#
# This overrides the Class used for API Permission check.
# This allows for a plugin policy check, if needed
-#ApiPermission.Class: com.company.policy.DecisionPolicy
+ApiPermission.Class: org.onap.dmaap.dbcapi.authentication.AllowAll
#
# URL of AAF environment to use.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
package org.onap.dmaap.dbcapi.authentication;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.util.Properties;
-
import org.apache.log4j.Logger;
import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.LocatorException;
import org.onap.dmaap.dbcapi.aaf.DmaapPerm;
import org.onap.dmaap.dbcapi.util.DmaapConfig;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.util.Properties;
+
+
-
public class AafLurAndFish implements ApiAuthorizationCheckInterface {
private AafLurService svc;
private static String apiNamespace;
private static final String ERROR="Error";
static final Logger logger = Logger.getLogger(AafLurAndFish.class);
-
+
AafLurAndFish() throws AuthenticationErrorException {
-
+
DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
apiNamespace = p.getProperty( "ApiNamespace", "org.onap.dmaap-bc.api");
}
try {
PropAccess myAccess = new PropAccess( props );
-
+
svc = AafLurService.getInstance(myAccess);
} catch (APIException | CadiException | LocatorException e ) {
logger.error(ERROR, e);
logger.error( e.toString() );
throw new AuthenticationErrorException();
}
-
+
}
-
+
public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException {
-
+
try {
- boolean resp = svc.checkPerm( apiNamespace, mechid, pwd, p );
- boolean flag = false;
- if ( resp == flag ) {
+ if (mechid.isEmpty() || pwd.isEmpty()) {
+ throw new AuthenticationErrorException("No basic authorization value provided");
+ }
+
+ if (!svc.checkPerm( apiNamespace, mechid, pwd, p )) {
throw new AuthenticationErrorException();
}
- } catch ( IOException | CadiException e ) {
+ } catch ( IOException | CadiException e ) {
logger.error(ERROR, e);
logger.error( e.toString() );
throw new AuthenticationErrorException();
}
-
+
}
-
+
public static void main(String[] args) throws Exception {
AafLurAndFish alaf = new AafLurAndFish();
DmaapPerm p = new DmaapPerm( "org.onap.dmaap-bc.api.dmaap", "boot", "GET");
-
+
try {
alaf.check("mmanager@people.osaaf.org", "demo123456!", p);
} catch (AuthenticationErrorException aee ) {
--- /dev/null
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2019 Nokia Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dmaap.dbcapi.authentication;
+
+import org.onap.dmaap.dbcapi.aaf.DmaapPerm;
+
+public class AllowAll implements ApiAuthorizationCheckInterface {
+ @Override
+ public void check(String mechid, String pwd, DmaapPerm p) {
+ }
+}
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
import org.onap.dmaap.dbcapi.logging.DmaapbcLogMessageEnum;
import org.onap.dmaap.dbcapi.util.DmaapConfig;
+import java.util.Properties;
+
public class ApiPolicy extends BaseLoggingClass {
- static String allow = "allow";
- String dClass = null;
- private boolean useAuthClass;
- ApiAuthorizationCheckInterface perm = null;
-
- public ApiPolicy() {
- DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
- dClass = p.getProperty( "ApiPermission.Class", allow );
- logger.info( "ApiPolicy implements " + dClass);
- if ( dClass.equalsIgnoreCase( allow )) {
- useAuthClass = false;
- return;
- }
- useAuthClass = true;
- logger.info( "dClass=" + dClass + " useAuthClass=" + useAuthClass );
- try {
- perm = (ApiAuthorizationCheckInterface) (Class.forName(dClass).newInstance());
- } catch (Exception ee ) {
- errorLogger.error(DmaapbcLogMessageEnum.UNEXPECTED_CONDITION, "attempting to instantiate " + dClass );
- errorLogger.error( "trace is: " + ee );
- }
- }
-
- public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException {
- if ( dClass.equalsIgnoreCase( allow )) {
- return;
- }
-
- // execute check of loaded class
- perm.check( mechid, pwd, p );
-
- }
-
- public boolean getUseAuthClass() {
- return useAuthClass;
- }
+ private boolean permissionClassSet = true;
+ private ApiAuthorizationCheckInterface perm = null;
+
+ public ApiPolicy() {
+ this(DmaapConfig.getConfig());
+ }
+
+ ApiPolicy(Properties p) {
+ String dClass = p.getProperty("ApiPermission.Class");
+ logger.info("ApiPolicy implements " + dClass);
+ logger.info("dClass=" + dClass + " permissionClassSet=" + permissionClassSet);
+
+ try {
+ perm = (ApiAuthorizationCheckInterface) (Class.forName(dClass).newInstance());
+ } catch (Exception ee) {
+ errorLogger.error(DmaapbcLogMessageEnum.UNEXPECTED_CONDITION, "attempting to instantiate " + dClass);
+ errorLogger.error("trace is: " + ee);
+ permissionClassSet = false;
+ }
+ }
+
+ public void check(String mechid, String pwd, DmaapPerm p) throws AuthenticationErrorException {
+ perm.check(mechid, pwd, p);
+ }
+
+ public boolean isPermissionClassSet() {
+ return permissionClassSet;
+ }
+
+ ApiAuthorizationCheckInterface getPerm() {
+ return perm;
+ }
}
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
public class AuthenticationErrorException extends Exception {
/**
- *
+ *
*/
private static final long serialVersionUID = 1L;
+ public AuthenticationErrorException() {
+ }
+
+ public AuthenticationErrorException(String s) {
+ super(s);
+ }
}
Singleton<Dmaap> dmaapholder = DatabaseClass.getDmaap();
String name = dmaapholder.get().getDmaapName();
ApiPolicy apiPolicy = new ApiPolicy();
- if ( apiPolicy.getUseAuthClass() && (name == null || name.isEmpty())) {
+ if ( apiPolicy.isPermissionClassSet() && (name == null || name.isEmpty())) {
ApiPerms p = new ApiPerms();
p.setBootMap();
}
package org.onap.dmaap.dbcapi.service;
import static com.att.eelf.configuration.Configuration.MDC_KEY_REQUEST_ID;
-import static com.att.eelf.configuration.Configuration.MDC_PARTNER_NAME;
import static com.att.eelf.configuration.Configuration.MDC_SERVICE_NAME;
-import javax.xml.bind.DatatypeConverter;
import org.onap.dmaap.dbcapi.aaf.DmaapPerm;
import org.onap.dmaap.dbcapi.authentication.ApiPolicy;
import org.onap.dmaap.dbcapi.authentication.AuthenticationErrorException;
private String requestId;
private ApiError err;
private ApiPolicy apiPolicy;
+ private CredentialsParser credentialsParser = new CredentialsParser();
public ApiService() {
if (env == null || env.isEmpty()) {
env = "boot";
}
- if (!apiPolicy.getUseAuthClass()) {
+ if (!apiPolicy.isPermissionClassSet()) {
return; // skip authorization if not enabled
}
- if (authorization == null || authorization.isEmpty()) {
- String errmsg = "No basic authorization value provided ";
- err.setMessage(errmsg);
- logger.info(errmsg);
- throw new AuthenticationErrorException();
- }
- String credentials = authorization.substring("Basic".length()).trim();
- byte[] decoded = DatatypeConverter.parseBase64Binary(credentials);
- String decodedString = new String(decoded);
- String[] actualCredentials = decodedString.split(":");
- String ID = actualCredentials[0];
- String Password = actualCredentials[1];
- MDC.put(MDC_PARTNER_NAME, ID);
- try {
+ Credentials credentials = credentialsParser.parse(authorization);
+ try {
DmaapPerm p = new DmaapPerm(apiNamespace + "." + uri, env, method);
- apiPolicy.check(ID, Password, p);
+ apiPolicy.check(credentials.getId(), credentials.getPwd(), p);
} catch (AuthenticationErrorException ae) {
String errmsg =
- "User " + ID + " failed authentication/authorization for " + apiNamespace + "." + uriPath + " " + env
+ "User " + credentials.getId() + " failed authentication/authorization for " + apiNamespace + "." + uriPath + " " + env
+ " " + method;
logger.info(errmsg);
err.setMessage(errmsg);
--- /dev/null
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2019 Nokia Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dmaap.dbcapi.service;
+
+public class Credentials {
+
+ private final String id;
+ private final String pwd;
+
+ Credentials(String id, String pwd) {
+ this.id = id;
+ this.pwd = pwd;
+ }
+
+ static Credentials empty() {
+ return new Credentials("", "");
+ }
+
+ public String getId() {
+ return id;
+ }
+
+ public String getPwd() {
+ return pwd;
+ }
+}
--- /dev/null
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2019 Nokia Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dmaap.dbcapi.service;
+
+import javax.xml.bind.DatatypeConverter;
+
+class CredentialsParser {
+
+ Credentials parse(String authorizationHeader) {
+ if (authorizationHeader == null || authorizationHeader.isEmpty()) {
+ return Credentials.empty();
+ }
+
+ String credentials = authorizationHeader.substring("Basic".length()).trim();
+ byte[] decoded = DatatypeConverter.parseBase64Binary(credentials);
+ String decodedString = new String(decoded);
+ String[] actualCredentials = decodedString.split(":");
+ return new Credentials(actualCredentials[0], actualCredentials[1]);
+ }
+
+}
AafService aaf = new AafService( ServiceType.AAF_Admin);
ApiPolicy apiPolicy = new ApiPolicy();
- if ( apiPolicy.getUseAuthClass() ) {
+ if ( apiPolicy.isPermissionClassSet() ) {
ApiPerms p = new ApiPerms();
p.setEnvMap();
}
dmaapholder.update(nd); //need to set this so the following perms will pick up any new vals.
