_CACHE_PRINT)) { - resp.getOutputStream().println(lur.toString()); - resp.setStatus(200); - return false; - } else if(pathInfo.contains(CADI_CACHE_CLEAR)) { - StringBuilder report = new StringBuilder(); - lur.clear(req.getUserPrincipal(), report); - resp.getOutputStream().println(report.toString()); - resp.setStatus(200); - return false; - } else if(pathInfo.contains(CADI_LOG_SET)) { - Level l; - int slash = pathInfo.lastIndexOf('/'); - String level = pathInfo.substring(slash+1); - try { - l = Level.valueOf(level); - access.printf(Level.AUDIT, "%s has set 
CADI Log Level to '%s'",req.getUser(),l.name()); - access.setLogLevel(l); - } catch (IllegalArgumentException e) { - access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level); - } - return false; - } - } catch (IOException e) { - access.log(e); - } - } - } - return true; - } - - public Lur getLur() { - return lur; - } - - public void destroy() { - access.log(Level.INFO,"CadiHttpChecker destroyed."); - if(lur!=null) { - lur.destroy(); - lur=null; - } - } - - public Access getAccess() { - return access; - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java b/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java deleted file mode 100644 index e6912e7..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java +++ /dev/null 
@@ -1,77 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.filter; - -import javax.servlet.FilterConfig; -import javax.servlet.ServletContext; - -import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.config.Get; - -/* - * A private method to query the Filter config and if not exists, return the default. This - * cleans up the initialization code. 
- */ -class FCGet implements Get { - /** - * - */ - private final Access access; - private FilterConfig filterConfig; - private ServletContext context; - - public FCGet(Access access, ServletContext context, FilterConfig filterConfig) { - this.access = access; - this.context = context; - this.filterConfig = filterConfig; - } - - public String get(String name, String def, boolean print) { - String str = null; - // Try Server Context First - if(context!=null) { - str = context.getInitParameter(name); - } - - // Try Filter Context next - if(str==null && filterConfig != null) { - str = filterConfig.getInitParameter(name); - } - - if(str==null) { - str = access.getProperty(name, def); - } - // Take def if nothing else - if(str==null) { - str = def; - // don't log defaults - } else { - str = str.trim(); // this is vital in Property File based values, as spaces can hide easily - if(print) { - access.log(Level.INFO,"Setting", name, "to", str); - } - } - return str; - } -} diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java b/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java deleted file mode 100644 index 933e6f9..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java +++ /dev/null 
@@ -1,55 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.filter; - -import java.util.HashMap; -import java.util.Map; - -public class MapPermConverter implements PermConverter { - private HashMap map; - - /** - * Create with colon separated name value pairs - * i.e. teAdmin=com.att.myNS.myPerm|*|*:teUser=... - * - * @param value - */ - public MapPermConverter() { - map = new HashMap(); - } - - /** - * use to instantiate entries - * - * @return - */ - public Map map() { - return map; - } - - public String convert(String minimal) { - String rv = map.get(minimal); - return rv==null?minimal:rv; - } - -} 
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java b/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java
deleted file mode 100644
index 223e1a4..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java
+++ /dev/null
@@ -1,43 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.filter; - - -/** - * A NullPermConverter - * - * Obey the PermConverter Interface, but passed in "minimal" String is not converted. - * - * - */ -public class NullPermConverter implements PermConverter { - - private NullPermConverter() {} - private static final NullPermConverter singleton = new NullPermConverter(); - public static NullPermConverter singleton() {return singleton;} - - public String convert(String minimal) { - return minimal; - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java b/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java deleted file mode 100644 index 87e3c78..0000000 
--- a/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java
+++ /dev/null
@@ -1,183 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.filter; - -import java.io.IOException; - -import javax.servlet.Filter; -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletContext; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.config.Config; - -/** - * PathFilter - * - * This class implements Servlet Filter, and uses AAF to validate access to a Path. - * - * This class can be used in a standard J2EE Servlet manner. 
- * - * - */ -public class PathFilter implements Filter { - private ServletContext context; - private String aaf_type; - private String not_authorized_msg; - private final Log log; - - /** - * Construct a viable Filter for installing in Container WEB.XML, etc. - * - */ - public PathFilter() { - log = new Log() { - public void info(String ... msg) { - context.log(build("INFO:",msg)); - } - public void audit(String ... msg) { - context.log(build("AUDIT:",msg)); - } - private String build(String type, String []msg) { - StringBuilder sb = new StringBuilder(type); - for(String s : msg) { - sb.append(' '); - sb.append(s); - } - return sb.toString(); - } - - }; - } - - /** - * Filter that can be constructed within Java - * @param access - */ - public PathFilter(final Access access) { - log = new Log() { - public void info(String ... msg) { - access.log(Level.INFO, (Object[])msg); - } - public void audit(String ... msg) { - access.log(Level.AUDIT, (Object[])msg); - } - }; - } - - /** - * Init - * - * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a - * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this - * mechanism already. 
- */ - public void init(FilterConfig filterConfig) throws ServletException { - // need the Context for Logging, instantiating ClassLoader, etc - context = filterConfig.getServletContext(); - StringBuilder sb = new StringBuilder(); - StringBuilder err = new StringBuilder(); - Object attr = context.getAttribute(Config.PATHFILTER_NS); - if(attr==null) { - err.append("PathFilter - pathfilter_ns is not set"); - } else { - sb.append(attr.toString()); - } - - attr = context.getAttribute(Config.PATHFILTER_STACK); - if(attr==null) { - log.info("PathFilter - No pathfilter_stack set, ignoring"); - } else { - sb.append('.'); - sb.append(attr.toString()); - } - - attr = context.getAttribute(Config.PATHFILTER_URLPATTERN); - if(attr==null) { - log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'"); - sb.append(".urlpattern"); - } else { - sb.append('.'); - sb.append(attr.toString()); - } - - log.info("PathFilter - AAF Permission Type is",sb.toString()); - - sb.append('|'); - - aaf_type = sb.toString(); - - attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG); - if(attr==null) { - not_authorized_msg = "Forbidden - Not Authorized to access this Path"; - } else { - not_authorized_msg = attr.toString(); - } - - if(err.length()>0) { - throw new ServletException(err.toString()); - } - } - - private interface Log { - public void info(String ... msg); - public void audit(String ... msg); - } - - /** - * doFilter - * - * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and - * only call the next item in the filterChain if request is suitably Authenticated. 
- */ - //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - HttpServletRequest hreq = (HttpServletRequest)request; - HttpServletResponse hresp = (HttpServletResponse)response; - String perm = aaf_type+hreq.getPathInfo()+'|'+hreq.getMethod(); - if(hreq.isUserInRole(perm)) { - chain.doFilter(request, response); - } else { - log.audit("PathFilter has denied",hreq.getUserPrincipal().getName(),"access to",perm); - hresp.sendError(403,not_authorized_msg); - } - } - - /** - * Containers call "destroy" when time to cleanup - */ - public void destroy() { - log.info("PathFilter destroyed."); - } - - - -} - diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java b/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java deleted file mode 100644 index 8f71e29..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java +++ /dev/null 
@@ -1,32 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.filter; - -/** - * Convert a simplistic, single string Permission into an Enterprise Scoped Perm - * - * - */ -public interface PermConverter { - public String convert(String minimal); -} diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java b/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java deleted file mode 100644 index 0a5873e..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java +++ /dev/null 
@@ -1,55 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -/** - * RolesAllowed - * - * - * Similar to Java EE's Spec from Annotations 1.1, 2.8 - * - * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined - * sense of permissions hierarchy. 
The same mechanism, however, can easily be achieved on single Servlet/Handlers in - * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation - * - */ -package org.onap.aaf.cadi.filter; -import static java.lang.annotation.ElementType.TYPE; -import static java.lang.annotation.RetentionPolicy.RUNTIME; - -import java.lang.annotation.Retention; -import java.lang.annotation.Target; - -/** - * JASPI Style Annotation of RolesAllowed when the coding style is desired but actually including all - * JEE jars is not. If using actual JASPI, use official @interface classes, not this one... - * - */ -@Target({TYPE}) -@Retention(RUNTIME) -public @interface RolesAllowed { - /** - * Security role of the implementation, which doesn't have to be an EJB or CORBA like object. Can be just a - * Handler - * @return - */ - String[] value(); -} diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java b/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java deleted file mode 100644 index f581c5f..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java +++ /dev/null 
@@ -1,55 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -/** - * RolesAllowed - * - * - * Similar to Java EE's Spec from Annotations 1.1, 2.8 - * - * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined - * sense of permissions hierarchy. 
The same mechanism, however, can easily be achieved on single Servlet/Handlers in - * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation - * - */ -package org.onap.aaf.cadi.filter; -import static java.lang.annotation.ElementType.TYPE; -import static java.lang.annotation.RetentionPolicy.RUNTIME; - -import java.lang.annotation.Retention; -import java.lang.annotation.Target; - -import javax.servlet.Servlet; - -/** - * - */ -@Target({TYPE}) -@Retention(RUNTIME) -public @interface ServletImpl { - /** - * Security role of the implementation, which doesn't have to be an EJB or CORBA like object. Can be just a - * Handler - * @return - */ - Class value(); -} diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java deleted file mode 100644 index 32e4816..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java +++ /dev/null 
@@ -1,70 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.lur; - -import java.io.IOException; -import java.security.Principal; - -import org.onap.aaf.cadi.GetCred; -import org.onap.aaf.cadi.Symm; - -public class ConfigPrincipal implements Principal, GetCred { - private String name; - private byte[] cred; - private String content; - - public ConfigPrincipal(String name, String passwd) { - this.name = name; - this.cred = passwd.getBytes(); - content = null; - } - - public ConfigPrincipal(String name, byte[] cred) { - this.name = name; - this.cred = cred; - content = null; - } - - public String getName() { - return name; - } - - public byte[] getCred() { - return cred; - } - - public String toString() { - return name; - } - - public String getAsBasicAuthHeader() throws IOException { - if(content ==null) { - String s = name + ':' + new String(cred); - content = "Basic " + Symm.base64.encode(s); - } else if(!content.startsWith("Basic ")) { // content is the saved password from construction - String s = name + ':' + content; - content = "Basic " + Symm.base64.encode(s); - } - return content; - } -} diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java b/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java deleted file mode 100644 index 0e612e9..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java +++ /dev/null 
@@ -1,167 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.lur; - -import java.security.Principal; -import java.util.List; - -import org.onap.aaf.cadi.CachingLur; -import org.onap.aaf.cadi.CadiException; -import org.onap.aaf.cadi.CredVal; -import org.onap.aaf.cadi.Lur; -import org.onap.aaf.cadi.Permission; - -/** - * EpiLUR - * - * Short for "Epic LUR". Be able to run through a series of LURs to obtain the validation needed. - * - * The pun is better for the other pattern... "TAF" (aka EpiTaf), but it's still the larger picture of - * LURs that will be accomplished. - * - * FYI, the reason we separate LURs, rather than combine, is that Various User Repository Resources have - * different Caching requirements. 
For instance, the Local User Repo (with stand alone names), never expire, but might be - * refreshed with a change in Configuration File, while the Remote Service based LURs will need to expire at prescribed intervals - * - * - */ -public final class EpiLur implements Lur { - private final Lur[] lurs; - - /** - * EpiLur constructor - * - * Construct the EpiLur from variable TAF parameters - * @param lurs - * @throws CadiException - */ - public EpiLur(Lur ... lurs) throws CadiException{ - this.lurs = lurs; - if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor"); - } - - public boolean fish(Principal bait, Permission pond) { - if(pond==null) { - return false; - } - boolean rv = false; - Lur lur; - for(int i=0;!rv && i permissions) { - for(Lur lur : lurs) { - lur.fishAll(bait, permissions); - } - } - - public void destroy() { - for(Lur lur : lurs) { - lur.destroy(); - } - } - - /** - * Return the first Lur (if any) which also implements UserPass - * @return - */ - public CredVal getUserPassImpl() { - for(Lur lur : lurs) { - if(lur instanceof CredVal) { - return (CredVal)lur; - } - } - return null; - } - - // Never needed... Only EpiLur uses... - public boolean handlesExclusively(Permission pond) { - return false; - } - - /** - * Get Lur for index. 
