2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright © 2018 European Software Marketing Ltd.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
20 package org.onap.aaf.rproxy;
22 import com.google.gson.Gson;
23 import com.google.gson.stream.JsonReader;
25 import java.io.FileInputStream;
26 import java.io.IOException;
27 import java.io.InputStream;
28 import java.io.InputStreamReader;
30 import java.net.URISyntaxException;
31 import java.security.Principal;
32 import java.util.ArrayList;
33 import java.util.List;
34 import javax.annotation.Resource;
35 import javax.servlet.Filter;
36 import javax.servlet.FilterChain;
37 import javax.servlet.FilterConfig;
38 import javax.servlet.ServletException;
39 import javax.servlet.ServletRequest;
40 import javax.servlet.ServletResponse;
41 import javax.servlet.http.HttpServletRequest;
42 import javax.servlet.http.HttpServletResponse;
43 import org.eclipse.jetty.http.HttpStatus;
44 import org.onap.aaf.cadi.CadiWrap;
45 import org.onap.aaf.cadi.Permission;
46 import org.onap.aaf.rproxy.config.ReverseProxyURIAuthorizationProperties;
47 import org.onap.aaf.rproxy.utils.ReverseProxyAuthorization;
48 import org.slf4j.Logger;
49 import org.slf4j.LoggerFactory;
50 import org.springframework.boot.context.properties.EnableConfigurationProperties;
51 import org.springframework.core.annotation.Order;
52 import org.springframework.stereotype.Component;
56 @EnableConfigurationProperties(ReverseProxyURIAuthorizationProperties.class)
57 public class ReverseProxyAuthorizationFilter implements Filter {
59 private static final Logger LOGGER = LoggerFactory.getLogger(ReverseProxyAuthorizationFilter.class);
61 private ReverseProxyAuthorization[] reverseProxyAuthorizations = new ReverseProxyAuthorization[] {};
64 private ReverseProxyURIAuthorizationProperties reverseProxyURIAuthorizationProperties;
67 public void init(FilterConfig filterConfig) throws ServletException {
69 // Read in the URI Authorisation configuration file
70 String authFilePath = reverseProxyURIAuthorizationProperties.getConfigurationFile();
71 if (authFilePath != null) {
72 try (InputStream inputStream =
73 new FileInputStream(new File(reverseProxyURIAuthorizationProperties.getConfigurationFile()));
74 JsonReader jsonReader = new JsonReader(new InputStreamReader(inputStream))) {
75 reverseProxyAuthorizations = new Gson().fromJson(jsonReader, ReverseProxyAuthorization[].class);
76 } catch (IOException e) {
77 throw new ServletException("Authorizations config file not found.", e);
83 public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
84 throws IOException, ServletException {
86 CadiWrap cadiWrap = (CadiWrap) servletRequest;
87 Principal principal = cadiWrap.getUserPrincipal();
88 List<Permission> grantedPermissions = new ArrayList<>();
89 cadiWrap.getLur().fishAll(principal, grantedPermissions);
91 if (LOGGER.isDebugEnabled()) {
92 logNeededPermissions();
97 requestPath = new URI(((HttpServletRequest) servletRequest).getRequestURI()).getPath();
98 } catch (URISyntaxException e) {
99 throw new ServletException("Request URI not valid", e);
102 if (authorizeRequest(grantedPermissions, requestPath)) {
103 LOGGER.info("Authorized");
104 filterChain.doFilter(servletRequest, servletResponse);
106 LOGGER.info("Unauthorized");
107 ((HttpServletResponse) servletResponse).setStatus(HttpStatus.FORBIDDEN_403);
108 ((HttpServletResponse) servletResponse).setContentType("application/json");
109 ((HttpServletResponse) servletResponse).sendError(HttpStatus.FORBIDDEN_403,
110 "Sorry, the request is not allowed");
115 * Check if the granted permissions for the request path matches the configured needed permissions.
117 * @param grantedPermissions The granted permissions for the request path
118 * @param requestPath The request path
119 * @return true if permissions match
121 private boolean authorizeRequest(List<Permission> grantedPermissions, String requestPath) {
122 boolean authorized = false;
123 for (ReverseProxyAuthorization reverseProxyAuthorization : reverseProxyAuthorizations) {
124 if (requestPath.matches(reverseProxyAuthorization.getUri())) {
125 LOGGER.debug("The URI:{} matches:{}", requestPath, reverseProxyAuthorization.getUri());
126 if (checkPermissionsMatch(grantedPermissions, reverseProxyAuthorization)) {
131 LOGGER.debug("The URI:{} doesn't match any in the configuration:{}", requestPath,
132 reverseProxyAuthorization.getUri());
139 * Check all needed permissions match the granted permissions.
141 * @param grantedPermissions the granted permissions
142 * @param reverseProxyAuthorization the bean that contains the needed permissions
143 * @return true if all needed permissions match
145 private boolean checkPermissionsMatch(List<Permission> grantedPermissions,
146 ReverseProxyAuthorization reverseProxyAuthorization) {
148 boolean matchedAllPermissions = true;
149 for (String neededPermission : reverseProxyAuthorization.getPermissions()) {
151 // Check needed permission is granted
152 boolean matchedNeededPermission = false;
153 for (Permission grantedPermission : grantedPermissions) {
154 if (checkGrantedPermission(neededPermission, grantedPermission.getKey())) {
155 LOGGER.debug("Permission match found - needed permission:{}, granted permission:{}",
156 neededPermission, grantedPermission.getKey());
157 matchedNeededPermission = true;
161 if (!matchedNeededPermission) {
162 matchedAllPermissions = false;
166 return matchedAllPermissions;
170 * Check whether an AAF style permission matches a needed permission. Wildcards (*) are supported.
172 * @param neededPermission, the needed permission
173 * @param grantedPermission, the granted permission
175 * @return true if the needed permission matches a granted permission
177 private boolean checkGrantedPermission(String neededPermission, String grantedPermission) {
178 boolean permissionMatch = false;
179 if (grantedPermission.matches(neededPermission)) {
180 permissionMatch = true;
181 } else if (grantedPermission.contains("*")) {
182 String[] splitNeededPermission = neededPermission.split("\\\\\\|");
183 String[] splitGrantedPermission = grantedPermission.split("\\|");
184 if ((splitGrantedPermission[0].matches(splitNeededPermission[0]))
185 && (splitGrantedPermission[1].equals("*")
186 || splitGrantedPermission[1].matches(splitNeededPermission[1]))
187 && (splitGrantedPermission[2].equals("*")
188 || splitGrantedPermission[2].matches(splitNeededPermission[2]))) {
189 permissionMatch = true;
192 return permissionMatch;
196 * Log the needed permissions for each URL configured.
198 private void logNeededPermissions() {
199 for (ReverseProxyAuthorization reverseProxyAuthorization : reverseProxyAuthorizations) {
200 LOGGER.debug("URI For authorization: {}", reverseProxyAuthorization.getUri());
201 for (String permission : reverseProxyAuthorization.getPermissions()) {
202 LOGGER.debug("\t Needed permission:{}", permission);
208 public void destroy() {