Diffstat (limited to 'src/main/java/com/att/nsa/cambria/security')
6 files changed, 0 insertions, 683 deletions
diff --git a/src/main/java/com/att/nsa/cambria/security/DMaaPAAFAuthenticator.java b/src/main/java/com/att/nsa/cambria/security/DMaaPAAFAuthenticator.java
deleted file mode 100644
index fa4fe17..0000000
--- a/src/main/java/com/att/nsa/cambria/security/DMaaPAAFAuthenticator.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.nsa.cambria.security;
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.nsa.cambria.CambriaApiException;
-
-
-
-
-/**
- *
- * @author author
- *
- */
-public interface DMaaPAAFAuthenticator {
- boolean aafAuthentication( HttpServletRequest req , String role);
- String aafPermissionString(String permission, String action) throws CambriaApiException;
-}
diff --git a/src/main/java/com/att/nsa/cambria/security/DMaaPAAFAuthenticatorImpl.java b/src/main/java/com/att/nsa/cambria/security/DMaaPAAFAuthenticatorImpl.java
deleted file mode 100644
index e8f697e..0000000
--- a/src/main/java/com/att/nsa/cambria/security/DMaaPAAFAuthenticatorImpl.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.nsa.cambria.security;
-
-
-import javax.servlet.http.HttpServletRequest;
-
-
-import com.att.nsa.cambria.CambriaApiException;
-import com.att.nsa.cambria.constants.CambriaConstants;
-
-
-/**
- *
- * @author author
- *
- */
-public class DMaaPAAFAuthenticatorImpl implements DMaaPAAFAuthenticator {
-
- /**
- * @param req
- * @param role
- */
- @Override
- public boolean aafAuthentication(HttpServletRequest req, String role) {
- boolean auth = false;
- if(req.isUserInRole(role))
- {
-
- auth = true;
- }
- return auth;
- }
-
- @Override
- public String aafPermissionString(String topicName, String action) throws CambriaApiException {
-
-
- String mrNameS = com.att.ajsc.beans.PropertiesMapBean.getProperty(CambriaConstants.msgRtr_prop,
- "msgRtr.namespace.aaf");
- String permission = mrNameS+"|:topic."+topicName+"|"+action;
- return permission;
-
- }
-
-
-
-}
diff --git a/src/main/java/com/att/nsa/cambria/security/DMaaPAuthenticator.java b/src/main/java/com/att/nsa/cambria/security/DMaaPAuthenticator.java
deleted file mode 100644
index 5e7073d..0000000
--- a/src/main/java/com/att/nsa/cambria/security/DMaaPAuthenticator.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.nsa.cambria.security;
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.nsa.cambria.beans.DMaaPContext;
-import com.att.nsa.security.NsaApiKey;
-
-
-/**
- * An interface for authenticating an inbound request.
- * @author author
- *
- * @param <K> NsaApiKey
- */
-public interface DMaaPAuthenticator<K extends NsaApiKey> {
-
- /**
- * Qualify a request as possibly using the authentication method that this class implements.
- * @param req
- * @return true if the request might be authenticated by this class
- */
- boolean qualify ( HttpServletRequest req );
-
- /**
- * Check for a request being authentic. If it is, return the API key. If not, return null.
- * @param req An inbound web request
- * @return the API key for an authentic request, or null
- */
- K isAuthentic ( HttpServletRequest req );
- /**
- * Check for a ctx being authenticate. If it is, return the API key. If not, return null.