//dcaeTopicNs = dmaapholder.get().getTopicNsRoot();
ApiPolicy apiPolicy = new ApiPolicy();
- if ( apiPolicy.getUseAuthClass()) {
+ if ( apiPolicy.isPermissionClassSet()) {
ApiPerms p = new ApiPerms();
p.setEnvMap();
}
--- /dev/null
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2019 Nokia Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.dmaap.dbcapi.authentication;
+
+import org.junit.Test;
+
+import static org.junit.Assert.fail;
+
+public class AllowAllTest {
+
+ private AllowAll allowAll = new AllowAll();
+
+ @Test
+ public void check_shouldPassValidationForAllPerms() {
+ try {
+ allowAll.check(null, null, null);
+ } catch (Exception e) {
+ fail("No exception should be thrown");
+ }
+ }
+}
\ No newline at end of file
--- /dev/null
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2019 Nokia Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dmaap.dbcapi.authentication;
+
+import org.junit.Test;
+import org.onap.dmaap.dbcapi.aaf.DmaapPerm;
+
+import java.util.Properties;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class ApiPolicyTest {
+
+ private Properties properties = new Properties();
+ private ApiPolicy apiPolicy;
+
+ @Test
+ public void check_shouldExecuteAuthorizationApi() throws Exception {
+ properties.put("ApiPermission.Class", "org.onap.dmaap.dbcapi.authentication.ApiPolicyTest$DummyApiAuthorization");
+ apiPolicy = new ApiPolicy(properties);
+
+ apiPolicy.check("mechId", "pwd", new DmaapPerm("api.perm", "*", "GET"));
+
+ assertTrue(((DummyApiAuthorization) apiPolicy.getPerm()).isCheckExecuted());
+ }
+
+ @Test
+ public void isPermissionClassSet_shouldReturnTrueForValidApiPermClass() {
+ properties.put("ApiPermission.Class", "org.onap.dmaap.dbcapi.authentication.ApiPolicyTest$DummyApiAuthorization");
+ apiPolicy = new ApiPolicy(properties);
+
+ assertTrue(apiPolicy.isPermissionClassSet());
+ }
+
+ @Test
+ public void isPermissionClassSet_shouldReturnFalseWhenPropertyIsNotSet() {
+ apiPolicy = new ApiPolicy(properties);
+
+ assertFalse(apiPolicy.isPermissionClassSet());
+ }
+
+ @Test
+ public void isPermissionClassSet_shouldReturnFalseWhenWrongClassIsSet() {
+ properties.put("ApiPermission.Class", "org.onap.dmaap.dbcapi.authentication.NotExisting");
+ apiPolicy = new ApiPolicy(properties);
+
+ assertFalse(apiPolicy.isPermissionClassSet());
+ }
+
+ public static class DummyApiAuthorization implements ApiAuthorizationCheckInterface {
+
+ private boolean checkExecuted = false;
+
+ @Override
+ public void check(String mechid, String pwd, DmaapPerm p) {
+ checkExecuted = true;
+ }
+
+ boolean isCheckExecuted() {
+ return checkExecuted;
+ }
+ }
+}
\ No newline at end of file
--- /dev/null
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2019 Nokia Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dmaap.dbcapi.service;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+public class CredentialsParserTest {
+
+ private CredentialsParser credentialsParser = new CredentialsParser();
+
+ @Test
+ public void parse_shouldReturnEmptyCredentialsWhenAuthorizationHeaderIsNull() {
+
+ Credentials credentials = credentialsParser.parse(null);
+
+ assertTrue(credentials.getId().isEmpty());
+ assertTrue(credentials.getPwd().isEmpty());
+ }
+
+ @Test
+ public void parse_shouldReturnEmptyCredentialsWhenAuthorizationHeaderIsEmpty() {
+
+ Credentials credentials = credentialsParser.parse("");
+
+ assertTrue(credentials.getId().isEmpty());
+ assertTrue(credentials.getPwd().isEmpty());
+ }
+
+ @Test
+ public void parse_shouldParseCorrectCredentials() {
+
+ Credentials credentials = credentialsParser.parse("Basic dXNlcjpwYXNzd29yZA==");
+
+ assertEquals("user", credentials.getId());
+ assertEquals("password", credentials.getPwd());
+ }
+}
\ No newline at end of file
Code Review / dmaap / dbcapi.git / commitdiff