2 * Copyright (c) 2013 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
9 package org.opendaylight.controller.usermanager.internal;
11 import java.io.BufferedReader;
13 import java.io.FileNotFoundException;
14 import java.io.FileReader;
15 import java.io.IOException;
16 import java.io.ObjectInputStream;
17 import java.util.ArrayList;
18 import java.util.Collections;
19 import java.util.EnumSet;
20 import java.util.HashMap;
21 import java.util.HashSet;
22 import java.util.List;
25 import java.util.concurrent.ConcurrentHashMap;
26 import java.util.concurrent.ConcurrentMap;
28 import org.apache.commons.lang3.StringUtils;
29 import org.eclipse.osgi.framework.console.CommandInterpreter;
30 import org.eclipse.osgi.framework.console.CommandProvider;
31 import org.opendaylight.controller.clustering.services.CacheConfigException;
32 import org.opendaylight.controller.clustering.services.CacheExistException;
33 import org.opendaylight.controller.clustering.services.IClusterGlobalServices;
34 import org.opendaylight.controller.clustering.services.IClusterServices;
35 import org.opendaylight.controller.configuration.ConfigurationObject;
36 import org.opendaylight.controller.configuration.IConfigurationAware;
37 import org.opendaylight.controller.configuration.IConfigurationService;
38 import org.opendaylight.controller.containermanager.IContainerAuthorization;
39 import org.opendaylight.controller.sal.authorization.AuthResultEnum;
40 import org.opendaylight.controller.sal.authorization.IResourceAuthorization;
41 import org.opendaylight.controller.sal.authorization.UserLevel;
42 import org.opendaylight.controller.sal.utils.IObjectReader;
43 import org.opendaylight.controller.sal.utils.Status;
44 import org.opendaylight.controller.sal.utils.StatusCode;
45 import org.opendaylight.controller.usermanager.AuthResponse;
46 import org.opendaylight.controller.usermanager.AuthenticatedUser;
47 import org.opendaylight.controller.usermanager.AuthorizationConfig;
48 import org.opendaylight.controller.usermanager.IAAAProvider;
49 import org.opendaylight.controller.usermanager.ISessionManager;
50 import org.opendaylight.controller.usermanager.IUserManager;
51 import org.opendaylight.controller.usermanager.ServerConfig;
52 import org.opendaylight.controller.usermanager.UserConfig;
53 import org.opendaylight.controller.usermanager.security.SessionManager;
54 import org.opendaylight.controller.usermanager.security.UserSecurityContextRepository;
55 import org.osgi.framework.BundleContext;
56 import org.osgi.framework.BundleException;
57 import org.osgi.framework.FrameworkUtil;
58 import org.slf4j.Logger;
59 import org.slf4j.LoggerFactory;
60 import org.springframework.security.authentication.AuthenticationProvider;
61 import org.springframework.security.authentication.AuthenticationServiceException;
62 import org.springframework.security.authentication.BadCredentialsException;
63 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
64 import org.springframework.security.core.Authentication;
65 import org.springframework.security.core.AuthenticationException;
66 import org.springframework.security.core.userdetails.User;
67 import org.springframework.security.core.userdetails.UserDetails;
68 import org.springframework.security.core.userdetails.UsernameNotFoundException;
69 import org.springframework.security.web.context.SecurityContextRepository;
72 * The internal implementation of the User Manager.