Returns null if out of range - * @param idx - * @return - */ - public Lur get(int idx) { - if(idx>=0 && idx)l).remove(id); - } - } - } - - public Lur subLur(Class cls ) { - for(Lur l : lurs) { - if(l.getClass().isAssignableFrom(cls)) { - return l; - } - } - return null; - } - - @Override - public Permission createPerm(String p) { - return new LocalPermission(p); - } - - /* (non-Javadoc) - * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder) - */ - @Override - public void clear(Principal p, StringBuilder report) { - for(Lur lur : lurs) { - lur.clear(p, report); - } - } - - public String toString() { - StringBuilder sb = new StringBuilder(); - for(Lur lur : lurs) { - sb.append(lur.getClass().getSimpleName()); - sb.append(": Report\n"); - sb.append(lur.toString()); - sb.append('\n'); - } - return sb.toString(); - } -} diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java b/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java deleted file mode 100644 index 4086b51..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java +++ /dev/null 
@@ -1,201 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.lur; - -import java.io.IOException; -import java.security.Principal; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.TreeSet; - -import org.onap.aaf.cadi.AbsUserCache; -import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.CredVal; -import org.onap.aaf.cadi.Hash; -import org.onap.aaf.cadi.Permission; -import org.onap.aaf.cadi.StrLur; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.config.Config; - - -/** - * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms. 
- * - * - */ -public final class LocalLur extends AbsUserCache implements StrLur, CredVal { - public static final String SEMI = "\\s*;\\s*"; - public static final String COLON = "\\s*:\\s*"; - public static final String COMMA = "\\s*,\\s*"; - public static final String PERCENT = "\\s*%\\s*"; - - // Use to quickly determine whether any given group is supported by this LUR - private final Set supportingGroups; - private String supportedRealm; - - /** - * Construct by building structure, see "build" - * - * Reconstruct with "build" - * - * @param userProperty - * @param groupProperty - * @param decryptor - * @throws IOException - */ - public LocalLur(Access access, String userProperty, String groupProperty) throws IOException { - super(access, 0, 0, Integer.MAX_VALUE); // data doesn't expire - supportedRealm = access.getProperty(Config.BASIC_REALM, "localized"); - supportingGroups = new TreeSet(); - - if(userProperty!=null) { - // For each User name... - for(String user : userProperty.trim().split(SEMI)) { - String[] us = user.split(COLON,2); - String[] userpass = us[0].split(PERCENT,2); - String u; - User usr; - if(userpass.length>1) { - if(userpass.length>0 && userpass[0].indexOf('@')<0) { - userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm()); - } - - u = userpass[0]; - byte[] pass = access.decrypt(userpass[1], true).getBytes(); - usr = new User(new ConfigPrincipal(u, pass)); - } else { - u = us[0]; - usr = new User(new ConfigPrincipal(u, (byte[])null)); - } - addUser(usr); - access.log(Level.INIT, "Local User:",usr.principal); - - if(us.length>1) { - Map newMap = usr.newMap(); - for(String group : us[1].split(COMMA)) { - supportingGroups.add(group); - usr.add(newMap,new LocalPermission(group)); - } - usr.setMap(newMap); - } - } - } - if(groupProperty!=null) { - // For each Group name... 
- for(String group : groupProperty.trim().split(SEMI)) { - String[] gs = group.split(COLON,2); - if(gs.length>1) { - supportingGroups.add(gs[0]); - LocalPermission p = new LocalPermission(gs[0]); - // Add all users (known by comma separators) - - for(String grpMem : gs[1].split(COMMA)) { - // look for password, if so, put in passMap - String[] userpass = grpMem.split(PERCENT,2); - if(userpass.length>0 && userpass[0].indexOf('@')<0) { - userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm()); - } - User usr = getUser(userpass[0]); - if(userpass.length>1) { - byte[] pass = access.decrypt(userpass[1], true).getBytes(); - if(usr==null)addUser(usr=new User(new ConfigPrincipal(userpass[0],pass))); - else usr.principal=new ConfigPrincipal(userpass[0],pass); - } else { - if(usr==null)addUser(usr=new User(new ConfigPrincipal(userpass[0],(byte[])null))); - } - usr.add(p); - access.log(Level.INIT, "Local User:",usr.principal); - } - } - } - } - } - - public boolean validate(String user, CredVal.Type type, byte[] cred) { - User usr = getUser(user); - switch(type) { - case PASSWORD: - // covers null as well as bad pass - if(usr!=null && cred!=null && usr.principal instanceof ConfigPrincipal) { - return Hash.isEqual(cred,((ConfigPrincipal)usr.principal).getCred()); - } - break; - } - return false; - } - - // @Override - public boolean fish(Principal bait, Permission pond) { - if(supports(bait.getName()) && pond instanceof LocalPermission) { // local Users only have LocalPermissions - User user = getUser(bait); - return user==null?false:user.contains((LocalPermission)pond); - } - return false; - } - - public boolean fish(String bait, Permission pond) { - if(supports(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions - User user = getUser(bait); - return user==null?false:user.contains((LocalPermission)pond); - } - return false; - } - - // We do not want to expose the actual Group, so make a copy. 
- public void fishAll(Principal bait, List perms) { - if(supports(bait.getName())) { - User user = getUser(bait); - if(user!=null) { - user.copyPermsTo(perms); - } - } - } - - public void fishAll(String bait, List perms) { - if(supports(bait)) { - User user = getUser(bait); - if(user!=null) { - user.copyPermsTo(perms); - } - } - } - - public boolean supports(String userName) { - return userName!=null && userName.endsWith(supportedRealm); - } - - public boolean handlesExclusively(Permission pond) { - return supportingGroups.contains(pond.getKey()); - } - - /* (non-Javadoc) - * @see com.att.cadi.Lur#createPerm(java.lang.String) - */ - @Override - public Permission createPerm(String p) { - return new LocalPermission(p); - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java b/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java deleted file mode 100644 index cccb74c..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java +++ /dev/null 
@@ -1,51 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.lur;
-
-import org.onap.aaf.cadi.Permission;
-
-public class LocalPermission implements Permission {
- private String key;
-
- public LocalPermission(String role) {
- this.key = role;
- }
-
- public String getKey() {
- return key;
- }
-
- public String toString() {
- return key;
- }
-
- public boolean match(Permission p) {
- return key.equals(p.getKey());
- }
-
- public String permType() {
- return "LOCAL";
- }
-
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java b/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
deleted file mode 100644
index 94080df..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
+++ /dev/null
@@ -1,88 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.lur;
-
-import java.security.Principal;
-import java.util.List;
-
-import org.onap.aaf.cadi.Lur;
-import org.onap.aaf.cadi.Permission;
-
-public class NullLur implements Lur {
- private static final Permission NULL = new Permission() {
- @Override
- public String permType() {
- return "";
- }
-
- @Override
- public String getKey() {
- return "";
- }
-
- @Override
- public boolean match(Permission p) {
- return false;
- }};
-
- public boolean fish(Principal bait, Permission pond) {
- // Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own
-// System.err.println("CADI's LUR has not been configured, but is still being called. Access is being denied");
- return false;
- }
-
- public void fishAll(Principal bait, List permissions) {
- }
-
- public void destroy() {
- }
-
- public boolean handlesExclusively(Permission pond) {
- return false;
- }
-
- public boolean supports(String userName) {
- return false;
- }
-
- /* (non-Javadoc)
- * @see com.att.cadi.Lur#createPerm(java.lang.String)
- */
- @Override
- public Permission createPerm(String p) {
- return NULL;
- }
-
- /* (non-Javadoc)
- * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
- */
- @Override
- public void clear(Principal p, StringBuilder report) {
- report.append(NullLur.class.getSimpleName());
- report.append('\n');
- }
-
- public String toString() {
- return NullLur.class.getSimpleName() + '\n';
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
deleted file mode 100644
index e84caeb..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
+++ /dev/null
@@ -1,117 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
- * * - ******************************************************************************/ -package org.onap.aaf.cadi.principal; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.OutputStream; -import java.util.Date; - -import org.onap.aaf.cadi.BasicCred; -import org.onap.aaf.cadi.GetCred; -import org.onap.aaf.cadi.Symm; - -public class BasicPrincipal extends BearerPrincipal implements GetCred { - private static byte[] basic = "Basic ".getBytes(); - - private String name = null; - private String shortName = null; - private byte[] cred = null; - - private long created; - - public BasicPrincipal(String content,String domain) throws IOException { - created = System.currentTimeMillis(); - ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes()); - // Read past "Basic ", ensuring it starts with it. - for(int i=0;i0) { - domain=name.substring(at+1); - shortName=name.substring(0, at); - } else { - shortName = name; - name = name + '@' + domain; - } - } - - public BasicPrincipal(BasicCred bc, String domain) { - name = bc.getUser(); - cred = bc.getCred(); - } - - private class BasicOS extends OutputStream { - private boolean first = true; - private ByteArrayOutputStream baos; - - public BasicOS(int size) { - baos = new ByteArrayOutputStream(size); - } - - @Override - public void write(int b) throws IOException { - if(b==':' && first) { - first = false; - name = new String(baos.toByteArray()); - baos.reset(); // - } else { - baos.write(b); - } - } - - private byte[] toCred() { - return baos.toByteArray(); - } - } - - public String getName() { - return name; - } - - public String getShortName() { - return shortName; - } - - public byte[] getCred() { - return cred; - } - - public long created() { - return created; - } - - public String toString() { - return "Basic Authorization for " + name + " evaluated on " + new Date(created).toString(); - } -} 
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java
deleted file mode 100644
index 08793c5..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.principal;
-
-import java.security.Principal;
-
-public abstract class BearerPrincipal implements Principal {
- private String bearer = null;
- public BearerPrincipal setBearer(String bearer) {
- this.bearer = bearer;
- return this;
- }
- public String getBearer() {
- return bearer;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/CSPPrincipal_T.java b/core/src/main/java/org/onap/aaf/cadi/principal/CSPPrincipal_T.java
deleted file mode 100644
index 3694584..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/principal/CSPPrincipal_T.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.principal;
-
-import java.security.Principal;
-
-/**
- * Indicate a CSP Principal that is trusted as a CSPPrincipal.
- *
- */
-public interface CSPPrincipal_T extends Principal {
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java
deleted file mode 100644
index 9a33dc6..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.principal;
-
-import java.io.IOException;
-
-import org.onap.aaf.cadi.BasicCred;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.taf.HttpTaf;
-
-/**
- * Cached Principals need to be able to revalidate in the Background
- *
- *
- */
-public class CachedBasicPrincipal extends BasicPrincipal implements CachedPrincipal {
- private final HttpTaf creator;
- private long timeToLive;
- private long expires;
-
- public CachedBasicPrincipal(HttpTaf creator, BasicCred bc, String domain, long timeToLive) {
- super(bc, domain);
- this.creator = creator;
- this.timeToLive = timeToLive;
- expires = System.currentTimeMillis()+timeToLive;
- }
-
- public CachedBasicPrincipal(HttpTaf creator, String content, String domain, long timeToLive) throws IOException {
- super(content, domain);
- this.creator = creator;
- this.timeToLive = timeToLive;
- expires = System.currentTimeMillis()+timeToLive;
- }
-
- public CachedPrincipal.Resp revalidate() {
- Resp resp = creator.revalidate(this);
- if(resp.equals(Resp.REVALIDATED))expires = System.currentTimeMillis()+timeToLive;
- return resp;
- }
-
- public long expires() {
- return expires;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal.java
deleted file mode 100644
index b55f86a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.principal;
-
-public class TGuardPrincipal extends BearerPrincipal {
-
- private String name, tresp;
-
- public TGuardPrincipal(String tresp) {
- this.tresp=tresp;
- }
-
- /**
- * TODO Need to figure out what Organizations TGuard entities should be part of.
