X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Faaf%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Faaf%2Fv2_0%2FAAFTrustChecker.java;h=db6ae9630b75cbfec00d1589b0ecb5d9d88d3a7d;hb=4b5a7d721d994a49057e9bfb403c7bff1b376660;hp=074b704b95c374a4ee387ed0571cce9c93e4a381;hpb=a20accc73189d8e5454cd26049c0e6fae75da16f;p=aaf%2Fauthz.git
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java
index 074b704b..db6ae963 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java
@@ -7,9 +7,9 @@
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -36,79 +36,91 @@ import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.util.Split;
 public class AAFTrustChecker implements TrustChecker {
- private final String tag, id;
- private final AAFPermission perm;
- private Lur lur;
+ private final String tag, id;
+ private final AAFPermission perm;
+ private Lur lur;
+
+ /**
+ *
+ * Instance will be replaced by Identity
+ * @param lur
+ *
+ * @param tag
+ * @param perm
+ */
+ public AAFTrustChecker(final Env env) {
+ tag = env.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN);
+ id = env.getProperty(Config.CADI_ALIAS,env.getProperty(Config.AAF_APPID)); // share between components
+ String str = env.getProperty(Config.CADI_TRUST_PERM);
+ AAFPermission temp=null;
+ if(str!=null) {
+ String[] sp = Split.splitTrim('|', str);
+ switch(sp.length) {
+ case 3:
+ temp = new AAFPermission(null,sp[0],sp[1],sp[2]);
+ break;
+ case 4:
+ temp = new AAFPermission(sp[0],sp[1],sp[2],sp[3]);
+ break;
+ }
+ }
+ perm=temp;
+ }
+
+ public AAFTrustChecker(final Access access) {
+ tag = access.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN);
+ id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_APPID,null)); // share between components
+ String str = access.getProperty(Config.CADI_TRUST_PERM,null);
+ AAFPermission temp=null;
+ if(str!=null) {
+ String[] sp = Split.splitTrim('|', str);
+ switch(sp.length) {
+ case 3:
+ temp = new AAFPermission(null,sp[0],sp[1],sp[2]);
+ break;
+ case 4:
+ temp = new AAFPermission(sp[0],sp[1],sp[2],sp[3]);
+ break;
+ }
+ }
+ perm=temp;
+ }
- /**
- *
- * Instance will be replaced by Identity
- * @param lur
- *
- * @param tag
- * @param perm
- */
- public AAFTrustChecker(final Env env) {
- tag = env.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN);
- id = env.getProperty(Config.CADI_ALIAS,env.getProperty(Config.AAF_APPID)); // share between components
- String str = env.getProperty(Config.CADI_TRUST_PERM);
- AAFPermission temp=null;
-
if(str!=null) {
- String[] sp = Split.splitTrim('|', str);
- if(sp.length==3) {
- temp = new AAFPermission(sp[0],sp[1],sp[2]);
- }
- }
- perm=temp;
- }
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.TrustChecker#setLur(org.onap.aaf.cadi.Lur)
+ */
+ @Override
+ public void setLur(Lur lur) {
+ this.lur = lur;
+ }
- public AAFTrustChecker(final Access access) {
- tag = access.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN);
- id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_APPID,null)); // share between components
- String str = access.getProperty(Config.CADI_TRUST_PERM,null);
- AAFPermission temp=null;
- if(str!=null) {
- String[] sp = Split.splitTrim('|', str);
- if(sp.length==3) {
- temp = new AAFPermission(sp[0],sp[1],sp[2]);
- }
- }
- perm=temp;
- }
+ @Override
+ public TafResp mayTrust(TafResp tresp, HttpServletRequest req) {
+ String user_info = req.getHeader(tag);
+ if (user_info == null) {
+ return tresp;
+ }
- /* (non-Javadoc)
- * @see org.onap.aaf.cadi.TrustChecker#setLur(org.onap.aaf.cadi.Lur)
- */
- @Override
- public void setLur(Lur lur) {
- this.lur = lur;
- }
+ String[] info = Split.split(',', user_info);
+ String[] flds = Split.splitTrim(':', info[0]);
+ if (flds.length < 4) {
+ return tresp;
+ }
+ if (!("AS".equals(flds[3]))) { // is it set for "AS"
+ return tresp;
+ }
- @Override
- public TafResp mayTrust(TafResp tresp, HttpServletRequest req) {
- String user_info = req.getHeader(tag);
- if(user_info !=null ) {
- String[] info = Split.split(',', user_info);
- if(info.length>0) {
- String[] flds = Split.splitTrim(':',info[0]);
- if(flds.length>3 && "AS".equals(flds[3])) { // is it set for "AS"
- String pn = tresp.getPrincipal().getName();
- if(pn.equals(id) // We do trust our own App Components: if a trust entry is made with self, always accept
- || lur.fish(tresp.getPrincipal(), perm)) { // Have Perm set by Config.CADI_TRUST_PERM
- return new TrustTafResp(tresp,
- new TrustPrincipal(tresp.getPrincipal(),
flds[0]),
- " " + flds[0] + " validated using " + flds[2] + " by " + flds[1] + ','
- );
- } else if(pn.equals(flds[0])) { // Ignore if same identity
- return tresp;
- } else {
- return new TrustNotTafResp(tresp, tresp.getPrincipal().getName() + " requested trust as "
- + flds[0] + ", but does not have Authorization");
- }
- }
- }
- }
- return tresp;
- }
+ String principalName = tresp.getPrincipal().getName();
+ if(principalName.equals(id) // We do trust our own App Components: if a trust entry is made with self, always accept
+ || lur.fish(tresp.getPrincipal(), perm)) { // Have Perm set by Config.CADI_TRUST_PERM
+ String desc = " " + flds[0] + " validated using " + flds[2] + " by " + flds[1] + ',';
+ return new TrustTafResp(tresp, new TrustPrincipal(tresp.getPrincipal(), flds[0]), desc);
+ } else if(principalName.equals(flds[0])) { // Ignore if same identity
+ return tresp;
+ } else {
+ String desc = tresp.getPrincipal().getName() + " requested trust as " + flds[0] + ", but does not have Authorization";
+ return new TrustNotTafResp(tresp, desc);
+ }
+ }
 }
\ No newline at end of file
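Review bot: The rewritten mayTrust indexes `info[0]` without the `info.length>0` guard the removed version had, so if `Split.split` can return an empty array for an empty or comma-only header value, a request carrying that header will fail with ArrayIndexOutOfBoundsException instead of falling through to `return tresp`. The header is request-supplied input, so the guard is worth restoring as an early return before the `splitTrim` call: `if (info.length == 0) { return tresp; }`. In the same hunk the new `switch(sp.length)` in both constructors has no `default`, so a CADI_TRUST_PERM value with neither 3 nor 4 fields leaves `perm` null and that null is later handed to `lur.fish`; a `default:` branch that reports the malformed value would make the misconfiguration visible rather than silently weakening the trust check. mayTrust is fully contained in this hunk and the final context line is the class's closing brace.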