},
{
"uri": "\/single\/permission\/required$",
+ "method": "GET",
+ "permissions": [
+ "test.single.access\\|single\\|permission"
+ ]
+ },
+ {
+ "uri": "\/single\/permission\/required$",
+ "method": "PUT|POST",
"permissions": [
"test.single.access\\|single\\|permission"
]
},
{
"uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+$*",
+ "method": "GET",
"permissions": [
"test.auth.access\\|clouds\\|read",
"test.auth.access\\|tenants\\|read"
}
String requestPath;
+ String requestMethod;
try {
requestPath = new URI(((HttpServletRequest) servletRequest).getRequestURI()).getPath();
+ requestMethod = ((HttpServletRequest)servletRequest).getMethod();
} catch (URISyntaxException e) {
throw new ServletException("Request URI not valid", e);
}
- if (authorizeRequest(grantedPermissions, requestPath)) {
+ if (authorizeRequest(grantedPermissions, requestPath, requestMethod)) {
LOGGER.info("Authorized");
filterChain.doFilter(servletRequest, servletResponse);
} else {
*
* @param grantedPermissions The granted permissions for the request path
* @param requestPath The request path
+ * @param requestMethod The request method i.e. HTTP verb e.g. GET, PUT, POST etc
* @return true if permissions match
*/
- private boolean authorizeRequest(List<Permission> grantedPermissions, String requestPath) {
+ private boolean authorizeRequest(List<Permission> grantedPermissions, String requestPath, String requestMethod) {
boolean authorized = false;
for (ReverseProxyAuthorization reverseProxyAuthorization : reverseProxyAuthorizations) {
- if (requestPath.matches(reverseProxyAuthorization.getUri())) {
+ if (requestPath.matches(reverseProxyAuthorization.getUri()) &&
+ requestMethod.matches(reverseProxyAuthorization.getMethod())) {
LOGGER.debug("The URI:{} matches:{}", requestPath, reverseProxyAuthorization.getUri());
if (checkPermissionsMatch(grantedPermissions, reverseProxyAuthorization)) {
authorized = true;
public class ReverseProxyAuthorization {
private String uri;
+ private String method;
private String[] permissions;
public String getUri() {
public String[] getPermissions() {
return permissions;
}
+
+ public String getMethod() {
+ return method == null ? "GET" : method;
+ }
}
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import javax.annotation.Resource;
+
import org.eclipse.jetty.util.security.Password;
import org.junit.Before;
import org.junit.Test;
}
+ @Test
+ public void testURIPUTMatchSinglePermissionMatch() throws Exception {
+
+ String transactionId = "63f88b50-6345-4a61-bc59-3a48cabb60a4";
+ String testUrl = "/single/permission/required";
+ String testResponse = "Response from MockRestService";
+
+ mockServer
+ .expect(requestTo(primaryServiceBaseUrl + testUrl))
+ .andExpect(method(HttpMethod.PUT))
+ .andExpect(header(transactionIdHeaderName, transactionId))
+ .andRespond(withSuccess(testResponse, MediaType.APPLICATION_JSON));
+
+ // Send request to mock server with transaction Id
+ mockMvc
+ .perform(MockMvcRequestBuilders.put(testUrl).accept(MediaType.APPLICATION_JSON).header(transactionIdHeaderName, transactionId))
+ .andExpect(status().isOk())
+ .andExpect(content().string(equalTo(testResponse)));
+
+ mockServer.verify();
+
+ }
+
+
+ @Test
+ public void testURIPATCHMatchSinglePermissionMatch() throws Exception {
+
+ String transactionId = "63f88b50-6345-4a61-bc59-3a48cabb60a4";
+ String testUrl = "/single/permission/required";
+ String testResponse = "Sorry, the request is not allowed";
+
+ // Send request to mock server with transaction Id
+ mockMvc
+ .perform(MockMvcRequestBuilders.patch(testUrl).accept(MediaType.APPLICATION_JSON).header(transactionIdHeaderName, transactionId))
+ .andExpect(status().isForbidden())
+ .andExpect(status().reason(testResponse));
+
+ mockServer.verify();
+
+ }
+
@Test
public void testURIMatchMultiplePermissionMatch() throws Exception {
Code Review / aaf / cadi.git / commitdiff