- *
- */
- public String getName() {
- if(name==null) {
- String temp = get("iv-user");
- if(temp==null)return null;
- StringBuilder sb = new StringBuilder();
- int at = temp.indexOf('@');
- if(at<0) {
- sb.append(temp);
- } else {
- sb.append(temp.substring(0, at));
- }
- if(temp.endsWith("@uverse.com"))sb.append("@uverse.tguard.att.com");
- else if(temp.endsWith("@att.com"))sb.append("@com.tguard.att.com");
- else if(temp.endsWith("@att.net"))sb.append("@net.tguard.att.com");
- else sb.append("@tguard.att.com");
- name = sb.toString();
- }
- return name;
- }
-
- /**
- * Get a value from a named TGuard Property
- *
- * TGuard response info is very dynamic. They can add new properties at any time, so we dare not code field names for these values.
- * @param key
- * @return
- */
- public String get(String key) {
- if(key==null)return null;
- int idx=0,equal=0,amp=0;
- while(idx>=0 && (equal = tresp.indexOf('=',idx))>=0) {
- amp = tresp.indexOf('&',equal);
- if(key.regionMatches(0, tresp, idx, equal-idx)) {
- return amp>=0?tresp.substring(equal+1, amp):tresp.substring(equal+1);
- }
- idx=amp+(amp>0?1:0);
- }
- return null;
- }
-
- public String info() {
- return tresp;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal_T.java b/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal_T.java
deleted file mode 100644
index 235c74c..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal_T.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.principal;
-
-import java.security.Principal;
-
-/**
- * Indicate a TGuard Principal that is trusted as a TGuardPrincipal.
- *
- */
-public interface TGuardPrincipal_T extends Principal {
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java
deleted file mode 100644
index 4add242..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.principal;
-
-import java.security.Principal;
-
-import org.onap.aaf.cadi.UserChain;
-
-public class TrustPrincipal extends BearerPrincipal implements UserChain {
- private final String name;
- private final Principal original;
- private String userChain;
-
- public TrustPrincipal(final Principal actual, final String asName) {
- this.original = actual;
- name = asName.trim();
- if(actual instanceof UserChain) {
- UserChain uc = (UserChain)actual;
- userChain = uc.userChain();
- } else if(actual instanceof X509Principal) {
- userChain="x509";
- } else if(actual instanceof BasicPrincipal) {
- userChain="BAth";
- } else {
- userChain = actual.getClass().getSimpleName();
- }
- }
-
- @Override
- public String getName() {
- return name;
- }
-
- public String getOrigName() {
- return original.getName() + '[' + userChain + ']';
- }
-
- @Override
- public String userChain() {
- return userChain;
- }
-
- public Principal original() {
- return original;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java b/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
deleted file mode 100644
index 2f3fd28..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.principal;
-
-import java.io.IOException;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-import java.util.regex.Pattern;
-
-import org.onap.aaf.cadi.GetCred;
-
-public class X509Principal extends BearerPrincipal implements GetCred {
- private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
- private byte[] content;
- private X509Certificate cert;
- private String name;
-
- public X509Principal(String identity, X509Certificate cert, byte[] content) {
- name = identity;
- this.content = content;
- this.cert = cert;
- }
-
- public X509Principal(X509Certificate cert, byte[] content) throws IOException {
- this.content=content;
- this.cert = cert;
- String subj = cert.getSubjectDN().getName();
- int cn = subj.indexOf("OU=");
- if(cn>=0) {
- cn+=3;
- int space = subj.indexOf(',',cn);
- if(space>=0) {
- String id = subj.substring(cn, space);
- if(pattern.matcher(id).matches()) {
- name = id;
- }
- }
- }
- if(name==null)
- throw new IOException("X509 does not have Identity as CN");
-
- }
-
-
- public String getAsHeader() throws IOException {
- try {
- if(content==null)
- content=cert.getEncoded();
- } catch (CertificateEncodingException e) {
- throw new IOException(e);
- }
- return "X509 " + content;
- }
-
- public String toString() {
- return "X509 Authentication for " + name;
- }
-
-
- public byte[] getCred() {
- try {
- return content==null?(content=cert.getEncoded()):content;
- } catch (CertificateEncodingException e) {
- return null;
- }
- }
-
-
- public String getName() {
- return name;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
deleted file mode 100644
index 6a7f15e..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-/**
- * AbsTafResp
- *
- * Base class for TafResp (TAF Response Objects)
- *
- */
-public abstract class AbsTafResp implements TafResp {
-
- protected final String desc;
- protected final Principal principal;
- protected final Access access;
-
- /**
- * AbsTafResp
- *
- * Set and hold
- * Description (for logging)
- * Principal (as created by derived class)
- * Access (for access to underlying container, i.e. 
for Logging, auditing, ClassLoaders, etc)
- *
- * @param access
- * @param principal
- * @param description
- */
- public AbsTafResp(Access access, Principal principal, String description) {
- this.access = access;
- this.principal = principal;
- this.desc = description;
- }
-
- /**
- * isValid()
- *
- * Respond in the affirmative if the TAF was able to Authenticate
- */
- public boolean isValid() {
- return principal!=null;
- }
-
- /**
- * desc()
- *
- * Respond with description of response as given by the TAF
- */
- public String desc() {
- return desc;
- }
-
- /**
- * isAuthenticated()
- *
- * Respond with the TAF's code of whether Authenticated, or suggested next steps
- * default is either IS_AUTHENTICATED, or TRY_ANOTHER_TAF. The TAF can overload
- * and suggest others, such as "NO_FURTHER_PROCESSING", if it can detect that this
- * is some sort of security breach (i.e. Denial of Service)
- */
- public RESP isAuthenticated() {
- return principal==null?RESP.TRY_ANOTHER_TAF:RESP.IS_AUTHENTICATED;
- }
-
- /**
- * getPrincipal()
- *
- * Return the principal created by the TAF based on Authentication.
- *
- * Returns "null" if Authentication failed (no principal)
- */
- public Principal getPrincipal() {
- return principal;
- }
-
- /**
- * getAccess()
- *
- * Get the Access object from the TAF, so that appropriate Logging, etc can be coordinated.
- */
- public Access getAccess() {
- return access;
- }
-
- /* (non-Javadoc)
- * @see com.att.cadi.taf.TafResp#isFailedAttempt()
- */
- public boolean isFailedAttempt() {
- return false;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
deleted file mode 100644
index 7cb40ed..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.Taf;
-
-/**
- * EpiTAF
- *
- * Short for "Epic TAF". Be able to run through a series of TAFs to obtain the validation needed.
- *
- * OK, the name could probably be better as "Tafs", like it was originally, but the pun was too
- * irresistible for this author to pass up.
- *
- *
- */
-public class EpiTaf implements Taf {
- private Taf[] tafs;
-
- /**
- * EpiTaf constructor
- *
- * Construct the EpiTaf from variable TAF parameters
- * @param tafs
- * @throws CadiException
- */
- public EpiTaf(Taf ... 
tafs) throws CadiException{
- this.tafs = tafs;
- if(tafs.length==0) throw new CadiException("Need at least one Taf implementation in constructor");
- }
-
- /**
- * validate
- *
- * Respond with the first TAF to authenticate user based on variable info and "LifeForm" (is it
- * a human behind an interface, or a server behind a protocol).
- *
- * If there is no TAF that can authenticate, respond with the first TAF that suggests it can
- * establish an Authentication conversation (TRY_AUTHENTICATING).
- *
- * If no TAF declares either, respond with NullTafResp (which denies all questions)
- */
- public TafResp validate(LifeForm reading, String... info) {
- TafResp tresp,firstTryAuth=null;
- for(Taf taf : tafs) {
- tresp = taf.validate(reading, info);
- switch(tresp.isAuthenticated()) {
- case TRY_ANOTHER_TAF:
- break;
- case TRY_AUTHENTICATING:
- if(firstTryAuth==null)firstTryAuth=tresp;
- break;
- default:
- return tresp;
- }
- }
-
- // No TAFs configured, at this point. It is safer at this point to be "not validated",
- // rather than "let it go"
- return firstTryAuth == null?NullTafResp.singleton():firstTryAuth;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
deleted file mode 100644
index 05832f7..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.Locator;
-import org.onap.aaf.cadi.TrustChecker;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.Taf.LifeForm;
-
-/**
- * HttpEpiTaf
- *
- * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials
- *
- *
- */
-public class HttpEpiTaf implements HttpTaf {
- private HttpTaf[] tafs;
- private Access access;
- private Locator locator;
- private TrustChecker trustChecker;
-
- /**
- * HttpEpiTaf constructor
- *
- * Construct the HttpEpiTaf from variable Http specific TAF parameters
-
- * @param tafs
- * @throws CadiException
- */
- public HttpEpiTaf(Access access, Locator locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{
- this.tafs = tafs;
- this.access = access;
- this.locator = locator;
- this.trustChecker = tc;
- // Establish what Header Property to look for UserChain/Trust Props
-// trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT);
-
- if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor");
- }
-
- /**
- * validate
- *
- * Respond with the first Http specific TAF to authenticate user based on variable info
- * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol). 
- *
- * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can
- * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP
- * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm
- * submission
- *
- * If no TAF declares either, respond with NullTafResp (which denies all questions)
- */
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- // Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings
- if(reading==LifeForm.LFN) {
- reading = tricorderScan(req);
- }
- TafResp tresp=null, firstTry = null;
- List redirectables = null;
-
- for(HttpTaf taf : tafs) {
- tresp = taf.validate(reading, req, resp);
- switch(tresp.isAuthenticated()) {
- case TRY_ANOTHER_TAF:
- break; // and loop
- case TRY_AUTHENTICATING:
- if(tresp instanceof Redirectable) {
- if(redirectables==null) {
- redirectables = new ArrayList();
- }
- redirectables.add((Redirectable)tresp);
- } else if(firstTry==null) {
- firstTry = tresp;
- }
- break;
- case IS_AUTHENTICATED:
- tresp = trustChecker.mayTrust(tresp, req);
- return tresp;
- default:
- return tresp;
- }
- }
-
- // If No TAFs configured, at this point. 
It is safer at this point to be "not validated",
- // rather than "let it go"
- // Note: if exists, there will always be more than 0 entries, according to above code
- if(redirectables==null) {
- return firstTry!=null?firstTry:NullTafResp.singleton();
- }
-
- // If there is one Tryable entry then return it
- if(redirectables.size()>1) {
- return LoginPageTafResp.create(access,locator,resp,redirectables);
- } else {
- return redirectables.get(0);
- }
- }
-
- public boolean revalidate(Principal prin) throws Exception {
- return false;
- }
-
- /*
- * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind
- * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical
- * id (SiliconBasedLifeForm)? This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs
- */
- private LifeForm tricorderScan(HttpServletRequest req) {
- // For simplicity's sake, we'll say Humans use FQDNs, not IPs.
-
- String auth = req.getParameter("Authentication");
- if(auth!=null) {
- if("BasicAuth".equals(auth)) {
- return LifeForm.SBLF;
- }
- }
- // Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are.
- // If mechanical frameworks are found that populate this, then more advanced analysis may be required
- // 1/22/2013
- String agent = req.getHeader("User-Agent");
- if(agent!=null && agent.startsWith("Mozilla")) // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent
- return LifeForm.CBLF;
- return LifeForm.SBLF; // notably skips "curl","wget", (which is desired behavior. 