74 public class UserManager implements IUserManager, IObjectReader,
75 IConfigurationAware, CommandProvider, AuthenticationProvider {
76 private static final Logger logger = LoggerFactory.getLogger(UserManager.class);
77 private static final String DEFAULT_ADMIN = "admin";
78 private static final String DEFAULT_ADMIN_PASSWORD = "admin";
79 private static final String DEFAULT_ADMIN_ROLE = UserLevel.NETWORKADMIN.toString();
80 private static final String USERS_FILE_NAME = "users.conf";
81 private static final String SERVERS_FILE_NAME = "servers.conf";
82 private static final String AUTH_FILE_NAME = "authorization.conf";
83 private static final String RECOVERY_FILE = "NETWORK_ADMIN_PASSWORD_RECOVERY";
84 private static final boolean DISALLOW_DEFAULT_ADMIN_PASSWORD =
85 Boolean.getBoolean("usermanager.disable-default-admin-password");
86 private ConcurrentMap<String, UserConfig> localUserConfigList;
87 private ConcurrentMap<String, ServerConfig> remoteServerConfigList;
88 // local authorization info for remotely authenticated users
89 private ConcurrentMap<String, AuthorizationConfig> authorizationConfList;
90 private ConcurrentMap<String, AuthenticatedUser> activeUsers;
91 private ConcurrentMap<String, IAAAProvider> authProviders;
92 private IClusterGlobalServices clusterGlobalService = null;
93 private IConfigurationService configurationService;
94 private SecurityContextRepository securityContextRepo = new UserSecurityContextRepository();
95 private IContainerAuthorization containerAuthorizationClient;
96 private Set<IResourceAuthorization> applicationAuthorizationClients;
97 private ISessionManager sessionMgr = new SessionManager();
98 protected enum Command {
100 MODIFY("modify", "modified"),
101 REMOVE("remove", "removed");
102 private final String action;
103 private final String postAction;
104 private Command(String action, String postAction) {
105 this.action = action;
106 this.postAction = postAction;
109 public String getAction() {
113 public String getPostAction() {
118 public boolean addAAAProvider(IAAAProvider provider) {
119 if (provider == null || provider.getName() == null
120 || provider.getName().trim().isEmpty()) {
123 if (authProviders.get(provider.getName()) != null) {
127 authProviders.put(provider.getName(), provider);
131 public void removeAAAProvider(IAAAProvider provider) {
132 authProviders.remove(provider.getName());
135 public IAAAProvider getAAAProvider(String name) {
136 return authProviders.get(name);
140 public Set<String> getAAAProviderNames() {
141 return authProviders.keySet();
144 private void allocateCaches() {
145 this.applicationAuthorizationClients = Collections.synchronizedSet(new HashSet<IResourceAuthorization>());
146 if (clusterGlobalService == null) {
147 logger.error("un-initialized clusterGlobalService, can't create cache");
152 clusterGlobalService.createCache("usermanager.localUserConfigList",
153 EnumSet.of(IClusterServices.cacheMode.TRANSACTIONAL));
155 clusterGlobalService.createCache(
156 "usermanager.remoteServerConfigList",
157 EnumSet.of(IClusterServices.cacheMode.TRANSACTIONAL));
159 clusterGlobalService.createCache(
160 "usermanager.authorizationConfList",
161 EnumSet.of(IClusterServices.cacheMode.TRANSACTIONAL));
163 clusterGlobalService.createCache("usermanager.activeUsers",
164 EnumSet.of(IClusterServices.cacheMode.TRANSACTIONAL));
165 } catch (CacheConfigException cce) {
166 logger.error("Cache configuration invalid - check cache mode");
167 } catch (CacheExistException ce) {
168 logger.debug("Skipping cache creation as already present");
172 @SuppressWarnings({ "unchecked" })
173 private void retrieveCaches() {
174 if (clusterGlobalService == null) {
175 logger.error("un-initialized clusterService, can't retrieve cache");
179 activeUsers = (ConcurrentMap<String, AuthenticatedUser>) clusterGlobalService
180 .getCache("usermanager.activeUsers");
181 if (activeUsers == null) {
182 logger.error("Failed to get cache for activeUsers");
185 localUserConfigList = (ConcurrentMap<String, UserConfig>) clusterGlobalService
186 .getCache("usermanager.localUserConfigList");
187 if (localUserConfigList == null) {
188 logger.error("Failed to get cache for localUserConfigList");
191 remoteServerConfigList = (ConcurrentMap<String, ServerConfig>) clusterGlobalService
192 .getCache("usermanager.remoteServerConfigList");
193 if (remoteServerConfigList == null) {
194 logger.error("Failed to get cache for remoteServerConfigList");
197 authorizationConfList = (ConcurrentMap<String, AuthorizationConfig>) clusterGlobalService
198 .getCache("usermanager.authorizationConfList");
199 if (authorizationConfList == null) {
200 logger.error("Failed to get cache for authorizationConfList");
204 private void loadConfigurations() {
205 // To encode and decode user and server configuration objects
208 * Do not load local startup file if we are not the coordinator
215 private void loadSecurityKeys() {
219 private void checkDefaultNetworkAdmin(String newPass) {
220 boolean usingFactoryPassword = false;
221 // network admin already configured.
