summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPavel Paroulek <pavel.paroulek@orange.com>2018-10-26 15:49:22 +0200
committerPavel Paroulek <pavel.paroulek@orange.com>2018-10-26 15:49:22 +0200
commit01f888fbcffb8b113b8e921f04182e3b7d129811 (patch)
treea3dfae73fccd635cf47422d7f49ca63b6640ad76
parent530f8ee2e901e36e27b481c9319f0551ceaae5a0 (diff)
Changing interpretation of role1.3.1
Letting users with advanced roles run non-gremlin queries. Adding logging. Change-Id: Ib584d2442c167d71983c974260d6db3c60989f78 Issue-ID: AAI-1762 Signed-off-by: Pavel Paroulek <pavel.paroulek@orange.com>
-rw-r--r--aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java23
-rw-r--r--aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java5
2 files changed, 24 insertions, 4 deletions
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
index af5f399..9382946 100644
--- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
@@ -19,6 +19,8 @@
*/
package org.onap.aai.config.aaf;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
import org.apache.commons.io.IOUtils;
import org.onap.aai.Profiles;
import org.springframework.beans.factory.annotation.Value;
@@ -43,6 +45,8 @@ import java.nio.charset.StandardCharsets;
@PropertySource("file:${server.local.startpath}/aaf/permissions.properties")
public class AafAuthorizationFilter extends OrderedRequestContextFilter {
+ private static final EELFLogger logger = EELFManager.getInstance().getLogger(AafAuthorizationFilter.class.getName());
+
private static final String ADVANCED = "advanced";
private static final String BASIC = "basic";
private static final String ECHO_ENDPOINT = "^.*/util/echo$";
@@ -68,11 +72,22 @@ public class AafAuthorizationFilter extends OrderedRequestContextFilter {
String payload = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.name());
boolean containsWordGremlin = payload.contains("\"gremlin\"");
- //if the request contains the word "gremlin" it's an advanced query
- String queryType = containsWordGremlin ? ADVANCED : BASIC;
- String permission = String.format("%s|%s|%s", type, instance, queryType);
- if(!request.isUserInRole(permission)){
+ //if the request contains the word "gremlin" it's an "advanced" query needing an "advanced" role
+ String permissionBasic = String.format("%s|%s|%s", type, instance, ADVANCED);
+ String permissionAdvanced = String.format("%s|%s|%s", type, instance, BASIC);
+
+ boolean isAuthorized;
+
+ if(containsWordGremlin){
+ isAuthorized = request.isUserInRole(permissionAdvanced);
+ }else{
+ isAuthorized = request.isUserInRole(permissionAdvanced) || request.isUserInRole(permissionBasic);
+ }
+
+ if(!isAuthorized){
+ String name = request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "unknown";
+ logger.info("User " + name + " does not have a role for " + (containsWordGremlin ? "gremlin" : "non-gremlin") + " query" );
response.setStatus(403);
}else{
filterChain.doFilter(request,response);
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
index 4a20fe8..51e0c17 100644
--- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
@@ -19,6 +19,8 @@
*/
package org.onap.aai.config.aaf;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
import org.onap.aaf.cadi.PropAccess;
import org.onap.aaf.cadi.filter.CadiFilter;
import org.onap.aai.Profiles;
@@ -44,6 +46,8 @@ import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
@Profile(Profiles.AAF_AUTHENTICATION)
public class AafFilter extends OrderedRequestContextFilter {
+ private static final EELFLogger log = EELFManager.getInstance().getLogger(AafFilter.class.getName());
+
private final CadiFilter cadiFilter;
public AafFilter() throws IOException, ServletException {
@@ -58,6 +62,7 @@ public class AafFilter extends OrderedRequestContextFilter {
if(!request.getRequestURI().matches("^.*/util/echo$")) {
cadiFilter.doFilter(request, response, filterChain);
if (response.getStatus() == 401 || response.getStatus() == 403) {
+ log.info("User does not have permissions to run the query" );
errorResponse(request, response);
}
}