diff options
Diffstat (limited to 'src/main/java/org/openecomp/dmaapbc/authentication')
4 files changed, 251 insertions, 157 deletions
diff --git a/src/main/java/org/openecomp/dmaapbc/authentication/ApiPermissionInterface.java b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPermissionInterface.java new file mode 100644 index 0000000..ac29cae --- /dev/null +++ b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPermissionInterface.java @@ -0,0 +1,28 @@ +/*- + * ============LICENSE_START======================================================= + * OpenECOMP - org.openecomp.dmaapbc + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.dmaapbc.authentication; + +import org.openecomp.dmaapbc.aaf.DmaapPerm; + +public interface ApiPermissionInterface { + public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException; + +} diff --git a/src/main/java/org/openecomp/dmaapbc/authentication/ApiPerms.java b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPerms.java new file mode 100644 index 0000000..54e90dd --- /dev/null +++ b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPerms.java @@ -0,0 +1,166 @@ +/*- + * ============LICENSE_START======================================================= + * OpenECOMP - org.openecomp.dmaapbc + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.dmaapbc.authentication; + +import com.att.eelf.configuration.EELFLogger; +import com.att.eelf.configuration.EELFManager; +import org.openecomp.dmaapbc.aaf.AafService; +import org.openecomp.dmaapbc.aaf.DmaapGrant; +import org.openecomp.dmaapbc.aaf.DmaapPerm; +import org.openecomp.dmaapbc.aaf.AafService.ServiceType; +import org.openecomp.dmaapbc.logging.BaseLoggingClass; +import org.openecomp.dmaapbc.logging.DmaapbcLogMessageEnum; +import org.openecomp.dmaapbc.model.Dmaap; +import org.openecomp.dmaapbc.service.DmaapService; +import org.openecomp.dmaapbc.util.DmaapConfig; + +public class ApiPerms extends BaseLoggingClass { + + private static class PermissionMap { + static final EELFLogger logger = EELFManager.getInstance().getLogger( PermissionMap.class ); + static final EELFLogger errorLogger = EELFManager.getInstance().getErrorLogger(); + String uri; + String action; + String[] roles; + + public String getUri() { + return uri; + } + public void setUri(String uri) { + this.uri = uri; + } + public String getAction() { + return action; + } + public void setAction(String action) { + this.action = action; + } + + public String[] getRoles() { + return roles; + } + public void setRoles(String[] roles) { + this.roles = roles; + } + + private PermissionMap( String u, String a, String[] r ) { + this.setUri(u); + this.setAction(a); + this.setRoles(r); + } + + static public void initMap( PermissionMap[] pmap, String instance ) { + + DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig(); + String api = p.getProperty("ApiNamespace", "apiNamespace.not.set"); + + // this is needed because PE AAF may be a different instance than AAF used by MR + String peEnv = p.getProperty("PeAafEnvironment", "notSet"); + String url = p.getProperty( new String( "PeAafUrl." + peEnv ), "URL.not.set" ); + logger.info( "PeAafEnvironment=" + peEnv + " using URL " + url); + AafService aaf = new AafService(ServiceType.AAF_Admin, url ); + + for ( int i = 0; i < pmap.length ; i++ ) { + String uri = new String( api + "." + pmap[i].getUri()); + DmaapPerm perm = new DmaapPerm( uri, instance, pmap[i].getAction() ); + int rc = aaf.addPerm( perm ); + if ( rc != 201 && rc != 409 ) { + errorLogger.error( DmaapbcLogMessageEnum.AAF_UNEXPECTED_RESPONSE, Integer.toString(rc), "add perm", perm.toString() ); + + } + for( String r: pmap[i].getRoles()) { + String fr = new String( api + "." + r ); + logger.debug( "i:" + i + " granting perm " + perm.toString()+ " to role=" + fr ); + DmaapGrant grant = new DmaapGrant( perm, fr ); + rc = aaf.addGrant( grant ); + if ( rc != 201 && rc != 409 ) { + errorLogger.error( DmaapbcLogMessageEnum.AAF_UNEXPECTED_RESPONSE, Integer.toString(rc), "grant perm", perm.toString() ); + } + } + + } + } + } + + static PermissionMap[] bootMap = { + new PermissionMap( "dmaap", "GET", new String[] { "Controller" }), + new PermissionMap( "dmaap", "POST", new String[] { "Controller" }), + new PermissionMap( "dmaap", "PUT", new String[] { "Controller" }), + new PermissionMap( "dmaap", "DELETE", new String[] { "Controller" }) + + }; + + static PermissionMap[] envMap = { + new PermissionMap( "dmaap", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }), + new PermissionMap( "dmaap", "POST", new String[] { "Controller" } ), + new PermissionMap( "dmaap", "PUT", new String[] { "Controller" }), + new PermissionMap( "dmaap", "DELETE", new String[] { "Controller" }), + new PermissionMap( "bridge", "GET", new String[] { "Metrics" }), + //new PermissionMap( "bridge", "POST", new String[] { "Metrics" } ), + //new PermissionMap( "bridge", "PUT", new String[] { "Metrics" }), + //new PermissionMap( "bridge", "DELETE", new String[] { "Metrics" }), + new PermissionMap( "dcaeLocations", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }), + new PermissionMap( "dcaeLocations", "POST", new String[] { "Controller" } ), + new PermissionMap( "dcaeLocations", "PUT", new String[] { "Controller" }), + new PermissionMap( "dcaeLocations", "DELETE", new String[] { "Controller" }), + new PermissionMap( "dr_nodes", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "PortalUser" }), + new PermissionMap( "dr_nodes", "POST", new String[] { "Controller" } ), + new PermissionMap( "dr_nodes", "PUT", new String[] { "Controller" }), + new PermissionMap( "dr_nodes", "DELETE", new String[] { "Controller" }), + new PermissionMap( "dr_pubs", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }), + new PermissionMap( "dr_pubs", "POST", new String[] { "Controller", "Orchestrator","PortalUser" } ), + new PermissionMap( "dr_pubs", "PUT", new String[] { "Controller", "Orchestrator","PortalUser" }), + new PermissionMap( "dr_pubs", "DELETE", new String[] { "Controller", "Orchestrator","PortalUser" }), + new PermissionMap( "dr_subs", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }), + new PermissionMap( "dr_subs", "POST", new String[] { "Controller", "Orchestrator","PortalUser" } ), + new PermissionMap( "dr_subs", "PUT", new String[] { "Controller", "Orchestrator","PortalUser" }), + new PermissionMap( "dr_subs", "DELETE", new String[] { "Controller", "Orchestrator","PortalUser" }), + new PermissionMap( "feeds", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }), + new PermissionMap( "feeds", "POST", new String[] { "Controller", "Orchestrator","PortalUser" } ), + new PermissionMap( "feeds", "PUT", new String[] { "Controller", "Orchestrator", "PortalUser" }), + new PermissionMap( "feeds", "DELETE", new String[] { "Controller", "PortalUser" }), + new PermissionMap( "mr_clients", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }), + new PermissionMap( "mr_clients", "POST", new String[] { "Controller","Orchestrator", "PortalUser" } ), + new PermissionMap( "mr_clients", "PUT", new String[] { "Controller", "Orchestrator","PortalUser" }), + new PermissionMap( "mr_clients", "DELETE", new String[] { "Controller","Orchestrator", "PortalUser" }), + new PermissionMap( "mr_clusters", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }), + new PermissionMap( "mr_clusters", "POST", new String[] { "Controller" } ), + new PermissionMap( "mr_clusters", "PUT", new String[] { "Controller" }), + new PermissionMap( "mr_clusters", "DELETE", new String[] { "Controller" }), + new PermissionMap( "topics", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }), + new PermissionMap( "topics", "POST", new String[] { "Controller", "Orchestrator" } ), + new PermissionMap( "topics", "PUT", new String[] { "Controller", "Orchestrator" }), + new PermissionMap( "topics", "DELETE", new String[] { "Controller", "Orchestrator" }) + }; + + public void setBootMap() { + String instance = "boot"; + PermissionMap.initMap( bootMap, instance ); + } + + public void setEnvMap() { + Dmaap dmaap = new DmaapService().getDmaap(); + String dmaap_name = dmaap.getDmaapName(); + PermissionMap.initMap( envMap, dmaap_name ); + } + + +} diff --git a/src/main/java/org/openecomp/dmaapbc/authentication/ApiPolicy.java b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPolicy.java new file mode 100644 index 0000000..d8be7a8 --- /dev/null +++ b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPolicy.java @@ -0,0 +1,57 @@ +/*- + * ============LICENSE_START======================================================= + * OpenECOMP - org.openecomp.dmaapbc + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.openecomp.dmaapbc.authentication; + +import org.openecomp.dmaapbc.aaf.DmaapPerm; +import org.openecomp.dmaapbc.logging.BaseLoggingClass; +import org.openecomp.dmaapbc.logging.DmaapbcLogMessageEnum; +import org.openecomp.dmaapbc.util.DmaapConfig; + +public class ApiPolicy extends BaseLoggingClass { + static String allow = "allow"; + String dClass = null; + ApiPermissionInterface perm = null; + + public ApiPolicy() { + DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig(); + dClass = p.getProperty( "ApiPermission.Class", allow ); + logger.info( "ApiPolicy implements " + dClass); + if ( dClass.equalsIgnoreCase( allow )) { + return; + } + + try { + perm = (ApiPermissionInterface) (Class.forName(dClass).newInstance()); + } catch (Exception ee ) { + errorLogger.error(DmaapbcLogMessageEnum.UNEXPECTED_CONDITION, "attempting to instantiate " + dClass ); + } + } + + public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException { + if ( dClass.equalsIgnoreCase( allow )) { + return; + } + + // execute check of loaded class + perm.check( mechid, pwd, p ); + + } + +} diff --git a/src/main/java/org/openecomp/dmaapbc/authentication/DecisionPolicy.java b/src/main/java/org/openecomp/dmaapbc/authentication/DecisionPolicy.java deleted file mode 100644 index 4384c56..0000000 --- a/src/main/java/org/openecomp/dmaapbc/authentication/DecisionPolicy.java +++ /dev/null @@ -1,157 +0,0 @@ -/*-
- * ============LICENSE_START======================================================= - * OpenECOMP - org.openecomp.dmaapbc - * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License. - * ============LICENSE_END=========================================================
- */
-
-package org.openecomp.dmaapbc.authentication;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.UUID;
-
-
-
-
-
-
-
-
-
-
-import org.apache.log4j.Logger;
-import org.openecomp.dmaapbc.aaf.DmaapPerm;
-import org.openecomp.dmaapbc.util.DmaapConfig;
-
-/* disable until available...
-import org.openecomp.policy.api.DecisionRequestParameters;
-import org.openecomp.policy.api.PolicyDecision;
-import org.openecomp.policy.api.DecisionResponse;
-import org.openecomp.policy.api.PolicyDecisionException;
-import org.openecomp.policy.api.PolicyEngine;
-import org.openecomp.policy.api.PolicyEngineException;
-*/
-
-public class DecisionPolicy {
- static final Logger logger = Logger.getLogger(DecisionPolicy.class);
- //PolicyEngine policyEngine = null;
- String aafEnvironment;
-
- public DecisionPolicy() {
- logger.info("Constructing DecisionPolicy using property");
- DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
- String config = p.getProperty("PolicyEngineProperties", "etc/PolicyEngineApi.properties");
- aafEnvironment = p.getProperty("PeAafEnvironment", "PROD"); // TEST= UAT, PROD = PROD, DEVL = TEST
- logger.info( "Initializing DecisionPolicy for env " + aafEnvironment + " using " + config);
- this.init( config );
- }
- public DecisionPolicy( String config ) {
- logger.info("Constructing DecisionPolicy using arg " + config );
- this.init( config );
- }
-
- public void init( String config ) {
- logger.info( "stubbed out PolicyEngine()" );
-/*
- try {
- policyEngine = new PolicyEngine( config );
- } catch (PolicyEngineException e) {
- logger.error( "Trying to read " + config + " and caught PolicyEngineException" + e );
- }
-*/
- }
- public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException {
- logger.debug( mechid + " Permitted to do action " + p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
-
-/*
- // Create a Decision Policy Request.
