From 41a7776b97a40d9784cbaae6fa63da90c2be4d38 Mon Sep 17 00:00:00 2001 From: Michael DÜrre Date: Wed, 3 Nov 2021 14:17:33 +0100 Subject: mirgate features to sr2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fix oauth provider and its aaa deps Issue-ID: CCSDK-3515 Signed-off-by: Michael DÜrre Change-Id: I5e964958f323483e593563f5f19cee6100108b21 Signed-off-by: Michael DÜrre --- sdnr/wt/oauth-provider/pom.xml | 2 +- sdnr/wt/oauth-provider/provider-jar/pom.xml | 4 +- .../sdnr/wt/oauthprovider/OAuth2Realm.java | 2 +- .../sdnr/wt/oauthprovider/data/OAuthToken.java | 2 +- .../filters/AnyRoleHttpAuthenticationFilter.java | 75 ++++++++++++ .../BearerAndBasicHttpAuthenticationFilter.java | 134 +++++++++++++++++++++ .../wt/oauthprovider/http/AuthHttpServlet.java | 2 +- .../wt/oauthprovider/providers/AuthService.java | 2 +- .../wt/oauthprovider/providers/TokenCreator.java | 2 +- .../wt/oauthprovider/test/TestAuthHttpServlet.java | 2 +- .../sdnr/wt/oauthprovider/test/TestRealm.java | 2 +- sdnr/wt/oauth-provider/provider-osgi/pom.xml | 9 +- 12 files changed, 224 insertions(+), 14 deletions(-) create mode 100644 sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/AnyRoleHttpAuthenticationFilter.java create mode 100644 sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/BearerAndBasicHttpAuthenticationFilter.java (limited to 'sdnr/wt/oauth-provider') diff --git a/sdnr/wt/oauth-provider/pom.xml b/sdnr/wt/oauth-provider/pom.xml index 801c1abc2..1391a2f92 100755 --- a/sdnr/wt/oauth-provider/pom.xml +++ b/sdnr/wt/oauth-provider/pom.xml @@ -28,7 +28,7 @@ org.onap.ccsdk.parent odlparent-lite - 2.2.2 + 2.2.3 diff --git a/sdnr/wt/oauth-provider/provider-jar/pom.xml b/sdnr/wt/oauth-provider/provider-jar/pom.xml index e0aa4ef76..da4708b6c 100644 --- a/sdnr/wt/oauth-provider/provider-jar/pom.xml +++ b/sdnr/wt/oauth-provider/provider-jar/pom.xml @@ -28,7 +28,7 @@ org.onap.ccsdk.parent binding-parent - 2.2.2 + 2.2.3 @@ -65,7 +65,7 @@ java-jwt - com.highstreet-technologies.aaa + org.opendaylight.aaa aaa-shiro diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java index 0a40e8ddc..6dbed1f85 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java @@ -34,7 +34,7 @@ import org.apache.shiro.subject.PrincipalCollection; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator; import org.opendaylight.aaa.api.shiro.principal.ODLPrincipal; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.opendaylight.aaa.shiro.realm.TokenAuthRealm; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java index 1a695f2b0..b05d3948a 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java @@ -23,7 +23,7 @@ package org.onap.ccsdk.features.sdnr.wt.oauthprovider.data; import com.auth0.jwt.JWT; import com.auth0.jwt.interfaces.DecodedJWT; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; public class OAuthToken { private final String access_token; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/AnyRoleHttpAuthenticationFilter.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/AnyRoleHttpAuthenticationFilter.java new file mode 100644 index 000000000..0dc58efff --- /dev/null +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/AnyRoleHttpAuthenticationFilter.java @@ -0,0 +1,75 @@ +/* + * ============LICENSE_START======================================================= + * ONAP : ccsdk features + * ================================================================================ + * Copyright (C) 2020 highstreet technologies GmbH Intellectual Property. + * All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + * + */ +package org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters; + +import java.util.Arrays; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import org.apache.shiro.subject.Subject; +import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + + +/** + * Requires the requesting user to be {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} for the + * request to continue, and if they're not, requires the user to login via the HTTP Bearer protocol-specific challenge. + * Upon successful login, they're allowed to continue on to the requested resource/url. + *

