diff options
4 files changed, 315 insertions, 17 deletions
diff --git a/cmso-service/src/main/java/org/onap/optf/cmso/aaf/AafClientCache.java b/cmso-service/src/main/java/org/onap/optf/cmso/aaf/AafClientCache.java index 847836b..3b55a84 100755 --- a/cmso-service/src/main/java/org/onap/optf/cmso/aaf/AafClientCache.java +++ b/cmso-service/src/main/java/org/onap/optf/cmso/aaf/AafClientCache.java @@ -90,7 +90,7 @@ public class AafClientCache { if (!env.getProperty(AafProperties.aafEnabled.toString(), Boolean.class, true)) {
return AuthorizationResult.Authorized;
}
- Map<String, String> auth = getUserPasssword(requestContext);
+ Map<String, String> auth = getUserPassword(requestContext);
String permissions = getPermissions(auth);
if (permissions == null) {
return AuthorizationResult.AuthenticationFailure;
@@ -209,7 +209,7 @@ public class AafClientCache { return AuthorizationResult.AuthenticationFailure;
}
- private Map<String, String> getUserPasssword(ContainerRequestContext requestContext) {
+ private Map<String, String> getUserPassword(ContainerRequestContext requestContext) {
String header = requestContext.getHeaderString("Authorization");
Map<String, String> userPassword = getUserPasswordFromAuthorizationHeader(header);
diff --git a/cmso-service/src/main/java/org/onap/optf/cmso/aaf/AafContainerFilters.java b/cmso-service/src/main/java/org/onap/optf/cmso/aaf/AafContainerFilters.java index a8d860d..f23dca0 100755 --- a/cmso-service/src/main/java/org/onap/optf/cmso/aaf/AafContainerFilters.java +++ b/cmso-service/src/main/java/org/onap/optf/cmso/aaf/AafContainerFilters.java @@ -1,6 +1,7 @@ /*
* Copyright (c) 2019 AT&T Intellectual Property.
* Modifications Copyright © 2018 IBM.
+ * Modifications Copyright © 2020 Nokia.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,30 +54,43 @@ import org.springframework.stereotype.Component; @Profile(SpringProfiles.AAF_AUTHENTICATION)
public class AafContainerFilters implements ContainerRequestFilter {
+ private static final String EMPTY_ENTITY_CONTENT = "";
+
@Autowired
- AafClientCache aafClientCache;
+ private AafClientCache aafClientCache;
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
- ResponseBuilder builder = null;
- AuthorizationResult status = null;
- try {
- status = aafClientCache.authorize(requestContext);
- } catch (Exception e) {
- Observation.report(LogMessages.UNEXPECTED_EXCEPTION, e, e.getMessage());
- status = AuthorizationResult.AuthenticationFailure;
- }
- switch (status) {
+ AuthorizationResult authorizationStatus = getAuthorizationResult(requestContext);
+ switch (authorizationStatus) {
case AuthenticationFailure:
- builder = Response.status(Response.Status.UNAUTHORIZED).entity("");
- builder.header("WWW-Authenticate", "Basic realm=\"Realm\"");
- throw new WebApplicationException(builder.build());
+ throw new WebApplicationException(createAuthenticationErrorResponse());
case AuthorizationFailure:
- builder = Response.status(Response.Status.FORBIDDEN).entity("");
- throw new WebApplicationException(builder.build());
+ throw new WebApplicationException(createAuthorizationErrorResponse());
case Authorized:
case Authenticated:
default:
}
}
+
+ private AuthorizationResult getAuthorizationResult(ContainerRequestContext requestContext) {
+ AuthorizationResult status;
+ try {
+ status = aafClientCache.authorize(requestContext);
+ } catch (Exception e) {
+ Observation.report(LogMessages.UNEXPECTED_EXCEPTION, e, e.getMessage());
+ status = AuthorizationResult.AuthenticationFailure;
+ }
+ return status;
+ }
+
+ private Response createAuthenticationErrorResponse() {
+ ResponseBuilder builder = Response.status(Response.Status.UNAUTHORIZED).entity(EMPTY_ENTITY_CONTENT);
+ builder.header("WWW-Authenticate", "Basic realm=\"Realm\"");
+ return builder.build();
+ }
+
+ private Response createAuthorizationErrorResponse() {
+ return Response.status(Response.Status.FORBIDDEN).entity(EMPTY_ENTITY_CONTENT).build();
+ }
}
