Merging patch of version 3.1.2

2022-03-11 18:05:57 +01:00 · 2022-03-11 18:05:57 +01:00 · 515891e083
parent 635036bce1
commit 515891e083
2 changed files with 29 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,7 +8,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - Added Linux distribution version [#22933]


-## [v3.1.2-SNAPSHOT] - 2022-01-19
+## [v3.1.2] - 2022-01-19

 - enabled policy check on smartgears
 - container configuration for test added
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
@ -12,10 +12,11 @@ import javax.xml.bind.annotation.XmlRootElement;

 import org.gcube.common.authorization.library.PolicyUtils;
 import org.gcube.common.authorization.library.policies.Policy;
+import org.gcube.common.authorization.library.policies.User2ServicePolicy;
+import org.gcube.common.authorization.library.policies.UserEntity;
 import org.gcube.common.authorization.library.provider.AuthorizationProvider;
 import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
 import org.gcube.common.authorization.library.provider.ServiceIdentifier;
-import org.gcube.common.authorization.library.utils.Caller;
 import org.gcube.common.scope.api.ScopeProvider;
 import org.gcube.common.scope.impl.ScopeBean;
 import org.gcube.common.scope.impl.ScopeBean.Type;
@ -120,18 +121,36 @@ public class RequestValidator extends RequestHandler {

 		ServiceIdentifier serviceIdentifier = Utils.getServiceInfo(call.context()).getServiceIdentifier();

-		Caller caller = AuthorizationProvider.instance.get();
+		String callerId = AuthorizationProvider.instance.get().getClient().getId();
+
+		List<Policy> policies = null;
 		try {
-			List<Policy> policies = authorizationService().getPolicies(scope);
-			for (Policy policy: policies)
-				if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier)){
-					log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), caller.getClient().getId());
-					invalid_request_error.fire("rejecting call to "+context.name()+": "+caller.getClient().getId()+" is not allowed to contact the service");
-				}	
+			policies = authorizationService().getPolicies(scope);
 		}catch (Exception e) {
-			log.warn("error getting policies from context {}", scope, e);
+			invalid_request_error.fire("error contating authorization for polices"); 
 		}
+		
+		for (Policy policy: policies) {
+			log.debug("policy: {}", policy.getPolicyAsString() );
+
+			if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier )) {
+				boolean toReject = false;
+				UserEntity entity = (((User2ServicePolicy) policy).getEntity());
+				if (entity.getIdentifier()!=null)
+					toReject = entity.getIdentifier().equals(callerId);
+				else if (entity.getExcludes().isEmpty()) 
+					toReject = true;
+				else toReject = !entity.getExcludes().contains(callerId);
+				if (toReject) {
+					log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId); 
+					RequestError.request_not_authorized_error.fire("rejecting call to "+context.name()+" for polices: "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
+				}
+			}	
+
+		}
+
 	}
+	


 }