authorWuKong <rebirthmonkey@gmail.com>2017-12-23 21:49:35 +0100
committerWuKong <rebirthmonkey@gmail.com>2017-12-23 21:49:58 +0100
commit1100c66ce03a059ebe7ece9734e799b49b3a5a9e (patch)
treea057e7e7511f6675a9327b79e6919f07c5f89f07
parent7a4dfdde6314476ae2a1a1c881ff1e3c430f790e (diff)
moonv4 cleanup
Change-Id: Icef927f3236d985ac13ff7376f6ce6314b2b39b0 Signed-off-by: WuKong <rebirthmonkey@gmail.com>
-rw-r--r--DEV.md (renamed from moonv4/DEV.md)0
-rw-r--r--README.md (renamed from moonv4/README.md)0
-rw-r--r--README.rst35
-rw-r--r--TODO (renamed from moonv4/TODO)0
-rw-r--r--bin/README.md (renamed from moonv4/bin/README.md)0
-rw-r--r--bin/bootstrap.py (renamed from moonv4/bin/bootstrap.py)0
-rw-r--r--bin/build_all.sh (renamed from moonv4/bin/build_all.sh)0
-rw-r--r--bin/build_all_pip.sh (renamed from moonv4/bin/build_all_pip.sh)0
-rw-r--r--bin/delete_orchestrator.sh (renamed from moonv4/bin/delete_orchestrator.sh)0
-rw-r--r--bin/moon_lib_update.sh (renamed from moonv4/bin/moon_lib_update.sh)0
-rw-r--r--bin/set_auth.src (renamed from moonv4/bin/set_auth.src)0
-rwxr-xr-xbin/start.sh (renamed from moonv4/bin/start.sh)0
-rw-r--r--conf/moon.conf (renamed from moonv4/conf/moon.conf)0
-rw-r--r--keystonemiddleware-moon/.coveragerc7
-rw-r--r--keystonemiddleware-moon/.gitignore55
-rw-r--r--keystonemiddleware-moon/.gitreview4
-rw-r--r--keystonemiddleware-moon/.testr.conf8
-rw-r--r--keystonemiddleware-moon/CONTRIBUTING.rst16
-rw-r--r--keystonemiddleware-moon/HACKING.rst24
-rw-r--r--keystonemiddleware-moon/LICENSE210
-rw-r--r--keystonemiddleware-moon/MANIFEST.in7
-rw-r--r--keystonemiddleware-moon/README.rst19
-rw-r--r--keystonemiddleware-moon/babel.cfg3
-rw-r--r--keystonemiddleware-moon/bandit.yaml134
-rw-r--r--keystonemiddleware-moon/debian/changelog121
-rw-r--r--keystonemiddleware-moon/debian/compat1
-rw-r--r--keystonemiddleware-moon/debian/control136
-rw-r--r--keystonemiddleware-moon/debian/copyright27
-rw-r--r--keystonemiddleware-moon/debian/create_deb.py196
-rw-r--r--keystonemiddleware-moon/debian/gbp.conf9
-rw-r--r--keystonemiddleware-moon/debian/patches/no-intersphinx.patch17
-rw-r--r--keystonemiddleware-moon/debian/patches/re-add-missing-auth-options.patch18
-rw-r--r--keystonemiddleware-moon/debian/patches/series2
-rw-r--r--keystonemiddleware-moon/debian/python-keystonemiddleware-doc.doc-base9
-rwxr-xr-xkeystonemiddleware-moon/debian/rules54
-rw-r--r--keystonemiddleware-moon/debian/source/format1
-rw-r--r--keystonemiddleware-moon/debian/source/options1
-rw-r--r--keystonemiddleware-moon/debian/watch3
-rw-r--r--keystonemiddleware-moon/doc/.gitignore2
-rw-r--r--keystonemiddleware-moon/doc/Makefile90
-rw-r--r--keystonemiddleware-moon/doc/ext/apidoc.py46
-rw-r--r--keystonemiddleware-moon/doc/source/audit.rst81
-rw-r--r--keystonemiddleware-moon/doc/source/conf.py237
-rw-r--r--keystonemiddleware-moon/doc/source/images/audit.pngbin48742 -> 0 bytes
-rw-r--r--keystonemiddleware-moon/doc/source/images/graphs_authComp.svg48
-rw-r--r--keystonemiddleware-moon/doc/source/images/graphs_authCompDelegate.svg53
-rw-r--r--keystonemiddleware-moon/doc/source/index.rst46
-rw-r--r--keystonemiddleware-moon/doc/source/middlewarearchitecture.rst472
-rw-r--r--keystonemiddleware-moon/examples/pki/certs/cacert.pem23
-rw-r--r--keystonemiddleware-moon/examples/pki/certs/middleware.pem50
-rw-r--r--keystonemiddleware-moon/examples/pki/certs/signing_cert.pem22
-rw-r--r--keystonemiddleware-moon/examples/pki/certs/ssl_cert.pem22
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.json85
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.pem75
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.pkiz1
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.json88
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.pem77
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.pkiz1
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.json85
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.pem75
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.pkiz1
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.json23
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.pem25
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.pkiz1
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.json88
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.pem76
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.pkiz1
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.json123
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.pem100
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.pkiz1
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/revocation_list.der0
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/revocation_list.json20
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/revocation_list.pem24
-rw-r--r--keystonemiddleware-moon/examples/pki/cms/revocation_list.pkiz1
-rw-r--r--keystonemiddleware-moon/examples/pki/gen_cmsz.py117
-rwxr-xr-xkeystonemiddleware-moon/examples/pki/gen_pki.sh213
-rw-r--r--keystonemiddleware-moon/examples/pki/private/cakey.pem28
-rw-r--r--keystonemiddleware-moon/examples/pki/private/signing_key.pem28
-rw-r--r--keystonemiddleware-moon/examples/pki/private/ssl_key.pem28
-rwxr-xr-xkeystonemiddleware-moon/examples/pki/run_all.sh31
-rw-r--r--keystonemiddleware-moon/keystonemiddleware.egg-info/dependency_links.txt1
-rw-r--r--keystonemiddleware-moon/keystonemiddleware.egg-info/entry_points.txt3
-rw-r--r--keystonemiddleware-moon/keystonemiddleware.egg-info/not-zip-safe1
-rw-r--r--keystonemiddleware-moon/keystonemiddleware.egg-info/top_level.txt1
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/audit.py449
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py1129
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py194
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_base.py13
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_cache.py338
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_exceptions.py27
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_identity.py252
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_memcache_crypt.py210
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_memcache_pool.py184
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_request.py224
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_revocations.py128
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_signing_dir.py83
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_user_plugin.py193
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/auth_token/_utils.py32
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/authz.py292
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/ec2_token.py130
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/echo/__main__.py7
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/echo/service.py48
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/i18n.py37
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/moon_agent.py310
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/moon_mgrs/__init__.py1
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/moon_mgrs/authz_mgr/authz_mgr.py106
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/openstack/common/memorycache.py97
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/opts.py52
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/s3_token.py270
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/base.py73
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_auth.py102
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py2634
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py202
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_connection_pool.py118
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_memcache_crypt.py97
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_request.py253
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py104
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py137
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py201
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_utils.py37
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/client_fixtures.py452
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/test_audit_middleware.py560
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/test_opts.py86
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/test_s3_token_middleware.py268
-rw-r--r--keystonemiddleware-moon/keystonemiddleware/tests/unit/utils.py150
-rw-r--r--keystonemiddleware-moon/openstack-common.conf7
-rw-r--r--keystonemiddleware-moon/requirements.txt16
-rw-r--r--keystonemiddleware-moon/setup.cfg57
-rw-r--r--keystonemiddleware-moon/setup.py29
-rw-r--r--keystonemiddleware-moon/test-requirements-py3.txt18
-rw-r--r--keystonemiddleware-moon/test-requirements.txt24
-rw-r--r--keystonemiddleware-moon/tools/install_venv_common.py172
-rw-r--r--keystonemiddleware-moon/tox.ini50
-rw-r--r--kubernetes/README.md (renamed from moonv4/kubernetes/README.md)0
-rw-r--r--kubernetes/conf/password_moon.txt (renamed from moonv4/kubernetes/conf/password_moon.txt)0
-rw-r--r--kubernetes/conf/password_root.txt (renamed from moonv4/kubernetes/conf/password_root.txt)0
-rw-r--r--kubernetes/conf/ports.conf (renamed from moonv4/kubernetes/conf/ports.conf)0
-rw-r--r--kubernetes/init_k8s.sh (renamed from moonv4/kubernetes/init_k8s.sh)0
-rw-r--r--kubernetes/start_moon.sh (renamed from moonv4/kubernetes/start_moon.sh)0
-rw-r--r--kubernetes/templates/consul.yaml (renamed from moonv4/kubernetes/templates/consul.yaml)0
-rw-r--r--kubernetes/templates/db.yaml (renamed from moonv4/kubernetes/templates/db.yaml)0
-rw-r--r--kubernetes/templates/keystone.yaml (renamed from moonv4/kubernetes/templates/keystone.yaml)0
-rw-r--r--kubernetes/templates/kube-dns.yaml (renamed from moonv4/kubernetes/templates/kube-dns.yaml)0
-rw-r--r--kubernetes/templates/moon_configuration.yaml (renamed from moonv4/kubernetes/templates/moon_configuration.yaml)0
-rw-r--r--kubernetes/templates/moon_gui.yaml (renamed from moonv4/kubernetes/templates/moon_gui.yaml)0
-rw-r--r--kubernetes/templates/moon_manager.yaml (renamed from moonv4/kubernetes/templates/moon_manager.yaml)0
-rw-r--r--kubernetes/templates/moon_orchestrator.yaml (renamed from moonv4/kubernetes/templates/moon_orchestrator.yaml)0
-rw-r--r--moon_authz/Dockerfile (renamed from moonv4/moon_authz/Dockerfile)0
-rw-r--r--moon_authz/LICENSE (renamed from moonv4/moon_authz/LICENSE)0
-rw-r--r--moon_authz/MANIFEST.in (renamed from moonv4/moon_authz/MANIFEST.in)0
-rw-r--r--moon_authz/README.rst (renamed from moonv4/moon_authz/README.rst)0
-rw-r--r--moon_authz/moon_authz/__init__.py (renamed from moonv4/moon_authz/moon_authz/__init__.py)0
-rw-r--r--moon_authz/moon_authz/__main__.py (renamed from moonv4/moon_authz/moon_authz/__main__.py)0
-rw-r--r--moon_authz/moon_authz/api/__init__.py (renamed from keystonemiddleware-moon/doc/ext/__init__.py)0
-rw-r--r--moon_authz/moon_authz/api/authorization.py (renamed from moonv4/moon_authz/moon_authz/api/authorization.py)0
-rw-r--r--moon_authz/moon_authz/api/generic.py (renamed from moonv4/moon_authz/moon_authz/api/generic.py)0
-rw-r--r--moon_authz/moon_authz/http_server.py (renamed from moonv4/moon_authz/moon_authz/http_server.py)0
-rw-r--r--moon_authz/moon_authz/server.py (renamed from moonv4/moon_authz/moon_authz/server.py)0
-rw-r--r--moon_authz/requirements.txt (renamed from moonv4/moon_authz/requirements.txt)0
-rw-r--r--moon_authz/setup.py (renamed from moonv4/moon_authz/setup.py)0
-rw-r--r--moon_authz/tests/unit_python/conftest.py (renamed from moonv4/moon_authz/tests/unit_python/conftest.py)0
-rw-r--r--moon_authz/tests/unit_python/mock_pods.py (renamed from moonv4/moon_authz/tests/unit_python/mock_pods.py)0
-rw-r--r--moon_authz/tests/unit_python/requirements.txt (renamed from moonv4/moon_authz/tests/unit_python/requirements.txt)0
-rw-r--r--moon_authz/tests/unit_python/test_authz.py (renamed from moonv4/moon_authz/tests/unit_python/test_authz.py)0
-rw-r--r--moon_authz/tests/unit_python/utilities.py (renamed from moonv4/moon_authz/tests/unit_python/utilities.py)0
-rw-r--r--moon_bouchon/Dockerfile (renamed from moonv4/moon_bouchon/Dockerfile)0
-rw-r--r--moon_bouchon/README.md (renamed from moonv4/moon_bouchon/README.md)0
-rw-r--r--moon_bouchon/moon_bouchon/__init__.py (renamed from moonv4/moon_bouchon/moon_bouchon/__init__.py)0
-rw-r--r--moon_bouchon/moon_bouchon/__main__.py (renamed from moonv4/moon_bouchon/moon_bouchon/__main__.py)0
-rw-r--r--moon_bouchon/moon_bouchon/server.py (renamed from moonv4/moon_bouchon/moon_bouchon/server.py)0
-rw-r--r--moon_bouchon/requirements.txt (renamed from moonv4/moon_bouchon/requirements.txt)0
-rw-r--r--moon_bouchon/setup.cfg (renamed from moonv4/moon_bouchon/setup.cfg)0
-rw-r--r--moon_bouchon/setup.py (renamed from moonv4/moon_bouchon/setup.py)0
-rw-r--r--moon_bouchon/tests/test_interface.py (renamed from moonv4/moon_bouchon/tests/test_interface.py)0
-rw-r--r--moon_bouchon/tests/test_wrapper.py (renamed from moonv4/moon_bouchon/tests/test_wrapper.py)0
-rw-r--r--moon_gui/.gitignore (renamed from moonv4/moon_gui/.gitignore)0
-rw-r--r--moon_gui/.jshintrc (renamed from moonv4/moon_gui/.jshintrc)0
-rw-r--r--moon_gui/DEV.md (renamed from moonv4/moon_gui/DEV.md)0
-rw-r--r--moon_gui/Dockerfile (renamed from moonv4/moon_gui/Dockerfile)0
-rw-r--r--moon_gui/README.md (renamed from moonv4/moon_gui/README.md)0
-rw-r--r--moon_gui/delivery/assets/css/main.css (renamed from moonv4/moon_gui/delivery/assets/css/main.css)0
-rw-r--r--moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.eot (renamed from moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.eot)bin20335 -> 20335 bytes
-rw-r--r--moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.svg (renamed from moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.svg)0
-rw-r--r--moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.ttf (renamed from moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.ttf)bin41280 -> 41280 bytes
-rw-r--r--moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.woff (renamed from moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.woff)bin23320 -> 23320 bytes
-rwxr-xr-xmoon_gui/delivery/assets/i18n/en.json (renamed from moonv4/moon_gui/delivery/assets/i18n/en.json)0
-rwxr-xr-xmoon_gui/delivery/assets/i18n/fr.json (renamed from moonv4/moon_gui/delivery/assets/i18n/fr.json)0
-rwxr-xr-xmoon_gui/delivery/assets/img/ajax-loader.gif (renamed from moonv4/moon_gui/delivery/assets/img/ajax-loader.gif)bin673 -> 673 bytes
-rwxr-xr-xmoon_gui/delivery/assets/img/ajax-waiting.gif (renamed from moonv4/moon_gui/delivery/assets/img/ajax-waiting.gif)bin10819 -> 10819 bytes
-rwxr-xr-xmoon_gui/delivery/assets/img/arrow-link.gif (renamed from moonv4/moon_gui/delivery/assets/img/arrow-link.gif)bin87 -> 87 bytes
-rwxr-xr-xmoon_gui/delivery/assets/img/favicon.ico (renamed from moonv4/moon_gui/delivery/assets/img/favicon.ico)bin318 -> 318 bytes
-rwxr-xr-xmoon_gui/delivery/assets/img/logo-openstack.png (renamed from moonv4/moon_gui/delivery/assets/img/logo-openstack.png)bin3180 -> 3180 bytes
-rwxr-xr-xmoon_gui/delivery/assets/img/logo-orange.gif (renamed from moonv4/moon_gui/delivery/assets/img/logo-orange.gif)bin981 -> 981 bytes
-rw-r--r--moon_gui/delivery/html/authentication/authentication.tpl.html (renamed from moonv4/moon_gui/delivery/html/authentication/authentication.tpl.html)0
-rw-r--r--moon_gui/delivery/html/common/404/404.tpl.html (renamed from moonv4/moon_gui/delivery/html/common/404/404.tpl.html)0
-rw-r--r--moon_gui/delivery/html/common/compatibility/compatibility.tpl.html (renamed from moonv4/moon_gui/delivery/html/common/compatibility/compatibility.tpl.html)0
-rw-r--r--moon_gui/delivery/html/common/footer/footer.tpl.html (renamed from moonv4/moon_gui/delivery/html/common/footer/footer.tpl.html)0
-rw-r--r--moon_gui/delivery/html/common/header/header.tpl.html (renamed from moonv4/moon_gui/delivery/html/common/header/header.tpl.html)0
-rw-r--r--moon_gui/delivery/html/common/loader/loader.tpl.html (renamed from moonv4/moon_gui/delivery/html/common/loader/loader.tpl.html)0
-rw-r--r--moon_gui/delivery/html/common/waiting/waiting.tpl.html (renamed from moonv4/moon_gui/delivery/html/common/waiting/waiting.tpl.html)0
-rw-r--r--moon_gui/delivery/html/dashboard/dashboard.tpl.html (renamed from moonv4/moon_gui/delivery/html/dashboard/dashboard.tpl.html)0
-rw-r--r--moon_gui/delivery/html/logs/logs.tpl.html (renamed from moonv4/moon_gui/delivery/html/logs/logs.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/action/model-add.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/action/model-add.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/action/model-delete.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/action/model-delete.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/action/model-view.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/action/model-view.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/metadata/metadata-edit.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/metadata/metadata-edit.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/metadata/metadata-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/metadata/metadata-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-add.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-add.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-map.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-map.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-unmap.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-unmap.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/metarules/action/metarules-edit-basic.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit-basic.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/metarules/action/metarules-edit.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/metarules/metarules-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/metarules/metarules-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/model-edit-basic.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/model-edit-basic.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/edit/model-edit.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/edit/model-edit.tpl.html)0
-rw-r--r--moon_gui/delivery/html/model/model-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/model/model-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/pdp/action/pdp-add.tpl.html (renamed from moonv4/moon_gui/delivery/html/pdp/action/pdp-add.tpl.html)0
-rw-r--r--moon_gui/delivery/html/pdp/action/pdp-delete.tpl.html (renamed from moonv4/moon_gui/delivery/html/pdp/action/pdp-delete.tpl.html)0
-rw-r--r--moon_gui/delivery/html/pdp/edit/pdp-edit-basic.tpl.html (renamed from moonv4/moon_gui/delivery/html/pdp/edit/pdp-edit-basic.tpl.html)0
-rw-r--r--moon_gui/delivery/html/pdp/edit/pdp-edit.tpl.html (renamed from moonv4/moon_gui/delivery/html/pdp/edit/pdp-edit.tpl.html)0
-rw-r--r--moon_gui/delivery/html/pdp/pdp-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/pdp/pdp-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/action/mapping/policy-map.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/action/mapping/policy-map.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/action/mapping/policy-unmap.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/action/mapping/policy-unmap.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/action/policy-add.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/action/policy-add.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/action/policy-delete.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/action/policy-delete.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/edit/parameter/assignments/assignments-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/edit/parameter/assignments/assignments-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/edit/parameter/data/data-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/edit/parameter/data/data-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/edit/parameter/perimeter/perimeter-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/edit/parameter/perimeter/perimeter-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/edit/parameter/rules/rules-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/edit/parameter/rules/rules-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/edit/policy-edit-basic.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/edit/policy-edit-basic.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/edit/policy-edit.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/edit/policy-edit.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/policy-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/policy-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/policy/policy-mapped-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/policy/policy-mapped-list.tpl.html)0
-rw-r--r--moon_gui/delivery/html/project/action/mapping/project-map.tpl.html (renamed from moonv4/moon_gui/delivery/html/project/action/mapping/project-map.tpl.html)0
-rw-r--r--moon_gui/delivery/html/project/action/mapping/project-unmap.tpl.html (renamed from moonv4/moon_gui/delivery/html/project/action/mapping/project-unmap.tpl.html)0
-rw-r--r--moon_gui/delivery/html/project/action/project-add.tpl.html (renamed from moonv4/moon_gui/delivery/html/project/action/project-add.tpl.html)0
-rw-r--r--moon_gui/delivery/html/project/action/project-delete.tpl.html (renamed from moonv4/moon_gui/delivery/html/project/action/project-delete.tpl.html)0
-rw-r--r--moon_gui/delivery/html/project/action/project-view.tpl.html (renamed from moonv4/moon_gui/delivery/html/project/action/project-view.tpl.html)0
-rw-r--r--moon_gui/delivery/html/project/project-list.tpl.html (renamed from moonv4/moon_gui/delivery/html/project/project-list.tpl.html)0
-rw-r--r--moon_gui/delivery/index.html (renamed from moonv4/moon_gui/delivery/index.html)0
-rw-r--r--moon_gui/delivery/js/app.js (renamed from moonv4/moon_gui/delivery/js/app.js)0
-rw-r--r--moon_gui/delivery/js/modules.js (renamed from moonv4/moon_gui/delivery/js/modules.js)0
-rwxr-xr-xmoon_gui/delivery/version.json (renamed from moonv4/moon_gui/delivery/version.json)0
-rw-r--r--moon_gui/gulpfile.js (renamed from moonv4/moon_gui/gulpfile.js)0
-rw-r--r--moon_gui/package.json (renamed from moonv4/moon_gui/package.json)0
-rw-r--r--moon_gui/run.sh (renamed from moonv4/moon_gui/run.sh)0
-rwxr-xr-xmoon_gui/static/app/authentication/authentication.controller.js (renamed from moonv4/moon_gui/static/app/authentication/authentication.controller.js)0
-rwxr-xr-xmoon_gui/static/app/authentication/authentication.tpl.html (renamed from moonv4/moon_gui/static/app/authentication/authentication.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/common/404/404.tpl.html (renamed from moonv4/moon_gui/static/app/common/404/404.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/common/compatibility/compatibility.tpl.html (renamed from moonv4/moon_gui/static/app/common/compatibility/compatibility.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/common/footer/footer.controller.js (renamed from moonv4/moon_gui/static/app/common/footer/footer.controller.js)0
-rwxr-xr-xmoon_gui/static/app/common/footer/footer.tpl.html (renamed from moonv4/moon_gui/static/app/common/footer/footer.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/common/header/header.controller.js (renamed from moonv4/moon_gui/static/app/common/header/header.controller.js)0
-rwxr-xr-xmoon_gui/static/app/common/header/header.tpl.html (renamed from moonv4/moon_gui/static/app/common/header/header.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/common/loader/loader.dir.js (renamed from moonv4/moon_gui/static/app/common/loader/loader.dir.js)0
-rwxr-xr-xmoon_gui/static/app/common/loader/loader.tpl.html (renamed from moonv4/moon_gui/static/app/common/loader/loader.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/common/waiting/waiting.tpl.html (renamed from moonv4/moon_gui/static/app/common/waiting/waiting.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/dashboard/dashboard.tpl.html (renamed from moonv4/moon_gui/static/app/dashboard/dashboard.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/logs/logs.controller.js (renamed from moonv4/moon_gui/static/app/logs/logs.controller.js)0
-rwxr-xr-xmoon_gui/static/app/logs/logs.tpl.html (renamed from moonv4/moon_gui/static/app/logs/logs.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/action/model-add.tpl.html (renamed from moonv4/moon_gui/static/app/model/action/model-add.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/action/model-delete.tpl.html (renamed from moonv4/moon_gui/static/app/model/action/model-delete.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/action/model-view.tpl.html (renamed from moonv4/moon_gui/static/app/model/action/model-view.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/action/model.controller.add.js (renamed from moonv4/moon_gui/static/app/model/action/model.controller.add.js)0
-rwxr-xr-xmoon_gui/static/app/model/action/model.controller.delete.js (renamed from moonv4/moon_gui/static/app/model/action/model.controller.delete.js)0
-rwxr-xr-xmoon_gui/static/app/model/action/model.controller.view.js (renamed from moonv4/moon_gui/static/app/model/action/model.controller.view.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metadata/metadata-edit.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/metadata/metadata-edit.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metadata/metadata-list.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/metadata/metadata-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metadata/metadata.edit.dir.js (renamed from moonv4/moon_gui/static/app/model/edit/metadata/metadata.edit.dir.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metadata/metadata.list.dir.js (renamed from moonv4/moon_gui/static/app/model/edit/metadata/metadata.list.dir.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/mapping/metarules-add.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-add.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/mapping/metarules-map.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-map.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/mapping/metarules-unmap.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-unmap.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/mapping/metarules.controller.add.js (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.controller.add.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/mapping/metarules.map.controller.js (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.map.controller.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/mapping/metarules.unmap.controller.js (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.unmap.controller.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/metarules-edit-basic.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/metarules-edit-basic.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/metarules-edit.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/metarules-edit.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/metarules.controller.edit.js (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/metarules.controller.edit.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/action/metarules.edit.basic.dir.js (renamed from moonv4/moon_gui/static/app/model/edit/metarules/action/metarules.edit.basic.dir.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/metarules-list.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/metarules/metarules-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/metarules/metarules.list.dir.js (renamed from moonv4/moon_gui/static/app/model/edit/metarules/metarules.list.dir.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/model-edit-basic.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/model-edit-basic.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/model-edit.tpl.html (renamed from moonv4/moon_gui/static/app/model/edit/model-edit.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/edit/model.controller.edit.js (renamed from moonv4/moon_gui/static/app/model/edit/model.controller.edit.js)0
-rwxr-xr-xmoon_gui/static/app/model/edit/model.edit.basic.dir.js (renamed from moonv4/moon_gui/static/app/model/edit/model.edit.basic.dir.js)0
-rwxr-xr-xmoon_gui/static/app/model/model-list.tpl.html (renamed from moonv4/moon_gui/static/app/model/model-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/model/model.controller.list.js (renamed from moonv4/moon_gui/static/app/model/model.controller.list.js)0
-rw-r--r--moon_gui/static/app/moon.constants.js (renamed from moonv4/moon_gui/static/app/moon.constants.js)0
-rwxr-xr-xmoon_gui/static/app/moon.module.js (renamed from moonv4/moon_gui/static/app/moon.module.js)0
-rwxr-xr-xmoon_gui/static/app/pdp/action/pdp-add.tpl.html (renamed from moonv4/moon_gui/static/app/pdp/action/pdp-add.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/pdp/action/pdp-delete.tpl.html (renamed from moonv4/moon_gui/static/app/pdp/action/pdp-delete.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/pdp/action/pdp.controller.add.js (renamed from moonv4/moon_gui/static/app/pdp/action/pdp.controller.add.js)0
-rwxr-xr-xmoon_gui/static/app/pdp/action/pdp.controller.delete.js (renamed from moonv4/moon_gui/static/app/pdp/action/pdp.controller.delete.js)0
-rwxr-xr-xmoon_gui/static/app/pdp/edit/pdp-edit-basic.tpl.html (renamed from moonv4/moon_gui/static/app/pdp/edit/pdp-edit-basic.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/pdp/edit/pdp-edit.tpl.html (renamed from moonv4/moon_gui/static/app/pdp/edit/pdp-edit.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/pdp/edit/pdp.controller.edit.js (renamed from moonv4/moon_gui/static/app/pdp/edit/pdp.controller.edit.js)0
-rwxr-xr-xmoon_gui/static/app/pdp/edit/pdp.edit.basic.dir.js (renamed from moonv4/moon_gui/static/app/pdp/edit/pdp.edit.basic.dir.js)0
-rwxr-xr-xmoon_gui/static/app/pdp/pdp-list.tpl.html (renamed from moonv4/moon_gui/static/app/pdp/pdp-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/pdp/pdp.controller.list.js (renamed from moonv4/moon_gui/static/app/pdp/pdp.controller.list.js)0
-rwxr-xr-xmoon_gui/static/app/policy/action/mapping/policy-map.tpl.html (renamed from moonv4/moon_gui/static/app/policy/action/mapping/policy-map.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/action/mapping/policy-unmap.tpl.html (renamed from moonv4/moon_gui/static/app/policy/action/mapping/policy-unmap.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/action/mapping/policy.controller.map.js (renamed from moonv4/moon_gui/static/app/policy/action/mapping/policy.controller.map.js)0
-rwxr-xr-xmoon_gui/static/app/policy/action/mapping/policy.controller.unmap.js (renamed from moonv4/moon_gui/static/app/policy/action/mapping/policy.controller.unmap.js)0
-rwxr-xr-xmoon_gui/static/app/policy/action/policy-add.tpl.html (renamed from moonv4/moon_gui/static/app/policy/action/policy-add.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/action/policy-delete.tpl.html (renamed from moonv4/moon_gui/static/app/policy/action/policy-delete.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/action/policy.controller.add.js (renamed from moonv4/moon_gui/static/app/policy/action/policy.controller.add.js)0
-rwxr-xr-xmoon_gui/static/app/policy/action/policy.controller.delete.js (renamed from moonv4/moon_gui/static/app/policy/action/policy.controller.delete.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/assignments/assignments-edit.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments-edit.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/assignments/assignments-list.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/assignments/assignments.edit.dir.js (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments.edit.dir.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/assignments/assignments.list.dir.js (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments.list.dir.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/data/data-edit.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/data/data-edit.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/data/data-list.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/data/data-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/data/data.edit.dir.js (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/data/data.edit.dir.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/data/data.list.dir.js (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/data/data.list.dir.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/perimeter/perimeter-edit.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-edit.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/perimeter/perimeter-list.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/perimeter/perimeter.edit.dir.js (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.edit.dir.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/perimeter/perimeter.list.dir.js (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.list.dir.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/rules/rules-edit.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules-edit.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/rules/rules-list.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/rules/rules.edit.dir.js (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules.edit.dir.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/parameter/rules/rules.list.dir.js (renamed from moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules.list.dir.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/policy-edit-basic.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/policy-edit-basic.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/policy-edit.tpl.html (renamed from moonv4/moon_gui/static/app/policy/edit/policy-edit.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/policy.controller.edit.js (renamed from moonv4/moon_gui/static/app/policy/edit/policy.controller.edit.js)0
-rwxr-xr-xmoon_gui/static/app/policy/edit/policy.edit.basic.dir.js (renamed from moonv4/moon_gui/static/app/policy/edit/policy.edit.basic.dir.js)0
-rwxr-xr-xmoon_gui/static/app/policy/policy-list.tpl.html (renamed from moonv4/moon_gui/static/app/policy/policy-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/policy-mapped-list.tpl.html (renamed from moonv4/moon_gui/static/app/policy/policy-mapped-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/policy/policy.controller.list.js (renamed from moonv4/moon_gui/static/app/policy/policy.controller.list.js)0
-rwxr-xr-xmoon_gui/static/app/policy/policy.mapped.list.dir.js (renamed from moonv4/moon_gui/static/app/policy/policy.mapped.list.dir.js)0
-rwxr-xr-xmoon_gui/static/app/project/action/mapping/project-map.tpl.html (renamed from moonv4/moon_gui/static/app/project/action/mapping/project-map.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/project/action/mapping/project-unmap.tpl.html (renamed from moonv4/moon_gui/static/app/project/action/mapping/project-unmap.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/project/action/mapping/project.controller.map.js (renamed from moonv4/moon_gui/static/app/project/action/mapping/project.controller.map.js)0
-rwxr-xr-xmoon_gui/static/app/project/action/mapping/project.controller.unmap.js (renamed from moonv4/moon_gui/static/app/project/action/mapping/project.controller.unmap.js)0
-rwxr-xr-xmoon_gui/static/app/project/action/project-add.tpl.html (renamed from moonv4/moon_gui/static/app/project/action/project-add.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/project/action/project-delete.tpl.html (renamed from moonv4/moon_gui/static/app/project/action/project-delete.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/project/action/project-view.tpl.html (renamed from moonv4/moon_gui/static/app/project/action/project-view.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/project/action/project.controller.add.js (renamed from moonv4/moon_gui/static/app/project/action/project.controller.add.js)0
-rwxr-xr-xmoon_gui/static/app/project/action/project.controller.delete.js (renamed from moonv4/moon_gui/static/app/project/action/project.controller.delete.js)0
-rwxr-xr-xmoon_gui/static/app/project/action/project.controller.view.js (renamed from moonv4/moon_gui/static/app/project/action/project.controller.view.js)0
-rwxr-xr-xmoon_gui/static/app/project/project-list.tpl.html (renamed from moonv4/moon_gui/static/app/project/project-list.tpl.html)0
-rwxr-xr-xmoon_gui/static/app/project/project.controller.list.js (renamed from moonv4/moon_gui/static/app/project/project.controller.list.js)0
-rwxr-xr-xmoon_gui/static/app/services/gui/alert.service.js (renamed from moonv4/moon_gui/static/app/services/gui/alert.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/gui/browser.service.js (renamed from moonv4/moon_gui/static/app/services/gui/browser.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/gui/form.service.js (renamed from moonv4/moon_gui/static/app/services/gui/form.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/gui/menu.service.js (renamed from moonv4/moon_gui/static/app/services/gui/menu.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/gui/security.pipeline.service.js (renamed from moonv4/moon_gui/static/app/services/gui/security.pipeline.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/gui/util.service.js (renamed from moonv4/moon_gui/static/app/services/gui/util.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/gui/version.service.js (renamed from moonv4/moon_gui/static/app/services/gui/version.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/moon/model/model.service.js (renamed from moonv4/moon_gui/static/app/services/moon/model/model.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/moon/pdp.service.js (renamed from moonv4/moon_gui/static/app/services/moon/pdp.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/moon/policy/parameters/assignements.service.js (renamed from moonv4/moon_gui/static/app/services/moon/policy/parameters/assignements.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/moon/policy/parameters/data.service.js (renamed from moonv4/moon_gui/static/app/services/moon/policy/parameters/data.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/moon/policy/parameters/perimeter.service.js (renamed from moonv4/moon_gui/static/app/services/moon/policy/parameters/perimeter.service.js)0
-rw-r--r--moon_gui/static/app/services/moon/policy/parameters/rule.service.js (renamed from moonv4/moon_gui/static/app/services/moon/policy/parameters/rule.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/moon/policy/parameters/rules.service.js (renamed from moonv4/moon_gui/static/app/services/moon/policy/parameters/rules.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/moon/policy/policy.service.js (renamed from moonv4/moon_gui/static/app/services/moon/policy/policy.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/moon/rule/metadata.service.js (renamed from moonv4/moon_gui/static/app/services/moon/rule/metadata.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/moon/rule/metarule.service.js (renamed from moonv4/moon_gui/static/app/services/moon/rule/metarule.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/partner/authentication.service.js (renamed from moonv4/moon_gui/static/app/services/partner/authentication.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/partner/nova.service.js (renamed from moonv4/moon_gui/static/app/services/partner/nova.service.js)0
-rwxr-xr-xmoon_gui/static/app/services/partner/project.service.js (renamed from moonv4/moon_gui/static/app/services/partner/project.service.js)0
-rwxr-xr-xmoon_gui/static/favicon.ico (renamed from moonv4/moon_gui/static/favicon.ico)bin318 -> 318 bytes
-rwxr-xr-xmoon_gui/static/i18n/en.json (renamed from moonv4/moon_gui/static/i18n/en.json)0
-rwxr-xr-xmoon_gui/static/i18n/fr.json (renamed from moonv4/moon_gui/static/i18n/fr.json)0
-rwxr-xr-xmoon_gui/static/img/ajax-loader.gif (renamed from moonv4/moon_gui/static/img/ajax-loader.gif)bin673 -> 673 bytes
-rwxr-xr-xmoon_gui/static/img/ajax-waiting.gif (renamed from moonv4/moon_gui/static/img/ajax-waiting.gif)bin10819 -> 10819 bytes
-rwxr-xr-xmoon_gui/static/img/arrow-link.gif (renamed from moonv4/moon_gui/static/img/arrow-link.gif)bin87 -> 87 bytes
-rw-r--r--moon_gui/static/img/et.jpg (renamed from moonv4/moon_gui/static/img/et.jpg)bin31641 -> 31641 bytes
-rwxr-xr-xmoon_gui/static/img/logo-openstack.png (renamed from moonv4/moon_gui/static/img/logo-openstack.png)bin3180 -> 3180 bytes
-rwxr-xr-xmoon_gui/static/img/logo-orange.gif (renamed from moonv4/moon_gui/static/img/logo-orange.gif)bin981 -> 981 bytes
-rw-r--r--moon_gui/static/styles/main.css (renamed from moonv4/moon_gui/static/styles/main.css)0
-rwxr-xr-xmoon_gui/static/version.json (renamed from moonv4/moon_gui/static/version.json)0
-rw-r--r--moon_gui/templates/index.html (renamed from moonv4/moon_gui/templates/index.html)0
-rw-r--r--moon_interface/Dockerfile (renamed from moonv4/moon_interface/Dockerfile)0
-rw-r--r--moon_interface/LICENSE (renamed from moonv4/moon_interface/LICENSE)0
-rw-r--r--moon_interface/MANIFEST.in (renamed from moonv4/moon_interface/MANIFEST.in)0
-rw-r--r--moon_interface/Makefile (renamed from moonv4/moon_interface/Makefile)0
-rw-r--r--moon_interface/README.rst (renamed from moonv4/moon_interface/README.rst)0
-rw-r--r--moon_interface/moon_interface/__init__.py (renamed from moonv4/moon_interface/moon_interface/__init__.py)0
-rw-r--r--moon_interface/moon_interface/__main__.py (renamed from moonv4/moon_interface/moon_interface/__main__.py)0
-rw-r--r--moon_interface/moon_interface/api/__init__.py (renamed from keystonemiddleware-moon/keystonemiddleware/__init__.py)0
-rw-r--r--moon_interface/moon_interface/api/authz.py (renamed from moonv4/moon_interface/moon_interface/api/authz.py)0
-rw-r--r--moon_interface/moon_interface/api/generic.py (renamed from moonv4/moon_interface/moon_interface/api/generic.py)0
-rw-r--r--moon_interface/moon_interface/authz_requests.py (renamed from moonv4/moon_interface/moon_interface/authz_requests.py)0
-rw-r--r--moon_interface/moon_interface/containers.py (renamed from moonv4/moon_interface/moon_interface/containers.py)0
-rw-r--r--moon_interface/moon_interface/http_server.py (renamed from moonv4/moon_interface/moon_interface/http_server.py)0
-rw-r--r--moon_interface/moon_interface/server.py (renamed from moonv4/moon_interface/moon_interface/server.py)0
-rw-r--r--moon_interface/requirements.txt (renamed from moonv4/moon_interface/requirements.txt)0
-rw-r--r--moon_interface/setup.py (renamed from moonv4/moon_interface/setup.py)0
-rw-r--r--moon_interface/tests/unit_python/api/__init__.py (renamed from keystonemiddleware-moon/keystonemiddleware/echo/__init__.py)0
-rw-r--r--moon_interface/tests/unit_python/api/test_authz.py (renamed from moonv4/moon_interface/tests/unit_python/api/test_authz.py)0
-rw-r--r--moon_interface/tests/unit_python/conftest.py (renamed from moonv4/moon_interface/tests/unit_python/conftest.py)0
-rw-r--r--moon_interface/tests/unit_python/requirements.txt (renamed from moonv4/moon_interface/tests/unit_python/requirements.txt)0
-rw-r--r--moon_interface/tools/api2rst.py (renamed from moonv4/moon_interface/tools/api2rst.py)0
-rw-r--r--moon_interface/tools/get_keystone_token.py (renamed from moonv4/moon_interface/tools/get_keystone_token.py)0
-rw-r--r--moon_interface/tools/run.sh (renamed from moonv4/moon_interface/tools/run.sh)0
-rw-r--r--moon_manager/Dockerfile (renamed from moonv4/moon_manager/Dockerfile)0
-rw-r--r--moon_manager/LICENSE (renamed from moonv4/moon_manager/LICENSE)0
-rw-r--r--moon_manager/MANIFEST.in (renamed from moonv4/moon_manager/MANIFEST.in)0
-rw-r--r--moon_manager/README.rst (renamed from moonv4/moon_manager/README.rst)0
-rw-r--r--moon_manager/moon_manager/__init__.py (renamed from moonv4/moon_manager/moon_manager/__init__.py)0
-rw-r--r--moon_manager/moon_manager/__main__.py (renamed from moonv4/moon_manager/moon_manager/__main__.py)0
-rw-r--r--moon_manager/moon_manager/api/__init__.py (renamed from keystonemiddleware-moon/keystonemiddleware/moon_mgrs/abe_mgr/__init__.py)0
-rw-r--r--moon_manager/moon_manager/api/assignments.py (renamed from moonv4/moon_manager/moon_manager/api/assignments.py)0
-rw-r--r--moon_manager/moon_manager/api/containers.py (renamed from moonv4/moon_manager/moon_manager/api/containers.py)0
-rw-r--r--moon_manager/moon_manager/api/data.py (renamed from moonv4/moon_manager/moon_manager/api/data.py)0
-rw-r--r--moon_manager/moon_manager/api/generic.py (renamed from moonv4/moon_manager/moon_manager/api/generic.py)0
-rw-r--r--moon_manager/moon_manager/api/meta_data.py (renamed from moonv4/moon_manager/moon_manager/api/meta_data.py)0
-rw-r--r--moon_manager/moon_manager/api/meta_rules.py (renamed from moonv4/moon_manager/moon_manager/api/meta_rules.py)0
-rw-r--r--moon_manager/moon_manager/api/models.py (renamed from moonv4/moon_manager/moon_manager/api/models.py)0
-rw-r--r--moon_manager/moon_manager/api/pdp.py (renamed from moonv4/moon_manager/moon_manager/api/pdp.py)0
-rw-r--r--moon_manager/moon_manager/api/perimeter.py (renamed from moonv4/moon_manager/moon_manager/api/perimeter.py)0
-rw-r--r--moon_manager/moon_manager/api/policies.py (renamed from moonv4/moon_manager/moon_manager/api/policies.py)0
-rw-r--r--moon_manager/moon_manager/api/rules.py (renamed from moonv4/moon_manager/moon_manager/api/rules.py)0
-rw-r--r--moon_manager/moon_manager/http_server.py (renamed from moonv4/moon_manager/moon_manager/http_server.py)0
-rw-r--r--moon_manager/moon_manager/server.py (renamed from moonv4/moon_manager/moon_manager/server.py)0
-rw-r--r--moon_manager/requirements.txt (renamed from moonv4/moon_manager/requirements.txt)0
-rw-r--r--moon_manager/setup.py (renamed from moonv4/moon_manager/setup.py)0
-rw-r--r--moon_manager/tests/unit_python/__init__.py (renamed from keystonemiddleware-moon/keystonemiddleware/moon_mgrs/authz_mgr/__init__.py)0
-rw-r--r--moon_manager/tests/unit_python/api/__init__.py (renamed from keystonemiddleware-moon/keystonemiddleware/openstack/__init__.py)0
-rw-r--r--moon_manager/tests/unit_python/api/test_perimeter.py (renamed from moonv4/moon_manager/tests/unit_python/api/test_perimeter.py)0
-rw-r--r--moon_manager/tests/unit_python/conftest.py (renamed from moonv4/moon_manager/tests/unit_python/conftest.py)0
-rw-r--r--moon_manager/tests/unit_python/requirements.txt (renamed from moonv4/moon_manager/tests/unit_python/requirements.txt)0
-rw-r--r--moon_orchestrator/Changelog (renamed from moonv4/moon_orchestrator/Changelog)0
-rw-r--r--moon_orchestrator/Dockerfile (renamed from moonv4/moon_orchestrator/Dockerfile)0
-rw-r--r--moon_orchestrator/LICENSE (renamed from moonv4/moon_orchestrator/LICENSE)0
-rw-r--r--moon_orchestrator/MANIFEST.in (renamed from moonv4/moon_orchestrator/MANIFEST.in)0
-rw-r--r--moon_orchestrator/README.md (renamed from moonv4/moon_orchestrator/README.md)0
-rw-r--r--moon_orchestrator/conf/dockers/template.dockerfile (renamed from moonv4/moon_orchestrator/conf/dockers/template.dockerfile)0
-rw-r--r--moon_orchestrator/conf/moon.conf (renamed from moonv4/moon_orchestrator/conf/moon.conf)0
-rw-r--r--moon_orchestrator/conf/plugins/authz.py (renamed from moonv4/moon_orchestrator/conf/plugins/authz.py)0
-rw-r--r--moon_orchestrator/conf/plugins/session.py (renamed from moonv4/moon_orchestrator/conf/plugins/session.py)0
-rw-r--r--moon_orchestrator/conf/policies/policy_authz/assignment.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_authz/assignment.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_authz/metadata.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_authz/metadata.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_authz/metarule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_authz/metarule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_authz/perimeter.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_authz/perimeter.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_authz/rule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_authz/rule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_authz/scope.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_authz/scope.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_admin/assignment.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_admin/metadata.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_admin/metarule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_admin/rule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_admin/rule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_admin/scope.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_admin/scope.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_authz/assignment.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_authz/metadata.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_authz/metarule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_authz/rule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_authz/rule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_empty_authz/scope.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_empty_authz/scope.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_mls_authz/assignment.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_mls_authz/metadata.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_mls_authz/metarule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_mls_authz/rule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_mls_authz/scope.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_rbac_admin/rule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_rbac_admin/scope.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_root/assignment.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_root/assignment.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_root/metadata.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_root/metadata.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_root/metarule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_root/metarule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_root/perimeter.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_root/perimeter.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_root/rule.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_root/rule.json)0
-rw-r--r--moon_orchestrator/conf/policies/policy_root/scope.json (renamed from moonv4/moon_orchestrator/conf/policies/policy_root/scope.json)0
-rw-r--r--moon_orchestrator/moon_orchestrator/__init__.py (renamed from moonv4/moon_orchestrator/moon_orchestrator/__init__.py)0
-rw-r--r--moon_orchestrator/moon_orchestrator/__main__.py (renamed from moonv4/moon_orchestrator/moon_orchestrator/__main__.py)0
-rw-r--r--moon_orchestrator/moon_orchestrator/api/__init__.py (renamed from keystonemiddleware-moon/keystonemiddleware/openstack/common/__init__.py)0
-rw-r--r--moon_orchestrator/moon_orchestrator/api/generic.py (renamed from moonv4/moon_orchestrator/moon_orchestrator/api/generic.py)0
-rw-r--r--moon_orchestrator/moon_orchestrator/api/pods.py (renamed from moonv4/moon_orchestrator/moon_orchestrator/api/pods.py)0
-rw-r--r--moon_orchestrator/moon_orchestrator/drivers.py (renamed from moonv4/moon_orchestrator/moon_orchestrator/drivers.py)0
-rw-r--r--moon_orchestrator/moon_orchestrator/http_server.py (renamed from moonv4/moon_orchestrator/moon_orchestrator/http_server.py)0
-rw-r--r--moon_orchestrator/moon_orchestrator/server.py (renamed from moonv4/moon_orchestrator/moon_orchestrator/server.py)0
-rw-r--r--moon_orchestrator/requirements.txt (renamed from moonv4/moon_orchestrator/requirements.txt)0
-rw-r--r--moon_orchestrator/setup.py (renamed from moonv4/moon_orchestrator/setup.py)0
-rw-r--r--moon_orchestrator/tests/unit_python/conftest.py (renamed from moonv4/moon_orchestrator/tests/unit_python/conftest.py)0
-rw-r--r--moon_orchestrator/tests/unit_python/mock_pods.py (renamed from moonv4/moon_orchestrator/tests/unit_python/mock_pods.py)0
-rw-r--r--moon_orchestrator/tests/unit_python/requirements.txt (renamed from moonv4/moon_orchestrator/tests/unit_python/requirements.txt)0
-rw-r--r--moon_orchestrator/tests/unit_python/test_pods.py (renamed from moonv4/moon_orchestrator/tests/unit_python/test_pods.py)0
-rw-r--r--moon_orchestrator/tests/unit_python/utilities.py (renamed from moonv4/moon_orchestrator/tests/unit_python/utilities.py)0
-rw-r--r--moon_wrapper/Dockerfile (renamed from moonv4/moon_wrapper/Dockerfile)0
-rw-r--r--moon_wrapper/LICENSE (renamed from moonv4/moon_wrapper/LICENSE)0
-rw-r--r--moon_wrapper/MANIFEST.in (renamed from moonv4/moon_wrapper/MANIFEST.in)0
-rw-r--r--moon_wrapper/README.md (renamed from moonv4/moon_wrapper/README.md)0
-rw-r--r--moon_wrapper/moon_wrapper/__init__.py (renamed from moonv4/moon_wrapper/moon_wrapper/__init__.py)0
-rw-r--r--moon_wrapper/moon_wrapper/__main__.py (renamed from moonv4/moon_wrapper/moon_wrapper/__main__.py)0
-rw-r--r--moon_wrapper/moon_wrapper/api/__init__.py (renamed from keystonemiddleware-moon/keystonemiddleware/tests/__init__.py)0
-rw-r--r--moon_wrapper/moon_wrapper/api/generic.py (renamed from moonv4/moon_wrapper/moon_wrapper/api/generic.py)0
-rw-r--r--moon_wrapper/moon_wrapper/api/wrapper.py (renamed from moonv4/moon_wrapper/moon_wrapper/api/wrapper.py)0
-rw-r--r--moon_wrapper/moon_wrapper/http_server.py (renamed from moonv4/moon_wrapper/moon_wrapper/http_server.py)0
-rw-r--r--moon_wrapper/moon_wrapper/server.py (renamed from moonv4/moon_wrapper/moon_wrapper/server.py)0
-rw-r--r--moon_wrapper/requirements.txt (renamed from moonv4/moon_wrapper/requirements.txt)0
-rw-r--r--moon_wrapper/setup.py (renamed from moonv4/moon_wrapper/setup.py)0
-rw-r--r--moon_wrapper/tests/README.md (renamed from moonv4/moon_wrapper/tests/README.md)0
-rw-r--r--moon_wrapper/tests/unit_python/api/__init__.py (renamed from keystonemiddleware-moon/keystonemiddleware/tests/unit/__init__.py)0
-rw-r--r--moon_wrapper/tests/unit_python/api/test_wrapper.py (renamed from moonv4/moon_wrapper/tests/unit_python/api/test_wrapper.py)0
-rw-r--r--moon_wrapper/tests/unit_python/conftest.py (renamed from moonv4/moon_wrapper/tests/unit_python/conftest.py)0
-rw-r--r--moon_wrapper/tests/unit_python/requirements.txt (renamed from moonv4/moon_wrapper/tests/unit_python/requirements.txt)0
-rw-r--r--moonv4/moon_interface/.cache/v/cache/lastfailed1
-rw-r--r--moonv4/moon_manager/moon_manager/api/__init__.py0
-rw-r--r--moonv4/moon_manager/tests/unit_python/__init__.py0
-rw-r--r--moonv4/moon_manager/tests/unit_python/api/__init__.py0
-rw-r--r--moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py0
-rw-r--r--moonv4/moon_wrapper/moon_wrapper/api/__init__.py0
-rw-r--r--moonv4/moon_wrapper/tests/unit_python/api/__init__.py0
-rw-r--r--moonv4/python_moondb/python_moondb/api/__init__.py0
-rw-r--r--moonv4/python_moondb/python_moondb/migrate_repo/__init__.py0
-rw-r--r--moonv4/python_moondb/python_moondb/migrate_repo/versions/__init__.py0
-rw-r--r--moonv4/templates/moonforming/utils/__init__.py0
-rw-r--r--python_moonclient/Changelog (renamed from moonv4/python_moonclient/Changelog)0
-rw-r--r--python_moonclient/LICENSE (renamed from moonv4/python_moonclient/LICENSE)0
-rw-r--r--python_moonclient/MANIFEST.in (renamed from moonv4/python_moonclient/MANIFEST.in)0
-rw-r--r--python_moonclient/README.md (renamed from moonv4/python_moonclient/README.md)0
-rw-r--r--python_moonclient/python_moonclient/__init__.py (renamed from moonv4/python_moonclient/python_moonclient/__init__.py)0
-rw-r--r--python_moonclient/python_moonclient/authz.py (renamed from moonv4/python_moonclient/python_moonclient/authz.py)0
-rw-r--r--python_moonclient/python_moonclient/config.py (renamed from moonv4/python_moonclient/python_moonclient/config.py)0
-rw-r--r--python_moonclient/python_moonclient/models.py (renamed from moonv4/python_moonclient/python_moonclient/models.py)0
-rw-r--r--python_moonclient/python_moonclient/parse.py (renamed from moonv4/python_moonclient/python_moonclient/parse.py)0
-rw-r--r--python_moonclient/python_moonclient/pdp.py (renamed from moonv4/python_moonclient/python_moonclient/pdp.py)0
-rw-r--r--python_moonclient/python_moonclient/policies.py (renamed from moonv4/python_moonclient/python_moonclient/policies.py)0
-rw-r--r--python_moonclient/requirements.txt (renamed from moonv4/python_moonclient/requirements.txt)0
-rw-r--r--python_moonclient/setup.py (renamed from moonv4/python_moonclient/setup.py)0
-rw-r--r--python_moonclient/tests/unit_python/conftest.py (renamed from moonv4/python_moonclient/tests/unit_python/conftest.py)0
-rw-r--r--python_moonclient/tests/unit_python/mock_config.py (renamed from moonv4/python_moonclient/tests/unit_python/mock_config.py)0
-rw-r--r--python_moonclient/tests/unit_python/requirements.txt (renamed from moonv4/python_moonclient/tests/unit_python/requirements.txt)0
-rw-r--r--python_moonclient/tests/unit_python/test_config.py (renamed from moonv4/python_moonclient/tests/unit_python/test_config.py)0
-rw-r--r--python_moonclient/tests/unit_python/test_models.py (renamed from moonv4/python_moonclient/tests/unit_python/test_models.py)0
-rw-r--r--python_moonclient/tests/unit_python/test_pdp.py (renamed from moonv4/python_moonclient/tests/unit_python/test_pdp.py)0
-rw-r--r--python_moonclient/tests/unit_python/test_policies.py (renamed from moonv4/python_moonclient/tests/unit_python/test_policies.py)0
-rw-r--r--python_moonclient/tests/unit_python/utilities.py (renamed from moonv4/python_moonclient/tests/unit_python/utilities.py)0
-rw-r--r--python_moondb/Changelog (renamed from moonv4/python_moondb/Changelog)0
-rw-r--r--python_moondb/LICENSE (renamed from moonv4/python_moondb/LICENSE)0
-rw-r--r--python_moondb/MANIFEST.in (renamed from moonv4/python_moondb/MANIFEST.in)0
-rw-r--r--python_moondb/README.md (renamed from moonv4/python_moondb/README.md)0
-rw-r--r--python_moondb/bin/drop_tables.sql (renamed from moonv4/python_moondb/bin/drop_tables.sql)0
-rw-r--r--python_moondb/build.sh (renamed from moonv4/python_moondb/build.sh)0
-rw-r--r--python_moondb/python_moondb/__init__.py (renamed from moonv4/python_moondb/python_moondb/__init__.py)0
-rw-r--r--python_moondb/python_moondb/api/__init__.py (renamed from keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/__init__.py)0
-rw-r--r--python_moondb/python_moondb/api/keystone.py (renamed from moonv4/python_moondb/python_moondb/api/keystone.py)0
-rw-r--r--python_moondb/python_moondb/api/managers.py (renamed from moonv4/python_moondb/python_moondb/api/managers.py)0
-rw-r--r--python_moondb/python_moondb/api/model.py (renamed from moonv4/python_moondb/python_moondb/api/model.py)0
-rw-r--r--python_moondb/python_moondb/api/pdp.py (renamed from moonv4/python_moondb/python_moondb/api/pdp.py)0
-rw-r--r--python_moondb/python_moondb/api/policy.py (renamed from moonv4/python_moondb/python_moondb/api/policy.py)0
-rw-r--r--python_moondb/python_moondb/backends/__init__.py (renamed from moonv4/python_moondb/python_moondb/backends/__init__.py)0
-rw-r--r--python_moondb/python_moondb/backends/flat.py (renamed from moonv4/python_moondb/python_moondb/backends/flat.py)0
-rw-r--r--python_moondb/python_moondb/backends/sql.py (renamed from moonv4/python_moondb/python_moondb/backends/sql.py)0
-rw-r--r--python_moondb/python_moondb/core.py (renamed from moonv4/python_moondb/python_moondb/core.py)0
-rw-r--r--python_moondb/python_moondb/db_manager.py (renamed from moonv4/python_moondb/python_moondb/db_manager.py)0
-rw-r--r--python_moondb/python_moondb/migrate_repo/__init__.py (renamed from moonv4/moon_authz/moon_authz/api/__init__.py)0
-rw-r--r--python_moondb/python_moondb/migrate_repo/versions/001_moon.py (renamed from moonv4/python_moondb/python_moondb/migrate_repo/versions/001_moon.py)0
-rw-r--r--python_moondb/python_moondb/migrate_repo/versions/__init__.py (renamed from moonv4/moon_interface/moon_interface/api/__init__.py)0
-rw-r--r--python_moondb/requirements.txt (renamed from moonv4/python_moondb/requirements.txt)0
-rw-r--r--python_moondb/setup.py (renamed from moonv4/python_moondb/setup.py)0
-rw-r--r--python_moondb/tests/unit_python/conftest.py (renamed from moonv4/python_moondb/tests/unit_python/conftest.py)0
-rw-r--r--python_moondb/tests/unit_python/mock_components.py (renamed from moonv4/python_moondb/tests/unit_python/mock_components.py)0
-rw-r--r--python_moondb/tests/unit_python/mock_keystone.py (renamed from moonv4/python_moondb/tests/unit_python/mock_keystone.py)0
-rw-r--r--python_moondb/tests/unit_python/requirements.txt (renamed from moonv4/python_moondb/tests/unit_python/requirements.txt)0
-rw-r--r--python_moondb/tests/unit_python/test_policies.py (renamed from moonv4/python_moondb/tests/unit_python/test_policies.py)0
-rw-r--r--python_moondb/tests/unit_python/utilities.py (renamed from moonv4/python_moondb/tests/unit_python/utilities.py)0
-rw-r--r--python_moonutilities/Changelog (renamed from moonv4/python_moonutilities/Changelog)0
-rw-r--r--python_moonutilities/LICENSE (renamed from moonv4/python_moonutilities/LICENSE)0
-rw-r--r--python_moonutilities/MANIFEST.in (renamed from moonv4/python_moonutilities/MANIFEST.in)0
-rw-r--r--python_moonutilities/README.md (renamed from moonv4/python_moonutilities/README.md)0
-rw-r--r--python_moonutilities/python_moonutilities/__init__.py (renamed from moonv4/python_moonutilities/python_moonutilities/__init__.py)0
-rw-r--r--python_moonutilities/python_moonutilities/api.py (renamed from moonv4/python_moonutilities/python_moonutilities/api.py)0
-rw-r--r--python_moonutilities/python_moonutilities/auth.py (renamed from moonv4/python_moonutilities/python_moonutilities/auth.py)0
-rw-r--r--python_moonutilities/python_moonutilities/cache.py (renamed from moonv4/python_moonutilities/python_moonutilities/cache.py)0
-rw-r--r--python_moonutilities/python_moonutilities/configuration.py (renamed from moonv4/python_moonutilities/python_moonutilities/configuration.py)0
-rw-r--r--python_moonutilities/python_moonutilities/exceptions.py (renamed from moonv4/python_moonutilities/python_moonutilities/exceptions.py)0
-rw-r--r--python_moonutilities/python_moonutilities/misc.py (renamed from moonv4/python_moonutilities/python_moonutilities/misc.py)0
-rw-r--r--python_moonutilities/python_moonutilities/security_functions.py (renamed from moonv4/python_moonutilities/python_moonutilities/security_functions.py)0
-rw-r--r--python_moonutilities/requirements.txt (renamed from moonv4/python_moonutilities/requirements.txt)0
-rw-r--r--python_moonutilities/setup.py (renamed from moonv4/python_moonutilities/setup.py)0
-rw-r--r--python_moonutilities/tests/unit_python/conftest.py (renamed from moonv4/python_moonutilities/tests/unit_python/conftest.py)0
-rw-r--r--python_moonutilities/tests/unit_python/mock_cache.py (renamed from moonv4/python_moonutilities/tests/unit_python/mock_cache.py)0
-rw-r--r--python_moonutilities/tests/unit_python/mock_components.py (renamed from moonv4/python_moonutilities/tests/unit_python/mock_components.py)0
-rw-r--r--python_moonutilities/tests/unit_python/mock_keystone.py (renamed from moonv4/python_moonutilities/tests/unit_python/mock_keystone.py)0
-rw-r--r--python_moonutilities/tests/unit_python/requirements.txt (renamed from moonv4/python_moonutilities/tests/unit_python/requirements.txt)0
-rw-r--r--python_moonutilities/tests/unit_python/test_cache.py (renamed from moonv4/python_moonutilities/tests/unit_python/test_cache.py)0
-rw-r--r--python_moonutilities/tests/unit_python/test_configuration.py (renamed from moonv4/python_moonutilities/tests/unit_python/test_configuration.py)0
-rw-r--r--python_moonutilities/tests/unit_python/utilities.py (renamed from moonv4/python_moonutilities/tests/unit_python/utilities.py)0
-rw-r--r--templates/glance/policy.json (renamed from moonv4/templates/glance/policy.json)0
-rw-r--r--templates/moon_keystone/Dockerfile (renamed from moonv4/templates/moon_keystone/Dockerfile)0
-rw-r--r--templates/moon_keystone/README.md (renamed from moonv4/templates/moon_keystone/README.md)0
-rw-r--r--templates/moon_keystone/run.sh (renamed from moonv4/templates/moon_keystone/run.sh)0
-rw-r--r--templates/moonforming/Dockerfile (renamed from moonv4/templates/moonforming/Dockerfile)0
-rw-r--r--templates/moonforming/README.md (renamed from moonv4/templates/moonforming/README.md)0
-rw-r--r--templates/moonforming/conf/mls.py (renamed from moonv4/templates/moonforming/conf/mls.py)0
-rw-r--r--templates/moonforming/conf/rbac.py (renamed from moonv4/templates/moonforming/conf/rbac.py)0
-rw-r--r--templates/moonforming/conf2consul.py (renamed from moonv4/templates/moonforming/conf2consul.py)0
-rw-r--r--templates/moonforming/moon.conf (renamed from moonv4/templates/moonforming/moon.conf)0
-rw-r--r--templates/moonforming/populate_default_values.py (renamed from moonv4/templates/moonforming/populate_default_values.py)0
-rw-r--r--templates/moonforming/run.sh (renamed from moonv4/templates/moonforming/run.sh)0
-rw-r--r--templates/moonforming/utils/__init__.py (renamed from moonv4/moon_interface/tests/unit_python/api/__init__.py)0
-rw-r--r--templates/moonforming/utils/config.py (renamed from moonv4/templates/moonforming/utils/config.py)0
-rw-r--r--templates/moonforming/utils/models.py (renamed from moonv4/templates/moonforming/utils/models.py)0
-rw-r--r--templates/moonforming/utils/pdp.py (renamed from moonv4/templates/moonforming/utils/pdp.py)0
-rw-r--r--templates/moonforming/utils/policies.py (renamed from moonv4/templates/moonforming/utils/policies.py)0
-rw-r--r--templates/nova/policy.json (renamed from moonv4/templates/nova/policy.json)0
-rw-r--r--templates/python_unit_test/Dockerfile (renamed from moonv4/templates/python_unit_test/Dockerfile)0
-rw-r--r--templates/python_unit_test/README.md (renamed from moonv4/templates/python_unit_test/README.md)0
-rw-r--r--templates/python_unit_test/requirements.txt (renamed from moonv4/templates/python_unit_test/requirements.txt)0
-rw-r--r--templates/python_unit_test/run_tests.sh (renamed from moonv4/templates/python_unit_test/run_tests.sh)0
-rw-r--r--tests/get_keystone_projects.py (renamed from moonv4/tests/get_keystone_projects.py)0
-rw-r--r--tests/performance/README.md (renamed from moonv4/tests/performance/README.md)0
-rw-r--r--tests/populate_default_values.py (renamed from moonv4/tests/populate_default_values.py)0
-rwxr-xr-xtests/run_tests.py186
-rwxr-xr-xtests/run_tests.sh14
-rw-r--r--tests/scenario/delegation.py (renamed from moonv4/tests/scenario/delegation.py)0
-rw-r--r--tests/scenario/mls.py (renamed from moonv4/tests/scenario/mls.py)0
-rw-r--r--tests/scenario/rbac.py (renamed from moonv4/tests/scenario/rbac.py)0
-rw-r--r--tests/scenario/rbac_custom_100.py (renamed from moonv4/tests/scenario/rbac_custom_100.py)0
-rw-r--r--tests/scenario/rbac_custom_1000.py (renamed from moonv4/tests/scenario/rbac_custom_1000.py)0
-rw-r--r--tests/scenario/rbac_custom_50.py (renamed from moonv4/tests/scenario/rbac_custom_50.py)0
-rw-r--r--tests/scenario/rbac_large.py (renamed from moonv4/tests/scenario/rbac_large.py)0
-rw-r--r--tests/scenario/rbac_mls.py (renamed from moonv4/tests/scenario/rbac_mls.py)0
-rw-r--r--tests/scenario/session.py (renamed from moonv4/tests/scenario/session.py)0
-rw-r--r--tests/scenario/session_large.py (renamed from moonv4/tests/scenario/session_large.py)0
-rw-r--r--tests/send_authz.py (renamed from moonv4/tests/send_authz.py)0
-rw-r--r--upstream/odl-aaa-moon/aaa/.gitignore26
-rw-r--r--upstream/odl-aaa-moon/aaa/README.md62
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/pom.xml38
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/Makefile29
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/class_diagram.pngbin30016 -> 0 bytes
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/class_diagram.ucls127
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/credential_auth_sequence.pngbin29197 -> 0 bytes
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/credential_auth_sequence.wsd18
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/federated_auth_sequence.pngbin40566 -> 0 bytes
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/federated_auth_sequence.wsd24
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/mapping.rst1609
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/resource_access_sequence.pngbin38693 -> 0 bytes
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/resource_access_sequence.wsd25
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_01.diag6
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_01.svg32
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_02.diag18
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_02.svg79
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_03.diag31
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_03.svg143
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_04.diag25
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_04.svg100
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_05.svg613
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.pngbin39322 -> 0 bytes
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd23
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_configuration.rst1687
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java26
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationException.java31
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java42
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java56
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java37
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClientService.java20
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java28
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java15
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreException.java24
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreUtil.java40
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IIDMStore.java72
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IdMService.java39
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java20
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/SHA256Calculator.java74
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java37
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java25
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Claim.java60
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domain.java86
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domains.java34
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grant.java86
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grants.java35
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/IDMError.java61
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Role.java86
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Roles.java34
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/User.java126
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/UserPwd.java40
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Users.java34
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Version.java49
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-basic/pom.xml76
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/Activator.java31
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/HttpBasicAuth.java129
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/test/java/org/opendaylight/aaa/basic/HttpBasicAuthTest.java102
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/pom.xml132
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/Activator.java51
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ClaimAuthFilter.java249
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationConfiguration.java95
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationEndpoint.java149
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ServiceLocator.java83
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/SssdFilter.java151
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.properties11
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.xml19
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/WEB-INF/web.xml34
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/federation.cfg3
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/test/java/org/opendaylight/aaa/federation/FederationEndpointTest.java121
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-keystone/pom.xml106
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/Activator.java34
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/KeystoneTokenAuth.java39
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-api/pom.xml99
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-api/src/main/yang/aaa-authn-model.yang154
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-config/pom.xml40
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-config/src/main/resources/initial/08-authn-config.xml43
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/pom.xml169
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/AuthNStore.java263
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypter.java101
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMMDSALStore.java483
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMObject2MDSAL.java224
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMStore.java182
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtil.java140
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModule.java90
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModuleFactory.java46
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/yang/aaa-authn-mdsal-store-cfg.yang77
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataBrokerReadMocker.java112
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypterTest.java38
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTest.java175
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTestUtil.java181
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/MDSALConvertTest.java78
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtilTest.java88
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/pom.xml22
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sssd/pom.xml88
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/Activator.java28
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/SssdClaimAuth.java220
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-store/pom.xml100
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/Activator.java45
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/DefaultTokenStore.java154
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.properties14
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.xml22
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/tokens.cfg4
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-store/src/test/java/org/opendaylight/aaa/store/DefaultTokenStoreTest.java66
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/pom.xml112
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/Activator.java207
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousPasswordValidator.java30
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousRefreshTokenValidator.java29
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/OAuthRequest.java42
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/ServiceLocator.java141
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenAuthFilter.java148
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenEndpoint.java242
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/resources/WEB-INF/web.xml23
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/RestFixture.java34
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenAuthTest.java94
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenEndpointTest.java164
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/pom.xml103
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/Activator.java51
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationBuilder.java122
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationManager.java77
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/ClaimBuilder.java160
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/ClientManager.java88
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/EqualUtil.java42
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/HashCodeUtil.java104
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/PasswordCredentialBuilder.java87
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/SecureBlockingQueue.java258
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.properties12
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.xml16
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/authn.cfg2
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationBuilderTest.java129
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationManagerTest.java133
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/ClaimBuilderTest.java208
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/ClientManagerTest.java70
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/PasswordCredentialTest.java39
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/SecureBlockingQueueTest.java191
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml43
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml60
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml95
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang190
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml43
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml42
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml152
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java150
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java46
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java129
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java100
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java47
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java69
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java121
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java103
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java76
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java53
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang115
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java46
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-authz/pom.xml23
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-credential-store-api/pom.xml22
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-credential-store-api/src/main/yang/credential-model.yang47
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/.gitignore2
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/pom.xml160
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/config/IdmLightConfig.java133
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/AbstractStore.java187
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java166
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/GrantStore.java158
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/H2Store.java316
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/RoleStore.java151
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/StoreException.java29
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/UserStore.java202
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModule.java49
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModuleFactory.java29
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/resources/initial/08-aaa-h2-store-config.xml26
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/yang/aaa-h2-store.yang28
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/DomainStoreTest.java76
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/GrantStoreTest.java76
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/H2StoreTest.java187
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/RoleStoreTest.java76
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/UserStoreTest.java79
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/pom.xml229
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightApplication.java57
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightProxy.java208
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/StoreBuilder.java118
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/DomainHandler.java591
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/RoleHandler.java228
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java420
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/VersionHandler.java46
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModule.java90
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModuleFactory.java29
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/WEB-INF/web.xml77
-rwxr-xr-xupstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/idmtool.py255
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml26
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/yang/aaa-idmlight.yang28
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/persistence/PasswordHashTest.java93
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/DomainHandlerTest.java130
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/HandlerTest.java38
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/IDMTestStore.java271
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/RoleHandlerTest.java95
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/UserHandlerTest.java96
-rwxr-xr-xupstream/odl-aaa-moon/aaa/aaa-idmlight/tests/cleardb.sh5
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/domain.json5
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/domain2.json5
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/grant.json4
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/grant2.json4
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/result.json1
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/role-admin.json4
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/role-user.json4
-rwxr-xr-xupstream/odl-aaa-moon/aaa/aaa-idmlight/tests/test.sh308
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/user.json7
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/user2.json7
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/userpwd.json4
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/pom.xml84
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Activator.java25
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/IdpJson.java248
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidRuleException.java35
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidTypeException.java35
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidValueException.java35
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/RuleProcessor.java1368
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/StatementErrorException.java35
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Token.java401
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/UndefinedValueException.java34
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/RuleProcessorTest.java130
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/TokenTest.java66
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro-act/pom.xml84
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro-act/src/main/java/org/opendaylight/aaa/shiroact/Activator.java51
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro-act/src/test/java/org/opendaylight/aaa/shiroact/ActivatorTest.java25
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/pom.xml169
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/Activator.java45
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/ServiceProxy.java94
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/accounting/Accounter.java38
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRules.java78
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/RBACRule.java170
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAFilter.java72
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAShiroFilter.java51
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AuthenticationListener.java52
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AuthenticationTokenUtils.java129
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/MoonOAuthFilter.java186
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/ODLHttpAuthenticationFilter.java78
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonPrincipal.java160
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonTokenEndpoint.java30
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/MoonRealm.java99
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealm.java315
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmAuthNOnly.java102
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/RadiusRealm.java37
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/TACACSRealm.java38
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealm.java369
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironment.java125
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/WEB-INF/web.xml48
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/shiro.ini106
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/ServiceProxyTest.java45
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/TestAppender.java67
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRulesTest.java43
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/RBACRuleTest.java106
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/filters/AuthenticationListenerTest.java72
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/filters/AuthenticationTokenUtilsTest.java124
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmTest.java246
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealmTest.java139
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironmentTest.java76
-rw-r--r--upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/resources/logback-test.xml21
-rw-r--r--upstream/odl-aaa-moon/aaa/artifacts/pom.xml231
-rw-r--r--upstream/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsdbin206336 -> 0 bytes
-rw-r--r--upstream/odl-aaa-moon/aaa/commons/docs/direct_authn.pngbin22058 -> 0 bytes
-rw-r--r--upstream/odl-aaa-moon/aaa/commons/docs/federated_authn1.pngbin36542 -> 0 bytes
-rw-r--r--upstream/odl-aaa-moon/aaa/commons/docs/federated_authn2.pngbin35203 -> 0 bytes
-rw-r--r--upstream/odl-aaa-moon/aaa/commons/federation/README271
-rw-r--r--upstream/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example30
-rw-r--r--upstream/odl-aaa-moon/aaa/commons/federation/jetty.xml.example85
-rw-r--r--upstream/odl-aaa-moon/aaa/commons/federation/my_app.conf.example31
-rw-r--r--upstream/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection77
-rw-r--r--upstream/odl-aaa-moon/aaa/distribution-karaf/pom.xml291
-rw-r--r--upstream/odl-aaa-moon/aaa/features/api/pom.xml91
-rw-r--r--upstream/odl-aaa-moon/aaa/features/api/src/main/features/features.xml21
-rw-r--r--upstream/odl-aaa-moon/aaa/features/authn/pom.xml300
-rw-r--r--upstream/odl-aaa-moon/aaa/features/authn/src/main/features/features.xml249
-rw-r--r--upstream/odl-aaa-moon/aaa/features/authz/pom.xml101
-rw-r--r--upstream/odl-aaa-moon/aaa/features/authz/src/main/features/features.xml31
-rw-r--r--upstream/odl-aaa-moon/aaa/features/pom.xml19
-rw-r--r--upstream/odl-aaa-moon/aaa/features/shiro/pom.xml179
-rw-r--r--upstream/odl-aaa-moon/aaa/features/shiro/src/main/features/features.xml41
-rw-r--r--upstream/odl-aaa-moon/aaa/parent/pom.xml278
-rw-r--r--upstream/odl-aaa-moon/aaa/pom.xml50
902 files changed, 0 insertions, 44883 deletions
diff --git a/moonv4/DEV.md b/DEV.md
index 0dff2f17..0dff2f17 100644
--- a/moonv4/DEV.md
+++ b/DEV.md
diff --git a/moonv4/README.md b/README.md
index ba3604d6..ba3604d6 100644
--- a/moonv4/README.md
+++ b/README.md
diff --git a/README.rst b/README.rst
deleted file mode 100644
index d91649bf..00000000
--- a/README.rst
+++ /dev/null
@@ -1,35 +0,0 @@
-MOON OPNFV Repo
-===============
-
-keystone-moon
--------------
-
-this is a fork of OpenStack/keystone which adds an extension to Keystone for access control policy
-
-keystonemiddleware-moon
------------------------
-
-this is a fork of OpenStack/keystonemiddleware which enables access control policy enforcement of keystone-moon
-
-
-moonclient
-----------
-
-this is a command-line interface to manipulate keystone-moon
-
-
-moonv4
-------
-
-this is the new moon framework based on micro-service architectures
-
-
-upstream/odl-aaa-moon
----------------------
-
-this is a fork of OpenDaylight/aaa which adds a shiro filter/realm to delegate OpenDaylight authenticaiton to keystone-moon
-
-tests
------
-
-this contains tests for OPNFV/CI tests integration
diff --git a/moonv4/TODO b/TODO
index afdadf3c..afdadf3c 100644
--- a/moonv4/TODO
+++ b/TODO
diff --git a/moonv4/bin/README.md b/bin/README.md
index 3125c468..3125c468 100644
--- a/moonv4/bin/README.md
+++ b/bin/README.md
diff --git a/moonv4/bin/bootstrap.py b/bin/bootstrap.py
index 6f2a5e03..6f2a5e03 100644
--- a/moonv4/bin/bootstrap.py
+++ b/bin/bootstrap.py
diff --git a/moonv4/bin/build_all.sh b/bin/build_all.sh
index 5bbf6a19..5bbf6a19 100644
--- a/moonv4/bin/build_all.sh
+++ b/bin/build_all.sh
diff --git a/moonv4/bin/build_all_pip.sh b/bin/build_all_pip.sh
index 2b415bf0..2b415bf0 100644
--- a/moonv4/bin/build_all_pip.sh
+++ b/bin/build_all_pip.sh
diff --git a/moonv4/bin/delete_orchestrator.sh b/bin/delete_orchestrator.sh
index 95fcfddd..95fcfddd 100644
--- a/moonv4/bin/delete_orchestrator.sh
+++ b/bin/delete_orchestrator.sh
diff --git a/moonv4/bin/moon_lib_update.sh b/bin/moon_lib_update.sh
index 3925e336..3925e336 100644
--- a/moonv4/bin/moon_lib_update.sh
+++ b/bin/moon_lib_update.sh
diff --git a/moonv4/bin/set_auth.src b/bin/set_auth.src
index d955e30b..d955e30b 100644
--- a/moonv4/bin/set_auth.src
+++ b/bin/set_auth.src
diff --git a/moonv4/bin/start.sh b/bin/start.sh
index e95ac393..e95ac393 100755
--- a/moonv4/bin/start.sh
+++ b/bin/start.sh
diff --git a/moonv4/conf/moon.conf b/conf/moon.conf
index a5a40ad2..a5a40ad2 100644
--- a/moonv4/conf/moon.conf
+++ b/conf/moon.conf
diff --git a/keystonemiddleware-moon/.coveragerc b/keystonemiddleware-moon/.coveragerc
deleted file mode 100644
index 75b0fcb0..00000000
--- a/keystonemiddleware-moon/.coveragerc
+++ /dev/null
@@ -1,7 +0,0 @@
-[run]
-branch = True
-source = keystonemiddleware
-omit = keystonemiddleware/tests/*,keystonemiddleware/openstack/*
-
-[report]
-ignore-errors = True
diff --git a/keystonemiddleware-moon/.gitignore b/keystonemiddleware-moon/.gitignore
deleted file mode 100644
index bd6a3658..00000000
--- a/keystonemiddleware-moon/.gitignore
+++ /dev/null
@@ -1,55 +0,0 @@
-*.py[cod]
-
-# C extensions
-*.so
-
-# Packages
-*.egg
-*.egg-info
-dist
-build
-eggs
-parts
-bin
-var
-sdist
-develop-eggs
-.installed.cfg
-lib
-lib64
-
-# Installer logs
-pip-log.txt
-
-# Unit test / coverage reports
-.coverage
-.tox
-nosetests.xml
-.testrepository
-cover
-
-# Translations
-*.mo
-
-# Mr Developer
-.mr.developer.cfg
-.project
-.pydevproject
-
-# Complexity
-output/*.html
-output/*/index.html
-
-# Sphinx
-doc/build
-
-# pbr generates these
-AUTHORS
-ChangeLog
-
-# Editors
-*~
-.*.swp
-
-# Oslo Sync
-.update-venv
diff --git a/keystonemiddleware-moon/.gitreview b/keystonemiddleware-moon/.gitreview
deleted file mode 100644
index 99b3a27f..00000000
--- a/keystonemiddleware-moon/.gitreview
+++ /dev/null
@@ -1,4 +0,0 @@
-[gerrit]
-host=review.openstack.org
-port=29418
-project=openstack/keystonemiddleware.git
diff --git a/keystonemiddleware-moon/.testr.conf b/keystonemiddleware-moon/.testr.conf
deleted file mode 100644
index 06f67a02..00000000
--- a/keystonemiddleware-moon/.testr.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[DEFAULT]
-test_command=
- OS_STDOUT_CAPTURE=${OS_STDOUT_CAPTURE:-1} \
- OS_STDERR_CAPTURE=${OS_STDERR_CAPTURE:-1} \
- OS_LOG_CAPTURE=${OS_LOG_CAPTURE:-1} \
- ${PYTHON:-python} -m subunit.run discover -t ./ ./keystonemiddleware/tests $LISTOPT $IDOPTION
-test_id_option=--load-list $IDFILE
-test_list_option=--list
diff --git a/keystonemiddleware-moon/CONTRIBUTING.rst b/keystonemiddleware-moon/CONTRIBUTING.rst
deleted file mode 100644
index ba308f23..00000000
--- a/keystonemiddleware-moon/CONTRIBUTING.rst
+++ /dev/null
@@ -1,16 +0,0 @@
-If you would like to contribute to the development of OpenStack,
-you must follow the steps in this page:
-
- http://docs.openstack.org/infra/manual/developers.html
-
-Once those steps have been completed, changes to OpenStack
-should be submitted for review via the Gerrit tool, following
-the workflow documented at:
-
- http://docs.openstack.org/infra/manual/developers.html#development-workflow
-
-Pull requests submitted through GitHub will be ignored.
-
-Bugs should be filed on Launchpad, not GitHub:
-
- https://bugs.launchpad.net/keystonemiddleware
diff --git a/keystonemiddleware-moon/HACKING.rst b/keystonemiddleware-moon/HACKING.rst
deleted file mode 100644
index 77de6b32..00000000
--- a/keystonemiddleware-moon/HACKING.rst
+++ /dev/null
@@ -1,24 +0,0 @@
-Keystone Style Commandments
-===========================
-
-- Step 1: Read the OpenStack Style Commandments
- http://docs.openstack.org/developer/hacking/
-- Step 2: Read on
-
-Exceptions
-----------
-
-When dealing with exceptions from underlying libraries, translate those
-exceptions to an instance or subclass of ClientException.
-
-=======
-Testing
-=======
-
-Keystone Middleware uses testtools and testr for its unittest suite
-and its test runner. Basic workflow around our use of tox and testr can
-be found at http://wiki.openstack.org/testr. If you'd like to learn more
-in depth:
-
- https://testtools.readthedocs.org/
- https://testrepository.readthedocs.org/
diff --git a/keystonemiddleware-moon/LICENSE b/keystonemiddleware-moon/LICENSE
deleted file mode 100644
index 4a5b9421..00000000
--- a/keystonemiddleware-moon/LICENSE
+++ /dev/null
@@ -1,210 +0,0 @@
-Copyright (c) 2009 Jacob Kaplan-Moss - initial codebase (< v2.1)
-Copyright (c) 2011 Rackspace - OpenStack extensions (>= v2.1)
-Copyright (c) 2011 Nebula, Inc - Keystone refactor (>= v2.7)
-Copyright (c) 2017 Orange - Moon platform (>= v3.0)
-All rights reserved.
-
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
---- License for python-keystoneclient versions prior to 2.1 ---
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- 3. Neither the name of this project nor the names of its contributors may
- be used to endorse or promote products derived from this software without
- specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/keystonemiddleware-moon/MANIFEST.in b/keystonemiddleware-moon/MANIFEST.in
deleted file mode 100644
index 29c06765..00000000
--- a/keystonemiddleware-moon/MANIFEST.in
+++ /dev/null
@@ -1,7 +0,0 @@
-include README.rst
-include AUTHORS HACKING LICENSE
-include ChangeLog
-include run_tests.sh tox.ini
-recursive-include doc *
-recursive-include tests *
-recursive-include tools *
diff --git a/keystonemiddleware-moon/README.rst b/keystonemiddleware-moon/README.rst
deleted file mode 100644
index fcbdbdde..00000000
--- a/keystonemiddleware-moon/README.rst
+++ /dev/null
@@ -1,19 +0,0 @@
-Middleware for the OpenStack Identity API (Keystone)
-====================================================
-
-This package contains middleware modules designed to provide authentication and
-authorization features to web services other than `Keystone
-<https://github.com/openstack/keystone>`. The most prominent module is
-``keystonemiddleware.auth_token``. This package does not expose any CLI or
-Python API features.
-
-For information on contributing, see ``CONTRIBUTING.rst``.
-
-* License: Apache License, Version 2.0
-* Documentation: http://docs.openstack.org/developer/keystonemiddleware
-* Source: http://git.openstack.org/cgit/openstack/keystonemiddleware
-* Bugs: http://bugs.launchpad.net/keystonemiddleware
-
-For any other information, refer to the parent project, Keystone:
-
- https://github.com/openstack/keystone
diff --git a/keystonemiddleware-moon/babel.cfg b/keystonemiddleware-moon/babel.cfg
deleted file mode 100644
index 79cd39bf..00000000
--- a/keystonemiddleware-moon/babel.cfg
+++ /dev/null
@@ -1,3 +0,0 @@
-[python: **.py]
-
-
diff --git a/keystonemiddleware-moon/bandit.yaml b/keystonemiddleware-moon/bandit.yaml
deleted file mode 100644
index d4e7dbca..00000000
--- a/keystonemiddleware-moon/bandit.yaml
+++ /dev/null
@@ -1,134 +0,0 @@
-# optional: after how many files to update progress
-#show_progress_every: 100
-
-# optional: plugins directory name
-#plugins_dir: 'plugins'
-
-# optional: plugins discovery name pattern
-plugin_name_pattern: '*.py'
-
-# optional: terminal escape sequences to display colors
-#output_colors:
-# DEFAULT: '\033[0m'
-# HEADER: '\033[95m'
-# INFO: '\033[94m'
-# WARN: '\033[93m'
-# ERROR: '\033[91m'
-
-# optional: log format string
-#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
-
-# globs of files which should be analyzed
-include:
- - '*.py'
- - '*.pyw'
-
-# a list of strings, which if found in the path will cause files to be excluded
-# for example /tests/ - to remove all all files in tests directory
-exclude_dirs:
- - '/tests/'
-
-profiles:
- keystone_conservative:
- include:
- - blacklist_functions
- - blacklist_imports
- - request_with_no_cert_validation
- - exec_used
- - set_bad_file_permissions
- - subprocess_popen_with_shell_equals_true
- - linux_commands_wildcard_injection
- - ssl_with_bad_version
-
-
- keystone_verbose:
- include:
- - blacklist_functions
- - blacklist_imports
- - request_with_no_cert_validation
- - exec_used
- - set_bad_file_permissions
- - hardcoded_tmp_directory
- - subprocess_popen_with_shell_equals_true
- - any_other_function_with_shell_equals_true
- - linux_commands_wildcard_injection
- - ssl_with_bad_version
- - ssl_with_bad_defaults
-
-blacklist_functions:
- bad_name_sets:
- - pickle:
- qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
- cPickle.loads, cPickle.load, cPickle.Unpickler]
- message: "Pickle library appears to be in use, possible security issue."
- - marshal:
- qualnames: [marshal.load, marshal.loads]
- message: "Deserialization with the marshal module is possibly dangerous."
- - md5:
- qualnames: [hashlib.md5]
- message: "Use of insecure MD5 hash function."
- - mktemp_q:
- qualnames: [tempfile.mktemp]
- message: "Use of insecure and deprecated function (mktemp)."
- - eval:
- qualnames: [eval]
- message: "Use of possibly insecure function - consider using safer ast.literal_eval."
- - mark_safe:
- names: [mark_safe]
- message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed."
- - httpsconnection:
- qualnames: [httplib.HTTPSConnection]
- message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
- - yaml_load:
- qualnames: [yaml.load]
- message: "Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load()."
- - urllib_urlopen:
- qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
- message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
-
-shell_injection:
- # Start a process using the subprocess module, or one of its wrappers.
- subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
- subprocess.check_output, utils.execute, utils.execute_with_timeout]
- # Start a process with a function vulnerable to shell injection.
- shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
- popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
- popen2.Popen4, commands.getoutput, commands.getstatusoutput]
- # Start a process with a function that is not vulnerable to shell injection.
- no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
- os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
- os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
- os.startfile]
-
-blacklist_imports:
- bad_import_sets:
- - telnet:
- imports: [telnetlib]
- level: ERROR
- message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
-
-hardcoded_password:
- word_list: "wordlist/default-passwords"
-
-ssl_with_bad_version:
- bad_protocol_versions:
- - 'PROTOCOL_SSLv2'
- - 'SSLv2_METHOD'
- - 'SSLv23_METHOD'
- - 'PROTOCOL_SSLv3' # strict option
- - 'PROTOCOL_TLSv1' # strict option
- - 'SSLv3_METHOD' # strict option
- - 'TLSv1_METHOD' # strict option
-
-password_config_option_not_marked_secret:
- function_names:
- - oslo.config.cfg.StrOpt
- - oslo_config.cfg.StrOpt
-
-execute_with_run_as_root_equals_true:
- function_names:
- - ceilometer.utils.execute
- - cinder.utils.execute
- - neutron.agent.linux.utils.execute
- - nova.utils.execute
- - nova.utils.trycmd
diff --git a/keystonemiddleware-moon/debian/changelog b/keystonemiddleware-moon/debian/changelog
deleted file mode 100644
index ffc44169..00000000
--- a/keystonemiddleware-moon/debian/changelog
+++ /dev/null
@@ -1,121 +0,0 @@
-python-keystonemiddleware (4.4.0-4) UNRELEASED; urgency=medium
-
- * Standards-Version is 3.9.8 now (no change)
- * d/rules: Changed UPSTREAM_GIT protocol to https
- * d/copyright: Changed source URL to https protocol
-
- -- Ondřej Nový <novy@ondrej.org> Sat, 09 Apr 2016 19:27:43 +0200
-
-python-keystonemiddleware (4.4.0-3) unstable; urgency=medium
-
- * Re-add missing auth options in oslo-config-generator:
- - Add re-add-missing-auth-options.patch
- - Disable now failing unit tests.
-
- -- Thomas Goirand <zigo@debian.org> Wed, 06 Apr 2016 22:16:03 +0000
-
-python-keystonemiddleware (4.4.0-2) unstable; urgency=medium
-
- * Added git as build-depends-indep.
-
- -- Thomas Goirand <zigo@debian.org> Mon, 04 Apr 2016 11:22:51 +0000
-
-python-keystonemiddleware (4.4.0-1) unstable; urgency=medium
-
- [ Ondřej Nový ]
- * Fixed homepage (https).
- * Fixed VCS URLs (https).
-
- [ Thomas Goirand ]
- * New upstream release.
- * Uploading to unstable.
- * Fixed (build-)depends for this release.
- * Standards-Version: 3.9.7 (no change).
-
- -- Thomas Goirand <zigo@debian.org> Mon, 04 Apr 2016 12:21:37 +0200
-
-python-keystonemiddleware (4.0.0-1) experimental; urgency=medium
-
- * New upstream release.
- * Fixed (build-)depends for this release.
- * Also test with Python 3.
- * Fixed debian/copyright ordering.
-
- -- Thomas Goirand <zigo@debian.org> Thu, 10 Dec 2015 16:29:42 +0100
-
-python-keystonemiddleware (3.0.0-1) experimental; urgency=medium
-
- * New upstream release.
- * Fixed (build-)depends for this release.
-
- -- Thomas Goirand <zigo@debian.org> Fri, 04 Dec 2015 11:02:00 +0100
-
-python-keystonemiddleware (2.3.0-3) unstable; urgency=medium
-
- * Uploading to unstable.
-
- -- Thomas Goirand <zigo@debian.org> Fri, 16 Oct 2015 10:04:17 +0000
-
-python-keystonemiddleware (2.3.0-2) experimental; urgency=medium
-
- * Added Python 3 support.
-
- -- Thomas Goirand <zigo@debian.org> Sat, 03 Oct 2015 19:48:25 +0200
-
-python-keystonemiddleware (2.3.0-1) experimental; urgency=medium
-
- * New upstream release.
- * Align dependencies with upstream.
- * d/control: Update uploaders.
-
- -- Corey Bryant <corey.bryant@canonical.com> Wed, 30 Sep 2015 14:42:41 -0400
-
-python-keystonemiddleware (2.1.0-2) experimental; urgency=medium
-
- * Removed python-bandit build-depends.
-
- -- Thomas Goirand <zigo@debian.org> Thu, 30 Jul 2015 20:50:50 +0000
-
-python-keystonemiddleware (2.1.0-1) experimental; urgency=medium
-
- * New upstream release.
- * Fixed (build-)depends for this release.
- * Fixed watch file.
-
- -- Thomas Goirand <zigo@debian.org> Thu, 30 Jul 2015 07:38:14 +0000
-
-python-keystonemiddleware (1.5.0-2) unstable; urgency=high
-
- * CVE-2015-1852: S3Token TLS cert verification option not honored. Applied
- upstream patch.
-
- -- Thomas Goirand <zigo@debian.org> Wed, 17 Jun 2015 08:28:00 +0000
-
-python-keystonemiddleware (1.5.0-1) unstable; urgency=medium
-
- * New upstream release.
- * Fixed (build-)depends for this release.
- * Removed nature.css from debian/copyright (and it's BSD licence).
-
- -- Thomas Goirand <zigo@debian.org> Wed, 08 Apr 2015 10:08:46 +0200
-
-python-keystonemiddleware (1.0.0-3) unstable; urgency=medium
-
- * Added CVE-2014-7144_convert_the_conf_value_into_correct_type.patch. Thanks
- to Luciano Bello <luciano@debian.org> for the report (Closes: #762748).
-
- -- Thomas Goirand <zigo@debian.org> Thu, 25 Sep 2014 07:16:29 +0000
-
-python-keystonemiddleware (1.0.0-2) unstable; urgency=medium
-
- * Do not attempt to run unit tests in Python 2.6, as it needs the discover
- package, which we don't want as build-depends.
- * Removes intersphinx plugin from docs build.
-
- -- Thomas Goirand <zigo@debian.org> Mon, 28 Jul 2014 00:29:44 +0800
-
-python-keystonemiddleware (1.0.0-1) unstable; urgency=medium
-
- * Initial release. (Closes: #755135)
-
- -- Thomas Goirand <zigo@debian.org> Tue, 08 Jul 2014 14:25:47 +0800
diff --git a/keystonemiddleware-moon/debian/compat b/keystonemiddleware-moon/debian/compat
deleted file mode 100644
index ec635144..00000000
--- a/keystonemiddleware-moon/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-9
diff --git a/keystonemiddleware-moon/debian/control b/keystonemiddleware-moon/debian/control
deleted file mode 100644
index a6dd5eab..00000000
--- a/keystonemiddleware-moon/debian/control
+++ /dev/null
@@ -1,136 +0,0 @@
-Source: python-keystonemiddleware
-Section: python
-Priority: optional
-Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
-Uploaders: Thomas Goirand <zigo@debian.org>,
- Corey Bryant <corey.bryant@canonical.com>,
-Build-Depends: debhelper (>= 9),
- dh-python,
- openstack-pkg-tools,
- python-all,
- python-pbr (>= 1.8),
- python-setuptools,
- python-sphinx,
- python3-all,
- python3-pbr (>= 1.8),
- python3-setuptools,
-Build-Depends-Indep: git,
- python-bandit,
- python-coverage,
- python-crypto,
- python-fixtures (>= 1.3.1),
- python-hacking,
- python-keystoneauth1 (>= 2.1.0),
- python-keystoneclient (>= 1:1.6.0),
- python-memcache (>= 1.56),
- python-mock (>= 1.2),
- python-oslo.config (>= 1:3.7.0),
- python-oslo.context (>= 0.2.0),
- python-oslo.i18n (>= 2.1.0),
- python-oslo.messaging (>= 4.0.0),
- python-oslo.serialization (>= 1.10.0),
- python-oslo.utils (>= 3.5.0),
- python-oslosphinx (>= 2.5.0),
- python-oslotest (>= 1.10.0),
- python-positional (>= 1.0.1),
- python-pycadf (>= 1.1.0),
- python-requests (>= 2.8.1),
- python-requests-mock (>= 0.7.0),
- python-six (>= 1.9.0),
- python-stevedore (>= 1.5.0),
- python-testresources,
- python-testtools (>= 1.4.0),
- python-webob,
- python3-bandit,
- python3-crypto,
- python3-fixtures (>= 1.3.1),
- python3-keystoneauth1 (>= 2.1.0),
- python3-keystoneclient (>= 1:1.6.0),
- python3-memcache (>= 1.56),
- python3-mock (>= 1.2),
- python3-oslo.config (>= 1:3.7.0),
- python3-oslo.context (>= 0.2.0),
- python3-oslo.i18n (>= 2.1.0),
- python3-oslo.messaging (>= 4.0.0),
- python3-oslo.serialization (>= 1.10.0),
- python3-oslo.utils (>= 3.5.0),
- python3-oslotest (>= 1.10.0),
- python3-positional (>= 1.0.1),
- python3-pycadf (>= 1.1.0),
- python3-requests (>= 2.8.1),
- python3-requests-mock (>= 0.7.0),
- python3-six (>= 1.9.0),
- python3-stevedore (>= 1.5.0),
- python3-subunit,
- python3-testresources,
- python3-testtools (>= 1.4.0),
- python3-webob,
- subunit,
- testrepository,
-Standards-Version: 3.9.8
-Vcs-Browser: https://anonscm.debian.org/cgit/openstack/python-keystonemiddleware.git/
-Vcs-Git: https://anonscm.debian.org/git/openstack/python-keystonemiddleware.git
-Homepage: https://launchpad.net/keystonemiddleware
-
-Package: python-keystonemiddleware
-Architecture: all
-Depends: python-keystoneauth1 (>= 2.1.0),
- python-keystoneclient (>= 1:1.6.0),
- python-oslo.config (>= 1:3.7.0),
- python-oslo.context (>= 0.2.0),
- python-oslo.i18n (>= 2.1.0),
- python-oslo.serialization (>= 1.10.0),
- python-oslo.utils (>= 3.5.0),
- python-pbr (>= 1.8),
- python-positional (>= 1.0.1),
- python-pycadf (>= 1.1.0),
- python-requests (>= 2.8.1),
- python-six (>= 1.9.0),
- python-webob,
- ${misc:Depends},
- ${python:Depends},
-Description: Middleware for OpenStack Identity (Keystone) - Python 2.x
- This package contains middleware modules designed to provide authentication
- and authorization features to web services other than Keystone. The most
- prominent module is keystonemiddleware.auth_token. This package does not
- expose any CLI or Python API features.
- .
- This package contains the Python 2.x module.
-
-Package: python3-keystonemiddleware
-Architecture: all
-Depends: python3-keystoneauth1 (>= 2.1.0),
- python3-keystoneclient (>= 1:1.6.0),
- python3-oslo.config (>= 1:3.7.0),
- python3-oslo.context (>= 0.2.0),
- python3-oslo.i18n (>= 2.1.0),
- python3-oslo.serialization (>= 1.10.0),
- python3-oslo.utils (>= 3.5.0),
- python3-pbr (>= 1.8),
- python3-positional (>= 1.0.1),
- python3-pycadf (>= 1.1.0),
- python3-requests (>= 2.8.1),
- python3-six (>= 1.9.0),
- python3-webob,
- ${misc:Depends},
- ${python3:Depends},
-Description: Middleware for OpenStack Identity (Keystone) - Python 3.x
- This package contains middleware modules designed to provide authentication
- and authorization features to web services other than Keystone. The most
- prominent module is keystonemiddleware.auth_token. This package does not
- expose any CLI or Python API features.
- .
- This package contains the Python 3.x module.
-
-Package: python-keystonemiddleware-doc
-Section: doc
-Architecture: all
-Depends: ${misc:Depends},
- ${sphinxdoc:Depends},
-Description: Middleware for OpenStack Identity (Keystone) - doc
- This package contains middleware modules designed to provide authentication
- and authorization features to web services other than Keystone. The most
- prominent module is keystonemiddleware.auth_token. This package does not
- expose any CLI or Python API features.
- .
- This package contains the documentation.
diff --git a/keystonemiddleware-moon/debian/copyright b/keystonemiddleware-moon/debian/copyright
deleted file mode 100644
index cae54f2a..00000000
--- a/keystonemiddleware-moon/debian/copyright
+++ /dev/null
@@ -1,27 +0,0 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: keystonemiddleware
-Source: https://launchpad.net/keystonemiddleware
-
-Files: *
-Copyright: (c) 2013-2016, OpenStack Foundation <openstack-dev@lists.openstack.org>
-License: Apache-2
-
-Files: debian/*
-Copyright: (c) 2014-2016, Thomas Goirand <zigo@debian.org>
-License: Apache-2
-
-License: Apache-2
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- .
- http://www.apache.org/licenses/LICENSE-2.0
- .
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- .
- On Debian-based systems the full text of the Apache version 2.0 license
- can be found in /usr/share/common-licenses/Apache-2.0.
diff --git a/keystonemiddleware-moon/debian/create_deb.py b/keystonemiddleware-moon/debian/create_deb.py
deleted file mode 100644
index 03d6b790..00000000
--- a/keystonemiddleware-moon/debian/create_deb.py
+++ /dev/null
@@ -1,196 +0,0 @@
-#!/usr/bin/env python3.5
-
-import os
-import sys
-import subprocess
-import glob
-import argparse
-
-
-parser = argparse.ArgumentParser()
-parser.add_argument('--src', help='Do not clone Moon repository, use SRC as source directory', dest="src")
-args = parser.parse_args()
-
-
-TMP_DIR = "/tmp/debian-moon"
-MOON_DIR = os.path.join(TMP_DIR, "moon")
-INIT_dir = os.path.split(os.path.abspath(sys.argv[0]))[0]
-
-print("init dir: {}".format(INIT_dir))
-
-_run = subprocess.run(["mkdir", "-p", TMP_DIR])
-if _run.returncode != 0:
- exit("\033[31mCannot create tmp dir\033[m")
-
-os.chdir(TMP_DIR)
-
-_run = subprocess.run(["sudo", "apt-get", "install", "-y", "git"])
-if _run.returncode != 0:
- exit("\033[31mCannot install Git\033[m")
-
-# print("\033[32mCloning Debian version\033[m")
-# _run = subprocess.run(["git", "clone", "https://anonscm.debian.org/git/openstack/python-keystonemiddleware.git"])
-# if _run.returncode != 0:
-# os.chdir(os.path.join(TMP_DIR, "python-keystonemiddleware"))
-# _run = subprocess.run(["git", "pull"])
-# if _run.returncode != 0:
-# print("\033[31mCannot clone ou pull debian version\033[m")
-
-os.chdir(TMP_DIR)
-
-if args.src:
- print("\033[32mUsing {} as source directory\033[m".format(args.src))
- MOON_DIR = args.src
-else:
- print("\033[32mCloning Moon project\033[m")
- _run = subprocess.run(["git", "clone", "https://git.opnfv.org/moon"])
- if _run.returncode != 0:
- os.chdir(os.path.join(TMP_DIR, "moon"))
- _run = subprocess.run(["git", "pull"])
- if _run.returncode != 0:
- print("\033[31mCannot clone Moon project\033[m")
-
-os.chdir(TMP_DIR)
-
-# src_path = os.path.join(TMP_DIR, "python-keystonemiddleware", "debian")
-# dst_path = os.path.join(TMP_DIR, "moon", "keystonemiddleware-moon")
-# print("\033[32mCopying from {} to {}\033[m".format(src_path, dst_path))
-# _run = subprocess.run(["cp",
-# "-rv",
-# src_path,
-# dst_path])
-
-print("\033[32mBuilding Moon project\033[m")
-os.chdir(os.path.join(MOON_DIR, "keystonemiddleware-moon"))
-
-mandatory_deb_pkg = """dh-apparmor
-dh-systemd
-openstack-pkg-tools
-python-all python-pbr
-python-sphinx
-python-bashate
-python-keystonemiddleware
-python-ldap
-python-ldappool
-python-memcache
-python-migrate
-python-mock
-python-msgpack
-python-oslo.cache
-python-oslo.concurrency
-python-oslo.config
-python-oslo.context
-python-oslo.db
-python-oslo.i18n
-python-oslo.log
-python-oslo.messaging
-python-oslo.policy
-python-oslo.serialization
-python-oslo.service
-python-oslo.utils
-python-oslosphinx
-python-oslotest
-python-os-testr
-python-passlib
-python-paste
-python-pastedeploy
-python-pycadf
-python-pymongo
-python-pysaml2
-python-pysqlite2
-python-routes
-python-sqlalchemy
-python-stevedore
-python-testscenarios
-python-testtools
-python-unittest2
-python-webob
-python-webtest
-subunit
-testrepository
-python-coverage
-python-dogpile.cache
-python-eventlet
-python-hacking
-python-oslo.cache
-python-oslo.concurrency
-python-oslo.config
-python-oslo.db
-python-oslo.log
-python-oslo.messaging
-python-oslo.middleware
-python-tempest-lib
-python-oauthlib
-python-pam
-python3-all
-python3-setuptools
-python-bandit
-python-requests-mock
-python-testresources
-python3-bandit
-python3-crypto
-python3-keystoneauth1
-python3-keystoneclient
-python3-memcache
-python3-mock
-python3-oslo.config
-python3-oslo.context
-python3-oslo.i18n
-python3-oslo.messaging
-python3-oslo.serialization
-python3-oslo.utils
-python3-oslotest
-python3-positional
-python3-pycadf
-python3-requests-mock
-python3-stevedore
-python3-testresources
-python3-webob
-"""
-
-_command = ["sudo", "apt-get", "install", "-y"]
-_command.extend(mandatory_deb_pkg.split())
-_run = subprocess.run(_command)
-
-print("\033[32mremove a Debian patch as it inserts a bug in Moon\033[m")
-series_filename = os.path.join(MOON_DIR, "keystonemiddleware-moon",
- "debian", "patches", "series")
-series_lines = open(series_filename).readlines()
-
-output = open(series_filename, "w")
-for line in series_lines:
- if "re-add-missing-auth-options.patch" not in line:
- output.write(line)
- output.write("\n")
-output.close()
-os.remove(os.path.join(MOON_DIR, "keystonemiddleware-moon",
- "debian", "patches", "re-add-missing-auth-options.patch"))
-
-os.putenv("DEB_BUILD_OPTIONS", "nocheck")
-
-changelog = open(os.path.join(MOON_DIR, "keystonemiddleware-moon", "debian", "changelog"), "rt")
-changelog_str = changelog.read()
-# print(changelog_str.splitlines()[0])
-current_version = changelog_str.splitlines()[0].split("(")[1].split(")")[0]
-changelog.close()
-changelog = open(os.path.join(MOON_DIR, "keystonemiddleware-moon", "debian", "changelog"), "wt")
-changelog.write("""python-keystonemiddleware ({version}) UNRELEASED; urgency=medium
-
- * integration of the Moon platform.
-
- -- Thomas Duval <thomas.duval@orange.com> {date}
-
-""".format(
- version=current_version+"-moon",
- date=subprocess.Popen(["date"], stdin=None, stdout=subprocess.PIPE).communicate()[0].decode("utf-8").strip()))
-changelog.write(changelog_str)
-changelog.close()
-
-_run = subprocess.run(["dpkg-buildpackage", "-b", "-us"])
-
-print("\033[32mResults:\033[m")
-subprocess.run(["mkdir", "-p", "/tmp/deb"])
-
-files = glob.glob(os.path.join(MOON_DIR, "*.deb"))
-for _file in files:
- subprocess.run(["mv", "-v", _file, "/tmp/deb/"])
diff --git a/keystonemiddleware-moon/debian/gbp.conf b/keystonemiddleware-moon/debian/gbp.conf
deleted file mode 100644
index 7436424b..00000000
--- a/keystonemiddleware-moon/debian/gbp.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-[DEFAULT]
-upstream-branch = master
-debian-branch = debian/mitaka
-upstream-tag = %(version)s
-compression = xz
-
-[buildpackage]
-export-dir = ../build-area/
-
diff --git a/keystonemiddleware-moon/debian/patches/no-intersphinx.patch b/keystonemiddleware-moon/debian/patches/no-intersphinx.patch
deleted file mode 100644
index a5e25751..00000000
--- a/keystonemiddleware-moon/debian/patches/no-intersphinx.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Description: Remove the intersphinx plugin.
- Do not use the intersphinx plugin which is doing network access during
- the build.
-Author: Thomas Goirand <zigo@debian.org>
-Forwarded: no
-Last-Update: 2014-07-28
-
---- python-keystonemiddleware-1.0.0.orig/doc/source/conf.py
-+++ python-keystonemiddleware-1.0.0/doc/source/conf.py
-@@ -42,7 +42,6 @@ sys.path.insert(0, os.path.abspath(os.pa
- extensions = ['sphinx.ext.autodoc',
- 'sphinx.ext.todo',
- 'sphinx.ext.coverage',
-- 'sphinx.ext.intersphinx',
- # NOTE(blk-u): Uncomment the [pbr] section in setup.cfg and
- # remove this Sphinx extension when
- # https://launchpad.net/bugs/1260495 is fixed.
diff --git a/keystonemiddleware-moon/debian/patches/re-add-missing-auth-options.patch b/keystonemiddleware-moon/debian/patches/re-add-missing-auth-options.patch
deleted file mode 100644
index fc981d0c..00000000
--- a/keystonemiddleware-moon/debian/patches/re-add-missing-auth-options.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Description: Re-add missing auth options
- Upstream went a bit quick to remove Auth options from the default generated
- config files.
-Author: Thomas Goirand <zigo@debian.org>
-Forwarded: no
-Last-Update: 2016-04-07
-
---- python-keystonemiddleware-4.4.0.orig/keystonemiddleware/auth_token/__init__.py
-+++ python-keystonemiddleware-4.4.0/keystonemiddleware/auth_token/__init__.py
-@@ -370,7 +370,7 @@ _OPTS = [
- ' only while migrating from a less secure algorithm to a more'
- ' secure one. Once all the old tokens are expired this option'
- ' should be set to a single value for better performance.'),
--]
-+] + _auth.OPTS
-
- CONF = cfg.CONF
- CONF.register_opts(_OPTS, group=_base.AUTHTOKEN_GROUP)
diff --git a/keystonemiddleware-moon/debian/patches/series b/keystonemiddleware-moon/debian/patches/series
deleted file mode 100644
index 3c47073f..00000000
--- a/keystonemiddleware-moon/debian/patches/series
+++ /dev/null
@@ -1,2 +0,0 @@
-no-intersphinx.patch
-re-add-missing-auth-options.patch
diff --git a/keystonemiddleware-moon/debian/python-keystonemiddleware-doc.doc-base b/keystonemiddleware-moon/debian/python-keystonemiddleware-doc.doc-base
deleted file mode 100644
index bd08be62..00000000
--- a/keystonemiddleware-moon/debian/python-keystonemiddleware-doc.doc-base
+++ /dev/null
@@ -1,9 +0,0 @@
-Document: keystonemiddleware-doc
-Title: keystonemiddleware Documentation
-Author: N/A
-Abstract: Sphinx documentation for keystonemiddleware
-Section: Programming/Python
-
-Format: HTML
-Index: /usr/share/doc/python-keystonemiddleware-doc/html/index.html
-Files: /usr/share/doc/python-keystonemiddleware-doc/html/*
diff --git a/keystonemiddleware-moon/debian/rules b/keystonemiddleware-moon/debian/rules
deleted file mode 100755
index 2229093a..00000000
--- a/keystonemiddleware-moon/debian/rules
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/usr/bin/make -f
-
-PYTHONS:=$(shell pyversions -vr)
-PYTHON3S:=$(shell py3versions -vr)
-
-UPSTREAM_GIT := https://github.com/openstack/keystonemiddleware.git
-include /usr/share/openstack-pkg-tools/pkgos.make
-
-export OSLO_PACKAGE_VERSION=$(shell dpkg-parsechangelog | grep Version: | cut -d' ' -f2 | sed -e 's/^[[:digit:]]*://' -e 's/[-].*//' -e 's/~/.0/' | head -n 1)
-
-%:
- dh $@ --buildsystem=python_distutils --with python2,python3,sphinxdoc
-
-override_dh_auto_install:
- set -e ; for pyvers in $(PYTHONS); do \
- python$$pyvers setup.py install --install-layout=deb \
- --root $(CURDIR)/debian/python-keystonemiddleware; \
- done
- set -e ; for pyvers in $(PYTHON3S); do \
- python$$pyvers setup.py install --install-layout=deb \
- --root $(CURDIR)/debian/python3-keystonemiddleware; \
- done
-
-override_dh_auto_test:
-ifeq (,$(findstring nocheck, $(DEB_BUILD_OPTIONS)))
- echo "===> Running tests"
- set -e ; for i in 2.7 $(PYTHON3S) ; do \
- PYMAJOR=`echo $$i | cut -d'.' -f1` ; \
- echo "===> Testing with python$$i (python$$PYMAJOR)" ; \
- rm -rf .testrepository ; \
- testr-python$$PYMAJOR init ; \
- TEMP_REZ=`mktemp -t` ; \
- PYTHONPATH=$(CURDIR) PYTHON=python$$i testr-python$$PYMAJOR run --subunit 'keystonemiddleware.tests\.unit\.(?!(.*OptsTestCase.test_entry_point.*|.*test_opts.OptsTestCase.test_list_auth_token_opts.*|.*test_opts.OptsTestCase.test_original_list_all_options.*))' | tee $$TEMP_REZ | subunit2pyunit ; \
- cat $$TEMP_REZ | subunit-filter -s --no-passthrough | subunit-stats ; \
- rm -f $$TEMP_REZ ; \
- testr-python$$PYMAJOR slowest ; \
- done
-endif
-
-override_dh_clean:
- dh_clean -O--buildsystem=python_distutils
- rm -rf build
-
-override_dh_sphinxdoc:
- sphinx-build -b html doc/source debian/python-keystonemiddleware-doc/usr/share/doc/python-keystonemiddleware-doc/html
- dh_sphinxdoc -O--buildsystem=python_distutils
-
-# Commands not to run
-override_dh_installcatalogs:
-override_dh_installemacsen override_dh_installifupdown:
-override_dh_installinfo override_dh_installmenu override_dh_installmime:
-override_dh_installmodules override_dh_installlogcheck:
-override_dh_installpam override_dh_installppp override_dh_installudev override_dh_installwm:
-override_dh_installxfonts override_dh_gconf override_dh_icons override_dh_perl override_dh_usrlocal:
diff --git a/keystonemiddleware-moon/debian/source/format b/keystonemiddleware-moon/debian/source/format
deleted file mode 100644
index 163aaf8d..00000000
--- a/keystonemiddleware-moon/debian/source/format
+++ /dev/null
@@ -1 +0,0 @@
-3.0 (quilt)
diff --git a/keystonemiddleware-moon/debian/source/options b/keystonemiddleware-moon/debian/source/options
deleted file mode 100644
index cb61fa52..00000000
--- a/keystonemiddleware-moon/debian/source/options
+++ /dev/null
@@ -1 +0,0 @@
-extend-diff-ignore = "^[^/]*[.]egg-info/"
diff --git a/keystonemiddleware-moon/debian/watch b/keystonemiddleware-moon/debian/watch
deleted file mode 100644
index d7d3dbeb..00000000
--- a/keystonemiddleware-moon/debian/watch
+++ /dev/null
@@ -1,3 +0,0 @@
-version=3
-opts="uversionmangle=s/\.(b|rc)/~$1/" \
-https://github.com/openstack/keystonemiddleware/tags .*/(\d[\d\.]+)\.tar\.gz
diff --git a/keystonemiddleware-moon/doc/.gitignore b/keystonemiddleware-moon/doc/.gitignore
deleted file mode 100644
index edde2181..00000000
--- a/keystonemiddleware-moon/doc/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-build/
-source/api/
diff --git a/keystonemiddleware-moon/doc/Makefile b/keystonemiddleware-moon/doc/Makefile
deleted file mode 100644
index 84f00bd5..00000000
--- a/keystonemiddleware-moon/doc/Makefile
+++ /dev/null
@@ -1,90 +0,0 @@
-# Makefile for Sphinx documentation
-#
-
-# You can set these variables from the command line.
-SPHINXOPTS =
-SPHINXBUILD = sphinx-build
-SPHINXSOURCE = source
-PAPER =
-BUILDDIR = build
-
-# Internal variables.
-PAPEROPT_a4 = -D latex_paper_size=a4
-PAPEROPT_letter = -D latex_paper_size=letter
-ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) $(SPHINXSOURCE)
-
-.PHONY: help clean html dirhtml pickle json htmlhelp qthelp latex changes linkcheck doctest
-
-help:
- @echo "Please use \`make <target>' where <target> is one of"
- @echo " html to make standalone HTML files"
- @echo " dirhtml to make HTML files named index.html in directories"
- @echo " pickle to make pickle files"
- @echo " json to make JSON files"
- @echo " htmlhelp to make HTML files and a HTML help project"
- @echo " qthelp to make HTML files and a qthelp project"
- @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
- @echo " changes to make an overview of all changed/added/deprecated items"
- @echo " linkcheck to check all external links for integrity"
- @echo " doctest to run all doctests embedded in the documentation (if enabled)"
-
-clean:
- -rm -rf $(BUILDDIR)/*
-
-html:
- $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
- @echo
- @echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
-
-dirhtml:
- $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
- @echo
- @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
-
-pickle:
- $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
- @echo
- @echo "Build finished; now you can process the pickle files."
-
-json:
- $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
- @echo
- @echo "Build finished; now you can process the JSON files."
-
-htmlhelp:
- $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
- @echo
- @echo "Build finished; now you can run HTML Help Workshop with the" \
- ".hhp project file in $(BUILDDIR)/htmlhelp."
-
-qthelp:
- $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
- @echo
- @echo "Build finished; now you can run "qcollectiongenerator" with the" \
- ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
- @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/keystonemiddleware.qhcp"
- @echo "To view the help file:"
- @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/keystonemiddleware.qhc"
-
-latex:
- $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
- @echo
- @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
- @echo "Run \`make all-pdf' or \`make all-ps' in that directory to" \
- "run these through (pdf)latex."
-
-changes:
- $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
- @echo
- @echo "The overview file is in $(BUILDDIR)/changes."
-
-linkcheck:
- $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
- @echo
- @echo "Link check complete; look for any errors in the above output " \
- "or in $(BUILDDIR)/linkcheck/output.txt."
-
-doctest:
- $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
- @echo "Testing of doctests in the sources finished, look at the " \
- "results in $(BUILDDIR)/doctest/output.txt."
diff --git a/keystonemiddleware-moon/doc/ext/apidoc.py b/keystonemiddleware-moon/doc/ext/apidoc.py
deleted file mode 100644
index 2575f422..00000000
--- a/keystonemiddleware-moon/doc/ext/apidoc.py
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2014 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# NOTE(blk-u): Uncomment the [pbr] section in setup.cfg and remove this
-# Sphinx extension when https://launchpad.net/bugs/1260495 is fixed.
-
-import os.path as path
-
-from sphinx import apidoc
-
-
-# NOTE(blk-u): pbr will run Sphinx multiple times when it generates
-# documentation. Once for each builder. To run this extension we use the
-# 'builder-inited' hook that fires at the beginning of a Sphinx build.
-# We use ``run_already`` to make sure apidocs are only generated once
-# even if Sphinx is run multiple times.
-run_already = False
-
-
-def run_apidoc(app):
- global run_already
- if run_already:
- return
- run_already = True
-
- package_dir = path.abspath(path.join(app.srcdir, '..', '..',
- 'keystonemiddleware'))
- source_dir = path.join(app.srcdir, 'api')
- apidoc.main(['apidoc', package_dir, '-f',
- '-H', 'keystonemiddleware Modules',
- '-o', source_dir])
-
-
-def setup(app):
- app.connect('builder-inited', run_apidoc)
diff --git a/keystonemiddleware-moon/doc/source/audit.rst b/keystonemiddleware-moon/doc/source/audit.rst
deleted file mode 100644
index d23f8168..00000000
--- a/keystonemiddleware-moon/doc/source/audit.rst
+++ /dev/null
@@ -1,81 +0,0 @@
-..
- Copyright 2014 IBM Corp
-
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-.. _middleware:
-
-=================
- Audit middleware
-=================
-
-The Keystone middleware library provides an optional WSGI middleware filter
-which allows the ability to audit API requests for each component of OpenStack.
-
-The audit middleware filter utilises environment variables to build the CADF
-event.
-
-.. figure:: ./images/audit.png
- :width: 100%
- :align: center
- :alt: Figure 1: Audit middleware in Nova pipeline
-
-The figure above shows the middleware in Nova's pipeline.
-
-Enabling audit middleware
-=========================
-To enable auditing, oslo.messaging_ should be installed. If not, the middleware
-will log the audit event instead. Auditing can be enabled for a specific
-project by editing the project's api-paste.ini file to include the following
-filter definition:
-
-::
-
- [filter:audit]
- paste.filter_factory = keystonemiddleware.audit:filter_factory
- audit_map_file = /etc/nova/api_audit_map.conf
-
-The filter should be included after Keystone middleware's auth_token middleware
-so it can utilise environment variables set by auth_token. Below is an example
-using Nova's WSGI pipeline::
-
- [composite:openstack_compute_api_v2]
- use = call:nova.api.auth:pipeline_factory
- noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
- keystone = faultwrap sizelimit authtoken keystonecontext ratelimit audit osapi_compute_app_v2
- keystone_nolimit = faultwrap sizelimit authtoken keystonecontext audit osapi_compute_app_v2
-
-.. _oslo.messaging: http://www.github.com/openstack/oslo.messaging
-
-Configure audit middleware
-==========================
-To properly audit api requests, the audit middleware requires an
-api_audit_map.conf to be defined. The project's corresponding
-api_audit_map.conf file is included in the `pyCADF library`_.
-
-The location of the mapping file should be specified explicitly by adding the
-path to the 'audit_map_file' option of the filter definition::
-
- [filter:audit]
- paste.filter_factory = keystonemiddleware.audit:filter_factory
- audit_map_file = /etc/nova/api_audit_map.conf
-
-Additional options can be set::
-
- [filter:audit]
- paste.filter_factory = pycadf.middleware.audit:filter_factory
- audit_map_file = /etc/nova/api_audit_map.conf
- service_name = test # opt to set HTTP_X_SERVICE_NAME environ variable
- ignore_req_list = GET,POST # opt to ignore specific requests
-
-.. _pyCADF library: https://github.com/openstack/pycadf/tree/master/etc/pycadf
diff --git a/keystonemiddleware-moon/doc/source/conf.py b/keystonemiddleware-moon/doc/source/conf.py
deleted file mode 100644
index ff4b24cc..00000000
--- a/keystonemiddleware-moon/doc/source/conf.py
+++ /dev/null
@@ -1,237 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# keystonemiddleware documentation build configuration file, created by
-# sphinx-quickstart on Sun Dec 6 14:19:25 2009.
-#
-# This file is execfile()d with the current directory set to its containing
-# dir.
-#
-# Note that not all possible configuration values are present in this
-# autogenerated file.
-#
-# All configuration values have a default; values that are commented out
-# serve to show the default.
-
-from __future__ import unicode_literals
-
-import os
-import sys
-
-import pbr.version
-
-
-sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__),
- '..', '..')))
-
-# NOTE(blk-u): Path for our Sphinx extension, remove when
-# https://launchpad.net/bugs/1260495 is fixed.
-sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__),
- '..')))
-
-
-# If extensions (or modules to document with autodoc) are in another directory,
-# add these directories to sys.path here. If the directory is relative to the
-# documentation root, use os.path.abspath to make it absolute, like shown here.
-#sys.path.append(os.path.abspath('.'))
-
-# -- General configuration ----------------------------------------------------
-
-# Add any Sphinx extension module names here, as strings. They can be
-# extensions
-# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
-extensions = ['sphinx.ext.autodoc',
- 'sphinx.ext.todo',
- 'sphinx.ext.coverage',
- 'sphinx.ext.intersphinx',
- # NOTE(blk-u): Uncomment the [pbr] section in setup.cfg and
- # remove this Sphinx extension when
- # https://launchpad.net/bugs/1260495 is fixed.
- 'ext.apidoc',
- 'oslosphinx'
- ]
-
-todo_include_todos = True
-
-# Add any paths that contain templates here, relative to this directory.
-#templates_path = ['_templates']
-
-# The suffix of source filenames.
-source_suffix = '.rst'
-
-# The encoding of source files.
-#source_encoding = 'utf-8'
-
-# The master toctree document.
-master_doc = 'index'
-
-# General information about the project.
-project = 'keystonemiddleware'
-copyright = 'OpenStack Contributors'
-
-# The version info for the project you're documenting, acts as replacement for
-# |version| and |release|, also used in various other places throughout the
-# built documents.
-version_info = pbr.version.VersionInfo('keystonemiddleware')
-# The short X.Y version.
-version = version_info.version_string()
-# The full version, including alpha/beta/rc tags.
-release = version_info.release_string()
-
-# The language for content autogenerated by Sphinx. Refer to documentation
-# for a list of supported languages.
-#language = None
-
-# There are two options for replacing |today|: either, you set today to some
-# non-false value, then it is used:
-#today = ''
-# Else, today_fmt is used as the format for a strftime call.
-#today_fmt = '%B %d, %Y'
-
-# List of documents that shouldn't be included in the build.
-#unused_docs = []
-
-# List of directories, relative to source directory, that shouldn't be searched
-# for source files.
-exclude_trees = []
-
-# The reST default role (used for this markup: `text`) to use for all
-# documents.
-#default_role = None
-
-# If true, '()' will be appended to :func: etc. cross-reference text.
-add_function_parentheses = True
-
-# If true, the current module name will be prepended to all description
-# unit titles (such as .. function::).
-add_module_names = True
-
-# If true, sectionauthor and moduleauthor directives will be shown in the
-# output. They are ignored by default.
-#show_authors = False
-
-# The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
-
-# A list of ignored prefixes for module index sorting.
-modindex_common_prefix = ['keystonemiddleware.']
-
-# Grouping the document tree for man pages.
-# List of tuples 'sourcefile', 'target', 'title', 'Authors name', 'manual'
-
-man_pages = []
-
-# -- Options for HTML output --------------------------------------------------
-
-# The theme to use for HTML and HTML Help pages. Major themes that come with
-# Sphinx are currently 'default' and 'sphinxdoc'.
-#html_theme_path = ["."]
-#html_theme = '_theme'
-
-# Theme options are theme-specific and customize the look and feel of a theme
-# further. For a list of options available for each theme, see the
-# documentation.
-#html_theme_options = {}
-
-# Add any paths that contain custom themes here, relative to this directory.
-#html_theme_path = []
-
-# The name for this set of Sphinx documents. If None, it defaults to
-# "<project> v<release> documentation".
-#html_title = None
-
-# A shorter title for the navigation bar. Default is the same as html_title.
-#html_short_title = None
-
-# The name of an image file (relative to this directory) to place at the top
-# of the sidebar.
-#html_logo = None
-
-# The name of an image file (within the static path) to use as favicon of the
-# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
-# pixels large.
-#html_favicon = None
-
-# Add any paths that contain custom static files (such as style sheets) here,
-# relative to this directory. They are copied after the builtin static files,
-# so a file named "default.css" will overwrite the builtin "default.css".
-#html_static_path = ['static']
-
-# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
-# using the given strftime format.
-git_cmd = "git log --pretty=format:'%ad, commit %h' --date=local -n1"
-html_last_updated_fmt = os.popen(git_cmd).read()
-
-# If true, SmartyPants will be used to convert quotes and dashes to
-# typographically correct entities.
-#html_use_smartypants = True
-
-# Custom sidebar templates, maps document names to template names.
-#html_sidebars = {}
-
-# Additional templates that should be rendered to pages, maps page names to
-# template names.
-#html_additional_pages = {}
-
-# If false, no module index is generated.
-#html_use_modindex = True
-
-# If false, no index is generated.
-#html_use_index = True
-
-# If true, the index is split into individual pages for each letter.
-#html_split_index = False
-
-# If true, links to the reST sources are added to the pages.
-#html_show_sourcelink = True
-
-# If true, an OpenSearch description file will be output, and all pages will
-# contain a <link> tag referring to it. The value of this option must be the
-# base URL from which the finished HTML is served.
-#html_use_opensearch = ''
-
-# If nonempty, this is the file name suffix for HTML files (e.g. ".xhtml").
-#html_file_suffix = ''
-
-# Output file base name for HTML help builder.
-htmlhelp_basename = 'keystonemiddlewaredoc'
-
-
-# -- Options for LaTeX output -------------------------------------------------
-
-# The paper size ('letter' or 'a4').
-#latex_paper_size = 'letter'
-
-# The font size ('10pt', '11pt' or '12pt').
-#latex_font_size = '10pt'
-
-# Grouping the document tree into LaTeX files. List of tuples
-# (source start file, target name, title, author, documentclass [howto/manual])
-# .
-latex_documents = [
- ('index', 'keystonmiddleware.tex',
- 'keystonemiddleware Documentation',
- 'Nebula Inc, based on work by Rackspace and Jacob Kaplan-Moss',
- 'manual'),
-]
-
-# The name of an image file (relative to this directory) to place at the top of
-# the title page.
-#latex_logo = None
-
-# For "manual" documents, if this is true, then toplevel headings are parts,
-# not chapters.
-#latex_use_parts = False
-
-# Additional stuff for the LaTeX preamble.
-#latex_preamble = ''
-
-# Documents to append as an appendix to all manuals.
-#latex_appendices = []
-
-# If false, no module index is generated.
-#latex_use_modindex = True
-
-keystoneclient = 'http://docs.openstack.org/developer/python-keystoneclient/'
-
-intersphinx_mapping = {'keystoneclient': (keystoneclient, None),
- }
diff --git a/keystonemiddleware-moon/doc/source/images/audit.png b/keystonemiddleware-moon/doc/source/images/audit.png
deleted file mode 100644
index 5c2b1305..00000000
--- a/keystonemiddleware-moon/doc/source/images/audit.png
+++ /dev/null
Binary files differ
diff --git a/keystonemiddleware-moon/doc/source/images/graphs_authComp.svg b/keystonemiddleware-moon/doc/source/images/graphs_authComp.svg
deleted file mode 100644
index 6be629c1..00000000
--- a/keystonemiddleware-moon/doc/source/images/graphs_authComp.svg
+++ /dev/null
@@ -1,48 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: AuthComp Pages: 1 -->
-<svg width="510pt" height="118pt"
- viewBox="0.00 0.00 510.00 118.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 114)">
-<title>AuthComp</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-114 507,-114 507,5 -4,5"/>
-<!-- AuthComp -->
-<g id="node2" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="292,-65 194,-65 194,-25 292,-25 292,-65"/>
-<text text-anchor="middle" x="243" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="243" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Reject -->
-<!-- AuthComp&#45;&gt;Reject -->
-<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Reject</title>
-<path fill="none" stroke="black" d="M193.933,-51.2787C157.514,-55.939 108.38,-62.2263 73.8172,-66.649"/>
-<polygon fill="black" stroke="black" points="73.0637,-63.2168 63.5888,-67.9578 73.9522,-70.1602 73.0637,-63.2168"/>
-<text text-anchor="middle" x="129" y="-97.4" font-family="Times,serif" font-size="14.00">Reject</text>
-<text text-anchor="middle" x="129" y="-82.4" font-family="Times,serif" font-size="14.00">Unauthenticated</text>
-<text text-anchor="middle" x="129" y="-67.4" font-family="Times,serif" font-size="14.00">Requests</text>
-</g>
-<!-- Service -->
-<g id="node6" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="502,-65 408,-65 408,-25 502,-25 502,-65"/>
-<text text-anchor="middle" x="455" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="455" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Service -->
-<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M292.17,-45C323.626,-45 364.563,-45 397.52,-45"/>
-<polygon fill="black" stroke="black" points="397.917,-48.5001 407.917,-45 397.917,-41.5001 397.917,-48.5001"/>
-<text text-anchor="middle" x="350" y="-77.4" font-family="Times,serif" font-size="14.00">Forward</text>
-<text text-anchor="middle" x="350" y="-62.4" font-family="Times,serif" font-size="14.00">Authenticated</text>
-<text text-anchor="middle" x="350" y="-47.4" font-family="Times,serif" font-size="14.00">Requests</text>
-</g>
-<!-- Start -->
-<!-- Start&#45;&gt;AuthComp -->
-<g id="edge7" class="edge"><title>Start&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M59.1526,-21.4745C90.4482,-25.4792 142.816,-32.1802 183.673,-37.4084"/>
-<polygon fill="black" stroke="black" points="183.43,-40.9057 193.793,-38.7034 184.318,-33.9623 183.43,-40.9057"/>
-</g>
-</g>
-</svg>
diff --git a/keystonemiddleware-moon/doc/source/images/graphs_authCompDelegate.svg b/keystonemiddleware-moon/doc/source/images/graphs_authCompDelegate.svg
deleted file mode 100644
index 4788829a..00000000
--- a/keystonemiddleware-moon/doc/source/images/graphs_authCompDelegate.svg
+++ /dev/null
@@ -1,53 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
- "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
- -->
-<!-- Title: AuthCompDelegate Pages: 1 -->
-<svg width="588pt" height="104pt"
- viewBox="0.00 0.00 588.00 104.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 100)">
-<title>AuthCompDelegate</title>
-<polygon fill="white" stroke="white" points="-4,5 -4,-100 585,-100 585,5 -4,5"/>
-<!-- AuthComp -->
-<g id="node2" class="node"><title>AuthComp</title>
-<polygon fill="#fdefe3" stroke="#c00000" points="338,-65 240,-65 240,-25 338,-25 338,-65"/>
-<text text-anchor="middle" x="289" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
-<text text-anchor="middle" x="289" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
-</g>
-<!-- Reject -->
-<!-- AuthComp&#45;&gt;Reject -->
-<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Reject</title>
-<path fill="none" stroke="black" d="M239.6,-50.1899C191.406,-55.2531 118.917,-62.8686 73.5875,-67.6309"/>
-<polygon fill="black" stroke="black" points="73.0928,-64.1635 63.5132,-68.6893 73.8242,-71.1252 73.0928,-64.1635"/>
-<text text-anchor="middle" x="152" y="-83.4" font-family="Times,serif" font-size="14.00">Reject Requests</text>
-<text text-anchor="middle" x="152" y="-68.4" font-family="Times,serif" font-size="14.00">Indicated by the Service</text>
-</g>
-<!-- Service -->
-<g id="node6" class="node"><title>Service</title>
-<polygon fill="#d1ebf1" stroke="#1f477d" points="580,-65 486,-65 486,-25 580,-25 580,-65"/>
-<text text-anchor="middle" x="533" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
-<text text-anchor="middle" x="533" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
-</g>
-<!-- AuthComp&#45;&gt;Service -->
-<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
-<path fill="none" stroke="black" d="M338.009,-49.0804C344.065,-49.4598 350.172,-49.7828 356,-50 405.743,-51.8535 418.259,-51.9103 468,-50 470.523,-49.9031 473.101,-49.7851 475.704,-49.6504"/>
-<polygon fill="black" stroke="black" points="476.03,-53.1374 485.807,-49.0576 475.62,-46.1494 476.03,-53.1374"/>
-<text text-anchor="middle" x="412" y="-68.4" font-family="Times,serif" font-size="14.00">Forward Requests</text>
-<text text-anchor="middle" x="412" y="-53.4" font-family="Times,serif" font-size="14.00">with Identiy Status</text>
-</g>
-<!-- Service&#45;&gt;AuthComp -->
-<g id="edge7" class="edge"><title>Service&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M495.062,-24.9037C486.397,-21.2187 477.064,-17.9304 468,-16 419.314,-5.63183 404.743,-5.9037 356,-16 349.891,-17.2653 343.655,-19.116 337.566,-21.2803"/>
-<polygon fill="black" stroke="black" points="336.234,-18.0426 328.158,-24.9003 338.748,-24.5757 336.234,-18.0426"/>
-<text text-anchor="middle" x="412" y="-33.4" font-family="Times,serif" font-size="14.00">Send Response OR</text>
-<text text-anchor="middle" x="412" y="-18.4" font-family="Times,serif" font-size="14.00">Reject Message</text>
-</g>
-<!-- Start -->
-<!-- Start&#45;&gt;AuthComp -->
-<g id="edge9" class="edge"><title>Start&#45;&gt;AuthComp</title>
-<path fill="none" stroke="black" d="M59.0178,-20.8384C99.2135,-25.0613 175.782,-33.1055 229.492,-38.7482"/>
-<polygon fill="black" stroke="black" points="229.265,-42.2435 239.576,-39.8076 229.997,-35.2818 229.265,-42.2435"/>
-</g>
-</g>
-</svg>
diff --git a/keystonemiddleware-moon/doc/source/index.rst b/keystonemiddleware-moon/doc/source/index.rst
deleted file mode 100644
index 9092ec79..00000000
--- a/keystonemiddleware-moon/doc/source/index.rst
+++ /dev/null
@@ -1,46 +0,0 @@
-Python Middleware for OpenStack Identity API (Keystone)
-=======================================================
-
-This is the middleware provided for integrating with the OpenStack
-Identity API and handling authorization enforcement based upon the
-data within the OpenStack Identity tokens. Also included is middleware that
-provides the ability to create audit events based on API requests.
-
-Contents:
-
-.. toctree::
- :maxdepth: 1
-
- middlewarearchitecture
- audit
-
-Related Identity Projects
-=========================
-
-In addition to creating the Python Middleware for OpenStack Identity
-API, the Keystone team also provides `Identity Service`_, as well as
-`Python Client Library`_.
-
-.. _`Identity Service`: http://docs.openstack.org/developer/keystone/
-.. _`Python Client Library`: http://docs.openstack.org/developer/python-keystoneclient/
-
-Contributing
-============
-
-Code is hosted `on GitHub`_. Submit bugs to the Keystone project on
-`Launchpad`_. Submit code to the ``openstack/keystonemiddleware`` project
-using `Gerrit`_.
-
-.. _on GitHub: https://github.com/openstack/keystonemiddleware
-.. _Launchpad: https://launchpad.net/keystonemiddleware
-.. _Gerrit: http://docs.openstack.org/infra/manual/developers.html#development-workflow
-
-Run tests with ``python setup.py test``.
-
-Indices and tables
-==================
-
-* :ref:`genindex`
-* :ref:`modindex`
-* :ref:`search`
-
diff --git a/keystonemiddleware-moon/doc/source/middlewarearchitecture.rst b/keystonemiddleware-moon/doc/source/middlewarearchitecture.rst
deleted file mode 100644
index e543be47..00000000
--- a/keystonemiddleware-moon/doc/source/middlewarearchitecture.rst
+++ /dev/null
@@ -1,472 +0,0 @@
-.. Copyright 2011-2013 OpenStack Foundation
-.. All Rights Reserved.
-
-.. Licensed under the Apache License, Version 2.0 (the "License"); you may
-.. not use this file except in compliance with the License. You may obtain
-.. a copy of the License at
-
-.. http://www.apache.org/licenses/LICENSE-2.0
-
-.. Unless required by applicable law or agreed to in writing, software
-.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-.. License for the specific language governing permissions and limitations
-.. under the License.
-
-=======================
-Middleware Architecture
-=======================
-
-Abstract
-========
-
-The Keystone middleware architecture supports a common authentication protocol
-in use between the OpenStack projects. By using keystone as a common
-authentication and authorization mechanism, the OpenStack project can plug in
-to existing authentication and authorization systems in use by existing
-environments.
-
-In this document, we describe the architecture and responsibilities of the
-authentication middleware which acts as the internal API mechanism for
-OpenStack projects based on the WSGI standard.
-
-This documentation describes the implementation in
-:class:`keystonemiddleware.auth_token`
-
-Specification Overview
-======================
-
-'Authentication' is the process of determining that users are who they say they
-are. Typically, 'authentication protocols' such as HTTP Basic Auth, Digest
-Access, public key, token, etc, are used to verify a user's identity. In this
-document, we define an ''authentication component'' as a software module that
-implements an authentication protocol for an OpenStack service. OpenStack is
-using a token based mechanism to represent authentication and authorization.
-
-At a high level, an authentication middleware component is a proxy that
-intercepts HTTP calls from clients and populates HTTP headers in the request
-context for other WSGI middleware or applications to use. The general flow
-of the middleware processing is:
-
-* clear any existing authorization headers to prevent forgery
-* collect the token from the existing HTTP request headers
-* validate the token
-
- * if valid, populate additional headers representing the identity that has
- been authenticated and authorized
- * if invalid, or no token present, reject the request (HTTPUnauthorized)
- or pass along a header indicating the request is unauthorized (configurable
- in the middleware)
- * if the keystone service is unavailable to validate the token, reject
- the request with HTTPServiceUnavailable.
-
-.. _authComponent:
-
-Authentication Component
-------------------------
-
-Figure 1. Authentication Component
-
-.. image:: images/graphs_authComp.svg
- :width: 100%
- :height: 180
- :alt: An Authentication Component
-
-The middleware may also be configured to operate in a 'delegated mode'.
-In this mode, the decision to reject an unauthenticated client is delegated to
-the OpenStack service, as illustrated in :ref:`authComponentDelegated`.
-
-Here, requests are forwarded to the OpenStack service with an identity status
-message that indicates whether the client's identity has been confirmed or is
-indeterminate. It is the OpenStack service that decides whether or not a reject
-message should be sent to the client.
-
-.. _authComponentDelegated:
-
-Authentication Component (Delegated Mode)
------------------------------------------
-
-Figure 2. Authentication Component (Delegated Mode)
-
-.. image:: images/graphs_authCompDelegate.svg
- :width: 100%
- :height: 180
- :alt: An Authentication Component (Delegated Mode)
-
-.. _deployStrategies:
-
-Deployment Strategy
-===================
-
-The middleware is intended to be used inline with OpenStack wsgi components,
-based on the Oslo WSGI middleware class. It is typically deployed
-as a configuration element in a paste configuration pipeline of other
-middleware components, with the pipeline terminating in the service
-application. The middleware conforms to the python WSGI standard [PEP-333]_.
-In initializing the middleware, a configuration item (which acts like a python
-dictionary) is passed to the middleware with relevant configuration options.
-
-Configuration
--------------
-
-The middleware is configured within the config file of the main application as
-a WSGI component. Example for the auth_token middleware:
-
-.. code-block:: ini
-
- [app:myService]
- paste.app_factory = myService:app_factory
-
- [pipeline:main]
- pipeline = authtoken myService
-
- [filter:authtoken]
- paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-
- # Prefix to prepend at the beginning of the path (string
- # value)
- #auth_admin_prefix=
-
- # Host providing the admin Identity API endpoint (string
- # value)
- auth_host=127.0.0.1
-
- # Port of the admin Identity API endpoint (integer value)
- auth_port=35357
-
- # Protocol of the admin Identity API endpoint(http or https)
- # (string value)
- auth_protocol=https
-
- # Complete public Identity API endpoint (string value)
- #auth_uri=<None>
-
- # API version of the admin Identity API endpoint (string
- # value)
- #auth_version=<None>
-
- # Do not handle authorization requests within the middleware,
- # but delegate the authorization decision to downstream WSGI
- # components (boolean value)
- #delay_auth_decision=false
-
- # Request timeout value for communicating with Identity API
- # server. (boolean value)
- #http_connect_timeout=<None>
-
- # How many times are we trying to reconnect when communicating
- # with Identity API Server. (integer value)
- #http_request_max_retries=3
-
- # Single shared secret with the Keystone configuration used
- # for bootstrapping a Keystone installation, or otherwise
- # bypassing the normal authentication process. (string value)
- #admin_token=<None>
-
- # Keystone account username (string value)
- #admin_user=<None>
-
- # Keystone account password (string value)
- admin_password=SuperSekretPassword
-
- # Keystone service account tenant name to validate user tokens
- # (string value)
- #admin_tenant_name=admin
-
- # Env key for the swift cache (string value)
- #cache=<None>
-
- # Required if Keystone server requires client certificate
- # (string value)
- #certfile=<None>
-
- # Required if Keystone server requires client certificate
- # (string value)
- #keyfile=<None>
-
- # A PEM encoded Certificate Authority to use when verifying
- # HTTPs connections. Defaults to system CAs. (string value)
- #cafile=<None>
-
- # Verify HTTPS connections. (boolean value)
- #insecure=false
-
- # Directory used to cache files related to PKI tokens (string
- # value)
- #signing_dir=<None>
-
- # If defined, the memcached server(s) to use for caching (list
- # value)
- # Deprecated group/name - [DEFAULT]/memcache_servers
- #memcached_servers=<None>
-
- # In order to prevent excessive requests and validations, the
- # middleware uses an in-memory cache for the tokens the
- # Keystone API returns. This is only valid if memcache_servers
- # is defined. Set to -1 to disable caching completely.
- # (integer value)
- #token_cache_time=300
-
- # Value only used for unit testing (integer value)
- #revocation_cache_time=1
-
- # (optional) if defined, indicate whether token data should be
- # authenticated or authenticated and encrypted. Acceptable
- # values are MAC or ENCRYPT. If MAC, token data is
- # authenticated (with HMAC) in the cache. If ENCRYPT, token
- # data is encrypted and authenticated in the cache. If the
- # value is not one of these options or empty, auth_token will
- # raise an exception on initialization. (string value)
- #memcache_security_strategy=<None>
-
- # (optional, mandatory if memcache_security_strategy is
- # defined) this string is used for key derivation. (string
- # value)
- #memcache_secret_key=<None>
-
- # (optional) indicate whether to set the X-Service-Catalog
- # header. If False, middleware will not ask for service
- # catalog on token validation and will not set the X-Service-
- # Catalog header. (boolean value)
- #include_service_catalog=true
-
- # Used to control the use and type of token binding. Can be
- # set to: "disabled" to not check token binding. "permissive"
- # (default) to validate binding information if the bind type
- # is of a form known to the server and ignore it if not.
- # "strict" like "permissive" but if the bind type is unknown
- # the token will be rejected. "required" any form of token
- # binding is needed to be allowed. Finally the name of a
- # binding method that must be present in tokens. (string
- # value)
- #enforce_token_bind=permissive
-
-For services which have a separate paste-deploy ini file, auth_token middleware
-can be alternatively configured in [keystone_authtoken] section in the main
-config file. For example in Nova, all middleware parameters can be removed
-from ``api-paste.ini``:
-
-.. code-block:: ini
-
- [filter:authtoken]
- paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-
-and set in ``nova.conf``:
-
-.. code-block:: ini
-
- [DEFAULT]
- auth_strategy=keystone
-
- [keystone_authtoken]
- auth_host = 127.0.0.1
- auth_port = 35357
- auth_protocol = http
- admin_user = admin
- admin_password = SuperSekretPassword
- admin_tenant_name = service
- # Any of the options that could be set in api-paste.ini can be set here.
-
-Note that middleware parameters in paste config take priority, they must be
-removed to use values in [keystone_authtoken] section.
-
-If the service doesn't use the global oslo.config object (CONF), then the
-olso config project name can be set it in paste config and
-keystonemiddleware will load the project configuration itself.
-Optionally the location of the configuration file can be set if oslo.config
-is not able to discover it.
-
-.. code-block:: ini
-
- [filter:authtoken]
- paste.filter_factory = keystonemiddleware.auth_token:filter_factory
- oslo_config_project = nova
- # oslo_config_file = /not_discoverable_location/nova.conf
-
-
-Configuration Options
----------------------
-
-* ``auth_admin_prefix``: Prefix to prepend at the beginning of the path
-* ``auth_host``: (required) the host providing the keystone service API endpoint
- for validating and requesting tokens
-* ``auth_port``: (optional, default `35357`) the port used to validate tokens
-* ``auth_protocol``: (optional, default `https`)
-* ``auth_uri``: (optional, defaults to
- `auth_protocol`://`auth_host`:`auth_port`)
-* ``auth_version``: API version of the admin Identity API endpoint
-* ``delay_auth_decision``: (optional, default `0`) (off). If on, the middleware
- will not reject invalid auth requests, but will delegate that decision to
- downstream WSGI components.
-* ``http_connect_timeout``: (optional) Request timeout value for communicating
- with Identity API server.
-* ``http_request_max_retries``: (default 3) How many times are we trying to
- reconnect when communicating with Identity API Server.
-* ``http_handler``: (optional) Allows to pass in the name of a fake
- http_handler callback function used instead of `httplib.HTTPConnection` or
- `httplib.HTTPSConnection`. Useful for unit testing where network is not
- available.
-
-* ``admin_token``: either this or the following three options are required. If
- set, this is a single shared secret with the keystone configuration used to
- validate tokens.
-* ``admin_user``, ``admin_password``, ``admin_tenant_name``: if ``admin_token``
- is not set, or invalid, then admin_user, admin_password, and
- admin_tenant_name are defined as a service account which is expected to have
- been previously configured in Keystone to validate user tokens.
-
-* ``cache``: (optional) Env key for the swift cache
-
-* ``certfile``: (required, if Keystone server requires client cert)
-* ``keyfile``: (required, if Keystone server requires client cert) This can be
- the same as the certfile if the certfile includes the private key.
-* ``cafile``: (optional, defaults to use system CA bundle) the path to a PEM
- encoded CA file/bundle that will be used to verify HTTPS connections.
-* ``insecure``: (optional, default `False`) Don't verify HTTPS connections
- (overrides `cafile`).
-
-* ``signing_dir``: (optional) Directory used to cache files related to PKI
- tokens
-
-* ``memcached_servers``: (optional) If defined, the memcached server(s) to use
- for caching
-* ``token_cache_time``: (default 300) In order to prevent excessive requests
- and validations, the middleware uses an in-memory cache for the tokens the
- Keystone API returns. This is only valid if memcache_servers s defined. Set
- to -1 to disable caching completely.
-* ``memcache_security_strategy``: (optional) if defined, indicate whether token
- data should be authenticated or authenticated and encrypted. Acceptable
- values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC)
- in the cache. If ENCRYPT, token data is encrypted and authenticated in the
- cache. If the value is not one of these options or empty, auth_token will
- raise an exception on initialization.
-* ``memcache_secret_key``: (mandatory if memcache_security_strategy is defined)
- this string is used for key derivation.
-* ``include_service_catalog``: (optional, default `True`) Indicate whether to
- set the X-Service-Catalog header. If False, middleware will not ask for
- service catalog on token validation and will not set the X-Service-Catalog
- header.
-* ``enforce_token_bind``: (default ``permissive``) Used to control the use and
- type of token binding. Can be set to: "disabled" to not check token binding.
- "permissive" (default) to validate binding information if the bind type is of
- a form known to the server and ignore it if not. "strict" like "permissive"
- but if the bind type is unknown the token will be rejected. "required" any
- form of token binding is needed to be allowed. Finally the name of a binding
- method that must be present in tokens.
-
-Caching for improved response
------------------------------
-
-In order to prevent excessive requests and validations, the middleware uses an
-in-memory cache for the tokens the keystone API returns. Keep in mind that
-invalidated tokens may continue to work if they are still in the token cache,
-so token_cache_time is configurable. For larger deployments, the middleware
-also supports memcache based caching.
-
-* ``memcached_servers``: (optonal) if defined, the memcached server(s) to use for
- cacheing. It will be ignored if Swift MemcacheRing is used instead.
-* ``token_cache_time``: (optional, default 300 seconds) Set to -1 to disable
- caching completely.
-
-When deploying auth_token middleware with Swift, user may elect
-to use Swift MemcacheRing instead of the local Keystone memcache.
-The Swift MemcacheRing object is passed in from the request environment
-and it defaults to 'swift.cache'. However it could be
-different, depending on deployment. To use Swift MemcacheRing, you must
-provide the ``cache`` option.
-
-* ``cache``: (optional) if defined, the environment key where the Swift
- MemcacheRing object is stored.
-
-Memcached dependencies
-======================
-
-In order to use `memcached`_ it is necessary to install the `python-memcached`_
-library. If data stored in `memcached`_ will need to be encrypted it is also
-necessary to install the `pycrypto`_ library. These libs are not listed in
-the requirements.txt file.
-
-.. _`memcached`: http://memcached.org/
-.. _`python-memcached`: https://pypi.python.org/pypi/python-memcached
-.. _`pycrypto`: https://pypi.python.org/pypi/pycrypto
-
-Memcached and System Time
-=========================
-
-When using `memcached`_ with ``auth_token`` middleware, ensure that the system
-time of memcached hosts is set to UTC. Memcached uses the host's system
-time in determining whether a key has expired, whereas Keystone sets
-key expiry in UTC. The timezone used by Keystone and memcached must
-match if key expiry is to behave as expected.
-
-Memcache Protection
-===================
-
-When using memcached, we are storing user tokens and token validation
-information into the cache as raw data. Which means that anyone who
-has access to the memcached servers can read and modify data stored
-there. To mitigate this risk, ``auth_token`` middleware provides an
-option to authenticate and optionally encrypt the token data stored in
-the cache.
-
-* ``memcache_security_strategy``: (optional) if defined, indicate
- whether token data should be authenticated or authenticated and
- encrypted. Acceptable values are ``MAC`` or ``ENCRYPT``. If ``MAC``,
- token data is authenticated (with HMAC) in the cache. If
- ``ENCRYPT``, token data is encrypted and authenticated in the
- cache. If the value is not one of these options or empty,
- ``auth_token`` will raise an exception on initialization.
-* ``memcache_secret_key``: (optional, mandatory if
- ``memcache_security_strategy`` is defined) this string is used for
- key derivation. If ``memcache_security_strategy`` is defined and
- ``memcache_secret_key`` is absent, ``auth_token`` will raise an
- exception on initialization.
-
-Exchanging User Information
-===========================
-
-The middleware expects to find a token representing the user with the header
-``X-Auth-Token`` or ``X-Storage-Token``. `X-Storage-Token` is supported for
-swift/cloud files and for legacy Rackspace use. If the token isn't present and
-the middleware is configured to not delegate auth responsibility, it will
-respond to the HTTP request with HTTPUnauthorized, returning the header
-``WWW-Authenticate`` with the value `Keystone uri='...'` to indicate where to
-request a token. The auth_uri returned is configured with the middleware.
-
-The authentication middleware extends the HTTP request with the header
-``X-Identity-Status``. If a request is successfully authenticated, the value
-is set to `Confirmed`. If the middleware is delegating the auth decision to the
-service, then the status is set to `Invalid` if the auth request was
-unsuccessful.
-
-An ``X-Service-Token`` header may also be included with a request. If present,
-and the value of ``X-Auth-Token`` or ``X-Storage-Token`` has not caused the
-request to be denied, then the middleware will attempt to validate the value of
-``X-Service-Token``. If valid, the authentication middleware extends the HTTP
-request with the header ``X-Service-Identity-Status`` having value `Confirmed`
-and also extends the request with additional headers representing the identity
-authenticated and authorised by the token.
-
-If ``X-Service-Token`` is present and its value is invalid and the
-``delay_auth_decision`` option is True then the value of
-``X-Service-Identity-Status`` is set to `Invalid` and no further headers are
-added. Otherwise if ``X-Service-Token`` is present and its value is invalid
-then the middleware will respond to the HTTP request with HTTPUnauthorized,
-regardless of the validity of the ``X-Auth-Token`` or ``X-Storage-Token``
-values.
-
-Extended the request with additional User Information
------------------------------------------------------
-
-:py:class:`keystonemiddleware.auth_token.AuthProtocol` extends the
-request with additional information if the user has been authenticated. See the
-"What we add to the request for use by the OpenStack service" section in
-:py:mod:`keystonemiddleware.auth_token` for the list of fields set by
-the auth_token middleware.
