Diffstat (limited to 'aai-aaf-auth/src/main/java/org/onap')
15 files changed, 214 insertions, 201 deletions
diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AAIAuthCore.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AAIAuthCore.java index 0e170301..f591125c 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AAIAuthCore.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AAIAuthCore.java @@ -20,18 +20,11 @@ package org.onap.aai.aaf.auth; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import com.fasterxml.jackson.core.JsonProcessingException; import com.google.gson.JsonArray; import com.google.gson.JsonElement; import com.google.gson.JsonObject; import com.google.gson.JsonParser; -import org.eclipse.jetty.util.security.Password; -import org.onap.aai.aaf.auth.exceptions.AAIUnrecognizedFunctionException; -import org.onap.aai.logging.ErrorLogHelper; -import org.onap.aai.util.AAIConfig; -import org.onap.aai.util.AAIConstants; import java.io.File; import java.io.FileNotFoundException; @@ -43,6 +36,14 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; import java.util.stream.Collectors; +import org.eclipse.jetty.util.security.Password; +import org.onap.aai.aaf.auth.exceptions.AAIUnrecognizedFunctionException; +import org.onap.aai.logging.ErrorLogHelper; +import org.onap.aai.util.AAIConfig; +import org.onap.aai.util.AAIConstants; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + /** * The Class AAIAuthCore. */ 
@@ -69,14 +70,14 @@ public final class AAIAuthCore { this(basePath, AAIConstants.AAI_AUTH_CONFIG_FILENAME); } - public AAIAuthCore(String basePath, String filename){ + public AAIAuthCore(String basePath, String filename) { this.basePath = basePath; this.globalAuthFileName = filename; authPolicyPattern = Pattern.compile("^" + this.basePath + "/v\\d+/([\\w\\-]*)"); init(); } - public AAIAuthCore(String basePath, String filename, String pattern){ + public AAIAuthCore(String basePath, String filename, String pattern) { this.basePath = basePath; this.globalAuthFileName = filename; authPolicyPattern = Pattern.compile(pattern); @@ -364,7 +365,7 @@ public final class AAIAuthCore { * @return true, if successful */ private boolean authorize(AAIUser aaiUser, String aaiMethod, String httpMethod) { - if ("info".equalsIgnoreCase(aaiMethod)|| aaiUser.hasAccess(aaiMethod, httpMethod)) { + if ("info".equalsIgnoreCase(aaiMethod) || aaiUser.hasAccess(aaiMethod, httpMethod)) { LOGGER.debug("AUTH ACCEPTED: " + aaiUser.getUsername() + " on function " + aaiMethod + " request type " + httpMethod); return true; diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AafRequestFilter.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AafRequestFilter.java index 9a02fe2c..cfaa61be 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AafRequestFilter.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AafRequestFilter.java 
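Review bot: `authPolicyPattern = Pattern.compile("^" + this.basePath + "/v\\d+/([\\w\\-]*)");` in the two-argument constructor splices the configured base path into the regex unquoted, so a regex metacharacter in that path (a `.`, `+` or parenthesis) silently changes which URIs the policy pattern matches, or makes `compile()` throw at startup. Quote it: `authPolicyPattern = Pattern.compile("^" + Pattern.quote(this.basePath) + "/v\\d+/([\\w\\-]*)");`. The three-argument constructor takes the whole pattern from its caller and is unaffected.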
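Review bot: `if ("info".equalsIgnoreCase(aaiMethod) || aaiUser.hasAccess(aaiMethod, httpMethod))` grants the `info` function to every caller that reaches `authorize` before the user's grants are consulted, and nothing in the visible Javadoc (only the `@return` line is in the hunk) says this is deliberate. A comment such as `// "info" is intentionally open to any caller; every other function is checked against the user's policy grants` would stop the next reader from treating it as a missing check. `authorize` continues past the end of this hunk.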
@@ -20,20 +20,21 @@ package org.onap.aai.aaf.auth; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.onap.aaf.cadi.filter.CadiFilter; +import static org.onap.aai.aaf.auth.ResponseFormatter.errorResponse; -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.Enumeration; import java.util.List; import java.util.Properties; -import static org.onap.aai.aaf.auth.ResponseFormatter.errorResponse; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.filter.CadiFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * The Class AafRequestFilter provides common auth filter methods diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AafRequestWrapper.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AafRequestWrapper.java index 0ecca679..f74ed3e4 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AafRequestWrapper.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/AafRequestWrapper.java @@ -20,9 +20,10 @@ package org.onap.aai.aaf.auth; +import java.util.*; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; -import java.util.*; /** * The AafRequestWrapper sets the user in the principal name diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/CertUtil.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/CertUtil.java index 26273a6a..139e46c8 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/CertUtil.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/CertUtil.java 
@@ -20,18 +20,19 @@ package org.onap.aai.aaf.auth; +import java.io.FileInputStream; +import java.io.IOException; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Objects; import java.util.Properties; +import java.util.stream.Collectors; import javax.servlet.http.HttpServletRequest; -import java.io.FileInputStream; -import java.io.IOException; -import java.security.cert.X509Certificate; -import java.util.stream.Collectors; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -39,8 +40,8 @@ import org.slf4j.LoggerFactory; * The Class CertUtil provides cert related utility methods. */ public class CertUtil { - public static final String DEFAULT_CADI_ISSUERS = "CN=ATT AAF CADI Test Issuing " + - "CA 01, OU=CSO, O=ATT, C=US:CN=ATT AAF CADI Test Issuing CA 02, OU=CSO, O=ATT, C=US"; + public static final String DEFAULT_CADI_ISSUERS = "CN=ATT AAF CADI Test Issuing " + + "CA 01, OU=CSO, O=ATT, C=US:CN=ATT AAF CADI Test Issuing CA 02, OU=CSO, O=ATT, C=US"; public static final String CADI_PROP_FILES = "cadi_prop_files"; public static final String CADI_ISSUERS_PROP_NAME = "cadi_x509_issuers"; public static final String CADI_ISSUERS_SEPARATOR = ":"; diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/ResponseFormatter.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/ResponseFormatter.java index f5583b71..1748ed15 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/ResponseFormatter.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/auth/ResponseFormatter.java 
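Review bot: `DEFAULT_CADI_ISSUERS` names two *test* issuing CAs ("ATT AAF CADI Test Issuing CA 01/02"), and the constant's name together with `CADI_ISSUERS_PROP_NAME = "cadi_x509_issuers"` suggests it is the fallback used when that property is missing from the CADI configuration (the lookup itself is outside this hunk). A deployment that forgets to set the property would then treat client certificates chained to a test CA as AAF-issued, which is the wrong failure mode for a trust-anchor list; an empty default that fails closed with a startup error is safer. At minimum the constant needs a comment: `// Test-CA issuers, used only when cadi_x509_issuers is not configured; production configuration must override this.`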
@@ -20,15 +20,16 @@ package org.onap.aai.aaf.auth; -import org.onap.aai.exceptions.AAIException; -import org.onap.aai.logging.ErrorLogHelper; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collections; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.ws.rs.core.MediaType; -import java.io.IOException; -import java.util.ArrayList; -import java.util.Collections; + +import org.onap.aai.exceptions.AAIException; +import org.onap.aai.logging.ErrorLogHelper; public class ResponseFormatter { @@ -43,9 +44,10 @@ public class ResponseFormatter { errorResponse(new AAIException("AAI_3300"), request, response); } - public static void errorResponse(AAIException exception, HttpServletRequest request, HttpServletResponse response) throws IOException { + public static void errorResponse(AAIException exception, HttpServletRequest request, HttpServletResponse response) + throws IOException { - if(response.isCommitted()){ + if (response.isCommitted()) { return; } @@ -62,7 +64,8 @@ public class ResponseFormatter { response.setStatus(exception.getErrorObject().getHTTPResponseCode().getStatusCode()); response.resetBuffer(); - String resp = ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), exception, new ArrayList<>()); + String resp = ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), + exception, new ArrayList<>()); response.getOutputStream().print(resp); response.flushBuffer(); } diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafAuthorizationFilter.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafAuthorizationFilter.java index 82651e9f..485fa7e3 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafAuthorizationFilter.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafAuthorizationFilter.java 
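Review bot: `MediaType.valueOf(accept)` throws `IllegalArgumentException` on a malformed media type, and `accept` appears to be derived from the request's Accept header (its assignment is above this hunk), so a client sending a garbage Accept value turns this error path into an uncaught 500 after `setStatus` and `resetBuffer` have already run. Parse defensively and fall back: `MediaType mt; try { mt = MediaType.valueOf(accept); } catch (IllegalArgumentException e) { mt = MediaType.APPLICATION_JSON_TYPE; }` and pass `Collections.singletonList(mt)` to `getRESTAPIErrorResponse`. `errorResponse` begins above this hunk.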
@@ -20,6 +20,17 @@ package org.onap.aai.aaf.filters; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.stream.Collectors; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.onap.aai.aaf.auth.ResponseFormatter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; @@ -28,16 +39,6 @@ import org.springframework.context.annotation.Profile; import org.springframework.context.annotation.PropertySource; import org.springframework.stereotype.Component; -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; -import java.util.stream.Collectors; - /** * AAF authorization filter */ 
@@ -59,52 +60,49 @@ public class AafAuthorizationFilter extends OrderedRequestContextFilter { private List<String> advancedKeywordsList; @Autowired - public AafAuthorizationFilter( - GremlinFilter gremlinFilter, - @Value("${permission.type}") String type, - @Value("${permission.instance}") String instance, - @Value("${advanced.keywords.list:}") String advancedKeys - ) { + public AafAuthorizationFilter(GremlinFilter gremlinFilter, @Value("${permission.type}") String type, + @Value("${permission.instance}") String instance, + @Value("${advanced.keywords.list:}") String advancedKeys) { this.gremlinFilter = gremlinFilter; this.type = type; this.instance = instance; - if(advancedKeys == null || advancedKeys.isEmpty()){ + if (advancedKeys == null || advancedKeys.isEmpty()) { this.advancedKeywordsList = new ArrayList<>(); } else { - this.advancedKeywordsList = Arrays.stream(advancedKeys.split(",")) - .collect(Collectors.toList()); + this.advancedKeywordsList = Arrays.stream(advancedKeys.split(",")).collect(Collectors.toList()); } this.setOrder(FilterPriority.AAF_AUTHORIZATION.getPriority()); } @Override - protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { - if(request.getRequestURI().matches("^.*/util/echo$")){ - filterChain.doFilter(request, response); - } - if(request.getRequestURI().endsWith("/query")){ + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws IOException, ServletException { + if (request.getRequestURI().matches("^.*/util/echo$")) { + filterChain.doFilter(request, response); + } + if (request.getRequestURI().endsWith("/query")) { gremlinFilter.doBasicAuthFilter(request, response, filterChain); } else { String permission = null; - if(advancedKeywordsList == null || advancedKeywordsList.size() == 0) { + if (advancedKeywordsList == null || advancedKeywordsList.size() == 0) { permission = 
String.format("%s|%s|%s", type, instance, request.getMethod().toLowerCase()); } else { boolean isAdvanced = this.containsAdvancedKeywords(request); - //if the URI contains advanced.keywords it's an advanced query + // if the URI contains advanced.keywords it's an advanced query String queryType = isAdvanced ? ADVANCED : BASIC; permission = String.format("%s|%s|%s", type, instance, queryType); } boolean isAuthorized = request.isUserInRole(permission); - if(!isAuthorized){ + if (!isAuthorized) { ResponseFormatter.errorResponse(request, response); } else { - filterChain.doFilter(request,response); + filterChain.doFilter(request, response); } } @@ -112,7 +110,7 @@ public class AafAuthorizationFilter extends OrderedRequestContextFilter { private boolean containsAdvancedKeywords(HttpServletRequest request) { String uri = request.getRequestURI(); - for (String keyword: advancedKeywordsList) { + for (String keyword : advancedKeywordsList) { if (uri.contains(keyword)) { return true; } diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafCertAuthorizationFilter.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafCertAuthorizationFilter.java index e0adf191..56799f1c 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafCertAuthorizationFilter.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafCertAuthorizationFilter.java @@ -20,6 +20,17 @@ package org.onap.aai.aaf.filters; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.stream.Collectors; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.onap.aai.aaf.auth.AafRequestFilter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; 
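Review bot: the echo bypass `if (request.getRequestURI().matches("^.*/util/echo$")) { filterChain.doFilter(request, response); }` has no `return`, so once the chain has handled an echo request the filter falls through to the `else` branch, evaluates `request.isUserInRole(permission)`, and then either invokes `filterChain.doFilter` a second time or tries to write an error response onto a response that is already finished (ResponseFormatter only skips it when the response is committed). Add `return;` directly after the echo `doFilter` call. `String.matches` also recompiles the regex on every request; a `private static final Pattern ECHO_ENDPOINT`, as GremlinFilter already has, would be consistent across the two filters.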
@@ -28,18 +39,6 @@ import org.springframework.context.annotation.Profile; import org.springframework.context.annotation.PropertySource; import org.springframework.stereotype.Component; -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; -import java.util.Properties; -import java.util.stream.Collectors; - - /** * AAF with client cert authorization filter */ 
@@ -62,42 +61,41 @@ public class AafCertAuthorizationFilter extends OrderedRequestContextFilter { private List<String> advancedKeywordsList; @Autowired - public AafCertAuthorizationFilter( - @Value("${permission.type}") String type, - @Value("${permission.instance}") String instance, - @Value("${advanced.keywords.list:}") String advancedKeys, - CadiProps cadiProps - ) { + public AafCertAuthorizationFilter(@Value("${permission.type}") String type, + @Value("${permission.instance}") String instance, @Value("${advanced.keywords.list:}") String advancedKeys, + CadiProps cadiProps) { this.type = type; this.instance = instance; this.cadiProps = cadiProps; - if(advancedKeys == null || advancedKeys.isEmpty()){ + if (advancedKeys == null || advancedKeys.isEmpty()) { this.advancedKeywordsList = new ArrayList<>(); } else { - this.advancedKeywordsList = Arrays.stream(advancedKeys.split(",")) - .collect(Collectors.toList()); + this.advancedKeywordsList = Arrays.stream(advancedKeys.split(",")).collect(Collectors.toList()); } this.setOrder(FilterPriority.AAF_CERT_AUTHORIZATION.getPriority()); } @Override - protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { - if(advancedKeywordsList == null || advancedKeywordsList.size() == 0){ + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws IOException, ServletException { + if (advancedKeywordsList == null || advancedKeywordsList.size() == 0) { String permission = String.format("%s|%s|%s", type, instance, request.getMethod().toLowerCase()); - AafRequestFilter.authorizationFilter(request, response, filterChain, permission, cadiProps.getCadiProperties()); + AafRequestFilter.authorizationFilter(request, response, filterChain, permission, + cadiProps.getCadiProperties()); } else { boolean isAdvanced = this.containsAdvancedKeywords(request); - //if the URI contains 
advanced.keywords it's an advanced query + // if the URI contains advanced.keywords it's an advanced query String queryType = isAdvanced ? ADVANCED : BASIC; String permission = String.format("%s|%s|%s", type, instance, queryType); - AafRequestFilter.authorizationFilter(request, response, filterChain, permission, cadiProps.getCadiProperties()); + AafRequestFilter.authorizationFilter(request, response, filterChain, permission, + cadiProps.getCadiProperties()); } } private boolean containsAdvancedKeywords(HttpServletRequest request) { String uri = request.getRequestURI(); - for (String keyword: advancedKeywordsList) { + for (String keyword : advancedKeywordsList) { if (uri.contains(keyword)) { return true; } diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafCertFilter.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafCertFilter.java index 7a47b972..e423dc0a 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafCertFilter.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafCertFilter.java @@ -20,11 +20,18 @@ package org.onap.aai.aaf.filters; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import java.io.IOException; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.onap.aaf.cadi.PropAccess; import org.onap.aaf.cadi.filter.CadiFilter; import org.onap.aai.aaf.auth.AafRequestFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.web.servlet.filter.OrderedRequestContextFilter; 
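Review bot: `containsAdvancedKeywords` chooses between the basic and advanced permission by `uri.contains(keyword)` on `request.getRequestURI()`, which is the raw, undecoded path. If any configured keyword names a path segment, a percent-encoded spelling of it passes this check as a basic query while the container decodes it downstream; whether that is reachable depends on what `advanced.keywords.list` holds, which is configuration not visible here. Matching against a decoded, normalized path (or the resolved resource) closes that gap, and `request.getMethod().toLowerCase()` should be `toLowerCase(Locale.ROOT)` since the result is compared against configured permission strings.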
@@ -32,12 +39,6 @@ import org.springframework.context.annotation.Profile; import org.springframework.context.annotation.PropertySource; import org.springframework.stereotype.Component; -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; - /** * AAF with client cert authentication filter */ @@ -57,12 +58,12 @@ public class AafCertFilter extends OrderedRequestContextFilter { private final CadiProps cadiProps; @Autowired - public AafCertFilter( @Value("${aaf.userchain.pattern}") String aafUserChainPattern, - CadiProps cadiProps) throws IOException, ServletException { + public AafCertFilter(@Value("${aaf.userchain.pattern}") String aafUserChainPattern, CadiProps cadiProps) + throws IOException, ServletException { this.aafUserChainPattern = aafUserChainPattern; this.cadiProps = cadiProps; - cadiFilter = new CadiFilter(new PropAccess((level,element)->{ + cadiFilter = new CadiFilter(new PropAccess((level, element) -> { switch (level) { case DEBUG: LOGGER.debug(buildMsg(element)); 
@@ -86,22 +87,24 @@ public class AafCertFilter extends OrderedRequestContextFilter { case NONE: break; } - }, new String[]{"cadi_prop_files=" + cadiProps.getCadiFileName()} )); + }, new String[] {"cadi_prop_files=" + cadiProps.getCadiFileName()})); this.setOrder(FilterPriority.AAF_CERT_AUTHENTICATION.getPriority()); } @Override - protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { - AafRequestFilter.authenticationFilter(request, response, filterChain, cadiFilter, cadiProps.getCadiProperties(), aafUserChainPattern); + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws IOException, ServletException { + AafRequestFilter.authenticationFilter(request, response, filterChain, cadiFilter, cadiProps.getCadiProperties(), + aafUserChainPattern); } + private String buildMsg(Object[] objects) { StringBuilder sb = new StringBuilder(); boolean first = true; - for ( Object o: objects ) { + for (Object o : objects) { if (first) { first = false; - } - else { + } else { sb.append(' '); } sb.append(o.toString()); diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafFilter.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafFilter.java index e6769dda..5dbc2e7a 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafFilter.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafFilter.java 
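Review bot: `sb.append(o.toString());` in `buildMsg` throws `NullPointerException` if CADI passes a null element in the log varargs, and because this runs inside the `PropAccess` logging callback the exception would surface out of `cadiFilter.doFilter` during authentication instead of being logged. `sb.append(o)` (or `sb.append(String.valueOf(o))`) renders null as "null" and keeps the log path from failing the request. `buildMsg` continues past the end of this hunk.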
@@ -20,23 +20,23 @@ package org.onap.aai.aaf.filters; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import java.io.IOException; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.onap.aaf.cadi.PropAccess; import org.onap.aaf.cadi.filter.CadiFilter; import org.onap.aai.aaf.auth.ResponseFormatter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.web.servlet.filter.OrderedRequestContextFilter; import org.springframework.context.annotation.Profile; import org.springframework.stereotype.Component; -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; - - /** * AAF authentication filter */ @@ -51,7 +51,7 @@ public class AafFilter extends OrderedRequestContextFilter { @Autowired public AafFilter(CadiProps cadiProps) throws IOException, ServletException { - cadiFilter = new CadiFilter(new PropAccess((level,element)->{ + cadiFilter = new CadiFilter(new PropAccess((level, element) -> { switch (level) { case DEBUG: LOGGER.debug(buildMsg(element)); 
@@ -75,12 +75,13 @@ public class AafFilter extends OrderedRequestContextFilter { case NONE: break; } - }, new String[]{"cadi_prop_files=" + cadiProps.getCadiFileName()} )); + }, new String[] {"cadi_prop_files=" + cadiProps.getCadiFileName()})); this.setOrder(FilterPriority.AAF_AUTHENTICATION.getPriority()); } @Override - protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws IOException, ServletException { if (!request.getRequestURI().matches("^.*/util/echo$")) { cadiFilter.doFilter(request, response, filterChain); if (response.getStatus() == 401 || response.getStatus() == 403) { @@ -94,11 +95,10 @@ public class AafFilter extends OrderedRequestContextFilter { private String buildMsg(Object[] objects) { StringBuilder sb = new StringBuilder(); boolean first = true; - for ( Object o: objects ) { + for (Object o : objects) { if (first) { first = false; - } - else { + } else { sb.append(' '); } sb.append(o.toString()); diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafProfiles.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafProfiles.java index b587716e..e87dc4a5 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafProfiles.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/AafProfiles.java 
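Review bot: `if (!request.getRequestURI().matches("^.*/util/echo$"))` exempts from CADI authentication every request whose raw URI ends in `/util/echo`, not only the health endpoint; whether another route can end that way depends on the resource mapping, which is not visible here. Matching the exact configured echo path, and holding it in a `private static final Pattern` instead of recompiling through `String.matches` per request, is both tighter and cheaper. The `if` body continues past the end of this hunk.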
@@ -17,17 +17,19 @@ * limitations under the License. * ============LICENSE_END========================================================= */ + package org.onap.aai.aaf.filters; public class AafProfiles { // AAF Basic Auth - public static final String AAF_AUTHENTICATION = "aaf-auth"; + public static final String AAF_AUTHENTICATION = "aaf-auth"; // AAF Auth with Client Certs - public static final String AAF_CERT_AUTHENTICATION = "aaf-cert-auth"; + public static final String AAF_CERT_AUTHENTICATION = "aaf-cert-auth"; - public static final String TWO_WAY_SSL = "two-way-ssl"; + public static final String TWO_WAY_SSL = "two-way-ssl"; - private AafProfiles(){} + private AafProfiles() { + } } diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/CadiProps.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/CadiProps.java index 35e88f5f..4bf9ea82 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/CadiProps.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/CadiProps.java @@ -17,8 +17,17 @@ * limitations under the License. * ============LICENSE_END========================================================= */ + package org.onap.aai.aaf.filters; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.util.Properties; + +import javax.annotation.PostConstruct; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; 
@@ -26,20 +35,9 @@ import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Profile; import org.springframework.stereotype.Component; -import javax.annotation.PostConstruct; -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.util.Properties; - // This component will be created if and only if any of the following profiles are active @Component -@Profile({ - AafProfiles.AAF_CERT_AUTHENTICATION, - AafProfiles.AAF_AUTHENTICATION, - AafProfiles.TWO_WAY_SSL -}) +@Profile({AafProfiles.AAF_CERT_AUTHENTICATION, AafProfiles.AAF_AUTHENTICATION, AafProfiles.TWO_WAY_SSL}) public class CadiProps { private static final Logger LOGGER = LoggerFactory.getLogger(CadiProps.class); @@ -49,18 +47,19 @@ public class CadiProps { private Properties cadiProperties; @Autowired - public CadiProps(@Value("${aaf.cadi.file:./resources/cadi.properties}") String filename){ - cadiFileName = filename; + public CadiProps(@Value("${aaf.cadi.file:./resources/cadi.properties}") String filename) { + cadiFileName = filename; cadiProperties = new Properties(); } @PostConstruct public void init() throws IOException { - File cadiFile = new File(cadiFileName); + File cadiFile = new File(cadiFileName); - if(!cadiFile.exists()){ - LOGGER.warn("Unable to find the cadi file in the given path {} so loading cadi.properties from classloader", cadiFileName); + if (!cadiFile.exists()) { + LOGGER.warn("Unable to find the cadi file in the given path {} so loading cadi.properties from classloader", + cadiFileName); InputStream is = this.getClass().getClassLoader().getResourceAsStream("cadi.properties"); cadiProperties.load(is); } else { @@ -72,10 +71,12 @@ public class CadiProps { } } + public String getCadiFileName() { return cadiFileName; } - public Properties getCadiProperties(){ + + public Properties getCadiProperties() { return cadiProperties; } } 
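Review bot: in `init()` the classpath fallback `InputStream is = this.getClass().getClassLoader().getResourceAsStream("cadi.properties"); cadiProperties.load(is);` hands `is` straight to `load`, so a missing classpath resource surfaces as a `NullPointerException` rather than a clear configuration error, and the stream is never closed. The fallback also silently replaces the operator's intended CADI configuration (issuers, keystore and the like) with whatever was packaged in the jar, which in an authentication component deserves more than a warn-level log; if the fallback is kept, it should at least be explicit and closed properly as below. `init()` continues past the end of this hunk.
```java
        if (!cadiFile.exists()) {
            // … unchanged: warn log …
            try (InputStream is = this.getClass().getClassLoader().getResourceAsStream("cadi.properties")) {
                if (is == null) {
                    throw new IOException("cadi.properties not found at " + cadiFileName + " or on the classpath");
                }
                cadiProperties.load(is);
            }
        } else {
```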
diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/FilterPriority.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/FilterPriority.java index 17b9f0e4..e2423425 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/FilterPriority.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/FilterPriority.java @@ -17,17 +17,18 @@ * limitations under the License. * ============LICENSE_END========================================================= */ + package org.onap.aai.aaf.filters; import org.springframework.core.Ordered; public enum FilterPriority { - AAF_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE), - AAF_AUTHORIZATION(Ordered.HIGHEST_PRECEDENCE + 1), //higher number = lower priority - AAF_CERT_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE + 2 ), - AAF_CERT_AUTHORIZATION(Ordered.HIGHEST_PRECEDENCE + 3), - TWO_WAY_SSL_AUTH(Ordered.HIGHEST_PRECEDENCE + 4); + AAF_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE), AAF_AUTHORIZATION(Ordered.HIGHEST_PRECEDENCE + 1), // higher number + // = lower + // priority + AAF_CERT_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE + 2), AAF_CERT_AUTHORIZATION( + Ordered.HIGHEST_PRECEDENCE + 3), TWO_WAY_SSL_AUTH(Ordered.HIGHEST_PRECEDENCE + 4); private final int priority; @@ -35,5 +36,7 @@ public enum FilterPriority { priority = p; } - public int getPriority() { return priority; } + public int getPriority() { + return priority; + } } diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/GremlinFilter.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/GremlinFilter.java index ce96acf1..dffa74ef 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/GremlinFilter.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/GremlinFilter.java @@ -17,6 +17,7 @@ * limitations under the License. * ============LICENSE_END========================================================= */ + package org.onap.aai.aaf.filters; import java.io.IOException; 
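Review bot: the formatter has mangled the enum: the five constants now share lines, `AAF_CERT_AUTHORIZATION(` is split from its argument, and the trailing comment `// higher number = lower priority` is scattered across three line-end fragments, which makes the ordering of the security filters — the one thing this enum exists to express — hard to read. Keep one constant per line, with the explanation on its own line above the list, e.g. `// Spring runs lower values first: AAF authentication precedes authorization, and two-way SSL runs last.` followed by `AAF_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE),` and so on. A `// @formatter:off` / `// @formatter:on` pair (or the equivalent directive for the formatter in use) around the constant list stops this from recurring.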
@@ -38,10 +39,7 @@ import org.springframework.context.annotation.Profile; import org.springframework.stereotype.Component; @Component -@Profile({ - AafProfiles.AAF_CERT_AUTHENTICATION, - AafProfiles.AAF_AUTHENTICATION -}) +@Profile({AafProfiles.AAF_CERT_AUTHENTICATION, AafProfiles.AAF_AUTHENTICATION}) public class GremlinFilter { private static final Logger LOGGER = LoggerFactory.getLogger(GremlinFilter.class); 
@@ -57,44 +55,46 @@ public class GremlinFilter { private CadiProps cadiProps; @Autowired - public GremlinFilter( - @Value("${permission.type}") String type, - @Value("${permission.instance}") String instance, - CadiProps cadiProps - ) { + public GremlinFilter(@Value("${permission.type}") String type, @Value("${permission.instance}") String instance, + CadiProps cadiProps) { this.type = type; this.instance = instance; this.cadiProps = cadiProps; } - public void doBasicAuthFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { + public void doBasicAuthFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws IOException, ServletException { PayloadBufferingRequestWrapper requestBufferWrapper = new PayloadBufferingRequestWrapper(request); - if(ECHO_ENDPOINT.matcher(request.getRequestURI()).matches()){ + if (ECHO_ENDPOINT.matcher(request.getRequestURI()).matches()) { filterChain.doFilter(requestBufferWrapper, response); } String payload = IOUtils.toString(requestBufferWrapper.getInputStream(), StandardCharsets.UTF_8.name()); boolean containsWordGremlin = payload.contains("\"gremlin\""); - //if the requestBufferWrapper contains the word "gremlin" it's an "advanced" query needing an "advanced" role + // if the requestBufferWrapper contains the word "gremlin" it's an "advanced" query needing an "advanced" role String permissionBasic = String.format("%s|%s|%s", type, instance, BASIC); String permissionAdvanced = String.format("%s|%s|%s", type, instance, ADVANCED); boolean isAuthorized; - if(containsWordGremlin){ + if (containsWordGremlin) { isAuthorized = requestBufferWrapper.isUserInRole(permissionAdvanced); - }else{ - isAuthorized = requestBufferWrapper.isUserInRole(permissionAdvanced) || requestBufferWrapper.isUserInRole(permissionBasic); + } else { + isAuthorized = requestBufferWrapper.isUserInRole(permissionAdvanced) + || 
requestBufferWrapper.isUserInRole(permissionBasic); } - if(!isAuthorized){ - String name = requestBufferWrapper.getUserPrincipal() != null ? requestBufferWrapper.getUserPrincipal().getName() : "unknown"; - LOGGER.info("User " + name + " does not have a role for " + (containsWordGremlin ? "gremlin" : "non-gremlin") + " query" ); + if (!isAuthorized) { + String name = + requestBufferWrapper.getUserPrincipal() != null ? requestBufferWrapper.getUserPrincipal().getName() + : "unknown"; + LOGGER.info("User " + name + " does not have a role for " + + (containsWordGremlin ? "gremlin" : "non-gremlin") + " query"); ResponseFormatter.errorResponse(request, response); } else { - filterChain.doFilter(requestBufferWrapper,response); + filterChain.doFilter(requestBufferWrapper, response); } } } diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/PayloadBufferingRequestWrapper.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/PayloadBufferingRequestWrapper.java index 138189e4..e8c72dc3 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/PayloadBufferingRequestWrapper.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/PayloadBufferingRequestWrapper.java @@ -17,6 +17,7 @@ * limitations under the License. * ============LICENSE_END========================================================= */ + package org.onap.aai.aaf.filters; import java.io.ByteArrayInputStream; diff --git a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/TwoWaySslAuthorization.java b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/TwoWaySslAuthorization.java index 150802b8..3dad92df 100644 --- a/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/TwoWaySslAuthorization.java +++ b/aai-aaf-auth/src/main/java/org/onap/aai/aaf/filters/TwoWaySslAuthorization.java 
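Review bot: the echo check `if (ECHO_ENDPOINT.matcher(request.getRequestURI()).matches()) { filterChain.doFilter(requestBufferWrapper, response); }` lacks a `return`, so an echo request is handled by the chain and then re-enters the body: the payload is read, the role check runs, and either `filterChain.doFilter` is invoked a second time or an error response is attempted on a finished response. Add `return;` after that `doFilter`. Separately, `payload.contains("\"gremlin\"")` is what decides whether the advanced role is required; a body that spells the key with JSON escapes (for example `"\u0067remlin"`) is not matched here yet is presumably decoded to the same key by the JSON parser downstream, so a basic-role caller could submit a gremlin query — parsing the payload as JSON (Gson is already used in AAIAuthCore in this module) and inspecting the key set would make the decision robust.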
@@ -17,29 +17,31 @@
 * limitations under the License.
 * ============LICENSE_END=========================================================
 */
+
 package org.onap.aai.aaf.filters;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.util.*;
+
+import javax.security.auth.x500.X500Principal;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 import org.onap.aai.aaf.auth.AAIAuthCore;
 import org.onap.aai.aaf.auth.CertUtil;
 import org.onap.aai.aaf.auth.ResponseFormatter;
 import org.onap.aai.exceptions.AAIException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.web.servlet.filter.OrderedRequestContextFilter;
 import org.springframework.context.annotation.Profile;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Component;
-import javax.security.auth.x500.X500Principal;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.security.cert.X509Certificate;
-import java.util.*;
-
 @Component
 @Profile("two-way-ssl")
 public class TwoWaySslAuthorization extends OrderedRequestContextFilter {
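Review bot: The reordered import block keeps `import java.util.*;` as a wildcard while every other import in the hunk is explicit; listing the types the class actually uses (`Arrays`, `List` and `Objects` appear in the later hunks) keeps the file consistent with the rest of the block and avoids accidental shadowing when new `java.util` types appear. The hunk is otherwise import order only.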
@@ -59,12 +61,13 @@ public class TwoWaySslAuthorization extends OrderedRequestContextFilter {
 @Autowired
 private CadiProps cadiProps;
- public TwoWaySslAuthorization(){
+ public TwoWaySslAuthorization() {
 this.setOrder(FilterPriority.TWO_WAY_SSL_AUTH.getPriority());
 }
 @Override
- protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+ throws IOException, ServletException {
 String uri = request.getRequestURI();
 String httpMethod = getHttpMethod(request);
@@ -80,11 +83,11 @@ public class TwoWaySslAuthorization extends OrderedRequestContextFilter {
 ResponseFormatter.errorResponse(aaie, request, response);
 return;
 }
- issuer = issuer.replaceAll("\\s+","").toUpperCase();
+ issuer = issuer.replaceAll("\\s+", "").toUpperCase();
 List<String> cadiConfiguredIssuers = CertUtil.getCadiCertIssuers(cadiProperties);
 boolean isAafAuthProfileActive = this.isAafAuthProfileActive();
- if ((!isAafAuthProfileActive) || (!cadiConfiguredIssuers.contains(issuer)) ) {
+ if ((!isAafAuthProfileActive) || (!cadiConfiguredIssuers.contains(issuer))) {
 try {
 this.authorize(uri, httpMethod, authUser.get(), this.getHaProxyUser(request), issuer);
 } catch (AAIException e) {
@@ -100,11 +103,9 @@ public class TwoWaySslAuthorization extends OrderedRequestContextFilter {
 filterChain.doFilter(request, response);
 }
-
 private String getHttpMethod(HttpServletRequest request) {
 String httpMethod = request.getMethod();
- if ("POST".equalsIgnoreCase(httpMethod)
- && "PATCH".equals(request.getHeader(HTTP_METHOD_OVERRIDE))) {
+ if ("POST".equalsIgnoreCase(httpMethod) && "PATCH".equals(request.getHeader(HTTP_METHOD_OVERRIDE))) {
 httpMethod = MERGE_PATCH;
 }
 if (httpMethod.equalsIgnoreCase(MERGE_PATCH) || "patch".equalsIgnoreCase(httpMethod)) {
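Review bot: In the `@@ -80` hunk, `issuer = issuer.replaceAll("\\s+", "").toUpperCase();` uses the JVM default locale and the result is then looked up with `cadiConfiguredIssuers.contains(issuer)`; under a locale with non-ASCII case mappings (the Turkish dotless-i case) the string changes and the lookup silently misses, which flips the branch that decides whether `this.authorize(...)` runs. Use `issuer.replaceAll("\\s+", "").toUpperCase(Locale.ROOT)` (`Locale` is already covered by the `java.util.*` import); the same applies to the `.toLowerCase()` closing `getHaProxyUser` in the `@@ -148` hunk. Whether `CertUtil.getCadiCertIssuers` normalises its values the same way is outside this hunk, and the comparison only works if both sides agree. `doFilterInternal` starts and ends outside this hunk.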
@@ -148,26 +149,26 @@ public class TwoWaySslAuthorization extends OrderedRequestContextFilter {
 private String getHaProxyUser(HttpServletRequest hsr) {
 String haProxyUser;
- if (Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-CN"))
- || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-OU"))
- || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-O"))
- || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-L"))
- || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-ST"))
- || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-C"))) {
+ if (Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-CN")) || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-OU"))
+ || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-O"))
+ || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-L"))
+ || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-ST"))
+ || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-C"))) {
 haProxyUser = "";
 } else {
 haProxyUser = String.format("CN=%s, OU=%s, O=\"%s\", L=%s, ST=%s, C=%s",
- Objects.toString(hsr.getHeader("X-AAI-SSL-Client-CN"), ""),
- Objects.toString(hsr.getHeader("X-AAI-SSL-Client-OU"), ""),
- Objects.toString(hsr.getHeader("X-AAI-SSL-Client-O"), ""),
- Objects.toString(hsr.getHeader("X-AAI-SSL-Client-L"), ""),
- Objects.toString(hsr.getHeader("X-AAI-SSL-Client-ST"), ""),
- Objects.toString(hsr.getHeader("X-AAI-SSL-Client-C"), "")).toLowerCase();
+ Objects.toString(hsr.getHeader("X-AAI-SSL-Client-CN"), ""),
+ Objects.toString(hsr.getHeader("X-AAI-SSL-Client-OU"), ""),
+ Objects.toString(hsr.getHeader("X-AAI-SSL-Client-O"), ""),
+ Objects.toString(hsr.getHeader("X-AAI-SSL-Client-L"), ""),
+ Objects.toString(hsr.getHeader("X-AAI-SSL-Client-ST"), ""),
+ Objects.toString(hsr.getHeader("X-AAI-SSL-Client-C"), "")).toLowerCase();
 }
 return haProxyUser;
 }
- private void authorize(String uri, String httpMethod, String authUser, String haProxyUser, String issuer) throws AAIException {
+ private void authorize(String uri, String httpMethod, String authUser, String haProxyUser, String issuer)
+ 
throws AAIException {
 if (!aaiAuthCore.authorize(authUser, uri, httpMethod, haProxyUser, issuer)) {
 throw new AAIException("AAI_9101", "Request on " + httpMethod + " " + uri + " status is not OK");
 }
@@ -176,8 +177,7 @@ public class TwoWaySslAuthorization extends OrderedRequestContextFilter {
 private boolean isAafAuthProfileActive() {
 String[] profiles = environment.getActiveProfiles();
 if (profiles != null) {
- if (Arrays.stream(profiles).anyMatch(
- env -> (env.equalsIgnoreCase(AafProfiles.AAF_CERT_AUTHENTICATION)))) {
+ if (Arrays.stream(profiles).anyMatch(env -> (env.equalsIgnoreCase(AafProfiles.AAF_CERT_AUTHENTICATION)))) {
 return true;
 }
 } |
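Review bot: `getHaProxyUser` assembles the caller identity from six `X-AAI-SSL-Client-*` request headers with no check that the request actually arrived through the proxy that sets them, and the result is handed to `aaiAuthCore.authorize(authUser, uri, httpMethod, haProxyUser, issuer)`; what authorize does with that value is outside this hunk, so either confirm the filter is only reachable behind the proxy or document the trust boundary on the method, e.g. `// Trusts the X-AAI-SSL-Client-* headers: the proxy in front of this service must set them and drop any client-supplied copies.` Inside the else branch the `Objects.toString(..., "")` defaults are dead code because the preceding null check already excludes every null header, and only `O` is quoted in the formatted DN, so a header value containing `,` or `"` changes the DN's structure rather than being escaped; if this string is compared against a stored DN, both sides need the same escaping. The locale-sensitive `.toLowerCase()` on the last line of the format call should be `toLowerCase(Locale.ROOT)`, as for the issuer normalisation in the `@@ -80` hunk. `authorize` begins at the end of this hunk and its closing brace is outside it.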
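Review bot: The nested `if (profiles != null) { if (Arrays.stream(profiles).anyMatch(...)) { return true; } }` reads more directly as a single expression, `return profiles != null && Arrays.stream(profiles).anyMatch(env -> env.equalsIgnoreCase(AafProfiles.AAF_CERT_AUTHENTICATION));`, which also drops the redundant parentheses around the lambda body. The method's remaining lines (presumably the fall-through `return false`) are outside this hunk, so that tail would be removed with them.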