diff options
author | Ravi Geda <gravik@amdocs.com> | 2018-11-07 22:37:16 +0000 |
---|---|---|
committer | Alexis de Talhouƫt <alexis.de_talhouet@bell.ca> | 2018-12-04 13:00:09 +0000 |
commit | 97a8b0f8162138d048cc6f7b1f901f1787fa1b17 (patch) | |
tree | 583f6f47b76061332b947934d641a2562adb4153 /charts/aai-resources/resources | |
parent | 2befacb93c4477c2dfd822a44ae83adb99fb94d0 (diff) |
Add Pluggable Security to aai-resources
Note that by default this feature is turned off. To enable update the
installSidecarSecurity in aai/values.yaml to true.
Change-Id: If5d2be859ead2f0bd81aabb4fde749f105974bcf
Issue-ID: AAF-616
Signed-off-by: Ravi Geda <gravik@amdocs.com>
Diffstat (limited to 'charts/aai-resources/resources')
18 files changed, 571 insertions, 0 deletions
diff --git a/charts/aai-resources/resources/config/auth/aai_policy.json b/charts/aai-resources/resources/config/auth/aai_policy.json new file mode 100644 index 0000000..65f13ef --- /dev/null +++ b/charts/aai-resources/resources/config/auth/aai_policy.json @@ -0,0 +1,298 @@ +{ + "roles": [ + { + "name": "admin", + "functions": [ + { + "name": "actions", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + }, + { + "name": "servers", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + }, + { + "name": "cloudinfra", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + }, + { + "name": "cloud-infrastructure", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + }, + { + "name": "sdandc", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + }, + { + "name": "service-design-and-creation", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + }, + { + "name": "business", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + }, + { + "name": "network", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + }, + { + "name": "search", + "methods": [ + { + "name": "GET" + }, + { + "name": "POST" + } + ] + }, + { + "name": "util", + "methods": [ + { + "name": "GET" + } + ] + }, + { + "name": "license-management", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + }, + { + "name": "examples", + "methods": [ + { + "name": "GET" + } + ] + }, + { + "name": "resources", + "methods": [ + { + "name": "GET" + } + ] + }, + { + "name": "generateurl", + "methods": [ + { + "name": "GET" + } + ] + }, + { + "name": "bulkadd", + "methods": [ + { + "name": "PUT" + } + ] + }, + { + "name": "nodes", + "methods": [ + { + "name": "GET" + } + ] + }, + { + "name": "query", + "methods": [ + { + "name": "PUT" + } + ] + }, + { + "name": "dbquery", + "methods": [ + { + "name": "PUT" + } + ] + }, + { + "name": "bulk", + "methods": [ + { + "name": "POST" + } + ] + }, + { + "name": "bulkprocess", + "methods": [ + { + "name": "PUT" + } + ] + }, + { + "name": "recents", + "methods": [ + { + "name": "GET" + } + ] + }, + { + "name": "dsl", + "methods": [ + { + "name": "PUT" + } + ] + }, + { + "name": "common", + "methods": [ + { + "name": "GET" + }, + { + "name": "DELETE" + }, + { + "name": "PUT" + } + ] + } + ], + "users": [ + { + "username": "CN=aai, OU=OSAAF, OU=aai@aai.onap.org, O=ONAP, C=US" + } + ] + }, + { + "name": "basicauth", + "functions": [ + { + "name": "util", + "methods": [ + { + "name": "GET" + } + ] + } + ], + "users": [ + { + "user": "aai", + "pass": "OBF:1u2a1t2v1vgb1s3g1s3m1vgj1t3b1u30" + } + ] + }, + { + "name": "HAProxy", + "functions": [ + { + "name": "util", + "methods": [ + { + "name": "GET" + } + ] + } + ], + "users": [ + { + "username": "CN=haproxyuser, OU=OSAAF, OU=aai@aai.onap.org, O=ONAP, C=US" + } + ] + } + ] +} diff --git a/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12 b/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12 Binary files differnew file mode 100644 index 0000000..d9fe86e --- /dev/null +++ b/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12 diff --git a/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststore b/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststore Binary files differnew file mode 100644 index 0000000..f6ebc75 --- /dev/null +++ b/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststore diff --git a/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystore b/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystore Binary files differnew file mode 100644 index 0000000..9eec841 --- /dev/null +++ b/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystore diff --git a/charts/aai-resources/resources/fproxy/config/fproxy.properties b/charts/aai-resources/resources/fproxy/config/fproxy.properties new file mode 100644 index 0000000..f512fb7 --- /dev/null +++ b/charts/aai-resources/resources/fproxy/config/fproxy.properties @@ -0,0 +1,2 @@ +credential.cache.timeout.ms=180000 +transactionid.header.name=X-TransactionId
\ No newline at end of file diff --git a/charts/aai-resources/resources/fproxy/config/logback-spring.xml b/charts/aai-resources/resources/fproxy/config/logback-spring.xml new file mode 100644 index 0000000..4fae434 --- /dev/null +++ b/charts/aai-resources/resources/fproxy/config/logback-spring.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<configuration> + + <property name="LOGS" value="./logs/AAF-FPS" /> + <property name="FILEPREFIX" value="application" /> + + <appender name="Console" + class="ch.qos.logback.core.ConsoleAppender"> + <layout class="ch.qos.logback.classic.PatternLayout"> + <Pattern> + %d{ISO8601} %-5level [%t] %C{1.}: %msg%n%throwable + </Pattern> + </layout> + </appender> + + <appender name="RollingFile" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${LOGS}/${FILEPREFIX}.log</file> + <encoder + class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <Pattern>%d %p %C{1.} [%t] %m%n</Pattern> + </encoder> + + <rollingPolicy + class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <!-- rollover daily and when the file reaches 10 MegaBytes --> + <fileNamePattern>${LOGS}/archived/${FILEPREFIX}-%d{yyyy-MM-dd}.%i.log + </fileNamePattern> + <timeBasedFileNamingAndTriggeringPolicy + class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP"> + <maxFileSize>10MB</maxFileSize> + </timeBasedFileNamingAndTriggeringPolicy> + </rollingPolicy> + </appender> + + <!-- LOG everything at INFO level --> + <root level="info"> + <appender-ref ref="RollingFile" /> + <appender-ref ref="Console" /> + </root> + + <!-- LOG "com.baeldung*" at TRACE level --> + <logger name="org.onap.aaf.fproxy" level="trace" additivity="false"> + <appender-ref ref="RollingFile" /> + <appender-ref ref="Console" /> + </logger> + +</configuration>
\ No newline at end of file diff --git a/charts/aai-resources/resources/fproxy/config/readme.txt b/charts/aai-resources/resources/fproxy/config/readme.txt new file mode 100644 index 0000000..79cf29e --- /dev/null +++ b/charts/aai-resources/resources/fproxy/config/readme.txt @@ -0,0 +1 @@ +Relevant configuration files need to be copied here to successfully run this service locally.