-
-
-References
-==========
-
-.. [PEP-333] pep0333 Phillip J Eby. 'Python Web Server Gateway Interface
- v1.0.'' http://www.python.org/dev/peps/pep-0333/.
diff --git a/keystonemiddleware-moon/examples/pki/certs/cacert.pem b/keystonemiddleware-moon/examples/pki/certs/cacert.pem
deleted file mode 100644
index 952bdaea..00000000
--- a/keystonemiddleware-moon/examples/pki/certs/cacert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID1jCCAr6gAwIBAgIJAJOtRP2+wrM/MA0GCSqGSIb3DQEBBQUAMIGeMQowCAYD
-VQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55
-dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMG
-CSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2Vs
-ZiBTaWduZWQwIBcNMTMwOTEzMTYyNTQyWhgPMjA3MjAzMDcxNjI1NDJaMIGeMQow
-CAYDVQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1
-bm55dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTEl
-MCMGCSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxML
-U2VsZiBTaWduZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCl8906
-EaRpibQFcCBWfxzLi5x/XpZ9iL6UX92NrSJxcDbaGws7s+GtjgDy8UOEonesRWTe
-qQEZtHpC3/UHHOnsA8F6ha/pq9LioqT7RehCnZCLBJwh5Ct+lclpWs15SkjJD2LT
-Dkjox0eA9nOBx+XDlWyU/GAyqx5Wsvg/Kxr0iod9/4IcJdnSdUjq4v0Cxg/zNk08
-XPJX+F0bUDhgdUf7JrAmmS5LA8wphRnbIgtVsf6VN9HrbqtHAJDxh8gEfuwdhEW1
-df1fBtZ+6WMIF3IRSbIsZELFB6sqcyRj7HhMoWMkdEyPb2f8mq61MzTgE6lJGIyT
-RvEoFie7qtGADIofAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
-AQEFBQADggEBAJRMdEwAdN+crqI9dBLYlbBbnQ8xr9mk+REMdz9+SKhDCNdVisWU
-iLEZvK/aozrsRsDi81JjS4Tz0wXo8zsPPoDnXgDYEicNPTKifbPKgHdDIGFOwBKn
-y2cF6fHEn8n3KIBrDCNY6rHcYGZ7lbq/8eF0GoYQboPiuYesvVpynPmIK5/Mmire
-EuuZALAe1IFqqFt+l6tiJU2JWUFjLkFARMOD14qFZm+SInl64toi08j6gdou+NMW
-7GEMbVHwNTafM/TgFN5j0yP9SAnYubckLSyH6hwR+rM8dztP5769joxQfnc9O/Bn
-TBD9KFpeQv6VJWLAxiIKcQCRTTDJLZZ0MQI=
------END CERTIFICATE-----
diff --git a/keystonemiddleware-moon/examples/pki/certs/middleware.pem b/keystonemiddleware-moon/examples/pki/certs/middleware.pem
deleted file mode 100644
index 7d593efd..00000000
--- a/keystonemiddleware-moon/examples/pki/certs/middleware.pem
+++ /dev/null
@@ -1,50 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDpjCCAo4CARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
-EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
-ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
-MzA5MTMxNjI1NDNaGA8yMDcyMDMwNzE2MjU0M1owgZAxCzAJBgNVBAYTAlVTMQsw
-CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
-Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
-cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDL06AaJROwHPgJ9tcySSBepzJ81jYars2sMvLjyuvd
-iIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rpv8dGDIDsxZQVjT/4SLaQUOeDM+9b
-fkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLYWso0SJD0vAi1gmGDlSM/mmhhHTpC
-DGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1ZrslPC5lFvlHD7KBBf6IU2A8Xh/dUa3
-p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYRR45pPCVkk6vFsy6P0JwwpnkszB+L
-cK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4YEPirGGrAgMBAAEwDQYJKoZIhvcN
-AQEFBQADggEBAAjU7YomUx/U56p1KWHvr1B7oczHF8fPHYbuk5c/N81WOJeSRy+P
-5ZGZ2UPjvqqXByv+78YWMKGY1BZ/2doeWuydr0sdSxEwmIUBYxFpujuYY+0AjS/n
-mMr1ZijK7TJssteKM7/MClzghUhPweDZrAg3ff1hbhK5QSy+9UPxUqLH44tfYSVC
-/BzM6se0p5ToM0bwdsa8TofaBRE1L1IW/Hg4VIGOoKs0R0uLm7+Oot2me2cEuZ6h
-Wls6MED8ND1Nz8EAKwndkeDu2iMM+qx/YFp6K8BQ5E5nXd2rbUZUlQMp1WbUlZ87
-KvC98aT0UYIq6uo1Lx/dQvJs7faAkYd4lmE=
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDL06AaJROwHPgJ
-9tcySSBepzJ81jYars2sMvLjyuvdiIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rp
-v8dGDIDsxZQVjT/4SLaQUOeDM+9bfkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLY
-Wso0SJD0vAi1gmGDlSM/mmhhHTpCDGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1Zrs
-lPC5lFvlHD7KBBf6IU2A8Xh/dUa3p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYR
-R45pPCVkk6vFsy6P0JwwpnkszB+LcK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4
-YEPirGGrAgMBAAECggEATwvbY0hNwlb5uqOIAXBqpUqiQdexU9fG26lGmSDxKBDv
-9o5frcRgBDrMWwvDCgY+HT4CAvB9kJx4/qnpVjkzJp/ZNiJ5VIiehIlbv348rXbh
-xkk+bz5dDATCFOXuu1fwL2FhyM5anwhMAav0DyK1VLQ3jGzr9GO6L8hqAn+bQFFu
-6ngiODwfhBMl5aRoL9UOBEhccK07znrH0JGRz+3+5Cdz59Xw91Bv210LhNNDL58+
-0JD0N+YztVOQd2bgwo0bQbOEijzmYq+0mjoqAnJh1/++y7PlIPs0AnPgqSnFPx9+
-6FsQEVRgk5Uq3kvPLaP4nT2y6MDZSp+ujYldvJhyQQKBgQDuX2pZIJMZ4aFnkG+K
-TmJ5wsLa/u9an0TmvAL9RLtBpVpQNKD8cQ+y8PUZavXDbAIt5NWqZVnTbCR79Dnd
-mZKblwcHhtsyA5f89el5KcxY2BREWdHdTnJpNd7XRlUECmzvX1zGj77lA982PhII
-yflRBRV3vqLkgC8vfoYgRyRElwKBgQDa5jnLdx/RahfYMOgn1HE5o4hMzLR4Y0Dd
-+gELshcUbPqouoP5zOb8WOagVJIgZVOSN+/VqbilVYrqRiNTn2rnoxs+HHRdaJNN
-3eXllD4J2HfC2BIj1xSpIdyh2XewAJqw9IToHNB29QUhxOtgwseHciPG6JaKH2ik
-kqGKH/EKDQKBgFFAftygiOPCkCTgC9UmANUmOQsy6N2H+pF3tsEj43xt44oBVnqW
-A1boYXNnjRwuvdNs9BPf9i1l6E3EItFRXrLgWQoMwryakv0ryYh+YeRKyyW9RBbe
-fYs1TJ8unx4Ae79gTxxztQsVNcmkgLs0NWKTjAzEE3w14V+cDhYEie1DAoGBAJdI
-V5cLrBzBstsB6eBlDR9lqrRRIUS2a8U9m+1mVlcSfiWQSdehSd4K3tDdwePLw3ch
-W4qR8n+pYAlLEe0gFvUhn5lMdwt7U5qUCeehjUKmrRYm2FqWsbu2IFJnBjXIJSC4
-zQXRrC0aZ0KQYpAL7XPpaVp1slyhGmPqxuO78Y0dAoGBAMHo3EIMwu9rfuGwFodr
-GFsOZhfJqgo5GDNxxf89Q9WWpMDTCdX+wdBTrN/wsMbBuwIDHrUuRnk6D5CWRjSk
-/ikCgHN3kOtrbL8zzqRomGAIIWKYGFEIGe1GHVGo5r//HXHdPxFXygvruQ/xbOA4
-RGvmDiji8vVDq7Shho8I6KuT
------END PRIVATE KEY-----
diff --git a/keystonemiddleware-moon/examples/pki/certs/signing_cert.pem b/keystonemiddleware-moon/examples/pki/certs/signing_cert.pem
deleted file mode 100644
index 63ab2478..00000000
--- a/keystonemiddleware-moon/examples/pki/certs/signing_cert.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDpTCCAo0CAREwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
-EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
-ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
-MzA5MTMxNjI1NDNaGA8yMDcyMDMwNzE2MjU0M1owgY8xCzAJBgNVBAYTAlVTMQsw
-CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
-Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
-cGVuc3RhY2sub3JnMREwDwYDVQQDEwhLZXlzdG9uZTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAMz5WsgsuX3rZUdLwQpZXN2Ro7LQ6jEZnreBqMztVObw
-BuC1WdiJsg6dVlC7PVdt+0gY1c8WFg1TKmsucxesQSyfGAPg+9T/hsRMb6y12uJx
-fp3Wgqqw0U1HsXvMiaJH87MaGnt043BxzF+R9fhAcDk6Cyj5cx9J0LvZJEOzN4J4
-ZRyO6j/DZZItb3lK5W9xkuoT+mTdDZOQJnXyG818uiWfjdCkLjr1ruytRcBOo4na
-Y828voT/A7I95+YCgKgbjiUWhHeTaNmMEQiGy0nGYfteC+oSsHOlxZ3b12azzHPk
-83Bh2ez0Ih9vcZoe9DqvlFOXfv9q8OsYc5Yo6gPTXEsCAwEAATANBgkqhkiG9w0B
-AQUFAAOCAQEAmaYE98kOQWu6DV84ZcZP/OdT8eeu3vdB247nRj+6+GYItN/Gzqt4
-HVvz7c+FVTolCcAQQ+z3XGswI9fIJ78Hb0p9CgnLprc3L7Xtk60Im59Xlf3tcurn
-r/ZnSDcjRBXKiEDrSM0VrhAnc0GoSeb6aDWopec+1hWOWfBVAg9R8yJgU9sUgO3O
-0gimGyrw8eubmNhckSQLJTunUTsrkcBjuSg63wAD9OqCiX6c2eoQr+0YBp2eV2/n
-aOiJXWNLbeueMKSYiJNyyvM/dlON7/56cdwDTzKzgD34TImouM5VKipUwCX1ovLu
-ITLzALzpqFFzc8ugV9pMgUKtDbZoPp9EEA==
------END CERTIFICATE-----
diff --git a/keystonemiddleware-moon/examples/pki/certs/ssl_cert.pem b/keystonemiddleware-moon/examples/pki/certs/ssl_cert.pem
deleted file mode 100644
index cdd2e4c0..00000000
--- a/keystonemiddleware-moon/examples/pki/certs/ssl_cert.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDpjCCAo4CARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
-EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
-ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
-MzA5MTMxNjI1NDNaGA8yMDcyMDMwNzE2MjU0M1owgZAxCzAJBgNVBAYTAlVTMQsw
-CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
-Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
-cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDL06AaJROwHPgJ9tcySSBepzJ81jYars2sMvLjyuvd
-iIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rpv8dGDIDsxZQVjT/4SLaQUOeDM+9b
-fkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLYWso0SJD0vAi1gmGDlSM/mmhhHTpC
-DGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1ZrslPC5lFvlHD7KBBf6IU2A8Xh/dUa3
-p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYRR45pPCVkk6vFsy6P0JwwpnkszB+L
-cK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4YEPirGGrAgMBAAEwDQYJKoZIhvcN
-AQEFBQADggEBAAjU7YomUx/U56p1KWHvr1B7oczHF8fPHYbuk5c/N81WOJeSRy+P
-5ZGZ2UPjvqqXByv+78YWMKGY1BZ/2doeWuydr0sdSxEwmIUBYxFpujuYY+0AjS/n
-mMr1ZijK7TJssteKM7/MClzghUhPweDZrAg3ff1hbhK5QSy+9UPxUqLH44tfYSVC
-/BzM6se0p5ToM0bwdsa8TofaBRE1L1IW/Hg4VIGOoKs0R0uLm7+Oot2me2cEuZ6h
-Wls6MED8ND1Nz8EAKwndkeDu2iMM+qx/YFp6K8BQ5E5nXd2rbUZUlQMp1WbUlZ87
-KvC98aT0UYIq6uo1Lx/dQvJs7faAkYd4lmE=
------END CERTIFICATE-----
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.json b/keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.json
deleted file mode 100644
index 3da8f8bb..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.json
+++ /dev/null
@@ -1,85 +0,0 @@
-{
- "access": {
- "token": {
- "expires": "2038-01-18T21:14:07Z",
- "id": "placeholder",
- "tenant": {
- "id": "tenant_id1",
- "enabled": true,
- "description": null,
- "name": "tenant_name1"
- }
- },
- "serviceCatalog": [
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:9292/v1",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:9292/v1",
- "publicURL": "http://127.0.0.1:9292/v1"
- }
- ],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:35357/v2.0",
- "region": "RegionOne",
- "internalURL": "http://127.0.0.1:35357/v2.0",
- "publicURL": "http://127.0.0.1:5000/v2.0"
- }
- ],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "user": {
- "username": "revoked_username1",
- "roles_links": [
- "role1",
- "role2"
- ],
- "id": "revoked_user_id1",
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "name": "revoked_username1"
- }
- }
-}
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.pem b/keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.pem
deleted file mode 100644
index a685a457..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.pem
+++ /dev/null
@@ -1,75 +0,0 @@
------BEGIN CMS-----
-MIINnQYJKoZIhvcNAQcCoIINjjCCDYoCAQExCTAHBgUrDgMCGjCCC6oGCSqGSIb3
-DQEHAaCCC5sEgguXew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6
-IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIwMzgtMDEtMThUMjE6MTQ6MDda
-IiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAgICAgICAg
-ICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5hbnRfaWQx
-IiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAgICAgICAg
-ICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAgICAibmFt
-ZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQog
-ICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAg
-ICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAg
-ICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAg
-ICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6
-ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4w
-LjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEy
-Ny4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdh
-Ig0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAg
-ICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAgICAgICAg
-ICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7
-DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAg
-ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3
-LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lv
-biI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVy
-bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAg
-ICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5
-Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s
-DQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAg
-ICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAg
-ICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAg
-IHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8v
-MTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2
-NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv
-bk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAi
-aHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBm
-Y2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VS
-TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVl
-OGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAg
-ICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29tcHV0ZSIs
-DQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAgICAgIH0s
-DQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5r
-cyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAg
-ICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVS
-TCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAgICAgICAg
-ICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAgICAgICAg
-ICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUz
-NTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjog
-Imh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAgICAgICAg
-ICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAidHlwZSI6
-ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5c3RvbmUi
-DQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2VyIjogew0K
-ICAgICAgICAgICAgInVzZXJuYW1lIjogInJldm9rZWRfdXNlcm5hbWUxIiwNCiAg
-ICAgICAgICAgICJyb2xlc19saW5rcyI6IFsNCiAgICAgICAgICAgICAgICAicm9s
-ZTEiLA0KICAgICAgICAgICAgICAgICJyb2xlMiINCiAgICAgICAgICAgIF0sDQog
-ICAgICAgICAgICAiaWQiOiAicmV2b2tlZF91c2VyX2lkMSIsDQogICAgICAgICAg
-ICAicm9sZXMiOiBbDQogICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAg
-ICAgICAibmFtZSI6ICJyb2xlMSINCiAgICAgICAgICAgICAgICB9LA0KICAgICAg
-ICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIi
-DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAg
-ICJuYW1lIjogInJldm9rZWRfdXNlcm5hbWUxIg0KICAgICAgICB9DQogICAgfQ0K
-fQ0KMYIByjCCAcYCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQsw
-CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
-Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
-cGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAHBgUrDgMCGjAN
-BgkqhkiG9w0BAQEFAASCAQAxJMbNZf0/IWg/+/ciWQr9yuW9M48hQdaHcN+t6qvZ
-OlPev8N1tP8pNTupW9LXt0N8ZU/8AzPLPeRXHqd4lzuDV6ttesfLL3Ag410o4Elb
-Aum11Y1kDGlbwnaYoD9m07FML1ZfOWJ81Z0CITVGGRX90e+jlYjtnmdshmi2saVl
-r/Sae6ta52gjptaZE9tOu42uXlfhWNuC0/W7lRuWbWSHZENZWtTHHz2Q+v/HxORf
-jY3kwSaVEkx9faQ9Npy6J+rSQg+lIMRAYw/rFWedEsP9MzHKBcKTXid0yIQ2ox1r
-1Em3WapL1FDpwJtHaaL92WTEQulpxJUcmzPgEd5H78+Q
------END CMS-----
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.pkiz b/keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.pkiz
deleted file mode 100644
index 9fbe8ea2..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_revoked.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJylVtly4jgUfddXzHuqK9jGED_Mgze8BInYeEF-8wJeBYTF29ePbEh3p9OZycxQRZUtS_eee87Rlb59oz9J1Qz0hwzXw8s3AA1DZxpsPh8CI6tjJFqxfKBjnSLL0pMli5bayo6oS6l7UlIoawUd31qavH7V1kbEAcVSdTGkg4mrpunG3nZmhllUxRzMV7k0N_b0eR8cMespeGNnkSbsjeKQ-tw5j8jiAoK1MTNkk43Ylol8N1_KYh74fBlrwjHa2_3bZOzbl9DnPbdsaGAxD3V7EiuHGix7tUPdtFkW4hU6hynqY3bJ4XbZ4wkuAgLZIMcsZGBv9ch3p9jBTUAQWSlVjgvMAugkmZE3qbE3q4Ct6igfEXWBnxwjln-JyA0VzT4JNuYV--07FGCA8X9QgAHGDxQSg0l7xIy3duQRySHR7WaVP9XQMbgxgTxtV0XKoR7XSaHWABV2jgjuA2IWuHd7pEAmcLIMFRLBLJ6ufDNHBW4Rq-Y7b3KmQSfbjVQN5Br7oAaR7l2oEsOHKiJ2E7HVNdHRLtKqa3iTMtps6EL9JttdtX2kLa6YdXPwb2X7hS8ewKLsBsL-qxLgs8jvA39OLnjPbtmtHGNg9yNhpLpgP6nGgMS7BrpUD4hAzAhn-nCKOxp5cUl26yal-4HCZO4L-Toh6qcWB18kazDXZDQX1f5n6cE_aT9kjom3D33hetP-TnQpXAf5Aa1zgFTFhM-ixVccaA0cXeH6iUWawYKgoGAIKpADJ7D3qpWmslALiqBIeUwMFhUqh29GaxLfpHyhL22m39b7u3LB33qdoDraSEyifWw0G7Y9RuTSg1EOhhGWMm1fAw-0K43wWI-PObt-c-FndgdfkLCn_DCoE1iYT5tfLT-osP5q9_ldcPAx-lebittARaxBUhh0wBQ262GxzcfanQPfrmi9x0QvPyVw4AIMBN4X15S40W10L1RbXTpSB46TjMJoYJ9eoKJeoJO5sFBn0LFmUElCcINNs5HFNRkg085Ds2W0jCoY3-0u8d1B3h8b7G3-QriCYRDenFYGG1TEpGoS7d5UNJ6JtGb4dgxufEyG4LSMXehbrbGf3PbC_WND-1wR-FkdaXRv5KYw1J5s6NGW35DFRDjTJO_6JaCa0gXuW0sbnjujmvwC2awSIpwC396NAW-GG9fcA3j9zwfmvfN29Lyk5ZkfXDoicYzR-kMJTMx63c8Lg00wKFJuOK-_Geo7T2_lfp8D7pPupDDCztFkMT40aaprYqpK0NBK-t9C69DIIlY8y1qojcpA69zIFlYAHdDUxvTcXl1CsdRExlVlCcrWRG3VQrSkFHmSGDuyh5iI8HxCFhS-uoaSOM4FcgZNh5OqqEIT7KMTtNVGacZMS7XJlsGm6hONti9HraAMv99M6MXEFG3sgx_b1hOjIdD-FmhJhC7oVRdKxphJbOHSZb1zkEtO6CfXwKfXH5oMSA1ePDdTRcwOjWL9fFdSJckS6bVHFfF1IvDP-CWbCmXy9NpVu_BpqcRivc16oLGr4hK_vmoz1BDkvSxetosqVk-l6J5X-elhpsFty70GHNfuNX6VQnbGwedWP0pnp9wFMTBTn1wV_hryDJ7He69j2piEh31eh4yyeDTnVnOUqwekOJskWmXPiGm6R-UlY4xz-ZjMe0C6bus-TBfLy45cLuHM19gyW1Df1s5JbjUu1XU3FphSW7XS6UnvrDYL42XW7YvwyD-fOhBCxpuHZbEsrSeTeY6cR3W5TY66RQ4MmmvZUYXRflFI5uuWEecPjMA9If-BMIFQZVOb04E_O0ai7my7iTy3iyjLPXa6O678kDwyBSTepGIrln2AO_U4mzlzS-TU7WP1_DJr_vwTjHdVFSk_7q1_AfJ_mjc= \ No newline at end of file
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.json b/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.json
deleted file mode 100644
index cf18fa18..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.json
+++ /dev/null
@@ -1,88 +0,0 @@
-{
- "access": {
- "token": {
- "expires": "2038-01-18T21:14:07Z",
- "id": "placeholder",
- "tenant": {
- "id": "tenant_id1",
- "enabled": true,
- "description": null,
- "name": "tenant_name1"
- },
- "audit_ids": [
- "SLIXlXQUQZWUi9VJrqdXqA"
- ]
- },
- "serviceCatalog": [
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:9292/v1",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:9292/v1",
- "publicURL": "http://127.0.0.1:9292/v1"
- }
- ],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:35357/v2.0",
- "region": "RegionOne",
- "internalURL": "http://127.0.0.1:35357/v2.0",
- "publicURL": "http://127.0.0.1:5000/v2.0"
- }
- ],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "user": {
- "username": "user_name1",
- "roles_links": [
- "role1",
- "role2"
- ],
- "id": "user_id1",
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "name": "user_name1"
- }
- }
-}
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.pem b/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.pem
deleted file mode 100644
index 68f50493..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.pem
+++ /dev/null
@@ -1,77 +0,0 @@
------BEGIN CMS-----
-MIIN5QYJKoZIhvcNAQcCoIIN1jCCDdICAQExDTALBglghkgBZQMEAgEwggvqBgkq
-hkiG9w0BBwGgggvbBIIL13sNCiAgICAiYWNjZXNzIjogew0KICAgICAgICAidG9r
-ZW4iOiB7DQogICAgICAgICAgICAiZXhwaXJlcyI6ICIyMDM4LTAxLTE4VDIxOjE0
-OjA3WiIsDQogICAgICAgICAgICAiaWQiOiAicGxhY2Vob2xkZXIiLA0KICAgICAg
-ICAgICAgInRlbmFudCI6IHsNCiAgICAgICAgICAgICAgICAiaWQiOiAidGVuYW50
-X2lkMSIsDQogICAgICAgICAgICAgICAgImVuYWJsZWQiOiB0cnVlLA0KICAgICAg
-ICAgICAgICAgICJkZXNjcmlwdGlvbiI6IG51bGwsDQogICAgICAgICAgICAgICAg
-Im5hbWUiOiAidGVuYW50X25hbWUxIg0KICAgICAgICAgICAgfSwNCiAgICAgICAg
-ICAgICJhdWRpdF9pZHMiOiBbDQogICAgICAgICAgICAgICAgIlNMSVhsWFFVUVpX
-VWk5VkpycWRYcUEiDQogICAgICAgICAgICBdDQogICAgICAgIH0sDQogICAgICAg
-ICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAg
-ICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAgICAgImVu
-ZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAg
-ICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92
-MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAg
-ICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAgICAgICAg
-ICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4
-Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAg
-ICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEyNy4wLjAu
-MTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIg0KICAg
-ICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAg
-ICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAgICAgICAgICJuYW1l
-IjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7DQogICAg
-ICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAgICAg
-ICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAg
-ICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4x
-OjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJy
-ZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVybmFsVVJM
-IjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAgICAgICAg
-ICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIN
-CiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0sDQogICAg
-ICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAgICAgICJu
-YW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7DQog
-ICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAg
-ICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAg
-ICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAu
-MC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIs
-DQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIs
-DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDov
-LzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJi
-NjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VSTCI6ICJo
-dHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZj
-Zjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAg
-ICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29tcHV0ZSIsDQogICAg
-ICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAgICAgIH0sDQogICAg
-ICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtd
-LA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAg
-ICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJo
-dHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAgICAgICAgICAgICAg
-ICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAg
-ICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUzNTcvdjIu
-MCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6
-Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAgICAgICAgICB9DQog
-ICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAidHlwZSI6ICJpZGVu
-dGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5c3RvbmUiDQogICAg
-ICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2VyIjogew0KICAgICAg
-ICAgICAgInVzZXJuYW1lIjogInVzZXJfbmFtZTEiLA0KICAgICAgICAgICAgInJv
-bGVzX2xpbmtzIjogWw0KICAgICAgICAgICAgICAgICJyb2xlMSIsDQogICAgICAg
-ICAgICAgICAgInJvbGUyIg0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICJp
-ZCI6ICJ1c2VyX2lkMSIsDQogICAgICAgICAgICAicm9sZXMiOiBbDQogICAgICAg
-ICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICJyb2xlMSIN
-CiAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgIHsNCiAgICAgICAg
-ICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAgICAgICAgfQ0K
-ICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICJuYW1lIjogInVzZXJfbmFtZTEi
-DQogICAgICAgIH0NCiAgICB9DQp9DQoxggHOMIIBygIBATCBpDCBnjEKMAgGA1UE
-BRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZh
-bGUxEjAQBgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkq
-hkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYg
-U2lnbmVkAgERMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQCgtkCXRzS8
-s7WjZCsKDhMt6q5JQIm7x6EMKCBaOABQG9EOVIAyqfoJDdjDtz9rZEPO3UVTpPkg
-VjtA0QV97qT8bX55AcCkk7kBRDOKTtco5GOGwjMxL+GWbIwWiB7DKIP4RA6NLZtF
-WxUbLBY+OgBSiayuHqSx+Rd08QC9oHf25wRkTNp3VFPxtAleDmASzdAoIafoS+FB
-Po+9WuTaGdeya7S+ms4SSyXf9cdMKGv010R/aMINWUWaBrkB4wlespYLmKH/XzwS
-pENRIdbI9XHEOYTWKqul5tucA3p21IA24ND6acl9CXHr3KeqXpRwclSZ38Kg/23T
-92D+SowEjlGf
------END CMS-----
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.pkiz b/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.pkiz
deleted file mode 100644
index cbfc0821..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJylVkuXojgY3edXzL5OnwLUKlnMgrdBwAJDgOx4KK-gVimC_PoJWFVdM93z6DNuNEFu7nfv98i3b-wjawZ0flPs7bj4BmwIV8s8MtdHAotr6khuqhzZ3nxQFFlcKpKr9SqSLDmneVHnMnFtTcq1Ls_DmZzXr6CoS0PsOFnujJxtHmUI9cXqXEaBU5HQGWB1zHc3k0uEC01K-ATZMxIWXRyaNL3BJwAVeLNVe24hqbeQNscq7DeVxm0qaRaU8AwV80QU9qJidomhVyQoronh0fT-jAMkWBTJwS03pfwMG9xGgXkmwbTm0gOmliKV8bSWyswYny-4UKC1vZ0AWhAFPB1pwoNHk0ZvM11sx733P9QsjCptaJcZ9DqFYCz4xOjFETgKcQ3i0NvHgTfFGtxMhDQaJXrhYazHmMenDSbr9KDXwUqXIeWnF1MB37KGVsR3CpAZ-jkR0pFywsRiLLwuEWibreyPvYIY_CmheIvuWhyzlddtyuXVRnAGrEpqbWXOhMtnzhBds0q7OpVXOk00kMasosEfHNXmCSoKp5KbSIjmm8AsnSrqHUErwUSpwYc4ENu7FiYlAou3Flty1-GUMH3Shomt_8gCjDT-Dwsw0phYrHCZGLTC2LQnJk3BZSvpybote7tKxwM6q9KeNmo6c0pRsLdLwTGgAEjFzmmcykE2Zw-YbgxNsA1SkSpfRA0UnEqbRVtTDLddPuYJWcnXmOVCyotn9v0GxnSE-iUbWWQr2rG4xxiFROj5JPAndiw_Ln_d3zPA0TXwq7Z916u-bRC8AiZY-X-cAH-H_An8L-KCT3URXNiTun8v2M_0AhO9QD-8U20_i6vJzqzyKsIALeVeqZ-AdyC2p9cgCWj7n7xXRnbz3hoiLqpIYwukjASbB_bgDk7gzyMUdaRxmo1Ky6hij1BWwLL7Lmg5CXcjQXZKhMVL0twtBiMlEo7Ue-zX3dQ44pXHperxag3azbmNLJjA6Dh3hpSzZlFvfUl18F8q7p_cAL8S78_CBZ_xHvjJHtYj69QQx8QZQqE_Jc3l3q14bmqiu1B-d8m5JqHMs470Q763yYwwQPbC2MK_AE5As7Hlexem3aQZ-AfRBlahvHNj4ZTz7ieObEdHwFdLfsGRT3DwHV3mo6Y_Rfy_VaHf2arEagWytSmCX8n7aUqx4cJmBLf7YbA0F7oLHTYDF_TDkSx0xhE2zcPp91jOrJlMU2pcU_EO8D6Fbqzb0D8zOLM-IZ4J-ugZ429Y3lnTejwYwAMemHBsOrn9u9JseOJPy77YOx1gf1bnnc1k4wfyHnN_Lul38AmEsdiHvGhHUB4qRZHS43h36EAeu11O5r1SSVDOHSxLPpKQ3yuDZN7XEZIoRrZ77hQ3UrHrQq0zVRdpW1uWDCDxvib3tunPcJscqMBygNoe7DRp-vNa6-hLypT3Z14RCedeQ9LLHfiMFO1CwYfy9tbvYPf1qlPLekHeSEiHzGDN1ZevI1B6B2Lpbh5sz-2Alk8nqVp3QSToG6g7J8IACYtI-8ndSHW_HqLJQHYlLc81aX3lauEoClh6VuT6CVmW_Xx4cUKMVpistrF-8znERbl2fHvMwv1Zg7ipXuENxJolYFGlM8EwxIGkw0pI51zZPri711NwFfOy9-h2eDMzXGe6HAtPSqjDtyZSZq0lXBUA-dVBNQ9FszxyDqe-1DG0sq2P0nb_-vCoLDptv3s43RpcnC1-vVPWh6J_uR7D1-xVklHsgVJt1t5DSq3mbKql9HradSuMTCoWQ_HywKdLk7-01l5nbWlbqI8WXjxrwgYhdFwe0MF9AUVO9lb9XD9JQ2Ku-TjaCYawm8_np5i1w2pmP9qSdKH5rttzT12SxPlSXOs3xXe0U6N6BnD2jNsSSlK1ffBnwirm-se3_a7NcLsk-e-_g-lCqznq98vtH9MPoOI= \ No newline at end of file
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.json b/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.json
deleted file mode 100644
index 04ec9f30..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.json
+++ /dev/null
@@ -1,85 +0,0 @@
-{
- "access": {
- "token": {
- "expires": "2010-06-02T14:47:34Z",
- "id": "placeholder",
- "tenant": {
- "id": "tenant_id1",
- "enabled": true,
- "description": null,
- "name": "tenant_name1"
- }
- },
- "serviceCatalog": [
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:9292/v1",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:9292/v1",
- "publicURL": "http://127.0.0.1:9292/v1"
- }
- ],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints_links": [],
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:35357/v2.0",
- "region": "RegionOne",
- "internalURL": "http://127.0.0.1:35357/v2.0",
- "publicURL": "http://127.0.0.1:5000/v2.0"
- }
- ],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "user": {
- "username": "user_name1",
- "roles_links": [
- "role1",
- "role2"
- ],
- "id": "user_id1",
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "name": "user_name1"
- }
- }
-}
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.pem b/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.pem
deleted file mode 100644
index c3de8bbe..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.pem
+++ /dev/null
@@ -1,75 +0,0 @@
------BEGIN CMS-----
-MIINhwYJKoZIhvcNAQcCoIINeDCCDXQCAQExCTAHBgUrDgMCGjCCC5QGCSqGSIb3
-DQEHAaCCC4UEgguBew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6
-IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIwMTAtMDYtMDJUMTQ6NDc6MzRa
-IiwNCiAgICAgICAgICAgICJpZCI6ICJwbGFjZWhvbGRlciIsDQogICAgICAgICAg
-ICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJpZCI6ICJ0ZW5hbnRfaWQx
-IiwNCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IHRydWUsDQogICAgICAgICAg
-ICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICAgICAibmFt
-ZSI6ICJ0ZW5hbnRfbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQog
-ICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIHsNCiAgICAg
-ICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAg
-ICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAg
-ICAgICAgICAgICAgICAgICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6
-ODc3Ni92MS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4w
-LjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEy
-Ny4wLjAuMTo4Nzc2L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdh
-Ig0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAg
-ICAgICAgICAgICAgICAidHlwZSI6ICJ2b2x1bWUiLA0KICAgICAgICAgICAgICAg
-ICJuYW1lIjogInZvbHVtZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7
-DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAg
-ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3
-LjAuMC4xOjkyOTIvdjEiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lv
-biI6ICJyZWdpb25PbmUiLA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVy
-bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAg
-ICAgICAgICAgICAgICAicHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5
-Mi92MSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s
-DQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAg
-ICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAg
-ICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAg
-IHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8v
-MTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2
-NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv
-bk9uZSIsDQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAi
-aHR0cDovLzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBm
-Y2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VS
-TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVl
-OGE2MGZjZjg5YmI2NjE3YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAg
-ICAgICAgICAgIF0sDQogICAgICAgICAgICAgICAgInR5cGUiOiAiY29tcHV0ZSIs
-DQogICAgICAgICAgICAgICAgIm5hbWUiOiAibm92YSINCiAgICAgICAgICAgIH0s
-DQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5r
-cyI6IFtdLA0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAg
-ICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVS
-TCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YyLjAiLA0KICAgICAgICAgICAg
-ICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiLA0KICAgICAgICAgICAg
-ICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUz
-NTcvdjIuMCIsDQogICAgICAgICAgICAgICAgICAgICAgICAicHVibGljVVJMIjog
-Imh0dHA6Ly8xMjcuMC4wLjE6NTAwMC92Mi4wIg0KICAgICAgICAgICAgICAgICAg
-ICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAidHlwZSI6
-ICJpZGVudGl0eSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAia2V5c3RvbmUi
-DQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJ1c2VyIjogew0K
-ICAgICAgICAgICAgInVzZXJuYW1lIjogInVzZXJfbmFtZTEiLA0KICAgICAgICAg
-ICAgInJvbGVzX2xpbmtzIjogWw0KICAgICAgICAgICAgICAgICJyb2xlMSIsDQog
-ICAgICAgICAgICAgICAgInJvbGUyIg0KICAgICAgICAgICAgXSwNCiAgICAgICAg
-ICAgICJpZCI6ICJ1c2VyX2lkMSIsDQogICAgICAgICAgICAicm9sZXMiOiBbDQog
-ICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICJy
-b2xlMSINCiAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgIHsNCiAg
-ICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTIiDQogICAgICAgICAgICAg
-ICAgfQ0KICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICJuYW1lIjogInVzZXJf
-bmFtZTEiDQogICAgICAgIH0NCiAgICB9DQp9DQoxggHKMIIBxgIBATCBpDCBnjEK
-MAgGA1UEBRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlT
-dW5ueXZhbGUxEjAQBgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUx
-JTAjBgkqhkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMT
-C1NlbGYgU2lnbmVkAgERMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIIBALYxBjRE
-hecjo98fUdki3cwcpGU8zY8XHQa4x15WGkPxkI1HwSYaId/WjrOWP2CxmT3vVe7Z
-lqV2a0YmdPx9zdDm09VmoiZr3HxYaNzXztT817dECYINCgz33EnansIyPHG2hjOR
-4Gt7R26MXf+AIRiCNuCFZPnHI1pfCbwuky9/iBokvE9mThA+bVrUPZd/2+jp4s3B
-n3+fbC+FCoZ5t522wGgEtVyMNvC90Wvvuf2mx7baXNo4/0ZG8C86lT+qmMe22zlf
-+DxmJl149p419zdv6rzTU7p2OeTBnkdw1GsEqKyvtHYxzAjLYjiJo6jyaERXBaLm
-/J7ZRSBmhHoLuWk=
------END CMS-----
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.pkiz b/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.pkiz
deleted file mode 100644
index 766b4cdd..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_scoped_expired.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJylVtlyozgUfddXzHuqK2xOzCObMdiSzW7pzUCMwchLbNavH4GT6kmnM5OZcZWrQEhH555z75V-_GA_1TAt9IcGveHlB4CWNW8cbC9OxNrXCVKcRDuxsWuhaeqTpCmO0Wq-Mlez4FXPoGYO44lkat7F9KxYBLpjzJUtG4ynRpZFzy-dvccCKhMR5qtcfbaO7PlIzlgIdbxx97EpH63ilEXiNY_p7AaIZz1Zmi3EQsvHUZAvNSUn0eSQmPI5Prr9-2QcubdtNAmDQ8OAlXw7d7lEP9Vg2Rsd6qRmWSgV9E8S6hNhKeJ22WMOF4RCgeRYgDzsnR5FgYR93BCK6Eovc1xgAUA_3Vt5k1lHuyRCWcf5yKgjUXqOhck6pndWbHeObOwKR-0HFmCg8X9YgIHGTxYqj2l7xnzo-drI5JTO3WaVT2voW-K4gSa1qyITUY_rtDBqgAo3RxT3hNoF7oMe6ZAn_n6PCpViAUuryM5RgVskGPku5K4MlHvZqOUgrnUkNYjn4Y05MXwoY-o2sVBW6RztYrOstncr482GLZzfbXtz7RibswoLQQ7-rW2_6DUBsDh0g2D_1QnwFfJH4K_FBR_VPXQr3xrU_SwYLW84SssRkIYVmav1wAgkvHxlD69Jx5Bnt3TnNRmrB0aTf1s4qVNqfJni4JtiDcnFjcnFvP-r9eCfvB92Tmh43EZydff-TeiDXA32AxbnQKlM6GQfz76Tgc6gUQW9qYBMSwCkYGQoKpAPOdiH5co0BGiSghTZBFNLQIUh4nuiNWlkM73Qt4rpt_H-Llzwt7lOUR1vVD41PzeajdCeY3rrwWgHz8tLjbWvQQfWlUZ6QjhJRLd-z8Kv0h18w8Ke6cOjThZgLjW_pvzggvfd7vM7cPAZ_btNJWigrtQgLSw2YMsbb1jsThLzTYPILVm853R--FLAQQswCPi2uGbCjdnGaqF8matnloHjJKuwGugrN6hj9rcD6DtPSE-eYO9uwZ02243OqnSgzDoP223PwijJ-O52aRQM9v4ssPf5M7kCwyC8Z9qBbFCR0LJJzbemYk742GyGb2dy14MbwFkYu23ktNaRu9fC28eG9bmCRPs6Nllt5LY8xJ5u2NGW35klVL6yTT70S8A8ZQuC95Y2PHdWyf1COeyZrbuxqfrvFTqAwRwMKB8ayDvg8VMn7tj5WcL83bER9K7BV7uwOEdLxzBK-Ux0Vi8bXobYUjt2zCsJ1gA7_5ts6zQZkVqtUCw1Q6GqBL7iB63WK_b9HftKGfrQuTaag_XQcSyjsXXHNzwAVcVU-MBQW2gHYljFx1JgKVxC12oMZZy8MJpynZhhFYguuztcW8NX1nfgqw8041a-bBDHaoHZGTRW89fbykGd7ckr2ZR9arIWFqj1AJTcgapYtI8Auk5jZONOutHcfBK11JqhM2GAhEVkfLjeKEjNDpf9ITflhlNZ-DOgKB67B2niTXTXpH1IYeWIT09VZWNhm5pu_7LFotenk40hKN5tMWmeLuGz5F_p9Lw8CZct2Exj5Vhc1ig3oPTgy6G0cGOnnYclRPPLjp6a5elZauAxWJk7U3pep74japd2cbW6ykoJIP5aWuX7hwdztjNlszcnrfuwmnC8LJSzZ11Osktpha621jm0Jdw6epycXy3yWK5odqWiC66rXBCk-CJeBffxOaJazV2mNJhOt4l2eFXI3o0Wt2oBV3SWRiePSlr56B_UY9dRTz2YEvCb9bK-zFdQrRHO5cuZqx5fIiHT1CZ3-SQq7Cpz7MNRvjxORbSpQnmy7B7YRZI_16hsr-B6Pb2IF9vVHjxzkSbJLjhEi9h4DOIVBeNd1ED6z3vpnxbOkgI= \ No newline at end of file
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.json b/keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.json
deleted file mode 100644
index 41566888..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "access": {
- "token": {
- "expires": "2112-08-17T15:35:34Z",
- "id": "01e032c996ef4406b144335915a41e79"
- },
- "serviceCatalog": {},
- "user": {
- "username": "user_name1",
- "roles_links": [],
- "id": "c9c89e3be3ee453fbf00c7966f6d3fbd",
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "name": "user_name1"
- }
- }
-}
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.pem b/keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.pem
deleted file mode 100644
index 6855221f..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CMS-----
-MIIERgYJKoZIhvcNAQcCoIIENzCCBDMCAQExCTAHBgUrDgMCGjCCAlMGCSqGSIb3
-DQEHAaCCAkQEggJAew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJ0b2tlbiI6
-IHsNCiAgICAgICAgICAgICJleHBpcmVzIjogIjIxMTItMDgtMTdUMTU6MzU6MzRa
-IiwNCiAgICAgICAgICAgICJpZCI6ICIwMWUwMzJjOTk2ZWY0NDA2YjE0NDMzNTkx
-NWE0MWU3OSINCiAgICAgICAgfSwNCiAgICAgICAgInNlcnZpY2VDYXRhbG9nIjog
-e30sDQogICAgICAgICJ1c2VyIjogew0KICAgICAgICAgICAgInVzZXJuYW1lIjog
-InVzZXJfbmFtZTEiLA0KICAgICAgICAgICAgInJvbGVzX2xpbmtzIjogW10sDQog
-ICAgICAgICAgICAiaWQiOiAiYzljODllM2JlM2VlNDUzZmJmMDBjNzk2NmY2ZDNm
-YmQiLA0KICAgICAgICAgICAgInJvbGVzIjogWw0KICAgICAgICAgICAgICAgIHsN
-CiAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAicm9sZTEiDQogICAgICAgICAg
-ICAgICAgfSwNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAg
-ICJuYW1lIjogInJvbGUyIg0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAg
-IF0sDQogICAgICAgICAgICAibmFtZSI6ICJ1c2VyX25hbWUxIg0KICAgICAgICB9
-DQogICAgfQ0KfQ0KMYIByjCCAcYCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
-EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
-ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAH
-BgUrDgMCGjANBgkqhkiG9w0BAQEFAASCAQAXNWXYv3q2EcEjigKDJEOvnKBGTHeV
-o9iwYmtdJ2kKtbuZiSGOcWymxNtv//IPMmNDWZ/uwDZt37YdPwCMRJa79h6dastD
-5slEZGMxgFekm/1yqpV2F7xGqGIED2rNTeBlVnYS6ZOL8hCqekPb1OqXZ3vDaHtQ
-rrBzNP8RbWS4MyUoVZtSEYANjJVp/zou/pYASml9iNPPKrl2xRgYuzaAirVIiTZt
-QZY4LQYnHdVBLTZ0fQQugohTba789ix0U79ReQrIOqnBD3OnmN0uRovu5s1HYyre
-c67FixOpNgA4IBFsqYG2feP6ZF1zCmAaRYX4LpprZLGzg/aPHxqjXGsT
------END CMS-----
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.pkiz b/keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.pkiz
deleted file mode 100644
index 13c5e40c..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_token_unscoped.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJx9VMmSozgQvfMVfa-oMAbbVRzmIAlZCFvQGLHewAs72MaY5esHuzt65tSKUEiZkS_z5RL5-TkfiAk1fiBmv4RPgVGq7kCg75qQps-jAawjamYd4QiBwUHAwgPiQIOJc1cThkg-67lDkH0jNo1lQbWwBqJZaQc4SXB2HvU0kIzyKLPMzOAXred_HV4DyVUD_5DGRKlp3iRnWWwp0kUhlh5lnNEN1dos9NM-8vXyOM4yoiPjeNxzsNpzLLsqXpo5e13Ry-gLfA0R3QizYc88p2eTnpu8kEIvEA0VSEGO55dNBi8Gw8PibCObtq7sEchO_szqd1DhWClt6BuXmJRd9It27Nt9Qqt1GnvOLP8GlEoXeMuS2e_oYywNb6YC3T6-_m_8dshxdpmdzPV4g14501p_xsQZab08_WEx44S_RHnnOL-56bGV6TlTUDlT6DmiwY0qqIKeESYLJg-kMA8LJoVZiHTl4otDkmi7ub1wSCgEHMGrimCd4x0DCQFLB8MDgwbHewYKIrwVKUOuywY0AR0mhgtBwkFhQHagPQaB6lqWhvuSn7x1d_bDuZXOgHNgvWwFCBqOHKUPvTU_kW0eTfjAwPc7EhoYtSV3fZQPz7hyBp2DHCbFLS0yovQiRBb2hG31KM--IcbSurTI29H0djSun8fqOGxVYP9ixThaGmVMgsSRyjqu3AIk-CAwcCTQbk3Q04gB8c-IzhMKgeUAONcCbO8atS73i3mAGF0iWEaZWKcHN11FAj1_r8a1F5ZGKDWGyD468ZlOstqwRb1jnp5-5fK-M-cJvXSTbE6Vxqs4Sg9dUQdNcSuE_Cfc3JzH-fqxLruP-wpoqpNGV9iP8lMuzsmGtUkY1PCeUyJHQ7Nl2vfJslSkKOoJWpOw21fD1JDztsjbyx27Hw95icVWut-JOC6a_SUK-k1AmpUrNtpjm3T5osNNEn608g1lsSOgZBVvppgUhx2vm-5ate56rZynjSgam_tr6J7awn9y4n5Lth48bJRdy6Wx8m52ju7IE1Z-G92-ldZegIXrbm6gHJuBT63Ss1g3be9i5-ZTVotYxMm5WNrPXaB2_PpzsPt_hPdKwYb633r5FzKfcIU= \ No newline at end of file
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.json b/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.json
deleted file mode 100644
index c5dc01a9..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.json
+++ /dev/null
@@ -1,88 +0,0 @@
-{
- "token": {
- "catalog": [
- {
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "endpoints_links": [],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:9292/v1",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:9292/v1",
- "publicURL": "http://127.0.0.1:9292/v1"
- }
- ],
- "endpoints_links": [],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne",
- "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
- }
- ],
- "endpoints_links": [],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints": [
- {
- "adminURL": "http://127.0.0.1:35357/v3",
- "region": "RegionOne",
- "internalURL": "http://127.0.0.1:35357/v3",
- "publicURL": "http://127.0.0.1:5000/v3"
- }
- ],
- "endpoints_links": [],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "expires_at": "2038-01-18T21:14:07Z",
- "project": {
- "enabled": true,
- "description": null,
- "name": "tenant_name1",
- "id": "tenant_id1",
- "domain": {
- "id": "domain_id1",
- "name": "domain_name1"
- }
- },
- "user": {
- "name": "revoked_username1",
- "id": "revoked_user_id1",
- "domain": {
- "id": "domain_id1",
- "name": "domain_name1"
- }
- },
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "methods": [
- "password"
- ]
- }
-}
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.pem b/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.pem
deleted file mode 100644
index 94a077ba..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.pem
+++ /dev/null
@@ -1,76 +0,0 @@
------BEGIN CMS-----
-MIINrQYJKoZIhvcNAQcCoIINnjCCDZoCAQExCTAHBgUrDgMCGjCCC7oGCSqGSIb3
-DQEHAaCCC6sEggunew0KICAgICJ0b2tlbiI6IHsNCiAgICAgICAgImNhdGFsb2ci
-OiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50cyI6
-IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAg
-ICAgImFkbWluVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92MS82NGI2ZjNm
-YmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAg
-ICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAgICAgICAgICAgICAgICAg
-ICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3YxLzY0
-YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwNCiAgICAgICAgICAgICAg
-ICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx
-LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIg0KICAgICAgICAgICAg
-ICAgICAgICB9DQogICAgICAgICAgICAgICAgXSwNCiAgICAgICAgICAgICAgICAi
-ZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAgICAgICAgICAgICAgInR5cGUiOiAi
-dm9sdW1lIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJ2b2x1bWUiDQogICAg
-ICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJlbmRw
-b2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAg
-ICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjkyOTIvdjEi
-LA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJyZWdpb25PbmUi
-LA0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVybmFsVVJMIjogImh0dHA6
-Ly8xMjcuMC4wLjE6OTI5Mi92MSIsDQogICAgICAgICAgICAgICAgICAgICAgICAi
-cHVibGljVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5Mi92MSINCiAgICAgICAg
-ICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0sDQogICAgICAgICAgICAg
-ICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAgICAgICAgICJ0eXBl
-IjogImltYWdlIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJnbGFuY2UiDQog
-ICAgICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJl
-bmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAg
-ICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzQv
-djEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAg
-ICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lvbk9uZSIsDQogICAgICAg
-ICAgICAgICAgICAgICAgICAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAu
-MTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJiNjYxN2EiLA0K
-ICAgICAgICAgICAgICAgICAgICAgICAgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3
-LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3
-YSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0sDQog
-ICAgICAgICAgICAgICAgImVuZHBvaW50c19saW5rcyI6IFtdLA0KICAgICAgICAg
-ICAgICAgICJ0eXBlIjogImNvbXB1dGUiLA0KICAgICAgICAgICAgICAgICJuYW1l
-IjogIm5vdmEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAg
-ICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAgICAgICAgIHsN
-CiAgICAgICAgICAgICAgICAgICAgICAgICJhZG1pblVSTCI6ICJodHRwOi8vMTI3
-LjAuMC4xOjM1MzU3L3YzIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdp
-b24iOiAiUmVnaW9uT25lIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRl
-cm5hbFVSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjM1MzU3L3YzIiwNCiAgICAgICAg
-ICAgICAgICAgICAgICAgICJwdWJsaWNVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo1
-MDAwL3YzIg0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAg
-XSwNCiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzX2xpbmtzIjogW10sDQogICAg
-ICAgICAgICAgICAgInR5cGUiOiAiaWRlbnRpdHkiLA0KICAgICAgICAgICAgICAg
-ICJuYW1lIjogImtleXN0b25lIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdLA0K
-ICAgICAgICAiZXhwaXJlc19hdCI6ICIyMDM4LTAxLTE4VDIxOjE0OjA3WiIsDQog
-ICAgICAgICJwcm9qZWN0Ijogew0KICAgICAgICAgICAgImVuYWJsZWQiOiB0cnVl
-LA0KICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAg
-ICJuYW1lIjogInRlbmFudF9uYW1lMSIsDQogICAgICAgICAgICAiaWQiOiAidGVu
-YW50X2lkMSIsDQogICAgICAgICAgICAiZG9tYWluIjogew0KICAgICAgICAgICAg
-ICAgICJpZCI6ICJkb21haW5faWQxIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6
-ICJkb21haW5fbmFtZTEiDQogICAgICAgICAgICB9DQogICAgICAgIH0sDQogICAg
-ICAgICJ1c2VyIjogew0KICAgICAgICAgICAgIm5hbWUiOiAicmV2b2tlZF91c2Vy
-bmFtZTEiLA0KICAgICAgICAgICAgImlkIjogInJldm9rZWRfdXNlcl9pZDEiLA0K
-ICAgICAgICAgICAgImRvbWFpbiI6IHsNCiAgICAgICAgICAgICAgICAiaWQiOiAi
-ZG9tYWluX2lkMSIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAiZG9tYWluX25h
-bWUxIg0KICAgICAgICAgICAgfQ0KICAgICAgICB9LA0KICAgICAgICAicm9sZXMi
-OiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgIm5hbWUiOiAicm9s
-ZTEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAgew0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogInJvbGUyIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdLA0K
-ICAgICAgICAibWV0aG9kcyI6IFsNCiAgICAgICAgICAgICJwYXNzd29yZCINCiAg
-ICAgICAgXQ0KICAgIH0NCn0NCjGCAcowggHGAgEBMIGkMIGeMQowCAYDVQQFEwE1
-MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55dmFsZTES
-MBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMGCSqGSIb3
-DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2VsZiBTaWdu
-ZWQCAREwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEggEAwFCjl3GSGrlil3cLwS11
-1gtc6K3gBSMbc7LviIFk4KDRBvHWEHT1fs/Q4T0Y12P97Uaxh47f2sNgdbsDKSE8
-K/KCeMy+0I7Eo3iDoXKcIRPux1sXFhOX36qLPpY4eWd3Q77MiUPng+78qA3AMPPl
-wEcfb2OaYsWmVi9jGsDfAvksF/WO5dg+G9m2l+zcboIJswsKbBJnM5bn8EDHk7bg
-YuMnOzqZsoymr6sehOPQ8QTV6kIj1w/gmtkaIH2QtBo78hCqjZ+cFeYy4zDk2HJg
-Mf7PDm0hx1G0hJMVxdNzkWoFvLreTzRselsrXrx8Gejof92JyKuBjZq0kBpphOHG
-6w==
------END CMS-----
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.pkiz b/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.pkiz
deleted file mode 100644
index 67823fd3..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_revoked.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJylVsmSozgQvesr5l7R0Symyhz6wG5oS5jFgLixtDEY7PLC-vUjYXd31Sw1PTOOcNgIZerle7no0yfykTXDRL8p0KMPnwA0zdWywNbXU2zuuwxJTqacyNpiUhRZXCqSow2KL63kYntRC6gYFVnfLQ3FOxuemfJAdbSVlNBFSSuK6PpttJiUu9VpaT6bq2uZrawuaYIqV-7PcSjscTPU8fzsjiAPt1dTsQ4px-6TcFHapfxiNsI-Dbfkv1TGhnjDYd1G3Lw2mGVfmE19MKsT-XU7kIb6a1qLr7GqlTuPvvxpnBtBi0OBeW_s1hmHxiSSmSQUW0A9pcfgmipvPB_dOm30NtffOkb73NCvKZdRlCkJlThna3A3iLt0Fdxiz6ThEGO3T7m6zVfw--Z9bLAEaeD5NHbFOuUrt7fLZQegb_LrSmqhshjsquDRhLu80jpUuSVq8BQ3VoWn7YRUyMb-fo8qucEcXtihVaIKDwBxWrlWpDJrgiON6Y7IqmOu7tKD2D5QvaYkrIzyo79HASiM_4MCUBg_UKyCMjXqKggseJdpz-Qr6Xk9LgdYZfSAfl1pz7aa8agUOegtOYAMk4srck6DKuRDBk5BbRsaB424iqtCwI3JoUrjsWeJEVXj6AqZ8ZC5Ea8kkdj6rm_Qxiu5S4juGSteye8lG0ms-i2nMn6X7Y4sv5L8qCg_4N_K9p6vwwhs36SE_WclwN95fuf4A3LBO3Z9U4Azu38mLAnZfcxtZ4ekIg-ZIVJEE4i44TVtbhP1HLKsuFbeV2PaiBz-IMXBr5FFk8uhIbVU-7fSg4-1n08e4zB_TbnFjOg70T4nzPIDUsItqfuRlO_1lzJQoRwthvWEGVzFDYBcXGIOsnByJhRuF9jHfdygxlbrElfkjZ_v50Q7yixpZa-Y_aVi-ut4_ypc8FGuY068kRxg_txo0I7kRZvwsARUjihirrTjEh5oV6LwLnFUT7nxIwv_Nt3BP0tI-dnyax5Pdy4eKV7ONh64SyRs0uaeZbQa44hW3hBsD_09C1cuk6mnbj1pIxqpIsS5f5oIJyxAI5FlnGH2eWiRMkb_ZMhCVepnREc2B_TUfFX3j9hfYzILcqNmvn1A3J03Nqe2ZLAETGKIh3vzIKPM0KeMz7usccpZlSZYZEY9xhHa4ciZkcFKmmyF6aHHDMDWnZHAGpB66hF7evQF8RpH8N0AefSILjXIhDr-VA08oI8pN9Sw_J4LwRRH5mNOut08_h7D9o3U8zwFhPXdvOhrDxWcPwzV-kD7A333xpiEFHcJFxxAxNPT7jDho3XFyvtNjz074pzAZ8WdbyhSduqLYmUAqdBkaBoH8v0GnVOvSFgNHEfXeo2FzrVXnPnZ0Hor2E7aGkoHQ2K3miJDxWG0AWiV5MgFCmQp85UAsWkjCDkpbRKSB2XpvnkPLZ-X67RGDA7RBbpar_az4zXQ-v36R977Wg0V-OP6Qm4vluTikIQhZDwhswmklDo63h2tG3EE8aRtoWzOJ0kDXG-54BqXsp-EeRuHjiKR0-Qe61_7hSrtT73qvL1PaTKQHXo30qTi8A1d3G3mrSX5pubCKREZlaxEeZF0qnqe3Gq0mmcvvB763tW0W69v-s-RDqpRgZnLY1x4BMViY3G8gDiW3cTRsolW2uc0MOVLyz_fal5dtTiSq7TstR2f2eNmoWKwQVmIxW25t-zzywnrqrEbO_VsuJd1bWtQ1vTyKWg3ngtbQfl80c8Xd0wydeAbqJRPVxcMHty3SBcuQd0vfX_h9ofRwuYUcmWwGJJ8SL7mJRwCzcebvLt5SqHwT_LGzgaxZ3aFBBzm5Ww_7faNib7K_nR4sXH7ujkdrPPlZSva8pNYtf1zPY0o6XtJv52T6LwNfIlbdkJvSQxA-XNVOzJ7Vlipvh6Dk_2UC0vmcxS3tiN9-QLmC62G1J-X298BCSOhiw== \ No newline at end of file
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.json b/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.json
deleted file mode 100644
index 90207457..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "token": {
- "audit_ids": [
- "SLIXlXQUQZWUi9VJrqdXqA"
- ],
- "methods": [
- "password"
- ],
- "roles": [
- {
- "name": "role1"
- },
- {
- "name": "role2"
- }
- ],
- "expires_at": "2038-01-18T21:14:07Z",
- "project": {
- "id": "tenant_id1",
- "domain": {
- "id": "domain_id1",
- "name": "domain_name1"
- },
- "enabled": true,
- "description": null,
- "name": "tenant_name1"
- },
- "catalog": [
- {
- "endpoints": [
- {
- "interface": "admin",
- "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- },
- {
- "interface": "internal",
- "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- },
- {
- "interface": "public",
- "url": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- }
- ],
- "type": "volume",
- "name": "volume"
- },
- {
- "endpoints": [
- {
- "interface": "admin",
- "url": "http://127.0.0.1:9292/v1",
- "region": "regionOne"
- },
- {
- "interface": "internal",
- "url": "http://127.0.0.1:9292/v1",
- "region": "regionOne"
- },
- {
- "interface": "public",
- "url": "http://127.0.0.1:9292/v1",
- "region": "regionOne"
- }
- ],
- "type": "image",
- "name": "glance"
- },
- {
- "endpoints": [
- {
- "interface": "admin",
- "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- },
- {
- "interface": "internal",
- "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- },
- {
- "interface": "public",
- "url": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
- "region": "regionOne"
- }
- ],
- "type": "compute",
- "name": "nova"
- },
- {
- "endpoints": [
- {
- "interface": "admin",
- "url": "http://127.0.0.1:35357/v3",
- "region": "RegionOne"
- },
- {
- "interface": "internal",
- "url": "http://127.0.0.1:35357/v3",
- "region": "RegionOne"
- },
- {
- "interface": "public",
- "url": "http://127.0.0.1:5000/v3",
- "region": "RegionOne"
- }
- ],
- "type": "identity",
- "name": "keystone"
- }
- ],
- "user": {
- "domain": {
- "id": "domain_id1",
- "name": "domain_name1"
- },
- "name": "user_name1",
- "id": "user_id1"
- }
- }
-}
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.pem b/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.pem
deleted file mode 100644
index e83e7a09..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.pem
+++ /dev/null
@@ -1,100 +0,0 @@
------BEGIN CMS-----
-MIISOAYJKoZIhvcNAQcCoIISKTCCEiUCAQExDTALBglghkgBZQMEAgEwghA9Bgkq
-hkiG9w0BBwGgghAuBIIQKnsNCiAgICAidG9rZW4iOiB7DQogICAgICAgICJhdWRp
-dF9pZHMiOiBbDQogICAgICAgICAgICAiU0xJWGxYUVVRWldVaTlWSnJxZFhxQSIN
-CiAgICAgICAgXSwNCiAgICAgICAgIm1ldGhvZHMiOiBbDQogICAgICAgICAgICAi
-cGFzc3dvcmQiDQogICAgICAgIF0sDQogICAgICAgICJyb2xlcyI6IFsNCiAgICAg
-ICAgICAgIHsNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJyb2xlMSINCiAgICAg
-ICAgICAgIH0sDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgIm5hbWUi
-OiAicm9sZTIiDQogICAgICAgICAgICB9DQogICAgICAgIF0sDQogICAgICAgICJl
-eHBpcmVzX2F0IjogIjIwMzgtMDEtMThUMjE6MTQ6MDdaIiwNCiAgICAgICAgInBy
-b2plY3QiOiB7DQogICAgICAgICAgICAiaWQiOiAidGVuYW50X2lkMSIsDQogICAg
-ICAgICAgICAiZG9tYWluIjogew0KICAgICAgICAgICAgICAgICJpZCI6ICJkb21h
-aW5faWQxIiwNCiAgICAgICAgICAgICAgICAibmFtZSI6ICJkb21haW5fbmFtZTEi
-DQogICAgICAgICAgICB9LA0KICAgICAgICAgICAgImVuYWJsZWQiOiB0cnVlLA0K
-ICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogbnVsbCwNCiAgICAgICAgICAgICJu
-YW1lIjogInRlbmFudF9uYW1lMSINCiAgICAgICAgfSwNCiAgICAgICAgImNhdGFs
-b2ciOiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50
-cyI6IFsNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAg
-ICAgICAgImludGVyZmFjZSI6ICJhZG1pbiIsDQogICAgICAgICAgICAgICAgICAg
-ICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92MS82NGI2ZjNmYmNj
-NTM0MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAg
-ICAicmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAgfSwN
-CiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAg
-ImludGVyZmFjZSI6ICJpbnRlcm5hbCIsDQogICAgICAgICAgICAgICAgICAgICAg
-ICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6ODc3Ni92MS82NGI2ZjNmYmNjNTM0
-MzVlOGE2MGZjZjg5YmI2NjE3YSIsDQogICAgICAgICAgICAgICAgICAgICAgICAi
-cmVnaW9uIjogInJlZ2lvbk9uZSINCiAgICAgICAgICAgICAgICAgICAgfSwNCiAg
-ICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAgImlu
-dGVyZmFjZSI6ICJwdWJsaWMiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInVy
-bCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzYvdjEvNjRiNmYzZmJjYzUzNDM1ZThh
-NjBmY2Y4OWJiNjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lv
-biI6ICJyZWdpb25PbmUiDQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAg
-ICAgICAgICBdLA0KICAgICAgICAgICAgICAgICJ0eXBlIjogInZvbHVtZSIsDQog
-ICAgICAgICAgICAgICAgIm5hbWUiOiAidm9sdW1lIg0KICAgICAgICAgICAgfSwN
-CiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAiZW5kcG9pbnRzIjogWw0K
-ICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAi
-aW50ZXJmYWNlIjogImFkbWluIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1
-cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3YxIiwNCiAgICAgICAgICAgICAg
-ICAgICAgICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0KICAgICAgICAgICAgICAg
-ICAgICB9LA0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAg
-ICAgICAgICAiaW50ZXJmYWNlIjogImludGVybmFsIiwNCiAgICAgICAgICAgICAg
-ICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3YxIiwNCiAg
-ICAgICAgICAgICAgICAgICAgICAgICJyZWdpb24iOiAicmVnaW9uT25lIg0KICAg
-ICAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAgICAgICB7DQogICAg
-ICAgICAgICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogInB1YmxpYyIsDQogICAg
-ICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0dHA6Ly8xMjcuMC4wLjE6OTI5
-Mi92MSIsDQogICAgICAgICAgICAgICAgICAgICAgICAicmVnaW9uIjogInJlZ2lv
-bk9uZSINCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIF0s
-DQogICAgICAgICAgICAgICAgInR5cGUiOiAiaW1hZ2UiLA0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogImdsYW5jZSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAg
-ICB7DQogICAgICAgICAgICAgICAgImVuZHBvaW50cyI6IFsNCiAgICAgICAgICAg
-ICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAgImludGVyZmFjZSI6
-ICJhZG1pbiIsDQogICAgICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0dHA6
-Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODli
-YjY2MTdhIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJyZWdpb24iOiAicmVn
-aW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9LA0KICAgICAgICAgICAgICAg
-ICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50ZXJmYWNlIjogImlu
-dGVybmFsIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDov
-LzEyNy4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJi
-NjYxN2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJyZWdp
-b25PbmUiDQogICAgICAgICAgICAgICAgICAgIH0sDQogICAgICAgICAgICAgICAg
-ICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRlcmZhY2UiOiAicHVi
-bGljIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1cmwiOiAiaHR0cDovLzEy
-Ny4wLjAuMTo4Nzc0L3YxLjEvNjRiNmYzZmJjYzUzNDM1ZThhNjBmY2Y4OWJiNjYx
-N2EiLA0KICAgICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJyZWdpb25P
-bmUiDQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICBdLA0K
-ICAgICAgICAgICAgICAgICJ0eXBlIjogImNvbXB1dGUiLA0KICAgICAgICAgICAg
-ICAgICJuYW1lIjogIm5vdmEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAg
-ew0KICAgICAgICAgICAgICAgICJlbmRwb2ludHMiOiBbDQogICAgICAgICAgICAg
-ICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICJpbnRlcmZhY2UiOiAi
-YWRtaW4iLA0KICAgICAgICAgICAgICAgICAgICAgICAgInVybCI6ICJodHRwOi8v
-MTI3LjAuMC4xOjM1MzU3L3YzIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJy
-ZWdpb24iOiAiUmVnaW9uT25lIg0KICAgICAgICAgICAgICAgICAgICB9LA0KICAg
-ICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAiaW50
-ZXJmYWNlIjogImludGVybmFsIiwNCiAgICAgICAgICAgICAgICAgICAgICAgICJ1
-cmwiOiAiaHR0cDovLzEyNy4wLjAuMTozNTM1Ny92MyIsDQogICAgICAgICAgICAg
-ICAgICAgICAgICAicmVnaW9uIjogIlJlZ2lvbk9uZSINCiAgICAgICAgICAgICAg
-ICAgICAgfSwNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAg
-ICAgICAgICAgImludGVyZmFjZSI6ICJwdWJsaWMiLA0KICAgICAgICAgICAgICAg
-ICAgICAgICAgInVybCI6ICJodHRwOi8vMTI3LjAuMC4xOjUwMDAvdjMiLA0KICAg
-ICAgICAgICAgICAgICAgICAgICAgInJlZ2lvbiI6ICJSZWdpb25PbmUiDQogICAg
-ICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICBdLA0KICAgICAgICAg
-ICAgICAgICJ0eXBlIjogImlkZW50aXR5IiwNCiAgICAgICAgICAgICAgICAibmFt
-ZSI6ICJrZXlzdG9uZSINCiAgICAgICAgICAgIH0NCiAgICAgICAgXSwNCiAgICAg
-ICAgInVzZXIiOiB7DQogICAgICAgICAgICAiZG9tYWluIjogew0KICAgICAgICAg
-ICAgICAgICJpZCI6ICJkb21haW5faWQxIiwNCiAgICAgICAgICAgICAgICAibmFt
-ZSI6ICJkb21haW5fbmFtZTEiDQogICAgICAgICAgICB9LA0KICAgICAgICAgICAg
-Im5hbWUiOiAidXNlcl9uYW1lMSIsDQogICAgICAgICAgICAiaWQiOiAidXNlcl9p
-ZDEiDQogICAgICAgIH0NCiAgICB9DQp9DQoxggHOMIIBygIBATCBpDCBnjEKMAgG
-A1UEBRMBNTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5u
-eXZhbGUxEjAQBgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAj
-BgkqhkiG9w0BCQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1Nl
-bGYgU2lnbmVkAgERMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQBBvzoh
-0iSPMQhuRCAtTG3cPhyewvf554MPjbGQnu8mYmmfyxl7gMmWkTAmyckAsSv4mS6/
-4SQj9WCn4T1lFkhUz7WWjCwt6fWWp3mzF8Nl/kMsJKDwlxDGbPzsyewXIUsw11sz
-q/Qxs7qGxQ1vYWnaWQ3hC3oZw7cOswKRJicdP439iVPvfqR9CDbK55sPP+ewZRgQ
-YJ3Uc/xDizxepudFJj9+VHKceA37/sVK0ataNe2uHLHwVBYPwOppMckP169QBw8x
-QYh9h+kcOAyZ5psiUzCpLKnlMiYDrVcTGxnTeiVHxKXxj/MERNhR1Y4lEr0ZHJ+p
-Y6p3FBP2VUCefaRh
------END CMS-----
diff --git a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.pkiz b/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.pkiz
deleted file mode 100644
index 74f8f632..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/auth_v3_token_scoped.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJy9V0tzozoT3etX3H1qKoBNEhbfgpexMJKNjXloZyDmJWwnNs9f_wnsSWYyuXUzc6uuq7yQQN2n-_RpNd--sZ-iGxD_paLNsPgGEISmIwfm4khgWkdYtiP1yPZWjqqqTqHKtt5qjmwpCU3SIlGIjXQ50ZskiddKUryAtMgMqeEUpTEStqkqEM5Xh3MWG9Ir8abZMlMeYcnT2EhrMkfDOoQHJY0meBJOzAJAyp2hanah0NKogw9wdmEHxDT0tuxlOYtK6UwcPdtvmuS5M6vA4ynMjwk8mHVobDsAD3xsqXJG_LTZ-SaNeCmNVWZIhR3S0NRy5NZy9KmrwXaZ69wylydeBgenDTP-AoiHucEis16EAp_u3mDTYvRUruvQm51CKp2IpmeDs7CcXchmcMJCuB4S9-PmDSosXQbVPBPPHoxx0cGlw8HduJZZfobnIucLtABoM8L5IbY1ZcaqeCaNe7fnBfFxHpW0iQ1ahxnzboh8aLQSGCwHwowLvLYmb0l0KzJXaoaMe08srZjnjpSz_AY_JQZ_AuE1IXxUNiO83XzNRdqxtnq9w920sXK5Qs5xivtIsCZBa_UBF-SkRAJhjhEPUG_32NtOAydoSInLpUazIGePnDiFWTPQRYlwg83oJl58CgVxFZbbMV-AZf8UsrijkqSBcOV-gE78IS_NmPXYN89XRlIunssPVvfUojyqkDptgJXrD0uN1VUmCWjzJGADCiTHZVDiHDuIQ71Ll4YuIIPkJE_EoIQCzvVJcE1uB66Qpreqcw87T6ocQaTwwCp0fv6Opgw8fGNJ4YOyPQXdNXfgT5P3PXfgj5Lnjvrhnn2FgissUodzdyjPD0X1fd-ULFX5tD7A3xXIF-tDBCgvuiHGr3D-GeXgdzgfKXegiEbK_yMaxX8KEXxGzTUEegm8mI4Hf2hxRGjTsMRvCFkIYhEZ0pCcfjjoTT6BXc6K0KPVFYXbhWPLM4_xfN2AZfZUIwdORsjqlPW9ZIJ7u45zvfqKNsBHcfxuUt8KibWx82cQ_wkh-F35fkQIfpf3j7SDT-TLjfLN9Rrn64xh60lp5kG_7bGGeOKkKc6VMhCC6dIzM4DzoMXC9cL4nrTb1XUtmkKqBjX6w31xWIuRca2HQJAu0dzlwC8SLsU6Lt_uQnZHrJtQYIm-XawfBQVGa976MlxpXxETGkJxIsYCGt8HP8GmP8O-NpFf-sUNAStvFZ7BF5oG84h43DEJd79SCbZ_IOEfHYJPPPJIkxtGZf-JhDcfmyv4IOGCqZPb-Wvxo4x3gitGEzYrvEufjwS3A_9muBjOgF-Hi3evsY9pRH-aE07kKrTR-23AGOhiteC7BYO-33m3xtKZjqPTIJyla9ed7VzePS1dsogOs8KbzxRIeWnvGCqQoymb-eYLNvspCBoF-z8j-9iocqC5tj3TG51H9rlR7XFt6I3pbnvdQnJhyPxWB6qCVJvTWz2XbSXBriJHjupiPixFMWY9goW2QYo8vqymyHQmCg0pZhMNfkVrvQFaM1q29Ca1iE97NmBW7BBFKjLUzYuxgeFEs3VTXgfeOxOuHA6GDpgDgyWrlDrS61ukwNGT3CJrK7hnkinOzosrNq2pMvOmNoEZQAJlb6spMlSQzBngBy-KbG9lNuoqsl45jyd9AeeC-HheWe3ZcDV83l82hJcKyxTugoXTmR29W7ggfMi9NIj3U057PbLunu_O-6Pf76PznSIHxJRq4e7OOIWL7KTwPgcP9f2rd7_dRKUwebBCDmgngUi2KFhknc5gFhThttK4Je6NbWFO4GIz0T3rsfJW4mql2yo1yqqtlZnzjLO21O874K2f7p-3F08ISRVMDf_iXbz5PD_K8sTuT0er8oTnKn5NWsdHyHVR99DQbfas-vv01XjSVsATVN47Wg1furyTLmYXI0p8ob7Xl6tjv6sXjplX6K40Nz4WV013XF_UIgmX3fSurGfTwwJ0j4vLEa_um-eE7-4VWqYvq8eX-z
bZTFYPl2htaOZRdlYzh4P_A-M3io619--V_wMk2UFA \ No newline at end of file
diff --git a/keystonemiddleware-moon/examples/pki/cms/revocation_list.der b/keystonemiddleware-moon/examples/pki/cms/revocation_list.der
deleted file mode 100644
index e69de29b..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/revocation_list.der
+++ /dev/null
diff --git a/keystonemiddleware-moon/examples/pki/cms/revocation_list.json b/keystonemiddleware-moon/examples/pki/cms/revocation_list.json
deleted file mode 100644
index 2c239e53..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/revocation_list.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "revoked": [
- {
- "expires": "2112-08-14T17:58:48Z",
- "id": "dc57ea171d2f93e4ff5fa01fe5711f2a"
- },
- {
- "expires": "2112-08-14T17:58:48Z",
- "id": "4948fb46f88c41af90b65213a48baef7"
- },
- {
- "expires": "2112-08-14T17:58:48Z",
- "id": "dc57ea171d2f93e4ff5fa01fe5711f2a"
- },
- {
- "expires": "2112-08-14T17:58:48Z",
- "id": "4948fb46f88c41af90b65213a48baef7"
- }
- ]
-}
diff --git a/keystonemiddleware-moon/examples/pki/cms/revocation_list.pem b/keystonemiddleware-moon/examples/pki/cms/revocation_list.pem
deleted file mode 100644
index a86d6d34..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/revocation_list.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CMS-----
-MIIEGAYJKoZIhvcNAQcCoIIECTCCBAUCAQExCTAHBgUrDgMCGjCCAiUGCSqGSIb3
-DQEHAaCCAhYEggISew0KICAgICJyZXZva2VkIjogWw0KICAgICAgICB7DQogICAg
-ICAgICAgICAiZXhwaXJlcyI6ICIyMTEyLTA4LTE0VDE3OjU4OjQ4WiIsDQogICAg
-ICAgICAgICAiaWQiOiAiZGM1N2VhMTcxZDJmOTNlNGZmNWZhMDFmZTU3MTFmMmEi
-DQogICAgICAgIH0sDQogICAgICAgIHsNCiAgICAgICAgICAgICJleHBpcmVzIjog
-IjIxMTItMDgtMTRUMTc6NTg6NDhaIiwNCiAgICAgICAgICAgICJpZCI6ICI0OTQ4
-ZmI0NmY4OGM0MWFmOTBiNjUyMTNhNDhiYWVmNyINCiAgICAgICAgfSwNCiAgICAg
-ICAgew0KICAgICAgICAgICAgImV4cGlyZXMiOiAiMjExMi0wOC0xNFQxNzo1ODo0
-OFoiLA0KICAgICAgICAgICAgImlkIjogImRjNTdlYTE3MWQyZjkzZTRmZjVmYTAx
-ZmU1NzExZjJhIg0KICAgICAgICB9LA0KICAgICAgICB7DQogICAgICAgICAgICAi
-ZXhwaXJlcyI6ICIyMTEyLTA4LTE0VDE3OjU4OjQ4WiIsDQogICAgICAgICAgICAi
-aWQiOiAiNDk0OGZiNDZmODhjNDFhZjkwYjY1MjEzYTQ4YmFlZjciDQogICAgICAg
-IH0NCiAgICBdDQp9DQoxggHKMIIBxgIBATCBpDCBnjEKMAgGA1UEBRMBNTELMAkG
-A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNV
-BAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0BCQEW
-FmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYgU2lnbmVkAgER
-MAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIIBAGMtzsHJdosl27LoRWYHGknORRWE
-K0E9a7Bm4ZDt0XiGn0opGWpXF3Kj+7q86Ph1qcG9vZy20e2V+8n5696//OgMGCZe
-QNbkOv70c0pkICMqczv4RaNF+UPetwDdv+p0WV8nLH5dDVc8Pp8B4T6fN6vXHXA2
-GMWxxn8SpF9bvP8S5VCAt7wsvmhWJpJVYe6bOdYzlhR0yLJzv4GvHtPVP+cBz6nS
-uJguvt77MfQU97pOaDbvfmsJRUf/L3Fd93KbgLTzFPEhddTs1oD9pSDckncnZwua
-9nIDn2iFNB/NfZrbqy+owM0Nt5j1m4dcPX/qm0J9DAhKGeDUbIu+81yL308=
------END CMS-----
diff --git a/keystonemiddleware-moon/examples/pki/cms/revocation_list.pkiz b/keystonemiddleware-moon/examples/pki/cms/revocation_list.pkiz
deleted file mode 100644
index 600fce02..00000000
--- a/keystonemiddleware-moon/examples/pki/cms/revocation_list.pkiz
+++ /dev/null
@@ -1 +0,0 @@
-PKIZ_eJx9VEuPszgQvPMr9h6NQgIhk8N3MMaACTaBmJdvCZMxGMhjkgmPX79kRtq9rNYXq0ul6u7qVr-9Tc9EDqZ_QbJ_BW8KwdhiXe5tLxyXz4KCsICXCQstCMHYQRCiHjLgmiL-sgSBjpzwpHPg_ubs8VFTrBC54DCBsYqEsL3T4A0848_DMqmxvIhUu1c8K7tD5jXFgA0M8UAYGnwGdJ8hVUkspAUy1gMZ6mmF7xh6Vw5fRK_Ox1jjKerpaNekzVdkGau8zRe8RR1JeUNZ0SskzYd87218aK5xm-iF00wVkCqoQEUk6kmldgFUe2qHk9BlEVgXNbAvlQ9BdUjDSnkRqVWrgcOnn7eBVUpq2SWXdZfLfDGJjDkL9by1Gy6L6nPfianN5uSa16JNRuXVJ5a4Jww_iCUehEUxYYVBmTCoVR5w1QncNj9-4DaSlH00OUMaScNhSjIqnEUtl0mbM9DzNl7QEfVceiU-q3fs_r-BL_-U_zYQq8FUNm-xSttcDxyiktRuA2ZWVMaTCC2n6qo8TVqFDt4my9ReCHc77YTZC2wCBs2rBc2zRFsChAMWMTIjYlKGfALq37gkMElIr8AReKagiQkEAzU1SYQ7BHIrCUMXdQ37SFffp4yXRyfukQThL_fCYLzpeLpiyodjy8OIIgLef5RhT_B-mawKLXoe27j3GJCmqG9lXTmbTjVhiKZmHs0po-pxuWqU0PlRGn-EhtWzaIvetsD-NxNhcEGbo5OLeNmcj21SA_FKVjjm_h6ADh8UAtR_9npaaxOEMTAnLwBePp4BLmXIWNlG3VbvrrPtiQexUW7rJVjJVTHLKFesvvOb53c2y3nfroKr_4HPWybJU5LKEN9F1blaEoPLEt9um4GU7jwrV4_30NvPxp29rpSZE9w6fjULI9zSqsSXWt34unwcYvmpzz_XiIe0nEtSfz6-gVaWj2__0JzrPF0PCCzvtnI-rXdREidG9V7NbmsBV_6mymo9HLTrEoxi53yWtrEjc_U6DtJ71MbzfWfCehrqqf-qb0q011N5z0mktafnQvrah6d2TEBxvsEi0o7hw_LnxL3Gxs2AJyPULAcZZR0GOHJPZzRX6GXHb1Y-J5pO3aO8k1ulj14d6C75KgSo8sN8zOaD2Y1P9P2F_yg_dwhR69-b9Dc2l4GQ \ No newline at end of file
diff --git a/keystonemiddleware-moon/examples/pki/gen_cmsz.py b/keystonemiddleware-moon/examples/pki/gen_cmsz.py
deleted file mode 100644
index 6840c08e..00000000
--- a/keystonemiddleware-moon/examples/pki/gen_cmsz.py
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/usr/bin/python
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import json
-import os
-
-from keystoneclient.common import cms
-from keystoneclient import utils
-
-CURRENT_DIR = os.path.abspath(os.path.dirname(__file__))
-
-
-def make_filename(*args):
- return os.path.join(CURRENT_DIR, *args)
-
-
-def generate_revocation_list():
- REVOKED_TOKENS = ['auth_token_revoked', 'auth_v3_token_revoked']
- revoked_list = []
- for token in REVOKED_TOKENS:
- with open(make_filename('cms', '%s.pkiz' % name), 'r') as f:
- token_data = f.read()
- id = utils.hash_signed_token(token_data.encode('utf-8'))
- revoked_list.append({
- 'id': id,
- "expires": "2112-08-14T17:58:48Z"
- })
- with open(make_filename('cms', '%s.pem' % name), 'r') as f:
- pem_data = f.read()
- token_data = cms.cms_to_token(pem_data).encode('utf-8')
- id = utils.hash_signed_token(token_data)
- revoked_list.append({
- 'id': id,
- "expires": "2112-08-14T17:58:48Z"
- })
- revoked_json = json.dumps({"revoked": revoked_list})
- with open(make_filename('cms', 'revocation_list.json'), 'w') as f:
- f.write(revoked_json)
- encoded = cms.pkiz_sign(revoked_json,
- SIGNING_CERT_FILE_NAME,
- SIGNING_KEY_FILE_NAME)
- with open(make_filename('cms', 'revocation_list.pkiz'), 'w') as f:
- f.write(encoded)
-
- encoded = cms.cms_sign_data(revoked_json,
- SIGNING_CERT_FILE_NAME,
- SIGNING_KEY_FILE_NAME)
- with open(make_filename('cms', 'revocation_list.pem'), 'w') as f:
- f.write(encoded)
-
-
-CA_CERT_FILE_NAME = make_filename('certs', 'cacert.pem')
-SIGNING_CERT_FILE_NAME = make_filename('certs', 'signing_cert.pem')
-SIGNING_KEY_FILE_NAME = make_filename('private', 'signing_key.pem')
-EXAMPLE_TOKENS = ['auth_token_revoked',
- 'auth_token_unscoped',
- 'auth_token_scoped',
- 'auth_token_scoped_expired',
- 'auth_v3_token_scoped',
- 'auth_v3_token_revoked']
-
-
-# Helper script to generate the sample data for testing
-# the signed tokens using the existing JSON data for the
-# MII-prefixed tokens. Uses the keys and certificates
-# generated in gen_pki.sh.
-def generate_der_form(name):
- derfile = make_filename('cms', '%s.der' % name)
- with open(derfile, 'w') as f:
- derform = cms.cms_sign_data(text,
- SIGNING_CERT_FILE_NAME,
- SIGNING_KEY_FILE_NAME, cms.PKIZ_CMS_FORM)
- f.write(derform)
-
-for name in EXAMPLE_TOKENS:
- json_file = make_filename('cms', name + '.json')
- pkiz_file = make_filename('cms', name + '.pkiz')
- with open(json_file, 'r') as f:
- string_data = f.read()
-
- # validate the JSON
- try:
- token_data = json.loads(string_data)
- except ValueError as v:
- raise SystemExit('%s while processing token data from %s: %s' %
- (v, json_file, string_data))
-
- text = json.dumps(token_data).encode('utf-8')
-
- # Uncomment to record the token uncompressed,
- # useful for debugging
- # generate_der_form(name)
-
- encoded = cms.pkiz_sign(text,
- SIGNING_CERT_FILE_NAME,
- SIGNING_KEY_FILE_NAME)
-
- # verify before writing
- cms.pkiz_verify(encoded,
- SIGNING_CERT_FILE_NAME,
- CA_CERT_FILE_NAME)
-
- with open(pkiz_file, 'w') as f:
- f.write(encoded)
-
- generate_revocation_list()
diff --git a/keystonemiddleware-moon/examples/pki/gen_pki.sh b/keystonemiddleware-moon/examples/pki/gen_pki.sh
deleted file mode 100755
index b8b28f9d..00000000
--- a/keystonemiddleware-moon/examples/pki/gen_pki.sh
+++ /dev/null
@@ -1,213 +0,0 @@
-#!/bin/bash
-
-# Copyright 2012 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# These functions generate the certificates and signed tokens for the tests.
-
-DIR=`dirname "$0"`
-CURRENT_DIR=`cd "$DIR" && pwd`
-CERTS_DIR=$CURRENT_DIR/certs
-PRIVATE_DIR=$CURRENT_DIR/private
-CMS_DIR=$CURRENT_DIR/cms
-
-
-function rm_old {
- rm -rf $CERTS_DIR/*.pem
- rm -rf $PRIVATE_DIR/*.pem
-}
-
-function cleanup {
- rm -rf *.conf > /dev/null 2>&1
- rm -rf index* > /dev/null 2>&1
- rm -rf *.crt > /dev/null 2>&1
- rm -rf newcerts > /dev/null 2>&1
- rm -rf *.pem > /dev/null 2>&1
- rm -rf serial* > /dev/null 2>&1
-}
-
-function generate_ca_conf {
- echo '
-[ req ]
-default_bits = 2048
-default_keyfile = cakey.pem
-default_md = default
-
-prompt = no
-distinguished_name = ca_distinguished_name
-
-x509_extensions = ca_extensions
-
-[ ca_distinguished_name ]
-serialNumber = 5
-countryName = US
-stateOrProvinceName = CA
-localityName = Sunnyvale
-organizationName = OpenStack
-organizationalUnitName = Keystone
-emailAddress = keystone@openstack.org
-commonName = Self Signed
-
-[ ca_extensions ]
-basicConstraints = critical,CA:true
-' > ca.conf
-}
-
-function generate_ssl_req_conf {
- echo '
-[ req ]
-default_bits = 2048
-default_keyfile = keystonekey.pem
-default_md = default
-
-prompt = no
-distinguished_name = distinguished_name
-
-[ distinguished_name ]
-countryName = US
-stateOrProvinceName = CA
-localityName = Sunnyvale
-organizationName = OpenStack
-organizationalUnitName = Keystone
-commonName = localhost
-emailAddress = keystone@openstack.org
-' > ssl_req.conf
-}
-
-function generate_cms_signing_req_conf {
- echo '
-[ req ]
-default_bits = 2048
-default_keyfile = keystonekey.pem
-default_md = default
-
-prompt = no
-distinguished_name = distinguished_name
-
-[ distinguished_name ]
-countryName = US
-stateOrProvinceName = CA
-localityName = Sunnyvale
-organizationName = OpenStack
-organizationalUnitName = Keystone
-commonName = Keystone
-emailAddress = keystone@openstack.org
-' > cms_signing_req.conf
-}
-
-function generate_signing_conf {
- echo '
-[ ca ]
-default_ca = signing_ca
-
-[ signing_ca ]
-dir = .
-database = $dir/index.txt
-new_certs_dir = $dir/newcerts
-
-certificate = $dir/certs/cacert.pem
-serial = $dir/serial
-private_key = $dir/private/cakey.pem
-
-default_days = 21360
-default_crl_days = 30
-default_md = default
-
-policy = policy_any
-
-[ policy_any ]
-countryName = supplied
-stateOrProvinceName = supplied
-localityName = optional
-organizationName = supplied
-organizationalUnitName = supplied
-emailAddress = supplied
-commonName = supplied
-' > signing.conf
-}
-
-function setup {
- touch index.txt
- echo '10' > serial
- generate_ca_conf
- mkdir newcerts
-}
-
-function check_error {
- if [ $1 != 0 ] ; then
- echo "Failed! rc=${1}"
- echo 'Bailing ...'
- cleanup
- exit $1
- else
- echo 'Done'
- fi
-}
-
-function generate_ca {
- echo 'Generating New CA Certificate ...'
- openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
- check_error $?
-}
-
-function ssl_cert_req {
- echo 'Generating SSL Certificate Request ...'
- generate_ssl_req_conf
- openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
- check_error $?
- #openssl req -in req.pem -text -noout
-}
-
-function cms_signing_cert_req {
- echo 'Generating CMS Signing Certificate Request ...'
- generate_cms_signing_req_conf
- openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
- check_error $?
- #openssl req -in req.pem -text -noout
-}
-
-function issue_certs {
- generate_signing_conf
- echo 'Issuing SSL Certificate ...'
- openssl ca -in ssl_req.pem -config signing.conf -batch
- check_error $?
- openssl x509 -in $CURRENT_DIR/newcerts/10.pem -out $CERTS_DIR/ssl_cert.pem
- check_error $?
- echo 'Issuing CMS Signing Certificate ...'
- openssl ca -in cms_signing_req.pem -config signing.conf -batch
- check_error $?
- openssl x509 -in $CURRENT_DIR/newcerts/11.pem -out $CERTS_DIR/signing_cert.pem
- check_error $?
-}
-
-function create_middleware_cert {
- cp $CERTS_DIR/ssl_cert.pem $CERTS_DIR/middleware.pem
- cat $PRIVATE_DIR/ssl_key.pem >> $CERTS_DIR/middleware.pem
-}
-
-function check_openssl {
- echo 'Checking openssl availability ...'
- which openssl
- check_error $?
-}
-
-JSON_FILES="${CMS_DIR}/auth_token_revoked.json ${CMS_DIR}/auth_token_unscoped.json ${CMS_DIR}/auth_token_scoped.json ${CMS_DIR}/auth_token_scoped_expired.json ${CMS_DIR}/revocation_list.json ${CMS_DIR}/auth_v3_token_scoped.json ${CMS_DIR}/auth_v3_token_revoked.json"
-
-function gen_sample_cms {
- for json_file in $JSON_FILES
- do
- openssl cms -sign -in $json_file -nosmimecap -signer $CERTS_DIR/signing_cert.pem -inkey $PRIVATE_DIR/signing_key.pem -outform PEM -nodetach -nocerts -noattr -out ${json_file/.json/.pem}
- done
-}
-
diff --git a/keystonemiddleware-moon/examples/pki/private/cakey.pem b/keystonemiddleware-moon/examples/pki/private/cakey.pem
deleted file mode 100644
index 1c93ee18..00000000
--- a/keystonemiddleware-moon/examples/pki/private/cakey.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCl8906EaRpibQF
-cCBWfxzLi5x/XpZ9iL6UX92NrSJxcDbaGws7s+GtjgDy8UOEonesRWTeqQEZtHpC
-3/UHHOnsA8F6ha/pq9LioqT7RehCnZCLBJwh5Ct+lclpWs15SkjJD2LTDkjox0eA
-9nOBx+XDlWyU/GAyqx5Wsvg/Kxr0iod9/4IcJdnSdUjq4v0Cxg/zNk08XPJX+F0b
-UDhgdUf7JrAmmS5LA8wphRnbIgtVsf6VN9HrbqtHAJDxh8gEfuwdhEW1df1fBtZ+
-6WMIF3IRSbIsZELFB6sqcyRj7HhMoWMkdEyPb2f8mq61MzTgE6lJGIyTRvEoFie7
-qtGADIofAgMBAAECggEBAJ47X3y2xaU7f0KQHsVafgI2JAnuDl+zusOOhJlJs8Wl
-0Sc1EgjjAxOQiqcaE96rap//qqYDTuFLjCenkuItV32KNzizr3+GLZWaruRHS6X4
-xpFG2/gUrsQL3fdudOxpP+01lmzW+f25xRvZ4VilWRabquSDntWxA0R3cOwKFbGD
-uuwbTw3pBrRfCk/2IdpQtRrvvkVIFiYT6b/zeCQzhp4RETbC0oxqcEEOIUGmimAV
-9cbwafinxCo54cOfX4JAh3j7Mp3eQUymoFk5gnmIeVe0QmpH2VkN7eItrhEvHKOk
-On7a5xvQ8s3wqPV5ZawHQcqar/p3QnGkiT6a+8LkIMECgYEA2iJ2DprTGZFRN0M7
-Yj4WLsSC3/GKK8eYsKG3TvMrmPqUDaiWLIvBoc1Le59x9eoF7Mha+WX+cAFL+GTg
-1sB+PUZZStpf1R1tGvMldvpQ+5GplUBpuQe4J0n5rCG6+5jkvSr7xO+G1B+C3GFq
-KR3iltiW5WJRVwh2k8yGvx3agyUCgYEAwsKFX82F7O+9IVud1JSQWmZMiyEK+DEX
-JRnwx4HBuWr+AZqbb0grRRb6x8JTUOD4T7DZGxTaAdfzzRjKU2sBAO8VCgaj2Auv
-5nsbvfXvrmDDCqwoaD2PMy+kgFvE0QTh65tzuGXl1IgpIYSC1JwnP6kOeUDbqE+k
-UXzfVZzDdvMCgYByk9dfJIPt0h7O4Em4+NO+DQqRhtYE2PqjDM60cZZc7IIICp2X
-GHHFA4i6jq3Vde9WyIbAqYpUWtoExzgylTm6BdGxN7NOxf4hQcZUEHepLIHfG85s
-mlloibrTZ4RH06+SjZlhgE9Z7JNYHvMcVc5HXc0k/9ep15AxYiUFDjFQ4QKBgG7i
-k089U4/X2wWgBNdgkmN1tQTNllJCmNvdzhG41dQ8j0vYe8C7BS+76qJLCGaW/6lX
-lfRuRcUg78UI5UDjPloKxR7FMwmxdb+yvdPEr2bH3qQ36nWW/u30pSMTnJYownwD
-MLp/AYCk2U4lBNwJ3+rF1ODCRY2pcnOWtg0nSL5zAoGAWRoOinogEnOodJzO7eB3
-TmL6M9QMyrAPBDsCnduJ8yW5mMUNod139YbSDxZPYwTLhK/GiHP/7OvLV5hg0s4s
-QKnNaMeEowX7dyEO4ehnbfzysxXPKLRVhWhN6MCUc71NMxqr7QkuCXAjJS6/G21+
-Im3+Xb3Scq+UZghR+jiEZF0=
------END PRIVATE KEY-----
diff --git a/keystonemiddleware-moon/examples/pki/private/signing_key.pem b/keystonemiddleware-moon/examples/pki/private/signing_key.pem
deleted file mode 100644
index 758c0ffe..00000000
--- a/keystonemiddleware-moon/examples/pki/private/signing_key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDM+VrILLl962VH
-S8EKWVzdkaOy0OoxGZ63gajM7VTm8AbgtVnYibIOnVZQuz1XbftIGNXPFhYNUypr
-LnMXrEEsnxgD4PvU/4bETG+stdricX6d1oKqsNFNR7F7zImiR/OzGhp7dONwccxf
-kfX4QHA5Ogso+XMfSdC72SRDszeCeGUcjuo/w2WSLW95SuVvcZLqE/pk3Q2TkCZ1
-8hvNfLoln43QpC469a7srUXATqOJ2mPNvL6E/wOyPefmAoCoG44lFoR3k2jZjBEI
-hstJxmH7XgvqErBzpcWd29dms8xz5PNwYdns9CIfb3GaHvQ6r5RTl37/avDrGHOW
-KOoD01xLAgMBAAECggEAaIi22qWsh+JYCW9B6NRAPyN6V8Sh2x6UykOO4cwb45b/
-+vOh+YPn0fo9vfhvxTnq0A8SY4WBA5SpanYK7kTEDEyqw7em1y7l/RB6V5t7IMb+
-6uIuS3zXkVEB3AApJSEK0Ql7/gBTydHPh+H5jnzWfujyLhhhtNBBarvH+drZcWio
-lWx8RERN4cH+3DZD/xxjH2Ff+X1XMvb8Xcup7MlWi2FtREg7LttLNWNK25iWjciP
-QwfWQIrURRJrD2IrOr9V2nuIEvRqRRBoO+pxJT2sC48NJ3hiKV2GtSQe2nRpQJ47
-f9MEsF5KVQOOn+aQ60EKOI0MpNPmpiCZ5hFvBrNuOQKBgQD6vueEdI9eJgz5YN+t
-XWdpNippv35RTD8R4bQcE6GqIUXOmtQFS2wPJLn7nisZUsGMNEs36Yl0T9iow63r
-5GNAfgzpqN1XZqaSMwAdxKmlBNYpAkVXHhv+1jN+9diDYmoj9T+3Q6Zvk5e/Liyp
-6i+TsDppwmmr2utWajhyJ7owFwKBgQDRROncTztGDYLfRcrIoYsPo79KQ8tqwd2a
-07Usch2kplTqojCUmmhMMFgV2eZPPiCjnEy2bAYh9I/oj7xG6EwApXTshZdCpivC
-rbUV64MakRTUP8IvM6PdI+apkJRsRUi/bSyIbcRlvEoCMNZhfj/5VY6w/jlwrPJj
-oBOCXBlB7QKBgQDGEbEeX1i03UfYYh6uep7qbEAaooqsu5cCkBDPMO6+TmQvLPyY
-Zhio6bEEQs/2w/lhwBk+xHqw5zXVMiWbtiB03F1k4eBeXxbrW+AWo7gCQ4zMfh+6
-Dm284wVwn9D1D/OaDevT31uEvcjb2ySq3/PPLSEnU8xXVaoa6/NEsX8Q5wKBgQCm
-2smULWBXZKJ6n00mVxdnqun0rsVcI6Mrta14+KwGAdEnG5achdivFsTE924YtLKV
-gSPxN4RUQokTprc52jHvOf1WMNYAADpYCOSfy55G6nKvIP8VX5lB00Qw4uRUx5FP
-gB7H0K2NaGmiAYqNRXqAtOUG3kyyOFMzeAjWIdTJqQKBgQCHzY1c7sS1vv7mPEkr
-6CpwoaEbZeFnWoHBA8Rd82psqfYsVJIRwk5Id8zgDSEmoEi8hQ9UrYbrFpLK77xq
-EYSxLQHTNlM0G3lyEsv/gJhwYYhdTYiW3Cx3F6Y++jyn9O/+hFMyQvuesAL7DUYE
-ptEfvzFprpQUpByXkIpuJub6fg==
------END PRIVATE KEY-----
diff --git a/keystonemiddleware-moon/examples/pki/private/ssl_key.pem b/keystonemiddleware-moon/examples/pki/private/ssl_key.pem
deleted file mode 100644
index 363ce94b..00000000
--- a/keystonemiddleware-moon/examples/pki/private/ssl_key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDL06AaJROwHPgJ
-9tcySSBepzJ81jYars2sMvLjyuvdiIBbhWvbS/a9Tw3WgL8H6OALkHiOU/f0A6Rp
-v8dGDIDsxZQVjT/4SLaQUOeDM+9bfkKHpSd9G3CsdSSZgOH08n+MyZ7slPHfUHLY
-Wso0SJD0vAi1gmGDlSM/mmhhHTpCDGo6Wbwqare6JNeTCGJTJYwrxtoMCh/W1Zrs
-lPC5lFvlHD7KBBf6IU2A8Xh/dUa3p5pmQeHPW8Em90DzIB1qH0DRXl3KANc24xYR
-R45pPCVkk6vFsy6P0JwwpnkszB+LcK6CEsJhLsOYvQFsiQfSZ8m7YGhgrMLxtop4
-YEPirGGrAgMBAAECggEATwvbY0hNwlb5uqOIAXBqpUqiQdexU9fG26lGmSDxKBDv
-9o5frcRgBDrMWwvDCgY+HT4CAvB9kJx4/qnpVjkzJp/ZNiJ5VIiehIlbv348rXbh
-xkk+bz5dDATCFOXuu1fwL2FhyM5anwhMAav0DyK1VLQ3jGzr9GO6L8hqAn+bQFFu
-6ngiODwfhBMl5aRoL9UOBEhccK07znrH0JGRz+3+5Cdz59Xw91Bv210LhNNDL58+
-0JD0N+YztVOQd2bgwo0bQbOEijzmYq+0mjoqAnJh1/++y7PlIPs0AnPgqSnFPx9+
-6FsQEVRgk5Uq3kvPLaP4nT2y6MDZSp+ujYldvJhyQQKBgQDuX2pZIJMZ4aFnkG+K
-TmJ5wsLa/u9an0TmvAL9RLtBpVpQNKD8cQ+y8PUZavXDbAIt5NWqZVnTbCR79Dnd
-mZKblwcHhtsyA5f89el5KcxY2BREWdHdTnJpNd7XRlUECmzvX1zGj77lA982PhII
-yflRBRV3vqLkgC8vfoYgRyRElwKBgQDa5jnLdx/RahfYMOgn1HE5o4hMzLR4Y0Dd
-+gELshcUbPqouoP5zOb8WOagVJIgZVOSN+/VqbilVYrqRiNTn2rnoxs+HHRdaJNN
-3eXllD4J2HfC2BIj1xSpIdyh2XewAJqw9IToHNB29QUhxOtgwseHciPG6JaKH2ik
-kqGKH/EKDQKBgFFAftygiOPCkCTgC9UmANUmOQsy6N2H+pF3tsEj43xt44oBVnqW
-A1boYXNnjRwuvdNs9BPf9i1l6E3EItFRXrLgWQoMwryakv0ryYh+YeRKyyW9RBbe
-fYs1TJ8unx4Ae79gTxxztQsVNcmkgLs0NWKTjAzEE3w14V+cDhYEie1DAoGBAJdI
-V5cLrBzBstsB6eBlDR9lqrRRIUS2a8U9m+1mVlcSfiWQSdehSd4K3tDdwePLw3ch
-W4qR8n+pYAlLEe0gFvUhn5lMdwt7U5qUCeehjUKmrRYm2FqWsbu2IFJnBjXIJSC4
-zQXRrC0aZ0KQYpAL7XPpaVp1slyhGmPqxuO78Y0dAoGBAMHo3EIMwu9rfuGwFodr
-GFsOZhfJqgo5GDNxxf89Q9WWpMDTCdX+wdBTrN/wsMbBuwIDHrUuRnk6D5CWRjSk
-/ikCgHN3kOtrbL8zzqRomGAIIWKYGFEIGe1GHVGo5r//HXHdPxFXygvruQ/xbOA4
-RGvmDiji8vVDq7Shho8I6KuT
------END PRIVATE KEY-----
diff --git a/keystonemiddleware-moon/examples/pki/run_all.sh b/keystonemiddleware-moon/examples/pki/run_all.sh
deleted file mode 100755
index ba2f0b6e..00000000
--- a/keystonemiddleware-moon/examples/pki/run_all.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash -x
-
-# Copyright 2012 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# This script generates the crypto necessary for the SSL tests.
-
-. gen_pki.sh
-
-check_openssl
-rm_old
-cleanup
-setup
-generate_ca
-ssl_cert_req
-cms_signing_cert_req
-issue_certs
-create_middleware_cert
-gen_sample_cms
-cleanup
diff --git a/keystonemiddleware-moon/keystonemiddleware.egg-info/dependency_links.txt b/keystonemiddleware-moon/keystonemiddleware.egg-info/dependency_links.txt
deleted file mode 100644
index 8b137891..00000000
--- a/keystonemiddleware-moon/keystonemiddleware.egg-info/dependency_links.txt
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/keystonemiddleware-moon/keystonemiddleware.egg-info/entry_points.txt b/keystonemiddleware-moon/keystonemiddleware.egg-info/entry_points.txt
deleted file mode 100644
index 8bc83366..00000000
--- a/keystonemiddleware-moon/keystonemiddleware.egg-info/entry_points.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-[oslo.config.opts]
-keystonemiddleware.auth_token = keystonemiddleware.opts:list_auth_token_opts
-
diff --git a/keystonemiddleware-moon/keystonemiddleware.egg-info/not-zip-safe b/keystonemiddleware-moon/keystonemiddleware.egg-info/not-zip-safe
deleted file mode 100644
index 8b137891..00000000
--- a/keystonemiddleware-moon/keystonemiddleware.egg-info/not-zip-safe
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/keystonemiddleware-moon/keystonemiddleware.egg-info/top_level.txt b/keystonemiddleware-moon/keystonemiddleware.egg-info/top_level.txt
deleted file mode 100644
index 0622f2ef..00000000
--- a/keystonemiddleware-moon/keystonemiddleware.egg-info/top_level.txt
+++ /dev/null
@@ -1 +0,0 @@
-keystonemiddleware
diff --git a/keystonemiddleware-moon/keystonemiddleware/audit.py b/keystonemiddleware-moon/keystonemiddleware/audit.py
deleted file mode 100644
index e3536092..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/audit.py
+++ /dev/null
@@ -1,449 +0,0 @@
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""
-Build open standard audit information based on incoming requests
-
-AuditMiddleware filter should be placed after keystonemiddleware.auth_token
-in the pipeline so that it can utilise the information the Identity server
-provides.
-"""
-
-import ast
-import collections
-import functools
-import logging
-import os.path
-import re
-import sys
-
-from oslo_config import cfg
-from oslo_context import context
-try:
- import oslo_messaging
- messaging = True
-except ImportError:
- messaging = False
-from pycadf import cadftaxonomy as taxonomy
-from pycadf import cadftype
-from pycadf import credential
-from pycadf import endpoint
-from pycadf import eventfactory as factory
-from pycadf import host
-from pycadf import identifier
-from pycadf import reason
-from pycadf import reporterstep
-from pycadf import resource
-from pycadf import tag
-from pycadf import timestamp
-import six
-from six.moves import configparser
-from six.moves.urllib import parse as urlparse
-import webob.dec
-
-from keystonemiddleware.i18n import _LE, _LI
-
-
-_LOG = None
-
-
-def _log_and_ignore_error(fn):
- @functools.wraps(fn)
- def wrapper(*args, **kwargs):
- try:
- return fn(*args, **kwargs)
- except Exception as e:
- _LOG.exception(_LE('An exception occurred processing '
- 'the API call: %s '), e)
- return wrapper
-
-
-Service = collections.namedtuple('Service',
- ['id', 'name', 'type', 'admin_endp',
- 'public_endp', 'private_endp'])
-
-
-AuditMap = collections.namedtuple('AuditMap',
- ['path_kw',
- 'custom_actions',
- 'service_endpoints',
- 'default_target_endpoint_type'])
-
-
-# NOTE(blk-u): Compatibility for Python 2. SafeConfigParser and
-# SafeConfigParser.readfp are deprecated in Python 3. Remove this when we drop
-# support for Python 2.
-if six.PY2:
- class _ConfigParser(configparser.SafeConfigParser):
- read_file = configparser.SafeConfigParser.readfp
-else:
- _ConfigParser = configparser.ConfigParser
-
-
-class OpenStackAuditApi(object):
-
- def __init__(self, cfg_file):
- """Configure to recognize and map known api paths."""
- path_kw = {}
- custom_actions = {}
- endpoints = {}
- default_target_endpoint_type = None
-
- if cfg_file:
- try:
- map_conf = _ConfigParser()
- map_conf.read_file(open(cfg_file))
-
- try:
- default_target_endpoint_type = map_conf.get(
- 'DEFAULT', 'target_endpoint_type')
- except configparser.NoOptionError:
- pass
-
- try:
- custom_actions = dict(map_conf.items('custom_actions'))
- except configparser.Error:
- pass
-
- try:
- path_kw = dict(map_conf.items('path_keywords'))
- except configparser.Error:
- pass
-
- try:
- endpoints = dict(map_conf.items('service_endpoints'))
- except configparser.Error:
- pass
- except configparser.ParsingError as err:
- raise PycadfAuditApiConfigError(
- 'Error parsing audit map file: %s' % err)
- self._MAP = AuditMap(
- path_kw=path_kw, custom_actions=custom_actions,
- service_endpoints=endpoints,
- default_target_endpoint_type=default_target_endpoint_type)
-
- @staticmethod
- def _clean_path(value):
- """Clean path if path has json suffix."""
- return value[:-5] if value.endswith('.json') else value
-
- def get_action(self, req):
- """Take a given Request, parse url path to calculate action type.
-
- Depending on req.method:
-
- if POST:
-
- - path ends with 'action', read the body and use as action;
- - path ends with known custom_action, take action from config;
- - request ends with known path, assume is create action;
- - request ends with unknown path, assume is update action.
-
- if GET:
-
- - request ends with known path, assume is list action;
- - request ends with unknown path, assume is read action.
-
- if PUT, assume update action.
- if DELETE, assume delete action.
- if HEAD, assume read action.
-
- """
- path = req.path[:-1] if req.path.endswith('/') else req.path
- url_ending = self._clean_path(path[path.rfind('/') + 1:])
- method = req.method
-
- if url_ending + '/' + method.lower() in self._MAP.custom_actions:
- action = self._MAP.custom_actions[url_ending + '/' +
- method.lower()]
- elif url_ending in self._MAP.custom_actions:
- action = self._MAP.custom_actions[url_ending]
- elif method == 'POST':
- if url_ending == 'action':
- try:
- if req.json:
- body_action = list(req.json.keys())[0]
- action = taxonomy.ACTION_UPDATE + '/' + body_action
- else:
- action = taxonomy.ACTION_CREATE
- except ValueError:
- action = taxonomy.ACTION_CREATE
- elif url_ending not in self._MAP.path_kw:
- action = taxonomy.ACTION_UPDATE
- else:
- action = taxonomy.ACTION_CREATE
- elif method == 'GET':
- if url_ending in self._MAP.path_kw:
- action = taxonomy.ACTION_LIST
- else:
- action = taxonomy.ACTION_READ
- elif method == 'PUT' or method == 'PATCH':
- action = taxonomy.ACTION_UPDATE
- elif method == 'DELETE':
- action = taxonomy.ACTION_DELETE
- elif method == 'HEAD':
- action = taxonomy.ACTION_READ
- else:
- action = taxonomy.UNKNOWN
-
- return action
-
- def _get_service_info(self, endp):
- service = Service(
- type=self._MAP.service_endpoints.get(
- endp['type'],
- taxonomy.UNKNOWN),
- name=endp['name'],
- id=identifier.norm_ns(endp['endpoints'][0].get('id',
- endp['name'])),
- admin_endp=endpoint.Endpoint(
- name='admin',
- url=endp['endpoints'][0].get('adminURL', taxonomy.UNKNOWN)),
- private_endp=endpoint.Endpoint(
- name='private',
- url=endp['endpoints'][0].get('internalURL', taxonomy.UNKNOWN)),
- public_endp=endpoint.Endpoint(
- name='public',
- url=endp['endpoints'][0].get('publicURL', taxonomy.UNKNOWN)))
-
- return service
-
- def _build_typeURI(self, req, service_type):
- """Build typeURI of target
-
- Combines service type and corresponding path for greater detail.
- """
- type_uri = ''
- prev_key = None
- for key in re.split('/', req.path):
- key = self._clean_path(key)
- if key in self._MAP.path_kw:
- type_uri += '/' + key
- elif prev_key in self._MAP.path_kw:
- type_uri += '/' + self._MAP.path_kw[prev_key]
- prev_key = key
- return service_type + type_uri
-
- def _build_target(self, req, service):
- """Build target resource."""
- target_typeURI = (
- self._build_typeURI(req, service.type)
- if service.type != taxonomy.UNKNOWN else service.type)
- target = resource.Resource(typeURI=target_typeURI,
- id=service.id, name=service.name)
- if service.admin_endp:
- target.add_address(service.admin_endp)
- if service.private_endp:
- target.add_address(service.private_endp)
- if service.public_endp:
- target.add_address(service.public_endp)
- return target
-
- def get_target_resource(self, req):
- """Retrieve target information
-
- If discovery is enabled, target will attempt to retrieve information
- from service catalog. If not, the information will be taken from
- given config file.
- """
- service_info = Service(type=taxonomy.UNKNOWN, name=taxonomy.UNKNOWN,
- id=taxonomy.UNKNOWN, admin_endp=None,
- private_endp=None, public_endp=None)
- try:
- catalog = ast.literal_eval(
- req.environ['HTTP_X_SERVICE_CATALOG'])
- except KeyError:
- raise PycadfAuditApiConfigError(
- 'Service catalog is missing. '
- 'Cannot discover target information')
-
- default_endpoint = None
- for endp in catalog:
- endpoint_urls = endp['endpoints'][0]
- admin_urlparse = urlparse.urlparse(
- endpoint_urls.get('adminURL', ''))
- public_urlparse = urlparse.urlparse(
- endpoint_urls.get('publicURL', ''))
- req_url = urlparse.urlparse(req.host_url)
- if (req_url.netloc == admin_urlparse.netloc
- or req_url.netloc == public_urlparse.netloc):
- service_info = self._get_service_info(endp)
- break
- elif (self._MAP.default_target_endpoint_type and
- endp['type'] == self._MAP.default_target_endpoint_type):
- default_endpoint = endp
- else:
- if default_endpoint:
- service_info = self._get_service_info(default_endpoint)
- return self._build_target(req, service_info)
-
-
-class ClientResource(resource.Resource):
- def __init__(self, project_id=None, **kwargs):
- super(ClientResource, self).__init__(**kwargs)
- if project_id is not None:
- self.project_id = project_id
-
-
-class KeystoneCredential(credential.Credential):
- def __init__(self, identity_status=None, **kwargs):
- super(KeystoneCredential, self).__init__(**kwargs)
- if identity_status is not None:
- self.identity_status = identity_status
-
-
-class PycadfAuditApiConfigError(Exception):
- """Error raised when pyCADF fails to configure correctly."""
-
-
-class AuditMiddleware(object):
- """Create an audit event based on request/response.
-
- The audit middleware takes in various configuration options such as the
- ability to skip audit of certain requests. The full list of options can
- be discovered here:
- http://docs.openstack.org/developer/keystonemiddleware/audit.html
- """
-
- @staticmethod
- def _get_aliases(proj):
- aliases = {}
- if proj:
- # Aliases to support backward compatibility
- aliases = {
- '%s.openstack.common.rpc.impl_kombu' % proj: 'rabbit',
- '%s.openstack.common.rpc.impl_qpid' % proj: 'qpid',
- '%s.openstack.common.rpc.impl_zmq' % proj: 'zmq',
- '%s.rpc.impl_kombu' % proj: 'rabbit',
- '%s.rpc.impl_qpid' % proj: 'qpid',
- '%s.rpc.impl_zmq' % proj: 'zmq',
- }
- return aliases
-
- def __init__(self, app, **conf):
- self._application = app
- global _LOG
- _LOG = logging.getLogger(conf.get('log_name', __name__))
- self._service_name = conf.get('service_name')
- self._ignore_req_list = [x.upper().strip() for x in
- conf.get('ignore_req_list', '').split(',')]
- self._cadf_audit = OpenStackAuditApi(conf.get('audit_map_file'))
-
- transport_aliases = self._get_aliases(cfg.CONF.project)
- if messaging:
- self._notifier = oslo_messaging.Notifier(
- oslo_messaging.get_transport(cfg.CONF,
- aliases=transport_aliases),
- os.path.basename(sys.argv[0]))
-
- def _emit_audit(self, context, event_type, payload):
- """Emit audit notification
-
- if oslo.messaging enabled, send notification. if not, log event.
- """
-
- if messaging:
- self._notifier.info(context, event_type, payload)
- else:
- _LOG.info(_LI('Event type: %(event_type)s, Context: %(context)s, '
- 'Payload: %(payload)s'), {'context': context,
- 'event_type': event_type,
- 'payload': payload})
-
- def _create_event(self, req):
- correlation_id = identifier.generate_uuid()
- action = self._cadf_audit.get_action(req)
-
- initiator = ClientResource(
- typeURI=taxonomy.ACCOUNT_USER,
- id=identifier.norm_ns(str(req.environ['HTTP_X_USER_ID'])),
- name=req.environ['HTTP_X_USER_NAME'],
- host=host.Host(address=req.client_addr, agent=req.user_agent),
- credential=KeystoneCredential(
- token=req.environ['HTTP_X_AUTH_TOKEN'],
- identity_status=req.environ['HTTP_X_IDENTITY_STATUS']),
- project_id=identifier.norm_ns(req.environ['HTTP_X_PROJECT_ID']))
- target = self._cadf_audit.get_target_resource(req)
-
- event = factory.EventFactory().new_event(
- eventType=cadftype.EVENTTYPE_ACTIVITY,
- outcome=taxonomy.OUTCOME_PENDING,
- action=action,
- initiator=initiator,
- target=target,
- observer=resource.Resource(id='target'))
- event.requestPath = req.path_qs
- event.add_tag(tag.generate_name_value_tag('correlation_id',
- correlation_id))
- # cache model in request to allow tracking of transistive steps.
- req.environ['cadf_event'] = event
- return event
-
- @_log_and_ignore_error
- def _process_request(self, request):
- event = self._create_event(request)
-
- self._emit_audit(context.get_admin_context().to_dict(),
- 'audit.http.request', event.as_dict())
-
- @_log_and_ignore_error
- def _process_response(self, request, response=None):
- # NOTE(gordc): handle case where error processing request
- if 'cadf_event' not in request.environ:
- self._create_event(request)
- event = request.environ['cadf_event']
-
- if response:
- if response.status_int >= 200 and response.status_int < 400:
- result = taxonomy.OUTCOME_SUCCESS
- else:
- result = taxonomy.OUTCOME_FAILURE
- event.reason = reason.Reason(
- reasonType='HTTP', reasonCode=str(response.status_int))
- else:
- result = taxonomy.UNKNOWN
-
- event.outcome = result
- event.add_reporterstep(
- reporterstep.Reporterstep(
- role=cadftype.REPORTER_ROLE_MODIFIER,
- reporter=resource.Resource(id='target'),
- reporterTime=timestamp.get_utc_now()))
-
- self._emit_audit(context.get_admin_context().to_dict(),
- 'audit.http.response', event.as_dict())
-
- @webob.dec.wsgify
- def __call__(self, req):
- if req.method in self._ignore_req_list:
- return req.get_response(self._application)
-
- self._process_request(req)
- try:
- response = req.get_response(self._application)
- except Exception:
- self._process_response(req)
- raise
- else:
- self._process_response(req, response)
- return response
-
-
-def filter_factory(global_conf, **local_conf):
- """Returns a WSGI filter app for use with paste.deploy."""
- conf = global_conf.copy()
- conf.update(local_conf)
-
- def audit_filter(app):
- return AuditMiddleware(app, **conf)
- return audit_filter
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py
deleted file mode 100644
index be268da3..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/__init__.py
+++ /dev/null
@@ -1,1129 +0,0 @@
-# Copyright 2010-2012 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-# implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""
-Token-based Authentication Middleware
-
-This WSGI component:
-
-* Verifies that incoming client requests have valid tokens by validating
- tokens with the auth service.
-* Rejects unauthenticated requests unless the auth_token middleware is in
- ``delay_auth_decision`` mode, which means the final decision is delegated to
- the downstream WSGI component (usually the OpenStack service).
-* Collects and forwards identity information based on a valid token
- such as user name, domain, project, etc.
-
-Refer to: http://docs.openstack.org/developer/keystonemiddleware/\
-middlewarearchitecture.html
-
-
-Headers
--------
-
-The auth_token middleware uses headers sent in by the client on the request
-and sets headers and environment variables for the downstream WSGI component.
-
-Coming in from initial call from client or customer
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-HTTP_X_AUTH_TOKEN
- The client token being passed in.
-
-HTTP_X_SERVICE_TOKEN
- A service token being passed in.
-
-Used for communication between components
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-WWW-Authenticate
- HTTP header returned to a user indicating which endpoint to use
- to retrieve a new token.
-
-What auth_token adds to the request for use by the OpenStack service
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-When using composite authentication (a user and service token are
-present) additional service headers relating to the service user
-will be added. They take the same form as the standard headers but add
-``_SERVICE_``. These headers will not exist in the environment if no
-service token is present.
-
-HTTP_X_IDENTITY_STATUS, HTTP_X_SERVICE_IDENTITY_STATUS
- Will be set to either ``Confirmed`` or ``Invalid``.
-
- The underlying service will only see a value of 'Invalid' if the middleware
- is configured to run in ``delay_auth_decision`` mode. As with all such
- headers, ``HTTP_X_SERVICE_IDENTITY_STATUS`` will only exist in the
- environment if a service token is presented. This is different than
- ``HTTP_X_IDENTITY_STATUS`` which is always set even if no user token is
- presented. This allows the underlying service to determine if a
- denial should use ``401 Unauthenticated`` or ``403 Forbidden``.
-
-HTTP_X_DOMAIN_ID, HTTP_X_SERVICE_DOMAIN_ID
- Identity service managed unique identifier, string. Only present if
- this is a domain-scoped token.
-
-HTTP_X_DOMAIN_NAME, HTTP_X_SERVICE_DOMAIN_NAME
- Unique domain name, string. Only present if this is a domain-scoped
- token.
-
-HTTP_X_PROJECT_ID, HTTP_X_SERVICE_PROJECT_ID
- Identity service managed unique identifier, string. Only present if
- this is a project-scoped token.
-
-HTTP_X_PROJECT_NAME, HTTP_X_SERVICE_PROJECT_NAME
- Project name, unique within owning domain, string. Only present if
- this is a project-scoped token.
-
-HTTP_X_PROJECT_DOMAIN_ID, HTTP_X_SERVICE_PROJECT_DOMAIN_ID
- Identity service managed unique identifier of owning domain of
- project, string. Only present if this is a project-scoped v3 token. If
- this variable is set, this indicates that the PROJECT_NAME can only
- be assumed to be unique within this domain.
-
-HTTP_X_PROJECT_DOMAIN_NAME, HTTP_X_SERVICE_PROJECT_DOMAIN_NAME
- Name of owning domain of project, string. Only present if this is a
- project-scoped v3 token. If this variable is set, this indicates that
- the PROJECT_NAME can only be assumed to be unique within this domain.
-
-HTTP_X_USER_ID, HTTP_X_SERVICE_USER_ID
- Identity-service managed unique identifier, string.
-
-HTTP_X_USER_NAME, HTTP_X_SERVICE_USER_NAME
- User identifier, unique within owning domain, string.
-
-HTTP_X_USER_DOMAIN_ID, HTTP_X_SERVICE_USER_DOMAIN_ID
- Identity service managed unique identifier of owning domain of
- user, string. If this variable is set, this indicates that the USER_NAME
- can only be assumed to be unique within this domain.
-
-HTTP_X_USER_DOMAIN_NAME, HTTP_X_SERVICE_USER_DOMAIN_NAME
- Name of owning domain of user, string. If this variable is set, this
- indicates that the USER_NAME can only be assumed to be unique within
- this domain.
-
-HTTP_X_ROLES, HTTP_X_SERVICE_ROLES
- Comma delimited list of case-sensitive role names.
-
-HTTP_X_SERVICE_CATALOG
- service catalog (optional, JSON string).
-
- For compatibility reasons this catalog will always be in the V2 catalog
- format even if it is a v3 token.
-
- .. note:: This is an exception in that it contains 'SERVICE' but relates to
- a user token, not a service token. The existing user's catalog can be
- very large; it was decided not to present a catalog relating to the
- service token to avoid using more HTTP header space.
-
-HTTP_X_TENANT_ID
- *Deprecated* in favor of HTTP_X_PROJECT_ID.
-
- Identity service managed unique identifier, string. For v3 tokens, this
- will be set to the same value as HTTP_X_PROJECT_ID.
-
-HTTP_X_TENANT_NAME
- *Deprecated* in favor of HTTP_X_PROJECT_NAME.
-
- Project identifier, unique within owning domain, string. For v3 tokens,
- this will be set to the same value as HTTP_X_PROJECT_NAME.
-
-HTTP_X_TENANT
- *Deprecated* in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME.
-
- Identity server-assigned unique identifier, string. For v3 tokens, this
- will be set to the same value as HTTP_X_PROJECT_ID.
-
-HTTP_X_USER
- *Deprecated* in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME.
-
- User name, unique within owning domain, string.
-
-HTTP_X_ROLE
- *Deprecated* in favor of HTTP_X_ROLES.
-
- Will contain the same values as HTTP_X_ROLES.
-
-Environment Variables
-^^^^^^^^^^^^^^^^^^^^^
-
-These variables are set in the request environment for use by the downstream
-WSGI component.
-
-keystone.token_info
- Information about the token discovered in the process of validation. This
- may include extended information returned by the token validation call, as
- well as basic information about the project and user.
-
-keystone.token_auth
- A keystoneclient auth plugin that may be used with a
- :py:class:`keystoneclient.session.Session`. This plugin will load the
- authentication data provided to auth_token middleware.
-
-
-Configuration
--------------
-
-auth_token middleware configuration can be in the main application's
-configuration file, e.g. in ``nova.conf``:
-
-.. code-block:: ini
-
- [keystone_authtoken]
- auth_plugin = password
- auth_url = http://keystone:35357/
- username = nova
- user_domain_id = default
- password = whyarewestillusingpasswords
- project_name = service
- project_domain_id = default
-
-Configuration can also be in the ``api-paste.ini`` file with the same options,
-but this is discouraged.
-
-Swift
------
-
-When deploy auth_token middleware with Swift, user may elect to use Swift
-memcache instead of the local auth_token memcache. Swift memcache is passed in
-from the request environment and it's identified by the ``swift.cache`` key.
-However it could be different, depending on deployment. To use Swift memcache,
-you must set the ``cache`` option to the environment key where the Swift cache
-object is stored.
-
-"""
-
-import binascii
-import datetime
-import logging
-
-from keystoneclient import access
-from keystoneclient import adapter
-from keystoneclient import auth
-from keystoneclient.common import cms
-from keystoneclient import discover
-from keystoneclient import exceptions
-from keystoneclient import session
-from oslo_config import cfg
-from oslo_serialization import jsonutils
-import pkg_resources
-import six
-import webob.dec
-
-from keystonemiddleware.auth_token import _auth
-from keystonemiddleware.auth_token import _base
-from keystonemiddleware.auth_token import _cache
-from keystonemiddleware.auth_token import _exceptions as exc
-from keystonemiddleware.auth_token import _identity
-from keystonemiddleware.auth_token import _request
-from keystonemiddleware.auth_token import _revocations
-from keystonemiddleware.auth_token import _signing_dir
-from keystonemiddleware.auth_token import _user_plugin
-from keystonemiddleware.i18n import _, _LC, _LE, _LI, _LW
-
-
-# NOTE(jamielennox): A number of options below are deprecated however are left
-# in the list and only mentioned as deprecated in the help string. This is
-# because we have to provide the same deprecation functionality for arguments
-# passed in via the conf in __init__ (from paste) and there is no way to test
-# that the default value was set or not in CONF.
-# Also if we were to remove the options from the CONF list (as typical CONF
-# deprecation works) then other projects will not be able to override the
-# options via CONF.
-
-_OPTS = [
- cfg.StrOpt('auth_uri',
- default=None,
- # FIXME(dolph): should be default='http://127.0.0.1:5000/v2.0/',
- # or (depending on client support) an unversioned, publicly
- # accessible identity endpoint (see bug 1207517)
- help='Complete public Identity API endpoint.'),
- cfg.StrOpt('auth_version',
- default=None,
- help='API version of the admin Identity API endpoint.'),
- cfg.BoolOpt('delay_auth_decision',
- default=False,
- help='Do not handle authorization requests within the'
- ' middleware, but delegate the authorization decision to'
- ' downstream WSGI components.'),
- cfg.IntOpt('http_connect_timeout',
- default=None,
- help='Request timeout value for communicating with Identity'
- ' API server.'),
- cfg.IntOpt('http_request_max_retries',
- default=3,
- help='How many times are we trying to reconnect when'
- ' communicating with Identity API Server.'),
- cfg.StrOpt('cache',
- default=None,
- help='Env key for the swift cache.'),
- cfg.StrOpt('certfile',
- help='Required if identity server requires client certificate'),
- cfg.StrOpt('keyfile',
- help='Required if identity server requires client certificate'),
- cfg.StrOpt('cafile', default=None,
- help='A PEM encoded Certificate Authority to use when '
- 'verifying HTTPs connections. Defaults to system CAs.'),
- cfg.BoolOpt('insecure', default=False, help='Verify HTTPS connections.'),
- cfg.StrOpt('region_name', default=None,
- help='The region in which the identity server can be found.'),
- cfg.StrOpt('signing_dir',
- help='Directory used to cache files related to PKI tokens.'),
- cfg.ListOpt('memcached_servers',
- deprecated_name='memcache_servers',
- help='Optionally specify a list of memcached server(s) to'
- ' use for caching. If left undefined, tokens will instead be'
- ' cached in-process.'),
- cfg.IntOpt('token_cache_time',
- default=300,
- help='In order to prevent excessive effort spent validating'
- ' tokens, the middleware caches previously-seen tokens for a'
- ' configurable duration (in seconds). Set to -1 to disable'
- ' caching completely.'),
- cfg.IntOpt('revocation_cache_time',
- default=10,
- help='Determines the frequency at which the list of revoked'
- ' tokens is retrieved from the Identity service (in seconds). A'
- ' high number of revocation events combined with a low cache'
- ' duration may significantly reduce performance.'),
- cfg.StrOpt('memcache_security_strategy',
- default=None,
- help='(Optional) If defined, indicate whether token data'
- ' should be authenticated or authenticated and encrypted.'
- ' Acceptable values are MAC or ENCRYPT. If MAC, token data is'
- ' authenticated (with HMAC) in the cache. If ENCRYPT, token'
- ' data is encrypted and authenticated in the cache. If the'
- ' value is not one of these options or empty, auth_token will'
- ' raise an exception on initialization.'),
- cfg.StrOpt('memcache_secret_key',
- default=None,
- secret=True,
- help='(Optional, mandatory if memcache_security_strategy is'
- ' defined) This string is used for key derivation.'),
- cfg.IntOpt('memcache_pool_dead_retry',
- default=5 * 60,
- help='(Optional) Number of seconds memcached server is'
- ' considered dead before it is tried again.'),
- cfg.IntOpt('memcache_pool_maxsize',
- default=10,
- help='(Optional) Maximum total number of open connections to'
- ' every memcached server.'),
- cfg.IntOpt('memcache_pool_socket_timeout',
- default=3,
- help='(Optional) Socket timeout in seconds for communicating '
- 'with a memcached server.'),
- cfg.IntOpt('memcache_pool_unused_timeout',
- default=60,
- help='(Optional) Number of seconds a connection to memcached'
- ' is held unused in the pool before it is closed.'),
- cfg.IntOpt('memcache_pool_conn_get_timeout',
- default=10,
- help='(Optional) Number of seconds that an operation will wait '
- 'to get a memcached client connection from the pool.'),
- cfg.BoolOpt('memcache_use_advanced_pool',
- default=False,
- help='(Optional) Use the advanced (eventlet safe) memcached '
- 'client pool. The advanced pool will only work under '
- 'python 2.x.'),
- cfg.BoolOpt('include_service_catalog',
- default=True,
- help='(Optional) Indicate whether to set the X-Service-Catalog'
- ' header. If False, middleware will not ask for service'
- ' catalog on token validation and will not set the'
- ' X-Service-Catalog header.'),
- cfg.StrOpt('enforce_token_bind',
- default='permissive',
- help='Used to control the use and type of token binding. Can'
- ' be set to: "disabled" to not check token binding.'
- ' "permissive" (default) to validate binding information if the'
- ' bind type is of a form known to the server and ignore it if'
- ' not. "strict" like "permissive" but if the bind type is'
- ' unknown the token will be rejected. "required" any form of'
- ' token binding is needed to be allowed. Finally the name of a'
- ' binding method that must be present in tokens.'),
- cfg.BoolOpt('check_revocations_for_cached', default=False,
- help='If true, the revocation list will be checked for cached'
- ' tokens. This requires that PKI tokens are configured on the'
- ' identity server.'),
- cfg.ListOpt('hash_algorithms', default=['md5'],
- help='Hash algorithms to use for hashing PKI tokens. This may'
- ' be a single algorithm or multiple. The algorithms are those'
- ' supported by Python standard hashlib.new(). The hashes will'
- ' be tried in the order given, so put the preferred one first'
- ' for performance. The result of the first hash will be stored'
- ' in the cache. This will typically be set to multiple values'
- ' only while migrating from a less secure algorithm to a more'
- ' secure one. Once all the old tokens are expired this option'
- ' should be set to a single value for better performance.'),
-]
-
-CONF = cfg.CONF
-CONF.register_opts(_OPTS, group=_base.AUTHTOKEN_GROUP)
-
-_LOG = logging.getLogger(__name__)
-
-
-class _BIND_MODE(object):
- DISABLED = 'disabled'
- PERMISSIVE = 'permissive'
- STRICT = 'strict'
- REQUIRED = 'required'
- KERBEROS = 'kerberos'
-
-
-def _token_is_v2(token_info):
- return ('access' in token_info)
-
-
-def _token_is_v3(token_info):
- return ('token' in token_info)
-
-
-def _conf_values_type_convert(conf):
- """Convert conf values into correct type."""
- if not conf:
- return {}
-
- opt_types = {}
- for o in (_OPTS + _auth.AuthTokenPlugin.get_options()):
- type_dest = (getattr(o, 'type', str), o.dest)
- opt_types[o.dest] = type_dest
- # Also add the deprecated name with the same type and dest.
- for d_o in o.deprecated_opts:
- opt_types[d_o.name] = type_dest
-
- opts = {}
- for k, v in six.iteritems(conf):
- dest = k
- try:
- if v is not None:
- type_, dest = opt_types[k]
- v = type_(v)
- except KeyError:
- # This option is not known to auth_token.
- pass
- except ValueError as e:
- raise exc.ConfigurationError(
- _('Unable to convert the value of %(key)s option into correct '
- 'type: %(ex)s') % {'key': k, 'ex': e})
- opts[dest] = v
- return opts
-
-
-def _get_project_version(project):
- return pkg_resources.get_distribution(project).version
-
-
-class _BaseAuthProtocol(object):
- """A base class for AuthProtocol token checking implementations.
-
- :param Callable app: The next application to call after middleware.
- :param logging.Logger log: The logging object to use for output. By default
- it will use a logger in the
- keystonemiddleware.auth_token namespace.
- :param str enforce_token_bind: The style of token binding enforcement to
- perform.
- """
-
- def __init__(self,
- app,
- log=_LOG,
- enforce_token_bind=_BIND_MODE.PERMISSIVE):
- self.log = log
- self._app = app
- self._enforce_token_bind = enforce_token_bind
-
- @webob.dec.wsgify(RequestClass=_request._AuthTokenRequest)
- def __call__(self, req):
- """Handle incoming request."""
- response = self.process_request(req)
- if response:
- return response
- response = req.get_response(self._app)
- return self.process_response(response)
-
- def process_request(self, request):
- """Process request.
-
- If this method returns a value then that value will be used as the
- response. The next application down the stack will not be executed and
- process_response will not be called.
-
- Otherwise, the next application down the stack will be executed and
- process_response will be called with the generated response.
-
- By default this method does not return a value.
-
- :param request: Incoming request
- :type request: _request.AuthTokenRequest
-
- """
- request.remove_auth_headers()
-
- user_auth_ref = None
- serv_auth_ref = None
-
- if request.user_token:
- self.log.debug('Authenticating user token')
- try:
- data, user_auth_ref = self._do_fetch_token(request.user_token)
- self._validate_token(user_auth_ref)
- self._confirm_token_bind(user_auth_ref, request)
- except exc.InvalidToken:
- self.log.info(_LI('Invalid user token'))
- request.user_token_valid = False
- else:
- request.user_token_valid = True
- request.environ['keystone.token_info'] = data
-
- if request.service_token:
- self.log.debug('Authenticating service token')
- try:
- _, serv_auth_ref = self._do_fetch_token(request.service_token)
- self._validate_token(serv_auth_ref)
- self._confirm_token_bind(serv_auth_ref, request)
- except exc.InvalidToken:
- self.log.info(_LI('Invalid service token'))
- request.service_token_valid = False
- else:
- request.service_token_valid = True
-
- p = _user_plugin.UserAuthPlugin(user_auth_ref, serv_auth_ref)
- request.environ['keystone.token_auth'] = p
-
- def _validate_token(self, auth_ref):
- """Perform the validation steps on the token.
-
- :param auth_ref: The token data
- :type auth_ref: keystoneclient.access.AccessInfo
-
- :raises exc.InvalidToken: if token is rejected
- """
- # 0 seconds of validity means is it valid right now.
- if auth_ref.will_expire_soon(stale_duration=0):
- raise exc.InvalidToken(_('Token authorization failed'))
-
- def _do_fetch_token(self, token):
- """Helper method to fetch a token and convert it into an AccessInfo"""
- data = self._fetch_token(token)
-
- try:
- return data, access.AccessInfo.factory(body=data, auth_token=token)
- except Exception:
- self.log.warning(_LW('Invalid token contents.'), exc_info=True)
- raise exc.InvalidToken(_('Token authorization failed'))
-
- def _fetch_token(self, token):
- """Fetch the token data based on the value in the header.
-
- Retrieve the data associated with the token value that was in the
- header. This can be from PKI, contacting the identity server or
- whatever is required.
-
- :param str token: The token present in the request header.
-
- :raises exc.InvalidToken: if token is invalid.
-
- :returns: The token data
- :rtype: dict
- """
- raise NotImplemented()
-
- def process_response(self, response):
- """Do whatever you'd like to the response.
-
- By default the response is returned unmodified.
-
- :param response: Response object
- :type response: ._request._AuthTokenResponse
- """
- return response
-
- def _invalid_user_token(self, msg=False):
- # NOTE(jamielennox): use False as the default so that None is valid
- if msg is False:
- msg = _('Token authorization failed')
-
- raise exc.InvalidToken(msg)
-
- def _confirm_token_bind(self, auth_ref, req):
- if self._enforce_token_bind == _BIND_MODE.DISABLED:
- return
-
- try:
- if auth_ref.version == 'v2.0':
- bind = auth_ref['token']['bind']
- elif auth_ref.version == 'v3':
- bind = auth_ref['bind']
- else:
- self._invalid_user_token()
- except KeyError:
- bind = {}
-
- # permissive and strict modes don't require there to be a bind
- permissive = self._enforce_token_bind in (_BIND_MODE.PERMISSIVE,
- _BIND_MODE.STRICT)
-
- if not bind:
- if permissive:
- # no bind provided and none required
- return
- else:
- self.log.info(_LI('No bind information present in token.'))
- self._invalid_user_token()
-
- # get the named mode if bind_mode is not one of the predefined
- if permissive or self._enforce_token_bind == _BIND_MODE.REQUIRED:
- name = None
- else:
- name = self._enforce_token_bind
-
- if name and name not in bind:
- self.log.info(_LI('Named bind mode %s not in bind information'),
- name)
- self._invalid_user_token()
-
- for bind_type, identifier in six.iteritems(bind):
- if bind_type == _BIND_MODE.KERBEROS:
- if req.auth_type != 'negotiate':
- self.log.info(_LI('Kerberos credentials required and '
- 'not present.'))
- self._invalid_user_token()
-
- if req.remote_user != identifier:
- self.log.info(_LI('Kerberos credentials do not match '
- 'those in bind.'))
- self._invalid_user_token()
-
- self.log.debug('Kerberos bind authentication successful.')
-
- elif self._enforce_token_bind == _BIND_MODE.PERMISSIVE:
- self.log.debug('Ignoring Unknown bind for permissive mode: '
- '%(bind_type)s: %(identifier)s.',
- {'bind_type': bind_type,
- 'identifier': identifier})
-
- else:
- self.log.info(
- _LI('Couldn`t verify unknown bind: %(bind_type)s: '
- '%(identifier)s.'),
- {'bind_type': bind_type, 'identifier': identifier})
- self._invalid_user_token()
-
-
-class AuthProtocol(_BaseAuthProtocol):
- """Middleware that handles authenticating client calls."""
-
- _SIGNING_CERT_FILE_NAME = 'signing_cert.pem'
- _SIGNING_CA_FILE_NAME = 'cacert.pem'
-
- def __init__(self, app, conf):
- log = logging.getLogger(conf.get('log_name', __name__))
- log.info(_LI('Starting Keystone auth_token middleware'))
-
- # NOTE(wanghong): If options are set in paste file, all the option
- # values passed into conf are string type. So, we should convert the
- # conf value into correct type.
- self._conf = _conf_values_type_convert(conf)
-
- # NOTE(sileht): If we don't want to use oslo.config global object
- # we can set the paste "oslo_config_project" and the middleware
- # will load the configuration with a local oslo.config object.
- self._local_oslo_config = None
- if 'oslo_config_project' in conf:
- if 'oslo_config_file' in conf:
- default_config_files = [conf['oslo_config_file']]
- else:
- default_config_files = None
-
- # For unit tests, support passing in a ConfigOpts in
- # oslo_config_config.
- self._local_oslo_config = conf.get('oslo_config_config',
- cfg.ConfigOpts())
- self._local_oslo_config(
- {}, project=conf['oslo_config_project'],
- default_config_files=default_config_files,
- validate_default_values=True)
-
- self._local_oslo_config.register_opts(
- _OPTS, group=_base.AUTHTOKEN_GROUP)
- auth.register_conf_options(self._local_oslo_config,
- group=_base.AUTHTOKEN_GROUP)
-
- super(AuthProtocol, self).__init__(
- app,
- log=log,
- enforce_token_bind=self._conf_get('enforce_token_bind'))
-
- # delay_auth_decision means we still allow unauthenticated requests
- # through and we let the downstream service make the final decision
- self._delay_auth_decision = self._conf_get('delay_auth_decision')
- self._include_service_catalog = self._conf_get(
- 'include_service_catalog')
- self._hash_algorithms = self._conf_get('hash_algorithms')
-
- self._identity_server = self._create_identity_server()
-
- self._auth_uri = self._conf_get('auth_uri')
- if not self._auth_uri:
- self.log.warning(
- _LW('Configuring auth_uri to point to the public identity '
- 'endpoint is required; clients may not be able to '
- 'authenticate against an admin endpoint'))
-
- # FIXME(dolph): drop support for this fallback behavior as
- # documented in bug 1207517.
-
- self._auth_uri = self._identity_server.auth_uri
-
- self._signing_directory = _signing_dir.SigningDirectory(
- directory_name=self._conf_get('signing_dir'), log=self.log)
-
- self._token_cache = self._token_cache_factory()
-
- revocation_cache_timeout = datetime.timedelta(
- seconds=self._conf_get('revocation_cache_time'))
- self._revocations = _revocations.Revocations(revocation_cache_timeout,
- self._signing_directory,
- self._identity_server,
- self._cms_verify,
- self.log)
-
- self._check_revocations_for_cached = self._conf_get(
- 'check_revocations_for_cached')
-
- def _conf_get(self, name, group=_base.AUTHTOKEN_GROUP):
- # try config from paste-deploy first
- if name in self._conf:
- return self._conf[name]
- elif self._local_oslo_config:
- return self._local_oslo_config[group][name]
- else:
- return CONF[group][name]
-
- def process_request(self, request):
- """Process request.
-
- Evaluate the headers in a request and attempt to authenticate the
- request. If authenticated then additional headers are added to the
- request for use by applications. If not authenticated the request will
- be rejected or marked unauthenticated depending on configuration.
- """
- self._token_cache.initialize(request.environ)
-
- resp = super(AuthProtocol, self).process_request(request)
- if resp:
- return resp
-
- if not request.user_token:
- # if no user token is present then that's an invalid request
- request.user_token_valid = False
-
- # NOTE(jamielennox): The service status is allowed to be missing if a
- # service token is not passed. If the service status is missing that's
- # a valid request. We should find a better way to expose this from the
- # request object.
- user_status = request.user_token and request.user_token_valid
- service_status = request.headers.get('X-Service-Identity-Status',
- 'Confirmed')
-
- if not (user_status and service_status == 'Confirmed'):
- if self._delay_auth_decision:
- self.log.info(_LI('Deferring reject downstream'))
- else:
- self.log.info(_LI('Rejecting request'))
- self._reject_request()
-
- if request.user_token_valid:
- request.set_user_headers(request.token_auth._user_auth_ref,
- self._include_service_catalog)
-
- if request.service_token and request.service_token_valid:
- request.set_service_headers(request.token_auth._serv_auth_ref)
-
- if self.log.isEnabledFor(logging.DEBUG):
- self.log.debug('Received request from %s',
- request.token_auth._log_format)
-
- def process_response(self, response):
- """Process Response.
-
- Add ``WWW-Authenticate`` headers to requests that failed with
- ``401 Unauthenticated`` so users know where to authenticate for future
- requests.
- """
- if response.status_int == 401:
- response.headers.extend(self._reject_auth_headers)
-
- return response
-
- @property
- def _reject_auth_headers(self):
- header_val = 'Keystone uri=\'%s\'' % self._auth_uri
- return [('WWW-Authenticate', header_val)]
-
- def _reject_request(self):
- """Redirect client to auth server.
-
- :param env: wsgi request environment
- :param start_response: wsgi response callback
- :returns: HTTPUnauthorized http response
-
- """
- raise webob.exc.HTTPUnauthorized(body='Authentication required',
- headers=self._reject_auth_headers)
-
- def _token_hashes(self, token):
- """Generate a list of hashes that the current token may be cached as.
-
- With PKI tokens we have multiple hashing algorithms that we test with
- revocations. This generates that whole list.
-
- The first element of this list is the preferred algorithm and is what
- new cache values should be saved as.
-
- :param str token: The token being presented by a user.
-
- :returns: list of str token hashes.
- """
- if cms.is_asn1_token(token) or cms.is_pkiz(token):
- return list(cms.cms_hash_token(token, mode=algo)
- for algo in self._hash_algorithms)
- else:
- return [token]
-
- def _cache_get_hashes(self, token_hashes):
- """Check if the token is cached already.
-
- Functions takes a list of hashes that might be in the cache and matches
- the first one that is present. If nothing is found in the cache it
- returns None.
-
- :returns: token data if found else None.
- """
-
- for token in token_hashes:
- cached = self._token_cache.get(token)
-
- if cached:
- return cached
-
- def _fetch_token(self, token):
- """Retrieve a token from either a PKI bundle or the identity server.
-
- :param str token: token id
-
- :raises exc.InvalidToken: if token is rejected
- """
- data = None
- token_hashes = None
-
- try:
- token_hashes = self._token_hashes(token)
- cached = self._cache_get_hashes(token_hashes)
-
- if cached:
- data = cached
-
- if self._check_revocations_for_cached:
- # A token stored in Memcached might have been revoked
- # regardless of initial mechanism used to validate it,
- # and needs to be checked.
- self._revocations.check(token_hashes)
- else:
- data = self._validate_offline(token, token_hashes)
- if not data:
- data = self._identity_server.verify_token(token)
-
- self._token_cache.store(token_hashes[0], data)
-
- except (exceptions.ConnectionRefused, exceptions.RequestTimeout,
- exc.RevocationListError, exc.ServiceError) as e:
- self.log.critical(_LC('Unable to validate token: %s'), e)
- raise webob.exc.HTTPServiceUnavailable()
- except exc.InvalidToken:
- self.log.debug('Token validation failure.', exc_info=True)
- if token_hashes:
- self._token_cache.store_invalid(token_hashes[0])
- self.log.warning(_LW('Authorization failed for token'))
- raise
- except Exception:
- self.log.critical(_LC('Unable to validate token'), exc_info=True)
- raise webob.exc.HTTPInternalServerError()
-
- return data
-
- def _validate_offline(self, token, token_hashes):
- try:
- if cms.is_pkiz(token):
- verified = self._verify_pkiz_token(token, token_hashes)
- elif cms.is_asn1_token(token):
- verified = self._verify_signed_token(token, token_hashes)
- else:
- # Can't do offline validation for this type of token.
- return
- except exceptions.CertificateConfigError:
- self.log.warning(_LW('Fetch certificate config failed, '
- 'fallback to online validation.'))
- except exc.RevocationListError:
- self.log.warning(_LW('Fetch revocation list failed, '
- 'fallback to online validation.'))
- else:
- data = jsonutils.loads(verified)
-
- audit_ids = None
- if 'access' in data:
- # It's a v2 token.
- audit_ids = data['access']['token'].get('audit_ids')
- else:
- # It's a v3 token
- audit_ids = data['token'].get('audit_ids')
-
- if audit_ids:
- self._revocations.check_by_audit_id(audit_ids)
-
- return data
-
- def _validate_token(self, auth_ref):
- super(AuthProtocol, self)._validate_token(auth_ref)
-
- if auth_ref.version == 'v2.0' and not auth_ref.project_id:
- msg = _('Unable to determine service tenancy.')
- raise exc.InvalidToken(msg)
-
- def _cms_verify(self, data, inform=cms.PKI_ASN1_FORM):
- """Verifies the signature of the provided data's IAW CMS syntax.
-
- If either of the certificate files might be missing, fetch them and
- retry.
- """
- def verify():
- try:
- signing_cert_path = self._signing_directory.calc_path(
- self._SIGNING_CERT_FILE_NAME)
- signing_ca_path = self._signing_directory.calc_path(
- self._SIGNING_CA_FILE_NAME)
- return cms.cms_verify(data, signing_cert_path,
- signing_ca_path,
- inform=inform).decode('utf-8')
- except (exceptions.CMSError,
- cms.subprocess.CalledProcessError) as err:
- self.log.warning(_LW('Verify error: %s'), err)
- raise exc.InvalidToken(_('Token authorization failed'))
-
- try:
- return verify()
- except exceptions.CertificateConfigError:
- # the certs might be missing; unconditionally fetch to avoid racing
- self._fetch_signing_cert()
- self._fetch_ca_cert()
-
- try:
- # retry with certs in place
- return verify()
- except exceptions.CertificateConfigError as err:
- # if this is still occurring, something else is wrong and we
- # need err.output to identify the problem
- self.log.error(_LE('CMS Verify output: %s'), err.output)
- raise
-
- def _verify_signed_token(self, signed_text, token_ids):
- """Check that the token is unrevoked and has a valid signature."""
- self._revocations.check(token_ids)
- formatted = cms.token_to_cms(signed_text)
- verified = self._cms_verify(formatted)
- return verified
-
- def _verify_pkiz_token(self, signed_text, token_ids):
- self._revocations.check(token_ids)
- try:
- uncompressed = cms.pkiz_uncompress(signed_text)
- verified = self._cms_verify(uncompressed, inform=cms.PKIZ_CMS_FORM)
- return verified
- # TypeError If the signed_text is not zlib compressed
- # binascii.Error if signed_text has incorrect base64 padding (py34)
- except (TypeError, binascii.Error):
- raise exc.InvalidToken(signed_text)
-
- def _fetch_signing_cert(self):
- self._signing_directory.write_file(
- self._SIGNING_CERT_FILE_NAME,
- self._identity_server.fetch_signing_cert())
-
- def _fetch_ca_cert(self):
- self._signing_directory.write_file(
- self._SIGNING_CA_FILE_NAME,
- self._identity_server.fetch_ca_cert())
-
- def _get_auth_plugin(self):
- # NOTE(jamielennox): Ideally this would use get_from_conf_options
- # however that is not possible because we have to support the override
- # pattern we use in _conf_get. There is a somewhat replacement for this
- # in keystoneclient in load_from_options_getter which should be used
- # when available. Until then this is essentially a copy and paste of
- # the ksc load_from_conf_options code because we need to get a fix out
- # for this quickly.
-
- # FIXME(jamielennox): update to use load_from_options_getter when
- # https://review.openstack.org/162529 merges.
-
- # !!! - UNDER NO CIRCUMSTANCES COPY ANY OF THIS CODE - !!!
-
- group = self._conf_get('auth_section') or _base.AUTHTOKEN_GROUP
- plugin_name = self._conf_get('auth_plugin', group=group)
- plugin_kwargs = dict()
-
- if plugin_name:
- plugin_class = auth.get_plugin_class(plugin_name)
- else:
- plugin_class = _auth.AuthTokenPlugin
- # logger object is a required parameter of the default plugin
- plugin_kwargs['log'] = self.log
-
- plugin_opts = plugin_class.get_options()
- (self._local_oslo_config or CONF).register_opts(plugin_opts,
- group=group)
-
- for opt in plugin_opts:
- val = self._conf_get(opt.dest, group=group)
- if val is not None:
- val = opt.type(val)
- plugin_kwargs[opt.dest] = val
-
- return plugin_class.load_from_options(**plugin_kwargs)
-
- def _determine_project(self):
- """Determine a project name from all available config sources.
-
- The sources are checked in the following order:
-
- 1. The paste-deploy config for auth_token middleware
- 2. The keystone_authtoken in the project's config
- 3. The oslo.config CONF.project property
-
- """
- try:
- return self._conf_get('project')
- except cfg.NoSuchOptError:
- # Prefer local oslo config object
- if self._local_oslo_config:
- return self._local_oslo_config.project
- try:
- # CONF.project will exist only if the service uses
- # oslo.config. It will only be set when the project
- # calls CONF(...) and when not set oslo.config oddly
- # raises a NoSuchOptError exception.
- return CONF.project
- except cfg.NoSuchOptError:
- return ''
-
- def _build_useragent_string(self):
- project = self._determine_project()
- if project:
- project_version = _get_project_version(project)
- project = '{project}/{project_version} '.format(
- project=project,
- project_version=project_version)
-
- ua_template = ('{project}'
- 'keystonemiddleware.auth_token/{ksm_version}')
- return ua_template.format(
- project=project,
- ksm_version=_get_project_version('keystonemiddleware'))
-
- def _create_identity_server(self):
- # NOTE(jamielennox): Loading Session here should be exactly the
- # same as calling Session.load_from_conf_options(CONF, GROUP)
- # however we can't do that because we have to use _conf_get to
- # support the paste.ini options.
- sess = session.Session.construct(dict(
- cert=self._conf_get('certfile'),
- key=self._conf_get('keyfile'),
- cacert=self._conf_get('cafile'),
- insecure=self._conf_get('insecure'),
- timeout=self._conf_get('http_connect_timeout'),
- user_agent=self._build_useragent_string()
- ))
-
- auth_plugin = self._get_auth_plugin()
-
- adap = adapter.Adapter(
- sess,
- auth=auth_plugin,
- service_type='identity',
- interface='admin',
- region_name=self._conf_get('region_name'),
- connect_retries=self._conf_get('http_request_max_retries'))
-
- auth_version = self._conf_get('auth_version')
- if auth_version is not None:
- auth_version = discover.normalize_version_number(auth_version)
- return _identity.IdentityServer(
- self.log,
- adap,
- include_service_catalog=self._include_service_catalog,
- requested_auth_version=auth_version)
-
- def _token_cache_factory(self):
- security_strategy = self._conf_get('memcache_security_strategy')
-
- cache_kwargs = dict(
- cache_time=int(self._conf_get('token_cache_time')),
- env_cache_name=self._conf_get('cache'),
- memcached_servers=self._conf_get('memcached_servers'),
- use_advanced_pool=self._conf_get('memcache_use_advanced_pool'),
- memcache_pool_dead_retry=self._conf_get(
- 'memcache_pool_dead_retry'),
- memcache_pool_maxsize=self._conf_get('memcache_pool_maxsize'),
- memcache_pool_unused_timeout=self._conf_get(
- 'memcache_pool_unused_timeout'),
- memcache_pool_conn_get_timeout=self._conf_get(
- 'memcache_pool_conn_get_timeout'),
- memcache_pool_socket_timeout=self._conf_get(
- 'memcache_pool_socket_timeout'),
- )
-
- if security_strategy:
- secret_key = self._conf_get('memcache_secret_key')
- return _cache.SecureTokenCache(self.log,
- security_strategy,
- secret_key,
- **cache_kwargs)
- else:
- return _cache.TokenCache(self.log, **cache_kwargs)
-
-
-def filter_factory(global_conf, **local_conf):
- """Returns a WSGI filter app for use with paste.deploy."""
- conf = global_conf.copy()
- conf.update(local_conf)
-
- def auth_filter(app):
- return AuthProtocol(app, conf)
- return auth_filter
-
-
-def app_factory(global_conf, **local_conf):
- conf = global_conf.copy()
- conf.update(local_conf)
- return AuthProtocol(None, conf)
-
-
-# NOTE(jamielennox): Maintained here for public API compatibility.
-InvalidToken = exc.InvalidToken
-ServiceError = exc.ServiceError
-ConfigurationError = exc.ConfigurationError
-RevocationListError = exc.RevocationListError
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py
deleted file mode 100644
index cf7ed84d..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_auth.py
+++ /dev/null
@@ -1,194 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import logging
-
-from keystoneclient import auth
-from keystoneclient.auth.identity import v2
-from keystoneclient.auth import token_endpoint
-from keystoneclient import discover
-from oslo_config import cfg
-
-from keystonemiddleware.auth_token import _base
-from keystonemiddleware.i18n import _, _LW
-
-
-_LOG = logging.getLogger(__name__)
-
-
-class AuthTokenPlugin(auth.BaseAuthPlugin):
-
- def __init__(self, auth_host, auth_port, auth_protocol, auth_admin_prefix,
- admin_user, admin_password, admin_tenant_name, admin_token,
- identity_uri, log):
-
- log.warning(_LW(
- "Use of the auth_admin_prefix, auth_host, auth_port, "
- "auth_protocol, identity_uri, admin_token, admin_user, "
- "admin_password, and admin_tenant_name configuration options is "
- "deprecated in favor of auth_plugin and related options and may "
- "be removed in a future release."))
-
- # NOTE(jamielennox): it does appear here that our default arguments
- # are backwards. We need to do it this way so that we can handle the
- # same deprecation strategy for CONF and the conf variable.
- if not identity_uri:
- log.warning(_LW('Configuring admin URI using auth fragments. '
- 'This is deprecated, use \'identity_uri\''
- ' instead.'))
-
- if ':' in auth_host:
- # Note(dzyu) it is an IPv6 address, so it needs to be wrapped
- # with '[]' to generate a valid IPv6 URL, based on
- # http://www.ietf.org/rfc/rfc2732.txt
- auth_host = '[%s]' % auth_host
-
- identity_uri = '%s://%s:%s' % (auth_protocol,
- auth_host,
- auth_port)
-
- if auth_admin_prefix:
- identity_uri = '%s/%s' % (identity_uri,
- auth_admin_prefix.strip('/'))
-
- self._identity_uri = identity_uri.rstrip('/')
-
- # FIXME(jamielennox): Yes. This is wrong. We should be determining the
- # plugin to use based on a combination of discovery and inputs. Much
- # of this can be changed when we get keystoneclient 0.10. For now this
- # hardcoded path is EXACTLY the same as the original auth_token did.
- auth_url = '%s/v2.0' % self._identity_uri
-
- if admin_token:
- log.warning(_LW(
- "The admin_token option in the auth_token middleware is "
- "deprecated and should not be used. The admin_user and "
- "admin_password options should be used instead. The "
- "admin_token option may be removed in a future release."))
- self._plugin = token_endpoint.Token(auth_url, admin_token)
- else:
- self._plugin = v2.Password(auth_url,
- username=admin_user,
- password=admin_password,
- tenant_name=admin_tenant_name)
-
- self._LOG = log
- self._discover = None
-
- def get_token(self, *args, **kwargs):
- return self._plugin.get_token(*args, **kwargs)
-
- def get_endpoint(self, session, interface=None, version=None, **kwargs):
- """Return an endpoint for the client.
-
- There are no required keyword arguments to ``get_endpoint`` as a plugin
- implementation should use best effort with the information available to
- determine the endpoint.
-
- :param session: The session object that the auth_plugin belongs to.
- :type session: keystoneclient.session.Session
- :param version: The version number required for this endpoint.
- :type version: tuple or str
- :param str interface: what visibility the endpoint should have.
-
- :returns: The base URL that will be used to talk to the required
- service or None if not available.
- :rtype: string
- """
- if interface == auth.AUTH_INTERFACE:
- return self._identity_uri
-
- if not version:
- # NOTE(jamielennox): This plugin can only be used within auth_token
- # and auth_token will always provide version= with requests.
- return None
-
- if not self._discover:
- self._discover = discover.Discover(session,
- auth_url=self._identity_uri,
- authenticated=False)
-
- if not self._discover.url_for(version):
- # NOTE(jamielennox): The requested version is not supported by the
- # identity server.
- return None
-
- # NOTE(jamielennox): for backwards compatibility here we don't
- # actually use the URL from discovery we hack it up instead. :(
- # NOTE(blk-u): Normalizing the version is a workaround for bug 1450272.
- # This can be removed once that's fixed. Also fix the docstring for the
- # version parameter to be just "tuple".
- version = discover.normalize_version_number(version)
- if discover.version_match((2, 0), version):
- return '%s/v2.0' % self._identity_uri
- elif discover.version_match((3, 0), version):
- return '%s/v3' % self._identity_uri
-
- # NOTE(jamielennox): This plugin will only get called from auth_token
- # middleware. The middleware should never request a version that the
- # plugin doesn't know how to handle.
- msg = _('Invalid version asked for in auth_token plugin')
- raise NotImplementedError(msg)
-
- def invalidate(self):
- return self._plugin.invalidate()
-
- @classmethod
- def get_options(cls):
- options = super(AuthTokenPlugin, cls).get_options()
-
- options.extend([
- cfg.StrOpt('auth_admin_prefix',
- default='',
- help='Prefix to prepend at the beginning of the path. '
- 'Deprecated, use identity_uri.'),
- cfg.StrOpt('auth_host',
- default='127.0.0.1',
- help='Host providing the admin Identity API endpoint. '
- 'Deprecated, use identity_uri.'),
- cfg.IntOpt('auth_port',
- default=35357,
- help='Port of the admin Identity API endpoint. '
- 'Deprecated, use identity_uri.'),
- cfg.StrOpt('auth_protocol',
- default='https',
- help='Protocol of the admin Identity API endpoint '
- '(http or https). Deprecated, use identity_uri.'),
- cfg.StrOpt('identity_uri',
- default=None,
- help='Complete admin Identity API endpoint. This '
- 'should specify the unversioned root endpoint '
- 'e.g. https://localhost:35357/'),
- cfg.StrOpt('admin_token',
- secret=True,
- help='This option is deprecated and may be removed in '
- 'a future release. Single shared secret with the '
- 'Keystone configuration used for bootstrapping a '
- 'Keystone installation, or otherwise bypassing '
- 'the normal authentication process. This option '
- 'should not be used, use `admin_user` and '
- '`admin_password` instead.'),
- cfg.StrOpt('admin_user',
- help='Service username.'),
- cfg.StrOpt('admin_password',
- secret=True,
- help='Service user password.'),
- cfg.StrOpt('admin_tenant_name',
- default='admin',
- help='Service tenant name.'),
- ])
-
- return options
-
-
-auth.register_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP)
-AuthTokenPlugin.register_conf_options(cfg.CONF, _base.AUTHTOKEN_GROUP)
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_base.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_base.py
deleted file mode 100644
index ee4ec13c..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_base.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-AUTHTOKEN_GROUP = 'keystone_authtoken'
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_cache.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_cache.py
deleted file mode 100644
index ce5faf66..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_cache.py
+++ /dev/null
@@ -1,338 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import contextlib
-import hashlib
-
-from oslo_serialization import jsonutils
-import six
-
-from keystonemiddleware.auth_token import _exceptions as exc
-from keystonemiddleware.auth_token import _memcache_crypt as memcache_crypt
-from keystonemiddleware.i18n import _, _LE
-from keystonemiddleware.openstack.common import memorycache
-
-
-def _hash_key(key):
- """Turn a set of arguments into a SHA256 hash.
-
- Using a known-length cache key is important to ensure that memcache
- maximum key length is not exceeded causing failures to validate.
- """
- if isinstance(key, six.text_type):
- # NOTE(morganfainberg): Ensure we are always working with a bytes
- # type required for the hasher. In python 2.7 it is possible to
- # get a text_type (unicode). In python 3.4 all strings are
- # text_type and not bytes by default. This encode coerces the
- # text_type to the appropriate bytes values.
- key = key.encode('utf-8')
- return hashlib.sha256(key).hexdigest()
-
-
-class _CachePool(list):
- """A lazy pool of cache references."""
-
- def __init__(self, cache, memcached_servers):
- self._environment_cache = cache
- self._memcached_servers = memcached_servers
-
- @contextlib.contextmanager
- def reserve(self):
- """Context manager to manage a pooled cache reference."""
- if self._environment_cache is not None:
- # skip pooling and just use the cache from the upstream filter
- yield self._environment_cache
- return # otherwise the context manager will continue!
-
- try:
- c = self.pop()
- except IndexError:
- # the pool is empty, so we need to create a new client
- c = memorycache.get_client(self._memcached_servers)
-
- try:
- yield c
- finally:
- self.append(c)
-
-
-class _MemcacheClientPool(object):
- """An advanced memcached client pool that is eventlet safe."""
- def __init__(self, memcache_servers, memcache_dead_retry=None,
- memcache_pool_maxsize=None, memcache_pool_unused_timeout=None,
- memcache_pool_conn_get_timeout=None,
- memcache_pool_socket_timeout=None):
- # NOTE(morganfainberg): import here to avoid hard dependency on
- # python-memcached library.
- global _memcache_pool
- from keystonemiddleware.auth_token import _memcache_pool
-
- self._pool = _memcache_pool.MemcacheClientPool(
- memcache_servers,
- arguments={
- 'dead_retry': memcache_dead_retry,
- 'socket_timeout': memcache_pool_socket_timeout,
- },
- maxsize=memcache_pool_maxsize,
- unused_timeout=memcache_pool_unused_timeout,
- conn_get_timeout=memcache_pool_conn_get_timeout,
- )
-
- @contextlib.contextmanager
- def reserve(self):
- with self._pool.get() as client:
- yield client
-
-
-class TokenCache(object):
- """Encapsulates the auth_token token cache functionality.
-
- auth_token caches tokens that it's seen so that when a token is re-used the
- middleware doesn't have to do a more expensive operation (like going to the
- identity server) to validate the token.
-
- initialize() must be called before calling the other methods.
-
- Store a valid token in the cache using store(); mark a token as invalid in
- the cache using store_invalid().
-
- Check if a token is in the cache and retrieve it using get().
-
- """
-
- _CACHE_KEY_TEMPLATE = 'tokens/%s'
- _INVALID_INDICATOR = 'invalid'
-
- def __init__(self, log, cache_time=None,
- env_cache_name=None, memcached_servers=None,
- use_advanced_pool=False, memcache_pool_dead_retry=None,
- memcache_pool_maxsize=None, memcache_pool_unused_timeout=None,
- memcache_pool_conn_get_timeout=None,
- memcache_pool_socket_timeout=None):
- self._LOG = log
- self._cache_time = cache_time
- self._env_cache_name = env_cache_name
- self._memcached_servers = memcached_servers
- self._use_advanced_pool = use_advanced_pool
- self._memcache_pool_dead_retry = memcache_pool_dead_retry,
- self._memcache_pool_maxsize = memcache_pool_maxsize,
- self._memcache_pool_unused_timeout = memcache_pool_unused_timeout
- self._memcache_pool_conn_get_timeout = memcache_pool_conn_get_timeout
- self._memcache_pool_socket_timeout = memcache_pool_socket_timeout
-
- self._cache_pool = None
- self._initialized = False
-
- def _get_cache_pool(self, cache, memcache_servers, use_advanced_pool=False,
- memcache_dead_retry=None, memcache_pool_maxsize=None,
- memcache_pool_unused_timeout=None,
- memcache_pool_conn_get_timeout=None,
- memcache_pool_socket_timeout=None):
- if use_advanced_pool is True and memcache_servers and cache is None:
- return _MemcacheClientPool(
- memcache_servers,
- memcache_dead_retry=memcache_dead_retry,
- memcache_pool_maxsize=memcache_pool_maxsize,
- memcache_pool_unused_timeout=memcache_pool_unused_timeout,
- memcache_pool_conn_get_timeout=memcache_pool_conn_get_timeout,
- memcache_pool_socket_timeout=memcache_pool_socket_timeout)
- else:
- return _CachePool(cache, memcache_servers)
-
- def initialize(self, env):
- if self._initialized:
- return
-
- self._cache_pool = self._get_cache_pool(
- env.get(self._env_cache_name),
- self._memcached_servers,
- use_advanced_pool=self._use_advanced_pool,
- memcache_dead_retry=self._memcache_pool_dead_retry,
- memcache_pool_maxsize=self._memcache_pool_maxsize,
- memcache_pool_unused_timeout=self._memcache_pool_unused_timeout,
- memcache_pool_conn_get_timeout=self._memcache_pool_conn_get_timeout
- )
-
- self._initialized = True
-
- def store(self, token_id, data):
- """Put token data into the cache.
- """
- self._LOG.debug('Storing token in cache')
- self._cache_store(token_id, data)
-
- def store_invalid(self, token_id):
- """Store invalid token in cache."""
- self._LOG.debug('Marking token as unauthorized in cache')
- self._cache_store(token_id, self._INVALID_INDICATOR)
-
- def _get_cache_key(self, token_id):
- """Get a unique key for this token id.
-
- Turn the token_id into something that can uniquely identify that token
- in a key value store.
-
- As this is generally the first function called in a key lookup this
- function also returns a context object. This context object is not
- modified or used by the Cache object but is passed back on subsequent
- functions so that decryption or other data can be shared throughout a
- cache lookup.
-
- :param str token_id: The unique token id.
-
- :returns: A tuple of a string key and an implementation specific
- context object
- """
- # NOTE(jamielennox): in the basic implementation there is no need for
- # a context so just pass None as it will only get passed back later.
- unused_context = None
- return self._CACHE_KEY_TEMPLATE % _hash_key(token_id), unused_context
-
- def _deserialize(self, data, context):
- """Deserialize data from the cache back into python objects.
-
- Take data retrieved from the cache and return an appropriate python
- dictionary.
-
- :param str data: The data retrieved from the cache.
- :param object context: The context that was returned from
- _get_cache_key.
-
- :returns: The python object that was saved.
- """
- # memory cache will handle deserialization for us
- return data
-
- def _serialize(self, data, context):
- """Serialize data so that it can be saved to the cache.
-
- Take python objects and serialize them so that they can be saved into
- the cache.
-
- :param object data: The data to be cached.
- :param object context: The context that was returned from
- _get_cache_key.
-
- :returns: The python object that was saved.
- """
- # memory cache will handle serialization for us
- return data
-
- def get(self, token_id):
- """Return token information from cache.
-
- If token is invalid raise exc.InvalidToken
- return token only if fresh (not expired).
- """
-
- if not token_id:
- # Nothing to do
- return
-
- key, context = self._get_cache_key(token_id)
-
- with self._cache_pool.reserve() as cache:
- serialized = cache.get(key)
-
- if serialized is None:
- return None
-
- if isinstance(serialized, six.text_type):
- serialized = serialized.encode('utf8')
- data = self._deserialize(serialized, context)
-
- # Note that _INVALID_INDICATOR and (data, expires) are the only
- # valid types of serialized cache entries, so there is not
- # a collision with jsonutils.loads(serialized) == None.
- if not isinstance(data, six.string_types):
- data = data.decode('utf-8')
- cached = jsonutils.loads(data)
- if cached == self._INVALID_INDICATOR:
- self._LOG.debug('Cached Token is marked unauthorized')
- raise exc.InvalidToken(_('Token authorization failed'))
-
- # NOTE(jamielennox): Cached values used to be stored as a tuple of data
- # and expiry time. They no longer are but we have to allow some time to
- # transition the old format so if it's a tuple just return the data.
- try:
- data, expires = cached
- except ValueError:
- data = cached
-
- return data
-
- def _cache_store(self, token_id, data):
- """Store value into memcache.
-
- data may be _INVALID_INDICATOR or a tuple like (data, expires)
-
- """
- data = jsonutils.dumps(data)
- if isinstance(data, six.text_type):
- data = data.encode('utf-8')
-
- cache_key, context = self._get_cache_key(token_id)
- data_to_store = self._serialize(data, context)
-
- with self._cache_pool.reserve() as cache:
- cache.set(cache_key, data_to_store, time=self._cache_time)
-
-
-class SecureTokenCache(TokenCache):
- """A token cache that stores tokens encrypted.
-
- A more secure version of TokenCache that will encrypt tokens before
- caching them.
- """
-
- def __init__(self, log, security_strategy, secret_key, **kwargs):
- super(SecureTokenCache, self).__init__(log, **kwargs)
-
- security_strategy = security_strategy.upper()
-
- if security_strategy not in ('MAC', 'ENCRYPT'):
- msg = _('memcache_security_strategy must be ENCRYPT or MAC')
- raise exc.ConfigurationError(msg)
- if not secret_key:
- msg = _('memcache_secret_key must be defined when a '
- 'memcache_security_strategy is defined')
- raise exc.ConfigurationError(msg)
-
- if isinstance(security_strategy, six.string_types):
- security_strategy = security_strategy.encode('utf-8')
- if isinstance(secret_key, six.string_types):
- secret_key = secret_key.encode('utf-8')
-
- self._security_strategy = security_strategy
- self._secret_key = secret_key
-
- def _get_cache_key(self, token_id):
- context = memcache_crypt.derive_keys(token_id,
- self._secret_key,
- self._security_strategy)
- key = self._CACHE_KEY_TEMPLATE % memcache_crypt.get_cache_key(context)
- return key, context
-
- def _deserialize(self, data, context):
- try:
- # unprotect_data will return None if raw_cached is None
- return memcache_crypt.unprotect_data(context, data)
- except Exception:
- msg = _LE('Failed to decrypt/verify cache data')
- self._LOG.exception(msg)
-
- # this should have the same effect as data not
- # found in cache
- return None
-
- def _serialize(self, data, context):
- return memcache_crypt.protect_data(context, data)
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_exceptions.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_exceptions.py
deleted file mode 100644
index be045c96..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_exceptions.py
+++ /dev/null
@@ -1,27 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-class InvalidToken(Exception):
- pass
-
-
-class ServiceError(Exception):
- pass
-
-
-class ConfigurationError(Exception):
- pass
-
-
-class RevocationListError(Exception):
- pass
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_identity.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_identity.py
deleted file mode 100644
index 6fbeac27..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_identity.py
+++ /dev/null
@@ -1,252 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import functools
-
-from keystoneclient import auth
-from keystoneclient import discover
-from keystoneclient import exceptions
-from keystoneclient.v2_0 import client as v2_client
-from keystoneclient.v3 import client as v3_client
-from six.moves import urllib
-
-from keystonemiddleware.auth_token import _auth
-from keystonemiddleware.auth_token import _exceptions as exc
-from keystonemiddleware.i18n import _, _LE, _LI, _LW
-
-
-def _convert_fetch_cert_exception(fetch_cert):
- @functools.wraps(fetch_cert)
- def wrapper(self):
- try:
- text = fetch_cert(self)
- except exceptions.HTTPError as e:
- raise exceptions.CertificateConfigError(e.details)
- return text
-
- return wrapper
-
-
-class _RequestStrategy(object):
-
- AUTH_VERSION = None
-
- def __init__(self, adap, include_service_catalog=None):
- self._include_service_catalog = include_service_catalog
-
- def verify_token(self, user_token):
- pass
-
- @_convert_fetch_cert_exception
- def fetch_signing_cert(self):
- return self._fetch_signing_cert()
-
- def _fetch_signing_cert(self):
- pass
-
- @_convert_fetch_cert_exception
- def fetch_ca_cert(self):
- return self._fetch_ca_cert()
-
- def _fetch_ca_cert(self):
- pass
-
- def fetch_revocation_list(self):
- pass
-
-
-class _V2RequestStrategy(_RequestStrategy):
-
- AUTH_VERSION = (2, 0)
-
- def __init__(self, adap, **kwargs):
- super(_V2RequestStrategy, self).__init__(adap, **kwargs)
- self._client = v2_client.Client(session=adap)
-
- def verify_token(self, token):
- auth_ref = self._client.tokens.validate_access_info(token)
-
- if not auth_ref:
- msg = _('Failed to fetch token data from identity server')
- raise exc.InvalidToken(msg)
-
- return {'access': auth_ref}
-
- def _fetch_signing_cert(self):
- return self._client.certificates.get_signing_certificate()
-
- def _fetch_ca_cert(self):
- return self._client.certificates.get_ca_certificate()
-
- def fetch_revocation_list(self):
- return self._client.tokens.get_revoked()
-
-
-class _V3RequestStrategy(_RequestStrategy):
-
- AUTH_VERSION = (3, 0)
-
- def __init__(self, adap, **kwargs):
- super(_V3RequestStrategy, self).__init__(adap, **kwargs)
- self._client = v3_client.Client(session=adap)
-
- def verify_token(self, token):
- auth_ref = self._client.tokens.validate(
- token,
- include_catalog=self._include_service_catalog)
-
- if not auth_ref:
- msg = _('Failed to fetch token data from identity server')
- raise exc.InvalidToken(msg)
-
- return {'token': auth_ref}
-
- def _fetch_signing_cert(self):
- return self._client.simple_cert.get_certificates()
-
- def _fetch_ca_cert(self):
- return self._client.simple_cert.get_ca_certificates()
-
- def fetch_revocation_list(self):
- return self._client.tokens.get_revoked()
-
-
-_REQUEST_STRATEGIES = [_V3RequestStrategy, _V2RequestStrategy]
-
-
-class IdentityServer(object):
- """Base class for operations on the Identity API server.
-
- The auth_token middleware needs to communicate with the Identity API server
- to validate UUID tokens, fetch the revocation list, signing certificates,
- etc. This class encapsulates the data and methods to perform these
- operations.
-
- """
-
- def __init__(self, log, adap, include_service_catalog=None,
- requested_auth_version=None):
- self._LOG = log
- self._adapter = adap
- self._include_service_catalog = include_service_catalog
- self._requested_auth_version = requested_auth_version
-
- # Built on-demand with self._request_strategy.
- self._request_strategy_obj = None
-
- @property
- def auth_uri(self):
- auth_uri = self._adapter.get_endpoint(interface=auth.AUTH_INTERFACE)
-
- # NOTE(jamielennox): This weird stripping of the prefix hack is
- # only relevant to the legacy case. We urljoin '/' to get just the
- # base URI as this is the original behaviour.
- if isinstance(self._adapter.auth, _auth.AuthTokenPlugin):
- auth_uri = urllib.parse.urljoin(auth_uri, '/').rstrip('/')
-
- return auth_uri
-
- @property
- def auth_version(self):
- return self._request_strategy.AUTH_VERSION
-
- @property
- def _request_strategy(self):
- if not self._request_strategy_obj:
- strategy_class = self._get_strategy_class()
- self._adapter.version = strategy_class.AUTH_VERSION
-
- self._request_strategy_obj = strategy_class(
- self._adapter,
- include_service_catalog=self._include_service_catalog)
-
- return self._request_strategy_obj
-
- def _get_strategy_class(self):
- if self._requested_auth_version:
- # A specific version was requested.
- if discover.version_match(_V3RequestStrategy.AUTH_VERSION,
- self._requested_auth_version):
- return _V3RequestStrategy
-
- # The version isn't v3 so we don't know what to do. Just assume V2.
- return _V2RequestStrategy
-
- # Specific version was not requested then we fall through to
- # discovering available versions from the server
- for klass in _REQUEST_STRATEGIES:
- if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
- msg = _LI('Auth Token confirmed use of %s apis')
- self._LOG.info(msg, self._requested_auth_version)
- return klass
-
- versions = ['v%d.%d' % s.AUTH_VERSION for s in _REQUEST_STRATEGIES]
- self._LOG.error(_LE('No attempted versions [%s] supported by server'),
- ', '.join(versions))
-
- msg = _('No compatible apis supported by server')
- raise exc.ServiceError(msg)
-
- def verify_token(self, user_token, retry=True):
- """Authenticate user token with identity server.
-
- :param user_token: user's token id
- :param retry: flag that forces the middleware to retry
- user authentication when an indeterminate
- response is received. Optional.
- :returns: access info received from identity server on success
- :rtype: :py:class:`keystoneclient.access.AccessInfo`
- :raises exc.InvalidToken: if token is rejected
- :raises exc.ServiceError: if unable to authenticate token
-
- """
- try:
- auth_ref = self._request_strategy.verify_token(user_token)
- except exceptions.NotFound as e:
- self._LOG.warning(_LW('Authorization failed for token'))
- self._LOG.warning(_LW('Identity response: %s'), e.response.text)
- raise exc.InvalidToken(_('Token authorization failed'))
- except exceptions.Unauthorized as e:
- self._LOG.info(_LI('Identity server rejected authorization'))
- self._LOG.warning(_LW('Identity response: %s'), e.response.text)
- if retry:
- self._LOG.info(_LI('Retrying validation'))
- return self.verify_token(user_token, False)
- msg = _('Identity server rejected authorization necessary to '
- 'fetch token data')
- raise exc.ServiceError(msg)
- except exceptions.HttpError as e:
- self._LOG.error(
- _LE('Bad response code while validating token: %s'),
- e.http_status)
- self._LOG.warning(_LW('Identity response: %s'), e.response.text)
- msg = _('Failed to fetch token data from identity server')
- raise exc.ServiceError(msg)
- else:
- return auth_ref
-
- def fetch_revocation_list(self):
- try:
- data = self._request_strategy.fetch_revocation_list()
- except exceptions.HTTPError as e:
- msg = _('Failed to fetch token revocation list: %d')
- raise exc.RevocationListError(msg % e.http_status)
- if 'signed' not in data:
- msg = _('Revocation list improperly formatted.')
- raise exc.RevocationListError(msg)
- return data['signed']
-
- def fetch_signing_cert(self):
- return self._request_strategy.fetch_signing_cert()
-
- def fetch_ca_cert(self):
- return self._request_strategy.fetch_ca_cert()
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_memcache_crypt.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_memcache_crypt.py
deleted file mode 100644
index 2e45571f..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_memcache_crypt.py
+++ /dev/null
@@ -1,210 +0,0 @@
-# Copyright 2010-2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-# implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""
-Utilities for memcache encryption and integrity check.
-
-Data should be serialized before entering these functions. Encryption
-has a dependency on the pycrypto. If pycrypto is not available,
-CryptoUnavailableError will be raised.
-
-This module will not be called unless signing or encryption is enabled
-in the config. It will always validate signatures, and will decrypt
-data if encryption is enabled. It is not valid to mix protection
-modes.
-
-"""
-
-import base64
-import functools
-import hashlib
-import hmac
-import math
-import os
-import six
-import sys
-
-from keystonemiddleware.i18n import _
-
-# make sure pycrypto is available
-try:
- from Crypto.Cipher import AES
-except ImportError:
- AES = None
-
-HASH_FUNCTION = hashlib.sha384
-DIGEST_LENGTH = HASH_FUNCTION().digest_size
-DIGEST_SPLIT = DIGEST_LENGTH // 3
-DIGEST_LENGTH_B64 = 4 * int(math.ceil(DIGEST_LENGTH / 3.0))
-
-
-class InvalidMacError(Exception):
- """raise when unable to verify MACed data.
-
- This usually indicates that data had been expectedly modified in memcache.
-
- """
- pass
-
-
-class DecryptError(Exception):
- """raise when unable to decrypt encrypted data.
-
- """
- pass
-
-
-class CryptoUnavailableError(Exception):
- """raise when Python Crypto module is not available.
-
- """
- pass
-
-
-def assert_crypto_availability(f):
- """Ensure Crypto module is available."""
-
- @functools.wraps(f)
- def wrapper(*args, **kwds):
- if AES is None:
- raise CryptoUnavailableError()
- return f(*args, **kwds)
- return wrapper
-
-
-if sys.version_info >= (3, 3):
- constant_time_compare = hmac.compare_digest
-else:
- def constant_time_compare(first, second):
- """Returns True if both string inputs are equal, otherwise False.
-
- This function should take a constant amount of time regardless of
- how many characters in the strings match.
-
- """
- if len(first) != len(second):
- return False
- result = 0
- if six.PY3 and isinstance(first, bytes) and isinstance(second, bytes):
- for x, y in zip(first, second):
- result |= x ^ y
- else:
- for x, y in zip(first, second):
- result |= ord(x) ^ ord(y)
- return result == 0
-
-
-def derive_keys(token, secret, strategy):
- """Derives keys for MAC and ENCRYPTION from the user-provided
- secret. The resulting keys should be passed to the protect and
- unprotect functions.
-
- As suggested by NIST Special Publication 800-108, this uses the
- first 128 bits from the sha384 KDF for the obscured cache key
- value, the second 128 bits for the message authentication key and
- the remaining 128 bits for the encryption key.
-
- This approach is faster than computing a separate hmac as the KDF
- for each desired key.
- """
- digest = hmac.new(secret, token + strategy, HASH_FUNCTION).digest()
- return {'CACHE_KEY': digest[:DIGEST_SPLIT],
- 'MAC': digest[DIGEST_SPLIT: 2 * DIGEST_SPLIT],
- 'ENCRYPTION': digest[2 * DIGEST_SPLIT:],
- 'strategy': strategy}
-
-
-def sign_data(key, data):
- """Sign the data using the defined function and the derived key."""
- mac = hmac.new(key, data, HASH_FUNCTION).digest()
- return base64.b64encode(mac)
-
-
-@assert_crypto_availability
-def encrypt_data(key, data):
- """Encrypt the data with the given secret key.
-
- Padding is n bytes of the value n, where 1 <= n <= blocksize.
- """
- iv = os.urandom(16)
- cipher = AES.new(key, AES.MODE_CBC, iv)
- padding = 16 - len(data) % 16
- return iv + cipher.encrypt(data + six.int2byte(padding) * padding)
-
-
-@assert_crypto_availability
-def decrypt_data(key, data):
- """Decrypt the data with the given secret key."""
- iv = data[:16]
- cipher = AES.new(key, AES.MODE_CBC, iv)
- try:
- result = cipher.decrypt(data[16:])
- except Exception:
- raise DecryptError(_('Encrypted data appears to be corrupted.'))
-
- # Strip the last n padding bytes where n is the last value in
- # the plaintext
- return result[:-1 * six.byte2int([result[-1]])]
-
-
-def protect_data(keys, data):
- """Given keys and serialized data, returns an appropriately
- protected string suitable for storage in the cache.
-
- """
- if keys['strategy'] == b'ENCRYPT':
- data = encrypt_data(keys['ENCRYPTION'], data)
-
- encoded_data = base64.b64encode(data)
-
- signature = sign_data(keys['MAC'], encoded_data)
- return signature + encoded_data
-
-
-def unprotect_data(keys, signed_data):
- """Given keys and cached string data, verifies the signature,
- decrypts if necessary, and returns the original serialized data.
-
- """
- # cache backends return None when no data is found. We don't mind
- # that this particular special value is unsigned.
- if signed_data is None:
- return None
-
- # First we calculate the signature
- provided_mac = signed_data[:DIGEST_LENGTH_B64]
- calculated_mac = sign_data(
- keys['MAC'],
- signed_data[DIGEST_LENGTH_B64:])
-
- # Then verify that it matches the provided value
- if not constant_time_compare(provided_mac, calculated_mac):
- raise InvalidMacError(_('Invalid MAC; data appears to be corrupted.'))
-
- data = base64.b64decode(signed_data[DIGEST_LENGTH_B64:])
-
- # then if necessary decrypt the data
- if keys['strategy'] == b'ENCRYPT':
- data = decrypt_data(keys['ENCRYPTION'], data)
-
- return data
-
-
-def get_cache_key(keys):
- """Given keys generated by derive_keys(), returns a base64
- encoded value suitable for use as a cache key in memcached.
-
- """
- return base64.b64encode(keys['CACHE_KEY'])
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_memcache_pool.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_memcache_pool.py
deleted file mode 100644
index 77652868..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_memcache_pool.py
+++ /dev/null
@@ -1,184 +0,0 @@
-# Copyright 2014 Mirantis Inc
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""Thread-safe connection pool for python-memcached."""
-
-# NOTE(yorik-sar): this file is copied between keystone and keystonemiddleware
-# and should be kept in sync until we can use external library for this.
-
-import collections
-import contextlib
-import itertools
-import logging
-import time
-
-from six.moves import queue
-
-from keystonemiddleware.i18n import _LC
-
-
-_PoolItem = collections.namedtuple('_PoolItem', ['ttl', 'connection'])
-
-
-class ConnectionGetTimeoutException(Exception):
- pass
-
-
-class ConnectionPool(queue.Queue):
- """Base connection pool class
-
- This class implements the basic connection pool logic as an abstract base
- class.
- """
- def __init__(self, maxsize, unused_timeout, conn_get_timeout=None):
- """Initialize the connection pool.
-
- :param maxsize: maximum number of client connections for the pool
- :type maxsize: int
- :param unused_timeout: idle time to live for unused clients (in
- seconds). If a client connection object has been
- in the pool and idle for longer than the
- unused_timeout, it will be reaped. This is to
- ensure resources are released as utilization
- goes down.
- :type unused_timeout: int
- :param conn_get_timeout: maximum time in seconds to wait for a
- connection. If set to `None` timeout is
- indefinite.
- :type conn_get_timeout: int
- """
- queue.Queue.__init__(self, maxsize)
- self._unused_timeout = unused_timeout
- self._connection_get_timeout = conn_get_timeout
- self._acquired = 0
- self._LOG = logging.getLogger(__name__)
-
- def _create_connection(self):
- raise NotImplementedError
-
- def _destroy_connection(self, conn):
- raise NotImplementedError
-
- @contextlib.contextmanager
- def acquire(self):
- try:
- conn = self.get(timeout=self._connection_get_timeout)
- except queue.Empty:
- self._LOG.critical(_LC('Unable to get a connection from pool id '
- '%(id)s after %(seconds)s seconds.'),
- {'id': id(self),
- 'seconds': self._connection_get_timeout})
- raise ConnectionGetTimeoutException()
- try:
- yield conn
- finally:
- self.put(conn)
-
- def _qsize(self):
- return self.maxsize - self._acquired
-
- if not hasattr(queue.Queue, '_qsize'):
- qsize = _qsize
-
- def _get(self):
- if self.queue:
- conn = self.queue.pop().connection
- else:
- conn = self._create_connection()
- self._acquired += 1
- return conn
-
- def _put(self, conn):
- self.queue.append(_PoolItem(
- ttl=time.time() + self._unused_timeout,
- connection=conn,
- ))
- self._acquired -= 1
- # Drop all expired connections from the right end of the queue
- now = time.time()
- while self.queue and self.queue[0].ttl < now:
- conn = self.queue.popleft().connection
- self._destroy_connection(conn)
-
-
-class MemcacheClientPool(ConnectionPool):
- def __init__(self, urls, arguments, **kwargs):
- ConnectionPool.__init__(self, **kwargs)
- self._urls = urls
- self._arguments = arguments
- # NOTE(morganfainberg): The host objects expect an int for the
- # deaduntil value. Initialize this at 0 for each host with 0 indicating
- # the host is not dead.
- self._hosts_deaduntil = [0] * len(urls)
-
- # NOTE(morganfainberg): Lazy import to allow middleware to work with
- # python 3k even if memcache will not due to python 3k
- # incompatibilities within the python-memcache library.
- global memcache
- import memcache
-
- # This 'class' is taken from http://stackoverflow.com/a/22520633/238308
- # Don't inherit client from threading.local so that we can reuse
- # clients in different threads
- MemcacheClient = type('_MemcacheClient', (object,),
- dict(memcache.Client.__dict__))
-
- self._memcache_client_class = MemcacheClient
-
- def _create_connection(self):
- return self._memcache_client_class(self._urls, **self._arguments)
-
- def _destroy_connection(self, conn):
- conn.disconnect_all()
-
- def _get(self):
- conn = ConnectionPool._get(self)
- try:
- # Propagate host state known to us to this client's list
- now = time.time()
- for deaduntil, host in zip(self._hosts_deaduntil, conn.servers):
- if deaduntil > now and host.deaduntil <= now:
- host.mark_dead('propagating death mark from the pool')
- host.deaduntil = deaduntil
- except Exception:
- # We need to be sure that connection doesn't leak from the pool.
- # This code runs before we enter context manager's try-finally
- # block, so we need to explicitly release it here
- ConnectionPool._put(self, conn)
- raise
- return conn
-
- def _put(self, conn):
- try:
- # If this client found that one of the hosts is dead, mark it as
- # such in our internal list
- now = time.time()
- for i, deaduntil, host in zip(itertools.count(),
- self._hosts_deaduntil,
- conn.servers):
- # Do nothing if we already know this host is dead
- if deaduntil <= now:
- if host.deaduntil > now:
- self._hosts_deaduntil[i] = host.deaduntil
- else:
- self._hosts_deaduntil[i] = 0
- # If all hosts are dead we should forget that they're dead. This
- # way we won't get completely shut off until dead_retry seconds
- # pass, but will be checking servers as frequent as we can (over
- # way smaller socket_timeout)
- if all(deaduntil > now for deaduntil in self._hosts_deaduntil):
- self._hosts_deaduntil[:] = [0] * len(self._hosts_deaduntil)
- finally:
- ConnectionPool._put(self, conn)
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_request.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_request.py
deleted file mode 100644
index 72fd5380..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_request.py
+++ /dev/null
@@ -1,224 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import itertools
-
-from oslo_serialization import jsonutils
-import six
-import webob
-
-
-def _v3_to_v2_catalog(catalog):
- """Convert a catalog to v2 format.
-
- X_SERVICE_CATALOG must be specified in v2 format. If you get a token
- that is in v3 convert it.
- """
- v2_services = []
- for v3_service in catalog:
- # first copy over the entries we allow for the service
- v2_service = {'type': v3_service['type']}
- try:
- v2_service['name'] = v3_service['name']
- except KeyError:
- pass
-
- # now convert the endpoints. Because in v3 we specify region per
- # URL not per group we have to collect all the entries of the same
- # region together before adding it to the new service.
- regions = {}
- for v3_endpoint in v3_service.get('endpoints', []):
- region_name = v3_endpoint.get('region')
- try:
- region = regions[region_name]
- except KeyError:
- region = {'region': region_name} if region_name else {}
- regions[region_name] = region
-
- interface_name = v3_endpoint['interface'].lower() + 'URL'
- region[interface_name] = v3_endpoint['url']
-
- v2_service['endpoints'] = list(regions.values())
- v2_services.append(v2_service)
-
- return v2_services
-
-
-# NOTE(jamielennox): this should probably be moved into its own file, but at
-# the moment there's no real logic here so just keep it locally.
-class _AuthTokenResponse(webob.Response):
-
- default_content_type = None # prevents webob assigning a content type
-
-
-class _AuthTokenRequest(webob.Request):
-
- ResponseClass = _AuthTokenResponse
-
- _HEADER_TEMPLATE = {
- 'X%s-Domain-Id': 'domain_id',
- 'X%s-Domain-Name': 'domain_name',
- 'X%s-Project-Id': 'project_id',
- 'X%s-Project-Name': 'project_name',
- 'X%s-Project-Domain-Id': 'project_domain_id',
- 'X%s-Project-Domain-Name': 'project_domain_name',
- 'X%s-User-Id': 'user_id',
- 'X%s-User-Name': 'username',
- 'X%s-User-Domain-Id': 'user_domain_id',
- 'X%s-User-Domain-Name': 'user_domain_name',
- }
-
- _ROLES_TEMPLATE = 'X%s-Roles'
-
- _USER_HEADER_PREFIX = ''
- _SERVICE_HEADER_PREFIX = '-Service'
-
- _USER_STATUS_HEADER = 'X-Identity-Status'
- _SERVICE_STATUS_HEADER = 'X-Service-Identity-Status'
-
- _SERVICE_CATALOG_HEADER = 'X-Service-Catalog'
- _TOKEN_AUTH = 'keystone.token_auth'
-
- _CONFIRMED = 'Confirmed'
- _INVALID = 'Invalid'
-
- # header names that have been deprecated in favour of something else.
- _DEPRECATED_HEADER_MAP = {
- 'X-Role': 'X-Roles',
- 'X-User': 'X-User-Name',
- 'X-Tenant-Id': 'X-Project-Id',
- 'X-Tenant-Name': 'X-Project-Name',
- 'X-Tenant': 'X-Project-Name',
- }
-
- def _confirmed(cls, value):
- return cls._CONFIRMED if value else cls._INVALID
-
- @property
- def user_token_valid(self):
- """User token is marked as valid.
-
- :returns: True if the X-Identity-Status header is set to Confirmed.
- :rtype: bool
- """
- return self.headers[self._USER_STATUS_HEADER] == self._CONFIRMED
-
- @user_token_valid.setter
- def user_token_valid(self, value):
- self.headers[self._USER_STATUS_HEADER] = self._confirmed(value)
-
- @property
- def user_token(self):
- return self.headers.get('X-Auth-Token',
- self.headers.get('X-Storage-Token'))
-
- @property
- def service_token_valid(self):
- """Service token is marked as valid.
-
- :returns: True if the X-Service-Identity-Status header
- is set to Confirmed.
- :rtype: bool
- """
- return self.headers[self._SERVICE_STATUS_HEADER] == self._CONFIRMED
-
- @service_token_valid.setter
- def service_token_valid(self, value):
- self.headers[self._SERVICE_STATUS_HEADER] = self._confirmed(value)
-
- @property
- def service_token(self):
- return self.headers.get('X-Service-Token')
-
- def _set_auth_headers(self, auth_ref, prefix):
- names = ','.join(auth_ref.role_names)
- self.headers[self._ROLES_TEMPLATE % prefix] = names
-
- for header_tmplt, attr in six.iteritems(self._HEADER_TEMPLATE):
- self.headers[header_tmplt % prefix] = getattr(auth_ref, attr)
-
- def set_user_headers(self, auth_ref, include_service_catalog):
- """Convert token object into headers.
-
- Build headers that represent authenticated user - see main
- doc info at start of __init__ file for details of headers to be defined
- """
- self._set_auth_headers(auth_ref, self._USER_HEADER_PREFIX)
-
- for k, v in six.iteritems(self._DEPRECATED_HEADER_MAP):
- self.headers[k] = self.headers[v]
-
- if include_service_catalog and auth_ref.has_service_catalog():
- catalog = auth_ref.service_catalog.get_data()
- if auth_ref.version == 'v3':
- catalog = _v3_to_v2_catalog(catalog)
-
- c = jsonutils.dumps(catalog)
- self.headers[self._SERVICE_CATALOG_HEADER] = c
-
- self.user_token_valid = True
-
- def set_service_headers(self, auth_ref):
- """Convert token object into service headers.
-
- Build headers that represent authenticated user - see main
- doc info at start of __init__ file for details of headers to be defined
- """
- self._set_auth_headers(auth_ref, self._SERVICE_HEADER_PREFIX)
- self.service_token_valid = True
-
- def _all_auth_headers(self):
- """All the authentication headers that can be set on the request"""
- yield self._SERVICE_CATALOG_HEADER
- yield self._USER_STATUS_HEADER
- yield self._SERVICE_STATUS_HEADER
-
- for header in self._DEPRECATED_HEADER_MAP:
- yield header
-
- prefixes = (self._USER_HEADER_PREFIX, self._SERVICE_HEADER_PREFIX)
-
- for tmpl, prefix in itertools.product(self._HEADER_TEMPLATE, prefixes):
- yield tmpl % prefix
-
- for prefix in prefixes:
- yield self._ROLES_TEMPLATE % prefix
-
- def remove_auth_headers(self):
- """Remove headers so a user can't fake authentication."""
- for header in self._all_auth_headers():
- self.headers.pop(header, None)
-
- @property
- def auth_type(self):
- """The authentication type that was performed by the web server.
-
- The returned string value is always lower case.
-
- :returns: The AUTH_TYPE environ string or None if not present.
- :rtype: str or None
- """
- try:
- auth_type = self.environ['AUTH_TYPE']
- except KeyError:
- return None
- else:
- return auth_type.lower()
-
- @property
- def token_auth(self):
- """The auth plugin that will be associated with this request"""
- return self.environ.get(self._TOKEN_AUTH)
-
- @token_auth.setter
- def token_auth(self, v):
- self.environ[self._TOKEN_AUTH] = v
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_revocations.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_revocations.py
deleted file mode 100644
index a68356a8..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_revocations.py
+++ /dev/null
@@ -1,128 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import datetime
-import logging
-import os
-
-from oslo_serialization import jsonutils
-from oslo_utils import timeutils
-
-from keystonemiddleware.auth_token import _exceptions as exc
-from keystonemiddleware.i18n import _
-
-_LOG = logging.getLogger(__name__)
-
-
-class Revocations(object):
- _FILE_NAME = 'revoked.pem'
-
- def __init__(self, timeout, signing_directory, identity_server,
- cms_verify, log=_LOG):
- self._cache_timeout = timeout
- self._signing_directory = signing_directory
- self._identity_server = identity_server
- self._cms_verify = cms_verify
- self._log = log
-
- self._fetched_time_prop = None
- self._list_prop = None
-
- @property
- def _fetched_time(self):
- if not self._fetched_time_prop:
- # If the fetched list has been written to disk, use its
- # modification time.
- file_path = self._signing_directory.calc_path(self._FILE_NAME)
- if os.path.exists(file_path):
- mtime = os.path.getmtime(file_path)
- fetched_time = datetime.datetime.utcfromtimestamp(mtime)
- # Otherwise the list will need to be fetched.
- else:
- fetched_time = datetime.datetime.min
- self._fetched_time_prop = fetched_time
- return self._fetched_time_prop
-
- @_fetched_time.setter
- def _fetched_time(self, value):
- self._fetched_time_prop = value
-
- def _fetch(self):
- revocation_list_data = self._identity_server.fetch_revocation_list()
- return self._cms_verify(revocation_list_data)
-
- @property
- def _list(self):
- timeout = self._fetched_time + self._cache_timeout
- list_is_current = timeutils.utcnow() < timeout
-
- if list_is_current:
- # Load the list from disk if required
- if not self._list_prop:
- self._list_prop = jsonutils.loads(
- self._signing_directory.read_file(self._FILE_NAME))
- else:
- self._list = self._fetch()
- return self._list_prop
-
- @_list.setter
- def _list(self, value):
- """Save a revocation list to memory and to disk.
-
- :param value: A json-encoded revocation list
-
- """
- self._list_prop = jsonutils.loads(value)
- self._fetched_time = timeutils.utcnow()
- self._signing_directory.write_file(self._FILE_NAME, value)
-
- def _is_revoked(self, token_id):
- """Indicate whether the token_id appears in the revocation list."""
- revoked_tokens = self._list.get('revoked', None)
- if not revoked_tokens:
- return False
-
- revoked_ids = (x['id'] for x in revoked_tokens)
- return token_id in revoked_ids
-
- def _any_revoked(self, token_ids):
- for token_id in token_ids:
- if self._is_revoked(token_id):
- return True
- return False
-
- def check(self, token_ids):
- if self._any_revoked(token_ids):
- self._log.debug('Token is marked as having been revoked')
- raise exc.InvalidToken(_('Token has been revoked'))
-
- def check_by_audit_id(self, audit_ids):
- """Check whether the audit_id appears in the revocation list.
-
- :raises keystonemiddleware.auth_token._exceptions.InvalidToken:
- if the audit ID(s) appear in the revocation list.
-
- """
- revoked_tokens = self._list.get('revoked', None)
- if not revoked_tokens:
- # There's no revoked tokens, so nothing to do.
- return
-
- # The audit_id may not be present in the revocation events because
- # earlier versions of the identity server didn't provide them.
- revoked_ids = set(
- x['audit_id'] for x in revoked_tokens if 'audit_id' in x)
- for audit_id in audit_ids:
- if audit_id in revoked_ids:
- self._log.debug(
- 'Token is marked as having been revoked by audit id')
- raise exc.InvalidToken(_('Token has been revoked'))
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_signing_dir.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_signing_dir.py
deleted file mode 100644
index f8b1a410..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_signing_dir.py
+++ /dev/null
@@ -1,83 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import logging
-import os
-import stat
-import tempfile
-
-import six
-
-from keystonemiddleware.auth_token import _exceptions as exc
-from keystonemiddleware.i18n import _, _LI, _LW
-
-_LOG = logging.getLogger(__name__)
-
-
-class SigningDirectory(object):
-
- def __init__(self, directory_name=None, log=None):
- self._log = log or _LOG
-
- if directory_name is None:
- directory_name = tempfile.mkdtemp(prefix='keystone-signing-')
- self._log.info(
- _LI('Using %s as cache directory for signing certificate'),
- directory_name)
- self._directory_name = directory_name
-
- self._verify_signing_dir()
-
- def write_file(self, file_name, new_contents):
-
- # In Python2, encoding is slow so the following check avoids it if it
- # is not absolutely necessary.
- if isinstance(new_contents, six.text_type):
- new_contents = new_contents.encode('utf-8')
-
- def _atomic_write():
- with tempfile.NamedTemporaryFile(dir=self._directory_name,
- delete=False) as f:
- f.write(new_contents)
- os.rename(f.name, self.calc_path(file_name))
-
- try:
- _atomic_write()
- except (OSError, IOError):
- self._verify_signing_dir()
- _atomic_write()
-
- def read_file(self, file_name):
- path = self.calc_path(file_name)
- open_kwargs = {'encoding': 'utf-8'} if six.PY3 else {}
- with open(path, 'r', **open_kwargs) as f:
- return f.read()
-
- def calc_path(self, file_name):
- return os.path.join(self._directory_name, file_name)
-
- def _verify_signing_dir(self):
- if os.path.isdir(self._directory_name):
- if not os.access(self._directory_name, os.W_OK):
- raise exc.ConfigurationError(
- _('unable to access signing_dir %s') %
- self._directory_name)
- uid = os.getuid()
- if os.stat(self._directory_name).st_uid != uid:
- self._log.warning(_LW('signing_dir is not owned by %s'), uid)
- current_mode = stat.S_IMODE(os.stat(self._directory_name).st_mode)
- if current_mode != stat.S_IRWXU:
- self._log.warning(
- _LW('signing_dir mode is %(mode)s instead of %(need)s'),
- {'mode': oct(current_mode), 'need': oct(stat.S_IRWXU)})
- else:
- os.makedirs(self._directory_name, stat.S_IRWXU)
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_user_plugin.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_user_plugin.py
deleted file mode 100644
index 93075c5c..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_user_plugin.py
+++ /dev/null
@@ -1,193 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystoneclient.auth.identity import base as base_identity
-
-
-class _TokenData(object):
- """An abstraction to show auth_token consumers some of the token contents.
-
- This is a simplified and cleaned up keystoneclient.access.AccessInfo object
- with which services relying on auth_token middleware can find details of
- the current token.
- """
-
- def __init__(self, auth_ref):
- self._stored_auth_ref = auth_ref
-
- @property
- def _is_v2(self):
- return self._stored_auth_ref.version == 'v2.0'
-
- @property
- def auth_token(self):
- """The token data used to authenticate requests.
-
- :returns: token data.
- :rtype: str
- """
- return self._stored_auth_ref.auth_token
-
- @property
- def user_id(self):
- """The user id associated with the authentication request.
-
- :rtype: str
- """
- return self._stored_auth_ref.user_id
-
- @property
- def user_domain_id(self):
- """Returns the domain id of the user associated with the authentication
- request.
-
- :returns: str
- """
- # NOTE(jamielennox): v2 AccessInfo returns 'default' for domain_id
- # because it can't know that value. We want to return None instead.
- if self._is_v2:
- return None
-
- return self._stored_auth_ref.user_domain_id
-
- @property
- def project_id(self):
- """The project ID associated with the authentication.
-
- :rtype: str
- """
- return self._stored_auth_ref.project_id
-
- @property
- def project_domain_id(self):
- """The domain id of the project associated with the authentication
- request.
-
- :rtype: str
- """
- # NOTE(jamielennox): v2 AccessInfo returns 'default' for domain_id
- # because it can't know that value. We want to return None instead.
- if self._is_v2:
- return None
-
- return self._stored_auth_ref.project_domain_id
-
- @property
- def trust_id(self):
- """Returns the trust id associated with the authentication request..
-
- :rtype: str
- """
- return self._stored_auth_ref.trust_id
-
- @property
- def role_ids(self):
- """Role ids of the user associated with the authentication request.
