4 files changed, 251 insertions, 157 deletions
diff --git a/src/main/java/org/openecomp/dmaapbc/authentication/ApiPermissionInterface.java b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPermissionInterface.java
new file mode 100644
index 0000000..ac29cae
--- /dev/null
+++ b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPermissionInterface.java
@@ -0,0 +1,28 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * OpenECOMP - org.openecomp.dmaapbc
+ * ================================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.dmaapbc.authentication;
+
+import org.openecomp.dmaapbc.aaf.DmaapPerm;
+
+public interface ApiPermissionInterface {
+	public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException;
+
+}
diff --git a/src/main/java/org/openecomp/dmaapbc/authentication/ApiPerms.java b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPerms.java
new file mode 100644
index 0000000..54e90dd
--- /dev/null
+++ b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPerms.java
@@ -0,0 +1,166 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * OpenECOMP - org.openecomp.dmaapbc
+ * ================================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.dmaapbc.authentication;
+
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+import org.openecomp.dmaapbc.aaf.AafService;
+import org.openecomp.dmaapbc.aaf.DmaapGrant;
+import org.openecomp.dmaapbc.aaf.DmaapPerm;
+import org.openecomp.dmaapbc.aaf.AafService.ServiceType;
+import org.openecomp.dmaapbc.logging.BaseLoggingClass;
+import org.openecomp.dmaapbc.logging.DmaapbcLogMessageEnum;
+import org.openecomp.dmaapbc.model.Dmaap;
+import org.openecomp.dmaapbc.service.DmaapService;
+import org.openecomp.dmaapbc.util.DmaapConfig;
+
+public  class ApiPerms extends BaseLoggingClass {
+	
+	private static class PermissionMap {
+		static final EELFLogger logger = EELFManager.getInstance().getLogger( PermissionMap.class );
+		static final EELFLogger errorLogger = EELFManager.getInstance().getErrorLogger();
+		String uri;
+		String action;
+		String[] roles;
+		
+		public String getUri() {
+			return uri;
+		}
+		public void setUri(String uri) {
+			this.uri = uri;
+		}
+		public String getAction() {
+			return action;
+		}
+		public void setAction(String action) {
+			this.action = action;
+		}
+
+		public String[] getRoles() {
+			return roles;
+		}
+		public void setRoles(String[] roles) {
+			this.roles = roles;
+		}
+
+		private PermissionMap( String u, String a, String[] r ) {
+			this.setUri(u);
+			this.setAction(a);
+			this.setRoles(r);
+		}
+		
+		static public void initMap( PermissionMap[] pmap, String instance ) {
+
+			DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
+			String api = p.getProperty("ApiNamespace", "apiNamespace.not.set");
+			
+			// this is needed because PE AAF may be a different instance than AAF used by MR
+			String peEnv = p.getProperty("PeAafEnvironment", "notSet");
+			String url = p.getProperty( new String( "PeAafUrl." + peEnv ), "URL.not.set" );
+			logger.info( "PeAafEnvironment=" + peEnv + " using URL " + url);
+			AafService aaf = new AafService(ServiceType.AAF_Admin, url );
+			
+			for ( int i = 0; i < pmap.length ; i++ ) {
+				String uri = new String( api + "." + pmap[i].getUri());
+				DmaapPerm perm = new DmaapPerm( uri, instance, pmap[i].getAction() );
+				int rc = aaf.addPerm( perm );
+				if ( rc != 201 &&  rc != 409 ) {
+					errorLogger.error( DmaapbcLogMessageEnum.AAF_UNEXPECTED_RESPONSE,  Integer.toString(rc), "add perm",  perm.toString() );
+
+				}
+				for( String r: pmap[i].getRoles()) {
+					String fr = new String( api + "." + r );
+					logger.debug( "i:" + i + " granting perm " + perm.toString()+ " to role=" + fr );
+					DmaapGrant grant = new DmaapGrant( perm, fr );
+					rc = aaf.addGrant( grant );
+					if ( rc != 201 && rc != 409 ) {
+						errorLogger.error( DmaapbcLogMessageEnum.AAF_UNEXPECTED_RESPONSE,  Integer.toString(rc), "grant perm",  perm.toString() );
+					}
+				}
+				
+			}
+		}
+	}
+	
+	static PermissionMap[] bootMap = {
+		new PermissionMap( "dmaap", "GET", new String[] { "Controller" }),
