UI support for multiple host per port
[controller.git] / opendaylight / usermanager / implementation / src / main / java / org / opendaylight / controller / usermanager / internal / UserManager.java
1 /*
2  * Copyright (c) 2013 Cisco Systems, Inc. and others.  All rights reserved.
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6  * and is available at http://www.eclipse.org/legal/epl-v10.html
7  */
8
9 package org.opendaylight.controller.usermanager.internal;
10
11 import java.io.FileNotFoundException;
12 import java.io.IOException;
13 import java.io.ObjectInputStream;
14 import java.util.ArrayList;
15 import java.util.Collections;
16 import java.util.EnumSet;
17 import java.util.HashMap;
18 import java.util.HashSet;
19 import java.util.List;
20 import java.util.Map;
21 import java.util.Set;
22 import java.util.concurrent.ConcurrentHashMap;
23 import java.util.concurrent.ConcurrentMap;
24
25 import org.apache.commons.lang3.StringUtils;
26 import org.eclipse.osgi.framework.console.CommandInterpreter;
27 import org.eclipse.osgi.framework.console.CommandProvider;
28 import org.opendaylight.controller.clustering.services.CacheConfigException;
29 import org.opendaylight.controller.clustering.services.CacheExistException;
30 import org.opendaylight.controller.clustering.services.IClusterGlobalServices;
31 import org.opendaylight.controller.clustering.services.IClusterServices;
32 import org.opendaylight.controller.configuration.IConfigurationAware;
33 import org.opendaylight.controller.containermanager.IContainerAuthorization;
34 import org.opendaylight.controller.sal.authorization.AuthResultEnum;
35 import org.opendaylight.controller.sal.authorization.IResourceAuthorization;
36 import org.opendaylight.controller.sal.authorization.UserLevel;
37 import org.opendaylight.controller.sal.utils.StatusCode;
38 import org.opendaylight.controller.sal.utils.GlobalConstants;
39 import org.opendaylight.controller.sal.utils.IObjectReader;
40 import org.opendaylight.controller.sal.utils.ObjectReader;
41 import org.opendaylight.controller.sal.utils.ObjectWriter;
42 import org.opendaylight.controller.sal.utils.Status;
43 import org.opendaylight.controller.usermanager.AuthResponse;
44 import org.opendaylight.controller.usermanager.AuthenticatedUser;
45 import org.opendaylight.controller.usermanager.AuthorizationConfig;
46 import org.opendaylight.controller.usermanager.IAAAProvider;
47 import org.opendaylight.controller.usermanager.ISessionManager;
48 import org.opendaylight.controller.usermanager.IUserManager;
49 import org.opendaylight.controller.usermanager.ServerConfig;
50 import org.opendaylight.controller.usermanager.UserConfig;
51 import org.opendaylight.controller.usermanager.security.SessionManager;
52 import org.opendaylight.controller.usermanager.security.UserSecurityContextRepository;
53
54 import org.osgi.framework.BundleContext;
55 import org.osgi.framework.FrameworkUtil;
56 import org.slf4j.Logger;
57 import org.slf4j.LoggerFactory;
58 import org.springframework.security.authentication.AuthenticationProvider;
59 import org.springframework.security.authentication.AuthenticationServiceException;
60 import org.springframework.security.authentication.BadCredentialsException;
61 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
62 import org.springframework.security.core.Authentication;
63 import org.springframework.security.core.AuthenticationException;
64 import org.springframework.security.core.userdetails.User;
65 import org.springframework.security.core.userdetails.UserDetails;
66 import org.springframework.security.core.userdetails.UsernameNotFoundException;
67 import org.springframework.security.web.context.SecurityContextRepository;
68
69 /**
70  * The internal implementation of the User Manager.
