This commit is contained in:
parent
c23e98d9bb
commit
3af9a558f6
|
|
@ -2,6 +2,10 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
|
||||||
|
|
||||||
# Changelog for Common Smartgears
|
# Changelog for Common Smartgears
|
||||||
|
|
||||||
|
## [v3.1.3-SNAPSHOT] - 2022-03-21
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## [v3.1.2] - 2022-01-19
|
## [v3.1.2] - 2022-01-19
|
||||||
|
|
||||||
- enabled policy check on smartgears
|
- enabled policy check on smartgears
|
||||||
|
|
|
||||||
2
pom.xml
2
pom.xml
|
|
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
<groupId>org.gcube.core</groupId>
|
<groupId>org.gcube.core</groupId>
|
||||||
<artifactId>common-smartgears</artifactId>
|
<artifactId>common-smartgears</artifactId>
|
||||||
<version>3.1.2</version>
|
<version>3.1.3-SNAPSHOT</version>
|
||||||
<name>SmartGears</name>
|
<name>SmartGears</name>
|
||||||
|
|
||||||
<dependencyManagement>
|
<dependencyManagement>
|
||||||
|
|
|
||||||
|
|
@ -112,7 +112,6 @@ public class RequestContextRetriever extends RequestHandler {
|
||||||
log.trace("retrieving context using uma token {} ", accessToken);
|
log.trace("retrieving context using uma token {} ", accessToken);
|
||||||
|
|
||||||
AccessTokenProvider.instance.set(accessToken);
|
AccessTokenProvider.instance.set(accessToken);
|
||||||
SecurityTokenProvider.instance.set(gcubeToken);
|
|
||||||
parseAccessTokenAndSet(accessToken);
|
parseAccessTokenAndSet(accessToken);
|
||||||
log.info("retrieved request authorization info {} in scope {} ", AuthorizationProvider.instance.get(), ScopeProvider.instance.get());
|
log.info("retrieved request authorization info {} in scope {} ", AuthorizationProvider.instance.get(), ScopeProvider.instance.get());
|
||||||
}
|
}
|
||||||
|
|
@ -125,7 +124,6 @@ public class RequestContextRetriever extends RequestHandler {
|
||||||
|
|
||||||
ObjectMapper mapper = new ObjectMapper();
|
ObjectMapper mapper = new ObjectMapper();
|
||||||
|
|
||||||
|
|
||||||
GcubeJwt jwt = null;
|
GcubeJwt jwt = null;
|
||||||
try {
|
try {
|
||||||
jwt = mapper.readValue(realUmaToken, GcubeJwt.class);
|
jwt = mapper.readValue(realUmaToken, GcubeJwt.class);
|
||||||
|
|
@ -133,7 +131,6 @@ public class RequestContextRetriever extends RequestHandler {
|
||||||
log.error("error decoding uma token",e);
|
log.error("error decoding uma token",e);
|
||||||
internal_server_error.fire("error parsing access token");
|
internal_server_error.fire("error parsing access token");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
ScopeBean scopeBean = null;
|
ScopeBean scopeBean = null;
|
||||||
try {
|
try {
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,7 @@ import static org.gcube.smartgears.handlers.application.request.RequestError.app
|
||||||
import static org.gcube.smartgears.handlers.application.request.RequestError.application_unavailable_error;
|
import static org.gcube.smartgears.handlers.application.request.RequestError.application_unavailable_error;
|
||||||
import static org.gcube.smartgears.handlers.application.request.RequestError.invalid_request_error;
|
import static org.gcube.smartgears.handlers.application.request.RequestError.invalid_request_error;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import javax.xml.bind.annotation.XmlAttribute;
|
import javax.xml.bind.annotation.XmlAttribute;
|
||||||
|
|
@ -14,6 +15,7 @@ import org.gcube.common.authorization.library.PolicyUtils;
|
||||||
import org.gcube.common.authorization.library.policies.Policy;
|
import org.gcube.common.authorization.library.policies.Policy;
|
||||||
import org.gcube.common.authorization.library.policies.User2ServicePolicy;
|
import org.gcube.common.authorization.library.policies.User2ServicePolicy;
|
||||||
import org.gcube.common.authorization.library.policies.UserEntity;
|
import org.gcube.common.authorization.library.policies.UserEntity;
|
||||||
|
import org.gcube.common.authorization.library.provider.AccessTokenProvider;
|
||||||
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
|
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
|
||||||
import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
|
import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
|
||||||
import org.gcube.common.authorization.library.provider.ServiceIdentifier;
|
import org.gcube.common.authorization.library.provider.ServiceIdentifier;
|
||||||
|
|
@ -51,6 +53,11 @@ public class RequestValidator extends RequestHandler {
|
||||||
|
