[DMAAP-48] Initial code import

[dmaap/datarouter.git] / datarouter-prov / src / main / java / com / att / research / datarouter / authz / impl / ProvAuthorizer.java

/*******************************************************************************\r
 * ============LICENSE_START==================================================\r
 * * org.onap.dmaap\r
 * * ===========================================================================\r
 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
 * * ===========================================================================\r
 * * Licensed under the Apache License, Version 2.0 (the "License");\r
 * * you may not use this file except in compliance with the License.\r
 * * You may obtain a copy of the License at\r
 * * \r
 *  *      http://www.apache.org/licenses/LICENSE-2.0\r
 * * \r
 *  * Unless required by applicable law or agreed to in writing, software\r
 * * distributed under the License is distributed on an "AS IS" BASIS,\r
 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 * * See the License for the specific language governing permissions and\r
 * * limitations under the License.\r
 * * ============LICENSE_END====================================================\r
 * *\r
 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
 * *\r
 ******************************************************************************/\r
\r
package com.att.research.datarouter.authz.impl;\r
\r
import java.util.Map;\r
\r
import javax.servlet.http.HttpServletRequest;\r
\r
import org.apache.log4j.Logger;\r
\r
import com.att.research.datarouter.authz.AuthorizationResponse;\r
import com.att.research.datarouter.authz.Authorizer;\r
import com.att.research.datarouter.authz.impl.AuthzResource.ResourceType;\r
\r
/** Authorizer for the provisioning API for Data Router R1\r
 * \r
 * @author J. F. Lucas\r
 *\r
 */\r
public class ProvAuthorizer implements Authorizer {\r
        \r
        private Logger log;\r
        private ProvDataProvider provData;\r
        \r
        private static final String SUBJECT_HEADER = "X-ATT-DR-ON-BEHALF-OF";  // HTTP header carrying requester identity\r
        private static final String SUBJECT_HEADER_GROUP = "X-ATT-DR-ON-BEHALF-OF-GROUP";  // HTTP header carrying requester identity  by group Rally : US708115\r
        /** Constructor. For the moment, do nothing special.  Make it a singleton? \r
         * \r
         */\r
        public ProvAuthorizer(ProvDataProvider provData) {\r
                this.provData = provData;\r
                this.log = Logger.getLogger(this.getClass());\r
        }\r
        \r
        /**\r
         * Determine if the API request carried in the <code>request</code> parameter is permitted.\r
         * \r
         * @param request the HTTP request for which an authorization decision is needed\r
         * @return an object implementing the <code>AuthorizationResponse</code> interface.  This object includes the\r
         * permit/deny decision for the request and (after R1) supplemental information related to the response in the form\r
         * of advice and obligations.\r
         */\r
        @Override\r
        public AuthorizationResponse decide(HttpServletRequest request) {\r
                        return this.decide(request, null);\r
        }\r
        \r
        /**\r
         * Determine if the API request carried in the <code>request</code> parameter, with additional attributes provided in\r
         * the <code>additionalAttrs</code> parameter, is permitted.   <code>additionalAttrs</code> isn't used in R1.\r
         * \r
         * @param request the HTTP request for which an authorization decision is needed\r
         * @param additionalAttrs additional attributes that the <code>Authorizer</code> can in making an authorization decision\r
         * @return an object implementing the <code>AuthorizationResponse</code> interface.  This object includes the\r
         * permit/deny decision for the request and (after R1) supplemental information related to the response in the form\r
         * of advice and obligations.\r
         */\r
        @Override\r
        public AuthorizationResponse decide(HttpServletRequest request,\r
                        Map<String, String> additionalAttrs) {\r
                log.trace ("Entering decide()");\r
                \r
                boolean decision = false;\r
                \r
                // Extract interesting parts of the HTTP request\r
                String method = request.getMethod();\r
                AuthzResource resource = new AuthzResource(request.getRequestURI());\r
                String subject = (request.getHeader(SUBJECT_HEADER));            // identity of the requester\r
                String subjectgroup = (request.getHeader(SUBJECT_HEADER_GROUP)); // identity of the requester by group Rally : US708115\r
\r
                log.trace("Method: " + method + " -- Type: " + resource.getType() + " -- Id: " + resource.getId() + \r
                                " -- Subject: " + subject);\r
                \r
                // Choose authorization method based on the resource type\r
                ResourceType resourceType = resource.getType();\r
                if (resourceType != null) {\r
\r
                        switch (resourceType) {\r
\r
                        case FEEDS_COLLECTION:\r
                                decision = allowFeedsCollectionAccess(resource, method, subject, subjectgroup);\r
                                break;\r
\r
                        case SUBS_COLLECTION:\r
                                decision = allowSubsCollectionAccess(resource, method, subject, subjectgroup);\r
                                break;\r
\r
                        case FEED:\r
                                decision = allowFeedAccess(resource, method, subject, subjectgroup);\r
                                break;\r
\r
                        case SUB:\r
                                decision = allowSubAccess(resource, method, subject, subjectgroup);\r
                                break;\r
\r
                        default:\r
                                decision = false;\r
                                break;\r
                        }\r
                }\r
                log.debug("Exit decide(): "  + method + "|" + resourceType + "|" + resource.getId() + "|" + subject + " ==> " + decision);\r
                \r
                return new AuthRespImpl(decision);\r
        }\r
        \r
        private boolean allowFeedsCollectionAccess(AuthzResource resource,      String method, String subject, String subjectgroup) {\r
                \r
                // Allow GET or POST unconditionally\r
                return method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("POST"));\r
        }\r
        \r
        private boolean allowSubsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) {\r
                \r
                // Allow GET or POST unconditionally\r
                return method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("POST"));\r
        }\r
        \r
        private boolean allowFeedAccess(AuthzResource resource, String method,  String subject, String subjectgroup) {\r
                boolean decision = false;\r
                \r
                // Allow GET, PUT, or DELETE if requester (subject) is the owner (publisher) of the feed\r
                if ( method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("PUT") ||\r
                                method.equalsIgnoreCase("DELETE"))) {\r
                        \r
                        String owner = provData.getFeedOwner(resource.getId());\r
                        decision = (owner != null) && owner.equals(subject);\r
                        \r
                        //Verifying by group Rally : US708115\r
                        if(subjectgroup != null) { \r
                                String feedowner = provData.getGroupByFeedGroupId(subject, resource.getId());\r
                                decision = (feedowner != null) && feedowner.equals(subjectgroup);\r
                        }\r
                }\r
                \r
                return decision;\r
        }\r
        \r
        private boolean allowSubAccess(AuthzResource resource, String method, String subject, String subjectgroup) {\r
                boolean decision = false;\r
                \r
                // Allow GET, PUT, or DELETE if requester (subject) is the owner of the subscription (subscriber)\r
                if (method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("PUT") || \r
                                method.equalsIgnoreCase("DELETE") || method.equalsIgnoreCase("POST"))) {\r
                        \r
                        String owner = provData.getSubscriptionOwner(resource.getId());\r
                        decision = (owner != null) && owner.equals(subject);\r
                        \r
                        //Verifying by group Rally : US708115\r
                        if(subjectgroup != null) {\r
                                String feedowner = provData.getGroupBySubGroupId(subject, resource.getId());\r
                                decision = (feedowner != null) && feedowner.equals(subjectgroup);\r
                        }\r
                }\r
                \r
                return decision;\r
        }\r
\r
}\r