From 91d04c64771832a0b8815ffbe1f0f9920320d94d Mon Sep 17 00:00:00 2001 From: Pamela Dragosh Date: Tue, 14 Feb 2017 19:41:00 -0500 Subject: Initial OpenECOMP policy/engine commit Change-Id: I7dbff37733b661643dd4d1caefa3d7dccc361b6e Signed-off-by: Pamela Dragosh --- .../pap/xacml/restAuth/AuthenticationService.java | 74 ++++++++ .../policy/pap/xacml/restAuth/CheckPDP.java | 203 +++++++++++++++++++++ .../xacml/restAuth/PAPAuthenticationFilter.java | 130 +++++++++++++ 3 files changed, 407 insertions(+) create mode 100644 ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/AuthenticationService.java create mode 100644 ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/CheckPDP.java create mode 100644 ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/PAPAuthenticationFilter.java (limited to 'ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth') diff --git a/ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/AuthenticationService.java b/ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/AuthenticationService.java new file mode 100644 index 000000000..003585b71 --- /dev/null +++ b/ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/AuthenticationService.java @@ -0,0 +1,74 @@ +/*- + * ============LICENSE_START======================================================= + * ECOMP-PAP-REST + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.policy.pap.xacml.restAuth; + +import java.util.Base64; +import java.util.StringTokenizer; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openecomp.policy.rest.XACMLRestProperties; + +import org.openecomp.policy.xacml.api.XACMLErrorConstants; +import com.att.research.xacml.util.XACMLProperties; + +import org.openecomp.policy.common.logging.eelf.MessageCodes; +import org.openecomp.policy.common.logging.eelf.PolicyLogger; +import org.openecomp.policy.common.logging.flexlogger.FlexLogger; +import org.openecomp.policy.common.logging.flexlogger.Logger; + +public class AuthenticationService { + private String papID = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID); + private String papPass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS); + private static final Logger logger = FlexLogger.getLogger(AuthenticationService.class); + + public boolean authenticate(String authCredentials) { + + if (null == authCredentials) + return false; + // header value format will be "Basic encodedstring" for Basic authentication. + final String encodedUserPassword = authCredentials.replaceFirst("Basic" + " ", ""); + String usernameAndPassword = null; + try { + byte[] decodedBytes = Base64.getDecoder().decode(encodedUserPassword); + usernameAndPassword = new String(decodedBytes, "UTF-8"); + } catch (Exception e) { + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR + e); + PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "AuthenticationService", "Exception decoding username and password"); + return false; + } + try { + final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":"); + final String username = tokenizer.nextToken(); + final String password = tokenizer.nextToken(); + + boolean authenticationStatus = papID.equals(username) && papPass.equals(password); + return authenticationStatus; + } catch (Exception e){ + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR + e); + PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "AuthenticationService", "Exception authenticating user"); + return false; + } + } + +} diff --git a/ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/CheckPDP.java b/ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/CheckPDP.java new file mode 100644 index 000000000..ce35a7089 --- /dev/null +++ b/ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/CheckPDP.java @@ -0,0 +1,203 @@ +/*- + * ============LICENSE_START======================================================= + * ECOMP-PAP-REST + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.policy.pap.xacml.restAuth; + +import org.openecomp.policy.common.logging.eelf.MessageCodes; +import org.openecomp.policy.common.logging.eelf.PolicyLogger; + +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Base64; +import java.util.Collection; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Properties; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openecomp.policy.pap.xacml.rest.XACMLPapServlet; + +import org.openecomp.policy.xacml.api.XACMLErrorConstants; + +import org.openecomp.policy.common.logging.flexlogger.FlexLogger; +import org.openecomp.policy.common.logging.flexlogger.Logger; + +public class CheckPDP { + + private static Path pdpPath = null; + private static Properties pdpProp = null; + private static Long