password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
onap_enabled=true
onap.user_id_cookie_name=UserId
-cookie_decryptor_classname=org.onap.aai.sparky.security.BaseCookieDecryptor
\ No newline at end of file
+cookie_decryptor_classname=org.onap.aai.sparky.security.BaseCookieDecryptor
+app_roles=ui_view
\ No newline at end of file
*/
package org.onap.aai.sparky.security;
+import java.util.ArrayList;
+import java.util.List;
+
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.onap.aai.cl.api.Logger;
import org.onap.aai.cl.eelf.LoggerFactory;
import org.onap.aai.sparky.logging.AaiUiMsgs;
+import org.onap.aai.sparky.security.portal.PortalRestAPICentralServiceImpl;
import org.onap.aai.sparky.security.portal.config.PortalAuthenticationConfig;
-import org.onap.portalsdk.core.onboarding.exception.CipherUtilException;
-import org.onap.portalsdk.core.onboarding.util.CipherUtil;
+import org.onap.portalsdk.core.onboarding.exception.PortalAPIException;
import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
+import org.onap.portalsdk.core.restful.domain.EcompRole;
/**
* Provides authentication services for onboarded ECOMP applications.
public static final String CSP_COOKIE_NAME = "csp_cookie_name";
public static final String CSP_GATE_KEEPER_PROD_KEY = "csp_gate_keeper_prod_key";
public static final String ONAP_ENABLED = "ONAP_ENABLED";
+ private static EcompSso eCompSso = new EcompSso();
+ private PortalRestAPICentralServiceImpl portalRestCentralImpl = new PortalRestAPICentralServiceImpl();
private static final Logger LOG = LoggerFactory.getInstance().getLogger(EcompSso.class);
/**
"getLoginIdFromCookie failed " + t.getLocalizedMessage());
}
}
+ boolean validated = eCompSso.validateUserAccess(uid);
+ if (!validated) {
+ LOG.debug(AaiUiMsgs.DEBUG_GENERIC, "Unable to grant user access to application");
+ return null;
+ }
return uid;
}
return null;
}
+
+ public boolean validateUserAccess(String uid) {
+ boolean hasAccess = false;
+ ArrayList<String> appRoles = PortalAuthenticationConfig.getInstance().getAppRoles();
+ if (uid != null) {
+ List<EcompRole> userRoles = null;
+ try {
+ userRoles = portalRestCentralImpl.getUserRoles(uid);
+ } catch (PortalAPIException e) {
+ LOG.error(AaiUiMsgs.ERROR_GENERIC, "Unable to get user roles from Portal");
+ }
+ if (userRoles == null || appRoles.isEmpty()) {
+ LOG.debug(AaiUiMsgs.DEBUG_GENERIC, " Role list is either null or empty");
+ return hasAccess;
+ } else {
+ for (EcompRole userRole : userRoles) {
+ if (appRoles.contains(userRole.getName())) {
+ hasAccess = true;
+ }
+ }
+ }
+ }
+ return hasAccess;
+ }
}
// Redirect to Portal UI
redirectURL = PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REDIRECT_URL);
logMessage = "Unauthorized login attempt.";
-
+
LOG.debug(AaiUiMsgs.LOGIN_FILTER_DEBUG,
- logMessage +
- " | Remote IP: " + request.getRemoteAddr() +
- " | User agent: " + request.getHeader(HttpHeaders.USER_AGENT) +
+ logMessage +
+ " | Remote IP: " + request.getRemoteAddr() +
+ " | User agent: " + request.getHeader(HttpHeaders.USER_AGENT) +
" | Request URL: " + request.getRequestURL() +
- " | Redirecting to: " + redirectURL);
-
+ " | Redirecting to: " + redirectURL);
+
response.sendRedirect(redirectURL);
} else {
HttpSession session = request.getSession(false);
+ response.addHeader("Cache-Control", "no-cache, no-store");
if (session == null) {
// New session
session = request.getSession(true);
import org.onap.portalsdk.core.onboarding.crossapi.IPortalRestCentralService;
import org.onap.portalsdk.core.onboarding.exception.PortalAPIException;
import org.onap.portalsdk.core.onboarding.rest.RestWebServiceClient;
+import org.onap.portalsdk.core.onboarding.util.AuthUtil;
+import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
+import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
import org.onap.portalsdk.core.restful.domain.EcompRole;
import org.onap.portalsdk.core.restful.domain.EcompUser;
import org.slf4j.Logger;
@Override
public boolean isAppAuthenticated(HttpServletRequest request) throws PortalAPIException {
LOG.debug("Authentication request");
- PortalAuthenticationConfig config = PortalAuthenticationConfig.getInstance();