|
||||||
log.trace("executing request validator ON REQUEST");
|
log.trace("executing request validator ON REQUEST");
|
||||||
|
|
||||||
|
log.trace("accessToken is null? {} \nGcubeToken is null ? {} \nscope rpvideris null? {}",
|
||||||
|
AccessTokenProvider.instance.get()==null,
|
||||||
|
SecurityTokenProvider.instance.get()==null,
|
||||||
|
ScopeProvider.instance.get()==null);
|
||||||
|
|
||||||
context = call.context();
|
context = call.context();
|
||||||
|
|
||||||
validateAgainstLifecycle(call);
|
validateAgainstLifecycle(call);
|
||||||
|
|
@ -103,9 +110,9 @@ public class RequestValidator extends RequestHandler {
|
||||||
private void rejectUnauthorizedCalls(RequestEvent call){
|
private void rejectUnauthorizedCalls(RequestEvent call){
|
||||||
|
|
||||||
String token = SecurityTokenProvider.instance.get();
|
String token = SecurityTokenProvider.instance.get();
|
||||||
String scope = ScopeProvider.instance.get();
|
String accessToken = AccessTokenProvider.instance.get();
|
||||||
|
|
||||||
if (token == null && scope==null){
|
if (token == null && accessToken==null){
|
||||||
log.warn("rejecting call to {}, authorization required",context.name(),token);
|
log.warn("rejecting call to {}, authorization required",context.name(),token);
|
||||||
RequestError.request_not_authorized_error.fire(context.name()+": authorization required");
|
RequestError.request_not_authorized_error.fire(context.name()+": authorization required");
|
||||||
}
|
}
|
||||||
|
|
@ -121,36 +128,42 @@ public class RequestValidator extends RequestHandler {
|
||||||
|
|
||||||
ServiceIdentifier serviceIdentifier = Utils.getServiceInfo(call.context()).getServiceIdentifier();
|
ServiceIdentifier serviceIdentifier = Utils.getServiceInfo(call.context()).getServiceIdentifier();
|
||||||
|
|
||||||
String callerId = AuthorizationProvider.instance.get().getClient().getId();
|
String previousToken = SecurityTokenProvider.instance.get();
|
||||||
|
|
||||||
List<Policy> policies = null;
|
|
||||||
try {
|
try {
|
||||||
policies = authorizationService().getPolicies(scope);
|
String serviceToken = context.configuration().startTokens().stream().findFirst().get();
|
||||||
}catch (Exception e) {
|
SecurityTokenProvider.instance.set(serviceToken);
|
||||||
invalid_request_error.fire("error contating authorization for polices");
|
String callerId = AuthorizationProvider.instance.get().getClient().getId();
|
||||||
|
|
||||||
|
List<Policy> policies = Collections.emptyList();
|
||||||
|
try {
|
||||||
|
policies = authorizationService().getPolicies(scope);
|
||||||
|
}catch (Exception e) {
|
||||||
|
log.error("error contacting authorization services for policies");
|
||||||
|
}
|
||||||
|
|
||||||
|
for (Policy policy: policies) {
|
||||||
|
log.debug("policy: {}", policy.getPolicyAsString() );
|
||||||
|
|
||||||
|
if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier )) {
|
||||||
|
boolean toReject = false;
|
||||||
|
UserEntity entity = (((User2ServicePolicy) policy).getEntity());
|
||||||
|
if (entity.getIdentifier()!=null)
|
||||||
|
toReject = entity.getIdentifier().equals(callerId);
|
||||||
|
else if (entity.getExcludes().isEmpty())
|
||||||
|
toReject = true;
|
||||||
|
else toReject = !entity.getExcludes().contains(callerId);
|
||||||
|
if (toReject) {
|
||||||
|
log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId);
|
||||||
|
RequestError.request_not_authorized_error.fire("rejecting call to "+context.name()+" for polices: "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}finally {
|
||||||
|
SecurityTokenProvider.instance.set(previousToken);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (Policy policy: policies) {
|
|
||||||
log.debug("policy: {}", policy.getPolicyAsString() );
|
|
||||||
|
|
||||||
if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier )) {
|
|
||||||
boolean toReject = false;
|
|
||||||
UserEntity entity = (((User2ServicePolicy) policy).getEntity());
|
|
||||||
if (entity.getIdentifier()!=null)
|
|
||||||
toReject = entity.getIdentifier().equals(callerId);
|
|
||||||
else if (entity.getExcludes().isEmpty())
|
|
||||||
toReject = true;
|
|
||||||
else toReject = !entity.getExcludes().contains(callerId);
|
|
||||||
if (toReject) {
|
|
||||||
log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId);
|
|
||||||
RequestError.request_not_authorized_error.fire("rejecting call to "+context.name()+" for polices: "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue