--- /dev/null
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2019 Nokia Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.dmaap.dbcapi.resources;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.log4j.Logger;
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.dmaap.dbcapi.model.ApiError;
+import org.onap.dmaap.dbcapi.service.DmaapService;
+import org.onap.dmaap.dbcapi.util.DmaapConfig;
+import org.onap.dmaap.dbcapi.util.PermissionBuilder;
+
+public class AAFAuthorizationFilter implements Filter{
+
+ private static final Logger LOGGER = Logger.getLogger(AAFAuthenticationFilter.class.getName());
+ static final String AAF_AUTHZ_FLAG = "UseAAF";
+ private boolean isAafEnabled = false;
+
+ private PermissionBuilder permissionBuilder;
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ DmaapConfig dmaapConfig = getConfig();
+ isAafEnabled = "true".equalsIgnoreCase(dmaapConfig.getProperty(AAF_AUTHZ_FLAG, "false"));
+ if(isAafEnabled) {
+ permissionBuilder = new PermissionBuilder(dmaapConfig, getDmaapService());
+ }
+ }
+
+ @Override
+ public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
+ throws IOException, ServletException {
+
+ if(isAafEnabled) {
+ HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
+ permissionBuilder.updateDmaapInstance();
+ String permission = permissionBuilder.buildPermission(httpRequest);
+
+ if (httpRequest.isUserInRole(permission)) {
+ LOGGER.info("User " + httpRequest.getUserPrincipal().getName() + " has permission " + permission);
+ filterChain.doFilter(servletRequest, servletResponse);
+ } else {
+ String msg = "User " + httpRequest.getUserPrincipal().getName() + " does not have permission " + permission;
+ LOGGER.error(msg);
+ ((HttpServletResponse) servletResponse).setStatus(HttpStatus.FORBIDDEN_403);
+ servletResponse.setContentType("application/json");
+ servletResponse.setCharacterEncoding("UTF-8");
+ servletResponse.getWriter().print(buildErrorResponse(msg));
+ servletResponse.getWriter().flush();
+ }
+ } else {
+ filterChain.doFilter(servletRequest, servletResponse);
+ }
+ }
+
+ @Override
+ public void destroy() {
+ //nothing to cleanup
+ }
+
+ DmaapConfig getConfig() {
+ return (DmaapConfig) DmaapConfig.getConfig();
+ }
+
+ DmaapService getDmaapService() {
+ return new DmaapService();
+ }
+
+ private String buildErrorResponse(String msg) {
+ try {
+ return new ObjectMapper().writeValueAsString(new ApiError(HttpStatus.FORBIDDEN_403, msg, "Authorization"));
+ } catch (JsonProcessingException e) {
+ LOGGER.warn("Could not serialize response entity: " + e.getMessage());
+ return "";
+ }
+ }
+
+ PermissionBuilder getPermissionBuilder() {
+ return permissionBuilder;
+ }
+
+ void setPermissionBuilder(PermissionBuilder permissionBuilder) {
+ this.permissionBuilder = permissionBuilder;
+ }
+
+ void setAafEnabled(boolean aafEnabled) {
+ isAafEnabled = aafEnabled;
+ }
+}