-
- :rtype: set(str)
- """
- return frozenset(self._stored_auth_ref.role_ids or [])
-
- @property
- def role_names(self):
- """Role names of the user associated with the authentication request.
-
- :rtype: set(str)
- """
- return frozenset(self._stored_auth_ref.role_names or [])
-
- @property
- def _log_format(self):
- roles = ','.join(self.role_names)
- return 'user_id %s, project_id %s, roles %s' % (self.user_id,
- self.project_id,
- roles)
-
-
-class UserAuthPlugin(base_identity.BaseIdentityPlugin):
- """The incoming authentication credentials.
-
- A plugin that represents the incoming user credentials. This can be
- consumed by applications.
-
- This object is not expected to be constructed directly by users. It is
- created and passed by auth_token middleware and then can be used as the
- authentication plugin when communicating via a session.
- """
-
- def __init__(self, user_auth_ref, serv_auth_ref):
- super(UserAuthPlugin, self).__init__(reauthenticate=False)
-
- # NOTE(jamielennox): _user_auth_ref and _serv_auth_ref are private
- # because this object ends up in the environ that is passed to the
- # service, however they are used within auth_token middleware.
- self._user_auth_ref = user_auth_ref
- self._serv_auth_ref = serv_auth_ref
-
- self._user_data = None
- self._serv_data = None
-
- @property
- def has_user_token(self):
- """Did this authentication request contained a user auth token."""
- return self._user_auth_ref is not None
-
- @property
- def user(self):
- """Authentication information about the user token.
-
- Will return None if a user token was not passed with this request.
- """
- if not self.has_user_token:
- return None
-
- if not self._user_data:
- self._user_data = _TokenData(self._user_auth_ref)
-
- return self._user_data
-
- @property
- def has_service_token(self):
- """Did this authentication request contained a service token."""
- return self._serv_auth_ref is not None
-
- @property
- def service(self):
- """Authentication information about the service token.
-
- Will return None if a user token was not passed with this request.
- """
- if not self.has_service_token:
- return None
-
- if not self._serv_data:
- self._serv_data = _TokenData(self._serv_auth_ref)
-
- return self._serv_data
-
- def get_auth_ref(self, session, **kwargs):
- # NOTE(jamielennox): We will always use the auth_ref that was
- # calculated by the middleware. reauthenticate=False in __init__ should
- # ensure that this function is only called on the first access.
- return self._user_auth_ref
-
- @property
- def _log_format(self):
- msg = []
-
- if self.has_user_token:
- msg.append('user: %s' % self.user._log_format)
-
- if self.has_service_token:
- msg.append('service: %s' % self.service._log_format)
-
- return ' '.join(msg)
diff --git a/keystonemiddleware-moon/keystonemiddleware/auth_token/_utils.py b/keystonemiddleware-moon/keystonemiddleware/auth_token/_utils.py
deleted file mode 100644
index daed02dd..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/auth_token/_utils.py
+++ /dev/null
@@ -1,32 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from six.moves import urllib
-
-
-def safe_quote(s):
- """URL-encode strings that are not already URL-encoded."""
- return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
-
-
-class MiniResp(object):
-
- def __init__(self, error_message, env, headers=[]):
- # The HEAD method is unique: it must never return a body, even if
- # it reports an error (RFC-2616 clause 9.4). We relieve callers
- # from varying the error responses depending on the method.
- if env['REQUEST_METHOD'] == 'HEAD':
- self.body = ['']
- else:
- self.body = [error_message.encode()]
- self.headers = list(headers)
- self.headers.append(('Content-type', 'text/plain'))
diff --git a/keystonemiddleware-moon/keystonemiddleware/authz.py b/keystonemiddleware-moon/keystonemiddleware/authz.py
deleted file mode 100644
index 93c0a7da..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/authz.py
+++ /dev/null
@@ -1,292 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import webob
-import logging
-import json
-import six
-import requests
-import re
-import httplib
-
-from keystone import exception
-from cStringIO import StringIO
-from oslo_config import cfg
-# from keystoneclient import auth
-from keystonemiddleware.i18n import _, _LC, _LE, _LI, _LW
-
-
-_OPTS = [
- cfg.StrOpt('auth_uri',
- default="http://127.0.0.1:35357/v3",
- help='Complete public Identity API endpoint.'),
- cfg.StrOpt('auth_version',
- default=None,
- help='API version of the admin Identity API endpoint.'),
- cfg.StrOpt('authz_login',
- default="admin",
- help='Name of the administrator who will connect to the Keystone Moon backends.'),
- cfg.StrOpt('authz_password',
- default="nomoresecrete",
- help='Password of the administrator who will connect to the Keystone Moon backends.'),
- cfg.StrOpt('logfile',
- default="/tmp/authz.log",
- help='File where logs goes.'),
- ]
-
-_AUTHZ_GROUP = 'keystone_authz'
-CONF = cfg.CONF
-CONF.register_opts(_OPTS, group=_AUTHZ_GROUP)
-CONF.debug = True
-# auth.register_conf_options(CONF, _AUTHZ_GROUP)
-
-# from http://developer.openstack.org/api-ref-objectstorage-v1.html
-SWIFT_API = (
- ("^/v1/(?P<account>[\w_-]+)$", "GET", "get_account_details"),
- ("^/v1/(?P<account>[\w_-]+)$", "POST", "modify_account"),
- ("^/v1/(?P<account>[\w_-]+)$", "HEAD", "get_account"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "GET", "get_container"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "PUT", "create_container"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "POST", "update_container_metadata"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "DELETE", "delete_container"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "HEAD", "get_container_metadata"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "GET", "get_object"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "PUT", "create_object"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "COPY", "copy_object"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "POST", "update_object_metadata"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "DELETE", "delete_object"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "HEAD", "get_object_metadata"),
-)
-
-
-class ServiceError(Exception):
- pass
-
-
-class AuthZProtocol(object):
- """Middleware that handles authenticating client calls."""
-
- def __init__(self, app, conf):
- self._LOG = logging.getLogger(conf.get('log_name', __name__))
- # FIXME: events are duplicated in log file
- authz_fh = logging.FileHandler(CONF.keystone_authz["logfile"])
- self._LOG.setLevel(logging.DEBUG)
- self._LOG.addHandler(authz_fh)
- self._LOG.info(_LI('Starting Keystone authz middleware'))
- self._conf = conf
- self._app = app
-
- # MOON
- self.auth_host = conf.get('auth_host', "127.0.0.1")
- self.auth_port = int(conf.get('auth_port', 35357))
- auth_protocol = conf.get('auth_protocol', 'http')
- self._request_uri = '%s://%s:%s' % (auth_protocol, self.auth_host,
- self.auth_port)
-
- # SSL
- insecure = conf.get('insecure', False)
- cert_file = conf.get('certfile')
- key_file = conf.get('keyfile')
-
- if insecure:
- self._verify = False
- elif cert_file and key_file:
- self._verify = (cert_file, key_file)
- elif cert_file:
- self._verify = cert_file
- else:
- self._verify = None
-
- def get_url(self, url):
- conn = httplib.HTTPConnection(self.auth_host, self.auth_port)
- headers = {
- "Content-type": "application/x-www-form-urlencoded",
- "Accept": "text/plain,text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
- }
- conn.request('GET', url, headers=headers)
- resp = conn.getresponse()
- content = resp.read()
- conn.close()
- try:
- return json.loads(content)
- except ValueError:
- return {"content": content}
-
- def _deny_request(self, code):
- error_table = {
- 'AccessDenied': (401, 'Access denied'),
- 'InvalidURI': (400, 'Could not parse the specified URI'),
- 'NotFound': (404, 'URI not found'),
- 'Error': (500, 'Server error'),
- }
- resp = webob.Response(content_type='text/xml')
- resp.status = error_table[code][0]
- error_msg = ('<?xml version="1.0" encoding="UTF-8"?>\r\n'
- '<Error>\r\n <Code>%s</Code>\r\n '
- '<Message>%s</Message>\r\n</Error>\r\n' %
- (code, error_table[code][1]))
- if six.PY3:
- error_msg = error_msg.encode()
- resp.body = error_msg
- return resp
-
- def _get_authz_from_moon(self, tenant_id, subject_id, object_id, action_id):
- try:
- _url ='{}/v3/OS-MOON/authz/{}/{}/{}/{}'.format(
- self._request_uri,
- tenant_id,
- subject_id,
- object_id,
- action_id)
- self._LOG.info(_url)
- response = requests.get(_url,verify=self._verify)
- except requests.exceptions.RequestException as e:
- self._LOG.error(_LI('HTTP connection exception: %s'), e)
- resp = self._deny_request('InvalidURI')
- raise ServiceError(resp)
-
- if response.status_code < 200 or response.status_code >= 300:
- self._LOG.debug('Keystone reply error: status=%s reason=%s',
- response.status_code, response.reason)
- if response.status_code == 404:
- resp = self._deny_request('NotFound')
- elif response.status_code == 401:
- resp = self._deny_request('AccessDenied')
- else:
- resp = self._deny_request('Error')
- raise ServiceError(resp)
-
- return response
-
- def _find_openstack_component(self, env):
- if "nova.context" in env.keys():
- return "nova"
- elif "swift.authorize" in env.keys():
- return "swift"
- else:
- self._LOG.debug(env.keys())
- return "unknown"
-
- def _get_action(self, env, component):
- """ Find and return the action of the request
- Actually, find only Nova (start, destroy, pause, unpause, ...) and swift actions
-
- :param env: the request
- :return: the action or ""
- """
- action = ""
- self.input = ""
- if component == "nova":
- length = int(env.get('CONTENT_LENGTH', '0'))
- # TODO (dthom): compute for Nova, Cinder, Neutron, ...
- action = ""
- if length > 0:
- try:
- sub_action_object = env['wsgi.input'].read(length)
- self.input = sub_action_object
- action = json.loads(sub_action_object).keys()[0]
- body = StringIO(sub_action_object)
- env['wsgi.input'] = body
- except ValueError:
- self._LOG.error("Error in decoding sub-action")
- except Exception as e:
- self._LOG.error(str(e))
- if not action or len(action) == 0 and "servers/detail" in env["PATH_INFO"]:
- return "list"
- if component == "swift":
- path = env["PATH_INFO"]
- method = env["REQUEST_METHOD"]
- for api in SWIFT_API:
- if re.match(api[0], path) and method == api[1]:
- action = api[2]
- length = int(env.get('CONTENT_LENGTH', '0'))
- # TODO (dthom): compute for Nova, Cinder, Neutron, ...
- _action = ""
- if length > 0:
- try:
- sub_action_object = env['wsgi.input'].read(length)
- self.input = sub_action_object
- _action = json.loads(sub_action_object).keys()[0]
- body = StringIO(sub_action_object)
- env['wsgi.input'] = body
- self._LOG.debug("wsgi.input={}".format(_action))
- except ValueError:
- self._LOG.error("Error in decoding sub-action")
- except Exception as e:
- self._LOG.error(str(e))
- return action
-
- @staticmethod
- def _get_object(env, component):
- if component == "nova":
- # http://developer.openstack.org/api-ref-compute-v2.1.html
- # nova URLs:
- # /<tenant_id>/servers/<server_id>
- # list details for server_id
- # /<tenant_id>/servers/<server_id>/action
- # execute action to server_id
- # /<tenant_id>/servers/<server_id>/metadata
- # show metadata from server_id
- # /<tenant_id>/servers/details
- # list servers
- url = env.get("PATH_INFO").split("/")
- if url[-1] == "detail":
- return "servers"
- try:
- return url[3]
- except IndexError:
- return
- elif component == "swift":
- # remove the "/v1/" part of the URL
- return env.get("PATH_INFO").split("/", 2)[-1].replace("/", "-").replace(".", "-")
- return "unknown"
-
- def __call__(self, env, start_response):
- req = webob.Request(env)
-
- subject_id = env.get("HTTP_X_USER_ID")
- if not subject_id:
- self._LOG.warning("No subject_id found for {}".format(env.get("PATH_INFO")))
- return self._app(env, start_response)
- tenant_id = env.get("HTTP_X_TENANT_ID")
- if not tenant_id:
- self._LOG.warning("No tenant_id found for {}".format(env.get("PATH_INFO")))
- return self._app(env, start_response)
- component = self._find_openstack_component(env)
- action_id = self._get_action(env, component)
- self._LOG.debug("\033[1m\033[31mrequest={}\033[m".format(env["PATH_INFO"]))
- if action_id:
- object_id = self._get_object(env, component)
- if not object_id:
- object_id = "servers"
- self._LOG.debug("object_id={}".format(object_id))
- resp = self._get_authz_from_moon(tenant_id, subject_id, object_id, action_id)
- if resp.status_code == 200:
- answer = json.loads(resp.content)
- self._LOG.debug("action_id={}/{}".format(component, action_id))
- self._LOG.debug(answer)
- if "authz" in answer and answer["authz"]:
- return self._app(env, start_response)
- self._LOG.error("You are not authorized to do that! ({})".format(unicode(answer["comment"])))
- raise exception.Unauthorized(message="You are not authorized to do that! ({})".format(unicode(answer["comment"])))
- else:
- self._LOG.error("Unable to request Moon ({}: {})".format(resp.status_code, resp.reason))
- else:
- self._LOG.debug("No action_id found for {}".format(env.get("PATH_INFO")))
- # If action is not found, we can't raise an exception because a lots of action is missing
- # in function self._get_action, it is not possible to get them all.
- return self._app(env, start_response)
- # raise exception.Unauthorized(message="You are not authorized to do that!")
-
-
-def filter_factory(global_conf, **local_conf):
- """Returns a WSGI filter app for use with paste.deploy."""
- conf = global_conf.copy()
- conf.update(local_conf)
-
- def auth_filter(app):
- return AuthZProtocol(app, conf)
- return auth_filter
-
diff --git a/keystonemiddleware-moon/keystonemiddleware/ec2_token.py b/keystonemiddleware-moon/keystonemiddleware/ec2_token.py
deleted file mode 100644
index df3bb6b0..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/ec2_token.py
+++ /dev/null
@@ -1,130 +0,0 @@
-# Copyright 2012 OpenStack Foundation
-# Copyright 2010 United States Government as represented by the
-# Administrator of the National Aeronautics and Space Administration.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""
-Starting point for routing EC2 requests.
-
-"""
-
-from oslo_config import cfg
-from oslo_serialization import jsonutils
-import requests
-import webob.dec
-import webob.exc
-
-keystone_ec2_opts = [
- cfg.StrOpt('url',
- default='http://localhost:5000/v2.0/ec2tokens',
- help='URL to get token from ec2 request.'),
- cfg.StrOpt('keyfile',
- help='Required if EC2 server requires client certificate.'),
- cfg.StrOpt('certfile',
- help='Client certificate key filename. Required if EC2 server '
- 'requires client certificate.'),
- cfg.StrOpt('cafile',
- help='A PEM encoded certificate authority to use when '
- 'verifying HTTPS connections. Defaults to the system '
- 'CAs.'),
- cfg.BoolOpt('insecure', default=False,
- help='Disable SSL certificate verification.'),
-]
-
-CONF = cfg.CONF
-CONF.register_opts(keystone_ec2_opts, group='keystone_ec2_token')
-
-
-class EC2Token(object):
- """Authenticate an EC2 request with keystone and convert to token."""
-
- def __init__(self, application):
- super(EC2Token, self).__init__()
- self._application = application
-
- @webob.dec.wsgify()
- def __call__(self, req):
- # Read request signature and access id.
- try:
- signature = req.params['Signature']
- access = req.params['AWSAccessKeyId']
- except KeyError:
- raise webob.exc.HTTPBadRequest()
-
- # Make a copy of args for authentication and signature verification.
- auth_params = dict(req.params)
- # Not part of authentication args
- auth_params.pop('Signature')
-
- # Authenticate the request.
- creds = {
- 'ec2Credentials': {
- 'access': access,
- 'signature': signature,
- 'host': req.host,
- 'verb': req.method,
- 'path': req.path,
- 'params': auth_params,
- }
- }
- creds_json = jsonutils.dumps(creds)
- headers = {'Content-Type': 'application/json'}
-
- verify = True
- if CONF.keystone_ec2_token.insecure:
- verify = False
- elif CONF.keystone_ec2_token.cafile:
- verify = CONF.keystone_ec2_token.cafile
-
- cert = None
- if (CONF.keystone_ec2_token.certfile and
- CONF.keystone_ec2_token.keyfile):
- cert = (CONF.keystone_ec2_certfile,
- CONF.keystone_ec2_token.keyfile)
- elif CONF.keystone_ec2_token.certfile:
- cert = CONF.keystone_ec2_token.certfile
-
- response = requests.post(CONF.keystone_ec2_token.url, data=creds_json,
- headers=headers, verify=verify, cert=cert)
-
- # NOTE(vish): We could save a call to keystone by
- # having keystone return token, tenant,
- # user, and roles from this call.
-
- result = response.json()
- try:
- token_id = result['access']['token']['id']
- except (AttributeError, KeyError):
- raise webob.exc.HTTPBadRequest()
-
- # Authenticated!
- req.headers['X-Auth-Token'] = token_id
- return self._application
-
-
-def filter_factory(global_conf, **local_conf):
- """Returns a WSGI filter app for use with paste.deploy."""
- conf = global_conf.copy()
- conf.update(local_conf)
-
- def auth_filter(app):
- return EC2Token(app, conf)
- return auth_filter
-
-
-def app_factory(global_conf, **local_conf):
- conf = global_conf.copy()
- conf.update(local_conf)
- return EC2Token(None, conf)
diff --git a/keystonemiddleware-moon/keystonemiddleware/echo/__main__.py b/keystonemiddleware-moon/keystonemiddleware/echo/__main__.py
deleted file mode 100644
index 88332f02..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/echo/__main__.py
+++ /dev/null
@@ -1,7 +0,0 @@
-from keystonemiddleware.echo import service
-
-
-try:
- service.EchoService()
-except KeyboardInterrupt:
- pass
diff --git a/keystonemiddleware-moon/keystonemiddleware/echo/service.py b/keystonemiddleware-moon/keystonemiddleware/echo/service.py
deleted file mode 100644
index 277cc027..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/echo/service.py
+++ /dev/null
@@ -1,48 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-# implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""
-Run the echo service directly on port 8000 by executing the following::
-
- $ python -m keystonemiddleware.echo
-
-When the ``auth_token`` module authenticates a request, the echo service
-will respond with all the environment variables presented to it by this
-module.
-"""
-
-from wsgiref import simple_server
-
-from oslo_serialization import jsonutils
-import six
-
-from keystonemiddleware import auth_token
-
-
-def echo_app(environ, start_response):
- """A WSGI application that echoes the CGI environment back to the user."""
- start_response('200 OK', [('Content-Type', 'application/json')])
- environment = dict((k, v) for k, v in six.iteritems(environ)
- if k.startswith('HTTP_X_'))
- yield jsonutils.dumps(environment)
-
-
-class EchoService(object):
- """Runs an instance of the echo app on init."""
- def __init__(self):
- # hardcode any non-default configuration here
- conf = {'auth_protocol': 'http', 'admin_token': 'ADMIN'}
- app = auth_token.AuthProtocol(echo_app, conf)
- server = simple_server.make_server('', 8000, app)
- print('Serving on port 8000 (Ctrl+C to end)...')
- server.serve_forever()
diff --git a/keystonemiddleware-moon/keystonemiddleware/i18n.py b/keystonemiddleware-moon/keystonemiddleware/i18n.py
deleted file mode 100644
index 0591284d..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/i18n.py
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2014 IBM Corp.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""oslo.i18n integration module.
-
-See http://docs.openstack.org/developer/oslo.i18n/usage.html .
-
-"""
-
-import oslo_i18n as i18n
-
-
-_translators = i18n.TranslatorFactory(domain='keystonemiddleware')
-
-# The primary translation function using the well-known name "_"
-_ = _translators.primary
-
-# Translators for log levels.
-#
-# The abbreviated names are meant to reflect the usual use of a short
-# name like '_'. The "L" is for "log" and the other letter comes from
-# the level.
-_LI = _translators.log_info
-_LW = _translators.log_warning
-_LE = _translators.log_error
-_LC = _translators.log_critical
diff --git a/keystonemiddleware-moon/keystonemiddleware/moon_agent.py b/keystonemiddleware-moon/keystonemiddleware/moon_agent.py
deleted file mode 100644
index fd878fea..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/moon_agent.py
+++ /dev/null
@@ -1,310 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import webob
-import logging
-import json
-import re
-import httplib
-
-from cStringIO import StringIO
-from oslo_config import cfg
-from keystonemiddleware.i18n import _, _LC, _LE, _LI, _LW
-
-
-_OPTS = [
- cfg.StrOpt('auth_uri',
- default="http://127.0.0.1:35357/v3",
- help='Complete public Identity API endpoint.'),
- cfg.StrOpt('auth_version',
- default=None,
- help='API version of the admin Identity API endpoint.'),
- cfg.StrOpt('authz_login',
- default="admin",
- help='Name of the administrator who will connect to the Keystone Moon backends.'),
- cfg.StrOpt('authz_password',
- default="nomoresecrete",
- help='Password of the administrator who will connect to the Keystone Moon backends.'),
- cfg.StrOpt('logfile',
- default="/tmp/authz.log",
- help='File where logs goes.'),
- ]
-
-_MOON_KEYSTONEMIDDLEWARE_AGENT_GROUP = 'moon_keystonemiddleware_agent'
-CONF = cfg.CONF
-CONF.register_opts(_OPTS, group=_MOON_KEYSTONEMIDDLEWARE_AGENT_GROUP)
-CONF.debug = True
-
-# from http://developer.openstack.org/api-ref-objectstorage-v1.html
-SWIFT_API = (
- ("^/v1/(?P<account>[\w_-]+)$", "GET", "get_account_details"),
- ("^/v1/(?P<account>[\w_-]+)$", "POST", "modify_account"),
- ("^/v1/(?P<account>[\w_-]+)$", "HEAD", "get_account"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "GET", "get_container"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "PUT", "create_container"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "POST", "update_container_metadata"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "DELETE", "delete_container"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "HEAD", "get_container_metadata"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "GET", "get_object"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "PUT", "create_object"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "COPY", "copy_object"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "POST", "update_object_metadata"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "DELETE", "delete_object"),
- ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "HEAD", "get_object_metadata"),
-)
-
-
-class MoonAgentKeystoneMiddleware(object):
- """Moon's agent for KeystoneMiddleware to interact calls."""
-
- post_data = {
- "auth": {
- "identity": {
- "methods": [
- "password"
- ],
- "password": {
- "user": {
- "domain": {
- "id": "Default"
- },
- "name": "admin",
- "password": "nomoresecrete"
- }
- }
- }
- }
- }
-
- def __init__(self, app, conf):
- self.conf = conf
- self._LOG = logging.getLogger(conf.get('log_name', __name__))
- # FIXME: events are duplicated in log file
- moon_agent_fh = logging.FileHandler(self.conf.get('logfile', "/tmp/keystonemiddleware.log"))
- self._LOG.setLevel(logging.DEBUG)
- self._LOG.addHandler(moon_agent_fh)
- self._LOG.info(_LI('Starting Moon KeystoneMiddleware Agent'))
- self._conf = conf
- self._app = app
-
- # Auth
- self.auth_host = conf.get('auth_host', "127.0.0.1")
- self.auth_port = int(conf.get('auth_port', 35357))
- auth_protocol = conf.get('auth_protocol', 'http')
- self._conf["_request_uri"] = '%s://%s:%s' % (auth_protocol, self.auth_host, # TODO: ??? for auth or authz
- self.auth_port)
-
- # SSL
- insecure = conf.get('insecure', False)
- cert_file = conf.get('certfile')
- key_file = conf.get('keyfile')
-
- if insecure:
- self._conf["_verify"] = False
- elif cert_file and key_file:
- self._conf["_verify"] = (cert_file, key_file)
- elif cert_file:
- self._conf["_verify"] = cert_file
- else:
- self._conf["_verify"] = None
-
- # Moon registered mgrs
- self.local_registered_mgr_dict = dict() # TODO: load from the sql backend
- from keystonemiddleware.moon_mgrs.authz_mgr.authz_mgr import AuthzMgr
- self.local_registered_mgr_dict["authz_mgr"] = AuthzMgr(self._conf)
-
- def __set_token(self):
- self.post_data["auth"]["identity"]["password"]["user"]["name"] = self.conf.get('authz_login', "admin")
- self.post_data["auth"]["identity"]["password"]["user"]["password"] = self.conf.get('authz_password', "nomoresecrete")
- data = self.get_url("/v3/auth/tokens", post_data=self.post_data)
- if "token" not in data:
- raise Exception("Authentication problem ({})".format(data))
- self.token = data["token"]
-
- def __unset_token(self):
- data = self.get_url("/v3/auth/tokens", method="DELETE", authtoken=True)
- if "content" in data and len(data["content"]) > 0:
- self._LOG.error("Error while unsetting token {}".format(data["content"]))
- self.token = None
-
- def get_url(self, url, post_data=None, delete_data=None, method="GET", authtoken=None):
- if post_data:
- method = "POST"
- if delete_data:
- method = "DELETE"
- self._LOG.debug("\033[32m{} {}\033[m".format(method, url))
- conn = httplib.HTTPConnection(self.auth_host, self.auth_port)
- headers = {
- "Content-type": "application/x-www-form-urlencoded",
- "Accept": "text/plain,text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
- }
- if authtoken:
- if self.x_subject_token:
- if method == "DELETE":
- headers["X-Subject-Token"] = self.x_subject_token
- headers["X-Auth-Token"] = self.x_subject_token
- else:
- headers["X-Auth-Token"] = self.x_subject_token
- if post_data:
- method = "POST"
- headers["Content-type"] = "application/json"
- post_data = json.dumps(post_data)
- conn.request(method, url, post_data, headers=headers)
- elif delete_data:
- method = "DELETE"
- conn.request(method, url, json.dumps(delete_data), headers=headers)
- else:
- conn.request(method, url, headers=headers)
- resp = conn.getresponse()
- headers = resp.getheaders()
- try:
- self.x_subject_token = dict(headers)["x-subject-token"]
- except KeyError:
- pass
- content = resp.read()
- conn.close()
- try:
- return json.loads(content)
- except ValueError:
- return {"content": content}
-
- def _find_openstack_component(self, env):
- if "nova.context" in env.keys():
- return "nova"
- elif "swift.authorize" in env.keys():
- return "swift"
- else:
- self._LOG.debug(env.keys())
- return "unknown"
-
- def _get_action(self, env, component):
- """ Find and return the action of the request
- Actually, find only Nova action (start, destroy, pause, unpause, ...)
-
- :param env: the request
- :return: the action or ""
- """
- action = ""
- self.input = ""
- if component == "nova":
- length = int(env.get('CONTENT_LENGTH', '0'))
- # TODO (dthom): compute for Nova, Cinder, Neutron, ...
- action = ""
- if length > 0:
- try:
- sub_action_object = env['wsgi.input'].read(length)
- self.input = sub_action_object
- action = json.loads(sub_action_object).keys()[0]
- body = StringIO(sub_action_object)
- env['wsgi.input'] = body
- except ValueError:
- self._LOG.error("Error in decoding sub-action")
- except Exception as e:
- self._LOG.error(str(e))
- if not action or len(action) == 0 and "servers/detail" in env["PATH_INFO"]:
- return "list"
- if component == "swift":
- path = env["PATH_INFO"]
- method = env["REQUEST_METHOD"]
- for api in SWIFT_API:
- if re.match(api[0], path) and method == api[1]:
- action = api[2]
- length = int(env.get('CONTENT_LENGTH', '0'))
- # TODO (dthom): compute for Nova, Cinder, Neutron, ...
- _action = ""
- if length > 0:
- try:
- sub_action_object = env['wsgi.input'].read(length)
- self.input = sub_action_object
- _action = json.loads(sub_action_object).keys()[0]
- body = StringIO(sub_action_object)
- env['wsgi.input'] = body
- self._LOG.debug("wsgi.input={}".format(_action))
- except ValueError:
- self._LOG.error("Error in decoding sub-action")
- except Exception as e:
- self._LOG.error(str(e))
- return action
-
- @staticmethod
- def _get_resource(env, component):
- if component == "nova":
- # http://developer.openstack.org/api-ref-compute-v2.1.html
- # nova URLs:
- # /<tenant_id>/servers/<server_id>
- # list details for server_id
- # /<tenant_id>/servers/<server_id>/action
- # execute action to server_id
- # /<tenant_id>/servers/<server_id>/metadata
- # show metadata from server_id
- # /<tenant_id>/servers/details
- # list servers
- url = env.get("PATH_INFO").split("/")
- if url[-1] == "detail":
- return "servers"
- try:
- return url[3]
- except IndexError:
- return
- elif component == "swift":
- # remove the "/v1/" part of the URL
- return env.get("PATH_INFO").split("/", 2)[-1].replace("/", "-").replace(".", "-")
- return "unknown"
-
- def __call__(self, env, start_response):
- req = webob.Request(env)
- agent_data = dict()
-
- agent_data['user_id'] = env.get("HTTP_X_USER_ID")
- if not agent_data['user_id']:
- self._LOG.warning("No user_id found for {}".format(env.get("PATH_INFO")))
- return self._app(env, start_response)
-
- agent_data['tenant_id'] = env.get("HTTP_X_TENANT_ID")
- if not agent_data['tenant_id']:
- self._LOG.warning("No tenant_id found for {}".format(env.get("PATH_INFO")))
- return self._app(env, start_response)
-
- agent_data['OS_component'] = self._find_openstack_component(env)
-
- agent_data['action_id'] = self._get_action(env, agent_data['OS_component'])
- if not agent_data['action_id']:
- self._LOG.warning("No action_id found for {}".format(env.get("PATH_INFO")))
- # If action is not found, we can't raise an exception because a lots of action is missing
- # in function self._get_action, it is not possible to get them all.
- return self._app(env, start_response)
-
- agent_data['resource_id'] = self._get_resource(env, agent_data['OS_component'])
- if not agent_data['resource_id'] :
- self._LOG.warning("No resource_id found for {}".format(env.get("PATH_INFO")))
- return self._app(env, start_response)
- else:
- self._LOG.debug("resource_id={}".format(agent_data['resource_id']))
-
- self.__set_token()
- for _mgr in self.local_registered_mgr_dict: # TODO: update from the sql backend
- self.local_registered_mgr_dict[_mgr].response_content = \
- json.loads(self.local_registered_mgr_dict[_mgr].treat_request(self.x_subject_token, agent_data).content)
- self.__unset_token()
-
- aggregate_result = 1
- for _mgr in self.local_registered_mgr_dict:
- if not self.local_registered_mgr_dict[_mgr].response_content:
- aggregate_result = 0
-
- if aggregate_result:
- return self._app(env, start_response)
-
-
-def filter_factory(global_conf, **local_conf):
- """Returns a WSGI filter app for use with paste.deploy."""
- conf = global_conf.copy()
- conf.update(local_conf)
-
- def moon_agent_filter(app):
- return MoonAgentKeystoneMiddleware(app, conf)
- return moon_agent_filter
-
-
diff --git a/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/__init__.py b/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/__init__.py
deleted file mode 100644
index 10d80bc9..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/__init__.py
+++ /dev/null
@@ -1 +0,0 @@
-__author__ = 'wukong'
diff --git a/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/authz_mgr/authz_mgr.py b/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/authz_mgr/authz_mgr.py
deleted file mode 100644
index 9a0a4009..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/authz_mgr/authz_mgr.py
+++ /dev/null
@@ -1,106 +0,0 @@
-import logging
-import requests
-import six
-import webob
-import json
-
-from keystone import exception
-from keystonemiddleware.i18n import _, _LC, _LE, _LI, _LW
-from oslo_config import cfg
-
-
-_OPTS = [
- cfg.StrOpt('authz_login',
- default="admin",
- help='Name of the administrator who will connect to the Keystone Moon backends.'),
- cfg.StrOpt('authz_password',
- default="nomoresecrete",
- help='Password of the administrator who will connect to the Keystone Moon backends.'),
- cfg.StrOpt('logfile',
- default="/tmp/moon_authz_mgr.log", # TODO: update in paste.init
- help='File where logs goes.'),
- ]
-
-_MOON_AUTHZ_MGR_GROUP = 'moon_authz_mgr'
-CONF = cfg.CONF
-CONF.register_opts(_OPTS, group=_MOON_AUTHZ_MGR_GROUP)
-CONF.debug = True
-
-
-class ServiceError(Exception):
- pass
-
-
-class AuthzMgr(object):
-
- def __init__(self, conf):
- self.conf = conf
- self._LOG = logging.getLogger(conf.get('log_name', __name__))
- authz_mgr_fh = logging.FileHandler(self.conf.get('logfile', "/tmp/keystonemiddleware.log"))
- self._LOG.setLevel(logging.DEBUG)
- self._LOG.addHandler(authz_mgr_fh)
- self.response_content = ""
-
- def _deny_request(self, code):
- error_table = {
- 'AccessDenied': (401, 'Access denied'),
- 'InvalidURI': (400, 'Could not parse the specified URI'),
- 'NotFound': (404, 'URI not found'),
- 'Error': (500, 'Server error'),
- }
- resp = webob.Response(content_type='text/xml')
- resp.status = error_table[code][0]
- error_msg = ('<?xml version="1.0" encoding="UTF-8"?>\r\n'
- '<Error>\r\n <Code>%s</Code>\r\n '
- '<Message>%s</Message>\r\n</Error>\r\n' %
- (code, error_table[code][1]))
- if six.PY3:
- error_msg = error_msg.encode()
- resp.body = error_msg
- return resp
-
- def treat_request(self, auth_token, agent_data):
- if not agent_data['resource_id']:
- agent_data['resource_id'] = "servers"
-
- headers = {'X-Auth-Token': auth_token}
- self._LOG.debug('X-Auth-Token={}'.format(auth_token))
- try:
- _url = '{}/moon/authz/{}/{}/{}/{}'.format(
- self.conf["_request_uri"],
- agent_data['tenant_id'],
- agent_data['user_id'],
- agent_data['resource_id'],
- agent_data['action_id'])
- self._LOG.info(_url)
- response = requests.get(_url,
- headers=headers,
- verify=self.conf["_verify"])
- except requests.exceptions.RequestException as e:
- self._LOG.error(_LI('HTTP connection exception: %s'), e)
- resp = self._deny_request('InvalidURI')
- raise ServiceError(resp)
-
- if response.status_code < 200 or response.status_code >= 300:
- self._LOG.debug('Keystone reply error: status=%s reason=%s',
- response.status_code, response.reason)
- if response.status_code == 404:
- resp = self._deny_request('NotFound')
- elif response.status_code == 401:
- resp = self._deny_request('AccessDenied')
- else:
- resp = self._deny_request('Error')
- raise ServiceError(resp)
-
- elif response.status_code == 200:
- answer = json.loads(response.content)
- self._LOG.debug("action_id={}/{}".format(agent_data['OS_component'], agent_data['action_id']))
- self._LOG.debug(answer)
- if "authz" in answer and answer["authz"]:
- return response
- self._LOG.error("You are not authorized to do that! ({})".format(unicode(answer["comment"])))
- raise exception.Unauthorized(message="You are not authorized to do that! ({})".format(unicode(answer["comment"])))
- else:
- self._LOG.error("Unable to request Moon ({}: {})".format(response.status_code, response.reason))
-
- return response
diff --git a/keystonemiddleware-moon/keystonemiddleware/openstack/common/memorycache.py b/keystonemiddleware-moon/keystonemiddleware/openstack/common/memorycache.py
deleted file mode 100644
index e72c26df..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/openstack/common/memorycache.py
+++ /dev/null
@@ -1,97 +0,0 @@
-# Copyright 2010 United States Government as represented by the
-# Administrator of the National Aeronautics and Space Administration.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""Super simple fake memcache client."""
-
-import copy
-
-from oslo_config import cfg
-from oslo_utils import timeutils
-
-memcache_opts = [
- cfg.ListOpt('memcached_servers',
- help='Memcached servers or None for in process cache.'),
-]
-
-CONF = cfg.CONF
-CONF.register_opts(memcache_opts)
-
-
-def list_opts():
- """Entry point for oslo-config-generator."""
- return [(None, copy.deepcopy(memcache_opts))]
-
-
-def get_client(memcached_servers=None):
- client_cls = Client
-
- if not memcached_servers:
- memcached_servers = CONF.memcached_servers
- if memcached_servers:
- import memcache
- client_cls = memcache.Client
-
- return client_cls(memcached_servers, debug=0)
-
-
-class Client(object):
- """Replicates a tiny subset of memcached client interface."""
-
- def __init__(self, *args, **kwargs):
- """Ignores the passed in args."""
- self.cache = {}
-
- def get(self, key):
- """Retrieves the value for a key or None.
-
- This expunges expired keys during each get.
- """
-
- now = timeutils.utcnow_ts()
- for k in list(self.cache):
- (timeout, _value) = self.cache[k]
- if timeout and now >= timeout:
- del self.cache[k]
-
- return self.cache.get(key, (0, None))[1]
-
- def set(self, key, value, time=0, min_compress_len=0):
- """Sets the value for a key."""
- timeout = 0
- if time != 0:
- timeout = timeutils.utcnow_ts() + time
- self.cache[key] = (timeout, value)
- return True
-
- def add(self, key, value, time=0, min_compress_len=0):
- """Sets the value for a key if it doesn't exist."""
- if self.get(key) is not None:
- return False
- return self.set(key, value, time, min_compress_len)
-
- def incr(self, key, delta=1):
- """Increments the value for a key."""
- value = self.get(key)
- if value is None:
- return None
- new_value = int(value) + delta
- self.cache[key] = (self.cache[key][0], str(new_value))
- return new_value
-
- def delete(self, key, time=0):
- """Deletes the value associated with a key."""
- if key in self.cache:
- del self.cache[key]
diff --git a/keystonemiddleware-moon/keystonemiddleware/opts.py b/keystonemiddleware-moon/keystonemiddleware/opts.py
deleted file mode 100644
index 62a7dabf..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/opts.py
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright (c) 2014 OpenStack Foundation.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-__all__ = [
- 'list_auth_token_opts',
-]
-
-import copy
-
-import keystonemiddleware.auth_token
-from keystonemiddleware.auth_token import _auth
-from keystonemiddleware.auth_token import _base
-
-auth_token_opts = [
- (_base.AUTHTOKEN_GROUP,
- keystonemiddleware.auth_token._OPTS +
- _auth.AuthTokenPlugin.get_options())
-]
-
-
-def list_auth_token_opts():
- """Return a list of oslo_config options available in auth_token middleware.
-
- The returned list includes all oslo_config options which may be registered
- at runtime by the project.
-
- Each element of the list is a tuple. The first element is the name of the
- group under which the list of elements in the second element will be
- registered. A group name of None corresponds to the [DEFAULT] group in
- config files.
-
- This function is also discoverable via the entry point
- 'keystonemiddleware.auth_token' under the 'oslo.config.opts'
- namespace.
-
- The purpose of this is to allow tools like the Oslo sample config file
- generator to discover the options exposed to users by this middleware.
-
- :returns: a list of (group_name, opts) tuples
- """
- return [(g, copy.deepcopy(o)) for g, o in auth_token_opts]
diff --git a/keystonemiddleware-moon/keystonemiddleware/s3_token.py b/keystonemiddleware-moon/keystonemiddleware/s3_token.py
deleted file mode 100644
index d71ab276..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/s3_token.py
+++ /dev/null
@@ -1,270 +0,0 @@
-# Copyright 2012 OpenStack Foundation
-# Copyright 2010 United States Government as represented by the
-# Administrator of the National Aeronautics and Space Administration.
-# Copyright 2011,2012 Akira YOSHIYAMA <akirayoshiyama@gmail.com>
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# This source code is based ./auth_token.py and ./ec2_token.py.
-# See them for their copyright.
-
-"""
-S3 Token Middleware
-
-This WSGI component:
-
-* Gets a request from the swift3 middleware with an S3 Authorization
- access key.
-* Validates s3 token in Keystone.
-* Transforms the account name to AUTH_%(tenant_name).
-
-"""
-
-import logging
-import webob
-
-from oslo_serialization import jsonutils
-from oslo_utils import strutils
-import requests
-import six
-from six.moves import urllib
-
-from keystonemiddleware.i18n import _, _LI
-
-
-PROTOCOL_NAME = 'S3 Token Authentication'
-
-
-# TODO(kun): remove it after oslo merge this.
-def _split_path(path, minsegs=1, maxsegs=None, rest_with_last=False):
- """Validate and split the given HTTP request path.
-
- **Examples**::
-
- ['a'] = _split_path('/a')
- ['a', None] = _split_path('/a', 1, 2)
- ['a', 'c'] = _split_path('/a/c', 1, 2)
- ['a', 'c', 'o/r'] = _split_path('/a/c/o/r', 1, 3, True)
-
- :param path: HTTP Request path to be split
- :param minsegs: Minimum number of segments to be extracted
- :param maxsegs: Maximum number of segments to be extracted
- :param rest_with_last: If True, trailing data will be returned as part
- of last segment. If False, and there is
- trailing data, raises ValueError.
- :returns: list of segments with a length of maxsegs (non-existent
- segments will return as None)
- :raises: ValueError if given an invalid path
- """
- if not maxsegs:
- maxsegs = minsegs
- if minsegs > maxsegs:
- raise ValueError(_('minsegs > maxsegs: %(min)d > %(max)d)') %
- {'min': minsegs, 'max': maxsegs})
- if rest_with_last:
- segs = path.split('/', maxsegs)
- minsegs += 1
- maxsegs += 1
- count = len(segs)
- if (segs[0] or count < minsegs or count > maxsegs or
- '' in segs[1:minsegs]):
- raise ValueError(_('Invalid path: %s') % urllib.parse.quote(path))
- else:
- minsegs += 1
- maxsegs += 1
- segs = path.split('/', maxsegs)
- count = len(segs)
- if (segs[0] or count < minsegs or count > maxsegs + 1 or
- '' in segs[1:minsegs] or
- (count == maxsegs + 1 and segs[maxsegs])):
- raise ValueError(_('Invalid path: %s') % urllib.parse.quote(path))
- segs = segs[1:maxsegs]
- segs.extend([None] * (maxsegs - 1 - len(segs)))
- return segs
-
-
-class ServiceError(Exception):
- pass
-
-
-class S3Token(object):
- """Middleware that handles S3 authentication."""
-
- def __init__(self, app, conf):
- """Common initialization code."""
- self._app = app
- self._logger = logging.getLogger(conf.get('log_name', __name__))
- self._logger.debug('Starting the %s component', PROTOCOL_NAME)
- self._reseller_prefix = conf.get('reseller_prefix', 'AUTH_')
- # where to find the auth service (we use this to validate tokens)
-
- auth_host = conf.get('auth_host')
- auth_port = int(conf.get('auth_port', 35357))
- auth_protocol = conf.get('auth_protocol', 'https')
-
- self._request_uri = '%s://%s:%s' % (auth_protocol, auth_host,
- auth_port)
-
- # SSL
- insecure = strutils.bool_from_string(conf.get('insecure', False))
- cert_file = conf.get('certfile')
- key_file = conf.get('keyfile')
-
- if insecure:
- self._verify = False
- elif cert_file and key_file:
- self._verify = (cert_file, key_file)
- elif cert_file:
- self._verify = cert_file
- else:
- self._verify = None
-
- def _deny_request(self, code):
- error_table = {
- 'AccessDenied': (401, 'Access denied'),
- 'InvalidURI': (400, 'Could not parse the specified URI'),
- }
- resp = webob.Response(content_type='text/xml')
- resp.status = error_table[code][0]
- error_msg = ('<?xml version="1.0" encoding="UTF-8"?>\r\n'
- '<Error>\r\n <Code>%s</Code>\r\n '
- '<Message>%s</Message>\r\n</Error>\r\n' %
- (code, error_table[code][1]))
- if six.PY3:
- error_msg = error_msg.encode()
- resp.body = error_msg
- return resp
-
- def _json_request(self, creds_json):
- headers = {'Content-Type': 'application/json'}
- try:
- response = requests.post('%s/v2.0/s3tokens' % self._request_uri,
- headers=headers, data=creds_json,
- verify=self._verify)
- except requests.exceptions.RequestException as e:
- self._logger.info(_LI('HTTP connection exception: %s'), e)
- resp = self._deny_request('InvalidURI')
- raise ServiceError(resp)
-
- if response.status_code < 200 or response.status_code >= 300:
- self._logger.debug('Keystone reply error: status=%s reason=%s',
- response.status_code, response.reason)
- resp = self._deny_request('AccessDenied')
- raise ServiceError(resp)
-
- return response
-
- def __call__(self, environ, start_response):
- """Handle incoming request. authenticate and send downstream."""
- req = webob.Request(environ)
- self._logger.debug('Calling S3Token middleware.')
-
- try:
- parts = _split_path(req.path, 1, 4, True)
- version, account, container, obj = parts
- except ValueError:
- msg = 'Not a path query, skipping.'
- self._logger.debug(msg)
- return self._app(environ, start_response)
-
- # Read request signature and access id.
- if 'Authorization' not in req.headers:
- msg = 'No Authorization header. skipping.'
- self._logger.debug(msg)
- return self._app(environ, start_response)
-
- token = req.headers.get('X-Auth-Token',
- req.headers.get('X-Storage-Token'))
- if not token:
- msg = 'You did not specify an auth or a storage token. skipping.'
- self._logger.debug(msg)
- return self._app(environ, start_response)
-
- auth_header = req.headers['Authorization']
- try:
- access, signature = auth_header.split(' ')[-1].rsplit(':', 1)
- except ValueError:
- msg = 'You have an invalid Authorization header: %s'
- self._logger.debug(msg, auth_header)
- return self._deny_request('InvalidURI')(environ, start_response)
-
- # NOTE(chmou): This is to handle the special case with nova
- # when we have the option s3_affix_tenant. We will force it to
- # connect to another account than the one
- # authenticated. Before people start getting worried about
- # security, I should point that we are connecting with
- # username/token specified by the user but instead of
- # connecting to its own account we will force it to go to an
- # another account. In a normal scenario if that user don't
- # have the reseller right it will just fail but since the
- # reseller account can connect to every account it is allowed
- # by the swift_auth middleware.
- force_tenant = None
- if ':' in access:
- access, force_tenant = access.split(':')
-
- # Authenticate request.
- creds = {'credentials': {'access': access,
- 'token': token,
- 'signature': signature}}
- creds_json = jsonutils.dumps(creds)
- self._logger.debug('Connecting to Keystone sending this JSON: %s',
- creds_json)
- # NOTE(vish): We could save a call to keystone by having
- # keystone return token, tenant, user, and roles
- # from this call.
- #
- # NOTE(chmou): We still have the same problem we would need to
- # change token_auth to detect if we already
- # identified and not doing a second query and just
- # pass it through to swiftauth in this case.
- try:
- resp = self._json_request(creds_json)
- except ServiceError as e:
- resp = e.args[0]
- msg = 'Received error, exiting middleware with error: %s'
- self._logger.debug(msg, resp.status_code)
- return resp(environ, start_response)
-
- self._logger.debug('Keystone Reply: Status: %d, Output: %s',
- resp.status_code, resp.content)
-
- try:
- identity_info = resp.json()
- token_id = str(identity_info['access']['token']['id'])
- tenant = identity_info['access']['token']['tenant']
- except (ValueError, KeyError):
- error = 'Error on keystone reply: %d %s'
- self._logger.debug(error, resp.status_code, resp.content)
- return self._deny_request('InvalidURI')(environ, start_response)
-
- req.headers['X-Auth-Token'] = token_id
- tenant_to_connect = force_tenant or tenant['id']
- if six.PY2 and isinstance(tenant_to_connect, six.text_type):
- tenant_to_connect = tenant_to_connect.encode('utf-8')
- self._logger.debug('Connecting with tenant: %s', tenant_to_connect)
- new_tenant_name = '%s%s' % (self._reseller_prefix, tenant_to_connect)
- environ['PATH_INFO'] = environ['PATH_INFO'].replace(account,
- new_tenant_name)
- return self._app(environ, start_response)
-
-
-def filter_factory(global_conf, **local_conf):
- """Returns a WSGI filter app for use with paste.deploy."""
- conf = global_conf.copy()
- conf.update(local_conf)
-
- def auth_filter(app):
- return S3Token(app, conf)
- return auth_filter
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/base.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/base.py
deleted file mode 100644
index d76572a8..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/base.py
+++ /dev/null
@@ -1,73 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import logging
-
-import fixtures
-from oslo_config import cfg
-from oslo_config import fixture as cfg_fixture
-from requests_mock.contrib import fixture as rm_fixture
-import six
-import webob.dec
-
-from keystonemiddleware import auth_token
-from keystonemiddleware.tests.unit import utils
-
-
-class BaseAuthTokenTestCase(utils.BaseTestCase):
-
- def setUp(self):
- super(BaseAuthTokenTestCase, self).setUp()
- self.requests_mock = self.useFixture(rm_fixture.Fixture())
- self.logger = fixtures.FakeLogger(level=logging.DEBUG)
- self.cfg = self.useFixture(cfg_fixture.Config(conf=cfg.ConfigOpts()))
-
- def create_middleware(self, cb, conf=None, use_global_conf=False):
-
- @webob.dec.wsgify
- def _do_cb(req):
- return cb(req)
-
- if use_global_conf:
- opts = conf or {}
- else:
- opts = {
- 'oslo_config_project': 'keystonemiddleware',
- 'oslo_config_config': self.cfg.conf,
- }
- opts.update(conf or {})
-
- return auth_token.AuthProtocol(_do_cb, opts)
-
- def create_simple_middleware(self,
- status='200 OK',
- body='',
- headers=None,
- **kwargs):
- def cb(req):
- resp = webob.Response(body, status)
- resp.headers.update(headers or {})
- return resp
-
- return self.create_middleware(cb, **kwargs)
-
- @classmethod
- def call(cls, middleware, method='GET', path='/', headers=None):
- req = webob.Request.blank(path)
- req.method = method
-
- for k, v in six.iteritems(headers or {}):
- req.headers[k] = v
-
- resp = req.get_response(middleware)
- resp.request = req
- return resp
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_auth.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_auth.py
deleted file mode 100644
index d6ebc9a0..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_auth.py
+++ /dev/null
@@ -1,102 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import logging
-import uuid
-
-from keystoneclient import auth
-from keystoneclient import fixture
-from keystoneclient import session
-from requests_mock.contrib import fixture as rm_fixture
-import six
-
-from keystonemiddleware.auth_token import _auth
-from keystonemiddleware.tests.unit import utils
-
-
-class DefaultAuthPluginTests(utils.BaseTestCase):
-
- def new_plugin(self, auth_host=None, auth_port=None, auth_protocol=None,
- auth_admin_prefix=None, admin_user=None,
- admin_password=None, admin_tenant_name=None,
- admin_token=None, identity_uri=None, log=None):
- if not log:
- log = self.logger
-
- return _auth.AuthTokenPlugin.load_from_options(
- auth_host=auth_host,
- auth_port=auth_port,
- auth_protocol=auth_protocol,
- auth_admin_prefix=auth_admin_prefix,
- admin_user=admin_user,
- admin_password=admin_password,
- admin_tenant_name=admin_tenant_name,
- admin_token=admin_token,
- identity_uri=identity_uri,
- log=log)
-
- def setUp(self):
- super(DefaultAuthPluginTests, self).setUp()
-
- self.stream = six.StringIO()
- self.logger = logging.getLogger(__name__)
- self.session = session.Session()
- self.requests_mock = self.useFixture(rm_fixture.Fixture())
-
- def test_auth_uri_from_fragments(self):
- auth_protocol = 'http'
- auth_host = 'testhost'
- auth_port = 8888
- auth_admin_prefix = 'admin'
-
- expected = '%s://%s:%d/admin' % (auth_protocol, auth_host, auth_port)
-
- plugin = self.new_plugin(auth_host=auth_host,
- auth_protocol=auth_protocol,
- auth_port=auth_port,
- auth_admin_prefix=auth_admin_prefix)
-
- self.assertEqual(expected,
- plugin.get_endpoint(self.session,
- interface=auth.AUTH_INTERFACE))
-
- def test_identity_uri_overrides_fragments(self):
- identity_uri = 'http://testhost:8888/admin'
- plugin = self.new_plugin(identity_uri=identity_uri,
- auth_host='anotherhost',
- auth_port=9999,
- auth_protocol='ftp')
-
- self.assertEqual(identity_uri,
- plugin.get_endpoint(self.session,
- interface=auth.AUTH_INTERFACE))
-
- def test_with_admin_token(self):
- token = uuid.uuid4().hex
- plugin = self.new_plugin(identity_uri='http://testhost:8888/admin',
- admin_token=token)
- self.assertEqual(token, plugin.get_token(self.session))
-
- def test_with_user_pass(self):
- base_uri = 'http://testhost:8888/admin'
- token = fixture.V2Token()
- admin_tenant_name = uuid.uuid4().hex
-
- self.requests_mock.post(base_uri + '/v2.0/tokens',
- json=token)
-
- plugin = self.new_plugin(identity_uri=base_uri,
- admin_user=uuid.uuid4().hex,
- admin_password=uuid.uuid4().hex,
- admin_tenant_name=admin_tenant_name)
-
- self.assertEqual(token.token_id, plugin.get_token(self.session))
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
deleted file mode 100644
index e6a495f4..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_auth_token_middleware.py
+++ /dev/null
@@ -1,2634 +0,0 @@
-# Copyright 2012 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import datetime
-import json
-import logging
-import os
-import shutil
-import stat
-import tempfile
-import time
-import uuid
-import warnings
-
-import fixtures
-from keystoneclient import auth
-from keystoneclient.common import cms
-from keystoneclient import exceptions
-from keystoneclient import fixture
-from keystoneclient import session
-import mock
-from oslo_config import cfg
-from oslo_serialization import jsonutils
-from oslo_utils import timeutils
-from oslotest import createfile
-import six
-import testresources
-import testtools
-from testtools import matchers
-import webob
-import webob.dec
-
-from keystonemiddleware import auth_token
-from keystonemiddleware.auth_token import _base
-from keystonemiddleware.auth_token import _exceptions as exc
-from keystonemiddleware.auth_token import _revocations
-from keystonemiddleware.openstack.common import memorycache
-from keystonemiddleware.tests.unit.auth_token import base
-from keystonemiddleware.tests.unit import client_fixtures
-from keystonemiddleware.tests.unit import utils
-
-
-EXPECTED_V2_DEFAULT_ENV_RESPONSE = {
- 'HTTP_X_IDENTITY_STATUS': 'Confirmed',
- 'HTTP_X_TENANT_ID': 'tenant_id1',
- 'HTTP_X_TENANT_NAME': 'tenant_name1',
- 'HTTP_X_USER_ID': 'user_id1',
- 'HTTP_X_USER_NAME': 'user_name1',
- 'HTTP_X_ROLES': 'role1,role2',
- 'HTTP_X_USER': 'user_name1', # deprecated (diablo-compat)
- 'HTTP_X_TENANT': 'tenant_name1', # deprecated (diablo-compat)
- 'HTTP_X_ROLE': 'role1,role2', # deprecated (diablo-compat)
-}
-
-EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE = {
- 'HTTP_X_SERVICE_IDENTITY_STATUS': 'Confirmed',
- 'HTTP_X_SERVICE_PROJECT_ID': 'service_project_id1',
- 'HTTP_X_SERVICE_PROJECT_NAME': 'service_project_name1',
- 'HTTP_X_SERVICE_USER_ID': 'service_user_id1',
- 'HTTP_X_SERVICE_USER_NAME': 'service_user_name1',
- 'HTTP_X_SERVICE_ROLES': 'service_role1,service_role2',
-}
-
-EXPECTED_V3_DEFAULT_ENV_ADDITIONS = {
- 'HTTP_X_PROJECT_DOMAIN_ID': 'domain_id1',
- 'HTTP_X_PROJECT_DOMAIN_NAME': 'domain_name1',
- 'HTTP_X_USER_DOMAIN_ID': 'domain_id1',
- 'HTTP_X_USER_DOMAIN_NAME': 'domain_name1',
-}
-
-EXPECTED_V3_DEFAULT_SERVICE_ENV_ADDITIONS = {
- 'HTTP_X_SERVICE_PROJECT_DOMAIN_ID': 'service_domain_id1',
- 'HTTP_X_SERVICE_PROJECT_DOMAIN_NAME': 'service_domain_name1',
- 'HTTP_X_SERVICE_USER_DOMAIN_ID': 'service_domain_id1',
- 'HTTP_X_SERVICE_USER_DOMAIN_NAME': 'service_domain_name1'
-}
-
-
-BASE_HOST = 'https://keystone.example.com:1234'
-BASE_URI = '%s/testadmin' % BASE_HOST
-FAKE_ADMIN_TOKEN_ID = 'admin_token2'
-FAKE_ADMIN_TOKEN = jsonutils.dumps(
- {'access': {'token': {'id': FAKE_ADMIN_TOKEN_ID,
- 'expires': '2022-10-03T16:58:01Z'}}})
-
-VERSION_LIST_v3 = fixture.DiscoveryList(href=BASE_URI)
-VERSION_LIST_v2 = fixture.DiscoveryList(v3=False, href=BASE_URI)
-
-ERROR_TOKEN = '7ae290c2a06244c4b41692eb4e9225f2'
-MEMCACHED_SERVERS = ['localhost:11211']
-MEMCACHED_AVAILABLE = None
-
-
-def memcached_available():
- """Do a sanity check against memcached.
-
- Returns ``True`` if the following conditions are met (otherwise, returns
- ``False``):
-
- - ``python-memcached`` is installed
- - a usable ``memcached`` instance is available via ``MEMCACHED_SERVERS``
- - the client is able to set and get a key/value pair
-
- """
- global MEMCACHED_AVAILABLE
-
- if MEMCACHED_AVAILABLE is None:
- try:
- import memcache
- c = memcache.Client(MEMCACHED_SERVERS)
- c.set('ping', 'pong', time=1)
- MEMCACHED_AVAILABLE = c.get('ping') == 'pong'
- except ImportError:
- MEMCACHED_AVAILABLE = False
-
- return MEMCACHED_AVAILABLE
-
-
-def cleanup_revoked_file(filename):
- try:
- os.remove(filename)
- except OSError:
- pass
-
-
-def strtime(at=None):
- at = at or timeutils.utcnow()
- return at.strftime(timeutils.PERFECT_TIME_FORMAT)
-
-
-class TimezoneFixture(fixtures.Fixture):
- @staticmethod
- def supported():
- # tzset is only supported on Unix.
- return hasattr(time, 'tzset')
-
- def __init__(self, new_tz):
- super(TimezoneFixture, self).__init__()
- self.tz = new_tz
- self.old_tz = os.environ.get('TZ')
-
- def setUp(self):
- super(TimezoneFixture, self).setUp()
- if not self.supported():
- raise NotImplementedError('timezone override is not supported.')
- os.environ['TZ'] = self.tz
- time.tzset()
- self.addCleanup(self.cleanup)
-
- def cleanup(self):
- if self.old_tz is not None:
- os.environ['TZ'] = self.old_tz
- elif 'TZ' in os.environ:
- del os.environ['TZ']
- time.tzset()
-
-
-class TimeFixture(fixtures.Fixture):
-
- def __init__(self, new_time, normalize=True):
- super(TimeFixture, self).__init__()
- if isinstance(new_time, six.string_types):
- new_time = timeutils.parse_isotime(new_time)
- if normalize:
- new_time = timeutils.normalize_time(new_time)
- self.new_time = new_time
-
- def setUp(self):
- super(TimeFixture, self).setUp()
- timeutils.set_time_override(self.new_time)
- self.addCleanup(timeutils.clear_time_override)
-
-
-class FakeApp(object):
- """This represents a WSGI app protected by the auth_token middleware."""
-
- SUCCESS = b'SUCCESS'
- FORBIDDEN = b'FORBIDDEN'
- expected_env = {}
-
- def __init__(self, expected_env=None, need_service_token=False):
- self.expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE)
-
- if expected_env:
- self.expected_env.update(expected_env)
-
- self.need_service_token = need_service_token
-
- @webob.dec.wsgify
- def __call__(self, req):
- for k, v in self.expected_env.items():
- assert req.environ[k] == v, '%s != %s' % (req.environ[k], v)
-
- resp = webob.Response()
-
- if (req.environ.get('HTTP_X_IDENTITY_STATUS') == 'Invalid' and
- req.environ['HTTP_X_SERVICE_IDENTITY_STATUS'] == 'Invalid'):
- # Simulate delayed auth forbidding access with arbitrary status
- # code to differentiate checking this code path
- resp.status = 419
- resp.body = FakeApp.FORBIDDEN
- elif req.environ.get('HTTP_X_SERVICE_IDENTITY_STATUS') == 'Invalid':
- # Simulate delayed auth forbidding access with arbitrary status
- # code to differentiate checking this code path
- resp.status = 420
- resp.body = FakeApp.FORBIDDEN
- elif req.environ['HTTP_X_IDENTITY_STATUS'] == 'Invalid':
- # Simulate delayed auth forbidding access
- resp.status = 403
- resp.body = FakeApp.FORBIDDEN
- elif (self.need_service_token is True and
- req.environ.get('HTTP_X_SERVICE_TOKEN') is None):
- # Simulate requiring composite auth
- # Arbitrary value to allow checking this code path
- resp.status = 418
- resp.body = FakeApp.FORBIDDEN
- else:
- resp.body = FakeApp.SUCCESS
-
- return resp
-
-
-class v3FakeApp(FakeApp):
- """This represents a v3 WSGI app protected by the auth_token middleware."""
-
- def __init__(self, expected_env=None, need_service_token=False):
-
- # with v3 additions, these are for the DEFAULT TOKEN
- v3_default_env_additions = dict(EXPECTED_V3_DEFAULT_ENV_ADDITIONS)
- if expected_env:
- v3_default_env_additions.update(expected_env)
- super(v3FakeApp, self).__init__(expected_env=v3_default_env_additions,
- need_service_token=need_service_token)
-
-
-class CompositeBase(object):
- """Base composite auth object with common service token environment."""
-
- def __init__(self, expected_env=None):
- comp_expected_env = dict(EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE)
-
- if expected_env:
- comp_expected_env.update(expected_env)
-
- super(CompositeBase, self).__init__(
- expected_env=comp_expected_env, need_service_token=True)
-
-
-class CompositeFakeApp(CompositeBase, FakeApp):
- """A fake v2 WSGI app protected by composite auth_token middleware."""
-
- def __init__(self, expected_env):
- super(CompositeFakeApp, self).__init__(expected_env=expected_env)
-
-
-class v3CompositeFakeApp(CompositeBase, v3FakeApp):
- """A fake v3 WSGI app protected by composite auth_token middleware."""
-
- def __init__(self, expected_env=None):
-
- # with v3 additions, these are for the DEFAULT SERVICE TOKEN
- v3_default_service_env_additions = dict(
- EXPECTED_V3_DEFAULT_SERVICE_ENV_ADDITIONS)
-
- if expected_env:
- v3_default_service_env_additions.update(expected_env)
-
- super(v3CompositeFakeApp, self).__init__(
- v3_default_service_env_additions)
-
-
-class BaseAuthTokenMiddlewareTest(base.BaseAuthTokenTestCase):
- """Base test class for auth_token middleware.
-
- All the tests allow for running with auth_token
- configured for receiving v2 or v3 tokens, with the
- choice being made by passing configuration data into
- setUp().
-
- The base class will, by default, run all the tests
- expecting v2 token formats. Child classes can override
- this to specify, for instance, v3 format.
-
- """
- def setUp(self, expected_env=None, auth_version=None, fake_app=None):
- super(BaseAuthTokenMiddlewareTest, self).setUp()
-
- self.expected_env = expected_env or dict()
- self.fake_app = fake_app or FakeApp
- self.middleware = None
-
- signing_dir = self._setup_signing_directory()
-
- self.conf = {
- 'identity_uri': 'https://keystone.example.com:1234/testadmin/',
- 'signing_dir': signing_dir,
- 'auth_version': auth_version,
- 'auth_uri': 'https://keystone.example.com:1234',
- 'admin_user': uuid.uuid4().hex,
- }
-
- self.auth_version = auth_version
- self.response_status = None
- self.response_headers = None
-
- # NOTE(gyee): For this test suite and for the stable liberty branch
- # only, we will ignore deprecated calls that keystonemiddleware makes.
- warnings.filterwarnings('ignore', category=DeprecationWarning,
- module='^keystonemiddleware\\.')
-
- def call_middleware(self, **kwargs):
- return self.call(self.middleware, **kwargs)
-
- def _setup_signing_directory(self):
- directory_name = self.useFixture(fixtures.TempDir()).path
-
- # Copy the sample certificate files into the temporary directory.
- for filename in ['cacert.pem', 'signing_cert.pem', ]:
- shutil.copy2(os.path.join(client_fixtures.CERTDIR, filename),
- os.path.join(directory_name, filename))
-
- return directory_name
-
- def set_middleware(self, expected_env=None, conf=None):
- """Configure the class ready to call the auth_token middleware.
-
- Set up the various fake items needed to run the middleware.
- Individual tests that need to further refine these can call this
- function to override the class defaults.
-
- """
- if conf:
- self.conf.update(conf)
-
- if expected_env:
- self.expected_env.update(expected_env)
-
- self.middleware = auth_token.AuthProtocol(
- self.fake_app(self.expected_env), self.conf)
-
- self.middleware._revocations._list = jsonutils.dumps(
- {"revoked": [], "extra": "success"})
-
- def update_expected_env(self, expected_env={}):
- self.middleware._app.expected_env.update(expected_env)
-
- def purge_token_expected_env(self):
- for key in six.iterkeys(self.token_expected_env):
- del self.middleware._app.expected_env[key]
-
- def purge_service_token_expected_env(self):
- for key in six.iterkeys(self.service_token_expected_env):
- del self.middleware._app.expected_env[key]
-
- def assertLastPath(self, path):
- if path:
- self.assertEqual(BASE_URI + path,
- self.requests_mock.last_request.url)
- else:
- self.assertIsNone(self.requests_mock.last_request)
-
-
-class DiabloAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- """Auth Token middleware should understand Diablo keystone responses."""
- def setUp(self):
- # pre-diablo only had Tenant ID, which was also the Name
- expected_env = {
- 'HTTP_X_TENANT_ID': 'tenant_id1',
- 'HTTP_X_TENANT_NAME': 'tenant_id1',
- # now deprecated (diablo-compat)
- 'HTTP_X_TENANT': 'tenant_id1',
- }
-
- super(DiabloAuthTokenMiddlewareTest, self).setUp(
- expected_env=expected_env)
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v2,
- status_code=300)
-
- self.requests_mock.post("%s/v2.0/tokens" % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- self.token_id = self.examples.VALID_DIABLO_TOKEN
- token_response = self.examples.JSON_TOKEN_RESPONSES[self.token_id]
-
- url = "%s/v2.0/tokens/%s" % (BASE_URI, self.token_id)
- self.requests_mock.get(url, text=token_response)
-
- self.set_middleware()
-
- def test_valid_diablo_response(self):
- resp = self.call_middleware(headers={'X-Auth-Token': self.token_id})
- self.assertEqual(200, resp.status_int)
- self.assertIn('keystone.token_info', resp.request.environ)
-
-
-class NoMemcacheAuthToken(BaseAuthTokenMiddlewareTest):
- """These tests will not have the memcache module available."""
-
- def setUp(self):
- super(NoMemcacheAuthToken, self).setUp()
- self.useFixture(utils.DisableModuleFixture('memcache'))
-
- def test_nomemcache(self):
- conf = {
- 'admin_token': 'admin_token1',
- 'auth_host': 'keystone.example.com',
- 'auth_port': '1234',
- 'memcached_servers': ','.join(MEMCACHED_SERVERS),
- 'auth_uri': 'https://keystone.example.com:1234',
- }
-
- auth_token.AuthProtocol(FakeApp(), conf)
-
-
-class CachePoolTest(BaseAuthTokenMiddlewareTest):
- def test_use_cache_from_env(self):
- """If `swift.cache` is set in the environment and `cache` is set in the
- config then the env cache is used.
- """
- env = {'swift.cache': 'CACHE_TEST'}
- conf = {
- 'cache': 'swift.cache'
- }
- self.set_middleware(conf=conf)
- self.middleware._token_cache.initialize(env)
- with self.middleware._token_cache._cache_pool.reserve() as cache:
- self.assertEqual(cache, 'CACHE_TEST')
-
- def test_not_use_cache_from_env(self):
- """If `swift.cache` is set in the environment but `cache` isn't set in
- the config then the env cache isn't used.
- """
- self.set_middleware()
- env = {'swift.cache': 'CACHE_TEST'}
- self.middleware._token_cache.initialize(env)
- with self.middleware._token_cache._cache_pool.reserve() as cache:
- self.assertNotEqual(cache, 'CACHE_TEST')
-
- def test_multiple_context_managers_share_single_client(self):
- self.set_middleware()
- token_cache = self.middleware._token_cache
- env = {}
- token_cache.initialize(env)
-
- caches = []
-
- with token_cache._cache_pool.reserve() as cache:
- caches.append(cache)
-
- with token_cache._cache_pool.reserve() as cache:
- caches.append(cache)
-
- self.assertIs(caches[0], caches[1])
- self.assertEqual(set(caches), set(token_cache._cache_pool))
-
- def test_nested_context_managers_create_multiple_clients(self):
- self.set_middleware()
- env = {}
- self.middleware._token_cache.initialize(env)
- token_cache = self.middleware._token_cache
-
- with token_cache._cache_pool.reserve() as outer_cache:
- with token_cache._cache_pool.reserve() as inner_cache:
- self.assertNotEqual(outer_cache, inner_cache)
-
- self.assertEqual(
- set([inner_cache, outer_cache]),
- set(token_cache._cache_pool))
-
-
-class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
- """These tests are not affected by the token format
- (see CommonAuthTokenMiddlewareTest).
- """
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def test_token_is_v2_accepts_v2(self):
- token = self.examples.UUID_TOKEN_DEFAULT
- token_response = self.examples.TOKEN_RESPONSES[token]
- self.assertTrue(auth_token._token_is_v2(token_response))
-
- def test_token_is_v2_rejects_v3(self):
- token = self.examples.v3_UUID_TOKEN_DEFAULT
- token_response = self.examples.TOKEN_RESPONSES[token]
- self.assertFalse(auth_token._token_is_v2(token_response))
-
- def test_token_is_v3_rejects_v2(self):
- token = self.examples.UUID_TOKEN_DEFAULT
- token_response = self.examples.TOKEN_RESPONSES[token]
- self.assertFalse(auth_token._token_is_v3(token_response))
-
- def test_token_is_v3_accepts_v3(self):
- token = self.examples.v3_UUID_TOKEN_DEFAULT
- token_response = self.examples.TOKEN_RESPONSES[token]
- self.assertTrue(auth_token._token_is_v3(token_response))
-
- def test_fixed_cache_key_length(self):
- self.set_middleware()
- short_string = uuid.uuid4().hex
- long_string = 8 * uuid.uuid4().hex
-
- token_cache = self.middleware._token_cache
- hashed_short_string_key, context_ = token_cache._get_cache_key(
- short_string)
- hashed_long_string_key, context_ = token_cache._get_cache_key(
- long_string)
-
- # The hash keys should always match in length
- self.assertThat(hashed_short_string_key,
- matchers.HasLength(len(hashed_long_string_key)))
-
- @testtools.skipUnless(memcached_available(), 'memcached not available')
- def test_encrypt_cache_data(self):
- conf = {
- 'memcached_servers': ','.join(MEMCACHED_SERVERS),
- 'memcache_security_strategy': 'encrypt',
- 'memcache_secret_key': 'mysecret'
- }
- self.set_middleware(conf=conf)
- token = b'my_token'
- data = 'this_data'
- token_cache = self.middleware._token_cache
- token_cache.initialize({})
- token_cache._cache_store(token, data)
- self.assertEqual(token_cache.get(token), data)
-
- @testtools.skipUnless(memcached_available(), 'memcached not available')
- def test_sign_cache_data(self):
- conf = {
- 'memcached_servers': ','.join(MEMCACHED_SERVERS),
- 'memcache_security_strategy': 'mac',
- 'memcache_secret_key': 'mysecret'
- }
- self.set_middleware(conf=conf)
- token = b'my_token'
- data = 'this_data'
- token_cache = self.middleware._token_cache
- token_cache.initialize({})
- token_cache._cache_store(token, data)
- self.assertEqual(token_cache.get(token), data)
-
- @testtools.skipUnless(memcached_available(), 'memcached not available')
- def test_no_memcache_protection(self):
- conf = {
- 'memcached_servers': ','.join(MEMCACHED_SERVERS),
- 'memcache_secret_key': 'mysecret'
- }
- self.set_middleware(conf=conf)
- token = 'my_token'
- data = 'this_data'
- token_cache = self.middleware._token_cache
- token_cache.initialize({})
- token_cache._cache_store(token, data)
- self.assertEqual(token_cache.get(token), data)
-
- def test_assert_valid_memcache_protection_config(self):
- # test missing memcache_secret_key
- conf = {
- 'memcached_servers': ','.join(MEMCACHED_SERVERS),
- 'memcache_security_strategy': 'Encrypt'
- }
- self.assertRaises(exc.ConfigurationError, self.set_middleware,
- conf=conf)
- # test invalue memcache_security_strategy
- conf = {
- 'memcached_servers': ','.join(MEMCACHED_SERVERS),
- 'memcache_security_strategy': 'whatever'
- }
- self.assertRaises(exc.ConfigurationError, self.set_middleware,
- conf=conf)
- # test missing memcache_secret_key
- conf = {
- 'memcached_servers': ','.join(MEMCACHED_SERVERS),
- 'memcache_security_strategy': 'mac'
- }
- self.assertRaises(exc.ConfigurationError, self.set_middleware,
- conf=conf)
- conf = {
- 'memcached_servers': ','.join(MEMCACHED_SERVERS),
- 'memcache_security_strategy': 'Encrypt',
- 'memcache_secret_key': ''
- }
- self.assertRaises(exc.ConfigurationError, self.set_middleware,
- conf=conf)
- conf = {
- 'memcached_servers': ','.join(MEMCACHED_SERVERS),
- 'memcache_security_strategy': 'mAc',
- 'memcache_secret_key': ''
- }
- self.assertRaises(exc.ConfigurationError, self.set_middleware,
- conf=conf)
-
- def test_config_revocation_cache_timeout(self):
- conf = {
- 'revocation_cache_time': '24',
- 'auth_uri': 'https://keystone.example.com:1234',
- 'admin_user': uuid.uuid4().hex
- }
- middleware = auth_token.AuthProtocol(self.fake_app, conf)
- self.assertEqual(middleware._revocations._cache_timeout,
- datetime.timedelta(seconds=24))
-
- def test_conf_values_type_convert(self):
- conf = {
- 'revocation_cache_time': '24',
- 'identity_uri': 'https://keystone.example.com:1234',
- 'include_service_catalog': '0',
- 'nonexsit_option': '0',
- }
-
- middleware = auth_token.AuthProtocol(self.fake_app, conf)
- self.assertEqual(datetime.timedelta(seconds=24),
- middleware._revocations._cache_timeout)
- self.assertEqual(False, middleware._include_service_catalog)
- self.assertEqual('0', middleware._conf['nonexsit_option'])
-
- def test_deprecated_conf_values(self):
- conf = {
- 'memcache_servers': ','.join(MEMCACHED_SERVERS),
- }
-
- middleware = auth_token.AuthProtocol(self.fake_app, conf)
- self.assertEqual(MEMCACHED_SERVERS,
- middleware._conf_get('memcached_servers'))
-
- def test_conf_values_type_convert_with_wrong_value(self):
- conf = {
- 'include_service_catalog': '123',
- }
- self.assertRaises(exc.ConfigurationError,
- auth_token.AuthProtocol, self.fake_app, conf)
-
- def test_auth_region_name(self):
- token = fixture.V3Token()
-
- auth_url = 'http://keystone-auth.example.com:5000'
- east_url = 'http://keystone-east.example.com:5000'
- west_url = 'http://keystone-west.example.com:5000'
-
- auth_versions = fixture.DiscoveryList(href=auth_url)
- east_versions = fixture.DiscoveryList(href=east_url)
- west_versions = fixture.DiscoveryList(href=west_url)
-
- s = token.add_service('identity')
- s.add_endpoint(interface='admin', url=east_url, region='east')
- s.add_endpoint(interface='admin', url=west_url, region='west')
-
- self.requests_mock.get(auth_url, json=auth_versions)
- self.requests_mock.get(east_url, json=east_versions)
- self.requests_mock.get(west_url, json=west_versions)
-
- self.requests_mock.post(
- '%s/v3/auth/tokens' % auth_url,
- headers={'X-Subject-Token': uuid.uuid4().hex},
- json=token)
-
- east_mock = self.requests_mock.get(
- '%s/v3/auth/tokens' % east_url,
- headers={'X-Subject-Token': uuid.uuid4().hex},
- json=fixture.V3Token())
-
- west_mock = self.requests_mock.get(
- '%s/v3/auth/tokens' % west_url,
- headers={'X-Subject-Token': uuid.uuid4().hex},
- json=fixture.V3Token())
-
- conf = {'auth_uri': auth_url,
- 'auth_url': auth_url + '/v3',
- 'auth_plugin': 'v3password',
- 'username': 'user',
- 'password': 'pass'}
-
- self.assertEqual(0, east_mock.call_count)
- self.assertEqual(0, west_mock.call_count)
-
- east_app = self.create_simple_middleware(conf=dict(region_name='east',
- **conf))
- self.call(east_app, headers={'X-Auth-Token': uuid.uuid4().hex})
-
- self.assertEqual(1, east_mock.call_count)
- self.assertEqual(0, west_mock.call_count)
-
- west_app = self.create_simple_middleware(conf=dict(region_name='west',
- **conf))
-
- self.call(west_app, headers={'X-Auth-Token': uuid.uuid4().hex})
-
- self.assertEqual(1, east_mock.call_count)
- self.assertEqual(1, west_mock.call_count)
-
-
-class CommonAuthTokenMiddlewareTest(object):
- """These tests are run once using v2 tokens and again using v3 tokens."""
-
- def test_init_does_not_call_http(self):
- conf = {
- 'revocation_cache_time': '1'
- }
- self.create_simple_middleware(conf=conf)
- self.assertLastPath(None)
-
- def test_auth_with_no_token_does_not_call_http(self):
- middleware = self.create_simple_middleware()
- resp = self.call(middleware)
- self.assertLastPath(None)
- self.assertEqual(401, resp.status_int)
-
- def test_init_by_ipv6Addr_auth_host(self):
- del self.conf['identity_uri']
- conf = {
- 'auth_host': '2001:2013:1:f101::1',
- 'auth_port': '1234',
- 'auth_protocol': 'http',
- 'auth_uri': None,
- 'auth_version': 'v3.0',
- }
- middleware = self.create_simple_middleware(conf=conf)
- self.assertEqual('http://[2001:2013:1:f101::1]:1234',
- middleware._auth_uri)
-
- def assert_valid_request_200(self, token, with_catalog=True):
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(200, resp.status_int)
- if with_catalog:
- self.assertTrue(resp.request.headers.get('X-Service-Catalog'))
- else:
- self.assertNotIn('X-Service-Catalog', resp.request.headers)
- self.assertEqual(FakeApp.SUCCESS, resp.body)
- self.assertIn('keystone.token_info', resp.request.environ)
- return resp.request
-
- def test_valid_uuid_request(self):
- for _ in range(2): # Do it twice because first result was cached.
- token = self.token_dict['uuid_token_default']
- self.assert_valid_request_200(token)
- self.assert_valid_last_url(token)
-
- def test_valid_uuid_request_with_auth_fragments(self):
- del self.conf['identity_uri']
- self.conf['auth_protocol'] = 'https'
- self.conf['auth_host'] = 'keystone.example.com'
- self.conf['auth_port'] = '1234'
- self.conf['auth_admin_prefix'] = '/testadmin'
- self.set_middleware()
- self.assert_valid_request_200(self.token_dict['uuid_token_default'])
- self.assert_valid_last_url(self.token_dict['uuid_token_default'])
-
- def _test_cache_revoked(self, token, revoked_form=None):
- # When the token is cached and revoked, 401 is returned.
- self.middleware._check_revocations_for_cached = True
-
- # Token should be cached as ok after this.
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(200, resp.status_int)
-
- # Put it in revocation list.
- self.middleware._revocations._list = self.get_revocation_list_json(
- token_ids=[revoked_form or token])
-
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(401, resp.status_int)
-
- def test_cached_revoked_error(self):
- # When the token is cached and revocation list retrieval fails,
- # 503 is returned
- token = self.token_dict['uuid_token_default']
- self.middleware._check_revocations_for_cached = True
-
- # Token should be cached as ok after this.
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(200, resp.status_int)
-
- # Cause the revocation list to be fetched again next time so we can
- # test the case where that retrieval fails
- self.middleware._revocations._fetched_time = datetime.datetime.min
- with mock.patch.object(self.middleware._revocations, '_fetch',
- side_effect=exc.RevocationListError):
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(503, resp.status_int)
-
- def test_unexpected_exception_in_validate_offline(self):
- # When an unexpected exception is hit during _validate_offline,
- # 500 is returned
- token = self.token_dict['uuid_token_default']
- with mock.patch.object(self.middleware, '_validate_offline',
- side_effect=Exception):
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(500, resp.status_int)
-
- def test_cached_revoked_uuid(self):
- # When the UUID token is cached and revoked, 401 is returned.
- self._test_cache_revoked(self.token_dict['uuid_token_default'])
-
- def test_valid_signed_request(self):
- for _ in range(2): # Do it twice because first result was cached.
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped'])
- # ensure that signed requests do not generate HTTP traffic
- self.assertLastPath(None)
-
- def test_valid_signed_compressed_request(self):
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
- # ensure that signed requests do not generate HTTP traffic
- self.assertLastPath(None)
-
- def test_revoked_token_receives_401(self):
- self.middleware._revocations._list = (
- self.get_revocation_list_json())
-
- token = self.token_dict['revoked_token']
- resp = self.call_middleware(headers={'X-Auth-Token': token})
-
- self.assertEqual(401, resp.status_int)
-
- def test_revoked_token_receives_401_sha256(self):
- self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
- self.set_middleware()
- self.middleware._revocations._list = (
- self.get_revocation_list_json(mode='sha256'))
-
- token = self.token_dict['revoked_token']
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(401, resp.status_int)
-
- def test_cached_revoked_pki(self):
- # When the PKI token is cached and revoked, 401 is returned.
- token = self.token_dict['signed_token_scoped']
- revoked_form = cms.cms_hash_token(token)
- self._test_cache_revoked(token, revoked_form)
-
- def test_cached_revoked_pkiz(self):
- # When the PKIZ token is cached and revoked, 401 is returned.
- token = self.token_dict['signed_token_scoped_pkiz']
- revoked_form = cms.cms_hash_token(token)
- self._test_cache_revoked(token, revoked_form)
-
- def test_revoked_token_receives_401_md5_secondary(self):
- # When hash_algorithms has 'md5' as the secondary hash and the
- # revocation list contains the md5 hash for a token, that token is
- # considered revoked so returns 401.
- self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
- self.set_middleware()
- self.middleware._revocations._list = (
- self.get_revocation_list_json())
-
- token = self.token_dict['revoked_token']
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(401, resp.status_int)
-
- def _test_revoked_hashed_token(self, token_name):
- # If hash_algorithms is set as ['sha256', 'md5'],
- # and check_revocations_for_cached is True,
- # and a token is in the cache because it was successfully validated
- # using the md5 hash, then
- # if the token is in the revocation list by md5 hash, it'll be
- # rejected and auth_token returns 401.
- self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
- self.conf['check_revocations_for_cached'] = 'true'
- self.set_middleware()
-
- token = self.token_dict[token_name]
-
- # Put the token in the revocation list.
- token_hashed = cms.cms_hash_token(token)
- self.middleware._revocations._list = self.get_revocation_list_json(
- token_ids=[token_hashed])
-
- # First, request is using the hashed token, is valid so goes in
- # cache using the given hash.
- resp = self.call_middleware(headers={'X-Auth-Token': token_hashed})
- self.assertEqual(200, resp.status_int)
-
- # This time use the PKI(Z) token
- resp = self.call_middleware(headers={'X-Auth-Token': token})
-
- # Should find the token in the cache and revocation list.
- self.assertEqual(401, resp.status_int)
-
- def test_revoked_hashed_pki_token(self):
- self._test_revoked_hashed_token('signed_token_scoped')
-
- def test_revoked_hashed_pkiz_token(self):
- self._test_revoked_hashed_token('signed_token_scoped_pkiz')
-
- def test_revoked_pki_token_by_audit_id(self):
- # When the audit ID is in the revocation list, the token is invalid.
- self.set_middleware()
- token = self.token_dict['signed_token_scoped']
-
- # Put the token audit ID in the revocation list,
- # the entry will have a false token ID so the token ID doesn't match.
- fake_token_id = uuid.uuid4().hex
- # The audit_id value is in examples/pki/cms/auth_*_token_scoped.json.
- audit_id = 'SLIXlXQUQZWUi9VJrqdXqA'
- revocation_list_data = {
- 'revoked': [
- {
- 'id': fake_token_id,
- 'audit_id': audit_id
- },
- ]
- }
- self.middleware._revocations._list = jsonutils.dumps(
- revocation_list_data)
-
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(401, resp.status_int)
-
- def get_revocation_list_json(self, token_ids=None, mode=None):
- if token_ids is None:
- key = 'revoked_token_hash' + (('_' + mode) if mode else '')
- token_ids = [self.token_dict[key]]
- revocation_list = {'revoked': [{'id': x, 'expires': timeutils.utcnow()}
- for x in token_ids]}
- return jsonutils.dumps(revocation_list)
-
- def test_is_signed_token_revoked_returns_false(self):
- # explicitly setting an empty revocation list here to document intent
- self.middleware._revocations._list = jsonutils.dumps(
- {"revoked": [], "extra": "success"})
- result = self.middleware._revocations._any_revoked(
- [self.token_dict['revoked_token_hash']])
- self.assertFalse(result)
-
- def test_is_signed_token_revoked_returns_true(self):
- self.middleware._revocations._list = (
- self.get_revocation_list_json())
- result = self.middleware._revocations._any_revoked(
- [self.token_dict['revoked_token_hash']])
- self.assertTrue(result)
-
- def test_is_signed_token_revoked_returns_true_sha256(self):
- self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
- self.set_middleware()
- self.middleware._revocations._list = (
- self.get_revocation_list_json(mode='sha256'))
- result = self.middleware._revocations._any_revoked(
- [self.token_dict['revoked_token_hash_sha256']])
- self.assertTrue(result)
-
- def test_verify_signed_token_raises_exception_for_revoked_token(self):
- self.middleware._revocations._list = (
- self.get_revocation_list_json())
- self.assertRaises(exc.InvalidToken,
- self.middleware._verify_signed_token,
- self.token_dict['revoked_token'],
- [self.token_dict['revoked_token_hash']])
-
- def test_verify_signed_token_raises_exception_for_revoked_token_s256(self):
- self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
- self.set_middleware()
- self.middleware._revocations._list = (
- self.get_revocation_list_json(mode='sha256'))
- self.assertRaises(exc.InvalidToken,
- self.middleware._verify_signed_token,
- self.token_dict['revoked_token'],
- [self.token_dict['revoked_token_hash_sha256'],
- self.token_dict['revoked_token_hash']])
-
- def test_verify_signed_token_raises_exception_for_revoked_pkiz_token(self):
- self.middleware._revocations._list = (
- self.examples.REVOKED_TOKEN_PKIZ_LIST_JSON)
- self.assertRaises(exc.InvalidToken,
- self.middleware._verify_pkiz_token,
- self.token_dict['revoked_token_pkiz'],
- [self.token_dict['revoked_token_pkiz_hash']])
-
- def assertIsValidJSON(self, text):
- json.loads(text)
-
- def test_verify_signed_token_succeeds_for_unrevoked_token(self):
- self.middleware._revocations._list = (
- self.get_revocation_list_json())
- text = self.middleware._verify_signed_token(
- self.token_dict['signed_token_scoped'],
- [self.token_dict['signed_token_scoped_hash']])
- self.assertIsValidJSON(text)
-
- def test_verify_signed_compressed_token_succeeds_for_unrevoked_token(self):
- self.middleware._revocations._list = (
- self.get_revocation_list_json())
- text = self.middleware._verify_pkiz_token(
- self.token_dict['signed_token_scoped_pkiz'],
- [self.token_dict['signed_token_scoped_hash']])
- self.assertIsValidJSON(text)
-
- def test_verify_signed_token_succeeds_for_unrevoked_token_sha256(self):
- self.conf['hash_algorithms'] = ','.join(['sha256', 'md5'])
- self.set_middleware()
- self.middleware._revocations._list = (
- self.get_revocation_list_json(mode='sha256'))
- text = self.middleware._verify_signed_token(
- self.token_dict['signed_token_scoped'],
- [self.token_dict['signed_token_scoped_hash_sha256'],
- self.token_dict['signed_token_scoped_hash']])
- self.assertIsValidJSON(text)
-
- def test_get_token_revocation_list_fetched_time_returns_min(self):
- self.middleware._revocations._fetched_time = None
-
- # Get rid of the revoked file
- revoked_path = self.middleware._signing_directory.calc_path(
- _revocations.Revocations._FILE_NAME)
- os.remove(revoked_path)
-
- self.assertEqual(self.middleware._revocations._fetched_time,
- datetime.datetime.min)
-
- # FIXME(blk-u): move the unit tests into unit/test_auth_token.py
- def test_get_token_revocation_list_fetched_time_returns_mtime(self):
- self.middleware._revocations._fetched_time = None
- revoked_path = self.middleware._signing_directory.calc_path(
- _revocations.Revocations._FILE_NAME)
- mtime = os.path.getmtime(revoked_path)
- fetched_time = datetime.datetime.utcfromtimestamp(mtime)
- self.assertEqual(fetched_time,
- self.middleware._revocations._fetched_time)
-
- @testtools.skipUnless(TimezoneFixture.supported(),
- 'TimezoneFixture not supported')
- def test_get_token_revocation_list_fetched_time_returns_utc(self):
- with TimezoneFixture('UTC-1'):
- self.middleware._revocations._list = jsonutils.dumps(
- self.examples.REVOCATION_LIST)
- self.middleware._revocations._fetched_time = None
- fetched_time = self.middleware._revocations._fetched_time
- self.assertTrue(timeutils.is_soon(fetched_time, 1))
-
- def test_get_token_revocation_list_fetched_time_returns_value(self):
- expected = self.middleware._revocations._fetched_time
- self.assertEqual(self.middleware._revocations._fetched_time,
- expected)
-
- def test_get_revocation_list_returns_fetched_list(self):
- # auth_token uses v2 to fetch this, so don't allow the v3
- # tests to override the fake http connection
- self.middleware._revocations._fetched_time = None
-
- # Get rid of the revoked file
- revoked_path = self.middleware._signing_directory.calc_path(
- _revocations.Revocations._FILE_NAME)
- os.remove(revoked_path)
-
- self.assertEqual(self.middleware._revocations._list,
- self.examples.REVOCATION_LIST)
-
- def test_get_revocation_list_returns_current_list_from_memory(self):
- self.assertEqual(self.middleware._revocations._list,
- self.middleware._revocations._list_prop)
-
- def test_get_revocation_list_returns_current_list_from_disk(self):
- in_memory_list = self.middleware._revocations._list
- self.middleware._revocations._list_prop = None
- self.assertEqual(self.middleware._revocations._list,
- in_memory_list)
-
- def test_invalid_revocation_list_raises_error(self):
- self.requests_mock.get(self.revocation_url, json={})
- self.assertRaises(exc.RevocationListError,
- self.middleware._revocations._fetch)
-
- def test_fetch_revocation_list(self):
- # auth_token uses v2 to fetch this, so don't allow the v3
- # tests to override the fake http connection
- fetched = jsonutils.loads(self.middleware._revocations._fetch())
- self.assertEqual(fetched, self.examples.REVOCATION_LIST)
-
- def test_request_invalid_uuid_token(self):
- # remember because we are testing the middleware we stub the connection
- # to the keystone server, but this is not what gets returned
- invalid_uri = "%s/v2.0/tokens/invalid-token" % BASE_URI
- self.requests_mock.get(invalid_uri, status_code=404)
-
- resp = self.call_middleware(headers={'X-Auth-Token': 'invalid-token'})
- self.assertEqual(401, resp.status_int)
- self.assertEqual("Keystone uri='https://keystone.example.com:1234'",
- resp.headers['WWW-Authenticate'])
-
- def test_request_invalid_signed_token(self):
- token = self.examples.INVALID_SIGNED_TOKEN
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(401, resp.status_int)
- self.assertEqual("Keystone uri='https://keystone.example.com:1234'",
- resp.headers['WWW-Authenticate'])
-
- def test_request_invalid_signed_pkiz_token(self):
- token = self.examples.INVALID_SIGNED_PKIZ_TOKEN
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(401, resp.status_int)
- self.assertEqual("Keystone uri='https://keystone.example.com:1234'",
- resp.headers['WWW-Authenticate'])
-
- def test_request_no_token(self):
- resp = self.call_middleware()
- self.assertEqual(401, resp.status_int)
- self.assertEqual("Keystone uri='https://keystone.example.com:1234'",
- resp.headers['WWW-Authenticate'])
-
- def test_request_no_token_http(self):
- resp = self.call_middleware(method='HEAD')
- self.assertEqual(401, resp.status_int)
- self.assertEqual("Keystone uri='https://keystone.example.com:1234'",
- resp.headers['WWW-Authenticate'])
-
- def test_request_blank_token(self):
- resp = self.call_middleware(headers={'X-Auth-Token': ''})
- self.assertEqual(401, resp.status_int)
- self.assertEqual("Keystone uri='https://keystone.example.com:1234'",
- resp.headers['WWW-Authenticate'])
-
- def _get_cached_token(self, token, mode='md5'):
- token_id = cms.cms_hash_token(token, mode=mode)
- return self.middleware._token_cache.get(token_id)
-
- def test_memcache(self):
- token = self.token_dict['signed_token_scoped']
- self.call_middleware(headers={'X-Auth-Token': token})
- self.assertIsNotNone(self._get_cached_token(token))
-
- def test_expired(self):
- token = self.token_dict['signed_token_scoped_expired']
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(401, resp.status_int)
-
- def test_memcache_set_invalid_uuid(self):
- invalid_uri = "%s/v2.0/tokens/invalid-token" % BASE_URI
- self.requests_mock.get(invalid_uri, status_code=404)
-
- token = 'invalid-token'
- self.call_middleware(headers={'X-Auth-Token': token})
- self.assertRaises(exc.InvalidToken, self._get_cached_token, token)
-
- def test_memcache_set_expired(self, extra_conf={}, extra_environ={}):
- token_cache_time = 10
- conf = {
- 'token_cache_time': '%s' % token_cache_time,
- }
- conf.update(extra_conf)
- self.set_middleware(conf=conf)
-
- token = self.token_dict['signed_token_scoped']
- self.call_middleware(headers={'X-Auth-Token': token})
-
- req = webob.Request.blank('/')
- req.headers['X-Auth-Token'] = token
- req.environ.update(extra_environ)
-
- now = datetime.datetime.utcnow()
- self.useFixture(TimeFixture(now))
- req.get_response(self.middleware)
- self.assertIsNotNone(self._get_cached_token(token))
-
- timeutils.advance_time_seconds(token_cache_time)
- self.assertIsNone(self._get_cached_token(token))
-
- def test_swift_memcache_set_expired(self):
- extra_conf = {'cache': 'swift.cache'}
- extra_environ = {'swift.cache': memorycache.Client()}
- self.test_memcache_set_expired(extra_conf, extra_environ)
-
- def test_http_error_not_cached_token(self):
- """Test to don't cache token as invalid on network errors.
-
- We use UUID tokens since they are the easiest one to reach
- get_http_connection.
- """
- self.middleware._http_request_max_retries = 0
- self.call_middleware(headers={'X-Auth-Token': ERROR_TOKEN})
- self.assertIsNone(self._get_cached_token(ERROR_TOKEN))
- self.assert_valid_last_url(ERROR_TOKEN)
-
- def test_http_request_max_retries(self):
- times_retry = 10
-
- conf = {'http_request_max_retries': '%s' % times_retry}
- self.set_middleware(conf=conf)
-
- with mock.patch('time.sleep') as mock_obj:
- self.call_middleware(headers={'X-Auth-Token': ERROR_TOKEN})
-
- self.assertEqual(mock_obj.call_count, times_retry)
-
- def test_nocatalog(self):
- conf = {
- 'include_service_catalog': 'False'
- }
- self.set_middleware(conf=conf)
- self.assert_valid_request_200(self.token_dict['uuid_token_default'],
- with_catalog=False)
-
- def assert_kerberos_bind(self, token, bind_level,
- use_kerberos=True, success=True):
- conf = {
- 'enforce_token_bind': bind_level,
- 'auth_version': self.auth_version,
- }
- self.set_middleware(conf=conf)
-
- req = webob.Request.blank('/')
- req.headers['X-Auth-Token'] = token
-
- if use_kerberos:
- if use_kerberos is True:
- req.environ['REMOTE_USER'] = self.examples.KERBEROS_BIND
- else:
- req.environ['REMOTE_USER'] = use_kerberos
-
- req.environ['AUTH_TYPE'] = 'Negotiate'
-
- resp = req.get_response(self.middleware)
-
- if success:
- self.assertEqual(200, resp.status_int)
- self.assertEqual(FakeApp.SUCCESS, resp.body)
- self.assertIn('keystone.token_info', req.environ)
- self.assert_valid_last_url(token)
- else:
- self.assertEqual(401, resp.status_int)
- msg = "Keystone uri='https://keystone.example.com:1234'"
- self.assertEqual(msg, resp.headers['WWW-Authenticate'])
-
- def test_uuid_bind_token_disabled_with_kerb_user(self):
- for use_kerberos in [True, False]:
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='disabled',
- use_kerberos=use_kerberos,
- success=True)
-
- def test_uuid_bind_token_disabled_with_incorrect_ticket(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='kerberos',
- use_kerberos='ronald@MCDONALDS.COM',
- success=False)
-
- def test_uuid_bind_token_permissive_with_kerb_user(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='permissive',
- use_kerberos=True,
- success=True)
-
- def test_uuid_bind_token_permissive_without_kerb_user(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='permissive',
- use_kerberos=False,
- success=False)
-
- def test_uuid_bind_token_permissive_with_unknown_bind(self):
- token = self.token_dict['uuid_token_unknown_bind']
-
- for use_kerberos in [True, False]:
- self.assert_kerberos_bind(token,
- bind_level='permissive',
- use_kerberos=use_kerberos,
- success=True)
-
- def test_uuid_bind_token_permissive_with_incorrect_ticket(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='kerberos',
- use_kerberos='ronald@MCDONALDS.COM',
- success=False)
-
- def test_uuid_bind_token_strict_with_kerb_user(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='strict',
- use_kerberos=True,
- success=True)
-
- def test_uuid_bind_token_strict_with_kerbout_user(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='strict',
- use_kerberos=False,
- success=False)
-
- def test_uuid_bind_token_strict_with_unknown_bind(self):
- token = self.token_dict['uuid_token_unknown_bind']
-
- for use_kerberos in [True, False]:
- self.assert_kerberos_bind(token,
- bind_level='strict',
- use_kerberos=use_kerberos,
- success=False)
-
- def test_uuid_bind_token_required_with_kerb_user(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='required',
- use_kerberos=True,
- success=True)
-
- def test_uuid_bind_token_required_without_kerb_user(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='required',
- use_kerberos=False,
- success=False)
-
- def test_uuid_bind_token_required_with_unknown_bind(self):
- token = self.token_dict['uuid_token_unknown_bind']
-
- for use_kerberos in [True, False]:
- self.assert_kerberos_bind(token,
- bind_level='required',
- use_kerberos=use_kerberos,
- success=False)
-
- def test_uuid_bind_token_required_without_bind(self):
- for use_kerberos in [True, False]:
- self.assert_kerberos_bind(self.token_dict['uuid_token_default'],
- bind_level='required',
- use_kerberos=use_kerberos,
- success=False)
-
- def test_uuid_bind_token_named_kerberos_with_kerb_user(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='kerberos',
- use_kerberos=True,
- success=True)
-
- def test_uuid_bind_token_named_kerberos_without_kerb_user(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='kerberos',
- use_kerberos=False,
- success=False)
-
- def test_uuid_bind_token_named_kerberos_with_unknown_bind(self):
- token = self.token_dict['uuid_token_unknown_bind']
-
- for use_kerberos in [True, False]:
- self.assert_kerberos_bind(token,
- bind_level='kerberos',
- use_kerberos=use_kerberos,
- success=False)
-
- def test_uuid_bind_token_named_kerberos_without_bind(self):
- for use_kerberos in [True, False]:
- self.assert_kerberos_bind(self.token_dict['uuid_token_default'],
- bind_level='kerberos',
- use_kerberos=use_kerberos,
- success=False)
-
- def test_uuid_bind_token_named_kerberos_with_incorrect_ticket(self):
- self.assert_kerberos_bind(self.token_dict['uuid_token_bind'],
- bind_level='kerberos',
- use_kerberos='ronald@MCDONALDS.COM',
- success=False)
-
- def test_uuid_bind_token_with_unknown_named_FOO(self):
- token = self.token_dict['uuid_token_bind']
-
- for use_kerberos in [True, False]:
- self.assert_kerberos_bind(token,
- bind_level='FOO',
- use_kerberos=use_kerberos,
- success=False)
-
- def test_caching_token_on_verify(self):
- # When the token is cached it isn't cached again when it's verified.
-
- # The token cache has to be initialized with our cache instance.
- self.middleware._token_cache._env_cache_name = 'cache'
- cache = memorycache.Client()
- self.middleware._token_cache.initialize(env={'cache': cache})
-
- # Mock cache.set since then the test can verify call_count.
- orig_cache_set = cache.set
- cache.set = mock.Mock(side_effect=orig_cache_set)
-
- token = self.token_dict['signed_token_scoped']
-
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(200, resp.status_int)
-
- self.assertThat(1, matchers.Equals(cache.set.call_count))
-
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(200, resp.status_int)
-
- # Assert that the token wasn't cached again.
- self.assertThat(1, matchers.Equals(cache.set.call_count))
-
- def test_auth_plugin(self):
-
- for service_url in (self.examples.UNVERSIONED_SERVICE_URL,
- self.examples.SERVICE_URL):
- self.requests_mock.get(service_url,
- json=VERSION_LIST_v3,
- status_code=300)
-
- token = self.token_dict['uuid_token_default']
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(200, resp.status_int)
- self.assertEqual(FakeApp.SUCCESS, resp.body)
-
- token_auth = resp.request.environ['keystone.token_auth']
- endpoint_filter = {'service_type': self.examples.SERVICE_TYPE,
- 'version': 3}
-
- url = token_auth.get_endpoint(session.Session(), **endpoint_filter)
- self.assertEqual('%s/v3' % BASE_URI, url)
-
- self.assertTrue(token_auth.has_user_token)
- self.assertFalse(token_auth.has_service_token)
- self.assertIsNone(token_auth.service)
-
- def test_doesnt_auto_set_content_type(self):
- # webob will set content_type = 'text/html' by default if nothing is
- # provided. We don't want our middleware messing with the content type
- # of the underlying applications.
-
- text = uuid.uuid4().hex
-
- def _middleware(environ, start_response):
- start_response(200, [])
- return text
-
- def _start_response(status_code, headerlist, exc_info=None):
- self.assertIn('200', status_code) # will be '200 OK'
- self.assertEqual([], headerlist)
-
- m = auth_token.AuthProtocol(_middleware, self.conf)
-
- env = {'REQUEST_METHOD': 'GET',
- 'HTTP_X_AUTH_TOKEN': self.token_dict['uuid_token_default']}
-
- r = m(env, _start_response)
- self.assertEqual(text, r)
-
-
-class V2CertDownloadMiddlewareTest(BaseAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def __init__(self, *args, **kwargs):
- super(V2CertDownloadMiddlewareTest, self).__init__(*args, **kwargs)
- self.auth_version = 'v2.0'
- self.fake_app = None
- self.ca_path = '/v2.0/certificates/ca'
- self.signing_path = '/v2.0/certificates/signing'
-
- def setUp(self):
- super(V2CertDownloadMiddlewareTest, self).setUp(
- auth_version=self.auth_version,
- fake_app=self.fake_app)
- self.base_dir = tempfile.mkdtemp()
- self.addCleanup(shutil.rmtree, self.base_dir)
- self.cert_dir = os.path.join(self.base_dir, 'certs')
- os.makedirs(self.cert_dir, stat.S_IRWXU)
- conf = {
- 'signing_dir': self.cert_dir,
- 'auth_version': self.auth_version,
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v3,
- status_code=300)
-
- self.set_middleware(conf=conf)
-
- # Usually we supply a signed_dir with pre-installed certificates,
- # so invocation of /usr/bin/openssl succeeds. This time we give it
- # an empty directory, so it fails.
- def test_request_no_token_dummy(self):
- cms._ensure_subprocess()
-
- self.requests_mock.get('%s%s' % (BASE_URI, self.ca_path),
- status_code=404)
- self.requests_mock.get('%s%s' % (BASE_URI, self.signing_path),
- status_code=404)
- self.assertRaises(exceptions.CertificateConfigError,
- self.middleware._verify_signed_token,
- self.examples.SIGNED_TOKEN_SCOPED,
- [self.examples.SIGNED_TOKEN_SCOPED_HASH])
-
- def test_fetch_signing_cert(self):
- data = 'FAKE CERT'
- url = "%s%s" % (BASE_URI, self.signing_path)
- self.requests_mock.get(url, text=data)
- self.middleware._fetch_signing_cert()
-
- signing_cert_path = self.middleware._signing_directory.calc_path(
- self.middleware._SIGNING_CERT_FILE_NAME)
- with open(signing_cert_path, 'r') as f:
- self.assertEqual(f.read(), data)
-
- self.assertEqual(url, self.requests_mock.last_request.url)
-
- def test_fetch_signing_ca(self):
- data = 'FAKE CA'
- url = "%s%s" % (BASE_URI, self.ca_path)
- self.requests_mock.get(url, text=data)
- self.middleware._fetch_ca_cert()
-
- ca_file_path = self.middleware._signing_directory.calc_path(
- self.middleware._SIGNING_CA_FILE_NAME)
- with open(ca_file_path, 'r') as f:
- self.assertEqual(f.read(), data)
-
- self.assertEqual(url, self.requests_mock.last_request.url)
-
- def test_prefix_trailing_slash(self):
- del self.conf['identity_uri']
- self.conf['auth_protocol'] = 'https'
- self.conf['auth_host'] = 'keystone.example.com'
- self.conf['auth_port'] = '1234'
- self.conf['auth_admin_prefix'] = '/newadmin/'
-
- base_url = '%s/newadmin' % BASE_HOST
- ca_url = "%s%s" % (base_url, self.ca_path)
- signing_url = "%s%s" % (base_url, self.signing_path)
-
- self.requests_mock.get(base_url,
- json=VERSION_LIST_v3,
- status_code=300)
- self.requests_mock.get(ca_url, text='FAKECA')
- self.requests_mock.get(signing_url, text='FAKECERT')
-
- self.set_middleware(conf=self.conf)
-
- self.middleware._fetch_ca_cert()
- self.assertEqual(ca_url, self.requests_mock.last_request.url)
-
- self.middleware._fetch_signing_cert()
- self.assertEqual(signing_url, self.requests_mock.last_request.url)
-
- def test_without_prefix(self):
- del self.conf['identity_uri']
- self.conf['auth_protocol'] = 'https'
- self.conf['auth_host'] = 'keystone.example.com'
- self.conf['auth_port'] = '1234'
- self.conf['auth_admin_prefix'] = ''
-
- ca_url = "%s%s" % (BASE_HOST, self.ca_path)
- signing_url = "%s%s" % (BASE_HOST, self.signing_path)
-
- self.requests_mock.get(BASE_HOST,
- json=VERSION_LIST_v3,
- status_code=300)
- self.requests_mock.get(ca_url, text='FAKECA')
- self.requests_mock.get(signing_url, text='FAKECERT')
-
- self.set_middleware(conf=self.conf)
-
- self.middleware._fetch_ca_cert()
- self.assertEqual(ca_url, self.requests_mock.last_request.url)
-
- self.middleware._fetch_signing_cert()
- self.assertEqual(signing_url, self.requests_mock.last_request.url)
-
-
-class V3CertDownloadMiddlewareTest(V2CertDownloadMiddlewareTest):
-
- def __init__(self, *args, **kwargs):
- super(V3CertDownloadMiddlewareTest, self).__init__(*args, **kwargs)
- self.auth_version = 'v3.0'
- self.fake_app = v3FakeApp
- self.ca_path = '/v3/OS-SIMPLE-CERT/ca'
- self.signing_path = '/v3/OS-SIMPLE-CERT/certificates'
-
-
-def network_error_response(request, context):
- raise exceptions.ConnectionRefused("Network connection refused.")
-
-
-class v2AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
- CommonAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
- """v2 token specific tests.
-
- There are some differences between how the auth-token middleware handles
- v2 and v3 tokens over and above the token formats, namely:
-
- - A v3 keystone server will auto scope a token to a user's default project
- if no scope is specified. A v2 server assumes that the auth-token
- middleware will do that.
- - A v2 keystone server may issue a token without a catalog, even with a
- tenant
-
- The tests below were originally part of the generic AuthTokenMiddlewareTest
- class, but now, since they really are v2 specific, they are included here.
-
- """
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def setUp(self):
- super(v2AuthTokenMiddlewareTest, self).setUp()
-
- self.token_dict = {
- 'uuid_token_default': self.examples.UUID_TOKEN_DEFAULT,
- 'uuid_token_unscoped': self.examples.UUID_TOKEN_UNSCOPED,
- 'uuid_token_bind': self.examples.UUID_TOKEN_BIND,
- 'uuid_token_unknown_bind': self.examples.UUID_TOKEN_UNKNOWN_BIND,
- 'signed_token_scoped': self.examples.SIGNED_TOKEN_SCOPED,
- 'signed_token_scoped_pkiz': self.examples.SIGNED_TOKEN_SCOPED_PKIZ,
- 'signed_token_scoped_hash': self.examples.SIGNED_TOKEN_SCOPED_HASH,
- 'signed_token_scoped_hash_sha256':
- self.examples.SIGNED_TOKEN_SCOPED_HASH_SHA256,
- 'signed_token_scoped_expired':
- self.examples.SIGNED_TOKEN_SCOPED_EXPIRED,
- 'revoked_token': self.examples.REVOKED_TOKEN,
- 'revoked_token_pkiz': self.examples.REVOKED_TOKEN_PKIZ,
- 'revoked_token_pkiz_hash':
- self.examples.REVOKED_TOKEN_PKIZ_HASH,
- 'revoked_token_hash': self.examples.REVOKED_TOKEN_HASH,
- 'revoked_token_hash_sha256':
- self.examples.REVOKED_TOKEN_HASH_SHA256,
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v2,
- status_code=300)
-
- self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- self.revocation_url = '%s/v2.0/tokens/revoked' % BASE_URI
- self.requests_mock.get(self.revocation_url,
- text=self.examples.SIGNED_REVOCATION_LIST)
-
- for token in (self.examples.UUID_TOKEN_DEFAULT,
- self.examples.UUID_TOKEN_UNSCOPED,
- self.examples.UUID_TOKEN_BIND,
- self.examples.UUID_TOKEN_UNKNOWN_BIND,
- self.examples.UUID_TOKEN_NO_SERVICE_CATALOG,
- self.examples.SIGNED_TOKEN_SCOPED_KEY,
- self.examples.SIGNED_TOKEN_SCOPED_PKIZ_KEY,):
- url = "%s/v2.0/tokens/%s" % (BASE_URI, token)
- text = self.examples.JSON_TOKEN_RESPONSES[token]
- self.requests_mock.get(url, text=text)
-
- url = '%s/v2.0/tokens/%s' % (BASE_URI, ERROR_TOKEN)
- self.requests_mock.get(url, text=network_error_response)
-
- self.set_middleware()
-
- def assert_unscoped_default_tenant_auto_scopes(self, token):
- """Unscoped v2 requests with a default tenant should "auto-scope."
-
- The implied scope is the user's tenant ID.
-
- """
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(200, resp.status_int)
- self.assertEqual(FakeApp.SUCCESS, resp.body)
- self.assertIn('keystone.token_info', resp.request.environ)
-
- def assert_valid_last_url(self, token_id):
- self.assertLastPath("/v2.0/tokens/%s" % token_id)
-
- def test_default_tenant_uuid_token(self):
- self.assert_unscoped_default_tenant_auto_scopes(
- self.examples.UUID_TOKEN_DEFAULT)
-
- def test_default_tenant_signed_token(self):
- self.assert_unscoped_default_tenant_auto_scopes(
- self.examples.SIGNED_TOKEN_SCOPED)
-
- def assert_unscoped_token_receives_401(self, token):
- """Unscoped requests with no default tenant ID should be rejected."""
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(401, resp.status_int)
- self.assertEqual("Keystone uri='https://keystone.example.com:1234'",
- resp.headers['WWW-Authenticate'])
-
- def test_unscoped_uuid_token_receives_401(self):
- self.assert_unscoped_token_receives_401(
- self.examples.UUID_TOKEN_UNSCOPED)
-
- def test_unscoped_pki_token_receives_401(self):
- self.assert_unscoped_token_receives_401(
- self.examples.SIGNED_TOKEN_UNSCOPED)
-
- def test_request_prevent_service_catalog_injection(self):
- token = self.examples.UUID_TOKEN_NO_SERVICE_CATALOG
- resp = self.call_middleware(headers={'X-Service-Catalog': '[]',
- 'X-Auth-Token': token})
-
- self.assertEqual(200, resp.status_int)
- self.assertFalse(resp.request.headers.get('X-Service-Catalog'))
- self.assertEqual(FakeApp.SUCCESS, resp.body)
-
- def test_user_plugin_token_properties(self):
- token = self.examples.UUID_TOKEN_DEFAULT
- token_data = self.examples.TOKEN_RESPONSES[token]
-
- resp = self.call_middleware(headers={'X-Service-Catalog': '[]',
- 'X-Auth-Token': token,
- 'X-Service-Token': token})
-
- self.assertEqual(200, resp.status_int)
- self.assertEqual(FakeApp.SUCCESS, resp.body)
-
- token_auth = resp.request.environ['keystone.token_auth']
-
- self.assertTrue(token_auth.has_user_token)
- self.assertTrue(token_auth.has_service_token)
-
- for t in [token_auth.user, token_auth.service]:
- self.assertEqual(token_data.user_id, t.user_id)
- self.assertEqual(token_data.tenant_id, t.project_id)
-
- self.assertThat(t.role_names, matchers.HasLength(2))
- self.assertIn('role1', t.role_names)
- self.assertIn('role2', t.role_names)
-
- self.assertIsNone(t.trust_id)
- self.assertIsNone(t.user_domain_id)
- self.assertIsNone(t.project_domain_id)
-
-
-class CrossVersionAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def test_valid_uuid_request_forced_to_2_0(self):
- """Test forcing auth_token to use lower api version.
-
- By installing the v3 http hander, auth_token will be get
- a version list that looks like a v3 server - from which it
- would normally chose v3.0 as the auth version. However, here
- we specify v2.0 in the configuration - which should force
- auth_token to use that version instead.
-
- """
- conf = {
- 'auth_version': 'v2.0'
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v3,
- status_code=300)
-
- self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- token = self.examples.UUID_TOKEN_DEFAULT
- url = "%s/v2.0/tokens/%s" % (BASE_URI, token)
- text = self.examples.JSON_TOKEN_RESPONSES[token]
- self.requests_mock.get(url, text=text)
-
- self.set_middleware(conf=conf)
-
- # This tests will only work is auth_token has chosen to use the
- # lower, v2, api version
- resp = self.call_middleware(headers={'X-Auth-Token': token})
- self.assertEqual(200, resp.status_int)
- self.assertEqual(url, self.requests_mock.last_request.url)
-
-
-class v3AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
- CommonAuthTokenMiddlewareTest,
- testresources.ResourcedTestCase):
- """Test auth_token middleware with v3 tokens.
-
- Re-execute the AuthTokenMiddlewareTest class tests, but with the
- auth_token middleware configured to expect v3 tokens back from
- a keystone server.
-
- This is done by configuring the AuthTokenMiddlewareTest class via
- its Setup(), passing in v3 style data that will then be used by
- the tests themselves. This approach has been used to ensure we
- really are running the same tests for both v2 and v3 tokens.
-
- There a few additional specific test for v3 only:
-
- - We allow an unscoped token to be validated (as unscoped), where
- as for v2 tokens, the auth_token middleware is expected to try and
- auto-scope it (and fail if there is no default tenant)
- - Domain scoped tokens
-
- Since we don't specify an auth version for auth_token to use, by
- definition we are thefore implicitely testing that it will use
- the highest available auth version, i.e. v3.0
-
- """
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def setUp(self):
- super(v3AuthTokenMiddlewareTest, self).setUp(
- auth_version='v3.0',
- fake_app=v3FakeApp)
-
- self.token_dict = {
- 'uuid_token_default': self.examples.v3_UUID_TOKEN_DEFAULT,
- 'uuid_token_unscoped': self.examples.v3_UUID_TOKEN_UNSCOPED,
- 'uuid_token_bind': self.examples.v3_UUID_TOKEN_BIND,
- 'uuid_token_unknown_bind':
- self.examples.v3_UUID_TOKEN_UNKNOWN_BIND,
- 'signed_token_scoped': self.examples.SIGNED_v3_TOKEN_SCOPED,
- 'signed_token_scoped_pkiz':
- self.examples.SIGNED_v3_TOKEN_SCOPED_PKIZ,
- 'signed_token_scoped_hash':
- self.examples.SIGNED_v3_TOKEN_SCOPED_HASH,
- 'signed_token_scoped_hash_sha256':
- self.examples.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256,
- 'signed_token_scoped_expired':
- self.examples.SIGNED_TOKEN_SCOPED_EXPIRED,
- 'revoked_token': self.examples.REVOKED_v3_TOKEN,
- 'revoked_token_pkiz': self.examples.REVOKED_v3_TOKEN_PKIZ,
- 'revoked_token_hash': self.examples.REVOKED_v3_TOKEN_HASH,
- 'revoked_token_hash_sha256':
- self.examples.REVOKED_v3_TOKEN_HASH_SHA256,
- 'revoked_token_pkiz_hash':
- self.examples.REVOKED_v3_PKIZ_TOKEN_HASH,
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v3,
- status_code=300)
-
- # TODO(jamielennox): auth_token middleware uses a v2 admin token
- # regardless of the auth_version that is set.
- self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- self.revocation_url = '%s/v3/auth/tokens/OS-PKI/revoked' % BASE_URI
- self.requests_mock.get(self.revocation_url,
- text=self.examples.SIGNED_REVOCATION_LIST)
-
- self.requests_mock.get('%s/v3/auth/tokens' % BASE_URI,
- text=self.token_response,
- headers={'X-Subject-Token': uuid.uuid4().hex})
-
- self.set_middleware()
-
- def token_response(self, request, context):
- auth_id = request.headers.get('X-Auth-Token')
- token_id = request.headers.get('X-Subject-Token')
- self.assertEqual(auth_id, FAKE_ADMIN_TOKEN_ID)
-
- if token_id == ERROR_TOKEN:
- raise exceptions.ConnectionRefused("Network connection refused.")
-
- try:
- response = self.examples.JSON_TOKEN_RESPONSES[token_id]
- except KeyError:
- response = ""
- context.status_code = 404
-
- return response
-
- def assert_valid_last_url(self, token_id):
- self.assertLastPath('/v3/auth/tokens')
-
- def test_valid_unscoped_uuid_request(self):
- # Remove items that won't be in an unscoped token
- delta_expected_env = {
- 'HTTP_X_PROJECT_ID': None,
- 'HTTP_X_PROJECT_NAME': None,
- 'HTTP_X_PROJECT_DOMAIN_ID': None,
- 'HTTP_X_PROJECT_DOMAIN_NAME': None,
- 'HTTP_X_TENANT_ID': None,
- 'HTTP_X_TENANT_NAME': None,
- 'HTTP_X_ROLES': '',
- 'HTTP_X_TENANT': None,
- 'HTTP_X_ROLE': '',
- }
- self.set_middleware(expected_env=delta_expected_env)
- self.assert_valid_request_200(self.examples.v3_UUID_TOKEN_UNSCOPED,
- with_catalog=False)
- self.assertLastPath('/v3/auth/tokens')
-
- def test_domain_scoped_uuid_request(self):
- # Modify items compared to default token for a domain scope
- delta_expected_env = {
- 'HTTP_X_DOMAIN_ID': 'domain_id1',
- 'HTTP_X_DOMAIN_NAME': 'domain_name1',
- 'HTTP_X_PROJECT_ID': None,
- 'HTTP_X_PROJECT_NAME': None,
- 'HTTP_X_PROJECT_DOMAIN_ID': None,
- 'HTTP_X_PROJECT_DOMAIN_NAME': None,
- 'HTTP_X_TENANT_ID': None,
- 'HTTP_X_TENANT_NAME': None,
- 'HTTP_X_TENANT': None
- }
- self.set_middleware(expected_env=delta_expected_env)
- self.assert_valid_request_200(
- self.examples.v3_UUID_TOKEN_DOMAIN_SCOPED)
- self.assertLastPath('/v3/auth/tokens')
-
- def test_gives_v2_catalog(self):
- self.set_middleware()
- req = self.assert_valid_request_200(
- self.examples.SIGNED_v3_TOKEN_SCOPED)
-
- catalog = jsonutils.loads(req.headers['X-Service-Catalog'])
-
- for service in catalog:
- for endpoint in service['endpoints']:
- # no point checking everything, just that it's in v2 format
- self.assertIn('adminURL', endpoint)
- self.assertIn('publicURL', endpoint)
- self.assertIn('adminURL', endpoint)
-
- def test_fallback_to_online_validation_with_signing_error(self):
- self.requests_mock.get('%s/v3/OS-SIMPLE-CERT/certificates' % BASE_URI,
- status_code=404)
- self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
-
- def test_fallback_to_online_validation_with_ca_error(self):
- self.requests_mock.get('%s/v3/OS-SIMPLE-CERT/ca' % BASE_URI,
- status_code=404)
- self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
-
- def test_fallback_to_online_validation_with_revocation_list_error(self):
- self.requests_mock.get(self.revocation_url, status_code=404)
- self.assert_valid_request_200(self.token_dict['signed_token_scoped'])
- self.assert_valid_request_200(
- self.token_dict['signed_token_scoped_pkiz'])
-
- def test_user_plugin_token_properties(self):
- token = self.examples.v3_UUID_TOKEN_DEFAULT
- token_data = self.examples.TOKEN_RESPONSES[token]
-
- resp = self.call_middleware(headers={'X-Service-Catalog': '[]',
- 'X-Auth-Token': token,
- 'X-Service-Token': token})
-
- self.assertEqual(200, resp.status_int)
- self.assertEqual(FakeApp.SUCCESS, resp.body)
-
- token_auth = resp.request.environ['keystone.token_auth']
-
- self.assertTrue(token_auth.has_user_token)
- self.assertTrue(token_auth.has_service_token)
-
- for t in [token_auth.user, token_auth.service]:
- self.assertEqual(token_data.user_id, t.user_id)
- self.assertEqual(token_data.project_id, t.project_id)
- self.assertEqual(token_data.user_domain_id, t.user_domain_id)
- self.assertEqual(token_data.project_domain_id, t.project_domain_id)
-
- self.assertThat(t.role_names, matchers.HasLength(2))
- self.assertIn('role1', t.role_names)
- self.assertIn('role2', t.role_names)
-
- self.assertIsNone(t.trust_id)
-
- def test_expire_stored_in_cache(self):
- # tests the upgrade path from storing a tuple vs just the data in the
- # cache. Can be removed in the future.
- token = 'mytoken'
- data = 'this_data'
- self.set_middleware()
- self.middleware._token_cache.initialize({})
- now = datetime.datetime.utcnow()
- delta = datetime.timedelta(hours=1)
- expires = strtime(at=(now + delta))
- self.middleware._token_cache.store(token, (data, expires))
- self.assertEqual(self.middleware._token_cache.get(token), data)
-
-
-class DelayedAuthTests(BaseAuthTokenMiddlewareTest):
-
- def test_header_in_401(self):
- body = uuid.uuid4().hex
- auth_uri = 'http://local.test'
- conf = {'delay_auth_decision': 'True',
- 'auth_version': 'v3.0',
- 'auth_uri': auth_uri}
-
- middleware = self.create_simple_middleware(status='401 Unauthorized',
- body=body,
- conf=conf)
- resp = self.call(middleware)
- self.assertEqual(six.b(body), resp.body)
-
- self.assertEqual(401, resp.status_int)
- self.assertEqual("Keystone uri='%s'" % auth_uri,
- resp.headers['WWW-Authenticate'])
-
- def test_delayed_auth_values(self):
- conf = {'auth_uri': 'http://local.test'}
- status = '401 Unauthorized'
-
- middleware = self.create_simple_middleware(status=status, conf=conf)
- self.assertFalse(middleware._delay_auth_decision)
-
- for v in ('True', '1', 'on', 'yes'):
- conf = {'delay_auth_decision': v,
- 'auth_uri': 'http://local.test'}
-
- middleware = self.create_simple_middleware(status=status,
- conf=conf)
- self.assertTrue(middleware._delay_auth_decision)
-
- for v in ('False', '0', 'no'):
- conf = {'delay_auth_decision': v,
- 'auth_uri': 'http://local.test'}
-
- middleware = self.create_simple_middleware(status=status,
- conf=conf)
- self.assertFalse(middleware._delay_auth_decision)
-
- def test_auth_plugin_with_no_tokens(self):
- body = uuid.uuid4().hex
- auth_uri = 'http://local.test'
- conf = {'delay_auth_decision': True, 'auth_uri': auth_uri}
-
- middleware = self.create_simple_middleware(body=body, conf=conf)
- resp = self.call(middleware)
- self.assertEqual(six.b(body), resp.body)
-
- token_auth = resp.request.environ['keystone.token_auth']
-
- self.assertFalse(token_auth.has_user_token)
- self.assertIsNone(token_auth.user)
- self.assertFalse(token_auth.has_service_token)
- self.assertIsNone(token_auth.service)
-
-
-class CommonCompositeAuthTests(object):
- """Test Composite authentication.
-
- Test the behaviour of adding a service-token.
- """
-
- def test_composite_auth_ok(self):
- token = self.token_dict['uuid_token_default']
- service_token = self.token_dict['uuid_service_token_default']
- fake_logger = fixtures.FakeLogger(level=logging.DEBUG)
- self.middleware.logger = self.useFixture(fake_logger)
- resp = self.call_middleware(headers={'X-Auth-Token': token,
- 'X-Service-Token': service_token})
- self.assertEqual(200, resp.status_int)
- self.assertEqual(FakeApp.SUCCESS, resp.body)
- expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE)
- expected_env.update(EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE)
-
- # role list may get reordered, check for string pieces individually
- self.assertIn('Received request from user: ', fake_logger.output)
- self.assertIn('user_id %(HTTP_X_USER_ID)s, '
- 'project_id %(HTTP_X_TENANT_ID)s, '
- 'roles ' % expected_env, fake_logger.output)
- self.assertIn('service: user_id %(HTTP_X_SERVICE_USER_ID)s, '
- 'project_id %(HTTP_X_SERVICE_PROJECT_ID)s, '
- 'roles ' % expected_env, fake_logger.output)
-
- roles = ','.join([expected_env['HTTP_X_SERVICE_ROLES'],
- expected_env['HTTP_X_ROLES']])
-
- for r in roles.split(','):
- self.assertIn(r, fake_logger.output)
-
- def test_composite_auth_invalid_service_token(self):
- token = self.token_dict['uuid_token_default']
- service_token = 'invalid-service-token'
- resp = self.call_middleware(headers={'X-Auth-Token': token,
- 'X-Service-Token': service_token})
- self.assertEqual(401, resp.status_int)
- self.assertEqual(b'Authentication required', resp.body)
-
- def test_composite_auth_no_service_token(self):
- self.purge_service_token_expected_env()
- req = webob.Request.blank('/')
- req.headers['X-Auth-Token'] = self.token_dict['uuid_token_default']
-
- # Ensure injection of service headers is not possible
- for key, value in six.iteritems(self.service_token_expected_env):
- header_key = key[len('HTTP_'):].replace('_', '-')
- req.headers[header_key] = value
- # Check arbitrary headers not removed
- req.headers['X-Foo'] = 'Bar'
- resp = req.get_response(self.middleware)
- for key in six.iterkeys(self.service_token_expected_env):
- header_key = key[len('HTTP_'):].replace('_', '-')
- self.assertFalse(req.headers.get(header_key))
- self.assertEqual('Bar', req.headers.get('X-Foo'))
- self.assertEqual(418, resp.status_int)
- self.assertEqual(FakeApp.FORBIDDEN, resp.body)
-
- def test_composite_auth_invalid_user_token(self):
- token = 'invalid-token'
- service_token = self.token_dict['uuid_service_token_default']
- resp = self.call_middleware(headers={'X-Auth-Token': token,
- 'X-Service-Token': service_token})
- self.assertEqual(401, resp.status_int)
- self.assertEqual(b'Authentication required', resp.body)
-
- def test_composite_auth_no_user_token(self):
- service_token = self.token_dict['uuid_service_token_default']
- resp = self.call_middleware(headers={'X-Service-Token': service_token})
- self.assertEqual(401, resp.status_int)
- self.assertEqual(b'Authentication required', resp.body)
-
- def test_composite_auth_delay_ok(self):
- self.middleware._delay_auth_decision = True
- token = self.token_dict['uuid_token_default']
- service_token = self.token_dict['uuid_service_token_default']
- resp = self.call_middleware(headers={'X-Auth-Token': token,
- 'X-Service-Token': service_token})
- self.assertEqual(200, resp.status_int)
- self.assertEqual(FakeApp.SUCCESS, resp.body)
-
- def test_composite_auth_delay_invalid_service_token(self):
- self.middleware._delay_auth_decision = True
- self.purge_service_token_expected_env()
- expected_env = {
- 'HTTP_X_SERVICE_IDENTITY_STATUS': 'Invalid',
- }
- self.update_expected_env(expected_env)
-
- token = self.token_dict['uuid_token_default']
- service_token = 'invalid-service-token'
- resp = self.call_middleware(headers={'X-Auth-Token': token,
- 'X-Service-Token': service_token})
- self.assertEqual(420, resp.status_int)
- self.assertEqual(FakeApp.FORBIDDEN, resp.body)
-
- def test_composite_auth_delay_invalid_service_and_user_tokens(self):
- self.middleware._delay_auth_decision = True
- self.purge_service_token_expected_env()
- self.purge_token_expected_env()
- expected_env = {
- 'HTTP_X_IDENTITY_STATUS': 'Invalid',
- 'HTTP_X_SERVICE_IDENTITY_STATUS': 'Invalid',
- }
- self.update_expected_env(expected_env)
-
- token = 'invalid-token'
- service_token = 'invalid-service-token'
- resp = self.call_middleware(headers={'X-Auth-Token': token,
- 'X-Service-Token': service_token})
- self.assertEqual(419, resp.status_int)
- self.assertEqual(FakeApp.FORBIDDEN, resp.body)
-
- def test_composite_auth_delay_no_service_token(self):
- self.middleware._delay_auth_decision = True
- self.purge_service_token_expected_env()
-
- req = webob.Request.blank('/')
- req.headers['X-Auth-Token'] = self.token_dict['uuid_token_default']
-
- # Ensure injection of service headers is not possible
- for key, value in six.iteritems(self.service_token_expected_env):
- header_key = key[len('HTTP_'):].replace('_', '-')
- req.headers[header_key] = value
- # Check arbitrary headers not removed
- req.headers['X-Foo'] = 'Bar'
- resp = req.get_response(self.middleware)
- for key in six.iterkeys(self.service_token_expected_env):
- header_key = key[len('HTTP_'):].replace('_', '-')
- self.assertFalse(req.headers.get(header_key))
- self.assertEqual('Bar', req.headers.get('X-Foo'))
- self.assertEqual(418, resp.status_int)
- self.assertEqual(FakeApp.FORBIDDEN, resp.body)
-
- def test_composite_auth_delay_invalid_user_token(self):
- self.middleware._delay_auth_decision = True
- self.purge_token_expected_env()
- expected_env = {
- 'HTTP_X_IDENTITY_STATUS': 'Invalid',
- }
- self.update_expected_env(expected_env)
-
- token = 'invalid-token'
- service_token = self.token_dict['uuid_service_token_default']
- resp = self.call_middleware(headers={'X-Auth-Token': token,
- 'X-Service-Token': service_token})
- self.assertEqual(403, resp.status_int)
- self.assertEqual(FakeApp.FORBIDDEN, resp.body)
-
- def test_composite_auth_delay_no_user_token(self):
- self.middleware._delay_auth_decision = True
- self.purge_token_expected_env()
- expected_env = {
- 'HTTP_X_IDENTITY_STATUS': 'Invalid',
- }
- self.update_expected_env(expected_env)
-
- service_token = self.token_dict['uuid_service_token_default']
- resp = self.call_middleware(headers={'X-Service-Token': service_token})
- self.assertEqual(403, resp.status_int)
- self.assertEqual(FakeApp.FORBIDDEN, resp.body)
-
-
-class v2CompositeAuthTests(BaseAuthTokenMiddlewareTest,
- CommonCompositeAuthTests,
- testresources.ResourcedTestCase):
- """Test auth_token middleware with v2 token based composite auth.
-
- Execute the Composite auth class tests, but with the
- auth_token middleware configured to expect v2 tokens back from
- a keystone server.
- """
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def setUp(self):
- super(v2CompositeAuthTests, self).setUp(
- expected_env=EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE,
- fake_app=CompositeFakeApp)
-
- uuid_token_default = self.examples.UUID_TOKEN_DEFAULT
- uuid_service_token_default = self.examples.UUID_SERVICE_TOKEN_DEFAULT
- self.token_dict = {
- 'uuid_token_default': uuid_token_default,
- 'uuid_service_token_default': uuid_service_token_default,
- }
-
- self.requests_mock.get(BASE_URI,
- json=VERSION_LIST_v2,
- status_code=300)
-
- self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- self.requests_mock.get('%s/v2.0/tokens/revoked' % BASE_URI,
- text=self.examples.SIGNED_REVOCATION_LIST,
- status_code=200)
-
- for token in (self.examples.UUID_TOKEN_DEFAULT,
- self.examples.UUID_SERVICE_TOKEN_DEFAULT,):
- text = self.examples.JSON_TOKEN_RESPONSES[token]
- self.requests_mock.get('%s/v2.0/tokens/%s' % (BASE_URI, token),
- text=text)
-
- for invalid_uri in ("%s/v2.0/tokens/invalid-token" % BASE_URI,
- "%s/v2.0/tokens/invalid-service-token" % BASE_URI):
- self.requests_mock.get(invalid_uri, text='', status_code=404)
-
- self.token_expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE)
- self.service_token_expected_env = dict(
- EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE)
- self.set_middleware()
-
-
-class v3CompositeAuthTests(BaseAuthTokenMiddlewareTest,
- CommonCompositeAuthTests,
- testresources.ResourcedTestCase):
- """Test auth_token middleware with v3 token based composite auth.
-
- Execute the Composite auth class tests, but with the
- auth_token middleware configured to expect v3 tokens back from
- a keystone server.
- """
-
- resources = [('examples', client_fixtures.EXAMPLES_RESOURCE)]
-
- def setUp(self):
- super(v3CompositeAuthTests, self).setUp(
- auth_version='v3.0',
- fake_app=v3CompositeFakeApp)
-
- uuid_token_default = self.examples.v3_UUID_TOKEN_DEFAULT
- uuid_serv_token_default = self.examples.v3_UUID_SERVICE_TOKEN_DEFAULT
- self.token_dict = {
- 'uuid_token_default': uuid_token_default,
- 'uuid_service_token_default': uuid_serv_token_default,
- }
-
- self.requests_mock.get(BASE_URI, json=VERSION_LIST_v3, status_code=300)
-
- # TODO(jamielennox): auth_token middleware uses a v2 admin token
- # regardless of the auth_version that is set.
- self.requests_mock.post('%s/v2.0/tokens' % BASE_URI,
- text=FAKE_ADMIN_TOKEN)
-
- self.requests_mock.get('%s/v3/auth/tokens/OS-PKI/revoked' % BASE_URI,
- text=self.examples.SIGNED_REVOCATION_LIST)
-
- self.requests_mock.get('%s/v3/auth/tokens' % BASE_URI,
- text=self.token_response,
- headers={'X-Subject-Token': uuid.uuid4().hex})
-
- self.token_expected_env = dict(EXPECTED_V2_DEFAULT_ENV_RESPONSE)
- self.token_expected_env.update(EXPECTED_V3_DEFAULT_ENV_ADDITIONS)
- self.service_token_expected_env = dict(
- EXPECTED_V2_DEFAULT_SERVICE_ENV_RESPONSE)
- self.service_token_expected_env.update(
- EXPECTED_V3_DEFAULT_SERVICE_ENV_ADDITIONS)
- self.set_middleware()
-
- def token_response(self, request, context):
- auth_id = request.headers.get('X-Auth-Token')
- token_id = request.headers.get('X-Subject-Token')
- self.assertEqual(auth_id, FAKE_ADMIN_TOKEN_ID)
-
- status = 200
- response = ""
-
- if token_id == ERROR_TOKEN:
- raise exceptions.ConnectionRefused("Network connection refused.")
-
- try:
- response = self.examples.JSON_TOKEN_RESPONSES[token_id]
- except KeyError:
- status = 404
-
- context.status_code = status
- return response
-
-
-class OtherTests(BaseAuthTokenMiddlewareTest):
-
- def setUp(self):
- super(OtherTests, self).setUp()
- self.logger = self.useFixture(fixtures.FakeLogger())
-
- def test_unknown_server_versions(self):
- versions = fixture.DiscoveryList(v2=False, v3_id='v4', href=BASE_URI)
- self.set_middleware()
-
- self.requests_mock.get(BASE_URI, json=versions, status_code=300)
-
- resp = self.call_middleware(headers={'X-Auth-Token': uuid.uuid4().hex})
- self.assertEqual(503, resp.status_int)
-
- self.assertIn('versions [v3.0, v2.0]', self.logger.output)
-
- def _assert_auth_version(self, conf_version, identity_server_version):
- self.set_middleware(conf={'auth_version': conf_version})
- identity_server = self.middleware._create_identity_server()
- self.assertEqual(identity_server_version,
- identity_server.auth_version)
-
- def test_micro_version(self):
- self._assert_auth_version('v2', (2, 0))
- self._assert_auth_version('v2.0', (2, 0))
- self._assert_auth_version('v3', (3, 0))
- self._assert_auth_version('v3.0', (3, 0))
- self._assert_auth_version('v3.1', (3, 0))
- self._assert_auth_version('v3.2', (3, 0))
- self._assert_auth_version('v3.9', (3, 0))
- self._assert_auth_version('v3.3.1', (3, 0))
- self._assert_auth_version('v3.3.5', (3, 0))
-
- def test_default_auth_version(self):
- # VERSION_LIST_v3 contains both v2 and v3 version elements
- self.requests_mock.get(BASE_URI, json=VERSION_LIST_v3, status_code=300)
- self._assert_auth_version(None, (3, 0))
-
- # VERSION_LIST_v2 contains only v2 version elements
- self.requests_mock.get(BASE_URI, json=VERSION_LIST_v2, status_code=300)
- self._assert_auth_version(None, (2, 0))
-
- def test_unsupported_auth_version(self):
- # If the requested version isn't supported we will use v2
- self._assert_auth_version('v1', (2, 0))
- self._assert_auth_version('v10', (2, 0))
-
-
-class AuthProtocolLoadingTests(BaseAuthTokenMiddlewareTest):
-
- AUTH_URL = 'http://auth.url/prefix'
- DISC_URL = 'http://disc.url/prefix'
- KEYSTONE_BASE_URL = 'http://keystone.url/prefix'
- CRUD_URL = 'http://crud.url/prefix'
-
- # NOTE(jamielennox): use the /v2.0 prefix here because this is what's most
- # likely to be in the service catalog and we should be able to ignore it.
- KEYSTONE_URL = KEYSTONE_BASE_URL + '/v2.0'
-
- def setUp(self):
- super(AuthProtocolLoadingTests, self).setUp()
-
- self.project_id = uuid.uuid4().hex
-
- # first touch is to discover the available versions at the auth_url
- self.requests_mock.get(self.AUTH_URL,
- json=fixture.DiscoveryList(href=self.DISC_URL),
- status_code=300)
-
- # then we do discovery on the URL from the service catalog. In practice
- # this is mostly the same URL as before but test the full range.
- self.requests_mock.get(self.KEYSTONE_BASE_URL + '/',
- json=fixture.DiscoveryList(href=self.CRUD_URL),
- status_code=300)
-
- def good_request(self, app):
- # admin_token is the token that the service will get back from auth
- admin_token_id = uuid.uuid4().hex
- admin_token = fixture.V3Token(project_id=self.project_id)
- s = admin_token.add_service('identity', name='keystone')
- s.add_standard_endpoints(admin=self.KEYSTONE_URL)
-
- self.requests_mock.post(self.DISC_URL + '/v3/auth/tokens',
- json=admin_token,
- headers={'X-Subject-Token': admin_token_id})
-
- # user_token is the data from the user's inputted token
- user_token_id = uuid.uuid4().hex
- user_token = fixture.V3Token()
- user_token.set_project_scope()
-
- request_headers = {'X-Subject-Token': user_token_id,
- 'X-Auth-Token': admin_token_id}
-
- self.requests_mock.get(self.CRUD_URL + '/v3/auth/tokens',
- request_headers=request_headers,
- json=user_token,
- headers={'X-Subject-Token': uuid.uuid4().hex})
-
- resp = self.call(app, headers={'X-Auth-Token': user_token_id})
- self.assertEqual(200, resp.status_int)
- return resp
-
- def test_loading_password_plugin(self):
- # the password options aren't set on config until loading time, but we
- # need them set so we can override the values for testing, so force it
- opts = auth.get_plugin_options('password')
- self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP)
-
- project_id = uuid.uuid4().hex
-
- # Register the authentication options
- auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
-
- # configure the authentication options
- self.cfg.config(auth_plugin='password',
- username='testuser',
- password='testpass',
- auth_url=self.AUTH_URL,
- project_id=project_id,
- user_domain_id='userdomainid',
- group=_base.AUTHTOKEN_GROUP)
-
- body = uuid.uuid4().hex
- app = self.create_simple_middleware(body=body)
-
- resp = self.good_request(app)
- self.assertEqual(six.b(body), resp.body)
-
- @staticmethod
- def get_plugin(app):
- return app._identity_server._adapter.auth
-
- def test_invalid_plugin_fails_to_initialize(self):
- auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
- self.cfg.config(auth_plugin=uuid.uuid4().hex,
- group=_base.AUTHTOKEN_GROUP)
-
- self.assertRaises(
- exceptions.NoMatchingPlugin,
- self.create_simple_middleware)
-
- def test_plugin_loading_mixed_opts(self):
- # some options via override and some via conf
- opts = auth.get_plugin_options('password')
- self.cfg.register_opts(opts, group=_base.AUTHTOKEN_GROUP)
-
- username = 'testuser'
- password = 'testpass'
-
- # Register the authentication options
- auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
-
- # configure the authentication options
- self.cfg.config(auth_plugin='password',
- password=password,
- project_id=self.project_id,
- user_domain_id='userdomainid',
- group=_base.AUTHTOKEN_GROUP)
-
- conf = {'username': username, 'auth_url': self.AUTH_URL}
-
- body = uuid.uuid4().hex
- app = self.create_simple_middleware(body=body, conf=conf)
-
- resp = self.good_request(app)
- self.assertEqual(six.b(body), resp.body)
-
- plugin = self.get_plugin(app)
-
- self.assertEqual(self.AUTH_URL, plugin.auth_url)
- self.assertEqual(username, plugin._username)
- self.assertEqual(password, plugin._password)
- self.assertEqual(self.project_id, plugin._project_id)
-
- def test_plugin_loading_with_auth_section(self):
- # some options via override and some via conf
- section = 'testsection'
- username = 'testuser'
- password = 'testpass'
-
- auth.register_conf_options(self.cfg.conf, group=section)
- opts = auth.get_plugin_options('password')
- self.cfg.register_opts(opts, group=section)
-
- # Register the authentication options
- auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
-
- # configure the authentication options
- self.cfg.config(auth_section=section, group=_base.AUTHTOKEN_GROUP)
- self.cfg.config(auth_plugin='password',
- password=password,
- project_id=self.project_id,
- user_domain_id='userdomainid',
- group=section)
-
- conf = {'username': username, 'auth_url': self.AUTH_URL}
-
- body = uuid.uuid4().hex
- app = self.create_simple_middleware(body=body, conf=conf)
-
- resp = self.good_request(app)
- self.assertEqual(six.b(body), resp.body)
-
- plugin = self.get_plugin(app)
-
- self.assertEqual(self.AUTH_URL, plugin.auth_url)
- self.assertEqual(username, plugin._username)
- self.assertEqual(password, plugin._password)
- self.assertEqual(self.project_id, plugin._project_id)
-
-
-class TestAuthPluginUserAgentGeneration(BaseAuthTokenMiddlewareTest):
-
- def setUp(self):
- super(TestAuthPluginUserAgentGeneration, self).setUp()
- self.auth_url = uuid.uuid4().hex
- self.project_id = uuid.uuid4().hex
- self.username = uuid.uuid4().hex
- self.password = uuid.uuid4().hex
- self.section = uuid.uuid4().hex
- self.user_domain_id = uuid.uuid4().hex
-
- auth.register_conf_options(self.cfg.conf, group=self.section)
- opts = auth.get_plugin_options('password')
- self.cfg.register_opts(opts, group=self.section)
-
- # Register the authentication options
- auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
-
- # configure the authentication options
- self.cfg.config(auth_section=self.section, group=_base.AUTHTOKEN_GROUP)
- self.cfg.config(auth_plugin='password',
- password=self.password,
- project_id=self.project_id,
- user_domain_id=self.user_domain_id,
- group=self.section)
-
- def test_no_project_configured(self):
- ksm_version = uuid.uuid4().hex
- conf = {'username': self.username, 'auth_url': self.auth_url}
-
- app = self._create_app(conf, ksm_version)
- self._assert_user_agent(app, '', ksm_version)
-
- def test_project_in_configuration(self):
- project = uuid.uuid4().hex
- project_version = uuid.uuid4().hex
-
- conf = {'username': self.username,
- 'auth_url': self.auth_url,
- 'project': project}
- app = self._create_app(conf, project_version)
- project_with_version = '{0}/{1} '.format(project, project_version)
- self._assert_user_agent(app, project_with_version, project_version)
-
- def test_project_in_oslo_configuration(self):
- project = uuid.uuid4().hex
- project_version = uuid.uuid4().hex
-
- conf = {'username': self.username, 'auth_url': self.auth_url}
- with mock.patch.object(cfg.CONF, 'project', new=project, create=True):
- app = self._create_app(conf, project_version)
- project = '{0}/{1} '.format(project, project_version)
- self._assert_user_agent(app, project, project_version)
-
- def _create_app(self, conf, project_version):
- fake_pkg_resources = mock.Mock()
- fake_pkg_resources.get_distribution().version = project_version
-
- body = uuid.uuid4().hex
- with mock.patch('keystonemiddleware.auth_token.pkg_resources',
- new=fake_pkg_resources):
- return self.create_simple_middleware(body=body, conf=conf,
- use_global_conf=True)
-
- def _assert_user_agent(self, app, project, ksm_version):
- sess = app._identity_server._adapter.session
- expected_ua = ('{0}keystonemiddleware.auth_token/{1}'
- .format(project, ksm_version))
- self.assertEqual(expected_ua, sess.user_agent)
-
-
-class TestAuthPluginLocalOsloConfig(BaseAuthTokenMiddlewareTest):
- def test_project_in_local_oslo_configuration(self):
- options = {
- 'auth_plugin': 'password',
- 'auth_uri': uuid.uuid4().hex,
- 'password': uuid.uuid4().hex,
- }
-
- content = ("[keystone_authtoken]\n"
- "auth_plugin=%(auth_plugin)s\n"
- "auth_uri=%(auth_uri)s\n"
- "password=%(password)s\n" % options)
- conf_file_fixture = self.useFixture(
- createfile.CreateFileWithContent("my_app", content))
- conf = {'oslo_config_project': 'my_app',
- 'oslo_config_file': conf_file_fixture.path}
- app = self._create_app(conf, uuid.uuid4().hex)
- for option in options:
- self.assertEqual(options[option], app._conf_get(option))
-
- def _create_app(self, conf, project_version):
- fake_pkg_resources = mock.Mock()
- fake_pkg_resources.get_distribution().version = project_version
-
- body = uuid.uuid4().hex
- with mock.patch('keystonemiddleware.auth_token.pkg_resources',
- new=fake_pkg_resources):
- return self.create_simple_middleware(body=body, conf=conf)
-
-
-def load_tests(loader, tests, pattern):
- return testresources.OptimisingTestSuite(tests)
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py
deleted file mode 100644
index b213f546..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py
+++ /dev/null
@@ -1,202 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import datetime
-import uuid
-
-from keystoneclient import fixture
-import mock
-import six
-import testtools
-import webob
-
-from keystonemiddleware import auth_token
-from keystonemiddleware.auth_token import _request
-
-
-class FakeApp(object):
-
- @webob.dec.wsgify
- def __call__(self, req):
- return webob.Response()
-
-
-class FetchingMiddleware(auth_token._BaseAuthProtocol):
-
- def __init__(self, app, token_dict={}, **kwargs):
- super(FetchingMiddleware, self).__init__(app, **kwargs)
- self.token_dict = token_dict
-
- def _fetch_token(self, token):
- try:
- return self.token_dict[token]
- except KeyError:
- raise auth_token.InvalidToken()
-
-
-class BaseAuthProtocolTests(testtools.TestCase):
-
- @mock.patch.multiple(auth_token._BaseAuthProtocol,
- process_request=mock.DEFAULT,
- process_response=mock.DEFAULT)
- def test_process_flow(self, process_request, process_response):
- m = auth_token._BaseAuthProtocol(FakeApp())
-
- process_request.return_value = None
- process_response.side_effect = lambda x: x
-
- req = webob.Request.blank('/', method='GET')
- resp = req.get_response(m)
-
- self.assertEqual(200, resp.status_code)
-
- self.assertEqual(1, process_request.call_count)
- self.assertIsInstance(process_request.call_args[0][0],
- _request._AuthTokenRequest)
-
- self.assertEqual(1, process_response.call_count)
- self.assertIsInstance(process_response.call_args[0][0], webob.Response)
-
- @classmethod
- def call(cls, middleware, method='GET', path='/', headers=None):
- req = webob.Request.blank(path)
- req.method = method
-
- for k, v in six.iteritems(headers or {}):
- req.headers[k] = v
-
- resp = req.get_response(middleware)
- resp.request = req
- return resp
-
- def test_good_v3_user_token(self):
- t = fixture.V3Token()
- t.set_project_scope()
- role = t.add_role()
-
- token_id = uuid.uuid4().hex
- token_dict = {token_id: t}
-
- @webob.dec.wsgify
- def _do_cb(req):
- self.assertEqual(token_id, req.headers['X-Auth-Token'])
-
- self.assertEqual('Confirmed', req.headers['X-Identity-Status'])
- self.assertNotIn('X-Service-Token', req.headers)
-
- p = req.environ['keystone.token_auth']
-
- self.assertTrue(p.has_user_token)
- self.assertFalse(p.has_service_token)
-
- self.assertEqual(t.project_id, p.user.project_id)
- self.assertEqual(t.project_domain_id, p.user.project_domain_id)
- self.assertEqual(t.user_id, p.user.user_id)
- self.assertEqual(t.user_domain_id, p.user.user_domain_id)
- self.assertIn(role['name'], p.user.role_names)
-
- return webob.Response()
-
- m = FetchingMiddleware(_do_cb, token_dict)
- self.call(m, headers={'X-Auth-Token': token_id})
-
- def test_invalid_user_token(self):
- token_id = uuid.uuid4().hex
-
- @webob.dec.wsgify
- def _do_cb(req):
- self.assertEqual('Invalid', req.headers['X-Identity-Status'])
- self.assertEqual(token_id, req.headers['X-Auth-Token'])
- return webob.Response()
-
- m = FetchingMiddleware(_do_cb)
- self.call(m, headers={'X-Auth-Token': token_id})
-
- def test_expired_user_token(self):
- t = fixture.V3Token()
- t.set_project_scope()
- t.expires = datetime.datetime.utcnow() - datetime.timedelta(minutes=10)
-
- token_id = uuid.uuid4().hex
- token_dict = {token_id: t}
-
- @webob.dec.wsgify
- def _do_cb(req):
- self.assertEqual('Invalid', req.headers['X-Identity-Status'])
- self.assertEqual(token_id, req.headers['X-Auth-Token'])
- return webob.Response()
-
- m = FetchingMiddleware(_do_cb, token_dict=token_dict)
- self.call(m, headers={'X-Auth-Token': token_id})
-
- def test_good_v3_service_token(self):
- t = fixture.V3Token()
- t.set_project_scope()
- role = t.add_role()
-
- token_id = uuid.uuid4().hex
- token_dict = {token_id: t}
-
- @webob.dec.wsgify
- def _do_cb(req):
- self.assertEqual(token_id, req.headers['X-Service-Token'])
-
- self.assertEqual('Confirmed',
- req.headers['X-Service-Identity-Status'])
- self.assertNotIn('X-Auth-Token', req.headers)
-
- p = req.environ['keystone.token_auth']
-
- self.assertFalse(p.has_user_token)
- self.assertTrue(p.has_service_token)
-
- self.assertEqual(t.project_id, p.service.project_id)
- self.assertEqual(t.project_domain_id, p.service.project_domain_id)
- self.assertEqual(t.user_id, p.service.user_id)
- self.assertEqual(t.user_domain_id, p.service.user_domain_id)
- self.assertIn(role['name'], p.service.role_names)
-
- return webob.Response()
-
- m = FetchingMiddleware(_do_cb, token_dict)
- self.call(m, headers={'X-Service-Token': token_id})
-
- def test_invalid_service_token(self):
- token_id = uuid.uuid4().hex
-
- @webob.dec.wsgify
- def _do_cb(req):
- self.assertEqual('Invalid',
- req.headers['X-Service-Identity-Status'])
- self.assertEqual(token_id, req.headers['X-Service-Token'])
- return webob.Response()
-
- m = FetchingMiddleware(_do_cb)
- self.call(m, headers={'X-Service-Token': token_id})
-
- def test_expired_service_token(self):
- t = fixture.V3Token()
- t.set_project_scope()
- t.expires = datetime.datetime.utcnow() - datetime.timedelta(minutes=10)
-
- token_id = uuid.uuid4().hex
- token_dict = {token_id: t}
-
- @webob.dec.wsgify
- def _do_cb(req):
- self.assertEqual('Invalid',
- req.headers['X-Service-Identity-Status'])
- self.assertEqual(token_id, req.headers['X-Service-Token'])
- return webob.Response()
-
- m = FetchingMiddleware(_do_cb, token_dict=token_dict)
- self.call(m, headers={'X-Service-Token': token_id})
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_connection_pool.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_connection_pool.py
deleted file mode 100644
index 074d1e5d..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_connection_pool.py
+++ /dev/null
@@ -1,118 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import time
-
-import mock
-from six.moves import queue
-import testtools
-from testtools import matchers
-
-from keystonemiddleware.auth_token import _memcache_pool
-from keystonemiddleware.tests.unit import utils
-
-
-class _TestConnectionPool(_memcache_pool.ConnectionPool):
- destroyed_value = 'destroyed'
-
- def _create_connection(self):
- return mock.MagicMock()
-
- def _destroy_connection(self, conn):
- conn(self.destroyed_value)
-
-
-class TestConnectionPool(utils.TestCase):
- def setUp(self):
- super(TestConnectionPool, self).setUp()
- self.unused_timeout = 10
- self.maxsize = 2
- self.connection_pool = _TestConnectionPool(
- maxsize=self.maxsize,
- unused_timeout=self.unused_timeout)
-
- def test_get_context_manager(self):
- self.assertThat(self.connection_pool.queue, matchers.HasLength(0))
- with self.connection_pool.acquire() as conn:
- self.assertEqual(1, self.connection_pool._acquired)
- self.assertEqual(0, self.connection_pool._acquired)
- self.assertThat(self.connection_pool.queue, matchers.HasLength(1))
- self.assertEqual(conn, self.connection_pool.queue[0].connection)
-
- def test_cleanup_pool(self):
- self.test_get_context_manager()
- newtime = time.time() + self.unused_timeout * 2
- non_expired_connection = _memcache_pool._PoolItem(
- ttl=(newtime * 2),
- connection=mock.MagicMock())
- self.connection_pool.queue.append(non_expired_connection)
- self.assertThat(self.connection_pool.queue, matchers.HasLength(2))
- with mock.patch.object(time, 'time', return_value=newtime):
- conn = self.connection_pool.queue[0].connection
- with self.connection_pool.acquire():
- pass
- conn.assert_has_calls(
- [mock.call(self.connection_pool.destroyed_value)])
- self.assertThat(self.connection_pool.queue, matchers.HasLength(1))
- self.assertEqual(0, non_expired_connection.connection.call_count)
-
- def test_acquire_conn_exception_returns_acquired_count(self):
- class TestException(Exception):
- pass
-
- with mock.patch.object(_TestConnectionPool, '_create_connection',
- side_effect=TestException):
- with testtools.ExpectedException(TestException):
- with self.connection_pool.acquire():
- pass
- self.assertThat(self.connection_pool.queue,
- matchers.HasLength(0))
- self.assertEqual(0, self.connection_pool._acquired)
-
- def test_connection_pool_limits_maximum_connections(self):
- # NOTE(morganfainberg): To ensure we don't lockup tests until the
- # job limit, explicitly call .get_nowait() and .put_nowait() in this
- # case.
- conn1 = self.connection_pool.get_nowait()
- conn2 = self.connection_pool.get_nowait()
-
- # Use a nowait version to raise an Empty exception indicating we would
- # not get another connection until one is placed back into the queue.
- self.assertRaises(queue.Empty, self.connection_pool.get_nowait)
-
- # Place the connections back into the pool.
- self.connection_pool.put_nowait(conn1)
- self.connection_pool.put_nowait(conn2)
-
- # Make sure we can get a connection out of the pool again.
- self.connection_pool.get_nowait()
-
- def test_connection_pool_maximum_connection_get_timeout(self):
- connection_pool = _TestConnectionPool(
- maxsize=1,
- unused_timeout=self.unused_timeout,
- conn_get_timeout=0)
-
- def _acquire_connection():
- with connection_pool.acquire():
- pass
-
- # Make sure we've consumed the only available connection from the pool
- conn = connection_pool.get_nowait()
-
- self.assertRaises(_memcache_pool.ConnectionGetTimeoutException,
- _acquire_connection)
-
- # Put the connection back and ensure we can acquire the connection
- # after it is available.
- connection_pool.put_nowait(conn)
- _acquire_connection()
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_memcache_crypt.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_memcache_crypt.py
deleted file mode 100644
index e9189831..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_memcache_crypt.py
+++ /dev/null
@@ -1,97 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import six
-
-from keystonemiddleware.auth_token import _memcache_crypt as memcache_crypt
-from keystonemiddleware.tests.unit import utils
-
-
-class MemcacheCryptPositiveTests(utils.BaseTestCase):
- def _setup_keys(self, strategy):
- return memcache_crypt.derive_keys(b'token', b'secret', strategy)
-
- def test_constant_time_compare(self):
- # make sure it works as a compare, the "constant time" aspect
- # isn't appropriate to test in unittests
- ctc = memcache_crypt.constant_time_compare
- self.assertTrue(ctc('abcd', 'abcd'))
- self.assertTrue(ctc('', ''))
- self.assertFalse(ctc('abcd', 'efgh'))
- self.assertFalse(ctc('abc', 'abcd'))
- self.assertFalse(ctc('abc', 'abc\x00'))
- self.assertFalse(ctc('', 'abc'))
-
- # For Python 3, we want to test these functions with both str and bytes
- # as input.
- if six.PY3:
- self.assertTrue(ctc(b'abcd', b'abcd'))
- self.assertTrue(ctc(b'', b''))
- self.assertFalse(ctc(b'abcd', b'efgh'))
- self.assertFalse(ctc(b'abc', b'abcd'))
- self.assertFalse(ctc(b'abc', b'abc\x00'))
- self.assertFalse(ctc(b'', b'abc'))
-
- def test_derive_keys(self):
- keys = self._setup_keys(b'strategy')
- self.assertEqual(len(keys['ENCRYPTION']),
- len(keys['CACHE_KEY']))
- self.assertEqual(len(keys['CACHE_KEY']),
- len(keys['MAC']))
- self.assertNotEqual(keys['ENCRYPTION'],
- keys['MAC'])
- self.assertIn('strategy', keys.keys())
-
- def test_key_strategy_diff(self):
- k1 = self._setup_keys(b'MAC')
- k2 = self._setup_keys(b'ENCRYPT')
- self.assertNotEqual(k1, k2)
-
- def test_sign_data(self):
- keys = self._setup_keys(b'MAC')
- sig = memcache_crypt.sign_data(keys['MAC'], b'data')
- self.assertEqual(len(sig), memcache_crypt.DIGEST_LENGTH_B64)
-
- def test_encryption(self):
- keys = self._setup_keys(b'ENCRYPT')
- # what you put in is what you get out
- for data in [b'data', b'1234567890123456', b'\x00\xFF' * 13
- ] + [six.int2byte(x % 256) * x for x in range(768)]:
- crypt = memcache_crypt.encrypt_data(keys['ENCRYPTION'], data)
- decrypt = memcache_crypt.decrypt_data(keys['ENCRYPTION'], crypt)
- self.assertEqual(data, decrypt)
- self.assertRaises(memcache_crypt.DecryptError,
- memcache_crypt.decrypt_data,
- keys['ENCRYPTION'], crypt[:-1])
-
- def test_protect_wrappers(self):
- data = b'My Pretty Little Data'
- for strategy in [b'MAC', b'ENCRYPT']:
- keys = self._setup_keys(strategy)
- protected = memcache_crypt.protect_data(keys, data)
- self.assertNotEqual(protected, data)
- if strategy == b'ENCRYPT':
- self.assertNotIn(data, protected)
- unprotected = memcache_crypt.unprotect_data(keys, protected)
- self.assertEqual(data, unprotected)
- self.assertRaises(memcache_crypt.InvalidMacError,
- memcache_crypt.unprotect_data,
- keys, protected[:-1])
- self.assertIsNone(memcache_crypt.unprotect_data(keys, None))
-
- def test_no_pycrypt(self):
- aes = memcache_crypt.AES
- memcache_crypt.AES = None
- self.assertRaises(memcache_crypt.CryptoUnavailableError,
- memcache_crypt.encrypt_data, 'token', 'secret',
- 'data')
- memcache_crypt.AES = aes
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_request.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_request.py
deleted file mode 100644
index 223433f8..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_request.py
+++ /dev/null
@@ -1,253 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import itertools
-import uuid
-
-from keystoneclient import access
-from keystoneclient import fixture
-
-from keystonemiddleware.auth_token import _request
-from keystonemiddleware.tests.unit import utils
-
-
-class RequestObjectTests(utils.TestCase):
-
- def setUp(self):
- super(RequestObjectTests, self).setUp()
- self.request = _request._AuthTokenRequest.blank('/')
-
- def test_setting_user_token_valid(self):
- self.assertNotIn('X-Identity-Status', self.request.headers)
-
- self.request.user_token_valid = True
- self.assertEqual('Confirmed',
- self.request.headers['X-Identity-Status'])
- self.assertTrue(self.request.user_token_valid)
-
- self.request.user_token_valid = False
- self.assertEqual('Invalid',
- self.request.headers['X-Identity-Status'])
- self.assertFalse(self.request.user_token_valid)
-
- def test_setting_service_token_valid(self):
- self.assertNotIn('X-Service-Identity-Status', self.request.headers)
-
- self.request.service_token_valid = True
- self.assertEqual('Confirmed',
- self.request.headers['X-Service-Identity-Status'])
- self.assertTrue(self.request.service_token_valid)
-
- self.request.service_token_valid = False
- self.assertEqual('Invalid',
- self.request.headers['X-Service-Identity-Status'])
- self.assertFalse(self.request.service_token_valid)
-
- def test_removing_headers(self):
- GOOD = ('X-Auth-Token',
- 'unknownstring',
- uuid.uuid4().hex)
-
- BAD = ('X-Domain-Id',
- 'X-Domain-Name',
- 'X-Project-Id',
- 'X-Project-Name',
- 'X-Project-Domain-Id',
- 'X-Project-Domain-Name',
- 'X-User-Id',
- 'X-User-Name',
- 'X-User-Domain-Id',
- 'X-User-Domain-Name',
- 'X-Roles',
- 'X-Identity-Status',
-
- 'X-Service-Domain-Id',
- 'X-Service-Domain-Name',
- 'X-Service-Project-Id',
- 'X-Service-Project-Name',
- 'X-Service-Project-Domain-Id',
- 'X-Service-Project-Domain-Name',
- 'X-Service-User-Id',
- 'X-Service-User-Name',
- 'X-Service-User-Domain-Id',
- 'X-Service-User-Domain-Name',
- 'X-Service-Roles',
- 'X-Service-Identity-Status',
-
- 'X-Service-Catalog',
-
- 'X-Role',
- 'X-User',
- 'X-Tenant-Id',
- 'X-Tenant-Name',
- 'X-Tenant',
- )
-
- header_vals = {}
-
- for header in itertools.chain(GOOD, BAD):
- v = uuid.uuid4().hex
- header_vals[header] = v
- self.request.headers[header] = v
-
- self.request.remove_auth_headers()
-
- for header in BAD:
- self.assertNotIn(header, self.request.headers)
-
- for header in GOOD:
- self.assertEqual(header_vals[header], self.request.headers[header])
-
- def _test_v3_headers(self, token, prefix):
- self.assertEqual(token.domain_id,
- self.request.headers['X%s-Domain-Id' % prefix])
- self.assertEqual(token.domain_name,
- self.request.headers['X%s-Domain-Name' % prefix])
- self.assertEqual(token.project_id,
- self.request.headers['X%s-Project-Id' % prefix])
- self.assertEqual(token.project_name,
- self.request.headers['X%s-Project-Name' % prefix])
- self.assertEqual(
- token.project_domain_id,
- self.request.headers['X%s-Project-Domain-Id' % prefix])
- self.assertEqual(
- token.project_domain_name,
- self.request.headers['X%s-Project-Domain-Name' % prefix])
-
- self.assertEqual(token.user_id,
- self.request.headers['X%s-User-Id' % prefix])
- self.assertEqual(token.user_name,
- self.request.headers['X%s-User-Name' % prefix])
- self.assertEqual(
- token.user_domain_id,
- self.request.headers['X%s-User-Domain-Id' % prefix])
- self.assertEqual(
- token.user_domain_name,
- self.request.headers['X%s-User-Domain-Name' % prefix])
-
- def test_project_scoped_user_headers(self):
- token = fixture.V3Token()
- token.set_project_scope()
- token_id = uuid.uuid4().hex
-
- auth_ref = access.AccessInfo.factory(token_id=token_id, body=token)
- self.request.set_user_headers(auth_ref, include_service_catalog=True)
-
- self._test_v3_headers(token, '')
-
- def test_project_scoped_service_headers(self):
- token = fixture.V3Token()
- token.set_project_scope()
- token_id = uuid.uuid4().hex
-
- auth_ref = access.AccessInfo.factory(token_id=token_id, body=token)
- self.request.set_service_headers(auth_ref)
-
- self._test_v3_headers(token, '-Service')
-
- def test_auth_type(self):
- self.assertIsNone(self.request.auth_type)
- self.request.environ['AUTH_TYPE'] = 'NeGoTiatE'
- self.assertEqual('negotiate', self.request.auth_type)
-
- def test_user_token(self):
- token = uuid.uuid4().hex
- self.assertIsNone(self.request.user_token)
- self.request.headers['X-Auth-Token'] = token
- self.assertEqual(token, self.request.user_token)
-
- def test_storage_token(self):
- storage_token = uuid.uuid4().hex
- user_token = uuid.uuid4().hex
-
- self.assertIsNone(self.request.user_token)
- self.request.headers['X-Storage-Token'] = storage_token
- self.assertEqual(storage_token, self.request.user_token)
- self.request.headers['X-Auth-Token'] = user_token
- self.assertEqual(user_token, self.request.user_token)
-
- def test_service_token(self):
- token = uuid.uuid4().hex
- self.assertIsNone(self.request.service_token)
- self.request.headers['X-Service-Token'] = token
- self.assertEqual(token, self.request.service_token)
-
- def test_token_auth(self):
- plugin = object()
-
- self.assertNotIn('keystone.token_auth', self.request.environ)
- self.request.token_auth = plugin
- self.assertIs(plugin, self.request.environ['keystone.token_auth'])
- self.assertIs(plugin, self.request.token_auth)
-
-
-class CatalogConversionTests(utils.TestCase):
-
- PUBLIC_URL = 'http://server:5000/v2.0'
- ADMIN_URL = 'http://admin:35357/v2.0'
- INTERNAL_URL = 'http://internal:5000/v2.0'
-
- REGION_ONE = 'RegionOne'
- REGION_TWO = 'RegionTwo'
- REGION_THREE = 'RegionThree'
-
- def test_basic_convert(self):
- token = fixture.V3Token()
- s = token.add_service(type='identity')
- s.add_standard_endpoints(public=self.PUBLIC_URL,
- admin=self.ADMIN_URL,
- internal=self.INTERNAL_URL,
- region=self.REGION_ONE)
-
- auth_ref = access.AccessInfo.factory(body=token)
- catalog_data = auth_ref.service_catalog.get_data()
- catalog = _request._v3_to_v2_catalog(catalog_data)
-
- self.assertEqual(1, len(catalog))
- service = catalog[0]
- self.assertEqual(1, len(service['endpoints']))
- endpoints = service['endpoints'][0]
-
- self.assertEqual('identity', service['type'])
- self.assertEqual(4, len(endpoints))
- self.assertEqual(self.PUBLIC_URL, endpoints['publicURL'])
- self.assertEqual(self.ADMIN_URL, endpoints['adminURL'])
- self.assertEqual(self.INTERNAL_URL, endpoints['internalURL'])
- self.assertEqual(self.REGION_ONE, endpoints['region'])
-
- def test_multi_region(self):
- token = fixture.V3Token()
- s = token.add_service(type='identity')
-
- s.add_endpoint('internal', self.INTERNAL_URL, region=self.REGION_ONE)
- s.add_endpoint('public', self.PUBLIC_URL, region=self.REGION_TWO)
- s.add_endpoint('admin', self.ADMIN_URL, region=self.REGION_THREE)
-
- auth_ref = access.AccessInfo.factory(body=token)
- catalog_data = auth_ref.service_catalog.get_data()
- catalog = _request._v3_to_v2_catalog(catalog_data)
-
- self.assertEqual(1, len(catalog))
- service = catalog[0]
-
- # the 3 regions will come through as 3 separate endpoints
- expected = [{'internalURL': self.INTERNAL_URL,
- 'region': self.REGION_ONE},
- {'publicURL': self.PUBLIC_URL,
- 'region': self.REGION_TWO},
- {'adminURL': self.ADMIN_URL,
- 'region': self.REGION_THREE}]
-
- self.assertEqual('identity', service['type'])
- self.assertEqual(3, len(service['endpoints']))
- for e in expected:
- self.assertIn(e, expected)
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py
deleted file mode 100644
index 258e195a..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_revocations.py
+++ /dev/null
@@ -1,104 +0,0 @@
-# Copyright 2014 IBM Corp.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import datetime
-import json
-import shutil
-import uuid
-
-import mock
-
-from keystonemiddleware.auth_token import _exceptions as exc
-from keystonemiddleware.auth_token import _revocations
-from keystonemiddleware.auth_token import _signing_dir
-from keystonemiddleware.tests.unit import utils
-
-
-class RevocationsTests(utils.BaseTestCase):
-
- def _setup_revocations(self, revoked_list):
- directory_name = '/tmp/%s' % uuid.uuid4().hex
- signing_directory = _signing_dir.SigningDirectory(directory_name)
- self.addCleanup(shutil.rmtree, directory_name)
-
- identity_server = mock.Mock()
-
- verify_result_obj = {'revoked': revoked_list}
- cms_verify = mock.Mock(return_value=json.dumps(verify_result_obj))
-
- revocations = _revocations.Revocations(
- timeout=datetime.timedelta(1), signing_directory=signing_directory,
- identity_server=identity_server, cms_verify=cms_verify)
- return revocations
-
- def _check_with_list(self, revoked_list, token_ids):
- revoked_list = list({'id': r} for r in revoked_list)
- revocations = self._setup_revocations(revoked_list)
- revocations.check(token_ids)
-
- def test_check_empty_list(self):
- # When the identity server returns an empty list, a token isn't
- # revoked.
-
- revoked_tokens = []
- token_ids = [uuid.uuid4().hex]
- # No assert because this would raise
- self._check_with_list(revoked_tokens, token_ids)
-
- def test_check_revoked(self):
- # When the identity server returns a list with a token in it, that
- # token is revoked.
-
- token_id = uuid.uuid4().hex
- revoked_tokens = [token_id]
- token_ids = [token_id]
- self.assertRaises(exc.InvalidToken,
- self._check_with_list, revoked_tokens, token_ids)
-
- def test_check_by_audit_id_revoked(self):
- # When the audit ID is in the revocation list, InvalidToken is raised.
- audit_id = uuid.uuid4().hex
- revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': audit_id}]
- revocations = self._setup_revocations(revoked_list)
- self.assertRaises(exc.InvalidToken,
- revocations.check_by_audit_id, [audit_id])
-
- def test_check_by_audit_id_chain_revoked(self):
- # When the token's audit chain ID is in the revocation list,
- # InvalidToken is raised.
- revoked_audit_id = uuid.uuid4().hex
- revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': revoked_audit_id}]
- revocations = self._setup_revocations(revoked_list)
-
- token_audit_ids = [uuid.uuid4().hex, revoked_audit_id]
- self.assertRaises(exc.InvalidToken,
- revocations.check_by_audit_id, token_audit_ids)
-
- def test_check_by_audit_id_not_revoked(self):
- # When the audit ID is not in the revocation list no exception.
- revoked_list = [{'id': uuid.uuid4().hex, 'audit_id': uuid.uuid4().hex}]
- revocations = self._setup_revocations(revoked_list)
-
- audit_id = uuid.uuid4().hex
- revocations.check_by_audit_id([audit_id])
-
- def test_check_by_audit_id_no_audit_ids(self):
- # Older identity servers don't send audit_ids in the revocation list.
- # When this happens, check_by_audit_id still works, just doesn't
- # verify anything.
- revoked_list = [{'id': uuid.uuid4().hex}]
- revocations = self._setup_revocations(revoked_list)
-
- audit_id = uuid.uuid4().hex
- revocations.check_by_audit_id([audit_id])
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py
deleted file mode 100644
index b2ef95dd..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_signing_dir.py
+++ /dev/null
@@ -1,137 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-import shutil
-import stat
-import uuid
-
-from keystonemiddleware.auth_token import _signing_dir
-from keystonemiddleware.tests.unit import utils
-
-
-class SigningDirectoryTests(utils.BaseTestCase):
-
- def test_directory_created_when_doesnt_exist(self):
- # When _SigningDirectory is created, if the directory doesn't exist
- # it's created with the expected permissions.
- tmp_name = uuid.uuid4().hex
- parent_directory = '/tmp/%s' % tmp_name
- directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
-
- # Directories are created by __init__.
- _signing_dir.SigningDirectory(directory_name)
- self.addCleanup(shutil.rmtree, parent_directory)
-
- self.assertTrue(os.path.isdir(directory_name))
- self.assertTrue(os.access(directory_name, os.W_OK))
- self.assertEqual(os.stat(directory_name).st_uid, os.getuid())
- self.assertEqual(stat.S_IMODE(os.stat(directory_name).st_mode),
- stat.S_IRWXU)
-
- def test_use_directory_already_exists(self):
- # The directory can already exist.
-
- tmp_name = uuid.uuid4().hex
- parent_directory = '/tmp/%s' % tmp_name
- directory_name = '/tmp/%s/%s' % ((tmp_name,) * 2)
- os.makedirs(directory_name, stat.S_IRWXU)
- self.addCleanup(shutil.rmtree, parent_directory)
-
- _signing_dir.SigningDirectory(directory_name)
-
- def test_write_file(self):
- # write_file when the file doesn't exist creates the file.
-
- signing_directory = _signing_dir.SigningDirectory()
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- file_name = self.getUniqueString()
- contents = self.getUniqueString()
- signing_directory.write_file(file_name, contents)
-
- file_path = signing_directory.calc_path(file_name)
- with open(file_path) as f:
- actual_contents = f.read()
-
- self.assertEqual(contents, actual_contents)
-
- def test_replace_file(self):
- # write_file when the file already exists overwrites it.
-
- signing_directory = _signing_dir.SigningDirectory()
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- file_name = self.getUniqueString()
- orig_contents = self.getUniqueString()
- signing_directory.write_file(file_name, orig_contents)
-
- new_contents = self.getUniqueString()
- signing_directory.write_file(file_name, new_contents)
-
- file_path = signing_directory.calc_path(file_name)
- with open(file_path) as f:
- actual_contents = f.read()
-
- self.assertEqual(new_contents, actual_contents)
-
- def test_recreate_directory(self):
- # If the original directory is lost, it gets recreated when a file
- # is written.
-
- signing_directory = _signing_dir.SigningDirectory()
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- # Delete the directory.
- shutil.rmtree(signing_directory._directory_name)
-
- file_name = self.getUniqueString()
- contents = self.getUniqueString()
- signing_directory.write_file(file_name, contents)
-
- actual_contents = signing_directory.read_file(file_name)
- self.assertEqual(contents, actual_contents)
-
- def test_read_file(self):
- # Can read a file that was written.
-
- signing_directory = _signing_dir.SigningDirectory()
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- file_name = self.getUniqueString()
- contents = self.getUniqueString()
- signing_directory.write_file(file_name, contents)
-
- actual_contents = signing_directory.read_file(file_name)
-
- self.assertEqual(contents, actual_contents)
-
- def test_read_file_doesnt_exist(self):
- # Show what happens when try to read a file that wasn't written.
-
- signing_directory = _signing_dir.SigningDirectory()
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- file_name = self.getUniqueString()
- self.assertRaises(IOError, signing_directory.read_file, file_name)
-
- def test_calc_path(self):
- # calc_path returns the actual filename built from the directory name.
-
- signing_directory = _signing_dir.SigningDirectory()
- self.addCleanup(shutil.rmtree, signing_directory._directory_name)
-
- file_name = self.getUniqueString()
- actual_path = signing_directory.calc_path(file_name)
- expected_path = os.path.join(signing_directory._directory_name,
- file_name)
- self.assertEqual(expected_path, actual_path)
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py
deleted file mode 100644
index 19d3d7a9..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_user_auth_plugin.py
+++ /dev/null
@@ -1,201 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import uuid
-import warnings
-
-from keystoneclient import auth
-from keystoneclient import fixture
-
-from keystonemiddleware.auth_token import _base
-from keystonemiddleware.tests.unit.auth_token import base
-
-# NOTE(jamielennox): just some sample values that we can use for testing
-BASE_URI = 'https://keystone.example.com:1234'
-AUTH_URL = 'https://keystone.auth.com:1234'
-
-
-class BaseUserPluginTests(object):
-
- def configure_middleware(self,
- auth_plugin,
- group='keystone_authtoken',
- **kwargs):
- # NOTE(gyee): For this test suite and for the stable liberty branch
- # only, we will ignore deprecated calls that keystonemiddleware makes.
- warnings.filterwarnings('ignore', category=DeprecationWarning,
- module='^keystonemiddleware\\.')
