Loading data-access/servlet/src/main/java/auth/authz/AuthPolicy.java +70 −63 Original line number Diff line number Diff line Loading @@ -87,7 +87,7 @@ public class AuthPolicy else { userName = principal.getName(); LOGGER.finer("DBG principal not instance of VlkbUser, but has user-name: " + userName); LOGGER.finer("DBG principal '"+userName+"' is not instance of it.inaf.ia2.aa.data.User"); userGroups = new String[]{""};//{"VLKB.groupA", "AllPrivate"}; // was for shiro userGroupsValid = true; access = Access.PUBLIC_AND_AUTHORIZED_PRIVATE; Loading Loading @@ -157,19 +157,27 @@ public class AuthPolicy } // API public String[] filterAuthorized(String[] pubdidArr) { LOGGER.finer("with String[] trace"); LOGGER.finer("trace"); ArrayList<String> pubdidList = new ArrayList<String>(Arrays.asList(pubdidArr)); List<String> pubdidList = new ArrayList<String>(Arrays.asList(pubdidArr)); switch(access) { case PUBLIC_ONLY : filterNotPublic(pubdidList); //filterNotPublic(pubdidList); AuthPolicyDb adb; synchronized(AuthPolicyDb.class) { adb = new AuthPolicyDb(); } pubdidList = adb.selectPublicOnly(pubdidArr); break; case PUBLIC_AND_AUTHORIZED_PRIVATE : filterNotAuthorized(pubdidList); break; Loading @@ -181,6 +189,8 @@ public class AuthPolicy } // remove PRIVATE from the list /* private void filterNotPublic(ArrayList<String> pubdids) { LOGGER.fine("trace"); Loading @@ -188,6 +198,7 @@ public class AuthPolicy LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids)); List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids); List<String> notAuthorizedUniqPubdids = pubdidsNotPublic(privateUniqPubdids, userGroups); LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids)); Loading 
@@ -196,22 +207,17 @@ public class AuthPolicy LOGGER.finest("PublisherDID list filtered : " + (pubdids.isEmpty() ? "" : String.join(" ", pubdids))); } private List<String> pubdidsNotPublic(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups) { LOGGER.fine("trace"); LOGGER.finer("userGroups: " + String.join(" ",userGroups)); List<String> pubdidsNotAuthorizedList = new LinkedList<String>(); ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator(); List<String> pubdidsNotAuthorizedList = new LinkedList<String>(); while (it.hasNext()) { AuthPolicyDb.PubdidGroups pubdidGroups = it.next(); LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups)); if( true )// isIntersectionEmpty(pubdidGroups.groups, userGroups) ) { pubdidsNotAuthorizedList.add(pubdidGroups.pubdid); Loading @@ -220,16 +226,18 @@ public class AuthPolicy return pubdidsNotAuthorizedList; } */ // remove not-authorized from the list private void filterNotAuthorized(ArrayList<String> pubdids) private void filterNotAuthorized(List<String> pubdids) { LOGGER.fine("trace"); assert pubdids != null; LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids)); List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids); List<String> notAuthorizedUniqPubdids = pubdidsNotAuthorized(privateUniqPubdids, userGroups); LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids)); Loading 
@@ -240,8 +248,31 @@ public class AuthPolicy } private List<String> pubdidsNotAuthorized(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups) { LOGGER.fine("trace"); List<String> pubdidsNotAuthorizedList = new LinkedList<String>(); ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator(); private void removeNotAuthorized(ArrayList<String> pubdids, List<String> notAuthorizedUniqPubdids) while (it.hasNext()) { AuthPolicyDb.PubdidGroups pubdidGroups = it.next(); LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups)); if( isIntersectionEmpty(pubdidGroups.groups, userGroups) ) { pubdidsNotAuthorizedList.add(pubdidGroups.pubdid); } } return pubdidsNotAuthorizedList; } private void removeNotAuthorized(List<String> pubdids, List<String> notAuthorizedUniqPubdids) { ListIterator<String> itr = pubdids.listIterator(); while (itr.hasNext()) Loading @@ -258,6 +289,21 @@ public class AuthPolicy } private boolean isIntersectionEmpty(String[] stringsA, String[] stringsB) { for(String strA : stringsA) for(String strB : stringsB) { if(strA.equals(strB)) { return false; } } return true; } // DB-query private List<AuthPolicyDb.PubdidGroups> db_queryPrivateUniqPubdidGroups(List<String> pubdids) { Loading 
@@ -284,44 +330,5 @@ public class AuthPolicy private List<String> pubdidsNotAuthorized(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups) { LOGGER.fine("trace"); List<String> pubdidsNotAuthorizedList = new LinkedList<String>(); ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator(); while (it.hasNext()) { AuthPolicyDb.PubdidGroups pubdidGroups = it.next(); LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups)); if( isIntersectionEmpty(pubdidGroups.groups, userGroups) ) { pubdidsNotAuthorizedList.add(pubdidGroups.pubdid); } } return pubdidsNotAuthorizedList; } private boolean isIntersectionEmpty(String[] stringsA, String[] stringsB) { for(String strA : stringsA) for(String strB : stringsB) { if(strA.equals(strB)) { return false; } } return true; } } data-access/servlet/src/main/java/auth/authz/AuthPolicyDb.java +40 −0 Original line number Diff line number Diff line Loading 
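Review bot: In the branch at the top of this section where the principal is not an `it.inaf.ia2.aa.data.User`, the placeholder `userGroups = new String[]{""}` is combined with `access = Access.PUBLIC_AND_AUTHORIZED_PRIVATE`, and `isIntersectionEmpty` compares with `equals`, so any private dataset whose group list ever contains an empty string would be granted to such a principal; whether `db_queryPrivateUniqPubdidGroups` can yield a blank group is not visible here, so the safer placeholder is simply `userGroups = new String[0];`, which cannot match anything. The `filterNotPublic`/`pubdidsNotPublic` pair (including the `if( true )//` stub) is now kept only inside a `/* … */` block and should be deleted outright now that `PUBLIC_ONLY` is served by `AuthPolicyDb.selectPublicOnly`; commented-out authorization logic is a maintenance trap. The `synchronized(AuthPolicyDb.class)` around a plain `new AuthPolicyDb()` protects nothing visible in this diff — if the constructor touches shared state that should be said in a comment, otherwise the block can go. `filterAuthorized` and the other methods in this section continue outside the shown hunks.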
@@ -89,6 +89,46 @@ public class AuthPolicyDb return pubdidGroups; } public List<String> selectPublicOnly(String[] uniqPubdids) { String commaSepObscorePubdids = String.join("\',\'", uniqPubdids); assert (commaSepObscorePubdids != null) && (!commaSepObscorePubdids.isEmpty()); String TheQuery = "SELECT obs_publisher_did FROM obscore " + "WHERE (policy = 'FREE') AND (obs_publisher_did IN (\'"+commaSepObscorePubdids+"\'));"; LOGGER.finer("Connecting to: "+dbconn.uri()+" with optional user/pwd: "+dbconn.userName()+" / ***"); List<String> pubdidPublic = new LinkedList<String>(); try(Connection conn = DriverManager.getConnection(dbconn.uri(), dbconn.userName(), dbconn.password()); Statement st = conn.createStatement(); ResultSet res = st.executeQuery(TheQuery);) { while (res.next()) { pubdidPublic.add(res.getString("obs_publisher_did")); } } catch (SQLException se) { logSqlExInfo(se); se.printStackTrace(); } LOGGER.finest("Found public: " + pubdidPublic.size()); return pubdidPublic; } private void logSqlExInfo(SQLException se) { LOGGER.severe("SQLState : " + se.getSQLState()); Loading data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java +14 −2 Original line number Diff line number Diff line Loading @@ -101,8 +101,18 @@ class AuthZ * if one or more of pubdids not-authorized -> all request not authorized * */ /* NOTE for now soda/vlkb_cutout does not allow multiplicity --> only one pubdid allowed */ if((authorized_pubdids==null) || (pubdidArr==null)) { LOGGER.warning("One of arrays null"); return true; } else { LOGGER.finest("authorized vs original length: "+authorized_pubdids.length + " / " + pubdidArr.length); return (authorized_pubdids.length == pubdidArr.length); } } } Loading 
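Review bot: `selectPublicOnly` builds the authorization query by splicing the caller-supplied publisher DIDs into the SQL text (`String.join("\',\'", uniqPubdids)` inside `IN ('…')`), and since those DIDs come from the request via `AuthZ` and `filterAuthorized`, a DID containing a single quote can rewrite the very query that decides what is public — the `assert` on emptiness is also a no-op unless the JVM runs with `-ea`. Use a `PreparedStatement` with one `?` per DID and an explicit early return for an empty array (an empty `IN ()` would be a syntax error), as sketched below; this needs `java.sql.PreparedStatement` and `java.util.Collections` imported. Logging `dbconn.uri()` is only safe if the URI never embeds credentials — worth confirming for this deployment. The `catch (SQLException se)` block and the final return are unchanged by the sketch.
```java
public List<String> selectPublicOnly(String[] uniqPubdids)
{
   List<String> pubdidPublic = new LinkedList<String>();
   // nothing requested -> nothing public; also avoids an invalid "IN ()"
   if ((uniqPubdids == null) || (uniqPubdids.length == 0)) return pubdidPublic;

   // one bind parameter per DID: request-supplied identifiers never enter the SQL text
   String placeholders = String.join(",", Collections.nCopies(uniqPubdids.length, "?"));
   String TheQuery = "SELECT obs_publisher_did FROM obscore "
      + "WHERE (policy = 'FREE') AND (obs_publisher_did IN (" + placeholders + "))";

   LOGGER.finer("Connecting to: "+dbconn.uri()+" with optional user/pwd: "+dbconn.userName()+" / ***");

   try(Connection conn = DriverManager.getConnection(dbconn.uri(), dbconn.userName(), dbconn.password());
       PreparedStatement st = conn.prepareStatement(TheQuery))
   {
      for (int i = 0; i < uniqPubdids.length; i++) st.setString(i + 1, uniqPubdids[i]);
      try (ResultSet res = st.executeQuery())
      {
         while (res.next()) pubdidPublic.add(res.getString("obs_publisher_did"));
      }
   }
   // … unchanged: catch (SQLException se) { logSqlExInfo(se); … }, LOGGER.finest(...) and return pubdidPublic …
}
```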
@@ -123,7 +133,8 @@ public class AuthZFilter implements Filter public void destroy() {} @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { LOGGER.fine("doFilter"); Loading @@ -139,6 +150,7 @@ public class AuthZFilter implements Filter else { resp.setContentType("text/plain"); // FIXME use VO errors vlkb-volib: implement Lib.doPermissionError()... resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden"); } } Loading docker/deps/soda.logging.properties +2 −0 Original line number Diff line number Diff line Loading @@ -70,3 +70,5 @@ SodaImpl.level = INFO VlkbCli.level = INFO AuthPolicy.level = INFO AuthPolicyDb.level = INFO AuthZFilter.level = INFO AuthZ.level = INFO docker/start-soda.sh.soda +2 −0 Original line number Diff line number Diff line Loading @@ -129,6 +129,8 @@ sed -i "s/.*SodaImpl\.level.*=.*/SodaImpl.level = $DBG_LEVEL/g" $CATALINA_BASE/c sed -i "s/.*VlkbCli\.level.*=.*/VlkbCli.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthPolicy\.level.*=.*/AuthPolicy.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthPolicyDb\.level.*=.*/AuthPolicyDb.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthZFilter\.level.*=.*/AuthZFilter.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthZ\.level.*=.*/AuthZ.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties date Loading Loading
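Review bot: The new null guard in `AuthZ` fails open — when `authorized_pubdids` is null the request is reported as authorized with only a warning logged, so any upstream failure that yields null becomes a grant instead of a denial. Keep only the "nothing requested" case permissive and deny the rest, e.g. `if (pubdidArr == null || pubdidArr.length == 0) return true;` followed by `if (authorized_pubdids == null) return false;` (assuming an absent pubdid is indeed meant to pass here, which the surrounding code does not show). The length comparison that follows only proves the counts agree, not that every requested DID is in the authorized set, so `new HashSet<>(Arrays.asList(authorized_pubdids)).containsAll(Arrays.asList(pubdidArr))` would check membership directly and stay correct if the single-pubdid restriction noted in the comment is lifted or if `obscore` ever holds duplicate DIDs. The enclosing method's signature and most of the `doFilter` body are outside the shown hunks.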
data-access/servlet/src/main/java/auth/authz/AuthPolicy.java +70 −63 Original line number Diff line number Diff line Loading @@ -87,7 +87,7 @@ public class AuthPolicy else { userName = principal.getName(); LOGGER.finer("DBG principal not instance of VlkbUser, but has user-name: " + userName); LOGGER.finer("DBG principal '"+userName+"' is not instance of it.inaf.ia2.aa.data.User"); userGroups = new String[]{""};//{"VLKB.groupA", "AllPrivate"}; // was for shiro userGroupsValid = true; access = Access.PUBLIC_AND_AUTHORIZED_PRIVATE; Loading Loading @@ -157,19 +157,27 @@ public class AuthPolicy } // API public String[] filterAuthorized(String[] pubdidArr) { LOGGER.finer("with String[] trace"); LOGGER.finer("trace"); ArrayList<String> pubdidList = new ArrayList<String>(Arrays.asList(pubdidArr)); List<String> pubdidList = new ArrayList<String>(Arrays.asList(pubdidArr)); switch(access) { case PUBLIC_ONLY : filterNotPublic(pubdidList); //filterNotPublic(pubdidList); AuthPolicyDb adb; synchronized(AuthPolicyDb.class) { adb = new AuthPolicyDb(); } pubdidList = adb.selectPublicOnly(pubdidArr); break; case PUBLIC_AND_AUTHORIZED_PRIVATE : filterNotAuthorized(pubdidList); break; Loading @@ -181,6 +189,8 @@ public class AuthPolicy } // remove PRIVATE from the list /* private void filterNotPublic(ArrayList<String> pubdids) { LOGGER.fine("trace"); Loading @@ -188,6 +198,7 @@ public class AuthPolicy LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids)); List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids); List<String> notAuthorizedUniqPubdids = pubdidsNotPublic(privateUniqPubdids, userGroups); LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids)); Loading 
@@ -196,22 +207,17 @@ public class AuthPolicy LOGGER.finest("PublisherDID list filtered : " + (pubdids.isEmpty() ? "" : String.join(" ", pubdids))); } private List<String> pubdidsNotPublic(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups) { LOGGER.fine("trace"); LOGGER.finer("userGroups: " + String.join(" ",userGroups)); List<String> pubdidsNotAuthorizedList = new LinkedList<String>(); ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator(); List<String> pubdidsNotAuthorizedList = new LinkedList<String>(); while (it.hasNext()) { AuthPolicyDb.PubdidGroups pubdidGroups = it.next(); LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups)); if( true )// isIntersectionEmpty(pubdidGroups.groups, userGroups) ) { pubdidsNotAuthorizedList.add(pubdidGroups.pubdid); Loading @@ -220,16 +226,18 @@ public class AuthPolicy return pubdidsNotAuthorizedList; } */ // remove not-authorized from the list private void filterNotAuthorized(ArrayList<String> pubdids) private void filterNotAuthorized(List<String> pubdids) { LOGGER.fine("trace"); assert pubdids != null; LOGGER.finer("PublisherDID list original : " + String.join(" ", pubdids)); List<AuthPolicyDb.PubdidGroups> privateUniqPubdids = db_queryPrivateUniqPubdidGroups(pubdids); List<String> notAuthorizedUniqPubdids = pubdidsNotAuthorized(privateUniqPubdids, userGroups); LOGGER.finest("AuthZ removes: " + String.join(" ", notAuthorizedUniqPubdids)); Loading 
@@ -240,8 +248,31 @@ public class AuthPolicy } private List<String> pubdidsNotAuthorized(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups) { LOGGER.fine("trace"); List<String> pubdidsNotAuthorizedList = new LinkedList<String>(); ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator(); private void removeNotAuthorized(ArrayList<String> pubdids, List<String> notAuthorizedUniqPubdids) while (it.hasNext()) { AuthPolicyDb.PubdidGroups pubdidGroups = it.next(); LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups)); if( isIntersectionEmpty(pubdidGroups.groups, userGroups) ) { pubdidsNotAuthorizedList.add(pubdidGroups.pubdid); } } return pubdidsNotAuthorizedList; } private void removeNotAuthorized(List<String> pubdids, List<String> notAuthorizedUniqPubdids) { ListIterator<String> itr = pubdids.listIterator(); while (itr.hasNext()) Loading @@ -258,6 +289,21 @@ public class AuthPolicy } private boolean isIntersectionEmpty(String[] stringsA, String[] stringsB) { for(String strA : stringsA) for(String strB : stringsB) { if(strA.equals(strB)) { return false; } } return true; } // DB-query private List<AuthPolicyDb.PubdidGroups> db_queryPrivateUniqPubdidGroups(List<String> pubdids) { Loading 
@@ -284,44 +330,5 @@ public class AuthPolicy private List<String> pubdidsNotAuthorized(List<AuthPolicyDb.PubdidGroups> pubdidList, String[] userGroups) { LOGGER.fine("trace"); List<String> pubdidsNotAuthorizedList = new LinkedList<String>(); ListIterator<AuthPolicyDb.PubdidGroups> it = pubdidList.listIterator(); while (it.hasNext()) { AuthPolicyDb.PubdidGroups pubdidGroups = it.next(); LOGGER.finest(pubdidGroups.pubdid + " : " + String.join(" ",pubdidGroups.groups)); if( isIntersectionEmpty(pubdidGroups.groups, userGroups) ) { pubdidsNotAuthorizedList.add(pubdidGroups.pubdid); } } return pubdidsNotAuthorizedList; } private boolean isIntersectionEmpty(String[] stringsA, String[] stringsB) { for(String strA : stringsA) for(String strB : stringsB) { if(strA.equals(strB)) { return false; } } return true; } }
data-access/servlet/src/main/java/auth/authz/AuthPolicyDb.java +40 −0 Original line number Diff line number Diff line Loading @@ -89,6 +89,46 @@ public class AuthPolicyDb return pubdidGroups; } public List<String> selectPublicOnly(String[] uniqPubdids) { String commaSepObscorePubdids = String.join("\',\'", uniqPubdids); assert (commaSepObscorePubdids != null) && (!commaSepObscorePubdids.isEmpty()); String TheQuery = "SELECT obs_publisher_did FROM obscore " + "WHERE (policy = 'FREE') AND (obs_publisher_did IN (\'"+commaSepObscorePubdids+"\'));"; LOGGER.finer("Connecting to: "+dbconn.uri()+" with optional user/pwd: "+dbconn.userName()+" / ***"); List<String> pubdidPublic = new LinkedList<String>(); try(Connection conn = DriverManager.getConnection(dbconn.uri(), dbconn.userName(), dbconn.password()); Statement st = conn.createStatement(); ResultSet res = st.executeQuery(TheQuery);) { while (res.next()) { pubdidPublic.add(res.getString("obs_publisher_did")); } } catch (SQLException se) { logSqlExInfo(se); se.printStackTrace(); } LOGGER.finest("Found public: " + pubdidPublic.size()); return pubdidPublic; } private void logSqlExInfo(SQLException se) { LOGGER.severe("SQLState : " + se.getSQLState()); Loading
data-access/servlet/src/main/java/auth/authz/webapi/AuthZFilter.java +14 −2 Original line number Diff line number Diff line Loading @@ -101,8 +101,18 @@ class AuthZ * if one or more of pubdids not-authorized -> all request not authorized * */ /* NOTE for now soda/vlkb_cutout does not allow multiplicity --> only one pubdid allowed */ if((authorized_pubdids==null) || (pubdidArr==null)) { LOGGER.warning("One of arrays null"); return true; } else { LOGGER.finest("authorized vs original length: "+authorized_pubdids.length + " / " + pubdidArr.length); return (authorized_pubdids.length == pubdidArr.length); } } } Loading @@ -123,7 +133,8 @@ public class AuthZFilter implements Filter public void destroy() {} @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { LOGGER.fine("doFilter"); Loading @@ -139,6 +150,7 @@ public class AuthZFilter implements Filter else { resp.setContentType("text/plain"); // FIXME use VO errors vlkb-volib: implement Lib.doPermissionError()... resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden"); } } Loading
docker/deps/soda.logging.properties +2 −0 Original line number Diff line number Diff line Loading @@ -70,3 +70,5 @@ SodaImpl.level = INFO VlkbCli.level = INFO AuthPolicy.level = INFO AuthPolicyDb.level = INFO AuthZFilter.level = INFO AuthZ.level = INFO
docker/start-soda.sh.soda +2 −0 Original line number Diff line number Diff line Loading @@ -129,6 +129,8 @@ sed -i "s/.*SodaImpl\.level.*=.*/SodaImpl.level = $DBG_LEVEL/g" $CATALINA_BASE/c sed -i "s/.*VlkbCli\.level.*=.*/VlkbCli.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthPolicy\.level.*=.*/AuthPolicy.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthPolicyDb\.level.*=.*/AuthPolicyDb.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthZFilter\.level.*=.*/AuthZFilter.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties sed -i "s/.*AuthZ\.level.*=.*/AuthZ.level = $DBG_LEVEL/g" $CATALINA_BASE/conf/soda.logging.properties date Loading