summaryrefslogtreecommitdiffstats
path: root/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java
blob: 67754a96d8b6b741e79d11fbaabf64024dc35d9e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
/*******************************************************************************
 * ============LICENSE_START====================================================
 * * org.onap.aaf
 * * ===========================================================================
 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
 * * ===========================================================================
 * * Licensed under the Apache License, Version 2.0 (the "License");
 * * you may not use this file except in compliance with the License.
 * * You may obtain a copy of the License at
 * * 
 *  *      http://www.apache.org/licenses/LICENSE-2.0
 * * 
 *  * Unless required by applicable law or agreed to in writing, software
 * * distributed under the License is distributed on an "AS IS" BASIS,
 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * * See the License for the specific language governing permissions and
 * * limitations under the License.
 * * ============LICENSE_END====================================================
 * *
 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
 * *
 ******************************************************************************/
package com.att.cadi.taf.localhost;

import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.Enumeration;
import java.util.TreeSet;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.att.cadi.Access;
import com.att.cadi.Access.Level;
import com.att.cadi.CachedPrincipal;
import com.att.cadi.CachedPrincipal.Resp;
import com.att.cadi.Taf;
import com.att.cadi.taf.HttpTaf;
import com.att.cadi.taf.TafResp;
import com.att.cadi.taf.TafResp.RESP;

/**
 * Implement the ability to utilize LocalHost as a TAF.
 * 
 * Configure with two properties, 
 * 	localhost.deny
 *  localhost.accept
 *  
 * 1) If localhost.deny==true, then no localhost requests are allowed
 * 2) If localhost.deny==false, but accept==false, return "Try Another TAF" (i.e. allow further checking of the
 *   chain, but don't treat localhost as an acceptable credential)
 * 3) If localhost.deny=false and accept=true, then the processes coming from the same machine, given logins are needed, 
 * to run, are treated as validated.  This is primarily for Developer purposes.
 *   
 * 
 *
 */
public class LocalhostTaf implements HttpTaf {
	private TafResp isLocalHost,isNotLocalHost;
	private static final TreeSet<String> addrSet;
	
	static {
		addrSet = new TreeSet<String>();
		try {
			for(Enumeration<NetworkInterface> en = NetworkInterface.getNetworkInterfaces();en.hasMoreElements();) {
				NetworkInterface ni = en.nextElement();
				for(Enumeration<InetAddress> eia = ni.getInetAddresses();eia.hasMoreElements();) {
					InetAddress ia = eia.nextElement();
					addrSet.add(ia.getHostAddress());
				}
			}
		} catch (SocketException e) {
		}
		
	}

	public LocalhostTaf(Access access, boolean accept, boolean isDenied) {
		String hostname = access.getProperty("hostname",null);
		if(hostname !=null) {
			try {
				addrSet.add(InetAddress.getByName(hostname).getHostAddress());
			} catch (UnknownHostException e) {
				access.log(e,"Unknown Host");
			}
		}
		
		if(isDenied) {
			access.log(Level.INFO,"LocalhostTaf will deny all localhost traffic");
		} else {
			access.log(Level.INFO,"LocalhostTaf will not deny localhost requests, ",
					(accept?"and will treat them as authenticated":"but will require other authentication"));
		}
		// Set the appropriate behavior for when ID coming in is from localhost
		isLocalHost = isDenied?	
			new LocalhostTafResp(access, RESP.NO_FURTHER_PROCESSING,"Localhost is denied"):
			accept?
				new LocalhostTafResp(access, RESP.IS_AUTHENTICATED,"Localhost is allowed"):
				new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Localhost is allowed");
		isNotLocalHost = new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Address is not Localhost");
	}

//	@Override
	public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
		String remote = req.getRemoteAddr();
		return addrSet.contains(remote)
			?isLocalHost
			:isNotLocalHost;
	}

	/** 
	 * This function used for other TAFs (i.e. CSP, which can't work on localhost address)
	 * 
	 * @param address
	 * @return
	 */
	public static boolean isLocalAddress(String address) {
		return addrSet.contains(address);
	}
	
	public String toString() {
		return "Localhost TAF activated: " + isLocalHost.desc();
	}

	public Resp revalidate(CachedPrincipal prin) {
		// shouldn't get here, since there's no need to Cache, but if so, LocalHost is always valid...
		return Resp.REVALIDATED;
	}
}