diff options
author | xuegao <xue.gao@intl.att.com> | 2020-12-09 16:01:22 +0100 |
---|---|---|
committer | Christophe Closset <christophe.closset@intl.att.com> | 2021-01-19 13:51:47 +0000 |
commit | 27fa75194efcf77c93b645ef7b412668ac3f5d38 (patch) | |
tree | 123dbbf734355299ed0643a77781a0542df03888 /openecomp-be | |
parent | 5b9a4251a7bce56895ca80b867ee7537e7382320 (diff) |
Add basic auth
Adding basic auth for SDC apis.
Issue-ID: OJSI-90
Signed-off-by: xuegao <xue.gao@intl.att.com>
Change-Id: Ie84e6bab8d8526f7f4d21a36bba52d8fe9abebbb
Signed-off-by: xuegao <xue.gao@intl.att.com>
Diffstat (limited to 'openecomp-be')
5 files changed, 157 insertions, 2 deletions
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/java/org/openecomp/server/filters/BasicAuthenticationFilter.java b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/java/org/openecomp/server/filters/BasicAuthenticationFilter.java new file mode 100644 index 0000000000..c1eef1cd95 --- /dev/null +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/java/org/openecomp/server/filters/BasicAuthenticationFilter.java @@ -0,0 +1,133 @@ +/*- + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2021 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.server.filters; + +import com.fasterxml.jackson.databind.ObjectMapper; +import java.io.FileInputStream; +import java.io.InputStream; +import java.util.Arrays; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import org.onap.sdc.tosca.services.YamlUtil; +import org.openecomp.sdc.be.config.Configuration.BasicAuthConfig; +import org.openecomp.sdc.logging.api.Logger; +import org.openecomp.sdc.logging.api.LoggerFactory; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.util.Base64; +import org.openecomp.sdcrests.item.rest.services.catalog.notification.EntryNotConfiguredException; + +public class BasicAuthenticationFilter implements Filter { + + private static final Logger log = LoggerFactory.getLogger(BasicAuthenticationFilter.class); + private static final String CONFIG_FILE_PROPERTY = "configuration.yaml"; + private static final String CONFIG_SECTION = "basicAuth"; + + @Override + public void destroy() { + // TODO Auto-generated method stub + + } + + @Override + public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2) + throws IOException, ServletException { + String file = Objects.requireNonNull(System.getProperty(CONFIG_FILE_PROPERTY), + "Config file location must be specified via system property " + CONFIG_FILE_PROPERTY); + Object config = getAuthenticationConfiguration(file); + ObjectMapper mapper = new ObjectMapper(); + BasicAuthConfig basicAuthConfig = mapper.convertValue(config, BasicAuthConfig.class); + HttpServletRequest httpRequest = (HttpServletRequest) arg0; + HttpServletRequestWrapper servletRequest = new HttpServletRequestWrapper(httpRequest); + + // BasicAuth is disabled + if (!basicAuthConfig.getEnabled()) { + arg2.doFilter(servletRequest, arg1); + return; + } + + List<String> excludedUrls = Arrays.asList(basicAuthConfig.getExcludedUrls().split(",")); + if (excludedUrls.contains(httpRequest.getServletPath() + httpRequest.getPathInfo())) { + // this url is included in the excludeUrls list, no need for authentication + arg2.doFilter(servletRequest, arg1); + return; + } + + + // Get the basicAuth info from the header + String authorizationHeader = httpRequest.getHeader("Authorization"); + if (authorizationHeader == null || authorizationHeader.isEmpty()) { + ((HttpServletResponse) arg1).setStatus(HttpServletResponse.SC_UNAUTHORIZED); + return; + } + + String base64Credentials = + httpRequest.getHeader("Authorization").replace("Basic", "").trim(); + if (verifyCredentials(basicAuthConfig, base64Credentials)) { + arg2.doFilter(servletRequest, arg1); + } else { + ((HttpServletResponse) arg1).setStatus(HttpServletResponse.SC_UNAUTHORIZED); + } + } + + @Override + public void init(FilterConfig config) throws ServletException { + } + + private static Object getAuthenticationConfiguration(String file) throws IOException { + InputStream fileInput = new FileInputStream(file); + YamlUtil yamlUtil = new YamlUtil(); + + Map<?, ?