2 files changed, 380 insertions, 0 deletions
diff --git a/src/main/java/com/att/nsa/cambria/security/impl/DMaaPMechIdAuthenticator.java b/src/main/java/com/att/nsa/cambria/security/impl/DMaaPMechIdAuthenticator.java
new file mode 100644
index 0000000..c2a41cc
--- /dev/null
+++ b/src/main/java/com/att/nsa/cambria/security/impl/DMaaPMechIdAuthenticator.java
@@ -0,0 +1,89 @@
+/*******************************************************************************
+ *  ============LICENSE_START=======================================================
+ *  org.onap.dmaap
+ *  ================================================================================
+ *  Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ *  ================================================================================
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *  ============LICENSE_END=========================================================
+ *
+ *  ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ *  
+ *******************************************************************************/
+package com.att.nsa.cambria.security.impl;
+
+import javax.servlet.http.HttpServletRequest;
+
+
+
+import com.att.nsa.cambria.beans.DMaaPContext;
+import com.att.nsa.cambria.security.DMaaPAuthenticator;
+import com.att.nsa.security.NsaApiKey;
+import com.att.nsa.security.authenticators.MechIdAuthenticator;
+//import com.att.nsa.security.db.NsaApiDb;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+
+/**
+ * An authenticator for AT&T MechIds.
+ * 
+ * @author author
+ *
+ * @param <K>
+ */
+public class DMaaPMechIdAuthenticator <K extends NsaApiKey> implements DMaaPAuthenticator<K> {
+
+/**
+ * This is not yet implemented. by refault its returing false
+ * @param req HttpServletRequest
+ * @return false
+ */
+	public boolean qualify (HttpServletRequest req) {
+		// we haven't implemented anything here yet, so there's no qualifying request
+		return false;
+	}
+/**
+ * This metod authenticate the mech id 
+ * @param req
+ * @return APIkey or null
+ */
+	public K isAuthentic (HttpServletRequest req) {
+		final String remoteAddr = req.getRemoteAddr();
+		authLog ( "MechId auth is not yet implemented.", remoteAddr );
+		return null;
+	}
+
+	private static void authLog ( String msg, String remoteAddr )
+	{
+		log.info ( "AUTH-LOG(" + remoteAddr + "): " + msg );
+	}
+
+//	private final NsaApiDb<K> fDb;
+	//private static final Logger log = Logger.getLogger( MechIdAuthenticator.class.toString());
+	private static final EELFLogger log = EELFManager.getInstance().getLogger(MechIdAuthenticator.class);
+/**
+ * Curently its not yet implemented returning null
+ * @param ctx DMaaP context
+ * @return APIkey or null
+ */
+	@Override
+	public K authenticate(DMaaPContext ctx) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+@Override
+public void addAuthenticator(DMaaPAuthenticator<K> a) {
+	// TODO Auto-generated method stub
+	
+}
+
+}
+\ No newline at end of file
diff --git a/src/main/java/com/att/nsa/cambria/security/impl/DMaaPOriginalUebAuthenticator.java b/src/main/java/com/att/nsa/cambria/security/impl/DMaaPOriginalUebAuthenticator.java
new file mode 100644
index 0000000..fdcf7c1
--- /dev/null
+++ b/src/main/java/com/att/nsa/cambria/security/impl/DMaaPOriginalUebAuthenticator.java
@@ -0,0 +1,291 @@
+/*******************************************************************************
+ *  ============LICENSE_START=======================================================
+ *  org.onap.dmaap
+ *  ================================================================================
+ *  Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ *  ================================================================================
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *  ============LICENSE_END=========================================================
+ *
+ *  ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ *  
+ *******************************************************************************/
+package com.att.nsa.cambria.security.impl;
+
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+import com.att.nsa.cambria.beans.DMaaPContext;
+import com.att.nsa.cambria.security.DMaaPAuthenticator;
+import com.att.nsa.configs.ConfigDbException;
+import com.att.nsa.drumlin.till.data.sha1HmacSigner;
+import com.att.nsa.security.NsaApiKey;
+import com.att.nsa.security.db.NsaApiDb;
+
+/**
+ * This authenticator handles an AWS-like authentication, originally used by the
+ * Cambria server (the API server for UEB).