71  */
72 public class UserManager implements IUserManager, IObjectReader,
73         IConfigurationAware, CommandProvider, AuthenticationProvider {
74     private static final Logger logger = LoggerFactory.getLogger(UserManager.class);
75     private static final String defaultAdmin = "admin";
76     private static final String defaultAdminPassword = "admin";
77     private static final String defaultAdminRole = UserLevel.NETWORKADMIN.toString();
78     private static final String ROOT = GlobalConstants.STARTUPHOME.toString();
79     private static final String usersFileName = ROOT + "users.conf";
80     private static final String serversFileName = ROOT + "servers.conf";
81     private static final String authFileName = ROOT + "authorization.conf";
82     private ConcurrentMap<String, UserConfig> localUserConfigList;
83     private ConcurrentMap<String, ServerConfig> remoteServerConfigList;
84     // local authorization info for remotely authenticated users
85     private ConcurrentMap<String, AuthorizationConfig> authorizationConfList;
86     private ConcurrentMap<String, AuthenticatedUser> activeUsers;
87     private ConcurrentMap<String, IAAAProvider> authProviders;
88     private IClusterGlobalServices clusterGlobalService = null;
89     private SecurityContextRepository securityContextRepo = new UserSecurityContextRepository();
90     private IContainerAuthorization containerAuthorizationClient;
91     private Set<IResourceAuthorization> applicationAuthorizationClients;
92     private ISessionManager sessionMgr = new SessionManager();
93
94     public boolean addAAAProvider(IAAAProvider provider) {
95         if (provider == null || provider.getName() == null
96                 || provider.getName().trim().isEmpty()) {
97             return false;
98         }
99         if (authProviders.get(provider.getName()) != null) {
100             return false;
101         }
102
103         authProviders.put(provider.getName(), provider);
104         return true;
105     }
106
107     public void removeAAAProvider(IAAAProvider provider) {
108         authProviders.remove(provider.getName());
109     }
110
111     public IAAAProvider getAAAProvider(String name) {
112         return authProviders.get(name);
113     }
114
115     @Override
116     public Set<String> getAAAProviderNames() {
117         return authProviders.keySet();
118     }
119
120     private void allocateCaches() {
121         this.applicationAuthorizationClients = Collections.synchronizedSet(new HashSet<IResourceAuthorization>());
122         if (clusterGlobalService == null) {
123             logger.error("un-initialized clusterGlobalService, can't create cache");
124             return;
125         }
126
127         try {
128             clusterGlobalService.createCache("usermanager.localUserConfigList",
129                     EnumSet.of(IClusterServices.cacheMode.TRANSACTIONAL));
130
131             clusterGlobalService.createCache(
132                     "usermanager.remoteServerConfigList",
133                     EnumSet.of(IClusterServices.cacheMode.TRANSACTIONAL));
134
135             clusterGlobalService.createCache(
136                     "usermanager.authorizationConfList",
137                     EnumSet.of(IClusterServices.cacheMode.TRANSACTIONAL));
138
139             clusterGlobalService.createCache("usermanager.activeUsers",
140                     EnumSet.of(IClusterServices.cacheMode.TRANSACTIONAL));
141         } catch (CacheConfigException cce) {
142             logger.error("Cache configuration invalid - check cache mode");
143         } catch (CacheExistException ce) {
144             logger.debug("Skipping cache creation as already present");
145         }
146     }
147
148     @SuppressWarnings({ "unchecked" })
149     private void retrieveCaches() {
150         if (clusterGlobalService == null) {
151             logger.error("un-initialized clusterService, can't retrieve cache");
152             return;
153         }
154
155         activeUsers = (ConcurrentMap<String, AuthenticatedUser>) clusterGlobalService
156                 .getCache("usermanager.activeUsers");
157         if (activeUsers == null) {
158             logger.error("Failed to get cache for activeUsers");
159         }
160
161         localUserConfigList = (ConcurrentMap<String, UserConfig>) clusterGlobalService
162                 .getCache("usermanager.localUserConfigList");
163         if (localUserConfigList == null) {
164             logger.error("Failed to get cache for localUserConfigList");
165         }
166
167         remoteServerConfigList = (ConcurrentMap<String, ServerConfig>) clusterGlobalService
168                 .getCache("usermanager.remoteServerConfigList");
169         if (remoteServerConfigList == null) {
170             logger.error("Failed to get cache for remoteServerConfigList");
171         }
172
173         authorizationConfList = (ConcurrentMap<String, AuthorizationConfig>) clusterGlobalService
174                 .getCache("usermanager.authorizationConfList");
175         if (authorizationConfList == null) {
176             logger.error("Failed to get cache for authorizationConfList");
177         }
178     }
179
180     private void loadConfigurations() {
181         // To encode and decode user and server configuration objects
182         loadSecurityKeys();
183
184         /*
185          * Do not load local startup file if we already got the configurations
186          * synced from another cluster node
187          */
188         if (localUserConfigList.isEmpty()) {
189             loadUserConfig();
190         }
191         if (remoteServerConfigList.isEmpty()) {
192             loadServerConfig();
193         }
194         if (authorizationConfList.isEmpty()) {
195             loadAuthConfig();
196         }
197     }
198
199     private void loadSecurityKeys() {
200
201     }
202
203     private void checkDefaultNetworkAdmin() {