We don't want to try CSP, etc on these)
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- Resp resp;
- for(HttpTaf taf : tafs) {
- resp = taf.revalidate(prin);
- switch(resp) {
- case NOT_MINE:
- break;
- default:
- return resp;
- }
- }
- return Resp.NOT_MINE;
- }
-
- /**
- * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE
- * like Eclipse.
- */
- public String toString() {
- StringBuilder sb = new StringBuilder();
- for(HttpTaf ht : tafs) {
- sb.append(ht.toString());
- sb.append(". ");
- }
- return sb.toString();
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
deleted file mode 100644
index 325de6a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.Taf.LifeForm;
-
-/**
- * A TAF which is in a specific HTTP environment in which the engine implements
- * javax Servlet.
- *
- * Using the Http Request and Response interfaces takes the effort out of implementing in almost any kind of
- * HTTP Container or Engine.
- *
- *
- */
-public interface HttpTaf {
- /**
- * validate
- *
- * Validate the Request, and respond with created TafResp object. 
- *
- * @param reading
- * @param req
- * @param resp
- * @return
- */
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp);
-
- /**
- * Re-Validate Credential
- *
- * @param prin
- * @return
- */
- public CachedPrincipal.Resp revalidate(CachedPrincipal prin);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
deleted file mode 100644
index b6bb385..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.net.URI;
-import java.util.List;
-
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.Locator;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.Locator.Item;
-
-public class LoginPageTafResp extends AbsTafResp {
- private final HttpServletResponse httpResp;
- private final String loginPageURL;
-
- private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) {
- super(access, null, "Multiple Possible HTTP Logins available. 
Redirecting to Login Choice Page");
- httpResp = resp;
- this.loginPageURL = loginPageURL;
- }
-
- @Override
- public RESP authenticate() throws IOException {
- httpResp.sendRedirect(loginPageURL);
- return RESP.HTTP_REDIRECT_INVOKED;
- }
-
- @Override
- public RESP isAuthenticated() {
- return RESP.TRY_AUTHENTICATING;
- }
-
- public static TafResp create(Access access, Locator locator, final HttpServletResponse resp, List redir) {
- if(locator!=null) {
- try {
- Item item = locator.best();
- URI uri = locator.get(item);
- if(uri!=null) {
- StringBuilder sb = new StringBuilder(uri.toString());
- String query = uri.getQuery();
- boolean first = query==null || query.length()==0;
- int count=0;
- for(Redirectable t : redir) {
- if(first) {
- sb.append('?');
- first=false;
- }
- else sb.append('&');
- sb.append(t.get());
- ++count;
- }
- if(count>0)return new LoginPageTafResp(access, resp, sb.toString());
- }
- } catch (Exception e) {
- access.log(e, "Error deriving Login Page location");
- }
- } else if(!redir.isEmpty()) {
- access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf");
- return redir.get(0);
- }
- return NullTafResp.singleton();
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
deleted file mode 100644
index fb1b930..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-
-
-/**
- * This TAF is set at the very beginning of Filters and Valves so that if any configuration issues hit while
- * starting, the default behavior is to shut down traffic rather than leaving an open hole
- *
- *
- */
-public class NullTaf implements Taf, HttpTaf {
- // Singleton Pattern
- public NullTaf() {}
-
- /**
- * validate
- *
- * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
- */
- public TafResp validate(LifeForm reading, String... info) {
- return NullTafResp.singleton();
- }
-
- /**
- * validate
- *
- * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
- */
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- return NullTafResp.singleton();
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- return Resp.NOT_MINE;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
deleted file mode 100644
index 97e49e0..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-/**
- * A Null Pattern for setting responses to "Deny" before configuration is setup. 
- *
- */
-class NullTafResp implements TafResp {
- private NullTafResp(){}
-
- private static TafResp singleton = new NullTafResp();
-
- public static TafResp singleton() {
- return singleton;
- }
-
- public boolean isValid() {
- return false;
- }
-
- public RESP isAuthenticated() {
- return RESP.NO_FURTHER_PROCESSING;
- }
-
- public String desc() {
- return "All Authentication denied";
- }
-
- public RESP authenticate() throws IOException {
- return RESP.NO_FURTHER_PROCESSING;
- }
-
- public Principal getPrincipal() {
- return null;
- }
-
- public Access getAccess() {
- return Access.NULL;
- }
-
- /* (non-Javadoc)
- * @see com.att.cadi.taf.TafResp#isFailedAttempt()
- */
- public boolean isFailedAttempt() {
- return true;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
deleted file mode 100644
index 10c401a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-/**
- * A Punt Resp to make it fast and easy for a Taf to respond that it cannot handle a particular kind of
- request. It is always the same object, so there is no cost for memory, etc. 
- *
- */
-public class PuntTafResp implements TafResp {
- private PuntTafResp(){}
-
- private static TafResp singleton = new PuntTafResp();
-
- public static TafResp singleton() {
- return singleton;
- }
-
- public boolean isValid() {
- return false;
- }
-
- public RESP isAuthenticated() {
- return RESP.TRY_ANOTHER_TAF;
- }
-
- public String desc() {
- return "This Taf can or will not handle this authentication";
- }
-
- public RESP authenticate() throws IOException {
- return RESP.TRY_ANOTHER_TAF;
- }
-
- public Principal getPrincipal() {
- return null;
- }
-
- public Access getAccess() {
- return NullTafResp.singleton().getAccess();
- }
-
- public boolean isFailedAttempt() {
- return false;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java b/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
deleted file mode 100644
index 6e20bab..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-public interface Redirectable extends TafResp {
- /**
- * Create a Redirectable URL entry prefaced by a URLEncoder.String for a Menu
- * example:
- * "Global Login=https://xxxx....."
- */
- public String get();
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
deleted file mode 100644
index cb0915a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CadiException;
-
-/**
- * Response from Taf objects, which inform users what has happened and/or what should be done
- *
- *
- */
-public interface TafResp {
- public static enum RESP {
- IS_AUTHENTICATED,
- NO_FURTHER_PROCESSING,
- TRY_AUTHENTICATING,
- TRY_ANOTHER_TAF,
- FAIL,
- // A note was made to avoid the response REDIRECT. However, I have deemed that it is
- // unavoidable when the underlying TAF did do a REDIRECT, because it requires a HTTP
- // Service code to exit without modifying the Response any further.
- // Therefore, I have changed this to indicate what HAS happened, with should accommodate
- // both positions. JG 10/18/2012
-// public static final int HTTP_REDIRECT_INVOKED = 11;
- HTTP_REDIRECT_INVOKED,
- HAS_PROCESSED};
-
- /**
- * Basic success check
- * @return
- */
- public boolean isValid();
-
- /**
- * String description of what has occurred (for logging/exceptions)
- * @return
- */
- public String desc();
-
- /**
- * Check Response
- * @return
- */
- public RESP isAuthenticated();
-
- /**
- * Authenticate, returning FAIL or Other Valid indication
- *
- * HTTP implementations should watch for "HTTP_REDIRECT_INVOKED", and end the HTTP call appropriately.
- * @return
- * @throws CadiException
- */
- public RESP authenticate() throws IOException;
-
- /**
- * Once authenticated, this object should hold a Principal created from the authorization
- * @return
- */
- public Principal getPrincipal();
-
- /**
- * get the Access object which created this object, allowing the responder to appropriate Log, etc
- */
- public Access getAccess();
-
- /**
- * Be able to check if part of a Failed attempt
- */
- public boolean isFailedAttempt();
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
deleted file mode 100644
index 2ab4a62..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-public class TrustNotTafResp implements TafResp {
- private final TafResp delegate;
- private final String desc;
-
- public TrustNotTafResp(final TafResp delegate, final String desc) {
- this.delegate = delegate;
- this.desc = desc;
- }
-
- @Override
- public boolean isValid() {
- return false;
- }
-
- @Override
- public String desc() {
- return desc;
- }
-
- @Override
- public RESP isAuthenticated() {
- return RESP.NO_FURTHER_PROCESSING;
- }
-
- @Override
- public RESP authenticate() throws IOException {
- return RESP.NO_FURTHER_PROCESSING;
- }
-
- @Override
- public Principal getPrincipal() {
- return delegate.getPrincipal();
- }
-
- @Override
- public Access getAccess() {
- return delegate.getAccess();
- }
-
- @Override
- public boolean isFailedAttempt() {
- return true;
- }
-
- public String toString() {
- return desc();
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
deleted file mode 100644
index cd4c92f..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-
-public class TrustTafResp implements TafResp {
- private final TafResp delegate;
- private final Principal principal;
- private final String desc;
-
- public TrustTafResp(final TafResp delegate, final Principal principal, final String desc) {
- this.delegate = delegate;
- this.principal = principal;
- this.desc = desc + ' ' + delegate.desc();
- }
-
- @Override
- public boolean isValid() {
- return delegate.isValid();
- }
-
- @Override
- public String desc() {
- return desc;
- }
-
- @Override
- public RESP isAuthenticated() {
- return delegate.isAuthenticated();
- }
-
- @Override
- public RESP authenticate() throws IOException {
- return delegate.authenticate();
- }
-
- @Override
- public Principal getPrincipal() {
- return principal;
- }
-
- @Override
- public Access getAccess() {
- return delegate.getAccess();
- }
-
- @Override
- public boolean isFailedAttempt() {
- return delegate.isFailedAttempt();
- }
-
- public String toString() {
- return principal.getName() + " by trust of " + desc();
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
deleted file mode 100644
index f6cc3a7..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
+++ /dev/null
@@ -1,159 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.basic;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.BasicCred;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CredVal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.CredVal.Type;
-import org.onap.aaf.cadi.principal.BasicPrincipal;
-import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
-import org.onap.aaf.cadi.taf.HttpTaf;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
-
-/**
- * BasicHttpTaf
- *
- * This TAF implements the "Basic Auth" protocol.
- *
- * WARNING! It is true for any implementation of "Basic Auth" that the password is passed unencrypted.
- * This is because the expectation, when designed years ago, was that it would only be used in
- * conjunction with SSL (https). It is common, however, for users to ignore this on the assumption that
- * their internal network is secure, or just ignorance. Therefore, a WARNING will be printed
- * when the HTTP Channel is not encrypted (unless explicitly turned off).
- *
- *
- */
-public class BasicHttpTaf implements HttpTaf {
- private Access access;
- private String realm;
- private CredVal rbac;
- private boolean warn;
- private long timeToLive;
-
- public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) {
- this.access = access;
- this.realm = realm;
- this.rbac = rbac;
- this.warn = turnOnWarning;
- this.timeToLive = timeToLive;
- }
-
- /**
- * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.
- * @see Taf
- */
- public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- // See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately
- if(req instanceof BasicCred) {
- BasicCred bc = (BasicCred)req;
- if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null
- if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) {
- return DenialOfServiceTaf.respDenyID(access,bc.getUser());
- }
- CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
- // ONLY FOR Last Ditch DEBUGGING...
- // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
- if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred())) {
- return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
- } else {
- //TODO may need timed retries in a given time period
- return new BasicHttpTafResp(access,null,buildMsg(bp,req,"User/Pass combo invalid for ",bc.getUser()),
- RESP.TRY_AUTHENTICATING,resp,realm,true);
- }
- }
- }
- // Get User/Password from Authorization Header value
- String authz = req.getHeader("Authorization");
- if(authz != null && authz.startsWith("Basic ")) {
- if(warn&&!req.isSecure()) {
- access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
- }
- try {
- CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive);
- if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
- return DenialOfServiceTaf.respDenyID(access,ba.getName());
- }
-
- // ONLY FOR Last Ditch DEBUGGING...
- // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
- if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())) {
- return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
- } else {
- //TODO may need timed retries in a given time period
- return new BasicHttpTafResp(access,null,buildMsg(ba,req,"User/Pass combo invalid"),
- RESP.TRY_AUTHENTICATING,resp,realm,true);
- }
- } catch (IOException e) {
- String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')');
- access.log(Level.INFO,msg);
- return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true);
- }
- }
- return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false);
- }
-
- protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {
- StringBuilder sb = new StringBuilder();
- for(Object s : msg) {
- sb.append(s.toString());
- }
- if(pr!=null) {
- sb.append(" for ");
- sb.append(pr.getName());
- }
- sb.append(" from ");
- sb.append(req.getRemoteAddr());
- sb.append(':');
- sb.append(req.getRemotePort());
- return sb.toString();
- }
-
- @Override
- public Resp revalidate(CachedPrincipal prin) {
- if(prin instanceof BasicPrincipal) {
- BasicPrincipal ba = (BasicPrincipal)prin;
- if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
- return Resp.UNVALIDATED;
- }
- return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())?Resp.REVALIDATED:Resp.UNVALIDATED;
- }
- return Resp.NOT_MINE;
- }
-
- public String toString() {
- return "Basic Auth enabled on realm: " + realm;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
deleted file mode 100644
index 45eab48..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.basic;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.taf.AbsTafResp;
-import org.onap.aaf.cadi.taf.TafResp;
-
-public class BasicHttpTafResp extends AbsTafResp implements TafResp {
- private HttpServletResponse httpResp;
- private String realm;
- private RESP status;
- private final boolean wasFailed;
-
- public BasicHttpTafResp(Access access, Principal principal, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) {
- super(access,principal, description);
- httpResp = resp;
- this.realm = realm;
- this.status = status;
- this.wasFailed = wasFailed;
- }
-
- public RESP authenticate() throws IOException {
- httpResp.setStatus(401); // Unauthorized
- httpResp.setHeader("WWW-Authenticate", "Basic realm=\""+realm+'"');
- return RESP.HTTP_REDIRECT_INVOKED;
- }
-
- public RESP isAuthenticated() {
- return status;
- }
-
- public boolean isFailedAttempt() {
- return wasFailed;
- }
-
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java
deleted file mode 100644
index 1d84d67..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.cert;
-
-import java.security.Principal;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-import javax.servlet.http.HttpServletRequest;
-
-public interface CertIdentity {
- /**
- * identity from X509Certificate Object and/or certBytes
- *
- * If you have both, include them. If you only have one, leave the other null, and it will be generated if needed
- *
- * The Request is there to obtain Header or Attribute info of ultimate user
- *
- * @param req
- * @param cert
- * @param certBytes
- * @return
- * @throws CertificateException
- */
- public Principal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException;
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
deleted file mode 100644
index f301fc2..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.cert;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.taf.AbsTafResp;
-import org.onap.aaf.cadi.taf.TafResp;
-
-public class X509HttpTafResp extends AbsTafResp implements TafResp {
- private RESP status;
-
- public X509HttpTafResp(Access access, Principal principal, String description, RESP status) {
- super(access, principal, description);
- this.status = status;
- }
-
- public RESP authenticate() throws IOException {
- return RESP.TRY_ANOTHER_TAF;
- }
-
- public RESP isAuthenticated() {
- return status;
- }
-
- public String toString() {
- return status.name();
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
deleted file mode 100644
index 36217cc..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
+++ /dev/null
@@ -1,257 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.cert;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.Signature;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-
-import javax.net.ssl.TrustManagerFactory;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.Lur;
-import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.Taf.LifeForm;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.config.SecurityInfo;
-import org.onap.aaf.cadi.config.SecurityInfoC;
-import org.onap.aaf.cadi.lur.LocalPermission;
-import org.onap.aaf.cadi.principal.TGuardPrincipal;
-import org.onap.aaf.cadi.principal.X509Principal;
-import org.onap.aaf.cadi.taf.HttpTaf;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-import org.onap.aaf.cadi.util.Split;
-
-public class X509Taf implements HttpTaf {
-
- public static final CertificateFactory certFactory;
- public static final MessageDigest messageDigest;
- public static final TrustManagerFactory tmf;
- private Access access;
- private CertIdentity[] certIdents;
- private Lur lur;
- private ArrayList cadiIssuers;
- private String env;
- private SecurityInfo si;
-
- static {
- try {
- certFactory = CertificateFactory.getInstance("X.509");
- messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone
- tmf = TrustManagerFactory.getInstance(SecurityInfoC.SslKeyManagerFactoryAlgorithm);
- } catch (Exception e) {
- throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e);
- }
- }
-
- public X509Taf(Access access, Lur lur, CertIdentity ... cis) throws CertificateException, NoSuchAlgorithmException, CadiException {
- this.access = access;
- env = access.getProperty(Config.AAF_ENV,null);
- if(env==null) {
- throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set.");
- }
- this.lur = lur;
- this.cadiIssuers = new ArrayList();
- for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "CN=ATT CADI Issuing CA 01, OU=CSO, O=ATT, C=US:CN=ATT CADI Issuing CA 02, OU=CSO, O=ATT, C=US").split(":")) {
- cadiIssuers.add(ci);
- }
- try {
- Class dci = access.classLoader().loadClass("com.att.authz.cadi.DirectCertIdentity");
- CertIdentity temp[] = new CertIdentity[cis.length+1];
- System.arraycopy(cis, 0, temp, 1, cis.length);
- temp[0] = (CertIdentity) dci.newInstance();
- certIdents=temp;
- } catch (Exception e) {
- certIdents = cis;
- }
-
- try {
- si = new SecurityInfo(access);
- } catch (GeneralSecurityException | IOException e1) {
- throw new CadiException(e1);
- }
- }
-
- public static final X509Certificate getCert(byte[] certBytes) throws CertificateException {
- ByteArrayInputStream bais = new ByteArrayInputStream(certBytes);
- return (X509Certificate)certFactory.generateCertificate(bais);
- }
-
- public static final byte[] getFingerPrint(byte[] ba) {
- MessageDigest md;
- try {
- md = (MessageDigest)messageDigest.clone();
- } catch (CloneNotSupportedException e) {
- // should never get here
- return new byte[0];
- }
- md.update(ba);
- return md.digest();
- }
-
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- // Check for Mutual SSL
- try {
- X509Certificate[] certarr = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
- if(certarr!=null && certarr.length>0) {
- si.checkClientTrusted(certarr);
- // Note: If the Issuer is not in the TrustStore, it's not added to the Cert list
- if(cadiIssuers.contains(certarr[0].getIssuerDN().toString())) {
- String x500 = certarr[0].getSubjectDN().getName();
- int ou=x500.indexOf("OU=");
- if(ou>0) {
- ou+=3;
- int comma = x500.indexOf(',',ou);
- if(comma>0) {
- String id= x500.substring(ou,comma);
- String idenv[] = id.split(":");
- if(idenv.length==1 || (idenv.length>1 && env.equals(idenv[1]))) {
- return new X509HttpTafResp(access,
- new X509Principal(idenv[0], certarr[0],null),
- id + " validated by CADI x509", RESP.IS_AUTHENTICATED);
- }
- }
- }
- }
- }
-
- byte[] array = null;
- byte[] certBytes = null;
- X509Certificate cert=null;
- String responseText=null;
- String authHeader = req.getHeader("Authorization");
-
- if(certarr!=null) { // If cert !=null, Cert is Tested by Mutual Protocol.
- if(authHeader!=null) { // This is only intended to be a Secure Connection, not an Identity
- return new X509HttpTafResp(access, null, "Certificate verified, but another Identity is presented", RESP.TRY_ANOTHER_TAF);
- }
- cert = certarr[0];
- responseText = ", validated by Mutual SSL Protocol";
- } else { // If cert == null, Get Declared Cert (in header), but validate by having them sign something
- if(authHeader != null && authHeader.startsWith("x509 ")) {
- ByteArrayOutputStream baos = new ByteArrayOutputStream(authHeader.length());
- try {
- array = authHeader.getBytes();
- ByteArrayInputStream bais = new ByteArrayInputStream(array);
- Symm.base64noSplit.decode(bais, baos, 5);
- certBytes = baos.toByteArray();
- cert = getCert(certBytes);
-
- /**
- * Identity from CERT if well know CA and specific encoded information
- */
- // If found Identity doesn't work, try SignedStuff Protocol
-// cert.checkValidity();
-// cert.--- GET FINGERPRINT?
- String stuff = req.getHeader("Signature"); - if(stuff==null) - return new X509HttpTafResp(access, null, "Header entry 'Signature' required to validate One way X509 Certificate", RESP.TRY_ANOTHER_TAF); - String data = req.getHeader("Data"); -// if(data==null) -// return new X509HttpTafResp(access, null, "No signed Data to validate with X509 Certificate", RESP.TRY_ANOTHER_TAF); - - // Note: Data Pos shows is " " -// int dataPos = (stuff.indexOf(' ')); // determine what is Algorithm - // Get Signature - bais = new ByteArrayInputStream(stuff.getBytes()); - baos = new ByteArrayOutputStream(stuff.length()); - Symm.base64noSplit.decode(bais, baos); - array = baos.toByteArray(); -// Signature sig = Signature.getInstance(stuff.substring(0, dataPos)); // get Algorithm from first part of Signature - - Signature sig = Signature.getInstance(cert.getSigAlgName()); - sig.initVerify(cert.getPublicKey()); - sig.update(data.getBytes()); - if(!sig.verify(array)) { - access.log(Level.ERROR, "Signature doesn't Match"); - return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF); - } - responseText = ", validated by Signed Data"; - } catch (Exception e) { - access.log(e, "Exception while validating Cert"); - return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF); - } - - } else { - return new X509HttpTafResp(access, null, "No Certificate Info on Transaction", RESP.TRY_ANOTHER_TAF); - } - } - - // A cert has been found, match Identify - Principal prin=null; - - for(int i=0;prin==null && i deniedIP=null, deniedID=null; - private Access access; - private static File dosIP, dosID; - - /** - * - * @param hostname - * @param prod - * @throws CadiException - */ - public DenialOfServiceTaf(Access access) throws CadiException { - this.access = access; - if(dosIP==null || dosID == null) { - String dirStr; - if((dirStr = access.getProperty("aaf_data_dir", null))!=null) { - dosIP = new File(dirStr+"/dosIP"); - readIP(); - dosID 
= new File(dirStr+"/dosID");
- readID();
- }
- }
- }
-
- public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
- // Performance, when not needed
- if(deniedIP != null) {
- String ip;
- Counter c = deniedIP.get(ip=req.getRemoteAddr());
- if(c!=null) {
- c.inc();
- return respDenyIP(access,ip);
- }
- }
-
- // Note: Can't process Principal, because this is the first TAF, and no Principal is created.
- // Other TAFs use "isDenied()" on this Object to validate.
- return PuntTafResp.singleton();
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- // We always return NOT MINE, because DOS Taf does not ever validate
- return Resp.NOT_MINE;
- }
-
- /*
- * for use in Other TAFs, before they attempt backend validation of
- */
- public static Counter isDeniedID(String identity) {
- if(deniedID!=null) {
- return deniedID.get(identity);
- }
- return null;
- }
-
- /**
- *
- */
- public static Counter isDeniedIP(String ipvX) {
- if(deniedID!=null) {
- return deniedID.get(ipvX);
- }
- return null;
- }
-
- /**
- * Return of "True" means IP has been added.
- * Return of "False" means IP already added.