\ No newline at end of file diff --git a/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12 b/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12 Binary files differnew file mode 100644 index 0000000..071d407 --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12 diff --git a/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12 b/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12 Binary files differnew file mode 100644 index 0000000..023e2ea --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12 diff --git a/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystore b/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystore Binary files differnew file mode 100644 index 0000000..6ad5f51 --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystore diff --git a/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json b/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json new file mode 100644 index 0000000..e23c03d --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json @@ -0,0 +1,99 @@ +[ + { + "uri": "\/not\/allowed\/at\/all$", + "permissions": [ + "test.auth.access.ifYouLikedItYouShouldHavePutAPermissionOnIt" + ] + }, + { + "uri": "\/one\/auth\/required$", + "permissions": [ + "test.auth.access.aSimpleSingleAuth" + ] + }, + { + "uri": "\/multi\/auth\/required$", + "permissions": [ + "test.auth.access.aMultipleAuth1", + "test.auth.access.aMultipleAuth2", + "test.auth.access.aMultipleAuth3" + ] + }, + { + "uri": "\/one\/[^\/]+\/required$", + "permissions": [ + "test.auth.access.aSimpleSingleAuth" + ] + }, + { + "uri": "\/services\/getAAFRequest$", + "permissions": [ + "test.auth.access|services|GET,PUT" + ] + }, + { + "uri": "\/admin\/getAAFRequest$", + "permissions": [ + "test.auth.access|admin|GET,PUT,POST" + ] + }, + { + "uri": "\/service\/aai\/webapp\/index.html$", + "permissions": [ + "test.auth.access|services|GET,PUT" + ] + }, + { + "uri": "\/services\/aai\/webapp\/index.html$", + "permissions": [ + "test.auth.access|services|GET,PUT" + ] + }, + { + "uri": "\/$", + "permissions": [ + "\\|services\\|GET", + "test\\.auth\\.access\\|services\\|GET,PUT" + ] + }, + { + "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions$", + "permissions": [ + "test\\.auth\\.access\\|rest\\|read" + ] + }, + { + "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+$*", + "permissions": [ + "test.auth.access|clouds|read", + "test.auth.access|tenants|read" + ] + }, + { + "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+\/tenants/tenant/[^\/]+/vservers/vserver/[^\/]+$", + "permissions": [ + "test.auth.access|clouds|read", + "test.auth.access|tenants|read", + "test.auth.access|vservers|read" + ] + }, + { + "uri": "\/backend$", + "permissions": [ + "test\\.auth\\.access\\|services\\|GET,PUT", + "\\|services\\|GET" + ] + }, + { + "uri": "\/aai\/.*", + "permissions": [ + "org\\.onap\\.aai\\.resources\\|\\*\\|.*" + ] + }, + { + "uri": "\/aai\/util\/echo", + "permissions": [ + "org\\.onap\\.aai\\.resources\\|\\*\\|.*" + ] + } +] diff --git a/charts/aai-resources/resources/rproxy/config/cadi.properties b/charts/aai-resources/resources/rproxy/config/cadi.properties new file mode 100644 index 0000000..c2b628d --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/cadi.properties @@ -0,0 +1,39 @@ +# This is a normal Java Properties File +# Comments are with Pound Signs at beginning of lines, +# and multi-line expression of properties can be obtained by backslash at end of line + +#hostname is used for local testing where you may have to set