summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorShankaranarayanan Puzhavakath Narayanan <snarayanan@research.att.com>2019-04-09 13:57:47 +0000
committerGerrit Code Review <gerrit@onap.org>2019-04-09 13:57:47 +0000
commit4198ff2f181030c73b4cf43979fd8a40adf80f70 (patch)
tree27e149a586e46c98c38a46779b814630cb68416a
parent134a18e619772b6cb21000c97291d7966d5598eb (diff)
parent4cfb2d4827156cd4dd64a09ada3214415a8a7fdd (diff)
Merge "Reduce AAF auth permission cache time to 5 mins"
-rwxr-xr-xconfig/osdf_config.yaml5
-rw-r--r--osdf/adapters/aaf/aaf_authentication.py34
-rwxr-xr-xtest/config/osdf_config.yaml2
-rw-r--r--test/test_aaf_authentication.py7
4 files changed, 31 insertions, 17 deletions
diff --git a/config/osdf_config.yaml b/config/osdf_config.yaml
index eac9883..c867171 100755
--- a/config/osdf_config.yaml
+++ b/config/osdf_config.yaml
@@ -33,10 +33,13 @@ sdcONAPInstanceID: NA
# AAF Authentication config
is_aaf_enabled: False
-aaf_cache_expiry_hrs: 3
+aaf_cache_expiry_mins: 5
aaf_url: https://aaftest.simpledemo.onap.org:8095
aaf_user_roles:
- /api/oof/v1/placement:org.onap.osdf.access|*|read ALL
+ - /api/oof/placement/v1:org.onap.osdf.access|*|read ALL
+ - /api/oof/v1/pci:org.onap.osdf.access|*|read ALL
+ - /api/oof/pci/v1:org.onap.osdf.access|*|read ALL
# Secret Management Service from AAF
aaf_sms_url: https://aaf-sms.onap:10443
diff --git a/osdf/adapters/aaf/aaf_authentication.py b/osdf/adapters/aaf/aaf_authentication.py
index 26eac29..2a72c30 100644
--- a/osdf/adapters/aaf/aaf_authentication.py
+++ b/osdf/adapters/aaf/aaf_authentication.py
@@ -43,7 +43,6 @@ def authenticate(uid, passwd):
return has_valid_role(perms)
except Exception as exp:
error_log.error("Error Authenticating the user {} : {}: ".format(uid, exp))
- pass
return False
@@ -57,27 +56,38 @@ else return false
def has_valid_role(perms):
aaf_user_roles = deploy_config['aaf_user_roles']
+ aaf_roles = get_role_list(perms)
+
for roles in aaf_user_roles:
path_perm = roles.split(':')
uri = path_perm[0]
- role = path_perm[1].split('|')[0]
- if re.search(uri, request.path) and perms:
- roles = perms.get('roles')
- if roles:
- perm_list = roles.get('perm')
- for p in perm_list:
- if role == p['type']:
- return True
+ perm = path_perm[1].split('|')
+ p = (perm[0], perm[1], perm[2].split()[0])
+ if re.search(uri, request.path) and p in aaf_roles:
+ return True
return False
+
"""
-Make the remote aaf api call if user is not in the cache.
+Build a list of roles tuples from the AAF response.
-Return the perms
"""
+
+
+def get_role_list(perms):
+ role_list = []
+ if perms:
+ roles = perms.get('roles')
+ if roles:
+ perm = roles.get('perm', [])
+ for p in perm:
+ role_list.append((p['type'], p['instance'], p['action']))
+ return role_list
+
+
def get_aaf_permissions(uid, passwd):
key = base64.b64encode(bytes("{}_{}".format(uid, passwd), "ascii"))
- time_delta = timedelta(hours=deploy_config.get('aaf_cache_expiry_hrs', 3))
+ time_delta = timedelta(minutes=deploy_config.get('aaf_cache_expiry_mins', 5))
perms = perm_cache.get(key)
diff --git a/test/config/osdf_config.yaml b/test/config/osdf_config.yaml
index 8cff1d5..7582696 100755
--- a/test/config/osdf_config.yaml
+++ b/test/config/osdf_config.yaml
@@ -48,7 +48,7 @@ osdfPlacementUsername: "test"
osdfPlacementPassword: "testpwd"
is_aaf_enabled: False
-aaf_cache_expiry_hrs: 3
+aaf_cache_expiry_mins: 5
aaf_url: https://aaftest.simpledemo.onap.org:8095
aaf_user_roles:
- /api/oof/v1/placement:org.onap.osdf.access|*|read ALL
diff --git a/test/test_aaf_authentication.py b/test/test_aaf_authentication.py
index f20a860..e69b2aa 100644
--- a/test/test_aaf_authentication.py
+++ b/test/test_aaf_authentication.py
@@ -16,6 +16,7 @@
# -------------------------------------------------------------------------
#
import os
+
from flask import Flask
from mock import mock
@@ -33,7 +34,7 @@ class TestAafAuthentication():
def mock_aaf_response(*args, **kwargs):
return {"perm": [{"instance": "menu_ecd", "action": "*", "type": "org.onap.oof.controller.dev.menu"},
- {"instance": "*", "action": "*", "type": "org.onap.osdf.access"},
+ {"instance": "*", "action": "read", "type": "org.onap.osdf.access"},
{"instance": "aaf", "action": "request", "type": "org.onap.osdf.certman"},
{"instance": "*", "action": "*", "type": "org.onap.osdf.dev.access"},
{"instance": ":*:*", "action": "*", "type": "org.onap.osdf.dev.k8"},
@@ -48,8 +49,8 @@ class TestAafAuthentication():
auth.clear_cache()
def mock_aaf_response(*args, **kwargs):
- return {"perm": [{"instance": "menu_ecd", "action": "*", "type": "org.onap.oof.controller.dev.menu"},
- {"instance": "*", "action": "*", "type": "org.onap.osdf.access"},
+ return {"perm": [{"instance": "menu_ecd", "action": "*", "type": "org.onap.osdf.controller.dev.menu"},
+ {"instance": "*", "action": "read", "type": "org.onap.osdf.access"},
{"instance": "aaf", "action": "request", "type": "org.onap.osdf.certman"},
{"instance": "*", "action": "*", "type": "org.onap.osdf.dev.access"},
{"instance": ":*:*", "action": "*", "type": "org.onap.osdf.dev.k8"},