- *
- * @param ip
- * @return
- */
- public static synchronized boolean denyIP(String ip) {
- boolean rv = false;
- if(deniedIP==null) {
- deniedIP = new HashMap();
- deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent
- rv= true;
- } else if(deniedIP.get(ip)==null) {
- deniedIP.put(ip, new Counter(ip));
- rv = true;
- }
- if(rv) {
- writeIP();
- }
- return rv;
- }
-
- private static void writeIP() {
- if(dosIP!=null && deniedIP!=null) {
- if(deniedIP.isEmpty()) {
- if(dosIP.exists()) {
- dosIP.delete();
- }
- } else {
- PrintStream fos;
- try {
- fos = new PrintStream(new FileOutputStream(dosIP,false));
- try {
- for(String ip: deniedIP.keySet()) {
- fos.println(ip);
- }
- } finally {
- fos.close();
- }
- } catch (IOException e) {
- e.printStackTrace(System.err);
- }
- }
- }
- }
-
- private static void readIP() {
- if(dosIP!=null && dosIP.exists()) {
- BufferedReader br;
- try {
- br = new BufferedReader(new FileReader(dosIP));
- if(deniedIP==null) {
- deniedIP=new HashMap();
- }
-
- try {
- String line;
- while((line=br.readLine())!=null) {
- deniedIP.put(line, new Counter(line));
- }
- } finally {
- br.close();
- }
- } catch (IOException e) {
- e.printStackTrace(System.err);
- }
- }
- }
-
-
- /**
- * Return of "True" means IP has was removed.
- * Return of "False" means IP wasn't being denied.
- *
- * @param ip
- * @return
- */
- public static synchronized boolean removeDenyIP(String ip) {
- if(deniedIP!=null && deniedIP.remove(ip)!=null) {
- writeIP();
- if(deniedIP.isEmpty()) {
- deniedIP=null;
- }
- return true;
- }
- return false;
- }
-
- /**
- * Return of "True" means ID has been added.
- * Return of "False" means ID already added.
- *
- * @param ip
- * @return
- */
- public static synchronized boolean denyID(String id) {
- boolean rv = false;
- if(deniedID==null) {
- deniedID = new HashMap();
- deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent
- rv = true;
- } else if(deniedID.get(id)==null) {
- deniedID.put(id, new Counter(id));
- rv = true;
- }
- if(rv) {
- writeID();
- }
- return rv;
-
- }
-
- private static void writeID() {
- if(dosID!=null && deniedID!=null) {
- if(deniedID.isEmpty()) {
- if(dosID.exists()) {
- dosID.delete();
- }
- } else {
- PrintStream fos;
- try {
- fos = new PrintStream(new FileOutputStream(dosID,false));
- try {
- for(String ip: deniedID.keySet()) {
- fos.println(ip);
- }
- } finally {
- fos.close();
- }
- } catch (IOException e) {
- e.printStackTrace(System.err);
- }
- }
- }
- }
-
- private static void readID() {
- if(dosID!=null && dosID.exists()) {
- BufferedReader br;
- try {
- br = new BufferedReader(new FileReader(dosID));
- if(deniedID==null) {
- deniedID=new HashMap();
- }
- try {
- String line;
- while((line=br.readLine())!=null) {
- deniedID.put(line, new Counter(line));
- }
- } finally {
- br.close();
- }
- } catch (IOException e) {
- e.printStackTrace(System.err);
- }
- }
- }
-
- /**
- * Return of "True" means ID has was removed.
- * Return of "False" means ID wasn't being denied.
- *
- * @param ip
- * @return
- */
- public static synchronized boolean removeDenyID(String id) {
- if(deniedID!=null && deniedID.remove(id)!=null) {
- writeID();
- if(deniedID.isEmpty()) {
- deniedID=null;
- }
-
- return true;
- }
- return false;
- }
-
- public List report() {
- int initSize = 0;
- if(deniedIP!=null)initSize+=deniedIP.size();
- if(deniedID!=null)initSize+=deniedID.size();
- ArrayList al = new ArrayList(initSize);
- if(deniedID!=null) {
- for(Counter c : deniedID.values()) {
- al.add(c.toString());
- }
- }
- if(deniedIP!=null) {
- for(Counter c : deniedIP.values()) {
- al.add(c.toString());
- }
- }
- return al;
- }
-
- public static class Counter {
- private final String name;
- private int count = 0;
- private Date first;
- private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
-
- public Counter(String name) {
- this.name = name;
- first = null;
- last = 0L;
- count = 0;
- }
-
- public String getName() {
- return name;
- }
-
- public int getCount() {
- return count;
- }
-
- public long getLast() {
- return last;
- }
-
- /*
- * Only allow Denial of ServiceTaf to increment
- */
- private synchronized void inc() {
- ++count;
- last = System.currentTimeMillis();
- if(first==null) {
- first = new Date(last);
- }
- }
-
- public String toString() {
- if(count==0)
- return name + " is on the denied list, but has not attempted Access";
- else
- return
- name +
- " has been denied " +
- count +
- " times since " +
- first +
- ". Last denial was " +
- new Date(last);
- }
- }
-
- public static TafResp respDenyID(Access access, String identity) {
- return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list");
- }
-
- public static TafResp respDenyIP(Access access, String ip) {
- return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list");
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
deleted file mode 100644
index ac6c01a..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.dos;
-
-import java.io.IOException;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.taf.AbsTafResp;
-
-public class DenialOfServiceTafResp extends AbsTafResp {
- private RESP ect; // Homage to Arethra Franklin
-
- public DenialOfServiceTafResp(Access access, RESP resp, String description ) {
- super(access, null, description);
- ect = resp;
- }
-
- // Override base behavior of checking Principal and trying another TAF
- @Override
- public RESP isAuthenticated() {
- return ect;
- }
-
-
- public RESP authenticate() throws IOException {
- return ect;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java
deleted file mode 100644
index af9554f..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.localhost;
-
-import java.net.InetAddress;
-import java.net.NetworkInterface;
-import java.net.SocketException;
-import java.net.UnknownHostException;
-import java.util.Enumeration;
-import java.util.TreeSet;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.taf.HttpTaf;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-
-/**
- * Implement the ability to utilize LocalHost as a TAF.
- *
- * Configure with two properties,
- * localhost.deny
- * localhost.accept
- *
- * 1) If localhost.deny==true, then no localhost requests are allowed
- * 2) If localhost.deny==false, but accept==false, return "Try Another TAF" (i.e. allow further checking of the
- * chain, but don't treat localhost as an acceptable credential)
- * 3) If localhost.deny=false and accept=true, then the processes coming from the same machine, given logins are needed,
- * to run, are treated as validated. This is primarily for Developer purposes.
- *
- *
- *
- */
-public class LocalhostTaf implements HttpTaf {
- private TafResp isLocalHost,isNotLocalHost;
- private static final TreeSet addrSet;
-
- static {
- addrSet = new TreeSet();
- try {
- for(Enumeration en = NetworkInterface.getNetworkInterfaces();en.hasMoreElements();) {
- NetworkInterface ni = en.nextElement();
- for(Enumeration eia = ni.getInetAddresses();eia.hasMoreElements();) {
- InetAddress ia = eia.nextElement();
- addrSet.add(ia.getHostAddress());
- }
- }
- } catch (SocketException e) {
- }
-
- }
-
- public LocalhostTaf(Access access, boolean accept, boolean isDenied) {
- String hostname = access.getProperty("hostname",null);
- if(hostname !=null) {
- try {
- addrSet.add(InetAddress.getByName(hostname).getHostAddress());
- } catch (UnknownHostException e) {
- access.log(e,"Unknown Host");
- }
- }
-
- if(isDenied) {
- access.log(Level.INFO,"LocalhostTaf will deny all localhost traffic");
- } else {
- access.log(Level.INFO,"LocalhostTaf will not deny localhost requests, ",
- (accept?"and will treat them as authenticated":"but will require other authentication"));
- }
- // Set the appropriate behavior for when ID coming in is from localhost
- isLocalHost = isDenied?
- new LocalhostTafResp(access, RESP.NO_FURTHER_PROCESSING,"Localhost is denied"):
- accept?
- new LocalhostTafResp(access, RESP.IS_AUTHENTICATED,"Localhost is allowed"):
- new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Localhost is allowed");
- isNotLocalHost = new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Address is not Localhost");
- }
-
-// @Override
- public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- String remote = req.getRemoteAddr();
- return addrSet.contains(remote)
- ?isLocalHost
- :isNotLocalHost;
- }
-
- /**
- * This function used for other TAFs (i.e. CSP, which can't work on localhost address)
- *
- * @param address
- * @return
- */
- public static boolean isLocalAddress(String address) {
- return addrSet.contains(address);
- }
-
- public String toString() {
- return "Localhost TAF activated: " + isLocalHost.desc();
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- // shouldn't get here, since there's no need to Cache, but if so, LocalHost is always valid...
- return Resp.REVALIDATED;
- }
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java
deleted file mode 100644
index bda5484..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.localhost;
-
-import java.security.Principal;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.taf.TafResp;
-
-public class LocalhostTafResp implements TafResp {
- private RESP action;
- private String description;
- private final static Principal principal = new Principal() {
- private String name = System.getProperty("user.name")+"@localhost";
-// @Override
- public String getName() {
- return name;
- }
- };
-
- private Access access;
-
- public LocalhostTafResp(Access access, RESP state, String desc) {
- action = state;
- description = desc;
- this.access = access;
- }
-
-// @Override
- public boolean isValid() {
- return action == RESP.IS_AUTHENTICATED;
- }
-
-// @Override
- public String desc() {
- return description;
- }
-
-// @Override
- public RESP authenticate() {
- return action;
- }
-
- public RESP isAuthenticated() {
- return action;
- }
-
-// @Override
- public Principal getPrincipal() {
- return principal;
- }
-
- public Access getAccess() {
- return access;
- }
-
- public boolean isFailedAttempt() {
- return false;
- }
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java b/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java
deleted file mode 100644
index f999a11..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.util;
-
-import java.io.File;
-import java.io.IOException;
-
-public interface Chmod {
- public void chmod(File f) throws IOException;
-
- public static final Chmod to755 = new Chmod() {
- public void chmod(File f) throws IOException {
- f.setExecutable(true, false);
- f.setExecutable(true, true);
- f.setReadable(true, false);
- f.setReadable(true, true);
- f.setWritable(false, false);
- f.setWritable(true, true);
- }
- };
-
- public static final Chmod to644 = new Chmod() {
- public void chmod(File f) throws IOException {
- f.setExecutable(false, false);
- f.setExecutable(false, true);
- f.setReadable(true, false);
- f.setReadable(true, true);
- f.setWritable(false, false);
- f.setWritable(true, true);
- }
- };
-
- public static final Chmod to400 = new Chmod() {
- public void chmod(File f) throws IOException {
- f.setExecutable(false, false);
- f.setExecutable(false, true);
- f.setReadable(false, false);
- f.setReadable(true, true);
- f.setWritable(false, false);
- f.setWritable(false, true);
- }
- };
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java b/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java
deleted file mode 100644
index 546292e..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.util;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-public class JsonOutputStream extends OutputStream {
- private static final byte[] TWO_SPACE = " ".getBytes();
- private OutputStream os;
- private boolean closeable;
- private int indent = 0;
- private int prev,ret=0;
-
- public JsonOutputStream(OutputStream os) {
- // Don't close these, or dire consequences.
- closeable = !os.equals(System.out) && !os.equals(System.err); - this.os = os; - } - - @Override - public void write(int b) throws IOException { - if(ret=='\n') { - ret = 0; - if(prev!=',' || (b!='{' && b!='[')) { - os.write('\n'); - for(int i=0;i=0?slash:str.length(); - int bits = slash>=0?Integer.parseInt(str.substring(slash+1)):32; - if(check && bits>32) { - throw new MaskFormatException("Invalid Mask Offset in IPV4 Address"); - } - int prev = 0; - long lbyte; - while(prev255 || lbyte<0)) { - throw new MaskFormatException("Invalid Byte in IPV4 Address"); - } - rv|=lbyte<>bits; - } - return rv; - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/util/Split.java b/core/src/main/java/org/onap/aaf/cadi/util/Split.java deleted file mode 100644 index c3b37dc..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/util/Split.java +++ /dev/null 
@@ -1,91 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.util;
-
-/**
- * Split by Char, optional Trim
- *
- * Note: Copied from Inno to avoid linking issues.
