2 * Copyright (c) 2017 Brocade Communications Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.aaa.shiro.realm;
10 import static com.google.common.base.Preconditions.checkArgument;
11 import static com.google.common.base.Verify.verifyNotNull;
12 import static java.util.Objects.requireNonNull;
14 import com.google.common.collect.Iterables;
15 import com.google.common.util.concurrent.Futures;
16 import com.google.common.util.concurrent.ListenableFuture;
17 import java.util.ArrayList;
18 import java.util.Collection;
19 import java.util.Comparator;
20 import java.util.List;
21 import java.util.Optional;
22 import java.util.concurrent.ExecutionException;
23 import javax.servlet.Filter;
24 import javax.servlet.ServletRequest;
25 import javax.servlet.ServletResponse;
26 import javax.servlet.http.HttpServletRequest;
27 import org.apache.shiro.subject.Subject;
28 import org.apache.shiro.web.filter.authz.AuthorizationFilter;
29 import org.opendaylight.mdsal.binding.api.ClusteredDataTreeChangeListener;
30 import org.opendaylight.mdsal.binding.api.DataBroker;
31 import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
32 import org.opendaylight.mdsal.binding.api.DataTreeModification;
33 import org.opendaylight.mdsal.binding.api.ReadTransaction;
34 import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.HttpAuthorization;
36 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization.policies.Policies;
37 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.permission.Permissions;
38 import org.opendaylight.yangtools.concepts.ListenerRegistration;
39 import org.opendaylight.yangtools.concepts.Registration;
40 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
41 import org.slf4j.Logger;
42 import org.slf4j.LoggerFactory;
45 * Provides a dynamic authorization mechanism for restful web services with permission grain
46 * scope. <code>aaa.yang</code> defines the model for this filtering mechanism.
47 * This model exposes the ability to manipulate policy information for specific paths
48 * based on a tuple of (role, http_permission_list).
50 * <p>This mechanism will only work when put behind <code>authcBasic</code>.
52 @SuppressWarnings("checkstyle:AbbreviationAsWordInName")
53 public class MDSALDynamicAuthorizationFilter extends AuthorizationFilter
54 implements ClusteredDataTreeChangeListener<HttpAuthorization> {
56 private static final Logger LOG = LoggerFactory.getLogger(MDSALDynamicAuthorizationFilter.class);
58 private static final DataTreeIdentifier<HttpAuthorization> AUTHZ_CONTAINER = DataTreeIdentifier.create(
59 LogicalDatastoreType.CONFIGURATION, InstanceIdentifier.create(HttpAuthorization.class));
61 private static final ThreadLocal<DataBroker> DATABROKER_TL = new ThreadLocal<>();
63 private final DataBroker dataBroker;
65 private ListenerRegistration<?> reg;
66 private volatile ListenableFuture<Optional<HttpAuthorization>> authContainer;
68 public MDSALDynamicAuthorizationFilter() {
69 this(verifyNotNull(DATABROKER_TL.get(), "MDSALDynamicAuthorizationFilter loading not prepared"));
72 public MDSALDynamicAuthorizationFilter(final DataBroker dataBroker) {
73 this.dataBroker = requireNonNull(dataBroker);
76 public static Registration prepareForLoad(final DataBroker dataBroker) {
77 DATABROKER_TL.set(requireNonNull(dataBroker));
78 return DATABROKER_TL::remove;
82 public Filter processPathConfig(final String path, final String config) {
83 try (ReadTransaction tx = dataBroker.newReadOnlyTransaction()) {
84 authContainer = tx.read(AUTHZ_CONTAINER.getDatastoreType(), AUTHZ_CONTAINER.getRootIdentifier());
86 reg = dataBroker.registerDataTreeChangeListener(AUTHZ_CONTAINER, this);
87 return super.processPathConfig(path, config);
91 public void destroy() {
100 public void onDataTreeChanged(final Collection<DataTreeModification<HttpAuthorization>> changes) {
101 final HttpAuthorization newVal = Iterables.getLast(changes).getRootNode().getDataAfter();
102 LOG.debug("Updating authorization information to {}", newVal);
103 authContainer = Futures.immediateFuture(Optional.ofNullable(newVal));
107 public boolean isAccessAllowed(final ServletRequest request, final ServletResponse response,
108 final Object mappedValue) {
109 checkArgument(request instanceof HttpServletRequest, "Expected HttpServletRequest, received {}", request);
111 final Subject subject = getSubject(request, response);
112 final HttpServletRequest httpServletRequest = (HttpServletRequest)request;
113 final String requestURI = httpServletRequest.getRequestURI();
114 LOG.debug("isAccessAllowed for user={} to requestURI={}", subject, requestURI);
116 final Optional<HttpAuthorization> authorizationOptional;
118 authorizationOptional = authContainer.get();
119 } catch (ExecutionException | InterruptedException e) {
120 // Something went completely wrong trying to read the authz container. Deny access.
121 LOG.warn("MDSAL attempt to read Http Authz Container failed, disallowing access", e);
125 if (!authorizationOptional.isPresent()) {
126 // The authorization container does not exist-- hence no authz rules are present
128 LOG.debug("Authorization Container does not exist");
132 final HttpAuthorization httpAuthorization = authorizationOptional.get();
133 final var policies = httpAuthorization.getPolicies();
134 List<Policies> policiesList = policies != null ? policies.getPolicies() : null;
135 if (policiesList == null || policiesList.isEmpty()) {
136 // The authorization container exists, but no rules are present. Allow access.
137 LOG.debug("Exiting successfully early since no authorization rules exist");
141 // Sort the Policies list based on index
142 policiesList = new ArrayList<>(policiesList);
143 policiesList.sort(Comparator.comparing(Policies::getIndex));
145 for (Policies policy : policiesList) {
146 final String resource = policy.getResource();
147 final boolean pathsMatch = pathsMatch(resource, requestURI);
149 LOG.debug("paths match for pattern={} and requestURI={}", resource, requestURI);
150 final String method = httpServletRequest.getMethod();
151 LOG.trace("method={}", method);
152 for (Permissions permission : policy.getPermissions()) {
153 final String role = permission.getRole();
154 LOG.trace("role={}", role);
155 for (Permissions.Actions action : permission.getActions()) {
156 LOG.trace("action={}", action.getName());
157 if (action.getName().equalsIgnoreCase(method)) {
158 final boolean hasRole = subject.hasRole(role);
159 LOG.trace("hasRole({})={}", role, hasRole);
166 LOG.debug("couldn't authorize the user for access");
170 LOG.debug("successfully authorized the user for access");