<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>parent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
</parent>
<artifactId>aaf-auth-client</artifactId>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
}
public final Validator permInstance(String instance) {
- if (nob(instance,instChars)) {
+ if(!"/".equals(instance) && nob(instance,instChars)) {
msg("Perm Instance [" + instance + "] is invalid.");
}
return this;
<artifactId>authparent</artifactId>
<relativePath>../pom.xml</relativePath>
<groupId>org.onap.aaf.authz</groupId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
</parent>
<artifactId>aaf-auth-deforg</artifactId>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
. ./aaf.props
DOCKER=${DOCKER:=docker}
-CADI_VERSION=${CADI_VERSION:=2.1.7-SNAPSHOT}
+CADI_VERSION=${CADI_VERSION:=2.1.8-SNAPSHOT}
for V in VERSION DOCKER_REPOSITORY AAF_FQDN AAF_FQDN_IP DEPLOY_FQI APP_FQDN APP_FQI VOLUME DRIVER LATITUDE LONGITUDE; do
if [ "$(grep $V ./aaf.props)" = "" ]; then
ORG=onap
PROJECT=aaf
DOCKER_REPOSITORY=nexus3.onap.org:10003
-VERSION=2.1.7-SNAPSHOT
+VERSION=2.1.8-SNAPSHOT
CONF_ROOT_DIR=/opt/app/osaaf
# For local builds, set PREFIX=
PREFIX="$DOCKER_REPOSITORY/"
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>parent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
</parent>
<artifactId>authparent</artifactId>
<name>AAF Auth Parent</name>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>cadiparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
if (pass=sItem.length()==0) {
break; // Both Empty, keep checking
}
- } else if (sItem.charAt(0)==START_REGEX_CHAR) { // Check Server side when wildcarding like *
+ } else if (sItem.length()>0 && sItem.charAt(0)==START_REGEX_CHAR) { // Check Server side when wildcarding like *
if (pass=pkeys[i].matches(sItem.substring(1))) {
break; // Matches, keep checking
}
} else {
try {
mapIds = new MapBathConverter(access, new CSV(csvFile));
+ access.log(Level.INIT,"Basic Auth Conversion using",csvFile,"enabled" );
} catch (IOException | CadiException e) {
- access.log(e,"Bath Map Conversion is not initialzed (non fatal)");
+ access.log(e,"Bath Map Conversion is not initialized (non fatal)");
}
}
// Accept matching empty keys
assertThat(PermEval.evalInstance(":", ":"), is(true));
+ assertThat(PermEval.evalInstance("/", "/"), is(true));
+ assertThat(PermEval.evalInstance("/something/", "/something/"), is(true));
// Reject non-matching empty keys
assertThat(PermEval.evalInstance(":fred", ":"), is(false));
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>cadiparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>cadiparent</artifactId>
<relativePath>..</relativePath>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
public static final String CADI_PROTOCOLS = "cadi_protocols";
public static final String CADI_NOAUTHN = "cadi_noauthn";
public static final String CADI_LOC_LIST = "cadi_loc_list";
+
+ // Special Behaviors
public static final String CADI_BATH_CONVERT = "cadi_bath_convert";
+ public static final String CADI_API_ENFORCEMENT = "cadi_api_enforcement";
public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain";
public static final String CADI_USER_CHAIN = "USER_CHAIN";
oadtClss = Class.forName(OAUTH_DIRECT_TAF);
} catch (ClassNotFoundException e1) {
oadtClss = null;
- access.log(Level.INIT, e1);
+ access.log(Level.DEBUG, e1);
}
if (additionalTafLurs!=null && additionalTafLurs.length>0 && (oadtClss!=null && additionalTafLurs[0].getClass().isAssignableFrom(oadtClss))) {
htlist.add((HttpTaf)additionalTafLurs[0]);
--- /dev/null
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ */
+package org.onap.aaf.cadi.filter;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.TreeMap;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.ServletContextAccess;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.util.Split;
+
+/**
+ * This filter allows one to protect the APIs from data stored in AAF
+ *
+ * @author Instrumental(Jonathan)
+ */
+public class CadiApiEnforcementFilter implements Filter {
+ private String type;
+ private Map<String,List<String>> publicPaths;
+ private Access access;
+
+
+ public CadiApiEnforcementFilter(Access access, String enforce) throws ServletException {
+ this.access = access;
+ init(enforce);
+ }
+
+
+ @Override
+ public void init(FilterConfig fc) throws ServletException {
+ init(fc.getInitParameter(Config.CADI_API_ENFORCEMENT));
+ // need the Context for Logging, instantiating ClassLoader, etc
+ ServletContextAccess sca=new ServletContextAccess(fc);
+ if (access==null) {
+ access = sca;
+ }
+ }
+
+ private void init(final String ptypes) throws ServletException {
+ if(ptypes==null) {
+ throw new ServletException("CadiApiEnforcement requires " + Config.CADI_API_ENFORCEMENT + " property");
+ }
+ String[] full = Split.splitTrim(';', ptypes);
+ if(full.length==0) {
+ throw new ServletException(Config.CADI_API_ENFORCEMENT + " property is empty");
+ }
+ if(full.length>0) {
+ type=full[0];
+ }
+ publicPaths = new TreeMap<String,List<String>>();
+ if(full.length>1) {
+ for(int i=1;i<full.length;++i) {
