diff options
Diffstat (limited to 'datarouter-prov/src/main/java/com/att/research/datarouter/authz')
10 files changed, 791 insertions, 0 deletions
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/AuthorizationResponse.java b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/AuthorizationResponse.java new file mode 100644 index 00000000..26956f82 --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/AuthorizationResponse.java @@ -0,0 +1,58 @@ +/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.research.datarouter.authz;
+
+import java.util.List;
+
+/**
+ * The <code>AuthorizationResponse</code> interface gives the caller access to information about an authorization
+ * decision. This information includes the permit/deny decision itself, along with supplementary information in the form of
+ * advice and obligations. (The advice and obligations will not be used in Data Router R1.)
+ *
+ * @author J. F. Lucas
+ *
+ */
+public interface AuthorizationResponse {
+ /**
+ * Indicates whether the request is authorized or not.
+ *
+ * @return a boolean flag that is <code>true</code> if the request is permitted, and <code>false</code> otherwise.
+ */
+ public boolean isAuthorized();
+
+ /**
+ * Returns any advice elements that were included in the authorization response.
+ *
+ * @return A list of objects implementing the <code>AuthorizationResponseSupplement</code> interface, with each object representing an
+ * advice element from the authorization response.
+ */
+ public List<AuthorizationResponseSupplement> getAdvice();
+
+ /**
+ * Returns any obligation elements that were included in the authorization response.
+ *
+ * @return A list of objects implementing the <code>AuthorizationResponseSupplement</code> interface, with each object representing an
+ * obligation element from the authorization response.
+ */
+ public List<AuthorizationResponseSupplement> getObligations();
+}
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/AuthorizationResponseSupplement.java b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/AuthorizationResponseSupplement.java new file mode 100644 index 00000000..2829c507 --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/AuthorizationResponseSupplement.java @@ -0,0 +1,52 @@ +/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+
+
+package com.att.research.datarouter.authz;
+
+import java.util.Map;
+
+/** An object that meets the <code>AuthorizationResponseSupplement</code> interface carries supplementary
+ * information for an authorization response. In a XACML-based system, a response to an authorization request
+ * carries not just the permit/deny decision but, optionally, supplemental information in the form of advice and
+ * obligation elements. The structure of a XACML advice element and a XACML obligation element are similar: each has an identifier and
+ * a set of attributes (name-value) pairs. (The difference between a XACML advice element and a XACML obligation element is in
+ * how the recipient of the response--the Policy Enforcement Point, in XACML terminology--handles the element.)
+ *
+ * @author J. F. Lucas
+ *
+ */
+public interface AuthorizationResponseSupplement {
+ /** Return the identifier for the supplementary information element.
+ *
+ * @return a <code>String</code> containing the identifier.
+ */
+ public String getId();
+
+ /** Return the attributes for the supplementary information element, as a <code>Map</code> in which
+ * keys represent attribute identifiers and values represent attribute values.
+ *
+ * @return attributes for the supplementary information element.
+ */
+ public Map<String, String> getAttributes();
+}
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/Authorizer.java b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/Authorizer.java new file mode 100644 index 00000000..bfed5c37 --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/Authorizer.java @@ -0,0 +1,62 @@ +/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+
+
+package com.att.research.datarouter.authz;
+
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * A Data Router API that requires authorization of incoming requests creates an instance of a class that implements
+ * the <code>Authorizer</code> interface. The class implements all of the logic necessary to determine if an API
+ * request is permitted. In Data Router R1, the classes that implement the <code>Authorizer</code> interface will have
+ * local logic that makes the authorization decision. After R1, these classes will instead have logic that creates XACML
+ * authorization requests, sends these requests to a Policy Decision Point (PDP), and parses the XACML responses.
+ *
+ * @author J. F. Lucas
+ *
+ */
+public interface Authorizer {
+ /**
+ * Determine if the API request carried in the <code>request</code> parameter is permitted.
+ *
+ * @param request the HTTP request for which an authorization decision is needed
+ * @return an object implementing the <code>AuthorizationResponse</code> interface. This object includes the
+ * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
+ * of advice and obligations.
+ */
+ public AuthorizationResponse decide(HttpServletRequest request);
+
+ /**
+ * Determine if the API request carried in the <code>request</code> parameter, with additional attributes provided in
+ * the <code>additionalAttrs</code> parameter, is permitted.
