From e95a7b89aaac965e89d96eba59968a351cb77f40 Mon Sep 17 00:00:00 2001
From: Einat Vinouze
Date: Mon, 27 Jan 2020 15:49:13 +0200
Subject: Introduce WithPermissionProperties as validation-points for RoleValidator
Issue-ID: VID-758
Change-Id: Id8f1f6faeb10a92cf20ca9a17879bc7e745526b0
Signed-off-by: Einat Vinouze
Signed-off-by: Ittay Stern
---
 .../org/onap/vid/controller/AaiController2.java | 3 +-
 .../controller/AsyncInstantiationController.java | 9 ++++-
 .../vid/model/ServiceInstanceSearchResult.java | 47 +++++++++++++---------
 .../onap/vid/roles/AlwaysValidRoleValidator.java | 2 +-
 .../org/onap/vid/roles/PermissionProperties.kt | 17 ++++++++
 .../java/org/onap/vid/roles/RoleValidator.java | 2 +-
 .../vid/roles/RoleValidatorByOwningEntity.java | 2 +-
 .../RoleValidatorBySubscriberAndServiceType.java | 19 +-------
 .../java/org/onap/vid/services/AaiServiceImpl.java | 35 +++++++++-------
 9 files changed, 79 insertions(+), 57 deletions(-)
 create mode 100644 vid-app-common/src/main/java/org/onap/vid/roles/PermissionProperties.kt
(limited to 'vid-app-common/src/main/java')
diff --git a/vid-app-common/src/main/java/org/onap/vid/controller/AaiController2.java b/vid-app-common/src/main/java/org/onap/vid/controller/AaiController2.java
index 6431282e7..dcbd9b9e4 100644
--- a/vid-app-common/src/main/java/org/onap/vid/controller/AaiController2.java
+++ b/vid-app-common/src/main/java/org/onap/vid/controller/AaiController2.java
@@ -33,6 +33,7 @@ import org.onap.vid.model.aaiTree.Network;
 import org.onap.vid.model.aaiTree.RelatedVnf;
 import org.onap.vid.model.aaiTree.VpnBinding;
 import org.onap.vid.properties.Features;
+import org.onap.vid.roles.PermissionProperties;
 import org.onap.vid.roles.RoleProvider;
 import org.onap.vid.services.AaiService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -94,7 +95,7 @@ public class AaiController2 extends VidRestrictedBaseController {
 final boolean isEditPermitted = roleProvider
 .getUserRolesValidator(request)
- .isServicePermitted(subscriberId, serviceType);
+ .isServicePermitted(new PermissionProperties(subscriberId, serviceType));
 return new Permissions(isEditPermitted);
 }
diff --git a/vid-app-common/src/main/java/org/onap/vid/controller/AsyncInstantiationController.java b/vid-app-common/src/main/java/org/onap/vid/controller/AsyncInstantiationController.java
index 6c8a37262..4b03ea4d9 100644
--- a/vid-app-common/src/main/java/org/onap/vid/controller/AsyncInstantiationController.java
+++ b/vid-app-common/src/main/java/org/onap/vid/controller/AsyncInstantiationController.java
@@ -33,7 +33,9 @@ import org.onap.vid.model.ServiceInfo;
 import org.onap.vid.model.serviceInstantiation.ServiceInstantiation;
 import org.onap.vid.mso.MsoResponseWrapper2;
 import org.onap.vid.properties.Features;
+import org.onap.vid.roles.PermissionProperties;
 import org.onap.vid.roles.RoleProvider;
+import org.onap.vid.roles.RoleValidator;
 import org.onap.vid.services.AsyncInstantiationBusinessLogic;
 import org.onap.vid.services.AuditService;
 import org.onap.vid.utils.SystemPropertiesWrapper;
@@ -165,8 +167,11 @@ public class AsyncInstantiationController extends VidRestrictedBaseController {
 }
 private void throwExceptionIfAccessDenied(ServiceInstantiation request, HttpServletRequest httpServletRequest, String userId) {
- if (featureManager.isActive(Features.FLAG_1906_INSTANTIATION_API_USER_VALIDATION) && !roleProvider.getUserRolesValidator(httpServletRequest).isServicePermitted(request.getGlobalSubscriberId(), request.getSubscriptionServiceType())) {
- throw new AccessDeniedException(String.format("User %s is not allowed to make this request", userId));
+ if (featureManager.isActive(Features.FLAG_1906_INSTANTIATION_API_USER_VALIDATION)) {
+ RoleValidator roleValidator = roleProvider.getUserRolesValidator(httpServletRequest);
+ if (!roleValidator.isServicePermitted(new PermissionProperties(request.getGlobalSubscriberId(), request.getSubscriptionServiceType()))) {
+ throw new AccessDeniedException(String.format("User %s is not allowed to make this request", userId));
+ }
 }
 }
 }
diff --git a/vid-app-common/src/main/java/org/onap/vid/model/ServiceInstanceSearchResult.java b/vid-app-common/src/main/java/org/onap/vid/model/ServiceInstanceSearchResult.java
index 259405c4e..01cc11d95 100644
--- a/vid-app-common/src/main/java/org/onap/vid/model/ServiceInstanceSearchResult.java
+++ b/vid-app-common/src/main/java/org/onap/vid/model/ServiceInstanceSearchResult.java
@@ -20,11 +20,17 @@ package org.onap.vid.model;
-public class ServiceInstanceSearchResult {
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.apache.commons.lang3.StringUtils;
+import org.onap.vid.roles.WithPermissionProperties;
+
+public class ServiceInstanceSearchResult implements WithPermissionProperties {
+
+ private final String SUBSCRIBER_ID_FRONTEND_ALIAS = "globalCustomerId";
 private String serviceInstanceId;
- private String globalCustomerId;
+ private String subscriberId;
 private String serviceType;
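Review bot: `new PermissionProperties(request.getGlobalSubscriberId(), request.getSubscriptionServiceType())` feeds caller-supplied, possibly absent request fields into a Kotlin data class whose primary constructor declares both parameters as non-null `String`, so an instantiation request missing either field now fails with Kotlin's generated parameter null check before the validator runs, whereas the old two-argument call let the null reach `role.getSubscribeName().equals(null)` and was simply denied. Because this is the authorization gate on an untrusted request body, a fail-closed denial is preferable to an unchecked exception escaping the access check, e.g. `if (request.getGlobalSubscriberId() == null || request.getSubscriptionServiceType() == null) { throw new AccessDeniedException(String.format("User %s is not allowed to make this request", userId)); }` placed before the construction (or declare the data-class parameters nullable to match the interface). The same constructor is also fed `serviceSubscription.serviceType`, a Java platform-typed field that may be null, in AaiServiceImpl.getSubscriberData and getSearchResultsForSubscriptions. throwExceptionIfAccessDenied lies entirely within this hunk.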
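Review bot: `SUBSCRIBER_ID_FRONTEND_ALIAS` is declared as an instance field (`private final String`) although it is only ever used as a compile-time constant in the `@JsonProperty` annotation; it should be `private static final String SUBSCRIBER_ID_FRONTEND_ALIAS = "globalCustomerId";` so it is not carried by every search result object and reads as the constant it is. A one-line comment stating why the JSON name differs from the Java property would also help future readers, e.g. `// JSON keeps the frontend's "globalCustomerId" while the Java side uses the WithPermissionProperties name`. The rest of the class is in the following hunks.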
@@ -39,13 +45,13 @@ public class ServiceInstanceSearchResult {
 private boolean isPermitted;
 public ServiceInstanceSearchResult(){
-
 }
- public ServiceInstanceSearchResult(String serviceInstanceId, String globalCustomerId, String serviceType,
+
+ public ServiceInstanceSearchResult(String serviceInstanceId, String subscriberId, String serviceType,
 String serviceInstanceName, String subscriberName, String aaiModelInvariantId, String aaiModelVersionId, boolean isPermitted) {
 this.serviceInstanceId = serviceInstanceId;
- this.globalCustomerId = globalCustomerId;
+ this.subscriberId = subscriberId;
 this.serviceType = serviceType;
 this.serviceInstanceName = serviceInstanceName;
 this.subscriberName = subscriberName;
@@ -62,14 +68,17 @@ public class ServiceInstanceSearchResult {
 this.serviceInstanceId = serviceInstanceId;
 }
- public String getGlobalCustomerId() {
- return globalCustomerId;
+ @Override
+ @JsonProperty(SUBSCRIBER_ID_FRONTEND_ALIAS)
+ public String getSubscriberId() {
+ return subscriberId;
 }
- public void setGlobalCustomerId(String globalCustomerId) {
- this.globalCustomerId = globalCustomerId;
+ public void setSubscriberId(String subscriberId) {
+ this.subscriberId = subscriberId;
 }
+ @Override
 public String getServiceType() {
 return serviceType;
 }
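Review bot: `getSubscriberId()` carries the only `@JsonProperty` for the renamed property while `setSubscriberId` has none, so whether a `globalCustomerId` key still deserializes into `subscriberId` depends on Jackson linking the explicit name across the getter/setter pair of the same logical property; that is Jackson's usual behaviour, but the class has a no-arg constructor and setters that suggest it is read back somewhere, so a round-trip test is worth adding rather than assuming it. A Javadoc on the getter would make the dual naming explicit: `/** Subscriber (global customer) id; serialized as "globalCustomerId" to keep the frontend contract. */`.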
@@ -119,21 +128,21 @@ public class ServiceInstanceSearchResult {
 }
 @Override
- public boolean equals(Object other){
- if (other instanceof ServiceInstanceSearchResult) {
- ServiceInstanceSearchResult serviceInstanceSearchResultOther = (ServiceInstanceSearchResult) other;
- if (this.getServiceInstanceId().equals(serviceInstanceSearchResultOther.getServiceInstanceId())) {
- return true;
- }
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
 }
- return false;
+ ServiceInstanceSearchResult that = (ServiceInstanceSearchResult) o;
+
+ return StringUtils.equals(serviceInstanceId, that.serviceInstanceId);
 }
 @Override
 public int hashCode() {
- int result = 17;
- result = 31 * result + serviceInstanceId.hashCode();
- return result;
+ return serviceInstanceId != null ? serviceInstanceId.hashCode() : 0;
 }
 }
diff --git a/vid-app-common/src/main/java/org/onap/vid/roles/AlwaysValidRoleValidator.java b/vid-app-common/src/main/java/org/onap/vid/roles/AlwaysValidRoleValidator.java
index 4e5340fc2..e12f5403f 100644
--- a/vid-app-common/src/main/java/org/onap/vid/roles/AlwaysValidRoleValidator.java
+++ b/vid-app-common/src/main/java/org/onap/vid/roles/AlwaysValidRoleValidator.java
@@ -32,7 +32,7 @@ public class AlwaysValidRoleValidator implements RoleValidator {
 }
 @Override
- public boolean isServicePermitted(String subscriberName, String serviceType) {
+ public boolean isServicePermitted(WithPermissionProperties permissionProperties) {
 return true;
 }
diff --git a/vid-app-common/src/main/java/org/onap/vid/roles/PermissionProperties.kt b/vid-app-common/src/main/java/org/onap/vid/roles/PermissionProperties.kt
new file mode 100644
index 000000000..f62b98aef
--- /dev/null
+++ b/vid-app-common/src/main/java/org/onap/vid/roles/PermissionProperties.kt
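Review bot: the rewritten `equals`/`hashCode` pair pulls in `org.apache.commons.lang3.StringUtils` solely for a null-safe comparison the JDK already provides; `return Objects.equals(serviceInstanceId, that.serviceInstanceId);` and `return Objects.hashCode(serviceInstanceId);` (with `import java.util.Objects;`) keep exactly the same semantics, including two null ids comparing equal with hash 0, without the extra dependency. The new `getClass()` test also stops subclass instances from comparing equal, where the old `instanceof` check allowed it; that is fine as long as nothing extends this class, but it is a behavioural change worth a line in the commit message. A short Javadoc stating that identity is the service instance id alone would make the contract explicit.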
@@ -0,0 +1,17 @@
+package org.onap.vid.roles
+
+import org.onap.vid.aai.ServiceSubscription
+
+
+interface WithPermissionProperties {
+ val subscriberId: String?
+ val serviceType: String?
+}
+
+data class PermissionProperties(
+ override val subscriberId: String,
+ override val serviceType: String
+) : WithPermissionProperties {
+ constructor(serviceSubscription: ServiceSubscription, subscriberId: String) : this(subscriberId, serviceSubscription.serviceType)
+}
+
diff --git a/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidator.java b/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidator.java
index f0ee26b0b..4ad168c4f 100644
--- a/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidator.java
+++ b/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidator.java
@@ -40,7 +40,7 @@ public interface RoleValidator {
 boolean isSubscriberPermitted(String subscriberName);
- boolean isServicePermitted(String subscriberName, String serviceType);
+ boolean isServicePermitted(WithPermissionProperties serviceInstanceSearchResult);
 boolean isTenantPermitted(String globalCustomerId, String serviceType, String tenantName);
 }
diff --git a/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidatorByOwningEntity.java b/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidatorByOwningEntity.java
index e615c1302..726567cc6 100644
--- a/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidatorByOwningEntity.java
+++ b/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidatorByOwningEntity.java
@@ -33,7 +33,7 @@ public class RoleValidatorByOwningEntity implements RoleValidator{
 }
 @Override
- public boolean isServicePermitted(String subscriberName, String serviceType) {
+ public boolean isServicePermitted(WithPermissionProperties permissionProperties) {
 return false;
 }
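Review bot: `WithPermissionProperties` declares `subscriberId` and `serviceType` as `String?` while `PermissionProperties` requires non-null `String` for both, so the Java implementor (`ServiceInstanceSearchResult`) can hand a validator a null that the data class can never carry, and the file nowhere states what a validator must do with a null — the deny-on-null behaviour that `RoleValidatorBySubscriberAndServiceType` currently relies on is implicit. Add KDoc to the interface, e.g. `/** Attributes a RoleValidator decides on; a null value must never be treated as a match. */`, and either make the data-class parameters `String?` to match or document that callers must pass non-null values, since the Java call sites pass request fields and `serviceSubscription.serviceType`, which can be null. The secondary constructor takes `(serviceSubscription, subscriberId)` while the primary takes `(subscriberId, serviceType)`; keeping `subscriberId` first in both avoids argument-order confusion for Java callers. The double blank line after the import is a minor style nit.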
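Review bot: the new parameter name in `isServicePermitted(WithPermissionProperties serviceInstanceSearchResult)` names one particular implementor instead of the abstraction, and every implementation in this commit calls it `permissionProperties`; rename it to `boolean isServicePermitted(WithPermissionProperties permissionProperties);`. The interface also lacks a Javadoc saying what the method decides and that a null subscriber id or service type must not be permitted, which is what RoleValidatorBySubscriberAndServiceType relies on; add `/** Whether the user may act on the given subscriber / service-type pair; null properties never match. */`. The sibling declarations are only partly inside the hunk.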
diff --git a/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidatorBySubscriberAndServiceType.java b/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidatorBySubscriberAndServiceType.java
index 244610c89..95d8a1627 100644
--- a/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidatorBySubscriberAndServiceType.java
+++ b/vid-app-common/src/main/java/org/onap/vid/roles/RoleValidatorBySubscriberAndServiceType.java
@@ -21,8 +21,6 @@ package org.onap.vid.roles;
 import java.util.List;
-import java.util.Map;
-import org.onap.vid.mso.rest.RequestDetails;
 public class RoleValidatorBySubscriberAndServiceType implements RoleValidator {
@@ -43,9 +41,9 @@ public class RoleValidatorBySubscriberAndServiceType implements RoleValidator {
 }
 @Override
- public boolean isServicePermitted(String subscriberName, String serviceType) {
+ public boolean isServicePermitted(WithPermissionProperties permissionProperties) {
 for (Role role : userRoles) {
- if (role.getSubscribeName().equals(subscriberName) && role.getServiceType().equals(serviceType)) {
+ if (role.getSubscribeName().equals(permissionProperties.getSubscriberId()) && role.getServiceType().equals(permissionProperties.getServiceType())) {
 return true;
 }
 }
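Review bot: `role.getSubscribeName().equals(permissionProperties.getSubscriberId())` denies a missing id only by virtue of argument order: `getSubscriberId()` is declared nullable in `WithPermissionProperties`, and `String.equals(null)` is false, so a null id or service type never matches a role. That property is easy to lose in a later "null-safe" cleanup, because `Objects.equals(a, b)` or `StringUtils.equals(a, b)` would let a null id match a role whose `subscribeName` is itself null, turning a missing attribute into a grant. A comment on the condition should pin the intent: `// order matters: a null subscriberId/serviceType must never match a role (fail closed)`. `role.getSubscribeName()` is dereferenced without a null check, which predates this change; the method's tail is outside the hunk.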
@@ -64,17 +62,4 @@ public class RoleValidatorBySubscriberAndServiceType implements RoleValidator {
 return false;
 }
- boolean isMsoRequestValid(RequestDetails msoRequest) {
- try {
- String globalSubscriberIdRequested = (String) ((Map) ((Map) msoRequest.getAdditionalProperties()
- .get("requestDetails")).get("subscriberInfo")).get("globalSubscriberId");
- String serviceType = (String) ((Map) ((Map) msoRequest.getAdditionalProperties().get("requestDetails"))
- .get("requestParameters")).get("subscriptionServiceType");
- return isServicePermitted(globalSubscriberIdRequested, serviceType);
- } catch (Exception e) {
- //Until we'll get the exact information regarding the tenants and the global customer id, we'll return true on unknown requests to mso
- return true;
- }
- }
-
 }
diff --git a/vid-app-common/src/main/java/org/onap/vid/services/AaiServiceImpl.java b/vid-app-common/src/main/java/org/onap/vid/services/AaiServiceImpl.java
index b3ac16884..66c0e6c04 100644
--- a/vid-app-common/src/main/java/org/onap/vid/services/AaiServiceImpl.java
+++ b/vid-app-common/src/main/java/org/onap/vid/services/AaiServiceImpl.java
@@ -85,6 +85,7 @@ import org.onap.vid.model.aaiTree.NodeType;
 import org.onap.vid.model.aaiTree.RelatedVnf;
 import org.onap.vid.model.aaiTree.VpnBinding;
 import org.onap.vid.model.aaiTree.VpnBindingKt;
+import org.onap.vid.roles.PermissionProperties;
 import org.onap.vid.roles.RoleValidator;
 import org.onap.vid.utils.Intersection;
 import org.onap.vid.utils.Logging;
@@ -217,11 +218,11 @@ public class AaiServiceImpl implements AaiService {
 } else if (key.equals(SERVICE_TYPE)) {
 serviceInstanceSearchResult.setServiceType(relationshipData.getRelationshipValue());
 } else if (key.equals(CUSTOMER_ID)) {
- serviceInstanceSearchResult.setGlobalCustomerId(relationshipData.getRelationshipValue());
+ serviceInstanceSearchResult.setSubscriberId(relationshipData.getRelationshipValue());
 }
 }
- boolean isPermitted = roleValidator.isServicePermitted(serviceInstanceSearchResult.getSubscriberName(), serviceInstanceSearchResult.getServiceType());
+ boolean isPermitted = roleValidator.isServicePermitted(serviceInstanceSearchResult);
 serviceInstanceSearchResult.setIsPermitted(isPermitted);
 }
 }
@@ -265,10 +266,9 @@ public class AaiServiceImpl implements AaiService {
 @Override
 public AaiResponse getSubscriberData(String subscriberId, RoleValidator roleValidator, boolean omitServiceInstances) {
 AaiResponse subscriberResponse = aaiClient.getSubscriberData(subscriberId, omitServiceInstances);
- String subscriberGlobalId = subscriberResponse.getT().globalCustomerId;
 for (ServiceSubscription serviceSubscription : subscriberResponse.getT().serviceSubscriptions.serviceSubscription) {
- String serviceType = serviceSubscription.serviceType;
- serviceSubscription.isPermitted = roleValidator.isServicePermitted(subscriberGlobalId, serviceType);
+ serviceSubscription.isPermitted = roleValidator.isServicePermitted(
+ new PermissionProperties(serviceSubscription, subscriberResponse.getT().globalCustomerId));
 }
 return subscriberResponse;
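Review bot: this search path now matches roles against `getSubscriberId()` (populated from the CUSTOMER_ID relationship a few lines above) instead of `getSubscriberName()`, which is a change in what the role's `subscribeName` is compared with and is not mentioned in the commit message. It is consistent with the other call sites, which always passed the global customer id, so it presumably corrects an earlier mismatch, but it deserves to be stated. When a result has no CUSTOMER_ID relationship, `getSubscriberId()` stays null and RoleValidatorBySubscriberAndServiceType denies it, which is the right default; a comment at the call would make both points visible: `// roles are matched on subscriberId (CUSTOMER_ID relationship); a result without one is not permitted`. The enclosing method starts outside the hunk.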
@@ -298,38 +298,43 @@ public class AaiServiceImpl implements AaiService {
 private List getServicesBySubscriber(String subscriberId, String instanceIdentifier, RoleValidator roleValidator) {
 AaiResponse subscriberResponse = aaiClient.getSubscriberData(subscriberId, false);
- String subscriberGlobalId = subscriberResponse.getT().globalCustomerId;
 String subscriberName = subscriberResponse.getT().subscriberName;
 ServiceSubscriptions serviceSubscriptions = subscriberResponse.getT().serviceSubscriptions;
- return getSearchResultsForSubscriptions(serviceSubscriptions, subscriberId, instanceIdentifier, roleValidator, subscriberGlobalId, subscriberName);
-
+ return getSearchResultsForSubscriptions(serviceSubscriptions, subscriberId, instanceIdentifier, roleValidator, subscriberName);
 }
- private ArrayList getSearchResultsForSubscriptions(ServiceSubscriptions serviceSubscriptions, String subscriberId, String instanceIdentifier, RoleValidator roleValidator, String subscriberGlobalId, String subscriberName) {
+ private ArrayList getSearchResultsForSubscriptions(
+ ServiceSubscriptions serviceSubscriptions, String subscriberId, String instanceIdentifier,
+ RoleValidator roleValidator, String subscriberName) {
 ArrayList results = new ArrayList<>();
 if (serviceSubscriptions != null) {
 for (ServiceSubscription serviceSubscription : serviceSubscriptions.serviceSubscription) {
- String serviceType = serviceSubscription.serviceType;
- serviceSubscription.isPermitted = roleValidator.isServicePermitted(subscriberGlobalId, serviceType);
- ArrayList resultsForSubscription = getSearchResultsForSingleSubscription(serviceSubscription, subscriberId, instanceIdentifier, subscriberName, serviceType);
- results.addAll(resultsForSubscription);
+ serviceSubscription.isPermitted = roleValidator.isServicePermitted(new PermissionProperties(serviceSubscription, subscriberId));
+ results.addAll(getSearchResultsForSingleSubscription(
+ serviceSubscription, subscriberId, instanceIdentifier, 
subscriberName,
+ serviceSubscription.serviceType, roleValidator)
+ );
 }
 }
 return results;
 }
- private ArrayList getSearchResultsForSingleSubscription(ServiceSubscription serviceSubscription, String subscriberId, String instanceIdentifier, String subscriberName, String serviceType) {
+ private ArrayList getSearchResultsForSingleSubscription(
+ ServiceSubscription serviceSubscription, String subscriberId, String instanceIdentifier, String subscriberName,
+ String serviceType, RoleValidator roleValidator) {
 ArrayList results = new ArrayList<>();
 if (serviceSubscription.serviceInstances != null) {
 for (ServiceInstance serviceInstance : serviceSubscription.serviceInstances.serviceInstance) {
 ServiceInstanceSearchResult serviceInstanceSearchResult = new ServiceInstanceSearchResult(serviceInstance.serviceInstanceId, subscriberId, serviceType, serviceInstance.serviceInstanceName,
- subscriberName, serviceInstance.modelInvariantId, serviceInstance.modelVersionId, serviceSubscription.isPermitted);
+ subscriberName, serviceInstance.modelInvariantId, serviceInstance.modelVersionId, false);
+
+ serviceInstanceSearchResult.setIsPermitted(roleValidator.isServicePermitted(serviceInstanceSearchResult));
 if ((instanceIdentifier == null) || (serviceInstanceMatchesIdentifier(instanceIdentifier, serviceInstance))){
 results.add(serviceInstanceSearchResult);
-- cgit 1.2.3-korg