author | KAPIL SINGAL <ks220y@att.com> | 2021-08-09 02:00:54 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2021-08-09 02:00:54 +0000 |
commit | a6103b2d4971c0003a27be5fc589baf57222dc73 (patch) | |
tree | 43a01dda8c2cbf94fbaafa89b2c70d6c9aa3c9bd | |
parent | 72384f4cf8aa066e18cf4712a545c70ec23638f4 (diff) | |
parent | ea50c8f5ac2e2cfa30512acd4ab1e72c2a36b278 (diff) |
Merge "Support for external identity providers"
10 files changed, 380 insertions, 65 deletions
diff --git a/sdnr/wt/oauth-provider/provider-jar/pom.xml b/sdnr/wt/oauth-provider/provider-jar/pom.xml index f440a544e..b73602d36 100644 --- a/sdnr/wt/oauth-provider/provider-jar/pom.xml +++ b/sdnr/wt/oauth-provider/provider-jar/pom.xml @@ -50,15 +50,6 @@ <maven.javadoc.skip>true</maven.javadoc.skip> <checkstyle.skip>true</checkstyle.skip> </properties> - <dependencyManagement> - <dependencies> - <dependency> - <groupId>org.apache.shiro</groupId> - <artifactId>shiro-core</artifactId> - <version>1.3.2</version> - </dependency> - </dependencies> - </dependencyManagement> <dependencies> <dependency> <groupId>${project.groupId}</groupId> @@ -70,7 +61,6 @@ <artifactId>jackson-databind</artifactId> <scope>provided</scope> </dependency> - <dependency> <groupId>com.auth0</groupId> <artifactId>java-jwt</artifactId> @@ -89,7 +79,6 @@ <dependency> <groupId>com.highstreet-technologies.aaa</groupId> <artifactId>aaa-shiro</artifactId> - <version>0.12.3</version> <exclusions> <!-- <exclusion> --> <!-- <groupId>org.opendaylight.aaa</groupId> --> diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java index a71f4c7dc..a6dff6769 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java 
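Review bot: The `<dependencyManagement>` pin of shiro-core 1.3.2 and the explicit aaa-shiro 0.12.3 version are dropped without saying where those versions now come from; presumably the parent POM or an imported BOM, which this hunk does not show. Because the Shiro version is security-relevant and `AuthHttpServlet` now imports Shiro APIs directly, a one-line comment next to the aaa-shiro dependency such as `<!-- version managed by the parent POM -->` would let a reader confirm the effective version without diffing the parent.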
@@ -57,9 +57,8 @@ public class Config { @Override public String toString() { - return "Config [providers=" + providers + ", redirectUri=" + redirectUri - + ", supportOdlUsers=" + supportOdlUsers + ", tokenSecret=" + tokenSecret + ", tokenIssuer=" - + tokenIssuer + "]"; + return "Config [providers=" + providers + ", redirectUri=" + redirectUri + ", supportOdlUsers=" + + supportOdlUsers + ", tokenSecret=" + tokenSecret + ", tokenIssuer=" + tokenIssuer + "]"; } @@ -130,6 +129,11 @@ public class Config { if (isEnvExpression(supportOdlUsers)) { this.supportOdlUsers = getProperty(supportOdlUsers, null); } + if (this.providers != null && !this.providers.isEmpty()) { + for(OAuthProviderConfig cfg : this.providers) { + cfg.handleEnvironmentVars(); + } + } } @JsonIgnore @@ -154,9 +158,11 @@ public class Config { static boolean isEnvExpression(String key) { return key != null && key.contains(ENVVARIABLE); } + public static String generateSecret() { return generateSecret(30); } + public static String generateSecret(int targetStringLength) { int leftLimit = 48; // numeral '0' int rightLimit = 122; // letter 'z' @@ -234,8 +240,9 @@ public class Config { public static Config getInstance() throws IOException { return getInstance(DEFAULT_CONFIGFILENAME); } + public static Config getInstance(String filename) throws IOException { - if(_instance==null) { + if (_instance == null) { _instance = load(filename); } return _instance; diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java index 3f1673c93..11e13e226 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java 
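Review bot: The reformatted `toString()` still concatenates `tokenSecret` into its output, so any debug log or exception message that prints a `Config` would reveal the token signing secret; `OAuthProviderConfig.toString()` in the next file does the same with `secret`. Masking is a one-line change: `+ ", supportOdlUsers=" + supportOdlUsers + ", tokenSecret=" + (tokenSecret == null ? "null" : "****") + ", tokenIssuer=" + tokenIssuer + "]";`. The new loop in `handleEnvironmentVars()` is fine; the `!this.providers.isEmpty()` test can be dropped since iterating an empty list is a no-op, and the `getInstance` cleanup is purely cosmetic.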
@@ -29,33 +29,40 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.OAuthProviderFact public class OAuthProviderConfig { private String url; + private String internalUrl; private String clientId; private String secret; private String id; private String title; private String scope; + private String realmName; + private boolean trustAll; private OAuthProvider type; - private Map<String,String> roleMapping; + private Map<String, String> roleMapping; public OAuthProvider getType() { return type; } - public OAuthProviderConfig(String id, String url, String clientId, String secret, String scope, - String title) { + public OAuthProviderConfig(String id, String url, String internalUrl, String clientId, String secret, String scope, + String title, String realmName, boolean trustAll) { this.id = id; this.url = url; + this.internalUrl = internalUrl; this.clientId = clientId; this.secret = secret; this.scope = scope; this.title = title; + this.realmName = realmName; + this.trustAll = trustAll; this.roleMapping = new HashMap<>(); } @Override public String toString() { - return "OAuthProviderConfig [host=" + url + ", clientId=" + clientId + ", secret=" + secret + ", id=" + id - + ", title=" + title + ", scope=" + scope + ", type=" + type + "]"; + return "OAuthProviderConfig [url=" + url + ", clientId=" + clientId + ", secret=" + secret + ", id=" + id + + ", title=" + title + ", scope=" + scope + ", realmName=" + realmName + ", trustAll=" + trustAll + + ", type=" + type + ", roleMapping=" + roleMapping + "]"; } public void setType(OAuthProvider type) { @@ -63,7 +70,7 @@ public class OAuthProviderConfig { } public OAuthProviderConfig() { - this(null, null, null, null, null, null); + this(null, null, null, null, null, null, null, null, false); } public void setUrl(String url) { 
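Review bot: The new `trustAll` and `internalUrl` constructor parameters carry no documentation, and `trustAll` is the one a reader most needs explained: judging by `AuthService` passing it to `MappingBaseHttpClient` together with `getUrlOrInternal()`, it presumably disables TLS certificate checks for calls to the provider, which should be stated at the field. Suggested field comments: `/** Base URL reachable from inside the deployment, used for server-to-server calls; null/empty falls back to url. */` on `internalUrl` and `/** Presumably disables TLS certificate validation on the provider HTTP client — confirm against MappingBaseHttpClient; intended for test setups only. */` on `trustAll`. The constructor now takes nine positional parameters, three of them strings that are easy to confuse (`url`, `internalUrl`, `clientId`), and both test hunks already pass `null` and `""` positionally, so a builder or static factory would be worth considering before more callers appear.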
@@ -114,6 +121,22 @@ public class OAuthProviderConfig { return this.scope; } + public String getRealmName() { + return realmName; + } + + public void setRealmName(String realmName) { + this.realmName = realmName; + } + + public boolean trustAll() { + return trustAll; + } + + public void setTrustAll(boolean trustAll) { + this.trustAll = trustAll; + } + public Map<String, String> getRoleMapping() { return roleMapping; } 
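Review bot: The new accessor is named `trustAll()` while every sibling property uses the `get`/`is` form (`getRealmName()`, `getInternalUrl()`), so it reads as a command rather than a getter, and bean-convention tooling such as Jackson will not recognise it as the `trustAll` property (the `setTrustAll` setter alone suffices for deserialisation, so this may be intended to keep the flag out of serialised output — worth a comment if so). If the omission is not intentional, `public boolean isTrustAll() { return trustAll; }` is the conventional form; `trustAll()` would then stay only because `AuthService` already calls it.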
@@ -122,26 +145,45 @@ public class OAuthProviderConfig { this.roleMapping = roleMapping; } + public String getInternalUrl() { + return internalUrl; + } + + public void setInternalUrl(String internalUrl) { + this.internalUrl = internalUrl; + } + @JsonIgnore public void handleEnvironmentVars() { - if (Config.isEnvExpression(id)) { - this.id = Config.getProperty(id, null); + if (Config.isEnvExpression(this.id)) { + this.id = Config.getProperty(this.id, null); + } + if (Config.isEnvExpression(this.url)) { + this.url = Config.getProperty(this.url, null); } - if (Config.isEnvExpression(url)) { - this.url = Config.getProperty(url, null); + if (Config.isEnvExpression(this.internalUrl)) { + this.internalUrl = Config.getProperty(this.internalUrl, null); } - if (Config.isEnvExpression(clientId)) { - this.clientId = Config.getProperty(clientId, null); + if (Config.isEnvExpression(this.clientId)) { + this.clientId = Config.getProperty(this.clientId, null); } - if (Config.isEnvExpression(secret)) { - this.secret = Config.getProperty(secret, null); + if (Config.isEnvExpression(this.secret)) { + this.secret = Config.getProperty(this.secret, null); } - if (Config.isEnvExpression(scope)) { - this.scope = Config.getProperty(scope, null); + if (Config.isEnvExpression(this.scope)) { + this.scope = Config.getProperty(this.scope, null); } - if (Config.isEnvExpression(title)) { - this.title = Config.getProperty(title, null); + if (Config.isEnvExpression(this.title)) { + this.title = Config.getProperty(this.title, null); } + if (Config.isEnvExpression(this.realmName)) { + this.realmName = Config.getProperty(this.realmName, null); + } + } + + @JsonIgnore + public String getUrlOrInternal() { + return this.internalUrl != null && this.internalUrl.length() > 0 ? this.internalUrl : this.url; } } 
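Review bot: `getUrlOrInternal()` is a new public method without a Javadoc, and its fallback rule is the one piece of behaviour a deployer needs: `internalUrl` wins when set and non-empty, otherwise `url`; `KeycloakProviderService.getLoginUrl` meanwhile keeps using `getUrl()`, so the two URLs serve different audiences (server-side calls versus browser redirects) and that split should be written down. Suggested: `/** URL for server-to-server calls: internalUrl when set and non-empty, else url (the URL browser redirects also use). */`. Stylistically `this.internalUrl.length() > 0` is `!this.internalUrl.isEmpty()`, and because `handleEnvironmentVars()` passes `null` as the default to `Config.getProperty`, an unset `${...}` variable for the internal URL presumably leaves the field `null` and silently falls back to `url`; whether that is intended deserves a sentence in the same Javadoc.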
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java index cd4239081..9a9f4fc04 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java @@ -37,7 +37,11 @@ import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.shiro.SecurityUtils; +import org.apache.shiro.ShiroException; import org.apache.shiro.codec.Base64; +import org.apache.shiro.session.Session; +import org.apache.shiro.subject.Subject; import org.jolokia.osgi.security.Authenticator; import org.onap.ccsdk.features.sdnr.wt.common.http.BaseHTTPClient; import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config; @@ -66,7 +70,7 @@ public class AuthHttpServlet extends HttpServlet { private static final long serialVersionUID = 1L; private static final String BASEURI = "/oauth"; private static final String LOGINURI = BASEURI + "/login"; - //private static final String LOGOUTURI = BASEURI + "/logout"; + private static final String LOGOUTURI = BASEURI + "/logout"; private static final String PROVIDERSURI = BASEURI + "/providers"; public static final String REDIRECTURI = BASEURI + "/redirect"; private static final String REDIRECTURI_FORMAT = REDIRECTURI + "/%s"; 
@@ -137,6 +141,8 @@ public class AuthHttpServlet extends HttpServlet { this.sendResponse(resp, HttpServletResponse.SC_OK, getConfigs(this.providerStore.values())); } else if (req.getRequestURI().startsWith(LOGINURI)) { this.handleLoginRedirect(req, resp); + } else if (req.getRequestURI().equals(LOGOUTURI)) { + this.handleLogout(req, resp); } else if (POLICIESURI.equals(req.getRequestURI())) { this.sendResponse(resp, HttpServletResponse.SC_OK, this.getPoliciesForUser(req)); } else if (req.getRequestURI().startsWith(REDIRECTURI)) { @@ -146,7 +152,10 @@ public class AuthHttpServlet extends HttpServlet { } } - + private void handleLogout(HttpServletRequest req, HttpServletResponse resp) throws IOException { + this.logout(); + this.sendResponse(resp, HttpServletResponse.SC_OK,""); + } private void handleLoginRedirect(HttpServletRequest req, HttpServletResponse resp) throws IOException { final String uri = req.getRequestURI(); final Matcher matcher = LOGIN_REDIRECT_PATTERN.matcher(uri); @@ -458,5 +467,16 @@ public class AuthHttpServlet extends HttpServlet { os.write(output); } - + private void logout() { + final Subject subject = SecurityUtils.getSubject(); + try { + subject.logout(); + Session session = subject.getSession(false); + if (session != null) { + session.stop(); + } + } catch (ShiroException e) { + LOG.debug("Couldn't log out {}", subject, e); + } + } } diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java index 3cb79757c..56a62f5c1 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java 
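Review bot: The new `LOGOUTURI` branch performs a state-changing logout from what looks like the GET dispatch chain (the enclosing method starts outside the hunk, but it is shared with `handleLoginRedirect` and the providers listing); if that method is `doGet`, any third-party page can log the user out by embedding the URL in an image tag or link, a classic forced-logout nuisance. Consider serving logout only from `doPost`, or at least checking `Origin`/`Referer` before calling `logout()`. In `logout()` itself, `session.stop()` after `subject.logout()` may be redundant because Shiro's default logout already invalidates the session, so `getSession(false)` would then return `null`; harmless, but a comment such as `// belt-and-braces: the security manager's logout() normally stops the session already` would explain it. The `req` parameter of `handleLogout` is unused, a failed logout is logged at `debug` where `warn` would surface a real problem, and `sendResponse(resp, HttpServletResponse.SC_OK,"")` is missing the space after the comma.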
@@ -84,7 +84,7 @@ public abstract class AuthService { this.redirectUri = redirectUri; this.mapper = new ObjectMapper(); this.mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); - this.httpClient = new MappingBaseHttpClient(this.config.getUrl()); + this.httpClient = new MappingBaseHttpClient(this.config.getUrlOrInternal(), this.config.trustAll()); } public PublicOAuthProviderConfig getConfig() { diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java index 86383c983..c226a14dc 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java 
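Review bot: `trustAll()` is forwarded straight into `MappingBaseHttpClient` with no trace at runtime, so a provider deployed with certificate validation disabled (which is what the flag appears to mean, given its name and its pairing with the HTTP client constructor) leaves nothing in the logs. A startup warning makes the weakened configuration visible to operators: `if (this.config.trustAll()) { LOG.warn("trustAll is enabled for provider {}: TLS certificate validation is off", this.config.getId()); }` — assuming `AuthService` has a logger and `OAuthProviderConfig` exposes `getId()`, neither of which this hunk shows. The constructor's Javadoc (starting outside the hunk) should also mention that the client now targets `getUrlOrInternal()` rather than `getUrl()`.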
@@ -44,20 +44,20 @@ public class KeycloakProviderService extends AuthService { @Override protected String getTokenVerifierUri() { - return "/auth/realms/onap/protocol/openid-connect/token"; + return String.format("/auth/realms/%s/protocol/openid-connect/token", urlEncode(this.config.getRealmName())); } @Override protected String getLoginUrl(String callbackUrl) { return String.format( - "%s/auth/realms/onap/protocol/openid-connect/auth?client_id=%s&response_type=code&scope=%s&redirect_uri=%s", - this.config.getUrl(), urlEncode(this.config.getClientId()), this.config.getScope(), - urlEncode(callbackUrl)); + "%s/auth/realms/%s/protocol/openid-connect/auth?client_id=%s&response_type=code&scope=%s&redirect_uri=%s", + this.config.getUrl(), urlEncode(this.config.getRealmName()), urlEncode(this.config.getClientId()), + this.config.getScope(), urlEncode(callbackUrl)); } @Override protected List<String> mapRoles(List<String> data) { - final Map<String,String> map = this.config.getRoleMapping(); + final Map<String, String> map = this.config.getRoleMapping(); List<String> filteredRoles = data.stream().filter(role -> !role.equals("uma_authorization") && !role.equals("offline_access")) .map(r -> map.getOrDefault(r, r)).collect(Collectors.toList()); diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java index fb938000e..6c46ed25f 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java 
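Review bot: `getTokenVerifierUri()` and `getLoginUrl()` now interpolate `getRealmName()`, but nothing guarantees it is set: the no-arg `OAuthProviderConfig()` defaults it to `null`, `handleEnvironmentVars()` presumably resolves a missing variable to `null`, and the Gitlab test already passes `""`. Depending on what `urlEncode` does with `null`, the result is either an exception or a URL like `/auth/realms//protocol/openid-connect/token`, both better caught at construction, e.g. `Objects.requireNonNull(config.getRealmName(), "realmName must be set for a keycloak provider");` in the constructor (outside this hunk). Separately, `getLoginUrl` still inserts `scope` unencoded between `urlEncode(getClientId())` and `urlEncode(callbackUrl)`; since it is configurable (`test.config.json` sets `"openid"`), `urlEncode(this.config.getScope())` keeps the query string well-formed for multi-word scopes.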
@@ -60,8 +60,8 @@ public class TestGitlabAuthService { public static void init() { TokenCreator tokenCreator = TokenCreator.getInstance(TOKENCREATOR_SECRET, "issuer"); - OAuthProviderConfig config = - new OAuthProviderConfig("git", GITURL, "odlux.app", OAUTH_SECRET, "openid", "gitlab test"); + OAuthProviderConfig config = new OAuthProviderConfig("git", GITURL, null, "odlux.app", OAUTH_SECRET, "openid", + "gitlab test", "", false); oauthService = new GitlabProviderServiceToTest(config, REDIRECT_URI, tokenCreator); try { initGitlabTestWebserver(PORT, "/"); @@ -142,13 +142,17 @@ public class TestGitlabAuthService { } return null; } + public static class MyHandler implements HttpHandler { private static final String GITLAB_TOKEN_ENDPOINT = "/oauth/token"; private static final String GITLAB_USER_ENDPOINT = "/api/v4/user"; private static final String GITLAB_GROUP_ENDPOINT = "/api/v4/groups?min_access_level=10"; - private static final String GITLAB_TOKEN_RESPONSE = loadResourceFileContent("src/test/resources/oauth/gitlab-token-response.json"); - private static final String GITLAB_USER_RESPONSE =loadResourceFileContent("src/test/resources/oauth/gitlab-user-response.json"); - private static final String GITLAB_GROUP_RESPONSE =loadResourceFileContent("src/test/resources/oauth/gitlab-groups-response.json"); + private static final String GITLAB_TOKEN_RESPONSE = + loadResourceFileContent("src/test/resources/oauth/gitlab-token-response.json"); + private static final String GITLAB_USER_RESPONSE = + loadResourceFileContent("src/test/resources/oauth/gitlab-user-response.json"); + private static final String GITLAB_GROUP_RESPONSE = + loadResourceFileContent("src/test/resources/oauth/gitlab-groups-response.json"); @Override public void handle(HttpExchange t) throws IOException { 
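Review bot: The updated constructor calls in `init()` (here and in `TestKeycloakAuthService.init()`) pass `null` for `internalUrl` and `false` for `trustAll`, so neither new field is exercised; a second config with a non-empty `internalUrl`, asserting that the token verifier request hits that host rather than `GITURL`, would cover `getUrlOrInternal()`, which is the behaviour-changing part of this commit. In `MyHandler.handle`, `t.sendResponseHeaders(200, GITLAB_USER_RESPONSE.length())` pairs a character count with `getBytes()` in the platform charset; the fixtures are presumably ASCII so it works today, but `final byte[] body = GITLAB_USER_RESPONSE.getBytes(StandardCharsets.UTF_8);` followed by `t.sendResponseHeaders(200, body.length);` stays correct for any content, and the same applies to the Keycloak handler.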
@@ -159,23 +163,21 @@ public class TestGitlabAuthService { String response = ""; try { if (method.equals("GET")) { - if(uri.equals(GITLAB_USER_ENDPOINT)) { + if (uri.equals(GITLAB_USER_ENDPOINT)) { t.sendResponseHeaders(200, GITLAB_USER_RESPONSE.length()); os = t.getResponseBody(); os.write(GITLAB_USER_RESPONSE.getBytes()); - } - else if(uri.equals(GITLAB_GROUP_ENDPOINT)) { + } else if (uri.equals(GITLAB_GROUP_ENDPOINT)) { t.sendResponseHeaders(200, GITLAB_GROUP_RESPONSE.length()); os = t.getResponseBody(); os.write(GITLAB_GROUP_RESPONSE.getBytes()); } } else if (method.equals("POST")) { - if(uri.equals(GITLAB_TOKEN_ENDPOINT)){ + if (uri.equals(GITLAB_TOKEN_ENDPOINT)) { t.sendResponseHeaders(200, GITLAB_TOKEN_RESPONSE.length()); os = t.getResponseBody(); os.write(GITLAB_TOKEN_RESPONSE.getBytes()); - } - else { + } else { t.sendResponseHeaders(404, 0); } } else { diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java index 945ad7ff5..30b24af03 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java 
@@ -60,8 +60,8 @@ public class TestKeycloakAuthService { public static void init() { TokenCreator tokenCreator = TokenCreator.getInstance(TOKENCREATOR_SECRET, "issuer"); - OAuthProviderConfig config = - new OAuthProviderConfig("kc", KEYCLOAKURL, "odlux.app", OAUTH_SECRET, "openid", "keycloak test"); + OAuthProviderConfig config = new OAuthProviderConfig("kc", KEYCLOAKURL, null, "odlux.app", OAUTH_SECRET, + "openid", "keycloak test", "onap", false); oauthService = new KeycloakProviderServiceToTest(config, REDIRECT_URI, tokenCreator); try { initKeycloakTestWebserver(PORT, "/"); @@ -100,7 +100,8 @@ public class TestKeycloakAuthService { public static class KeycloakProviderServiceToTest extends KeycloakProviderService { - public KeycloakProviderServiceToTest(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) { + public KeycloakProviderServiceToTest(OAuthProviderConfig config, String redirectUri, + TokenCreator tokenCreator) { super(config, redirectUri, tokenCreator); } } @@ -137,9 +138,11 @@ public class TestKeycloakAuthService { } return null; } + public static class MyHandler implements HttpHandler { private static final String KEYCLOAK_TOKEN_ENDPOINT = "/auth/realms/onap/protocol/openid-connect/token"; - private static final String KEYCLOAK_TOKEN_RESPONSE = loadResourceFileContent("src/test/resources/oauth/keycloak-token-response.json"); + private static final String KEYCLOAK_TOKEN_RESPONSE = + loadResourceFileContent("src/test/resources/oauth/keycloak-token-response.json"); @Override public void handle(HttpExchange t) throws IOException { 
@@ -148,13 +151,12 @@ public class TestKeycloakAuthService { System.out.println(String.format("req received: %s %s", method, t.getRequestURI())); OutputStream os = null; try { - if (method.equals("POST")) { - if(uri.equals(KEYCLOAK_TOKEN_ENDPOINT)){ + if (method.equals("POST")) { + if (uri.equals(KEYCLOAK_TOKEN_ENDPOINT)) { t.sendResponseHeaders(200, KEYCLOAK_TOKEN_RESPONSE.length()); os = t.getResponseBody(); os.write(KEYCLOAK_TOKEN_RESPONSE.getBytes()); - } - else { + } else { t.sendResponseHeaders(404, 0); } } else { diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml index 682fa3728..1929fde8e 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml @@ -6,7 +6,6 @@ terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html , or the Apache License, Version 2.0 which is available at https://www.apache.org/licenses/LICENSE-2.0 - SPDX-License-Identifier: EPL-1.0 OR Apache-2.0 --> 
@@ -17,15 +16,243 @@ /////////////////////////////////////////////////////////////////////////////////////// --> - <shiro-configuration xmlns="urn:opendaylight:aaa:app:config"> + <!-- + /////////////////////////////////////////////////////////////////////////////////// + // shiro-configuration is the model based container that contains all shiro // + // related information used in ODL AAA configuration. It is the sole pain of // + // glass for shiro related configuration, and is how to configure shiro concepts // + // such as: // + // * realms // + // * urls // + // * security manager settings // + // // + // In general, you really shouldn't muck with the settings in this file. The // + // way an operator should configure AAA shiro settings is through one of ODL's // + // northbound interfaces (i.e., RESTCONF or NETCONF). These are just the // + // defaults if no values are specified in MD-SAL. The reason this file is so // + // verbose is for two reasons: // + // 1) to demonstrate payload examples for plausible configuration scenarios // + // 2) to allow bootstrap of the controller (first time start) since otherwise // + // configuration becomes a chicken and the egg problem. // + // // + /////////////////////////////////////////////////////////////////////////////////// + --> + + <!-- + =================================================================================== + = = + = = + = MAIN = + = = + = = + =================================================================================== + --> + + <!-- + =================================================================================== + ============================ ODLJndiLdapRealmAuthNOnly ============================ + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an external LDAP = + = server for authentication only. For authorization support, refer = + = to ODLJndiLdapRealm. 
= + =================================================================================== + --> + <!-- Start ldapRealm commented out + <main> + <pair-key>ldapRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value> + </main> + <main> + <pair-key>ldapRealm.userDnTemplate</pair-key> + <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value> + </main> + <main> + <pair-key>ldapRealm.contextFactory.url</pair-key> + <pair-value>ldap://<URL>:389</pair-value> + </main> + <main> + <pair-key>ldapRealm.searchBase</pair-key> + <pair-value>dc=DOMAIN,dc=TLD</pair-value> + </main> + <main> + <pair-key>ldapRealm.groupRolesMap</pair-key> + <pair-value>"person":"admin", "organizationalPerson":"user"</pair-value> + </main> + <main> + <pair-key>ldapRealm.ldapAttributeForComparison</pair-key> + <pair-value>objectClass</pair-value> + </main> + End ldapRealm commented out--> + + <!-- + =================================================================================== + ============================= ODLActiveDirectoryRealm ============================= + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an external AD = + = IDP server. 
= + =================================================================================== + --> + <!-- Start adRealm commented out + <main> + <pair-key>adRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value> + </main> + <main> + <pair-key>adRealm.searchBase</pair-key> + <pair-value>"CN=Users,DC=example,DC=com"</pair-value> + </main> + <main> + <pair-key>adRealm.systemUsername</pair-key> + <pair-value>aduser@example.com</pair-value> + </main> + <main> + <pair-key>adRealm.systemPassword</pair-key> + <pair-value>adpassword</pair-value> + </main> + <main> + <pair-key>adRealm.url</pair-key> + <pair-value>ldaps://adserver:636</pair-value> + </main> + <main> + <pair-key>adRealm.groupRolesMap</pair-key> + <pair-value>"CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"</pair-value> + </main> + End adRealm commented out--> + + <!-- + =================================================================================== + ================================== ODLJdbcRealm =================================== + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an external JDBC = + = DBMS. 
= + =================================================================================== + --> + <!-- Start jdbcRealm commented out + <main> + <pair-key>ds</pair-key> + <pair-value>com.mysql.jdbc.Driver</pair-value> + </main> + <main> + <pair-key>ds.serverName</pair-key> + <pair-value>localhost</pair-value> + </main> + <main> + <pair-key>ds.user</pair-key> + <pair-value>user</pair-value> + </main> + <main> + <pair-key>ds.password</pair-key> + <pair-value>password</pair-value> + </main> + <main> + <pair-key>ds.databaseName</pair-key> + <pair-value>db_name</pair-value> + </main> + <main> + <pair-key>jdbcRealm</pair-key> + <pair-value>ODLJdbcRealm</pair-value> + </main> + <main> + <pair-key>jdbcRealm.dataSource</pair-key> + <pair-value>$ds</pair-value> + </main> + <main> + <pair-key>jdbcRealm.authenticationQuery</pair-key> + <pair-value>"SELECT password FROM users WHERE user_name = ?"</pair-value> + </main> + <main> + <pair-key>jdbcRealm.userRolesQuery</pair-key> + <pair-value>"SELECT role_name FROM user_rolesWHERE user_name = ?"</pair-value> + </main> + End jdbcRealm commented out--> + <!-- + =================================================================================== + ================================= TokenAuthRealm ================================== + =================================================================================== + = = + = Description: A Realm implementation utilizing a per node H2 database store. 
= + =================================================================================== + --> +<!-- <main> --> +<!-- <pair-key>tokenAuthRealm</pair-key> --> +<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> --> +<!-- </main> --> <main> <pair-key>tokenAuthRealm</pair-key> <pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value> </main> + <!-- + =================================================================================== + =================================== MdsalRealm ==================================== + =================================================================================== + = = + = Description: A Realm implementation utilizing the aaa.yang model. = + =================================================================================== + --> + <!-- Start mdsalRealm commented out + <main> + <pair-key>mdsalRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value> + </main> + End mdsalRealm commented out--> + + <!-- + =================================================================================== + ================================= MoonAuthRealm =================================== + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with OPNFV Moon. 
= + =================================================================================== + --> + <!-- Start moonAuthRealm commented out + <main> + <pair-key>moonAuthRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value> + </main> + <main> + <pair-key>moonAuthRealm.moonServerURL</pair-key> + <pair-value>http://<host>:<port></pair-value> + </main> + End moonAuthRealm commented out--> + + <!-- + =================================================================================== + ================================= KeystoneAuthRealm == ============================ + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an OpenStack = + = Keystone. = + =================================================================================== + --> + <!-- Start keystoneAuthRealm commented out + <main> + <pair-key>keystoneAuthRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value> + </main> + <main> + <pair-key>keystoneAuthRealm.url</pair-key> + <pair-value>https://<host>:<port></pair-value> + </main> + <main> + <pair-key>keystoneAuthRealm.sslVerification</pair-key> + <pair-value>true</pair-value> + </main> + <main> + <pair-key>keystoneAuthRealm.defaultDomain</pair-key> + <pair-value>Default</pair-value> + </main> + --> + + <!-- + Add tokenAuthRealm as the only realm. To enable mdsalRealm, add it to the list to he right of tokenAuthRealm. + --> <main> <pair-key>securityManager.realms</pair-key> <pair-value>$tokenAuthRealm</pair-value> 
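Review bot: The roughly two hundred lines of commented-out realm examples copied in here arrive with their upstream typos intact — `sole pain of glass` in the header, `user_rolesWHERE user_name` in the jdbcRealm sample query (which would fail if ever uncommented), and `to he right of tokenAuthRealm` just above `securityManager.realms`. Since this is a test resource, keeping only the live `tokenAuthRealm` mapping plus a pointer to the upstream ODL file would make the intent (`OAuth2Realm` replacing `TokenAuthRealm`) much easier to see. If the examples stay, the three typos should be fixed and the duplicated commented `tokenAuthRealm` block directly above the live one removed.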
@@ -43,6 +270,13 @@ <pair-key>authcBearer</pair-key> <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value> </main> + + <!-- Start moonAuthRealm commented out + <main> + <pair-key>rest</pair-key> + <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value> + </main> + End moonAuthRealm commented out--> <!-- in order to track AAA challenge attempts --> <main> @@ -59,8 +293,26 @@ <pair-key>dynamicAuthorization</pair-key> <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value> </main> +<!-- <main> --> +<!-- <pair-key>securityManager.sessionManager.sessionIdCookieEnabled</pair-key> --> +<!-- <pair-value>false</pair-value> --> +<!-- </main> --> - + <!-- + =================================================================================== + = = + = = + = URLS = + = = + = = + =================================================================================== + --> + <!-- Start moonAuthRealm commented out + <urls> + <pair-key>/token</pair-key> + <pair-value>rest</pair-value> + </urls> + End moonAuthRealm commented out--> <urls> <pair-key>/**/operations/cluster-admin**</pair-key> <pair-value>dynamicAuthorization</pair-value> diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json index 157ddb71a..260b77da7 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json @@ -12,7 +12,8 @@ "clientId": "odlux.app", "secret": "5da4ea3d-8cc9-4669-bd7e-3ecb91d120cd", "scope": "openid", - "title": "OSNL Keycloak Provider" + "title": "OSNL Keycloak Provider", + "realmName":"onap" } ] }
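Review bot: The commented-out `securityManager.sessionManager.sessionIdCookieEnabled` block gives no hint why it is present or when it should be switched on; an XML comment such as `<!-- set to false to stop Shiro issuing a session-id cookie when clients use bearer tokens only; currently left at the default because REASON-TO-CONFIRM -->` would save the next reader a guess. The commented `rest`/`MoonOAuthFilter` entry and the `/token` URL mapping copy the same upstream noise as the realm block. In `test.config.json`, `"realmName":"onap"` lacks the space after the colon that the neighbouring keys use.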
\ No newline at end of file |