+ * 
+ * @author author
+ *
+ * @param <K>
+ */
+public class DMaaPOriginalUebAuthenticator<K extends NsaApiKey> implements DMaaPAuthenticator<K> {
+	/**
+	 * constructor initialization
+	 * 
+	 * @param db
+	 * @param requestTimeWindowMs
+	 */
+	public DMaaPOriginalUebAuthenticator(NsaApiDb<K> db, long requestTimeWindowMs) {
+		fDb = db;
+		fRequestTimeWindowMs = requestTimeWindowMs;
+		//fAuthenticators = new LinkedList<DMaaPAuthenticator<K>>();
+
+		//fAuthenticators.add(new DMaaPOriginalUebAuthenticator<K>(db, requestTimeWindowMs));
+
+	}
+
+	@Override
+	public boolean qualify(HttpServletRequest req) {
+		// accept anything that comes in with X-(Cambria)Auth in the header
+		final String xAuth = getFirstHeader(req, new String[] { "X-CambriaAuth", "X-Auth" });
+		return xAuth != null;
+	}
+
+	/**
+	 * method for authentication
+	 * 
+	 * @param req
+	 * @return
+	 */
+	public K isAuthentic(HttpServletRequest req) {
+		final String remoteAddr = req.getRemoteAddr();
+		// Cambria originally used "Cambria..." headers, but as the API key
+		// system is now more
+		// general, we take either form.
+		final String xAuth = getFirstHeader(req, new String[] { "X-CambriaAuth", "X-Auth" });
+		final String xDate = getFirstHeader(req, new String[] { "X-CambriaDate", "X-Date" });
+
+		final String httpDate = req.getHeader("Date");
+
+		final String xNonce = getFirstHeader(req, new String[] { "X-Nonce" });
+		return authenticate(remoteAddr, xAuth, xDate, httpDate, xNonce);
+	}
+
+	/**
+	 * Authenticate a user's request. This method returns the API key if the
+	 * user is authentic, null otherwise.
+	 * 
+	 * @param remoteAddr
+	 * @param xAuth
+	 * @param xDate
+	 * @param httpDate
+	 * @param nonce
+	 * @return an api key record, or null
+	 */
+	public K authenticate(String remoteAddr, String xAuth, String xDate, String httpDate, String nonce) {
+		if (xAuth == null) {
+			authLog("No X-Auth header on request", remoteAddr);
+			return null;
+		}
+		
+		final String[] xAuthParts = xAuth.split(":");
+		if (xAuthParts.length != 2) {
+			authLog("Bad X-Auth header format (" + xAuth + ")", remoteAddr);
+			return null;
+		}
+
+
+		// get the api key and signature
+		final String clientApiKey = xAuthParts[0];
+		final String clientApiHash = xAuthParts[1];
+		if (clientApiKey.length() == 0 || clientApiHash.length() == 0) {
+			authLog("Bad X-Auth header format (" + xAuth + ")", remoteAddr);
+			return null;
+		}
+		// if the user provided X-Date, use that. Otherwise, go for Date
+		final String dateString = xDate != null ? xDate : httpDate;
+		final Date clientDate = getClientDate(dateString);
+		if (clientDate == null) {
+			authLog("Couldn't parse client date '" + dateString + "'. Preferring X-Date over Date.", remoteAddr);
+			return null;
+		}
+		// check the time range
+		final long nowMs = System.currentTimeMillis();
+		final long diffMs = Math.abs(nowMs - clientDate.getTime());
+		if (diffMs > fRequestTimeWindowMs) {
+			authLog("Client date is not in acceptable range of server date. Client:" + clientDate.getTime()
+					+ ", Server: " + nowMs + ", Threshold: " + fRequestTimeWindowMs + ".", remoteAddr);
+			return null;
+		}
+		K apiRecord;
+		try {
+			apiRecord = fDb.loadApiKey(clientApiKey);
+			if (apiRecord == null) {
+				authLog("No such API key " + clientApiKey, remoteAddr);
+				return null;
+			}
+		} catch (ConfigDbException e) {
+			authLog("Couldn't load API key " + clientApiKey + ": " + e.getMessage(), remoteAddr);
+			return null;
+		}
+				// make the signed content
+		final StringBuilder sb = new StringBuilder();
+		sb.append(dateString);
+		if (nonce != null) {
+			sb.append(":");
+			sb.append(nonce);
+		}
+		final String signedContent = sb.toString();
+		// now check the signed date string
+		final String serverCalculatedSignature = sha1HmacSigner.sign(signedContent, apiRecord.getSecret());
+		if (serverCalculatedSignature == null || !serverCalculatedSignature.equals(clientApiHash)) {
+			authLog("Signatures don't match. Rec'd " + clientApiHash + ", expect " + serverCalculatedSignature + ".",
+					remoteAddr);
+			return null;
+		}
+		authLog("authenticated " + apiRecord.getKey(), remoteAddr);
+		return apiRecord;
+	}
+
+	/**
+	 * Get the first value of the first existing header from the headers list
+	 * 
+	 * @param req
+	 * @param headers
+	 * @return a header value, or null if none exist
+	 */
+	private static String getFirstHeader(HttpServletRequest req, String[] headers) {
+		for (String header : headers) {
+			final String result = req.getHeader(header);
+			if (result != null)
+				return result;
+		}
+		return null;
+	}
+
+	/**
+	 * Parse the date string into a Date using one of the supported date
+	 * formats.