222 if (localUserConfigList.containsKey(DEFAULT_ADMIN)) {
223 UserConfig uc = localUserConfigList.get(DEFAULT_ADMIN);
224 if (!uc.isPasswordMatch(DEFAULT_ADMIN_PASSWORD)) {
227 usingFactoryPassword = true;
231 List<String> defaultRoles = new ArrayList<String>(1);
232 defaultRoles.add(DEFAULT_ADMIN_ROLE);
233 if (newPass == null) {
234 if (!localUserConfigList.containsKey(DEFAULT_ADMIN)) {
235 // Need to skip the strong password check for the default admin
236 UserConfig defaultAdmin = UserConfig.getUncheckedUserConfig(
237 UserManager.DEFAULT_ADMIN, UserManager.DEFAULT_ADMIN_PASSWORD,
239 localUserConfigList.put(UserManager.DEFAULT_ADMIN, defaultAdmin);
240 usingFactoryPassword = true;
243 // use new password for admin
244 Status status = UserConfig.validateClearTextPassword(newPass);
245 if (status.isSuccess()) {
246 localUserConfigList.put(UserManager.DEFAULT_ADMIN,
247 new UserConfig(UserManager.DEFAULT_ADMIN, newPass, defaultRoles));
248 logger.trace("Network Adminstrator password is reset.");
249 if (newPass.equals(DEFAULT_ADMIN_PASSWORD)) {
250 usingFactoryPassword = true;
253 logger.warn("Password is invalid - {}. Network Adminstrator password " +
254 "cannot be set.", status.getDescription());
258 if (usingFactoryPassword) {
259 if (DISALLOW_DEFAULT_ADMIN_PASSWORD) {
260 logger.warn("Network Administrator factory default password " +
261 "is disallowed. Please set the password prior to starting " +
262 "the controller. Shutting down now.");
265 BundleContext bundleContext = FrameworkUtil.getBundle(
266 getClass()).getBundleContext();
267 bundleContext.getBundle(0).stop();
268 } catch (BundleException e) {
269 logger.warn("Cannot stop framework ", e);
272 logger.warn("Network Administrator password is set to factory default. " +
273 "Please change the password as soon as possible.");
278 private String checkPasswordRecovery() {
279 final String fileDescription = "Default Network Administrator password recovery file";
280 File recoveryFile = new File(UserManager.RECOVERY_FILE);
281 if (!recoveryFile.exists()) return null;
282 // read the recovery file
285 BufferedReader reader = new BufferedReader(new FileReader(recoveryFile));
286 // read password from recovery file if it has one
287 pwd = reader.readLine();
288 if (pwd != null && pwd.trim().length() == 0) {
293 * Recovery file detected, remove current default network
294 * administrator entry from local users configuration list.
295 * Warn user and delete recovery file.
297 this.localUserConfigList.remove(UserManager.DEFAULT_ADMIN);
298 if (!recoveryFile.delete()) {
299 logger.warn("Failed to delete {}", fileDescription);
301 logger.trace("{} deleted", fileDescription);
303 } catch (IOException e) {
304 logger.warn("Failed to process file {}", fileDescription);
310 public AuthResultEnum authenticate(String userName, String password) {
311 IAAAProvider aaaClient;
312 AuthResponse rcResponse = null;
313 AuthenticatedUser result;
314 boolean remotelyAuthenticated = false;
315 boolean authorizationInfoIsPresent = false;
316 boolean authorized = false;
319 * Attempt remote authentication first if server is configured
321 for (ServerConfig aaaServer : remoteServerConfigList.values()) {
322 String protocol = aaaServer.getProtocol();
323 aaaClient = this.getAAAProvider(protocol);
324 if (aaaClient != null) {
325 rcResponse = aaaClient.authService(userName, password,
326 aaaServer.getAddress(), aaaServer.getSecret());
327 if (rcResponse.getStatus() == AuthResultEnum.AUTH_ACCEPT) {
329 "Remote Authentication Succeeded for User: \"{}\", by Server: {}",
330 userName, aaaServer.getAddress());
331 remotelyAuthenticated = true;
333 } else if (rcResponse.getStatus() == AuthResultEnum.AUTH_REJECT) {
335 "Remote Authentication Rejected User: \"{}\", from Server: {}, Reason:{}",
336 new Object[] { userName, aaaServer.getAddress(),
337 rcResponse.getStatus().toString() });
340 "Remote Authentication Failed for User: \"{}\", from Server: {}, Reason:{}",
341 new Object[] { userName, aaaServer.getAddress(),
342 rcResponse.getStatus().toString() });
347 if (!remotelyAuthenticated) {
348 UserConfig localUser = this.localUserConfigList.get(userName);
349 if (localUser == null) {
351 "Local Authentication Failed for User:\"{}\", Reason: "
352 + "user not found in Local Database", userName);
353 return (AuthResultEnum.AUTH_INVALID_LOC_USER);
355 rcResponse = localUser.authenticate(password);
356 if (rcResponse.getStatus() != AuthResultEnum.AUTH_ACCEPT_LOC) {
358 "Local Authentication Failed for User: \"{}\", Reason: {}",
359 userName, rcResponse.getStatus().toString());
361 return (rcResponse.getStatus());
363 logger.trace("Local Authentication Succeeded for User: \"{}\"",
368 * Authentication succeeded
370 result = new AuthenticatedUser(userName);
373 * Extract attributes from response All the information we are
374 * interested in is in the first Cisco VSA (vendor specific attribute).
