• Home
• org.ow2.xlcloud
• iam-utils
• 1.0.0
• source code
• BaseEntitlementValidator.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.xlcloud.iam.BaseEntitlementValidator Maven / Gradle / Ivy

/*
 * Copyright 2012 AMG.lab, a Bull Group Company
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *    http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.xlcloud.iam;

import javax.inject.Inject;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.xlcloud.config.ConfigParam;
import org.xlcloud.logging.LoggingUtils;
import org.xlcloud.rest.exception.AuthenticateException;
import org.xlcloud.rest.exception.AuthenticateException.AuthenticationFailureType;
import org.xlcloud.rest.exception.ForbiddenException;
import org.xlcloud.rest.exception.ForbiddenException.Reason;

/**
 * Validates if user is authorized to access the resource with specified token
 * (as {@link EntitlementContext}). {@link ForbiddenException} is thrown when
 * user is not authorized to call the request. {@link AuthenticateException}
 * exception is thrown when user did not provide access token.
 * 
 * @author Piotr Kulasek, AMG.net
 * @author Krzysztof Szafrański, AMG.net
 */
public abstract class BaseEntitlementValidator {

    private static Logger LOG = Logger.getLogger(BaseEntitlementValidator.class);

    @Inject
    private EntitlementContext entitlementCtx;

    @Inject
    @ConfigParam
    private Boolean authTokenRequestFilterEnabled = false;

    /**
     * Validate the token and then validate if the user is allowed to access the
     * resource described by the retrieved options using implementation provided
     * by an extending class.
     * 
     * @throws ForbiddenException
     *             If the user is not allowed to access the resource
     * @throws AuthenticateException
     *             If the user did not specify access token at all
     */
    public void validate() {
        if (!isAuthTokenRequired()) {
            return;
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("Evaluating authentication using entitlement context " + entitlementCtx.toString());
        }

        validateToken();

        Decision decision = isAllowed(entitlementCtx.getAccessToken(), entitlementCtx.getAction(), entitlementCtx.getResource());

        String errorMessage;
        switch(decision.getAnswer()) {
        case DENY:
            errorMessage = "User is not allowed to access resource";
            LOG.info(LoggingUtils.maskResource(errorMessage));
            throw new ForbiddenException(decision.getDetails(), entitlementCtx.getAction(), entitlementCtx.getResource(), Reason.DENIAL);
        case FAILED:
            errorMessage = "Error occured when validating entitlements for resource";
            LOG.warn(LoggingUtils.maskResource(errorMessage));
            throw new ForbiddenException(decision.getDetails(), entitlementCtx.getAction(), entitlementCtx.getResource(), Reason.ERROR);
        case RESTRICTED:
            errorMessage = "User is restricted to access resource";
            String explanation = decision.getDetails() == null ? "" : ", because: " + decision.getDetails();
            LOG.info(LoggingUtils.maskResource(errorMessage) + explanation);
            throw new ForbiddenException(decision.getDetails(), entitlementCtx.getAction(), entitlementCtx.getResource(), Reason.RESTRICTION);
        default:
            break;
        }
    }
    
    protected abstract Decision isAllowed(String accessToken, String action, String resource);

    private boolean isAuthTokenRequired() {
        if (!authTokenRequestFilterEnabled) {
            LOG.warn("Authentication filter disabled! This is only acceptable in development mode");
            LOG.debug("Skipped validation for path: " + LoggingUtils.maskResource(entitlementCtx.getResource()));
            return false;
        }

        return true;
    }

    private void validateToken() {
        if (StringUtils.isBlank(entitlementCtx.getAccessToken())) {
            throw new AuthenticateException("Oauth token header cannot be empty", AuthenticationFailureType.MISSING_AUTH_HEADER);
        }
    }
}