aboutsummaryrefslogtreecommitdiffstats
path: root/sidecar/rproxy/config
diff options
context:
space:
mode:
authorLee, Tian (tl5884) <TianL@amdocs.com>2018-09-20 12:27:40 +0100
committerTian Lee <TianL@amdocs.com>2018-09-24 09:25:29 +0000
commit0d7feec2e32f69a8e919f06f03df3ce46e78801d (patch)
treed712e56fb78bea085eb1bf9c04447a07d0f50341 /sidecar/rproxy/config
parent6c3031ea90d5b51ae44a599c0cd0d95c057cf633 (diff)
Initial drop of rProxy code
The Reverse Proxy sidecar is used to separate the responsibility of authentication and authorization away from the primary microservice. In conjunction with the Forward Proxy sidecar, it is responsible for controlling access to the REST URL endpoints exposed by the primary microservice, and propogating security credentials to downstream microservices. Change-Id: I5d80429e5422d7b3937cde73ac10c2ec00d264e8 Issue-ID: AAI-1604 Signed-off-by: Lee, Tian (tl5884) <TianL@amdocs.com>
Diffstat (limited to 'sidecar/rproxy/config')
-rw-r--r--sidecar/rproxy/config/auth/client-cert.p12bin0 -> 2556 bytes
-rw-r--r--sidecar/rproxy/config/auth/tomcat_keystorebin0 -> 3594 bytes
-rw-r--r--sidecar/rproxy/config/auth/uri-authorization.json114
-rw-r--r--sidecar/rproxy/config/cadi.properties19
-rw-r--r--sidecar/rproxy/config/forward-proxy.properties4
-rw-r--r--sidecar/rproxy/config/logback-spring.xml48
-rw-r--r--sidecar/rproxy/config/primary-service.properties5
-rw-r--r--sidecar/rproxy/config/readme.txt1
-rw-r--r--sidecar/rproxy/config/reverse-proxy.properties1
-rw-r--r--sidecar/rproxy/config/security/keyfile27
10 files changed, 219 insertions, 0 deletions
diff --git a/sidecar/rproxy/config/auth/client-cert.p12 b/sidecar/rproxy/config/auth/client-cert.p12
new file mode 100644
index 0000000..dbf4fca
--- /dev/null
+++ b/sidecar/rproxy/config/auth/client-cert.p12
Binary files differ
diff --git a/sidecar/rproxy/config/auth/tomcat_keystore b/sidecar/rproxy/config/auth/tomcat_keystore
new file mode 100644
index 0000000..99129c1
--- /dev/null
+++ b/sidecar/rproxy/config/auth/tomcat_keystore
Binary files differ
diff --git a/sidecar/rproxy/config/auth/uri-authorization.json b/sidecar/rproxy/config/auth/uri-authorization.json
new file mode 100644
index 0000000..29b152d
--- /dev/null
+++ b/sidecar/rproxy/config/auth/uri-authorization.json
@@ -0,0 +1,114 @@
+ [
+ {
+ "uri": "\/not\/allowed\/at\/all$",
+ "permissions": [
+ "test.auth.access\\|not\\|granted"
+ ]
+ },
+ {
+ "uri": "\/single\/permission\/required$",
+ "permissions": [
+ "test.single.access\\|single\\|permission"
+ ]
+ },
+ {
+ "uri": "\/multiple\/permissions\/required$",
+ "permissions": [
+ "test.multiple.access\\|first\\|permission",
+ "test.multiple.access\\|second\\|permission",
+ "test.multiple.access\\|third\\|permission"
+ ]
+ },
+ {
+ "uri": "\/multiple\/permissions\/required/one/missing$",
+ "permissions": [
