6 files changed, 93 insertions, 17 deletions
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
index a64d3e5..9382946 100644
--- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
@@ -19,6 +19,9 @@
  */
 package org.onap.aai.config.aaf;
 
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+import org.apache.commons.io.IOUtils;
 import org.onap.aai.Profiles;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.web.filter.OrderedRequestContextFilter;
@@ -31,9 +34,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.stream.Collectors;
-
-import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
+import java.nio.charset.StandardCharsets;
 
 /**
  * AAF authorization filter
@@ -44,8 +45,11 @@ import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
 @PropertySource("file:${server.local.startpath}/aaf/permissions.properties")
 public class AafAuthorizationFilter extends OrderedRequestContextFilter {
 
+    private static final EELFLogger logger = EELFManager.getInstance().getLogger(AafAuthorizationFilter.class.getName());
+
     private static final String ADVANCED = "advanced";
     private static final String BASIC = "basic";
+    private static final String ECHO_ENDPOINT = "^.*/util/echo$";
 
     @Value("${permission.type}")
     String type;
@@ -58,19 +62,33 @@ public class AafAuthorizationFilter extends OrderedRequestContextFilter {
     }
 
     @Override
-    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
 
-        if(request.getRequestURI().matches("^.*/util/echo$")){
+        PayloadBufferingRequestWrapper request = new PayloadBufferingRequestWrapper(req);
+
+        if(request.getRequestURI().matches(ECHO_ENDPOINT)){
             filterChain.doFilter(request, response);
         }
 
-        boolean containsWordGremlin = request.getReader().lines().collect(Collectors.joining(System.lineSeparator())).contains("\"gremlin\"");
-        //if the request contains the word "gremlin" it's an advanced query
-        String queryType = containsWordGremlin ? ADVANCED : BASIC;
-        String permission = String.format("%s|%s|%s", type, instance, queryType);
+        String payload = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.name());
+        boolean containsWordGremlin = payload.contains("\"gremlin\"");
+
+        //if the request contains the word "gremlin" it's an "advanced" query needing an "advanced" role
+        String permissionBasic = String.format("%s|%s|%s", type, instance, ADVANCED);
+        String permissionAdvanced = String.format("%s|%s|%s", type, instance, BASIC);
+
+        boolean isAuthorized;
+
+        if(containsWordGremlin){
+            isAuthorized = request.isUserInRole(permissionAdvanced);
+        }else{
+            isAuthorized = request.isUserInRole(permissionAdvanced) || request.isUserInRole(permissionBasic);
+        }
 
-        if(!request.isUserInRole(permission)){
-            errorResponse(request, response);
+        if(!isAuthorized){
+            String name = request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "unknown";
+            logger.info("User " + name + " does not have a role for " + (containsWordGremlin ? "gremlin" : "non-gremlin") + " query" );
+            response.setStatus(403);
         }else{
             filterChain.doFilter(request,response);
         }
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
index 6295c8e..51e0c17 100644
--- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
@@ -19,6 +19,8 @@
  */
 package org.onap.aai.config.aaf;
 
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
 import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.filter.CadiFilter;
 import org.onap.aai.Profiles;
@@ -44,6 +46,8 @@ import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
 @Profile(Profiles.AAF_AUTHENTICATION)
 public class AafFilter extends OrderedRequestContextFilter {
 
+    private static final EELFLogger log = EELFManager.getInstance().getLogger(AafFilter.class.getName());
+
     private final CadiFilter cadiFilter;
 
     public AafFilter() throws IOException, ServletException {
@@ -57,7 +61,8 @@ public class AafFilter extends OrderedRequestContextFilter {
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
         if(!request.getRequestURI().matches("^.*/util/echo$")) {
             cadiFilter.doFilter(request, response, filterChain);
-            if (response.getStatus() >= 400 && response.getStatus() < 500) {
+            if (response.getStatus() == 401 || response.getStatus() == 403) {
+                log.info("User does not have permissions to run the query" );
                 errorResponse(request, response);
             }
         }
     }
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/PayloadBufferingRequestWrapper.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/PayloadBufferingRequestWrapper.java
new file mode 100644
index 0000000..ea0260c
--- /dev/null
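Review bot: The two role strings are assigned to the wrong names: `permissionBasic` is built with `ADVANCED` and `permissionAdvanced` with `BASIC`, so a gremlin payload is authorized by the `…|basic` role while a principal holding only the `…|advanced` role is rejected, the opposite of what the comment above them states. Swap the suffixes: `String permissionBasic = String.format("%s|%s|%s", type, instance, BASIC);` and `String permissionAdvanced = String.format("%s|%s|%s", type, instance, ADVANCED);`. The echo branch still falls through after `filterChain.doFilter(request, response)`: with no `return;` the body is read and the role check runs on a request the chain has already handled, either invoking the chain a second time or setting 403 on a response that may already be committed. A test asserting that a basic-only principal is denied a payload containing `"gremlin"` would have caught the swap, since it is invisible to the compiler.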
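Review bot: The new `log.info("User does not have permissions to run the query" )` in AafFilter is emitted for both 401 and 403, but a 401 from `cadiFilter.doFilter` means the request was not authenticated at all rather than that an authenticated user lacked a role, so the message misleads whoever triages authentication failures from the logs. Include the status and URI so the two cases can be told apart, e.g. `log.info("CADI rejected request to " + request.getRequestURI() + " with status " + response.getStatus());`.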
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/PayloadBufferingRequestWrapper.java 
@@ -0,0 +1,49 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.apache.commons.io.IOUtils;
+import org.onap.aaf.cadi.BufferedServletInputStream;
+
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import java.io.*;
+
+/**
+ * This class buffers the payload of the servlet request. The reason is that we access the payload multiple times,
+ * which is not supported by the request per se.
+ */
+
+class PayloadBufferingRequestWrapper extends HttpServletRequestWrapper {
+
+    private byte[] buffer;
+
+    PayloadBufferingRequestWrapper(HttpServletRequest req) throws IOException {
+        super(req);
+        this.buffer = IOUtils.toByteArray(req.getInputStream());
+    }
+
+    @Override
+    public ServletInputStream getInputStream() {
+        ByteArrayInputStream bais = new ByteArrayInputStream(this.buffer);
+        return new BufferedServletInputStream(bais);
+    }
+}
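Review bot: The wrapper overrides `getInputStream()` but not `getReader()`, so any downstream code that reads the body through `getReader()` is delegated to the original request, whose stream the constructor has already drained with `IOUtils.toByteArray(req.getInputStream())`. Override `getReader()` to build a reader over the buffered copy, honouring the request's declared character encoding. The constructor also buffers the entire body in memory for every request passing through the filter with no upper bound; wrapping the stream in `org.apache.commons.io.input.BoundedInputStream` with a configured limit would keep an oversized body from exhausting heap before authorization is even decided. `buffer` is assigned once and should be `private final byte[] buffer;`.
```java
// … unchanged: constructor and getInputStream() …

@Override
public BufferedReader getReader() throws IOException {
    String enc = getCharacterEncoding() != null ? getCharacterEncoding() : "UTF-8";
    return new BufferedReader(new InputStreamReader(getInputStream(), enc));
}
```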
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
index 9e09827..0fc64bc 100644
--- a/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
@@ -34,12 +34,15 @@ class ResponseFormatter {
     private static final String ACCEPT_HEADER = "accept";
 
     static void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        if (response.isCommitted()){
+            return;
+        }
+
         String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER);
         AAIException aaie = new AAIException("AAI_3300");
         response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode());
-        response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
-        response.getWriter().flush();
-        response.getWriter().close();
+        response.resetBuffer();
+        response.getOutputStream().print(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
+        response.flushBuffer();
     }
-
 }
diff --git a/aai-traversal/src/main/resources/aaf/org.onap.aai.props b/aai-traversal/src/main/resources/aaf/org.onap.aai.props
index b981493..f9a0789 100644
--- a/aai-traversal/src/main/resources/aaf/org.onap.aai.props
+++ b/aai-traversal/src/main/resources/aaf/org.onap.aai.props
@@ -10,5 +10,5 @@ cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5
 cadi_alias=aai@aai.onap.org
 cadi_truststore=aai-traversal/src/main/resources/aaf/truststoreONAPall.jks
 cadi_truststore_password=enc:s77wlnZFoQ08NhnU3OSeWO6uKgRwC6sAK-wTvVubNz2
-cadi_loglevel=INFO
+cadi_loglevel=DEBUG
 cadi_bath_convert=aai-traversal/src/main/resources/aaf/bath_config.csv
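Review bot: `MediaType.valueOf(accept)` is still handed the raw `Accept` header, and a multi-valued or malformed value (a constructed example: `application/json, text/plain;q=0.9`) can make it throw `IllegalArgumentException`, turning an authorization rejection into an unhandled exception thrown from inside the error path; parse the header defensively and fall back to `MediaType.APPLICATION_XML` when it is not a single valid media type. The error body written via `response.getOutputStream().print(...)` is also sent without a `Content-Type`, so clients cannot tell whether the body is XML or JSON; add `response.setContentType(accept);` (with the resolved type) before the write. The new `isCommitted()` early return is correct, but it leaves whatever status and partial body the upstream filter already flushed, which is worth a one-line comment so the next reader does not expect the AAI_3300 body in that case.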
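Review bot: `cadi_loglevel=DEBUG` becomes the committed default for the authentication library in org.onap.aai.props, and debug output from an auth framework tends to be verbose and may include request header and credential-handling details that then sit in logs readable by anyone with log access. Keep the committed value at `cadi_loglevel=INFO` and raise it only through a local or troubleshooting override, or add a comment in the file stating why DEBUG is intended for this deployment and when it is to be reverted.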
diff --git a/aai-traversal/src/main/resources/logback.xml b/aai-traversal/src/main/resources/logback.xml
index 7947f8f..3a6dae4 100644
--- a/aai-traversal/src/main/resources/logback.xml
+++ b/aai-traversal/src/main/resources/logback.xml
@@ -281,6 +281,7 @@
     <logger name="org.apache.commons" level="WARN" />
     <logger name="org.apache.coyote" level="WARN" />
     <logger name="org.apache.jasper" level="WARN" />
+    <logger name="org.onap.aaf" level="DEBUG" />
     <!-- Camel Related Loggers (including restlet/servlet/jaxrs/cxf logging. May aid in troubleshooting) --> |