375 * Just process the first VSA and return
377 String attributes = (rcResponse.getData() != null && !rcResponse
378 .getData().isEmpty()) ? rcResponse.getData().get(0) : null;
381 * Check if the authorization information is present
383 authorizationInfoIsPresent = checkAuthorizationInfo(attributes);
386 * The AAA server was only used to perform the authentication Look for
387 * locally stored authorization info for this user If found, add the
388 * data to the rcResponse
390 if (remotelyAuthenticated && !authorizationInfoIsPresent) {
392 "No Remote Authorization Info provided by Server for User: \"{}\"",
395 "Looking for Local Authorization Info for User: \"{}\"",
398 AuthorizationConfig resource = authorizationConfList.get(userName);
399 if (resource != null) {
400 logger.trace("Found Local Authorization Info for User: \"{}\"",
402 attributes = resource.getRolesString();
405 authorizationInfoIsPresent = checkAuthorizationInfo(attributes);
409 * Common response parsing for local & remote authenticated user Looking
410 * for authorized resources, detecting attributes' validity
412 if (authorizationInfoIsPresent) {
413 // Identifying the administrative role
414 result.setRoleList(attributes.split(" "));
417 logger.trace("Not able to find Authorization Info for User: \"{}\"",
422 * Add profile for authenticated user
424 putUserInActiveList(userName, result);
426 logger.trace("User \"{}\" authorized for the following role(s): {}",
427 userName, result.getUserRoles());
429 logger.trace("User \"{}\" Not Authorized for any role ", userName);
432 return rcResponse.getStatus();
435 // Check in the attributes string whether or not authorization information
437 private boolean checkAuthorizationInfo(String attributes) {
438 return (attributes != null && !attributes.isEmpty());
441 private void putUserInActiveList(String user, AuthenticatedUser result) {
442 activeUsers.put(user, result);
445 private void removeUserFromActiveList(String user) {
446 if (!activeUsers.containsKey(user)) {
447 // as cookie persists in cache, we can get logout for unexisting
451 activeUsers.remove(user);
455 public Status saveLocalUserList() {
456 return saveLocalUserListInternal();
459 private Status saveLocalUserListInternal() {
460 return configurationService.persistConfiguration(
461 new ArrayList<ConfigurationObject>(localUserConfigList.values()), USERS_FILE_NAME);
465 public Status saveAAAServerList() {
466 return saveAAAServerListInternal();
469 private Status saveAAAServerListInternal() {
470 return configurationService.persistConfiguration(
471 new ArrayList<ConfigurationObject>(remoteServerConfigList.values()), SERVERS_FILE_NAME);
475 public Status saveAuthorizationList() {
476 return saveAuthorizationListInternal();
479 private Status saveAuthorizationListInternal() {
480 return configurationService.persistConfiguration(
481 new ArrayList<ConfigurationObject>(authorizationConfList.values()), AUTH_FILE_NAME);
485 public Object readObject(ObjectInputStream ois)
486 throws FileNotFoundException, IOException, ClassNotFoundException {
487 // Perform the class deserialization locally, from inside the package
488 // where the class is defined
489 return ois.readObject();
492 private void loadUserConfig() {
493 for (ConfigurationObject conf : configurationService.retrieveConfiguration(this, USERS_FILE_NAME)) {
494 addRemoveLocalUserInternal((UserConfig) conf, false);
498 private void loadServerConfig() {
499 for (ConfigurationObject conf : configurationService.retrieveConfiguration(this, SERVERS_FILE_NAME)) {
500 addAAAServer((ServerConfig) conf);
504 private void loadAuthConfig() {
505 for (ConfigurationObject conf : configurationService.retrieveConfiguration(this, AUTH_FILE_NAME)) {
506 addAuthInfo((AuthorizationConfig) conf);
511 * Interaction with GUI START
513 private Status changeLocalUser(UserConfig AAAconf, Command command) {
514 // UserConfig Validation check
515 Status validCheck = AAAconf.validate();
516 if (!validCheck.isSuccess()) {
520 String user = AAAconf.getUser();
522 // Check default admin user
523 if (user.equals(UserManager.DEFAULT_ADMIN)) {
524 String msg = String.format("Invalid Request: Default Network Admin User cannot be %s", command.getPostAction());
526 return new Status(StatusCode.NOTALLOWED, msg);
529 // Check user presence/conflict
530 UserConfig currentAAAconf = localUserConfigList.get(user);
531 StatusCode statusCode = null;
532 String reason = null;
535 if (currentAAAconf != null) {
536 reason = "already present";
