From ea50c8f5ac2e2cfa30512acd4ab1e72c2a36b278 Mon Sep 17 00:00:00 2001
From: Ravi Pendurty <ravi.pendurty@highstreet-technologies.com>
Date: Tue, 3 Aug 2021 15:13:28 +0530
Subject: Support for external identity providers

oauth-provider now supports keycloak and gitlab as identity providers

Issue-ID: CCSDK-3411
Signed-off-by: Ravi Pendurty <ravi.pendurty@highstreet-technologies.com>
Change-Id: I78d678136e26f402b25723f4e10d76b646d76589
Signed-off-by: Ravi Pendurty <ravi.pendurty@highstreet-technologies.com>
---
 sdnr/wt/oauth-provider/provider-jar/pom.xml        |  11 -
 .../sdnr/wt/oauthprovider/data/Config.java         |  15 +-
 .../wt/oauthprovider/data/OAuthProviderConfig.java |  78 +++++--
 .../wt/oauthprovider/http/AuthHttpServlet.java     |  26 ++-
 .../wt/oauthprovider/providers/AuthService.java    |   2 +-
 .../providers/KeycloakProviderService.java         |  10 +-
 .../oauthprovider/test/TestGitlabAuthService.java  |  24 +-
 .../test/TestKeycloakAuthService.java              |  18 +-
 .../src/test/resources/aaa-app-config.test.xml     | 258 ++++++++++++++++++++-
 .../src/test/resources/test.config.json            |   3 +-
 10 files changed, 380 insertions(+), 65 deletions(-)

diff --git a/sdnr/wt/oauth-provider/provider-jar/pom.xml b/sdnr/wt/oauth-provider/provider-jar/pom.xml
index f440a544e..b73602d36 100644
--- a/sdnr/wt/oauth-provider/provider-jar/pom.xml
+++ b/sdnr/wt/oauth-provider/provider-jar/pom.xml
@@ -50,15 +50,6 @@
         <maven.javadoc.skip>true</maven.javadoc.skip>
         <checkstyle.skip>true</checkstyle.skip>
     </properties>
-    <dependencyManagement>
-        <dependencies>
-            <dependency>
-                <groupId>org.apache.shiro</groupId>
-                <artifactId>shiro-core</artifactId>
-                <version>1.3.2</version>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
     <dependencies>
         <dependency>
             <groupId>${project.groupId}</groupId>
@@ -70,7 +61,6 @@
             <artifactId>jackson-databind</artifactId>
             <scope>provided</scope>
         </dependency>
- 
         <dependency>
             <groupId>com.auth0</groupId>
             <artifactId>java-jwt</artifactId>
@@ -89,7 +79,6 @@
         <dependency>
             <groupId>com.highstreet-technologies.aaa</groupId>
             <artifactId>aaa-shiro</artifactId>
-            <version>0.12.3</version>
             <exclusions>
 <!--                 <exclusion> -->
 <!--                     <groupId>org.opendaylight.aaa</groupId> -->
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java
index a71f4c7dc..a6dff6769 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java
@@ -57,9 +57,8 @@ public class Config {
 
     @Override
     public String toString() {
-        return "Config [providers=" + providers + ", redirectUri=" + redirectUri
-                + ", supportOdlUsers=" + supportOdlUsers + ", tokenSecret=" + tokenSecret + ", tokenIssuer="
-                + tokenIssuer + "]";
+        return "Config [providers=" + providers + ", redirectUri=" + redirectUri + ", supportOdlUsers="
+                + supportOdlUsers + ", tokenSecret=" + tokenSecret + ", tokenIssuer=" + tokenIssuer + "]";
     }
 
 
@@ -130,6 +129,11 @@ public class Config {
         if (isEnvExpression(supportOdlUsers)) {
             this.supportOdlUsers = getProperty(supportOdlUsers, null);
         }
+        if (this.providers != null && !this.providers.isEmpty()) {
+            for(OAuthProviderConfig cfg : this.providers) {
+                cfg.handleEnvironmentVars();
+            }
+        }
     }
 