-
- opts = auth.get_plugin_class(auth_plugin).get_options()
- self.cfg.register_opts(opts, group=group)
-
- # Since these tests cfg.config() themselves rather than waiting for
- # auth_token to do it on __init__ we need to register the base auth
- # options (e.g., auth_plugin)
- auth.register_conf_options(self.cfg.conf, group=_base.AUTHTOKEN_GROUP)
-
- self.cfg.config(group=group,
- auth_plugin=auth_plugin,
- **kwargs)
-
- def assertTokenDataEqual(self, token_id, token, token_data):
- self.assertEqual(token_id, token_data.auth_token)
- self.assertEqual(token.user_id, token_data.user_id)
- try:
- trust_id = token.trust_id
- except KeyError:
- trust_id = None
- self.assertEqual(trust_id, token_data.trust_id)
- self.assertEqual(self.get_role_names(token), token_data.role_names)
-
- def get_plugin(self, token_id, service_token_id=None):
- headers = {'X-Auth-Token': token_id}
-
- if service_token_id:
- headers['X-Service-Token'] = service_token_id
-
- m = self.create_simple_middleware()
-
- resp = self.call(m, headers=headers)
- self.assertEqual(200, resp.status_int)
- return resp.request.environ['keystone.token_auth']
-
- def test_user_information(self):
- token_id, token = self.get_token()
- plugin = self.get_plugin(token_id)
-
- self.assertTokenDataEqual(token_id, token, plugin.user)
- self.assertFalse(plugin.has_service_token)
- self.assertIsNone(plugin.service)
-
- def test_with_service_information(self):
- token_id, token = self.get_token()
- service_id, service = self.get_token()
-
- plugin = self.get_plugin(token_id, service_id)
-
- self.assertTokenDataEqual(token_id, token, plugin.user)
- self.assertTokenDataEqual(service_id, service, plugin.service)
-
-
-class V2UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
-
- def setUp(self):
- super(V2UserPluginTests, self).setUp()
-
- self.service_token = fixture.V2Token()
- self.service_token.set_scope()
- s = self.service_token.add_service('identity', name='keystone')
-
- s.add_endpoint(public=BASE_URI,
- admin=BASE_URI,
- internal=BASE_URI)
-
- self.configure_middleware(auth_plugin='v2password',
- auth_url='%s/v2.0/' % AUTH_URL,
- user_id=self.service_token.user_id,
- password=uuid.uuid4().hex,
- tenant_id=self.service_token.tenant_id)
-
- auth_discovery = fixture.DiscoveryList(href=AUTH_URL, v3=False)
- self.requests_mock.get(AUTH_URL, json=auth_discovery)
-
- base_discovery = fixture.DiscoveryList(href=BASE_URI, v3=False)
- self.requests_mock.get(BASE_URI, json=base_discovery)
-
- url = '%s/v2.0/tokens' % AUTH_URL
- self.requests_mock.post(url, json=self.service_token)
-
- def get_role_names(self, token):
- return set(x['name'] for x in token['access']['user'].get('roles', []))
-
- def get_token(self):
- token = fixture.V2Token()
- token.set_scope()
- token.add_role()
-
- request_headers = {'X-Auth-Token': self.service_token.token_id}
-
- url = '%s/v2.0/tokens/%s' % (BASE_URI, token.token_id)
- self.requests_mock.get(url,
- request_headers=request_headers,
- json=token)
-
- return token.token_id, token
-
- def assertTokenDataEqual(self, token_id, token, token_data):
- super(V2UserPluginTests, self).assertTokenDataEqual(token_id,
- token,
- token_data)
-
- self.assertEqual(token.tenant_id, token_data.project_id)
- self.assertIsNone(token_data.user_domain_id)
- self.assertIsNone(token_data.project_domain_id)
-
-
-class V3UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
-
- def setUp(self):
- super(V3UserPluginTests, self).setUp()
-
- self.service_token_id = uuid.uuid4().hex
- self.service_token = fixture.V3Token()
- s = self.service_token.add_service('identity', name='keystone')
- s.add_standard_endpoints(public=BASE_URI,
- admin=BASE_URI,
- internal=BASE_URI)
-
- self.configure_middleware(auth_plugin='v3password',
- auth_url='%s/v3/' % AUTH_URL,
- user_id=self.service_token.user_id,
- password=uuid.uuid4().hex,
- project_id=self.service_token.project_id)
-
- auth_discovery = fixture.DiscoveryList(href=AUTH_URL)
- self.requests_mock.get(AUTH_URL, json=auth_discovery)
-
- base_discovery = fixture.DiscoveryList(href=BASE_URI)
- self.requests_mock.get(BASE_URI, json=base_discovery)
-
- self.requests_mock.post(
- '%s/v3/auth/tokens' % AUTH_URL,
- headers={'X-Subject-Token': self.service_token_id},
- json=self.service_token)
-
- def get_role_names(self, token):
- return set(x['name'] for x in token['token'].get('roles', []))
-
- def get_token(self):
- token_id = uuid.uuid4().hex
- token = fixture.V3Token()
- token.set_project_scope()
- token.add_role()
-
- request_headers = {'X-Auth-Token': self.service_token_id,
- 'X-Subject-Token': token_id}
- headers = {'X-Subject-Token': token_id}
-
- self.requests_mock.get('%s/v3/auth/tokens' % BASE_URI,
- request_headers=request_headers,
- headers=headers,
- json=token)
-
- return token_id, token
-
- def assertTokenDataEqual(self, token_id, token, token_data):
- super(V3UserPluginTests, self).assertTokenDataEqual(token_id,
- token,
- token_data)
-
- self.assertEqual(token.user_domain_id, token_data.user_domain_id)
- self.assertEqual(token.project_id, token_data.project_id)
- self.assertEqual(token.project_domain_id, token_data.project_domain_id)
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_utils.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_utils.py
deleted file mode 100644
index fcd1e628..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/test_utils.py
+++ /dev/null
@@ -1,37 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import testtools
-
-from keystonemiddleware.auth_token import _utils
-
-
-class TokenEncodingTest(testtools.TestCase):
-
- def test_unquoted_token(self):
- self.assertEqual('foo%20bar', _utils.safe_quote('foo bar'))
-
- def test_quoted_token(self):
- self.assertEqual('foo%20bar', _utils.safe_quote('foo%20bar'))
-
- def test_messages_encoded_as_bytes(self):
- """Test that string are passed around as bytes for PY3."""
- msg = "This is an error"
-
- class FakeResp(_utils.MiniResp):
- def __init__(self, error, env):
- super(FakeResp, self).__init__(error, env)
-
- fake_resp = FakeResp(msg, dict(REQUEST_METHOD='GET'))
- # On Py2 .encode() don't do much but that's better than to
- # have a ifdef with six.PY3
- self.assertEqual(msg.encode(), fake_resp.body[0])
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/client_fixtures.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/client_fixtures.py
deleted file mode 100644
index ee4111ec..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/client_fixtures.py
+++ /dev/null
@@ -1,452 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-
-import fixtures
-from keystoneclient.common import cms
-from keystoneclient import fixture
-from keystoneclient import utils
-from oslo_serialization import jsonutils
-from oslo_utils import timeutils
-import six
-import testresources
-
-
-TESTDIR = os.path.dirname(os.path.abspath(__file__))
-ROOTDIR = os.path.normpath(os.path.join(TESTDIR, '..', '..', '..'))
-CERTDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'certs')
-CMSDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'cms')
-KEYDIR = os.path.join(ROOTDIR, 'examples', 'pki', 'private')
-
-
-def _hash_signed_token_safe(signed_text, **kwargs):
- if isinstance(signed_text, six.text_type):
- signed_text = signed_text.encode('utf-8')
- return utils.hash_signed_token(signed_text, **kwargs)
-
-
-class Examples(fixtures.Fixture):
- """Example tokens and certs loaded from the examples directory.
-
- To use this class correctly, the module needs to override the test suite
- class to use testresources.OptimisingTestSuite (otherwise the files will
- be read on every test). This is done by defining a load_tests function
- in the module, like this:
-
- def load_tests(loader, tests, pattern):
- return testresources.OptimisingTestSuite(tests)
-
- (see http://docs.python.org/2/library/unittest.html#load-tests-protocol )
-
- """
-
- def setUp(self):
- super(Examples, self).setUp()
-
- # The data for several tests are signed using openssl and are stored in
- # files in the signing subdirectory. In order to keep the values
- # consistent between the tests and the signed documents, we read them
- # in for use in the tests.
- with open(os.path.join(CMSDIR, 'auth_token_scoped.json')) as f:
- self.TOKEN_SCOPED_DATA = cms.cms_to_token(f.read())
-
- with open(os.path.join(CMSDIR, 'auth_token_scoped.pem')) as f:
- self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read())
- self.SIGNED_TOKEN_SCOPED_HASH = _hash_signed_token_safe(
- self.SIGNED_TOKEN_SCOPED)
- self.SIGNED_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe(
- self.SIGNED_TOKEN_SCOPED, mode='sha256')
- with open(os.path.join(CMSDIR, 'auth_token_unscoped.pem')) as f:
- self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pem')) as f:
- self.SIGNED_v3_TOKEN_SCOPED = cms.cms_to_token(f.read())
- self.SIGNED_v3_TOKEN_SCOPED_HASH = _hash_signed_token_safe(
- self.SIGNED_v3_TOKEN_SCOPED)
- self.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe(
- self.SIGNED_v3_TOKEN_SCOPED, mode='sha256')
- with open(os.path.join(CMSDIR, 'auth_token_revoked.pem')) as f:
- self.REVOKED_TOKEN = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pem')) as f:
- self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pem')) as f:
- self.REVOKED_v3_TOKEN = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_token_scoped.pkiz')) as f:
- self.SIGNED_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_token_unscoped.pkiz')) as f:
- self.SIGNED_TOKEN_UNSCOPED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pkiz')) as f:
- self.SIGNED_v3_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_token_revoked.pkiz')) as f:
- self.REVOKED_TOKEN_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR,
- 'auth_token_scoped_expired.pkiz')) as f:
- self.SIGNED_TOKEN_SCOPED_EXPIRED_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pkiz')) as f:
- self.REVOKED_v3_TOKEN_PKIZ = cms.cms_to_token(f.read())
- with open(os.path.join(CMSDIR, 'revocation_list.json')) as f:
- self.REVOCATION_LIST = jsonutils.loads(f.read())
- with open(os.path.join(CMSDIR, 'revocation_list.pem')) as f:
- self.SIGNED_REVOCATION_LIST = jsonutils.dumps({'signed': f.read()})
-
- self.SIGNING_CERT_FILE = os.path.join(CERTDIR, 'signing_cert.pem')
- with open(self.SIGNING_CERT_FILE) as f:
- self.SIGNING_CERT = f.read()
-
- self.KERBEROS_BIND = 'USER@REALM'
-
- self.SIGNING_KEY_FILE = os.path.join(KEYDIR, 'signing_key.pem')
- with open(self.SIGNING_KEY_FILE) as f:
- self.SIGNING_KEY = f.read()
-
- self.SIGNING_CA_FILE = os.path.join(CERTDIR, 'cacert.pem')
- with open(self.SIGNING_CA_FILE) as f:
- self.SIGNING_CA = f.read()
-
- self.UUID_TOKEN_DEFAULT = "ec6c0710ec2f471498484c1b53ab4f9d"
- self.UUID_TOKEN_NO_SERVICE_CATALOG = '8286720fbe4941e69fa8241723bb02df'
- self.UUID_TOKEN_UNSCOPED = '731f903721c14827be7b2dc912af7776'
- self.UUID_TOKEN_BIND = '3fc54048ad64405c98225ce0897af7c5'
- self.UUID_TOKEN_UNKNOWN_BIND = '8885fdf4d42e4fb9879e6379fa1eaf48'
- self.VALID_DIABLO_TOKEN = 'b0cf19b55dbb4f20a6ee18e6c6cf1726'
- self.v3_UUID_TOKEN_DEFAULT = '5603457654b346fdbb93437bfe76f2f1'
- self.v3_UUID_TOKEN_UNSCOPED = 'd34835fdaec447e695a0a024d84f8d79'
- self.v3_UUID_TOKEN_DOMAIN_SCOPED = 'e8a7b63aaa4449f38f0c5c05c3581792'
- self.v3_UUID_TOKEN_BIND = '2f61f73e1c854cbb9534c487f9bd63c2'
- self.v3_UUID_TOKEN_UNKNOWN_BIND = '7ed9781b62cd4880b8d8c6788ab1d1e2'
-
- self.UUID_SERVICE_TOKEN_DEFAULT = 'fe4c0710ec2f492748596c1b53ab124'
- self.v3_UUID_SERVICE_TOKEN_DEFAULT = 'g431071bbc2f492748596c1b53cb229'
-
- revoked_token = self.REVOKED_TOKEN
- if isinstance(revoked_token, six.text_type):
- revoked_token = revoked_token.encode('utf-8')
- self.REVOKED_TOKEN_HASH = utils.hash_signed_token(revoked_token)
- self.REVOKED_TOKEN_HASH_SHA256 = utils.hash_signed_token(revoked_token,
- mode='sha256')
- self.REVOKED_TOKEN_LIST = (
- {'revoked': [{'id': self.REVOKED_TOKEN_HASH,
- 'expires': timeutils.utcnow()}]})
- self.REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(self.REVOKED_TOKEN_LIST)
-
- revoked_v3_token = self.REVOKED_v3_TOKEN
- if isinstance(revoked_v3_token, six.text_type):
- revoked_v3_token = revoked_v3_token.encode('utf-8')
- self.REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(revoked_v3_token)
- hash = utils.hash_signed_token(revoked_v3_token, mode='sha256')
- self.REVOKED_v3_TOKEN_HASH_SHA256 = hash
- self.REVOKED_v3_TOKEN_LIST = (
- {'revoked': [{'id': self.REVOKED_v3_TOKEN_HASH,
- 'expires': timeutils.utcnow()}]})
- self.REVOKED_v3_TOKEN_LIST_JSON = jsonutils.dumps(
- self.REVOKED_v3_TOKEN_LIST)
-
- revoked_token_pkiz = self.REVOKED_TOKEN_PKIZ
- if isinstance(revoked_token_pkiz, six.text_type):
- revoked_token_pkiz = revoked_token_pkiz.encode('utf-8')
- self.REVOKED_TOKEN_PKIZ_HASH = utils.hash_signed_token(
- revoked_token_pkiz)
- revoked_v3_token_pkiz = self.REVOKED_v3_TOKEN_PKIZ
- if isinstance(revoked_v3_token_pkiz, six.text_type):
- revoked_v3_token_pkiz = revoked_v3_token_pkiz.encode('utf-8')
- self.REVOKED_v3_PKIZ_TOKEN_HASH = utils.hash_signed_token(
- revoked_v3_token_pkiz)
-
- self.REVOKED_TOKEN_PKIZ_LIST = (
- {'revoked': [{'id': self.REVOKED_TOKEN_PKIZ_HASH,
- 'expires': timeutils.utcnow()},
- {'id': self.REVOKED_v3_PKIZ_TOKEN_HASH,
- 'expires': timeutils.utcnow()},
- ]})
- self.REVOKED_TOKEN_PKIZ_LIST_JSON = jsonutils.dumps(
- self.REVOKED_TOKEN_PKIZ_LIST)
-
- self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_SCOPED)
- self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_UNSCOPED)
- self.SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token(
- self.SIGNED_v3_TOKEN_SCOPED)
-
- self.SIGNED_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_SCOPED_PKIZ)
- self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY = cms.cms_hash_token(
- self.SIGNED_TOKEN_UNSCOPED_PKIZ)
- self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token(
- self.SIGNED_v3_TOKEN_SCOPED_PKIZ)
-
- self.INVALID_SIGNED_TOKEN = (
- "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
- "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
- "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
- "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
- "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "0000000000000000000000000000000000000000000000000000000000000000"
- "1111111111111111111111111111111111111111111111111111111111111111"
- "2222222222222222222222222222222222222222222222222222222222222222"
- "3333333333333333333333333333333333333333333333333333333333333333"
- "4444444444444444444444444444444444444444444444444444444444444444"
- "5555555555555555555555555555555555555555555555555555555555555555"
- "6666666666666666666666666666666666666666666666666666666666666666"
- "7777777777777777777777777777777777777777777777777777777777777777"
- "8888888888888888888888888888888888888888888888888888888888888888"
- "9999999999999999999999999999999999999999999999999999999999999999"
- "0000000000000000000000000000000000000000000000000000000000000000")
-
- self.INVALID_SIGNED_PKIZ_TOKEN = (
- "PKIZ_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
- "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
- "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
- "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
- "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "0000000000000000000000000000000000000000000000000000000000000000"
- "1111111111111111111111111111111111111111111111111111111111111111"
- "2222222222222222222222222222222222222222222222222222222222222222"
- "3333333333333333333333333333333333333333333333333333333333333333"
- "4444444444444444444444444444444444444444444444444444444444444444"
- "5555555555555555555555555555555555555555555555555555555555555555"
- "6666666666666666666666666666666666666666666666666666666666666666"
- "7777777777777777777777777777777777777777777777777777777777777777"
- "8888888888888888888888888888888888888888888888888888888888888888"
- "9999999999999999999999999999999999999999999999999999999999999999"
- "0000000000000000000000000000000000000000000000000000000000000000")
-
- # JSON responses keyed by token ID
- self.TOKEN_RESPONSES = {}
-
- # basic values
- PROJECT_ID = 'tenant_id1'
- PROJECT_NAME = 'tenant_name1'
- USER_ID = 'user_id1'
- USER_NAME = 'user_name1'
- DOMAIN_ID = 'domain_id1'
- DOMAIN_NAME = 'domain_name1'
- ROLE_NAME1 = 'role1'
- ROLE_NAME2 = 'role2'
-
- SERVICE_PROJECT_ID = 'service_project_id1'
- SERVICE_PROJECT_NAME = 'service_project_name1'
- SERVICE_USER_ID = 'service_user_id1'
- SERVICE_USER_NAME = 'service_user_name1'
- SERVICE_DOMAIN_ID = 'service_domain_id1'
- SERVICE_DOMAIN_NAME = 'service_domain_name1'
- SERVICE_ROLE_NAME1 = 'service_role1'
- SERVICE_ROLE_NAME2 = 'service_role2'
-
- self.SERVICE_TYPE = 'identity'
- self.UNVERSIONED_SERVICE_URL = 'http://keystone.server:5000/'
- self.SERVICE_URL = self.UNVERSIONED_SERVICE_URL + 'v2.0'
-
- # Old Tokens
-
- self.TOKEN_RESPONSES[self.VALID_DIABLO_TOKEN] = {
- 'access': {
- 'token': {
- 'id': self.VALID_DIABLO_TOKEN,
- 'expires': '2020-01-01T00:00:10.000123Z',
- 'tenantId': PROJECT_ID,
- },
- 'user': {
- 'id': USER_ID,
- 'name': USER_NAME,
- 'roles': [
- {'name': ROLE_NAME1},
- {'name': ROLE_NAME2},
- ],
- },
- },
- }
-
- # Generated V2 Tokens
-
- token = fixture.V2Token(token_id=self.UUID_TOKEN_DEFAULT,
- tenant_id=PROJECT_ID,
- tenant_name=PROJECT_NAME,
- user_id=USER_ID,
- user_name=USER_NAME)
- token.add_role(name=ROLE_NAME1)
- token.add_role(name=ROLE_NAME2)
- svc = token.add_service(self.SERVICE_TYPE)
- svc.add_endpoint(public=self.SERVICE_URL)
- self.TOKEN_RESPONSES[self.UUID_TOKEN_DEFAULT] = token
-
- token = fixture.V2Token(token_id=self.UUID_TOKEN_UNSCOPED,
- user_id=USER_ID,
- user_name=USER_NAME)
- self.TOKEN_RESPONSES[self.UUID_TOKEN_UNSCOPED] = token
-
- token = fixture.V2Token(token_id='valid-token',
- tenant_id=PROJECT_ID,
- tenant_name=PROJECT_NAME,
- user_id=USER_ID,
- user_name=USER_NAME)
- token.add_role(ROLE_NAME1)
- token.add_role(ROLE_NAME2)
- self.TOKEN_RESPONSES[self.UUID_TOKEN_NO_SERVICE_CATALOG] = token
-
- token = fixture.V2Token(token_id=self.SIGNED_TOKEN_SCOPED_KEY,
- tenant_id=PROJECT_ID,
- tenant_name=PROJECT_NAME,
- user_id=USER_ID,
- user_name=USER_NAME)
- token.add_role(ROLE_NAME1)
- token.add_role(ROLE_NAME2)
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = token
-
- token = fixture.V2Token(token_id=self.SIGNED_TOKEN_UNSCOPED_KEY,
- user_id=USER_ID,
- user_name=USER_NAME)
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY] = token
-
- token = fixture.V2Token(token_id=self.UUID_TOKEN_BIND,
- tenant_id=PROJECT_ID,
- tenant_name=PROJECT_NAME,
- user_id=USER_ID,
- user_name=USER_NAME)
- token.add_role(ROLE_NAME1)
- token.add_role(ROLE_NAME2)
- token['access']['token']['bind'] = {'kerberos': self.KERBEROS_BIND}
- self.TOKEN_RESPONSES[self.UUID_TOKEN_BIND] = token
-
- token = fixture.V2Token(token_id=self.UUID_TOKEN_UNKNOWN_BIND,
- tenant_id=PROJECT_ID,
- tenant_name=PROJECT_NAME,
- user_id=USER_ID,
- user_name=USER_NAME)
- token.add_role(ROLE_NAME1)
- token.add_role(ROLE_NAME2)
- token['access']['token']['bind'] = {'FOO': 'BAR'}
- self.TOKEN_RESPONSES[self.UUID_TOKEN_UNKNOWN_BIND] = token
-
- token = fixture.V2Token(token_id=self.UUID_SERVICE_TOKEN_DEFAULT,
- tenant_id=SERVICE_PROJECT_ID,
- tenant_name=SERVICE_PROJECT_NAME,
- user_id=SERVICE_USER_ID,
- user_name=SERVICE_USER_NAME)
- token.add_role(name=SERVICE_ROLE_NAME1)
- token.add_role(name=SERVICE_ROLE_NAME2)
- svc = token.add_service(self.SERVICE_TYPE)
- svc.add_endpoint(public=self.SERVICE_URL)
- self.TOKEN_RESPONSES[self.UUID_SERVICE_TOKEN_DEFAULT] = token
-
- # Generated V3 Tokens
-
- token = fixture.V3Token(user_id=USER_ID,
- user_name=USER_NAME,
- user_domain_id=DOMAIN_ID,
- user_domain_name=DOMAIN_NAME,
- project_id=PROJECT_ID,
- project_name=PROJECT_NAME,
- project_domain_id=DOMAIN_ID,
- project_domain_name=DOMAIN_NAME)
- token.add_role(id=ROLE_NAME1, name=ROLE_NAME1)
- token.add_role(id=ROLE_NAME2, name=ROLE_NAME2)
- svc = token.add_service(self.SERVICE_TYPE)
- svc.add_endpoint('public', self.SERVICE_URL)
- self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_DEFAULT] = token
-
- token = fixture.V3Token(user_id=USER_ID,
- user_name=USER_NAME,
- user_domain_id=DOMAIN_ID,
- user_domain_name=DOMAIN_NAME)
- self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_UNSCOPED] = token
-
- token = fixture.V3Token(user_id=USER_ID,
- user_name=USER_NAME,
- user_domain_id=DOMAIN_ID,
- user_domain_name=DOMAIN_NAME,
- domain_id=DOMAIN_ID,
- domain_name=DOMAIN_NAME)
- token.add_role(id=ROLE_NAME1, name=ROLE_NAME1)
- token.add_role(id=ROLE_NAME2, name=ROLE_NAME2)
- svc = token.add_service(self.SERVICE_TYPE)
- svc.add_endpoint('public', self.SERVICE_URL)
- self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_DOMAIN_SCOPED] = token
-
- token = fixture.V3Token(user_id=USER_ID,
- user_name=USER_NAME,
- user_domain_id=DOMAIN_ID,
- user_domain_name=DOMAIN_NAME,
- project_id=PROJECT_ID,
- project_name=PROJECT_NAME,
- project_domain_id=DOMAIN_ID,
- project_domain_name=DOMAIN_NAME)
- token.add_role(name=ROLE_NAME1)
- token.add_role(name=ROLE_NAME2)
- svc = token.add_service(self.SERVICE_TYPE)
- svc.add_endpoint('public', self.SERVICE_URL)
- self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY] = token
-
- token = fixture.V3Token(user_id=USER_ID,
- user_name=USER_NAME,
- user_domain_id=DOMAIN_ID,
- user_domain_name=DOMAIN_NAME,
- project_id=PROJECT_ID,
- project_name=PROJECT_NAME,
- project_domain_id=DOMAIN_ID,
- project_domain_name=DOMAIN_NAME)
- token.add_role(name=ROLE_NAME1)
- token.add_role(name=ROLE_NAME2)
- svc = token.add_service(self.SERVICE_TYPE)
- svc.add_endpoint('public', self.SERVICE_URL)
- token['token']['bind'] = {'kerberos': self.KERBEROS_BIND}
- self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_BIND] = token
-
- token = fixture.V3Token(user_id=USER_ID,
- user_name=USER_NAME,
- user_domain_id=DOMAIN_ID,
- user_domain_name=DOMAIN_NAME,
- project_id=PROJECT_ID,
- project_name=PROJECT_NAME,
- project_domain_id=DOMAIN_ID,
- project_domain_name=DOMAIN_NAME)
- token.add_role(name=ROLE_NAME1)
- token.add_role(name=ROLE_NAME2)
- svc = token.add_service(self.SERVICE_TYPE)
- svc.add_endpoint('public', self.SERVICE_URL)
- token['token']['bind'] = {'FOO': 'BAR'}
- self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_UNKNOWN_BIND] = token
-
- token = fixture.V3Token(user_id=SERVICE_USER_ID,
- user_name=SERVICE_USER_NAME,
- user_domain_id=SERVICE_DOMAIN_ID,
- user_domain_name=SERVICE_DOMAIN_NAME,
- project_id=SERVICE_PROJECT_ID,
- project_name=SERVICE_PROJECT_NAME,
- project_domain_id=SERVICE_DOMAIN_ID,
- project_domain_name=SERVICE_DOMAIN_NAME)
- token.add_role(id=SERVICE_ROLE_NAME1,
- name=SERVICE_ROLE_NAME1)
- token.add_role(id=SERVICE_ROLE_NAME2,
- name=SERVICE_ROLE_NAME2)
- svc = token.add_service(self.SERVICE_TYPE)
- svc.add_endpoint('public', self.SERVICE_URL)
- self.TOKEN_RESPONSES[self.v3_UUID_SERVICE_TOKEN_DEFAULT] = token
-
- # PKIZ tokens generally link to above tokens
-
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_PKIZ_KEY] = (
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY])
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY] = (
- self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY])
- self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY] = (
- self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY])
-
- self.JSON_TOKEN_RESPONSES = dict([(k, jsonutils.dumps(v)) for k, v in
- six.iteritems(self.TOKEN_RESPONSES)])
-
-
-EXAMPLES_RESOURCE = testresources.FixtureResource(Examples())
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/test_audit_middleware.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/test_audit_middleware.py
deleted file mode 100644
index fc761c0f..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/test_audit_middleware.py
+++ /dev/null
@@ -1,560 +0,0 @@
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-import tempfile
-import uuid
-import warnings
-
-import mock
-from oslo_config import cfg
-from pycadf import identifier
-from testtools import matchers
-import webob
-
-from keystonemiddleware import audit
-from keystonemiddleware.tests.unit import utils
-
-
-class FakeApp(object):
- def __call__(self, env, start_response):
- body = 'Some response'
- start_response('200 OK', [
- ('Content-Type', 'text/plain'),
- ('Content-Length', str(sum(map(len, body))))
- ])
- return [body]
-
-
-class FakeFailingApp(object):
- def __call__(self, env, start_response):
- raise Exception('It happens!')
-
-
-class BaseAuditMiddlewareTest(utils.BaseTestCase):
- def setUp(self):
- super(BaseAuditMiddlewareTest, self).setUp()
- self.fd, self.audit_map = tempfile.mkstemp()
-
- with open(self.audit_map, "w") as f:
- f.write("[custom_actions]\n")
- f.write("reboot = start/reboot\n")
- f.write("os-migrations/get = read\n\n")
- f.write("[path_keywords]\n")
- f.write("action = None\n")
- f.write("os-hosts = host\n")
- f.write("os-migrations = None\n")
- f.write("reboot = None\n")
- f.write("servers = server\n\n")
- f.write("[service_endpoints]\n")
- f.write("compute = service/compute")
-
- cfg.CONF([], project='keystonemiddleware')
-
- self.middleware = audit.AuditMiddleware(
- FakeApp(), audit_map_file=self.audit_map,
- service_name='pycadf')
-
- # NOTE(stevemar): For this test suite and for the stable liberty branch
- # only, we will ignore deprecated calls that keystonemiddleware makes.
- warnings.filterwarnings('ignore', category=DeprecationWarning,
- module='^keystonemiddleware\\.')
-
- self.addCleanup(lambda: os.close(self.fd))
- self.addCleanup(cfg.CONF.reset)
-
- @staticmethod
- def get_environ_header(req_type):
- env_headers = {'HTTP_X_SERVICE_CATALOG':
- '''[{"endpoints_links": [],
- "endpoints": [{"adminURL":
- "http://admin_host:8774",
- "region": "RegionOne",
- "publicURL":
- "http://public_host:8774",
- "internalURL":
- "http://internal_host:8774",
- "id": "resource_id"}],
- "type": "compute",
- "name": "nova"},]''',
- 'HTTP_X_USER_ID': 'user_id',
- 'HTTP_X_USER_NAME': 'user_name',
- 'HTTP_X_AUTH_TOKEN': 'token',
- 'HTTP_X_PROJECT_ID': 'tenant_id',
- 'HTTP_X_IDENTITY_STATUS': 'Confirmed'}
- env_headers['REQUEST_METHOD'] = req_type
- return env_headers
-
-
-@mock.patch('oslo_messaging.get_transport', mock.MagicMock())
-class AuditMiddlewareTest(BaseAuditMiddlewareTest):
-
- def test_api_request(self):
- req = webob.Request.blank('/foo/bar',
- environ=self.get_environ_header('GET'))
- with mock.patch('oslo_messaging.Notifier.info') as notify:
- self.middleware(req)
- # Check first notification with only 'request'
- call_args = notify.call_args_list[0][0]
- self.assertEqual('audit.http.request', call_args[1])
- self.assertEqual('/foo/bar', call_args[2]['requestPath'])
- self.assertEqual('pending', call_args[2]['outcome'])
- self.assertNotIn('reason', call_args[2])
- self.assertNotIn('reporterchain', call_args[2])
-
- # Check second notification with request + response
- call_args = notify.call_args_list[1][0]
- self.assertEqual('audit.http.response', call_args[1])
- self.assertEqual('/foo/bar', call_args[2]['requestPath'])
- self.assertEqual('success', call_args[2]['outcome'])
- self.assertIn('reason', call_args[2])
- self.assertIn('reporterchain', call_args[2])
-
- def test_api_request_failure(self):
- self.middleware = audit.AuditMiddleware(
- FakeFailingApp(),
- audit_map_file=self.audit_map,
- service_name='pycadf')
- req = webob.Request.blank('/foo/bar',
- environ=self.get_environ_header('GET'))
- with mock.patch('oslo_messaging.Notifier.info') as notify:
- try:
- self.middleware(req)
- self.fail('Application exception has not been re-raised')
- except Exception:
- pass
- # Check first notification with only 'request'
- call_args = notify.call_args_list[0][0]
- self.assertEqual('audit.http.request', call_args[1])
- self.assertEqual('/foo/bar', call_args[2]['requestPath'])
- self.assertEqual('pending', call_args[2]['outcome'])
- self.assertNotIn('reporterchain', call_args[2])
-
- # Check second notification with request + response
- call_args = notify.call_args_list[1][0]
- self.assertEqual('audit.http.response', call_args[1])
- self.assertEqual('/foo/bar', call_args[2]['requestPath'])
- self.assertEqual('unknown', call_args[2]['outcome'])
- self.assertIn('reporterchain', call_args[2])
-
- def test_process_request_fail(self):
- req = webob.Request.blank('/foo/bar',
- environ=self.get_environ_header('GET'))
- with mock.patch('oslo_messaging.Notifier.info',
- side_effect=Exception('error')) as notify:
- self.middleware._process_request(req)
- self.assertTrue(notify.called)
-
- def test_process_response_fail(self):
- req = webob.Request.blank('/foo/bar',
- environ=self.get_environ_header('GET'))
- with mock.patch('oslo_messaging.Notifier.info',
- side_effect=Exception('error')) as notify:
- self.middleware._process_response(req, webob.response.Response())
- self.assertTrue(notify.called)
-
- def test_ignore_req_opt(self):
- self.middleware = audit.AuditMiddleware(FakeApp(),
- audit_map_file=self.audit_map,
- ignore_req_list='get, PUT')
- req = webob.Request.blank('/skip/foo',
- environ=self.get_environ_header('GET'))
- req1 = webob.Request.blank('/skip/foo',
- environ=self.get_environ_header('PUT'))
- req2 = webob.Request.blank('/accept/foo',
- environ=self.get_environ_header('POST'))
- with mock.patch('oslo_messaging.Notifier.info') as notify:
- # Check GET/PUT request does not send notification
- self.middleware(req)
- self.middleware(req1)
- self.assertEqual([], notify.call_args_list)
-
- # Check non-GET/PUT request does send notification
- self.middleware(req2)
- self.assertThat(notify.call_args_list, matchers.HasLength(2))
- call_args = notify.call_args_list[0][0]
- self.assertEqual('audit.http.request', call_args[1])
- self.assertEqual('/accept/foo', call_args[2]['requestPath'])
-
- call_args = notify.call_args_list[1][0]
- self.assertEqual('audit.http.response', call_args[1])
- self.assertEqual('/accept/foo', call_args[2]['requestPath'])
-
- def test_api_request_no_messaging(self):
- req = webob.Request.blank('/foo/bar',
- environ=self.get_environ_header('GET'))
- with mock.patch('keystonemiddleware.audit.messaging', None):
- with mock.patch('keystonemiddleware.audit._LOG.info') as log:
- self.middleware(req)
- # Check first notification with only 'request'
- call_args = log.call_args_list[0][0]
- self.assertEqual('audit.http.request',
- call_args[1]['event_type'])
-
- # Check second notification with request + response
- call_args = log.call_args_list[1][0]
- self.assertEqual('audit.http.response',
- call_args[1]['event_type'])
-
- def test_cadf_event_scoped_to_request(self):
- middleware = audit.AuditMiddleware(
- FakeApp(),
- audit_map_file=self.audit_map,
- service_name='pycadf')
- req = webob.Request.blank('/foo/bar',
- environ=self.get_environ_header('GET'))
- with mock.patch('oslo_messaging.Notifier.info') as notify:
- middleware(req)
- self.assertIsNotNone(req.environ.get('cadf_event'))
-
- # ensure exact same event is used between request and response
- self.assertEqual(notify.call_args_list[0][0][2]['id'],
- notify.call_args_list[1][0][2]['id'])
-
- def test_cadf_event_scoped_to_request_on_error(self):
- middleware = audit.AuditMiddleware(
- FakeApp(),
- audit_map_file=self.audit_map,
- service_name='pycadf')
- req = webob.Request.blank('/foo/bar',
- environ=self.get_environ_header('GET'))
- with mock.patch('oslo_messaging.Notifier.info',
- side_effect=Exception('error')) as notify:
- middleware._process_request(req)
- self.assertTrue(notify.called)
- req2 = webob.Request.blank('/foo/bar',
- environ=self.get_environ_header('GET'))
- with mock.patch('oslo_messaging.Notifier.info') as notify:
- middleware._process_response(req2, webob.response.Response())
- self.assertTrue(notify.called)
- # ensure event is not the same across requests
- self.assertNotEqual(req.environ['cadf_event'].id,
- notify.call_args_list[0][0][2]['id'])
-
-
-@mock.patch('oslo_messaging.rpc', mock.MagicMock())
-class AuditApiLogicTest(BaseAuditMiddlewareTest):
-
- def api_request(self, method, url):
- req = webob.Request.blank(url, environ=self.get_environ_header(method),
- remote_addr='192.168.0.1')
- self.middleware._process_request(req)
- return req
-
- def test_get_list(self):
- req = self.api_request('GET', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['action'], 'read/list')
- self.assertEqual(payload['typeURI'],
- 'http://schemas.dmtf.org/cloud/audit/1.0/event')
- self.assertEqual(payload['outcome'], 'pending')
- self.assertEqual(payload['eventType'], 'activity')
- self.assertEqual(payload['target']['name'], 'nova')
- self.assertEqual(payload['target']['id'], 'openstack:resource_id')
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers')
- self.assertEqual(len(payload['target']['addresses']), 3)
- self.assertEqual(payload['target']['addresses'][0]['name'], 'admin')
- self.assertEqual(payload['target']['addresses'][0]['url'],
- 'http://admin_host:8774')
- self.assertEqual(payload['initiator']['id'], 'openstack:user_id')
- self.assertEqual(payload['initiator']['name'], 'user_name')
- self.assertEqual(payload['initiator']['project_id'],
- 'openstack:tenant_id')
- self.assertEqual(payload['initiator']['host']['address'],
- '192.168.0.1')
- self.assertEqual(payload['initiator']['typeURI'],
- 'service/security/account/user')
- self.assertNotEqual(payload['initiator']['credential']['token'],
- 'token')
- self.assertEqual(payload['initiator']['credential']['identity_status'],
- 'Confirmed')
- self.assertNotIn('reason', payload)
- self.assertNotIn('reporterchain', payload)
- self.assertEqual(payload['observer']['id'], 'target')
- self.assertEqual(req.path, payload['requestPath'])
-
- def test_get_read(self):
- req = self.api_request('GET', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers/'
- + str(uuid.uuid4()))
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers/server')
- self.assertEqual(payload['action'], 'read')
- self.assertEqual(payload['outcome'], 'pending')
-
- def test_get_unknown_endpoint(self):
- req = self.api_request('GET', 'http://unknown:8774/v2/'
- + str(uuid.uuid4()) + '/servers')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['action'], 'read/list')
- self.assertEqual(payload['outcome'], 'pending')
- self.assertEqual(payload['target']['name'], 'unknown')
- self.assertEqual(payload['target']['id'], 'unknown')
- self.assertEqual(payload['target']['typeURI'], 'unknown')
-
- def test_get_unknown_endpoint_default_set(self):
- with open(self.audit_map, "w") as f:
- f.write("[DEFAULT]\n")
- f.write("target_endpoint_type = compute\n")
- f.write("[path_keywords]\n")
- f.write("servers = server\n\n")
- f.write("[service_endpoints]\n")
- f.write("compute = service/compute")
-
- self.middleware = audit.AuditMiddleware(
- FakeApp(), audit_map_file=self.audit_map,
- service_name='pycadf')
-
- req = self.api_request('GET', 'http://unknown:8774/v2/'
- + str(uuid.uuid4()) + '/servers')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['action'], 'read/list')
- self.assertEqual(payload['outcome'], 'pending')
- self.assertEqual(payload['target']['name'], 'nova')
- self.assertEqual(payload['target']['id'], 'openstack:resource_id')
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers')
-
- def test_put(self):
- req = self.api_request('PUT', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers')
- self.assertEqual(payload['action'], 'update')
- self.assertEqual(payload['outcome'], 'pending')
-
- def test_delete(self):
- req = self.api_request('DELETE', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers')
- self.assertEqual(payload['action'], 'delete')
- self.assertEqual(payload['outcome'], 'pending')
-
- def test_head(self):
- req = self.api_request('HEAD', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers')
- self.assertEqual(payload['action'], 'read')
- self.assertEqual(payload['outcome'], 'pending')
-
- def test_post_update(self):
- req = self.api_request('POST',
- 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers/'
- + str(uuid.uuid4()))
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers/server')
- self.assertEqual(payload['action'], 'update')
- self.assertEqual(payload['outcome'], 'pending')
-
- def test_post_create(self):
- req = self.api_request('POST', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers')
- self.assertEqual(payload['action'], 'create')
- self.assertEqual(payload['outcome'], 'pending')
-
- def test_post_action(self):
- req = webob.Request.blank('http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers/action',
- environ=self.get_environ_header('POST'))
- req.body = b'{"createImage" : {"name" : "new-image","metadata": ' \
- b'{"ImageType": "Gold","ImageVersion": "2.0"}}}'
- self.middleware._process_request(req)
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers/action')
- self.assertEqual(payload['action'], 'update/createImage')
- self.assertEqual(payload['outcome'], 'pending')
-
- def test_post_empty_body_action(self):
- req = self.api_request('POST', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers/action')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/servers/action')
- self.assertEqual(payload['action'], 'create')
- self.assertEqual(payload['outcome'], 'pending')
-
- def test_custom_action(self):
- req = self.api_request('GET', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/os-hosts/'
- + str(uuid.uuid4()) + '/reboot')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/os-hosts/host/reboot')
- self.assertEqual(payload['action'], 'start/reboot')
- self.assertEqual(payload['outcome'], 'pending')
-
- def test_custom_action_complex(self):
- req = self.api_request('GET', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/os-migrations')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/os-migrations')
- self.assertEqual(payload['action'], 'read')
- req = self.api_request('POST', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/os-migrations')
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['typeURI'],
- 'service/compute/os-migrations')
- self.assertEqual(payload['action'], 'create')
-
- def test_response_mod_msg(self):
- req = self.api_request('GET', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers')
- payload = req.environ['cadf_event'].as_dict()
- self.middleware._process_response(req, webob.Response())
- payload2 = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['id'], payload2['id'])
- self.assertEqual(payload['tags'], payload2['tags'])
- self.assertEqual(payload2['outcome'], 'success')
- self.assertEqual(payload2['reason']['reasonType'], 'HTTP')
- self.assertEqual(payload2['reason']['reasonCode'], '200')
- self.assertEqual(len(payload2['reporterchain']), 1)
- self.assertEqual(payload2['reporterchain'][0]['role'], 'modifier')
- self.assertEqual(payload2['reporterchain'][0]['reporter']['id'],
- 'target')
-
- def test_no_response(self):
- req = self.api_request('GET', 'http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers')
- payload = req.environ['cadf_event'].as_dict()
- self.middleware._process_response(req, None)
- payload2 = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['id'], payload2['id'])
- self.assertEqual(payload['tags'], payload2['tags'])
- self.assertEqual(payload2['outcome'], 'unknown')
- self.assertNotIn('reason', payload2)
- self.assertEqual(len(payload2['reporterchain']), 1)
- self.assertEqual(payload2['reporterchain'][0]['role'], 'modifier')
- self.assertEqual(payload2['reporterchain'][0]['reporter']['id'],
- 'target')
-
- def test_missing_req(self):
- req = webob.Request.blank('http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers',
- environ=self.get_environ_header('GET'))
- self.assertNotIn('cadf_event', req.environ)
- self.middleware._process_response(req, webob.Response())
- self.assertIn('cadf_event', req.environ)
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['outcome'], 'success')
- self.assertEqual(payload['reason']['reasonType'], 'HTTP')
- self.assertEqual(payload['reason']['reasonCode'], '200')
- self.assertEqual(payload['observer']['id'], 'target')
-
- def test_missing_catalog_endpoint_id(self):
- env_headers = {'HTTP_X_SERVICE_CATALOG':
- '''[{"endpoints_links": [],
- "endpoints": [{"adminURL":
- "http://admin_host:8774",
- "region": "RegionOne",
- "publicURL":
- "http://public_host:8774",
- "internalURL":
- "http://internal_host:8774"}],
- "type": "compute",
- "name": "nova"},]''',
- 'HTTP_X_USER_ID': 'user_id',
- 'HTTP_X_USER_NAME': 'user_name',
- 'HTTP_X_AUTH_TOKEN': 'token',
- 'HTTP_X_PROJECT_ID': 'tenant_id',
- 'HTTP_X_IDENTITY_STATUS': 'Confirmed',
- 'REQUEST_METHOD': 'GET'}
- req = webob.Request.blank('http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers',
- environ=env_headers)
- self.middleware._process_request(req)
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual(payload['target']['id'], identifier.norm_ns('nova'))
-
- def test_endpoint_missing_internal_url(self):
- env_headers = {'HTTP_X_SERVICE_CATALOG':
- '''[{"endpoints_links": [],
- "endpoints": [{"adminURL":
- "http://admin_host:8774",
- "region": "RegionOne",
- "publicURL":
- "http://public_host:8774"}],
- "type": "compute",
- "name": "nova"},]''',
- 'HTTP_X_USER_ID': 'user_id',
- 'HTTP_X_USER_NAME': 'user_name',
- 'HTTP_X_AUTH_TOKEN': 'token',
- 'HTTP_X_PROJECT_ID': 'tenant_id',
- 'HTTP_X_IDENTITY_STATUS': 'Confirmed',
- 'REQUEST_METHOD': 'GET'}
- req = webob.Request.blank('http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers',
- environ=env_headers)
- self.middleware._process_request(req)
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual((payload['target']['addresses'][1]['url']), "unknown")
-
- def test_endpoint_missing_public_url(self):
- env_headers = {'HTTP_X_SERVICE_CATALOG':
- '''[{"endpoints_links": [],
- "endpoints": [{"adminURL":
- "http://admin_host:8774",
- "region": "RegionOne",
- "internalURL":
- "http://internal_host:8774"}],
- "type": "compute",
- "name": "nova"},]''',
- 'HTTP_X_USER_ID': 'user_id',
- 'HTTP_X_USER_NAME': 'user_name',
- 'HTTP_X_AUTH_TOKEN': 'token',
- 'HTTP_X_PROJECT_ID': 'tenant_id',
- 'HTTP_X_IDENTITY_STATUS': 'Confirmed',
- 'REQUEST_METHOD': 'GET'}
- req = webob.Request.blank('http://admin_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers',
- environ=env_headers)
- self.middleware._process_request(req)
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual((payload['target']['addresses'][2]['url']), "unknown")
-
- def test_endpoint_missing_admin_url(self):
- env_headers = {'HTTP_X_SERVICE_CATALOG':
- '''[{"endpoints_links": [],
- "endpoints": [{"region": "RegionOne",
- "publicURL":
- "http://public_host:8774",
- "internalURL":
- "http://internal_host:8774"}],
- "type": "compute",
- "name": "nova"},]''',
- 'HTTP_X_USER_ID': 'user_id',
- 'HTTP_X_USER_NAME': 'user_name',
- 'HTTP_X_AUTH_TOKEN': 'token',
- 'HTTP_X_PROJECT_ID': 'tenant_id',
- 'HTTP_X_IDENTITY_STATUS': 'Confirmed',
- 'REQUEST_METHOD': 'GET'}
- req = webob.Request.blank('http://public_host:8774/v2/'
- + str(uuid.uuid4()) + '/servers',
- environ=env_headers)
- self.middleware._process_request(req)
- payload = req.environ['cadf_event'].as_dict()
- self.assertEqual((payload['target']['addresses'][0]['url']), "unknown")
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/test_opts.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/test_opts.py
deleted file mode 100644
index 9ddb8005..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/test_opts.py
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright (c) 2014 OpenStack Foundation.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import stevedore
-from testtools import matchers
-
-from keystonemiddleware import opts
-from keystonemiddleware.tests.unit import utils
-
-
-class OptsTestCase(utils.TestCase):
-
- def _test_list_auth_token_opts(self, result):
- self.assertThat(result, matchers.HasLength(1))
-
- for group in (g for (g, _l) in result):
- self.assertEqual('keystone_authtoken', group)
-
- expected_opt_names = [
- 'auth_admin_prefix',
- 'auth_host',
- 'auth_port',
- 'auth_protocol',
- 'auth_uri',
- 'identity_uri',
- 'auth_version',
- 'delay_auth_decision',
- 'http_connect_timeout',
- 'http_request_max_retries',
- 'admin_token',
- 'admin_user',
- 'admin_password',
- 'admin_tenant_name',
- 'cache',
- 'certfile',
- 'keyfile',
- 'cafile',
- 'region_name',
- 'insecure',
- 'signing_dir',
- 'memcached_servers',
- 'token_cache_time',
- 'revocation_cache_time',
- 'memcache_security_strategy',
- 'memcache_secret_key',
- 'memcache_use_advanced_pool',
- 'memcache_pool_dead_retry',
- 'memcache_pool_maxsize',
- 'memcache_pool_unused_timeout',
- 'memcache_pool_conn_get_timeout',
- 'memcache_pool_socket_timeout',
- 'include_service_catalog',
- 'enforce_token_bind',
- 'check_revocations_for_cached',
- 'hash_algorithms'
- ]
- opt_names = [o.name for (g, l) in result for o in l]
- self.assertThat(opt_names, matchers.HasLength(len(expected_opt_names)))
-
- for opt in opt_names:
- self.assertIn(opt, expected_opt_names)
-
- def test_list_auth_token_opts(self):
- self._test_list_auth_token_opts(opts.list_auth_token_opts())
-
- def test_entry_point(self):
- em = stevedore.ExtensionManager('oslo.config.opts',
- invoke_on_load=True)
- for extension in em:
- if extension.name == 'keystonemiddleware.auth_token':
- break
- else:
- self.fail('keystonemiddleware.auth_token not found')
-
- self._test_list_auth_token_opts(extension.obj)
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/test_s3_token_middleware.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/test_s3_token_middleware.py
deleted file mode 100644
index b0993886..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/test_s3_token_middleware.py
+++ /dev/null
@@ -1,268 +0,0 @@
-# Copyright 2012 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import mock
-from oslo_serialization import jsonutils
-import requests
-from requests_mock.contrib import fixture as rm_fixture
-import six
-from six.moves import urllib
-import webob
-
-from keystonemiddleware import s3_token
-from keystonemiddleware.tests.unit import utils
-
-
-GOOD_RESPONSE = {'access': {'token': {'id': 'TOKEN_ID',
- 'tenant': {'id': 'TENANT_ID'}}}}
-
-
-class FakeApp(object):
- """This represents a WSGI app protected by the auth_token middleware."""
- def __call__(self, env, start_response):
- resp = webob.Response()
- resp.environ = env
- return resp(env, start_response)
-
-
-class S3TokenMiddlewareTestBase(utils.TestCase):
-
- TEST_PROTOCOL = 'https'
- TEST_HOST = 'fakehost'
- TEST_PORT = 35357
- TEST_URL = '%s://%s:%d/v2.0/s3tokens' % (TEST_PROTOCOL,
- TEST_HOST,
- TEST_PORT)
-
- def setUp(self):
- super(S3TokenMiddlewareTestBase, self).setUp()
-
- self.conf = {
- 'auth_host': self.TEST_HOST,
- 'auth_port': self.TEST_PORT,
- 'auth_protocol': self.TEST_PROTOCOL,
- }
-
- self.requests_mock = self.useFixture(rm_fixture.Fixture())
-
- def start_fake_response(self, status, headers):
- self.response_status = int(status.split(' ', 1)[0])
- self.response_headers = dict(headers)
-
-
-class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase):
-
- def setUp(self):
- super(S3TokenMiddlewareTestGood, self).setUp()
- self.middleware = s3_token.S3Token(FakeApp(), self.conf)
-
- self.requests_mock.post(self.TEST_URL,
- status_code=201,
- json=GOOD_RESPONSE)
-
- # Ignore the request and pass to the next middleware in the
- # pipeline if no path has been specified.
- def test_no_path_request(self):
- req = webob.Request.blank('/')
- self.middleware(req.environ, self.start_fake_response)
- self.assertEqual(self.response_status, 200)
-
- # Ignore the request and pass to the next middleware in the
- # pipeline if no Authorization header has been specified
- def test_without_authorization(self):
- req = webob.Request.blank('/v1/AUTH_cfa/c/o')
- self.middleware(req.environ, self.start_fake_response)
- self.assertEqual(self.response_status, 200)
-
- def test_without_auth_storage_token(self):
- req = webob.Request.blank('/v1/AUTH_cfa/c/o')
- req.headers['Authorization'] = 'badboy'
- self.middleware(req.environ, self.start_fake_response)
- self.assertEqual(self.response_status, 200)
-
- def test_authorized(self):
- req = webob.Request.blank('/v1/AUTH_cfa/c/o')
- req.headers['Authorization'] = 'access:signature'
- req.headers['X-Storage-Token'] = 'token'
- req.get_response(self.middleware)
- self.assertTrue(req.path.startswith('/v1/AUTH_TENANT_ID'))
- self.assertEqual(req.headers['X-Auth-Token'], 'TOKEN_ID')
-
- def test_authorized_http(self):
- self.requests_mock.post(self.TEST_URL.replace('https', 'http'),
- status_code=201,
- json=GOOD_RESPONSE)
-
- self.middleware = (
- s3_token.filter_factory({'auth_protocol': 'http',
- 'auth_host': self.TEST_HOST,
- 'auth_port': self.TEST_PORT})(FakeApp()))
- req = webob.Request.blank('/v1/AUTH_cfa/c/o')
- req.headers['Authorization'] = 'access:signature'
- req.headers['X-Storage-Token'] = 'token'
- req.get_response(self.middleware)
- self.assertTrue(req.path.startswith('/v1/AUTH_TENANT_ID'))
- self.assertEqual(req.headers['X-Auth-Token'], 'TOKEN_ID')
-
- def test_authorization_nova_toconnect(self):
- req = webob.Request.blank('/v1/AUTH_swiftint/c/o')
- req.headers['Authorization'] = 'access:FORCED_TENANT_ID:signature'
- req.headers['X-Storage-Token'] = 'token'
- req.get_response(self.middleware)
- path = req.environ['PATH_INFO']
- self.assertTrue(path.startswith('/v1/AUTH_FORCED_TENANT_ID'))
-
- @mock.patch.object(requests, 'post')
- def test_insecure(self, MOCK_REQUEST):
- self.middleware = (
- s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
-
- text_return_value = jsonutils.dumps(GOOD_RESPONSE)
- if six.PY3:
- text_return_value = text_return_value.encode()
- MOCK_REQUEST.return_value = utils.TestResponse({
- 'status_code': 201,
- 'text': text_return_value})
-
- req = webob.Request.blank('/v1/AUTH_cfa/c/o')
- req.headers['Authorization'] = 'access:signature'
- req.headers['X-Storage-Token'] = 'token'
- req.get_response(self.middleware)
-
- self.assertTrue(MOCK_REQUEST.called)
- mock_args, mock_kwargs = MOCK_REQUEST.call_args
- self.assertIs(mock_kwargs['verify'], False)
-
- def test_insecure_option(self):
- # insecure is passed as a string.
-
- # Some non-secure values.
- true_values = ['true', 'True', '1', 'yes']
- for val in true_values:
- config = {'insecure': val, 'certfile': 'false_ind'}
- middleware = s3_token.filter_factory(config)(FakeApp())
- self.assertIs(False, middleware._verify)
-
- # Some "secure" values, including unexpected value.
- false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
- for val in false_values:
- config = {'insecure': val, 'certfile': 'false_ind'}
- middleware = s3_token.filter_factory(config)(FakeApp())
- self.assertEqual('false_ind', middleware._verify)
-
- # Default is secure.
- config = {'certfile': 'false_ind'}
- middleware = s3_token.filter_factory(config)(FakeApp())
- self.assertIs('false_ind', middleware._verify)
-
- def test_unicode_path(self):
- url = u'/v1/AUTH_cfa/c/euro\u20ac'.encode('utf8')
- req = webob.Request.blank(urllib.parse.quote(url))
- req.headers['Authorization'] = 'access:signature'
- req.headers['X-Storage-Token'] = 'token'
- req.get_response(self.middleware)
-
-
-class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
- def setUp(self):
- super(S3TokenMiddlewareTestBad, self).setUp()
- self.middleware = s3_token.S3Token(FakeApp(), self.conf)
-
- def test_unauthorized_token(self):
- ret = {"error":
- {"message": "EC2 access key not found.",
- "code": 401,
- "title": "Unauthorized"}}
- self.requests_mock.post(self.TEST_URL, status_code=403, json=ret)
- req = webob.Request.blank('/v1/AUTH_cfa/c/o')
- req.headers['Authorization'] = 'access:signature'
- req.headers['X-Storage-Token'] = 'token'
- resp = req.get_response(self.middleware)
- s3_denied_req = self.middleware._deny_request('AccessDenied')
- self.assertEqual(resp.body, s3_denied_req.body)
- self.assertEqual(resp.status_int, s3_denied_req.status_int)
-
- def test_bogus_authorization(self):
- req = webob.Request.blank('/v1/AUTH_cfa/c/o')
- req.headers['Authorization'] = 'badboy'
- req.headers['X-Storage-Token'] = 'token'
- resp = req.get_response(self.middleware)
- self.assertEqual(resp.status_int, 400)
- s3_invalid_req = self.middleware._deny_request('InvalidURI')
- self.assertEqual(resp.body, s3_invalid_req.body)
- self.assertEqual(resp.status_int, s3_invalid_req.status_int)
-
- def test_fail_to_connect_to_keystone(self):
- with mock.patch.object(self.middleware, '_json_request') as o:
- s3_invalid_req = self.middleware._deny_request('InvalidURI')
- o.side_effect = s3_token.ServiceError(s3_invalid_req)
-
- req = webob.Request.blank('/v1/AUTH_cfa/c/o')
- req.headers['Authorization'] = 'access:signature'
- req.headers['X-Storage-Token'] = 'token'
- resp = req.get_response(self.middleware)
- self.assertEqual(resp.body, s3_invalid_req.body)
- self.assertEqual(resp.status_int, s3_invalid_req.status_int)
-
- def test_bad_reply(self):
- self.requests_mock.post(self.TEST_URL,
- status_code=201,
- text="<badreply>")
-
- req = webob.Request.blank('/v1/AUTH_cfa/c/o')
- req.headers['Authorization'] = 'access:signature'
- req.headers['X-Storage-Token'] = 'token'
- resp = req.get_response(self.middleware)
- s3_invalid_req = self.middleware._deny_request('InvalidURI')
- self.assertEqual(resp.body, s3_invalid_req.body)
- self.assertEqual(resp.status_int, s3_invalid_req.status_int)
-
-
-class S3TokenMiddlewareTestUtil(utils.BaseTestCase):
- def test_split_path_failed(self):
- self.assertRaises(ValueError, s3_token._split_path, '')
- self.assertRaises(ValueError, s3_token._split_path, '/')
- self.assertRaises(ValueError, s3_token._split_path, '//')
- self.assertRaises(ValueError, s3_token._split_path, '//a')
- self.assertRaises(ValueError, s3_token._split_path, '/a/c')
- self.assertRaises(ValueError, s3_token._split_path, '//c')
- self.assertRaises(ValueError, s3_token._split_path, '/a/c/')
- self.assertRaises(ValueError, s3_token._split_path, '/a//')
- self.assertRaises(ValueError, s3_token._split_path, '/a', 2)
- self.assertRaises(ValueError, s3_token._split_path, '/a', 2, 3)
- self.assertRaises(ValueError, s3_token._split_path, '/a', 2, 3, True)
- self.assertRaises(ValueError, s3_token._split_path, '/a/c/o/r', 3, 3)
- self.assertRaises(ValueError, s3_token._split_path, '/a', 5, 4)
-
- def test_split_path_success(self):
- self.assertEqual(s3_token._split_path('/a'), ['a'])
- self.assertEqual(s3_token._split_path('/a/'), ['a'])
- self.assertEqual(s3_token._split_path('/a/c', 2), ['a', 'c'])
- self.assertEqual(s3_token._split_path('/a/c/o', 3), ['a', 'c', 'o'])
- self.assertEqual(s3_token._split_path('/a/c/o/r', 3, 3, True),
- ['a', 'c', 'o/r'])
- self.assertEqual(s3_token._split_path('/a/c', 2, 3, True),
- ['a', 'c', None])
- self.assertEqual(s3_token._split_path('/a/c/', 2), ['a', 'c'])
- self.assertEqual(s3_token._split_path('/a/c/', 2, 3), ['a', 'c', ''])
-
- def test_split_path_invalid_path(self):
- try:
- s3_token._split_path('o\nn e', 2)
- except ValueError as err:
- self.assertEqual(str(err), 'Invalid path: o%0An%20e')
- try:
- s3_token._split_path('o\nn e', 2, 3, True)
- except ValueError as err:
- self.assertEqual(str(err), 'Invalid path: o%0An%20e')
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/utils.py b/keystonemiddleware-moon/keystonemiddleware/tests/unit/utils.py
deleted file mode 100644
index 8c6c0e9a..00000000
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/utils.py
+++ /dev/null
@@ -1,150 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import logging
-import sys
-import time
-import warnings
-
-import fixtures
-import mock
-import oslotest.base as oslotest
-import requests
-import uuid
-
-
-class BaseTestCase(oslotest.BaseTestCase):
- def setUp(self):
- super(BaseTestCase, self).setUp()
-
- # If keystonemiddleware calls any deprecated function this will raise
- # an exception.
- warnings.filterwarnings('error', category=DeprecationWarning,
- module='^keystonemiddleware\\.')
- self.addCleanup(warnings.resetwarnings)
-
-
-class TestCase(BaseTestCase):
- TEST_DOMAIN_ID = '1'
- TEST_DOMAIN_NAME = 'aDomain'
- TEST_GROUP_ID = uuid.uuid4().hex
- TEST_ROLE_ID = uuid.uuid4().hex
- TEST_TENANT_ID = '1'
- TEST_TENANT_NAME = 'aTenant'
- TEST_TOKEN = 'aToken'
- TEST_TRUST_ID = 'aTrust'
- TEST_USER = 'test'
- TEST_USER_ID = uuid.uuid4().hex
-
- TEST_ROOT_URL = 'http://127.0.0.1:5000/'
-
- def setUp(self):
- super(TestCase, self).setUp()
- self.logger = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
- self.time_patcher = mock.patch.object(time, 'time', lambda: 1234)
- self.time_patcher.start()
-
- def tearDown(self):
- self.time_patcher.stop()
- super(TestCase, self).tearDown()
-
-
-if tuple(sys.version_info)[0:2] < (2, 7):
-
- def assertDictEqual(self, d1, d2, msg=None):
- # Simple version taken from 2.7
- self.assertIsInstance(d1, dict,
- 'First argument is not a dictionary')
- self.assertIsInstance(d2, dict,
- 'Second argument is not a dictionary')
- if d1 != d2:
- if msg:
- self.fail(msg)
- else:
- standardMsg = '%r != %r' % (d1, d2)
- self.fail(standardMsg)
-
- TestCase.assertDictEqual = assertDictEqual
-
-
-class TestResponse(requests.Response):
- """Class used to wrap requests.Response and provide some
- convenience to initialize with a dict.
- """
-
- def __init__(self, data):
- self._text = None
- super(TestResponse, self).__init__()
- if isinstance(data, dict):
- self.status_code = data.get('status_code', 200)
- headers = data.get('headers')
- if headers:
- self.headers.update(headers)
- # Fake the text attribute to streamline Response creation
- # _content is defined by requests.Response
- self._content = data.get('text')
- else:
- self.status_code = data
-
- def __eq__(self, other):
- return self.__dict__ == other.__dict__
-
- @property
- def text(self):
- return self.content
-
-
-class DisableModuleFixture(fixtures.Fixture):
- """A fixture to provide support for unloading/disabling modules."""
-
- def __init__(self, module, *args, **kw):
- super(DisableModuleFixture, self).__init__(*args, **kw)
- self.module = module
- self._finders = []
- self._cleared_modules = {}
-
- def tearDown(self):
- super(DisableModuleFixture, self).tearDown()
- for finder in self._finders:
- sys.meta_path.remove(finder)
- sys.modules.update(self._cleared_modules)
-
- def clear_module(self):
- cleared_modules = {}
- for fullname in list(sys.modules.keys()):
- if (fullname == self.module or
- fullname.startswith(self.module + '.')):
- cleared_modules[fullname] = sys.modules.pop(fullname)
- return cleared_modules
-
- def setUp(self):
- """Ensure ImportError for the specified module."""
-
- super(DisableModuleFixture, self).setUp()
-
- # Clear 'module' references in sys.modules
- self._cleared_modules.update(self.clear_module())
-
- finder = NoModuleFinder(self.module)
- self._finders.append(finder)
- sys.meta_path.insert(0, finder)
-
-
-class NoModuleFinder(object):
- """Disallow further imports of 'module'."""
-
- def __init__(self, module):
- self.module = module
-
- def find_module(self, fullname, path):
- if fullname == self.module or fullname.startswith(self.module + '.'):
- raise ImportError
diff --git a/keystonemiddleware-moon/openstack-common.conf b/keystonemiddleware-moon/openstack-common.conf
deleted file mode 100644
index abdd7b30..00000000
--- a/keystonemiddleware-moon/openstack-common.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[DEFAULT]
-
-# The list of modules to copy from oslo-incubator
-module=memorycache
-
-# The base module to hold the copy of openstack.common
-base=keystonemiddleware
diff --git a/keystonemiddleware-moon/requirements.txt b/keystonemiddleware-moon/requirements.txt
deleted file mode 100644
index 4d39b223..00000000
--- a/keystonemiddleware-moon/requirements.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
-
-Babel>=1.3
-oslo.config>=2.3.0 # Apache-2.0
-oslo.context>=0.2.0 # Apache-2.0
-oslo.i18n>=1.5.0 # Apache-2.0
-oslo.serialization>=1.4.0 # Apache-2.0
-oslo.utils!=2.6.0,>=2.0.0 # Apache-2.0
-pbr>=1.6
-pycadf>=1.1.0
-python-keystoneclient!=1.8.0,>=1.6.0
-requests!=2.8.0,!=2.9.0,>=2.5.2
-six>=1.9.0
-WebOb>=1.2.3
diff --git a/keystonemiddleware-moon/setup.cfg b/keystonemiddleware-moon/setup.cfg
deleted file mode 100644
index 6893198b..00000000
--- a/keystonemiddleware-moon/setup.cfg
+++ /dev/null
@@ -1,57 +0,0 @@
-[metadata]
-name = keystonemiddleware
-summary = Middleware for OpenStack Identity
-description-file =
- README.rst
-author = OpenStack
-author-email = openstack-dev@lists.openstack.org
-home-page = http://launchpad.net/keystonemiddleware
-license = Apache-2.0
-classifier =
- Environment :: OpenStack
- Intended Audience :: Information Technology
- Intended Audience :: System Administrators
- License :: OSI Approved :: Apache Software License
- Operating System :: POSIX :: Linux
- Programming Language :: Python
- Programming Language :: Python :: 2
- Programming Language :: Python :: 2.7
- Programming Language :: Python :: 3
- Programming Language :: Python :: 3.4
-
-[files]
-packages =
- keystonemiddleware
-
-[global]
-setup-hooks =
- pbr.hooks.setup_hook
-
-[entry_points]
-oslo.config.opts =
- keystonemiddleware.auth_token = keystonemiddleware.opts:list_auth_token_opts
-
-[build_sphinx]
-source-dir = doc/source
-build-dir = doc/build
-all_files = 1
-
-[upload_sphinx]
-upload-dir = doc/build/html
-
-[compile_catalog]
-directory = keystonemiddleware/locale
-domain = keystonemiddleware
-
-[update_catalog]
-domain = keystonemiddleware
-output_dir = keystonemiddleware/locale
-input_file = keystonemiddleware/locale/keystonemiddleware.pot
-
-[extract_messages]
-keywords = _ gettext ngettext l_ lazy_gettext
-mapping_file = babel.cfg
-output_file = keystonemiddleware/locale/keystonemiddleware.pot
-
-[wheel]
-universal = 1
diff --git a/keystonemiddleware-moon/setup.py b/keystonemiddleware-moon/setup.py
deleted file mode 100644
index 782bb21f..00000000
--- a/keystonemiddleware-moon/setup.py
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (c) 2013 Hewlett-Packard Development Company, L.P.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-# implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# THIS FILE IS MANAGED BY THE GLOBAL REQUIREMENTS REPO - DO NOT EDIT
-import setuptools
-
-# In python < 2.7.4, a lazy loading of package `pbr` will break
-# setuptools if some other modules registered functions in `atexit`.
-# solution from: http://bugs.python.org/issue15881#msg170215
-try:
- import multiprocessing # noqa
-except ImportError:
- pass
-
-setuptools.setup(
- setup_requires=['pbr>=1.8'],
- pbr=True)
diff --git a/keystonemiddleware-moon/test-requirements-py3.txt b/keystonemiddleware-moon/test-requirements-py3.txt
deleted file mode 100644
index ff9e614c..00000000
--- a/keystonemiddleware-moon/test-requirements-py3.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
-
-coverage>=3.6
-discover
-fixtures>=0.3.14
-hacking>=0.8.0,<0.9
-mock>=1.0
-pycrypto>=2.6
-oslosphinx>=2.2.0 # Apache-2.0
-oslotest>=1.2.0 # Apache-2.0
-oslo.messaging>=1.6.0 # Apache-2.0
-requests-mock>=0.5.1 # Apache-2.0
-sphinx>=1.1.2,!=1.2.0,!=1.3b1,<1.3
-testrepository>=0.0.18
-testresources>=0.2.4
-testtools>=0.9.36,!=1.2.0
diff --git a/keystonemiddleware-moon/test-requirements.txt b/keystonemiddleware-moon/test-requirements.txt
deleted file mode 100644
index 261a8ffc..00000000
--- a/keystonemiddleware-moon/test-requirements.txt
+++ /dev/null
@@ -1,24 +0,0 @@
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
-
-hacking<0.11,>=0.10.0
-
-coverage>=3.6
-fixtures>=1.3.1
-mock>=1.2
-pycrypto>=2.6
-oslosphinx>=2.5.0 # Apache-2.0
-oslotest>=1.10.0 # Apache-2.0
-oslo.messaging!=1.17.0,!=1.17.1,!=2.6.0,!=2.6.1,!=2.7.0,!=2.8.0,!=2.8.1,!=2.9.0,!=3.1.0,>=1.16.0 # Apache-2.0
-requests-mock>=0.6.0 # Apache-2.0
-sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2
-stevedore>=1.5.0 # Apache-2.0
-testrepository>=0.0.18
-testresources>=0.2.4
-testtools>=1.4.0
-python-memcached>=1.56
-
-# Bandit security code scanner
-bandit>=0.13.2
-
diff --git a/keystonemiddleware-moon/tools/install_venv_common.py b/keystonemiddleware-moon/tools/install_venv_common.py
deleted file mode 100644
index e279159a..00000000
--- a/keystonemiddleware-moon/tools/install_venv_common.py
+++ /dev/null
@@ -1,172 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-# Copyright 2013 IBM Corp.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""Provides methods needed by installation script for OpenStack development
-virtual environments.
-
-Since this script is used to bootstrap a virtualenv from the system's Python
-environment, it should be kept strictly compatible with Python 2.6.
-
-Synced in from openstack-common
-"""
-
-from __future__ import print_function
-
-import optparse
-import os
-import subprocess
-import sys
-
-
-class InstallVenv(object):
-
- def __init__(self, root, venv, requirements,
- test_requirements, py_version,
- project):
- self.root = root
- self.venv = venv
- self.requirements = requirements
- self.test_requirements = test_requirements
- self.py_version = py_version
- self.project = project
-
- def die(self, message, *args):
- print(message % args, file=sys.stderr)
- sys.exit(1)
-
- def check_python_version(self):
- if sys.version_info < (2, 6):
- self.die("Need Python Version >= 2.6")
-
- def run_command_with_code(self, cmd, redirect_output=True,
- check_exit_code=True):
- """Runs a command in an out-of-process shell.
-
- Returns the output of that command. Working directory is self.root.
- """
- if redirect_output:
- stdout = subprocess.PIPE
- else:
- stdout = None
-
- proc = subprocess.Popen(cmd, cwd=self.root, stdout=stdout)
- output = proc.communicate()[0]
- if check_exit_code and proc.returncode != 0:
- self.die('Command "%s" failed.\n%s', ' '.join(cmd), output)
- return (output, proc.returncode)
-
- def run_command(self, cmd, redirect_output=True, check_exit_code=True):
- return self.run_command_with_code(cmd, redirect_output,
- check_exit_code)[0]
-
- def get_distro(self):
- if (os.path.exists('/etc/fedora-release') or
- os.path.exists('/etc/redhat-release')):
- return Fedora(
- self.root, self.venv, self.requirements,
- self.test_requirements, self.py_version, self.project)
- else:
- return Distro(
- self.root, self.venv, self.requirements,
- self.test_requirements, self.py_version, self.project)
-
- def check_dependencies(self):
- self.get_distro().install_virtualenv()
-
- def create_virtualenv(self, no_site_packages=True):
- """Creates the virtual environment and installs PIP.
-
- Creates the virtual environment and installs PIP only into the
- virtual environment.
- """
- if not os.path.isdir(self.venv):
- print('Creating venv...', end=' ')
- if no_site_packages:
- self.run_command(['virtualenv', '-q', '--no-site-packages',
- self.venv])
- else:
- self.run_command(['virtualenv', '-q', self.venv])
- print('done.')
- else:
- print("venv already exists...")
- pass
-
- def pip_install(self, *args):
- self.run_command(['tools/with_venv.sh',
- 'pip', 'install', '--upgrade'] + list(args),
- redirect_output=False)
-
- def install_dependencies(self):
- print('Installing dependencies with pip (this can take a while)...')
-
- # First things first, make sure our venv has the latest pip and
- # setuptools and pbr
- self.pip_install('pip>=1.4')
- self.pip_install('setuptools')
- self.pip_install('pbr')
-
- self.pip_install('-r', self.requirements, '-r', self.test_requirements)
-
- def parse_args(self, argv):
- """Parses command-line arguments."""
- parser = optparse.OptionParser()
- parser.add_option('-n', '--no-site-packages',
- action='store_true',
- help="Do not inherit packages from global Python "
- "install.")
- return parser.parse_args(argv[1:])[0]
-
-
-class Distro(InstallVenv):
-
- def check_cmd(self, cmd):
- return bool(self.run_command(['which', cmd],
- check_exit_code=False).strip())
-
- def install_virtualenv(self):
- if self.check_cmd('virtualenv'):
- return
-
- if self.check_cmd('easy_install'):
- print('Installing virtualenv via easy_install...', end=' ')
- if self.run_command(['easy_install', 'virtualenv']):
- print('Succeeded')
- return
- else:
- print('Failed')
-
- self.die('ERROR: virtualenv not found.\n\n%s development'
- ' requires virtualenv, please install it using your'
- ' favorite package management tool' % self.project)
-
-
-class Fedora(Distro):
- """This covers all Fedora-based distributions.
-
- Includes: Fedora, RHEL, CentOS, Scientific Linux
- """
-
- def check_pkg(self, pkg):
- return self.run_command_with_code(['rpm', '-q', pkg],
- check_exit_code=False)[1] == 0
-
- def install_virtualenv(self):
- if self.check_cmd('virtualenv'):
- return
-
- if not self.check_pkg('python-virtualenv'):
- self.die("Please install 'python-virtualenv'.")
-
- super(Fedora, self).install_virtualenv()
diff --git a/keystonemiddleware-moon/tox.ini b/keystonemiddleware-moon/tox.ini
deleted file mode 100644
index 790bf027..00000000
--- a/keystonemiddleware-moon/tox.ini
+++ /dev/null
@@ -1,50 +0,0 @@
-[tox]
-minversion = 1.6
-skipsdist = True
-envlist = py26,py27,py34,pep8
-
-[testenv]
-usedevelop = True
-install_command = pip install -U {opts} {packages}
-setenv = VIRTUAL_ENV={envdir}
- OS_STDOUT_NOCAPTURE=False
- OS_STDERR_NOCAPTURE=False
-
-deps = -r{toxinidir}/requirements.txt
- -r{toxinidir}/test-requirements.txt
-commands = python setup.py testr --testr-args='{posargs}'
-
-[testenv:pep8]
-commands =
- flake8
-
-[testenv:venv]
-commands = {posargs}
-
-[testenv:cover]
-commands = python setup.py testr --coverage --testr-args='{posargs}'
-
-[tox:jenkins]
-downloadcache = ~/cache/pip
-
-[testenv:debug]
-
-commands = oslo_debug_helper {posargs}
-
-[testenv:bandit]
-deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -c bandit.yaml -r keystonemiddleware -n5 -p keystone_conservative
-
-[flake8]
-# H405: multi line docstring summary not separated with an empty line
-ignore = H405
-show-source = True
-exclude = .venv,.tox,dist,doc,*egg,build,*openstack/common*
-
-[testenv:docs]
-commands=
- python setup.py build_sphinx
-
-[hacking]
-import_exceptions =
- keystonemiddleware.i18n
diff --git a/moonv4/kubernetes/README.md b/kubernetes/README.md
index 04d54924..04d54924 100644
--- a/moonv4/kubernetes/README.md
+++ b/kubernetes/README.md
diff --git a/moonv4/kubernetes/conf/password_moon.txt b/kubernetes/conf/password_moon.txt
index bb9bcf7d..bb9bcf7d 100644
--- a/moonv4/kubernetes/conf/password_moon.txt
+++ b/kubernetes/conf/password_moon.txt
diff --git a/moonv4/kubernetes/conf/password_root.txt b/kubernetes/conf/password_root.txt
index bb9bcf7d..bb9bcf7d 100644
--- a/moonv4/kubernetes/conf/password_root.txt
+++ b/kubernetes/conf/password_root.txt
diff --git a/moonv4/kubernetes/conf/ports.conf b/kubernetes/conf/ports.conf
index 487945c0..487945c0 100644
--- a/moonv4/kubernetes/conf/ports.conf
+++ b/kubernetes/conf/ports.conf
diff --git a/moonv4/kubernetes/init_k8s.sh b/kubernetes/init_k8s.sh
index 6eb94e78..6eb94e78 100644
--- a/moonv4/kubernetes/init_k8s.sh
+++ b/kubernetes/init_k8s.sh
diff --git a/moonv4/kubernetes/start_moon.sh b/kubernetes/start_moon.sh
index 8121e319..8121e319 100644
--- a/moonv4/kubernetes/start_moon.sh
+++ b/kubernetes/start_moon.sh
diff --git a/moonv4/kubernetes/templates/consul.yaml b/kubernetes/templates/consul.yaml
index f0fb764e..f0fb764e 100644
--- a/moonv4/kubernetes/templates/consul.yaml
+++ b/kubernetes/templates/consul.yaml
diff --git a/moonv4/kubernetes/templates/db.yaml b/kubernetes/templates/db.yaml
index 38418643..38418643 100644
--- a/moonv4/kubernetes/templates/db.yaml
+++ b/kubernetes/templates/db.yaml
diff --git a/moonv4/kubernetes/templates/keystone.yaml b/kubernetes/templates/keystone.yaml
index e4218e4c..e4218e4c 100644
--- a/moonv4/kubernetes/templates/keystone.yaml
+++ b/kubernetes/templates/keystone.yaml
diff --git a/moonv4/kubernetes/templates/kube-dns.yaml b/kubernetes/templates/kube-dns.yaml
index c8f18fd8..c8f18fd8 100644
--- a/moonv4/kubernetes/templates/kube-dns.yaml
+++ b/kubernetes/templates/kube-dns.yaml
diff --git a/moonv4/kubernetes/templates/moon_configuration.yaml b/kubernetes/templates/moon_configuration.yaml
index 3bcaa533..3bcaa533 100644
--- a/moonv4/kubernetes/templates/moon_configuration.yaml
+++ b/kubernetes/templates/moon_configuration.yaml
diff --git a/moonv4/kubernetes/templates/moon_gui.yaml b/kubernetes/templates/moon_gui.yaml
index 2d355216..2d355216 100644
--- a/moonv4/kubernetes/templates/moon_gui.yaml
+++ b/kubernetes/templates/moon_gui.yaml
diff --git a/moonv4/kubernetes/templates/moon_manager.yaml b/kubernetes/templates/moon_manager.yaml
index 9d4a09a8..9d4a09a8 100644
--- a/moonv4/kubernetes/templates/moon_manager.yaml
+++ b/kubernetes/templates/moon_manager.yaml
diff --git a/moonv4/kubernetes/templates/moon_orchestrator.yaml b/kubernetes/templates/moon_orchestrator.yaml
index 419f2d52..419f2d52 100644
--- a/moonv4/kubernetes/templates/moon_orchestrator.yaml
+++ b/kubernetes/templates/moon_orchestrator.yaml
diff --git a/moonv4/moon_authz/Dockerfile b/moon_authz/Dockerfile
index 7ab172b0..7ab172b0 100644
--- a/moonv4/moon_authz/Dockerfile
+++ b/moon_authz/Dockerfile
diff --git a/moonv4/moon_authz/LICENSE b/moon_authz/LICENSE
index d6456956..d6456956 100644
--- a/moonv4/moon_authz/LICENSE
+++ b/moon_authz/LICENSE
diff --git a/moonv4/moon_authz/MANIFEST.in b/moon_authz/MANIFEST.in
index 1f674d50..1f674d50 100644
--- a/moonv4/moon_authz/MANIFEST.in
+++ b/moon_authz/MANIFEST.in
diff --git a/moonv4/moon_authz/README.rst b/moon_authz/README.rst
index ded4e99a..ded4e99a 100644
--- a/moonv4/moon_authz/README.rst
+++ b/moon_authz/README.rst
diff --git a/moonv4/moon_authz/moon_authz/__init__.py b/moon_authz/moon_authz/__init__.py
index 903c6518..903c6518 100644
--- a/moonv4/moon_authz/moon_authz/__init__.py
+++ b/moon_authz/moon_authz/__init__.py
diff --git a/moonv4/moon_authz/moon_authz/__main__.py b/moon_authz/moon_authz/__main__.py
index 699c008c..699c008c 100644
--- a/moonv4/moon_authz/moon_authz/__main__.py
+++ b/moon_authz/moon_authz/__main__.py
diff --git a/keystonemiddleware-moon/doc/ext/__init__.py b/moon_authz/moon_authz/api/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/doc/ext/__init__.py
+++ b/moon_authz/moon_authz/api/__init__.py
diff --git a/moonv4/moon_authz/moon_authz/api/authorization.py b/moon_authz/moon_authz/api/authorization.py
index 4cd8de06..4cd8de06 100644
--- a/moonv4/moon_authz/moon_authz/api/authorization.py
+++ b/moon_authz/moon_authz/api/authorization.py
diff --git a/moonv4/moon_authz/moon_authz/api/generic.py b/moon_authz/moon_authz/api/generic.py
index f4e13e42..f4e13e42 100644
--- a/moonv4/moon_authz/moon_authz/api/generic.py
+++ b/moon_authz/moon_authz/api/generic.py
diff --git a/moonv4/moon_authz/moon_authz/http_server.py b/moon_authz/moon_authz/http_server.py
index 50e878d3..50e878d3 100644
--- a/moonv4/moon_authz/moon_authz/http_server.py
+++ b/moon_authz/moon_authz/http_server.py
diff --git a/moonv4/moon_authz/moon_authz/server.py b/moon_authz/moon_authz/server.py
index 974012dc..974012dc 100644
--- a/moonv4/moon_authz/moon_authz/server.py
+++ b/moon_authz/moon_authz/server.py
diff --git a/moonv4/moon_authz/requirements.txt b/moon_authz/requirements.txt
index 8cad7a7a..8cad7a7a 100644
--- a/moonv4/moon_authz/requirements.txt
+++ b/moon_authz/requirements.txt
diff --git a/moonv4/moon_authz/setup.py b/moon_authz/setup.py
index a8dcd0c4..a8dcd0c4 100644
--- a/moonv4/moon_authz/setup.py
+++ b/moon_authz/setup.py
diff --git a/moonv4/moon_authz/tests/unit_python/conftest.py b/moon_authz/tests/unit_python/conftest.py
index a6e62078..a6e62078 100644
--- a/moonv4/moon_authz/tests/unit_python/conftest.py
+++ b/moon_authz/tests/unit_python/conftest.py
diff --git a/moonv4/moon_authz/tests/unit_python/mock_pods.py b/moon_authz/tests/unit_python/mock_pods.py
index 7488f4f3..7488f4f3 100644
--- a/moonv4/moon_authz/tests/unit_python/mock_pods.py
+++ b/moon_authz/tests/unit_python/mock_pods.py
diff --git a/moonv4/moon_authz/tests/unit_python/requirements.txt b/moon_authz/tests/unit_python/requirements.txt
index 21975ce3..21975ce3 100644
--- a/moonv4/moon_authz/tests/unit_python/requirements.txt
+++ b/moon_authz/tests/unit_python/requirements.txt
diff --git a/moonv4/moon_authz/tests/unit_python/test_authz.py b/moon_authz/tests/unit_python/test_authz.py
index f98abebc..f98abebc 100644
--- a/moonv4/moon_authz/tests/unit_python/test_authz.py
+++ b/moon_authz/tests/unit_python/test_authz.py
diff --git a/moonv4/moon_authz/tests/unit_python/utilities.py b/moon_authz/tests/unit_python/utilities.py
index 19b9354c..19b9354c 100644
--- a/moonv4/moon_authz/tests/unit_python/utilities.py
+++ b/moon_authz/tests/unit_python/utilities.py
diff --git a/moonv4/moon_bouchon/Dockerfile b/moon_bouchon/Dockerfile
index ed013935..ed013935 100644
--- a/moonv4/moon_bouchon/Dockerfile
+++ b/moon_bouchon/Dockerfile
diff --git a/moonv4/moon_bouchon/README.md b/moon_bouchon/README.md
index 11733cef..11733cef 100644
--- a/moonv4/moon_bouchon/README.md
+++ b/moon_bouchon/README.md
diff --git a/moonv4/moon_bouchon/moon_bouchon/__init__.py b/moon_bouchon/moon_bouchon/__init__.py
index 8811d91d..8811d91d 100644
--- a/moonv4/moon_bouchon/moon_bouchon/__init__.py
+++ b/moon_bouchon/moon_bouchon/__init__.py
diff --git a/moonv4/moon_bouchon/moon_bouchon/__main__.py b/moon_bouchon/moon_bouchon/__main__.py
index 4499a96b..4499a96b 100644
--- a/moonv4/moon_bouchon/moon_bouchon/__main__.py
+++ b/moon_bouchon/moon_bouchon/__main__.py
diff --git a/moonv4/moon_bouchon/moon_bouchon/server.py b/moon_bouchon/moon_bouchon/server.py
index 29e9101e..29e9101e 100644
--- a/moonv4/moon_bouchon/moon_bouchon/server.py
+++ b/moon_bouchon/moon_bouchon/server.py
diff --git a/moonv4/moon_bouchon/requirements.txt b/moon_bouchon/requirements.txt
index 8ab6294c..8ab6294c 100644
--- a/moonv4/moon_bouchon/requirements.txt
+++ b/moon_bouchon/requirements.txt
diff --git a/moonv4/moon_bouchon/setup.cfg b/moon_bouchon/setup.cfg
index 7c2b2874..7c2b2874 100644
--- a/moonv4/moon_bouchon/setup.cfg
+++ b/moon_bouchon/setup.cfg
diff --git a/moonv4/moon_bouchon/setup.py b/moon_bouchon/setup.py
index a875be40..a875be40 100644
--- a/moonv4/moon_bouchon/setup.py
+++ b/moon_bouchon/setup.py
diff --git a/moonv4/moon_bouchon/tests/test_interface.py b/moon_bouchon/tests/test_interface.py
index 425ba2e5..425ba2e5 100644
--- a/moonv4/moon_bouchon/tests/test_interface.py
+++ b/moon_bouchon/tests/test_interface.py
diff --git a/moonv4/moon_bouchon/tests/test_wrapper.py b/moon_bouchon/tests/test_wrapper.py
index 3d5e150c..3d5e150c 100644
--- a/moonv4/moon_bouchon/tests/test_wrapper.py
+++ b/moon_bouchon/tests/test_wrapper.py
diff --git a/moonv4/moon_gui/.gitignore b/moon_gui/.gitignore
index 04bca1bc..04bca1bc 100644
--- a/moonv4/moon_gui/.gitignore
+++ b/moon_gui/.gitignore
diff --git a/moonv4/moon_gui/.jshintrc b/moon_gui/.jshintrc
index b9955f87..b9955f87 100644
--- a/moonv4/moon_gui/.jshintrc
+++ b/moon_gui/.jshintrc
diff --git a/moonv4/moon_gui/DEV.md b/moon_gui/DEV.md
index 28743da3..28743da3 100644
--- a/moonv4/moon_gui/DEV.md
+++ b/moon_gui/DEV.md
diff --git a/moonv4/moon_gui/Dockerfile b/moon_gui/Dockerfile
index 428e1037..428e1037 100644
--- a/moonv4/moon_gui/Dockerfile
+++ b/moon_gui/Dockerfile
diff --git a/moonv4/moon_gui/README.md b/moon_gui/README.md
index ff6e5a97..ff6e5a97 100644
--- a/moonv4/moon_gui/README.md
+++ b/moon_gui/README.md
diff --git a/moonv4/moon_gui/delivery/assets/css/main.css b/moon_gui/delivery/assets/css/main.css
index dbc15489..dbc15489 100644
--- a/moonv4/moon_gui/delivery/assets/css/main.css
+++ b/moon_gui/delivery/assets/css/main.css
diff --git a/moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.eot b/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.eot
index 4a4ca865..4a4ca865 100644
--- a/moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.eot
+++ b/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.eot
Binary files differ
diff --git a/moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.svg b/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.svg
index e3e2dc73..e3e2dc73 100644
--- a/moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.svg
+++ b/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.svg
diff --git a/moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.ttf b/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.ttf
index 67fa00bf..67fa00bf 100644
--- a/moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.ttf
+++ b/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.ttf
Binary files differ
diff --git a/moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.woff b/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.woff
index 8c54182a..8c54182a 100644
--- a/moonv4/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.woff
+++ b/moon_gui/delivery/assets/fonts/glyphicons-halflings-regular.woff
Binary files differ
diff --git a/moonv4/moon_gui/delivery/assets/i18n/en.json b/moon_gui/delivery/assets/i18n/en.json
index dd54e112..dd54e112 100755
--- a/moonv4/moon_gui/delivery/assets/i18n/en.json
+++ b/moon_gui/delivery/assets/i18n/en.json
diff --git a/moonv4/moon_gui/delivery/assets/i18n/fr.json b/moon_gui/delivery/assets/i18n/fr.json
index 85c513b3..85c513b3 100755
--- a/moonv4/moon_gui/delivery/assets/i18n/fr.json
+++ b/moon_gui/delivery/assets/i18n/fr.json
diff --git a/moonv4/moon_gui/delivery/assets/img/ajax-loader.gif b/moon_gui/delivery/assets/img/ajax-loader.gif
index d0bce154..d0bce154 100755
--- a/moonv4/moon_gui/delivery/assets/img/ajax-loader.gif
+++ b/moon_gui/delivery/assets/img/ajax-loader.gif
Binary files differ
diff --git a/moonv4/moon_gui/delivery/assets/img/ajax-waiting.gif b/moon_gui/delivery/assets/img/ajax-waiting.gif
index d84f6537..d84f6537 100755
--- a/moonv4/moon_gui/delivery/assets/img/ajax-waiting.gif
+++ b/moon_gui/delivery/assets/img/ajax-waiting.gif
Binary files differ
diff --git a/moonv4/moon_gui/delivery/assets/img/arrow-link.gif b/moon_gui/delivery/assets/img/arrow-link.gif
index ca17f44b..ca17f44b 100755
--- a/moonv4/moon_gui/delivery/assets/img/arrow-link.gif
+++ b/moon_gui/delivery/assets/img/arrow-link.gif
Binary files differ
diff --git a/moonv4/moon_gui/delivery/assets/img/favicon.ico b/moon_gui/delivery/assets/img/favicon.ico
index a7910bf5..a7910bf5 100755
--- a/moonv4/moon_gui/delivery/assets/img/favicon.ico
+++ b/moon_gui/delivery/assets/img/favicon.ico
Binary files differ
diff --git a/moonv4/moon_gui/delivery/assets/img/logo-openstack.png b/moon_gui/delivery/assets/img/logo-openstack.png
index 60ab0e1e..60ab0e1e 100755
--- a/moonv4/moon_gui/delivery/assets/img/logo-openstack.png
+++ b/moon_gui/delivery/assets/img/logo-openstack.png
Binary files differ
diff --git a/moonv4/moon_gui/delivery/assets/img/logo-orange.gif b/moon_gui/delivery/assets/img/logo-orange.gif
index 9c612291..9c612291 100755
--- a/moonv4/moon_gui/delivery/assets/img/logo-orange.gif
+++ b/moon_gui/delivery/assets/img/logo-orange.gif
Binary files differ
diff --git a/moonv4/moon_gui/delivery/html/authentication/authentication.tpl.html b/moon_gui/delivery/html/authentication/authentication.tpl.html
index d942d8e8..d942d8e8 100644
--- a/moonv4/moon_gui/delivery/html/authentication/authentication.tpl.html
+++ b/moon_gui/delivery/html/authentication/authentication.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/common/404/404.tpl.html b/moon_gui/delivery/html/common/404/404.tpl.html
index f03a2e98..f03a2e98 100644
--- a/moonv4/moon_gui/delivery/html/common/404/404.tpl.html
+++ b/moon_gui/delivery/html/common/404/404.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/common/compatibility/compatibility.tpl.html b/moon_gui/delivery/html/common/compatibility/compatibility.tpl.html
index 7a39554e..7a39554e 100644
--- a/moonv4/moon_gui/delivery/html/common/compatibility/compatibility.tpl.html
+++ b/moon_gui/delivery/html/common/compatibility/compatibility.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/common/footer/footer.tpl.html b/moon_gui/delivery/html/common/footer/footer.tpl.html
index 6c01bd92..6c01bd92 100644
--- a/moonv4/moon_gui/delivery/html/common/footer/footer.tpl.html
+++ b/moon_gui/delivery/html/common/footer/footer.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/common/header/header.tpl.html b/moon_gui/delivery/html/common/header/header.tpl.html
index 6f46cf8f..6f46cf8f 100644
--- a/moonv4/moon_gui/delivery/html/common/header/header.tpl.html
+++ b/moon_gui/delivery/html/common/header/header.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/common/loader/loader.tpl.html b/moon_gui/delivery/html/common/loader/loader.tpl.html
index dc52e911..dc52e911 100644
--- a/moonv4/moon_gui/delivery/html/common/loader/loader.tpl.html
+++ b/moon_gui/delivery/html/common/loader/loader.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/common/waiting/waiting.tpl.html b/moon_gui/delivery/html/common/waiting/waiting.tpl.html
index eca2ae9e..eca2ae9e 100644
--- a/moonv4/moon_gui/delivery/html/common/waiting/waiting.tpl.html
+++ b/moon_gui/delivery/html/common/waiting/waiting.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/dashboard/dashboard.tpl.html b/moon_gui/delivery/html/dashboard/dashboard.tpl.html
index caee0db0..caee0db0 100644
--- a/moonv4/moon_gui/delivery/html/dashboard/dashboard.tpl.html
+++ b/moon_gui/delivery/html/dashboard/dashboard.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/logs/logs.tpl.html b/moon_gui/delivery/html/logs/logs.tpl.html
index bb6dd686..bb6dd686 100644
--- a/moonv4/moon_gui/delivery/html/logs/logs.tpl.html
+++ b/moon_gui/delivery/html/logs/logs.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/action/model-add.tpl.html b/moon_gui/delivery/html/model/action/model-add.tpl.html
index 5741b537..5741b537 100644
--- a/moonv4/moon_gui/delivery/html/model/action/model-add.tpl.html
+++ b/moon_gui/delivery/html/model/action/model-add.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/action/model-delete.tpl.html b/moon_gui/delivery/html/model/action/model-delete.tpl.html
index 79e4aa0d..79e4aa0d 100644
--- a/moonv4/moon_gui/delivery/html/model/action/model-delete.tpl.html
+++ b/moon_gui/delivery/html/model/action/model-delete.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/action/model-view.tpl.html b/moon_gui/delivery/html/model/action/model-view.tpl.html
index 46673c0a..46673c0a 100644
--- a/moonv4/moon_gui/delivery/html/model/action/model-view.tpl.html
+++ b/moon_gui/delivery/html/model/action/model-view.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/metadata/metadata-edit.tpl.html b/moon_gui/delivery/html/model/edit/metadata/metadata-edit.tpl.html
index 7d53a991..7d53a991 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/metadata/metadata-edit.tpl.html
+++ b/moon_gui/delivery/html/model/edit/metadata/metadata-edit.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/metadata/metadata-list.tpl.html b/moon_gui/delivery/html/model/edit/metadata/metadata-list.tpl.html
index 050bfbce..050bfbce 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/metadata/metadata-list.tpl.html
+++ b/moon_gui/delivery/html/model/edit/metadata/metadata-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-add.tpl.html b/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-add.tpl.html
index 8593236d..8593236d 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-add.tpl.html
+++ b/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-add.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-map.tpl.html b/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-map.tpl.html
index 0170fc2e..0170fc2e 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-map.tpl.html
+++ b/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-map.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-unmap.tpl.html b/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-unmap.tpl.html
index 76e1e486..76e1e486 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-unmap.tpl.html
+++ b/moon_gui/delivery/html/model/edit/metarules/action/mapping/metarules-unmap.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit-basic.tpl.html b/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit-basic.tpl.html
index 3a171600..3a171600 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit-basic.tpl.html
+++ b/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit-basic.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit.tpl.html b/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit.tpl.html
index fe37cc90..fe37cc90 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit.tpl.html
+++ b/moon_gui/delivery/html/model/edit/metarules/action/metarules-edit.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/metarules/metarules-list.tpl.html b/moon_gui/delivery/html/model/edit/metarules/metarules-list.tpl.html
index c6d6c92e..c6d6c92e 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/metarules/metarules-list.tpl.html
+++ b/moon_gui/delivery/html/model/edit/metarules/metarules-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/model-edit-basic.tpl.html b/moon_gui/delivery/html/model/edit/model-edit-basic.tpl.html
index a645b1ee..a645b1ee 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/model-edit-basic.tpl.html
+++ b/moon_gui/delivery/html/model/edit/model-edit-basic.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/edit/model-edit.tpl.html b/moon_gui/delivery/html/model/edit/model-edit.tpl.html
index 10f4545b..10f4545b 100644
--- a/moonv4/moon_gui/delivery/html/model/edit/model-edit.tpl.html
+++ b/moon_gui/delivery/html/model/edit/model-edit.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/model/model-list.tpl.html b/moon_gui/delivery/html/model/model-list.tpl.html
index 138a66b7..138a66b7 100644
--- a/moonv4/moon_gui/delivery/html/model/model-list.tpl.html
+++ b/moon_gui/delivery/html/model/model-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/pdp/action/pdp-add.tpl.html b/moon_gui/delivery/html/pdp/action/pdp-add.tpl.html
index e372a8c3..e372a8c3 100644
--- a/moonv4/moon_gui/delivery/html/pdp/action/pdp-add.tpl.html
+++ b/moon_gui/delivery/html/pdp/action/pdp-add.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/pdp/action/pdp-delete.tpl.html b/moon_gui/delivery/html/pdp/action/pdp-delete.tpl.html
index 2c8a5f34..2c8a5f34 100644
--- a/moonv4/moon_gui/delivery/html/pdp/action/pdp-delete.tpl.html
+++ b/moon_gui/delivery/html/pdp/action/pdp-delete.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/pdp/edit/pdp-edit-basic.tpl.html b/moon_gui/delivery/html/pdp/edit/pdp-edit-basic.tpl.html
index e15e27e0..e15e27e0 100644
--- a/moonv4/moon_gui/delivery/html/pdp/edit/pdp-edit-basic.tpl.html
+++ b/moon_gui/delivery/html/pdp/edit/pdp-edit-basic.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/pdp/edit/pdp-edit.tpl.html b/moon_gui/delivery/html/pdp/edit/pdp-edit.tpl.html
index 96b3dd78..96b3dd78 100644
--- a/moonv4/moon_gui/delivery/html/pdp/edit/pdp-edit.tpl.html
+++ b/moon_gui/delivery/html/pdp/edit/pdp-edit.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/pdp/pdp-list.tpl.html b/moon_gui/delivery/html/pdp/pdp-list.tpl.html
index 31d1aae0..31d1aae0 100644
--- a/moonv4/moon_gui/delivery/html/pdp/pdp-list.tpl.html
+++ b/moon_gui/delivery/html/pdp/pdp-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/action/mapping/policy-map.tpl.html b/moon_gui/delivery/html/policy/action/mapping/policy-map.tpl.html
index 9d115c18..9d115c18 100644
--- a/moonv4/moon_gui/delivery/html/policy/action/mapping/policy-map.tpl.html
+++ b/moon_gui/delivery/html/policy/action/mapping/policy-map.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/action/mapping/policy-unmap.tpl.html b/moon_gui/delivery/html/policy/action/mapping/policy-unmap.tpl.html
index 3892782d..3892782d 100644
--- a/moonv4/moon_gui/delivery/html/policy/action/mapping/policy-unmap.tpl.html
+++ b/moon_gui/delivery/html/policy/action/mapping/policy-unmap.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/action/policy-add.tpl.html b/moon_gui/delivery/html/policy/action/policy-add.tpl.html
index e1220479..e1220479 100644
--- a/moonv4/moon_gui/delivery/html/policy/action/policy-add.tpl.html
+++ b/moon_gui/delivery/html/policy/action/policy-add.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/action/policy-delete.tpl.html b/moon_gui/delivery/html/policy/action/policy-delete.tpl.html
index d2c679e3..d2c679e3 100644
--- a/moonv4/moon_gui/delivery/html/policy/action/policy-delete.tpl.html
+++ b/moon_gui/delivery/html/policy/action/policy-delete.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/edit/parameter/assignments/assignments-list.tpl.html b/moon_gui/delivery/html/policy/edit/parameter/assignments/assignments-list.tpl.html
index 6cae38d8..6cae38d8 100644
--- a/moonv4/moon_gui/delivery/html/policy/edit/parameter/assignments/assignments-list.tpl.html
+++ b/moon_gui/delivery/html/policy/edit/parameter/assignments/assignments-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/edit/parameter/data/data-list.tpl.html b/moon_gui/delivery/html/policy/edit/parameter/data/data-list.tpl.html
index ef9b2ba7..ef9b2ba7 100644
--- a/moonv4/moon_gui/delivery/html/policy/edit/parameter/data/data-list.tpl.html
+++ b/moon_gui/delivery/html/policy/edit/parameter/data/data-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/edit/parameter/perimeter/perimeter-list.tpl.html b/moon_gui/delivery/html/policy/edit/parameter/perimeter/perimeter-list.tpl.html
index 5331e640..5331e640 100644
--- a/moonv4/moon_gui/delivery/html/policy/edit/parameter/perimeter/perimeter-list.tpl.html
+++ b/moon_gui/delivery/html/policy/edit/parameter/perimeter/perimeter-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/edit/parameter/rules/rules-list.tpl.html b/moon_gui/delivery/html/policy/edit/parameter/rules/rules-list.tpl.html
index 98669f6f..98669f6f 100644
--- a/moonv4/moon_gui/delivery/html/policy/edit/parameter/rules/rules-list.tpl.html
+++ b/moon_gui/delivery/html/policy/edit/parameter/rules/rules-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/edit/policy-edit-basic.tpl.html b/moon_gui/delivery/html/policy/edit/policy-edit-basic.tpl.html
index 23f760d4..23f760d4 100644
--- a/moonv4/moon_gui/delivery/html/policy/edit/policy-edit-basic.tpl.html
+++ b/moon_gui/delivery/html/policy/edit/policy-edit-basic.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/edit/policy-edit.tpl.html b/moon_gui/delivery/html/policy/edit/policy-edit.tpl.html
index 0e4525f7..0e4525f7 100644
--- a/moonv4/moon_gui/delivery/html/policy/edit/policy-edit.tpl.html
+++ b/moon_gui/delivery/html/policy/edit/policy-edit.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/policy-list.tpl.html b/moon_gui/delivery/html/policy/policy-list.tpl.html
index 2e8a981c..2e8a981c 100644
--- a/moonv4/moon_gui/delivery/html/policy/policy-list.tpl.html
+++ b/moon_gui/delivery/html/policy/policy-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/policy/policy-mapped-list.tpl.html b/moon_gui/delivery/html/policy/policy-mapped-list.tpl.html
index 2e18a1b5..2e18a1b5 100644
--- a/moonv4/moon_gui/delivery/html/policy/policy-mapped-list.tpl.html
+++ b/moon_gui/delivery/html/policy/policy-mapped-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/project/action/mapping/project-map.tpl.html b/moon_gui/delivery/html/project/action/mapping/project-map.tpl.html
index dd47853f..dd47853f 100644
--- a/moonv4/moon_gui/delivery/html/project/action/mapping/project-map.tpl.html
+++ b/moon_gui/delivery/html/project/action/mapping/project-map.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/project/action/mapping/project-unmap.tpl.html b/moon_gui/delivery/html/project/action/mapping/project-unmap.tpl.html
index bde6982e..bde6982e 100644
--- a/moonv4/moon_gui/delivery/html/project/action/mapping/project-unmap.tpl.html
+++ b/moon_gui/delivery/html/project/action/mapping/project-unmap.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/project/action/project-add.tpl.html b/moon_gui/delivery/html/project/action/project-add.tpl.html
index 612aa9b5..612aa9b5 100644
--- a/moonv4/moon_gui/delivery/html/project/action/project-add.tpl.html
+++ b/moon_gui/delivery/html/project/action/project-add.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/project/action/project-delete.tpl.html b/moon_gui/delivery/html/project/action/project-delete.tpl.html
index a3a2d3e4..a3a2d3e4 100644
--- a/moonv4/moon_gui/delivery/html/project/action/project-delete.tpl.html
+++ b/moon_gui/delivery/html/project/action/project-delete.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/project/action/project-view.tpl.html b/moon_gui/delivery/html/project/action/project-view.tpl.html
index b2bd975b..b2bd975b 100644
--- a/moonv4/moon_gui/delivery/html/project/action/project-view.tpl.html
+++ b/moon_gui/delivery/html/project/action/project-view.tpl.html
diff --git a/moonv4/moon_gui/delivery/html/project/project-list.tpl.html b/moon_gui/delivery/html/project/project-list.tpl.html
index d0ab8886..d0ab8886 100644
--- a/moonv4/moon_gui/delivery/html/project/project-list.tpl.html
+++ b/moon_gui/delivery/html/project/project-list.tpl.html
diff --git a/moonv4/moon_gui/delivery/index.html b/moon_gui/delivery/index.html
index 0631ab7a..0631ab7a 100644
--- a/moonv4/moon_gui/delivery/index.html
+++ b/moon_gui/delivery/index.html
diff --git a/moonv4/moon_gui/delivery/js/app.js b/moon_gui/delivery/js/app.js
index ef98d469..ef98d469 100644
--- a/moonv4/moon_gui/delivery/js/app.js
+++ b/moon_gui/delivery/js/app.js
diff --git a/moonv4/moon_gui/delivery/js/modules.js b/moon_gui/delivery/js/modules.js
index 834d4eb8..834d4eb8 100644
--- a/moonv4/moon_gui/delivery/js/modules.js
+++ b/moon_gui/delivery/js/modules.js
diff --git a/moonv4/moon_gui/delivery/version.json b/moon_gui/delivery/version.json
index 0e224bd8..0e224bd8 100755
--- a/moonv4/moon_gui/delivery/version.json
+++ b/moon_gui/delivery/version.json
diff --git a/moonv4/moon_gui/gulpfile.js b/moon_gui/gulpfile.js
index 5929da4b..5929da4b 100644
--- a/moonv4/moon_gui/gulpfile.js
+++ b/moon_gui/gulpfile.js
diff --git a/moonv4/moon_gui/package.json b/moon_gui/package.json
index cfb51078..cfb51078 100644
--- a/moonv4/moon_gui/package.json
+++ b/moon_gui/package.json
diff --git a/moonv4/moon_gui/run.sh b/moon_gui/run.sh
index 94bc8360..94bc8360 100644
--- a/moonv4/moon_gui/run.sh
+++ b/moon_gui/run.sh
diff --git a/moonv4/moon_gui/static/app/authentication/authentication.controller.js b/moon_gui/static/app/authentication/authentication.controller.js
index ce38bc5f..ce38bc5f 100755
--- a/moonv4/moon_gui/static/app/authentication/authentication.controller.js
+++ b/moon_gui/static/app/authentication/authentication.controller.js
diff --git a/moonv4/moon_gui/static/app/authentication/authentication.tpl.html b/moon_gui/static/app/authentication/authentication.tpl.html
index 77d1646b..77d1646b 100755
--- a/moonv4/moon_gui/static/app/authentication/authentication.tpl.html
+++ b/moon_gui/static/app/authentication/authentication.tpl.html
diff --git a/moonv4/moon_gui/static/app/common/404/404.tpl.html b/moon_gui/static/app/common/404/404.tpl.html
index 61e0420c..61e0420c 100755
--- a/moonv4/moon_gui/static/app/common/404/404.tpl.html
+++ b/moon_gui/static/app/common/404/404.tpl.html
diff --git a/moonv4/moon_gui/static/app/common/compatibility/compatibility.tpl.html b/moon_gui/static/app/common/compatibility/compatibility.tpl.html
index 0e32dc4f..0e32dc4f 100755
--- a/moonv4/moon_gui/static/app/common/compatibility/compatibility.tpl.html
+++ b/moon_gui/static/app/common/compatibility/compatibility.tpl.html
diff --git a/moonv4/moon_gui/static/app/common/footer/footer.controller.js b/moon_gui/static/app/common/footer/footer.controller.js
index d7506840..d7506840 100755
--- a/moonv4/moon_gui/static/app/common/footer/footer.controller.js
+++ b/moon_gui/static/app/common/footer/footer.controller.js
diff --git a/moonv4/moon_gui/static/app/common/footer/footer.tpl.html b/moon_gui/static/app/common/footer/footer.tpl.html
index aacb392d..aacb392d 100755
--- a/moonv4/moon_gui/static/app/common/footer/footer.tpl.html
+++ b/moon_gui/static/app/common/footer/footer.tpl.html
diff --git a/moonv4/moon_gui/static/app/common/header/header.controller.js b/moon_gui/static/app/common/header/header.controller.js
index 13ef4d6f..13ef4d6f 100755
--- a/moonv4/moon_gui/static/app/common/header/header.controller.js
+++ b/moon_gui/static/app/common/header/header.controller.js
diff --git a/moonv4/moon_gui/static/app/common/header/header.tpl.html b/moon_gui/static/app/common/header/header.tpl.html
index f703fa79..f703fa79 100755
--- a/moonv4/moon_gui/static/app/common/header/header.tpl.html
+++ b/moon_gui/static/app/common/header/header.tpl.html
diff --git a/moonv4/moon_gui/static/app/common/loader/loader.dir.js b/moon_gui/static/app/common/loader/loader.dir.js
index ba40c121..ba40c121 100755
--- a/moonv4/moon_gui/static/app/common/loader/loader.dir.js
+++ b/moon_gui/static/app/common/loader/loader.dir.js
diff --git a/moonv4/moon_gui/static/app/common/loader/loader.tpl.html b/moon_gui/static/app/common/loader/loader.tpl.html
index 51da439f..51da439f 100755
--- a/moonv4/moon_gui/static/app/common/loader/loader.tpl.html
+++ b/moon_gui/static/app/common/loader/loader.tpl.html
diff --git a/moonv4/moon_gui/static/app/common/waiting/waiting.tpl.html b/moon_gui/static/app/common/waiting/waiting.tpl.html
index 6c042635..6c042635 100755
--- a/moonv4/moon_gui/static/app/common/waiting/waiting.tpl.html
+++ b/moon_gui/static/app/common/waiting/waiting.tpl.html
diff --git a/moonv4/moon_gui/static/app/dashboard/dashboard.tpl.html b/moon_gui/static/app/dashboard/dashboard.tpl.html
index 67184bcc..67184bcc 100755
--- a/moonv4/moon_gui/static/app/dashboard/dashboard.tpl.html
+++ b/moon_gui/static/app/dashboard/dashboard.tpl.html
diff --git a/moonv4/moon_gui/static/app/logs/logs.controller.js b/moon_gui/static/app/logs/logs.controller.js
index e48e2b8b..e48e2b8b 100755
--- a/moonv4/moon_gui/static/app/logs/logs.controller.js
+++ b/moon_gui/static/app/logs/logs.controller.js
diff --git a/moonv4/moon_gui/static/app/logs/logs.tpl.html b/moon_gui/static/app/logs/logs.tpl.html
index fecc0289..fecc0289 100755
--- a/moonv4/moon_gui/static/app/logs/logs.tpl.html
+++ b/moon_gui/static/app/logs/logs.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/action/model-add.tpl.html b/moon_gui/static/app/model/action/model-add.tpl.html
index dee53a97..dee53a97 100755
--- a/moonv4/moon_gui/static/app/model/action/model-add.tpl.html
+++ b/moon_gui/static/app/model/action/model-add.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/action/model-delete.tpl.html b/moon_gui/static/app/model/action/model-delete.tpl.html
index cde16d0e..cde16d0e 100755
--- a/moonv4/moon_gui/static/app/model/action/model-delete.tpl.html
+++ b/moon_gui/static/app/model/action/model-delete.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/action/model-view.tpl.html b/moon_gui/static/app/model/action/model-view.tpl.html
index 46c295c7..46c295c7 100755
--- a/moonv4/moon_gui/static/app/model/action/model-view.tpl.html
+++ b/moon_gui/static/app/model/action/model-view.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/action/model.controller.add.js b/moon_gui/static/app/model/action/model.controller.add.js
index 11d3abf4..11d3abf4 100755
--- a/moonv4/moon_gui/static/app/model/action/model.controller.add.js
+++ b/moon_gui/static/app/model/action/model.controller.add.js
diff --git a/moonv4/moon_gui/static/app/model/action/model.controller.delete.js b/moon_gui/static/app/model/action/model.controller.delete.js
index 5d9dae1a..5d9dae1a 100755
--- a/moonv4/moon_gui/static/app/model/action/model.controller.delete.js
+++ b/moon_gui/static/app/model/action/model.controller.delete.js
diff --git a/moonv4/moon_gui/static/app/model/action/model.controller.view.js b/moon_gui/static/app/model/action/model.controller.view.js
index 7605eecf..7605eecf 100755
--- a/moonv4/moon_gui/static/app/model/action/model.controller.view.js
+++ b/moon_gui/static/app/model/action/model.controller.view.js
diff --git a/moonv4/moon_gui/static/app/model/edit/metadata/metadata-edit.tpl.html b/moon_gui/static/app/model/edit/metadata/metadata-edit.tpl.html
index 2616be1c..2616be1c 100755
--- a/moonv4/moon_gui/static/app/model/edit/metadata/metadata-edit.tpl.html
+++ b/moon_gui/static/app/model/edit/metadata/metadata-edit.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/metadata/metadata-list.tpl.html b/moon_gui/static/app/model/edit/metadata/metadata-list.tpl.html
index 30a42dbc..30a42dbc 100755
--- a/moonv4/moon_gui/static/app/model/edit/metadata/metadata-list.tpl.html
+++ b/moon_gui/static/app/model/edit/metadata/metadata-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/metadata/metadata.edit.dir.js b/moon_gui/static/app/model/edit/metadata/metadata.edit.dir.js
index 10df83b0..10df83b0 100755
--- a/moonv4/moon_gui/static/app/model/edit/metadata/metadata.edit.dir.js
+++ b/moon_gui/static/app/model/edit/metadata/metadata.edit.dir.js
diff --git a/moonv4/moon_gui/static/app/model/edit/metadata/metadata.list.dir.js b/moon_gui/static/app/model/edit/metadata/metadata.list.dir.js
index beb2ed86..beb2ed86 100755
--- a/moonv4/moon_gui/static/app/model/edit/metadata/metadata.list.dir.js
+++ b/moon_gui/static/app/model/edit/metadata/metadata.list.dir.js
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-add.tpl.html b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-add.tpl.html
index a721e6d0..a721e6d0 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-add.tpl.html
+++ b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-add.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-map.tpl.html b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-map.tpl.html
index 1830204b..1830204b 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-map.tpl.html
+++ b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-map.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-unmap.tpl.html b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-unmap.tpl.html
index bb02aba2..bb02aba2 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-unmap.tpl.html
+++ b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules-unmap.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.controller.add.js b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.controller.add.js
index a95951fa..a95951fa 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.controller.add.js
+++ b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.controller.add.js
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.map.controller.js b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.map.controller.js
index cf9ba06c..cf9ba06c 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.map.controller.js
+++ b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.map.controller.js
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.unmap.controller.js b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.unmap.controller.js
index 30f32d51..30f32d51 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.unmap.controller.js
+++ b/moon_gui/static/app/model/edit/metarules/action/mapping/metarules.unmap.controller.js
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/metarules-edit-basic.tpl.html b/moon_gui/static/app/model/edit/metarules/action/metarules-edit-basic.tpl.html
index b6136195..b6136195 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/metarules-edit-basic.tpl.html
+++ b/moon_gui/static/app/model/edit/metarules/action/metarules-edit-basic.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/metarules-edit.tpl.html b/moon_gui/static/app/model/edit/metarules/action/metarules-edit.tpl.html
index 7b074448..7b074448 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/metarules-edit.tpl.html
+++ b/moon_gui/static/app/model/edit/metarules/action/metarules-edit.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/metarules.controller.edit.js b/moon_gui/static/app/model/edit/metarules/action/metarules.controller.edit.js
index b2ebc45d..b2ebc45d 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/metarules.controller.edit.js
+++ b/moon_gui/static/app/model/edit/metarules/action/metarules.controller.edit.js
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/action/metarules.edit.basic.dir.js b/moon_gui/static/app/model/edit/metarules/action/metarules.edit.basic.dir.js
index 603e7a33..603e7a33 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/action/metarules.edit.basic.dir.js
+++ b/moon_gui/static/app/model/edit/metarules/action/metarules.edit.basic.dir.js
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/metarules-list.tpl.html b/moon_gui/static/app/model/edit/metarules/metarules-list.tpl.html
index ebe307c3..ebe307c3 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/metarules-list.tpl.html
+++ b/moon_gui/static/app/model/edit/metarules/metarules-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/metarules/metarules.list.dir.js b/moon_gui/static/app/model/edit/metarules/metarules.list.dir.js
index 120b6a8b..120b6a8b 100755
--- a/moonv4/moon_gui/static/app/model/edit/metarules/metarules.list.dir.js
+++ b/moon_gui/static/app/model/edit/metarules/metarules.list.dir.js
diff --git a/moonv4/moon_gui/static/app/model/edit/model-edit-basic.tpl.html b/moon_gui/static/app/model/edit/model-edit-basic.tpl.html
index bd73b4ef..bd73b4ef 100755
--- a/moonv4/moon_gui/static/app/model/edit/model-edit-basic.tpl.html
+++ b/moon_gui/static/app/model/edit/model-edit-basic.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/model-edit.tpl.html b/moon_gui/static/app/model/edit/model-edit.tpl.html
index 4955f441..4955f441 100755
--- a/moonv4/moon_gui/static/app/model/edit/model-edit.tpl.html
+++ b/moon_gui/static/app/model/edit/model-edit.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/edit/model.controller.edit.js b/moon_gui/static/app/model/edit/model.controller.edit.js
index 3e10a533..3e10a533 100755
--- a/moonv4/moon_gui/static/app/model/edit/model.controller.edit.js
+++ b/moon_gui/static/app/model/edit/model.controller.edit.js
diff --git a/moonv4/moon_gui/static/app/model/edit/model.edit.basic.dir.js b/moon_gui/static/app/model/edit/model.edit.basic.dir.js
index 54bb7071..54bb7071 100755
--- a/moonv4/moon_gui/static/app/model/edit/model.edit.basic.dir.js
+++ b/moon_gui/static/app/model/edit/model.edit.basic.dir.js
diff --git a/moonv4/moon_gui/static/app/model/model-list.tpl.html b/moon_gui/static/app/model/model-list.tpl.html
index 89c682cc..89c682cc 100755
--- a/moonv4/moon_gui/static/app/model/model-list.tpl.html
+++ b/moon_gui/static/app/model/model-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/model/model.controller.list.js b/moon_gui/static/app/model/model.controller.list.js
index 5021a57e..5021a57e 100755
--- a/moonv4/moon_gui/static/app/model/model.controller.list.js
+++ b/moon_gui/static/app/model/model.controller.list.js
diff --git a/moonv4/moon_gui/static/app/moon.constants.js b/moon_gui/static/app/moon.constants.js
index 9681e3dc..9681e3dc 100644
--- a/moonv4/moon_gui/static/app/moon.constants.js
+++ b/moon_gui/static/app/moon.constants.js
diff --git a/moonv4/moon_gui/static/app/moon.module.js b/moon_gui/static/app/moon.module.js
index a653f8f3..a653f8f3 100755
--- a/moonv4/moon_gui/static/app/moon.module.js
+++ b/moon_gui/static/app/moon.module.js
diff --git a/moonv4/moon_gui/static/app/pdp/action/pdp-add.tpl.html b/moon_gui/static/app/pdp/action/pdp-add.tpl.html
index f83fb85c..f83fb85c 100755
--- a/moonv4/moon_gui/static/app/pdp/action/pdp-add.tpl.html
+++ b/moon_gui/static/app/pdp/action/pdp-add.tpl.html
diff --git a/moonv4/moon_gui/static/app/pdp/action/pdp-delete.tpl.html b/moon_gui/static/app/pdp/action/pdp-delete.tpl.html
index 167ba417..167ba417 100755
--- a/moonv4/moon_gui/static/app/pdp/action/pdp-delete.tpl.html
+++ b/moon_gui/static/app/pdp/action/pdp-delete.tpl.html
diff --git a/moonv4/moon_gui/static/app/pdp/action/pdp.controller.add.js b/moon_gui/static/app/pdp/action/pdp.controller.add.js
index d1c34c79..d1c34c79 100755
--- a/moonv4/moon_gui/static/app/pdp/action/pdp.controller.add.js
+++ b/moon_gui/static/app/pdp/action/pdp.controller.add.js
diff --git a/moonv4/moon_gui/static/app/pdp/action/pdp.controller.delete.js b/moon_gui/static/app/pdp/action/pdp.controller.delete.js
index 62557864..62557864 100755
--- a/moonv4/moon_gui/static/app/pdp/action/pdp.controller.delete.js
+++ b/moon_gui/static/app/pdp/action/pdp.controller.delete.js
diff --git a/moonv4/moon_gui/static/app/pdp/edit/pdp-edit-basic.tpl.html b/moon_gui/static/app/pdp/edit/pdp-edit-basic.tpl.html
index 887d81ca..887d81ca 100755
--- a/moonv4/moon_gui/static/app/pdp/edit/pdp-edit-basic.tpl.html
+++ b/moon_gui/static/app/pdp/edit/pdp-edit-basic.tpl.html
diff --git a/moonv4/moon_gui/static/app/pdp/edit/pdp-edit.tpl.html b/moon_gui/static/app/pdp/edit/pdp-edit.tpl.html
index 1fbd555a..1fbd555a 100755
--- a/moonv4/moon_gui/static/app/pdp/edit/pdp-edit.tpl.html
+++ b/moon_gui/static/app/pdp/edit/pdp-edit.tpl.html
diff --git a/moonv4/moon_gui/static/app/pdp/edit/pdp.controller.edit.js b/moon_gui/static/app/pdp/edit/pdp.controller.edit.js
index 41b73098..41b73098 100755
--- a/moonv4/moon_gui/static/app/pdp/edit/pdp.controller.edit.js
+++ b/moon_gui/static/app/pdp/edit/pdp.controller.edit.js
diff --git a/moonv4/moon_gui/static/app/pdp/edit/pdp.edit.basic.dir.js b/moon_gui/static/app/pdp/edit/pdp.edit.basic.dir.js
index 402422b6..402422b6 100755
--- a/moonv4/moon_gui/static/app/pdp/edit/pdp.edit.basic.dir.js
+++ b/moon_gui/static/app/pdp/edit/pdp.edit.basic.dir.js
diff --git a/moonv4/moon_gui/static/app/pdp/pdp-list.tpl.html b/moon_gui/static/app/pdp/pdp-list.tpl.html
index 8aa4e653..8aa4e653 100755
--- a/moonv4/moon_gui/static/app/pdp/pdp-list.tpl.html
+++ b/moon_gui/static/app/pdp/pdp-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/pdp/pdp.controller.list.js b/moon_gui/static/app/pdp/pdp.controller.list.js
index a831cfe3..a831cfe3 100755
--- a/moonv4/moon_gui/static/app/pdp/pdp.controller.list.js
+++ b/moon_gui/static/app/pdp/pdp.controller.list.js
diff --git a/moonv4/moon_gui/static/app/policy/action/mapping/policy-map.tpl.html b/moon_gui/static/app/policy/action/mapping/policy-map.tpl.html
index 8b787f14..8b787f14 100755
--- a/moonv4/moon_gui/static/app/policy/action/mapping/policy-map.tpl.html
+++ b/moon_gui/static/app/policy/action/mapping/policy-map.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/action/mapping/policy-unmap.tpl.html b/moon_gui/static/app/policy/action/mapping/policy-unmap.tpl.html
index a2cda52a..a2cda52a 100755
--- a/moonv4/moon_gui/static/app/policy/action/mapping/policy-unmap.tpl.html
+++ b/moon_gui/static/app/policy/action/mapping/policy-unmap.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/action/mapping/policy.controller.map.js b/moon_gui/static/app/policy/action/mapping/policy.controller.map.js
index 6ad8caa7..6ad8caa7 100755
--- a/moonv4/moon_gui/static/app/policy/action/mapping/policy.controller.map.js
+++ b/moon_gui/static/app/policy/action/mapping/policy.controller.map.js
diff --git a/moonv4/moon_gui/static/app/policy/action/mapping/policy.controller.unmap.js b/moon_gui/static/app/policy/action/mapping/policy.controller.unmap.js
index d309ec0f..d309ec0f 100755
--- a/moonv4/moon_gui/static/app/policy/action/mapping/policy.controller.unmap.js
+++ b/moon_gui/static/app/policy/action/mapping/policy.controller.unmap.js
diff --git a/moonv4/moon_gui/static/app/policy/action/policy-add.tpl.html b/moon_gui/static/app/policy/action/policy-add.tpl.html
index d20c41be..d20c41be 100755
--- a/moonv4/moon_gui/static/app/policy/action/policy-add.tpl.html
+++ b/moon_gui/static/app/policy/action/policy-add.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/action/policy-delete.tpl.html b/moon_gui/static/app/policy/action/policy-delete.tpl.html
index 3b5df88b..3b5df88b 100755
--- a/moonv4/moon_gui/static/app/policy/action/policy-delete.tpl.html
+++ b/moon_gui/static/app/policy/action/policy-delete.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/action/policy.controller.add.js b/moon_gui/static/app/policy/action/policy.controller.add.js
index 0320c2e9..0320c2e9 100755
--- a/moonv4/moon_gui/static/app/policy/action/policy.controller.add.js
+++ b/moon_gui/static/app/policy/action/policy.controller.add.js
diff --git a/moonv4/moon_gui/static/app/policy/action/policy.controller.delete.js b/moon_gui/static/app/policy/action/policy.controller.delete.js
index 9a718ddc..9a718ddc 100755
--- a/moonv4/moon_gui/static/app/policy/action/policy.controller.delete.js
+++ b/moon_gui/static/app/policy/action/policy.controller.delete.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments-edit.tpl.html b/moon_gui/static/app/policy/edit/parameter/assignments/assignments-edit.tpl.html
index 9069dcd0..9069dcd0 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments-edit.tpl.html
+++ b/moon_gui/static/app/policy/edit/parameter/assignments/assignments-edit.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments-list.tpl.html b/moon_gui/static/app/policy/edit/parameter/assignments/assignments-list.tpl.html
index 34bbc7a8..34bbc7a8 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments-list.tpl.html
+++ b/moon_gui/static/app/policy/edit/parameter/assignments/assignments-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments.edit.dir.js b/moon_gui/static/app/policy/edit/parameter/assignments/assignments.edit.dir.js
index 5297eccb..5297eccb 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments.edit.dir.js
+++ b/moon_gui/static/app/policy/edit/parameter/assignments/assignments.edit.dir.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments.list.dir.js b/moon_gui/static/app/policy/edit/parameter/assignments/assignments.list.dir.js
index 22931e4d..22931e4d 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/assignments/assignments.list.dir.js
+++ b/moon_gui/static/app/policy/edit/parameter/assignments/assignments.list.dir.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/data/data-edit.tpl.html b/moon_gui/static/app/policy/edit/parameter/data/data-edit.tpl.html
index 3f11a641..3f11a641 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/data/data-edit.tpl.html
+++ b/moon_gui/static/app/policy/edit/parameter/data/data-edit.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/data/data-list.tpl.html b/moon_gui/static/app/policy/edit/parameter/data/data-list.tpl.html
index b69a4eed..b69a4eed 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/data/data-list.tpl.html
+++ b/moon_gui/static/app/policy/edit/parameter/data/data-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/data/data.edit.dir.js b/moon_gui/static/app/policy/edit/parameter/data/data.edit.dir.js
index 57ad0c9b..57ad0c9b 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/data/data.edit.dir.js
+++ b/moon_gui/static/app/policy/edit/parameter/data/data.edit.dir.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/data/data.list.dir.js b/moon_gui/static/app/policy/edit/parameter/data/data.list.dir.js
index 23a7e535..23a7e535 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/data/data.list.dir.js
+++ b/moon_gui/static/app/policy/edit/parameter/data/data.list.dir.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-edit.tpl.html b/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-edit.tpl.html
index fa2f93c0..fa2f93c0 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-edit.tpl.html
+++ b/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-edit.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-list.tpl.html b/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-list.tpl.html
index a94d663e..a94d663e 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-list.tpl.html
+++ b/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.edit.dir.js b/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.edit.dir.js
index a96741fe..a96741fe 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.edit.dir.js
+++ b/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.edit.dir.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.list.dir.js b/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.list.dir.js
index dffa7783..dffa7783 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.list.dir.js
+++ b/moon_gui/static/app/policy/edit/parameter/perimeter/perimeter.list.dir.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules-edit.tpl.html b/moon_gui/static/app/policy/edit/parameter/rules/rules-edit.tpl.html
index 685046a5..685046a5 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules-edit.tpl.html
+++ b/moon_gui/static/app/policy/edit/parameter/rules/rules-edit.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules-list.tpl.html b/moon_gui/static/app/policy/edit/parameter/rules/rules-list.tpl.html
index 76ac4365..76ac4365 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules-list.tpl.html
+++ b/moon_gui/static/app/policy/edit/parameter/rules/rules-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules.edit.dir.js b/moon_gui/static/app/policy/edit/parameter/rules/rules.edit.dir.js
index b7bb7614..b7bb7614 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules.edit.dir.js
+++ b/moon_gui/static/app/policy/edit/parameter/rules/rules.edit.dir.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules.list.dir.js b/moon_gui/static/app/policy/edit/parameter/rules/rules.list.dir.js
index 5c3e7457..5c3e7457 100755
--- a/moonv4/moon_gui/static/app/policy/edit/parameter/rules/rules.list.dir.js
+++ b/moon_gui/static/app/policy/edit/parameter/rules/rules.list.dir.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/policy-edit-basic.tpl.html b/moon_gui/static/app/policy/edit/policy-edit-basic.tpl.html
index f55c1d05..f55c1d05 100755
--- a/moonv4/moon_gui/static/app/policy/edit/policy-edit-basic.tpl.html
+++ b/moon_gui/static/app/policy/edit/policy-edit-basic.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/policy-edit.tpl.html b/moon_gui/static/app/policy/edit/policy-edit.tpl.html
index a1a6a54a..a1a6a54a 100755
--- a/moonv4/moon_gui/static/app/policy/edit/policy-edit.tpl.html
+++ b/moon_gui/static/app/policy/edit/policy-edit.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/edit/policy.controller.edit.js b/moon_gui/static/app/policy/edit/policy.controller.edit.js
index 123ee58b..123ee58b 100755
--- a/moonv4/moon_gui/static/app/policy/edit/policy.controller.edit.js
+++ b/moon_gui/static/app/policy/edit/policy.controller.edit.js
diff --git a/moonv4/moon_gui/static/app/policy/edit/policy.edit.basic.dir.js b/moon_gui/static/app/policy/edit/policy.edit.basic.dir.js
index c32d9e69..c32d9e69 100755
--- a/moonv4/moon_gui/static/app/policy/edit/policy.edit.basic.dir.js
+++ b/moon_gui/static/app/policy/edit/policy.edit.basic.dir.js
diff --git a/moonv4/moon_gui/static/app/policy/policy-list.tpl.html b/moon_gui/static/app/policy/policy-list.tpl.html
index aeb90f0b..aeb90f0b 100755
--- a/moonv4/moon_gui/static/app/policy/policy-list.tpl.html
+++ b/moon_gui/static/app/policy/policy-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/policy-mapped-list.tpl.html b/moon_gui/static/app/policy/policy-mapped-list.tpl.html
index 127dae3b..127dae3b 100755
--- a/moonv4/moon_gui/static/app/policy/policy-mapped-list.tpl.html
+++ b/moon_gui/static/app/policy/policy-mapped-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/policy/policy.controller.list.js b/moon_gui/static/app/policy/policy.controller.list.js
index fc2c6503..fc2c6503 100755
--- a/moonv4/moon_gui/static/app/policy/policy.controller.list.js
+++ b/moon_gui/static/app/policy/policy.controller.list.js
diff --git a/moonv4/moon_gui/static/app/policy/policy.mapped.list.dir.js b/moon_gui/static/app/policy/policy.mapped.list.dir.js
index 78bb3b8d..78bb3b8d 100755
--- a/moonv4/moon_gui/static/app/policy/policy.mapped.list.dir.js
+++ b/moon_gui/static/app/policy/policy.mapped.list.dir.js
diff --git a/moonv4/moon_gui/static/app/project/action/mapping/project-map.tpl.html b/moon_gui/static/app/project/action/mapping/project-map.tpl.html
index 5ffd98e2..5ffd98e2 100755
--- a/moonv4/moon_gui/static/app/project/action/mapping/project-map.tpl.html
+++ b/moon_gui/static/app/project/action/mapping/project-map.tpl.html
diff --git a/moonv4/moon_gui/static/app/project/action/mapping/project-unmap.tpl.html b/moon_gui/static/app/project/action/mapping/project-unmap.tpl.html
index 5cc5c6dd..5cc5c6dd 100755
--- a/moonv4/moon_gui/static/app/project/action/mapping/project-unmap.tpl.html
+++ b/moon_gui/static/app/project/action/mapping/project-unmap.tpl.html
diff --git a/moonv4/moon_gui/static/app/project/action/mapping/project.controller.map.js b/moon_gui/static/app/project/action/mapping/project.controller.map.js
index afa2bfc0..afa2bfc0 100755
--- a/moonv4/moon_gui/static/app/project/action/mapping/project.controller.map.js
+++ b/moon_gui/static/app/project/action/mapping/project.controller.map.js
diff --git a/moonv4/moon_gui/static/app/project/action/mapping/project.controller.unmap.js b/moon_gui/static/app/project/action/mapping/project.controller.unmap.js
index 911b30ff..911b30ff 100755
--- a/moonv4/moon_gui/static/app/project/action/mapping/project.controller.unmap.js
+++ b/moon_gui/static/app/project/action/mapping/project.controller.unmap.js
diff --git a/moonv4/moon_gui/static/app/project/action/project-add.tpl.html b/moon_gui/static/app/project/action/project-add.tpl.html
index a90dcfa1..a90dcfa1 100755
--- a/moonv4/moon_gui/static/app/project/action/project-add.tpl.html
+++ b/moon_gui/static/app/project/action/project-add.tpl.html
diff --git a/moonv4/moon_gui/static/app/project/action/project-delete.tpl.html b/moon_gui/static/app/project/action/project-delete.tpl.html
index 96b4f2e3..96b4f2e3 100755
--- a/moonv4/moon_gui/static/app/project/action/project-delete.tpl.html
+++ b/moon_gui/static/app/project/action/project-delete.tpl.html
diff --git a/moonv4/moon_gui/static/app/project/action/project-view.tpl.html b/moon_gui/static/app/project/action/project-view.tpl.html
index 3228c915..3228c915 100755
--- a/moonv4/moon_gui/static/app/project/action/project-view.tpl.html
+++ b/moon_gui/static/app/project/action/project-view.tpl.html
diff --git a/moonv4/moon_gui/static/app/project/action/project.controller.add.js b/moon_gui/static/app/project/action/project.controller.add.js
index 4d12b75d..4d12b75d 100755
--- a/moonv4/moon_gui/static/app/project/action/project.controller.add.js
+++ b/moon_gui/static/app/project/action/project.controller.add.js
diff --git a/moonv4/moon_gui/static/app/project/action/project.controller.delete.js b/moon_gui/static/app/project/action/project.controller.delete.js
index 4f18f8e6..4f18f8e6 100755
--- a/moonv4/moon_gui/static/app/project/action/project.controller.delete.js
+++ b/moon_gui/static/app/project/action/project.controller.delete.js
diff --git a/moonv4/moon_gui/static/app/project/action/project.controller.view.js b/moon_gui/static/app/project/action/project.controller.view.js
index fe98a507..fe98a507 100755
--- a/moonv4/moon_gui/static/app/project/action/project.controller.view.js
+++ b/moon_gui/static/app/project/action/project.controller.view.js
diff --git a/moonv4/moon_gui/static/app/project/project-list.tpl.html b/moon_gui/static/app/project/project-list.tpl.html
index 82a3745e..82a3745e 100755
--- a/moonv4/moon_gui/static/app/project/project-list.tpl.html
+++ b/moon_gui/static/app/project/project-list.tpl.html
diff --git a/moonv4/moon_gui/static/app/project/project.controller.list.js b/moon_gui/static/app/project/project.controller.list.js
index b1cb2056..b1cb2056 100755
--- a/moonv4/moon_gui/static/app/project/project.controller.list.js
+++ b/moon_gui/static/app/project/project.controller.list.js
diff --git a/moonv4/moon_gui/static/app/services/gui/alert.service.js b/moon_gui/static/app/services/gui/alert.service.js
index 8435eab1..8435eab1 100755
--- a/moonv4/moon_gui/static/app/services/gui/alert.service.js
+++ b/moon_gui/static/app/services/gui/alert.service.js
diff --git a/moonv4/moon_gui/static/app/services/gui/browser.service.js b/moon_gui/static/app/services/gui/browser.service.js
index 88c693a8..88c693a8 100755
--- a/moonv4/moon_gui/static/app/services/gui/browser.service.js
+++ b/moon_gui/static/app/services/gui/browser.service.js
diff --git a/moonv4/moon_gui/static/app/services/gui/form.service.js b/moon_gui/static/app/services/gui/form.service.js
index e436593c..e436593c 100755
--- a/moonv4/moon_gui/static/app/services/gui/form.service.js
+++ b/moon_gui/static/app/services/gui/form.service.js
diff --git a/moonv4/moon_gui/static/app/services/gui/menu.service.js b/moon_gui/static/app/services/gui/menu.service.js
index fd90a2fa..fd90a2fa 100755
--- a/moonv4/moon_gui/static/app/services/gui/menu.service.js
+++ b/moon_gui/static/app/services/gui/menu.service.js
diff --git a/moonv4/moon_gui/static/app/services/gui/security.pipeline.service.js b/moon_gui/static/app/services/gui/security.pipeline.service.js
index 3831e487..3831e487 100755
--- a/moonv4/moon_gui/static/app/services/gui/security.pipeline.service.js
+++ b/moon_gui/static/app/services/gui/security.pipeline.service.js
diff --git a/moonv4/moon_gui/static/app/services/gui/util.service.js b/moon_gui/static/app/services/gui/util.service.js
index 7274244a..7274244a 100755
--- a/moonv4/moon_gui/static/app/services/gui/util.service.js
+++ b/moon_gui/static/app/services/gui/util.service.js
diff --git a/moonv4/moon_gui/static/app/services/gui/version.service.js b/moon_gui/static/app/services/gui/version.service.js
index 5f9f2786..5f9f2786 100755
--- a/moonv4/moon_gui/static/app/services/gui/version.service.js
+++ b/moon_gui/static/app/services/gui/version.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/model/model.service.js b/moon_gui/static/app/services/moon/model/model.service.js
index a676fc1a..a676fc1a 100755
--- a/moonv4/moon_gui/static/app/services/moon/model/model.service.js
+++ b/moon_gui/static/app/services/moon/model/model.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/pdp.service.js b/moon_gui/static/app/services/moon/pdp.service.js
index 822f7414..822f7414 100755
--- a/moonv4/moon_gui/static/app/services/moon/pdp.service.js
+++ b/moon_gui/static/app/services/moon/pdp.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/policy/parameters/assignements.service.js b/moon_gui/static/app/services/moon/policy/parameters/assignements.service.js
index ca138b45..ca138b45 100755
--- a/moonv4/moon_gui/static/app/services/moon/policy/parameters/assignements.service.js
+++ b/moon_gui/static/app/services/moon/policy/parameters/assignements.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/policy/parameters/data.service.js b/moon_gui/static/app/services/moon/policy/parameters/data.service.js
index 1bbd3b24..1bbd3b24 100755
--- a/moonv4/moon_gui/static/app/services/moon/policy/parameters/data.service.js
+++ b/moon_gui/static/app/services/moon/policy/parameters/data.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/policy/parameters/perimeter.service.js b/moon_gui/static/app/services/moon/policy/parameters/perimeter.service.js
index 42e7288a..42e7288a 100755
--- a/moonv4/moon_gui/static/app/services/moon/policy/parameters/perimeter.service.js
+++ b/moon_gui/static/app/services/moon/policy/parameters/perimeter.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/policy/parameters/rule.service.js b/moon_gui/static/app/services/moon/policy/parameters/rule.service.js
index b1a350ae..b1a350ae 100644
--- a/moonv4/moon_gui/static/app/services/moon/policy/parameters/rule.service.js
+++ b/moon_gui/static/app/services/moon/policy/parameters/rule.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/policy/parameters/rules.service.js b/moon_gui/static/app/services/moon/policy/parameters/rules.service.js
index 76b24011..76b24011 100755
--- a/moonv4/moon_gui/static/app/services/moon/policy/parameters/rules.service.js
+++ b/moon_gui/static/app/services/moon/policy/parameters/rules.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/policy/policy.service.js b/moon_gui/static/app/services/moon/policy/policy.service.js
index 5ad31421..5ad31421 100755
--- a/moonv4/moon_gui/static/app/services/moon/policy/policy.service.js
+++ b/moon_gui/static/app/services/moon/policy/policy.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/rule/metadata.service.js b/moon_gui/static/app/services/moon/rule/metadata.service.js
index 8c68b2ef..8c68b2ef 100755
--- a/moonv4/moon_gui/static/app/services/moon/rule/metadata.service.js
+++ b/moon_gui/static/app/services/moon/rule/metadata.service.js
diff --git a/moonv4/moon_gui/static/app/services/moon/rule/metarule.service.js b/moon_gui/static/app/services/moon/rule/metarule.service.js
index 2679fc5b..2679fc5b 100755
--- a/moonv4/moon_gui/static/app/services/moon/rule/metarule.service.js
+++ b/moon_gui/static/app/services/moon/rule/metarule.service.js
diff --git a/moonv4/moon_gui/static/app/services/partner/authentication.service.js b/moon_gui/static/app/services/partner/authentication.service.js
index b6d3f36d..b6d3f36d 100755
--- a/moonv4/moon_gui/static/app/services/partner/authentication.service.js
+++ b/moon_gui/static/app/services/partner/authentication.service.js
diff --git a/moonv4/moon_gui/static/app/services/partner/nova.service.js b/moon_gui/static/app/services/partner/nova.service.js
index 38e2a0fc..38e2a0fc 100755
--- a/moonv4/moon_gui/static/app/services/partner/nova.service.js
+++ b/moon_gui/static/app/services/partner/nova.service.js
diff --git a/moonv4/moon_gui/static/app/services/partner/project.service.js b/moon_gui/static/app/services/partner/project.service.js
index 4ec27f2e..4ec27f2e 100755
--- a/moonv4/moon_gui/static/app/services/partner/project.service.js
+++ b/moon_gui/static/app/services/partner/project.service.js
diff --git a/moonv4/moon_gui/static/favicon.ico b/moon_gui/static/favicon.ico
index a7910bf5..a7910bf5 100755
--- a/moonv4/moon_gui/static/favicon.ico
+++ b/moon_gui/static/favicon.ico
Binary files differ
diff --git a/moonv4/moon_gui/static/i18n/en.json b/moon_gui/static/i18n/en.json
index dd54e112..dd54e112 100755
--- a/moonv4/moon_gui/static/i18n/en.json
+++ b/moon_gui/static/i18n/en.json
diff --git a/moonv4/moon_gui/static/i18n/fr.json b/moon_gui/static/i18n/fr.json
index 85c513b3..85c513b3 100755
--- a/moonv4/moon_gui/static/i18n/fr.json
+++ b/moon_gui/static/i18n/fr.json
diff --git a/moonv4/moon_gui/static/img/ajax-loader.gif b/moon_gui/static/img/ajax-loader.gif
index d0bce154..d0bce154 100755
--- a/moonv4/moon_gui/static/img/ajax-loader.gif
+++ b/moon_gui/static/img/ajax-loader.gif
Binary files differ
diff --git a/moonv4/moon_gui/static/img/ajax-waiting.gif b/moon_gui/static/img/ajax-waiting.gif
index d84f6537..d84f6537 100755
--- a/moonv4/moon_gui/static/img/ajax-waiting.gif
+++ b/moon_gui/static/img/ajax-waiting.gif
Binary files differ
diff --git a/moonv4/moon_gui/static/img/arrow-link.gif b/moon_gui/static/img/arrow-link.gif
index ca17f44b..ca17f44b 100755
--- a/moonv4/moon_gui/static/img/arrow-link.gif
+++ b/moon_gui/static/img/arrow-link.gif
Binary files differ
diff --git a/moonv4/moon_gui/static/img/et.jpg b/moon_gui/static/img/et.jpg
index 67cc0a9d..67cc0a9d 100644
--- a/moonv4/moon_gui/static/img/et.jpg
+++ b/moon_gui/static/img/et.jpg
Binary files differ
diff --git a/moonv4/moon_gui/static/img/logo-openstack.png b/moon_gui/static/img/logo-openstack.png
index 60ab0e1e..60ab0e1e 100755
--- a/moonv4/moon_gui/static/img/logo-openstack.png
+++ b/moon_gui/static/img/logo-openstack.png
Binary files differ
diff --git a/moonv4/moon_gui/static/img/logo-orange.gif b/moon_gui/static/img/logo-orange.gif
index 9c612291..9c612291 100755
--- a/moonv4/moon_gui/static/img/logo-orange.gif
+++ b/moon_gui/static/img/logo-orange.gif
Binary files differ
diff --git a/moonv4/moon_gui/static/styles/main.css b/moon_gui/static/styles/main.css
index 4e10370e..4e10370e 100644
--- a/moonv4/moon_gui/static/styles/main.css
+++ b/moon_gui/static/styles/main.css
diff --git a/moonv4/moon_gui/static/version.json b/moon_gui/static/version.json
index ec74a2db..ec74a2db 100755
--- a/moonv4/moon_gui/static/version.json
+++ b/moon_gui/static/version.json
diff --git a/moonv4/moon_gui/templates/index.html b/moon_gui/templates/index.html
index 7a321543..7a321543 100644
--- a/moonv4/moon_gui/templates/index.html
+++ b/moon_gui/templates/index.html
diff --git a/moonv4/moon_interface/Dockerfile b/moon_interface/Dockerfile
index 82160cc9..82160cc9 100644
--- a/moonv4/moon_interface/Dockerfile
+++ b/moon_interface/Dockerfile
diff --git a/moonv4/moon_interface/LICENSE b/moon_interface/LICENSE
index d6456956..d6456956 100644
--- a/moonv4/moon_interface/LICENSE
+++ b/moon_interface/LICENSE
diff --git a/moonv4/moon_interface/MANIFEST.in b/moon_interface/MANIFEST.in
index 1f674d50..1f674d50 100644
--- a/moonv4/moon_interface/MANIFEST.in
+++ b/moon_interface/MANIFEST.in
diff --git a/moonv4/moon_interface/Makefile b/moon_interface/Makefile
index af91b904..af91b904 100644
--- a/moonv4/moon_interface/Makefile
+++ b/moon_interface/Makefile
diff --git a/moonv4/moon_interface/README.rst b/moon_interface/README.rst
index ded4e99a..ded4e99a 100644
--- a/moonv4/moon_interface/README.rst
+++ b/moon_interface/README.rst
diff --git a/moonv4/moon_interface/moon_interface/__init__.py b/moon_interface/moon_interface/__init__.py
index 903c6518..903c6518 100644
--- a/moonv4/moon_interface/moon_interface/__init__.py
+++ b/moon_interface/moon_interface/__init__.py
diff --git a/moonv4/moon_interface/moon_interface/__main__.py b/moon_interface/moon_interface/__main__.py
index 517fdd60..517fdd60 100644
--- a/moonv4/moon_interface/moon_interface/__main__.py
+++ b/moon_interface/moon_interface/__main__.py
diff --git a/keystonemiddleware-moon/keystonemiddleware/__init__.py b/moon_interface/moon_interface/api/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/keystonemiddleware/__init__.py
+++ b/moon_interface/moon_interface/api/__init__.py
diff --git a/moonv4/moon_interface/moon_interface/api/authz.py b/moon_interface/moon_interface/api/authz.py
index c9f4697f..c9f4697f 100644
--- a/moonv4/moon_interface/moon_interface/api/authz.py
+++ b/moon_interface/moon_interface/api/authz.py
diff --git a/moonv4/moon_interface/moon_interface/api/generic.py b/moon_interface/moon_interface/api/generic.py
index 51de9214..51de9214 100644
--- a/moonv4/moon_interface/moon_interface/api/generic.py
+++ b/moon_interface/moon_interface/api/generic.py
diff --git a/moonv4/moon_interface/moon_interface/authz_requests.py b/moon_interface/moon_interface/authz_requests.py
index 3f99cb93..3f99cb93 100644
--- a/moonv4/moon_interface/moon_interface/authz_requests.py
+++ b/moon_interface/moon_interface/authz_requests.py
diff --git a/moonv4/moon_interface/moon_interface/containers.py b/moon_interface/moon_interface/containers.py
index 4f93d742..4f93d742 100644
--- a/moonv4/moon_interface/moon_interface/containers.py
+++ b/moon_interface/moon_interface/containers.py
diff --git a/moonv4/moon_interface/moon_interface/http_server.py b/moon_interface/moon_interface/http_server.py
index 890bb82f..890bb82f 100644
--- a/moonv4/moon_interface/moon_interface/http_server.py
+++ b/moon_interface/moon_interface/http_server.py
diff --git a/moonv4/moon_interface/moon_interface/server.py b/moon_interface/moon_interface/server.py
index e53b4504..e53b4504 100644
--- a/moonv4/moon_interface/moon_interface/server.py
+++ b/moon_interface/moon_interface/server.py
diff --git a/moonv4/moon_interface/requirements.txt b/moon_interface/requirements.txt
index 7aa2b6df..7aa2b6df 100644
--- a/moonv4/moon_interface/requirements.txt
+++ b/moon_interface/requirements.txt
diff --git a/moonv4/moon_interface/setup.py b/moon_interface/setup.py
index 3460c991..3460c991 100644
--- a/moonv4/moon_interface/setup.py
+++ b/moon_interface/setup.py
diff --git a/keystonemiddleware-moon/keystonemiddleware/echo/__init__.py b/moon_interface/tests/unit_python/api/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/keystonemiddleware/echo/__init__.py
+++ b/moon_interface/tests/unit_python/api/__init__.py
diff --git a/moonv4/moon_interface/tests/unit_python/api/test_authz.py b/moon_interface/tests/unit_python/api/test_authz.py
index a63948f8..a63948f8 100644
--- a/moonv4/moon_interface/tests/unit_python/api/test_authz.py
+++ b/moon_interface/tests/unit_python/api/test_authz.py
diff --git a/moonv4/moon_interface/tests/unit_python/conftest.py b/moon_interface/tests/unit_python/conftest.py
index 1f4e8cfa..1f4e8cfa 100644
--- a/moonv4/moon_interface/tests/unit_python/conftest.py
+++ b/moon_interface/tests/unit_python/conftest.py
diff --git a/moonv4/moon_interface/tests/unit_python/requirements.txt b/moon_interface/tests/unit_python/requirements.txt
index 21975ce3..21975ce3 100644
--- a/moonv4/moon_interface/tests/unit_python/requirements.txt
+++ b/moon_interface/tests/unit_python/requirements.txt
diff --git a/moonv4/moon_interface/tools/api2rst.py b/moon_interface/tools/api2rst.py
index 6d407bdf..6d407bdf 100644
--- a/moonv4/moon_interface/tools/api2rst.py
+++ b/moon_interface/tools/api2rst.py
diff --git a/moonv4/moon_interface/tools/get_keystone_token.py b/moon_interface/tools/get_keystone_token.py
index 1856aab8..1856aab8 100644
--- a/moonv4/moon_interface/tools/get_keystone_token.py
+++ b/moon_interface/tools/get_keystone_token.py
diff --git a/moonv4/moon_interface/tools/run.sh b/moon_interface/tools/run.sh
index d1db1f00..d1db1f00 100644
--- a/moonv4/moon_interface/tools/run.sh
+++ b/moon_interface/tools/run.sh
diff --git a/moonv4/moon_manager/Dockerfile b/moon_manager/Dockerfile
index 873e3aa2..873e3aa2 100644
--- a/moonv4/moon_manager/Dockerfile
+++ b/moon_manager/Dockerfile
diff --git a/moonv4/moon_manager/LICENSE b/moon_manager/LICENSE
index d6456956..d6456956 100644
--- a/moonv4/moon_manager/LICENSE
+++ b/moon_manager/LICENSE
diff --git a/moonv4/moon_manager/MANIFEST.in b/moon_manager/MANIFEST.in
index 1f674d50..1f674d50 100644
--- a/moonv4/moon_manager/MANIFEST.in
+++ b/moon_manager/MANIFEST.in
diff --git a/moonv4/moon_manager/README.rst b/moon_manager/README.rst
index ded4e99a..ded4e99a 100644
--- a/moonv4/moon_manager/README.rst
+++ b/moon_manager/README.rst
diff --git a/moonv4/moon_manager/moon_manager/__init__.py b/moon_manager/moon_manager/__init__.py
index 903c6518..903c6518 100644
--- a/moonv4/moon_manager/moon_manager/__init__.py
+++ b/moon_manager/moon_manager/__init__.py
diff --git a/moonv4/moon_manager/moon_manager/__main__.py b/moon_manager/moon_manager/__main__.py
index 7d97f003..7d97f003 100644
--- a/moonv4/moon_manager/moon_manager/__main__.py
+++ b/moon_manager/moon_manager/__main__.py
diff --git a/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/abe_mgr/__init__.py b/moon_manager/moon_manager/api/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/abe_mgr/__init__.py
+++ b/moon_manager/moon_manager/api/__init__.py
diff --git a/moonv4/moon_manager/moon_manager/api/assignments.py b/moon_manager/moon_manager/api/assignments.py
index c3ac45c8..c3ac45c8 100644
--- a/moonv4/moon_manager/moon_manager/api/assignments.py
+++ b/moon_manager/moon_manager/api/assignments.py
diff --git a/moonv4/moon_manager/moon_manager/api/containers.py b/moon_manager/moon_manager/api/containers.py
index 6dc50ea5..6dc50ea5 100644
--- a/moonv4/moon_manager/moon_manager/api/containers.py
+++ b/moon_manager/moon_manager/api/containers.py
diff --git a/moonv4/moon_manager/moon_manager/api/data.py b/moon_manager/moon_manager/api/data.py
index 61fe92bf..61fe92bf 100644
--- a/moonv4/moon_manager/moon_manager/api/data.py
+++ b/moon_manager/moon_manager/api/data.py
diff --git a/moonv4/moon_manager/moon_manager/api/generic.py b/moon_manager/moon_manager/api/generic.py
index bd7dcdac..bd7dcdac 100644
--- a/moonv4/moon_manager/moon_manager/api/generic.py
+++ b/moon_manager/moon_manager/api/generic.py
diff --git a/moonv4/moon_manager/moon_manager/api/meta_data.py b/moon_manager/moon_manager/api/meta_data.py
index 9dc04cc7..9dc04cc7 100644
--- a/moonv4/moon_manager/moon_manager/api/meta_data.py
+++ b/moon_manager/moon_manager/api/meta_data.py
diff --git a/moonv4/moon_manager/moon_manager/api/meta_rules.py b/moon_manager/moon_manager/api/meta_rules.py
index ceba0ffb..ceba0ffb 100644
--- a/moonv4/moon_manager/moon_manager/api/meta_rules.py
+++ b/moon_manager/moon_manager/api/meta_rules.py
diff --git a/moonv4/moon_manager/moon_manager/api/models.py b/moon_manager/moon_manager/api/models.py
index 62866191..62866191 100644
--- a/moonv4/moon_manager/moon_manager/api/models.py
+++ b/moon_manager/moon_manager/api/models.py
diff --git a/moonv4/moon_manager/moon_manager/api/pdp.py b/moon_manager/moon_manager/api/pdp.py
index 9183c25d..9183c25d 100644
--- a/moonv4/moon_manager/moon_manager/api/pdp.py
+++ b/moon_manager/moon_manager/api/pdp.py
diff --git a/moonv4/moon_manager/moon_manager/api/perimeter.py b/moon_manager/moon_manager/api/perimeter.py
index 8196e627..8196e627 100644
--- a/moonv4/moon_manager/moon_manager/api/perimeter.py
+++ b/moon_manager/moon_manager/api/perimeter.py
diff --git a/moonv4/moon_manager/moon_manager/api/policies.py b/moon_manager/moon_manager/api/policies.py
index f34276bb..f34276bb 100644
--- a/moonv4/moon_manager/moon_manager/api/policies.py
+++ b/moon_manager/moon_manager/api/policies.py
diff --git a/moonv4/moon_manager/moon_manager/api/rules.py b/moon_manager/moon_manager/api/rules.py
index b25365df..b25365df 100644
--- a/moonv4/moon_manager/moon_manager/api/rules.py
+++ b/moon_manager/moon_manager/api/rules.py
diff --git a/moonv4/moon_manager/moon_manager/http_server.py b/moon_manager/moon_manager/http_server.py
index 584e71a2..584e71a2 100644
--- a/moonv4/moon_manager/moon_manager/http_server.py
+++ b/moon_manager/moon_manager/http_server.py
diff --git a/moonv4/moon_manager/moon_manager/server.py b/moon_manager/moon_manager/server.py
index bcc52cb3..bcc52cb3 100644
--- a/moonv4/moon_manager/moon_manager/server.py
+++ b/moon_manager/moon_manager/server.py
diff --git a/moonv4/moon_manager/requirements.txt b/moon_manager/requirements.txt
index 15ba715b..15ba715b 100644
--- a/moonv4/moon_manager/requirements.txt
+++ b/moon_manager/requirements.txt
diff --git a/moonv4/moon_manager/setup.py b/moon_manager/setup.py
index a6fc5fc7..a6fc5fc7 100644
--- a/moonv4/moon_manager/setup.py
+++ b/moon_manager/setup.py
diff --git a/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/authz_mgr/__init__.py b/moon_manager/tests/unit_python/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/keystonemiddleware/moon_mgrs/authz_mgr/__init__.py
+++ b/moon_manager/tests/unit_python/__init__.py
diff --git a/keystonemiddleware-moon/keystonemiddleware/openstack/__init__.py b/moon_manager/tests/unit_python/api/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/keystonemiddleware/openstack/__init__.py
+++ b/moon_manager/tests/unit_python/api/__init__.py
diff --git a/moonv4/moon_manager/tests/unit_python/api/test_perimeter.py b/moon_manager/tests/unit_python/api/test_perimeter.py
index 18d3837a..18d3837a 100644
--- a/moonv4/moon_manager/tests/unit_python/api/test_perimeter.py
+++ b/moon_manager/tests/unit_python/api/test_perimeter.py
diff --git a/moonv4/moon_manager/tests/unit_python/conftest.py b/moon_manager/tests/unit_python/conftest.py
index c59fae40..c59fae40 100644
--- a/moonv4/moon_manager/tests/unit_python/conftest.py
+++ b/moon_manager/tests/unit_python/conftest.py
diff --git a/moonv4/moon_manager/tests/unit_python/requirements.txt b/moon_manager/tests/unit_python/requirements.txt
index 21975ce3..21975ce3 100644
--- a/moonv4/moon_manager/tests/unit_python/requirements.txt
+++ b/moon_manager/tests/unit_python/requirements.txt
diff --git a/moonv4/moon_orchestrator/Changelog b/moon_orchestrator/Changelog
index 31aabf5d..31aabf5d 100644
--- a/moonv4/moon_orchestrator/Changelog
+++ b/moon_orchestrator/Changelog
diff --git a/moonv4/moon_orchestrator/Dockerfile b/moon_orchestrator/Dockerfile
index aafe1784..aafe1784 100644
--- a/moonv4/moon_orchestrator/Dockerfile
+++ b/moon_orchestrator/Dockerfile
diff --git a/moonv4/moon_orchestrator/LICENSE b/moon_orchestrator/LICENSE
index d6456956..d6456956 100644
--- a/moonv4/moon_orchestrator/LICENSE
+++ b/moon_orchestrator/LICENSE
diff --git a/moonv4/moon_orchestrator/MANIFEST.in b/moon_orchestrator/MANIFEST.in
index 8de5a391..8de5a391 100644
--- a/moonv4/moon_orchestrator/MANIFEST.in
+++ b/moon_orchestrator/MANIFEST.in
diff --git a/moonv4/moon_orchestrator/README.md b/moon_orchestrator/README.md
index d4cdc4fb..d4cdc4fb 100644
--- a/moonv4/moon_orchestrator/README.md
+++ b/moon_orchestrator/README.md
diff --git a/moonv4/moon_orchestrator/conf/dockers/template.dockerfile b/moon_orchestrator/conf/dockers/template.dockerfile
index 6bb8a0c6..6bb8a0c6 100644
--- a/moonv4/moon_orchestrator/conf/dockers/template.dockerfile
+++ b/moon_orchestrator/conf/dockers/template.dockerfile
diff --git a/moonv4/moon_orchestrator/conf/moon.conf b/moon_orchestrator/conf/moon.conf
index 49086d48..49086d48 100644
--- a/moonv4/moon_orchestrator/conf/moon.conf
+++ b/moon_orchestrator/conf/moon.conf
diff --git a/moonv4/moon_orchestrator/conf/plugins/authz.py b/moon_orchestrator/conf/plugins/authz.py
index 4a1441c9..4a1441c9 100644
--- a/moonv4/moon_orchestrator/conf/plugins/authz.py
+++ b/moon_orchestrator/conf/plugins/authz.py
diff --git a/moonv4/moon_orchestrator/conf/plugins/session.py b/moon_orchestrator/conf/plugins/session.py
index 6fa2cfe2..6fa2cfe2 100644
--- a/moonv4/moon_orchestrator/conf/plugins/session.py
+++ b/moon_orchestrator/conf/plugins/session.py
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/assignment.json b/moon_orchestrator/conf/policies/policy_authz/assignment.json
index 7a6c722e..7a6c722e 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_authz/assignment.json
+++ b/moon_orchestrator/conf/policies/policy_authz/assignment.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/metadata.json b/moon_orchestrator/conf/policies/policy_authz/metadata.json
index 21a99eb2..21a99eb2 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_authz/metadata.json
+++ b/moon_orchestrator/conf/policies/policy_authz/metadata.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/metarule.json b/moon_orchestrator/conf/policies/policy_authz/metarule.json
index c9afd6c2..c9afd6c2 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_authz/metarule.json
+++ b/moon_orchestrator/conf/policies/policy_authz/metarule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/perimeter.json b/moon_orchestrator/conf/policies/policy_authz/perimeter.json
index 47a8ee45..47a8ee45 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_authz/perimeter.json
+++ b/moon_orchestrator/conf/policies/policy_authz/perimeter.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/rule.json b/moon_orchestrator/conf/policies/policy_authz/rule.json
index 25f9d93a..25f9d93a 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_authz/rule.json
+++ b/moon_orchestrator/conf/policies/policy_authz/rule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/scope.json b/moon_orchestrator/conf/policies/policy_authz/scope.json
index 9b313daf..9b313daf 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_authz/scope.json
+++ b/moon_orchestrator/conf/policies/policy_authz/scope.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json b/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json
index 24018a09..24018a09 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json
+++ b/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json b/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json
index 3c9be2e5..3c9be2e5 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json
+++ b/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json b/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json
index 7acd8848..7acd8848 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json
+++ b/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json b/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json
index 54dbfc31..54dbfc31 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json
+++ b/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/rule.json b/moon_orchestrator/conf/policies/policy_empty_admin/rule.json
index fe4fae5a..fe4fae5a 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/rule.json
+++ b/moon_orchestrator/conf/policies/policy_empty_admin/rule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/scope.json b/moon_orchestrator/conf/policies/policy_empty_admin/scope.json
index 1efebe6f..1efebe6f 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/scope.json
+++ b/moon_orchestrator/conf/policies/policy_empty_admin/scope.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json b/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json
index 24018a09..24018a09 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json
+++ b/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json b/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json
index 4f300d78..4f300d78 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json
+++ b/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json b/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json
index 7acd8848..7acd8848 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json
+++ b/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json b/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json
index 9da8a8c0..9da8a8c0 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json
+++ b/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/rule.json b/moon_orchestrator/conf/policies/policy_empty_authz/rule.json
index fe4fae5a..fe4fae5a 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/rule.json
+++ b/moon_orchestrator/conf/policies/policy_empty_authz/rule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/scope.json b/moon_orchestrator/conf/policies/policy_empty_authz/scope.json
index 1efebe6f..1efebe6f 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/scope.json
+++ b/moon_orchestrator/conf/policies/policy_empty_authz/scope.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json b/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json
index 0712dfbc..0712dfbc 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json
+++ b/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json b/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json
index c419c815..c419c815 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json
+++ b/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json b/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json
index e068927c..e068927c 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json
+++ b/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json b/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json
index 47a8ee45..47a8ee45 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json
+++ b/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json b/moon_orchestrator/conf/policies/policy_mls_authz/rule.json
index b17dc822..b17dc822 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json
+++ b/moon_orchestrator/conf/policies/policy_mls_authz/rule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json b/moon_orchestrator/conf/policies/policy_mls_authz/scope.json
index 6cc1c28e..6cc1c28e 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json
+++ b/moon_orchestrator/conf/policies/policy_mls_authz/scope.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json b/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json
index f2378333..f2378333 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json
+++ b/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json b/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json
index 9ee8a11d..9ee8a11d 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json
+++ b/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json b/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json
index 86dbfad2..86dbfad2 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json
+++ b/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json b/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json
index 1155533e..1155533e 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json
+++ b/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json b/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json
index c89ceff3..c89ceff3 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json
+++ b/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json b/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json
index 149056a6..149056a6 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json
+++ b/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/assignment.json b/moon_orchestrator/conf/policies/policy_root/assignment.json
index e849ae13..e849ae13 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_root/assignment.json
+++ b/moon_orchestrator/conf/policies/policy_root/assignment.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/metadata.json b/moon_orchestrator/conf/policies/policy_root/metadata.json
index 9dd7a928..9dd7a928 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_root/metadata.json
+++ b/moon_orchestrator/conf/policies/policy_root/metadata.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/metarule.json b/moon_orchestrator/conf/policies/policy_root/metarule.json
index 86dbfad2..86dbfad2 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_root/metarule.json
+++ b/moon_orchestrator/conf/policies/policy_root/metarule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/perimeter.json b/moon_orchestrator/conf/policies/policy_root/perimeter.json
index 788a27f2..788a27f2 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_root/perimeter.json
+++ b/moon_orchestrator/conf/policies/policy_root/perimeter.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/rule.json b/moon_orchestrator/conf/policies/policy_root/rule.json
index 9bbd5e4c..9bbd5e4c 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_root/rule.json
+++ b/moon_orchestrator/conf/policies/policy_root/rule.json
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/scope.json b/moon_orchestrator/conf/policies/policy_root/scope.json
index 43f9ced8..43f9ced8 100644
--- a/moonv4/moon_orchestrator/conf/policies/policy_root/scope.json
+++ b/moon_orchestrator/conf/policies/policy_root/scope.json
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/__init__.py b/moon_orchestrator/moon_orchestrator/__init__.py
index 2302dea9..2302dea9 100644
--- a/moonv4/moon_orchestrator/moon_orchestrator/__init__.py
+++ b/moon_orchestrator/moon_orchestrator/__init__.py
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/__main__.py b/moon_orchestrator/moon_orchestrator/__main__.py
index 9ebc3a7f..9ebc3a7f 100644
--- a/moonv4/moon_orchestrator/moon_orchestrator/__main__.py
+++ b/moon_orchestrator/moon_orchestrator/__main__.py
diff --git a/keystonemiddleware-moon/keystonemiddleware/openstack/common/__init__.py b/moon_orchestrator/moon_orchestrator/api/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/keystonemiddleware/openstack/common/__init__.py
+++ b/moon_orchestrator/moon_orchestrator/api/__init__.py
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/generic.py b/moon_orchestrator/moon_orchestrator/api/generic.py
index 84de4e69..84de4e69 100644
--- a/moonv4/moon_orchestrator/moon_orchestrator/api/generic.py
+++ b/moon_orchestrator/moon_orchestrator/api/generic.py
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/pods.py b/moon_orchestrator/moon_orchestrator/api/pods.py
index 9bca4d93..9bca4d93 100644
--- a/moonv4/moon_orchestrator/moon_orchestrator/api/pods.py
+++ b/moon_orchestrator/moon_orchestrator/api/pods.py
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/drivers.py b/moon_orchestrator/moon_orchestrator/drivers.py
index 08c53be3..08c53be3 100644
--- a/moonv4/moon_orchestrator/moon_orchestrator/drivers.py
+++ b/moon_orchestrator/moon_orchestrator/drivers.py
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/http_server.py b/moon_orchestrator/moon_orchestrator/http_server.py
index e6a5ee57..e6a5ee57 100644
--- a/moonv4/moon_orchestrator/moon_orchestrator/http_server.py
+++ b/moon_orchestrator/moon_orchestrator/http_server.py
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/server.py b/moon_orchestrator/moon_orchestrator/server.py
index 0cbd535a..0cbd535a 100644
--- a/moonv4/moon_orchestrator/moon_orchestrator/server.py
+++ b/moon_orchestrator/moon_orchestrator/server.py
diff --git a/moonv4/moon_orchestrator/requirements.txt b/moon_orchestrator/requirements.txt
index 0d952e6c..0d952e6c 100644
--- a/moonv4/moon_orchestrator/requirements.txt
+++ b/moon_orchestrator/requirements.txt
diff --git a/moonv4/moon_orchestrator/setup.py b/moon_orchestrator/setup.py
index 624dba94..624dba94 100644
--- a/moonv4/moon_orchestrator/setup.py
+++ b/moon_orchestrator/setup.py
diff --git a/moonv4/moon_orchestrator/tests/unit_python/conftest.py b/moon_orchestrator/tests/unit_python/conftest.py
index 044489e6..044489e6 100644
--- a/moonv4/moon_orchestrator/tests/unit_python/conftest.py
+++ b/moon_orchestrator/tests/unit_python/conftest.py
diff --git a/moonv4/moon_orchestrator/tests/unit_python/mock_pods.py b/moon_orchestrator/tests/unit_python/mock_pods.py
index c5633152..c5633152 100644
--- a/moonv4/moon_orchestrator/tests/unit_python/mock_pods.py
+++ b/moon_orchestrator/tests/unit_python/mock_pods.py
diff --git a/moonv4/moon_orchestrator/tests/unit_python/requirements.txt b/moon_orchestrator/tests/unit_python/requirements.txt
index 21975ce3..21975ce3 100644
--- a/moonv4/moon_orchestrator/tests/unit_python/requirements.txt
+++ b/moon_orchestrator/tests/unit_python/requirements.txt
diff --git a/moonv4/moon_orchestrator/tests/unit_python/test_pods.py b/moon_orchestrator/tests/unit_python/test_pods.py
index 42c8404b..42c8404b 100644
--- a/moonv4/moon_orchestrator/tests/unit_python/test_pods.py
+++ b/moon_orchestrator/tests/unit_python/test_pods.py
diff --git a/moonv4/moon_orchestrator/tests/unit_python/utilities.py b/moon_orchestrator/tests/unit_python/utilities.py
index aec03d9d..aec03d9d 100644
--- a/moonv4/moon_orchestrator/tests/unit_python/utilities.py
+++ b/moon_orchestrator/tests/unit_python/utilities.py
diff --git a/moonv4/moon_wrapper/Dockerfile b/moon_wrapper/Dockerfile
index 55e7208d..55e7208d 100644
--- a/moonv4/moon_wrapper/Dockerfile
+++ b/moon_wrapper/Dockerfile
diff --git a/moonv4/moon_wrapper/LICENSE b/moon_wrapper/LICENSE
index d6456956..d6456956 100644
--- a/moonv4/moon_wrapper/LICENSE
+++ b/moon_wrapper/LICENSE
diff --git a/moonv4/moon_wrapper/MANIFEST.in b/moon_wrapper/MANIFEST.in
index cf4d2e4e..cf4d2e4e 100644
--- a/moonv4/moon_wrapper/MANIFEST.in
+++ b/moon_wrapper/MANIFEST.in
diff --git a/moonv4/moon_wrapper/README.md b/moon_wrapper/README.md
index 4e8fd05c..4e8fd05c 100644
--- a/moonv4/moon_wrapper/README.md
+++ b/moon_wrapper/README.md
diff --git a/moonv4/moon_wrapper/moon_wrapper/__init__.py b/moon_wrapper/moon_wrapper/__init__.py
index 903c6518..903c6518 100644
--- a/moonv4/moon_wrapper/moon_wrapper/__init__.py
+++ b/moon_wrapper/moon_wrapper/__init__.py
diff --git a/moonv4/moon_wrapper/moon_wrapper/__main__.py b/moon_wrapper/moon_wrapper/__main__.py
index 46cafa76..46cafa76 100644
--- a/moonv4/moon_wrapper/moon_wrapper/__main__.py
+++ b/moon_wrapper/moon_wrapper/__main__.py
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/__init__.py b/moon_wrapper/moon_wrapper/api/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/keystonemiddleware/tests/__init__.py
+++ b/moon_wrapper/moon_wrapper/api/__init__.py
diff --git a/moonv4/moon_wrapper/moon_wrapper/api/generic.py b/moon_wrapper/moon_wrapper/api/generic.py
index 7dd44fb4..7dd44fb4 100644
--- a/moonv4/moon_wrapper/moon_wrapper/api/generic.py
+++ b/moon_wrapper/moon_wrapper/api/generic.py
diff --git a/moonv4/moon_wrapper/moon_wrapper/api/wrapper.py b/moon_wrapper/moon_wrapper/api/wrapper.py
index e1ce783a..e1ce783a 100644
--- a/moonv4/moon_wrapper/moon_wrapper/api/wrapper.py
+++ b/moon_wrapper/moon_wrapper/api/wrapper.py
diff --git a/moonv4/moon_wrapper/moon_wrapper/http_server.py b/moon_wrapper/moon_wrapper/http_server.py
index 1b429bc5..1b429bc5 100644
--- a/moonv4/moon_wrapper/moon_wrapper/http_server.py
+++ b/moon_wrapper/moon_wrapper/http_server.py
diff --git a/moonv4/moon_wrapper/moon_wrapper/server.py b/moon_wrapper/moon_wrapper/server.py
index 2f236c4f..2f236c4f 100644
--- a/moonv4/moon_wrapper/moon_wrapper/server.py
+++ b/moon_wrapper/moon_wrapper/server.py
diff --git a/moonv4/moon_wrapper/requirements.txt b/moon_wrapper/requirements.txt
index c1bd9a2f..c1bd9a2f 100644
--- a/moonv4/moon_wrapper/requirements.txt
+++ b/moon_wrapper/requirements.txt
diff --git a/moonv4/moon_wrapper/setup.py b/moon_wrapper/setup.py
index 6aaa343f..6aaa343f 100644
--- a/moonv4/moon_wrapper/setup.py
+++ b/moon_wrapper/setup.py
diff --git a/moonv4/moon_wrapper/tests/README.md b/moon_wrapper/tests/README.md
index 73a9fcd2..73a9fcd2 100644
--- a/moonv4/moon_wrapper/tests/README.md
+++ b/moon_wrapper/tests/README.md
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/__init__.py b/moon_wrapper/tests/unit_python/api/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/__init__.py
+++ b/moon_wrapper/tests/unit_python/api/__init__.py
diff --git a/moonv4/moon_wrapper/tests/unit_python/api/test_wrapper.py b/moon_wrapper/tests/unit_python/api/test_wrapper.py
index 7e9a7421..7e9a7421 100644
--- a/moonv4/moon_wrapper/tests/unit_python/api/test_wrapper.py
+++ b/moon_wrapper/tests/unit_python/api/test_wrapper.py
diff --git a/moonv4/moon_wrapper/tests/unit_python/conftest.py b/moon_wrapper/tests/unit_python/conftest.py
index b160ebf6..b160ebf6 100644
--- a/moonv4/moon_wrapper/tests/unit_python/conftest.py
+++ b/moon_wrapper/tests/unit_python/conftest.py
diff --git a/moonv4/moon_wrapper/tests/unit_python/requirements.txt b/moon_wrapper/tests/unit_python/requirements.txt
index 21975ce3..21975ce3 100644
--- a/moonv4/moon_wrapper/tests/unit_python/requirements.txt
+++ b/moon_wrapper/tests/unit_python/requirements.txt
diff --git a/moonv4/moon_interface/.cache/v/cache/lastfailed b/moonv4/moon_interface/.cache/v/cache/lastfailed
deleted file mode 100644
index 9e26dfee..00000000
--- a/moonv4/moon_interface/.cache/v/cache/lastfailed
+++ /dev/null
@@ -1 +0,0 @@
-{}
\ No newline at end of file
diff --git a/moonv4/moon_manager/moon_manager/api/__init__.py b/moonv4/moon_manager/moon_manager/api/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/moon_manager/moon_manager/api/__init__.py
+++ /dev/null
diff --git a/moonv4/moon_manager/tests/unit_python/__init__.py b/moonv4/moon_manager/tests/unit_python/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/moon_manager/tests/unit_python/__init__.py
+++ /dev/null
diff --git a/moonv4/moon_manager/tests/unit_python/api/__init__.py b/moonv4/moon_manager/tests/unit_python/api/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/moon_manager/tests/unit_python/api/__init__.py
+++ /dev/null
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py b/moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py
+++ /dev/null
diff --git a/moonv4/moon_wrapper/moon_wrapper/api/__init__.py b/moonv4/moon_wrapper/moon_wrapper/api/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/moon_wrapper/moon_wrapper/api/__init__.py
+++ /dev/null
diff --git a/moonv4/moon_wrapper/tests/unit_python/api/__init__.py b/moonv4/moon_wrapper/tests/unit_python/api/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/moon_wrapper/tests/unit_python/api/__init__.py
+++ /dev/null
diff --git a/moonv4/python_moondb/python_moondb/api/__init__.py b/moonv4/python_moondb/python_moondb/api/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/python_moondb/python_moondb/api/__init__.py
+++ /dev/null
diff --git a/moonv4/python_moondb/python_moondb/migrate_repo/__init__.py b/moonv4/python_moondb/python_moondb/migrate_repo/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/python_moondb/python_moondb/migrate_repo/__init__.py
+++ /dev/null
diff --git a/moonv4/python_moondb/python_moondb/migrate_repo/versions/__init__.py b/moonv4/python_moondb/python_moondb/migrate_repo/versions/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/python_moondb/python_moondb/migrate_repo/versions/__init__.py
+++ /dev/null
diff --git a/moonv4/templates/moonforming/utils/__init__.py b/moonv4/templates/moonforming/utils/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moonv4/templates/moonforming/utils/__init__.py
+++ /dev/null
diff --git a/moonv4/python_moonclient/Changelog b/python_moonclient/Changelog
index 854200cb..854200cb 100644
--- a/moonv4/python_moonclient/Changelog
+++ b/python_moonclient/Changelog
diff --git a/moonv4/python_moonclient/LICENSE b/python_moonclient/LICENSE
index d6456956..d6456956 100644
--- a/moonv4/python_moonclient/LICENSE
+++ b/python_moonclient/LICENSE
diff --git a/moonv4/python_moonclient/MANIFEST.in b/python_moonclient/MANIFEST.in
index 2a5ac509..2a5ac509 100644
--- a/moonv4/python_moonclient/MANIFEST.in
+++ b/python_moonclient/MANIFEST.in
diff --git a/moonv4/python_moonclient/README.md b/python_moonclient/README.md
index d1ebc786..d1ebc786 100644
--- a/moonv4/python_moonclient/README.md
+++ b/python_moonclient/README.md
diff --git a/moonv4/python_moonclient/python_moonclient/__init__.py b/python_moonclient/python_moonclient/__init__.py
index d7cdd111..d7cdd111 100644
--- a/moonv4/python_moonclient/python_moonclient/__init__.py
+++ b/python_moonclient/python_moonclient/__init__.py
diff --git a/moonv4/python_moonclient/python_moonclient/authz.py b/python_moonclient/python_moonclient/authz.py
index 9458767e..9458767e 100644
--- a/moonv4/python_moonclient/python_moonclient/authz.py
+++ b/python_moonclient/python_moonclient/authz.py
diff --git a/moonv4/python_moonclient/python_moonclient/config.py b/python_moonclient/python_moonclient/config.py
index d6317820..d6317820 100644
--- a/moonv4/python_moonclient/python_moonclient/config.py
+++ b/python_moonclient/python_moonclient/config.py
diff --git a/moonv4/python_moonclient/python_moonclient/models.py b/python_moonclient/python_moonclient/models.py
index 069c673b..069c673b 100644
--- a/moonv4/python_moonclient/python_moonclient/models.py
+++ b/python_moonclient/python_moonclient/models.py
diff --git a/moonv4/python_moonclient/python_moonclient/parse.py b/python_moonclient/python_moonclient/parse.py
index 34a4a996..34a4a996 100644
--- a/moonv4/python_moonclient/python_moonclient/parse.py
+++ b/python_moonclient/python_moonclient/parse.py
diff --git a/moonv4/python_moonclient/python_moonclient/pdp.py b/python_moonclient/python_moonclient/pdp.py
index a7c75a61..a7c75a61 100644
--- a/moonv4/python_moonclient/python_moonclient/pdp.py
+++ b/python_moonclient/python_moonclient/pdp.py
diff --git a/moonv4/python_moonclient/python_moonclient/policies.py b/python_moonclient/python_moonclient/policies.py
index 80210811..80210811 100644
--- a/moonv4/python_moonclient/python_moonclient/policies.py
+++ b/python_moonclient/python_moonclient/policies.py
diff --git a/moonv4/python_moonclient/requirements.txt b/python_moonclient/requirements.txt
index 5b80e5f2..5b80e5f2 100644
--- a/moonv4/python_moonclient/requirements.txt
+++ b/python_moonclient/requirements.txt
diff --git a/moonv4/python_moonclient/setup.py b/python_moonclient/setup.py
index 000e87ca..000e87ca 100644
--- a/moonv4/python_moonclient/setup.py
+++ b/python_moonclient/setup.py
diff --git a/moonv4/python_moonclient/tests/unit_python/conftest.py b/python_moonclient/tests/unit_python/conftest.py
index e98f48c5..e98f48c5 100644
--- a/moonv4/python_moonclient/tests/unit_python/conftest.py
+++ b/python_moonclient/tests/unit_python/conftest.py
diff --git a/moonv4/python_moonclient/tests/unit_python/mock_config.py b/python_moonclient/tests/unit_python/mock_config.py
index 6d6c8249..6d6c8249 100644
--- a/moonv4/python_moonclient/tests/unit_python/mock_config.py
+++ b/python_moonclient/tests/unit_python/mock_config.py
diff --git a/moonv4/python_moonclient/tests/unit_python/requirements.txt b/python_moonclient/tests/unit_python/requirements.txt
index 3c1ad607..3c1ad607 100644
--- a/moonv4/python_moonclient/tests/unit_python/requirements.txt
+++ b/python_moonclient/tests/unit_python/requirements.txt
diff --git a/moonv4/python_moonclient/tests/unit_python/test_config.py b/python_moonclient/tests/unit_python/test_config.py
index ebdfacf0..ebdfacf0 100644
--- a/moonv4/python_moonclient/tests/unit_python/test_config.py
+++ b/python_moonclient/tests/unit_python/test_config.py
diff --git a/moonv4/python_moonclient/tests/unit_python/test_models.py b/python_moonclient/tests/unit_python/test_models.py
index f708c6e4..f708c6e4 100644
--- a/moonv4/python_moonclient/tests/unit_python/test_models.py
+++ b/python_moonclient/tests/unit_python/test_models.py
diff --git a/moonv4/python_moonclient/tests/unit_python/test_pdp.py b/python_moonclient/tests/unit_python/test_pdp.py
index 8d9a3ac3..8d9a3ac3 100644
--- a/moonv4/python_moonclient/tests/unit_python/test_pdp.py
+++ b/python_moonclient/tests/unit_python/test_pdp.py
diff --git a/moonv4/python_moonclient/tests/unit_python/test_policies.py b/python_moonclient/tests/unit_python/test_policies.py
index 386c37af..386c37af 100644
--- a/moonv4/python_moonclient/tests/unit_python/test_policies.py
+++ b/python_moonclient/tests/unit_python/test_policies.py
diff --git a/moonv4/python_moonclient/tests/unit_python/utilities.py b/python_moonclient/tests/unit_python/utilities.py
index ae2932c7..ae2932c7 100644
--- a/moonv4/python_moonclient/tests/unit_python/utilities.py
+++ b/python_moonclient/tests/unit_python/utilities.py
diff --git a/moonv4/python_moondb/Changelog b/python_moondb/Changelog
index ff244af5..ff244af5 100644
--- a/moonv4/python_moondb/Changelog
+++ b/python_moondb/Changelog
diff --git a/moonv4/python_moondb/LICENSE b/python_moondb/LICENSE
index d6456956..d6456956 100644
--- a/moonv4/python_moondb/LICENSE
+++ b/python_moondb/LICENSE
diff --git a/moonv4/python_moondb/MANIFEST.in b/python_moondb/MANIFEST.in
index 82b40140..82b40140 100644
--- a/moonv4/python_moondb/MANIFEST.in
+++ b/python_moondb/MANIFEST.in
diff --git a/moonv4/python_moondb/README.md b/python_moondb/README.md
index d36c6ae3..d36c6ae3 100644
--- a/moonv4/python_moondb/README.md
+++ b/python_moondb/README.md
diff --git a/moonv4/python_moondb/bin/drop_tables.sql b/python_moondb/bin/drop_tables.sql
index f5f65ea7..f5f65ea7 100644
--- a/moonv4/python_moondb/bin/drop_tables.sql
+++ b/python_moondb/bin/drop_tables.sql
diff --git a/moonv4/python_moondb/build.sh b/python_moondb/build.sh
index f109e9b8..f109e9b8 100644
--- a/moonv4/python_moondb/build.sh
+++ b/python_moondb/build.sh
diff --git a/moonv4/python_moondb/python_moondb/__init__.py b/python_moondb/python_moondb/__init__.py
index 73faf752..73faf752 100644
--- a/moonv4/python_moondb/python_moondb/__init__.py
+++ b/python_moondb/python_moondb/__init__.py
diff --git a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/__init__.py b/python_moondb/python_moondb/api/__init__.py
index e69de29b..e69de29b 100644
--- a/keystonemiddleware-moon/keystonemiddleware/tests/unit/auth_token/__init__.py
+++ b/python_moondb/python_moondb/api/__init__.py
diff --git a/moonv4/python_moondb/python_moondb/api/keystone.py b/python_moondb/python_moondb/api/keystone.py
index f5410190..f5410190 100644
--- a/moonv4/python_moondb/python_moondb/api/keystone.py
+++ b/python_moondb/python_moondb/api/keystone.py
diff --git a/moonv4/python_moondb/python_moondb/api/managers.py b/python_moondb/python_moondb/api/managers.py
index 602e0f11..602e0f11 100644
--- a/moonv4/python_moondb/python_moondb/api/managers.py
+++ b/python_moondb/python_moondb/api/managers.py
diff --git a/moonv4/python_moondb/python_moondb/api/model.py b/python_moondb/python_moondb/api/model.py
index fbfbb680..fbfbb680 100644
--- a/moonv4/python_moondb/python_moondb/api/model.py
+++ b/python_moondb/python_moondb/api/model.py
diff --git a/moonv4/python_moondb/python_moondb/api/pdp.py b/python_moondb/python_moondb/api/pdp.py
index 5fb7aa78..5fb7aa78 100644
--- a/moonv4/python_moondb/python_moondb/api/pdp.py
+++ b/python_moondb/python_moondb/api/pdp.py
diff --git a/moonv4/python_moondb/python_moondb/api/policy.py b/python_moondb/python_moondb/api/policy.py
index 81689826..81689826 100644
--- a/moonv4/python_moondb/python_moondb/api/policy.py
+++ b/python_moondb/python_moondb/api/policy.py
diff --git a/moonv4/python_moondb/python_moondb/backends/__init__.py b/python_moondb/python_moondb/backends/__init__.py
index 237bdc3e..237bdc3e 100644
--- a/moonv4/python_moondb/python_moondb/backends/__init__.py
+++ b/python_moondb/python_moondb/backends/__init__.py
diff --git a/moonv4/python_moondb/python_moondb/backends/flat.py b/python_moondb/python_moondb/backends/flat.py
index 0fe2f00b..0fe2f00b 100644
--- a/moonv4/python_moondb/python_moondb/backends/flat.py
+++ b/python_moondb/python_moondb/backends/flat.py
diff --git a/moonv4/python_moondb/python_moondb/backends/sql.py b/python_moondb/python_moondb/backends/sql.py
index 5dba8eb2..5dba8eb2 100644
--- a/moonv4/python_moondb/python_moondb/backends/sql.py
+++ b/python_moondb/python_moondb/backends/sql.py
diff --git a/moonv4/python_moondb/python_moondb/core.py b/python_moondb/python_moondb/core.py
index 49e9f711..49e9f711 100644
--- a/moonv4/python_moondb/python_moondb/core.py
+++ b/python_moondb/python_moondb/core.py
diff --git a/moonv4/python_moondb/python_moondb/db_manager.py b/python_moondb/python_moondb/db_manager.py
index c305284d..c305284d 100644
--- a/moonv4/python_moondb/python_moondb/db_manager.py
+++ b/python_moondb/python_moondb/db_manager.py
diff --git a/moonv4/moon_authz/moon_authz/api/__init__.py b/python_moondb/python_moondb/migrate_repo/__init__.py
index e69de29b..e69de29b 100644
--- a/moonv4/moon_authz/moon_authz/api/__init__.py
+++ b/python_moondb/python_moondb/migrate_repo/__init__.py
diff --git a/moonv4/python_moondb/python_moondb/migrate_repo/versions/001_moon.py b/python_moondb/python_moondb/migrate_repo/versions/001_moon.py
index 2cc36140..2cc36140 100644
--- a/moonv4/python_moondb/python_moondb/migrate_repo/versions/001_moon.py
+++ b/python_moondb/python_moondb/migrate_repo/versions/001_moon.py
diff --git a/moonv4/moon_interface/moon_interface/api/__init__.py b/python_moondb/python_moondb/migrate_repo/versions/__init__.py
index e69de29b..e69de29b 100644
--- a/moonv4/moon_interface/moon_interface/api/__init__.py
+++ b/python_moondb/python_moondb/migrate_repo/versions/__init__.py
diff --git a/moonv4/python_moondb/requirements.txt b/python_moondb/requirements.txt
index 03afc879..03afc879 100644
--- a/moonv4/python_moondb/requirements.txt
+++ b/python_moondb/requirements.txt
diff --git a/moonv4/python_moondb/setup.py b/python_moondb/setup.py
index 65687c3f..65687c3f 100644
--- a/moonv4/python_moondb/setup.py
+++ b/python_moondb/setup.py
diff --git a/moonv4/python_moondb/tests/unit_python/conftest.py b/python_moondb/tests/unit_python/conftest.py
index c2e5e579..c2e5e579 100644
--- a/moonv4/python_moondb/tests/unit_python/conftest.py
+++ b/python_moondb/tests/unit_python/conftest.py
diff --git a/moonv4/python_moondb/tests/unit_python/mock_components.py b/python_moondb/tests/unit_python/mock_components.py
index a0319e1a..a0319e1a 100644
--- a/moonv4/python_moondb/tests/unit_python/mock_components.py
+++ b/python_moondb/tests/unit_python/mock_components.py
diff --git a/moonv4/python_moondb/tests/unit_python/mock_keystone.py b/python_moondb/tests/unit_python/mock_keystone.py
index c0b26b88..c0b26b88 100644
--- a/moonv4/python_moondb/tests/unit_python/mock_keystone.py
+++ b/python_moondb/tests/unit_python/mock_keystone.py
diff --git a/moonv4/python_moondb/tests/unit_python/requirements.txt b/python_moondb/tests/unit_python/requirements.txt
index 5f507ff7..5f507ff7 100644
--- a/moonv4/python_moondb/tests/unit_python/requirements.txt
+++ b/python_moondb/tests/unit_python/requirements.txt
diff --git a/moonv4/python_moondb/tests/unit_python/test_policies.py b/python_moondb/tests/unit_python/test_policies.py
index 3bd1360e..3bd1360e 100644
--- a/moonv4/python_moondb/tests/unit_python/test_policies.py
+++ b/python_moondb/tests/unit_python/test_policies.py
diff --git a/moonv4/python_moondb/tests/unit_python/utilities.py b/python_moondb/tests/unit_python/utilities.py
index 1d79d890..1d79d890 100644
--- a/moonv4/python_moondb/tests/unit_python/utilities.py
+++ b/python_moondb/tests/unit_python/utilities.py
diff --git a/moonv4/python_moonutilities/Changelog b/python_moonutilities/Changelog
index dd441427..dd441427 100644
--- a/moonv4/python_moonutilities/Changelog
+++ b/python_moonutilities/Changelog
diff --git a/moonv4/python_moonutilities/LICENSE b/python_moonutilities/LICENSE
index d6456956..d6456956 100644
--- a/moonv4/python_moonutilities/LICENSE
+++ b/python_moonutilities/LICENSE
diff --git a/moonv4/python_moonutilities/MANIFEST.in b/python_moonutilities/MANIFEST.in
index 2a5ac509..2a5ac509 100644
--- a/moonv4/python_moonutilities/MANIFEST.in
+++ b/python_moonutilities/MANIFEST.in
diff --git a/moonv4/python_moonutilities/README.md b/python_moonutilities/README.md
index 8e21966a..8e21966a 100644
--- a/moonv4/python_moonutilities/README.md
+++ b/python_moonutilities/README.md
diff --git a/moonv4/python_moonutilities/python_moonutilities/__init__.py b/python_moonutilities/python_moonutilities/__init__.py
index fb899fe2..fb899fe2 100644
--- a/moonv4/python_moonutilities/python_moonutilities/__init__.py
+++ b/python_moonutilities/python_moonutilities/__init__.py
diff --git a/moonv4/python_moonutilities/python_moonutilities/api.py b/python_moonutilities/python_moonutilities/api.py
index 8e80c21d..8e80c21d 100644
--- a/moonv4/python_moonutilities/python_moonutilities/api.py
+++ b/python_moonutilities/python_moonutilities/api.py
diff --git a/moonv4/python_moonutilities/python_moonutilities/auth.py b/python_moonutilities/python_moonutilities/auth.py
index 7656f4e7..7656f4e7 100644
--- a/moonv4/python_moonutilities/python_moonutilities/auth.py
+++ b/python_moonutilities/python_moonutilities/auth.py
diff --git a/moonv4/python_moonutilities/python_moonutilities/cache.py b/python_moonutilities/python_moonutilities/cache.py
index 93e3daca..93e3daca 100644
--- a/moonv4/python_moonutilities/python_moonutilities/cache.py
+++ b/python_moonutilities/python_moonutilities/cache.py
diff --git a/moonv4/python_moonutilities/python_moonutilities/configuration.py b/python_moonutilities/python_moonutilities/configuration.py
index f0ef74a6..f0ef74a6 100644
--- a/moonv4/python_moonutilities/python_moonutilities/configuration.py
+++ b/python_moonutilities/python_moonutilities/configuration.py
diff --git a/moonv4/python_moonutilities/python_moonutilities/exceptions.py b/python_moonutilities/python_moonutilities/exceptions.py
index 5bbab2be..5bbab2be 100644
--- a/moonv4/python_moonutilities/python_moonutilities/exceptions.py
+++ b/python_moonutilities/python_moonutilities/exceptions.py
diff --git a/moonv4/python_moonutilities/python_moonutilities/misc.py b/python_moonutilities/python_moonutilities/misc.py
index b83523c3..b83523c3 100644
--- a/moonv4/python_moonutilities/python_moonutilities/misc.py
+++ b/python_moonutilities/python_moonutilities/misc.py
diff --git a/moonv4/python_moonutilities/python_moonutilities/security_functions.py b/python_moonutilities/python_moonutilities/security_functions.py
index 6d9307fe..6d9307fe 100644
--- a/moonv4/python_moonutilities/python_moonutilities/security_functions.py
+++ b/python_moonutilities/python_moonutilities/security_functions.py
diff --git a/moonv4/python_moonutilities/requirements.txt b/python_moonutilities/requirements.txt
index 5b80e5f2..5b80e5f2 100644
--- a/moonv4/python_moonutilities/requirements.txt
+++ b/python_moonutilities/requirements.txt
diff --git a/moonv4/python_moonutilities/setup.py b/python_moonutilities/setup.py
index 4a2eef5d..4a2eef5d 100644
--- a/moonv4/python_moonutilities/setup.py
+++ b/python_moonutilities/setup.py
diff --git a/moonv4/python_moonutilities/tests/unit_python/conftest.py b/python_moonutilities/tests/unit_python/conftest.py
index 7217586a..7217586a 100644
--- a/moonv4/python_moonutilities/tests/unit_python/conftest.py
+++ b/python_moonutilities/tests/unit_python/conftest.py
diff --git a/moonv4/python_moonutilities/tests/unit_python/mock_cache.py b/python_moonutilities/tests/unit_python/mock_cache.py
index b2b287a9..b2b287a9 100644
--- a/moonv4/python_moonutilities/tests/unit_python/mock_cache.py
+++ b/python_moonutilities/tests/unit_python/mock_cache.py
diff --git a/moonv4/python_moonutilities/tests/unit_python/mock_components.py b/python_moonutilities/tests/unit_python/mock_components.py
index a0319e1a..a0319e1a 100644
--- a/moonv4/python_moonutilities/tests/unit_python/mock_components.py
+++ b/python_moonutilities/tests/unit_python/mock_components.py
diff --git a/moonv4/python_moonutilities/tests/unit_python/mock_keystone.py b/python_moonutilities/tests/unit_python/mock_keystone.py
index c0b26b88..c0b26b88 100644
--- a/moonv4/python_moonutilities/tests/unit_python/mock_keystone.py
+++ b/python_moonutilities/tests/unit_python/mock_keystone.py
diff --git a/moonv4/python_moonutilities/tests/unit_python/requirements.txt b/python_moonutilities/tests/unit_python/requirements.txt
index 3c1ad607..3c1ad607 100644
--- a/moonv4/python_moonutilities/tests/unit_python/requirements.txt
+++ b/python_moonutilities/tests/unit_python/requirements.txt
diff --git a/moonv4/python_moonutilities/tests/unit_python/test_cache.py b/python_moonutilities/tests/unit_python/test_cache.py
index c479395b..c479395b 100644
--- a/moonv4/python_moonutilities/tests/unit_python/test_cache.py
+++ b/python_moonutilities/tests/unit_python/test_cache.py
diff --git a/moonv4/python_moonutilities/tests/unit_python/test_configuration.py b/python_moonutilities/tests/unit_python/test_configuration.py
index 48699062..48699062 100644
--- a/moonv4/python_moonutilities/tests/unit_python/test_configuration.py
+++ b/python_moonutilities/tests/unit_python/test_configuration.py
diff --git a/moonv4/python_moonutilities/tests/unit_python/utilities.py b/python_moonutilities/tests/unit_python/utilities.py
index 1d79d890..1d79d890 100644
--- a/moonv4/python_moonutilities/tests/unit_python/utilities.py
+++ b/python_moonutilities/tests/unit_python/utilities.py
diff --git a/moonv4/templates/glance/policy.json b/templates/glance/policy.json
index 5505f67f..5505f67f 100644
--- a/moonv4/templates/glance/policy.json
+++ b/templates/glance/policy.json
diff --git a/moonv4/templates/moon_keystone/Dockerfile b/templates/moon_keystone/Dockerfile
index 2a43bd92..2a43bd92 100644
--- a/moonv4/templates/moon_keystone/Dockerfile
+++ b/templates/moon_keystone/Dockerfile
diff --git a/moonv4/templates/moon_keystone/README.md b/templates/moon_keystone/README.md
index 7027324e..7027324e 100644
--- a/moonv4/templates/moon_keystone/README.md
+++ b/templates/moon_keystone/README.md
diff --git a/moonv4/templates/moon_keystone/run.sh b/templates/moon_keystone/run.sh
index 2a61901e..2a61901e 100644
--- a/moonv4/templates/moon_keystone/run.sh
+++ b/templates/moon_keystone/run.sh
diff --git a/moonv4/templates/moonforming/Dockerfile b/templates/moonforming/Dockerfile
index fe48eee0..fe48eee0 100644
--- a/moonv4/templates/moonforming/Dockerfile
+++ b/templates/moonforming/Dockerfile
diff --git a/moonv4/templates/moonforming/README.md b/templates/moonforming/README.md
index f6327693..f6327693 100644
--- a/moonv4/templates/moonforming/README.md
+++ b/templates/moonforming/README.md
diff --git a/moonv4/templates/moonforming/conf/mls.py b/templates/moonforming/conf/mls.py
index 0e6285c9..0e6285c9 100644
--- a/moonv4/templates/moonforming/conf/mls.py
+++ b/templates/moonforming/conf/mls.py
diff --git a/moonv4/templates/moonforming/conf/rbac.py b/templates/moonforming/conf/rbac.py
index 25c010fd..25c010fd 100644
--- a/moonv4/templates/moonforming/conf/rbac.py
+++ b/templates/moonforming/conf/rbac.py
diff --git a/moonv4/templates/moonforming/conf2consul.py b/templates/moonforming/conf2consul.py
index 46c99d5c..46c99d5c 100644
--- a/moonv4/templates/moonforming/conf2consul.py
+++ b/templates/moonforming/conf2consul.py
diff --git a/moonv4/templates/moonforming/moon.conf b/templates/moonforming/moon.conf
index dc498e34..dc498e34 100644
--- a/moonv4/templates/moonforming/moon.conf
+++ b/templates/moonforming/moon.conf
diff --git a/moonv4/templates/moonforming/populate_default_values.py b/templates/moonforming/populate_default_values.py
index fa099458..fa099458 100644
--- a/moonv4/templates/moonforming/populate_default_values.py
+++ b/templates/moonforming/populate_default_values.py
diff --git a/moonv4/templates/moonforming/run.sh b/templates/moonforming/run.sh
index 71543f9e..71543f9e 100644
--- a/moonv4/templates/moonforming/run.sh
+++ b/templates/moonforming/run.sh
diff --git a/moonv4/moon_interface/tests/unit_python/api/__init__.py b/templates/moonforming/utils/__init__.py
index e69de29b..e69de29b 100644
--- a/moonv4/moon_interface/tests/unit_python/api/__init__.py
+++ b/templates/moonforming/utils/__init__.py
diff --git a/moonv4/templates/moonforming/utils/config.py b/templates/moonforming/utils/config.py
index 30c8ea4f..30c8ea4f 100644
--- a/moonv4/templates/moonforming/utils/config.py
+++ b/templates/moonforming/utils/config.py
diff --git a/moonv4/templates/moonforming/utils/models.py b/templates/moonforming/utils/models.py
index 3cf31354..3cf31354 100644
--- a/moonv4/templates/moonforming/utils/models.py
+++ b/templates/moonforming/utils/models.py
diff --git a/moonv4/templates/moonforming/utils/pdp.py b/templates/moonforming/utils/pdp.py
index f3c6df37..f3c6df37 100644
--- a/moonv4/templates/moonforming/utils/pdp.py
+++ b/templates/moonforming/utils/pdp.py
diff --git a/moonv4/templates/moonforming/utils/policies.py b/templates/moonforming/utils/policies.py
index bd08291a..bd08291a 100644
--- a/moonv4/templates/moonforming/utils/policies.py
+++ b/templates/moonforming/utils/policies.py
diff --git a/moonv4/templates/nova/policy.json b/templates/nova/policy.json
index 29763ce3..29763ce3 100644
--- a/moonv4/templates/nova/policy.json
+++ b/templates/nova/policy.json
diff --git a/moonv4/templates/python_unit_test/Dockerfile b/templates/python_unit_test/Dockerfile
index b8fb5151..b8fb5151 100644
--- a/moonv4/templates/python_unit_test/Dockerfile
+++ b/templates/python_unit_test/Dockerfile
diff --git a/moonv4/templates/python_unit_test/README.md b/templates/python_unit_test/README.md
index 45d3a988..45d3a988 100644
--- a/moonv4/templates/python_unit_test/README.md
+++ b/templates/python_unit_test/README.md
diff --git a/moonv4/templates/python_unit_test/requirements.txt b/templates/python_unit_test/requirements.txt
index b611b008..b611b008 100644
--- a/moonv4/templates/python_unit_test/requirements.txt
+++ b/templates/python_unit_test/requirements.txt
diff --git a/moonv4/templates/python_unit_test/run_tests.sh b/templates/python_unit_test/run_tests.sh
index 6c586f87..6c586f87 100644
--- a/moonv4/templates/python_unit_test/run_tests.sh
+++ b/templates/python_unit_test/run_tests.sh
diff --git a/moonv4/tests/get_keystone_projects.py b/tests/get_keystone_projects.py
index 9b5d87cd..9b5d87cd 100644
--- a/moonv4/tests/get_keystone_projects.py
+++ b/tests/get_keystone_projects.py
diff --git a/moonv4/tests/performance/README.md b/tests/performance/README.md
index 52613d2c..52613d2c 100644
--- a/moonv4/tests/performance/README.md
+++ b/tests/performance/README.md
diff --git a/moonv4/tests/populate_default_values.py b/tests/populate_default_values.py
index d5a5769b..d5a5769b 100644
--- a/moonv4/tests/populate_default_values.py
+++ b/tests/populate_default_values.py
diff --git a/tests/run_tests.py b/tests/run_tests.py
deleted file mode 100755
index 2d96bef7..00000000
--- a/tests/run_tests.py
+++ /dev/null
@@ -1,186 +0,0 @@
-#!/usr/bin/python
-
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the
-# 'Apache-2.0'license which can be found in the file 'LICENSE' in this
-# package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import argparse
-import functest.utils.functest_logger as ft_logger
-import functest.utils.functest_utils as functest_utils
-import os
-import sys
-import time
-import yaml
-import subprocess
-import json
-import requests
-from requests.auth import HTTPBasicAuth
-try:
- import http.client as client
-except ImportError:
- import httplib as client
-try:
- # Python3 version
- from urllib.request import urlopen, HTTPBasicAuthHandler, build_opener, install_opener
-except ImportError:
- # Python2 version
- from urllib import urlopen
- from urllib2 import HTTPBasicAuthHandler, build_opener, install_opener
-
-
-PORT_ODL = 8181
-HOST_ODL = "localhost"
-
-parser = argparse.ArgumentParser()
-
-parser.add_argument("-r", "--report",
- help="Create json result file",
- action="store_true")
-args = parser.parse_args()
-
-with open(os.environ["CONFIG_FUNCTEST_YAML"]) as f:
- functest_yaml = yaml.safe_load(f)
-
-dirs = functest_yaml.get('general').get('directories')
-TEST_DB_URL = functest_yaml.get('results').get('test_db_url')
-
-logger = ft_logger.Logger("moon").getLogger()
-
-RESULTS_DIR = \
- functest_utils.get_functest_config('general.directories.dir_results')
-
-
-def __get_endpoint_url(name="keystone"):
- proc = subprocess.Popen(["openstack", "endpoint", "show",
- name, "-f", "yaml"], stdout=subprocess.PIPE)
- y = yaml.load(proc.stdout.read())
- url = y['publicurl']
- url = url.replace("http://", "")
- url = url.replace("https://", "")
- host, port = url.split(":")
- port = port.split("/")[0]
- return host, port
-
-
-def test_federation():
-
- username = "test_fede"
- password = "pass_fede"
-
- # Create a new user in OpenStack
- proc = subprocess.Popen(["openstack", "user", "create",
- "--password", password, username, "-f",
- "yaml"], stdout=subprocess.PIPE)
- logger.info("Create new user ({})".format(proc.stdout.read()))
-
- # Add the role admin to our new user
- proc = subprocess.Popen(["openstack", "role", "add", "--project",
- "admin", "--user", username, "admin", "-f",
- "yaml"], stdout=subprocess.PIPE)
- logger.info("Add the role admin to our new user ({})".format(proc.stdout.read()))
-
- # Add the sdn tenant
- proc = subprocess.Popen(["openstack", "project", "create", "sdn",
- "-f", "yaml"], stdout=subprocess.PIPE)
- logger.info("Add the tenant sdn ({})".format(proc.stdout.read()))
-
- # Add the role admin to test_fede in tenant sdn
- proc = subprocess.Popen(["openstack", "role", "add", "--project",
- "sdn", "--user", username, "admin", "-f",
- "yaml"], stdout=subprocess.PIPE)
- logger.info("Add the role admin for the user test_fede in the tenant sdn ({})".format(proc.stdout.read()))
-
- # Retrieve Moon token
- nhost, nport = __get_endpoint_url()
- auth_data = {'username': username, 'password': password}
- conn = client.HTTPConnection(nhost, nport)
- headers = {"Content-type": "application/json"}
- conn.request("POST", "/moon/auth/tokens", json.dumps(auth_data).encode('utf-8'), headers=headers)
- resp = conn.getresponse()
- if resp.status not in (200, 201, 202, 204):
- return False, "Not able to retrieve Moon token on {}:{} (error code: {}).".format(nhost, nport, resp.status)
-
- # Test ODL auth
- nhost, nport = __get_endpoint_url(name="neutron")
- nport = "8181"
-
- # Test with basic login/pass
- # auth = HTTPBasicAuth("admin", "console")
- # req = requests.get(url='http://{host}:{port}/auth/v1/domains'.format(host=nhost, port=nport), auth=auth)
- # code = req.status_code
- # if code not in (200, 201, 202, 204):
- # return False, "Not able to authenticate to ODL with admin (error code: {}).".format(code)
-
- auth = HTTPBasicAuth(username, password)
- req = requests.get(url='http://{host}:{port}/auth/v1/domains'.format(host=nhost, port=nport), auth=auth)
- code = req.status_code
- if code not in (200, 201, 202, 204):
- return False, "Not able to authenticate to ODL (error code: {}).".format(code)
- return True, ""
-
-
-def test_moon_openstack():
- log_filename = RESULTS_DIR + "/moonclient_selftest.log"
- cmd = "moon test --password console --self --logfile {}".format(log_filename)
-
- ret_val = functest_utils.execute_command(cmd,
- info=True,
- exit_on_error=False,
- output_file=log_filename)
-
- return ret_val, open(log_filename, "rt").read()
-
-
-def main():
- start_time = time.time()
-
- result_os = test_moon_openstack()
- result_odl = test_federation()
-
- stop_time = time.time()
- duration = round(stop_time - start_time, 1)
- if result_os[0] == 0 and result_odl[0]:
- logger.info("OS MOON PASSED")
- test_status = 'PASS'
- else:
- logger.info("OS MOON ERROR")
- test_status = 'FAIL'
- logger.info("Errors from OpenStack tests:")
- logger.info(result_os[1])
- logger.info("Errors from Federation tests:")
- logger.info(result_odl[1])
-
- details = {
- 'timestart': start_time,
- 'duration': duration,
- 'status': test_status,
- 'results': {
- 'openstack': result_os,
- 'opendaylight': result_odl
- }
- }
-
- functest_utils.logger_test_results("moon",
- "moon_authentication",
- test_status, details)
- if args.report:
- functest_utils.push_results_to_db("moon",
- "moon_authentication",
- start_time,
- stop_time,
- test_status,
- details)
- logger.info("Moon results pushed to DB")
-
- if result_os[0] != 0 or not result_odl[0]:
- return False
- return True
-
-
-if __name__ == '__main__':
- ret = main()
- if ret:
- sys.exit(0)
- sys.exit(1)
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
deleted file mode 100755
index a86c9649..00000000
--- a/tests/run_tests.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-if [ $# -eq 1 ]; then cd $1; fi
-
-# ==========================================================
-# test for OpenStack/Moon API through moonclient cli
-
-python run_tests.py
-
-# ==========================================================
-# test for OpenStack OpenDaylight identity federation
-
-# create tenant, user, and password in OpenStack/moon
-# use the created tenant, user, password to access OpenDaylight
diff --git a/moonv4/tests/scenario/delegation.py b/tests/scenario/delegation.py
index 839e74ce..839e74ce 100644
--- a/moonv4/tests/scenario/delegation.py
+++ b/tests/scenario/delegation.py
diff --git a/moonv4/tests/scenario/mls.py b/tests/scenario/mls.py
index 3a3ded43..3a3ded43 100644
--- a/moonv4/tests/scenario/mls.py
+++ b/tests/scenario/mls.py
diff --git a/moonv4/tests/scenario/rbac.py b/tests/scenario/rbac.py
index 89fd7de8..89fd7de8 100644
--- a/moonv4/tests/scenario/rbac.py
+++ b/tests/scenario/rbac.py
diff --git a/moonv4/tests/scenario/rbac_custom_100.py b/tests/scenario/rbac_custom_100.py
index 9ee55dbd..9ee55dbd 100644
--- a/moonv4/tests/scenario/rbac_custom_100.py
+++ b/tests/scenario/rbac_custom_100.py
diff --git a/moonv4/tests/scenario/rbac_custom_1000.py b/tests/scenario/rbac_custom_1000.py
index d6850485..d6850485 100644
--- a/moonv4/tests/scenario/rbac_custom_1000.py
+++ b/tests/scenario/rbac_custom_1000.py
diff --git a/moonv4/tests/scenario/rbac_custom_50.py b/tests/scenario/rbac_custom_50.py
index e1437cf4..e1437cf4 100644
--- a/moonv4/tests/scenario/rbac_custom_50.py
+++ b/tests/scenario/rbac_custom_50.py
diff --git a/moonv4/tests/scenario/rbac_large.py b/tests/scenario/rbac_large.py
index ef5dd9b2..ef5dd9b2 100644
--- a/moonv4/tests/scenario/rbac_large.py
+++ b/tests/scenario/rbac_large.py
diff --git a/moonv4/tests/scenario/rbac_mls.py b/tests/scenario/rbac_mls.py
index 8a5362ea..8a5362ea 100644
--- a/moonv4/tests/scenario/rbac_mls.py
+++ b/tests/scenario/rbac_mls.py
diff --git a/moonv4/tests/scenario/session.py b/tests/scenario/session.py
index 97d7aec3..97d7aec3 100644
--- a/moonv4/tests/scenario/session.py
+++ b/tests/scenario/session.py
diff --git a/moonv4/tests/scenario/session_large.py b/tests/scenario/session_large.py
index 5b4a64b6..5b4a64b6 100644
--- a/moonv4/tests/scenario/session_large.py
+++ b/tests/scenario/session_large.py
diff --git a/moonv4/tests/send_authz.py b/tests/send_authz.py
index b4ed1d2f..b4ed1d2f 100644
--- a/moonv4/tests/send_authz.py
+++ b/tests/send_authz.py
diff --git a/upstream/odl-aaa-moon/aaa/.gitignore b/upstream/odl-aaa-moon/aaa/.gitignore
deleted file mode 100644
index b8938691..00000000
--- a/upstream/odl-aaa-moon/aaa/.gitignore
+++ /dev/null
@@ -1,26 +0,0 @@
-*.class
-
-# Mobile Tools for Java (J2ME)
-.mtj.tmp/
-
-# Package Files #
-*.jar
-*.war
-*.ear
-
-# IDE Files
-.classpath
-.project
-.settings/
-.idea
-
-# Generated stuff
-target/
-META-INF/
-*.iml
-.DS_Store
-yang-gen-sal/
-yang-gen-config/
-
-# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
-hs_err_pid*
diff --git a/upstream/odl-aaa-moon/aaa/README.md b/upstream/odl-aaa-moon/aaa/README.md
deleted file mode 100644
index dc748ef1..00000000
--- a/upstream/odl-aaa-moon/aaa/README.md
+++ /dev/null
@@ -1,62 +0,0 @@
-## Welcome to the OPNFV/Opendaylight AAA Project!