537 statusCode = StatusCode.CONFLICT;
542 if (currentAAAconf == null) {
543 reason = "not found";
544 statusCode = StatusCode.NOTFOUND;
551 if (statusCode != null) {
552 String action = String.format("Failed to %s user %s: ", command.getAction(), user);
553 String msg = String.format("User %s %s in configuration database", user, reason);
554 logger.debug(action + msg);
555 return new Status(statusCode, msg);
560 return addRemoveLocalUserInternal(AAAconf, false);
562 addRemoveLocalUserInternal(currentAAAconf, true);
563 return addRemoveLocalUserInternal(AAAconf, false);
565 return addRemoveLocalUserInternal(AAAconf, true);
567 return new Status(StatusCode.INTERNALERROR, "Unknown action");
571 private Status addRemoveLocalUserInternal(UserConfig AAAconf, boolean delete) {
572 // Update Config database
574 localUserConfigList.remove(AAAconf.getUser());
576 * A user account has been removed form local database, we assume
577 * admin does not want this user to stay connected, in case he has
578 * an open session. So we clean the active list as well.
580 removeUserFromActiveList(AAAconf.getUser());
582 localUserConfigList.put(AAAconf.getUser(), AAAconf);
585 return new Status(StatusCode.SUCCESS);
588 private Status addRemoveAAAServer(ServerConfig AAAconf, boolean delete) {
590 if (!AAAconf.isValid()) {
591 String msg = "Invalid Server configuration";
593 return new Status(StatusCode.BADREQUEST, msg);
596 // Update configuration database
598 remoteServerConfigList.remove(AAAconf.getAddress());
600 remoteServerConfigList.put(AAAconf.getAddress(), AAAconf);
603 return new Status(StatusCode.SUCCESS);
606 private Status addRemoveAuthInfo(AuthorizationConfig AAAconf, boolean delete) {
607 Status configCheck = AAAconf.validate();
608 if (!configCheck.isSuccess()) {
609 String msg = "Invalid Authorization configuration: "
610 + configCheck.getDescription();
612 return new Status(StatusCode.BADREQUEST, msg);
615 // Update configuration database
617 authorizationConfList.remove(AAAconf.getUser());
619 authorizationConfList.put(AAAconf.getUser(), AAAconf);
622 return new Status(StatusCode.SUCCESS);
626 public Status addLocalUser(UserConfig AAAconf) {
627 return changeLocalUser(AAAconf, Command.ADD);
631 public Status modifyLocalUser(UserConfig AAAconf) {
632 return changeLocalUser(AAAconf, Command.MODIFY);
636 public Status removeLocalUser(UserConfig AAAconf) {
637 return changeLocalUser(AAAconf, Command.REMOVE);
641 public Status removeLocalUser(String userName) {
642 if (userName == null || userName.trim().isEmpty()) {
643 return new Status(StatusCode.BADREQUEST, "Invalid user name");
646 if (!localUserConfigList.containsKey(userName)) {
647 return new Status(StatusCode.NOTFOUND, "User does not exist");
650 return changeLocalUser(localUserConfigList.get(userName), Command.REMOVE);
654 public Status addAAAServer(ServerConfig AAAconf) {
655 return addRemoveAAAServer(AAAconf, false);
659 public Status removeAAAServer(ServerConfig AAAconf) {
660 return addRemoveAAAServer(AAAconf, true);
664 public Status addAuthInfo(AuthorizationConfig AAAconf) {
665 return addRemoveAuthInfo(AAAconf, false);
669 public Status removeAuthInfo(AuthorizationConfig AAAconf) {
670 return addRemoveAuthInfo(AAAconf, true);
674 public List<UserConfig> getLocalUserList() {
675 return new ArrayList<UserConfig>(localUserConfigList.values());
679 public List<ServerConfig> getAAAServerList() {
680 return new ArrayList<ServerConfig>(remoteServerConfigList.values());
684 public List<AuthorizationConfig> getAuthorizationList() {
685 return new ArrayList<AuthorizationConfig>(
686 authorizationConfList.values());
690 public Status changeLocalUserPassword(String user, String curPassword, String newPassword) {
691 UserConfig targetConfigEntry = null;
693 // update configuration entry
694 targetConfigEntry = localUserConfigList.get(user);
695 if (targetConfigEntry == null) {
696 return new Status(StatusCode.NOTFOUND, "User not found");
698 Status status = targetConfigEntry.update(curPassword, newPassword, null);
699 if (!status.isSuccess()) {
702 // Trigger cluster update
703 localUserConfigList.put(user, targetConfigEntry);
705 logger.trace("Password changed for User \"{}\"", user);
711 public void userLogout(String userName) {
712 // TODO: if user was authenticated through AAA server, send
713 // Acct-Status-Type=stop message to server with logout as reason
714 removeUserFromActiveList(userName);
715 logger.trace("User \"{}\" logged out", userName);