+	 * 
+	 * @param dateHeader
+	 * @return a date, or null
+	 */
+	private static Date getClientDate(String dateString) {
+		if (dateString == null) {
+			return null;
+		}
+
+		// parse the date
+		Date result = null;
+		for (String dateFormat : kDateFormats) {
+			final SimpleDateFormat parser = new SimpleDateFormat(dateFormat, java.util.Locale.US);
+			if (!dateFormat.contains("z") && !dateFormat.contains("Z")) {
+				parser.setTimeZone(TIMEZONE_GMT);
+			}
+
+			try {
+				result = parser.parse(dateString);
+				break;
+			} catch (ParseException e) {
+				// presumably wrong format
+			}
+		}
+		return result;
+	}
+
+	private static void authLog(String msg, String remoteAddr) {
+		log.info("AUTH-LOG(" + remoteAddr + "): " + msg);
+	}
+
+	private final NsaApiDb<K> fDb;
+	private final long fRequestTimeWindowMs;
+
+	private static final java.util.TimeZone TIMEZONE_GMT = java.util.TimeZone.getTimeZone("GMT");
+	
+	private static final String kDateFormats[] =
+		{
+		    // W3C date format (RFC 3339).
+		    "yyyy-MM-dd'T'HH:mm:ssz",
+		    "yyyy-MM-dd'T'HH:mm:ssXXX",		// as of Java 7, reqd to handle colon in TZ offset
+
+		    // Preferred HTTP date format (RFC 1123).
+		    "EEE, dd MMM yyyy HH:mm:ss zzz",
+
+		    // simple unix command line 'date' format
+		    "EEE MMM dd HH:mm:ss z yyyy",
+
+		    // Common date format (RFC 822).
+		    "EEE, dd MMM yy HH:mm:ss z",
+		    "EEE, dd MMM yy HH:mm z",
+		    "dd MMM yy HH:mm:ss z",
+		    "dd MMM yy HH:mm z",
+
+			// Obsoleted HTTP date format (ANSI C asctime() format).
+		    "EEE MMM dd HH:mm:ss yyyy",
+
+		    // Obsoleted HTTP date format (RFC 1036).
+		    "EEEE, dd-MMM-yy HH:mm:ss zzz",
+		};
+
+	/*private static final String kDateFormats[] = {
+			// W3C date format (RFC 3339).
+			"yyyy-MM-dd'T'HH:mm:ssz",
+
+			// Preferred HTTP date format (RFC 1123).
+			"EEE, dd MMM yyyy HH:mm:ss zzz",
+
+			// simple unix command line 'date' format
+			"EEE MMM dd HH:mm:ss z yyyy",
+
+			// Common date format (RFC 822).
+			"EEE, dd MMM yy HH:mm:ss z", "EEE, dd MMM yy HH:mm z", "dd MMM yy HH:mm:ss z", "dd MMM yy HH:mm z",
+
+			// Obsoleted HTTP date format (ANSI C asctime() format).
+			"EEE MMM dd HH:mm:ss yyyy",
+
+			// Obsoleted HTTP date format (RFC 1036).
+			"EEEE, dd-MMM-yy HH:mm:ss zzz", }; */
+	// logger declaration
+	//private static final Logger log = Logger.getLogger(DMaaPOriginalUebAuthenticator.class.toString());
+	private static final EELFLogger log = EELFManager.getInstance().getLogger(DMaaPOriginalUebAuthenticator.class);
+	@Override
+//	public K authenticate(DMaaPContext ctx) {
+		// TODO Auto-generated method stub
+		//return null;
+	//}
+	
+	public K authenticate(DMaaPContext ctx) {
+		
+		/*final HttpServletRequest req = ctx.getRequest();
+		for (DMaaPAuthenticator<K> a : fAuthenticators) {
+			if (a.qualify(req)) {
+				final K k = a.isAuthentic(req);
+				if (k != null)
+					return k;
+			}
+			// else: this request doesn't look right to the authenticator
+		}*/
+		return null;
+	}
+
+
+	public void addAuthenticator ( DMaaPAuthenticator<K> a )
+	{
+		//this.fAuthenticators.add(a);
+	}
+	//private final LinkedList<DMaaPAuthenticator<K>> fAuthenticators;
+}
+\ No newline at end of file