204         // If startup config is not there, it's old or it was deleted,
205         // need to add Default Network Admin User
206         if (!localUserConfigList.containsKey(defaultAdmin)) {
207             List<String> roles = new ArrayList<String>(1);
208             roles.add(defaultAdminRole);
209             localUserConfigList.put(defaultAdmin, new UserConfig(defaultAdmin, defaultAdminPassword, roles));
210         }
211     }
212
213     @Override
214     public AuthResultEnum authenticate(String userName, String password) {
215         IAAAProvider aaaClient;
216         AuthResponse rcResponse = null;
217         AuthenticatedUser result;
218         boolean remotelyAuthenticated = false;
219         boolean authorizationInfoIsPresent = false;
220         boolean authorized = false;
221
222         /*
223          * Attempt remote authentication first if server is configured
224          */
225         for (ServerConfig aaaServer : remoteServerConfigList.values()) {
226             String protocol = aaaServer.getProtocol();
227             aaaClient = this.getAAAProvider(protocol);
228             if (aaaClient != null) {
229                 rcResponse = aaaClient.authService(userName, password,
230                         aaaServer.getAddress(), aaaServer.getSecret());
231                 if (rcResponse.getStatus() == AuthResultEnum.AUTH_ACCEPT) {
232                     logger.info(
233                             "Remote Authentication Succeeded for User: \"{}\", by Server: {}",
234                             userName, aaaServer.getAddress());
235                     remotelyAuthenticated = true;
236                     break;
237                 } else if (rcResponse.getStatus() == AuthResultEnum.AUTH_REJECT) {
238                     logger.info(
239                             "Remote Authentication Rejected User: \"{}\", from Server: {}, Reason:{}",
240                             new Object[] { userName, aaaServer.getAddress(),
241                                     rcResponse.getStatus().toString() });
242                 } else {
243                     logger.info(
244                             "Remote Authentication Failed for User: \"{}\", from Server: {}, Reason:{}",
245                             new Object[] { userName, aaaServer.getAddress(),
246                                     rcResponse.getStatus().toString() });
247                 }
248             }
249         }
250
251         if (!remotelyAuthenticated) {
252             UserConfig localUser = this.localUserConfigList.get(userName);
253             if (localUser == null) {
254                 logger.info(
255                         "Local Authentication Failed for User:\"{}\", Reason: "
256                                 + "user not found in Local Database", userName);
257                 return (AuthResultEnum.AUTH_INVALID_LOC_USER);
258             }
259             rcResponse = localUser.authenticate(password);
260             if (rcResponse.getStatus() != AuthResultEnum.AUTH_ACCEPT_LOC) {
261                 logger.info(
262                         "Local Authentication Failed for User: \"{}\", Reason: {}",
263                         userName, rcResponse.getStatus().toString());
264
265                 return (rcResponse.getStatus());
266             }
267             logger.info("Local Authentication Succeeded for User: \"{}\"",
268                     userName);
269         }
270
271         /*
272          * Authentication succeeded
273          */
274         result = new AuthenticatedUser(userName);
275
276         /*
277          * Extract attributes from response All the information we are
278          * interested in is in the first Cisco VSA (vendor specific attribute).
279          * Just process the first VSA and return
280          */
281         String attributes = (rcResponse.getData() != null && !rcResponse
282                 .getData().isEmpty()) ? rcResponse.getData().get(0) : null;
283
284         /*
285          * Check if the authorization information is present
286          */
287         authorizationInfoIsPresent = checkAuthorizationInfo(attributes);
288
289         /*
290          * The AAA server was only used to perform the authentication Look for
291          * locally stored authorization info for this user If found, add the
292          * data to the rcResponse
293          */
294         if (remotelyAuthenticated && !authorizationInfoIsPresent) {
295             logger.info(
296                     "No Remote Authorization Info provided by Server for User: \"{}\"",
297                     userName);
298             logger.info(
299                     "Looking for Local Authorization Info for User: \"{}\"",
300                     userName);
301
302             AuthorizationConfig resource = authorizationConfList.get(userName);
303             if (resource != null) {
304                 logger.info("Found Local Authorization Info for User: \"{}\"",
305                         userName);
306                 attributes = resource.getRolesString();
307
308             }
309             authorizationInfoIsPresent = checkAuthorizationInfo(attributes);
310         }
311
312         /*
313          * Common response parsing for local & remote authenticated user Looking
314          * for authorized resources, detecting attributes' validity
315          */
316         if (authorizationInfoIsPresent) {
317             // Identifying the administrative role
318             result.setRoleList(attributes.split(" "));
319             authorized = true;
320         } else {
321             logger.info("Not able to find Authorization Info for User: \"{}\"",
322                     userName);
323         }
324
325         /*
326          * Add profile for authenticated user
327          */
328         putUserInActiveList(userName, result);
329         if (authorized) {
330             logger.info("User \"{}\" authorized for the following role(s): {}",
