Diffstat (limited to 'sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java')
-rw-r--r--sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java120
1 files changed, 65 insertions, 55 deletions
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java
index f5d344d41..cd4239081 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java
@@ -48,11 +48,12 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OdlPolicy;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.AuthService;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.AuthService.PublicOAuthProviderConfig;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.MdSalAuthorizationStore;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.OAuthProviderFactory;
import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator;
-import org.opendaylight.aaa.api.IDMStoreException;
import org.opendaylight.aaa.api.IdMService;
import org.opendaylight.aaa.shiro.filters.backport.BearerToken;
+import org.opendaylight.mdsal.binding.api.DataBroker;
import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.ShiroConfiguration;
import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.shiro.configuration.Main;
import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.shiro.configuration.Urls;
@@ -68,11 +69,14 @@ public class AuthHttpServlet extends HttpServlet {
//private static final String LOGOUTURI = BASEURI + "/logout";
private static final String PROVIDERSURI = BASEURI + "/providers";
public static final String REDIRECTURI = BASEURI + "/redirect";
+ private static final String REDIRECTURI_FORMAT = REDIRECTURI + "/%s";
private static final String POLICIESURI = BASEURI + "/policies";
//private static final String PROVIDERID_REGEX = "^\\" + BASEURI + "\\/providers\\/([^\\/]+)$";
private static final String REDIRECTID_REGEX = "^\\" + BASEURI + "\\/redirect\\/([^\\/]+)$";
+ private static final String LOGIN_REDIRECT_REGEX = "^\\" + LOGINURI + "\\/([^\\/]+)$";
//private static final Pattern PROVIDERID_PATTERN = Pattern.compile(PROVIDERID_REGEX);
private static final Pattern REDIRECTID_PATTERN = Pattern.compile(REDIRECTID_REGEX);
+ private static final Pattern LOGIN_REDIRECT_PATTERN = Pattern.compile(LOGIN_REDIRECT_REGEX);
private static final String DEFAULT_DOMAIN = "sdn";
private static final String HEAEDER_AUTHORIZATION = "Authorization";
@@ -83,6 +87,7 @@ public class AuthHttpServlet extends HttpServlet {
"org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2";
private static final String CLASSNAME_ODLMDSALAUTH =
"org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter";
+ public static final String LOGIN_REDIRECT_FORMAT = LOGINURI + "/%s";
private final ObjectMapper mapper;
/* state <=> AuthProviderService> */
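Review bot: `LOGIN_REDIRECT_FORMAT` is declared `public` while its sibling `REDIRECTURI_FORMAT`, added a hunk earlier, is `private`, and it is placed among the Shiro filter class-name constants rather than next to the URI constants it is built from. Nothing in this file reads it, so unless an external caller is known to need it, narrow it and move it beside the other format string: `private static final String LOGIN_REDIRECT_FORMAT = LOGINURI + "/%s";`. The class body continues outside the hunk.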
@@ -92,15 +97,17 @@ public class AuthHttpServlet extends HttpServlet {
private final TokenCreator tokenCreator;
private final Config config;
private ShiroConfiguration shiroConfiguration;
+ private DataBroker dataBroker;
+ private MdSalAuthorizationStore mdsalAuthStore;
public AuthHttpServlet() throws IOException {
- this.tokenCreator = TokenCreator.getInstance();
this.config = Config.getInstance();
+ this.tokenCreator = TokenCreator.getInstance(this.config);
this.mapper = new ObjectMapper();
this.providerStore = new HashMap<>();
for (OAuthProviderConfig pc : config.getProviders()) {
this.providerStore.put(pc.getId(), OAuthProviderFactory.create(pc.getType(), pc,
- this.config.getRedirectUri(), TokenCreator.getInstance()));
+ this.config.getRedirectUri(), TokenCreator.getInstance(this.config)));
}
}
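Review bot: The provider loop in the constructor calls `TokenCreator.getInstance(this.config)` for every provider even though the same call's result was stored in `this.tokenCreator` one line earlier; pass the field instead, `this.config.getRedirectUri(), this.tokenCreator));`. If `getInstance` is a plain singleton accessor this is only redundancy, but if it re-reads the config on each call the providers could end up with a creator configured differently from the servlet's own — worth checking in TokenCreator. `dataBroker` and `mdsalAuthStore` also stay null until `setDataBroker` runs, so a request served before wiring completes evaluates MD-SAL rules without a store; a field comment such as `/* wired later via setDataBroker(); null until then */` would make that ordering dependency explicit.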
@@ -117,12 +124,19 @@ public class AuthHttpServlet extends HttpServlet {
this.shiroConfiguration = shiroConfiguration;
}
+ public void setDataBroker(DataBroker dataBroker) {
+ this.dataBroker = dataBroker;
+ this.mdsalAuthStore = new MdSalAuthorizationStore(this.dataBroker);
+ }
+
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
LOG.debug("GET request for {}", req.getRequestURI());
- fillHost(req);
+ getHost(req);
if (PROVIDERSURI.equals(req.getRequestURI())) {
this.sendResponse(resp, HttpServletResponse.SC_OK, getConfigs(this.providerStore.values()));
+ } else if (req.getRequestURI().startsWith(LOGINURI)) {
+ this.handleLoginRedirect(req, resp);
} else if (POLICIESURI.equals(req.getRequestURI())) {
this.sendResponse(resp, HttpServletResponse.SC_OK, this.getPoliciesForUser(req));
} else if (req.getRequestURI().startsWith(REDIRECTURI)) {
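Review bot: The bare `getHost(req);` at the top of doGet discards its return value, so after the rename from `fillHost` it does nothing except emit a log line per request (the old method cached the value into config, which is exactly what was removed). Either drop the statement or keep the result and hand it down, `final String host = getHost(req);`, passing `host` to handleLoginRedirect and the redirect handler instead of recomputing it there. `startsWith(LOGINURI)` is a prefix match, so every path under LOGINURI reaches handleLoginRedirect, which then answers 404 on a regex mismatch; that is reasonable but deserves a one-line comment stating it is intended. The doGet body continues outside the hunk.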
@@ -133,6 +147,22 @@ public class AuthHttpServlet extends HttpServlet {
}
+ private void handleLoginRedirect(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ final String uri = req.getRequestURI();
+ final Matcher matcher = LOGIN_REDIRECT_PATTERN.matcher(uri);
+ if (matcher.find()) {
+ final String id = matcher.group(1);
+ AuthService provider = this.providerStore.getOrDefault(id, null);
+ if (provider != null) {
+ //provider.setLocalHostUrl(getHost(req));
+ String redirectUrl = getHost(req) + String.format(REDIRECTURI_FORMAT, id);
+ provider.sendLoginRedirectResponse(resp, redirectUrl);
+ return;
+ }
+ }
+ this.sendResponse(resp, HttpServletResponse.SC_NOT_FOUND, "");
+ }
+
/**
* find out what urls can be accessed by user and which are forbidden
*
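Review bot: The `redirectUrl` handed to `sendLoginRedirectResponse` is built from `getHost(req)`, which in a later hunk falls back to the request's own URL when no public URL is configured, so without that setting the OAuth `redirect_uri` is derived from the client-supplied Host header and the provider's registered-redirect check becomes the only line of defence. Prefer treating the configured public URL as mandatory on this path, or at minimum warn when the fallback is used. Separately, the commented-out `//provider.setLocalHostUrl(getHost(req));` is dead code and should be deleted, and `this.providerStore.getOrDefault(id, null)` is simply `this.providerStore.get(id)`.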
@@ -161,8 +191,13 @@ public class AuthHttpServlet extends HttpServlet {
try {
final String authClass = getAuthClass(matcher.group(1));
Optional<OdlPolicy> policy = Optional.empty();
- if (authClass.equals(CLASSNAME_ODLBASICAUTH)
- || authClass.equals(CLASSNAME_ODLBEARERANDBASICAUTH)) {
+ //anon access allowed
+ if (authClass == null) {
+ policy = Optional.of(OdlPolicy.allowAll(urlRule.getPairKey()));
+ } else if (authClass.equals(CLASSNAME_ODLBASICAUTH)) {
+ policy = isBasic(req) ? this.getTokenBasedPolicy(urlRule, matcher, data)
+ : Optional.of(OdlPolicy.denyAll(urlRule.getPairKey()));
+ } else if (authClass.equals(CLASSNAME_ODLBEARERANDBASICAUTH)) {
policy = this.getTokenBasedPolicy(urlRule, matcher, data);
} else if (authClass.equals(CLASSNAME_ODLMDSALAUTH)) {
policy = this.getMdSalBasedPolicy(urlRule, matcher, data);
@@ -172,6 +207,7 @@ public class AuthHttpServlet extends HttpServlet {
} else {
LOG.warn("unable to get policy for authClass {} for entry {}", authClass,
urlRule.getPairValue());
+ policies.add(OdlPolicy.denyAll(urlRule.getPairKey()));
}
} catch (NoDefinitionFoundException e) {
LOG.warn("unknown authClass: ", e);
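Review bot: The new `authClass == null` branch grants `OdlPolicy.allowAll` for the URL, which is only safe if `getAuthClass` returns null solely for an explicit `anon` filter chain; `getAuthClass` is outside this hunk, so confirm that a lookup miss or a malformed entry cannot also yield null, because here that would fail open. The `NoDefinitionFoundException` catch at the end of the visible lines only warns; if its body does not already add a deny rule, mirror the `policies.add(OdlPolicy.denyAll(urlRule.getPairKey()));` this change puts in the else-branch so that unknown and unresolvable filter classes both fail closed. The enclosing loop body starts and ends outside the hunk.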
@@ -188,20 +224,24 @@ public class AuthHttpServlet extends HttpServlet {
}
/**
- * extract policy rule for user from MD-SAL
- * not yet supported
+ * extract policy rule for user from MD-SAL not yet supported
+ *
* @param urlRule
* @param matcher
* @param data
* @return
*/
private Optional<OdlPolicy> getMdSalBasedPolicy(Urls urlRule, Matcher matcher, UserTokenPayload data) {
-
+ if (this.mdsalAuthStore != null) {
+ return data != null ? this.mdsalAuthStore.getPolicy(urlRule.getPairKey(), data.getRoles())
+ : Optional.of(OdlPolicy.denyAll(urlRule.getPairKey()));
+ }
return Optional.empty();
}
/**
* extract policy rule for user from url rules of config
+ *
* @param urlRule
* @param matcher
* @param data
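Review bot: The Javadoc on getMdSalBasedPolicy still reads "not yet supported" although the body now delegates to `MdSalAuthorizationStore.getPolicy` whenever the store has been wired. Replace the summary with something like `Policy for the URL from the MD-SAL authorization store: Optional.empty() until setDataBroker has wired the store, denyAll when no token payload is present.` and fill in the empty `@param`/`@return` tags. `data.getRoles()` is passed straight through; whether the store tolerates a null role list is not visible here and is worth a sentence in that Javadoc. The Javadoc for getTokenBasedPolicy that follows is cut off by the hunk.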
@@ -209,25 +249,27 @@ public class AuthHttpServlet extends HttpServlet {
*/
private Optional<OdlPolicy> getTokenBasedPolicy(Urls urlRule, Matcher matcher, UserTokenPayload data) {
final String url = urlRule.getPairKey();
- if (!urlRule.getPairValue().contains(",")) {
+ final String rule = urlRule.getPairValue();
+ if (!rule.contains(",")) {
LOG.debug("found rule without roles for '{}'", matcher.group(1));
//not important if anon or authcXXX
if (data != null || "anon".equals(matcher.group(1))) {
return Optional.of(OdlPolicy.allowAll(url));
}
- } else if (data != null) {
+ }
+ if (data != null) {
LOG.debug("found rule with roles '{}'", matcher.group(4));
if ("roles".equals(matcher.group(2))) {
if (this.rolesMatch(data.getRoles(), Arrays.asList(matcher.group(4).split(",")), false)) {
- Optional.of(OdlPolicy.allowAll(url));
+ return Optional.of(OdlPolicy.allowAll(url));
} else {
- Optional.of(OdlPolicy.denyAll(url));
+ return Optional.of(OdlPolicy.denyAll(url));
}
} else if ("anyroles".equals(matcher.group(2))) {
if (this.rolesMatch(data.getRoles(), Arrays.asList(matcher.group(4).split(",")), true)) {
- Optional.of(OdlPolicy.allowAll(url));
+ return Optional.of(OdlPolicy.allowAll(url));
} else {
- Optional.of(OdlPolicy.denyAll(url));
+ return Optional.of(OdlPolicy.denyAll(url));
}
} else {
LOG.warn("unable to detect url role value: {}", urlRule.getPairValue());
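Review bot: The new local `rule` is used for the comma test but the warn at the end of the visible lines still spells out `urlRule.getPairValue()`; use the local there as well, `LOG.warn("unable to detect url role value: {}", rule);`. The role list is still split on a bare comma, so a Shiro entry written as `roles[admin, user]` would carry a leading space into the comparison and be denied; if the config format permits spaces, trim each entry before matching. getTokenBasedPolicy continues past the hunk.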
@@ -252,7 +294,7 @@ public class AuthHttpServlet extends HttpServlet {
private UserTokenPayload getUserInfo(HttpServletRequest req) {
if (isBearer(req)) {
- UserTokenPayload data = TokenCreator.getInstance().decode(req);
+ UserTokenPayload data = TokenCreator.getInstance(this.config).decode(req);
if (data != null) {
return data;
}
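Review bot: `TokenCreator.getInstance(this.config).decode(req)` goes through the static accessor even though the servlet already holds `this.tokenCreator`, assigned in the constructor; use the field, `UserTokenPayload data = this.tokenCreator.decode(req);`, so token validation cannot run with a creator configured differently from the one the providers were built with. getUserInfo continues past the hunk.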
@@ -317,8 +359,8 @@ public class AuthHttpServlet extends HttpServlet {
}
- private void fillHost(HttpServletRequest req) {
- String hostUrl = this.config.getHost();
+ public String getHost(HttpServletRequest req) {
+ String hostUrl = this.config.getPublicUrl();
if (hostUrl == null) {
final String tmp = req.getRequestURL().toString();
final String regex = "^(http[s]{0,1}:\\/\\/[^\\/]+)";
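Review bot: With the cached `setHost` gone, `getHost` re-derives the host from `req.getRequestURL()` on every call whenever `config.getPublicUrl()` is null, and the container reconstructs that URL from the request's Host header, so the value that ends up in OAuth redirect URLs and provider configs is client-influenced unless `publicUrl` is set. Treat the fallback as a deployment problem rather than a silent default: `if (hostUrl == null) { LOG.warn("publicUrl not configured; deriving host from request Host header"); ... }`, and state on the method's Javadoc that the configured value is the trusted one. getHost continues past the hunk.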
@@ -326,16 +368,17 @@ public class AuthHttpServlet extends HttpServlet {
final Matcher matcher = pattern.matcher(tmp);
if (matcher.find()) {
hostUrl = matcher.group(1);
- this.config.setHost(hostUrl);
}
}
+ LOG.info("host={}", hostUrl);
+ return hostUrl;
}
private List<PublicOAuthProviderConfig> getConfigs(Collection<AuthService> values) {
List<PublicOAuthProviderConfig> configs = new ArrayList<>();
for (AuthService svc : values) {
- configs.add(svc.getConfig(this.config.getHost()));
+ configs.add(svc.getConfig());
}
return configs;
}
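Review bot: `LOG.info("host={}", hostUrl)` now fires on every call, and `getHost` is invoked on every GET from doGet plus again inside the redirect handlers, so this becomes a per-request INFO line; lower it with `LOG.debug("host={}", hostUrl);`. I cannot see a case where the regex fails on `getRequestURL()` output, but if it did, `hostUrl` would be returned as null and concatenated into redirect URLs as the literal text `null`; an explicit null check that fails the request would surface that more visibly. The start of getHost lies outside this hunk.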
@@ -353,8 +396,8 @@ public class AuthHttpServlet extends HttpServlet {
if (matcher.find()) {
AuthService provider = this.providerStore.getOrDefault(matcher.group(1), null);
if (provider != null) {
- provider.setLocalHostUrl(this.config.getHost());
- provider.handleRedirect(req, resp);
+ //provider.setLocalHostUrl(getHost(req));
+ provider.handleRedirect(req, resp, getHost(req));
return;
}
}
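Review bot: The commented-out `//provider.setLocalHostUrl(getHost(req));` is dead code that duplicates the argument passed on the very next line; delete it rather than keeping it as a reminder. `getHost(req)` is also computed here a second time after doGet already called (and discarded) it, so thread the value through from doGet instead of re-deriving and re-logging it. The enclosing redirect handler starts outside the hunk.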
@@ -382,33 +425,6 @@ public class AuthHttpServlet extends HttpServlet {
resp.sendError(HttpServletResponse.SC_NOT_FOUND);
}
- @Override
- protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
- // final String uri = req.getRequestURI();
- // final Matcher matcher = PROVIDERID_PATTERN.matcher(uri);
- // if (matcher.find()) {
- // final String id = matcher.group(1);
- // final OAuthProviderConfig config = this.mapper.readValue(req.getInputStream(), OAuthProviderConfig.class);
- // //this.providerStore.put(id, config);
- // sendResponse(resp, HttpServletResponse.SC_OK, "");
- // return;
- // }
- resp.sendError(HttpServletResponse.SC_NOT_FOUND);
- }
-
- @Override
- protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
- // final String uri = req.getRequestURI();
- // final Matcher matcher = PROVIDERID_PATTERN.matcher(uri);
- // if (matcher.find()) {
- // final String id = matcher.group(1);
- // this.providerStore.remove(id);
- // sendResponse(resp, HttpServletResponse.SC_OK, "");
- // return;
- // }
- resp.sendError(HttpServletResponse.SC_NOT_FOUND);
- }
-
private BearerToken doLogin(String username, String password, String domain) {
if (!username.contains("@")) {
username = String.format("%s@%s", username, domain);
@@ -416,12 +432,6 @@ public class AuthHttpServlet extends HttpServlet {
HttpServletRequest req = new HeadersOnlyHttpServletRequest(
Map.of("Authorization", BaseHTTPClient.getAuthorizationHeaderValue(username, password)));
if (this.odlAuthenticator.authenticate(req)) {
- try {
- LOG.info("userids={}", this.odlIdentityService.listUserIDs());
- LOG.info("domains={}", this.odlIdentityService.listDomains(username));
- } catch (IDMStoreException e) {
-
- }
List<String> roles = this.odlIdentityService.listRoles(username, domain);
UserTokenPayload data = new UserTokenPayload();
data.setPreferredUsername(username);