Code style cleanup for prov authz and beans
[dmaap/datarouter.git] / datarouter-prov / src / main / java / org / onap / dmaap / datarouter / authz / impl / ProvAuthorizer.java
index 6ab9e2a..761df09 100644 (file)
-/*******************************************************************************\r
- * ============LICENSE_START==================================================\r
- * * org.onap.dmaap\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- *  *      http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- *  * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-\r
-package org.onap.dmaap.datarouter.authz.impl;\r
-\r
-import java.util.Map;\r
-\r
-import javax.servlet.http.HttpServletRequest;\r
-\r
-import org.apache.log4j.Logger;\r
-import org.onap.dmaap.datarouter.authz.AuthorizationResponse;\r
-import org.onap.dmaap.datarouter.authz.Authorizer;\r
-import org.onap.dmaap.datarouter.authz.impl.AuthzResource.ResourceType;\r
-\r
-/** Authorizer for the provisioning API for Data Router R1\r
- * \r
- * @author J. F. Lucas\r
- *\r
- */\r
-public class ProvAuthorizer implements Authorizer {\r
-       \r
-       private Logger log;\r
-       private ProvDataProvider provData;\r
-       \r
-       private static final String SUBJECT_HEADER = "X-ATT-DR-ON-BEHALF-OF";  // HTTP header carrying requester identity\r
-       private static final String SUBJECT_HEADER_GROUP = "X-ATT-DR-ON-BEHALF-OF-GROUP";  // HTTP header carrying requester identity  by group Rally : US708115\r
-       /** Constructor. For the moment, do nothing special.  Make it a singleton? \r
-        * \r
-        */\r
-       public ProvAuthorizer(ProvDataProvider provData) {\r
-               this.provData = provData;\r
-               this.log = Logger.getLogger(this.getClass());\r
-       }\r
-       \r
-       /**\r
-        * Determine if the API request carried in the <code>request</code> parameter is permitted.\r
-        * \r
-        * @param request the HTTP request for which an authorization decision is needed\r
-        * @return an object implementing the <code>AuthorizationResponse</code> interface.  This object includes the\r
-        * permit/deny decision for the request and (after R1) supplemental information related to the response in the form\r
-        * of advice and obligations.\r
-        */\r
-       @Override\r
-       public AuthorizationResponse decide(HttpServletRequest request) {\r
-                       return this.decide(request, null);\r
-       }\r
-       \r
-       /**\r
-        * Determine if the API request carried in the <code>request</code> parameter, with additional attributes provided in\r
-        * the <code>additionalAttrs</code> parameter, is permitted.   <code>additionalAttrs</code> isn't used in R1.\r
-        * \r
-        * @param request the HTTP request for which an authorization decision is needed\r
-        * @param additionalAttrs additional attributes that the <code>Authorizer</code> can in making an authorization decision\r
-        * @return an object implementing the <code>AuthorizationResponse</code> interface.  This object includes the\r
-        * permit/deny decision for the request and (after R1) supplemental information related to the response in the form\r
-        * of advice and obligations.\r
-        */\r
-       @Override\r
-       public AuthorizationResponse decide(HttpServletRequest request,\r
-                       Map<String, String> additionalAttrs) {\r
-               log.trace ("Entering decide()");\r
-               \r
-               boolean decision = false;\r
-               \r
-               // Extract interesting parts of the HTTP request\r
-               String method = request.getMethod();\r
-               AuthzResource resource = new AuthzResource(request.getRequestURI());\r
-               String subject = (request.getHeader(SUBJECT_HEADER));            // identity of the requester\r
-               String subjectgroup = (request.getHeader(SUBJECT_HEADER_GROUP)); // identity of the requester by group Rally : US708115\r
-\r
-               log.trace("Method: " + method + " -- Type: " + resource.getType() + " -- Id: " + resource.getId() + \r
-                               " -- Subject: " + subject);\r
-               \r
-               // Choose authorization method based on the resource type\r
-               ResourceType resourceType = resource.getType();\r
-               if (resourceType != null) {\r
-\r
-                       switch (resourceType) {\r
-\r
-                       case FEEDS_COLLECTION:\r
-                               decision = allowFeedsCollectionAccess(resource, method, subject, subjectgroup);\r
-                               break;\r
-\r
-                       case SUBS_COLLECTION:\r
-                               decision = allowSubsCollectionAccess(resource, method, subject, subjectgroup);\r
-                               break;\r
-\r
-                       case FEED:\r
-                               decision = allowFeedAccess(resource, method, subject, subjectgroup);\r
-                               break;\r
-\r
-                       case SUB:\r
-                               decision = allowSubAccess(resource, method, subject, subjectgroup);\r
-                               break;\r
-\r
-                       default:\r
-                               decision = false;\r
-                               break;\r
-                       }\r
-               }\r
-               log.debug("Exit decide(): "  + method + "|" + resourceType + "|" + resource.getId() + "|" + subject + " ==> " + decision);\r
-               \r
-               return new AuthRespImpl(decision);\r
-       }\r
-       \r
-       private boolean allowFeedsCollectionAccess(AuthzResource resource,      String method, String subject, String subjectgroup) {\r
-               \r
-               // Allow GET or POST unconditionally\r
-               return method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("POST"));\r
-       }\r
-       \r
-       private boolean allowSubsCollectionAccess(AuthzResource resource, String method, String subject, String subjectgroup) {\r
-               \r
-               // Allow GET or POST unconditionally\r
-               return method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("POST"));\r
-       }\r
-       \r
-       private boolean allowFeedAccess(AuthzResource resource, String method,  String subject, String subjectgroup) {\r
-               boolean decision = false;\r
-               \r
-               // Allow GET, PUT, or DELETE if requester (subject) is the owner (publisher) of the feed\r
-               if ( method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("PUT") ||\r
-                               method.equalsIgnoreCase("DELETE"))) {\r
-                       \r
-                       String owner = provData.getFeedOwner(resource.getId());\r
-                       decision = (owner != null) && owner.equals(subject);\r
-                       \r
-                       //Verifying by group Rally : US708115\r
-                       if(subjectgroup != null) { \r
-                               String feedowner = provData.getGroupByFeedGroupId(subject, resource.getId());\r
-                               decision = (feedowner != null) && feedowner.equals(subjectgroup);\r
-                       }\r
-               }\r
-               \r
-               return decision;\r
-       }\r
-       \r
-       private boolean allowSubAccess(AuthzResource resource, String method, String subject, String subjectgroup) {\r
-               boolean decision = false;\r
-               \r
-               // Allow GET, PUT, or DELETE if requester (subject) is the owner of the subscription (subscriber)\r
-               if (method != null && (method.equalsIgnoreCase("GET") || method.equalsIgnoreCase("PUT") || \r
-                               method.equalsIgnoreCase("DELETE") || method.equalsIgnoreCase("POST"))) {\r
-                       \r
-                       String owner = provData.getSubscriptionOwner(resource.getId());\r
-                       decision = (owner != null) && owner.equals(subject);\r
-                       \r
-                       //Verifying by group Rally : US708115\r
-                       if(subjectgroup != null) {\r
-                               String feedowner = provData.getGroupBySubGroupId(subject, resource.getId());\r
-                               decision = (feedowner != null) && feedowner.equals(subjectgroup);\r
-                       }\r
-               }\r
-               \r
-               return decision;\r
-       }\r
-\r
-}\r
+/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+
+package org.onap.dmaap.datarouter.authz.impl;
+
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
+import org.onap.dmaap.datarouter.authz.Authorizer;
+import org.onap.dmaap.datarouter.authz.impl.AuthzResource.ResourceType;
+
+/** Authorizer for the provisioning API for Data Router R1.
+ *
+ * @author J. F. Lucas
+ *
+ */
+public class ProvAuthorizer implements Authorizer {
+
+    private EELFLogger log;
+    private ProvDataProvider provData;
+
+    private static final String SUBJECT_HEADER = "X-DMAAP-DR-ON-BEHALF-OF";  // HTTP header carrying requester identity
+    // HTTP header carrying requester identity  by group Rally : US708115
+    private static final String SUBJECT_HEADER_GROUP = "X-DMAAP-DR-ON-BEHALF-OF-GROUP";
+
+    /** Constructor. For the moment, do nothing special.  Make it a singleton?
+     *
+     */
+    public ProvAuthorizer(ProvDataProvider provData) {
+        this.provData = provData;
+        this.log = EELFManager.getInstance().getLogger(this.getClass());
+    }
+
+    /**
+     * Determine if the API request carried in the <code>request</code> parameter is permitted.
+     *
+     * @param request the HTTP request for which an authorization decision is needed
+     * @return an object implementing the <code>AuthorizationResponse</code> interface.  This object includes the
+     * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
+     * of advice and obligations.
+     */
+    @Override
+    public AuthorizationResponse decide(HttpServletRequest request) {
+        return this.decide(request, null);
+    }
+
+    /**
+     * Determine if the API request carried in the <code>request</code> parameter,with additional attributes provided in
+     * the <code>additionalAttrs</code> parameter, is permitted.   <code>additionalAttrs</code> isn't used in R1.
+     *
+     * @param request the HTTP request for which an authorization decision is needed
+     * @param additionalAttrs additional attributes that the <code>Authorizer</code> can in making a decision
+     * @return an object implementing the <code>AuthorizationResponse</code> interface.  This object includes the
+     * permit/deny decision for the request and (after R1) supplemental information related to the response in the form
+     * of advice and obligations.
+     */
+    @Override
+    public AuthorizationResponse decide(HttpServletRequest request,
+            Map<String, String> additionalAttrs) {
+        log.trace("Entering decide()");
+        boolean decision = false;
+        // Extract interesting parts of the HTTP request
+        String method = request.getMethod();
+        AuthzResource resource = new AuthzResource(request.getRequestURI());
+        String subject = (request.getHeader(SUBJECT_HEADER));
+        String subjectgroup = (request.getHeader(SUBJECT_HEADER_GROUP));
+
+        log.trace("Method: " + method + " -- Type: " + resource.getType() + " -- Id: " + resource.getId()
+                          + " -- Subject: " + subject);
+        // Choose authorization method based on the resource type
+        ResourceType resourceType = resource.getType();
+        if (resourceType != null) {
+            switch (resourceType) {
+                case FEEDS_COLLECTION:
+                    decision = allowFeedsCollectionAccess(method);
+                    break;
+                case SUBS_COLLECTION:
+                    decision = allowSubsCollectionAccess(method);
+                    break;
+                case FEED:
+                    decision = allowFeedAccess(resource, method, subject, subjectgroup);
+                    break;
+                case SUB:
+                    decision = allowSubAccess(resource, method, subject, subjectgroup);
+                    break;
+                default:
+                    decision = false;
+                    break;
+            }
+        }
+        log.debug("Exit decide(): "  + method + "|" + resourceType + "|" + resource.getId() + "|"
+                          + subject + " ==> " + decision);
+
+        return new AuthRespImpl(decision);
+    }
+
+    private boolean allowFeedsCollectionAccess(String method) {
+        // Allow GET or POST unconditionally
+        return method != null && ("GET".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method));
+    }
+
+    private boolean allowSubsCollectionAccess(String method) {
+        // Allow GET or POST unconditionally
+        return method != null && ("GET".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method));
+    }
+
+    private boolean allowFeedAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
+        boolean decision = false;
+        // Allow GET, PUT, or DELETE if requester (subject) is the owner (publisher) of the feed
+        if ( method != null && ("GET".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method)
+                                        || "DELETE".equalsIgnoreCase(method))) {
+
+            String owner = provData.getFeedOwner(resource.getId());
+            decision = (owner != null) && owner.equals(subject);
+            //Verifying by group Rally : US708115
+            if (subjectgroup != null) {
+                String feedOwner = provData.getGroupByFeedGroupId(subject, resource.getId());
+                decision = (feedOwner != null) && feedOwner.equals(subjectgroup);
+            }
+        }
+        return decision;
+    }
+
+    private boolean allowSubAccess(AuthzResource resource, String method, String subject, String subjectgroup) {
+        boolean decision = false;
+
+        // Allow GET, PUT, or DELETE if requester (subject) is the owner of the subscription (subscriber)
+        if (method != null && ("GET".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method)
+                                       || "DELETE".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method))) {
+
+            String owner = provData.getSubscriptionOwner(resource.getId());
+            decision = (owner != null) && owner.equals(subject);
+
+            //Verifying by group Rally : US708115
+            if (subjectgroup != null) {
+                String feedowner = provData.getGroupBySubGroupId(subject, resource.getId());
+                decision = (feedowner != null) && feedowner.equals(subjectgroup);
+            }
+        }
+
+        return decision;
+    }
+
+}
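Review bot: The two identity header constants change value in this hunk (`SUBJECT_HEADER` becomes `"X-DMAAP-DR-ON-BEHALF-OF"` and `SUBJECT_HEADER_GROUP` becomes `"X-DMAAP-DR-ON-BEHALF-OF-GROUP"`), which changes the authorization input in a commit titled as style cleanup, and the whole-file rewrite (the removed side appears to carry CRLF line endings) makes it easy to miss. Callers still sending the old `X-ATT-DR-*` names would get a null subject from `request.getHeader(...)` and be denied on FEED and SUB resources. If a front end sets or strips the old header names, it needs the same rename so the new names are not accepted straight from the client; the commit message should state the rename. Separately, in `allowFeedAccess` and `allowSubAccess` the `if (subjectgroup != null)` branch overwrites the owner comparison instead of combining with it, so the decision rests on the group lookup alone whenever the group header is present; if that precedence is intended, a comment such as `// group header, when present, supersedes the owner check` would make it reviewable. The comment above the condition in `allowSubAccess` also lists only GET, PUT and DELETE while the condition accepts POST as well.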