Diffstat (limited to 'src/main/java/com/att/dmf/mr/security')
-rw-r--r--src/main/java/com/att/dmf/mr/security/DMaaPAAFAuthenticator.java39
-rw-r--r--src/main/java/com/att/dmf/mr/security/DMaaPAAFAuthenticatorImpl.java80
-rw-r--r--src/main/java/com/att/dmf/mr/security/DMaaPAuthenticator.java61
-rw-r--r--src/main/java/com/att/dmf/mr/security/DMaaPAuthenticatorImpl.java133
-rw-r--r--src/main/java/com/att/dmf/mr/security/impl/DMaaPMechIdAuthenticator.java87
-rw-r--r--src/main/java/com/att/dmf/mr/security/impl/DMaaPOriginalUebAuthenticator.java293
6 files changed, 0 insertions, 693 deletions
diff --git a/src/main/java/com/att/dmf/mr/security/DMaaPAAFAuthenticator.java b/src/main/java/com/att/dmf/mr/security/DMaaPAAFAuthenticator.java
deleted file mode 100644
index 59196d2..0000000
--- a/src/main/java/com/att/dmf/mr/security/DMaaPAAFAuthenticator.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
-*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.dmf.mr.security;
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.dmf.mr.CambriaApiException;
-
-
-
-
-/**
- *
- * @author sneha.d.desai
- *
- */
-public interface DMaaPAAFAuthenticator {
- boolean aafAuthentication( HttpServletRequest req , String role);
- String aafPermissionString(String permission, String action) throws CambriaApiException;
-}
diff --git a/src/main/java/com/att/dmf/mr/security/DMaaPAAFAuthenticatorImpl.java b/src/main/java/com/att/dmf/mr/security/DMaaPAAFAuthenticatorImpl.java
deleted file mode 100644
index e4e24cd..0000000
--- a/src/main/java/com/att/dmf/mr/security/DMaaPAAFAuthenticatorImpl.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
-*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.dmf.mr.security;
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.dmf.mr.CambriaApiException;
-import com.att.dmf.mr.constants.CambriaConstants;
-
-
-/**
- *
- * @author sneha.d.desai
- *
- */
-public class DMaaPAAFAuthenticatorImpl implements DMaaPAAFAuthenticator {
-
- /**
- * @param req
- * @param role
- */
- @Override
- public boolean aafAuthentication(HttpServletRequest req, String role) {
- boolean auth = false;
- if(req.isUserInRole(role))
- {
-
- auth = true;
- }
-
- return auth;
- }
-
- @Override
- public String aafPermissionString(String topicName, String action) throws CambriaApiException {
-
-
- String permission = "";
- String nameSpace ="";
- if(topicName.contains(".") && topicName.contains("org.onap")) {
-
- nameSpace = topicName.substring(0,topicName.lastIndexOf("."));
- }
- else {
- nameSpace = null;
- nameSpace= com.att.ajsc.filemonitor.AJSCPropertiesMap.getProperty(CambriaConstants.msgRtr_prop,"defaultNSforUEB");
-
- if(null==nameSpace)nameSpace="org.onap.dmaap.mr";
-
-
-
- }
-
- permission = nameSpace+".topic|:topic."+topicName+"|"+action;
- return permission;
-
- }
-
-
-
-}
diff --git a/src/main/java/com/att/dmf/mr/security/DMaaPAuthenticator.java b/src/main/java/com/att/dmf/mr/security/DMaaPAuthenticator.java
deleted file mode 100644
index 848d4cc..0000000
--- a/src/main/java/com/att/dmf/mr/security/DMaaPAuthenticator.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
-*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.dmf.mr.security;
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.dmf.mr.beans.DMaaPContext;
-import com.att.nsa.security.NsaApiKey;
-
-
-/**
- * An interface for authenticating an inbound request.
- * @author nilanjana.maity
- *
- * @param <K> NsaApiKey
- */
-public interface DMaaPAuthenticator<K extends NsaApiKey> {
-
- /**
- * Qualify a request as possibly using the authentication method that this class implements.
- * @param req
- * @return true if the request might be authenticated by this class
- */
- boolean qualify ( HttpServletRequest req );
-
- /**
- * Check for a request being authentic. If it is, return the API key. If not, return null.
- * @param req An inbound web request
- * @return the API key for an authentic request, or null
- */
- K isAuthentic ( HttpServletRequest req );
- /**
- * Check for a ctx being authenticate. If it is, return the API key. If not, return null.
