summaryrefslogtreecommitdiffstats
path: root/core/src/main/java/com/att/cadi/taf/HttpEpiTaf.java
blob: 7f6d9af92b1a7230764209dd02873885fa5ce05e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
/*******************************************************************************
 * ============LICENSE_START====================================================
 * * org.onap.aai
 * * ===========================================================================
 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
 * * Copyright © 2017 Amdocs
 * * ===========================================================================
 * * Licensed under the Apache License, Version 2.0 (the "License");
 * * you may not use this file except in compliance with the License.
 * * You may obtain a copy of the License at
 * * 
 *  *      http://www.apache.org/licenses/LICENSE-2.0
 * * 
 *  * Unless required by applicable law or agreed to in writing, software
 * * distributed under the License is distributed on an "AS IS" BASIS,
 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * * See the License for the specific language governing permissions and
 * * limitations under the License.
 * * ============LICENSE_END====================================================
 * *
 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
 * *
 ******************************************************************************/
package com.att.cadi.taf;

import java.net.URI;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.att.cadi.Access;
import com.att.cadi.CachedPrincipal;
import com.att.cadi.CachedPrincipal.Resp;
import com.att.cadi.CadiException;
import com.att.cadi.Locator;
import com.att.cadi.Taf.LifeForm;
import com.att.cadi.TrustChecker;

/**
 * HttpEpiTaf
 * 
 * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials
 * 
 *
 */
public class HttpEpiTaf implements HttpTaf {
	private HttpTaf[] tafs;
	private Access access;
	private Locator<URI> locator;
	private TrustChecker trustChecker;
	
	/**
	 * HttpEpiTaf constructor
	 * 
	 * Construct the HttpEpiTaf from variable Http specific TAF parameters

	 * @param tafs
	 * @throws CadiException
	 */
	public HttpEpiTaf(Access access, Locator<URI> locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{
		this.tafs = tafs;
		this.access = access;
		this.locator = locator;
		this.trustChecker = tc;
		// Establish what Header Property to look for UserChain/Trust Props 
//		trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT);

		if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor");
	}

	/**
	 * validate
	 * 
	 * Respond with the first Http specific TAF to authenticate user based on variable info 
	 * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol).
	 * 
	 * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can
	 * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP
	 * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm 
	 * submission
	 * 
	 * If no TAF declares either, respond with NullTafResp (which denies all questions)
	 */
	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
		// Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings
		if(reading==LifeForm.LFN) {
			reading = tricorderScan(req);
		}
		TafResp tresp=null, firstTry = null;
		List<Redirectable> redirectables = null;
		
		for(HttpTaf taf : tafs) {
			tresp = taf.validate(reading, req, resp);
			switch(tresp.isAuthenticated()) {
				case TRY_ANOTHER_TAF:
					break; // and loop
				case TRY_AUTHENTICATING:
					if(tresp instanceof Redirectable) {
						if(redirectables==null) {
							redirectables = new ArrayList<Redirectable>();
						}
						redirectables.add((Redirectable)tresp);
					} else if(firstTry==null) {
						firstTry = tresp;
					}
					break; 
				case IS_AUTHENTICATED:
					tresp = trustChecker.mayTrust(tresp, req);
					return tresp;
				default:
					return tresp;
			}
		}
		
		// If No TAFs configured, at this point.  It is safer at this point to be "not validated", 
		// rather than "let it go"
		// Note: if exists, there will always be more than 0 entries, according to above code
		if(redirectables==null) {
			return firstTry!=null?firstTry:NullTafResp.singleton();
		}
		
		// If there is one Tryable entry then return it
		if(redirectables.size()>1) {
			return LoginPageTafResp.create(access,locator,resp,redirectables);
		} else {
			return redirectables.get(0);
		}
	}
	
	public boolean revalidate(Principal prin) throws Exception {
		return false;
	}

	/*
	 * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind
	 * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical 
	 * id (SiliconBasedLifeForm)?  This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs
	 */
	private LifeForm tricorderScan(HttpServletRequest req) {
		// For simplicity's sake, we'll say Humans use FQDNs, not IPs.
		
		String auth = req.getParameter("Authentication");
		if(auth!=null) {
			if("BasicAuth".equals(auth)) {
				return LifeForm.SBLF;
			}
		}
		// Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are.
		// If mechanical frameworks are found that populate this, then more advanced analysis may be required
		//  1/22/2013
		String agent = req.getHeader("User-Agent");
		if(agent!=null && agent.startsWith("Mozilla")) // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent
			return LifeForm.CBLF;                      
		return LifeForm.SBLF;							// notably skips "curl","wget", (which is desired behavior.  We don't want to try CSP, etc on these)
	}

	public Resp revalidate(CachedPrincipal prin) {
		Resp resp;
		for(HttpTaf taf : tafs) {
			resp = taf.revalidate(prin);
			switch(resp) {
				case NOT_MINE:
					break;
				default:
					return resp;
			}
		}
		return Resp.NOT_MINE;
	}

	/**
	 * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE
	 * like Eclipse.
	 */
	public String toString() {
		StringBuilder sb = new StringBuilder();
		for(HttpTaf ht : tafs) {
			sb.append(ht.toString());
			sb.append(". ");
		}
		return sb.toString();
	}
}