DefaultXACMLPEP.java

/**
 *
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.airavata.api.server.security.xacml;

import org.apache.airavata.common.utils.Constants;
import org.apache.airavata.model.security.AuthzToken;
import org.apache.airavata.security.AiravataSecurityException;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException;
import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub;
import org.wso2.carbon.utils.CarbonUtils;
import org.xml.sax.SAXException;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.rmi.RemoteException;
import java.util.Map;

/**
 * This enforces XACML based fine grained authorization on the API calls, by authorizing the API calls
 * through default PDP which is WSO2 Identity Server.
 */
public class DefaultXACMLPEP {

    private final static Logger logger = LoggerFactory.getLogger(DefaultXACMLPEP.class);
    private EntitlementServiceStub entitlementServiceStub;

    public DefaultXACMLPEP(String auhorizationServerURL, String username, String password,
                           ConfigurationContext configCtx) throws AiravataSecurityException {
        try {

            String PDPURL = auhorizationServerURL + "EntitlementService";
            entitlementServiceStub = new EntitlementServiceStub(configCtx, PDPURL);
            CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, entitlementServiceStub._getServiceClient());
        } catch (AxisFault e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error initializing XACML PEP client.");
        }

    }

    /**
     * Send the XACML authorization request to XAML PDP and return the authorization decision.
     *
     * @param authzToken
     * @param metaData
     * @return
     */
    public boolean getAuthorizationDecision(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
        String decision;
        try {
            String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
            //FIXME hacky way to fix OpenID -> CILogon issue in WSO2 IS
            if(subject.startsWith("http://")){
                subject = subject.substring(6);
            }
            String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
            String decisionString = entitlementServiceStub.getDecisionByAttributes(subject, null, action, null);
            //parse the XML decision string and obtain the decision
            decision = parseDecisionString(decisionString);
            if (Constants.PERMIT.equals(decision)) {
                return true;
            } else {
                logger.error("Authorization decision is: " + decision);
                return false;
            }
        } catch (RemoteException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in authorizing the user.");
        } catch (EntitlementServiceException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in authorizing the user.");
        }
    }

    /**
     * This parses the XML based authorization response by the PDP and returns the decision string.
     *
     * @param decisionString
     * @return
     * @throws AiravataSecurityException
     */
    private String parseDecisionString(String decisionString) throws AiravataSecurityException {
        try {
            DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
            InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
            Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
            Node resultNode = doc.getDocumentElement().getFirstChild();
            Node decisionNode = resultNode.getFirstChild();
            String decision = decisionNode.getTextContent();
            return decision;
        } catch (ParserConfigurationException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
        } catch (UnsupportedEncodingException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
        } catch (SAXException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
        } catch (IOException e) {
            logger.error("Error in parsing XACML authorization response.");
            throw new AiravataSecurityException("Error in parsing XACML authorization response.");
        }
    }
}