diff options
author | Ravi Pendurty <ravi.pendurty@highstreet-technologies.com> | 2021-08-03 15:13:28 +0530 |
---|---|---|
committer | KAPIL SINGAL <ks220y@att.com> | 2021-08-06 12:44:28 +0000 |
commit | ea50c8f5ac2e2cfa30512acd4ab1e72c2a36b278 (patch) | |
tree | 757a476b9f91449b708fa71ef15287bd2c21377b /sdnr/wt/oauth-provider/provider-jar/src/test | |
parent | 3ba5eb125ac8890968e4437b098e39195d699434 (diff) |
Support for external identity providers
oauth-provider now supports keycloak and gitlab as identity providers
Issue-ID: CCSDK-3411
Signed-off-by: Ravi Pendurty <ravi.pendurty@highstreet-technologies.com>
Change-Id: I78d678136e26f402b25723f4e10d76b646d76589
Signed-off-by: Ravi Pendurty <ravi.pendurty@highstreet-technologies.com>
Diffstat (limited to 'sdnr/wt/oauth-provider/provider-jar/src/test')
4 files changed, 280 insertions, 23 deletions
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java index fb938000e..6c46ed25f 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java @@ -60,8 +60,8 @@ public class TestGitlabAuthService { public static void init() { TokenCreator tokenCreator = TokenCreator.getInstance(TOKENCREATOR_SECRET, "issuer"); - OAuthProviderConfig config = - new OAuthProviderConfig("git", GITURL, "odlux.app", OAUTH_SECRET, "openid", "gitlab test"); + OAuthProviderConfig config = new OAuthProviderConfig("git", GITURL, null, "odlux.app", OAUTH_SECRET, "openid", + "gitlab test", "", false); oauthService = new GitlabProviderServiceToTest(config, REDIRECT_URI, tokenCreator); try { initGitlabTestWebserver(PORT, "/"); @@ -142,13 +142,17 @@ public class TestGitlabAuthService { } return null; } + public static class MyHandler implements HttpHandler { private static final String GITLAB_TOKEN_ENDPOINT = "/oauth/token"; private static final String GITLAB_USER_ENDPOINT = "/api/v4/user"; private static final String GITLAB_GROUP_ENDPOINT = "/api/v4/groups?min_access_level=10"; - private static final String GITLAB_TOKEN_RESPONSE = loadResourceFileContent("src/test/resources/oauth/gitlab-token-response.json"); - private static final String GITLAB_USER_RESPONSE =loadResourceFileContent("src/test/resources/oauth/gitlab-user-response.json"); - private static final String GITLAB_GROUP_RESPONSE =loadResourceFileContent("src/test/resources/oauth/gitlab-groups-response.json"); + private static final String GITLAB_TOKEN_RESPONSE = + loadResourceFileContent("src/test/resources/oauth/gitlab-token-response.json"); + private static final String GITLAB_USER_RESPONSE = + loadResourceFileContent("src/test/resources/oauth/gitlab-user-response.json"); + private static final String GITLAB_GROUP_RESPONSE = + loadResourceFileContent("src/test/resources/oauth/gitlab-groups-response.json"); @Override public void handle(HttpExchange t) throws IOException { @@ -159,23 +163,21 @@ public class TestGitlabAuthService { String response = ""; try { if (method.equals("GET")) { - if(uri.equals(GITLAB_USER_ENDPOINT)) { + if (uri.equals(GITLAB_USER_ENDPOINT)) { t.sendResponseHeaders(200, GITLAB_USER_RESPONSE.length()); os = t.getResponseBody(); os.write(GITLAB_USER_RESPONSE.getBytes()); - } - else if(uri.equals(GITLAB_GROUP_ENDPOINT)) { + } else if (uri.equals(GITLAB_GROUP_ENDPOINT)) { t.sendResponseHeaders(200, GITLAB_GROUP_RESPONSE.length()); os = t.getResponseBody(); os.write(GITLAB_GROUP_RESPONSE.getBytes()); } } else if (method.equals("POST")) { - if(uri.equals(GITLAB_TOKEN_ENDPOINT)){ + if (uri.equals(GITLAB_TOKEN_ENDPOINT)) { t.sendResponseHeaders(200, GITLAB_TOKEN_RESPONSE.length()); os = t.getResponseBody(); os.write(GITLAB_TOKEN_RESPONSE.getBytes()); - } - else { + } else { t.sendResponseHeaders(404, 0); } } else { diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java index 945ad7ff5..30b24af03 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java @@ -60,8 +60,8 @@ public class TestKeycloakAuthService { public static void init() { TokenCreator tokenCreator = TokenCreator.getInstance(TOKENCREATOR_SECRET, "issuer"); - OAuthProviderConfig config = - new OAuthProviderConfig("kc", KEYCLOAKURL, "odlux.app", OAUTH_SECRET, "openid", "keycloak