X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=datarouter-prov%2Fsrc%2Fmain%2Fjava%2Fcom%2Fatt%2Fresearch%2Fdatarouter%2Fauthz%2Fimpl%2FProvAuthorizer.java;fp=datarouter-prov%2Fsrc%2Fmain%2Fjava%2Fcom%2Fatt%2Fresearch%2Fdatarouter%2Fauthz%2Fimpl%2FProvAuthorizer.java;h=0000000000000000000000000000000000000000;hb=e4b20cc6f7c31f48ddd0de5bcd054b09a35cd510;hp=d6683d5ced3f38c65b8c49ef1cbc27667a671e9b;hpb=315f5603d8e42969a13d985ca8bb50146e82325a;p=dmaap%2Fdatarouter.git
diff --git a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/ProvAuthorizer.java b/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/ProvAuthorizer.java
deleted file mode 100644
index d6683d5c..00000000
--- a/datarouter-prov/src/main/java/com/att/research/datarouter/authz/impl/ProvAuthorizer.java
+++ /dev/null
@@ -1,179 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START==================================================
- * * org.onap.dmaap
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-
-package com.att.research.datarouter.authz.impl;
-
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.log4j.Logger;
-
-import com.att.research.datarouter.authz.AuthorizationResponse;
-import com.att.research.datarouter.authz.Authorizer;
-import com.att.research.datarouter.authz.impl.AuthzResource.ResourceType;
-
-/** Authorizer for the provisioning API for Data Router R1
- *
- * @author J. F. Lucas
- *
- */
-public class ProvAuthorizer implements Authorizer {
-
- private Logger log;
- private ProvDataProvider provData;
-
- private static final String SUBJECT_HEADER = "X-ATT-DR-ON-BEHALF-OF"; // HTTP header carrying requester identity
- private static final String SUBJECT_HEADER_GROUP = "X-ATT-DR-ON-BEHALF-OF-GROUP"; // HTTP header carrying requester identity by group Rally : US708115
- /** Constructor. For the moment, do nothing special. Make it a singleton?
- *
- */
- public ProvAuthorizer(ProvDataProvider provData) {
- this.provData = provData;
- this.log = Logger.getLogger(this.getClass());
- }
-
- /**
- * Determine if the API request carried in the request
parameter is permitted.
- *
- * @param request the HTTP request for which an authorization decision is needed
- * @return an object implementing the AuthorizationResponse
interface. This object includes the
- * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
- * of advice and obligations.
- */
- @Override
- public AuthorizationResponse decide(HttpServletRequest request) {
- return this.decide(request, null);
- }
-
- /**
- * Determine if the API request carried in the request
parameter, with additional attributes provided in
- * the additionalAttrs
parameter, is permitted. additionalAttrs
isn't used in R1.
- *
- * @param request the HTTP request for which an authorization decision is needed
- * @param additionalAttrs additional attributes that the Authorizer
can in making an authorization decision
- * @return an object implementing the AuthorizationResponse
interface. This object includes the
- * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
- * of advice and obligations.
- */
- @Override
- public AuthorizationResponse decide(HttpServletRequest request,
- Map additionalAttrs) {
- log.trace ("Entering decide()");
-
- boolean decision = false;
-
- // Extract interesting parts of the HTTP request
- String method = request.getMethod();
- AuthzResource resource = new AuthzResource(request.getRequestURI());
- String subject = (request.getHeader(SUBJECT_HEADER)); // identity of the requester
- String subjectgroup = (request.getHeader(SUBJECT_HEADER_GROUP)); // identity of the requester by group Rally : US708115
-
- log.trace("Method: " + method + " -- Type: " + resource.getType() + " -- Id: " + resource.getId() +
- " -- Subject: " + subject);
-
- // Choose authorization method based on the resource type
- ResourceType resourceType = resource.getType();
- if (resourceType != null) {
-
- switch (resourceType) {
-
- case FEEDS_COLLECTION:
- decision = allowFeedsCollectionAccess(resource, method, subject, subjectgroup);
- break;
-
- case SUBS_COLLECTION:
- decision = allowSubsCollectionAccess(resource, method, subject, subjectgroup);
- break;
-
- case FEED:
- decision = allowFeedAccess(resource, method, subject, subjectgroup);
- break;
-
- case SUB:
- decision = allowSubAccess(resource, method, subject, subjectgroup);
- break;
-
- default:
- decision = false;
- break;
- }
- }
- log.debug("Exit decide(): " + method + "|" + resourceType + "|" + resource.getId() + "|" + subject + " ==> " + decision);
-
- return new AuthRespImpl(decision);
- }
-
- private boolean allowFeedsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
-
- // Allow GET or POST unconditionally
- return method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("POST"));
- }
-
- private boolean allowSubsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
-
- // Allow GET or POST unconditionally
- return method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("POST"));
- }
-
- private boolean allowFeedAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
- boolean decision = false;
-
- // Allow GET, PUT, or DELETE if requester (subject) is the owner (publisher) of the feed
- if ( method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("PUT") ||
- method.equalsIgnoreCase("DELETE"))) {
-
- String owner = provData.getFeedOwner(resource.getId());
- decision = (owner != null) && owner.equals(subject);
-
- //Verifying by group Rally : US708115
- if(subjectgroup != null) {
- String feedowner = provData.getGroupByFeedGroupId(subject, resource.getId());
- decision = (feedowner != null) && feedowner.equals(subjectgroup);
- }
- }
-
- return decision;
- }
-
- private boolean allowSubAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
- boolean decision = false;
-
- // Allow GET, PUT, or DELETE if requester (subject) is the owner of the subscription (subscriber)
- if (method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("PUT") ||
- method.equalsIgnoreCase("DELETE") || method.equalsIgnoreCase("POST"))) {
-
- String owner = provData.getSubscriptionOwner(resource.getId());
- decision = (owner != null) && owner.equals(subject);
-
- //Verifying by group Rally : US708115
- if(subjectgroup != null) {
- String feedowner = provData.getGroupBySubGroupId(subject, resource.getId());
- decision = (feedowner != null) && feedowner.equals(subjectgroup);
- }
- }
-
- return decision;
- }
-
-}