+ * The {@link #onAccessDenied(ServletRequest, ServletResponse)} method will only be called if the subject making the + * request is not {@link org.apache.shiro.subject.Subject#isAuthenticated() authenticated} + * + * @see RFC 2617 + * @see OAuth2 Authorization Request Header Field + * @since 1.5 + */ + +public class AnyRoleHttpAuthenticationFilter extends RolesAuthorizationFilter { + + /** + * This class's private logger. + */ + private static final Logger LOG = LoggerFactory.getLogger(AnyRoleHttpAuthenticationFilter.class); + + @Override + public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { + final Subject subject = getSubject(request, response); + final String[] rolesArray = (String[]) mappedValue; + LOG.debug("isAccessAllowed {}", Arrays.asList(rolesArray)); + + if (rolesArray == null || rolesArray.length == 0) { + //no roles specified, so nothing to check - allow access. + LOG.debug("no role specified: access allowed"); + return true; + } + + for (String roleName : rolesArray) { + LOG.debug("checking role {}", roleName); + if (subject.hasRole(roleName)) { + LOG.debug("role matched to {}: access allowed", roleName); + return true; + } + } + LOG.debug("no role matched: access denied"); + return false; + } +} \ No newline at end of file diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/BearerAndBasicHttpAuthenticationFilter.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/BearerAndBasicHttpAuthenticationFilter.java new file mode 100644 index 000000000..6fb41d799 --- /dev/null +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/BearerAndBasicHttpAuthenticationFilter.java @@ -0,0 +1,134 @@ +/* + * ============LICENSE_START======================================================= + * ONAP : ccsdk features + * ================================================================================ + * Copyright (C) 2020 highstreet technologies GmbH Intellectual Property. + * All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + * + */ +package org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters; + +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import org.apache.shiro.authc.AuthenticationToken; +import org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter; +import org.apache.shiro.web.util.WebUtils; +import org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class BearerAndBasicHttpAuthenticationFilter extends BearerHttpAuthenticationFilter{ + + // defined in lower-case for more efficient string comparison + private static final Logger LOG = LoggerFactory.getLogger(BearerAndBasicHttpAuthenticationFilter.class); + private ODLHttpAuthenticationHelperFilter basicAuthFilter; + + public BearerAndBasicHttpAuthenticationFilter() { + this.basicAuthFilter = new ODLHttpAuthenticationHelperFilter(); + } + + protected static final String OPTIONS_HEADER = "OPTIONS"; + + @Override + protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) { + final String authHeader = this.getAuthzHeader(request); + if (authHeader != null && authHeader.startsWith("Basic")) { + return this.createBasicAuthToken(request, response); + } + return super.createToken(request, response); + } + + @Override + protected String[] getPrincipalsAndCredentials(String scheme, String token) { + LOG.debug("getPrincipalsAndCredentials with scheme {} and token {}", scheme, token); + if (scheme.toLowerCase().equals("basic")) { + return this.basicAuthFilter.getPrincipalsAndCredentials(scheme, token); + } + return super.getPrincipalsAndCredentials(scheme, token); + } + + @Override + protected boolean isLoginAttempt(String authzHeader) { + LOG.debug("isLoginAttempt with header {}", authzHeader); + if (this.basicAuthFilter.isLoginAttempt(authzHeader)) { + return true; + } + return super.isLoginAttempt(authzHeader); + } + + @Override + protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { + final HttpServletRequest httpRequest = WebUtils.toHttp(request); + final String httpMethod = httpRequest.getMethod(); + if (OPTIONS_HEADER.equalsIgnoreCase(httpMethod)) { + return true; + } else { + if (this.basicAuthFilter.isAccessAllowed(httpRequest, response, mappedValue)) { + LOG.debug("isAccessAllowed succeeded on basicAuth"); + return true; + } + } + return super.isAccessAllowed(request, response, mappedValue); + } + + protected AuthenticationToken createBasicAuthToken(ServletRequest request, ServletResponse response) { + String authorizationHeader = getAuthzHeader(request); + if (authorizationHeader == null || authorizationHeader.length() == 0) { + // Create an empty authentication token since there is no + // Authorization header. + return createToken("", "", request, response); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("Attempting to execute login with headers [" + authorizationHeader + "]"); + } + + String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request); + if (prinCred == null || prinCred.length < 2) { + // Create an authentication token with an empty password, + // since one hasn't been provided in the request. + String username = prinCred == null || prinCred.length == 0 ? "" : prinCred[0]; + return createToken(username, "", request, response); + } + + String username = prinCred[0]; + String password = prinCred[1]; + + return createToken(username, password, request, response); + } + + + private static class ODLHttpAuthenticationHelperFilter extends ODLHttpAuthenticationFilter{ + + ODLHttpAuthenticationHelperFilter(){ + super(); + } + + @Override + protected boolean isLoginAttempt(String authzHeader) { + return super.isLoginAttempt(authzHeader); + } + @Override + protected String[] getPrincipalsAndCredentials(String scheme, String encoded) { + return super.getPrincipalsAndCredentials(scheme, encoded); + } + @Override + protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { + return super.isAccessAllowed(request, response, mappedValue); + } + } +} diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java index 85fe1ced2..686684f35 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java @@ -56,7 +56,7 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.MdSalAuthorizatio import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.OAuthProviderFactory; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator; import org.opendaylight.aaa.api.IdMService; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.opendaylight.mdsal.binding.api.DataBroker; import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.ShiroConfiguration; import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.shiro.configuration.Main; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java index 56a62f5c1..f16975f6f 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java @@ -47,7 +47,7 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.AuthHttpServlet; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client.MappedBaseHttpResponse; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client.MappingBaseHttpClient; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java index cf8109ef0..c2515e2b9 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java @@ -33,7 +33,7 @@ import javax.servlet.http.HttpServletRequest; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.AuthHttpServlet; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java index bf2a39b55..1fbe43a07 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java @@ -57,7 +57,7 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.test.helper.OdlJsonMapper; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.test.helper.OdlXmlMapper; import org.opendaylight.aaa.api.IdMService; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.opendaylight.mdsal.binding.api.DataBroker; import org.opendaylight.mdsal.binding.api.ReadTransaction; import org.opendaylight.mdsal.common.api.LogicalDatastoreType; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java index fe9dae31d..4b2011836 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java @@ -44,7 +44,7 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator; import org.opendaylight.aaa.api.shiro.principal.ODLPrincipal; -import org.opendaylight.aaa.shiro.filters.backport.BearerToken; +import org.apache.shiro.authc.BearerToken; import org.opendaylight.aaa.shiro.tokenauthrealm.auth.AuthenticationManager; import org.opendaylight.aaa.shiro.tokenauthrealm.auth.TokenAuthenticators; import org.opendaylight.aaa.shiro.web.env.ThreadLocals; diff --git a/sdnr/wt/oauth-provider/provider-osgi/pom.xml b/sdnr/wt/oauth-provider/provider-osgi/pom.xml index c2265deea..7c184d81c 100644 --- a/sdnr/wt/oauth-provider/provider-osgi/pom.xml +++ b/sdnr/wt/oauth-provider/provider-osgi/pom.xml @@ -28,7 +28,7 @@ org.onap.ccsdk.parent binding-parent - 2.2.2 + 2.2.3 @@ -61,7 +61,7 @@ aaa-shiro - com.highstreet-technologies.aaa + org.opendaylight.aaa aaa-shiro @@ -87,6 +87,7 @@ ${project.version} org.onap.ccsdk.features.sdnr.wt.oauthprovider;version=${project.version}, + org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters;version=${project.version}, org.onap.ccsdk.features.sdnr.wt.oauthprovider.http;version=${project.version}, org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client;version=${project.version}, org.onap.ccsdk.features.sdnr.wt.oauthprovider.data;version=${project.version}, @@ -116,7 +117,7 @@ org.opendaylight.aaa.api, org.opendaylight.aaa.api.shiro.principal, org.opendaylight.aaa.shiro.realm, - org.opendaylight.aaa.shiro.filters.backport, + org.opendaylight.aaa.shiro.filters, org.opendaylight.mdsal.binding.api, org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619, org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.shiro.configuration, @@ -136,7 +137,7 @@ *;scope=compile|runtime;inline=false *;scope=compile|runtime;artifactId=!shiro-core;inline=false true - org.apache.shiro.core + org.opendaylight.aaa.repackaged-shiro -- cgit 1.2.3-korg