Batch Test improvements
[aaf/authz.git] / cadi / core / src / main / java / org / onap / aaf / cadi / filter / CadiFilter.java
index affb8f9..01bf6f2 100644 (file)
@@ -71,7 +71,7 @@ public class CadiFilter implements Filter {
     private static List<Pair> mapPairs;
     private Access access;
     private Object[] additionalTafLurs;
-    private Filter oauthFilter;
+    private SideChain sideChain;
     private static int count=0;
     
     public Lur getLur() {
@@ -113,7 +113,7 @@ public class CadiFilter implements Filter {
     public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException {
         this.access = access;
         additionalTafLurs = moreTafLurs;
-        if(init) {
+        if (init) {
             init(new AccessGetter(access));
         }
     }
@@ -129,7 +129,7 @@ public class CadiFilter implements Filter {
     public void init(FilterConfig filterConfig) throws ServletException {
         // need the Context for Logging, instantiating ClassLoader, etc
         ServletContextAccess sca=new ServletContextAccess(filterConfig); 
-        if(access==null) {
+        if (access==null) {
             access = sca;
         }
         
@@ -139,14 +139,15 @@ public class CadiFilter implements Filter {
     
 
     @SuppressWarnings("unchecked")
-    private void init(Get getter) throws ServletException {
+    protected void init(Get getter) throws ServletException {
+       sideChain = new SideChain();
         // Start with the assumption of "Don't trust anyone".
        TrustChecker tc = TrustChecker.NOTRUST; // default position
        try {
            Class<TrustChecker> ctc = (Class<TrustChecker>) Class.forName("org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker");
-           if(ctc!=null) {
+           if (ctc!=null) {
                Constructor<TrustChecker> contc = ctc.getConstructor(Access.class);
-               if(contc!=null) {
+               if (contc!=null) {
                    tc = contc.newInstance(access);
                }
            }
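Review bot: Widening `init(Get getter)` from private to protected makes it overridable, while the `CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs)` constructor above still appears to call it through `init(new AccessGetter(access))`, so a subclass override would run before the subclass's own fields are initialised. This method also sets the default `TrustChecker.NOTRUST` position and now creates `sideChain`; an override that skips `super.init(getter)` would leave `sideChain` null for the later `sideChain.doFilter(cw,response,chain)` call. If the wider visibility is only needed by tests, package-private access would be narrower; otherwise add a Javadoc line on the method stating that overrides must call `super.init(getter)` first. The new `sideChain = new SideChain();` line is indented one column less than the statements after it, and the method body continues past this hunk.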
@@ -158,22 +159,9 @@ public class CadiFilter implements Filter {
            Class<Filter> cf=null;
            try {
                cf= (Class<Filter>) Class.forName("org.onap.aaf.cadi.oauth.OAuthFilter");
-               oauthFilter = cf.newInstance();
+               sideChain.add(cf.newInstance());
            } catch (ClassNotFoundException e) {
-               oauthFilter = new Filter() { // Null Filter
-                    @Override
-                    public void destroy() {
-                    }
-    
-                    @Override
-                    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)throws IOException, ServletException {
-                        chain.doFilter(req, resp);
-                    }
-    
-                    @Override
-                    public void init(FilterConfig arg0) throws ServletException {
-                    }
-               };
+                  access.log(Level.DEBUG, "OAuthFilter not enabled");
            }
        } catch (Exception e) {
            access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage());
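Review bot: Only `ClassNotFoundException` is handled beside `sideChain.add(cf.newInstance())`, so if the OAuthFilter class is on the classpath but cannot be instantiated, the exception falls to the outer `catch (Exception e)`, which logs "AAFTrustChecker cannot be loaded" and continues. The side chain is then built without that filter, and the only trace is a log line naming the wrong component. Consider adding `catch (InstantiationException | IllegalAccessException e)` next to the existing catch and either rethrowing as `ServletException` or logging at `Level.ERROR` with the OAuthFilter name, so a broken deployment is not mistaken for "not enabled". `Class.newInstance()` is also deprecated from Java 9 on; `cf.getDeclaredConstructor().newInstance()` is the replacement.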
@@ -184,8 +172,8 @@ public class CadiFilter implements Filter {
         // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice.
         synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) {
             ++count;
-            if(httpChecker == null) {
-                if(access==null) {
+            if (httpChecker == null) {
+                if (access==null) {
                     access = new PropAccess();
                 }
                 try {
@@ -193,16 +181,16 @@ public class CadiFilter implements Filter {
                 } catch (CadiException | LocatorException e1) {
                     throw new ServletException(e1);
                 }
-            } else if(access==null) {
+            } else if (access==null) {
                 access= httpChecker.getAccess();
             }
 
             /*
              * Setup Authn Path Exceptions
              */
-            if(pathExceptions==null) {
+            if (pathExceptions==null) {
                 String str = getter.get(Config.CADI_NOAUTHN, null, true);
-                if(str!=null) {
+                if (str!=null) {
                     pathExceptions = str.split("\\s*:\\s*");
                 }
             }
@@ -210,22 +198,22 @@ public class CadiFilter implements Filter {
             /* 
              * SETUP Permission Converters... those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions
              */
-            if(mapPairs==null) {
+            if (mapPairs==null) {
                 String str = getter.get(Config.AAF_PERM_MAP, null, true);
-                if(str!=null) {
+                if (str!=null) {
                     String mstr = getter.get(Config.AAF_PERM_MAP, null, true);
-                    if(mstr!=null) {
+                    if (mstr!=null) {
                         String map[] = mstr.split("\\s*:\\s*");
-                        if(map.length>0) {
+                        if (map.length>0) {
                             MapPermConverter mpc=null;
                             int idx;
                             mapPairs = new ArrayList<>();
-                            for(String entry : map) {
-                                if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter
+                            for (String entry : map) {
+                                if ((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter
                                     access.log(Level.INIT,"Loading Perm Conversions for:",entry);
                                     mapPairs.add(new Pair(entry,mpc=new MapPermConverter()));
                                 } else {
-                                    if(mpc!=null) {
+                                    if (mpc!=null) {
                                         mpc.map().put(entry.substring(0,idx),entry.substring(idx+1));
                                     } else {
                                         access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped");
@@ -238,6 +226,11 @@ public class CadiFilter implements Filter {
             }
         }
 
+        // Add API Enforcement Point
+        String enforce = getter.get(Config.CADI_API_ENFORCEMENT, null, true); 
+        if(enforce!=null && enforce.length()>0) {
+               sideChain.add(new CadiApiEnforcementFilter(access,enforce));
+        }
         // Remove Getter
         getter = Get.NULL;
     }
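Review bot: When `Config.CADI_API_ENFORCEMENT` is unset or empty, the `CadiApiEnforcementFilter` is skipped with no log output, so a missing or misspelled property turns enforcement off without any startup record. Logging the decision in both branches would make that visible, for example by adding `else { access.log(Level.INIT, "CADI API Enforcement is not enabled"); }` and a matching INIT line when the filter is added. The new `if(enforce!=null && enforce.length()>0)` line also uses the `if(` spacing that the rest of this commit rewrites to `if (`.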
@@ -248,7 +241,7 @@ public class CadiFilter implements Filter {
     public void destroy() {
         // Synchronize, in case multiCadiFilters are used.
         synchronized(CadiHTTPManip.noAdditional) {
-            if(--count<=0 && httpChecker!=null) {
+            if (--count<=0 && httpChecker!=null) {
                 httpChecker.destroy();
                 httpChecker=null;
                 access=null;
@@ -272,7 +265,7 @@ public class CadiFilter implements Filter {
         String tag = "";
         try {
             HttpServletRequest hreq = (HttpServletRequest)request;
-            if(noAuthn(hreq)) {
+            if (noAuthn(hreq)) {
                 startCode=System.nanoTime();
                 chain.doFilter(request, response);
                 code = Timing.millis(startCode);
@@ -281,13 +274,13 @@ public class CadiFilter implements Filter {
                 startValidate=System.nanoTime();
                 TafResp tresp = httpChecker.validate(hreq, hresp, hreq);
                 validate = Timing.millis(startValidate);
-                if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) {
+                if (tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) {
                     user = tresp.getPrincipal().personalName();
                     tag = tresp.getPrincipal().tag();
                     CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq));
-                    if(httpChecker.notCadi(cw, hresp)) {
+                    if (httpChecker.notCadi(cw, hresp)) {
                         startCode=System.nanoTime();
-                        oauthFilter.doFilter(cw,response,chain);
+                        sideChain.doFilter(cw,response,chain);
                         code = Timing.millis(startCode);
                     }
                 }
@@ -308,11 +301,18 @@ public class CadiFilter implements Filter {
      * @return
      */
     private boolean noAuthn(HttpServletRequest hreq) {
-        if(pathExceptions!=null) {
+        if (pathExceptions!=null) {
             String pi = hreq.getPathInfo();
-            if(pi==null) return false; // JBoss sometimes leaves null
-            for(String pe : pathExceptions) {
-                if(pi.startsWith(pe))return true;
+            if (pi==null) {
+               // Attempt to get from URI only  (Daniel Rose)
+                pi = hreq.getRequestURI().substring(hreq.getContextPath().length());
+                if(pi==null) {
+                       // Nothing works.
+                       return false; // JBoss sometimes leaves null
+                }
+            }
+            for (String pe : pathExceptions) {
+                if (pi.startsWith(pe))return true;
             }
         }
         return false;
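Review bot: The new fallback in noAuthn matches the authentication-exempt prefixes from `Config.CADI_NOAUTHN` against `getRequestURI()`, which the container returns undecoded and un-normalised, whereas `getPathInfo()` is decoded. A request whose raw URI merely begins with an exempt prefix could therefore skip `httpChecker.validate` even if the container resolves it to a different resource. The fallback value also includes the servlet path, so one configured prefix means different things in the two branches. A container-decoded source such as `pi = hreq.getServletPath();` followed by `if (pi==null || pi.isEmpty()) return false;` keeps the check failing closed; the added `if(pi==null)` after `substring` can never be true, because `substring` does not return null. `getConverter` in the last hunk still reads only `getPathInfo()`, so the two lookups disagree on containers that leave it null, and the closing brace of noAuthn is outside this hunk.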
@@ -322,11 +322,11 @@ public class CadiFilter implements Filter {
      * Get Converter by Path
      */
     private PermConverter getConverter(HttpServletRequest hreq) {
-        if(mapPairs!=null) {
+        if (mapPairs!=null) {
             String pi = hreq.getPathInfo();
-            if(pi !=null) {
-                for(Pair p: mapPairs) {
-                    if(pi.startsWith(p.name))return p.pc;
+            if (pi !=null) {
+                for (Pair p: mapPairs) {
+                    if (pi.startsWith(p.name))return p.pc;
                 }
             }
         }