your hostname to **.att.com or **.sbc.com. The example given below +#will allow for an ATT cross domain cookie to be used for GLO. If you are running on Windows corp machine, your machine name +#may be used automatically by cadi. However, if it is not, you will need to use hostname=mywebserver.att.com and add mywebserver.att.com +#to your hosts file on your machine. +#hostname=test.aic.cip.att.com + +cadi_loglevel=DEBUG + +# OAuth2 +aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.0/token +aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.0/introspect + +cadi_latitude=37.78187 +cadi_longitude=-122.26147 + +# Locate URL (which AAF Env) +aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 + +# AAF URL +aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.0 + +cadi_keyfile=/opt/app/rproxy/config/security/keyfile +cadi_keystore=/opt/app/rproxy/config/auth/org.onap.aai.p12 +cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5INQjrea7GTV +cadi_alias=aai@aai.onap.org +cadi_truststore=/opt/app/rproxy/config/auth/tomcat_keystore +cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 + +aaf_env=DEV + +aaf_id=demo@people.osaaf.org +aaf_password=enc:92w4px0y_rrm265LXLpw58QnNPgDXykyA1YTrflbAKz + +# This is a colon separated list of client cert issuers +cadi_x509_issuers=CN=ONAP, OU=ONAP, O=ONAP, L=Ottawa, ST=Ontario, C=CA diff --git a/charts/aai-resources/resources/rproxy/config/forward-proxy.properties b/charts/aai-resources/resources/rproxy/config/forward-proxy.properties new file mode 100644 index 0000000..1b58d42 --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/forward-proxy.properties @@ -0,0 +1,4 @@ +forward-proxy.protocol = https +forward-proxy.host = localhost +forward-proxy.port = 10680 +forward-proxy.cacheurl = /credential-cache
\ No newline at end of file diff --git a/charts/aai-resources/resources/rproxy/config/logback-spring.xml b/charts/aai-resources/resources/rproxy/config/logback-spring.xml new file mode 100644 index 0000000..57bc4e2 --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/logback-spring.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<configuration> + + <property name="LOGS" value="./logs/reverse-proxy" /> + <property name="FILEPREFIX" value="application" /> + + <appender name="Console" + class="ch.qos.logback.core.ConsoleAppender"> + <layout class="ch.qos.logback.classic.PatternLayout"> + <Pattern> + %d{ISO8601} %-5level [%t] %C{1.}: %msg%n%throwable + </Pattern> + </layout> + </appender> + + <appender name="RollingFile" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${LOGS}/${FILEPREFIX}.log</file> + <encoder + class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <Pattern>%d %p %C{1.} [%t] %m%n</Pattern> + </encoder> + + <rollingPolicy + class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <!-- rollover daily and when the file reaches 10 MegaBytes --> + <fileNamePattern>${LOGS}/archived/${FILEPREFIX}-%d{yyyy-MM-dd}.%i.log + </fileNamePattern> + <timeBasedFileNamingAndTriggeringPolicy + class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP"> + <maxFileSize>10MB</maxFileSize> + </timeBasedFileNamingAndTriggeringPolicy> + </rollingPolicy> + </appender> + + <!-- LOG everything at INFO level --> + <root level="debug"> + <appender-ref ref="RollingFile" /> + <appender-ref ref="Console" /> + </root> + + <!