Diffstat (limited to 'src/main/java/org/onap/dmaap/dmf/mr/security')
6 files changed, 693 insertions, 0 deletions
diff --git a/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAAFAuthenticator.java b/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAAFAuthenticator.java
new file mode 100644
index 0000000..a7f2376
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAAFAuthenticator.java
@@ -0,0 +1,39 @@
+/*******************************************************************************
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+*
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ *
+ *******************************************************************************/
+package org.onap.dmaap.dmf.mr.security;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.dmaap.dmf.mr.CambriaApiException;
+
+
+
+
+/**
+ *
+ * @author sneha.d.desai
+ *
+ */
+public interface DMaaPAAFAuthenticator {
+ boolean aafAuthentication( HttpServletRequest req , String role);
+ String aafPermissionString(String permission, String action) throws CambriaApiException;
+}
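Review bot: The Javadoc on DMaaPAAFAuthenticator is empty and neither method states its contract, so a reader cannot tell from the interface that the first argument of `aafPermissionString` is a topic name — the implementation in this commit calls it `topicName` while the interface calls it `permission`. I would align the name and document the method: `String aafPermissionString(String topicName, String action) throws CambriaApiException;` with a Javadoc stating that it returns the AAF permission string of the form namespace.topic|:topic.NAME|action, plus a `@throws CambriaApiException` entry. `aafAuthentication` should likewise say that it delegates to `HttpServletRequest.isUserInRole(role)` and that `role` is passed through unchecked.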
diff --git a/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAAFAuthenticatorImpl.java b/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAAFAuthenticatorImpl.java
new file mode 100644
index 0000000..25644a7
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAAFAuthenticatorImpl.java
@@ -0,0 +1,80 @@
+/*******************************************************************************
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+*
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+ *
+ *******************************************************************************/
+package org.onap.dmaap.dmf.mr.security;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.dmaap.dmf.mr.CambriaApiException;
+import org.onap.dmaap.dmf.mr.constants.CambriaConstants;
+
+
+/**
+ *
+ * @author sneha.d.desai
+ *
+ */
+public class DMaaPAAFAuthenticatorImpl implements DMaaPAAFAuthenticator {
+
+ /**
+ * @param req
+ * @param role
+ */
+ @Override
+ public boolean aafAuthentication(HttpServletRequest req, String role) {
+ boolean auth = false;
+ if(req.isUserInRole(role))
+ {
+
+ auth = true;
+ }
+
+ return auth;
+ }
+
+ @Override
+ public String aafPermissionString(String topicName, String action) throws CambriaApiException {
+
+
+ String permission = "";
+ String nameSpace ="";
+ if(topicName.contains(".") && topicName.contains("org.onap")) {
+
+ nameSpace = topicName.substring(0,topicName.lastIndexOf("."));
+ }
+ else {
+ nameSpace = null;
+ nameSpace= com.att.ajsc.filemonitor.AJSCPropertiesMap.getProperty(CambriaConstants.msgRtr_prop,"defaultNSforUEB");
+
+ if(null==nameSpace)nameSpace="org.onap.dmaap.mr";
+
+
+
+ }
+
+ permission = nameSpace+".topic|:topic."+topicName+"|"+action;
+ return permission;
+
+ }
+
+
+
+}
diff --git a/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAuthenticator.java b/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAuthenticator.java
new file mode 100644
index 0000000..e6ff30f
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAuthenticator.java
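Review bot: In `aafPermissionString` the namespace is derived from the caller-supplied topic name whenever it merely `contains("org.onap")`, so a name such as `foo.org.onap.x` (constructed example) yields the namespace `foo.org.onap` instead of the configured default; if the intent is that only topics under the org.onap namespace carry their own namespace, `topicName.startsWith("org.onap.")` expresses that and cannot be satisfied by an embedded substring. The method also dereferences `topicName` before any check, so a null topic name throws NullPointerException rather than the CambriaApiException the signature declares; a guard such as `if (topicName == null || action == null) throw new CambriaApiException(...)` with the project's usual arguments would keep the declared contract. The initial `permission = ""` and `nameSpace = null` assignments are dead and can be dropped. A one-line Javadoc stating the produced format, `namespace.topic|:topic.<topicName>|<action>`, would document what callers are handed.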
@@ -0,0 +1,61 @@
+/*******************************************************************************
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+*
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ *
+ *******************************************************************************/
+package org.onap.dmaap.dmf.mr.security;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.dmaap.dmf.mr.beans.DMaaPContext;
+import com.att.nsa.security.NsaApiKey;
+
+
+/**
+ * An interface for authenticating an inbound request.
+ * @author nilanjana.maity
+ *
+ * @param <K> NsaApiKey
+ */
+public interface DMaaPAuthenticator<K extends NsaApiKey> {
+
+ /**
+ * Qualify a request as possibly using the authentication method that this class implements.
+ * @param req
+ * @return true if the request might be authenticated by this class
+ */
+ boolean qualify ( HttpServletRequest req );
+
+ /**
+ * Check for a request being authentic. If it is, return the API key. If not, return null. 
+ * @param req An inbound web request
+ * @return the API key for an authentic request, or null
+ */
+ K isAuthentic ( HttpServletRequest req );
+ /**
+ * Check for a ctx being authenticate. If it is, return the API key. If not, return null.
+ * @param ctx
+ * @return the API key for an authentication request, or null
+ */
+ K authenticate ( DMaaPContext ctx );
+
+
+ void addAuthenticator(DMaaPAuthenticator<K> a);
+
+}
diff --git a/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAuthenticatorImpl.java b/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAuthenticatorImpl.java
new file mode 100644
index 0000000..f0d0d4d
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dmf/mr/security/DMaaPAuthenticatorImpl.java
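Review bot: `addAuthenticator` is the only method on DMaaPAuthenticator without Javadoc, and nothing on the interface says how `qualify` and `isAuthentic` relate, so an implementor cannot tell whether `isAuthentic` may assume `qualify` already returned true — which is how DMaaPAuthenticatorImpl.authenticate in this commit calls them. I would state the two-step contract on the interface (`qualify` is a cheap header-presence check, `isAuthentic` does the real verification and is only invoked after `qualify` succeeds) and add above `addAuthenticator`: `/** Registers an additional authenticator to be consulted by this one; implementations that do not chain must document that they ignore or reject the call. */`. The `@param <K> NsaApiKey` tag would read better as `@param <K> the API key record type returned for an authenticated request`.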
@@ -0,0 +1,133 @@
+/*******************************************************************************
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+*
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ *
+ *******************************************************************************/
+package org.onap.dmaap.dmf.mr.security;
+
+import java.util.LinkedList;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.dmaap.dmf.mr.beans.DMaaPContext;
+import org.onap.dmaap.dmf.mr.security.impl.DMaaPOriginalUebAuthenticator;
+import com.att.nsa.security.NsaApiKey;
+import com.att.nsa.security.db.NsaApiDb;
+import com.att.nsa.security.db.simple.NsaSimpleApiKey;
+
+/**
+ *
+ * @author anowarul.islam
+ *
+ * @param <K>
+ */
+public class DMaaPAuthenticatorImpl<K extends NsaApiKey> implements DMaaPAuthenticator<K> {
+
+ private final LinkedList<DMaaPAuthenticator<K>> fAuthenticators;
+
+
+
+ // Setting timeout to a large value for testing purpose. 
+
+ // 10 minutes
+ private static final long kDefaultRequestTimeWindow = 1000 * 60 * 10 * 10 * 10 * 10 * 10;
+
+ /**
+ * Construct the security manager against an API key database
+ *
+ * @param db
+ * the API key db
+ */
+ public DMaaPAuthenticatorImpl(NsaApiDb<K> db) {
+ this(db, kDefaultRequestTimeWindow);
+ }
+
+
+
+
+ /**
+ * Construct the security manager against an API key database with a
+ * specific request time window size
+ *
+ * @param db
+ * the API key db
+ * @param authTimeWindowMs
+ * the size of the time window for request authentication
+ */
+ public DMaaPAuthenticatorImpl(NsaApiDb<K> db, long authTimeWindowMs) {
+ fAuthenticators = new LinkedList<>();
+
+ fAuthenticators.add(new DMaaPOriginalUebAuthenticator<K>(db, authTimeWindowMs));
+ }
+
+ /**
+ * Authenticate a user's request. This method returns the API key if the
+ * user is authentic, null otherwise.
+ *
+ * @param ctx
+ * @return an api key record, or null
+ */
+ public K authenticate(DMaaPContext ctx) {
+ final HttpServletRequest req = ctx.getRequest();
+ for (DMaaPAuthenticator<K> a : fAuthenticators) {
+ if (a.qualify(req)) {
+ final K k = a.isAuthentic(req);
+ if (k != null)
+ return k;
+ }
+ // else: this request doesn't look right to the authenticator
+ }
+ return null;
+ }
+
+ /**
+ * Get the user associated with the incoming request, or null if the user is
+ * not authenticated. 
+ *
+ * @param ctx
+ * @return
+ */
+ public static NsaSimpleApiKey getAuthenticatedUser(DMaaPContext ctx) {
+ final DMaaPAuthenticator<NsaSimpleApiKey> m = ctx.getConfigReader().getfSecurityManager();
+ return m.authenticate(ctx);
+ }
+
+ /**
+ * method by default returning false
+ * @param req
+ * @return false
+ */
+ public boolean qualify(HttpServletRequest req) {
+ return false;
+ }
+/**
+ * method by default returning null
+ * @param req
+ * @return null
+ */
+ public K isAuthentic(HttpServletRequest req) {
+ return null;
+ }
+
+ public void addAuthenticator ( DMaaPAuthenticator<K> a )
+ {
+ this.fAuthenticators.add(a);
+ }
+
+}
diff --git a/src/main/java/org/onap/dmaap/dmf/mr/security/impl/DMaaPMechIdAuthenticator.java b/src/main/java/org/onap/dmaap/dmf/mr/security/impl/DMaaPMechIdAuthenticator.java
new file mode 100644
index 0000000..6f2ebac
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dmf/mr/security/impl/DMaaPMechIdAuthenticator.java
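Review bot: `kDefaultRequestTimeWindow` is not the 10 minutes its comment claims: `1000 * 60 * 10 * 10 * 10 * 10 * 10` is evaluated in int arithmetic before being widened to long, and the true product 6,000,000,000 wraps to 1,705,032,704 ms, roughly 20 days. The comment above it says the large value is for testing, yet the one-argument constructor makes it the default window passed to DMaaPOriginalUebAuthenticator, so in production a signed request remains acceptable for weeks rather than minutes — the replay bound that check exists to enforce. I would write `private static final long kDefaultRequestTimeWindow = 1000L * 60 * 10; // 10 minutes` and have tests that need a wider window pass it through the two-argument constructor instead. The empty `@return` on `getAuthenticatedUser` should read `@return the authenticated API key, or null when no registered authenticator accepts the request`.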
@@ -0,0 +1,87 @@
+/*******************************************************************************
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+*
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ *
+ *******************************************************************************/
+package org.onap.dmaap.dmf.mr.security.impl;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.dmaap.dmf.mr.beans.DMaaPContext;
+import org.onap.dmaap.dmf.mr.security.DMaaPAuthenticator;
+
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+import com.att.nsa.security.NsaApiKey;
+import com.att.nsa.security.authenticators.MechIdAuthenticator;
+
+/**
+ * An authenticator for AT&T MechIds.
+ *
+ * @author peter
+ *
+ * @param <K>
+ */
+public class DMaaPMechIdAuthenticator <K extends NsaApiKey> implements DMaaPAuthenticator<K> {
+
+/**
+ * This is not yet implemented. 
by refault its returing false
+ * @param req HttpServletRequest
+ * @return false
+ */
+ public boolean qualify (HttpServletRequest req) {
+ // we haven't implemented anything here yet, so there's no qualifying request
+ return false;
+ }
+/**
+ * This metod authenticate the mech id
+ * @param req
+ * @return APIkey or null
+ */
+ public K isAuthentic (HttpServletRequest req) {
+ final String remoteAddr = req.getRemoteAddr();
+ authLog ( "MechId auth is not yet implemented.", remoteAddr );
+ return null;
+ }
+
+ private static void authLog ( String msg, String remoteAddr )
+ {
+ log.info ( "AUTH-LOG(" + remoteAddr + "): " + msg );
+ }
+
+
+ //private static final Logger log = Logger.getLogger( MechIdAuthenticator.class.toString());
+ private static final EELFLogger log = EELFManager.getInstance().getLogger(MechIdAuthenticator.class);
+/**
+ * Curently its not yet implemented returning null
+ * @param ctx DMaaP context
+ * @return APIkey or null
+ */
+ @Override
+ public K authenticate(DMaaPContext ctx) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+@Override
+public void addAuthenticator(DMaaPAuthenticator<K> a) {
+ // TODO Auto-generated method stub
+
+}
+
+}
\ No newline at end of file
diff --git a/src/main/java/org/onap/dmaap/dmf/mr/security/impl/DMaaPOriginalUebAuthenticator.java b/src/main/java/org/onap/dmaap/dmf/mr/security/impl/DMaaPOriginalUebAuthenticator.java
new file mode 100644
index 0000000..f8cb066
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dmf/mr/security/impl/DMaaPOriginalUebAuthenticator.java
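Review bot: `addAuthenticator` in DMaaPMechIdAuthenticator silently discards its argument, so a caller that registers a chained authenticator on this implementation gets neither chaining nor an error; until the class is implemented it should fail loudly with `throw new UnsupportedOperationException("DMaaPMechIdAuthenticator does not support chained authenticators");`. The logger is obtained for `MechIdAuthenticator.class`, the library class this one does not extend, so every AUTH-LOG line from here is attributed to the wrong class — `EELFManager.getInstance().getLogger(DMaaPMechIdAuthenticator.class)` fixes the attribution. The Javadoc on `qualify`, `isAuthentic` and `authenticate` carries typos (refault, metod, Curently) and the `TODO Auto-generated` comments should give way to one class-level Javadoc sentence saying this is a placeholder that never qualifies or authenticates a request.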
@@ -0,0 +1,293 @@
+/*******************************************************************************
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+*
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ *
+ *******************************************************************************/
+package org.onap.dmaap.dmf.mr.security.impl;
+
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.dmaap.dmf.mr.beans.DMaaPContext;
+import org.onap.dmaap.dmf.mr.security.DMaaPAuthenticator;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+import com.att.nsa.configs.ConfigDbException;
+import com.att.nsa.drumlin.till.data.sha1HmacSigner;
+import com.att.nsa.security.NsaApiKey;
+import com.att.nsa.security.db.NsaApiDb;
+
+/**
+ * This authenticator handles an AWS-like authentication, originally used by the
+ * Cambria server (the API server for UEB). 
+ *
+ * @author peter
+ *
+ * @param <K>
+ */
+public class DMaaPOriginalUebAuthenticator<K extends NsaApiKey> implements DMaaPAuthenticator<K> {
+ /**
+ * constructor initialization
+ *
+ * @param db
+ * @param requestTimeWindowMs
+ */
+ public DMaaPOriginalUebAuthenticator(NsaApiDb<K> db, long requestTimeWindowMs) {
+ fDb = db;
+ fRequestTimeWindowMs = requestTimeWindowMs;
+
+
+
+
+ }
+
+ @Override
+ public boolean qualify(HttpServletRequest req) {
+ // accept anything that comes in with X-(Cambria)Auth in the header
+ final String xAuth = getFirstHeader(req, new String[] { "X-CambriaAuth", "X-Auth" });
+ return xAuth != null;
+ }
+
+ /**
+ * method for authentication
+ *
+ * @param req
+ * @return
+ */
+ public K isAuthentic(HttpServletRequest req) {
+ final String remoteAddr = req.getRemoteAddr();
+ // Cambria originally used "Cambria..." headers, but as the API key
+ // system is now more
+ // general, we take either form.
+ final String xAuth = getFirstHeader(req, new String[] { "X-CambriaAuth", "X-Auth" });
+ final String xDate = getFirstHeader(req, new String[] { "X-CambriaDate", "X-Date" });
+
+ final String httpDate = req.getHeader("Date");
+
+ final String xNonce = getFirstHeader(req, new String[] { "X-Nonce" });
+ return authenticate(remoteAddr, xAuth, xDate, httpDate, xNonce);
+ }
+
+ /**
+ * Authenticate a user's request. This method returns the API key if the
+ * user is authentic, null otherwise. 
+ *
+ * @param remoteAddr
+ * @param xAuth
+ * @param xDate
+ * @param httpDate
+ * @param nonce
+ * @return an api key record, or null
+ */
+ public K authenticate(String remoteAddr, String xAuth, String xDate, String httpDate, String nonce) {
+ if (xAuth == null) {
+ authLog("No X-Auth header on request", remoteAddr);
+ return null;
+ }
+
+ final String[] xAuthParts = xAuth.split(":");
+ if (xAuthParts.length != 2) {
+ authLog("Bad X-Auth header format (" + xAuth + ")", remoteAddr);
+ return null;
+ }
+
+
+ // get the api key and signature
+ final String clientApiKey = xAuthParts[0];
+ final String clientApiHash = xAuthParts[1];
+ if (clientApiKey.length() == 0 || clientApiHash.length() == 0) {
+ authLog("Bad X-Auth header format (" + xAuth + ")", remoteAddr);
+ return null;
+ }
+ // if the user provided X-Date, use that. Otherwise, go for Date
+ final String dateString = xDate != null ? xDate : httpDate;
+ final Date clientDate = getClientDate(dateString);
+ if (clientDate == null) {
+ authLog("Couldn't parse client date '" + dateString + "'. Preferring X-Date over Date.", remoteAddr);
+ return null;
+ }
+ // check the time range
+ final long nowMs = System.currentTimeMillis();
+ final long diffMs = Math.abs(nowMs - clientDate.getTime());
+ if (diffMs > fRequestTimeWindowMs) {
+ authLog("Client date is not in acceptable range of server date. 
Client:" + clientDate.getTime() + + ", Server: " + nowMs + ", Threshold: " + fRequestTimeWindowMs + ".", remoteAddr); + return null; + } + K apiRecord; + try { + apiRecord = fDb.loadApiKey(clientApiKey); + if (apiRecord == null) { + authLog("No such API key " + clientApiKey, remoteAddr); + return null; + } + } catch (ConfigDbException e) { + authLog("Couldn't load API key " + clientApiKey + ": " + e.getMessage(), remoteAddr); + return null; + } + // make the signed content + final StringBuilder sb = new StringBuilder(); + sb.append(dateString); + if (nonce != null) { + sb.append(":"); + sb.append(nonce); + } + final String signedContent = sb.toString(); + // now check the signed date string + final String serverCalculatedSignature = sha1HmacSigner.sign(signedContent, apiRecord.getSecret()); + if (serverCalculatedSignature == null || !serverCalculatedSignature.equals(clientApiHash)) { + authLog("Signatures don't match. Rec'd " + clientApiHash + ", expect " + serverCalculatedSignature + ".", + remoteAddr); + return null; + } + authLog("authenticated " + apiRecord.getKey(), remoteAddr); + return apiRecord; + } + + /** + * Get the first value of the first existing header from the headers list + * + * @param req + * @param headers + * @return a header value, or null if none exist + */ + private static String getFirstHeader(HttpServletRequest req, String[] headers) { + for (String header : headers) { + final String result = req.getHeader(header); + if (result != null) + return result; + } + return null; + } + + /** + * Parse the date string into a Date using one of the supported date + * formats. 
+ * + * @param dateHeader + * @return a date, or null + */ + private static Date getClientDate(String dateString) { + if (dateString == null) { + return null; + } + + // parse the date + Date result = null; + for (String dateFormat : kDateFormats) { + final SimpleDateFormat parser = new SimpleDateFormat(dateFormat, java.util.Locale.US); + if (!dateFormat.contains("z") && !dateFormat.contains("Z")) { + parser.setTimeZone(TIMEZONE_GMT); + } + + try { + result = parser.parse(dateString); + break; + } catch (ParseException e) { + // presumably wrong format + } + } + return result; + } + + private static void authLog(String msg, String remoteAddr) { + log.info("AUTH-LOG(" + remoteAddr + "): " + msg); + } + + private final NsaApiDb<K> fDb; + private final long fRequestTimeWindowMs; + + private static final java.util.TimeZone TIMEZONE_GMT = java.util.TimeZone.getTimeZone("GMT"); + + private static final String kDateFormats[] = + { + // W3C date format (RFC 3339). + "yyyy-MM-dd'T'HH:mm:ssz", + "yyyy-MM-dd'T'HH:mm:ssXXX", // as of Java 7, reqd to handle colon in TZ offset + + // Preferred HTTP date format (RFC 1123). + "EEE, dd MMM yyyy HH:mm:ss zzz", + + // simple unix command line 'date' format + "EEE MMM dd HH:mm:ss z yyyy", + + // Common date format (RFC 822). + "EEE, dd MMM yy HH:mm:ss z", + "EEE, dd MMM yy HH:mm z", + "dd MMM yy HH:mm:ss z", + "dd MMM yy HH:mm z", + + // Obsoleted HTTP date format (ANSI C asctime() format). + "EEE MMM dd HH:mm:ss yyyy", + + // Obsoleted HTTP date format (RFC 1036). + "EEEE, dd-MMM-yy HH:mm:ss zzz", + }; + + + + + + + + + + + + + + + + + + + + // logger declaration + + private static final EELFLogger log = EELFManager.getInstance().getLogger(DMaaPOriginalUebAuthenticator.class); + @Override + + // TODO Auto-generated method stub + + //} + + public K authenticate(DMaaPContext ctx) { + + + + + + + + + + + return null; + } + + + public void addAuthenticator ( DMaaPAuthenticator<K> a ) + { + + } + +}
\ No newline at end of file |
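Review bot: The signature check in `authenticate(String, String, String, String, String)` compares the client's HMAC with `String.equals`, which stops at the first differing character; use a constant-time comparison, `!MessageDigest.isEqual(serverCalculatedSignature.getBytes(StandardCharsets.UTF_8), clientApiHash.getBytes(StandardCharsets.UTF_8))`, with `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` added to the imports. The mismatch branch then logs `expect <serverCalculatedSignature>`, which writes the valid signature for that date string and nonce into the AUTH-LOG while it is still within `fRequestTimeWindowMs`; log only the key id, e.g. `authLog("Signature mismatch for API key " + clientApiKey, remoteAddr);`. Because the nonce is optional and never recorded, the time window is the only bound on re-use of a signed request, which belongs in the class Javadoc so the window is not widened casually. The `authenticate(DMaaPContext)` and `addAuthenticator` bodies at the end are empty, the `@Override` sits above commented-out code rather than a method, and the long run of blank lines before the logger declaration should be removed.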