From b427536834654c1a2e8677496657276e7b6f5ec0 Mon Sep 17 00:00:00 2001 From: "Kajur, Harish (vk250x)" Date: Wed, 11 Apr 2018 00:14:14 -0400 Subject: Fix the basic auth issue which got broken with spring boot Issue-ID: AAI-1020 Change-Id: If99add1e401284c505bfebccfe82a94694da1a4b Signed-off-by: Kajur, Harish (vk250x) --- .../src/main/java/org/onap/aai/TraversalApp.java | 1 + .../interceptors/pre/OneWaySslAuthorization.java | 76 +++++++++++++++ .../org/onap/aai/service/AuthorizationService.java | 106 +++++++++++++++++++++ .../src/main/resources/etc/auth/realm.properties | 12 +++ aai-traversal/src/main/resources/realm.properties | 12 --- .../java/org/onap/aai/AAIGremlinQueryTest.java | 8 +- 6 files changed, 199 insertions(+), 16 deletions(-) create mode 100644 aai-traversal/src/main/java/org/onap/aai/interceptors/pre/OneWaySslAuthorization.java create mode 100644 aai-traversal/src/main/java/org/onap/aai/service/AuthorizationService.java create mode 100644 aai-traversal/src/main/resources/etc/auth/realm.properties delete mode 100644 aai-traversal/src/main/resources/realm.properties diff --git a/aai-traversal/src/main/java/org/onap/aai/TraversalApp.java b/aai-traversal/src/main/java/org/onap/aai/TraversalApp.java index 2740439..6fdf3b0 100644 --- a/aai-traversal/src/main/java/org/onap/aai/TraversalApp.java +++ b/aai-traversal/src/main/java/org/onap/aai/TraversalApp.java @@ -50,6 +50,7 @@ import java.util.UUID; "org.onap.aai.config", "org.onap.aai.web", "org.onap.aai.tasks", + "org.onap.aai.service", "org.onap.aai.rest", "com.att.ajsc.common" }) diff --git a/aai-traversal/src/main/java/org/onap/aai/interceptors/pre/OneWaySslAuthorization.java b/aai-traversal/src/main/java/org/onap/aai/interceptors/pre/OneWaySslAuthorization.java new file mode 100644 index 0000000..8fe2d6e --- /dev/null +++ b/aai-traversal/src/main/java/org/onap/aai/interceptors/pre/OneWaySslAuthorization.java @@ -0,0 +1,76 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.interceptors.pre; + +import org.onap.aai.exceptions.AAIException; +import org.onap.aai.interceptors.AAIContainerFilter; +import org.onap.aai.logging.ErrorLogHelper; +import org.onap.aai.service.AuthorizationService; +import org.springframework.beans.factory.annotation.Autowired; + +import javax.annotation.Priority; +import javax.ws.rs.container.ContainerRequestContext; +import javax.ws.rs.container.ContainerRequestFilter; +import javax.ws.rs.container.PreMatching; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; +import java.util.Optional; + +@PreMatching +@Priority(AAIRequestFilterPriority.AUTHORIZATION) +public class OneWaySslAuthorization extends AAIContainerFilter implements ContainerRequestFilter { + + @Autowired + private AuthorizationService authorizationService; + + @Override + public void filter(ContainerRequestContext containerRequestContext) throws IOException + { + + String basicAuth = containerRequestContext.getHeaderString("Authorization"); + List acceptHeaderValues = containerRequestContext.getAcceptableMediaTypes(); + + if(basicAuth == null || !basicAuth.startsWith("Basic ")){ + Optional responseOptional = errorResponse("AAI_3300", acceptHeaderValues); + containerRequestContext.abortWith(responseOptional.get()); + return; + } + + basicAuth = basicAuth.replaceAll("Basic ", ""); + + if(!authorizationService.checkIfUserAuthorized(basicAuth)){ + Optional responseOptional = errorResponse("AAI_3300", acceptHeaderValues); + containerRequestContext.abortWith(responseOptional.get()); + return; + } + + } + + private Optional errorResponse(String errorCode, List acceptHeaderValues) { + AAIException aaie = new AAIException(errorCode); + return Optional.of(Response.status(aaie.getErrorObject().getHTTPResponseCode()) + .entity(ErrorLogHelper.getRESTAPIErrorResponse(acceptHeaderValues, aaie, new ArrayList<>())) + .build()); + + } +} diff --git a/aai-traversal/src/main/java/org/onap/aai/service/AuthorizationService.java b/aai-traversal/src/main/java/org/onap/aai/service/AuthorizationService.java new file mode 100644 index 0000000..616bb9c --- /dev/null +++ b/aai-traversal/src/main/java/org/onap/aai/service/AuthorizationService.java @@ -0,0 +1,106 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.service; + +import com.att.eelf.configuration.EELFLogger; +import com.att.eelf.configuration.EELFManager; +import org.eclipse.jetty.util.security.Password; +import org.onap.aai.util.AAIConstants; +import org.springframework.stereotype.Service; + +import javax.annotation.PostConstruct; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.util.Base64; +import java.util.HashMap; +import java.util.Map; +import java.util.stream.Stream; + +@Service +public class AuthorizationService { + + private static final EELFLogger logger = EELFManager.getInstance().getLogger(AuthorizationService.class); + + private final Map authorizedUsers = new HashMap<>(); + + private static final Base64.Encoder ENCODER = Base64.getEncoder(); + + @PostConstruct + public void init(){ + + String basicAuthFile = getBasicAuthFilePath(); + + try(Stream stream = Files.lines(Paths.get(basicAuthFile))){ + stream.filter(line -> !line.startsWith("#")).forEach(str -> { + byte [] bytes = null; + + String usernamePassword = null; + String accessType = null; + + try { + String [] userAccessType = str.split(","); + + if(userAccessType == null || userAccessType.length != 2){ + throw new RuntimeException("Please check the realm.properties file as it is not conforming to the basic auth"); + } + + usernamePassword = userAccessType[0]; + accessType = userAccessType[1]; + + String[] usernamePasswordArray = usernamePassword.split(":"); + + if(usernamePasswordArray == null || usernamePasswordArray.length != 3){ + throw new RuntimeException("Not a valid entry for the realm.properties entry: " + usernamePassword); + } + + String username = usernamePasswordArray[0]; + String password = null; + + if(str.contains("OBF:")){ + password = usernamePasswordArray[1] + ":" + usernamePasswordArray[2]; + password = Password.deobfuscate(password); + } + + bytes = ENCODER.encode((username + ":" + password).getBytes("UTF-8")); + + authorizedUsers.put(new String(bytes), accessType); + + } catch (UnsupportedEncodingException e) + { + logger.error("Unable to support the encoding of the file" + basicAuthFile); + } + + authorizedUsers.put(new String(ENCODER.encode(bytes)), accessType); + }); + } catch (IOException e) { + logger.error("IO Exception occurred during the reading of realm.properties", e); + } + } + + public boolean checkIfUserAuthorized(String authorization){ + return authorizedUsers.containsKey(authorization) && "admin".equals(authorizedUsers.get(authorization)); + } + + public String getBasicAuthFilePath(){ + return AAIConstants.AAI_HOME_ETC_AUTH + AAIConstants.AAI_FILESEP + "realm.properties"; + } +} diff --git a/aai-traversal/src/main/resources/etc/auth/realm.properties b/aai-traversal/src/main/resources/etc/auth/realm.properties new file mode 100644 index 0000000..fb692cc --- /dev/null +++ b/aai-traversal/src/main/resources/etc/auth/realm.properties @@ -0,0 +1,12 @@ +# format : username: password[,rolename ...] +# default username/password: AAI/AAI, MSO/MSO, ModelLoader/ModelLoader... +AAI:OBF:1gfr1ev31gg7,admin +MSO:OBF:1jzx1lz31k01,admin +SDNC:OBF:1itr1i0l1i151isv,admin +DCAE:OBF:1g8u1f9d1f991g8w,admin +POLICY:OBF:1mk61i171ima1im41i0j1mko,admin +ASDC:OBF:1f991j0u1j001f9d,admin +VID:OBF:1jm91i0v1jl9,admin +APPC:OBF:1f991ksf1ksf1f9d,admin +ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin +AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin diff --git a/aai-traversal/src/main/resources/realm.properties b/aai-traversal/src/main/resources/realm.properties deleted file mode 100644 index fb692cc..0000000 --- a/aai-traversal/src/main/resources/realm.properties +++ /dev/null @@ -1,12 +0,0 @@ -# format : username: password[,rolename ...] -# default username/password: AAI/AAI, MSO/MSO, ModelLoader/ModelLoader... -AAI:OBF:1gfr1ev31gg7,admin -MSO:OBF:1jzx1lz31k01,admin -SDNC:OBF:1itr1i0l1i151isv,admin -DCAE:OBF:1g8u1f9d1f991g8w,admin -POLICY:OBF:1mk61i171ima1im41i0j1mko,admin -ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin -ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin -AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin diff --git a/aai-traversal/src/test/java/org/onap/aai/AAIGremlinQueryTest.java b/aai-traversal/src/test/java/org/onap/aai/AAIGremlinQueryTest.java index 2a7f2c6..a2be3d0 100644 --- a/aai-traversal/src/test/java/org/onap/aai/AAIGremlinQueryTest.java +++ b/aai-traversal/src/test/java/org/onap/aai/AAIGremlinQueryTest.java @@ -38,10 +38,7 @@ import org.springframework.web.client.RestTemplate; import javax.ws.rs.core.Response; import java.io.UnsupportedEncodingException; -import java.util.Collections; -import java.util.HashMap; -import java.util.Map; -import java.util.UUID; +import java.util.*; import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.MatcherAssert.assertThat; @@ -105,6 +102,9 @@ public class AAIGremlinQueryTest { headers.add("X-FromAppId", "JUNIT"); headers.add("X-TransactionId", "JUNIT"); + String authorization = Base64.getEncoder().encodeToString("AAI:AAI".getBytes("UTF-8")); + headers.add("Authorization", "Basic " + authorization); + baseUrl = "https://localhost:" + randomPort; } -- cgit 1.2.3-korg