fix oauth code 04/137504/1
authorMichael Dürre <michael.duerre@highstreet-technologies.com>
Thu, 14 Mar 2024 10:54:26 +0000 (11:54 +0100)
committerMichael Dürre <michael.duerre@highstreet-technologies.com>
Thu, 14 Mar 2024 10:54:43 +0000 (11:54 +0100)
split oauth into realm and web functionality

Issue-ID: CCSDK-3394
Change-Id: I245a30a9df4e9a5c40af5dfe3e0d5318bceed9dc
Signed-off-by: Michael Dürre <michael.duerre@highstreet-technologies.com>
69 files changed:
sdnr/wt/featureaggregator/feature-oauth/pom.xml
sdnr/wt/featureaggregator/installer/pom.xml
sdnr/wt/featureaggregator/pom.xml
sdnr/wt/oauth-provider/oauth-core/pom.xml [moved from sdnr/wt/oauth-provider/provider-jar/pom.xml with 94% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/OAuth2Realm.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/Config.java with 98% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/CustomObjectMapper.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/CustomObjectMapper.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/InvalidConfigurationException.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/InvalidConfigurationException.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/KeycloakRole.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/KeycloakRole.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/KeycloakUserTokenPayload.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/KeycloakUserTokenPayload.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/NoDefinitionFoundException.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/NoDefinitionFoundException.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthProviderConfig.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthResponseData.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthResponseData.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OAuthToken.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OdlPolicy.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OdlPolicy.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OdlShiroConfiguration.java [new file with mode: 0644]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OdlXmlMapper.java [new file with mode: 0644]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OpenIdConfigResponseData.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OpenIdConfigResponseData.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/UnableToConfigureOAuthService.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/UnableToConfigureOAuthService.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/UserTokenPayload.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/UserTokenPayload.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/AnyRoleHttpAuthenticationFilter.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/AnyRoleHttpAuthenticationFilter.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/BearerAndBasicHttpAuthenticationFilter.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/BearerAndBasicHttpAuthenticationFilter.java with 73% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/CustomizedMDSALDynamicAuthorizationFilter.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/filters/CustomizedMDSALDynamicAuthorizationFilter.java with 87% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/AuthHttpServlet.java with 82% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/HeadersOnlyHttpServletRequest.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/HeadersOnlyHttpServletRequest.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/client/MappedBaseHttpResponse.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/client/MappedBaseHttpResponse.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/client/MappingBaseHttpClient.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/http/client/MappingBaseHttpClient.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/AuthService.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/GitlabProviderService.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/GitlabProviderService.java with 98% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/KeycloakProviderService.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/MdSalAuthorizationStore.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/MdSalAuthorizationStore.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/NextcloudProviderService.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/NextcloudProviderService.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/OAuthProviderFactory.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/OAuthProviderFactory.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/PemUtils.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/PemUtils.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/RSAKeyReader.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/RSAKeyReader.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java [moved from sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/providers/TokenCreator.java with 94% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestAuthHttpServlet.java with 92% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestConfig.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestConfig.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestDeserializer.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestDeserializer.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestGitlabAuthService.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestKeycloakAuthService.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestPolicy.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestPolicy.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestProperty.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestProperty.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRSAAlgorithms.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRSAAlgorithms.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/TestRealm.java with 90% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/helper/OdlJsonMapper.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/helper/OdlJsonMapper.java with 93% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/helper/OdlXmlMapper.java [moved from sdnr/wt/oauth-provider/provider-jar/src/test/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/test/helper/OdlXmlMapper.java with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/aaa-app-config.test.xml [new file with mode: 0644]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/jwtRS256.key [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/jwtRS256.key with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/jwtRS256.key.pub [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/jwtRS256.key.pub with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/jwtRS512.key [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/jwtRS512.key with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/jwtRS512.key.pub [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/jwtRS512.key.pub with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/mdsalDynAuthData.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/mdsalDynAuthData.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/oauth/gitlab-groups-response.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/oauth/gitlab-groups-response.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/oauth/gitlab-token-response.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/oauth/gitlab-token-response.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/oauth/gitlab-user-response.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/oauth/gitlab-user-response.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/oauth/keycloak-token-response.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/oauth/keycloak-token-response.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/oom.test.config.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/oom.test.config.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/test.config.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.config.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/test.configRS256-invalid.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.configRS256-invalid.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/test.configRS256.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.configRS256.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-core/src/test/resources/test.configRS512.json [moved from sdnr/wt/oauth-provider/provider-jar/src/test/resources/test.configRS512.json with 100% similarity]
sdnr/wt/oauth-provider/oauth-realm/pom.xml [moved from sdnr/wt/oauth-provider/provider-osgi/pom.xml with 89% similarity]
sdnr/wt/oauth-provider/oauth-web/pom.xml [new file with mode: 0644]
sdnr/wt/oauth-provider/oauth-web/src/main/resources/org/opendaylight/blueprint/impl-blueprint.xml [moved from sdnr/wt/oauth-provider/provider-osgi/src/main/resources/org/opendaylight/blueprint/impl-blueprint.xml with 57% similarity]
sdnr/wt/oauth-provider/pom.xml
sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/Helper.java [deleted file]
sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml [deleted file]
sdnr/wt/pom.xml

index b79b320..707dc78 100644 (file)
@@ -22,6 +22,7 @@
   ~ ============LICENSE_END=======================================================
   ~
   -->
+
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
@@ -34,7 +35,7 @@
 
     <groupId>org.onap.ccsdk.features.sdnr.wt</groupId>
     <artifactId>sdnr-wt-feature-aggregator-oauth</artifactId>
-    <version>1.6.0-SNAPSHOT</version>
+    <version>1.7.0-SNAPSHOT</version>
     <packaging>feature</packaging>
 
     <name>ccsdk-features :: ${project.artifactId}</name>
         </dependency>
         <dependency>
             <groupId>${project.groupId}</groupId>
-            <artifactId>sdnr-wt-oauth-provider</artifactId>
+            <artifactId>sdnr-wt-oauth-web</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+         <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>sdnr-wt-oauth-realm</artifactId>
             <version>${project.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>${project.groupId}</groupId>
-                    <artifactId>sdnr-wt-oauth-provider-jar</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
     </dependencies>
 </project>
index ce1e3fe..1c0e155 100755 (executable)
             <type>xml</type>
             <classifier>features</classifier>
         </dependency>
-        <!-- <dependency>
+        <dependency>
             <groupId>${project.groupId}</groupId>
             <artifactId>sdnr-wt-feature-aggregator-oauth</artifactId>
             <version>${project.version}</version>
             <type>xml</type>
             <classifier>features</classifier>
-        </dependency> -->
+        </dependency>
         <dependency>
             <groupId>${project.groupId}</groupId>
             <artifactId>sdnr-wt-data-provider-setup</artifactId>
index f0349e4..c0fb6e7 100755 (executable)
@@ -41,7 +41,7 @@
 
     <modules>
         <module>feature</module>
-        <!-- <module>feature-oauth</module> -->
+        <module>feature-oauth</module>
         <module>feature-devicemanager</module>
         <module>feature-devicemanager-base</module>
         <module>installer</module>
similarity index 94%
rename from sdnr/wt/oauth-provider/provider-jar/pom.xml
rename to sdnr/wt/oauth-provider/oauth-core/pom.xml
index 6ad79ef..ef00bf8 100644 (file)
@@ -22,6 +22,7 @@
   ~ ============LICENSE_END=======================================================
   ~
   -->
+
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
@@ -33,8 +34,8 @@
     </parent>
 
     <groupId>org.onap.ccsdk.features.sdnr.wt</groupId>
-    <artifactId>sdnr-wt-oauth-provider-jar</artifactId>
-    <version>1.6.0-SNAPSHOT</version>
+    <artifactId>sdnr-wt-oauth-core</artifactId>
+    <version>1.7.0-SNAPSHOT</version>
     <packaging>jar</packaging>
 
     <name>ccsdk-features :: ${project.artifactId}</name>
             <scope>provided</scope>
         </dependency>
         <dependency>
-            <groupId>jakarta.servlet</groupId>
-            <artifactId>jakarta.servlet-api</artifactId>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.dataformat</groupId>
+            <artifactId>jackson-dataformat-xml</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>sdnr-wt-yang-utils</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>osgi.cmpn</artifactId>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <artifactId>jetty-servlet</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>com.fasterxml.jackson.dataformat</groupId>
-            <artifactId>jackson-dataformat-xml</artifactId>
-            <scope>test</scope>
-        </dependency>
-         <dependency>
-            <groupId>${project.groupId}</groupId>
-            <artifactId>sdnr-wt-yang-utils</artifactId>
-            <version>${project.version}</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.opendaylight.mdsal.binding.model.ietf</groupId>
             <artifactId>rfc6991-ietf-yang-types</artifactId>
             <artifactId>org.osgi.core</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.osgi</groupId>
-            <artifactId>osgi.cmpn</artifactId>
-            <version>7.0.0</version>
-            <scope>compile</scope>
-        </dependency>
     </dependencies>
 </project>
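Review bot: `org.osgi.core` is now declared twice in this pom — the new `provided`-scope entry added in the dependencies hunk and the pre-existing `test`-scope entry still visible just before `</dependencies>` — and Maven warns on duplicate `groupId:artifactId` declarations and only honours one of them. The `test` entry is redundant once the `provided` one exists (provided-scope artifacts are on the test classpath), so drop the `test`-scope `org.osgi.core` block. The `osgi.cmpn` dependency also lost its explicit `7.0.0` version in the move while being changed to `compile` scope; that is only safe if the parent's `dependencyManagement` pins it, which is worth confirming since the version is no longer visible in this module.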
@@ -242,14 +242,14 @@ public class Config {
         boolean found = false;
         if (isEnvExpression(key)) {
 
-            LOG.debug("try to find env var(s) for {}", key);
+            LOG.info("try to find env var(s) for {}", key);
             final Matcher matcher = pattern.matcher(key);
             String tmp = new String(key);
             while (matcher.find() && matcher.groupCount() > 0) {
                 final String mkey = matcher.group(1);
                 if (mkey != null) {
                     try {
-                        LOG.debug("match found for v={} and env key={}", key, mkey);
+                        LOG.info("match found for v={} and env key={}", key, mkey);
                         String envvar = mkey.substring(2, mkey.length() - 1);
                         String env = System.getenv(envvar);
                         tmp = tmp.replace(mkey, env == null ? "" : env);
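Review bot: Raising the two trace messages from `LOG.debug` to `LOG.info` turns every environment-variable lookup during configuration loading into routine production log output, which reads like leftover debugging rather than an intended change. What these two lines log is the unresolved expression (`key`, `mkey`), not the environment value, so no secret is written here, but any later line in this method that logs the resolved `env` or `tmp` at the same level would be — the method starts and ends outside the hunk, so that cannot be checked from here. Suggest restoring `LOG.debug("try to find env var(s) for {}", key);` and `LOG.debug("match found for v={} and env key={}", key, mkey);`.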
diff --git a/sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OdlShiroConfiguration.java b/sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OdlShiroConfiguration.java
new file mode 100644 (file)
index 0000000..f5e0674
--- /dev/null
@@ -0,0 +1,67 @@
+package org.onap.ccsdk.features.sdnr.wt.oauthprovider.data;
+
+import java.util.List;
+
+public class OdlShiroConfiguration {
+
+    private List<MainItem> main;
+    private List<UrlItem> urls;
+
+
+
+    public List<MainItem> getMain() {
+        return main;
+    }
+
+    public void setMain(List<MainItem> main) {
+        this.main = main;
+    }
+    public List<UrlItem> getUrls() {
+        return urls;
+    }
+    public void setUrls(List<UrlItem> urls) {
+        this.urls = urls;
+    }
+    public OdlShiroConfiguration(){
+
+    }
+
+    public static class BaseItem{
+        private String pairKey;
+        private String pairValue;
+
+        public String getPairKey() {
+            return pairKey;
+        }
+
+        public void setPairKey(String pairKey) {
+            this.pairKey = pairKey;
+        }
+
+        public String getPairValue() {
+            return pairValue;
+        }
+
+        public void setPairValue(String pairValue) {
+            this.pairValue = pairValue;
+        }
+
+        public BaseItem(){
+
+        }
+
+    }
+
+    public static class MainItem extends BaseItem{
+        public MainItem(){
+            super();
+        }
+
+    }
+    public static class UrlItem extends BaseItem{
+        public UrlItem(){
+            super();
+        }
+    }
+
+}
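Review bot: The new bean has no documentation and several formatting slips (the double blank line after the `urls` field, missing space before `{` in `BaseItem{`, `MainItem extends BaseItem{` and `UrlItem extends BaseItem{`, and blank-bodied constructors). Add a class Javadoc such as `/** Bean form of the ODL shiro configuration: the {@code main} and {@code urls} sections, each a list of key/value pairs ({@code pairKey}/{@code pairValue}). */` — presumably this is what the added `aaa-app-config.test.xml` resource is deserialized into, so once confirmed the Javadoc should name that file format. The getters hand out the internal lists, which is normal for a Jackson bean but worth stating in the Javadoc so callers know the lists are shared rather than copied.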
diff --git a/sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OdlXmlMapper.java b/sdnr/wt/oauth-provider/oauth-core/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/data/OdlXmlMapper.java
new file mode 100644 (file)
index 0000000..cbdc1d0
--- /dev/null
@@ -0,0 +1,44 @@
+/*
+ * ============LICENSE_START=======================================================
+ * ONAP : ccsdk features
+ * ================================================================================
+ * Copyright (C) 2021 highstreet technologies GmbH Intellectual Property.
+ * All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ *
+ */
+package org.onap.ccsdk.features.sdnr.wt.oauthprovider.data;
+
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.MapperFeature;
+import com.fasterxml.jackson.databind.PropertyNamingStrategy;
+import com.fasterxml.jackson.dataformat.xml.XmlMapper;
+import org.onap.ccsdk.features.sdnr.wt.yang.mapper.mapperextensions.YangToolsBuilderAnnotationIntrospector;
+
+public class OdlXmlMapper extends XmlMapper {
+
+    private static final long serialVersionUID = 1L;
+
+
+    public OdlXmlMapper() {
+        this.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+        this.setSerializationInclusion(Include.NON_NULL);
+        this.setPropertyNamingStrategy(PropertyNamingStrategy.KEBAB_CASE);
+        this.enable(MapperFeature.USE_GETTERS_AS_SETTERS);
+        YangToolsBuilderAnnotationIntrospector introspector = new YangToolsBuilderAnnotationIntrospector();
+        this.setAnnotationIntrospector(introspector);
+    }
+}
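Review bot: This main-side class shares its simple name with the test helper `test/helper/OdlXmlMapper.java`, which the file list shows still exists unchanged, so the module now carries two `OdlXmlMapper` classes that presumably serve the same purpose; the test helper should be removed and tests pointed at this one. The copied license header says `Copyright (C) 2021` on a file created in this 2024 change. A class Javadoc is also missing; something like `/** XmlMapper pre-configured for ODL XML: kebab-case names, unknown elements ignored, nulls omitted, yangtools builder introspection. */` covers what the constructor sets up. That Javadoc should also state that `FAIL_ON_UNKNOWN_PROPERTIES=false` means mistyped elements in a configuration file are silently ignored rather than reported.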
  */
 package org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters;
 
+import java.util.Locale;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.codec.Base64;
+import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
 import org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter;
 import org.apache.shiro.web.util.WebUtils;
-import org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class BearerAndBasicHttpAuthenticationFilter extends BearerHttpAuthenticationFilter{
+public class BearerAndBasicHttpAuthenticationFilter extends BearerHttpAuthenticationFilter {
 
     // defined in lower-case for more efficient string comparison
     private static final Logger LOG = LoggerFactory.getLogger(BearerAndBasicHttpAuthenticationFilter.class);
@@ -74,14 +76,16 @@ public class BearerAndBasicHttpAuthenticationFilter extends BearerHttpAuthentica
     protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
         final HttpServletRequest httpRequest = WebUtils.toHttp(request);
         final String httpMethod = httpRequest.getMethod();
+        //always allow options requests
         if (OPTIONS_HEADER.equalsIgnoreCase(httpMethod)) {
             return true;
-        } else {
-            if (this.basicAuthFilter.isAccessAllowed(httpRequest, response, mappedValue)) {
-                LOG.debug("isAccessAllowed succeeded on basicAuth");
-                return true;
-            }
         }
+
+        if (this.basicAuthFilter.isAccessAllowed(httpRequest, response, mappedValue)) {
+            LOG.debug("isAccessAllowed succeeded on basicAuth");
+            return true;
+        }
+
         return super.isAccessAllowed(request, response, mappedValue);
     }
 
@@ -111,24 +115,47 @@ public class BearerAndBasicHttpAuthenticationFilter extends BearerHttpAuthentica
         return createToken(username, password, request, response);
     }
 
+    private static class ODLHttpAuthenticationHelperFilter extends BasicHttpAuthenticationFilter {
+
+        private static final Logger LOG = LoggerFactory.getLogger(ODLHttpAuthenticationHelperFilter.class);
 
-    private static class ODLHttpAuthenticationHelperFilter extends ODLHttpAuthenticationFilter{
+        // defined in lower-case for more efficient string comparison
+        protected static final String BEARER_SCHEME = "bearer";
 
-        ODLHttpAuthenticationHelperFilter(){
-            super();
+        protected static final String OPTIONS_HEADER = "OPTIONS";
+
+        public ODLHttpAuthenticationHelperFilter() {
+            LOG.info("Creating the ODLHttpAuthenticationFilter");
         }
 
         @Override
-        protected boolean isLoginAttempt(String authzHeader) {
-            return super.isLoginAttempt(authzHeader);
+        protected String[] getPrincipalsAndCredentials(String scheme, String encoded) {
+            final String decoded = Base64.decodeToString(encoded);
+            // attempt to decode username/password; otherwise decode as token
+            if (decoded.contains(":")) {
+                return decoded.split(":");
+            }
+            return new String[]{encoded};
         }
+
         @Override
-        protected String[] getPrincipalsAndCredentials(String scheme, String encoded) {
-            return super.getPrincipalsAndCredentials(scheme, encoded);
+        protected boolean isLoginAttempt(String authzHeader) {
+            final String authzScheme = getAuthzScheme().toLowerCase(Locale.ROOT);
+            final String authzHeaderLowerCase = authzHeader.toLowerCase(Locale.ROOT);
+            return authzHeaderLowerCase.startsWith(authzScheme)
+                    || authzHeaderLowerCase.startsWith(BEARER_SCHEME);
         }
+
         @Override
-        protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
-            return super.isAccessAllowed(request, response, mappedValue);
+        protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
+                                          Object mappedValue) {
+            final HttpServletRequest httpRequest = WebUtils.toHttp(request);
+            final String httpMethod = httpRequest.getMethod();
+            if (OPTIONS_HEADER.equalsIgnoreCase(httpMethod)) {
+                return true;
+            } else {
+                return super.isAccessAllowed(httpRequest, response, mappedValue);
+            }
         }
     }
 }
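Review bot: `getPrincipalsAndCredentials` splits the decoded Basic credentials with `decoded.split(":")`, so a password containing a colon is cut into extra array elements and the login fails, and an input like `user:` yields a one-element array; Shiro's own implementation uses a limit of 2. Change the line to `return decoded.split(":", 2);`. The constructor's message `"Creating the ODLHttpAuthenticationFilter"` names the class this helper was copied from rather than `ODLHttpAuthenticationHelperFilter`, and the `// defined in lower-case` comment now sits above `BEARER_SCHEME` in the nested class while the outer class's copy at the top sits above the logger field, which are both copy artifacts. The nested class also declares its own `LOG` and `OPTIONS_HEADER`, shadowing the outer class's logger and the `OPTIONS_HEADER` the outer `isAccessAllowed` already uses; reusing the outer constants would avoid the duplication.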
@@ -1,11 +1,28 @@
 package org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters;
 
+import static com.google.common.base.Preconditions.checkArgument;
+import static java.util.Objects.requireNonNull;
+
 import com.google.common.collect.Iterables;
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
+
+import java.io.IOException;
+import java.util.*;
+import java.util.concurrent.ExecutionException;
+import javax.servlet.Filter;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.web.filter.authz.AuthorizationFilter;
-import org.opendaylight.mdsal.binding.api.*;
+import org.opendaylight.mdsal.binding.api.ClusteredDataTreeChangeListener;
+import org.opendaylight.mdsal.binding.api.DataBroker;
+import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
+import org.opendaylight.mdsal.binding.api.DataTreeModification;
+import org.opendaylight.mdsal.binding.api.ReadTransaction;
 import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.HttpAuthorization;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization.policies.Policies;
@@ -15,18 +32,7 @@ import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.servlet.Filter;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.*;
-import java.util.concurrent.ExecutionException;
-
-import static com.google.common.base.Preconditions.checkArgument;
-import static java.util.Objects.requireNonNull;
-
+@SuppressWarnings("checkstyle:AbbreviationAsWordInName")
 public class CustomizedMDSALDynamicAuthorizationFilter extends AuthorizationFilter
         implements ClusteredDataTreeChangeListener<HttpAuthorization> {
 
@@ -35,22 +41,24 @@ public class CustomizedMDSALDynamicAuthorizationFilter extends AuthorizationFilt
     private static final DataTreeIdentifier<HttpAuthorization> AUTHZ_CONTAINER = DataTreeIdentifier.create(
             LogicalDatastoreType.CONFIGURATION, InstanceIdentifier.create(HttpAuthorization.class));
 
-    private final DataBroker dataBroker;
+    private static DataBroker dataBroker;
 
+    public static void setDataBroker(DataBroker dataBroker2){
+        dataBroker = dataBroker2;
+    }
     private ListenerRegistration<?> reg;
     private volatile ListenableFuture<Optional<HttpAuthorization>> authContainer;
-    private static final ThreadLocal<DataBroker> DATABROKER_TL = new ThreadLocal<>();
 
     public CustomizedMDSALDynamicAuthorizationFilter() {
-        dataBroker = requireNonNull(DATABROKER_TL.get());
+
     }
 
     @Override
     public Filter processPathConfig(final String path, final String config) {
-        try (ReadTransaction tx = dataBroker.newReadOnlyTransaction()) {
-            authContainer = tx.read(AUTHZ_CONTAINER.getDatastoreType(), AUTHZ_CONTAINER.getRootIdentifier());
-        }
-        this.reg = dataBroker.registerDataTreeChangeListener(AUTHZ_CONTAINER, this);
+        /*if (dataBroker == null){
+            throw new RuntimeException("dataBroker is not initialized");
+        }*/
+
         return super.processPathConfig(path, config);
     }
 
@@ -73,6 +81,15 @@ public class CustomizedMDSALDynamicAuthorizationFilter extends AuthorizationFilt
     @Override
     public boolean isAccessAllowed(final ServletRequest request, final ServletResponse response,
                                    final Object mappedValue) {
+        if (dataBroker == null){
+            throw new RuntimeException("dataBroker is not initialized");
+        }
+        if(reg == null){
+            try (ReadTransaction tx = dataBroker.newReadOnlyTransaction()) {
+                authContainer = tx.read(AUTHZ_CONTAINER.getDatastoreType(), AUTHZ_CONTAINER.getRootIdentifier());
+            }
+            reg = dataBroker.registerDataTreeChangeListener(AUTHZ_CONTAINER, this);
+        }
         checkArgument(request instanceof HttpServletRequest, "Expected HttpServletRequest, received {}", request);
 
 
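Review bot: The `reg == null` check-then-act in `isAccessAllowed` runs unsynchronized on the request path, so two concurrent first requests can both read the datastore and both call `registerDataTreeChangeListener`, leaving one `ListenerRegistration` unreachable and never closed; `reg` is also not `volatile`, so a later thread may not see the registration at all. Moving the lazy registration into a `synchronized` helper keeps the hot path cheap and makes the registration happen once; the uninitialized-broker case is an `IllegalStateException`, not a bare `RuntimeException`. `isAccessAllowed` continues past the end of this hunk.
```java
public boolean isAccessAllowed(final ServletRequest request, final ServletResponse response,
                               final Object mappedValue) {
    if (dataBroker == null) {
        throw new IllegalStateException("dataBroker is not initialized");
    }
    ensureListenerRegistered();
    // … unchanged: checkArgument and the rest of isAccessAllowed …
}

// Registers the HttpAuthorization change listener exactly once per filter instance.
private synchronized void ensureListenerRegistered() {
    if (reg == null) {
        try (ReadTransaction tx = dataBroker.newReadOnlyTransaction()) {
            authContainer = tx.read(AUTHZ_CONTAINER.getDatastoreType(), AUTHZ_CONTAINER.getRootIdentifier());
        }
        reg = dataBroker.registerDataTreeChangeListener(AUTHZ_CONTAINER, this);
    }
}
```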
@@ -22,6 +22,7 @@
 package org.onap.ccsdk.features.sdnr.wt.oauthprovider.http;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -43,26 +44,23 @@ import org.apache.shiro.authc.BearerToken;
 import org.apache.shiro.codec.Base64;
 import org.apache.shiro.session.Session;
 import org.apache.shiro.subject.Subject;
-import org.jolokia.osgi.security.Authenticator;
-import org.onap.ccsdk.features.sdnr.wt.common.http.BaseHTTPClient;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.InvalidConfigurationException;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.NoDefinitionFoundException;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthProviderConfig;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OAuthToken;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OdlPolicy;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UnableToConfigureOAuthService;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.*;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OdlShiroConfiguration.MainItem;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.OdlShiroConfiguration.UrlItem;
+import org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters.CustomizedMDSALDynamicAuthorizationFilter;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.AuthService;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.AuthService.PublicOAuthProviderConfig;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.MdSalAuthorizationStore;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.OAuthProviderFactory;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator;
-import org.opendaylight.aaa.api.IdMService;
+import org.opendaylight.aaa.api.AuthenticationException;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.api.PasswordCredentialAuth;
+import org.opendaylight.aaa.api.PasswordCredentials;
+import org.opendaylight.aaa.tokenauthrealm.auth.PasswordCredentialBuilder;
 import org.opendaylight.mdsal.binding.api.DataBroker;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.ShiroConfiguration;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.shiro.ini.Main;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.shiro.ini.Urls;
+import org.osgi.service.http.HttpService;
+import org.osgi.service.http.NamespaceException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -70,7 +68,7 @@ public class AuthHttpServlet extends HttpServlet {
 
     private static final Logger LOG = LoggerFactory.getLogger(AuthHttpServlet.class.getName());
     private static final long serialVersionUID = 1L;
-    public static final String BASEURI = "/oauth";
+    private static final String BASEURI = "/oauth";
     private static final String LOGINURI = BASEURI + "/login";
     private static final String LOGOUTURI = BASEURI + "/logout";
     private static final String PROVIDERSURI = BASEURI + "/providers";
@@ -93,20 +91,26 @@ public class AuthHttpServlet extends HttpServlet {
     private static final String CLASSNAME_ODLMDSALAUTH =
             "org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter";
     public static final String LOGIN_REDIRECT_FORMAT = LOGINURI + "/%s";
+    private static final String URI_PRE = BASEURI;
 
+    private static final String CONFIGFILE ="/opt/opendaylight/etc/opendaylight/datastore/initial/config/aaa-app-config.xml";
     private final ObjectMapper mapper;
     /* state <=> AuthProviderService> */
     private final Map<String, AuthService> providerStore;
     private final TokenCreator tokenCreator;
     private final Config config;
-    private static Authenticator odlAuthenticator;
-    private static IdMService odlIdentityService;
-    private static ShiroConfiguration shiroConfiguration;
     private static MdSalAuthorizationStore mdsalAuthStore;
+    private PasswordCredentialAuth passwordCredentialAuth;
+    private OdlShiroConfiguration shiroConfiguration;
 
     public AuthHttpServlet() throws IllegalArgumentException, IOException, InvalidConfigurationException,
             UnableToConfigureOAuthService {
+        this(CONFIGFILE);
+    }
+    public AuthHttpServlet(String shiroconfigfile) throws IllegalArgumentException, IOException, InvalidConfigurationException,
+            UnableToConfigureOAuthService {
         this.config = Config.getInstance();
+        this.shiroConfiguration = loadShiroConfig(shiroconfigfile);
         this.tokenCreator = TokenCreator.getInstance(this.config);
         this.mapper = new ObjectMapper();
         this.providerStore = new HashMap<>();
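Review bot: `CONFIGFILE` bakes an absolute path under `datastore/initial/config` into the class and the Shiro configuration is read from it once in the constructor; the previous code received `ShiroConfiguration` through a setter, so this replaces a runtime-injected policy source with a file that is only a seed config and may not match what the AAA runtime currently enforces — worth confirming against the deployment. At minimum the path should be overridable, e.g. `private static final String CONFIGFILE = System.getProperty("<constructed: sdnr.oauth.shiroconfig>", "/opt/opendaylight/etc/opendaylight/datastore/initial/config/aaa-app-config.xml");` (property name illustrative). A one-line Javadoc on the new `AuthHttpServlet(String shiroconfigfile)` constructor stating that URL policies for `getPoliciesForUser` come from this file would help the next maintainer.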
@@ -116,20 +120,33 @@ public class AuthHttpServlet extends HttpServlet {
         }
     }
 
-    public void setOdlAuthenticator(Authenticator odlAuthenticator2) {
-        odlAuthenticator = odlAuthenticator2;
+    public void setDataBroker(DataBroker dataBroker) {
+        CustomizedMDSALDynamicAuthorizationFilter.setDataBroker(dataBroker);
+        mdsalAuthStore = new MdSalAuthorizationStore(dataBroker);
     }
 
-    public void setOdlIdentityService(IdMService odlIdentityService2) {
-        odlIdentityService = odlIdentityService2;
+    public void setPasswordCredentialAuth(PasswordCredentialAuth passwordCredentialAuth) {
+        this.passwordCredentialAuth = passwordCredentialAuth;
     }
 
-    public void setShiroConfiguration(ShiroConfiguration shiroConfiguration2) {
-        shiroConfiguration = shiroConfiguration2;
+
+    public void onUnbindService(HttpService httpService) {
+        httpService.unregister(AuthHttpServlet.URI_PRE);
+
     }
 
-    public void setDataBroker(DataBroker dataBroker) {
-        mdsalAuthStore = new MdSalAuthorizationStore(dataBroker);
+    public void onBindService(HttpService httpService)
+            throws ServletException, NamespaceException {
+        if (httpService == null) {
+            LOG.warn("Unable to inject HttpService into loader.");
+        } else {
+            httpService.registerServlet(AuthHttpServlet.URI_PRE, this, null, null);
+            LOG.info("oauth servlet registered.");
+        }
+    }
+    private static OdlShiroConfiguration loadShiroConfig(String filename) throws  IOException {
+        OdlXmlMapper mapper = new OdlXmlMapper();
+        return mapper.readValue(new File(filename), OdlShiroConfiguration.class);
     }
 
     @Override
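Review bot: `onUnbindService` dereferences `httpService` without the null guard that `onBindService` applies two lines below, so the two lifecycle callbacks are inconsistent; `if (httpService != null) { httpService.unregister(AuthHttpServlet.URI_PRE); }` keeps them symmetric. In `loadShiroConfig` the local `OdlXmlMapper mapper` reuses the name of the instance field `mapper` (an `ObjectMapper`), which is legal in a static method but easy to misread — `xmlMapper` would be clearer. `loadShiroConfig` would also benefit from a `@throws IOException` Javadoc noting that it is called from the constructor and a missing or unreadable file fails servlet construction.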
@@ -158,10 +175,6 @@ public class AuthHttpServlet extends HttpServlet {
         if (redirectUrl == null) {
             redirectUrl = this.config.getPublicUrl();
         }
-        // if nothing configured and nothing from request
-        if(redirectUrl == null || redirectUrl.isBlank()){
-            redirectUrl="/";
-        }
         UserTokenPayload userInfo = this.tokenCreator.decode(bearerToken);
         if (bearerToken != null && userInfo != null && !userInfo.isInternal()) {
             AuthService provider = this.providerStore.getOrDefault(userInfo.getProviderId(), null);
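Review bot: Removing the blank/null fallback leaves `redirectUrl` unset when neither the request nor `config.getPublicUrl()` supplies a value, and nothing else in this hunk handles that case; where `redirectUrl` is consumed is outside the hunk, so please confirm that a null or blank value cannot reach a redirect call. If the fallback was dropped on purpose (for example to fail rather than redirect to `/`), a one-line comment at the `redirectUrl == null` branch saying so would prevent it from being re-added.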
@@ -194,27 +207,26 @@ public class AuthHttpServlet extends HttpServlet {
 
     /**
      * find out what urls can be accessed by user and which are forbidden
-     *
+     * <p>
      * urlEntries: "anon" -> any access allowed "authcXXX" -> no grouping rule -> any access for user allowed "authcXXX,
      * roles[abc] -> user needs to have role abc "authcXXX, roles["abc,def"] -> user needs to have roles abc AND def
      * "authcXXX, anyroles[abc] -> user needs to have role abc "authcXXX, anyroles["abc,def"] -> user needs to have
      * roles abc OR def
      *
-     *
      * @param req
      * @return
      */
     private List<OdlPolicy> getPoliciesForUser(HttpServletRequest req) {
-        List<Urls> urlRules = shiroConfiguration.getUrls();
-        UserTokenPayload data = this.getUserInfo(req);
         List<OdlPolicy> policies = new ArrayList<>();
+        List<UrlItem> urlRules = this.shiroConfiguration.getUrls();
+        UserTokenPayload data = this.getUserInfo(req);
         if (urlRules != null) {
             LOG.debug("try to find rules for user {} with roles {}",
                     data == null ? "null" : data.getPreferredUsername(), data == null ? "null" : data.getRoles());
             final String regex = "^([^,]+)[,]?[\\ ]?([anyroles]+)?(\\[\"?([a-zA-Z,]+)\"?\\])?";
             final Pattern pattern = Pattern.compile(regex);
             Matcher matcher;
-            for (Urls urlRule : urlRules) {
+            for (UrlItem urlRule : urlRules) {
                 matcher = pattern.matcher(urlRule.getPairValue());
                 if (matcher.find()) {
                     try {
@@ -223,7 +235,7 @@ public class AuthHttpServlet extends HttpServlet {
                         //anon access allowed
                         if (authClass == null) {
                             policy = Optional.of(OdlPolicy.allowAll(urlRule.getPairKey()));
-                        } else if (authClass.equals(CLASSNAME_ODLBASICAUTH)) {
+                        } else if (authClass.equals(CLASSNAME_ODLBASICAUTH) || "authcBasic".equals(urlRule.getPairKey())) {
                             policy = isBasic(req) ? this.getTokenBasedPolicy(urlRule, matcher, data)
                                     : Optional.of(OdlPolicy.denyAll(urlRule.getPairKey()));
                         } else if (authClass.equals(CLASSNAME_ODLBEARERANDBASICAUTH)) {
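Review bot: `"authcBasic".equals(urlRule.getPairKey())` compares the URL pattern, not the filter alias — in the new test resource the pair keys are patterns such as `/apidoc/**` and the alias is the first token of the pair value — so the added clause can never be true and does not do what its position suggests. The `authcBasic` case is already handled by the short-circuit added in the `@@ -312,8 +325,11 @@` hunk, which resolves the alias to `CLASSNAME_ODLBASICAUTH` before this comparison, so the clause can be dropped: `} else if (authClass.equals(CLASSNAME_ODLBASICAUTH)) {`. The enclosing method starts and ends outside this hunk.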
@@ -259,7 +271,7 @@ public class AuthHttpServlet extends HttpServlet {
      * @param data
      * @return
      */
-    private Optional<OdlPolicy> getMdSalBasedPolicy(Urls urlRule, UserTokenPayload data) {
+    private Optional<OdlPolicy> getMdSalBasedPolicy(UrlItem urlRule, UserTokenPayload data) {
         if (mdsalAuthStore != null) {
             return data != null ? mdsalAuthStore.getPolicy(urlRule.getPairKey(), data.getRoles())
                     : Optional.of(OdlPolicy.denyAll(urlRule.getPairKey()));
@@ -275,7 +287,8 @@ public class AuthHttpServlet extends HttpServlet {
      * @param data
      * @return
      */
-    private Optional<OdlPolicy> getTokenBasedPolicy(Urls urlRule, Matcher matcher, UserTokenPayload data) {
+    private Optional<OdlPolicy> getTokenBasedPolicy(UrlItem urlRule, Matcher matcher,
+                                                    UserTokenPayload data) {
         final String url = urlRule.getPairKey();
         final String rule = urlRule.getPairValue();
         if (!rule.contains(",")) {
@@ -312,8 +325,11 @@ public class AuthHttpServlet extends HttpServlet {
         if ("anon".equals(key)) {
             return null;
         }
-        List<Main> list = shiroConfiguration.getMain();
-        Optional<Main> main =
+        if("authcBasic".equals(key)){
+            return CLASSNAME_ODLBASICAUTH;
+        }
+        List<MainItem> list = shiroConfiguration.getMain();
+        Optional<MainItem> main =
                 list == null ? Optional.empty() : list.stream().filter(e -> e.getPairKey().equals(key)).findFirst();
         if (main.isPresent()) {
             return main.get().getPairValue();
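Review bot: The new `"authcBasic"` short-circuit returns `CLASSNAME_ODLBASICAUTH` before the `<main>` entries are consulted, so if a deployment's shiro configuration maps `authcBasic` to a different filter class, the policy computed here diverges from what the Shiro runtime actually applies; presumably the intent is only a default for configurations that omit the alias. Moving the check after the `main.isPresent()` lookup so the configured value wins, and returning the constant only when the list has no entry for `key`, keeps the config authoritative. A short comment on why `authcBasic` needs a built-in default would also help; the enclosing method starts outside this hunk.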
@@ -334,7 +350,7 @@ public class AuthHttpServlet extends HttpServlet {
                 if (!username.contains("@")) {
                     username = String.format("%s@%s", username, domain);
                 }
-                List<String> roles = odlIdentityService.listRoles(username, domain);
+                List<String> roles = List.of();// odlIdentityService.listRoles(username, domain);
                 return UserTokenPayload.createInternal(username, roles);
             }
         }
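Review bot: Roles for basic-auth requests are now always `List.of()`, with the old `odlIdentityService.listRoles` call kept as a trailing comment, so any role-gated URL rule will deny these users from now on — fail-closed, but a behaviour change the commit message does not mention. If the identity service is gone for good, the roles could be taken from `claim.roles()` after authenticating through `passwordCredentialAuth`, as `doLogin` in the `@@ -451,17 +467,21 @@` hunk already does; otherwise the commented call should be removed and the empty list documented with a comment such as `// basic-auth users carry no roles here; role-gated rules deny them`. The enclosing method starts outside this hunk.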
@@ -361,12 +377,12 @@ public class AuthHttpServlet extends HttpServlet {
 
     private static boolean isBasic(HttpServletRequest req) {
         final String header = req.getHeader(HEAEDER_AUTHORIZATION);
-        return header == null ? false : header.startsWith("Basic");
+        return header != null && header.startsWith("Basic");
     }
 
     private static boolean isBearer(HttpServletRequest req) {
         final String header = req.getHeader(HEAEDER_AUTHORIZATION);
-        return header == null ? false : header.startsWith("Bearer");
+        return header != null && header.startsWith("Bearer");
     }
 
     private boolean rolesMatch(List<String> userRoles, List<String> policyRoles, boolean any) {
@@ -399,7 +415,7 @@ public class AuthHttpServlet extends HttpServlet {
                 hostUrl = matcher.group(1);
             }
         }
-        LOG.debug("host={}", hostUrl);
+        LOG.info("host={}", hostUrl);
         return hostUrl;
 
     }
@@ -451,17 +467,21 @@ public class AuthHttpServlet extends HttpServlet {
             }
 
         }
-        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
+        resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
     }
 
     private BearerToken doLogin(String username, String password, String domain) {
-        if (!username.contains("@")) {
-            username = String.format("%s@%s", username, domain);
+
+        PasswordCredentials pc =
+                (new PasswordCredentialBuilder()).setUserName(username).setPassword(password).setDomain(domain).build();
+        Claim claim = null;
+        try {
+            claim = this.passwordCredentialAuth.authenticate(pc);
+        } catch (AuthenticationException e) {
+            LOG.warn("unable to authentication user {} for domain {}: ", username, domain, e);
         }
-        HttpServletRequest req = new HeadersOnlyHttpServletRequest(
-                Map.of("Authorization", BaseHTTPClient.getAuthorizationHeaderValue(username, password)));
-        if (odlAuthenticator.authenticate(req)) {
-            List<String> roles = odlIdentityService.listRoles(username, domain);
+        if (claim != null) {
+            List<String> roles = claim.roles().stream().toList();//odlIdentityService.listRoles(username, domain);
             UserTokenPayload data = new UserTokenPayload();
             data.setPreferredUsername(username);
             data.setFamilyName("");
@@ -470,15 +490,16 @@ public class AuthHttpServlet extends HttpServlet {
             data.setExp(this.tokenCreator.getDefaultExp());
             data.setRoles(roles);
             return this.tokenCreator.createNewJWT(data);
-
+        } else {
+            LOG.info("unable to read auth from authservice");
         }
         return null;
     }
 
 
-    private void sendResponse(HttpServletResponse resp, int code) throws IOException {
+/*    private void sendResponse(HttpServletResponse resp, int code) throws IOException {
         this.sendResponse(resp, code, null);
-    }
+    }*/
 
     private void sendResponse(HttpServletResponse resp, int code, Object data) throws IOException {
         byte[] output = data != null ? mapper.writeValueAsString(data).getBytes() : new byte[0];
@@ -486,14 +507,13 @@ public class AuthHttpServlet extends HttpServlet {
         resp.setStatus(code);
         resp.setContentLength(output.length);
         resp.setContentType("application/json");
-        ServletOutputStream os = null;
-        os = resp.getOutputStream();
+        ServletOutputStream os = resp.getOutputStream();
         os.write(output);
 
     }
 
     private void logout() {
-        final Subject subject = SecurityUtils.getSubject();
+       /* final Subject subject = SecurityUtils.getSubject();
         try {
             subject.logout();
             Session session = subject.getSession(false);
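Review bot: `logout()` now has its entire body commented out (the block closes in the `@@ -502,6 +522,6 @@` hunk), so if the logout URI handler still calls it, the Shiro subject and session are no longer invalidated server-side and the call is a silent no-op. Either the method and its caller should go together, or the method should keep whatever server-side invalidation the web bundle can still perform, with a comment explaining why `SecurityUtils` is no longer usable here. The same applies to the `sendResponse(resp, code)` overload commented out in the `@@ -470,15 +490,16 @@` hunk — delete it rather than keep it as a comment.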
@@ -502,6 +522,6 @@ public class AuthHttpServlet extends HttpServlet {
             }
         } catch (ShiroException e) {
             LOG.debug("Couldn't log out {}", subject, e);
-        }
+        }*/
     }
 }
@@ -102,7 +102,7 @@ public class GitlabProviderService extends AuthService {
 
     @Override
     protected UserTokenPayload requestUserRoles(String access_token, long issued_at, long expires_at) {
-        LOG.debug("reqesting user roles with token={}", access_token);
+        LOG.info("reqesting user roles with token={}", access_token);
         Map<String, String> authHeaders = new HashMap<>();
         authHeaders.put("Authorization", String.format("Bearer %s", access_token));
         Optional<MappedBaseHttpResponse<GitlabUserInfo>> userInfo =
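Review bot: Raising this line to INFO writes the user's OAuth access token into the standard log on every role lookup; a bearer token is a credential and should not be logged at any level, so the token should be dropped from the message rather than the level changed: `LOG.debug("requesting user roles");`. The message also has a typo (`reqesting`).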
@@ -157,18 +157,16 @@ public class TokenCreator {
     public String getBearerToken(HttpServletRequest req, boolean checkCookie) {
         final String authHeader = req.getHeader("Authorization");
         if ((authHeader == null || !authHeader.startsWith("Bearer")) && checkCookie) {
-            if(req!=null) {
-                Cookie[] cookies = req.getCookies();
-                Optional<Cookie> ocookie = Optional.empty();
-                if (cookies != null) {
-                    ocookie = Arrays.stream(cookies).filter(c -> c != null && COOKIE_NAME_AUTH.equals(c.getName()))
-                            .findFirst();
-                }
-                if (ocookie.isEmpty()) {
-                    return null;
-                }
-                return ocookie.get().getValue();
+            Cookie[] cookies = req.getCookies();
+            Optional<Cookie> ocookie = Optional.empty();
+            if (cookies != null) {
+                ocookie = Arrays.stream(cookies).filter(c -> c != null && COOKIE_NAME_AUTH.equals(c.getName()))
+                        .findFirst();
             }
+            if (ocookie.isEmpty()) {
+                return null;
+            }
+            return ocookie.get().getValue();
         }
         return authHeader.substring(7);
     }
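Review bot: Removing the dead `req != null` check is correct, but the method's fallthrough still calls `authHeader.substring(7)` when `checkCookie` is false and `authHeader` is null, which throws `NullPointerException`, and `startsWith("Bearer")` accepts headers such as `Bearer` without a trailing space, so `substring(7)` can also throw or return a truncated token. Returning early would cover both: `if (authHeader == null || !authHeader.startsWith("Bearer ")) { return null; }` before the `substring` call (the header check above then only needs the cookie branch). Worth a short Javadoc stating that the method returns null when no bearer token is present in header or cookie.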
  */
 package org.onap.ccsdk.features.sdnr.wt.oauthprovider.test;
 
+import java.util.Set;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.fail;
+import org.junit.Ignore;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
@@ -45,6 +47,7 @@ import org.jolokia.osgi.security.Authenticator;
 import org.json.JSONArray;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.mockito.internal.matchers.Any;
 import org.onap.ccsdk.features.sdnr.wt.common.http.BaseHTTPClient;
 import org.onap.ccsdk.features.sdnr.wt.common.test.ServletOutputStreamToByteArrayOutputStream;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.Config;
@@ -57,8 +60,12 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.HeadersOnlyHttpServlet
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.test.helper.OdlJsonMapper;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.test.helper.OdlXmlMapper;
+import org.opendaylight.aaa.api.Claim;
 import org.opendaylight.aaa.api.IdMService;
 import org.apache.shiro.authc.BearerToken;
+import org.opendaylight.aaa.api.PasswordCredentialAuth;
+import org.opendaylight.aaa.api.PasswordCredentials;
+import org.opendaylight.aaa.shiro.web.env.AAAShiroWebEnvironment;
 import org.opendaylight.mdsal.binding.api.DataBroker;
 import org.opendaylight.mdsal.binding.api.ReadTransaction;
 import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
@@ -79,7 +86,7 @@ public class TestAuthHttpServlet {
     private static DataBroker dataBroker = loadDynamicMdsalAuthDataBroker();
     private static Authenticator odlAuthenticator = mock(Authenticator.class);
     private static IdMService odlIdentityService = mock(IdMService.class);
-    private static ShiroConfiguration shiroConfiguration = null;
+    private static PasswordCredentialAuth passwordCredentialAuth;
     private static TokenCreator tokenCreator;
 //    private static final HttpServletRequest authreq = new HeadersOnlyHttpServletRequest(
 //            Map.of("Authorization", BaseHTTPClient.getAuthorizationHeaderValue("admin@sdn", "admin")));
@@ -91,14 +98,13 @@ public class TestAuthHttpServlet {
             Config config = createConfigFile();
             tokenCreator = TokenCreator.getInstance(config);
             servlet = new TestServlet();
-            shiroConfiguration = loadShiroConfig(TESTSHIROCONFIGFILE);
         } catch (IOException | InvalidConfigurationException e) {
             fail(e.getMessage());
         }
         servlet.setDataBroker(dataBroker);
-        servlet.setOdlAuthenticator(odlAuthenticator);
-        servlet.setOdlIdentityService(odlIdentityService);
-        servlet.setShiroConfiguration(shiroConfiguration);
+        passwordCredentialAuth = mock(PasswordCredentialAuth.class);
+
+        servlet.setPasswordCredentialAuth(passwordCredentialAuth);
     }
 
     private static DataBroker loadDynamicMdsalAuthDataBroker() {
@@ -170,7 +176,33 @@ public class TestAuthHttpServlet {
         when(req.getRequestURI()).thenReturn("/oauth/login");
         when(req.getParameter("username")).thenReturn("admin");
         when(req.getParameter("password")).thenReturn("admin");
-        when(odlAuthenticator.authenticate(any(HeadersOnlyHttpServletRequest.class))).thenReturn(true);
+        Claim claim = new Claim() {
+            @Override
+            public String clientId() {
+                return "admin";
+            }
+
+            @Override
+            public String userId() {
+                return "admin";
+            }
+
+            @Override
+            public String user() {
+                return null;
+            }
+
+            @Override
+            public String domain() {
+                return "sdn";
+            }
+
+            @Override
+            public Set<String> roles() {
+                return Set.of("admin");
+            }
+        };
+        when(passwordCredentialAuth.authenticate(any(PasswordCredentials.class))).thenReturn(claim);
         HttpServletResponse resp = mock(HttpServletResponse.class);
         ServletOutputStreamToByteArrayOutputStream printOut = new ServletOutputStreamToByteArrayOutputStream();
         try {
@@ -207,6 +239,9 @@ public class TestAuthHttpServlet {
     }
 
     @Test
+/*
+    @Ignore
+*/
     public void testPoliciesAnon() {
 
         HttpServletRequest req = mock(HttpServletRequest.class);
@@ -267,13 +302,13 @@ public class TestAuthHttpServlet {
         assertEquals(9, anonPolicies.length);
         OdlPolicy pApidoc = find(anonPolicies, "/apidoc/**");
         assertNotNull(pApidoc);
-        assertAllEquals(true, pApidoc);
+        assertAllEquals(false, pApidoc);
         OdlPolicy pOauth = find(anonPolicies, "/oauth/**");
         assertNotNull(pOauth);
         assertAllEquals(true, pOauth);
         OdlPolicy pRestconf = find(anonPolicies, "/rests/**");
         assertNotNull(pRestconf);
-        assertAllEquals(true, pRestconf);
+        assertAllEquals(false, pRestconf);
     }
 
     @Test
@@ -353,7 +388,7 @@ public class TestAuthHttpServlet {
         private static final long serialVersionUID = 1L;
 
         public TestServlet() throws IllegalArgumentException, Exception {
-            super();
+            super(TESTSHIROCONFIGFILE);
         }
 
         @Override
@@ -31,8 +31,6 @@ import java.io.IOException;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
-import java.util.function.Supplier;
-
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
@@ -48,50 +46,44 @@ import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UserTokenPayload;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.AuthService;
 import org.onap.ccsdk.features.sdnr.wt.oauthprovider.providers.TokenCreator;
 import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.AuthenticationService;
 import org.opendaylight.aaa.api.TokenStore;
 import org.opendaylight.aaa.api.shiro.principal.ODLPrincipal;
 import org.opendaylight.aaa.shiro.realm.TokenAuthRealm;
 import org.opendaylight.aaa.tokenauthrealm.auth.AuthenticationManager;
 import org.opendaylight.aaa.tokenauthrealm.auth.TokenAuthenticators;
-import org.opendaylight.mdsal.binding.api.DataBroker;
 
 public class TestRealm {
 
     private static OAuth2RealmToTest realm;
     private static TokenCreator tokenCreator;
 
-    private static final AuthenticationManager authManager  = new AuthenticationManager();
-    private static final TokenAuthenticators tokenAuth = new TokenAuthenticators();
-
-    private static final TokenStore tokenStore = new TokenStore(){
-
-        @Override
-        public void put(String token, Authentication auth) {
-
-        }
-
-        @Override
-        public Authentication get(String token) {
-            return null;
-        }
-
-        @Override
-        public boolean delete(String token) {
-            return false;
-        }
-
-        @Override
-        public long tokenExpiration() {
-            return 0;
-        }
-    };
     @BeforeClass
     public static void init() throws IllegalArgumentException, Exception {
-        TokenAuthRealm.prepareForLoad(authManager,tokenAuth,tokenStore);
+
         try {
             Config config = Config.getInstance(TestConfig.TEST_CONFIG_FILENAME);
             tokenCreator = TokenCreator.getInstance(config);
+            TokenAuthRealm.prepareForLoad(new AuthenticationManager(), new TokenAuthenticators(), new TokenStore() {
+                @Override
+                public void put(String token, Authentication auth) {
+
+                }
+
+                @Override
+                public Authentication get(String token) {
+                    return null;
+                }
+
+                @Override
+                public boolean delete(String token) {
+                    return false;
+                }
+
+                @Override
+                public long tokenExpiration() {
+                    return 0;
+                }
+            });
             realm = new OAuth2RealmToTest();
         } catch (IOException e) {
             fail(e.getMessage());
@@ -42,12 +42,12 @@ public class OdlJsonMapper extends ObjectMapper {
         this.enable(MapperFeature.USE_GETTERS_AS_SETTERS);
         YangToolsBuilderAnnotationIntrospector introspector = new YangToolsBuilderAnnotationIntrospector();
         //introspector.addDeserializer(Main.class, ShiroMainBuilder.class.getName());
-        introspector.addDeserializer(Permissions.class,PermissionsBuilder.class.getName());
+        //introspector.addDeserializer(Permissions.class,PermissionsBuilder.class.getName());
         this.setAnnotationIntrospector(introspector);
         this.registerModule(new YangToolsModule());
     }
 
-    public static class PermissionsBuilder {
+   /* public static class PermissionsBuilder implements Builder<Permissions> {
         private Permissions _value;
 
         public PermissionsBuilder() {
@@ -57,9 +57,9 @@ public class OdlJsonMapper extends ObjectMapper {
             this._value = value;
         }
 
-
+        @Override
         public Permissions build() {
             return this._value;
         }
-    }
+    }*/
 }
diff --git a/sdnr/wt/oauth-provider/oauth-core/src/test/resources/aaa-app-config.test.xml b/sdnr/wt/oauth-provider/oauth-core/src/test/resources/aaa-app-config.test.xml
new file mode 100644 (file)
index 0000000..e46508d
--- /dev/null
@@ -0,0 +1,77 @@
+<?xml version="1.0" ?>
+
+
+<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
+
+
+    <main>
+        <pair-key>tokenAuthRealm</pair-key>
+        <pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value>
+    </main>
+
+    <main>
+        <pair-key>securityManager.realms</pair-key>
+        <pair-value>$tokenAuthRealm</pair-value>
+    </main>
+
+    <main>
+        <pair-key>anyroles</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.AnyRoleHttpAuthenticationFilter</pair-value>
+    </main>
+    <main>
+        <pair-key>authcBearer</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value>
+    </main>
+
+    <main>
+        <pair-key>accountingListener</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
+    </main>
+    <main>
+        <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
+        <pair-value>$accountingListener</pair-value>
+    </main>
+
+    <main>
+        <pair-key>dynamicAuthorization</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
+    </main>
+
+    <urls>
+        <pair-key>/**/operations/cluster-admin**</pair-key>
+        <pair-value>dynamicAuthorization</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/**/v1/**</pair-key>
+        <pair-value>authcBearer, roles[admin]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/**/config/aaa*/**</pair-key>
+        <pair-value>authcBearer, roles[admin]</pair-value>
+    </urls>
+     <urls>
+        <pair-key>/oauth/**</pair-key>
+        <pair-value>anon</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/odlux/**</pair-key>
+        <pair-value>anon</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/apidoc/**</pair-key>
+        <pair-value>authcBasic, roles[admin]</pair-value>
+    </urls>
+     <urls>
+        <pair-key>/test123/**</pair-key>
+        <pair-value>authcBasic</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/rests/**</pair-key>
+        <pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/**</pair-key>
+        <pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
+    </urls>
+</shiro-configuration>
+
similarity index 89%
rename from sdnr/wt/oauth-provider/provider-osgi/pom.xml
rename to sdnr/wt/oauth-provider/oauth-realm/pom.xml
index 99634cb..ef8706a 100644 (file)
@@ -22,6 +22,7 @@
   ~ ============LICENSE_END=======================================================
   ~
   -->
+
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
@@ -33,8 +34,8 @@
     </parent>
 
     <groupId>org.onap.ccsdk.features.sdnr.wt</groupId>
-    <artifactId>sdnr-wt-oauth-provider</artifactId>
-    <version>1.6.0-SNAPSHOT</version>
+    <artifactId>sdnr-wt-oauth-realm</artifactId>
+    <version>1.7.0-SNAPSHOT</version>
     <packaging>bundle</packaging>
 
     <name>ccsdk-features :: ${project.artifactId}</name>
@@ -53,7 +54,7 @@
     <dependencies>
         <dependency>
             <groupId>${project.groupId}</groupId>
-            <artifactId>sdnr-wt-oauth-provider-jar</artifactId>
+            <artifactId>sdnr-wt-oauth-core</artifactId>
             <version>${project.version}</version>
             <exclusions>
                 <exclusion>
@@ -88,8 +89,6 @@
                         <Export-Package>
                             org.onap.ccsdk.features.sdnr.wt.oauthprovider;version=${project.version},
                             org.onap.ccsdk.features.sdnr.wt.oauthprovider.filters;version=${project.version},
-                            org.onap.ccsdk.features.sdnr.wt.oauthprovider.http;version=${project.version},
-                            org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client;version=${project.version},
                             org.onap.ccsdk.features.sdnr.wt.oauthprovider.data;version=${project.version},
                             org.onap.ccsdk.features.sdnr.wt.oauthprovider.services;version=${project.version}
                         </Export-Package>
                             javax.xml.parsers,
                             javax.xml.namespace,
                             javax.xml.transform.stream,
+                            org.apache.commons.codec.binary,
+                            org.apache.shiro,
                             org.apache.shiro.authc,
                             org.apache.shiro.authz,
                             org.apache.shiro.realm,
                             org.apache.shiro.subject,
+                            org.apache.shiro.web.filter.authc,
                             org.apache.shiro.web.filter.authz,
+                            org.apache.shiro.web.util,
                             org.jolokia.osgi.security,
                             org.onap.ccsdk.features.sdnr.wt.common.http,
                             org.opendaylight.aaa.api,
                             org.opendaylight.aaa.api.shiro.principal,
                             org.opendaylight.aaa.shiro.realm,
-                            org.opendaylight.aaa.shiro.filters,
-                            org.opendaylight.aaa.shiro.web.env,
                             org.opendaylight.mdsal.binding.api,
                             org.opendaylight.mdsal.common.api,
-                            org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619,
-                            org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.shiro.configuration,
                             org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214,
                             org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization,
                             org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization.policies,
                             org.opendaylight.yangtools.concepts,
                             org.opendaylight.yangtools.yang.binding,
                             org.opendaylight.yangtools.yang.common,
-                            org.osgi.service.http,
+                            org.slf4j,
                             com.fasterxml.jackson.databind,
                             com.fasterxml.jackson.databind.deser.std,
                             com.fasterxml.jackson.databind.ser.std,
                             com.fasterxml.jackson.annotation,
                             com.fasterxml.jackson.core.type,
                             com.fasterxml.jackson.core,
-                            org.apache.commons.codec.binary,
                             com.google.common.base,
                             com.google.common.collect,
                             com.google.common.util.concurrent
                         <Embed-Dependency>*;scope=compile|runtime;inline=false</Embed-Dependency>
                         <Embed-Dependency>*;scope=compile|runtime;artifactId=!shiro-core;inline=false</Embed-Dependency>
                         <Embed-Transitive>true</Embed-Transitive>
-                        <Fragment-Host>org.opendaylight.aaa.repackaged-shiro</Fragment-Host>
+                        <Fragment-Host>org.opendaylight.aaa.shiro</Fragment-Host>
                     </instructions>
                 </configuration>
             </plugin>
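Review bot: The plugin configuration ends up with two `<Embed-Dependency>` elements, the unrestricted `*;scope=compile|runtime;inline=false` and the one with `artifactId=!shiro-core`, and which of the two the bundle plugin honours is not obvious from the page; since this bundle is now a fragment of `org.opendaylight.aaa.shiro`, embedding a private copy of shiro-core into the fragment would shadow the host's Shiro classes at runtime. Keep only `<Embed-Dependency>*;scope=compile|runtime;artifactId=!shiro-core;inline=false</Embed-Dependency>` and delete the unrestricted line. The `@@` header of this hunk is not visible, so the surrounding context may be incomplete.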
diff --git a/sdnr/wt/oauth-provider/oauth-web/pom.xml b/sdnr/wt/oauth-provider/oauth-web/pom.xml
new file mode 100644 (file)
index 0000000..0fa834d
--- /dev/null
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ ============LICENSE_START=======================================================
+  ~ ONAP : ccsdk features
+  ~ ================================================================================
+  ~ Copyright (C) 2019 highstreet technologies GmbH Intellectual Property.
+  ~ All rights reserved.
+  ~ ================================================================================
+  ~ Update Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+  ~ ================================================================================
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~ ============LICENSE_END=======================================================
+  ~
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.onap.ccsdk.parent</groupId>
+        <artifactId>binding-parent</artifactId>
+        <version>2.6.1</version>
+        <relativePath/>
+    </parent>
+
+    <groupId>org.onap.ccsdk.features.sdnr.wt</groupId>
+    <artifactId>sdnr-wt-oauth-web</artifactId>
+    <version>1.7.0-SNAPSHOT</version>
+    <packaging>bundle</packaging>
+
+    <name>ccsdk-features :: ${project.artifactId}</name>
+    <licenses>
+        <license>
+            <name>Apache License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0</url>
+        </license>
+    </licenses>
+
+    <properties>
+        <maven.javadoc.skip>true</maven.javadoc.skip>
+        <checkstyle.skip>true</checkstyle.skip>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>${project.groupId}</groupId>
+            <artifactId>sdnr-wt-oauth-core</artifactId>
+            <version>${project.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.opendaylight.aaa</groupId>
+                    <artifactId>aaa-shiro</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.opendaylight.aaa</groupId>
+                    <artifactId>aaa-shiro</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.shiro</groupId>
+                    <artifactId>shiro-web</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>${project.groupId}</groupId>
+                    <artifactId>sdnr-wt-common</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName>
+                        <Bundle-Version>${project.version}</Bundle-Version>
+                        <Export-Package>
+                            org.onap.ccsdk.features.sdnr.wt.oauthprovider.http;version=${project.version},
+                            org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.client;version=${project.version}
+                        </Export-Package>
+                        <Import-Package>
+                            javax.servlet,
+                            javax.servlet.http,
+                            javax.net.ssl,
+                            javax.crypto,
+                            javax.crypto.spec,
+                            javax.xml.transform,
+                            javax.xml.datatype,
+                            javax.management,
+                            javax.security.auth,
+                            javax.security.auth.login,
+                            javax.security.auth.callback,
+                            javax.xml.parsers,
+                            javax.xml.namespace,
+                            javax.xml.transform.stream,
+                            org.apache.commons.codec.binary,
+                            org.apache.shiro,
+                            org.apache.shiro.authc,
+                            org.apache.shiro.authz,
+                            org.apache.shiro.config,
+                            org.apache.shiro.realm,
+                            org.apache.shiro.subject,
+                            org.apache.shiro.web.env,
+                            org.apache.shiro.web.filter.authz,
+                            org.jolokia.osgi.security,
+                            org.onap.ccsdk.features.sdnr.wt.common.http,
+                            org.onap.ccsdk.features.sdnr.wt.yang.mapper.mapperextensions,
+                            org.opendaylight.aaa.api,
+                            org.opendaylight.aaa.api.shiro.principal,
+                            org.opendaylight.aaa.shiro.realm,
+                            org.opendaylight.aaa.shiro.web.env,
+                            org.opendaylight.aaa.tokenauthrealm.auth,
+                            org.opendaylight.mdsal.binding.api,
+                            org.opendaylight.mdsal.common.api,
+                            org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214,
+                            org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization,
+                            org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization.policies,
+                            org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.permission,
+                            org.opendaylight.yangtools.concepts,
+                            org.opendaylight.yangtools.yang.binding,
+                            org.opendaylight.yangtools.yang.common,
+                            org.osgi.service.http,
+                            org.slf4j,
+                            com.fasterxml.jackson.databind,
+                            com.fasterxml.jackson.databind.deser.std,
+                            com.fasterxml.jackson.databind.ser.std,
+                            com.fasterxml.jackson.databind.module,
+                            com.fasterxml.jackson.dataformat.xml,
+                            com.fasterxml.jackson.annotation,
+                            com.fasterxml.jackson.core.type,
+                            com.fasterxml.jackson.core,
+                            com.google.common.base,
+                            com.google.common.collect,
+                            com.google.common.util.concurrent
+                        </Import-Package>
+                       <!-- <Embed-Dependency>*;scope=compile|runtime;inline=false</Embed-Dependency>-->
+                        <Embed-Dependency>*;scope=compile|runtime;artifactId=sdnr-wt-oauth-core,java-jwt,bcprov-jdk15on,aaa-shiro;inline=false</Embed-Dependency>
+                        <Embed-Transitive>true</Embed-Transitive>
+                    </instructions>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>
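Review bot: `<Embed-Dependency>` embeds `bcprov-jdk15on`, `java-jwt` and `aaa-shiro` into this web bundle, which pins a private copy of a crypto provider and of the AAA Shiro code inside the bundle, so container-level patch updates of those libraries will not reach this code path, and since `org.opendaylight.aaa.shiro.realm` and `org.opendaylight.aaa.shiro.web.env` are also imported from the platform the same classes may be loaded twice through different class loaders. Prefer importing these packages from the platform and, if bcprov must be embedded, record the pinned version and who tracks its advisories (the `jdk15on` artifact line is presumably the legacy one; confirm the maintained artifact is used). Separately, the `aaa-shiro` exclusion under `sdnr-wt-oauth-core` is listed twice; drop the duplicate, and remove the commented-out `<Embed-Dependency>` line rather than leaving dead configuration.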
 <blueprint xmlns:odl="http://opendaylight.org/xmlns/blueprint/v1.0.0"
            xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" odl:use-default-for-reference-types="true">
 
-    <reference id="odlAuthenticator" interface="org.jolokia.osgi.security.Authenticator" />
-
-    <reference id="odlIdentityService" interface="org.opendaylight.aaa.api.IdMService" />
-
-    <reference id="dataBroker" interface="org.opendaylight.mdsal.binding.api.DataBroker" />
-
-    <bean id="provider" class="org.onap.ccsdk.features.sdnr.wt.oauthprovider.Helper" init-method="init" destroy-method="close">
-        <property ref="odlAuthenticator" name="odlAuthenticator" />
-        <property ref="odlIdentityService" name="odlIdentityService" />
-        <property ref="shiroConfiguration" name="shiroConfiguration" />
-        <property ref="dataBroker" name="dataBroker" />
-    </bean>
-
+    <reference id="dataBroker" interface="org.opendaylight.mdsal.binding.api.DataBroker"/>
+    <reference id="passwordCredentialAuth" interface="org.opendaylight.aaa.api.PasswordCredentialAuth"/>
     <reference id="onBindService" availability="mandatory" activation="eager" interface="org.osgi.service.http.HttpService">
-        <reference-listener ref="provider" bind-method="onBindService" unbind-method="onUnbindService"/>
+        <reference-listener ref="authServlet" bind-method="onBindService" unbind-method="onUnbindService"/>
     </reference>
 
-    <odl:clustered-app-config
-          binding-class="org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.ShiroConfiguration"
-          id="shiroConfiguration" default-config-file-name="aaa-app-config.xml" />
-          
-    <bean id="authServlet" class="org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.AuthHttpServlet">
-          <property ref="odlAuthenticator" name="odlAuthenticator" />
-          <property ref="odlIdentityService" name="odlIdentityService" />
-          <property ref="shiroConfiguration" name="shiroConfiguration" />
-          <property ref="dataBroker" name="dataBroker" />
+    <bean id="authServlet"
+          class="org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.AuthHttpServlet">
+        <property ref="dataBroker" name="dataBroker" />
+        <property ref="passwordCredentialAuth" name="passwordCredentialAuth" />
     </bean>
 
 </blueprint>
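Review bot: The `authServlet` bean now takes a `PasswordCredentialAuth` reference directly, i.e. the servlet itself validates username/password, while the aaa-app-config added in this change marks `/oauth/**` as `anon`; because the Shiro `accountingListener` only observes authentication attempts that pass through Shiro filters, failed logins at this servlet presumably bypass AAA's attempt accounting and any lockout built on it. The servlet should log failed credential checks with the remote address and apply throttling, or delegate to the Shiro security manager so the listener fires. The `odlAuthenticator`, `odlIdentityService` and `shiroConfiguration` properties were dropped, so confirm `AuthHttpServlet` no longer needs the Shiro URL/realm configuration to decide which paths it protects. `onUnbindService` is now wired to the servlet bean itself, so it must unregister the servlet on HttpService loss, as the deleted `Helper.onUnbindService` did.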
index 587d967..c4dbef2 100755 (executable)
@@ -40,8 +40,9 @@
     <name>ccsdk-features :: ${project.artifactId}</name>
 
     <modules>
-        <module>provider-jar</module>
-        <module>provider-osgi</module>
+        <module>oauth-core</module>
+        <module>oauth-realm</module>
+           <module>oauth-web</module>
     </modules>
 
     <properties>
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/Helper.java b/sdnr/wt/oauth-provider/provider-jar/src/main/java/org/onap/ccsdk/features/sdnr/wt/oauthprovider/Helper.java
deleted file mode 100644 (file)
index 38947a1..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-package org.onap.ccsdk.features.sdnr.wt.oauthprovider;
-
-import org.jolokia.osgi.security.Authenticator;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.InvalidConfigurationException;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.data.UnableToConfigureOAuthService;
-import org.onap.ccsdk.features.sdnr.wt.oauthprovider.http.AuthHttpServlet;
-import org.opendaylight.aaa.api.IdMService;
-import org.opendaylight.mdsal.binding.api.DataBroker;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.aaa.app.config.rev170619.ShiroConfiguration;
-import org.osgi.service.http.HttpService;
-import org.osgi.service.http.NamespaceException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.ServletException;
-import java.io.IOException;
-
-public class Helper {
-
-    private static final Logger LOG = LoggerFactory.getLogger(Helper.class);
-    private AuthHttpServlet authServlet;
-
-    public Helper() throws UnableToConfigureOAuthService, IOException, InvalidConfigurationException {
-        this.authServlet = new AuthHttpServlet();
-
-    }
-
-    public void onUnbindService(HttpService httpService) {
-        httpService.unregister(AuthHttpServlet.BASEURI);
-        this.authServlet = null;
-    }
-
-    public void onBindService(HttpService httpService)
-            throws ServletException, NamespaceException {
-        if (httpService == null) {
-            LOG.warn("Unable to inject HttpService into loader.");
-        } else {
-            httpService.registerServlet(AuthHttpServlet.BASEURI, authServlet, null, null);
-            LOG.info("auth servlet registered.");
-        }
-    }
-
-    public void setOdlAuthenticator(Authenticator odlAuthenticator) {
-        authServlet.setOdlAuthenticator(odlAuthenticator);
-    }
-
-    public void setOdlIdentityService(IdMService odlIdentityService) {
-        this.authServlet.setOdlIdentityService(odlIdentityService);
-    }
-
-    public void setShiroConfiguration(ShiroConfiguration shiroConfiguration) {
-        this.authServlet.setShiroConfiguration(shiroConfiguration);
-    }
-
-    public void setDataBroker(DataBroker dataBroker) {
-        this.authServlet.setDataBroker(dataBroker);
-    }
-
-    public void init() {
-
-    }
-
-    public void close() {
-
-    }
-}
diff --git a/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml b/sdnr/wt/oauth-provider/provider-jar/src/test/resources/aaa-app-config.test.xml
deleted file mode 100644 (file)
index 1929fde..0000000
+++ /dev/null
@@ -1,353 +0,0 @@
-<?xml version="1.0" ?>
-<!--
-     Copyright (c) 2017 Inocybe Technologies and others.  All rights reserved.
-
-     This program and the accompanying materials are made available under the
-     terms of the Eclipse Public License v1.0 which accompanies this distribution,
-     and is available at http://www.eclipse.org/legal/epl-v10.html , or the Apache License,
-     Version 2.0 which is available at https://www.apache.org/licenses/LICENSE-2.0
-     SPDX-License-Identifier: EPL-1.0 OR Apache-2.0
--->
-
-<!--
-  ///////////////////////////////////////////////////////////////////////////////////////
-  // clustered-app-config instance responsible for AAA configuration.  In the future,  //
-  // this will contain all AAA related configuration.                                  //
-  ///////////////////////////////////////////////////////////////////////////////////////
--->
-
-<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
-
-    <!--
-      ///////////////////////////////////////////////////////////////////////////////////
-      // shiro-configuration is the model based container that contains all shiro      //
-      // related information used in ODL AAA configuration.  It is the sole pain of    //
-      // glass for shiro related configuration, and is how to configure shiro concepts //
-      // such as:                                                                      //
-      // * realms                                                                      //
-      // * urls                                                                        //
-      // * security manager settings                                                   //
-      //                                                                               //
-      // In general, you really shouldn't muck with the settings in this file.  The    //
-      // way an operator should configure AAA shiro settings is through one of ODL's   //
-      // northbound interfaces (i.e., RESTCONF or NETCONF).  These are just the        //
-      // defaults if no values are specified in MD-SAL.  The reason this file is so    //
-      // verbose is for two reasons:                                                   //
-      // 1) to demonstrate payload examples for plausible configuration scenarios      //
-      // 2) to allow bootstrap of the controller (first time start) since otherwise    //
-      //    configuration becomes a chicken and the egg problem.                       //
-      //                                                                               //
-      ///////////////////////////////////////////////////////////////////////////////////
-    -->
-
-    <!--
-      ===================================================================================
-      =                                                                                 =
-      =                                                                                 =
-      =                                      MAIN                                       =
-      =                                                                                 =
-      =                                                                                 =
-      ===================================================================================
-    -->
-
-    <!--
-      ===================================================================================
-      ============================ ODLJndiLdapRealmAuthNOnly ============================
-      ===================================================================================
-      =                                                                                 =
-      = Description:  A Realm implementation aimed at federating with an external LDAP  =
-      =               server for authentication only.  For authorization support, refer =
-      =               to ODLJndiLdapRealm.                                              =
-      ===================================================================================
-    -->
-    <!-- Start ldapRealm commented out
-    <main>
-        <pair-key>ldapRealm</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value>
-    </main>
-    <main>
-        <pair-key>ldapRealm.userDnTemplate</pair-key>
-        <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
-    </main>
-    <main>
-        <pair-key>ldapRealm.contextFactory.url</pair-key>
-        <pair-value>ldap://&lt;URL&gt;:389</pair-value>
-    </main>
-    <main>
-        <pair-key>ldapRealm.searchBase</pair-key>
-        <pair-value>dc=DOMAIN,dc=TLD</pair-value>
-    </main>
-    <main>
-        <pair-key>ldapRealm.groupRolesMap</pair-key>
-        <pair-value>&quot;person&quot;:&quot;admin&quot;, &quot;organizationalPerson&quot;:&quot;user&quot;</pair-value>
-    </main>
-    <main>
-        <pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
-        <pair-value>objectClass</pair-value>
-    </main>
-    End ldapRealm commented out-->
-
-    <!--
-      ===================================================================================
-      ============================= ODLActiveDirectoryRealm =============================
-      ===================================================================================
-      =                                                                                 =
-      = Description:  A Realm implementation aimed at federating with an external AD    =
-      =               IDP server.                                                       =
-      ===================================================================================
-    -->
-    <!-- Start adRealm commented out
-    <main>
-        <pair-key>adRealm</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value>
-    </main>
-    <main>
-        <pair-key>adRealm.searchBase</pair-key>
-        <pair-value>&quot;CN=Users,DC=example,DC=com&quot;</pair-value>
-    </main>
-    <main>
-        <pair-key>adRealm.systemUsername</pair-key>
-        <pair-value>aduser@example.com</pair-value>
-    </main>
-    <main>
-        <pair-key>adRealm.systemPassword</pair-key>
-        <pair-value>adpassword</pair-value>
-    </main>
-    <main>
-        <pair-key>adRealm.url</pair-key>
-        <pair-value>ldaps://adserver:636</pair-value>
-    </main>
-    <main>
-        <pair-key>adRealm.groupRolesMap</pair-key>
-        <pair-value>&quot;CN=sysadmin,CN=Users,DC=example,DC=com&quot;:&quot;admin&quot;, &quot;CN=unprivileged,CN=Users,DC=example,DC=com&quot;:&quot;user&quot;</pair-value>
-    </main>
-    End adRealm commented out-->
-
-    <!--
-      ===================================================================================
-      ================================== ODLJdbcRealm ===================================
-      ===================================================================================
-      =                                                                                 =
-      = Description:  A Realm implementation aimed at federating with an external JDBC  =
-      =               DBMS.                                                             =
-      ===================================================================================
-    -->
-    <!-- Start jdbcRealm commented out
-    <main>
-        <pair-key>ds</pair-key>
-        <pair-value>com.mysql.jdbc.Driver</pair-value>
-    </main>
-    <main>
-        <pair-key>ds.serverName</pair-key>
-        <pair-value>localhost</pair-value>
-    </main>
-    <main>
-        <pair-key>ds.user</pair-key>
-        <pair-value>user</pair-value>
-    </main>
-    <main>
-        <pair-key>ds.password</pair-key>
-        <pair-value>password</pair-value>
-    </main>
-    <main>
-        <pair-key>ds.databaseName</pair-key>
-        <pair-value>db_name</pair-value>
-    </main>
-    <main>
-        <pair-key>jdbcRealm</pair-key>
-        <pair-value>ODLJdbcRealm</pair-value>
-    </main>
-    <main>
-        <pair-key>jdbcRealm.dataSource</pair-key>
-        <pair-value>$ds</pair-value>
-    </main>
-    <main>
-        <pair-key>jdbcRealm.authenticationQuery</pair-key>
-        <pair-value>&quot;SELECT password FROM users WHERE user_name = ?&quot;</pair-value>
-    </main>
-    <main>
-        <pair-key>jdbcRealm.userRolesQuery</pair-key>
-        <pair-value>&quot;SELECT role_name FROM user_rolesWHERE user_name = ?&quot;</pair-value>
-    </main>
-    End jdbcRealm commented out-->
-
-    <!--
-      ===================================================================================
-      ================================= TokenAuthRealm ==================================
-      ===================================================================================
-      =                                                                                 =
-      = Description:  A Realm implementation utilizing a per node H2 database store.    =
-      ===================================================================================
-    -->
-<!--     <main> -->
-<!--         <pair-key>tokenAuthRealm</pair-key> -->
-<!--         <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
-<!--     </main> -->
-    <main>
-        <pair-key>tokenAuthRealm</pair-key>
-        <pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value>
-    </main>
-
-    <!--
-      ===================================================================================
-      =================================== MdsalRealm ====================================
-      ===================================================================================
-      =                                                                                 =
-      = Description:  A Realm implementation utilizing the aaa.yang model.              =
-      ===================================================================================
-    -->
-    <!-- Start mdsalRealm commented out
-    <main>
-        <pair-key>mdsalRealm</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value>
-    </main>
-    End mdsalRealm commented out-->
-
-    <!--
-      ===================================================================================
-      ================================= MoonAuthRealm ===================================
-      ===================================================================================
-      =                                                                                 =
-      = Description:  A Realm implementation aimed at federating with OPNFV Moon.       =
-      ===================================================================================
-    -->
-    <!-- Start moonAuthRealm commented out
-    <main>
-        <pair-key>moonAuthRealm</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value>
-    </main>
-    <main>
-        <pair-key>moonAuthRealm.moonServerURL</pair-key>
-        <pair-value>http://&lt;host&gt;:&lt;port&gt;</pair-value>
-    </main>
-    End moonAuthRealm commented out-->
-
-    <!--
-      ===================================================================================
-      ================================= KeystoneAuthRealm == ============================
-      ===================================================================================
-      =                                                                                 =
-      = Description:  A Realm implementation aimed at federating with an OpenStack      =
-      =               Keystone.                                                         =
-      ===================================================================================
-    -->
-    <!-- Start keystoneAuthRealm commented out
-    <main>
-        <pair-key>keystoneAuthRealm</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value>
-    </main>
-    <main>
-        <pair-key>keystoneAuthRealm.url</pair-key>
-        <pair-value>https://&lt;host&gt;:&lt;port&gt;</pair-value>
-    </main>
-    <main>
-        <pair-key>keystoneAuthRealm.sslVerification</pair-key>
-        <pair-value>true</pair-value>
-    </main>
-    <main>
-        <pair-key>keystoneAuthRealm.defaultDomain</pair-key>
-        <pair-value>Default</pair-value>
-    </main>
-    -->
-
-    <!--
-    Add tokenAuthRealm as the only realm.  To enable mdsalRealm, add it to the list to he right of tokenAuthRealm.
-    -->
-    <main>
-        <pair-key>securityManager.realms</pair-key>
-        <pair-value>$tokenAuthRealm</pair-value>
-    </main>
-    <!-- Used to support OAuth2 use case. -->
-    <main>
-        <pair-key>authcBasic</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
-    </main>
-    <main>
-        <pair-key>anyroles</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.filters.AnyRoleHttpAuthenticationFilter</pair-value>
-    </main>
-    <main>
-        <pair-key>authcBearer</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value>
-    </main>
-   
-    <!-- Start moonAuthRealm commented out
-    <main>
-        <pair-key>rest</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value>
-    </main>
-    End moonAuthRealm commented out-->
-
-    <!-- in order to track AAA challenge attempts -->
-    <main>
-        <pair-key>accountingListener</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
-    </main>
-    <main>
-        <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
-        <pair-value>$accountingListener</pair-value>
-    </main>
-
-    <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
-    <main>
-        <pair-key>dynamicAuthorization</pair-key>
-        <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
-    </main>
-<!--     <main> -->
-<!--         <pair-key>securityManager.sessionManager.sessionIdCookieEnabled</pair-key> -->
-<!--         <pair-value>false</pair-value> -->
-<!--     </main> -->
-
-    <!--
-      ===================================================================================
-      =                                                                                 =
-      =                                                                                 =
-      =                                      URLS                                       =
-      =                                                                                 =
-      =                                                                                 =
-      ===================================================================================
-    -->
-    <!-- Start moonAuthRealm commented out
-    <urls>
-        <pair-key>/token</pair-key>
-        <pair-value>rest</pair-value>
-    </urls>
-    End moonAuthRealm commented out-->
-    <urls>
-        <pair-key>/**/operations/cluster-admin**</pair-key>
-        <pair-value>dynamicAuthorization</pair-value>
-    </urls>
-    <urls>
-        <pair-key>/**/v1/**</pair-key>
-        <pair-value>authcBearer, roles[admin]</pair-value>
-    </urls>
-    <urls>
-        <pair-key>/**/config/aaa*/**</pair-key>
-        <pair-value>authcBearer, roles[admin]</pair-value>
-    </urls>
-     <urls>
-        <pair-key>/oauth/**</pair-key>
-        <pair-value>anon</pair-value>
-    </urls>
-    <urls>
-        <pair-key>/odlux/**</pair-key>
-        <pair-value>anon</pair-value>
-    </urls>
-    <urls>
-        <pair-key>/apidoc/**</pair-key>
-        <pair-value>authcBasic, roles[admin]</pair-value>
-    </urls>
-     <urls>
-        <pair-key>/test123/**</pair-key>
-        <pair-value>authcBasic</pair-value>
-    </urls>
-    <urls>
-        <pair-key>/rests/**</pair-key>
-        <pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
-    </urls>
-    <urls>
-        <pair-key>/**</pair-key>
-        <pair-value>authcBearer, anyroles["admin,provision"]</pair-value>
-    </urls>
-</shiro-configuration>
-
index 13a34cd..04fb072 100644 (file)
@@ -47,7 +47,7 @@
         <module>mountpoint-registrar</module>
         <module>netconfnode-state-service</module>
         <module>mountpoint-state-provider</module>
-        <!--<module>oauth-provider</module>-->
+        <module>oauth-provider</module>
         <module>featureaggregator</module>
     </modules>
 </project>