diff options
Diffstat (limited to 'aai-traversal')
4 files changed, 33 insertions, 188 deletions
diff --git a/aai-traversal/pom.xml b/aai-traversal/pom.xml index 3a74bca..ae9a333 100644 --- a/aai-traversal/pom.xml +++ b/aai-traversal/pom.xml @@ -28,7 +28,7 @@ <parent> <groupId>org.onap.aai.traversal</groupId> <artifactId>traversal</artifactId> - <version>1.7.0-SNAPSHOT</version> + <version>1.7.1-SNAPSHOT</version> </parent> <groupId>org.onap.aai.traversal</groupId> <artifactId>aai-traversal</artifactId> @@ -535,6 +535,10 @@ <artifactId>aai-core</artifactId> <exclusions> <exclusion> + <groupId>org.onap.aai.aai-common</groupId> + <artifactId>aai-aaf-auth</artifactId> + </exclusion> + <exclusion> <groupId>com.sun.jersey</groupId> <artifactId>jersey-core</artifactId> </exclusion> @@ -580,6 +584,12 @@ <dependency> <groupId>org.onap.aai.aai-common</groupId> <artifactId>aai-rest</artifactId> + <exclusions> + <exclusion> + <groupId>org.onap.aai.aai-common</groupId> + <artifactId>aai-aaf-auth</artifactId> + </exclusion> + </exclusions> </dependency> <dependency> <groupId>org.skyscreamer</groupId> diff --git a/aai-traversal/src/main/java/org/onap/aai/interceptors/pre/TwoWaySslAuthorization.java b/aai-traversal/src/main/java/org/onap/aai/interceptors/pre/TwoWaySslAuthorization.java deleted file mode 100644 index 58c7be6..0000000 --- a/aai-traversal/src/main/java/org/onap/aai/interceptors/pre/TwoWaySslAuthorization.java +++ /dev/null @@ -1,185 +0,0 @@ -/** - * ============LICENSE_START======================================================= - * org.onap.aai - * ================================================================================ - * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ -package org.onap.aai.interceptors.pre; - -import org.onap.aai.aaf.auth.AAIAuthCore; -import org.onap.aai.exceptions.AAIException; -import org.onap.aai.interceptors.AAIContainerFilter; -import org.onap.aai.interceptors.AAIHeaderProperties; -import org.onap.aai.logging.ErrorLogHelper; -import org.onap.aai.restcore.HttpMethod; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.Profile; - -import javax.annotation.Priority; -import javax.security.auth.x500.X500Principal; -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.container.ContainerRequestContext; -import javax.ws.rs.container.ContainerRequestFilter; -import javax.ws.rs.container.PreMatching; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.Response; -import java.security.cert.X509Certificate; -import java.util.*; -import java.util.stream.Collectors; - -@PreMatching -@Priority(AAIRequestFilterPriority.AUTHORIZATION) -@Profile("two-way-ssl") -public class TwoWaySslAuthorization extends AAIContainerFilter implements ContainerRequestFilter { - - @Autowired - private HttpServletRequest httpServletRequest; - - @Autowired - private AAIAuthCore aaiAuthCore; - - @Override - public void filter(ContainerRequestContext requestContext) { - - Optional<Response> oResp; - - String uri = requestContext.getUriInfo().getAbsolutePath().getPath(); - String httpMethod = getHttpMethod(requestContext); - - List<MediaType> acceptHeaderValues = requestContext.getAcceptableMediaTypes(); - - Optional<String> authUser = getUser(this.httpServletRequest); - - if (authUser.isPresent()) { - oResp = this.authorize(uri, httpMethod, acceptHeaderValues, authUser.get(), - this.getHaProxyUser(this.httpServletRequest), getCertIssuer(this.httpServletRequest)); - if (oResp.isPresent()) { - requestContext.abortWith(oResp.get()); - return; - } - } else { - AAIException aaie = new AAIException("AAI_9107"); - requestContext - .abortWith(Response - .status(aaie.getErrorObject().getHTTPResponseCode()).entity(ErrorLogHelper - .getRESTAPIErrorResponseWithLogging(acceptHeaderValues, aaie, new ArrayList<>())) - .build()); - } - - } - - private String getCertIssuer(HttpServletRequest hsr) { - String issuer = hsr.getHeader("X-AAI-SSL-Issuer"); - if (issuer != null && !issuer.isEmpty()) { - // the haproxy header replaces the ', ' with '/' and reverses on the '/' need to undo that. - List<String> broken = Arrays.asList(issuer.split("/")); - broken = broken.stream().filter(s -> !s.isEmpty()).collect(Collectors.toList()); - Collections.reverse(broken); - issuer = String.join(", ", broken); - } else { - if (hsr.getAttribute("javax.servlet.request.cipher_suite") != null) { - X509Certificate[] certChain = (X509Certificate[]) hsr.getAttribute("javax.servlet.request.X509Certificate"); - if (certChain != null && certChain.length > 0) { - X509Certificate clientCert = certChain[0]; - issuer = clientCert.getIssuerX500Principal().getName(); - } - } - } - return issuer; - } - - private String getHttpMethod(ContainerRequestContext requestContext) { - String httpMethod = requestContext.getMethod(); - if ("POST".equalsIgnoreCase(httpMethod) - && "PATCH".equals(requestContext.getHeaderString(AAIHeaderProperties.HTTP_METHOD_OVERRIDE))) { - httpMethod = HttpMethod.MERGE_PATCH.toString(); - } - if (httpMethod.equalsIgnoreCase(HttpMethod.MERGE_PATCH.toString()) || "patch".equalsIgnoreCase(httpMethod)) { - httpMethod = HttpMethod.PUT.toString(); - } - return httpMethod; - } - - private Optional<String> getUser(HttpServletRequest hsr) { - String authUser = null; - if (hsr.getAttribute("javax.servlet.request.cipher_suite") != null) { - X509Certificate[] certChain = (X509Certificate[]) hsr.getAttribute("javax.servlet.request.X509Certificate"); - - /* - * If the certificate is null or the certificate chain length is zero Then - * retrieve the authorization in the request header Authorization Check that it - * is not null and that it starts with Basic and then strip the basic portion to - * get the base64 credentials Check if this is contained in the AAIBasicAuth - * Singleton class If it is, retrieve the username associated with that - * credentials and set to authUser Otherwise, get the principal from certificate - * and use that authUser - */ - - if (certChain == null || certChain.length == 0) { - - String authorization = hsr.getHeader("Authorization"); - - if (authorization != null && authorization.startsWith("Basic ")) { - authUser = authorization.replace("Basic ", ""); - } - - } else { - X509Certificate clientCert = certChain[0]; - X500Principal subjectDN = clientCert.getSubjectX500Principal(); - authUser = subjectDN.toString().toLowerCase(); - } - } - - return Optional.ofNullable(authUser); - } - - private String getHaProxyUser(HttpServletRequest hsr) { - String haProxyUser; - if (Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-CN")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-OU")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-O")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-L")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-ST")) - || Objects.isNull(hsr.getHeader("X-AAI-SSL-Client-C"))) { - haProxyUser = ""; - } else { - haProxyUser = String.format("CN=%s, OU=%s, O=\"%s\", L=%s, ST=%s, C=%s", - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-CN"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-OU"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-O"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-L"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-ST"), ""), - Objects.toString(hsr.getHeader("X-AAI-SSL-Client-C"), "")).toLowerCase(); - } - return haProxyUser; - } - - private Optional<Response> authorize(String uri, String httpMethod, List<MediaType> acceptHeaderValues, - String authUser, String haProxyUser, String issuer) { - Response response = null; - try { - if (!aaiAuthCore.authorize(authUser, uri, httpMethod, haProxyUser, issuer)) { - throw new AAIException("AAI_9101", "Request on " + httpMethod + " " + uri + " status is not OK"); - } - } catch (AAIException e) { - response = Response.status(e.getErrorObject().getHTTPResponseCode()) - .entity(ErrorLogHelper.getRESTAPIErrorResponseWithLogging(acceptHeaderValues, e, new ArrayList<>())) - .build(); - } - return Optional.ofNullable(response); - } - -} diff --git a/aai-traversal/src/main/java/org/onap/aai/rest/search/LocalCQConfig.java b/aai-traversal/src/main/java/org/onap/aai/rest/search/LocalCQConfig.java index 52957d4..42d88af 100644 --- a/aai-traversal/src/main/java/org/onap/aai/rest/search/LocalCQConfig.java +++ b/aai-traversal/src/main/java/org/onap/aai/rest/search/LocalCQConfig.java @@ -24,7 +24,6 @@ import org.onap.aai.logging.ErrorLogHelper; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.att.eelf.configuration.EELFManager; -import org.onap.aai.aaf.auth.FileWatcher; import org.onap.aai.logging.LogFormatTools; import org.onap.aai.util.AAIConstants; import org.springframework.beans.factory.annotation.Value; @@ -89,4 +88,25 @@ public class LocalCQConfig extends CQConfig { } + abstract class FileWatcher extends TimerTask { + private long timeStamp; + private File file; + + public FileWatcher(File file) { + this.file = file; + this.timeStamp = file.lastModified(); + } + + public final void run() { + long timeStamp = this.file.lastModified(); + if (timeStamp - this.timeStamp > 500L) { + this.timeStamp = timeStamp; + this.onChange(this.file); + } + + } + + protected abstract void onChange(File var1); + } + } diff --git a/aai-traversal/src/main/resources/application.properties b/aai-traversal/src/main/resources/application.properties index a538a58..49c0489 100644 --- a/aai-traversal/src/main/resources/application.properties +++ b/aai-traversal/src/main/resources/application.properties @@ -35,7 +35,7 @@ server.ssl.client-auth=want server.ssl.key-store-type=JKS # Start of Internal Specific Properties -spring.profiles.active=production,one-way-ssl +spring.profiles.active=production,aaf-auth ### server.certs.location=${server.local.startpath}etc/auth/ server.keystore.name.pkcs12=aai_keystore |