-
-This project is aimed at providing a flexible, pluggable framework with out-of-the-box capabilities for:
-
-* *Authentication*: Means to authenticate the identity of both human and machine users (direct or federated).
-* *Authorization*: Means to authorize human or machine user access to resources including RPCs, notification subscriptions, and subsets of the datatree.
-* *Accounting*: Means to record and access the records of human or machine user access to resources including RPCs, notifications, and subsets of the datatree
-
-
-
-### Building
-
-*Prerequisite:* The followings are required for building AAA:
-
-- Maven 3
-- Java 7
-
-Get the code:
-
- clone the project with git
-
-Build it:
-
- cd aaa && mvn clean install -DskipTests
-
-### Export Moon information
-
-export MOON_SERVER_ADDR=192.168.56.101
-export MOON_SERVER_PORT=5000
-
-
-### Installing
-
-AAA installs into an existing Opendaylight controller Karaf installation. If you don't have an Opendaylight installation, please refer to this [page](https://wiki.opendaylight.org/view/OpenDaylight_Controller:Installation).
-
-Start the controller Karaf container:
- cd distribution-karaf/target/assembly/
- bin/karaf
-
-Install AAA AuthN features:
-
- feature:install odl-aaa-shiro
-
-### Running
-
-Once the installation finishes, one can authenticates with the Opendaylight controller by presenting a username/password and a domain name (scope) to be logged into:
-
- curl -s -d 'grant_type=password&username=admin&password=admin' http://<controller>:<port>/moon/token
-
- curl -s -d 'grant_type=password&username=admin&password=password' http://localhost:8080/moon/token
-
-Upon successful authentication, the controller returns an access token with a configurable expiration in seconds, something similar to the followings:
-
- {"expires_in":3600,"token_type":"Bearer","access_token":"d772d85e-34c7-3099-bea5-cfafd3c747cb"}
-
-The access token can then be used to access protected resources on the controller by passing it along in the standard HTTP Authorization header with the resource request. Example:
-
- curl -s -H 'Authorization: Bearer d772d85e-34c7-3099-bea5-cfafd3c747cb' http://<controller>:<port>/restconf/operational/opendaylight-inventory:nodes
-
-Test HTTP Basic Authentication
-
- curl -u admin:password http://localhost:8080/auth/v1/domains
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-api/pom.xml
deleted file mode 100644
index 97249ace..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/pom.xml
+++ /dev/null
@@ -1,38 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-api</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- </dependencies>
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- </plugin>
- </plugins>
- </build>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/Makefile b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/Makefile
deleted file mode 100644
index 446795b4..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/Makefile
+++ /dev/null
@@ -1,29 +0,0 @@
-all: sssd_configuration.html sssd_configuration.pdf mapping.html
-
-
-images = sssd_01.png sssd_02.png sssd_03.png sssd_04.png sssd_05.png
-
-sssd_configuration.html: $(images)
-
-sssd_configuration.pdf: $(images)
-
-%.html: %.rst
- rst2html $< $@
-
-%.pdf: %.rst
- rst2pdf --footer='-###Page###-' $< -o $@
-
-%.png: %.svg
- inkscape -z -e $@ -w 800 $<
-
-sssd_01.svg: sssd_01.diag
- blockdiag -Tsvg $<
-
-sssd_02.svg: sssd_02.diag
- blockdiag -Tsvg $<
-
-sssd_03.svg: sssd_03.diag
- seqdiag -Tsvg $<
-
-sssd_04.svg: sssd_04.diag
- blockdiag -Tsvg $<
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/class_diagram.png b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/class_diagram.png
deleted file mode 100644
index 999a41f9..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/class_diagram.png
+++ /dev/null
Binary files differ
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/class_diagram.ucls b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/class_diagram.ucls
deleted file mode 100644
index 68345256..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/class_diagram.ucls
+++ /dev/null
@@ -1,127 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<class-diagram version="1.1.6" icons="true" automaticImage="PNG" always-add-relationships="false" generalizations="true"
- realizations="true" associations="true" dependencies="true" nesting-relationships="true">
- <interface id="1" language="java" name="org.opendaylight.aaa.api.TokenStore" project="aaa-authn-api"
- file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java" binary="false" corner="BOTTOM_RIGHT">
- <position height="-1" width="-1" x="637" y="568"/>
- <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true"
- visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </display>
- </interface>
- <interface id="2" language="java" name="org.opendaylight.aaa.api.AuthenticationService" project="aaa-authn-api"
- file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java" binary="false"
- corner="BOTTOM_RIGHT">
- <position height="-1" width="-1" x="385" y="727"/>
- <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true"
- visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </display>
- </interface>
- <interface id="3" language="java" name="org.opendaylight.aaa.api.CredentialAuth" project="aaa-authn-api"
- file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java" binary="false"
- corner="BOTTOM_RIGHT">
- <position height="-1" width="-1" x="148" y="94"/>
- <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true"
- visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </display>
- </interface>
- <interface id="4" language="java" name="org.opendaylight.aaa.api.TokenAuth" project="aaa-authn-api"
- file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java" binary="false" corner="BOTTOM_RIGHT">
- <position height="-1" width="-1" x="139" y="568"/>
- <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true"
- visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </display>
- </interface>
- <interface id="5" language="java" name="org.opendaylight.aaa.api.PasswordCredentials" project="aaa-authn-api"
- file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java" binary="false"
- corner="BOTTOM_RIGHT">
- <position height="-1" width="-1" x="383" y="218"/>
- <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true"
- visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </display>
- </interface>
- <interface id="6" language="java" name="org.opendaylight.aaa.api.Credentials" project="aaa-authn-api"
- file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java" binary="false" corner="BOTTOM_RIGHT">
- <position height="-1" width="-1" x="385" y="93"/>
- <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true"
- visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </display>
- </interface>
- <interface id="7" language="java" name="org.opendaylight.aaa.api.Authentication" project="aaa-authn-api"
- file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java" binary="false"
- corner="BOTTOM_RIGHT">
- <position height="-1" width="-1" x="386" y="567"/>
- <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true"
- visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </display>
- </interface>
- <interface id="8" language="java" name="org.opendaylight.aaa.api.ClaimAuth" project="aaa-authn-api"
- file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java" binary="false" corner="BOTTOM_RIGHT">
- <position height="-1" width="-1" x="138" y="386"/>
- <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true"
- visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </display>
- </interface>
- <interface id="9" language="java" name="org.opendaylight.aaa.api.Claim" project="aaa-authn-api"
- file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java" binary="false" corner="BOTTOM_RIGHT">
- <position height="-1" width="-1" x="386" y="386"/>
- <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true"
- visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </display>
- </interface>
- <dependency id="10">
- <end type="SOURCE" refId="3"/>
- <end type="TARGET" refId="6"/>
- </dependency>
- <dependency id="11">
- <end type="SOURCE" refId="2"/>
- <end type="TARGET" refId="7"/>
- </dependency>
- <generalization id="12">
- <end type="SOURCE" refId="5"/>
- <end type="TARGET" refId="6"/>
- </generalization>
- <dependency id="13">
- <end type="SOURCE" refId="3"/>
- <end type="TARGET" refId="9"/>
- </dependency>
- <generalization id="14">
- <end type="SOURCE" refId="7"/>
- <end type="TARGET" refId="9"/>
- </generalization>
- <dependency id="15">
- <end type="SOURCE" refId="1"/>
- <end type="TARGET" refId="7"/>
- </dependency>
- <dependency id="16">
- <end type="SOURCE" refId="8"/>
- <end type="TARGET" refId="9"/>
- </dependency>
- <dependency id="17">
- <end type="SOURCE" refId="4"/>
- <end type="TARGET" refId="7"/>
- </dependency>
- <classifier-display autosize="true" stereotype="true" package="true" initial-value="false" signature="true"
- accessors="true" visibility="true">
- <attributes public="true" package="true" protected="true" private="false" static="true"/>
- <operations public="true" package="true" protected="true" private="false" static="true"/>
- </classifier-display>
- <association-display labels="true" multiplicity="true"/>
-</class-diagram>
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/credential_auth_sequence.png b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/credential_auth_sequence.png
deleted file mode 100644
index 52d63650..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/credential_auth_sequence.png
+++ /dev/null
Binary files differ
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/credential_auth_sequence.wsd b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/credential_auth_sequence.wsd
deleted file mode 100644
index 383d4031..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/credential_auth_sequence.wsd
+++ /dev/null
@@ -1,18 +0,0 @@
-title Credential Authentication Sequence
-
-# This walks through the credential authentication use case where a credential
-# (typically username/password) is used to authenticate directly with the ODL
-# controller.
-
-Client -> ServletContainer: request access token
-note right of Client
-(credentials, scope=domain)
-end note
-ServletContainer -> TokenEndpoint: credentials, domain
-TokenEndpoint -> CredentialAuth: authenticate(Credentials, domain)
-CredentialAuth -> TokenEndpoint: Claim
-note left of CredentialAuth
-(user/domain/roles)
-end note
-TokenEndpoint -> TokenEndpoint: createToken
-TokenEndpoint -> Client: access token
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/federated_auth_sequence.png b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/federated_auth_sequence.png
deleted file mode 100644
index 799cc909..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/federated_auth_sequence.png
+++ /dev/null
Binary files differ
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/federated_auth_sequence.wsd b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/federated_auth_sequence.wsd
deleted file mode 100644
index 22d1d916..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/federated_auth_sequence.wsd
+++ /dev/null
@@ -1,24 +0,0 @@
-title Federated Authentication Sequence (w/ Claim Transformation)
-
-# This walks through the federated authentication sequence where a claim from a
-# third-party IdP system is posted to the ODL token endpoint in exchange for an
-# access token. The claim information is assumed to be in format specific to the
-# third-party IdP system and assumed to be captured via either Apache environment
-# variables (Servlet attributes) or HTTP headers.
-
-Client -> ServletContainer: request access token
-note right of Client
-(claim as Apache env/HTTP headers)
-end note
-ServletContainer -> ClaimAuthFilter: Servlet attributes/headers
-loop foreach ClaimAuth
- ClaimAuthFilter -> ClaimAuth: transform(Map<String, Object> claim)
- ClaimAuth -> ClaimAuth: transformClaim
-end
-ClaimAuth -> ClaimAuthFilter: Claim
-note left of ClaimAuth
-(user/domain/roles)
-end note
-ClaimAuthFilter --> TokenEndpoint: Claim
-TokenEndpoint -> TokenEndpoint: createToken
-TokenEndpoint -> Client: access token
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/mapping.rst b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/mapping.rst
deleted file mode 100644
index 33635502..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/mapping.rst
+++ /dev/null
@@ -1,1609 +0,0 @@
-Operation Model
-===============
-
-The assertions from an IdP are stored in an associative array. A
-sequence of rules are applied, the first rule which returns success is
-considered a match. During the execution of each rule values from the
-assertion can be tested and transformed with the results selectively
-stored in variables local to the rule. If the rule succeeds an
-associative array of mapped values is returned. The mapped values are
-taken from the local variables set during the rule execution. The
-definition of the rules and mapped results are expressed in JSON
-notation.
-
-A rule is somewhat akin to a function in a programming language. It
-starts execution with a set of predefined local variables. It executes
-statements which are grouped together in blocks. Execution continues
-until an `exit`_ statement returning a success/fail result is
-executed or until the last statement is reached which implies
-success. The remaining statements in a block may be skipped via a
-`continue`_ statement which tests a condition, this is equivalent to
-an "if" control flow of logic in a programming language.
-
-Rule execution continues until a rule returns success. Each rule has a
-`mapping`_ associative array bound to it which is a template for the
-transformed result. Upon success the `mapping`_ template for the
-rule is loaded and the local variables from the successful rule are
-used to populate the values in the `mapping`_ template yielding the
-final mapped result.
-
-If no rules returns success authentication fails.
-
-
-Pseudo Code Illustrating Operational Model
-------------------------------------------
-
-::
-
- mapped = null
- foreach rule in rules {
- result = null
- initialize rule.variables with pre-defined values
-
- foreach block in rule.statement_blocks {
- for statement in block.statements {
- if statement.verb is exit {
- result = exit.status
- break
- }
- elif statement.verb is continue {
- break
- }
- }
- if result {
- break
- }
- if result == null {
- result = success
- }
- if result == success {
- mapped = rule.mapping(rule.variables)
- }
- return mapped
-
-
-
-Structure Of Rule Definitions
-=============================
-
-Rules are loaded by the rule processor via a JSON document called a
-rule definition. A definition has an *optional* set of mapping
-templates and a list of rules. Each rule has specifies a mapping
-template and has a list of statement blocks. Each statement block has
-a list of statements.
-
-In pseudo-JSON (JSON does not have comments, the ... ellipsis is a
-place holder):
-
-::
-
- {
- "mappings": {
- "template1": "{...}",
- "template2": "{...}"
- },
- "rules": [
- { # Rule 0. A rule has a mapping or a mapping name
- # and a list of statement blocks
-
- "mapping": {...},
- # -OR-
- "mapping_name": "template1",
-
- "statement_blocks": [
- [ # Block 0
- [statement 0]
- [statement 1]
- ],
- [ # Block 1
- [statement 0]
- [statement 1]
- ],
-
- ]
- },
- { # Rule 1 ...
- }
- ]
-
- }
-
-Mapping
--------
-
-A mapping template is used to produce the final associative array of
-name/value pairs. The template is a JSON Object. The value in a
-name/value pair can be a constant or a variable. If the template value
-is a variable the value of the variable is retrieved from the set of
-local variables bound to the rule thereby replacing it in the final
-result.
-
-For example given this mapping template and rule variables in JSON:
-
-template:
-
-::
-
- {
- "organization": "BigCorp.com",
- "user: "$subject",
- "roles": "$roles"
- }
-
-local variables:
-
-::
-
- {
- "subject": "Sally",
- "roles": ["user", "admin"]
- }
-
-The final mapped results would be:
-
-::
-
- {
- "organization": "BigCorp.com",
- "user: "Sally",
- "roles": ["user", "admin"]
- }
-
-
-Each rule must bind a mapping template to the rule. The mapping
-template may either be defined directly in the rule via the
-``mapping`` key or referenced by name via the ``mapping_name`` key.
-
-If the ``mapping_name`` is specified the mapping is looked up in a
-table of mapping templates bound to the Rule Processor. Using the name
-of a mapping template is useful when many rules generate the exact
-same template values.
-
-If both ``mapping`` and ``mapping_name`` are defined the locally bound
-``mapping`` takes precedence.
-
-Syntax
-------
-
-The logic for a rule consists of a sequence of statements grouped in
-blocks. A statement is similar to a function call in a programming
-language.
-
-A statement is a list of values the first of which is a verb which
-defines the operation the statement will perform. Think of the
-`verbs`_ as function names or operators. Following the verb are
-parameters which may be constants or variables. If the statement
-assigns a value to a variable left hand side of the assignment (lhs)
-is always the first parameter following the verb in the list of
-statement values.
-
-For example this statement in JSON:
-
-::
-
- ["split", "$groups", "$assertion[Groups]", ":"]
-
-will assign an array to the variable ``$groups``. It looks up the
-string named ``Groups`` in the assertion which is a colon (:)
-separated list of group names splitting that string on the colon
-character.
-
-Statements **must** be grouped together in blocks. Therefore a rule is
-a sequence of blocks and block is a sequence of statements. The
-purpose of blocks is allow for crude flow of control logic. For
-example this JSON rule has 4 blocks.
-
-::
-
- [
- [
- ["set", $user, ""],
- ["set", $roles, []]
- ],
- [
- ["in", "UserName", "$assertion"],
- ["continue", "if_not_success"],
- ["set", "$user", "$assertion[UserName"],
- ],
- [
- ["in", "subject", "$assertion"],
- ["continue", "if_not_success"],
- ["set", "$user", "$assertion[subject]"],
- ],
- [
- ["length", "$temp", "$user"],
- ["compare", "$temp", ">", 0],
- ["exit", "rule_fails", "if_not_success"]
- ["append" "$roles", "unprivileged"]
- ]
- ]
-
-The rule will succeed if either ``UserName`` or ``subject`` is defined
-in the assertion and if so the local variable ``$user`` will be set to
-the value found in the assertion and the "unprivileged" role will be
-appended to the roles array.
-
-The first block performs initialization. The second block tests to see
-if the assertion has the key ``UserName`` if not execution continues
-at the next block otherwise the value of UserName in the assertion is
-copied into the variable ``$user``. The third block performs a similar
-operation looking for a ``subject`` in the assertion. The fourth block
-checks to see if the ``$user`` variable is empty, if it is empty the
-rule fails because it didn't find either a ``UserName`` nor a
-``subject`` in the assertion. If ``$user`` is not empty the
-"unprivileged" role is appended and the rule succeeds.
-
-Data Types
-----------
-
-There are 7 supported types which equate to the types available in
-JSON. At the time of this writing there are 2 implementations of this
-Mapping specification, one in Python and one in Java. This table
-illustrates how each data type is represented. The first two columns
-are definitions from an abstract specification. The JSON column
-enumerates the data type JSON supports. The Mapping column lists the
-7 enumeration names used by the Mapping implemenation in each
-language. The following columns list the concrete data type used in
-that language.
-
-+-----------+------------+--------------------+---------------------+
-| JSON | Mapping | Python | Java |
-+===========+============+====================+=====================+
-| object | MAP | dict | Map<String, Object> |
-+-----------+------------+--------------------+---------------------+
-| array | ARRAY | list | List<Object> |
-+-----------+------------+--------------------+---------------------+
-| string | STRING | unicode (Python 2) | String |
-| | +--------------------+ |
-| | | str (Python 3) | |
-+-----------+------------+--------------------+---------------------+
-| | INTEGER | int | Long |
-| number +------------+--------------------+---------------------+
-| | REAL | float | Double |
-+-----------+------------+--------------------+---------------------+
-| true | | | |
-+-----------+ BOOLEAN | bool | Boolean |
-| false | | | |
-+-----------+------------+--------------------+---------------------+
-| null | NULL | None | null |
-+-----------+------------+--------------------+---------------------+
-
-
-Rule Debugging and Documentation
---------------------------------
-
-If the rule processor reports an error or if you're debugging your
-rules by enabling DEBUG log tracing then you must be able to correlate
-the reported statement to where it appears in your rule JSON source. A
-message will always identify a statement by the rule number, block
-number within that rule and the statement number within that
-block. However once your rules become moderately complex it will
-become increasingly difficult to identify a statement by counting
-rules, blocks and statements.
-
-A better approach is to tag rules and blocks with a name or other
-identifying string. You can set the `Reserved Variables`_
-``rule_name`` and ``block_name`` to a string of your choice. These
-strings will be reported in all messages along with the rule, block
-and statement numbers.
-
-JSON does not permit comments, as such you cannot include explanatory
-comments next to your rules, blocks and statements in the JSON
-source. The ``rule_name`` and ``block_name`` can serve a similar
-purpose. By putting assignments to these variables as the first
-statement in a block you'll both document your rules and be able to
-identify specific statements in log messages.
-
-During rule execution the ``rule_name`` and ``block_name`` are
-initialized to the empty string at the beginning of each rule and
-block respectively.
-
-The above example is augmented to include this information. The rule
-name is set in the first statement in the first block.
-
-::
-
- [
- [
- ["set", "$rule_name", "Must have UserName or subject"],
- ["set", "block_name", "Initialization"],
- ["set", $user, ""],
- ["set", $roles, []]
- ],
- [
- ["set", "block_name", "Test for UserName, set $user"],
- ["in", "UserName", "$assertion"],
- ["continue", "if_not_success"],
- ["set", "$user", "$assertion[UserName"],
- ],
- [
- ["set", "block_name", "Test for subject, set $user"],
- ["in", "subject", "$assertion"],
- ["continue", "if_not_success"],
- ["set", "$user", "$assertion[subject]"],
- ],
- [
- ["set", "block_name", "If not $user fail, else append unprivileged to roles"],
- ["length", "$temp", "$user"],
- ["compare", "$temp", ">", 0],
- ["exit", "rule_fails", "if_not_success"]
- ["append" "$roles", "unprivileged"]
- ]
- ]
-
-
-
-
-Variables
----------
-
-
-Variables always begin with a dollar sign ($) and are followed by an
-identifier which is any alpha character followed by zero or more
-alphanumeric or underscore characters. The variable may optionally be
-delimited with braces ({}) to separate the variable from surrounding
-text. Three types of variables are supported:
-
-* scalar
-* array (indexed by zero based integer)
-* associative array (indexed by string)
-
-Both arrays and associative arrays use square brackets ([]) to specify
-a member of the array. Examples of variable usage:
-
-::
-
- $name
- ${name}
- $groups[0]
- ${groups[0]}
- $properties[key]
- ${properties[key]}
-
-An array or an associative array may be referenced by it's base name
-(omitting the indexing brackets). For example the associative array
-array named "properties" is referenced using it's base name
-``$properties`` but if you want to access a member of the "properties"
-associative array named "duration" you would do this ``$properties[duration]``
-
-This is not a general purpose language with full expression
-syntax. Only one level of variable lookup is supported. Therefore
-compound references like this
-
-::
-
- $properties[$groups[2]]
-
-will not work.
-
-
-Escaping
-^^^^^^^^
-
-If you need to include a dollar sign in a string (where it is
-immediately followed by either an identifier or a brace and identifier)
-and do not want to have it be interpreted as representing a variable
-you must escape the dollar sign with a backslash, for example
-"$amount" is interpreted as the variable ``amount`` but "\\$amount"
-is interpreted as the string "$amount" .
-
-
-Reserved Variables
-------------------
-
-A rule has the following reserved variables:
-
-assertion
- The current assertion values from the federated IdP. It is a
- dictionary of key/value pairs.
-
-regexp_array
- The regular expression groups from the last successful regexp match
- indexed by number. Group 0 is the entire match. Groups 1..n are
- the corresponding parenthesized group counting from the left. For
- example regexp_array[1] is the first group.
-
-regexp_map
- The regular expression groups from the last successful regexp match
- indexed by group name.
-
-rule_number
- The zero based index of the currently executing rule.
-
-rule_name
- The name of the currently executing rule. If the rule name has not
- been set it will be the empty string.
-
-block_number
- The zero based index of the currently executing block within the
- currently executing rule.
-
-block_name
- The name of the currently executing block. If the block name has not
- been set it will be the empty string.
-
-
-statement_number
- The zero based index of the currently executing statement within the
- currently executing block.
-
-
-Examples
-========
-
-Split a fully qualified username into user and realm components
----------------------------------------------------------------
-
-It's common for some IdP's to return a fully qualified username
-(e.g. principal or subject). The fully qualified username is the
-concatenation of the user name, separator and realm name. A common
-separator is the @ character. In this example lets say the fully
-qualified username is ``bob@example.com`` and you want to return the
-user and realm as independent values in your mapped result. The
-username appears in the assertion as the value ``Principal``.
-
-Our strategy will be to use a regular expression identify the user and
-realm components and then assign them to local variables which will
-then populate the mapped result.
-
-The mapping in JSON is:
-
-::
-
- {
- "user": "$username",
- "realm": "$domain"
- }
-
-The assertion in JSON is:
-
-::
-
- {
- "Principal": "bob@example.com"
- }
-
-Our rule is:
-
-::
-
- [
- [
- ["in", "Principal", "assertion"],
- ["exit", "rule_fails", "if_not_success"],
- ["regexp", "$assertion[Principal]", (?P<username>\\w+)@(?P<domain>.+)"],
- ["set", "$username", "$regexp_map[username]"],
- ["set", "$domain", "$regexp_map[domain]"],
- ["exit, "rule_succeeds", "always"]
- ]
- ]
-
-Rule explanation:
-
-Block 0:
-
-0. Test if the assertion contains a Principal value.
-1. Abort the rule if the assertion does not contain a Principal
- value.
-2. Apply a regular expression the the Principal value. Use named
- groupings for the username and domain components for clarity.
-3. Assign the regexp group username to the $username local variable.
-4. Assign the regexp group domain to the $domain local variable.
-5. Exit the rule, apply the mapping, return the mapped values. Note, an
- explicit `exit`_ is not required if there are no further statements
- in the rule, as is the case here.
-
-The mapped result in JSON is:
-
-::
-
- {
- "user": "bob",
- "realm": "example.com"
- }
-
-Build a set of roles based on group membership
-----------------------------------------------
-
-Often one wants to grant roles to a user based on their membership in
-certain groups. In this example let's say the assertion contains a
-``Groups`` value which is a colon separated list of group names. Our
-strategy is to split the ``Groups`` assertion value into an array of
-group names. Then we'll test if a specific group is in the groups
-array, if it is we'll add a role. Finally if no roles have been mapped
-we fail. Users in the group "student" will get the role "unprivileged"
-and users in the group "helpdesk" will get the role "admin".
-
-The mapping in JSON is:
-
-::
-
- {
- "roles": "$roles",
- }
-
-The assertion in JSON is:
-
-::
-
- {
- "Groups": "student:helpdesk"
- }
-
-Our rule is:
-
-::
-
- [
- [
- ["in", "Groups", "assertion"],
- ["exit", "rule_fails", "if_not_success"],
- ["set", "$roles", []],
- ["split", "$groups", "$assertion[Groups]", ":"],
- ],
- [
- ["in", "student", "$groups"],
- ["continue", "if_not_success"],
- ["append", "$roles", "unprivileged"]
- ],
- [
- ["in", "helpdesk", "$groups"],
- ["continue", "if_not_success"],
- ["append", "$roles", "admin"]
- ],
- [
- ["unique", "$roles", "$roles"],
- ["length", "$temp", "roles"],
- ["compare", $temp", ">", 0],
- ["exit", "rule_fails", "if_not_success"]
- ]
-
- ]
-
-Rule explanation:
-
-Block 0
-
-0. Test if the assertion contains a Groups value.
-1. Abort the rule if the assertion does not contain a Groups
- value.
-2. Initialize the $roles variable to an empty array.
-3. Split the colon separated list of group names into an array of
- individual group names
-
-Block 1
-
-0. Test if "student" is in the $groups array
-1. Exit the block if it's not.
-2. Append "unprivileged" to the $roles array
-
-Block 2
-
-0. Test if "helpdesk" is in the $groups array
-1. Exit the block if it's not.
-2. Append "admin" to the $roles array
-
-Block 3
-
-0. Strip any duplicate roles that might have been appended to the
- $roles array to assure each role is unique.
-1. Count how many members are in the $roles array, assign the
- length to the $temp variable.
-2. Test to see if the $roles array had any members.
-3. Fail if no roles had been assigned.
-
-The mapped result in JSON is:
-
-::
-
- {
- "roles": ["unprivileged", "admin"]
- }
-
-However, suppose whatever is receiving your mapped results is not
-expecting an array of roles. Instead it expects a comma separated list
-in a string. To accomplish this add the following statement as the
-last one in the final block:
-
-::
-
- ["join", "$roles", "$roles", ","]
-
-Then the mapped result will be:
-
-::
-
- {
- "roles": "unprivileged,admin"]
- }
-
-
-
-
-White list certain users and grant them specific roles
-------------------------------------------------------
-
-Suppose you have certain users you always want to unconditionally
-accept and authorize with specific roles. For example if the user is
-"head_of_IT" then assign her the "user" and "admin" roles. Otherwise
-keep processing. The list of white listed users is hard-coded into the
-rule.
-
-The mapping in JSON is:
-
-::
-
- {
- "user": $user,
- "roles": "$roles",
- }
-
-The assertion in JSON is:
-
-::
-
- {
- "UserName": "head_of_IT"
- }
-
-Our rule in JSON is:
-
-::
-
- [
- [
- ["in", "UserName", "assertion"],
- ["exit", "rule_fails", "if_not_success"],
- ["in", "$assertion[UserName]", ["head_of_IT", "head_of_Engineering"]],
- ["continue", "if_not_success"],
- ["set", "$user", "$assertion[UserName"]
- ["set", "$roles", ["user", "admin"]],
- ["exit", "rule_succeeds", "always"]
- ],
- [
- ...
- ]
- ]
-
-Rule explanation:
-
-Block 0
-
-0. Test if the assertion contains a UserName value.
-1. Abort the rule if the assertion does not contain a UserName
- value.
-2. Test if the user is in the hardcoded list of white listed users.
-3. If the user isn't in the white listed array then exit the block and
- continue execution at the next block.
-4. Set the $user local variable to $assertion[UserName]
-5. Set the $roles local variable to the hardcoded array containing
- "user" and "admin"
-6. We're done, unconditionally exit and return the mapped result.
-
-Block 1
-
-0. Further processing
-
-The mapped result in JSON is:
-
-::
-
- {
- "user": "head_of_IT",
- "roles": ["users", "admin"]
- }
-
-
-Black list certain users
-------------------------
-
-Suppose you have certain users you always want to unconditionally
-deny access to by placing them in a black list. In this example the
-user "BlackHat" will try to gain access. The black list includes the
-users "BlackHat" and "Spook".
-
-The mapping in JSON is:
-
-::
-
- {
- "user": $user,
- "roles": "$roles",
- }
-
-The assertion in JSON is:
-
-::
-
- {
- "UserName": "BlackHat"
- }
-
-Our rule in JSON is:
-
-::
-
- [
- [
- ["in", "UserName", "assertion"],
- ["exit", "rule_fails", "if_not_success"],
- ["in", "$assertion[UserName]", ["BlackHat", "Spook"]],
- ["exit", "rule_fails", "if_success"]
- ],
- [
- ...
- ]
- ]
-
-Rule explanation:
-
-Block 0
-
-0. Test if the assertion contains a UserName value.
-1. Abort the rule if the assertion does not contain a UserName
- value.
-2. Test if the user is in the hard-coded list of black listed users.
-3. If the test succeeds then immediately abort and return failure.
-
-Block 1
-
-0. Further processing
-
-The mapped result in JSON is:
-
-::
-
- Null
-
-Format Strings and/or Concatenate Strings
------------------------------------------
-
-You can replace variables in a format string using the `interpolate`_
-verb. String concatenation is trivially placing two variables adjacent
-to one another in a format string. Suppose you want to form an email
-address from the username and domain in an assertion.
-
-The mapping in JSON is:
-
-::
-
- {
- "email": $email,
- }
-
-The assertion in JSON is:
-
-::
-
- {
- "UserName": "Bob",
- "Domain": "example.com"
- }
-
-Our rule in JSON is:
-
-::
-
- [
- [
- ["interpolate", "$email", "$assertion[UserName]@$assertion[Domain]"],
- ]
- ]
-
-Rule explanation:
-
-Block 0
-
-0. Replace the variable $assertion[UserName] with it's value and
- replace the variable $assertion[Domain] with it's value.
-
-The mapped result in JSON is:
-
-::
-
- {
- "email": "Bob@example.com",
- }
-
-
-Note, sometimes it's necessary to utilize braces to separate variables
-from surrounding text by using the brace notation. This can also make
-the format string more readable. Using braces to delimit variables the
-above would be:
-
-::
-
- [
- [
- ["interpolate", "$email", "${assertion[UserName]}@${assertion[Domain]}"],
- ]
- ]
-
-
-
-Make associative array lookups case insensitive
------------------------------------------------
-
-Many systems treat field names as case insensitive. By default
-associative array indexing is case sensitive. The solution is to lower
-case all the keys in an associative array and then only use lower case
-indices. Suppose you want the assertion associative array to be case
-insensitive.
-
-The mapping in JSON is:
-
-::
-
- {
- "user": $user,
- }
-
-The assertion in JSON is:
-
-::
-
- {
- "UserName": "Bob"
- }
-
-Our rule in JSON is:
-
-::
-
- [
- [
- ["lower", "$assertion", "$assertion"],
- ["in", "username", "assertion"],
- ["exit", "rule_fails", "if_not_success"],
- ["set", "$user", "$assertion[username"]
- ]
- ]
-
-Rule explanation:
-
-Block 0
-
-0. Lower case all the keys in the assertion associative array.
-1. Test if the assertion contains a username value.
-2. Abort the rule if the assertion does not contain a username
- value.
-3. Assign the username value in the assertion to $user
-
-The mapped result in JSON is:
-
-::
-
- {
- "user": "Bob",
- }
-
-
-Verbs
-=====
-
-The following verbs are supported:
-
-* `set`_
-* `length`_
-* `interpolate`_
-* `append`_
-* `unique`_
-* `regexp`_
-* `regexp_replace`_
-* `split`_
-* `join`_
-* `lower`_
-* `upper`_
-* `compare`_
-* `in`_
-* `not_in`_
-* `exit`_
-* `continue`_
-
-Some verbs have a side effects. A verb may set a boolean success/fail
-result which may then be tested with a subsequent verb. For example
-the ``fail`` verb can be used to indicate the rule fails if a prior
-result is either ``success`` or ``not_success``. The ``regexp`` verb
-which performs a regular expression search on a string stores the
-regular expression sub-matches as a side effect in the variables
-``$regexp_array`` and ``$regexp_map``.
-
-
-Verb Definitions
-================
-
-set
----
-
-``set $variable value``
-
-$variable
- The variable being assigned (i.e. lhs)
-
-value
- The value to assign to the variable (i.e. rhs). The value may be
- another variable or a constant.
-
-**set** assigns a value to a variable, in other words it's an
-assignment statement.
-
-Examples:
-^^^^^^^^^
-
-Initialize a variable to an empty array.
-
-::
-
- ["set", "$groups", []]
-
-Initialize a variable to an empty associative array.
-
-::
-
- ["set", "$groups", {}]
-
-Assign a string.
-
-::
-
- ["set", "$version", "1.2.3"]
-
-Copy the ``UserName`` value from the assertion to a temporary variable.
-
-::
-
- ["set", "$temp", "$assertion[UserName]"],
-
-
-Get the 2nd item in an array (array indexing is zero based)
-
-::
-
- ["set", "$group", "$groups[1]"]
-
-
-Set the associative array entry "IdP" to "kdc.example.com".
-
-::
-
- ["set", "$metadata[IdP]", "kdc.example.com""]
-
---------------------------------------------------------------------------------
-
-length
-------
-
-``length $variable value``
-
-$variable
- The variable which receives the length value
-
-value
- The value whose length is to be determined. May be one of array,
- associative array, or string.
-
-**length** computes the number of items in the value. How this is done
-depends upon the type of value:
-
-array
- The length is the number of items in the array.
-
-associative array
- The length is the number of key/value pairs in the associative
- array.
-
-string
- The length is the number of *characters* (not octets) in the
- string.
-
-Examples:
-^^^^^^^^^
-
-Count how many items are in the ``$groups`` array and assign that
-value to the ``$groups_length`` variable.
-
-::
-
- ["length", "$groups_length", "$groups"]
-
-Count how many key/value pairs are in the ``$assertion`` associative
-array and assign that value to the ``$num_assertion_values`` variable.
-
-::
-
- ["length", "$num_assertion_values", "$assertion"]
-
-Count how many characters are in the assertion's UserName and assign
-the value to ``$username_length``.
-
-::
-
- ["length", "$user_name_length", "$assertion[UserName]"]
-
-
---------------------------------------------------------------------------------
-
-interpolate
------------
-
-``interpolate $variable string``
-
-$variable
- This variable is assigned the result of the interpolation.
-
-string
- A string containing references to variables which will be replaced
- in the string.
-
-**interpolate** replaces each occurrence of a variable in a string with
-it's value. The result is assigned to $variable.
-
-Examples:
-^^^^^^^^^
-
-Form an email address given the username and domain. If the username
-is "jane" and the domain is "example.com" then $email will be
-"jane@example.com"
-
-::
-
- ["interpolate", "$email", "${username}@${domain}"]
-
-
---------------------------------------------------------------------------------
-
-
-append
-------
-
-``append $variable value``
-
-$variable
- This variable **must** be an array. It is modified in place by
- appending ``value`` to the end of the array.
-
-value
- The value to append to the end of the array.
-
-**append** adds a value to end of an array.
-
-Examples:
-^^^^^^^^^
-
-Append the role "qa_test" to the roles list.
-
-::
-
- ["append", "$roles", "qa_test"]
-
-
---------------------------------------------------------------------------------
-
-
-unique
-------
-
-``unique $variable value``
-
-$variable
- This variable is assigned the unique values in the ``value``
- array.
-
-value
- An array of values. **must** be an array.
-
-**unique** builds an array of unique values in ``value`` by stripping
-out duplicates and assigns the array of unique values to
-``$variable``. The order of items in the ``value`` array are
-preserved.
-
-Examples:
-^^^^^^^^^
-
-$one_of_a_kind will be assigned ["a", "b"]
-
-::
-
- ["unique", "$one_of_a_kind", ["a", "b", "a"]]
-
-
---------------------------------------------------------------------------------
-
-regexp
-------
-
-``regexp string pattern``
-
-string
- The string the regular expression pattern is applied to.
-
-pattern
- The regular expression pattern.
-
-**regexp** performs a regular expression match against ``string``. The
-regular expression pattern syntax is defined by the regular expression
-implementation of the language this API is written in.
-
-Pattern groups are a convenient way to select sub-matches. Pattern
-groups may accessed by either group number or group name. After a
-successful regular expression match the groups are stored in the
-special variables ``$regexp_array`` and
-``$regexp_map``.
-
-``$regexp_array`` is used to access the groups by
-numerical index. Groups are numbered by counting the left parenthesis
-group delimiter starting at 1. Group 0 is the entire
-match. ``$regexp_array`` is valid irregardless of whether you used
-named groups or not.
-
-``$regexp_map`` is used to access the groups by
-name. ``$regexp_map`` is only valid if you used named groups in the
-pattern.
-
-Examples:
-^^^^^^^^^
-
-Many user names are of the form "user@domain", to split the username
-from the domain and to be able to work with those values independently
-use a regular expression and then assign the results to a variable. In
-this example there are two regular expression groups, the first group
-is the username and the second group is the domain. In the first
-example we use named groups and then access the match information in
-the special variable ``$regexp_map`` via the name of the group.
-
-::
-
- ["regexp", "$assertion[UserName]", "(?P<username>\\w+)@(?P<domain>.+)"],
- ["continue", "if_not_success"],
- ["set", "$username", "$regexp_map[username]"],
- ["set", "$domain", "$regexp_map[domain]"],
-
-
-This is exactly equivalent but uses numbered groups instead of named
-groups. In this instance the group matches are stored in the special
-variable ``$regexp_array`` and accessed by numerical index.
-
-::
-
- ["regexp", "$assertion[UserName]", "(\\w+)@(.+)"],
- ["continue", "if_not_success"],
- ["set", "$username", "$regexp_array[1]"],
- ["set", "$domain", "$regexp_array[2]"],
-
-
-
---------------------------------------------------------------------------------
-
-regexp_replace
---------------
-
-``regexp_replace $variable string pattern replacement``
-
-$variable
- The variable which receives result of the replacement.
-
-string
- The string to perform the replacement on.
-
-pattern
- The regular expression pattern.
-
-replacement
- The replacement specification.
-
-**regexp_replace** replaces each occurrence of ``pattern`` in
-``$string`` with ``replacement``. See `regexp`_ for details of using
-regular expressions.
-
-Examples:
-^^^^^^^^^
-
-Convert hyphens in a name to underscores.
-
-::
-
- ["regexp_replace", "$name", "$name", "-", "_"]
-
-
---------------------------------------------------------------------------------
-
-split
------
-
-``split $variable string pattern``
-
-$variable
- This variable is assigned an array containing the split items.
-
-string
- The string to split into separate items.
-
-pattern
- The regular expression pattern used to split the string.
-
-**split** splits ``string`` into separate pieces and assigns the
-result to ``$variable`` as an array of pieces. The split occurs
-wherever the regular expression ``pattern`` occurs in ``string``. See
-`regexp`_ for details of using regular expressions.
-
-Examples:
-^^^^^^^^^
-
-Split a list of groups separated by a colon (:) into an array of
-individual group names. If $assertion[Groups] contained the string
-"user:admin" then $group_list will set to ["user", "admin"].
-
-::
-
- ["split", "$group_list", "$assertion[Groups]", ":"]
-
-
-
---------------------------------------------------------------------------------
-
-join
-----
-
-``join $variable array join_string``
-
-$variable
- This variable is assigned the string result of the join operation.
-
-array
- An array of string items to be joined together with
- ``$join_string``.
-
-join_string
- The string inserted between each element in ``array``.
-
-**join** accepts an array of strings and produces a single string
-where each element in the array is separated by ``join_string``.
-
-Examples:
-^^^^^^^^^
-
-Convert a list of group names into a single string where each group
-name is separated by a colon (:). If the array ``$group_list`` is
-["user", "admin"] and the ``join_string`` is ":" then the
-``$group_string`` variable will be set to "user:admin".
-
-::
-
- ["join", "$group_string", "$groups", ":"]
-
-
---------------------------------------------------------------------------------
-
-lower
------
-
-``lower $variable value``
-
-$variable
- This variable is assigned the result of the lower operation.
-
-value
- The value to lower case, may be either a string, array, or
- associative array.
-
-**lower** lower cases the input value. The input value may be one of
-the following types:
-
-string
- The string is lower cased.
-
-array
- Each member of the array must be a string, the result is an array
- with the items replaced by their lower case value.
-
-associative array
- Each key in the associative array is lower cased. The values
- associated with the key are **not** modified.
-
-Examples:
-^^^^^^^^^
-
-Lookup ``UserName`` in the assertion and set the variable
-``$username`` to it's lower case value.
-
-::
-
- ["lower", "$username", "$assertion[UserName]"],
-
-Set each member of the ``$groups`` array to it's lower case value. If
-``$groups`` was ["User", "Admin"] then ``$groups`` will become
-["user", "admin"].
-
-::
-
- ["lower", "$groups", "$groups"],
-
-To enable case insensitive lookup's in an associative array lower case
-each key in the associative array. If ``$assertion`` was {"UserName":
-"JoeUser"} then ``$assertion`` will become {"username": "JoeUser"}
-
-::
-
- ["lower", "$assertion", $assertion"]
-
---------------------------------------------------------------------------------
-
-upper
------
-
-``upper $variable value``
-
-$variable
- This variable is assigned the result of the upper operation.
-
-value
- The value to upper case, may be either a string, array, or
- associative array.
-
-**upper** is exactly analogous to `lower`_ except the values are upper
-cased, see `lower`_ for details.
-
-
---------------------------------------------------------------------------------
-
-in
---
-
-``in member collection``
-
-member
- The value whose membership is being tested.
-
-collection
- A collection of members. May be string, array or associative array.
-
-**in** tests to see if ``member`` is a member of ``collection``. The
-membership test depends on the type of collection, the following are
-supported:
-
-array
- If any item in the array is equal to ``member`` then the result is
- success.
-
-associative array
- If the associative array contains a key equal to ``member`` then
- the result is success.
-
-string
- If the string contains a sub-string equal to ``member`` then the
- result is success.
-
-Examples:
-^^^^^^^^^
-
-Test to see if the assertion contains a UserName value.
-
-::
-
- ["in", "UserName", "$assertion"]
- ["continue", "if_not_success"]
-
-Test to see if a group is one of "user" or "admin".
-
-::
-
- ["in", "$group", ["user", "admin"]]
- ["continue", "if_not_success"]
-
-Test to see if the sub-string "BigCorp" is in
-the assertion's ``Provider`` value.
-
-::
-
- ["in", "BigCorp", "$assertion[Provider]"]
- ["continue", "if_not_success"]
-
-
---------------------------------------------------------------------------------
-
-not_in
-------
-
-``in member collection``
-
-member
- The value whose membership is being tested.
-
-collection
- A collection of members. May be string, array or associative array.
-
-**not_in** is exactly analogous to `in`_ except the sense of the test
-is reversed. See `in`_ for details.
-
---------------------------------------------------------------------------------
-
-compare
--------
-
-``compare left operator right``
-
-left
- The left hand value of the binary operator.
-
-operator
- The binary operator used for comparing left to right.
-
-right
- The right hand value of the binary operator.
-
-
-**compare** compares the left value to the right value according the
-operator and sets success if the comparison evaluates to True. The
-following relational operators are supported.
-
-+----------+-----------------------+
-| Operator | Description |
-+==========+=======================+
-| == | equal |
-+----------+-----------------------+
-| != | not equal |
-+----------+-----------------------+
-| < | less than |
-+----------+-----------------------+
-| <= | less than or equal |
-+----------+-----------------------+
-| > | greater than |
-+----------+-----------------------+
-| >= | greater than or equal |
-+----------+-----------------------+
-
-
-The left and right hand sides of the comparison operator *must* be
-the same type, no type conversions are performed. Not all combinations
-of operator and type are supported. The table below illustrates the
-supported combinations. Essentially you can test for equality or
-inequality on any type. But only strings and numbers support the
-magnitude relational operators.
-
-
-+----------+--------+---------+------+---------+-----+------+------+
-| Operator | STRING | INTEGER | REAL | BOOLEAN | MAP | LIST | NULL |
-+==========+========+=========+======+=========+=====+======+======+
-| == | X | X | X | X | X | X | X |
-+----------+--------+---------+------+---------+-----+------+------+
-| != | X | X | X | X | X | X | X |
-+----------+--------+---------+------+---------+-----+------+------+
-| < | X | X | X | | | | |
-+----------+--------+---------+------+---------+-----+------+------+
-| <= | X | X | X | | | | |
-+----------+--------+---------+------+---------+-----+------+------+
-| > | X | X | X | | | | |
-+----------+--------+---------+------+---------+-----+------+------+
-| >= | X | X | X | | | | |
-+----------+--------+---------+------+---------+-----+------+------+
-
-
-Examples:
-^^^^^^^^^
-
-Test to see if the ``$groups`` array has at least 2 members
-
-::
-
- ["length", "$group_length", "$groups"],
- ["compare", "$group_length", ">=", 2]
-
-
---------------------------------------------------------------------------------
-
-exit
-----
-
-``exit status criteria``
-
-status
- The result for the rule.
-
-criteria
- The criteria upon which will cause the rule will be immediately
- exited with a failed status.
-
-**exit** causes the rule being executed to immediately exit and a rule
-result if the specified criteria is met. Statement verbs such as `in`_
-or `compare`_ set the result status which may be tested with the
-``success`` and ``not_success`` criteria.
-
-The exit ``status`` may be one of:
-
-rule_fails
- The rule has failed and no mapping will occur.
-
-rule_succeeds
- The rule succeeded and the mapping will be applied.
-
-The ``criteria`` may be one of:
-
-if_success
- If current result status is success then exit with ``status``.
-
-if_not_success
- If current result status is not success then exit with ``status``.
-
-always
- Unconditionally exit with ``status``.
-
-never
- Effectively a no-op. Useful for debugging.
-
-Examples:
-^^^^^^^^^
-
-The rule requires ``UserName`` to be in the assertion.
-
-::
-
- ["in", "UserName", "$assertion"]
- ["exit", "rule_fails", "if_not_success"]
-
---------------------------------------------------------------------------------
-
-
-continue
---------
-
-``continue criteria``
-
-criteria
- The criteria which causes the remainder of the *block* to be
- skipped.
-
-**continue** is used to control execution for statement blocks. It
-mirrors in a crude way the `if` expression in a procedural
-language. ``continue`` does *not* affect the success or failure of a
-rule, rather it controls whether subsequent statements in a block are
-executed or not. Control continues at the next statement block.
-
-Statement verbs such as `in`_ or `compare`_ set the result status
-which may be tested with the ``success`` and ``not_success`` criteria.
-
-The criteria may be one of:
-
-if_success
- If current result status is success then exit the statement
- block and continue execution at the next statement block.
-
-if_not_success
- If current result status is not success then exit the statement
- block and continue execution at the next statement block.
-
-always
- Immediately exit the statement block and continue execution at the
- next statement block.
-
-never
- Effectively a no-op. Useful for debugging. Execution continues at
- the next statement.
-
-Examples:
-^^^^^^^^^
-
-The following pseudo code:
-
-::
-
- roles = [];
- if ("Groups" in assertion) {
- groups = assertion["Groups"].split(":");
- if ("qa_test" in groups) {
- roles.append("tester");
- }
- }
-
-could be implemented this way:
-
-::
-
- [
- ["set", "$roles", []],
- ["in", "Groups", "$assertion"],
- ["continue", "if_not_success"],
- ["split" "$groups", $assertion[Groups]", ":"],
- ["in", "qa_test", "$groups"],
- ["continue", "if_not_success"],
- ["append", "$roles", "tester"]
- ]
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/resource_access_sequence.png b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/resource_access_sequence.png
deleted file mode 100644
index 728b86ce..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/resource_access_sequence.png
+++ /dev/null
Binary files differ
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/resource_access_sequence.wsd b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/resource_access_sequence.wsd
deleted file mode 100644
index 3a1c1474..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/resource_access_sequence.wsd
+++ /dev/null
@@ -1,25 +0,0 @@
-title Resource Access Sequence with Access Token
-
- This walks through a listing request of a secured resource (MD-SAL topology)
- from a client to the ODL controller using an access token (either one generated
- by the ODL token endpoint, or a token from a third-party IdP) and shows how the
- authentication context get set upon successful token validation. If token
- validation fails, the TokenAuthFilter will return a 401, and the REST layer
- will be oblivious to the failed request.
-
-Client -> ServletContainer: list topologies
-note right of Client
-(Authorization = access token)
-end note
-ServletContainer -> TokenAuthFilter: access token
-loop foreach TokenAuth
- TokenAuthFilter -> TokenAuth: validate(token)
- TokenAuth -> TokenAuth: validateToken
-end
-TokenAuth -> TokenAuthFilter: Authentication
-note left of TokenAuth
-(user/domain/roles/expiration)
-end note
-TokenAuthFilter -> AuthenticationService: set(Authentication)
-TokenAuthFilter -> RestConf: list topologies
-RestConf -> AuthenticationService: get: Authentication
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_01.diag b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_01.diag
deleted file mode 100644
index 28317393..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_01.diag
+++ /dev/null
@@ -1,6 +0,0 @@
-blockdiag {
- User <-> AAA;
- User [numbered = 1, shape = actor]
- AAA [numbered = 2, label = "App Server\nAAA"]
-}
-
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_01.svg b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_01.svg
deleted file mode 100644
index 4056b10a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_01.svg
+++ /dev/null
@@ -1,32 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
-<svg viewBox="0 0 448 120" xmlns="http://www.w3.org/2000/svg" xmlns:inkspace="http://www.inkscape.org/namespaces/inkscape" xmlns:xlink="http://www.w3.org/1999/xlink">
- <defs id="defs_block">
- <filter height="1.504" id="filter_blur" inkspace:collect="always" width="1.1575" x="-0.07875" y="-0.252">
- <feGaussianBlur id="feGaussianBlur3780" inkspace:collect="always" stdDeviation="4.2" />
- </filter>
- </defs>
- <title>blockdiag</title>
- <desc>blockdiag {
- User &lt;-&gt; AAA;
- User [numbered = 1, shape = actor]
- AAA [numbered = 2, label = "App Server\nAAA"]
-}
-
-</desc>
- <polygon fill="rgb(0,0,0)" points="134,56 134,61 151,61 151,66 134,66 134,71 148,86 141,86 131,76 121,86 114,86 128,71 128,66 111,66 111,61 128,61 128,56" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
- <ellipse cx="131" cy="51" fill="rgb(0,0,0)" rx="7" ry="7" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="259" y="46" />
- <polygon fill="rgb(255,255,255)" points="131,50 131,55 148,55 148,60 131,60 131,65 145,80 138,80 128,70 118,80 111,80 125,65 125,60 108,60 108,55 125,55 125,50" stroke="rgb(0,0,0)" />
- <ellipse cx="128" cy="45" fill="rgb(255,255,255)" rx="7" ry="7" stroke="rgb(0,0,0)" />
- <ellipse cx="64" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="61" y="44">1</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="256" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="293" y="60">App Server</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="310" y="70">AAA</text>
- <ellipse cx="256" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="253" y="44">2</text>
- <path d="M 156 60 L 248 60" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="149,60 156,56 156,64 149,60" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="255,60 248,56 248,64 255,60" stroke="rgb(0,0,0)" />
-</svg>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_02.diag b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_02.diag
deleted file mode 100644
index 2076dd16..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_02.diag
+++ /dev/null
@@ -1,18 +0,0 @@
-blockdiag {
- span_width = 30
- User <-> Apache;
- Proxy <-> AAA;
- group {
- Apache <-> Proxy;
- group {
- orientation = portrait
- Apache <-> SSSD;
- }
- }
- User [numbered = 1, shape = actor, width = 60]
- Apache [numbered = 2, label = "Apache\nAuthenticates user"]
- SSSD [numbered = 3, label = "SSSD\nProvides user info"]
- Proxy [numbered = 4, label = "Proxy Transport\nRequest + Metadata"]
- AAA [numbered = 5, label = "App Server\nAAA"]
-}
-
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_02.svg b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_02.svg
deleted file mode 100644
index 42196b60..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_02.svg
+++ /dev/null
@@ -1,79 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
-<svg viewBox="0 0 594 200" xmlns="http://www.w3.org/2000/svg" xmlns:inkspace="http://www.inkscape.org/namespaces/inkscape" xmlns:xlink="http://www.w3.org/1999/xlink">
- <defs id="defs_block">
- <filter height="1.504" id="filter_blur" inkspace:collect="always" width="1.1575" x="-0.07875" y="-0.252">
- <feGaussianBlur id="feGaussianBlur3780" inkspace:collect="always" stdDeviation="4.2" />
- </filter>
- </defs>
- <title>blockdiag</title>
- <desc>blockdiag {
- span_width = 30
- User &lt;-&gt; Apache;
- Proxy &lt;-&gt; AAA;
- group {
- Apache &lt;-&gt; Proxy;
- group {
- orientation = portrait
- Apache &lt;-&gt; SSSD;
- }
- }
- User [numbered = 1, shape = actor, width = 60]
- Apache [numbered = 2, label = "Apache\nAuthenticates user"]
- SSSD [numbered = 3, label = "SSSD\nProvides user info"]
- Proxy [numbered = 4, label = "Proxy Transport\nRequest + Metadata"]
- AAA [numbered = 5, label = "App Server\nAAA"]
-}
-
-</desc>
- <rect fill="rgb(243,152,0)" height="140" style="filter:url(#filter_blur)" width="292" x="117" y="30" />
- <rect fill="rgb(243,152,0)" height="140" style="filter:url(#filter_blur)" width="134" x="117" y="30" />
- <polygon fill="rgb(0,0,0)" points="66,56 66,61 83,61 83,66 66,66 66,71 80,86 73,86 63,76 53,86 46,86 60,71 60,66 43,66 43,61 60,61 60,56" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
- <ellipse cx="63" cy="51" fill="rgb(0,0,0)" rx="7" ry="7" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="123" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="123" y="126" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="281" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="439" y="46" />
- <polygon fill="rgb(255,255,255)" points="63,50 63,55 80,55 80,60 63,60 63,65 77,80 70,80 60,70 50,80 43,80 57,65 57,60 40,60 40,55 57,55 57,50" stroke="rgb(0,0,0)" />
- <ellipse cx="60" cy="45" fill="rgb(255,255,255)" rx="7" ry="7" stroke="rgb(0,0,0)" />
- <ellipse cx="30" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="27" y="44">1</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="120" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="166" y="60">Apache</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="133" y="70">Authenticates user</text>
- <ellipse cx="120" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="117" y="44">2</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="120" y="120" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="170" y="139">SSSD</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="138" y="149">Provides user info</text>
- <ellipse cx="120" cy="120" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="117" y="124">3</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="278" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="300" y="59">Proxy Transport</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="289" y="71">Request + Metadata</text>
- <ellipse cx="278" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="275" y="44">4</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="436" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="473" y="60">App Server</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="490" y="70">AAA</text>
- <ellipse cx="436" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="433" y="44">5</text>
- <path d="M 88 60 L 112 60" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="81,60 88,56 88,64 81,60" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="119,60 112,56 112,64 119,60" stroke="rgb(0,0,0)" />
- <path d="M 414 60 L 428 60" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="407,60 414,56 414,64 407,60" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="435,60 428,56 428,64 435,60" stroke="rgb(0,0,0)" />
- <path d="M 184 88 L 184 112" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="184,81 180,88 188,88 184,81" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="184,119 180,112 188,112 184,119" stroke="rgb(0,0,0)" />
- <path d="M 256 60 L 270 60" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="249,60 256,56 256,64 249,60" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="277,60 270,56 270,64 277,60" stroke="rgb(0,0,0)" />
- <path d="M 184 88 L 184 112" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="184,81 180,88 188,88 184,81" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="184,119 180,112 188,112 184,119" stroke="rgb(0,0,0)" />
- <path d="M 256 60 L 270 60" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="249,60 256,56 256,64 249,60" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="277,60 270,56 270,64 277,60" stroke="rgb(0,0,0)" />
-</svg>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_03.diag b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_03.diag
deleted file mode 100644
index 6ece3760..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_03.diag
+++ /dev/null
@@ -1,31 +0,0 @@
-seqdiag {
- // Set edge properties
- //edge_length = 300; // default value is 192
- //span_height = 80; // default value is 40
-
- // Set fontsize.
- //default_fontsize = 12; // default value is 11
-
- // Numbering edges automaticaly
- autonumber = False;
-
- // Change note color
- default_note_color = lightblue;
-
- Client -> Apache [label = "Request"];
- === Apache mod_auth_kerb ===
- Client <- Apache [label = "401 Unauthorized"];
- Client -> Apache [label = "Authorization: Credentials"];
- Apache -> Apache [label = "Set\nUser Name\nAuth Type"];
- === Apache mod_lookup_identity ===
- Apache -> SSSD [label = "Get User Info"];
- SSSD --> IdP [label = "Get User Info", leftnote = "Only if\nnot cached\nby SSSD"];
- SSSD <-- IdP [label = "Return User Info"];
- Apache <- SSSD [label = "Return User Info"];
- Apache -> Apache [label = "Set User specific\nenvironment\nvariables"];
- === Apache mod_proxy ===
- Apache -> Container [label = "Proxy With User's Metadata"];
- Apache <- Container [label = "Response"];
- Client <- Apache [label = "Response"];
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_03.svg b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_03.svg
deleted file mode 100644
index 91e8b1be..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_03.svg
+++ /dev/null
@@ -1,143 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
-<svg viewBox="0 0 1024 1227" xmlns="http://www.w3.org/2000/svg" xmlns:inkspace="http://www.inkscape.org/namespaces/inkscape" xmlns:xlink="http://www.w3.org/1999/xlink">
- <defs id="defs_block">
- <filter height="1.504" id="filter_blur" inkspace:collect="always" width="1.1575" x="-0.07875" y="-0.252">
- <feGaussianBlur id="feGaussianBlur3780" inkspace:collect="always" stdDeviation="4.2" />
- </filter>
- </defs>
- <title>blockdiag</title>
- <desc>seqdiag {
- // Set edge properties
- //edge_length = 300; // default value is 192
- //span_height = 80; // default value is 40
-
- // Set fontsize.
- //default_fontsize = 12; // default value is 11
-
- // Numbering edges automaticaly
- autonumber = False;
-
- // Change note color
- default_note_color = lightblue;
-
- Client -&gt; Apache [label = "Request"];
- === Apache mod_auth_kerb ===
- Client &lt;- Apache [label = "401 Unauthorized"];
- Client -&gt; Apache [label = "Authorization: Credentials"];
- Apache -&gt; Apache [label = "Set\nUser Name\nAuth Type"];
- === Apache mod_lookup_identity ===
- Apache -&gt; SSSD [label = "Get User Info"];
- SSSD --&gt; IdP [label = "Get User Info", leftnote = "Only if\nnot cached\nby SSSD"];
- SSSD &lt;-- IdP [label = "Return User Info"];
- Apache &lt;- SSSD [label = "Return User Info"];
- Apache -&gt; Apache [label = "Set User specific\nenvironment\nvariables"];
- === Apache mod_proxy ===
- Apache -&gt; Container [label = "Proxy With User's Metadata"];
- Apache &lt;- Container [label = "Response"];
- Client &lt;- Apache [label = "Response"];
-
-}
-</desc>
- <rect fill="rgb(0,0,0)" height="1065" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="127" y="140" />
- <rect fill="rgb(0,0,0)" height="142" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="319" y="140" />
- <rect fill="rgb(0,0,0)" height="815" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="319" y="344" />
- <rect fill="rgb(0,0,0)" height="200" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="511" y="586" />
- <rect fill="rgb(0,0,0)" height="70" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="703" y="654" />
- <rect fill="rgb(0,0,0)" height="64" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="895" y="1031" />
- <polygon fill="rgb(0,0,0)" points="420,636 491,636 499,644 499,672 420,672 420,636" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="259" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="451" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="643" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="835" y="46" />
- <path d="M 128 80 L 128 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
- <rect fill="moccasin" height="1065" stroke="rgb(0,0,0)" width="8" x="124" y="134" />
- <path d="M 320 80 L 320 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
- <rect fill="moccasin" height="142" stroke="rgb(0,0,0)" width="8" x="316" y="134" />
- <rect fill="moccasin" height="815" stroke="rgb(0,0,0)" width="8" x="316" y="338" />
- <path d="M 512 80 L 512 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
- <rect fill="moccasin" height="200" stroke="rgb(0,0,0)" width="8" x="508" y="580" />
- <path d="M 704 80 L 704 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
- <rect fill="moccasin" height="70" stroke="rgb(0,0,0)" width="8" x="700" y="648" />
- <path d="M 896 80 L 896 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
- <rect fill="moccasin" height="64" stroke="rgb(0,0,0)" width="8" x="892" y="1025" />
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="113" y="64">Client</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="256" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="302" y="65">Apache</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="448" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="498" y="64">SSSD</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="640" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="697" y="64">IdP</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="832" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="871" y="64">Container</text>
- <path d="M 136 134 L 312 134" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="304,130 312,134 304,138" stroke="rgb(0,0,0)" />
- <path d="M 136 276 L 312 276" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="144,272 136,276 144,280" stroke="rgb(0,0,0)" />
- <path d="M 136 338 L 312 338" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="304,334 312,338 304,342" stroke="rgb(0,0,0)" />
- <path d="M 328 422 L 416 422" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 416 422 L 416 438" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 416 438 L 328 438" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="336,434 328,438 336,442" stroke="rgb(0,0,0)" />
- <path d="M 328 580 L 504 580" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="496,576 504,580 496,584" stroke="rgb(0,0,0)" />
- <path d="M 520 648 L 696 648" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="4" />
- <polygon fill="rgb(0,0,0)" points="688,644 696,648 688,652" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(173,216,230)" points="417,630 488,630 496,638 496,666 417,666 417,630" stroke="rgb(0,0,0)" />
- <path d="M 488 630 L 488 638" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 488 638 L 496 638" fill="none" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="425" y="642">Only if</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="425" y="652">not cached</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="425" y="664">by SSSD</text>
- <path d="M 520 718 L 696 718" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="4" />
- <polygon fill="rgb(0,0,0)" points="528,714 520,718 528,722" stroke="rgb(0,0,0)" />
- <path d="M 328 780 L 504 780" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="336,776 328,780 336,784" stroke="rgb(0,0,0)" />
- <path d="M 328 864 L 416 864" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 416 864 L 416 880" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 416 880 L 328 880" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="336,876 328,880 336,884" stroke="rgb(0,0,0)" />
- <path d="M 328 1025 L 888 1025" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="880,1021 888,1025 880,1029" stroke="rgb(0,0,0)" />
- <path d="M 328 1089 L 888 1089" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="336,1085 328,1089 336,1093" stroke="rgb(0,0,0)" />
- <path d="M 136 1153 L 312 1153" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="144,1149 136,1153 144,1157" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="140" y="132">Request</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="217" y="274">401 Unauthorized</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="140" y="336">Authorization: Credentials</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="398">Set</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="408">User Name</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="420">Auth Type</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="332" y="578">Get User Info</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="524" y="646">Get User Info</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="608" y="716">Return User Info</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="416" y="778">Return User Info</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="842">Set User specific</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="852">environment</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="862">variables</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="332" y="1023">Proxy With User's Metadata</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="841" y="1087">Response</text>
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="265" y="1151">Response</text>
- <path d="M 40 202 L 442 202" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 40 206 L 442 206" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 581 202 L 984 202" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 581 206 L 984 206" fill="none" stroke="rgb(0,0,0)" />
- <rect fill="rgb(208,208,208)" height="18" stroke="rgb(0,0,0)" width="139" x="442" y="195" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="452" y="209">Apache mod_auth_kerb</text>
- <path d="M 40 506 L 429 506" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 40 510 L 429 510" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 594 506 L 984 506" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 594 510 L 984 510" fill="none" stroke="rgb(0,0,0)" />
- <rect fill="rgb(208,208,208)" height="18" stroke="rgb(0,0,0)" width="165" x="429" y="499" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="439" y="513">Apache mod_lookup_identity</text>
- <path d="M 40 948 L 455 948" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 40 952 L 455 952" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 568 948 L 984 948" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 568 952 L 984 952" fill="none" stroke="rgb(0,0,0)" />
- <rect fill="rgb(208,208,208)" height="18" stroke="rgb(0,0,0)" width="113" x="455" y="941" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="465" y="955">Apache mod_proxy</text>
-</svg>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_04.diag b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_04.diag
deleted file mode 100644
index 8f69a0b8..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_04.diag
+++ /dev/null
@@ -1,25 +0,0 @@
-blockdiag {
- Connector -> SssdFilter;
- SssdFilter -> ClaimAuthFilter;
- ClaimAuthFilter -> SssdClaimAuth;
- SssdClaimAuth -> Assertion [folded];
-
- group {
- orientation = portrait
- Assertion -> JsonAssertion;
- JsonAssertion -> IdPMapper;
- IdPMapper -> JsonMapped;
- }
-
- JsonMapped -> Claim;
-
- Connector [numbered = 1]
- SssdFilter [numbered = 2]
- ClaimAuthFilter [numbered = 3]
- SssdClaimAuth [numbered = 4]
- Assertion [numbered = 4.1]
- JsonAssertion [numbered = 4.2]
- IdPMapper [numbered = 4.3]
- JsonMapped [numbered = 4.4]
- Claim [numbered = 5]
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_04.svg b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_04.svg
deleted file mode 100644
index 74850a85..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_04.svg
+++ /dev/null
@@ -1,100 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
-<svg viewBox="0 0 832 440" xmlns="http://www.w3.org/2000/svg" xmlns:inkspace="http://www.inkscape.org/namespaces/inkscape" xmlns:xlink="http://www.w3.org/1999/xlink">
- <defs id="defs_block">
- <filter height="1.504" id="filter_blur" inkspace:collect="always" width="1.1575" x="-0.07875" y="-0.252">
- <feGaussianBlur id="feGaussianBlur3780" inkspace:collect="always" stdDeviation="4.2" />
- </filter>
- </defs>
- <title>blockdiag</title>
- <desc>blockdiag {
- Connector -&gt; SssdFilter;
- SssdFilter -&gt; ClaimAuthFilter;
- ClaimAuthFilter -&gt; SssdClaimAuth;
- SssdClaimAuth -&gt; Assertion [folded];
-
- group {
- orientation = portrait
- Assertion -&gt; JsonAssertion;
- JsonAssertion -&gt; IdPMapper;
- IdPMapper -&gt; JsonMapped;
- }
-
- JsonMapped -&gt; Claim;
-
- Connector [numbered = 1]
- SssdFilter [numbered = 2]
- ClaimAuthFilter [numbered = 3]
- SssdClaimAuth [numbered = 4]
- Assertion [numbered = 4.1]
- JsonAssertion [numbered = 4.2]
- IdPMapper [numbered = 4.3]
- JsonMapped [numbered = 4.4]
- Claim [numbered = 5]
-}
-</desc>
- <rect fill="rgb(243,152,0)" height="300" style="filter:url(#filter_blur)" width="144" x="56" y="110" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="259" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="451" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="643" y="46" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="126" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="206" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="286" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="366" />
- <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="259" y="366" />
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="103" y="64">Connector</text>
- <ellipse cx="64" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="61" y="44">1</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="256" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="294" y="64">SssdFilter</text>
- <ellipse cx="256" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="253" y="44">2</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="448" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="471" y="64">ClaimAuthFilter</text>
- <ellipse cx="448" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="445" y="44">3</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="640" y="40" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="665" y="64">SssdClaimAuth</text>
- <ellipse cx="640" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="637" y="44">4</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="120" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="103" y="144">Assertion</text>
- <ellipse cx="64" cy="120" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="56" y="124">4.1</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="200" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="91" y="224">JsonAssertion</text>
- <ellipse cx="64" cy="200" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="56" y="204">4.2</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="280" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="102" y="305">IdPMapper</text>
- <ellipse cx="64" cy="280" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="56" y="284">4.3</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="360" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="97" y="385">JsonMapped</text>
- <ellipse cx="64" cy="360" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="56" y="364">4.4</text>
- <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="256" y="360" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="307" y="384">Claim</text>
- <ellipse cx="256" cy="360" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
- <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="253" y="364">5</text>
- <path d="M 192 60 L 248 60" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="255,60 248,56 248,64 255,60" stroke="rgb(0,0,0)" />
- <path d="M 384 60 L 440 60" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="447,60 440,56 440,64 447,60" stroke="rgb(0,0,0)" />
- <path d="M 576 60 L 632 60" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="639,60 632,56 632,64 639,60" stroke="rgb(0,0,0)" />
- <path d="M 704 80 L 704 100" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 128 100 L 704 100" fill="none" stroke="rgb(0,0,0)" />
- <path d="M 128 100 L 128 112" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="128,119 124,112 132,112 128,119" stroke="rgb(0,0,0)" />
- <path d="M 128 160 L 128 192" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="128,199 124,192 132,192 128,199" stroke="rgb(0,0,0)" />
- <path d="M 128 240 L 128 272" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="128,279 124,272 132,272 128,279" stroke="rgb(0,0,0)" />
- <path d="M 128 320 L 128 352" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="128,359 124,352 132,352 128,359" stroke="rgb(0,0,0)" />
- <path d="M 192 380 L 248 380" fill="none" stroke="rgb(0,0,0)" />
- <polygon fill="rgb(0,0,0)" points="255,380 248,376 248,384 255,380" stroke="rgb(0,0,0)" />
-</svg>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_05.svg b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_05.svg
deleted file mode 100644
index f4657f06..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_05.svg
+++ /dev/null
@@ -1,613 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
- xmlns:osb="http://www.openswatchbook.org/uri/2009/osb"
- xmlns:dc="http://purl.org/dc/elements/1.1/"
- xmlns:cc="http://creativecommons.org/ns#"
- xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
- xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
- width="689.19269"
- height="212.05057"
- id="svg2"
- version="1.1"
- inkscape:version="0.48.5 r10040"
- sodipodi:docname="sssd_05.svg">
- <defs
- id="defs4">
- <linearGradient
- inkscape:collect="always"
- id="linearGradient12785"
- osb:paint="gradient">
- <stop
- style="stop-color:#000000;stop-opacity:1;"
- offset="0"
- id="stop12787" />
- <stop
- style="stop-color:#000000;stop-opacity:0;"
- offset="1"
- id="stop12789" />
- </linearGradient>
- <linearGradient
- id="linearGradient12777">
- <stop
- style="stop-color:#ffcc00;stop-opacity:1;"
- offset="0"
- id="stop12779" />
- <stop
- style="stop-color:#ffcc00;stop-opacity:0;"
- offset="1"
- id="stop12781" />
- </linearGradient>
- <marker
- inkscape:stockid="Scissors"
- orient="auto"
- refY="0"
- refX="0"
- id="Scissors"
- style="overflow:visible">
- <path
- id="schere"
- d="M 9.0898857,-3.6061018 C 8.1198849,-4.7769976 6.3697607,-4.7358294 5.0623558,-4.2327734 l -8.2124046,3.0779029 c -2.3882933,-1.3067135 -4.7482873,-0.9325372 -4.7482873,-1.5687873 0,-0.4973164 0.4566662,-0.3883222 0.3883068,-1.6831941 -0.065635,-1.2432767 -1.3635771,-2.1630796 -2.5903987,-2.0816435 -1.227271,-0.00735 -2.499439,0.9331613 -2.510341,2.2300611 -0.09143,1.3063864 1.007209,2.5196896 2.306764,2.6052316 1.5223406,0.2266616 4.218258,-0.6955566 5.482945,1.57086006 -0.9422847,1.73825774 -2.6140244,1.74307674 -4.1255107,1.65607034 -1.2548743,-0.072235 -2.7620933,0.2873979 -3.3606483,1.5208605 -0.578367,1.1820862 -0.0112,2.8646022 1.316749,3.226412 1.3401912,0.4918277 3.1806689,-0.129711 3.4993722,-1.6707242 0.2456585,-1.187823 -0.5953659,-1.7459574 -0.2725074,-2.1771537 0.2436135,-0.32536 1.7907806,-0.1368452 4.5471053,-1.3748244 L 5.6763468,4.2330688 C 6.8000164,4.5467672 8.1730685,4.5362646 9.1684433,3.4313614 L -0.05164093,-0.05372222 9.0898857,-3.6061018 z m -18.3078016,-1.900504 c 1.294559,0.7227998 1.1888392,2.6835702 -0.1564272,3.0632889 -1.2165179,0.423661 -2.7710269,-0.7589694 -2.3831779,-2.0774648 0.227148,-1.0818519 1.653387,-1.480632 2.5396051,-0.9858241 z m 0.056264,8.0173649 c 1.3508301,0.4988648 1.1214429,2.7844356 -0.2522207,3.091609 -0.9110594,0.3163391 -2.2135494,-0.1387976 -2.3056964,-1.2121394 -0.177609,-1.305055 1.356085,-2.4841482 2.5579171,-1.8794696 z"
- style="fill:#000000"
- inkscape:connector-curvature="0" />
- </marker>
- <marker
- inkscape:stockid="DotL"
- orient="auto"
- refY="0"
- refX="0"
- id="DotL"
- style="overflow:visible">
- <path
- id="path4170"
- d="m -2.5,-1 c 0,2.76 -2.24,5 -5,5 -2.76,0 -5,-2.24 -5,-5 0,-2.76 2.24,-5 5,-5 2.76,0 5,2.24 5,5 z"
- style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt"
- transform="matrix(0.8,0,0,0.8,5.92,0.8)"
- inkscape:connector-curvature="0" />
- </marker>
- <marker
- inkscape:stockid="StopL"
- orient="auto"
- refY="0"
- refX="0"
- id="StopL"
- style="overflow:visible">
- <path
- id="path4278"
- d="M 0,5.65 0,-5.65"
- style="fill:none;stroke:#000000;stroke-width:1pt"
- transform="scale(0.8,0.8)"
- inkscape:connector-curvature="0" />
- </marker>
- <marker
- inkscape:stockid="Arrow2Mstart"
- orient="auto"
- refY="0"
- refX="0"
- id="Arrow2Mstart"
- style="overflow:visible">
- <path
- id="path4133"
- style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
- d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
- transform="scale(0.6,0.6)"
- inkscape:connector-curvature="0" />
- </marker>
- <marker
- inkscape:stockid="Arrow2Mend"
- orient="auto"
- refY="0"
- refX="0"
- id="Arrow2Mend"
- style="overflow:visible">
- <path
- id="path4136"
- style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
- d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
- transform="scale(-0.6,-0.6)"
- inkscape:connector-curvature="0" />
- </marker>
- <marker
- inkscape:stockid="Arrow1Mend"
- orient="auto"
- refY="0"
- refX="0"
- id="Arrow1Mend"
- style="overflow:visible">
- <path
- id="path4118"
- d="M 0,0 5,-5 -12.5,0 5,5 0,0 z"
- style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt"
- transform="matrix(-0.4,0,0,-0.4,-4,0)"
- inkscape:connector-curvature="0" />
- </marker>
- <marker
- inkscape:stockid="Arrow2Lend"
- orient="auto"
- refY="0"
- refX="0"
- id="Arrow2Lend"
- style="overflow:visible">
- <path
- id="path4130"
- style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
- d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
- transform="matrix(-1.1,0,0,-1.1,-1.1,0)"
- inkscape:connector-curvature="0" />
- </marker>
- <filter
- color-interpolation-filters="sRGB"
- height="1.5039999"
- id="filter_blur"
- inkscape:collect="always"
- width="1.1575"
- x="-0.078749999"
- y="-0.252">
- <feGaussianBlur
- id="feGaussianBlur3780"
- inkscape:collect="always"
- stdDeviation="4.2" />
- </filter>
- <marker
- inkscape:stockid="Arrow2Mstart"
- orient="auto"
- refY="0"
- refX="0"
- id="Arrow2Mstart-7"
- style="overflow:visible">
- <path
- inkscape:connector-curvature="0"
- id="path4133-8"
- style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
- d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
- transform="scale(0.6,0.6)" />
- </marker>
- <marker
- inkscape:stockid="Arrow2Mend"
- orient="auto"
- refY="0"
- refX="0"
- id="Arrow2Mend-1"
- style="overflow:visible">
- <path
- inkscape:connector-curvature="0"
- id="path4136-9"
- style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
- d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
- transform="scale(-0.6,-0.6)" />
- </marker>
- <filter
- color-interpolation-filters="sRGB"
- height="1.5039999"
- id="filter_blur-1"
- inkscape:collect="always"
- width="1.1575"
- x="-0.078749999"
- y="-0.252">
- <feGaussianBlur
- id="feGaussianBlur3780-1"
- inkscape:collect="always"
- stdDeviation="4.2" />
- </filter>
- <filter
- inkscape:collect="always"
- id="filter18355">
- <feGaussianBlur
- inkscape:collect="always"
- stdDeviation="6.2598764"
- id="feGaussianBlur18357" />
- </filter>
- </defs>
- <sodipodi:namedview
- id="base"
- pagecolor="#ffffff"
- bordercolor="#666666"
- borderopacity="1.0"
- inkscape:pageopacity="0.0"
- inkscape:pageshadow="2"
- inkscape:zoom="1.4"
- inkscape:cx="405.52492"
- inkscape:cy="110.18507"
- inkscape:document-units="px"
- inkscape:current-layer="layer1"
- showgrid="false"
- inkscape:snap-grids="true"
- inkscape:window-width="1920"
- inkscape:window-height="992"
- inkscape:window-x="0"
- inkscape:window-y="27"
- inkscape:window-maximized="1"
- fit-margin-top="0"
- fit-margin-left="0"
- fit-margin-right="0"
- fit-margin-bottom="0" />
- <metadata
- id="metadata7">
- <rdf:RDF>
- <cc:Work
- rdf:about="">
- <dc:format>image/svg+xml</dc:format>
- <dc:type
- rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
- <dc:title />
- </cc:Work>
- </rdf:RDF>
- </metadata>
- <g
- inkscape:label="Layer 1"
- inkscape:groupmode="layer"
- id="layer1"
- transform="translate(-22.986913,-110.53072)">
- <rect
- y="136.89983"
- x="254.85715"
- height="185.19879"
- width="456.83981"
- id="rect12822"
- style="fill:#f39800;fill-opacity:1;stroke:#000000;stroke-width:0.96499999999999997;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;filter:url(#filter18355)" />
- <g
- id="g18452">
- <rect
- y="244.58766"
- x="105.58965"
- height="41.710945"
- width="129.83621"
- id="rect2987"
- style="fill:#ffffff;stroke:#000000;stroke-width:1.41119610999999989px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
- <text
- sodipodi:linespacing="125%"
- id="text2991"
- y="261.25369"
- x="112.20991"
- style="font-size:12px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"
- xml:space="preserve"><tspan
- id="tspan2995"
- y="261.25369"
- x="112.20991"
- sodipodi:role="line">Apache mod_proxy:</tspan><tspan
- id="tspan2997"
- y="276.25369"
- x="112.20991"
- sodipodi:role="line">forward port 8383</tspan></text>
- </g>
- <g
- id="g18364">
- <rect
- y="167.43681"
- x="304.33868"
- height="50.483749"
- width="98.582535"
- id="rect2987-7"
- style="fill:#ffffff;stroke:#000000;stroke-width:1.35282063000000008px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
- <text
- sodipodi:linespacing="125%"
- id="text2991-2"
- y="181.34079"
- x="353.99908"
- style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
- xml:space="preserve"><tspan
- id="tspan2997-2"
- y="181.34079"
- x="353.99908"
- sodipodi:role="line">Connector:</tspan><tspan
- id="tspan3813"
- y="196.34079"
- x="353.99908"
- sodipodi:role="line">port = 80</tspan><tspan
- id="tspan3908"
- y="211.34079"
- x="353.99908"
- sodipodi:role="line">(web)</tspan></text>
- </g>
- <flowRoot
- xml:space="preserve"
- id="flowRoot3815"
- style="font-size:40px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"><flowRegion
- id="flowRegion3817"><rect
- id="rect3819"
- width="201.02036"
- height="90.913727"
- x="174.25131"
- y="117.466" /></flowRegion><flowPara
- id="flowPara3821" /></flowRoot> <g
- id="g18419">
- <rect
- y="240.20126"
- x="304.33868"
- height="50.483749"
- width="98.582535"
- id="rect2987-7-6"
- style="fill:#ffffff;stroke:#000000;stroke-width:1.35282063000000008px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
- <text
- sodipodi:linespacing="125%"
- id="text2991-2-6"
- y="253.64822"
- x="353.63287"
- style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
- xml:space="preserve"><tspan
- id="tspan2997-2-4"
- y="253.64822"
- x="353.63287"
- sodipodi:role="line">Connector:</tspan><tspan
- id="tspan3813-5"
- y="268.64822"
- x="353.63287"
- sodipodi:role="line">port = 8383</tspan><tspan
- id="tspan3908-2"
- y="283.64822"
- x="353.63287"
- sodipodi:role="line">(auth proxy)</tspan></text>
- </g>
- <g
- id="g7018"
- transform="translate(-14,35.850205)">
- <g
- id="g7023"
- transform="translate(218.19295,1.0101525)">
- <g
- id="g7028"
- transform="translate(-97.984797,178.797)">
- <polygon
- id="polygon6858"
- style="opacity:0.7;fill:#000000;fill-opacity:1;filter:url(#filter_blur)"
- points="60,61 60,56 66,56 66,61 83,61 83,66 66,66 66,71 80,86 73,86 63,76 53,86 46,86 60,71 60,66 43,66 43,61 "
- transform="translate(-115.02286,-17.004219)" />
- <polygon
- id="polygon6872"
- points="57,55 57,50 63,50 63,55 80,55 80,60 63,60 63,65 77,80 70,80 60,70 50,80 43,80 57,65 57,60 40,60 40,55 "
- style="fill:#ffffff;stroke:#000000"
- transform="translate(-115.02286,-17.004219)" />
- <ellipse
- d="m 67,45 c 0,3.865993 -3.134007,7 -7,7 -3.865993,0 -7,-3.134007 -7,-7 0,-3.865993 3.134007,-7 7,-7 3.865993,0 7,3.134007 7,7 z"
- id="ellipse6874"
- ry="7"
- rx="7"
- cy="45"
- cx="60"
- sodipodi:cx="60"
- sodipodi:cy="45"
- sodipodi:rx="7"
- sodipodi:ry="7"
- style="fill:#ffffff;stroke:#000000"
- transform="translate(-115.02286,-17.004219)" />
- </g>
- </g>
- </g>
- <rect
- style="fill:#ffffff;stroke:#000000;stroke-width:1.35282063000000008px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1"
- id="rect2987-7-5"
- width="98.582535"
- height="50.483749"
- x="589.35858"
- y="239.54141" />
- <text
- xml:space="preserve"
- style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
- x="638.74945"
- y="254.25693"
- id="text2991-2-67"
- sodipodi:linespacing="125%"><tspan
- id="tspan10147"
- sodipodi:role="line"
- x="638.74945"
- y="254.25693">AAA Servlet</tspan><tspan
- id="tspan10204"
- sodipodi:role="line"
- x="638.74945"
- y="269.25693">executes</tspan><tspan
- id="tspan10206"
- sodipodi:role="line"
- x="638.74945"
- y="284.25693">with roles</tspan></text>
- <flowRoot
- xml:space="preserve"
- id="flowRoot10151"
- style="font-size:40px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"><flowRegion
- id="flowRegion10153"><rect
- id="rect10155"
- width="139.90613"
- height="110.10663"
- x="648.01288"
- y="147.2655" /></flowRegion><flowPara
- id="flowPara10157" /></flowRoot> <g
- id="g18431">
- <rect
- y="169.04143"
- x="589.86121"
- height="50.483749"
- width="98.582535"
- id="rect2987-7-5-0"
- style="fill:#ffffff;stroke:#000000;stroke-width:1.35282063000000008px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
- <text
- sodipodi:linespacing="125%"
- id="text2991-2-67-9"
- y="191.07236"
- x="638.61047"
- style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
- xml:space="preserve"><tspan
- y="191.07236"
- x="638.61047"
- sodipodi:role="line"
- id="tspan10147-8">Non-AAA</tspan><tspan
- y="206.07236"
- x="638.61047"
- sodipodi:role="line"
- id="tspan10198">Servlet</tspan><tspan
- y="221.07236"
- x="638.61047"
- sodipodi:role="line"
- id="tspan10196" /></text>
- </g>
- <g
- id="g18474">
- <rect
- y="168.30391"
- x="437.00925"
- height="122.27845"
- width="121.29423"
- id="rect2987-7-2-2"
- style="fill:#ffffff;stroke:#000000;stroke-width:2.33539009000000020px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
- <text
- sodipodi:linespacing="125%"
- id="text2991-2-9-8"
- y="181.0443"
- x="497.75305"
- style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
- xml:space="preserve"><tspan
- id="tspan3908-4-7"
- y="181.0443"
- x="497.75305"
- sodipodi:role="line">ClaimAuthFilter:</tspan><tspan
- id="tspan4038"
- y="196.0443"
- x="497.75305"
- sodipodi:role="line">localPort in</tspan><tspan
- id="tspan4040"
- y="211.0443"
- x="497.75305"
- sodipodi:role="line">secureProxyPorts?</tspan><tspan
- id="tspan4044"
- y="226.0443"
- x="497.75305"
- sodipodi:role="line" /></text>
- <g
- id="g18469">
- <rect
- style="fill:#ff0000;stroke:#000000;stroke-width:0.81352955000000005;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;fill-opacity:1"
- id="rect10241"
- width="98.994949"
- height="23.733509"
- x="448.15887"
- y="220.00537" />
- <text
- xml:space="preserve"
- style="font-size:12px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"
- x="488.27258"
- y="236.16118"
- id="text10243"
- sodipodi:linespacing="125%"><tspan
- sodipodi:role="line"
- id="tspan10245"
- x="488.27258"
- y="236.16118">No</tspan></text>
- </g>
- <g
- id="g18461">
- <rect
- style="fill:#00ff00;stroke:#000000;stroke-width:0.81352955000000005;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;fill-opacity:1"
- id="rect10241-9"
- width="98.994949"
- height="23.733509"
- x="448.15887"
- y="253.81883" />
- <text
- xml:space="preserve"
- style="font-size:12px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"
- x="488.27258"
- y="269.97464"
- id="text10243-4"
- sodipodi:linespacing="125%"><tspan
- sodipodi:role="line"
- id="tspan10245-6"
- x="488.27258"
- y="269.97464">Yes</tspan></text>
- </g>
- </g>
- <g
- id="g7018-9"
- transform="translate(-15.11838,-36.914245)">
- <g
- id="g7023-0"
- transform="translate(218.19295,1.0101525)">
- <g
- id="g7028-1"
- transform="translate(-97.984797,178.797)">
- <polygon
- id="polygon6858-6"
- style="opacity:0.7;fill:#000000;fill-opacity:1;filter:url(#filter_blur-1)"
- points="60,71 60,66 43,66 43,61 60,61 60,56 66,56 66,61 83,61 83,66 66,66 66,71 80,86 73,86 63,76 53,86 46,86 "
- transform="translate(-115.02286,-17.004219)" />
- <polygon
- id="polygon6872-6"
- points="57,65 57,60 40,60 40,55 57,55 57,50 63,50 63,55 80,55 80,60 63,60 63,65 77,80 70,80 60,70 50,80 43,80 "
- style="fill:#ffffff;stroke:#000000"
- transform="translate(-115.02286,-17.004219)" />
- <ellipse
- d="m 67,45 c 0,3.865993 -3.134007,7 -7,7 -3.865993,0 -7,-3.134007 -7,-7 0,-3.865993 3.134007,-7 7,-7 3.865993,0 7,3.134007 7,7 z"
- id="ellipse6874-1"
- ry="7"
- rx="7"
- cy="45"
- cx="60"
- sodipodi:cx="60"
- sodipodi:cy="45"
- sodipodi:rx="7"
- sodipodi:ry="7"
- style="fill:#ffffff;stroke:#000000"
- transform="translate(-115.02286,-17.004219)" />
- </g>
- </g>
- </g>
- <text
- xml:space="preserve"
- style="font-size:12px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"
- x="430.15594"
- y="119.6479"
- id="text12879"
- sodipodi:linespacing="125%"><tspan
- sodipodi:role="line"
- id="tspan12881"
- x="430.15594"
- y="119.6479">Java EE Container</tspan></text>
- <path
- style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
- d="m 57.185293,265.44314 48.404357,0"
- id="path13365"
- inkscape:connector-type="polyline"
- inkscape:connector-curvature="0"
- inkscape:connection-start="#g7018"
- inkscape:connection-start-point="d4" />
- <path
- style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
- d="m 235.42587,265.44314 68.91281,0"
- id="path14574"
- inkscape:connector-type="polyline"
- inkscape:connector-curvature="0" />
- <path
- style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
- d="m 402.92122,265.52611 45.23767,0.0762"
- id="path14999"
- inkscape:connector-type="polyline"
- inkscape:connector-curvature="0" />
- <path
- style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow1Mend)"
- d="m 402.92122,206.09216 51.12769,13.91321"
- id="path15397"
- inkscape:connector-type="polyline"
- inkscape:connector-curvature="0" />
- <path
- style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
- d="m 542.32654,220.00537 47.53467,-12.62771"
- id="path15795"
- inkscape:connector-type="polyline"
- inkscape:connector-curvature="0" />
- <path
- style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
- d="m 547.15383,265.36883 42.20475,-0.2701"
- id="path16193"
- inkscape:connector-type="polyline"
- inkscape:connector-curvature="0" />
- <path
- style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
- d="m 56.066913,192.67869 248.271767,0"
- id="path17038"
- inkscape:connector-type="polyline"
- inkscape:connector-curvature="0"
- inkscape:connection-start="#g7018-9"
- inkscape:connection-start-point="d4" />
- </g>
-</svg>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.png b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.png
deleted file mode 100644
index 9f9a0b49..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.png
+++ /dev/null
Binary files differ
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd
deleted file mode 100644
index f97ed1ee..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd
+++ /dev/null
@@ -1,23 +0,0 @@
-title Federated Authentication with SSSD
-
-# This walks through the federated authentication sequence where a claim from a
-# third-party IdP system is posted to the ODL token endpoint in exchange for an
-# access token. The claim information is assumed to be in format specific to the
-# third-party IdP system and assumed to be captured via either Apache environment
-# variables (Servlet attributes) or HTTP headers.
-
-Client -> Apache WebServer: authenticate
-note right of Client
-credentials
-end note
-Apache WebServer -> SSSD: authenticate
-SSSD -> LDAP/AD : authenticate
-SSSD -> Apache WebServer: claim
-Apache WebServer -> ServletContainer: CGI variables
-ServletContainer -> SSSD Plugin: Servlet attributes/headers
-SSSD Plugin -> SSSD Plugin : transformClaim
-SSSD Plugin -> TokenEndPoint : claim
-TokenEndPoint -> TokenEndPoint : createToken
-TokenEndPoint -> Client : refresh token, list of authorized domains
-Client -> TokenEndPoint : refresh token, domain
-TokenEndPoint -> Client : access token
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_configuration.rst b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_configuration.rst
deleted file mode 100644
index 7f912d94..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/docs/sssd_configuration.rst
+++ /dev/null
@@ -1,1687 +0,0 @@
-################################################
-Federated Authentication Utilizing Apache & SSSD
-################################################
-
-:Author: John Dennis
-:Email: jdennis@redhat.com
-
-.. contents:: Table of Contents
-
-************
-Introduction
-************
-
-Applications should not need to handle the burden of authentication
-and authorization. These are complex technologies further complicated
-by the existence of a wide variety of authentication
-mechanisms. Likewise there are numerous identity providers (IdP) which
-one may wish to utilize, perhaps in a federated manner. The potential
-to make critical mistakes are high while consuming significant
-engineering resources. Ideally an application should "outsource" it's
-authentication to an "expert" and avoid unnecessary development costs.
-
-For web based applications (both conventional HTML and REST API) there
-has been a trend to embed a simple HTTP server in the application or
-application server which handles the HTTP requests eschewing the use
-of a traditional web server such as Apache.
-
-.. figure:: sssd_01.png
- :align: center
-
- _`Figure 1.`
-
-But traditional web servers have a lot of advantages. They often come
-with extensive support for technologies you might wish to utilize in
-your application. It would require signification software engineering
-to add support for those technologies in your application. The problem
-is compounded by the fact many of these technologies demand domain
-expertise which is unlikely to be available in the application
-development team. Another problem is the libraries needed to utilize
-the technology may not even be available in the programming language
-the application is being developed in. Fundamentally an application
-developer should focus on developing their application instead of
-investing resources into implementing complex code for the ancillary
-technologies the application may wish to utilize.
-
-Therefore fronting your application with a web server such as Apache
-makes a lot of sense. One should allow Apache to handle complex tasks
-such as multiple authentication mechanisms talking to multiple
-IdP's. Suppose you want your application to handle Single Sign-On
-(SSO) via Kerberos or authentication based on X509 certificates
-(i.e. PKI). Apache already has extensions to handle these which have
-been field proven, it would be silly to try and support these in your
-application. Apache also comes with other useful extensions such as
-``mod_identity_lookup`` which can extract metadata about an
-authenticated user from multiple sources such as LDAP,
-Active Directory, NIS, etc.
-
-By fronting your application with Apache and allowing Apache to handle
-the complex task of authentication, identity lookups etc. you've
-greatly increased the features of your application while at the same
-time reducing application development time along with increasing
-application security and robustness.
-
-.. figure:: sssd_02.png
- :align: center
-
- _`Figure 2.`
-
-When Apache fronts your application you will be passed the results of
-authentication and identity lookups. Your application only needs a
-simple mechanism to accept these values. There are a variety of ways
-the values can be passed from Apache to your application which will be
-discussed in later sections.
-
-Authentication & Identity Properties
-====================================
-
-Authentication is proving that a user is who they claim to be, in
-other words after authentication the user has a proven identity. In
-security parlance the authenticated entity is call a
-principal. Principals may be humans, machines or
-services. Authorization is distinct from authentication. Authorization
-declares what actions an authenticated principal may perform. For
-example, does a principal have permission to read a certain file, run
-a specific command, etc. Identity metadata is typically bound to the
-principal to provide extra information. Examples include the users
-full name, their organization, the groups they are members of, etc.
-
-Apache can provide both authentication and identity metadata to an
-application freeing the application of this task. Authorization
-usually will remain the province of the application. A typical
-design pattern is to assign roles to a principal based on identity
-properties. As the application executes on behalf of a principal the
-application will check if the principal has the necessary role needed
-to perform the operation.
-
-Apache ships with a wide variety of authentication modules. After an
-Apache authentication module successfully authenticates a principal, it
-sets internal variables identifying the principal and the
-authentication method used to authenticate the principal. These are
-exported as the CGI variables REMOTE_USER and AUTH_TYPE respectively
-(see `CGI Export Issues`_ for further information).
-
-Identity Properties
--------------------
-
-Most Apache authentication modules do not have access to any of the
-identity properties bound to the authenticated principal. Those
-identity properties must be provided by some other mechanism. Typical
-mechanisms include lookups in LDAP, Active Directory, NIS, POSIX
-passwd/gecos and SQL. Managing these lookups can be difficult
-especially in a networked environment where services may be
-temporarily unavailable and/or in a enterprise deployment where
-identity sources must be multiplexed across a variety of services
-according to enterprise wide policy.
-
-`SSSD`_ (System Security Services Daemon) is designed to alleviate many
-of the problems surrounding authentication and identity property
-lookup. SSSD can provide identity properties via D-Bus using it's
-InfoPipe (IFP) feature. The `mod_identity_lookup`_ Apache module is
-given the name of the authenticated principal and makes available
-identity properties via Apache environment variables (see `Configure
-SSSD IFP`_ for details).
-
-Exporting & Consuming Identity Metadata
-=======================================
-
-The authenticated principal (REMOTE_USER), the mechanism used to
-authenticate the principal (AUTH_TYPE) and identity properties
-(supplied by SSSD IFP) are exported to the application which trusts
-this metadata to be valid.
-
-How is this identity metadata exported from Apache and then be
-consumed by a Java EE Servlet?
-
-The architectural design inside Apache tries to capitalize on the
-existing CGI standard (`CGI RFC`_) as much as possible. CGI defines
-these relevant environment variables:
-
- * REMOTE_USER
- * AUTH_TYPE
- * REMOTE_ADDR
- * REMOTE_HOST
-
-
-Transporting Identity Metadata from Apache to a Java EE Servlet
-===============================================================
-
-In following figure we can see that the user connects to Apache
-instead of the servlet container. Apache authenticates the user, looks
-up the principal's identity information and then proxies the request
-to the servlet container. The additional identity metadata must be
-included in the proxy request in order for the servlet to extract it.
-
-.. figure:: sssd_03.png
- :align: center
-
- _`Figure 3.`
-
-The Java EE Servlet API is designed with the HTTP protocol in mind
-however the servlet never directly accesses the HTTP protocol stream.
-Instead it uses the servlet API to get access to HTTP request
-data. The responsibility for HTTP communication rests with the
-container's ``Connector`` objects. When the servlet API needs
-information it works in conjunction with the ``Connector`` to supply
-it. For example the ``HttpServletRequest.getRemoteHost()`` method
-interrogates information the ``Connector`` placed on the internal
-request object. Analogously ``HttpServletRequest.getRemoteUser()``
-interrogates information placed on the internal request object by an
-authentication filter.
-
-But what happens when a HTTP request is proxied to a servlet container
-by Apache and ``getRemoteHost()`` or ``getRemoteUser()`` is called? Most
-``Connector`` objects do not understand the proxy scenario, to them
-a request from a proxy looks just like a request sent directly to the
-servlet container. Therefore ``getRemoteHost()`` or ``getRemoteUser()``
-ends up returning information relative to the proxy instead of the
-user who connected to the proxy because it's the proxy who connected
-to the servlet container and not the end user. There are 2 fundamental
-approaches which allow the servlet API to return data supplied by the
-proxy:
-
- 1. Proxy uses special protocol (e.g. AJP) to embed metadata.
- 2. Metadata is embedded in an HTTP extension by the proxy (i.e. headers)
-
-Proxy With AJP Protocol
------------------------
-
-The AJP_ protocol was designed as a protocol to exchange HTTP requests
-and responses between Apache and a Java EE Servlet Container. One of
-its design goals was to improve performance by translating common text
-values appearing in HTTP requests to a more compact binary form. At
-the same time AJP provided a mechanism to supply metadata about the
-request to the servlet container. That metadata is encoded in an AJP
-attribute (a name/value pair). The Apache AJP Proxy module looks up
-information in the internal Apache request object (e.g. remote user,
-remote address, etc.) and encodes that metadata in AJP attributes. On
-the servlet container side a AJP ``Connector`` object is aware of these
-metadata attributes, extracts them from the protocol and supplies
-their values to the upper layers of the servlet API. Thus a call to
-``HttpServletRequest.getRemoteUser()`` made by a servlet will receive
-the value set by Apache prior to the proxy. This is the desired and
-expected behavior. A servlet should be ignorant of the consequences of
-proxies; the servlet API should behave the same regardless of the
-presence of a proxy.
-
-The AJP protocol also has a general purpose attribute mechanism whereby
-any arbitrary name/value pair can be passed. This proxy metadata can
-be retrieved by a servlet by calling ``ServletRequest.getAttribute()``
-[1]_ When Apache mod_proxy_ajp is being used the authentication
-metadata for the remote user and auth type are are automatically
-inserted into the AJP protocol and the AJP ``Connector`` object on
-the servlet receiving end supplies those values to
-``HttpServletRequest.getRemoteHost()`` and
-``HttpServletRequest.getRemoteUser()`` respectively. But the identity
-metadata supplied by ``mod_identity_lookup`` needs to be explicitly
-encoded into an AJP attribute (see `Configure SSSD IFP`_ for details)
-that can later be retrieved by ``ServletRequest.getAttribute()``.
-
-Proxy With HTTP Protocol
-------------------------
-
-Although the AJP protocol offers a number of nice advantages sometimes
-it's not an option. Not all servlet containers support AJP or there
-may be some other deployment constraint that precludes its use. In this
-case option 2 from above needs to be used. Option 2 requires only the
-defined HTTP protocol be used without any "out of band" metadata. The
-conventional way to attach extension metadata to a HTTP request is to
-add extension HTTP headers.
-
-One problem with using extension HTTP headers to pass metadata to a
-servlet is the expectation the servlet API will have the same
-behavior. In other words the value returned by
-``HttpServletRequest.getRemoteUser()`` should not depend on whether the
-proxy request was exchanged with the AJP protocol or the HTTP
-protocol. The solution to this is to wrap the ``HttpServletRequest``
-object in a servlet filter. The wrapper overrides certain request
-methods (e.g. ``getRemoteUser()``). The override method looks to see if
-the metadata is in the extension HTTP headers, if so it returns the
-value found in the extension HTTP header otherwise it defers to the
-existing servlet implementation. The ``ServletRequest.getAttribute()`` is
-overridden in an analogous manner in the wrapper filter. Any call to
-``ServletRequest.getAttribute()`` is first checked to see if the value
-exists in the extension HTTP header first.
-
-Metadata supplied by Apache that is **not** part of the normal Java
-EE Servlet API **always** appears to the servlet via the
-``ServletRequest.getAttribute()`` method regardless of the proxy
-transport mechanism. The consequence of this is a servlet
-continues to utilize the existing Java EE Servlet API without concern
-for intermediary proxies, *and* any other metadata supplied by a proxy
-is *always* retrieved via ``ServletRequest.getAttribute()`` (see the
-caveat about ``ServletRequest.getAttributeNames()`` [1]_).
-
-*******************
-Configuration Guide
-*******************
-
-Although Apache authentication and SSSD identity lookup can operate
-with a variety of authentication mechanisms, IdP's and identity
-metadata providers we will demonstrate a configuration example which
-utilizes the FreeIPA_ IdP. FreeIPA excels at Kerberos SSO authentication,
-Active Directory integration, LDAP based identity metadata storage and
-lookup, DNS services, host based RBAC, SSH key management, certificate
-management, friendly web based console, command line tools and many
-other advanced IdP features.
-
-The following configuration steps will need to be performed:
-
-1. Install FreeIPA_ by following the installation guides in the FreeIPA_
- documentation area. When you install FreeIPA_ you will need to select a
- realm (a.k.a domain) in which your users and hosts will exist. In
- our example we will use the ``EXAMPLE.COM`` realm.
-
-2. Install and configure the Apache HTTP web server. The
- recommendation is to install and run the Apache HTTP web server on
- the same system the Java EE Container running AAA is installed on.
-
-3. Configure the proxy connector in the Java EE Container and set the
- ``secureProxyPorts``.
-
-We will also illustrate the operation of the system by adding an
-example user named ``testuser`` who will be a member of the
-``odl_users`` and ``odl_admin`` groups.
-
-Add Example User and Groups to FreeIPA
-======================================
-
-After installing FreeIPA you will need to populate FreeIPA with your users,
-groups and other data. Refer to the documentation in FreeIPA_ for the
-variety of ways this task can be performed; it runs the gamut from web
-based console to command line utilities. For simplicity we will use
-the command line utilities.
-
-Identify yourself to FreeIPA as an administrator; this will give you the
-necessary privileges needed to create and modify data in FreeIPA. You do
-this by obtaining a Kerberos ticket for the ``admin`` user (or any
-other user in FreeIPA with administrator privileges.
-
-::
-
- % kinit admin@EXAMPLE.COM
-
-Create the example ``odl_users`` and `odl_admin`` groups.
-
-::
-
- % ipa group-add odl_users --desc 'OpenDaylight Users'
- % ipa group-add odl_admin --desc 'OpenDaylight Administrators'
-
-Create the example user ``testuser`` with the first name "Test" and a
-last name of "User" and an email address of "test.user@example.com"
-
-::
-
- % ipa user-add testuser --first Test --last User --email test.user@example.com
-
-Now add ``testuser`` to the ``odl_users`` and ``odl_admin`` groups.
-
-::
-
- % ipa group-add-member odl_users --user testuser
- % ipa group-add-member odl_admin --user testuser
-
-Configure Apache
-================
-
-A number of Apache configuration directives will need to be specified
-to implement the Apache to application binding. Although these
-configuration directives can be located in any number of different
-Apache configuration files the most sensible approach is to co-locate
-them in a single application configuration file. This greatly
-simplifies the deployment of your application and isolates your
-application configuration from other applications and services sharing
-the Apache installation. In the examples that follow our application
-will be named ``my_app`` and the Apache application configuration file
-will be named ``my_app.conf`` which should be located in Apache's
-``conf.d/`` directory. The web resource we are protecting and
-supplying identity metadata for will be named ``my_resource``.
-
-
-Configure Apache for Kerberos
------------------------------
-
-When FreeIPA is deployed Kerberos is the preferred authentication mechanism
-for Single Sign-On (SSO). FreeIPA also provides identity metadata via
-Apache ``mod_identity_lookup``. To protect your ``my_resource`` resource
-with Kerberos authentication identify your resource as requiring
-Kerberos authentication in your ``my_app.conf`` Apache
-configuration. For example:
-
-::
-
- <Location my_resource>
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate On
- KrbMethodK5Passwd Off
- KrbAuthRealms EXAMPLE.COM
- Krb5KeyTab /etc/http.keytab
- require valid-user
- </Location>
-
-You will need to replace EXAMPLE.COM in the KrbAuthRealms declaration
-with the Kerberos realm for your deployment.
-
-
-Configure SSSD IFP
-------------------
-
-To use the Apache ``mod_identity_lookup`` module to supply identity
-metadata you need to do the following in ``my_app.conf``:
-
-1. Enable the module
-
- ::
-
- LoadModule lookup_identity_module modules/mod_lookup_identity.so
-
-2. Apply the identity metadata lookup to specific URL's
- (e.g. ``my_resource``) via an Apache location directive. In this
- example we look up the "mail" attribute and assign it to the
- REMOTE_USER_EMAIL environment variable.
-
- ::
-
- <LocationMatch "my_resource">
- LookupUserAttr mail REMOTE_USER_EMAIL
- </LocationMatch>
-
-3. Export the environment variable via the desired proxy protocol, see
- `Exporting Environment Variables to the Proxy`_
-
-Exporting Environment Variables to the Proxy
---------------------------------------------
-
-First you need to decide which proxy protocol you're going to use, AJP
-or HTTP and then determine the target address and port to proxy to. The
-recommended configuration is to run both the Apache server and the
-servlet container on the same host and to proxy requests over the
-local loopback interface (see `Declaring the Connector Ports for
-Authentication Proxies`_). In our examples we'll use port 8383. Thus
-in ``my_app.conf`` add a proxy declaration.
-
-For HTTP Proxy
-
-::
-
- ProxyPass / http://localhost:8383/
- ProxyPassReverse / http://localhost:8383/
-
-For AJP Proxy
-
-::
-
- ProxyPass / ajp://localhost:8383/
- ProxyPassReverse / ajp://localhost:8383/
-
-AJP Exports
-^^^^^^^^^^^
-
-AJP automatically forwards REMOTE_USER and AUTH_TYPE making them
-available to the ``HttpServletRequest`` API, thus you do not need to
-explicitly forward these in the proxy configuration. However all other
-``mod_identity_lookup`` metadata must be explicitly forwarded as an AJP
-attribute. These AJP attributes become visible in the
-``ServletRequest.getAttribute()`` method [1]_.
-
-The Apache ``mod_proxy_ajp`` module automatically sends any Apache
-environment variable prefixed with "AJP\_" as an AJP attribute which
-can be retrieved with ``ServletRequest.getAttribute()``. Therefore the
-``mod_identity_lookup`` directives which specify the Apache environment
-variable to set with the result of a lookup must be prefixed with
-"AJP\_". Using the above example of looking up the principal's email
-address we modify the environment variable to include the "AJP\_"
-prefix. Thusly:
-
- ::
-
- <LocationMatch "my_resource">
- LookupUserAttr mail AJP_REMOTE_USER_EMAIL
- </LocationMatch>
-
-The sequence of events is as follows:
-
- 1. When the URL matches "my_resource".
-
- 2. ``mod_identity_lookup`` retrieves the mail attribute for the
- principal.
-
- 3. ``mod_identity_lookup`` assigns the value of the mail attribute
- lookup to the AJP_REMOTE_USER_EMAIL Apache environment variable.
-
- 4. ``mod_proxy_ajp`` encodes AJP_REMOTE_USER_EMAIL environment
- variable into an AJP attribute in the AJP protocol because the
- environment variable is prefixed with "AJP\_". The name of the
- attribute is stripped of it's "AJP\_" prefix thus the
- AJP_REMOTE_USER_EMAIL environment variable is transferred as the
- AJP attribute REMOTE_USER_EMAIL.
-
- 5. The request is forwarded (i.e. proxied) to servlet container
- using the AJP protocol.
-
- 6. The servlet container's AJP ``Connector`` object is assigned each AJP
- attribute to the set of attributes on the ``ServletRequest``
- attribute list. Thus a call to
- ``ServletRequest.getAttribute("REMOTE_USER_EMAIL")`` yields the
- value set by ``mod_identity_lookup``.
-
-
-HTTP Exports
-^^^^^^^^^^^^
-
-When HTTP proxy is used there are no automatic or implicit metadata
-transfers; every metadata attribute must be explicitly handled on both
-ends of the proxy connection. All identity metadata attributes are
-transferred as extension HTTP headers, by convention those headers are
-prefixed with "X-SSSD-".
-
-Using the original example of looking up the principal's email
-address we must now perform two independent actions:
-
- 1. Lookup the value via ``mod_identity_lookup`` and assign to an
- Apache environment variable.
-
- 2. Export the environment variable in the request header with the
- "X-SSSD-" prefix.
-
- ::
-
- <LocationMatch "my_resource">
- LookupUserAttr mail REMOTE_USER_EMAIL
- RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
- </LocationMatch>
-
-The sequence of events is as follows:
-
- 1. When the URL matches "my_resource".
-
- 2. ``mod_identity_lookup`` retrieves the mail attribute for the
- principal.
-
- 3. ``mod_identity_lookup`` assigns the value of the mail attribute
- lookup to the REMOTE_USER_EMAIL Apache environment variable.
-
- 4. Apache's RequestHeader directive executes just prior to the
- request being forwarded (i.e. in the Apache fixup stage). It adds
- the header X-SSSD-REMOTE_USER_EMAIL and assigns the value for
- REMOTE_USER_EMAIL found in the set of environment variables. It
- does this because the syntax %{XXX} is a variable reference for
- the name XXX and the 'e' appended after the closing brace
- indicates the lookup is to be performed in the set of environment
- variables.
-
- 5. The request is forwarded (i.e. proxied) to the servlet container
- using the HTTP protocol.
-
- 6. When ``ServletRequest.getAttribute()`` is called the ``SssdFilter``
- wrapper intercepts the ``getAttribute()`` method. It looks for an
- HTTP header of the same name with "X-SSSD-" prefixed to it. In
- this case ``getAttribute("REMOTE_USER_EMAIL")`` causes the lookup of
- "X-SSSD-REMOTE_USER_EMAIL" in the HTTP headers, if found that
- value is returned.
-
-AJP Proxy Example Configuration
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-If you are using AJP proxy to the Java EE Container on port 8383 your
-``my_app.conf`` Apache configuration file will probably look like
-this:
-
-::
-
- <LocationMatch "my_resource">
-
- ProxyPass / ajp://localhost:8383/
- ProxyPassReverse / ajp://localhost:8383/
-
- LookupUserAttr mail AJP_REMOTE_USER_EMAIL " "
- LookupUserAttr givenname AJP_REMOTE_USER_FIRSTNAME
- LookupUserAttr sn AJP_REMOTE_USER_LASTNAME
- LookupUserGroups AJP_REMOTE_USER_GROUPS ":"
-
- </LocationMatch>
-
-Note the specification of the colon separator for the
-``LookupUserGroups`` operation. [3]_
-
-HTTP Proxy Example Configuration
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-If you are using a conventional HTTP proxy to the Java EE Container on
-port 8383 your ``my_app.conf`` Apache configuration file will probably
-look like this:
-
-::
-
- <LocationMatch "my_resource">
-
- ProxyPass / http://localhost:8383/
- ProxyPassReverse / http://localhost:8383/
-
- RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
- RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
- RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
- RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
-
- LookupUserAttr mail REMOTE_USER_EMAIL
- RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
-
- LookupUserAttr givenname REMOTE_USER_FIRSTNAME
- RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
-
- LookupUserAttr sn REMOTE_USER_LASTNAME
- RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
-
- LookupUserGroups REMOTE_USER_GROUPS ":"
- RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
-
- </LocationMatch>
-
-Note the specification of the colon separator for the
-``LookupUserGroups`` operation. [3]_
-
-
-Configure Java EE Container Proxy Connector
-===========================================
-
-The Java EE Container must be configured to listen for connections
-from the Apache web server. A Java EE Container specifies connections
-via a ``Connector`` object. A ``Connector`` **must** be dedicated
-**exclusively** for handling authenticated requests from the Apache
-web server. The reason for this is explained in `The Proxy
-Problem`_. In addition ``ClaimAuthFilter`` needs to validate that any
-request it processes originated from the trusted Apache instance. This
-is accomplished by dedicating one or more ports exclusively for use by
-the trusted Apache server and enumerating them in the
-``secureProxyPorts`` configuration as explained in `Locking Down the
-Apache to Java EE Container Channel`_ and `Declaring the Connector
-Ports for Authentication Proxies`_.
-
-Configure Tomcat Proxy Connector
---------------------------------
-
-The Tomcat Java EE Container defines Connectors in its ``server.xml``
-configuration file.
-
-::
-
- <Connector
- address="127.0.0.1"
- port="8383"
- protocol="HTTP/1.1"
- tomcatAuthentication="false"
- connectionTimeout="20000"
- redirectPort="8443"
- />
-
-
-:address:
- This should be the loopback address as explained `Locking Down the
- Apache to Java EE Container Channel`_.
-
-:port:
- In our examples we've been using port 8383 as the proxy port. The
- exact port is not important but it must be consistent with the
- Apache proxy port, the ``Connector`` declaration, and the port value
- in ``secureProxyPorts``.
-
-:protocol:
- As explained in `Transporting Identity Metadata from Apache to a
- Java EE Servlet`_ you will need to decide if you are using HTTP or
- AJP as the proxy protocol. In the example above the protocol is set
- for HTTP, if you use AJP instead the protocol should instead be
- "AJP/1.3".
-
-:tomcatAuthentication:
- This boolean flag tells Tomcat whether Tomcat should perform
- authentication on the incoming requests or not. Since authentication
- is performed by Apache we do not want Tomcat to perform
- authentication therefore this flag must be set to false.
-
-The AAA system needs to know which port(s) the trusted Apache proxy
-will be sending requests on so it can trust the request authentication
-metadata. See `Declaring the Connector Ports for Authentication
-Proxies`_ for more information). Set ``secureProxyPorts`` in the
-FederationConfiguration.
-
-::
-
- secureProxyPorts=8383
-
-
-Configure Jetty Proxy Connector
--------------------------------
-
-The Jetty Java EE Container defines Connectors in its ``jetty.xml``
-configuration file.
-
-::
-
- <!-- Trusted Authentication Federation proxy connection -->
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <Set name="host">127.0.0.1</Set>
- <Set name="port">8383</Set>
- <Set name="maxIdleTime">300000</Set>
- <Set name="Acceptors">2</Set>
- <Set name="statsOn">false</Set>
- <Set name="confidentialPort">8445</Set>
- <Set name="name">federationConn</Set>
- <Set name="lowResourcesConnections">20000</Set>
- <Set name="lowResourcesMaxIdleTime">5000</Set>
- </New>
- </Arg>
- </Call>
-
-:host:
- This should be the loopback address as explained `Locking Down the
- Apache to Java EE Container Channel`_.
-
-:port:
- In our examples we've been using port 8383 as the proxy port. The
- exact port is not important but it must be consistent with the
- Apache proxy port, the ``Connector`` declaration, and the port value
- in ``secureProxyPorts``.
-
-
-Note, values in Jetty XML can also be parameterized so that they may
-be passed from property files or set on the command line. Thus
-typically the port is set within Jetty XML, but uses the Property
-element to be customizable. Thus the above ``host`` and ``port``
-properties could be specificed this way:
-
-::
-
- <Set name="host">
- <Property name="jetty.host" default="127.0.0.1"/>
- </Set>
- <Set name="port">
- <Property name="jetty.port" default="8383"/>
- </Set>
-
-
-The AAA system needs to know which port(s) the trusted Apache proxy
-will be sending requests on so it can trust the request authentication
-metadata. See `Declaring the Connector Ports for Authentication
-Proxies`_ for more information). Set ``secureProxyPorts`` in the
-FederationConfiguration.
-
-************************************************
-How Apache Identity Metadata is Processed in AAA
-************************************************
-
-`Figure 2.`_ and `Figure 3.`_ illustrates the fact the first stage in
-processing a request from a user begins with Apache where the user is
-authenticated and SSSD supplies additional metadata about the
-user. The original request along with the metadata are subsequently
-forwarded by Apache to the Java EE Container. `Figure 4.`_ illustrates
-the processing inside the Java EE Container once it receives the
-request on one of its secure connectors.
-
-
-.. figure:: sssd_04.png
- :align: center
-
- _`Figure 4.`
-
-:Step 1:
- One or more Connectors have been configured to listen for requests
- being forwarded from a trusted Apache instance. The Connector is
- configured to communicate using either the HTTP or AJP protocols.
- See `Exporting Environment Variables to the Proxy`_ for more
- information on selecting a proxy transport protocol.
-
-:Step 2:
- The identity metadata bound to the request needs to be extracted
- differently depending upon whether HTTP or AJP is the transport
- protocol. To allow later stages in the pipeline to be ignorant of
- the transport protocol semantics the ``SssdFilter`` servlet filter
- is introduced. The ``SssdFilter`` wraps the ``HttpServletRequest``
- class and intercepts calls which might return the identity
- metadata. The wrapper in the filter looks in protocol specific
- locations for the metadata. In this manner users of the
- ``HttpServletRequest`` are isolated from protocol differences.
-
-
-:Step 3:
-
- The ``ClaimAuthFilter`` is responsible for determining if identity
- metadata is bound to the request. If so all identity metadata is
- packaged into an assertion which is then handed off to
- ``SssdClaimAuth`` which will transform the identity metadata in the
- assertion into a AAA Claim which is the authorizing token for the user.
-
-:Step 4:
- The ``SssdClaimAuth`` object is responsible for transforming the
- external federated identity metadata provided by Apache and SSSD into
- a AAA claim. The AAA claim is an authorization token which includes
- information about the user plus a set of roles. These roles provide the
- authorization to perform AAA tasks. Although how roles are assigned is
- flexible the expectation is domain and/or group membership will be the
- primary criteria for role assignment. Because deciding how to handle
- external federated identity metadata is site and deployment specific
- we need a loadable policy mechanism. This is accomplished by a set of
- transformation rules which transforms the incoming IdP identity
- metadata into a AAA claim. For greater clarity this important step is
- broken down into smaller units in the shaded box in `Figure 4.`_.
-
-:Step 4.1:
- `The Mapping Rule Processor`_ is designed to accept a JSON object
- (set of key/value pairs) as input and emit a different JSON object
- as output effectively operating as a transformation engine on
- key/value pairs.
-
-:Step 4.2:
- The input assertion is rewritten as a JSON object in the format
- required by the Mapping Rule Processor. The JSON assertion is then
- passed into the Mapping Rule Processor.
-
-:Step 4.3:
- `The Mapping Rule Processor`_ identified as ``IdPMapper`` evaluates
- the input JSON assertion in the context of the mapping rules defined
- for the site deployment. If ``IdPMapper`` is able to successfully
- transform the input it will return a JSON object which we called the
- *mapped* result. If the input JSON assertion is not compatible with
- the site specific rules loaded into the ``IdPMapper`` then NULL is
- returned by the ``IdPMapper``.
-
-:Step 4.4:
- If a mapped JSON object is returned by the ``IdPMapper`` the mapping
- was successful. The values in the mapped result are re-written into
- an AAA Claim token.
-
-How Apache Identity Metadata is Mapped to AAA Values
-====================================================
-
-A federated IdP supplies metadata in a form unique to the IdP. This is
-called an assertion. That assertion must be transformed into a format
-and data understood by AAA. More importantly that assertion needs to
-yield *authorization roles specific to AAA*. In `Figure 4.`_ Step 4.3
-the ``IdPMapper`` provides the transformation from an external IdP
-assertion to an AAA specific claim. It does this via a Mapping Rule
-Processor which reads a site specific set of transformation
-rules. These mapping rules define how to transform an external IdP
-assertion into a AAA claim. The mapping rules also are responsible for
-validating the external IdP claim to make sure it is consistent with
-the site specific requirements. The operation of the Mapping Rule
-Processor and the syntax of the mapping rules are defined in `The
-Mapping Rule Processor`_.
-
-Below is an example mapping rule which might be loaded into the
-Mapping Rule Processor. It is assumed there are two AAA roles which
-may be assigned [4]_:
-
-``user``
- A role granting standard permissions for normal ODL users.
-
-``admin``
- A special role granting full administrative permissions.
-
-In this example assigning the ``user`` and ``admin`` roles
-will be based on group membership in the following groups:
-
-``odl_users``
- Members of this group are normal ODL users with restricted permissions.
-
-``odl_admin``
- Members of this group are ODL administrators with permission to
- perform all operations.
-
-Granting of the ``user`` and/or ``admin`` roles based on
-membership in the ``odl_users`` and ``odl_admin`` is illustrated in
-the follow mapping rule example which also extracts the user principal
-and domain information in the preferred format for the site
-(e.g. usernames are lowercase without domain suffixes and the domain
-is uppercase and supplied separately).
-
-_`Mapping Rule Example 1.`
-
-::
-
- 1 [
- 2 {"mapping": {"ClientId": "$client_id",
- 3 "UserId": "$user_id",
- 4 "User": "$username",
- 5 "Domain": "$domain",
- 6 "roles": "$roles",
- 7 },
- 8 "statement_blocks": [
- 9 [
- 10 ["set", "$groups", []],
- 11 ["set", "$roles", []]
- 12 ],
- 13 [
- 14 ["in", "REMOTE_USER", "$assertion"],
- 15 ["exit", "rule_fails", "if_not_success"],
- 16 ["regexp", "$assertion[REMOTE_USER]", "(?<username>\\w+)@(?<domain>.+)"],
- 17 ["exit", "rule_fails", "if_not_success"],
- 18 ["lower", "$username", "$regexp_map[username]"],
- 19 ["upper", "$domain", "$regexp_map[domain]"],
- 20 ],
- 21 [
- 22 ["in", "REMOTE_USER_GROUPS", "$assertion"],
- 23 ["exit", "rule_fails", "if_not_success"],
- 24 ["split", "$groups", "$assertion[REMOTE_USER_GROUPS]", ":"],
- 25 ],
- 26 [
- 27 ["in", "odl_users", "$groups"],
- 28 ["continue", "if_not_success"],
- 29 ["append", "$roles", "user"],
- 30 ],
- 31 [
- 32 ["in", "odl_admin", "$groups"],
- 33 ["continue", "if_not_success"],
- 34 ["append", "$roles", "admin"]
- 35 ],
- 36 [
- 37 ["unique", "$roles", "$roles"],
- 38 ["length", "$n_roles", "$roles"],
- 39 ["compare", "$n_roles", ">", 0],
- 40 ["exit", "rule_fails", "if_not_success"],
- 41 ],
- 42 ]
- 43 }
- 44 ]
-
-:Line 1:
- Starts a list of rules. In this example only 1 rule is defined. Each
- rule is a JSON object containing a ``mapping`` and a required list
- of ``statement_blocks``. The ``mapping`` may either be specified
- inside a rule as it is here or may be referenced by name in a table
- of mappings (this is easier to manage if you have a large number of
- rules and small number of mappings).
-
-:Lines 2-7:
- Defines the JSON mapped result. Each key maps to AAA claim. The
- value is a rule variable whose value will be substituted if the rule
- succeeds. Thus for example the AAA claim value ``User`` will be
- assigned the value from the ``$username`` rule variable.
-:Line 8:
- Begins the list of statement blocks. A statement must be contained
- inside a block.
-:Lines 9-12:
- The first block usually initializes variables that will be
- referenced later. Here we initialize ``$groups`` and ``$roles`` to
- empty arrays. These arrays may be appended to in later blocks and
- may be referenced in the final ``mapping`` output.
-:Lines 13-20:
- This block sets the user and domain information based on
- ``REMOTE_USER`` and exits the rule if ``REMOTE_USER`` is not defined.
-:Lines 14-15:
- This test is critical, it assures ``REMOTE_USER`` is defined in the
- assertion, if not the rule is skipped because we depend on
- ``REMOTE_USER``.
-:Lines 16-17:
- Performs a regular expression match against ``REMOTE_USER`` to split
- the username from the domain. The regular expression uses named
- groups, in this instance ``username`` and ``domain``. If the regular
- expression does not match the rule is skipped.
-:Lines 18-19:
- These lines reference the previous result of the regular expression
- match which are stored in the special variable ``$regexp_map``. The
- username is converted to lower case and stored in ``$username`` and
- the domain is converted to upper case and stored in ``$domain``. The
- choice of case is purely by convention and site requirements.
-:Lines 21-35:
- These 3 blocks assign roles based on group membership.
-:Lines 21-25:
- Assures ``REMOTE_USER_GROUPS`` is defined in the assertion; if not, the
- rule is skipped. ``REMOTE_USER_GROUPS`` is colon separated list of group
- names. In order to operate on the individual group names appearing
- in ``REMOTE_USER_GROUPS`` line 24 splits the string on the colon
- separator and stores the result in the ``$groups`` array.
-:Lines 27-30:
- This block assigns the ``user`` role if the user is a member of the
- ``odl_users`` group.
-:Lines 31-35:
- This block assigns the ``admin`` role if the user is a
- member of the ``odl_admin`` group.
-:Lines 36-41:
- This block performs final clean up actions for the rule. First it
- assures there are no duplicates in the ``$roles`` array by calling
- the ``unique`` function. Then it gets a count of how many items are
- in the ``$roles`` array and tests to see if it's empty. If there are
- no roles assigned the rule is skipped.
-:Line 43:
- This is the end of the rule. If we reach the end of the rule it
- succeeds. When a rule succeeds the mapping associated with the rule
- is looked up. Any rule variable appearing in the mapping is
- substituted with its value.
-
-Using the rules in `Mapping Rule Example 1.`_ and following example assertion
-in JSON format:
-
-_`Assertion Example 1.`
-
-::
-
- {
- "REMOTE_USER": "TestUser@example.com",
- "REMOTE_AUTH_TYPE": "Negotiate",
- "REMOTE_USER_GROUPS": "odl_users:odl_admin",
- "REMOTE_USER_EMAIL": "test.user@example.com",
- "REMOTE_USER_FIRSTNAME": "Test",
- "REMOTE_USER_LASTNAME": "User"
- }
-
-Then the mapper will return the following mapped JSON document. This
-is the ``mapping`` defined on line 2 of `Mapping Rule Example 1.`_ with the
-variables substituted after the rule successfully executed. Note any
-valid JSON data type can be returned, in this example the ``null``
-value is returned for ``ClientId`` and ``UserId``, normal strings for
-``User`` and ``Domain`` and an array of strings for the ``roles`` value.
-
-_`Mapped Result Example 1.`
-
-::
-
- {
- "ClientId": null,
- "UserId": null,
- "User": "testuser",
- "Domain": "EXAMPLE.COM",
- "roles": ["user", "admin"]
- }
-
-
-**************************
-The Mapping Rule Processor
-**************************
-
-The Mapping Rule Processor is designed to be as flexible and generic
-as possible. It accepts a JSON object as input and returns a JSON
-object as output. JSON was chosen because virtually all data can be
-represented in JSON, JSON has extensive support and JSON is human
-readable. The rules loaded into the Mapping Rule Processor are also
-expressed in JSON. One advantage of this is it makes it easy for a
-site administrator to define hardcoded values which are always
-returned and/or static tables of white and black listed users or users
-who are always mapped into certain roles.
-
-.. include:: mapping.rst
-
-***********************
-Security Considerations
-***********************
-
-Attack Vectors
-==============
-
-A Java EE Container fronted by Apache has by definition 2 major
-components:
-
-* Apache
-* Java EE Container
-
-Each of these needs to be secure in its own right. There is extensive
-documentation on securing each of these components and the reader is
-encouraged to review this material. For the purpose of this discussion
-we are most interested in how Apache and the Java EE
-Container cooperate to form an integrated security system. Because
-Apache is performing authentication on behalf of the Java EE Container,
-it views Apache as a trusted partner. Our primary concern is the
-communication channel between Apache and the Java EE Container. We
-must assure the Java EE Container knows who it's trusted partner is
-and that it only accepts security sensitive data from that partner,
-this can best be described as `The Proxy Problem`_.
-
-Forged REMOTE_USER
-------------------
-
-HTTP request handling is often implemented as a processing pipeline
-where individual handlers are passed the request, they may then attach
-additional metadata to the request or transform it in some manner
-before handing it off to the next stage in the pipeline. A request
-handler may also short circuit the request processing pipeline and
-cause a response to be generated. Authentication is typically
-implemented an as early stage request handler. If a request gets past
-an authentication handler later stage handlers can safely assume the
-request belongs to an authenticated user. Authorization metadata may
-also have been attached to the request. Later stage handlers use the
-authentication/authorization metadata to make decisions as to whether
-the operations in the request can be satisfied.
-
-When a request is fielded by a traditional web server with CGI (Common
-Gateway Interface, RFC 3875) the request metadata is passed via CGI
-meta-variables. CGI meta-variables are often implemented as environment
-variables, but in practical terms CGI metadata is really just a set of
-name/value pairs a later stage (i.e. CGI script, servlet, etc.) can
-reference to learn information about the request.
-
-The CGI meta-variables REMOTE_USER and AUTH_TYPE relate to
-authentication. REMOTE_USER is the identity of the authenticated user
-and AUTH_TYPE is the authentication mechanism that was used to
-authenticate the user.
-
-**If a later stage request handler sees REMOTE_USER and AUTH_TYPE as
-non-null values it assumes the user is fully authenticated! Therefore
-is it essential REMOTE_USER and AUTH_TYPE can only enter the request
-pipeline via a trusted source.**
-
-The Proxy Problem
-=================
-
-In a traditional monolithic web server the CGI meta-variables are
-created and managed by the web server, which then passes them to CGI
-scripts and executables in a very controlled environment where they
-execute in the context of the web server. Forgery of CGI
-meta-variables is generally not possible unless the web server has
-been compromised in some fashion.
-
-However in our configuration the Apache web server acts as an identity
-processor, which then forwards (i.e. proxies) the request to the Java
-EE container (i.e Tomcat, Jetty, etc.). One could think of the Java
-EE container as just another CGI script which receives CGI
-meta-variables provided by the Apache web server. Where this analogy
-breaks down is how Apache invokes the CGI script. Instead of forking a
-child process where the child's environment and input/output pipes are
-carefully controlled by Apache the request along with its additional
-metadata is forwarded over a transport (typically TCP/IP) to another
-process, the proxy, which listens on socket.
-
-The proxy (in this case the Java EE container) reads the request and
-the attached metadata and acts upon it. If the request read by the
-proxy contains the REMOTE_USER and AUTH_TYPE CGI meta-variables the
-proxy will consider the request **fully authenticated!**. Therefore
-when the Java EE container is configured as a proxy it is
-**essential** it only reads requests from a **trusted** Apache web
-server. If any other client aside from the trusted Apache web server
-is permitted to connect to the Java EE container that client could
-present forged REMOTE_USER and AUTH_TYPE meta-variables, which would be
-automatically accepted as valid thus opening a huge security hole.
-
-
-Possible Approaches to Lock Down a Proxy Channel
-================================================
-
-Tomcat Valves
--------------
-
-You can use a `Tomcat Remote Address Valve`_ valve to filter by IP or
-hostname to only allow a subset of machines to connect. This can be
-configured at the Engine, Host, or Context level in the
-conf/server.xml by adding something like the following:
-
-::
-
- <!-- allow only LAN IPs to connect -->
- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="192.168.1.*">
- </Valve>
-
-The problem with valves is they are a Tomcat only concept, the
-``RemoteAddrValve`` only checks addresses, not port numbers (although
-it should be easy to add port checking) and they don't offer anything
-better than what is described in `Locking Down the Apache to Java EE
-Container Channel`_, which is not container specific. Servlet filters
-are always available regardless of the container the servlet is
-running in. A filter can check both the address and port number and
-refuse to operate on the request if the address and port are not known to
-be a trusted authentication proxy. Also note that if the Java EE
-Container is configured to accept connections other than from the
-trusted HTTP proxy server (a very likely scenario) then filtering at
-the connector level is not sufficient because a servlet which trusts
-``REMOTE_USER`` must be assured the request arrived only on a
-trusted HTTP proxy server connection, not one of the other possible
-connections.
-
-SSL/TLS with client auth
-------------------------
-
-SSL with client authentication is the ultimate way to lock down a HTTP
-Server to Java EE Container proxy connection. SSL with client
-authentication provides authenticity, integrity, and
-confidentiality. However those desirable attributes come at a
-performance cost which may be excessive. Unless a persistent TCP
-connection is established between the HTTP server and the Java EE
-Container a SSL handshake will need to occur on each request being
-proxied, SSL handshakes are expensive. Given that the HTTP server and
-the Java EE Container will likely be deployed on the same compute node
-(or at a minimum on a secure subnet) the advantage of SSL for proxy
-connections may not be warranted because other options are available
-for these configuration scenarios; see `Locking Down the Apache to Java EE
-Container Channel`_. Also note that if the Java EE
-Container is configured to accept connections other than from the
-trusted HTTP proxy server (a very likely scenario), then filtering at
-the connector level is not sufficient because a servlet which trusts
-``REMOTE_USER`` must be assured that the request arrived only on a
-trusted HTTP proxy server connection, not one of the other possible
-connections.
-
-
-Java Security Manager Permissions
----------------------------------
-
-The Java Security Manager allows you define permissions which are
-checked at run time before code executes.
-``java.net.SocketPermission`` and ``java.net.NetPermission`` would
-appear to offer solutions for restricting which host and port a
-request containing ``REMOTE_USER`` will be trusted. However security
-permissions are applied *after* a request is accepted by a
-connector. They are also more geared towards what connections code can
-subsequently utilize as opposed to what connection a request was
-presented on. Therefore security manager permissions seem to offer little
-value for our purpose. One can simply test to see which host sent the
-proxy request and on what port it arrived on by looking at the
-connection information in the request. Restricting which proxies can
-submit trusted requests is better handled at the level of the
-connector, which unfortunately is a container implementation
-issue. Tomcat and Jetty have different ways of handling connector
-specifications.
-
-AJP requiredSecret
-------------------
-
-The AJP protocol includes an attribute called ``requiredSecret``, which
-can be used to secure the connection between AJP endpoints. When an
-HTTP server sends an AJP proxy request to a Java EE Container it
-embeds in the protocol transmission a string (``requiredSecret``)
-known only to the HTTP server and the Java EE Container. The AJP
-connector on the Java EE Container is configured with the
-``requiredSecret`` value and will reject as unauthorized any AJP
-requests whose ``requiredSecret`` does not match.
-
-There are two problems with `requiredSecret``. First of all it's not
-particularly secure. In fact, it's fundamentally no different than
-sending a cleartext password. If the AJP request is not encrypted it
-means the ``requiredSecret`` will be sent in the clear which is
-probably one of the most egregious security mistakes. If the AJP
-request is transmitted in a manner where the traffic can be sniffed, it
-would be trivial to recover the ``requiredSecret`` and forge a request
-with it. On the other hand encrypting the communication channel
-between the HTTP server and the Java EE Container means using SSL
-which is fairly heavyweight. But more to the point, if one is using
-SSL to encrypt the channel there is a *far better* mechanism to ensure
-the HTTP server is who it claims to be than embedding
-``requiredSecret``. If one is using SSL you might as well use SSL
-client authentication where the HTTP identifies itself via a client
-certificate. SSL client authentication is a very robust authentication
-mechanism. But doing SSL client authentication, or for that matter
-just SSL encryption, for *every* AJP protocol request is prohibitively
-expensive from a performance standpoint.
-
-The second problem with ``requiredSecret`` is that despite being documented
-in a number of places it's not actually implemented in Apache
-``mod_proxy_ajp``. This is detailed in `bug 53098`_. You can set
-``requiredSecret`` in the ``mod_proxy_ajp`` configuration, but it won't
-be included in the wire protocol. There is a patch to implement
-``requiredSecret`` but, it hasn't made it into any shipping version of
-Apache yet. But even if ``requiredSecret`` was implemented it's not
-useful. Also one could construct the equivalent of ``requiredSecret``
-from other AJP attributes and/or an HTTP extension header but those
-would suffer from the same security issues ``requiredSecret`` has,
-therefore it's mostly pointless.
-
-Java EE Container Issues
-========================
-
-Jetty Issues
-------------
-
-Jetty is a Java EE Container which can be used
-as alternative to Tomcat. Jetty is an Eclipse project. Recent versions
-of Jetty have dropped support for AJP; this is described in the
-`Jetty AJP Configuration Guide`_ which states:
-
- Configuring AJP13 Using mod_jk or mod_proxy_ajp. Support for this
- feature has been dropped with Jetty 9. If you feel this should be
- brought back please file a bug.
-
-Eclipse `Bug 387928`_ *Retire jetty-ajp* was opened to track the
-removal of AJP in Jetty and is now closed.
-
-Tomcat Issues
--------------
-
-You should refer the `Tomcat Security How-To`_ for a full discussion
-of Tomcat security issues.
-
-The tomcatAuthentication attribute is used with the AJP connectors to
-determine if Tomcat should authenticate the user or if authentication
-can be delegated to the reverse proxy that will then pass the
-authenticated username to Tomcat as part of the AJP protocol.
-
-The requiredSecret attribute in AJP connectors configures a shared
-secret between Tomcat and the reverse proxy in front of Tomcat. It is used
-to prevent unauthorized connections over AJP protocol.
-
-Locking Down the Apache to Java EE Container Channel
-====================================================
-
-The recommended approach to lock down the proxy channel is:
-
- * Run both Apache and the servlet container on the same host.
-
- * Configure Apache to forward the proxy request on the loopback
- interface (e.g. 127.0.0.1 also known as ``localhost``). This
- prohibits any external IP address from connecting, only processes
- running on the locked down host can communicate over
- ``localhost``.
-
- * Reserve one or more ports for communication **exclusively** for
- proxy communication between Apache and the servlet container. The
- servlet container may listen on other ports for non-critical
- non-authenticated requests.
-
- * The ``ClaimAuthFilter`` that reads the identity metadata **must**
- assure that requests have arrived only on a **trusted port**. To
- achieve this the ``FederationConfiguration`` defines the
- ``secureProxyPorts`` configuration option. ``secureProxyPorts`` is
- a space delimited list of ports which during deployment the
- administrator has configured such that they are **exclusively**
- dedicated for use by the Apache server(s) providing authentication
- and identity information. These ports are set in the servlet
- container's ``Connector`` declarations. See `Declaring the
- Connector Ports for Authentication Proxies`_ for more
- information).
-
- * When the ``ClaimAuthFilter`` receives a request, the first thing
- it does is check the ``ServletRequest.getLocalPort()`` value and
- verifies it is a member of the ``secureProxyPorts`` configuration
- option. If the port is a member of ``secureProxyPorts``, it will
- trust every identity assertion found in the request. If the local
- port is not a member of ``secureProxyPorts``, a HTTP 401
- (unauthorized) error status will be returned for the request. A
- warning message will be logged the first time this occurs.
-
-
-Declaring the Connector Ports for Authentication Proxies
---------------------------------------------------------
-
-As described in `The Proxy Problem`_ the AAA authentication system
-**must** confirm the request it is processing originated from a *trusted
-HTTP proxy server*. This is accomplished with port isolation.
-
-The administrator deploying a federated AAA solution with SSSD
-identity lookups must declare in the AAA federation configuration
-which ports the proxy requests from the trusted HTTP server will
-arrive on by setting the ``secureProxyPorts`` configuration
-item. These ports **must** only be used for the trusted HTTP proxy
-server. The AAA federation software will not perform authentication
-for any request arriving on a port other than those listed in
-``secureProxyPorts``.
-
-.. figure:: sssd_05.png
- :align: center
-
- _`Figure 5.`
-
-``secureProxyPorts`` configuration option is set either in the
-``federation.cfg`` file or in the
-``org.opendaylight.aaa.federation.secureProxyPorts`` bundle
-configuration. ``secureProxyPorts`` is a space-delimited list of port
-numbers on which a trusted HTTP proxy performing authentication
-forwards pre-authenticated requests. For example:
-
-::
-
- secureProxyPorts=8383
-
-Means a request which arrived on port 8383 is from a trusted HTTP
-proxy server and the value of ``REMOTE_USER`` and other authentication
-metadata in request can be trusted.
-
-########
-Appendix
-########
-
-*****************
-CGI Export Issues
-*****************
-
-Apache processes requests as a series of steps in a pipeline
-fashion. The ordering of these steps is important. Core Apache is
-fairly minimal, most of Apache's features are supplied by loadable
-modules. When a module is loaded it registers a set of *hooks*
-(function pointers) which are to be run at specific stages in the
-Apache request processing pipeline. Thus a module can execute code at
-any of a number of stages in the request pipeline.
-
-The user metadata supplied by Apache is initialized in two distinct
-parts of Apache.
-
- 1. an authentication module (e.g. mod_auth_kerb)
- 2. the ``mod_lookup_identity`` module.
-
-After successful authentication the authentication module will set the
-name of the user principal and the mechanism used for authentication
-in the request structure.
-
- * ``request->user``
- * ``request->ap_auth_type``
-
-Authentication hooks run early in the request pipeline for the obvious
-reason a request should not be processed if not authenticated. The
-specific authentication module that runs is defined by ``Location``
-directive in the Apache configuration which binds specific
-authentication to specific URL's. The ``mod_lookup_identity`` module
-must run *after* authentication module runs because it depends on
-knowing who the authenticated principal is so it can lookup the data
-on that principal.
-
-When reading ``mod_lookup_identity`` documentation one often sees
-references to the ``REMOTE_USER`` CGI environment variable with the
-implication ``REMOTE_USER`` is how one accesses the name of the
-authenticated principal. This is a bit misleading, ``REMOTE_USER`` is
-a CGI environment variable. CGI environment variables are only set by
-Apache when it believes the request is going to be processed by a CGI
-implementation. In this case ``REMOTE_USER`` is initialized from the
-``request->user`` value.
-
-How is the authenticated principal actually forwarded to our proxy?
-===================================================================
-
-If we are using the AJP proxy protocol the ``mod_proxy_ajp`` module
-when preparing the proxy request will read the value of
-``request->user`` and insert it into the ``SC_A_REMOTE_USER`` AJP
-attribute. On the receiving end ``SC_A_REMOTE_USER`` will be extracted
-from the AJP request and used to populate the value returned
-by``HttpServletRequest.getRemoteUser()``. The exchange of the
-authenticated principal when using AJP is transparent to both the
-sender and receiver, nothing special needs to be done. See
-`Transporting Identity Metadata from Apache to a Java EE Servlet`_
-for details on how metadata can be exchanged with the proxy.
-
-However, if AJP is not being used to proxy the request the
-authenticated principal must be passed through some other mechanism,
-an HTTP extension header is the obvious solution. The Apache
-``mod_headers`` module can be used to add HTTP request headers to the
-proxy request, for example:
-
-::
-
- RequestHeader set MY_HEADER MY_VALUE
-
-Where does the value MY_VALUE come from? It can be hardcoded into the
-``RequestHeader`` statement or it can reference an existing
-environment variable like this:
-
-::
-
- RequestHeader set MY_HEADER %{FOOBAR}e
-
-where the notation ``%{FOOBAR}e`` is the contents of the environment
-variable FOOBAR. Thus we might expect we could do this:
-
-::
-
- RequestHeader set REMOTE_USER %{REMOTE_USER}e
-
-The conundrum is the presumption the ``REMOTE_USER`` environment
-variable has already been set at the time ``mod_headers`` executes the
-``RequestHeader`` statement. Unfortunately this often is not the
-case.
-
-The Apache environment variables ``REMOTE_USER`` and ``AUTH_TYPE`` are
-set by the Apache function ``ap_add_common_vars()`` defined in
-server/util_script.c. ``ap_add_common_vars()`` and is called by the
-following modules:
-
- * mod_authnz_fcgi
- * mod_proxy_fcgi
- * mod_proxy_scgi
- * mod_isapi
- * mod_ext_filter
- * mod_include
- * mod_cgi
- * mod_cgid
-
-Apache variables
-================
-
-Apache modules provide access to variables which can be referenced by
-configuration directives. Unfortunately there isn't a lot of
-uniformity to what the variables are and how they're referenced; it
-mostly depends on how a given Apache module was implemented. As you
-might imagine a bit of inconsistent historical cruft has accumulated
-over the years, it can be confusing. The Apache Foundation is trying
-to clean some of this up bringing uniformity to modules by utilizing
-the common ``expr`` (expression) module `ap_expr`_. The idea being modules will
-forgo their home grown expression syntax with its numerous quirks and
-instead expose the common ``expr`` language. However this is a work in
-progress and at the time of this writing only a few modules have acquired
-``expr`` expression support.
-
-Among the existing Apache modules there currently are three different
-sets of variables.
-
- 1. Server variables.
- 2. Environment variables.
- 3. SSL variables.
-
-Server variables (item 1) are names given to internal values. The set
-of names for server variables and what they map to are defined by the
-module implementing the server variable lookup. For example
-``mod_rewrite`` has its own variable lookup implementation.
-
-Environment variables (item 2) are variables *exported* to a
-subprocess. Internally they are stored in
-``request->subprocess_env``. The most common use of environment
-variables exported to a subprocess are the CGI variables.
-
-SSL variables are connection specific values describing the SSL
-connection. The lookup is implemented by ``ssl_var_lookup()``, which
-given a variable name looks in a variety of internal data structures to
-find the matching value.
-
-The important thing to remember is **server variables != environment
-variables**. This can be confusing because they often share the same
-name. For example, there is the server variable ``REMOTE_USER`` and
-there is the environment variable ``REMOTE_USER``. The environment
-variable ``REMOTE_USER`` only exists if some module has called
-``ap_add_common_vars()``. To complicate matters, some modules allow you
-to access *server variables*, other modules allow you to access
-*environment variables* and some modules provide access to both
-*server variables* and *environment variables*.
-
-Coming back to our goal of setting an HTTP extension header to the
-value of ``REMOTE_USER``, we observe that ``mod_headers`` provides the
-needed ``RequestHeader`` operation to set a HTTP header in the
-request. Looking at the documentation for ``RequestHeader`` we see a
-value can be specified with one of the following lookups:
-
-%{VARNAME}e
- The contents of the environment variable VARNAME.
-
-%{VARNAME}s
- The contents of the SSL environment variable VARNAME, if mod_ssl is enabled.
-
-But wait! This only gives us access to *environment variables* and the
-``REMOTE_USER`` environment variable is only set if
-``ap_add_common_vars()`` is called by a module **after** an
-authentication module runs! ``ap_add_common_vars()`` is usually only
-invoked if the request is going to be passed to a CGI script. But
-we're not doing CGI; instead we're proxying the request. The
-likelihood the ``REMOTE_USER`` environment variable will be set is
-quite low. See `Setting the REMOTE_USER environment variable`_.
-
-``mod_headers`` is the only way to set a HTTP extension header and
-``mod_headers`` only gives you access to environment variables and the
-``REMOTE_USER`` environment variable is not set. Therefore if we're
-not using AJP and must depend on setting a HTTP extension header for
-``REMOTE_USER``, we have a **serious problem**.
-
-But there is a solution; you can either try the machinations described
-in `Setting the REMOTE_USER environment variable`_ or assure you're
-running at least Apache version 2.4.10. In Apache 2.4.10 the
-``mod_headers`` module added support for `ap_expr`_. `ap_expr`_
-provides access to *server variables* by using the ``%{VARIABLE}``
-notation. `ap_expr`_ also can lookup subprocess environment variables
-and operating system environment variables using its ``reqenv()`` and
-``osenv()`` functions respectively.