+		new PermissionMap( "dmaap", "POST", new String[] { "Controller" }),	
+		new PermissionMap( "dmaap", "PUT", new String[] { "Controller" }),
+		new PermissionMap( "dmaap", "DELETE", new String[] { "Controller" })
+	
+	};
+
+	static PermissionMap[] envMap = {
+		new PermissionMap( "dmaap", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }),
+		new PermissionMap( "dmaap", "POST", new String[] { "Controller" } ),		
+		new PermissionMap( "dmaap", "PUT", new String[] { "Controller" }),
+		new PermissionMap( "dmaap", "DELETE", new String[] { "Controller" }),
+		new PermissionMap( "bridge", "GET", new String[] {  "Metrics" }),
+		//new PermissionMap( "bridge", "POST", new String[] { "Metrics" } ),		
+		//new PermissionMap( "bridge", "PUT", new String[] { "Metrics" }),
+		//new PermissionMap( "bridge", "DELETE", new String[] { "Metrics" }),
+		new PermissionMap( "dcaeLocations", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }),
+		new PermissionMap( "dcaeLocations", "POST", new String[] { "Controller" } ),		
+		new PermissionMap( "dcaeLocations", "PUT", new String[] { "Controller" }),
+		new PermissionMap( "dcaeLocations", "DELETE", new String[] { "Controller" }),
+		new PermissionMap( "dr_nodes", "GET", new String[] { "Controller", "Orchestrator", "Inventory",  "PortalUser" }),
+		new PermissionMap( "dr_nodes", "POST", new String[] { "Controller" } ),		
+		new PermissionMap( "dr_nodes", "PUT", new String[] { "Controller" }),
+		new PermissionMap( "dr_nodes", "DELETE", new String[] { "Controller" }),
+		new PermissionMap( "dr_pubs", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }),
+		new PermissionMap( "dr_pubs", "POST", new String[] { "Controller", "Orchestrator","PortalUser" } ),		
+		new PermissionMap( "dr_pubs", "PUT", new String[] { "Controller", "Orchestrator","PortalUser" }),
+		new PermissionMap( "dr_pubs", "DELETE", new String[] { "Controller", "Orchestrator","PortalUser" }),
+		new PermissionMap( "dr_subs", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }),
+		new PermissionMap( "dr_subs", "POST", new String[] { "Controller", "Orchestrator","PortalUser" } ),		
+		new PermissionMap( "dr_subs", "PUT", new String[] { "Controller", "Orchestrator","PortalUser" }),
+		new PermissionMap( "dr_subs", "DELETE", new String[] { "Controller", "Orchestrator","PortalUser" }),
+		new PermissionMap( "feeds", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }),
+		new PermissionMap( "feeds", "POST", new String[] { "Controller", "Orchestrator","PortalUser" } ),		
+		new PermissionMap( "feeds", "PUT", new String[] { "Controller", "Orchestrator", "PortalUser" }),
+		new PermissionMap( "feeds", "DELETE", new String[] { "Controller", "PortalUser" }),
+		new PermissionMap( "mr_clients", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }),
+		new PermissionMap( "mr_clients", "POST", new String[] { "Controller","Orchestrator", "PortalUser" } ),		
+		new PermissionMap( "mr_clients", "PUT", new String[] { "Controller", "Orchestrator","PortalUser" }),
+		new PermissionMap( "mr_clients", "DELETE", new String[] { "Controller","Orchestrator", "PortalUser" }),
+		new PermissionMap( "mr_clusters", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }),
+		new PermissionMap( "mr_clusters", "POST", new String[] { "Controller" } ),		
+		new PermissionMap( "mr_clusters", "PUT", new String[] { "Controller" }),
+		new PermissionMap( "mr_clusters", "DELETE", new String[] { "Controller" }),
+		new PermissionMap( "topics", "GET", new String[] { "Controller", "Orchestrator", "Inventory", "Metrics", "PortalUser" }),
+		new PermissionMap( "topics", "POST", new String[] { "Controller", "Orchestrator" } ),		
+		new PermissionMap( "topics", "PUT", new String[] { "Controller", "Orchestrator" }),
+		new PermissionMap( "topics", "DELETE", new String[] { "Controller", "Orchestrator" })
+	};
+	
+	public void setBootMap() {
+		String instance = "boot";
+		PermissionMap.initMap( bootMap, instance );
+	}
+	
+	public void setEnvMap() {
+		Dmaap dmaap = new DmaapService().getDmaap();
+		String dmaap_name = dmaap.getDmaapName();
+		PermissionMap.initMap( envMap, dmaap_name );