     @JsonIgnore
@@ -154,9 +158,11 @@ public class Config {
     static boolean isEnvExpression(String key) {
         return key != null && key.contains(ENVVARIABLE);
     }
+
     public static String generateSecret() {
         return generateSecret(30);
     }
+
     public static String generateSecret(int targetStringLength) {
         int leftLimit = 48; // numeral '0'
         int rightLimit = 122; // letter 'z'
@@ -234,8 +240,9 @@ public class Config {
     public static Config getInstance() throws IOException {
         return getInstance(DEFAULT_CONFIGFILENAME);
     }
+
     public static Config getInstance(String filename) throws IOException {
-        if(_instance==null) {
+        if (_instance == null) {
             _instance = load(filename);
         }
         return _instance;
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java
index 3f1673c93..11e13e226 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java
@@ -29,33 +29,40 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.OAuthProviderFact
 public class OAuthProviderConfig {
 
     private String url;
+    private String internalUrl;
     private String clientId;
     private String secret;
     private String id;
     private String title;
     private String scope;
+    private String realmName;
+    private boolean trustAll;
     private OAuthProvider type;
-    private Map<String,String> roleMapping;
+    private Map<String, String> roleMapping;
 
     public OAuthProvider getType() {
         return type;
     }
 
-    public OAuthProviderConfig(String id, String url, String clientId, String secret, String scope,
-            String title) {
+    public OAuthProviderConfig(String id, String url, String internalUrl, String clientId, String secret, String scope,
+            String title, String realmName, boolean trustAll) {
         this.id = id;
         this.url = url;
+        this.internalUrl = internalUrl;
         this.clientId = clientId;
         this.secret = secret;
         this.scope = scope;
         this.title = title;
+        this.realmName = realmName;
+        this.trustAll = trustAll;
         this.roleMapping = new HashMap<>();
     }
 
     @Override
     public String toString() {
-        return "OAuthProviderConfig [host=" + url + ", clientId=" + clientId + ", secret=" + secret + ", id=" + id
-                + ", title=" + title + ", scope=" + scope + ", type=" + type + "]";
+        return "OAuthProviderConfig [url=" + url + ", clientId=" + clientId + ", secret=" + secret + ", id=" + id
+                + ", title=" + title + ", scope=" + scope + ", realmName=" + realmName + ", trustAll=" + trustAll
+                + ", type=" + type + ", roleMapping=" + roleMapping + "]";
     }
 
     public void setType(OAuthProvider type) {
@@ -63,7 +70,7 @@ public class OAuthProviderConfig {
     }
 
     public OAuthProviderConfig() {
-        this(null, null, null, null, null, null);
+        this(null, null, null, null, null, null, null, null, false);
     }
 
     public void setUrl(String url) {
@@ -114,6 +121,22 @@ public class OAuthProviderConfig {
         return this.scope;
     }
 
+    public String getRealmName() {
+        return realmName;
+    }
+
+    public void setRealmName(String realmName) {
+        this.realmName = realmName;
+    }
+
+    public boolean trustAll() {
+        return trustAll;
+    }
+
+    public void setTrustAll(boolean trustAll) {
+        this.trustAll = trustAll;
+    }
+
     public Map<String, String> getRoleMapping() {
         return roleMapping;
     }
@@ -122,26 +145,45 @@ public class OAuthProviderConfig {
         this.roleMapping = roleMapping;
     }
 
+    public String getInternalUrl() {
+        return internalUrl;
+    }
+
+    public void setInternalUrl(String internalUrl) {
+        this.internalUrl = internalUrl;
+    }
+
     @JsonIgnore
     public void handleEnvironmentVars() {
-        if (Config.isEnvExpression(id)) {
-            this.id = Config.getProperty(id, null);
+        if (Config.isEnvExpression(this.id)) {
+            this.id = Config.getProperty(this.id, null);
+        }
+        if (Config.isEnvExpression(this.url)) {
+            this.url = Config.getProperty(this.url, null);
         }
-        if (Config.isEnvExpression(url)) {
-            this.url = Config.getProperty(url, null);
+        if (Config.isEnvExpression(this.internalUrl)) {
+            this.internalUrl = Config.getProperty(this.internalUrl, null);
         }
-        if (Config.isEnvExpression(clientId)) {
-            this.clientId = Config.getProperty(clientId, null);
+        if (Config.isEnvExpression(this.clientId)) {
+            this.clientId = Config.getProperty(this.clientId, null);
         }
-        if (Config.isEnvExpression(secret)) {
-            this.secret = Config.getProperty(secret, null);
+        if (Config.isEnvExpression(this.secret)) {
+            this.secret = Config.getProperty(this.secret, null);
         }
-        if (Config.isEnvExpression(scope)) {
-            this.scope = Config.getProperty(scope, null);
+        if (Config.isEnvExpression(this.scope)) {
+            this.scope = Config.getProperty(this.scope, null);
         }
-        if (Config.isEnvExpression(title)) {
-            this.title = Config.getProperty(title, null);
+        if (Config.isEnvExpression(this.title)) {
+            this.title = Config.getProperty(this.title, null);
         }
+        if (Config.isEnvExpression(this.realmName)) {
+            this.realmName = Config.getProperty(this.realmName, null);
+        }
+    }
+
+    @JsonIgnore
+    public String getUrlOrInternal() {
+        return this.internalUrl != null && this.internalUrl.length() > 0 ? this.internalUrl : this.url;
     }
 