+ *
+ * @param request the HTTP request for which an authorization decision is needed
+ * @param additionalAttrs additional attributes that the <code>Authorizer</code> can in making an authorization decision
+ * @return an object implementing the <code>AuthorizationResponse</code> interface. This object includes the
+ * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
+ * of advice and obligations.
+ */
+ public AuthorizationResponse decide(HttpServletRequest request, Map<String,String> additionalAttrs);
+}
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/AuthRespImpl.java b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/AuthRespImpl.java new file mode 100644 index 00000000..db318d39 --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/AuthRespImpl.java @@ -0,0 +1,97 @@ +/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+
+
+package com.att.research.datarouter.authz.impl;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import com.att.research.datarouter.authz.AuthorizationResponse;
+import com.att.research.datarouter.authz.AuthorizationResponseSupplement;
+
+
+/** A representation of an authorization response returned by a XACML Policy Decision Point.
+ * In Data Router R1, advice and obligations are not used.
+ * @author J. F. Lucas
+ *
+ */
+public class AuthRespImpl implements AuthorizationResponse {
+ private boolean authorized;
+ private List<AuthorizationResponseSupplement> advice;
+ private List<AuthorizationResponseSupplement> obligations;
+
+ /** Constructor. This version will not be used in Data Router R1 since we will not have advice and obligations.
+ *
+ * @param authorized flag indicating whether the response carried a permit response (<code>true</code>)
+ * or something else (<code>false</code>).
+ * @param advice list of advice elements returned in the response.
+ * @param obligations list of obligation elements returned in the response.
+ */
+ public AuthRespImpl(boolean authorized, List<AuthorizationResponseSupplement> advice, List<AuthorizationResponseSupplement> obligations) {
+ this.authorized = authorized;
+ this.advice = (advice == null ? null : new ArrayList<AuthorizationResponseSupplement> (advice));
+ this.obligations = (obligations == null ? null : new ArrayList<AuthorizationResponseSupplement> (obligations));
+ }
+
+ /** Constructor. Simple version for authorization responses that have no advice and no obligations.
+ *
+ * @param authorized flag indicating whether the response carried a permit (<code>true</code>) or something else (<code>false</code>).
+ */
+ public AuthRespImpl(boolean authorized) {
+ this(authorized, null, null);
+ }
+
+ /**
+ * Indicates whether the request is authorized or not.
+ *
+ * @return a boolean flag that is <code>true</code> if the request is permitted, and <code>false</code> otherwise.
+ */
+ @Override
+ public boolean isAuthorized() {
+ return authorized;
+ }
+
+ /**
+ * Returns any advice elements that were included in the authorization response.
+ *
+ * @return A list of objects implementing the <code>AuthorizationResponseSupplement</code> interface, with each object representing an
+ * advice element from the authorization response.
+ */
+ @Override
+ public List<AuthorizationResponseSupplement> getAdvice() {
+ return advice;
+ }
+
+ /**
+ * Returns any obligation elements that were included in the authorization response.
+ *
+ * @return A list of objects implementing the <code>AuthorizationResponseSupplement</code> interface, with each object representing an
+ * obligation element from the authorization response.
+ */
+ @Override
+ public List<AuthorizationResponseSupplement> getObligations() {
+ return obligations;
+ }
+
+}
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/AuthRespSupplementImpl.java b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/AuthRespSupplementImpl.java new file mode 100644 index 00000000..5d2b61c8 --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/AuthRespSupplementImpl.java @@ -0,0 +1,71 @@ +/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+
+
+package com.att.research.datarouter.authz.impl;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import com.att.research.datarouter.authz.AuthorizationResponseSupplement;
+
+/** Carries supplementary information--an advice or an obligation--from the authorization response returned
+ * by a XACML Policy Decision Point. Not used in Data Router R1.
+ * @author J. F. Lucas
+ *
+ */
+public class AuthRespSupplementImpl implements AuthorizationResponseSupplement {
+
+ private String id = null;
+ private Map<String, String> attributes = null;
+
+ /** Constructor, available within the package.
+ *
+ * @param id The identifier for the advice or obligation element
+ * @param attributes The attributes (name-value pairs) for the advice or obligation element.
+ */
+ AuthRespSupplementImpl (String id, Map<String, String> attributes) {
+ this.id = id;
+ this.attributes = new HashMap<String,String>(attributes);
+ }
+
+ /** Return the identifier for the supplementary information element.
+ *
+ * @return a <code>String</code> containing the identifier.