+	}
+	
+
+}
diff --git a/src/main/java/org/openecomp/dmaapbc/authentication/ApiPolicy.java b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPolicy.java
new file mode 100644
index 0000000..d8be7a8
--- /dev/null
+++ b/src/main/java/org/openecomp/dmaapbc/authentication/ApiPolicy.java
@@ -0,0 +1,57 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * OpenECOMP - org.openecomp.dmaapbc
+ * ================================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.openecomp.dmaapbc.authentication;
+
+import org.openecomp.dmaapbc.aaf.DmaapPerm;
+import org.openecomp.dmaapbc.logging.BaseLoggingClass;
+import org.openecomp.dmaapbc.logging.DmaapbcLogMessageEnum;
+import org.openecomp.dmaapbc.util.DmaapConfig;
+
+public class ApiPolicy extends BaseLoggingClass {
+	static String allow = "allow";
+	String dClass = null;
+	ApiPermissionInterface perm = null;
+	
+	public ApiPolicy() {
+		DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
+		dClass = p.getProperty( "ApiPermission.Class", allow );
+		logger.info( "ApiPolicy implements " + dClass);
+		if ( dClass.equalsIgnoreCase( allow )) {
+			return;
+		}
+
+		try {
+			perm = (ApiPermissionInterface) (Class.forName(dClass).newInstance());	
+		} catch (Exception ee ) {
+			errorLogger.error(DmaapbcLogMessageEnum.UNEXPECTED_CONDITION, "attempting to instantiate " + dClass  );		
+		}	
+	}
+	
+	public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException {
+		if ( dClass.equalsIgnoreCase( allow )) {
+			return;
+		}
+		
+		// execute check of loaded class
+		perm.check( mechid, pwd, p );
+	
+	}
+
+}
diff --git a/src/main/java/org/openecomp/dmaapbc/authentication/DecisionPolicy.java b/src/main/java/org/openecomp/dmaapbc/authentication/DecisionPolicy.java
deleted file mode 100644
index 4384c56..0000000
--- a/src/main/java/org/openecomp/dmaapbc/authentication/DecisionPolicy.java
+++ /dev/null
@@ -1,157 +0,0 @@
-/*-
- * ============LICENSE_START=======================================================
- * OpenECOMP - org.openecomp.dmaapbc
- * ================================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *      http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.openecomp.dmaapbc.authentication;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.UUID;
- 
-
-
-
-
-
-
-
-
-
-import org.apache.log4j.Logger;
-import org.openecomp.dmaapbc.aaf.DmaapPerm;
-import org.openecomp.dmaapbc.util.DmaapConfig;
-
-/* disable until available...
-import org.openecomp.policy.api.DecisionRequestParameters;
-import org.openecomp.policy.api.PolicyDecision;
-import org.openecomp.policy.api.DecisionResponse;
-import org.openecomp.policy.api.PolicyDecisionException;
-import org.openecomp.policy.api.PolicyEngine;
-import org.openecomp.policy.api.PolicyEngineException;
-*/
- 
-public class DecisionPolicy {
-	static final Logger logger = Logger.getLogger(DecisionPolicy.class);
-	//PolicyEngine policyEngine = null;
-	String  aafEnvironment;
-	
-	public DecisionPolicy() {
-		logger.info("Constructing DecisionPolicy using property");
-		DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
-		String config = p.getProperty("PolicyEngineProperties", "etc/PolicyEngineApi.properties");
-		aafEnvironment = p.getProperty("PeAafEnvironment", "PROD"); // TEST= UAT, PROD = PROD, DEVL = TEST
-		logger.info( "Initializing DecisionPolicy for env " + aafEnvironment + " using " + config);
-		this.init( config );
-	}
-	public DecisionPolicy( String config ) {
-		logger.info("Constructing DecisionPolicy using arg " + config );
-		this.init( config );
-	}
-	
-	public void init( String config ) {
-		logger.info( "stubbed out PolicyEngine()" );
-/*
-		try {
-			policyEngine = new PolicyEngine( config );
-		} catch (PolicyEngineException e) {
-	        logger.error( "Trying to read " + config + " and caught PolicyEngineException" + e );
-			}
-*/
-	}
-	public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException {	
-		logger.debug( mechid + " Permitted to do action " + p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
-
-/*
-        // Create a Decision Policy Request.