719 * This function will get called by http session mgr when session times out
722 public void userTimedOut(String userName) {
723 // TODO: if user was authenticated through AAA server, send
724 // Acct-Status-Type=stop message to server with timeout as reason
725 removeUserFromActiveList(userName);
726 logger.trace("User \"{}\" timed out", userName);
730 public String getAccessDate(String user) {
731 return this.activeUsers.get(user).getAccessDate();
735 public synchronized Map<String, List<String>> getUserLoggedIn() {
736 Map<String, List<String>> loggedInList = new HashMap<String, List<String>>();
737 for (Map.Entry<String, AuthenticatedUser> user : activeUsers.entrySet()) {
738 String userNameShow = user.getKey();
739 loggedInList.put(userNameShow, user.getValue().getUserRoles());
744 public void _umAddUser(CommandInterpreter ci) {
745 String userName = ci.nextArgument();
746 String password = ci.nextArgument();
747 String role = ci.nextArgument();
749 List<String> roles = new ArrayList<String>();
750 while (role != null) {
751 if (!role.trim().isEmpty()) {
754 role = ci.nextArgument();
757 if (userName == null || userName.trim().isEmpty() || password == null || password.trim().isEmpty()
758 || roles.isEmpty()) {
759 ci.println("Invalid Arguments");
760 ci.println("umAddUser <user_name> <password> <user_role>");
763 ci.print(this.addLocalUser(new UserConfig(userName, password, roles)));
766 public void _umRemUser(CommandInterpreter ci) {
767 String userName = ci.nextArgument();
769 if (userName == null || userName.trim().isEmpty()) {
770 ci.println("Invalid Arguments");
771 ci.println("umRemUser <user_name>");
774 UserConfig target = localUserConfigList.get(userName);
775 if (target == null) {
776 ci.println("User not found");
779 ci.println(this.removeLocalUser(target));
782 public void _umGetUsers(CommandInterpreter ci) {
783 for (UserConfig conf : this.getLocalUserList()) {
784 ci.println(conf.getUser() + " " + conf.getRoles());
788 public void _addAAAServer(CommandInterpreter ci) {
789 String server = ci.nextArgument();
790 String secret = ci.nextArgument();
791 String protocol = ci.nextArgument();
793 if (server == null || secret == null || protocol == null) {
794 ci.println("Usage : addAAAServer <server> <secret> <protocol>");
797 ServerConfig s = new ServerConfig(server, secret, protocol);
801 public void _removeAAAServer(CommandInterpreter ci) {
802 String server = ci.nextArgument();
803 String secret = ci.nextArgument();
804 String protocol = ci.nextArgument();
806 if (server == null || secret == null || protocol == null) {
807 ci.println("Usage : addAAAServer <server> <secret> <protocol>");
810 ServerConfig s = new ServerConfig(server, secret, protocol);
814 public void _printAAAServers(CommandInterpreter ci) {
815 for (ServerConfig aaaServer : remoteServerConfigList.values()) {
816 ci.println(aaaServer.getAddress() + "-" + aaaServer.getProtocol());
821 public String getHelp() {
822 StringBuffer help = new StringBuffer();
823 return help.toString();
826 void setClusterGlobalService(IClusterGlobalServices s) {
827 logger.debug("Cluster Service Global set");
828 this.clusterGlobalService = s;
831 void unsetClusterGlobalService(IClusterGlobalServices s) {
832 if (this.clusterGlobalService == s) {
833 logger.debug("Cluster Service Global removed!");
834 this.clusterGlobalService = null;
838 public void setConfigurationService(IConfigurationService service) {
839 logger.trace("Got configuration service set request {}", service);
840 this.configurationService = service;
843 public void unsetConfigurationService(IConfigurationService service) {
844 logger.trace("Got configuration service UNset request");
845 this.configurationService = null;
848 void unsetContainerAuthClient(IContainerAuthorization s) {
849 if (this.containerAuthorizationClient == s) {
850 this.containerAuthorizationClient = null;
854 void setContainerAuthClient(IContainerAuthorization s) {
855 this.containerAuthorizationClient = s;
858 void setAppAuthClient(IResourceAuthorization s) {
859 this.applicationAuthorizationClients.add(s);
862 void unsetAppAuthClient(IResourceAuthorization s) {
863 this.applicationAuthorizationClients.remove(s);
867 * Function called by the dependency manager when all the required
868 * dependencies are satisfied
875 * Function called by the dependency manager when at least one dependency
876 * become unsatisfied or when the component is shutting down because for
877 * example bundle is being stopped.
