From 4b7a95ec2282fadb00c419a96c00b62f8a1d4028 Mon Sep 17 00:00:00 2001
From: pawel
Date: Wed, 6 Nov 2019 12:38:18 +0100
Subject: Remove certOnly and basicAuth from authentication methods
Issue-ID: DCAEGEN2-1776
Signed-off-by: pawel
Change-Id: I475dcce9de8c7c05d2a05cf51dc862b5bf920164
---
 .../org/onap/dcae/restapi/ApiAuthInterceptor.java | 55 ++++++++++++----------
 1 file changed, 30 insertions(+), 25 deletions(-)
(limited to 'src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java')
diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
index f1734080..8c5fb82a 100644
--- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
+++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
@@ -22,7 +22,9 @@ package org.onap.dcae.restapi;
 import io.vavr.control.Option;
 import java.io.IOException;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Base64;
+import java.util.stream.Collectors;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.onap.dcae.ApplicationSettings;
@@ -53,7 +55,8 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter {
 public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
- SubjectMatcher subjectMatcher = new SubjectMatcher(settings,(X509Certificate[]) request.getAttribute(CERTIFICATE_X_509));
+ X509Certificate[] certificates = (X509Certificate[]) request.getAttribute(CERTIFICATE_X_509);
+ SubjectMatcher subjectMatcher = new SubjectMatcher(settings, certificates);
 if(isHttpPortCalledWithAuthTurnedOn(request)){
 if(isHealthcheckCalledFromInsideCluster(request)){
@@ -64,20 +67,23 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter {
 return false;
 }
- if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value())){
- return validateCertRequest(response, subjectMatcher);
- }
-
 if(isCertSubject(subjectMatcher)){
+ LOG.debug("Cert and subjectDN is valid. Subject: " + extractSubject(certificates));
 return true;
 }
- if (isBasicAuth() ) {
+ if (isBasicAuth()) {
 return validateBasicHeader(request, response);
 }
 return true;
 }
+ private String extractSubject(X509Certificate[] certs) {
+ return Arrays.stream(certs)
+ .map(e -> e.getSubjectDN().getName())
+ .collect(Collectors.joining(","));
+ }
+
 private boolean isHttpPortCalledWithAuthTurnedOn(HttpServletRequest request) {
 return !settings.authMethod().equalsIgnoreCase(AuthMethodType.NO_AUTH.value())
 && request.getLocalPort() == settings.httpPort();
@@ -97,24 +103,12 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter {
 response.getWriter().write(ApiException.UNAUTHORIZED_USER.toJSON().toString());
 return false;
 }
- LOG.info("Request is authorized by basic auth");
- return true;
- }
-
- private boolean validateCertRequest(HttpServletResponse response, SubjectMatcher subjectMatcher)
- throws IOException {
- if (!isCertSubject(subjectMatcher)) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- response.getWriter().write(String.format(MESSAGE, settings.certSubjectMatcher()));
- return false;
- }
- LOG.info("Cert and subjectDN is valid");
+ LOG.debug("Request is authorized by basic auth. User: " + extractUser(decodeCredentials(authorizationHeader)));
 return true;
 }
 private boolean isCertSubject(SubjectMatcher subjectMatcher) {
 if(subjectMatcher.isCert() && subjectMatcher.match()){
- LOG.info("Cert and subjectDN is valid");
 return true;
 }
 LOG.info(String.format(MESSAGE, settings.certSubjectMatcher()));
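Review bot: With the CERT_ONLY branch removed, the trailing `return true;` after the `if (isBasicAuth())` block now passes any request on the TLS port whose client certificate does not match whenever `settings.authMethod()` is something other than CERT_BASIC_AUTH — a configuration still carrying one of the removed values (`certOnly`, `basicAuth`) fails open instead of being rejected, unless unsupported values are refused at startup in code outside this diff (the view is limited to this one file). Since NO_AUTH legitimately relies on that fall-through, the safer shape is to keep it only for that mode: `if (!settings.authMethod().equalsIgnoreCase(AuthMethodType.NO_AUTH.value())) { response.setStatus(HttpServletResponse.SC_FORBIDDEN); return false; } return true;` (optionally writing the MESSAGE body as the removed validateCertRequest did). In extractSubject, `getSubjectDN()` is denigrated in the JDK; `e.getSubjectX500Principal().getName()` is the documented replacement and returns the RFC 2253 form. preHandle starts outside this hunk, and its earlier branches decide the plain-HTTP port.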
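Review bot: The new debug line in validateBasicHeader decodes the Authorization header a second time — isAuthorized has already split and base64-decoded it — and builds the message by string concatenation, so that work runs on every authorized request even when debug logging is disabled; the debug line added to preHandle in the previous hunk has the same eager concatenation. Logging the user inside isAuthorized, where `providedUser` is already in hand, or guarding with `if (LOG.isDebugEnabled())` (available if LOG is an SLF4J or Log4j logger, which this diff does not show) avoids both. validateBasicHeader begins outside this hunk.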
@@ -122,16 +116,14 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter {
 }
 private boolean isBasicAuth() {
- return settings.authMethod().equalsIgnoreCase(AuthMethodType.BASIC_AUTH.value())
- || settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value());
+ return settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value());
 }
 private boolean isAuthorized(String authorizationHeader) {
 try {
- String encodedData = authorizationHeader.split(" ")[1];
- String decodedData = new String(Base64.getDecoder().decode(encodedData));
- String providedUser = decodedData.split(":")[0].trim();
- String providedPassword = decodedData.split(":")[1].trim();
+ String decodeCredentials = decodeCredentials(authorizationHeader);
+ String providedUser = extractUser(decodeCredentials);
+ String providedPassword = extractPassword(decodeCredentials);
 Option maybeSavedPassword = settings.validAuthorizationCredentials().get(providedUser);
 boolean userRegistered = maybeSavedPassword.isDefined();
 return userRegistered && cryptPassword.matches(providedPassword,maybeSavedPassword.get());
@@ -141,4 +133,17 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter {
 return false;
 }
 }
+
+ private String extractPassword(String decodeCredentials) {
+ return decodeCredentials.split(":")[1].trim();
+ }
+
+ private String extractUser(String decodeCredentials) {
+ return decodeCredentials.split(":")[0].trim();
+ }
+
+ private String decodeCredentials(String authorizationHeader) {
+ String encodedData = authorizationHeader.split(" ")[1];
+ return new String(Base64.getDecoder().decode(encodedData));
+ }
 }
\ No newline at end of file
-- cgit 1.2.3-korg
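Review bot: extractPassword truncates any password containing a colon, because `split(":")[1]` keeps only the segment between the first two colons; RFC 7617 forbids the colon only in the user-id, so take the password with a limit, `return decodeCredentials.split(":", 2)[1];` (and `split(":", 2)[0]` in extractUser for symmetry). The `.trim()` applied to the password silently alters credentials with leading or trailing spaces before the hash comparison — worth confirming that is intended, since the stored hash was presumably computed from the untrimmed value. decodeCredentials converts the decoded bytes with the platform default charset; `return new String(Base64.getDecoder().decode(encodedData), StandardCharsets.UTF_8);` makes non-ASCII credentials behave the same on every host (needs `java.nio.charset.StandardCharsets`). Note also that `authorizationHeader.split(" ")[1]` never checks that the scheme token is `Basic`; a header with no second token throws ArrayIndexOutOfBoundsException, which appears to be caught by the try block in isAuthorized whose catch ends in this hunk.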