- * @param ctx
- * @return the API key for an authentication request, or null
- */
- K authenticate ( DMaaPContext ctx );
-
-
- void addAuthenticator(DMaaPAuthenticator<K> a);
-
-}
diff --git a/src/main/java/com/att/nsa/cambria/security/DMaaPAuthenticatorImpl.java b/src/main/java/com/att/nsa/cambria/security/DMaaPAuthenticatorImpl.java
deleted file mode 100644
index 733daf7..0000000
--- a/src/main/java/com/att/nsa/cambria/security/DMaaPAuthenticatorImpl.java
+++ /dev/null
@@ -1,136 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.nsa.cambria.security;
-
-import java.util.LinkedList;
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.nsa.cambria.beans.DMaaPContext;
-import com.att.nsa.cambria.security.impl.DMaaPOriginalUebAuthenticator;
-import com.att.nsa.security.NsaApiKey;
-import com.att.nsa.security.NsaAuthenticator;
-import com.att.nsa.security.authenticators.OriginalUebAuthenticator;
-import com.att.nsa.security.db.NsaApiDb;
-import com.att.nsa.security.db.simple.NsaSimpleApiKey;
-
-/**
- *
- * @author author
- *
- * @param <K>
- */
-public class DMaaPAuthenticatorImpl<K extends NsaApiKey> implements DMaaPAuthenticator<K> {
-
- private final LinkedList<DMaaPAuthenticator<K>> fAuthenticators;
-
-
-
- // Setting timeout to a large value for testing purpose.
- // private static final long kDefaultRequestTimeWindow = 1000 * 60 * 10; //
- // 10 minutes
- private static final long kDefaultRequestTimeWindow = (long)1000 * 60 * 10 * 10 * 10 * 10 * 10;
-
- /**
- * Construct the security manager against an API key database
- *
- * @param db
- * the API key db
- */
- public DMaaPAuthenticatorImpl(NsaApiDb<K> db) {
- this(db, kDefaultRequestTimeWindow);
- }
-
-
-
-
- /**
- * Construct the security manager against an API key database with a
- * specific request time window size
- *
- * @param db
- * the API key db
- * @param authTimeWindowMs
- * the size of the time window for request authentication
- */
- public DMaaPAuthenticatorImpl(NsaApiDb<K> db, long authTimeWindowMs) {
- fAuthenticators = new LinkedList<DMaaPAuthenticator<K>>();
-
- fAuthenticators.add(new DMaaPOriginalUebAuthenticator<K>(db, authTimeWindowMs));
- }
-
- /**
- * Authenticate a user's request. This method returns the API key if the
- * user is authentic, null otherwise.
- *
- * @param ctx
- * @return an api key record, or null
- */
- public K authenticate(DMaaPContext ctx) {
- final HttpServletRequest req = ctx.getRequest();
- for (DMaaPAuthenticator<K> a : fAuthenticators) {
- if (a.qualify(req)) {
- final K k = a.isAuthentic(req);
- if (k != null)
- return k;
- }
- // else: this request doesn't look right to the authenticator
- }
- return null;
- }
-
- /**
- * Get the user associated with the incoming request, or null if the user is
- * not authenticated.
- *
- * @param ctx
- * @return
- */
- public static NsaSimpleApiKey getAuthenticatedUser(DMaaPContext ctx) {
- final DMaaPAuthenticator<NsaSimpleApiKey> m = ctx.getConfigReader().getfSecurityManager();
- return m.authenticate(ctx);
- }
-
- /**
- * method by default returning false
- * @param req
- * @return false
- */
- public boolean qualify(HttpServletRequest req) {
- return false;
- }
-/**
- * method by default returning null
- * @param req
- * @return null
- */
- public K isAuthentic(HttpServletRequest req) {
- return null;
- }
-
- public void addAuthenticator ( DMaaPAuthenticator<K> a )
- {
- this.fAuthenticators.add(a);
- }
-
-
-}
diff --git a/src/main/java/com/att/nsa/cambria/security/impl/DMaaPMechIdAuthenticator.java b/src/main/java/com/att/nsa/cambria/security/impl/DMaaPMechIdAuthenticator.java
deleted file mode 100644
index c2a41cc..0000000
--- a/src/main/java/com/att/nsa/cambria/security/impl/DMaaPMechIdAuthenticator.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.nsa.cambria.security.impl;
-
-import javax.servlet.http.HttpServletRequest;
-
-
-
-import com.att.nsa.cambria.beans.DMaaPContext;
-import com.att.nsa.cambria.security.DMaaPAuthenticator;
-import com.att.nsa.security.NsaApiKey;
-import com.att.nsa.security.authenticators.MechIdAuthenticator;
-//import com.att.nsa.security.db.NsaApiDb;
-import com.att.eelf.configuration.EELFLogger;
-import com.att.eelf.configuration.EELFManager;
-
-/**
- * An authenticator for AT&T MechIds.
