author | Pavel Paroulek <pavel.paroulek@orange.com> | 2018-09-05 16:44:17 +0200 |
---|---|---|
committer | Pavel Paroulek <pavel.paroulek@orange.com> | 2018-09-05 16:44:17 +0200 |
commit | d5435943f5662dcd1affed6b54c99b48ffcd4f77 (patch) | |
tree | 92c6d15bd2ffe05f5d7b58ef8cc415fa2194c30e | |
parent | fa7573e7121cc92257bc02b438185668a07399a5 (diff) |
Adding AAF authorization filter
Adding an AAF authorization filter. Authorization checks a preconfigured permission org.onap.aai.traversal
Change-Id: I3459e08449f4caae187fbe31d3e7a245da06857a
Issue-ID: AAI-32
Signed-off-by: Pavel Paroulek <pavel.paroulek@orange.com>
-rw-r--r-- | aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java | 73 | ||||
-rw-r--r-- | aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java (renamed from aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java) | 28 | ||||
-rw-r--r-- | aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java | 35 | ||||
-rw-r--r-- | aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java | 45 | ||||
-rw-r--r-- | aai-traversal/src/main/resources/aaf/permissions.properties | 2 |
5 files changed, 163 insertions, 20 deletions
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
new file mode 100644
index 0000000..4191b06
--- /dev/null
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
@@ -0,0 +1,73 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.onap.aai.Profiles;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.filter.OrderedRequestContextFilter;
+import org.springframework.context.annotation.Profile;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.stream.Collectors;
+
+import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
+
+/**
+ * AAF authorization filter
+ */
+
+@Component
+@Profile(Profiles.AAF_AUTHENTICATION)
+@PropertySource("file:${server.local.startpath}/aaf/permissions.properties")
+public class AafAuthorizationFilter extends OrderedRequestContextFilter {
+
+ private static final String ADVANCED = 
"advanced";
+ private static final String BASIC = "basic";
+
+ @Value("${permission.type}")
+ String type;
+
+ @Value("${permission.instance}")
+ String instance;
+
+ public AafAuthorizationFilter() {
+ this.setOrder(FilterPriority.AAF_AUTHORIZATION.getPriority());
+ }
+
+ @Override
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+ boolean containsWordGremlin = request.getReader().lines().collect(Collectors.joining(System.lineSeparator())).contains("\"gremlin\"");
+ //if the request contains the word "gremlin" it's an advanced query
+ String queryType = containsWordGremlin ? ADVANCED : BASIC;
+ String permission = String.format("%s|%s|%s", type, instance, queryType);
+
+ if(!request.isUserInRole(permission)){
+ errorResponse(request, response);
+ }else{
+ filterChain.doFilter(request,response);
+ }
+ }
+}
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
index d0c070f..ff86119 100644
--- a/aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
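Review bot: `request.getReader().lines()` in doFilterInternal drains the request body before `filterChain.doFilter(request, response)` is called, so whatever handles the request downstream finds the reader at end-of-stream (and `getInputStream()` then throws IllegalStateException because `getReader()` was already used), which breaks every request with a body that this filter lets through. The body should be buffered into a byte array and the chain invoked with an `HttpServletRequestWrapper` whose `getInputStream()`/`getReader()` replay that array, or the advanced/basic decision should be taken from the request path rather than the body. A raw substring match on `"gremlin"` is also a weak classifier: if the downstream JSON parser accepts escaped keys such as `"\u0067remlin"` or other quoting, such a request would be checked against the weaker basic permission while still running as a gremlin query — worth confirming against the parser. The read is unbounded as well, so the whole body sits in memory before authorization has been decided.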
@@ -17,61 +17,49 @@
 * limitations under the License.
 * ============LICENSE_END=========================================================
 */
-package org.onap.aai.config;
+package org.onap.aai.config.aaf;
 import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.filter.CadiFilter;
 import org.onap.aai.Profiles;
 import org.onap.aai.TraversalApp;
-import org.onap.aai.exceptions.AAIException;
-import org.onap.aai.logging.ErrorLogHelper;
+import org.springframework.boot.web.filter.OrderedRequestContextFilter;
 import org.springframework.context.annotation.Profile;
-import org.springframework.core.annotation.Order;
 import org.springframework.stereotype.Component;
-import org.springframework.web.filter.OncePerRequestFilter;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.core.MediaType;
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collections;
 import java.util.Properties;
+import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
+
 /**
 * AAF authentication filter
 */
-@Order(1)
 @Component
 @Profile(Profiles.AAF_AUTHENTICATION)
-public class AafFilter extends OncePerRequestFilter {
+public class AafFilter extends OrderedRequestContextFilter {
- private static final String ACCEPT_HEADER = "accept";
 private final CadiFilter cadiFilter;
 public AafFilter() throws IOException, ServletException {
 Properties cadiProperties = new Properties();
 cadiProperties.load(TraversalApp.class.getClassLoader().getResourceAsStream("cadi.properties"));
 cadiFilter = new CadiFilter(new PropAccess(cadiProperties));
+ this.setOrder(FilterPriority.AAF_AUTHENTICATION.getPriority());
 }
 @Override
 protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
 cadiFilter.doFilter(request, response, filterChain);
 if(response.getStatus() 
>=400 && response.getStatus() < 500){
- errorResponse(request, response);
+ errorResponse(request, response);
 }
 }
- private void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
- String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER);
- AAIException aaie = new AAIException("AAI_3300");
- response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode());
- response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
- response.getWriter().flush();
- response.getWriter().close();
- }
+
 }
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java
new file mode 100644
index 0000000..910db69
--- /dev/null
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java
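Review bot: The `response.getStatus() >= 400 && response.getStatus() < 500` check in AafFilter.doFilterInternal runs only after the whole chain has executed, so any 4xx the application itself produces after a successful authentication (a 404 or 400 from a controller) is rewritten into the AAI_3300 authentication error, and when CadiFilter has already committed its own 401 response the `errorResponse` call writes onto a committed response, where `setStatus` is ignored and the writer call may throw. Narrowing the condition to the CADI outcomes and guarding on commit state avoids both: `int status = response.getStatus();` / `if (!response.isCommitted() && (status == HttpServletResponse.SC_UNAUTHORIZED || status == HttpServletResponse.SC_FORBIDDEN)) {`. Whether CadiFilter commits the response before returning, and whether it emits 403 as well as 401, should be confirmed against the CADI version in use. The filter also still rewrites any status CADI sets for reasons other than authentication, which this commit does not address.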
@@ -0,0 +1,35 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.springframework.core.Ordered;
+
+public enum FilterPriority {
+ AAF_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE),
+ AAF_AUTHORIZATION(Ordered.HIGHEST_PRECEDENCE + 1); //higher number = lower priority
+
+ private final int priority;
+
+ FilterPriority(final int p) {
+ priority = p;
+ }
+
+ public int getPriority() { return priority; }
+}
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
new file mode 100644
index 0000000..9e09827
--- /dev/null
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.onap.aai.exceptions.AAIException;
+import org.onap.aai.logging.ErrorLogHelper;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.MediaType;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+
+class ResponseFormatter {
+
+ private static final String ACCEPT_HEADER = "accept";
+
+ static void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ String accept = request.getHeader(ACCEPT_HEADER) == null ? 
MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER);
+ AAIException aaie = new AAIException("AAI_3300");
+ response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode());
+ response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
+ response.getWriter().flush();
+ response.getWriter().close();
+ }
+
+}
diff --git a/aai-traversal/src/main/resources/aaf/permissions.properties b/aai-traversal/src/main/resources/aaf/permissions.properties
new file mode 100644
index 0000000..d4956f5
--- /dev/null
+++ b/aai-traversal/src/main/resources/aaf/permissions.properties
@@ -0,0 +1,2 @@
+permission.type=org.onap.aai.traversal
+permission.instance=*
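Review bot: `MediaType.valueOf(accept)` in ResponseFormatter.errorResponse is handed the raw client Accept header, and per the JAX-RS contract `valueOf` throws IllegalArgumentException when the string cannot be parsed as a single media type — which a browser's comma-separated list such as `text/html,application/xhtml+xml,*/*;q=0.8`, or any malformed value, typically cannot — so a rejected request carrying such a header escapes as an unhandled exception from the error path instead of the intended AAI_3300 response. Parse defensively and fall back to XML: `MediaType type;` / `try { type = MediaType.valueOf(accept.split(",")[0].trim()); } catch (IllegalArgumentException e) { type = MediaType.APPLICATION_XML_TYPE; }` and pass `Collections.singletonList(type)` to getRESTAPIErrorResponse. The same AAI_3300 error is now emitted both for the authentication failure in AafFilter and for the missing permission in AafAuthorizationFilter; if its HTTP status is one fixed code, clients cannot tell 401 from 403, which is worth checking against the error definition.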
\ No newline at end of file |