From cdc040e38d8ad11fc9233479c24ef691bcbc2369 Mon Sep 17 00:00:00 2001 From: Robert Butora <robert.butora@inaf.it> Date: Thu, 6 Mar 2025 12:10:29 +0100 Subject: [PATCH] authz/mcutout: implements a workaround for mcutout authZ: if async request user must be in VLKB.AllPrivate group --- .../src/main/java/auth/authz/AuthPolicy.java | 9 ++ .../java/auth/authz/webapi/AuthZFilter.java | 123 ++++++++---------- 2 files changed, 64 insertions(+), 68 deletions(-) diff --git a/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java b/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java index d0873c6..7325a0c 100644 --- a/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java +++ b/data-access/servlet/src/main/java/auth/authz/AuthPolicy.java @@ -79,6 +79,15 @@ public class AuthPolicy } + public boolean isUserInGroup(String group) + { + for(String uGroup : userGroups) + if(uGroup.equals(group)) return true; + return false; + } + + + public String[] removeNotAuthorized(String[] pubdidArr) { LOGGER.finer("trace"); diff --git a/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java b/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java index 4223e65..a1fa3db 100644 --- a/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java +++ b/data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java 
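Review bot: `isUserInGroup` in AuthPolicy.java iterates `userGroups` without a null check, and the field's initialisation is outside the hunk, so it cannot be confirmed here that a principal with no groups yields an empty array rather than null. The new async branch in AuthZFilter.java rests its whole decision on this method, so an explicit guard would make the deny path deliberate: `if(userGroups == null || group == null) return false;`. A one-line Javadoc stating that the comparison is an exact, case-sensitive match on the group name would also help, since callers pass a literal such as `"VLKB.AllPrivate"`.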
@@ -42,44 +42,33 @@ class AuthZ List<String> pubdidList = new ArrayList<String>(); - String servletPath; + String requestPath; + // collect ID's in request to pubdidList public AuthZ(HttpServletRequest req) throws IOException, ServletException { LOGGER.fine("constructor"); + requestPath = req.getRequestURI(); + LOGGER.fine("Req.Path: " + requestPath); + String[] pubdidArr = req.getParameterValues("ID"); + if(pubdidArr == null) { - String pubdids = req.getParameter("pubdid"); - if(pubdids != null) pubdidArr = pubdids.split(";"); + LOGGER.fine("No ID found in request params"); } - - if(pubdidArr != null) + else { for(String pubdid : pubdidArr) if(pubdid.length() > 0) pubdidList.add(pubdid); - LOGGER.finest("pubdids: " + String.join(" ", pubdidList)); + LOGGER.finest("Request IDs: " + String.join(" ", pubdidList)); } } - private String getValue(Part part) throws IOException - { - BufferedReader reader = new BufferedReader(new InputStreamReader(part.getInputStream(), "UTF-8")); - StringBuilder value = new StringBuilder(); - char[] buffer = new char[1024]; - for (int length = 0; (length = reader.read(buffer)) > 0;) - { - value.append(buffer, 0, length); - } - return value.toString(); - } - - - public boolean isAuthorized(HttpServletRequest req) { LOGGER.fine("isAuthorized"); 
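Review bot: `requestPath = req.getRequestURI();` stores the raw, undecoded request URI (context path and any path parameters included), and the isAuthorized hunk (`@@ -93,26 +82,22 @@`) then picks the authorization rule with `requestPath.contains("async")`. A substring test on that string can disagree with the decoded path the container uses to dispatch the request, so the rule applied and the servlet actually reached may not match. Prefer the container-normalised value, `requestPath = req.getServletPath();`, and compare it with `equals` against the configured async mapping, which is not visible in this patch. The constructor is complete in this hunk; isAuthorized starts at its end and continues in the next hunk.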
@@ -93,26 +82,22 @@ class AuthZ { throw new IllegalArgumentException("Authorization : UserPrincipal is not of expected type"); } + String[] pubdidArr = pubdidList.toArray(new String[pubdidList.size()]); - String[] authorizedPubdids; - authorizedPubdids = auth.removeNotAuthorized(pubdidArr); + String[] authorizedPubdids = auth.removeNotAuthorized(pubdidArr); + // none of above must result in null - /* If multiplicity allowed (and in mcutout/merge): - * if one or more of pubdids not-authorized -> all request not authorized - * */ - /* NOTE for now soda/vlkb_cutout does not allow multiplicity --> only one pubdid allowed */ + LOGGER.finest("authorized vs original length: " + authorizedPubdids.length + " / " + pubdidArr.length); - if((authorizedPubdids==null) || (pubdidArr==null)) - { - LOGGER.warning("One of arrays null"); - return true; - } - else - { - LOGGER.finest("authorized vs original length: "+authorizedPubdids.length + " / " + pubdidArr.length); - return (authorizedPubdids.length == pubdidArr.length); - } - } + if(requestPath.contains("async")) + return auth.isUserInGroup("VLKB.AllPrivate");// FIXME workaround for mcutout request + else + return (authorizedPubdids.length == pubdidArr.length); // SODA request + + /* NOTE: If multiplicity allowed like in mcutout/merge: + * if one or more of pubdids not-authorized -> all request not authorized + * SODA does not allow multiplicity, has only one ID */ + } } 
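Review bot: The SODA branch `return (authorizedPubdids.length == pubdidArr.length);` is also true when the request carries no `ID` parameter, because both arrays are then empty, so such a request is passed on without any per-ID check. If the filter is mapped only to endpoints that require an ID (the mapping is not visible here), deny the empty case inside the else branch, `if(pubdidArr.length == 0) return false;`, and leave the async branch as it is, since its IDs evidently do not arrive as `ID` parameters. The removed null guard is now only the comment `// none of above must result in null`; if `removeNotAuthorized` can return null this throws instead of deciding, which fails closed but would be clearer as an explicit check. isAuthorized begins outside this hunk.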
@@ -123,37 +108,39 @@ class AuthZ @javax.servlet.annotation.MultipartConfig public class AuthZFilter implements Filter { - private static final Logger LOGGER = Logger.getLogger(AuthZFilter.class.getName()); - - - @Override - public void init(FilterConfig fc) throws ServletException {} - - @Override - public void destroy() {} - - @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) - throws IOException, ServletException - { - LOGGER.fine("doFilter"); - - HttpServletRequest req = (HttpServletRequest) request; - HttpServletResponse resp = (HttpServletResponse) response; - - AuthZ authz = new AuthZ(req); - - if(authz.isAuthorized(req)) - { - chain.doFilter(request, response); - } - else - { - resp.setContentType("text/plain"); - // FIXME use VO errors vlkb-volib: implement Lib.doPermissionError()... - resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden"); - } - } + private static final Logger LOGGER = Logger.getLogger(AuthZFilter.class.getName()); + + + @Override + public void init(FilterConfig fc) throws ServletException {} + + @Override + public void destroy() {} + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) + throws IOException, ServletException + { + LOGGER.fine("doFilter"); + + HttpServletRequest req = (HttpServletRequest) request; + HttpServletResponse resp = (HttpServletResponse) response; + + AuthZ authz = new AuthZ(req); + + if(authz.isAuthorized(req)) + { + LOGGER.fine("Decision: Authorized, pass to servlet"); + chain.doFilter(request, response); + } + else + { + LOGGER.fine("Decision: Not Authorized, return FORBIDDEN"); + resp.setContentType("text/plain"); + // FIXME use VO errors vlkb-volib: implement Lib.doPermissionError()... + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden"); + } + } } -- GitLab
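Review bot: Both decision messages in doFilter are logged at `fine` and carry no principal or path, so unless FINE logging is enabled a denied request leaves no record and cannot be attributed when access is reviewed later. Consider logging the denial at a level that is normally retained and including who asked for what, e.g. `LOGGER.warning("Not authorized: user=" + req.getRemoteUser() + " path=" + req.getRequestURI());`. The remainder of the hunk is re-indentation only.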