- *
- * @author author
- *
- * @param <K>
- */
-public class DMaaPMechIdAuthenticator <K extends NsaApiKey> implements DMaaPAuthenticator<K> {
-
-/**
- * This is not yet implemented.
by refault its returing false
- * @param req HttpServletRequest
- * @return false
- */
- public boolean qualify (HttpServletRequest req) {
- // we haven't implemented anything here yet, so there's no qualifying request
- return false;
- }
-/**
- * This metod authenticate the mech id
- * @param req
- * @return APIkey or null
- */
- public K isAuthentic (HttpServletRequest req) {
- final String remoteAddr = req.getRemoteAddr();
- authLog ( "MechId auth is not yet implemented.", remoteAddr );
- return null;
- }
-
- private static void authLog ( String msg, String remoteAddr )
- {
- log.info ( "AUTH-LOG(" + remoteAddr + "): " + msg );
- }
-
-// private final NsaApiDb<K> fDb;
- //private static final Logger log = Logger.getLogger( MechIdAuthenticator.class.toString());
- private static final EELFLogger log = EELFManager.getInstance().getLogger(MechIdAuthenticator.class);
-/**
- * Curently its not yet implemented returning null
- * @param ctx DMaaP context
- * @return APIkey or null
- */
- @Override
- public K authenticate(DMaaPContext ctx) {
- // TODO Auto-generated method stub
- return null;
- }
-@Override
-public void addAuthenticator(DMaaPAuthenticator<K> a) {
- // TODO Auto-generated method stub
-
-}
-
-}
\ No newline at end of file
diff --git a/src/main/java/com/att/nsa/cambria/security/impl/DMaaPOriginalUebAuthenticator.java b/src/main/java/com/att/nsa/cambria/security/impl/DMaaPOriginalUebAuthenticator.java
deleted file mode 100644
index fdcf7c1..0000000
--- a/src/main/java/com/att/nsa/cambria/security/impl/DMaaPOriginalUebAuthenticator.java
+++ /dev/null
@@ -1,291 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START=======================================================
- * org.onap.dmaap
- * ================================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
- *******************************************************************************/
-package com.att.nsa.cambria.security.impl;
-
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
-import java.util.Date;
-import javax.servlet.http.HttpServletRequest;
-import com.att.eelf.configuration.EELFLogger;
-import com.att.eelf.configuration.EELFManager;
-import com.att.nsa.cambria.beans.DMaaPContext;
-import com.att.nsa.cambria.security.DMaaPAuthenticator;
-import com.att.nsa.configs.ConfigDbException;
-import com.att.nsa.drumlin.till.data.sha1HmacSigner;
-import com.att.nsa.security.NsaApiKey;
-import com.att.nsa.security.db.NsaApiDb;
-
-/**
- * This authenticator handles an AWS-like authentication, originally used by the
- * Cambria server (the API server for UEB).
- *
- * @author author
- *
- * @param <K>
- */
-public class DMaaPOriginalUebAuthenticator<K extends NsaApiKey> implements DMaaPAuthenticator<K> {
- /**
- * constructor initialization
- *
- * @param db
- * @param requestTimeWindowMs
- */
- public DMaaPOriginalUebAuthenticator(NsaApiDb<K> db, long requestTimeWindowMs) {
- fDb = db;
- fRequestTimeWindowMs = requestTimeWindowMs;
- //fAuthenticators = new LinkedList<DMaaPAuthenticator<K>>();
-
- //fAuthenticators.add(new DMaaPOriginalUebAuthenticator<K>(db, requestTimeWindowMs));
-
- }
-
- @Override
- public boolean qualify(HttpServletRequest req) {
- // accept anything that comes in with X-(Cambria)Auth in the header
- final String xAuth = getFirstHeader(req, new String[] { "X-CambriaAuth", "X-Auth" });
- return xAuth != null;
- }
-
- /**
- * method for authentication
- *
- * @param req
- * @return
- */
- public K isAuthentic(HttpServletRequest req) {
- final String remoteAddr = req.getRemoteAddr();
- // Cambria originally used "Cambria..." headers, but as the API key
- // system is now more
- // general, we take either form.
