* Copyright (C) 2019 AT&T Intellectual Property. All rights
* reserved.
* ================================================================================
+ * Modifications Copyright (c) 2019 Samsung
+ * ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
/**
@Autowired
private ClampProperties refProp;
- private SecurityContext securityContext = SecurityContextHolder.getContext();
- private final static String permPrefix = "security.permission.type.";
- private final static String permInstance = "security.permission.instance";
+ private static final String PERM_PREFIX = "security.permission.type.";
+ private static final String PERM_INSTANCE = "security.permission.instance";
- public AuthorizationController() {
- }
/**
- * Insert event using process variables.
+ * Insert authorize the api based on the permission
*
* @param camelExchange
* The Camel Exchange object containing the properties
- * @param actionState
- * The action state that is used instead of the one in exchange property
+ * @param typeVar
+ * The type of the permissions
+ * @param instanceVar
+ * The instance of the permissions. e.g. dev
+ * @param action
+ * The action of the permissions. e.g. read
*/
+ public void authorize(Exchange camelExchange, String typeVar, String instanceVar, String action) {
+ String type = refProp.getStringValue(PERM_PREFIX + typeVar);
+ String instance = refProp.getStringValue(PERM_INSTANCE);
- public void authorize (Exchange camelExchange, String typeVar, String instanceVar, String action) {
- String type = refProp.getStringValue(permPrefix + typeVar);
- String instance = refProp.getStringValue(permInstance);
-
if (null == type || type.isEmpty()) {
//authorization is turned off, since the permission is not defined
return;
}
if (null != instanceVar && !instanceVar.isEmpty()) {
- instance = instanceVar;
+ instance = instanceVar;
}
String principalName = PrincipalUtils.getPrincipalName();
SecureServicePermission perm = SecureServicePermission.create(type, instance, action);
LoggingUtils.setTargetContext("Clamp", "authorize");
LoggingUtils.setTimeContext(startTime, new Date());
securityLogger.debug("checking if {} has permission: {}", principalName, perm);
- try {
- isUserPermitted(perm);
- } catch (NotAuthorizedException nae) {
+
+ if (!isUserPermitted(perm)){
String msg = principalName + " does not have permission: " + perm;
LoggingUtils.setErrorContext("100", "Authorization Error");
securityLogger.warn(msg);
}
}
- private boolean isUserPermitted(SecureServicePermission inPermission) {
- boolean authorized = false;
+ public boolean isUserPermitted(SecureServicePermission inPermission) {
+
String principalName = PrincipalUtils.getPrincipalName();
// check if the user has the permission key or the permission key with a
// combination of all instance and/or all action.
- if (hasRole(inPermission.getKey())) {
- auditLogger.info("{} authorized because user has permission with * for instance: {}", principalName, inPermission.getKey());
- authorized = true;
+ if (hasRole(inPermission.getKey()) || hasRole(inPermission.getKeyAllInstance())) {
+ auditLogger.info("{} authorized because user has permission with * for instance: {}",
+ principalName, inPermission.getKey());
+ return true;
// the rest of these don't seem to be required - isUserInRole method
// appears to take * as a wildcard
- } else if (hasRole(inPermission.getKeyAllInstance())) {
- auditLogger.info("{} authorized because user has permission with * for instance: {}", principalName, inPermission.getKey());
- authorized = true;
} else if (hasRole(inPermission.getKeyAllInstanceAction())) {
- auditLogger.info("{} authorized because user has permission with * for instance and * for action: {}", principalName, inPermission.getKey());
- authorized = true;
+ auditLogger.info("{} authorized because user has permission with * for instance and * for action: {}",
+ principalName, inPermission.getKey());
+ return true;
} else if (hasRole(inPermission.getKeyAllAction())) {
- auditLogger.info("{} authorized because user has permission with * for action: {}", principalName, inPermission.getKey());
- authorized = true;
+ auditLogger.info("{} authorized because user has permission with * for action: {}",
+ principalName, inPermission.getKey());
+ return true;
} else {
- throw new NotAuthorizedException("");
- }
- return authorized;
- }
-
- public boolean isUserPermittedNoException(SecureServicePermission inPermission) {
- try {
- return isUserPermitted (inPermission);
- } catch (NotAuthorizedException e) {
return false;
}
}
return false;
}
for (GrantedAuthority auth : authentication.getAuthorities()) {
- if (role.equals(auth.getAuthority()))
+ if (role.equals(auth.getAuthority())) {
return true;
+ }
}
return false;
}