331                     userName, result.getUserRoles());
332         } else {
333             logger.info("User \"{}\" Not Authorized for any role ", userName);
334         }
335
336         return rcResponse.getStatus();
337     }
338
339     // Check in the attributes string whether or not authorization information
340     // is present
341     private boolean checkAuthorizationInfo(String attributes) {
342         return (attributes != null && !attributes.isEmpty());
343     }
344
345     private void putUserInActiveList(String user, AuthenticatedUser result) {
346         activeUsers.put(user, result);
347     }
348
349     private void removeUserFromActiveList(String user) {
350         if (!activeUsers.containsKey(user)) {
351             // as cookie persists in cache, we can get logout for unexisting
352             // active users
353             return;
354         }
355         activeUsers.remove(user);
356     }
357
358     @Override
359     public Status saveLocalUserList() {
360         return saveLocalUserListInternal();
361     }
362
363     private Status saveLocalUserListInternal() {
364         ObjectWriter objWriter = new ObjectWriter();
365         return objWriter.write(new ConcurrentHashMap<String, UserConfig>(
366                 localUserConfigList), usersFileName);
367     }
368
369     @Override
370     public Status saveAAAServerList() {
371         return saveAAAServerListInternal();
372     }
373
374     private Status saveAAAServerListInternal() {
375         ObjectWriter objWriter = new ObjectWriter();
376         return objWriter.write(new ConcurrentHashMap<String, ServerConfig>(
377                 remoteServerConfigList), serversFileName);
378     }
379
380     @Override
381     public Status saveAuthorizationList() {
382         return saveAuthorizationListInternal();
383     }
384
385     private Status saveAuthorizationListInternal() {
386         ObjectWriter objWriter = new ObjectWriter();
387         return objWriter.write(
388                 new ConcurrentHashMap<String, AuthorizationConfig>(
389                         authorizationConfList), authFileName);
390     }
391
392     @Override
393     public Object readObject(ObjectInputStream ois)
394             throws FileNotFoundException, IOException, ClassNotFoundException {
395         // Perform the class deserialization locally, from inside the package
396         // where the class is defined
397         return ois.readObject();
398     }
399
400     @SuppressWarnings("unchecked")
401     private void loadUserConfig() {
402         ObjectReader objReader = new ObjectReader();
403         ConcurrentMap<String, UserConfig> confList = (ConcurrentMap<String, UserConfig>) objReader
404                 .read(this, usersFileName);
405
406         if (confList == null) {
407             return;
408         }
409
410         for (UserConfig conf : confList.values()) {
411             addRemoveLocalUserInternal(conf, false);
412         }
413     }
414
415     @SuppressWarnings("unchecked")
416     private void loadServerConfig() {
417         ObjectReader objReader = new ObjectReader();
418         ConcurrentMap<String, ServerConfig> confList = (ConcurrentMap<String, ServerConfig>) objReader
419                 .read(this, serversFileName);
420
421         if (confList == null) {
422             return;
423         }
424
425         for (ServerConfig conf : confList.values()) {
426             addAAAServer(conf);
427         }
428     }
429
430     @SuppressWarnings("unchecked")
431     private void loadAuthConfig() {
432         ObjectReader objReader = new ObjectReader();
433         ConcurrentMap<String, AuthorizationConfig> confList = (ConcurrentMap<String, AuthorizationConfig>) objReader
434                 .read(this, authFileName);
435
436         if (confList == null) {
437             return;
438         }
439
440         for (AuthorizationConfig conf : confList.values()) {
441             addAuthInfo(conf);
442         }
443     }
444
445     /*
446      * Interaction with GUI START
447      */
448     private Status addRemoveLocalUser(UserConfig AAAconf, boolean delete) {
449         // UserConfig Validation check
450         Status validCheck = AAAconf.validate();
451         if (!validCheck.isSuccess()) {
452             return validCheck;
453         }
454
455         String user = AAAconf.getUser();
456
457         // Check default admin user
458         if (user.equals(UserManager.defaultAdmin)) {
459             String msg = "Invalid Request: Default Network Admin  User cannot be " + ((delete)? "removed" : "added");
460             logger.debug(msg);
461             return new Status(StatusCode.NOTALLOWED, msg);
462         }
463
464         // Check user presence/conflict
465         StatusCode statusCode = null;
466         String reason = null;
467         if (delete && !localUserConfigList.containsKey(user)) {
468             reason = "not found";
469             statusCode = StatusCode.NOTFOUND;
470         } else if (!delete && localUserConfigList.containsKey(user)) {
471             reason = "already present";
472             statusCode = StatusCode.CONFLICT;
473         }
474         if (statusCode != null) {
475             String msg = String.format("User %s %s in configuration database", user, reason);
476             logger.debug(msg);
477             return new Status(statusCode, msg);
478         }
479
480         return addRemoveLocalUserInternal(AAAconf, delete);
481     }
482
483     private Status addRemoveLocalUserInternal(UserConfig AAAconf, boolean delete) {
484         // Update Config database
485         if (delete) {
486             localUserConfigList.remove(AAAconf.getUser());
487             /*
488              * A user account has been removed form local database, we assume
489              * admin does not want this user to stay connected, in case he has
490              * an open session. So we clean the active list as well.
