2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright (C) 2019 AT&T Intellectual Property. All rights
7 * ================================================================================
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 * ============LICENSE_END============================================
20 * ===================================================================
24 package org.onap.clamp.authorization;
26 import com.att.eelf.configuration.EELFLogger;
27 import com.att.eelf.configuration.EELFManager;
29 import java.util.Date;
31 import javax.ws.rs.NotAuthorizedException;
33 import org.apache.camel.Exchange;
34 import org.onap.clamp.clds.config.ClampProperties;
35 import org.onap.clamp.clds.service.SecureServiceBase;
36 import org.onap.clamp.clds.service.SecureServicePermission;
37 import org.onap.clamp.clds.util.LoggingUtils;
38 import org.onap.clamp.util.PrincipalUtils;
39 import org.springframework.beans.factory.annotation.Autowired;
40 import org.springframework.security.core.Authentication;
41 import org.springframework.security.core.GrantedAuthority;
42 import org.springframework.security.core.context.SecurityContext;
43 import org.springframework.security.core.context.SecurityContextHolder;
44 import org.springframework.stereotype.Component;
50 public class AuthorizationController {
// Application logger; note it is registered under SecureServiceBase, not this class,
// so entries written here appear under that logger name.
protected static final EELFLogger logger = EELFManager.getInstance().getLogger(SecureServiceBase.class);
// Metrics logger: records every granted authorization (the audit trail).
protected static final EELFLogger auditLogger = EELFManager.getInstance().getMetricsLogger();
// Security logger: records permission checks and denials.
protected static final EELFLogger securityLogger = EELFManager.getInstance().getSecurityLogger();
// By default we'll set it to a default handler
// Source of the "security.permission.*" properties read by authorize().
// NOTE(review): no injection annotation is visible in this listing — confirm refProp is wired.
private ClampProperties refProp;
// NOTE(review): captured once, when this object is constructed. The holder's context is
// by default thread-bound, so this field need not reflect the caller of a later request;
// the methods below resolve the principal through PrincipalUtils instead — confirm this
// field is not relied on for authorization decisions.
private SecurityContext securityContext = SecurityContextHolder.getContext();
// Property prefix; the permission type name (typeVar) is appended to it.
private final static String permPrefix = "security.permission.type.";
// Property holding the default permission instance.
private final static String permInstance = "security.permission.instance";
/** No-argument constructor; collaborators are assigned through the fields above. */
public AuthorizationController() {
}
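/**
 * Checks that the current principal holds the permission built from the configured
 * permission type, the permission instance and the given action.
 *
 * <p>When no permission type is configured for {@code typeVar} the check is skipped
 * altogether (authorization is effectively turned off for that type); that bypass is
 * written to the security logger so an operator can spot a missing property.
 *
 * @param camelExchange The Camel Exchange object containing the properties
 *        (not read by this method at present)
 * @param typeVar suffix appended to {@code security.permission.type.} to find the permission type
 * @param instanceVar permission instance used instead of the configured default when non-empty
 * @param action The action state that is used instead of the one in exchange property
 * @throws NotAuthorizedException when the principal does not hold the permission
 */
public void authorize(Exchange camelExchange, String typeVar, String instanceVar, String action) {
    String type = refProp.getStringValue(permPrefix + typeVar);
    String instance = refProp.getStringValue(permInstance);

    if (null == type || type.isEmpty()) {
        // authorization is turned off, since the permission is not defined.
        // A missing property grants access silently, so record the bypass.
        securityLogger.warn("no permission type configured for {}{}, skipping authorization for action {}",
                permPrefix, typeVar, action);
        return;
    }
    if (null != instanceVar && !instanceVar.isEmpty()) {
        instance = instanceVar;
    }
    String principalName = PrincipalUtils.getPrincipalName();
    SecureServicePermission perm = SecureServicePermission.create(type, instance, action);
    Date startTime = new Date();
    LoggingUtils.setTargetContext("Clamp", "authorize");
    // Time context is set before the permission lookup, so it does not include it.
    LoggingUtils.setTimeContext(startTime, new Date());
    securityLogger.debug("checking if {} has permission: {}", principalName, perm);
    try {
        isUserPermitted(perm);
    } catch (NotAuthorizedException nae) {
        String msg = principalName + " does not have permission: " + perm;
        LoggingUtils.setErrorContext("100", "Authorization Error");
        securityLogger.warn(msg);
        // NOTE(review): the single-argument JAX-RS constructor takes a WWW-Authenticate
        // challenge rather than a message, so the principal name and permission key are
        // likely sent to the client in the 401 response — confirm that is intended.
        throw new NotAuthorizedException(msg);
    }
}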
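/**
 * Verifies that the current principal holds {@code inPermission}, either exactly or
 * through one of its wildcard forms (all instances, all actions, or both). Every
 * grant is recorded on the audit logger.
 *
 * @param inPermission the permission to check
 * @return {@code true} when the principal holds the permission
 * @throws NotAuthorizedException when none of the permission keys is held
 */
private boolean isUserPermitted(SecureServicePermission inPermission) {
    String principalName = PrincipalUtils.getPrincipalName();
    // hasRole compares authorities with equals(), so '*' is not a wildcard there:
    // each wildcard form of the key has to be checked explicitly.
    if (hasRole(inPermission.getKey())) {
        // Exact key match; the earlier message wrongly claimed a '*' instance here.
        auditLogger.info("{} authorized because user has permission: {}", principalName, inPermission.getKey());
        return true;
    }
    if (hasRole(inPermission.getKeyAllInstance())) {
        auditLogger.info("{} authorized because user has permission with * for instance: {}", principalName, inPermission.getKey());
        return true;
    }
    if (hasRole(inPermission.getKeyAllInstanceAction())) {
        auditLogger.info("{} authorized because user has permission with * for instance and * for action: {}", principalName, inPermission.getKey());
        return true;
    }
    if (hasRole(inPermission.getKeyAllAction())) {
        auditLogger.info("{} authorized because user has permission with * for action: {}", principalName, inPermission.getKey());
        return true;
    }
    // Nothing matched; the caller logs the denial with the principal and permission.
    throw new NotAuthorizedException("");
}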
/**
 * Same check as {@link #isUserPermitted(SecureServicePermission)}, but reports a
 * denial as {@code false} instead of throwing.
 *
 * @param inPermission the permission to check
 * @return {@code true} when the principal holds the permission, {@code false} otherwise
 */
public boolean isUserPermittedNoException(SecureServicePermission inPermission) {
    boolean permitted;
    try {
        permitted = isUserPermitted(inPermission);
    } catch (NotAuthorizedException denied) {
        // A denial is the expected negative outcome here, not an error.
        permitted = false;
    }
    return permitted;
}
135 protected boolean hasRole(String role) {
136 Authentication authentication = PrincipalUtils.getSecurityContext().getAuthentication();
137 if (authentication == null) {
140 for (GrantedAuthority auth : authentication.getAuthorities()) {
141 if (role.equals(auth.getAuthority()))