+ String pubArray[] = Split.split(':', full[i]);
+ if(pubArray.length==2) {
+ List<String> ls = publicPaths.get(pubArray[0]);
+ if(ls==null) {
+ ls = new ArrayList<String>();
+ publicPaths.put(pubArray[0], ls);
+ }
+ ls.add(pubArray[1]);
+ }
+ }
+ }
+ }
+
+
+ @Override
+ public void doFilter(ServletRequest req, ServletResponse resp, FilterChain fc) throws IOException, ServletException {
+ HttpServletRequest hreq = (HttpServletRequest)req;
+ final String meth = hreq.getMethod();
+ final String path = hreq.getContextPath()+hreq.getPathInfo();
+ List<String> list = publicPaths.get(meth);
+ if(list!=null) {
+ for( String p : publicPaths.get(meth)) {
+ if(path.startsWith(p)) {
+ access.printf(Level.INFO, "%s accessed public API %s %s\n",
+ hreq.getUserPrincipal().getName(),
+ meth,
+ path);
+ fc.doFilter(req, resp);
+ return;
+ }
+ }
+ }
+ if(hreq.isUserInRole(type + '|'+path+'|'+meth)) {
+ access.printf(Level.INFO, "%s is allowed access to %s %s\n",
+ hreq.getUserPrincipal().getName(),
+ meth,
+ path);
+ fc.doFilter(req, resp);
+ } else {
+ access.printf(Level.AUDIT, "%s is denied access to %s %s\n",
+ hreq.getUserPrincipal().getName(),
+ meth,
+ path);
+ }
+ }
+
+ @Override
+ public void destroy() {
+ }
+}
private static List<Pair> mapPairs;
private Access access;
private Object[] additionalTafLurs;
- private Filter oauthFilter;
+ private SideChain sideChain;
private static int count=0;
public Lur getLur() {
@SuppressWarnings("unchecked")
private void init(Get getter) throws ServletException {
+ sideChain = new SideChain();
// Start with the assumption of "Don't trust anyone".
TrustChecker tc = TrustChecker.NOTRUST; // default position
try {
Class<Filter> cf=null;
try {
cf= (Class<Filter>) Class.forName("org.onap.aaf.cadi.oauth.OAuthFilter");
- oauthFilter = cf.newInstance();
+ sideChain.add(cf.newInstance());
} catch (ClassNotFoundException e) {
- oauthFilter = new Filter() { // Null Filter
- @Override
- public void destroy() {
- }
-
- @Override
- public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)throws IOException, ServletException {
- chain.doFilter(req, resp);
- }
-
- @Override
- public void init(FilterConfig arg0) throws ServletException {
- }
- };
+ access.log(Level.DEBUG, "OAuthFilter not enabled");
}
} catch (Exception e) {
access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage());
}
}
+ // Add API Enforcement Point
+ String enforce = getter.get(Config.CADI_API_ENFORCEMENT, null, true);
+ if(enforce!=null && enforce.length()>0) {
+ sideChain.add(new CadiApiEnforcementFilter(access,enforce));
+ }
// Remove Getter
getter = Get.NULL;
}
CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq));
if (httpChecker.notCadi(cw, hresp)) {
startCode=System.nanoTime();
- oauthFilter.doFilter(cw,response,chain);
+ sideChain.doFilter(cw,response,chain);
code = Timing.millis(startCode);
}
}
--- /dev/null
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ */
+
+package org.onap.aaf.cadi.filter;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.xml.ws.Holder;
+
+/**
+ * Add various Filters by CADI Property not in the official Chain
+ *
+ * @author Instrumental(Jonathan)
+ *
+ */
+public class SideChain {
+ private List<Filter> sideChain;
+
+ public SideChain() {
+ sideChain = new ArrayList<Filter>();
+ }
+
+ public void add(Filter f) {
+ sideChain.add(f);
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {
+ final Holder<Boolean> hbool = new Holder<Boolean>(Boolean.TRUE);
+ FilterChain truth = new FilterChain() {
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
+ hbool.value=Boolean.TRUE;
+ }
+ public String toString() {
+ return hbool.value.toString();
+ }
+ };
+ for(Filter f : sideChain) {
+ hbool.value=Boolean.FALSE;
+ f.doFilter(request, response, truth);
+ if(!hbool.value) {
+ return;
+ }
+ }
+ if(hbool.value) {
+ chain.doFilter(request, response);
+ }
+ }
+}
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>cadiparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>parent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
</parent>
<artifactId>cadiparent</artifactId>
<name>AAF CADI Parent (Code, Access, Data, Identity)</name>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>cadiparent</artifactId>
<relativePath>..</relativePath>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<name>CADI Servlet Sample (Test Only)</name>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>miscparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>miscparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>parent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
</parent>
<artifactId>miscparent</artifactId>
<name>AAF Misc Parent</name>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>miscparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>miscparent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>parent</artifactId>
- <version>2.1.7-SNAPSHOT</version>
+ <version>2.1.8-SNAPSHOT</version>
<name>aaf-authz</name>
<packaging>pom</packaging>
major=2
minor=1
-patch=7
+patch=8
base_version=${major}.${minor}.${patch}
Code Review / aaf / authz.git / commitdiff