491              */
492             removeUserFromActiveList(AAAconf.getUser());
493         } else {
494             localUserConfigList.put(AAAconf.getUser(), AAAconf);
495         }
496
497         return new Status(StatusCode.SUCCESS);
498     }
499
500     private Status addRemoveAAAServer(ServerConfig AAAconf, boolean delete) {
501         // Validation check
502         if (!AAAconf.isValid()) {
503             String msg = "Invalid Server configuration";
504             logger.warn(msg);
505             return new Status(StatusCode.BADREQUEST, msg);
506         }
507
508         // Update configuration database
509         if (delete) {
510             remoteServerConfigList.remove(AAAconf.getAddress());
511         } else {
512             remoteServerConfigList.put(AAAconf.getAddress(), AAAconf);
513         }
514
515         return new Status(StatusCode.SUCCESS);
516     }
517
518     private Status addRemoveAuthInfo(AuthorizationConfig AAAconf, boolean delete) {
519         Status configCheck = AAAconf.validate();
520         if (!configCheck.isSuccess()) {
521             String msg = "Invalid Authorization configuration: "
522                     + configCheck.getDescription();
523             logger.warn(msg);
524             return new Status(StatusCode.BADREQUEST, msg);
525         }
526
527         // Update configuration database
528         if (delete) {
529             authorizationConfList.remove(AAAconf.getUser());
530         } else {
531             authorizationConfList.put(AAAconf.getUser(), AAAconf);
532         }
533
534         return new Status(StatusCode.SUCCESS);
535     }
536
537     @Override
538     public Status addLocalUser(UserConfig AAAconf) {
539         return addRemoveLocalUser(AAAconf, false);
540     }
541
542     @Override
543     public Status removeLocalUser(UserConfig AAAconf) {
544         return addRemoveLocalUser(AAAconf, true);
545     }
546
547     @Override
548     public Status removeLocalUser(String userName) {
549         if (userName == null || userName.trim().isEmpty()) {
550             return new Status(StatusCode.BADREQUEST, "Invalid user name");
551         }
552
553         if (!localUserConfigList.containsKey(userName)) {
554             return new Status(StatusCode.NOTFOUND, "User does not exist");
555         }
556
557         return addRemoveLocalUser(localUserConfigList.get(userName), true);
558     }
559
560     @Override
561     public Status addAAAServer(ServerConfig AAAconf) {
562         return addRemoveAAAServer(AAAconf, false);
563     }
564
565     @Override
566     public Status removeAAAServer(ServerConfig AAAconf) {
567         return addRemoveAAAServer(AAAconf, true);
568     }
569
570     @Override
571     public Status addAuthInfo(AuthorizationConfig AAAconf) {
572         return addRemoveAuthInfo(AAAconf, false);
573     }
574
575     @Override
576     public Status removeAuthInfo(AuthorizationConfig AAAconf) {
577         return addRemoveAuthInfo(AAAconf, true);
578     }
579
580     @Override
581     public List<UserConfig> getLocalUserList() {
582         return new ArrayList<UserConfig>(localUserConfigList.values());
583     }
584
585     @Override
586     public List<ServerConfig> getAAAServerList() {
587         return new ArrayList<ServerConfig>(remoteServerConfigList.values());
588     }
589
590     @Override
591     public List<AuthorizationConfig> getAuthorizationList() {
592         return new ArrayList<AuthorizationConfig>(
593                 authorizationConfList.values());
594     }
595
596     @Override
597     public Status changeLocalUserPassword(String user, String curPassword, String newPassword) {
598         UserConfig targetConfigEntry = null;
599
600         // update configuration entry
601         targetConfigEntry = localUserConfigList.get(user);
602         if (targetConfigEntry == null) {
603             return new Status(StatusCode.NOTFOUND, "User not found");
604         }
605         Status status = targetConfigEntry.update(curPassword, newPassword, null);
606         if (!status.isSuccess()) {
607             return status;
608         }
609         // Trigger cluster update
610         localUserConfigList.put(user, targetConfigEntry);
611
612         logger.info("Password changed for User \"{}\"", user);
613
614         return status;
615     }
616
617     @Override
618     public void userLogout(String userName) {
619         // TODO: if user was authenticated through AAA server, send
620         // Acct-Status-Type=stop message to server with logout as reason
621         removeUserFromActiveList(userName);
622         logger.info("User \"{}\" logged out", userName);
623     }
624
625     /*
626      * This function will get called by http session mgr when session times out
627      */
628     @Override
629     public void userTimedOut(String userName) {
630         // TODO: if user was authenticated through AAA server, send
631         // Acct-Status-Type=stop message to server with timeout as reason
632         removeUserFromActiveList(userName);
633         logger.info("User \"{}\" timed out", userName);
634     }
635
