From 27fa75194efcf77c93b645ef7b412668ac3f5d38 Mon Sep 17 00:00:00 2001 From: xuegao Date: Wed, 9 Dec 2020 16:01:22 +0100 Subject: Add basic auth Adding basic auth for SDC apis. Issue-ID: OJSI-90 Signed-off-by: xuegao Change-Id: Ie84e6bab8d8526f7f4d21a36bba52d8fe9abebbb Signed-off-by: xuegao --- .../cookbooks/sdc-catalog-be/attributes/default.rb | 6 +++ .../recipes/BE_2_setup_configuration.rb | 3 ++ .../templates/default/BE-configuration.yaml.erb | 6 ++- .../sdc/be/filters/BasicAuthenticationFilter.java | 45 ++++++++++++---------- .../src/main/resources/config/configuration.yaml | 6 +++ catalog-be/src/main/webapp/WEB-INF/web.xml | 18 +++++++++ 6 files changed, 63 insertions(+), 21 deletions(-) (limited to 'catalog-be') diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb index d8c737728d..40411f2041 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb @@ -24,6 +24,12 @@ default['DCAE']['BE'][:http_port] = 8082 default['DCAE']['BE'][:https_port] = 8444 default['DCAE_BE_VIP'] = "dcae-be" +#BasicAuth +default['basic_auth']['enabled'] = false +default['basic_auth'][:user_name] = "testName" +default['basic_auth'][:user_pass] = "testPass" +default['basic_auth']['excludedUrls'] = "/sdc2/rest/healthCheck,/sdc2/rest/v1/user,/sdc2/rest/v1/user/jh0003,/sdc2/rest/v1/screen,/sdc2/rest/v1/consumers,/sdc2/rest/v1/catalog/uploadType/datatypes,/sdc2/rest/v1/catalog/upload/multipart" + #Cassandra default['cassandra']['cassandra_port'] = 9042 default['cassandra']['datacenter_name'] = "DC-" 
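Review bot: `default['basic_auth']['excludedUrls']` is set here, but nothing visible in this commit reads it: the recipe hunk passes only `basic_auth_flag`, `user_name` and `user_pass`, and `BE-configuration.yaml.erb` hard-codes its own, longer exclusion list. Either render this attribute in the template or drop it, so the list of unauthenticated paths has a single source. The placeholder credentials `testName`/`testPass` (repeated in `configuration.yaml`) also become a publicly known login if an operator sets `enabled` to true without overriding them. I would ship no usable default and add a comment such as `# must be overridden per environment before enabling basic_auth`.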
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb index 2e66e2da98..cdb9f82729 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb @@ -46,6 +46,9 @@ template "catalog-be-config" do :catalog_ip => node['Nodes']['BE'], :catalog_port => node['BE'][:http_port], :ssl_port => node['BE'][:https_port], + :basic_auth_flag => node['basic_auth']['enabled'], + :user_name => node['basic_auth'][:user_name], + :user_pass => node['basic_auth'][:user_pass], :cassandra_ip => node['Nodes']['CS'].join(",").gsub(/[|]/, ''), :cassandra_port => node['cassandra']['cassandra_port'], :rep_factor => replication_factor, diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb index 8e62c4fbf6..1e1888e95b 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/BE-configuration.yaml.erb 
@@ -95,7 +95,11 @@ authCookie: excludedUrls: [<%= node['access_restriction']['excluded_urls'] %>] onboardingExcludedUrls: [<%= node['access_restriction']['excluded_urls_onboarding'] %>] - +basicAuth: + enabled: <%= @basic_auth_flag %> + userName: <%= @user_name %> + userPass: <%= @user_pass %> + excludedUrls: "/sdc2/rest/healthCheck,/sdc2/rest/v1/user,/sdc2/rest/v1/user/jh0003,/sdc2/rest/v1/screen,/sdc2/rest/v1/consumers,/sdc2/rest/v1/catalog/uploadType/datatypes,/sdc2/rest/v1/catalog/upload/multipart,/sdc2/rest/v1/catalog/uploadType/capability,/sdc2/rest/v1/catalog/uploadType/relationship,/sdc2/rest/v1/catalog/uploadType/interfaceLifecycle,/sdc2/rest/v1/catalog/uploadType/categories,/sdc2/rest/v1/catalog/uploadType/grouptypes,/sdc2/rest/v1/catalog/uploadType/policytypes,/sdc2/rest/v1/catalog/uploadType/annotationtypes" cassandraConfig: cassandraHosts: [<%= @cassandra_ip %>] diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BasicAuthenticationFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BasicAuthenticationFilter.java index 8c81464ac5..cc4a11f6d9 100644 --- a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BasicAuthenticationFilter.java +++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BasicAuthenticationFilter.java @@ -24,9 +24,14 @@ import com.google.gson.Gson; import com.google.gson.GsonBuilder; import fj.data.Either; import java.nio.charset.StandardCharsets; +import java.util.Arrays; +import java.util.List; import org.apache.commons.codec.binary.Base64; +import org.glassfish.jersey.server.ContainerRequest; import org.onap.sdc.security.Passwords; import org.openecomp.sdc.be.components.impl.ConsumerBusinessLogic; +import org.openecomp.sdc.be.config.Configuration; +import org.openecomp.sdc.be.config.ConfigurationManager; import org.openecomp.sdc.be.dao.api.ActionStatus; import org.openecomp.sdc.be.impl.ComponentsUtils; import org.openecomp.sdc.be.impl.WebAppContextWrapper; 
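Review bot: `userName` and `userPass` are rendered unquoted in the `basicAuth` block, so a value containing `:`, `#` or a leading YAML indicator character would be parsed differently from what was configured, or break the file. `configuration.yaml` in this same commit quotes both keys. I would quote them here too, e.g. `userPass: "<%= @user_pass %>"`, noting that a value containing a double quote would still need escaping. The rendered file now holds the shared API password in clear text, so its permissions should be limited to the service account. The entry `/sdc2/rest/v1/user/jh0003` exempts one specific user id from authentication and deserves a comment explaining why.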
@@ -59,6 +64,8 @@ public class BasicAuthenticationFilter implements ContainerRequestFilter { private static final Logger log = Logger.getLogger(BasicAuthenticationFilter.class); private static final String COMPONENT_UTILS_FAILED = "Authentication Filter Failed to get component utils."; private static final String CONSUMER_BL_FAILED = "Authentication Filter Failed to get consumerBL."; + private static final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager(); + private static final Configuration.BasicAuthConfig basicAuthConf = configurationManager.getConfiguration().getBasicAuth(); @Context private HttpServletRequest sr; @@ -70,8 +77,15 @@ public class BasicAuthenticationFilter implements ContainerRequestFilter { @Override public void filter(ContainerRequestContext requestContext) throws IOException { + audit.startLog(requestContext); - audit.startLog(requestContext); + if (!basicAuthConf.getEnabled()) { + return; + } + List excludedUrls = Arrays.asList(basicAuthConf.getExcludedUrls().split(",")); + if (excludedUrls.contains(((ContainerRequest) requestContext).getRequestUri().getPath())) { + return; + } String authHeader = requestContext.getHeaderString(Constants.AUTHORIZATION_HEADER); if (authHeader != null) { 
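Review bot: `basicAuthConf` is captured once in a static initializer with no null handling. If the loaded configuration has no `basicAuth` section, `getBasicAuth()` presumably returns null and `filter` would then throw a NullPointerException on every request (to be confirmed against `Configuration`). I would decide the missing-section behaviour explicitly and document it on the field, e.g. `// null when basicAuth is absent from configuration.yaml; filter treats that as <disabled|reject>`. Because the value is read at class-load time, a later configuration reload is also not picked up by this filter.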
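Review bot: The exclusion check in `filter` casts `requestContext` to Jersey's `ContainerRequest`, which throws ClassCastException for any other implementation. The interface already exposes the same value as `requestContext.getUriInfo().getRequestUri().getPath()`. `basicAuthConf.getExcludedUrls().split(",")` is re-run on every request and fails with a NullPointerException if the key is missing. Entries are not trimmed, so a path written with a space after the comma never matches; parsing the list once into a trimmed `Set` would fix both. Every listed path skips authentication entirely, so the list should be kept as short as possible and each entry justified. The body of `filter` continues outside this hunk.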
@@ -79,24 +93,23 @@ public class BasicAuthenticationFilter implements ContainerRequestFilter { String failedToRetrieveAuthErrorMsg = "Authentication Filter Failed Couldn't retrieve authentication, no basic authentication."; if (st.hasMoreTokens()) { String basic = st.nextToken(); - if ("Basic".equalsIgnoreCase(basic)) { String credentials = new String(Base64.decodeBase64(st.nextToken()), StandardCharsets.UTF_8); log.debug("Credentials: {}", credentials); checkUserCredentials(requestContext, credentials); } else { - log.error(failedToRetrieveAuthErrorMsg); + log.error(failedToRetrieveAuthErrorMsg); authInvalidHeaderError(requestContext); } } else { - log.error(failedToRetrieveAuthErrorMsg); + log.error(failedToRetrieveAuthErrorMsg); authInvalidHeaderError(requestContext); } - } else { - log.error("Authentication Filter Failed no authorization header"); + log.error("Authentication Filter Failed no authorization header"); authRequiredError(requestContext); } + } private void checkUserCredentials(ContainerRequestContext requestContext, String credentials) { 
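Review bot: `log.debug("Credentials: {}", credentials);` writes the decoded `user:password` pair to the log. With this commit that value is the single shared credential for the SDC APIs rather than one consumer's, so I would drop the line or log only the user name once it has been split off. In the same branch `st.nextToken()` is called without a second `hasMoreTokens()` check, so a header consisting only of `Basic` throws NoSuchElementException instead of reaching `authInvalidHeaderError(requestContext)`. Both lines are unchanged context in this hunk, and the enclosing `filter` method starts above it.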
@@ -105,17 +118,14 @@ public class BasicAuthenticationFilter implements ContainerRequestFilter { String userName = credentials.substring(0, p).trim(); String password = credentials.substring(p + 1).trim(); - ConsumerBusinessLogic consumerBL = getConsumerBusinessLogic(); - if (consumerBL == null) { - abortWith(requestContext, CONSUMER_BL_FAILED, Response.serverError().status(Status.INTERNAL_SERVER_ERROR).build()); - } else { - Either result = consumerBL.getConsumer(userName); - validatePassword(requestContext, userName, password, result); + if (!userName.equals(basicAuthConf.getUserName()) || !password.equals(basicAuthConf.getUserPass())) { + log.error("Authentication Failed. Invalid userName or password"); + authInvalidPasswordError(requestContext, userName); } + authSuccessful(requestContext, userName); } else { - log.error("Authentication Filter Failed Couldn't retrieve authentication, no basic authentication."); + log.error("Authentication Filter Failed Couldn't retrieve authentication, no basic authentication."); authInvalidHeaderError(requestContext); - } } @@ -130,12 +140,7 @@ public class BasicAuthenticationFilter implements ContainerRequestFilter { } } else { ConsumerDefinition consumerCredentials = result.left().value(); - if (!Passwords.isExpectedPassword(password, consumerCredentials.getConsumerSalt(), consumerCredentials.getConsumerPassword())) { - log.error("Authentication Filter Failed invalid password"); - authInvalidPasswordError(requestContext, userName); - } else { - authSuccessful(requestContext, userName); - } + } } diff --git a/catalog-be/src/main/resources/config/configuration.yaml b/catalog-be/src/main/resources/config/configuration.yaml index 298862e79f..4042b0192b 100644 --- a/catalog-be/src/main/resources/config/configuration.yaml +++ b/catalog-be/src/main/resources/config/configuration.yaml 
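Review bot: In `checkUserCredentials` the failure branch does not return, so `authSuccessful(requestContext, userName);` runs after `authInvalidPasswordError(requestContext, userName);` even when the credentials are wrong. At minimum a rejected login is then also recorded as successful, and the full effect depends on `authSuccessful`, which is not visible here. Add `return;` after the error call or move the success call into an `else`. The check also replaces the salted verification (`Passwords.isExpectedPassword`) with a plain `String.equals` against a clear-text password from configuration. I would store a salt and hash in the config and keep using `Passwords.isExpectedPassword(password, salt, hash)`, or at least compare the bytes with `MessageDigest.isEqual(...)` so the comparison is constant-time.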
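Review bot: After this change `validatePassword` keeps an `else` branch that only assigns `consumerCredentials` and does nothing with it, and none of the visible hunks call the method any more. If it is unused, delete it along with the `Passwords` and `ConsumerBusinessLogic` imports and `CONSUMER_BL_FAILED`, assuming they have no other users. A half-emptied password check left in an authentication filter is easy to wire back in on the belief that it still validates something. The method starts above this hunk, so confirm there are no remaining callers first.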
@@ -114,6 +114,12 @@ neo4j: user: neo4j password: "12345" +basicAuth: + enabled: false + userName: "testName" + userPass: "testPass" + excludedUrls: "" + cassandraConfig: cassandraHosts: [192.168.33.10] cassandraPort: 9042 diff --git a/catalog-be/src/main/webapp/WEB-INF/web.xml b/catalog-be/src/main/webapp/WEB-INF/web.xml index 23a08319ff..ca71eee221 100644 --- a/catalog-be/src/main/webapp/WEB-INF/web.xml +++ b/catalog-be/src/main/webapp/WEB-INF/web.xml @@ -17,6 +17,7 @@ jersey.config.server.provider.classnames org.glassfish.jersey.media.multipart.MultiPartFeature, + org.openecomp.sdc.be.filters.BasicAuthenticationFilter, org.openecomp.sdc.be.filters.BeServletFilter, org.openecomp.sdc.be.filters.ComponentsAvailabilityFilter, org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature, @@ -173,6 +174,23 @@ /sdc/* + + -- cgit 1.2.3-korg