X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=src%2Fmain%2Fjava%2Forg%2Fonap%2Fclamp%2Fclds%2FClampServlet.java;h=6adb76cb3187712f76f7d94c46e5f70e225fe24b;hb=66e68b859d8faa62ca854741f9b8bc579571c9b9;hp=538edfe150f88fd33bd3ca6d4a0ce08951cafff5;hpb=e536d7a9eb3b794d6a037b663747b5971dbd8c8a;p=clamp.git diff --git a/src/main/java/org/onap/clamp/clds/ClampServlet.java b/src/main/java/org/onap/clamp/clds/ClampServlet.java index 538edfe1..6adb76cb 100644 --- a/src/main/java/org/onap/clamp/clds/ClampServlet.java +++ b/src/main/java/org/onap/clamp/clds/ClampServlet.java @@ -5,6 +5,8 @@ * Copyright (C) 2018 AT&T Intellectual Property. All rights * reserved. * ================================================================================ + * Modifications Copyright (c) 2019 Samsung + * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -26,9 +28,11 @@ package org.onap.clamp.clds; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; +import fj.data.Array; import java.io.IOException; import java.security.Principal; import java.util.ArrayList; +import java.util.Arrays; import java.util.List; import javax.servlet.ServletException; @@ -36,9 +40,9 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.camel.component.servlet.CamelHttpTransportServlet; -import org.onap.clamp.clds.service.SecureServicePermission; -import org.onap.clamp.clds.util.ClampTimer; +import org.onap.clamp.authorization.SecureServicePermission; import org.springframework.context.ApplicationContext; +import org.springframework.http.HttpStatus; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; @@ -47,55 +51,91 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.User; import org.springframework.web.context.support.WebApplicationContextUtils; - public class ClampServlet extends CamelHttpTransportServlet { /** - * + * The serial version ID. */ - private static final long serialVersionUID = -7052719614021825641L; - protected static final EELFLogger logger = EELFManager.getInstance().getLogger(ClampServlet.class); - public static final String PERM_INSTANCE = "clamp.config.security.permission.instance"; - public static final String PERM_CL= "clamp.config.security.permission.type.cl"; - public static final String PERM_TEMPLATE = "clamp.config.security.permission.type.template"; + private static final long serialVersionUID = -4198841134910211542L; - @Override - protected void doService(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); - List permissionList = new ArrayList<>(); + private static final EELFLogger logger = EELFManager.getInstance().getLogger(ClampServlet.class); + private static final String PERM_INSTANCE = "clamp.config.security.permission.instance"; + private static final String PERM_CL = "clamp.config.security.permission.type.cl"; + private static final String PERM_TEMPLATE = "clamp.config.security.permission.type.template"; + private static final String PERM_VF = "clamp.config.security.permission.type.filter.vf"; + private static final String PERM_MANAGE = "clamp.config.security.permission.type.cl.manage"; + private static final String PERM_TOSCA = "clamp.config.security.permission.type.tosca"; + private static final String AUTHENTICATION_CLASS = "clamp.config.security.authentication.class"; + private static final String READ = "read"; + private static final String UPDATE = "update"; - // Get Principal info and translate it into Spring Authentication - // If authenticataion is null: a) the authentication info was set manually in the previous thread - // b) handled by Spring automatically - // for the 2 cases above, no need for the translation, just skip the following step - if (null == authentication) { - logger.debug ("Populate Spring Authenticataion info manually."); - ApplicationContext applicationContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext()); - // Start a timer to clear the authentication after 5 mins, so that the authentication will be reinitialized with AAF DB - new ClampTimer(300); - String cldsPersmissionTypeCl = applicationContext.getEnvironment().getProperty(PERM_CL); - String cldsPermissionTypeTemplate = applicationContext.getEnvironment().getProperty(PERM_TEMPLATE); - String cldsPermissionInstance = applicationContext.getEnvironment().getProperty(PERM_INSTANCE); + private static List permissionList; - // set the stragety to Mode_Global, so that all thread is able to see the authentication - SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_GLOBAL); - Principal p = request.getUserPrincipal(); + private synchronized String[] loadDynamicAuthenticationClasses() { + String[] authenticationObjects = WebApplicationContextUtils.getWebApplicationContext(getServletContext()) + .getEnvironment().getProperty(AUTHENTICATION_CLASS).split(","); + Arrays.stream(authenticationObjects).forEach(className -> className.trim()); + return authenticationObjects; + } - permissionList.add(SecureServicePermission.create(cldsPersmissionTypeCl, cldsPermissionInstance, "read")); - permissionList.add(SecureServicePermission.create(cldsPersmissionTypeCl, cldsPermissionInstance, "update")); - permissionList.add(SecureServicePermission.create(cldsPermissionTypeTemplate, cldsPermissionInstance, "read")); - permissionList.add(SecureServicePermission.create(cldsPermissionTypeTemplate, cldsPermissionInstance, "update")); + private synchronized List getPermissionList() { + if (permissionList == null) { + permissionList = new ArrayList<>(); + ApplicationContext applicationContext = WebApplicationContextUtils + .getWebApplicationContext(getServletContext()); + String cldsPermissionInstance = applicationContext.getEnvironment().getProperty(PERM_INSTANCE); + permissionList.add(SecureServicePermission.create(applicationContext.getEnvironment().getProperty(PERM_CL), + cldsPermissionInstance, READ)); + permissionList.add(SecureServicePermission.create(applicationContext.getEnvironment().getProperty(PERM_CL), + cldsPermissionInstance, UPDATE)); + permissionList.add(SecureServicePermission.create( + applicationContext.getEnvironment().getProperty(PERM_TEMPLATE), cldsPermissionInstance, READ)); + permissionList.add(SecureServicePermission.create( + applicationContext.getEnvironment().getProperty(PERM_TEMPLATE), cldsPermissionInstance, UPDATE)); + permissionList.add(SecureServicePermission.create(applicationContext.getEnvironment().getProperty(PERM_VF), + cldsPermissionInstance, "*")); + permissionList.add(SecureServicePermission + .create(applicationContext.getEnvironment().getProperty(PERM_MANAGE), cldsPermissionInstance, "*")); + permissionList.add(SecureServicePermission + .create(applicationContext.getEnvironment().getProperty(PERM_TOSCA), cldsPermissionInstance, READ)); + permissionList.add(SecureServicePermission + .create(applicationContext.getEnvironment().getProperty(PERM_TOSCA), + cldsPermissionInstance, UPDATE)); + } + return permissionList; + } + /** + * When AAF is enabled, request object will contain a cadi Wrapper, so queries + * to isUserInRole will invoke a http call to AAF server. + */ + @Override + protected void doService(HttpServletRequest request, HttpServletResponse response) { + Principal principal = request.getUserPrincipal(); + if (principal != null && Arrays.stream(loadDynamicAuthenticationClasses()) + .anyMatch(className -> className.equals(principal.getClass().getName()))) { + // When AAF is enabled, there is a need to provision the permissions to Spring + // system List grantedAuths = new ArrayList<>(); - for (SecureServicePermission perm:permissionList) { + for (SecureServicePermission perm : getPermissionList()) { String permString = perm.toString(); if (request.isUserInRole(permString)) { grantedAuths.add(new SimpleGrantedAuthority(permString)); } } - Authentication auth = new UsernamePasswordAuthenticationToken(new User(p.getName(), "", grantedAuths), "", grantedAuths); + Authentication auth = new UsernamePasswordAuthenticationToken(new User(principal.getName(), "", + grantedAuths), "", grantedAuths); SecurityContextHolder.getContext().setAuthentication(auth); } - super.doService(request, response); + try { + super.doService(request, response); + } catch (ServletException | IOException ioe) { + logger.error("Exception caught when executing doService in servlet", ioe); + try { + response.sendError(HttpStatus.INTERNAL_SERVER_ERROR.value()); + } catch (IOException e) { + logger.error("Exception caught when executing HTTP sendError in servlet", e); + } + } } -} \ No newline at end of file +}