From d5435943f5662dcd1affed6b54c99b48ffcd4f77 Mon Sep 17 00:00:00 2001 From: Pavel Paroulek Date: Wed, 5 Sep 2018 16:44:17 +0200 Subject: Adding AAF authorization filter Adding a AAF authorization filter. Authorization checks a preconfigured permission org.onap.aai.traversal Change-Id: I3459e08449f4caae187fbe31d3e7a245da06857a Issue-ID: AAI-32 Signed-off-by: Pavel Paroulek --- .../main/java/org/onap/aai/config/AafFilter.java | 77 ---------------------- .../aai/config/aaf/AafAuthorizationFilter.java | 73 ++++++++++++++++++++ .../java/org/onap/aai/config/aaf/AafFilter.java | 65 ++++++++++++++++++ .../org/onap/aai/config/aaf/FilterPriority.java | 35 ++++++++++ .../org/onap/aai/config/aaf/ResponseFormatter.java | 45 +++++++++++++ 5 files changed, 218 insertions(+), 77 deletions(-) delete mode 100644 aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java create mode 100644 aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java create mode 100644 aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java create mode 100644 aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java create mode 100644 aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java (limited to 'aai-traversal/src/main/java/org/onap') diff --git a/aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java deleted file mode 100644 index d0c070f..0000000 --- a/aai-traversal/src/main/java/org/onap/aai/config/AafFilter.java +++ /dev/null @@ -1,77 +0,0 @@ -/** - * ============LICENSE_START======================================================= - * org.onap.aai - * ================================================================================ - * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ -package org.onap.aai.config; - -import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.filter.CadiFilter; -import org.onap.aai.Profiles; -import org.onap.aai.TraversalApp; -import org.onap.aai.exceptions.AAIException; -import org.onap.aai.logging.ErrorLogHelper; -import org.springframework.context.annotation.Profile; -import org.springframework.core.annotation.Order; -import org.springframework.stereotype.Component; -import org.springframework.web.filter.OncePerRequestFilter; - -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.core.MediaType; -import java.io.IOException; -import java.util.ArrayList; -import java.util.Collections; -import java.util.Properties; - -/** - * AAF authentication filter - */ - -@Order(1) -@Component -@Profile(Profiles.AAF_AUTHENTICATION) -public class AafFilter extends OncePerRequestFilter { - - private static final String ACCEPT_HEADER = "accept"; - private final CadiFilter cadiFilter; - - public AafFilter() throws IOException, ServletException { - Properties cadiProperties = new Properties(); - cadiProperties.load(TraversalApp.class.getClassLoader().getResourceAsStream("cadi.properties")); - cadiFilter = new CadiFilter(new PropAccess(cadiProperties)); - } - - @Override - protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { - cadiFilter.doFilter(request, response, filterChain); - if(response.getStatus() >=400 && response.getStatus() < 500){ - errorResponse(request, response); - } - } - - private void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException { - String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER); - AAIException aaie = new AAIException("AAI_3300"); - response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode()); - response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>())); - response.getWriter().flush(); - response.getWriter().close(); - } -} diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java new file mode 100644 index 0000000..4191b06 --- /dev/null +++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafAuthorizationFilter.java @@ -0,0 +1,73 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.config.aaf; + +import org.onap.aai.Profiles; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.web.filter.OrderedRequestContextFilter; +import org.springframework.context.annotation.Profile; +import org.springframework.context.annotation.PropertySource; +import org.springframework.stereotype.Component; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.util.stream.Collectors; + +import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse; + +/** + * AAF authorization filter + */ + +@Component +@Profile(Profiles.AAF_AUTHENTICATION) +@PropertySource("file:${server.local.startpath}/aaf/permissions.properties") +public class AafAuthorizationFilter extends OrderedRequestContextFilter { + + private static final String ADVANCED = "advanced"; + private static final String BASIC = "basic"; + + @Value("${permission.type}") + String type; + + @Value("${permission.instance}") + String instance; + + public AafAuthorizationFilter() { + this.setOrder(FilterPriority.AAF_AUTHORIZATION.getPriority()); + } + + @Override + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { + boolean containsWordGremlin = request.getReader().lines().collect(Collectors.joining(System.lineSeparator())).contains("\"gremlin\""); + //if the request contains the word "gremlin" it's an advanced query + String queryType = containsWordGremlin ? ADVANCED : BASIC; + String permission = String.format("%s|%s|%s", type, instance, queryType); + + if(!request.isUserInRole(permission)){ + errorResponse(request, response); + }else{ + filterChain.doFilter(request,response); + } + } +} diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java new file mode 100644 index 0000000..ff86119 --- /dev/null +++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/AafFilter.java @@ -0,0 +1,65 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.config.aaf; + +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.onap.aai.Profiles; +import org.onap.aai.TraversalApp; +import org.springframework.boot.web.filter.OrderedRequestContextFilter; +import org.springframework.context.annotation.Profile; +import org.springframework.stereotype.Component; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.util.Properties; + +import static org.onap.aai.config.aaf.ResponseFormatter.errorResponse; + +/** + * AAF authentication filter + */ + +@Component +@Profile(Profiles.AAF_AUTHENTICATION) +public class AafFilter extends OrderedRequestContextFilter { + + private final CadiFilter cadiFilter; + + public AafFilter() throws IOException, ServletException { + Properties cadiProperties = new Properties(); + cadiProperties.load(TraversalApp.class.getClassLoader().getResourceAsStream("cadi.properties")); + cadiFilter = new CadiFilter(new PropAccess(cadiProperties)); + this.setOrder(FilterPriority.AAF_AUTHENTICATION.getPriority()); + } + + @Override + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { + cadiFilter.doFilter(request, response, filterChain); + if(response.getStatus() >=400 && response.getStatus() < 500){ + errorResponse(request, response); + } + } + + +} diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java new file mode 100644 index 0000000..910db69 --- /dev/null +++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/FilterPriority.java @@ -0,0 +1,35 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.config.aaf; + +import org.springframework.core.Ordered; + +public enum FilterPriority { + AAF_AUTHENTICATION(Ordered.HIGHEST_PRECEDENCE), + AAF_AUTHORIZATION(Ordered.HIGHEST_PRECEDENCE + 1); //higher number = lower priority + + private final int priority; + + FilterPriority(final int p) { + priority = p; + } + + public int getPriority() { return priority; } +} diff --git a/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java new file mode 100644 index 0000000..9e09827 --- /dev/null +++ b/aai-traversal/src/main/java/org/onap/aai/config/aaf/ResponseFormatter.java @@ -0,0 +1,45 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.config.aaf; + +import org.onap.aai.exceptions.AAIException; +import org.onap.aai.logging.ErrorLogHelper; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.core.MediaType; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collections; + +class ResponseFormatter { + + private static final String ACCEPT_HEADER = "accept"; + + static void errorResponse(HttpServletRequest request, HttpServletResponse response) throws IOException { + String accept = request.getHeader(ACCEPT_HEADER) == null ? MediaType.APPLICATION_XML : request.getHeader(ACCEPT_HEADER); + AAIException aaie = new AAIException("AAI_3300"); + response.setStatus(aaie.getErrorObject().getHTTPResponseCode().getStatusCode()); + response.getWriter().write(ErrorLogHelper.getRESTAPIErrorResponse(Collections.singletonList(MediaType.valueOf(accept)), aaie, new ArrayList<>())); + response.getWriter().flush(); + response.getWriter().close(); + } + +} -- cgit 1.2.3-korg