X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=ONAP-REST%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fpolicy%2Frest%2FXacmlAdminAuthorization.java;fp=ONAP-REST%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fpolicy%2Frest%2FXacmlAdminAuthorization.java;h=c8dc71918682189ba7191d7f4f6ff7099d461f13;hb=073cc188efe9abb4c010cf674e34e2cf46ef1c52;hp=0000000000000000000000000000000000000000;hpb=4ca818fdfb9b807562166800a086b413593d6894;p=policy%2Fengine.git diff --git a/ONAP-REST/src/main/java/org/onap/policy/rest/XacmlAdminAuthorization.java b/ONAP-REST/src/main/java/org/onap/policy/rest/XacmlAdminAuthorization.java new file mode 100644 index 000000000..c8dc71918 --- /dev/null +++ b/ONAP-REST/src/main/java/org/onap/policy/rest/XacmlAdminAuthorization.java @@ -0,0 +1,220 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP-REST + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.rest; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.onap.policy.common.logging.eelf.MessageCodes; +import org.onap.policy.common.logging.eelf.PolicyLogger; +import org.onap.policy.rest.jpa.UserInfo; +import org.onap.policy.xacml.api.XACMLErrorConstants; + +import com.att.research.xacml.api.DataTypeException; +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Request; +import com.att.research.xacml.api.Response; +import com.att.research.xacml.api.Result; +import com.att.research.xacml.api.pdp.PDPEngine; +import com.att.research.xacml.api.pdp.PDPEngineFactory; +import com.att.research.xacml.api.pdp.PDPException; +import com.att.research.xacml.std.annotations.RequestParser; +import com.att.research.xacml.std.annotations.XACMLAction; +import com.att.research.xacml.std.annotations.XACMLRequest; +import com.att.research.xacml.std.annotations.XACMLResource; +import com.att.research.xacml.std.annotations.XACMLSubject; +import com.att.research.xacml.util.FactoryException; + + + +public class XacmlAdminAuthorization { + private static Log logger = LogFactory.getLog(XacmlAdminAuthorization.class); + + private static UserInfo userId; + public static UserInfo getUserId() { + return userId; + } + + public void setUserId(UserInfo userId) { + XacmlAdminAuthorization.userId = userId; + } + + public enum AdminAction { + ACTION_ACCESS("access"), + ACTION_READ("read"), + ACTION_WRITE("write"), + ACTION_ADMIN("admin"); + + String action; + AdminAction(String a) { + this.action = a; + } + public String toString() { + return this.action; + } + } + + public enum AdminResource { + RESOURCE_APPLICATION("application"), + RESOURCE_POLICY_WORKSPACE("workspace"), + RESOURCE_POLICY_EDITOR("editor"), + RESOURCE_DICTIONARIES("dictionaries"), + RESOURCE_PDP_ADMIN("pdp_admin"), + RESOURCE_PIP_ADMIN("pip_admin"), + RESOURCE_SCOPES_SUPERADMIN("manage_scopes"); + + String resource; + AdminResource(String r) { + this.resource = r; + } + public String toString() { + return this.resource; + } + } + + public enum Role { + ROLE_GUEST("guest"), + ROLE_ADMIN("admin"), + ROLE_EDITOR("editor"), + ROLE_SUPERGUEST("super-guest"), + ROLE_SUPEREDITOR("super-editor"), + ROLE_SUPERADMIN("super-admin"); + + String userRole; + + Role(String a) { + this.userRole = a; + } + public String toString() { + return this.userRole; + } + } + + @XACMLRequest(ReturnPolicyIdList=true) + public class AuthorizationRequest { + + @XACMLSubject(includeInResults=true) + String userID; + + @XACMLAction() + String action; + + @XACMLResource() + String resource; + + public AuthorizationRequest(String userId, String action, String resource) { + this.userID = userId; + this.action = action; + this.resource = resource; + } + + public String getUserID() { + return userID; + } + + public void setUserID(String userID) { + this.userID = userID; + } + + public String getAction() { + return action; + } + + public void setAction(String action) { + this.action = action; + } + + public String getResource() { + return resource; + } + + public void setResource(String resource) { + this.resource = resource; + } + } + + // + // The PDP Engine + // + protected PDPEngine pdpEngine; + + public XacmlAdminAuthorization() { + PDPEngineFactory pdpEngineFactory = null; + try { + pdpEngineFactory = PDPEngineFactory.newInstance(); + if (pdpEngineFactory == null) { + logger.error("Failed to create PDP Engine Factory"); + PolicyLogger.error("Failed to create PDP Engine Factory"); + } + this.pdpEngine = pdpEngineFactory.newEngine(); + } catch (FactoryException e) { + logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Exception create PDP Engine: " + e.getLocalizedMessage()); + PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "Exception create PDP Engine"); + } + } + + public boolean isAuthorized(String userid, AdminAction action, AdminResource resource) { + logger.info("authorize: " + userid + " to " + action + " with " + resource); + if (this.pdpEngine == null) { + logger.warn("no pdp engine available to authorize"); + return false; + } + Request request; + try { + request = RequestParser.parseRequest(new AuthorizationRequest(userid, action.toString(), resource.toString())); + } catch (IllegalArgumentException | IllegalAccessException | DataTypeException e) { + logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Failed to create request: " + e.getLocalizedMessage()); + PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "Failed to create request"); + return false; + } + if (request == null) { + logger.error("Failed to parse request."); + PolicyLogger.error("Failed to parse request"); + return false; + } + logger.info("Request: " + request); + // + // Ask the engine + // + try { + Response response = this.pdpEngine.decide(request); + if (response == null) { + logger.error("Null response from PDP decide"); + PolicyLogger.error("Null response from PDP decide"); + } + // + // Should only be one result + // + if(response != null){ + for (Result result : response.getResults()) { + Decision decision = result.getDecision(); + logger.info("Decision: " + decision); + if (decision.equals(Decision.PERMIT)) { + return true; + } + } + } + } catch (PDPException e) { + logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "PDP Decide failed: " + e.getLocalizedMessage()); + PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "PDP Decide failed"); + } + return false; + } +}