- * @param ctx
- * @return the API key for an authentication request, or null
- */
- K authenticate ( DMaaPContext ctx );
-
-
- void addAuthenticator(DMaaPAuthenticator<K> a);
-
-}
diff --git a/src/main/java/com/att/dmf/mr/security/DMaaPAuthenticatorImpl.java b/src/main/java/com/att/dmf/mr/security/DMaaPAuthenticatorImpl.java
deleted file mode 100644
index 0ae0839..0000000
--- a/src/main/java/com/att/dmf/mr/security/DMaaPAuthenticatorImpl.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
-*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.dmf.mr.security;
-
-import java.util.LinkedList;
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.dmf.mr.beans.DMaaPContext;
-import com.att.dmf.mr.security.impl.DMaaPOriginalUebAuthenticator;
-import com.att.nsa.security.NsaApiKey;
-import com.att.nsa.security.db.NsaApiDb;
-import com.att.nsa.security.db.simple.NsaSimpleApiKey;
-
-/**
- *
- * @author anowarul.islam
- *
- * @param <K>
- */
-public class DMaaPAuthenticatorImpl<K extends NsaApiKey> implements DMaaPAuthenticator<K> {
-
- private final LinkedList<DMaaPAuthenticator<K>> fAuthenticators;
-
-
-
- // Setting timeout to a large value for testing purpose.
-
- // 10 minutes
- private static final long kDefaultRequestTimeWindow = 1000 * 60 * 10 * 10 * 10 * 10 * 10;
-
- /**
- * Construct the security manager against an API key database
- *
- * @param db
- * the API key db
- */
- public DMaaPAuthenticatorImpl(NsaApiDb<K> db) {
- this(db, kDefaultRequestTimeWindow);
- }
-
-
-
-
- /**
- * Construct the security manager against an API key database with a
- * specific request time window size
- *
- * @param db
- * the API key db
- * @param authTimeWindowMs
- * the size of the time window for request authentication
- */
- public DMaaPAuthenticatorImpl(NsaApiDb<K> db, long authTimeWindowMs) {
- fAuthenticators = new LinkedList<>();
-
- fAuthenticators.add(new DMaaPOriginalUebAuthenticator<K>(db, authTimeWindowMs));
- }
-
- /**
- * Authenticate a user's request. This method returns the API key if the
- * user is authentic, null otherwise.
- *
- * @param ctx
- * @return an api key record, or null
- */
- public K authenticate(DMaaPContext ctx) {
- final HttpServletRequest req = ctx.getRequest();
- for (DMaaPAuthenticator<K> a : fAuthenticators) {
- if (a.qualify(req)) {
- final K k = a.isAuthentic(req);
- if (k != null)
- return k;
- }
- // else: this request doesn't look right to the authenticator
- }
- return null;
- }
-
- /**
- * Get the user associated with the incoming request, or null if the user is
- * not authenticated.
- *
- * @param ctx
- * @return
- */
- public static NsaSimpleApiKey getAuthenticatedUser(DMaaPContext ctx) {
- final DMaaPAuthenticator<NsaSimpleApiKey> m = ctx.getConfigReader().getfSecurityManager();
- return m.authenticate(ctx);
- }
-
- /**
- * method by default returning false
- * @param req
- * @return false
- */
- public boolean qualify(HttpServletRequest req) {
- return false;
- }
-/**
- * method by default returning null
- * @param req
- * @return null
- */
- public K isAuthentic(HttpServletRequest req) {
- return null;
- }
-
- public void addAuthenticator ( DMaaPAuthenticator<K> a )
- {
- this.fAuthenticators.add(a);
- }
-
-}
diff --git a/src/main/java/com/att/dmf/mr/security/impl/DMaaPMechIdAuthenticator.java b/src/main/java/com/att/dmf/mr/security/impl/DMaaPMechIdAuthenticator.java
deleted file mode 100644
index 64dbc14..0000000
--- a/src/main/java/com/att/dmf/mr/security/impl/DMaaPMechIdAuthenticator.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
-*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.dmf.mr.security.impl;
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.dmf.mr.beans.DMaaPContext;
-import com.att.dmf.mr.security.DMaaPAuthenticator;
-
-import com.att.eelf.configuration.EELFLogger;
-import com.att.eelf.configuration.EELFManager;
-import com.att.nsa.security.NsaApiKey;
-import com.att.nsa.security.authenticators.MechIdAuthenticator;
-
-/**
- * An authenticator for AT&T MechIds.