oldModified = null; + private static Long newModified = null; + private static HashMap pdpMap = null; + private static final Logger logger = FlexLogger.getLogger(CheckPDP.class); + + public static boolean validateID(String id) { + // ReadFile + try { + readFile(); + } catch (Exception e) { + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR + e); + PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "CheckPDP", "Exception reading file"); + return false; + } + // Check ID + if (pdpMap.containsKey(id)) { + return true; + } + return false; + } + + private static void readFile() throws Exception { + String pdpFile = XACMLPapServlet.getPDPFile(); + if (pdpFile == null) { + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR + "PDP File name not Valid : " + pdpFile); + PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + "PDP File name is undefined"); + throw new Exception(XACMLErrorConstants.ERROR_SYSTEM_ERROR +"PDP File name not Valid : " + pdpFile); + } + if (pdpPath == null) { + pdpPath = Paths.get(pdpFile); + if (Files.notExists(pdpPath)) { + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR + "File doesn't exist in the specified Path : " + pdpPath.toString()); + PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + "File doesn't exist in the specified Path"); + throw new Exception(XACMLErrorConstants.ERROR_SYSTEM_ERROR +"File doesn't exist in the specified Path : "+ pdpPath.toString()); + } + if (pdpPath.toString().endsWith(".properties")) { + readProps(); + } else { + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR + "Not a .properties file " + pdpFile); + PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + "Not a .properties file"); + throw new Exception(XACMLErrorConstants.ERROR_SYSTEM_ERROR +"Not a .properties file"); + } + } + // Check if File is updated recently + else { + newModified = pdpPath.toFile().lastModified(); + if (newModified != oldModified) { + // File has been updated. + readProps(); + } + } + } + + private static void readProps() throws Exception { + InputStream in; + pdpProp = new Properties(); + try { + in = new FileInputStream(pdpPath.toFile()); + oldModified = pdpPath.toFile().lastModified(); + pdpProp.load(in); + } catch (IOException e) { + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR + e); + PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "CheckPDP", "Cannot load the Properties file"); + throw new Exception("Cannot Load the Properties file", e); + } + // Read the Properties and Load the PDPs and encoding. + pdpMap = new HashMap(); + // Check the Keys for PDP_URLs + Collection unsorted = pdpProp.keySet(); + List sorted = new ArrayList(unsorted); + Collections.sort(sorted); + for (String propKey : sorted) { + if (propKey.startsWith("PDP_URL")) { + String check_val = pdpProp.getProperty(propKey); + if (check_val == null) { + throw new Exception("Properties file doesn't have the PDP_URL parameter"); + } + if (check_val.contains(";")) { + List pdp_default = new ArrayList(Arrays.asList(check_val.split("\\s*;\\s*"))); + int pdpCount = 0; + while (pdpCount < pdp_default.size()) { + String pdpVal = pdp_default.get(pdpCount); + readPDPParam(pdpVal); + pdpCount++; + } + } else { + readPDPParam(check_val); + } + } + } + if (pdpMap == null || pdpMap.isEmpty()) { + logger.debug(XACMLErrorConstants.ERROR_SYSTEM_ERROR + "Cannot Proceed without PDP_URLs"); + throw new Exception(XACMLErrorConstants.ERROR_SYSTEM_ERROR +"Cannot Proceed without PDP_URLs"); + } + } + + private static void readPDPParam(String pdpVal) throws Exception{ + if(pdpVal.contains(",")){ + List pdpValues = new ArrayList(Arrays.asList(pdpVal.split("\\s*,\\s*"))); + if(pdpValues.size()==3){ + // 1:2 will be UserID:Password + String userID = pdpValues.get(1); + String pass = pdpValues.get(2); + Base64.Encoder encoder = Base64.getEncoder(); + // 0 - PDPURL + pdpMap.put(pdpValues.get(0), encoder.encodeToString((userID+":"+pass).getBytes(StandardCharsets.UTF_8))); + }else{ + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_PERMISSIONS + "No Credentials to send Request: " + pdpValues); + PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + "No Credentials to send Request"); + throw new Exception(XACMLErrorConstants.ERROR_PERMISSIONS + "No enough Credentials to send Request. " + pdpValues); + } + }else{ + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_PERMISSIONS + "No Credentials to send Request: " + pdpVal); + PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + "No Credentials to send Request: " + pdpVal); + throw new Exception(XACMLErrorConstants.ERROR_PERMISSIONS +"No enough Credentials to send Request."); + } + } + + public static String getEncoding(String pdpID){ + try { + readFile(); + } catch (Exception e) { + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR + e); + PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "CheckPDP", "Exeption reading Properties file"); + } + String encoding = null; + if(pdpMap!