authorPavel Paroulek <pavel.paroulek@orange.com>2018-08-31 12:53:58 +0200
committerPavel Paroulek <pavel.paroulek@orange.com>2018-09-05 16:02:47 +0200
commit596968bb344d94a362c79a928a458e0b6f4da710 (patch)
treeb1ccc4c900863be1db0d84cce638baa09ae69ab1
parent4a9111a062a6286a8cdc3aeb740c567b33d0ba95 (diff)
Adding AAF authorization filter
Adding an AAF authorization filter. Authorization checks a preconfigured permission org.onap.aai.resources Change-Id: I83766fc79ef4d65ede73599408a1fce4353b6488 Issue-ID: AAI-32 Signed-off-by: Pavel Paroulek <pavel.paroulek@orange.com>
-rw-r--r--aai-resources/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java65
-rw-r--r--aai-resources/src/main/java/org/onap/aai/config/aaf/AafFilter.java (renamed from aai-resources/src/main/java/org/onap/aai/config/AafFilter.java)22
-rw-r--r--aai-resources/src/main/java/org/onap/aai/config/aaf/FilterPriority.java35
-rw-r--r--aai-resources/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java45
-rw-r--r--aai-resources/src/main/resources/aaf/permissions.properties2
5 files changed, 152 insertions, 17 deletions
diff --git a/aai-resources/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java b/aai-resources/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
new file mode 100644
index 0000000..22cd2cc
--- /dev/null
+++ b/aai-resources/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
@@ -0,0 +1,65 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.onap.aai.Profiles;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.filter.OrderedRequestContextFilter;
+import org.springframework.context.annotation.Profile;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
+
+/**
+ * AAF authorization filter
+ */
+
+@Component
+@Profile(Profiles.AAF_AUTHENTICATION)
+@PropertySource("file:${server.local.startpath}/aaf/permissions.properties")
+public class AafAuthorizationFilter extends OrderedRequestContextFilter {
+
+ @Value("${permission.type}")
+ String type;
+
+ @Value("${permission.instance}")
+ String instance;
+
+ public AafAuthorizationFilter() {
+ this.setOrder(FilterPriority.AAF_AUTHORIZATION.getPriority());
+ }
+
+ @Override
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+ String permission = String.format("%s|%s|%s", type, instance, request.getMethod().toLowerCase());
+ if(!request.isUserInRole(permission)){
+ errorResponse(request, response);
+ }else{
+ filterChain.doFilter(request,response);
+ }
+ }
+ }
diff --git a/aai-resources/src/main/java/org/onap/aai/config/AafFilter.java b/aai-resources/src/main/java/org/onap/aai/config/aaf/AafFilter.java
index 750540d..a1047e0 100644
--- a/aai-resources/src/main/java/org/onap/aai/config/AafFilter.java
+++ b/aai-resources/src/main/java/org/onap/aai/config/aaf/AafFilter.java
@@ -17,29 +17,25 @@
* limitations under the License.
* ============LICENSE_END=========================================================
*/
-package org.onap.aai.config;
+package org.onap.aai.config.aaf;
import org.onap.aaf.cadi.PropAccess;
import org.onap.aaf.cadi.filter.CadiFilter;
import org.onap.aai.Profiles;
import org.onap.aai.ResourcesApp;
-import org.onap.aai.exceptions.AAIException;
-import org.onap.aai.logging.ErrorLogHelper;
import org.springframework.boot.web.filter.OrderedRequestContextFilter;
import org.springframework.context.annotation.Profile;
-import org.springframework.core.Ordered;
import org.springframework.stereotype.Component;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.core.MediaType;
import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collections;
import java.util.Properties;
+import static org.onap.aai.config.aaf.ResponseFormatter.*;
+
/**
* AAF authentication filter
*/
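Review bot: The new `import static org.onap.aai.config.aaf.ResponseFormatter.*;` is a wildcard static import, while AafAuthorizationFilter in the same commit imports the single member; use `import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;` here as well so the dependency on the shared error writer is explicit and both filters read the same way.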
@@ -48,14 +44,13 @@ import java.util.Properties;
@Profile(Profiles.AAF_AUTHENTICATION)
public class AafFilter extends OrderedRequestContextFilter {
- private static final String ACCEPT_HEADER = "accept";
private final CadiFilter cadiFilter;
public AafFilter() throws IOException, ServletException {
Properties cadiProperties = new Properties();
cadiProperties.load(ResourcesApp.class.getClassLoader().getResourceAsStream("cadi.properties"));
cadiFilter = new CadiFilter(new PropAccess(cadiProperties));
- this.setOrder(Ordered.HIGHEST_PRECEDENCE);
+ this.setOrder(FilterPriority.AAF_AUTHENTICATION.getPriority());
}
@Override
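Review bot: The constructor, whose ordering line this commit changes, still loads `cadi.properties` via `getResourceAsStream` without closing the stream, and `Properties.load` does not close it for you; wrap it as `try (InputStream in = ResourcesApp.class.getClassLoader().getResourceAsStream("cadi.properties")) { cadiProperties.load(in); }` (needs `java.io.InputStream`). If the resource is absent `getResourceAsStream` returns null and `load` fails with a NullPointerException, which is an opaque startup failure for the filter that gates authentication; an `Objects.requireNonNull(in, "cadi.properties not found on classpath")` before `load` gives the operator a clear message. These lines are context in the hunk, not part of the change, so this is a follow-up rather than a defect introduced here.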
@@ -66,12 +61,5 @@ public class AafFilter extends OrderedRequestContextFilter {
}
}
- private void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
- String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER);
- AAIException aaie = new AAIException("AAI_3300");
- response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode());
- response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
- response.getWriter().flush();
- response.getWriter().close();
- }
+
}
diff --git a/aai-resources/src/main/java/org/onap/aai/config/aaf/FilterPriority.java b/aai-resources/src/main/java/org/onap/aai/config/aaf/FilterPriority.java
new file mode 100644
index 0000000..910db69
--- /dev/null
+++ b/aai-resources/src/main/java/org/onap/aai/config/aaf/FilterPriority.java
@@ -0,0 +1,35 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.springframework.core.Ordered;
+
+public enum FilterPriority {
+ AAF_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE),
+ AAF_AUTHORIZATION(Ordered.HIGHEST_PRECEDENCE + 1); //higher number = lower priority
+
+ private final int priority;
+
+ FilterPriority(final int p) {
+ priority = p;
+ }
+
+ public int getPriority() { return priority; }
+}
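Review bot: FilterPriority has no Javadoc, and the trailing `//higher number = lower priority` on the AAF_AUTHORIZATION constant is the only hint at why the two values are pinned relative to each other. The authorization filter's `isUserInRole` check presumably only sees a principal once AafFilter (the CADI wrapper) has run, so that invariant belongs on the enum, e.g. `/** Servlet filter order for the AAF filters. Authentication must run before authorization because the authorization check relies on the principal established by the CADI filter; a higher number means the filter runs later. */`. The one-line `public int getPriority() { return priority; }` could also follow the braced multi-line style used by the rest of the file.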
diff --git a/aai-resources/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java b/aai-resources/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
new file mode 100644
index 0000000..9e09827
--- /dev/null
+++ b/aai-resources/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.onap.aai.exceptions.AAIException;
+import org.onap.aai.logging.ErrorLogHelper;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.MediaType;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+
+class ResponseFormatter {
+
+ private static final String ACCEPT_HEADER = "accept";
+
+ static void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER);
+ AAIException aaie = new AAIException("AAI_3300");
+ response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode());
+ response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
+ response.getWriter().flush();
+ response.getWriter().close();
+ }
+
+}
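Review bot: In errorResponse, `MediaType.valueOf(accept)` is applied to the raw Accept header of a request that has just been rejected; a header that is not a single well-formed media type (an Accept list such as `application/json, text/plain;q=0.9`, or arbitrary text) makes `MediaType.valueOf` throw IllegalArgumentException, so the denial becomes an unhandled exception out of the filter instead of the intended error body — I believe the JAX-RS `valueOf` parses exactly one media type, confirm against the implementation in use. The header is also read twice; read it once and fall back to XML when it cannot be parsed. ResponseFormatter is additionally a utility class without a private constructor.
```java
static void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String accept = request.getHeader(ACCEPT_HEADER);
    MediaType mediaType;
    try {
        mediaType = accept == null ? MediaType.APPLICATION_XML_TYPE : MediaType.valueOf(accept);
    } catch (IllegalArgumentException e) {
        // Unparseable Accept header on a rejected request: answer in XML rather than fail the filter.
        mediaType = MediaType.APPLICATION_XML_TYPE;
    }
    AAIException aaie = new AAIException("AAI_3300");
    response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode());
    response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(mediaType), aaie, new ArrayList<>()));
    // … unchanged: flush and close the writer …
}
```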
diff --git a/aai-resources/src/main/resources/aaf/permissions.properties b/aai-resources/src/main/resources/aaf/permissions.properties
new file mode 100644
index 0000000..4234121
--- /dev/null
+++ b/aai-resources/src/main/resources/aaf/permissions.properties
@@ -0,0 +1,2 @@
+permission.type=org.onap.aai.resources
+permission.instance=* \ No newline at end of file