- *
- * @author peter
- *
- * @param <K>
- */
-public class DMaaPMechIdAuthenticator <K extends NsaApiKey> implements DMaaPAuthenticator<K> {
-
-/**
- * This is not yet implemented. by refault its returing false
- * @param req HttpServletRequest
- * @return false
- */
- public boolean qualify (HttpServletRequest req) {
- // we haven't implemented anything here yet, so there's no qualifying request
- return false;
- }
-/**
- * This metod authenticate the mech id
- * @param req
- * @return APIkey or null
- */
- public K isAuthentic (HttpServletRequest req) {
- final String remoteAddr = req.getRemoteAddr();
- authLog ( "MechId auth is not yet implemented.", remoteAddr );
- return null;
- }
-
- private static void authLog ( String msg, String remoteAddr )
- {
- log.info ( "AUTH-LOG(" + remoteAddr + "): " + msg );
- }
-
-
- //private static final Logger log = Logger.getLogger( MechIdAuthenticator.class.toString());
- private static final EELFLogger log = EELFManager.getInstance().getLogger(MechIdAuthenticator.class);
-/**
- * Curently its not yet implemented returning null
- * @param ctx DMaaP context
- * @return APIkey or null
- */
- @Override
- public K authenticate(DMaaPContext ctx) {
- // TODO Auto-generated method stub
- return null;
- }
-@Override
-public void addAuthenticator(DMaaPAuthenticator<K> a) {
- // TODO Auto-generated method stub
-
-}
-
-} \ No newline at end of file
diff --git a/src/main/java/com/att/dmf/mr/security/impl/DMaaPOriginalUebAuthenticator.java b/src/main/java/com/att/dmf/mr/security/impl/DMaaPOriginalUebAuthenticator.java
deleted file mode 100644
index b1e28e7..0000000
--- a/src/main/java/com/att/dmf/mr/security/impl/DMaaPOriginalUebAuthenticator.java
+++ /dev/null
@@ -1,293 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
-*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.dmf.mr.security.impl;
-
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
-import java.util.Date;
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.dmf.mr.beans.DMaaPContext;
-import com.att.dmf.mr.security.DMaaPAuthenticator;
-import com.att.eelf.configuration.EELFLogger;
-import com.att.eelf.configuration.EELFManager;
-import com.att.nsa.configs.ConfigDbException;
-import com.att.nsa.drumlin.till.data.sha1HmacSigner;
-import com.att.nsa.security.NsaApiKey;
-import com.att.nsa.security.db.NsaApiDb;
-
-/**
- * This authenticator handles an AWS-like authentication, originally used by the
- * Cambria server (the API server for UEB).
- *
- * @author peter
- *
- * @param <K>
- */
-public class DMaaPOriginalUebAuthenticator<K extends NsaApiKey> implements DMaaPAuthenticator<K> {
- /**
- * constructor initialization
- *
- * @param db
- * @param requestTimeWindowMs
- */
- public DMaaPOriginalUebAuthenticator(NsaApiDb<K> db, long requestTimeWindowMs) {
- fDb = db;
- fRequestTimeWindowMs = requestTimeWindowMs;
-
-
-
-
- }
-
- @Override
- public boolean qualify(HttpServletRequest req) {
- // accept anything that comes in with X-(Cambria)Auth in the header
- final String xAuth = getFirstHeader(req, new String[] { "X-CambriaAuth", "X-Auth" });
- return xAuth != null;
- }
-
- /**
- * method for authentication
- *
- * @param req
- * @return
- */
- public K isAuthentic(HttpServletRequest req) {
- final String remoteAddr = req.getRemoteAddr();
- // Cambria originally used "Cambria..." headers, but as the API key
- // system is now more
- // general, we take either form.
- final String xAuth = getFirstHeader(req, new String[] { "X-CambriaAuth", "X-Auth" });
- final String xDate = getFirstHeader(req, new String[] { "X-CambriaDate", "X-Date" });
-
- final String httpDate = req.getHeader("Date");
-
- final String xNonce = getFirstHeader(req, new String[] { "X-Nonce" });
- return authenticate(remoteAddr, xAuth, xDate, httpDate, xNonce);
- }
-
- /**
- * Authenticate a user's request. This method returns the API key if the
- * user is authentic, null otherwise.
