From sma...@apache.org
Subject [09/10] airavata git commit: Completion of the security solution in Airavata - adding some missing files from the previous commit and fixing issues found while testing.
Date Mon, 17 Aug 2015 04:09:11 GMT
Completion of the security solution in Airavata - adding some missing files from the previous
commit and fixing issues found while testing.


Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/f080ac26
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/f080ac26
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/f080ac26

Branch: refs/heads/master
Commit: f080ac263c6cd1c1df98dcfbd5f3366f0734fb44
Parents: 2777476
Author: hasinitg <hasi7786@gmail.com>
Authored: Sun Aug 16 23:44:51 2015 -0400
Committer: hasinitg <hasi7786@gmail.com>
Committed: Sun Aug 16 23:44:51 2015 -0400

----------------------------------------------------------------------
 .../DefaultAiravataSecurityManager.java         |   2 +-
 .../server/security/authzcache/AuthzCache.java  |   4 +-
 .../security/authzcache/AuthzCacheEntry.java    |  63 +++++++++
 .../security/authzcache/AuthzCacheIndex.java    |  78 +++++++++++
 .../security/authzcache/AuthzCacheManager.java  |  80 ++++++++++++
 .../authzcache/AuthzCacheManagerFactory.java    |  60 +++++++++
 .../authzcache/DefaultAuthzCacheManager.java    | 108 ++++++++++++++++
 .../server/security/xacml/DefaultXACMLPEP.java  | 129 +++++++++++++++++++
 .../main/resources/airavata-server.properties   |   2 +-
 9 files changed, 523 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
index f42d98d..7078659 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
@@ -148,7 +148,7 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager
{
 
                     //cache the authorization decision
                     authzCacheManager.addToAuthzCache(new AuthzCacheIndex(subject, accessToken,
action),
-                            new AuthzCacheEntry(decision, expiryTimestamp));
+                            new AuthzCacheEntry(decision, expiryTimestamp, System.currentTimeMillis()));
 
                     return decision;
                 } else {
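Review bot: The third constructor argument added on the `+` line is a wall-clock millisecond stamp, but the second argument, `expiryTimestamp`, is named like an absolute time while `AuthzCacheEntry` documents that slot as a time-to-live in seconds and `DefaultAuthzCacheManager` compares it against elapsed seconds. If `expiryTimestamp` is in fact an absolute epoch value (its computation is outside this hunk), that comparison would never expire an entry and a cached authorization decision would outlive the token; please confirm the unit and rename the local to match it, e.g. `long tokenTtlSeconds = ...;`. The enclosing method starts and ends outside the hunk.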

http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
index a563caa..8b14556 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
@@ -55,7 +55,9 @@ public class AuthzCache extends LinkedHashMap<AuthzCacheIndex, AuthzCacheEntry>
     @Override
     protected boolean removeEldestEntry(Map.Entry<AuthzCacheIndex, AuthzCacheEntry>
eldest) {
         //TODO: following info log is for demonstration purposes. Remove it.
-        logger.info("Authz cache max size exceeded. Removing the old entries.");
+        if (size() > MAX_SIZE) {
+            logger.info("Authz cache max size exceeded. Removing the old entries.");
+        }
         return size() > MAX_SIZE;
     }
 }
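Review bot: `size() > MAX_SIZE` is now evaluated twice in `removeEldestEntry`, once for the log guard and once for the return value; computing it once keeps the two from drifting apart: `boolean evict = size() > MAX_SIZE;` then `if (evict) { logger.info("Authz cache max size exceeded. Removing the old entries."); }` and `return evict;`. The TODO above the guard still says the info log is demonstration-only, so either drop it now or lower it to debug rather than guarding it. Size-based eviction discards the oldest-inserted decision regardless of its remaining TTL, which is acceptable since a miss just re-queries the PDP, but that is worth a one-line comment on the class.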

http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
new file mode 100644
index 0000000..03ca229
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
@@ -0,0 +1,63 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+/**
+ * Cache entry in the default authorization cache.
+ */
+public class AuthzCacheEntry {
+    //authorization decision for the authorization request associated with this cache entry.
+    private boolean decision;
+    //time to live value for the access token in seconds.
+    private long expiryTime;
+    //time stamp in milli seconds at the time this entry is put into the cache
+    private long entryTimestamp;
+
+    public AuthzCacheEntry(boolean decision, long expiryTime, long entryTimestamp) {
+        this.decision = decision;
+        this.expiryTime = expiryTime;
+        this.entryTimestamp = entryTimestamp;
+    }
+
+    public long getEntryTimestamp() {
+        return entryTimestamp;
+    }
+
+    public void setEntryTimestamp(long entryTimestamp) {
+        this.entryTimestamp = entryTimestamp;
+    }
+
+    public long getExpiryTime() {
+        return expiryTime;
+    }
+
+    public void setExpiryTime(long timestamp) {
+        this.expiryTime = timestamp;
+    }
+
+    public boolean getDecision() {
+        return decision;
+    }
+
+    public void setDecision(boolean decision) {
+        this.decision = decision;
+    }
+}
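Review bot: `AuthzCacheEntry` exposes setters for all three fields even though an instance represents a cached authorization decision, so any holder of a reference can flip `decision` or extend `expiryTime` after the entry is in the cache; declaring the fields `final` and dropping the setters (none are called in the hunks of this commit) makes the cached decision immutable. The parameter of `setExpiryTime(long timestamp)` is also named as a timestamp while the field comment says it is a time-to-live in seconds; align the name with the unit, e.g. `setExpiryTime(long ttlSeconds)`. A `boolean` accessor is conventionally `isDecision()`, but `getDecision()` is already relied on by `DefaultAuthzCacheManager` in this commit, so that is a style note only.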

http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
new file mode 100644
index 0000000..59667d8
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
@@ -0,0 +1,78 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+/**
+ * Cache index of the default authorization cache.
+ */
+public class AuthzCacheIndex {
+
+    private String subject;
+    private String oauthAccessToken;
+    private String action;
+
+    public AuthzCacheIndex(String userName, String accessToken, String actionString) {
+        this.subject = userName;
+        this.oauthAccessToken = accessToken;
+        this.action = actionString;
+    }
+
+    public String getSubject() {
+        return subject;
+    }
+
+    public void setSubject(String subject) {
+        this.subject = subject;
+    }
+
+    public String getAction() {
+        return action;
+    }
+
+    public void setAction(String action) {
+        this.action = action;
+    }
+
+    public String getOauthAccessToken() {
+        return oauthAccessToken;
+    }
+
+    public void setOauthAccessToken(String oauthAccessToken) {
+        this.oauthAccessToken = oauthAccessToken;
+    }
+
+    /*Equals and hash code methods are overriden since this is being used as an index of
a map and that containsKey method
+    * should return true if the values of two index objects are equal.*/
+    @Override
+    public boolean equals(Object other) {
+        if (other == null || other.getClass() != getClass()) {
+            return false;
+        }
+        return ((this.getSubject().equals(((AuthzCacheIndex) other).getSubject()))
+                && (this.getOauthAccessToken().equals(((AuthzCacheIndex) other).getOauthAccessToken()))
+                && (this.getAction().equals(((AuthzCacheIndex) other).getAction())));
+    }
+
+    @Override
+    public int hashCode() {
+        return this.getSubject().hashCode() + this.getOauthAccessToken().hashCode() + this.getAction().hashCode();
+    }
+}
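Review bot: `equals` in `AuthzCacheIndex` dereferences `getSubject()`, `getOauthAccessToken()` and `getAction()` without null checks, so a lookup built from a null subject or token throws `NullPointerException` from inside `containsKey`/`get` instead of simply missing, and `hashCode` sums the three hashes, which is order-insensitive, so an index with subject and action swapped collides with this one. Using `java.util.Objects` for both fixes the null case and gives an order-sensitive hash (add `import java.util.Objects;`). Separately, the class is a map key yet has public setters for every field; mutating an index after insertion strands its entry in `AuthzCache`, so the fields should be `final` with the setters removed, or the class documented as never to be mutated once used as a key.
```java
    @Override
    public boolean equals(Object other) {
        if (this == other) {
            return true;
        }
        if (other == null || other.getClass() != getClass()) {
            return false;
        }
        AuthzCacheIndex that = (AuthzCacheIndex) other;
        return Objects.equals(subject, that.subject)
                && Objects.equals(oauthAccessToken, that.oauthAccessToken)
                && Objects.equals(action, that.action);
    }

    @Override
    public int hashCode() {
        return Objects.hash(subject, oauthAccessToken, action);
    }
```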

http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
new file mode 100644
index 0000000..48cfb03
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
@@ -0,0 +1,80 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.security.AiravataSecurityException;
+
+/**
+ * This is the interface through which security manager accesses the underlying caching implementation
+ * See the DefaultAuthzCacheManager.java for an example implementation of this interface.
+ */
+public interface AuthzCacheManager {
+    /**
+     * Returns the status of the cache w.r.t the given authorization request which is encapsulated
in
+     * the AuthzCacheIndex.
+     *
+     * @param authzCacheIndex
+     * @return
+     */
+    public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws
AiravataSecurityException;
+
+    /**
+     * Add to cache the authorization decision pertaining to a given authorization request.
+     *
+     * @param authzCacheIndex
+     * @param authzCacheEntry
+     * @throws AiravataSecurityException
+     */
+    public void addToAuthzCache(AuthzCacheIndex authzCacheIndex, AuthzCacheEntry authzCacheEntry)
throws AiravataSecurityException;
+
+    /**
+     * Check if a valid decision is cached for a given authorization request.
+     *
+     * @param authzCacheIndex
+     * @return
+     */
+    public boolean isAuthzDecisionCached(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+    /**
+     * Returns the AuthzCacheEntry for a given authorization request.
+     *
+     * @param authzCacheIndex
+     * @return
+     * @throws AiravataSecurityException
+     */
+    public AuthzCacheEntry getAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+    /**
+     * Removes the authorization cache entry for a given authorization request.
+     *
+     * @param authzCacheIndex
+     * @throws AiravataSecurityException
+     */
+    public void removeAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+    /**
+     * Clear the authorization cache.
+     *
+     * @return
+     */
+    public void clearCache() throws AiravataSecurityException;
+
+}
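Review bot: Every Javadoc block in `AuthzCacheManager` leaves its `@param authzCacheIndex` and `@return` tags empty, and `clearCache` carries a `@return` tag on a `void` method; fill them in or drop the empty tags so the generated documentation is not blank. The contract callers most need is what `getAuthzCacheEntry` returns when nothing is cached — presumably `null`, given that the default implementation delegates to `Map.get` — and that `getAuthzCachedStatus` is the only method expected to apply the TTL; I would state both on the interface, e.g. `@return the cached entry, or {@code null} if no decision is cached for this index`. The `public` modifier on interface methods is redundant and can be dropped.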

http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
new file mode 100644
index 0000000..b555122
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
@@ -0,0 +1,60 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.api.server.security.AiravataSecurityManager;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+/**
+ * This initializes the AuthzCacheManager implementation to be used as defined by the configuration.
+ */
+public class AuthzCacheManagerFactory {
+    private final static Logger logger = LoggerFactory.getLogger(AuthzCacheManagerFactory.class);
+
+    public static AuthzCacheManager getAuthzCacheManager() throws AiravataSecurityException
{
+        try {
+            Class authzCacheManagerImpl = Class.forName(ServerSettings.getAuthzCacheManagerClassName());
+            AuthzCacheManager authzCacheManager  = (AuthzCacheManager) authzCacheManagerImpl.newInstance();
+            return  authzCacheManager;
+        } catch (ClassNotFoundException e) {
+            String error = "Authorization Cache Manager class could not be found.";
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException(error);
+        } catch (ApplicationSettingsException e) {
+            String error = "Error in reading the configuration related to Authorization Cache
Manager class.";
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException(error);
+        } catch (InstantiationException e) {
+            String error = "Error in instantiating the Authorization Cache Manager class.";
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException(error);
+        } catch (IllegalAccessException e) {
+            String error = "Error in instantiating the Authorization Cache Manager class.";
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException(error);
+
+        }
+    }
+
+}
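Review bot: `getAuthzCacheManager` casts the configured class on the `(AuthzCacheManager) authzCacheManagerImpl.newInstance()` line without catching `ClassCastException`, so a misconfigured `authz.cache.manager.class` that names an unrelated class escapes as an unchecked exception instead of the declared `AiravataSecurityException`; `Class.forName(...).asSubclass(AuthzCacheManager.class)` makes the check explicit and typed, and can be caught alongside the others, e.g. `} catch (ClassCastException e) { logger.error(e.getMessage(), e); throw new AiravataSecurityException(error); }`. The raw `Class` should be parameterised as `Class<? extends AuthzCacheManager>`, which is exactly what `asSubclass` returns. Each catch block logs the cause but the thrown `AiravataSecurityException` does not carry it; if that type has a cause-taking constructor, pass `e` through. The `AiravataSecurityManager` import is unused.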

http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
new file mode 100644
index 0000000..232908d
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
@@ -0,0 +1,108 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Date;
+
+public class DefaultAuthzCacheManager implements AuthzCacheManager {
+
+    private final static Logger logger = LoggerFactory.getLogger(DefaultAuthzCacheManager.class);
+
+    @Override
+    public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws
AiravataSecurityException {
+        if (isAuthzDecisionCached(authzCacheIndex)) {
+            AuthzCacheEntry cacheEntry = getAuthzCacheEntry(authzCacheIndex);
+            long expiryTime = cacheEntry.getExpiryTime();
+            long currentTime = System.currentTimeMillis();
+            long timePassed = (currentTime - cacheEntry.getEntryTimestamp()) / 1000;
+            if (expiryTime > timePassed) {
+                //access token is still valid. Hence, return the cached decision
+                if (cacheEntry.getDecision()) {
+                    return AuthzCachedStatus.AUTHORIZED;
+                } else {
+                    return AuthzCachedStatus.NOT_AUTHORIZED;
+                }
+            } else {
+                //access token has been expired. Hence, remove the entry and return.
+                removeAuthzCacheEntry(authzCacheIndex);
+                return AuthzCachedStatus.NOT_CACHED;
+            }
+        } else {
+            return AuthzCachedStatus.NOT_CACHED;
+        }
+    }
+
+    @Override
+    public void addToAuthzCache(AuthzCacheIndex authzCacheIndex, AuthzCacheEntry authzCacheEntry)
throws AiravataSecurityException {
+        try {
+            AuthzCache.getInstance().put(authzCacheIndex, authzCacheEntry);
+        } catch (ApplicationSettingsException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in obtaining the authorization cache
instance.");
+        }
+    }
+
+    @Override
+    public boolean isAuthzDecisionCached(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException
{
+        try {
+            return AuthzCache.getInstance().containsKey(authzCacheIndex);
+        } catch (ApplicationSettingsException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in obtaining the authorization cache
instance.");
+        }
+    }
+
+    @Override
+    public AuthzCacheEntry getAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException
{
+        try {
+            return AuthzCache.getInstance().get(authzCacheIndex);
+        } catch (ApplicationSettingsException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in obtaining the authorization cache
instance.");
+        }
+    }
+
+    @Override
+    public void removeAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException
{
+        try {
+            AuthzCache.getInstance().remove(authzCacheIndex);
+        } catch (ApplicationSettingsException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in obtaining the authorization cache
instance.");
+        }
+    }
+
+    @Override
+    public void clearCache() throws AiravataSecurityException {
+        try {
+            AuthzCache.getInstance().clear();
+        } catch (ApplicationSettingsException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in obtaining the authorization cache
instance.");
+
+        }
+    }
+}
\ No newline at end of file
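Review bot: `getAuthzCachedStatus` does a check-then-act — `isAuthzDecisionCached` followed by a separate `getAuthzCacheEntry` — against an `AuthzCache` that is a `LinkedHashMap` with size-based eviction, so a concurrent `put` from another API thread can evict the key in between and `cacheEntry` comes back `null`, crashing on `getExpiryTime()`; whether `AuthzCache.getInstance()` adds any synchronisation is not visible here, but a single `get` with a null check removes the window regardless. `java.util.Date` is imported but unused. Two caveats deserve a comment on the class: expiry is judged only by the stored TTL, so a token revoked at the authorization server keeps its cached decision until that TTL elapses, and `timePassed` is truncated to whole seconds, so an entry can be honoured for up to one second past its exact expiry.
```java
    @Override
    public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
        // Single lookup: a separate containsKey/get pair can straddle an eviction and yield null.
        AuthzCacheEntry cacheEntry = getAuthzCacheEntry(authzCacheIndex);
        if (cacheEntry == null) {
            return AuthzCachedStatus.NOT_CACHED;
        }
        long timePassed = (System.currentTimeMillis() - cacheEntry.getEntryTimestamp()) / 1000;
        if (cacheEntry.getExpiryTime() > timePassed) {
            // … unchanged: return AUTHORIZED or NOT_AUTHORIZED from the cached decision …
        }
        // … unchanged: remove the expired entry and return NOT_CACHED …
    }
```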

http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
new file mode 100644
index 0000000..42328d1
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
@@ -0,0 +1,129 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.xacml;
+
+import org.apache.airavata.common.utils.Constants;
+import org.apache.airavata.model.security.AuthzToken;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.ConfigurationContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException;
+import org.wso2.carbon.utils.CarbonUtils;
+import org.xml.sax.SAXException;
+
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.rmi.RemoteException;
+import java.util.Map;
+
+/**
+ * This enforces XACML based fine grained authorization on the API calls, by authorizing
the API calls
+ * through default PDP which is WSO2 Identity Server.
+ */
+public class DefaultXACMLPEP {
+
+    private final static Logger logger = LoggerFactory.getLogger(DefaultXACMLPEP.class);
+    private EntitlementServiceStub entitlementServiceStub;
+
+    public DefaultXACMLPEP(String auhorizationServerURL, String username, String password,
+                           ConfigurationContext configCtx) throws AiravataSecurityException
{
+        try {
+
+            String PDPURL = auhorizationServerURL + "EntitlementService";
+            entitlementServiceStub = new EntitlementServiceStub(configCtx, PDPURL);
+            CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, entitlementServiceStub._getServiceClient());
+        } catch (AxisFault e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error initializing XACML PEP client.");
+        }
+
+    }
+
+    /**
+     * Send the XACML authorization request to XAML PDP and return the authorization decision.
+     *
+     * @param authzToken
+     * @param metaData
+     * @return
+     */
+    public boolean getAuthorizationDecision(AuthzToken authzToken, Map<String, String>
metaData) throws AiravataSecurityException {
+        String decision;
+        try {
+            String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
+            String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
+            String decisionString = entitlementServiceStub.getDecisionByAttributes(subject,
null, action, null);
+            //parse the XML decision string and obtain the decision
+            decision = parseDecisionString(decisionString);
+            if (Constants.PERMIT.equals(decision)) {
+                return true;
+            } else {
+                logger.error("Authorization decision is: " + decision);
+                return false;
+            }
+        } catch (RemoteException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in authorizing the user.");
+        } catch (EntitlementServiceException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in authorizing the user.");
+        }
+    }
+
+    /**
+     * This parses the XML based authorization response by the PDP and returns the decision
string.
+     *
+     * @param decisionString
+     * @return
+     * @throws AiravataSecurityException
+     */
+    private String parseDecisionString(String decisionString) throws AiravataSecurityException
{
+        try {
+            DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+            InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
+            Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
+            Node resultNode = doc.getDocumentElement().getFirstChild();
+            Node decisionNode = resultNode.getFirstChild();
+            String decision = decisionNode.getTextContent();
+            return decision;
+        } catch (ParserConfigurationException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+        } catch (UnsupportedEncodingException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+        } catch (SAXException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+        } catch (IOException e) {
+            logger.error("Error in parsing XACML authorization response.");
+            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+        }
+    }
+}
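Review bot: `parseDecisionString` parses the PDP response with a `DocumentBuilderFactory.newInstance()` on which DTD processing and external entities have not been disabled, so if the entitlement response is tampered with in transit or the configured PDP endpoint is not trustworthy, an XML external entity in the response can make the API server read local files or issue outbound requests; enable secure processing and disallow DOCTYPE before `newDocumentBuilder()` (the `setFeature` calls throw `ParserConfigurationException`, which the method already catches, and `javax.xml.XMLConstants` needs importing). Also, `doc.getDocumentElement().getFirstChild().getFirstChild()` throws `NullPointerException` — unchecked, rather than the declared `AiravataSecurityException` — if the response shape differs, and the first child may be a whitespace text node; a null-guarded walk or a lookup of the decision element by name would be more robust. `decisionString.getBytes("UTF-8")` can become `getBytes(StandardCharsets.UTF_8)`, which removes the `UnsupportedEncodingException` branch. The fail-closed default in `getAuthorizationDecision` (anything other than `Permit` is denied) is the right behaviour and should stay.
```java
    private String parseDecisionString(String decisionString) throws AiravataSecurityException {
        try {
            DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
            // Harden the parser: the response arrives over the network, so never resolve DTDs or external entities.
            docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            docBuilderFactory.setXIncludeAware(false);
            docBuilderFactory.setExpandEntityReferences(false);
            InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
            Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
            // … unchanged: walk to the decision node and return its text …
        // … unchanged: catch blocks …
```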

http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/modules/configuration/server/src/main/resources/airavata-server.properties
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-server.properties b/modules/configuration/server/src/main/resources/airavata-server.properties
index fb57382..d45e3d9 100644
--- a/modules/configuration/server/src/main/resources/airavata-server.properties
+++ b/modules/configuration/server/src/main/resources/airavata-server.properties
@@ -245,7 +245,7 @@ remote.oauth.authorization.server=https://localhost:9443/services/
 authorization.policy=airavata-default-xacml-policy
 #### authorization cache related configuration ####
 authz.cache.enabled=true
-authz.cache.manager.class=org.apache.airavata.api.server.security.cache.DefaultAuthzCacheManager
+authz.cache.manager.class=org.apache.airavata.api.server.security.authzcache.DefaultAuthzCacheManager
 in.memory.cache.size=1000
 #### admin user credentials of authorization server ####
 admin.user.name=admin

