diff options
-rwxr-xr-x | pom.xml | 8 | ||||
-rw-r--r-- | src/main/java/org/onap/aai/interceptors/pre/TwoWaySslAuthorization.java | 187 |
2 files changed, 6 insertions, 189 deletions
@@ -26,7 +26,7 @@ <parent> <groupId>org.onap.aai.aai-common</groupId> <artifactId>aai-parent</artifactId> - <version>1.7.0</version> + <version>1.7.2</version> </parent> <groupId>org.onap.aai.graphadmin</groupId> <artifactId>aai-graphadmin</artifactId> @@ -56,7 +56,7 @@ <docker.push.registry>localhost:5000</docker.push.registry> <aai.docker.version>1.0.0</aai.docker.version> <aai.schema.service.version>1.7.9</aai.schema.service.version> - <aai.common.version>1.7.0</aai.common.version> + <aai.common.version>1.7.2</aai.common.version> <aai.build.directory>${project.build.directory}/${project.artifactId}-${project.version}-build/ </aai.build.directory> <aai.docker.namespace>onap</aai.docker.namespace> @@ -346,6 +346,10 @@ <artifactId>aai-core</artifactId> <exclusions> <exclusion> + <groupId>org.onap.aai.aai-common</groupId> + <artifactId>aai-aaf-auth</artifactId> + </exclusion> + <exclusion> <groupId>com.sun.jersey</groupId> <artifactId>jersey-core</artifactId> </exclusion> diff --git a/src/main/java/org/onap/aai/interceptors/pre/TwoWaySslAuthorization.java b/src/main/java/org/onap/aai/interceptors/pre/TwoWaySslAuthorization.java deleted file mode 100644 index 8c973a1..0000000 --- a/src/main/java/org/onap/aai/interceptors/pre/TwoWaySslAuthorization.java +++ /dev/null @@ -1,187 +0,0 @@ -/** - * ============LICENSE_START======================================================= - * org.onap.aai - * ================================================================================ - * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ -package org.onap.aai.interceptors.pre; - -import org.onap.aai.aaf.auth.AAIAuthCore; -import org.onap.aai.exceptions.AAIException; -import org.onap.aai.interceptors.AAIContainerFilter; -import org.onap.aai.interceptors.AAIHeaderProperties; -import org.onap.aai.logging.ErrorLogHelper; -import org.onap.aai.restcore.HttpMethod; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.Profile; - -import javax.annotation.Priority; -import javax.security.auth.x500.X500Principal; -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.container.ContainerRequestContext; -import javax.ws.rs.container.ContainerRequestFilter; -import javax.ws.rs.container.PreMatching; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.Response; -import javax.ws.rs.ext.Provider; -import java.security.cert.X509Certificate; -import java.util.*; -import java.util.stream.Collectors; - -@Provider -@PreMatching -@Priority(AAIRequestFilterPriority.AUTHORIZATION) -@Profile("two-way-ssl") -public class TwoWaySslAuthorization extends AAIContainerFilter implements ContainerRequestFilter { - - @Autowired - private HttpServletRequest httpServletRequest; - - @Autowired - private AAIAuthCore aaiAuthCore; - - @Override - public void filter(ContainerRequestContext requestContext) { - - Optional<Response> oResp; - - String uri = requestContext.getUriInfo().getAbsolutePath().getPath(); - String httpMethod = getHttpMethod(requestContext); - - List<MediaType> acceptHeaderValues = requestContext.getAcceptableMediaTypes(); - - Optional<String> authUser = getUser(this.httpServletRequest); - - if (authUser.isPresent()) { - oResp = this.authorize(uri, httpMethod, acceptHeaderValues, authUser.get(), - this.getHaProxyUser(this.httpServletRequest), getCertIssuer(this.httpServletRequest)); - if (oResp.isPresent()) { - requestContext.abortWith(oResp.get()); - return; - } - } else { - AAIException aaie = new AAIException("AAI_9107"); - requestContext - .abortWith(Response - .status(aaie.getErrorObject().getHTTPResponseCode()).entity(ErrorLogHelper - .getRESTAPIErrorResponseWithLogging(acceptHeaderValues, aaie, new ArrayList<>())) - .build()); - } - - } - - private String getCertIssuer(HttpServletRequest hsr) { - String issuer = hsr.getHeader("X-AAI-SSL-Issuer"); - if (issuer != null && !issuer.isEmpty()) { - // the