added svcapi ui and camunda code
diff --git a/otf-camunda/src/main/java/org/oran/otf/cadi/filter/OTFApiEnforcementFilter.java b/otf-camunda/src/main/java/org/oran/otf/cadi/filter/OTFApiEnforcementFilter.java
new file mode 100644 (file)
index 0000000..cf04193
--- /dev/null
@@ -0,0 +1,134 @@
+/*  Copyright (c) 2019 AT&T Intellectual Property.                             #\r
+#                                                                              #\r
+#   Licensed under the Apache License, Version 2.0 (the "License");            #\r
+#   you may not use this file except in compliance with the License.           #\r
+#   You may obtain a copy of the License at                                    #\r
+#                                                                              #\r
+#       http://www.apache.org/licenses/LICENSE-2.0                             #\r
+#                                                                              #\r
+#   Unless required by applicable law or agreed to in writing, software        #\r
+#   distributed under the License is distributed on an "AS IS" BASIS,          #\r
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #\r
+#   See the License for the specific language governing permissions and        #\r
+#   limitations under the License.                                             #\r
+##############################################################################*/\r
+\r
+\r
+package org.oran.otf.cadi.filter;\r
+\r
+import com.google.common.base.Strings;\r
+import java.io.IOException;\r
+import java.util.ArrayList;\r
+import java.util.List;\r
+import java.util.Map;\r
+import java.util.TreeMap;\r
+import javax.servlet.Filter;\r
+import javax.servlet.FilterChain;\r
+import javax.servlet.FilterConfig;\r
+import javax.servlet.ServletException;\r
+import javax.servlet.ServletRequest;\r
+import javax.servlet.ServletResponse;\r
+import javax.servlet.http.HttpServletRequest;\r
+import javax.servlet.http.HttpServletResponse;\r
+import org.apache.commons.logging.Log;\r
+import org.apache.commons.logging.LogFactory;\r
+import org.onap.aaf.cadi.Access;\r
+import org.onap.aaf.cadi.Access.Level;\r
+import org.onap.aaf.cadi.ServletContextAccess;\r
+import org.onap.aaf.cadi.util.Split;\r
+\r
+public class OTFApiEnforcementFilter implements Filter {\r
+  private static final Log log = LogFactory.getLog(OTFApiEnforcementFilter.class);\r
+  private String type;\r
+  private Map<String, List<String>> publicPaths;\r
+  private Access access = null;\r
+\r
+  public OTFApiEnforcementFilter(Access access, String enforce) throws ServletException {\r
+    this.access = access;\r
+    init(enforce);\r
+  }\r
+\r
+  @Override\r
+  public void init(FilterConfig fc) throws ServletException {\r
+    init(fc.getInitParameter("aaf_perm_type"));\r
+    // need the Context for Logging, instantiating ClassLoader, etc\r
+    ServletContextAccess sca = new ServletContextAccess(fc);\r
+    if (access == null) {\r
+      access = sca;\r
+    }\r
+  }\r
+\r
+  private void init(final String ptypes) throws ServletException {\r
+    if (Strings.isNullOrEmpty(ptypes)) {\r
+      throw new ServletException("OTFApiEnforcement requires aaf_perm_type property");\r
+    }\r
+    String[] full = Split.splitTrim(';', ptypes);\r
+    if (full.length <= 0) {\r
+      throw new ServletException("aaf_perm_type property is empty");\r
+    }\r
+\r
+    type = full[0];\r
+    publicPaths = new TreeMap<>();\r
+    if (full.length > 1) {\r
+      for (int i = 1; i < full.length; ++i) {\r
+        String[] pubArray = Split.split(':', full[i]);\r
+        if (pubArray.length == 2) {\r
+          List<String> ls = publicPaths.get(pubArray[0]);\r
+          if (ls == null) {\r
+            ls = new ArrayList<>();\r
+            publicPaths.put(pubArray[0], ls);\r
+          }\r
+          ls.add(pubArray[1]);\r
+        }\r
+      }\r
+    }\r
+  }\r
+\r
+  @Override\r
+  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain fc)\r
+      throws IOException, ServletException {\r
+    HttpServletRequest hreq = (HttpServletRequest) req;\r
+    final String meth = hreq.getMethod();\r
+    String path = hreq.getContextPath(); // + hreq.getPathInfo();\r
+\r
+    if (Strings.isNullOrEmpty(path) || "null".equals(path)) {\r
+      path = hreq.getRequestURI().substring(hreq.getContextPath().length());\r
+    }\r
+\r
+    List<String> list = publicPaths.get(meth);\r
+    if (list != null) {\r
+      for (String p : publicPaths.get(meth)) {\r
+        if (path.startsWith(p)) {\r
+          access.printf(\r
+              Level.INFO,\r
+              "%s accessed public API %s %s\n",\r
+              hreq.getUserPrincipal().getName(),\r
+              meth,\r
+              path);\r
+          fc.doFilter(req, resp);\r
+          return;\r
+        }\r
+      }\r
+    }\r
+    if (hreq.isUserInRole(type + '|' + path + '|' + meth)) {\r
+      access.printf(\r
+          Level.INFO,\r
+          "%s is allowed access to %s %s\n",\r
+          hreq.getUserPrincipal().getName(),\r
+          meth,\r
+          path);\r
+      fc.doFilter(req, resp);\r
+    } else {\r
+      access.printf(\r
+          Level.AUDIT,\r
+          "%s is denied access to %s %s\n",\r
+          hreq.getUserPrincipal().getName(),\r
+          meth,\r
+          path);\r
+      ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_UNAUTHORIZED);\r
+    }\r
+  }\r
+\r
+  @Override\r
+  public void destroy() {}\r
+}\r
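Review bot: In `doFilter`, the `path` that feeds both the public-path match and the `isUserInRole` check is `hreq.getContextPath()` (the `getPathInfo()` part is commented out), so under any non-root context every request is authorized against the same string and the endpoint actually requested never enters the decision; only a root-context deployment reaches the fallback, which uses the raw, undecoded `getRequestURI()`. A `startsWith` test on that raw URI can also match requests the container later resolves to a different resource (encoded segments, `..`, `;` path parameters, depending on the container), so the public list may cover more than intended. Consider building the path from the container-decoded parts, `String path = hreq.getServletPath() + Strings.nullToEmpty(hreq.getPathInfo());`, and matching on a segment boundary, `path.equals(p) || path.startsWith(p + "/")`, if the configured entries are meant as path prefixes. Separately, all three `access.printf` calls dereference `hreq.getUserPrincipal()`, which is null for an unauthenticated request, so unless an earlier filter guarantees authentication an anonymous call to a public path would throw instead of passing through. The denial for an authenticated caller would also more conventionally be `SC_FORBIDDEN` than `SC_UNAUTHORIZED`.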