Initial OpenECOMP policy/engine commit
1 /*-
2  * ============LICENSE_START=======================================================
3  * ECOMP-REST
4  * ================================================================================
5  * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
6  * ================================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  * 
11  *      http://www.apache.org/licenses/LICENSE-2.0
12  * 
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END=========================================================
19  */
20
21 package org.openecomp.policy.rest;
22
23 import org.apache.commons.logging.Log;
24 import org.apache.commons.logging.LogFactory;
25 import org.openecomp.policy.rest.jpa.UserInfo;
26
27 import com.att.research.xacml.api.DataTypeException;
28 import com.att.research.xacml.api.Decision;
29 import com.att.research.xacml.api.Request;
30 import com.att.research.xacml.api.Response;
31 import com.att.research.xacml.api.Result;
32 import org.openecomp.policy.xacml.api.XACMLErrorConstants;
33 import com.att.research.xacml.api.pdp.PDPEngine;
34 import com.att.research.xacml.api.pdp.PDPEngineFactory;
35 import com.att.research.xacml.api.pdp.PDPException;
36 import com.att.research.xacml.std.annotations.RequestParser;
37 import com.att.research.xacml.std.annotations.XACMLAction;
38 import com.att.research.xacml.std.annotations.XACMLRequest;
39 import com.att.research.xacml.std.annotations.XACMLResource;
40 import com.att.research.xacml.std.annotations.XACMLSubject;
41 import com.att.research.xacml.util.FactoryException;
42
43 import org.openecomp.policy.common.logging.eelf.MessageCodes;
44 import org.openecomp.policy.common.logging.eelf.PolicyLogger;
45
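/**
 * Authorization check for the XACML admin console.
 *
 * <p>Each {@link #isAuthorized} call builds a XACML request (subject = user id,
 * action, resource) and asks the locally created PDP engine for a decision.
 * Only an explicit {@code PERMIT} grants access; every other outcome — no
 * engine, missing argument, unparsable request, null response, a non-PERMIT
 * decision, or a PDP exception — fails closed and returns {@code false}.
 */
public class XacmlAdminAuthorization {
	private static Log logger	= LogFactory.getLog(XacmlAdminAuthorization.class);

	// Process-wide mutable state: the value written by the most recent
	// setUserId() call (on any instance, from any thread) is what getUserId()
	// returns. It is not per-request identity; callers serving concurrent
	// users should pass the user id to isAuthorized() explicitly rather than
	// rely on this field.
	private static UserInfo userId;

	/**
	 * @return the user most recently stored via {@link #setUserId}, or
	 *         {@code null} if none has been set
	 */
	public static UserInfo getUserId() {
		return userId;
	}

	/**
	 * Stores {@code userId} in the shared static field (see the note on that
	 * field); the instance this is called on is irrelevant.
	 *
	 * @param userId user to remember, may be {@code null}
	 */
	public void setUserId(UserInfo userId) {
		XacmlAdminAuthorization.userId = userId;
	}

	/** Actions the console can ask about; {@link #toString()} yields the XACML action id. */
	public enum AdminAction {
		ACTION_ACCESS("access"),
		ACTION_READ("read"),
		ACTION_WRITE("write"),
		ACTION_ADMIN("admin");

		final String action;
		AdminAction(String a) {
			this.action = a;
		}
		@Override
		public String toString() {
			return this.action;
		}
	}

	/** Resources the console can ask about; {@link #toString()} yields the XACML resource id. */
	public enum AdminResource {
		RESOURCE_APPLICATION("application"),
		RESOURCE_POLICY_WORKSPACE("workspace"),
		RESOURCE_POLICY_EDITOR("editor"),
		RESOURCE_DICTIONARIES("dictionaries"),
		RESOURCE_PDP_ADMIN("pdp_admin"),
		RESOURCE_PIP_ADMIN("pip_admin"),
		RESOURCE_SCOPES_SUPERADMIN("manage_scopes");

		final String resource;
		AdminResource(String r) {
			this.resource = r;
		}
		@Override
		public String toString() {
			return this.resource;
		}
	}

	/** Console roles; {@link #toString()} yields the role name as stored/compared elsewhere. */
	public enum Role {
		ROLE_GUEST("guest"),
		ROLE_ADMIN("admin"),
		ROLE_EDITOR("editor"),
		ROLE_SUPERGUEST("super-guest"),
		ROLE_SUPEREDITOR("super-editor"),
		ROLE_SUPERADMIN("super-admin");

		final String userRole;

		Role(String a) {
			this.userRole = a;
		}
		@Override
		public String toString() {
			return this.userRole;
		}
	}

	/**
	 * Annotated bean that {@link RequestParser} turns into a XACML request:
	 * one subject attribute (the user id, echoed back in results), one action
	 * and one resource. The {@code ReturnPolicyIdList} flag asks the PDP to
	 * report which policies produced the decision.
	 *
	 * <p>Kept as a non-static inner class so that existing callers that
	 * construct it through an outer instance keep compiling.
	 */
	@XACMLRequest(ReturnPolicyIdList=true)
	public class AuthorizationRequest {

		@XACMLSubject(includeInResults=true)
		String	userID;

		@XACMLAction()
		String	action;

		@XACMLResource()
		String	resource;

		/**
		 * @param userId   subject id placed in the request
		 * @param action   XACML action id
		 * @param resource XACML resource id
		 */
		public AuthorizationRequest(String userId, String action, String resource) {
			this.userID = userId;
			this.action = action;
			this.resource = resource;
		}

		public String getUserID() {
			return userID;
		}

		public void setUserID(String userID) {
			this.userID = userID;
		}

		public String getAction() {
			return action;
		}

		public void setAction(String action) {
			this.action = action;
		}

		public String getResource() {
			return resource;
		}

		public void setResource(String resource) {
			this.resource = resource;
		}
	}

	//
	// The PDP Engine; stays null when creation fails, which makes
	// isAuthorized() deny everything.
	//
	protected PDPEngine pdpEngine;

	/**
	 * Creates the PDP engine through {@link PDPEngineFactory}. Failures are
	 * logged and leave {@link #pdpEngine} null rather than propagating, so
	 * the object is always constructible but may be unable to authorize.
	 */
	public XacmlAdminAuthorization() {
		try {
			PDPEngineFactory pdpEngineFactory = PDPEngineFactory.newInstance();
			if (pdpEngineFactory == null) {
				logger.error("Failed to create PDP Engine Factory");
				// TODO:EELF Cleanup - Remove logger
				PolicyLogger.error("Failed to create PDP Engine Factory");
				// Leave pdpEngine null instead of dereferencing a null factory.
				return;
			}
			this.pdpEngine = pdpEngineFactory.newEngine();
		} catch (FactoryException e) {
			logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Exception create PDP Engine: " + e.getLocalizedMessage());
			// TODO:EELF Cleanup - Remove logger
			PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "Exception create PDP Engine");
		}
	}

	/**
	 * Asks the PDP whether {@code userid} may perform {@code action} on
	 * {@code resource}.
	 *
	 * @param userid   subject id; {@code null} is denied without consulting the PDP
	 * @param action   requested action; {@code null} is denied
	 * @param resource target resource; {@code null} is denied
	 * @return {@code true} only if some result carries {@code Decision.PERMIT};
	 *         {@code false} for any other decision or on any error
	 */
	public boolean isAuthorized(String userid, AdminAction action, AdminResource resource) {
		logger.info("authorize: " + userid + " to " + action + " with " + resource);
		if (this.pdpEngine == null) {
			logger.warn("no pdp engine available to authorize");
			return false;
		}
		// Fail closed: an unidentified subject or an unspecified action/resource
		// is never permitted (and the latter would NPE on toString() below).
		if (userid == null || action == null || resource == null) {
			logger.warn("incomplete authorization request, denying");
			return false;
		}
		Request request;
		try {
			request = RequestParser.parseRequest(new AuthorizationRequest(userid, action.toString(), resource.toString()));
		} catch (IllegalArgumentException | IllegalAccessException | DataTypeException e) {
			logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Failed to create request: " + e.getLocalizedMessage());
			// TODO:EELF Cleanup - Remove logger
			PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "Failed to create request");
			return false;
		}
		if (request == null) {
			logger.error("Failed to parse request.");
			// TODO:EELF Cleanup - Remove logger
			PolicyLogger.error("Failed to parse request");
			return false;
		}
		logger.info("Request: " + request);
		//
		// Ask the engine
		//
		try {
			Response response = this.pdpEngine.decide(request);
			if (response == null) {
				logger.error("Null response from PDP decide");
				// TODO:EELF Cleanup - Remove logger
				PolicyLogger.error("Null response from PDP decide");
				// No response is a denial, not a NullPointerException.
				return false;
			}
			//
			// Should only be one result
			//
			for (Result result : response.getResults()) {
				Decision decision = result.getDecision();
				logger.info("Decision: " + decision);
				// Constant-first equals tolerates a null decision (treated as deny).
				if (Decision.PERMIT.equals(decision)) {
					return true;
				}
			}
		} catch (PDPException e) {
			logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "PDP Decide failed: " + e.getLocalizedMessage());
			// TODO:EELF Cleanup - Remove logger
			PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "PDP Decide failed");
		}
		return false;
	}
}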