 }
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java
index cd4239081..9a9f4fc04 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java
@@ -37,7 +37,11 @@ import javax.servlet.ServletOutputStream;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.ShiroException;
 import org.apache.shiro.codec.Base64;
+import org.apache.shiro.session.Session;
+import org.apache.shiro.subject.Subject;
 import org.jolokia.osgi.security.Authenticator;
 import org.onap.ccsdk.features.sdnr.wt.common.http.BaseHTTPClient;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config;
@@ -66,7 +70,7 @@ public class AuthHttpServlet extends HttpServlet {
     private static final long serialVersionUID = 1L;
     private static final String BASEURI = "/oauth";
     private static final String LOGINURI = BASEURI + "/login";
-    //private static final String LOGOUTURI = BASEURI + "/logout";
+    private static final String LOGOUTURI = BASEURI + "/logout";
     private static final String PROVIDERSURI = BASEURI + "/providers";
     public static final String REDIRECTURI = BASEURI + "/redirect";
     private static final String REDIRECTURI_FORMAT = REDIRECTURI + "/%s";
@@ -137,6 +141,8 @@ public class AuthHttpServlet extends HttpServlet {
             this.sendResponse(resp, HttpServletResponse.SC_OK, getConfigs(this.providerStore.values()));
         } else if (req.getRequestURI().startsWith(LOGINURI)) {
             this.handleLoginRedirect(req, resp);
+        } else if (req.getRequestURI().equals(LOGOUTURI)) {
+            this.handleLogout(req, resp);
         } else if (POLICIESURI.equals(req.getRequestURI())) {
             this.sendResponse(resp, HttpServletResponse.SC_OK, this.getPoliciesForUser(req));
         } else if (req.getRequestURI().startsWith(REDIRECTURI)) {
@@ -146,7 +152,10 @@ public class AuthHttpServlet extends HttpServlet {
         }
 
     }
-
+    private void handleLogout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        this.logout();
+        this.sendResponse(resp, HttpServletResponse.SC_OK,"");
+    }
     private void handleLoginRedirect(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         final String uri = req.getRequestURI();
         final Matcher matcher = LOGIN_REDIRECT_PATTERN.matcher(uri);
@@ -458,5 +467,16 @@ public class AuthHttpServlet extends HttpServlet {
         os.write(output);
 
     }
-
+    private void logout() {
+        final Subject subject = SecurityUtils.getSubject();
+        try {
+            subject.logout();
+            Session session = subject.getSession(false);
+            if (session != null) {
+                session.stop();
+            }
+        } catch (ShiroException e) {
+            LOG.debug("Couldn't log out {}", subject, e);
+        }
+    }
 }
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java
index 3cb79757c..56a62f5c1 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java
@@ -84,7 +84,7 @@ public abstract class AuthService {
         this.redirectUri = redirectUri;
         this.mapper = new ObjectMapper();
         this.mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
-        this.httpClient = new MappingBaseHttpClient(this.config.getUrl());
+        this.httpClient = new MappingBaseHttpClient(this.config.getUrlOrInternal(), this.config.trustAll());
     }
 
     public PublicOAuthProviderConfig getConfig() {
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java
index 86383c983..c226a14dc 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java
@@ -44,20 +44,20 @@ public class KeycloakProviderService extends AuthService {
 
     @Override
     protected String getTokenVerifierUri() {
-        return "/auth/realms/onap/protocol/openid-connect/token";
+        return String.format("/auth/realms/%s/protocol/openid-connect/token", urlEncode(this.config.getRealmName()));
     }
 
