Diffstat (limited to 'src/main/java/org/onap/clamp/authorization/AuthorizationController.java')
-rw-r--r-- | src/main/java/org/onap/clamp/authorization/AuthorizationController.java | 62 |
1 files changed, 19 insertions, 43 deletions
diff --git a/src/main/java/org/onap/clamp/authorization/AuthorizationController.java b/src/main/java/org/onap/clamp/authorization/AuthorizationController.java
index 511b9509..4a35f458 100644
--- a/src/main/java/org/onap/clamp/authorization/AuthorizationController.java
+++ b/src/main/java/org/onap/clamp/authorization/AuthorizationController.java
@@ -5,6 +5,8 @@
 * Copyright (C) 2019 AT&T Intellectual Property. All rights
 * reserved.
 * ================================================================================
+ * Modifications Copyright (c) 2019 Samsung
+ * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
@@ -39,8 +41,6 @@ import org.onap.clamp.util.PrincipalUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 /**
@@ -57,12 +57,8 @@ public class AuthorizationController {
 @Autowired
 private ClampProperties refProp;
- private SecurityContext securityContext = SecurityContextHolder.getContext();
- private static final String permPrefix = "security.permission.type.";
- private static final String permInstance = "security.permission.instance";
-
- public AuthorizationController() {
- }
+ private static final String PERM_PREFIX = "security.permission.type.";
+ private static final String PERM_INSTANCE = "security.permission.instance";
 /**
 * Insert authorize the api based on the permission
@@ -77,8 +73,8 @@ public class AuthorizationController {
 * The action of the permissions. e.g. read
 */
 public void authorize(Exchange camelExchange, String typeVar, String instanceVar, String action) {
- String type = refProp.getStringValue(permPrefix + typeVar);
- String instance = refProp.getStringValue(permInstance);
+ String type = refProp.getStringValue(PERM_PREFIX + typeVar);
+ String instance = refProp.getStringValue(PERM_INSTANCE);
 if (null == type || type.isEmpty()) {
 //authorization is turned off, since the permission is not defined
@@ -93,9 +89,8 @@ public class AuthorizationController {
 LoggingUtils.setTargetContext("Clamp", "authorize");
 LoggingUtils.setTimeContext(startTime, new Date());
 securityLogger.debug("checking if {} has permission: {}", principalName, perm);
- try {
- isUserPermitted(perm);
- } catch (NotAuthorizedException nae) {
+
+ if (!isUserPermitted(perm)){
 String msg = principalName + " does not have permission: " + perm;
 LoggingUtils.setErrorContext("100", "Authorization Error");
 securityLogger.warn(msg);
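Review bot: The new guard `if (!isUserPermitted(perm)){` in the -93 hunk is missing the space before the brace and leaves a stray blank line where the `try` was; `if (!isUserPermitted(perm)) {` with the blank line dropped reads as the rest of the file does. More importantly, denial is now a boolean branch rather than a caught exception, so whether an unauthorized caller is actually rejected depends entirely on the statements that follow `securityLogger.warn(msg);`, which lie below the hunk; presumably that tail still throws, but it is worth confirming that the refactor did not leave a log-only path. The body of authorize continues outside the hunk.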
@@ -103,45 +98,26 @@ public class AuthorizationController {
 }
 }
- private boolean isUserPermitted(SecureServicePermission inPermission) {
- boolean authorized = false;
+ public boolean isUserPermitted(SecureServicePermission inPermission) {
+ String principalName = PrincipalUtils.getPrincipalName();
 // check if the user has the permission key or the permission key with a
 // combination of all instance and/or all action.
- if (hasRole(inPermission.getKey())) {
- auditLogger.info("{} authorized because user has permission with * for instance: {}",
- principalName, inPermission.getKey());
- authorized = true;
+ if (hasRole(inPermission.getKey()) || hasRole(inPermission.getKeyAllInstance())) {
+ auditLogger.info("{} authorized because user has permission with * for instance: {}",
+ principalName, inPermission.getKey());
+ return true;
 // the rest of these don't seem to be required - isUserInRole method
 // appears to take * as a wildcard
- } else if (hasRole(inPermission.getKeyAllInstance())) {
- auditLogger.info("{} authorized because user has permission with * for instance: {}",
- principalName, inPermission.getKey());
- authorized = true;
 } else if (hasRole(inPermission.getKeyAllInstanceAction())) {
- auditLogger.info("{} authorized because user has permission with * for instance and * for action: {}",
- principalName, inPermission.getKey());
- authorized = true;
+ auditLogger.info("{} authorized because user has permission with * for instance and * for action: {}",
+ principalName, inPermission.getKey());
+ return true;
 } else if (hasRole(inPermission.getKeyAllAction())) {
 auditLogger.info("{} authorized because user has permission with * for action: {}",
- principalName, inPermission.getKey());
- authorized = true;
+ principalName, inPermission.getKey());
+ return true;
 } else {
- throw new NotAuthorizedException("");
- }
- return authorized;
- }
-
- /**
- * Verify whether the user has the permission.
- *
- * @param inPermission
- * The permissions to verify
- */
- public boolean isUserPermittedNoException(SecureServicePermission inPermission) {
- try {
- return isUserPermitted(inPermission);
- } catch (NotAuthorizedException e) {
 return false;
 }
 }
|
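Review bot: `isUserPermitted` is widened from private to public but gets no Javadoc, while the only Javadoc in this area (on the removed `isUserPermittedNoException`) is deleted with it; as this is now the class's public permission check, add something like `/** Checks whether the current principal holds the given permission, either by exact key or by one of its wildcard (all-instance / all-action) variants. Returns true when authorized and false otherwise; never throws. */` above the signature. The merged first branch reuses the message "authorized because user has permission with * for instance" for both `getKey()` and `getKeyAllInstance()` matches, so the audit entry claims a wildcard instance grant even when the exact key authorized the call; logging the key that actually matched, or splitting the two cases again, keeps the audit trail accurate. The removal of `isUserPermittedNoException` compiles cleanly only for callers the compiler can see; if anything outside this file resolved that method by name at runtime (route or expression strings, for instance), it will break silently, so a repository-wide search for the name is worthwhile before merging.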