--- /dev/null
+/* Copyright (c) 2019 AT&T Intellectual Property. #\r
+# #\r
+# Licensed under the Apache License, Version 2.0 (the "License"); #\r
+# you may not use this file except in compliance with the License. #\r
+# You may obtain a copy of the License at #\r
+# #\r
+# http://www.apache.org/licenses/LICENSE-2.0 #\r
+# #\r
+# Unless required by applicable law or agreed to in writing, software #\r
+# distributed under the License is distributed on an "AS IS" BASIS, #\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #\r
+# See the License for the specific language governing permissions and #\r
+# limitations under the License. #\r
+##############################################################################*/\r
+\r
+\r
+package org.oran.otf.api.config;\r
+\r
+import com.google.common.base.Strings;\r
+import java.io.IOException;\r
+import java.util.ArrayList;\r
+import java.util.List;\r
+import java.util.Map;\r
+import java.util.TreeMap;\r
+import javax.servlet.Filter;\r
+import javax.servlet.FilterChain;\r
+import javax.servlet.FilterConfig;\r
+import javax.servlet.ServletException;\r
+import javax.servlet.ServletRequest;\r
+import javax.servlet.ServletResponse;\r
+import javax.servlet.http.HttpServletRequest;\r
+import javax.servlet.http.HttpServletResponse;\r
+import org.apache.commons.logging.Log;\r
+import org.apache.commons.logging.LogFactory;\r
+import org.onap.aaf.cadi.Access;\r
+import org.onap.aaf.cadi.Access.Level;\r
+import org.onap.aaf.cadi.ServletContextAccess;\r
+import org.onap.aaf.cadi.util.Split;\r
+\r
+public class OTFApiEnforcementFilter implements Filter {\r
+ private static final Log log = LogFactory.getLog(OTFApiEnforcementFilter.class);\r
+ private String type;\r
+ private Map<String, List<String>> publicPaths;\r
+ private Access access = null;\r
+\r
+ public OTFApiEnforcementFilter(Access access, String enforce) throws ServletException {\r
+ this.access = access;\r
+ init(enforce);\r
+ }\r
+\r
+ @Override\r
+ public void init(FilterConfig fc) throws ServletException {\r
+ init(fc.getInitParameter("aaf_perm_type"));\r
+ // need the Context for Logging, instantiating ClassLoader, etc\r
+ ServletContextAccess sca = new ServletContextAccess(fc);\r
+ if (access == null) {\r
+ access = sca;\r
+ }\r
+ }\r
+\r
+ private void init(final String ptypes) throws ServletException {\r
+ if (Strings.isNullOrEmpty(ptypes)) {\r
+ throw new ServletException("OTFApiEnforcement requires aaf_perm_type property");\r
+ }\r
+ String[] full = Split.splitTrim(';', ptypes);\r
+ if (full.length <= 0) {\r
+ throw new ServletException("aaf_perm_type property is empty");\r
+ }\r
+\r
+ type = full[0];\r
+ publicPaths = new TreeMap<>();\r
+ if (full.length > 1) {\r
+ for (int i = 1; i < full.length; ++i) {\r
+ String[] pubArray = Split.split(':', full[i]);\r
+ if (pubArray.length == 2) {\r
+ List<String> ls = publicPaths.get(pubArray[0]);\r
+ if (ls == null) {\r
+ ls = new ArrayList<>();\r
+ publicPaths.put(pubArray[0], ls);\r
+ }\r
+ ls.add(pubArray[1]);\r
+ }\r
+ }\r
+ }\r
+ }\r
+\r
+ @Override\r
+ public void doFilter(ServletRequest req, ServletResponse resp, FilterChain fc)\r
+ throws IOException, ServletException {\r
+ HttpServletRequest hreq = (HttpServletRequest) req;\r
+ final String meth = hreq.getMethod();\r
+ String path = hreq.getContextPath(); // + hreq.getPathInfo();\r
+\r
+ if (Strings.isNullOrEmpty(path) || "null".equals(path)) {\r
+ path = hreq.getRequestURI().substring(hreq.getContextPath().length());\r
+ }\r
+\r
+ List<String> list = publicPaths.get(meth);\r
+ if (list != null) {\r
+ for (String p : publicPaths.get(meth)) {\r
+ if (path.startsWith(p)) {\r
+ access.printf(\r
+ Level.INFO,\r
+ "%s accessed public API %s %s\n",\r
+ hreq.getUserPrincipal().getName(),\r
+ meth,\r
+ path);\r
+ fc.doFilter(req, resp);\r
+ return;\r
+ }\r
+ }\r
+ }\r
+ if (hreq.isUserInRole(type + '|' + path + '|' + meth)) {\r
+ access.printf(\r
+ Level.INFO,\r
+ "%s is allowed access to %s %s\n",\r
+ hreq.getUserPrincipal().getName(),\r
+ meth,\r
+ path);\r
+ fc.doFilter(req, resp);\r
+ } else {\r
+ access.printf(\r
+ Level.AUDIT,\r
+ "%s is denied access to %s %s\n",\r
+ hreq.getUserPrincipal().getName(),\r
+ meth,\r
+ path);\r
+ ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_UNAUTHORIZED);\r
+ }\r
+ }\r
+\r
+ @Override\r
+ public void destroy() {}\r
+}\r
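Review bot: The enforcement key on L114 and the public-path prefix check on L102 are built from `hreq.getContextPath()` (L93, with the path-info part commented out), so on any non-root context the filter never sees the requested resource and every request under the context is checked against the same `type|/context|METHOD` role; only the root-context case falls through to the L96 fallback. Make the fallback the only computation, `String path = hreq.getRequestURI().substring(hreq.getContextPath().length());`, and note that `getRequestURI()` is the raw, undecoded URI, so depending on the container a URI that differs only by encoding or `..` segments may pass `startsWith(p)` while being dispatched elsewhere — normalize (decode, then `java.net.URI.normalize()`) before the comparison. L106, L118 and L126 call `hreq.getUserPrincipal().getName()` unguarded; an unauthenticated request to a public path throws an NPE before `fc.doFilter` on L109 and the denied branch throws before `sendError` on L129, turning both into a 500 instead of the intended pass-through or 401 — resolve the principal once into a local such as `"anonymous"` when it is null and log that. Minor: L101 iterates `publicPaths.get(meth)` a second time instead of the `list` local fetched on L99.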