diff options
author | Pavel Paroulek <pavel.paroulek@orange.com> | 2018-08-31 12:53:58 +0200 |
---|---|---|
committer | Pavel Paroulek <pavel.paroulek@orange.com> | 2018-09-05 16:02:47 +0200 |
commit | 596968bb344d94a362c79a928a458e0b6f4da710 (patch) | |
tree | b1ccc4c900863be1db0d84cce638baa09ae69ab1 | |
parent | 4a9111a062a6286a8cdc3aeb740c567b33d0ba95 (diff) |
Adding AAF authorization filter
Adding a AAF authorization filter. Authorization checks a preconfigured permission org.onap.aai.resources
Change-Id: I83766fc79ef4d65ede73599408a1fce4353b6488
Issue-ID: AAI-32
Signed-off-by: Pavel Paroulek <pavel.paroulek@orange.com>
-rw-r--r-- | aai-resources/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java | 65 | ||||
-rw-r--r-- | aai-resources/src/main/java/org/onap/aai/config/aaf/AafFilter.java (renamed from aai-resources/src/main/java/org/onap/aai/config/AafFilter.java) | 22 | ||||
-rw-r--r-- | aai-resources/src/main/java/org/onap/aai/config/aaf/FilterPriority.java | 35 | ||||
-rw-r--r-- | aai-resources/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java | 45 | ||||
-rw-r--r-- | aai-resources/src/main/resources/aaf/permissions.properties | 2 |
5 files changed, 152 insertions, 17 deletions
diff --git a/aai-resources/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java b/aai-resources/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java new file mode 100644 index 00000000..22cd2cc1 --- /dev/null +++ b/aai-resources/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java @@ -0,0 +1,65 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.config.aaf; + +import org.onap.aai.Profiles; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.web.filter.OrderedRequestContextFilter; +import org.springframework.context.annotation.Profile; +import org.springframework.context.annotation.PropertySource; +import org.springframework.stereotype.Component; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse; + +/** + * AAF authorization filter + */ + +@Component +@Profile(Profiles.AAF_AUTHENTICATION) +@PropertySource("file:${server.local.startpath}/aaf/permissions.properties") +public class AafAuthorizationFilter extends OrderedRequestContextFilter { + + @Value("${permission.type}") + String type; + + @Value("${permission.instance}") + String instance; + + public AafAuthorizationFilter() { + this.setOrder(FilterPriority.AAF_AUTHORIZATION.getPriority()); + } + + @Override + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { + String permission = String.format("%s|%s|%s", type, instance, request.getMethod().toLowerCase()); + if(!request.isUserInRole(permission)){ + errorResponse(request, response); + }else{ + filterChain.doFilter(request,response); + } + } + } diff --git a/aai-resources/src/main/java/org/onap/aai/config/AafFilter.java b/aai-resources/src/main/java/org/onap/aai/config/aaf/AafFilter.java index 750540d2..a1047e01 100644 --- a/aai-resources/src/main/java/org/onap/aai/config/AafFilter.java +++ b/aai-resources/src/main/java/org/onap/aai/config/aaf/AafFilter.java @@ -17,29 +17,25 @@ * limitations under the License. * ============LICENSE_END========================================================= */ -package org.onap.aai.config; +package org.onap.aai.config.aaf; import org.onap.aaf.cadi.PropAccess; import org.onap.aaf.cadi.filter.CadiFilter; import org.onap.aai.Profiles; import org.onap.aai.ResourcesApp; -import org.onap.aai.exceptions.AAIException; -import org.onap.aai.logging.ErrorLogHelper; import org.springframework.boot.web.filter.OrderedRequestContextFilter; import org.springframework.context.annotation.Profile; -import org.springframework.core.Ordered; import org.springframework.stereotype.Component; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.core.MediaType; import java.io.IOException; -import java.util.ArrayList; -import java.util.Collections; import java.util.Properties; +import static org.onap.aai.config.aaf.ResponseFormatter.*; + /** * AAF authentication filter */ @@ -48,14 +44,13 @@ import java.util.Properties; @Profile(Profiles.AAF_AUTHENTICATION) public class AafFilter extends OrderedRequestContextFilter { - private static final String ACCEPT_HEADER = "accept"; private final CadiFilter cadiFilter; public AafFilter() throws IOException, ServletException { Properties cadiProperties = new Properties(); cadiProperties.load(ResourcesApp.class.getClassLoader().getResourceAsStream("cadi.properties")); cadiFilter = new CadiFilter(new PropAccess(cadiProperties)); - this.setOrder(Ordered.HIGHEST_PRECEDENCE); + this.setOrder(FilterPriority.AAF_AUTHENTICATION.getPriority()); } @Override @@ -66,12 +61,5 @@ public class AafFilter extends OrderedRequestContextFilter { } } - private void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException { - String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER); - AAIException aaie = new AAIException("AAI_3300"); - response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode()); - response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>())); - response.getWriter().flush(); - response.getWriter().close(); - } + } diff --git a/aai-resources/src/main/java/org/onap/aai/config/aaf/FilterPriority.java b/aai-resources/src/main/java/org/onap/aai/config/aaf/FilterPriority.java new file mode 100644 index 00000000..910db691 --- /dev/null +++ b/aai-resources/src/main/java/org/onap/aai/config/aaf/FilterPriority.java @@ -0,0 +1,35 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.config.aaf; + +import org.springframework.core.Ordered; + +public enum FilterPriority { + AAF_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE), + AAF_AUTHORIZATION(Ordered.HIGHEST_PRECEDENCE + 1); //higher number = lower priority + + private final int priority; + + FilterPriority(final int p) { + priority = p; + } + + public int getPriority() { return priority; } +} diff --git a/aai-resources/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java b/aai-resources/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java new file mode 100644 index 00000000..9e09827c --- /dev/null +++ b/aai-resources/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java @@ -0,0 +1,45 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.config.aaf; + +import org.onap.aai.exceptions.AAIException; +import org.onap.aai.logging.ErrorLogHelper; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.core.MediaType; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collections; + +class ResponseFormatter { + + private static final String ACCEPT_HEADER = "accept"; + + static void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException { + String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER); + AAIException aaie = new AAIException("AAI_3300"); + response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode()); + response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>())); + response.getWriter().flush(); + response.getWriter().close(); + } + +} diff --git a/aai-resources/src/main/resources/aaf/permissions.properties b/aai-resources/src/main/resources/aaf/permissions.properties new file mode 100644 index 00000000..4234121a --- /dev/null +++ b/aai-resources/src/main/resources/aaf/permissions.properties @@ -0,0 +1,2 @@ +permission.type=org.onap.aai.resources +permission.instance=*
\ No newline at end of file |