diff options
author | Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2019-06-07 18:09:53 +0200 |
---|---|---|
committer | Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2019-06-07 18:53:41 +0200 |
commit | 28144714a27e0463e181924ac51fa74c48810489 (patch) | |
tree | 8f478580478b800d5fd972407d16e94e3ebdc050 /src | |
parent | 5caf0800a080d3ac4fb9573b319336160b2ebcba (diff) |
Basic auth not working
https://jira.onap.org/browse/DCAEGEN2-1541
Issue-ID: DCAEGEN2-1541
Change-Id: I61211b7a4693fea60b6da4bc460c2be47a41efa7
Signed-off-by: Zlatko Murgoski <zlatko.murgoski@nokia.com>
Diffstat (limited to 'src')
3 files changed, 49 insertions, 90 deletions
diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java index 7d3d2929..3da37c61 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java +++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java @@ -23,7 +23,11 @@ import io.vavr.control.Option; import java.io.IOException; import java.security.cert.X509Certificate; import java.util.Base64; -import java.util.stream.Collectors; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.onap.dcae.ApplicationSettings; @@ -32,9 +36,10 @@ import org.onap.dcae.common.configuration.SubjectMatcher; import org.onap.dcaegen2.services.sdk.security.CryptPassword; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; +import org.springframework.stereotype.Component; -final class ApiAuthInterceptor extends HandlerInterceptorAdapter { +@Component +public class ApiAuthInterceptor implements Filter { private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class); private static final String CERTIFICATE_X_509 = "javax.servlet.request.X509Certificate"; @@ -48,24 +53,32 @@ final class ApiAuthInterceptor extends HandlerInterceptorAdapter { this.errorLogger = errorLogger; } - @Override - public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) - throws IOException { + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { SubjectMatcher subjectMatcher = new SubjectMatcher(settings,(X509Certificate[]) request.getAttribute(CERTIFICATE_X_509)); if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value())){ - return validateCertRequest(response, subjectMatcher); + if( validateCertRequest((HttpServletResponse )response, subjectMatcher)){ + chain.doFilter(request, response); + return; + } + return; } if(isCertSubject(subjectMatcher)){ - return true; + chain.doFilter(request, response); + return; } if (isBasicAuth() ) { - return validateBasicHeader(request, response); + if(validateBasicHeader((HttpServletRequest)request, (HttpServletResponse)response)){ + chain.doFilter(request, response); + return; + } + return; } - return true; + chain.doFilter(request, response); } private boolean validateBasicHeader(HttpServletRequest request, HttpServletResponse response) diff --git a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java deleted file mode 100644 index c44e0d45..00000000 --- a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * PROJECT - * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. - * Copyright (C) 2018 Nokia. All rights reserved.s - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package org.onap.dcae.restapi; - -import org.onap.dcae.ApplicationSettings; -import org.slf4j.Logger; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.Configuration; -import org.springframework.web.servlet.config.annotation.EnableWebMvc; -import org.springframework.web.servlet.config.annotation.InterceptorRegistry; -import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; - -@EnableWebMvc -@Configuration -public class ApiConfiguration implements WebMvcConfigurer { - - private final ApplicationSettings applicationSettings; - private Logger errorLogger; - - @Autowired - ApiConfiguration(ApplicationSettings applicationSettings, Logger errorLogger) { - this.applicationSettings = applicationSettings; - this.errorLogger = errorLogger; - } - - @Override - public void addInterceptors(InterceptorRegistry registry) { - registry.addInterceptor(new ApiAuthInterceptor(applicationSettings, errorLogger)); - } -} diff --git a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java index c0a06a07..4398faad 100644 --- a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java +++ b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java @@ -20,8 +20,18 @@ package org.onap.dcae.restapi; +import static org.mockito.Mockito.atLeastOnce; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + import io.vavr.collection.HashMap; import io.vavr.collection.Map; +import java.io.IOException; +import java.io.PrintWriter; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.InjectMocks; @@ -35,16 +45,6 @@ import org.springframework.http.HttpStatus; import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import java.io.PrintWriter; - -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; - @RunWith(MockitoJUnitRunner.Silent.class) public class ApiAuthInterceptionTest { private static final String USERNAME = "Foo"; @@ -61,7 +61,7 @@ public class ApiAuthInterceptionTest { private HttpServletResponse response; @Mock - private Object obj; + private FilterChain obj; @Mock private PrintWriter writer; @@ -86,21 +86,21 @@ public class ApiAuthInterceptionTest { } @Test - public void shouldSucceedWhenAuthorizationIsDisabled() throws IOException { + public void shouldSucceedWhenAuthorizationIsDisabled() throws IOException, ServletException { // given final HttpServletRequest request = createEmptyRequest(); when(settings.authMethod()).thenReturn(AuthMethodType.NO_AUTH.value()); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); + sut.doFilter(request, response, obj); // then - assertTrue(isAuthorized); + verify(obj, atLeastOnce()).doFilter(request, response); } @Test - public void shouldFailDueToEmptyBasicAuthorizationHeader() throws IOException { + public void shouldFailDueToEmptyBasicAuthorizationHeader() throws IOException, ServletException { // given final HttpServletRequest request = createEmptyRequest(); @@ -108,18 +108,16 @@ public class ApiAuthInterceptionTest { when(response.getWriter()).thenReturn(writer); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); - + sut.doFilter(request, response, obj); // then - assertFalse(isAuthorized); - verify(response).setStatus(HttpStatus.UNAUTHORIZED.value()); verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); } @Test - public void shouldFailDueToBasicAuthenticationUserMissingFromSettings() throws IOException { + public void shouldFailDueToBasicAuthenticationUserMissingFromSettings() + throws IOException, ServletException { // given final HttpServletRequest request = createRequestWithAuthorizationHeader(); @@ -127,17 +125,15 @@ public class ApiAuthInterceptionTest { when(response.getWriter()).thenReturn(writer); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); + sut.doFilter(request, response, obj); // then - assertFalse(isAuthorized); - verify(response).setStatus(HttpStatus.UNAUTHORIZED.value()); verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); } @Test - public void shouldSucceed() throws IOException { + public void shouldSucceed() throws IOException, ServletException { // given final HttpServletRequest request = createRequestWithAuthorizationHeader(); when(settings.authMethod()).thenReturn(AuthMethodType.BASIC_AUTH.value()); @@ -146,14 +142,15 @@ public class ApiAuthInterceptionTest { when(response.getWriter()).thenReturn(writer); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); + sut.doFilter(request, response, obj); // then - assertTrue(isAuthorized); + verify(obj, atLeastOnce()).doFilter(request, response); } @Test - public void shouldFailDueToInvalidBasicAuthorizationHeaderValue() throws IOException { + public void shouldFailDueToInvalidBasicAuthorizationHeaderValue() + throws IOException, ServletException { // given final HttpServletRequest request = MockMvcRequestBuilders @@ -166,11 +163,9 @@ public class ApiAuthInterceptionTest { when(response.getWriter()).thenReturn(writer); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); - - // then - assertFalse(isAuthorized); + sut.doFilter(request, response, obj); + //then verify(response).setStatus(HttpStatus.UNAUTHORIZED.value()); verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); } |