Modernize AAA authorization

Since JettyWebServer is being used, the entire AAA authorization can be
modernized to use WebContext.builder() instead of handlers.

Classes related to moon endpoins can also be ditched since now its part
ShiroProvider using WebContext.builder().

JIRA: LIGHTY-329
Signed-off-by: tobias.pobocik <[email protected]>

Author: Tobianas

lighty-modules/lighty-aaa-aggregator/lighty-aaa/src/main/java/io/lighty/aaa/AAALighty.java

@@ -14,6 +14,7 @@
 import java.util.concurrent.CountDownLatch;
 import org.opendaylight.aaa.api.CredentialAuth;
 import org.opendaylight.aaa.api.PasswordCredentials;
+import org.opendaylight.aaa.web.WebContextSecurer;
 import org.opendaylight.mdsal.binding.api.DataBroker;
 
 public final class AAALighty extends AbstractLightyModule {
@@ -22,6 +23,7 @@ public final class AAALighty extends AbstractLightyModule {
     private final LightyJettyServerProvider server;
     private final CredentialAuth<PasswordCredentials> credentialAuth;
     private final DataBroker dataBroker;
+    private WebContextSecurer webContextSecurer;
 
     private final AAAConfiguration aaaConfiguration;
 
@@ -41,6 +43,7 @@ protected boolean initProcedure() throws InterruptedException {
         final CountDownLatch cdl = new CountDownLatch(1);
         newInstance.whenComplete((t, u) -> {
             AAALighty.this.aaaShiroProviderHandler.setAaaLightyShiroProvider(t);
+            this.webContextSecurer = aaaShiroProviderHandler.getAaaLightyShiroProvider().getWebContextSecurer();
             cdl.countDown();
         });
 
@@ -70,4 +73,8 @@ AAALightyShiroProvider getAaaLightyShiroProvider() {
             return this.aaaLightyShiroProvider;
         }
     }
+
+    public WebContextSecurer getWebContextSecurer() {
+        return webContextSecurer;
+    }
 }

lighty-modules/lighty-aaa-aggregator/lighty-aaa/src/main/java/io/lighty/aaa/AAALightyShiroProvider.java

@@ -8,21 +8,14 @@
 package io.lighty.aaa;
 
 import io.lighty.aaa.config.AAAConfiguration;
-import java.util.ArrayList;
 import io.lighty.server.LightyJettyServerProvider;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.concurrent.CompletableFuture;
-import org.eclipse.jetty.server.Handler;
-import org.eclipse.jetty.server.handler.ContextHandlerCollection;
-import org.eclipse.jetty.servlet.FilterHolder;
-import org.eclipse.jetty.servlet.ServletContextHandler;
-import org.eclipse.jetty.servlet.ServletHolder;
+import javax.servlet.ServletException;
+import org.apache.shiro.mgt.DefaultSecurityManager;
+import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
 import org.eclipse.jetty.servlets.CrossOriginFilter;
-import org.glassfish.jersey.internal.guava.Preconditions;
-import org.glassfish.jersey.server.ResourceConfig;
-import org.glassfish.jersey.servlet.ServletContainer;
 import org.opendaylight.aaa.api.AuthenticationService;
 import org.opendaylight.aaa.api.ClaimCache;
 import org.opendaylight.aaa.api.CredentialAuth;
@@ -39,20 +32,23 @@
 import org.opendaylight.aaa.filterchain.configuration.impl.CustomFilterAdapterConfigurationImpl;
 import org.opendaylight.aaa.filterchain.filters.CustomFilterAdapter;
 import org.opendaylight.aaa.impl.password.service.DefaultPasswordHashService;
-import org.opendaylight.aaa.shiro.filters.AAAShiroFilter;
 import org.opendaylight.aaa.shiro.idm.IdmLightApplication;
 import org.opendaylight.aaa.shiro.idm.IdmLightProxy;
-import org.opendaylight.aaa.shiro.moon.MoonTokenEndpoint;
 import org.opendaylight.aaa.shiro.web.env.AAAWebEnvironment;
+import org.opendaylight.aaa.shiro.web.env.ShiroWebContextSecurer;
 import org.opendaylight.aaa.tokenauthrealm.auth.AuthenticationManager;
 import org.opendaylight.aaa.tokenauthrealm.auth.HttpBasicAuth;
 import org.opendaylight.aaa.tokenauthrealm.auth.TokenAuthenticators;
+import org.opendaylight.aaa.web.FilterDetails;
+import org.opendaylight.aaa.web.ServletDetails;
+import org.opendaylight.aaa.web.WebContext;
 import org.opendaylight.aaa.web.servlet.jersey2.JerseyServletSupport;
 import org.opendaylight.mdsal.binding.api.DataBroker;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.DatastoreConfig;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.ShiroConfiguration;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.password.service.config.rev170619.PasswordServiceConfig;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.password.service.config.rev170619.PasswordServiceConfigBuilder;
+import org.opendaylight.yangtools.concepts.Registration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -62,7 +58,6 @@ public final class AAALightyShiroProvider {
 