> configuration = Objects.requireNonNull(yamlUtil.yamlToMap(fileInput), "Configuration cannot be empty"); + Object authenticationConfig = configuration.get(CONFIG_SECTION); + if (authenticationConfig == null) { + throw new EntryNotConfiguredException(CONFIG_SECTION + " section"); + } + return authenticationConfig; + } + + private boolean verifyCredentials (BasicAuthConfig basicAuthConfig, String credential) { + String decodedCredentials = new String(Base64.getDecoder().decode(credential)); + int p = decodedCredentials.indexOf(':'); + if (p != -1) { + String userName = decodedCredentials.substring(0, p).trim(); + String password = decodedCredentials.substring(p + 1).trim(); + if (!userName.equals(basicAuthConfig.getUserName()) || !password.equals(basicAuthConfig.getUserPass())) { + log.error("Authentication failed. Invalid user name or password"); + return false; + } + return true; + } else { + log.error("Failed to decode credentials"); + return false; + } + } +} diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml index 1e41ed246c..09d2fb16b4 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml @@ -61,7 +61,10 @@ <filter-name>RestrictionAccessFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> - + <filter> + <filter-name>BasicAuth</filter-name> + <filter-class>org.openecomp.server.filters.BasicAuthenticationFilter</filter-class> + </filter> <filter> <filter-name>AuthN</filter-name> <filter-class>org.openecomp.server.filters.ActionAuthenticationFilter</filter-class> @@ -75,6 +78,10 @@ <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> + <filter-name>BasicAuth</filter-name> + <url-pattern>/1.0/*</url-pattern> + </filter-mapping> + <filter-mapping> <filter-name>AuthN</filter-name> <url-pattern>/workflow/v1.0/actions/*</url-pattern> </filter-mapping> diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/attributes/default.rb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/attributes/default.rb index 077b70d2c3..2018a835f2 100644 --- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/attributes/default.rb +++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/attributes/default.rb @@ -20,6 +20,12 @@ default['cassandra']['socket_read_timeout'] = 20000 default['cassandra']['socket_connect_timeout'] = 20000 default['cassandra']['janusgraph_connection_timeout'] = 10000 +#Basicauth +default['basic_auth']['enabled'] = false +default['basic_auth'][:user_name] = "userName" +default['basic_auth'][:user_pass] = "userPass" +default['basic_auth']['excludedUrls'] = "" + #ExternalTesting default['EXTTEST']['ep1_config'] = "vtp,VTP,true,http://refrepo:8702/onapapi/vnfsdk-marketplace,onap.*" default['EXTTEST']['ep2_config'] = "repository,Repository,false,,.*" diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb index 80fc57efcb..d767ddd1c8 100644 --- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb +++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/recipes/ON_5_setup_configuration.rb @@ -17,6 +17,9 @@ template "onboard-be-config" do :cassandra_usr => node['cassandra'][:cassandra_user], :cassandra_truststore_password => node['cassandra'][:truststore_password], :cassandra_ssl_enabled => "#{ENV['cassandra_ssl_enabled']}", + :basic_auth_enabled => node['basic_auth']['enabled'], + :basic_auth_username => node['basic_auth'][:user_name], + :basic_auth_password => node['basic_auth'][:user_pass], :catalog_notification_url => node['ONBOARDING_BE']['catalog_notification_url'], :catalog_be_http_port => node['BE'][:http_port], :catalog_be_ssl_port => node['BE'][:https_port], diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb index d73799fcd3..54d01a2436 100644 --- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb +++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb @@ -43,4 +43,10 @@ authCookie: # redirect variable name from portal.properties file redirectURL: "redirect_url" excludedUrls: ['/.*'] - onboardingExcludedUrls: ['/.*']
\ No newline at end of file + onboardingExcludedUrls: ['/.*'] + +basicAuth: + enabled: <%= @basic_auth_enabled %> + userName: <%= @basic_auth_username %> + userPass: <%= @basic_auth_password %> + excludedUrls: ""
\ No newline at end of file |