summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java40
-rw-r--r--aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java7
-rw-r--r--aai-traversal/src/main/java/org/onap/aai/config/aaf/PayloadBufferingRequestWrapper.java49
-rw-r--r--aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java11
-rw-r--r--aai-traversal/src/main/resources/aaf/org.onap.aai.props2
-rw-r--r--aai-traversal/src/main/resources/logback.xml1
6 files changed, 93 insertions, 17 deletions
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
index a64d3e5..9382946 100644
--- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
@@ -19,6 +19,9 @@
*/
package org.onap.aai.config.aaf;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+import org.apache.commons.io.IOUtils;
import org.onap.aai.Profiles;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.filter.OrderedRequestContextFilter;
@@ -31,9 +34,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
-import java.util.stream.Collectors;
-
-import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
+import java.nio.charset.StandardCharsets;
/**
* AAF authorization filter
@@ -44,8 +45,11 @@ import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
@PropertySource("file:${server.local.startpath}/aaf/permissions.properties")
public class AafAuthorizationFilter extends OrderedRequestContextFilter {
+ private static final EELFLogger logger = EELFManager.getInstance().getLogger(AafAuthorizationFilter.class.getName());
+
private static final String ADVANCED = "advanced";
private static final String BASIC = "basic";
+ private static final String ECHO_ENDPOINT = "^.*/util/echo$";
@Value("${permission.type}")
String type;
@@ -58,19 +62,33 @@ public class AafAuthorizationFilter extends OrderedRequestContextFilter {
}
@Override
- protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+ protected void doFilterInternal(HttpServletRequest req, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
- if(request.getRequestURI().matches("^.*/util/echo$")){
+ PayloadBufferingRequestWrapper request = new PayloadBufferingRequestWrapper(req);
+
+ if(request.getRequestURI().matches(ECHO_ENDPOINT)){
filterChain.doFilter(request, response);
}
- boolean containsWordGremlin = request.getReader().lines().collect(Collectors.joining(System.lineSeparator())).contains("\"gremlin\"");
- //if the request contains the word "gremlin" it's an advanced query
- String queryType = containsWordGremlin ? ADVANCED : BASIC;
- String permission = String.format("%s|%s|%s", type, instance, queryType);
+ String payload = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.name());
+ boolean containsWordGremlin = payload.contains("\"gremlin\"");
+
+ //if the request contains the word "gremlin" it's an "advanced" query needing an "advanced" role
+ String permissionBasic = String.format("%s|%s|%s", type, instance, ADVANCED);
+ String permissionAdvanced = String.format("%s|%s|%s", type, instance, BASIC);
+
+ boolean isAuthorized;
+
+ if(containsWordGremlin){
+ isAuthorized = request.isUserInRole(permissionAdvanced);
+ }else{
+ isAuthorized = request.isUserInRole(permissionAdvanced) || request.isUserInRole(permissionBasic);
+ }
- if(!request.isUserInRole(permission)){
- errorResponse(request, response);
+ if(!isAuthorized){
+ String name = request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "unknown";
+ logger.info("User " + name + " does not have a role for " + (containsWordGremlin ? "gremlin" : "non-gremlin") + " query" );
+ response.setStatus(403);
}else{
filterChain.doFilter(request,response);
}
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
index 6295c8e..51e0c17 100644
--- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
@@ -19,6 +19,8 @@
*/
package org.onap.aai.config.aaf;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
import org.onap.aaf.cadi.PropAccess;
import org.onap.aaf.cadi.filter.CadiFilter;
import org.onap.aai.Profiles;
@@ -44,6 +46,8 @@ import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
@Profile(Profiles.AAF_AUTHENTICATION)
public class AafFilter extends OrderedRequestContextFilter {
+ private static final EELFLogger log = EELFManager.getInstance().getLogger(AafFilter.class.getName());
+
private final CadiFilter cadiFilter;
public AafFilter() throws IOException, ServletException {
@@ -57,7 +61,8 @@ public class AafFilter extends OrderedRequestContextFilter {
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
if(!request.getRequestURI().matches("^.*/util/echo$")) {
cadiFilter.doFilter(request, response, filterChain);
- if (response.getStatus() >= 400 && response.getStatus() < 500) {
+ if (response.getStatus() == 401 || response.getStatus() == 403) {
+ log.info("User does not have permissions to run the query" );
errorResponse(request, response);
}
}
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/PayloadBufferingRequestWrapper.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/PayloadBufferingRequestWrapper.java
new file mode 100644
index 0000000..ea0260c
--- /dev/null
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/PayloadBufferingRequestWrapper.java
@@ -0,0 +1,49 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.apache.commons.io.IOUtils;
+import org.onap.aaf.cadi.BufferedServletInputStream;
+
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import java.io.*;
+
+/**
+ * This class buffers the payload of the servlet request. The reason is that we access the payload multiple times,
+ * which is not supported by the request per se.
+ */
+
+class PayloadBufferingRequestWrapper extends HttpServletRequestWrapper {
+
+ private byte[] buffer;
+
+ PayloadBufferingRequestWrapper(HttpServletRequest req) throws IOException {
+ super(req);
+ this.buffer = IOUtils.toByteArray(req.getInputStream());
+ }
+
+ @Override
+ public ServletInputStream getInputStream() {
+ ByteArrayInputStream bais = new ByteArrayInputStream(this.buffer);
+ return new BufferedServletInputStream(bais);
+ }
+}
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
index 9e09827..0fc64bc 100644
--- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
@@ -34,12 +34,15 @@ class ResponseFormatter {
private static final String ACCEPT_HEADER = "accept";
static void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ if (response.isCommitted()){
+ return;
+ }
+
String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER);
AAIException aaie = new AAIException("AAI_3300");
response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode());
- response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
- response.getWriter().flush();
- response.getWriter().close();
+ response.resetBuffer();
+ response.getOutputStream().print(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
+ response.flushBuffer();
}
-
}
diff --git a/aai-traversal/src/main/resources/aaf/org.onap.aai.props b/aai-traversal/src/main/resources/aaf/org.onap.aai.props
index b981493..f9a0789 100644
--- a/aai-traversal/src/main/resources/aaf/org.onap.aai.props
+++ b/aai-traversal/src/main/resources/aaf/org.onap.aai.props
@@ -10,5 +10,5 @@ cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5
cadi_alias=aai@aai.onap.org
cadi_truststore=aai-traversal/src/main/resources/aaf/truststoreONAPall.jks
cadi_truststore_password=enc:s77wlnZFoQ08NhnU3OSeWO6uKgRwC6sAK-wTvVubNz2
-cadi_loglevel=INFO
+cadi_loglevel=DEBUG
cadi_bath_convert=aai-traversal/src/main/resources/aaf/bath_config.csv
diff --git a/aai-traversal/src/main/resources/logback.xml b/aai-traversal/src/main/resources/logback.xml
index 7947f8f..3a6dae4 100644
--- a/aai-traversal/src/main/resources/logback.xml
+++ b/aai-traversal/src/main/resources/logback.xml
@@ -281,6 +281,7 @@
<logger name="org.apache.commons" level="WARN" />
<logger name="org.apache.coyote" level="WARN" />
<logger name="org.apache.jasper" level="WARN" />
+ <logger name="org.onap.aaf" level="DEBUG" />
<!-- Camel Related Loggers (including restlet/servlet/jaxrs/cxf logging.
May aid in troubleshooting) -->