Posted to commits@airavata.apache.org by sm...@apache.org on 2015/08/17 06:09:06 UTC
[04/10] airavata git commit: adding XACML based fine grained
authorization on API calls.
adding XACML based fine grained authorization on API calls.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/d3ac7ceb
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/d3ac7ceb
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/d3ac7ceb
Branch: refs/heads/master
Commit: d3ac7ceb611b3ed853e828c8492927020aacc72a
Parents: 9c02f24
Author: hasinitg <ha...@gmail.com>
Authored: Sat Aug 1 16:01:13 2015 +0530
Committer: hasinitg <ha...@gmail.com>
Committed: Sat Aug 1 16:01:13 2015 +0530
----------------------------------------------------------------------
.../api/server/security/DefaultXACMLPEP.java | 54 +++++++++++++++++---
.../server/security/SecurityInterceptor.java | 1 -
distribution/src/main/assembly/bin-assembly.xml | 1 +
.../apache/airavata/common/utils/Constants.java | 6 +++
.../resources/airavata-default-xacml-policy.xml | 33 +++++++-----
.../airavata/secure/sample/SecureClient.java | 5 +-
6 files changed, 79 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
index 371b35d..e61904c 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultXACMLPEP.java
@@ -27,10 +27,21 @@ import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub;
import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException;
import org.wso2.carbon.utils.CarbonUtils;
+import org.xml.sax.SAXException;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.util.Map;
@@ -71,10 +82,15 @@ public class DefaultXACMLPEP {
String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
String decisionString = entitlementServiceStub.getDecisionByAttributes(subject, null, action, null);
//parse the XML decision string and obtain the decision
-
- if ("NotApplicable".equals(decision) || "Indeterminate".equals(decision) || decision == null) {
- logger.error("Authorization Decision is: " + decision);
+ decision = parseDecisionString(decisionString);
+ if (Constants.NOT_APPLICABLE.equals(decision) || Constants.INDETERMINATE.equals(decision) ||
+ Constants.DENY.equals(decision) || decision == null) {
+ logger.error("Authorization decision is: " + decision);
throw new AiravataSecurityException("Error in authorizing the user.");
+ } else if (Constants.PERMIT.equals(decision)) {
+ return true;
+ } else {
+ return false;
}
} catch (RemoteException e) {
logger.error(e.getMessage(), e);
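Review bot: The trailing `else { return false; }` added after the Permit branch denies silently for any decision text that is none of the four XACML values (an empty element, an unexpected spelling), with no log line, while the branch just above it logs and throws for the expected negative outcomes. Since parseDecisionString already throws on a malformed response, the two branches can be collapsed so every non-Permit outcome is reported the same way: keep `logger.error("Authorization decision is: " + decision);` and the throw for `!Constants.PERMIT.equals(decision)`, then `return true;`. The `decision == null` test is evaluated last and is safe only because each constant sits on the left of `equals`; placing it first reads more clearly. The enclosing method begins before and ends after this hunk.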
@@ -83,10 +99,36 @@ public class DefaultXACMLPEP {
logger.error(e.getMessage(), e);
throw new AiravataSecurityException("Error in authorizing the user.");
}
- return Boolean.valueOf(decision);
}
- private String parseDecisionString(String decisionString) {
-
+ /**
+ * This parses the XML based authorization response by the PDP and returns the decision string.
+ *
+ * @param decisionString
+ * @return
+ * @throws AiravataSecurityException
+ */
+ private String parseDecisionString(String decisionString) throws AiravataSecurityException {
+ try {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
+ Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
+ Node resultNode = doc.getDocumentElement().getFirstChild();
+ Node decisionNode = resultNode.getFirstChild();
+ String decision = decisionNode.getTextContent();
+ return decision;
+ } catch (ParserConfigurationException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (UnsupportedEncodingException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (SAXException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (IOException e) {
+ logger.error("Error in parsing XACML authorization response.");
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ }
}
}
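Review bot: parseDecisionString feeds text received from the entitlement service into a `DocumentBuilderFactory` with default settings, so DTD declarations and external entity references in that response would be processed; the factory should be hardened before `newDocumentBuilder()` (`XMLConstants.FEATURE_SECURE_PROCESSING` and the Xerces `disallow-doctype-decl` feature, both of which throw the `ParserConfigurationException` already caught here; `javax.xml.XMLConstants` needs importing). Locating the decision via `getDocumentElement().getFirstChild().getFirstChild()` is also fragile: if the PDP pretty-prints its response, the first child of the root is a whitespace text node, its own first child is null, and the resulting NullPointerException is not among the caught types. Looking the element up by name avoids that, and uses the `NodeList` import this hunk adds but never references. The `catch (IOException e)` block is the only one that logs without passing `e`, so the cause is lost there; change it to `logger.error(e.getMessage(), e);` like its siblings.
```java
private String parseDecisionString(String decisionString) throws AiravataSecurityException {
    try {
        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
        // The response arrives over the network: refuse DTDs and entity expansion before parsing.
        docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        docBuilderFactory.setExpandEntityReferences(false);
        InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
        Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
        // Look the element up by name so whitespace text nodes around <Result> are not mistaken for it.
        NodeList decisionNodes = doc.getElementsByTagNameNS("*", "Decision");
        if (decisionNodes.getLength() == 0) {
            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
        }
        return decisionNodes.item(0).getTextContent();
    // … unchanged: catch blocks, with the IOException one now passing e to logger.error …
```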
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
index ff47e5a..1f9cd90 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/SecurityInterceptor.java
@@ -45,7 +45,6 @@ public class SecurityInterceptor implements MethodInterceptor {
//obtain the authz token from the input parameters
AuthzToken authzToken = (AuthzToken) invocation.getArguments()[0];
//authorize the API call
- System.out.println("METHOD NAME: " + invocation.getMethod().getName());
HashMap<String, String> metaDataMap = new HashMap();
metaDataMap.put(Constants.API_METHOD_NAME, invocation.getMethod().getName());
authorize(authzToken, metaDataMap);
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/distribution/src/main/assembly/bin-assembly.xml
----------------------------------------------------------------------
diff --git a/distribution/src/main/assembly/bin-assembly.xml b/distribution/src/main/assembly/bin-assembly.xml
index c00c2e2..e399291 100644
--- a/distribution/src/main/assembly/bin-assembly.xml
+++ b/distribution/src/main/assembly/bin-assembly.xml
@@ -105,6 +105,7 @@
<include>gsissh.properties</include>
<include>airavata.jks</include>
<include>client_truststore.jks</include>
+ <include>airavata-default-xacml-policy.xml</include>
</includes>
</fileSet>
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
----------------------------------------------------------------------
diff --git a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
index e373316..215a313 100644
--- a/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
+++ b/modules/commons/src/main/java/org/apache/airavata/common/utils/Constants.java
@@ -44,6 +44,12 @@ public final class Constants {
public static final String TLS_CLIENT_TIMEOUT = "TLS.client.timeout";
public static final String API_METHOD_NAME = "api.method.name";
+ //constants in XACML authorization response.
+ public static final String NOT_APPLICABLE = "NotApplicable";
+ public static final String INDETERMINATE = "Indeterminate";
+ public static final String DENY = "Deny";
+ public static final String PERMIT = "Permit";
+
//Names of the attributes that could be passed in the AuthzToken's claims map.
public static final String USER_NAME = "userName";
public static final String EMAIL = "email";
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
index 7aa42fe..ab3208d 100644
--- a/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
+++ b/modules/configuration/server/src/main/resources/airavata-default-xacml-policy.xml
@@ -1,4 +1,4 @@
-<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="airavata-policy-uploaded"
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="airavata-policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Target/>
<Rule Effect="Permit" RuleId="admin-permit">
@@ -29,18 +29,25 @@
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?:(?!
- /airavata/addGateway|
- /airavata/deleteteway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/updateGateway|
- /airavata/getExperimentStatistics).)*$\r?\n?
- </AttributeValue>
+/airavata/addGateway|
+/airavata/deleteteway|
+/airavata/updateGateway|
+/airavata/registerApplicationModule|
+/airavata/deleteApplicationModule|
+/airavata/getAllApplicationInterfaces|
+/airavata/updateApplicationInterface|
+/airavata/deleteApplicationInterface|
+/airavata/getAllComputeResourceNames|
+/airavata/getAllApplicationDeployments|
+/airavata/updateApplicationDeployment|
+/airavata/registerApplicationDeployment|
+/airavata/deleteApplicationDeployment|
+/airavata/getAllAppModules|
+/airavata/getApplicationInterface|
+/airavata/getApplicationInputs|
+/airavata/getApplicationOutputs|
+/airavata/getExperimentStatistics).)*$\r?\n?
+</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
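Review bot: The rewritten restricted-action list still carries `/airavata/deleteteway` (second alternative), so the action `/airavata/deleteGateway` is not covered by the negative lookahead and would fall through to whatever the enclosing rule permits; it should read `/airavata/deleteGateway`. Each alternative is also separated from the preceding `|` by a line break, so as written every alternative begins with a newline character (and the first begins right after `(?!`); unless the PDP's regex evaluation strips whitespace, none of them can match an action value such as `/airavata/addGateway` and the restriction would not be enforced — worth verifying against the engine, or joining the alternation onto one line. The enclosing `<Rule>` starts before this hunk.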
http://git-wip-us.apache.org/repos/asf/airavata/blob/d3ac7ceb/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
----------------------------------------------------------------------
diff --git a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
index 36b1783..ac34c18 100644
--- a/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
+++ b/samples/java-client/secure-client/src/main/java/org/apache/airavata/secure/sample/SecureClient.java
@@ -151,6 +151,9 @@ public class SecureClient {
}
} else if (grantType == 2) {
System.out.println("Obtaining OAuth access token via 'Client Credential' grant type...' grant type....");
+ System.out.println("Please enter the user name to be passed: ");
+ String userNameInput = scanner.next();
+ userName = userNameInput.trim();
}
/***************************** Finish obtaining input from user*******************************************/
@@ -176,7 +179,7 @@ public class SecureClient {
AuthzToken authzToken = new AuthzToken();
authzToken.setAccessToken(acTk);
Map<String, String> claimsMap = new HashMap<>();
- claimsMap.put("userName", "hasinitg");
+ claimsMap.put("userName", userName);
claimsMap.put("email", "hasini@gmail.com");
authzToken.setClaimsMap(claimsMap);
String version = client.getAPIVersion(authzToken);
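Review bot: `claimsMap.put("userName", userName)` now sends whatever name was typed at the prompt (hunk at line 151) alongside the access token, so the subject the server authorizes against is supplied by the client rather than derived from the token; presumably the server validates the claim against the token's subject, but that expectation is not stated anywhere in this sample and should be, e.g. `// the server is expected to verify this claim against the access token's subject`. The `email` claim on the next line stays hard-coded to one person's address while `userName` became an input, which makes the two claims inconsistent for any other user. The `userName` variable assigned in the first hunk is declared outside both hunks, and the enclosing main method extends beyond them.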