     private static AAALightyShiroProvider INSTANCE;
 
-    private final List<Handler> handlers;
     private final DataBroker dataBroker;
     private final ICertificateManager certificateManager;
     private final ShiroConfiguration shiroConfiguration;
@@ -73,6 +68,8 @@ public final class AAALightyShiroProvider {
     private ClaimCache claimCache;
     private PasswordHashService passwordHashService;
     private IIDMStore iidmStore;
+    private Registration registration;
+    private ShiroWebContextSecurer webContextSecurer;
 
     private AAAWebEnvironment aaaWebEnvironment;
 
@@ -84,7 +81,6 @@ private AAALightyShiroProvider(final DataBroker dataBroker,
         this.certificateManager = aaaConfiguration.getCertificateManager();
         this.credentialAuth = credentialAuth;
         this.shiroConfiguration = aaaConfiguration.getShiroConf();
-        this.handlers = new ArrayList<>();
         this.authenticationService = new AuthenticationManager();
         final DatastoreConfig datastoreConfig = aaaConfiguration.getDatastoreConf();
 
@@ -121,47 +117,60 @@ private AAALightyShiroProvider(final DataBroker dataBroker,
         } catch (final IDMStoreException e) {
             LOG.error("Failed to initialize data in store", e);
         }
-        final LocalHttpServer httpService = new LocalHttpServer(server);
-        registerServletContexts(httpService, aaaConfiguration.getMoonEndpointPath());
-
         initAAAonServer(server);
     }
 
     private void initAAAonServer(final LightyJettyServerProvider server) {
-        final ContextHandlerCollection contexts = new ContextHandlerCollection();
-        final ServletContextHandler mainHandler = new ServletContextHandler(contexts, "/auth", true, false);
-        final IdmLightApplication idmLightApplication = new IdmLightApplication(iidmStore, claimCache);
-        final ServletHolder idmLightServlet = new ServletHolder(new ServletContainer(ResourceConfig.forApplication(
-                idmLightApplication)));
-        idmLightServlet.setInitParameter("jersey.config.server.provider.packages",
-                "org.opendaylight.aaa.impl.provider");
-        mainHandler.addServlet(idmLightServlet, "/*");
-        server.addContextHandler(contexts);
-        this.handlers.add(contexts);
-        this.handlers.add(mainHandler);
-        this.aaaWebEnvironment = new AAAWebEnvironment(shiroConfiguration,
-                dataBroker,
-                certificateManager,
-                authenticationService,
-                tokenAuthenticators,
-                passwordHashService,
-                new JerseyServletSupport());
-
         final Map<String, String> properties = new HashMap<>();
         final CustomFilterAdapterConfigurationImpl customFilterAdapterConfig =
-                new CustomFilterAdapterConfigurationImpl();
+            new CustomFilterAdapterConfigurationImpl();
         customFilterAdapterConfig.update(properties);
-        final FilterHolder customFilterAdapter = new FilterHolder(new CustomFilterAdapter(customFilterAdapterConfig));
-        server.addCommonFilter(customFilterAdapter, "/*");
 