- final String xAuth = getFirstHeader(req, new String[] { "X-CambriaAuth", "X-Auth" });
- final String xDate = getFirstHeader(req, new String[] { "X-CambriaDate", "X-Date" });
-
- final String httpDate = req.getHeader("Date");
-
- final String xNonce = getFirstHeader(req, new String[] { "X-Nonce" });
- return authenticate(remoteAddr, xAuth, xDate, httpDate, xNonce);
- }
-
- /**
- * Authenticate a user's request. This method returns the API key if the
- * user is authentic, null otherwise.
- *
- * @param remoteAddr
- * @param xAuth
- * @param xDate
- * @param httpDate
- * @param nonce
- * @return an api key record, or null
- */
- public K authenticate(String remoteAddr, String xAuth, String xDate, String httpDate, String nonce) {
- if (xAuth == null) {
- authLog("No X-Auth header on request", remoteAddr);
- return null;
- }
-
- final String[] xAuthParts = xAuth.split(":");
- if (xAuthParts.length != 2) {
- authLog("Bad X-Auth header format (" + xAuth + ")", remoteAddr);
- return null;
- }
-
-
- // get the api key and signature
- final String clientApiKey = xAuthParts[0];
- final String clientApiHash = xAuthParts[1];
- if (clientApiKey.length() == 0 || clientApiHash.length() == 0) {
- authLog("Bad X-Auth header format (" + xAuth + ")", remoteAddr);
- return null;
- }
- // if the user provided X-Date, use that. Otherwise, go for Date
- final String dateString = xDate != null ? xDate : httpDate;
- final Date clientDate = getClientDate(dateString);
- if (clientDate == null) {
- authLog("Couldn't parse client date '" + dateString + "'. Preferring X-Date over Date.", remoteAddr);
- return null;
- }
- // check the time range
- final long nowMs = System.currentTimeMillis();
- final long diffMs = Math.abs(nowMs - clientDate.getTime());
- if (diffMs > fRequestTimeWindowMs) {
- authLog("Client date is not in acceptable range of server date.
Client:" + clientDate.getTime()
- + ", Server: " + nowMs + ", Threshold: " + fRequestTimeWindowMs + ".", remoteAddr);
- return null;
- }
- K apiRecord;
- try {
- apiRecord = fDb.loadApiKey(clientApiKey);
- if (apiRecord == null) {
- authLog("No such API key " + clientApiKey, remoteAddr);
- return null;
- }
- } catch (ConfigDbException e) {
- authLog("Couldn't load API key " + clientApiKey + ": " + e.getMessage(), remoteAddr);
- return null;
- }
- // make the signed content
- final StringBuilder sb = new StringBuilder();
- sb.append(dateString);
- if (nonce != null) {
- sb.append(":");
- sb.append(nonce);
- }
- final String signedContent = sb.toString();
- // now check the signed date string
- final String serverCalculatedSignature = sha1HmacSigner.sign(signedContent, apiRecord.getSecret());
- if (serverCalculatedSignature == null || !serverCalculatedSignature.equals(clientApiHash)) {
- authLog("Signatures don't match. Rec'd " + clientApiHash + ", expect " + serverCalculatedSignature + ".",
- remoteAddr);
- return null;
- }
- authLog("authenticated " + apiRecord.getKey(), remoteAddr);
- return apiRecord;
- }
-
- /**
- * Get the first value of the first existing header from the headers list
- *
- * @param req
- * @param headers
- * @return a header value, or null if none exist
- */
- private static String getFirstHeader(HttpServletRequest req, String[] headers) {
- for (String header : headers) {
- final String result = req.getHeader(header);
- if (result != null)
- return result;
- }
- return null;
- }
-
- /**
- * Parse the date string into a Date using one of the supported date
- * formats.