- DecisionRequestParameters decisionRequestParameters = new DecisionRequestParameters();
- decisionRequestParameters.setECOMPComponentName("DMaaP"); // Required ECOMP Name
- decisionRequestParameters.setRequestID(UUID.randomUUID()); // Optional UUID Request
- // Put all the required Attributes into Decision Attributes.
-
- HashMap<String,String> decisionAttributes = new HashMap<String, String>();
- decisionAttributes.put("AAF_ID", mechid); // Fully qualified ID.
- decisionAttributes.put("AAF_PASS", pwd);
- decisionAttributes.put("AAF_TYPE", p.getPermission());
- decisionAttributes.put("AAF_INSTANCE", p.getPtype());
- decisionAttributes.put("AAF_ACTION", p.getAction());
- decisionAttributes.put("AAF_ENVIRONMENT", aafEnvironment); // TEST= UAT, PROD = PROD, DEVL = TEST
- decisionRequestParameters.setDecisionAttributes(decisionAttributes);
- // Send the request to Policy Engine and that returns a PolicyDecision Object.
- try {
- DecisionResponse response = policyEngine.getDecision(decisionRequestParameters);
- if(response.getDecision().equals(PolicyDecision.PERMIT)){
- logger.debug( mechid + " Permitted to do action " + p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
- }else{
- logger.debug( mechid + " NOT Permited to do action "+ p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
- logger.debug(response.getDetails());
- throw new AuthenticationErrorException();
- }
- } catch (PolicyDecisionException e) {
- System.err.println(e);
- logger.error(e);
- throw new AuthenticationErrorException();
- }
-*/
-
-
-
- }
-
-/*
- public static void main(String args[]){
- DecisionPolicy d = new DecisionPolicy();
- d.test();
- }
-
- public void test() {
-
- // TODO: pass in users and pwd from cmd line
- String[] ids = {"user1@namespace1",
- "user2@namespace2"};
- String[] pwds = {
- "pwd1",
- "pwd2"
- };
- List<DmaapPerm> perms = new ArrayList<DmaapPerm>();
-
-
- perms.add( new DmaapPerm("org.openecomp.dmaapBC.dmaap", "mtnje2", "POST"));
- perms.add( new DmaapPerm("org.openecomp.dmaapBC.dcaeLocations", "mtnje2", "POST"));
- perms.add( new DmaapPerm("org.openecomp.dmaapBC.dmaap", "mtnje2", "GET"));
- perms.add( new DmaapPerm("org.openecomp.dmaapBC.dmaap", "mtnje2", "PUT"));
- perms.add( new DmaapPerm("org.openecomp.dmaapBC.dmaap", "mtnje2", "DELETE"));
-
-
-
- for( DmaapPerm p : perms ) {
- for( int i = 0; i < ids.length; i++) {
- try {
- this.check( ids[i], pwds[i], p);
- System.out.println( "PERMIT! for "+ ids[i] + " " + p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
- } catch ( AuthenticationErrorException aee ) {
- System.out.println( "FAILED! for "+ ids[i] + " " + p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
- }
- }
- }
-
- }
-*/
-
-}
|