author | Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2019-04-17 10:10:30 +0200 |
---|---|---|
committer | Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2019-04-18 11:04:53 +0200 |
commit | 5caf0800a080d3ac4fb9573b319336160b2ebcba (patch) | |
tree | fb115d6b4e0e35b3ec91e86f39de3d16992b2488 /src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java | |
parent | ff4bf8d97be17232187dfdbb5fc913d015b3b213 (diff) |
VES Collector - certBasicAuth1.4.4
https://jira.onap.org/browse/DCAEGEN2-1440
Issue-ID: DCAEGEN2-1440
Change-Id: I7976d03c65e261930533a49a6716fd6161124ad9
Signed-off-by: Zlatko Murgoski <zlatko.murgoski@nokia.com>
Diffstat (limited to 'src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java')
-rw-r--r-- | src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java | 64 |
1 files changed, 49 insertions, 15 deletions
diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
index bb290575..7d3d2929 100644
--- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
+++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
@@ -21,11 +21,14 @@ package org.onap.dcae.restapi;
 import io.vavr.control.Option;
 import java.io.IOException;
+import java.security.cert.X509Certificate;
 import java.util.Base64;
+import java.util.stream.Collectors;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.onap.dcae.ApplicationSettings;
 import org.onap.dcae.common.configuration.AuthMethodType;
+import org.onap.dcae.common.configuration.SubjectMatcher;
 import org.onap.dcaegen2.services.sdk.security.CryptPassword;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -34,11 +37,12 @@ import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 final class ApiAuthInterceptor extends HandlerInterceptorAdapter {
 private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class);
+ private static final String CERTIFICATE_X_509 = "javax.servlet.request.X509Certificate";
+ private static final String MESSAGE = "SubjectDN didn't match with any regexp from %s";
 private final CryptPassword cryptPassword = new CryptPassword();
 private final ApplicationSettings settings;
 private Logger errorLogger;
-
 public ApiAuthInterceptor(ApplicationSettings applicationSettings, Logger errorLogger) {
 this.settings = applicationSettings;
 this.errorLogger = errorLogger;
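Review bot: `java.util.stream.Collectors` is added to the import block but no line in this diff references it; unless an unchanged part of the file uses it (none of the visible hunks do), the import should be dropped rather than left for the linter to flag. The other two additions, `X509Certificate` and `SubjectMatcher`, are both used by the new preHandle code in the later hunk.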
@@ -48,25 +52,55 @@ final class ApiAuthInterceptor extends HandlerInterceptorAdapter {
 public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
- if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value())){
- if (request.getAttribute("javax.servlet.request.X509Certificate") != null){
- LOG.info("Request is authorized by certificate ");
- return true;
- }
+ SubjectMatcher subjectMatcher = new SubjectMatcher(settings,(X509Certificate[]) request.getAttribute(CERTIFICATE_X_509));
+
+ if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value())){
+ return validateCertRequest(response, subjectMatcher);
+ }
+
+ if(isCertSubject(subjectMatcher)){
+ return true;
+ }
+
+ if (isBasicAuth() ) {
+ return validateBasicHeader(request, response);
+ }
+ return true;
+ }
+
+ private boolean validateBasicHeader(HttpServletRequest request, HttpServletResponse response)
+ throws IOException {
+ String authorizationHeader = request.getHeader("Authorization");
+ if (authorizationHeader == null || !isAuthorized(authorizationHeader)) {
+ response.setStatus(401);
+ errorLogger.error("EVENT_RECEIPT_FAILURE: Unauthorized user");
+ response.getWriter().write(ApiException.UNAUTHORIZED_USER.toJSON().toString());
+ return false;
 }
- if (isBasicAuth()) {
- String authorizationHeader = request.getHeader("Authorization");
- if (authorizationHeader == null || !isAuthorized(authorizationHeader)) {
- response.setStatus(401);
- errorLogger.error("EVENT_RECEIPT_FAILURE: Unauthorized user");
- response.getWriter().write(ApiException.UNAUTHORIZED_USER.toJSON().toString());
- return false;
- }
- LOG.info("Request is authorized by basic auth");
+ LOG.info("Request is authorized by basic auth");
+ return true;
+ }
+
+ private boolean validateCertRequest(HttpServletResponse response, SubjectMatcher subjectMatcher)
+ throws IOException {
+ if (!isCertSubject(subjectMatcher)) {
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ response.getWriter().write(String.format(MESSAGE, settings.certSubjectMatcher()));
+ return false;
 }
+ LOG.info("Cert and subjectDN is valid");
 return true;
 }
+ private boolean isCertSubject(SubjectMatcher subjectMatcher) {
+ if(subjectMatcher.isCert() && subjectMatcher.match()){
+ LOG.info("Cert and subjectDN is valid");
+ return true;
+ }
+ LOG.info(String.format(MESSAGE, settings.certSubjectMatcher()));
+ return false;
+ }
+
 private boolean isBasicAuth() {
 return settings.authMethod().equalsIgnoreCase(AuthMethodType.BASIC_AUTH.value())
 || settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value());
|
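Review bot: In validateCertRequest the 403 body is built with `String.format(MESSAGE, settings.certSubjectMatcher())`, which sends the configured subject-DN regexp to an unauthenticated client and also departs from the JSON error body the basic-auth path writes; keep the regexp in the server-side log and return a generic body, e.g. `errorLogger.error(String.format(MESSAGE, settings.certSubjectMatcher()));` followed by `response.getWriter().write(ApiException.UNAUTHORIZED_USER.toJSON().toString());` (or a dedicated forbidden entry if ApiException has one). A second point in preHandle: `if(isCertSubject(subjectMatcher))` runs before the auth-method check, so as far as this hunk shows a request carrying a certificate whose subject matches is accepted without an Authorization header even when authMethod is BASIC_AUTH, whereas the removed code only took that shortcut under CERT_BASIC_AUTH; if that widening is intended, a comment on that line saying so would help, otherwise guard it with the CERT_BASIC_AUTH check. Minor: on the CERT_ONLY path "Cert and subjectDN is valid" is logged twice (once in isCertSubject, again in validateCertRequest), and isCertSubject logs the mismatch message at INFO for every basic-auth request that carries no certificate at all, which will be noisy and misleading in production logs.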