1 /**
2  * ============LICENSE_START=======================================================
3  * org.onap.aai
4  * ================================================================================
5  * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
6  * ================================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  *    http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END=========================================================
19  */
20
21 package org.onap.aai.aaf.auth;
22
import static org.onap.aai.aaf.auth.ResponseFormatter.errorResponse;

import java.io.IOException;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.onap.aaf.cadi.filter.CadiFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
38
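/**
 * The Class AafRequestFilter provides common auth filter methods.
 *
 * <p>Both entry points are static so that concrete servlet filters can delegate to them.
 * Requests whose URI ends in {@code /util/echo} bypass both filters entirely. Every other
 * request must present a certificate issuer that {@code CertUtil} can read; a request whose
 * (normalized) issuer appears in the CADI issuer list is then run through the CADI filter
 * (authentication) and checked with {@link HttpServletRequest#isUserInRole} (authorization).
 * A request from an issuer that is <em>not</em> in that list is passed down the chain by both
 * methods without a CADI check, so it relies on whatever other authentication the chain applies.
 */
public class AafRequestFilter {

    private static final Logger LOGGER = LoggerFactory.getLogger(AafRequestFilter.class);

    /**
     * URIs matching this pattern skip authentication and authorization. Note that it matches any
     * request URI ending in {@code /util/echo}, whatever precedes it. Compiled once rather than on
     * every request.
     */
    private static final Pattern ECHO_URI = Pattern.compile("^.*/util/echo$");

    /**
     * Authenticates the request through the CADI filter when its certificate issuer is one of the
     * CADI-configured issuers.
     *
     * <p>When the request arrived via HAProxy the end user / mechid forwarded by the proxy is
     * placed into the {@code CertUtil.AAF_USER_CHAIN_HDR} header of a request wrapper before the
     * CADI filter runs. If the CADI filter leaves the response at 401 or 403 the standard error
     * response is written instead.
     *
     * @param request the incoming request
     * @param response the response the filter may write an error into
     * @param filterChain the remaining filter chain
     * @param cadiFilter the CADI filter that performs the actual authentication
     * @param props properties holding the CADI issuer configuration
     * @param userChainPattern pattern used by {@code CertUtil.buildUserChainHeader}
     * @throws IOException propagated from the filter chain or error response
     * @throws ServletException propagated from the filter chain
     */
    public static void authenticationFilter(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain, CadiFilter cadiFilter, Properties props, String userChainPattern)
            throws IOException, ServletException {
        if (isEchoRequest(request)) {
            filterChain.doFilter(request, response);
            return;
        }

        List<String> cadiConfiguredIssuers = CertUtil.getCadiCertIssuers(props);
        String issuer = normalizedIssuer(request);
        if (issuer == null) {
            // No usable client certificate issuer: reject before touching the chain.
            errorResponse(request, response);
            return;
        }

        if (!cadiConfiguredIssuers.contains(issuer)) {
            // Not a CADI issuer: nothing for this filter to verify, hand off down the chain.
            filterChain.doFilter(request, response);
            return;
        }

        LOGGER.debug("authenticationFilter CADI issuer " + issuer);
        if (CertUtil.isHaProxy(request)) {
            // get the end user/client mechid and use it in the user chain header value
            String user = CertUtil.getMechId(request);
            LOGGER.debug("authenticationFilter haProxy sent end user/mechid " + user);
            if (user == null || user.isEmpty()) {
                errorResponse(request, response);
                return;
            }
            AafRequestWrapper reqWrapper = new AafRequestWrapper(request);
            String userChainHdr = CertUtil.buildUserChainHeader(user, userChainPattern);
            LOGGER.debug("User chain header value: " + userChainHdr);
            reqWrapper.putHeader(CertUtil.AAF_USER_CHAIN_HDR, userChainHdr);
            cadiFilter.doFilter(reqWrapper, response, filterChain);
        } else {
            cadiFilter.doFilter(request, response, filterChain);
        }

        // The CADI filter signals failure through the response status; translate it into the
        // common error response.
        int status = response.getStatus();
        if (status == HttpServletResponse.SC_UNAUTHORIZED || status == HttpServletResponse.SC_FORBIDDEN) {
            LOGGER.debug("authenticationFilter failed CADI authentication");
            errorResponse(request, response);
        }
    }

    /**
     * Authorizes the request against {@code permission} when its certificate issuer is one of the
     * CADI-configured issuers.
     *
     * <p>Only CADI-issued requests are subject to the role check; a request from any other issuer
     * is forwarded down the chain unchanged. Any {@code CertUtil.AAF_USER_CHAIN_HDR} values present
     * are logged at debug level but not otherwise used here.
     *
     * @param request the incoming request
     * @param response the response the filter may write an error into
     * @param filterChain the remaining filter chain
     * @param permission the role the caller must hold for CADI-issued requests
     * @param props properties holding the CADI issuer configuration
     * @throws IOException propagated from the filter chain or error response
     * @throws ServletException propagated from the filter chain
     */
    public static void authorizationFilter(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain, String permission, Properties props) throws IOException, ServletException {
        if (isEchoRequest(request)) {
            // The return is essential: without it the issuer checks below ran after the chain had
            // already produced a response, and could invoke the chain or errorResponse a second
            // time on the same request.
            filterChain.doFilter(request, response);
            return;
        }

        List<String> cadiConfiguredIssuers = CertUtil.getCadiCertIssuers(props);
        String issuer = normalizedIssuer(request);
        if (issuer == null) {
            errorResponse(request, response);
            return;
        }

        // Debug visibility only; the servlet API allows getHeaders to return null when header
        // access is disallowed, so guard it rather than fail an otherwise valid request.
        Enumeration<String> hdrs = request.getHeaders(CertUtil.AAF_USER_CHAIN_HDR);
        while (hdrs != null && hdrs.hasMoreElements()) {
            String headerValue = hdrs.nextElement();
            LOGGER.debug("authorizationFilter user chain headerValue=" + headerValue);
        }

        if (cadiConfiguredIssuers.contains(issuer) && !request.isUserInRole(permission)) {
            LOGGER.debug(
                    "authorizationFilter failed CADI authorization issuer=" + issuer + " permission=" + permission);
            errorResponse(request, response);
        } else {
            filterChain.doFilter(request, response);
        }
    }

    /** Returns whether the request URI is the echo endpoint exempt from both filters. */
    private static boolean isEchoRequest(HttpServletRequest request) {
        return ECHO_URI.matcher(request.getRequestURI()).matches();
    }

    /**
     * Reads the certificate issuer from the request and normalizes it for comparison with the
     * CADI issuer list.
     *
     * @param request the incoming request
     * @return the issuer with all whitespace removed and upper-cased, or {@code null} when the
     *         request carries no issuer
     */
    private static String normalizedIssuer(HttpServletRequest request) {
        String issuer = CertUtil.getCertIssuer(request);
        if (issuer == null || issuer.isEmpty()) {
            return null;
        }
        // Default-locale toUpperCase is kept deliberately: it presumably mirrors the normalization
        // CertUtil.getCadiCertIssuers applies to the configured list — verify there before changing
        // either side, or configured issuers will silently stop matching.
        return issuer.replaceAll("\\s+", "").toUpperCase();
    }
}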