-        final FilterHolder shiroFilter = new FilterHolder(new AAAShiroFilter(aaaWebEnvironment));
-        server.addCommonFilter(shiroFilter, "/*");
+        this.aaaWebEnvironment = new AAAWebEnvironment(
+            shiroConfiguration,
+            dataBroker,
+            certificateManager,
+            authenticationService,
+            tokenAuthenticators,
+            passwordHashService,
+            new JerseyServletSupport());
+
+        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
+        ((DefaultSecurityManager) aaaWebEnvironment.getSecurityManager()).setSessionManager(sessionManager);
+
+        final var webContextBuilder = WebContext.builder()
+            .name("RealmManagement")
+            .contextPath("/auth")
+            .supportsSessions(true)
 
-        final FilterHolder crossOriginFilter = new FilterHolder(new CrossOriginFilter());
-        crossOriginFilter.setInitParameter("allowedMethods", "GET,POST,OPTIONS,DELETE,PUT,HEAD");
-        crossOriginFilter.setInitParameter("allowedHeaders",
-                "origin, content-type, accept, authorization, Authorization");
-        server.addCommonFilter(crossOriginFilter, "/*");
+            // Add servlet
+            .addServlet(ServletDetails.builder()
+                .servlet(new JerseyServletSupport().createHttpServletBuilder(
+                    new IdmLightApplication(iidmStore, claimCache)).build())
+                .addUrlPattern("/*")
+                .build())
+
+            // CustomFilterAdapter
+            .addFilter(FilterDetails.builder()
+                .filter(new CustomFilterAdapter(customFilterAdapterConfig))
+                .addUrlPattern("/*")
+                .build())
+
+            // CORS filter
+            .addFilter(FilterDetails.builder()
+                .filter(new CrossOriginFilter())
+                .addUrlPattern("/*")
+                .putInitParam("allowedMethods", "GET,POST,OPTIONS,DELETE,PUT,HEAD")
+                .putInitParam("allowedHeaders", "origin, content-type, accept, authorization, Authorization")
+                .build());
+        this.webContextSecurer = new ShiroWebContextSecurer(aaaWebEnvironment);
+        webContextSecurer.requireAuthentication(webContextBuilder, "/*", "/moon/*");
+
+        try {
+            this.registration = server.build().registerWebContext(webContextBuilder.build());
+        } catch (ServletException e) {
+            LOG.error("Failed to register AAA web context: {}!", server.getClass(), e);
+        }
     }
 
     public static CompletableFuture<AAALightyShiroProvider> newInstance(final DataBroker dataBroker,
@@ -225,6 +234,10 @@ public static IIDMStore getIdmStore() {
         return INSTANCE.iidmStore;
     }
 
+    public ShiroWebContextSecurer getWebContextSecurer() {
+        return webContextSecurer;
+    }
+
     /**
      * Set IDM data store, only used for test.
      *
@@ -236,26 +249,13 @@ public static void setIdmStore(final IIDMStore store) {
 
     @SuppressWarnings("IllegalCatch")
     public void close() {
-        this.handlers.forEach((handler) -> {
-            try {
-                handler.stop();
-            } catch (Exception e) {
-                LOG.error("Failed to close AAA handler [{}]", handler, e);
-            } finally {
-                handler.destroy();
-            }
-        });
+        if (registration != null) {
+            registration.close();
+        }
     }
 
     private static TokenAuthenticators buildTokenAuthenticators(
             final CredentialAuth<PasswordCredentials> credentialAuth) {
         return new TokenAuthenticators(new HttpBasicAuth(credentialAuth));
     }
-
-    private void registerServletContexts(final LocalHttpServer httpService, final String moonEndpointPath) {
-        LOG.info("attempting registration of AAA moon and auth servlets");
-
-        Preconditions.checkNotNull(httpService, "httpService cannot be null");
-        httpService.registerServlet(moonEndpointPath, new MoonTokenEndpoint(), null);
-    }
 }