+ "test.multiple.access\\|first\\|permission",
+ "test.multiple.access\\|second\\|permission",
+ "test.multiple.access\\|third\\|permission",
+ "test.multiple.access\\|fourth\\|permission"
+ ]
+ },
+ {
+ "uri": "\/wildcard\/permission\/granted$",
+ "permissions": [
+ "test.wildcard.access\\|first\\|permission",
+ "test.wildcard.access\\|second\\|permission",
+ "test.wildcard.access\\|third\\|consent"
+ ]
+ },
+ {
+ "uri": "\/instance\/wildcard\/permission\/granted$",
+ "permissions": [
+ "test.wildcard.access\\|first\\|permission",
+ "test.wildcard.access\\|second\\|permission",
+ "test.wildcard.access\\|third\\|permission"
+ ]
+ },
+ {
+ "uri": "\/action\/wildcard\/permission\/granted$",
+ "permissions": [
+ "test.wildcard.access\\|first\\|permission",
+ "test.wildcard.access\\|first\\|permission",
+ "test.wildcard.access\\|first\\|consent"
+ ]
+ },
+ {
+ "uri": "\/services\/getAAFRequest$",
+ "permissions": [
+ "test.auth.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/admin\/getAAFRequest$",
+ "permissions": [
+ "test.auth.access\\|admin\\|GET,PUT,POST"
+ ]
+ },
+ {
+ "uri": "\/service\/aai\/webapp\/index.html$",
+ "permissions": [
+ "test.auth.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/services\/aai\/webapp\/index.html$",
+ "permissions": [
+ "test.auth.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/$",
+ "permissions": [
+ "\\|services\\|GET",
+ "test\\.auth\\.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions$",
+ "permissions": [
+ "test\\.auth\\.access\\|rest\\|write",
+ "test\\.auth\\.access\\|rpc\\|write"
+ ]
+ },
+ {
+ "uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+$*",
+ "permissions": [
+ "test.auth.access\\|clouds\\|read",
+ "test.auth.access\\|tenants\\|read"
+ ]
+ },
+ {
+ "uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+\/tenants/tenant/[^\/]+/vservers/vserver/[^\/]+$",
+ "permissions": [
+ "test.auth.access\\|clouds\\|read",
+ "test.auth.access\\|tenants\\|read",
+ "test.auth.access\\|vservers\\|read"
+ ]
+ },
+ {
+ "uri": "\/rproxy\/.*",
+ "permissions": [
+ "org\\.access\\|rproxy\\|get"
+ ]
+ }
+ ] \ No newline at end of file
diff --git a/sidecar/rproxy/config/cadi.properties b/sidecar/rproxy/config/cadi.properties
new file mode 100644
index 0000000..543bc1e
--- /dev/null
+++ b/sidecar/rproxy/config/cadi.properties
@@ -0,0 +1,19 @@
+# This is a normal Java Properties File
+# Comments are with Pound Signs at beginning of lines,
+# and multi-line expression of properties can be obtained by backslash at end of line
+
+cadi_loglevel=DEBUG
+cadi_keyfile=config/security/keyfile
+
+cadi_truststore=config/auth/tomcat_keystore
+cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+
+# Configure AAF
+aaf_url=https://aaf.osaaf.org:30247
+aaf_env=DEV
+
+aaf_id=demo@people.osaaf.org
+aaf_password=enc:92w4px0y_rrm265LXLpw58QnNPgDXykyA1YTrflbAKz