-        DecisionRequestParameters decisionRequestParameters = new DecisionRequestParameters();
-        decisionRequestParameters.setECOMPComponentName("DMaaP"); // Required ECOMP Name
-        decisionRequestParameters.setRequestID(UUID.randomUUID());  // Optional UUID Request
-        // Put all the required Attributes into Decision Attributes.
-   
-        HashMap<String,String> decisionAttributes = new HashMap<String, String>();
-        decisionAttributes.put("AAF_ID", mechid);    // Fully qualified ID. 
-        decisionAttributes.put("AAF_PASS", pwd);
-        decisionAttributes.put("AAF_TYPE", p.getPermission());
-        decisionAttributes.put("AAF_INSTANCE", p.getPtype());
-        decisionAttributes.put("AAF_ACTION", p.getAction());
-        decisionAttributes.put("AAF_ENVIRONMENT", aafEnvironment); // TEST= UAT, PROD = PROD, DEVL = TEST
-        decisionRequestParameters.setDecisionAttributes(decisionAttributes);
-        // Send the request to Policy Engine and that returns a PolicyDecision Object.
-        try {
-            DecisionResponse response = policyEngine.getDecision(decisionRequestParameters);
-            if(response.getDecision().equals(PolicyDecision.PERMIT)){
-                logger.debug( mechid + " Permitted to do action " + p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
-            }else{
-                logger.debug( mechid + " NOT Permited to do action "+ p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
-                logger.debug(response.getDetails());
-                throw  new AuthenticationErrorException();
-            }
-        } catch (PolicyDecisionException e) {
-            System.err.println(e);
-            logger.error(e);
-            throw  new AuthenticationErrorException();
-        }
-*/
-        
-	     
-    
-    }
-
-/*
-    public static void main(String args[]){
-    	DecisionPolicy d = new DecisionPolicy();
-    	d.test();
-    }
-    	
-    public  void test() {
-    
-		// TODO: pass in users and pwd from cmd line	
-    	String[] ids = {"user1@namespace1",
-    					"user2@namespace2"};
-    	String[] pwds = {
-    			"pwd1",
-    			"pwd2"
-    	};
-    	List<DmaapPerm> perms = new ArrayList<DmaapPerm>();
-    	
-    	
-    	perms.add( new DmaapPerm("org.openecomp.dmaapBC.dmaap", "mtnje2", "POST"));
-    	perms.add( new DmaapPerm("org.openecomp.dmaapBC.dcaeLocations", "mtnje2", "POST"));
-    	perms.add( new DmaapPerm("org.openecomp.dmaapBC.dmaap", "mtnje2", "GET"));
-    	perms.add( new DmaapPerm("org.openecomp.dmaapBC.dmaap", "mtnje2", "PUT"));
-    	perms.add( new DmaapPerm("org.openecomp.dmaapBC.dmaap", "mtnje2", "DELETE"));
-    	
-    
-    	
-    	for( DmaapPerm p : perms ) {
-    		for( int i = 0; i < ids.length; i++) {
-    			try {
-    				this.check( ids[i], pwds[i], p);
-    				System.out.println( "PERMIT! for "+ ids[i] + "  " + p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
-    			} catch ( AuthenticationErrorException aee ) {
-    				System.out.println( "FAILED! for "+ ids[i] + "  " + p.getPermission() + "|" + p.getPtype() + "|" + p.getAction());
-    			} 
-    		}
-    	}
-    
-    }
-*/
-    
-}