https://support.d4science.org/issues/23003

2 years ago · 3af9a558f6
parent c23e98d9bb
commit 3af9a558f6
4 changed files with 48 additions and 34 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,10 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm

 # Changelog for Common Smartgears

+## [v3.1.3-SNAPSHOT] - 2022-03-21
+
+
+
 ## [v3.1.2] - 2022-01-19

 - enabled policy check on smartgears
--- a/pom.xml
+++ b/pom.xml
@ -11,7 +11,7 @@

 	<groupId>org.gcube.core</groupId>
 	<artifactId>common-smartgears</artifactId>
-	<version>3.1.2</version>
+	<version>3.1.3-SNAPSHOT</version>
 	<name>SmartGears</name>

 	<dependencyManagement>
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestContextRetriever.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestContextRetriever.java
@ -112,7 +112,6 @@ public class RequestContextRetriever extends RequestHandler {
 		log.trace("retrieving context using uma token {} ", accessToken);
 		
 		AccessTokenProvider.instance.set(accessToken);
-		SecurityTokenProvider.instance.set(gcubeToken);
 		parseAccessTokenAndSet(accessToken);
 		log.info("retrieved request authorization info {} in scope {} ", AuthorizationProvider.instance.get(), ScopeProvider.instance.get());
 	}
@ -125,7 +124,6 @@ public class RequestContextRetriever extends RequestHandler {
 	
 		ObjectMapper mapper = new ObjectMapper();
 		
-		
 		GcubeJwt jwt = null;
 		try {
 			 jwt = mapper.readValue(realUmaToken, GcubeJwt.class);
@ -133,7 +131,6 @@ public class RequestContextRetriever extends RequestHandler {
 			log.error("error decoding uma token",e);
 			internal_server_error.fire("error parsing access token");
 		}
-			
 		
 		ScopeBean scopeBean = null;
 		try { 
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
@ -5,6 +5,7 @@ import static org.gcube.smartgears.handlers.application.request.RequestError.app
 import static org.gcube.smartgears.handlers.application.request.RequestError.application_unavailable_error;
 import static org.gcube.smartgears.handlers.application.request.RequestError.invalid_request_error;

+import java.util.Collections;
 import java.util.List;

 import javax.xml.bind.annotation.XmlAttribute;
@ -14,6 +15,7 @@ import org.gcube.common.authorization.library.PolicyUtils;
 import org.gcube.common.authorization.library.policies.Policy;
 import org.gcube.common.authorization.library.policies.User2ServicePolicy;
 import org.gcube.common.authorization.library.policies.UserEntity;
+import org.gcube.common.authorization.library.provider.AccessTokenProvider;
 import org.gcube.common.authorization.library.provider.AuthorizationProvider;
 import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
 import org.gcube.common.authorization.library.provider.ServiceIdentifier;
@ -51,6 +53,11 @@ public class RequestValidator extends RequestHandler {

 		log.trace("executing request validator ON REQUEST");

+		log.trace("accessToken is null? {} \nGcubeToken is null ? {} \nscope rpvideris null? {}", 
+				AccessTokenProvider.instance.get()==null, 
+				SecurityTokenProvider.instance.get()==null, 
+				ScopeProvider.instance.get()==null);
+		
 		context = call.context();

 		validateAgainstLifecycle(call);
@ -103,9 +110,9 @@ public class RequestValidator extends RequestHandler {
 	private void rejectUnauthorizedCalls(RequestEvent call){

 		String token = SecurityTokenProvider.instance.get();
-		String scope = ScopeProvider.instance.get();
-
-		if (token == null && scope==null){
+		String accessToken = AccessTokenProvider.instance.get();
+				
+		if (token == null && accessToken==null){
 			log.warn("rejecting call to {}, authorization required",context.name(),token);
 			RequestError.request_not_authorized_error.fire(context.name()+": authorization required");
 		} 
@ -121,36 +128,42 @@ public class RequestValidator extends RequestHandler {

 		ServiceIdentifier serviceIdentifier = Utils.getServiceInfo(call.context()).getServiceIdentifier();

-		String callerId = AuthorizationProvider.instance.get().getClient().getId();
-
-		List<Policy> policies = null;
+		String previousToken = SecurityTokenProvider.instance.get();
 		try {
-			policies = authorizationService().getPolicies(scope);
-		}catch (Exception e) {
-			invalid_request_error.fire("error contating authorization for polices"); 
+			String serviceToken = context.configuration().startTokens().stream().findFirst().get();
+			SecurityTokenProvider.instance.set(serviceToken);
+			String callerId = AuthorizationProvider.instance.get().getClient().getId();
+
+			List<Policy> policies = Collections.emptyList();
+			try {
+				policies = authorizationService().getPolicies(scope);
+			}catch (Exception e) {
+				log.error("error contacting authorization services for policies"); 
+			}
+
+			for (Policy policy: policies) {
+				log.debug("policy: {}", policy.getPolicyAsString() );
+
+				if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier )) {
+					boolean toReject = false;
+					UserEntity entity = (((User2ServicePolicy) policy).getEntity());
+					if (entity.getIdentifier()!=null)
+						toReject = entity.getIdentifier().equals(callerId);
+					else if (entity.getExcludes().isEmpty()) 
+						toReject = true;
+					else toReject = !entity.getExcludes().contains(callerId);
+					if (toReject) {
+						log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId); 
+						RequestError.request_not_authorized_error.fire("rejecting call to "+context.name()+" for polices: "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
+					}
+				}	
+
+			}
+		}finally {
+			SecurityTokenProvider.instance.set(previousToken);
 		}
-		
-		for (Policy policy: policies) {
-			log.debug("policy: {}", policy.getPolicyAsString() );
-
-			if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier )) {
-				boolean toReject = false;
-				UserEntity entity = (((User2ServicePolicy) policy).getEntity());
-				if (entity.getIdentifier()!=null)
-					toReject = entity.getIdentifier().equals(callerId);
-				else if (entity.getExcludes().isEmpty()) 
-					toReject = true;
-				else toReject = !entity.getExcludes().contains(callerId);
-				if (toReject) {
-					log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId); 
-					RequestError.request_not_authorized_error.fire("rejecting call to "+context.name()+" for polices: "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
-				}
-			}	
-
-		}
-
 	}
-	
+


 }