- * Note: I read the String split and Pattern split code, and we can do this more efficiently for a single Character - * - * 8/20/2015 - */ - -public class Split { - public static String[] split(char c, String value) { - // Count items to preallocate Array (memory alloc is more expensive than counting twice) - int count,idx; - for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count); - String[] rv = new String[count]; - if(count==1) { - rv[0]=value; - } else { - int last=0; - count=-1; - for(idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,idx)) { - rv[++count]=value.substring(last,idx); - last = ++idx; - } - rv[++count]=value.substring(last); - } - return rv; - } - - public static String[] splitTrim(char c, String value) { - // Count items to preallocate Array (memory alloc is more expensive than counting twice) - int count,idx; - for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count); - String[] rv = new String[count]; - if(count==1) { - rv[0]=value.trim(); - } else { - int last=0; - count=-1; - for(idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,idx)) { - rv[++count]=value.substring(last,idx).trim(); - last = ++idx; - } - rv[++count]=value.substring(last).trim(); - } - return rv; - } - - public static String[] splitTrim(char c, String value, int size) { - int idx; - String[] rv = new String[size]; - if(size==1) { - rv[0]=value.trim(); - } else { - int last=0; - int count=-1; - size-=2; - for(idx=value.indexOf(c);idx>=0 && count0 && args[0]!=null && rv.length()==0) { - rv = args[0].toString(); - } - return rv; - } - - @Override - public char[] readPassword(String fmt, Object... args) { - return System.console().readPassword(fmt, args); - } - - public static boolean implemented() { - return System.console()!=null; - } - - @Override - public void printf(String fmt, Object... args) { - System.console().printf(fmt, args); - } -} 
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java b/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java
deleted file mode 100644
index 5f945f3..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.util;
-
-import org.onap.aaf.cadi.UserChain;
-
-public class UserChainManip {
- /**
- Build an element in the correct format for UserChain.
- Format:::[:AS][,::]* - @see UserChain - */ - public static StringBuilder build(StringBuilder sb, String app, String id, UserChain.Protocol proto, boolean as) { - boolean mayAs; - if(!(mayAs=sb.length()==0)) { - sb.append(','); - } - sb.append(app); - sb.append(':'); - sb.append(id); - sb.append(':'); - sb.append(proto.name()); - if(as && mayAs) { - sb.append(":AS"); - } - return sb; - } - - public static String idToNS(String id) { - if(id==null) { - return ""; - } else { - StringBuilder sb = new StringBuilder(); - char c; - int end; - boolean first = true; - for(int idx = end = id.length()-1;idx>=0;--idx) { - if((c = id.charAt(idx))=='@' || c=='.') { - if(idx vars) { - String[] array = new String[vars.size()]; - StringBuilder sb = new StringBuilder(); - convert(sb,text,vars.toArray(array)); - return sb.toString(); - } - /** - * Convert a format string with "%s" into AT&T RESTful Error %1 %2 (number) format - * If "holder" is passed in, it is built with full Message extracted (typically for Logging) - * @param holder - * @param text - * @param vars - * @return - */ - public static String convert(final StringBuilder holder, final String text, final String ... 
vars) { - StringBuilder sb = null; - int idx,index=0,prev = 0; - - if(text.contains("%s")) { - sb = new StringBuilder(); - } - - StringBuilder[] sbs = new StringBuilder[] {sb,holder}; - boolean replace, clearIndex = false; - int c; - while((idx=text.indexOf('%',prev))>=0) { - replace = false; - if(clearIndex) { - index=0; - } - if(sb!=null) { - sb.append(text,prev,idx); - } - if(holder!=null) { - holder.append(text,prev,idx); - } - - boolean go = true; - while(go) { - if(text.length()>++idx) { - switch(c=text.charAt(idx)) { - case '0': case '1': case '2': case '3': case '4': - case '5': case '6': case '7': case '8': case '9': - index *=10; - index +=(c-'0'); - clearIndex=replace=true; - continue; - case 's': - ++index; - replace = true; - continue; - default: - break; - } - } - prev = idx; - go=false; - if(replace) { - if(sb!=null) { - sb.append('%'); - sb.append(index); - } - if(index<=vars.length) { - if(holder!=null) { - holder.append(vars[index-1]); - } - } - } else { - for(StringBuilder s : sbs) { - if(s!=null) { - s.append("%"); - } - } - } - } - } - - if(sb!=null) { - sb.append(text,prev,text.length()); - } - if(holder!=null) { - holder.append(text,prev,text.length()); - } - - return sb==null?text:sb.toString(); - } - -} diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java b/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java deleted file mode 100644 index e95337f..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java +++ /dev/null 
@@ -1,37 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.wsse;
-
-/**
- * Interface to specify an action deep within a parsing tree on a local object
- *
- * We use a Generic so as to be flexible on create what that object actually is. This is passed in at the
- * root "parse" call of Match. Similar to a "Visitor" Pattern, this object is passed upon reaching the right
- * point in a parse tree.
- *
- *
- * @param
- */
-interface Action {
- public boolean content(OUTPUT output, String text);
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java b/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java
deleted file mode 100644
index bffe447..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java
+++ /dev/null
@@ -1,130 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.wsse; - -import javax.xml.namespace.QName; -import javax.xml.stream.XMLStreamException; -import javax.xml.stream.events.XMLEvent; - -/** - * Match Class allows you to build an automatic Tree of StAX (or StAX like) - * Objects for frequent use. - * - * OBJECT is a type which you which to do some end Actions on, similar to a Visitor pattern, see Action - * - * Note: We have implemented with XReader and XEvent, rather than StAX for performance reasons. 
- * - * @see Action - * @see Match - * @see XEvent - * @see XReader - * - * - * @param - */ -//@SuppressWarnings("restriction") -public class Match { - private QName qname; - private Match[] next; - private Match prev; - private Action action = null; - private boolean stopAfter; - private boolean exclusive; - - - @SafeVarargs - public Match(String ns, String name, Match ... next) { - this.qname = new QName(ns,name); - this.next = next; - stopAfter = exclusive = false; - for(Match m : next) { // add the possible tags to look for - if(!m.stopAfter)m.prev = this; - } - } - - public Match onMatch(OUTPUT output, XReader reader) throws XMLStreamException { - while(reader.hasNext()) { - XEvent event = reader.nextEvent(); - switch(event.getEventType()) { - case XMLEvent.START_ELEMENT: - QName e_qname = event.asStartElement().getName(); - //System.out.println("Start - " + e_qname); - boolean match = false; - for(Match m : next) { - if(e_qname.equals(m.qname)) { - match=true; - if(m.onMatch(output, reader)==null) { - return null; // short circuit Parsing - } - break; - } - } - if(exclusive && !match) // When Tag MUST be present, i.e. 
the Root Tag, versus info we're not interested in - return null; - break; - case XMLEvent.CHARACTERS: - //System.out.println("Data - " +event.asCharacters().getData()); - if(action!=null) { - if(!action.content(output,event.asCharacters().getData())) { - return null; - } - } - break; - case XMLEvent.END_ELEMENT: - //System.out.println("End - " + event.asEndElement().getName()); - if(event.asEndElement().getName().equals(qname)) { - return prev; - } - break; - case XMLEvent.END_DOCUMENT: - return null; // Exit Chain - } - } - return this; - } - - /** - * When this Matched Tag has completed, Stop parsing and end - * @return - */ - public Match stopAfter() { - stopAfter = true; - return this; - } - - /** - * Mark that this Object MUST be matched at this level or stop parsing and end - * - * @param action - * @return - */ - public Match exclusive() { - exclusive = true; - return this; - } - - public Match set(Action action) { - this.action = action; - return this; - } -} diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java b/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java deleted file mode 100644 index 760020a..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java +++ /dev/null 
@@ -1,86 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.wsse; - -import java.io.IOException; -import java.io.InputStream; - -import javax.xml.stream.XMLStreamException; - -import org.onap.aaf.cadi.BasicCred; - - -/** - * WSSE Parser - * - * Read the User and Password from WSSE Formatted SOAP Messages - * - * This class uses StAX so that processing is stopped as soon as the Security User/Password are read into BasicCred, or the Header Ends - * - * This class is intended to be created once (or very few times) and reused as much as possible. - * - * It is as thread safe as StAX parsing is. 
- * - */ -public class WSSEParser { - private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"; - private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; - private Match parseTree; - //private XMLInputFactory inputFactory; - - public WSSEParser() { - // soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/[wsse:Password&wsse:Username] - parseTree = new Match(SOAP_NS,"root", // need a root level to start from... Doesn't matter what the tag is - new Match(SOAP_NS,"Envelope", - new Match(SOAP_NS,"Header", - new Match(WSSE_NS,"Security", - new Match(WSSE_NS,"UsernameToken", - new Match(WSSE_NS,"Password").set(new Action() { - public boolean content(BasicCred bc,String text) { - bc.setCred(text.getBytes()); - return true; - } - }), - new Match(WSSE_NS,"Username").set(new Action() { - public boolean content(BasicCred bc,String text) { - bc.setUser(text); - return true; - } - }) - ).stopAfter() // if found, end when UsernameToken ends (no further processing needed) - ) - ).stopAfter() // Stop Processing when Header Ends - ).exclusive()// Envelope must match Header, and no other. FYI, Body comes after Header short circuits (see above), so it's ok - ).exclusive(); // root must be Envelope - //inputFactory = XMLInputFactory.newInstance(); - } - - public XMLStreamException parse(BasicCred bc, InputStream is) throws IOException { - try { - parseTree.onMatch(bc, new XReader(is)); - return null; - } catch (XMLStreamException e) { - return e; - } - } -} diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java b/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java deleted file mode 100644 index e5af256..0000000 --- a/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java +++ /dev/null 
@@ -1,135 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.wsse; - -import javax.xml.namespace.QName; -import javax.xml.stream.events.XMLEvent; - -/** - * XEvent - * - * This mechanism mimics a minimal portion of StAX "XMLEvent", enough to work with minimal XReader. 
- * - * We implement the same interface, as much as minimally necessary, as XMLEvent for these small usages so as to - * be interchangeable in the future, if so desired - * - * - */ -// @SuppressWarnings("restriction") -public abstract class XEvent { - - public abstract int getEventType(); - - public StartElement asStartElement() { - return (StartElement)this; - } - - public Characters asCharacters() { - return (Characters)this; - } - - public EndElement asEndElement() { - return (EndElement)this; - } - - public static abstract class NamedXEvent extends XEvent { - private QName qname; - - public NamedXEvent(QName qname) { - this.qname = qname; - } - - public QName getName() { - return qname; - } - } - public static class StartElement extends NamedXEvent { - - public StartElement(String ns, String tag) { - super(new QName(ns,tag)); - } - - @Override - public int getEventType() { - return XMLEvent.START_ELEMENT; - } - } - - public static class EndElement extends NamedXEvent { - public EndElement(String ns, String tag) { - super(new QName(ns,tag)); - } - - @Override - public int getEventType() { - return XMLEvent.END_ELEMENT; - } - } - - public static class Characters extends XEvent { - private String data; - - public Characters(String data) { - this.data = data; - } - @Override - public int getEventType() { - return XMLEvent.CHARACTERS; - } - - public String getData() { - return data; - } - } - - public static class StartDocument extends XEvent { - - @Override - public int getEventType() { - return XMLEvent.START_DOCUMENT; - } - - } - - public static class EndDocument extends XEvent { - - @Override - public int getEventType() { - return XMLEvent.END_DOCUMENT; - } - - } - public static class Comment extends XEvent { - public final String value; - public Comment(String value) { - this.value = value; - } - - @Override - public int getEventType() { - return XMLEvent.COMMENT; - } - - } - -} 
diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java b/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java
deleted file mode 100644
index 8fa8113..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java
+++ /dev/null
@@ -1,416 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START==================================================== - * * org.onap.aaf - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ -package org.onap.aaf.cadi.wsse; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Stack; - -import javax.xml.stream.XMLStreamException; - -/** - * XReader - * This class works similarly as StAX, except StAX has more behavior than is needed. 
