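/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.gateway.webappsec.deploy;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Map.Entry;

import org.apache.hadoop.gateway.deploy.DeploymentContext;
import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
import org.apache.hadoop.gateway.topology.Provider;
import org.apache.hadoop.gateway.topology.Service;

/**
 * Deployment contributor for the "webappsec" provider role.
 *
 * <p>Contributes up to three servlet filters to each resource, each one
 * opt-in via a provider parameter that must be exactly the string
 * {@code "true"} (the comparison is case-sensitive, so {@code "TRUE"} or
 * {@code "True"} leaves the protection OFF):
 * <ul>
 *   <li>{@code cors.enabled}           - CORS filter, configured from {@code cors.*} params</li>
 *   <li>{@code csrf.enabled}           - CSRF prevention filter, from {@code csrf.*} params</li>
 *   <li>{@code xframe.options.enabled} - X-Frame-Options (clickjacking) filter, from {@code xframe.*} params</li>
 * </ul>
 * Nothing is contributed unless the topology declares an enabled provider
 * with role {@code webappsec} and name {@code WebAppSec}.
 */
public class WebAppSecContributor extends ProviderDeploymentContributorBase {

  private static final String ROLE = "webappsec";
  private static final String NAME = "WebAppSec";

  private static final String CSRF_SUFFIX = "_CSRF";
  private static final String CSRF_FILTER_CLASSNAME =
      "org.apache.hadoop.gateway.webappsec.filter.CSRFPreventionFilter";
  private static final String CSRF_ENABLED = "csrf.enabled";
  // Provider params starting with this prefix are copied to the CSRF filter.
  private static final String CSRF_PARAM_PREFIX = "csrf.";

  private static final String CORS_SUFFIX = "_CORS";
  private static final String CORS_FILTER_CLASSNAME = "com.thetransactioncompany.cors.CORSFilter";
  private static final String CORS_ENABLED = "cors.enabled";
  // Provider params starting with this prefix are copied to the CORS filter.
  private static final String CORS_PARAM_PREFIX = "cors.";

  private static final String XFRAME_OPTIONS_SUFFIX = "_XFRAMEOPTIONS";
  private static final String XFRAME_OPTIONS_FILTER_CLASSNAME =
      "org.apache.hadoop.gateway.webappsec.filter.XFrameOptionsFilter";
  private static final String XFRAME_OPTIONS_ENABLED = "xframe.options.enabled";
  // Provider params starting with this prefix are copied to the X-Frame-Options filter.
  private static final String XFRAME_PARAM_PREFIX = "xframe.";

  // The only value that switches a protection on; anything else (including
  // null, "TRUE", "yes", "1") leaves the corresponding filter out.
  private static final String ENABLED_VALUE = "true";

  /** @return the provider role this contributor handles ({@code webappsec}). */
  @Override
  public String getRole() {
    return ROLE;
  }

  /** @return the provider name this contributor handles ({@code WebAppSec}). */
  @Override
  public String getName() {
    return NAME;
  }

  /**
   * Adds the CORS, CSRF and X-Frame-Options filters to {@code resource},
   * each only when its {@code *.enabled} provider parameter is {@code "true"}.
   *
   * <p>The CORS filter reuses the caller-supplied {@code params} list (or a
   * new one when {@code params} is null), so anything already in that list is
   * attached to the CORS filter; the CSRF and X-Frame-Options filters each get
   * a fresh list. This asymmetry is preserved from the original code.
   *
   * @param context  deployment context; its topology is consulted for the
   *                 enabled state of the {@code webappsec} provider
   * @param provider the provider whose params configure the filters
   * @param service  the service being deployed (unused here)
   * @param resource the resource the filters are attached to
   * @param params   initial filter params for the CORS filter; may be null
   */
  @Override
  public void contributeFilter(DeploymentContext context, Provider provider, Service service,
      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
    // NOTE(review): the enabled check uses the provider looked up from the
    // topology, while the params come from the 'provider' argument; these are
    // presumably the same object — confirm against the caller.
    Provider webappsec = context.getTopology().getProvider(ROLE, NAME);
    if (webappsec == null || !webappsec.isEnabled()) {
      return;
    }

    Map<String, String> providerParams = provider.getParams();

    // CORS support: keeps the caller's list so pre-existing params are retained.
    List<FilterParamDescriptor> corsParams =
        (params != null) ? params : new ArrayList<FilterParamDescriptor>();
    contributeIfEnabled(resource, providerParams, corsParams,
        CORS_ENABLED, CORS_PARAM_PREFIX, CORS_SUFFIX, CORS_FILTER_CLASSNAME);

    // CSRF prevention
    contributeIfEnabled(resource, providerParams, new ArrayList<FilterParamDescriptor>(),
        CSRF_ENABLED, CSRF_PARAM_PREFIX, CSRF_SUFFIX, CSRF_FILTER_CLASSNAME);

    // X-Frame-Options - clickjacking protection
    contributeIfEnabled(resource, providerParams, new ArrayList<FilterParamDescriptor>(),
        XFRAME_OPTIONS_ENABLED, XFRAME_PARAM_PREFIX, XFRAME_OPTIONS_SUFFIX,
        XFRAME_OPTIONS_FILTER_CLASSNAME);
  }

  /**
   * Attaches one filter to {@code resource} when {@code providerParams.get(enabledKey)}
   * is exactly {@code "true"}; otherwise does nothing.
   *
   * @param resource        resource receiving the filter
   * @param providerParams  all provider params; those starting with
   *                        {@code paramPrefix} become filter params
   * @param params          list the selected params are appended to and that
   *                        is handed to the filter
   * @param enabledKey      provider param key that switches the filter on
   * @param paramPrefix     prefix selecting the filter's own params
   * @param nameSuffix      appended to {@link #getName()} to form the filter name
   * @param filterClassName implementation class of the filter
   */
  private void contributeIfEnabled(ResourceDescriptor resource,
      Map<String, String> providerParams, List<FilterParamDescriptor> params,
      String enabledKey, String paramPrefix, String nameSuffix, String filterClassName) {
    // Null-safe equivalent of (v != null && v.equals("true")).
    if (ENABLED_VALUE.equals(providerParams.get(enabledKey))) {
      provisionConfig(resource, providerParams, params, paramPrefix);
      resource.addFilter()
          .name(getName() + nameSuffix)
          .role(getRole())
          .impl(filterClassName)
          .params(params);
    }
  }

  /**
   * Copies every provider param whose key starts with {@code prefix} into
   * {@code params} as a filter param, with the key lower-cased.
   *
   * <p>The prefix match is case-sensitive, but the copied key is lower-cased
   * using {@link Locale#ROOT} so the result does not depend on the JVM's
   * default locale (e.g. a Turkish locale would otherwise turn {@code "I"}
   * into a dotless i and break lookups in the filter).
   *
   * @param resource       used to create the filter param descriptors
   * @param providerParams source params
   * @param params         destination list (mutated)
   * @param prefix         key prefix selecting the params to copy
   */
  private void provisionConfig(ResourceDescriptor resource, Map<String, String> providerParams,
      List<FilterParamDescriptor> params, String prefix) {
    for (Entry<String, String> entry : providerParams.entrySet()) {
      String key = entry.getKey();
      if (key.startsWith(prefix)) {
        params.add(resource.createFilterParam()
            .name(key.toLowerCase(Locale.ROOT))
            .value(entry.getValue()));
      }
    }
  }
}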