2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
21 package org.onap.aai.aaf.auth;
23 import static org.onap.aai.aaf.auth.ResponseFormatter.errorResponse;
25 import java.io.IOException;
26 import java.util.Enumeration;
27 import java.util.List;
28 import java.util.Properties;
30 import javax.servlet.FilterChain;
31 import javax.servlet.ServletException;
32 import javax.servlet.http.HttpServletRequest;
33 import javax.servlet.http.HttpServletResponse;
35 import org.onap.aaf.cadi.filter.CadiFilter;
36 import org.slf4j.Logger;
37 import org.slf4j.LoggerFactory;
40 * The Class AafRequestFilter provides common auth filter methods
42 public class AafRequestFilter {
44 private static final Logger LOGGER = LoggerFactory.getLogger(AafRequestFilter.class);
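/**
 * Applies CADI authentication to a request, or lets it through untouched when it is the echo probe.
 *
 * <p>Decision order:
 * <ul>
 *   <li>A request whose URI ends in {@code /util/echo} skips authentication and goes straight down the
 *       chain. The match is made on the raw {@link HttpServletRequest#getRequestURI()}, so every path that
 *       ends that way is exempt; the servlet mapping has to guarantee that only the echo endpoint answers
 *       such paths.</li>
 *   <li>Otherwise a client-certificate issuer is required; a missing or empty issuer is answered with
 *       {@code errorResponse} and the chain is not invoked (fail closed).</li>
 *   <li>If the normalised issuer is one of the CADI-configured issuers, the request is handed to the
 *       {@link CadiFilter}. When the request came through HAProxy the forwarded end-user mech id is required
 *       and propagated in the {@code CertUtil.AAF_USER_CHAIN_HDR} header through an {@link AafRequestWrapper}.
 *       A 401/403 left on the response by CADI is turned into {@code errorResponse}.</li>
 *   <li>Any other issuer is passed down the chain without CADI authentication.</li>
 * </ul>
 *
 * <p>Stateless apart from the shared logger, so safe to call concurrently.
 *
 * @param request the incoming request
 * @param response the response the error is written to on failure
 * @param filterChain the remaining filter chain
 * @param cadiFilter the CADI filter that authenticates CADI-issued certificates
 * @param props properties the CADI-configured certificate issuers are read from
 * @param userChainPattern pattern used to build the user-chain header value
 * @throws IOException propagated from the chain, the CADI filter or the error writer
 * @throws ServletException propagated from the chain or the CADI filter
 */
public static void authenticationFilter(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain, CadiFilter cadiFilter, Properties props, String userChainPattern)
        throws IOException, ServletException {
    // The echo probe is deliberately unauthenticated.
    if (request.getRequestURI().matches("^.*/util/echo$")) {
        filterChain.doFilter(request, response);
        return;
    }

    List<String> cadiConfiguredIssuers = CertUtil.getCadiCertIssuers(props);
    String issuer = CertUtil.getCertIssuer(request);
    if (issuer == null || issuer.isEmpty()) {
        // Fail closed: without an issuer no authentication decision can be made.
        errorResponse(request, response);
        return;
    }
    // This normalisation has to stay identical to the one CertUtil applies to the configured issuers
    // (whitespace stripped, default-locale upper case); if the two diverge, contains() silently stops matching.
    issuer = issuer.replaceAll("\\s+", "").toUpperCase();

    if (!cadiConfiguredIssuers.contains(issuer)) {
        // Not a CADI-issued certificate: this filter does not authenticate it.
        filterChain.doFilter(request, response);
        return;
    }

    LOGGER.debug("authenticationFilter CADI issuer {}", issuer);
    if (CertUtil.isHaProxy(request)) {
        // Behind HAProxy the end user / client mech id is forwarded; it becomes the user-chain header value.
        String user = CertUtil.getMechId(request);
        LOGGER.debug("authenticationFilter haProxy sent end user/mechid {}", user);
        if (user == null || user.isEmpty()) {
            errorResponse(request, response);
            return;
        }
        AafRequestWrapper reqWrapper = new AafRequestWrapper(request);
        String userChainHdr = CertUtil.buildUserChainHeader(user, userChainPattern);
        LOGGER.debug("User chain header value: {}", userChainHdr);
        reqWrapper.putHeader(CertUtil.AAF_USER_CHAIN_HDR, userChainHdr);
        cadiFilter.doFilter(reqWrapper, response, filterChain);
    } else {
        cadiFilter.doFilter(request, response, filterChain);
    }

    // CADI reports a failed authentication through the status it leaves on the response.
    int status = response.getStatus();
    if (status == HttpServletResponse.SC_UNAUTHORIZED || status == HttpServletResponse.SC_FORBIDDEN) {
        LOGGER.debug("authenticationFilter failed CADI authentication");
        // NOTE(review): CADI may already have committed the response at this point; how errorResponse
        // behaves on a committed response is decided in ResponseFormatter, not here.
        errorResponse(request, response);
    }
}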
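/**
 * Applies CADI authorization: a request that presents a CADI-issued certificate must carry
 * {@code permission} (checked with {@link HttpServletRequest#isUserInRole}) before it is passed down the chain.
 *
 * <p>Decision order:
 * <ul>
 *   <li>A URI ending in {@code /util/echo} is passed straight down the chain without any check, and the
 *       method returns. In the listing this was rewritten from that call does not appear to be followed by a
 *       return, which would run the issuer checks and possibly the chain a second time on the echo reply.</li>
 *   <li>A missing or empty certificate issuer is rejected with {@code errorResponse}.</li>
 *   <li>A CADI-configured issuer that lacks the permission is rejected with {@code errorResponse}; the chain
 *       is not invoked afterwards (fail closed). The listing this was rewritten from does not appear to
 *       return here either, so the chain would have run after the error was written.</li>
 *   <li>Everything else, including non-CADI issuers, is passed down the chain.</li>
 * </ul>
 *
 * <p>Stateless apart from the shared logger, so safe to call concurrently.
 *
 * @param request the incoming request
 * @param response the response the error is written to on failure
 * @param filterChain the remaining filter chain
 * @param permission the role/permission a CADI-authenticated caller must hold
 * @param props properties the CADI-configured certificate issuers are read from
 * @throws IOException propagated from the chain or the error writer
 * @throws ServletException propagated from the chain
 */
public static void authorizationFilter(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain, String permission, Properties props) throws IOException, ServletException {
    // The echo probe is deliberately unauthorized; return so the chain runs exactly once.
    if (request.getRequestURI().matches("^.*/util/echo$")) {
        filterChain.doFilter(request, response);
        return;
    }

    List<String> cadiConfiguredIssuers = CertUtil.getCadiCertIssuers(props);
    String issuer = CertUtil.getCertIssuer(request);
    if (issuer == null || issuer.isEmpty()) {
        errorResponse(request, response);
        return;
    }
    // Same normalisation as authenticationFilter and CertUtil; it must not diverge or contains() stops matching.
    issuer = issuer.replaceAll("\\s+", "").toUpperCase();

    // Diagnostic only: the user-chain header values are logged, never used for the decision below.
    Enumeration<String> hdrs = request.getHeaders(CertUtil.AAF_USER_CHAIN_HDR);
    while (hdrs.hasMoreElements()) {
        LOGGER.debug("authorizationFilter user chain headerValue={}", hdrs.nextElement());
    }

    if (cadiConfiguredIssuers.contains(issuer) && !request.isUserInRole(permission)) {
        LOGGER.debug("authorizationFilter failed CADI authorization issuer={} permission={}", issuer, permission);
        // Fail closed: the error is written and the chain is not invoked.
        errorResponse(request, response);
        return;
    }
    filterChain.doFilter(request, response);
}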