=null && (!pdpMap.isEmpty())){ + try{ + encoding = pdpMap.get(pdpID); + } catch(Exception e){ + //TODO:EELF Cleanup - Remove logger + //logger.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR + e); + PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "CheckPDP", "Exception encoding"); + } + return encoding; + }else{ + return null; + } + } + +} diff --git a/ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/PAPAuthenticationFilter.java b/ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/PAPAuthenticationFilter.java new file mode 100644 index 000000000..817629420 --- /dev/null +++ b/ECOMP-PAP-REST/src/main/java/org/openecomp/policy/pap/xacml/restAuth/PAPAuthenticationFilter.java @@ -0,0 +1,130 @@ +/*- + * ============LICENSE_START======================================================= + * ECOMP-PAP-REST + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.policy.pap.xacml.restAuth; + +import java.io.IOException; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.annotation.WebFilter; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openecomp.policy.pap.xacml.rest.XACMLPapServlet; + +/** + * Servlet Filter implementation class PAPAuthenticationFilter + */ +@WebFilter("/*") +public class PAPAuthenticationFilter implements Filter { + + private static final Log logger = LogFactory.getLog(PAPAuthenticationFilter.class); + public static final String AUTHENTICATION_HEADER = "Authorization"; + + @Override + public void doFilter(ServletRequest request, ServletResponse response, + FilterChain filter) throws IOException, ServletException { + + + if (request instanceof HttpServletRequest) { + HttpServletRequest httpServletRequest = (HttpServletRequest) request; + + String authCredentials = null; + String url = httpServletRequest.getRequestURI(); + + logger.info("Request URI: " + url); + System.out.println("Request URI: " + url); + + //getting authentication credentials + if(url.contains("@Auth@")){ + int authIndex = url.lastIndexOf("@"); + int endAuthIndex = url.indexOf("/ecomp"); + authCredentials = "Basic " + url.substring(authIndex+1, endAuthIndex); + + //parse the url for /pap/ecomp/ + String url1 = url.substring(0, 4); + String url2 = url.substring(endAuthIndex, url.length()); + url = url1 + url2; + + } else { + authCredentials = httpServletRequest.getHeader(AUTHENTICATION_HEADER); + } + + // Check Authentication credentials + AuthenticationService authenticationService = new AuthenticationService(); + boolean authenticationStatus = authenticationService.authenticate(authCredentials); + + if (authenticationStatus) { + //indicates the request comes from Traditional Admin Console or PolicyEngineAPI + if (url.equals("/pap/")){ + logger.info("Request comes from Traditional Admin Console or PolicyEngineAPI"); + + //forward request to the XACMLPAPServlet if authenticated + request.getRequestDispatcher("/pap/pap/").forward(request, response); + + }else if (url.startsWith("/pap/ecomp/")){ + + //indicates the request comes from the ECOMP Portal ecomp-sdk-app + if(response instanceof HttpServletResponse) { + HttpServletResponse alteredResponse = ((HttpServletResponse)response); + addCorsHeader(alteredResponse); + logger.info("Request comes from Ecomp Portal"); + //Spring dispatcher servlet is at the end of the filter chain at /pap/ecomp/ path + System.out.println("New Request URI: " + url); + //request.getRequestDispatcher(url).forward(request, alteredResponse); + filter.doFilter(request, response); + } + + } + + } else { + if (response instanceof HttpServletResponse) { + HttpServletResponse httpServletResponse = (HttpServletResponse) response; + httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED); + } + } + + } + } + + //method to add CorsHeaders for ecomp portal rest call + private void addCorsHeader(HttpServletResponse response) { + logger.info("Adding Cors Response Headers!!!"); + response.addHeader("Access-Control-Allow-Origin", "*"); + response.addHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, HEAD"); + response.addHeader("Access-Control-Allow-Headers", "X-PINGOTHER, Origin, X-Requested-With, Content-Type, Accept"); + response.addHeader("Access-Control-Max-Age", "1728000"); + } + + @Override + public void destroy() { + } + + @Override + public void init(FilterConfig arg0) throws ServletException { + } +} -- cgit 1.2.3-korg