-- LOG "com.baeldung*" at TRACE level --> + <logger name="org.onap.aaf.rproxy" level="trace" additivity="false"> + <appender-ref ref="RollingFile" /> + <appender-ref ref="Console" /> + </logger> + +</configuration> diff --git a/charts/aai-resources/resources/rproxy/config/primary-service.properties b/charts/aai-resources/resources/rproxy/config/primary-service.properties new file mode 100644 index 0000000..2c89d28 --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/primary-service.properties @@ -0,0 +1,3 @@ +primary-service.protocol = https +primary-service.host = localhost +primary-service.port = 8447 diff --git a/charts/aai-resources/resources/rproxy/config/readme.txt b/charts/aai-resources/resources/rproxy/config/readme.txt new file mode 100644 index 0000000..79cf29e --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/readme.txt @@ -0,0 +1 @@ +Relevant configuration files need to be copied here to successfully run this service locally.
\ No newline at end of file diff --git a/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties b/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties new file mode 100644 index 0000000..8d46e1f --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties @@ -0,0 +1 @@ +transactionid.header.name=X-TransactionId
\ No newline at end of file diff --git a/charts/aai-resources/resources/rproxy/config/security/keyfile b/charts/aai-resources/resources/rproxy/config/security/keyfile new file mode 100644 index 0000000..3416d4a --- /dev/null +++ b/charts/aai-resources/resources/rproxy/config/security/keyfile @@ -0,0 +1,27 @@ +2otP92kNFHdexroZxvgYY7ffslFiwCD3CiVYMIfUF2edqZK7972NwkvE_mbaBo6jh8lByLIqrWAf +jyzoiVsvQ_kCa0cS1xaRLpcxv3bx1b7o3hGPBqpd6vmSG4y2JLzNlCBZWuTJz827wr8p_fWrYuUm +4L1WoaEe8W5PRnXjl4hDqbJBAlEoRIBXugUDt_7O5wgx2Rl3HVoOczZtf0RzONZ1F0BmKf3QlAUe +moSbARitYRgIPt5sLbT7qPyoEpGDhQ1XBowR744-wsjBc-14yO62Ajp5xWKTp15uWn3_HHuw1SAf +GWSBRGlSlEVkXQqi9Hw5jDttKVzHX1ckwR0SQOirbtHPHplxPX3WKjKhSdSeMzw6LOAHIQYRMKBT +74oGnULAfPtV7TaGwOKriT3P49CoPdt9On89-LGyCZSxDWKH0K-rgB6I2_hPT2Uzr3jmXiMa-sfh +iMvyQ7ABBVx0OFsUuNb5mcU2O6dWiQreL5RerrloV_X3ZtnNjxENXKjQ5KBR1A5ISPjFFK-kf4Rb +p6FSII8LcsiqgdWuZ4GX_C6x8HX4A-vD0x3Uc9CfoXY-k23cNIy-R-W-oB-P2OgdWDNgZ7VaOLNt +3L-NwWpNblfYvs93cNmkbVAwCZ3r0OP7RFeuON84TRaynK_Fh2S3rypRyJcUmM1pvpZqJ5_-umSW +hUs1OqkdLv3xjlVzzK-3nMr0q3Zcyp4XdyLYtcX5I3Xqk9ZcsyAT7ghmHhV8KjUjue7OcfAWg0m7 +RJLGq6VC8HeK4HEMa4lF677Qh7DRufghIDEmQSIDfGA790WGSA8HqcOvAL4hURCHyCWiPa5i8ksX +xX4HyqF8PCVCLJ_ZhzcuIlc0jStAexWbJU_vcyX7XgUaHCkF-M-zv1FP6Z3DHBMD2QqSWjmyNCCk +8sIuwzs62P_j2o9jG33kssedCrUWOwZancU107-5H0Zw-UWvtCqUfmRZ7TsEbWY7lk_SKfLfAN5q +ncOQgU_VxDXUFDST4LN_WVECRafK3UtwWomxWSji25Lbf6NVni3ok-yLMDZR-wrE-54jLPES9j0i +5N0xrk9CfsvGUpUZ1_XQcgaxI6m27DtCCJXb5ywenPBiUIJCMCTq88CqNZxGpju2i4BJcUH2hUHe +GKhO8pgslwhtEVot9EDwdzSrJkWFCfb6ud4zMxrqdi7-mLWMOydg6lhpEFEX5wu2BLIujGsZlEGE +_K9jGfBypjXuJCKDZIuPfEnf_7idjKis_JcFB7x4Hx2HHDcBjlWWFZN_VIEnPkQSyZEC26RTFP3k +zkY3GwUfA36a4XW2pu3gE9wz-W6fkONfzOZ6YiyCm_dRFUVuGSdJG02Hh5iXYlMOGJltPzWH2jVf +S-QTOmXQTKSOheXoJO6O-9uQbsRf-kq-6w1pvIOp4ms35w4_0Xj0Xr2a9y-L9PdBZvrUsa-jxsZU +LyA-YY4Ej6QwDBDTD2MGjF1E5_ekYgjoNlltM9rJjofruM4ym0n7LPHC7YXXQSEFOZYeTKi6wUDw +hQ1DoWHgu4PQ2lexada8sxQdConbPe2iW16h-PrO5D12E4XbT00fqaMlBmjQwzdNRdCC2NRPIQ5W +nwaO8dZ9yjxsjT7ZVHb9-DRblb3XDocponzxVXqUGtJAie4WXQnerX0ApTWGaHEr5y56JJVS_3LP +bKrbXBXcs4jTUX4ECXRrOs8JQDQNysXhvTPCu0XUxNZpjx6KLxDs93k2OcESHjl5J6n6OKKJqqoN +JEyFO5LGXpnmUJbn0-CaHHPRI1mHwEu4brY8wDZd9A0PD1KGXDoCHMfEk1lGblQdyOcVrXZ6uSBk +Z6zHDnwSCHO1mPYqtelJQehZoFuPSv9PIgKLxs_qJOtZFnXII5YO1mGXgiIBWBjUFDR5HG4ENS6y +J4MCF-JLMp-PVMAkOaCIQRRDpRnMm_fT1sc_P562Diu_pcdt-r55pMFQYGoGfjRmxQBKk0-SsdnP +mlZIiis9DfQEN0q3QQdNRYBJD7tmhUwhAPZdLgXqJA8sZf8UyFQhhpsky79NT343YL9smUlF
\ No newline at end of file |