-
-Thus the simple solution for exporting the ``REMOTE_USER`` HTTP
-extension header if you're running Apache 2.4.10 or later is:
-
-::
-
- RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
-
-The ``expr=%{REMOTE_USER}`` in the above statement says pass
-``%{REMOTE_USER}`` as an expression to `ap_expr`_, evaluate the
-expression and return the value. In this case the expression
-``%{REMOTE_USER}`` is very simple, just the value of the server
-variables ``REMOTE_USER``. Because ``RequestHeader`` runs after
-authentication ``request->user`` will have been set.
-
-Setting the REMOTE_USER environment variable
-============================================
-
-If you do a web search on how to export ``REMOTE_USER`` in a HTTP
-extension header for a proxy you will discover this is a common
-problem that has frustrated a lot of people [2]_. The usual advice seems to
-be to use ``mod_rewrite`` with a look-ahead. In fact this is even
-documented in the `mod_rewrite documentation for REMOTE_USER`_ which says:
-
- %{LA-U:variable} can be used for look-aheads which perform an
- internal (URL-based) sub-request to determine the final value of
- variable. This can be used to access variable for rewriting which is
- not available at the current stage, but will be set in a later
- phase.
-
- For instance, to rewrite according to the REMOTE_USER variable from
- within the per-server context (httpd.conf file) you must use
- %{LA-U:REMOTE_USER} - this variable is set by the authorization
- phases, which come after the URL translation phase (during which
- mod_rewrite operates).
-
-One suggested solution is this:
-
-::
-
- RewriteCond %{LA-U:REMOTE_USER} (.+)
- RewriteRule .* - [E=RU:%1]
- RequestHeader set X_REMOTE_USER %{RU}e
-
-1. The RewriteCond with the %{LA-U:} construct performs an internal
- redirect to obtain the value of ``REMOTE_USER`` *server variable*,
- if that value is non-empty because the (.+) regular expression
- matched the rewrite condition succeeds and the following
- RewriteRule executes.
-
-2. The RewriteRule executes, the first parameter is a pattern, the
- second parameter is the replacement which can be followed by
- optional flags inside brackets. The .* pattern is a regular
- expression that matches anything, the - replacement is a special
- value which indicates no replacement is to be performed. In other
- words the pattern and replacement are no-ops and the RewriteRule is
- just being used for it's side effect defined in the flags. The
- E=NAME:VALUE notation says set the NAME environment variable to
- VALUE. In this case the environment variable is RU and the value is
- %1. The documentation for RewriteRule tells us that %N are
- back-references to the last matched RewriteCond pattern, in this
- case it's the value of ``REMOTE_USER``.
-
-3. Finally ``RequestHeader`` sets the request header
- ``X_REMOTE_USER`` to the value of the ``RU`` environment variable.
-
-Another suggested solution is this:
-
-::
-
- RewriteRule .* - [E=REMOTE_USER:%{LA-U:REMOTE_USER}]
-
-The Problem with mod_rewrite lookahead
---------------------------------------
-
-I **do not recommend** using mod_rewrite's lookahead to gain access to
-authentication data values. Although the above suggestions will work
-to get access to ``REMOTE_USER`` it is *extremely inefficient* because
-it causes Apache to reprocess the request with an internal
-redirect. The documentation suggests a lookahead reference will cause
-one internal redirect. However from examining Apache debug logs the
-``mod_rewite`` lookahead caused ``mod_lookup_identity`` to be invoked
-**11 times** while handling one request. If the ``mod_rewrite``
-lookahead is removed and another technique is used to get access to
-``REMOTE_USER`` then ``mod_lookup_identity`` is invoked exactly once
-as expected.
-
-But it's not just ``REMOTE_USER`` which we need access to, we also need
-to reference ``AUTH_TYPE`` which has the identical issues associated
-with ``REMOTE_USER``. If an equivalent ``mod_rewrite`` block is added
-to the configuration for ``AUTH_TYPE`` so that both ``REMOTE_USER``
-and ``auth_type`` are resolved using a lookahead Apache appears to go
-into an infinite loop and the request stalls.
-
-I tried to debug what was occurring when Apache was configured this way
-and why it seemed to be executing the same code over and over but I
-was not able to figure it out. My conclusion is **using mod_rewrite
-lookahead's is not a viable solution!** Other web posts also make
-reference to the inefficiency but they seem to be unaware of just how
-bad it is.
-
-.. [1]
- Tomcat has a bug/feature, not all attributes are enumerated by
- getAttributeNames() therefore getAttributeNames() cannot be used to
- obtain the full set of attributes. However if you know the name of
- the attribute a priori you can call getAttribute() and obtain the
- value. Therefore we maintain a list of attribute names
- (httpAttributes) which will be used to call getAttribute() with so we
- don't miss essential attributes.
-
- This is the Tomcat bug, note it is marked WONTFIX. Bug 25363 -
- request.getAttributeNames() not working properly Status: RESOLVED
- WONTFIX https://issues.apache.org/bugzilla/show_bug.cgi?id=25363
-
- The solution adopted by Tomcat is to document the behavior in the
- "The Apache Tomcat Connector - Reference Guide" under the JkEnvVar
- property where is says:
-
- You can retrieve the variables on Tomcat as request attributes via
- request.getAttribute(attributeName). Note that the variables send via
- JkEnvVar will not be listed in request.getAttributeNames().
-
-.. [2]
- Some examples of posts concerning the export of ``REMOTE_USER`` include:
- http://www.jaddog.org/2010/03/22/how-to-proxy-pass-remote_user/ and
- http://serverfault.com/questions/23273/apache-proxy-passing-on-remote-user-to-backend-server/
-
-.. [3]
- The ``mod_lookup_identity`` ``LookupUserGroups`` option accepts an
- optional parameter to specify the separator used to separate group
- names. By convention this is normally the colon (:) character. In
- our examples we explicitly specify the colon separator because the
- mapping rules split the value found in ``REMOTE_USER_GROUPS`` on
- the colon character.
-
-.. [4]
- The example of using the `The Mapping Rule Processor`_ to establish
- the set of roles assigned to a user based on group membership is
- for illustrative purposes in order to show features of the
- federated IdP and mapping mechanism. Role assignment in AAA may be
- done in other ways. For example an unscoped token without roles can
- be used to acquire a scoped token with roles by presenting it to
- the appropriate REST API endpoint. In actual deployments this may
- be preferable because it places the responsibility of deciding who
- has what role/permission on what part of the controller/network
- resources more in the hands of the SDN controller administrator
- than the IdP administrator.
-
-.. _FreeIPA: http://www.freeipa.org/
-
-.. _SSSD: https://fedorahosted.org/sssd/
-
-.. _mod_identity_lookup: http://www.adelton.com/apache/mod_lookup_identity/
-
-.. _AJP: http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
-
-.. _Tomcat Security How-To: http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
-
-.. _The Apache Tomcat Connector - Generic HowTo: http://tomcat.apache.org/connectors-doc/generic_howto/printer/proxy.html
-
-.. _CGI RFC: http://www.ietf.org/rfc/rfc3875
-
-.. _ap_expr: http://httpd.apache.org/docs/current/expr.html
-
-.. _mod_rewrite documentation for REMOTE_USER: http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond
-
-.. _bug 53098: https://issues.apache.org/bugzilla/show_bug.cgi?id=53098
-
-.. _Jetty AJP Configuration Guide: http://wiki.eclipse.org/Jetty/Howto/Configure_AJP13
-
-.. _Bug 387928: https://bugs.eclipse.org/bugs/show_bug.cgi?id=387928
-
-.. _Tomcat Remote Address Valve: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java
deleted file mode 100644
index 25ba898b..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-/**
- * An immutable authentication context.
- *
- * @author liemmn
- */
-public interface Authentication extends Claim {
-
- /**
- * Get the authentication expiration date/time in number of milliseconds
- * since start of epoch.
- *
- * @return expiration milliseconds since start of UTC epoch
- */
- long expiration();
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationException.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationException.java
deleted file mode 100644
index d4621527..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationException.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-/**
- * A catch-all authentication exception.
- *
- * @author liemmn
- *
- */
-public class AuthenticationException extends RuntimeException {
- private static final long serialVersionUID = -187422301135305719L;
-
- public AuthenticationException(String msg) {
- super(msg);
- }
-
- public AuthenticationException(String msg, Throwable cause) {
- super(msg, cause);
- }
-
- public AuthenticationException(Throwable cause) {
- super(cause);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java
deleted file mode 100644
index 24ae9238..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-/**
- * Authentication service to provide authentication context.
- */
-public interface AuthenticationService {
- /**
- * Retrieve the current security context, or null if none exists.
- *
- * @return security context
- */
- Authentication get();
-
- /**
- * Set the current security context. Only {@link TokenAuth} should set
- * security context based on the authentication result.
- *
- * @param auth
- * security context
- */
- void set(Authentication auth);
-
- /**
- * Clear the current security context.
- */
- void clear();
-
- /**
- * Checks to see if authentication is enabled.
- *
- * @return true if it is, false otherwise
- */
- boolean isAuthEnabled();
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java
deleted file mode 100644
index 7d9a229a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-import java.util.Set;
-
-/**
- * A claim typically provided by an identity provider after validating the
- * needed identity and credentials.
- *
- * @author liemmn
- *
- */
-public interface Claim {
- /**
- * Get the id of the authorized client. If the id is an empty string, it
- * means that the client is anonymous.
- *
- * @return id of the authorized client, or empty string if anonymous
- */
- String clientId();
-
- /**
- * Get the user id. User IDs are system-created.
- *
- * @return unique user id
- */
- String userId();
-
- /**
- * Get the user name. User names are externally created.
- *
- * @return unique user name
- */
- String user();
-
- /**
- * Get the fully-qualified domain name. Domain names are externally created.
- *
- * @return unique domain name, or empty string for a claim tied to no domain
- */
- String domain();
-
- /**
- * Get a set of user roles. Roles are externally created.
- *
- * @return set of user roles
- */
- Set<String> roles();
-} \ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java
deleted file mode 100644
index 447ffb35..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-import java.util.Map;
-
-/**
- * An interface for in-bound claim transformation.
- *
- * @author liemmn
- *
- */
-public interface ClaimAuth {
-
- /**
- * Transform a map of opaque in-bound claims into a {@link Claim} object. An
- * example of an opaque claim map entry is
- * <code>"USER_NAME" -&gt; "joe".</code>
- * <p>
- * If there is no applicable claim information for the current
- * implementation, this method should return a <code>null</code>.
- * <p>
- * In-bound claims are extracted from HttpServletRequest attributes,
- * headers, and CGI variables as documented per Servlet specs.
- *
- * @param claim
- * opaque claim
- * @return normalized claim, or null if not applicable
- */
- Claim transform(Map<String, Object> claim);
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClientService.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClientService.java
deleted file mode 100644
index c11eec1c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClientService.java
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-/**
- * A service for managing authorized clients to the controller.
- *
- * @author liemmn
- *
- */
-public interface ClientService {
-
- void validate(String clientId, String clientSecret) throws AuthenticationException;
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java
deleted file mode 100644
index 341e49ae..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-/**
- * An interface for direct authentication with some given credentials.
- *
- * @author liemmn
- */
-public interface CredentialAuth<T extends Credentials> {
-
- /**
- * Authenticate a claim with the given credentials and domain scope.
- *
- * @param cred
- * credentials
- * @throws AuthenticationException
- * if failed authentication
- * @return authenticated claim
- */
- Claim authenticate(T cred) throws AuthenticationException;
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java
deleted file mode 100644
index 7d2f19e5..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-/**
- * An interface to represent user credentials.
- */
-public interface Credentials {
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreException.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreException.java
deleted file mode 100644
index 026c11ce..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreException.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.api;
-
-/*
- * @author - Sharon Aicler (saichler@cisco.com)
- */
-public class IDMStoreException extends Exception {
-
- private static final long serialVersionUID = -7534127680943957878L;
-
- public IDMStoreException(Exception e) {
- super(e);
- }
-
- public IDMStoreException(String msg) {
- super(msg);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreUtil.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreUtil.java
deleted file mode 100644
index 07dd522f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreUtil.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.api;
-
-import javax.naming.OperationNotSupportedException;
-
-/*
- * This class is a utility to construct the different elements keys for the different data stores.
- * For not making mistakes around the code constructing an element key, this class standardize the
- * way the key is constructed to be used by the different data stores.
- *
- * @author - Sharon Aicler (saichler@cisco.com)
- */
-
-public class IDMStoreUtil {
- private IDMStoreUtil() throws OperationNotSupportedException {
- throw new OperationNotSupportedException();
- }
-
- public static String createDomainid(String domainName) {
- return domainName;
- }
-
- public static String createUserid(String username, String domainid) {
- return username + "@" + domainid;
- }
-
- public static String createRoleid(String rolename, String domainid) {
- return rolename + "@" + domainid;
- }
-
- public static String createGrantid(String userid, String domainid, String roleid) {
- return userid + "@" + roleid + "@" + domainid;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IIDMStore.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IIDMStore.java
deleted file mode 100644
index 7b031e05..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IIDMStore.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.api;
-
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Domains;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Grants;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.Roles;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.Users;
-
-/**
- * @author - Sharon Aicler (saichler@cisco.com)
- **/
-public interface IIDMStore {
- public String DEFAULT_DOMAIN = "sdn";
-
- // Domain methods
- public Domain writeDomain(Domain domain) throws IDMStoreException;
-
- public Domain readDomain(String domainid) throws IDMStoreException;
-
- public Domain deleteDomain(String domainid) throws IDMStoreException;
-
- public Domain updateDomain(Domain domain) throws IDMStoreException;
-
- public Domains getDomains() throws IDMStoreException;
-
- // Role methods
- public Role writeRole(Role role) throws IDMStoreException;
-
- public Role readRole(String roleid) throws IDMStoreException;
-
- public Role deleteRole(String roleid) throws IDMStoreException;
-
- public Role updateRole(Role role) throws IDMStoreException;
-
- public Roles getRoles() throws IDMStoreException;
-
- // User methods
- public User writeUser(User user) throws IDMStoreException;
-
- public User readUser(String userid) throws IDMStoreException;
-
- public User deleteUser(String userid) throws IDMStoreException;
-
- public User updateUser(User user) throws IDMStoreException;
-
- public Users getUsers() throws IDMStoreException;
-
- public Users getUsers(String username, String domain) throws IDMStoreException;
-
- // Grant methods
- public Grant writeGrant(Grant grant) throws IDMStoreException;
-
- public Grant readGrant(String grantid) throws IDMStoreException;
-
- public Grant deleteGrant(String grantid) throws IDMStoreException;
-
- public Grants getGrants(String domainid, String userid) throws IDMStoreException;
-
- public Grants getGrants(String userid) throws IDMStoreException;
-
- public Grant readGrant(String domainid, String userid, String roleid) throws IDMStoreException;
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IdMService.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IdMService.java
deleted file mode 100644
index 1d698da5..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IdMService.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-import java.util.List;
-
-/**
- * A service to provide identity information.
- *
- * @author liemmn
- *
- */
-public interface IdMService {
- /**
- * List all domains that the given user has at least one role on.
- *
- * @param userId
- * id of user
- * @return list of all domains that the given user has access to
- */
- List<String> listDomains(String userId);
-
- /**
- * List all roles that the given user has on the given domain.
- *
- * @param userId
- * id of user
- * @param domain
- * domain
- * @return list of roles
- */
- List<String> listRoles(String userId, String domain);
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java
deleted file mode 100644
index e5fa346d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-/**
- * Good 'ole username/password.
- */
-public interface PasswordCredentials extends Credentials {
- String username();
-
- String password();
-
- String domain();
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/SHA256Calculator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/SHA256Calculator.java
deleted file mode 100644
index 903fe3de..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/SHA256Calculator.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.api;
-
-import java.security.MessageDigest;
-import java.util.concurrent.locks.ReentrantReadWriteLock;
-import java.util.concurrent.locks.ReentrantReadWriteLock.WriteLock;
-import javax.xml.bind.DatatypeConverter;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * @author Sharon Aicler (saichler@cisco.com)
- */
-public class SHA256Calculator {
-
- private static final Logger LOG = LoggerFactory.getLogger(SHA256Calculator.class);
-
- private static MessageDigest md = null;
- private static ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
- private static WriteLock writeLock = lock.writeLock();
-
- public static String generateSALT() {
- StringBuffer salt = new StringBuffer();
- for (int i = 0; i < 12; i++) {
- int random = (int) (Math.random() * 24 + 1);
- salt.append((char) (65 + random));
- }
- return salt.toString();
- }
-
- public static String getSHA256(byte data[], String salt) {
- byte SALT[] = salt.getBytes();
- byte temp[] = new byte[data.length + SALT.length];
- System.arraycopy(data, 0, temp, 0, data.length);
- System.arraycopy(SALT, 0, temp, data.length, SALT.length);
-
- if (md == null) {
- try {
- writeLock.lock();
- if (md == null) {
- try {
- md = MessageDigest.getInstance("SHA-256");
- } catch (Exception err) {
- LOG.error("Error calculating SHA-256 for SALT", err);
- }
- }
- } finally {
- writeLock.unlock();
- }
- }
-
- byte by[] = null;
-
- try {
- writeLock.lock();
- md.update(temp);
- by = md.digest();
- } finally {
- writeLock.unlock();
- }
- //Make sure the outcome hash does not contain special characters
- return DatatypeConverter.printBase64Binary(by);
- }
-
- public static String getSHA256(String password, String salt) {
- return getSHA256(password.getBytes(), salt);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java
deleted file mode 100644
index bbf6fa2b..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-import java.util.List;
-import java.util.Map;
-
-/**
- * An interface for in-bound token authentication.
- *
- * @author liemmn
- */
-public interface TokenAuth {
-
- /**
- * Validate the given token contained in the in-bound headers.
- * <p>
- * If there is no token signature in the given headers for this
- * implementation, this method should return a null. If there is an
- * applicable token signature, but the token validation fails, this method
- * should throw an {@link AuthenticationException}.
- *
- * @param headers
- * headers containing token to validate
- * @return authenticated context, or null if not applicable
- * @throws AuthenticationException
- * if authentication fails
- */
- Authentication validate(Map<String, List<String>> headers) throws AuthenticationException;
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java
deleted file mode 100644
index 4cd7aa78..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api;
-
-/**
- * A datastore for auth tokens.
- *
- * @author liemmn
- *
- */
-public interface TokenStore {
- void put(String token, Authentication auth);
-
- Authentication get(String token);
-
- boolean delete(String token);
-
- long tokenExpiration();
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Claim.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Claim.java
deleted file mode 100644
index 180bddfb..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Claim.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import java.util.List;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "Claim")
-public class Claim {
- private String domainid;
- private String userid;
- private String username;
- private List<Role> roles;
-
- public String getDomainid() {
- return domainid;
- }
-
- public void setDomainid(String id) {
- this.domainid = id;
- }
-
- public String getUserid() {
- return userid;
- }
-
- public void setUserid(String id) {
- this.userid = id;
- }
-
- public String getUsername() {
- return username;
- }
-
- public void setUsername(String name) {
- this.username = name;
- }
-
- public List<Role> getRoles() {
- return roles;
- }
-
- public void setRoles(List<Role> roles) {
- this.roles = roles;
- }
-
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domain.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domain.java
deleted file mode 100644
index a42e0b6d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domain.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "domain")
-public class Domain {
- private String domainid;
- private String name;
- private String description;
- private Boolean enabled;
-
- public String getDomainid() {
- return domainid;
- }
-
- public void setDomainid(String id) {
- this.domainid = id;
- }
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- public Boolean isEnabled() {
- return enabled;
- }
-
- public void setEnabled(Boolean enabled) {
- this.enabled = enabled;
- }
-
- @Override
- public int hashCode() {
- return this.name.hashCode();
- }
-
- @Override
- public boolean equals(Object obj) {
- Domain other = (Domain) obj;
- if (other == null)
- return false;
- if (compareValues(getName(), other.getName())
- && compareValues(getDomainid(), other.getDomainid())
- && compareValues(getDescription(), other.getDescription()))
- return true;
- return false;
- }
-
- private boolean compareValues(Object a, Object b) {
- if (a == null && b != null)
- return false;
- if (a != null && b == null)
- return false;
- if (a == null && b == null)
- return true;
- if (a.equals(b))
- return true;
- return false;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domains.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domains.java
deleted file mode 100644
index a8f2064b..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domains.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "domains")
-public class Domains {
- private List<Domain> domains = new ArrayList<Domain>();
-
- public void setDomains(List<Domain> domains) {
- this.domains = domains;
- }
-
- public List<Domain> getDomains() {
- return domains;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grant.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grant.java
deleted file mode 100644
index 20c2d128..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grant.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "grant")
-public class Grant {
- private String grantid;
- private String domainid;
- private String userid;
- private String roleid;
-
- public String getGrantid() {
- return this.grantid;
- }
-
- public void setGrantid(String id) {
- this.grantid = id;
- }
-
- public String getDomainid() {
- return domainid;
- }
-
- public void setDomainid(String id) {
- this.domainid = id;
- }
-
- public String getUserid() {
- return userid;
- }
-
- public void setUserid(String id) {
- this.userid = id;
- }
-
- public String getRoleid() {
- return roleid;
- }
-
- public void setRoleid(String id) {
- this.roleid = id;
- }
-
- @Override
- public int hashCode() {
- return this.getUserid().hashCode();
- }
-
- @Override
- public boolean equals(Object obj) {
- Grant other = (Grant) obj;
- if (other == null)
- return false;
- if (compareValues(getDomainid(), other.getDomainid())
- && compareValues(getRoleid(), other.getRoleid())
- && compareValues(getUserid(), other.getUserid()))
- return true;
- return false;
- }
-
- private boolean compareValues(Object a, Object b) {
- if (a == null && b != null)
- return false;
- if (a != null && b == null)
- return false;
- if (a == null && b == null)
- return true;
- if (a.equals(b))
- return true;
- return false;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grants.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grants.java
deleted file mode 100644
index ce0d9b85..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grants.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "grants")
-public class Grants {
- private List<Grant> grants = new ArrayList<Grant>();
-
- public void setGrants(List<Grant> grants) {
- this.grants = grants;
- }
-
- public List<Grant> getGrants() {
- return grants;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/IDMError.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/IDMError.java
deleted file mode 100644
index f44c43d9..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/IDMError.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import javax.ws.rs.core.Response;
-import javax.xml.bind.annotation.XmlRootElement;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-@XmlRootElement(name = "idmerror")
-public class IDMError {
- private static final Logger LOG = LoggerFactory.getLogger(IDMError.class);
-
- private String message;
- private String details;
- private int code = 500;
-
- public IDMError() {
- };
-
- public IDMError(int statusCode, String msg, String msgDetails) {
- code = statusCode;
- message = msg;
- details = msgDetails;
- }
-
- public String getMessage() {
- return message;
- }
-
- public void setMessage(String msg) {
- this.message = msg;
- }
-
- public String getDetails() {
- return details;
- }
-
- public void setDetails(String details) {
- this.details = details;
- }
-
- public Response response() {
- LOG.error("error: {} details: {} status: {}", this.message, this.details, code);
- return Response.status(this.code).entity(this).build();
- }
-
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Role.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Role.java
deleted file mode 100644
index de707496..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Role.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "role")
-public class Role {
- private String roleid;
- private String name;
- private String description;
- private String domainid;
-
- public String getRoleid() {
- return roleid;
- }
-
- public void setRoleid(String id) {
- this.roleid = id;
- }
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- @Override
- public int hashCode() {
- return this.name.hashCode();
- }
-
- @Override
- public boolean equals(Object obj) {
- Role other = (Role) obj;
- if (other == null)
- return false;
- if (compareValues(getName(), other.getName())
- && compareValues(getRoleid(), other.getRoleid())
- && compareValues(getDescription(), other.getDescription()))
- return true;
- return false;
- }
-
- public void setDomainid(String domainid) {
- this.domainid = domainid;
- }
-
- public String getDomainid() {
- return this.domainid;
- }
-
- private boolean compareValues(Object a, Object b) {
- if (a == null && b != null)
- return false;
- if (a != null && b == null)
- return false;
- if (a == null && b == null)
- return true;
- if (a.equals(b))
- return true;
- return false;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Roles.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Roles.java
deleted file mode 100644
index 33521028..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Roles.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "roles")
-public class Roles {
- private List<Role> roles = new ArrayList<Role>();
-
- public void setRoles(List<Role> roles) {
- this.roles = roles;
- }
-
- public List<Role> getRoles() {
- return roles;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/User.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/User.java
deleted file mode 100644
index c6c1f9a6..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/User.java
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "user")
-public class User {
- private String userid;
- private String name;
- private String description;
- private Boolean enabled;
- private String email;
- private String password;
- private String salt;
- private String domainid;
-
- public String getUserid() {
- return userid;
- }
-
- public void setUserid(String id) {
- this.userid = id;
- }
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- public Boolean isEnabled() {
- return enabled;
- }
-
- public void setEnabled(Boolean enabled) {
- this.enabled = enabled;
- }
-
- public void setEmail(String email) {
- this.email = email;
- }
-
- public String getEmail() {
- return email;
- }
-
- public void setPassword(String password) {
- this.password = password;
- }
-
- public String getPassword() {
- return password;
- }
-
- public void setSalt(String s) {
- this.salt = s;
- }
-
- public String getSalt() {
- return this.salt;
- }
-
- public String getDomainid() {
- return domainid;
- }
-
- public void setDomainid(String domainid) {
- this.domainid = domainid;
- }
-
- @Override
- public int hashCode() {
- return this.name.hashCode();
- }
-
- @Override
- public boolean equals(Object obj) {
- User other = (User) obj;
- if (other == null)
- return false;
- if (compareValues(getName(), other.getName())
- && compareValues(getEmail(), other.getEmail())
- && compareValues(isEnabled(), other.isEnabled())
- && compareValues(getPassword(), other.getPassword())
- && compareValues(getSalt(), other.getSalt())
- && compareValues(getUserid(), other.getUserid())
- && compareValues(getDescription(), other.getDescription()))
- return true;
- return false;
- }
-
- private boolean compareValues(Object a, Object b) {
- if (a == null && b != null)
- return false;
- if (a != null && b == null)
- return false;
- if (a == null && b == null)
- return true;
- if (a.equals(b))
- return true;
- return false;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/UserPwd.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/UserPwd.java
deleted file mode 100644
index 4750616d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/UserPwd.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "userpwd")
-public class UserPwd {
- private String username;
- private String userpwd;
-
- public String getUsername() {
- return username;
- }
-
- public void setUsername(String name) {
- this.username = name;
- }
-
- public String getUserpwd() {
- return userpwd;
- }
-
- public void setUserpwd(String pwd) {
- this.userpwd = pwd;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Users.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Users.java
deleted file mode 100644
index a0a001bd..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Users.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "users")
-public class Users {
- private List<User> users = new ArrayList<User>();
-
- public void setUsers(List<User> users) {
- this.users = users;
- }
-
- public List<User> getUsers() {
- return users;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Version.java b/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Version.java
deleted file mode 100644
index a88c1f80..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Version.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.api.model;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "version")
-public class Version {
- private String id;
- private String updated;
- private String status;
-
- public String getId() {
- return id;
- }
-
- public void setId(String id) {
- this.id = id;
- }
-
- public String getUpdated() {
- return updated;
- }
-
- public void setUpdated(String name) {
- this.updated = name;
- }
-
- public String getStatus() {
- return status;
- }
-
- public void setStatus(String status) {
- this.status = status;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-basic/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-basic/pom.xml
deleted file mode 100644
index 47562896..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-basic/pom.xml
+++ /dev/null
@@ -1,76 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-basic</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Bundle-Activator>org.opendaylight.aaa.basic.Activator</Bundle-Activator>
- </instructions>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </configuration>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/Activator.java
deleted file mode 100644
index bd57c9d3..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/Activator.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.basic;
-
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.opendaylight.aaa.api.CredentialAuth;
-import org.opendaylight.aaa.api.TokenAuth;
-import org.osgi.framework.BundleContext;
-
-public class Activator extends DependencyActivatorBase {
-
- @Override
- public void init(BundleContext context, DependencyManager manager) throws Exception {
- manager.add(createComponent()
- .setInterface(new String[] { TokenAuth.class.getName() }, null)
- .setImplementation(HttpBasicAuth.class)
- .add(createServiceDependency().setService(CredentialAuth.class).setRequired(true)));
- }
-
- @Override
- public void destroy(BundleContext context, DependencyManager manager) throws Exception {
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/HttpBasicAuth.java b/upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/HttpBasicAuth.java
deleted file mode 100644
index eff47e63..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/HttpBasicAuth.java
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.basic;
-
-import com.sun.jersey.core.util.Base64;
-import java.util.List;
-import java.util.Map;
-import org.opendaylight.aaa.AuthenticationBuilder;
-import org.opendaylight.aaa.PasswordCredentialBuilder;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.AuthenticationException;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.aaa.api.CredentialAuth;
-import org.opendaylight.aaa.api.PasswordCredentials;
-import org.opendaylight.aaa.api.TokenAuth;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * An HTTP Basic authenticator. Note that this is provided as a Hydrogen
- * backward compatible authenticator, but usage of this authenticator or HTTP
- * Basic Authentication is highly discouraged due to its vulnerability.
- *
- * To obtain a token using the HttpBasicAuth Strategy, add a header to your HTTP
- * request in the form:
- * <code>Authorization: Basic BASE_64_ENCODED_CREDENTIALS</code>
- *
- * Where <code>BASE_64_ENCODED_CREDENTIALS</code> is the base 64 encoded value
- * of the user's credentials in the following form: <code>user:password</code>
- *
- * For example, assuming the user is "admin" and the password is "admin":
- * <code>Authorization: Basic YWRtaW46YWRtaW4=</code>
- *
- * @author liemmn
- *
- */
-public class HttpBasicAuth implements TokenAuth {
-
- public static final String AUTH_HEADER = "Authorization";
-
- public static final String AUTH_SEP = ":";
-
- public static final String BASIC_PREFIX = "Basic ";
-
- // TODO relocate this constant
- public static final String DEFAULT_DOMAIN = "sdn";
-
- /**
- * username and password
- */
- private static final int NUM_HEADER_CREDS = 2;
-
- /**
- * username, password and domain
- */
- private static final int NUM_TOKEN_CREDS = 3;
-
- private static final Logger LOG = LoggerFactory.getLogger(HttpBasicAuth.class);
-
- volatile CredentialAuth<PasswordCredentials> credentialAuth;
-
- private static boolean checkAuthHeaderFormat(final String authHeader) {
- return (authHeader != null && authHeader.startsWith(BASIC_PREFIX));
- }
-
- private static String extractAuthHeader(final Map<String, List<String>> headers) {
- return headers.get(AUTH_HEADER).get(0);
- }
-
- private static String[] extractCredentialArray(final String authHeader) {
- return new String(Base64.base64Decode(authHeader.substring(BASIC_PREFIX.length())))
- .split(AUTH_SEP);
- }
-
- private static boolean verifyCredentialArray(final String[] creds) {
- return (creds != null && creds.length == NUM_HEADER_CREDS);
- }
-
- private static String[] addDomainToCredentialArray(final String[] creds) {
- String newCredentialArray[] = new String[NUM_TOKEN_CREDS];
- System.arraycopy(creds, 0, newCredentialArray, 0, creds.length);
- newCredentialArray[2] = DEFAULT_DOMAIN;
- return newCredentialArray;
- }
-
- private static Authentication generateAuthentication(
- CredentialAuth<PasswordCredentials> credentialAuth, final String[] creds)
- throws ArrayIndexOutOfBoundsException {
- final PasswordCredentials pc = new PasswordCredentialBuilder().setUserName(creds[0])
- .setPassword(creds[1]).setDomain(creds[2]).build();
- final Claim claim = credentialAuth.authenticate(pc);
- return new AuthenticationBuilder(claim).build();
- }
-
- @Override
- public Authentication validate(final Map<String, List<String>> headers)
- throws AuthenticationException {
- if (headers.containsKey(AUTH_HEADER)) {
- final String authHeader = extractAuthHeader(headers);
- if (checkAuthHeaderFormat(authHeader)) {
- // HTTP Basic Auth
- String[] creds = extractCredentialArray(authHeader);
- // If no domain was supplied then use the default one, which is
- // "sdn".
- if (verifyCredentialArray(creds)) {
- creds = addDomainToCredentialArray(creds);
- }
- // Assumes correct formatting in form Base64("user:password").
- // Throws an exception if an unknown format is used.
- try {
- return generateAuthentication(this.credentialAuth, creds);
- } catch (ArrayIndexOutOfBoundsException e) {
- final String message = "Login Attempt in Bad Format."
- + " Please provide user:password in Base64 format.";
- LOG.info(message);
- throw new AuthenticationException(message);
- }
- }
- }
- return null;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/test/java/org/opendaylight/aaa/basic/HttpBasicAuthTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/test/java/org/opendaylight/aaa/basic/HttpBasicAuthTest.java
deleted file mode 100644
index 4ee439df..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-basic/src/test/java/org/opendaylight/aaa/basic/HttpBasicAuthTest.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.basic;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-import com.sun.jersey.core.util.Base64;
-import java.io.UnsupportedEncodingException;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import org.junit.Before;
-import org.junit.Test;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.PasswordCredentialBuilder;
-import org.opendaylight.aaa.api.AuthenticationException;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.aaa.api.CredentialAuth;
-
-public class HttpBasicAuthTest {
- private static final String USERNAME = "admin";
- private static final String PASSWORD = "admin";
- private static final String DOMAIN = "sdn";
- private HttpBasicAuth auth;
-
- @SuppressWarnings("unchecked")
- @Before
- public void setup() {
- auth = new HttpBasicAuth();
- auth.credentialAuth = mock(CredentialAuth.class);
- when(
- auth.credentialAuth.authenticate(new PasswordCredentialBuilder()
- .setUserName(USERNAME).setPassword(PASSWORD).setDomain(DOMAIN).build()))
- .thenReturn(
- new ClaimBuilder().setUser("admin").addRole("admin").setUserId("123")
- .build());
- when(
- auth.credentialAuth.authenticate(new PasswordCredentialBuilder()
- .setUserName(USERNAME).setPassword("bozo").setDomain(DOMAIN).build()))
- .thenThrow(new AuthenticationException("barf"));
- }
-
- @Test
- public void testValidateOk() throws UnsupportedEncodingException {
- String data = USERNAME + ":" + PASSWORD + ":" + DOMAIN;
- Map<String, List<String>> headers = new HashMap<>();
- headers.put("Authorization",
- Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
- Claim claim = auth.validate(headers);
- assertNotNull(claim);
- assertEquals(USERNAME, claim.user());
- assertEquals("admin", claim.roles().iterator().next());
- }
-
- @Test(expected = AuthenticationException.class)
- public void testValidateBadPassword() throws UnsupportedEncodingException {
- String data = USERNAME + ":bozo:" + DOMAIN;
- Map<String, List<String>> headers = new HashMap<>();
- headers.put("Authorization",
- Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
- auth.validate(headers);
- }
-
- @Test(expected = AuthenticationException.class)
- public void testValidateBadPasswordNoDOMAIN() throws UnsupportedEncodingException {
- String data = USERNAME + ":bozo";
- Map<String, List<String>> headers = new HashMap<>();
- headers.put("Authorization",
- Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
- auth.validate(headers);
- }
-
- @Test(expected = AuthenticationException.class)
- public void testBadHeaderFormatNoPassword() throws UnsupportedEncodingException {
- // just provide the username
- String data = USERNAME;
- Map<String, List<String>> headers = new HashMap<>();
- headers.put("Authorization",
- Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
- auth.validate(headers);
- }
-
- @Test(expected = AuthenticationException.class)
- public void testBadHeaderFormat() throws UnsupportedEncodingException {
- // provide username:
- String data = USERNAME + "$" + PASSWORD;
- Map<String, List<String>> headers = new HashMap<>();
- headers.put("Authorization",
- Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
- auth.validate(headers);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/pom.xml
deleted file mode 100644
index e217f48c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/pom.xml
+++ /dev/null
@@ -1,132 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-federation</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>javax.servlet-api</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.common</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>com.sun.jersey.jersey-test-framework</groupId>
- <artifactId>jersey-test-framework-grizzly2</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-servlet-tester</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Import-Package>*,com.sun.jersey.spi.container.servlet</Import-Package>
- <Web-ContextPath>/oauth2/federation</Web-ContextPath>
- <Web-Connectors>federationConn</Web-Connectors>
- <Bundle-Activator>org.opendaylight.aaa.federation.Activator</Bundle-Activator>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </instructions>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>attach-artifacts</id>
- <phase>package</phase>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/federation.cfg</file>
- <type>cfg</type>
- <classifier>config</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/Activator.java
deleted file mode 100644
index 4ae027c8..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/Activator.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.federation;
-
-import java.util.Dictionary;
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.opendaylight.aaa.api.ClaimAuth;
-import org.opendaylight.aaa.api.IdMService;
-import org.opendaylight.aaa.api.TokenStore;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.Constants;
-import org.osgi.service.cm.ManagedService;
-
-/**
- * An activator for the secure token server to inject in a
- * <code>CredentialAuth</code> implementation.
- *
- * @author liemmn
- *
- */
-public class Activator extends DependencyActivatorBase {
- private static final String FEDERATION_PID = "org.opendaylight.aaa.federation";
-
- @Override
- public void init(BundleContext context, DependencyManager manager) throws Exception {
- manager.add(createComponent()
- .setImplementation(ServiceLocator.getInstance())
- .add(createServiceDependency().setService(TokenStore.class).setRequired(true))
- .add(createServiceDependency().setService(IdMService.class).setRequired(true))
- .add(createServiceDependency().setService(ClaimAuth.class).setRequired(false)
- .setCallbacks("claimAuthAdded", "claimAuthRemoved")));
- context.registerService(ManagedService.class, FederationConfiguration.instance(),
- addPid(FederationConfiguration.defaults));
- }
-
- @Override
- public void destroy(BundleContext context, DependencyManager manager) throws Exception {
- }
-
- private Dictionary<String, ?> addPid(Dictionary<String, String> dict) {
- dict.put(Constants.SERVICE_PID, FEDERATION_PID);
- return dict;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ClaimAuthFilter.java b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ClaimAuthFilter.java
deleted file mode 100644
index 10a1277d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ClaimAuthFilter.java
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.federation;
-
-import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
-import static org.opendaylight.aaa.federation.FederationEndpoint.AUTH_CLAIM;
-
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.aaa.api.ClaimAuth;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * A generic {@link Filter} for {@link ClaimAuth} implementations.
- * <p>
- * This filter trusts any authentication metadata bound to a request. A request
- * with fake authentication claims could be forged by an attacker and submitted
- * to one of the Connector ports the engine is listening on and we would blindly
- * accept the forged information in this filter. Therefore it is vital we only
- * accept authentication claims from a trusted proxy. It is incumbent upon the
- * site administrator to dedicate specific connector ports on which previously
- * authenticated requests from a trusted proxy will be sent to and to assure
- * only a trusted proxy can connect to that port. The site administrator must
- * enumerate those ports in the configuration. We reject any request which did
- * not originate on one of the configured secure proxy ports.
- *
- * @author liemmn
- *
- */
-public class ClaimAuthFilter implements Filter {
- private static final Logger LOG = LoggerFactory.getLogger(ClaimAuthFilter.class);
-
- private static final String CGI_AUTH_TYPE = "AUTH_TYPE";
- private static final String CGI_PATH_INFO = "PATH_INFO";
- private static final String CGI_PATH_TRANSLATED = "PATH_TRANSLATED";
- private static final String CGI_QUERY_STRING = "QUERY_STRING";
- private static final String CGI_REMOTE_ADDR = "REMOTE_ADDR";
- private static final String CGI_REMOTE_HOST = "REMOTE_HOST";
- private static final String CGI_REMOTE_PORT = "REMOTE_PORT";
- private static final String CGI_REMOTE_USER = "REMOTE_USER";
- private static final String CGI_REMOTE_USER_GROUPS = "REMOTE_USER_GROUPS";
- private static final String CGI_REQUEST_METHOD = "REQUEST_METHOD";
- private static final String CGI_SCRIPT_NAME = "SCRIPT_NAME";
- private static final String CGI_SERVER_PROTOCOL = "SERVER_PROTOCOL";
-
- static final String UNAUTHORIZED_PORT_ERR = "Unauthorized proxy port";
-
- @Override
- public void init(FilterConfig fc) throws ServletException {
- }
-
- @Override
- public void destroy() {
- }
-
- @Override
- public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
- throws IOException, ServletException {
- Set<Integer> secureProxyPorts;
- int localPort;
-
- // Check to see if we are communicated over an authorized port or not
- secureProxyPorts = FederationConfiguration.instance().secureProxyPorts();
- localPort = req.getLocalPort();
- if (!secureProxyPorts.contains(localPort)) {
- ((HttpServletResponse) resp).sendError(SC_UNAUTHORIZED, UNAUTHORIZED_PORT_ERR);
- return;
- }
-
- // Let's do some transformation!
- List<ClaimAuth> claimAuthCollection = ServiceLocator.getInstance().getClaimAuthCollection();
- for (ClaimAuth ca : claimAuthCollection) {
- Claim claim = ca.transform(claims((HttpServletRequest) req));
- if (claim != null) {
- req.setAttribute(AUTH_CLAIM, claim);
- // No need to do further transformation since it has been done
- break;
- }
- }
- chain.doFilter(req, resp);
- }
-
- // Extract attributes and headers out of the request
- private Map<String, Object> claims(HttpServletRequest req) {
- String name;
- Object objectValue;
- String stringValue;
- Map<String, Object> claims = new HashMap<>();
-
- /*
- * Tomcat has a bug/feature, not all attributes are enumerated by
- * getAttributeNames() therefore getAttributeNames() cannot be used to
- * obtain the full set of attributes. However if you know the name of
- * the attribute a priori you can call getAttribute() and obtain the
- * value. Therefore we maintain a list of attribute names
- * (httpAttributes) which will be used to call getAttribute() with so we
- * don't miss essential attributes.
- *
- * This is the Tomcat bug, note it is marked WONTFIX. Bug 25363 -
- * request.getAttributeNames() not working properly Status: RESOLVED
- * WONTFIX https://issues.apache.org/bugzilla/show_bug.cgi?id=25363
- *
- * The solution adopted by Tomcat is to document the behavior in the
- * "The Apache Tomcat Connector - Reference Guide" under the JkEnvVar
- * property where is says:
- *
- * You can retrieve the variables on Tomcat as request attributes via
- * request.getAttribute(attributeName). Note that the variables send via
- * JkEnvVar will not be listed in request.getAttributeNames().
- */
-
- // Capture attributes which can be enumerated ...
- @SuppressWarnings("unchecked")
- Enumeration<String> attrs = req.getAttributeNames();
- while (attrs.hasMoreElements()) {
- name = attrs.nextElement();
- objectValue = req.getAttribute(name);
- if (objectValue instanceof String) {
- // metadata might be i18n, assume UTF8 and decode
- stringValue = decodeUTF8((String) objectValue);
- objectValue = stringValue;
- }
- claims.put(name, objectValue);
- }
-
- // Capture specific attributes which cannot be enumerated ...
- for (String attr : FederationConfiguration.instance().httpAttributes()) {
- name = attr;
- objectValue = req.getAttribute(name);
- if (objectValue instanceof String) {
- // metadata might be i18n, assume UTF8 and decode
- stringValue = decodeUTF8((String) objectValue);
- objectValue = stringValue;
- }
- claims.put(name, objectValue);
- }
-
- /*
- * In general we should not utilize HTTP headers as validated security
- * assertions because they are too easy to forge. Therefore in general
- * we don't include HTTP headers, however in certain circumstances
- * specific headers may be acceptable, thus we permit an admin to
- * configure the capture of specific headers.
- */
- for (String header : FederationConfiguration.instance().httpHeaders()) {
- claims.put(header, req.getHeader(header));
- }
-
- // Capture standard CGI variables...
- claims.put(CGI_AUTH_TYPE, req.getAuthType());
- claims.put(CGI_PATH_INFO, req.getPathInfo());
- claims.put(CGI_PATH_TRANSLATED, req.getPathTranslated());
- claims.put(CGI_QUERY_STRING, req.getQueryString());
- claims.put(CGI_REMOTE_ADDR, req.getRemoteAddr());
- claims.put(CGI_REMOTE_HOST, req.getRemoteHost());
- claims.put(CGI_REMOTE_PORT, req.getRemotePort());
- // remote user might be i18n, assume UTF8 and decode
- claims.put(CGI_REMOTE_USER, decodeUTF8(req.getRemoteUser()));
- claims.put(CGI_REMOTE_USER_GROUPS, req.getAttribute(CGI_REMOTE_USER_GROUPS));
- claims.put(CGI_REQUEST_METHOD, req.getMethod());
- claims.put(CGI_SCRIPT_NAME, req.getServletPath());
- claims.put(CGI_SERVER_PROTOCOL, req.getProtocol());
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("ClaimAuthFilter claims = {}", claims.toString());
- }
-
- return claims;
- }
-
- /**
- * Decode from UTF-8, return Unicode.
- *
- * If we're unable to UTF-8 decode the string the fallback is to return the
- * string unmodified and log a warning.
- *
- * Some data, especially metadata attached to a user principal may be
- * internationalized (i18n). The classic examples are the user's name,
- * location, organization, etc. We need to be able to read this metadata and
- * decode it into unicode characters so that we properly handle i18n string
- * values.
- *
- * One of the the prolems is we often don't know the encoding (i.e. charset)
- * of the string. RFC-5987 is supposed to define how non-ASCII values are
- * transmitted in HTTP headers, this is a follow on from the work in
- * RFC-2231. However at the time of this writing these RFC's are not
- * implemented in the Servlet Request classes. Not only are these RFC's
- * unimplemented but they are specific to HTTP headers, much of our metadata
- * arrives via attributes as opposed to being in a header.
- *
- * Note: ASCII encoding is a subset of UTF-8 encoding therefore any strings
- * which are pure ASCII will decode from UTF-8 just fine. However on the
- * other hand Latin-1 (ISO-8859-1) encoding is not compatible with UTF-8 for
- * code points in the range 128-255 (i.e. beyond 7-bit ascii). ISO-8859-1 is
- * the default encoding for HTTP and HTML 4, however the consensus is the
- * use of ISO-8859-1 was a mistake and Unicode with UTF-8 encoding is now
- * the norm. If a string value is transmitted encoded in ISO-8859-1
- * contaiing code points in the range 128-255 and we try to UTF-8 decode it
- * it will either not be the correct decoded string or it will throw a
- * decoding exception.
- *
- * Conventional practice at the moment is for the sending side to encode
- * internationalized values in UTF-8 with the receving end decoding the
- * value back from UTF-8. We do not expect the use of ISO-8859-1 on these
- * attributes. However due to peculiarities of the Java String
- * implementation we have to specify the raw bytes are encoded in ISO-8859-1
- * just to get back the raw bytes to be able to feed into the UTF-8 decoder.
- * This doesn't seem right but it is because we need the full 8-bit byte and
- * the only way to say "unmodified 8-bit bytes" in Java is to call it
- * ISO-8859-1. Ugh!
- *
- * @param string
- * The input string in UTF-8 to be decoded.
- * @return Unicode string
- */
- private String decodeUTF8(String string) {
- if (string == null) {
- return null;
- }
- try {
- return new String(string.getBytes("ISO8859-1"), "UTF-8");
- } catch (UnsupportedEncodingException e) {
- LOG.warn("Unable to UTF-8 decode: ", string, e);
- return string;
- }
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationConfiguration.java b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationConfiguration.java
deleted file mode 100644
index a68dc15c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationConfiguration.java
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.federation;
-
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Dictionary;
-import java.util.Enumeration;
-import java.util.Hashtable;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.TreeSet;
-import java.util.concurrent.ConcurrentHashMap;
-import org.osgi.service.cm.ConfigurationException;
-import org.osgi.service.cm.ManagedService;
-
-/**
- * AAA federation configurations in OSGi.
- *
- * @author liemmn
- *
- */
-public class FederationConfiguration implements ManagedService {
- private static final String FEDERATION_CONFIG_ERR = "Error saving federation configuration";
-
- static final String HTTP_HEADERS = "httpHeaders";
- static final String HTTP_ATTRIBUTES = "httpAttributes";
- static final String SECURE_PROXY_PORTS = "secureProxyPorts";
-
- static FederationConfiguration instance = new FederationConfiguration();
-
- static final Hashtable<String, String> defaults = new Hashtable<>();
- static {
- defaults.put(HTTP_HEADERS, "");
- defaults.put(HTTP_ATTRIBUTES, "");
- }
- private static Map<String, String> configs = new ConcurrentHashMap<>();
-
- // singleton
- private FederationConfiguration() {
- }
-
- public static FederationConfiguration instance() {
- return instance;
- }
-
- @Override
- public void updated(Dictionary<String, ?> props) throws ConfigurationException {
- if (props == null) {
- configs.clear();
- configs.putAll(defaults);
- } else {
- try {
- Enumeration<String> keys = props.keys();
- while (keys.hasMoreElements()) {
- String key = keys.nextElement();
- configs.put(key, (String) props.get(key));
- }
- } catch (Throwable t) {
- throw new ConfigurationException(null, FEDERATION_CONFIG_ERR, t);
- }
- }
- }
-
- public List<String> httpHeaders() {
- String headers = configs.get(HTTP_HEADERS);
- return (headers == null) ? new ArrayList<String>() : Arrays.asList(headers.split(" "));
- }
-
- public List<String> httpAttributes() {
- String attributes = configs.get(HTTP_ATTRIBUTES);
- return (attributes == null) ? new ArrayList<String>() : Arrays
- .asList(attributes.split(" "));
- }
-
- public Set<Integer> secureProxyPorts() {
- String ports = configs.get(SECURE_PROXY_PORTS);
- Set<Integer> secureProxyPorts = new TreeSet<Integer>();
-
- if (ports != null && !ports.isEmpty()) {
- for (String port : ports.split(" ")) {
- secureProxyPorts.add(Integer.parseInt(port));
- }
- }
- return secureProxyPorts;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationEndpoint.java b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationEndpoint.java
deleted file mode 100644
index 6ac76c0a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationEndpoint.java
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.federation;
-
-import static javax.servlet.http.HttpServletResponse.SC_CREATED;
-import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.List;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
-import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl;
-import org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator;
-import org.apache.oltu.oauth2.as.response.OAuthASResponse;
-import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
-import org.apache.oltu.oauth2.common.message.OAuthResponse;
-import org.opendaylight.aaa.AuthenticationBuilder;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.AuthenticationException;
-import org.opendaylight.aaa.api.Claim;
-
-/**
- * An endpoint for claim-based authentication federation (in-bound).
- *
- * @author liemmn
- *
- */
-public class FederationEndpoint extends HttpServlet {
-
- private static final long serialVersionUID = -5553885846238987245L;
-
- /** An in-bound authentication claim */
- static final String AUTH_CLAIM = "AAA-CLAIM";
-
- private static final String UNAUTHORIZED = "unauthorized";
-
- private transient OAuthIssuer oi;
-
- @Override
- public void init(ServletConfig config) throws ServletException {
- oi = new OAuthIssuerImpl(new UUIDValueGenerator());
- }
-
- @Override
- protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException,
- ServletException {
- try {
- createRefreshToken(req, resp);
- } catch (Exception e) {
- error(resp, SC_UNAUTHORIZED, e.getMessage());
- }
- }
-
- // Create a refresh token
- private void createRefreshToken(HttpServletRequest req, HttpServletResponse resp)
- throws OAuthSystemException, IOException {
- Claim claim = (Claim) req.getAttribute(AUTH_CLAIM);
- oauthRefreshTokenResponse(resp, claim);
- }
-
- // Build OAuth refresh token response from the given claim mapped and
- // injected by the external IdP
- private void oauthRefreshTokenResponse(HttpServletResponse resp, Claim claim)
- throws OAuthSystemException, IOException {
- if (claim == null) {
- throw new AuthenticationException(UNAUTHORIZED);
- }
-
- String userName = claim.user();
- // Need to have at least a mapped username!
- if (userName == null) {
- throw new AuthenticationException(UNAUTHORIZED);
- }
-
- String domain = claim.domain();
- // Need to have at least a domain!
- if (domain == null) {
- throw new AuthenticationException(UNAUTHORIZED);
- }
-
- String userId = userName + "@" + domain;
-
- // Create an unscoped ODL context from the external claim
- Authentication auth = new AuthenticationBuilder(new ClaimBuilder(claim).setUserId(userId)
- .build()).setExpiration(tokenExpiration()).build();
-
- // Create OAuth response
- String token = oi.refreshToken();
- OAuthResponse r = OAuthASResponse
- .tokenResponse(SC_CREATED)
- .setRefreshToken(token)
- .setExpiresIn(Long.toString(auth.expiration()))
- .setScope(
- // Use mapped domain if there is one, else list
- // all the ones that this user has access to
- (claim.domain().isEmpty()) ? listToString(ServiceLocator.getInstance()
- .getIdmService().listDomains(userId)) : claim.domain())
- .buildJSONMessage();
- // Cache this token...
- ServiceLocator.getInstance().getTokenStore().put(token, auth);
- write(resp, r);
- }
-
- // Token expiration
- private long tokenExpiration() {
- return ServiceLocator.getInstance().getTokenStore().tokenExpiration();
- }
-
- // Space-delimited string from a list of strings
- private String listToString(List<String> list) {
- StringBuffer sb = new StringBuffer();
- for (String s : list) {
- sb.append(s).append(" ");
- }
- return sb.toString().trim();
- }
-
- // Emit an error OAuthResponse with the given HTTP code
- private void error(HttpServletResponse resp, int httpCode, String error) {
- try {
- OAuthResponse r = OAuthResponse.errorResponse(httpCode).setError(error)
- .buildJSONMessage();
- write(resp, r);
- } catch (Exception e1) {
- // Nothing to do here
- }
- }
-
- // Write out an OAuthResponse
- private void write(HttpServletResponse resp, OAuthResponse r) throws IOException {
- resp.setStatus(r.getResponseStatus());
- PrintWriter pw = resp.getWriter();
- pw.print(r.getBody());
- pw.flush();
- pw.close();
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ServiceLocator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ServiceLocator.java
deleted file mode 100644
index dd861514..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ServiceLocator.java
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.federation;
-
-import java.util.List;
-import java.util.Vector;
-import org.opendaylight.aaa.api.ClaimAuth;
-import org.opendaylight.aaa.api.IdMService;
-import org.opendaylight.aaa.api.TokenStore;
-
-/**
- * A service locator to bridge between the web world and OSGi world.
- *
- * @author liemmn
- *
- */
-public class ServiceLocator {
-
- private static final ServiceLocator instance = new ServiceLocator();
-
- protected volatile List<ClaimAuth> claimAuthCollection = new Vector<>();
-
- protected volatile TokenStore tokenStore;
-
- protected volatile IdMService idmService;
-
- private ServiceLocator() {
- }
-
- public static ServiceLocator getInstance() {
- return instance;
- }
-
- /**
- * Called through reflection from the federation Activator
- *
- * @see org.opendaylight.aaa.federation.ServiceLocator
- * @param ca the injected claims implementation
- */
- protected void claimAuthAdded(ClaimAuth ca) {
- this.claimAuthCollection.add(ca);
- }
-
- /**
- * Called through reflection from the federation Activator
- *
- * @see org.opendaylight.aaa.federation.Activator
- * @param ca the claims implementation to remove
- */
- protected void claimAuthRemoved(ClaimAuth ca) {
- this.claimAuthCollection.remove(ca);
- }
-
- public List<ClaimAuth> getClaimAuthCollection() {
- return claimAuthCollection;
- }
-
- public void setClaimAuthCollection(List<ClaimAuth> claimAuthCollection) {
- this.claimAuthCollection = claimAuthCollection;
- }
-
- public TokenStore getTokenStore() {
- return tokenStore;
- }
-
- public void setTokenStore(TokenStore tokenStore) {
- this.tokenStore = tokenStore;
- }
-
- public IdMService getIdmService() {
- return idmService;
- }
-
- public void setIdmService(IdMService idmService) {
- this.idmService = idmService;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/SssdFilter.java b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/SssdFilter.java
deleted file mode 100644
index 9223c6dd..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/SssdFilter.java
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Red Hat, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.federation;
-
-import java.io.IOException;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-
-class SssdHeadersRequest extends HttpServletRequestWrapper {
- private static final String headerPrefix = "X-SSSD-";
-
- public SssdHeadersRequest(HttpServletRequest request) {
- super(request);
- }
-
- public Object getAttribute(String name) {
- HttpServletRequest request = (HttpServletRequest) getRequest();
- String headerValue;
-
- headerValue = request.getHeader(headerPrefix + name);
- if (headerValue != null) {
- return headerValue;
- } else {
- return request.getAttribute(name);
- }
- }
-
- @Override
- public String getRemoteUser() {
- HttpServletRequest request = (HttpServletRequest) getRequest();
- String headerValue;
-
- headerValue = request.getHeader(headerPrefix + "REMOTE_USER");
- if (headerValue != null) {
- return headerValue;
- } else {
- return request.getRemoteUser();
- }
- }
-
- @Override
- public String getAuthType() {
- HttpServletRequest request = (HttpServletRequest) getRequest();
- String headerValue;
-
- headerValue = request.getHeader(headerPrefix + "AUTH_TYPE");
- if (headerValue != null) {
- return headerValue;
- } else {
- return request.getAuthType();
- }
- }
-
- @Override
- public String getRemoteAddr() {
- HttpServletRequest request = (HttpServletRequest) getRequest();
- String headerValue;
-
- headerValue = request.getHeader(headerPrefix + "REMOTE_ADDR");
- if (headerValue != null) {
- return headerValue;
- } else {
- return request.getRemoteAddr();
- }
- }
-
- @Override
- public String getRemoteHost() {
- HttpServletRequest request = (HttpServletRequest) getRequest();
- String headerValue;
-
- headerValue = request.getHeader(headerPrefix + "REMOTE_HOST");
- if (headerValue != null) {
- return headerValue;
- } else {
- return request.getRemoteHost();
- }
- }
-
- @Override
- public int getRemotePort() {
- HttpServletRequest request = (HttpServletRequest) getRequest();
- String headerValue;
-
- headerValue = request.getHeader(headerPrefix + "REMOTE_PORT");
- if (headerValue != null) {
- return Integer.parseInt(headerValue);
- } else {
- return request.getRemotePort();
- }
- }
-
-}
-
-/**
- * Populate HttpRequestServlet API data from HTTP extension headers.
- *
- * When SSSD is used for authentication and identity lookup those actions occur
- * in an Apache HTTP server which is fronting the servlet container. After
- * successful authentication Apache will proxy the request to the container
- * along with additional authentication and identity metadata.
- *
- * The preferred way to transport the metadata and have it appear seamlessly in
- * the servlet API is via the AJP protocol. However AJP may not be available or
- * desirable. An alternative method is to transport the metadata in extension
- * HTTP headers. However we still want the standard servlet request API methods
- * to work. Another way to say this is we do not want upper layers to be aware
- * of the transport mechanism. To achieve this we wrap the HttpServletRequest
- * class and override specific methods which need to extract the data from the
- * extension HTTP headers. (This is roughly equivalent to what happens when AJP
- * is implemented natively in the container).
- *
- * The extension HTTP headers are identified by the prefix "X-SSSD-". The
- * overridden methods check for the existence of the appropriate extension
- * header and if present returns the value found in the extension header,
- * otherwise it returns the value from the method it's wrapping.
- *
- */
-public class SssdFilter implements Filter {
- @Override
- public void init(FilterConfig fc) throws ServletException {
- }
-
- @Override
- public void destroy() {
- }
-
- @Override
- public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
- FilterChain filterChain) throws IOException, ServletException {
- if (servletRequest instanceof HttpServletRequest) {
- HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
- SssdHeadersRequest request = new SssdHeadersRequest(httpServletRequest);
- filterChain.doFilter(request, servletResponse);
- } else {
- filterChain.doFilter(servletRequest, servletResponse);
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.properties b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.properties
deleted file mode 100644
index 4323c04d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.properties
+++ /dev/null
@@ -1,11 +0,0 @@
-org.opendaylight.aaa.federation.name = Opendaylight AAA Federation Configuration
-org.opendaylight.aaa.federation.description = Configuration for AAA federation
-org.opendaylight.aaa.federation.httpHeaders.name = Custom HTTP Headers
-org.opendaylight.aaa.federation.httpHeaders.description = Space-delimited list of \
-specific HTTP headers to capture for authentication federation.
-org.opendaylight.aaa.federation.httpAttributes.name = Custom HTTP Attributes
-org.opendaylight.aaa.federation.httpAttributes.description = Space-delimited list of \
-specific HTTP attributes to capture for authentication federation.
-org.opendaylight.aaa.federation.secureProxyPorts.name = Secure Proxy Ports
-org.opendaylight.aaa.federation.secureProxyPorts.description = Space-delimited list of \
-port numbers on which a trusted HTTP proxy performing authentication forwards pre-authenticated requests.
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.xml
deleted file mode 100644
index e2efd3d4..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<metatype:MetaData xmlns:metatype="http://www.osgi.org/xmlns/metatype/v1.0.0"
- localization="OSGI-INF/metatype/metatype">
- <OCD id="org.opendaylight.aaa.federation" name="%org.opendaylight.aaa.federation.name"
- description="%org.opendaylight.aaa.federation.description">
- <AD id="httpHeaders" type="String" default=""
- name="%org.opendaylight.aaa.federation.httpHeaders.name"
- description="%org.opendaylight.aaa.federation.httpHeaders.description" />
- <AD id="httpAttributes" type="String" default=""
- name="%org.opendaylight.aaa.federation.httpAttributes.name"
- description="%org.opendaylight.aaa.federation.httpAttributes.description" />
- <AD id="secureProxyPorts" type="String" default=""
- name="%org.opendaylight.aaa.federation.secureProxyPorts.name"
- description="%org.opendaylight.aaa.federation.secureProxyPorts.description" />
- </OCD>
- <Designate pid="org.opendaylight.aaa.federation">
- <Object ocdref="org.opendaylight.aaa.federation" />
- </Designate>
-</metatype:MetaData>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/WEB-INF/web.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/WEB-INF/web.xml
deleted file mode 100644
index 9fd9751f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/WEB-INF/web.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
- version="3.0">
-
- <servlet>
- <servlet-name>federation</servlet-name>
- <servlet-class>org.opendaylight.aaa.federation.FederationEndpoint</servlet-class>
- <load-on-startup>1</load-on-startup>
- </servlet>
- <servlet-mapping>
- <servlet-name>federation</servlet-name>
- <url-pattern>/*</url-pattern>
- </servlet-mapping>
-
- <!-- Federation Auth filter -->
- <filter>
- <filter-name>SssdFilter</filter-name>
- <filter-class>org.opendaylight.aaa.federation.SssdFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>SssdFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <filter>
- <filter-name>ClaimAuthFilter</filter-name>
- <filter-class>org.opendaylight.aaa.federation.ClaimAuthFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>ClaimAuthFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
-</web-app>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/federation.cfg b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/federation.cfg
deleted file mode 100644
index 60ef1c46..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/main/resources/federation.cfg
+++ /dev/null
@@ -1,3 +0,0 @@
-httpHeaders=
-httpAttributes=
-secureProxyPorts=
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/test/java/org/opendaylight/aaa/federation/FederationEndpointTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/test/java/org/opendaylight/aaa/federation/FederationEndpointTest.java
deleted file mode 100644
index ae098652..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-federation/src/test/java/org/opendaylight/aaa/federation/FederationEndpointTest.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.federation;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Matchers.anyMap;
-import static org.mockito.Matchers.anyString;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-import java.util.Arrays;
-import java.util.TreeSet;
-import org.eclipse.jetty.testing.HttpTester;
-import org.eclipse.jetty.testing.ServletTester;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.aaa.api.ClaimAuth;
-import org.opendaylight.aaa.api.IdMService;
-import org.opendaylight.aaa.api.TokenStore;
-
-/**
- * A unit test for federation endpoint.
- *
- * @author liemmn
- *
- */
-public class FederationEndpointTest {
- private static final long TOKEN_TIMEOUT_SECS = 10;
- private static final String CONTEXT = "/oauth2/federation";
-
- private final static ServletTester server = new ServletTester();
- private static final Claim claim = new ClaimBuilder().setUser("bob").setUserId("1234")
- .addRole("admin").build();
-
- @BeforeClass
- public static void init() throws Exception {
- // Set up server
- server.setContextPath(CONTEXT);
-
- // Add our servlet under test
- server.addServlet(FederationEndpoint.class, "/*");
-
- // Add ClaimAuth filter
- server.addFilter(ClaimAuthFilter.class, "/*", 0);
-
- // Let's do dis
- server.start();
- }
-
- @AfterClass
- public static void shutdown() throws Exception {
- server.stop();
- }
-
- @Before
- public void setup() {
- mockServiceLocator();
- when(ServiceLocator.getInstance().getTokenStore().tokenExpiration()).thenReturn(
- TOKEN_TIMEOUT_SECS);
- }
-
- @After
- public void teardown() {
- ServiceLocator.getInstance().getClaimAuthCollection().clear();
- }
-
- @Test
- public void testFederationUnconfiguredProxyPort() throws Exception {
- HttpTester req = new HttpTester();
- req.setMethod("POST");
- req.setURI(CONTEXT + "/");
- req.setVersion("HTTP/1.0");
-
- HttpTester resp = new HttpTester();
- resp.parse(server.getResponses(req.generate()));
- assertEquals(401, resp.getStatus());
- }
-
- @Test
- @SuppressWarnings("unchecked")
- public void testFederation() throws Exception {
- when(ServiceLocator.getInstance().getClaimAuthCollection().get(0).transform(anyMap()))
- .thenReturn(claim);
- when(ServiceLocator.getInstance().getIdmService().listDomains(anyString())).thenReturn(
- Arrays.asList("pepsi", "coke"));
-
- // Configure secure port (of zero)
- FederationConfiguration.instance = mock(FederationConfiguration.class);
- when(FederationConfiguration.instance.secureProxyPorts()).thenReturn(
- new TreeSet<Integer>(Arrays.asList(0)));
-
- HttpTester req = new HttpTester();
- req.setMethod("POST");
- req.setURI(CONTEXT + "/");
- req.setVersion("HTTP/1.0");
-
- HttpTester resp = new HttpTester();
- resp.parse(server.getResponses(req.generate()));
- assertEquals(201, resp.getStatus());
- String content = resp.getContent();
- assertTrue(content.contains("pepsi coke"));
- }
-
- private static void mockServiceLocator() {
- ServiceLocator.getInstance().setIdmService(mock(IdMService.class));
- ServiceLocator.getInstance().setTokenStore(mock(TokenStore.class));
- ServiceLocator.getInstance().getClaimAuthCollection().add(mock(ClaimAuth.class));
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-keystone/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-keystone/pom.xml
deleted file mode 100644
index e85d620d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-keystone/pom.xml
+++ /dev/null
@@ -1,106 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-keystone</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>javax.servlet-api</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-annotations</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-databind</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpcore-osgi</artifactId>
- <version>${httpclient.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpclient-osgi</artifactId>
- <version>${httpclient.version}</version>
- </dependency>
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>com.sun.jersey.jersey-test-framework</groupId>
- <artifactId>jersey-test-framework-grizzly2</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Bundle-Activator>org.opendaylight.aaa.keystone.Activator</Bundle-Activator>
- </instructions>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </configuration>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/Activator.java
deleted file mode 100644
index c3c3bfb1..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/Activator.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.keystone;
-
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.opendaylight.aaa.api.TokenAuth;
-import org.osgi.framework.BundleContext;
-
-/**
- * An activator for {@link KeystoneTokenAuth}.
- *
- * @author liemmn
- *
- */
-public class Activator extends DependencyActivatorBase {
-
- @Override
- public void init(BundleContext context, DependencyManager manager) throws Exception {
- manager.add(createComponent().setInterface(new String[] { TokenAuth.class.getName() }, null)
- .setImplementation(KeystoneTokenAuth.class));
- }
-
- @Override
- public void destroy(BundleContext context, DependencyManager manager) throws Exception {
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/KeystoneTokenAuth.java b/upstream/odl-aaa-moon/aaa/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/KeystoneTokenAuth.java
deleted file mode 100644
index 6f4b4bb1..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/KeystoneTokenAuth.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.keystone;
-
-import java.util.List;
-import java.util.Map;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.TokenAuth;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * A Keystone {@link TokenAuth} filter.
- *
- * @author liemmn
- */
-public class KeystoneTokenAuth implements TokenAuth {
- private static final Logger LOG = LoggerFactory.getLogger(KeystoneTokenAuth.class);
-
- static final String TOKEN = "X-Auth-Token";
-
- @Override
- public Authentication validate(Map<String, List<String>> headers) {
- if (!headers.containsKey(TOKEN)) {
- return null; // Not a Keystone token
- }
-
- // TODO: Call into Keystone to get security context...
- LOG.info("Not yet validating token {}", headers.get(TOKEN).get(0));
- return null;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-api/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-api/pom.xml
deleted file mode 100644
index da6f27f1..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-api/pom.xml
+++ /dev/null
@@ -1,99 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-mdsal-api</artifactId>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>yang-binding</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal.model</groupId>
- <artifactId>ietf-inet-types</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal.model</groupId>
- <artifactId>ietf-yang-types</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal.model</groupId>
- <artifactId>yang-ext</artifactId>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <version>${bundle.plugin.version}</version>
- <extensions>true</extensions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-javadoc-plugin</artifactId>
- <configuration>
- <stylesheet>maven</stylesheet>
- </configuration>
- <executions>
- <execution>
- <goals>
- <goal>aggregate</goal>
- </goals>
- <phase>site</phase>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yang-maven-plugin</artifactId>
- <version>${yangtools.version}</version>
- <executions>
- <execution>
- <goals>
- <goal>generate-sources</goal>
- </goals>
- <configuration>
- <yangFilesRootDir>src/main/yang</yangFilesRootDir>
- <codeGenerators>
- <generator>
- <codeGeneratorClass>
- org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl
- </codeGeneratorClass>
- <outputBaseDir>${salGeneratorPath}</outputBaseDir>
- </generator>
- </codeGenerators>
- <inspectDependencies>true</inspectDependencies>
- </configuration>
- </execution>
- </executions>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>maven-sal-api-gen-plugin</artifactId>
- <version>${yangtools.version}</version>
- <type>jar</type>
- </dependency>
- </dependencies>
- </plugin>
- </plugins>
- </build>
- <packaging>bundle</packaging>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-api/src/main/yang/aaa-authn-model.yang b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-api/src/main/yang/aaa-authn-model.yang
deleted file mode 100644
index 227cb313..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-api/src/main/yang/aaa-authn-model.yang
+++ /dev/null
@@ -1,154 +0,0 @@
-module aaa-authn-model {
- yang-version 1;
- namespace "urn:aaa:yang:authn:claims";
- prefix "authn";
- organization "TBD";
-
- contact "wdec@cisco.com";
-
- revision 2014-10-29 {
- description
- "Initial revision.";
- }
-
-//Main module begins
-
-// Following container provides the AuthN Claims data-structure
-
- container tokencache {
- config false;
- list claims {
- key "token";
-
- leaf token {
- type string;
- description "Token";
- }
- leaf clientId {
- type string;
- description "id of the authorized client, or null if anonymous";
- }
- leaf userId {
- type string;
- description "Unique user-id. User IDs are system-created";
- }
- leaf user {
- type string;
- description "User name";
- }
- leaf domain {
- type string;
- description "Fully-qualified domain name";
- }
- leaf-list roles {
- type string;
- description "Assigned user roles";
- }
- }
- }
-
- container token_cache_times {
-
- list token_list {
- key userId;
-
- leaf userId {
- //TODO: Change to instance-ref
- type string;
- }
-
- list user_tokens {
- key tokenid;
- leaf tokenid {
- type leafref {path "/tokencache/claims/token";}
- }
- leaf timestamp {
- type uint64;
- }
- leaf expiration {
- type int64;
- description "Expiration milliseconds since start of UTC epoch";
- }
- }
- }
- }
-
- //authentication model is for generating objects to be stores in the
- //data store for all the prev idm model objects.
- container authentication{
- list domain{
- key domainid;
- leaf domainid {
- type string;
- }
- leaf name {
- type string;
- }
- leaf description {
- type string;
- }
- leaf enabled {
- type boolean;
- }
- }
-
- list user {
- key userid;
- leaf userid {
- type string;
- }
- leaf name {
- type string;
- }
- leaf description {
- type string;
- }
- leaf enabled {
- type boolean;
- }
- leaf email {
- type string;
- }
- leaf password {
- type string;
- }
- leaf salt {
- type string;
- }
- leaf domainid {
- type string;
- }
- }
- list role {
- key roleid;
- leaf roleid {
- type string;
- }
- leaf name {
- type string;
- }
- leaf description {
- type string;
- }
- leaf domainid {
- type string;
- }
- }
-
- list grant {
- key grantid;
- leaf grantid {
- type string;
- }
- leaf domainid {
- type string;
- }
- leaf userid {
- type string;
- }
- leaf roleid {
- type string;
- }
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-config/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-config/pom.xml
deleted file mode 100644
index 3ac6e57f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-config/pom.xml
+++ /dev/null
@@ -1,40 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-mdsal-config</artifactId>
- <description>AuthN Token Store Service Configuration file </description>
- <packaging>jar</packaging>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>attach-artifacts</id>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/initial/${config.authn.store.configfile}</file>
- <type>xml</type>
- <classifier>config</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-config/src/main/resources/initial/08-authn-config.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-config/src/main/resources/initial/08-authn-config.xml
deleted file mode 100644
index e4a78f4d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-config/src/main/resources/initial/08-authn-config.xml
+++ /dev/null
@@ -1,43 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- vi: set et smarttab sw=4 tabstop=4: -->
-<!--
- Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
-
- This program and the accompanying materials are made available under the
- terms of the Eclipse Public License v1.0 which accompanies this distribution,
- and is available at http://www.eclipse.org/legal/epl-v10.html
--->
-<snapshot>
- <configuration>
- <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
- <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
-
- <!-- defines an implementation module -->
- <module>
- <type xmlns:authn="config:aaa:authn:mdsal:store">authn:aaa-authn-mdsal-store</type>
- <name>aaa-authn-mdsal-store</name>
- <dom-broker>
- <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">
- dom:dom-broker-osgi-registry
- </type>
- <name>dom-broker</name>
- </dom-broker>
- <data-broker>
- <type xmlns:binding="urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding">
- binding:binding-async-data-broker
- </type>
- <name>binding-data-broker</name>
- </data-broker>
- <timeToLive>3600000</timeToLive>
- <timeToWait>15</timeToWait>
- <password>CHANGE_ME</password>
- </module>
- </modules>
- </data>
-
- </configuration>
- <required-capabilities>
- <capability>config:aaa:authn:mdsal:store?module=aaa-authn-mdsal-store-cfg&amp;revision=2014-10-31</capability>
- </required-capabilities>
-
-</snapshot>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/pom.xml
deleted file mode 100644
index 069ec60c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/pom.xml
+++ /dev/null
@@ -1,169 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- ~ Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- ~
- ~ This program and the accompanying materials are made available under the
- ~ terms of the Eclipse Public License v1.0 which accompanies this distribution,
- ~ and is available at http://www.eclipse.org/legal/epl-v10.html
- ~
- -->
-
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-mdsal-store-impl</artifactId>
- <packaging>bundle</packaging>
-
- <properties>
- <powermock.version>1.5.2</powermock.version>
- </properties>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-util</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-common-util</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yang-data-api</artifactId>
- </dependency>
- <dependency>
- <groupId>commons-codec</groupId>
- <artifactId>commons-codec</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>config-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-config</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-core-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-mdsal-api</artifactId>
- </dependency>
-
- <!-- Test dependencies -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.powermock</groupId>
- <artifactId>powermock-api-mockito</artifactId>
- <version>${powermock.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.powermock</groupId>
- <artifactId>powermock-module-junit4</artifactId>
- <version>${powermock.version}</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <!-- <Bundle-Activator>/Bundle-Activator> -->
- <Export-Package>org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.*
- </Export-Package>
- </instructions>
- </configuration>
- <!-- <configuration> <Export-Package> </Export-Package> </configuration> -->
- </plugin>
- <plugin>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yang-maven-plugin</artifactId>
- <version>${yangtools.version}</version>
- <executions>
- <execution>
- <id>config</id>
- <goals>
- <goal>generate-sources</goal>
- </goals>
- <configuration>
- <codeGenerators>
- <generator>
- <codeGeneratorClass>
- org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
- </codeGeneratorClass>
- <outputBaseDir>${jmxGeneratorPath}</outputBaseDir>
- <additionalConfiguration>
- <namespaceToPackage1>
- urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang
- </namespaceToPackage1>
- </additionalConfiguration>
- </generator>
- <generator>
- <codeGeneratorClass>org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl</codeGeneratorClass>
- <outputBaseDir>${salGeneratorPath}</outputBaseDir>
- </generator>
- </codeGenerators>
- <inspectDependencies>true</inspectDependencies>
- </configuration>
- </execution>
- </executions>
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>yang-jmx-generator-plugin</artifactId>
- <version>${config.version}</version>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>maven-sal-api-gen-plugin</artifactId>
- <version>${yangtools.version}</version>
- </dependency>
- </dependencies>
- </plugin>
- </plugins>
- </build>
-
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/AuthNStore.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/AuthNStore.java
deleted file mode 100644
index 09170182..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/AuthNStore.java
+++ /dev/null
@@ -1,263 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import com.google.common.base.Optional;
-import com.google.common.util.concurrent.CheckedFuture;
-import com.google.common.util.concurrent.FutureCallback;
-import com.google.common.util.concurrent.Futures;
-import java.math.BigInteger;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.TokenStore;
-import org.opendaylight.aaa.authn.mdsal.store.util.AuthNStoreUtil;
-import org.opendaylight.controller.md.sal.binding.api.DataBroker;
-import org.opendaylight.controller.md.sal.binding.api.ReadTransaction;
-import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
-import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
-import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
-import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.TokenCacheTimes;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenList;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenListKey;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokens;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.Claims;
-import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class AuthNStore implements AutoCloseable, TokenStore {
-
- private static final Logger LOG = LoggerFactory.getLogger(AuthNStore.class);
- private DataBroker broker;
- private static BigInteger timeToLive;
- private static Integer timeToWait;
- private final ExecutorService deleteExpiredTokenThread = Executors.newFixedThreadPool(1);
- private final DataEncrypter dataEncrypter;
-
- public AuthNStore(final DataBroker dataBroker, final String config_key) {
- this.broker = dataBroker;
- this.dataEncrypter = new DataEncrypter(config_key);
- LOG.info("Created MD-SAL AAA Token Cache Service...");
- }
-
- @Override
- public void close() throws Exception {
- deleteExpiredTokenThread.shutdown();
- LOG.info("MD-SAL AAA Token Cache closed...");
-
- }
-
- @Override
- public void put(String token, Authentication auth) {
- token = dataEncrypter.encrypt(token);
- Claims claims = AuthNStoreUtil.createClaimsRecord(token, auth);
-
- // create and insert parallel struct
- UserTokens userTokens = AuthNStoreUtil.createUserTokens(token, timeToLive.longValue());
- TokenList tokenlist = AuthNStoreUtil.createTokenList(userTokens, auth.userId());
-
- writeClaimAndTokenToStore(claims, userTokens, tokenlist);
- deleteExpiredTokenThread.execute(deleteOldTokens(claims));
- }
-
- @Override
- public Authentication get(String token) {
- token = dataEncrypter.encrypt(token);
- Authentication authentication = null;
- Claims claims = readClaims(token);
- if (claims != null) {
- UserTokens userToken = readUserTokensFromDS(claims.getToken(), claims.getUserId());
- authentication = AuthNStoreUtil.convertClaimToAuthentication(claims,
- userToken.getExpiration());
- }
- deleteExpiredTokenThread.execute(deleteOldTokens(claims));
- return authentication;
- }
-
- @Override
- public boolean delete(String token) {
- token = dataEncrypter.encrypt(token);
- boolean result = false;
- Claims claims = readClaims(token);
- result = deleteClaims(token);
- if (result) {
- deleteUserTokenFromDS(token, claims.getUserId());
- }
- deleteExpiredTokenThread.execute(deleteOldTokens(claims));
- return result;
- }
-
- @Override
- public long tokenExpiration() {
- return timeToLive.longValue();
- }
-
- public void setTimeToLive(BigInteger timeToLive) {
- this.timeToLive = timeToLive;
- }
-
- public void setTimeToWait(Integer timeToWait) {
- this.timeToWait = timeToWait;
- }
-
- private void writeClaimAndTokenToStore(final Claims claims, UserTokens usertokens,
- final TokenList tokenlist) {
-
- final InstanceIdentifier<Claims> claims_iid = AuthNStoreUtil.createInstIdentifierForTokencache(claims.getToken());
- WriteTransaction tx = broker.newWriteOnlyTransaction();
- tx.put(LogicalDatastoreType.OPERATIONAL, claims_iid, claims, true);
-
- final InstanceIdentifier<UserTokens> userTokens_iid = AuthNStoreUtil.createInstIdentifierUserTokens(
- tokenlist.getUserId(), usertokens.getTokenid());
- tx.put(LogicalDatastoreType.OPERATIONAL, userTokens_iid, usertokens, true);
-
- CheckedFuture<Void, TransactionCommitFailedException> commitFuture = tx.submit();
- Futures.addCallback(commitFuture, new FutureCallback<Void>() {
-
- @Override
- public void onSuccess(Void result) {
- LOG.trace("Token {} was written to datastore.", claims.getToken());
- LOG.trace("Tokenlist for userId {} was written to datastore.",
- tokenlist.getUserId());
- }
-
- @Override
- public void onFailure(Throwable t) {
- LOG.error("Inserting token {} to datastore failed.", claims.getToken());
- LOG.trace("Inserting for userId {} tokenlist to datastore failed.",
- tokenlist.getUserId());
- }
-
- });
- }
-
- private Claims readClaims(String token) {
- final InstanceIdentifier<Claims> claims_iid = AuthNStoreUtil.createInstIdentifierForTokencache(token);
- Claims claims = null;
- ReadTransaction rt = broker.newReadOnlyTransaction();
- CheckedFuture<Optional<Claims>, ReadFailedException> claimsFuture = rt.read(
- LogicalDatastoreType.OPERATIONAL, claims_iid);
- try {
- Optional<Claims> maybeClaims = claimsFuture.checkedGet();
- if (maybeClaims.isPresent()) {
- claims = maybeClaims.get();
- }
- } catch (ReadFailedException e) {
- LOG.error(
- "Something wrong happened in DataStore. Getting Claim for token {} failed.",
- token, e);
- }
- return claims;
- }
-
- private TokenList readTokenListFromDS(String userId) {
- InstanceIdentifier<TokenList> tokenList_iid = InstanceIdentifier.builder(
- TokenCacheTimes.class).child(TokenList.class, new TokenListKey(userId)).build();
- TokenList tokenList = null;
- ReadTransaction rt = broker.newReadOnlyTransaction();
- CheckedFuture<Optional<TokenList>, ReadFailedException> userTokenListFuture = rt.read(
- LogicalDatastoreType.OPERATIONAL, tokenList_iid);
- try {
- Optional<TokenList> maybeTokenList = userTokenListFuture.checkedGet();
- if (maybeTokenList.isPresent()) {
- tokenList = maybeTokenList.get();
- }
- } catch (ReadFailedException e) {
- LOG.error(
- "Something wrong happened in DataStore. Getting TokenList for userId {} failed.",
- userId, e);
- }
- return tokenList;
- }
-
- private UserTokens readUserTokensFromDS(String token, String userId) {
- final InstanceIdentifier<UserTokens> userTokens_iid = AuthNStoreUtil.createInstIdentifierUserTokens(
- userId, token);
- UserTokens userTokens = null;
-
- ReadTransaction rt = broker.newReadOnlyTransaction();
- CheckedFuture<Optional<UserTokens>, ReadFailedException> userTokensFuture = rt.read(
- LogicalDatastoreType.OPERATIONAL, userTokens_iid);
-
- try {
- Optional<UserTokens> maybeUserTokens = userTokensFuture.checkedGet();
- if (maybeUserTokens.isPresent()) {
- userTokens = maybeUserTokens.get();
- }
- } catch (ReadFailedException e) {
- LOG.error(
- "Something wrong happened in DataStore. Getting UserTokens for token {} failed.",
- token, e);
- }
-
- return userTokens;
- }
-
- private boolean deleteClaims(String token) {
- final InstanceIdentifier<Claims> claims_iid = AuthNStoreUtil.createInstIdentifierForTokencache(token);
- boolean result = false;
- WriteTransaction tx = broker.newWriteOnlyTransaction();
- tx.delete(LogicalDatastoreType.OPERATIONAL, claims_iid);
- CheckedFuture<Void, TransactionCommitFailedException> commitFuture = tx.submit();
-
- try {
- commitFuture.checkedGet();
- result = true;
- } catch (TransactionCommitFailedException e) {
- LOG.error("Something wrong happened in DataStore. Claim "
- + "deletion for token {} from DataStore failed.", token, e);
- }
- return result;
- }
-
- private void deleteUserTokenFromDS(String token, String userId) {
- final InstanceIdentifier<UserTokens> userTokens_iid = AuthNStoreUtil.createInstIdentifierUserTokens(
- userId, token);
-
- WriteTransaction tx = broker.newWriteOnlyTransaction();
- tx.delete(LogicalDatastoreType.OPERATIONAL, userTokens_iid);
- CheckedFuture<Void, TransactionCommitFailedException> commitFuture = tx.submit();
- try {
- commitFuture.checkedGet();
- } catch (TransactionCommitFailedException e) {
- LOG.error("Something wrong happened in DataStore. UserToken "
- + "deletion for token {} from DataStore failed.", token, e);
- }
- }
-
- private Runnable deleteOldTokens(final Claims claims) {
- return new Runnable() {
-
- @Override
- public void run() {
- TokenList tokenList = null;
- if (claims != null) {
- tokenList = readTokenListFromDS(claims.getUserId());
- }
- if (tokenList != null) {
- for (UserTokens currUserToken : tokenList.getUserTokens()) {
- long diff = System.currentTimeMillis()
- - currUserToken.getTimestamp().longValue();
- if (diff > currUserToken.getExpiration()
- && currUserToken.getExpiration() != 0) {
- if (deleteClaims(currUserToken.getTokenid())) {
- deleteUserTokenFromDS(currUserToken.getTokenid(),
- claims.getUserId());
- LOG.trace("Expired tokens for UserId {} deleted.",
- claims.getUserId());
- }
- }
- }
- }
- }
- };
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypter.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypter.java
deleted file mode 100644
index ca0a74be..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypter.java
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import java.security.spec.KeySpec;
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
-import javax.xml.bind.DatatypeConverter;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * @author - Sharon Aicler (saichler@cisco.com)
- **/
-public class DataEncrypter {
-
- final protected SecretKey k;
- private static final Logger LOG = LoggerFactory.getLogger(DataEncrypter.class);
- private static final byte[] iv = { 0, 5, 0, 0, 7, 81, 0, 3, 0, 0, 0, 0, 0, 43, 0, 1 };
- private static final IvParameterSpec ivspec = new IvParameterSpec(iv);
- public static final String ENCRYPTED_TAG = "Encrypted:";
-
- public DataEncrypter(final String ckey) {
- SecretKey tmp = null;
- if (ckey != null && !ckey.isEmpty()) {
-
- try {
- SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
- KeySpec spec = new PBEKeySpec(ckey.toCharArray(), iv, 32768, 128);
- tmp = keyFactory.generateSecret(spec);
- } catch (Exception e) {
- LOG.error("Couldn't initialize key factory", e);
- }
- if (tmp != null) {
- k = new SecretKeySpec(tmp.getEncoded(), "AES");
- } else {
- throw new RuntimeException("Couldn't initalize encryption key");
- }
- } else {
- k = null;
- LOG.warn("Void crypto key passed! AuthN Store Encryption disabled");
- }
-
- }
-
- protected String encrypt(String token) {
-
- if (k == null) {
- return token;
- }
-
- String cryptostring = null;
- try {
- Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
- c.init(Cipher.ENCRYPT_MODE, k, ivspec);
- byte[] cryptobytes = c.doFinal(token.getBytes());
- cryptostring = DatatypeConverter.printBase64Binary(cryptobytes);
- return ENCRYPTED_TAG + cryptostring;
- } catch (Exception e) {
- LOG.error("Couldn't encrypt token", e);
- return null;
- }
- }
-
- protected String decrypt(String eToken) {
- if (k == null) {
- return eToken;
- }
-
- if (eToken == null || eToken.length() == 0) {
- return null;
- }
-
- if (!eToken.startsWith(ENCRYPTED_TAG)) {
- return eToken;
- }
-
- try {
- Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
- c.init(Cipher.DECRYPT_MODE, k, ivspec);
-
- byte[] cryptobytes = DatatypeConverter.parseBase64Binary(eToken.substring(ENCRYPTED_TAG.length()));
- byte[] clearbytes = c.doFinal(cryptobytes);
- return DatatypeConverter.printBase64Binary(clearbytes);
-
- } catch (Exception e) {
- LOG.error("Couldn't decrypt token", e);
- return null;
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMMDSALStore.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMMDSALStore.java
deleted file mode 100644
index 88fba0ba..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMMDSALStore.java
+++ /dev/null
@@ -1,483 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import com.google.common.base.Optional;
-import com.google.common.base.Preconditions;
-import com.google.common.util.concurrent.CheckedFuture;
-import java.util.List;
-import java.util.concurrent.ExecutionException;
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.IDMStoreUtil;
-import org.opendaylight.aaa.api.SHA256Calculator;
-import org.opendaylight.controller.md.sal.binding.api.DataBroker;
-import org.opendaylight.controller.md.sal.binding.api.ReadOnlyTransaction;
-import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
-import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
-import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
-import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.Authentication;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainKey;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantKey;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleKey;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserKey;
-import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * @author Sharon Aicler - saichler@cisco.com
- *
- */
-public class IDMMDSALStore {
-
- private static final Logger LOG = LoggerFactory.getLogger(IDMMDSALStore.class);
- private final DataBroker dataBroker;
-
- public IDMMDSALStore(DataBroker dataBroker) {
- this.dataBroker = dataBroker;
- }
-
- public static final String getString(String aValue, String bValue) {
- if (aValue != null)
- return aValue;
- return bValue;
- }
-
- public static final Boolean getBoolean(Boolean aValue, Boolean bValue) {
- if (aValue != null)
- return aValue;
- return bValue;
- }
-
- public static boolean waitForSubmit(CheckedFuture<Void, TransactionCommitFailedException> submit) {
- // This can happen only when testing
- if (submit == null)
- return false;
- while (!submit.isDone() && !submit.isCancelled()) {
- try {
- Thread.sleep(1000);
- } catch (Exception err) {
- LOG.error("Interrupted", err);
- }
- }
- return submit.isCancelled();
- }
-
- // Domain methods
- public Domain writeDomain(Domain domain) {
- Preconditions.checkNotNull(domain);
- Preconditions.checkNotNull(domain.getName());
- Preconditions.checkNotNull(domain.isEnabled());
- DomainBuilder b = new DomainBuilder();
- b.setDescription(domain.getDescription());
- b.setDomainid(domain.getName());
- b.setEnabled(domain.isEnabled());
- b.setName(domain.getName());
- b.setKey(new DomainKey(b.getName()));
- domain = b.build();
- InstanceIdentifier<Domain> ID = InstanceIdentifier.create(Authentication.class).child(
- Domain.class, new DomainKey(domain.getDomainid()));
- WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
- wrt.put(LogicalDatastoreType.CONFIGURATION, ID, domain, true);
- CheckedFuture<Void, TransactionCommitFailedException> submit = wrt.submit();
- if (!waitForSubmit(submit)) {
- return domain;
- } else {
- return null;
- }
- }
-
- public Domain readDomain(String domainid) {
- Preconditions.checkNotNull(domainid);
- InstanceIdentifier<Domain> ID = InstanceIdentifier.create(Authentication.class).child(
- Domain.class, new DomainKey(domainid));
- ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
- CheckedFuture<Optional<Domain>, ReadFailedException> read = rot.read(
- LogicalDatastoreType.CONFIGURATION, ID);
- if (read == null) {
- LOG.error("Failed to read domain from data store");
- return null;
- }
- Optional<Domain> optional = null;
- try {
- optional = read.get();
- } catch (InterruptedException | ExecutionException e1) {
- LOG.error("Failed to read domain from data store", e1);
- return null;
- }
-
- if (optional == null)
- return null;
-
- if (!optional.isPresent())
- return null;
-
- return optional.get();
- }
-
- public Domain deleteDomain(String domainid) {
- Preconditions.checkNotNull(domainid);
- Domain domain = readDomain(domainid);
- if (domain == null) {
- LOG.error("Failed to delete domain from data store, unknown domain");
- return null;
- }
- InstanceIdentifier<Domain> ID = InstanceIdentifier.create(Authentication.class).child(
- Domain.class, new DomainKey(domainid));
- WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
- wrt.delete(LogicalDatastoreType.CONFIGURATION, ID);
- wrt.submit();
- return domain;
- }
-
- public Domain updateDomain(Domain domain) throws IDMStoreException {
- Preconditions.checkNotNull(domain);
- Preconditions.checkNotNull(domain.getDomainid());
- Domain existing = readDomain(domain.getDomainid());
- DomainBuilder b = new DomainBuilder();
- b.setDescription(getString(domain.getDescription(), existing.getDescription()));
- b.setName(existing.getName());
- b.setEnabled(getBoolean(domain.isEnabled(), existing.isEnabled()));
- return writeDomain(b.build());
- }
-
- public List<Domain> getAllDomains() {
- InstanceIdentifier<Authentication> id = InstanceIdentifier.create(Authentication.class);
- ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
- CheckedFuture<Optional<Authentication>, ReadFailedException> read = rot.read(
- LogicalDatastoreType.CONFIGURATION, id);
- if (read == null)
- return null;
-
- try {
- if (read.get() == null)
- return null;
- if (read.get().isPresent()) {
- Authentication auth = read.get().get();
- return auth.getDomain();
- }
- } catch (Exception err) {
- LOG.error("Failed to read domains", err);
- }
- return null;
- }
-
- public List<Role> getAllRoles() {
- InstanceIdentifier<Authentication> id = InstanceIdentifier.create(Authentication.class);
- ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
- CheckedFuture<Optional<Authentication>, ReadFailedException> read = rot.read(
- LogicalDatastoreType.CONFIGURATION, id);
- if (read == null)
- return null;
-
- try {
- if (read.get() == null)
- return null;
- if (read.get().isPresent()) {
- Authentication auth = read.get().get();
- return auth.getRole();
- }
- } catch (Exception err) {
- LOG.error("Failed to read domains", err);
- }
- return null;
- }
-
- public List<User> getAllUsers() {
- InstanceIdentifier<Authentication> id = InstanceIdentifier.create(Authentication.class);
- ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
- CheckedFuture<Optional<Authentication>, ReadFailedException> read = rot.read(
- LogicalDatastoreType.CONFIGURATION, id);
- if (read == null)
- return null;
-
- try {
- if (read.get() == null)
- return null;
- if (read.get().isPresent()) {
- Authentication auth = read.get().get();
- return auth.getUser();
- }
- } catch (Exception err) {
- LOG.error("Failed to read domains", err);
- }
- return null;
- }
-
- public List<Grant> getAllGrants() {
- InstanceIdentifier<Authentication> id = InstanceIdentifier.create(Authentication.class);
- ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
- CheckedFuture<Optional<Authentication>, ReadFailedException> read = rot.read(
- LogicalDatastoreType.CONFIGURATION, id);
- if (read == null)
- return null;
-
- try {
- if (read.get() == null)
- return null;
- if (read.get().isPresent()) {
- Authentication auth = read.get().get();
- return auth.getGrant();
- }
- } catch (Exception err) {
- LOG.error("Failed to read domains", err);
- }
- return null;
- }
-
- // Role methods
- public Role writeRole(Role role) {
- Preconditions.checkNotNull(role);
- Preconditions.checkNotNull(role.getName());
- Preconditions.checkNotNull(role.getDomainid());
- Preconditions.checkNotNull(readDomain(role.getDomainid()));
- RoleBuilder b = new RoleBuilder();
- b.setDescription(role.getDescription());
- b.setRoleid(IDMStoreUtil.createRoleid(role.getName(), role.getDomainid()));
- b.setKey(new RoleKey(b.getRoleid()));
- b.setName(role.getName());
- b.setDomainid(role.getDomainid());
- role = b.build();
- InstanceIdentifier<Role> ID = InstanceIdentifier.create(Authentication.class).child(
- Role.class, new RoleKey(role.getRoleid()));
- WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
- wrt.put(LogicalDatastoreType.CONFIGURATION, ID, role, true);
- CheckedFuture<Void, TransactionCommitFailedException> submit = wrt.submit();
- if (!waitForSubmit(submit)) {
- return role;
- } else {
- return null;
- }
- }
-
- public Role readRole(String roleid) {
- Preconditions.checkNotNull(roleid);
- InstanceIdentifier<Role> ID = InstanceIdentifier.create(Authentication.class).child(
- Role.class, new RoleKey(roleid));
- ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
- CheckedFuture<Optional<Role>, ReadFailedException> read = rot.read(
- LogicalDatastoreType.CONFIGURATION, ID);
- if (read == null) {
- LOG.error("Failed to read role from data store");
- return null;
- }
- Optional<Role> optional = null;
- try {
- optional = read.get();
- } catch (InterruptedException | ExecutionException e1) {
- LOG.error("Failed to read role from data store", e1);
- return null;
- }
-
- if (optional == null)
- return null;
-
- if (!optional.isPresent())
- return null;
-
- return optional.get();
- }
-
- public Role deleteRole(String roleid) {
- Preconditions.checkNotNull(roleid);
- Role role = readRole(roleid);
- if (role == null) {
- LOG.error("Failed to delete role from data store, unknown role");
- return null;
- }
- InstanceIdentifier<Role> ID = InstanceIdentifier.create(Authentication.class).child(
- Role.class, new RoleKey(roleid));
- WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
- wrt.delete(LogicalDatastoreType.CONFIGURATION, ID);
- wrt.submit();
- return role;
- }
-
- public Role updateRole(Role role) {
- Preconditions.checkNotNull(role);
- Preconditions.checkNotNull(role.getRoleid());
- Role existing = readRole(role.getRoleid());
- RoleBuilder b = new RoleBuilder();
- b.setDescription(getString(role.getDescription(), existing.getDescription()));
- b.setName(existing.getName());
- b.setDomainid(existing.getDomainid());
- return writeRole(b.build());
- }
-
- // User methods
- public User writeUser(User user) throws IDMStoreException {
- Preconditions.checkNotNull(user);
- Preconditions.checkNotNull(user.getName());
- Preconditions.checkNotNull(user.getDomainid());
- Preconditions.checkNotNull(readDomain(user.getDomainid()));
- UserBuilder b = new UserBuilder();
- if (user.getSalt() == null) {
- b.setSalt(SHA256Calculator.generateSALT());
- } else {
- b.setSalt(user.getSalt());
- }
- b.setUserid(IDMStoreUtil.createUserid(user.getName(), user.getDomainid()));
- b.setDescription(user.getDescription());
- b.setDomainid(user.getDomainid());
- b.setEmail(user.getEmail());
- b.setEnabled(user.isEnabled());
- b.setKey(new UserKey(b.getUserid()));
- b.setName(user.getName());
- b.setPassword(SHA256Calculator.getSHA256(user.getPassword(), b.getSalt()));
- user = b.build();
- InstanceIdentifier<User> ID = InstanceIdentifier.create(Authentication.class).child(
- User.class, new UserKey(user.getUserid()));
- WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
- wrt.put(LogicalDatastoreType.CONFIGURATION, ID, user, true);
- CheckedFuture<Void, TransactionCommitFailedException> submit = wrt.submit();
- if (!waitForSubmit(submit)) {
- return user;
- } else {
- return null;
- }
- }
-
- public User readUser(String userid) {
- Preconditions.checkNotNull(userid);
- InstanceIdentifier<User> ID = InstanceIdentifier.create(Authentication.class).child(
- User.class, new UserKey(userid));
- ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
- CheckedFuture<Optional<User>, ReadFailedException> read = rot.read(
- LogicalDatastoreType.CONFIGURATION, ID);
- if (read == null) {
- LOG.error("Failed to read user from data store");
- return null;
- }
- Optional<User> optional = null;
- try {
- optional = read.get();
- } catch (InterruptedException | ExecutionException e1) {
- LOG.error("Failed to read domain from data store", e1);
- return null;
- }
-
- if (optional == null)
- return null;
-
- if (!optional.isPresent())
- return null;
-
- return optional.get();
- }
-
- public User deleteUser(String userid) {
- Preconditions.checkNotNull(userid);
- User user = readUser(userid);
- if (user == null) {
- LOG.error("Failed to delete user from data store, unknown user");
- return null;
- }
- InstanceIdentifier<User> ID = InstanceIdentifier.create(Authentication.class).child(
- User.class, new UserKey(userid));
- WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
- wrt.delete(LogicalDatastoreType.CONFIGURATION, ID);
- wrt.submit();
- return user;
- }
-
- public User updateUser(User user) throws IDMStoreException {
- Preconditions.checkNotNull(user);
- Preconditions.checkNotNull(user.getUserid());
- User existing = readUser(user.getUserid());
- UserBuilder b = new UserBuilder();
- b.setName(existing.getName());
- b.setDomainid(existing.getDomainid());
- b.setDescription(getString(user.getDescription(), existing.getDescription()));
- b.setEmail(getString(user.getEmail(), existing.getEmail()));
- b.setEnabled(getBoolean(user.isEnabled(), existing.isEnabled()));
- b.setPassword(getString(user.getPassword(), existing.getPassword()));
- b.setSalt(getString(user.getSalt(), existing.getSalt()));
- return writeUser(b.build());
- }
-
- // Grant methods
- public Grant writeGrant(Grant grant) throws IDMStoreException {
- Preconditions.checkNotNull(grant);
- Preconditions.checkNotNull(grant.getDomainid());
- Preconditions.checkNotNull(grant.getUserid());
- Preconditions.checkNotNull(grant.getRoleid());
- Preconditions.checkNotNull(readDomain(grant.getDomainid()));
- Preconditions.checkNotNull(readUser(grant.getUserid()));
- Preconditions.checkNotNull(readRole(grant.getRoleid()));
- GrantBuilder b = new GrantBuilder();
- b.setDomainid(grant.getDomainid());
- b.setRoleid(grant.getRoleid());
- b.setUserid(grant.getUserid());
- b.setGrantid(IDMStoreUtil.createGrantid(grant.getUserid(), grant.getDomainid(),
- grant.getRoleid()));
- b.setKey(new GrantKey(b.getGrantid()));
- grant = b.build();
- InstanceIdentifier<Grant> ID = InstanceIdentifier.create(Authentication.class).child(
- Grant.class, new GrantKey(grant.getGrantid()));
- WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
- wrt.put(LogicalDatastoreType.CONFIGURATION, ID, grant, true);
- CheckedFuture<Void, TransactionCommitFailedException> submit = wrt.submit();
- if (!waitForSubmit(submit)) {
- return grant;
- } else {
- return null;
- }
- }
-
- public Grant readGrant(String grantid) {
- Preconditions.checkNotNull(grantid);
- InstanceIdentifier<Grant> ID = InstanceIdentifier.create(Authentication.class).child(
- Grant.class, new GrantKey(grantid));
- ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
- CheckedFuture<Optional<Grant>, ReadFailedException> read = rot.read(
- LogicalDatastoreType.CONFIGURATION, ID);
- if (read == null) {
- LOG.error("Failed to read grant from data store");
- return null;
- }
- Optional<Grant> optional = null;
- try {
- optional = read.get();
- } catch (InterruptedException | ExecutionException e1) {
- LOG.error("Failed to read domain from data store", e1);
- return null;
- }
-
- if (optional == null)
- return null;
-
- if (!optional.isPresent())
- return null;
-
- return optional.get();
- }
-
- public Grant deleteGrant(String grantid) {
- Preconditions.checkNotNull(grantid);
- Grant grant = readGrant(grantid);
- if (grant == null) {
- LOG.error("Failed to delete grant from data store, unknown grant");
- return null;
- }
- InstanceIdentifier<Grant> ID = InstanceIdentifier.create(Authentication.class).child(
- Grant.class, new GrantKey(grantid));
- WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
- wrt.delete(LogicalDatastoreType.CONFIGURATION, ID);
- wrt.submit();
- return grant;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMObject2MDSAL.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMObject2MDSAL.java
deleted file mode 100644
index 0b58ced7..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMObject2MDSAL.java
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import java.lang.reflect.Method;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserBuilder;
-import org.opendaylight.yangtools.yang.binding.DataObject;
-/**
- *
- * @author saichler@gmail.com
- *
- * This class is a codec to convert between MDSAL objects and IDM model objects. It is doing so via reflection when it assumes that the MDSAL
- * Object and the IDM model object has the same method names.
- */
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * @author Sharon Aicler - saichler@cisco.com
- *
- */
-public abstract class IDMObject2MDSAL {
- private static final Logger LOG = LoggerFactory.getLogger(IDMObject2MDSAL.class);
- // this is a Map mapping between the class type of the IDM Model object to a
- // structure containing the corresponding setters and getter methods
- // in MDSAL object
- private static Map<Class<?>, ConvertionMethods> typesMethods = new HashMap<Class<?>, ConvertionMethods>();
-
- // This method generically via reflection receive a MDSAL object and the
- // corresponding IDM model object class type and
- // creates an IDM model element from the MDSAL element
- private static Object fromMDSALObject(Object mdsalObject, Class<?> type) throws Exception {
- if (mdsalObject == null)
- return null;
- Object result = type.newInstance();
- ConvertionMethods cm = typesMethods.get(type);
- if (cm == null) {
- cm = new ConvertionMethods();
- typesMethods.put(type, cm);
- Method methods[] = type.getMethods();
- for (Method m : methods) {
- if (m.getName().startsWith("set")) {
- cm.setMethods.add(m);
- Method gm = null;
- if (m.getParameterTypes()[0].equals(Boolean.class)
- || m.getParameterTypes()[0].equals(boolean.class))
- gm = ((DataObject) mdsalObject).getImplementedInterface().getMethod(
- "is" + m.getName().substring(3), (Class[]) null);
- else {
- try {
- gm = ((DataObject) mdsalObject).getImplementedInterface().getMethod(
- "get" + m.getName().substring(3), (Class[]) null);
- } catch (Exception err) {
- LOG.error("Error associating get call", err);
- }
- }
- cm.getMethods.put(m.getName(), gm);
- }
- }
- }
- for (Method m : cm.setMethods) {
- try {
- m.invoke(
- result,
- new Object[] { cm.getMethods.get(m.getName()).invoke(mdsalObject,
- (Object[]) null) });
- } catch (Exception err) {
- LOG.error("Error invoking reflection method", err);
- }
- }
- return result;
- }
-
- // This method generically use reflection to receive an IDM model object and
- // the corresponsing MDSAL object and creates
- // a MDSAL object out of the IDM model object
- private static Object toMDSALObject(Object object, Class<?> mdSalBuilderType) throws Exception {
- if (object == null)
- return null;
- Object result = mdSalBuilderType.newInstance();
- ConvertionMethods cm = typesMethods.get(mdSalBuilderType);
- if (cm == null) {
- cm = new ConvertionMethods();
- typesMethods.put(mdSalBuilderType, cm);
- Method methods[] = mdSalBuilderType.getMethods();
- for (Method m : methods) {
- if (m.getName().startsWith("set")) {
- try {
- Method gm = null;
- if (m.getParameterTypes()[0].equals(Boolean.class)
- || m.getParameterTypes()[0].equals(boolean.class))
- gm = object.getClass().getMethod("is" + m.getName().substring(3),
- (Class[]) null);
- else
- gm = object.getClass().getMethod("get" + m.getName().substring(3),
- (Class[]) null);
- cm.getMethods.put(m.getName(), gm);
- cm.setMethods.add(m);
- } catch (NoSuchMethodException err) {
- }
- }
- }
- cm.builderMethod = mdSalBuilderType.getMethod("build", (Class[]) null);
- }
- for (Method m : cm.setMethods) {
- m.invoke(result,
- new Object[] { cm.getMethods.get(m.getName()).invoke(object, (Object[]) null) });
- }
-
- return cm.builderMethod.invoke(result, (Object[]) null);
- }
-
- // A struccture class to hold the getters & setters of each type to speed
- // things up
- private static class ConvertionMethods {
- private List<Method> setMethods = new ArrayList<Method>();
- private Map<String, Method> getMethods = new HashMap<String, Method>();
- private Method builderMethod = null;
- }
-
- // Convert Domain
- public static org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain toMDSALDomain(
- Domain domain) {
- try {
- return (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain) toMDSALObject(
- domain, DomainBuilder.class);
- } catch (Exception err) {
- LOG.error("Error converting domain to MDSAL object", err);
- return null;
- }
- }
-
- public static Domain toIDMDomain(
- org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain domain) {
- try {
- return (Domain) fromMDSALObject(domain, Domain.class);
- } catch (Exception err) {
- LOG.error("Error converting domain from MDSAL to IDM object", err);
- return null;
- }
- }
-
- // Convert Role
- public static org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role toMDSALRole(
- Role role) {
- try {
- return (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role) toMDSALObject(
- role, RoleBuilder.class);
- } catch (Exception err) {
- LOG.error("Error converting role to MDSAL object", err);
- return null;
- }
- }
-
- public static Role toIDMRole(
- org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role role) {
- try {
- return (Role) fromMDSALObject(role, Role.class);
- } catch (Exception err) {
- LOG.error("Error converting role fom MDSAL to IDM object", err);
- return null;
- }
- }
-
- // Convert User
- public static org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User toMDSALUser(
- User user) {
- try {
- return (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User) toMDSALObject(
- user, UserBuilder.class);
- } catch (Exception err) {
- LOG.error("Error converting user to MDSAL object", err);
- return null;
- }
- }
-
- public static User toIDMUser(
- org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User user) {
- try {
- return (User) fromMDSALObject(user, User.class);
- } catch (Exception err) {
- LOG.error("Error converting user from MDSAL to IDM object", err);
- return null;
- }
- }
-
- // Convert Grant
- public static org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant toMDSALGrant(
- Grant grant) {
- try {
- return (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant) toMDSALObject(
- grant, GrantBuilder.class);
- } catch (Exception err) {
- LOG.error("Error converting grant to MDSAL object", err);
- return null;
- }
- }
-
- public static Grant toIDMGrant(
- org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant grant) {
- try {
- return (Grant) fromMDSALObject(grant, Grant.class);
- } catch (Exception err) {
- LOG.error("Error converting grant from MDSAL to IDM object", err);
- return null;
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMStore.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMStore.java
deleted file mode 100644
index 69bc1d52..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMStore.java
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import java.util.List;
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.IDMStoreUtil;
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Domains;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Grants;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.Roles;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.Users;
-
-/**
- * @author Sharon Aicler - saichler@cisco.com
- *
- */
-public class IDMStore implements IIDMStore {
- private final IDMMDSALStore mdsalStore;
-
- public IDMStore(IDMMDSALStore mdsalStore) {
- this.mdsalStore = mdsalStore;
- }
-
- @Override
- public Domain writeDomain(Domain domain) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMDomain(mdsalStore.writeDomain(IDMObject2MDSAL.toMDSALDomain(domain)));
- }
-
- @Override
- public Domain readDomain(String domainid) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMDomain(mdsalStore.readDomain(domainid));
- }
-
- @Override
- public Domain deleteDomain(String domainid) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMDomain(mdsalStore.deleteDomain(domainid));
- }
-
- @Override
- public Domain updateDomain(Domain domain) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMDomain(mdsalStore.updateDomain(IDMObject2MDSAL.toMDSALDomain(domain)));
- }
-
- @Override
- public Domains getDomains() throws IDMStoreException {
- Domains domains = new Domains();
- List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain> mdSalDomains = mdsalStore.getAllDomains();
- for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain d : mdSalDomains) {
- domains.getDomains().add(IDMObject2MDSAL.toIDMDomain(d));
- }
- return domains;
- }
-
- @Override
- public Role writeRole(Role role) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMRole(mdsalStore.writeRole(IDMObject2MDSAL.toMDSALRole(role)));
- }
-
- @Override
- public Role readRole(String roleid) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMRole(mdsalStore.readRole(roleid));
- }
-
- @Override
- public Role deleteRole(String roleid) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMRole(mdsalStore.deleteRole(roleid));
- }
-
- @Override
- public Role updateRole(Role role) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMRole(mdsalStore.writeRole(IDMObject2MDSAL.toMDSALRole(role)));
- }
-
- @Override
- public User writeUser(User user) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMUser(mdsalStore.writeUser(IDMObject2MDSAL.toMDSALUser(user)));
- }
-
- @Override
- public User readUser(String userid) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMUser(mdsalStore.readUser(userid));
- }
-
- @Override
- public User deleteUser(String userid) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMUser(mdsalStore.deleteUser(userid));
- }
-
- @Override
- public User updateUser(User user) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMUser(mdsalStore.writeUser(IDMObject2MDSAL.toMDSALUser(user)));
- }
-
- @Override
- public Grant writeGrant(Grant grant) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMGrant(mdsalStore.writeGrant(IDMObject2MDSAL.toMDSALGrant(grant)));
- }
-
- @Override
- public Grant readGrant(String grantid) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMGrant(mdsalStore.readGrant(grantid));
- }
-
- @Override
- public Grant deleteGrant(String grantid) throws IDMStoreException {
- return IDMObject2MDSAL.toIDMGrant(mdsalStore.readGrant(grantid));
- }
-
- @Override
- public Roles getRoles() throws IDMStoreException {
- Roles roles = new Roles();
- List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role> mdSalRoles = mdsalStore.getAllRoles();
- for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role r : mdSalRoles) {
- roles.getRoles().add(IDMObject2MDSAL.toIDMRole(r));
- }
- return roles;
- }
-
- @Override
- public Users getUsers() throws IDMStoreException {
- Users users = new Users();
- List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User> mdSalUsers = mdsalStore.getAllUsers();
- for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User u : mdSalUsers) {
- users.getUsers().add(IDMObject2MDSAL.toIDMUser(u));
- }
- return users;
- }
-
- @Override
- public Users getUsers(String username, String domain) throws IDMStoreException {
- Users users = new Users();
- List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User> mdSalUsers = mdsalStore.getAllUsers();
- for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User u : mdSalUsers) {
- if (u.getDomainid().equals(domain) && u.getName().equals(username)) {
- users.getUsers().add(IDMObject2MDSAL.toIDMUser(u));
- }
- }
- return users;
- }
-
- @Override
- public Grants getGrants(String domainid, String userid) throws IDMStoreException {
- Grants grants = new Grants();
- List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant> mdSalGrants = mdsalStore.getAllGrants();
- String currentGrantUserId, currentGrantDomainId;
- for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant g : mdSalGrants) {
- currentGrantUserId = g.getUserid();
- currentGrantDomainId = g.getDomainid();
- if (currentGrantUserId.equals(userid) && currentGrantDomainId.equals(domainid)) {
- grants.getGrants().add(IDMObject2MDSAL.toIDMGrant(g));
- }
- }
- return grants;
- }
-
- @Override
- public Grants getGrants(String userid) throws IDMStoreException {
- Grants grants = new Grants();
- List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant> mdSalGrants = mdsalStore.getAllGrants();
- for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant g : mdSalGrants) {
- if (g.getUserid().equals(userid)) {
- grants.getGrants().add(IDMObject2MDSAL.toIDMGrant(g));
- }
- }
- return grants;
- }
-
- @Override
- public Grant readGrant(String domainid, String userid, String roleid) throws IDMStoreException {
- return readGrant(IDMStoreUtil.createGrantid(userid, domainid, roleid));
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtil.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtil.java
deleted file mode 100644
index 6ef58109..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtil.java
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authn.mdsal.store.util;
-
-import java.math.BigInteger;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-import org.opendaylight.aaa.AuthenticationBuilder;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.TokenCacheTimes;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.Tokencache;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenList;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenListBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenListKey;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokens;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokensBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokensKey;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.Claims;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.ClaimsBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.ClaimsKey;
-import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
-
-public class AuthNStoreUtil {
-
- public static InstanceIdentifier<Claims> createInstIdentifierForTokencache(String token) {
- if (token == null || token.length() == 0)
- return null;
-
- InstanceIdentifier<Claims> claims_iid = InstanceIdentifier.builder(Tokencache.class)
- .child(Claims.class,
- new ClaimsKey(token))
- .build();
- return claims_iid;
- }
-
- public static InstanceIdentifier<UserTokens> createInstIdentifierUserTokens(String userId,
- String token) {
- if (userId == null || userId.length() == 0 || token == null || token.length() == 0)
- return null;
-
- InstanceIdentifier<UserTokens> userTokens_iid = InstanceIdentifier.builder(
- TokenCacheTimes.class)
- .child(TokenList.class,
- new TokenListKey(
- userId))
- .child(UserTokens.class,
- new UserTokensKey(
- token))
- .build();
- return userTokens_iid;
- }
-
- public static Claims createClaimsRecord(String token, Authentication auth) {
- if (auth == null || token == null || token.length() == 0)
- return null;
-
- ClaimsKey claimsKey = new ClaimsKey(token);
- ClaimsBuilder claimsBuilder = new ClaimsBuilder();
- claimsBuilder.setClientId(auth.clientId());
- claimsBuilder.setDomain(auth.domain());
- claimsBuilder.setKey(claimsKey);
- List<String> roles = new ArrayList<String>();
- roles.addAll(auth.roles());
- claimsBuilder.setRoles(roles);
- claimsBuilder.setToken(token);
- claimsBuilder.setUser(auth.user());
- claimsBuilder.setUserId(auth.userId());
- return claimsBuilder.build();
- }
-
- public static UserTokens createUserTokens(String token, Long expiration) {
- if (expiration == null || token == null || token.length() == 0)
- return null;
-
- UserTokensBuilder userTokensBuilder = new UserTokensBuilder();
- userTokensBuilder.setTokenid(token);
- BigInteger timestamp = BigInteger.valueOf(System.currentTimeMillis());
- userTokensBuilder.setTimestamp(timestamp);
- userTokensBuilder.setExpiration(expiration);
- userTokensBuilder.setKey(new UserTokensKey(token));
- return userTokensBuilder.build();
- }
-
- public static TokenList createTokenList(UserTokens tokens, String userId) {
- if (tokens == null || userId == null || userId.length() == 0)
- return null;
-
- TokenListBuilder tokenListBuilder = new TokenListBuilder();
- tokenListBuilder.setUserId(userId);
- tokenListBuilder.setKey(new TokenListKey(userId));
- List<UserTokens> userTokens = new ArrayList<UserTokens>();
- userTokens.add(tokens);
- tokenListBuilder.setUserTokens(userTokens);
- return tokenListBuilder.build();
- }
-
- public static Authentication convertClaimToAuthentication(final Claims claims, Long expiration) {
- if (claims == null)
- return null;
-
- Claim claim = new Claim() {
- @Override
- public String clientId() {
- return claims.getClientId();
- }
-
- @Override
- public String userId() {
- return claims.getUserId();
- }
-
- @Override
- public String user() {
- return claims.getUser();
- }
-
- @Override
- public String domain() {
- return claims.getDomain();
- }
-
- @Override
- public Set<String> roles() {
- return new HashSet<>(claims.getRoles());
- }
- };
- AuthenticationBuilder authBuilder = new AuthenticationBuilder(claim);
- authBuilder.setExpiration(expiration);
- return authBuilder.build();
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModule.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModule.java
deleted file mode 100644
index 0631170e..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModule.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- *
- */
-
-package org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031;
-
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.api.TokenStore;
-import org.opendaylight.aaa.authn.mdsal.store.AuthNStore;
-import org.opendaylight.aaa.authn.mdsal.store.IDMMDSALStore;
-import org.opendaylight.aaa.authn.mdsal.store.IDMStore;
-import org.opendaylight.controller.md.sal.binding.api.DataBroker;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.ServiceRegistration;
-
-public class AuthNStoreModule
- extends
- org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031.AbstractAuthNStoreModule {
- private BundleContext bundleContext;
-
- public AuthNStoreModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier,
- org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) {
- super(identifier, dependencyResolver);
- }
-
- public AuthNStoreModule(
- org.opendaylight.controller.config.api.ModuleIdentifier identifier,
- org.opendaylight.controller.config.api.DependencyResolver dependencyResolver,
- org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031.AuthNStoreModule oldModule,
- java.lang.AutoCloseable oldInstance) {
- super(identifier, dependencyResolver, oldModule, oldInstance);
- }
-
- @Override
- public void customValidation() {
- // add custom validation form module attributes here.
- }
-
- @Override
- public java.lang.AutoCloseable createInstance() {
-
- DataBroker dataBrokerService = getDataBrokerDependency();
- final AuthNStore authNStore = new AuthNStore(dataBrokerService, getPassword());
- final IDMMDSALStore mdsalStore = new IDMMDSALStore(dataBrokerService);
- final IDMStore idmStore = new IDMStore(mdsalStore);
-
- authNStore.setTimeToLive(getTimeToLive());
-
- // Register the MD-SAL Token store with OSGI
- final ServiceRegistration<?> serviceRegistration = bundleContext.registerService(
- TokenStore.class.getName(), authNStore, null);
- final ServiceRegistration<?> idmServiceRegistration = bundleContext.registerService(
- IIDMStore.class.getName(), idmStore, null);
- final class AutoCloseableStore implements AutoCloseable {
-
- @Override
- public void close() throws Exception {
- serviceRegistration.unregister();
- idmServiceRegistration.unregister();
- authNStore.close();
- }
- }
-
- return new AutoCloseableStore();
-
- // return authNStore;
-
- // throw new java.lang.UnsupportedOperationException();
- }
-
- /**
- * @param bundleContext
- */
- public void setBundleContext(BundleContext bundleContext) {
- this.bundleContext = bundleContext;
- }
-
- /**
- * @return the bundleContext
- */
- public BundleContext getBundleContext() {
- return bundleContext;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModuleFactory.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModuleFactory.java
deleted file mode 100644
index b1e278fa..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModuleFactory.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- *
- */
-
-/*
- * Generated file
- *
- * Generated from: yang module name: aaa-authn-mdsal-store-cfg yang module local name: aaa-authn-mdsal-store
- * Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
- * Generated at: Thu Mar 19 18:06:18 CET 2015
- *
- * Do not modify this file unless it is present under src/main directory
- */
-package org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031;
-
-import org.opendaylight.controller.config.api.DependencyResolver;
-import org.osgi.framework.BundleContext;
-
-public class AuthNStoreModuleFactory
- extends
- org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031.AbstractAuthNStoreModuleFactory {
-
- @Override
- public AuthNStoreModule instantiateModule(String instanceName,
- DependencyResolver dependencyResolver, BundleContext bundleContext) {
- AuthNStoreModule module = super.instantiateModule(instanceName, dependencyResolver,
- bundleContext);
- module.setBundleContext(bundleContext);
- return module;
- }
-
- @Override
- public AuthNStoreModule instantiateModule(String instanceName,
- DependencyResolver dependencyResolver, AuthNStoreModule oldModule,
- AutoCloseable oldInstance, BundleContext bundleContext) {
- AuthNStoreModule module = super.instantiateModule(instanceName, dependencyResolver,
- oldModule, oldInstance, bundleContext);
- module.setBundleContext(bundleContext);
- return module;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/yang/aaa-authn-mdsal-store-cfg.yang b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/yang/aaa-authn-mdsal-store-cfg.yang
deleted file mode 100644
index eac344b8..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/yang/aaa-authn-mdsal-store-cfg.yang
+++ /dev/null
@@ -1,77 +0,0 @@
-module aaa-authn-mdsal-store-cfg {
-
- yang-version 1;
- namespace "config:aaa:authn:mdsal:store";
- prefix "aaa-authn-store-cfg";
-
- import config { prefix config; revision-date 2013-04-05; }
- import rpc-context { prefix rpcx; revision-date 2013-06-17; }
- import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; }
- import opendaylight-md-sal-dom {prefix dom;}
-
-
- description
- "This module contains the base YANG definitions for
- AuthN MD-SAL backed data cache implementation.";
-
- revision "2014-10-31" {
- description
- "Initial revision.";
- }
-
- identity token-store-service{
- base config:service-type;
- config:java-class "org.opendaylight.aaa.api.TokenStore";
- }
-
-
- // This is the definition of the service implementation as a module identity.
- identity aaa-authn-mdsal-store {
- base config:module-type;
- // Specifies the prefix for generated java classes.
- config:java-name-prefix AuthNStore;
- config:provided-service token-store-service;
- }
-
- // Augments the 'configuration' choice node under modules/module.
-
- augment "/config:modules/config:module/config:configuration" {
- case aaa-authn-mdsal-store {
- when "/config:modules/config:module/config:type = 'aaa-authn-mdsal-store'";
-
- //Defines reference to the Bundle context and MD-SAL data broker
- container dom-broker {
- uses config:service-ref {
- refine type {
- mandatory true;
- config:required-identity dom:dom-broker-osgi-registry;
- }
- }
- }
- container data-broker {
- uses config:service-ref {
- refine type {
- mandatory true;
- config:required-identity mdsal:binding-async-data-broker;
-
- }
- }
- }
-
- leaf timeToLive {
- description "Time to live for tokens. When set to 0 = never expire";
- type uint64;
- default 360000;
- }
- leaf timeToWait {
- description "Time to wait for future from data store. 10 by default = never expire";
- type uint16;
- default 10;
- }
- leaf password {
- description "Encryption password for the Store";
- type string;
- }
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataBrokerReadMocker.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataBrokerReadMocker.java
deleted file mode 100644
index f821cf16..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataBrokerReadMocker.java
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import java.lang.reflect.InvocationHandler;
-import java.lang.reflect.Method;
-import java.lang.reflect.Proxy;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-public class DataBrokerReadMocker implements InvocationHandler {
- private Map<Method, List<StubContainer>> stubs = new HashMap<Method, List<StubContainer>>();
- private Class<?> mokingClass = null;
-
- @Override
- public Object invoke(Object arg0, Method arg1, Object[] arg2) throws Throwable {
- List<StubContainer> stList = stubs.get(arg1);
- if (stList != null) {
- for (StubContainer sc : stList) {
- if (sc.fitGeneric(arg2)) {
- return sc.returnObject;
- }
- }
- }
- return null;
- }
-
- public DataBrokerReadMocker(Class<?> cls) {
- this.mokingClass = cls;
- }
-
- public static Object addMock(Class<?> cls) {
- return Proxy.newProxyInstance(cls.getClassLoader(), new Class[] { cls },
- new DataBrokerReadMocker(cls));
- }
-
- public static DataBrokerReadMocker getMocker(Object o) {
- return (DataBrokerReadMocker) Proxy.getInvocationHandler(o);
- }
-
- public static Method findMethod(Class<?> cls, String name, Object args[]) {
- Method methods[] = cls.getMethods();
- for (Method m : methods) {
- if (m.getName().equals(name)) {
- if ((m.getParameterTypes() == null || m.getParameterTypes().length == 0)
- && args == null) {
- return m;
- }
- boolean match = true;
- for (int i = 0; i < m.getParameterTypes().length; i++) {
- if (!m.getParameterTypes()[i].isAssignableFrom(args[i].getClass())) {
- match = false;
- }
- }
- if (match)
- return m;
- }
- }
- return null;
- }
-
- public void addWhen(String methodName, Object[] args, Object returnThis)
- throws NoSuchMethodException, SecurityException {
- Method m = findMethod(this.mokingClass, methodName, args);
- if (m == null)
- throw new IllegalArgumentException("Unable to find method");
- StubContainer sc = new StubContainer(args, returnThis);
- List<StubContainer> lst = stubs.get(m);
- if (lst == null) {
- lst = new ArrayList<>();
- }
- lst.add(sc);
- stubs.put(m, lst);
- }
-
- private class StubContainer {
- private Class<?>[] parameters = null;
- private Class<?>[] generics = null;
- private Object args[] = null;
- private Object returnObject;
-
- public StubContainer(Object[] _args, Object ret) {
- this.args = _args;
- this.returnObject = ret;
- }
-
- public boolean fitGeneric(Object _args[]) {
- if (args == null && _args != null)
- return false;
- if (args != null && _args == null)
- return false;
- if (args == null && _args == null)
- return true;
- if (args.length != _args.length)
- return false;
- for (int i = 0; i < args.length; i++) {
- if (!args[i].equals(_args[i])) {
- return false;
- }
- }
- return true;
- }
- }
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypterTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypterTest.java
deleted file mode 100644
index eec69bc0..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypterTest.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import static org.junit.Assert.assertEquals;
-
-import javax.xml.bind.DatatypeConverter;
-import org.junit.Test;
-
-public class DataEncrypterTest {
-
- @Test
- public void testEncrypt() {
- DataEncrypter dataEncry = new DataEncrypter("foo_key_test");
- String token = "foo_token_test";
- String eToken = dataEncry.encrypt(token);
- // check for decryption result
- String returnToken = dataEncry.decrypt(eToken);
- String tokenBase64 = DatatypeConverter.printBase64Binary(token.getBytes());
- assertEquals(tokenBase64, returnToken);
- }
-
- @Test
- public void testDecrypt() {
- DataEncrypter dataEncry = new DataEncrypter("foo_key_test");
- String eToken = "foo_etoken_test";
- assertEquals(dataEncry.decrypt(""), null);
- // check for encryption Tag
- assertEquals(eToken, dataEncry.decrypt(eToken));
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTest.java
deleted file mode 100644
index f376dd5f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTest.java
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import org.junit.Assert;
-import org.junit.Test;
-import org.opendaylight.aaa.api.IDMStoreUtil;
-import org.opendaylight.aaa.api.SHA256Calculator;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User;
-
-public class IDMStoreTest {
-
- @Test
- public void testWriteDomain() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoFordomain();
- Domain domain = testedObject.writeDomain(util.domain);
- Assert.assertNotNull(domain);
- Assert.assertEquals(domain.getDomainid(), util.domain.getName());
- }
-
- @Test
- public void testReadDomain() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoFordomain();
- Domain domain = testedObject.readDomain(util.domain.getDomainid());
- Assert.assertNotNull(domain);
- Assert.assertEquals(domain, util.domain);
- }
-
- @Test
- public void testDeleteDomain() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoFordomain();
- Domain domain = testedObject.deleteDomain(util.domain.getDomainid());
- Assert.assertEquals(domain, util.domain);
- }
-
- @Test
- public void testUpdateDomain() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoFordomain();
- Domain domain = testedObject.updateDomain(util.domain);
- Assert.assertEquals(domain, util.domain);
- }
-
- @Test
- public void testWriteRole() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForrole();
- util.addMokitoFordomain();
- Role role = testedObject.writeRole(util.role);
- Assert.assertNotNull(role);
- Assert.assertEquals(role.getRoleid(),
- IDMStoreUtil.createRoleid(role.getName(), role.getDomainid()));
- }
-
- @Test
- public void testReadRole() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForrole();
- Role role = testedObject.readRole(util.role.getRoleid());
- Assert.assertNotNull(role);
- Assert.assertEquals(role, util.role);
- }
-
- @Test
- public void testDeleteRole() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForrole();
- Role role = testedObject.deleteRole(util.role.getRoleid());
- Assert.assertNotNull(role);
- Assert.assertEquals(role, util.role);
- }
-
- @Test
- public void testUpdateRole() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForrole();
- Role role = testedObject.updateRole(util.role);
- Assert.assertNotNull(role);
- Assert.assertEquals(role, util.role);
- }
-
- @Test
- public void testWriteUser() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForuser();
- User user = testedObject.writeUser(util.user);
- Assert.assertNotNull(user);
- Assert.assertEquals(user.getUserid(),
- IDMStoreUtil.createUserid(user.getName(), util.user.getDomainid()));
- }
-
- @Test
- public void testReadUser() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForuser();
- User user = testedObject.readUser(util.user.getUserid());
- Assert.assertNotNull(user);
- Assert.assertEquals(user, util.user);
- }
-
- @Test
- public void testDeleteUser() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForuser();
- User user = testedObject.deleteUser(util.user.getUserid());
- Assert.assertNotNull(user);
- Assert.assertEquals(user, util.user);
- }
-
- @Test
- public void testUpdateUser() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForuser();
- User user = testedObject.updateUser(util.user);
- Assert.assertNotNull(user);
- Assert.assertEquals(user.getPassword(),
- SHA256Calculator.getSHA256(util.user.getPassword(), util.user.getSalt()));
- }
-
- @Test
- public void testWriteGrant() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoFordomain();
- util.addMokitoForrole();
- util.addMokitoForuser();
- util.addMokitoForgrant();
- Grant grant = testedObject.writeGrant(util.grant);
- Assert.assertNotNull(grant);
- }
-
- @Test
- public void testReadGrant() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForgrant();
- Grant grant = testedObject.readGrant(util.grant.getGrantid());
- Assert.assertNotNull(grant);
- Assert.assertEquals(grant, util.grant);
- }
-
- @Test
- public void testDeleteGrant() throws Exception {
- IDMStoreTestUtil util = new IDMStoreTestUtil();
- IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
- util.addMokitoForgrant();
- Grant grant = testedObject.deleteGrant(util.grant.getGrantid());
- Assert.assertNotNull(grant);
- Assert.assertEquals(grant, util.grant);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTestUtil.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTestUtil.java
deleted file mode 100644
index 39eeadb4..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTestUtil.java
+++ /dev/null
@@ -1,181 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-import com.google.common.base.Optional;
-import com.google.common.util.concurrent.CheckedFuture;
-import java.util.concurrent.ExecutionException;
-import org.opendaylight.aaa.api.IDMStoreUtil;
-import org.opendaylight.controller.md.sal.binding.api.DataBroker;
-import org.opendaylight.controller.md.sal.binding.api.ReadOnlyTransaction;
-import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
-import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
-import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.Authentication;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainKey;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantKey;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleKey;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserKey;
-import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
-
-public class IDMStoreTestUtil {
- /* DataBroker mocked with Mokito */
- protected static DataBroker dataBroker = mock(DataBroker.class);
- protected static WriteTransaction wrt = mock(WriteTransaction.class);
- protected static ReadOnlyTransaction rot = null;
-
- static {
- rot = (ReadOnlyTransaction) DataBrokerReadMocker.addMock(ReadOnlyTransaction.class);
- when(dataBroker.newReadOnlyTransaction()).thenReturn(rot);
- when(dataBroker.newWriteOnlyTransaction()).thenReturn(wrt);
- }
-
- /* Domain Data Object Instance */
- public Domain domain = createdomain();
-
- /* Domain create Method */
- public Domain createdomain() {
- /* Start of Domain builder */
- DomainBuilder domainbuilder = new DomainBuilder();
- domainbuilder.setName("SETNAME");
- domainbuilder.setDomainid("SETNAME");
- domainbuilder.setKey(new DomainKey("SETNAME"));
- domainbuilder.setDescription("SETDESCRIPTION");
- domainbuilder.setEnabled(true);
- /* End of Domain builder */
- return domainbuilder.build();
- }
-
- /* Role Data Object Instance */
- public Role role = createrole();
-
- /* Role create Method */
- public Role createrole() {
- /* Start of Role builder */
- RoleBuilder rolebuilder = new RoleBuilder();
- rolebuilder.setRoleid("SETNAME@SETNAME");
- rolebuilder.setName("SETNAME");
- rolebuilder.setKey(new RoleKey(rolebuilder.getRoleid()));
- rolebuilder.setDomainid(createdomain().getDomainid());
- rolebuilder.setDescription("SETDESCRIPTION");
- /* End of Role builder */
- return rolebuilder.build();
- }
-
- /* User Data Object Instance */
- public User user = createuser();
-
- /* User create Method */
- public User createuser() {
- /* Start of User builder */
- UserBuilder userbuilder = new UserBuilder();
- userbuilder.setUserid("SETNAME@SETNAME");
- userbuilder.setName("SETNAME");
- userbuilder.setKey(new UserKey(userbuilder.getUserid()));
- userbuilder.setDomainid(createdomain().getDomainid());
- userbuilder.setEmail("SETEMAIL");
- userbuilder.setPassword("SETPASSWORD");
- userbuilder.setSalt("SETSALT");
- userbuilder.setEnabled(true);
- userbuilder.setDescription("SETDESCRIPTION");
- /* End of User builder */
- return userbuilder.build();
- }
-
- /* Grant Data Object Instance */
- public Grant grant = creategrant();
-
- /* Grant create Method */
- public Grant creategrant() {
- /* Start of Grant builder */
- GrantBuilder grantbuilder = new GrantBuilder();
- grantbuilder.setDomainid(createdomain().getDomainid());
- grantbuilder.setRoleid(createrole().getRoleid());
- grantbuilder.setUserid(createuser().getUserid());
- grantbuilder.setGrantid(IDMStoreUtil.createGrantid(grantbuilder.getUserid(),
- grantbuilder.getDomainid(), grantbuilder.getRoleid()));
- grantbuilder.setKey(new GrantKey(grantbuilder.getGrantid()));
- /* End of Grant builder */
- return grantbuilder.build();
- }
-
- /* InstanceIdentifier for Grant instance grant */
- public InstanceIdentifier<Grant> grantID = InstanceIdentifier.create(Authentication.class)
- .child(Grant.class,
- creategrant().getKey());
-
- /* Mokito DataBroker method for grant Data Object */
- public void addMokitoForgrant() throws NoSuchMethodException, SecurityException, InterruptedException, ExecutionException {
- CheckedFuture<Optional<Grant>, ReadFailedException> read = mock(CheckedFuture.class);
- DataBrokerReadMocker.getMocker(rot).addWhen("read",
- new Object[] { LogicalDatastoreType.CONFIGURATION, grantID }, read);
- Optional<Grant> optional = mock(Optional.class);
- when(read.get()).thenReturn(optional);
- when(optional.get()).thenReturn(grant);
- when(optional.isPresent()).thenReturn(true);
- }
-
- /* InstanceIdentifier for Domain instance domain */
- public InstanceIdentifier<Domain> domainID = InstanceIdentifier.create(Authentication.class)
- .child(Domain.class,
- new DomainKey(
- new String(
- "SETNAME")));
-
- /* Mokito DataBroker method for domain Data Object */
- public void addMokitoFordomain() throws NoSuchMethodException, SecurityException, InterruptedException, ExecutionException {
- CheckedFuture<Optional<Domain>, ReadFailedException> read = mock(CheckedFuture.class);
- DataBrokerReadMocker.getMocker(rot).addWhen("read",
- new Object[] { LogicalDatastoreType.CONFIGURATION, domainID }, read);
- Optional<Domain> optional = mock(Optional.class);
- when(read.get()).thenReturn(optional);
- when(optional.get()).thenReturn(domain);
- when(optional.isPresent()).thenReturn(true);
- }
-
- /* InstanceIdentifier for Role instance role */
- public InstanceIdentifier<Role> roleID = InstanceIdentifier.create(Authentication.class).child(
- Role.class, createrole().getKey());
-
- /* Mokito DataBroker method for role Data Object */
- public void addMokitoForrole() throws NoSuchMethodException, SecurityException, InterruptedException, ExecutionException {
- CheckedFuture<Optional<Role>, ReadFailedException> read = mock(CheckedFuture.class);
- DataBrokerReadMocker.getMocker(rot).addWhen("read",
- new Object[] { LogicalDatastoreType.CONFIGURATION, roleID }, read);
- Optional<Role> optional = mock(Optional.class);
- when(read.get()).thenReturn(optional);
- when(optional.get()).thenReturn(role);
- when(optional.isPresent()).thenReturn(true);
- }
-
- /* InstanceIdentifier for User instance user */
- public InstanceIdentifier<User> userID = InstanceIdentifier.create(Authentication.class).child(
- User.class, createuser().getKey());
-
- /* Mokito DataBroker method for user Data Object */
- public void addMokitoForuser() throws NoSuchMethodException, SecurityException, InterruptedException, ExecutionException {
- CheckedFuture<Optional<User>, ReadFailedException> read = mock(CheckedFuture.class);
- DataBrokerReadMocker.getMocker(rot).addWhen("read",
- new Object[] { LogicalDatastoreType.CONFIGURATION, userID }, read);
- Optional<User> optional = mock(Optional.class);
- when(read.get()).thenReturn(optional);
- when(optional.get()).thenReturn(user);
- when(optional.isPresent()).thenReturn(true);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/MDSALConvertTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/MDSALConvertTest.java
deleted file mode 100644
index 9b7c9712..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/MDSALConvertTest.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authn.mdsal.store;
-
-import org.junit.Assert;
-import org.junit.Test;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.User;
-
-public class MDSALConvertTest {
- @Test
- public void testConvertDomain() {
- Domain d = new Domain();
- d.setDescription("hello");
- d.setDomainid("hello");
- d.setEnabled(true);
- d.setName("Hello");
- org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain mdsalDomain = IDMObject2MDSAL.toMDSALDomain(d);
- Assert.assertNotNull(mdsalDomain);
- Domain d2 = IDMObject2MDSAL.toIDMDomain(mdsalDomain);
- Assert.assertNotNull(d2);
- Assert.assertEquals(d, d2);
- }
-
- @Test
- public void testConvertRole() {
- Role r = new Role();
- r.setDescription("hello");
- r.setRoleid("Hello@hello");
- r.setName("Hello");
- r.setDomainid("hello");
- org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role mdsalRole = IDMObject2MDSAL.toMDSALRole(r);
- Assert.assertNotNull(mdsalRole);
- Role r2 = IDMObject2MDSAL.toIDMRole(mdsalRole);
- Assert.assertNotNull(r2);
- Assert.assertEquals(r, r2);
- }
-
- @Test
- public void testConvertUser() {
- User u = new User();
- u.setDescription("hello");
- u.setDomainid("hello");
- u.setUserid("hello@hello");
- u.setName("Hello");
- u.setEmail("email");
- u.setEnabled(true);
- u.setPassword("pass");
- u.setSalt("salt");
- org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User mdsalUser = IDMObject2MDSAL.toMDSALUser(u);
- Assert.assertNotNull(mdsalUser);
- User u2 = IDMObject2MDSAL.toIDMUser(mdsalUser);
- Assert.assertNotNull(u2);
- Assert.assertEquals(u, u2);
- }
-
- @Test
- public void testConvertGrant() {
- Grant g = new Grant();
- g.setDomainid("hello");
- g.setUserid("hello@hello");
- g.setRoleid("hello@hello");
- g.setGrantid("hello@hello@Hello");
- org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant mdsalGrant = IDMObject2MDSAL.toMDSALGrant(g);
- Assert.assertNotNull(mdsalGrant);
- Grant g2 = IDMObject2MDSAL.toIDMGrant(mdsalGrant);
- Assert.assertNotNull(g2);
- Assert.assertEquals(g, g2);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtilTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtilTest.java
deleted file mode 100644
index 10c18790..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtilTest.java
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authn.mdsal.store.util;
-
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mock;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokens;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.Claims;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.ClaimsBuilder;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.ClaimsKey;
-import org.powermock.modules.junit4.PowerMockRunner;
-
-@RunWith(PowerMockRunner.class)
-public class AuthNStoreUtilTest {
-
- private String token = "foo_token_test";
- private String userId = "123";
- private Long expire = new Long(365);
- @Mock
- private Authentication auth;
- @Mock
- private UserTokens tokens;
- @Mock
- private Claims claims;
-
- @Test
- public void testCreateInstIdentifierForTokencache() {
- assertTrue(AuthNStoreUtil.createInstIdentifierForTokencache("") == null);
- assertNotNull(AuthNStoreUtil.createInstIdentifierForTokencache(token));
- }
-
- @Test
- public void testCreateInstIdentifierUserTokens() {
- assertTrue(AuthNStoreUtil.createInstIdentifierUserTokens("", "") == null);
- assertNotNull(AuthNStoreUtil.createInstIdentifierUserTokens(userId, token));
- }
-
- @Test
- public void testCreateClaimsRecord() {
- assertTrue(AuthNStoreUtil.createClaimsRecord("", null) == null);
- assertNotNull(AuthNStoreUtil.createClaimsRecord(token, auth));
- }
-
- @Test
- public void testCreateUserTokens() {
- assertTrue(AuthNStoreUtil.createUserTokens("", null) == null);
- assertNotNull(AuthNStoreUtil.createUserTokens(token, expire));
- }
-
- @Test
- public void testCreateTokenList() {
- assertTrue(AuthNStoreUtil.createTokenList(null, "") == null);
- assertNotNull(AuthNStoreUtil.createTokenList(tokens, userId));
- }
-
- @Test
- public void testConvertClaimToAuthentication() {
- ClaimsKey claimsKey = new ClaimsKey(token);
- ClaimsBuilder claimsBuilder = new ClaimsBuilder();
- claimsBuilder.setClientId("123");
- claimsBuilder.setDomain("foo_domain");
- claimsBuilder.setKey(claimsKey);
- List<String> roles = new ArrayList<String>();
- roles.add("foo_role");
- claimsBuilder.setRoles(roles);
- claimsBuilder.setToken(token);
- claimsBuilder.setUser("foo_usr");
- claimsBuilder.setUserId(userId);
- Claims fooClaims = claimsBuilder.build();
-
- assertTrue(AuthNStoreUtil.convertClaimToAuthentication(null, expire) == null);
- assertNotNull(AuthNStoreUtil.convertClaimToAuthentication(fooClaims, expire));
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/pom.xml
deleted file mode 100644
index e5e4f92f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-mdsal-store/pom.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
-
- <artifactId>aaa-authn-mdsal-store</artifactId>
- <name>${project.artifactId}</name>
- <packaging>pom</packaging>
-
- <modules>
- <module>aaa-authn-mdsal-api</module>
- <module>aaa-authn-mdsal-config</module>
- <module>aaa-authn-mdsal-store-impl</module>
- </modules>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sssd/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-sssd/pom.xml
deleted file mode 100644
index 4dc7eac9..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sssd/pom.xml
+++ /dev/null
@@ -1,88 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-sssd</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.glassfish</groupId>
- <artifactId>javax.json</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-idpmapping</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>javax.servlet-api</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>com.sun.jersey.jersey-test-framework</groupId>
- <artifactId>jersey-test-framework-grizzly2</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Bundle-Activator>org.opendaylight.aaa.sssd.Activator</Bundle-Activator>
- </instructions>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </configuration>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/Activator.java
deleted file mode 100644
index b6d5259f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/Activator.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sssd;
-
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.opendaylight.aaa.api.ClaimAuth;
-import org.osgi.framework.BundleContext;
-
-public class Activator extends DependencyActivatorBase {
-
- @Override
- public void init(BundleContext context, DependencyManager manager) throws Exception {
- manager.add(createComponent().setInterface(new String[] { ClaimAuth.class.getName() }, null)
- .setImplementation(SssdClaimAuth.class));
- }
-
- @Override
- public void destroy(BundleContext context, DependencyManager manager) throws Exception {
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/SssdClaimAuth.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/SssdClaimAuth.java
deleted file mode 100644
index 0ae23b48..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/SssdClaimAuth.java
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sssd;
-
-import java.io.StringWriter;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import javax.json.Json;
-import javax.json.JsonValue;
-import javax.json.stream.JsonGenerator;
-import javax.json.stream.JsonGeneratorFactory;
-import org.apache.felix.dm.Component;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.aaa.api.ClaimAuth;
-import org.opendaylight.aaa.idpmapping.RuleProcessor;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * An SSSD {@link ClaimAuth} implementation.
- *
- * @author John Dennis &lt;jdennis@redhat.com&gt;
- */
-public class SssdClaimAuth implements ClaimAuth {
- private static final Logger LOG = LoggerFactory.getLogger(SssdClaimAuth.class);
-
- private static final String DEFAULT_MAPPING_RULES_PATHNAME = "etc/idp_mapping_rules.json";
- private JsonGeneratorFactory generatorFactory = null;
- private RuleProcessor ruleProcessor = null;
-
- // Called by DM when all required dependencies are satisfied.
- void init(Component c) {
- LOG.info("Initializing SSSD Plugin");
- Map<String, Object> properties = new HashMap<String, Object>(1);
- properties.put(JsonGenerator.PRETTY_PRINTING, true);
- generatorFactory = Json.createGeneratorFactory(properties);
-
- String mappingRulesFile = DEFAULT_MAPPING_RULES_PATHNAME;
- if (mappingRulesFile == null || mappingRulesFile.isEmpty()) {
- LOG.warn("mapping rules file is not configured, " + "SssdClaimAuth will be disabled");
- return;
- }
-
- Path mappingRulesPath = Paths.get(mappingRulesFile);
-
- if (!Files.exists(mappingRulesPath)) {
- LOG.warn(String.format("mapping rules file (%s) "
- + "does not exist, SssdClaimAuth will be disabled", mappingRulesFile));
- return;
- }
-
- try {
- ruleProcessor = new RuleProcessor(mappingRulesPath, null);
- } catch (Exception e) {
- LOG.error(String.format("mapping rules file (%s) "
- + "could not be loaded, SssdClaimAuth will be disabled. " + "error = %s",
- mappingRulesFile, e));
- }
- }
-
- /**
- * Transform a Map of assertions into a {@link Claim} via a set of mapping
- * rules.
- *
- * A set of mapping rules have been previously loaded. the incoming
- * assertion is converted to a JSON document and presented to the
- * {@link RuleProcessor}. If the RuleProcessor can successfully transform
- * the assertion given the site specific set of rules it will return a Map
- * of values which will then be used to build a {@link Claim}. The rule
- * should return one or more of the following which will be used to populate
- * the Claim.
- *
- * <dl>
- * <dt>ClientId</dt>
- * <dd>A string.
- *
- * @see org.opendaylight.aaa.api.Claim#clientId() </dd>
- *
- * <dt>UserId</dt> <dd>A string.
- * @see org.opendaylight.aaa.api.Claim#userId() </dd>
- *
- * <dt>User</dt> <dd>A string.
- * @see org.opendaylight.aaa.api.Claim#user() </dd>
- *
- * <dt>Domain</dt> <dd>A string.
- * @see org.opendaylight.aaa.api.Claim#domain() </dd>
- *
- * <dt>Roles</dt> <dd>An array of strings.
- * @see org.opendaylight.aaa.api.Claim#roles() </dd>
- *
- * </dl>
- *
- * @param assertion
- * A Map of name/value assertions provided by an external IdP
- * @return A {@link Claim} if successful, null otherwise.
- */
-
- @Override
- public Claim transform(Map<String, Object> assertion) {
- String assertionJson;
- Map<String, Object> mapped;
- assertionJson = claimToJson(assertion);
-
- if (ruleProcessor == null) {
- LOG.debug("ruleProcessor not configured");
- return null;
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("assertionJson=\n{}", assertionJson);
- }
-
- mapped = ruleProcessor.process(assertionJson);
- if (mapped == null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("RuleProcessor returned null");
- }
- return null;
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("RuleProcessor returned: {}", mapped);
- }
-
- ClaimBuilder cb = new ClaimBuilder();
- if (mapped.containsKey("ClientId")) {
- cb.setClientId((String) mapped.get("ClientId"));
- }
- if (mapped.containsKey("UserId")) {
- cb.setUserId((String) mapped.get("UserId"));
- }
- if (mapped.containsKey("User")) {
- cb.setUser((String) mapped.get("User"));
- }
- if (mapped.containsKey("Domain")) {
- cb.setDomain((String) mapped.get("Domain"));
- }
- if (mapped.containsKey("Roles")) {
- @SuppressWarnings("unchecked")
- List<String> roles = (List<String>) mapped.get("roles");
- for (String role : roles) {
- cb.addRole(role);
- }
- }
- Claim claim = cb.build();
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("returns claim = {}", claim.toString());
- }
-
- return claim;
- }
-
- /**
- * Convert a Claim Map into a JSON object.
- *
- * Given a Map of name/value pairs convert it into a JSON object and return
- * it as a string. This is not a general purpose routine used to convert any
- * Map into JSON because a claim has the restriction that each value must be
- * a scalar and those scalars are restricted to the following types:
- *
- * <ul>
- * <li>String</li>
- * <li>Integer</li>
- * <li>Long</li>
- * <li>Double</li>
- * <li>Boolean</li>
- * <li>null</li>
- * </ul>
- *
- * See also {@link ClaimAuth}.
- *
- * @param claim
- * The Map containing assertion claims to be converted into a
- * JSON assertion document.
- * @return A string formatted as a JSON object.
- */
-
- public String claimToJson(Map<String, Object> claim) {
- StringWriter stringWriter = new StringWriter();
- JsonGenerator generator = generatorFactory.createGenerator(stringWriter);
-
- generator.writeStartObject();
- for (Map.Entry<String, Object> entry : claim.entrySet()) {
- String name = entry.getKey();
- Object value = entry.getValue();
-
- if (value instanceof String) {
- generator.write(name, (String) value);
- } else if (value instanceof Integer) {
- generator.write(name, ((Integer) value).intValue());
- } else if (value instanceof Long) {
- generator.write(name, ((Long) value).longValue());
- } else if (value instanceof Double) {
- generator.write(name, ((Double) value).doubleValue());
- } else if (value instanceof Boolean) {
- generator.write(name, ((Boolean) value).booleanValue());
- } else if (value == null) {
- generator.write(name, JsonValue.NULL);
- } else {
- LOG.warn(String.format("ignoring claim unsupported value type "
- + "entry %s has type %s", name, value.getClass().getSimpleName()));
- }
- }
- generator.writeEnd();
- generator.close();
- return stringWriter.toString();
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-store/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-store/pom.xml
deleted file mode 100644
index 01fdf252..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-store/pom.xml
+++ /dev/null
@@ -1,100 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-store</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>net.sf.ehcache</groupId>
- <artifactId>ehcache</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Bundle-Activator>org.opendaylight.aaa.store.Activator</Bundle-Activator>
- </instructions>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>attach-artifacts</id>
- <phase>package</phase>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/tokens.cfg</file>
- <type>cfg</type>
- <classifier>config</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/Activator.java
deleted file mode 100644
index f3299723..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/Activator.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.store;
-
-import java.util.Dictionary;
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.opendaylight.aaa.api.TokenStore;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.Constants;
-import org.osgi.service.cm.ManagedService;
-
-/**
- * An activator for the default datastore implementation of {@link TokenStore}.
- *
- * @author liemmn
- */
-public class Activator extends DependencyActivatorBase {
-
- private static final String TOKEN_PID = "org.opendaylight.aaa.tokens";
-
- @Override
- public void init(BundleContext context, DependencyManager manager) throws Exception {
- DefaultTokenStore ts = new DefaultTokenStore();
- manager.add(createComponent().setInterface(new String[] { TokenStore.class.getName() },
- null).setImplementation(ts));
- context.registerService(ManagedService.class.getName(), ts,
- addPid(DefaultTokenStore.defaults));
- }
-
- @Override
- public void destroy(BundleContext context, DependencyManager manager) throws Exception {
- }
-
- private Dictionary<String, ?> addPid(Dictionary<String, String> dict) {
- dict.put(Constants.SERVICE_PID, TOKEN_PID);
- return dict;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/DefaultTokenStore.java b/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/DefaultTokenStore.java
deleted file mode 100644
index df65be32..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/DefaultTokenStore.java
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.store;
-
-import java.io.File;
-import java.lang.management.ManagementFactory;
-import java.util.Dictionary;
-import java.util.Hashtable;
-import java.util.concurrent.locks.ReentrantLock;
-import javax.management.MBeanServer;
-import net.sf.ehcache.Cache;
-import net.sf.ehcache.CacheManager;
-import net.sf.ehcache.Element;
-import net.sf.ehcache.config.CacheConfiguration;
-import net.sf.ehcache.management.ManagementService;
-import org.apache.felix.dm.Component;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.TokenStore;
-import org.osgi.service.cm.ConfigurationException;
-import org.osgi.service.cm.ManagedService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * A default token store for STS.
- *
- * @author liemmn
- *
- */
-public class DefaultTokenStore implements TokenStore, ManagedService {
- private static final Logger LOG = LoggerFactory.getLogger(DefaultTokenStore.class);
- private static final String TOKEN_STORE_CONFIG_ERR = "Token store configuration error";
-
- private static final String TOKEN_CACHE_MANAGER = "org.opendaylight.aaa";
- private static final String TOKEN_CACHE = "tokens";
- private static final String EHCACHE_XML = "etc/ehcache.xml";
-
- static final String MAX_CACHED_MEMORY = "maxCachedTokensInMemory";
- static final String MAX_CACHED_DISK = "maxCachedTokensOnDisk";
- static final String SECS_TO_LIVE = "secondsToLive";
- static final String SECS_TO_IDLE = "secondsToIdle";
-
- // Defaults (needed only for non-Karaf deployments)
- static final Dictionary<String, String> defaults = new Hashtable<>();
- static {
- defaults.put(MAX_CACHED_MEMORY, Long.toString(10000));
- defaults.put(MAX_CACHED_DISK, Long.toString(1000000));
- defaults.put(SECS_TO_IDLE, Long.toString(3600));
- defaults.put(SECS_TO_LIVE, Long.toString(3600));
- }
-
- // Token cache lock
- private static final ReentrantLock cacheLock = new ReentrantLock();
-
- // Token cache
- private Cache tokens;
-
- // This should be a singleton
- DefaultTokenStore() {
- }
-
- // Called by DM when all required dependencies are satisfied.
- void init(Component c) {
- File ehcache = new File(EHCACHE_XML);
- CacheManager cm;
- if (ehcache.exists()) {
- cm = CacheManager.create(ehcache.getAbsolutePath());
- tokens = cm.getCache(TOKEN_CACHE);
- LOG.info("Initialized token store with custom cache config");
- } else {
- cm = CacheManager.getInstance();
- tokens = new Cache(
- new CacheConfiguration(TOKEN_CACHE,
- Integer.parseInt(defaults.get(MAX_CACHED_MEMORY))).maxEntriesLocalDisk(
- Integer.parseInt(defaults.get(MAX_CACHED_DISK)))
- .timeToLiveSeconds(
- Long.parseLong(defaults.get(SECS_TO_LIVE)))
- .timeToIdleSeconds(
- Long.parseLong(defaults.get(SECS_TO_IDLE))));
- cm.addCache(tokens);
- LOG.info("Initialized token store with default cache config");
- }
- cm.setName(TOKEN_CACHE_MANAGER);
-
- // JMX for cache management
- MBeanServer mBeanServer = ManagementFactory.getPlatformMBeanServer();
- ManagementService.registerMBeans(cm, mBeanServer, false, false, false, true);
- }
-
- // Called on shutdown
- void destroy() {
- LOG.info("Shutting down token store...");
- CacheManager.getInstance().shutdown();
- }
-
- @Override
- public Authentication get(String token) {
- Element elem = tokens.get(token);
- return (Authentication) ((elem != null) ? elem.getObjectValue() : null);
- }
-
- @Override
- public void put(String token, Authentication auth) {
- tokens.put(new Element(token, auth));
- }
-
- @Override
- public boolean delete(String token) {
- return tokens.remove(token);
- }
-
- @Override
- public long tokenExpiration() {
- return tokens.getCacheConfiguration().getTimeToLiveSeconds();
- }
-
- @Override
- public void updated(@SuppressWarnings("rawtypes") Dictionary props)
- throws ConfigurationException {
- LOG.info("Updating token store configuration...");
- if (props == null) {
- // Someone deleted the configuration, use defaults
- props = defaults;
- }
- reconfig(props);
- }
-
- // Refresh cache configuration...
- private void reconfig(@SuppressWarnings("rawtypes") Dictionary props)
- throws ConfigurationException {
- cacheLock.lock();
- try {
- long secsToIdle = Long.parseLong(props.get(SECS_TO_IDLE).toString());
- long secsToLive = Long.parseLong(props.get(SECS_TO_LIVE).toString());
- int maxMem = Integer.parseInt(props.get(MAX_CACHED_MEMORY).toString());
- int maxDisk = Integer.parseInt(props.get(MAX_CACHED_DISK).toString());
- CacheConfiguration config = tokens.getCacheConfiguration();
- config.setTimeToIdleSeconds(secsToIdle);
- config.setTimeToLiveSeconds(secsToLive);
- config.maxEntriesLocalHeap(maxMem);
- config.maxEntriesLocalDisk(maxDisk);
- } catch (Throwable t) {
- throw new ConfigurationException(null, TOKEN_STORE_CONFIG_ERR, t);
- } finally {
- cacheLock.unlock();
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.properties b/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.properties
deleted file mode 100644
index b88d5c10..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.properties
+++ /dev/null
@@ -1,14 +0,0 @@
-org.opendaylight.aaa.tokens.name = Opendaylight AAA Token Configuration
-org.opendaylight.aaa.tokens.description = Configuration for AAA tokens
-org.opendaylight.aaa.tokens.maxCachedTokensInMemory.name = Memory Configuration
-org.opendaylight.aaa.tokens.maxCachedTokensInMemory.description = Maximum number of \
-tokens in memory
-org.opendaylight.aaa.tokens.maxCachedTokensOnDisk.name = Disk Configuration
-org.opendaylight.aaa.tokens.maxCachedTokensOnDisk.description = Maximum number of \
-tokens in memory
-org.opendaylight.aaa.tokens.secondsToLive.name = Token Expiration
-org.opendaylight.aaa.tokens.secondsToLive.description = Maximum number of \
-seconds a token can exist regardless of use. Zero (0) means never expires.
-org.opendaylight.aaa.tokens.secondsToIdle.name = Unused Token Expiration
-org.opendaylight.aaa.tokens.secondsToIdle.description = Maximum number of \
-seconds a token can exist without being accessed. Zero (0) means never expires.
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.xml
deleted file mode 100644
index d04874f4..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<metatype:MetaData xmlns:metatype="http://www.osgi.org/xmlns/metatype/v1.0.0"
- localization="OSGI-INF/metatype/metatype">
- <OCD id="org.opendaylight.aaa.tokens" name="%org.opendaylight.aaa.tokens.name"
- description="%org.opendaylight.aaa.tokens.description">
- <AD id="maxCachedTokensInMemory" type="Long" default="10000"
- name="%org.opendaylight.aaa.tokens.maxCachedTokensInMemory.name"
- description="%org.opendaylight.aaa.tokens.maxCachedTokensInMemory.description" />
- <AD id="maxCachedTokensOnDisk" type="Long" default="1000000"
- name="%org.opendaylight.aaa.tokens.maxCachedTokensOnDisk.name"
- description="%org.opendaylight.aaa.tokens.maxCachedTokensOnDisk.description" />
- <AD id="secondsToLive" type="Long" default="3600"
- name="%org.opendaylight.aaa.tokens.secondsToLive.name"
- description="%org.opendaylight.aaa.tokens.secondsToLive.description" />
- <AD id="secondsToIdle" type="Long" default="3600"
- name="%org.opendaylight.aaa.tokens.secondsToIdle.name"
- description="%org.opendaylight.aaa.tokens.secondsToIdle.description" />
- </OCD>
- <Designate pid="org.opendaylight.aaa.tokens">
- <Object ocdref="org.opendaylight.aaa.tokens" />
- </Designate>
-</metatype:MetaData>
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/tokens.cfg b/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/tokens.cfg
deleted file mode 100644
index d3dda90e..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/main/resources/tokens.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-maxCachedTokensInMemory=10000
-maxCachedTokensOnDisk=1000000
-secondsToLive=3600
-secondsToIdle=3600
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/test/java/org/opendaylight/aaa/store/DefaultTokenStoreTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/test/java/org/opendaylight/aaa/store/DefaultTokenStoreTest.java
deleted file mode 100644
index e5c837bf..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-store/src/test/java/org/opendaylight/aaa/store/DefaultTokenStoreTest.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.store;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-import static org.mockito.Mockito.mock;
-import static org.opendaylight.aaa.store.DefaultTokenStore.MAX_CACHED_DISK;
-import static org.opendaylight.aaa.store.DefaultTokenStore.MAX_CACHED_MEMORY;
-import static org.opendaylight.aaa.store.DefaultTokenStore.SECS_TO_IDLE;
-import static org.opendaylight.aaa.store.DefaultTokenStore.SECS_TO_LIVE;
-
-import java.util.Dictionary;
-import java.util.Hashtable;
-import org.apache.felix.dm.Component;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.opendaylight.aaa.AuthenticationBuilder;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.api.Authentication;
-import org.osgi.service.cm.ConfigurationException;
-
-public class DefaultTokenStoreTest {
- private static final String FOO_TOKEN = "foo_token";
- private final DefaultTokenStore dts = new DefaultTokenStore();
- private static final Dictionary<String, String> config = new Hashtable<>();
- static {
- config.put(MAX_CACHED_MEMORY, Long.toString(3));
- config.put(MAX_CACHED_DISK, Long.toString(3));
- config.put(SECS_TO_IDLE, Long.toString(1));
- config.put(SECS_TO_LIVE, Long.toString(1));
- }
-
- @Before
- public void setup() throws ConfigurationException {
- dts.init(mock(Component.class));
- dts.updated(config);
- }
-
- @After
- public void teardown() {
- dts.destroy();
- }
-
- @Test
- public void testCache() throws InterruptedException {
- Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUser("foo")
- .setUserId("1234")
- .addRole("admin").build()).build();
- dts.put(FOO_TOKEN, auth);
- assertEquals(auth, dts.get(FOO_TOKEN));
- dts.delete(FOO_TOKEN);
- assertNull(dts.get(FOO_TOKEN));
- dts.put(FOO_TOKEN, auth);
- Thread.sleep(1200);
- assertNull(dts.get(FOO_TOKEN));
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/pom.xml
deleted file mode 100644
index 7dbf86ab..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/pom.xml
+++ /dev/null
@@ -1,112 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-sts</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>javax.servlet-api</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.common</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>com.sun.jersey.jersey-test-framework</groupId>
- <artifactId>jersey-test-framework-grizzly2</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-servlet-tester</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Import-Package>
- *,
- com.sun.jersey.spi.container.servlet
- </Import-Package>
- <Web-ContextPath>/oauth2</Web-ContextPath>
- <Bundle-Activator>org.opendaylight.aaa.sts.Activator</Bundle-Activator>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </instructions>
- </configuration>
- </plugin>
- </plugins>
- </build>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/Activator.java
deleted file mode 100644
index 1bf4591d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/Activator.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import com.google.common.base.Function;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableList.Builder;
-import com.google.common.collect.Lists;
-import java.util.List;
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.opendaylight.aaa.api.ClaimAuth;
-import org.opendaylight.aaa.api.ClientService;
-import org.opendaylight.aaa.api.CredentialAuth;
-import org.opendaylight.aaa.api.IdMService;
-import org.opendaylight.aaa.api.TokenAuth;
-import org.opendaylight.aaa.api.TokenStore;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.ServiceReference;
-import org.osgi.util.tracker.ServiceTracker;
-import org.osgi.util.tracker.ServiceTrackerCustomizer;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * An activator for the secure token server to inject in a
- * {@link CredentialAuth} implementation.
- *
- * @author liemmn
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class Activator extends DependencyActivatorBase {
-
- private static final Logger LOG = LoggerFactory.getLogger(Activator.class);
-
- // Definition of several methods called in the ServiceLocator through
- // Reflection
- private static final String AUTHENTICATION_SERVICE_REMOVED = "authenticationServiceRemoved";
- private static final String AUTHENTICATION_SERVICE_ADDED = "authenticationServiceAdded";
- private static final String TOKEN_STORE_REMOVED = "tokenStoreRemoved";
- private static final String TOKEN_STORE_ADDED = "tokenStoreAdded";
- private static final String TOKEN_AUTH_REMOVED = "tokenAuthRemoved";
- private static final String TOKEN_AUTH_ADDED = "tokenAuthAdded";
- private static final String CLAIM_AUTH_REMOVED = "claimAuthRemoved";
- private static final String CLAIM_AUTH_ADDED = "claimAuthAdded";
- private static final String CREDENTIAL_AUTH_REMOVED = "credentialAuthRemoved";
- private static final String CREDENTIAL_AUTH_ADDED = "credentialAuthAdded";
-
- // A collection of all services, which is used for closing ServiceTrackers
- private ImmutableList<ServiceTracker<?, ?>> services;
-
- @Override
- public void init(BundleContext context, DependencyManager manager) throws Exception {
-
- LOG.info("STS Activator initializing");
- manager.add(createComponent().setImplementation(ServiceLocator.getInstance())
- .add(createServiceDependency().setService(CredentialAuth.class)
- .setRequired(true)
- .setCallbacks(
- CREDENTIAL_AUTH_ADDED,
- CREDENTIAL_AUTH_REMOVED))
- .add(createServiceDependency().setService(ClaimAuth.class)
- .setRequired(false)
- .setCallbacks(CLAIM_AUTH_ADDED,
- CLAIM_AUTH_REMOVED))
- .add(createServiceDependency().setService(TokenAuth.class)
- .setRequired(false)
- .setCallbacks(TOKEN_AUTH_ADDED,
- TOKEN_AUTH_REMOVED))
- .add(createServiceDependency().setService(TokenStore.class)
- .setRequired(true)
- .setCallbacks(TOKEN_STORE_ADDED,
- TOKEN_STORE_REMOVED))
- .add(createServiceDependency().setService(TokenStore.class)
- .setRequired(true))
- .add(createServiceDependency().setService(
- AuthenticationService.class)
- .setRequired(true)
- .setCallbacks(
- AUTHENTICATION_SERVICE_ADDED,
- AUTHENTICATION_SERVICE_REMOVED))
- .add(createServiceDependency().setService(IdMService.class)
- .setRequired(true))
- .add(createServiceDependency().setService(ClientService.class)
- .setRequired(true)));
-
- final Builder<ServiceTracker<?, ?>> servicesBuilder = new ImmutableList.Builder<ServiceTracker<?, ?>>();
-
- // Async ServiceTrackers to track and load AAA STS bundles
- final ServiceTracker<AuthenticationService, AuthenticationService> authenticationService = new ServiceTracker<>(
- context, AuthenticationService.class,
- new AAAServiceTrackerCustomizer<AuthenticationService>(
- new Function<AuthenticationService, Void>() {
- @Override
- public Void apply(AuthenticationService authenticationService) {
- ServiceLocator.getInstance().setAuthenticationService(
- authenticationService);
- return null;
- }
- }));
- servicesBuilder.add(authenticationService);
- authenticationService.open();
-
- final ServiceTracker<IdMService, IdMService> idmService = new ServiceTracker<>(context,
- IdMService.class, new AAAServiceTrackerCustomizer<IdMService>(
- new Function<IdMService, Void>() {
- @Override
- public Void apply(IdMService idmService) {
- ServiceLocator.getInstance().setIdmService(idmService);
- return null;
- }
- }));
- servicesBuilder.add(idmService);
- idmService.open();
-
- final ServiceTracker<TokenAuth, TokenAuth> tokenAuthService = new ServiceTracker<>(context,
- TokenAuth.class, new AAAServiceTrackerCustomizer<TokenAuth>(
- new Function<TokenAuth, Void>() {
- @Override
- public Void apply(TokenAuth tokenAuth) {
- final List<TokenAuth> tokenAuthCollection = (List<TokenAuth>) Lists.newArrayList(tokenAuth);
- ServiceLocator.getInstance().setTokenAuthCollection(
- tokenAuthCollection);
- return null;
- }
- }));
- servicesBuilder.add(tokenAuthService);
- tokenAuthService.open();
-
- final ServiceTracker<TokenStore, TokenStore> tokenStoreService = new ServiceTracker<>(
- context, TokenStore.class, new AAAServiceTrackerCustomizer<TokenStore>(
- new Function<TokenStore, Void>() {
- @Override
- public Void apply(TokenStore tokenStore) {
- ServiceLocator.getInstance().setTokenStore(tokenStore);
- return null;
- }
- }));
- servicesBuilder.add(tokenStoreService);
- tokenStoreService.open();
-
- final ServiceTracker<ClientService, ClientService> clientService = new ServiceTracker<>(
- context, ClientService.class, new AAAServiceTrackerCustomizer<ClientService>(
- new Function<ClientService, Void>() {
- @Override
- public Void apply(ClientService clientService) {
- ServiceLocator.getInstance().setClientService(clientService);
- return null;
- }
- }));
- servicesBuilder.add(clientService);
- clientService.open();
-
- services = servicesBuilder.build();
-
- LOG.info("STS Activator initialized; ServiceTracker may still be processing");
- }
-
- /**
- * Wrapper for AAA generic service loading.
- *
- * @param <S>
- */
- static final class AAAServiceTrackerCustomizer<S> implements ServiceTrackerCustomizer<S, S> {
-
- private Function<S, Void> callback;
-
- public AAAServiceTrackerCustomizer(final Function<S, Void> callback) {
- this.callback = callback;
- }
-
- @Override
- public S addingService(ServiceReference<S> reference) {
- S service = reference.getBundle().getBundleContext().getService(reference);
- LOG.info("Unable to resolve {}", service.getClass());
- try {
- callback.apply(service);
- } catch (Exception e) {
- LOG.error("Unable to resolve {}", service.getClass(), e);
- }
- return service;
- }
-
- @Override
- public void modifiedService(ServiceReference<S> reference, S service) {
- }
-
- @Override
- public void removedService(ServiceReference<S> reference, S service) {
- }
- }
-
- @Override
- public void destroy(BundleContext context, DependencyManager manager) throws Exception {
-
- for (ServiceTracker<?, ?> serviceTracker : services) {
- serviceTracker.close();
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousPasswordValidator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousPasswordValidator.java
deleted file mode 100644
index 55b5b61f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousPasswordValidator.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import javax.servlet.http.HttpServletRequest;
-import org.apache.oltu.oauth2.common.OAuth;
-import org.apache.oltu.oauth2.common.validators.AbstractValidator;
-
-/**
- * A password validator that does not enforce client identification.
- *
- * @author liemmn
- *
- */
-public class AnonymousPasswordValidator extends AbstractValidator<HttpServletRequest> {
-
- public AnonymousPasswordValidator() {
- requiredParams.add(OAuth.OAUTH_GRANT_TYPE);
- requiredParams.add(OAuth.OAUTH_USERNAME);
- requiredParams.add(OAuth.OAUTH_PASSWORD);
-
- enforceClientAuthentication = false;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousRefreshTokenValidator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousRefreshTokenValidator.java
deleted file mode 100644
index 5b50c7da..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousRefreshTokenValidator.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import javax.servlet.http.HttpServletRequest;
-import org.apache.oltu.oauth2.common.OAuth;
-import org.apache.oltu.oauth2.common.validators.AbstractValidator;
-
-/**
- * A refresh token validator that does not enforce client identification.
- *
- * @author liemmn
- *
- */
-public class AnonymousRefreshTokenValidator extends AbstractValidator<HttpServletRequest> {
-
- public AnonymousRefreshTokenValidator() {
- requiredParams.add(OAuth.OAUTH_GRANT_TYPE);
- requiredParams.add(OAuth.OAUTH_REFRESH_TOKEN);
-
- enforceClientAuthentication = false;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/OAuthRequest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/OAuthRequest.java
deleted file mode 100644
index 2a2b34b6..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/OAuthRequest.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import javax.servlet.http.HttpServletRequest;
-import org.apache.oltu.oauth2.as.request.AbstractOAuthTokenRequest;
-import org.apache.oltu.oauth2.as.validator.UnauthenticatedAuthorizationCodeValidator;
-import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
-import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
-import org.apache.oltu.oauth2.common.message.types.GrantType;
-import org.apache.oltu.oauth2.common.validators.OAuthValidator;
-
-/**
- * OAuth request wrapper.
- *
- * @author liemmn
- *
- */
-public class OAuthRequest extends AbstractOAuthTokenRequest {
-
- public OAuthRequest(HttpServletRequest request) throws OAuthSystemException,
- OAuthProblemException {
- super(request);
- }
-
- @Override
- public OAuthValidator<HttpServletRequest> initValidator() throws OAuthProblemException,
- OAuthSystemException {
- validators.put(GrantType.PASSWORD.toString(), AnonymousPasswordValidator.class);
- validators.put(GrantType.REFRESH_TOKEN.toString(), AnonymousRefreshTokenValidator.class);
- validators.put(GrantType.AUTHORIZATION_CODE.toString(),
- UnauthenticatedAuthorizationCodeValidator.class);
- return super.initValidator();
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/ServiceLocator.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/ServiceLocator.java
deleted file mode 100644
index 2c1f84c3..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/ServiceLocator.java
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import java.util.List;
-import java.util.Vector;
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.opendaylight.aaa.api.ClientService;
-import org.opendaylight.aaa.api.CredentialAuth;
-import org.opendaylight.aaa.api.IdMService;
-import org.opendaylight.aaa.api.PasswordCredentials;
-import org.opendaylight.aaa.api.TokenAuth;
-import org.opendaylight.aaa.api.TokenStore;
-
-/**
- * A service locator to bridge between the web world and OSGi world.
- *
- * @author liemmn
- *
- */
-public class ServiceLocator {
-
- private static final ServiceLocator instance = new ServiceLocator();
-
- protected volatile List<TokenAuth> tokenAuthCollection = new Vector<>();
-
- protected volatile CredentialAuth<PasswordCredentials> credentialAuth;
-
- protected volatile TokenStore tokenStore;
-
- protected volatile AuthenticationService authenticationService;
-
- protected volatile IdMService idmService;
-
- protected volatile ClientService clientService;
-
- private ServiceLocator() {
- }
-
- public static ServiceLocator getInstance() {
- return instance;
- }
-
- /**
- * Called through reflection by the sts activator.
- *
- * @see org.opendaylight.aaa.sts.Activator
- * @param ta
- */
- protected void tokenAuthAdded(TokenAuth ta) {
- this.tokenAuthCollection.add(ta);
- }
-
- /**
- * Called through reflection by the sts activator.
- *
- * @see org.opendaylight.aaa.sts.Activator
- * @param ta
- */
- protected void tokenAuthRemoved(TokenAuth ta) {
- this.tokenAuthCollection.remove(ta);
- }
-
- protected void tokenStoreAdded(TokenStore ts) {
- this.tokenStore = ts;
- }
-
- protected void tokenStoreRemoved(TokenStore ts) {
- this.tokenStore = null;
- }
-
- protected void authenticationServiceAdded(AuthenticationService as) {
- this.authenticationService = as;
- }
-
- protected void authenticationServiceRemoved(AuthenticationService as) {
- this.authenticationService = null;
- }
-
- protected void credentialAuthAdded(CredentialAuth<PasswordCredentials> da) {
- this.credentialAuth = da;
- }
-
- protected void credentialAuthAddedRemoved(CredentialAuth<PasswordCredentials> da) {
- this.credentialAuth = null;
- }
-
- public List<TokenAuth> getTokenAuthCollection() {
- return tokenAuthCollection;
- }
-
- public void setTokenAuthCollection(List<TokenAuth> tokenAuthCollection) {
- this.tokenAuthCollection = tokenAuthCollection;
- }
-
- public CredentialAuth<PasswordCredentials> getCredentialAuth() {
- return credentialAuth;
- }
-
- public synchronized void setCredentialAuth(CredentialAuth<PasswordCredentials> credentialAuth) {
- this.credentialAuth = credentialAuth;
- }
-
- public TokenStore getTokenStore() {
- return tokenStore;
- }
-
- public void setTokenStore(TokenStore tokenStore) {
- this.tokenStore = tokenStore;
- }
-
- public AuthenticationService getAuthenticationService() {
- return authenticationService;
- }
-
- public void setAuthenticationService(AuthenticationService authenticationService) {
- this.authenticationService = authenticationService;
- }
-
- public IdMService getIdmService() {
- return idmService;
- }
-
- public void setIdmService(IdMService idmService) {
- this.idmService = idmService;
- }
-
- public ClientService getClientService() {
- return clientService;
- }
-
- public void setClientService(ClientService clientService) {
- this.clientService = clientService;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenAuthFilter.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenAuthFilter.java
deleted file mode 100644
index 3fa7a66c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenAuthFilter.java
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import com.sun.jersey.spi.container.ContainerRequest;
-import com.sun.jersey.spi.container.ContainerRequestFilter;
-import java.util.List;
-import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.Response.Status;
-import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
-import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
-import org.apache.oltu.oauth2.common.message.types.ParameterStyle;
-import org.apache.oltu.oauth2.rs.request.OAuthAccessResourceRequest;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.AuthenticationException;
-import org.opendaylight.aaa.api.TokenAuth;
-
-/**
- * A token-based authentication filter for resource providers.
- *
- * Deprecated: Use <code>AAAFilter</code> instead.
- *
- * @author liemmn
- *
- */
-@Deprecated
-public class TokenAuthFilter implements ContainerRequestFilter {
-
- private final String OPTIONS = "OPTIONS";
- private final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
- private final String AUTHORIZATION = "authorization";
-
- @Context
- private HttpServletRequest httpRequest;
-
- @Override
- public ContainerRequest filter(ContainerRequest request) {
-
- // Do the CORS check first
- if (checkCORSOptionRequest(request)) {
- return request;
- }
-
- // Are we up yet?
- if (ServiceLocator.getInstance().getAuthenticationService() == null) {
- throw new WebApplicationException(
- Response.status(Status.SERVICE_UNAVAILABLE).type(MediaType.APPLICATION_JSON)
- .entity("{\"error\":\"Authentication service unavailable\"}").build());
- }
-
- // Are we doing authentication or not?
- if (ServiceLocator.getInstance().getAuthenticationService().isAuthEnabled()) {
- Map<String, List<String>> headers = request.getRequestHeaders();
-
- // Go through and invoke other TokenAuth first...
- List<TokenAuth> tokenAuthCollection = ServiceLocator.getInstance()
- .getTokenAuthCollection();
- for (TokenAuth ta : tokenAuthCollection) {
- try {
- Authentication auth = ta.validate(headers);
- if (auth != null) {
- ServiceLocator.getInstance().getAuthenticationService().set(auth);
- return request;
- }
- } catch (AuthenticationException ae) {
- throw unauthorized();
- }
- }
-
- // OK, last chance to validate token...
- try {
- OAuthAccessResourceRequest or = new OAuthAccessResourceRequest(httpRequest,
- ParameterStyle.HEADER);
- validate(or.getAccessToken());
- } catch (OAuthSystemException | OAuthProblemException e) {
- throw unauthorized();
- }
- }
-
- return request;
- }
-
- /**
- * CORS access control : when browser sends cross-origin request, it first
- * sends the OPTIONS method with a list of access control request headers,
- * which has a list of custom headers and access control method such as GET.
