| Sai Gandham | d67a9de | 2018-05-25 15:48:11 +0000 | [diff] [blame] | 1 | .. This work is licensed under a Creative Commons Attribution 4.0 International License. |
| 2 | .. http://creativecommons.org/licenses/by/4.0 |
| 3 | |
| Instrumental | bbe7154 | 2018-05-25 12:29:38 -0500 | [diff] [blame] | 4 | Client Configuration |
| 5 | ==================== |
| Sai Gandham | d67a9de | 2018-05-25 15:48:11 +0000 | [diff] [blame] | 6 | |
| Sai Gandham | bd61eba | 2018-06-13 18:24:21 +0000 | [diff] [blame] | 7 | TEST version of "cadi.properties" |
| 8 | --------------------------------- |
| 9 | These properties point you to the ONAP TEST environment. |
| 10 | |
| 11 | Properties are separated into |
| 12 | |
| 13 | * etc |
| 14 | * main Property file which provides Client specific info. As a client, this could be put in container, or placed on Host Box |
| 15 | * The important thing is to LINK the property with Location and Certificate Properties, see "local" |
| 16 | * local |
| 17 | * where there is Machine specific information (i.e. GEO Location (Latitude/Longitude) |
| 18 | * where this is Machine specific Certificates (for running services) |
| 19 | * This is because the certificates used must match the Endpoint that the Container is running on |
| 20 | * Note Certificate Manager can Place all these components together in one place. |
| 21 | * For April, 2018, please write Jonathan.gathman@att.com for credentials until TEST Env with Certificate Manager is fully tested. Include |
| 22 | 1. AAF Namespace (you MUST be the owner for the request to be accepted) |
| 23 | 2. Fully Qualified App ID (ID + Namespace) |
| 24 | 3. Machine to be deployed on. |
| 25 | |
| 26 | Client Credentials |
| 27 | ------------------ |
| 28 | For Beijing, full TLS is expected among all components. AAF provides the "Certificate Manager" which can "Place" Certificate information |
| 29 | |
| 30 | Example Source Code |
| 31 | ------------------- |
| Sai Gandham | 4e6f7bc | 2018-06-15 08:37:30 -0500 | [diff] [blame] | 32 | Note the FULL class is available in the authz repo, cadi_aaf/org/onap/aaf/client/sample/Sample.java |
| 33 | |
| 34 | .. code-block:: java |
| 35 | |
| 36 | |
| 37 | /** |
| 38 | * ============LICENSE_START==================================================== |
| 39 | * org.onap.aaf |
| 40 | * =========================================================================== |
| 41 | * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. |
| 42 | * =========================================================================== |
| 43 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 44 | * you may not use this file except in compliance with the License. |
| 45 | * You may obtain a copy of the License at |
| 46 | * |
| 47 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 48 | * |
| 49 | * Unless required by applicable law or agreed to in writing, software |
| 50 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 51 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 52 | * See the License for the specific language governing permissions and |
| 53 | * limitations under the License. |
| 54 | * ============LICENSE_END==================================================== |
| 55 | * |
| 56 | */ |
| 57 | |
| 58 | package org.onap.aaf.client.sample; |
| 59 | |
| 60 | import java.io.IOException; |
| 61 | import java.security.Principal; |
| 62 | import java.util.ArrayList; |
| 63 | import java.util.List; |
| 64 | |
| 65 | import org.onap.aaf.cadi.Access; |
| 66 | import org.onap.aaf.cadi.CadiException; |
| 67 | import org.onap.aaf.cadi.LocatorException; |
| 68 | import org.onap.aaf.cadi.Permission; |
| 69 | import org.onap.aaf.cadi.PropAccess; |
| 70 | import org.onap.aaf.cadi.aaf.AAFPermission; |
| 71 | import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn; |
| 72 | import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; |
| 73 | import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm; |
| 74 | import org.onap.aaf.cadi.principal.UnAuthPrincipal; |
| 75 | import org.onap.aaf.cadi.util.Split; |
| 76 | import org.onap.aaf.misc.env.APIException; |
| 77 | |
| 78 | public class Sample { |
| 79 | private static Sample singleton; |
| 80 | final private AAFConHttp aafcon; |
| 81 | final private AAFLurPerm aafLur; |
| 82 | final private AAFAuthn<?> aafAuthn; |
| 83 | |
| 84 | /** |
| 85 | * This method is to emphasize the importance of not creating the AAFObjects over and over again. |
| 86 | * @return |
| 87 | */ |
| 88 | public static Sample singleton() { |
| 89 | return singleton; |
| 90 | } |
| 91 | |
| 92 | public Sample(Access myAccess) throws APIException, CadiException, LocatorException { |
| 93 | aafcon = new AAFConHttp(myAccess); |
| 94 | aafLur = aafcon.newLur(); |
| 95 | aafAuthn = aafcon.newAuthn(aafLur); |
| 96 | } |
| 97 | |
| 98 | /** |
| 99 | * Checking credentials outside of HTTP/S presents fewer options initially. There is not, for instance, |
| 100 | * the option of using 2-way TLS HTTP/S. |
