Commit 64c83edb authored by Robert Butora's avatar Robert Butora

auth: logs added and selectPublicOnly DB query added (used when AuthLib is not configured, e.g. no Principal)

parent edb59b3d
...@@ -87,7 +87,7 @@ public class AuthPolicy ...@@ -87,7 +87,7 @@ public class AuthPolicy
else else
{ {
userName = principal.getName(); userName = principal.getName();
LOGGER.finer("DBG principal not instance of VlkbUser, but has user-name: " + userName); LOGGER.finer("DBG principal '"+userName+"' is not instance of it.inaf.ia2.aa.data.User");
userGroups = new String[]{""};//{"VLKB.groupA", "AllPrivate"}; // was for shiro userGroups = new String[]{""};//{"VLKB.groupA", "AllPrivate"}; // was for shiro
userGroupsValid = true; userGroupsValid = true;
access = Access.PUBLIC_AND_AUTHORIZED_PRIVATE; access = Access.PUBLIC_AND_AUTHORIZED_PRIVATE;
...@@ -157,19 +157,27 @@ public class AuthPolicy ...@@ -157,19 +157,27 @@ public class AuthPolicy
} }
// API
public String[] filterAuthorized(String[] pubdidArr) public String[] filterAuthorized(String[] pubdidArr)
{ {
LOGGER.finer("with String[] trace"); LOGGER.finer("trace");
ArrayList<String> pubdidList = new ArrayList<String>(Arrays.asList(pubdidArr)); List<String> pubdidList = new ArrayList<String>(Arrays.asList(pubdidArr));
switch(access) switch(access)
{ {
case PUBLIC_ONLY : case PUBLIC_ONLY :
filterNotPublic(pubdidList); //filterNotPublic(pubdidList);
AuthPolicyDb adb;
synchronized(AuthPolicyDb.class)
{
adb = new AuthPolicyDb();
}
pubdidList = adb.selectPublicOnly(pubdidArr);
break; break;
case PUBLIC_AND_AUTHORIZED_PRIVATE : case PUBLIC_AND_AUTHORIZED_PRIVATE :
filterNotAuthorized(pubdidList); filterNotAuthorized(pubdidList);
break; break;
...@@ -181,6 +189,8 @@ public class AuthPolicy ...@@ -181,6 +189,8 @@ public class AuthPolicy
} }
// remove PRIVATE from the list
/*
private void filterNotPublic(ArrayList<String> pubdids) private void filterNotPublic(ArrayList<String> pubdids)
{ {
LOGGER.fine("trace"); LOGGER.fine("trace");
...@@ -188,6 +198,7 @@ public class AuthPolicy ...@@ -188,6 +198,7 @@ public class AuthPolicy
LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids)); LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids));
List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids); List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids);
List<String> notAuthorizedUniqPubdids = pubdidsNotPublic(privateUniqPubdids, userGroups); List<String> notAuthorizedUniqPubdids = pubdidsNotPublic(privateUniqPubdids, userGroups);
LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids)); LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids));
...@@ -196,22 +207,17 @@ public class AuthPolicy ...@@ -196,22 +207,17 @@ public class AuthPolicy
LOGGER.finest("PublisherDID list filtered : " + (pubdids.isEmpty() ? "" : String.join(" ", pubdids))); LOGGER.finest("PublisherDID list filtered : " + (pubdids.isEmpty() ? "" : String.join(" ", pubdids)));
} }
private List<String> pubdidsNotPublic(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups) private List<String> pubdidsNotPublic(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups)
{ {
LOGGER.fine("trace"); LOGGER.fine("trace");
LOGGER.finer("userGroups: " + String.join(" ",userGroups));
List<String> pubdidsNotAuthorizedList = new LinkedList<String>();
ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator(); ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator();
List<String> pubdidsNotAuthorizedList = new LinkedList<String>();
while (it.hasNext()) while (it.hasNext())
{ {
AuthPolicyDb.PubdidGroups pubdidGroups = it.next(); AuthPolicyDb.PubdidGroups pubdidGroups = it.next();
LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups));
if( true )// isIntersectionEmpty(pubdidGroups.groups, userGroups) ) if( true )// isIntersectionEmpty(pubdidGroups.groups, userGroups) )
{ {
pubdidsNotAuthorizedList.add(pubdidGroups.pubdid); pubdidsNotAuthorizedList.add(pubdidGroups.pubdid);
...@@ -220,16 +226,18 @@ public class AuthPolicy ...@@ -220,16 +226,18 @@ public class AuthPolicy
return pubdidsNotAuthorizedList; return pubdidsNotAuthorizedList;
} }
*/
// remove not-authorized from the list
private void filterNotAuthorized(List<String> pubdids)
private void filterNotAuthorized(ArrayList<String> pubdids)
{ {
LOGGER.fine("trace"); LOGGER.fine("trace");
assert pubdids != null; assert pubdids != null;
LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids)); LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids));
List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids); List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids);
List<String> notAuthorizedUniqPubdids = pubdidsNotAuthorized(privateUniqPubdids, userGroups); List<String> notAuthorizedUniqPubdids = pubdidsNotAuthorized(privateUniqPubdids, userGroups);
LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids)); LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids));
...@@ -240,8 +248,31 @@ public class AuthPolicy ...@@ -240,8 +248,31 @@ public class AuthPolicy
} }
private List<String> pubdidsNotAuthorized(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups)
{
LOGGER.fine("trace");
List<String> pubdidsNotAuthorizedList = new LinkedList<String>();
ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator();
private void removeNotAuthorized(ArrayList<String> pubdids, List<String> notAuthorizedUniqPubdids) while (it.hasNext())
{
AuthPolicyDb.PubdidGroups pubdidGroups = it.next();
LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups));
if( isIntersectionEmpty(pubdidGroups.groups, userGroups) )
{
pubdidsNotAuthorizedList.add(pubdidGroups.pubdid);
}
}
return pubdidsNotAuthorizedList;
}
private void removeNotAuthorized(List<String> pubdids, List<String> notAuthorizedUniqPubdids)
{ {
ListIterator<String> itr = pubdids.listIterator(); ListIterator<String> itr = pubdids.listIterator();
while (itr.hasNext()) while (itr.hasNext())
...@@ -258,6 +289,21 @@ public class AuthPolicy ...@@ -258,6 +289,21 @@ public class AuthPolicy
} }
private boolean isIntersectionEmpty(String[] stringsA, String[] stringsB)
{
for(String strA : stringsA)
for(String strB : stringsB)
{
if(strA.equals(strB))
{
return false;
}
}
return true;
}
// DB-query
private List<AuthPolicyDb.PubdidGroups> db_queryPrivateUniqPubdidGroups(List<String> pubdids) private List<AuthPolicyDb.PubdidGroups> db_queryPrivateUniqPubdidGroups(List<String> pubdids)
{ {
...@@ -284,44 +330,5 @@ public class AuthPolicy ...@@ -284,44 +330,5 @@ public class AuthPolicy
private List<String> pubdidsNotAuthorized(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups)
{
LOGGER.fine("trace");
List<String> pubdidsNotAuthorizedList = new LinkedList<String>();
ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator();
while (it.hasNext())
{
AuthPolicyDb.PubdidGroups pubdidGroups = it.next();
LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups));
if( isIntersectionEmpty(pubdidGroups.groups, userGroups) )
{
pubdidsNotAuthorizedList.add(pubdidGroups.pubdid);
}
}
return pubdidsNotAuthorizedList;
}
private boolean isIntersectionEmpty(String[] stringsA, String[] stringsB)
{
for(String strA : stringsA)
for(String strB : stringsB)
{
if(strA.equals(strB))
{
return false;
}
}
return true;
}
} }
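Review bot: In the PUBLIC_ONLY case of filterAuthorized the list returned by `adb.selectPublicOnly(pubdidArr)` replaces the in-memory copy, so the order and multiplicity of the caller's identifiers now follow whatever rows the database returns rather than the request; if the rest of filterAuthorized (which continues outside the hunk) or the length comparison in AuthZ depends on a one-to-one correspondence with `pubdidArr`, duplicated input identifiers or repeated obscore rows would change the decision, so either de-duplicate explicitly or document that the result is a set. The `synchronized(AuthPolicyDb.class)` block wraps only the constructor call, not the `selectPublicOnly` query, so if the intent is to serialize database access it does not achieve it; if it only guards construction, say so, e.g. `// guards AuthPolicyDb construction only; the query itself runs unsynchronized — TODO confirm this is intended`. The `new ArrayList<String>(Arrays.asList(pubdidArr))` copy made just before the switch is discarded on this path and is only needed by the PUBLIC_AND_AUTHORIZED_PRIVATE case.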
...@@ -89,6 +89,46 @@ public class AuthPolicyDb ...@@ -89,6 +89,46 @@ public class AuthPolicyDb
return pubdidGroups; return pubdidGroups;
} }
public List<String> selectPublicOnly(String[] uniqPubdids)
{
String commaSepObscorePubdids = String.join("\',\'", uniqPubdids);
assert (commaSepObscorePubdids != null) && (!commaSepObscorePubdids.isEmpty());
String TheQuery
= "SELECT obs_publisher_did FROM obscore "
+ "WHERE (policy = 'FREE') AND (obs_publisher_did IN (\'"+commaSepObscorePubdids+"\'));";
LOGGER.finer("Connecting to: "+dbconn.uri()+" with optional user/pwd: "+dbconn.userName()+" / ***");
List<String> pubdidPublic = new LinkedList<String>();
try(Connection conn = DriverManager.getConnection(dbconn.uri(), dbconn.userName(), dbconn.password());
Statement st = conn.createStatement();
ResultSet res = st.executeQuery(TheQuery);)
{
while (res.next())
{
pubdidPublic.add(res.getString("obs_publisher_did"));
}
}
catch (SQLException se)
{
logSqlExInfo(se);
se.printStackTrace();
}
LOGGER.finest("Found public: " + pubdidPublic.size());
return pubdidPublic;
}
private void logSqlExInfo(SQLException se) private void logSqlExInfo(SQLException se)
{ {
LOGGER.severe("SQLState : " + se.getSQLState()); LOGGER.severe("SQLState : " + se.getSQLState());
......
...@@ -101,8 +101,18 @@ class AuthZ ...@@ -101,8 +101,18 @@ class AuthZ
* if one or more of pubdids not-authorized -> all request not authorized * if one or more of pubdids not-authorized -> all request not authorized
* */ * */
/* NOTE for now soda/vlkb_cutout does not allow multiplicity --> only one pubdid allowed */ /* NOTE for now soda/vlkb_cutout does not allow multiplicity --> only one pubdid allowed */
if((authorized_pubdids==null) || (pubdidArr==null))
{
LOGGER.warning("One of arrays null");
return true;
}
else
{
LOGGER.finest("authorized vs original length: "+authorized_pubdids.length + " / " + pubdidArr.length);
return (authorized_pubdids.length == pubdidArr.length); return (authorized_pubdids.length == pubdidArr.length);
} }
}
} }
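Review bot: The new null guard returns `true` when `authorized_pubdids` or `pubdidArr` is null, which on this code path means the request is treated as authorized because one of the inputs was missing; an authorization check should fail closed here, so the guard should be `return false;` (with the warning kept), and the reason documented, e.g. `// missing input: deny rather than authorize by default`. The enclosing method starts outside the hunk, so whether a null `pubdidArr` can actually reach this point cannot be confirmed from the diff, but with the PUBLIC_ONLY branch now returning a database-produced list the two arrays are built independently and the check is the only place that compares them.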
...@@ -123,7 +133,8 @@ public class AuthZFilter implements Filter ...@@ -123,7 +133,8 @@ public class AuthZFilter implements Filter
public void destroy() {} public void destroy() {}
@Override @Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException
{ {
LOGGER.fine("doFilter"); LOGGER.fine("doFilter");
...@@ -139,6 +150,7 @@ public class AuthZFilter implements Filter ...@@ -139,6 +150,7 @@ public class AuthZFilter implements Filter
else else
{ {
resp.setContentType("text/plain"); resp.setContentType("text/plain");
// FIXME use VO errors vlkb-volib: implement Lib.doPermissionError()...
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden"); resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
} }
} }
......
...@@ -70,3 +70,5 @@ SodaImpl.level = INFO ...@@ -70,3 +70,5 @@ SodaImpl.level = INFO
VlkbCli.level = INFO VlkbCli.level = INFO
AuthPolicy.level = INFO AuthPolicy.level = INFO
AuthPolicyDb.level = INFO AuthPolicyDb.level = INFO
AuthZFilter.level = INFO
AuthZ.level = INFO
...@@ -129,6 +129,8 @@ sed -i "s/.*SodaImpl\.level.*=.*/SodaImpl.level = $DBG_LEVEL/g" $CATALINA_BASE/c ...@@ -129,6 +129,8 @@ sed -i "s/.*SodaImpl\.level.*=.*/SodaImpl.level = $DBG_LEVEL/g" $CATALINA_BASE/c
sed -i "s/.*VlkbCli\.level.*=.*/VlkbCli.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*VlkbCli\.level.*=.*/VlkbCli.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
sed -i "s/.*AuthPolicy\.level.*=.*/AuthPolicy.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthPolicy\.level.*=.*/AuthPolicy.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
sed -i "s/.*AuthPolicyDb\.level.*=.*/AuthPolicyDb.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthPolicyDb\.level.*=.*/AuthPolicyDb.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
sed -i "s/.*AuthZFilter\.level.*=.*/AuthZFilter.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
sed -i "s/.*AuthZ\.level.*=.*/AuthZ.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
date date
......
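Review bot: The two added `sed -i` lines leave `$CATALINA_BASE` unquoted in the file argument, so a base path containing spaces or glob characters would be split or expanded; the surrounding lines share the habit, but the new ones can set the example with `sed -i "s/.*AuthZFilter\.level.*=.*/AuthZFilter.level = $DBG_LEVEL/g" "$CATALINA_BASE/conf/soda.logging.properties"` and the same quoting for the AuthZ line. Since the `s///` regex is anchored on the class name, the `AuthZ\.level` pattern does not match the `AuthZFilter.level` line, so the two substitutions do not interfere.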