- * POST etc. You custom header "Authorization will not be present in request
- * header, instead it will be present as a value inside
- * Access-Control-Request-Headers. We should not do any authorization
- * against such request. for more details :
- * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
- */
-
- private boolean checkCORSOptionRequest(ContainerRequest request) {
- if (OPTIONS.equals(request.getMethod())) {
- List<String> headerList = request.getRequestHeader(ACCESS_CONTROL_REQUEST_HEADERS);
- if (headerList != null && !headerList.isEmpty()) {
- String header = headerList.get(0);
- if (header != null && header.toLowerCase().contains(AUTHORIZATION)) {
- return true;
- }
- }
- }
- return false;
- }
-
- // Validate an ODL token...
- private Authentication validate(final String token) {
- Authentication auth = ServiceLocator.getInstance().getTokenStore().get(token);
- if (auth == null) {
- throw unauthorized();
- } else {
- ServiceLocator.getInstance().getAuthenticationService().set(auth);
- }
- return auth;
- }
-
- // Houston, we got a problem!
- private static final WebApplicationException unauthorized() {
- ServiceLocator.getInstance().getAuthenticationService().clear();
- return new UnauthorizedException();
- }
-
- // A custom 401 web exception that handles http basic response as well
- static final class UnauthorizedException extends WebApplicationException {
- private static final long serialVersionUID = -1732363804773027793L;
- static final String WWW_AUTHENTICATE = "WWW-Authenticate";
- static final Object OPENDAYLIGHT = "Basic realm=\"opendaylight\"";
- private static final Response response = Response.status(Status.UNAUTHORIZED)
- .header(WWW_AUTHENTICATE, OPENDAYLIGHT)
- .build();
-
- public UnauthorizedException() {
- super(response);
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenEndpoint.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenEndpoint.java
deleted file mode 100644
index a456d702..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenEndpoint.java
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
-import static javax.servlet.http.HttpServletResponse.SC_CREATED;
-import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
-import static javax.servlet.http.HttpServletResponse.SC_NOT_IMPLEMENTED;
-import static javax.servlet.http.HttpServletResponse.SC_NO_CONTENT;
-import static javax.servlet.http.HttpServletResponse.SC_OK;
-import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.List;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
-import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl;
-import org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator;
-import org.apache.oltu.oauth2.as.response.OAuthASResponse;
-import org.apache.oltu.oauth2.common.OAuth;
-import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
-import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
-import org.apache.oltu.oauth2.common.message.OAuthResponse;
-import org.apache.oltu.oauth2.common.message.types.GrantType;
-import org.apache.oltu.oauth2.common.message.types.TokenType;
-import org.opendaylight.aaa.AuthenticationBuilder;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.PasswordCredentialBuilder;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.AuthenticationException;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.aaa.api.PasswordCredentials;
-
-/**
- * Secure Token Service (STS) endpoint.
- *
- * @author liemmn
- *
- */
-public class TokenEndpoint extends HttpServlet {
- private static final long serialVersionUID = 8272453849539659999L;
-
- private static final String DOMAIN_SCOPE_REQUIRED = "Domain scope required";
- private static final String NOT_IMPLEMENTED = "not_implemented";
- private static final String UNAUTHORIZED = "unauthorized";
-
- static final String TOKEN_GRANT_ENDPOINT = "/token";
- static final String TOKEN_REVOKE_ENDPOINT = "/revoke";
- static final String TOKEN_VALIDATE_ENDPOINT = "/validate";
-
- private transient OAuthIssuer oi;
-
- @Override
- public void init(ServletConfig config) throws ServletException {
- oi = new OAuthIssuerImpl(new UUIDValueGenerator());
- }
-
- @Override
- protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- try {
- if (req.getServletPath().equals(TOKEN_GRANT_ENDPOINT)) {
- createAccessToken(req, resp);
- } else if (req.getServletPath().equals(TOKEN_REVOKE_ENDPOINT)) {
- deleteAccessToken(req, resp);
- } else if (req.getServletPath().equals(TOKEN_VALIDATE_ENDPOINT)) {
- validateToken(req, resp);
- }
- } catch (AuthenticationException e) {
- error(resp, SC_UNAUTHORIZED, e.getMessage());
- } catch (OAuthProblemException oe) {
- error(resp, oe);
- } catch (Exception e) {
- error(resp, e);
- }
- }
-
- private void validateToken(HttpServletRequest req, HttpServletResponse resp)
- throws IOException, OAuthSystemException {
- String token = req.getReader().readLine();
- if (token != null) {
- Authentication authn = ServiceLocator.getInstance().getTokenStore().get(token.trim());
- if (authn == null) {
- throw new AuthenticationException(UNAUTHORIZED);
- } else {
- ServiceLocator.getInstance().getAuthenticationService().set(authn);
- resp.setStatus(SC_OK);
- }
- } else {
- throw new AuthenticationException(UNAUTHORIZED);
- }
- }
-
- // Delete an access token
- private void deleteAccessToken(HttpServletRequest req, HttpServletResponse resp)
- throws IOException {
- String token = req.getReader().readLine();
- if (token != null) {
- if (ServiceLocator.getInstance().getTokenStore().delete(token.trim())) {
- resp.setStatus(SC_NO_CONTENT);
- } else {
- throw new AuthenticationException(UNAUTHORIZED);
- }
- } else {
- throw new AuthenticationException(UNAUTHORIZED);
- }
- }
-
- // Create an access token
- private void createAccessToken(HttpServletRequest req, HttpServletResponse resp)
- throws OAuthSystemException, OAuthProblemException, IOException {
- Claim claim = null;
- String clientId = null;
-
- OAuthRequest oauthRequest = new OAuthRequest(req);
- // Any client credentials?
- clientId = oauthRequest.getClientId();
- if (clientId != null) {
- ServiceLocator.getInstance().getClientService()
- .validate(clientId, oauthRequest.getClientSecret());
- }
-
- // Credential request...
- if (oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals(GrantType.PASSWORD.toString())) {
- String domain = oauthRequest.getScopes().iterator().next();
- PasswordCredentials pc = new PasswordCredentialBuilder().setUserName(
- oauthRequest.getUsername()).setPassword(oauthRequest.getPassword())
- .setDomain(domain).build();
- if (!oauthRequest.getScopes().isEmpty()) {
- claim = ServiceLocator.getInstance().getCredentialAuth().authenticate(pc);
- }
- } else if (oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals(
- GrantType.REFRESH_TOKEN.toString())) {
- // Refresh token...
- String token = oauthRequest.getRefreshToken();
- if (!oauthRequest.getScopes().isEmpty()) {
- String domain = oauthRequest.getScopes().iterator().next();
- // Authenticate...
- Authentication auth = ServiceLocator.getInstance().getTokenStore().get(token);
- if (auth != null && domain != null) {
- List<String> roles = ServiceLocator.getInstance().getIdmService()
- .listRoles(auth.userId(), domain);
- if (!roles.isEmpty()) {
- ClaimBuilder cb = new ClaimBuilder(auth);
- cb.setDomain(domain); // scope domain
- // Add roles for the scoped domain
- for (String role : roles) {
- cb.addRole(role);
- }
- claim = cb.build();
- }
- }
- } else {
- error(resp, SC_BAD_REQUEST, DOMAIN_SCOPE_REQUIRED);
- }
- } else {
- // Support authorization code later...
- error(resp, SC_NOT_IMPLEMENTED, NOT_IMPLEMENTED);
- }
-
- // Respond with OAuth token
- oauthAccessTokenResponse(resp, claim, clientId);
- }
-
- // Build OAuth access token response from the given claim
- private void oauthAccessTokenResponse(HttpServletResponse resp, Claim claim, String clientId)
- throws OAuthSystemException, IOException {
- if (claim == null) {
- throw new AuthenticationException(UNAUTHORIZED);
- }
- String token = oi.accessToken();
-
- // Cache this token...
- Authentication auth = new AuthenticationBuilder(new ClaimBuilder(claim).setClientId(
- clientId).build()).setExpiration(tokenExpiration()).build();
- ServiceLocator.getInstance().getTokenStore().put(token, auth);
-
- OAuthResponse r = OAuthASResponse.tokenResponse(SC_CREATED).setAccessToken(token)
- .setTokenType(TokenType.BEARER.toString())
- .setExpiresIn(Long.toString(auth.expiration()))
- .buildJSONMessage();
- write(resp, r);
- }
-
- // Token expiration
- private long tokenExpiration() {
- return ServiceLocator.getInstance().getTokenStore().tokenExpiration();
- }
-
- // Emit an error OAuthResponse with the given HTTP code
- private void error(HttpServletResponse resp, int httpCode, String error) {
- try {
- OAuthResponse r = OAuthResponse.errorResponse(httpCode).setError(error)
- .buildJSONMessage();
- write(resp, r);
- } catch (Exception e1) {
- // Nothing to do here
- }
- }
-
- // Emit an error OAuthResponse for the given OAuth-related exception
- private void error(HttpServletResponse resp, OAuthProblemException e) {
- try {
- OAuthResponse r = OAuthResponse.errorResponse(SC_BAD_REQUEST).error(e)
- .buildJSONMessage();
- write(resp, r);
- } catch (Exception e1) {
- // Nothing to do here
- }
- }
-
- // Emit an error OAuthResponse for the given generic exception
- private void error(HttpServletResponse resp, Exception e) {
- try {
- OAuthResponse r = OAuthResponse.errorResponse(SC_INTERNAL_SERVER_ERROR)
- .setError(e.getClass().getName())
- .setErrorDescription(e.getMessage()).buildJSONMessage();
- write(resp, r);
- } catch (Exception e1) {
- // Nothing to do here
- }
- }
-
- // Write out an OAuthResponse
- private void write(HttpServletResponse resp, OAuthResponse r) throws IOException {
- resp.setStatus(r.getResponseStatus());
- PrintWriter pw = resp.getWriter();
- pw.print(r.getBody());
- pw.flush();
- pw.close();
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/resources/WEB-INF/web.xml b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/resources/WEB-INF/web.xml
deleted file mode 100644
index 83a9fa51..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/main/resources/WEB-INF/web.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
- version="3.0">
-
- <servlet>
- <servlet-name>STS</servlet-name>
- <servlet-class>org.opendaylight.aaa.sts.TokenEndpoint</servlet-class>
- <load-on-startup>1</load-on-startup>
- </servlet>
- <servlet-mapping>
- <servlet-name>STS</servlet-name>
- <url-pattern>/token</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>STS</servlet-name>
- <url-pattern>/revoke</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>STS</servlet-name>
- <url-pattern>/validate</url-pattern>
- </servlet-mapping>
-</web-app>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/RestFixture.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/RestFixture.java
deleted file mode 100644
index 0f806d91..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/RestFixture.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.GET;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
-
-/**
- * Fixture for testing RESTful stuff.
- *
- * @author liemmn
- *
- */
-@Path("test")
-public class RestFixture {
-
- @Context
- private HttpServletRequest httpRequest;
-
- @GET
- @Produces("text/plain")
- public String msg() {
- return "ok";
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenAuthTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenAuthTest.java
deleted file mode 100644
index 7f888455..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenAuthTest.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import static org.mockito.Matchers.anyMap;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-import com.sun.jersey.api.client.ClientResponse;
-import com.sun.jersey.api.client.UniformInterfaceException;
-import com.sun.jersey.test.framework.JerseyTest;
-import com.sun.jersey.test.framework.WebAppDescriptor;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.opendaylight.aaa.AuthenticationBuilder;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.opendaylight.aaa.api.TokenAuth;
-import org.opendaylight.aaa.api.TokenStore;
-import org.opendaylight.aaa.sts.TokenAuthFilter.UnauthorizedException;
-
-public class TokenAuthTest extends JerseyTest {
-
- private static final String RS_PACKAGES = "org.opendaylight.aaa.sts";
- private static final String JERSEY_FILTERS = "com.sun.jersey.spi.container.ContainerRequestFilters";
- private static final String AUTH_FILTERS = TokenAuthFilter.class.getName();
-
- private static Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUserId(
- "1234").setUser("Bob").addRole("admin").addRole("user").setDomain("tenantX").build()).setExpiration(
- System.currentTimeMillis() + 1000).build();
-
- private static final String GOOD_TOKEN = "9b01b7cf-8a49-346d-8c47-6a61193e2b60";
- private static final String BAD_TOKEN = "9b01b7cf-8a49-346d-8c47-6a611badbeef";
-
- public TokenAuthTest() throws Exception {
- super(new WebAppDescriptor.Builder(RS_PACKAGES).initParam(JERSEY_FILTERS, AUTH_FILTERS)
- .build());
- }
-
- @BeforeClass
- public static void init() {
- ServiceLocator.getInstance().setAuthenticationService(mock(AuthenticationService.class));
- ServiceLocator.getInstance().setTokenStore(mock(TokenStore.class));
- when(ServiceLocator.getInstance().getTokenStore().get(GOOD_TOKEN)).thenReturn(auth);
- when(ServiceLocator.getInstance().getTokenStore().get(BAD_TOKEN)).thenReturn(null);
- when(ServiceLocator.getInstance().getAuthenticationService().isAuthEnabled()).thenReturn(
- Boolean.TRUE);
- }
-
- @Test()
- public void testGetUnauthorized() {
- try {
- resource().path("test").get(String.class);
- fail("Shoulda failed with 401!");
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(401, resp.getStatus());
- assertTrue(resp.getHeaders().get(UnauthorizedException.WWW_AUTHENTICATE)
- .contains(UnauthorizedException.OPENDAYLIGHT));
- }
- }
-
- @Test
- public void testGet() {
- String resp = resource().path("test").header("Authorization", "Bearer " + GOOD_TOKEN)
- .get(String.class);
- assertEquals("ok", resp);
- }
-
- @SuppressWarnings("unchecked")
- @Test
- public void testGetWithValidator() {
- try {
- // Mock a laxed tokenauth...
- TokenAuth ta = mock(TokenAuth.class);
- when(ta.validate(anyMap())).thenReturn(auth);
- ServiceLocator.getInstance().getTokenAuthCollection().add(ta);
- testGet();
- } finally {
- ServiceLocator.getInstance().getTokenAuthCollection().clear();
- }
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenEndpointTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenEndpointTest.java
deleted file mode 100644
index 06dd6302..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenEndpointTest.java
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.sts;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Matchers.any;
-import static org.mockito.Matchers.anyString;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-import java.util.Arrays;
-import org.eclipse.jetty.testing.HttpTester;
-import org.eclipse.jetty.testing.ServletTester;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.opendaylight.aaa.AuthenticationBuilder;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.aaa.api.ClientService;
-import org.opendaylight.aaa.api.CredentialAuth;
-import org.opendaylight.aaa.api.IdMService;
-import org.opendaylight.aaa.api.PasswordCredentials;
-import org.opendaylight.aaa.api.TokenAuth;
-import org.opendaylight.aaa.api.TokenStore;
-
-/**
- * A unit test for token endpoint.
- *
- * @author liemmn
- *
- */
-public class TokenEndpointTest {
- private static final long TOKEN_TIMEOUT_SECS = 10;
- private static final String CONTEXT = "/oauth2";
- private static final String DIRECT_AUTH = "grant_type=password&username=admin&password=admin&scope=pepsi&client_id=dlux&client_secret=secrete";
- private static final String REFRESH_TOKEN = "grant_type=refresh_token&refresh_token=whateverisgood&scope=pepsi";
-
- private static final Claim claim = new ClaimBuilder().setUser("bob").setUserId("1234")
- .addRole("admin").build();
- private final static ServletTester server = new ServletTester();
-
- @BeforeClass
- public static void init() throws Exception {
- // Set up server
- server.setContextPath(CONTEXT);
-
- // Add our servlet under test
- server.addServlet(TokenEndpoint.class, "/revoke");
- server.addServlet(TokenEndpoint.class, "/token");
-
- // Let's do dis
- server.start();
- }
-
- @AfterClass
- public static void shutdown() throws Exception {
- server.stop();
- }
-
- @Before
- public void setup() {
- mockServiceLocator();
- when(ServiceLocator.getInstance().getTokenStore().tokenExpiration()).thenReturn(
- TOKEN_TIMEOUT_SECS);
- }
-
- @After
- public void teardown() {
- ServiceLocator.getInstance().getTokenAuthCollection().clear();
- }
-
- @Test
- public void testCreateToken401() throws Exception {
- HttpTester req = new HttpTester();
- req.setMethod("POST");
- req.setHeader("Content-Type", "application/x-www-form-urlencoded");
- req.setContent(DIRECT_AUTH);
- req.setURI(CONTEXT + TokenEndpoint.TOKEN_GRANT_ENDPOINT);
- req.setVersion("HTTP/1.0");
-
- HttpTester resp = new HttpTester();
- resp.parse(server.getResponses(req.generate()));
- assertEquals(401, resp.getStatus());
- }
-
- @Test
- public void testCreateTokenWithPassword() throws Exception {
- when(
- ServiceLocator.getInstance().getCredentialAuth()
- .authenticate(any(PasswordCredentials.class))).thenReturn(claim);
-
- HttpTester req = new HttpTester();
- req.setMethod("POST");
- req.setHeader("Content-Type", "application/x-www-form-urlencoded");
- req.setContent(DIRECT_AUTH);
- req.setURI(CONTEXT + TokenEndpoint.TOKEN_GRANT_ENDPOINT);
- req.setVersion("HTTP/1.0");
-
- HttpTester resp = new HttpTester();
- resp.parse(server.getResponses(req.generate()));
- assertEquals(201, resp.getStatus());
- assertTrue(resp.getContent().contains("expires_in\":10"));
- assertTrue(resp.getContent().contains("Bearer"));
- }
-
- @Test
- public void testCreateTokenWithRefreshToken() throws Exception {
- when(ServiceLocator.getInstance().getTokenStore().get(anyString())).thenReturn(
- new AuthenticationBuilder(claim).build());
- when(ServiceLocator.getInstance().getIdmService().listRoles(anyString(), anyString())).thenReturn(
- Arrays.asList("admin", "user"));
-
- HttpTester req = new HttpTester();
- req.setMethod("POST");
- req.setHeader("Content-Type", "application/x-www-form-urlencoded");
- req.setContent(REFRESH_TOKEN);
- req.setURI(CONTEXT + TokenEndpoint.TOKEN_GRANT_ENDPOINT);
- req.setVersion("HTTP/1.0");
-
- HttpTester resp = new HttpTester();
- resp.parse(server.getResponses(req.generate()));
- assertEquals(201, resp.getStatus());
- assertTrue(resp.getContent().contains("expires_in\":10"));
- assertTrue(resp.getContent().contains("Bearer"));
- }
-
- @Test
- public void testDeleteToken() throws Exception {
- when(ServiceLocator.getInstance().getTokenStore().delete("token_to_be_deleted")).thenReturn(
- true);
-
- HttpTester req = new HttpTester();
- req.setMethod("POST");
- req.setHeader("Content-Type", "application/x-www-form-urlencoded");
- req.setContent("token_to_be_deleted");
- req.setURI(CONTEXT + TokenEndpoint.TOKEN_REVOKE_ENDPOINT);
- req.setVersion("HTTP/1.0");
-
- HttpTester resp = new HttpTester();
- resp.parse(server.getResponses(req.generate()));
- assertEquals(204, resp.getStatus());
- }
-
- @SuppressWarnings("unchecked")
- private static void mockServiceLocator() {
- ServiceLocator.getInstance().setClientService(mock(ClientService.class));
- ServiceLocator.getInstance().setIdmService(mock(IdMService.class));
- ServiceLocator.getInstance().setAuthenticationService(mock(AuthenticationService.class));
- ServiceLocator.getInstance().setTokenStore(mock(TokenStore.class));
- ServiceLocator.getInstance().setCredentialAuth(mock(CredentialAuth.class));
- ServiceLocator.getInstance().getTokenAuthCollection().add(mock(TokenAuth.class));
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authn/pom.xml
deleted file mode 100644
index 01f1c99c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/pom.xml
+++ /dev/null
@@ -1,103 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (c) 2014-2015 Hewlett-Packard Development Company, L.P. and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.compendium</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Bundle-Activator>org.opendaylight.aaa.Activator</Bundle-Activator>
- </instructions>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>attach-artifacts</id>
- <phase>package</phase>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/authn.cfg</file>
- <type>cfg</type>
- <classifier>config</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/Activator.java
deleted file mode 100644
index cfe27ef0..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/Activator.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa;
-
-import java.util.Dictionary;
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.opendaylight.aaa.api.ClientService;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.Constants;
-import org.osgi.service.cm.ManagedService;
-
-/**
- * Activator to register {@link AuthenticationService} with OSGi.
- *
- * @author liemmn
- *
- */
-public class Activator extends DependencyActivatorBase {
-
- private static final String AUTHN_PID = "org.opendaylight.aaa.authn";
-
- @Override
- public void init(BundleContext context, DependencyManager manager) throws Exception {
- manager.add(createComponent().setInterface(
- new String[] { AuthenticationService.class.getName() }, null).setImplementation(
- AuthenticationManager.instance()));
-
- ClientManager cm = new ClientManager();
- manager.add(createComponent().setInterface(new String[] { ClientService.class.getName() },
- null).setImplementation(cm));
- context.registerService(ManagedService.class.getName(), cm, addPid(ClientManager.defaults));
- context.registerService(ManagedService.class.getName(), AuthenticationManager.instance(),
- addPid(AuthenticationManager.defaults));
- }
-
- @Override
- public void destroy(BundleContext context, DependencyManager manager) throws Exception {
- }
-
- private Dictionary<String, ?> addPid(Dictionary<String, String> dict) {
- dict.put(Constants.SERVICE_PID, AUTHN_PID);
- return dict;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationBuilder.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationBuilder.java
deleted file mode 100644
index 948cbac6..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationBuilder.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa;
-
-import static org.opendaylight.aaa.EqualUtil.areEqual;
-import static org.opendaylight.aaa.HashCodeUtil.hash;
-
-import java.io.Serializable;
-import java.util.Set;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.Claim;
-
-/**
- * A builder for the authentication context.
- *
- * The expiration defaults to 0.
- *
- * @author liemmn
- *
- */
-public class AuthenticationBuilder {
-
- private long expiration = 0L;
- private Claim claim;
-
- public AuthenticationBuilder(Claim claim) {
- this.claim = claim;
- }
-
- public AuthenticationBuilder setExpiration(long expiration) {
- this.expiration = expiration;
- return this;
- }
-
- public Authentication build() {
- return new ImmutableAuthentication(this);
- }
-
- private static final class ImmutableAuthentication implements Authentication, Serializable {
- private static final long serialVersionUID = 4919078164955609987L;
- private int hashCode = 0;
- long expiration = 0L;
- Claim claim;
-
- private ImmutableAuthentication(AuthenticationBuilder base) {
- if (base.claim == null) {
- throw new IllegalStateException("The Claim is null.");
- }
- claim = new ClaimBuilder(base.claim).build();
- expiration = base.expiration;
-
- if (base.expiration < 0) {
- throw new IllegalStateException("The expiration is less than 0.");
- }
- }
-
- @Override
- public long expiration() {
- return expiration;
- }
-
- @Override
- public String clientId() {
- return claim.clientId();
- }
-
- @Override
- public String userId() {
- return claim.userId();
- }
-
- @Override
- public String user() {
- return claim.user();
- }
-
- @Override
- public String domain() {
- return claim.domain();
- }
-
- @Override
- public Set<String> roles() {
- return claim.roles();
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) {
- return true;
- }
- if (!(o instanceof Authentication)) {
- return false;
- }
- Authentication a = (Authentication) o;
- return areEqual(expiration, a.expiration()) && areEqual(claim.roles(), a.roles())
- && areEqual(claim.domain(), a.domain()) && areEqual(claim.userId(), a.userId())
- && areEqual(claim.user(), a.user()) && areEqual(claim.clientId(), a.clientId());
- }
-
- @Override
- public int hashCode() {
- if (hashCode == 0) {
- int result = HashCodeUtil.SEED;
- result = hash(result, expiration);
- result = hash(result, claim.hashCode());
- hashCode = result;
- }
- return hashCode;
- }
-
- @Override
- public String toString() {
- return "expiration:" + expiration + "," + claim.toString();
- }
- }
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationManager.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationManager.java
deleted file mode 100644
index 5f6420a3..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationManager.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa;
-
-import java.util.Dictionary;
-import java.util.Hashtable;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.osgi.service.cm.ConfigurationException;
-import org.osgi.service.cm.ManagedService;
-
-/**
- * An {@link InheritableThreadLocal}-based {@link AuthenticationService}.
- *
- * @author liemmn
- */
-public class AuthenticationManager implements AuthenticationService, ManagedService {
- private static final String AUTH_ENABLED_ERR = "Error setting authEnabled";
-
- static final String AUTH_ENABLED = "authEnabled";
- static final Dictionary<String, String> defaults = new Hashtable<>();
- static {
- defaults.put(AUTH_ENABLED, Boolean.FALSE.toString());
- }
-
- // In non-Karaf environments, authEnabled is set to false by default
- private static volatile boolean authEnabled = false;
-
- private final static AuthenticationManager am = new AuthenticationManager();
- private final ThreadLocal<Authentication> auth = new InheritableThreadLocal<>();
-
- private AuthenticationManager() {
- }
-
- static AuthenticationManager instance() {
- return am;
- }
-
- @Override
- public Authentication get() {
- return auth.get();
- }
-
- @Override
- public void set(Authentication a) {
- auth.set(a);
- }
-
- @Override
- public void clear() {
- auth.remove();
- }
-
- @Override
- public boolean isAuthEnabled() {
- return authEnabled;
- }
-
- @Override
- public void updated(Dictionary<String, ?> properties) throws ConfigurationException {
- if (properties == null) {
- return;
- }
-
- String propertyValue = (String) properties.get(AUTH_ENABLED);
- boolean isTrueString = Boolean.parseBoolean(propertyValue);
- if (!isTrueString && !"false".equalsIgnoreCase(propertyValue)) {
- throw new ConfigurationException(AUTH_ENABLED, AUTH_ENABLED_ERR);
- }
- authEnabled = isTrueString;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/ClaimBuilder.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/ClaimBuilder.java
deleted file mode 100644
index 4e4a8ef3..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/ClaimBuilder.java
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa;
-
-import static org.opendaylight.aaa.EqualUtil.areEqual;
-import static org.opendaylight.aaa.HashCodeUtil.hash;
-
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableSet;
-import java.io.Serializable;
-import java.util.LinkedHashSet;
-import java.util.Set;
-import org.opendaylight.aaa.api.Claim;
-
-/**
- * Builder for a {@link Claim}. The userId, user, and roles information is
- * mandatory.
- *
- * @author liemmn
- *
- */
-public class ClaimBuilder {
- private String userId = "";
- private String user = "";
- private Set<String> roles = new LinkedHashSet<>();
- private String clientId = "";
- private String domain = "";
-
- public ClaimBuilder() {
- }
-
- public ClaimBuilder(Claim claim) {
- clientId = claim.clientId();
- userId = claim.userId();
- user = claim.user();
- domain = claim.domain();
- roles.addAll(claim.roles());
- }
-
- public ClaimBuilder setClientId(String clientId) {
- this.clientId = Strings.nullToEmpty(clientId).trim();
- return this;
- }
-
- public ClaimBuilder setUserId(String userId) {
- this.userId = Strings.nullToEmpty(userId).trim();
- return this;
- }
-
- public ClaimBuilder setUser(String userName) {
- user = Strings.nullToEmpty(userName).trim();
- return this;
- }
-
- public ClaimBuilder setDomain(String domain) {
- this.domain = Strings.nullToEmpty(domain).trim();
- return this;
- }
-
- public ClaimBuilder addRoles(Set<String> roles) {
- for (String role : roles) {
- addRole(role);
- }
- return this;
- }
-
- public ClaimBuilder addRole(String role) {
- roles.add(Strings.nullToEmpty(role).trim());
- return this;
- }
-
- public Claim build() {
- return new ImmutableClaim(this);
- }
-
- protected static class ImmutableClaim implements Claim, Serializable {
- private static final long serialVersionUID = -8115027645190209129L;
- private int hashCode = 0;
- protected String clientId;
- protected String userId;
- protected String user;
- protected String domain;
- protected ImmutableSet<String> roles;
-
- protected ImmutableClaim(ClaimBuilder base) {
- clientId = base.clientId;
- userId = base.userId;
- user = base.user;
- domain = base.domain;
- roles = ImmutableSet.<String> builder().addAll(base.roles).build();
-
- if (userId.isEmpty() || user.isEmpty() || roles.isEmpty() || roles.contains("")) {
- throw new IllegalStateException(
- "The Claim is missing one or more of the required fields.");
- }
- }
-
- @Override
- public String clientId() {
- return clientId;
- }
-
- @Override
- public String userId() {
- return userId;
- }
-
- @Override
- public String user() {
- return user;
- }
-
- @Override
- public String domain() {
- return domain;
- }
-
- @Override
- public Set<String> roles() {
- return roles;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o)
- return true;
- if (!(o instanceof Claim))
- return false;
- Claim a = (Claim) o;
- return areEqual(roles, a.roles()) && areEqual(domain, a.domain())
- && areEqual(userId, a.userId()) && areEqual(user, a.user())
- && areEqual(clientId, a.clientId());
- }
-
- @Override
- public int hashCode() {
- if (hashCode == 0) {
- int result = HashCodeUtil.SEED;
- result = hash(result, clientId);
- result = hash(result, userId);
- result = hash(result, user);
- result = hash(result, domain);
- result = hash(result, roles);
- hashCode = result;
- }
- return hashCode;
- }
-
- @Override
- public String toString() {
- return "clientId:" + clientId + "," + "userId:" + userId + "," + "userName:" + user
- + "," + "domain:" + domain + "," + "roles:" + roles;
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/ClientManager.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/ClientManager.java
deleted file mode 100644
index e7e51424..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/ClientManager.java
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa;
-
-import java.util.Dictionary;
-import java.util.HashMap;
-import java.util.Hashtable;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-import org.apache.felix.dm.Component;
-import org.opendaylight.aaa.api.AuthenticationException;
-import org.opendaylight.aaa.api.ClientService;
-import org.osgi.service.cm.ConfigurationException;
-import org.osgi.service.cm.ManagedService;
-
-/**
- * A configuration-based client manager.
- *
- * @author liemmn
- *
- */
-public class ClientManager implements ClientService, ManagedService {
- static final String CLIENTS = "authorizedClients";
- private static final String CLIENTS_FORMAT_ERR = "Clients are space-delimited in the form of <client_id>:<client_secret>";
- private static final String UNAUTHORIZED_CLIENT_ERR = "Unauthorized client";
-
- // Defaults (needed only for non-Karaf deployments)
- static final Dictionary<String, String> defaults = new Hashtable<>();
- static {
- defaults.put(CLIENTS, "dlux:secrete");
- }
-
- private final Map<String, String> clients = new ConcurrentHashMap<>();
-
- // This should be a singleton
- ClientManager() {
- }
-
- // Called by DM when all required dependencies are satisfied.
- void init(Component c) throws ConfigurationException {
- reconfig(defaults);
- }
-
- @Override
- public void validate(String clientId, String clientSecret) throws AuthenticationException {
- // TODO: Post-Helium, we will support a CRUD API
- if (!clients.containsKey(clientId)) {
- throw new AuthenticationException(UNAUTHORIZED_CLIENT_ERR);
- }
- if (!clients.get(clientId).equals(clientSecret)) {
- throw new AuthenticationException(UNAUTHORIZED_CLIENT_ERR);
- }
- }
-
- @Override
- public void updated(Dictionary<String, ?> props) throws ConfigurationException {
- if (props == null) {
- props = defaults;
- }
- reconfig(props);
- }
-
- // Reconfigure the client map...
- private void reconfig(@SuppressWarnings("rawtypes") Dictionary props)
- throws ConfigurationException {
- try {
- String authorizedClients = (String) props.get(CLIENTS);
- Map<String, String> newClients = new HashMap<>();
- if (authorizedClients != null) {
- for (String client : authorizedClients.split(" ")) {
- String[] aClient = client.split(":");
- newClients.put(aClient[0], aClient[1]);
- }
- }
- clients.clear();
- clients.putAll(newClients);
- } catch (Throwable t) {
- throw new ConfigurationException(null, CLIENTS_FORMAT_ERR);
- }
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/EqualUtil.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/EqualUtil.java
deleted file mode 100644
index 17204d0e..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/EqualUtil.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa;
-
-/**
- * Simple class to aide in implementing equals.
- * <p>
- *
- * <em>Arrays are not handled by this class</em>. This is because the
- * <code>Arrays.equals</code> methods should be used for array fields.
- */
-public final class EqualUtil {
- static public boolean areEqual(boolean aThis, boolean aThat) {
- return aThis == aThat;
- }
-
- static public boolean areEqual(char aThis, char aThat) {
- return aThis == aThat;
- }
-
- static public boolean areEqual(long aThis, long aThat) {
- return aThis == aThat;
- }
-
- static public boolean areEqual(float aThis, float aThat) {
- return Float.floatToIntBits(aThis) == Float.floatToIntBits(aThat);
- }
-
- static public boolean areEqual(double aThis, double aThat) {
- return Double.doubleToLongBits(aThis) == Double.doubleToLongBits(aThat);
- }
-
- static public boolean areEqual(Object aThis, Object aThat) {
- return aThis == null ? aThat == null : aThis.equals(aThat);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/HashCodeUtil.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/HashCodeUtil.java
deleted file mode 100644
index c295b3ed..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/HashCodeUtil.java
+++ /dev/null
@@ -1,104 +0,0 @@
-/*****************************************************************************
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- *****************************************************************************/
-
-package org.opendaylight.aaa;
-
-import java.lang.reflect.Array;
-
-/**
- * Collected methods which allow easy implementation of <tt>hashCode</tt>.
- *
- * Example use case:
- *
- * <pre>
- * public int hashCode() {
- * int result = HashCodeUtil.SEED;
- * // collect the contributions of various fields
- * result = HashCodeUtil.hash(result, fPrimitive);
- * result = HashCodeUtil.hash(result, fObject);
- * result = HashCodeUtil.hash(result, fArray);
- * return result;
- * }
- * </pre>
- */
-public final class HashCodeUtil {
-
- /**
- * An initial value for a <tt>hashCode</tt>, to which is added contributions
- * from fields. Using a non-zero value decreases collisions of
- * <tt>hashCode</tt> values.
- */
- public static final int SEED = 23;
-
- /** booleans. */
- public static int hash(int aSeed, boolean aBoolean) {
- return firstTerm(aSeed) + (aBoolean ? 1 : 0);
- }
-
- /*** chars. */
- public static int hash(int aSeed, char aChar) {
- return firstTerm(aSeed) + aChar;
- }
-
- /** ints. */
- public static int hash(int aSeed, int aInt) {
- return firstTerm(aSeed) + aInt;
- }
-
- /** longs. */
- public static int hash(int aSeed, long aLong) {
- return firstTerm(aSeed) + (int) (aLong ^ (aLong >>> 32));
- }
-
- /** floats. */
- public static int hash(int aSeed, float aFloat) {
- return hash(aSeed, Float.floatToIntBits(aFloat));
- }
-
- /** doubles. */
- public static int hash(int aSeed, double aDouble) {
- return hash(aSeed, Double.doubleToLongBits(aDouble));
- }
-
- /**
- * <tt>aObject</tt> is a possibly-null object field, and possibly an array.
- *
- * If <tt>aObject</tt> is an array, then each element may be a primitive or
- * a possibly-null object.
- */
- public static int hash(int aSeed, Object aObject) {
- int result = aSeed;
- if (aObject == null) {
- result = hash(result, 0);
- } else if (!isArray(aObject)) {
- result = hash(result, aObject.hashCode());
- } else {
- int length = Array.getLength(aObject);
- for (int idx = 0; idx < length; ++idx) {
- Object item = Array.get(aObject, idx);
- // if an item in the array references the array itself, prevent
- // infinite looping
- if (!(item == aObject)) {
- result = hash(result, item);
- }
- }
- }
- return result;
- }
-
- // PRIVATE
- private static final int fODD_PRIME_NUMBER = 37;
-
- private static int firstTerm(int aSeed) {
- return fODD_PRIME_NUMBER * aSeed;
- }
-
- private static boolean isArray(Object aObject) {
- return aObject.getClass().isArray();
- }
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/PasswordCredentialBuilder.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/PasswordCredentialBuilder.java
deleted file mode 100644
index d8a2e87a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/PasswordCredentialBuilder.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa;
-
-import static org.opendaylight.aaa.EqualUtil.areEqual;
-import static org.opendaylight.aaa.HashCodeUtil.hash;
-
-import org.opendaylight.aaa.api.PasswordCredentials;
-
-/**
- * {@link PasswordCredentials} builder.
- *
- * @author liemmn
- *
- */
-public class PasswordCredentialBuilder {
- private final MutablePasswordCredentials pc = new MutablePasswordCredentials();
-
- public PasswordCredentialBuilder setUserName(String username) {
- pc.username = username;
- return this;
- }
-
- public PasswordCredentialBuilder setPassword(String password) {
- pc.password = password;
- return this;
- }
-
- public PasswordCredentialBuilder setDomain(String domain) {
- pc.domain = domain;
- return this;
- }
-
- public PasswordCredentials build() {
- return pc;
- }
-
- private static class MutablePasswordCredentials implements PasswordCredentials {
- private int hashCode = 0;
- private String username;
- private String password;
- private String domain;
-
- @Override
- public String username() {
- return username;
- }
-
- @Override
- public String password() {
- return password;
- }
-
- @Override
- public String domain() {
- return domain;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) {
- return true;
- }
- if (!(o instanceof PasswordCredentials)) {
- return false;
- }
- PasswordCredentials p = (PasswordCredentials) o;
- return areEqual(username, p.username()) && areEqual(password, p.password());
- }
-
- @Override
- public int hashCode() {
- if (hashCode == 0) {
- int result = HashCodeUtil.SEED;
- result = hash(result, username);
- result = hash(result, password);
- hashCode = result;
- }
- return hashCode;
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/SecureBlockingQueue.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/SecureBlockingQueue.java
deleted file mode 100644
index 3ded52da..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/java/org/opendaylight/aaa/SecureBlockingQueue.java
+++ /dev/null
@@ -1,258 +0,0 @@
-/*
- * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa;
-
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.concurrent.BlockingQueue;
-import java.util.concurrent.TimeUnit;
-import org.opendaylight.aaa.api.Authentication;
-
-/**
- * A {@link BlockingQueue} decorator with injected security context.
- *
- * @author liemmn
- *
- * @param <T>
- * queue element type
- */
-public class SecureBlockingQueue<T> implements BlockingQueue<T> {
- private final BlockingQueue<SecureData<T>> queue;
-
- /**
- * Constructor.
- *
- * @param queue
- * blocking queue implementation to use
- */
- public SecureBlockingQueue(BlockingQueue<SecureData<T>> queue) {
- this.queue = queue;
- }
-
- @Override
- public T remove() {
- return setAuth(queue.remove());
- }
-
- @Override
- public T poll() {
- return setAuth(queue.poll());
- }
-
- @Override
- public T element() {
- return setAuth(queue.element());
- }
-
- @Override
- public T peek() {
- return setAuth(queue.peek());
- }
-
- @Override
- public int size() {
- return queue.size();
- }
-
- @Override
- public boolean isEmpty() {
- return queue.isEmpty();
- }
-
- @Override
- public Iterator<T> iterator() {
- return new Iterator<T>() {
- Iterator<SecureData<T>> it = queue.iterator();
-
- @Override
- public boolean hasNext() {
- return it.hasNext();
- }
-
- @Override
- public T next() {
- return it.next().data;
- }
-
- @Override
- public void remove() {
- it.remove();
- }
- };
- }
-
- @Override
- public Object[] toArray() {
- return toData().toArray();
- }
-
- @SuppressWarnings("hiding")
- @Override
- public <T> T[] toArray(T[] a) {
- return toData().toArray(a);
- }
-
- @Override
- public boolean containsAll(Collection<?> c) {
- return toData().containsAll(c);
- }
-
- @Override
- public boolean addAll(Collection<? extends T> c) {
- return queue.addAll(fromData(c));
- }
-
- @Override
- public boolean removeAll(Collection<?> c) {
- return queue.removeAll(fromData(c));
- }
-
- @Override
- public boolean retainAll(Collection<?> c) {
- return queue.retainAll(fromData(c));
- }
-
- @Override
- public void clear() {
- queue.clear();
- }
-
- @Override
- public boolean add(T e) {
- return queue.add(new SecureData<>(e));
- }
-
- @Override
- public boolean offer(T e) {
- return queue.offer(new SecureData<>(e));
- }
-
- @Override
- public void put(T e) throws InterruptedException {
- queue.put(new SecureData<T>(e));
- }
-
- @Override
- public boolean offer(T e, long timeout, TimeUnit unit) throws InterruptedException {
- return queue.offer(new SecureData<>(e), timeout, unit);
- }
-
- @Override
- public T take() throws InterruptedException {
- return setAuth(queue.take());
- }
-
- @Override
- public T poll(long timeout, TimeUnit unit) throws InterruptedException {
- return setAuth(queue.poll(timeout, unit));
- }
-
- @Override
- public int remainingCapacity() {
- return queue.remainingCapacity();
- }
-
- @Override
- public boolean remove(Object o) {
- Iterator<SecureData<T>> it = queue.iterator();
- while (it.hasNext()) {
- SecureData<T> sd = it.next();
- if (sd.data.equals(o)) {
- return queue.remove(sd);
- }
- }
- return false;
- }
-
- @Override
- public boolean contains(Object o) {
- Iterator<SecureData<T>> it = queue.iterator();
- while (it.hasNext()) {
- SecureData<T> sd = it.next();
- if (sd.data.equals(o)) {
- return true;
- }
- }
- return false;
- }
-
- @Override
- public int drainTo(Collection<? super T> c) {
- Collection<SecureData<T>> sd = new ArrayList<>();
- int n = queue.drainTo(sd);
- c.addAll(toData(sd));
- return n;
- }
-
- @Override
- public int drainTo(Collection<? super T> c, int maxElements) {
- Collection<SecureData<T>> sd = new ArrayList<>();
- int n = queue.drainTo(sd, maxElements);
- c.addAll(toData(sd));
- return n;
- }
-
- // Rehydrate security context
- private T setAuth(SecureData<T> i) {
- AuthenticationManager.instance().set(i.auth);
- return i.data;
- }
-
- // Construct secure data collection from a plain old data collection
- @SuppressWarnings("unchecked")
- private Collection<SecureData<T>> fromData(Collection<?> c) {
- Collection<SecureData<T>> sd = new ArrayList<>(c.size());
- for (Object d : c) {
- sd.add((SecureData<T>) new SecureData<>(d));
- }
- return sd;
- }
-
- // Extract the data portion out from the secure data
- @SuppressWarnings("unchecked")
- private Collection<T> toData() {
- return toData(Arrays.<SecureData<T>> asList(queue.toArray(new SecureData[0])));
- }
-
- // Extract the data portion out from the secure data
- private Collection<T> toData(Collection<SecureData<T>> secureData) {
- Collection<T> data = new ArrayList<>(secureData.size());
- Iterator<SecureData<T>> it = secureData.iterator();
- while (it.hasNext()) {
- data.add(it.next().data);
- }
- return data;
- }
-
- // Inject security context
- public static final class SecureData<T> {
- private final T data;
- private final Authentication auth;
-
- private SecureData(T data) {
- this.data = data;
- this.auth = AuthenticationManager.instance().get();
- }
-
- @SuppressWarnings("rawtypes")
- @Override
- public boolean equals(Object o) {
- if (o == null) {
- return false;
- }
- return (o instanceof SecureData) ? data.equals(((SecureData) o).data) : false;
- }
-
- @Override
- public int hashCode() {
- return data.hashCode();
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.properties b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.properties
deleted file mode 100644
index 75537f6b..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.properties
+++ /dev/null
@@ -1,12 +0,0 @@
-org.opendaylight.aaa.authn.name = Opendaylight AAA Authentication Configuration
-org.opendaylight.aaa.authn.description = Configuration for AAA authorized clients
-org.opendaylight.aaa.authn.authorizedClients.name = Authorized Clients
-org.opendaylight.aaa.authn.authorizedClients.description = Space-delimited list of authorized \
- clients, with client id and client password separated by a ':'. \
- Example: dlux:secrete <client_id:client_secret>
-org.opendaylight.aaa.authn.authEnabled.name = Enable authentication
-org.opendaylight.aaa.authn.authEnabled.description = Enable authentication by setting it \
-to the value 'true', or 'false' if bypassing authentication. \
-Note that bypassing authentication may result in your controller being more \
-vulnerable to unauthorized accesses. Authorization, if enabled, will not work if \
-authentication is disabled.
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.xml b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.xml
deleted file mode 100644
index 10150587..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<metatype:MetaData xmlns:metatype="http://www.osgi.org/xmlns/metatype/v1.0.0"
- localization="OSGI-INF/metatype/metatype">
- <OCD id="org.opendaylight.aaa.authn" name="%org.opendaylight.aaa.authn.name"
- description="%org.opendaylight.aaa.authn.description">
- <AD id="authorizedClients" type="String" default="dlux:secrete"
- name="%org.opendaylight.aaa.authn.authorizedClients.name"
- description="%org.opendaylight.aaa.authn.authorizedClients.description" />
- <AD id="authEnabled" type="String" default="true"
- name="%org.opendaylight.aaa.authn.authEnabled.name"
- description="%org.opendaylight.aaa.authn.authEnabled.description" />
- </OCD>
- <Designate pid="org.opendaylight.aaa.authn">
- <Object ocdref="org.opendaylight.aaa.authn" />
- </Designate>
-</metatype:MetaData>
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/authn.cfg b/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/authn.cfg
deleted file mode 100644
index e7326f86..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/main/resources/authn.cfg
+++ /dev/null
@@ -1,2 +0,0 @@
-authorizedClients=dlux:secrete
-authEnabled=true
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationBuilderTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationBuilderTest.java
deleted file mode 100644
index 2f69fe5b..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationBuilderTest.java
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (c) 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotEquals;
-import static org.junit.Assert.assertTrue;
-
-import java.util.Arrays;
-import java.util.LinkedHashSet;
-import java.util.Set;
-import org.junit.Test;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.Claim;
-
-public class AuthenticationBuilderTest {
- private Set<String> roles = new LinkedHashSet<>(Arrays.asList("role1", "role2"));
- private Claim validClaim = new ClaimBuilder().setDomain("aName").setUserId("1")
- .setClientId("2222").setUser("bob").addRole("foo").addRoles(roles).build();
-
- @Test
- public void testBuildWithExpiration() {
- Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
- assertEquals(1, a1.expiration());
- assertEquals("aName", a1.domain());
- assertEquals("1", a1.userId());
- assertEquals("2222", a1.clientId());
- assertEquals("bob", a1.user());
- assertTrue(a1.roles().contains("foo"));
- assertTrue(a1.roles().containsAll(roles));
- assertEquals(3, a1.roles().size());
- Authentication a2 = new AuthenticationBuilder(a1).build();
- assertNotEquals(a1, a2);
- Authentication a3 = new AuthenticationBuilder(a1).setExpiration(1).build();
- assertEquals(a1, a3);
- }
-
- @Test
- public void testBuildWithoutExpiration() {
- Authentication a1 = new AuthenticationBuilder(validClaim).build();
- assertEquals(0, a1.expiration());
- assertEquals("aName", a1.domain());
- assertEquals("1", a1.userId());
- assertEquals("2222", a1.clientId());
- assertEquals("bob", a1.user());
- assertTrue(a1.roles().contains("foo"));
- assertTrue(a1.roles().containsAll(roles));
- assertEquals(3, a1.roles().size());
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithNegativeExpiration() {
- AuthenticationBuilder a1 = new AuthenticationBuilder(validClaim).setExpiration(-1);
- a1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithNullClaim() {
- AuthenticationBuilder a1 = new AuthenticationBuilder(null);
- a1.build();
- }
-
- @Test
- public void testToString() {
- Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
- assertEquals(
- "expiration:1,clientId:2222,userId:1,userName:bob,domain:aName,roles:[foo, role1, role2]",
- a1.toString());
- }
-
- @Test
- public void testEquals() {
- Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
- assertTrue(a1.equals(a1));
- Authentication a2 = new AuthenticationBuilder(a1).setExpiration(1).build();
- assertTrue(a1.equals(a2));
- assertTrue(a2.equals(a1));
- Authentication a3 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
- assertTrue(a1.equals(a3));
- assertTrue(a3.equals(a2));
- assertTrue(a1.equals(a2));
- }
-
- @Test
- public void testNotEquals() {
- Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
- assertFalse(a1.equals(null));
- assertFalse(a1.equals("wrong object"));
- Authentication a2 = new AuthenticationBuilder(a1).build();
- assertFalse(a1.equals(a2));
- assertFalse(a2.equals(a1));
- Authentication a3 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
- assertFalse(a1.equals(a2));
- assertTrue(a1.equals(a3));
- assertFalse(a2.equals(a3));
- Authentication a4 = new AuthenticationBuilder(validClaim).setExpiration(9).build();
- assertFalse(a1.equals(a4));
- assertFalse(a4.equals(a1));
- Authentication a5 = new AuthenticationBuilder(a1).setExpiration(9).build();
- assertFalse(a1.equals(a5));
- assertFalse(a5.equals(a1));
- }
-
- @Test
- public void testHashCode() {
- Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
- assertEquals(a1.hashCode(), a1.hashCode());
- Authentication a2 = new AuthenticationBuilder(a1).setExpiration(1).build();
- assertTrue(a1.equals(a2));
- assertEquals(a1.hashCode(), a2.hashCode());
- Authentication a3 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
- assertTrue(a1.equals(a3));
- assertEquals(a1.hashCode(), a3.hashCode());
- assertEquals(a2.hashCode(), a3.hashCode());
- Authentication a4 = new AuthenticationBuilder(a1).setExpiration(9).build();
- assertFalse(a1.equals(a4));
- assertNotEquals(a1.hashCode(), a4.hashCode());
- Authentication a5 = new AuthenticationBuilder(a1).build();
- assertFalse(a1.equals(a5));
- assertNotEquals(a1.hashCode(), a5.hashCode());
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationManagerTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationManagerTest.java
deleted file mode 100644
index 540df287..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationManagerTest.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-
-import java.util.Arrays;
-import java.util.Dictionary;
-import java.util.Hashtable;
-import java.util.List;
-import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import org.junit.Test;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.osgi.service.cm.ConfigurationException;
-
-public class AuthenticationManagerTest {
- @Test
- public void testAuthenticationCrudSameThread() {
- Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUser("Bob")
- .setUserId("1234").addRole("admin").addRole("guest").build()).build();
- AuthenticationService as = AuthenticationManager.instance();
-
- assertNotNull(as);
-
- as.set(auth);
- assertEquals(auth, as.get());
-
- as.clear();
- assertNull(as.get());
- }
-
- @Test
- public void testAuthenticationCrudSpawnedThread() throws InterruptedException,
- ExecutionException {
- AuthenticationService as = AuthenticationManager.instance();
- Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUser("Bob")
- .setUserId("1234").addRole("admin").addRole("guest").build()).build();
-
- as.set(auth);
- Future<Authentication> f = Executors.newSingleThreadExecutor().submit(new Worker());
- assertEquals(auth, f.get());
-
- as.clear();
- f = Executors.newSingleThreadExecutor().submit(new Worker());
- assertNull(f.get());
- }
-
- @Test
- public void testAuthenticationCrudSpawnedThreadPool() throws InterruptedException,
- ExecutionException {
- AuthenticationService as = AuthenticationManager.instance();
- Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUser("Bob")
- .setUserId("1234").addRole("admin").addRole("guest").build()).build();
-
- as.set(auth);
- List<Future<Authentication>> fs = Executors.newFixedThreadPool(2).invokeAll(
- Arrays.asList(new Worker(), new Worker()));
- for (Future<Authentication> f : fs) {
- assertEquals(auth, f.get());
- }
-
- as.clear();
- fs = Executors.newFixedThreadPool(2).invokeAll(Arrays.asList(new Worker(), new Worker()));
- for (Future<Authentication> f : fs) {
- assertNull(f.get());
- }
- }
-
- @Test
- public void testUpdatedValid() throws ConfigurationException {
- Dictionary<String, String> props = new Hashtable<>();
- AuthenticationManager as = AuthenticationManager.instance();
-
- assertFalse(as.isAuthEnabled());
-
- props.put(AuthenticationManager.AUTH_ENABLED, "TrUe");
- as.updated(props);
- assertTrue(as.isAuthEnabled());
-
- props.put(AuthenticationManager.AUTH_ENABLED, "FaLsE");
- as.updated(props);
- assertFalse(as.isAuthEnabled());
- }
-
- @Test
- public void testUpdatedNullProperty() throws ConfigurationException {
- AuthenticationManager as = AuthenticationManager.instance();
-
- assertFalse(as.isAuthEnabled());
- as.updated(null);
- assertFalse(as.isAuthEnabled());
- }
-
- @Test(expected = ConfigurationException.class)
- public void testUpdatedInvalidValue() throws ConfigurationException {
- AuthenticationManager as = AuthenticationManager.instance();
- Dictionary<String, String> props = new Hashtable<>();
-
- props.put(AuthenticationManager.AUTH_ENABLED, "yes");
- as.updated(props);
- }
-
- @Test(expected = ConfigurationException.class)
- public void testUpdatedInvalidKey() throws ConfigurationException {
- AuthenticationManager as = AuthenticationManager.instance();
- Dictionary<String, String> props = new Hashtable<>();
-
- props.put("Invalid Key", "true");
- as.updated(props);
- }
-
- private class Worker implements Callable<Authentication> {
- @Override
- public Authentication call() throws Exception {
- AuthenticationService as = AuthenticationManager.instance();
- return as.get();
- }
- }
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/ClaimBuilderTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/ClaimBuilderTest.java
deleted file mode 100644
index 372eb6d2..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/ClaimBuilderTest.java
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotEquals;
-import static org.junit.Assert.assertTrue;
-
-import java.util.Arrays;
-import java.util.HashSet;
-import org.junit.Test;
-import org.opendaylight.aaa.api.Claim;
-
-/**
- *
- * @author liemmn
- *
- */
-public class ClaimBuilderTest {
- @Test
- public void testBuildWithAll() {
- Claim c1 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
- .setUserId("1234").addRole("foo").addRole("foo2")
- .addRoles(new HashSet<>(Arrays.asList("foo", "bar"))).build();
- assertEquals("dlux", c1.clientId());
- assertEquals("pepsi", c1.domain());
- assertEquals("john", c1.user());
- assertEquals("1234", c1.userId());
- assertTrue(c1.roles().contains("foo"));
- assertTrue(c1.roles().contains("foo2"));
- assertTrue(c1.roles().contains("bar"));
- assertEquals(3, c1.roles().size());
- Claim c2 = new ClaimBuilder(c1).build();
- assertEquals(c1, c2);
- }
-
- @Test
- public void testBuildWithRequired() {
- Claim c1 = new ClaimBuilder().setUser("john").setUserId("1234").addRole("foo").build();
- assertEquals("john", c1.user());
- assertEquals("1234", c1.userId());
- assertTrue(c1.roles().contains("foo"));
- assertEquals(1, c1.roles().size());
- assertEquals("", c1.domain());
- assertEquals("", c1.clientId());
- }
-
- @Test
- public void testBuildWithEmptyOptional() {
- Claim c1 = new ClaimBuilder().setDomain(" ").setClientId(" ").setUser("john")
- .setUserId("1234").addRole("foo").build();
- assertEquals("", c1.domain());
- assertEquals("", c1.clientId());
- assertEquals("john", c1.user());
- assertEquals("1234", c1.userId());
- assertTrue(c1.roles().contains("foo"));
- assertEquals(1, c1.roles().size());
- }
-
- @Test
- public void testBuildWithNullOptional() {
- Claim c1 = new ClaimBuilder().setDomain(null).setClientId(null).setUser("john")
- .setUserId("1234").addRole("foo").build();
- assertEquals("", c1.domain());
- assertEquals("", c1.clientId());
- assertEquals("john", c1.user());
- assertEquals("1234", c1.userId());
- assertTrue(c1.roles().contains("foo"));
- assertEquals(1, c1.roles().size());
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithDefault() {
- ClaimBuilder c1 = new ClaimBuilder();
- c1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithoutUser() {
- ClaimBuilder c1 = new ClaimBuilder().setUserId("1234").addRole("foo");
- c1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithNullUser() {
- ClaimBuilder c1 = new ClaimBuilder().setUser(null).setUserId("1234").addRole("foo");
- c1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithEmptyUser() {
- ClaimBuilder c1 = new ClaimBuilder().setUser(" ").setUserId("1234").addRole("foo");
- c1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithoutUserId() {
- ClaimBuilder c1 = new ClaimBuilder().setUser("john").addRole("foo");
- c1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithNullUserId() {
- ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId(null).addRole("foo");
- c1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithEmptyUserId() {
- ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId(" ").addRole("foo");
- c1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithoutRole() {
- ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId("1234");
- c1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithNullRole() {
- ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId("1234").addRole(null);
- c1.build();
- }
-
- @Test(expected = IllegalStateException.class)
- public void testBuildWithEmptyRole() {
- ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId("1234").addRole(" ");
- c1.build();
- }
-
- @Test
- public void testEquals() {
- Claim c1 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
- .setUserId("1234").addRole("foo").build();
- assertTrue(c1.equals(c1));
- Claim c2 = new ClaimBuilder(c1).addRole("foo").build();
- assertTrue(c1.equals(c2));
- assertTrue(c2.equals(c1));
- Claim c3 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
- .setUserId("1234").addRole("foo").build();
- assertTrue(c1.equals(c3));
- assertTrue(c3.equals(c2));
- assertTrue(c1.equals(c2));
- }
-
- @Test
- public void testNotEquals() {
- Claim c1 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
- .setUserId("1234").addRole("foo").build();
- assertFalse(c1.equals(null));
- assertFalse(c1.equals("wrong object"));
- Claim c2 = new ClaimBuilder(c1).addRoles(new HashSet<>(Arrays.asList("foo", "bar")))
- .build();
- assertEquals(2, c2.roles().size());
- assertFalse(c1.equals(c2));
- assertFalse(c2.equals(c1));
- Claim c3 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
- .setUserId("1234").addRole("foo").build();
- assertFalse(c1.equals(c2));
- assertTrue(c1.equals(c3));
- assertFalse(c2.equals(c3));
- Claim c5 = new ClaimBuilder().setUser("john").setUserId("1234").addRole("foo").build();
- assertFalse(c1.equals(c5));
- assertFalse(c5.equals(c1));
- }
-
- @Test
- public void testHash() {
- Claim c1 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
- .setUserId("1234").addRole("foo").build();
- assertEquals(c1.hashCode(), c1.hashCode());
- Claim c2 = new ClaimBuilder(c1).addRole("foo").build();
- assertTrue(c1.equals(c2));
- assertEquals(c1.hashCode(), c2.hashCode());
- Claim c3 = new ClaimBuilder(c1).addRoles(new HashSet<>(Arrays.asList("foo", "bar")))
- .build();
- assertFalse(c1.equals(c3));
- assertNotEquals(c1.hashCode(), c3.hashCode());
- Claim c4 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
- .setUserId("1234").addRole("foo").build();
- assertTrue(c1.equals(c4));
- assertEquals(c1.hashCode(), c4.hashCode());
- assertEquals(c2.hashCode(), c4.hashCode());
- Claim c5 = new ClaimBuilder().setUser("john").setUserId("1234").addRole("foo").build();
- assertFalse(c1.equals(c5));
- assertNotEquals(c1.hashCode(), c5.hashCode());
- }
-
- @Test
- public void testToString() {
- Claim c1 = new ClaimBuilder().setUser("john").setUserId("1234").addRole("foo").build();
- assertEquals("clientId:,userId:1234,userName:john,domain:,roles:[foo]", c1.toString());
- c1 = new ClaimBuilder(c1).setClientId("dlux").setDomain("pepsi").build();
- assertEquals("clientId:dlux,userId:1234,userName:john,domain:pepsi,roles:[foo]",
- c1.toString());
- c1 = new ClaimBuilder(c1).addRole("bar").build();
- assertEquals("clientId:dlux,userId:1234,userName:john,domain:pepsi,roles:[foo, bar]",
- c1.toString());
- }
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/ClientManagerTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/ClientManagerTest.java
deleted file mode 100644
index 059ba9a3..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/ClientManagerTest.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa;
-
-import static org.junit.Assert.fail;
-
-import java.util.Dictionary;
-import java.util.Hashtable;
-import org.junit.Before;
-import org.junit.Test;
-import org.opendaylight.aaa.api.AuthenticationException;
-import org.osgi.service.cm.ConfigurationException;
-
-/**
- *
- * @author liemmn
- *
- */
-public class ClientManagerTest {
- private static final ClientManager cm = new ClientManager();
-
- @Before
- public void setup() throws ConfigurationException {
- cm.init(null);
- }
-
- @Test
- public void testValidate() {
- cm.validate("dlux", "secrete");
- }
-
- @Test(expected = AuthenticationException.class)
- public void testFailValidate() {
- cm.validate("dlux", "what?");
- }
-
- @Test
- public void testUpdate() throws ConfigurationException {
- Dictionary<String, String> configs = new Hashtable<>();
- configs.put(ClientManager.CLIENTS, "aws:amazon dlux:xxx");
- cm.updated(configs);
- cm.validate("aws", "amazon");
- cm.validate("dlux", "xxx");
- }
-
- @Test
- public void testFailUpdate() {
- Dictionary<String, String> configs = new Hashtable<>();
- configs.put(ClientManager.CLIENTS, "aws:amazon dlux");
- try {
- cm.updated(configs);
- fail("Shoulda failed updating bad configuration");
- } catch (ConfigurationException ce) {
- // Expected
- }
- cm.validate("dlux", "secrete");
- try {
- cm.validate("aws", "amazon");
- fail("Shoulda failed updating bad configuration");
- } catch (AuthenticationException ae) {
- // Expected
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/PasswordCredentialTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/PasswordCredentialTest.java
deleted file mode 100644
index 2dabb77b..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/PasswordCredentialTest.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa;
-
-import static org.junit.Assert.assertEquals;
-
-import java.util.HashSet;
-import org.junit.Test;
-import org.opendaylight.aaa.api.PasswordCredentials;
-
-public class PasswordCredentialTest {
-
- @Test
- public void testBuilder() {
- PasswordCredentials pc1 = new PasswordCredentialBuilder().setUserName("bob")
- .setPassword("secrete").build();
- assertEquals("bob", pc1.username());
- assertEquals("secrete", pc1.password());
-
- PasswordCredentials pc2 = new PasswordCredentialBuilder().setUserName("bob")
- .setPassword("secrete").build();
- assertEquals(pc1, pc2);
-
- PasswordCredentials pc3 = new PasswordCredentialBuilder().setUserName("bob")
- .setPassword("secret").build();
- HashSet<PasswordCredentials> pcs = new HashSet<>();
- pcs.add(pc1);
- pcs.add(pc2);
- pcs.add(pc3);
- assertEquals(2, pcs.size());
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/SecureBlockingQueueTest.java b/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/SecureBlockingQueueTest.java
deleted file mode 100644
index 16627d9f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authn/src/test/java/org/opendaylight/aaa/SecureBlockingQueueTest.java
+++ /dev/null
@@ -1,191 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-
-import java.util.Arrays;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.concurrent.ArrayBlockingQueue;
-import java.util.concurrent.BlockingQueue;
-import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ThreadPoolExecutor;
-import java.util.concurrent.TimeUnit;
-import org.junit.Before;
-import org.junit.Test;
-import org.opendaylight.aaa.SecureBlockingQueue.SecureData;
-import org.opendaylight.aaa.api.Authentication;
-
-public class SecureBlockingQueueTest {
- private final int MAX_TASKS = 100;
-
- @Before
- public void setup() {
- AuthenticationManager.instance().clear();
- }
-
- @Test
- public void testSecureThreadPoolExecutor() throws InterruptedException, ExecutionException {
- BlockingQueue<Runnable> queue = new SecureBlockingQueue<>(
- new ArrayBlockingQueue<SecureData<Runnable>>(10));
- ThreadPoolExecutor executor = new ThreadPoolExecutor(5, 10, 500, TimeUnit.MILLISECONDS,
- queue);
- executor.prestartAllCoreThreads();
- for (int cnt = 1; cnt <= MAX_TASKS; cnt++) {
- assertEquals(Integer.toString(cnt),
- executor.submit(new Task(Integer.toString(cnt), "1111", "user")).get().user());
- }
- executor.shutdown();
- }
-
- @Test
- public void testNormalThreadPoolExecutor() throws InterruptedException, ExecutionException {
- BlockingQueue<Runnable> queue = new ArrayBlockingQueue<Runnable>(10);
- ThreadPoolExecutor executor = new ThreadPoolExecutor(5, 10, 500, TimeUnit.MILLISECONDS,
- queue);
- executor.prestartAllCoreThreads();
- for (int cnt = 1; cnt <= MAX_TASKS; cnt++) {
- assertNull(executor.submit(new Task(Integer.toString(cnt), "1111", "user")).get());
- }
- executor.shutdown();
- }
-
- @Test
- public void testQueueOps() throws InterruptedException, ExecutionException {
- BlockingQueue<String> queue = new SecureBlockingQueue<>(
- new ArrayBlockingQueue<SecureData<String>>(3));
- ExecutorService es = Executors.newFixedThreadPool(3);
- es.submit(new Producer("foo", "1111", "user", queue)).get();
- assertEquals(1, queue.size());
- assertEquals("foo", es.submit(new Consumer(queue)).get());
- es.submit(new Producer("bar", "2222", "user", queue)).get();
- assertEquals("bar", queue.peek());
- assertEquals("bar", queue.element());
- assertEquals(1, queue.size());
- assertEquals("bar", queue.poll());
- assertTrue(queue.isEmpty());
- es.shutdown();
- }
-
- @Test
- public void testCollectionOps() throws InterruptedException, ExecutionException {
- BlockingQueue<String> queue = new SecureBlockingQueue<>(
- new ArrayBlockingQueue<SecureData<String>>(6));
- for (int i = 1; i <= 3; i++)
- queue.add("User" + i);
- Iterator<String> it = queue.iterator();
- while (it.hasNext())
- assertTrue(it.next().startsWith("User"));
- assertEquals(3, queue.toArray().length);
- List<String> actual = Arrays.asList(queue.toArray(new String[0]));
- assertEquals("User1", actual.iterator().next());
- assertTrue(queue.containsAll(actual));
- queue.addAll(actual);
- assertEquals(6, queue.size());
- queue.retainAll(Arrays.asList(new String[] { "User2" }));
- assertEquals(2, queue.size());
- assertEquals("User2", queue.iterator().next());
- queue.removeAll(actual);
- assertTrue(queue.isEmpty());
- queue.add("hello");
- assertEquals(1, queue.size());
- queue.clear();
- assertTrue(queue.isEmpty());
- }
-
- @Test
- public void testBlockingQueueOps() throws InterruptedException {
- BlockingQueue<String> queue = new SecureBlockingQueue<>(
- new ArrayBlockingQueue<SecureData<String>>(3));
- queue.offer("foo");
- assertEquals(1, queue.size());
- queue.offer("bar", 500, TimeUnit.MILLISECONDS);
- assertEquals(2, queue.size());
- assertEquals("foo", queue.poll());
- assertTrue(queue.contains("bar"));
- queue.remove("bar");
- assertEquals(3, queue.remainingCapacity());
- queue.addAll(Arrays.asList(new String[] { "foo", "bar", "tom" }));
- assertEquals(3, queue.size());
- assertEquals("foo", queue.poll(500, TimeUnit.MILLISECONDS));
- assertEquals(2, queue.size());
- List<String> drain = new LinkedList<>();
- queue.drainTo(drain);
- assertTrue(queue.isEmpty());
- assertEquals(2, drain.size());
- queue.addAll(Arrays.asList(new String[] { "foo", "bar", "tom" }));
- drain.clear();
- queue.drainTo(drain, 1);
- assertEquals(2, queue.size());
- assertEquals(1, drain.size());
- }
-
- // Task to run in a ThreadPoolExecutor
- private class Task implements Callable<Authentication> {
- Task(String name, String userId, String role) {
- // Mock that each task has its original authentication context
- AuthenticationManager.instance().set(
- new AuthenticationBuilder(new ClaimBuilder().setUser(name).setUserId(userId)
- .addRole(role).build()).build());
- }
-
- @Override
- public Authentication call() throws Exception {
- return AuthenticationManager.instance().get();
- }
- }
-
- // Producer sets auth context
- private class Producer implements Callable<String> {
- private final String name;
- private final String userId;
- private final String role;
- private final BlockingQueue<String> queue;
-
- Producer(String name, String userId, String role, BlockingQueue<String> queue) {
- this.name = name;
- this.userId = userId;
- this.role = role;
- this.queue = queue;
- }
-
- @Override
- public String call() throws InterruptedException {
- AuthenticationManager.instance().set(
- new AuthenticationBuilder(new ClaimBuilder().setUser(name).setUserId(userId)
- .addRole(role).build()).build());
- queue.put(name);
- return name;
- }
- }
-
- // Consumer gets producer's auth context via data element in queue
- private class Consumer implements Callable<String> {
- private final BlockingQueue<String> queue;
-
- Consumer(BlockingQueue<String> queue) {
- this.queue = queue;
- }
-
- @Override
- public String call() {
- queue.remove();
- Authentication auth = AuthenticationManager.instance().get();
- return (auth == null) ? null : auth.user();
- }
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml
deleted file mode 100644
index 42237e41..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml
+++ /dev/null
@@ -1,43 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../../parent</relativePath>
- </parent>
-
- <artifactId>authz-service-config</artifactId>
- <description>AuthZ Service Configuration files </description>
- <packaging>jar</packaging>
- <build>
- <plugins>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>attach-artifacts</id>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/initial/${config.authz.service.configfile}</file>
- <type>xml</type>
- <classifier>config</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml
deleted file mode 100644
index 5b59ca20..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml
+++ /dev/null
@@ -1,60 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- vi: set et smarttab sw=4 tabstop=4: -->
-<!--
- Copyright (c) 2013 Cisco Systems, Inc. and others. All rights reserved.
-
- This program and the accompanying materials are made available under the
- terms of the Eclipse Public License v1.0 which accompanies this distribution,
- and is available at http://www.eclipse.org/legal/epl-v10.html
--->
-<snapshot>
- <configuration>
- <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
- <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
-
- <!-- defines an implementation module -->
- <module>
- <type xmlns:authz="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">authz:aaa-authz-service</type>
- <name>aaa-authz-service</name>
-
- <dom-broker>
- <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
- <name>dom-broker</name>
- </dom-broker>
-
- <data-broker>
- <type xmlns:binding="urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding">binding:binding-data-broker</type>
- <name>binding-data-broker</name>
- </data-broker>
-
- <policies xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">
- <service xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">RestConfService</service>
- <action xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">Any</action>
- <resource xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">*</resource>
- <role xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">admin</role>
- </policies>
-
- </module>
- </modules>
-
- <services xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
- <service>
- <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
- <instance>
- <name>authz-connector-default</name>
- <provider>
- /modules/module[type='aaa-authz-service'][name='aaa-authz-service']
- </provider>
- </instance>
- </service>
- </services>
-
- </data>
-
-
- </configuration>
- <required-capabilities>
- <capability>urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv?module=aaa-authz-service-impl&amp;revision=2014-07-01</capability>
- </required-capabilities>
-
-</snapshot>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml
deleted file mode 100644
index ee6108bd..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml
+++ /dev/null
@@ -1,95 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authz-model</artifactId>
- <name>${project.artifactId}</name>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>yang-binding</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal.model</groupId>
- <artifactId>ietf-inet-types</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal.model</groupId>
- <artifactId>ietf-yang-types</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal.model</groupId>
- <artifactId>yang-ext</artifactId>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-javadoc-plugin</artifactId>
- <configuration>
- <stylesheet>maven</stylesheet>
- </configuration>
- <executions>
- <execution>
- <goals>
- <goal>aggregate</goal>
- </goals>
- <phase>site</phase>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yang-maven-plugin</artifactId>
- <version>${yangtools.version}</version>
- <executions>
- <execution>
- <goals>
- <goal>generate-sources</goal>
- </goals>
- <configuration>
- <yangFilesRootDir>src/main/yang</yangFilesRootDir>
- <codeGenerators>
- <generator>
- <codeGeneratorClass>
- org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl
- </codeGeneratorClass>
- <outputBaseDir>${salGeneratorPath}</outputBaseDir>
- </generator>
- </codeGenerators>
- <inspectDependencies>true</inspectDependencies>
- </configuration>
- </execution>
- </executions>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>maven-sal-api-gen-plugin</artifactId>
- <version>${yangtools.version}</version>
- <type>jar</type>
- </dependency>
- </dependencies>
- </plugin>
- </plugins>
- </build>
- <packaging>bundle</packaging>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
deleted file mode 100644
index 2e0cf9cb..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
+++ /dev/null
@@ -1,190 +0,0 @@
-module authorization-schema {
- yang-version 1;
- namespace "urn:aaa:yang:authz:ds";
- prefix "authz";
- organization "TBD";
-
- contact "wdec@cisco.com";
-
- revision 2014-07-22 {
- description
- "Initial revision.";
- }
-
- //Main module begins
-
- //TODO: Refactor service type as URI
-
- //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly
- //the naming will derive from the OSGi bundle name of the AuthZ requesting party.
-
- typedef service-type {
- type string;
- }
-
- //Resource denotes the actual resource that is the subject of the AuthZ request.
-
- typedef resource-type {
- type string;
- default "*";
-
- //Examples of resources:
- //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1
- //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/*
- //RPC: /operations/example-ops:reboot
- //Wildcarded RPC: /operations/example-ops:*
- //Notification: /notifications/example-ops:startup
- }
-
- //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin"
-
- typedef role-type {
- type string;
- }
-
- //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com
-
- typedef domain-type {
- type string;
- }
-
- //Action denotes the requested AuthZ action on the resource
- //TODO: Refactor as identities to allow for augmentation.
-
- typedef action-type {
- type enumeration {
- enum put;
- enum commit;
- enum exists;
- enum getIdentifier;
- enum read;
- enum cancel;
- enum submit;
- enum delete;
- enum merge;
- enum any;
- }
- default "any";
- }
-
- typedef authorization-response-type {
- type enumeration {
- enum not-authorized { value 0; }
- enum authorized { value 1; }
- }
- }
-
- typedef authorization-duration-type {
- type uint32;
- }
-
- // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action.
- // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both?
-
- grouping authorization-grp {
- list policies {
- key "service";
- leaf service {
- type service-type;
- }
- leaf action {
- type action-type;
- }
- leaf resource {
- type resource-type;
- mandatory true;
- }
- leaf role {
- type role-type;
- mandatory true;
- }
- leaf authorization {
- type authorization-response-type;
- }
- }
- }
-
- // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action.
-
- container simple-authorization {
- uses authorization-grp;
- }
-
- // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain,
- // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain.
- // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com.
-
-
- container domain-authorization {
- list domains {
- key "domain-name";
- leaf domain-name {
- type domain-type;
- }
- uses authorization-grp;
- list authz-domain-chain {
- key "priority";
- leaf priority {
- type uint32;
- }
- leaf domain-name {
- type leafref {
- path "/additional-domain-authz/domains/domain-name";
- }
- }
- }
- }
-}
-
-container additional-domain-authz {
- list domains {
- key "domain-name";
- leaf domain-name {
- type domain-type;
- }
- uses authorization-grp;
- }
- }
-
-
-
- /* The following is the AuthZ RPC definition */
-
- rpc req-authorization {
- description
- "Check Authorization for a given combination of action and role.
- A not-authorized will be returned if unsuccessful.";
-
- input {
- leaf domain-name {
- type domain-type;
- }
- leaf service {
- type service-type;
- }
- leaf action {
- type action-type;
- mandatory true;
- }
-
- leaf resource {
- type resource-type;
- mandatory true;
- }
- leaf role {
- type role-type;
- mandatory true;
- }
-
- }
-
- output {
-
- leaf authorization-response {
- type authorization-response-type;
- mandatory true;
- }
-
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml
deleted file mode 100644
index 6104be4b..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml
+++ /dev/null
@@ -1,43 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../../parent</relativePath>
- </parent>
-
- <artifactId>authz-restconf-config</artifactId>
-
- <description>AuthZ Restconf Connector Configuration file </description>
- <packaging>jar</packaging>
- <build>
- <plugins>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>attach-artifacts</id>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/initial/${config.restconf.configfile}</file>
- <type>xml</type>
- <classifier>config</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml
deleted file mode 100644
index deba6558..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml
+++ /dev/null
@@ -1,42 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
-
-This program and the accompanying materials are made available under the
-terms of the Eclipse Public License v1.0 which accompanies this distribution,
-and is available at http://www.eclipse.org/legal/epl-v10.html
--->
-<snapshot>
- <configuration>
- <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
- <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
-
- <module>
- <type xmlns:rest="urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector">rest:rest-connector-impl</type>
- <name>rest-connector-default-impl</name>
- <websocket-port>8185</websocket-port>
- <dom-broker>
- <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
- <name>authz-connector-default</name>
- </dom-broker>
- </module>
- </modules>
-
- <services xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
- <service>
- <type xmlns:rest="urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector">rest:rest-connector</type>
- <instance>
- <name>rest-connector-default</name>
- <provider>
- /modules/module[type='rest-connector-impl'][name='rest-connector-default-impl']
- </provider>
- </instance>
- </service>
- </services>
-
- </data>
- </configuration>
- <required-capabilities>
- <capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector?module=opendaylight-rest-connector&amp;revision=2014-07-24</capability>
- </required-capabilities>
-</snapshot>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml
deleted file mode 100644
index 2c150ce7..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml
+++ /dev/null
@@ -1,152 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- ~ Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- ~ ~ This program and the accompanying materials are made available under
- the ~ terms of the Eclipse Public License v1.0 which accompanies this distribution,
- ~ and is available at http://www.eclipse.org/legal/epl-v10.html -->
-
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../../parent</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
-
- <artifactId>aaa-authz-service</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-util</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-common-util</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yang-data-api</artifactId>
- </dependency>
- <dependency>
- <groupId>commons-codec</groupId>
- <artifactId>commons-codec</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>config-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-config</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authz-model</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-core-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-core-spi</artifactId>
- </dependency>
- <dependency>
- <groupId>org.jboss.resteasy</groupId>
- <artifactId>jaxrs-api</artifactId>
- <scope>provided</scope>
- </dependency>
-
- <!-- Test dependencies -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
-
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <!-- <Bundle-Activator>org.opendaylight.aaa.authz.srv.AuthzProvider</Bundle-Activator> -->
- <Export-Package>org.opendaylight.aaa.config.yang.aaa_srv,</Export-Package>
- </instructions>
- </configuration>
- <!-- <configuration> <Export-Package> </Export-Package> </configuration> -->
- </plugin>
- <plugin>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yang-maven-plugin</artifactId>
- <version>${yangtools.version}</version>
- <executions>
- <execution>
- <id>config</id>
- <goals>
- <goal>generate-sources</goal>
- </goals>
- <configuration>
- <codeGenerators>
- <generator>
- <codeGeneratorClass>
- org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
- </codeGeneratorClass>
- <outputBaseDir>${jmxGeneratorPath}</outputBaseDir>
- <additionalConfiguration>
- <namespaceToPackage1>
- urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang
- </namespaceToPackage1>
- </additionalConfiguration>
- </generator>
- <generator>
- <codeGeneratorClass>org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl</codeGeneratorClass>
- <outputBaseDir>${salGeneratorPath}</outputBaseDir>
- </generator>
- </codeGenerators>
- <inspectDependencies>true</inspectDependencies>
- </configuration>
- </execution>
- </executions>
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>yang-jmx-generator-plugin</artifactId>
- <version>${config.version}</version>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>maven-sal-api-gen-plugin</artifactId>
- <version>${yangtools.version}</version>
- </dependency>
- </dependencies>
- </plugin>
- </plugins>
- </build>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java
deleted file mode 100644
index d4ac79af..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authz.srv;
-
-import java.util.Collection;
-
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
-import org.opendaylight.controller.sal.core.api.Broker;
-import org.opendaylight.controller.sal.core.api.Consumer;
-import org.opendaylight.controller.sal.core.api.Provider;
-import org.osgi.framework.BundleContext;
-
-/**
- * Created by wdec on 26/08/2014.
- */
-public class AuthzBrokerImpl implements Broker, AutoCloseable, Provider {
-
- private Broker broker;
- private ProviderSession providerSession;
- private AuthenticationService authenticationService;
-
- public void setBroker(Broker broker) {
- this.broker = broker;
- }
-
- @Override
- public void close() throws Exception {
-
- }
-
- // Implements AuthzBroker handling of registering consumers or providers.
- @Override
- public ConsumerSession registerConsumer(Consumer consumer) {
-
- ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer));
- AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession,
- this);
- consumer.onSessionInitiated(authzConsumerContext);
- return authzConsumerContext;
- }
-
- @Override
- public ConsumerSession registerConsumer(Consumer consumer, BundleContext bundleContext) {
-
- ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer),
- bundleContext);
- AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession,
- this);
- consumer.onSessionInitiated(authzConsumerContext);
- return authzConsumerContext;
- }
-
- @Override
- public ProviderSession registerProvider(Provider provider) {
-
- ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider));
- AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession,
- this);
- provider.onSessionInitiated(authzProviderContext);
- return authzProviderContext;
- }
-
- @Override
- public ProviderSession registerProvider(Provider provider, BundleContext bundleContext) {
-
- // Allow the real broker to do its thing, while providing a wrapped
- // callback
- ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider),
- bundleContext);
-
- // Create Authz ProviderContext
- AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession,
- this);
-
- // Run onsessionInitiated on injected provider with the AuthZ provider
- // context.
- provider.onSessionInitiated(authzProviderContext);
- return authzProviderContext;
-
- }
-
- // Handle the AuthZBroker registration with the real broker
- @Override
- public void onSessionInitiated(ProviderSession providerSession) {
-
- // Get now the real DOMDataBroker and register it with the
- // AuthzDOMBroker together with the provider session
- final DOMDataBroker domDataBroker = providerSession.getService(DOMDataBroker.class);
- AuthzDomDataBroker.getInstance().setProviderSession(providerSession);
- AuthzDomDataBroker.getInstance().setDomDataBroker(domDataBroker);
- AuthzDomDataBroker.getInstance().setAuthService(this.authenticationService);
- }
-
- @Override
- public Collection<ProviderFunctionality> getProviderFunctionality() {
- return null;
- }
-
- public void setAuthenticationService(AuthenticationService authenticationService) {
- this.authenticationService = authenticationService;
- }
-
- // Wrapper for Provider
-
- public static class ProviderWrapper implements Provider {
- private final Provider provider;
-
- public ProviderWrapper(Provider provider) {
- this.provider = provider;
- }
-
- @Override
- public void onSessionInitiated(ProviderSession providerSession) {
- // Do a Noop when the real broker calls back
- }
-
- @Override
- public Collection<ProviderFunctionality> getProviderFunctionality() {
- // Allow the RestconfImpl to respond to this
- return provider.getProviderFunctionality();
- }
- }
-
- // Wrapper for Consumer
- public static class ConsumerWrapper implements Consumer {
-
- private final Consumer consumer;
-
- public ConsumerWrapper(Consumer consumer) {
- this.consumer = consumer;
- }
-
- @Override
- public void onSessionInitiated(ConsumerSession consumerSession) {
- // Do a Noop when the real broker calls back
- }
-
- @Override
- public Collection<ConsumerFunctionality> getConsumerFunctionality() {
- return consumer.getConsumerFunctionality();
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java
deleted file mode 100644
index 07ba51cd..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authz.srv;
-
-import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
-import org.opendaylight.controller.sal.core.api.Broker;
-import org.opendaylight.controller.sal.core.api.Broker.ConsumerSession;
-import org.opendaylight.controller.sal.core.api.BrokerService;
-import org.opendaylight.controller.sal.core.spi.ForwardingConsumerSession;
-
-/**
- * Created by wdec on 28/08/2014.
- */
-public class AuthzConsumerContextImpl extends ForwardingConsumerSession {
-
- private final Broker.ConsumerSession realSession;
-
- public AuthzConsumerContextImpl(Broker.ConsumerSession realSession, AuthzBrokerImpl authzBroker) {
- this.realSession = realSession;
- }
-
- @Override
- protected ConsumerSession delegate() {
- return realSession;
- }
-
- @Override
- public <T extends BrokerService> T getService(Class<T> tClass) {
- T t;
- // Check for class and return Authz broker only for DOMBroker
- if (tClass == DOMDataBroker.class) {
- t = (T) AuthzDomDataBroker.getInstance();
- } else {
- t = realSession.getService(tClass);
- }
- // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t);
- return t;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java
deleted file mode 100644
index 4cc232bc..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authz.srv;
-
-import com.google.common.base.Optional;
-import com.google.common.util.concurrent.CheckedFuture;
-import com.google.common.util.concurrent.Futures;
-import com.google.common.util.concurrent.ListenableFuture;
-
-import org.opendaylight.controller.md.sal.common.api.TransactionStatus;
-import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
-import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
-import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType;
-import org.opendaylight.yangtools.yang.common.RpcResult;
-import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
-import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode;
-
-/**
- * Created by wdec on 26/08/2014.
- */
-public class AuthzDataReadWriteTransaction implements DOMDataReadWriteTransaction {
-
- private final DOMDataReadWriteTransaction domDataReadWriteTransaction;
-
- public AuthzDataReadWriteTransaction(DOMDataReadWriteTransaction domDataReadWriteTransaction) {
- this.domDataReadWriteTransaction = domDataReadWriteTransaction;
- }
-
- @Override
- public boolean cancel() {
- if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) {
- return domDataReadWriteTransaction.cancel();
- }
- return false;
- }
-
- @Override
- public void delete(LogicalDatastoreType logicalDatastoreType,
- YangInstanceIdentifier yangInstanceIdentifier) {
-
- if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
- ActionType.Delete)) {
- domDataReadWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier);
- }
- }
-
- @Override
- public CheckedFuture<Void, TransactionCommitFailedException> submit() {
- if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) {
- return domDataReadWriteTransaction.submit();
- }
- TransactionCommitFailedException e = new TransactionCommitFailedException(
- "Unauthorized User");
- return Futures.immediateFailedCheckedFuture(e);
- }
-
- @Deprecated
- @Override
- public ListenableFuture<RpcResult<TransactionStatus>> commit() {
- if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) {
- return domDataReadWriteTransaction.commit();
- }
- TransactionCommitFailedException e = new TransactionCommitFailedException(
- "Unauthorized User");
- return Futures.immediateFailedCheckedFuture(e);
- }
-
- @Override
- public CheckedFuture<Optional<NormalizedNode<?, ?>>, ReadFailedException> read(
- LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
-
- if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
- ActionType.Read)) {
- return domDataReadWriteTransaction.read(logicalDatastoreType, yangInstanceIdentifier);
- }
- ReadFailedException e = new ReadFailedException("Authorization Failed");
- return Futures.immediateFailedCheckedFuture(e);
- }
-
- @Override
- public CheckedFuture<Boolean, ReadFailedException> exists(
- LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
-
- if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
- ActionType.Exists)) {
- return domDataReadWriteTransaction.exists(logicalDatastoreType, yangInstanceIdentifier);
- }
- ReadFailedException e = new ReadFailedException("Authorization Failed");
- return Futures.immediateFailedCheckedFuture(e);
- }
-
- @Override
- public void put(LogicalDatastoreType logicalDatastoreType,
- YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) {
-
- if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
- ActionType.Put)) {
- domDataReadWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier,
- normalizedNode);
- }
- }
-
- @Override
- public void merge(LogicalDatastoreType logicalDatastoreType,
- YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) {
-
- if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
- ActionType.Merge)) {
- domDataReadWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier,
- normalizedNode);
- }
- }
-
- @Override
- public Object getIdentifier() {
- if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) {
- return domDataReadWriteTransaction.getIdentifier();
- }
- return null;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java
deleted file mode 100644
index 911f5a48..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authz.srv;
-
-import java.util.Map;
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
-import org.opendaylight.controller.md.sal.common.api.data.TransactionChainListener;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataBrokerExtension;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataChangeListener;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction;
-import org.opendaylight.controller.md.sal.dom.api.DOMTransactionChain;
-import org.opendaylight.controller.sal.core.api.Broker;
-import org.opendaylight.controller.sal.core.api.BrokerService;
-import org.opendaylight.yangtools.concepts.ListenerRegistration;
-import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
-
-/**
- * Created by wdec on 26/08/2014.
- */
-public class AuthzDomDataBroker implements BrokerService, DOMDataBroker {
-
- private DOMDataBroker domDataBroker;
- private Broker.ProviderSession providerSession;
-
- private volatile AuthenticationService authService;
-
- final static AuthzDomDataBroker INSTANCE = new AuthzDomDataBroker();
-
- public static AuthzDomDataBroker getInstance() {
- return INSTANCE;
- }
-
- public void setDomDataBroker(DOMDataBroker domDataBroker) {
- this.domDataBroker = domDataBroker;
- }
-
- public void setProviderSession(Broker.ProviderSession providerSession) {
- this.providerSession = providerSession;
- }
-
- public void setAuthService(AuthenticationService authService) {
- this.authService = authService;
- }
-
- public AuthenticationService getAuthService() {
- return this.authService;
- }
-
- @Override
- public DOMDataReadOnlyTransaction newReadOnlyTransaction() {
- // new Authz transaction + inject real DOM Transaction
- DOMDataReadOnlyTransaction ro = domDataBroker.newReadOnlyTransaction();
-
- // return domDataBroker.newReadOnlyTransaction(); //Return original
- return new AuthzReadOnlyTransaction(ro);
- }
-
- @Override
- public Map<Class<? extends DOMDataBrokerExtension>, DOMDataBrokerExtension> getSupportedExtensions() {
- return domDataBroker.getSupportedExtensions();
- }
-
- @Override
- public DOMDataReadWriteTransaction newReadWriteTransaction() {
- // return new Authz transaction + inject real DOM Transaction
- DOMDataReadWriteTransaction rw = domDataBroker.newReadWriteTransaction();
- return new AuthzDataReadWriteTransaction(rw);
- }
-
- @Override
- public DOMDataWriteTransaction newWriteOnlyTransaction() {
- DOMDataWriteTransaction wo = domDataBroker.newWriteOnlyTransaction();
- return new AuthzWriteOnlyTransaction(wo);
- }
-
- @Override
- public ListenerRegistration<DOMDataChangeListener> registerDataChangeListener(
- LogicalDatastoreType logicalDatastoreType,
- YangInstanceIdentifier yangInstanceIdentifier,
- DOMDataChangeListener domDataChangeListener, DataChangeScope dataChangeScope) {
- return domDataBroker.registerDataChangeListener(logicalDatastoreType,
- yangInstanceIdentifier, domDataChangeListener, dataChangeScope);
- }
-
- @Override
- public DOMTransactionChain createTransactionChain(
- TransactionChainListener transactionChainListener) {
- return domDataBroker.createTransactionChain(transactionChainListener);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java
deleted file mode 100644
index dbfea6ed..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authz.srv;
-
-import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
-import org.opendaylight.controller.sal.core.api.Broker;
-import org.opendaylight.controller.sal.core.api.Broker.ProviderSession;
-import org.opendaylight.controller.sal.core.api.BrokerService;
-import org.opendaylight.controller.sal.core.spi.ForwardingProviderSession;
-
-/**
- * Created by wdec on 28/08/2014.
- */
-public class AuthzProviderContextImpl extends ForwardingProviderSession {
-
- private final Broker.ProviderSession realSession;
-
- public AuthzProviderContextImpl(Broker.ProviderSession providerSession,
- AuthzBrokerImpl authzBroker) {
- this.realSession = providerSession;
- }
-
- @Override
- protected ProviderSession delegate() {
- // TODO Auto-generated method stub
- return realSession;
- }
-
- @Override
- public <T extends BrokerService> T getService(Class<T> tClass) {
- T t;
- // Check for class and return Authz broker only for DOMBroker
- if (tClass == DOMDataBroker.class) {
- t = (T) AuthzDomDataBroker.getInstance();
- } else {
- t = realSession.getService(tClass);
- }
- // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t);
- return t;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java
deleted file mode 100644
index c46ffe7c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authz.srv;
-
-import com.google.common.base.Optional;
-import com.google.common.util.concurrent.CheckedFuture;
-import com.google.common.util.concurrent.Futures;
-
-import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
-import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType;
-import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
-import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode;
-
-/**
- * Created by wdec on 28/08/2014.
- */
-
-public class AuthzReadOnlyTransaction implements DOMDataReadOnlyTransaction {
-
- private final DOMDataReadOnlyTransaction ro;
-
- public AuthzReadOnlyTransaction(DOMDataReadOnlyTransaction ro) {
- this.ro = ro;
- }
-
- @Override
- public void close() {
- ro.close();
- }
-
- @Override
- public CheckedFuture<Optional<NormalizedNode<?, ?>>, ReadFailedException> read(
- LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
-
- if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
- ActionType.Read)) {
- return ro.read(logicalDatastoreType, yangInstanceIdentifier);
- }
- ReadFailedException e = new ReadFailedException("Authorization Failed");
- return Futures.immediateFailedCheckedFuture(e);
- }
-
- @Override
- public CheckedFuture<Boolean, ReadFailedException> exists(
- LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
-
- if (AuthzServiceImpl.isAuthorized(ActionType.Exists)) {
- return ro.exists(logicalDatastoreType, yangInstanceIdentifier);
- }
- ReadFailedException e = new ReadFailedException("Authorization Failed");
- return Futures.immediateFailedCheckedFuture(e);
- }
-
- @Override
- public Object getIdentifier() {
- if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) {
- return ro.getIdentifier();
- }
- return null;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java
deleted file mode 100644
index fb344812..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authz.srv;
-
-import java.util.List;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.opendaylight.controller.config.yang.config.aaa_authz.srv.Policies;
-import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.AuthorizationResponseType;
-import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
-
-/**
- * @author lmukkama Date: 9/2/14
- */
-public class AuthzServiceImpl {
-
- private static List<Policies> listPolicies;
-
- private static final String WILDCARD_TOKEN = "*";
-
- public static boolean isAuthorized(LogicalDatastoreType logicalDatastoreType,
- YangInstanceIdentifier yangInstanceIdentifier, ActionType actionType) {
-
- AuthorizationResponseType authorizationResponseType = AuthzServiceImpl.reqAuthorization(
- actionType, logicalDatastoreType, yangInstanceIdentifier);
- return authorizationResponseType.equals(AuthorizationResponseType.Authorized);
- }
-
- public static boolean isAuthorized(ActionType actionType) {
- AuthorizationResponseType authorizationResponseType = AuthzServiceImpl
- .reqAuthorization(actionType);
- return authorizationResponseType.equals(AuthorizationResponseType.Authorized);
- }
-
- public static void setPolicies(List<Policies> policies) {
-
- AuthzServiceImpl.listPolicies = policies;
- }
-
- public static AuthorizationResponseType reqAuthorization(ActionType actionType) {
-
- AuthenticationService authenticationService = AuthzDomDataBroker.getInstance()
- .getAuthService();
- if (authenticationService != null && AuthzServiceImpl.listPolicies != null
- && AuthzServiceImpl.listPolicies.size() > 0) {
- Authentication authentication = authenticationService.get();
- if (authentication != null && authentication.roles() != null
- && authentication.roles().size() > 0) {
- return checkAuthorization(actionType, authentication);
- }
- }
- return AuthorizationResponseType.NotAuthorized;
- }
-
- public static AuthorizationResponseType reqAuthorization(ActionType actionType,
- LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
-
- AuthenticationService authenticationService = AuthzDomDataBroker.getInstance()
- .getAuthService();
-
- if (authenticationService != null && AuthzServiceImpl.listPolicies != null
- && AuthzServiceImpl.listPolicies.size() > 0) {
- // Authentication Service exists. Can do authorization checks
- Authentication authentication = authenticationService.get();
-
- if (authentication != null && authentication.roles() != null
- && authentication.roles().size() > 0) {
- // Authentication claim object exists with atleast one role
- return checkAuthorization(actionType, authentication, logicalDatastoreType,
- yangInstanceIdentifier);
- }
- }
-
- return AuthorizationResponseType.Authorized;
- }
-
- private static AuthorizationResponseType checkAuthorization(ActionType actionType,
- Authentication authentication, LogicalDatastoreType logicalDatastoreType,
- YangInstanceIdentifier yangInstanceIdentifier) {
-
- for (Policies policy : AuthzServiceImpl.listPolicies) {
-
- // Action type is compared as string, since its type is string in
- // the config yang. Comparison is case insensitive
- if (authentication.roles().contains(policy.getRole().getValue())
- && (policy.getResource().getValue().equals(WILDCARD_TOKEN) || policy
- .getResource().getValue().equals(yangInstanceIdentifier.toString()))
- && (policy.getAction().toLowerCase()
- .equals(ActionType.Any.name().toLowerCase()) || actionType.name()
- .toLowerCase().equals(policy.getAction().toLowerCase()))) {
-
- return AuthorizationResponseType.Authorized;
- }
-
- }
-
- // For helium release we unauthorize other requests.
- return AuthorizationResponseType.NotAuthorized;
- }
-
- private static AuthorizationResponseType checkAuthorization(ActionType actionType,
- Authentication authentication) {
-
- for (Policies policy : AuthzServiceImpl.listPolicies) {
- if (authentication.roles().contains(policy.getRole().getValue())
- && (policy.getAction().equalsIgnoreCase(ActionType.Any.name()) || policy
- .getAction().equalsIgnoreCase(actionType.name()))) {
- return AuthorizationResponseType.Authorized;
- }
- }
- return AuthorizationResponseType.NotAuthorized;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java
deleted file mode 100644
index 1123b928..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authz.srv;
-
-import com.google.common.util.concurrent.CheckedFuture;
-import com.google.common.util.concurrent.Futures;
-import com.google.common.util.concurrent.ListenableFuture;
-
-import org.opendaylight.controller.md.sal.common.api.TransactionStatus;
-import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
-import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction;
-import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType;
-import org.opendaylight.yangtools.yang.common.RpcResult;
-import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
-import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode;
-
-/**
- * Created by wdec on 02/09/2014.
- */
-public class AuthzWriteOnlyTransaction implements DOMDataWriteTransaction {
-
- private final DOMDataWriteTransaction domDataWriteTransaction;
-
- public AuthzWriteOnlyTransaction(DOMDataWriteTransaction wo) {
- this.domDataWriteTransaction = wo;
- }
-
- @Override
- public void put(LogicalDatastoreType logicalDatastoreType,
- YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) {
-
- if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
- ActionType.Put)) {
- domDataWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier,
- normalizedNode);
- }
- }
-
- @Override
- public void merge(LogicalDatastoreType logicalDatastoreType,
- YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) {
-
- if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
- ActionType.Merge)) {
- domDataWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier,
- normalizedNode);
- }
- }
-
- @Override
- public boolean cancel() {
- if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) {
- return domDataWriteTransaction.cancel();
- }
- return false;
- }
-
- @Override
- public void delete(LogicalDatastoreType logicalDatastoreType,
- YangInstanceIdentifier yangInstanceIdentifier) {
-
- if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
- ActionType.Delete)) {
- domDataWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier);
- }
- }
-
- @Override
- public CheckedFuture<Void, TransactionCommitFailedException> submit() {
- if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) {
- return domDataWriteTransaction.submit();
- }
- TransactionCommitFailedException e = new TransactionCommitFailedException(
- "Unauthorized User");
- return Futures.immediateFailedCheckedFuture(e);
- }
-
- @Deprecated
- @Override
- public ListenableFuture<RpcResult<TransactionStatus>> commit() {
- if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) {
- return domDataWriteTransaction.commit();
- }
- TransactionCommitFailedException e = new TransactionCommitFailedException(
- "Unauthorized User");
- return Futures.immediateFailedCheckedFuture(e);
- }
-
- @Override
- public Object getIdentifier() {
- if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) {
- return domDataWriteTransaction.getIdentifier();
- }
- return null;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java
deleted file mode 100644
index a590b982..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.controller.config.yang.config.aaa_authz.srv;
-
-import org.opendaylight.aaa.api.AuthenticationService;
-import org.opendaylight.aaa.authz.srv.AuthzBrokerImpl;
-import org.opendaylight.aaa.authz.srv.AuthzServiceImpl;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.ServiceReference;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class AuthzSrvModule extends
- org.opendaylight.controller.config.yang.config.aaa_authz.srv.AbstractAuthzSrvModule {
- private static final Logger LOG = LoggerFactory.getLogger(AuthzSrvModule.class);
- private static boolean simple_config_switch;
- private BundleContext bundleContext;
-
- public AuthzSrvModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier,
- org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) {
- super(identifier, dependencyResolver);
- }
-
- public AuthzSrvModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier,
- org.opendaylight.controller.config.api.DependencyResolver dependencyResolver,
- org.opendaylight.controller.config.yang.config.aaa_authz.srv.AuthzSrvModule oldModule,
- java.lang.AutoCloseable oldInstance) {
- super(identifier, dependencyResolver, oldModule, oldInstance);
- }
-
- @Override
- public void customValidation() {
- // checkNotNull(getDomBroker(), domBrokerJmxAttribute);
- }
-
- @Override
- public java.lang.AutoCloseable createInstance() {
-
- // Get new AuthZ Broker
- final AuthzBrokerImpl authzBrokerImpl = new AuthzBrokerImpl();
-
- // Provide real broker to the new Authz broker
- authzBrokerImpl.setBroker(getDomBrokerDependency());
-
- // Get AuthN service reference and register it with the authzBroker
- ServiceReference<AuthenticationService> authServiceReference = bundleContext
- .getServiceReference(AuthenticationService.class);
- AuthenticationService as = bundleContext.getService(authServiceReference);
- authzBrokerImpl.setAuthenticationService(as);
-
- // Set the policies list to authz serviceimpl
- AuthzServiceImpl.setPolicies(getPolicies());
-
- // Register AuthZ broker with the real Broker as a provider; triggers
- // "onSessionInitiated" in AuthzBrokerImpl
- getDomBrokerDependency().registerProvider(authzBrokerImpl);
- // TODO ActionType is of type string, not ENUM due to improper
- // serialization of ENUMs by config/netconf subsystem. This needs to be
- // fixed as soon as config/netconf fixes the problem.
- getAction();
-
- LOG.info("AuthZ Service Initialized from Config subsystem");
- return authzBrokerImpl;
-
- }
-
- public void setBundleContext(BundleContext bundleContext) {
- this.bundleContext = bundleContext;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java
deleted file mode 100644
index 3ff67f54..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-/*
- * Generated file
- *
- * Generated from: yang module name: aaa-authz-service-impl yang module local name: aaa-authz-service
- * Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
- * Generated at: Thu Jul 24 11:19:40 CEST 2014
- *
- * Do not modify this file unless it is present under src/main directory
- */
-package org.opendaylight.controller.config.yang.config.aaa_authz.srv;
-
-import org.opendaylight.controller.config.api.DependencyResolver;
-import org.opendaylight.controller.config.api.DynamicMBeanWithInstance;
-import org.opendaylight.controller.config.spi.Module;
-import org.osgi.framework.BundleContext;
-
-public class AuthzSrvModuleFactory extends
- org.opendaylight.controller.config.yang.config.aaa_authz.srv.AbstractAuthzSrvModuleFactory {
-
- @Override
- public org.opendaylight.controller.config.spi.Module createModule(String instanceName,
- org.opendaylight.controller.config.api.DependencyResolver dependencyResolver,
- org.osgi.framework.BundleContext bundleContext) {
-
- final AuthzSrvModule module = (AuthzSrvModule) super.createModule(instanceName,
- dependencyResolver, bundleContext);
-
- module.setBundleContext(bundleContext);
-
- return module;
-
- }
-
- @Override
- public Module createModule(final String instanceName,
- final DependencyResolver dependencyResolver, final DynamicMBeanWithInstance old,
- final BundleContext bundleContext) throws Exception {
- final AuthzSrvModule module = (AuthzSrvModule) super.createModule(instanceName,
- dependencyResolver, old, bundleContext);
-
- module.setBundleContext(bundleContext);
-
- return module;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang
deleted file mode 100644
index 954d0480..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang
+++ /dev/null
@@ -1,115 +0,0 @@
-module aaa-authz-service-impl {
-
- yang-version 1;
- namespace "urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv";
- prefix "aaa-authz-srv-impl";
-
- import config { prefix config; revision-date 2013-04-05; }
- import rpc-context { prefix rpcx; revision-date 2013-06-17; }
- import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; }
- import opendaylight-md-sal-dom {prefix dom;}
- import authorization-schema { prefix authzs; revision-date 2014-07-22; }
- import ietf-inet-types {prefix inet; revision-date 2010-09-24;}
-
- description
- "This module contains the base YANG definitions for
- AuthZ implementation.";
-
- revision "2014-07-01" {
- description
- "Initial revision.";
- }
-
-
- // This is the definition of the service implementation as a module identity.
- identity aaa-authz-service {
- base config:module-type;
- // Specifies the prefix for generated java classes.
- config:java-name-prefix AuthzSrv;
- config:provided-service dom:dom-broker-osgi-registry;
- }
-
- // Augments the 'configuration' choice node under modules/module.
-
- augment "/config:modules/config:module/config:configuration" {
- case aaa-authz-service {
- when "/config:modules/config:module/config:type = 'aaa-authz-service'";
-
-//Defines reference to the intended broker under the AuthZ broker
-
- container dom-broker {
- uses config:service-ref {
- refine type {
- mandatory true;
- config:required-identity dom:dom-broker-osgi-registry;
- }
- }
- }
-
- container data-broker {
- uses config:service-ref {
- refine type {
- mandatory true;
- config:required-identity mdsal:binding-data-broker;
-
- }
- }
- }
-
-//Simple Authz data leafs:
-
- leaf authz-role {
- type string;
- }
- leaf service {
- type authzs:service-type;
- }
-
- // ENUMs cannot be used right now (config subsystem + netconf cannot properly serialize enums), using strings instead
- // In the generated module use Enum.valueOf from that string.
- // Expected values are following strnigs: create, read, update, delete, execute, subscribe, any;
- leaf action {
- type string;
- description "String representation of enum authzs:action-type expecting following values create, read, update, delete, execute, subscribe, any";
- //type authzs:action-type;
-
- }
- leaf resource {
- type authzs:resource-type;
-
- }
- leaf role {
- type authzs:role-type;
- }
-
-
-
- //TODO: Check why uses below doesn't make the outer list be part of the source name-space in yang code generator.
- //uses authzs:authorization-grp;
- list policies {
- key "service";
- leaf service {
- type authzs:service-type;
- }
- // Grouping uses ENUMs and enums are not correctly serialized in Config + Netconf
- // Same as with action one level ip
- leaf action {
- type string;
- description "String representation of enum authzs:action-type expecting following values create, read, update, delete, execute, subscribe, any";
- //type authzs:action-type;
- }
- leaf resource {
- type authzs:resource-type;
-
- }
- leaf role {
- type authzs:role-type;
-
- }
- }
-
-
- }
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java b/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java
deleted file mode 100644
index fb033341..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.authz.srv;
-
-import org.junit.Assert;
-import org.junit.Before;
-import org.mockito.Mockito;
-import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
-import org.opendaylight.controller.sal.core.api.Broker;
-import org.opendaylight.controller.sal.core.api.Provider;
-
-public class AuthzConsumerContextImplTest {
-
- private Broker.ConsumerSession realconsumercontext;
- private Provider realprovidercontext;
- private AuthzBrokerImpl authzBroker;
- private Broker realbroker;
-
- @Before
- public void beforeTest() {
- realconsumercontext = Mockito.mock(Broker.ConsumerSession.class);
- realprovidercontext = Mockito.mock(Provider.class);
- realbroker = Mockito.mock(Broker.class);
- realbroker.registerProvider(realprovidercontext);
- authzBroker = Mockito.mock(AuthzBrokerImpl.class);
- }
-
- @org.junit.Test
- public void testGetService() throws Exception {
- AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(
- realconsumercontext, authzBroker);
-
- Assert.assertEquals("Expected Authz session context",
- authzConsumerContext.getService(DOMDataBroker.class).getClass(),
- AuthzDomDataBroker.class);
- // Assert.assertEquals("Expected Authz session context",
- // authzConsumerContext.getService(SchemaService.class).getClass(),
- // SchemaService.class);
- }
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-authz/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-authz/pom.xml
deleted file mode 100644
index a5e37680..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-authz/pom.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authz</artifactId>
- <name>${project.artifactId}</name>
- <packaging>pom</packaging>
-
- <modules>
- <module>aaa-authz-model</module>
- <module>aaa-authz-service</module>
- <module>aaa-authz-config</module>
- <module>aaa-authz-restconf-config</module>
- </modules>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-credential-store-api/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-credential-store-api/pom.xml
deleted file mode 100644
index b43ac11c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-credential-store-api/pom.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-(c) Copyright 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
-
-This program and the accompanying materials are made available under the
-terms of the Eclipse Public License v1.0 which accompanies this distribution,
-and is available at http://www.eclipse.org/legal/epl-v10.html
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>binding-parent</artifactId>
- <version>0.8.2-Beryllium-SR2</version>
- <relativePath/>
- </parent>
-
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-credential-store-api</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>bundle</packaging>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-credential-store-api/src/main/yang/credential-model.yang b/upstream/odl-aaa-moon/aaa/aaa-credential-store-api/src/main/yang/credential-model.yang
deleted file mode 100644
index 7d1f55a3..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-credential-store-api/src/main/yang/credential-model.yang
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-module credential-store {
- namespace "urn:opendaylight:params:xml:ns:yang:aaa:credential-store";
- prefix "cs";
-
- description "Defines and extensible model for storing various types of security credentials.";
-
- revision "2015-02-26" { description "Initial revision."; }
-
- identity credential-type {
- description
- "Credential base type. All credential types must be derived from this identity.";
- }
-
- typedef credential-type-ref {
- description "reference to an entry in the credential store based on id.";
- type instance-identifier;
- }
-
- container credential-store {
- list credential {
- key "id";
-
- leaf id {
- description "Unique identifier for this credential entry.";
- type string;
- }
-
- leaf type {
- description "The type of credential represented in this entry.";
- type identityref {
- base credential-type;
- }
- }
-
- choice value {
- description "Extension point. Contains the data specific to the credential type.";
- }
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/.gitignore b/upstream/odl-aaa-moon/aaa/aaa-h2-store/.gitignore
deleted file mode 100644
index 1dd33310..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-/target/
-/target/
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-h2-store/pom.xml
deleted file mode 100644
index d40f8858..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/pom.xml
+++ /dev/null
@@ -1,160 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-h2-store</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>config-api</artifactId>
- <version>${config.version}</version>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-config</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-common-util</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-lang3</artifactId>
- </dependency>
-
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
-
- <!-- JDBC -->
- <dependency>
- <groupId>com.h2database</groupId>
- <artifactId>h2</artifactId>
- </dependency>
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
-
- </dependencies>
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <version>${bundle.plugin.version}</version>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Import-Package>com.google.*,org.opendaylight.aaa.api.*,org.apache.felix.*,org.slf4j.*,org.opendaylight.*,org.osgi.*,org.apache.commons.lang3</Import-Package>
- <Private-Package>org.h2.*</Private-Package>
- <Embed-Dependency>h2</Embed-Dependency>
- </instructions>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yang-maven-plugin</artifactId>
- <version>${yangtools.version}</version>
- <executions>
- <execution>
- <id>config</id>
- <goals>
- <goal>generate-sources</goal>
- </goals>
- <configuration>
- <codeGenerators>
- <generator>
- <codeGeneratorClass>org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator</codeGeneratorClass>
- <outputBaseDir>${jmxGeneratorPath}</outputBaseDir>
- <additionalConfiguration>
- <namespaceToPackage1>urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang</namespaceToPackage1>
- </additionalConfiguration>
- </generator>
- <generator>
- <codeGeneratorClass>org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl</codeGeneratorClass>
- <outputBaseDir>${salGeneratorPath}</outputBaseDir>
- </generator>
- </codeGenerators>
- <inspectDependencies>true</inspectDependencies>
- </configuration>
- </execution>
- </executions>
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>maven-sal-api-gen-plugin</artifactId>
- <version>${yangtools.version}</version>
- <type>jar</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>yang-jmx-generator-plugin</artifactId>
- <version>${config.version}</version>
- </dependency>
- </dependencies>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>attach-artifacts</id>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/initial/08-aaa-h2-store-config.xml</file>
- <type>xml</type>
- <classifier>config</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/config/IdmLightConfig.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/config/IdmLightConfig.java
deleted file mode 100644
index a35ca48f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/config/IdmLightConfig.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.config;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Responsible for providing configuration properties for the IDMLight/H2
- * data store implementation.
- *
- * @author peter.mellquist@hp.com
- *
- */
-public class IdmLightConfig {
-
- private static final Logger LOG = LoggerFactory.getLogger(IdmLightConfig.class);
-
- /**
- * The default timeout for db connections in seconds.
- */
- private static final int DEFAULT_DB_TIMEOUT = 3;
-
- /**
- * The default password for the database
- */
- private static final String DEFAULT_PASSWORD = "bar";
-
- /**
- * The default username for the database
- */
- private static final String DEFAULT_USERNAME = "foo";
-
- /**
- * The default driver for the databse is H2; a pure-java implementation
- * of JDBC.
- */
- private static final String DEFAULT_JDBC_DRIVER = "org.h2.Driver";
-
- /**
- * The default connection string includes the intention to use h2 as
- * the JDBC driver, and the path for the file is located relative to
- * KARAF_HOME.
- */
- private static final String DEFAULT_CONNECTION_STRING = "jdbc:h2:./";
-
- /**
- * The default filename for the database file.
- */
- private static final String DEFAULT_IDMLIGHT_DB_FILENAME = "idmlight.db";
-
- /**
- * The database filename
- */
- private String dbName;
-
- /**
- * the database connection string
- */
- private String dbPath;
-
- /**
- * The database driver (i.e., H2)
- */
- private String dbDriver;
-
- /**
- * The database password. This is not the same as AAA credentials!
- */
- private String dbUser;
-
- /**
- * The database username. This is not the same as AAA credentials!
- */
- private String dbPwd;
-
- /**
- * Timeout for database connections in seconds
- */
- private int dbValidTimeOut;
-
- /**
- * Creates an valid database configuration using default values.
- */
- public IdmLightConfig() {
- // TODO make this configurable
- dbName = DEFAULT_IDMLIGHT_DB_FILENAME;
- dbPath = DEFAULT_CONNECTION_STRING + dbName;
- dbDriver = DEFAULT_JDBC_DRIVER;
- dbUser = DEFAULT_USERNAME;
- dbPwd = DEFAULT_PASSWORD;
- dbValidTimeOut = DEFAULT_DB_TIMEOUT;
- }
-
- /**
- * Outputs some debugging information surrounding idmlight config
- */
- public void log() {
- LOG.info("DB Path : {}", dbPath);
- LOG.info("DB Driver : {}", dbDriver);
- LOG.info("DB Valid Time Out : {}", dbValidTimeOut);
- }
-
- public String getDbName() {
- return this.dbName;
- }
-
- public String getDbPath() {
- return this.dbPath;
- }
-
- public String getDbDriver() {
- return this.dbDriver;
- }
-
- public String getDbUser() {
- return this.dbUser;
- }
-
- public String getDbPwd() {
- return this.dbPwd;
- }
-
- public int getDbValidTimeOut() {
- return this.dbValidTimeOut;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/AbstractStore.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/AbstractStore.java
deleted file mode 100644
index ba00eb84..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/AbstractStore.java
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Copyright © 2016 Red Hat, Inc. and others.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.h2.persistence;
-
-import java.sql.Connection;
-import java.sql.DatabaseMetaData;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Base class for H2 stores.
- */
-abstract class AbstractStore<T> {
- /**
- * Logger.
- */
- private static final Logger LOG = LoggerFactory.getLogger(AbstractStore.class);
-
- /**
- * The name of the table used to represent this store.
- */
- private final String tableName;
-
- /**
- * Database connection, only used for tests.
- */
- Connection dbConnection = null;
-
- /**
- * Table types we're interested in (when checking tables' existence).
- */
- public static final String[] TABLE_TYPES = new String[] { "TABLE" };
-
- /**
- * Creates an instance.
- *
- * @param tableName The name of the table being managed.
- */
- protected AbstractStore(String tableName) {
- this.tableName = tableName;
- }
-
- /**
- * Returns a database connection. It is the caller's responsibility to close it. If the managed table does not
- * exist, it will be created (using {@link #getTableCreationStatement()}).
- *
- * @return A database connection.
- *
- * @throws StoreException if an error occurs.
- */
- protected Connection dbConnect() throws StoreException {
- Connection conn = H2Store.getConnection(dbConnection);
- try {
- // Ensure table check/creation is atomic
- synchronized (this) {
- DatabaseMetaData dbm = conn.getMetaData();
- try (ResultSet rs = dbm.getTables(null, null, tableName, TABLE_TYPES)) {
- if (rs.next()) {
- LOG.debug("Table {} already exists", tableName);
- } else {
- LOG.info("Table {} does not exist, creating it", tableName);
- try (Statement stmt = conn.createStatement()) {
- stmt.executeUpdate(getTableCreationStatement());
- }
- }
- }
- }
- } catch (SQLException e) {
- LOG.error("Error connecting to the H2 database", e);
- throw new StoreException("Cannot connect to database server", e);
- }
- return conn;
- }
-
- /**
- * Empties the store.
- *
- * @throws StoreException if a connection error occurs.
- */
- protected void dbClean() throws StoreException {
- try (Connection c = dbConnect()) {
- // The table name can't be a parameter in a prepared statement
- String sql = "DELETE FROM " + tableName;
- c.createStatement().execute(sql);
- } catch (SQLException e) {
- LOG.error("Error clearing table {}", tableName, e);
- throw new StoreException("Error clearing table " + tableName, e);
- }
- }
-
- /**
- * Returns the SQL code required to create the managed table.
- *
- * @return The SQL table creation statement.
- */
- protected abstract String getTableCreationStatement();
-
- /**
- * Lists all the stored items.
- *
- * @return The stored item.
- *
- * @throws StoreException if an error occurs.
- */
- protected List<T> listAll() throws StoreException {
- List<T> result = new ArrayList<>();
- String query = "SELECT * FROM " + tableName;
- try (Connection conn = dbConnect();
- Statement stmt = conn.createStatement();
- ResultSet rs = stmt.executeQuery(query)) {
- while (rs.next()) {
- result.add(fromResultSet(rs));
- }
- } catch (SQLException e) {
- LOG.error("Error listing all items from {}", tableName, e);
- throw new StoreException(e);
- }
- return result;
- }
-
- /**
- * Lists the stored items returned by the given statement.
- *
- * @param ps The statement (which must be ready for execution). It is the caller's reponsibility to close this.
- *
- * @return The stored items.
- *
- * @throws StoreException if an error occurs.
- */
- protected List<T> listFromStatement(PreparedStatement ps) throws StoreException {
- List<T> result = new ArrayList<>();
- try (ResultSet rs = ps.executeQuery()) {
- while (rs.next()) {
- result.add(fromResultSet(rs));
- }
- } catch (SQLException e) {
- LOG.error("Error listing matching items from {}", tableName, e);
- throw new StoreException(e);
- }
- return result;
- }
-
- /**
- * Extracts the first item returned by the given statement, if any.
- *
- * @param ps The statement (which must be ready for execution). It is the caller's reponsibility to close this.
- *
- * @return The first item, or {@code null} if none.
- *
- * @throws StoreException if an error occurs.
- */
- protected T firstFromStatement(PreparedStatement ps) throws StoreException {
- try (ResultSet rs = ps.executeQuery()) {
- if (rs.next()) {
- return fromResultSet(rs);
- } else {
- return null;
- }
- } catch (SQLException e) {
- LOG.error("Error listing first matching item from {}", tableName, e);
- throw new StoreException(e);
- }
- }
-
- /**
- * Converts a single row in a result set to an instance of the managed type.
- *
- * @param rs The result set (which is ready for extraction; {@link ResultSet#next()} must <b>not</b> be called).
- *
- * @return The corresponding instance.
- *
- * @throws SQLException if an error occurs.
- */
- protected abstract T fromResultSet(ResultSet rs) throws SQLException;
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java
deleted file mode 100644
index aa8f4b30..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import com.google.common.base.Preconditions;
-
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Domains;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-public class DomainStore extends AbstractStore<Domain> {
- private static final Logger LOG = LoggerFactory.getLogger(DomainStore.class);
-
- protected final static String SQL_ID = "domainid";
- protected final static String SQL_NAME = "name";
- protected final static String SQL_DESCR = "description";
- protected final static String SQL_ENABLED = "enabled";
- private static final String TABLE_NAME = "DOMAINS";
-
- protected DomainStore() {
- super(TABLE_NAME);
- }
-
- @Override
- protected String getTableCreationStatement() {
- return "CREATE TABLE DOMAINS "
- + "(domainid VARCHAR(128) PRIMARY KEY,"
- + "name VARCHAR(128) UNIQUE NOT NULL, "
- + "description VARCHAR(128) , "
- + "enabled INTEGER NOT NULL)";
- }
-
- @Override
- protected Domain fromResultSet(ResultSet rs) throws SQLException {
- Domain domain = new Domain();
- domain.setDomainid(rs.getString(SQL_ID));
- domain.setName(rs.getString(SQL_NAME));
- domain.setDescription(rs.getString(SQL_DESCR));
- domain.setEnabled(rs.getInt(SQL_ENABLED) == 1);
- return domain;
- }
-
- protected Domains getDomains() throws StoreException {
- Domains domains = new Domains();
- domains.setDomains(listAll());
- return domains;
- }
-
- protected Domains getDomains(String domainName) throws StoreException {
- LOG.debug("getDomains for: {}", domainName);
- Domains domains = new Domains();
- try (Connection conn = dbConnect();
- PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM DOMAINS WHERE name = ?")) {
- pstmt.setString(1, domainName);
- LOG.debug("query string: {}", pstmt.toString());
- domains.setDomains(listFromStatement(pstmt));
- } catch (SQLException e) {
- LOG.error("Error listing domains matching {}", domainName, e);
- throw new StoreException("Error listing domains", e);
- }
- return domains;
- }
-
- protected Domain getDomain(String id) throws StoreException {
- try (Connection conn = dbConnect();
- PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM DOMAINS WHERE domainid = ? ")) {
- pstmt.setString(1, id);
- LOG.debug("query string: {}", pstmt.toString());
- return firstFromStatement(pstmt);
- } catch (SQLException e) {
- LOG.error("Error retrieving domain {}", id, e);
- throw new StoreException("Error loading domain", e);
- }
- }
-
- protected Domain createDomain(Domain domain) throws StoreException {
- Preconditions.checkNotNull(domain);
- Preconditions.checkNotNull(domain.getName());
- Preconditions.checkNotNull(domain.isEnabled());
- String query = "insert into DOMAINS (domainid,name,description,enabled) values(?, ?, ?, ?)";
- try (Connection conn = dbConnect();
- PreparedStatement statement = conn.prepareStatement(query)) {
- statement.setString(1, domain.getName());
- statement.setString(2, domain.getName());
- statement.setString(3, domain.getDescription());
- statement.setInt(4, domain.isEnabled() ? 1 : 0);
- int affectedRows = statement.executeUpdate();
- if (affectedRows == 0) {
- throw new StoreException("Creating domain failed, no rows affected.");
- }
- domain.setDomainid(domain.getName());
- return domain;
- } catch (SQLException e) {
- LOG.error("Error creating domain {}", domain.getName(), e);
- throw new StoreException("Error creating domain", e);
- }
- }
-
- protected Domain putDomain(Domain domain) throws StoreException {
- Domain savedDomain = this.getDomain(domain.getDomainid());
- if (savedDomain == null) {
- return null;
- }
-
- if (domain.getDescription() != null) {
- savedDomain.setDescription(domain.getDescription());
- }
- if (domain.getName() != null) {
- savedDomain.setName(domain.getName());
- }
- if (domain.isEnabled() != null) {
- savedDomain.setEnabled(domain.isEnabled());
- }
-
- String query = "UPDATE DOMAINS SET description = ?, enabled = ? WHERE domainid = ?";
- try (Connection conn = dbConnect();
- PreparedStatement statement = conn.prepareStatement(query)) {
- statement.setString(1, savedDomain.getDescription());
- statement.setInt(2, savedDomain.isEnabled() ? 1 : 0);
- statement.setString(3, savedDomain.getDomainid());
- statement.executeUpdate();
- } catch (SQLException e) {
- LOG.error("Error updating domain {}", domain.getDomainid(), e);
- throw new StoreException("Error updating domain", e);
- }
-
- return savedDomain;
- }
-
- protected Domain deleteDomain(String domainid) throws StoreException {
- domainid = StringEscapeUtils.escapeHtml4(domainid);
- Domain deletedDomain = this.getDomain(domainid);
- if (deletedDomain == null) {
- return null;
- }
- String query = String.format("DELETE FROM DOMAINS WHERE domainid = '%s'", domainid);
- try (Connection conn = dbConnect();
- Statement statement = conn.createStatement()) {
- int deleteCount = statement.executeUpdate(query);
- LOG.debug("deleted {} records", deleteCount);
- return deletedDomain;
- } catch (SQLException e) {
- LOG.error("Error deleting domain {}", domainid, e);
- throw new StoreException("Error deleting domain", e);
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/GrantStore.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/GrantStore.java
deleted file mode 100644
index ee86e0ba..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/GrantStore.java
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.opendaylight.aaa.api.IDMStoreUtil;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Grants;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-public class GrantStore extends AbstractStore<Grant> {
- private static final Logger LOG = LoggerFactory.getLogger(GrantStore.class);
-
- protected final static String SQL_ID = "grantid";
- protected final static String SQL_TENANTID = "domainid";
- protected final static String SQL_USERID = "userid";
- protected final static String SQL_ROLEID = "roleid";
- private static final String TABLE_NAME = "GRANTS";
-
- protected GrantStore() {
- super(TABLE_NAME);
- }
-
- @Override
- protected String getTableCreationStatement() {
- return "CREATE TABLE GRANTS "
- + "(grantid VARCHAR(128) PRIMARY KEY,"
- + "domainid VARCHAR(128) NOT NULL, "
- + "userid VARCHAR(128) NOT NULL, "
- + "roleid VARCHAR(128) NOT NULL)";
- }
-
- protected Grant fromResultSet(ResultSet rs) throws SQLException {
- Grant grant = new Grant();
- try {
- grant.setGrantid(rs.getString(SQL_ID));
- grant.setDomainid(rs.getString(SQL_TENANTID));
- grant.setUserid(rs.getString(SQL_USERID));
- grant.setRoleid(rs.getString(SQL_ROLEID));
- } catch (SQLException sqle) {
- LOG.error("SQL Exception: ", sqle);
- throw sqle;
- }
- return grant;
- }
-
- protected Grants getGrants(String did, String uid) throws StoreException {
- Grants grants = new Grants();
- try (Connection conn = dbConnect();
- PreparedStatement pstmt = conn
- .prepareStatement("SELECT * FROM grants WHERE domainid = ? AND userid = ?")) {
- pstmt.setString(1, did);
- pstmt.setString(2, uid);
- LOG.debug("query string: {}", pstmt.toString());
- grants.setGrants(listFromStatement(pstmt));
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- return grants;
- }
-
- protected Grants getGrants(String userid) throws StoreException {
- Grants grants = new Grants();
- try (Connection conn = dbConnect();
- PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM GRANTS WHERE userid = ? ")) {
- pstmt.setString(1, userid);
- LOG.debug("query string: {}", pstmt.toString());
- grants.setGrants(listFromStatement(pstmt));
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- return grants;
- }
-
- protected Grant getGrant(String id) throws StoreException {
- try (Connection conn = dbConnect();
- PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM GRANTS WHERE grantid = ? ")) {
- pstmt.setString(1, id);
- LOG.debug("query string: ", pstmt.toString());
- return firstFromStatement(pstmt);
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- }
-
- protected Grant getGrant(String did, String uid, String rid) throws StoreException {
- try (Connection conn = dbConnect();
- PreparedStatement pstmt = conn
- .prepareStatement("SELECT * FROM GRANTS WHERE domainid = ? AND userid = ? AND roleid = ? ")) {
- pstmt.setString(1, did);
- pstmt.setString(2, uid);
- pstmt.setString(3, rid);
- LOG.debug("query string: {}", pstmt.toString());
- return firstFromStatement(pstmt);
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- }
-
- protected Grant createGrant(Grant grant) throws StoreException {
- String query = "insert into grants (grantid,domainid,userid,roleid) values(?,?,?,?)";
- try (Connection conn = dbConnect();
- PreparedStatement statement = conn.prepareStatement(query)) {
- statement.setString(
- 1,
- IDMStoreUtil.createGrantid(grant.getUserid(), grant.getDomainid(),
- grant.getRoleid()));
- statement.setString(2, grant.getDomainid());
- statement.setString(3, grant.getUserid());
- statement.setString(4, grant.getRoleid());
- int affectedRows = statement.executeUpdate();
- if (affectedRows == 0) {
- throw new StoreException("Creating grant failed, no rows affected.");
- }
- grant.setGrantid(IDMStoreUtil.createGrantid(grant.getUserid(), grant.getDomainid(),
- grant.getRoleid()));
- return grant;
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- }
-
- protected Grant deleteGrant(String grantid) throws StoreException {
- grantid = StringEscapeUtils.escapeHtml4(grantid);
- Grant savedGrant = this.getGrant(grantid);
- if (savedGrant == null) {
- return null;
- }
-
- String query = String.format("DELETE FROM GRANTS WHERE grantid = '%s'", grantid);
- try (Connection conn = dbConnect();
- Statement statement = conn.createStatement()) {
- int deleteCount = statement.executeUpdate(query);
- LOG.debug("deleted {} records", deleteCount);
- return savedGrant;
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/H2Store.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/H2Store.java
deleted file mode 100644
index da40a17b..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/H2Store.java
+++ /dev/null
@@ -1,316 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import java.sql.Connection;
-import java.sql.DriverManager;
-
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.IDMStoreUtil;
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Domains;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Grants;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.Roles;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.Users;
-import org.opendaylight.aaa.h2.config.IdmLightConfig;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class H2Store implements IIDMStore {
-
- private static final Logger LOG = LoggerFactory.getLogger(H2Store.class);
-
- private static IdmLightConfig config = new IdmLightConfig();
- private DomainStore domainStore = new DomainStore();
- private UserStore userStore = new UserStore();
- private RoleStore roleStore = new RoleStore();
- private GrantStore grantStore = new GrantStore();
-
- public H2Store() {
- }
-
- public static Connection getConnection(Connection existingConnection) throws StoreException {
- Connection connection = existingConnection;
- try {
- if (existingConnection == null || existingConnection.isClosed()) {
- new org.h2.Driver();
- connection = DriverManager.getConnection(config.getDbPath(), config.getDbUser(),
- config.getDbPwd());
- }
- } catch (Exception e) {
- throw new StoreException("Cannot connect to database server" + e);
- }
-
- return connection;
- }
-
- public static IdmLightConfig getConfig() {
- return config;
- }
-
- @Override
- public Domain writeDomain(Domain domain) throws IDMStoreException {
- try {
- return domainStore.createDomain(domain);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while writing domain", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Domain readDomain(String domainid) throws IDMStoreException {
- try {
- return domainStore.getDomain(domainid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while reading domain", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Domain deleteDomain(String domainid) throws IDMStoreException {
- try {
- return domainStore.deleteDomain(domainid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while deleting domain", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Domain updateDomain(Domain domain) throws IDMStoreException {
- try {
- return domainStore.putDomain(domain);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while updating domain", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Domains getDomains() throws IDMStoreException {
- try {
- return domainStore.getDomains();
- } catch (StoreException e) {
- LOG.error("StoreException encountered while reading domains", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Role writeRole(Role role) throws IDMStoreException {
- try {
- return roleStore.createRole(role);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while writing role", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Role readRole(String roleid) throws IDMStoreException {
- try {
- return roleStore.getRole(roleid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while reading role", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Role deleteRole(String roleid) throws IDMStoreException {
- try {
- return roleStore.deleteRole(roleid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while deleting role", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Role updateRole(Role role) throws IDMStoreException {
- try {
- return roleStore.putRole(role);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while updating role", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Roles getRoles() throws IDMStoreException {
- try {
- return roleStore.getRoles();
- } catch (StoreException e) {
- LOG.error("StoreException encountered while getting roles", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public User writeUser(User user) throws IDMStoreException {
- try {
- return userStore.createUser(user);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while writing user", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public User readUser(String userid) throws IDMStoreException {
- try {
- return userStore.getUser(userid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while reading user", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public User deleteUser(String userid) throws IDMStoreException {
- try {
- return userStore.deleteUser(userid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while deleting user", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public User updateUser(User user) throws IDMStoreException {
- try {
- return userStore.putUser(user);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while updating user", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Users getUsers(String username, String domain) throws IDMStoreException {
- try {
- return userStore.getUsers(username, domain);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while reading users", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Users getUsers() throws IDMStoreException {
- try {
- return userStore.getUsers();
- } catch (StoreException e) {
- LOG.error("StoreException encountered while reading users", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Grant writeGrant(Grant grant) throws IDMStoreException {
- try {
- return grantStore.createGrant(grant);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while writing grant", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Grant readGrant(String grantid) throws IDMStoreException {
- try {
- return grantStore.getGrant(grantid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while reading grant", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Grant deleteGrant(String grantid) throws IDMStoreException {
- try {
- return grantStore.deleteGrant(grantid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while deleting grant", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Grants getGrants(String domainid, String userid) throws IDMStoreException {
- try {
- return grantStore.getGrants(domainid, userid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while getting grants", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Grants getGrants(String userid) throws IDMStoreException {
- try {
- return grantStore.getGrants(userid);
- } catch (StoreException e) {
- LOG.error("StoreException encountered while getting grants", e);
- throw new IDMStoreException(e);
- }
- }
-
- @Override
- public Grant readGrant(String domainid, String userid, String roleid) throws IDMStoreException {
- return readGrant(IDMStoreUtil.createGrantid(userid, domainid, roleid));
- }
-
- public static Domain createDomain(String domainName, boolean enable) throws StoreException {
- DomainStore ds = new DomainStore();
- Domain d = new Domain();
- d.setName(domainName);
- d.setEnabled(enable);
- return ds.createDomain(d);
- }
-
- public static User createUser(String name, String password, String domain, String description,
- String email, boolean enabled, String SALT) throws StoreException {
- UserStore us = new UserStore();
- User u = new User();
- u.setName(name);
- u.setDomainid(domain);
- u.setDescription(description);
- u.setEmail(email);
- u.setEnabled(enabled);
- u.setPassword(password);
- u.setSalt(SALT);
- return us.createUser(u);
- }
-
- public static Role createRole(String name, String domain, String description)
- throws StoreException {
- RoleStore rs = new RoleStore();
- Role r = new Role();
- r.setDescription(description);
- r.setName(name);
- r.setDomainid(domain);
- return rs.createRole(r);
- }
-
- public static Grant createGrant(String domain, String user, String role) throws StoreException {
- GrantStore gs = new GrantStore();
- Grant g = new Grant();
- g.setDomainid(domain);
- g.setRoleid(role);
- g.setUserid(user);
- return gs.createGrant(g);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/RoleStore.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/RoleStore.java
deleted file mode 100644
index e7defa4a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/RoleStore.java
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import com.google.common.base.Preconditions;
-
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.opendaylight.aaa.api.IDMStoreUtil;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.Roles;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-public class RoleStore extends AbstractStore<Role> {
- private static final Logger LOG = LoggerFactory.getLogger(RoleStore.class);
-
- protected final static String SQL_ID = "roleid";
- protected final static String SQL_DOMAIN_ID = "domainid";
- protected final static String SQL_NAME = "name";
- protected final static String SQL_DESCR = "description";
- private static final String TABLE_NAME = "ROLES";
-
- protected RoleStore() {
- super(TABLE_NAME);
- }
-
- @Override
- protected String getTableCreationStatement() {
- return "CREATE TABLE ROLES "
- + "(roleid VARCHAR(128) PRIMARY KEY,"
- + "name VARCHAR(128) NOT NULL, "
- + "domainid VARCHAR(128) NOT NULL, "
- + "description VARCHAR(128) NOT NULL)";
- }
-
- protected Role fromResultSet(ResultSet rs) throws SQLException {
- Role role = new Role();
- try {
- role.setRoleid(rs.getString(SQL_ID));
- role.setDomainid(rs.getString(SQL_DOMAIN_ID));
- role.setName(rs.getString(SQL_NAME));
- role.setDescription(rs.getString(SQL_DESCR));
- } catch (SQLException sqle) {
- LOG.error("SQL Exception: ", sqle);
- throw sqle;
- }
- return role;
- }
-
- protected Roles getRoles() throws StoreException {
- Roles roles = new Roles();
- roles.setRoles(listAll());
- return roles;
- }
-
- protected Role getRole(String id) throws StoreException {
- try (Connection conn = dbConnect();
- PreparedStatement pstmt = conn
- .prepareStatement("SELECT * FROM ROLES WHERE roleid = ? ")) {
- pstmt.setString(1, id);
- LOG.debug("query string: {}", pstmt.toString());
- return firstFromStatement(pstmt);
- } catch (SQLException s) {
- throw new StoreException("SQL Exception: " + s);
- }
- }
-
- protected Role createRole(Role role) throws StoreException {
- Preconditions.checkNotNull(role);
- Preconditions.checkNotNull(role.getName());
- Preconditions.checkNotNull(role.getDomainid());
- String query = "insert into roles (roleid,domainid,name,description) values(?,?,?,?)";
- try (Connection conn = dbConnect();
- PreparedStatement statement = conn.prepareStatement(query)) {
- role.setRoleid(IDMStoreUtil.createRoleid(role.getName(), role.getDomainid()));
- statement.setString(1, role.getRoleid());
- statement.setString(2, role.getDomainid());
- statement.setString(3, role.getName());
- statement.setString(4, role.getDescription());
- int affectedRows = statement.executeUpdate();
- if (affectedRows == 0) {
- throw new StoreException("Creating role failed, no rows affected.");
- }
- return role;
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- }
-
- protected Role putRole(Role role) throws StoreException {
-
- Role savedRole = this.getRole(role.getRoleid());
- if (savedRole == null) {
- return null;
- }
-
- if (role.getDescription() != null) {
- savedRole.setDescription(role.getDescription());
- }
- if (role.getName() != null) {
- savedRole.setName(role.getName());
- }
-
- String query = "UPDATE roles SET description = ? WHERE roleid = ?";
- try (Connection conn = dbConnect();
- PreparedStatement statement = conn.prepareStatement(query)) {
- statement.setString(1, savedRole.getDescription());
- statement.setString(2, savedRole.getRoleid());
- statement.executeUpdate();
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
-
- return savedRole;
- }
-
- protected Role deleteRole(String roleid) throws StoreException {
- roleid = StringEscapeUtils.escapeHtml4(roleid);
- Role savedRole = this.getRole(roleid);
- if (savedRole == null) {
- return null;
- }
-
- String query = String.format("DELETE FROM ROLES WHERE roleid = '%s'", roleid);
- try (Connection conn = dbConnect();
- Statement statement = conn.createStatement()) {
- int deleteCount = statement.executeUpdate(query);
- LOG.debug("deleted {} records", deleteCount);
- return savedRole;
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/StoreException.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/StoreException.java
deleted file mode 100644
index 7d2f2b9a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/StoreException.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-/**
- * Exception indicating an error in an H2 data store.
- *
- * @author peter.mellquist@hp.com
- */
-
-public class StoreException extends Exception {
- public StoreException(String message) {
- super(message);
- }
-
- public StoreException(String message, Throwable cause) {
- super(message, cause);
- }
-
- public StoreException(Throwable cause) {
- super(cause);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/UserStore.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/UserStore.java
deleted file mode 100644
index 96b8013f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/UserStore.java
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import com.google.common.base.Preconditions;
-
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.opendaylight.aaa.api.IDMStoreUtil;
-import org.opendaylight.aaa.api.SHA256Calculator;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.Users;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-public class UserStore extends AbstractStore<User> {
- private static final Logger LOG = LoggerFactory.getLogger(UserStore.class);
-
- protected final static String SQL_ID = "userid";
- protected final static String SQL_DOMAIN_ID = "domainid";
- protected final static String SQL_NAME = "name";
- protected final static String SQL_EMAIL = "email";
- protected final static String SQL_PASSWORD = "password";
- protected final static String SQL_DESCR = "description";
- protected final static String SQL_ENABLED = "enabled";
- protected final static String SQL_SALT = "salt";
- private static final String TABLE_NAME = "USERS";
-
- protected UserStore() {
- super(TABLE_NAME);
- }
-
- @Override
- protected String getTableCreationStatement() {
- return "CREATE TABLE users "
- + "(userid VARCHAR(128) PRIMARY KEY,"
- + "name VARCHAR(128) NOT NULL, "
- + "domainid VARCHAR(128) NOT NULL, "
- + "email VARCHAR(128) NOT NULL, "
- + "password VARCHAR(128) NOT NULL, "
- + "description VARCHAR(128) NOT NULL, "
- + "salt VARCHAR(15) NOT NULL, "
- + "enabled INTEGER NOT NULL)";
- }
-
- @Override
- protected User fromResultSet(ResultSet rs) throws SQLException {
- User user = new User();
- try {
- user.setUserid(rs.getString(SQL_ID));
- user.setDomainid(rs.getString(SQL_DOMAIN_ID));
- user.setName(rs.getString(SQL_NAME));
- user.setEmail(rs.getString(SQL_EMAIL));
- user.setPassword(rs.getString(SQL_PASSWORD));
- user.setDescription(rs.getString(SQL_DESCR));
- user.setEnabled(rs.getInt(SQL_ENABLED) == 1);
- user.setSalt(rs.getString(SQL_SALT));
- } catch (SQLException sqle) {
- LOG.error("SQL Exception: ", sqle);
- throw sqle;
- }
- return user;
- }
-
- protected Users getUsers() throws StoreException {
- Users users = new Users();
- users.setUsers(listAll());
- return users;
- }
-
- protected Users getUsers(String username, String domain) throws StoreException {
- LOG.debug("getUsers for: {} in domain {}", username, domain);
-
- Users users = new Users();
- try (Connection conn = dbConnect();
- PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM USERS WHERE userid = ? ")) {
- pstmt.setString(1, IDMStoreUtil.createUserid(username, domain));
- LOG.debug("query string: {}", pstmt.toString());
- users.setUsers(listFromStatement(pstmt));
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- return users;
- }
-
- protected User getUser(String id) throws StoreException {
- try (Connection conn = dbConnect();
- PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM USERS WHERE userid = ? ")) {
- pstmt.setString(1, id);
- LOG.debug("query string: {}", pstmt.toString());
- return firstFromStatement(pstmt);
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- }
-
- protected User createUser(User user) throws StoreException {
- Preconditions.checkNotNull(user);
- Preconditions.checkNotNull(user.getName());
- Preconditions.checkNotNull(user.getDomainid());
-
- user.setSalt(SHA256Calculator.generateSALT());
- String query = "insert into users (userid,domainid,name,email,password,description,enabled,salt) values(?,?,?,?,?,?,?,?)";
- try (Connection conn = dbConnect();
- PreparedStatement statement = conn.prepareStatement(query)) {
- user.setUserid(IDMStoreUtil.createUserid(user.getName(), user.getDomainid()));
- statement.setString(1, user.getUserid());
- statement.setString(2, user.getDomainid());
- statement.setString(3, user.getName());
- statement.setString(4, user.getEmail());
- statement.setString(5, SHA256Calculator.getSHA256(user.getPassword(), user.getSalt()));
- statement.setString(6, user.getDescription());
- statement.setInt(7, user.isEnabled() ? 1 : 0);
- statement.setString(8, user.getSalt());
- int affectedRows = statement.executeUpdate();
- if (affectedRows == 0) {
- throw new StoreException("Creating user failed, no rows affected.");
- }
- return user;
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- }
-
- protected User putUser(User user) throws StoreException {
-
- User savedUser = this.getUser(user.getUserid());
- if (savedUser == null) {
- return null;
- }
-
- if (user.getDescription() != null) {
- savedUser.setDescription(user.getDescription());
- }
- if (user.getName() != null) {
- savedUser.setName(user.getName());
- }
- if (user.isEnabled() != null) {
- savedUser.setEnabled(user.isEnabled());
- }
- if (user.getEmail() != null) {
- savedUser.setEmail(user.getEmail());
- }
- if (user.getPassword() != null) {
- // If a new salt is provided, use it. Otherwise, derive salt from existing.
- String salt = user.getSalt();
- if (salt == null) {
- salt = savedUser.getSalt();
- }
- savedUser.setPassword(SHA256Calculator.getSHA256(user.getPassword(), salt));
- }
-
- String query = "UPDATE users SET email = ?, password = ?, description = ?, enabled = ? WHERE userid = ?";
- try (Connection conn = dbConnect();
- PreparedStatement statement = conn.prepareStatement(query)) {
- statement.setString(1, savedUser.getEmail());
- statement.setString(2, savedUser.getPassword());
- statement.setString(3, savedUser.getDescription());
- statement.setInt(4, savedUser.isEnabled() ? 1 : 0);
- statement.setString(5, savedUser.getUserid());
- statement.executeUpdate();
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
-
- return savedUser;
- }
-
- protected User deleteUser(String userid) throws StoreException {
- userid = StringEscapeUtils.escapeHtml4(userid);
- User savedUser = this.getUser(userid);
- if (savedUser == null) {
- return null;
- }
-
- String query = String.format("DELETE FROM USERS WHERE userid = '%s'", userid);
- try (Connection conn = dbConnect();
- Statement statement = conn.createStatement()) {
- int deleteCount = statement.executeUpdate(query);
- LOG.debug("deleted {} records", deleteCount);
- return savedUser;
- } catch (SQLException s) {
- throw new StoreException("SQL Exception : " + s);
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModule.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModule.java
deleted file mode 100644
index fe7dd2a6..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModule.java
+++ /dev/null
@@ -1,49 +0,0 @@
-package org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128;
-
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.h2.persistence.H2Store;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.ServiceRegistration;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class AAAH2StoreModule extends org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128.AbstractAAAH2StoreModule {
-
- private BundleContext bundleContext;
- private static final Logger LOG = LoggerFactory.getLogger(AAAH2StoreModule.class);
-
- public AAAH2StoreModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) {
- super(identifier, dependencyResolver);
- }
-
- public AAAH2StoreModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, org.opendaylight.controller.config.api.DependencyResolver dependencyResolver, org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128.AAAH2StoreModule oldModule, java.lang.AutoCloseable oldInstance) {
- super(identifier, dependencyResolver, oldModule, oldInstance);
- }
-
- @Override
- public java.lang.AutoCloseable createInstance() {
- final H2Store h2Store = new H2Store();
- final ServiceRegistration<?> serviceRegistration = bundleContext.registerService(IIDMStore.class.getName(), h2Store, null);
- LOG.info("AAA H2 Store Initialized");
- return new AutoCloseable() {
- @Override
- public void close() throws Exception {
- serviceRegistration.unregister();
- }
- };
- }
-
- /**
- * @param bundleContext
- */
- public void setBundleContext(BundleContext bundleContext) {
- this.bundleContext = bundleContext;
- }
-
- /**
- * @return the bundleContext
- */
- public BundleContext getBundleContext() {
- return bundleContext;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModuleFactory.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModuleFactory.java
deleted file mode 100644
index dc9e7f99..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModuleFactory.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
-* Generated file
-*
-* Generated from: yang module name: aaa-h2-store yang module local name: aaa-h2-store
-* Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
-* Generated at: Sat Nov 28 11:00:15 PST 2015
-*
-* Do not modify this file unless it is present under src/main directory
-*/
-package org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128;
-
-import org.opendaylight.controller.config.api.DependencyResolver;
-import org.osgi.framework.BundleContext;
-
-public class AAAH2StoreModuleFactory extends org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128.AbstractAAAH2StoreModuleFactory {
- @Override
- public AAAH2StoreModule instantiateModule(String instanceName, DependencyResolver dependencyResolver, AAAH2StoreModule oldModule, AutoCloseable oldInstance, BundleContext bundleContext) {
- AAAH2StoreModule module = super.instantiateModule(instanceName, dependencyResolver, oldModule, oldInstance, bundleContext);
- module.setBundleContext(bundleContext);
- return module;
- }
-
- @Override
- public AAAH2StoreModule instantiateModule(String instanceName, DependencyResolver dependencyResolver, BundleContext bundleContext) {
- AAAH2StoreModule module = super.instantiateModule(instanceName, dependencyResolver, bundleContext);
- module.setBundleContext(bundleContext);
- return module;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/resources/initial/08-aaa-h2-store-config.xml b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/resources/initial/08-aaa-h2-store-config.xml
deleted file mode 100644
index cfe60812..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/resources/initial/08-aaa-h2-store-config.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- vi: set et smarttab sw=4 tabstop=4: -->
-<!--
- Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
-
- This program and the accompanying materials are made available under the
- terms of the Eclipse Public License v1.0 which accompanies this distribution,
- and is available at http://www.eclipse.org/legal/epl-v10.html
--->
-<snapshot>
- <configuration>
- <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
- <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
- <module>
- <type xmlns:authn="config:aaa:authn:h2:store">authn:aaa-h2-store</type>
- <name>aaa-h2-store</name>
- </module>
- </modules>
- </data>
- </configuration>
- <required-capabilities>
- <capability>config:aaa:authn:h2:store?module=aaa-h2-store&amp;revision=2015-11-28</capability>
- </required-capabilities>
-
-</snapshot>
-
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/yang/aaa-h2-store.yang b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/yang/aaa-h2-store.yang
deleted file mode 100644
index af2d9bdc..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/main/yang/aaa-h2-store.yang
+++ /dev/null
@@ -1,28 +0,0 @@
-module aaa-h2-store {
- yang-version 1;
- namespace "config:aaa:authn:h2:store";
- prefix "aaa-h2-store";
- organization "OpenDayLight";
-
- import config { prefix config; revision-date 2013-04-05; }
- import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; }
-
- contact "saichler@gmail.com";
-
- revision 2015-11-28 {
- description
- "Initial revision.";
- }
-
- identity aaa-h2-store {
- base config:module-type;
- config:java-name-prefix AAAH2Store;
- }
-
- augment "/config:modules/config:module/config:configuration" {
- case aaa-h2-store {
- when "/config:modules/config:module/config:type = 'aaa-h2-store'";
- }
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/DomainStoreTest.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/DomainStoreTest.java
deleted file mode 100644
index f11a99eb..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/DomainStoreTest.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import static org.junit.Assert.*;
-import static org.mockito.Mockito.*;
-
-import java.sql.Connection;
-import java.sql.DatabaseMetaData;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.Mockito;
-import org.opendaylight.aaa.api.model.Domains;
-import org.opendaylight.aaa.h2.persistence.DomainStore;
-
-public class DomainStoreTest {
-
- Connection connectionMock = mock(Connection.class);
- private final DomainStore domainStoreUnderTest = new DomainStore();
-
- @Before
- public void setup() {
- domainStoreUnderTest.dbConnection = connectionMock;
- }
-
- @After
- public void teardown() {
- // dts.destroy();
- }
-
- @Test
- public void getDomainsTest() throws SQLException, Exception {
- // Setup Mock Behavior
- String[] tableTypes = { "TABLE" };
- Mockito.when(connectionMock.isClosed()).thenReturn(false);
- DatabaseMetaData dbmMock = mock(DatabaseMetaData.class);
- Mockito.when(connectionMock.getMetaData()).thenReturn(dbmMock);
- ResultSet rsUserMock = mock(ResultSet.class);
- Mockito.when(dbmMock.getTables(null, null, "DOMAINS", tableTypes)).thenReturn(rsUserMock);
- Mockito.when(rsUserMock.next()).thenReturn(true);
-
- Statement stmtMock = mock(Statement.class);
- Mockito.when(connectionMock.createStatement()).thenReturn(stmtMock);
-
- ResultSet rsMock = getMockedResultSet();
- Mockito.when(stmtMock.executeQuery(anyString())).thenReturn(rsMock);
-
- // Run Test
- Domains domains = domainStoreUnderTest.getDomains();
-
- // Verify
- assertTrue(domains.getDomains().size() == 1);
- verify(stmtMock).close();
- }
-
- public ResultSet getMockedResultSet() throws SQLException {
- ResultSet rsMock = mock(ResultSet.class);
- Mockito.when(rsMock.next()).thenReturn(true).thenReturn(false);
- Mockito.when(rsMock.getInt(DomainStore.SQL_ID)).thenReturn(1);
- Mockito.when(rsMock.getString(DomainStore.SQL_NAME)).thenReturn("DomainName_1");
- Mockito.when(rsMock.getString(DomainStore.SQL_DESCR)).thenReturn("Desc_1");
- Mockito.when(rsMock.getInt(DomainStore.SQL_ENABLED)).thenReturn(1);
- return rsMock;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/GrantStoreTest.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/GrantStoreTest.java
deleted file mode 100644
index 168b67e2..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/GrantStoreTest.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Matchers.anyString;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-
-import java.sql.Connection;
-import java.sql.DatabaseMetaData;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.Mockito;
-import org.opendaylight.aaa.api.model.Grants;
-
-public class GrantStoreTest {
-
- Connection connectionMock = mock(Connection.class);
- private final GrantStore grantStoreUnderTest = new GrantStore();
- private String did = "5";
- private String uid = "5";
-
- @Before
- public void setup() {
- grantStoreUnderTest.dbConnection = connectionMock;
- }
-
- @Test
- public void getGrantsTest() throws Exception {
- // Setup Mock Behavior
- String[] tableTypes = { "TABLE" };
- Mockito.when(connectionMock.isClosed()).thenReturn(false);
- DatabaseMetaData dbmMock = mock(DatabaseMetaData.class);
- Mockito.when(connectionMock.getMetaData()).thenReturn(dbmMock);
- ResultSet rsUserMock = mock(ResultSet.class);
- Mockito.when(dbmMock.getTables(null, null, "GRANTS", tableTypes)).thenReturn(rsUserMock);
- Mockito.when(rsUserMock.next()).thenReturn(true);
-
- PreparedStatement pstmtMock = mock(PreparedStatement.class);
- Mockito.when(connectionMock.prepareStatement(anyString())).thenReturn(pstmtMock);
-
- ResultSet rsMock = getMockedResultSet();
- Mockito.when(pstmtMock.executeQuery()).thenReturn(rsMock);
-
- // Run Test
- Grants grants = grantStoreUnderTest.getGrants(did, uid);
-
- // Verify
- assertTrue(grants.getGrants().size() == 1);
- verify(pstmtMock).close();
- }
-
- public ResultSet getMockedResultSet() throws SQLException {
- ResultSet rsMock = mock(ResultSet.class);
- Mockito.when(rsMock.next()).thenReturn(true).thenReturn(false);
- Mockito.when(rsMock.getInt(GrantStore.SQL_ID)).thenReturn(1);
- Mockito.when(rsMock.getString(GrantStore.SQL_TENANTID)).thenReturn(did);
- Mockito.when(rsMock.getString(GrantStore.SQL_USERID)).thenReturn(uid);
- Mockito.when(rsMock.getString(GrantStore.SQL_ROLEID)).thenReturn("Role_1");
-
- return rsMock;
-
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/H2StoreTest.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/H2StoreTest.java
deleted file mode 100644
index f583a302..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/H2StoreTest.java
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import java.io.File;
-import java.sql.SQLException;
-
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.opendaylight.aaa.api.IDMStoreUtil;
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.User;
-
-public class H2StoreTest {
- @BeforeClass
- public static void start() {
- File f = new File("idmlight.db.mv.db");
- if (f.exists()) {
- f.delete();
- }
- f = new File("idmlight.db.trace.db");
- if (f.exists()) {
- f.delete();
- }
- }
-
- @AfterClass
- public static void end() {
- File f = new File("idmlight.db.mv.db");
- if (f.exists()) {
- f.delete();
- }
- f = new File("idmlight.db.trace.db");
- if (f.exists()) {
- f.delete();
- }
- }
-
- @Before
- public void before() throws StoreException, SQLException {
- UserStore us = new UserStore();
- us.dbClean();
- DomainStore ds = new DomainStore();
- ds.dbClean();
- RoleStore rs = new RoleStore();
- rs.dbClean();
- GrantStore gs = new GrantStore();
- gs.dbClean();
- }
-
- @Test
- public void testCreateDefaultDomain() throws StoreException {
- Domain d = new Domain();
- Assert.assertEquals(true, d != null);
- DomainStore ds = new DomainStore();
- d.setName(IIDMStore.DEFAULT_DOMAIN);
- d.setEnabled(true);
- d = ds.createDomain(d);
- Assert.assertEquals(true, d != null);
- }
-
- @Test
- public void testCreateTempRole() throws StoreException {
- Role role = H2Store.createRole("temp", "temp domain", "Temp Testing role");
- Assert.assertEquals(true, role != null);
- }
-
- @Test
- public void testCreateUser() throws StoreException {
- User user = H2Store.createUser("test", "pass", "domain", "desc", "email", true, "SALT");
- Assert.assertEquals(true, user != null);
- }
-
- @Test
- public void testCreateGrant() throws StoreException {
- Domain d = H2Store.createDomain("sdn", true);
- Role role = H2Store.createRole("temp", "temp domain", "Temp Testing role");
- User user = H2Store.createUser("test", "pass", "domain", "desc", "email", true, "SALT");
- Grant g = H2Store.createGrant(d.getDomainid(), user.getUserid(), role.getRoleid());
- Assert.assertEquals(true, g != null);
- }
-
- @Test
- public void testUpdatingUserEmail() throws StoreException {
- UserStore us = new UserStore();
- Domain d = H2Store.createDomain("sdn", true);
- User user = H2Store.createUser("test", "pass", d.getDomainid(), "desc", "email", true,
- "SALT");
-
- user.setName("test");
- user = us.putUser(user);
- Assert.assertEquals(true, user != null);
-
- user.setEmail("Test@Test.com");
- user = us.putUser(user);
-
- user = new User();
- user.setName("test");
- user.setDomainid(d.getDomainid());
- user = us.getUser(IDMStoreUtil.createUserid(user.getName(), user.getDomainid()));
-
- Assert.assertEquals("Test@Test.com", user.getEmail());
- }
- /*
- * @Test public void testCreateUserViaAPI() throws StoreException { Domain d
- * = StoreBuilder.createDomain("sdn",true);
- *
- * User user = new User(); user.setName("Hello"); user.setPassword("Hello");
- * user.setDomainid(d.getDomainid()); UserHandler h = new UserHandler();
- * h.createUser(null, user);
- *
- * User u = new User(); u.setName("Hello"); u.setDomainid(d.getDomainid());
- * UserStore us = new UserStore(); u =
- * us.getUser(IDMStoreUtil.createUserid(u.getName(),u.getDomainid()));
- *
- * Assert.assertEquals(true, u != null); }
- *
- * @Test public void testUpdateUserViaAPI() throws StoreException { Domain d
- * = StoreBuilder.createDomain("sdn",true);
- *
- * User user = new User(); user.setName("Hello"); user.setPassword("Hello");
- * user.setDomainid(d.getDomainid()); UserHandler h = new UserHandler();
- * h.createUser(null, user);
- *
- * user.setEmail("Hello@Hello.com"); user.setPassword("Test123");
- * h.putUser(null, user, "" + user.getUserid());
- *
- * UserStore us = new UserStore();
- *
- * User u = new User(); u.setName("Hello"); u.setDomainid(d.getDomainid());
- * u = us.getUser(IDMStoreUtil.createUserid(u.getName(),u.getDomainid()));
- *
- * Assert.assertEquals("Hello@Hello.com", u.getEmail());
- *
- * String hash = SHA256Calculator.getSHA256("Test123", u.getSalt());
- * Assert.assertEquals(u.getPassword(), hash); }
- *
- * @Test public void testUpdateUserRoleViaAPI() throws StoreException {
- * Domain d = StoreBuilder.createDomain("sdn",true); Role role1 =
- * StoreBuilder.createRole("temp1",d.getDomainid(),"Temp Testing role");
- * Role role2 =
- * StoreBuilder.createRole("temp2",d.getDomainid(),"Temp Testing role");
- *
- * User user = new User(); user.setName("Hello"); user.setPassword("Hello");
- * user.setDomainid(d.getDomainid());
- *
- * UserHandler h = new UserHandler(); h.createUser(null, user);
- *
- * user.setEmail("Hello@Hello.com"); user.setPassword("Test123");
- * h.putUser(null, user, user.getUserid());
- *
- * Grant g = new Grant(); g.setUserid(user.getUserid());
- * g.setDomainid(d.getDomainid()); g.setRoleid(role1.getRoleid());
- * GrantStore gs = new GrantStore(); g = gs.createGrant(g);
- *
- * Assert.assertEquals(true, g != null); Assert.assertEquals(g.getRoleid(),
- * role1.getRoleid());
- *
- * g = gs.deleteGrant(IDMStoreUtil.createGrantid(user.getUserid(),
- * d.getDomainid(), role1.getRoleid())); g.setRoleid(role2.getRoleid()); g =
- * gs.createGrant(g);
- *
- * Assert.assertEquals(true, g != null); Assert.assertEquals(g.getRoleid(),
- * role2.getRoleid());
- *
- * User u = new User(); u.setName("Hello"); u.setDomainid(d.getDomainid());
- * UserStore us = new UserStore(); u =
- * us.getUser(IDMStoreUtil.createUserid(u.getName(),u.getDomainid()));
- *
- * Assert.assertEquals("Hello@Hello.com", u.getEmail());
- *
- * String hash = SHA256Calculator.getSHA256("Test123", u.getSalt());
- * Assert.assertEquals(true, hash.equals(u.getPassword())); }
- */
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/RoleStoreTest.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/RoleStoreTest.java
deleted file mode 100644
index 37cb17a6..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/RoleStoreTest.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import static org.junit.Assert.*;
-import static org.mockito.Mockito.*;
-
-import java.sql.Connection;
-import java.sql.DatabaseMetaData;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.Mockito;
-import org.opendaylight.aaa.api.model.Roles;
-import org.opendaylight.aaa.h2.persistence.RoleStore;
-
-public class RoleStoreTest {
-
- Connection connectionMock = mock(Connection.class);
- private final RoleStore RoleStoreUnderTest = new RoleStore();
-
- @Before
- public void setup() {
- RoleStoreUnderTest.dbConnection = connectionMock;
- }
-
- @After
- public void teardown() {
- // dts.destroy();
- }
-
- @Test
- public void getRolesTest() throws SQLException, Exception {
- // Setup Mock Behavior
- String[] tableTypes = { "TABLE" };
- Mockito.when(connectionMock.isClosed()).thenReturn(false);
- DatabaseMetaData dbmMock = mock(DatabaseMetaData.class);
- Mockito.when(connectionMock.getMetaData()).thenReturn(dbmMock);
- ResultSet rsUserMock = mock(ResultSet.class);
- Mockito.when(dbmMock.getTables(null, null, "ROLES", tableTypes)).thenReturn(rsUserMock);
- Mockito.when(rsUserMock.next()).thenReturn(true);
-
- Statement stmtMock = mock(Statement.class);
- Mockito.when(connectionMock.createStatement()).thenReturn(stmtMock);
-
- ResultSet rsMock = getMockedResultSet();
- Mockito.when(stmtMock.executeQuery(anyString())).thenReturn(rsMock);
-
- // Run Test
- Roles roles = RoleStoreUnderTest.getRoles();
-
- // Verify
- assertTrue(roles.getRoles().size() == 1);
- verify(stmtMock).close();
-
- }
-
- public ResultSet getMockedResultSet() throws SQLException {
- ResultSet rsMock = mock(ResultSet.class);
- Mockito.when(rsMock.next()).thenReturn(true).thenReturn(false);
- Mockito.when(rsMock.getInt(RoleStore.SQL_ID)).thenReturn(1);
- Mockito.when(rsMock.getString(RoleStore.SQL_NAME)).thenReturn("RoleName_1");
- Mockito.when(rsMock.getString(RoleStore.SQL_DESCR)).thenReturn("Desc_1");
- return rsMock;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/UserStoreTest.java b/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/UserStoreTest.java
deleted file mode 100644
index e214c261..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/UserStoreTest.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.h2.persistence;
-
-import static org.junit.Assert.*;
-import static org.mockito.Mockito.*;
-
-import java.sql.Connection;
-import java.sql.DatabaseMetaData;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.Mockito;
-import org.opendaylight.aaa.api.model.Users;
-import org.opendaylight.aaa.h2.persistence.UserStore;
-
-public class UserStoreTest {
-
- Connection connectionMock = mock(Connection.class);
- private final UserStore userStoreUnderTest = new UserStore();
-
- @Before
- public void setup() {
- userStoreUnderTest.dbConnection = connectionMock;
- }
-
- @After
- public void teardown() {
- // dts.destroy();
- }
-
- @Test
- public void getUsersTest() throws SQLException, Exception {
- // Setup Mock Behavior
- String[] tableTypes = { "TABLE" };
- Mockito.when(connectionMock.isClosed()).thenReturn(false);
- DatabaseMetaData dbmMock = mock(DatabaseMetaData.class);
- Mockito.when(connectionMock.getMetaData()).thenReturn(dbmMock);
- ResultSet rsUserMock = mock(ResultSet.class);
- Mockito.when(dbmMock.getTables(null, null, "USERS", tableTypes)).thenReturn(rsUserMock);
- Mockito.when(rsUserMock.next()).thenReturn(true);
-
- Statement stmtMock = mock(Statement.class);
- Mockito.when(connectionMock.createStatement()).thenReturn(stmtMock);
-
- ResultSet rsMock = getMockedResultSet();
- Mockito.when(stmtMock.executeQuery(anyString())).thenReturn(rsMock);
-
- // Run Test
- Users users = userStoreUnderTest.getUsers();
-
- // Verify
- assertTrue(users.getUsers().size() == 1);
- verify(stmtMock).close();
-
- }
-
- public ResultSet getMockedResultSet() throws SQLException {
- ResultSet rsMock = mock(ResultSet.class);
- Mockito.when(rsMock.next()).thenReturn(true).thenReturn(false);
- Mockito.when(rsMock.getInt(UserStore.SQL_ID)).thenReturn(1);
- Mockito.when(rsMock.getString(UserStore.SQL_NAME)).thenReturn("Name_1");
- Mockito.when(rsMock.getString(UserStore.SQL_EMAIL)).thenReturn("Name_1@company.com");
- Mockito.when(rsMock.getString(UserStore.SQL_PASSWORD)).thenReturn("Pswd_1");
- Mockito.when(rsMock.getString(UserStore.SQL_DESCR)).thenReturn("Desc_1");
- Mockito.when(rsMock.getInt(UserStore.SQL_ENABLED)).thenReturn(1);
- return rsMock;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-idmlight/pom.xml
deleted file mode 100644
index 2ca5ff69..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/pom.xml
+++ /dev/null
@@ -1,229 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-idmlight</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <!--Yang Binding -->
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>config-api</artifactId>
- <version>${config.version}</version>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-config</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-binding-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-common-util</artifactId>
- </dependency>
-
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>javax.servlet-api</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- </dependency>
-
- <!-- JSON JAXB Stuff -->
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-annotations</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-databind</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.datatype</groupId>
- <artifactId>jackson-datatype-json-org</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.jaxrs</groupId>
- <artifactId>jackson-jaxrs-base</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.jaxrs</groupId>
- <artifactId>jackson-jaxrs-json-provider</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.module</groupId>
- <artifactId>jackson-module-jaxb-annotations</artifactId>
- </dependency>
-
- <dependency>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-servlets</artifactId>
- <scope>provided</scope>
- </dependency>
-
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>com.sun.jersey.jersey-test-framework</groupId>
- <artifactId>jersey-test-framework-grizzly2</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
-
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yang-maven-plugin</artifactId>
- <version>${yangtools.version}</version>
- <executions>
- <execution>
- <id>config</id>
- <goals>
- <goal>generate-sources</goal>
- </goals>
- <configuration>
- <codeGenerators>
- <generator>
- <codeGeneratorClass>org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator</codeGeneratorClass>
- <outputBaseDir>${jmxGeneratorPath}</outputBaseDir>
- <additionalConfiguration>
- <namespaceToPackage1>urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang</namespaceToPackage1>
- </additionalConfiguration>
- </generator>
- <generator>
- <codeGeneratorClass>org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl</codeGeneratorClass>
- <outputBaseDir>${salGeneratorPath}</outputBaseDir>
- </generator>
- </codeGenerators>
- <inspectDependencies>true</inspectDependencies>
- </configuration>
- </execution>
- </executions>
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>maven-sal-api-gen-plugin</artifactId>
- <version>${yangtools.version}</version>
- <type>jar</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>yang-jmx-generator-plugin</artifactId>
- <version>${config.version}</version>
- </dependency>
- </dependencies>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>attach-artifacts</id>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/initial/08-aaa-idmlight-config.xml</file>
- <type>xml</type>
- <classifier>config</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
- <execution>
- <id>attach-artifacts-idmtool</id>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/idmtool.py</file>
- <type>py</type>
- <classifier>config</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
-
- </executions>
- </plugin>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <!-- override default version so we don't use bnd 2.3.0 when embedding sqlite -->
-
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Import-Package>org.opendaylight.aaa.shiro.realm,org.apache.shiro.web.env,org.apache.shiro.authc,org.opendaylight.aaa.shiro.web.env,org.opendaylight.aaa.shiro.filters,javax.servlet.http,javax.ws.rs,javax.ws.rs.core,javax.xml.bind.annotation,org.apache.felix.dm,org.opendaylight.aaa,org.opendaylight.aaa.api.*,org.osgi.framework,org.slf4j,org.eclipse.jetty.servlets,com.sun.jersey.spi.container.servlet,com.google.*,org.opendaylight.*,org.osgi.util.tracker</Import-Package>
- <Web-ContextPath>/auth</Web-ContextPath>
- <!--<Web-Connectors>adminConn</Web-Connectors> -->
- <!--Bundle-Activator>org.opendaylight.aaa.idm.Activator</Bundle-Activator-->
- </instructions>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </configuration>
- </plugin>
- </plugins>
- </build>
-
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightApplication.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightApplication.java
deleted file mode 100644
index 6fcba5d6..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightApplication.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm;
-
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.ws.rs.core.Application;
-
-import org.opendaylight.aaa.idm.rest.DomainHandler;
-import org.opendaylight.aaa.idm.rest.RoleHandler;
-import org.opendaylight.aaa.idm.rest.UserHandler;
-import org.opendaylight.aaa.idm.rest.VersionHandler;
-
-/**
- * A JAX-RS application for IdmLight. The REST endpoints delivered by this
- * application are in the form:
- * <code>http://{HOST}:{PORT}/auth/v1/</code>
- *
- * For example, the users REST endpoint is:
- * <code>http://{HOST}:{PORT}/auth/v1/users</code>
- *
- * This application is responsible for interaction with the backing h2
- * database store.
- *
- * @author liemmn
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- * @see <code>org.opendaylight.aaa.idm.rest.DomainHandler</code>
- * @see <code>org.opendaylight.aaa.idm.rest.UserHandler</code>
- * @see <code>org.opendaylight.aaa.idm.rest.RoleHandler</code>
- */
-public class IdmLightApplication extends Application {
-
- //TODO create a bug to address the fact that the implementation assumes 128
- // as the max length, even though this claims 256.
- /**
- * The maximum field length for identity fields.
- */
- public static final int MAX_FIELD_LEN = 256;
- public IdmLightApplication() {
- }
-
- @Override
- public Set<Class<?>> getClasses() {
- return new HashSet<Class<?>>(Arrays.asList(VersionHandler.class,
- DomainHandler.class,
- RoleHandler.class,
- UserHandler.class));
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightProxy.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightProxy.java
deleted file mode 100644
index d17d2b13..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightProxy.java
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm;
-
-import com.google.common.base.Preconditions;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.api.AuthenticationException;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.aaa.api.CredentialAuth;
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.api.IdMService;
-import org.opendaylight.aaa.api.PasswordCredentials;
-import org.opendaylight.aaa.api.SHA256Calculator;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Grants;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.Users;
-import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * An OSGi proxy for the IdmLight server.
- *
- */
-public class IdmLightProxy implements CredentialAuth<PasswordCredentials>, IdMService {
-
- private static final Logger LOG = LoggerFactory.getLogger(IdmLightProxy.class);
-
- /**
- * claimCache is responsible for storing the active claims per domain. The
- * outer map is keyed by domain, and the inner map is keyed by
- * <code>PasswordCredentials</code>.
- */
- private static Map<String, Map<PasswordCredentials, Claim>> claimCache = new ConcurrentHashMap<>();
-
- // adds a store for the default "sdn" domain
- static {
- claimCache.put(IIDMStore.DEFAULT_DOMAIN,
- new ConcurrentHashMap<PasswordCredentials, Claim>());
- }
-
- @Override
- public Claim authenticate(PasswordCredentials creds) {
- Preconditions.checkNotNull(creds);
- Preconditions.checkNotNull(creds.username());
- Preconditions.checkNotNull(creds.password());
- String domain = creds.domain() == null ? IIDMStore.DEFAULT_DOMAIN : creds.domain();
- // FIXME: Add cache invalidation
- Map<PasswordCredentials, Claim> cache = claimCache.get(domain);
- if (cache == null) {
- cache = new ConcurrentHashMap<PasswordCredentials, Claim>();
- claimCache.put(domain, cache);
- }
- Claim claim = cache.get(creds);
- if (claim == null) {
- synchronized (claimCache) {
- claim = cache.get(creds);
- if (claim == null) {
- claim = dbAuthenticate(creds);
- if (claim != null) {
- cache.put(creds, claim);
- }
- }
- }
- }
- return claim;
- }
-
- /**
- * Clears the cache of any active claims.
- */
- public static synchronized void clearClaimCache() {
- LOG.info("Clearing the claim cache");
- for (Map<PasswordCredentials, Claim> cache : claimCache.values()) {
- cache.clear();
- }
- }
-
- private static Claim dbAuthenticate(PasswordCredentials creds) {
- Domain domain = null;
- User user = null;
- String credsDomain = creds.domain() == null ? IIDMStore.DEFAULT_DOMAIN : creds.domain();
- // check to see domain exists
- // TODO: ensure domain names are unique change to 'getDomain'
- LOG.debug("get domain");
- try {
- domain = AAAIDMLightModule.getStore().readDomain(credsDomain);
- if (domain == null) {
- throw new AuthenticationException("Domain :" + credsDomain + " does not exist");
- }
- } catch (IDMStoreException e) {
- throw new AuthenticationException("Error while fetching domain", e);
- }
-
- // check to see user exists and passes cred check
- try {
- LOG.debug("check user / pwd");
- Users users = AAAIDMLightModule.getStore().getUsers(creds.username(), credsDomain);
- List<User> userList = users.getUsers();
- if (userList.size() == 0) {
- throw new AuthenticationException("User :" + creds.username()
- + " does not exist in domain " + credsDomain);
- }
- user = userList.get(0);
- if (!SHA256Calculator.getSHA256(creds.password(), user.getSalt()).equals(
- user.getPassword())) {
- throw new AuthenticationException("UserName / Password not found");
- }
-
- // get all grants & roles for this domain and user
- LOG.debug("get grants");
- List<String> roles = new ArrayList<String>();
- Grants grants = AAAIDMLightModule.getStore().getGrants(domain.getDomainid(),
- user.getUserid());
- List<Grant> grantList = grants.getGrants();
- for (int z = 0; z < grantList.size(); z++) {
- Grant grant = grantList.get(z);
- Role role = AAAIDMLightModule.getStore().readRole(grant.getRoleid());
- if (role != null) {
- roles.add(role.getName());
- }
- }
-
- // build up the claim
- LOG.debug("build a claim");
- ClaimBuilder claim = new ClaimBuilder();
- claim.setUserId(user.getUserid().toString());
- claim.setUser(creds.username());
- claim.setDomain(credsDomain);
- for (int z = 0; z < roles.size(); z++) {
- claim.addRole(roles.get(z));
- }
- return claim.build();
- } catch (IDMStoreException se) {
- throw new AuthenticationException("idm data store exception :" + se.toString() + se);
- }
- }
-
- @Override
- public List<String> listDomains(String userId) {
- LOG.debug("list Domains for userId: {}", userId);
- List<String> domains = new ArrayList<String>();
- try {
- Grants grants = AAAIDMLightModule.getStore().getGrants(userId);
- List<Grant> grantList = grants.getGrants();
- for (int z = 0; z < grantList.size(); z++) {
- Grant grant = grantList.get(z);
- Domain domain = AAAIDMLightModule.getStore().readDomain(grant.getDomainid());
- domains.add(domain.getName());
- }
- return domains;
- } catch (IDMStoreException se) {
- LOG.warn("error getting domains ", se.toString(), se);
- return domains;
- }
-
- }
-
- @Override
- public List<String> listRoles(String userId, String domainName) {
- LOG.debug("listRoles");
- List<String> roles = new ArrayList<String>();
-
- try {
- // find domain name for specied domain name
- String did = null;
- try {
- Domain domain = AAAIDMLightModule.getStore().readDomain(domainName);
- if (domain == null) {
- LOG.debug("DomainName: {}", domainName + " Not found!");
- return roles;
- }
- did = domain.getDomainid();
- } catch (IDMStoreException e) {
- return roles;
- }
-
- // find all grants for uid and did
- Grants grants = AAAIDMLightModule.getStore().getGrants(did, userId);
- List<Grant> grantList = grants.getGrants();
- for (int z = 0; z < grantList.size(); z++) {
- Grant grant = grantList.get(z);
- Role role = AAAIDMLightModule.getStore().readRole(grant.getRoleid());
- roles.add(role.getName());
- }
-
- return roles;
- } catch (IDMStoreException se) {
- LOG.warn("error getting roles ", se.toString(), se);
- return roles;
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/StoreBuilder.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/StoreBuilder.java
deleted file mode 100644
index 111665c6..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/StoreBuilder.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm;
-
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.User;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * StoreBuilder is triggered during feature installation by
- * <code>AAAIDMLightModule.createInstance()</code>. StoreBuilder is responsible
- * for initializing the H2 database with initial default user account
- * information. By default, the following users are created:
- * <ol>
- * <li>admin</li>
- * <li>user</li>
- * </ol>
- *
- * By default, the following domain is created:
- * <ol>
- * <li>sdn</li>
- * </ol>
- *
- * By default, the following grants are created:
- * <ol>
- * <li>admin with admin role on sdn</li>
- * <li>admin with user role on sdn</li>
- * <li>user with user role on sdn</li>
- * </ol>
- *
- * @author peter.mellquist@hp.com
- * @author saichler@cisco.com
- */
-public class StoreBuilder {
-
- private static final Logger LOG = LoggerFactory.getLogger(StoreBuilder.class);
-
- public static void init(IIDMStore store) throws IDMStoreException {
- LOG.info("creating idmlight schema in store");
-
- // Check whether the default domain exists. If it exists, then do not
- // create default data in the store.
- // TODO Address the fact that someone may delete the sdn domain, or make
- // sdn mandatory.
- Domain defaultDomain = store.readDomain(IIDMStore.DEFAULT_DOMAIN);
- if (defaultDomain != null) {
- LOG.info("Found default domain in Store, skipping insertion of default data");
- return;
- }
-
- // make domain
- Domain domain = new Domain();
- User adminUser = new User();
- User userUser = new User();
- Role adminRole = new Role();
- Role userRole = new Role();
- domain.setEnabled(true);
- domain.setName(IIDMStore.DEFAULT_DOMAIN);
- domain.setDescription("default odl sdn domain");
- domain = store.writeDomain(domain);
-
- // Create default users
- // "admin" user
- adminUser.setEnabled(true);
- adminUser.setName("admin");
- adminUser.setDomainid(domain.getDomainid());
- adminUser.setDescription("admin user");
- adminUser.setEmail("");
- adminUser.setPassword("admin");
- adminUser = store.writeUser(adminUser);
- // "user" user
- userUser.setEnabled(true);
- userUser.setName("user");
- userUser.setDomainid(domain.getDomainid());
- userUser.setDescription("user user");
- userUser.setEmail("");
- userUser.setPassword("user");
- userUser = store.writeUser(userUser);
-
- // Create default Roles ("admin" and "user")
- adminRole.setName("admin");
- adminRole.setDomainid(domain.getDomainid());
- adminRole.setDescription("a role for admins");
- adminRole = store.writeRole(adminRole);
- userRole.setName("user");
- userRole.setDomainid(domain.getDomainid());
- userRole.setDescription("a role for users");
- userRole = store.writeRole(userRole);
-
- // Create default grants
- Grant grant = new Grant();
- grant.setDomainid(domain.getDomainid());
- grant.setUserid(userUser.getUserid());
- grant.setRoleid(userRole.getRoleid());
- grant = store.writeGrant(grant);
-
- grant.setDomainid(domain.getDomainid());
- grant.setUserid(adminUser.getUserid());
- grant.setRoleid(userRole.getRoleid());
- grant = store.writeGrant(grant);
-
- grant.setDomainid(domain.getDomainid());
- grant.setUserid(adminUser.getUserid());
- grant.setRoleid(adminRole.getRoleid());
- grant = store.writeGrant(grant);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/DomainHandler.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/DomainHandler.java
deleted file mode 100644
index 7ddc0748..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/DomainHandler.java
+++ /dev/null
@@ -1,591 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.rest;
-
-import java.util.ArrayList;
-import java.util.List;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.DELETE;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.model.Claim;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Domains;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Grants;
-import org.opendaylight.aaa.api.model.IDMError;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.Roles;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.UserPwd;
-import org.opendaylight.aaa.api.model.Users;
-import org.opendaylight.aaa.idm.IdmLightProxy;
-import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * REST application used to manipulate the H2 database domains table. The REST
- * endpoint is <code>/auth/v1/domains</code>.
