From 7246eabfd23d6cadc9f658f666df62b93f30ed70 Mon Sep 17 00:00:00 2001 From: st782s Date: Tue, 20 Nov 2018 07:31:32 -0500 Subject: CADI Integration Issue-ID: PORTAL-474 System to system authorization using CADI Change-Id: I76487f8155a36fca8283669fe5e28ec7d5aec91d Signed-off-by: st782s
---
 .../portalsdk/core/onboarding/util/AuthUtil.java | 190 +++++++++++++++++++++ 1 file changed, 190 insertions(+) create mode 100644 ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java (limited to 'ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java')
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java
new file mode 100644
index 00000000..a7aa6765
--- /dev/null
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/AuthUtil.java
@@ -0,0 +1,190 @@
+/*
+ * ============LICENSE_START==========================================
+ * ONAP Portal SDK
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ *
+ */
+package org.onap.portalsdk.core.onboarding.util;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.codec.DecoderException;
+import org.apache.commons.codec.binary.Hex;
+import org.onap.aaf.cadi.CadiWrap;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.onboarding.exception.PortalAPIException;
+
+public class AuthUtil {
+
+ private static final String decodeValueOfForwardSlash = "2f";
+ private static final String decodeValueOfHyphen = "2d";
+ private static final String decodeValueOfAsterisk = "2a";
+ private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AuthUtil.class);
+
+ /*
+ * This method compares the portalApiPath against the urlPattern; splits the
+ * portalApiPath by "/" and compares each part with that of the urlPattern.
+ *
+ * Example: "xyz/1/abc" matches with the pattern "xyz/* /abc" but not with
+ * "xyz/*"
+ *
+ */
+ public static Boolean matchPattern(String portalApiPath, String urlPattern) {
+ String[] path = portalApiPath.split("/");
+ if (path.length > 1) {
+
+ String[] roleFunctionArray = urlPattern.split("/");
+ boolean match = true;
+ if (roleFunctionArray.length == path.length) {
+ for (int i = 0; i < roleFunctionArray.length; i++) {
+ if (match) {
+ if (!roleFunctionArray[i].equals("*")) {
+ Pattern p = Pattern.compile(Pattern.quote(path[i]), Pattern.CASE_INSENSITIVE);
+ Matcher m = p.matcher(roleFunctionArray[i]);
+ match = m.matches();
+
+ }
+ }
+ }
+ if (match)
+ return match;
+ }
+ } else {
+ if (portalApiPath.matches(urlPattern))
+ return true;
+ else if (urlPattern.equals("*"))
+ return true;
+
+ }
+ return false;
+ }
+ /**
+ *
+ * @param request
+ * @return returns list of AAFPermission of the requested MechId for all the namespaces
+ */
+ public static List getAAFPermissions(HttpServletRequest request) {
+ CadiWrap wrapReq = (CadiWrap) request;
+ List perms = wrapReq.getPermissions(wrapReq.getUserPrincipal());
+ List aafPermsList = new ArrayList<>();
+ for (Permission perm : perms) {
+ AAFPermission aafPerm = (AAFPermission) perm;
+ aafPermsList.add(aafPerm);
+ }
+ return aafPermsList;
+ }
+
+ /**
+ *
+ * @param request
+ * @return returns list of AAFPermission for the specific namespace
+ */
+ public static List getNameSpacesAAFPermissions(String nameSpace,
+ List allPermissionsList) {
+ String type = nameSpace + ".url";
+ allPermissionsList.removeIf(perm -> (!perm.getType().equals(type)));
+ return allPermissionsList;
+ }
+ /**
+ *
+ * @param permsList
+ * @return returns the list of instaces of namespace
+ * @throws PortalAPIException
+ */
+ public static List getAllInstances(List permsList) throws PortalAPIException {
+ List instanceList = permsList.stream().map(AAFPermission::getInstance).collect(Collectors.toList());
+
+ List finalInstanceList = new ArrayList<>();
+ for (String instance : instanceList) {
+ String str = "";
+ if (instance.equals("*"))
+ str = instance;
+ else
+ str = decodeFunctionCode(instance);
+ finalInstanceList.add(str);
+ }
+ return finalInstanceList;
+ }
+
+ public static String decodeFunctionCode(String str) throws PortalAPIException {
+ String decodedString = str;
+ List decodingList = new ArrayList<>();
+ decodingList.add(Pattern.compile(decodeValueOfForwardSlash));
+ decodingList.add(Pattern.compile(decodeValueOfHyphen));
+ decodingList.add(Pattern.compile(decodeValueOfAsterisk));
+ for (Pattern xssInputPattern : decodingList) {
+ try {
+ decodedString = decodedString.replaceAll("%" + xssInputPattern,
+ new String(Hex.decodeHex(xssInputPattern.toString().toCharArray())));
+ } catch (DecoderException e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "Decode Failed! for instance: "+ str);
+ throw new PortalAPIException("decode failed", e);
+ }
+ }
+
+ return decodedString;
+ }
+
+ /**
+ *
+ * @param request
+ * @param nameSpace application namespace
+ * @return boolean value if the access is allowed
+ * @throws PortalAPIException
+ */
+ public static boolean isAccessAllowed(HttpServletRequest request, String nameSpace) throws PortalAPIException {
+ List aafPermsList = getAAFPermissions(request);
+ logger.debug(EELFLoggerDelegate.debugLogger, "Application nameSpace: "+ nameSpace);
+ if (nameSpace.isEmpty()) {
+ throw new PortalAPIException("NameSpace not Declared!");
+ }
+ List aafPermsFinalList = getNameSpacesAAFPermissions(nameSpace, aafPermsList);
+ List finalInstanceList = getAllInstances(aafPermsFinalList);
+ String requestUri = request.getRequestURI().substring(request.getContextPath().length() + 1);
+ boolean isauthorized = false;
+ for (String str : finalInstanceList) {
+ if (!isauthorized)
+ isauthorized = matchPattern(requestUri, str);
+ }
+ return isauthorized;
+ }
+}
\ No newline at end of file -- cgit 1.2.3-korg
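Review bot: `isAccessAllowed` makes its authorization decision on `request.getRequestURI().substring(request.getContextPath().length() + 1)`, which is the raw, still-encoded request path and which throws `StringIndexOutOfBoundsException` when the URI is exactly the context path (no trailing slash), so a request for the application root ends in an exception instead of a clean deny. Because `getRequestURI()` is neither decoded nor normalized, the segments handed to `matchPattern` can differ from the path the container actually dispatches (percent-encoded characters, path parameters such as `;jsessionid=`, repeated slashes), so the permission instance and the served resource may disagree; the container-decoded pair is the safer basis: `String path = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());` followed by `String requestUri = path.startsWith("/") ? path.substring(1) : path;`. Separately, `matchPattern`'s single-segment branch passes the decoded permission instance to `String.matches` as a regular expression while the multi-segment branch `Pattern.quote`s each segment, so a `.` or other metacharacter in an instance matches more than the literal path; `portalApiPath.equalsIgnoreCase(urlPattern)` would keep both branches literal and consistent. The `nameSpace.isEmpty()` guard also runs after `getAAFPermissions(request)` has already cast the request to `CadiWrap`; moving the guard (and a null check) to the top of the method fails fast on misconfiguration before any permission lookup.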