diff --git a/cmso-service/src/test/java/org/onap/optf/cmso/aaf/AafClientCacheTest.java b/cmso-service/src/test/java/org/onap/optf/cmso/aaf/AafClientCacheTest.java new file mode 100644 index 0000000..ef2e425 --- /dev/null +++ b/cmso-service/src/test/java/org/onap/optf/cmso/aaf/AafClientCacheTest.java @@ -0,0 +1,169 @@ +package org.onap.optf.cmso.aaf; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.InjectMocks; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.runners.MockitoJUnitRunner; +import org.onap.optf.cmso.common.exceptions.CmsoException; +import org.springframework.core.env.Environment; + +import javax.ws.rs.container.ContainerRequestContext; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.SecurityContext; +import javax.ws.rs.core.UriInfo; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.Matchers.anyMap; +import static org.mockito.Matchers.eq; +import static org.mockito.Mockito.when; + +@RunWith(MockitoJUnitRunner.class) +public class AafClientCacheTest { + + @Mock + Environment env; + + @Mock + AafClient aafClient; + + @Mock + AafUserRoleProperties aafUserRoleProperties; + + @Mock + SecurityContext securityContext; + + @Mock + ContainerRequestContext requestContext; + + @Mock + UriInfo uriInfo; + + @Mock + Response aafResponse; + + @InjectMocks + AafClientCache aafClientCache; + + @Test + public void shouldAuthorizeActorWhenAafIsDisabled() { + // given + when(env.getProperty( + eq(AafProperties.aafEnabled.toString()), + eq(Boolean.class), + eq(true)) + ).thenReturn(false); + + // when + final AafClientCache.AuthorizationResult result = aafClientCache.authorize(requestContext); + + // then + assertThat(result).isEqualTo(AafClientCache.AuthorizationResult.Authorized); + } + + @Test + public void shouldAuthorizeActorToResourceWhenActorHasProperPermissions() throws URISyntaxException, CmsoException, JsonProcessingException { + // given + when(env.getProperty( + eq(AafProperties.aafEnabled.toString()), + eq(Boolean.class), + eq(true)) + ).thenReturn(true); + + AafUserRole requiredRole = new AafUserRole("/context/someMethod","org\\.onap\\.osaaf\\.resources\\.access\\|rest\\|read"); + + // configure request context + setRequestContextWithAuthorizationHeader(); + + // configure aaf response + configureAafClientToReturnRequiredRole(requiredRole); + + // define which role is required/expected for selected url and method + when(aafUserRoleProperties.getForUrlMethod(eq("/context"), eq("someMethod"))).thenReturn(List.of(requiredRole)); + + // when + final AafClientCache.AuthorizationResult result = aafClientCache.authorize(requestContext); + + // then + assertThat(result).isEqualTo(AafClientCache.AuthorizationResult.Authorized); + } + + @Test + public void shouldReportThatActorDoesNotHaveAccessToResourceWhenRolesDoNotMatch() throws URISyntaxException, CmsoException, JsonProcessingException { + // given + when(env.getProperty( + eq(AafProperties.aafEnabled.toString()), + eq(Boolean.class), + eq(true)) + ).thenReturn(true); + + AafUserRole requiredRole = new AafUserRole("/context/someMethod","org\\.onap\\.osaaf\\.resources\\.access\\|rest\\|read"); + AafUserRole roleReturnedByAaf = new AafUserRole("/context/someMethod","org\\.onap\\.osaaf\\.resources\\.access\\|rest\\|write"); + + // configure request context + setRequestContextWithAuthorizationHeader(); + + // configure aaf response + configureAafClientToReturnRequiredRole(roleReturnedByAaf); + + // define which role is required/expected for selected url and method + when(aafUserRoleProperties.getForUrlMethod(eq("/context"), eq("someMethod"))).thenReturn(List.of(requiredRole)); + + // when + final AafClientCache.AuthorizationResult result = aafClientCache.authorize(requestContext); + + // then + assertThat(result).isEqualTo(AafClientCache.AuthorizationResult.AuthorizationFailure); + } + + @Test + public void shouldReportThatActorDoesNotHaveAccessToResourceWhenUserAndPasswordWasNotSet() throws URISyntaxException { + // given + when(env.getProperty( + eq(AafProperties.aafEnabled.toString()), + eq(Boolean.class), + eq(true)) + ).thenReturn(true); + + setDefaultRequestContextConfiguration(); + + // when + final