From 4cfb2d4827156cd4dd64a09ada3214415a8a7fdd Mon Sep 17 00:00:00 2001
From: vrvarma <vv8305@att.com>
Date: Tue, 9 Apr 2019 09:31:42 -0400
Subject: Reduce AAF auth permission cache time to 5 mins

Refactor code smell issues found in sonar

Change-Id: I819a91e374609224561afa7ddb6878fab37feaf2
Signed-off-by: vrvarma <vv8305@att.com>
Issue-ID: OPTFRA-471
---
 config/osdf_config.yaml                 |  5 ++++-
 osdf/adapters/aaf/aaf_authentication.py | 34 +++++++++++++++++++++------------
 test/config/osdf_config.yaml            |  2 +-
 test/test_aaf_authentication.py         |  7 ++++---
 4 files changed, 31 insertions(+), 17 deletions(-)

diff --git a/config/osdf_config.yaml b/config/osdf_config.yaml
index 8c6d9f1..53c9ef9 100755
--- a/config/osdf_config.yaml
+++ b/config/osdf_config.yaml
@@ -31,10 +31,13 @@ sdcONAPInstanceID: NA
 
 # AAF Authentication config
 is_aaf_enabled: False
-aaf_cache_expiry_hrs: 3
+aaf_cache_expiry_mins: 5
 aaf_url: https://aaftest.simpledemo.onap.org:8095
 aaf_user_roles:
     - /api/oof/v1/placement:org.onap.osdf.access|*|read ALL
+    - /api/oof/placement/v1:org.onap.osdf.access|*|read ALL
+    - /api/oof/v1/pci:org.onap.osdf.access|*|read ALL
+    - /api/oof/pci/v1:org.onap.osdf.access|*|read ALL
 
 # Secret Management Service from AAF
 aaf_sms_url: https://aaf-sms.onap:10443
diff --git a/osdf/adapters/aaf/aaf_authentication.py b/osdf/adapters/aaf/aaf_authentication.py
index 26eac29..2a72c30 100644
--- a/osdf/adapters/aaf/aaf_authentication.py
+++ b/osdf/adapters/aaf/aaf_authentication.py
@@ -43,7 +43,6 @@ def authenticate(uid, passwd):
         return has_valid_role(perms)
     except Exception as exp:
         error_log.error("Error Authenticating the user {} : {}: ".format(uid, exp))
-        pass
     return False
 
 
@@ -57,27 +56,38 @@ else return false
 def has_valid_role(perms):
     aaf_user_roles = deploy_config['aaf_user_roles']
 
+    aaf_roles = get_role_list(perms)
+
     for roles in aaf_user_roles:
         path_perm = roles.split(':')
         uri = path_perm[0]
-        role = path_perm[1].split('|')[0]
-        if re.search(uri, request.path) and perms:
-            roles = perms.get('roles')
-            if roles:
-                perm_list = roles.get('perm')
-                for p in perm_list:
-                    if role == p['type']:
-                        return True
+        perm = path_perm[1].split('|')
+        p = (perm[0], perm[1], perm[2].split()[0])
+        if re.search(uri, request.path) and p in aaf_roles:
+            return True
     return False
 
+
 """
-Make the remote aaf api call if user is not in the cache.
+Build a list of roles tuples from the AAF response.
 
-Return the perms
 """
+
+
+def get_role_list(perms):
+    role_list = []
+    if perms:
+        roles = perms.get('roles')
+        if roles:
+            perm = roles.get('perm', [])
+            for p in perm:
+                role_list.append((p['type'], p['instance'], p['action']))
+    return role_list
+
+
 def get_aaf_permissions(uid, passwd):
     key = base64.b64encode(bytes("{}_{}".format(uid, passwd), "ascii"))
-    time_delta = timedelta(hours=deploy_config.get('aaf_cache_expiry_hrs', 3))
+    time_delta = timedelta(minutes=deploy_config.get('aaf_cache_expiry_mins', 5))
 
     perms = perm_cache.get(key)
 
diff --git a/test/config/osdf_config.yaml b/test/config/osdf_config.yaml
index 8cff1d5..7582696 100755
--- a/test/config/osdf_config.yaml
+++ b/test/config/osdf_config.yaml
@@ -48,7 +48,7 @@ osdfPlacementUsername: "test"
 osdfPlacementPassword: "testpwd"
 
 is_aaf_enabled: False
-aaf_cache_expiry_hrs: 3
+aaf_cache_expiry_mins: 5
 aaf_url: https://aaftest.simpledemo.onap.org:8095
 aaf_user_roles:
     - /api/oof/v1/placement:org.onap.osdf.access|*|read ALL
diff --git a/test/test_aaf_authentication.py b/test/test_aaf_authentication.py
index f20a860..e69b2aa 100644
--- a/test/test_aaf_authentication.py
+++ b/test/test_aaf_authentication.py
@@ -16,6 +16,7 @@
 # -------------------------------------------------------------------------
 #
 import os
+
 from flask import Flask
 from mock import mock
 
@@ -33,7 +34,7 @@ class TestAafAuthentication():
 
         def mock_aaf_response(*args, **kwargs):
             return {"perm": [{"instance": "menu_ecd", "action": "*", "type": "org.onap.oof.controller.dev.menu"},
-                             {"instance": "*", "action": "*", "type": "org.onap.osdf.access"},
+                             {"instance": "*", "action": "read", "type": "org.onap.osdf.access"},
                              {"instance": "aaf", "action": "request", "type": "org.onap.osdf.certman"},
                              {"instance": "*", "action": "*", "type": "org.onap.osdf.dev.access"},
                              {"instance": ":*:*", "action": "*", "type": "org.onap.osdf.dev.k8"},
@@ -48,8 +49,8 @@ class TestAafAuthentication():
         auth.clear_cache()
 
         def mock_aaf_response(*args, **kwargs):
-            return {"perm": [{"instance": "menu_ecd", "action": "*", "type": "org.onap.oof.controller.dev.menu"},
-                             {"instance": "*", "action": "*", "type": "org.onap.osdf.access"},
+            return {"perm": [{"instance": "menu_ecd", "action": "*", "type": "org.onap.osdf.controller.dev.menu"},
+                             {"instance": "*", "action": "read", "type": "org.onap.osdf.access"},
                              {"instance": "aaf", "action": "request", "type": "org.onap.osdf.certman"},
                              {"instance": "*", "action": "*", "type": "org.onap.osdf.dev.access"},
                              {"instance": ":*:*", "action": "*", "type": "org.onap.osdf.dev.k8"},
-- 
cgit 1.2.3-korg