2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
21 package org.onap.aai.aaf.auth;
23 import org.slf4j.Logger;
24 import org.slf4j.LoggerFactory;
25 import org.onap.aaf.cadi.filter.CadiFilter;
27 import javax.servlet.FilterChain;
28 import javax.servlet.ServletException;
29 import javax.servlet.http.HttpServletRequest;
30 import javax.servlet.http.HttpServletResponse;
31 import java.io.IOException;
32 import java.util.Enumeration;
33 import java.util.List;
34 import java.util.Properties;
36 import static org.onap.aai.aaf.auth.ResponseFormatter.errorResponse;
39 * The Class AafRequestFilter provides common auth filter methods
41 public class AafRequestFilter {
43 private static final Logger LOGGER = LoggerFactory.getLogger(AafRequestFilter.class);
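/**
 * Authenticates a request through CADI when the client certificate was issued by one of the
 * CADI-configured issuers.
 *
 * Decision flow:
 * <ul>
 *   <li>URIs ending in {@code /util/echo} bypass authentication entirely.</li>
 *   <li>A missing or empty certificate issuer is rejected through
 *       {@link ResponseFormatter#errorResponse}.</li>
 *   <li>If the normalised issuer is in the CADI issuer list, the request is delegated to
 *       {@code cadiFilter}. When the request came through HAProxy, the end user/mechid reported
 *       by {@link CertUtil#getMechId} is placed into the user-chain header first. A 401/403
 *       status after CADI ran is converted to the AAI error response.</li>
 *   <li>Any other issuer is passed straight down the filter chain: CADI is NOT consulted here.
 *       Presumably a later filter handles non-CADI certificates — verify, because this branch is
 *       the fail-open path if no such filter exists.</li>
 * </ul>
 *
 * @param request          current request
 * @param response         current response
 * @param filterChain      downstream filter chain
 * @param cadiFilter       CADI filter that performs the actual authentication
 * @param props            properties holding the CADI issuer configuration
 * @param userChainPattern pattern used to build the user-chain header value
 * @throws IOException      propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
public static void authenticationFilter(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain, CadiFilter cadiFilter, Properties props, String userChainPattern)
        throws IOException, ServletException {
    // NOTE(review): the carve-out matches the raw request URI by suffix only. Any other resource
    // whose path happens to end in /util/echo would also skip authentication; confirm none exists.
    if (request.getRequestURI().matches("^.*/util/echo$")) {
        filterChain.doFilter(request, response);
        return;
    }

    List<String> cadiConfiguredIssuers = CertUtil.getCadiCertIssuers(props);
    String issuer = CertUtil.getCertIssuer(request);
    if (issuer == null || issuer.isEmpty()) {
        errorResponse(request, response);
        return;
    }
    // Normalise the issuer DN (strip all whitespace, upper-case) before comparing it with the
    // configured list. Default-locale toUpperCase is kept on purpose so that both sides are
    // normalised the same way — TODO(review): confirm CertUtil.getCadiCertIssuers does the same.
    issuer = issuer.replaceAll("\\s+", "").toUpperCase();

    if (!cadiConfiguredIssuers.contains(issuer)) {
        // Not a CADI-issued certificate: no CADI authentication is performed in this filter.
        filterChain.doFilter(request, response);
        return;
    }

    LOGGER.debug("authenticationFilter CADI issuer {}", issuer);
    if (CertUtil.isHaProxy(request)) {
        // HAProxy terminated the client's TLS and forwards the end user/client mechid; it becomes
        // the user-chain header CADI sees. This value is trusted solely because isHaProxy()
        // accepted the request, so that check is the security boundary here.
        String user = CertUtil.getMechId(request);
        LOGGER.debug("authenticationFilter haProxy sent end user/mechid {}", user);
        if (user == null || user.isEmpty()) {
            errorResponse(request, response);
            return;
        }
        AafRequestWrapper reqWrapper = new AafRequestWrapper(request);
        String userChainHdr = CertUtil.buildUserChainHeader(user, userChainPattern);
        LOGGER.debug("User chain header value: {}", userChainHdr);
        reqWrapper.putHeader(CertUtil.AAF_USER_CHAIN_HDR, userChainHdr);
        cadiFilter.doFilter(reqWrapper, response, filterChain);
    } else {
        // Direct connection: the request, including any client-supplied user-chain header, is
        // handed to CADI unchanged — TODO(review): confirm CADI ignores that header here.
        cadiFilter.doFilter(request, response, filterChain);
    }

    // CADI reports authentication failure through the response status; translate it into the
    // AAI error format. NOTE(review): CADI may already have committed the response at this
    // point — confirm errorResponse() tolerates a committed response.
    if (response.getStatus() == 401 || response.getStatus() == 403) {
        LOGGER.debug("authenticationFilter failed CADI authentication");
        errorResponse(request, response);
    }
}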
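/**
 * Authorizes a request against {@code permission} when its client certificate was issued by a
 * CADI-configured issuer.
 *
 * Decision flow:
 * <ul>
 *   <li>URIs ending in {@code /util/echo} bypass authorization entirely.</li>
 *   <li>A missing or empty certificate issuer is rejected through
 *       {@link ResponseFormatter#errorResponse}.</li>
 *   <li>For a CADI issuer, {@link HttpServletRequest#isUserInRole} must grant
 *       {@code permission}; otherwise the request is rejected.</li>
 *   <li>For any other issuer the permission is NOT enforced by this filter and the request is
 *       passed on — presumably another mechanism authorizes those certificates; verify.</li>
 * </ul>
 * The user-chain header values are only logged; they take no part in the decision.
 *
 * @param request     current request
 * @param response    current response
 * @param filterChain downstream filter chain
 * @param permission  CADI permission (role name) required for this request
 * @param props       properties holding the CADI issuer configuration
 * @throws IOException      propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
public static void authorizationFilter(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain, String permission, Properties props) throws IOException, ServletException {
    // NOTE(review): suffix match on the raw request URI; any other route ending in /util/echo
    // would also bypass authorization. Confirm none exists.
    if (request.getRequestURI().matches("^.*/util/echo$")) {
        filterChain.doFilter(request, response);
        return;
    }

    List<String> cadiConfiguredIssuers = CertUtil.getCadiCertIssuers(props);
    String issuer = CertUtil.getCertIssuer(request);
    if (issuer == null || issuer.isEmpty()) {
        errorResponse(request, response);
        return;
    }
    // Same normalisation as the authentication filter: strip whitespace, upper-case.
    issuer = issuer.replaceAll("\\s+", "").toUpperCase();

    // Diagnostics only. getHeaders() may legitimately return null when the container denies
    // access to header information, so guard before iterating. Values are client-controlled
    // and are logged at debug level only.
    Enumeration<String> userChainHeaders = request.getHeaders(CertUtil.AAF_USER_CHAIN_HDR);
    if (userChainHeaders != null) {
        while (userChainHeaders.hasMoreElements()) {
            LOGGER.debug("authorizationFilter user chain headerValue={}", userChainHeaders.nextElement());
        }
    }

    boolean cadiIssuer = cadiConfiguredIssuers.contains(issuer);
    if (cadiIssuer && !request.isUserInRole(permission)) {
        LOGGER.debug("authorizationFilter failed CADI authorization issuer={} permission={}", issuer,
                permission);
        errorResponse(request, response);
        return;
    }
    filterChain.doFilter(request, response);
}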