1 /*******************************************************************************
2 * ============LICENSE_START==================================================
4 * * ===========================================================================
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
6 * * ===========================================================================
7 * * Licensed under the Apache License, Version 2.0 (the "License");
8 * * you may not use this file except in compliance with the License.
9 * * You may obtain a copy of the License at
11 * * http://www.apache.org/licenses/LICENSE-2.0
13 * * Unless required by applicable law or agreed to in writing, software
14 * * distributed under the License is distributed on an "AS IS" BASIS,
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * * See the License for the specific language governing permissions and
17 * * limitations under the License.
18 * * ============LICENSE_END====================================================
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
22 ******************************************************************************/
24 package org.onap.dmaap.datarouter.authz.impl;
26 import com.att.eelf.configuration.EELFLogger;
27 import com.att.eelf.configuration.EELFManager;
29 import jakarta.servlet.http.HttpServletRequest;
30 import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
31 import org.onap.dmaap.datarouter.authz.Authorizer;
32 import org.onap.dmaap.datarouter.authz.impl.AuthzResource.ResourceType;
34 /** Authorizer for the provisioning API for Data Router R1.
39 public class ProvAuthorizer implements Authorizer {
// Logger; obtained from EELFManager in the constructor for this class.
private EELFLogger log;
// Source of feed/subscription ownership and group data consulted by the allow* checks in this class.
private ProvDataProvider provData;
// HTTP header carrying requester identity
// NOTE(review): the identity asserted in this header is used as-is for the ownership checks below;
// confirm the component in front of this API authenticates the caller before the header is trusted.
private static final String SUBJECT_HEADER = "X-DMAAP-DR-ON-BEHALF-OF";
// HTTP header carrying requester identity by group Rally : US708115
private static final String SUBJECT_HEADER_GROUP = "X-DMAAP-DR-ON-BEHALF-OF-GROUP";
/**
 * Creates an authorizer backed by the given provisioning data source.
 *
 * @param provData provider of feed/subscription ownership and group data used for access decisions
 */
public ProvAuthorizer(ProvDataProvider provData) {
    log = EELFManager.getInstance().getLogger(getClass());
    this.provData = provData;
}
/**
 * Determine whether the API request carried in {@code request} is permitted.
 * Equivalent to {@link #decide(HttpServletRequest, Map)} with no additional attributes.
 *
 * @param request the HTTP request for which an authorization decision is needed
 * @return an {@code AuthorizationResponse} holding the permit/deny decision for the request
 *     (advice and obligations are not populated in R1)
 */
public AuthorizationResponse decide(HttpServletRequest request) {
    Map<String, String> noAdditionalAttrs = null;
    return decide(request, noAdditionalAttrs);
}
/**
 * Determine if the API request carried in the <code>request</code> parameter, with additional attributes provided in
 * the <code>additionalAttrs</code> parameter, is permitted. <code>additionalAttrs</code> isn't used in R1.
 *
 * <p>The decision is based solely on the HTTP method, the request URI (parsed into an {@link AuthzResource})
 * and the requester identity/group read from the {@code SUBJECT_HEADER} and {@code SUBJECT_HEADER_GROUP}
 * request headers. The decision starts as deny and is only changed by the allow* helper selected for the
 * resource type; a request whose URI yields no resource type keeps the deny decision.
 *
 * @param request the HTTP request for which an authorization decision is needed
 * @param additionalAttrs additional attributes that the <code>Authorizer</code> can use in making a decision
 * @return an object implementing the <code>AuthorizationResponse</code> interface. This object includes the
 * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
 * of advice and obligations.
 */
public AuthorizationResponse decide(HttpServletRequest request,
        Map<String, String> additionalAttrs) {
    log.trace("Entering decide()");
    // Deny by default; only an explicit allow* check below can flip this to true.
    boolean decision = false;
    // Extract interesting parts of the HTTP request
    String method = request.getMethod();
    AuthzResource resource = new AuthzResource(request.getRequestURI());
    // Requester identity and group, taken verbatim from request headers (caller-controlled values).