haproxy header replaces the ', ' with '/' and reverses on the '/' need to undo that. - List<String> broken = Arrays.asList(issuer.split("/")); - broken = broken.stream().filter(s -> !s.isEmpty()).collect(Collectors.toList()); - Collections.reverse(broken); - issuer = String.join(", ", broken); - } else { - if (hsr.getAttribute("javax.servlet.request.cipher_suite") != null) { - X509Certificate[] certChain = (X509Certificate[]) hsr.getAttribute("javax.servlet.request.X509Certificate"); - if (certChain != null && certChain.length > 0) { - X509Certificate clientCert = certChain[0]; - issuer = clientCert.getIssuerX500Principal().getName(); - } - } - } - return issuer; - } - - private String getHttpMethod(ContainerRequestContext requestContext) { - String httpMethod = requestContext.getMethod(); - if ("POST".equalsIgnoreCase(httpMethod) - && "PATCH".equals(requestContext.getHeaderString(AAIHeaderProperties.HTTP_METHOD_OVERRIDE))) { - httpMethod = HttpMethod.MERGE_PATCH.toString(); - } - if (httpMethod.equalsIgnoreCase(HttpMethod.MERGE_PATCH.toString()) || "patch".equalsIgnoreCase(httpMethod)) { - httpMethod = HttpMethod.PUT.toString(); - } - return httpMethod; - } - - private Optional<String> getUser(HttpServletRequest hsr) { - String authUser = null; - if (hsr.getAttribute("javax.servlet.request.cipher_suite") != null) { - X509Certificate[] certChain = (X509Certificate[]) hsr.getAttribute("javax.servlet.request.X509Certificate"); - - /* - * If the certificate is null or the certificate chain length is zero Then - * retrieve the authorization in the request header Authorization Check that it - * is not null and that it starts with Basic and then strip the basic portion to - * get the base64 credentials Check if this is contained in the AAIBasicAuth - * Singleton class If it is, retrieve the username associated with that - * credentials and set to authUser Otherwise, get the principal from certificate - * and use that authUser - */ - - if (certChain == null || certChain.length == 0) { - - String authorization = hsr.getHeader("Authorization"); - - if (authorization != null && authorization.startsWith("Basic ")) { - authUser = authorization.replace("Basic ", ""); - } - - } else { - X509Certificate clientCert = certChain[0]; - X500Principal subjectDN = clientCert.getSubjectX500Principal(); - authUser = subjectDN.toString().toLowerCase(); - } - } - - return Optional.ofNullable(authUser); - } - - private String getHaProxyUser(HttpServletRequest hsr) { - String haProxyUser; - if (Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-CN")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-OU")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-O")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-L")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-ST")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-C"))) { - haProxyUser = ""; - } else { - haProxyUser = String.format("CN=%s, OU=%s, O=\"%s\", L=%s, ST=%s, C=%s", - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-CN"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-OU"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-O"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-L"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-ST"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-C"), "")).toLowerCase(); - } - return haProxyUser; - } - - private Optional<Response> authorize(String uri, String httpMethod, List<MediaType> acceptHeaderValues, - String authUser, String haProxyUser, String issuer) { - Response response = null; - try { - if (!aaiAuthCore.authorize(authUser, uri, httpMethod, haProxyUser, issuer)) { - throw new AAIException("AAI_9101", "Request on " + httpMethod + " " + uri + " status is not OK"); - } - } catch (AAIException e) { - response = Response.status(e.getErrorObject().getHTTPResponseCode()) - .entity(ErrorLogHelper.getRESTAPIErrorResponseWithLogging(acceptHeaderValues, e, new ArrayList<>())) - .build(); - } - return Optional.ofNullable(response); - } - -} |