Using new OwnerCheck implementation

- Bump up aai-common version

Issue-ID: AAI-3226
Signed-off-by: Mohammad Hosnidokht <mohammad.hosnidokht@yoppworks.com>
Change-Id: I7c74bf65a8a8218d172d865b19fb672a1b87e988

6 files changed, 30 insertions, 15 deletions

diff --git a/aai-resources/pom.xml b/aai-resources/pom.xml
index de6eaa4..b710d5e 100644
--- a/aai-resources/pom.xml
+++ b/aai-resources/pom.xml
@@ -28,7 +28,7 @@
     <parent>
         <groupId>org.onap.aai.resources</groupId>
         <artifactId>resources</artifactId>
-        <version>1.8.0-SNAPSHOT</version>
+        <version>1.8.1-SNAPSHOT</version>
     </parent>
     <properties>
         <java.version>1.8</java.version>
diff --git a/aai-resources/src/main/java/org/onap/aai/rest/LegacyMoxyConsumer.java b/aai-resources/src/main/java/org/onap/aai/rest/LegacyMoxyConsumer.java
index 4f7049d..d22252a 100644
--- a/aai-resources/src/main/java/org/onap/aai/rest/LegacyMoxyConsumer.java
+++ b/aai-resources/src/main/java/org/onap/aai/rest/LegacyMoxyConsumer.java
@@ -20,7 +20,7 @@
 package org.onap.aai.rest;
 
 import io.swagger.jaxrs.PATCH;
-import java.security.Principal;
+import org.apache.commons.lang3.ObjectUtils;
 import org.javatuples.Pair;
 import org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount;
 import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
@@ -29,6 +29,7 @@ import org.onap.aai.config.SpringContextAware;
 import org.onap.aai.exceptions.AAIException;
 import org.onap.aai.introspection.Introspector;
 import org.onap.aai.introspection.Loader;
+import org.onap.aai.introspection.sideeffect.OwnerCheck;
 import org.onap.aai.parsers.query.QueryParser;
 import org.onap.aai.rest.db.DBRequest;
 import org.onap.aai.rest.db.HttpEntry;
@@ -48,6 +49,7 @@ import javax.ws.rs.*;
 import javax.ws.rs.core.*;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
+import java.security.Principal;
 import java.util.*;
 import java.util.stream.Collectors;
 
@@ -75,7 +77,7 @@ public class LegacyMoxyConsumer extends RESTAPI {
 	@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 	@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 	public Response update (String content, @PathParam("version")String versionParam, @PathParam("uri") @Encoded String uri, @Context HttpHeaders headers, @Context UriInfo info, @Context HttpServletRequest req) {
-      Set<String> roles = getRoles(req.getUserPrincipal());
+      Set<String> roles = getRoles(req.getUserPrincipal(), req.getMethod());
       MediaType mediaType = headers.getMediaType();
 		return this.handleWrites(mediaType, HttpMethod.PUT, content, versionParam, uri, headers, info, roles);
 	}
@@ -166,7 +168,7 @@ public class LegacyMoxyConsumer extends RESTAPI {
 	@Consumes({ "application/merge-patch+json" })
 	@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 	public Response patch (String content, @PathParam("version")String versionParam, @PathParam("uri") @Encoded String uri, @Context HttpHeaders headers, @Context UriInfo info, @Context HttpServletRequest req) {
-      Set<String> roles = getRoles(req.getUserPrincipal());
+      Set<String> roles = getRoles(req.getUserPrincipal(), req.getMethod());
 		MediaType mediaType = MediaType.APPLICATION_JSON_TYPE;
 		return this.handleWrites(mediaType, HttpMethod.MERGE_PATCH, content, versionParam, uri, headers, info, roles);
 
