1 /*******************************************************************************
\r
2 * ============LICENSE_START==================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
24 package org.onap.dmaap.datarouter.authz.impl;
\r
26 import java.util.Map;
\r
28 import javax.servlet.http.HttpServletRequest;
\r
30 import org.apache.log4j.Logger;
\r
31 import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
\r
32 import org.onap.dmaap.datarouter.authz.Authorizer;
\r
33 import org.onap.dmaap.datarouter.authz.impl.AuthzResource.ResourceType;
\r
35 /** Authorizer for the provisioning API for Data Router R1
\r
37 * @author J. F. Lucas
\r
40 public class ProvAuthorizer implements Authorizer {
\r
// Source of feed/subscription ownership and group data consulted by the per-resource checks
// (getFeedOwner, getSubscriptionOwner, getGroupByFeedGroupId, getGroupBySubGroupId).
43 private ProvDataProvider provData;
\r
// Names of the request headers from which decide() reads the requester's asserted identity and
// group. NOTE(review): this class only compares these header values against provisioning data;
// it does not authenticate them. The decision is therefore only as trustworthy as the upstream
// component that sets (or strips) these headers — confirm that clients cannot supply them directly.
45 private static final String SUBJECT_HEADER = "X-ATT-DR-ON-BEHALF-OF"; // HTTP header carrying requester identity
\r
46 private static final String SUBJECT_HEADER_GROUP = "X-ATT-DR-ON-BEHALF-OF-GROUP"; // HTTP header carrying requester identity by group Rally : US708115
\r
47 /** Constructor. For the moment, do nothing special. Make it a singleton?
\r
/**
 * Creates an authorizer backed by the given provisioning-data provider.
 *
 * @param provData source of feed/subscription ownership and group data that the
 *     per-resource checks consult; it is stored as-is (a null provider fails on first use)
 */
public ProvAuthorizer(ProvDataProvider provData) {
    log = Logger.getLogger(getClass());
    this.provData = provData;
}
\r
56 * Determine if the API request carried in the <code>request</code> parameter is permitted.
\r
58 * @param request the HTTP request for which an authorization decision is needed
\r
59 * @return an object implementing the <code>AuthorizationResponse</code> interface. This object includes the
\r
60 * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
\r
61 * of advice and obligations.
\r
/**
 * Decides whether the API request is permitted, without any additional attributes.
 * Simply delegates to {@link #decide(HttpServletRequest, Map)} with a {@code null} attribute map.
 *
 * @param request the HTTP request for which an authorization decision is needed
 * @return the permit/deny decision for the request
 */
public AuthorizationResponse decide(HttpServletRequest request) {
    return decide(request, null);
}
\r
69 * Determine if the API request carried in the <code>request</code> parameter, with additional attributes provided in
\r
70 * the <code>additionalAttrs</code> parameter, is permitted. <code>additionalAttrs</code> isn't used in R1.
\r
72 * @param request the HTTP request for which an authorization decision is needed
\r
73 * @param additionalAttrs additional attributes that the <code>Authorizer</code> can use in making an authorization decision
\r
74 * @return an object implementing the <code>AuthorizationResponse</code> interface. This object includes the
\r
75 * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
\r
76 * of advice and obligations.
\r
79 public AuthorizationResponse decide(HttpServletRequest request,
\r
80 Map<String, String> additionalAttrs) {
\r
81 log.trace ("Entering decide()");
\r
// Fail closed: anything not explicitly permitted by one of the per-resource checks below
// is denied, including a request whose URI does not map to a known resource type.
83 boolean decision = false;
\r
85 // Extract interesting parts of the HTTP request
\r
86 String method = request.getMethod();
\r
87 AuthzResource resource = new AuthzResource(request.getRequestURI());
\r
// Both identity values are taken verbatim from caller-visible request headers; nothing in this
// method verifies them. NOTE(review): confirm that an upstream component authenticates the
// requester and prevents clients from setting these headers themselves.
88 String subject = (request.getHeader(SUBJECT_HEADER)); // asserted identity of the requester (may be null)
\r
89 String subjectgroup = (request.getHeader(SUBJECT_HEADER_GROUP)); // asserted group of the requester, Rally : US708115 (may be null)
\r
91 log.trace("Method: " + method + " -- Type: " + resource.getType() + " -- Id: " + resource.getId() +
\r
92 " -- Subject: " + subject);
\r
94 // Choose authorization method based on the resource type
\r
95 ResourceType resourceType = resource.getType();
\r
96 if (resourceType != null) {
\r
// NOTE(review): this listing appears to have dropped lines in the switch — the break statements
// and the case labels for the single-feed and single-subscription resource types are not shown;
// the two unlabelled assignments below are presumably those cases. Confirm against the repository.
