authz/mcutout: implements a workaround for mcutout authZ: if async request...

authz/mcutout: implements a workaround for mcutout authZ: if async request user must be in VLKB.AllPrivate group

authz/mcutout: implements a workaround for mcutout authZ: if async request...
cdc040e3 · Robert Butora · db866e95 · cdc040e3 · cdc040e3
Commit cdc040e3 authored 1 month ago by Robert Butora
--- a/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java
+++ b/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java
@@ -79,6 +79,15 @@ public class AuthPolicy
   }


+   public boolean isUserInGroup(String group)
+   {
+      for(String uGroup : userGroups)
+			if(uGroup.equals(group)) return true;
+      return false;
+   }
+
+
+
   public String[] removeNotAuthorized(String[] pubdidArr)
   {
      LOGGER.finer("trace");

--- a/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java
+++ b/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java
@@ -42,44 +42,33 @@ class AuthZ

   List<String> pubdidList = new ArrayList<String>();

-   String servletPath;
+   String requestPath;


+	// collect ID's in request to pubdidList
   public AuthZ(HttpServletRequest req) throws IOException, ServletException
   {
      LOGGER.fine("constructor");

+      requestPath = req.getRequestURI();
+      LOGGER.fine("Req.Path: " + requestPath);
+
      String[] pubdidArr = req.getParameterValues("ID");
+
      if(pubdidArr == null)
      {
-         String pubdids = req.getParameter("pubdid");
-         if(pubdids != null) pubdidArr = pubdids.split(";");
+         LOGGER.fine("No ID found in request params");
      }
-
-      if(pubdidArr != null)
+      else
      {
         for(String pubdid : pubdidArr)
            if(pubdid.length() > 0) pubdidList.add(pubdid);

-         LOGGER.finest("pubdids: " + String.join(" ", pubdidList));
+         LOGGER.finest("Request IDs: " + String.join(" ", pubdidList));
      }
   }


-   private String getValue(Part part) throws IOException
-   {
-      BufferedReader reader = new BufferedReader(new InputStreamReader(part.getInputStream(), "UTF-8"));
-      StringBuilder value = new StringBuilder();
-      char[] buffer = new char[1024];
-      for (int length = 0; (length = reader.read(buffer)) > 0;)
-      {
-         value.append(buffer, 0, length);
-      }
-      return value.toString();
-   }
-
-
-
   public boolean isAuthorized(HttpServletRequest req)
   {
      LOGGER.fine("isAuthorized");
@@ -93,26 +82,22 @@ class AuthZ
      {
         throw new IllegalArgumentException("Authorization : UserPrincipal is not of expected type");
      }
+
      String[] pubdidArr = pubdidList.toArray(new String[pubdidList.size()]);
-      String[] authorizedPubdids;
-      authorizedPubdids = auth.removeNotAuthorized(pubdidArr);
+		String[] authorizedPubdids = auth.removeNotAuthorized(pubdidArr);
+		// none of above must result in null

-      /* If multiplicity allowed (and in mcutout/merge):
-       * if one or more of pubdids not-authorized -> all request not authorized
-       * */
-      /* NOTE for now soda/vlkb_cutout does not allow multiplicity --> only one pubdid allowed */
+		LOGGER.finest("authorized vs original length: " + authorizedPubdids.length + " / " + pubdidArr.length);

-      if((authorizedPubdids==null) || (pubdidArr==null))
-      {
-         LOGGER.warning("One of arrays null");
-         return true;
-      }
-      else
-      {
-         LOGGER.finest("authorized vs original length: "+authorizedPubdids.length + " / " + pubdidArr.length);
-         return (authorizedPubdids.length == pubdidArr.length);
-      }
-   }
+		if(requestPath.contains("async"))
+			return auth.isUserInGroup("VLKB.AllPrivate");// FIXME workaround for mcutout request
+		else
+			return (authorizedPubdids.length == pubdidArr.length); // SODA request
+
+		/* NOTE: If multiplicity allowed like in mcutout/merge:
+		 * if one or more of pubdids not-authorized -> all request not authorized
+		 * SODA does not allow multiplicity, has only one ID */
+	}

 }

@@ -123,37 +108,39 @@ class AuthZ
 @javax.servlet.annotation.MultipartConfig
 public class AuthZFilter implements Filter
 {
-   private static final Logger LOGGER = Logger.getLogger(AuthZFilter.class.getName());
-
-
-   @Override
-   public void init(FilterConfig fc) throws ServletException {}
-
-   @Override
-   public void destroy() {}
-
-   @Override
-   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-      throws IOException, ServletException
-   {
-      LOGGER.fine("doFilter");
-
-      HttpServletRequest  req  = (HttpServletRequest)  request;
-      HttpServletResponse  resp = (HttpServletResponse)  response;
-
-      AuthZ authz = new AuthZ(req);
-
-      if(authz.isAuthorized(req))
-      {
-         chain.doFilter(request, response);
-      }
-      else
-      {
-         resp.setContentType("text/plain");
-         // FIXME use VO errors vlkb-volib: implement Lib.doPermissionError()...
-         resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
-      }
-   }
+	private static final Logger LOGGER = Logger.getLogger(AuthZFilter.class.getName());
+
+
+	@Override
+		public void init(FilterConfig fc) throws ServletException {}
+
+	@Override
+		public void destroy() {}
+
+	@Override
+		public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+		throws IOException, ServletException
+		{
+			LOGGER.fine("doFilter");
+
+			HttpServletRequest  req  = (HttpServletRequest)  request;
+			HttpServletResponse  resp = (HttpServletResponse)  response;
+
+			AuthZ authz = new AuthZ(req);
+
+			if(authz.isAuthorized(req))
+			{
+				LOGGER.fine("Decision: Authorized, pass to servlet");
+				chain.doFilter(request, response);
+			}
+			else
+			{
+				LOGGER.fine("Decision: Not Authorized, return FORBIDDEN");
+				resp.setContentType("text/plain");
+				// FIXME use VO errors vlkb-volib: implement Lib.doPermissionError()...
+				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
+			}
+		}

 }