From bed349adecc488eb04ea413b8f06d7d3d032a907 Mon Sep 17 00:00:00 2001
From: Zlatko Murgoski
Date: Fri, 7 Jun 2019 18:09:53 +0200
Subject: Basic auth not working https://jira.onap.org/browse/DCAEGEN2-1541
Issue-ID: DCAEGEN2-1541
Change-Id: I61211b7a4693fea60b6da4bc460c2be47a41efa7
Signed-off-by: Zlatko Murgoski
---
 pom.xml | 2 +-
 .../org/onap/dcae/restapi/ApiAuthInterceptor.java | 33 +++++++++----
 .../org/onap/dcae/restapi/ApiConfiguration.java | 49 -------------------
 .../onap/dcae/restapi/ApiAuthInterceptionTest.java | 57 ++++++++++------
 version.properties | 2 +-
 5 files changed, 51 insertions(+), 92 deletions(-)
 delete mode 100644 src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
diff --git a/pom.xml b/pom.xml
index 304221a6..d00a4013 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,7 +24,7 @@ org.onap.dcaegen2.collectors.ves VESCollector
- 1.4.4-SNAPSHOT
+ 1.4.5-SNAPSHOT
 dcaegen2-collectors-ves VESCollector
diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
index 7d3d2929..3da37c61 100644
--- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
+++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
@@ -23,7 +23,11 @@ import io.vavr.control.Option;
 import java.io.IOException;
 import java.security.cert.X509Certificate;
 import java.util.Base64;
-import java.util.stream.Collectors;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.onap.dcae.ApplicationSettings;
@@ -32,9 +36,10 @@ import org.onap.dcae.common.configuration.SubjectMatcher; import org.onap.dcaegen2.services.sdk.security.CryptPassword; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; +import org.springframework.stereotype.Component; -final class ApiAuthInterceptor extends HandlerInterceptorAdapter { +@Component +public class ApiAuthInterceptor implements Filter { private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class); private static final String CERTIFICATE_X_509 = "javax.servlet.request.X509Certificate"; @@ -48,24 +53,32 @@ final class ApiAuthInterceptor extends HandlerInterceptorAdapter { this.errorLogger = errorLogger; } - @Override - public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) - throws IOException { + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { SubjectMatcher subjectMatcher = new SubjectMatcher(settings,(X509Certificate[]) request.getAttribute(CERTIFICATE_X_509)); if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value())){ - return validateCertRequest(response, subjectMatcher); + if( validateCertRequest((HttpServletResponse )response, subjectMatcher)){ + chain.doFilter(request, response); + return; + } + return; } if(isCertSubject(subjectMatcher)){ - return true; + chain.doFilter(request, response); + return; } if (isBasicAuth() ) { - return validateBasicHeader(request, response); + if(validateBasicHeader((HttpServletRequest)request, (HttpServletResponse)response)){ + chain.doFilter(request, response); + return; + } + return; } - return true; + chain.doFilter(request, response); } private boolean validateBasicHeader(HttpServletRequest request, HttpServletResponse response) 
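Review bot: The three early-exit branches in doFilter each repeat `chain.doFilter(request, response); return;` inside an `if` followed by a bare `return`, which hides the one rule that matters for an auth filter — the chain continues only when the selected check passed — so computing a single boolean and calling the chain once would make that rule visible and easier to audit. The casts to HttpServletRequest/HttpServletResponse are unchecked, so a non-HTTP ServletRequest would fail with a ClassCastException rather than a clear error; the rewrite below narrows once at the top. Since the class is now an `@Component` Filter rather than a HandlerInterceptor, its URL scope and its position relative to other filters are presumably whatever the container's default registration gives (all paths, unspecified order), which is worth recording in a class Javadoc such as `/** Authenticates every request by client certificate and/or HTTP Basic credentials according to settings.authMethod(); a failed check writes the 401 response itself and stops the filter chain. */` and, if ordering matters, an explicit `@Order`. validateCertRequest and validateBasicHeader are outside the hunk; I am assuming they write the 401 response on failure, which the updated tests confirm for the basic-auth path only.
```java
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException {
    if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
        throw new ServletException("ApiAuthInterceptor only supports HTTP requests");
    }
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    SubjectMatcher subjectMatcher = new SubjectMatcher(settings,
        (X509Certificate[]) request.getAttribute(CERTIFICATE_X_509));
    // The validate* helpers write the 401 response themselves; false only means "stop here".
    if (isAuthorized(httpRequest, httpResponse, subjectMatcher)) {
        chain.doFilter(request, response);
    }
}

// Selects the check for the configured auth method; true means the chain may continue.
private boolean isAuthorized(HttpServletRequest request, HttpServletResponse response,
                             SubjectMatcher subjectMatcher) throws IOException {
    if (settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value())) {
        return validateCertRequest(response, subjectMatcher);
    }
    if (isCertSubject(subjectMatcher)) {
        return true;
    }
    if (isBasicAuth()) {
        return validateBasicHeader(request, response);
    }
    return true;
}
// … unchanged: validateBasicHeader and the remaining helpers …
```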
diff --git a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
deleted file mode 100644
index c44e0d45..00000000
--- a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * ============LICENSE_START=======================================================
- * PROJECT
- * ================================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
- * Copyright (C) 2018 Nokia. All rights reserved.s
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.dcae.restapi;
-
-import org.onap.dcae.ApplicationSettings;
-import org.slf4j.Logger;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.web.servlet.config.annotation.EnableWebMvc;
-import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-
-@EnableWebMvc
-@Configuration
-public class ApiConfiguration implements WebMvcConfigurer {
-
- private final ApplicationSettings applicationSettings;
- private Logger errorLogger;
-
- @Autowired
- ApiConfiguration(ApplicationSettings applicationSettings, Logger errorLogger) {
- this.applicationSettings = applicationSettings;
- this.errorLogger = errorLogger;
- }
-
- @Override
- public void addInterceptors(InterceptorRegistry registry) {
- registry.addInterceptor(new
ApiAuthInterceptor(applicationSettings, errorLogger)); - } -} diff --git a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java index c0a06a07..4398faad 100644 --- a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java +++ b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java @@ -20,8 +20,18 @@ package org.onap.dcae.restapi; +import static org.mockito.Mockito.atLeastOnce; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + import io.vavr.collection.HashMap; import io.vavr.collection.Map; +import java.io.IOException; +import java.io.PrintWriter; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.InjectMocks; @@ -35,16 +45,6 @@ import org.springframework.http.HttpStatus; import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import java.io.PrintWriter; - -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; - @RunWith(MockitoJUnitRunner.Silent.class) public class ApiAuthInterceptionTest { private static final String USERNAME = "Foo"; @@ -61,7 +61,7 @@ public class ApiAuthInterceptionTest { private HttpServletResponse response; @Mock - private Object obj; + private FilterChain obj; @Mock private PrintWriter writer; 
@@ -86,21 +86,21 @@ public class ApiAuthInterceptionTest { } @Test - public void shouldSucceedWhenAuthorizationIsDisabled() throws IOException { + public void shouldSucceedWhenAuthorizationIsDisabled() throws IOException, ServletException { // given final HttpServletRequest request = createEmptyRequest(); when(settings.authMethod()).thenReturn(AuthMethodType.NO_AUTH.value()); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); + sut.doFilter(request, response, obj); // then - assertTrue(isAuthorized); + verify(obj, atLeastOnce()).doFilter(request, response); } @Test - public void shouldFailDueToEmptyBasicAuthorizationHeader() throws IOException { + public void shouldFailDueToEmptyBasicAuthorizationHeader() throws IOException, ServletException { // given final HttpServletRequest request = createEmptyRequest(); @@ -108,18 +108,16 @@ public class ApiAuthInterceptionTest { when(response.getWriter()).thenReturn(writer); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); - + sut.doFilter(request, response, obj); // then - assertFalse(isAuthorized); - verify(response).setStatus(HttpStatus.UNAUTHORIZED.value()); verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); } @Test - public void shouldFailDueToBasicAuthenticationUserMissingFromSettings() throws IOException { + public void shouldFailDueToBasicAuthenticationUserMissingFromSettings() + throws IOException, ServletException { // given final HttpServletRequest request = createRequestWithAuthorizationHeader(); 
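Review bot: The failure tests in this hunk (`shouldFailDueToEmptyBasicAuthorizationHeader` here, and the two failure tests in the following hunks at -127 and -166) no longer assert that the request was rejected: the removed `assertFalse(isAuthorized)` carried that check, and verifying `setStatus(UNAUTHORIZED)` does not show that the chain was stopped, so a regression that writes the 401 and then still calls `chain.doFilter` would pass. Add `verify(obj, never()).doFilter(request, response);` to each failure test, with `import static org.mockito.Mockito.never;`. On the success side `verify(obj, atLeastOnce())` is looser than needed; `verify(obj).doFilter(request, response);` also catches a double invocation. The mock field is still named `obj` after becoming a FilterChain; `chain` would read better.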
@@ -127,17 +125,15 @@ public class ApiAuthInterceptionTest { when(response.getWriter()).thenReturn(writer); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); + sut.doFilter(request, response, obj); // then - assertFalse(isAuthorized); - verify(response).setStatus(HttpStatus.UNAUTHORIZED.value()); verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); } @Test - public void shouldSucceed() throws IOException { + public void shouldSucceed() throws IOException, ServletException { // given final HttpServletRequest request = createRequestWithAuthorizationHeader(); when(settings.authMethod()).thenReturn(AuthMethodType.BASIC_AUTH.value()); @@ -146,14 +142,15 @@ public class ApiAuthInterceptionTest { when(response.getWriter()).thenReturn(writer); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); + sut.doFilter(request, response, obj); // then - assertTrue(isAuthorized); + verify(obj, atLeastOnce()).doFilter(request, response); } @Test - public void shouldFailDueToInvalidBasicAuthorizationHeaderValue() throws IOException { + public void shouldFailDueToInvalidBasicAuthorizationHeaderValue() + throws IOException, ServletException { // given final HttpServletRequest request = MockMvcRequestBuilders @@ -166,11 +163,9 @@ public class ApiAuthInterceptionTest { when(response.getWriter()).thenReturn(writer); // when - final boolean isAuthorized = sut.preHandle(request, response, obj); - - // then - assertFalse(isAuthorized); + sut.doFilter(request, response, obj); + //then verify(response).setStatus(HttpStatus.UNAUTHORIZED.value()); verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); } diff --git a/version.properties b/version.properties index 9e50923f..ff4463f6 100644 --- a/version.properties +++ b/version.properties 
@@ -1,6 +1,6 @@
 major=1
 minor=4
-patch=4
+patch=5
 base_version=${major}.${minor}.${patch}
 release_version=${base_version}
 snapshot_version=${base_version}-SNAPSHOT
-- cgit 1.2.3-korg