protected boolean enforceAclAuthorizationPolicy()

in gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java [115:171]


  /**
   * Decides whether the current request passes the configured user / group / remote-IP ACLs.
   *
   * <p>Evaluation order as written here:
   * <ol>
   *   <li>If no user, group or IP ACL entries are configured at all, the request is allowed
   *       (no ACLs means no restrictions — an intentional allow-all default, so an empty or
   *       missing ACL configuration does not lock out a topology).</li>
   *   <li>The effective principal name of the current {@code Subject} is checked against the
   *       user ACLs, the subject's {@code GroupPrincipal}s against the group ACLs, and the
   *       request's remote address against the IP ACLs; each partial result is logged.</li>
   *   <li>The three partial results are combined according to {@code aclProcessingMode}:
   *       {@code "OR"} grants access if any one of them is true, but first treats a wildcard
   *       ({@code '*'}) entry as a denial so that a wildcard cannot grant everyone access;
   *       {@code "AND"} requires all three to be true. Any other mode value denies.</li>
   * </ol>
   *
   * <p>{@code response} and {@code chain} are not read by this method; only {@code request}
   * (cast to {@link HttpServletRequest} for the remote address) is consulted.
   *
   * @param request  the current request; must be an {@link HttpServletRequest}, otherwise the
   *                 cast below throws {@link ClassCastException}
   * @param response unused here
   * @param chain    unused here
   * @return {@code true} if the request is authorized by the ACL policy, {@code false} otherwise
   *         (including for an unrecognized {@code aclProcessingMode})
   */
  protected boolean enforceAclAuthorizationPolicy(ServletRequest request, ServletResponse response, FilterChain chain) {

    // before enforcing acls check whether there are no acls defined
    // which would mean that there are no restrictions
    // (deliberate allow-all when nothing is configured; the three checks short-circuit
    // left to right, so the ipv lookup only runs when users and groups are both empty)
    if (parser.users.isEmpty() && parser.groups.isEmpty() && parser.ipv.getIPAddresses().isEmpty()) {
      return true;
    }

    // groupAccess defaults to denied; it is only set true by a matching group ACL
    // or by the anyGroup special case for AND mode below
    boolean groupAccess = false;
    boolean ipAddrAccess;

    // NOTE(review): subject is dereferenced below without a null check — assumes
    // SubjectUtils.getCurrentSubject() never returns null in this filter; confirm.
    final Subject subject = SubjectUtils.getCurrentSubject();
    final String effectivePrincipalName = SubjectUtils.getEffectivePrincipalName(subject);
    log.effectivePrincipal(effectivePrincipalName);
    boolean userAccess = checkUserAcls(effectivePrincipalName);
    log.effectivePrincipalHasAccess(userAccess);

    // group principals carried by the subject; an empty array means the subject
    // has no group membership we can check
    Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
    if (groups.length > 0) {
      groupAccess = checkGroupAcls(groups);
      log.groupPrincipalHasAccess(groupAccess);
    }
    else {
      // if we have no groups in the subject then make
      // it true if there is an anyGroup acl
      // for AND mode and acls like *;*;127.0.0.* we need to
      // make it pass
      // (in OR mode anyGroup is forced to false further down, so this only
      // matters for AND; note that no groupPrincipalHasAccess log line is emitted here)
      if (parser.anyGroup && "AND".equals(aclProcessingMode)) {
        groupAccess = true;
      }
    }
    // NOTE(review): getRemoteAddr() is the address of the immediate peer (the client, or the
    // last proxy / load balancer in front of Knox), so IP ACLs are evaluated against that
    // address rather than any forwarded client address — confirm this matches deployment
    // expectations.
    log.remoteIPAddress(((HttpServletRequest) request).getRemoteAddr());
    ipAddrAccess = checkRemoteIpAcls(((HttpServletRequest) request).getRemoteAddr());
    log.remoteIPAddressHasAccess(ipAddrAccess);

    if ("OR".equals(aclProcessingMode)) {
      // need to interpret '*' as excluded for OR semantics
      // to make sense and not grant access to everyone by mistake.
      // exclusion in OR is equivalent to denied
      // so, let's set each one that contains '*' to false.
      if (parser.anyUser) {
        userAccess = false;
      }
      if (parser.anyGroup) {
        groupAccess = false;
      }
      if (parser.ipv.allowsAnyIP()) {
        ipAddrAccess = false;
      }

      return (userAccess || groupAccess || ipAddrAccess);
    }
    else if ("AND".equals(aclProcessingMode)) {
      return (userAccess && groupAccess && ipAddrAccess);
    }
    // fail closed: an unrecognized (or null) processing mode denies access
    return false;
  }