[aaf/cadi.git] / core / src / main / java / com / att / cadi / filter / PathFilter.java

/*******************************************************************************\r
 * ============LICENSE_START====================================================\r
 * * org.onap.aaf\r
 * * ===========================================================================\r
 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
 * * ===========================================================================\r
 * * Licensed under the Apache License, Version 2.0 (the "License");\r
 * * you may not use this file except in compliance with the License.\r
 * * You may obtain a copy of the License at\r
 * * \r
 *  *      http://www.apache.org/licenses/LICENSE-2.0\r
 * * \r
 *  * Unless required by applicable law or agreed to in writing, software\r
 * * distributed under the License is distributed on an "AS IS" BASIS,\r
 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 * * See the License for the specific language governing permissions and\r
 * * limitations under the License.\r
 * * ============LICENSE_END====================================================\r
 * *\r
 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
 * *\r
 ******************************************************************************/\r
package com.att.cadi.filter;\r
\r
import java.io.IOException;\r
\r
import javax.servlet.Filter;\r
import javax.servlet.FilterChain;\r
import javax.servlet.FilterConfig;\r
import javax.servlet.ServletContext;\r
import javax.servlet.ServletException;\r
import javax.servlet.ServletRequest;\r
import javax.servlet.ServletResponse;\r
import javax.servlet.http.HttpServletRequest;\r
import javax.servlet.http.HttpServletResponse;\r
\r
import com.att.cadi.Access;\r
import com.att.cadi.Access.Level;\r
import com.att.cadi.config.Config;\r
\r
/**\r
 * PathFilter\r
 * \r
 * This class implements Servlet Filter, and uses AAF to validate access to a Path.\r
 * \r
 * This class can be used in a standard J2EE Servlet manner.\r
 *  \r
 *\r
 */\r
public class PathFilter implements Filter {\r
        private ServletContext context;\r
        private String aaf_type;\r
        private String not_authorized_msg;\r
        private final Log log;\r
\r
        /**\r
         * Construct a viable Filter for installing in Container WEB.XML, etc.\r
         * \r
         */\r
        public PathFilter() {\r
                log = new Log() {\r
                        public void info(String ... msg) {\r
                                context.log(build("INFO:",msg));\r
                        }\r
                        public void audit(String ... msg) {\r
                                context.log(build("AUDIT:",msg));\r
                        }\r
                        private String build(String type, String []msg) {\r
                                StringBuilder sb = new StringBuilder(type);\r
                                for(String s : msg) {\r
                                        sb.append(' ');\r
                                        sb.append(s);\r
                                }\r
                                return sb.toString();\r
                        }\r
                \r
                };\r
        }\r
        \r
        /**\r
         * Filter that can be constructed within Java\r
         * @param access\r
         */\r
        public PathFilter(final Access access) {\r
                log = new Log() {\r
                        public void info(String ... msg) {\r
                                access.log(Level.INFO, (Object[])msg);\r
                        }\r
                        public void audit(String ... msg) {\r
                                access.log(Level.AUDIT, (Object[])msg);\r
                        }\r
                };\r
        }\r
        \r
        /**\r
         * Init\r
         * \r
         * Standard Filter "init" call with FilterConfig to obtain properties.  POJOs can construct a\r
         * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this\r
         * mechanism already.\r
         */\r
        public void init(FilterConfig filterConfig) throws ServletException {\r
                // need the Context for Logging, instantiating ClassLoader, etc\r
                context = filterConfig.getServletContext();\r
                StringBuilder sb = new StringBuilder();\r
                StringBuilder err = new StringBuilder(); \r
                Object attr = context.getAttribute(Config.PATHFILTER_NS);\r
                if(attr==null) {\r
                        err.append("PathFilter - pathfilter_ns is not set");\r
                } else {\r
                        sb.append(attr.toString()); \r
                }\r
\r
                attr = context.getAttribute(Config.PATHFILTER_STACK);\r
                if(attr==null) {\r
                        log.info("PathFilter - No pathfilter_stack set, ignoring");\r
                } else {\r
                        sb.append('.');\r
                        sb.append(attr.toString());\r
                }\r
\r
                attr = context.getAttribute(Config.PATHFILTER_URLPATTERN);\r
                if(attr==null) {\r
                        log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'");\r
                        sb.append(".urlpattern");\r
                } else {\r
                        sb.append('.');\r
                        sb.append(attr.toString());\r
                }\r
\r
                log.info("PathFilter - AAF Permission Type is",sb.toString());\r
                \r
                sb.append('|');\r
                \r
                aaf_type = sb.toString();\r
\r
                attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG);\r
                if(attr==null) {\r
                        not_authorized_msg = "Forbidden - Not Authorized to access this Path";\r
                } else {\r
                        not_authorized_msg = attr.toString();\r
                }\r
\r
                if(err.length()>0) {\r
                        throw new ServletException(err.toString());\r
                }\r
        }\r
\r
        private interface Log {\r
                public void info(String ... msg);\r
                public void audit(String ... msg);\r
        }\r
\r
        /**\r
         * doFilter\r
         * \r
         * This is the standard J2EE invocation.  Analyze the request, modify response as necessary, and\r
         * only call the next item in the filterChain if request is suitably Authenticated.\r
         */\r
        //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions\r
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {\r
                HttpServletRequest hreq = (HttpServletRequest)request;\r
                HttpServletResponse hresp = (HttpServletResponse)response;\r
                String perm = aaf_type+hreq.getPathInfo()+'|'+hreq.getMethod();\r
                if(hreq.isUserInRole(perm)) {\r
                        chain.doFilter(request, response);\r
                } else {\r
                        log.audit("PathFilter has denied",hreq.getUserPrincipal().getName(),"access to",perm);\r
                        hresp.sendError(403,not_authorized_msg);\r
                }\r
        }\r
\r
        /**\r
         * Containers call "destroy" when time to cleanup \r
         */\r
        public void destroy() {\r
                log.info("PathFilter destroyed.");\r
        }\r
\r
\r
\r
}\r
\r