diff options
Diffstat (limited to 'aai-traversal/src/it')
6 files changed, 552 insertions, 0 deletions
diff --git a/aai-traversal/src/it/java/org/onap/aai/multitenancy/KeycloakTestConfiguration.java b/aai-traversal/src/it/java/org/onap/aai/multitenancy/KeycloakTestConfiguration.java new file mode 100644 index 0000000..01f335a --- /dev/null +++ b/aai-traversal/src/it/java/org/onap/aai/multitenancy/KeycloakTestConfiguration.java @@ -0,0 +1,73 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.multitenancy; + +import com.github.dockerjava.api.model.ExposedPort; +import com.github.dockerjava.api.model.HostConfig; +import com.github.dockerjava.api.model.PortBinding; +import com.github.dockerjava.api.model.Ports; +import dasniko.testcontainers.keycloak.KeycloakContainer; +import org.keycloak.adapters.springboot.KeycloakSpringBootProperties; +import org.keycloak.admin.client.Keycloak; +import org.keycloak.admin.client.KeycloakBuilder; +import org.keycloak.representations.adapters.config.AdapterConfig; +import org.springframework.boot.test.context.TestConfiguration; +import org.springframework.context.annotation.Bean; + +@TestConfiguration +class KeycloakTestConfiguration { + + @Bean + public AdapterConfig adapterConfig() { + return new KeycloakSpringBootProperties(); + } + + @Bean + KeycloakContainer keycloakContainer(KeycloakTestProperties properties) { + KeycloakContainer keycloak = new KeycloakContainer("jboss/keycloak:12.0.4") + .withRealmImportFile(properties.realmJson) + .withCreateContainerCmdModifier(cmd -> cmd.withHostConfig( + new HostConfig().withPortBindings(new PortBinding(Ports.Binding.bindPort(Integer.parseInt(properties.port)), new ExposedPort(8080))) + )); + keycloak.start(); + return keycloak; + } + + @Bean + Keycloak keycloakAdminClient(KeycloakContainer keycloak, KeycloakTestProperties properties) { + return KeycloakBuilder.builder() + .serverUrl(keycloak.getAuthServerUrl()) + .realm(properties.realm) + .clientId(properties.adminCli) + .username(keycloak.getAdminUsername()) + .password(keycloak.getAdminPassword()) + .build(); + } + + @Bean + RoleHandler roleHandler(Keycloak adminClient, KeycloakTestProperties properties) { + return new RoleHandler(adminClient, properties); + } + + @Bean + KeycloakTestProperties properties() { + return new KeycloakTestProperties(); + } +} diff --git a/aai-traversal/src/it/java/org/onap/aai/multitenancy/KeycloakTestProperties.java b/aai-traversal/src/it/java/org/onap/aai/multitenancy/KeycloakTestProperties.java new file mode 100644 index 0000000..de62d2d --- /dev/null +++ b/aai-traversal/src/it/java/org/onap/aai/multitenancy/KeycloakTestProperties.java @@ -0,0 +1,44 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.multitenancy; + +import org.springframework.beans.factory.annotation.Value; + +class KeycloakTestProperties { + + @Value("${test.keycloak.realm.json}") + public String realmJson; + + @Value("${keycloak.realm}") + public String realm; + + @Value("${keycloak.resource}") + public String clientId; + + @Value("${test.keycloak.client.secret}") + public String clientSecret; + + @Value("${test.keycloak.admin.cli}") + public String adminCli; + + @Value("${test.keycloak.auth-server-port}") + public String port; + +} diff --git a/aai-traversal/src/it/java/org/onap/aai/multitenancy/MultiTenancyIT.java b/aai-traversal/src/it/java/org/onap/aai/multitenancy/MultiTenancyIT.java new file mode 100644 index 0000000..e34ac2b --- /dev/null +++ b/aai-traversal/src/it/java/org/onap/aai/multitenancy/MultiTenancyIT.java @@ -0,0 +1,189 @@ +/** + * ============LICENSE_START================================================== + * org.onap.aai + * =========================================================================== + * Copyright © 2017-2020 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + */ +package org.onap.aai.multitenancy; + +import com.jayway.jsonpath.JsonPath; +import dasniko.testcontainers.keycloak.KeycloakContainer; +import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversalSource; +import org.janusgraph.core.JanusGraphTransaction; +import org.junit.Test; +import org.keycloak.admin.client.Keycloak; +import org.keycloak.admin.client.KeycloakBuilder; +import org.keycloak.representations.AccessTokenResponse; +import org.onap.aai.PayloadUtil; +import org.onap.aai.dbmap.AAIGraph; +import org.onap.aai.rest.AbstractSpringRestTest; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Import; +import org.springframework.http.*; +import org.springframework.test.context.TestPropertySource; + +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import static org.junit.Assert.*; + +@Import(KeycloakTestConfiguration.class) +@TestPropertySource(locations = "classpath:application-keycloak-test.properties") +public class MultiTenancyIT extends AbstractSpringRestTest { + + @Autowired + private KeycloakContainer keycloakContainer; + @Autowired + private RoleHandler roleHandler; + @Autowired + private KeycloakTestProperties properties; + + @Override + public void createTestGraph() { + JanusGraphTransaction transaction = AAIGraph.getInstance().getGraph().newTransaction(); + boolean success = true; + + try { + GraphTraversalSource g = transaction.traversal(); + + g.addV().property("aai-node-type", "pnf") + .property("pnf-name", "test-pnf-name-01") + .property("prov-status", "in_service") + .property("data-owner", "operator") + .property("in-maint", false) + .property("source-of-truth", "JUNIT") + .property("aai-uri", "/network/pnfs/pnf/test-pnf-name-01").next(); + + g.addV().property("aai-node-type", "pnf") + .property("pnf-name", "test-pnf-name-02") + .property("prov-status", "in_service") + .property("in-maint", false) + .property("source-of-truth", "JUNIT") + .property("aai-uri", "/network/pnfs/pnf/test-pnf-name-02").next(); + + g.addV().property("aai-node-type", "pnf") + .property("pnf-name", "test-pnf-name-03") + .property("prov-status", "in_service") + .property("data-owner", "selector") + .property("in-maint", false) + .property("source-of-truth", "JUNIT") + .property("aai-uri", "/network/pnfs/pnf/test-pnf-name-03").next(); + + g.addV().property("aai-node-type", "pnf") + .property("pnf-name", "test-pnf-name-04") + .property("prov-status", "in_service") + .property("data-owner", "selector") + .property("in-maint", false) + .property("source-of-truth", "JUNIT") + .property("aai-uri", "/network/pnfs/pnf/test-pnf-name-04").next(); + + g.addV().property("aai-node-type", "pnf") + .property("pnf-name", "test-pnf-name-05") + .property("prov-status", "in_service") + .property("data-owner", "selector") + .property("in-maint", false) + .property("source-of-truth", "JUNIT") + .property("aai-uri", "/network/pnfs/pnf/test-pnf-name-05").next(); + } catch (Exception ex) { + success = false; + } finally { + if (success) { + transaction.commit(); + } else { + transaction.rollback(); + fail("Unable to setup the graph"); + } + } + } + + @Test + public void testDslQueryWithDataOwner() throws Exception { + baseUrl = "http://localhost:" + randomPort; + String endpoint = baseUrl + "/aai/v23/dsl?format=console"; + List<Object> queryResults = null; + ResponseEntity responseEntity = null; + + Map<String, String> dslQueryMap = new HashMap<>(); + dslQueryMap.put("dsl-query", "pnf*('prov-status','in_service') "); + String payload = PayloadUtil.getTemplatePayload("dsl-query.json", dslQueryMap); + + // get pnf with ran (operator) + String username = "ran", password = "ran"; + headers = this.getHeaders(username, password); + httpEntity = new HttpEntity(payload, headers); + responseEntity = restTemplate.exchange(endpoint, HttpMethod.PUT, httpEntity, String.class); + queryResults = JsonPath.read(responseEntity.getBody().toString(), "$.results"); + assertEquals(HttpStatus.OK, responseEntity.getStatusCode()); + assertEquals(queryResults.size(), 2); + + // get pnf with bob (operator_readOnly) + username = "bob"; password = "bob"; + headers = this.getHeaders(username, password); + httpEntity = new HttpEntity(payload, headers); + responseEntity = restTemplate.exchange(endpoint, HttpMethod.PUT, httpEntity, String.class); + queryResults = JsonPath.read(responseEntity.getBody().toString(), "$.results"); + assertEquals(HttpStatus.OK, responseEntity.getStatusCode()); + assertEquals(queryResults.size(), 2); + + // get pnf with ted (selector) + username = "ted"; password = "ted"; + headers = this.getHeaders(username, password); + httpEntity = new HttpEntity(payload, headers); + responseEntity = restTemplate.exchange(endpoint, HttpMethod.PUT, httpEntity, String.class); + queryResults = JsonPath.read(responseEntity.getBody().toString(), "$.results"); + assertEquals(HttpStatus.OK, responseEntity.getStatusCode()); + assertEquals(queryResults.size(), 4); + + // add role to ted and try to get pnf again + roleHandler.addToUser(RoleHandler.OPERATOR, username); + headers = this.getHeaders(username, password); + httpEntity = new HttpEntity(payload, headers); + responseEntity = restTemplate.exchange(endpoint, HttpMethod.PUT, httpEntity, String.class); + queryResults = JsonPath.read(responseEntity.getBody().toString(), "$.results"); + assertEquals(HttpStatus.OK, responseEntity.getStatusCode()); + assertEquals(queryResults.size(), 5); + } + + private HttpHeaders getHeaders(String username, String password) { + HttpHeaders headers = new HttpHeaders(); + + headers.setContentType(MediaType.APPLICATION_JSON); + headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON)); + headers.add("Real-Time", "true"); + headers.add("X-FromAppId", "JUNIT"); + headers.add("X-TransactionId", "JUNIT"); + headers.add("Authorization", "Bearer " + getStringToken(username, password)); + + return headers; + } + + private String getStringToken(String username, String password) { + Keycloak keycloakClient = KeycloakBuilder.builder() + .serverUrl(keycloakContainer.getAuthServerUrl()) + .realm(properties.realm) + .clientId(properties.clientId) + .clientSecret(properties.clientSecret) + .username(username) + .password(password) + .build(); + + AccessTokenResponse tokenResponse = keycloakClient.tokenManager().getAccessToken(); + assertNotNull(tokenResponse); + return tokenResponse.getToken(); + } +} diff --git a/aai-traversal/src/it/java/org/onap/aai/multitenancy/RoleHandler.java b/aai-traversal/src/it/java/org/onap/aai/multitenancy/RoleHandler.java new file mode 100644 index 0000000..4224c2f --- /dev/null +++ b/aai-traversal/src/it/java/org/onap/aai/multitenancy/RoleHandler.java @@ -0,0 +1,56 @@ +/** + * ============LICENSE_START======================================================= + * org.onap.aai + * ================================================================================ + * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aai.multitenancy; + +import org.keycloak.admin.client.Keycloak; +import org.keycloak.admin.client.resource.RealmResource; + +import java.util.Collections; + +class RoleHandler { + + /** + Following roles should be the same as given roles in multi-tenancy-realm json file + */ + final static String OPERATOR = "operator"; + private final Keycloak adminClient; + private final KeycloakTestProperties properties; + + RoleHandler(Keycloak adminClient, KeycloakTestProperties