airavata-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From scnakand...@apache.org
Subject [18/50] [abbrv] airavata git commit: Add code for airavata-services security
Date Wed, 05 Apr 2017 19:10:42 GMT
http://git-wip-us.apache.org/repos/asf/airavata/blob/6e5530c1/airavata-services/services-security/src/main/java/org/apache/airavata/service/security/xacml/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-services/services-security/src/main/java/org/apache/airavata/service/security/xacml/DefaultXACMLPEP.java
b/airavata-services/services-security/src/main/java/org/apache/airavata/service/security/xacml/DefaultXACMLPEP.java
new file mode 100644
index 0000000..4b0d24f
--- /dev/null
+++ b/airavata-services/services-security/src/main/java/org/apache/airavata/service/security/xacml/DefaultXACMLPEP.java
@@ -0,0 +1,133 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.service.security.xacml;
+
+import org.apache.airavata.common.utils.Constants;
+import org.apache.airavata.model.security.AuthzToken;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.ConfigurationContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub;
+import org.wso2.carbon.utils.CarbonUtils;
+import org.xml.sax.SAXException;
+
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.rmi.RemoteException;
+import java.util.Map;
+
+/**
+ * This enforces XACML based fine grained authorization on the API calls, by authorizing
the API calls
+ * through default PDP which is WSO2 Identity Server.
+ */
+public class DefaultXACMLPEP {
+
+    private final static Logger logger = LoggerFactory.getLogger(DefaultXACMLPEP.class);
+    private EntitlementServiceStub entitlementServiceStub;
+
+    public DefaultXACMLPEP(String auhorizationServerURL, String username, String password,
+                           ConfigurationContext configCtx) throws AiravataSecurityException
{
+        try {
+
+            String PDPURL = auhorizationServerURL + "EntitlementService";
+            entitlementServiceStub = new EntitlementServiceStub(configCtx, PDPURL);
+            CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, entitlementServiceStub._getServiceClient());
+        } catch (AxisFault e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error initializing XACML PEP client.");
+        }
+
+    }
+
+    /**
+     * Send the XACML authorization request to XAML PDP and return the authorization decision.
+     *
+     * @param authzToken
+     * @param metaData
+     * @return
+     */
+    public boolean getAuthorizationDecision(AuthzToken authzToken, Map<String, String>
metaData) throws AiravataSecurityException {
+        String decision;
+        try {
+            String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
+            //FIXME hacky way to fix OpenID -> CILogon issue in WSO2 IS
+            if(subject.startsWith("http://")){
+                subject = subject.substring(6);
+            }
+            String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
+            String decisionString = entitlementServiceStub.getDecisionByAttributes(subject,
null, action, null);
+            //parse the XML decision string and obtain the decision
+            decision = parseDecisionString(decisionString);
+            if (Constants.PERMIT.equals(decision)) {
+                return true;
+            } else {
+                logger.error("Authorization decision is: " + decision);
+                return false;
+            }
+        } catch (RemoteException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in authorizing the user.");
+        } catch (EntitlementServiceException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in authorizing the user.");
+        }
+    }
+
+    /**
+     * This parses the XML based authorization response by the PDP and returns the decision
string.
+     *
+     * @param decisionString
+     * @return
+     * @throws AiravataSecurityException
+     */
+    private String parseDecisionString(String decisionString) throws AiravataSecurityException
{
+        try {
+            DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+            InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
+            Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
+            Node resultNode = doc.getDocumentElement().getFirstChild();
+            Node decisionNode = resultNode.getFirstChild();
+            String decision = decisionNode.getTextContent();
+            return decision;
+        } catch (ParserConfigurationException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+        } catch (UnsupportedEncodingException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+        } catch (SAXException e) {
+            logger.error(e.getMessage(), e);
+            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+        } catch (IOException e) {
+            logger.error("Error in parsing XACML authorization response.");
+            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+        }
+    }
+}


Mime
View raw message