884 * Function called by dependency manager after "init ()" is called and after
885 * the services provided by the class are registered in the service registry
889 authProviders = new ConcurrentHashMap<String, IAAAProvider>();
890 // Instantiate cluster synced variables
894 // Read startup configuration and populate databases
895 loadConfigurations();
897 // Check if a password recovery was triggered for default network admin user
898 String pwd = checkPasswordRecovery();
900 // Make sure default Network Admin account is there
901 checkDefaultNetworkAdmin(pwd);
903 BundleContext bundleContext = FrameworkUtil.getBundle(this.getClass()).getBundleContext();
904 bundleContext.registerService(CommandProvider.class.getName(), this, null);
908 * Function called by the dependency manager before the services exported by
909 * the component are unregistered, this will be followed by a "destroy ()"
917 public List<String> getUserRoles(String userName) {
918 List<String> roles = null;
919 if (userName != null) {
921 * First look in active users then in local configured users,
922 * finally in local authorized users
924 if (activeUsers.containsKey(userName)) {
925 roles = activeUsers.get(userName).getUserRoles();
926 } else if (localUserConfigList.containsKey(userName)) {
927 roles = localUserConfigList.get(userName).getRoles();
928 } else if (authorizationConfList.containsKey(userName)) {
929 roles = authorizationConfList.get(userName).getRoles();
932 return (roles == null) ? new ArrayList<String>(0) : roles;
936 public UserLevel getUserLevel(String username) {
937 // Returns the highest controller user level for the passed user
938 List<String> rolesNames = getUserRoles(username);
940 if (rolesNames.isEmpty()) {
941 return UserLevel.NOUSER;
944 // Check against the well known controller roles first
945 if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) {
946 return UserLevel.SYSTEMADMIN;
948 if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) {
949 return UserLevel.NETWORKADMIN;
951 if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) {
952 return UserLevel.NETWORKOPERATOR;
954 // Check if container user now
955 if (containerAuthorizationClient != null) {
956 for (String roleName : rolesNames) {
957 if (containerAuthorizationClient.isApplicationRole(roleName)) {
958 return UserLevel.CONTAINERUSER;
962 // Finally check if application user
963 if (applicationAuthorizationClients != null) {
964 for (String roleName : rolesNames) {
965 for (IResourceAuthorization client : this.applicationAuthorizationClients) {
966 if (client.isApplicationRole(roleName)) {
967 return UserLevel.APPUSER;
972 return UserLevel.NOUSER;
977 public List<UserLevel> getUserLevels(String username) {
978 // Returns the controller user levels for the passed user
979 List<String> rolesNames = getUserRoles(username);
980 List<UserLevel> levels = new ArrayList<UserLevel>();
982 if (rolesNames.isEmpty()) {
986 // Check against the well known controller roles first
987 if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) {
988 levels.add(UserLevel.SYSTEMADMIN);
990 if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) {
991 levels.add(UserLevel.NETWORKADMIN);
993 if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) {
994 levels.add(UserLevel.NETWORKOPERATOR);
996 // Check if container user now
997 if (containerAuthorizationClient != null) {
998 for (String roleName : rolesNames) {
999 if (containerAuthorizationClient.isApplicationRole(roleName)) {
1000 levels.add(UserLevel.CONTAINERUSER);
1005 // Finally check if application user
1006 if (applicationAuthorizationClients != null) {
1007 for (String roleName : rolesNames) {
1008 for (IResourceAuthorization client : this.applicationAuthorizationClients) {
1009 if (client.isApplicationRole(roleName)) {
1010 levels.add(UserLevel.APPUSER);
1020 public Status saveConfiguration() {
1021 boolean success = true;
1022 Status ret = saveLocalUserList();