+ */
+ @Override
+ public String getId() {
+ return id;
+ }
+
+ /** Return the attributes for the supplementary information element, as a <code>Map</code> in which
+ * keys represent attribute identifiers and values represent attribute values.
+ *
+ * @return attributes for the supplementary information element.
+ */
+ @Override
+ public Map<String, String> getAttributes() {
+ return attributes;
+ }
+
+}
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/AuthzResource.java b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/AuthzResource.java new file mode 100644 index 00000000..1a201b7e --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/AuthzResource.java @@ -0,0 +1,100 @@ +/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+
+
+package com.att.research.datarouter.authz.impl;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/** Internal representation of an authorization resource (the entity to which access is being requested). Consists
+ * of a type and an identifier. The constructor takes the request URI from an HTTP request and checks it against
+ * patterns for the the different resource types. In DR R1, there are four resource types:
+ * <ul>
+ * <li>the feeds collection resource, the target of POST requests to create a new feed and GET requests to list
+ * the existing feeds. This is the root resource for the DR provisioning system, and it has no explicit id.
+ * </li>
+ * <li>a feed resource, the target of GET, PUT, and DELETE requests used to manage an existing feed. Each feed
+ * has a unique feed ID.
+ * </li>
+ * <li>a subscription collection resource, the target of POST requests to create a new subscription and GET requests
+ * to list the subscriptions for a feed. Each feed has a subscription collection, and the ID associated with a
+ * subscription collection is the ID of the feed.
+ * </li>
+ * <li>a subscription resource, the target of GET, PUT, and DELETE requests used to manage an existing subscription.
+ * Each subscription has a unique subscription ID.
+ * </li>
+ *
+ * @author J. F. Lucas
+ *
+ */
+public class AuthzResource {
+ private ResourceType type = null;
+ private String id = "";
+
+ /* Construct an AuthzResource by matching a request URI against the various patterns */
+ public AuthzResource(String rURI) {
+ if (rURI != null) {
+ for (ResourceType t : ResourceType.values()) {
+ Matcher m = t.getPattern().matcher(rURI);
+ if (m.find(0)) {
+ this.type = t;
+ if (m.group("id") != null) {
+ this.id = m.group("id");
+ }
+ break;
+ }
+ }
+ }
+ }
+
+ public ResourceType getType() {
+ return this.type;
+ }
+
+ public String getId() {
+ return this.id;
+ }
+
+ /* Enumeration that helps turn a request URI into something more useful for
+ * authorization purposes by given a type name and a pattern for determining if the URI
+ * represents that resource type.
+ * Highly dependent on the URL scheme, could be parameterized.
+ */
+ public enum ResourceType {
+ FEEDS_COLLECTION("((://[^/]+/)|(^/))(?<id>)$"),
+ SUBS_COLLECTION ("((://[^/]+/)|(^/{0,1}))subscribe/(?<id>[^/]+)$"),
+ FEED("((://[^/]+/)|(^/{0,1}))feed/(?<id>[^/]+)$"),
+ SUB("((://[^/]+/)|(^/{0,1}))subs/(?<id>[^/]+)$");
+
+ private Pattern uriPattern;
+
+ private ResourceType(String patternString) {
+ this.uriPattern = Pattern.compile(patternString);
+ }
+
+ Pattern getPattern() {
+ return this.uriPattern;
+ }
+ }
+}
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/ProvAuthorizer.java b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/ProvAuthorizer.java new file mode 100644 index 00000000..d6683d5c --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/ProvAuthorizer.java @@ -0,0 +1,179 @@ +/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+
+package com.att.research.datarouter.authz.impl;
+
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.log4j.Logger;
+
+import com.att.research.datarouter.authz.AuthorizationResponse;
+import com.att.research.datarouter.authz.Authorizer;
+import com.att.research.datarouter.authz.impl.AuthzResource.ResourceType;
+
+/** Authorizer for the provisioning API for Data Router R1
+ *
+ * @author J. F. Lucas
+ *
+ */
+public class ProvAuthorizer implements Authorizer {
+
+ private Logger log;
+ private ProvDataProvider provData;
+
+ private static final String SUBJECT_HEADER = "X-ATT-DR-ON-BEHALF-OF"; // HTTP header carrying requester identity
+ private static final String SUBJECT_HEADER_GROUP = "X-ATT-DR-ON-BEHALF-OF-GROUP"; // HTTP header carrying requester identity by group Rally : US708115
+ /** Constructor. For the moment, do nothing special. Make it a singleton?
