From 515891e0835013e4132b1b2f460c48023cf50867 Mon Sep 17 00:00:00 2001
From: Luca Frosini
Date: Fri, 11 Mar 2022 18:05:57 +0100
Subject: [PATCH] Merging patch of version 3.1.2
---
 CHANGELOG.md | 2 +-
 .../application/request/RequestValidator.java | 37 ++++++++++++++-----
 2 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 54edb2f..c0f3212 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - Added Linux distribution version [#22933]
-## [v3.1.2-SNAPSHOT] - 2022-01-19
+## [v3.1.2] - 2022-01-19
 - enabled policy check on smartgears
 - container configuration for test added
diff --git a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
index 423eb54..648e8c6 100644
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
@@ -12,10 +12,11 @@ import javax.xml.bind.annotation.XmlRootElement;
 import org.gcube.common.authorization.library.PolicyUtils;
 import org.gcube.common.authorization.library.policies.Policy;
+import org.gcube.common.authorization.library.policies.User2ServicePolicy;
+import org.gcube.common.authorization.library.policies.UserEntity;
 import org.gcube.common.authorization.library.provider.AuthorizationProvider;
 import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
 import org.gcube.common.authorization.library.provider.ServiceIdentifier;
-import org.gcube.common.authorization.library.utils.Caller;
 import org.gcube.common.scope.api.ScopeProvider;
 import org.gcube.common.scope.impl.ScopeBean;
 import org.gcube.common.scope.impl.ScopeBean.Type;
@@ -120,18 +121,36 @@ public class RequestValidator extends RequestHandler {
 ServiceIdentifier serviceIdentifier = Utils.getServiceInfo(call.context()).getServiceIdentifier();
- Caller caller = AuthorizationProvider.instance.get();
+ String callerId = AuthorizationProvider.instance.get().getClient().getId();
+
+ List policies = null;
 try {
- List policies = authorizationService().getPolicies(scope);
- for (Policy policy: policies)
- if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier)){
- log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), caller.getClient().getId());
- invalid_request_error.fire("rejecting call to "+context.name()+": "+caller.getClient().getId()+" is not allowed to contact the service");
- }
+ policies = authorizationService().getPolicies(scope);
 }catch (Exception e) {
- log.warn("error getting policies from context {}", scope, e);
+ invalid_request_error.fire("error contating authorization for polices");
 }
+
+ for (Policy policy: policies) {
+ log.debug("policy: {}", policy.getPolicyAsString() );
+
+ if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier )) {
+ boolean toReject = false;
+ UserEntity entity = (((User2ServicePolicy) policy).getEntity());
+ if (entity.getIdentifier()!=null)
+ toReject = entity.getIdentifier().equals(callerId);
+ else if (entity.getExcludes().isEmpty())
+ toReject = true;
+ else toReject = !entity.getExcludes().contains(callerId);
+ if (toReject) {
+ log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId);
+ RequestError.request_not_authorized_error.fire("rejecting call to "+context.name()+" for polices: "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
+ }
+ }
+
+ }
+ }
+ }
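Review bot: The cast `(User2ServicePolicy) policy` in the new loop is unchecked, so a matching policy of any other `Policy` subtype ends the check with a ClassCastException instead of an authorization decision; guard it with `if (!(policy instanceof User2ServicePolicy))` and decide explicitly whether that case rejects (the removed code intended to reject on every matching policy) or is skipped. The new catch block also drops `e`, which the removed `log.warn` recorded, so an authorization-service failure leaves no trace; add `log.error("error getting policies from context {}", scope, e);` before the `fire` call. The loop after the catch dereferences `policies`, which is still null on that path, so the check only fails closed if `invalid_request_error.fire` always throws; presumably it does, but that is not visible in this hunk. The enclosing method starts outside the hunk.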