1023 if (!ret.isSuccess()) {
1026 ret = saveAAAServerList();
1027 if (!ret.isSuccess()) {
1030 ret = saveAuthorizationList();
1031 if (!ret.isSuccess()) {
1036 return new Status(StatusCode.SUCCESS);
1039 return new Status(StatusCode.INTERNALERROR, "Failed to save user configurations");
1043 public UserDetails loadUserByUsername(String username)
1044 throws UsernameNotFoundException {
1045 AuthenticatedUser user = activeUsers.get(username);
1048 boolean enabled = true;
1049 boolean accountNonExpired = true;
1050 boolean credentialsNonExpired = true;
1051 boolean accountNonLocked = true;
1053 return new User(username, localUserConfigList.get(username)
1054 .getPassword(), enabled, accountNonExpired,
1055 credentialsNonExpired, accountNonLocked,
1056 user.getGrantedAuthorities(getUserLevel(username)));
1058 throw new UsernameNotFoundException("User not found " + username);
1063 public boolean supports(Class<?> authentication) {
1064 return UsernamePasswordAuthenticationToken.class
1065 .isAssignableFrom(authentication);
1070 public SecurityContextRepository getSecurityContextRepo() {
1071 return securityContextRepo;
1074 public void setSecurityContextRepo(
1075 SecurityContextRepository securityContextRepo) {
1076 this.securityContextRepo = securityContextRepo;
1080 public Authentication authenticate(Authentication authentication)
1081 throws AuthenticationException {
1083 if (StringUtils.isBlank((String) authentication.getCredentials())
1084 || StringUtils.isBlank((String) authentication.getPrincipal())) {
1085 throw new BadCredentialsException(
1086 "Username or credentials did not match");
1089 AuthResultEnum result = authenticate(
1090 (String) authentication.getPrincipal(),
1091 (String) authentication.getCredentials());
1092 if (result.equals(AuthResultEnum.AUTHOR_PASS)
1093 || result.equals(AuthResultEnum.AUTH_ACCEPT_LOC)
1094 || result.equals(AuthResultEnum.AUTH_ACCEPT)) {
1096 AuthenticatedUser user = activeUsers.get(authentication
1097 .getPrincipal().toString());
1100 throw new AuthenticationServiceException(
1101 "Authentication Failure");
1104 authentication = new UsernamePasswordAuthenticationToken(
1105 authentication.getPrincipal(),
1106 authentication.getCredentials(),
1107 user.getGrantedAuthorities(getUserLevel(authentication
1109 return authentication;
1112 throw new BadCredentialsException(
1113 "Username or credentials did not match");
1118 // Following are setters for use in unit testing
1119 void setLocalUserConfigList(ConcurrentMap<String, UserConfig> ucl) {
1121 this.localUserConfigList = ucl;
1125 void setRemoteServerConfigList(ConcurrentMap<String, ServerConfig> scl) {
1127 this.remoteServerConfigList = scl;
1131 void setAuthorizationConfList(ConcurrentMap<String, AuthorizationConfig> acl) {
1133 this.authorizationConfList = acl;
1137 void setActiveUsers(ConcurrentMap<String, AuthenticatedUser> au) {
1139 this.activeUsers = au;
1143 void setAuthProviders(ConcurrentMap<String, IAAAProvider> ap) {
1145 this.authProviders = ap;
1150 public ISessionManager getSessionManager() {
1151 return this.sessionMgr;
1154 public void setSessionMgr(ISessionManager sessionMgr) {
1155 this.sessionMgr = sessionMgr;
1159 public String getPassword(String username) {
1160 return localUserConfigList.get(username).getPassword();
1164 public boolean isRoleInUse(String role) {
1165 if (role == null || role.isEmpty()) {
1168 // Check against controller roles
1169 if (role.equals(UserLevel.SYSTEMADMIN.toString())
1170 || role.equals(UserLevel.NETWORKADMIN.toString())
1171 || role.equals(UserLevel.NETWORKOPERATOR.toString())) {
1174 // Check if container roles
1175 if (containerAuthorizationClient != null) {
1176 if (containerAuthorizationClient.isApplicationRole(role)) {
1180 // Finally if application role
1181 if (applicationAuthorizationClients != null) {
1182 for (IResourceAuthorization client : this.applicationAuthorizationClients) {
1183 if (client.isApplicationRole(role)) {