diff options
author | Pavel Paroulek <pavel.paroulek@orange.com> | 2018-10-26 15:49:22 +0200 |
---|---|---|
committer | Pavel Paroulek <pavel.paroulek@orange.com> | 2018-10-26 15:49:22 +0200 |
commit | 01f888fbcffb8b113b8e921f04182e3b7d129811 (patch) | |
tree | a3dfae73fccd635cf47422d7f49ca63b6640ad76 | |
parent | 530f8ee2e901e36e27b481c9319f0551ceaae5a0 (diff) |
Changing interpretation of role1.3.1
Letting users with advanced roles run non-gremlin queries. Adding logging.
Change-Id: Ib584d2442c167d71983c974260d6db3c60989f78
Issue-ID: AAI-1762
Signed-off-by: Pavel Paroulek <pavel.paroulek@orange.com>
-rw-r--r-- | aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java | 23 | ||||
-rw-r--r-- | aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java | 5 |
2 files changed, 24 insertions, 4 deletions
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java index af5f399..9382946 100644 --- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java +++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java @@ -19,6 +19,8 @@ */ package org.onap.aai.config.aaf; +import com.att.eelf.configuration.EELFLogger; +import com.att.eelf.configuration.EELFManager; import org.apache.commons.io.IOUtils; import org.onap.aai.Profiles; import org.springframework.beans.factory.annotation.Value; @@ -43,6 +45,8 @@ import java.nio.charset.StandardCharsets; @PropertySource("file:${server.local.startpath}/aaf/permissions.properties") public class AafAuthorizationFilter extends OrderedRequestContextFilter { + private static final EELFLogger logger = EELFManager.getInstance().getLogger(AafAuthorizationFilter.class.getName()); + private static final String ADVANCED = "advanced"; private static final String BASIC = "basic"; private static final String ECHO_ENDPOINT = "^.*/util/echo$"; @@ -68,11 +72,22 @@ public class AafAuthorizationFilter extends OrderedRequestContextFilter { String payload = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.name()); boolean containsWordGremlin = payload.contains("\"gremlin\""); - //if the request contains the word "gremlin" it's an advanced query - String queryType = containsWordGremlin ? ADVANCED : BASIC; - String permission = String.format("%s|%s|%s", type, instance, queryType); - if(!request.isUserInRole(permission)){ + //if the request contains the word "gremlin" it's an "advanced" query needing an "advanced" role + String permissionBasic = String.format("%s|%s|%s", type, instance, ADVANCED); + String permissionAdvanced = String.format("%s|%s|%s", type, instance, BASIC); + + boolean isAuthorized; + + if(containsWordGremlin){ + isAuthorized = request.isUserInRole(permissionAdvanced); + }else{ + isAuthorized = request.isUserInRole(permissionAdvanced) || request.isUserInRole(permissionBasic); + } + + if(!isAuthorized){ + String name = request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "unknown"; + logger.info("User " + name + " does not have a role for " + (containsWordGremlin ? "gremlin" : "non-gremlin") + " query" ); response.setStatus(403); }else{ filterChain.doFilter(request,response); diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java index 4a20fe8..51e0c17 100644 --- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java +++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java @@ -19,6 +19,8 @@ */ package org.onap.aai.config.aaf; +import com.att.eelf.configuration.EELFLogger; +import com.att.eelf.configuration.EELFManager; import org.onap.aaf.cadi.PropAccess; import org.onap.aaf.cadi.filter.CadiFilter; import org.onap.aai.Profiles; @@ -44,6 +46,8 @@ import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse; @Profile(Profiles.AAF_AUTHENTICATION) public class AafFilter extends OrderedRequestContextFilter { + private static final EELFLogger log = EELFManager.getInstance().getLogger(AafFilter.class.getName()); + private final CadiFilter cadiFilter; public AafFilter() throws IOException, ServletException { @@ -58,6 +62,7 @@ public class AafFilter extends OrderedRequestContextFilter { if(!request.getRequestURI().matches("^.*/util/echo$")) { cadiFilter.doFilter(request, response, filterChain); if (response.getStatus() == 401 || response.getStatus() == 403) { + log.info("User does not have permissions to run the query" ); errorResponse(request, response); } } |