+ *
+ */
+ public ProvAuthorizer(ProvDataProvider provData) {
+ this.provData = provData;
+ this.log = Logger.getLogger(this.getClass());
+ }
+
+ /**
+ * Determine if the API request carried in the <code>request</code> parameter is permitted.
+ *
+ * @param request the HTTP request for which an authorization decision is needed
+ * @return an object implementing the <code>AuthorizationResponse</code> interface. This object includes the
+ * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
+ * of advice and obligations.
+ */
+ @Override
+ public AuthorizationResponse decide(HttpServletRequest request) {
+ return this.decide(request, null);
+ }
+
+ /**
+ * Determine if the API request carried in the <code>request</code> parameter, with additional attributes provided in
+ * the <code>additionalAttrs</code> parameter, is permitted. <code>additionalAttrs</code> isn't used in R1.
+ *
+ * @param request the HTTP request for which an authorization decision is needed
+ * @param additionalAttrs additional attributes that the <code>Authorizer</code> can in making an authorization decision
+ * @return an object implementing the <code>AuthorizationResponse</code> interface. This object includes the
+ * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
+ * of advice and obligations.
+ */
+ @Override
+ public AuthorizationResponse decide(HttpServletRequest request,
+ Map<String, String> additionalAttrs) {
+ log.trace ("Entering decide()");
+
+ boolean decision = false;
+
+ // Extract interesting parts of the HTTP request
+ String method = request.getMethod();
+ AuthzResource resource = new AuthzResource(request.getRequestURI());
+ String subject = (request.getHeader(SUBJECT_HEADER)); // identity of the requester
+ String subjectgroup = (request.getHeader(SUBJECT_HEADER_GROUP)); // identity of the requester by group Rally : US708115
+
+ log.trace("Method: " + method + " -- Type: " + resource.getType() + " -- Id: " + resource.getId() +
+ " -- Subject: " + subject);
+
+ // Choose authorization method based on the resource type
+ ResourceType resourceType = resource.getType();
+ if (resourceType != null) {
+
+ switch (resourceType) {
+
+ case FEEDS_COLLECTION:
+ decision = allowFeedsCollectionAccess(resource, method, subject, subjectgroup);
+ break;
+
+ case SUBS_COLLECTION:
+ decision = allowSubsCollectionAccess(resource, method, subject, subjectgroup);
+ break;
+
+ case FEED:
+ decision = allowFeedAccess(resource, method, subject, subjectgroup);
+ break;
+
+ case SUB:
+ decision = allowSubAccess(resource, method, subject, subjectgroup);
+ break;
+
+ default:
+ decision = false;
+ break;
+ }
+ }
+ log.debug("Exit decide(): " + method + "|" + resourceType + "|" + resource.getId() + "|" + subject + " ==> " + decision);
+
+ return new AuthRespImpl(decision);
+ }
+
+ private boolean allowFeedsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
+
+ // Allow GET or POST unconditionally
+ return method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("POST"));
+ }
+
+ private boolean allowSubsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
+
+ // Allow GET or POST unconditionally
+ return method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("POST"));
+ }
+
+ private boolean allowFeedAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
+ boolean decision = false;
+
+ // Allow GET, PUT, or DELETE if requester (subject) is the owner (publisher) of the feed
+ if ( method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("PUT") ||
+ method.equalsIgnoreCase("DELETE"))) {
+
+ String owner = provData.getFeedOwner(resource.getId());
+ decision = (owner != null) && owner.equals(subject);
+
+ //Verifying by group Rally : US708115
+ if(subjectgroup != null) {
+ String feedowner = provData.getGroupByFeedGroupId(subject, resource.getId());
+ decision = (feedowner != null) && feedowner.equals(subjectgroup);
+ }
+ }
+
+ return decision;
+ }
+
+ private boolean allowSubAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
+ boolean decision = false;
+
+ // Allow GET, PUT, or DELETE if requester (subject) is the owner of the subscription (subscriber)
+ if (method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("PUT") ||
+ method.equalsIgnoreCase("DELETE") || method.equalsIgnoreCase("POST"))) {
+
+ String owner = provData.getSubscriptionOwner(resource.getId());
+ decision = (owner != null) && owner.equals(subject);
+
+ //Verifying by group Rally : US708115
+ if(subjectgroup != null) {
+ String feedowner = provData.getGroupBySubGroupId(subject, resource.getId());
+ decision = (feedowner != null) && feedowner.equals(subjectgroup);
+ }
+ }
+
+ return decision;
+ }
+
+}
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/ProvDataProvider.java b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/ProvDataProvider.java new file mode 100644 index 00000000..76ae0344 --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/ProvDataProvider.java @@ -0,0 +1,66 @@ +/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.research.datarouter.authz.impl;
+
+/** Interface to access data about subscriptions and feeds. A software component that
+ * uses the <code>ProvAuthorizer</code> needs to supply an implementation of this interface.