- *
- * @param dateHeader
- * @return a date, or null
- */
- private static Date getClientDate(String dateString) {
- if (dateString == null) {
- return null;
- }
-
- // parse the date
- Date result = null;
- for (String dateFormat : kDateFormats) {
- final SimpleDateFormat parser = new SimpleDateFormat(dateFormat, java.util.Locale.US);
- if (!dateFormat.contains("z") && !dateFormat.contains("Z")) {
- parser.setTimeZone(TIMEZONE_GMT);
- }
-
- try {
- result = parser.parse(dateString);
- break;
- } catch (ParseException e) {
- // presumably wrong format
- }
- }
- return result;
- }
-
- private static void authLog(String msg, String remoteAddr) {
- log.info("AUTH-LOG(" + remoteAddr + "): " + msg);
- }
-
- private final NsaApiDb<K> fDb;
- private final long fRequestTimeWindowMs;
-
- private static final java.util.TimeZone TIMEZONE_GMT = java.util.TimeZone.getTimeZone("GMT");
-
- private static final String kDateFormats[] =
- {
- // W3C date format (RFC 3339).
- "yyyy-MM-dd'T'HH:mm:ssz",
- "yyyy-MM-dd'T'HH:mm:ssXXX", // as of Java 7, reqd to handle colon in TZ offset
-
- // Preferred HTTP date format (RFC 1123).
- "EEE, dd MMM yyyy HH:mm:ss zzz",
-
- // simple unix command line 'date' format
- "EEE MMM dd HH:mm:ss z yyyy",
-
- // Common date format (RFC 822).
- "EEE, dd MMM yy HH:mm:ss z",
- "EEE, dd MMM yy HH:mm z",
- "dd MMM yy HH:mm:ss z",
- "dd MMM yy HH:mm z",
-
- // Obsoleted HTTP date format (ANSI C asctime() format).
- "EEE MMM dd HH:mm:ss yyyy",
-
- // Obsoleted HTTP date format (RFC 1036).
- "EEEE, dd-MMM-yy HH:mm:ss zzz",
- };
-
- /*private static final String kDateFormats[] = {
- // W3C date format (RFC 3339).
- "yyyy-MM-dd'T'HH:mm:ssz",
-
- // Preferred HTTP date format (RFC 1123).
- "EEE, dd MMM yyyy HH:mm:ss zzz",
-
- // simple unix command line 'date' format
- "EEE MMM dd HH:mm:ss z yyyy",
-
- // Common date format (RFC 822).
- "EEE, dd MMM yy HH:mm:ss z", "EEE, dd MMM yy HH:mm z", "dd MMM yy HH:mm:ss z", "dd MMM yy HH:mm z",
-
- // Obsoleted HTTP date format (ANSI C asctime() format).
- "EEE MMM dd HH:mm:ss yyyy",
-
- // Obsoleted HTTP date format (RFC 1036).
- "EEEE, dd-MMM-yy HH:mm:ss zzz", }; */
- // logger declaration
- //private static final Logger log = Logger.getLogger(DMaaPOriginalUebAuthenticator.class.toString());
- private static final EELFLogger log = EELFManager.getInstance().getLogger(DMaaPOriginalUebAuthenticator.class);
- @Override
-// public K authenticate(DMaaPContext ctx) {
- // TODO Auto-generated method stub
- //return null;
- //}
-
- public K authenticate(DMaaPContext ctx) {
-
- /*final HttpServletRequest req = ctx.getRequest();
- for (DMaaPAuthenticator<K> a : fAuthenticators) {
- if (a.qualify(req)) {
- final K k = a.isAuthentic(req);
- if (k != null)
- return k;
- }
- // else: this request doesn't look right to the authenticator
- }*/
- return null;
- }
-
-
- public void addAuthenticator ( DMaaPAuthenticator<K> a )
- {
- //this.fAuthenticators.add(a);
- }
- //private final LinkedList<DMaaPAuthenticator<K>> fAuthenticators;
-}
\ No newline at end of file |