ace-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jorge Martín Cuervo <jo...@martincuervo.com>
Subject authorisation
Date Thu, 28 Jul 2016 20:36:23 GMT
Hello,

after setting up the authentication (1 admin account and one for each
target),
I have made some changes into the servlets to enforce the authorisation:
- repository is only accessible to the admin
- deployment is accessible to the admin and for targets if the target Id
matches
- agent is accessible to the admin and for targets if the target Id matches
- log (audit) get is accessible to the admin and for targets if the target
Id matches
- log (audit) post is accessible to everybody

This is functional, but I am not sure this is the best way.
Could you please give me some feedback?
Thanks!

diff --git
a/org.apache.ace.deployment/src/org/apache/ace/deployment/servlet/AgentDeploymentServlet.java
b/org.apache.ace.deployment/src/org/apache/ace/deployment/servlet/AgentDeploymentServlet.java
index 27ac522..c7c0a9b 100644
---
a/org.apache.ace.deployment/src/org/apache/ace/deployment/servlet/AgentDeploymentServlet.java
+++
b/org.apache.ace.deployment/src/org/apache/ace/deployment/servlet/AgentDeploymentServlet.java
@@ -54,6 +54,7 @@
 import org.osgi.service.log.LogService;
 import org.osgi.service.repository.ContentNamespace;
 import org.osgi.service.repository.Repository;
+import org.osgi.service.useradmin.User;

 import aQute.bnd.deployer.repository.FixedIndexedRepo;
 import aQute.bnd.osgi.resource.CapReqBuilder;
@@ -103,8 +104,17 @@
     protected void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
         try {
             String[] pathElements =
verifyAndGetPathElements(request.getPathInfo());
-            // String targetID = pathElements[1]; // in the future we
might use this for per target approval
+            String targetID = pathElements[1]; // in the future we might
use this for per target approval
             String agentID = pathElements[2];
+
+            User user =
(User)request.getAttribute("org.apache.ace.authentication.user");
+            if(user != null && user.getName().equals("admin")) {
+             //no-op
+            } else if(user != null && !user.getName().equals(targetID)) {
+             //the target does not correspond to the username
+             throw new
AceRestException(HttpServletResponse.SC_UNAUTHORIZED, "Not authorised");
+            }
+
             int numberOfElements = pathElements.length;
             if (numberOfElements == 4) {
                 handleVersionsRequest(getVersions(agentID), response);
diff --git
a/org.apache.ace.deployment/src/org/apache/ace/deployment/servlet/DeploymentServlet.java
b/org.apache.ace.deployment/src/org/apache/ace/deployment/servlet/DeploymentServlet.java
index 2509433..e8b8d34 100644
---
a/org.apache.ace.deployment/src/org/apache/ace/deployment/servlet/DeploymentServlet.java
+++
b/org.apache.ace.deployment/src/org/apache/ace/deployment/servlet/DeploymentServlet.java
@@ -38,6 +38,7 @@
 import org.apache.ace.deployment.streamgenerator.StreamGenerator;
 import org.osgi.framework.ServiceReference;
 import org.osgi.service.log.LogService;
+import org.osgi.service.useradmin.User;

 /**
  * The DeploymentServlet class provides in a list of versions available
for a target and a stream of data containing the
@@ -104,6 +105,16 @@
         try {
             String[] pathElements =
verifyAndGetPathElements(request.getPathInfo());
             String targetID = pathElements[1];
+
+            User user =
(User)request.getAttribute("org.apache.ace.authentication.user");
+            if(user != null && user.getName().equals("admin")) {
+             //no-op
+            } else if(user != null && !user.getName().equals(targetID)) {
+             //the target does not correspond to the username
+             throw new
AceRestException(HttpServletResponse.SC_UNAUTHORIZED, "Not authorised");
+            }
+
+
             int numberOfElements = pathElements.length;

             if (numberOfElements == 3) {
@@ -138,6 +149,14 @@
                 String targetID = pathElements[1];
                 String version = pathElements[3];

