-rw-r--r-- | aai-resources/pom.xml | 2 | ||||
-rw-r--r-- | aai-resources/src/main/java/org/onap/aai/rest/LegacyMoxyConsumer.java | 31 | ||||
-rw-r--r-- | aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java | 2 | ||||
-rw-r--r-- | aai-resources/src/main/resources/application-keycloak.properties | 2 | ||||
-rw-r--r-- | pom.xml | 6 | ||||
-rw-r--r-- | version.properties | 2 |
6 files changed, 30 insertions, 15 deletions
diff --git a/aai-resources/pom.xml b/aai-resources/pom.xml
index de6eaa4..b710d5e 100644
--- a/aai-resources/pom.xml
+++ b/aai-resources/pom.xml
@@ -28,7 +28,7 @@
 <parent>
 <groupId>org.onap.aai.resources</groupId>
 <artifactId>resources</artifactId>
- <version>1.8.0-SNAPSHOT</version>
+ <version>1.8.1-SNAPSHOT</version>
 </parent>
 <properties>
 <java.version>1.8</java.version>
diff --git a/aai-resources/src/main/java/org/onap/aai/rest/LegacyMoxyConsumer.java b/aai-resources/src/main/java/org/onap/aai/rest/LegacyMoxyConsumer.java
index 4f7049d..d22252a 100644
--- a/aai-resources/src/main/java/org/onap/aai/rest/LegacyMoxyConsumer.java
+++ b/aai-resources/src/main/java/org/onap/aai/rest/LegacyMoxyConsumer.java
@@ -20,7 +20,7 @@ package org.onap.aai.rest;
 import io.swagger.jaxrs.PATCH;
-import java.security.Principal;
+import org.apache.commons.lang3.ObjectUtils;
 import org.javatuples.Pair;
 import org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount;
 import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
@@ -29,6 +29,7 @@ import org.onap.aai.config.SpringContextAware;
 import org.onap.aai.exceptions.AAIException;
 import org.onap.aai.introspection.Introspector;
 import org.onap.aai.introspection.Loader;
+import org.onap.aai.introspection.sideeffect.OwnerCheck;
 import org.onap.aai.parsers.query.QueryParser;
 import org.onap.aai.rest.db.DBRequest;
 import org.onap.aai.rest.db.HttpEntry;
@@ -48,6 +49,7 @@ import javax.ws.rs.*;
 import javax.ws.rs.core.*;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
+import java.security.Principal;
 import java.util.*;
 import java.util.stream.Collectors;
@@ -75,7 +77,7 @@ public class LegacyMoxyConsumer extends RESTAPI {
 @Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 public Response update (String content, @PathParam("version")String versionParam, @PathParam("uri") @Encoded String uri, @Context HttpHeaders headers, @Context UriInfo info, @Context HttpServletRequest req) {
- Set<String> roles = getRoles(req.getUserPrincipal());
+ Set<String> roles = getRoles(req.getUserPrincipal(), req.getMethod());
 MediaType mediaType = headers.getMediaType();
 return this.handleWrites(mediaType, HttpMethod.PUT, content, versionParam, uri, headers, info, roles);
 }
@@ -166,7 +168,7 @@ public class LegacyMoxyConsumer extends RESTAPI {
 @Consumes({ "application/merge-patch+json" })
 @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 public Response patch (String content, @PathParam("version")String versionParam, @PathParam("uri") @Encoded String uri, @Context HttpHeaders headers, @Context UriInfo info, @Context HttpServletRequest req) {
- Set<String> roles = getRoles(req.getUserPrincipal());
+ Set<String> roles = getRoles(req.getUserPrincipal(), req.getMethod());
 MediaType mediaType = MediaType.APPLICATION_JSON_TYPE;
 return this.handleWrites(mediaType, HttpMethod.MERGE_PATCH, content, versionParam, uri, headers, info, roles);
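Review bot: `getRoles(req.getUserPrincipal(), req.getMethod())` re-derives the verb from the servlet request inside a handler that already knows it is a write (the same method passes `HttpMethod.PUT` to handleWrites two lines later), so the read-only-role filter now depends on the servlet method string agreeing with the JAX-RS dispatch rather than on the handler's own intent. Passing the handler's known action, or a boolean such as `isWrite`, would keep a single source of truth; the same applies to the patch hunk on this line and to getLegacy in the next hunk. If `req.getMethod()` is kept, a one-line comment at the call site, e.g. `// method is used only to decide whether read-only roles are stripped`, would tell the next reader why the verb is threaded through.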
@@ -190,7 +192,7 @@ public class LegacyMoxyConsumer extends RESTAPI {
 @Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
 public Response getLegacy (String content, @DefaultValue("-1") @QueryParam("resultIndex") String resultIndex, @DefaultValue("-1") @QueryParam("resultSize") String resultSize, @PathParam("version")String versionParam, @PathParam("uri") @Encoded String uri, @DefaultValue("all") @QueryParam("depth") String depthParam, @DefaultValue("false") @QueryParam("cleanup") String cleanUp, @Context HttpHeaders headers, @Context UriInfo info, @Context HttpServletRequest req) {
- Set<String> roles = getRoles(req.getUserPrincipal());
+ Set<String> roles = getRoles(req.getUserPrincipal(), req.getMethod());
 return runner(AAIConstants.AAI_CRUD_TIMEOUT_ENABLED, AAIConstants.AAI_CRUD_TIMEOUT_APP,
@@ -667,16 +669,31 @@ public class LegacyMoxyConsumer extends RESTAPI {
 return "{}".equals(obj.marshal(false));
 }
- private Set<String> getRoles(Principal userPrincipal) {
+ private Set<String> getRoles(Principal userPrincipal, String method) {
 KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) userPrincipal;
- if (token == null) {
+ if (ObjectUtils.isEmpty(token)) {
 return Collections.EMPTY_SET;
 }
 SimpleKeycloakAccount account = (SimpleKeycloakAccount) token.getDetails();
- if (account == null) {
+ if (ObjectUtils.isEmpty(account)) {
 return Collections.EMPTY_SET;
 }
+ // When the request is not a GET, we need to exclude ReadOnly access roles
+ if (isNotGetRequest(method)) {
+ return getExcludedReadOnlyAccessRoles(account);
+ }
 return account.getRoles();
 }
+
+ private Set<String> getExcludedReadOnlyAccessRoles(SimpleKeycloakAccount account) {
+ return account.getRoles()
+ .stream()
+ .filter(role -> !role.endsWith(OwnerCheck.READ_ONLY_SUFFIX))
+ .collect(Collectors.toSet());
+ }
+
+ private boolean isNotGetRequest(String method) {
+ return !Action.GET.name().equalsIgnoreCase(method);
+ }
 }
diff --git a/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java b/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
index 2b67c40..127a490 100644
--- a/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
+++ b/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
@@ -72,8 +72,6 @@ public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
 super.configure(http);
 http.authorizeRequests()
 .antMatchers("/**")
- .hasAnyRole("admin")
- .anyRequest()
 .permitAll().and().csrf().disable();
 }
diff --git a/aai-resources/src/main/resources/application-keycloak.properties b/aai-resources/src/main/resources/application-keycloak.properties
index c787d0b..d398256 100644
--- a/aai-resources/src/main/resources/application-keycloak.properties
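Review bot: `ObjectUtils.isEmpty(token)` and `ObjectUtils.isEmpty(account)` reduce to plain null checks for these types (isEmpty only inspects strings, arrays, collections, maps and optionals), so replacing `token == null` adds a commons-lang3 dependency to this class without adding any check; the explicit `== null` or `Objects.isNull` reads more honestly. `Collections.EMPTY_SET` is the raw-typed constant and yields an unchecked `Set` rather than `Set<String>`; `Collections.emptySet()` infers the element type and should be used at both return sites. The new suffix filter in getExcludedReadOnlyAccessRoles drops every role ending in `OwnerCheck.READ_ONLY_SUFFIX` for any non-GET verb, which is fail-closed for read-only principals, but getRoles still answers an empty set rather than failing when the request carries no Keycloak token, so whether an unauthenticated write is refused depends entirely on how callers of handleWrites treat an empty role set, which is not visible here. A Javadoc on getRoles pinning that contract would help, e.g. `/** Roles of the Keycloak principal, without read-only roles when the request is not a GET; empty when the request has no Keycloak authentication — confirm callers reject an empty set rather than treating it as unrestricted. */`.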
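Review bot: Removing `.hasAnyRole("admin")` and `.anyRequest()` leaves `.antMatchers("/**").permitAll()` as the only authorization rule, so at the Spring Security layer every path is now reachable without an authenticated principal, and the resource handlers then see a null principal and compute an empty role set (getRoles in LegacyMoxyConsumer, changed in this same commit). Unless the downstream owner check refuses an empty role set, this widens access from admin-only to anonymous rather than delegating authorization to the data layer; `.authenticated()` in place of `.permitAll()` would keep unauthenticated requests out of the chain while still leaving role evaluation to the owner check. If anonymous access at the filter level is intended for this profile, say so next to the rule, e.g. `// authorization is enforced per request by OwnerCheck, not by the filter chain`. The enclosing configure method starts outside the hunk.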
+++ b/aai-resources/src/main/resources/application-keycloak.properties
@@ -3,7 +3,7 @@ spring.autoconfigure.exclude=\
 org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
 org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
-
+multi.tenancy.enabled=true
 keycloak.auth-server-url=http://localhost:8180/auth
 keycloak.realm=aai-resources
 keycloak.resource=aai-resources-app
@@ -26,11 +26,11 @@
 <parent>
 <groupId>org.onap.aai.aai-common</groupId>
 <artifactId>aai-parent</artifactId>
- <version>1.7.2</version>
+ <version>1.8.1</version>
 </parent>
 <groupId>org.onap.aai.resources</groupId>
 <artifactId>resources</artifactId>
- <version>1.8.0-SNAPSHOT</version>
+ <version>1.8.1-SNAPSHOT</version>
 <name>aai-resources</name>
 <packaging>pom</packaging>
 <modules>
@@ -48,7 +48,7 @@
 <staging.path>/content/repositories/staging/</staging.path>
 <!-- GMaven plugin uses this property to figure out the name of the docker tag -->
 <aai.project.version>${project.version}</aai.project.version>
- <aai.common.version>1.7.2</aai.common.version>
+ <aai.common.version>1.8.1</aai.common.version>
 <aai.schema.service.version>1.7.9</aai.schema.service.version>
 </properties>
 <build>
diff --git a/version.properties b/version.properties
index 5403b8c..b40cc93 100644
--- a/version.properties
+++ b/version.properties
@@ -5,7 +5,7 @@ major_version=1
 minor_version=8
-patch_version=0
+patch_version=1
 base_version=${major_version}.${minor_version}.${patch_version} |