     @Override
     protected String getLoginUrl(String callbackUrl) {
         return String.format(
-                "%s/auth/realms/onap/protocol/openid-connect/auth?client_id=%s&response_type=code&scope=%s&redirect_uri=%s",
-                this.config.getUrl(), urlEncode(this.config.getClientId()), this.config.getScope(),
-                urlEncode(callbackUrl));
+                "%s/auth/realms/%s/protocol/openid-connect/auth?client_id=%s&response_type=code&scope=%s&redirect_uri=%s",
+                this.config.getUrl(), urlEncode(this.config.getRealmName()), urlEncode(this.config.getClientId()),
+                this.config.getScope(), urlEncode(callbackUrl));
     }
 
     @Override
     protected List<String> mapRoles(List<String> data) {
-        final Map<String,String> map = this.config.getRoleMapping();
+        final Map<String, String> map = this.config.getRoleMapping();
         List<String> filteredRoles =
                 data.stream().filter(role -> !role.equals("uma_authorization") && !role.equals("offline_access"))
                         .map(r -> map.getOrDefault(r, r)).collect(Collectors.toList());
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java
index fb938000e..6c46ed25f 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java
@@ -60,8 +60,8 @@ public class TestGitlabAuthService {
     public static void init() {
 
         TokenCreator tokenCreator = TokenCreator.getInstance(TOKENCREATOR_SECRET, "issuer");
-        OAuthProviderConfig config =
-                new OAuthProviderConfig("git", GITURL, "odlux.app", OAUTH_SECRET, "openid", "gitlab test");
+        OAuthProviderConfig config = new OAuthProviderConfig("git", GITURL, null, "odlux.app", OAUTH_SECRET, "openid",
+                "gitlab test", "", false);
         oauthService = new GitlabProviderServiceToTest(config, REDIRECT_URI, tokenCreator);
         try {
             initGitlabTestWebserver(PORT, "/");
@@ -142,13 +142,17 @@ public class TestGitlabAuthService {
         }
         return null;
     }
+
     public static class MyHandler implements HttpHandler {
         private static final String GITLAB_TOKEN_ENDPOINT = "/oauth/token";
         private static final String GITLAB_USER_ENDPOINT = "/api/v4/user";
         private static final String GITLAB_GROUP_ENDPOINT = "/api/v4/groups?min_access_level=10";
-        private static final String GITLAB_TOKEN_RESPONSE = loadResourceFileContent("src/test/resources/oauth/gitlab-token-response.json");
-        private static final String GITLAB_USER_RESPONSE =loadResourceFileContent("src/test/resources/oauth/gitlab-user-response.json");
-        private static final String GITLAB_GROUP_RESPONSE =loadResourceFileContent("src/test/resources/oauth/gitlab-groups-response.json");
+        private static final String GITLAB_TOKEN_RESPONSE =
+                loadResourceFileContent("src/test/resources/oauth/gitlab-token-response.json");
+        private static final String GITLAB_USER_RESPONSE =
+                loadResourceFileContent("src/test/resources/oauth/gitlab-user-response.json");
+        private static final String GITLAB_GROUP_RESPONSE =
+                loadResourceFileContent("src/test/resources/oauth/gitlab-groups-response.json");
 
         @Override
         public void handle(HttpExchange t) throws IOException {
@@ -159,23 +163,21 @@ public class TestGitlabAuthService {
             String response = "";
             try {
                 if (method.equals("GET")) {
-                    if(uri.equals(GITLAB_USER_ENDPOINT)) {
+                    if (uri.equals(GITLAB_USER_ENDPOINT)) {
                         t.sendResponseHeaders(200, GITLAB_USER_RESPONSE.length());
                         os = t.getResponseBody();
                         os.write(GITLAB_USER_RESPONSE.getBytes());
-                    }
-                    else if(uri.equals(GITLAB_GROUP_ENDPOINT)) {
+                    } else if (uri.equals(GITLAB_GROUP_ENDPOINT)) {
                         t.sendResponseHeaders(200, GITLAB_GROUP_RESPONSE.length());
                         os = t.getResponseBody();
                         os.write(GITLAB_GROUP_RESPONSE.getBytes());
                     }
                 } else if (method.equals("POST")) {
-                    if(uri.equals(GITLAB_TOKEN_ENDPOINT)){
+                    if (uri.equals(GITLAB_TOKEN_ENDPOINT)) {
                         t.sendResponseHeaders(200, GITLAB_TOKEN_RESPONSE.length());
                         os = t.getResponseBody();
                         os.write(GITLAB_TOKEN_RESPONSE.getBytes());
-                    }
-                    else {
+                    } else {
                         t.sendResponseHeaders(404, 0);
                     }
                 } else {
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java
index 945ad7ff5..30b24af03 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java
+++ b/sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java
@@ -60,8 +60,8 @@ public class TestKeycloakAuthService {
     public static void init() {
 
