From 0d7feec2e32f69a8e919f06f03df3ce46e78801d Mon Sep 17 00:00:00 2001
From: "Lee, Tian (tl5884)"
Date: Thu, 20 Sep 2018 12:27:40 +0100
Subject: Initial drop of rProxy code

The Reverse Proxy sidecar is used to separate the responsibility of authentication and authorization away from the primary microservice. In conjunction with the Forward Proxy sidecar, it is responsible for controlling access to the REST URL endpoints exposed by the primary microservice, and propogating security credentials to downstream microservices.

Change-Id: I5d80429e5422d7b3937cde73ac10c2ec00d264e8
Issue-ID: AAI-1604
Signed-off-by: Lee, Tian (tl5884)
---
sidecar/rproxy/config/auth/client-cert.p12 | Bin 0 -> 2556 bytes
sidecar/rproxy/config/auth/tomcat_keystore | Bin 0 -> 3594 bytes
sidecar/rproxy/config/auth/uri-authorization.json | 114 ++++++++++++++++++++++
3 files changed, 114 insertions(+)
create mode 100644 sidecar/rproxy/config/auth/client-cert.p12
create mode 100644 sidecar/rproxy/config/auth/tomcat_keystore
create mode 100644 sidecar/rproxy/config/auth/uri-authorization.json
(limited to 'sidecar/rproxy/config/auth')
diff --git a/sidecar/rproxy/config/auth/client-cert.p12 b/sidecar/rproxy/config/auth/client-cert.p12
new file mode 100644
index 0000000..dbf4fca
Binary files /dev/null and b/sidecar/rproxy/config/auth/client-cert.p12 differ
diff --git a/sidecar/rproxy/config/auth/tomcat_keystore b/sidecar/rproxy/config/auth/tomcat_keystore
new file mode 100644
index 0000000..99129c1
Binary files /dev/null and b/sidecar/rproxy/config/auth/tomcat_keystore differ
diff --git a/sidecar/rproxy/config/auth/uri-authorization.json b/sidecar/rproxy/config/auth/uri-authorization.json
new file mode 100644
index 0000000..29b152d
--- /dev/null
+++ b/sidecar/rproxy/config/auth/uri-authorization.json
@@ -0,0 +1,114 @@
+ [
+ {
+ "uri": "\/not\/allowed\/at\/all$",
+ "permissions": [
+ "test.auth.access\\|not\\|granted"
+ ]
+ },
+ {
+ "uri": "\/single\/permission\/required$",
+ "permissions": [
+ "test.single.access\\|single\\|permission"
+ ]
+ },
+ {
+ "uri": "\/multiple\/permissions\/required$",
+ "permissions": [
+ "test.multiple.access\\|first\\|permission",
+ "test.multiple.access\\|second\\|permission",
+ "test.multiple.access\\|third\\|permission"
+ ]
+ },
+ {
+ "uri": "\/multiple\/permissions\/required/one/missing$",
+ "permissions": [
+ "test.multiple.access\\|first\\|permission",
+ "test.multiple.access\\|second\\|permission",
+ "test.multiple.access\\|third\\|permission",
+ "test.multiple.access\\|fourth\\|permission"
+ ]
+ },
+ {
+ "uri": "\/wildcard\/permission\/granted$",
+ "permissions": [
+ "test.wildcard.access\\|first\\|permission",
+ "test.wildcard.access\\|second\\|permission",
+ "test.wildcard.access\\|third\\|consent"
+ ]
+ },
+ {
+ "uri": "\/instance\/wildcard\/permission\/granted$",
+ "permissions": [
+ "test.wildcard.access\\|first\\|permission",
+ "test.wildcard.access\\|second\\|permission",
+ "test.wildcard.access\\|third\\|permission"
+ ]
+ },
+ {
+ "uri": "\/action\/wildcard\/permission\/granted$",
+ "permissions": [
+ "test.wildcard.access\\|first\\|permission",
+ "test.wildcard.access\\|first\\|permission",
+ "test.wildcard.access\\|first\\|consent"
+ ]
+ },
+ {
+ "uri": "\/services\/getAAFRequest$",
+ "permissions": [
+ "test.auth.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/admin\/getAAFRequest$",
+ "permissions": [
+ "test.auth.access\\|admin\\|GET,PUT,POST"
+ ]
+ },
+ {
+ "uri": "\/service\/aai\/webapp\/index.html$",
+ "permissions": [
+ "test.auth.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/services\/aai\/webapp\/index.html$",
+ "permissions": [
+ "test.auth.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/$",
+ "permissions": [
+ "\\|services\\|GET",
+ "test\\.auth\\.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions$",
+ "permissions": [
+ "test\\.auth\\.access\\|rest\\|write",
+ "test\\.auth\\.access\\|rpc\\|write"
+ ]
+ },
+ {
+ "uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+$*",
+ "permissions": [
+ "test.auth.access\\|clouds\\|read",
+ "test.auth.access\\|tenants\\|read"
+ ]
+ },
+ {
+ "uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+\/tenants/tenant/[^\/]+/vservers/vserver/[^\/]+$",
+ "permissions": [
+ "test.auth.access\\|clouds\\|read",
+ "test.auth.access\\|tenants\\|read",
+ "test.auth.access\\|vservers\\|read"
+ ]
+ },
+ {
+ "uri": "\/rproxy\/.*",
+ "permissions": [
+ "org\\.access\\|rproxy\\|get"
+ ]
+ }
+ ]
\ No newline at end of file
--
cgit 1.2.3-korg
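Review bot: The cloud-region rule ends its `uri` pattern with `$*`, which quantifies the end anchor instead of anchoring. If the proxy matches by search rather than whole-string match (not visible in this file), that rule would also cover the deeper `.../tenants/tenant/.../vservers/vserver/...` paths and admit them without the `vservers|read` permission the following rule requires. The pattern should end in `[^\/]+[\/][^\/]+$` like its neighbours. The last rule, `\/rproxy\/.*`, has no end anchor either and no pattern starts with `^`, so it is worth confirming and documenting that the matcher requires a full match. The permission strings are also inconsistent as regexes: most leave the dots in `test.auth.access` unescaped while the `\/$` and cloud-regions rules write `test\\.auth\\.access`, and `\\|services\\|GET` in the `\/$` rule has an empty namespace, which under unanchored matching would presumably accept that type and action from any namespace.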