diff --git a/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java b/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java
index 10eb3144b1bc6f40b8ed7bbd3d1b6921e7df3371..4c36dc279f28b6e09f4715539a30e3338999a8b0 100644
--- a/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java
+++ b/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java
@@ -87,7 +87,7 @@ public class AuthPolicy
          else
          {
             userName = principal.getName();
-            LOGGER.finer("DBG principal not instance of VlkbUser, but has user-name: " + userName);
+            LOGGER.finer("DBG principal '"+userName+"' is not instance of it.inaf.ia2.aa.data.User");
             userGroups = new String[]{""};//{"VLKB.groupA", "AllPrivate"}; // was for shiro
             userGroupsValid = true;
             access = Access.PUBLIC_AND_AUTHORIZED_PRIVATE;
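Review bot: The fallback branch for a principal that is not a `User` sets `userGroups = new String[]{""}` and then grants `Access.PUBLIC_AND_AUTHORIZED_PRIVATE`. `isIntersectionEmpty` compares group names with `equals`, so a private record whose groups array contains an empty string would count as authorized for such a principal. Whether `AuthPolicyDb` can return an empty-string group (for example from an empty groups column) is not visible here, but an empty array avoids the question: `userGroups = new String[0];`. The `if`/`else` this belongs to starts outside the hunk.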
@@ -157,19 +157,27 @@ public class AuthPolicy
    }
 
 
+   // API
 
    public String[] filterAuthorized(String[] pubdidArr)
    {
-      LOGGER.finer("with String[] trace");
+      LOGGER.finer("trace");
 
-      ArrayList<String> pubdidList = new ArrayList<String>(Arrays.asList(pubdidArr));
+      List<String> pubdidList = new ArrayList<String>(Arrays.asList(pubdidArr));
 
       switch(access)
       {
          case PUBLIC_ONLY :
-            filterNotPublic(pubdidList);
+            //filterNotPublic(pubdidList);
+            AuthPolicyDb adb;
+            synchronized(AuthPolicyDb.class)
+            {
+               adb = new AuthPolicyDb();
+            }
+            pubdidList = adb.selectPublicOnly(pubdidArr);
             break;
 
+
          case PUBLIC_AND_AUTHORIZED_PRIVATE :
             filterNotAuthorized(pubdidList);
             break;
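Review bot: The `synchronized(AuthPolicyDb.class)` block in the `PUBLIC_ONLY` case guards only `new AuthPolicyDb()`, while `adb.selectPublicOnly(pubdidArr)` runs outside it, so the code does not show what shared state the lock protects. If the constructor touches static configuration, say so in a comment such as `// AuthPolicyDb() reads shared settings; only construction needs the class lock`; otherwise drop the lock. The declaration `AuthPolicyDb adb;` sits directly in the switch block, so it is also in scope for the following cases; wrapping the case body in `{ ... }` keeps it local. The commented-out `//filterNotPublic(pubdidList);` can simply be deleted. The rest of `filterAuthorized` is outside the hunk.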
@@ -181,13 +189,16 @@ public class AuthPolicy
    }
 
 
-   private void filterNotPublic(ArrayList<String> pubdids)
-   {
+   // remove PRIVATE from the list
+   /*
+      private void filterNotPublic(ArrayList<String> pubdids)
+      {
       LOGGER.fine("trace");
       assert pubdids != null;
       LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids));
 
       List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids);
+
       List<String> notAuthorizedUniqPubdids = pubdidsNotPublic(privateUniqPubdids, userGroups);
 
       LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids));
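Review bot: `filterNotPublic` and `pubdidsNotPublic` are disabled by wrapping them in a `/* ... */` block that runs from this hunk into the next, rather than being removed. The dead block still carries the `if( true )// isIntersectionEmpty(...)` placeholder, which reads like live authorization logic to anyone skimming the file. Version control already preserves the old implementation, so deleting both methods is cleaner. If they must stay for reference, one line such as `// superseded by AuthPolicyDb.selectPublicOnly()` above the block would explain why.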
@@ -195,41 +206,38 @@ public class AuthPolicy
       removeNotAuthorized(pubdids, notAuthorizedUniqPubdids);
 
       LOGGER.finest("PublisherDID list filtered : " + (pubdids.isEmpty() ? "" : String.join(" ", pubdids)));
-   }
-
-
-   private List<String> pubdidsNotPublic(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups)
-   {
+      }
+      private List<String> pubdidsNotPublic(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups)
+      {
       LOGGER.fine("trace");
-      LOGGER.finer("userGroups: " + String.join(" ",userGroups));
 
-      List<String> pubdidsNotAuthorizedList = new LinkedList<String>();
       ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator();
+      List<String> pubdidsNotAuthorizedList      = new LinkedList<String>();
 
       while (it.hasNext())
       {
-         AuthPolicyDb.PubdidGroups pubdidGroups = it.next();
-
-         LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups));
+      AuthPolicyDb.PubdidGroups pubdidGroups = it.next();
 
-         if( true )// isIntersectionEmpty(pubdidGroups.groups, userGroups) )
-         {
-            pubdidsNotAuthorizedList.add(pubdidGroups.pubdid);
-         }
+      if( true )// isIntersectionEmpty(pubdidGroups.groups, userGroups) )
+      {
+      pubdidsNotAuthorizedList.add(pubdidGroups.pubdid);
+      }
       }
 
       return pubdidsNotAuthorizedList;
-   }
-
+      }
+      */
 
+   // remove not-authorized from the list
 
-   private void filterNotAuthorized(ArrayList<String> pubdids)
+   private void filterNotAuthorized(List<String> pubdids)
    {
       LOGGER.fine("trace");
       assert pubdids != null;
       LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids));
 
       List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids);
+
       List<String> notAuthorizedUniqPubdids = pubdidsNotAuthorized(privateUniqPubdids, userGroups);
 
       LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids));
@@ -240,8 +248,31 @@ public class AuthPolicy
    }
 
 
+   private List<String> pubdidsNotAuthorized(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups)
+   {
+      LOGGER.fine("trace");
 
-   private void removeNotAuthorized(ArrayList<String> pubdids, List<String> notAuthorizedUniqPubdids)
+      List<String> pubdidsNotAuthorizedList = new LinkedList<String>();
+      ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator();
+
+      while (it.hasNext())
+      {
+         AuthPolicyDb.PubdidGroups pubdidGroups = it.next();
+
+         LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups));
+
+         if( isIntersectionEmpty(pubdidGroups.groups, userGroups) )
+         {
+            pubdidsNotAuthorizedList.add(pubdidGroups.pubdid);
+         }
+      }
+
+      return pubdidsNotAuthorizedList;
+   }
+
+
+
+   private void removeNotAuthorized(List<String> pubdids, List<String> notAuthorizedUniqPubdids)
    {
       ListIterator<String> itr = pubdids.listIterator();
       while (itr.hasNext())
@@ -258,6 +289,21 @@ public class AuthPolicy
    }
 
 
+   private boolean isIntersectionEmpty(String[] stringsA, String[] stringsB)
+   {
+      for(String strA : stringsA)
+         for(String strB : stringsB)
+         {
+            if(strA.equals(strB))
+            {
+               return false;
+            }
+         }
+      return true;
+   }
+
+
+   // DB-query
 
    private List<AuthPolicyDb.PubdidGroups> db_queryPrivateUniqPubdidGroups(List<String> pubdids)
    {
@@ -284,44 +330,5 @@ public class AuthPolicy
 
 
 
-   private List<String> pubdidsNotAuthorized(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups)
-   {
-      LOGGER.fine("trace");
-
-      List<String> pubdidsNotAuthorizedList = new LinkedList<String>();
-      ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator();
-
-      while (it.hasNext())
-      {
-         AuthPolicyDb.PubdidGroups pubdidGroups = it.next();
-
-         LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups));
-
-         if( isIntersectionEmpty(pubdidGroups.groups, userGroups) )
-         {
-            pubdidsNotAuthorizedList.add(pubdidGroups.pubdid);
-         }
-      }
-
-      return pubdidsNotAuthorizedList;
-   }
-
-
-
-   private boolean isIntersectionEmpty(String[] stringsA, String[] stringsB)
-   {
-      for(String strA : stringsA)
-         for(String strB : stringsB)
-         {
-            if(strA.equals(strB))
-            {
-               return false;
-            }
-         }
-      return true;
-   }
-
-
-
 }
 
diff --git a/data-access/servlet/src/main/java/auth/authz/AuthPolicyDb.java b/data-access/servlet/src/main/java/auth/authz/AuthPolicyDb.java
index f8c166c24bbe543878da981f2f955c5e887eca41..614bdda9255bb3d0eb1c57c54e500c9f719002a0 100644
--- a/data-access/servlet/src/main/java/auth/authz/AuthPolicyDb.java
+++ b/data-access/servlet/src/main/java/auth/authz/AuthPolicyDb.java
@@ -89,6 +89,46 @@ public class AuthPolicyDb
       return pubdidGroups; 
    }
 
+
+
+   public List<String> selectPublicOnly(String[] uniqPubdids)
+   {
+      String commaSepObscorePubdids  = String.join("\',\'", uniqPubdids);
+
+      assert (commaSepObscorePubdids != null) && (!commaSepObscorePubdids.isEmpty());
+
+      String TheQuery
+         = "SELECT obs_publisher_did FROM obscore "
+         + "WHERE (policy = 'FREE') AND (obs_publisher_did IN (\'"+commaSepObscorePubdids+"\'));";
+
+      LOGGER.finer("Connecting to: "+dbconn.uri()+" with optional user/pwd: "+dbconn.userName()+" / ***");
+
+      List<String> pubdidPublic = new LinkedList<String>();
+
+      try(Connection conn  = DriverManager.getConnection(dbconn.uri(), dbconn.userName(), dbconn.password());
+            Statement  st  = conn.createStatement();
+            ResultSet  res = st.executeQuery(TheQuery);)
+      {
+         while (res.next())
+         {
+            pubdidPublic.add(res.getString("obs_publisher_did")); 
+         }
+      }
+      catch (SQLException se)
+      {
+         logSqlExInfo(se);
+         se.printStackTrace();
+      }
+
+      LOGGER.finest("Found public: " + pubdidPublic.size());
+
+      return pubdidPublic; 
+   }
+
+
+
+
+
    private void logSqlExInfo(SQLException se)
    {
       LOGGER.severe("SQLState : " + se.getSQLState());
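Review bot: `selectPublicOnly` builds the `IN (...)` list by joining `uniqPubdids` with `','` and concatenating the result into the SQL text. Any pubdid containing a single quote therefore changes the statement, and these ids appear to come from the request via `filterAuthorized` — SQL injection in the query that decides what is public. Bind the values through a `PreparedStatement` with one `?` per id, as sketched below; this needs `java.sql.PreparedStatement` and `java.util.Collections` imported if the file does not already have them. The `assert` on the joined string is a no-op unless the JVM runs with `-ea`, so the empty-input case needs an explicit check. `se.printStackTrace()` duplicates what `logSqlExInfo` already reports. The hunk ends inside `logSqlExInfo`.

```java
   public List<String> selectPublicOnly(String[] uniqPubdids)
   {
      List<String> pubdidPublic = new LinkedList<String>();

      // nothing to look up -> nothing is public (explicit check instead of assert)
      if ((uniqPubdids == null) || (uniqPubdids.length == 0))
      {
         return pubdidPublic;
      }

      // one '?' per pubdid; values are bound below, never spliced into the SQL text
      String placeholders = String.join(",", Collections.nCopies(uniqPubdids.length, "?"));

      String TheQuery
         = "SELECT obs_publisher_did FROM obscore "
         + "WHERE (policy = 'FREE') AND (obs_publisher_did IN (" + placeholders + "))";

      // … unchanged: connection log line …

      try(Connection conn = DriverManager.getConnection(dbconn.uri(), dbconn.userName(), dbconn.password());
            PreparedStatement st = conn.prepareStatement(TheQuery))
      {
         for (int i = 0; i < uniqPubdids.length; i++)
         {
            st.setString(i + 1, uniqPubdids[i]);
         }

         try(ResultSet res = st.executeQuery())
         {
            // … unchanged: result loop filling pubdidPublic …
         }
      }
      // … unchanged: catch (SQLException se) with logSqlExInfo(se), result log, return …
```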
diff --git a/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java b/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java
index 25b946497297358c20ef39c8f30f041e70c974f3..ed9b0ec09b976288c44849bd15da3bbc28a0e652 100644
--- a/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java
+++ b/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java
@@ -101,7 +101,17 @@ class AuthZ
        * if one or more of pubdids not-authorized -> all request not authorized
        * */
       /* NOTE for now soda/vlkb_cutout does not allow multiplicity --> only one pubdid allowed */
-      return (authorized_pubdids.length == pubdidArr.length);
+
+      if((authorized_pubdids==null) || (pubdidArr==null))
+      {
+         LOGGER.warning("One of arrays null");
+         return true;
+      }
+      else
+      {
+         LOGGER.finest("authorized vs original length: "+authorized_pubdids.length + " / " + pubdidArr.length);
+         return (authorized_pubdids.length == pubdidArr.length);
+      }
    }
 
 }
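Review bot: The new null guard fails open: when `authorized_pubdids` or `pubdidArr` is null the method returns `true`. Judging by the comment above it and the length comparison in the `else` branch, `true` appears to mean the request is authorized. A missing result from the policy lookup should deny instead, i.e. `return false;` after the `LOGGER.warning(...)`, and the warning would be more useful if it said which array was null. The method signature and the code that produces the two arrays are outside the hunk, so confirm that no caller relies on null meaning "nothing to check".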
@@ -123,7 +133,8 @@ public class AuthZFilter implements Filter
    public void destroy() {}
 
    @Override
-   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
+   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+      throws IOException, ServletException
    {
       LOGGER.fine("doFilter");
 
@@ -139,6 +150,7 @@ public class AuthZFilter implements Filter
       else
       {
          resp.setContentType("text/plain");
+         // FIXME use VO errors vlkb-volib: implement Lib.doPermissionError()...
          resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
       }
    }
diff --git a/docker/deps/soda.logging.properties b/docker/deps/soda.logging.properties
index 6c78bf65852876567ff0ca3054862be29db380fc..08c107e9c4fdcd2bcbcc0d14d8fe3f48b27ecf07 100644
--- a/docker/deps/soda.logging.properties
+++ b/docker/deps/soda.logging.properties
@@ -70,3 +70,5 @@ SodaImpl.level = INFO
 VlkbCli.level = INFO
 AuthPolicy.level = INFO
 AuthPolicyDb.level = INFO
+AuthZFilter.level = INFO
+AuthZ.level = INFO
diff --git a/docker/start-soda.sh.soda b/docker/start-soda.sh.soda
index 82e6ce813d6eb538c5f2dd5b8f3710664ef44a85..0ed173f4465f6222dda3c60bb301257d6c895411 100755
--- a/docker/start-soda.sh.soda
+++ b/docker/start-soda.sh.soda
@@ -129,6 +129,8 @@ sed -i "s/.*SodaImpl\.level.*=.*/SodaImpl.level = $DBG_LEVEL/g" $CATALINA_BASE/c
 sed -i "s/.*VlkbCli\.level.*=.*/VlkbCli.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
 sed -i "s/.*AuthPolicy\.level.*=.*/AuthPolicy.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
 sed -i "s/.*AuthPolicyDb\.level.*=.*/AuthPolicyDb.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
+sed -i "s/.*AuthZFilter\.level.*=.*/AuthZFilter.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
+sed -i "s/.*AuthZ\.level.*=.*/AuthZ.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties
 
 
 date