diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7024686..348073c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
# Changelog for Common Smartgears
+## [v3.1.3-SNAPSHOT] - 2022-03-21
+
+
+
## [v3.1.2] - 2022-01-19
- enabled policy check on smartgears
diff --git a/pom.xml b/pom.xml
index c24fdd5..6c4114c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@
org.gcube.core
common-smartgears
- 3.1.2
+ 3.1.3-SNAPSHOT
SmartGears
diff --git a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestContextRetriever.java b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestContextRetriever.java
index 70e983d..37fac3d 100644
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestContextRetriever.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestContextRetriever.java
@@ -112,7 +112,6 @@ public class RequestContextRetriever extends RequestHandler {
log.trace("retrieving context using uma token {} ", accessToken);
AccessTokenProvider.instance.set(accessToken);
- SecurityTokenProvider.instance.set(gcubeToken);
parseAccessTokenAndSet(accessToken);
log.info("retrieved request authorization info {} in scope {} ", AuthorizationProvider.instance.get(), ScopeProvider.instance.get());
}
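Review bot: Removing `SecurityTokenProvider.instance.set(gcubeToken)` from the UMA-token branch means this request no longer overwrites whatever value the provider already holds; if the provider is thread-local and is not cleared at the end of each request, a later request handled by the same worker thread could observe the previous request's gcube token, so it is worth confirming the provider is reset on request completion. A one-line comment would make the intent visible, e.g. `// UMA path: only the access token is propagated; RequestValidator accepts either token`. The enclosing method starts outside the hunk, so I cannot see whether gcubeToken is still used after this point.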
@@ -125,7 +124,6 @@ public class RequestContextRetriever extends RequestHandler {
ObjectMapper mapper = new ObjectMapper();
-
GcubeJwt jwt = null;
try {
jwt = mapper.readValue(realUmaToken, GcubeJwt.class);
@@ -133,7 +131,6 @@ public class RequestContextRetriever extends RequestHandler {
log.error("error decoding uma token",e);
internal_server_error.fire("error parsing access token");
}
-
ScopeBean scopeBean = null;
try {
diff --git a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
index 648e8c6..a35ec9a 100644
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
@@ -5,6 +5,7 @@ import static org.gcube.smartgears.handlers.application.request.RequestError.app
import static org.gcube.smartgears.handlers.application.request.RequestError.application_unavailable_error;
import static org.gcube.smartgears.handlers.application.request.RequestError.invalid_request_error;
+import java.util.Collections;
import java.util.List;
import javax.xml.bind.annotation.XmlAttribute;
@@ -14,6 +15,7 @@ import org.gcube.common.authorization.library.PolicyUtils;
import org.gcube.common.authorization.library.policies.Policy;
import org.gcube.common.authorization.library.policies.User2ServicePolicy;
import org.gcube.common.authorization.library.policies.UserEntity;
+import org.gcube.common.authorization.library.provider.AccessTokenProvider;
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
import org.gcube.common.authorization.library.provider.ServiceIdentifier;
@@ -51,6 +53,11 @@ public class RequestValidator extends RequestHandler {
log.trace("executing request validator ON REQUEST");
+ log.trace("accessToken is null? {} \nGcubeToken is null ? {} \nscope rpvideris null? {}",
+ AccessTokenProvider.instance.get()==null,
+ SecurityTokenProvider.instance.get()==null,
+ ScopeProvider.instance.get()==null);
+
context = call.context();
validateAgainstLifecycle(call);
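Review bot: The new trace message at the top of the hunk has a typo (`scope rpvideris null?`) and embeds `\n`, which splits a single log event over three physical lines and confuses line-oriented log collectors. A single-line message reads better: `log.trace("accessToken is null? {}, gcubeToken is null? {}, scope is null? {}",` with the three arguments unchanged. The enclosing method continues outside the hunk.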
@@ -103,9 +110,9 @@ public class RequestValidator extends RequestHandler {
private void rejectUnauthorizedCalls(RequestEvent call){
String token = SecurityTokenProvider.instance.get();
- String scope = ScopeProvider.instance.get();
-
- if (token == null && scope==null){
+ String accessToken = AccessTokenProvider.instance.get();
+
+ if (token == null && accessToken==null){
log.warn("rejecting call to {}, authorization required",context.name(),token);
RequestError.request_not_authorized_error.fire(context.name()+": authorization required");
}
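Review bot: The `scope` local removed at the top of the hunk is still the argument of `authorizationService().getPolicies(scope)` in the later hunk of this file; if that code belongs to this same method rather than a separate one, the declaration now has to come from somewhere else — worth confirming the file still compiles. The guard now lets a call through when either a gcube token or an access token is present, so a short comment above it, e.g. `// either token identifies the caller; the policy check below needs at least one`, would help readers, since the rest of the method lies past the hunk.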
@@ -121,36 +128,42 @@ public class RequestValidator extends RequestHandler {
ServiceIdentifier serviceIdentifier = Utils.getServiceInfo(call.context()).getServiceIdentifier();
- String callerId = AuthorizationProvider.instance.get().getClient().getId();
-
- List policies = null;
+ String previousToken = SecurityTokenProvider.instance.get();
try {
- policies = authorizationService().getPolicies(scope);
- }catch (Exception e) {
- invalid_request_error.fire("error contating authorization for polices");
+ String serviceToken = context.configuration().startTokens().stream().findFirst().get();
+ SecurityTokenProvider.instance.set(serviceToken);
+ String callerId = AuthorizationProvider.instance.get().getClient().getId();
+
+ List policies = Collections.emptyList();
+ try {
+ policies = authorizationService().getPolicies(scope);
+ }catch (Exception e) {
+ log.error("error contacting authorization services for policies");
+ }
+
+ for (Policy policy: policies) {
+ log.debug("policy: {}", policy.getPolicyAsString() );
+
+ if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier )) {
+ boolean toReject = false;
+ UserEntity entity = (((User2ServicePolicy) policy).getEntity());
+ if (entity.getIdentifier()!=null)
+ toReject = entity.getIdentifier().equals(callerId);
+ else if (entity.getExcludes().isEmpty())
+ toReject = true;
+ else toReject = !entity.getExcludes().contains(callerId);
+ if (toReject) {
+ log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId);
+ RequestError.request_not_authorized_error.fire("rejecting call to "+context.name()+" for polices: "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
+ }
+ }
+
+ }
+ }finally {
+ SecurityTokenProvider.instance.set(previousToken);
}
-
- for (Policy policy: policies) {
- log.debug("policy: {}", policy.getPolicyAsString() );
-
- if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier )) {
- boolean toReject = false;
- UserEntity entity = (((User2ServicePolicy) policy).getEntity());
- if (entity.getIdentifier()!=null)
- toReject = entity.getIdentifier().equals(callerId);
- else if (entity.getExcludes().isEmpty())
- toReject = true;
- else toReject = !entity.getExcludes().contains(callerId);
- if (toReject) {
- log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId);
- RequestError.request_not_authorized_error.fire("rejecting call to "+context.name()+" for polices: "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
- }
- }
-
- }
-
}
-
+
}
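Review bot: A failure to reach the authorization service is now only logged and the check continues with `Collections.emptyList()`, so the loop has nothing to reject and the call goes through — the replaced code fired `invalid_request_error` instead, so this turns an outage of the policy backend into fail-open for every policy-guarded call, and the `log.error` also drops `e`, losing the stack trace. Two further points: `startTokens().stream().findFirst().get()` throws NoSuchElementException when no start token is configured, which escapes the outer try as an unhandled exception rather than a request error; and `callerId` is now read after `SecurityTokenProvider` has been switched to the service token — if AuthorizationProvider's value is derived from that token, callerId would be the service's own identity and the policy would be evaluated against the wrong principal, so reading it before the swap, as the old code did, is safer. The raw `List policies` should be `List<Policy>`. The enclosing method starts before the hunk, so `scope` and `context` are declared outside it.
```java
String previousToken = SecurityTokenProvider.instance.get();
// Read the caller identity before the thread's token is switched to the service token.
String callerId = AuthorizationProvider.instance.get().getClient().getId();
try {
    String serviceToken = context.configuration().startTokens().stream().findFirst()
            .orElseThrow(() -> new IllegalStateException("no start token configured for " + context.name()));
    SecurityTokenProvider.instance.set(serviceToken);

    List<Policy> policies = Collections.emptyList();
    try {
        policies = authorizationService().getPolicies(scope);
    } catch (Exception e) {
        log.error("error contacting authorization services for policies", e);
        // fail closed: without the policies the call cannot be evaluated, so reject as before
        invalid_request_error.fire("error contacting authorization for policies");
    }
    // … unchanged: policy loop and rejection …
} finally {
    SecurityTokenProvider.instance.set(previousToken);
}
```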