import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Base64;
-import java.util.stream.Collectors;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.onap.dcae.ApplicationSettings;
import org.onap.dcaegen2.services.sdk.security.CryptPassword;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+import org.springframework.stereotype.Component;
-final class ApiAuthInterceptor extends HandlerInterceptorAdapter {
+@Component
+public class ApiAuthInterceptor implements Filter {
private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class);
private static final String CERTIFICATE_X_509 = "javax.servlet.request.X509Certificate";
this.errorLogger = errorLogger;
}
- @Override
- public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
- throws IOException {
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
SubjectMatcher subjectMatcher = new SubjectMatcher(settings,(X509Certificate[]) request.getAttribute(CERTIFICATE_X_509));
if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value())){
- return validateCertRequest(response, subjectMatcher);
+ if( validateCertRequest((HttpServletResponse )response, subjectMatcher)){
+ chain.doFilter(request, response);
+ return;
+ }
+ return;
}
if(isCertSubject(subjectMatcher)){
- return true;
+ chain.doFilter(request, response);
+ return;
}
if (isBasicAuth() ) {
- return validateBasicHeader(request, response);
+ if(validateBasicHeader((HttpServletRequest)request, (HttpServletResponse)response)){
+ chain.doFilter(request, response);
+ return;
+ }
+ return;
}
- return true;
+ chain.doFilter(request, response);
}
private boolean validateBasicHeader(HttpServletRequest request, HttpServletResponse response)
+++ /dev/null
-/*
- * ============LICENSE_START=======================================================
- * PROJECT
- * ================================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
- * Copyright (C) 2018 Nokia. All rights reserved.s
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.dcae.restapi;
-
-import org.onap.dcae.ApplicationSettings;
-import org.slf4j.Logger;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.web.servlet.config.annotation.EnableWebMvc;
-import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-
-@EnableWebMvc
-@Configuration
-public class ApiConfiguration implements WebMvcConfigurer {
-
- private final ApplicationSettings applicationSettings;
- private Logger errorLogger;
-
- @Autowired
- ApiConfiguration(ApplicationSettings applicationSettings, Logger errorLogger) {
- this.applicationSettings = applicationSettings;
- this.errorLogger = errorLogger;
- }
-
- @Override
- public void addInterceptors(InterceptorRegistry registry) {
- registry.addInterceptor(new ApiAuthInterceptor(applicationSettings, errorLogger));
- }
-}
package org.onap.dcae.restapi;
+import static org.mockito.Mockito.atLeastOnce;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
import io.vavr.collection.HashMap;
import io.vavr.collection.Map;
+import java.io.IOException;
+import java.io.PrintWriter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.io.PrintWriter;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
@RunWith(MockitoJUnitRunner.Silent.class)
public class ApiAuthInterceptionTest {
private static final String USERNAME = "Foo";
private HttpServletResponse response;
@Mock
- private Object obj;
+ private FilterChain obj;
@Mock
private PrintWriter writer;
}
@Test
- public void shouldSucceedWhenAuthorizationIsDisabled() throws IOException {
+ public void shouldSucceedWhenAuthorizationIsDisabled() throws IOException, ServletException {
// given
final HttpServletRequest request = createEmptyRequest();
when(settings.authMethod()).thenReturn(AuthMethodType.NO_AUTH.value());
// when
- final boolean isAuthorized = sut.preHandle(request, response, obj);
+ sut.doFilter(request, response, obj);
// then
- assertTrue(isAuthorized);
+ verify(obj, atLeastOnce()).doFilter(request, response);
}
@Test
- public void shouldFailDueToEmptyBasicAuthorizationHeader() throws IOException {
+ public void shouldFailDueToEmptyBasicAuthorizationHeader() throws IOException, ServletException {
// given
final HttpServletRequest request = createEmptyRequest();
when(response.getWriter()).thenReturn(writer);
// when
- final boolean isAuthorized = sut.preHandle(request, response, obj);
-
+ sut.doFilter(request, response, obj);
// then
- assertFalse(isAuthorized);
-
verify(response).setStatus(HttpStatus.UNAUTHORIZED.value());
verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString());
}
@Test
- public void shouldFailDueToBasicAuthenticationUserMissingFromSettings() throws IOException {
+ public void shouldFailDueToBasicAuthenticationUserMissingFromSettings()
+ throws IOException, ServletException {
// given
final HttpServletRequest request = createRequestWithAuthorizationHeader();
when(response.getWriter()).thenReturn(writer);
// when
- final boolean isAuthorized = sut.preHandle(request, response, obj);
+ sut.doFilter(request, response, obj);
// then
- assertFalse(isAuthorized);
-
verify(response).setStatus(HttpStatus.UNAUTHORIZED.value());
verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString());
}
@Test
- public void shouldSucceed() throws IOException {
+ public void shouldSucceed() throws IOException, ServletException {
// given
final HttpServletRequest request = createRequestWithAuthorizationHeader();
when(settings.authMethod()).thenReturn(AuthMethodType.BASIC_AUTH.value());
when(response.getWriter()).thenReturn(writer);
// when
- final boolean isAuthorized = sut.preHandle(request, response, obj);
+ sut.doFilter(request, response, obj);
// then
- assertTrue(isAuthorized);
+ verify(obj, atLeastOnce()).doFilter(request, response);
}
@Test
- public void shouldFailDueToInvalidBasicAuthorizationHeaderValue() throws IOException {
+ public void shouldFailDueToInvalidBasicAuthorizationHeaderValue()
+ throws IOException, ServletException {
// given
final HttpServletRequest request =
MockMvcRequestBuilders
when(response.getWriter()).thenReturn(writer);
// when
- final boolean isAuthorized = sut.preHandle(request, response, obj);
-
- // then
- assertFalse(isAuthorized);
+ sut.doFilter(request, response, obj);
+ //then
verify(response).setStatus(HttpStatus.UNAUTHORIZED.value());
verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString());
}
Code Review / dcaegen2 / collectors / ves.git / commitdiff