636     @Override
637     public String getAccessDate(String user) {
638         return this.activeUsers.get(user).getAccessDate();
639     }
640
641     @Override
642     public synchronized Map<String, List<String>> getUserLoggedIn() {
643         Map<String, List<String>> loggedInList = new HashMap<String, List<String>>();
644         for (Map.Entry<String, AuthenticatedUser> user : activeUsers.entrySet()) {
645             String userNameShow = user.getKey();
646             loggedInList.put(userNameShow, user.getValue().getUserRoles());
647         }
648         return loggedInList;
649     }
650
651     public void _umAddUser(CommandInterpreter ci) {
652         String userName = ci.nextArgument();
653         String password = ci.nextArgument();
654         String role = ci.nextArgument();
655
656         List<String> roles = new ArrayList<String>();
657         while (role != null) {
658             if (!role.trim().isEmpty()) {
659                 roles.add(role);
660             }
661             role = ci.nextArgument();
662         }
663
664         if (userName == null || userName.trim().isEmpty() || password == null || password.trim().isEmpty()
665                 || roles.isEmpty()) {
666             ci.println("Invalid Arguments");
667             ci.println("umAddUser <user_name> <password> <user_role>");
668             return;
669         }
670         ci.print(this.addLocalUser(new UserConfig(userName, password, roles)));
671     }
672
673     public void _umRemUser(CommandInterpreter ci) {
674         String userName = ci.nextArgument();
675
676         if (userName == null || userName.trim().isEmpty()) {
677             ci.println("Invalid Arguments");
678             ci.println("umRemUser <user_name>");
679             return;
680         }
681         UserConfig target = localUserConfigList.get(userName);
682         if (target == null) {
683             ci.println("User not found");
684             return;
685         }
686         ci.println(this.removeLocalUser(target));
687     }
688
689     public void _umGetUsers(CommandInterpreter ci) {
690         for (UserConfig conf : this.getLocalUserList()) {
691             ci.println(conf.getUser() + " " + conf.getRoles());
692         }
693     }
694
695     public void _addAAAServer(CommandInterpreter ci) {
696         String server = ci.nextArgument();
697         String secret = ci.nextArgument();
698         String protocol = ci.nextArgument();
699
700         if (server == null || secret == null || protocol == null) {
701             ci.println("Usage : addAAAServer <server> <secret> <protocol>");
702             return;
703         }
704         ServerConfig s = new ServerConfig(server, secret, protocol);
705         addAAAServer(s);
706     }
707
708     public void _removeAAAServer(CommandInterpreter ci) {
709         String server = ci.nextArgument();
710         String secret = ci.nextArgument();
711         String protocol = ci.nextArgument();
712
713         if (server == null || secret == null || protocol == null) {
714             ci.println("Usage : addAAAServer <server> <secret> <protocol>");
715             return;
716         }
717         ServerConfig s = new ServerConfig(server, secret, protocol);
718         removeAAAServer(s);
719     }
720
721     public void _printAAAServers(CommandInterpreter ci) {
722         for (ServerConfig aaaServer : remoteServerConfigList.values()) {
723             ci.println(aaaServer.getAddress() + "-" + aaaServer.getProtocol());
724         }
725     }
726
727     @Override
728     public String getHelp() {
729         StringBuffer help = new StringBuffer();
730         return help.toString();
731     }
732
733     void setClusterGlobalService(IClusterGlobalServices s) {
734         logger.debug("Cluster Service Global set");
735         this.clusterGlobalService = s;
736     }
737
738     void unsetClusterGlobalService(IClusterGlobalServices s) {
739         if (this.clusterGlobalService == s) {
740             logger.debug("Cluster Service Global removed!");
741             this.clusterGlobalService = null;
742         }
743     }
744
745     void unsetContainerAuthClient(IContainerAuthorization s) {
746         if (this.containerAuthorizationClient == s) {
747             this.containerAuthorizationClient = null;
748         }
749     }
750
751     void setContainerAuthClient(IContainerAuthorization s) {
752         this.containerAuthorizationClient = s;
753     }
754
755     void setAppAuthClient(IResourceAuthorization s) {
756         this.applicationAuthorizationClients.add(s);
757     }
758
759     void unsetAppAuthClient(IResourceAuthorization s) {
760         this.applicationAuthorizationClients.remove(s);
761     }
762
763     /**
764      * Function called by the dependency manager when all the required
765      * dependencies are satisfied
766      *
767      */
768     void init() {
769     }
770
771     /**
772      * Function called by the dependency manager when at least one dependency
773      * become unsatisfied or when the component is shutting down because for
774      * example bundle is being stopped.
