Added RBAC for REST APIs.
- admin role required for POST, PUT, DELETE & PATCH
- viewer role required for all other requests
- cleaned up all web.xml files for consistency and correctness
Change-Id: I33bad5cec0fb0f4285eed84173025b0a107b5aec
diff --git a/utils/rest/src/main/java/org/onlab/rest/AbstractWebApplication.java b/utils/rest/src/main/java/org/onlab/rest/AbstractWebApplication.java
index f744929..41839c7 100644
--- a/utils/rest/src/main/java/org/onlab/rest/AbstractWebApplication.java
+++ b/utils/rest/src/main/java/org/onlab/rest/AbstractWebApplication.java
@@ -19,6 +19,7 @@
import com.google.common.collect.ImmutableSet;
import org.onlab.rest.exceptions.BadRequestMapper;
import org.onlab.rest.exceptions.EntityNotFoundMapper;
+import org.onlab.rest.exceptions.ForbiddenMapper;
import org.onlab.rest.exceptions.IllegalArgumentExceptionMapper;
import org.onlab.rest.exceptions.IllegalStateExceptionMapper;
import org.onlab.rest.exceptions.NotFoundMapper;
@@ -43,7 +44,9 @@
*/
protected Set<Class<?>> getClasses(Class<?>... classes) {
ImmutableSet.Builder<Class<?>> builder = ImmutableSet.builder();
- builder.add(ServiceNotFoundMapper.class,
+ builder.add(AuthorizationFilter.class,
+ ForbiddenMapper.class,
+ ServiceNotFoundMapper.class,
EntityNotFoundMapper.class,
NotFoundMapper.class,
ServerErrorMapper.class,
diff --git a/utils/rest/src/main/java/org/onlab/rest/AuthorizationFilter.java b/utils/rest/src/main/java/org/onlab/rest/AuthorizationFilter.java
new file mode 100644
index 0000000..6bf8a2f
--- /dev/null
+++ b/utils/rest/src/main/java/org/onlab/rest/AuthorizationFilter.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2018-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onlab.rest;
+
+import com.google.common.collect.ImmutableSet;
+
+import javax.ws.rs.ForbiddenException;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import java.io.IOException;
+import java.util.Set;
+
+/**
+ * Filter that performs authorization checks on all incoming REST API requests.
+ * Methods with modify semantics require 'admin' role; all others require 'viewer' role.
+ */
+public class AuthorizationFilter implements ContainerRequestFilter {
+
+ private static final String ADMIN = "admin";
+ private static final String VIEWER = "viewer";
+
+ private static final String FORBIDDEN_MSG =
+ "User has insufficient privilege for this request";
+
+ private static final Set<String> PRIVILEGED_METHODS =
+ ImmutableSet.of("POST", "PUT", "DELETE", "PATCH");
+
+ private static boolean disableForTests = false;
+
+ @Override
+ public void filter(ContainerRequestContext requestContext) throws IOException {
+ if (disableForTests) {
+ return;
+ }
+ if ((PRIVILEGED_METHODS.contains(requestContext.getMethod()) &&
+ !requestContext.getSecurityContext().isUserInRole(ADMIN)) ||
+ !requestContext.getSecurityContext().isUserInRole(VIEWER)) {
+ throw new ForbiddenException(FORBIDDEN_MSG);
+ }
+ }
+
+ public static void disableForTests() {
+ disableForTests = true;
+ }
+}
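Review bot: The `disableForTests` kill switch at L76/L80–L82/L90–L92 ships in the production class as a public, non-volatile, one-way flag: any code on the classpath can call `AuthorizationFilter.disableForTests()` and authorization is silently off for every request in the JVM until restart, and because the field is not `volatile` there is no guarantee other request threads even observe the toggle consistently. At minimum declare it `private static volatile boolean disableForTests = false;`, provide a counterpart that re-enables it so tests cannot leak the disabled state, and consider moving the bypass out of production code entirely. The filter also carries no `@Priority(Priorities.AUTHORIZATION)` (from `javax.annotation.Priority` / `javax.ws.rs.Priorities`), so its ordering relative to any other `ContainerRequestFilter` — including one that would establish the `SecurityContext` it reads — is unspecified; adding `@Priority(Priorities.AUTHORIZATION)` on the class fixes that. Finally, the condition at L83–L85 rejects a principal that holds `admin` but not `viewer` even for GET; if the realm's roles are not hierarchical that is presumably unintended, and the read path should accept either role, e.g. `!(ctx.isUserInRole(ADMIN) || ctx.isUserInRole(VIEWER))`.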
diff --git a/utils/rest/src/main/java/org/onlab/rest/exceptions/ForbiddenMapper.java b/utils/rest/src/main/java/org/onlab/rest/exceptions/ForbiddenMapper.java
new file mode 100644
index 0000000..63c8960
--- /dev/null
+++ b/utils/rest/src/main/java/org/onlab/rest/exceptions/ForbiddenMapper.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2018-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onlab.rest.exceptions;
+
+import javax.ws.rs.ForbiddenException;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.Provider;
+
+/**
+ * Mapper for service not found exceptions to the NOT_FOUND response code.
+ */
+@Provider
+public class ForbiddenMapper extends AbstractMapper<ForbiddenException> {
+ @Override
+ protected Response.Status responseStatus() {
+ return Response.Status.FORBIDDEN;
+ }
+}
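Review bot: The class Javadoc at L122–L124 is copied from the not-found mapper and describes the wrong exception and status; it should read `Mapper for forbidden exceptions to the FORBIDDEN response code.` Note also that JAX-RS already maps `ForbiddenException` (a `WebApplicationException`) to 403 on its own, so this mapper only changes behaviour through whatever `AbstractMapper` adds (logging, response body) — `AbstractMapper` is outside this diff, so that is worth a one-line comment stating why the explicit mapper is needed.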