AafClientCache.AuthorizationResult result = aafClientCache.authorize(requestContext); + + // then + assertThat(result).isEqualTo(AafClientCache.AuthorizationResult.AuthenticationFailure); + } + + private void setRequestContextWithAuthorizationHeader() throws URISyntaxException { + when(requestContext.getHeaderString(eq("Authorization"))).thenReturn("Basic YWxhZGRpbjpvcGVuc2VzYW1l"); + setDefaultRequestContextConfiguration(); + } + + private void setDefaultRequestContextConfiguration() throws URISyntaxException { + when(requestContext.getUriInfo()).thenReturn(uriInfo); + when(uriInfo.getAbsolutePath()).thenReturn(new URI("/context")); + when(requestContext.getMethod()).thenReturn("someMethod"); + when(requestContext.getSecurityContext()).thenReturn(securityContext); + } + + private void configureAafClientToReturnRequiredRole(AafUserRole requiredRole) throws JsonProcessingException, CmsoException { + when(aafResponse.getStatus()).thenReturn(Response.Status.OK.getStatusCode()); + when(aafResponse.getStatusInfo()).thenReturn(Response.Status.OK); + when(aafResponse.readEntity(Mockito.eq(String.class))).thenReturn(givenAafResponse(requiredRole)); + + when(aafClient.getAuthz(anyMap())).thenReturn(aafResponse); + } + + private String givenAafResponse(AafUserRole role) throws JsonProcessingException { + ObjectMapper om = new ObjectMapper(); + final AafPermResponse aafPermResponse = new AafPermResponse(); + aafPermResponse.setPerm(role.getAafPerms()); + return om.writeValueAsString(aafPermResponse); + } +} diff --git a/cmso-service/src/test/java/org/onap/optf/cmso/aaf/AafContainerFiltersTest.java b/cmso-service/src/test/java/org/onap/optf/cmso/aaf/AafContainerFiltersTest.java new file mode 100644 index 0000000..95ad4aa --- /dev/null +++ b/cmso-service/src/test/java/org/onap/optf/cmso/aaf/AafContainerFiltersTest.java @@ -0,0 +1,115 @@ +/* + * Copyright (c) 2020 Nokia. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.onap.optf.cmso.aaf; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.InjectMocks; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.runners.MockitoJUnitRunner; + +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.container.ContainerRequestContext; + +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.assertj.core.api.Assertions.fail; + +@RunWith(MockitoJUnitRunner.class) +public class AafContainerFiltersTest { + + @Mock + AafClientCache aafClientCache; + + @Mock + ContainerRequestContext requestContext; + + @InjectMocks + AafContainerFilters aafContainerFilters; + + @Test + public void shouldReportUnauthorizedErrorWhenErrorOccursDuringFetchingDataFromAafCache() { + + // given + Mockito.doThrow(new IllegalArgumentException("For JUnit only!")) + .when(aafClientCache) + .authorize(Mockito.any()); + + // when/then + assertThatThrownBy(() -> aafContainerFilters.filter(requestContext)) + .isInstanceOf(WebApplicationException.class) + .hasMessage("HTTP 401 Unauthorized"); + } + + + @Test + public void shouldReportAuthorizationErrorWhenAccessToResourceIsForbidden() { + + // given + Mockito.when(aafClientCache.authorize(Mockito.any())) + .thenReturn(AafClientCache.AuthorizationResult.AuthorizationFailure); + + // when/then + assertThatThrownBy(() -> aafContainerFilters.filter(requestContext)) + .isInstanceOf(WebApplicationException.class) + .hasMessage("HTTP 403 Forbidden"); + } + + @Test + public void shouldAcceptRequestWhenActorWasAuthenticated() { + + // given + Mockito.when(aafClientCache.authorize(Mockito.any())) + .thenReturn(AafClientCache.AuthorizationResult.Authenticated); + + // when/then + try { + aafContainerFilters.filter(requestContext); + } catch (Exception e) { + fail("Operation should pass!"); + } + } + + @Test + public void shouldAcceptRequestWhenActorWasAuthorized() { + + // given + Mockito.when(aafClientCache.authorize(Mockito.any())) + .thenReturn(AafClientCache.AuthorizationResult.Authorized); + + // when/then + try { + aafContainerFilters.filter(requestContext); + } catch (Exception e) { + fail("Operation should pass!"); + } + } +} |