2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
21 package org.openecomp.policy.rest;
23 import org.apache.commons.logging.Log;
24 import org.apache.commons.logging.LogFactory;
25 import org.openecomp.policy.rest.jpa.UserInfo;
27 import com.att.research.xacml.api.DataTypeException;
28 import com.att.research.xacml.api.Decision;
29 import com.att.research.xacml.api.Request;
30 import com.att.research.xacml.api.Response;
31 import com.att.research.xacml.api.Result;
32 import org.openecomp.policy.xacml.api.XACMLErrorConstants;
33 import com.att.research.xacml.api.pdp.PDPEngine;
34 import com.att.research.xacml.api.pdp.PDPEngineFactory;
35 import com.att.research.xacml.api.pdp.PDPException;
36 import com.att.research.xacml.std.annotations.RequestParser;
37 import com.att.research.xacml.std.annotations.XACMLAction;
38 import com.att.research.xacml.std.annotations.XACMLRequest;
39 import com.att.research.xacml.std.annotations.XACMLResource;
40 import com.att.research.xacml.std.annotations.XACMLSubject;
41 import com.att.research.xacml.util.FactoryException;
43 import org.openecomp.policy.common.logging.eelf.MessageCodes;
44 import org.openecomp.policy.common.logging.eelf.PolicyLogger;
46 public class XacmlAdminAuthorization {
47 private static Log logger = LogFactory.getLog(XacmlAdminAuthorization.class);
// NOTE(review): the current user is held in a *static* field - one value shared by every
// XacmlAdminAuthorization instance and every thread in this class loader - and setUserId()
// below writes it through an instance method with no synchronization or volatile. If this is
// populated per request or per session in a multi-user service (the callers are not visible
// here), one caller's identity can be observed by another caller's authorization check.
// Verify against the callers; prefer carrying the UserInfo per request instead of statically.
49 private static UserInfo userId;
/** Accessor for the shared (static) userId field written by setUserId(). */
50 public static UserInfo getUserId() {
/** Overwrites the shared (static) userId for the whole class loader, not just this instance. */
54 public void setUserId(UserInfo userId) {
55 XacmlAdminAuthorization.userId = userId;
58 public enum AdminAction {
59 ACTION_ACCESS("access"),
61 ACTION_WRITE("write"),
62 ACTION_ADMIN("admin");
65 AdminAction(String a) {
68 public String toString() {
73 public enum AdminResource {
74 RESOURCE_APPLICATION("application"),
75 RESOURCE_POLICY_WORKSPACE("workspace"),
76 RESOURCE_POLICY_EDITOR("editor"),
77 RESOURCE_DICTIONARIES("dictionaries"),
78 RESOURCE_PDP_ADMIN("pdp_admin"),
79 RESOURCE_PIP_ADMIN("pip_admin"),
80 RESOURCE_SCOPES_SUPERADMIN("manage_scopes");
83 AdminResource(String r) {
86 public String toString() {
94 ROLE_EDITOR("editor"),
95 ROLE_SUPERGUEST("super-guest"),
96 ROLE_SUPEREDITOR("super-editor"),
97 ROLE_SUPERADMIN("super-admin");
104 public String toString() {
105 return this.userRole;
109 @XACMLRequest(ReturnPolicyIdList=true)
110 public class AuthorizationRequest {
112 @XACMLSubject(includeInResults=true)
121 public AuthorizationRequest(String userId, String action, String resource) {
122 this.userID = userId;
123 this.action = action;
124 this.resource = resource;
127 public String getUserID() {
131 public void setUserID(String userID) {
132 this.userID = userID;
135 public String getAction() {
139 public void setAction(String action) {
140 this.action = action;
143 public String getResource() {
147 public void setResource(String resource) {
148 this.resource = resource;
155 protected PDPEngine pdpEngine;
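/**
 * Builds the authorizer and its XACML PDP engine.
 *
 * The engine is obtained from {@link PDPEngineFactory#newInstance()}. If the factory
 * cannot be created, or {@link FactoryException} is thrown, the failure is logged and
 * {@code pdpEngine} is left {@code null}. {@code isAuthorized} checks for a null engine
 * before asking for a decision, so engine construction problems surface there rather
 * than as a grant (confirm the null-engine path in isAuthorized denies access).
 */
public XacmlAdminAuthorization() {
    try {
        PDPEngineFactory pdpEngineFactory = PDPEngineFactory.newInstance();
        if (pdpEngineFactory == null) {
            logger.error("Failed to create PDP Engine Factory");
            // TODO:EELF Cleanup - Remove logger
            PolicyLogger.error("Failed to create PDP Engine Factory");
            // As listed, this branch only logged and then fell through to
            // pdpEngineFactory.newEngine(), i.e. a NullPointerException that the
            // FactoryException catch below does not handle. Bail out instead and leave
            // pdpEngine null - the same state the FactoryException path produces.
            return;
        }
        this.pdpEngine = pdpEngineFactory.newEngine();
    } catch (FactoryException e) {
        // pdpEngine stays null; the full exception goes to PolicyLogger, the
        // commons logger only gets the message.
        logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Exception create PDP Engine: " + e.getLocalizedMessage());
        // TODO:EELF Cleanup - Remove logger
        PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "Exception create PDP Engine");
    }
}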
174 public boolean isAuthorized(String userid, AdminAction action, AdminResource resource) {
175 logger.info("authorize: " + userid + " to " + action + " with " + resource);
176 if (this.pdpEngine == null) {
177 logger.warn("no pdp engine available to authorize");
182 request = RequestParser.parseRequest(new AuthorizationRequest(userid, action.toString(), resource.toString()));
183 } catch (IllegalArgumentException | IllegalAccessException | DataTypeException e) {
184 logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Failed to create request: " + e.getLocalizedMessage());
185 // TODO:EELF Cleanup - Remove logger
186 PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "Failed to create request");
189 if (request == null) {
190 logger.error("Failed to parse request.");
191 // TODO:EELF Cleanup - Remove logger
192 PolicyLogger.error("Failed to parse request");
195 logger.info("Request: " + request);
200 Response response = this.pdpEngine.decide(request);
201 if (response == null) {
202 logger.error("Null response from PDP decide");
203 // TODO:EELF Cleanup - Remove logger
204 PolicyLogger.error("Null response from PDP decide");
207 // Should only be one result
209 for (Result result : response.getResults()) {
210 Decision decision = result.getDecision();
211 logger.info("Decision: " + decision);
212 if (decision.equals(Decision.PERMIT)) {
216 } catch (PDPException e) {
217 logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "PDP Decide failed: " + e.getLocalizedMessage());
218 // TODO:EELF Cleanup - Remove logger
219 PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "PDP Decide failed");