1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
package org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters;
import com.google.common.collect.Iterables;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.opendaylight.mdsal.binding.api.*;
import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.HttpAuthorization;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization.policies.Policies;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.permission.Permissions;
import org.opendaylight.yangtools.concepts.ListenerRegistration;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.Filter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.*;
import java.util.concurrent.ExecutionException;
import static com.google.common.base.Preconditions.checkArgument;
import static java.util.Objects.requireNonNull;
public class CustomizedMDSALDynamicAuthorizationFilter extends AuthorizationFilter
implements ClusteredDataTreeChangeListener<HttpAuthorization> {
private static final Logger LOG = LoggerFactory.getLogger(CustomizedMDSALDynamicAuthorizationFilter.class);
private static final DataTreeIdentifier<HttpAuthorization> AUTHZ_CONTAINER = DataTreeIdentifier.create(
LogicalDatastoreType.CONFIGURATION, InstanceIdentifier.create(HttpAuthorization.class));
private final DataBroker dataBroker;
private ListenerRegistration<?> reg;
private volatile ListenableFuture<Optional<HttpAuthorization>> authContainer;
private static final ThreadLocal<DataBroker> DATABROKER_TL = new ThreadLocal<>();
public CustomizedMDSALDynamicAuthorizationFilter() {
dataBroker = requireNonNull(DATABROKER_TL.get());
}
@Override
public Filter processPathConfig(final String path, final String config) {
try (ReadTransaction tx = dataBroker.newReadOnlyTransaction()) {
authContainer = tx.read(AUTHZ_CONTAINER.getDatastoreType(), AUTHZ_CONTAINER.getRootIdentifier());
}
this.reg = dataBroker.registerDataTreeChangeListener(AUTHZ_CONTAINER, this);
return super.processPathConfig(path, config);
}
@Override
public void destroy() {
if (reg != null) {
reg.close();
reg = null;
}
super.destroy();
}
@Override
public void onDataTreeChanged(final Collection<DataTreeModification<HttpAuthorization>> changes) {
final HttpAuthorization newVal = Iterables.getLast(changes).getRootNode().getDataAfter();
LOG.debug("Updating authorization information to {}", newVal);
authContainer = Futures.immediateFuture(Optional.ofNullable(newVal));
}
@Override
public boolean isAccessAllowed(final ServletRequest request, final ServletResponse response,
final Object mappedValue) {
checkArgument(request instanceof HttpServletRequest, "Expected HttpServletRequest, received {}", request);
final boolean defaultReturnValue=false;
final Subject subject = getSubject(request, response);
final HttpServletRequest httpServletRequest = (HttpServletRequest)request;
final String requestURI = httpServletRequest.getRequestURI();
LOG.debug("isAccessAllowed for user={} to requestURI={}", subject, requestURI);
final Optional<HttpAuthorization> authorizationOptional;
try {
authorizationOptional = authContainer.get();
} catch (ExecutionException | InterruptedException e) {
// Something went completely wrong trying to read the authz container. Deny access.
LOG.warn("MDSAL attempt to read Http Authz Container failed, disallowing access", e);
return false;
}
if (!authorizationOptional.isPresent()) {
// The authorization container does not exist-- hence no authz rules are present
// Allow access.
LOG.debug("Authorization Container does not exist");
return defaultReturnValue;
}
final HttpAuthorization httpAuthorization = authorizationOptional.get();
final var policies = httpAuthorization.getPolicies();
List<Policies> policiesList = policies != null ? policies.getPolicies() : null;
if (policiesList == null || policiesList.isEmpty()) {
// The authorization container exists, but no rules are present. Allow access.
LOG.debug("Exiting early since no authorization rules exist");
sendError(response, 403, "");
return defaultReturnValue;
}
// Sort the Policies list based on index
policiesList = new ArrayList<>(policiesList);
policiesList.sort(Comparator.comparing(Policies::getIndex));
for (Policies policy : policiesList) {
final String resource = policy.getResource();
final boolean pathsMatch = pathsMatch(resource, requestURI);
if (pathsMatch) {
LOG.debug("paths match for policy {} pattern={} and requestURI={}", policy.getIndex(), resource, requestURI);
final String method = httpServletRequest.getMethod();
LOG.trace("method={}", method);
List<Permissions> permissions = policy.getPermissions();
LOG.trace("perm={}", permissions);
if(permissions !=null) {
for (Permissions permission : permissions) {
final String role = permission.getRole();
LOG.trace("role={}", role);
Set<Permissions.Actions> actions = permission.getActions();
if (actions != null) {
for (Permissions.Actions action : actions) {
LOG.trace("action={}", action.getName());
if (action.getName().equalsIgnoreCase(method)) {
final boolean hasRole = subject.hasRole(role);
LOG.trace("hasRole({})={}", role, hasRole);
if (hasRole) {
return true;
}
}
}
}
else{
LOG.trace("no actions found");
}
}
}
else {
LOG.trace("no permissions found");
}
LOG.debug("couldn't authorize the user for access");
sendError(response, 403, "");
return false;
}
}
LOG.debug("no path found that matches {}", requestURI);
sendError(response, 403, "");
return defaultReturnValue;
}
private void sendError(ServletResponse response, int code, String message) {
if(response instanceof HttpServletResponse){
try {
((HttpServletResponse)response).sendError(code, message);
} catch (IOException e) {
LOG.warn("unable to send {} {} response: ", code, message, e);
}
}
else{
LOG.warn("unable to send {} {} response", code, message);
}
}
}
|
