*/
package org.onap.aai.config.aaf;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
import org.apache.commons.io.IOUtils;
import org.onap.aai.Profiles;
import org.springframework.beans.factory.annotation.Value;
@PropertySource("file:${server.local.startpath}/aaf/permissions.properties")
public class AafAuthorizationFilter extends OrderedRequestContextFilter {
+ private static final EELFLogger logger = EELFManager.getInstance().getLogger(AafAuthorizationFilter.class.getName());
+
private static final String ADVANCED = "advanced";
private static final String BASIC = "basic";
private static final String ECHO_ENDPOINT = "^.*/util/echo$";
String payload = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.name());
boolean containsWordGremlin = payload.contains("\"gremlin\"");
- //if the request contains the word "gremlin" it's an advanced query
- String queryType = containsWordGremlin ? ADVANCED : BASIC;
- String permission = String.format("%s|%s|%s", type, instance, queryType);
- if(!request.isUserInRole(permission)){
+ //if the request contains the word "gremlin" it's an "advanced" query needing an "advanced" role
+ String permissionBasic = String.format("%s|%s|%s", type, instance, ADVANCED);
+ String permissionAdvanced = String.format("%s|%s|%s", type, instance, BASIC);
+
+ boolean isAuthorized;
+
+ if(containsWordGremlin){
+ isAuthorized = request.isUserInRole(permissionAdvanced);
+ }else{
+ isAuthorized = request.isUserInRole(permissionAdvanced) || request.isUserInRole(permissionBasic);
+ }
+
+ if(!isAuthorized){
+ String name = request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "unknown";
+ logger.info("User " + name + " does not have a role for " + (containsWordGremlin ? "gremlin" : "non-gremlin") + " query" );
response.setStatus(403);
}else{
filterChain.doFilter(request,response);
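Review bot: The two permission strings are built with the constants swapped — `permissionBasic` is formatted with `ADVANCED` and `permissionAdvanced` with `BASIC` — so the gremlin branch actually tests `request.isUserInRole("…|basic")`, which lets a principal holding only the basic role run advanced queries while a principal holding only the advanced role is refused. The intended lines are `String permissionBasic = String.format("%s|%s|%s", type, instance, BASIC);` and `String permissionAdvanced = String.format("%s|%s|%s", type, instance, ADVANCED);`. Because the swap is invisible until someone exercises both roles, a unit test that asserts a basic-only principal receives 403 for a payload containing `"gremlin"` (and an advanced-only principal is let through) would pin the contract. The surrounding method begins and ends outside this hunk, so the request/type/instance values it formats come from code not shown here.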
*/
package org.onap.aai.config.aaf;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
import org.onap.aaf.cadi.PropAccess;
import org.onap.aaf.cadi.filter.CadiFilter;
import org.onap.aai.Profiles;
@Profile(Profiles.AAF_AUTHENTICATION)
public class AafFilter extends OrderedRequestContextFilter {
+ private static final EELFLogger log = EELFManager.getInstance().getLogger(AafFilter.class.getName());
+
private final CadiFilter cadiFilter;
public AafFilter() throws IOException, ServletException {
if(!request.getRequestURI().matches("^.*/util/echo$")) {
cadiFilter.doFilter(request, response, filterChain);
if (response.getStatus() == 401 || response.getStatus() == 403) {
+ log.info("User does not have permissions to run the query" );
errorResponse(request, response);
}
}