@ -12,10 +12,11 @@ import javax.xml.bind.annotation.XmlRootElement;
import org.gcube.common.authorization.library.PolicyUtils ;
import org.gcube.common.authorization.library.policies.Policy ;
import org.gcube.common.authorization.library.policies.User2ServicePolicy ;
import org.gcube.common.authorization.library.policies.UserEntity ;
import org.gcube.common.authorization.library.provider.AuthorizationProvider ;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider ;
import org.gcube.common.authorization.library.provider.ServiceIdentifier ;
import org.gcube.common.authorization.library.utils.Caller ;
import org.gcube.common.scope.api.ScopeProvider ;
import org.gcube.common.scope.impl.ScopeBean ;
import org.gcube.common.scope.impl.ScopeBean.Type ;
@ -120,18 +121,36 @@ public class RequestValidator extends RequestHandler {
ServiceIdentifier serviceIdentifier = Utils . getServiceInfo ( call . context ( ) ) . getServiceIdentifier ( ) ;
Caller caller = AuthorizationProvider . instance . get ( ) ;
String callerId = AuthorizationProvider . instance . get ( ) . getClient ( ) . getId ( ) ;
List < Policy > policies = null ;
try {
List < Policy > policies = authorizationService ( ) . getPolicies ( scope ) ;
for ( Policy policy : policies )
if ( PolicyUtils . isPolicyValidForClient ( policy . getServiceAccess ( ) , serviceIdentifier ) ) {
log . error ( "rejecting call to {} : {} is not allowed to contact the service " , context . name ( ) , caller . getClient ( ) . getId ( ) ) ;
invalid_request_error . fire ( "rejecting call to " + context . name ( ) + ": " + caller . getClient ( ) . getId ( ) + " is not allowed to contact the service" ) ;
}
policies = authorizationService ( ) . getPolicies ( scope ) ;
} catch ( Exception e ) {
log . warn ( "error getting policies from context {}" , scope , e ) ;
invalid_request_error . fire ( "error contating authorization for polices" ) ;
}
for ( Policy policy : policies ) {
log . debug ( "policy: {}" , policy . getPolicyAsString ( ) ) ;
if ( PolicyUtils . isPolicyValidForClient ( policy . getServiceAccess ( ) , serviceIdentifier ) ) {
boolean toReject = false ;
UserEntity entity = ( ( ( User2ServicePolicy ) policy ) . getEntity ( ) ) ;
if ( entity . getIdentifier ( ) ! = null )
toReject = entity . getIdentifier ( ) . equals ( callerId ) ;
else if ( entity . getExcludes ( ) . isEmpty ( ) )
toReject = true ;
else toReject = ! entity . getExcludes ( ) . contains ( callerId ) ;
if ( toReject ) {
log . error ( "rejecting call to {} : {} is not allowed to contact the service " , context . name ( ) , callerId ) ;
RequestError . request_not_authorized_error . fire ( "rejecting call to " + context . name ( ) + " for polices: " + callerId + " is not allowed to contact the service: " + serviceIdentifier . getServiceName ( ) ) ;
}
}
}
}
}