         TokenCreator tokenCreator = TokenCreator.getInstance(TOKENCREATOR_SECRET, "issuer");
-        OAuthProviderConfig config =
-                new OAuthProviderConfig("kc", KEYCLOAKURL, "odlux.app", OAUTH_SECRET, "openid", "keycloak test");
+        OAuthProviderConfig config = new OAuthProviderConfig("kc", KEYCLOAKURL, null, "odlux.app", OAUTH_SECRET,
+                "openid", "keycloak test", "onap", false);
         oauthService = new KeycloakProviderServiceToTest(config, REDIRECT_URI, tokenCreator);
         try {
             initKeycloakTestWebserver(PORT, "/");
@@ -100,7 +100,8 @@ public class TestKeycloakAuthService {
 
     public static class KeycloakProviderServiceToTest extends KeycloakProviderService {
 
-        public KeycloakProviderServiceToTest(OAuthProviderConfig config, String redirectUri, TokenCreator tokenCreator) {
+        public KeycloakProviderServiceToTest(OAuthProviderConfig config, String redirectUri,
+                TokenCreator tokenCreator) {
             super(config, redirectUri, tokenCreator);
         }
     }
@@ -137,9 +138,11 @@ public class TestKeycloakAuthService {
         }
         return null;
     }
+
     public static class MyHandler implements HttpHandler {
         private static final String KEYCLOAK_TOKEN_ENDPOINT = "/auth/realms/onap/protocol/openid-connect/token";
-        private static final String KEYCLOAK_TOKEN_RESPONSE = loadResourceFileContent("src/test/resources/oauth/keycloak-token-response.json");
+        private static final String KEYCLOAK_TOKEN_RESPONSE =
+                loadResourceFileContent("src/test/resources/oauth/keycloak-token-response.json");
 
         @Override
         public void handle(HttpExchange t) throws IOException {
@@ -148,13 +151,12 @@ public class TestKeycloakAuthService {
             System.out.println(String.format("req received: %s %s", method, t.getRequestURI()));
             OutputStream os = null;
             try {
-               if (method.equals("POST")) {
-                    if(uri.equals(KEYCLOAK_TOKEN_ENDPOINT)){
+                if (method.equals("POST")) {
+                    if (uri.equals(KEYCLOAK_TOKEN_ENDPOINT)) {
                         t.sendResponseHeaders(200, KEYCLOAK_TOKEN_RESPONSE.length());
                         os = t.getResponseBody();
                         os.write(KEYCLOAK_TOKEN_RESPONSE.getBytes());
-                    }
-                    else {
+                    } else {
                         t.sendResponseHeaders(404, 0);
                     }
                 } else {
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml
index 682fa3728..1929fde8e 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml
+++ b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml
@@ -6,7 +6,6 @@
      terms of the Eclipse Public License v1.0 which accompanies this distribution,
      and is available at http://www.eclipse.org/legal/epl-v10.html , or the Apache License,
      Version 2.0 which is available at https://www.apache.org/licenses/LICENSE-2.0
-
      SPDX-License-Identifier: EPL-1.0 OR Apache-2.0
 -->
 
@@ -17,15 +16,243 @@
   ///////////////////////////////////////////////////////////////////////////////////////
 -->
 