+
+# This is a colon separated list of client cert issuers
+cadi_x509_issuers=CN=ONAP, OU=ONAP, O=ONAP, L=Ottawa, ST=Ontario, C=CA \ No newline at end of file
diff --git a/sidecar/rproxy/config/forward-proxy.properties b/sidecar/rproxy/config/forward-proxy.properties
new file mode 100644
index 0000000..1b58d42
--- /dev/null
+++ b/sidecar/rproxy/config/forward-proxy.properties
@@ -0,0 +1,4 @@
+forward-proxy.protocol = https
+forward-proxy.host = localhost
+forward-proxy.port = 10680
+forward-proxy.cacheurl = /credential-cache \ No newline at end of file
diff --git a/sidecar/rproxy/config/logback-spring.xml b/sidecar/rproxy/config/logback-spring.xml
new file mode 100644
index 0000000..5b3a8dc
--- /dev/null
+++ b/sidecar/rproxy/config/logback-spring.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+ <property name="LOGS" value="./logs/reverse-proxy" />
+ <property name="FILEPREFIX" value="application" />
+
+ <appender name="Console"
+ class="ch.qos.logback.core.ConsoleAppender">
+ <layout class="ch.qos.logback.classic.PatternLayout">
+ <Pattern>
+ %d{ISO8601} %-5level [%t] %C{1.}: %msg%n%throwable
+ </Pattern>
+ </layout>
+ </appender>
+
+ <appender name="RollingFile"
+ class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${LOGS}/${FILEPREFIX}.log</file>
+ <encoder
+ class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <Pattern>%d %p %C{1.} [%t] %m%n</Pattern>
+ </encoder>
+
+ <rollingPolicy
+ class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <!-- rollover daily and when the file reaches 10 MegaBytes -->
+ <fileNamePattern>${LOGS}/archived/${FILEPREFIX}-%d{yyyy-MM-dd}.%i.log
+ </fileNamePattern>
+ <timeBasedFileNamingAndTriggeringPolicy
+ class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
+ <maxFileSize>10MB</maxFileSize>
+ </timeBasedFileNamingAndTriggeringPolicy>
+ </rollingPolicy>
+ </appender>
+
+ <!-- LOG everything at INFO level -->
+ <root level="info">
+ <appender-ref ref="RollingFile" />
+ <appender-ref ref="Console" />
+ </root>
+
+ <!-- LOG "org.onap.aaf.rproxy" at DEBUG level -->
+ <logger name="org.onap.aaf.rproxy" level="debug" additivity="false">
+ <appender-ref ref="RollingFile" />
+ <appender-ref ref="Console" />
+ </logger>
+
+</configuration>
diff --git a/sidecar/rproxy/config/primary-service.properties b/sidecar/rproxy/config/primary-service.properties
new file mode 100644
index 0000000..d0f7a32
--- /dev/null
+++ b/sidecar/rproxy/config/primary-service.properties
@@ -0,0 +1,5 @@
+primary-service.protocol = https
+primary-service.host = localhost
+
+# This needs to be configured to match the port of the primary service running in the pod
+primary-service.port = 9000
diff --git a/sidecar/rproxy/config/readme.txt b/sidecar/rproxy/config/readme.txt
new file mode 100644
index 0000000..79cf29e
--- /dev/null
