author | st782s <statta@research.att.com> | 2018-11-20 07:31:32 -0500 |
---|---|---|
committer | st782s <statta@research.att.com> | 2018-11-20 07:31:32 -0500 |
commit | 7246eabfd23d6cadc9f658f666df62b93f30ed70 (patch) | |
tree | f60963a0eb52e3bf645491afa5c6ed9477dc28c7 /ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi | |
parent | ace477c7097f4dc48498916ba2e024a81513ed93 (diff) |
CADI Integration
Issue-ID: PORTAL-474
System to system authorization using CADI
Change-Id: I76487f8155a36fca8283669fe5e28ec7d5aec91d
Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi')
3 files changed, 202 insertions, 9 deletions
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/CadiAuthFilter.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/CadiAuthFilter.java
new file mode 100644
index 00000000..8bddef85
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/CadiAuthFilter.java
@@ -0,0 +1,137 @@
+/*
+ * ============LICENSE_START==========================================
+ * ONAP Portal SDK
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ *
+ */
+package org.onap.portalsdk.core.onboarding.crossapi;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.filter.CadiFilter;
+import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
+import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
+
+public class CadiAuthFilter extends CadiFilter {
+
+ private static String inlclude_url_endpoints ="";
+ public static final String AUTHORIZATION = "Authorization";
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ super.init(filterConfig);
+ inlclude_url_endpoints = filterConfig.getInitParameter("inlclude_url_endpoints");
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+
+ if (inlclude_url_endpoints.equals("") || inlclude_url_endpoints == null || inlclude_url_endpoints.isEmpty()) {
+ throw new NullPointerException("inlclude_url_endpoints is null");
+ } else {
+ String includeUrlEndPointString = inlclude_url_endpoints;
+ ArrayList<String> includeUrlEndPointList = new ArrayList<String>(
+ Arrays.asList(includeUrlEndPointString.split(",")));
+ if (includeFilter(request, includeUrlEndPointList)) {
+ super.doFilter(request, response, chain);
+ } else
+ chain.doFilter(request, response);
+ }
+ }
+
+ private boolean includeFilter(ServletRequest request, ArrayList<String> includeapisList) {
+ boolean isauthenticated = false;
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+
+ if(httpRequest.getHeader(AUTHORIZATION) == null)
+ return isauthenticated;
+ // TODO: refactor to have exclusion pattern
+ String path = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length() + 1);
+ if (path.contains("analytics")) {
+ return isauthenticated;
+ }
+
+ for (String str : includeapisList) {
+ if (!isauthenticated)
+ isauthenticated = matchPattern(path, str);
+ }
+ if (isauthenticated && PortalApiProperties.getProperty(PortalApiConstants.ROLE_ACCESS_CENTRALIZED)
+ .equalsIgnoreCase("remote"))
+ isauthenticated = true;
+ else
+ isauthenticated = false;
+ return isauthenticated;
+ }
+
+ private boolean matchPattern(String requestedPath, String includeUrl) {
+ includeUrl = includeUrl.substring(1);
+ String[] path = requestedPath.split("/");
+ if (path.length > 1) {
+ String[] roleFunctionArray = includeUrl.split("/");
+ boolean match = true;
+ for (int i = 0; i < roleFunctionArray.length; i++) {
+ if (match) {
+ if (!roleFunctionArray[i].equals("*")) {
+ Pattern p = Pattern.compile(Pattern.quote(path[i]), Pattern.CASE_INSENSITIVE);
+ Matcher m = p.matcher(roleFunctionArray[i]);
+ match = m.matches();
+ } else if (roleFunctionArray[i].equals("*")) {
+ match = true;
+ }
+
+ }
+ }
+ if (match)
+ return match;
+ } else {
+ if (requestedPath.matches(includeUrl))
+ return true;
+ else if (includeUrl.equals("*"))
+ return true;
+ }
+ return false;
+ }
+
+}
\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java
index 208e8c3d..d53c0eb6 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPICentralServiceImpl.java
@@ -51,6 +51,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.onap.portalsdk.core.onboarding.exception.CipherUtilException;
 import org.onap.portalsdk.core.onboarding.exception.PortalAPIException;
 import org.onap.portalsdk.core.onboarding.rest.RestWebServiceClient;
+import org.onap.portalsdk.core.onboarding.util.AuthUtil;
 import org.onap.portalsdk.core.onboarding.util.CipherUtil;
 import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
 import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
@@ -71,6 +72,8 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService {
 IPortalRestCentralService portalRestCentralService;
 public static final String API_VERSION = "/v4";
 private static String portalApiVersion = "/v3";
+ private static final String nameSpace = PortalApiProperties
+ .getProperty(PortalApiConstants.AUTH_NAMESPACE);
 public PortalRestAPICentralServiceImpl() throws ServletException {
 String centralClassName = PortalApiProperties.getProperty(PortalApiConstants.PORTAL_API_IMPL_CLASS);
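Review bot: In doFilter the guard `inlclude_url_endpoints.equals("") || inlclude_url_endpoints == null || inlclude_url_endpoints.isEmpty()` dereferences the field before testing it for null, so a missing init-param produces an unlabelled NullPointerException instead of the intended message; reorder it to `if (inlclude_url_endpoints == null || inlclude_url_endpoints.isEmpty())`. In matchPattern the loop is bounded by `roleFunctionArray.length` but indexes `path[i]`, so an include pattern with more segments than the request path throws ArrayIndexOutOfBoundsException out of the filter; bound the loop by the shorter of the two (or return false when `path.length < roleFunctionArray.length`), and note that `includeUrl.substring(1)` fails the same way on an empty entry such as a trailing comma in the init-param. Also worth a comment in includeFilter: whether a request is routed through CadiFilter at all is decided purely from request-controlled data — presence of the Authorization header and the substring test `path.contains("analytics")` — so any URI containing that token anywhere, not only the analytics endpoint, takes the plain `chain.doFilter` branch; a segment-anchored exclusion (the existing TODO) and a comment stating that this branch relies on the servlet's own isAppAuthenticated check would make the contract explicit. `super.doFilter` is the CADI path and `chain.doFilter` the bypass, so a one-line comment on each would help the next reader, since the boolean is named isauthenticated but means "apply CADI".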
@@ -186,16 +189,13 @@ public class PortalRestAPICentralServiceImpl implements IPortalRestAPIService {
 @Override
 public boolean isAppAuthenticated(HttpServletRequest request) throws PortalAPIException {
- boolean response = false;
+ boolean accessAllowed = false;
 try {
- String restUser = request.getHeader("username");
- String restPw = request.getHeader("password");
- response = restUser != null && restPw != null && restUser.equals(username) && restPw.equals(password);
- logger.debug("isAppAuthenticated: " + response);
- } catch (Exception ex) {
- throw new PortalAPIException("isAppAuthenticated failed", ex);
+ accessAllowed = AuthUtil.isAccessAllowed(request, nameSpace);
+ } catch (Exception e) {
+ logger.error(e);
 }
- return response;
+ return accessAllowed;
 }
 @Override
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
index 1ce03146..71f66168 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
@@ -43,8 +43,13 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.util.Arrays;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.stream.Collectors;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
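Review bot: In isAppAuthenticated the new `catch (Exception e) { logger.error(e); }` turns every failure inside AuthUtil.isAccessAllowed into a silent deny with no message, where the removed code raised PortalAPIException; `logger.error("isAppAuthenticated failed", e);` keeps the stack trace attached to a searchable message, and since the method still declares `throws PortalAPIException` its javadoc should say that it now returns false on error rather than throwing. The failure most likely to land here is configuration: the -71 hunk initialises `nameSpace` from PortalApiProperties at class-load time, so a missing AUTH_NAMESPACE property yields a null that is handed to isAccessAllowed on every request instead of being reported once — a null check with an explicit log line in the constructor would surface that at startup. Failing closed on exception is the right default for an authentication hook; the point is only that operators need to be able to tell a denied caller from a broken deployment. The `username`/`password` fields the removed comparison used are no longer referenced by this method; if nothing else in the class reads them they can be dropped too.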
@@ -60,6 +65,7 @@ import org.onap.portalsdk.core.onboarding.rest.RestWebServiceClient;
 import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
 import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
 import org.onap.portalsdk.core.restful.domain.EcompRole;
+import org.onap.portalsdk.core.restful.domain.EcompRoleFunction;
 import org.onap.portalsdk.core.restful.domain.EcompUser;
 import org.owasp.esapi.ESAPI;
@@ -146,6 +152,8 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 response.getWriter().write(buildJsonResponse(false, "Misconfigured - no instance of service class"));
 return;
 }
+
+ String requestUri = request.getRequestURI();
 String responseJson = "";
 String storeAnalyticsContextPath = "/storeAnalytics";
@@ -217,6 +225,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 writeAndFlush(response, APPLICATION_JSON, buildJsonResponse(false, "Not authorized"));
 return;
 }
+
 try {
 String requestBody = readRequestBody(request);
@@ -264,6 +273,9 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 if (requestUri.endsWith(PortalApiConstants.API_PREFIX + "/user")) {
 try {
 EcompUser user = mapper.readValue(requestBody, EcompUser.class);
+ logger.debug("doPost: create user requestbody: "+ requestBody);
+ Set<EcompRole> userEcompRoles = getEcompRolesOfUser(user);
+ user.setRoles(userEcompRoles);
 pushUser(user);
 if (logger.isDebugEnabled())
 logger.debug("doPost: pushUser: success");
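Review bot: The added `logger.debug("doPost: create user requestbody: "+ requestBody);` in the -264 hunk writes the entire request payload to the log unconditionally, while the statement two lines below guards its debug output with `if (logger.isDebugEnabled())`; the body is an EcompUser document, so whatever personal data and role information a caller sends ends up in the log file, and the concatenation is paid even when debug logging is off. Apply the same guard and log an identifier taken from the parsed `user` object rather than the raw body — `if (logger.isDebugEnabled()) logger.debug("doPost: create user " + <user identifier>);` with whichever accessor EcompUser provides. The identical line appears in the -280 hunk on the update path and should be changed the same way. The enclosing doPost starts and ends outside these hunks.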
@@ -280,6 +292,9 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 String loginId = requestUri.substring(requestUri.lastIndexOf('/') + 1);
 try {
 EcompUser user = mapper.readValue(requestBody, EcompUser.class);
+ logger.debug("doPost: update user requestbody: "+ requestBody);
+ Set<EcompRole> userEcompRoles = getEcompRolesOfUser(user);
+ user.setRoles(userEcompRoles);
 editUser(loginId, user);
 if (logger.isDebugEnabled())
 logger.debug("doPost: editUser: success");
@@ -342,6 +357,7 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 buildJsonResponse(false, "Misconfigured - no instance of service class"));
 return;
 }
+
 String requestUri = request.getRequestURI();
 String contentType = APPLICATION_JSON;
@@ -413,7 +429,6 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 writeAndFlush(response, APPLICATION_JSON, buildJsonResponse(false, "Not authorized"));
 return;
 }
- String responseJson = null;
 try {
 // Ignore any request body in a GET.
@@ -683,4 +698,45 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 return portalRestApiServiceImpl.getCredentials();
 }
+ private Set<EcompRole> getEcompRolesOfUser(EcompUser user) throws JsonProcessingException
+ {
+
+ Set<EcompRole> userEcompRoles = new TreeSet<>();
+ Set<EcompRole> ecompRoles = user.getRoles();
+ for (EcompRole role : ecompRoles) {
+ Set roleFunctions = role.getRoleFunctions();
+ Iterator<EcompRoleFunction> roleIter = roleFunctions.iterator();
+ ObjectMapper mapper = new ObjectMapper();
+ Set<EcompRoleFunction> EcompRoleFunctions = new TreeSet<>();
+ while (roleIter.hasNext()) {
+ String str = mapper.writeValueAsString(roleIter.next());
+
+ String str1 = str.substring(1, str.length() - 1);
+ Map<String, String> result = Arrays.stream(str1.split(",")).map(s -> s.split(":"))
+ .collect(Collectors.toMap(a -> a[0], // key
+ a -> a[1] // value
+ ));
+
+ EcompRoleFunction roleFunction = new EcompRoleFunction();
+ for (Map.Entry<String, String> set : result.entrySet()) {
+ String key = set.getKey().replaceAll("\"", " ").trim();
+ if (!key.isEmpty() && key.equalsIgnoreCase("action")) {
+ roleFunction.setAction(set.getValue().replaceAll("\"", " ").trim());
+ } else if (!key.isEmpty() && key.equalsIgnoreCase("type")) {
+ roleFunction.setType(set.getValue().replaceAll("\"", " ").trim());
+
+ } else if (!key.isEmpty() && key.equalsIgnoreCase("code")) {
+ roleFunction.setCode(set.getValue().replaceAll("\"", " ").trim());
+
+ } else if (!key.isEmpty() && key.equalsIgnoreCase("name")) {
+ roleFunction.setName(set.getValue().replaceAll("\"", " ").trim());
+ }
+ }
+ EcompRoleFunctions.add(roleFunction);
+ }
+ role.setRoleFunctions(EcompRoleFunctions);
+ userEcompRoles.add(role);
+ }
+ return userEcompRoles;
+ }
 }
|
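Review bot: getEcompRolesOfUser rebuilds each EcompRoleFunction by serialising it with Jackson and then splitting the JSON text on `,` and `:`, which breaks as soon as any field value contains either character (a type or name with a colon, for instance), makes `a[1]` throw ArrayIndexOutOfBoundsException for a key with no value, lets `Collectors.toMap` throw on a repeated key, and turns a JSON null into the string "null"; Jackson can do the whole conversion in one call, `EcompRoleFunction roleFunction = mapper.convertValue(roleIter.next(), EcompRoleFunction.class);`, replacing the serialise/split/entrySet block. The method also dereferences `user.getRoles()` and `role.getRoleFunctions()` without a null check, so a create or update request that omits roles now fails with a NullPointerException before reaching pushUser/editUser (the callers are in the -264 and -280 hunks); guard with `if (ecompRoles == null) return userEcompRoles;` and skip a role whose function set is null. Both TreeSets require EcompRole and EcompRoleFunction to be Comparable or the first add throws ClassCastException — worth confirming against those classes, or using LinkedHashSet, which keeps the caller's order without that requirement. Smaller points: the raw `Set roleFunctions` should be typed, the local `EcompRoleFunctions` should be lowerCamelCase, and the ObjectMapper can be created once outside the loop.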