diff options
author | Dominic Lunanuova <dgl@research.att.com> | 2019-07-18 14:59:18 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2019-07-18 14:59:18 +0000 |
commit | e78963869f8f55101d22b0afc06a5c6d6577dbb0 (patch) | |
tree | bb89b7d1d21cb02b5a3ecbc122dc2c306d1e40e3 /datarouter-prov/src/main/java | |
parent | ee6f2d1d32b6c536387c37cb9ee700366c33e5f0 (diff) | |
parent | 00cc27b0fa1346435c7685300286f1adc98b69fb (diff) |
Merge "Authz unit test and code cleanup"
Diffstat (limited to 'datarouter-prov/src/main/java')
4 files changed, 59 insertions, 74 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespImpl.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespImpl.java index f3278332..c7d71996 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespImpl.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespImpl.java @@ -44,21 +44,23 @@ public class AuthRespImpl implements AuthorizationResponse { /** Constructor. This version will not be used in Data Router R1 since we will not have advice and obligations.
*
* @param authorized flag indicating whether the response carried a permit response (<code>true</code>)
- * or something else (<code>false</code>).
+ * or something else (<code>false</code>).
* @param advice list of advice elements returned in the response.
* @param obligations list of obligation elements returned in the response.
*/
- public AuthRespImpl(boolean authorized, List<AuthorizationResponseSupplement> advice, List<AuthorizationResponseSupplement> obligations) {
+ private AuthRespImpl(boolean authorized, List<AuthorizationResponseSupplement> advice,
+ List<AuthorizationResponseSupplement> obligations) {
this.authorized = authorized;
- this.advice = (advice == null ? null : new ArrayList<AuthorizationResponseSupplement> (advice));
- this.obligations = (obligations == null ? null : new ArrayList<AuthorizationResponseSupplement> (obligations));
+ this.advice = (advice == null ? null : new ArrayList<>(advice));
+ this.obligations = (obligations == null ? null : new ArrayList<>(obligations));
}
/** Constructor. Simple version for authorization responses that have no advice and no obligations.
*
- * @param authorized flag indicating whether the response carried a permit (<code>true</code>) or something else (<code>false</code>).
+ * @param authorized flag indicating whether the response carried a permit (<code>true</code>)
+ * or something else (<code>false</code>).
*/
- public AuthRespImpl(boolean authorized) {
+ AuthRespImpl(boolean authorized) {
this(authorized, null, null);
}
@@ -69,25 +71,25 @@ public class AuthRespImpl implements AuthorizationResponse { */
@Override
public boolean isAuthorized() {
- return authorized;
+ return authorized;
}
/**
* Returns any advice elements that were included in the authorization response.
*
- * @return A list of objects implementing the <code>AuthorizationResponseSupplement</code> interface, with each object representing an
- * advice element from the authorization response.
+ * @return A list of objects implementing the <code>AuthorizationResponseSupplement</code> interface,
+ * with each object representing an advice element from the authorization response.
*/
@Override
public List<AuthorizationResponseSupplement> getAdvice() {
- return advice;
+ return advice;
}
/**
* Returns any obligation elements that were included in the authorization response.
*
- * @return A list of objects implementing the <code>AuthorizationResponseSupplement</code> interface, with each object representing an
- * obligation element from the authorization response.
+ * @return A list of objects implementing the <code>AuthorizationResponseSupplement</code> interface,
+ * with each object representing an obligation element from the authorization response.
*/
@Override
public List<AuthorizationResponseSupplement> getObligations() {
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespSupplementImpl.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespSupplementImpl.java index d995270e..b61c00e5 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespSupplementImpl.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespSupplementImpl.java @@ -36,17 +36,17 @@ import org.onap.dmaap.datarouter.authz.AuthorizationResponseSupplement; */
public class AuthRespSupplementImpl implements AuthorizationResponseSupplement {
- private String id = null;
- private Map<String, String> attributes = null;
+ private String id;
+ private Map<String, String> attributes;
/** Constructor, available within the package.
*
* @param id The identifier for the advice or obligation element
* @param attributes The attributes (name-value pairs) for the advice or obligation element.
