From d5435943f5662dcd1affed6b54c99b48ffcd4f77 Mon Sep 17 00:00:00 2001
From: Pavel Paroulek
Date: Wed, 5 Sep 2018 16:44:17 +0200
Subject: Adding AAF authorization filter
Adding a AAF authorization filter. Authorization checks a preconfigured permission org.onap.aai.traversal
Change-Id: I3459e08449f4caae187fbe31d3e7a245da06857a
Issue-ID: AAI-32
Signed-off-by: Pavel Paroulek
---
.../main/java/org/onap/aai/config/AafFilter.java | 77 ----------------------
.../aai/config/aaf/AafAuthorizationFilter.java | 73 ++++++++++++++++++++
.../java/org/onap/aai/config/aaf/AafFilter.java | 65 ++++++++++++++++++
.../org/onap/aai/config/aaf/FilterPriority.java | 35 ++++++++++
.../org/onap/aai/config/aaf/ResponseFormatter.java | 45 +++++++++++++
.../src/main/resources/aaf/permissions.properties | 2 +
6 files changed, 220 insertions(+), 77 deletions(-)
delete mode 100644 aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java
create mode 100644 aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
create mode 100644 aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
create mode 100644 aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java
create mode 100644 aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
create mode 100644 aai-traversal/src/main/resources/aaf/permissions.properties
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java
deleted file mode 100644
index d0c070f..0000000
--- a/aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * ============LICENSE_START=======================================================
- * org.onap.aai
- * ================================================================================
- * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-package org.onap.aai.config;
-
-import org.onap.aaf.cadi.PropAccess;
-import org.onap.aaf.cadi.filter.CadiFilter;
-import org.onap.aai.Profiles;
-import org.onap.aai.TraversalApp;
-import org.onap.aai.exceptions.AAIException;
-import org.onap.aai.logging.ErrorLogHelper;
-import org.springframework.context.annotation.Profile;
-import org.springframework.core.annotation.Order;
-import org.springframework.stereotype.Component;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.core.MediaType;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Properties;
-
-/**
- * AAF authentication filter
- */
-
-@Order(1)
-@Component
-@Profile(Profiles.AAF_AUTHENTICATION)
-public class AafFilter extends OncePerRequestFilter {
-
- private static final String ACCEPT_HEADER = "accept";
- private final CadiFilter cadiFilter;
-
- public AafFilter() throws IOException, ServletException {
- Properties cadiProperties = new Properties();
- cadiProperties.load(TraversalApp.class.getClassLoader().getResourceAsStream("cadi.properties"));
- cadiFilter = new CadiFilter(new PropAccess(cadiProperties));
- }
-
- @Override
- protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
- cadiFilter.doFilter(request, response, filterChain);
- if(response.getStatus() >=400 && response.getStatus() < 500){
- errorResponse(request, response);
- }
- }
-
- private void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
- String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER);
- AAIException aaie = new AAIException("AAI_3300");
- response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode());
- response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
- response.getWriter().flush();
- response.getWriter().close();
- }
-}
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
new file mode 100644
index 0000000..4191b06
--- /dev/null
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java
@@ -0,0 +1,73 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.onap.aai.Profiles;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.filter.OrderedRequestContextFilter;
+import org.springframework.context.annotation.Profile;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.stream.Collectors;
+
+import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
+
+/**
+ * AAF authorization filter
+ */
+
+@Component
+@Profile(Profiles.AAF_AUTHENTICATION)
+@PropertySource("file:${server.local.startpath}/aaf/permissions.properties")
+public class AafAuthorizationFilter extends OrderedRequestContextFilter {
+
+ private static final String ADVANCED = "advanced";
+ private static final String BASIC = "basic";
+
+ @Value("${permission.type}")
+ String type;
+
+ @Value("${permission.instance}")
+ String instance;
+
+ public AafAuthorizationFilter() {
+ this.setOrder(FilterPriority.AAF_AUTHORIZATION.getPriority());
+ }
+
+ @Override
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+ boolean containsWordGremlin = request.getReader().lines().collect(Collectors.joining(System.lineSeparator())).contains("\"gremlin\"");
+ //if the request contains the word "gremlin" it's an advanced query
+ String queryType = containsWordGremlin ? ADVANCED : BASIC;
+ String permission = String.format("%s|%s|%s", type, instance, queryType);
+
+ if(!request.isUserInRole(permission)){
+ errorResponse(request, response);
+ }else{
+ filterChain.doFilter(request,response);
+ }
+ }
+}
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
new file mode 100644
index 0000000..ff86119
--- /dev/null
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java
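Review bot: `doFilterInternal` drains the request body through `request.getReader()` to look for the `"gremlin"` literal, so when `filterChain.doFilter(request,response)` is reached the downstream servlet gets an exhausted reader and an empty body, and the reader is never closed. Classifying the query from a raw substring is also fragile as an authorization input: a body that merely mentions the key is treated as advanced, while an equivalently-encoded payload that lacks that exact byte sequence is treated as basic, so the `ADVANCED`/`BASIC` decision is better keyed on something stable such as the request path or the parsed payload. If the body must be inspected here, buffer it once, wrap the request in an `HttpServletRequestWrapper` whose `getReader()`/`getInputStream()` replay the buffer, and pass the wrapper down the chain. As a minor point, `type` and `instance` are package-private mutable fields; `private` is the usual choice for injected configuration.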
@@ -0,0 +1,65 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.filter.CadiFilter;
+import org.onap.aai.Profiles;
+import org.onap.aai.TraversalApp;
+import org.springframework.boot.web.filter.OrderedRequestContextFilter;
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Properties;
+
+import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse;
+
+/**
+ * AAF authentication filter
+ */
+
+@Component
+@Profile(Profiles.AAF_AUTHENTICATION)
+public class AafFilter extends OrderedRequestContextFilter {
+
+ private final CadiFilter cadiFilter;
+
+ public AafFilter() throws IOException, ServletException {
+ Properties cadiProperties = new Properties();
+ cadiProperties.load(TraversalApp.class.getClassLoader().getResourceAsStream("cadi.properties"));
+ cadiFilter = new CadiFilter(new PropAccess(cadiProperties));
+ this.setOrder(FilterPriority.AAF_AUTHENTICATION.getPriority());
+ }
+
+ @Override
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+ cadiFilter.doFilter(request, response, filterChain);
+ if(response.getStatus() >=400 && response.getStatus() < 500){
+ errorResponse(request, response);
+ }
+ }
+
+
+}
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java
new file mode 100644
index 0000000..910db69
--- /dev/null
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java
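Review bot: After `cadiFilter.doFilter(request, response, filterChain)` returns, a 4xx set further down the chain (a controller's 400 or 404) is indistinguishable from a CADI authentication failure, so `errorResponse` rewrites it as the AAF error and writes to a response that may already be committed. Checking `response.isCommitted()` before rewriting, or recording whether CADI actually invoked the chain (a small FilterChain wrapper that sets a flag), would keep downstream errors intact. In the constructor, `getResourceAsStream("cadi.properties")` returns null when the resource is missing, which surfaces as a NullPointerException from `load` rather than a clear startup error, and the stream is never closed; a null check plus `try (InputStream in = ...) { cadiProperties.load(in); }` addresses both.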
@@ -0,0 +1,35 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.springframework.core.Ordered;
+
+public enum FilterPriority {
+ AAF_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE),
+ AAF_AUTHORIZATION(Ordered.HIGHEST_PRECEDENCE + 1); //higher number = lower priority
+
+ private final int priority;
+
+ FilterPriority(final int p) {
+ priority = p;
+ }
+
+ public int getPriority() { return priority; }
+}
diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
new file mode 100644
index 0000000..9e09827
--- /dev/null
+++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.config.aaf;
+
+import org.onap.aai.exceptions.AAIException;
+import org.onap.aai.logging.ErrorLogHelper;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.MediaType;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+
+class ResponseFormatter {
+
+ private static final String ACCEPT_HEADER = "accept";
+
+ static void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER);
+ AAIException aaie = new AAIException("AAI_3300");
+ response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode());
+ response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>()));
+ response.getWriter().flush();
+ response.getWriter().close();
+ }
+
+}
diff --git a/aai-traversal/src/main/resources/aaf/permissions.properties b/aai-traversal/src/main/resources/aaf/permissions.properties
new file mode 100644
index 0000000..d4956f5
--- /dev/null
+++ b/aai-traversal/src/main/resources/aaf/permissions.properties
@@ -0,0 +1,2 @@
+permission.type=org.onap.aai.traversal
+permission.instance=*
\ No newline at end of file
-- cgit 1.2.3-korg
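Review bot: `MediaType.valueOf(accept)` in `errorResponse` parses the client-controlled `Accept` header, and a value it cannot parse (a malformed header, or a list with several types and quality parameters) throws `IllegalArgumentException`, so an authentication or authorization failure turns into an unhandled 500 instead of the intended error body. Parse defensively and fall back to XML as the null branch already does, e.g. `MediaType mediaType; try { mediaType = MediaType.valueOf(accept); } catch (IllegalArgumentException e) { mediaType = MediaType.APPLICATION_XML_TYPE; }`, then pass `mediaType` to `Collections.singletonList`. Both AafFilter and AafAuthorizationFilter in the earlier hunks route through this method, so one `AAI_3300` body is emitted for authentication and authorization failures alike; worth confirming that the two are meant to be indistinguishable to clients and in logs.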