test"); + OAuthProviderConfig config = new OAuthProviderConfig("kc", KEYCLOAKURL, null, "odlux.app", OAUTH_SECRET, + "openid", "keycloak test", "onap", false); oauthService = new KeycloakProviderServiceToTest(config, REDIRECT_URI, tokenCreator); try { initKeycloakTestWebserver(PORT, "/"); @@ -100,7 +100,8 @@ public class TestKeycloakAuthService { public static class KeycloakProviderServiceToTest extends KeycloakProviderService { - public KeycloakProviderServiceToTest(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) { + public KeycloakProviderServiceToTest(OAuthProviderConfig config, String redirectUri, + TokenCreator tokenCreator) { super(config, redirectUri, tokenCreator); } } @@ -137,9 +138,11 @@ public class TestKeycloakAuthService { } return null; } + public static class MyHandler implements HttpHandler { private static final String KEYCLOAK_TOKEN_ENDPOINT = "/auth/realms/onap/protocol/openid-connect/token"; - private static final String KEYCLOAK_TOKEN_RESPONSE = loadResourceFileContent("src/test/resources/oauth/keycloak-token-response.json"); + private static final String KEYCLOAK_TOKEN_RESPONSE = + loadResourceFileContent("src/test/resources/oauth/keycloak-token-response.json"); @Override public void handle(HttpExchange t) throws IOException { @@ -148,13 +151,12 @@ public class TestKeycloakAuthService { System.out.println(String.format("req received: %s %s", method, t.getRequestURI())); OutputStream os = null; try { - if (method.equals("POST")) { - if(uri.equals(KEYCLOAK_TOKEN_ENDPOINT)){ + if (method.equals("POST")) { + if (uri.equals(KEYCLOAK_TOKEN_ENDPOINT)) { t.sendResponseHeaders(200, KEYCLOAK_TOKEN_RESPONSE.length()); os = t.getResponseBody(); os.write(KEYCLOAK_TOKEN_RESPONSE.getBytes()); - } - else { + } else { t.sendResponseHeaders(404, 0); } } else { diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml index 682fa3728..1929fde8e 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml @@ -6,7 +6,6 @@ terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html , or the Apache License, Version 2.0 which is available at https://www.apache.org/licenses/LICENSE-2.0 - SPDX-License-Identifier: EPL-1.0 OR Apache-2.0 --> @@ -17,15 +16,243 @@ /////////////////////////////////////////////////////////////////////////////////////// --> - <shiro-configuration xmlns="urn:opendaylight:aaa:app:config"> + <!-- + /////////////////////////////////////////////////////////////////////////////////// + // shiro-configuration is the model based container that contains all shiro // + // related information used in ODL AAA configuration. It is the sole pain of // + // glass for shiro related configuration, and is how to configure shiro concepts // + // such as: // + // * realms // + // * urls // + // * security manager settings // + // // + // In general, you really shouldn't muck with the settings in this file. The // + // way an operator should configure AAA shiro settings is through one of ODL's // + // northbound interfaces (i.e., RESTCONF or NETCONF). These are just the // + // defaults if no values are specified in MD-SAL. The reason this file is so // + // verbose is for two reasons: // + // 1) to demonstrate payload examples for plausible configuration scenarios // + // 2) to allow bootstrap of the controller (first time start) since otherwise // + // configuration becomes a chicken and the egg problem. // + // // + /////////////////////////////////////////////////////////////////////////////////// + --> + + <!-- + =================================================================================== + = = + = = + = MAIN = + = = + = = + =================================================================================== + --> + + <!-- + =================================================================================== + ============================ ODLJndiLdapRealmAuthNOnly ============================ + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an external LDAP = + = server for authentication only. For authorization support, refer = + = to ODLJndiLdapRealm. = + =================================================================================== + --> + <!