diff options
Diffstat (limited to 'src/main/java/org')
4 files changed, 267 insertions, 10 deletions
diff --git a/src/main/java/org/onap/clamp/authorization/AuthorizationController.java b/src/main/java/org/onap/clamp/authorization/AuthorizationController.java new file mode 100644 index 00000000..20610275 --- /dev/null +++ b/src/main/java/org/onap/clamp/authorization/AuthorizationController.java @@ -0,0 +1,147 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP CLAMP + * ================================================================================ + * Copyright (C) 2019 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * =================================================================== + * + */ + +package org.onap.clamp.authorization; + +import com.att.eelf.configuration.EELFLogger; +import com.att.eelf.configuration.EELFManager; + +import java.util.Date; + +import javax.ws.rs.NotAuthorizedException; + +import org.apache.camel.Exchange; +import org.onap.clamp.clds.config.ClampProperties; +import org.onap.clamp.clds.service.SecureServiceBase; +import org.onap.clamp.clds.service.SecureServicePermission; +import org.onap.clamp.clds.util.LoggingUtils; +import org.onap.clamp.util.PrincipalUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.stereotype.Component; + +/** + * Create CLDS Event. + */ +@Component +public class AuthorizationController { + + protected static final EELFLogger logger = EELFManager.getInstance().getLogger(SecureServiceBase.class); + protected static final EELFLogger auditLogger = EELFManager.getInstance().getMetricsLogger(); + protected static final EELFLogger securityLogger = EELFManager.getInstance().getSecurityLogger(); + + // By default we'll set it to a default handler + @Autowired + private ClampProperties refProp; + + private SecurityContext securityContext = SecurityContextHolder.getContext(); + private final static String permPrefix = "security.permission.type."; + private final static String permInstance = "security.permission.instance"; + + public AuthorizationController() { + } + /** + * Insert event using process variables. + * + * @param camelExchange + * The Camel Exchange object containing the properties + * @param actionState + * The action state that is used instead of the one in exchange property + */ + + public void authorize (Exchange camelExchange, String typeVar, String instanceVar, String action) { + String type = refProp.getStringValue(permPrefix + typeVar); + String instance = refProp.getStringValue(permInstance); + + if (null == type || type.isEmpty()) { + //authorization is turned off, since the permission is not defined + return; + } + if (null != instanceVar && !instanceVar.isEmpty()) { + instance = instanceVar; + } + String principalName = PrincipalUtils.getPrincipalName(); + SecureServicePermission perm = SecureServicePermission.create(type, instance, action); + Date startTime = new Date(); + LoggingUtils.setTargetContext("Clamp", "authorize"); + LoggingUtils.setTimeContext(startTime, new Date()); + securityLogger.debug("checking if {} has permission: {}", principalName, perm); + try { + isUserPermitted(perm); + } catch (NotAuthorizedException nae) { + String msg = principalName + " does not have permission: " + perm; + LoggingUtils.setErrorContext("100", "Authorization Error"); + securityLogger.warn(msg); + throw new NotAuthorizedException(msg); + } + } + + private boolean isUserPermitted(SecureServicePermission inPermission) { + boolean authorized = false; + String principalName = PrincipalUtils.getPrincipalName(); + // check if the user has the permission key or the permission key with a + // combination of all instance and/or all action. + if (hasRole(inPermission.getKey())) { + auditLogger.info("{} authorized because user has permission with * for instance: {}", principalName, inPermission.getKey()); + authorized = true; + // the rest of these don't seem to be required - isUserInRole method + // appears to take * as a wildcard + } else if (hasRole(inPermission.getKeyAllInstance())) { + auditLogger.info("{} authorized because user has permission with * for instance: {}", principalName, inPermission.getKey()); + authorized = true; + } else if (hasRole(inPermission.getKeyAllInstanceAction())) { + auditLogger.info("{} authorized because user has permission with * for instance and * for action: {}", principalName, inPermission.getKey()); + authorized = true; + } else if (hasRole(inPermission.getKeyAllAction())) { + auditLogger.info("{} authorized because user has permission with * for action: {}", principalName, inPermission.getKey()); + authorized = true; + } else { + throw new NotAuthorizedException(""); + } + return authorized; + } + + public boolean isUserPermittedNoException(SecureServicePermission inPermission) { + try { + return isUserPermitted (inPermission); + } catch (NotAuthorizedException e) { + return false; + } + } + + protected boolean hasRole(String role) { + Authentication authentication = PrincipalUtils.getSecurityContext().getAuthentication(); + if (authentication == null) { + return false; + } + for (GrantedAuthority auth : authentication.getAuthorities()) { + if (role.equals(auth.getAuthority())) + return true; + } + return false; + } + +} diff --git a/src/main/java/org/onap/clamp/loop/LoopController.java b/src/main/java/org/onap/clamp/loop/LoopController.java index 7e451749..2bcce1e3 100644 --- a/src/main/java/org/onap/clamp/loop/LoopController.java +++ b/src/main/java/org/onap/clamp/loop/LoopController.java @@ -24,6 +24,8 @@ package org.onap.clamp.loop; import com.google.gson.JsonArray; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; import com.google.gson.reflect.TypeToken; import java.lang.reflect.Type; @@ -60,13 +62,17 @@ public class LoopController { public Loop updateOperationalPolicies(String loopName, JsonArray