-
 <shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
 
+    <!--
+      ///////////////////////////////////////////////////////////////////////////////////
+      // shiro-configuration is the model based container that contains all shiro      //
+      // related information used in ODL AAA configuration.  It is the sole pain of    //
+      // glass for shiro related configuration, and is how to configure shiro concepts //
+      // such as:                                                                      //
+      // * realms                                                                      //
+      // * urls                                                                        //
+      // * security manager settings                                                   //
+      //                                                                               //
+      // In general, you really shouldn't muck with the settings in this file.  The    //
+      // way an operator should configure AAA shiro settings is through one of ODL's   //
+      // northbound interfaces (i.e., RESTCONF or NETCONF).  These are just the        //
+      // defaults if no values are specified in MD-SAL.  The reason this file is so    //
+      // verbose is for two reasons:                                                   //
+      // 1) to demonstrate payload examples for plausible configuration scenarios      //
+      // 2) to allow bootstrap of the controller (first time start) since otherwise    //
+      //    configuration becomes a chicken and the egg problem.                       //
+      //                                                                               //
+      ///////////////////////////////////////////////////////////////////////////////////
+    -->
+
+    <!--
+      ===================================================================================
+      =                                                                                 =
+      =                                                                                 =
+      =                                      MAIN                                       =
+      =                                                                                 =
+      =                                                                                 =
+      ===================================================================================
+    -->
+
+    <!--
+      ===================================================================================
+      ============================ ODLJndiLdapRealmAuthNOnly ============================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with an external LDAP  =
+      =               server for authentication only.  For authorization support, refer =
+      =               to ODLJndiLdapRealm.                                              =
+      ===================================================================================
+    -->
+    <!-- Start ldapRealm commented out
+    <main>
+        <pair-key>ldapRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.userDnTemplate</pair-key>
+        <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.contextFactory.url</pair-key>
+        <pair-value>ldap://&lt;URL&gt;:389</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.searchBase</pair-key>
+        <pair-value>dc=DOMAIN,dc=TLD</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.groupRolesMap</pair-key>
+        <pair-value>&quot;person&quot;:&quot;admin&quot;, &quot;organizationalPerson&quot;:&quot;user&quot;</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
+        <pair-value>objectClass</pair-value>
+    </main>
+    End ldapRealm commented out-->
+
+    <!--
+      ===================================================================================
+      ============================= ODLActiveDirectoryRealm =============================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with an external AD    =
+      =               IDP server.                                                       =
+      ===================================================================================
+    -->
+    <!-- Start adRealm commented out
+    <main>
+        <pair-key>adRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.searchBase</pair-key>
+        <pair-value>&quot;CN=Users,DC=example,DC=com&quot;</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.systemUsername</pair-key>
+        <pair-value>aduser@example.com</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.systemPassword</pair-key>
+        <pair-value>adpassword</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.url</pair-key>
+        <pair-value>ldaps://adserver:636</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.groupRolesMap</pair-key>
+        <pair-value>&quot;CN=sysadmin,CN=Users,DC=example,DC=com&quot;:&quot;admin&quot;, &quot;CN=unprivileged,CN=Users,DC=example,DC=com&quot;:&quot;user&quot;</pair-value>
+    </main>
+    End adRealm commented out-->
+
+    <!--
+      ===================================================================================
+      ================================== ODLJdbcRealm ===================================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with an external JDBC  =
+      =               DBMS.                                                             =
+      ===================================================================================
+    -->
+    <!-- Start jdbcRealm commented out
+    <main>
+        <pair-key>ds</pair-key>
+        <pair-value>com.mysql.jdbc.Driver</pair-value>
+    </main>
+    <main>
+        <pair-key>ds.serverName</pair-key>
+        <pair-value>localhost</pair-value>
+    </main>
+    <main>
+        <pair-key>ds.user</pair-key>
+        <pair-value>user</pair-value>
+    </main>
+    <main>
+        <pair-key>ds.password</pair-key>
+        <pair-value>password</pair-value>
+    </main>
+    <main>
+        <pair-key>ds.databaseName</pair-key>
+        <pair-value>db_name</pair-value>
+    </main>
+    <main>
+        <pair-key>jdbcRealm</pair-key>
+        <pair-value>ODLJdbcRealm</pair-value>
+    </main>
+    <main>
+        <pair-key>jdbcRealm.dataSource</pair-key>
+        <pair-value>$ds</pair-value>
+    </main>
+    <main>
+        <pair-key>jdbcRealm.authenticationQuery</pair-key>
+        <pair-value>&quot;SELECT password FROM users WHERE user_name = ?&quot;</pair-value>
+    </main>
+    <main>
+        <pair-key>jdbcRealm.userRolesQuery</pair-key>
+        <pair-value>&quot;SELECT role_name FROM user_rolesWHERE user_name = ?&quot;</pair-value>
+    </main>
+    End jdbcRealm commented out-->
 