775      *
776      */
777     void destroy() {
778     }
779
780     /**
781      * Function called by dependency manager after "init ()" is called and after
782      * the services provided by the class are registered in the service registry
783      *
784      */
785     void start() {
786         authProviders = new ConcurrentHashMap<String, IAAAProvider>();
787         // Instantiate cluster synced variables
788         allocateCaches();
789         retrieveCaches();
790
791         // Read startup configuration and populate databases
792         loadConfigurations();
793
794         // Make sure default Network Admin account is there
795         checkDefaultNetworkAdmin();
796         BundleContext bundleContext = FrameworkUtil.getBundle(this.getClass())
797                 .getBundleContext();
798         bundleContext.registerService(CommandProvider.class.getName(), this,
799                 null);
800     }
801
802     /**
803      * Function called by the dependency manager before the services exported by
804      * the component are unregistered, this will be followed by a "destroy ()"
805      * calls
806      *
807      */
808     void stop() {
809     }
810
811     @Override
812     public List<String> getUserRoles(String userName) {
813         List<String> roles = null;
814         if (userName != null) {
815             /*
816              * First look in active users then in local configured users,
817              * finally in local authorized users
818              */
819             if (activeUsers.containsKey(userName)) {
820                 roles = activeUsers.get(userName).getUserRoles();
821             } else if (localUserConfigList.containsKey(userName)) {
822                 roles = localUserConfigList.get(userName).getRoles();
823             } else if (authorizationConfList.containsKey(userName)) {
824                 roles = authorizationConfList.get(userName).getRoles();
825             }
826         }
827         return (roles == null) ? new ArrayList<String>(0) : roles;
828     }
829
830     @Override
831     public UserLevel getUserLevel(String username) {
832         // Returns the highest controller user level for the passed user
833         List<String> rolesNames = getUserRoles(username);
834
835         if (rolesNames.isEmpty()) {
836             return UserLevel.NOUSER;
837         }
838
839         // Check against the well known controller roles first
840         if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) {
841             return UserLevel.SYSTEMADMIN;
842         }
843         if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) {
844             return UserLevel.NETWORKADMIN;
845         }
846         if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) {
847             return UserLevel.NETWORKOPERATOR;
848         }
849         // Check if container user now
850         if (containerAuthorizationClient != null) {
851             for (String roleName : rolesNames) {
852                 if (containerAuthorizationClient.isApplicationRole(roleName)) {
853                     return UserLevel.CONTAINERUSER;
854                 }
855             }
856         }
857         // Finally check if application user
858         if (applicationAuthorizationClients != null) {
859             for (String roleName : rolesNames) {
860                 for (IResourceAuthorization client : this.applicationAuthorizationClients) {
861                     if (client.isApplicationRole(roleName)) {
862                         return UserLevel.APPUSER;
863                     }
864                 }
865             }
866         }
867         return UserLevel.NOUSER;
868     }
869
870
871     @Override
872     public List<UserLevel> getUserLevels(String username) {
873         // Returns the controller user levels for the passed user
874         List<String> rolesNames =  getUserRoles(username);
875         List<UserLevel> levels = new ArrayList<UserLevel>();
876
877         if (rolesNames.isEmpty()) {
878             return levels;
879         }
880
881         // Check against the well known controller roles first
882         if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) {
883             levels.add(UserLevel.SYSTEMADMIN);
884         }
885         if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) {
886             levels.add(UserLevel.NETWORKADMIN);
887         }
888         if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) {
889             levels.add(UserLevel.NETWORKOPERATOR);
890         }
891         // Check if container user now
892         if (containerAuthorizationClient != null) {
893             for (String roleName : rolesNames) {
894                 if (containerAuthorizationClient.isApplicationRole(roleName)) {
895                     levels.add(UserLevel.CONTAINERUSER);
896                     break;
897                 }
898             }
899         }
900         // Finally check if application user
901         if (applicationAuthorizationClients != null) {
902             for (String roleName : rolesNames) {
903                 for (IResourceAuthorization client : this.applicationAuthorizationClients) {
904                     if (client.isApplicationRole(roleName)) {
905                         levels.add(UserLevel.APPUSER);
906                         break;
907                     }
908                 }
909             }
910         }
911         return levels;
912     }
913
914     @Override
915     public Status saveConfiguration() {
916         boolean success = true;
917         Status ret = saveLocalUserList();
918         if (!ret.isSuccess()) {
919             success = false;
920         }
921         ret = saveAAAServerList();
922         if (!ret.isSuccess()) {
923             success = false;
924         }
925         ret = saveAuthorizationList();
