1 /**
2  * ============LICENSE_START=======================================================
3  * org.onap.aai
4  * ================================================================================
5  * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
6  * ================================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  *    http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END=========================================================
19  */
20
21 package org.onap.aai.aaf.auth;
22
import static org.onap.aai.aaf.auth.ResponseFormatter.errorResponse;

import java.io.IOException;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.onap.aaf.cadi.filter.CadiFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
37
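/**
 * The Class AafRequestFilter provides common auth filter methods shared by the AAF
 * authentication and authorization servlet filters.
 *
 * <p>Both entry points exempt any request URI ending in {@code /util/echo} from AAF checks and
 * otherwise only apply CADI checks when the client certificate issuer is one of the issuers
 * returned by {@link CertUtil#getCadiCertIssuers(Properties)}. Requests presenting any other
 * issuer are passed down the chain untouched (presumably handled by a different filter —
 * verify against the filter registration).
 */
public class AafRequestFilter {

    private static final Logger LOGGER = LoggerFactory.getLogger(AafRequestFilter.class);

    /** URI pattern of the echo/health-check endpoint that bypasses AAF checks; compiled once. */
    private static final Pattern ECHO_URI = Pattern.compile("^.*/util/echo$");

    /** Whitespace removed from the certificate issuer before it is compared with the configured ones. */
    private static final Pattern ISSUER_WHITESPACE = Pattern.compile("\\s+");

    /**
     * Authenticates the request through the CADI filter when its client certificate was issued
     * by a configured CADI issuer.
     *
     * <p>Flow:
     * <ol>
     *   <li>{@code /util/echo} requests bypass authentication entirely.</li>
     *   <li>A missing or empty certificate issuer is rejected with the common error response.</li>
     *   <li>For a configured CADI issuer the request is handed to {@code cadiFilter}; if it arrived
     *       through HAProxy, the end user / mech id is first copied into the
     *       {@link CertUtil#AAF_USER_CHAIN_HDR} header of a request wrapper. A 401 or 403 left by
     *       CADI is turned into the common error response.</li>
     *   <li>Any other issuer continues down the chain without CADI authentication.</li>
     * </ol>
     *
     * @param request the incoming request
     * @param response the response to write to
     * @param filterChain the remaining filter chain
     * @param cadiFilter the CADI filter that performs the actual authentication
     * @param props properties holding the configured CADI certificate issuers
     * @param userChainPattern pattern passed to {@link CertUtil#buildUserChainHeader} to build the
     *     user chain header value
     * @throws IOException if the chain or the CADI filter fails with an I/O error
     * @throws ServletException if the chain or the CADI filter fails
     */
    public static void authenticationFilter(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain, CadiFilter cadiFilter, Properties props, String userChainPattern)
            throws IOException, ServletException {
        if (isEchoRequest(request)) {
            filterChain.doFilter(request, response);
            return;
        }

        List<String> cadiConfiguredIssuers = CertUtil.getCadiCertIssuers(props);
        String issuer = normalizedIssuer(request);
        if (issuer == null) {
            errorResponse(request, response);
            return;
        }

        if (!cadiConfiguredIssuers.contains(issuer)) {
            // Not a CADI-issued certificate: nothing for this filter to check.
            filterChain.doFilter(request, response);
            return;
        }

        LOGGER.debug("authenticationFilter CADI issuer {}", issuer);
        if (CertUtil.isHaProxy(request)) {
            // Behind HAProxy the end user / client mech id is delivered separately; propagate it
            // to CADI through the user chain header so the downstream identity is the real caller.
            String user = CertUtil.getMechId(request);
            LOGGER.debug("authenticationFilter haProxy sent end user/mechid {}", user);
            if (user == null || user.isEmpty()) {
                errorResponse(request, response);
                return;
            }
            AafRequestWrapper reqWrapper = new AafRequestWrapper(request);
            String userChainHdr = CertUtil.buildUserChainHeader(user, userChainPattern);
            LOGGER.debug("User chain header value: {}", userChainHdr);
            reqWrapper.putHeader(CertUtil.AAF_USER_CHAIN_HDR, userChainHdr);
            cadiFilter.doFilter(reqWrapper, response, filterChain);
        } else {
            cadiFilter.doFilter(request, response, filterChain);
        }

        // CADI signals a failed authentication through the response status; map it to the
        // common error body.
        int status = response.getStatus();
        if (status == HttpServletResponse.SC_UNAUTHORIZED || status == HttpServletResponse.SC_FORBIDDEN) {
            LOGGER.debug("authenticationFilter failed CADI authentication");
            errorResponse(request, response);
        }
    }

    /**
     * Authorizes the request by checking that a CADI-authenticated user holds {@code permission}.
     *
     * <p>{@code /util/echo} requests bypass the check. A missing or empty certificate issuer is
     * rejected with the common error response. When the issuer is a configured CADI issuer and
     * {@link HttpServletRequest#isUserInRole} denies {@code permission}, the common error response
     * is written; in every other case the request continues down the chain.
     *
     * @param request the incoming request
     * @param response the response to write to
     * @param filterChain the remaining filter chain
     * @param permission the role/permission the authenticated user must hold
     * @param props properties holding the configured CADI certificate issuers
     * @throws IOException if the chain fails with an I/O error
     * @throws ServletException if the chain fails
     */
    public static void authorizationFilter(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain, String permission, Properties props) throws IOException, ServletException {
        if (isEchoRequest(request)) {
            // Return after the chain: previously this fell through and either ran the chain a
            // second time or wrote an error response onto an already-processed request.
            filterChain.doFilter(request, response);
            return;
        }

        List<String> cadiConfiguredIssuers = CertUtil.getCadiCertIssuers(props);
        String issuer = normalizedIssuer(request);
        if (issuer == null) {
            errorResponse(request, response);
            return;
        }

        logUserChainHeaders(request);

        if (cadiConfiguredIssuers.contains(issuer) && !request.isUserInRole(permission)) {
            LOGGER.debug("authorizationFilter failed CADI authorization issuer={} permission={}", issuer,
                    permission);
            errorResponse(request, response);
        } else {
            filterChain.doFilter(request, response);
        }
    }

    /** Returns whether the request targets the echo endpoint exempt from AAF checks. */
    private static boolean isEchoRequest(HttpServletRequest request) {
        return ECHO_URI.matcher(request.getRequestURI()).matches();
    }

    /**
     * Returns the request's certificate issuer with all whitespace removed and upper-cased, or
     * {@code null} when the request carries no issuer.
     */
    private static String normalizedIssuer(HttpServletRequest request) {
        String issuer = CertUtil.getCertIssuer(request);
        if (issuer == null || issuer.isEmpty()) {
            return null;
        }
        // Default-locale upper-casing kept on purpose so the value keeps matching whatever
        // CertUtil.getCadiCertIssuers produces — TODO confirm CertUtil normalizes the same way.
        return ISSUER_WHITESPACE.matcher(issuer).replaceAll("").toUpperCase();
    }

    /**
     * Logs every value of the user chain header at debug level. Diagnostic only; the values are
     * client-supplied and are not used for any decision here.
     */
    private static void logUserChainHeaders(HttpServletRequest request) {
        if (!LOGGER.isDebugEnabled()) {
            return;
        }
        Enumeration<String> hdrs = request.getHeaders(CertUtil.AAF_USER_CHAIN_HDR);
        // The servlet API allows null when the container withholds header access.
        if (hdrs == null) {
            return;
        }
        while (hdrs.hasMoreElements()) {
            LOGGER.debug("authorizationFilter user chain headerValue={}", hdrs.nextElement());
        }
    }
}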