| 101 | * |
| 102 | * However, Password Checks are still useful, and, if the Client Certificate could be obtained in other ways, the |
| 103 | * Interface can be expanded in the future to include Certificates. |
| 104 | * @throws CadiException |
| 105 | * @throws IOException |
| 106 | */ |
| 107 | public Principal checkUserPass(String fqi, String pass) throws IOException, CadiException { |
| 108 | String ok = aafAuthn.validate(fqi, pass); |
| 109 | if(ok==null) { |
| 110 | System.out.println("Success!"); |
| 111 | /* |
| 112 | UnAuthPrincipal means that it is not coming from the official Authorization chain. |
| 113 | This is useful for Security Plugins which don't use Principal as the tie between |
| 114 | Authentication and Authorization |
| 115 | |
| 116 | You can also use this if you want to check Authorization without actually Authenticating, as may |
| 117 | be the case with certain Onboarding Tooling. |
| 118 | */ |
| 119 | return new UnAuthPrincipal(fqi); |
| 120 | } else { |
| 121 | System.out.printf("Failure: %s\n",ok); |
| 122 | return null; |
| 123 | } |
| 124 | |
| 125 | |
| 126 | } |
| 127 | |
| 128 | /** |
| 129 | * An example of looking for One Permission within all the permissions user has. CADI does cache these, |
| 130 | * so the call is not expensive. |
| 131 | * |
| 132 | * Note: If you are using "J2EE" (Servlets), CADI ties this function to the method: |
| 133 | * HttpServletRequest.isUserInRole(String user) |
| 134 | * |
| 135 | * The J2EE user can expect that his servlet will NOT be called without a Validated Principal, and that |
| 136 | * "isUserInRole()" will validate if the user has the Permission designated. |
| 137 | * |
| 138 | */ |
| 139 | public boolean oneAuthorization(Principal fqi, Permission p) { |
| 140 | return aafLur.fish(fqi, p); |
| 141 | } |
| 142 | |
| 143 | public List<Permission> allAuthorization(Principal fqi) { |
| 144 | List<Permission> pond = new ArrayList<Permission>(); |
| 145 | aafLur.fishAll(fqi, pond); |
| 146 | return pond; |
| 147 | } |
| 148 | |
| 149 | |
| 150 | public static void main(String[] args) { |
| 151 | // Note: you can pick up Properties from Command line as well as VM Properties |
| 152 | // Code "user_fqi=... user_pass=..." (where user_pass can be encrypted) in the command line for this sample. |
| 153 | // Also code "perm=<perm type>|<instance>|<action>" to test a specific Permission |
| 154 | PropAccess myAccess = new PropAccess(args); |
| 155 | try { |
| 156 | /* |
| 157 | * NOTE: Do NOT CREATE new aafcon, aafLur and aafAuthn each transaction. They are built to be |
| 158 | * reused! |
| 159 | * |
| 160 | * This is why this code demonstrates "Sample" as a singleton. |
| 161 | */ |
| 162 | singleton = new Sample(myAccess); |
| 163 | String user = myAccess.getProperty("user_fqi"); |
| 164 | String pass= myAccess.getProperty("user_pass"); |
| 165 | |
| 166 | if(user==null || pass==null) { |
| 167 | System.err.println("This Sample class requires properties user_fqi and user_pass"); |
| 168 | } else { |
| 169 | pass = myAccess.decrypt(pass, false); // Note, with "false", decryption will only happen if starts with "enc:" |
| 170 | // See the CODE for Java Methods used |
| 171 | Principal fqi = Sample.singleton().checkUserPass(user,pass); |
| 172 | |
| 173 | if(fqi==null) { |
| 174 | System.out.println("OK, normally, you would cease processing for an " |
| 175 | + "unauthenticated user, but for the purpose of Sample, we'll keep going.\n"); |
| 176 | fqi=new UnAuthPrincipal(user); |
| 177 | } |
| 178 | |
| 179 | // AGAIN, NOTE: If your client fails Authentication, the right behavior 99.9% |
| 180 | // of the time is to drop the transaction. We continue for sample only. |
| 181 | |
| 182 | // note, default String for perm |
| 183 | String permS = myAccess.getProperty("perm","org.osaaf.aaf.access|*|read"); |
| 184 | String[] permA = Split.splitTrim('|', permS); |
| 185 | if(permA.length>2) { |
| 186 | final Permission perm = new AAFPermission(permA[0],permA[1],permA[2]); |
| 187 | // See the CODE for Java Methods used |
| 188 | if(singleton().oneAuthorization(fqi, perm)) { |
| 189 | System.out.printf("Success: %s has %s\n",fqi.getName(),permS); |
| 190 | } else { |
| 191 | System.out.printf("%s does NOT have %s\n",fqi.getName(),permS); |
| 192 | } |
| 193 | } |
| 194 | |
| 195 | |
| 196 | // Another form, you can get ALL permissions in a list |
| 197 | // See the CODE for Java Methods used |
| 198 | List<Permission> permL = singleton().allAuthorization(fqi); |
| 199 | if(permL.size()==0) { |
| 200 | System.out.printf("User %s has no Permissions THAT THE CALLER CAN SEE",fqi.getName()); |
| 201 | } else { |
| 202 | System.out.print("Success:\n"); |
| 203 | for(Permission p : permL) { |
| 204 | System.out.printf("\t%s has %s\n",fqi.getName(),p.getKey()); |
| 205 | } |
| 206 | } |
| 207 | } |
| 208 | } catch (APIException | CadiException | LocatorException | IOException e) { |
| 209 | e.printStackTrace(); |
| 210 | } |
| 211 | } |
| 212 | } |