Add xfcc header auth (#77)

acdc-ws/app/utils/Authorization.scala

@@ -21,9 +21,26 @@ class Authorization(private var authorizationSettings: AuthorizationSettings) {
   import Authorization._
 
   def getRoles(request: Request[_]): List[String] = {
-    authorizationSettings.authEnabled match {
-      case true => getKeyRoles(request.headers.get(authorizationSettings.authHeader))
-      case false => List(Admin)
+    (authorizationSettings.apiKeyAuthEnabled, authorizationSettings.xfccKeyAuthEnabled) match {
+      case (true, true) =>
+        if (getKeyRoles(request.headers.get(authorizationSettings.apiKeyAuthHeader)) ==
+          getXfccRoles(request.headers.get(authorizationSettings.xfccAuthHeader))) {
+          List(Admin)
+        } else {
+          List.empty
+        }
+      case (true, false) => getKeyRoles(request.headers.get(authorizationSettings.apiKeyAuthHeader))
+      case (false, true) => getXfccRoles(request.headers.get(authorizationSettings.xfccAuthHeader))
+      case (false, false) => List(Admin)
+    }
+  }
+
+  private def getXfccRoles(key: Option[String]) = {
+    key match {
+      case Some(xfcc) =>
+        if (xfcc.contains(authorizationSettings.xfccMustContain)) { List(Admin) }
+        else { List.empty }
+      case None => List.empty
     }
   }
 
@@ -34,17 +51,8 @@ class Authorization(private var authorizationSettings: AuthorizationSettings) {
     }
   }
 
-  def checkAuthorization(request: Request[_]): Boolean =
-    request.headers
-      .get(authorizationSettings.authHeader)
-      .map(validateKey)
-      .getOrElse(!authorizationSettings.authEnabled)
-
   def refreshDelay: Option[FiniteDuration] = authorizationSettings.ttl.map(_.second)
 
-  private def validateKey(key: String): Boolean =
-    authorizationSettings.keyRoles.contains(convertToSha256(key))
-
   def reloadSettings(): this.type = {
     ConfigFactory.invalidateCaches()
     authorizationSettings = AuthorizationSettings()

acdc-ws/app/utils/AuthorizationSettings.scala

@@ -17,9 +17,15 @@ import com.typesafe.config.{Config, ConfigFactory, ConfigList}
 
 class AuthorizationSettings private (config: Config) {
 
-  def authHeader: String = config.getString(s"header-name")
+  def apiKeyAuthHeader: String = config.getString(s"header-name")
 
-  def authEnabled: Boolean = config.getBoolean(s"enabled")
+  def apiKeyAuthEnabled: Boolean = config.getBoolean("enabled")
+
+  def xfccAuthHeader: String = config.getString("xfcc.header-name")
+
+  def xfccKeyAuthEnabled: Boolean = config.getBoolean("xfcc.enabled")
+
+  def xfccMustContain: String = config.getString("xfcc.must-contain")
 
   def keyRoles: Map[String, List[String]] = {
     val userRoles = for {

acdc-ws/conf/application.conf

@@ -22,6 +22,12 @@ acdc.auth = {
         user = [ ${?MCE_ENV_X_API_USER1} , ${?MCE_ENV_X_API_USER2} ]
         admin = [ ${?MCE_ENV_X_API_ADMIN1} , ${?MCE_ENV_X_API_ADMIN2} ]
     }
+    xfcc = {
+        enabled = false
+        header-name = ${?XFCC_HEADER_NAME}
+        must-contain = ${?XFCC_MUST_CONTAIN}
+    }
+
     # referesh settings every x seconds, setting it to null will make it never refresh. Note also
     # it only works if auth is specified as an external source config, setting it along with play's
     # setting will prevent it from being reloaded, and the reload/cache is handled at playframework

version.sbt

@@ -1 +1 @@
- ThisBuild / version := "0.10.1"
+ ThisBuild / version := "0.11.0"