1 /*
2  * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6  * and is available at http://www.eclipse.org/legal/epl-v10.html
7  */
8
9 package org.opendaylight.aaa.authz.srv;
10
11 import java.util.List;
12 import org.opendaylight.aaa.api.Authentication;
13 import org.opendaylight.aaa.api.AuthenticationService;
14 import org.opendaylight.controller.config.yang.config.aaa_authz.srv.Policies;
15 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
16 import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType;
17 import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.AuthorizationResponseType;
18 import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
19
20 /**
21  * @author lmukkama Date: 9/2/14
22  */
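/**
 * Role-based authorization checks for MD-SAL data store requests.
 *
 * <p>A request is authorized when the caller holds the role of at least one configured policy
 * whose resource (or the {@code "*"} wildcard) and action (or {@code Any}) match the request.
 * Action names are compared case-insensitively because the config yang models the action as a
 * plain string.
 *
 * <p>Policies are installed via {@link #setPolicies(List)} and read by every check. The field is
 * {@code volatile} and each check works on a snapshot taken at the start of the call, so a
 * concurrent {@code setPolicies(null)} cannot turn a passed null-check into a
 * {@link NullPointerException} halfway through the evaluation (NOTE(review): the threading of the
 * config push versus request handling is not visible here — confirm).
 *
 * @author lmukkama Date: 9/2/14
 */
public class AuthzServiceImpl {

    /** Active policy set; {@code null} or empty means no authorization policies are configured. */
    private static volatile List<Policies> listPolicies;

    /** Policy resource value that matches any {@link YangInstanceIdentifier}. */
    private static final String WILDCARD_TOKEN = "*";

    /**
     * Checks whether the current caller may perform {@code actionType} on the given path.
     *
     * @param logicalDatastoreType the target data store
     * @param yangInstanceIdentifier the target path
     * @param actionType the requested action
     * @return {@code true} iff {@link #reqAuthorization(ActionType, LogicalDatastoreType,
     *     YangInstanceIdentifier)} yields {@link AuthorizationResponseType#Authorized}
     */
    public static boolean isAuthorized(LogicalDatastoreType logicalDatastoreType,
            YangInstanceIdentifier yangInstanceIdentifier, ActionType actionType) {
        return reqAuthorization(actionType, logicalDatastoreType, yangInstanceIdentifier)
                == AuthorizationResponseType.Authorized;
    }

    /**
     * Checks whether the current caller may perform {@code actionType}, independent of any path.
     *
     * @param actionType the requested action
     * @return {@code true} iff {@link #reqAuthorization(ActionType)} yields
     *     {@link AuthorizationResponseType#Authorized}
     */
    public static boolean isAuthorized(ActionType actionType) {
        return reqAuthorization(actionType) == AuthorizationResponseType.Authorized;
    }

    /**
     * Replaces the active policy set.
     *
     * <p>The list is stored as given (not copied); callers must not mutate it afterwards. Passing
     * {@code null} or an empty list disables policy evaluation — see the two
     * {@code reqAuthorization} overloads for what each returns in that case.
     *
     * @param policies the new policies, may be {@code null}
     */
    public static void setPolicies(List<Policies> policies) {
        listPolicies = policies;
    }

    /**
     * Path-independent authorization decision for {@code actionType}.
     *
     * <p>Fails closed: when no authentication service is available, no policies are configured, or
     * the caller carries no roles, the result is {@link AuthorizationResponseType#NotAuthorized}.
     *
     * @param actionType the requested action; if {@code null}, only {@code Any} policies can match
     * @return the authorization decision
     */
    public static AuthorizationResponseType reqAuthorization(ActionType actionType) {
        // Snapshot so that the list checked for emptiness is the one we iterate.
        List<Policies> policies = listPolicies;
        Authentication authentication = currentAuthentication(policies);
        if (authentication == null) {
            return AuthorizationResponseType.NotAuthorized;
        }
        return checkAuthorization(policies, actionType, authentication);
    }

    /**
     * Authorization decision for {@code actionType} on {@code yangInstanceIdentifier}.
     *
     * <p>NOTE(review): unlike {@link #reqAuthorization(ActionType)}, this overload fails
     * <em>open</em>: when no authentication service is available, no policies are configured, or
     * the caller carries no roles, it returns {@link AuthorizationResponseType#Authorized}. This
     * is the original behaviour and presumably allows data-store access before authorization has
     * been configured; confirm that this default is intended, since the two overloads disagree.
     *
     * @param actionType the requested action; if {@code null}, only {@code Any} policies can match
     * @param logicalDatastoreType the target data store (not consulted by any policy field)
     * @param yangInstanceIdentifier the target path, compared with the policy resource via its
     *     {@code toString()}; if {@code null}, only wildcard resources can match
     * @return the authorization decision
     */
    public static AuthorizationResponseType reqAuthorization(ActionType actionType,
            LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
        // Snapshot so that the list checked for emptiness is the one we iterate.
        List<Policies> policies = listPolicies;
        Authentication authentication = currentAuthentication(policies);
        if (authentication == null) {
            return AuthorizationResponseType.Authorized;
        }
        return checkAuthorization(policies, actionType, authentication, yangInstanceIdentifier);
    }

    /**
     * Resolves the caller's authentication claim when policy evaluation is possible.
     *
     * @param policies the policy snapshot the caller will evaluate against
     * @return the claim, or {@code null} when there is no authentication service, no configured
     *     policies, or the claim carries no roles
     */
    private static Authentication currentAuthentication(List<Policies> policies) {
        AuthenticationService authenticationService = AuthzDomDataBroker.getInstance()
                .getAuthService();
        if (authenticationService == null || policies == null || policies.isEmpty()) {
            return null;
        }
        Authentication authentication = authenticationService.get();
        if (authentication == null || authentication.roles() == null
                || authentication.roles().isEmpty()) {
            return null;
        }
        return authentication;
    }

    /**
     * Evaluates {@code policies} against a path-qualified request.
     *
     * @return {@code Authorized} on the first policy whose role, resource and action all match,
     *     otherwise {@code NotAuthorized}
     */
    private static AuthorizationResponseType checkAuthorization(List<Policies> policies,
            ActionType actionType, Authentication authentication,
            YangInstanceIdentifier yangInstanceIdentifier) {
        for (Policies policy : policies) {
            if (policy != null
                    && roleMatches(policy, authentication)
                    && resourceMatches(policy, yangInstanceIdentifier)
                    && actionMatches(policy, actionType)) {
                return AuthorizationResponseType.Authorized;
            }
        }
        // For helium release we unauthorize other requests.
        return AuthorizationResponseType.NotAuthorized;
    }

    /**
     * Evaluates {@code policies} against a path-independent request.
     *
     * @return {@code Authorized} on the first policy whose role and action match, otherwise
     *     {@code NotAuthorized}
     */
    private static AuthorizationResponseType checkAuthorization(List<Policies> policies,
            ActionType actionType, Authentication authentication) {
        for (Policies policy : policies) {
            if (policy != null
                    && roleMatches(policy, authentication)
                    && actionMatches(policy, actionType)) {
                return AuthorizationResponseType.Authorized;
            }
        }
        return AuthorizationResponseType.NotAuthorized;
    }

    /** True when the caller holds the policy's role; a policy without a role never matches. */
    private static boolean roleMatches(Policies policy, Authentication authentication) {
        return policy.getRole() != null
                && authentication.roles().contains(policy.getRole().getValue());
    }

    /**
     * True when the policy resource is the wildcard or equals the path's string form; a policy
     * without a resource never matches, and a {@code null} path only matches the wildcard.
     */
    private static boolean resourceMatches(Policies policy,
            YangInstanceIdentifier yangInstanceIdentifier) {
        if (policy.getResource() == null) {
            return false;
        }
        String resource = policy.getResource().getValue();
        if (WILDCARD_TOKEN.equals(resource)) {
            return true;
        }
        return resource != null && yangInstanceIdentifier != null
                && resource.equals(yangInstanceIdentifier.toString());
    }

    /**
     * True when the policy action is {@code Any} or names the requested action. The comparison is
     * case-insensitive and locale-independent (equalsIgnoreCase rather than toLowerCase, which the
     * path-qualified check previously used); a policy without an action never matches.
     */
    private static boolean actionMatches(Policies policy, ActionType actionType) {
        String action = policy.getAction();
        if (action == null) {
            return false;
        }
        return action.equalsIgnoreCase(ActionType.Any.name())
                || (actionType != null && action.equalsIgnoreCase(actionType.name()));
    }
}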