98 switch (resourceType) {
\r
100 case FEEDS_COLLECTION:
\r
101 decision = allowFeedsCollectionAccess(resource, method, subject, subjectgroup);
\r
104 case SUBS_COLLECTION:
\r
105 decision = allowSubsCollectionAccess(resource, method, subject, subjectgroup);
\r
109 decision = allowFeedAccess(resource, method, subject, subjectgroup);
\r
113 decision = allowSubAccess(resource, method, subject, subjectgroup);
\r
// Audit line: records the asserted identity, the resource and the outcome. No secrets are logged.
121 log.debug("Exit decide(): " + method + "|" + resourceType + "|" + resource.getId() + "|" + subject + " ==> " + decision);
\r
123 return new AuthRespImpl(decision);
\r
/**
 * Policy for the feeds collection resource: listing (GET) and creating (POST) feeds are open to
 * every requester. The subject, group and resource id are accepted for signature uniformity with
 * the other per-resource checks but play no part in the result.
 * NOTE(review): because the subject is not consulted, a POST is permitted even when the identity
 * header is absent (null); confirm that the calling servlet enforces authentication beforehand.
 *
 * @return true for GET or POST (case-insensitive), false for any other method or a null method
 */
private boolean allowFeedsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
    // "GET".equalsIgnoreCase(null) is false, so a null method is denied exactly as before.
    return "GET".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method);
}
\r
/**
 * Policy for the subscriptions collection resource: listing (GET) and creating (POST)
 * subscriptions are open to every requester. The subject, group and resource id are accepted
 * for signature uniformity with the other per-resource checks but play no part in the result.
 * NOTE(review): as with the feeds collection, a POST is permitted even when the identity header
 * is absent (null); confirm that the calling servlet enforces authentication beforehand.
 *
 * @return true for GET or POST (case-insensitive), false for any other method or a null method
 */
private boolean allowSubsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
    // "GET".equalsIgnoreCase(null) is false, so a null method is denied exactly as before.
    return "GET".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method);
}
\r
/**
 * Policy for a single feed resource. GET, PUT and DELETE are permitted when the requester is
 * the feed's owner (publisher), or — when a group header is present — when the group the
 * provider reports for this subject/feed pair equals the asserted group. Any other method is
 * denied, as is a feed with no recorded owner.
 *
 * NOTE(review): the group branch replaces the owner decision rather than supplementing it.
 * Consequently an owner who sends a non-matching group header is denied, and a requester who
 * is not the owner can be admitted purely on the group comparison. Both headers are caller
 * supplied, so the safety of the second case rests on getGroupByFeedGroupId(subject, feedId)
 * verifying the subject's membership — that implementation is not visible here; confirm it.
 *
 * @param resource     the feed resource; only its id is used
 * @param method       HTTP method of the request (may be null, which is denied)
 * @param subject      asserted requester identity from the identity header (may be null)
 * @param subjectgroup asserted requester group from the group header, or null if absent
 * @return true if the request is permitted
 */
private boolean allowFeedAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
    // "GET".equalsIgnoreCase(null) is false, so a null method falls through to the denial.
    boolean methodAllowed = "GET".equalsIgnoreCase(method)
            || "PUT".equalsIgnoreCase(method)
            || "DELETE".equalsIgnoreCase(method);
    if (!methodAllowed) {
        return false;
    }

    // Owner check: the owner lookup is always performed first, even when the group header is
    // present, to keep the provider call sequence unchanged.
    String owner = provData.getFeedOwner(resource.getId());
    boolean permitted = owner != null && owner.equals(subject);

    // Group check, Rally : US708115. Overrides the owner result when a group header was sent.
    if (subjectgroup != null) {
        String feedGroup = provData.getGroupByFeedGroupId(subject, resource.getId());
        permitted = feedGroup != null && feedGroup.equals(subjectgroup);
    }
    return permitted;
}
\r
158 private boolean allowSubAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
\r
159 boolean decision = false;
\r
161 // Allow GET, PUT, or DELETE if requester (subject) is the owner of the subscription (subscriber)
\r
162 if (method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("PUT") ||
\r
163 method.equalsIgnoreCase("DELETE") || method.equalsIgnoreCase("POST"))) {
\r
165 String owner = provData.getSubscriptionOwner(resource.getId());
\r
166 decision = (owner != null) && owner.equals(subject);
\r
168 //Verifying by group Rally : US708115
\r
169 if(subjectgroup != null) {
\r
170 String feedowner = provData.getGroupBySubGroupId(subject, resource.getId());
\r
171 decision = (feedowner != null) && feedowner.equals(subjectgroup);
\r