-rwxr-xr-x | config/osdf_config.yaml | 5 | ||||
-rw-r--r-- | osdf/adapters/aaf/aaf_authentication.py | 34 | ||||
-rwxr-xr-x | test/config/osdf_config.yaml | 2 | ||||
-rw-r--r-- | test/test_aaf_authentication.py | 7 |
4 files changed, 31 insertions, 17 deletions
diff --git a/config/osdf_config.yaml b/config/osdf_config.yaml
index 8c6d9f1..53c9ef9 100755
--- a/config/osdf_config.yaml
+++ b/config/osdf_config.yaml
@@ -31,10 +31,13 @@ sdcONAPInstanceID: NA
 # AAF Authentication config
 is_aaf_enabled: False
-aaf_cache_expiry_hrs: 3
+aaf_cache_expiry_mins: 5
 aaf_url: https://aaftest.simpledemo.onap.org:8095
 aaf_user_roles:
 - /api/oof/v1/placement:org.onap.osdf.access|*|read ALL
+ - /api/oof/placement/v1:org.onap.osdf.access|*|read ALL
+ - /api/oof/v1/pci:org.onap.osdf.access|*|read ALL
+ - /api/oof/pci/v1:org.onap.osdf.access|*|read ALL
 # Secret Management Service from AAF
 aaf_sms_url: https://aaf-sms.onap:10443
diff --git a/osdf/adapters/aaf/aaf_authentication.py b/osdf/adapters/aaf/aaf_authentication.py
index 26eac29..2a72c30 100644
--- a/osdf/adapters/aaf/aaf_authentication.py
+++ b/osdf/adapters/aaf/aaf_authentication.py
@@ -43,7 +43,6 @@ def authenticate(uid, passwd):
 return has_valid_role(perms)
 except Exception as exp:
 error_log.error("Error Authenticating the user {} : {}: ".format(uid, exp))
- pass
 return False
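Review bot: The three new `aaf_user_roles` entries carry the action as `read ALL`, but has_valid_role in osdf/adapters/aaf/aaf_authentication.py keeps only the first whitespace-separated token (`perm[2].split()[0]`), so the `ALL` part is never compared against anything; either drop it or state that it is ignored. A comment above the list would spare the next reader a trip into the code, e.g. `# <request-path regex>:<AAF perm type>|<instance>|<action>; the path part is matched with re.search, the rest as an exact triple against the AAF perm list`. The same entry format appears in test/config/osdf_config.yaml further down.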
@@ -57,27 +56,38 @@ else return false
 def has_valid_role(perms):
 aaf_user_roles = deploy_config['aaf_user_roles']
+ aaf_roles = get_role_list(perms)
+
 for roles in aaf_user_roles:
 path_perm = roles.split(':')
 uri = path_perm[0]
- role = path_perm[1].split('|')[0]
- if re.search(uri, request.path) and perms:
- roles = perms.get('roles')
- if roles:
- perm_list = roles.get('perm')
- for p in perm_list:
- if role == p['type']:
- return True
+ perm = path_perm[1].split('|')
+ p = (perm[0], perm[1], perm[2].split()[0])
+ if re.search(uri, request.path) and p in aaf_roles:
+ return True
 return False
+
 """
-Make the remote aaf api call if user is not in the cache.
+Build a list of roles tuples from the AAF response.
-Return the perms
 """
+
+
+def get_role_list(perms):
+ role_list = []
+ if perms:
+ roles = perms.get('roles')
+ if roles:
+ perm = roles.get('perm', [])
+ for p in perm:
+ role_list.append((p['type'], p['instance'], p['action']))
+ return role_list
+
+
 def get_aaf_permissions(uid, passwd):
 key = base64.b64encode(bytes("{}_{}".format(uid, passwd), "ascii"))
- time_delta = timedelta(hours=deploy_config.get('aaf_cache_expiry_hrs', 3))
+ time_delta = timedelta(minutes=deploy_config.get('aaf_cache_expiry_mins', 5))
 perms = perm_cache.get(key)
diff --git a/test/config/osdf_config.yaml b/test/config/osdf_config.yaml
index 8cff1d5..7582696 100755
--- a/test/config/osdf_config.yaml
+++ b/test/config/osdf_config.yaml
@@ -48,7 +48,7 @@ osdfPlacementUsername: "test"
 osdfPlacementPassword: "testpwd"
 is_aaf_enabled: False
-aaf_cache_expiry_hrs: 3
+aaf_cache_expiry_mins: 5
 aaf_url: https://aaftest.simpledemo.onap.org:8095
 aaf_user_roles:
 - /api/oof/v1/placement:org.onap.osdf.access|*|read ALL
diff --git a/test/test_aaf_authentication.py b/test/test_aaf_authentication.py
index f20a860..e69b2aa 100644
--- a/test/test_aaf_authentication.py
+++ b/test/test_aaf_authentication.py
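Review bot: `re.search(uri, request.path)` in has_valid_role still treats the configured path as an unanchored regular expression, so a request path that merely contains `/api/oof/v1/pci` somewhere in it (with `.` matching any character) passes the path check, and now that the permission triple is compared exactly this is the only loose part of the decision. Anchoring it, e.g. `if re.fullmatch(uri, request.path) and p in aaf_roles:`, or applying `re.escape` to the entries if they are meant as literal prefixes, would make the path check as strict as the triple check; confirm the deployed entries' trailing-slash and sub-path expectations before switching. get_role_list deserves a docstring line saying that a perm record without `instance` or `action` raises KeyError, which authenticate's `except Exception` in the previous hunk turns into a denial plus an error log rather than a skipped record. In get_aaf_permissions, whose body continues past this hunk, the context line builds the cache key as reversible base64 of `uid_passwd`; deriving the key with hashlib instead would keep plaintext credentials out of the in-memory cache keys, a pre-existing point but this hunk is where the cache expiry is being tuned.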
@@ -16,6 +16,7 @@
 # -------------------------------------------------------------------------
 #
 import os
+
 from flask import Flask
 from mock import mock
@@ -33,7 +34,7 @@ class TestAafAuthentication():
 def mock_aaf_response(*args, **kwargs):
 return {"perm": [{"instance": "menu_ecd", "action": "*", "type": "org.onap.oof.controller.dev.menu"},
- {"instance": "*", "action": "*", "type": "org.onap.osdf.access"},
+ {"instance": "*", "action": "read", "type": "org.onap.osdf.access"},
 {"instance": "aaf", "action": "request", "type": "org.onap.osdf.certman"},
 {"instance": "*", "action": "*", "type": "org.onap.osdf.dev.access"},
 {"instance": ":*:*", "action": "*", "type": "org.onap.osdf.dev.k8"},
@@ -48,8 +49,8 @@ class TestAafAuthentication():
 auth.clear_cache()
 def mock_aaf_response(*args, **kwargs):
- return {"perm": [{"instance": "menu_ecd", "action": "*", "type": "org.onap.oof.controller.dev.menu"},
- {"instance": "*", "action": "*", "type": "org.onap.osdf.access"},
+ return {"perm": [{"instance": "menu_ecd", "action": "*", "type": "org.onap.osdf.controller.dev.menu"},
+ {"instance": "*", "action": "read", "type": "org.onap.osdf.access"},
 {"instance": "aaf", "action": "request", "type": "org.onap.osdf.certman"},
 {"instance": "*", "action": "*", "type": "org.onap.osdf.dev.access"},
 {"instance": ":*:*", "action": "*", "type": "org.onap.osdf.dev.k8"}, |
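Review bot: Both updated mocks now return a permission that matches the configured `(type, instance, action)` triple exactly, so the tests no longer cover the value the old mocks had, `"action": "*"` for `org.onap.osdf.access`; with has_valid_role comparing tuples, a case asserting what happens for a wildcard action would document whether denying it is intended. A negative case for a request path outside `aaf_user_roles` would likewise pin the `re.search` path check, which is otherwise untested here. The TestAafAuthentication methods these mocks belong to start outside the hunks.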