-- Start ldapRealm commented out + <main> + <pair-key>ldapRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value> + </main> + <main> + <pair-key>ldapRealm.userDnTemplate</pair-key> + <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value> + </main> + <main> + <pair-key>ldapRealm.contextFactory.url</pair-key> + <pair-value>ldap://<URL>:389</pair-value> + </main> + <main> + <pair-key>ldapRealm.searchBase</pair-key> + <pair-value>dc=DOMAIN,dc=TLD</pair-value> + </main> + <main> + <pair-key>ldapRealm.groupRolesMap</pair-key> + <pair-value>"person":"admin", "organizationalPerson":"user"</pair-value> + </main> + <main> + <pair-key>ldapRealm.ldapAttributeForComparison</pair-key> + <pair-value>objectClass</pair-value> + </main> + End ldapRealm commented out--> + + <!-- + =================================================================================== + ============================= ODLActiveDirectoryRealm ============================= + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an external AD = + = IDP server. = + =================================================================================== + --> + <!-- Start adRealm commented out + <main> + <pair-key>adRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value> + </main> + <main> + <pair-key>adRealm.searchBase</pair-key> + <pair-value>"CN=Users,DC=example,DC=com"</pair-value> + </main> + <main> + <pair-key>adRealm.systemUsername</pair-key> + <pair-value>aduser@example.com</pair-value> + </main> + <main> + <pair-key>adRealm.systemPassword</pair-key> + <pair-value>adpassword</pair-value> + </main> + <main> + <pair-key>adRealm.url</pair-key> + <pair-value>ldaps://adserver:636</pair-value> + </main> + <main> + <pair-key>adRealm.groupRolesMap</pair-key> + <pair-value>"CN=sysadmin,CN=Users,DC=example,DC=com":"admin", "CN=unprivileged,CN=Users,DC=example,DC=com":"user"</pair-value> + </main> + End adRealm commented out--> + + <!-- + =================================================================================== + ================================== ODLJdbcRealm =================================== + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an external JDBC = + = DBMS. = + =================================================================================== + --> + <!-- Start jdbcRealm commented out + <main> + <pair-key>ds</pair-key> + <pair-value>com.mysql.jdbc.Driver</pair-value> + </main> + <main> + <pair-key>ds.serverName</pair-key> + <pair-value>localhost</pair-value> + </main> + <main> + <pair-key>ds.user</pair-key> + <pair-value>user</pair-value> + </main> + <main> + <pair-key>ds.password</pair-key> + <pair-value>password</pair-value> + </main> + <main> + <pair-key>ds.databaseName</pair-key> + <pair-value>db_name</pair-value> + </main> + <main> + <pair-key>jdbcRealm</pair-key> + <pair-value>ODLJdbcRealm</pair-value> + </main> + <main> + <pair-key>jdbcRealm.dataSource</pair-key> + <pair-value>$ds</pair-value> + </main> + <main> + <pair-key>jdbcRealm.authenticationQuery</pair-key> + <pair-value>"SELECT password FROM users WHERE user_name = ?"</pair-value> + </main> + <main> + <pair-key>jdbcRealm.userRolesQuery</pair-key> + <pair-value>"SELECT role_name FROM user_rolesWHERE user_name = ?"</pair-value> + </main> + End jdbcRealm commented out--> + <!-- + =================================================================================== + ================================= TokenAuthRealm ================================== + =================================================================================== + = = + = Description: A Realm implementation utilizing a per node H2 database store. = + =================================================================================== + --> +<!-- <main> --> +<!-- <pair-key>tokenAuthRealm</pair-key> --> +<!-- <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> --> +<!-- </main> --> <main> <pair-key>tokenAuthRealm</pair-key> <pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value> </main> + <!