+    <!--
+      ===================================================================================
+      ================================= TokenAuthRealm ==================================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation utilizing a per node H2 database store.    =
+      ===================================================================================
+    -->
+<!--     <main> -->
+<!--         <pair-key>tokenAuthRealm</pair-key> -->
+<!--         <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
+<!--     </main> -->
     <main>
         <pair-key>tokenAuthRealm</pair-key>
         <pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value>
     </main>
 
+    <!--
+      ===================================================================================
+      =================================== MdsalRealm ====================================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation utilizing the aaa.yang model.              =
+      ===================================================================================
+    -->
+    <!-- Start mdsalRealm commented out
+    <main>
+        <pair-key>mdsalRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value>
+    </main>
+    End mdsalRealm commented out-->
+
+    <!--
+      ===================================================================================
+      ================================= MoonAuthRealm ===================================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with OPNFV Moon.       =
+      ===================================================================================
+    -->
+    <!-- Start moonAuthRealm commented out
+    <main>
+        <pair-key>moonAuthRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value>
+    </main>
+    <main>
+        <pair-key>moonAuthRealm.moonServerURL</pair-key>
+        <pair-value>http://&lt;host&gt;:&lt;port&gt;</pair-value>
+    </main>
+    End moonAuthRealm commented out-->
+
+    <!--
+      ===================================================================================
+      ================================= KeystoneAuthRealm == ============================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with an OpenStack      =
+      =               Keystone.                                                         =
+      ===================================================================================
+    -->
+    <!-- Start keystoneAuthRealm commented out
+    <main>
+        <pair-key>keystoneAuthRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value>
+    </main>
+    <main>
+        <pair-key>keystoneAuthRealm.url</pair-key>
+        <pair-value>https://&lt;host&gt;:&lt;port&gt;</pair-value>
+    </main>
+    <main>
+        <pair-key>keystoneAuthRealm.sslVerification</pair-key>
+        <pair-value>true</pair-value>
+    </main>
+    <main>
+        <pair-key>keystoneAuthRealm.defaultDomain</pair-key>
+        <pair-value>Default</pair-value>
+    </main>
+    -->
+
+    <!--
+    Add tokenAuthRealm as the only realm.  To enable mdsalRealm, add it to the list to he right of tokenAuthRealm.
+    -->
     <main>
         <pair-key>securityManager.realms</pair-key>
         <pair-value>$tokenAuthRealm</pair-value>
@@ -43,6 +270,13 @@
         <pair-key>authcBearer</pair-key>
         <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value>
     </main>
+   
+    <!-- Start moonAuthRealm commented out
+    <main>
+        <pair-key>rest</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value>
+    </main>
+    End moonAuthRealm commented out-->
 
     <!-- in order to track AAA challenge attempts -->
     <main>
@@ -59,8 +293,26 @@
         <pair-key>dynamicAuthorization</pair-key>
         <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
     </main>
+<!--     <main> -->
+<!--         <pair-key>securityManager.sessionManager.sessionIdCookieEnabled</pair-key> -->
+<!--         <pair-value>false</pair-value> -->
+<!--     </main> -->
 
-
+    <!--
+      ===================================================================================
+      =                                                                                 =
+      =                                                                                 =
+      =                                      URLS                                       =
+      =                                                                                 =
+      =                                                                                 =
+      ===================================================================================
+    -->
+    <!-- Start moonAuthRealm commented out
+    <urls>
+        <pair-key>/token</pair-key>
+        <pair-value>rest</pair-value>
+    </urls>
+    End moonAuthRealm commented out-->
     <urls>
         <pair-key>/**/operations/cluster-admin**</pair-key>
         <pair-value>dynamicAuthorization</pair-value>
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json
index 157ddb71a..260b77da7 100644
--- a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json
+++ b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json
@@ -12,7 +12,8 @@
             "clientId": "odlux.app",
             "secret": "5da4ea3d-8cc9-4669-bd7e-3ecb91d120cd",
             "scope": "openid",
-            "title": "OSNL Keycloak Provider"
+            "title": "OSNL Keycloak Provider",
+            "realmName":"onap"
         }
     ]
 }
\ No newline at end of file
-- 
cgit 1.2.3-korg