+ * @author J. F. Lucas
+ *
+ */
+public interface ProvDataProvider {
+
+ /** Get the identity of the owner of a feed.
+ *
+ * @param feedId the feed ID of the feed whose owner is being looked up.
+ * @return the feed owner's identity
+ */
+ public String getFeedOwner(String feedId);
+
+ /** Get the security classification of a feed.
+ *
+ * @param feedId the ID of the feed whose classification is being looked up.
+ * @return the classification of the feed.
+ */
+ public String getFeedClassification(String feedId);
+
+ /** Get the identity of the owner of a feed
+ *
+ * @param subId the ID of the subscripition whose owner is being looked up.
+ * @return the subscription owner's identity.
+ */
+ public String getSubscriptionOwner(String subId);
+
+ /** Get the identity of the owner of a feed by group id - Rally : US708115
+ *
+ * @param feedid, user the ID of the feed whose owner is being looked up.
+ * @return the feed owner's identity by group.
+ */
+ public String getGroupByFeedGroupId(String owner, String feedId);
+
+ /** Get the identity of the owner of a sub by group id Rally : US708115
+ *
+ * @param subid, user the ID of the feed whose owner is being looked up.
+ * @return the feed owner's identity by group.
+ */
+ public String getGroupBySubGroupId(String owner, String subId);
+}
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/package.html b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/package.html new file mode 100644 index 00000000..fae27ee0 --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/package.html @@ -0,0 +1,68 @@ +#-------------------------------------------------------------------------------
+# ============LICENSE_START==================================================
+# * org.onap.dmaap
+# * ===========================================================================
+# * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# * ===========================================================================
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# * ============LICENSE_END====================================================
+# *
+# * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+# *
+#-------------------------------------------------------------------------------
+
+<html>
+<head>
+</head>
+<body>
+<p>
+This package provides an implementation of the authorization-related interfaces
+defined by the <code>com.att.research.datarouter.authz</code> package, intended for
+use with the provisioning server for Data Router Release 1. In DR R1, we do not
+have an external policy engine, so this implementation performs the authorization
+locally.
+</p>
+<p>
+In order to perform the authorization, this package needs access to provisioning data
+about feeds and subscriptions. This package defines an interface
+(<code>com.att.research.datarouter.authz.impl.ProvDataProvider</code>) through which it
+expects to get this data. The provisioning server code must provide an implementation
+of this interface.
+</p>
+<p>
+A software component that wishes to use this implementation must:
+<ul>
+<li>Provide an implementation of the
+<code>com.att.research.datarouter.authz.impl.ProvDataProvider</code>
+interface.
+</li>
+<li>
+Create an instance of the <code>ProvDataProvider</code> implementation.
+<li>
+Create an instance of the
+<code>com.att.research.datarouter.authz.impl.ProvAuthorizer</code>
+class defined in this package, passing it an instance of the <code>ProvDataProvider</code>
+implementation.
+</li>
+</ul>
+</p>
+<p>
+Example:
+<pre>
+<code>
+ProvDataProvider dataProv = new MyDataProvider();
+Authorizer authz = new ProvAuthorizer(dataProv);
+</code>
+</pre>
+</body>
+</html>
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/package.html b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/package.html new file mode 100644 index 00000000..7628ae82 --- /dev/null +++ b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/package.html @@ -0,0 +1,38 @@ +#-------------------------------------------------------------------------------
+# ============LICENSE_START==================================================
+# * org.onap.dmaap
+# * ===========================================================================
+# * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# * ===========================================================================
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# * ============LICENSE_END====================================================
+# *
+# * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+# *
+#-------------------------------------------------------------------------------
+
+<html>
+<head>
+</head>
+<body>
+<p>
+This package defines an interface that can be used by servlet-based HTTP APIs to
+make authorization requests and receive authorization responses from an external
+authorization entity such as a XACML Policy Decision Point (PDP).
+</p>
+<p>
+In Data Router Release 1, there is no external authorization system. The provisioning server
+will use an implementation of this interface for local authorization of provisioning requests.
+</p>
+</body>
+</html>
|