*/
- AuthRespSupplementImpl (String id, Map<String, String> attributes) {
+ AuthRespSupplementImpl(String id, Map<String, String> attributes) {
this.id = id;
- this.attributes = new HashMap<String,String>(attributes);
+ this.attributes = new HashMap<>(attributes);
}
/** Return the identifier for the supplementary information element.
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthzResource.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthzResource.java index 0357fa74..c248468f 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthzResource.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthzResource.java @@ -30,7 +30,6 @@ import java.util.regex.Pattern; /** Internal representation of an authorization resource (the entity to which access is being requested). Consists
* of a type and an identifier. The constructor takes the request URI from an HTTP request and checks it against
* patterns for the the different resource types. In DR R1, there are four resource types:
- * <ul>
* <li>the feeds collection resource, the target of POST requests to create a new feed and GET requests to list
* the existing feeds. This is the root resource for the DR provisioning system, and it has no explicit id.
* </li>
@@ -53,10 +52,10 @@ public class AuthzResource { private String id = "";
/* Construct an AuthzResource by matching a request URI against the various patterns */
- public AuthzResource(String rURI) {
- if (rURI != null) {
+ AuthzResource(String requestUri) {
+ if (requestUri != null) {
for (ResourceType t : ResourceType.values()) {
- Matcher m = t.getPattern().matcher(rURI);
+ Matcher m = t.getPattern().matcher(requestUri);
if (m.find(0)) {
this.type = t;
if (m.group("id") != null) {
@@ -83,13 +82,13 @@ public class AuthzResource { */
public enum ResourceType {
FEEDS_COLLECTION("((://[^/]+/)|(^/))(?<id>)$"),
- SUBS_COLLECTION ("((://[^/]+/)|(^/{0,1}))subscribe/(?<id>[^/]+)$"),
+ SUBS_COLLECTION("((://[^/]+/)|(^/{0,1}))subscribe/(?<id>[^/]+)$"),
FEED("((://[^/]+/)|(^/{0,1}))feed/(?<id>[^/]+)$"),
SUB("((://[^/]+/)|(^/{0,1}))subs/(?<id>[^/]+)$");
private Pattern uriPattern;
- private ResourceType(String patternString) {
+ ResourceType(String patternString) {
this.uriPattern = Pattern.compile(patternString);
}
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/ProvAuthorizer.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/ProvAuthorizer.java index 745e339d..595b626c 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/ProvAuthorizer.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/ProvAuthorizer.java @@ -23,17 +23,15 @@ package org.onap.dmaap.datarouter.authz.impl; -import java.util.Map; - -import javax.servlet.http.HttpServletRequest; - import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; +import java.util.Map; +import javax.servlet.http.HttpServletRequest; import org.onap.dmaap.datarouter.authz.AuthorizationResponse; import org.onap.dmaap.datarouter.authz.Authorizer; import org.onap.dmaap.datarouter.authz.impl.AuthzResource.ResourceType; -/** Authorizer for the provisioning API for Data Router R1 +/** Authorizer for the provisioning API for Data Router R1. * * @author J. F. Lucas * @@ -45,6 +43,7 @@ public class ProvAuthorizer implements Authorizer { private static final String SUBJECT_HEADER = "X-DMAAP-DR-ON-BEHALF-OF"; // HTTP header carrying requester identity private static final String SUBJECT_HEADER_GROUP = "X-DMAAP-DR-ON-BEHALF-OF-GROUP"; // HTTP header carrying requester identity by group Rally : US708115 + /** Constructor. For the moment, do nothing special. Make it a singleton? * */ @@ -63,7 +62,7 @@ public class ProvAuthorizer implements Authorizer { */ @Override public AuthorizationResponse decide(HttpServletRequest request) { - return this.decide(request, null); + return this.decide(request, null); } /** @@ -79,80 +78,66 @@ public class ProvAuthorizer implements Authorizer { @Override public AuthorizationResponse decide(HttpServletRequest request, Map<String, String> additionalAttrs) { - log.trace ("Entering decide()"); - + log.trace("Entering decide()"); boolean decision = false; - // Extract interesting parts of the HTTP request String method = request.getMethod(); AuthzResource resource = new AuthzResource(request.getRequestURI()); - String subject = (request.getHeader(SUBJECT_HEADER)); // identity of the requester - String subjectgroup = (request.getHeader(SUBJECT_HEADER_GROUP)); // identity of the requester by group Rally : US708115 - - log.trace("Method: " + method + " -- Type: " + resource.getType() + " -- Id: " + resource.getId() + - " -- Subject: " + subject); + String subject = (request.getHeader(SUBJECT_HEADER)); + String subjectgroup = (request.getHeader(SUBJECT_HEADER_GROUP)); + log.trace("Method: " + method + " -- Type: " + resource.getType() + " -- Id: " + resource.getId() + + " -- Subject: " + subject); // Choose authorization method based on the resource type ResourceType resourceType = resource.getType(); if (resourceType != null) { - switch (resourceType) { - - case FEEDS_COLLECTION: - decision = allowFeedsCollectionAccess(resource, method, subject, subjectgroup); - break; - - case SUBS_COLLECTION: - decision = allowSubsCollectionAccess(resource, method, subject, subjectgroup); - break; - - case FEED: - decision = allowFeedAccess(resource, method, subject, subjectgroup); - break; - - case SUB: - decision = allowSubAccess(resource, method, subject, subjectgroup); - break; - - default: - decision = false; - break; + case FEEDS_COLLECTION: + decision = allowFeedsCollectionAccess(method); + break; + case SUBS_COLLECTION: + decision = allowSubsCollectionAccess(method); + break; + case FEED: + decision = allowFeedAccess(resource, method, subject, subjectgroup); + break; + case SUB: + decision = allowSubAccess(resource, method, subject, subjectgroup); + break; + default: + decision = false; + break; } } - log.debug("Exit decide(): " + method + "|" + resourceType + "|" + resource.getId() + "|" + subject + " ==> " + decision); + log.debug("Exit decide(): " + method + "|" + resourceType + "|" + resource.getId() + "|" + + subject + " ==> " + decision); return new AuthRespImpl(decision); } - private boolean allowFeedsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) { - + private boolean allowFeedsCollectionAccess(String method) { // Allow GET or POST unconditionally return method != null && ("GET".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method)); } - private boolean allowSubsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) { - + private boolean allowSubsCollectionAccess(String method) { // Allow GET or POST unconditionally return method != null && ("GET".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method)); } - private boolean allowFeedAccess(AuthzResource resource, String method, String subject, String subjectgroup) { + private boolean allowFeedAccess(AuthzResource resource, String method, String subject, String subjectgroup) { boolean decision = false; - // Allow GET, PUT, or DELETE if requester (subject) is the owner (publisher) of the feed - if ( method != null && ("GET".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method) || - "DELETE".equalsIgnoreCase(method))) { + if ( method != null && ("GET".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method) || "DELETE".equalsIgnoreCase(method))) { String owner = provData.getFeedOwner(resource.getId()); decision = (owner != null) && owner.equals(subject); - //Verifying by group Rally : US708115 - if(subjectgroup != null) { - String feedowner = provData.getGroupByFeedGroupId(subject, resource.getId()); - decision = (feedowner != null) && feedowner.equals(subjectgroup); + if (subjectgroup != null) { + String feedOwner = provData.getGroupByFeedGroupId(subject, resource.getId()); + decision = (feedOwner != null) && feedOwner.equals(subjectgroup); } } - return decision; } @@ -160,14 +145,13 @@ public class ProvAuthorizer implements Authorizer { boolean decision = false; // Allow GET, PUT, or DELETE if requester (subject) is the owner of the subscription (subscriber) - if (method != null && ("GET".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method) || - "DELETE".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method))) { + if (method != null && ("GET".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method) || "DELETE".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method))) { String owner = provData.getSubscriptionOwner(resource.getId()); decision = (owner != null) && owner.equals(subject); //Verifying by group Rally : US708115 - if(subjectgroup != null) { + if (subjectgroup != null) { String feedowner = provData.getGroupBySubGroupId(subject, resource.getId()); decision = (feedowner != null) && feedowner.equals(subjectgroup); } |