@ -5,6 +5,7 @@ import static org.gcube.smartgears.handlers.application.request.RequestError.app
import static org.gcube.smartgears.handlers.application.request.RequestError.application_unavailable_error ;
import static org.gcube.smartgears.handlers.application.request.RequestError.invalid_request_error ;
import java.util.Collections ;
import java.util.List ;
import javax.xml.bind.annotation.XmlAttribute ;
@ -14,6 +15,7 @@ import org.gcube.common.authorization.library.PolicyUtils;
import org.gcube.common.authorization.library.policies.Policy ;
import org.gcube.common.authorization.library.policies.User2ServicePolicy ;
import org.gcube.common.authorization.library.policies.UserEntity ;
import org.gcube.common.authorization.library.provider.AccessTokenProvider ;
import org.gcube.common.authorization.library.provider.AuthorizationProvider ;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider ;
import org.gcube.common.authorization.library.provider.ServiceIdentifier ;
@ -51,6 +53,11 @@ public class RequestValidator extends RequestHandler {
log . trace ( "executing request validator ON REQUEST" ) ;
log . trace ( "accessToken is null? {} \nGcubeToken is null ? {} \nscope rpvideris null? {}" ,
AccessTokenProvider . instance . get ( ) = = null ,
SecurityTokenProvider . instance . get ( ) = = null ,
ScopeProvider . instance . get ( ) = = null ) ;
context = call . context ( ) ;
validateAgainstLifecycle ( call ) ;
@ -103,9 +110,9 @@ public class RequestValidator extends RequestHandler {
private void rejectUnauthorizedCalls ( RequestEvent call ) {
String token = SecurityTokenProvider . instance . get ( ) ;
String scope = Scope Provider. instance . get ( ) ;
if ( token = = null & & scope = = null ) {
String accessToken = AccessToken Provider. instance . get ( ) ;
if ( token = = null & & accessToken = = null ) {
log . warn ( "rejecting call to {}, authorization required" , context . name ( ) , token ) ;
RequestError . request_not_authorized_error . fire ( context . name ( ) + ": authorization required" ) ;
}
@ -121,36 +128,42 @@ public class RequestValidator extends RequestHandler {
ServiceIdentifier serviceIdentifier = Utils . getServiceInfo ( call . context ( ) ) . getServiceIdentifier ( ) ;
String callerId = AuthorizationProvider . instance . get ( ) . getClient ( ) . getId ( ) ;
List < Policy > policies = null ;
String previousToken = SecurityTokenProvider . instance . get ( ) ;
try {
policies = authorizationService ( ) . getPolicies ( scope ) ;
} catch ( Exception e ) {
invalid_request_error . fire ( "error contating authorization for polices" ) ;
String serviceToken = context . configuration ( ) . startTokens ( ) . stream ( ) . findFirst ( ) . get ( ) ;
SecurityTokenProvider . instance . set ( serviceToken ) ;
String callerId = AuthorizationProvider . instance . get ( ) . getClient ( ) . getId ( ) ;
List < Policy > policies = Collections . emptyList ( ) ;
try {
policies = authorizationService ( ) . getPolicies ( scope ) ;
} catch ( Exception e ) {
log . error ( "error contacting authorization services for policies" ) ;
}
for ( Policy policy : policies ) {
log . debug ( "policy: {}" , policy . getPolicyAsString ( ) ) ;
if ( PolicyUtils . isPolicyValidForClient ( policy . getServiceAccess ( ) , serviceIdentifier ) ) {
boolean toReject = false ;
UserEntity entity = ( ( ( User2ServicePolicy ) policy ) . getEntity ( ) ) ;
if ( entity . getIdentifier ( ) ! = null )
toReject = entity . getIdentifier ( ) . equals ( callerId ) ;
else if ( entity . getExcludes ( ) . isEmpty ( ) )
toReject = true ;
else toReject = ! entity . getExcludes ( ) . contains ( callerId ) ;
if ( toReject ) {
log . error ( "rejecting call to {} : {} is not allowed to contact the service " , context . name ( ) , callerId ) ;
RequestError . request_not_authorized_error . fire ( "rejecting call to " + context . name ( ) + " for polices: " + callerId + " is not allowed to contact the service: " + serviceIdentifier . getServiceName ( ) ) ;
}
}
}
} finally {
SecurityTokenProvider . instance . set ( previousToken ) ;
}
for ( Policy policy : policies ) {
log . debug ( "policy: {}" , policy . getPolicyAsString ( ) ) ;
if ( PolicyUtils . isPolicyValidForClient ( policy . getServiceAccess ( ) , serviceIdentifier ) ) {
boolean toReject = false ;
UserEntity entity = ( ( ( User2ServicePolicy ) policy ) . getEntity ( ) ) ;
if ( entity . getIdentifier ( ) ! = null )
toReject = entity . getIdentifier ( ) . equals ( callerId ) ;
else if ( entity . getExcludes ( ) . isEmpty ( ) )
toReject = true ;
else toReject = ! entity . getExcludes ( ) . contains ( callerId ) ;
if ( toReject ) {
log . error ( "rejecting call to {} : {} is not allowed to contact the service " , context . name ( ) , callerId ) ;
RequestError . request_not_authorized_error . fire ( "rejecting call to " + context . name ( ) + " for polices: " + callerId + " is not allowed to contact the service: " + serviceIdentifier . getServiceName ( ) ) ;
}
}
}
}
}