- String restUsername = request.getHeader(PortalAuthenticationConfig.PROP_USERNAME);
- String restPassword = request.getHeader(PortalAuthenticationConfig.PROP_PASSWORD);
- return restUsername != null && restPassword != null && restUsername.equals(config.getUsername())
- && restPassword.equals(config.getPassword());
+ String nameSpace = PortalApiProperties.getProperty(PortalApiConstants.AUTH_NAMESPACE);
+ boolean accessAllowed = false;
+ try {
+ accessAllowed = AuthUtil.isAccessAllowed(request, nameSpace);
+ } catch (Exception e) {
+ String response = "PortalRestAPICentralServiceImpl.isAppAuthenticated failed";
+ LOG.error(response, e);
+ }
+ return accessAllowed;
}
package org.onap.aai.sparky.security.portal.config;
+import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Properties;
import org.onap.aai.cl.api.Logger;
private String userIdCookieName;
private CookieDecryptor cookieDecryptor;
private String cookieDecryptorClassName;
+ private String delimitedAppRoles;
public static final String PROP_USERNAME = "username";
public static final String PROP_PASSWORD = "password"; // NOSONAR
public static final String PROP_USERID_COOKIE_NAME = "onap.user_id_cookie_name"; // NOSONAR
private static final String AUTHENTICATION_CONFIG_FILE = SparkyConstants.PORTAL_AUTHENTICATION_FILE_LOCATION;
public static final String PROP_COOKIEDECRYPTORCLASSNAME = "cookie_decryptor_classname";
+ public static final String PROP_APP_ROLES = "app_roles";
private static final Logger LOG = LoggerFactory.getInstance().getLogger(PortalAuthenticationConfig.class);
private PortalAuthenticationConfig() {
isOnapEnabled = Boolean.parseBoolean(props.getProperty(PROP_IS_ONAP_ENABLED, "true"));
userIdCookieName = props.getProperty(PROP_USERID_COOKIE_NAME);
cookieDecryptorClassName= props.getProperty(PROP_COOKIEDECRYPTORCLASSNAME);
+ delimitedAppRoles = props.getProperty(PROP_APP_ROLES);
}
-
- public CookieDecryptor getCookieDecryptor() throws ClassNotFoundException{
-
- Class cookieDecrypterClass = Class.forName(cookieDecryptorClassName);
- try {
- cookieDecryptor = (CookieDecryptor) cookieDecrypterClass.newInstance();
- } catch (InstantiationException | IllegalAccessException e) {
- LOG.error(AaiUiMsgs.DECRYPTION_ERROR,"Unable to instantiate Cookie Decryptor Class");
- }
- return cookieDecryptor;
+
+ public CookieDecryptor getCookieDecryptor() throws ClassNotFoundException {
+
+ Class cookieDecrypterClass = Class.forName(cookieDecryptorClassName);
+ try {
+ cookieDecryptor = (CookieDecryptor) cookieDecrypterClass.newInstance();
+ } catch (InstantiationException | IllegalAccessException e) {
+ LOG.error(AaiUiMsgs.DECRYPTION_ERROR, "Unable to instantiate Cookie Decryptor Class");
+ }
+ return cookieDecryptor;
}
-
+
+ public ArrayList<String> getAppRoles() {
+
+ ArrayList<String> appRoles = null;
+ if (delimitedAppRoles == null) {
+ return new ArrayList<>();
+ }
+
+ try {
+ appRoles = new ArrayList<String>(Arrays.asList(delimitedAppRoles.split(",")));
+ } catch (Exception exc) {
+ appRoles = new ArrayList<>();
+ }
+ return appRoles;
+ }
+
}
\ No newline at end of file
--- /dev/null
+package org.onap.aai.sparky.security;
+
+import static org.junit.Assert.assertNotNull;
+
+import java.util.ArrayList;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.onap.aai.sparky.security.portal.PortalRestAPICentralServiceImpl;
+import org.onap.portalsdk.core.onboarding.exception.PortalAPIException;
+import org.onap.portalsdk.core.restful.domain.EcompRole;
+
+
+public class EcompSsoTest {
+
+ private EcompSso ecompSso;
+ private PortalRestAPICentralServiceImpl portalRestCentralServiceImpl;
+
+ @Before
+ public void init() throws Exception {
+ ecompSso = new EcompSso();
+ portalRestCentralServiceImpl = Mockito.mock(PortalRestAPICentralServiceImpl.class);
+ }
+
+
+ @Test
+ public void TestValidateUserAccess() throws PortalAPIException {
+
+ Mockito.when(portalRestCentralServiceImpl.getUserRoles(Mockito.anyString()))
+ .thenReturn(new ArrayList<EcompRole>());
+ assertNotNull(ecompSso.validateUserAccess("ui_view"));
+ }
+
+
+}
Code Review / aai / sparky-be.git / commitdiff