From b84b4fad8108286085720cb08231bb79b93db114 Mon Sep 17 00:00:00 2001
From: lucio lelii
Date: Fri, 4 Mar 2022 17:28:40 +0100
Subject: [PATCH] throws error on invalid policy
---
 .../application/request/RequestValidator.java | 51 ++++++++++---------
 1 file changed, 27 insertions(+), 24 deletions(-)
diff --git a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
index dc53501..992f977 100644
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
@@ -81,7 +81,7 @@ public class RequestValidator extends RequestHandler {
 //nothing to do, but avoids warnings
 }
-
+ }
 private void validateScopeCall() {
@@ -125,36 +125,39 @@ public class RequestValidator extends RequestHandler {
 ServiceIdentifier serviceIdentifier = Utils.getServiceInfo(call.context()).getServiceIdentifier();
 String callerId = AuthorizationProvider.instance.get().getClient().getId();
+
+ List policies = null;
 try {
- List policies = authorizationService().getPolicies(scope);
- for (Policy policy: policies) {
- log.debug("policy: {}", policy.getPolicyAsString() );
-
- if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier ) || isPolicyValidForService(policy.getServiceAccess(), serviceIdentifier)) {
- boolean toReject = false;
- UserEntity entity = (((User2ServicePolicy) policy).getEntity());
- if (entity.getIdentifier()!=null)
- toReject = entity.getIdentifier().trim().equals(callerId);
- else if (entity.getExcludes().isEmpty())
- toReject = true;
- else toReject = !entity.getExcludes().contains(callerId);
-
- if (toReject) {
- log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId);
- invalid_request_error.fire("rejecting call to "+context.name()+": "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
- }
- }
-
- }
 }catch (Exception e) {
- log.warn("error getting policies from context {}", scope, e);
+ invalid_request_error.fire("error contating authorization");
 }
+
+ for (Policy policy: policies) {
+ log.debug("policy: {}", policy.getPolicyAsString() );
+
+ if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier ) || isPolicyValidForService(policy.getServiceAccess(), serviceIdentifier)) {
+ boolean toReject = false;
+ UserEntity entity = (((User2ServicePolicy) policy).getEntity());
+ if (entity.getIdentifier()!=null)
+ toReject = entity.getIdentifier().trim().equals(callerId);
+ else if (entity.getExcludes().isEmpty())
+ toReject = true;
+ else toReject = !entity.getExcludes().contains(callerId);
+ if (toReject) 
{
+ log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId);
+ RequestError.request_not_authorized_error.fire("rejecting call to "+context.name()+": "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
+ }
+ }
+
+ }
+ }
-
+
 //TO resolve an error on Auth Portlet
 private boolean isPolicyValidForService(ServiceAccess serviceAccess, ServiceIdentifier serviceId) {
 String policyAsString = serviceAccess.getAsString();
-
+
 return policyAsString.equals("ALL") || policyAsString.equals(serviceId.getServiceClass()+":ALL:ALL") || policyAsString.equals(serviceId.getServiceClass()+":"+serviceId.getServiceName()+":ALL") || policyAsString.equals(serviceId.getFullIdentifier());
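Review bot: The result of `authorizationService().getPolicies(scope)` inside the new try block is discarded, so `policies` is still null when `for (Policy policy: policies)` runs and every request that reaches the loop fails with a NullPointerException instead of being checked against any policy; the line should read `policies = authorizationService().getPolicies(scope);`. The fail-closed error path also holds only if `invalid_request_error.fire(...)` never returns normally, because the same null loop follows it otherwise, so a `return;` after the fire (or an explicit null guard before the loop) would make the intent independent of how fire behaves. The catch drops the exception that the removed `log.warn` used to record and the message has a typo: `log.warn("error getting policies from context {}", scope, e);` followed by `invalid_request_error.fire("error contacting authorization");` keeps the diagnostic without leaking it to the caller. `List policies` is a raw type; `List<Policy> policies = null;` matches the loop's element type. validateScopeCall begins before this hunk, so the declarations of `scope` and `call` are not visible here.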