Add basic auth

Adding basic auth for SDC apis.

Issue-ID: OJSI-90
Signed-off-by: xuegao <xue.gao@intl.att.com>
Change-Id: Ie84e6bab8d8526f7f4d21a36bba52d8fe9abebbb
Signed-off-by: xuegao <xue.gao@intl.att.com>

5 files changed, 157 insertions, 2 deletions

diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/java/org/openecomp/server/filters/BasicAuthenticationFilter.java b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/java/org/openecomp/server/filters/BasicAuthenticationFilter.java
new file mode 100644
index 0000000000..c1eef1cd95
--- /dev/null
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/java/org/openecomp/server/filters/BasicAuthenticationFilter.java
@@ -0,0 +1,133 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.server.filters;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import org.onap.sdc.tosca.services.YamlUtil;
+import org.openecomp.sdc.be.config.Configuration.BasicAuthConfig;
+import org.openecomp.sdc.logging.api.Logger;
+import org.openecomp.sdc.logging.api.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Base64;
+import org.openecomp.sdcrests.item.rest.services.catalog.notification.EntryNotConfiguredException;
+
+public class BasicAuthenticationFilter implements Filter {
+
+  private static final Logger log = LoggerFactory.getLogger(BasicAuthenticationFilter.class);
+  private static final String CONFIG_FILE_PROPERTY = "configuration.yaml";
+  private static final String CONFIG_SECTION = "basicAuth";
+
+  @Override
+  public void destroy() {
+    // TODO Auto-generated method stub
+
+  }
+
+  @Override
+  public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
+      throws IOException, ServletException {
+      String file = Objects.requireNonNull(System.getProperty(CONFIG_FILE_PROPERTY),
+        "Config file location must be specified via system property " + CONFIG_FILE_PROPERTY);
+      Object config = getAuthenticationConfiguration(file);
+      ObjectMapper mapper = new ObjectMapper();
+      BasicAuthConfig basicAuthConfig = mapper.convertValue(config, BasicAuthConfig.class);
+      HttpServletRequest httpRequest = (HttpServletRequest) arg0;
+      HttpServletRequestWrapper servletRequest = new HttpServletRequestWrapper(httpRequest);
+
+      // BasicAuth is disabled
+      if (!basicAuthConfig.getEnabled()) {
+         arg2.doFilter(servletRequest, arg1);
+         return;
+      }
+
+      List<String> excludedUrls = Arrays.asList(basicAuthConfig.getExcludedUrls().split(","));
+      if (excludedUrls.contains(httpRequest.getServletPath() + httpRequest.getPathInfo())) {
+        // this url is included in the excludeUrls list, no need for authentication
+        arg2.doFilter(servletRequest, arg1);
+        return;
+      }
+
+
+      // Get the basicAuth info from the header
+      String authorizationHeader = httpRequest.getHeader("Authorization");
+      if (authorizationHeader == null || authorizationHeader.isEmpty()) {
+        ((HttpServletResponse) arg1).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        return;
+      }
+
+      String base64Credentials =
+          httpRequest.getHeader("Authorization").replace("Basic", "").trim();
+      if (verifyCredentials(basicAuthConfig, base64Credentials)) {
+          arg2.doFilter(servletRequest, arg1);
+      } else {
+          ((HttpServletResponse) arg1).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+      }
+  }
+
+  @Override
+  public void init(FilterConfig config) throws ServletException {
+  }
+
+  private static Object getAuthenticationConfiguration(String file) throws IOException {
+    InputStream fileInput = new FileInputStream(file);
+    YamlUtil yamlUtil = new YamlUtil();
+
+    Map<?, ?> configuration = Objects.requireNonNull(yamlUtil.yamlToMap(fileInput), "Configuration cannot be empty");
+    Object authenticationConfig = configuration.get(CONFIG_SECTION);
+    if (authenticationConfig == null) {
+      throw new EntryNotConfiguredException(CONFIG_SECTION + " section");
+    }
+    return authenticationConfig;
+  }
+
+  private boolean verifyCredentials (BasicAuthConfig basicAuthConfig, String credential) {
+    String decodedCredentials = new String(Base64.getDecoder().decode(credential));
+    int p = decodedCredentials.indexOf(':');
+    if (p != -1) {
+      String userName = decodedCredentials.substring(0, p).trim();
+      String password = decodedCredentials.substring(p + 1).trim();
+      if (!userName.equals(basicAuthConfig.getUserName()) || !password.equals(basicAuthConfig.getUserPass())) {
+        log.error("Authentication failed. Invalid user name or password");
+        return false;
+      }
+      return true;
+    } else {
+      log.error("Failed to decode credentials");
+      return false;
+    }
+  }
+}
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
index 1e41ed246c..09d2fb16b4 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
@@ -61,7 +61,10 @@
         <filter-name>RestrictionAccessFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
-
+    <filter>
+        <filter-name>BasicAuth</filter-name>
+        <filter-class>org.openecomp.server.filters.BasicAuthenticationFilter</filter-class>
+    </filter>
     <filter>
         <filter-name>AuthN</filter-name>
         <filter-class>org.openecomp.server.filters.ActionAuthenticationFilter</filter-class>
@@ -75,6 +78,10 @@
         <url-pattern>/*</url-pattern>
     </filter-mapping>
     <filter-mapping>
+        <filter-name>BasicAuth</filter-name>
+        <url-pattern>/1.0/*</url-pattern>
+    </filter-mapping>
+    <filter-mapping>
         <filter-name>AuthN</filter-name>
         <url-pattern>/workflow/v1.0/actions/*</url-pattern>
     </filter-mapping>
diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/attributes/default.rb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/attributes/default.rb
index 077b70d2c3..2018a835f2 100644
--- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/attributes/default.rb
+++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/attributes/default.rb
@@ -20,6 +20,12 @@ default['cassandra']['socket_read_timeout'] = 20000
 default['cassandra']['socket_connect_timeout'] = 20000
 default['cassandra']['janusgraph_connection_timeout'] = 10000
 
