* ============LICENSE_START==========================================
* ONAP Portal
* ===================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
+ *
+ * Modification Copyright (C) 2018 IBM.
* ===================================================================
*
* Unless otherwise specified, all software contained herein is licensed
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.codec.binary.Hex;
import org.onap.portalapp.controller.sessionmgt.SessionCommunicationController;
import org.onap.portalapp.portal.controller.BasicAuthenticationController;
import org.onap.portalapp.portal.controller.ExternalAppsRestfulController;
import org.onap.portalapp.portal.controller.SharedContextRestController;
import org.onap.portalapp.portal.controller.WebAnalyticsExtAppController;
import org.onap.portalapp.portal.domain.BasicAuthCredentials;
+import org.onap.portalapp.portal.domain.EPApp;
import org.onap.portalapp.portal.domain.EPEndpoint;
-import org.onap.portalapp.portal.domain.EPRole;
import org.onap.portalapp.portal.domain.EPUser;
import org.onap.portalapp.portal.logging.aop.EPEELFLoggerAdvice;
import org.onap.portalapp.portal.logging.format.EPAppMessagesEnum;
import org.onap.portalapp.portal.logging.logic.EPLogUtil;
+import org.onap.portalapp.portal.service.AppsCacheService;
import org.onap.portalapp.portal.service.BasicAuthenticationCredentialService;
+import org.onap.portalapp.portal.service.ExternalAccessRolesService;
+import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
import org.onap.portalapp.portal.utils.EcompPortalUtils;
import org.onap.portalapp.service.RemoteWebServiceCallService;
import org.onap.portalapp.service.sessionmgt.ManageService;
import org.springframework.web.method.HandlerMethod;
public class PortalResourceInterceptor extends ResourceInterceptor {
- private static final String APP_KEY = "uebkey";
-
+
private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(PortalResourceInterceptor.class);
@Autowired
@Autowired
private ManageService manageService;
+
+ @Autowired
+ AppsCacheService appCacheService;
@Autowired
private EPEELFLoggerAdvice epAdvice;
@Autowired
private BasicAuthenticationCredentialService basicAuthService;
+ @Autowired
+ private ExternalAccessRolesService externalAccessRolesService;
@SuppressWarnings("unchecked")
@Override
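Review bot: The newly injected `AppsCacheService appCacheService;` is package-private while every other `@Autowired` field in this class (`manageService`, `epAdvice`, `basicAuthService`, `externalAccessRolesService`) is `private`; declare it `private AppsCacheService appCacheService;` so the dependency is not reachable from other classes in the package. The class body continues past this hunk, so any other field declarations outside the view could not be checked for the same convention.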
String secretKey = null;
try {
epAdvice.loadServletRequestBasedDefaults(request, SecurityEventTypeEnum.INCOMING_REST_MESSAGE);
- if (!remoteWebServiceCallService.verifyRESTCredential(secretKey, request.getHeader(APP_KEY),
+ if (!remoteWebServiceCallService.verifyRESTCredential(secretKey, request.getHeader(EPCommonSystemProperties.UEB_KEY),
request.getHeader("username"), request.getHeader("password"))) {
throw new UrlAccessRestrictedException();
}
}
if (controllerObj instanceof WebAnalyticsExtAppController) {
- if (!remoteWebServiceCallService.verifyAppKeyCredential(request.getHeader(APP_KEY))) {
+ if (!remoteWebServiceCallService.verifyAppKeyCredential(request.getHeader(EPCommonSystemProperties.UEB_KEY))) {
logger.error(EELFLoggerDelegate.errorLogger,
"preHandle: failed to verify app key for web analytics call");
throw new UrlAccessRestrictedException();
String uri = request.getRequestURI().toString();
uri = uri.substring(uri.indexOf("/", 1));
- final String authHeader = request.getHeader("Authorization");
-
+ final String authHeader = request.getHeader(EPCommonSystemProperties.AUTHORIZATION);
+ final String uebkey = request.getHeader(EPCommonSystemProperties.UEB_KEY);
+
// Unauthorized access due to missing HTTP Authorization request header
if (authHeader == null) {
final String msg = "no authorization found";
return false;
}
- String[] accountNamePassword = getUserNamePassword(authHeader);
+ String[] accountNamePassword = EcompPortalUtils.getUserNamePassword(authHeader);
if (accountNamePassword == null || accountNamePassword.length != 2) {
final String msg = "failed to get username and password from Atuhorization header";
logger.debug(EELFLoggerDelegate.debugLogger, "checkBasicAuth: {}", msg);
return false;
}
+ if(uebkey !=null && !uebkey.isEmpty())
+ {
+ EPApp application = appCacheService.getAppFromUeb(uebkey,1);
+ if (application == null) {
+ throw new Exception("Invalid uebkey!");
+ }
+ else {
+ final String appUsername = application.getUsername();
+ final String dbDecryptedPwd = CipherUtil.decryptPKC(application.getAppPassword());
+ if (appUsername.equals(accountNamePassword[0]) && dbDecryptedPwd.equals(accountNamePassword[1])) {
+ return true;
+ }
+ }
+ }
+
+
BasicAuthCredentials creds;
try {
creds = basicAuthService.getBasicAuthCredentialByUsernameAndPassword(accountNamePassword[0],
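Review bot: The app-credential check added at `dbDecryptedPwd.equals(accountNamePassword[1])` compares a secret with `String.equals`, which stops at the first differing character; use `MessageDigest.isEqual(dbDecryptedPwd.getBytes(StandardCharsets.UTF_8), accountNamePassword[1].getBytes(StandardCharsets.UTF_8))` (java.security / java.nio.charset) so the comparison time does not depend on how much of the password matched. On the same branch `appUsername.equals(accountNamePassword[0])` throws a NullPointerException when the cached `EPApp` has no username; `accountNamePassword[0].equals(appUsername)` is safe because the array was already checked to be non-null with two elements. The unknown-key case does `throw new Exception("Invalid uebkey!")` (a raw checked exception for a client error) while a wrong password for a known key silently falls through to the `basicAuthService` lookup below, so the two rejection paths behave differently; treating both the same way — `return false;` after a debug log like the other failure branches, or the `UrlAccessRestrictedException` this class already uses — would be more consistent and avoids a 500-style failure on a bad header. Whether falling through to the generic credential lookup after a uebkey mismatch is intended is not clear from the hunk and is worth a comment either way. checkBasicAuth begins before and ends after this hunk.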
return true;
}
- private String[] getUserNamePassword(String authValue) {
- String base64Credentials = authValue.substring("Basic".length()).trim();
- String credentials = new String(Base64.getDecoder().decode(base64Credentials), Charset.forName("UTF-8"));
- final String[] values = credentials.split(":", 2);
- return values;
- }
-
@SuppressWarnings("unused")
private String decrypted(String encrypted) throws Exception {
String result = "";
- if (encrypted != null & encrypted.length() > 0) {
+ if (encrypted != null && encrypted.length() > 0) {
try {
result = CipherUtil.decryptPKC(encrypted, SystemProperties.getProperty(SystemProperties.Decryption_Key));
} catch (Exception e) {
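Review bot: `decrypted` remains in the class only under `@SuppressWarnings("unused")`; since this hunk already removes the dead `getUserNamePassword` helper, deleting the unused `decrypted` method too is preferable to suppressing the warning, as an unreferenced code path that decrypts with `SystemProperties.Decryption_Key` is maintenance surface with no caller. Removing `getUserNamePassword` likely also leaves the `Base64` and `Charset` imports unused unless something else in the file uses them; the import block is only partly visible here, so confirm before dropping them. Both `decrypted` and the method it follows begin or end outside this hunk.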
private String encrypted(String decryptedPwd) throws Exception {
String result = "";
- if (decryptedPwd != null & decryptedPwd.length() > 0) {
+ if (decryptedPwd != null && decryptedPwd.length() > 0) {
try {
result = CipherUtil.encryptPKC(decryptedPwd,
SystemProperties.getProperty(SystemProperties.Decryption_Key));