@@ -190,7 +192,7 @@ public class LegacyMoxyConsumer extends RESTAPI {
 	@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 	@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 	public Response getLegacy (String content, @DefaultValue("-1") @QueryParam("resultIndex") String resultIndex, @DefaultValue("-1") @QueryParam("resultSize") String resultSize, @PathParam("version")String versionParam, @PathParam("uri") @Encoded String uri, @DefaultValue("all") @QueryParam("depth") String depthParam, @DefaultValue("false") @QueryParam("cleanup") String cleanUp, @Context HttpHeaders headers, @Context UriInfo info, @Context HttpServletRequest req) {
-      Set<String> roles = getRoles(req.getUserPrincipal());
+      Set<String> roles = getRoles(req.getUserPrincipal(), req.getMethod());
 
       return runner(AAIConstants.AAI_CRUD_TIMEOUT_ENABLED,
 				AAIConstants.AAI_CRUD_TIMEOUT_APP,
@@ -667,16 +669,31 @@ public class LegacyMoxyConsumer extends RESTAPI {
 		return "{}".equals(obj.marshal(false));
 	}
 
-    private Set<String> getRoles(Principal userPrincipal) {
+    private Set<String> getRoles(Principal userPrincipal, String method) {
         KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) userPrincipal;
-        if (token == null) {
+        if (ObjectUtils.isEmpty(token)) {
             return Collections.EMPTY_SET;
         }
         SimpleKeycloakAccount account = (SimpleKeycloakAccount) token.getDetails();
-        if (account == null) {
+        if (ObjectUtils.isEmpty(account)) {
             return Collections.EMPTY_SET;
         }
+        // When the request is not a GET, we need to exclude ReadOnly access roles
+        if (isNotGetRequest(method)) {
+			return getExcludedReadOnlyAccessRoles(account);
+		}
         return account.getRoles();
     }
+
+	private Set<String> getExcludedReadOnlyAccessRoles(SimpleKeycloakAccount account) {
+		return account.getRoles()
+				.stream()
+				.filter(role -> !role.endsWith(OwnerCheck.READ_ONLY_SUFFIX))
+				.collect(Collectors.toSet());
+	}
+
+	private boolean isNotGetRequest(String method) {
+		return !Action.GET.name().equalsIgnoreCase(method);
+	}
 }
 
diff --git a/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java b/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
index 2b67c40..127a490 100644
--- a/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
+++ b/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
@@ -72,8 +72,6 @@ public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
         super.configure(http);
         http.authorizeRequests()
             .antMatchers("/**")
-            .hasAnyRole("admin")
-            .anyRequest()
             .permitAll().and().csrf().disable();
     }
 
diff --git a/aai-resources/src/main/resources/application-keycloak.properties b/aai-resources/src/main/resources/application-keycloak.properties
index c787d0b..d398256 100644
--- a/aai-resources/src/main/resources/application-keycloak.properties
+++ b/aai-resources/src/main/resources/application-keycloak.properties
@@ -3,7 +3,7 @@ spring.autoconfigure.exclude=\
   org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
   org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
 
-
+multi.tenancy.enabled=true
 keycloak.auth-server-url=http://localhost:8180/auth
 keycloak.realm=aai-resources
 keycloak.resource=aai-resources-app
diff --git a/pom.xml b/pom.xml
index 20ab910..2c49f8b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -26,11 +26,11 @@
     <parent>
         <groupId>org.onap.aai.aai-common</groupId>
         <artifactId>aai-parent</artifactId>
-        <version>1.7.2</version>
+        <version>1.8.1</version>
     </parent>
     <groupId>org.onap.aai.resources</groupId>
     <artifactId>resources</artifactId>
-    <version>1.8.0-SNAPSHOT</version>
+    <version>1.8.1-SNAPSHOT</version>
     <name>aai-resources</name>
     <packaging>pom</packaging>
     <modules>
@@ -48,7 +48,7 @@
         <staging.path>/content/repositories/staging/</staging.path>
         <!-- GMaven plugin uses this property to figure out the name of the docker tag -->
         <aai.project.version>${project.version}</aai.project.version>
-        <aai.common.version>1.7.2</aai.common.version>
+        <aai.common.version>1.8.1</aai.common.version>
         <aai.schema.service.version>1.7.9</aai.schema.service.version>
     </properties>
     <build>
diff --git a/version.properties b/version.properties
index 5403b8c..b40cc93 100644
--- a/version.properties
+++ b/version.properties
@@ -5,7 +5,7 @@
 
 major_version=1
 minor_version=8
-patch_version=0
+patch_version=1
 
 base_version=${major_version}.${minor_version}.${patch_version}