@ -1,21 +1,12 @@
package org.gcube.smartgears.handlers.application.request ;
import static org.gcube.common.authorization.client.Constants.authorizationService ;
import static org.gcube.smartgears.handlers.application.request.RequestError.application_failed_error ;
import static org.gcube.smartgears.handlers.application.request.RequestError.application_unavailable_error ;
import static org.gcube.smartgears.handlers.application.request.RequestError.invalid_request_error ;
import java.util.List ;
import javax.xml.bind.annotation.XmlAttribute ;
import javax.xml.bind.annotation.XmlRootElement ;
import org.gcube.common.authorization.library.PolicyUtils ;
import org.gcube.common.authorization.library.policies.Policy ;
import org.gcube.common.authorization.library.policies.User2ServicePolicy ;
import org.gcube.common.authorization.library.policies.UserEntity ;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider ;
import org.gcube.common.authorization.library.provider.ServiceIdentifier ;
import org.gcube.common.authorization.utils.manager.SecretManager ;
import org.gcube.common.authorization.utils.manager.SecretManagerProvider ;
import org.gcube.common.scope.api.ScopeProvider ;
import org.gcube.common.scope.impl.ScopeBean ;
@ -26,7 +17,6 @@ import org.gcube.smartgears.configuration.container.ContainerConfiguration;
import org.gcube.smartgears.context.application.ApplicationContext ;
import org.gcube.smartgears.handlers.application.RequestEvent ;
import org.gcube.smartgears.handlers.application.RequestHandler ;
import org.gcube.smartgears.utils.Utils ;
import org.slf4j.Logger ;
import org.slf4j.LoggerFactory ;
@ -83,30 +73,30 @@ public class RequestValidator extends RequestHandler {
private void validateScopeCall ( ) {
String scope = Scope Provider. instance . ge t( ) ;
String context = SecretManager Provider. instance . ge t( ) . getContex t( ) ;
if ( scope = = null ) {
if ( context = = null ) {
log . warn ( "rejecting unscoped call to {}" , appContext . name ( ) ) ;
invalid_request_error . fire ( "call is unscoped" ) ;
}
ScopeBean bean = new ScopeBean ( scope ) ;
ScopeBean bean = new ScopeBean ( context ) ;
ContainerConfiguration conf = appContext . container ( ) . configuration ( ) ;
if ( ! conf . allowedContexts ( ) . contains ( scope ) & &
! ( conf . authorizeChildrenContext ( ) & & bean . is ( Type . VRE ) & & conf . allowedContexts ( ) . contains ( bean . enclosingScope ( ) . toString ( ) ) ) ) {
log . warn ( "rejecting call to {} in invalid context {}, allowed context are {}" , appContext . name ( ) , scope , appContext . container ( ) . configuration ( ) . allowedContexts ( ) ) ;
invalid_request_error . fire ( appContext . name ( ) + " cannot be called in scope " + scope ) ;
if ( ! conf . allowedContexts ( ) . contains ( context ) & &
! ( conf . authorizeChildrenContext ( ) & & bean . is ( Type . VRE )
& & conf . allowedContexts ( ) . contains ( bean . enclosingScope ( ) . toString ( ) ) ) ) {
log . warn ( "rejecting call to {} in invalid context {}, allowed context are {}" , appContext . name ( ) , context , appContext . container ( ) . configuration ( ) . allowedContexts ( ) ) ;
invalid_request_error . fire ( appContext . name ( ) + " cannot be called in scope " + context ) ;
}
}
private void rejectUnauthorizedCalls ( RequestEvent call ) {
String token = SecurityTokenProvider . instance . get ( ) ;
String context = SecretManagerProvider . instance . get ( ) . getContext ( ) ;
if ( token = = null & & context = = null ) {
log . warn ( "rejecting call to {}, authorization required" , appContext . name ( ) , token ) ;
SecretManager secretManager = SecretManagerProvider . instance . get ( ) ;
if ( secretManager . getCurrentSecretHolder ( ) . getSecrets ( ) . size ( ) > 0 ) {
log . warn ( "rejecting call to {}, authorization required" , appContext . name ( ) ) ;
RequestError . request_not_authorized_error . fire ( appContext . name ( ) + ": authorization required" ) ;
}
}
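Review bot: The new guard in rejectUnauthorizedCalls looks inverted: it fires request_not_authorized_error when `getSecrets().size() > 0`, i.e. when the caller did present credentials, while a call carrying no secrets at all passes straight through — the opposite of the removed `token == null && context == null` check and of the "authorization required" message it still logs. If `getSecrets()` is the set of credentials attached to the current call, the condition should read `if (secretManager.getCurrentSecretHolder().getSecrets().isEmpty()) {`. Both validateScopeCall and rejectUnauthorizedCalls also dereference `SecretManagerProvider.instance.get()` without a null check, so a request with no secret manager bound would surface as a NullPointerException rather than the intended invalid_request_error or not-authorized rejection; worth confirming the provider guarantees a non-null instance at this point in the request pipeline. The unchanged `bean.enclosingScope().toString()` branch in validateScopeCall is inherited from the old code and is not part of this point.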
@ -117,40 +107,10 @@ public class RequestValidator extends RequestHandler {
}
private void validatePolicy ( String scope , RequestEvent call ) {
log . info ( "accessing policy validator in scope {} " , scope ) ;
ServiceIdentifier serviceIdentifier = Utils . getServiceInfo ( call . context ( ) ) . getServiceIdentifier ( ) ;
String callerId = SecretManagerProvider . instance . get ( ) . getUser ( ) . getUsername ( ) ;
List < Policy > policies = null ;
try {
policies = authorizationService ( ) . getPolicies ( scope ) ;
} catch ( Exception e ) {
invalid_request_error . fire ( "error contating authorization for polices" ) ;
}
for ( Policy policy : policies ) {
log . debug ( "policy: {}" , policy . getPolicyAsString ( ) ) ;
if ( PolicyUtils . isPolicyValidForClient ( policy . getServiceAccess ( ) , serviceIdentifier ) ) {
boolean toReject = false ;
UserEntity entity = ( ( ( User2ServicePolicy ) policy ) . getEntity ( ) ) ;
if ( entity . getIdentifier ( ) ! = null )
toReject = entity . getIdentifier ( ) . equals ( callerId ) ;
else if ( entity . getExcludes ( ) . isEmpty ( ) )
toReject = true ;
else toReject = ! entity . getExcludes ( ) . contains ( callerId ) ;
if ( toReject ) {
log . error ( "rejecting call to {} : {} is not allowed to contact the service " , appContext . name ( ) , callerId ) ;
RequestError . request_not_authorized_error . fire ( "rejecting call to " + appContext . name ( ) + " for polices: " + callerId + " is not allowed to contact the service: " + serviceIdentifier . getServiceName ( ) ) ;
}
}
}
//TODO: must be re-think
}
}
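Review bot: Nothing in this hunk replaces the per-caller policy enforcement that validatePolicy performed (the `authorizationService().getPolicies(scope)` lookup and the rejection of callers matched or not excluded by a User2ServicePolicy), so after this change the handler performs no caller-level policy check unless one exists elsewhere. The bare `//TODO: must be re-think` does not record that, which makes the gap easy to lose track of; suggest something like `// TODO: User2ServicePolicy enforcement (policy lookup + caller rejection) removed pending redesign; callers are currently not filtered by policy`. The call site of validatePolicy is not in this hunk, so it should be confirmed that it was removed or stubbed consistently.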