[POLICY-73] replace openecomp for policy-engine
1 /*-
2  * ============LICENSE_START=======================================================
3  * ONAP-REST
4  * ================================================================================
5  * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
6  * ================================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  * 
11  *      http://www.apache.org/licenses/LICENSE-2.0
12  * 
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END=========================================================
19  */
20
21 package org.onap.policy.rest;
22
23 import org.apache.commons.logging.Log;
24 import org.apache.commons.logging.LogFactory;
25 import org.onap.policy.common.logging.eelf.MessageCodes;
26 import org.onap.policy.common.logging.eelf.PolicyLogger;
27 import org.onap.policy.rest.jpa.UserInfo;
28 import org.onap.policy.xacml.api.XACMLErrorConstants;
29
30 import com.att.research.xacml.api.DataTypeException;
31 import com.att.research.xacml.api.Decision;
32 import com.att.research.xacml.api.Request;
33 import com.att.research.xacml.api.Response;
34 import com.att.research.xacml.api.Result;
35 import com.att.research.xacml.api.pdp.PDPEngine;
36 import com.att.research.xacml.api.pdp.PDPEngineFactory;
37 import com.att.research.xacml.api.pdp.PDPException;
38 import com.att.research.xacml.std.annotations.RequestParser;
39 import com.att.research.xacml.std.annotations.XACMLAction;
40 import com.att.research.xacml.std.annotations.XACMLRequest;
41 import com.att.research.xacml.std.annotations.XACMLResource;
42 import com.att.research.xacml.std.annotations.XACMLSubject;
43 import com.att.research.xacml.util.FactoryException;
44
45
46
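/**
 * Authorization check for the XACML admin console: asks the configured PDP
 * engine whether a user may perform an {@link AdminAction} on an
 * {@link AdminResource}.
 *
 * <p>Every failure path in {@link #isAuthorized} (no engine, request could not
 * be built, PDP error, null response, null or non-PERMIT decision) answers
 * {@code false}, so the check fails closed.
 *
 * <p>NOTE(review): {@code userId} is a {@code static} field written through an
 * instance setter, so it is shared by every instance and every thread in the
 * JVM. Callers that rely on it for per-request identity should confirm that
 * sharing is intended.
 */
public class XacmlAdminAuthorization {
    private static final Log logger = LogFactory.getLog(XacmlAdminAuthorization.class);

    // Process-wide, not per-instance: see the class comment.
    private static UserInfo userId;

    /**
     * Returns the last {@link UserInfo} stored via {@link #setUserId(UserInfo)}.
     *
     * @return the stored user, or {@code null} if none was set
     */
    public static UserInfo getUserId() {
        return userId;
    }

    /**
     * Stores {@code userId} in the shared static field (overwrites any value set
     * by another instance or thread).
     *
     * @param userId user to store; may be {@code null}
     */
    public void setUserId(UserInfo userId) {
        XacmlAdminAuthorization.userId = userId;
    }

    /** Actions the console can be authorized for; {@link #toString()} yields the XACML action value. */
    public enum AdminAction {
        ACTION_ACCESS("access"),
        ACTION_READ("read"),
        ACTION_WRITE("write"),
        ACTION_ADMIN("admin");

        final String action;

        AdminAction(String a) {
            this.action = a;
        }

        @Override
        public String toString() {
            return this.action;
        }
    }

    /** Resources the console can be authorized for; {@link #toString()} yields the XACML resource value. */
    public enum AdminResource {
        RESOURCE_APPLICATION("application"),
        RESOURCE_POLICY_WORKSPACE("workspace"),
        RESOURCE_POLICY_EDITOR("editor"),
        RESOURCE_DICTIONARIES("dictionaries"),
        RESOURCE_PDP_ADMIN("pdp_admin"),
        RESOURCE_PIP_ADMIN("pip_admin"),
        RESOURCE_SCOPES_SUPERADMIN("manage_scopes");

        final String resource;

        AdminResource(String r) {
            this.resource = r;
        }

        @Override
        public String toString() {
            return this.resource;
        }
    }

    /** Console roles; {@link #toString()} yields the role's string form. Not consulted by {@link #isAuthorized}. */
    public enum Role {
        ROLE_GUEST("guest"),
        ROLE_ADMIN("admin"),
        ROLE_EDITOR("editor"),
        ROLE_SUPERGUEST("super-guest"),
        ROLE_SUPEREDITOR("super-editor"),
        ROLE_SUPERADMIN("super-admin");

        final String userRole;

        Role(String a) {
            this.userRole = a;
        }

        @Override
        public String toString() {
            return this.userRole;
        }
    }

    /**
     * Annotated request bean consumed by {@link RequestParser#parseRequest}:
     * one subject (the user id, returned in the result), one action and one
     * resource.
     *
     * <p>Kept as a non-static inner class to preserve the existing constructor
     * signature; it does not use the enclosing instance.
     */
    @XACMLRequest(ReturnPolicyIdList = true)
    public class AuthorizationRequest {

        @XACMLSubject(includeInResults = true)
        String userID;

        @XACMLAction()
        String action;

        @XACMLResource()
        String resource;

        /**
         * @param userId   subject identifier
         * @param action   XACML action value (see {@link AdminAction#toString()})
         * @param resource XACML resource value (see {@link AdminResource#toString()})
         */
        public AuthorizationRequest(String userId, String action, String resource) {
            this.userID = userId;
            this.action = action;
            this.resource = resource;
        }

        public String getUserID() {
            return userID;
        }

        public void setUserID(String userID) {
            this.userID = userID;
        }

        public String getAction() {
            return action;
        }

        public void setAction(String action) {
            this.action = action;
        }

        public String getResource() {
            return resource;
        }

        public void setResource(String resource) {
            this.resource = resource;
        }
    }

    //
    // The PDP Engine. Stays null when construction fails, which makes
    // isAuthorized() deny everything.
    //
    protected PDPEngine pdpEngine;

    /**
     * Builds the PDP engine from the default {@link PDPEngineFactory}.
     *
     * <p>Construction never throws for a missing factory or a
     * {@link FactoryException}: both are logged and {@link #pdpEngine} is left
     * {@code null}.
     */
    public XacmlAdminAuthorization() {
        try {
            PDPEngineFactory pdpEngineFactory = PDPEngineFactory.newInstance();
            if (pdpEngineFactory == null) {
                // Leave pdpEngine null so isAuthorized() denies, instead of
                // dereferencing the null factory on the next line.
                logger.error("Failed to create PDP Engine Factory");
                PolicyLogger.error("Failed to create PDP Engine Factory");
                return;
            }
            this.pdpEngine = pdpEngineFactory.newEngine();
        } catch (FactoryException e) {
            logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Exception create PDP Engine: " + e.getLocalizedMessage());
            PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "Exception create PDP Engine");
        }
    }

    /**
     * Asks the PDP whether {@code userid} may perform {@code action} on
     * {@code resource}.
     *
     * <p>Returns {@code true} only if the PDP returns a response in which some
     * result carries {@link Decision#PERMIT}; every other outcome — no engine,
     * null action/resource, request build failure, {@link PDPException}, null
     * response, or no PERMIT result — returns {@code false}.
     *
     * @param userid   subject identifier sent to the PDP
     * @param action   action to authorize
     * @param resource resource to authorize against
     * @return {@code true} if the PDP permitted the request, otherwise {@code false}
     */
    public boolean isAuthorized(String userid, AdminAction action, AdminResource resource) {
        logger.info("authorize: " + userid + " to " + action + " with " + resource);
        if (this.pdpEngine == null) {
            logger.warn("no pdp engine available to authorize");
            return false;
        }
        if (action == null || resource == null) {
            // Nothing to evaluate; deny rather than NPE on toString() below.
            logger.warn("authorize called without an action or resource; denying");
            return false;
        }
        Request request;
        try {
            request = RequestParser.parseRequest(new AuthorizationRequest(userid, action.toString(), resource.toString()));
        } catch (IllegalArgumentException | IllegalAccessException | DataTypeException e) {
            logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Failed to create request: " + e.getLocalizedMessage());
            PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "Failed to create request");
            return false;
        }
        if (request == null) {
            logger.error("Failed to parse request.");
            PolicyLogger.error("Failed to parse request");
            return false;
        }
        logger.info("Request: " + request);
        //
        // Ask the engine
        //
        try {
            Response response = this.pdpEngine.decide(request);
            if (response == null) {
                logger.error("Null response from PDP decide");
                PolicyLogger.error("Null response from PDP decide");
                return false;
            }
            //
            // Should only be one result; the first PERMIT wins.
            //
            for (Result result : response.getResults()) {
                Decision decision = result.getDecision();
                logger.info("Decision: " + decision);
                // Constant on the left: a null decision is a deny, not an NPE.
                if (Decision.PERMIT.equals(decision)) {
                    return true;
                }
            }
        } catch (PDPException e) {
            logger.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "PDP Decide failed: " + e.getLocalizedMessage());
            PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XacmlAdminAuthorization", "PDP Decide failed");
        }
        return false;
    }
}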