That would be ok, but - * StAX also was Buffering in their code in such as way as to read most if not all the incoming stream into memory, - * defeating the purpose of pre-reading only the Header - * - * This Reader does no back-tracking, but is able to create events based on syntax and given state only, leaving the - * Read-ahead mode of the InputStream up to the other classes. - * - * At this time, we only implement the important events, though if this is good enough, it could be expanded, perhaps to - * replace the original XMLReader from StAX. - * - * - */ -// @SuppressWarnings("restriction") -public class XReader { - private XEvent curr,another; - private InputStream is; - private ByteArrayOutputStream baos; - private int state, count, last; - - private Stack> nsses; - - public XReader(InputStream is) { - this.is = is; - curr = another = null; - baos = new ByteArrayOutputStream(); - state = BEGIN_DOC; - count = 0; - nsses = new Stack>(); - } - - public boolean hasNext() throws XMLStreamException { - if(curr==null) { - curr = parse(); - } - return curr!=null; - } - - public XEvent nextEvent() { - XEvent xe = curr; - curr = null; - return xe; - } - - // - // State Flags - // - // Note: The State of parsing XML can be complicated. There are too many to cleanly keep in "booleans". 
Additionally, - // there are certain checks that can be better made with Bitwise operations within switches - // Keeping track of state this way also helps us to accomplish logic without storing any back characters except one - private final static int BEGIN_DOC= 0x000001; - private final static int DOC_TYPE= 0x000002; - private final static int QUESTION_F= 0x000004; - private final static int QUESTION = 0x000008; - private final static int START_TAG = 0x000010; - private final static int END_TAG = 0x000020; - private final static int VALUE= 0x000040; - private final static int COMMENT = 0x001000; - private final static int COMMENT_E = 0x002000; - private final static int COMMENT_D1 =0x010000; - private final static int COMMENT_D2 =0x020000; - private final static int COMMENT_D3 =0x040000; - private final static int COMMENT_D4 =0x080000; - // useful combined Comment states - private final static int IN_COMMENT=COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2; - private final static int COMPLETE_COMMENT = COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3|COMMENT_D4; - - - private XEvent parse() throws XMLStreamException { - Map nss = nsses.isEmpty()?null:nsses.peek(); - - XEvent rv; - if((rv=another)!=null) { // "another" is a tag that may have needed to be created, but not - // immediately returned. Save for next parse. If necessary, this could be turned into - // a FIFO storage, but a single reference is enough for now. - another = null; // "rv" is now set for the Event, and will be returned. Set to Null. 
- } else { - boolean go = true; - int c=0; - - try { - while(go && (c=is.read())>=0) { - ++count; - switch(c) { - case '<': // Tag is opening - state|=~BEGIN_DOC; // remove BEGIN_DOC flag, this is possibly an XML Doc - XEvent cxe = null; - if(baos.size()>0) { // If there are any characters between tags, we send as Character Event - String chars = baos.toString().trim(); // Trim out WhiteSpace before and after - if(chars.length()>0) { // don't send if Characters were only whitespace - cxe = new XEvent.Characters(chars); - baos.reset(); - go = false; - } - } - last = c; // make sure "last" character is set for use in "ParseTag" - Tag t = parseTag(); // call subroutine to process the tag as a unit - String ns; - switch(t.state&(START_TAG|END_TAG)) { - case START_TAG: - nss = getNss(nss,t); // Only Start Tags might have NS Attributes - // Get any NameSpace elements from tag. If there are, nss will become - // a new Map with all the previous NSs plus the new. This provides - // scoping behavior when used with the Stack - // drop through on purpose - case END_TAG: - ns = t.prefix==null?"":nss.get(t.prefix); // Get the namespace from prefix (if exists) - break; - default: - ns = ""; - } - if(ns==null) - throw new XMLStreamException("Invalid Namespace Prefix at " + count); - go = false; - switch(t.state) { // based on - case DOC_TYPE: - rv = new XEvent.StartDocument(); - break; - case COMMENT: - rv = new XEvent.Comment(t.value); - break; - case START_TAG: - rv = new XEvent.StartElement(ns,t.name); - nsses.push(nss); // Change potential scope for Namespace - break; - case END_TAG: - rv = new XEvent.EndElement(ns,t.name); - nss = nsses.pop(); // End potential scope for Namespace - break; - case START_TAG|END_TAG: // This tag is both start/end aka - rv = new XEvent.StartElement(ns,t.name); - if(last=='/')another = new XEvent.EndElement(ns,t.name); - } - if(cxe!=null) { // if there is a Character Event, it actually should go first. ow. 
- another = rv; // Make current Event the "another" or next event, and - rv = cxe; // send Character Event now - } - break; - case ' ': - case '\t': - case '\n': - if((state&BEGIN_DOC)==BEGIN_DOC) { // if Whitespace before doc, just ignore - break; - } - // fallthrough on purpose - default: - if((state&BEGIN_DOC)==BEGIN_DOC) { // if there is any data at the start other than XML Tag, it's not XML - throw new XMLStreamException("Parse Error: This is not an XML Doc"); - } - baos.write(c); // save off Characters - } - last = c; // Some processing needs to know what the last character was, aka Escaped characters... ex \" - } - } catch (IOException e) { - throw new XMLStreamException(e); // all errors parsing will be treated as XMLStreamErrors (like StAX) - } - if(c==-1 && (state&BEGIN_DOC)==BEGIN_DOC) { // Normally, end of stream is ok, however, we need to know if the - throw new XMLStreamException("Premature End of File"); // document isn't an XML document, so we throw exception if it - } // hasn't yet been determined to be an XML Doc - } - return rv; - } - - /** - * parseTag - * - * Parsing a Tag is somewhat complicated, so it's helpful to separate this process from the - * higher level Parsing effort - * @return - * @throws IOException - * @throws XMLStreamException - */ - private Tag parseTag() throws IOException, XMLStreamException { - Tag tag = null; - boolean go = true; - state = 0; - int c, quote=0; // If "quote" is 0, then we're not in a quote. We set ' (in pretag) or " in attribs accordingly to denote quoted - String prefix=null,name=null,value=null; - baos.reset(); - - while(go && (c=is.read())>=0) { - ++count; - if(quote!=0) { // If we're in a quote, we only end if we hit another quote of the same time, not preceded by \ - if(c==quote && last!='\\') { - quote=0; - } else { - baos.write(c); - } - } else if((state&COMMENT)==COMMENT) { // similar to Quote is being in a comment - switch(c) { - case '-': - switch(state) { // XML has a complicated Quote set... ... 
we keep track if each has been met with flags. - case COMMENT|COMMENT_E: - state|=COMMENT_D1; - break; - case COMMENT|COMMENT_E|COMMENT_D1: - state|=COMMENT_D2; - baos.reset(); // clear out "!--", it's a Comment - break; - case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2: - state|=COMMENT_D3; - baos.write(c); - break; - case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3: - state|=COMMENT_D4; - baos.write(c); - break; - } - break; - case '>': // Tag indicator has been found, do we have all the comment characters in line? - if((state&COMPLETE_COMMENT)==COMPLETE_COMMENT) { - byte ba[] = baos.toByteArray(); - tag = new Tag(null,null, new String(ba,0,ba.length-2)); - baos.reset(); - go = false; - break; - } - // fall through on purpose - default: - state&=~(COMMENT_D3|COMMENT_D4); - if((state&IN_COMMENT)!=IN_COMMENT) state&=~IN_COMMENT; // false alarm, it's not actually a comment - baos.write(c); - } - } else { // Normal Tag Processing loop - switch(c) { - case '?': - switch(state & (QUESTION_F|QUESTION)) { // Validate the state of Doc tag... - case QUESTION_F: - state |= DOC_TYPE; - state &= ~QUESTION_F; - break; - case 0: - state |=QUESTION_F; - break; - default: - throw new IOException("Bad character [?] 
at " + count); - } - break; - case '!': - if(last=='<') { - state|=COMMENT|COMMENT_E; // likely a comment, continue processing in Comment Loop - } - baos.write(c); - break; - case '/': - state|=(last=='<'?END_TAG:(END_TAG|START_TAG)); // end tag indicator , ,or both - break; - case ':': - prefix=baos.toString(); // prefix indicator - baos.reset(); - break; - case '=': // used in Attributes - name=baos.toString(); - baos.reset(); - state|=VALUE; - break; - case '>': // end the tag, which causes end of this subprocess as well as formulation of the found data - go = false; - // passthrough on purpose - case ' ': - case '\t': - case '\n': // white space indicates change in internal tag state, ex between name and between attributes - if((state&VALUE)==VALUE) { - value = baos.toString(); // we're in VALUE state, add characters to Value - } else if(name==null) { - name = baos.toString(); // we're in Name state (default) add characters to Name - } - baos.reset(); // we've assigned chars, reset buffer - if(name!=null) { // Name is not null, there's a tag in the offing here... - Tag t = new Tag(prefix,name,value); - if(tag==null) { // Set as the tag to return, if not exists - tag = t; - } else { // if we already have a Tag, then we'll treat this one as an attribute - tag.add(t); - } - } - prefix=name=value=null; // reset these values in case we loop for attributes. - break; - case '\'': // is the character one of two kinds of quote? 
- case '"': - if(last!='\\') { - quote=c; - break; - } - // Fallthrough ok - default: - baos.write(c); // write any unprocessed bytes into buffer - - } - } - last = c; - } - int type = state&(DOC_TYPE|COMMENT|END_TAG|START_TAG); // get just the Tag states and turn into Type for Tag - if(type==0) { - type=START_TAG; - } - tag.state|=type; // add the appropriate Tag States - return tag; - } - - /** - * getNSS - * - * If the tag contains some Namespace attributes, create a new nss from the passed in one, copy all into it, then add - * This provides Scoping behavior - * - * if Nss is null in the first place, create an new nss, so we don't have to deal with null Maps. - * - * @param nss - * @param t - * @return - */ - private Map getNss(Map nss, Tag t) { - Map newnss = null; - if(t.attribs!=null) { - for(Tag tag : t.attribs) { - if("xmlns".equals(tag.prefix)) { - if(newnss==null) { - newnss = new HashMap(); - if(nss!=null)newnss.putAll(nss); - } - newnss.put(tag.name, tag.value); - } - } - } - return newnss==null?(nss==null?new HashMap():nss):newnss; - } - - /** - * The result of the parseTag method - * - * Data is split up into prefix, name and value portions. "Tags" with Values that are inside a Tag are known in XLM - * as Attributes. - * - * - */ - public class Tag { - public int state; - public String prefix,name,value; - public List attribs; - - public Tag(String prefix, String name, String value) { - this.prefix = prefix; - this.name = name; - this.value = value; - attribs = null; - } - - /** - * add an attribute - * Not all tags need attributes... 
lazy instantiate to save time and memory - * @param tag - */ - public void add(Tag attrib) { - if(attribs == null) { - attribs = new ArrayList(); - } - attribs.add(attrib); - } - - public String toString() { - StringBuffer sb = new StringBuffer(); - if(prefix!=null) { - sb.append(prefix); - sb.append(':'); - } - sb.append(name==null?"!!ERROR!!":name); - - char quote = ((state&DOC_TYPE)==DOC_TYPE)?'\'':'"'; - if(value!=null) { - sb.append('='); - sb.append(quote); - sb.append(value); - sb.append(quote); - } - return sb.toString(); - } - } - -} -- cgit 1.2.3-korg