Posted to commits@airavata.apache.org by sm...@apache.org on 2015/08/17 06:09:03 UTC
[01/10] airavata git commit: Added identity context to store user
identity info in thread local.
Repository: airavata
Updated Branches:
refs/heads/master 4f6e8c5e6 -> 36922c9fc
Added identity context to store user identity info in thread local.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/6ec2a39e
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/6ec2a39e
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/6ec2a39e
Branch: refs/heads/master
Commit: 6ec2a39e51999d1a1f2e6f9288926aa362d32851
Parents: 67839c0
Author: hasinitg <ha...@gmail.com>
Authored: Thu Jul 30 16:57:18 2015 +0530
Committer: hasinitg <ha...@gmail.com>
Committed: Thu Jul 30 16:57:18 2015 +0530
----------------------------------------------------------------------
.../api/server/security/IdentityContext.java | 44 ++++++++++++++++++++
1 file changed, 44 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/6ec2a39e/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/IdentityContext.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/IdentityContext.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/IdentityContext.java
new file mode 100644
index 0000000..24cc225
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/IdentityContext.java
@@ -0,0 +1,44 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.airavata.api.server.security;
+
+import org.apache.airavata.model.security.AuthzToken;
+
+/**
+ * This provides a thread local container for AuthzToken through out the execution of a particular thread.
+ */
+public class IdentityContext {
+ private static ThreadLocal authzTokenContainer = new ThreadLocal();
+
+ public static void set(AuthzToken authzToken){
+ authzTokenContainer.set(authzToken);
+ }
+
+ public static void unset(){
+ authzTokenContainer.remove();
+ }
+
+ public static AuthzToken get(){
+ return (AuthzToken) authzTokenContainer.get();
+ }
+
+}
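Review bot: The container at `private static ThreadLocal authzTokenContainer = new ThreadLocal();` is a raw type, which is why `get()` needs the unchecked cast on the line `return (AuthzToken) authzTokenContainer.get();`; declare it as `private static final ThreadLocal<AuthzToken> authzTokenContainer = new ThreadLocal<>();` and return `authzTokenContainer.get()` directly. The class javadoc should also state the ownership contract, since a value stored here survives on the thread until `unset()` is called — on a pooled server thread (the API server imports `TThreadPoolServer` elsewhere on this page) a caller that does not unset on every exit path, including exceptions, leaves the previous user's token visible to the next request on that thread; something like `Callers must pair set() with unset() in a finally block; the token otherwise outlives the request on a pooled thread.` As a utility class with only static members it would conventionally also get a private constructor.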
[07/10] airavata git commit: added PAP client in Airavata Server,
which publishes and enables the default XACML authorization policy in
the XACML authorization server,
at the airavata server startup - if the security is enabled.
added PAP client in Airavata Server, which publishes and enables the default XACML authorization policy in the XACML authorization server, at the airavata server startup - if the security is enabled.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/59f4acda
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/59f4acda
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/59f4acda
Branch: refs/heads/master
Commit: 59f4acda5c600cb7c11a645fba1bacb4bad27e16
Parents: c365260
Author: hasinitg <ha...@gmail.com>
Authored: Sat Aug 8 01:21:08 2015 +0530
Committer: hasinitg <ha...@gmail.com>
Committed: Sat Aug 8 01:21:08 2015 +0530
----------------------------------------------------------------------
airavata-api/airavata-api-server/pom.xml | 5 +
.../airavata/api/server/AiravataAPIServer.java | 10 ++
.../security/AiravataSecurityManager.java | 13 ++
.../DefaultAiravataSecurityManager.java | 56 ++++++++-
.../api/server/security/DefaultPAPClient.java | 126 +++++++++++++++++++
.../api/server/security/DefaultXACMLPEP.java | 3 +-
.../apache/airavata/common/utils/Constants.java | 2 +
.../airavata/common/utils/ServerSettings.java | 6 +-
.../resources/airavata-default-xacml-policy.xml | 2 +-
.../main/resources/airavata-server.properties | 1 +
10 files changed, 219 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/airavata-api/airavata-api-server/pom.xml
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/pom.xml b/airavata-api/airavata-api-server/pom.xml
index 543bbaa..e78ff9d 100644
--- a/airavata-api/airavata-api-server/pom.xml
+++ b/airavata-api/airavata-api-server/pom.xml
@@ -113,6 +113,11 @@
<version>4.2.1</version>
</dependency>
<dependency>
+ <groupId>org.wso2.carbon</groupId>
+ <artifactId>org.wso2.carbon.identity.entitlement.common</artifactId>
+ <version>4.2.1</version>
+ </dependency>
+ <dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
<version>4.0</version>
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java
index 1b336e1..c06cd39 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java
@@ -27,6 +27,8 @@ import java.net.InetAddress;
import org.apache.airavata.api.Airavata;
import org.apache.airavata.api.server.handler.AiravataServerHandler;
+import org.apache.airavata.api.server.security.AiravataSecurityManager;
+import org.apache.airavata.api.server.security.SecurityManagerFactory;
import org.apache.airavata.api.server.security.SecurityModule;
import org.apache.airavata.api.server.util.AppCatalogInitUtil;
import org.apache.airavata.api.server.util.Constants;
@@ -38,6 +40,7 @@ import org.apache.airavata.common.utils.IServer;
import org.apache.airavata.common.utils.ServerSettings;
import org.apache.airavata.model.error.AiravataErrorType;
import org.apache.airavata.model.error.AiravataSystemException;
+import org.apache.airavata.security.AiravataSecurityException;
import org.apache.thrift.server.TServer;
import org.apache.thrift.server.TThreadPoolServer;
import org.apache.thrift.transport.TServerSocket;
@@ -145,6 +148,10 @@ public class AiravataAPIServer implements IServer{
}.start();
logger.info("Airavata API server starter over TLS on Port: " + ServerSettings.getTLSServerPort());
}
+ //perform any security related initialization at the server startup, according to the security manager being used.
+ AiravataSecurityManager securityManager = SecurityManagerFactory.getSecurityManager();
+ securityManager.initializeSecurityInfra();
+
} catch (TTransportException e) {
logger.error(e.getMessage());
setStatus(ServerStatus.FAILED);
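Review bot: `securityManager.initializeSecurityInfra()` is invoked after the listener has already been started (`}.start();` and the "starter over TLS" log line precede it in this hunk), so there appears to be a window in which API calls are accepted before the default authorization policy has been published; moving the two added lines ahead of the server start, so that an `AiravataSecurityException` prevents the listener from coming up at all, would close it. This is inferred from the visible ordering only — the enclosing method begins outside the hunk, and the non-TLS branch is not shown. The new `catch (AiravataSecurityException e)` in the following hunk duplicates the `UnknownHostException` branch line for line; if the module builds on Java 7 or later, a multi-catch `catch (UnknownHostException | AiravataSecurityException e)` keeps the two in step.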
@@ -156,6 +163,9 @@ public class AiravataAPIServer implements IServer{
} catch (UnknownHostException e) {
logger.error(e.getMessage(), e);
throw new AiravataSystemException(AiravataErrorType.INTERNAL_ERROR);
+ } catch (AiravataSecurityException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSystemException(AiravataErrorType.INTERNAL_ERROR);
}
}
public static void main(String[] args) {
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
index 37c348c..9245576 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
@@ -26,5 +26,18 @@ import org.apache.airavata.security.AiravataSecurityException;
import java.util.Map;
public interface AiravataSecurityManager {
+ /**
+ * Implement this method in your SecurityManager to perform necessary initializations at the server startup.
+ * @throws AiravataSecurityException
+ */
+ public void initializeSecurityInfra() throws AiravataSecurityException;
+
+ /**
+ * Implement this method with the user authentication/authorization logic in your SecurityManager.
+ * @param authzToken : this includes OAuth token and user's claims
+ * @param metaData : this includes other meta data needed for security enforcements.
+ * @return
+ * @throws AiravataSecurityException
+ */
public boolean isUserAuthorized(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException;
}
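Review bot: The javadoc added for `isUserAuthorized` has an empty `@return` and both methods have bare `@throws AiravataSecurityException` tags, which documents nothing for implementors. Suggested wording: `@return true if the caller identified by authzToken is permitted to invoke the API method described by metaData, false otherwise` and, for the throws tags, `@throws AiravataSecurityException if the authentication/authorization decision could not be made (e.g. the authorization server is unreachable)` — the distinction between "denied" (false) and "could not decide" (exception) is the contract callers most need. The `initializeSecurityInfra` javadoc would also benefit from noting that it is invoked once at server startup and before any API call is served, if that is the intended guarantee.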
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
index 6230310..532f9f6 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
@@ -21,6 +21,7 @@
package org.apache.airavata.api.server.security;
import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.Constants;
import org.apache.airavata.common.utils.ServerSettings;
import org.apache.airavata.model.security.AuthzToken;
import org.apache.airavata.security.AiravataSecurityException;
@@ -32,6 +33,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO;
+import java.io.*;
import java.util.Map;
/**
@@ -40,6 +42,56 @@ import java.util.Map;
public class DefaultAiravataSecurityManager implements AiravataSecurityManager {
private final static Logger logger = LoggerFactory.getLogger(DefaultAiravataSecurityManager.class);
+ @Override
+ public void initializeSecurityInfra() throws AiravataSecurityException {
+ /* in the default security manager, this method checks if the xacml authorization policy is published,
+ * and if not, publish the policy to the PDP (of WSO2 Identity Server)
+ */
+ try {
+ if (ServerSettings.isAPISecured()) {
+
+ ConfigurationContext configContext =
+ ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
+ //initialize SSL context with the trust store that contains the public cert of WSO2 Identity Server.
+ TrustStoreManager trustStoreManager = new TrustStoreManager();
+ trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(),
+ ServerSettings.getTrustStorePassword());
+ DefaultPAPClient PAPClient = new DefaultPAPClient(ServerSettings.getRemoteAuthzServerUrl(),
+ ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
+ boolean policyAdded = PAPClient.isPolicyAdded(ServerSettings.getAuthorizationPoliyName());
+ if (policyAdded) {
+ logger.info("Authorization policy is already added in the authorization server.");
+ } else {
+ //read the policy as a string
+ BufferedReader bufferedReader = new BufferedReader(new FileReader(new File(
+ ServerSettings.getAuthorizationPoliyName() + ".xml")));
+ String line;
+ StringBuilder stringBuilder = new StringBuilder();
+ while ((line = bufferedReader.readLine()) != null) {
+ stringBuilder.append(line);
+ }
+ //publish the policy and enable it in a separate thread
+ PAPClient.addPolicy(stringBuilder.toString());
+ }
+ }
+
+ } catch (AxisFault axisFault) {
+ logger.error(axisFault.getMessage(), axisFault);
+ throw new AiravataSecurityException("Error in initializing the configuration context for creating the " +
+ "PAP client.");
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in reading configuration when creating the PAP client.");
+ } catch (FileNotFoundException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in reading authorization policy.");
+ } catch (IOException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in reading the authorization policy.");
+ }
+
+ }
+
public boolean isUserAuthorized(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
try {
ConfigurationContext configContext =
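Review bot: The `BufferedReader` opened at `new BufferedReader(new FileReader(new File(...)))` is never closed on any path, so the policy file handle leaks on both success and the `IOException` paths; wrap it in try-with-resources: `try (BufferedReader bufferedReader = new BufferedReader(new FileReader(new File(ServerSettings.getAuthorizationPoliyName() + ".xml")))) {`. Inside the loop `stringBuilder.append(line);` drops every line terminator, and the policy file diff on this page splits the `<Policy ...>` start tag across two lines (`PolicyId="..."` then `RuleCombiningAlgId=`); unless the continuation lines carry leading whitespace that this rendering has stripped, the joined string is not well-formed XML — `stringBuilder.append(line).append(System.lineSeparator());` is safe either way. `FileReader` reads in the platform default charset; an `InputStreamReader(new FileInputStream(...), StandardCharsets.UTF_8)` pins it. The `FileNotFoundException` and `IOException` catches do the same thing with near-identical messages; since the former is a subclass, the first can simply be dropped. The relative path `<name>.xml` resolves against the JVM working directory, which is worth stating in the comment above the read.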
@@ -50,13 +102,13 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager {
trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(),
ServerSettings.getTrustStorePassword());
- DefaultOAuthClient oauthClient = new DefaultOAuthClient(ServerSettings.getRemoteOauthServerUrl(),
+ DefaultOAuthClient oauthClient = new DefaultOAuthClient(ServerSettings.getRemoteAuthzServerUrl(),
ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
OAuth2TokenValidationResponseDTO validationResponse = oauthClient.validateAccessToken(
authzToken.getAccessToken());
boolean isOAuthTokenValid = validationResponse.getValid();
//if XACML based authorization is enabled, check for role based authorization for the API invocation
- DefaultXACMLPEP entitlementClient = new DefaultXACMLPEP(ServerSettings.getRemoteOauthServerUrl(),
+ DefaultXACMLPEP entitlementClient = new DefaultXACMLPEP(ServerSettings.getRemoteAuthzServerUrl(),
ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
boolean authorizationDecision = entitlementClient.getAuthorizationDecision(authzToken, metaData);
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultPAPClient.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultPAPClient.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultPAPClient.java
new file mode 100644
index 0000000..b75129c
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultPAPClient.java
@@ -0,0 +1,126 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security;
+
+import com.sun.corba.se.spi.activation.Server;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.ConfigurationContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceStub;
+import org.wso2.carbon.identity.entitlement.stub.dto.PaginatedStatusHolder;
+import org.wso2.carbon.identity.entitlement.stub.dto.PolicyDTO;
+import org.wso2.carbon.identity.entitlement.stub.dto.StatusHolder;
+import org.wso2.carbon.identity.entitlement.common.EntitlementConstants;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceEntitlementException;
+import org.wso2.carbon.utils.CarbonUtils;
+
+import java.rmi.RemoteException;
+
+/**
+ * This publishes the airavata-default-xacml-policy.xml to the PDP via PAP API (of WSO2 Identity Server)
+ */
+public class DefaultPAPClient {
+
+ private final static Logger logger = LoggerFactory.getLogger(DefaultPAPClient.class);
+ private EntitlementPolicyAdminServiceStub entitlementPolicyAdminServiceStub;
+
+ public DefaultPAPClient(String auhorizationServerURL, String username, String password,
+ ConfigurationContext configCtx) throws AiravataSecurityException {
+ try {
+
+ String PDPURL = auhorizationServerURL + "EntitlementPolicyAdminService";
+ entitlementPolicyAdminServiceStub = new EntitlementPolicyAdminServiceStub(configCtx, PDPURL);
+ CarbonUtils.setBasicAccessSecurityHeaders(username, password, true,
+ entitlementPolicyAdminServiceStub._getServiceClient());
+ } catch (AxisFault e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error initializing XACML PEP client.");
+ }
+
+ }
+
+ public boolean isPolicyAdded(String policyName) {
+ try {
+ PolicyDTO policyDTO = entitlementPolicyAdminServiceStub.getPolicy(policyName, false);
+ } catch (RemoteException e) {
+ logger.debug("Error in retrieving the policy.", e);
+ return false;
+ } catch (EntitlementPolicyAdminServiceEntitlementException e) {
+ logger.debug("Error in retrieving the policy.", e);
+ return false;
+ }
+ return true;
+ }
+
+ public void addPolicy(String policy) throws AiravataSecurityException {
+ new Thread() {
+ public void run() {
+ try {
+ PolicyDTO policyDTO = new PolicyDTO();
+ policyDTO.setPolicy(policy);
+ entitlementPolicyAdminServiceStub.addPolicy(policyDTO);
+ entitlementPolicyAdminServiceStub.publishToPDP(new String[]{ServerSettings.getAuthorizationPoliyName()},
+ EntitlementConstants.PolicyPublish.ACTION_CREATE, null, false, 0);
+
+ //Since policy publishing happens asynchronously, we need to retrieve the status and verify.
+ Thread.sleep(2000);
+ PaginatedStatusHolder paginatedStatusHolder = entitlementPolicyAdminServiceStub.
+ getStatusData(EntitlementConstants.Status.ABOUT_POLICY, ServerSettings.getAuthorizationPoliyName(),
+ EntitlementConstants.StatusTypes.PUBLISH_POLICY, "*", 1);
+ StatusHolder statusHolder = paginatedStatusHolder.getStatusHolders()[0];
+ if (statusHolder.getSuccess() && EntitlementConstants.PolicyPublish.ACTION_CREATE.equals(statusHolder.getTargetAction())) {
+ logger.info("Authorization policy is published successfully.");
+ } else {
+ throw new AiravataSecurityException("Failed to publish the authorization policy.");
+ }
+
+ //enable the published policy
+ entitlementPolicyAdminServiceStub.enableDisablePolicy(ServerSettings.getAuthorizationPoliyName(), true);
+ //Since policy enabling happens asynchronously, we need to retrieve the status and verify.
+ Thread.sleep(2000);
+ paginatedStatusHolder = entitlementPolicyAdminServiceStub.
+ getStatusData(EntitlementConstants.Status.ABOUT_POLICY, ServerSettings.getAuthorizationPoliyName(),
+ EntitlementConstants.StatusTypes.PUBLISH_POLICY, "*", 1);
+ statusHolder = paginatedStatusHolder.getStatusHolders()[0];
+ if (statusHolder.getSuccess() && EntitlementConstants.PolicyPublish.ACTION_ENABLE.equals(statusHolder.getTargetAction())) {
+ logger.info("Authorization policy is enabled successfully.");
+ } else {
+ throw new AiravataSecurityException("Failed to enable the authorization policy.");
+ }
+ } catch (RemoteException e) {
+ logger.error(e.getMessage(), e);
+ } catch (InterruptedException e) {
+ logger.error(e.getMessage(), e);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ } catch (AiravataSecurityException e) {
+ logger.error(e.getMessage(), e);
+ } catch (EntitlementPolicyAdminServiceEntitlementException e) {
+ logger.error(e.getMessage(), e);
+ }
+ }
+ }.start();
+ }
+}
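Review bot: `addPolicy` declares `throws AiravataSecurityException` but never throws it: every failure inside the spawned `Thread` — including the two `throw new AiravataSecurityException(...)` lines for "Failed to publish" and "Failed to enable" — is caught and only logged at the bottom of `run()`, so `initializeSecurityInfra` returns normally and the server starts with security enabled even when no policy was published or enabled. Given the body already blocks on two `Thread.sleep(2000)` calls, running it synchronously on the caller's thread and letting the exception propagate looks like the simplest fix; if it must stay asynchronous, the signature should lose the `throws` and the outcome should be surfaced some other way. `import com.sun.corba.se.spi.activation.Server;` is unused and a JDK-internal package — remove it. The constructor's message `"Error initializing XACML PEP client."` belongs to `DefaultXACMLPEP`; here it should read `"Error initializing XACML PAP client."`, and `isPolicyAdded` reports any `RemoteException` (e.g. an unreachable authorization server) as "policy absent" at debug level, which then triggers an add attempt — at least log it at warn. The `InterruptedException` handlers should also call `Thread.currentThread().interrupt()`, and `getStatusHolders()[0]` presumably throws if the status array comes back empty — worth a length check.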
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
index b60069c..71ced3a 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
@@ -47,7 +47,8 @@ import java.rmi.RemoteException;
import java.util.Map;
/**
- * This enforces XACML based fine grained authorization on the API calls.
+ * This enforces XACML based fine grained authorization on the API calls, by authorizing the API calls
+ * through default PDP which is WSO2 Identity Server.
*/
public class DefaultXACMLPEP {
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
----------------------------------------------------------------------
diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
index 215a313..af8ca96 100644
--- a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
+++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
@@ -50,6 +50,8 @@ public final class Constants {
public static final String DENY = "Deny";
public static final String PERMIT = "Permit";
+ public static final String AUTHORIZATION_POLICY_NAME = "authorization.policy";
+
//Names of the attributes that could be passed in the AuthzToken's claims map.
public static final String USER_NAME = "userName";
public static final String EMAIL = "email";
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
----------------------------------------------------------------------
diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
index b898d96..d87da70 100644
--- a/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
+++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
@@ -269,7 +269,7 @@ public class ServerSettings extends ApplicationSettings {
return Boolean.valueOf(getSetting(Constants.IS_API_SECURED));
}
- public static String getRemoteOauthServerUrl() throws ApplicationSettingsException {
+ public static String getRemoteAuthzServerUrl() throws ApplicationSettingsException {
return getSetting(Constants.REMOTE_OAUTH_SERVER_URL);
}
@@ -281,6 +281,10 @@ public class ServerSettings extends ApplicationSettings {
return getSetting(Constants.ADMIN_PASSWORD);
}
+ public static String getAuthorizationPoliyName() throws ApplicationSettingsException{
+ return getSetting(Constants.AUTHORIZATION_POLICY_NAME);
+ }
+
public static String getZookeeperConnection() throws ApplicationSettingsException {
return getSetting(ZOOKEEPER_SERVER_CONNECTION, "localhost:2181");
}
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
index b0ca91e..a8fbf4c 100644
--- a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
+++ b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
@@ -1,4 +1,4 @@
-<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="airavata-policy"
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="airavata-default-xacml-policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Target/>
<Rule Effect="Permit" RuleId="admin-permit">
http://git-wip-us.apache.org/repos/asf/airavata/blob/59f4acda/modules/configuration/server/src/main/resources/airavata-server.properties
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-server.properties b/modules/configuration/server/src/main/resources/airavata-server.properties
index 0045935..58a42a3 100644
--- a/modules/configuration/server/src/main/resources/airavata-server.properties
+++ b/modules/configuration/server/src/main/resources/airavata-server.properties
@@ -237,5 +237,6 @@ keystore.password=airavata
trust.store=client_truststore.jks
trust.store.password=airavata
remote.oauth.authorization.server=https://localhost:9443/services/
+authorization.policy=airavata-default-xacml-policy
admin.user.name=admin
admin.password=admin
\ No newline at end of file
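Review bot: `authorization.policy=airavata-default-xacml-policy` is used in two different roles elsewhere in this commit — as the `PolicyId` that `DefaultPAPClient` looks up and publishes on the authorization server, and as the file name `<value>.xml` that `DefaultAiravataSecurityManager` reads relative to the JVM working directory — and neither is visible from the properties file. A comment above the line would capture that: `# name of the default XACML policy; must equal the PolicyId in <name>.xml, which is loaded from the server's working directory at startup when the API is secured`. The file still ends without a trailing newline (`\ No newline at end of file`), which this edit could have fixed in passing.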
[02/10] airavata git commit: adding some missing files from previous
commit.
adding some missing files from previous commit.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/7ef83689
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/7ef83689
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/7ef83689
Branch: refs/heads/master
Commit: 7ef83689624cf135234976b4abb2d3fd7b43499b
Parents: 6ec2a39
Author: hasinitg <ha...@gmail.com>
Authored: Fri Jul 31 17:13:46 2015 +0530
Committer: hasinitg <ha...@gmail.com>
Committed: Fri Jul 31 17:13:46 2015 +0530
----------------------------------------------------------------------
.../server/security/AiravataSecurityManager.java | 2 +-
.../security/DefaultAiravataSecurityManager.java | 2 +-
.../api/server/security/SecurityInterceptor.java | 18 +++++++++++++-----
3 files changed, 15 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/7ef83689/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
index 5937d3e..348675f 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
@@ -24,5 +24,5 @@ import org.apache.airavata.model.security.AuthzToken;
import org.apache.airavata.security.AiravataSecurityException;
public interface AiravataSecurityManager {
- public boolean isUserAuthenticatedAndAuthorized(AuthzToken authzToken) throws AiravataSecurityException;
+ public boolean isUserAuthorized(AuthzToken authzToken) throws AiravataSecurityException;
}
http://git-wip-us.apache.org/repos/asf/airavata/blob/7ef83689/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
index 739a1ec..9d7c959 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
@@ -37,7 +37,7 @@ import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO
public class DefaultAiravataSecurityManager implements AiravataSecurityManager {
private final static Logger logger = LoggerFactory.getLogger(DefaultAiravataSecurityManager.class);
- public boolean isUserAuthenticatedAndAuthorized(AuthzToken authzToken) throws AiravataSecurityException {
+ public boolean isUserAuthorized(AuthzToken authzToken) throws AiravataSecurityException {
try {
ConfigurationContext configContext =
ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
http://git-wip-us.apache.org/repos/asf/airavata/blob/7ef83689/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
index ac89092..cf8f7e2 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
@@ -28,7 +28,6 @@ import org.apache.airavata.model.security.AuthzToken;
import org.apache.airavata.security.AiravataSecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.util.Arrays;
/**
* Interceptor of Airavata API calls for the purpose of applying security.
@@ -37,17 +36,26 @@ public class SecurityInterceptor implements MethodInterceptor{
private final static Logger logger = LoggerFactory.getLogger(SecurityInterceptor.class);
@Override
public Object invoke(MethodInvocation invocation) throws Throwable {
- authenticateNAuthorize((AuthzToken) invocation.getArguments()[0]);
- return invocation.proceed();
+ //obtain the authz token from the input parameters
+ AuthzToken authzToken = (AuthzToken) invocation.getArguments()[0];
+ //authorize the API call
+ authorize(authzToken);
+ //set the user identity info in a thread local to be used in downstream execution.
+ IdentityContext.set(authzToken);
+ //let the method call procees upon successful authorization
+ Object returnObj = invocation.proceed();
+ //clean the identity context before the method call returns
+ IdentityContext.unset();
+ return returnObj;
}
- private void authenticateNAuthorize(AuthzToken authzToken) throws AuthorizationException {
+ private void authorize(AuthzToken authzToken) throws AuthorizationException {
try {
boolean isAPISecured = ServerSettings.isAPISecured();
if (isAPISecured) {
AiravataSecurityManager securityManager = SecurityManagerFactory.getSecurityManager();
- boolean isAuthz = securityManager.isUserAuthenticatedAndAuthorized(authzToken);
+ boolean isAuthz = securityManager.isUserAuthorized(authzToken);
if (!isAuthz) {
throw new AuthorizationException("User is not authenticated or authorized.");
}
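Review bot: `IdentityContext.unset()` after `invocation.proceed()` is skipped whenever the invoked API method throws, so the caller's identity stays bound to the thread-local past the failed call and, on a pooled request thread, is readable by whatever runs there next until the following `IdentityContext.set`. Put the proceed in a try/finally so the context is cleared on every exit path. Note also that `IdentityContext.set(authzToken)` runs even when `authorize` took the unsecured branch (`isAPISecured` false), so downstream code then sees an unvalidated token as the identity; if that is intended, say so in the comment. `authorize` continues past the end of the hunk.
```java
authorize(authzToken);
//set the user identity info in a thread local to be used in downstream execution.
IdentityContext.set(authzToken);
try {
    //let the method call proceed upon successful authorization
    return invocation.proceed();
} finally {
    //clear the identity context on every exit path, including exceptions
    IdentityContext.unset();
}
```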
[04/10] airavata git commit: adding XACML based fine grained
authorization on API calls.
Posted by sm...@apache.org.
adding XACML based fine grained authorization on API calls.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/d3ac7ceb
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/d3ac7ceb
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/d3ac7ceb
Branch: refs/heads/master
Commit: d3ac7ceb611b3ed853e828c8492927020aacc72a
Parents: 9c02f24
Author: hasinitg <ha...@gmail.com>
Authored: Sat Aug 1 16:01:13 2015 +0530
Committer: hasinitg <ha...@gmail.com>
Committed: Sat Aug 1 16:01:13 2015 +0530
----------------------------------------------------------------------
.../api/server/security/DefaultXACMLPEP.java | 54 +++++++++++++++++---
.../server/security/SecurityInterceptor.java | 1 -
distribution/src/main/assembly/bin-assembly.xml | 1 +
.../apache/airavata/common/utils/Constants.java | 6 +++
.../resources/airavata-default-xacml-policy.xml | 33 +++++++-----
.../airavata/secure/sample/SecureClient.java | 5 +-
6 files changed, 79 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
index 371b35d..e61904c 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
@@ -27,10 +27,21 @@ import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub;
import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException;
import org.wso2.carbon.utils.CarbonUtils;
+import org.xml.sax.SAXException;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.util.Map;
@@ -71,10 +82,15 @@ public class DefaultXACMLPEP {
String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
String decisionString = entitlementServiceStub.getDecisionByAttributes(subject, null, action, null);
//parse the XML decision string and obtain the decision
-
- if ("NotApplicable".equals(decision) || "Indeterminate".equals(decision) || decision == null) {
- logger.error("Authorization Decision is: " + decision);
+ decision = parseDecisionString(decisionString);
+ if (Constants.NOT_APPLICABLE.equals(decision) || Constants.INDETERMINATE.equals(decision) ||
+ Constants.DENY.equals(decision) || decision == null) {
+ logger.error("Authorization decision is: " + decision);
throw new AiravataSecurityException("Error in authorizing the user.");
+ } else if (Constants.PERMIT.equals(decision)) {
+ return true;
+ } else {
+ return false;
}
} catch (RemoteException e) {
logger.error(e.getMessage(), e);
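Review bot: A policy `Deny` at `Constants.DENY.equals(decision)` is handled exactly like `NotApplicable`/`Indeterminate`: logged at error level and thrown as "Error in authorizing the user.", so the caller cannot tell a deliberate policy denial from a PDP or policy misconfiguration, and every denied call appears as an error in the log. Since the method already has a boolean contract, let `Deny` return `false` and keep the exception for the two indeterminate outcomes, e.g. `} else if (Constants.DENY.equals(decision)) { logger.warn("Authorization denied for action: " + action); return false; }`. The trailing `else { return false; }` for an unrecognised decision string is a sensible fail-closed default but should log the unexpected value. The surrounding try/catch continues outside the hunk.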
@@ -83,10 +99,36 @@ public class DefaultXACMLPEP {
logger.error(e.getMessage(), e);
throw new AiravataSecurityException("Error in authorizing the user.");
}
- return Boolean.valueOf(decision);
}
- private String parseDecisionString(String decisionString) {
-
+ /**
+ * This parses the XML based authorization response by the PDP and returns the decision string.
+ *
+ * @param decisionString
+ * @return
+ * @throws AiravataSecurityException
+ */
+ private String parseDecisionString(String decisionString) throws AiravataSecurityException {
+ try {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
+ Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
+ Node resultNode = doc.getDocumentElement().getFirstChild();
+ Node decisionNode = resultNode.getFirstChild();
+ String decision = decisionNode.getTextContent();
+ return decision;
+ } catch (ParserConfigurationException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (UnsupportedEncodingException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (SAXException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (IOException e) {
+ logger.error("Error in parsing XACML authorization response.");
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ }
}
}
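Review bot: `parseDecisionString` parses the PDP's response with a `DocumentBuilderFactory.newInstance()` left at its defaults, so DTD processing and external entity expansion are enabled on data that arrives over the network from the entitlement service; harden the factory before `newDocumentBuilder()` (both feature names below are standard JAXP/Xerces names; `javax.xml.XMLConstants` needs importing). The decision is also located by position, `getDocumentElement().getFirstChild().getFirstChild()`, which yields a whitespace text node as soon as the PDP pretty-prints the response, producing an empty decision or a `NullPointerException` rather than `Permit`; looking the element up by name and trimming is sturdier (assuming unprefixed element names, otherwise enable namespace awareness and use `getElementsByTagNameNS`). Finally, the `IOException` branch logs without the exception object, unlike its siblings. The class ends at this hunk's closing brace.
```java
private String parseDecisionString(String decisionString) throws AiravataSecurityException {
    try {
        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
        // the PDP response arrives over the network: no DTDs, no entity expansion
        docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        docBuilderFactory.setExpandEntityReferences(false);
        InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
        Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
        // locate <Decision> by name; positional getFirstChild() breaks on pretty-printed XML
        NodeList decisions = doc.getElementsByTagName("Decision");
        if (decisions.getLength() != 1) {
            throw new AiravataSecurityException("Unexpected XACML authorization response.");
        }
        return decisions.item(0).getTextContent().trim();
    } catch (ParserConfigurationException e) {
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException("Error in parsing XACML authorization response.");
    // … unchanged: UnsupportedEncodingException, SAXException and IOException clauses …
```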
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
index ff47e5a..1f9cd90 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
@@ -45,7 +45,6 @@ public class SecurityInterceptor implements MethodInterceptor {
//obtain the authz token from the input parameters
AuthzToken authzToken = (AuthzToken) invocation.getArguments()[0];
//authorize the API call
- System.out.println("METHOD NAME: " + invocation.getMethod().getName());
HashMap<String, String> metaDataMap = new HashMap();
metaDataMap.put(Constants.API_METHOD_NAME, invocation.getMethod().getName());
authorize(authzToken, metaDataMap);
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/distribution/src/main/assembly/bin-assembly.xml
----------------------------------------------------------------------
diff --git a/distribution/src/main/assembly/bin-assembly.xml b/distribution/src/main/assembly/bin-assembly.xml
index c00c2e2..e399291 100644
--- a/distribution/src/main/assembly/bin-assembly.xml
+++ b/distribution/src/main/assembly/bin-assembly.xml
@@ -105,6 +105,7 @@
<include>gsissh.properties</include>
<include>airavata.jks</include>
<include>client_truststore.jks</include>
+ <include>airavata-default-xacml-policy.xml</include>
</includes>
</fileSet>
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
----------------------------------------------------------------------
diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
index e373316..215a313 100644
--- a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
+++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
@@ -44,6 +44,12 @@ public final class Constants {
public static final String TLS_CLIENT_TIMEOUT = "TLS.client.timeout";
public static final String API_METHOD_NAME = "api.method.name";
+ //constants in XACML authorization response.
+ public static final String NOT_APPLICABLE = "NotApplicable";
+ public static final String INDETERMINATE = "Indeterminate";
+ public static final String DENY = "Deny";
+ public static final String PERMIT = "Permit";
+
//Names of the attributes that could be passed in the AuthzToken's claims map.
public static final String USER_NAME = "userName";
public static final String EMAIL = "email";
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
index 7aa42fe..ab3208d 100644
--- a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
+++ b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
@@ -1,4 +1,4 @@
-<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="airavata-policy-uploaded"
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="airavata-policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Target/>
<Rule Effect="Permit" RuleId="admin-permit">
@@ -29,18 +29,25 @@
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?:(?!
- /airavata/addGateway|
- /airavata/deleteteway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/getExperimentStatistics).)*$\r?\n?
- </AttributeValue>
+/airavata/addGateway|
+/airavata/deleteteway|
+/airavata/updateGateway|
+/airavata/registerApplicationModule|
+/airavata/deleteApplicationModule|
+/airavata/getAllApplicationInterfaces|
+/airavata/updateApplicationInterface|
+/airavata/deleteApplicationInterface|
+/airavata/getAllComputeResourceNames|
+/airavata/getAllApplicationDeployments|
+/airavata/updateApplicationDeployment|
+/airavata/registerApplicationDeployment|
+/airavata/deleteApplicationDeployment|
+/airavata/getAllAppModules|
+/airavata/getApplicationInterface|
+/airavata/getApplicationInputs|
+/airavata/getApplicationOutputs|
+/airavata/getExperimentStatistics).)*$\r?\n?
+</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
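Review bot: The deny-list regex in this `<AttributeValue>` is split across lines, so each alternative inside the negative lookahead begins with a literal newline (`\n/airavata/addGateway`, `\n/airavata/deleteteway`, ...); an action-id such as `/airavata/addGateway` contains no newline, so unless the PDP normalises whitespace in string values the lookahead never fires and this rule permits every action it was meant to exclude. Keep the entire pattern on one line inside the element, and while there fix the typo `deleteteway` (presumably `deleteGateway`) and drop the dead `\r?\n?` after `$`. The `<Rule>` this target belongs to starts and ends outside the hunk.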
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
----------------------------------------------------------------------
diff --git a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
index 36b1783..ac34c18 100644
--- a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
+++ b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
@@ -151,6 +151,9 @@ public class SecureClient {
}
} else if (grantType == 2) {
System.out.println("Obtaining OAuth access token via 'Client Credential' grant type...' grant type....");
+ System.out.println("Please enter the user name to be passed: ");
+ String userNameInput = scanner.next();
+ userName = userNameInput.trim();
}
/***************************** Finish obtaining input from user*******************************************/
@@ -176,7 +179,7 @@ public class SecureClient {
AuthzToken authzToken = new AuthzToken();
authzToken.setAccessToken(acTk);
Map<String, String> claimsMap = new HashMap<>();
- claimsMap.put("userName", "hasinitg");
+ claimsMap.put("userName", userName);
claimsMap.put("email", "hasini@gmail.com");
authzToken.setClaimsMap(claimsMap);
String version = client.getAPIVersion(authzToken);
[03/10] airavata git commit: adding XACML based authorization for API
calls.
Posted by sm...@apache.org.
adding XACML based authorization for API calls.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/9c02f24d
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/9c02f24d
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/9c02f24d
Branch: refs/heads/master
Commit: 9c02f24d99c139b7dcc38b6fcddd17dd935c8e73
Parents: 7ef8368
Author: hasinitg <ha...@gmail.com>
Authored: Sat Aug 1 01:19:34 2015 +0530
Committer: hasinitg <ha...@gmail.com>
Committed: Sat Aug 1 01:19:34 2015 +0530
----------------------------------------------------------------------
airavata-api/airavata-api-server/pom.xml | 8 +-
.../security/AiravataSecurityManager.java | 4 +-
.../DefaultAiravataSecurityManager.java | 21 ++++-
.../api/server/security/DefaultOAuthClient.java | 55 +++---------
.../api/server/security/DefaultXACMLPEP.java | 92 ++++++++++++++++++++
.../server/security/SecurityInterceptor.java | 17 +++-
.../apache/airavata/common/utils/Constants.java | 6 ++
.../resources/airavata-default-xacml-policy.xml | 62 +++++++++++++
8 files changed, 211 insertions(+), 54 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/9c02f24d/airavata-api/airavata-api-server/pom.xml
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/pom.xml b/airavata-api/airavata-api-server/pom.xml
index 7cd0f3b..543bbaa 100644
--- a/airavata-api/airavata-api-server/pom.xml
+++ b/airavata-api/airavata-api-server/pom.xml
@@ -8,7 +8,8 @@
ANY ~ KIND, either express or implied. See the License for the specific language governing permissions and limitations under
the License. -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
@@ -107,6 +108,11 @@
<version>4.2.0</version>
</dependency>
<dependency>
+ <groupId>org.wso2.carbon</groupId>
+ <artifactId>org.wso2.carbon.identity.entitlement.stub</artifactId>
+ <version>4.2.1</version>
+ </dependency>
+ <dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
<version>4.0</version>
http://git-wip-us.apache.org/repos/asf/airavata/blob/9c02f24d/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
index 348675f..37c348c 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/AiravataSecurityManager.java
@@ -23,6 +23,8 @@ package org.apache.airavata.api.server.security;
import org.apache.airavata.model.security.AuthzToken;
import org.apache.airavata.security.AiravataSecurityException;
+import java.util.Map;
+
public interface AiravataSecurityManager {
- public boolean isUserAuthorized(AuthzToken authzToken) throws AiravataSecurityException;
+ public boolean isUserAuthorized(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException;
}
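Review bot: The new `metaData` parameter on `isUserAuthorized` is undocumented, and nothing at the interface says which keys a caller must supply; the only implementation on this page reads `Constants.API_METHOD_NAME` from it. Add a Javadoc on the method naming that key, what the returned boolean means, and when `AiravataSecurityException` is thrown instead, so alternate implementations agree with `DefaultAiravataSecurityManager`. Minor: `public` on interface members is redundant.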
http://git-wip-us.apache.org/repos/asf/airavata/blob/9c02f24d/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
index 9d7c959..6230310 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
@@ -24,6 +24,7 @@ import org.apache.airavata.common.exception.ApplicationSettingsException;
import org.apache.airavata.common.utils.ServerSettings;
import org.apache.airavata.model.security.AuthzToken;
import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.airavata.security.util.TrustStoreManager;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
@@ -31,22 +32,36 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO;
+import java.util.Map;
+
/**
* This enforces authentication and authorization on Airavata API calls.
*/
public class DefaultAiravataSecurityManager implements AiravataSecurityManager {
private final static Logger logger = LoggerFactory.getLogger(DefaultAiravataSecurityManager.class);
- public boolean isUserAuthorized(AuthzToken authzToken) throws AiravataSecurityException {
+ public boolean isUserAuthorized(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
try {
ConfigurationContext configContext =
ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
- //TODO:read following properties from server-settings.properties file.
+
+ //initialize SSL context with the trust store that contains the public cert of WSO2 Identity Server.
+ TrustStoreManager trustStoreManager = new TrustStoreManager();
+ trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(),
+ ServerSettings.getTrustStorePassword());
+
DefaultOAuthClient oauthClient = new DefaultOAuthClient(ServerSettings.getRemoteOauthServerUrl(),
ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
OAuth2TokenValidationResponseDTO validationResponse = oauthClient.validateAccessToken(
authzToken.getAccessToken());
- return validationResponse.getValid();
+ boolean isOAuthTokenValid = validationResponse.getValid();
+ //if XACML based authorization is enabled, check for role based authorization for the API invocation
+ DefaultXACMLPEP entitlementClient = new DefaultXACMLPEP(ServerSettings.getRemoteOauthServerUrl(),
+ ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
+ boolean authorizationDecision = entitlementClient.getAuthorizationDecision(authzToken, metaData);
+
+ return (isOAuthTokenValid && authorizationDecision);
+
} catch (AxisFault axisFault) {
logger.error(axisFault.getMessage(), axisFault);
throw new AiravataSecurityException("Error in initializing the configuration context for creating the OAuth validation client.");
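Review bot: The XACML subject is not tied to the validated token: `entitlementClient.getAuthorizationDecision(authzToken, metaData)` lets the PEP read the subject from `authzToken.getClaimsMap().get(Constants.USER_NAME)` (DefaultXACMLPEP hunk further down), a value the client sets itself — the `SecureClient` hunk on this page prompts the user to type it — while `validationResponse` contributes only the `getValid()` boolean. Any holder of a valid token can therefore choose the subject the policy evaluates, including one matched by the `admin` rule, so the subject should come from the identity the authorization server reports for the token (or the claim should be checked against it) before the PDP is consulted. Independently, the PDP is called even when `isOAuthTokenValid` is false; short-circuit with `if (!isOAuthTokenValid) { return false; }` right after `getValid()`, and either implement the check the comment "if XACML based authorization is enabled" promises or reword it, since the call is unconditional. The try block's catch clauses continue outside the hunk.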
http://git-wip-us.apache.org/repos/asf/airavata/blob/9c02f24d/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultOAuthClient.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultOAuthClient.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultOAuthClient.java
index 7996474..e1afacd 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultOAuthClient.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultOAuthClient.java
@@ -58,47 +58,14 @@ public class DefaultOAuthClient {
*/
public DefaultOAuthClient(String auhorizationServerURL, String username, String password,
ConfigurationContext configCtx) throws AiravataSecurityException {
- String serviceURL = auhorizationServerURL + "OAuth2TokenValidationService";
try {
+ String serviceURL = auhorizationServerURL + "OAuth2TokenValidationService";
stub = new OAuth2TokenValidationServiceStub(configCtx, serviceURL);
CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, stub._getServiceClient());
} catch (AxisFault e) {
logger.error(e.getMessage(), e);
throw new AiravataSecurityException("Error initializing OAuth client.");
}
- /*//TODO:Import the WSO2 IS cert into Airavata trust store.
- try {
- // Get SSL context
- SSLContext sc = SSLContext.getInstance("SSL");
-
- // Create empty HostnameVerifier
- HostnameVerifier hv = new HostnameVerifier() {
- public boolean verify(String urlHostName, SSLSession session) {
- return true;
- }
- };
- HttpsURLConnection.setDefaultHostnameVerifier(hv);
-
- // Create a trust manager that does not validate certificate chains
- TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
- public java.security.cert.X509Certificate[] getAcceptedIssuers() {
- return null;
- }
-
- public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
- String authType) {
- }
-
- public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
- String authType) {
- }
- }};
-
- sc.init(null, trustAllCerts, new java.security.SecureRandom());
- SSLContext.setDefault(sc);
- } catch (Exception e) {
- e.printStackTrace();
- }*/
}
/**
@@ -110,24 +77,22 @@ public class DefaultOAuthClient {
*/
public OAuth2TokenValidationResponseDTO validateAccessToken(String accessToken)
throws AiravataSecurityException {
- OAuth2TokenValidationRequestDTO oauthReq = new OAuth2TokenValidationRequestDTO();
- OAuth2TokenValidationRequestDTO_OAuth2AccessToken token =
- new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
- token.setIdentifier(accessToken);
- token.setTokenType(BEARER_TOKEN_TYPE);
- oauthReq.setAccessToken(token);
+
try {
- //initialize SSL context with the trust store.
- TrustStoreManager trustStoreManager = new TrustStoreManager();
- trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(), ServerSettings.getTrustStorePassword());
+ OAuth2TokenValidationRequestDTO oauthReq = new OAuth2TokenValidationRequestDTO();
+ OAuth2TokenValidationRequestDTO_OAuth2AccessToken token =
+ new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
+ token.setIdentifier(accessToken);
+ token.setTokenType(BEARER_TOKEN_TYPE);
+ oauthReq.setAccessToken(token);
return stub.validate(oauthReq);
} catch (RemoteException e) {
logger.error(e.getMessage(), e);
throw new AiravataSecurityException("Error in validating the OAuth access token.");
- } catch (ApplicationSettingsException e) {
+ } /*catch (ApplicationSettingsException e) {
logger.error(e.getMessage(), e);
throw new AiravataSecurityException("Error in reading OAuth configuration.");
- }
+ }*/
}
}
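Review bot: The `ApplicationSettingsException` catch at the end of `validateAccessToken` is left as commented-out code (`} /*catch ... }*/`) instead of being deleted now that the settings lookups moved out of this method; remove it, version control keeps the history. Since the trust-store initialisation also moved to `DefaultAiravataSecurityManager`, this method now silently depends on the caller having set up the SSL context first; the Javadoc above the method (outside the hunk) should state that precondition, and the constructor in the previous hunk inherits the same assumption.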
http://git-wip-us.apache.org/repos/asf/airavata/blob/9c02f24d/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
new file mode 100644
index 0000000..371b35d
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
@@ -0,0 +1,92 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security;
+
+import org.apache.airavata.common.utils.Constants;
+import org.apache.airavata.model.security.AuthzToken;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.ConfigurationContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException;
+import org.wso2.carbon.utils.CarbonUtils;
+
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+import java.util.Map;
+
+/**
+ * This enforces XACML based fine grained authorization on the API calls.
+ */
+public class DefaultXACMLPEP {
+
+ private final static Logger logger = LoggerFactory.getLogger(DefaultXACMLPEP.class);
+ private EntitlementServiceStub entitlementServiceStub;
+
+ public DefaultXACMLPEP(String auhorizationServerURL, String username, String password,
+ ConfigurationContext configCtx) throws AiravataSecurityException {
+ try {
+
+ String PDPURL = auhorizationServerURL + "EntitlementService";
+ entitlementServiceStub = new EntitlementServiceStub(configCtx, PDPURL);
+ CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, entitlementServiceStub._getServiceClient());
+ } catch (AxisFault e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error initializing XACML PEP client.");
+ }
+
+ }
+
+ /**
+ * Send the XACML authorization request to XAML PDP and return the authorization decision.
+ *
+ * @param authzToken
+ * @param metaData
+ * @return
+ */
+ public boolean getAuthorizationDecision(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
+ String decision;
+ try {
+ String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
+ String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
+ String decisionString = entitlementServiceStub.getDecisionByAttributes(subject, null, action, null);
+ //parse the XML decision string and obtain the decision
+
+ if ("NotApplicable".equals(decision) || "Indeterminate".equals(decision) || decision == null) {
+ logger.error("Authorization Decision is: " + decision);
+ throw new AiravataSecurityException("Error in authorizing the user.");
+ }
+ } catch (RemoteException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in authorizing the user.");
+ } catch (EntitlementServiceException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in authorizing the user.");
+ }
+ return Boolean.valueOf(decision);
+ }
+
+ private String parseDecisionString(String decisionString) {
+
+ }
+}
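Review bot: `getAuthorizationDecision` dereferences `authzToken.getClaimsMap()` without a null check and only catches `RemoteException`/`EntitlementServiceException`, so a token without a claims map surfaces from the interceptor as a raw `NullPointerException` instead of an `AiravataSecurityException`; guard it, e.g. `if (authzToken.getClaimsMap() == null || authzToken.getClaimsMap().get(Constants.USER_NAME) == null) { throw new AiravataSecurityException("Subject missing from the AuthzToken claims."); }`. The Javadoc lists `@param`/`@return` without text and omits `@throws AiravataSecurityException`; fill them in, stating that the subject is taken from the `userName` claim and the action from `API_METHOD_NAME`. Style: the local `PDPURL` should be `pdpUrl`, and the stray blank line after `try {` in the constructor can go. The unassigned `decision` and empty `parseDecisionString` here are completed by d3ac7ceb above.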
http://git-wip-us.apache.org/repos/asf/airavata/blob/9c02f24d/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
index cf8f7e2..ff47e5a 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
@@ -19,9 +19,11 @@
*
*/
package org.apache.airavata.api.server.security;
+
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.Constants;
import org.apache.airavata.common.utils.ServerSettings;
import org.apache.airavata.model.error.AuthorizationException;
import org.apache.airavata.model.security.AuthzToken;
@@ -29,17 +31,24 @@ import org.apache.airavata.security.AiravataSecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.util.HashMap;
+import java.util.Map;
+
/**
* Interceptor of Airavata API calls for the purpose of applying security.
*/
-public class SecurityInterceptor implements MethodInterceptor{
+public class SecurityInterceptor implements MethodInterceptor {
private final static Logger logger = LoggerFactory.getLogger(SecurityInterceptor.class);
+
@Override
public Object invoke(MethodInvocation invocation) throws Throwable {
//obtain the authz token from the input parameters
AuthzToken authzToken = (AuthzToken) invocation.getArguments()[0];
//authorize the API call
- authorize(authzToken);
+ System.out.println("METHOD NAME: " + invocation.getMethod().getName());
+ HashMap<String, String> metaDataMap = new HashMap();
+ metaDataMap.put(Constants.API_METHOD_NAME, invocation.getMethod().getName());
+ authorize(authzToken, metaDataMap);
//set the user identity info in a thread local to be used in downstream execution.
IdentityContext.set(authzToken);
//let the method call procees upon successful authorization
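Review bot: `HashMap<String, String> metaDataMap = new HashMap();` uses a raw constructor (unchecked warning) and declares the concrete type although `java.util.Map` is imported in this same hunk; write `Map<String, String> metaDataMap = new HashMap<>();`. `invoke` continues past the end of the hunk.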
@@ -49,13 +58,13 @@ public class SecurityInterceptor implements MethodInterceptor{
return returnObj;
}
- private void authorize(AuthzToken authzToken) throws AuthorizationException {
+ private void authorize(AuthzToken authzToken, Map<String, String> metaData) throws AuthorizationException {
try {
boolean isAPISecured = ServerSettings.isAPISecured();
if (isAPISecured) {
AiravataSecurityManager securityManager = SecurityManagerFactory.getSecurityManager();
- boolean isAuthz = securityManager.isUserAuthorized(authzToken);
+ boolean isAuthz = securityManager.isUserAuthorized(authzToken, metaData);
if (!isAuthz) {
throw new AuthorizationException("User is not authenticated or authorized.");
}
http://git-wip-us.apache.org/repos/asf/airavata/blob/9c02f24d/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
----------------------------------------------------------------------
diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
index a2d032f..e373316 100644
--- a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
+++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
@@ -42,4 +42,10 @@ public final class Constants {
public static final String KEYSTORE_PATH = "keystore.path";
public static final String KEYSTORE_PASSWORD = "keystore.password";
public static final String TLS_CLIENT_TIMEOUT = "TLS.client.timeout";
+ public static final String API_METHOD_NAME = "api.method.name";
+
+ //Names of the attributes that could be passed in the AuthzToken's claims map.
+ public static final String USER_NAME = "userName";
+ public static final String EMAIL = "email";
+ public static final String ROLE = "role";
}
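Review bot: The comment above `USER_NAME` describes claim names carried in the AuthzToken's claims map, but `API_METHOD_NAME` just above it is not a claim: it is the key of the metadata map handed to `AiravataSecurityManager.isUserAuthorized` by the interceptor. A one-line comment on that constant, e.g. `//Key of the metadata map passed to isUserAuthorized(): the name of the invoked API method, used as the XACML action-id.`, would keep the two kinds of keys from being conflated by the next reader.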
http://git-wip-us.apache.org/repos/asf/airavata/blob/9c02f24d/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
new file mode 100644
index 0000000..7aa42fe
--- /dev/null
+++ b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
@@ -0,0 +1,62 @@
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="airavata-policy-uploaded"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
+ <Target/>
+ <Rule Effect="Permit" RuleId="admin-permit">
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/airavata/*</AttributeValue>
+ <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
+ <AttributeDesignator AttributeId="http://wso2.org/claims/role"
+ Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule Effect="Permit" RuleId="user-permit">
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?:(?!
+ /airavata/addGateway|
+ /airavata/deleteteway|
+ /airavata/updateGateway|
+ /airavata/updateGateway|
+ /airavata/updateGateway|
+ /airavata/updateGateway|
+ /airavata/updateGateway|
+ /airavata/updateGateway|
+ /airavata/updateGateway|
+ /airavata/updateGateway|
+ /airavata/getExperimentStatistics).)*$\r?\n?
+ </AttributeValue>
+ <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/everyone</AttributeValue>
+ <AttributeDesignator AttributeId="http://wso2.org/claims/role"
+ Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule Effect="Deny" RuleId="deny-rule"/>
+</Policy>
+
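Review bot: `/airavata/deleteteway` in the user-permit exclusion list is a typo for `/airavata/deleteGateway`, so that action is not excluded and the rule permits it to every subject holding the `Internal/everyone` role; the eight consecutive `/airavata/updateGateway` entries below it look like placeholder duplicates that should be replaced by the method names actually intended. The exclusion is an unanchored negative-lookahead regex whose literal spans several lines, so the line breaks and indentation appear to be part of each alternative; unless the PDP normalizes whitespace in the AttributeValue, no alternative would match a plain action name such as `/airavata/addGateway` and the rule would permit everything, which a test request for a deny-listed action against the deployed policy would confirm either way. A deny-list also means every API method added later is permitted by default; an explicit per-role allow-list, or `string-equal` matches on exact action ids, fails closed instead. Depending on whether the engine treats the pattern as an anchored XML-Schema regex or a Java regex, `/airavata/*` in admin-permit matches `/airavata` followed by any number of slashes rather than any sub-path, and `/airavata/.*` is probably what was meant.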
[06/10] airavata git commit: updated the default-xacml-policy with a
new rule for admin-read-only role,
finished identifying including all admin methods in the policy and updated the
sample client to demonstrate the latest updates to the authorization po
updated the default-xacml-policy with a new rule for the admin-read-only role, finished identifying and including all admin methods in the policy, and updated the sample client to demonstrate the latest updates to the authorization policy.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/c3652607
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/c3652607
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/c3652607
Branch: refs/heads/master
Commit: c3652607aff77da6dc4dd6ab039ada78aa836c79
Parents: 4226a2d
Author: hasinitg <ha...@gmail.com>
Authored: Wed Aug 5 14:04:41 2015 +0530
Committer: hasinitg <ha...@gmail.com>
Committed: Wed Aug 5 14:04:41 2015 +0530
----------------------------------------------------------------------
.../resources/airavata-default-xacml-policy.xml | 98 +++++++++++++++++++-
.../airavata/secure/sample/SecureClient.java | 18 +++-
2 files changed, 113 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/c3652607/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
index ab3208d..b0ca91e 100644
--- a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
+++ b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
@@ -23,6 +23,64 @@
</Apply>
</Condition>
</Rule>
+ <Rule Effect="Permit" RuleId="admin-read-only-permit">
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?:(?!
+/airavata/addGateway|
+/airavata/deleteteway|
+/airavata/updateGateway|
+/airavata/registerApplicationModule|
+/airavata/deleteApplicationModule|
+/airavata/updateApplicationInterface|
+/airavata/deleteApplicationInterface|
+/airavata/updateApplicationDeployment|
+/airavata/registerApplicationDeployment|
+/airavata/deleteApplicationDeployment|
+/airavata/updateComputeResource|
+/airavata/registerComputeResource|
+/airavata/deleteBatchQueue|
+/airavata/updateResourceJobManager|
+/airavata/addLocalSubmissionDetails|
+/airavata/updateResourceJobManager|
+/airavaa/updateSSHJobSubmissionDetails|
+/airavata/addSSHJobSubmissionDetails|
+/airavata/updateUnicoreJobSubmissionDetails|
+/airavata/addUNICOREJobSubmissionDetails|
+/airavata/addLocalDataMovementDetails|
+/airavata/updateSCPDataMovementDetails|
+/airavata/addSCPDataMovementDetails|
+/airavata/updateGridFTPDataMovementDetails|
+/airavata/addGridFTPDataMovementDetails|
+/airavata/updateUnicoreDataMovementDetails|
+/airavata/addUnicoreDataMovementDetails|
+/airavata/deleteJobSubmissionInterface|
+/airavata/deleteDataMovementInterface|
+/airavata/deleteComputeResource|
+/airavata/updateGatewayResourceProfile|
+/airavata/registerGatewayResourceProfile|
+/airavata/addGatewayComputeResourcePreference|
+/airavata/deleteGatewayResourceProfile|
+/airavata/deleteGatewayComputeResourcePreference).)*$\r?\n?
+</AttributeValue>
+ <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_read_only</AttributeValue>
+ <AttributeDesignator AttributeId="http://wso2.org/claims/role"
+ Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ </Condition>
+ </Rule>
<Rule Effect="Permit" RuleId="user-permit">
<Target>
<AnyOf>
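Review bot: The new admin-read-only exclusion list repeats the `/airavata/deleteteway` typo and adds `/airavaa/updateSSHJobSubmissionDetails` (missing "t" in airavata), so `deleteGateway` and `updateSSHJobSubmissionDetails` are not excluded and remain permitted to the `admin_read_only` role; `/airavata/updateResourceJobManager` is also listed twice. The same two misspellings and the same duplicate appear in the user-permit hunk below (`@@ -46,7 +105,44 @@`), where `Internal/everyone` is affected. Because both rules grant everything and then carve out mutating methods by regex, each misspelling silently widens the grant and every future write method must be remembered here; an allow-list of read methods for the read-only role would fail closed, and a unit test that evaluates the policy for each excluded action id would catch typos like these before deployment.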
@@ -30,6 +88,7 @@
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?:(?!
/airavata/addGateway|
+/airavata/getExperimentStatistics|
/airavata/deleteteway|
/airavata/updateGateway|
/airavata/registerApplicationModule|
@@ -46,7 +105,44 @@
/airavata/getApplicationInterface|
/airavata/getApplicationInputs|
/airavata/getApplicationOutputs|
-/airavata/getExperimentStatistics).)*$\r?\n?
+/airavata/updateComputeResource|
+/airavata/getComputeResource|
+/airavata/registerComputeResource|
+/airavata/deleteBatchQueue|
+/airavata/getLocalJobSubmission|
+/airavata/updateResourceJobManager|
+/airavata/addLocalSubmissionDetails|
+/airavata/getSSHJobSubmission|
+/airavata/updateResourceJobManager|
+/airavata/getresourceJobManager|
+/airavaa/updateSSHJobSubmissionDetails|
+/airavata/addSSHJobSubmissionDetails|
+/airavata/getUnicoreJobSubmission|
+/airavata/updateUnicoreJobSubmissionDetails|
+/airavata/addUNICOREJobSubmissionDetails|
+/airavata/addLocalDataMovementDetails|
+/airavata/updateSCPDataMovementDetails|
+/airavata/addSCPDataMovementDetails|
+/airavata/updateGridFTPDataMovementDetails|
+/airavata/addGridFTPDataMovementDetails|
+/airavata/updateUnicoreDataMovementDetails|
+/airavata/addUnicoreDataMovementDetails|
+/airavata/getCloudJobSubmission|
+/airavata/getSCPDataMovement|
+/airavata/getGridFTPDataMovement|
+/airavata/getUnicoreDataMovement|
+/airavata/deleteJobSubmissionInterface|
+/airavata/deleteDataMovementInterface|
+/airavata/deleteComputeResource|
+/airavata/updateGatewayResourceProfile|
+/airavata/registerGatewayResourceProfile|
+/airavata/getAllGateways|
+/airavata/getGateway|
+/airavata/getAllGatewayComputeResources|
+/airavata/addGatewayComputeResourcePreference|
+/airavata/deleteGatewayResourceProfile|
+/airavata/deleteGatewayComputeResourcePreference|
+/airavata/getAvailableAppInterfaceComputeResources).)*$\r?\n?
</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
http://git-wip-us.apache.org/repos/asf/airavata/blob/c3652607/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
----------------------------------------------------------------------
diff --git a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
index 890aa99..992d17d 100644
--- a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
+++ b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
@@ -21,6 +21,7 @@
package org.apache.airavata.secure.sample;
import org.apache.airavata.api.client.AiravataClientFactory;
+import org.apache.airavata.model.appcatalog.appdeployment.ApplicationModule;
import org.apache.airavata.model.error.*;
import org.apache.airavata.api.Airavata;
import org.apache.airavata.model.security.AuthzToken;
@@ -35,6 +36,7 @@ import org.slf4j.LoggerFactory;
import org.wso2.carbon.identity.oauth.stub.dto.OAuthConsumerAppDTO;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import java.util.Scanner;
@@ -185,7 +187,8 @@ public class SecureClient {
System.out.println("");
System.out.println("Enter the number corresponding to the method to be invoked: ");
System.out.println("1. getAPIVersion");
- System.out.println("2. addGateway");
+ System.out.println("2. getAllAppModules");
+ System.out.println("3. addGateway");
String methodNumberString = scanner.next();
int methodNumber = Integer.valueOf(methodNumberString.trim());
@@ -202,12 +205,23 @@ public class SecureClient {
System.out.println("");
System.out.println("Airavata API version: " + version);
System.out.println("");
-
} else if (methodNumber == 2) {
System.out.println("");
System.out.println("Enter the gateway id: ");
String gatewayId = scanner.next().trim();
+ List<ApplicationModule> appModules= client.getAllAppModules(authzToken, gatewayId);
+ System.out.println("Output of getAllAppModuels: ");
+ for (ApplicationModule appModule : appModules) {
+ System.out.println(appModule.getAppModuleName());
+ }
+ System.out.println("");
+ System.out.println("");
+ } else if (methodNumber == 3) {
+ System.out.println("");
+ System.out.println("Enter the gateway id: ");
+ String gatewayId = scanner.next().trim();
+
Gateway gateway = new Gateway(gatewayId);
gateway.setDomain("airavata.org");
gateway.setEmailAddress("airavata@apache.org");
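Review bot: The output label in the new `getAllAppModules` branch misspells the method name; `System.out.println("Output of getAllAppModuels: ");` should read `System.out.println("Output of getAllAppModules: ");`. The gateway-id prompt and the `scanner.next().trim()` read are now duplicated verbatim in branches 2 and 3; reading the id once ahead of the `if` chain for any method that needs it would remove the repetition. The enclosing method continues outside the hunk.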
[10/10] airavata git commit: Re-created the pull request with
conflicts with the master resolved.
Re-created the pull request with the conflicts against master resolved.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/36922c9f
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/36922c9f
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/36922c9f
Branch: refs/heads/master
Commit: 36922c9fcf4b1af517e18389e1657007d06b7a0e
Parents: 4f6e8c5 f080ac2
Author: hasinitg <ha...@gmail.com>
Authored: Sun Aug 16 23:56:54 2015 -0400
Committer: hasinitg <ha...@gmail.com>
Committed: Sun Aug 16 23:56:54 2015 -0400
----------------------------------------------------------------------
airavata-api/airavata-api-server/pom.xml | 13 +-
.../airavata/api/server/AiravataAPIServer.java | 15 +-
.../server/handler/AiravataServerHandler.java | 2 +-
.../security/AiravataSecurityManager.java | 17 +-
.../DefaultAiravataSecurityManager.java | 149 ++++++++++++++++-
.../api/server/security/DefaultOAuthClient.java | 133 ---------------
.../api/server/security/IdentityContext.java | 44 +++++
.../api/server/security/SecurityCheck.java | 36 ----
.../server/security/SecurityInterceptor.java | 65 --------
.../server/security/SecurityManagerFactory.java | 7 +-
.../api/server/security/SecurityModule.java | 39 -----
.../server/security/authzcache/AuthzCache.java | 63 +++++++
.../security/authzcache/AuthzCacheEntry.java | 63 +++++++
.../security/authzcache/AuthzCacheIndex.java | 78 +++++++++
.../security/authzcache/AuthzCacheManager.java | 80 +++++++++
.../authzcache/AuthzCacheManagerFactory.java | 60 +++++++
.../security/authzcache/AuthzCachedStatus.java | 34 ++++
.../authzcache/DefaultAuthzCacheManager.java | 108 ++++++++++++
.../security/interceptor/SecurityCheck.java | 36 ++++
.../interceptor/SecurityInterceptor.java | 83 ++++++++++
.../security/interceptor/SecurityModule.java | 41 +++++
.../security/oauth/DefaultOAuthClient.java | 94 +++++++++++
.../server/security/xacml/DefaultPAPClient.java | 125 ++++++++++++++
.../server/security/xacml/DefaultXACMLPEP.java | 129 +++++++++++++++
distribution/src/main/assembly/bin-assembly.xml | 1 +
.../apache/airavata/common/utils/Constants.java | 21 +++
.../airavata/common/utils/ServerSettings.java | 86 ++++++----
.../resources/airavata-default-xacml-policy.xml | 165 +++++++++++++++++++
.../main/resources/airavata-server.properties | 11 ++
.../airavata/secure/sample/SecureClient.java | 60 ++++++-
30 files changed, 1527 insertions(+), 331 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/36922c9f/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
----------------------------------------------------------------------
diff --cc airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
index 73767ab,7531fae..a4735ee
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
@@@ -22,8 -22,8 +22,8 @@@
package org.apache.airavata.api.server.handler;
import org.apache.airavata.api.Airavata;
-import org.apache.airavata.api.airavataAPIConstants;
+import org.apache.airavata.api.airavata_apiConstants;
- import org.apache.airavata.api.server.security.SecurityCheck;
+ import org.apache.airavata.api.server.security.interceptor.SecurityCheck;
import org.apache.airavata.common.exception.AiravataException;
import org.apache.airavata.common.exception.ApplicationSettingsException;
import org.apache.airavata.common.utils.AiravataUtils;
[09/10] airavata git commit: Completion of the security solution in
Airavata - adding some missing files from the previous commit and fixing
issues found while testing.
Completion of the security solution in Airavata - adding some missing files from the previous commit and fixing issues found while testing.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/f080ac26
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/f080ac26
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/f080ac26
Branch: refs/heads/master
Commit: f080ac263c6cd1c1df98dcfbd5f3366f0734fb44
Parents: 2777476
Author: hasinitg <ha...@gmail.com>
Authored: Sun Aug 16 23:44:51 2015 -0400
Committer: hasinitg <ha...@gmail.com>
Committed: Sun Aug 16 23:44:51 2015 -0400
----------------------------------------------------------------------
.../DefaultAiravataSecurityManager.java | 2 +-
.../server/security/authzcache/AuthzCache.java | 4 +-
.../security/authzcache/AuthzCacheEntry.java | 63 +++++++++
.../security/authzcache/AuthzCacheIndex.java | 78 +++++++++++
.../security/authzcache/AuthzCacheManager.java | 80 ++++++++++++
.../authzcache/AuthzCacheManagerFactory.java | 60 +++++++++
.../authzcache/DefaultAuthzCacheManager.java | 108 ++++++++++++++++
.../server/security/xacml/DefaultXACMLPEP.java | 129 +++++++++++++++++++
.../main/resources/airavata-server.properties | 2 +-
9 files changed, 523 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
index f42d98d..7078659 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
@@ -148,7 +148,7 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager {
//cache the authorization decision
authzCacheManager.addToAuthzCache(new AuthzCacheIndex(subject, accessToken, action),
- new AuthzCacheEntry(decision, expiryTimestamp));
+ new AuthzCacheEntry(decision, expiryTimestamp, System.currentTimeMillis()));
return decision;
} else {
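Review bot: The second constructor argument is named `expiryTimestamp`, but `AuthzCacheEntry` documents that field as a time-to-live in seconds and `DefaultAuthzCacheManager.getAuthzCachedStatus` compares it with the seconds elapsed since `entryTimestamp`; if `expiryTimestamp` really is an absolute time (its computation is outside the hunk), `expiryTime > timePassed` is always true and cached authorization decisions never expire, outliving the token's validity and any revocation. Please confirm the unit where the variable is computed and name it accordingly, e.g. `new AuthzCacheEntry(decision, tokenValiditySeconds, System.currentTimeMillis())`, so the contract is visible at the call site. The enclosing method starts and ends outside the hunk.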
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
index a563caa..8b14556 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
@@ -55,7 +55,9 @@ public class AuthzCache extends LinkedHashMap<AuthzCacheIndex, AuthzCacheEntry>
@Override
protected boolean removeEldestEntry(Map.Entry<AuthzCacheIndex, AuthzCacheEntry> eldest) {
//TODO: following info log is for demonstration purposes. Remove it.
- logger.info("Authz cache max size exceeded. Removing the old entries.");
+ if (size() > MAX_SIZE) {
+ logger.info("Authz cache max size exceeded. Removing the old entries.");
+ }
return size() > MAX_SIZE;
}
}
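Review bot: `size() > MAX_SIZE` is evaluated twice in `removeEldestEntry`; computing it once, `boolean evict = size() > MAX_SIZE;`, logging under `if (evict)` and returning `evict` keeps the log and the decision from drifting apart. The TODO already marks the info-level message as demonstration-only; eviction from a security cache is routine, so it belongs at debug level or should be removed before release as the TODO says.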
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
new file mode 100644
index 0000000..03ca229
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
@@ -0,0 +1,63 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+/**
+ * Cache entry in the default authorization cache.
+ */
+public class AuthzCacheEntry {
+ //authorization decision for the authorization request associated with this cache entry.
+ private boolean decision;
+ //time to live value for the access token in seconds.
+ private long expiryTime;
+ //time stamp in milli seconds at the time this entry is put into the cache
+ private long entryTimestamp;
+
+ public AuthzCacheEntry(boolean decision, long expiryTime, long entryTimestamp) {
+ this.decision = decision;
+ this.expiryTime = expiryTime;
+ this.entryTimestamp = entryTimestamp;
+ }
+
+ public long getEntryTimestamp() {
+ return entryTimestamp;
+ }
+
+ public void setEntryTimestamp(long entryTimestamp) {
+ this.entryTimestamp = entryTimestamp;
+ }
+
+ public long getExpiryTime() {
+ return expiryTime;
+ }
+
+ public void setExpiryTime(long timestamp) {
+ this.expiryTime = timestamp;
+ }
+
+ public boolean getDecision() {
+ return decision;
+ }
+
+ public void setDecision(boolean decision) {
+ this.decision = decision;
+ }
+}
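Review bot: The field comment documents `expiryTime` as a time-to-live in seconds, but its setter is declared `setExpiryTime(long timestamp)`, which invites callers to pass an absolute timestamp; renaming the parameter to `expiryTime` and adding `/** @param expiryTime time-to-live of the access token, in seconds */` would remove the ambiguity. All three fields have setters although, as far as this commit shows, an entry is only constructed and then read by the cache manager; making them `final` and dropping the setters would prevent a stored authorization decision from being altered after the fact.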
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
new file mode 100644
index 0000000..59667d8
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
@@ -0,0 +1,78 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+/**
+ * Cache index of the default authorization cache.
+ */
+public class AuthzCacheIndex {
+
+ private String subject;
+ private String oauthAccessToken;
+ private String action;
+
+ public AuthzCacheIndex(String userName, String accessToken, String actionString) {
+ this.subject = userName;
+ this.oauthAccessToken = accessToken;
+ this.action = actionString;
+ }
+
+ public String getSubject() {
+ return subject;
+ }
+
+ public void setSubject(String subject) {
+ this.subject = subject;
+ }
+
+ public String getAction() {
+ return action;
+ }
+
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public String getOauthAccessToken() {
+ return oauthAccessToken;
+ }
+
+ public void setOauthAccessToken(String oauthAccessToken) {
+ this.oauthAccessToken = oauthAccessToken;
+ }
+
+ /*Equals and hash code methods are overriden since this is being used as an index of a map and that containsKey method
+ * should return true if the values of two index objects are equal.*/
+ @Override
+ public boolean equals(Object other) {
+ if (other == null || other.getClass() != getClass()) {
+ return false;
+ }
+ return ((this.getSubject().equals(((AuthzCacheIndex) other).getSubject()))
+ && (this.getOauthAccessToken().equals(((AuthzCacheIndex) other).getOauthAccessToken()))
+ && (this.getAction().equals(((AuthzCacheIndex) other).getAction())));
+ }
+
+ @Override
+ public int hashCode() {
+ return this.getSubject().hashCode() + this.getOauthAccessToken().hashCode() + this.getAction().hashCode();
+ }
+}
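Review bot: `AuthzCacheIndex` is used as a `LinkedHashMap` key (see the `AuthzCache` hunk above), yet all three fields have public setters; mutating a key after insertion makes its entry unreachable and breaks `containsKey`, so the fields should be `final` with no setters. `equals` also dereferences `getSubject()`, `getOauthAccessToken()` and `getAction()` without null checks although the constructor accepts nulls, and `hashCode` adds the three hashes so swapped field values collide; `Objects.equals`/`Objects.hash` (requires `import java.util.Objects;`) address both, as below. The key also retains the raw OAuth access token in memory for the life of the cache entry; keying on a digest of the token would give the same lookup semantics without keeping the bearer credential around.
```java
@Override
public boolean equals(Object other) {
    if (this == other) {
        return true;
    }
    if (other == null || other.getClass() != getClass()) {
        return false;
    }
    AuthzCacheIndex that = (AuthzCacheIndex) other;
    return Objects.equals(subject, that.subject)
            && Objects.equals(oauthAccessToken, that.oauthAccessToken)
            && Objects.equals(action, that.action);
}

@Override
public int hashCode() {
    return Objects.hash(subject, oauthAccessToken, action);
}
```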
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
new file mode 100644
index 0000000..48cfb03
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
@@ -0,0 +1,80 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.security.AiravataSecurityException;
+
+/**
+ * This is the interface through which security manager accesses the underlying caching implementation
+ * See the DefaultAuthzCacheManager.java for an example implementation of this interface.
+ */
+public interface AuthzCacheManager {
+ /**
+ * Returns the status of the cache w.r.t the given authorization request which is encapsulated in
+ * the AuthzCacheIndex.
+ *
+ * @param authzCacheIndex
+ * @return
+ */
+ public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Add to cache the authorization decision pertaining to a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @param authzCacheEntry
+ * @throws AiravataSecurityException
+ */
+ public void addToAuthzCache(AuthzCacheIndex authzCacheIndex, AuthzCacheEntry authzCacheEntry) throws AiravataSecurityException;
+
+ /**
+ * Check if a valid decision is cached for a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @return
+ */
+ public boolean isAuthzDecisionCached(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Returns the AuthzCacheEntry for a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @return
+ * @throws AiravataSecurityException
+ */
+ public AuthzCacheEntry getAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Removes the authorization cache entry for a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @throws AiravataSecurityException
+ */
+ public void removeAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Clear the authorization cache.
+ *
+ * @return
+ */
+ public void clearCache() throws AiravataSecurityException;
+
+}
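Review bot: The Javadoc on `getAuthzCachedStatus`, `isAuthzDecisionCached` and `getAuthzCacheEntry` leaves `@return` empty, the first two omit `@throws AiravataSecurityException` although they declare it, and `clearCache` carries a `@return` tag on a `void` method; filling these in (e.g. `@return the AuthzCachedStatus of the cached decision for the request` and `@return true if a decision for the request is cached and still valid`) is what a reader of the interface needs most. The interface should also state whether implementations must be thread-safe, since the security manager presumably calls it from concurrent API request threads — confirm against the caller. The `public` modifier on interface methods is redundant and can be dropped.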
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
new file mode 100644
index 0000000..b555122
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
@@ -0,0 +1,60 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.api.server.security.AiravataSecurityManager;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+/**
+ * This initializes the AuthzCacheManager implementation to be used as defined by the configuration.
+ */
+public class AuthzCacheManagerFactory {
+ private final static Logger logger = LoggerFactory.getLogger(AuthzCacheManagerFactory.class);
+
+ public static AuthzCacheManager getAuthzCacheManager() throws AiravataSecurityException {
+ try {
+ Class authzCacheManagerImpl = Class.forName(ServerSettings.getAuthzCacheManagerClassName());
+ AuthzCacheManager authzCacheManager = (AuthzCacheManager) authzCacheManagerImpl.newInstance();
+ return authzCacheManager;
+ } catch (ClassNotFoundException e) {
+ String error = "Authorization Cache Manager class could not be found.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+ } catch (ApplicationSettingsException e) {
+ String error = "Error in reading the configuration related to Authorization Cache Manager class.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+ } catch (InstantiationException e) {
+ String error = "Error in instantiating the Authorization Cache Manager class.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+ } catch (IllegalAccessException e) {
+ String error = "Error in instantiating the Authorization Cache Manager class.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+
+ }
+ }
+
+}
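Review bot: Every catch block in `getAuthzCacheManager` throws `new AiravataSecurityException(error)` without the original exception, so the root cause (a misspelled class name, a missing no-arg constructor) survives only in the log; if `AiravataSecurityException` offers a `(String, Throwable)` constructor, `throw new AiravataSecurityException(error, e);` should be used in each. A configured class that does not implement `AuthzCacheManager` escapes as an uncaught `ClassCastException`; `Class.forName(name).asSubclass(AuthzCacheManager.class)` turns that into a typed error, and `getDeclaredConstructor().newInstance()` replaces `Class.newInstance()`, which is deprecated since Java 9 because it rethrows the constructor's checked exceptions unchecked. The factory also builds a fresh manager on every call; if `DefaultAuthzCacheManager` keeps per-instance state this would discard the cache between checks — that class is cut off in this view, so please confirm.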
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
new file mode 100644
index 0000000..232908d
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
@@ -0,0 +1,108 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Date;
+
+public class DefaultAuthzCacheManager implements AuthzCacheManager {
+
+ private final static Logger logger = LoggerFactory.getLogger(DefaultAuthzCacheManager.class);
+
+ @Override
+ public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
+ if (isAuthzDecisionCached(authzCacheIndex)) {
+ AuthzCacheEntry cacheEntry = getAuthzCacheEntry(authzCacheIndex);
+ long expiryTime = cacheEntry.getExpiryTime();
+ long currentTime = System.currentTimeMillis();
+ long timePassed = (currentTime - cacheEntry.getEntryTimestamp()) / 1000;
+ if (expiryTime > timePassed) {
+ //access token is still valid. Hence, return the cached decision
+ if (cacheEntry.getDecision()) {
+ return AuthzCachedStatus.AUTHORIZED;
+ } else {
+ return AuthzCachedStatus.NOT_AUTHORIZED;
+ }
+ } else {
+ //access token has been expired. Hence, remove the entry and return.
+ removeAuthzCacheEntry(authzCacheIndex);
+ return AuthzCachedStatus.NOT_CACHED;
+ }
+ } else {
+ return AuthzCachedStatus.NOT_CACHED;
+ }
+ }
+
+ @Override
+ public void addToAuthzCache(AuthzCacheIndex authzCacheIndex, AuthzCacheEntry authzCacheEntry) throws AiravataSecurityException {
+ try {
+ AuthzCache.getInstance().put(authzCacheIndex, authzCacheEntry);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+ }
+ }
+
+ @Override
+ public boolean isAuthzDecisionCached(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
+ try {
+ return AuthzCache.getInstance().containsKey(authzCacheIndex);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+ }
+ }
+
+ @Override
+ public AuthzCacheEntry getAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
+ try {
+ return AuthzCache.getInstance().get(authzCacheIndex);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+ }
+ }
+
+ @Override
+ public void removeAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
+ try {
+ AuthzCache.getInstance().remove(authzCacheIndex);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+ }
+ }
+
+ @Override
+ public void clearCache() throws AiravataSecurityException {
+ try {
+ AuthzCache.getInstance().clear();
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+
+ }
+ }
+}
\ No newline at end of file
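Review bot: getAuthzCachedStatus looks the entry up twice — isAuthzDecisionCached and then getAuthzCacheEntry — so if the size-bounded cache (in.memory.cache.size) evicts the key between the two calls, cacheEntry is null and cacheEntry.getExpiryTime() throws NullPointerException instead of reporting a miss. Fetch once and treat null as NOT_CACHED: `AuthzCacheEntry cacheEntry = getAuthzCacheEntry(authzCacheIndex); if (cacheEntry == null) { return AuthzCachedStatus.NOT_CACHED; }`. The expiry test compares expiryTime against an elapsed time converted to seconds (`/ 1000`), while the caller stores validationResponse.getExpiryTime() unchanged; if that value is in milliseconds, as the WSO2 DTO's name suggests, cached decisions outlive the token by roughly a thousand times, so the unit should be confirmed and stated in a comment on the comparison (`// expiryTime and timePassed are both in seconds`). The `java.util.Date` import is unused.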
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
new file mode 100644
index 0000000..42328d1
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
@@ -0,0 +1,129 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.xacml;
+
+import org.apache.airavata.common.utils.Constants;
+import org.apache.airavata.model.security.AuthzToken;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.ConfigurationContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException;
+import org.wso2.carbon.utils.CarbonUtils;
+import org.xml.sax.SAXException;
+
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.rmi.RemoteException;
+import java.util.Map;
+
+/**
+ * This enforces XACML based fine grained authorization on the API calls, by authorizing the API calls
+ * through default PDP which is WSO2 Identity Server.
+ */
+public class DefaultXACMLPEP {
+
+ private final static Logger logger = LoggerFactory.getLogger(DefaultXACMLPEP.class);
+ private EntitlementServiceStub entitlementServiceStub;
+
+ public DefaultXACMLPEP(String auhorizationServerURL, String username, String password,
+ ConfigurationContext configCtx) throws AiravataSecurityException {
+ try {
+
+ String PDPURL = auhorizationServerURL + "EntitlementService";
+ entitlementServiceStub = new EntitlementServiceStub(configCtx, PDPURL);
+ CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, entitlementServiceStub._getServiceClient());
+ } catch (AxisFault e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error initializing XACML PEP client.");
+ }
+
+ }
+
+ /**
+ * Send the XACML authorization request to XAML PDP and return the authorization decision.
+ *
+ * @param authzToken
+ * @param metaData
+ * @return
+ */
+ public boolean getAuthorizationDecision(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
+ String decision;
+ try {
+ String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
+ String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
+ String decisionString = entitlementServiceStub.getDecisionByAttributes(subject, null, action, null);
+ //parse the XML decision string and obtain the decision
+ decision = parseDecisionString(decisionString);
+ if (Constants.PERMIT.equals(decision)) {
+ return true;
+ } else {
+ logger.error("Authorization decision is: " + decision);
+ return false;
+ }
+ } catch (RemoteException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in authorizing the user.");
+ } catch (EntitlementServiceException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in authorizing the user.");
+ }
+ }
+
+ /**
+ * This parses the XML based authorization response by the PDP and returns the decision string.
+ *
+ * @param decisionString
+ * @return
+ * @throws AiravataSecurityException
+ */
+ private String parseDecisionString(String decisionString) throws AiravataSecurityException {
+ try {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
+ Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
+ Node resultNode = doc.getDocumentElement().getFirstChild();
+ Node decisionNode = resultNode.getFirstChild();
+ String decision = decisionNode.getTextContent();
+ return decision;
+ } catch (ParserConfigurationException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (UnsupportedEncodingException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (SAXException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (IOException e) {
+ logger.error("Error in parsing XACML authorization response.");
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ }
+ }
+}
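Review bot: parseDecisionString parses the PDP response with a DocumentBuilderFactory left at its defaults, so DTDs and external entities are honoured; the PDP is a configured server reached with admin credentials, but a compromised or spoofed response could still drive entity expansion or external fetches from the API server. Harden the factory before newDocumentBuilder(): `docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); docBuilderFactory.setXIncludeAware(false); docBuilderFactory.setExpandEntityReferences(false);` — the ParserConfigurationException setFeature may throw is already handled by the existing catch. The fixed walk getDocumentElement().getFirstChild().getFirstChild() raises a NullPointerException rather than AiravataSecurityException when the response has another shape, and picks up a whitespace text node if the PDP pretty-prints; the PERMIT comparison still fails closed, but a null check that throws AiravataSecurityException("Unexpected XACML response structure") would make the failure explicit and logged. The IOException branch also drops the exception from its log call, unlike the three branches above it.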
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/modules/configuration/server/src/main/resources/airavata-server.properties
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-server.properties b/modules/configuration/server/src/main/resources/airavata-server.properties
index fb57382..d45e3d9 100644
--- a/modules/configuration/server/src/main/resources/airavata-server.properties
+++ b/modules/configuration/server/src/main/resources/airavata-server.properties
@@ -245,7 +245,7 @@ remote.oauth.authorization.server=https://localhost:9443/services/
authorization.policy=airavata-default-xacml-policy
#### authorization cache related configuration ####
authz.cache.enabled=true
-authz.cache.manager.class=org.apache.airavata.api.server.security.cache.DefaultAuthzCacheManager
+authz.cache.manager.class=org.apache.airavata.api.server.security.authzcache.DefaultAuthzCacheManager
in.memory.cache.size=1000
#### admin user credentials of authorization server ####
admin.user.name=admin
[05/10] airavata git commit: Updated the secure-client sample to
showcase the XACML based authorization on API calls and fixed some issues
found when running the sample.
Posted by sm...@apache.org.
Updated the secure-client sample to showcase the XACML based authorization on API calls and fixed some issues found when running the sample.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/4226a2db
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/4226a2db
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/4226a2db
Branch: refs/heads/master
Commit: 4226a2db00aec8ba0abb84e722bcb9767f0c96fa
Parents: d3ac7ce
Author: hasinitg <ha...@gmail.com>
Authored: Sat Aug 1 20:56:51 2015 +0530
Committer: hasinitg <ha...@gmail.com>
Committed: Sat Aug 1 20:56:51 2015 +0530
----------------------------------------------------------------------
.../api/server/security/DefaultXACMLPEP.java | 7 +---
.../server/security/SecurityInterceptor.java | 3 ++
.../airavata/secure/sample/SecureClient.java | 43 +++++++++++++++++---
3 files changed, 43 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/4226a2db/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
index e61904c..b60069c 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
@@ -83,13 +83,10 @@ public class DefaultXACMLPEP {
String decisionString = entitlementServiceStub.getDecisionByAttributes(subject, null, action, null);
//parse the XML decision string and obtain the decision
decision = parseDecisionString(decisionString);
- if (Constants.NOT_APPLICABLE.equals(decision) || Constants.INDETERMINATE.equals(decision) ||
- Constants.DENY.equals(decision) || decision == null) {
- logger.error("Authorization decision is: " + decision);
- throw new AiravataSecurityException("Error in authorizing the user.");
- } else if (Constants.PERMIT.equals(decision)) {
+ if (Constants.PERMIT.equals(decision)) {
return true;
} else {
+ logger.error("Authorization decision is: " + decision);
return false;
}
} catch (RemoteException e) {
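Review bot: Deny, NotApplicable, Indeterminate and null now all produce a plain false return, which is the right fail-closed behaviour, but logging them at ERROR with only the decision string makes routine denials look like faults and leaves no subject or action in the audit trail. Suggest `logger.warn("Authorization denied for subject {} on action {}: decision {}", subject, action, decision);` and reserving ERROR for the RemoteException and EntitlementServiceException paths. Indeterminate usually signals a PDP-side evaluation problem rather than a policy denial, so telling it apart in the log would help operators. getAuthorizationDecision's signature and the surrounding try begin outside the hunk.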
http://git-wip-us.apache.org/repos/asf/airavata/blob/4226a2db/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
index 1f9cd90..2d35b1b 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
@@ -61,12 +61,15 @@ public class SecurityInterceptor implements MethodInterceptor {
try {
boolean isAPISecured = ServerSettings.isAPISecured();
if (isAPISecured) {
+ //check in the cache
+ //if not in the cache, perform authorization with the authorization server
AiravataSecurityManager securityManager = SecurityManagerFactory.getSecurityManager();
boolean isAuthz = securityManager.isUserAuthorized(authzToken, metaData);
if (!isAuthz) {
throw new AuthorizationException("User is not authenticated or authorized.");
}
+ //put the successful authorization decision in the cache
}
} catch (AiravataSecurityException e) {
logger.error(e.getMessage(), e);
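Review bot: The two added comments describe a cache lookup and a cache write that this method does not perform; the only call on this path is securityManager.isUserAuthorized, so a reader is sent looking for code that is not here. If caching is meant to live inside the security manager implementation, say that instead, e.g. `// authorization (and any decision caching) is delegated to the configured AiravataSecurityManager`; otherwise mark them as TODOs so they are not read as a description of current behaviour. The enclosing intercept method starts and ends outside the hunk.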
http://git-wip-us.apache.org/repos/asf/airavata/blob/4226a2db/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
----------------------------------------------------------------------
diff --git a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
index ac34c18..890aa99 100644
--- a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
+++ b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
@@ -24,6 +24,7 @@ import org.apache.airavata.api.client.AiravataClientFactory;
import org.apache.airavata.model.error.*;
import org.apache.airavata.api.Airavata;
import org.apache.airavata.model.security.AuthzToken;
+import org.apache.airavata.model.workspace.Gateway;
import org.apache.airavata.security.AiravataSecurityException;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
@@ -109,6 +110,7 @@ public class SecureClient {
throw e;
}
} else if (option == 2) {
+ System.out.println("");
System.out.println("Enter Consumer Id: ");
consumerId = scanner.next().trim();
System.out.println("Enter Consumer Secret: ");
@@ -117,6 +119,7 @@ public class SecureClient {
//obtain OAuth access token
/************************Start obtaining input from user*****************************/
+ System.out.println("");
System.out.println("Please select the preferred grant type: (or press d to use the default option" + Properties.grantType + ")");
System.out.println("1. Resource Owner Password Credential.");
System.out.println("2. Client Credential.");
@@ -150,10 +153,12 @@ public class SecureClient {
password = passwordInput.trim();
}
} else if (grantType == 2) {
- System.out.println("Obtaining OAuth access token via 'Client Credential' grant type...' grant type....");
+ System.out.println("");
System.out.println("Please enter the user name to be passed: ");
String userNameInput = scanner.next();
userName = userNameInput.trim();
+ System.out.println("");
+ System.out.println("Obtaining OAuth access token via 'Client Credential' grant type...' grant type....");
}
/***************************** Finish obtaining input from user*******************************************/
@@ -161,10 +166,11 @@ public class SecureClient {
//obtain the OAuth token for the specified end user.
String accessToken = new OAuthTokenRetrievalClient().retrieveAccessToken(consumerId, consumerSecret,
userName, password, grantType);
- System.out.println("OAuth access token is: " + accessToken);
System.out.println("");
+ System.out.println("OAuth access token is: " + accessToken);
//invoke Airavata API by the SecureClient, on behalf of the user.
+ System.out.println("");
System.out.println("Invoking Airavata API...");
System.out.println("Enter the access token to be used: (default:" + accessToken + ", press 'd' to use default value.)");
String accessTokenInput = scanner.next();
@@ -175,6 +181,14 @@ public class SecureClient {
acTk = accessTokenInput.trim();
}
+ //obtain as input, the method to be invoked
+ System.out.println("");
+ System.out.println("Enter the number corresponding to the method to be invoked: ");
+ System.out.println("1. getAPIVersion");
+ System.out.println("2. addGateway");
+ String methodNumberString = scanner.next();
+ int methodNumber = Integer.valueOf(methodNumberString.trim());
+
Airavata.Client client = createAiravataClient(Properties.SERVER_HOST, Properties.SERVER_PORT);
AuthzToken authzToken = new AuthzToken();
authzToken.setAccessToken(acTk);
@@ -182,9 +196,28 @@ public class SecureClient {
claimsMap.put("userName", userName);
claimsMap.put("email", "hasini@gmail.com");
authzToken.setClaimsMap(claimsMap);
- String version = client.getAPIVersion(authzToken);
- System.out.println("Airavata API version: " + version);
- System.out.println("");
+ if (methodNumber == 1) {
+
+ String version = client.getAPIVersion(authzToken);
+ System.out.println("");
+ System.out.println("Airavata API version: " + version);
+ System.out.println("");
+
+ } else if (methodNumber == 2) {
+ System.out.println("");
+ System.out.println("Enter the gateway id: ");
+ String gatewayId = scanner.next().trim();
+
+ Gateway gateway = new Gateway(gatewayId);
+ gateway.setDomain("airavata.org");
+ gateway.setEmailAddress("airavata@apache.org");
+ gateway.setGatewayName("airavataGW");
+ String output = client.addGateway(authzToken, gateway);
+ System.out.println("");
+ System.out.println("Output of addGateway: " + output);
+ System.out.println("");
+
+ }
} catch (InvalidRequestException e) {
e.printStackTrace();
} catch (TException e) {
[08/10] airavata git commit: Adding the Authorization caching
implementation. This completes the security solution implementation in the
Airavata source code.
Posted by sm...@apache.org.
Adding the Authorization caching implementation. This completes the security solution implementation in the Airavata source code.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/27774766
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/27774766
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/27774766
Branch: refs/heads/master
Commit: 27774766f502f2e62c288c5bce0f8980926a7741
Parents: 59f4acd
Author: hasinitg <ha...@gmail.com>
Authored: Sun Aug 16 09:39:56 2015 -0400
Committer: hasinitg <ha...@gmail.com>
Committed: Sun Aug 16 09:39:56 2015 -0400
----------------------------------------------------------------------
.../airavata/api/server/AiravataAPIServer.java | 7 +-
.../server/handler/AiravataServerHandler.java | 5 +-
.../DefaultAiravataSecurityManager.java | 102 +++++++++++---
.../api/server/security/DefaultOAuthClient.java | 98 --------------
.../api/server/security/DefaultPAPClient.java | 126 ------------------
.../api/server/security/DefaultXACMLPEP.java | 132 -------------------
.../api/server/security/SecurityCheck.java | 36 -----
.../server/security/SecurityInterceptor.java | 84 ------------
.../server/security/SecurityManagerFactory.java | 7 +-
.../api/server/security/SecurityModule.java | 39 ------
.../server/security/authzcache/AuthzCache.java | 61 +++++++++
.../security/authzcache/AuthzCachedStatus.java | 34 +++++
.../security/interceptor/SecurityCheck.java | 36 +++++
.../interceptor/SecurityInterceptor.java | 83 ++++++++++++
.../security/interceptor/SecurityModule.java | 41 ++++++
.../security/oauth/DefaultOAuthClient.java | 94 +++++++++++++
.../server/security/xacml/DefaultPAPClient.java | 125 ++++++++++++++++++
.../apache/airavata/common/utils/Constants.java | 7 +
.../airavata/common/utils/ServerSettings.java | 82 +++++++-----
.../main/resources/airavata-server.properties | 10 ++
20 files changed, 629 insertions(+), 580 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java
index c06cd39..ca4e345 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java
@@ -29,13 +29,11 @@ import org.apache.airavata.api.Airavata;
import org.apache.airavata.api.server.handler.AiravataServerHandler;
import org.apache.airavata.api.server.security.AiravataSecurityManager;
import org.apache.airavata.api.server.security.SecurityManagerFactory;
-import org.apache.airavata.api.server.security.SecurityModule;
+import org.apache.airavata.api.server.security.interceptor.SecurityModule;
import org.apache.airavata.api.server.util.AppCatalogInitUtil;
import org.apache.airavata.api.server.util.Constants;
import org.apache.airavata.api.server.util.RegistryInitUtil;
import org.apache.airavata.common.exception.ApplicationSettingsException;
-import org.apache.airavata.common.utils.AiravataUtils;
-import org.apache.airavata.common.utils.AiravataZKUtils;
import org.apache.airavata.common.utils.IServer;
import org.apache.airavata.common.utils.ServerSettings;
import org.apache.airavata.model.error.AiravataErrorType;
@@ -148,7 +146,8 @@ public class AiravataAPIServer implements IServer{
}.start();
logger.info("Airavata API server starter over TLS on Port: " + ServerSettings.getTLSServerPort());
}
- //perform any security related initialization at the server startup, according to the security manager being used.
+ /*perform any security related initialization at the server startup, according to the underlying security
+ manager implementation being used.*/
AiravataSecurityManager securityManager = SecurityManagerFactory.getSecurityManager();
securityManager.initializeSecurityInfra();
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
index 600c694..7531fae 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
@@ -23,9 +23,7 @@ package org.apache.airavata.api.server.handler;
import org.apache.airavata.api.Airavata;
import org.apache.airavata.api.airavataAPIConstants;
-import org.apache.airavata.api.server.security.AiravataSecurityManager;
-import org.apache.airavata.api.server.security.SecurityCheck;
-import org.apache.airavata.api.server.security.SecurityManagerFactory;
+import org.apache.airavata.api.server.security.interceptor.SecurityCheck;
import org.apache.airavata.common.exception.AiravataException;
import org.apache.airavata.common.exception.ApplicationSettingsException;
import org.apache.airavata.common.utils.AiravataUtils;
@@ -105,7 +103,6 @@ import org.apache.airavata.registry.cpi.RegistryException;
import org.apache.airavata.registry.cpi.ResultOrderType;
import org.apache.airavata.registry.cpi.WorkflowCatalog;
import org.apache.airavata.registry.cpi.utils.Constants;
-import org.apache.airavata.security.AiravataSecurityException;
import org.apache.thrift.TException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
index 532f9f6..f42d98d 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
@@ -20,6 +20,10 @@
*/
package org.apache.airavata.api.server.security;
+import org.apache.airavata.api.server.security.authzcache.*;
+import org.apache.airavata.api.server.security.oauth.DefaultOAuthClient;
+import org.apache.airavata.api.server.security.xacml.DefaultPAPClient;
+import org.apache.airavata.api.server.security.xacml.DefaultXACMLPEP;
import org.apache.airavata.common.exception.ApplicationSettingsException;
import org.apache.airavata.common.utils.Constants;
import org.apache.airavata.common.utils.ServerSettings;
@@ -72,6 +76,7 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager {
}
//publish the policy and enable it in a separate thread
PAPClient.addPolicy(stringBuilder.toString());
+ logger.info("Authorization policy is published in the authorization server.");
}
}
@@ -94,25 +99,84 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager {
public boolean isUserAuthorized(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
try {
- ConfigurationContext configContext =
- ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
-
- //initialize SSL context with the trust store that contains the public cert of WSO2 Identity Server.
- TrustStoreManager trustStoreManager = new TrustStoreManager();
- trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(),
- ServerSettings.getTrustStorePassword());
-
- DefaultOAuthClient oauthClient = new DefaultOAuthClient(ServerSettings.getRemoteAuthzServerUrl(),
- ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
- OAuth2TokenValidationResponseDTO validationResponse = oauthClient.validateAccessToken(
- authzToken.getAccessToken());
- boolean isOAuthTokenValid = validationResponse.getValid();
- //if XACML based authorization is enabled, check for role based authorization for the API invocation
- DefaultXACMLPEP entitlementClient = new DefaultXACMLPEP(ServerSettings.getRemoteAuthzServerUrl(),
- ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
- boolean authorizationDecision = entitlementClient.getAuthorizationDecision(authzToken, metaData);
-
- return (isOAuthTokenValid && authorizationDecision);
+ //if the authz cache is enabled, check in the cache if the authz decision is cached and if so, what the status is
+ if (ServerSettings.isAuthzCacheEnabled()) {
+ //obtain an instance of AuthzCacheManager implementation.
+ AuthzCacheManager authzCacheManager = AuthzCacheManagerFactory.getAuthzCacheManager();
+ //collect the necessary info for contructing the authz cache index
+ String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
+ String accessToken = authzToken.getAccessToken();
+ String action = metaData.get(Constants.API_METHOD_NAME);
+ //check in the cache
+ AuthzCachedStatus authzCachedStatus = authzCacheManager.getAuthzCachedStatus(
+ new AuthzCacheIndex(subject, accessToken, action));
+
+ if (AuthzCachedStatus.AUTHORIZED.equals(authzCachedStatus)) {
+ //TODO: following info log is for demonstration purpose. change it to debug log.
+ logger.info("Authz decision for: (" + subject + ", " + accessToken + ", " + action + ") is retrieved from cache.");
+ return true;
+ } else if (AuthzCachedStatus.NOT_AUTHORIZED.equals(authzCachedStatus)) {
+ //TODO: following info log is for demonstration purpose. change it to debug log.
+ logger.info("Authz decision for: (" + subject + ", " + accessToken + ", " + action + ") is retrieved from cache.");
+ return false;
+ } else if (AuthzCachedStatus.NOT_CACHED.equals(authzCachedStatus)) {
+ //TODO: following info log is for demonstration purpose. change it to debug log.
+ logger.info("Authz decision for: (" + subject + ", " + accessToken + ", " + action + ") is not in the cache. " +
+ "Obtaining it from the authorization server.");
+ //talk to Authorization Server, obtain the decision, cache it and return the result.
+ ConfigurationContext configContext =
+ ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
+
+ //initialize SSL context with the trust store that contains the public cert of WSO2 Identity Server.
+ TrustStoreManager trustStoreManager = new TrustStoreManager();
+ trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(),
+ ServerSettings.getTrustStorePassword());
+
+ DefaultOAuthClient oauthClient = new DefaultOAuthClient(ServerSettings.getRemoteAuthzServerUrl(),
+ ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
+ OAuth2TokenValidationResponseDTO validationResponse = oauthClient.validateAccessToken(
+ authzToken.getAccessToken());
+ boolean isOAuthTokenValid = validationResponse.getValid();
+ long expiryTimestamp = validationResponse.getExpiryTime();
+
+ //check for fine grained authorization for the API invocation, based on XACML.
+ DefaultXACMLPEP entitlementClient = new DefaultXACMLPEP(ServerSettings.getRemoteAuthzServerUrl(),
+ ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
+ boolean authorizationDecision = entitlementClient.getAuthorizationDecision(authzToken, metaData);
+
+ boolean decision = isOAuthTokenValid && authorizationDecision;
+
+ //cache the authorization decision
+ authzCacheManager.addToAuthzCache(new AuthzCacheIndex(subject, accessToken, action),
+ new AuthzCacheEntry(decision, expiryTimestamp));
+
+ return decision;
+ } else {
+ //undefined status returned from the authz cache manager
+ throw new AiravataSecurityException("Error in reading from the authorization cache.");
+ }
+ } else {
+ //talk to Authorization Server, obtain the decision and return the result (authz cache is not enabled).
+ ConfigurationContext configContext =
+ ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
+
+ //initialize SSL context with the trust store that contains the public cert of WSO2 Identity Server.
+ TrustStoreManager trustStoreManager = new TrustStoreManager();
+ trustStoreManager.initializeTrustStoreManager(ServerSettings.getTrustStorePath(),
+ ServerSettings.getTrustStorePassword());
+
+ DefaultOAuthClient oauthClient = new DefaultOAuthClient(ServerSettings.getRemoteAuthzServerUrl(),
+ ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
+ OAuth2TokenValidationResponseDTO validationResponse = oauthClient.validateAccessToken(
+ authzToken.getAccessToken());
+ boolean isOAuthTokenValid = validationResponse.getValid();
+ //if XACML based authorization is enabled, check for role based authorization for the API invocation
+ DefaultXACMLPEP entitlementClient = new DefaultXACMLPEP(ServerSettings.getRemoteAuthzServerUrl(),
+ ServerSettings.getAdminUsername(), ServerSettings.getAdminPassword(), configContext);
+ boolean authorizationDecision = entitlementClient.getAuthorizationDecision(authzToken, metaData);
+
+ return (isOAuthTokenValid && authorizationDecision);
+ }
} catch (AxisFault axisFault) {
logger.error(axisFault.getMessage(), axisFault);
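Review bot: The subject used for the cache index and for the XACML request is `authzToken.getClaimsMap().get(Constants.USER_NAME)`, a value the client asserts, while the token check (`validationResponse.getValid()`) is independent of it; as far as the visible code shows, a caller holding any valid token can name a different user in the claims map and obtain — and have cached — that user's PDP decision. The subject should be compared against the user the token validation response reports and the request rejected on mismatch before the PEP is consulted, in both the cached and uncached paths. The three `logger.info` calls write the raw bearer token to the log; log only subject and action, e.g. `logger.debug("Authz decision for ({}, {}) retrieved from cache", subject, action)` — lowering the level to debug, as the TODO proposes, does not make a token safe to log. Caching also happens when isOAuthTokenValid is false, so every distinct invalid token presented occupies a slot in the bounded cache and can push out live entries; skip addToAuthzCache in that case. The cached and uncached branches duplicate the OAuth/XACML client set-up verbatim, so a private helper returning the decision and expiry together would keep the two from drifting.
```java
OAuth2TokenValidationResponseDTO validationResponse = oauthClient.validateAccessToken(
        authzToken.getAccessToken());
boolean isOAuthTokenValid = validationResponse.getValid();
// Bind the client-asserted subject to the token's owner before asking the PDP about it.
// NOTE(review): confirm the accessor name and user-name format against the WSO2 stub in use.
String tokenUser = validationResponse.getAuthorizedUser();
if (!isOAuthTokenValid || tokenUser == null || !tokenUser.equals(subject)) {
    logger.warn("Subject {} is not the owner of the presented token; denying {}", subject, action);
    return false;
}
// … unchanged: XACML PEP call, decision caching and return …
```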
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultOAuthClient.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultOAuthClient.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultOAuthClient.java
deleted file mode 100644
index e1afacd..0000000
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultOAuthClient.java
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.airavata.api.server.security;
-
-import org.apache.airavata.common.exception.ApplicationSettingsException;
-import org.apache.airavata.common.utils.ServerSettings;
-import org.apache.airavata.security.AiravataSecurityException;
-import org.apache.airavata.security.util.TrustStoreManager;
-import org.apache.axis2.AxisFault;
-import org.apache.axis2.context.ConfigurationContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
-import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
-import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken;
-import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO;
-import org.wso2.carbon.utils.CarbonUtils;
-
-import javax.net.ssl.*;
-import java.rmi.RemoteException;
-
-/**
- * This is the default OAuth Client that talks to WSO2 IS's OAuth Authentication Server
- * to get the OAuth token validated.
- */
-public class DefaultOAuthClient {
-
- private OAuth2TokenValidationServiceStub stub;
- private final static Logger logger = LoggerFactory.getLogger(DefaultOAuthClient.class);
- public static final String BEARER_TOKEN_TYPE = "bearer";
-
- /**
- * OAuth2TokenValidationService Admin Service Client
- *
- * @param auhorizationServerURL
- * @param username
- * @param password
- * @param configCtx
- * @throws Exception
- */
- public DefaultOAuthClient(String auhorizationServerURL, String username, String password,
- ConfigurationContext configCtx) throws AiravataSecurityException {
- try {
- String serviceURL = auhorizationServerURL + "OAuth2TokenValidationService";
- stub = new OAuth2TokenValidationServiceStub(configCtx, serviceURL);
- CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, stub._getServiceClient());
- } catch (AxisFault e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error initializing OAuth client.");
- }
- }
-
- /**
- * Validates the OAuth 2.0 access token
- *
- * @param accessToken
- * @return
- * @throws Exception
- */
- public OAuth2TokenValidationResponseDTO validateAccessToken(String accessToken)
- throws AiravataSecurityException {
-
- try {
- OAuth2TokenValidationRequestDTO oauthReq = new OAuth2TokenValidationRequestDTO();
- OAuth2TokenValidationRequestDTO_OAuth2AccessToken token =
- new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
- token.setIdentifier(accessToken);
- token.setTokenType(BEARER_TOKEN_TYPE);
- oauthReq.setAccessToken(token);
- return stub.validate(oauthReq);
- } catch (RemoteException e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error in validating the OAuth access token.");
- } /*catch (ApplicationSettingsException e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error in reading OAuth configuration.");
- }*/
- }
-
-}
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultPAPClient.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultPAPClient.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultPAPClient.java
deleted file mode 100644
index b75129c..0000000
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultPAPClient.java
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.airavata.api.server.security;
-
-import com.sun.corba.se.spi.activation.Server;
-import org.apache.airavata.common.exception.ApplicationSettingsException;
-import org.apache.airavata.common.utils.ServerSettings;
-import org.apache.airavata.security.AiravataSecurityException;
-import org.apache.axis2.AxisFault;
-import org.apache.axis2.context.ConfigurationContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceStub;
-import org.wso2.carbon.identity.entitlement.stub.dto.PaginatedStatusHolder;
-import org.wso2.carbon.identity.entitlement.stub.dto.PolicyDTO;
-import org.wso2.carbon.identity.entitlement.stub.dto.StatusHolder;
-import org.wso2.carbon.identity.entitlement.common.EntitlementConstants;
-import org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceEntitlementException;
-import org.wso2.carbon.utils.CarbonUtils;
-
-import java.rmi.RemoteException;
-
-/**
- * This publishes the airavata-default-xacml-policy.xml to the PDP via PAP API (of WSO2 Identity Server)
- */
-public class DefaultPAPClient {
-
- private final static Logger logger = LoggerFactory.getLogger(DefaultPAPClient.class);
- private EntitlementPolicyAdminServiceStub entitlementPolicyAdminServiceStub;
-
- public DefaultPAPClient(String auhorizationServerURL, String username, String password,
- ConfigurationContext configCtx) throws AiravataSecurityException {
- try {
-
- String PDPURL = auhorizationServerURL + "EntitlementPolicyAdminService";
- entitlementPolicyAdminServiceStub = new EntitlementPolicyAdminServiceStub(configCtx, PDPURL);
- CarbonUtils.setBasicAccessSecurityHeaders(username, password, true,
- entitlementPolicyAdminServiceStub._getServiceClient());
- } catch (AxisFault e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error initializing XACML PEP client.");
- }
-
- }
-
- public boolean isPolicyAdded(String policyName) {
- try {
- PolicyDTO policyDTO = entitlementPolicyAdminServiceStub.getPolicy(policyName, false);
- } catch (RemoteException e) {
- logger.debug("Error in retrieving the policy.", e);
- return false;
- } catch (EntitlementPolicyAdminServiceEntitlementException e) {
- logger.debug("Error in retrieving the policy.", e);
- return false;
- }
- return true;
- }
-
- public void addPolicy(String policy) throws AiravataSecurityException {
- new Thread() {
- public void run() {
- try {
- PolicyDTO policyDTO = new PolicyDTO();
- policyDTO.setPolicy(policy);
- entitlementPolicyAdminServiceStub.addPolicy(policyDTO);
- entitlementPolicyAdminServiceStub.publishToPDP(new String[]{ServerSettings.getAuthorizationPoliyName()},
- EntitlementConstants.PolicyPublish.ACTION_CREATE, null, false, 0);
-
- //Since policy publishing happens asynchronously, we need to retrieve the status and verify.
- Thread.sleep(2000);
- PaginatedStatusHolder paginatedStatusHolder = entitlementPolicyAdminServiceStub.
- getStatusData(EntitlementConstants.Status.ABOUT_POLICY, ServerSettings.getAuthorizationPoliyName(),
- EntitlementConstants.StatusTypes.PUBLISH_POLICY, "*", 1);
- StatusHolder statusHolder = paginatedStatusHolder.getStatusHolders()[0];
- if (statusHolder.getSuccess() && EntitlementConstants.PolicyPublish.ACTION_CREATE.equals(statusHolder.getTargetAction())) {
- logger.info("Authorization policy is published successfully.");
- } else {
- throw new AiravataSecurityException("Failed to publish the authorization policy.");
- }
-
- //enable the published policy
- entitlementPolicyAdminServiceStub.enableDisablePolicy(ServerSettings.getAuthorizationPoliyName(), true);
- //Since policy enabling happens asynchronously, we need to retrieve the status and verify.
- Thread.sleep(2000);
- paginatedStatusHolder = entitlementPolicyAdminServiceStub.
- getStatusData(EntitlementConstants.Status.ABOUT_POLICY, ServerSettings.getAuthorizationPoliyName(),
- EntitlementConstants.StatusTypes.PUBLISH_POLICY, "*", 1);
- statusHolder = paginatedStatusHolder.getStatusHolders()[0];
- if (statusHolder.getSuccess() && EntitlementConstants.PolicyPublish.ACTION_ENABLE.equals(statusHolder.getTargetAction())) {
- logger.info("Authorization policy is enabled successfully.");
- } else {
- throw new AiravataSecurityException("Failed to enable the authorization policy.");
- }
- } catch (RemoteException e) {
- logger.error(e.getMessage(), e);
- } catch (InterruptedException e) {
- logger.error(e.getMessage(), e);
- } catch (ApplicationSettingsException e) {
- logger.error(e.getMessage(), e);
- } catch (AiravataSecurityException e) {
- logger.error(e.getMessage(), e);
- } catch (EntitlementPolicyAdminServiceEntitlementException e) {
- logger.error(e.getMessage(), e);
- }
- }
- }.start();
- }
-}
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
deleted file mode 100644
index 71ced3a..0000000
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.airavata.api.server.security;
-
-import org.apache.airavata.common.utils.Constants;
-import org.apache.airavata.model.security.AuthzToken;
-import org.apache.airavata.security.AiravataSecurityException;
-import org.apache.axis2.AxisFault;
-import org.apache.axis2.context.ConfigurationContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.w3c.dom.Document;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub;
-import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException;
-import org.wso2.carbon.utils.CarbonUtils;
-import org.xml.sax.SAXException;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.UnsupportedEncodingException;
-import java.rmi.Remote;
-import java.rmi.RemoteException;
-import java.util.Map;
-
-/**
- * This enforces XACML based fine grained authorization on the API calls, by authorizing the API calls
- * through default PDP which is WSO2 Identity Server.
- */
-public class DefaultXACMLPEP {
-
- private final static Logger logger = LoggerFactory.getLogger(DefaultXACMLPEP.class);
- private EntitlementServiceStub entitlementServiceStub;
-
- public DefaultXACMLPEP(String auhorizationServerURL, String username, String password,
- ConfigurationContext configCtx) throws AiravataSecurityException {
- try {
-
- String PDPURL = auhorizationServerURL + "EntitlementService";
- entitlementServiceStub = new EntitlementServiceStub(configCtx, PDPURL);
- CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, entitlementServiceStub._getServiceClient());
- } catch (AxisFault e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error initializing XACML PEP client.");
- }
-
- }
-
- /**
- * Send the XACML authorization request to XAML PDP and return the authorization decision.
- *
- * @param authzToken
- * @param metaData
- * @return
- */
- public boolean getAuthorizationDecision(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
- String decision;
- try {
- String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
- String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
- String decisionString = entitlementServiceStub.getDecisionByAttributes(subject, null, action, null);
- //parse the XML decision string and obtain the decision
- decision = parseDecisionString(decisionString);
- if (Constants.PERMIT.equals(decision)) {
- return true;
- } else {
- logger.error("Authorization decision is: " + decision);
- return false;
- }
- } catch (RemoteException e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error in authorizing the user.");
- } catch (EntitlementServiceException e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error in authorizing the user.");
- }
- }
-
- /**
- * This parses the XML based authorization response by the PDP and returns the decision string.
- *
- * @param decisionString
- * @return
- * @throws AiravataSecurityException
- */
- private String parseDecisionString(String decisionString) throws AiravataSecurityException {
- try {
- DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
- InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
- Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
- Node resultNode = doc.getDocumentElement().getFirstChild();
- Node decisionNode = resultNode.getFirstChild();
- String decision = decisionNode.getTextContent();
- return decision;
- } catch (ParserConfigurationException e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error in parsing XACML authorization response.");
- } catch (UnsupportedEncodingException e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error in parsing XACML authorization response.");
- } catch (SAXException e) {
- logger.error(e.getMessage(), e);
- throw new AiravataSecurityException("Error in parsing XACML authorization response.");
- } catch (IOException e) {
- logger.error("Error in parsing XACML authorization response.");
- throw new AiravataSecurityException("Error in parsing XACML authorization response.");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityCheck.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityCheck.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityCheck.java
deleted file mode 100644
index dc36211..0000000
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityCheck.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.airavata.api.server.security;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-import com.google.inject.BindingAnnotation;
-
-/**
- * This is just the definition of the annotation used to mark the API methods to be intercepted.
- */
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.METHOD})
-@BindingAnnotation
-public @interface SecurityCheck {
-}
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
deleted file mode 100644
index 2d35b1b..0000000
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.airavata.api.server.security;
-
-import org.aopalliance.intercept.MethodInterceptor;
-import org.aopalliance.intercept.MethodInvocation;
-import org.apache.airavata.common.exception.ApplicationSettingsException;
-import org.apache.airavata.common.utils.Constants;
-import org.apache.airavata.common.utils.ServerSettings;
-import org.apache.airavata.model.error.AuthorizationException;
-import org.apache.airavata.model.security.AuthzToken;
-import org.apache.airavata.security.AiravataSecurityException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * Interceptor of Airavata API calls for the purpose of applying security.
- */
-public class SecurityInterceptor implements MethodInterceptor {
- private final static Logger logger = LoggerFactory.getLogger(SecurityInterceptor.class);
-
- @Override
- public Object invoke(MethodInvocation invocation) throws Throwable {
- //obtain the authz token from the input parameters
- AuthzToken authzToken = (AuthzToken) invocation.getArguments()[0];
- //authorize the API call
- HashMap<String, String> metaDataMap = new HashMap();
- metaDataMap.put(Constants.API_METHOD_NAME, invocation.getMethod().getName());
- authorize(authzToken, metaDataMap);
- //set the user identity info in a thread local to be used in downstream execution.
- IdentityContext.set(authzToken);
- //let the method call procees upon successful authorization
- Object returnObj = invocation.proceed();
- //clean the identity context before the method call returns
- IdentityContext.unset();
- return returnObj;
- }
-
- private void authorize(AuthzToken authzToken, Map<String, String> metaData) throws AuthorizationException {
- try {
- boolean isAPISecured = ServerSettings.isAPISecured();
- if (isAPISecured) {
- //check in the cache
-
- //if not in the cache, perform authorization with the authorization server
- AiravataSecurityManager securityManager = SecurityManagerFactory.getSecurityManager();
- boolean isAuthz = securityManager.isUserAuthorized(authzToken, metaData);
- if (!isAuthz) {
- throw new AuthorizationException("User is not authenticated or authorized.");
- }
- //put the successful authorization decision in the cache
- }
- } catch (AiravataSecurityException e) {
- logger.error(e.getMessage(), e);
- throw new AuthorizationException("Error in authenticating or authorizing user.");
- } catch (ApplicationSettingsException e) {
- logger.error(e.getMessage(), e);
- throw new AuthorizationException("Internal error in authenticating or authorizing user.");
- }
- }
-}
-
-
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityManagerFactory.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityManagerFactory.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityManagerFactory.java
index 0b376a7..dc03b63 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityManagerFactory.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityManagerFactory.java
@@ -32,15 +32,12 @@ import org.slf4j.LoggerFactory;
*/
public class SecurityManagerFactory {
private final static Logger logger = LoggerFactory.getLogger(SecurityManagerFactory.class);
- private static Class secManagerImpl = null;
public static AiravataSecurityManager getSecurityManager() throws AiravataSecurityException {
try {
- if(secManagerImpl == null){
- secManagerImpl = Class.forName(ServerSettings.getSecurityManagerClassName());
- }
+ Class secManagerImpl = Class.forName(ServerSettings.getSecurityManagerClassName());
AiravataSecurityManager securityManager = (AiravataSecurityManager) secManagerImpl.newInstance();
- return securityManager;
+ return securityManager;
} catch (ClassNotFoundException e) {
String error = "Security Manager class could not be found.";
logger.error(e.getMessage(), e);
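Review bot: The new line `Class secManagerImpl = Class.forName(ServerSettings.getSecurityManagerClassName());` uses a raw `Class` type and the result of `newInstance()` is then cast unchecked, so a configured class name that does not implement `AiravataSecurityManager` surfaces as an uncaught ClassCastException instead of one of the handled exceptions. Prefer `Class<?> secManagerImpl = Class.forName(ServerSettings.getSecurityManagerClassName());` and, before the cast, check `AiravataSecurityManager.class.isAssignableFrom(secManagerImpl)` and throw `AiravataSecurityException` with a clear message when it fails. Since the static cache of the loaded class was removed, every call now performs a reflective lookup and instantiation; if that is deliberate, a one-line comment stating why would stop the next reader from re-adding the cache. getSecurityManager's body continues outside the hunk.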
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityModule.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityModule.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityModule.java
deleted file mode 100644
index 0b56221..0000000
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityModule.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.airavata.api.server.security;
-
-import com.google.inject.matcher.Matchers;
-import com.google.inject.AbstractModule;
-
-/**
- * This does the plumbing work of integrating the interceptor with Guice framework for the methods to be
- * intercepted upon their invocation.
- */
-public class SecurityModule extends AbstractModule {
- public void configure(){
- System.out.println("Security module reached...");
- SecurityInterceptor interceptor = new SecurityInterceptor();
- //requestInjection(interceptor);
-
- bindInterceptor(Matchers.any(), Matchers.annotatedWith(SecurityCheck.class), interceptor);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
new file mode 100644
index 0000000..a563caa
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
@@ -0,0 +1,61 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import javax.management.MXBean;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AuthzCache extends LinkedHashMap<AuthzCacheIndex, AuthzCacheEntry> {
+
+ private static int MAX_SIZE;
+ private final static Logger logger = LoggerFactory.getLogger(AuthzCache.class);
+
+ private static AuthzCache authzCache = null;
+
+ public static AuthzCache getInstance() throws ApplicationSettingsException {
+ if (authzCache == null) {
+ synchronized (AuthzCache.class) {
+ if (authzCache == null) {
+ authzCache = new AuthzCache(ServerSettings.getCacheSize());
+ }
+ }
+ }
+ return authzCache;
+ }
+
+ private AuthzCache(int initialCapacity) {
+ super(initialCapacity);
+ MAX_SIZE = initialCapacity;
+ }
+
+ @Override
+ protected boolean removeEldestEntry(Map.Entry<AuthzCacheIndex, AuthzCacheEntry> eldest) {
+ //TODO: following info log is for demonstration purposes. Remove it.
+ logger.info("Authz cache max size exceeded. Removing the old entries.");
+ return size() > MAX_SIZE;
+ }
+}
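Review bot: The singleton in `getInstance()` is a double-checked lock on a non-volatile static field, and the map itself is a plain `LinkedHashMap` shared across request threads, so concurrent reads and writes of cached authorization decisions are not safe without external synchronization. Declaring the field `private static volatile AuthzCache authzCache = null;` fixes the publication race; callers (not visible here) must still serialize access to the map, or the class should expose synchronized get/put wrappers, and that requirement belongs in a class Javadoc. `removeEldestEntry` also logs "max size exceeded" on every insertion, including when `size() > MAX_SIZE` is false; compute the boolean first and log only when it is true. Finally, `super(initialCapacity)` gives insertion-order eviction rather than LRU — if least-recently-used is intended, pass `accessOrder = true` via the three-argument constructor — and the unused `javax.management.MXBean` import can go.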
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCachedStatus.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCachedStatus.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCachedStatus.java
new file mode 100644
index 0000000..e166265
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCachedStatus.java
@@ -0,0 +1,34 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+/**
+ * This enum defines the status of the authorization cache returned by the authorization cache manager
+ * when an authorization status is checked against an authorization request.
+ */
+public enum AuthzCachedStatus {
+ /*Authorization decision is cached for the given authrization request and the decision authorizes the request.*/
+ AUTHORIZED,
+ /*Authorization decision is cached for the given authorization request and the decision denies authorization.*/
+ NOT_AUTHORIZED,
+ /*Authorization decision is not either cached or the cached entry is invalid such that re-authorization is needed.*/
+ NOT_CACHED
+}
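Review bot: The comment on `AUTHORIZED` misspells "authorization" as "authrization", and the `NOT_CACHED` comment ("is not either cached or ...") reads awkwardly; suggest `/* No decision is cached for the given authorization request, or the cached entry is invalid, so re-authorization is needed. */`. These descriptions of the enum constants would also surface in generated docs if written as `/** ... */` Javadoc rather than plain block comments.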
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityCheck.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityCheck.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityCheck.java
new file mode 100644
index 0000000..d4b4952
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityCheck.java
@@ -0,0 +1,36 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.interceptor;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import com.google.inject.BindingAnnotation;
+
+/**
+ * This is just the definition of the annotation used to mark the API methods to be intercepted.
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.METHOD})
+@BindingAnnotation
+public @interface SecurityCheck {
+}
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityInterceptor.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityInterceptor.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityInterceptor.java
new file mode 100644
index 0000000..1b4f0ad
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityInterceptor.java
@@ -0,0 +1,83 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.interceptor;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+import org.apache.airavata.api.server.security.AiravataSecurityManager;
+import org.apache.airavata.api.server.security.IdentityContext;
+import org.apache.airavata.api.server.security.SecurityManagerFactory;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.Constants;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.model.error.AuthorizationException;
+import org.apache.airavata.model.security.AuthzToken;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Interceptor of Airavata API calls for the purpose of applying security.
+ */
+public class SecurityInterceptor implements MethodInterceptor {
+ private final static Logger logger = LoggerFactory.getLogger(SecurityInterceptor.class);
+
+ @Override
+ public Object invoke(MethodInvocation invocation) throws Throwable {
+ //obtain the authz token from the input parameters
+ AuthzToken authzToken = (AuthzToken) invocation.getArguments()[0];
+ //authorize the API call
+ HashMap<String, String> metaDataMap = new HashMap();
+ metaDataMap.put(Constants.API_METHOD_NAME, invocation.getMethod().getName());
+ authorize(authzToken, metaDataMap);
+ //set the user identity info in a thread local to be used in downstream execution.
+ IdentityContext.set(authzToken);
+ //let the method call procees upon successful authorization
+ Object returnObj = invocation.proceed();
+ //clean the identity context before the method call returns
+ IdentityContext.unset();
+ return returnObj;
+ }
+
+ private void authorize(AuthzToken authzToken, Map<String, String> metaData) throws AuthorizationException {
+ try {
+ boolean isAPISecured = ServerSettings.isAPISecured();
+ if (isAPISecured) {
+ AiravataSecurityManager securityManager = SecurityManagerFactory.getSecurityManager();
+ boolean isAuthz = securityManager.isUserAuthorized(authzToken, metaData);
+ if (!isAuthz) {
+ throw new AuthorizationException("User is not authenticated or authorized.");
+ }
+ }
+ } catch (AiravataSecurityException e) {
+ logger.error(e.getMessage(), e);
+ throw new AuthorizationException("Error in authenticating or authorizing user.");
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AuthorizationException("Internal error in authenticating or authorizing user.");
+ }
+ }
+}
+
+
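Review bot: `IdentityContext.unset()` on the line after `invocation.proceed()` is skipped whenever the intercepted method throws, so on a pooled server thread the caller's identity stays in the thread-local and is visible to the next request that thread services. Clear it unconditionally: `IdentityContext.set(authzToken); try { return invocation.proceed(); } finally { IdentityContext.unset(); }`. The cast `(AuthzToken) invocation.getArguments()[0]` also assumes every `@SecurityCheck` method takes the token as its first parameter; a method annotated without one fails with an unchecked `ArrayIndexOutOfBoundsException` or `ClassCastException` instead of an `AuthorizationException`, so a guard such as `if (args.length == 0 || !(args[0] instanceof AuthzToken)) throw new AuthorizationException("Missing authorization token.");` would fail closed with a clear message. Minor: `new HashMap()` is a raw type; `new HashMap<>()` keeps the declared `HashMap<String, String>` element types.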
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityModule.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityModule.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityModule.java
new file mode 100644
index 0000000..f30dc9b
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/interceptor/SecurityModule.java
@@ -0,0 +1,41 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.interceptor;
+
+import com.google.inject.matcher.Matchers;
+import com.google.inject.AbstractModule;
+import org.apache.airavata.api.server.security.interceptor.SecurityCheck;
+import org.apache.airavata.api.server.security.interceptor.SecurityInterceptor;
+
+/**
+ * This does the plumbing work of integrating the interceptor with Guice framework for the methods to be
+ * intercepted upon their invocation.
+ */
+public class SecurityModule extends AbstractModule {
+ public void configure(){
+ System.out.println("Security module reached...");
+ SecurityInterceptor interceptor = new SecurityInterceptor();
+ //requestInjection(interceptor);
+
+ bindInterceptor(Matchers.any(), Matchers.annotatedWith(SecurityCheck.class), interceptor);
+ }
+
+}
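Review bot: `System.out.println("Security module reached...")` in `configure()` is a debug print that bypasses the SLF4J logging the rest of this commit uses; drop it or replace it with `logger.debug(...)` on a class-level logger as `SecurityInterceptor` does. `configure()` also lacks `@Override` although it overrides `AbstractModule.configure`, and the commented-out `//requestInjection(interceptor);` should either be restored (if the interceptor is meant to receive injected dependencies) or removed rather than left as dead code.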
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/oauth/DefaultOAuthClient.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/oauth/DefaultOAuthClient.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/oauth/DefaultOAuthClient.java
new file mode 100644
index 0000000..74b36cf
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/oauth/DefaultOAuthClient.java
@@ -0,0 +1,94 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.oauth;
+
+import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.ConfigurationContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
+import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
+import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken;
+import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO;
+import org.wso2.carbon.utils.CarbonUtils;
+
+import java.rmi.RemoteException;
+
+/**
+ * This is the default OAuth Client that talks to WSO2 IS's OAuth Authentication Server
+ * to get the OAuth token validated.
+ */
+public class DefaultOAuthClient {
+
+ private OAuth2TokenValidationServiceStub stub;
+ private final static Logger logger = LoggerFactory.getLogger(DefaultOAuthClient.class);
+ public static final String BEARER_TOKEN_TYPE = "bearer";
+
+ /**
+ * OAuth2TokenValidationService Admin Service Client
+ *
+ * @param auhorizationServerURL
+ * @param username
+ * @param password
+ * @param configCtx
+ * @throws Exception
+ */
+ public DefaultOAuthClient(String auhorizationServerURL, String username, String password,
+ ConfigurationContext configCtx) throws AiravataSecurityException {
+ try {
+ String serviceURL = auhorizationServerURL + "OAuth2TokenValidationService";
+ stub = new OAuth2TokenValidationServiceStub(configCtx, serviceURL);
+ CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, stub._getServiceClient());
+ } catch (AxisFault e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error initializing OAuth client.");
+ }
+ }
+
+ /**
+ * Validates the OAuth 2.0 access token
+ *
+ * @param accessToken
+ * @return
+ * @throws Exception
+ */
+ public OAuth2TokenValidationResponseDTO validateAccessToken(String accessToken)
+ throws AiravataSecurityException {
+
+ try {
+ OAuth2TokenValidationRequestDTO oauthReq = new OAuth2TokenValidationRequestDTO();
+ OAuth2TokenValidationRequestDTO_OAuth2AccessToken token =
+ new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
+ token.setIdentifier(accessToken);
+ token.setTokenType(BEARER_TOKEN_TYPE);
+ oauthReq.setAccessToken(token);
+ return stub.validate(oauthReq);
+ } catch (RemoteException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in validating the OAuth access token.");
+ } /*catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in reading OAuth configuration.");
+ }*/
+ }
+
+}
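Review bot: the `catch (AxisFault e)` block in the constructor and the `catch (RemoteException e)` block in `validateAccessToken` rethrow `AiravataSecurityException` with a fresh message and drop the original exception, so the remote failure only survives in the log; if `AiravataSecurityException` offers a `(String, Throwable)` constructor, pass `e` as the cause. The commented-out `catch (ApplicationSettingsException e)` block at the end of `validateAccessToken` is dead code and should be removed. Both Javadoc blocks declare `@throws Exception` while the signatures throw `AiravataSecurityException`, the `@return` tag is empty, and the parameter is spelled `auhorizationServerURL`; since `serviceURL` is built by plain concatenation, the constructor's Javadoc should state that the server URL must end with `/` (the shipped `remote.oauth.authorization.server` value presumably supplies it).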
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultPAPClient.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultPAPClient.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultPAPClient.java
new file mode 100644
index 0000000..110d4d3
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultPAPClient.java
@@ -0,0 +1,125 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.xacml;
+
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.ConfigurationContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceStub;
+import org.wso2.carbon.identity.entitlement.stub.dto.PaginatedStatusHolder;
+import org.wso2.carbon.identity.entitlement.stub.dto.PolicyDTO;
+import org.wso2.carbon.identity.entitlement.stub.dto.StatusHolder;
+import org.wso2.carbon.identity.entitlement.common.EntitlementConstants;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementPolicyAdminServiceEntitlementException;
+import org.wso2.carbon.utils.CarbonUtils;
+
+import java.rmi.RemoteException;
+
+/**
+ * This publishes the airavata-default-xacml-policy.xml to the PDP via PAP API (of WSO2 Identity Server)
+ */
+public class DefaultPAPClient {
+
+ private final static Logger logger = LoggerFactory.getLogger(DefaultPAPClient.class);
+ private EntitlementPolicyAdminServiceStub entitlementPolicyAdminServiceStub;
+
+ public DefaultPAPClient(String auhorizationServerURL, String username, String password,
+ ConfigurationContext configCtx) throws AiravataSecurityException {
+ try {
+
+ String PDPURL = auhorizationServerURL + "EntitlementPolicyAdminService";
+ entitlementPolicyAdminServiceStub = new EntitlementPolicyAdminServiceStub(configCtx, PDPURL);
+ CarbonUtils.setBasicAccessSecurityHeaders(username, password, true,
+ entitlementPolicyAdminServiceStub._getServiceClient());
+ } catch (AxisFault e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error initializing XACML PEP client.");
+ }
+
+ }
+
+ public boolean isPolicyAdded(String policyName) {
+ try {
+ PolicyDTO policyDTO = entitlementPolicyAdminServiceStub.getPolicy(policyName, false);
+ } catch (RemoteException e) {
+ logger.debug("Error in retrieving the policy.", e);
+ return false;
+ } catch (EntitlementPolicyAdminServiceEntitlementException e) {
+ logger.debug("Error in retrieving the policy.", e);
+ return false;
+ }
+ return true;
+ }
+
+ public void addPolicy(String policy) throws AiravataSecurityException {
+ new Thread() {
+ public void run() {
+ try {
+ PolicyDTO policyDTO = new PolicyDTO();
+ policyDTO.setPolicy(policy);
+ entitlementPolicyAdminServiceStub.addPolicy(policyDTO);
+ entitlementPolicyAdminServiceStub.publishToPDP(new String[]{ServerSettings.getAuthorizationPoliyName()},
+ EntitlementConstants.PolicyPublish.ACTION_CREATE, null, false, 0);
+
+ //Since policy publishing happens asynchronously, we need to retrieve the status and verify.
+ Thread.sleep(2000);
+ PaginatedStatusHolder paginatedStatusHolder = entitlementPolicyAdminServiceStub.
+ getStatusData(EntitlementConstants.Status.ABOUT_POLICY, ServerSettings.getAuthorizationPoliyName(),
+ EntitlementConstants.StatusTypes.PUBLISH_POLICY, "*", 1);
+ StatusHolder statusHolder = paginatedStatusHolder.getStatusHolders()[0];
+ if (statusHolder.getSuccess() && EntitlementConstants.PolicyPublish.ACTION_CREATE.equals(statusHolder.getTargetAction())) {
+ logger.info("Authorization policy is published successfully.");
+ } else {
+ throw new AiravataSecurityException("Failed to publish the authorization policy.");
+ }
+
+ //enable the published policy
+ entitlementPolicyAdminServiceStub.enableDisablePolicy(ServerSettings.getAuthorizationPoliyName(), true);
+ //Since policy enabling happens asynchronously, we need to retrieve the status and verify.
+ Thread.sleep(2000);
+ paginatedStatusHolder = entitlementPolicyAdminServiceStub.
+ getStatusData(EntitlementConstants.Status.ABOUT_POLICY, ServerSettings.getAuthorizationPoliyName(),
+ EntitlementConstants.StatusTypes.PUBLISH_POLICY, "*", 1);
+ statusHolder = paginatedStatusHolder.getStatusHolders()[0];
+ if (statusHolder.getSuccess() && EntitlementConstants.PolicyPublish.ACTION_ENABLE.equals(statusHolder.getTargetAction())) {
+ logger.info("Authorization policy is enabled successfully.");
+ } else {
+ throw new AiravataSecurityException("Failed to enable the authorization policy.");
+ }
+ } catch (RemoteException e) {
+ logger.error(e.getMessage(), e);
+ } catch (InterruptedException e) {
+ logger.error(e.getMessage(), e);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ } catch (AiravataSecurityException e) {
+ logger.error(e.getMessage(), e);
+ } catch (EntitlementPolicyAdminServiceEntitlementException e) {
+ logger.error(e.getMessage(), e);
+ }
+ }
+ }.start();
+ }
+}
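Review bot: `addPolicy` runs its whole body on a detached `Thread` and catches `AiravataSecurityException` inside `run()`, so the `throws AiravataSecurityException` on the signature can never fire and a failure to publish or enable the authorization policy is only logged while the caller continues as if the policy were in place. Either perform the work synchronously and let the exception propagate, or hand back a `Future` the caller must check; in both cases the `InterruptedException` handler should call `Thread.currentThread().interrupt()` rather than only logging. `paginatedStatusHolder.getStatusHolders()[0]` is indexed twice without a length check, so an empty status page kills the thread with an uncaught `ArrayIndexOutOfBoundsException`; a guard such as `if (holders == null || holders.length == 0) throw new AiravataSecurityException("No publish status returned for the policy.");` fails closed with a clear message. The enable step queries `StatusTypes.PUBLISH_POLICY` again rather than an enable-specific status type — presumably intended, but worth confirming against the entitlement API. The constructor's message says `XACML PEP client` although this class is the PAP client, and `isPolicyAdded` assigns `policyDTO` without using it.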
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
----------------------------------------------------------------------
diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
index af8ca96..dba0525 100644
--- a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
+++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
@@ -42,6 +42,7 @@ public final class Constants {
public static final String KEYSTORE_PATH = "keystore.path";
public static final String KEYSTORE_PASSWORD = "keystore.password";
public static final String TLS_CLIENT_TIMEOUT = "TLS.client.timeout";
+
public static final String API_METHOD_NAME = "api.method.name";
//constants in XACML authorization response.
@@ -52,6 +53,12 @@ public final class Constants {
public static final String AUTHORIZATION_POLICY_NAME = "authorization.policy";
+ public static final String AUTHZ_CACHE_MANAGER_CLASS = "authz.cache.manager.class";
+
+ public static final String AUTHZ_CACHE_ENABLED = "authz.cache.enabled";
+
+ public static final String IN_MEMORY_CACHE_SIZE = "in.memory.cache.size";
+
//Names of the attributes that could be passed in the AuthzToken's claims map.
public static final String USER_NAME = "userName";
public static final String EMAIL = "email";
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
----------------------------------------------------------------------
diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
index d87da70..b47a939 100644
--- a/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
+++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/ServerSettings.java
@@ -30,25 +30,25 @@ import org.slf4j.LoggerFactory;
public class ServerSettings extends ApplicationSettings {
- private static final Logger log = LoggerFactory.getLogger(ServerSettings.class);
+ private static final Logger log = LoggerFactory.getLogger(ServerSettings.class);
private static final String DEFAULT_USER = "default.registry.user";
private static final String DEFAULT_USER_PASSWORD = "default.registry.password";
- private static final String DEFAULT_USER_GATEWAY = "default.registry.gateway";
- private static final String OUTPUT_LOCATION = "out.location";
+ private static final String DEFAULT_USER_GATEWAY = "default.registry.gateway";
+ private static final String OUTPUT_LOCATION = "out.location";
private static final String SERVER_CONTEXT_ROOT = "server.context-root";
public static final String IP = "ip";
// Orchestrator Constants
public static final String ORCHESTRATOR_SERVER_HOST = "orchestrator.server.host";
public static final String ORCHESTRATOR_SERVER_PORT = "orchestrator.server.port";
- public static final String ORCHESTRATOR_SERVER_NAME = "orchestrator.server.name";
- // Gfac constants
+ public static final String ORCHESTRATOR_SERVER_NAME = "orchestrator.server.name";
+ // Gfac constants
public static final String GFAC_SERVER_HOST = "gfac.server.host";
public static final String GFAC_SERVER_PORT = "gfac.server.port";
public static final String GFAC_SERVER_NAME = "gfac.server.name";
public static final String GFAC_THREAD_POOL_SIZE = "gfac.thread.pool.size";
- public static final int DEFAULT_GFAC_THREAD_POOL_SIZE = 50;
+ public static final int DEFAULT_GFAC_THREAD_POOL_SIZE = 50;
public static final String GFAC_CONFIG_XML = "gfac-config.xml";
// Credential Store constants
public static final String CREDENTIAL_SERVER_HOST = "credential.store.server.host";
@@ -99,9 +99,9 @@ public class ServerSettings extends ApplicationSettings {
private static boolean stopAllThreads = false;
private static boolean emailBaseNotificationEnable;
- private static String outputLocation;
+ private static String outputLocation;
- public static String getDefaultUser() throws ApplicationSettingsException {
+ public static String getDefaultUser() throws ApplicationSettingsException {
return getSetting(DEFAULT_USER);
}
@@ -281,7 +281,7 @@ public class ServerSettings extends ApplicationSettings {
return getSetting(Constants.ADMIN_PASSWORD);
}
- public static String getAuthorizationPoliyName() throws ApplicationSettingsException{
+ public static String getAuthorizationPoliyName() throws ApplicationSettingsException {
return getSetting(Constants.AUTHORIZATION_POLICY_NAME);
}
@@ -289,9 +289,9 @@ public class ServerSettings extends ApplicationSettings {
return getSetting(ZOOKEEPER_SERVER_CONNECTION, "localhost:2181");
}
- public static int getZookeeperTimeout() {
- return Integer.valueOf(getSetting(ZOOKEEPER_TIMEOUT, "3000"));
- }
+ public static int getZookeeperTimeout() {
+ return Integer.valueOf(getSetting(ZOOKEEPER_TIMEOUT, "3000"));
+ }
public static String getGFacServerName() throws ApplicationSettingsException {
return getSetting(GFAC_SERVER_NAME);
@@ -308,43 +308,47 @@ public class ServerSettings extends ApplicationSettings {
public static int getGFacThreadPoolSize() {
try {
String threadPoolSize = getSetting(GFAC_THREAD_POOL_SIZE);
- if (threadPoolSize != null && !threadPoolSize.isEmpty()) {
- return Integer.valueOf(threadPoolSize);
- } else {
- log.warn("Thread pool size is not configured, use default gfac thread pool size " +
- DEFAULT_GFAC_THREAD_POOL_SIZE);
- }
+ if (threadPoolSize != null && !threadPoolSize.isEmpty()) {
+ return Integer.valueOf(threadPoolSize);
+ } else {
+ log.warn("Thread pool size is not configured, use default gfac thread pool size " +
+ DEFAULT_GFAC_THREAD_POOL_SIZE);
+ }
} catch (ApplicationSettingsException e) {
- log.warn("Couldn't read thread pool size from configuration on exception, use default gfac thread pool " +
- "size " + DEFAULT_GFAC_THREAD_POOL_SIZE);
+ log.warn("Couldn't read thread pool size from configuration on exception, use default gfac thread pool " +
+ "size " + DEFAULT_GFAC_THREAD_POOL_SIZE);
}
- return DEFAULT_GFAC_THREAD_POOL_SIZE;
+ return DEFAULT_GFAC_THREAD_POOL_SIZE;
}
- public static String getOrchestratorServerName() throws ApplicationSettingsException {
- return getSetting(ORCHESTRATOR_SERVER_NAME);
- }
+ public static String getOrchestratorServerName() throws ApplicationSettingsException {
+ return getSetting(ORCHESTRATOR_SERVER_NAME);
+ }
- public static String getOrchestratorServerHost() throws ApplicationSettingsException {
- return getSetting(ORCHESTRATOR_SERVER_HOST);
- }
+ public static String getOrchestratorServerHost() throws ApplicationSettingsException {
+ return getSetting(ORCHESTRATOR_SERVER_HOST);
+ }
- public static int getOrchestratorServerPort() throws ApplicationSettingsException {
- return Integer.valueOf(getSetting(ORCHESTRATOR_SERVER_PORT));
- }
+ public static int getOrchestratorServerPort() throws ApplicationSettingsException {
+ return Integer.valueOf(getSetting(ORCHESTRATOR_SERVER_PORT));
+ }
public static boolean isTLSEnabled() throws ApplicationSettingsException {
return Boolean.valueOf(getSetting(Constants.IS_TLS_ENABLED));
}
+
public static int getTLSServerPort() throws ApplicationSettingsException {
return Integer.valueOf(getSetting(Constants.TLS_SERVER_PORT));
}
+
public static String getKeyStorePath() throws ApplicationSettingsException {
return getSetting(Constants.KEYSTORE_PATH);
}
+
public static String getKeyStorePassword() throws ApplicationSettingsException {
return getSetting(Constants.KEYSTORE_PASSWORD);
}
+
public static int getTLSClientTimeout() throws ApplicationSettingsException {
return Integer.valueOf(getSetting(Constants.TLS_CLIENT_TIMEOUT));
}
@@ -353,7 +357,19 @@ public class ServerSettings extends ApplicationSettings {
return getSetting(Constants.SECURITY_MANAGER_CLASS);
}
- public static String getOutputLocation() {
- return getSetting(OUTPUT_LOCATION, System.getProperty("java.io.tmpdir"));
- }
+ public static String getAuthzCacheManagerClassName() throws ApplicationSettingsException {
+ return getSetting(Constants.AUTHZ_CACHE_MANAGER_CLASS);
+ }
+
+ public static boolean isAuthzCacheEnabled() throws ApplicationSettingsException {
+ return Boolean.valueOf(getSetting(Constants.AUTHZ_CACHE_ENABLED));
+ }
+
+ public static int getCacheSize() throws ApplicationSettingsException {
+ return Integer.valueOf(getSetting(Constants.IN_MEMORY_CACHE_SIZE));
+ }
+
+ public static String getOutputLocation() {
+ return getSetting(OUTPUT_LOCATION, System.getProperty("java.io.tmpdir"));
+ }
}
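Review bot: `getCacheSize()` lets a present-but-malformed `in.memory.cache.size` escape `Integer.valueOf` as an unchecked `NumberFormatException`, unlike `getGFacThreadPoolSize()` in the hunk above, which falls back to a default and logs a warning; consider `getSetting(Constants.IN_MEMORY_CACHE_SIZE, "1000")` (the value shipped in airavata-server.properties) or wrapping the parse in `ApplicationSettingsException` so configuration errors surface consistently. `isAuthzCacheEnabled()` relies on `Boolean.valueOf`, which yields `false` for anything other than the literal `true` (e.g. `yes` or `1`), so a typo silently disables the cache; a `log.warn` on unrecognised values would make that visible. The three new accessors have no Javadoc; a one-line summary each, naming the property key read, would match the `@throws ApplicationSettingsException` already on the signatures. The enclosing `ServerSettings` class body starts before this hunk.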
http://git-wip-us.apache.org/repos/asf/airavata/blob/27774766/modules/configuration/server/src/main/resources/airavata-server.properties
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-server.properties b/modules/configuration/server/src/main/resources/airavata-server.properties
index 58a42a3..fb57382 100644
--- a/modules/configuration/server/src/main/resources/airavata-server.properties
+++ b/modules/configuration/server/src/main/resources/airavata-server.properties
@@ -229,14 +229,24 @@ zookeeper.timeout=30000
########################################################################
api.secured=true
security.manager.class=org.apache.airavata.api.server.security.DefaultAiravataSecurityManager
+### TLS related configuration ####
TLS.enabled=true
TLS.api.server.port=9930
TLS.client.timeout=10000
+#### keystore configuration ####
keystore.path=airavata.jks
keystore.password=airavata
+#### trust store configuration ####
trust.store=client_truststore.jks
trust.store.password=airavata
+#### remote authorization server url ####
remote.oauth.authorization.server=https://localhost:9443/services/
+#### xacml based authorization policy ####
authorization.policy=airavata-default-xacml-policy
+#### authorization cache related configuration ####
+authz.cache.enabled=true
+authz.cache.manager.class=org.apache.airavata.api.server.security.cache.DefaultAuthzCacheManager
+in.memory.cache.size=1000
+#### admin user credentials of authorization server ####
admin.user.name=admin
admin.password=admin
\ No newline at end of file
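Review bot: `authz.cache.manager.class` names `org.apache.airavata.api.server.security.cache.DefaultAuthzCacheManager`, while the cache status enum added in this commit lives in `org.apache.airavata.api.server.security.authzcache`; if the manager class sits in the same package as the enum, this value fails to load at runtime, so please verify the package name before merging. With `authz.cache.enabled=true` shipped as the default, a cached authorization decision is reused until it is evicted, so token revocation or policy changes take effect only after that delay; no expiry or TTL key is added here, and how long a decision stays valid is not visible from this file, which the comment above these keys should state. `keystore.password`, `trust.store.password` and `admin.password` are plaintext defaults in a file checked into the repository; a comment in this section saying deployments must override them, or source them from an external secrets store, would make the expectation explicit.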