926         if (!ret.isSuccess()) {
927             success = false;
928         }
929
930         if (success) {
931             return new Status(StatusCode.SUCCESS);
932         }
933
934         return new Status(StatusCode.INTERNALERROR, "Failed to save user configurations");
935     }
936
937     @Override
938     public UserDetails loadUserByUsername(String username)
939             throws UsernameNotFoundException {
940         AuthenticatedUser user = activeUsers.get(username);
941
942         if (user != null) {
943             boolean enabled = true;
944             boolean accountNonExpired = true;
945             boolean credentialsNonExpired = true;
946             boolean accountNonLocked = true;
947
948             return new User(username, localUserConfigList.get(username)
949                     .getPassword(), enabled, accountNonExpired,
950                     credentialsNonExpired, accountNonLocked,
951                     user.getGrantedAuthorities(getUserLevel(username)));
952         } else {
953             throw new UsernameNotFoundException("User not found " + username);
954         }
955     }
956
957     @Override
958     public boolean supports(Class<?> authentication) {
959         return UsernamePasswordAuthenticationToken.class
960                 .isAssignableFrom(authentication);
961
962     }
963
964     @Override
965     public SecurityContextRepository getSecurityContextRepo() {
966         return securityContextRepo;
967     }
968
969     public void setSecurityContextRepo(
970             SecurityContextRepository securityContextRepo) {
971         this.securityContextRepo = securityContextRepo;
972     }
973
974     @Override
975     public Authentication authenticate(Authentication authentication)
976             throws AuthenticationException {
977
978         if (StringUtils.isBlank((String) authentication.getCredentials())
979                 || StringUtils.isBlank((String) authentication.getPrincipal())) {
980             throw new BadCredentialsException(
981                     "Username or credentials did not match");
982         }
983
984         AuthResultEnum result = authenticate(
985                 (String) authentication.getPrincipal(),
986                 (String) authentication.getCredentials());
987         if (result.equals(AuthResultEnum.AUTHOR_PASS)
988                 || result.equals(AuthResultEnum.AUTH_ACCEPT_LOC)
989                 || result.equals(AuthResultEnum.AUTH_ACCEPT)) {
990
991             AuthenticatedUser user = activeUsers.get(authentication
992                     .getPrincipal().toString());
993
994             if (user == null) {
995                 throw new AuthenticationServiceException(
996                         "Authentication Failure");
997             }
998
999             authentication = new UsernamePasswordAuthenticationToken(
1000                     authentication.getPrincipal(),
1001                     authentication.getCredentials(),
1002                     user.getGrantedAuthorities(getUserLevel(authentication
1003                             .getName())));
1004             return authentication;
1005
1006         } else {
1007             throw new BadCredentialsException(
1008                     "Username or credentials did not match");
1009         }
1010
1011     }
1012
1013     // Following are setters for use in unit testing
1014     void setLocalUserConfigList(ConcurrentMap<String, UserConfig> ucl) {
1015         if (ucl != null) {
1016             this.localUserConfigList = ucl;
1017         }
1018     }
1019
1020     void setRemoteServerConfigList(ConcurrentMap<String, ServerConfig> scl) {
1021         if (scl != null) {
1022             this.remoteServerConfigList = scl;
1023         }
1024     }
1025
1026     void setAuthorizationConfList(ConcurrentMap<String, AuthorizationConfig> acl) {
1027         if (acl != null) {
1028             this.authorizationConfList = acl;
1029         }
1030     }
1031
1032     void setActiveUsers(ConcurrentMap<String, AuthenticatedUser> au) {
1033         if (au != null) {
1034             this.activeUsers = au;
1035         }
1036     }
1037
1038     void setAuthProviders(ConcurrentMap<String, IAAAProvider> ap) {
1039         if (ap != null) {
1040             this.authProviders = ap;
1041         }
1042     }
1043
1044     @Override
1045     public ISessionManager getSessionManager() {
1046         return this.sessionMgr;
1047     }
1048
1049     public void setSessionMgr(ISessionManager sessionMgr) {
1050         this.sessionMgr = sessionMgr;
1051     }
1052
1053     @Override
1054     public String getPassword(String username) {
1055         return localUserConfigList.get(username).getPassword();
1056     }
1057
1058     @Override
1059     public boolean isRoleInUse(String role) {
1060         if (role == null || role.isEmpty()) {
1061             return false;
1062         }
1063         // Check against controller roles
1064         if (role.equals(UserLevel.SYSTEMADMIN.toString())
1065                 || role.equals(UserLevel.NETWORKADMIN.toString())
1066                 || role.equals(UserLevel.NETWORKOPERATOR.toString())) {
1067             return true;
1068         }
1069         // Check if container roles
1070         if (containerAuthorizationClient != null) {
1071             if (containerAuthorizationClient.isApplicationRole(role)) {
1072                 return true;
1073             }
1074         }
1075         // Finally if application role
1076         if (applicationAuthorizationClients != null) {
1077             for (IResourceAuthorization client : this.applicationAuthorizationClients) {
1078                 if (client.isApplicationRole(role)) {
1079                     return true;
1080                 }
1081             }
1082         }
1083         return false;
1084     }
1085 }