    String subject = (request.getHeader(SUBJECT_HEADER));
    String subjectgroup = (request.getHeader(SUBJECT_HEADER_GROUP));
    // NOTE(review): subject is an unsanitized header value; stripping CR/LF before logging would keep a
    // client from injecting extra log lines — confirm the log layout does not already escape them.
    log.trace("Method: " + method + " -- Type: " + resource.getType() + " -- Id: " + resource.getId()
            + " -- Subject: " + subject);
    // Choose authorization method based on the resource type
    ResourceType resourceType = resource.getType();
    if (resourceType != null) {
        switch (resourceType) {
            case FEEDS_COLLECTION:
                // Collection-level access depends on the HTTP method only.
                decision = allowFeedsCollectionAccess(method);
            // NOTE(review): only the FEEDS_COLLECTION label is visible here; confirm every ResourceType
            // value has its own case and that an unmatched type leaves the decision at deny.
            decision = allowSubsCollectionAccess(method);
            // Per-resource access additionally requires the subject (or subject group) to own the resource.
            decision = allowFeedAccess(resource, method, subject, subjectgroup);
            decision = allowSubAccess(resource, method, subject, subjectgroup);
    // Audit trail of the inputs and the resulting decision.
    log.debug("Exit decide(): " + method + "|" + resourceType + "|" + resource.getId() + "|"
            + subject + " ==> " + decision);
    return new AuthRespImpl(decision);
/**
 * Access check for the feeds collection: only the HTTP method matters.
 *
 * @param method HTTP method of the request (may be {@code null})
 * @return {@code true} for GET or POST (case-insensitive); {@code false} otherwise, including for a null method
 */
private boolean allowFeedsCollectionAccess(String method) {
    if (method == null) {
        return false;
    }
    // Listing or creating feeds is open to any caller; per-feed operations are checked in allowFeedAccess.
    return method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("POST");
}
/**
 * Access check for the subscriptions collection: only the HTTP method matters.
 *
 * @param method HTTP method of the request (may be {@code null})
 * @return {@code true} for GET or POST (case-insensitive); {@code false} otherwise, including for a null method
 */
private boolean allowSubsCollectionAccess(String method) {
    // Listing or creating subscriptions is open to any caller; per-subscription operations are checked
    // in allowSubAccess. equalsIgnoreCase on a literal is null-safe, so the null guard only documents intent.
    boolean isGet = "GET".equalsIgnoreCase(method);
    boolean isPost = "POST".equalsIgnoreCase(method);
    return method != null && (isGet || isPost);
}
/**
 * Access check for a single feed.
 *
 * <p>GET, PUT and DELETE are permitted when the subject equals the feed owner recorded in the provisioning
 * data. When the group header is present, the decision is instead taken from the group lookup. All other
 * methods are denied.
 *
 * @param resource the feed resource; only its id is used
 * @param method HTTP method of the request (may be {@code null})
 * @param subject requester identity from the subject header (may be {@code null})
 * @param subjectgroup requester group from the group header, or {@code null} if the header was absent
 * @return {@code true} if the request is permitted
 */
private boolean allowFeedAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
    boolean decision = false;
    // Allow GET, PUT, or DELETE if requester (subject) is the owner (publisher) of the feed
    if ( method != null && ("GET".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method)
            || "DELETE".equalsIgnoreCase(method))) {
        // A feed with no recorded owner can never be matched by identity.
        String owner = provData.getFeedOwner(resource.getId());
        decision = (owner != null) && owner.equals(subject);
        //Verifying by group Rally : US708115
        // NOTE(review): when the group header is present the owner comparison above is overwritten rather than
        // combined with the group result, so a matching group value grants access even if the subject is not
        // the owner. Confirm getGroupByFeedGroupId only returns a group the given subject belongs to; the
        // same pattern appears in allowSubAccess.
        if (subjectgroup != null) {
            // Despite its name, feedOwner appears to hold the group value compared against the group header.
            String feedOwner = provData.getGroupByFeedGroupId(subject, resource.getId());
            decision = (feedOwner != null) && feedOwner.equals(subjectgroup);
146 private boolean allowSubAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
147 boolean decision = false;
149 // Allow GET, PUT, or DELETE if requester (subject) is the owner of the subscription (subscriber)
150 if (method != null && ("GET".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method)
151 || "DELETE".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method))) {
153 String owner = provData.getSubscriptionOwner(resource.getId());
154 decision = (owner != null) && owner.equals(subject);
156 //Verifying by group Rally : US708115
157 if (subjectgroup != null) {
158 String feedowner = provData.getGroupBySubGroupId(subject, resource.getId());
159 decision = (feedowner != null) && feedowner.equals(subjectgroup);