+                User user =
(User)request.getAttribute("org.apache.ace.authentication.user");
+                if(user != null && user.getName().equals("admin")) {
+                 //no-op
+                } else if(user != null &&
!user.getName().equals(targetID)) {
+                 //the target does not correspond to the username
+                 throw new
AceRestException(HttpServletResponse.SC_UNAUTHORIZED, "Not authorised");
+                }
+
                 response.setContentType(DP_MIMETYPE);

                 long dpSize = estimateDeploymentPackageSize(request,
targetID, version);
diff --git
a/org.apache.ace.log/src/org/apache/ace/log/server/servlet/LogServlet.java
b/org.apache.ace.log/src/org/apache/ace/log/server/servlet/LogServlet.java
index 74ad089..dd0a37f 100644
---
a/org.apache.ace.log/src/org/apache/ace/log/server/servlet/LogServlet.java
+++
b/org.apache.ace.log/src/org/apache/ace/log/server/servlet/LogServlet.java
@@ -36,6 +36,7 @@
 import org.apache.ace.log.server.store.LogStore;
 import org.apache.ace.range.SortedRangeSet;
 import org.osgi.service.log.LogService;
+import org.osgi.service.useradmin.User;

 /**
  * This class acts as a servlet and handles the log protocol. This means a
number of requests will be handled:
@@ -121,6 +122,15 @@

         ServletOutputStream output = null;
         try {
+
+         User user =
(User)request.getAttribute("org.apache.ace.authentication.user");
+            if(user != null && user.getName().equals("admin")) {
+             //no-op
+            } else if(user != null && !user.getName().equals(targetID)) {
+             //the target does not correspond to the username
+             sendError(response, HttpServletResponse.SC_UNAUTHORIZED, "Not
authorised");
+            }
+
             output = response.getOutputStream();
             if (QUERY.equals(path) && !handleQuery(targetID, logID,
filter, output)) {
                 sendError(response, HttpServletResponse.SC_BAD_REQUEST,
"Unable to interpret query");
diff --git
a/org.apache.ace.repository/src/org/apache/ace/repository/servlet/RepositoryServletBase.java
b/org.apache.ace.repository/src/org/apache/ace/repository/servlet/RepositoryServletBase.java
index 3a0c456..ee69b46 100644
---
a/org.apache.ace.repository/src/org/apache/ace/repository/servlet/RepositoryServletBase.java
+++
b/org.apache.ace.repository/src/org/apache/ace/repository/servlet/RepositoryServletBase.java
@@ -34,6 +34,7 @@
 import org.osgi.framework.InvalidSyntaxException;
 import org.osgi.framework.ServiceReference;
 import org.osgi.service.log.LogService;
+import org.osgi.service.useradmin.User;

 /**
  * Base class for the repository servlets. Both the repository and the
repository replication servlets work in a similar
@@ -92,8 +93,13 @@
         String name = request.getParameter("name");
         String filter = request.getParameter("filter");
         String version = request.getParameter("version");
-
-        if (QUERY.equals(path)) {
+
+        User user =
(User)request.getAttribute("org.apache.ace.authentication.user");
+        if(user != null && !user.getName().equals("admin")) {
+
+     response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+
+     } else if (QUERY.equals(path)) {
             // both repositories have a query method
             if (filter != null) {
                 if ((name == null) && (customer == null)) {
@@ -136,8 +142,13 @@
         String customer = request.getParameter("customer");
         String name = request.getParameter("name");
         String version = request.getParameter("version");
+
+        User user =
(User)request.getAttribute("org.apache.ace.authentication.user");

-        if (getCommitCommand().equals(path)) {
+        if(user != null && !user.getName().equals("admin")) {
+     response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+     } else if (getCommitCommand().equals(path)) {
+
             // and finally, both have a commit, only it's named differently
             if ((name != null) && (customer != null) && (version != null))
{
                 handleCommit(customer, name, Long.parseLong(version),
request.getInputStream(), response);

-- 
____________________________________
Jorge Martin Cuervo

email <jorge@martincuervo.com>
voice 0032 489 336 802
voice 0034 660 026 384
skype jorgemartincuervo
____________________________________

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message