1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
|
package org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters;
import static com.google.common.base.Preconditions.checkArgument;
import static java.util.Objects.requireNonNull;
import com.google.common.collect.Iterables;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.IOException;
import java.util.*;
import java.util.concurrent.ExecutionException;
import javax.servlet.Filter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.opendaylight.mdsal.binding.api.ClusteredDataTreeChangeListener;
import org.opendaylight.mdsal.binding.api.DataBroker;
import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
import org.opendaylight.mdsal.binding.api.DataTreeModification;
import org.opendaylight.mdsal.binding.api.ReadTransaction;
import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.HttpAuthorization;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization.policies.Policies;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.permission.Permissions;
import org.opendaylight.yangtools.concepts.ListenerRegistration;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@SuppressWarnings("checkstyle:AbbreviationAsWordInName")
public class CustomizedMDSALDynamicAuthorizationFilter extends AuthorizationFilter
implements ClusteredDataTreeChangeListener<HttpAuthorization> {
private static final Logger LOG = LoggerFactory.getLogger(CustomizedMDSALDynamicAuthorizationFilter.class);
private static final DataTreeIdentifier<HttpAuthorization> AUTHZ_CONTAINER = DataTreeIdentifier.create(
LogicalDatastoreType.CONFIGURATION, InstanceIdentifier.create(HttpAuthorization.class));
private static DataBroker dataBroker;
public static void setDataBroker(DataBroker dataBroker2){
dataBroker = dataBroker2;
}
private ListenerRegistration<?> reg;
private volatile ListenableFuture<Optional<HttpAuthorization>> authContainer;
public CustomizedMDSALDynamicAuthorizationFilter() {
}
@Override
public Filter processPathConfig(final String path, final String config) {
/*if (dataBroker == null){
throw new RuntimeException("dataBroker is not initialized");
}*/
return super.processPathConfig(path, config);
}
@Override
public void destroy() {
if (reg != null) {
reg.close();
reg = null;
}
super.destroy();
}
@Override
public void onDataTreeChanged(final Collection<DataTreeModification<HttpAuthorization>> changes) {
final HttpAuthorization newVal = Iterables.getLast(changes).getRootNode().getDataAfter();
LOG.debug("Updating authorization information to {}", newVal);
authContainer = Futures.immediateFuture(Optional.ofNullable(newVal));
}
@Override
public boolean isAccessAllowed(final ServletRequest request, final ServletResponse response,
final Object mappedValue) {
if (dataBroker == null){
throw new RuntimeException("dataBroker is not initialized");
}
if(reg == null){
try (ReadTransaction tx = dataBroker.newReadOnlyTransaction()) {
authContainer = tx.read(AUTHZ_CONTAINER.getDatastoreType(), AUTHZ_CONTAINER.getRootIdentifier());
}
reg = dataBroker.registerDataTreeChangeListener(AUTHZ_CONTAINER, this);
}
checkArgument(request instanceof HttpServletRequest, "Expected HttpServletRequest, received {}", request);
final boolean defaultReturnValue=false;
final Subject subject = getSubject(request, response);
final HttpServletRequest httpServletRequest = (HttpServletRequest)request;
final String requestURI = httpServletRequest.getRequestURI();
LOG.debug("isAccessAllowed for user={} to requestURI={}", subject, requestURI);
final Optional<HttpAuthorization> authorizationOptional;
try {
authorizationOptional = authContainer.get();
} catch (ExecutionException | InterruptedException e) {
// Something went completely wrong trying to read the authz container. Deny access.
LOG.warn("MDSAL attempt to read Http Authz Container failed, disallowing access", e);
return false;
}
if (!authorizationOptional.isPresent()) {
// The authorization container does not exist-- hence no authz rules are present
// Allow access.
LOG.debug("Authorization Container does not exist");
return defaultReturnValue;
}
final HttpAuthorization httpAuthorization = authorizationOptional.get();
final var policies = httpAuthorization.getPolicies();
List<Policies> policiesList = policies != null ? policies.getPolicies() : null;
if (policiesList == null || policiesList.isEmpty()) {
// The authorization container exists, but no rules are present. Allow access.
LOG.debug("Exiting early since no authorization rules exist");
sendError(response, 403, "");
return defaultReturnValue;
}
// Sort the Policies list based on index
policiesList = new ArrayList<>(policiesList);
policiesList.sort(Comparator.comparing(Policies::getIndex));
for (Policies policy : policiesList) {
final String resource = policy.getResource();
final boolean pathsMatch = pathsMatch(resource, requestURI);
if (pathsMatch) {
LOG.debug("paths match for policy {} pattern={} and requestURI={}", policy.getIndex(), resource, requestURI);
final String method = httpServletRequest.getMethod();
LOG.trace("method={}", method);
List<Permissions> permissions = policy.getPermissions();
LOG.trace("perm={}", permissions);
if(permissions !=null) {
for (Permissions permission : permissions) {
final String role = permission.getRole();
LOG.trace("role={}", role);
Set<Permissions.Actions> actions = permission.getActions();
if (actions != null) {
for (Permissions.Actions action : actions) {
LOG.trace("action={}", action.getName());
if (action.getName().equalsIgnoreCase(method)) {
final boolean hasRole = subject.hasRole(role);
LOG.trace("hasRole({})={}", role, hasRole);
if (hasRole) {
return true;
}
}
}
}
else{
LOG.trace("no actions found");
}
}
}
else {
LOG.trace("no permissions found");
}
LOG.debug("couldn't authorize the user for access");
sendError(response, 403, "");
return false;
}
}
LOG.debug("no path found that matches {}", requestURI);
sendError(response, 403, "");
return defaultReturnValue;
}
private void sendError(ServletResponse response, int code, String message) {
if(response instanceof HttpServletResponse){
try {
((HttpServletResponse)response).sendError(code, message);
} catch (IOException e) {
LOG.warn("unable to send {} {} response: ", code, message, e);
}
}
else{
LOG.warn("unable to send {} {} response", code, message);
}
}
}
|
