diff --git a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
index d5743c7..dc53501 100644
--- a/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
+++ b/src/main/java/org/gcube/smartgears/handlers/application/request/RequestValidator.java
@@ -12,6 +12,10 @@
 import javax.xml.bind.annotation.XmlRootElement;
 import org.gcube.common.authorization.library.PolicyUtils;
 import org.gcube.common.authorization.library.policies.Policy;
+import org.gcube.common.authorization.library.policies.PolicyType;
+import org.gcube.common.authorization.library.policies.ServiceAccess;
+import org.gcube.common.authorization.library.policies.User2ServicePolicy;
+import org.gcube.common.authorization.library.policies.UserEntity;
 import org.gcube.common.authorization.library.provider.AuthorizationProvider;
 import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
 import org.gcube.common.authorization.library.provider.ServiceIdentifier;
@@ -77,7 +81,7 @@ public class RequestValidator extends RequestHandler {
 //nothing to do, but avoids warnings
 }
-
+
 }
 private void validateScopeCall() {
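Review bot: `PolicyType` is imported in this hunk but nothing in the patch references it, so the import is dead as committed; either drop it or use it for the type check the validateScopeCall hunk needs before casting a `Policy` to `User2ServicePolicy`. The other three imports are used by the new code. The whitespace-only hunk at line 81 needs no change.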
@@ -120,20 +124,41 @@ public class RequestValidator extends RequestHandler {
 ServiceIdentifier serviceIdentifier = Utils.getServiceInfo(call.context()).getServiceIdentifier();
- Caller caller = AuthorizationProvider.instance.get();
+ String callerId = AuthorizationProvider.instance.get().getClient().getId();
 try {
 List policies = authorizationService().getPolicies(scope);
 for (Policy policy: policies) {
 log.debug("policy: {}", policy.getPolicyAsString() );
- if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier)){
- log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), caller.getClient().getId());
- invalid_request_error.fire("rejecting call to "+context.name()+": "+caller.getClient().getId()+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
+
+ if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier ) || isPolicyValidForService(policy.getServiceAccess(), serviceIdentifier)) {
+ boolean toReject = false;
+ UserEntity entity = (((User2ServicePolicy) policy).getEntity());
+ if (entity.getIdentifier()!=null)
+ toReject = entity.getIdentifier().trim().equals(callerId);
+ else if (entity.getExcludes().isEmpty())
+ toReject = true;
+ else toReject = !entity.getExcludes().contains(callerId);
+
+ if (toReject) {
+ log.error("rejecting call to {} : {} is not allowed to contact the service ",context.name(), callerId);
+ invalid_request_error.fire("rejecting call to "+context.name()+": "+callerId+" is not allowed to contact the service: "+serviceIdentifier.getServiceName() );
+ }
 }
+
 }
 }catch (Exception e) {
 log.warn("error getting policies from context {}", scope, e);
 }
 }
+
+ //TO resolve an error on Auth Portlet
+ private boolean isPolicyValidForService(ServiceAccess serviceAccess, ServiceIdentifier serviceId) {
+ String policyAsString = serviceAccess.getAsString();
+
+ return policyAsString.equals("ALL") || 
policyAsString.equals(serviceId.getServiceClass()+":ALL:ALL") ||
+ policyAsString.equals(serviceId.getServiceClass()+":"+serviceId.getServiceName()+":ALL") ||
+ policyAsString.equals(serviceId.getFullIdentifier());
+ }
 }
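Review bot: The cast `(User2ServicePolicy) policy` in validateScopeCall is unguarded although `policies` is a raw `List` whose element type the loop never checks, and because the loop runs inside a `catch (Exception e)` that only logs a warning, a policy of any other type — or a null `getIdentifier()`/`getExcludes()` — aborts the whole check with the call admitted, so the validator fails open on an error. Skip non-user policies before casting, `if (!(policy instanceof User2ServicePolicy)) continue;`, and decide explicitly whether an exception while evaluating policies should reject the request instead of admitting it. `entity.getIdentifier().trim().equals(callerId)` trims only one side of the comparison, and `isPolicyValidForService` neither trims nor null-checks `serviceAccess.getAsString()`, so a null access string takes the same silent path. The `//TO resolve an error on Auth Portlet` comment should become a Javadoc on isPolicyValidForService stating that it matches the access string against `ALL`, the class-wide and service-wide `:ALL` wildcards and the full identifier, and why the `PolicyUtils.isPolicyValidForClient` check alone was insufficient. validateScopeCall begins before this hunk.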