networknt · stevehu · Mar 5, 2022 · Mar 5, 2022
diff --git a/access-control/src/main/java/com/networknt/openapi/AccessControlConfig.java b/access-control/src/main/java/com/networknt/openapi/AccessControlConfig.java
@@ -18,6 +18,7 @@
 class AccessControlConfig {
     public static final String CONFIG_NAME = "access-control";
     boolean enabled;
+    boolean defaultDeny;
 
     private AccessControlConfig() {
 
@@ -30,4 +31,12 @@ public boolean isEnabled() {
     public void setEnabled(boolean enabled) {
         this.enabled = enabled;
     }
+
+    public boolean isDefaultDeny() {
+        return defaultDeny;
+    }
+
+    public void setDefaultDeny(boolean defaultDeny) {
+        this.defaultDeny = defaultDeny;
+    }
 }
diff --git a/access-control/src/main/java/com/networknt/openapi/AccessControlHandler.java b/access-control/src/main/java/com/networknt/openapi/AccessControlHandler.java
@@ -51,6 +51,7 @@ public class AccessControlHandler implements MiddlewareHandler {
     static final Logger logger = LoggerFactory.getLogger(AccessControlHandler.class);
     static final AccessControlConfig config = (AccessControlConfig) Config.getInstance().getJsonObjectConfig(AccessControlConfig.CONFIG_NAME, AccessControlConfig.class);
     static final String ACCESS_CONTROL_ERROR = "ERR10067";
+    static final String ACCESS_CONTROL_MISSING = "ERR10069";
     static final String REQUEST_ACCESS = "request-access";
     static final String RESPONSE_FILTER = "response-filter";
     static final String RULE_ID = "ruleId";
@@ -85,26 +86,36 @@ public void handleRequest(final HttpServerExchange exchange) throws Exception {
         String endpoint = (String)auditInfo.get("endpoint");
         // get the access rules (maybe multiple) based on the endpoint.
         Map<String, List> requestRules = (Map<String, List>)RuleLoaderStartupHook.endpointRules.get(endpoint);
-        List<Map<String, Object>> accessRules = requestRules.get(REQUEST_ACCESS);
-        boolean finalResult = true;
-        Map<String, Object> result = null;
-        String ruleId = null;
-        // iterate the rules and execute them in sequence. Allow access only when all rules return true.
-        for(Map<String, Object> ruleMap: accessRules) {
-            ruleId = (String)ruleMap.get(RULE_ID);
-            objMap.putAll(ruleMap);
-            result = engine.executeRule(ruleId, objMap);
-            boolean res = (Boolean)result.get(RuleConstants.RESULT);
-            if(!res) {
-                finalResult = false;
-                break;
+        // if there is no access rule for this endpoint, check the default deny flag in the config.
+        if(requestRules == null ) {
+            if(config.defaultDeny) {
+                logger.error("Access control rule is missing and default deny is true for endpoint " + endpoint);
+                setExchangeStatus(exchange, ACCESS_CONTROL_MISSING, endpoint);
+            } else {
+                next(exchange);
             }
-        }
-        if(finalResult) {
-            next(exchange);
         } else {
-            logger.error(JsonMapper.toJson(result));
-            setExchangeStatus(exchange, ACCESS_CONTROL_ERROR, ruleId);
+            boolean finalResult = true;
+            List<Map<String, Object>> accessRules = requestRules.get(REQUEST_ACCESS);
+            Map<String, Object> result = null;
+            String ruleId = null;
+            // iterate the rules and execute them in sequence. Allow access only when all rules return true.
+            for(Map<String, Object> ruleMap: accessRules) {
+                ruleId = (String)ruleMap.get(RULE_ID);
+                objMap.putAll(ruleMap);
+                result = engine.executeRule(ruleId, objMap);
+                boolean res = (Boolean)result.get(RuleConstants.RESULT);
+                if(!res) {
+                    finalResult = false;
+                    break;
+                }
+            }
+            if(finalResult) {
+                next(exchange);
+            } else {
+                logger.error(JsonMapper.toJson(result));
+                setExchangeStatus(exchange, ACCESS_CONTROL_ERROR, ruleId);
+            }
         }
     }
 

diff --git a/access-control/src/main/resources/config/access-control.yml b/access-control/src/main/resources/config/access-control.yml
@@ -2,3 +2,7 @@
 # one before the business handler to handle the fine-grained authorization in the business domain.
 # Enable Access Control Handler
 enabled: ${accessControl.enabled:true}
+# If there is no access rule defined for the endpoint, default access is denied. Users can overwrite
+# this default action by setting this config value to false. If true, the handle will force users to
+# define the rules for each endpoint when the access control handler is enabled.
+defaultDeny: ${accessControl.defaultDeny:true}