X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=src%2Fmain%2Fjava%2Forg%2Fonap%2Fdmaap%2Fdbcapi%2Fresources%2FAAFAuthorizationFilter.java;fp=src%2Fmain%2Fjava%2Forg%2Fonap%2Fdmaap%2Fdbcapi%2Fresources%2FAAFAuthorizationFilter.java;h=5bc3dec2af6147814cdc3944b93dae00ac15cc06;hb=03b16f6df6fe5545a4ed219916c77dd696694ea2;hp=0000000000000000000000000000000000000000;hpb=ea44032b89d04201924f7ca1551cb33ed49b947e;p=dmaap%2Fdbcapi.git

diff --git a/src/main/java/org/onap/dmaap/dbcapi/resources/AAFAuthorizationFilter.java b/src/main/java/org/onap/dmaap/dbcapi/resources/AAFAuthorizationFilter.java
new file mode 100644
index 0000000..5bc3dec
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dbcapi/resources/AAFAuthorizationFilter.java
@@ -0,0 +1,116 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2019 Nokia Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.dmaap.dbcapi.resources;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.log4j.Logger;
+import org.eclipse.jetty.http.HttpStatus;
+import org.onap.dmaap.dbcapi.model.ApiError;
+import org.onap.dmaap.dbcapi.service.DmaapService;
+import org.onap.dmaap.dbcapi.util.DmaapConfig;
+import org.onap.dmaap.dbcapi.util.PermissionBuilder;
+
+public class AAFAuthorizationFilter implements Filter{
+
+    private static final Logger LOGGER = Logger.getLogger(AAFAuthenticationFilter.class.getName());
+    static final String AAF_AUTHZ_FLAG = "UseAAF";
+    private boolean isAafEnabled = false;
+
+    private PermissionBuilder permissionBuilder;
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        DmaapConfig dmaapConfig = getConfig();
+        isAafEnabled = "true".equalsIgnoreCase(dmaapConfig.getProperty(AAF_AUTHZ_FLAG, "false"));
+        if(isAafEnabled) {
+            permissionBuilder = new PermissionBuilder(dmaapConfig, getDmaapService());
+        }
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
+        throws IOException, ServletException {
+
+        if(isAafEnabled) {
+            HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
+            permissionBuilder.updateDmaapInstance();
+            String permission = permissionBuilder.buildPermission(httpRequest);
+
+            if (httpRequest.isUserInRole(permission)) {
+                LOGGER.info("User " + httpRequest.getUserPrincipal().getName() + " has permission " + permission);
+                filterChain.doFilter(servletRequest, servletResponse);
+            } else {
+                String msg = "User " + httpRequest.getUserPrincipal().getName() + " does not have permission " + permission;
+                LOGGER.error(msg);
+                ((HttpServletResponse) servletResponse).setStatus(HttpStatus.FORBIDDEN_403);
+                servletResponse.setContentType("application/json");
+                servletResponse.setCharacterEncoding("UTF-8");
+                servletResponse.getWriter().print(buildErrorResponse(msg));
+                servletResponse.getWriter().flush();
+            }
+        } else {
+            filterChain.doFilter(servletRequest, servletResponse);
+        }
+    }
+
+    @Override
+    public void destroy() {
+        //nothing to cleanup
+    }
+
+    DmaapConfig getConfig() {
+        return (DmaapConfig) DmaapConfig.getConfig();
+    }
+
+    DmaapService getDmaapService() {
+        return new DmaapService();
+    }
+
+    private String buildErrorResponse(String msg) {
+        try {
+            return new ObjectMapper().writeValueAsString(new ApiError(HttpStatus.FORBIDDEN_403, msg, "Authorization"));
+        } catch (JsonProcessingException e) {
+            LOGGER.warn("Could not serialize response entity: " + e.getMessage());
+            return "";
+        }
+    }
+
+    PermissionBuilder getPermissionBuilder() {
+        return permissionBuilder;
+    }
+
+    void setPermissionBuilder(PermissionBuilder permissionBuilder) {
+        this.permissionBuilder = permissionBuilder;
+    }
+
+    void setAafEnabled(boolean aafEnabled) {
+        isAafEnabled = aafEnabled;
+    }
+}