+#Basicauth
+default['basic_auth']['enabled'] = false
+default['basic_auth'][:user_name] = "userName"
+default['basic_auth'][:user_pass] = "userPass"
+default['basic_auth']['excludedUrls'] = ""
+
 #ExternalTesting
 default['EXTTEST']['ep1_config'] = "vtp,VTP,true,http://refrepo:8702/onapapi/vnfsdk-marketplace,onap.*"
 default['EXTTEST']['ep2_config'] = "repository,Repository,false,,.*"
diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb
index 80fc57efcb..d767ddd1c8 100644
--- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb
+++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb
@@ -17,6 +17,9 @@ template "onboard-be-config" do
       :cassandra_usr                   => node['cassandra'][:cassandra_user],
       :cassandra_truststore_password   => node['cassandra'][:truststore_password],
       :cassandra_ssl_enabled           => "#{ENV['cassandra_ssl_enabled']}",
+      :basic_auth_enabled              => node['basic_auth']['enabled'],
+      :basic_auth_username             => node['basic_auth'][:user_name],
+      :basic_auth_password             => node['basic_auth'][:user_pass],
       :catalog_notification_url        => node['ONBOARDING_BE']['catalog_notification_url'],
       :catalog_be_http_port            => node['BE'][:http_port],
       :catalog_be_ssl_port             => node['BE'][:https_port],
diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
index d73799fcd3..54d01a2436 100644
--- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
+++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
@@ -43,4 +43,10 @@ authCookie:
   # redirect variable name from portal.properties file
   redirectURL: "redirect_url"
   excludedUrls: ['/.*']
-  onboardingExcludedUrls: ['/.*']
\ No newline at end of file
+  onboardingExcludedUrls: ['/.*']
+
+basicAuth:
+  enabled: <%= @basic_auth_enabled %>
+  userName: <%= @basic_auth_username %>
+  userPass: <%= @basic_auth_password %>
+  excludedUrls: ""
\ No newline at end of file