- *
- * @param remoteAddr
- * @param xAuth
- * @param xDate
- * @param httpDate
- * @param nonce
- * @return an api key record, or null
- */
- public K authenticate(String remoteAddr, String xAuth, String xDate, String httpDate, String nonce) {
- if (xAuth == null) {
- authLog("No X-Auth header on request", remoteAddr);
- return null;
- }
-
- final String[] xAuthParts = xAuth.split(":");
- if (xAuthParts.length != 2) {
- authLog("Bad X-Auth header format (" + xAuth + ")", remoteAddr);
- return null;
- }
-
-
- // get the api key and signature
- final String clientApiKey = xAuthParts[0];
- final String clientApiHash = xAuthParts[1];
- if (clientApiKey.length() == 0 || clientApiHash.length() == 0) {
- authLog("Bad X-Auth header format (" + xAuth + ")", remoteAddr);
- return null;
- }
- // if the user provided X-Date, use that. Otherwise, go for Date
- final String dateString = xDate != null ? xDate : httpDate;
- final Date clientDate = getClientDate(dateString);
- if (clientDate == null) {
- authLog("Couldn't parse client date '" + dateString + "'. Preferring X-Date over Date.", remoteAddr);
- return null;
- }
- // check the time range
- final long nowMs = System.currentTimeMillis();
- final long diffMs = Math.abs(nowMs - clientDate.getTime());
- if (diffMs > fRequestTimeWindowMs) {
- authLog("Client date is not in acceptable range of server date. Client:" + clientDate.getTime()
- + ", Server: " + nowMs + ", Threshold: " + fRequestTimeWindowMs + ".", remoteAddr);
- return null;
- }
- K apiRecord;
- try {
- apiRecord = fDb.loadApiKey(clientApiKey);
- if (apiRecord == null) {
- authLog("No such API key " + clientApiKey, remoteAddr);
- return null;
- }
- } catch (ConfigDbException e) {
- authLog("Couldn't load API key " + clientApiKey + ": " + e.getMessage(), remoteAddr);
- return null;
- }
- // make the signed content
- final StringBuilder sb = new StringBuilder();
- sb.append(dateString);
- if (nonce != null) {
- sb.append(":");
- sb.append(nonce);
- }
- final String signedContent = sb.toString();
- // now check the signed date string
- final String serverCalculatedSignature = sha1HmacSigner.sign(signedContent, apiRecord.getSecret());
- if (serverCalculatedSignature == null || !serverCalculatedSignature.equals(clientApiHash)) {
- authLog("Signatures don't match. Rec'd " + clientApiHash + ", expect " + serverCalculatedSignature + ".",
- remoteAddr);
- return null;
- }
- authLog("authenticated " + apiRecord.getKey(), remoteAddr);
- return apiRecord;
- }
-
- /**
- * Get the first value of the first existing header from the headers list
- *
- * @param req
- * @param headers
- * @return a header value, or null if none exist
- */
- private static String getFirstHeader(HttpServletRequest req, String[] headers) {
- for (String header : headers) {
- final String result = req.getHeader(header);
- if (result != null)
- return result;
- }
- return null;
- }
-
- /**
- * Parse the date string into a Date using one of the supported date
- * formats.
- *
- * @param dateHeader
- * @return a date, or null
- */
- private static Date getClientDate(String dateString) {
- if (dateString == null) {
- return null;
- }
-
- // parse the date
- Date result = null;
- for (String dateFormat : kDateFormats) {
- final SimpleDateFormat parser = new SimpleDateFormat(dateFormat, java.util.Locale.US);
- if (!dateFormat.contains("z") && !dateFormat.contains("Z")) {
- parser.setTimeZone(TIMEZONE_GMT);
- }
-
- try {
- result = parser.parse(dateString);
- break;
- } catch (ParseException e) {
- // presumably wrong format
- }
- }
- return result;
- }
-
- private static void authLog(String msg, String remoteAddr) {
- log.info("AUTH-LOG(" + remoteAddr + "): " + msg);
- }
-
- private final NsaApiDb<K> fDb;
- private final long fRequestTimeWindowMs;
-
- private static final java.util.TimeZone TIMEZONE_GMT = java.util.TimeZone.getTimeZone("GMT");
-
- private static final String kDateFormats[] =
- {
- // W3C date format (RFC 3339).
- "yyyy-MM-dd'T'HH:mm:ssz",
- "yyyy-MM-dd'T'HH:mm:ssXXX", // as of Java 7, reqd to handle colon in TZ offset
-
- // Preferred HTTP date format (RFC 1123).
- "EEE, dd MMM yyyy HH:mm:ss zzz",
-
- // simple unix command line 'date' format
- "EEE MMM dd HH:mm:ss z yyyy",
-
- // Common date format (RFC 822).
- "EEE, dd MMM yy HH:mm:ss z",
- "EEE, dd MMM yy HH:mm z",
- "dd MMM yy HH:mm:ss z",
- "dd MMM yy HH:mm z",
-
- // Obsoleted HTTP date format (ANSI C asctime() format).
- "EEE MMM dd HH:mm:ss yyyy",
-
- // Obsoleted HTTP date format (RFC 1036).
- "EEEE, dd-MMM-yy HH:mm:ss zzz",
- };
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- // logger declaration
-
- private static final EELFLogger log = EELFManager.getInstance().getLogger(DMaaPOriginalUebAuthenticator.class);
- @Override
-
- // TODO Auto-generated method stub
-
- //}
-
- public K authenticate(DMaaPContext ctx) {
-
-
-
-
-
-
-
-
-
-
- return null;
- }
-
-
- public void addAuthenticator ( DMaaPAuthenticator<K> a )
- {
-
- }
-
-} \ No newline at end of file