operationalPoliciesJson) { List<OperationalPolicy> operationalPolicies = JsonUtils.GSON .fromJson(operationalPoliciesJson, OPERATIONAL_POLICY_TYPE); - return loopService.updateOperationalPolicies(loopName, operationalPolicies); + return loopService.updateAndSaveOperationalPolicies(loopName, operationalPolicies); } public Loop updateMicroservicePolicies(String loopName, JsonArray microServicePoliciesJson) { List<MicroServicePolicy> microservicePolicies = JsonUtils.GSON .fromJson(microServicePoliciesJson, MICROSERVICE_POLICY_TYPE); - return loopService.updateMicroservicePolicies(loopName, microservicePolicies); + return loopService.updateAndSaveMicroservicePolicies(loopName, microservicePolicies); + } + + public Loop updateGlobalPropertiesJson(String loopName, JsonObject globalProperties){ + return loopService.updateAndSaveGlobalPropertiesJson(loopName, globalProperties); } public String getSVGRepresentation(String loopName) { diff --git a/src/main/java/org/onap/clamp/loop/LoopService.java b/src/main/java/org/onap/clamp/loop/LoopService.java index 91b4bdf8..cf2f4c66 100644 --- a/src/main/java/org/onap/clamp/loop/LoopService.java +++ b/src/main/java/org/onap/clamp/loop/LoopService.java @@ -26,6 +26,8 @@ package org.onap.clamp.loop; import java.util.List; import java.util.Set; import javax.persistence.EntityNotFoundException; + +import com.google.gson.JsonObject; import org.onap.clamp.policy.microservice.MicroservicePolicyService; import org.onap.clamp.policy.operational.OperationalPolicyService; import org.onap.clamp.policy.microservice.MicroServicePolicy; @@ -66,22 +68,42 @@ public class LoopService { return closedLoopByName.getSvgRepresentation(); } - Loop updateOperationalPolicies(String loopName, List<OperationalPolicy> newOperationalPolicies) { + Loop updateAndSaveOperationalPolicies(String loopName, List<OperationalPolicy> newOperationalPolicies) { Loop loop = findClosedLoopByName(loopName); - Set<OperationalPolicy> newPolicies = operationalPolicyService - .updatePolicies(loop, newOperationalPolicies); + updateOperationalPolicies(loop, newOperationalPolicies); + return loopsRepository.save(loop); + } - loop.setOperationalPolicies(newPolicies); + Loop updateAndSaveMicroservicePolicies(String loopName, List<MicroServicePolicy> newMicroservicePolicies) { + Loop loop = findClosedLoopByName(loopName); + updateMicroservicePolicies(loop, newMicroservicePolicies); return loopsRepository.save(loop); } - Loop updateMicroservicePolicies(String loopName, List<MicroServicePolicy> newMicroservicePolicies) { + Loop updateAndSaveGlobalPropertiesJson(String loopName, JsonObject newGlobalPropertiesJson) { Loop loop = findClosedLoopByName(loopName); - Set<MicroServicePolicy> newPolicies = microservicePolicyService - .updatePolicies(loop, newMicroservicePolicies); + updateGlobalPropertiesJson(loop, newGlobalPropertiesJson); + return loopsRepository.save(loop); + } + private Loop updateOperationalPolicies(Loop loop, List<OperationalPolicy> newOperationalPolicies) { + Set<OperationalPolicy> newPolicies = operationalPolicyService + .updatePolicies(loop, newOperationalPolicies); + + loop.setOperationalPolicies(newPolicies); + return loop; + } + + private Loop updateMicroservicePolicies(Loop loop, List<MicroServicePolicy> newMicroservicePolicies) { + Set<MicroServicePolicy> newPolicies = microservicePolicyService + .updatePolicies(loop, newMicroservicePolicies); loop.setMicroServicePolicies(newPolicies); - return loopsRepository.save(loop); + return loop; + } + + private Loop updateGlobalPropertiesJson(Loop loop, JsonObject newGlobalPropertiesJson) { + loop.setGlobalPropertiesJson(newGlobalPropertiesJson); + return loop; } private Loop findClosedLoopByName(String loopName) { diff --git a/src/main/java/org/onap/clamp/util/PrincipalUtils.java b/src/main/java/org/onap/clamp/util/PrincipalUtils.java new file mode 100644 index 00000000..ec089834 --- /dev/null +++ b/src/main/java/org/onap/clamp/util/PrincipalUtils.java @@ -0,0 +1,82 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP CLAMP + * ================================================================================ + * Copyright (C) 2019 AT&T Intellectual Property. All rights + * reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END============================================ + * Modifications copyright (c) 2018 Nokia + * =================================================================== + * + */ + +package org.onap.clamp.util; + +import java.util.Date; + +import org.onap.clamp.clds.service.DefaultUserNameHandler; +import org.onap.clamp.clds.service.UserNameHandler; +import org.onap.clamp.clds.util.LoggingUtils; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.userdetails.UserDetails; + +public class PrincipalUtils { + private static UserNameHandler userNameHandler = new DefaultUserNameHandler(); + private static SecurityContext securityContext = SecurityContextHolder.getContext(); + + /** + * Get the Full name. + * + * @return + */ + public static String getUserName() { + String name = userNameHandler.retrieveUserName(securityContext); + Date startTime = new Date(); + LoggingUtils.setTargetContext("CLDS", "getUserName"); + LoggingUtils.setTimeContext(startTime, new Date()); + return name; + } + + /** + * Get the userId from AAF/CSP. + * + * @return + */ + public static String getUserId() { + return getUserName(); + } + + /** + * Get the principal name. + * + * @return + */ + public static String getPrincipalName() { + String principal = ((UserDetails)securityContext.getAuthentication().getPrincipal()).getUsername(); + String name = "Not found"; + if (principal != null) { + name = principal; + } + return name; + } + public static void setSecurityContext(SecurityContext securityContext) { + PrincipalUtils.securityContext = securityContext; + } + + public static SecurityContext getSecurityContext() { + return securityContext; + } +} |