From c6b5e85bc0a1d9f884ef3fda68eb8a9ca0bbc44c Mon Sep 17 00:00:00 2001
From: Ravi Geda <gravik@amdocs.com>
Date: Sun, 30 Sep 2018 21:14:41 +0100
Subject: Add Pluggable Security to Gizmo

Note that by default this feature is turned off. To enable update the
installSidecarSecurity in aai/values.yaml to true.

Change-Id: If4c32b55aa6d8e123c9e86015ff084848fd01c25
Issue-ID: AAI-1694
Signed-off-by: Ravi Geda <gravik@amdocs.com>
---
 .../resources/rproxy/config/auth/client-cert.p12   | Bin 0 -> 2556 bytes
 .../resources/rproxy/config/auth/tomcat_keystore   | Bin 0 -> 3594 bytes
 .../rproxy/config/auth/uri-authorization.json      |  99 +++++++++++++++++++++
 3 files changed, 99 insertions(+)
 create mode 100644 kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12
 create mode 100644 kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore
 create mode 100644 kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json

(limited to 'kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth')

diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12
new file mode 100644
index 0000000000..dbf4fcacec
Binary files /dev/null and b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12 differ
diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore
new file mode 100644
index 0000000000..99129c145f
Binary files /dev/null and b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore differ
diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json
new file mode 100644
index 0000000000..e468b3d7bd
--- /dev/null
+++ b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json
@@ -0,0 +1,99 @@
+[
+  {
+    "uri": "\/not\/allowed\/at\/all$",
+    "permissions": [
+      "test.auth.access.ifYouLikedItYouShouldHavePutAPermissionOnIt"
+     ]
+  },
+  {
+    "uri": "\/one\/auth\/required$",
+    "permissions": [
+      "test.auth.access.aSimpleSingleAuth"
+     ]
+  },
+  {
+    "uri": "\/multi\/auth\/required$",
+    "permissions": [
+      "test.auth.access.aMultipleAuth1",
+      "test.auth.access.aMultipleAuth2",
+      "test.auth.access.aMultipleAuth3"
+     ]
+  },
+  {
+    "uri": "\/one\/[^\/]+\/required$",
+    "permissions": [
+      "test.auth.access.aSimpleSingleAuth"
+     ]
+  },
+  {
+    "uri": "\/services\/getAAFRequest$",
+    "permissions": [
+      "test.auth.access|services|GET,PUT"
+     ]
+  },
+  {
+    "uri": "\/admin\/getAAFRequest$",
+    "permissions": [
+      "test.auth.access|admin|GET,PUT,POST"
+     ]
+  },
+  {
+    "uri": "\/service\/aai\/webapp\/index.html$",
+    "permissions": [
+      "test.auth.access|services|GET,PUT"
+     ]
+  },
+  {
+    "uri": "\/services\/aai\/webapp\/index.html$",
+    "permissions": [
+      "test.auth.access|services|GET,PUT"
+     ]
+  },
+  {
+    "uri": "\/$",
+    "permissions": [
+    	"\\|services\\|GET",
+      "test\\.auth\\.access\\|services\\|GET,PUT"
+     ]
+  },
+  {
+    "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions$",
+    "permissions": [
+      "test\\.auth\\.access\\|rest\\|read"
+     ]
+  },
+  {
+    "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+$*",
+    "permissions": [
+      "test.auth.access|clouds|read",
+      "test.auth.access|tenants|read"
+    ]
+  },
+  {
+    "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+\/tenants/tenant/[^\/]+/vservers/vserver/[^\/]+$",
+    "permissions": [
+      "test.auth.access|clouds|read",
+      "test.auth.access|tenants|read",
+      "test.auth.access|vservers|read"
+    ]
+  },
+  {
+    "uri": "\/backend$",
+    "permissions": [
+      "test\\.auth\\.access\\|services\\|GET,PUT",
+      "\\|services\\|GET"
+     ]
+  },
+  {
+    "uri": "\/services\/inventory\/.*",
+    "permissions": [
+      "org\\.access\\|\\*\\|\\*"
+     ]
+  },
+  {
+    "uri": "\/services\/gizmo\/.*",
+    "permissions": [
+      "org\\.access\\|\\*\\|\\*"
+     ]
+  }
+]
-- 
cgit