+++ b/sidecar/rproxy/config/readme.txt
@@ -0,0 +1 @@
+Relevant configuration files need to be copied here to successfully run this service locally. \ No newline at end of file
diff --git a/sidecar/rproxy/config/reverse-proxy.properties b/sidecar/rproxy/config/reverse-proxy.properties
new file mode 100644
index 0000000..8d46e1f
--- /dev/null
+++ b/sidecar/rproxy/config/reverse-proxy.properties
@@ -0,0 +1 @@
+transactionid.header.name=X-TransactionId \ No newline at end of file
diff --git a/sidecar/rproxy/config/security/keyfile b/sidecar/rproxy/config/security/keyfile
new file mode 100644
index 0000000..6cd12fc
--- /dev/null
+++ b/sidecar/rproxy/config/security/keyfile
@@ -0,0 +1,27 @@
+bZNOXiGDJ2_eiKBKWYLIFx27URvb-SWfmOl2d-QKetcVKIupOrsG-ScS_VXOtKN3Yxfb2cR6t7oM
+1RNpDnhsKAxDLM6A62IkS_h_Rp3Q9c2JeyomVmyiuHR7a2ARbelaMrX8WDrxXI_t9ce4pIHDVE29
+xiQm3Bdp7d7IiKkgg-ipvOU7Y6NEzeQbvHlHvRTJ3ZZMSwHxBOA5M8DhKN-AF1sqwozEVaNAuJxK
+BVdh72A6KTW7ieb_GvVQQp8h32BuOz8oJhZV7KaGXsWTEvXg9ImboY0h7Sl9hufgn1ZtDK1jxzGm
+6O6LBg1qezzZaFGTXRmHvaeYmEeYSu0bGsU4x-JCU0RyhNTzFhkhjNoccaqPXBdcJymLf096mD99
+QLS8nyji_KtLQJL1fqr500c8p6SOURLPgG6Gzkn4ghgFYlfgve92xs1R3ggHKhNTLV4HJ4O6iSDm
+zCoHeRbsZR1JER9yxT-v8NtcHOMAZe1oDQeY6jVyxb-bhaonN6eZPI4nyF6MHJQtWKhGARC_kOs6
+x9E0ZdAEp5TrX7F7J5PwkXzbCOuSiTVftOBum43iUB4q9He8tn2tJ0X4LtLHT3bPl16wWnZm9RPf
+8wBtTJh4QP_cTStPq1ftSaLIAuqVFpbiC2DxGemXZn3QvykuYqa-rKeYPoIJ5dtWd5rNb_hhcSIz
+FakKTELb0HWYGji98TBF6PaStea2f2m-wGX_uQGD7_Dijl6AgnV9koKVs1bN1XljLtNMPbLdD8sz
+UCvc5lwvCFyyeunljI7os1fgwBmaMyckflq5VfZv9kFxom6jFLbcozylQ_uBg4j7oCP79IXVUI-r
+banZltOSmm8zHGc2R9UlUyxJWBi01yxwi1hUtn9g1H4RtncQpu3BY0Qvu5YLAmS5imivUnGVZWbv
+6wcqnJt5HwaVatE9NHONSLNTViQPsUOutWZBZxhJtAncdZuWOYZSh4TPzUJWvt6zT0E3YMBc_UuG
+yPmdLyqo7qGHR8YWRqq_vq6ISJqENMnVD6X9-BeI6KM4GPEAlDWyhgENXxQFjG45ufg3UpP8LBTB
+xDntlfkphRumsd13-8IlvwVtlpgnbuCMbwP_-lNVeNJcdA1InPt79oY-SEVZ-RVM1881ZASCnFeB
+lh3BTc_bGQ8YoC9s6iHtcCK_1SdbwzBfQBJUqqcYsa8hJLe-j8di7KCaFzI3a-UXWKuuWljpbKbq
+ibd48UFJt_34_GxkD6bmLxycuNH-og2Sd2VcYU0o5UarcrY4-2sgFPE7Mzxovrl98uayfgNF9DqE
+fJ4MwFGqLRtEHlm4zfuMxQ5Rh_giMUHDJApc1DYRkxdGbNUd4bC4aRBln2IhN-rNKbSVtiW_uT6v
+1KTMGmElvktjPWybJd2SvhT5qOLUM81-cmZzAsNa04jxZLBlQn_1fel3IroVos4Ohbdhar2NG6T5
+liten9RZ9P4Cg9RWhgeQonAD5kqLWXAHnCfffb5CVcAU5PHqkCgCbdThvD0-zIGETLO9AE0jKISc
+0o67CUZn3MzJ9pP_3gh-ALr2w-KAwqasqCf0igf1wmEDijv9wEDcgDm39ERIElTpGKgfyuVl4F8u
+PrpK5ZfpUYySUB6CZFQVVz0MvH6E7orQk4dCKFIimV_XwEtGijBttrTvyV6xYNScAEw_olt-0mdm
+8UEKSsuqSyDMxUWLjKJT19rNedahYJNtI87WR9Fhhjsrai9Or3a-srOYa56wcvSj2ZHbkevbO9Xv
+dQ2wzWCGEAMQSpSr83n0XEpR2pZT19Z19Svbhr08mnt2JNykCk60FLCeDTUOylJtYw6YOjqBizQZ
+-85B51BCbSEaAKJkgT9-8n_-LGW5aPBrBB_9FT7UIYczNEt3B1Lqr2s4ipPI_36JecEfqaS2cNLn
+c0ObAtNGAONkhO5LYLneMR3fZPMFuOX1-rMObPgE0i9dYqWDZ_30w9rpRsmiWyxYi5lvWDxU5L1J
+uJxwREz3oa_VgpSC3Y2oxCufdQwzBk57iVLDOb1qs_Hwj1SWd1nukWyAo2-g5sR1folAEcao \ No newline at end of file