-- + =================================================================================== + =================================== MdsalRealm ==================================== + =================================================================================== + = = + = Description: A Realm implementation utilizing the aaa.yang model. = + =================================================================================== + --> + <!-- Start mdsalRealm commented out + <main> + <pair-key>mdsalRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value> + </main> + End mdsalRealm commented out--> + + <!-- + =================================================================================== + ================================= MoonAuthRealm =================================== + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with OPNFV Moon. = + =================================================================================== + --> + <!-- Start moonAuthRealm commented out + <main> + <pair-key>moonAuthRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value> + </main> + <main> + <pair-key>moonAuthRealm.moonServerURL</pair-key> + <pair-value>http://<host>:<port></pair-value> + </main> + End moonAuthRealm commented out--> + + <!-- + =================================================================================== + ================================= KeystoneAuthRealm == ============================ + =================================================================================== + = = + = Description: A Realm implementation aimed at federating with an OpenStack = + = Keystone. = + =================================================================================== + --> + <!-- Start keystoneAuthRealm commented out + <main> + <pair-key>keystoneAuthRealm</pair-key> + <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value> + </main> + <main> + <pair-key>keystoneAuthRealm.url</pair-key> + <pair-value>https://<host>:<port></pair-value> + </main> + <main> + <pair-key>keystoneAuthRealm.sslVerification</pair-key> + <pair-value>true</pair-value> + </main> + <main> + <pair-key>keystoneAuthRealm.defaultDomain</pair-key> + <pair-value>Default</pair-value> + </main> + --> + + <!-- + Add tokenAuthRealm as the only realm. To enable mdsalRealm, add it to the list to he right of tokenAuthRealm. + --> <main> <pair-key>securityManager.realms</pair-key> <pair-value>$tokenAuthRealm</pair-value> @@ -43,6 +270,13 @@ <pair-key>authcBearer</pair-key> <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value> </main> + + <!-- Start moonAuthRealm commented out + <main> + <pair-key>rest</pair-key> + <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value> + </main> + End moonAuthRealm commented out--> <!-- in order to track AAA challenge attempts --> <main> @@ -59,8 +293,26 @@ <pair-key>dynamicAuthorization</pair-key> <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value> </main> +<!-- <main> --> +<!-- <pair-key>securityManager.sessionManager.sessionIdCookieEnabled</pair-key> --> +<!-- <pair-value>false</pair-value> --> +<!-- </main> --> - + <!-- + =================================================================================== + = = + = = + = URLS = + = = + = = + =================================================================================== + --> + <!-- Start moonAuthRealm commented out + <urls> + <pair-key>/token</pair-key> + <pair-value>rest</pair-value> + </urls> + End moonAuthRealm commented out--> <urls> <pair-key>/**/operations/cluster-admin**</pair-key> <pair-value>dynamicAuthorization</pair-value> diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json index 157ddb71a..260b77da7 100644 --- a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json +++ b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json @@ -12,7 +12,8 @@ "clientId": "odlux.app", "secret": "5da4ea3d-8cc9-4669-bd7e-3ecb91d120cd", "scope": "openid", - "title": "OSNL Keycloak Provider" + "title": "OSNL Keycloak Provider", + "realmName":"onap" } ] }
\ No newline at end of file |