properties) { + this.adminClient = adminClient; + this.properties = properties; + } + + void addToUser(String role, String username) { + RealmResource realm = adminClient.realm(properties.realm); + realm.users().get(username) + .roles() + .realmLevel() + .add(Collections.singletonList(realm.roles().get(role).toRepresentation())); + } + + void removeFromUser(String role, String username) { + RealmResource realm = adminClient.realm(properties.realm); + realm.users().get(username) + .roles() + .realmLevel() + .remove(Collections.singletonList(realm.roles().get(role).toRepresentation())); + } +} diff --git a/aai-traversal/src/it/resources/application-keycloak-test.properties b/aai-traversal/src/it/resources/application-keycloak-test.properties new file mode 100644 index 0000000..0959099 --- /dev/null +++ b/aai-traversal/src/it/resources/application-keycloak-test.properties @@ -0,0 +1,17 @@ +test.keycloak.realm.json=multi-tenancy-realm.json +test.keycloak.client.secret=secret +test.keycloak.admin.cli=admin-cli +test.keycloak.auth-server-port=58181 + +keycloak.auth-server-url=http://localhost:58181/auth +keycloak.realm=aai-resources +keycloak.resource=aai-resources-app +keycloak.public-client=true +keycloak.principal-attribute=preferred_username + +keycloak.ssl-required=external +keycloak.bearer-only=true + +multi.tenancy.enabled=true +spring.profiles.active=production,keycloak +schema.version.list=v10,v11,v12,v13,v14,v15,v23 diff --git a/aai-traversal/src/it/resources/multi-tenancy-realm.json b/aai-traversal/src/it/resources/multi-tenancy-realm.json new file mode 100644 index 0000000..401187b --- /dev/null +++ b/aai-traversal/src/it/resources/multi-tenancy-realm.json @@ -0,0 +1,173 @@ +{ + "id": "aai-resources", + "realm": "aai-resources", + "notBefore": 0, + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "users": [ + { + "username": "admin", + "enabled": true, + "credentials": [ + { + "type": "password", + "value": "admin" + } + ], + "clientRoles": { + "realm-management": ["manage-users", "view-clients", "view-realm", "view-users"] + } + }, + { + "id": "ran", + "username": "ran", + "enabled": true, + "credentials": [ + { + "type": "password", + "value": "ran" + } + ], + "realmRoles": [ + "operator" + ] + }, + { + "id": "bob", + "username": "bob", + "enabled": true, + "credentials": [ + { + "type": "password", + "value": "bob" + } + ], + "realmRoles": [ + "operator_readOnly" + ] + }, + { + "id": "ted", + "username": "ted", + "enabled": true, + "credentials": [ + { + "type": "password", + "value": "ted" + } + ], + "realmRoles": [ + "selector" + ] + } + ], + "roles": { + "realm": [ + { + "name": "operator", + "description": "Operator privileges" + }, + { + "name": "operator_readOnly", + "description": "Operator's read only privileges" + }, + { + "name": "selector", + "description": "Selector privileges" + }, + { + "name": "selector_readOnly", + "description": "Selector's read only privileges" + }, + { + "name": "admin", + "description": "Administrator privileges" + } + ] + }, + "clients": [ + { + "clientId": "aai-resources-app", + "enabled": true, + "secret": "secret", + "directAccessGrantsEnabled": true, + "authorizationServicesEnabled": true, + "authorizationSettings": { + "allowRemoteResourceManagement": true, + "policyEnforcementMode": "ENFORCING" + } + } + ], + "defaultDefaultClientScopes": [ + "roles", + "email", + "web-origins", + "profile", + "role_list" + ], + "clientScopes": [ + { + "id": "0f7dfd8b-c230-4664-8d77-da85bcc4fe2a", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "4b9f8798-8990-4c0d-87d3-034e72655e3b", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String" + } + } + ] + } + ] +}
\ No newline at end of file |