2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright (C) 2019 AT&T Intellectual Property. All rights
7 * ================================================================================
8 * Modifications Copyright (c) 2019 Samsung
9 * ================================================================================
10 * Licensed under the Apache License, Version 2.0 (the "License");
11 * you may not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
14 * http://www.apache.org/licenses/LICENSE-2.0
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS,
18 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
21 * ============LICENSE_END============================================
22 * ===================================================================
26 package org.onap.clamp.authorization;
28 import com.att.eelf.configuration.EELFLogger;
29 import com.att.eelf.configuration.EELFManager;
31 import java.util.Date;
33 import javax.ws.rs.NotAuthorizedException;
35 import org.apache.camel.Exchange;
36 import org.onap.clamp.clds.config.ClampProperties;
37 import org.onap.clamp.clds.service.SecureServiceBase;
38 import org.onap.clamp.clds.service.SecureServicePermission;
39 import org.onap.clamp.clds.util.LoggingUtils;
40 import org.onap.clamp.util.PrincipalUtils;
41 import org.springframework.beans.factory.annotation.Autowired;
42 import org.springframework.security.core.Authentication;
43 import org.springframework.security.core.GrantedAuthority;
44 import org.springframework.stereotype.Component;
50 public class AuthorizationController {
// General logger. Note it is keyed to SecureServiceBase.class rather than this class,
// so log lines from here show up under the SecureServiceBase logger name.
protected static final EELFLogger logger = EELFManager.getInstance().getLogger(SecureServiceBase.class);
// Metrics logger: receives the "authorized because ..." audit trail from isUserPermitted().
protected static final EELFLogger auditLogger = EELFManager.getInstance().getMetricsLogger();
// Security logger: receives the permission checks and the denials raised by authorize().
protected static final EELFLogger securityLogger = EELFManager.getInstance().getSecurityLogger();
// Configuration source the permission type and default instance are read from
// (presumably injected by Spring; the @Autowired import is present but the
// annotation itself is not visible in this excerpt).
private ClampProperties refProp;
// Property key prefix: "security.permission.type.<typeVar>" resolves the permission
// type for a route. If that property is absent authorize() skips the check entirely.
private static final String PERM_PREFIX = "security.permission.type.";
// Property key holding the default permission instance, overridable per call.
private static final String PERM_INSTANCE = "security.permission.instance";
 * Authorize the current API call based on the permission configured for the route.
 * If no permission type is configured under "security.permission.type.&lt;typeVar&gt;"
 * the check is skipped entirely (fail-open), so every protected route must have
 * that property defined.
 *
 * @param camelExchange
 *            The Camel Exchange object containing the properties (not read here)
 * @param typeVar
 *            The type of the permissions, resolved via "security.permission.type.&lt;typeVar&gt;"
 * @param instanceVar
 *            The instance of the permissions. e.g. dev; overrides the configured default
 * @param action
 *            The action of the permissions. e.g. read
 * @throws NotAuthorizedException
 *            if the current principal does not hold the permission
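public void authorize(Exchange camelExchange, String typeVar, String instanceVar, String action) {
    // camelExchange is part of the route signature but is not consulted here.
    String type = refProp.getStringValue(PERM_PREFIX + typeVar);
    String instance = refProp.getStringValue(PERM_INSTANCE);

    if (null == type || type.isEmpty()) {
        // Fail-open by design: an undefined "security.permission.type.<typeVar>" property
        // disables the check for this route entirely. Record the skip in the security log
        // so that a missing or mistyped property cannot silently turn a protected endpoint
        // into an unprotected one. Callers relying on the early return are unaffected.
        securityLogger.warn("Authorization skipped: no permission type configured for {}",
            PERM_PREFIX + typeVar);
        return;
    }
    // An explicit instance passed by the route wins over the configured default.
    if (null != instanceVar && !instanceVar.isEmpty()) {
        instance = instanceVar;
    }

    String principalName = PrincipalUtils.getPrincipalName();
    SecureServicePermission perm = SecureServicePermission.create(type, instance, action);
    Date startTime = new Date();
    LoggingUtils.setTargetContext("Clamp", "authorize");
    LoggingUtils.setTimeContext(startTime, new Date());
    securityLogger.debug("checking if {} has permission: {}", principalName, perm);

    if (!isUserPermitted(perm)) {
        String msg = principalName + " does not have permission: " + perm;
        LoggingUtils.setErrorContext("100", "Authorization Error");
        securityLogger.warn(msg);
        // NOTE(review): NotAuthorizedException maps to HTTP 401 (authentication), whereas
        // this is an authorization failure (403 semantics). Kept as-is because callers
        // may catch this exact type.
        throw new NotAuthorizedException(msg);
    }
}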
public boolean isUserPermitted(SecureServicePermission inPermission) {
    String principalName = PrincipalUtils.getPrincipalName();

    // hasRole() compares the requested key against the granted authorities with an exact
    // string equals — there is no wildcard expansion on that side — so every "*" form of
    // the permission key has to be probed explicitly here. Do not remove these checks.

    // Exact key, or the key with "*" in place of the instance.
    if (hasRole(inPermission.getKey()) || hasRole(inPermission.getKeyAllInstance())) {
        auditLogger.info("{} authorized because user has permission with * for instance: {}",
            principalName, inPermission.getKey());
        return true;
    }

    // "*" for both the instance and the action.
    if (hasRole(inPermission.getKeyAllInstanceAction())) {
        auditLogger.info("{} authorized because user has permission with * for instance and * for action: {}",
            principalName, inPermission.getKey());
        return true;
    }

    // "*" for the action only.
    if (hasRole(inPermission.getKeyAllAction())) {
        auditLogger.info("{} authorized because user has permission with * for action: {}",
            principalName, inPermission.getKey());
        return true;
    }

    // No matching authority: deny. The denial itself is logged by the caller.
    return false;
}
125 protected boolean hasRole(String role) {
126 Authentication authentication = PrincipalUtils.getSecurityContext().getAuthentication();
127 if (authentication == null) {
130 for (GrantedAuthority auth : authentication.getAuthorities()) {
131 if (role.equals(auth.getAuthority())) {