@ -12,6 +12,10 @@ import javax.xml.bind.annotation.XmlRootElement;
import org.gcube.common.authorization.library.PolicyUtils ;
import org.gcube.common.authorization.library.policies.Policy ;
import org.gcube.common.authorization.library.policies.PolicyType ;
import org.gcube.common.authorization.library.policies.ServiceAccess ;
import org.gcube.common.authorization.library.policies.User2ServicePolicy ;
import org.gcube.common.authorization.library.policies.UserEntity ;
import org.gcube.common.authorization.library.provider.AuthorizationProvider ;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider ;
import org.gcube.common.authorization.library.provider.ServiceIdentifier ;
@ -77,7 +81,7 @@ public class RequestValidator extends RequestHandler {
//nothing to do, but avoids warnings
}
}
private void validateScopeCall ( ) {
@ -120,20 +124,41 @@ public class RequestValidator extends RequestHandler {
ServiceIdentifier serviceIdentifier = Utils . getServiceInfo ( call . context ( ) ) . getServiceIdentifier ( ) ;
Caller caller = AuthorizationProvider . instance . get ( ) ;
String callerId = AuthorizationProvider . instance . get ( ) . getClient ( ) . getId ( ) ;
try {
List < Policy > policies = authorizationService ( ) . getPolicies ( scope ) ;
for ( Policy policy : policies ) {
log . debug ( "policy: {}" , policy . getPolicyAsString ( ) ) ;
if ( PolicyUtils . isPolicyValidForClient ( policy . getServiceAccess ( ) , serviceIdentifier ) ) {
log . error ( "rejecting call to {} : {} is not allowed to contact the service " , context . name ( ) , caller . getClient ( ) . getId ( ) ) ;
invalid_request_error . fire ( "rejecting call to " + context . name ( ) + ": " + caller . getClient ( ) . getId ( ) + " is not allowed to contact the service: " + serviceIdentifier . getServiceName ( ) ) ;
if ( PolicyUtils . isPolicyValidForClient ( policy . getServiceAccess ( ) , serviceIdentifier ) | | isPolicyValidForService ( policy . getServiceAccess ( ) , serviceIdentifier ) ) {
boolean toReject = false ;
UserEntity entity = ( ( ( User2ServicePolicy ) policy ) . getEntity ( ) ) ;
if ( entity . getIdentifier ( ) ! = null )
toReject = entity . getIdentifier ( ) . trim ( ) . equals ( callerId ) ;
else if ( entity . getExcludes ( ) . isEmpty ( ) )
toReject = true ;
else toReject = ! entity . getExcludes ( ) . contains ( callerId ) ;
if ( toReject ) {
log . error ( "rejecting call to {} : {} is not allowed to contact the service " , context . name ( ) , callerId ) ;
invalid_request_error . fire ( "rejecting call to " + context . name ( ) + ": " + callerId + " is not allowed to contact the service: " + serviceIdentifier . getServiceName ( ) ) ;
}
}
}
} catch ( Exception e ) {
log . warn ( "error getting policies from context {}" , scope , e ) ;
}
}
//TO resolve an error on Auth Portlet
private boolean isPolicyValidForService ( ServiceAccess serviceAccess , ServiceIdentifier serviceId ) {
String policyAsString = serviceAccess . getAsString ( ) ;
return policyAsString . equals ( "ALL" ) | | policyAsString . equals ( serviceId . getServiceClass ( ) + ":ALL:ALL" ) | |
policyAsString . equals ( serviceId . getServiceClass ( ) + ":" + serviceId . getServiceName ( ) + ":ALL" ) | |
policyAsString . equals ( serviceId . getFullIdentifier ( ) ) ;
}
}
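Review bot: The cast at `UserEntity entity = (((User2ServicePolicy) policy).getEntity());` is unchecked although `getPolicies(scope)` returns `List<Policy>`, so a policy of any other type throws ClassCastException into the `catch (Exception e)` below, which only logs a warning; the loop is abandoned, the remaining policies are never evaluated, and the request proceeds unrejected. Guard it before the cast, `if (!(policy instanceof User2ServicePolicy)) continue;`, and treat `entity.getExcludes()` the same way if it can be null, which the hunk does not show. That same catch swallows a failure to reach the authorization service, so the check fails open whenever policies cannot be retrieved, and if `invalid_request_error.fire` rejects by throwing (not visible here) the rejection would be swallowed too; for an access-control gate the catch should reject the call rather than warn, or the fire call should sit outside the try. Also `entity.getIdentifier().trim().equals(callerId)` trims only the policy side while `callerId` is compared as-is, which is probably intended but deserves a comment; the `//TO resolve an error on Auth Portlet` comment on the new helper should say what the error was, e.g. `// Accepts the wildcard forms (ALL, class:ALL:ALL, class:name:ALL) and the full identifier; added because the Auth Portlet emits these forms`.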