- *
- * The following provides examples of curl commands and payloads to utilize the
- * domains REST endpoint:
- *
- * <b>Get All Domains</b>
- * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/domains</code>
- *
- * <b>Get A Specific Domain</b>
- * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/domains/{id}</code>
- *
- * <b>Create A Domain</b>
- * <code>curl -u admin:admin -X POST -H "Content-Type: application/json" --data-binary {@literal @}domain.json http://{HOST}:{PORT}/auth/v1/domains</code>
- * Example domain.json <code>{
- * "description": "new domain",
- * "enabled", "true",
- * "name", "not sdn"
- * }</code>
- *
- * <b>Update A Domain</b>
- * <code>curl -u admin:admin -X PUT -H "Content-Type: application/json" --data-binary {@literal @}domain.json http://{HOST}:{PORT}/auth/v1/domains</code>
- * Example domain.json <code>{
- * "description": "new domain description",
- * "enabled", "true",
- * "name", "not sdn"
- * }</code>
- *
- * @author peter.mellquist@hp.com
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-@Path("/v1/domains")
-public class DomainHandler {
-
- private static final Logger LOG = LoggerFactory.getLogger(DomainHandler.class);
-
- /**
- * Extracts all domains.
- *
- * @return a response with all domains stored in the H2 database
- */
- @GET
- @Produces("application/json")
- public Response getDomains() {
- LOG.info("Get /domains");
- Domains domains = null;
- try {
- domains = AAAIDMLightModule.getStore().getDomains();
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting domains");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- return Response.ok(domains).build();
- }
-
- /**
- * Extracts the domain represented by <code>domainId</code>.
- *
- * @param domainId the string domain (i.e., "sdn")
- * @return a response with the specified domain
- */
- @GET
- @Path("/{id}")
- @Produces("application/json")
- public Response getDomain(@PathParam("id") String domainId) {
- LOG.info("Get /domains/{}", domainId);
- Domain domain = null;
- try {
- domain = AAAIDMLightModule.getStore().readDomain(domainId);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting domain");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
-
- if (domain == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! domain id :" + domainId);
- return Response.status(404).entity(idmerror).build();
- }
- return Response.ok(domain).build();
- }
-
- /**
- * Creates a domain. The name attribute is required for domain creation.
- * Enabled and description fields are optional. Optional fields default
- * in the following manner:
- * <code>enabled</code>: <code>false</code>
- * <code>description</code>: An empty string (<code>""</code>).
- *
- * @param info passed from Jersey
- * @param domain designated by the REST payload
- * @return A response stating success or failure of domain creation.
- */
- @POST
- @Consumes("application/json")
- @Produces("application/json")
- public Response createDomain(@Context UriInfo info, Domain domain) {
- LOG.info("Post /domains");
- try {
- if (domain.isEnabled() == null) {
- domain.setEnabled(false);
- }
- if (domain.getName() == null) {
- domain.setName("");
- }
- if (domain.getDescription() == null) {
- domain.setDescription("");
- }
- domain = AAAIDMLightModule.getStore().writeDomain(domain);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error creating domain");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- return Response.status(201).entity(domain).build();
- }
-
- /**
- * Updates a domain.
- *
- * @param info passed from Jersey
- * @param domain the REST payload
- * @param domainId the last part of the path, containing the specified domain id
- * @return A response stating success or failure of domain update.
- */
- @PUT
- @Path("/{id}")
- @Consumes("application/json")
- @Produces("application/json")
- public Response putDomain(@Context UriInfo info, Domain domain, @PathParam("id") String domainId) {
- LOG.info("Put /domains/{}", domainId);
- try {
- domain.setDomainid(domainId);
- domain = AAAIDMLightModule.getStore().updateDomain(domain);
- if (domain == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! Domain id :" + domainId);
- return Response.status(404).entity(idmerror).build();
- }
- IdmLightProxy.clearClaimCache();
- return Response.status(200).entity(domain).build();
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error putting domain");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- }
-
- /**
- * Deletes a domain.
- *
- * @param info passed from Jersey
- * @param domainId the last part of the path, containing the specified domain id
- * @return A response stating success or failure of domain deletion.
- */
- @DELETE
- @Path("/{id}")
- public Response deleteDomain(@Context UriInfo info, @PathParam("id") String domainId) {
- LOG.info("Delete /domains/{}", domainId);
-
- try {
- Domain domain = AAAIDMLightModule.getStore().deleteDomain(domainId);
- if (domain == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! Domain id :" + domainId);
- return Response.status(404).entity(idmerror).build();
- }
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error deleting Domain");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- IdmLightProxy.clearClaimCache();
- return Response.status(204).build();
- }
-
- /**
- * Creates a grant. A grant defines the role a particular user is given on
- * a particular domain. For example, by default, AAA installs a grant for
- * the "admin" user, granting permission to act with "admin" role on the
- * "sdn" domain.
- *
- * @param info passed from Jersey
- * @param domainId the domain the user is allowed to access
- * @param userId the user that is allowed to access the domain
- * @param grant the payload containing role access controls
- * @return A response stating success or failure of grant creation.
- */
- @POST
- @Path("/{did}/users/{uid}/roles")
- @Consumes("application/json")
- @Produces("application/json")
- public Response createGrant(@Context UriInfo info, @PathParam("did") String domainId,
- @PathParam("uid") String userId, Grant grant) {
- LOG.info("Post /domains/{}/users/{}/roles", domainId, userId);
- Domain domain = null;
- User user = null;
- Role role = null;
- String roleId = null;
-
- // validate domain id
- try {
- domain = AAAIDMLightModule.getStore().readDomain(domainId);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting domain");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- if (domain == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! domain id :" + domainId);
- return Response.status(404).entity(idmerror).build();
- }
- grant.setDomainid(domainId);
-
- try {
- user = AAAIDMLightModule.getStore().readUser(userId);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting user");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- if (user == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! User id :" + userId);
- return Response.status(404).entity(idmerror).build();
- }
- grant.setUserid(userId);
-
- // validate role id
- try {
- roleId = grant.getRoleid();
- LOG.info("roleid = {}", roleId);
- } catch (NumberFormatException nfe) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Invalid Role id :" + grant.getRoleid());
- return Response.status(404).entity(idmerror).build();
- }
- try {
- role = AAAIDMLightModule.getStore().readRole(roleId);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting role");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- if (role == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! role :" + grant.getRoleid());
- return Response.status(404).entity(idmerror).build();
- }
-
- // see if grant already exists for this
- try {
- Grant existingGrant = AAAIDMLightModule.getStore().readGrant(domainId, userId, roleId);
- if (existingGrant != null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Grant already exists for did:" + domainId + " uid:" + userId
- + " rid:" + roleId);
- return Response.status(403).entity(idmerror).build();
- }
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error creating grant");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
-
- // create grant
- try {
- grant = AAAIDMLightModule.getStore().writeGrant(grant);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error creating grant");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
-
- IdmLightProxy.clearClaimCache();
- return Response.status(201).entity(grant).build();
- }
-
- /**
- * Used to validate user access.
- *
- * @param info passed from Jersey
- * @param domainId the domain in question
- * @param userpwd the password attempt
- * @return A response stating success or failure of user validation.
- */
- @POST
- @Path("/{did}/users/roles")
- @Consumes("application/json")
- @Produces("application/json")
- public Response validateUser(@Context UriInfo info, @PathParam("did") String domainId,
- UserPwd userpwd) {
-
- LOG.info("GET /domains/{}/users", domainId);
- Domain domain = null;
- Claim claim = new Claim();
- List<Role> roleList = new ArrayList<Role>();
-
- try {
- domain = AAAIDMLightModule.getStore().readDomain(domainId);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting domain");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- if (domain == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! Domain id :" + domainId);
- return Response.status(404).entity(idmerror).build();
- }
-
- // check request body for username and pwd
- String username = userpwd.getUsername();
- if (username == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("username not specfied in request body");
- return Response.status(400).entity(idmerror).build();
- }
- String pwd = userpwd.getUserpwd();
- if (pwd == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("userpwd not specfied in request body");
- return Response.status(400).entity(idmerror).build();
- }
-
- // find userid for user
- try {
- Users users = AAAIDMLightModule.getStore().getUsers(username, domainId);
- List<User> userList = users.getUsers();
- if (userList.size() == 0) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("did not find username: " + username);
- return Response.status(404).entity(idmerror).build();
- }
- User user = userList.get(0);
- String userPwd = user.getPassword();
- String reqPwd = userpwd.getUserpwd();
- if (!userPwd.equals(reqPwd)) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("password does not match for username: " + username);
- return Response.status(401).entity(idmerror).build();
- }
- claim.setDomainid(domainId);
- claim.setUsername(username);
- claim.setUserid(user.getUserid());
- try {
- Grants grants = AAAIDMLightModule.getStore().getGrants(domainId, user.getUserid());
- List<Grant> grantsList = grants.getGrants();
- for (int i = 0; i < grantsList.size(); i++) {
- Grant grant = grantsList.get(i);
- Role role = AAAIDMLightModule.getStore().readRole(grant.getRoleid());
- roleList.add(role);
- }
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting Roles");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- claim.setRoles(roleList);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting user");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
-
- return Response.ok(claim).build();
- }
-
- /**
- * Get the grants for a user on a domain.
- *
- * @param info passed from Jersey
- * @param domainId the domain in question
- * @param userId the user in question
- * @return A response containing the grants for a user on a domain.
- */
- @GET
- @Path("/{did}/users/{uid}/roles")
- @Produces("application/json")
- public Response getRoles(@Context UriInfo info, @PathParam("did") String domainId,
- @PathParam("uid") String userId) {
- LOG.info("GET /domains/{}/users/{}/roles", domainId, userId);
- Domain domain = null;
- User user = null;
- Roles roles = new Roles();
- List<Role> roleList = new ArrayList<Role>();
-
- try {
- domain = AAAIDMLightModule.getStore().readDomain(domainId);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting domain");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- if (domain == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! Domain id :" + domainId);
- return Response.status(404).entity(idmerror).build();
- }
-
- try {
- user = AAAIDMLightModule.getStore().readUser(userId);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting user");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- if (user == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! User id :" + userId);
- return Response.status(404).entity(idmerror).build();
- }
-
- try {
- Grants grants = AAAIDMLightModule.getStore().getGrants(domainId, userId);
- List<Grant> grantsList = grants.getGrants();
- for (int i = 0; i < grantsList.size(); i++) {
- Grant grant = grantsList.get(i);
- Role role = AAAIDMLightModule.getStore().readRole(grant.getRoleid());
- roleList.add(role);
- }
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting Roles");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
-
- roles.setRoles(roleList);
- return Response.ok(roles).build();
- }
-
- /**
- * Delete a grant.
- *
- * @param info passed from Jersey
- * @param domainId the domain for the grant
- * @param userId the user for the grant
- * @param roleId the role for the grant
- * @return A response stating success or failure of the grant deletion.
- */
- @DELETE
- @Path("/{did}/users/{uid}/roles/{rid}")
- public Response deleteGrant(@Context UriInfo info, @PathParam("did") String domainId,
- @PathParam("uid") String userId, @PathParam("rid") String roleId) {
- Domain domain = null;
- User user = null;
- Role role = null;
-
- try {
- domain = AAAIDMLightModule.getStore().readDomain(domainId);
- } catch (IDMStoreException se) {
- LOG.error("Error deleting Grant : ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting domain");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- if (domain == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! Domain id :" + domainId);
- return Response.status(404).entity(idmerror).build();
- }
-
- try {
- user = AAAIDMLightModule.getStore().readUser(userId);
- } catch (IDMStoreException se) {
- LOG.error("StoreException : ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting user");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- if (user == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! User id :" + userId);
- return Response.status(404).entity(idmerror).build();
- }
-
- try {
- role = AAAIDMLightModule.getStore().readRole(roleId);
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error getting Role");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- if (role == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Not found! Role id :" + roleId);
- return Response.status(404).entity(idmerror).build();
- }
-
- // see if grant already exists
- try {
- Grant existingGrant = AAAIDMLightModule.getStore().readGrant(domainId, userId, roleId);
- if (existingGrant == null) {
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Grant does not exist for did:" + domainId + " uid:" + userId
- + " rid:" + roleId);
- return Response.status(404).entity(idmerror).build();
- }
- existingGrant = AAAIDMLightModule.getStore().deleteGrant(existingGrant.getGrantid());
- } catch (IDMStoreException se) {
- LOG.error("StoreException: ", se);
- IDMError idmerror = new IDMError();
- idmerror.setMessage("Internal error creating grant");
- idmerror.setDetails(se.getMessage());
- return Response.status(500).entity(idmerror).build();
- }
- IdmLightProxy.clearClaimCache();
- return Response.status(204).build();
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/RoleHandler.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/RoleHandler.java
deleted file mode 100644
index 34a60c0c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/RoleHandler.java
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.rest;
-
-import javax.ws.rs.Consumes;
-import javax.ws.rs.DELETE;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
-
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.model.IDMError;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.Roles;
-import org.opendaylight.aaa.idm.IdmLightApplication;
-import org.opendaylight.aaa.idm.IdmLightProxy;
-import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * REST application used to manipulate the H2 database roles table. The REST
- * endpoint is <code>/auth/v1/roles</code>.
- *
- * The following provides examples of curl commands and payloads to utilize the
- * roles REST endpoint:
- *
- * <b>Get All Roles</b>
- * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/roles</code>
- *
- * <b>Get A Specific Role</b>
- * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/roles/{id}</code>
- *
- * <b>Create A Role</b>
- * <code>curl -u admin:admin -X POST -H "Content-Type: application/json" --data-binary {@literal @}role.json http://{HOST}:{PORT}/auth/v1/roles</code>
- * An example of role.json:
- * <code>{
- * "name":"IT Administrator",
- * "description":"A user role for IT admins"
- * }</code>
- *
- * <b>Update A Role</b>
- * <code>curl -u admin:admin -X PUT -H "Content-Type: application/json" --data-binary {@literal @}role.json http://{HOST}:{PORT}/auth/v1/roles/{id}</code>
- * An example of role.json:
- * <code>{
- * "name":"IT Administrator Limited",
- * "description":"A user role for IT admins who can only do one thing"
- * }</code>
- *
- * @author peter.mellquist@hp.com
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-@Path("/v1/roles")
-public class RoleHandler {
- private static final Logger LOG = LoggerFactory.getLogger(RoleHandler.class);
-
- /**
- * Extracts all roles.
- *
- * @return A response with all roles in the H2 database, or internal error if one is encountered
- */
- @GET
- @Produces("application/json")
- public Response getRoles() {
- LOG.info("get /roles");
- Roles roles = null;
- try {
- roles = AAAIDMLightModule.getStore().getRoles();
- } catch (IDMStoreException se) {
- return new IDMError(500, "internal error getting roles", se.getMessage()).response();
- }
- return Response.ok(roles).build();
- }
-
- /**
- * Extract a specific role identified by <code>id</code>
- *
- * @param id the String id for the role
- * @return A response with the role identified by <code>id</code>, or internal error if one is encountered
- */
- @GET
- @Path("/{id}")
- @Produces("application/json")
- public Response getRole(@PathParam("id") String id) {
- LOG.info("get /roles/{}", id);
- Role role = null;
-
- try {
- role = AAAIDMLightModule.getStore().readRole(id);
- } catch (IDMStoreException se) {
- return new IDMError(500, "internal error getting roles", se.getMessage()).response();
- }
-
- if (role == null) {
- return new IDMError(404, "role not found id :" + id, "").response();
- }
- return Response.ok(role).build();
- }
-
- /**
- * Creates a role.
- *
- * @param info passed from Jersey
- * @param role the role JSON payload
- * @return A response stating success or failure of role creation, or internal error if one is encountered
- */
- @POST
- @Consumes("application/json")
- @Produces("application/json")
- public Response createRole(@Context UriInfo info, Role role) {
- LOG.info("Post /roles");
- try {
- // TODO: role names should be unique!
- // name
- if (role.getName() == null) {
- return new IDMError(404, "name must be defined on role create", "").response();
- } else if (role.getName().length() > IdmLightApplication.MAX_FIELD_LEN) {
- return new IDMError(400, "role name max length is :"
- + IdmLightApplication.MAX_FIELD_LEN, "").response();
- }
-
- // domain
- if (role.getDomainid() == null) {
- return new IDMError(404,
- "The role's domain must be defined on role when creating a role.", "")
- .response();
- } else if (role.getDomainid().length() > IdmLightApplication.MAX_FIELD_LEN) {
- return new IDMError(400, "role domain max length is :"
- + IdmLightApplication.MAX_FIELD_LEN, "").response();
- }
-
- // description
- if (role.getDescription() == null) {
- role.setDescription("");
- } else if (role.getDescription().length() > IdmLightApplication.MAX_FIELD_LEN) {
- return new IDMError(400, "role description max length is :"
- + IdmLightApplication.MAX_FIELD_LEN, "").response();
- }
-
- role = AAAIDMLightModule.getStore().writeRole(role);
- } catch (IDMStoreException se) {
- return new IDMError(500, "internal error creating role", se.getMessage()).response();
- }
-
- return Response.status(201).entity(role).build();
- }
-
- /**
- * Updates a specific role identified by <code>id</code>.
- *
- * @param info passed from Jersey
- * @param role the role JSON payload
- * @param id the String id for the role
- * @return A response stating success or failure of role update, or internal error if one occurs
- */
- @PUT
- @Path("/{id}")
- @Consumes("application/json")
- @Produces("application/json")
- public Response putRole(@Context UriInfo info, Role role, @PathParam("id") String id) {
- LOG.info("put /roles/{}", id);
-
- try {
- role.setRoleid(id);
-
- // name
- // TODO: names should be unique
- if ((role.getName() != null)
- && (role.getName().length() > IdmLightApplication.MAX_FIELD_LEN)) {
- return new IDMError(400, "role name max length is :"
- + IdmLightApplication.MAX_FIELD_LEN, "").response();
- }
-
- // description
- if ((role.getDescription() != null)
- && (role.getDescription().length() > IdmLightApplication.MAX_FIELD_LEN)) {
- return new IDMError(400, "role description max length is :"
- + IdmLightApplication.MAX_FIELD_LEN, "").response();
- }
-
- role = AAAIDMLightModule.getStore().updateRole(role);
- if (role == null) {
- return new IDMError(404, "role id not found :" + id, "").response();
- }
- IdmLightProxy.clearClaimCache();
- return Response.status(200).entity(role).build();
- } catch (IDMStoreException se) {
- return new IDMError(500, "internal error putting role", se.getMessage()).response();
- }
- }
-
- /**
- * Delete a role.
- *
- * @param info passed from Jersey
- * @param id the String id for the role
- * @return A response stating success or failure of user deletion, or internal error if one occurs
- */
- @DELETE
- @Path("/{id}")
- public Response deleteRole(@Context UriInfo info, @PathParam("id") String id) {
- LOG.info("Delete /roles/{}", id);
-
- try {
- Role role = AAAIDMLightModule.getStore().deleteRole(id);
- if (role == null) {
- return new IDMError(404, "role id not found :" + id, "").response();
- }
- } catch (IDMStoreException se) {
- return new IDMError(500, "internal error deleting role", se.getMessage()).response();
- }
- IdmLightProxy.clearClaimCache();
- return Response.status(204).build();
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java
deleted file mode 100644
index 1649faa2..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java
+++ /dev/null
@@ -1,420 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.rest;
-
-import java.util.Collection;
-
-import javax.ws.rs.Consumes;
-import javax.ws.rs.DELETE;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
-
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.model.IDMError;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.Users;
-import org.opendaylight.aaa.idm.IdmLightApplication;
-import org.opendaylight.aaa.idm.IdmLightProxy;
-import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * REST application used to manipulate the H2 database users table. The REST
- * endpoint is <code>/auth/v1/users</code>.
- *
- * The following provides examples of how curl commands and payloads to utilize
- * the users REST endpoint:
- *
- * <b>Get All Users</b>
- * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/users</code>
- *
- * <b>Get A Specific User</b>
- * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/users/{id}</code>
- *
- * <b>Create A User</b>
- * <code>curl -u admin:admin -X POST -H "Content-type: application/json" --data-binary {@literal @}user.json http://{HOST}:{PORT}/auth/v1/users</code>
- * An example of user.json file is:
- * <code>{
- * "name": "admin2",
- * "password", "admin2",
- * "domain": "sdn"
- * }</code>
- *
- * <b>Update A User</b>
- * <code>curl -u admin:admin -X PUT -H "Content-type: application/json" --data-binary {@literal @}user.json http://{HOST}:{PORT}/auth/v1/users/{id}</code>
- * An example of user.json file is:
- * <code>{
- * "name": "admin2",
- * "password", "admin2",
- * "domain": "sdn",
- * "description", "Simple description."
- * }</code>
- *
- * <b>Delete A User</b>
- * <code>curl -u admin:admin -X DELETE http://{HOST}:{PORT}/auth/v1/users/{id}</code>
- *
- * @author peter.mellquist@hp.com
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-@Path("/v1/users")
-public class UserHandler {
-
- private static final Logger LOG = LoggerFactory.getLogger(UserHandler.class);
-
- /**
- * If a user is created through the <code>/auth/v1/users</code> rest
- * endpoint without a password, the default password is assigned to the
- * user.
- */
- private final static String DEFAULT_PWD = "changeme";
-
- /**
- * When an HTTP GET is performed on <code>/auth/v1/users</code>, the
- * password field is replaced with <code>REDACTED_PASSWORD</code> for
- * security reasons.
- */
- private static final String REDACTED_PASSWORD = "**********";
-
- /**
- * When an HTTP GET is performed on <code>/auth/v1/users</code>, the salt
- * field is replaced with <code>REDACTED_SALT</code> for security reasons.
- */
- private static final String REDACTED_SALT = "**********";
-
- /**
- * When creating a user, the description is optional and defaults to an
- * empty string.
- */
- private static final String DEFAULT_DESCRIPTION = "";
-
- /**
- * When creating a user, the email is optional and defaults to an empty
- * string.
- */
- private static final String DEFAULT_EMAIL = "";
-
- /**
- * Extracts all users. The password and salt fields are redacted for
- * security reasons.
- *
- * @return A response containing the users, or internal error if one occurs
- */
- @GET
- @Produces("application/json")
- public Response getUsers() {
- LOG.info("GET /auth/v1/users (extracts all users)");
-
- try {
- final Users users = AAAIDMLightModule.getStore().getUsers();
-
- // Redact the password and salt for security purposes.
- final Collection<User> usersList = users.getUsers();
- for (User user : usersList) {
- redactUserPasswordInfo(user);
- }
-
- return Response.ok(users).build();
- } catch (IDMStoreException se) {
- return internalError("getting", se);
- }
- }
-
- /**
- * Extracts the user represented by <code>id</code>. The password and salt
- * fields are redacted for security reasons.
- *
- * @param id the unique id of representing the user account
- * @return A response with the user information, or internal error if one occurs
- */
- @GET
- @Path("/{id}")
- @Produces("application/json")
- public Response getUser(@PathParam("id") String id) {
- LOG.info("GET auth/v1/users/ {} (extract user with specified id)", id);
-
- try {
- final User user = AAAIDMLightModule.getStore().readUser(id);
-
- if (user == null) {
- final String error = "user not found! id: " + id;
- return new IDMError(404, error, "").response();
- }
-
- // Redact the password and salt for security purposes.
- redactUserPasswordInfo(user);
-
- return Response.ok(user).build();
- } catch (IDMStoreException se) {
- return internalError("getting", se);
- }
- }
-
- /**
- * REST endpoint to create a user. Name and domain are required attributes,
- * and all other fields (description, email, password, enabled) are
- * optional. Optional fields default in the following manner:
- * <code>description</code>: An empty string (<code>""</code>).
- * <code>email</code>: An empty string (<code>""</code>).
- * <code>password</code>: <code>changeme</code> <code>enabled</code>:
- * <code>true</code>
- *
- * If a password is not provided, please ensure you change the default
- * password ASAP for security reasons!
- *
- * @param info passed from Jersey
- * @param user the user defined in the JSON payload
- * @return A response stating success or failure of user creation
- */
- @POST
- @Consumes("application/json")
- @Produces("application/json")
- public Response createUser(@Context UriInfo info, User user) {
- LOG.info("POST /auth/v1/users (create a user with the specified payload");
-
- // The "enabled" field is optional, and defaults to true.
- if (user.isEnabled() == null) {
- user.setEnabled(true);
- }
-
- // The "name" field is required.
- final String userName = user.getName();
- if (userName == null) {
- return missingRequiredField("name");
- }
- // The "name" field has a maximum length.
- if (userName.length() > IdmLightApplication.MAX_FIELD_LEN) {
- return providedFieldTooLong("name", IdmLightApplication.MAX_FIELD_LEN);
- }
-
- // The "domain field is required.
- final String domainId = user.getDomainid();
- if (domainId == null) {
- return missingRequiredField("domain");
- }
- // The "domain" field has a maximum length.
- if (domainId.length() > IdmLightApplication.MAX_FIELD_LEN) {
- return providedFieldTooLong("domain", IdmLightApplication.MAX_FIELD_LEN);
- }
-
- // The "description" field is optional and defaults to "".
- final String userDescription = user.getDescription();
- if (userDescription == null) {
- user.setDescription(DEFAULT_DESCRIPTION);
- }
- // The "description" field has a maximum length.
- if (userDescription.length() > IdmLightApplication.MAX_FIELD_LEN) {
- return providedFieldTooLong("description", IdmLightApplication.MAX_FIELD_LEN);
- }
-
- // The "email" field is optional and defaults to "".
- final String userEmail = user.getEmail();
- if (userEmail == null) {
- user.setEmail(DEFAULT_EMAIL);
- }
- if (userEmail.length() > IdmLightApplication.MAX_FIELD_LEN) {
- return providedFieldTooLong("email", IdmLightApplication.MAX_FIELD_LEN);
- }
- // TODO add a check on email format here.
-
- // The "password" field is optional and defautls to "changeme".
- final String userPassword = user.getPassword();
- if (userPassword == null) {
- user.setPassword(DEFAULT_PWD);
- } else if (userPassword.length() > IdmLightApplication.MAX_FIELD_LEN) {
- return providedFieldTooLong("password", IdmLightApplication.MAX_FIELD_LEN);
- }
-
- try {
- // At this point, fields have been properly verified. Create the
- // user account
- final User createdUser = AAAIDMLightModule.getStore().writeUser(user);
- user.setUserid(createdUser.getUserid());
- } catch (IDMStoreException se) {
- return internalError("creating", se);
- }
-
- // Redact the password and salt for security reasons.
- redactUserPasswordInfo(user);
- // TODO report back to the client a warning message to change the
- // default password if none was specified.
- return Response.status(201).entity(user).build();
- }
-
- /**
- * REST endpoint to update a user account.
- *
- * @param info passed from Jersey
- * @param user the user defined in the JSON payload
- * @param id the unique id for the user that will be updated
- * @return A response stating success or failure of the user update
- */
- @PUT
- @Path("/{id}")
- @Consumes("application/json")
- @Produces("application/json")
- public Response putUser(@Context UriInfo info, User user, @PathParam("id") String id) {
-
- LOG.info("PUT /auth/v1/users/{} (Updates a user account)", id);
-
- try {
- user.setUserid(id);
-
- if (checkInputFieldLength(user.getPassword())) {
- return providedFieldTooLong("password", IdmLightApplication.MAX_FIELD_LEN);
- }
-
- if (checkInputFieldLength(user.getName())) {
- return providedFieldTooLong("name", IdmLightApplication.MAX_FIELD_LEN);
- }
-
- if (checkInputFieldLength(user.getDescription())) {
- return providedFieldTooLong("description", IdmLightApplication.MAX_FIELD_LEN);
- }
-
- if (checkInputFieldLength(user.getEmail())) {
- return providedFieldTooLong("email", IdmLightApplication.MAX_FIELD_LEN);
- }
-
- if (checkInputFieldLength(user.getDomainid())) {
- return providedFieldTooLong("domain", IdmLightApplication.MAX_FIELD_LEN);
- }
-
- user = AAAIDMLightModule.getStore().updateUser(user);
- if (user == null) {
- return new IDMError(404, String.format("User not found for id %s", id), "").response();
- }
-
- IdmLightProxy.clearClaimCache();
-
- // Redact the password and salt for security reasons.
- redactUserPasswordInfo(user);
- return Response.status(200).entity(user).build();
- } catch (IDMStoreException se) {
- return internalError("updating", se);
- }
- }
-
- /**
- * REST endpoint to delete a user account.
- *
- * @param info passed from Jersey
- * @param id the unique id of the user which is being deleted
- * @return A response stating success or failure of user deletion
- */
- @DELETE
- @Path("/{id}")
- public Response deleteUser(@Context UriInfo info, @PathParam("id") String id) {
- LOG.info("DELETE /auth/v1/users/{} (Delete a user account)", id);
-
- try {
- final User user = AAAIDMLightModule.getStore().deleteUser(id);
-
- if (user == null) {
- return new IDMError(404,
- String.format("Error deleting user. " +
- "Couldn't find user with id %s", id),
- "").response();
- }
- } catch (IDMStoreException se) {
- return internalError("deleting", se);
- }
-
- // Successfully deleted the user; report success to the client.
- IdmLightProxy.clearClaimCache();
- return Response.status(204).build();
- }
-
- /**
- * Creates a <code>Response</code> related to an internal server error.
- *
- * @param verbal such as "creating", "deleting", "updating"
- * @param e The exception, which is propagated in the response
- * @return A response containing internal error with specific reasoning
- */
- private Response internalError(final String verbal, final Exception e) {
- LOG.error("There was an internal error {} the user", verbal, e);
- return new IDMError(500,
- String.format("There was an internal error %s the user", verbal),
- e.getMessage()).response();
- }
-
- /**
- * Creates a <code>Response</code> related to the user not providing a
- * required field.
- *
- * @param fieldName the name of the field which is missing
- * @return A response explaining that the request is missing a field
- */
- private Response missingRequiredField(final String fieldName) {
-
- return new IDMError(400,
- String.format("%s is required to create the user account. " +
- "Please provide a %s in your payload.", fieldName, fieldName),
- "").response();
- }
-
- /**
- * Creates a <code>Response</code> related to the user providing a field
- * that is too long.
- *
- * @param fieldName the name of the field that is too long
- * @param maxFieldLength the maximum length of <code>fieldName</code>
- * @return A response containing the bad field and the maximum field length
- */
- private Response providedFieldTooLong(final String fieldName, final int maxFieldLength) {
-
- return new IDMError(400,
- getProvidedFieldTooLongMessage(fieldName, maxFieldLength),
- "").response();
- }
-
- /**
- * Creates the client-facing message related to the user providing a field
- * that is too long.
- *
- * @param fieldName the name of the field that is too long
- * @param maxFieldLength the maximum length of <code>fieldName</code>
- * @return
- */
- private static String getProvidedFieldTooLongMessage(final String fieldName,
- final int maxFieldLength) {
-
- return String.format("The provided {} field is too long. " +
- "The max length is {}.", fieldName, maxFieldLength);
- }
-
- /**
- * Prepares a user account for output by redacting the appropriate fields.
- * This method side-effects the <code>user</code> parameter.
- *
- * @param user the user account which will have fields redacted
- */
- private static void redactUserPasswordInfo(final User user) {
- user.setPassword(REDACTED_PASSWORD);
- user.setSalt(REDACTED_SALT);
- }
-
- /**
- * Validate the input field length
- *
- * @param inputField
- * @return true if input field bigger than the MAX_FIELD_LEN
- */
- private boolean checkInputFieldLength(final String inputField) {
- return inputField != null && (inputField.length() > IdmLightApplication.MAX_FIELD_LEN);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/VersionHandler.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/VersionHandler.java
deleted file mode 100644
index f865162a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/VersionHandler.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.rest;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.GET;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
-
-import org.opendaylight.aaa.api.model.Version;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- *
- * @author peter.mellquist@hp.com
- *
- */
-@Deprecated
-@Path("/")
-public class VersionHandler {
- private static final Logger LOG = LoggerFactory.getLogger(VersionHandler.class);;
-
- protected static String CURRENT_VERSION = "v1";
- protected static String LAST_UPDATED = "2014-04-18T18:30:02.25Z";
- protected static String CURRENT_STATUS = "CURRENT";
-
- @GET
- @Produces("application/json")
- public Version getVersion(@Context HttpServletRequest request) {
- LOG.info("Get /");
- Version version = new Version();
- version.setId(CURRENT_VERSION);
- version.setUpdated(LAST_UPDATED);
- version.setStatus(CURRENT_STATUS);
- return version;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModule.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModule.java
deleted file mode 100644
index d6872635..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModule.java
+++ /dev/null
@@ -1,90 +0,0 @@
-package org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204;
-
-import org.opendaylight.aaa.api.CredentialAuth;
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.api.IdMService;
-import org.opendaylight.aaa.idm.IdmLightProxy;
-import org.opendaylight.aaa.idm.StoreBuilder;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.ServiceReference;
-import org.osgi.framework.ServiceRegistration;
-import org.osgi.util.tracker.ServiceTracker;
-import org.osgi.util.tracker.ServiceTrackerCustomizer;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class AAAIDMLightModule extends org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AbstractAAAIDMLightModule {
-
- private static final Logger LOG = LoggerFactory.getLogger(AAAIDMLightModule.class);
- private BundleContext bundleContext = null;
- private static volatile IIDMStore store = null;
-
- public AAAIDMLightModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) {
- super(identifier, dependencyResolver);
- }
-
- public AAAIDMLightModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, org.opendaylight.controller.config.api.DependencyResolver dependencyResolver, org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule oldModule, java.lang.AutoCloseable oldInstance) {
- super(identifier, dependencyResolver, oldModule, oldInstance);
- }
-
- @Override
- public void customValidation() {
- // add custom validation form module attributes here.
- }
-
- @Override
- public java.lang.AutoCloseable createInstance() {
- final IdmLightProxy proxy = new IdmLightProxy();
- final ServiceRegistration<?> idmService = bundleContext.registerService(IdMService.class.getName(), proxy, null);
- final ServiceRegistration<?> clientAuthService = bundleContext.registerService(CredentialAuth.class.getName(), proxy, null);
-
- final ServiceTracker<IIDMStore, IIDMStore> storeServiceTracker = new ServiceTracker<>(bundleContext, IIDMStore.class,
- new ServiceTrackerCustomizer<IIDMStore, IIDMStore>() {
- @Override
- public IIDMStore addingService(ServiceReference<IIDMStore> reference) {
- store = reference.getBundle().getBundleContext().getService(reference);
- LOG.info("IIDMStore service {} was found", store.getClass());
- try {
- StoreBuilder.init(store);
- } catch (IDMStoreException e) {
- LOG.error("Failed to initialize data in store", e);
- }
-
- return store;
- }
-
- @Override
- public void modifiedService(ServiceReference<IIDMStore> reference, IIDMStore service) {
- }
-
- @Override
- public void removedService(ServiceReference<IIDMStore> reference, IIDMStore service) {
- }
- });
-
- storeServiceTracker.open();
-
- LOG.info("AAA IDM Light Module Initialized");
- return new AutoCloseable() {
- @Override
- public void close() throws Exception {
- idmService.unregister();
- clientAuthService.unregister();
- storeServiceTracker.close();
- }
- };
- }
-
- public void setBundleContext(BundleContext b){
- this.bundleContext = b;
- }
-
- public static final IIDMStore getStore(){
- return store;
- }
-
- public static final void setStore(IIDMStore s){
- store = s;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModuleFactory.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModuleFactory.java
deleted file mode 100644
index de277da8..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModuleFactory.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
-* Generated file
-*
-* Generated from: yang module name: aaa-idmlight yang module local name: aaa-idmlight
-* Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
-* Generated at: Fri Dec 04 11:37:37 PST 2015
-*
-* Do not modify this file unless it is present under src/main directory
-*/
-package org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204;
-
-import org.opendaylight.controller.config.api.DependencyResolver;
-import org.osgi.framework.BundleContext;
-
-public class AAAIDMLightModuleFactory extends org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AbstractAAAIDMLightModuleFactory {
- @Override
- public AAAIDMLightModule instantiateModule(String instanceName, DependencyResolver dependencyResolver, AAAIDMLightModule oldModule, AutoCloseable oldInstance, BundleContext bundleContext) {
- AAAIDMLightModule module = super.instantiateModule(instanceName, dependencyResolver, oldModule, oldInstance, bundleContext);
- module.setBundleContext(bundleContext);
- return module;
- }
-
- @Override
- public AAAIDMLightModule instantiateModule(String instanceName, DependencyResolver dependencyResolver, BundleContext bundleContext) {
- AAAIDMLightModule module = super.instantiateModule(instanceName, dependencyResolver, bundleContext);
- module.setBundleContext(bundleContext);
- return module;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/WEB-INF/web.xml b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/WEB-INF/web.xml
deleted file mode 100644
index facba131..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/WEB-INF/web.xml
+++ /dev/null
@@ -1,77 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
- version="3.0">
-
- <servlet>
- <servlet-name>IdmLight</servlet-name>
- <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
- <init-param>
- <param-name>javax.ws.rs.Application</param-name>
- <param-value>org.opendaylight.aaa.idm.IdmLightApplication</param-value>
- </init-param>
- <init-param>
- <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name><param-value>true</param-value>
- </init-param>
- <load-on-startup>1</load-on-startup>
- </servlet>
- <servlet-mapping>
- <servlet-name>IdmLight</servlet-name>
- <url-pattern>/*</url-pattern>
- </servlet-mapping>
-
- <context-param>
- <param-name>shiroEnvironmentClass</param-name>
- <param-value>org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment</param-value>
- </context-param>
-
- <listener>
- <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
- </listener>
-
- <filter>
- <filter-name>ShiroFilter</filter-name>
- <filter-class>org.opendaylight.aaa.shiro.filters.AAAFilter</filter-class>
- </filter>
-
- <filter-mapping>
- <filter-name>ShiroFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
- <filter>
- <filter-name>cross-origin-restconf</filter-name>
- <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
- <init-param>
- <param-name>allowedOrigins</param-name>
- <param-value>*</param-value>
- </init-param>
- <init-param>
- <param-name>allowedMethods</param-name>
- <param-value>GET,POST,OPTIONS,DELETE,PUT,HEAD</param-value>
- </init-param>
- <init-param>
- <param-name>allowedHeaders</param-name>
- <param-value>origin, content-type, accept, authorization, Authorization</param-value>
- </init-param>
- </filter>
-
- <filter-mapping>
- <filter-name>cross-origin-restconf</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>NB api</web-resource-name>
- <url-pattern>/*</url-pattern>
- <http-method>POST</http-method>
- <http-method>GET</http-method>
- <http-method>PUT</http-method>
- <http-method>PATCH</http-method>
- <http-method>DELETE</http-method>
- <http-method>HEAD</http-method>
- </web-resource-collection>
- </security-constraint>
-
-</web-app>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/idmtool.py b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/idmtool.py
deleted file mode 100755
index b14a8758..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/idmtool.py
+++ /dev/null
@@ -1,255 +0,0 @@
-#!/usr/bin/env python
-
-#
-# Copyright (c) 2016 Brocade Communications Systems and others. All rights reserved.
-#
-# This program and the accompanying materials are made available under the
-# terms of the Eclipse Public License v1.0 which accompanies this distribution,
-# and is available at http://www.eclipse.org/legal/epl-v10.html
-#
-
-'''
-idmtool
-
-Used to manipulate ODL AAA idm on a node-per-node basis. Assumes only one domain (sdn)
-since current support in ODL is limited.
-'''
-
-__author__ = "Ryan Goulding"
-__copyright__ = "Copyright (c) 2016 Brocade Communications Systems and others"
-__credits__ = "Ryan Goulding"
-__license__ = "EPL"
-__version__ = "1.0"
-__maintainer__ = "Ryan Goulding"
-__email__ = "ryandgoulding@gmail.com"
-__status__ = "Production"
-
-import argparse, getpass, json, requests, sys
-
-parser = argparse.ArgumentParser('idmtool')
-
-user=''
-hostname='localhost'
-protocol='http'
-port='8181'
-target_host='{}://{}:{}/'.format(protocol, hostname, port)
-
-# main program arguments
-parser.add_argument('user',help='username for BSC node', nargs=1)
-parser.add_argument('--target-host', help="target host node", nargs=1)
-
-subparsers = parser.add_subparsers(help='sub-command help')
-
-# users table related
-list_users = subparsers.add_parser('list-users', help='list all users')
-list_users.set_defaults(func=list_users)
-add_user = subparsers.add_parser('add-user', help='add a user')
-add_user.set_defaults(func=add_user)
-add_user.add_argument('newUser', help='new user name', nargs=1)
-change_password = subparsers.add_parser('change-password', help='change a password')
-change_password.set_defaults(func=change_password)
-change_password.add_argument('userid', help='change the password for a particular userid', nargs=1)
-delete_user = subparsers.add_parser('delete-user', help='delete a user')
-delete_user.add_argument('userid', help='name@sdn', nargs=1)
-delete_user.set_defaults(func=delete_user)
-
-# domains table related
-# only read is defined; this was done on purpose since the "domain" concept
-# is mostly unsupported in ODL.
-list_domains = subparsers.add_parser('list-domains', help='list all domains')
-list_domains.set_defaults(func=list_domains)
-
-# roles table related
-list_roles = subparsers.add_parser('list-roles', help='list all roles')
-list_roles.set_defaults(func=list_roles)
-add_role = subparsers.add_parser('add-role', help='add a role')
-add_role.add_argument('role', help='role name', nargs=1)
-add_role.set_defaults(func=add_role)
-delete_role = subparsers.add_parser('delete-role', help='delete a role')
-delete_role.add_argument('roleid', help='rolename@sdn', nargs=1)
-delete_role.set_defaults(func=delete_role)
-add_grant = subparsers.add_parser('add-grant', help='add a grant')
-add_grant.set_defaults(func=add_grant)
-add_grant.add_argument('userid', help="username@sdn", nargs=1)
-add_grant.add_argument('roleid', help="role@sdn", nargs=1)
-get_grants = subparsers.add_parser('get-grants', help='get grants for userid on sdn')
-get_grants.set_defaults(func=get_grants)
-get_grants.add_argument('userid', help="username@sdn", nargs=1)
-delete_grant = subparsers.add_parser('delete-grant', help='delete a grant')
-delete_grant.add_argument('userid', help='username@sdn', nargs=1)
-delete_grant.add_argument('roleid', help='role@sdn', nargs=1)
-delete_grant.set_defaults(func=delete_grant)
-
-def process_result(r):
- ''' Generic method to print result of a REST call '''
- print ''
- sc = r.status_code
- if sc >= 200 and sc < 300:
- print "command succeeded!"
- try:
- res = r.json()
- if res is not None:
- print '\njson:\n', json.dumps(res, indent=4, sort_keys=True)
- except(ValueError):
- pass
- elif sc == 401:
- print "Incorrect Credentials Provided"
- elif sc == 404:
- print "RESTconf is either not installed or not initialized yet"
- elif sc >= 500 and sc < 600:
- print "Internal Server Error Ocurred"
- else:
- print "Unknown error; HTTP status code: {}".format(sc)
-
-def get_request(user, password, url, description, outputResult=True):
- if outputResult:
- print description
- try:
- r = requests.get(url, auth=(user,password))
- if outputResult:
- process_result(r)
- return r
- except(requests.exceptions.ConnectionError):
- if outputResult:
- print "Unable to connect; are you sure the controller is up?"
- sys.exit(1)
-
-def post_request(user, password, url, description, payload, params):
- print description
- try:
- r = requests.post(url, auth=(user,password), data=payload, headers=params)
- process_result(r)
- except(requests.exceptions.ConnectionError):
- print "Unable to connect; are you sure the controller is up?"
- sys.exit(1)
-
-def put_request(user, password, url, description, payload, params):
- print description
- try:
- r = requests.put(url, auth=(user,password), data=payload, headers=params)
- process_result(r)
- except(requests.exceptions.ConnectionError):
- print "Unable to connect; are you sure the controller is up?"
- sys.exit(1)
-
-def delete_request(user, password, url, description, payload='', params={'Content-Type':'application/json'}):
- print description
- try:
- r = requests.delete(url, auth=(user,password), data=payload, headers=params)
- process_result(r)
- except(requests.exceptions.ConnectionError):
- print "Unable to connect; are you sure the controller is up?"
- sys.exit(1)
-
-def poll_new_password():
- new_password = getpass.getpass(prompt="Enter new password: ")
- new_password_repeated = getpass.getpass(prompt="Re-enter password: ")
- if new_password != new_password_repeated:
- print "Passwords did not match; cancelling the add_user request"
- sys.exit(1)
- return new_password
-
-def list_users(user, password):
- get_request(user, password, target_host + 'auth/v1/users', 'list_users')
-
-def add_user(user, password, newUser):
- new_password = poll_new_password()
- description = 'add_user({})'.format(user)
- url = target_host + 'auth/v1/users'
- payload = {'name':newUser, 'password':new_password, 'description':'', "domainid":"sdn", 'userid':'{}@sdn'.format(newUser), 'email':''}
- jsonpayload = json.dumps(payload)
- headers={'Content-Type':'application/json'}
- post_request(user, password, url, description, jsonpayload, headers)
-
-def delete_user(user, password, userid):
- url = target_host + 'auth/v1/users/{}'.format(userid)
- description = 'delete_user({})'.format(userid)
- delete_request(user, password, url, description)
-
-def change_password(user, password, existingUserId):
- url = target_host + 'auth/v1/users/{}'.format(existingUserId)
- r = get_request(user, password, target_host + 'auth/v1/users/{}'.format(existingUserId), 'list_users', outputResult=False)
- try:
- existing = r.json()
- del existing['salt']
- del existing['password']
- new_password = poll_new_password()
- existing['password'] = new_password
- description='change_password({})'.format(existingUserId)
- headers={'Content-Type':'application/json'}
- url = target_host + 'auth/v1/users/{}'.format(existingUserId)
- put_request(user, password, url, 'change_password({})'.format(user), json.dumps(existing), headers)
- except(AttributeError):
- print "Unable to connect; are you sure the controller is up?"
- sys.exit(1)
-
-def list_domains(user, password):
- get_request(user, password, target_host + 'auth/v1/domains', 'list_domains')
-
-def list_roles(user, password):
- get_request(user, password, target_host + 'auth/v1/roles', 'list_roles')
-
-def add_role(user, password, role):
- url = target_host + 'auth/v1/roles'
- description = 'add_role({})'.format(role)
- payload = {"roleid":'{}@sdn'.format(role), 'name':role, 'description':'', 'domainid':'sdn'}
- data = json.dumps(payload)
- headers={'Content-Type':'application/json'}
- post_request(user, password, url, description, data, headers)
-
-def delete_role(user, password, roleid):
- url = target_host + 'auth/v1/roles/{}'.format(roleid)
- description = 'delete_role({})'.format(roleid)
- delete_request(user, password, url, description)
-
-def add_grant(user, password, userid, roleid):
- description = 'add_grant(userid={},roleid={})'.format(userid, roleid)
- payload = {"roleid":roleid, "userid":userid, "grantid":'{}@{}@{}'.format(userid, roleid, "sdn"), "domainid":"sdn"}
- url = target_host + 'auth/v1/domains/sdn/users/{}/roles'.format(userid)
- data=json.dumps(payload)
- headers={'Content-Type':'application/json'}
- post_request(user, password, url, description, data, headers)
-
-def get_grants(user, password, userid):
- get_request(user, password, target_host + 'auth/v1/domains/sdn/users/{}/roles'.format(userid), 'get_grants({})'.format(userid))
-
-def delete_grant(user, password, userid, roleid):
- url = target_host + 'auth/v1/domains/sdn/users/{}/roles/{}'.format(userid, roleid)
- print url
- description = 'delete_grant(userid={},roleid={})'.format(userid, roleid)
- delete_request(user, password, url, description)
-
-args = parser.parse_args()
-command = args.func.prog.split()[1:]
-user = args.user[0]
-password = getpass.getpass()
-temp_host_arr = args.target_host
-if temp_host_arr is not None:
- temp_host_val = temp_host_arr[0]
- if temp_host_val is not None:
- target_host = temp_host_val
- if not target_host.endswith("/"):
- target_host += "/"
-if "list-users" in command:
- list_users(user,password)
-if "list-domains" in command:
- list_domains(user,password)
-if "list-roles" in command:
- list_roles(user,password)
-if "add-user" in command:
- add_user(user,password, args.newUser[0])
-if "add-grant" in command:
- add_grant(user,password, args.userid[0], args.roleid[0])
-if "get-grants" in command:
- get_grants(user,password, args.userid[0])
-if "change-password" in command:
- change_password(user, password, args.userid[0])
-if "delete-user" in command:
- delete_user(user, password, args.userid[0])
-if "delete-role" in command:
- delete_role(user, password, args.roleid[0])
-if "add-role" in command:
- add_role(user, password, args.role[0])
-if "delete-grant" in command:
- delete_grant(user, password, args.userid[0], args.roleid[0])
-
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml
deleted file mode 100644
index 695ce762..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- vi: set et smarttab sw=4 tabstop=4: -->
-<!--
- Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
-
- This program and the accompanying materials are made available under the
- terms of the Eclipse Public License v1.0 which accompanies this distribution,
- and is available at http://www.eclipse.org/legal/epl-v10.html
--->
-<snapshot>
- <configuration>
- <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
- <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
- <module>
- <type xmlns:authn="config:aaa:authn:idmlight">authn:aaa-idmlight</type>
- <name>aaa-idmlight</name>
- </module>
- </modules>
- </data>
- </configuration>
- <required-capabilities>
- <capability>config:aaa:authn:idmlight?module=aaa-idmlight&amp;revision=2015-12-04</capability>
- </required-capabilities>
-
-</snapshot>
-
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/yang/aaa-idmlight.yang b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/yang/aaa-idmlight.yang
deleted file mode 100644
index 4f28d755..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/main/yang/aaa-idmlight.yang
+++ /dev/null
@@ -1,28 +0,0 @@
-module aaa-idmlight {
- yang-version 1;
- namespace "config:aaa:authn:idmlight";
- prefix "aaa-idmlight";
- organization "OpenDayLight";
-
- import config { prefix config; revision-date 2013-04-05; }
- import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; }
-
- contact "saichler@gmail.com";
-
- revision 2015-12-04 {
- description
- "Initial revision.";
- }
-
- identity aaa-idmlight {
- base config:module-type;
- config:java-name-prefix AAAIDMLight;
- }
-
- augment "/config:modules/config:module/config:configuration" {
- case aaa-idmlight {
- when "/config:modules/config:module/config:type = 'aaa-idmlight'";
- }
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/persistence/PasswordHashTest.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/persistence/PasswordHashTest.java
deleted file mode 100644
index 44fadf7a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/persistence/PasswordHashTest.java
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 2015 Cisco Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.persistence;
-
-import java.util.ArrayList;
-import java.util.LinkedList;
-import java.util.List;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.Mockito;
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.api.PasswordCredentials;
-import org.opendaylight.aaa.api.SHA256Calculator;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Grants;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.Users;
-import org.opendaylight.aaa.idm.IdmLightProxy;
-import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
-
-/*
- * @Author - Sharon Aicler (saichler@cisco.com)
-*/
-public class PasswordHashTest {
-
- @Before
- public void before() throws IDMStoreException{
- IIDMStore store = Mockito.mock(IIDMStore.class);
- AAAIDMLightModule.setStore(store);
- Domain domain = new Domain();
- domain.setName("sdn");
- domain.setDomainid("sdn");
-
- Mockito.when(store.readDomain("sdn")).thenReturn(domain);
- Creds c = new Creds();
- Users users = new Users();
- User user = new User();
- user.setName("admin");
- user.setUserid(c.username());
- user.setDomainid("sdn");
- user.setSalt("ABCD");
- user.setPassword(SHA256Calculator.getSHA256(c.password(),user.getSalt()));
- List<User> lu = new LinkedList<>();
- lu.add(user);
- users.setUsers(lu);
-
- Grants grants = new Grants();
- Grant grant = new Grant();
- List<Grant> g = new ArrayList<>();
- g.add(grant);
- grant.setDomainid("sdn");
- grant.setRoleid("admin");
- grant.setUserid("admin");
- grants.setGrants(g);
- Role role = new Role();
- role.setRoleid("admin");
- role.setName("admin");
- Mockito.when(store.readRole("admin")).thenReturn(role);
- Mockito.when(store.getUsers(c.username(), c.domain())).thenReturn(users);
- Mockito.when(store.getGrants(c.domain(), c.username())).thenReturn(grants);
- }
-
- @Test
- public void testPasswordHash(){
- IdmLightProxy proxy = new IdmLightProxy();
- proxy.authenticate(new Creds());
- }
-
- private static class Creds implements PasswordCredentials {
- @Override
- public String username() {
- return "admin";
- }
- @Override
- public String password() {
- return "admin";
- }
- @Override
- public String domain() {
- return "sdn";
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/DomainHandlerTest.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/DomainHandlerTest.java
deleted file mode 100644
index a8b964ae..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/DomainHandlerTest.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright (c) 2016 Inocybe Technologies and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.rest.test;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import com.sun.jersey.api.client.ClientResponse;
-import com.sun.jersey.api.client.UniformInterfaceException;
-import java.util.HashMap;
-import java.util.Map;
-import javax.ws.rs.core.MediaType;
-import org.junit.Test;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Domains;
-import org.opendaylight.aaa.api.model.IDMError;
-import org.opendaylight.aaa.api.model.Roles;
-
-public class DomainHandlerTest extends HandlerTest{
-
- @Test
- public void testDomainHandler() {
- //check default domains
- Domains domains = resource().path("/v1/domains").get(Domains.class);
- assertNotNull(domains);
- assertEquals(1, domains.getDomains().size());
- assertTrue(domains.getDomains().get(0).getName().equals("sdn"));
-
- //check existing domain
- Domain domain = resource().path("/v1/domains/0").get(Domain.class);
- assertNotNull(domain);
- assertTrue(domain.getName().equals("sdn"));
-
- //check not exist domain
- try {
- resource().path("/v1/domains/5").get(IDMError.class);
- fail("Should failed with 404!");
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(404, resp.getStatus());
- assertTrue(resp.getEntity(IDMError.class).getMessage().contains("Not found! domain id"));
- }
-
- // check create domain
- Map<String, String> domainData = new HashMap<String, String>();
- domainData.put("name","dom1");
- domainData.put("description","test dom");
- domainData.put("domainid","1");
- domainData.put("enabled","true");
- ClientResponse clientResponse = resource().path("/v1/domains").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, domainData);
- assertEquals(201, clientResponse.getStatus());
-
- // check update domain data
- domainData.put("name","dom1Update");
- clientResponse = resource().path("/v1/domains/1").type(MediaType.APPLICATION_JSON).put(ClientResponse.class, domainData);
- assertEquals(200, clientResponse.getStatus());
- domain = resource().path("/v1/domains/1").get(Domain.class);
- assertNotNull(domain);
- assertTrue(domain.getName().equals("dom1Update"));
-
- // check create grant
- Map<String, String> grantData = new HashMap<String, String>();
- grantData.put("roleid","1");
- clientResponse = resource().path("/v1/domains/1/users/0/roles").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, grantData);
- assertEquals(201, clientResponse.getStatus());
-
- // check create existing grant
- clientResponse = resource().path("/v1/domains/1/users/0/roles").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, grantData);
- assertEquals(403, clientResponse.getStatus());
-
- // check create grant with invalid domain id
- clientResponse = resource().path("/v1/domains/5/users/0/roles").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, grantData);
- assertEquals(404, clientResponse.getStatus());
-
- // check validate user (admin)
- Map<String, String> usrPwdData = new HashMap<String, String>();
- usrPwdData.put("username","admin");
- usrPwdData.put("userpwd","admin");
- clientResponse = resource().path("/v1/domains/0/users/roles").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, usrPwdData);
- assertEquals(200, clientResponse.getStatus());
-
- // check validate user (admin) with wrong password
- usrPwdData.put("userpwd","1234");
- clientResponse = resource().path("/v1/domains/0/users/roles").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, usrPwdData);
- assertEquals(401, clientResponse.getStatus());
-
- // check get user (admin) roles
- Roles usrRoles = resource().path("/v1/domains/0/users/0/roles").get(Roles.class);
- assertNotNull(usrRoles);
- assertTrue(usrRoles.getRoles().size() > 1);
-
- // check get invalid user roles
- try {
- resource().path("/v1/domains/0/users/5/roles").get(IDMError.class);
- fail("Should failed with 404!");
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(404, resp.getStatus());
- }
-
- // check delete grant
- clientResponse = resource().path("/v1/domains/0/users/0/roles/0").delete(ClientResponse.class);
- assertEquals(204, clientResponse.getStatus());
-
- // check delete grant for invalid domain
- clientResponse = resource().path("/v1/domains/3/users/0/roles/0").delete(ClientResponse.class);
- assertEquals(404, clientResponse.getStatus());
-
- // check delete domain
- clientResponse = resource().path("/v1/domains/1").delete(ClientResponse.class);
- assertEquals(204, clientResponse.getStatus());
-
- // check delete not existing domain
- try {
- resource().path("/v1/domains/1").delete(IDMError.class);
- fail("Shoulda failed with 404!");
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(404, resp.getStatus());
- assertTrue(resp.getEntity(IDMError.class).getMessage().contains("Not found! Domain id"));
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/HandlerTest.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/HandlerTest.java
deleted file mode 100644
index 7b8eebb4..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/HandlerTest.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 2016 Inocybe Technologies and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.rest.test;
-
-import com.sun.jersey.spi.container.servlet.WebComponent;
-import com.sun.jersey.test.framework.AppDescriptor;
-import com.sun.jersey.test.framework.JerseyTest;
-import com.sun.jersey.test.framework.WebAppDescriptor;
-import org.junit.Before;
-import org.opendaylight.aaa.idm.IdmLightApplication;
-import org.opendaylight.aaa.idm.StoreBuilder;
-import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
-
-
-public abstract class HandlerTest extends JerseyTest {
-
- protected IDMTestStore testStore = new IDMTestStore();
-
- @Override
- protected AppDescriptor configure() {
- return new WebAppDescriptor.Builder()
- .initParam(WebComponent.RESOURCE_CONFIG_CLASS, IdmLightApplication.class.getName())
- .build();
- }
-
- @Before
- public void setUp() throws Exception {
- super.setUp();
- StoreBuilder.init(testStore);
- AAAIDMLightModule.setStore(testStore);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/IDMTestStore.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/IDMTestStore.java
deleted file mode 100644
index 0fed2789..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/IDMTestStore.java
+++ /dev/null
@@ -1,271 +0,0 @@
-/*
- * Copyright (c) 2016 Inocybe Technologies and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.rest.test;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.opendaylight.aaa.api.IDMStoreException;
-import org.opendaylight.aaa.api.IIDMStore;
-import org.opendaylight.aaa.api.model.Domain;
-import org.opendaylight.aaa.api.model.Domains;
-import org.opendaylight.aaa.api.model.Grant;
-import org.opendaylight.aaa.api.model.Grants;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.Roles;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.Users;
-
-public class IDMTestStore implements IIDMStore {
-
- private List<Domain> domains = new ArrayList<Domain>();
- private List<Grant> grants = new ArrayList<Grant>();
- private List<Role> roles = new ArrayList<Role>();
- private List<User> users = new ArrayList<User>();
-
- public IDMTestStore() {
- // TODO Auto-generated constructor stub
- }
-
- @Override
- public Domain writeDomain(Domain domain) throws IDMStoreException {
- domain.setDomainid(String.valueOf(domains.size()));
- domains.add(domain);
- return domain;
- }
-
- @Override
- public Domain readDomain(String domainid) throws IDMStoreException {
- for(Domain dom : domains) {
- if (dom.getDomainid().equals(domainid)) {
- return dom;
- }
- }
- return null;
- }
-
- @Override
- public Domain deleteDomain(String domainid) throws IDMStoreException {
- for(Domain dom : domains) {
- if (dom.getDomainid().equals(domainid)) {
- domains.remove(dom);
- return dom;
- }
- }
- return null;
- }
-
- @Override
- public Domain updateDomain(Domain domain) throws IDMStoreException {
- for(Domain dom : domains) {
- if (dom.getDomainid().equals(domain.getDomainid())) {
- domains.remove(dom);
- domains.add(domain);
- return domain;
- }
- }
- return null;
- }
-
- @Override
- public Domains getDomains() throws IDMStoreException {
- Domains doms = new Domains();
- doms.setDomains(domains);
- return doms;
- }
-
- @Override
- public Role writeRole(Role role) throws IDMStoreException {
- role.setRoleid(String.valueOf(roles.size()));
- roles.add(role);
- return role;
- }
-
- @Override
- public Role readRole(String roleid) throws IDMStoreException {
- for (Role role : roles) {
- if (role.getRoleid().equals(roleid)) {
- return role;
- }
- }
- return null;
- }
-
- @Override
- public Role deleteRole(String roleid) throws IDMStoreException {
- for (Role role : roles) {
- if (role.getRoleid().equals(roleid)) {
- roles.remove(role);
- return role;
- }
- }
- return null;
- }
-
- @Override
- public Role updateRole(Role role) throws IDMStoreException {
- for (Role inRole : roles) {
- if (inRole.getRoleid().equals(role.getRoleid())) {
- roles.remove(inRole);
- roles.add(role);
- return role;
- }
- }
- return null;
- }
-
- @Override
- public Roles getRoles() throws IDMStoreException {
- Roles rols = new Roles();
- rols.setRoles(roles);
- return rols;
- }
-
- @Override
- public User writeUser(User user) throws IDMStoreException {
- user.setUserid(String.valueOf(users.size()));
- users.add(user);
- return user;
- }
-
- @Override
- public User readUser(String userid) throws IDMStoreException {
- for(User usr : users) {
- if (usr.getUserid().equals(userid)) {
- return usr;
- }
- }
- return null;
- }
-
- @Override
- public User deleteUser(String userid) throws IDMStoreException {
- for(User usr : users) {
- if (usr.getUserid().equals(userid)) {
- users.remove(usr);
- return usr;
- }
- }
- return null;
- }
-
- @Override
- public User updateUser(User user) throws IDMStoreException {
- for(User usr : users) {
- if (usr.getUserid().equals(user.getUserid())) {
- users.remove(usr);
- users.add(user);
- return usr;
- }
- }
- return null;
- }
-
- @Override
- public Users getUsers() throws IDMStoreException {
- Users usrs = new Users();
- usrs.setUsers(users);
- return usrs;
- }
-
- @Override
- public Users getUsers(String username, String domainId) throws IDMStoreException {
- Users usrs = new Users();
- User user = null;
- Domain domain = null;
- for(User usr : users) {
- if (usr.getName().equals(username)) {
- user = usr;
- break;
- }
- }
- for(Domain dom : domains) {
- if (dom.getDomainid().equals(domainId)) {
- domain = dom;
- break;
- }
- }
- if (user == null || domain == null)
- return usrs;
- for (Grant grant : grants) {
- if (grant.getUserid().equals(user.getUserid()) && grant.getDomainid().equals(domain.getDomainid())) {
- List<User> usrList = new ArrayList<User>();
- usrList.add(user);
- usrs.setUsers(usrList);
- break;
- }
- }
- return usrs;
- }
-
- @Override
- public Grant writeGrant(Grant grant) throws IDMStoreException {
- grant.setGrantid(String.valueOf(grants.size()));
- grants.add(grant);
- return grant;
- }
-
- @Override
- public Grant readGrant(String grantid) throws IDMStoreException {
- for (Grant grant : grants) {
- if (grant.getGrantid().equals(grantid)) {
- return grant;
- }
- }
- return null;
- }
-
- @Override
- public Grant deleteGrant(String grantid) throws IDMStoreException {
- for (Grant grant : grants) {
- if (grant.getGrantid().equals(grantid)) {
- grants.remove(grant);
- return grant;
- }
- }
- return null;
- }
-
- @Override
- public Grants getGrants(String domainid, String userid) throws IDMStoreException {
- Grants usrGrants = new Grants();
- List<Grant> usrGrant = new ArrayList<Grant>();
- for (Grant grant : grants) {
- if (grant.getUserid().equals(userid) && grant.getDomainid().equals(domainid)) {
- usrGrant.add(grant);
- }
- }
- usrGrants.setGrants(usrGrant);
- return usrGrants;
- }
-
- @Override
- public Grants getGrants(String userid) throws IDMStoreException {
- Grants usrGrants = new Grants();
- List<Grant> usrGrant = new ArrayList<Grant>();
- for (Grant grant : grants) {
- if (grant.getUserid().equals(userid)) {
- usrGrant.add(grant);
- }
- }
- usrGrants.setGrants(usrGrant);
- return usrGrants;
- }
-
- @Override
- public Grant readGrant(String domainid, String userid, String roleid) throws IDMStoreException {
- for (Grant grant : grants) {
- if (grant.getDomainid().equals(domainid) && grant.getUserid().equals(userid) && grant.getRoleid().equals(roleid)) {
- return grant;
- }
- }
- return null;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/RoleHandlerTest.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/RoleHandlerTest.java
deleted file mode 100644
index baf59558..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/RoleHandlerTest.java
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Copyright (c) 2016 Inocybe Technologies and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.rest.test;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import com.sun.jersey.api.client.ClientResponse;
-import com.sun.jersey.api.client.UniformInterfaceException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import javax.ws.rs.core.MediaType;
-import org.junit.Test;
-import org.opendaylight.aaa.api.model.IDMError;
-import org.opendaylight.aaa.api.model.Role;
-import org.opendaylight.aaa.api.model.Roles;
-
-
-public class RoleHandlerTest extends HandlerTest{
-
- @Test
- public void testRoleHandler() {
- //check default roles
- Roles roles = resource().path("/v1/roles").get(Roles.class);
- assertNotNull(roles);
- List<Role> roleList = roles.getRoles();
- assertEquals(2, roleList.size());
- for (Role role : roleList) {
- assertTrue(role.getName().equals("admin") || role.getName().equals("user"));
- }
-
- //check existing role
- Role role = resource().path("/v1/roles/0").get(Role.class);
- assertNotNull(role);
- assertTrue(role.getName().equals("admin"));
-
- //check not exist Role
- try {
- resource().path("/v1/roles/5").get(IDMError.class);
- fail("Should failed with 404!");
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(404, resp.getStatus());
- assertTrue(resp.getEntity(IDMError.class).getMessage().contains("role not found"));
- }
-
- // check create Role
- Map<String, String> roleData = new HashMap<String, String>();
- roleData.put("name","role1");
- roleData.put("description","test Role");
- roleData.put("domainid","0");
- ClientResponse clientResponse = resource().path("/v1/roles").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, roleData);
- assertEquals(201, clientResponse.getStatus());
-
- // check create Role missing name data
- roleData.remove("name");
- try {
- clientResponse = resource().path("/v1/roles").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, roleData);
- assertEquals(404, clientResponse.getStatus());
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(500, resp.getStatus());
- }
-
- // check update Role data
- roleData.put("name","role1Update");
- clientResponse = resource().path("/v1/roles/2").type(MediaType.APPLICATION_JSON).put(ClientResponse.class, roleData);
- assertEquals(200, clientResponse.getStatus());
- role = resource().path("/v1/roles/2").get(Role.class);
- assertNotNull(role);
- assertTrue(role.getName().equals("role1Update"));
-
- // check delete Role
- clientResponse = resource().path("/v1/roles/2").delete(ClientResponse.class);
- assertEquals(204, clientResponse.getStatus());
-
- // check delete not existing Role
- try {
- resource().path("/v1/roles/2").delete(IDMError.class);
- fail("Should failed with 404!");
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(404, resp.getStatus());
- assertTrue(resp.getEntity(IDMError.class).getMessage().contains("role id not found"));
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/UserHandlerTest.java b/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/UserHandlerTest.java
deleted file mode 100644
index 115546b6..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/rest/test/UserHandlerTest.java
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (c) 2016 Inocybe Technologies and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idm.rest.test;
-
-import static org.junit.Assert.*;
-
-import com.sun.jersey.api.client.ClientResponse;
-import com.sun.jersey.api.client.UniformInterfaceException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import javax.ws.rs.core.MediaType;
-import org.junit.Test;
-import org.opendaylight.aaa.api.model.IDMError;
-import org.opendaylight.aaa.api.model.User;
-import org.opendaylight.aaa.api.model.Users;
-
-public class UserHandlerTest extends HandlerTest {
-
- @Test
- public void testUserHandler() {
- //check default users
- Users users = resource().path("/v1/users").get(Users.class);
- assertNotNull(users);
- List<User> usrList = users.getUsers();
- assertEquals(2, usrList.size());
- for (User usr : usrList) {
- assertTrue(usr.getName().equals("admin") || usr.getName().equals("user"));
- }
-
- //check existing user
- User usr = resource().path("/v1/users/0").get(User.class);
- assertNotNull(usr);
- assertTrue(usr.getName().equals("admin"));
-
- //check not exist user
- try {
- resource().path("/v1/users/5").get(IDMError.class);
- fail("Should failed with 404!");
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(404, resp.getStatus());
- assertTrue(resp.getEntity(IDMError.class).getMessage().contains("user not found"));
- }
-
- // check create user
- Map<String, String> usrData = new HashMap<String, String>();
- usrData.put("name","usr1");
- usrData.put("description","test user");
- usrData.put("enabled","true");
- usrData.put("email","user1@usr.org");
- usrData.put("password","ChangeZbadPa$$w0rd");
- usrData.put("domainid","0");
- ClientResponse clientResponse = resource().path("/v1/users").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, usrData);
- assertEquals(201, clientResponse.getStatus());
-
- // check create user missing name data
- usrData.remove("name");
- try {
- clientResponse = resource().path("/v1/users").type(MediaType.APPLICATION_JSON).post(ClientResponse.class, usrData);
- assertEquals(400, clientResponse.getStatus());
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(500, resp.getStatus());
- }
-
- // check update user data
- usrData.put("name","usr1Update");
- clientResponse = resource().path("/v1/users/2").type(MediaType.APPLICATION_JSON).put(ClientResponse.class, usrData);
- assertEquals(200, clientResponse.getStatus());
- usr = resource().path("/v1/users/2").get(User.class);
- assertNotNull(usr);
- assertTrue(usr.getName().equals("usr1Update"));
-
- // check delete user
- clientResponse = resource().path("/v1/users/2").delete(ClientResponse.class);
- assertEquals(204, clientResponse.getStatus());
-
- // check delete not existing user
- try {
- resource().path("/v1/users/2").delete(IDMError.class);
- fail("Should failed with 404!");
- } catch (UniformInterfaceException e) {
- ClientResponse resp = e.getResponse();
- assertEquals(404, resp.getStatus());
- assertTrue(resp.getEntity(IDMError.class).getMessage().contains("Couldn't find user"));
- }
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/cleardb.sh b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/cleardb.sh
deleted file mode 100755
index 6385b48d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/cleardb.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-sudo service idmlight stop
-echo "dropping all tables..."
-sleep 3
-sudo sqlite3 /opt/idmlight/dmlight.db < ../sql/idmlight.sql
-sudo service idmlight start
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/domain.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/domain.json
deleted file mode 100644
index 4dfd25e9..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/domain.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "domainid": "1",
- "name":"R&D",
- "enabled":"true"
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/domain2.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/domain2.json
deleted file mode 100644
index 69244b30..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/domain2.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "domainid": "1",
- "name":"ATG",
- "enabled":"true"
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/grant.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/grant.json
deleted file mode 100644
index 0c4a9e90..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/grant.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "roleid":"2",
- "description":"role grant"
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/grant2.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/grant2.json
deleted file mode 100644
index ad685b7a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/grant2.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "roleid":"3",
- "description":"role grant"
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/result.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/result.json
deleted file mode 100644
index a3dd995d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/result.json
+++ /dev/null
@@ -1 +0,0 @@
-{"domainid":2,"userid":2,"username":"peter","roles":[{"roleid":2,"name":"user","description":"A user role with limited access"},{"roleid":3,"name":"user","description":"A user role with limited access"}]}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/role-admin.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/role-admin.json
deleted file mode 100644
index cf93caae..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/role-admin.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "name":"admin",
- "description":"An admin role with full access"
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/role-user.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/role-user.json
deleted file mode 100644
index 78588c9a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/role-user.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "name":"user",
- "description":"A user role with limited access"
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/test.sh b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/test.sh
deleted file mode 100755
index 3589be58..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/test.sh
+++ /dev/null
@@ -1,308 +0,0 @@
-# GLOBAL VARS
-TARGET="localhost:8282/auth"
-TESTCOUNT=0
-PASSCOUNT=0
-FAILCOUNT=0
-
-getit() {
-((TESTCOUNT++))
-echo '['$TESTCOUNT']' $NAME
-echo GET $URL
-echo "Desired Result=" $PASSCODE
-STATUS=$(curl -X GET -k -s -H Accept:application/json -o result.json -w '%{http_code}' $URL)
-if [ $STATUS -eq $PASSCODE ]; then
- ((PASSCOUNT++))
- cat result.json | python -mjson.tool
- echo "[PASS] Status=" $STATUS
-else
- cat result.json | python -mjson.tool
- echo "[FAIL] Status=" $STATUS
- ((FAILCOUNT++))
-fi
-echo
-}
-
-
-deleteit() {
-((TESTCOUNT++))
-echo '['$TESTCOUNT']' $NAME
-echo DELETE $URL
-echo "Desired Result=" $PASSCODE
-STATUS=$(curl -X DELETE -k -s -H Accept:application/json -o result.json -w '%{http_code}' $URL)
-if [ $STATUS -eq $PASSCODE ]; then
- ((PASSCOUNT++))
- echo "[PASS] Status=" $STATUS
-else
- cat result.json | python -mjson.tool
- echo "[FAIL] Status=" $STATUS
- ((FAILCOUNT++))
-fi
-echo
-}
-
-postit() {
-((TESTCOUNT++))
-echo '['$TESTCOUNT']' $NAME
-echo POST $URL
-echo "Desired Result=" $PASSCODE
-echo "POST File=" $POSTFILE
-STATUS=$(curl -X POST -k -s -H "Content-type:application/json" --data-binary "@"$POSTFILE -o result.json -w '%{http_code}' $URL)
-if [ $STATUS -eq $PASSCODE ]; then
- ((PASSCOUNT++))
- cat result.json | python -mjson.tool
- echo "[PASS] Status=" $STATUS
-else
- cat result.json | python -mjson.tool
- echo "[FAIL] Status=" $STATUS
- ((FAILCOUNT++))
-fi
-echo
-}
-
-putit() {
-((TESTCOUNT++))
-echo '['$TESTCOUNT']' $NAME
-echo PUT $URL
-echo "Desired Result=" $PASSCODE
-echo "PUT file=" $PUTFILE
-STATUS=$(curl -X PUT -k -s -H "Content-type:application/json" --data-binary "@"$PUTFILE -o result.json -w '%{http_code}' $URL)
-if [ $STATUS -eq $PASSCODE ]; then
- ((PASSCOUNT++))
- cat result.json | python -mjson.tool
- echo "[PASS] Status=" $STATUS
-else
- cat result.json | python -mjson.tool
- echo "[FAIL] Status=" $STATUS
- ((FAILCOUNT++))
-fi
-echo
-}
-
-
-#
-# DOMAIN TESTS
-#
-
-NAME="get all domains"
-URL="http://$TARGET/v1/domains"
-PASSCODE=200
-getit
-
-NAME="create a new domain"
-URL="http://$TARGET/v1/domains"
-POSTFILE=domain.json
-PASSCODE=201
-postit
-
-NAME="get domain 1"
-URL="http://$TARGET/v1/domains/1"
-PASSCODE=200
-getit
-
-NAME="delete domain 1"
-URL="http://$TARGET/v1/domains/1"
-PASSCODE=204
-deleteit
-
-NAME="create a new domain"
-URL="http://$TARGET/v1/domains"
-POSTFILE=domain.json
-PASSCODE=201
-postit
-
-NAME="get all domains"
-URL="http://$TARGET/v1/domains"
-PASSCODE=200
-getit
-
-NAME="update domain 2"
-URL="http://$TARGET/v1/domains/2"
-PUTFILE=domain.json
-PASSCODE=200
-putit
-
-NAME="create a new domain"
-URL="http://$TARGET/v1/domains"
-POSTFILE=domain2.json
-PASSCODE=201
-postit
-
-NAME="get all domains"
-URL="http://$TARGET/v1/domains"
-PASSCODE=200
-getit
-
-#
-# USER TESTS
-#
-
-NAME="get all users"
-URL="http://$TARGET/v1/users"
-PASSCODE=200
-getit
-
-NAME="create a new user"
-URL="http://$TARGET/v1/users"
-POSTFILE=user.json
-PASSCODE=201
-postit
-
-NAME="get all users"
-URL="http://$TARGET/v1/users"
-PASSCODE=200
-getit
-
-NAME="get user 1"
-URL="http://$TARGET/v1/users/1"
-PASSCODE=200
-getit
-
-NAME="delete user 1"
-URL="http://$TARGET/v1/users/1"
-PASSCODE=204
-deleteit
-
-NAME="get all users"
-URL="http://$TARGET/v1/users"
-PASSCODE=200
-getit
-
-NAME="create a new user"
-URL="http://$TARGET/v1/users"
-POSTFILE=user.json
-PASSCODE=201
-postit
-
-NAME="update a user"
-URL="http://$TARGET/v1/users/2"
-PUTFILE=user.json
-PASSCODE=200
-putit
-
-NAME="create a new user"
-URL="http://$TARGET/v1/users"
-POSTFILE=user2.json
-PASSCODE=201
-postit
-
-NAME="get all users"
-URL="http://$TARGET/v1/users"
-PASSCODE=200
-getit
-
-# ROLE TESTS
-
-NAME="get all roles"
-URL="http://$TARGET/v1/roles"
-PASSCODE=200
-getit
-
-NAME="create a new role"
-URL="http://$TARGET/v1/roles"
-POSTFILE=role-user.json
-PASSCODE=201
-postit
-
-NAME="get all roles"
-URL="http://$TARGET/v1/roles"
-PASSCODE=200
-getit
-
-NAME="get role 1"
-URL="http://$TARGET/v1/roles/1"
-PASSCODE=200
-getit
-
-NAME="delete role 1"
-URL="http://$TARGET/v1/roles/1"
-PASSCODE=204
-deleteit
-
-NAME="create a new role"
-URL="http://$TARGET/v1/roles"
-POSTFILE=role-user.json
-PASSCODE=201
-postit
-
-NAME="update role 2"
-URL="http://$TARGET/v1/roles/2"
-PUTFILE=role-user.json
-PASSCODE=200
-putit
-
-NAME="create a new role"
-URL="http://$TARGET/v1/roles"
-POSTFILE=role-admin.json
-PASSCODE=201
-postit
-
-NAME="get all roles"
-URL="http://$TARGET/v1/roles"
-PASSCODE=200
-getit
-
-# Grant tests
-
-NAME="grant a role"
-URL="http://$TARGET/v1/domains/2/users/2/roles"
-POSTFILE=grant.json
-PASSCODE=201
-postit
-
-NAME="try to create a double grant"
-URL="http://$TARGET/v1/domains/2/users/2/roles"
-POSTFILE=grant.json
-PASSCODE=403
-postit
-
-NAME="get all roles for domain and user"
-URL="http://$TARGET/v1/domains/2/users/2/roles"
-PASSCODE=200
-getit
-
-NAME="delete a grant"
-URL="http://$TARGET/v1/domains/2/users/2/roles/2"
-PASSCODE=204
-deleteit
-
-NAME="delete a grant"
-URL="http://$TARGET/v1/domains/2/users/2/roles/2"
-PASSCODE=404
-deleteit
-
-NAME="get all roles for domain and user"
-URL="http://$TARGET/v1/domains/2/users/2/roles"
-PASSCODE=200
-getit
-
-NAME="grant a role"
-URL="http://$TARGET/v1/domains/2/users/2/roles"
-POSTFILE=grant.json
-PASSCODE=201
-postit
-
-NAME="grant a role"
-URL="http://$TARGET/v1/domains/2/users/2/roles"
-POSTFILE=grant2.json
-PASSCODE=201
-postit
-
-NAME="get all roles for domain and user"
-URL="http://$TARGET/v1/domains/2/users/2/roles"
-PASSCODE=200
-getit
-
-NAME="get all roles for domain, user and pwd"
-URL="http://$TARGET/v1/domains/2/users/roles"
-POSTFILE=userpwd.json
-PASSCODE=200
-postit
-
-
-#
-# RESULTS
-#
-echo "SUMMARY"
-echo "======================================"
-echo 'TESTS:'$TESTCOUNT 'PASS:'$PASSCOUNT 'FAIL:'$FAILCOUNT
-
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/user.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/user.json
deleted file mode 100644
index 6f30d705..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/user.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name":"peter",
- "description":"peter test user",
- "enabled":"true",
- "email":"user1@gmail.com",
- "password":"foobar"
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/user2.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/user2.json
deleted file mode 100644
index 9864cdb2..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/user2.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "name":"liem",
- "description":"liem test user",
- "enabled":"true",
- "email":"user1@gmail.com",
- "password":"foobar"
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/userpwd.json b/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/userpwd.json
deleted file mode 100644
index e5258b98..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idmlight/tests/userpwd.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "username":"peter",
- "userpwd":"foobar"
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/pom.xml
deleted file mode 100644
index d3d37c40..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/pom.xml
+++ /dev/null
@@ -1,84 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-authn-idpmapping</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>bundle</packaging>
-
- <properties>
- <powermock.version>1.5.2</powermock.version>
- </properties>
-
- <dependencies>
- <dependency>
- <groupId>org.glassfish</groupId>
- <artifactId>javax.json</artifactId>
- </dependency>
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.core</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- <scope>provided</scope>
- </dependency>
-
- <!-- Test dependencies -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.powermock</groupId>
- <artifactId>powermock-api-mockito</artifactId>
- <version>${powermock.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.powermock</groupId>
- <artifactId>powermock-module-junit4</artifactId>
- <version>${powermock.version}</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Bundle-Activator>org.opendaylight.aaa.idpmapping.Activator</Bundle-Activator>
- </instructions>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </configuration>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Activator.java
deleted file mode 100644
index 7342485e..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Activator.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (c) 2014 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.osgi.framework.BundleContext;
-
-public class Activator extends DependencyActivatorBase {
-
- @Override
- public void init(BundleContext context, DependencyManager manager) throws Exception {
- }
-
- @Override
- public void destroy(BundleContext context, DependencyManager manager) throws Exception {
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/IdpJson.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/IdpJson.java
deleted file mode 100644
index 00328b60..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/IdpJson.java
+++ /dev/null
@@ -1,248 +0,0 @@
-/*
- * Copyright (c) 2014 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.StringReader;
-import java.io.StringWriter;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import javax.json.Json;
-import javax.json.JsonValue;
-import javax.json.stream.JsonGenerator;
-import javax.json.stream.JsonGeneratorFactory;
-import javax.json.stream.JsonLocation;
-import javax.json.stream.JsonParser;
-import javax.json.stream.JsonParser.Event;
-
-/**
- * Converts between JSON and the internal data structures used in the
- * RuleProcessor.
- *
- * @author John Dennis &lt;jdennis@redhat.com&gt;
- */
-
-public class IdpJson {
-
- public IdpJson() {
- }
-
- public Object loadJson(java.io.Reader in) {
- JsonParser parser = Json.createParser(in);
- Event event = null;
-
- // Prime the pump. Get the first item from the parser.
- event = parser.next();
-
- // Act on first item.
- return loadJsonItem(parser, event);
- }
-
- public Object loadJson(Path filename) throws IOException {
- BufferedReader reader = Files.newBufferedReader(filename, StandardCharsets.UTF_8);
- return loadJson(reader);
- }
-
- public Object loadJson(String string) {
- StringReader reader = new StringReader(string);
- return loadJson(reader);
- }
-
- /*
- * Process current parser item indicated by event. Consumes exactly the
- * number of parser events necessary to load the item. Caller must advance
- * the parser via parser.next() after this method returns.
- */
- private Object loadJsonItem(JsonParser parser, Event event) {
- switch (event) {
- case START_OBJECT: {
- return loadJsonObject(parser, event);
- }
- case START_ARRAY: {
- return loadJsonArray(parser, event);
- }
- case VALUE_NULL: {
- return null;
- }
- case VALUE_NUMBER: {
- if (parser.isIntegralNumber()) {
- return parser.getLong();
- } else {
- return parser.getBigDecimal().doubleValue();
- }
- }
- case VALUE_STRING: {
- return parser.getString();
- }
- case VALUE_TRUE: {
- return Boolean.TRUE;
- }
- case VALUE_FALSE: {
- return Boolean.FALSE;
- }
- default: {
- JsonLocation location = parser.getLocation();
- throw new IllegalStateException(String.format(
- "unknown JSON parsing event %s, location(line=%d column=%d offset=%d)", event,
- location.getLineNumber(), location.getColumnNumber(),
- location.getStreamOffset()));
- }
- }
- }
-
- private List<Object> loadJsonArray(JsonParser parser, Event event) {
- List<Object> list = new ArrayList<Object>();
-
- if (event != Event.START_ARRAY) {
- JsonLocation location = parser.getLocation();
- throw new IllegalStateException(
- String.format(
- "expected JSON parsing event to be START_ARRAY, not %s location(line=%d column=%d offset=%d)",
- event, location.getLineNumber(), location.getColumnNumber(),
- location.getStreamOffset()));
- }
- event = parser.next(); // consume START_ARRAY
- while (event != Event.END_ARRAY) {
- Object obj;
-
- obj = loadJsonItem(parser, event);
- list.add(obj);
- event = parser.next(); // next array item or END_ARRAY
- }
- return list;
- }
-
- private Map<String, Object> loadJsonObject(JsonParser parser, Event event) {
- Map<String, Object> map = new LinkedHashMap<String, Object>();
-
- if (event != Event.START_OBJECT) {
- JsonLocation location = parser.getLocation();
- throw new IllegalStateException(String.format(
- "expected JSON parsing event to be START_OBJECT, not %s, ",
- "location(line=%d column=%d offset=%d)", event, location.getLineNumber(),
- location.getColumnNumber(), location.getStreamOffset()));
- }
- event = parser.next(); // consume START_OBJECT
- while (event != Event.END_OBJECT) {
- if (event == Event.KEY_NAME) {
- String key;
- Object value;
-
- key = parser.getString();
- event = parser.next(); // consume key
- value = loadJsonItem(parser, event);
- map.put(key, value);
- } else {
- JsonLocation location = parser.getLocation();
- throw new IllegalStateException(
- String.format(
- "expected JSON parsing event to be KEY_NAME, not %s, location(line=%d column=%d offset=%d)",
- event, location.getLineNumber(), location.getColumnNumber(),
- location.getStreamOffset()));
-
- }
- event = parser.next(); // next key or END_OBJECT
- }
- return map;
- }
-
- public String dumpJson(Object obj) {
- Map<String, Object> properties = new HashMap<String, Object>(1);
- properties.put(JsonGenerator.PRETTY_PRINTING, true);
- JsonGeneratorFactory generatorFactory = Json.createGeneratorFactory(properties);
- StringWriter stringWriter = new StringWriter();
- JsonGenerator generator = generatorFactory.createGenerator(stringWriter);
-
- dumpJsonItem(generator, obj);
- generator.close();
- return stringWriter.toString();
- }
-
- private void dumpJsonItem(JsonGenerator generator, Object obj) {
- // ordered by expected occurrence
- if (obj instanceof String) {
- generator.write((String) obj);
- } else if (obj instanceof List) {
- generator.writeStartArray();
- @SuppressWarnings("unchecked")
- List<Object> list = (List<Object>) obj;
- dumpJsonArray(generator, list);
- } else if (obj instanceof Map) {
- generator.writeStartObject();
- @SuppressWarnings("unchecked")
- Map<String, Object> map = (Map<String, Object>) obj;
- dumpJsonObject(generator, map);
- } else if (obj instanceof Long) {
- generator.write(((Long) obj).longValue());
- } else if (obj instanceof Boolean) {
- generator.write(((Boolean) obj).booleanValue());
- } else if (obj == null) {
- generator.writeNull();
- } else if (obj instanceof Double) {
- generator.write(((Double) obj).doubleValue());
- } else {
- throw new IllegalStateException(
- String.format(
- "unsupported data type, must be String, Long, Double, Boolean, List, Map, or null, not %s",
- obj.getClass().getSimpleName()));
- }
- }
-
- private void dumpJsonArray(JsonGenerator generator, List<Object> list) {
- for (Object obj : list) {
- dumpJsonItem(generator, obj);
- }
- generator.writeEnd();
- }
-
- private void dumpJsonObject(JsonGenerator generator, Map<String, Object> map) {
-
- for (Map.Entry<String, Object> entry : map.entrySet()) {
- String key = entry.getKey();
- Object obj = entry.getValue();
-
- // ordered by expected occurrence
- if (obj instanceof String) {
- generator.write(key, (String) obj);
- } else if (obj instanceof List) {
- generator.writeStartArray(key);
- @SuppressWarnings("unchecked")
- List<Object> list = (List<Object>) obj;
- dumpJsonArray(generator, list);
- } else if (obj instanceof Map) {
- generator.writeStartObject(key);
- @SuppressWarnings("unchecked")
- Map<String, Object> map1 = (Map<String, Object>) obj;
- dumpJsonObject(generator, map1);
- } else if (obj instanceof Long) {
- generator.write(key, ((Long) obj).longValue());
- } else if (obj instanceof Boolean) {
- generator.write(key, ((Boolean) obj).booleanValue());
- } else if (obj == null) {
- generator.write(key, JsonValue.NULL);
- } else if (obj instanceof Double) {
- generator.write(key, ((Double) obj).doubleValue());
- } else {
- throw new IllegalStateException(
- String.format(
- "unsupported data type, must be String, Long, Double, Boolean, List, Map, or null, not %s",
- obj.getClass().getSimpleName()));
- }
- }
- generator.writeEnd();
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidRuleException.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidRuleException.java
deleted file mode 100644
index 1e42f4f2..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidRuleException.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (c) 2014 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-/**
- * Exception thrown when a mapping rule is improperly defined.
- *
- * @author John Dennis &lt;jdennis@redhat.com&gt;
- */
-
-public class InvalidRuleException extends RuntimeException {
-
- private static final long serialVersionUID = 1948891573270429630L;
-
- public InvalidRuleException() {
- }
-
- public InvalidRuleException(String message) {
- super(message);
- }
-
- public InvalidRuleException(Throwable cause) {
- super(cause);
- }
-
- public InvalidRuleException(String message, Throwable cause) {
- super(message, cause);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidTypeException.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidTypeException.java
deleted file mode 100644
index fb8b132f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidTypeException.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (c) 2014 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-/**
- * Exception thrown when the type of a value is incorrect for a given context.
- *
- * @author John Dennis &lt;jdennis@redhat.com&gt;
- */
-
-public class InvalidTypeException extends RuntimeException {
-
- private static final long serialVersionUID = 4437011247503994368L;
-
- public InvalidTypeException() {
- }
-
- public InvalidTypeException(String message) {
- super(message);
- }
-
- public InvalidTypeException(Throwable cause) {
- super(cause);
- }
-
- public InvalidTypeException(String message, Throwable cause) {
- super(message, cause);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidValueException.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidValueException.java
deleted file mode 100644
index 2f83c13f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidValueException.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (c) 2014 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-/**
- * Exception thrown when a value cannot be used in a given context.
- *
- * @author John Dennis &lt;jdennis@redhat.com&gt;
- */
-
-public class InvalidValueException extends RuntimeException {
-
- private static final long serialVersionUID = -2351651535772692180L;
-
- public InvalidValueException() {
- }
-
- public InvalidValueException(String message) {
- super(message);
- }
-
- public InvalidValueException(Throwable cause) {
- super(cause);
- }
-
- public InvalidValueException(String message, Throwable cause) {
- super(message, cause);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/RuleProcessor.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/RuleProcessor.java
deleted file mode 100644
index 0f86fde6..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/RuleProcessor.java
+++ /dev/null
@@ -1,1368 +0,0 @@
-/*
- * Copyright (c) 2014 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-import java.io.IOException;
-import java.io.StringWriter;
-import java.nio.file.Path;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.EnumSet;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-enum ProcessResult {
- RULE_FAIL, RULE_SUCCESS, BLOCK_CONTINUE, STATEMENT_CONTINUE
-}
-
-/**
- * Evaluate a set of rules against an assertion from an external Identity
- * Provider (IdP) mapping those assertion values to local values.
- *
- * @author John Dennis &lt;jdennis@redhat.com&gt;
- */
-
-public class RuleProcessor {
- private static final Logger LOG = LoggerFactory.getLogger(RuleProcessor.class);
-
- public String ruleIdFormat = "<rule [${rule_number}:\"${rule_name}\"]>";
- public String statementIdFormat = "<rule [${rule_number}:\"${rule_name}\"] block [${block_number}:\"${block_name}\"] statement ${statement_number}>";
-
- /*
- * Reserved variables
- */
- public static final String ASSERTION = "assertion";
- public static final String RULE_NUMBER = "rule_number";
- public static final String RULE_NAME = "rule_name";
- public static final String BLOCK_NUMBER = "block_number";
- public static final String BLOCK_NAME = "block_name";
- public static final String STATEMENT_NUMBER = "statement_number";
- public static final String REGEXP_ARRAY_VARIABLE = "regexp_array";
- public static final String REGEXP_MAP_VARIABLE = "regexp_map";
-
- private static final String REGEXP_NAMED_GROUP_PAT = "\\(\\?<([a-zA-Z][a-zA-Z0-9]*)>";
- private static final Pattern REGEXP_NAMED_GROUP_RE = Pattern.compile(REGEXP_NAMED_GROUP_PAT);
-
- List<Map<String, Object>> rules = null;
- boolean success = true;
- Map<String, Map<String, Object>> mappings = null;
-
- public RuleProcessor(java.io.Reader rulesIn, Map<String, Map<String, Object>> mappings) {
- this.mappings = mappings;
- IdpJson json = new IdpJson();
- @SuppressWarnings("unchecked")
- List<Map<String, Object>> loadJson = (List<Map<String, Object>>) json.loadJson(rulesIn);
- rules = loadJson;
- }
-
- public RuleProcessor(Path rulesIn, Map<String, Map<String, Object>> mappings)
- throws IOException {
- this.mappings = mappings;
- IdpJson json = new IdpJson();
- @SuppressWarnings("unchecked")
- List<Map<String, Object>> loadJson = (List<Map<String, Object>>) json.loadJson(rulesIn);
- rules = loadJson;
- }
-
- public RuleProcessor(String rulesIn, Map<String, Map<String, Object>> mappings) {
- this.mappings = mappings;
- IdpJson json = new IdpJson();
- @SuppressWarnings("unchecked")
- List<Map<String, Object>> loadJson = (List<Map<String, Object>>) json.loadJson(rulesIn);
- rules = loadJson;
- }
-
- /*
- * For some odd reason the Java Regular Expression API does not include a
- * way to retrieve a map of the named groups and their values. The API only
- * permits us to retrieve a named group if we already know the group names.
- * So instead we parse the pattern string looking for named groups, extract
- * the name, look up the value of the named group and build a map from that.
- */
-
- private Map<String, String> regexpGroupMap(String pattern, Matcher matcher) {
- Map<String, String> groupMap = new HashMap<String, String>();
- Matcher groupMatcher = REGEXP_NAMED_GROUP_RE.matcher(pattern);
-
- while (groupMatcher.find()) {
- String groupName = groupMatcher.group(1);
-
- groupMap.put(groupName, matcher.group(groupName));
- }
- return groupMap;
- }
-
- static public String join(List<Object> list, String conjunction) {
- StringBuilder sb = new StringBuilder();
- boolean first = true;
- for (Object item : list) {
- if (first) {
- first = false;
- } else {
- sb.append(conjunction);
- }
- sb.append(item.toString());
- }
- return sb.toString();
- }
-
- private List<String> regexpGroupList(Matcher matcher) {
- List<String> groupList = new ArrayList<String>(matcher.groupCount() + 1);
- groupList.add(0, matcher.group(0));
- for (int i = 1; i < matcher.groupCount() + 1; i++) {
- groupList.add(i, matcher.group(i));
- }
- return groupList;
- }
-
- private String objToString(Object obj) {
- StringWriter sw = new StringWriter();
- objToStringItem(sw, obj);
- return sw.toString();
- }
-
- private void objToStringItem(StringWriter sw, Object obj) {
- // ordered by expected occurrence
- if (obj instanceof String) {
- sw.write('"');
- sw.write(((String) obj).replaceAll("\"", "\\\""));
- sw.write('"');
- } else if (obj instanceof List) {
- @SuppressWarnings("unchecked")
- List<Object> list = (List<Object>) obj;
- boolean first = true;
-
- sw.write('[');
- for (Object item : list) {
- if (first) {
- first = false;
- } else {
- sw.write(", ");
- }
- objToStringItem(sw, item);
- }
- sw.write(']');
- } else if (obj instanceof Map) {
- @SuppressWarnings("unchecked")
- Map<String, Object> map = (Map<String, Object>) obj;
- boolean first = true;
-
- sw.write('{');
- for (Map.Entry<String, Object> entry : map.entrySet()) {
- String key = entry.getKey();
- Object value = entry.getValue();
-
- if (first) {
- first = false;
- } else {
- sw.write(", ");
- }
-
- objToStringItem(sw, key);
- sw.write(": ");
- objToStringItem(sw, value);
-
- }
- sw.write('}');
- } else if (obj instanceof Long) {
- sw.write(((Long) obj).toString());
- } else if (obj instanceof Boolean) {
- sw.write(((Boolean) obj).toString());
- } else if (obj == null) {
- sw.write("null");
- } else if (obj instanceof Double) {
- sw.write(((Double) obj).toString());
- } else {
- throw new IllegalStateException(
- String.format(
- "unsupported data type, must be String, Long, Double, Boolean, List, Map, or null, not %s",
- obj.getClass().getSimpleName()));
- }
- }
-
- private Object deepCopy(Object obj) {
- // ordered by expected occurrence
- if (obj instanceof String) {
- return obj; // immutable
- } else if (obj instanceof List) {
- List<Object> new_list = new ArrayList<Object>();
- @SuppressWarnings("unchecked")
- List<Object> list = (List<Object>) obj;
- for (Object item : list) {
- new_list.add(deepCopy(item));
- }
- return new_list;
- } else if (obj instanceof Map) {
- Map<String, Object> new_map = new LinkedHashMap<String, Object>();
- @SuppressWarnings("unchecked")
- Map<String, Object> map = (Map<String, Object>) obj;
- for (Map.Entry<String, Object> entry : map.entrySet()) {
- String key = entry.getKey(); // immutable
- Object value = entry.getValue();
- new_map.put(key, deepCopy(value));
- }
- return new_map;
- } else if (obj instanceof Long) {
- return obj; // immutable
- } else if (obj instanceof Boolean) {
- return obj; // immutable
- } else if (obj == null) {
- return null;
- } else if (obj instanceof Double) {
- return obj; // immutable
- } else {
- throw new IllegalStateException(
- String.format(
- "unsupported data type, must be String, Long, Double, Boolean, List, Map, or null, not %s",
- obj.getClass().getSimpleName()));
- }
- }
-
- public String ruleId(Map<String, Object> namespace) {
- return substituteVariables(ruleIdFormat, namespace);
- }
-
- public String statementId(Map<String, Object> namespace) {
- return substituteVariables(statementIdFormat, namespace);
- }
-
- public String substituteVariables(String string, Map<String, Object> namespace) {
- StringBuffer sb = new StringBuffer();
- Matcher matcher = Token.VARIABLE_RE.matcher(string);
-
- while (matcher.find()) {
- Token token = new Token(matcher.group(0), namespace);
- token.load();
- String replacement;
- if (token.type == TokenType.STRING) {
- replacement = token.getStringValue();
- } else {
- replacement = objToString(token.getObjectValue());
- }
-
- matcher.appendReplacement(sb, replacement);
- }
- matcher.appendTail(sb);
- return sb.toString();
- }
-
- Map<String, Object> getMapping(Map<String, Object> namespace, Map<String, Object> rule) {
- Map<String, Object> mapping = null;
- String mappingName = null;
-
- try {
- @SuppressWarnings("unchecked")
- Map<String, Object> map = (Map<String, Object>) rule.get("mapping");
- mapping = map;
- } catch (java.lang.ClassCastException e) {
- throw new InvalidRuleException(String.format(
- "%s rule defines 'mapping' but it is not a Map", this.ruleId(namespace), e));
- }
- if (mapping != null) {
- return mapping;
- }
- try {
- mappingName = (String) rule.get("mapping_name");
- } catch (java.lang.ClassCastException e) {
- throw new InvalidRuleException(String.format(
- "%s rule defines 'mapping_name' but it is not a string",
- this.ruleId(namespace), e));
- }
- if (mappingName == null) {
- throw new InvalidRuleException(String.format(
- "%s rule does not define mapping nor mapping_name unable to load mapping",
- this.ruleId(namespace)));
- }
- mapping = this.mappings.get(mappingName);
- if (mapping == null) {
- throw new InvalidRuleException(
- String.format(
- "%s rule specifies mapping_name '%s' but a mapping by that name does not exist, unable to load mapping",
- this.ruleId(namespace)));
- }
- LOG.debug(String.format("using named mapping '%s' from rule %s mapping=%s", mappingName,
- this.ruleId(namespace), mapping));
- return mapping;
- }
-
- private String getVerb(List<Object> statement) {
- Token verb;
-
- if (statement.size() < 1) {
- throw new InvalidRuleException("statement has no verb");
- }
-
- try {
- verb = new Token(statement.get(0), null);
- } catch (Exception e) {
- throw new InvalidRuleException(String.format(
- "statement first member (i.e. verb) error %s", e));
- }
-
- if (verb.type != TokenType.STRING) {
- throw new InvalidRuleException(String.format(
- "statement first member (i.e. verb) must be a string, not %s", verb.type));
- }
-
- return (verb.getStringValue()).toLowerCase();
- }
-
- private Token getToken(String verb, List<Object> statement, int index,
- Map<String, Object> namespace, Set<TokenStorageType> storageTypes,
- Set<TokenType> tokenTypes) {
- Object item;
- Token token;
-
- try {
- item = statement.get(index);
- } catch (IndexOutOfBoundsException e) {
- throw new InvalidRuleException(String.format(
- "verb '%s' requires at least %d items but only %d are available.", verb,
- index + 1, statement.size(), e));
- }
-
- try {
- token = new Token(item, namespace);
- } catch (Exception e) {
- throw new StatementErrorException(String.format("parameter %d, %s", index, e));
- }
-
- if (storageTypes != null) {
- if (!storageTypes.contains(token.storageType)) {
- throw new InvalidTypeException(
- String.format(
- "verb '%s' requires parameter #%d to have storage types %s not %s. statement=%s",
- verb, index, storageTypes, statement));
- }
- }
-
- if (tokenTypes != null) {
- token.load(); // Note, Token.load() sets the Token.type
-
- if (!tokenTypes.contains(token.type)) {
- throw new InvalidTypeException(String.format(
- "verb '%s' requires parameter #%d to have types %s, not %s. statement=%s",
- verb, index, tokenTypes, statement));
- }
- }
-
- return token;
- }
-
- private Token getParameter(String verb, List<Object> statement, int index,
- Map<String, Object> namespace, Set<TokenType> tokenTypes) {
- Object item;
- Token token;
-
- try {
- item = statement.get(index);
- } catch (IndexOutOfBoundsException e) {
- throw new InvalidRuleException(String.format(
- "verb '%s' requires at least %d items but only %d are available.", verb,
- index + 1, statement.size(), e));
- }
-
- try {
- token = new Token(item, namespace);
- } catch (Exception e) {
- throw new StatementErrorException(String.format("parameter %d, %s", index, e));
- }
-
- token.load();
-
- if (tokenTypes != null) {
- try {
- token.get(); // Note, Token.get() sets the Token.type
- } catch (UndefinedValueException e) {
- // OK if not yet defined
- }
- if (!tokenTypes.contains(token.type)) {
- throw new InvalidTypeException(String.format(
- "verb '%s' requires parameter #%d to have types %s, not %s. statement=%s",
- verb, index, tokenTypes, item.getClass().getSimpleName(), statement));
- }
- }
-
- return token;
- }
-
- private Object getRawParameter(String verb, List<Object> statement, int index,
- Set<TokenType> tokenTypes) {
- Object item;
-
- try {
- item = statement.get(index);
- } catch (IndexOutOfBoundsException e) {
- throw new InvalidRuleException(String.format(
- "verb '%s' requires at least %d items but only %d are available.", verb,
- index + 1, statement.size(), e));
- }
-
- if (tokenTypes != null) {
- TokenType itemType = Token.classify(item);
-
- if (!tokenTypes.contains(itemType)) {
- throw new InvalidTypeException(String.format(
- "verb '%s' requires parameter #%d to have types %s, not %s. statement=%s",
- verb, index, tokenTypes, statement));
- }
- }
-
- return item;
- }
-
- private Token getVariable(String verb, List<Object> statement, int index,
- Map<String, Object> namespace) {
- Object item;
- Token token;
-
- try {
- item = statement.get(index);
- } catch (IndexOutOfBoundsException e) {
- throw new InvalidRuleException(String.format(
- "verb '%s' requires at least %d items but only %d are available.", verb,
- index + 1, statement.size(), e));
- }
-
- try {
- token = new Token(item, namespace);
- } catch (Exception e) {
- throw new StatementErrorException(String.format("parameter %d, %s", index, e));
- }
-
- if (token.storageType != TokenStorageType.VARIABLE) {
- throw new InvalidTypeException(String.format(
- "verb '%s' requires parameter #%d to be a variable not %s. statement=%s", verb,
- index, token.storageType, statement));
- }
-
- return token;
- }
-
- public Map<String, Object> process(String assertionJson) {
- ProcessResult result;
- IdpJson json = new IdpJson();
- @SuppressWarnings("unchecked")
- Map<String, Object> assertion = (Map<String, Object>) json.loadJson(assertionJson);
- LOG.info("Assertion JSON: {}", json.dumpJson(assertion));
- this.success = true;
-
- for (int ruleNumber = 0; ruleNumber < this.rules.size(); ruleNumber++) {
- Map<String, Object> namespace = new HashMap<String, Object>();
- Map<String, Object> rule = (Map<String, Object>) this.rules.get(ruleNumber);
- namespace.put(RULE_NUMBER, Long.valueOf(ruleNumber));
- namespace.put(RULE_NAME, "");
- namespace.put(ASSERTION, deepCopy(assertion));
-
- result = processRule(namespace, rule);
-
- if (result == ProcessResult.RULE_SUCCESS) {
- Map<String, Object> mapped = new LinkedHashMap<String, Object>();
- Map<String, Object> mapping = getMapping(namespace, rule);
- for (Map.Entry<String, Object> entry : ((Map<String, Object>) mapping).entrySet()) {
- String key = entry.getKey();
- Object value = entry.getValue();
- Object newValue = null;
- try {
- Token token = new Token(value, namespace);
- newValue = token.get();
- } catch (Exception e) {
- throw new InvalidRuleException(String.format(
- "%s unable to get value for mapping %s=%s, %s", ruleId(namespace),
- key, value, e), e);
- }
- mapped.put(key, newValue);
- }
- return mapped;
- }
- }
- return null;
- }
-
- private ProcessResult processRule(Map<String, Object> namespace, Map<String, Object> rule) {
- ProcessResult result = ProcessResult.BLOCK_CONTINUE;
- @SuppressWarnings("unchecked")
- List<List<List<Object>>> statementBlocks = (List<List<List<Object>>>) rule.get("statement_blocks");
- if (statementBlocks == null) {
- throw new InvalidRuleException("rule missing 'statement_blocks'");
-
- }
- for (int blockNumber = 0; blockNumber < statementBlocks.size(); blockNumber++) {
- List<List<Object>> block = (List<List<Object>>) statementBlocks.get(blockNumber);
- namespace.put(BLOCK_NUMBER, Long.valueOf(blockNumber));
- namespace.put(BLOCK_NAME, "");
-
- result = processBlock(namespace, block);
- if (EnumSet.of(ProcessResult.RULE_SUCCESS, ProcessResult.RULE_FAIL).contains(result)) {
- break;
- } else if (result == ProcessResult.BLOCK_CONTINUE) {
- continue;
- } else {
- throw new IllegalStateException(String.format("%s unexpected statement result: %s",
- result));
- }
- }
- if (EnumSet.of(ProcessResult.RULE_SUCCESS, ProcessResult.BLOCK_CONTINUE).contains(result)) {
- return ProcessResult.RULE_SUCCESS;
- } else {
- return ProcessResult.RULE_FAIL;
- }
- }
-
- private ProcessResult processBlock(Map<String, Object> namespace, List<List<Object>> block) {
- ProcessResult result = ProcessResult.STATEMENT_CONTINUE;
-
- for (int statementNumber = 0; statementNumber < block.size(); statementNumber++) {
- List<Object> statement = (List<Object>) block.get(statementNumber);
- namespace.put(STATEMENT_NUMBER, Long.valueOf(statementNumber));
-
- try {
- result = processStatement(namespace, statement);
- } catch (Exception e) {
- throw new IllegalStateException(String.format("%s statement=%s %s",
- statementId(namespace), statement, e), e);
- }
- if (EnumSet.of(ProcessResult.BLOCK_CONTINUE, ProcessResult.RULE_SUCCESS,
- ProcessResult.RULE_FAIL).contains(result)) {
- break;
- } else if (result == ProcessResult.STATEMENT_CONTINUE) {
- continue;
- } else {
- throw new IllegalStateException(String.format("%s unexpected statement result: %s",
- result));
- }
- }
- if (result == ProcessResult.STATEMENT_CONTINUE) {
- result = ProcessResult.BLOCK_CONTINUE;
- }
- return result;
- }
-
- private ProcessResult processStatement(Map<String, Object> namespace, List<Object> statement) {
- ProcessResult result = ProcessResult.STATEMENT_CONTINUE;
- String verb = getVerb(statement);
-
- switch (verb) {
- case "set":
- result = verbSet(verb, namespace, statement);
- break;
- case "length":
- result = verbLength(verb, namespace, statement);
- break;
- case "interpolate":
- result = verbInterpolate(verb, namespace, statement);
- break;
- case "append":
- result = verbAppend(verb, namespace, statement);
- break;
- case "unique":
- result = verbUnique(verb, namespace, statement);
- break;
- case "split":
- result = verbSplit(verb, namespace, statement);
- break;
- case "join":
- result = verbJoin(verb, namespace, statement);
- break;
- case "lower":
- result = verbLower(verb, namespace, statement);
- break;
- case "upper":
- result = verbUpper(verb, namespace, statement);
- break;
- case "in":
- result = verbIn(verb, namespace, statement);
- break;
- case "not_in":
- result = verbNotIn(verb, namespace, statement);
- break;
- case "compare":
- result = verbCompare(verb, namespace, statement);
- break;
- case "regexp":
- result = verbRegexp(verb, namespace, statement);
- break;
- case "regexp_replace":
- result = verbRegexpReplace(verb, namespace, statement);
- break;
- case "exit":
- result = verbExit(verb, namespace, statement);
- break;
- case "continue":
- result = verbContinue(verb, namespace, statement);
- break;
- default:
- throw new InvalidRuleException(String.format("unknown verb '%s'", verb));
- }
-
- return result;
- }
-
- private ProcessResult verbSet(String verb, Map<String, Object> namespace, List<Object> statement) {
- Token variable = getVariable(verb, statement, 1, namespace);
- Token parameter = getParameter(verb, statement, 2, namespace, null);
-
- variable.set(parameter.getObjectValue());
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s",
- statementId(namespace), verb, this.success, variable, variable.get()));
- }
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbLength(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token variable = getVariable(verb, statement, 1, namespace);
- Token parameter = getParameter(verb, statement, 2, namespace,
- EnumSet.of(TokenType.ARRAY, TokenType.MAP, TokenType.STRING));
- long length;
-
- switch (parameter.type) {
- case ARRAY: {
- length = parameter.getListValue().size();
- }
- break;
- case MAP: {
- length = parameter.getMapValue().size();
- }
- break;
- case STRING: {
- length = parameter.getStringValue().length();
- }
- break;
- default:
- throw new IllegalStateException(String.format("unexpected token type: %s",
- parameter.type));
- }
-
- variable.set(length);
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s parameter=%s",
- statementId(namespace), verb, this.success, variable, variable.get(),
- parameter.getObjectValue()));
- }
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbInterpolate(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token variable = getVariable(verb, statement, 1, namespace);
- String string = (String) getRawParameter(verb, statement, 2, EnumSet.of(TokenType.STRING));
- String newValue = null;
-
- try {
- newValue = substituteVariables(string, namespace);
- } catch (Exception e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, variable='%s' string='%s': %s", verb, variable, string, e));
- }
- variable.set(newValue);
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s string='%s'",
- statementId(namespace), verb, this.success, variable, variable.get(), string));
- }
-
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbAppend(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token variable = getToken(verb, statement, 1, namespace,
- EnumSet.of(TokenStorageType.VARIABLE), EnumSet.of(TokenType.ARRAY));
- Token item = getParameter(verb, statement, 2, namespace, null);
-
- try {
- List<Object> list = variable.getListValue();
- list.add(item.getObjectValue());
- } catch (Exception e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, variable='%s' item='%s': %s", verb,
- variable.getObjectValue(), item.getObjectValue(), e));
- }
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s item=%s",
- statementId(namespace), verb, this.success, variable, variable.get(),
- item.getObjectValue()));
- }
-
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbUnique(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token variable = getVariable(verb, statement, 1, namespace);
- Token array = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.ARRAY));
-
- List<Object> newValue = new ArrayList<Object>();
- Set<Object> seen = new HashSet<Object>();
-
- for (Object member : array.getListValue()) {
- if (seen.contains(member)) {
- continue;
- } else {
- newValue.add(member);
- seen.add(member);
- }
- }
-
- variable.set(newValue);
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s array=%s",
- statementId(namespace), verb, this.success, variable, variable.get(),
- array.getObjectValue()));
- }
-
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbSplit(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token variable = getVariable(verb, statement, 1, namespace);
- Token string = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.STRING));
- Token pattern = getParameter(verb, statement, 3, namespace, EnumSet.of(TokenType.STRING));
-
- Pattern regexp;
- List<String> newValue;
-
- try {
- regexp = Pattern.compile(pattern.getStringValue());
- } catch (Exception e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, bad regular expression pattern '%s', %s", verb,
- pattern.getObjectValue(), e));
- }
- try {
- newValue = new ArrayList<String>(
- Arrays.asList(regexp.split((String) string.getStringValue())));
- } catch (Exception e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, string='%s' pattern='%s', %s", verb,
- string.getObjectValue(), pattern.getObjectValue(), e));
- }
-
- variable.set(newValue);
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format(
- "%s verb='%s' success=%s variable: %s=%s string='%s' pattern='%s'",
- statementId(namespace), verb, this.success, variable, variable.get(),
- string.getObjectValue(), pattern.getObjectValue()));
- }
-
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbJoin(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token variable = getVariable(verb, statement, 1, namespace);
- Token array = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.ARRAY));
- Token conjunction = getParameter(verb, statement, 3, namespace,
- EnumSet.of(TokenType.STRING));
- String newValue;
-
- try {
- newValue = join(array.getListValue(), conjunction.getStringValue());
- } catch (Exception e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, array=%s conjunction='%s', %s", verb,
- array.getObjectValue(), conjunction.getObjectValue(), e));
- }
-
- variable.set(newValue);
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format(
- "%s verb='%s' success=%s variable: %s=%s array='%s' conjunction='%s'",
- statementId(namespace), verb, this.success, variable, variable.get(),
- array.getObjectValue(), conjunction.getObjectValue()));
- }
-
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbLower(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token variable = getVariable(verb, statement, 1, namespace);
- Token parameter = getParameter(verb, statement, 2, namespace,
- EnumSet.of(TokenType.STRING, TokenType.ARRAY, TokenType.MAP));
-
- try {
- switch (parameter.type) {
- case STRING: {
- String oldValue = parameter.getStringValue();
- String newValue;
- newValue = oldValue.toLowerCase();
- variable.set(newValue);
- }
- break;
- case ARRAY: {
- List<Object> oldValue = parameter.getListValue();
- List<Object> newValue = new ArrayList<Object>(oldValue.size());
- String oldItem;
- String newItem;
-
- for (Object item : oldValue) {
- try {
- oldItem = (String) item;
- } catch (ClassCastException e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, array item (%s) is not a string, array=%s",
- verb, item, parameter.getObjectValue(), e));
- }
- newItem = oldItem.toLowerCase();
- newValue.add(newItem);
- }
- variable.set(newValue);
- }
- break;
- case MAP: {
- Map<String, Object> oldValue = parameter.getMapValue();
- Map<String, Object> newValue = new LinkedHashMap<String, Object>(oldValue.size());
-
- for (Map.Entry<String, Object> entry : oldValue.entrySet()) {
- String oldKey;
- String newKey;
- Object value = entry.getValue();
-
- oldKey = entry.getKey();
- newKey = oldKey.toLowerCase();
- newValue.put(newKey, value);
- }
- variable.set(newValue);
- }
- break;
- default:
- throw new IllegalStateException(String.format("unexpected token type: %s",
- parameter.type));
- }
- } catch (Exception e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, variable='%s' parameter='%s': %s", verb, variable,
- parameter.getObjectValue(), e), e);
- }
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s parameter=%s",
- statementId(namespace), verb, this.success, variable, variable.get(),
- parameter.getObjectValue()));
- }
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbUpper(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token variable = getVariable(verb, statement, 1, namespace);
- Token parameter = getParameter(verb, statement, 2, namespace,
- EnumSet.of(TokenType.STRING, TokenType.ARRAY, TokenType.MAP));
-
- try {
- switch (parameter.type) {
- case STRING: {
- String oldValue = parameter.getStringValue();
- String newValue;
- newValue = oldValue.toUpperCase();
- variable.set(newValue);
- }
- break;
- case ARRAY: {
- List<Object> oldValue = parameter.getListValue();
- List<Object> newValue = new ArrayList<Object>(oldValue.size());
- String oldItem;
- String newItem;
-
- for (Object item : oldValue) {
- try {
- oldItem = (String) item;
- } catch (ClassCastException e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, array item (%s) is not a string, array=%s",
- verb, item, parameter.getObjectValue(), e));
- }
- newItem = oldItem.toUpperCase();
- newValue.add(newItem);
- }
- variable.set(newValue);
- }
- break;
- case MAP: {
- Map<String, Object> oldValue = parameter.getMapValue();
- Map<String, Object> newValue = new LinkedHashMap<String, Object>(oldValue.size());
-
- for (Map.Entry<String, Object> entry : oldValue.entrySet()) {
- String oldKey;
- String newKey;
- Object value = entry.getValue();
-
- oldKey = entry.getKey();
- newKey = oldKey.toUpperCase();
- newValue.put(newKey, value);
- }
- variable.set(newValue);
- }
- break;
- default:
- throw new IllegalStateException(String.format("unexpected token type: %s",
- parameter.type));
- }
- } catch (Exception e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, variable='%s' parameter='%s': %s", verb, variable,
- parameter.getObjectValue(), e), e);
- }
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s parameter=%s",
- statementId(namespace), verb, this.success, variable, variable.get(),
- parameter.getObjectValue()));
- }
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbIn(String verb, Map<String, Object> namespace, List<Object> statement) {
- Token member = getParameter(verb, statement, 1, namespace, null);
- Token collection = getParameter(verb, statement, 2, namespace,
- EnumSet.of(TokenType.ARRAY, TokenType.MAP, TokenType.STRING));
-
- switch (collection.type) {
- case ARRAY: {
- this.success = collection.getListValue().contains(member.getObjectValue());
- }
- break;
- case MAP: {
- if (member.type != TokenType.STRING) {
- throw new InvalidTypeException(String.format(
- "verb '%s' requires parameter #1 to be a %swhen parameter #2 is a %s",
- TokenType.STRING, collection.type));
- }
- this.success = collection.getMapValue().containsKey(member.getObjectValue());
- }
- break;
- case STRING: {
- if (member.type != TokenType.STRING) {
- throw new InvalidTypeException(String.format(
- "verb '%s' requires parameter #1 to be a %swhen parameter #2 is a %s",
- TokenType.STRING, collection.type));
- }
- this.success = (collection.getStringValue()).contains(member.getStringValue());
- }
- break;
- default:
- throw new IllegalStateException(String.format("unexpected token type: %s",
- collection.type));
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s member=%s collection=%s",
- statementId(namespace), verb, this.success, member.getObjectValue(),
- collection.getObjectValue()));
- }
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbNotIn(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token member = getParameter(verb, statement, 1, namespace, null);
- Token collection = getParameter(verb, statement, 2, namespace,
- EnumSet.of(TokenType.ARRAY, TokenType.MAP, TokenType.STRING));
-
- switch (collection.type) {
- case ARRAY: {
- this.success = !collection.getListValue().contains(member.getObjectValue());
- }
- break;
- case MAP: {
- if (member.type != TokenType.STRING) {
- throw new InvalidTypeException(String.format(
- "verb '%s' requires parameter #1 to be a %swhen parameter #2 is a %s",
- TokenType.STRING, collection.type));
- }
- this.success = !collection.getMapValue().containsKey(member.getObjectValue());
- }
- break;
- case STRING: {
- if (member.type != TokenType.STRING) {
- throw new InvalidTypeException(String.format(
- "verb '%s' requires parameter #1 to be a %swhen parameter #2 is a %s",
- TokenType.STRING, collection.type));
- }
- this.success = !(collection.getStringValue()).contains(member.getStringValue());
- }
- break;
- default:
- throw new IllegalStateException(String.format("unexpected token type: %s",
- collection.type));
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s member=%s collection=%s",
- statementId(namespace), verb, this.success, member.getObjectValue(),
- collection.getObjectValue()));
- }
-
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbCompare(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token left = getParameter(verb, statement, 1, namespace, null);
- Token op = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.STRING));
- Token right = getParameter(verb, statement, 3, namespace, null);
- String invalidOp = "operator %s not supported for type %s";
- TokenType tokenType;
- String opValue = op.getStringValue();
- boolean result;
-
- if (left.type != right.type) {
- throw new InvalidTypeException(String.format(
- "verb '%s' both items must have the same type left is %s and right is %s",
- verb, left.type, right.type));
- } else {
- tokenType = left.type;
- }
-
- switch (opValue) {
- case "==":
- case "!=": {
- switch (tokenType) {
- case STRING: {
- String leftValue = left.getStringValue();
- String rightValue = right.getStringValue();
- result = leftValue.equals(rightValue);
- }
- break;
- case INTEGER: {
- Long leftValue = left.getLongValue();
- Long rightValue = right.getLongValue();
- result = leftValue.equals(rightValue);
- }
- break;
- case REAL: {
- Double leftValue = left.getDoubleValue();
- Double rightValue = right.getDoubleValue();
- result = leftValue.equals(rightValue);
- }
- break;
- case ARRAY: {
- List<Object> leftValue = left.getListValue();
- List<Object> rightValue = right.getListValue();
- result = leftValue.equals(rightValue);
- }
- break;
- case MAP: {
- Map<String, Object> leftValue = left.getMapValue();
- Map<String, Object> rightValue = right.getMapValue();
- result = leftValue.equals(rightValue);
- }
- break;
- case BOOLEAN: {
- Boolean leftValue = left.getBooleanValue();
- Boolean rightValue = right.getBooleanValue();
- result = leftValue.equals(rightValue);
- }
- break;
- case NULL: {
- result = (left.getNullValue() == right.getNullValue());
- }
- break;
- default: {
- throw new IllegalStateException(String.format("unexpected token type: %s",
- tokenType));
- }
- }
- if (opValue.equals("!=")) { // negate the sense of the test
- result = !result;
- }
- }
- break;
- case "<":
- case ">=": {
- switch (tokenType) {
- case STRING: {
- String leftValue = left.getStringValue();
- String rightValue = right.getStringValue();
- result = leftValue.compareTo(rightValue) < 0;
- }
- break;
- case INTEGER: {
- Long leftValue = left.getLongValue();
- Long rightValue = right.getLongValue();
- result = leftValue < rightValue;
- }
- break;
- case REAL: {
- Double leftValue = left.getDoubleValue();
- Double rightValue = right.getDoubleValue();
- result = leftValue < rightValue;
- }
- break;
- case ARRAY:
- case MAP:
- case BOOLEAN:
- case NULL: {
- throw new InvalidRuleException(String.format(invalidOp, opValue, tokenType));
- }
- default: {
- throw new IllegalStateException(String.format("unexpected token type: %s",
- tokenType));
- }
- }
- if (opValue.equals(">=")) { // negate the sense of the test
- result = !result;
- }
- }
- break;
- case ">":
- case "<=": {
- switch (tokenType) {
- case STRING: {
- String leftValue = left.getStringValue();
- String rightValue = right.getStringValue();
- result = leftValue.compareTo(rightValue) > 0;
- }
- break;
- case INTEGER: {
- Long leftValue = left.getLongValue();
- Long rightValue = right.getLongValue();
- result = leftValue > rightValue;
- }
- break;
- case REAL: {
- Double leftValue = left.getDoubleValue();
- Double rightValue = right.getDoubleValue();
- result = leftValue > rightValue;
- }
- break;
- case ARRAY:
- case MAP:
- case BOOLEAN:
- case NULL: {
- throw new InvalidRuleException(String.format(invalidOp, opValue, tokenType));
- }
- default: {
- throw new IllegalStateException(String.format("unexpected token type: %s",
- tokenType));
- }
- }
- if (opValue.equals("<=")) { // negate the sense of the test
- result = !result;
- }
- }
- break;
- default: {
- throw new InvalidRuleException(String.format(
- "verb '%s' has unknown comparison operator '%s'", verb, op.getObjectValue()));
- }
- }
- this.success = result;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("%s verb='%s' success=%s left=%s op='%s' right=%s",
- statementId(namespace), verb, this.success, left.getObjectValue(),
- op.getObjectValue(), right.getObjectValue()));
- }
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbRegexp(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token string = getParameter(verb, statement, 1, namespace, EnumSet.of(TokenType.STRING));
- Token pattern = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.STRING));
-
- Pattern regexp;
- Matcher matcher;
-
- try {
- regexp = Pattern.compile(pattern.getStringValue());
- } catch (Exception e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, bad regular expression pattern '%s', %s", verb,
- pattern.getObjectValue(), e));
- }
- matcher = regexp.matcher(string.getStringValue());
-
- if (matcher.find()) {
- this.success = true;
- namespace.put(REGEXP_ARRAY_VARIABLE, regexpGroupList(matcher));
- namespace.put(REGEXP_MAP_VARIABLE, regexpGroupMap(pattern.getStringValue(), matcher));
- } else {
- this.success = false;
- namespace.put(REGEXP_ARRAY_VARIABLE, new ArrayList<Object>());
- namespace.put(REGEXP_MAP_VARIABLE, new HashMap<String, Object>());
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format(
- "%s verb='%s' success=%s string='%s' pattern='%s' %s=%s %s=%s",
- statementId(namespace), verb, this.success, string.getObjectValue(),
- pattern.getObjectValue(), REGEXP_ARRAY_VARIABLE,
- namespace.get(REGEXP_ARRAY_VARIABLE), REGEXP_MAP_VARIABLE,
- namespace.get(REGEXP_MAP_VARIABLE)));
- }
-
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbRegexpReplace(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- Token variable = getVariable(verb, statement, 1, namespace);
- Token string = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.STRING));
- Token pattern = getParameter(verb, statement, 3, namespace, EnumSet.of(TokenType.STRING));
- Token replacement = getParameter(verb, statement, 4, namespace,
- EnumSet.of(TokenType.STRING));
-
- Pattern regexp;
- Matcher matcher;
- String newValue;
-
- try {
- regexp = Pattern.compile(pattern.getStringValue());
- } catch (Exception e) {
- throw new InvalidValueException(String.format(
- "verb '%s' failed, bad regular expression pattern '%s', %s", verb,
- pattern.getObjectValue(), e));
- }
- matcher = regexp.matcher(string.getStringValue());
-
- newValue = matcher.replaceAll(replacement.getStringValue());
- variable.set(newValue);
- this.success = true;
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format(
- "%s verb='%s' success=%s variable: %s=%s string='%s' pattern='%s' replacement='%s'",
- statementId(namespace), verb, this.success, variable, variable.get(),
- string.getObjectValue(), pattern.getObjectValue(), replacement.getObjectValue()));
- }
-
- return ProcessResult.STATEMENT_CONTINUE;
- }
-
- private ProcessResult verbExit(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- ProcessResult statementResult = ProcessResult.STATEMENT_CONTINUE;
-
- Token exitStatusParam = getParameter(verb, statement, 1, namespace,
- EnumSet.of(TokenType.STRING));
- Token criteriaParam = getParameter(verb, statement, 2, namespace,
- EnumSet.of(TokenType.STRING));
- String exitStatus = (exitStatusParam.getStringValue()).toLowerCase();
- String criteria = (criteriaParam.getStringValue()).toLowerCase();
- ProcessResult result;
- boolean doExit;
-
- if (exitStatus.equals("rule_succeeds")) {
- result = ProcessResult.RULE_SUCCESS;
- } else if (exitStatus.equals("rule_fails")) {
- result = ProcessResult.RULE_FAIL;
- } else {
- throw new InvalidRuleException(String.format("verb='%s' unknown exit status '%s'",
- verb, exitStatus));
- }
-
- if (criteria.equals("if_success")) {
- if (this.success) {
- doExit = true;
- } else {
- doExit = false;
- }
- } else if (criteria.equals("if_not_success")) {
- if (!this.success) {
- doExit = true;
- } else {
- doExit = false;
- }
- } else if (criteria.equals("always")) {
- doExit = true;
- } else if (criteria.equals("never")) {
- doExit = false;
- } else {
- throw new InvalidRuleException(String.format("verb='%s' unknown exit criteria '%s'",
- verb, criteria));
- }
-
- if (doExit) {
- statementResult = result;
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format(
- "%s verb='%s' success=%s status=%s criteria=%s exiting=%s result=%s",
- statementId(namespace), verb, this.success, exitStatus, criteria, doExit,
- statementResult));
- }
-
- return statementResult;
- }
-
- private ProcessResult verbContinue(String verb, Map<String, Object> namespace,
- List<Object> statement) {
- ProcessResult statementResult = ProcessResult.STATEMENT_CONTINUE;
- Token criteriaParam = getParameter(verb, statement, 1, namespace,
- EnumSet.of(TokenType.STRING));
- String criteria = (criteriaParam.getStringValue()).toLowerCase();
- boolean doContinue;
-
- if (criteria.equals("if_success")) {
- if (this.success) {
- doContinue = true;
- } else {
- doContinue = false;
- }
- } else if (criteria.equals("if_not_success")) {
- if (!this.success) {
- doContinue = true;
- } else {
- doContinue = false;
- }
- } else if (criteria.equals("always")) {
- doContinue = true;
- } else if (criteria.equals("never")) {
- doContinue = false;
- } else {
- throw new InvalidRuleException(String.format(
- "verb='%s' unknown continue criteria '%s'", verb, criteria));
- }
-
- if (doContinue) {
- statementResult = ProcessResult.BLOCK_CONTINUE;
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format(
- "%s verb='%s' success=%s criteria=%s continuing=%s result=%s",
- statementId(namespace), verb, this.success, criteria, doContinue,
- statementResult));
- }
-
- return statementResult;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/StatementErrorException.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/StatementErrorException.java
deleted file mode 100644
index 6abab3ee..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/StatementErrorException.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (c) 2014 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-/**
- * Exception thrown when a mapping rule statement fails.
- *
- * @author John Dennis &lt;jdennis@redhat.com&gt;
- */
-
-public class StatementErrorException extends RuntimeException {
-
- private static final long serialVersionUID = 8312665727576018327L;
-
- public StatementErrorException() {
- }
-
- public StatementErrorException(String message) {
- super(message);
- }
-
- public StatementErrorException(Throwable cause) {
- super(cause);
- }
-
- public StatementErrorException(String message, Throwable cause) {
- super(message, cause);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Token.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Token.java
deleted file mode 100644
index 402fb064..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Token.java
+++ /dev/null
@@ -1,401 +0,0 @@
-/*
- * Copyright (c) 2014 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-import java.util.List;
-import java.util.Map;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-enum TokenStorageType {
- UNKNOWN, CONSTANT, VARIABLE
-}
-
-enum TokenType {
- STRING, // java String
- ARRAY, // java List
- MAP, // java Map
- INTEGER, // java Long
- BOOLEAN, // java Boolean
- NULL, // java null
- REAL, // java Double
- UNKNOWN, // undefined
-}
-
-/**
- * Rule statements can contain variables or constants, this class encapsulates
- * those values, enforces type handling and supports reading and writing of
- * those values.
- *
- * Technically at the syntactic level these are not tokens. A token would have
- * finer granularity such as identifier, operator, etc. I just couldn't think of
- * a better name for how they're used here and thought token was a reasonable
- * compromise as a name.
- *
- * @author John Dennis <jdennis@redhat.com>
- */
-
-class Token {
-
- /*
- * Regexp to identify a variable beginning with $ Supports array notation,
- * e.g. $foo[bar] Optional delimiting braces may be used to separate
- * variable from surrounding text.
- *
- * Examples: $foo ${foo} $foo[bar] ${foo[bar] where foo is the variable name
- * and bar is the array index.
- *
- * Identifer is any alphabetic followed by alphanumeric or underscore
- */
- private static final String VARIABLE_PAT = "(?<!\\\\)\\$" + // non-escaped $
- // sign
- "\\{?" + // optional delimiting brace
- "([a-zA-Z][a-zA-Z0-9_]*)" + // group 1: variable name
- "(\\[" + // group 2: optional index
- "([a-zA-Z0-9_]+)" + // group 3: array index
- "\\])?" + // end optional index
- "\\}?"; // optional delimiting brace
- public static final Pattern VARIABLE_RE = Pattern.compile(VARIABLE_PAT);
- /*
- * Requires only a variable to be present in the string but permits leading
- * and trailing whitespace.
- */
- private static final String VARIABLE_ONLY_PAT = "^\\s*" + VARIABLE_PAT + "\\s*$";
- public static final Pattern VARIABLE_ONLY_RE = Pattern.compile(VARIABLE_ONLY_PAT);
-
- private Object value = null;
-
- public Map<String, Object> namespace = null;
- public TokenStorageType storageType = TokenStorageType.UNKNOWN;
- public TokenType type = TokenType.UNKNOWN;
- public String name = null;
- public String index = null;
-
- Token(Object input, Map<String, Object> namespace) {
- this.namespace = namespace;
- if (input instanceof String) {
- parseVariable((String) input);
- if (this.storageType == TokenStorageType.CONSTANT) {
- this.value = input;
- this.type = classify(input);
- }
- } else {
- this.storageType = TokenStorageType.CONSTANT;
- this.value = input;
- this.type = classify(input);
- }
- }
-
- @Override
- public String toString() {
- if (this.storageType == TokenStorageType.CONSTANT) {
- return String.format("%s", this.value);
- } else if (this.storageType == TokenStorageType.VARIABLE) {
- if (this.index == null) {
- return String.format("$%s", this.name);
- } else {
- return String.format("$%s[%s]", this.name, this.index);
- }
- } else {
- return "UNKNOWN";
- }
- }
-
- void parseVariable(String string) {
- Matcher matcher = VARIABLE_ONLY_RE.matcher(string);
- if (matcher.find()) {
- String name = matcher.group(1);
- String index = matcher.group(3);
-
- this.storageType = TokenStorageType.VARIABLE;
- this.name = name;
- this.index = index;
- } else {
- this.storageType = TokenStorageType.CONSTANT;
- }
- }
-
- public static TokenType classify(Object value) {
- TokenType tokenType = TokenType.UNKNOWN;
- // ordered by expected occurrence
- if (value instanceof String) {
- tokenType = TokenType.STRING;
- } else if (value instanceof List) {
- tokenType = TokenType.ARRAY;
- } else if (value instanceof Map) {
- tokenType = TokenType.MAP;
- } else if (value instanceof Long) {
- tokenType = TokenType.INTEGER;
- } else if (value instanceof Boolean) {
- tokenType = TokenType.BOOLEAN;
- } else if (value == null) {
- tokenType = TokenType.NULL;
- } else if (value instanceof Double) {
- tokenType = TokenType.REAL;
- } else {
- throw new InvalidRuleException(String.format(
- "Type must be String, Long, Double, Boolean, List, Map, or null, not %s",
- value.getClass().getSimpleName(), value));
- }
- return tokenType;
- }
-
- Object get() {
- return get(null);
- }
-
- Object get(Object index) {
- Object base = null;
-
- if (this.storageType == TokenStorageType.CONSTANT) {
- return this.value;
- }
-
- if (this.namespace.containsKey(this.name)) {
- base = this.namespace.get(this.name);
- } else {
- throw new UndefinedValueException(String.format("variable '%s' not defined", this.name));
- }
-
- if (index == null) {
- index = this.index;
- }
-
- if (index == null) { // scalar types
- value = base;
- } else {
- if (base instanceof List) {
- @SuppressWarnings("unchecked")
- List<Object> list = (List<Object>) base;
- Integer idx = null;
-
- if (index instanceof Long) {
- idx = new Integer(((Long) index).intValue());
- } else if (index instanceof String) {
- try {
- idx = new Integer((String) index);
- } catch (NumberFormatException e) {
- throw new InvalidTypeException(
- String.format(
- "variable '%s' is an array indexed by '%s', however the index cannot be converted to an integer",
- this.name, index, e));
- }
- } else {
- throw new InvalidTypeException(
- String.format(
- "variable '%s' is an array indexed by '%s', however the index must be an integer or string not %s",
- this.name, index, index.getClass().getSimpleName()));
- }
-
- try {
- value = list.get(idx);
- } catch (IndexOutOfBoundsException e) {
- throw new UndefinedValueException(
- String.format(
- "variable '%s' is an array of size %d indexed by '%s', however the index is out of bounds",
- this.name, list.size(), idx, e));
- }
- } else if (base instanceof Map) {
- @SuppressWarnings("unchecked")
- Map<String, Object> map = (Map<String, Object>) base;
- String idx = null;
- if (index instanceof String) {
- idx = (String) index;
- } else {
- throw new InvalidTypeException(
- String.format(
- "variable '%s' is a map indexed by '%s', however the index must be a string not %s",
- this.name, index, index.getClass().getSimpleName()));
- }
- if (!map.containsKey(idx)) {
- throw new UndefinedValueException(
- String.format(
- "variable '%s' is a map indexed by '%s', however the index does not exist",
- this.name, index));
- }
- value = map.get(idx);
- } else {
- throw new InvalidTypeException(
- String.format(
- "variable '%s' is indexed by '%s', variable must be an array or map, not %s",
- this.name, index, base.getClass().getSimpleName()));
-
- }
- }
- this.type = classify(value);
- return value;
- }
-
- void set(Object value) {
- set(value, null);
- }
-
- void set(Object value, Object index) {
-
- if (this.storageType == TokenStorageType.CONSTANT) {
- throw new InvalidTypeException("cannot assign to a constant");
- }
-
- if (index == null) {
- index = this.index;
- }
-
- if (index == null) { // scalar types
- this.namespace.put(this.name, value);
- } else {
- Object base = null;
-
- if (this.namespace.containsKey(this.name)) {
- base = this.namespace.get(this.name);
- } else {
- throw new UndefinedValueException(String.format("variable '%s' not defined",
- this.name));
- }
-
- if (base instanceof List) {
- @SuppressWarnings("unchecked")
- List<Object> list = (List<Object>) base;
- Integer idx = null;
-
- if (index instanceof Long) {
- idx = new Integer(((Long) index).intValue());
- } else if (index instanceof String) {
- try {
- idx = new Integer((String) index);
- } catch (NumberFormatException e) {
- throw new InvalidTypeException(
- String.format(
- "variable '%s' is an array indexed by '%s', however the index cannot be converted to an integer",
- this.name, index, e));
- }
- } else {
- throw new InvalidTypeException(
- String.format(
- "variable '%s' is an array indexed by '%s', however the index must be an integer or string not %s",
- this.name, index, index.getClass().getSimpleName()));
- }
-
- try {
- value = list.set(idx, value);
- } catch (IndexOutOfBoundsException e) {
- throw new UndefinedValueException(
- String.format(
- "variable '%s' is an array of size %d indexed by '%s', however the index is out of bounds",
- this.name, list.size(), idx, e));
- }
- } else if (base instanceof Map) {
- @SuppressWarnings("unchecked")
- Map<String, Object> map = (Map<String, Object>) base;
- String idx = null;
- if (index instanceof String) {
- idx = (String) index;
- } else {
- throw new InvalidTypeException(
- String.format(
- "variable '%s' is a map indexed by '%s', however the index must be a string not %s",
- this.name, index, index.getClass().getSimpleName()));
- }
- if (!map.containsKey(idx)) {
- throw new UndefinedValueException(
- String.format(
- "variable '%s' is a map indexed by '%s', however the index does not exist",
- this.name, index));
- }
- value = map.put(idx, value);
- } else {
- throw new InvalidTypeException(
- String.format(
- "variable '%s' is indexed by '%s', variable must be an array or map, not %s",
- this.name, index, base.getClass().getSimpleName()));
-
- }
- }
- }
-
- public Object load() {
- this.value = get();
- return this.value;
- }
-
- public Object load(Object index) {
- this.value = get(index);
- return this.value;
- }
-
- public String getStringValue() {
- if (this.type == TokenType.STRING) {
- return (String) this.value;
- } else {
- throw new InvalidTypeException(String.format("expected %s value but token type is %s",
- TokenType.STRING, this.type));
- }
- }
-
- public List<Object> getListValue() {
- if (this.type == TokenType.ARRAY) {
- @SuppressWarnings("unchecked")
- List<Object> list = (List<Object>) this.value;
- return list;
- } else {
- throw new InvalidTypeException(String.format("expected %s value but token type is %s",
- TokenType.ARRAY, this.type));
- }
- }
-
- public Map<String, Object> getMapValue() {
- if (this.type == TokenType.MAP) {
- @SuppressWarnings("unchecked")
- Map<String, Object> map = (Map<String, Object>) this.value;
- return map;
- } else {
- throw new InvalidTypeException(String.format("expected %s value but token type is %s",
- TokenType.MAP, this.type));
- }
- }
-
- public Long getLongValue() {
- if (this.type == TokenType.INTEGER) {
- return (Long) this.value;
- } else {
- throw new InvalidTypeException(String.format("expected %s value but token type is %s",
- TokenType.INTEGER, this.type));
- }
- }
-
- public Boolean getBooleanValue() {
- if (this.type == TokenType.BOOLEAN) {
- return (Boolean) this.value;
- } else {
- throw new InvalidTypeException(String.format("expected %s value but token type is %s",
- TokenType.BOOLEAN, this.type));
- }
- }
-
- public Double getDoubleValue() {
- if (this.type == TokenType.REAL) {
- return (Double) this.value;
- } else {
- throw new InvalidTypeException(String.format("expected %s value but token type is %s",
- TokenType.REAL, this.type));
- }
- }
-
- public Object getNullValue() {
- if (this.type == TokenType.NULL) {
- return this.value;
- } else {
- throw new InvalidTypeException(String.format("expected %s value but token type is %s",
- TokenType.NULL, this.type));
- }
- }
-
- public Object getObjectValue() {
- return this.value;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/UndefinedValueException.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/UndefinedValueException.java
deleted file mode 100644
index 7200da3d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/UndefinedValueException.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2014 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.idpmapping;
-
-/**
- * Exception thrown when a statement references an undefined value.
- *
- * @author John Dennis &lt;jdennis@redhat.com&gt;
- */
-
-public class UndefinedValueException extends RuntimeException {
-
- private static final long serialVersionUID = -1607453931670834435L;
-
- public UndefinedValueException() {
- }
-
- public UndefinedValueException(String message) {
- super(message);
- }
-
- public UndefinedValueException(Throwable cause) {
- super(cause);
- }
-
- public UndefinedValueException(String message, Throwable cause) {
- super(message, cause);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/RuleProcessorTest.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/RuleProcessorTest.java
deleted file mode 100644
index 84d403f9..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/RuleProcessorTest.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright (c) 2016 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Matchers.any;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.powermock.api.mockito.PowerMockito;
-import org.powermock.api.support.membermodification.MemberMatcher;
-import org.powermock.api.support.membermodification.MemberModifier;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-import org.powermock.modules.junit4.PowerMockRunner;
-import org.powermock.reflect.Whitebox;
-
-@PrepareForTest(RuleProcessor.class)
-@RunWith(PowerMockRunner.class)
-public class RuleProcessorTest {
-
- @Mock
- private RuleProcessor ruleProcess;
-
- @Before
- public void setUp() {
- ruleProcess = PowerMockito.mock(RuleProcessor.class, Mockito.CALLS_REAL_METHODS);
- }
-
- @Test
- public void testJoin() {
- List<Object> list = new ArrayList<Object>();
- list.add("str1");
- list.add("str2");
- list.add("str3");
- assertEquals("str1/str2/str3", RuleProcessor.join(list, "/"));
- }
-
- @Test
- public void testSubstituteVariables() {
- Map<String, Object> namespace = new HashMap<String, Object>() {
- {
- put("foo1", new HashMap<String, String>() {
- {
- put("0", "1");
- }
- });
- }
- };
- String str = "foo1[0]";
- String subVariable = ruleProcess.substituteVariables(str, namespace);
- assertNotNull(subVariable);
- assertEquals(subVariable, str);
- }
-
- @Test
- public void testGetMapping() {
- Map<String, Object> namespace = new HashMap<String, Object>() {
- {
- put("foo1", new HashMap<String, String>() {
- {
- put("0", "1");
- }
- });
- }
- };
- final Map<String, Object> item = new HashMap<String, Object>() {
- {
- put("str", "val");
- }
- };
- Map<String, Object> rules = new HashMap<String, Object>() {
- {
- put("mapping", item);
- put("mapping_name", "mapping");
- }
- };
- Map<String, Object> mapping = ruleProcess.getMapping(namespace, rules);
- assertNotNull(mapping);
- assertTrue(mapping.containsKey("str"));
- assertEquals("val", mapping.get("str"));
- }
-
- @Test
- public void testProcess() throws Exception {
- String json = " {\"rules\":[" + "{\"Name\":\"user\", \"Id\":1},"
- + "{\"Name\":\"Admin\", \"Id\":2}]} ";
- Map<String, Object> mapping = new HashMap<String, Object>() {
- {
- put("Name", "Admin");
- }
- };
- List<Map<String, Object>> internalRules = new ArrayList<Map<String, Object>>();
- Map<String, Object> internalRule = new HashMap<String, Object>() {
- {
- put("Name", "Admin");
- put("statement_blocks", "user");
- }
- };
- internalRules.add(internalRule);
- MemberModifier.field(RuleProcessor.class, "rules").set(ruleProcess, internalRules);
- PowerMockito.suppress(MemberMatcher.method(RuleProcessor.class, "processRule", Map.class,
- Map.class));
- PowerMockito.when(ruleProcess, "processRule", any(Map.class), any(Map.class)).thenReturn(
- ProcessResult.RULE_SUCCESS);
- PowerMockito.suppress(MemberMatcher.method(RuleProcessor.class, "getMapping", Map.class,
- Map.class));
- when(ruleProcess.getMapping(any(Map.class), any(Map.class))).thenReturn(mapping);
- Whitebox.invokeMethod(ruleProcess, "process", json);
- verify(ruleProcess, times(3)).getMapping(any(Map.class), any(Map.class));
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/TokenTest.java b/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/TokenTest.java
deleted file mode 100644
index d6181051..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/TokenTest.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 2016 Red Hat, Inc. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.idpmapping;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Map;
-import org.junit.Test;
-
-public class TokenTest {
-
- private final Map<String, Object> namespace = new HashMap<String, Object>() {
- {
- put("foo1", new HashMap<String, String>() {
- {
- put("0", "1");
- }
- });
- }
- };
- private Object input = "$foo1[0]";
- private Token token = new Token(input, namespace);
- private Token mapToken = new Token(namespace, namespace);
-
- @Test
- public void testToken() {
- assertEquals(token.toString(), input);
- assertTrue(token.storageType == TokenStorageType.VARIABLE);
- assertEquals(mapToken.toString(), "{foo1={0=1}}");
- assertTrue(mapToken.storageType == TokenStorageType.CONSTANT);
- }
-
- @Test
- public void testClassify() {
- assertEquals(Token.classify(new ArrayList<>()), TokenType.ARRAY);
- assertEquals(Token.classify(true), TokenType.BOOLEAN);
- assertEquals(Token.classify(new Long(365)), TokenType.INTEGER);
- assertEquals(Token.classify(new HashMap<String, Object>()), TokenType.MAP);
- assertEquals(Token.classify(null), TokenType.NULL);
- assertEquals(Token.classify(365.00), TokenType.REAL);
- assertEquals(Token.classify("foo_str"), TokenType.STRING);
- }
-
- @Test
- public void testGet() {
- assertNotNull(token.get());
- assertTrue(token.get("0") == "1");
- assertNotNull(mapToken.get());
- assertTrue(mapToken.get(0) == namespace);
- }
-
- @Test
- public void testGetMapValue() {
- assertTrue(mapToken.getMapValue() == namespace);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro-act/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-shiro-act/pom.xml
deleted file mode 100644
index fade2aea..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro-act/pom.xml
+++ /dev/null
@@ -1,84 +0,0 @@
-<!-- Copyright (c) 2015 Brocade Communications Systems, Inc. and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-shiro-act</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-shiro</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- </dependency>
-
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>commons-beanutils</groupId>
- <artifactId>commons-beanutils</artifactId>
- <version>1.8.3</version>
- </dependency>
-
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
- <build>
- <pluginManagement>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <version>${bundle.plugin.version}</version>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Bundle-Name>${project.groupId}.${project.artifactId}</Bundle-Name>
- </instructions>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </configuration>
- </plugin>
- </plugins>
- </pluginManagement>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Bundle-Activator>org.opendaylight.aaa.shiroact.Activator</Bundle-Activator>
- </instructions>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jar-plugin</artifactId>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro-act/src/main/java/org/opendaylight/aaa/shiroact/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-shiro-act/src/main/java/org/opendaylight/aaa/shiroact/Activator.java
deleted file mode 100644
index 0012a0bd..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro-act/src/main/java/org/opendaylight/aaa/shiroact/Activator.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiroact;
-
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.opendaylight.aaa.shiro.ServiceProxy;
-import org.osgi.framework.BundleContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Responsible for activating the aaa-shiro-act bundle. This bundle is primarily
- * responsible for enabling AuthN and AuthZ. If this bundle is not installed,
- * then AuthN and AuthZ will not take effect.
- *
- * To ensure that the AAA is enabled for your feature, make sure to include the
- * <code>odl-aaa-shiro</code> feature in your feature definition.
- *
- * Offers contextual <code>DEBUG</code> level clues concerning the activation of
- * the <code>aaa-shiro-act</code> bundle. To enable the enhanced debugging issue
- * the following line in the karaf shell:
- * <code>log:set debug org.opendaylight.aaa.shiroact.Activator</code>
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class Activator extends DependencyActivatorBase {
-
- private static final Logger LOG = LoggerFactory.getLogger(Activator.class);
-
- @Override
- public void destroy(BundleContext bc, DependencyManager dm)
- throws Exception {
- final String DEBUG_MESSAGE = "Destroying the aaa-shiro-act bundle";
- LOG.debug(DEBUG_MESSAGE);
- }
-
- @Override
- public void init(BundleContext bc, DependencyManager dm) throws Exception {
- final String DEBUG_MESSAGE = "Initializing the aaa-shiro-act bundle";
- LOG.debug(DEBUG_MESSAGE);
- ServiceProxy.getInstance().setEnabled(true);
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro-act/src/test/java/org/opendaylight/aaa/shiroact/ActivatorTest.java b/upstream/odl-aaa-moon/aaa/aaa-shiro-act/src/test/java/org/opendaylight/aaa/shiroact/ActivatorTest.java
deleted file mode 100644
index 23eef9db..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro-act/src/test/java/org/opendaylight/aaa/shiroact/ActivatorTest.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiroact;
-
-import static org.junit.Assert.*;
-
-import org.junit.Test;
-import org.opendaylight.aaa.shiro.ServiceProxy;
-
-public class ActivatorTest {
-
- @Test
- public void testActivatorEnablesServiceProxy() throws Exception {
- // should toggle the ServiceProxy enable status to true
- new Activator().init(null, null);;
- assertTrue(ServiceProxy.getInstance().getEnabled(null));
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/pom.xml b/upstream/odl-aaa-moon/aaa/aaa-shiro/pom.xml
deleted file mode 100644
index ea551532..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/pom.xml
+++ /dev/null
@@ -1,169 +0,0 @@
-<!-- Copyright (c) 2015 Brocade Communications Systems, Inc. and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>aaa-shiro</artifactId>
- <packaging>bundle</packaging>
-
- <dependencies>
- <!-- jersey client for moon authN -->
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-client</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.json</groupId>
- <artifactId>json</artifactId>
- <version>20140107</version>
- </dependency>
- <!-- OAuth2 dependencies for moon -->
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.common</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
- <scope>provided</scope>
- </dependency>
- <!-- end -->
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-sts</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-basic</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-web</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>commons-beanutils</groupId>
- <artifactId>commons-beanutils</artifactId>
- <version>1.8.3</version>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>javax.servlet-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </dependency>
-
- <!-- Testing Dependencies -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.mockito</groupId>
- <artifactId>mockito-all</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>ch.qos.logback</groupId>
- <artifactId>logback-core</artifactId>
- <version>1.1.6</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>ch.qos.logback</groupId>
- <artifactId>logback-classic</artifactId>
- <version>1.1.6</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
- <build>
- <pluginManagement>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <version>${bundle.plugin.version}</version>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Bundle-Name>${project.groupId}.${project.artifactId}</Bundle-Name>
- </instructions>
- <manifestLocation>${project.basedir}/META-INF</manifestLocation>
- </configuration>
- </plugin>
- </plugins>
- </pluginManagement>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <instructions>
- <Import-Package>
- *
- </Import-Package>
- <Web-ContextPath>/moon</Web-ContextPath>
- <Bundle-Activator>org.opendaylight.aaa.shiro.Activator</Bundle-Activator>
- </instructions>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jar-plugin</artifactId>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>attach-artifacts</id>
- <phase>package</phase>
- <goals>
- <goal>attach-artifact</goal>
- </goals>
- <configuration>
- <artifacts>
- <artifact>
- <file>${project.build.directory}/classes/shiro.ini</file>
- <type>cfg</type>
- <classifier>configuration</classifier>
- </artifact>
- </artifacts>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/Activator.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/Activator.java
deleted file mode 100644
index 2f1c98f7..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/Activator.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro;
-
-import org.apache.felix.dm.DependencyActivatorBase;
-import org.apache.felix.dm.DependencyManager;
-import org.osgi.framework.BundleContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * This scaffolding allows the use of AAA Filters without AuthN or AuthZ
- * enabled. This is done to support workflows such as those included in the
- * <code>odl-restconf-noauth</code> feature.
- *
- * This class is also responsible for offering contextual <code>DEBUG</code>
- * level clues concerning the activation of the <code>aaa-shiro</code> bundle.
- * To enable these debug messages, issue the following command in the karaf
- * shell: <code>log:set debug org.opendaylight.aaa.shiro.Activator</code>
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class Activator extends DependencyActivatorBase {
-
- private static final Logger LOG = LoggerFactory.getLogger(Activator.class);
-
- @Override
- public void destroy(BundleContext bc, DependencyManager dm) throws Exception {
- final String DEBUG_MESSAGE = "Destroying the aaa-shiro bundle";
- LOG.debug(DEBUG_MESSAGE);
- }
-
- @Override
- public void init(BundleContext bc, DependencyManager dm) throws Exception {
- final String DEBUG_MESSAGE = "Initializing the aaa-shiro bundle";
- LOG.debug(DEBUG_MESSAGE);
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/ServiceProxy.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/ServiceProxy.java
deleted file mode 100644
index e4485d73..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/ServiceProxy.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro;
-
-import org.opendaylight.aaa.shiro.filters.AAAFilter;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Responsible for enabling and disabling the AAA service. By default, the
- * service is disabled; the AAAFilter will not require AuthN or AuthZ. The
- * service is enabled through calling
- * <code>ServiceProxy.getInstance().setEnabled(true)</code>. AuthN and AuthZ are
- * disabled by default in order to support workflows such as the feature
- * <code>odl-restconf-noauth</code>.
- *
- * The AAA service is enabled through installing the <code>odl-aaa-shiro</code>
- * feature. The <code>org.opendaylight.aaa.shiroact.Activator()</code>
- * constructor calls enables AAA through the ServiceProxy, which in turn enables
- * the AAAFilter.
- *
- * ServiceProxy is a singleton; access to the ServiceProxy is granted through
- * the <code>getInstance()</code> function.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- * @see <a
- * href="https://github.com/opendaylight/netconf/blob/master/opendaylight/restconf/sal-rest-connector/src/main/resources/WEB-INF/web.xml">resconf
- * web,xml</a>
- * @see <code>org.opendaylight.aaa.shiro.Activator</code>
- * @see <code>org.opendaylight.aaa.shiro.filters.AAAFilter</code>
- */
-public class ServiceProxy {
- private static final Logger LOG = LoggerFactory.getLogger(ServiceProxy.class);
-
- /**
- * AuthN and AuthZ are disabled by default to support workflows included in
- * features such as <code>odl-restconf-noauth</code>
- */
- public static final boolean DEFAULT_AA_ENABLE_STATUS = false;
-
- private static ServiceProxy instance = new ServiceProxy();
- private volatile boolean enabled = false;
- private AAAFilter filter;
-
- /**
- * private for singleton pattern
- */
- private ServiceProxy() {
- final String INFO_MESSAGE = "Creating the ServiceProxy";
- LOG.info(INFO_MESSAGE);
- }
-
- /**
- * @return ServiceProxy, a feature level singleton
- */
- public static ServiceProxy getInstance() {
- return instance;
- }
-
- /**
- * Enables/disables the feature, cascading the state information to the
- * AAAFilter.
- *
- * @param enabled A flag indicating whether to enable the Service.
- */
- public synchronized void setEnabled(final boolean enabled) {
- this.enabled = enabled;
- final String SERVICE_ENABLED_INFO_MESSAGE = "Setting ServiceProxy enabled to " + enabled;
- LOG.info(SERVICE_ENABLED_INFO_MESSAGE);
- // check for null because of non-determinism in bundle load
- if (filter != null) {
- filter.setEnabled(enabled);
- }
- }
-
- /**
- * Extract whether the service is enabled.
- *
- * @param filter
- * register an optional Filter for callback if enable state
- * changes
- * @return Whether the service is enabled
- */
- public synchronized boolean getEnabled(final AAAFilter filter) {
- this.filter = filter;
- return enabled;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/accounting/Accounter.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/accounting/Accounter.java
deleted file mode 100644
index e768ea59..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/accounting/Accounter.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.shiro.accounting;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Accounter is a common place to output AAA messages. Use this class through
- * invoking <code>Logger.output("message")</code>.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class Accounter {
-
- private static final Logger LOG = LoggerFactory.getLogger(Accounter.class);
-
- /*
- * Essentially makes Accounter a singleton, avoiding the verbosity of
- * <code>Accounter.getInstance().output("message")</code>.
- */
- private Accounter() {
- }
-
- /**
- * Account for a particular <code>message</code>
- *
- * @param message A message for the aggregated AAA log.
- */
- public static void output(final String message) {
- LOG.debug(message);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRules.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRules.java
deleted file mode 100644
index 9e84c988..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRules.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.shiro.authorization;
-
-import com.google.common.collect.Sets;
-import java.util.Collection;
-import java.util.HashSet;
-
-/**
- * A singleton container of default authorization rules that are installed as
- * part of Shiro initialization. This class defines an immutable set of rules
- * that are needed to provide system-wide security. These include protecting
- * certain MD-SAL leaf nodes that contain AAA data from random access. This is
- * not a place to define your custom rule set; additional RBAC rules are
- * configured through the shiro initialization file:
- * <code>$KARAF_HOME/shiro.ini</code>
- *
- * An important distinction to consider is that Shiro URL rules work to protect
- * the system at the Web layer, and <code>AuthzDomDataBroker</code> works to
- * protect the system down further at the DOM layer.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- *
- */
-public class DefaultRBACRules {
-
- private static DefaultRBACRules instance;
-
- /**
- * a collection of the default security rules
- */
- private Collection<RBACRule> rbacRules = new HashSet<RBACRule>();
-
- /**
- * protects the AAA MD-SAL store by preventing access to the leaf nodes to
- * non-admin users.
- */
- private static final RBACRule PROTECT_AAA_MDSAL = RBACRule.createAuthorizationRule(
- "*/authorization/*", Sets.newHashSet("admin"));
-
- /*
- * private for singleton pattern
- */
- private DefaultRBACRules() {
- // rbacRules.add(PROTECT_AAA_MDSAL);
- }
-
- /**
- *
- * @return the container instance for the default RBAC Rules
- */
- public static final DefaultRBACRules getInstance() {
- if (null == instance) {
- instance = new DefaultRBACRules();
- }
- return instance;
- }
-
- /**
- *
- * @return a copy of the default rules, so any modifications to the returned
- * reference do not affect the <code>DefaultRBACRules</code>.
- */
- public final Collection<RBACRule> getRBACRules() {
- // Returns a copy of the rbacRules set such that the original set keeps
- // its contract of remaining immutable. Calls to rbacRules.add() are
- // encapsulated solely in <code>DefaultRBACRules</code>.
- //
- // Since this method is only called at shiro initialiation time,
- // memory consumption of creating a new set is a non-issue.
- return Sets.newHashSet(rbacRules);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/RBACRule.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/RBACRule.java
deleted file mode 100644
index 0da95eb4..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/RBACRule.java
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.shiro.authorization;
-
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Sets;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashSet;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * A container for RBAC Rules. An RBAC Rule is composed of a url pattern which
- * may contain asterisk characters (*), and a collection of roles. These are
- * represented in shiro.ini in the following format:
- * <code>urlPattern=roles[atLeastOneCommaSeperatedRole]</code>
- *
- * RBACRules are immutable; that is, you cannot change the url pattern or the
- * roles after creation. This is done for security purposes. RBACRules are
- * created through utilizing a static factory method:
- * <code>RBACRule.createRBACRule()</code>
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- *
- */
-public class RBACRule {
-
- private static final Logger LOG = LoggerFactory.getLogger(RBACRule.class);
-
- /**
- * a url pattern that can optional contain asterisk characters (*)
- */
- private String urlPattern;
-
- /**
- * a collection of role names, such as "admin" and "user"
- */
- private Collection<String> roles = new HashSet<String>();
-
- /**
- * Creates an RBAC Rule. Made private for static factory method.
- *
- * @param urlPattern
- * Cannot be null or the empty string.
- * @param roles
- * Must contain at least one role.
- * @throws NullPointerException
- * if <code>urlPattern</code> or <code>roles</code> is null
- * @throws IllegalArgumentException
- * if <code>urlPattern</code> is an empty string or
- * <code>roles</code> is an empty collection.
- */
- private RBACRule(final String urlPattern, final Collection<String> roles)
- throws NullPointerException, IllegalArgumentException {
-
- this.setUrlPattern(urlPattern);
- this.setRoles(roles);
- }
-
- /**
- * The static factory method used to create RBACRules.
- *
- * @param urlPattern
- * Cannot be null or the empty string.
- * @param roles
- * Cannot be null or an emtpy collection.
- * @return An immutable RBACRule
- */
- public static RBACRule createAuthorizationRule(final String urlPattern,
- final Collection<String> roles) {
-
- RBACRule authorizationRule = null;
- try {
- authorizationRule = new RBACRule(urlPattern, roles);
- } catch (Exception e) {
- LOG.error("Cannot instantiate the AuthorizationRule", e);
- }
- return authorizationRule;
- }
-
- /**
- *
- * @return the urlPattern for the RBACRule
- */
- public String getUrlPattern() {
- return urlPattern;
- }
-
- /*
- * helper to ensure the url pattern is not the empty string
- */
- private static void checkUrlPatternLength(final String urlPattern)
- throws IllegalArgumentException {
-
- final String EXCEPTION_MESSAGE = "Empty String is not allowed for urlPattern";
- if (urlPattern.isEmpty()) {
- throw new IllegalArgumentException(EXCEPTION_MESSAGE);
- }
- }
-
- private void setUrlPattern(final String urlPattern) throws NullPointerException,
- IllegalArgumentException {
-
- Preconditions.checkNotNull(urlPattern);
- checkUrlPatternLength(urlPattern);
- this.urlPattern = urlPattern;
- }
-
- /**
- *
- * @return a copy of the rule, so any modifications to the returned
- * reference do not affect the immutable <code>RBACRule</code>.
- */
- public Collection<String> getRoles() {
- // Returns a copy of the roles collection such that the original set
- // keeps
- // its contract of remaining immutable.
- //
- // Since this method is only called at shiro initialiation time,
- // memory consumption of creating a new set is a non-issue.
- return Sets.newHashSet(roles);
- }
-
- /*
- * check to ensure the roles collection is not empty
- */
- private static void checkRolesCollectionSize(final Collection<String> roles)
- throws IllegalArgumentException {
-
- final String EXCEPTION_MESSAGE = "roles must contain at least 1 role";
- if (roles.isEmpty()) {
- throw new IllegalArgumentException(EXCEPTION_MESSAGE);
- }
- }
-
- private void setRoles(final Collection<String> roles) throws NullPointerException,
- IllegalArgumentException {
-
- Preconditions.checkNotNull(roles);
- checkRolesCollectionSize(roles);
- this.roles = roles;
- }
-
- /**
- * Generates a string representation of the <code>RBACRule</code> roles in
- * shiro form.
- *
- * @return roles string representation in the form
- * <code>roles[roleOne,roleTwo]</code>
- */
- public String getRolesInShiroFormat() {
- final String ROLES_STRING = "roles";
- return ROLES_STRING + Arrays.toString(roles.toArray());
- }
-
- /**
- * Generates the string representation of the <code>RBACRule</code> in shiro
- * form. For example: <code>urlPattern=roles[admin,user]</code>
- */
- @Override
- public String toString() {
- return String.format("%s=%s", urlPattern, getRolesInShiroFormat());
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAFilter.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAFilter.java
deleted file mode 100644
index 47dd9549..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAFilter.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.filters;
-
-import org.apache.shiro.web.servlet.ShiroFilter;
-import org.opendaylight.aaa.shiro.ServiceProxy;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * The RESTCONF AAA JAX-RS 1.X Web Filter. This class is also responsible for
- * delivering debug information; to enable these debug statements, please issue
- * the following in the karaf shell:
- *
- * <code>log:set debug org.opendaylight.aaa.shiro.filters.AAAFilter</code>
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- * @see <code>javax.servlet.Filter</code>
- * @see <code>org.apache.shiro.web.servlet.ShiroFilter</code>
- */
-public class AAAFilter extends ShiroFilter {
-
- private static final Logger LOG = LoggerFactory.getLogger(AAAFilter.class);
-
- public AAAFilter() {
- super();
- final String DEBUG_MESSAGE = "Creating the AAAFilter";
- LOG.debug(DEBUG_MESSAGE);
- }
-
- /*
- * (non-Javadoc)
- *
- * Adds context clues that aid in debugging. Also initializes the enable
- * status to correspond with
- * <code>ServiceProxy.getInstance.getEnabled()</code>.
- *
- * @see org.apache.shiro.web.servlet.ShiroFilter#init()
- */
- @Override
- public void init() throws Exception {
- super.init();
- final String DEBUG_MESSAGE = "Initializing the AAAFilter";
- LOG.debug(DEBUG_MESSAGE);
- // sets the filter to the startup value. Because of non-determinism in
- // bundle loading, this passes an instance of itself along so that if
- // the
- // enable status changes, then AAAFilter enable status is changed.
- setEnabled(ServiceProxy.getInstance().getEnabled(this));
- }
-
- /*
- * (non-Javadoc)
- *
- * Adds context clues to aid in debugging whether the filter is enabled.
- *
- * @see
- * org.apache.shiro.web.servlet.OncePerRequestFilter#setEnabled(boolean)
- */
- @Override
- public void setEnabled(boolean enabled) {
- super.setEnabled(enabled);
- final String DEBUG_MESSAGE = "Setting AAAFilter enabled to " + enabled;
- LOG.debug(DEBUG_MESSAGE);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAShiroFilter.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAShiroFilter.java
deleted file mode 100644
index 530acfac..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAShiroFilter.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.filters;
-
-import org.apache.shiro.web.servlet.ShiroFilter;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * The default AAA JAX-RS 1.X Web Filter. Unlike AAAFilter, which is aimed towards
- * supporting RESTCONF and its existing API mechanisms, AAAShiroFilter is a generic
- * <code>ShiroFilter</code> for use with any other ODL Servlets. The main difference
- * is that <code>AAAFilter</code> was designed to support the existing noauth
- * mechanism, while this filter cannot be disabled.
- *
- * This class is also responsible for delivering debug information; to enable these
- * debug statements, please issue the following in the karaf shell:
- *
- * <code>log:set debug org.opendaylight.aaa.shiro.filters.AAAShiroFilter</code>
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- * @see <code>javax.servlet.Filter</code>
- * @see <code>org.apache.shiro.web.servlet.ShiroFilter</code>
- */
-public class AAAShiroFilter extends ShiroFilter {
-
- private static final Logger LOG = LoggerFactory.getLogger(AAAShiroFilter.class);
-
- public AAAShiroFilter() {
- LOG.debug("Creating the AAAShiroFilter");
- }
-
- /*
- * (non-Javadoc)
- *
- * Adds context clues that aid in debugging.
- *
- * @see org.apache.shiro.web.servlet.ShiroFilter#init()
- */
- @Override
- public void init() throws Exception {
- super.init();
- LOG.debug("Initializing the AAAShiroFilter");
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AuthenticationListener.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AuthenticationListener.java
deleted file mode 100644
index 080ab114..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AuthenticationListener.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.filters;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Follows the event-listener pattern; the <code>Authenticator</code> notifies this class about
- * authentication attempts. <code>AuthenticationListener</code> logs successful and unsuccessful
- * authentication attempts appropriately. Log messages are emitted at the <code>DEBUG</code> log
- * level. To enable the messages out of the box, use the following command from karaf:
- * <code>log:set DEBUG org.opendaylight.aaa.shiro.authc.AuthenicationListener</code>
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class AuthenticationListener implements org.apache.shiro.authc.AuthenticationListener {
-
- private static final Logger LOG = LoggerFactory.getLogger(AuthenticationListener.class);
-
- @Override
- public void onSuccess(final AuthenticationToken authenticationToken, final AuthenticationInfo authenticationInfo) {
- if (LOG.isDebugEnabled()) {
- final String successMessage = AuthenticationTokenUtils.generateSuccessfulAuthenticationMessage(authenticationToken);
- LOG.debug(successMessage);
- }
- }
-
- @Override
- public void onFailure(final AuthenticationToken authenticationToken, final AuthenticationException e) {
- if (LOG.isDebugEnabled()) {
- final String failureMessage = AuthenticationTokenUtils.generateUnsuccessfulAuthenticationMessage(authenticationToken);
- LOG.debug(failureMessage);
- }
- }
-
- @Override
- public void onLogout(final PrincipalCollection principalCollection) {
- // Do nothing; AAA is aimed at RESTCONF, which stateless by definition.
- // Including this output would very quickly pollute the log.
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AuthenticationTokenUtils.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AuthenticationTokenUtils.java
deleted file mode 100644
index a5f0c10d..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AuthenticationTokenUtils.java
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.filters;
-
-import com.google.common.base.Preconditions;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.UsernamePasswordToken;
-
-/**
- * Utility methods for forming audit trail output based on an <code>AuthenticationToken</code>.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class AuthenticationTokenUtils {
-
- /**
- * default value used in messaging when the "user" field is unparsable from the HTTP REST request
- */
- static final String DEFAULT_USERNAME = "an unknown user";
-
- /**
- * default value used in messaging when the "user" field is not present in the HTTP REST request, implying
- * a different implementation of <code>AuthenticationToken</code> such as <code>CasToken</code>.
- */
- static final String DEFAULT_TOKEN = "an un-parsable token type";
-
- /**
- * default value used in messaging when the "host" field cannot be determined.
- */
- static final String DEFAULT_HOSTNAME = "an unknown host";
-
- private AuthenticationTokenUtils() {
- // private to prevent instantiation
- }
-
- /**
- * Determines whether the supplied <code>Token</code> is a <code>UsernamePasswordToken</code>.
- *
- * @param token A generic <code>Token</code>, which might be a <code>UsernamePasswordToken</code>
- * @return Whether the supplied <code>Token</code> is a <code>UsernamePasswordToken</code>
- */
- public static boolean isUsernamePasswordToken(final AuthenticationToken token) {
- return token instanceof UsernamePasswordToken;
- }
-
- /**
- * Extracts the username if possible. If the supplied token is a <code>UsernamePasswordToken</code>
- * and the username field is not set, <code>DEFAULT_USERNAME</code> is returned. If the supplied
- * token is not a <code>UsernamePasswordToken</code> (i.e., a <code>CasToken</code> or other
- * implementation of <code>AuthenticationToken</code>), then <code>DEFAULT_TOKEN</code> is
- * returned.
- *
- * @param token An <code>AuthenticationToken</code>, possibly a <code>UsernamePasswordToken</code>
- * @return the username, <code>DEFAULT_USERNAME</code> or <code>DEFAULT_TOKEN</code> depending on input
- */
- public static String extractUsername(final AuthenticationToken token) {
- if (isUsernamePasswordToken(token)) {
- final UsernamePasswordToken upt = (UsernamePasswordToken) token;
- return extractField(upt.getUsername(), DEFAULT_USERNAME);
- }
- return DEFAULT_TOKEN;
- }
-
- /**
- * Extracts the hostname if possible. If the supplied token is a <code>UsernamePasswordToken</code>
- * and the hostname field is not set, <code>DEFAULT_HOSTNAME</code> is returned. If the supplied
- * token is not a <code>UsernamePasswordToken</code> (i.e., a <code>CasToken</code> or other
- * implementation of <code>AuthenticationToken</code>), then <code>DEFAULT_HOSTNAME</code> is
- * returned.
- *
- * @param token An <code>AuthenticationToken</code>, possibly a <code>UsernamePasswordToken</code>
- * @return the hostname, or <code>DEFAULT_USERNAME</code> depending on input
- */
- public static String extractHostname(final AuthenticationToken token) {
- if (isUsernamePasswordToken(token)) {
- final UsernamePasswordToken upt = (UsernamePasswordToken) token;
- return extractField(upt.getHost(), DEFAULT_HOSTNAME);
- }
- return DEFAULT_HOSTNAME;
- }
-
- /**
- * Utility method to generate a generic message indicating Authentication was unsuccessful.
- *
- * @param token An <code>AuthenticationToken</code>, possibly a <code>UsernamePasswordToken</code>
- * @return A message indicating authentication was unsuccessful
- */
- public static String generateUnsuccessfulAuthenticationMessage(final AuthenticationToken token) {
- final String username = extractUsername(token);
- final String remoteHostname = extractHostname(token);
- return String.format("Unsuccessful authentication attempt by %s from %s", username, remoteHostname);
- }
-
- /**
- * Utility method to generate a generic message indicating Authentication was successful.
- *
- * @param token An <code>AuthenticationToken</code>, possibly a <code>UsernamePasswordToken</code>
- * @return A message indicating authentication was successful
- */
- public static String generateSuccessfulAuthenticationMessage(final AuthenticationToken token) {
- final String username = extractUsername(token);
- final String remoteHostname = extractHostname(token);
- return String.format("Successful authentication attempt by %s from %s", username, remoteHostname);
- }
-
- /**
- * Utility method that returns <code>field</code>, or <code>defaultValue</code> if <code>field</code> is null.
- *
- * @param field A generic string, which is possibly null.
- * @param defaultValue A non-null value returned if <code>field</code> is null
- * @return <code>field</code> or <code>defaultValue</code> if field is null
- * @throws IllegalArgumentException If <code>defaultValue</code> is null
- */
- private static String extractField(final String field, final String defaultValue)
- throws IllegalArgumentException {
-
- Preconditions.checkNotNull(defaultValue, "defaultValue can't be null");
- if (field != null) {
- return field;
- }
- return defaultValue;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/MoonOAuthFilter.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/MoonOAuthFilter.java
deleted file mode 100644
index 241b7c28..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/MoonOAuthFilter.java
+++ /dev/null
@@ -1,186 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.filters;
-
-import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
-import static javax.servlet.http.HttpServletResponse.SC_CREATED;
-import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
-import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.oltu.oauth2.as.response.OAuthASResponse;
-import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
-import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
-import org.apache.oltu.oauth2.common.message.OAuthResponse;
-import org.apache.oltu.oauth2.common.message.types.TokenType;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.subject.Subject;
-import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
-import org.opendaylight.aaa.AuthenticationBuilder;
-import org.opendaylight.aaa.ClaimBuilder;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.Claim;
-import org.opendaylight.aaa.shiro.moon.MoonPrincipal;
-import org.opendaylight.aaa.sts.OAuthRequest;
-import org.opendaylight.aaa.sts.ServiceLocator;
-
-/**
- * MoonOAuthFilter filters oauth1 requests form token based authentication
- * @author Alioune BA alioune.ba@orange.com
- *
- */
-public class MoonOAuthFilter extends AuthenticatingFilter{
-
- private static final String DOMAIN_SCOPE_REQUIRED = "Domain scope required";
- private static final String NOT_IMPLEMENTED = "not_implemented";
- private static final String UNAUTHORIZED = "unauthorized";
- private static final String UNAUTHORIZED_CREDENTIALS = "Unauthorized: Login/Password incorrect";
-
- static final String TOKEN_GRANT_ENDPOINT = "/token";
- static final String TOKEN_REVOKE_ENDPOINT = "/revoke";
- static final String TOKEN_VALIDATE_ENDPOINT = "/validate";
-
- @Override
- protected UsernamePasswordToken createToken(ServletRequest request, ServletResponse response) throws Exception {
- // TODO Auto-generated method stub
- HttpServletRequest httpRequest = (HttpServletRequest) request;
- OAuthRequest oauthRequest = new OAuthRequest(httpRequest);
- return new UsernamePasswordToken(oauthRequest.getUsername(),oauthRequest.getPassword());
- }
-
- @Override
- protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
- // TODO Auto-generated method stub
- Subject currentUser = SecurityUtils.getSubject();
- return executeLogin(request, response);
- }
-
- protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
- ServletRequest request, ServletResponse response) throws Exception {
- HttpServletResponse httpResponse= (HttpServletResponse) response;
- MoonPrincipal principal = (MoonPrincipal) subject.getPrincipals().getPrimaryPrincipal();
- Claim claim = principal.principalToClaim();
- oauthAccessTokenResponse(httpResponse,claim,"",principal.getToken());
- return true;
- }
-
- protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
- ServletRequest request, ServletResponse response) {
- HttpServletResponse resp = (HttpServletResponse) response;
- error(resp, SC_BAD_REQUEST, UNAUTHORIZED_CREDENTIALS);
- return false;
- }
-
- protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
-
- HttpServletRequest req= (HttpServletRequest) request;
- HttpServletResponse resp = (HttpServletResponse) response;
- try {
- if (req.getServletPath().equals(TOKEN_GRANT_ENDPOINT)) {
- UsernamePasswordToken token = createToken(request, response);
- if (token == null) {
- String msg = "A valid non-null AuthenticationToken " +
- "must be created in order to execute a login attempt.";
- throw new IllegalStateException(msg);
- }
- try {
- Subject subject = getSubject(request, response);
- subject.login(token);
- return onLoginSuccess(token, subject, request, response);
- } catch (AuthenticationException e) {
- return onLoginFailure(token, e, request, response);
- }
- } else if (req.getServletPath().equals(TOKEN_REVOKE_ENDPOINT)) {
- //TODO: deleteAccessToken(req, resp);
- } else if (req.getServletPath().equals(TOKEN_VALIDATE_ENDPOINT)) {
- //TODO: validateToken(req, resp);
- }
- } catch (AuthenticationException e) {
- error(resp, SC_UNAUTHORIZED, e.getMessage());
- } catch (OAuthProblemException oe) {
- error(resp, oe);
- } catch (Exception e) {
- error(resp, e);
- }
- return false;
- }
-
- private void oauthAccessTokenResponse(HttpServletResponse resp, Claim claim, String clientId, String token)
- throws OAuthSystemException, IOException {
- if (claim == null) {
- throw new AuthenticationException(UNAUTHORIZED);
- }
-
- // Cache this token...
- Authentication auth = new AuthenticationBuilder(new ClaimBuilder(claim).setClientId(
- clientId).build()).setExpiration(tokenExpiration()).build();
- ServiceLocator.getInstance().getTokenStore().put(token, auth);
-
- OAuthResponse r = OAuthASResponse.tokenResponse(SC_CREATED).setAccessToken(token)
- .setTokenType(TokenType.BEARER.toString())
- .setExpiresIn(Long.toString(auth.expiration()))
- .buildJSONMessage();
- write(resp, r);
- }
-
- private void write(HttpServletResponse resp, OAuthResponse r) throws IOException {
- resp.setStatus(r.getResponseStatus());
- PrintWriter pw = resp.getWriter();
- pw.print(r.getBody());
- pw.flush();
- pw.close();
- }
-
- private long tokenExpiration() {
- return ServiceLocator.getInstance().getTokenStore().tokenExpiration();
- }
-
- // Emit an error OAuthResponse with the given HTTP code
- private void error(HttpServletResponse resp, int httpCode, String error) {
- try {
- OAuthResponse r = OAuthResponse.errorResponse(httpCode).setError(error)
- .buildJSONMessage();
- write(resp, r);
- } catch (Exception e1) {
- // Nothing to do here
- }
- }
-
- private void error(HttpServletResponse resp, OAuthProblemException e) {
- try {
- OAuthResponse r = OAuthResponse.errorResponse(SC_BAD_REQUEST).error(e)
- .buildJSONMessage();
- write(resp, r);
- } catch (Exception e1) {
- // Nothing to do here
- }
- }
-
- private void error(HttpServletResponse resp, Exception e) {
- try {
- OAuthResponse r = OAuthResponse.errorResponse(SC_INTERNAL_SERVER_ERROR)
- .setError(e.getClass().getName())
- .setErrorDescription(e.getMessage()).buildJSONMessage();
- write(resp, r);
- } catch (Exception e1) {
- // Nothing to do here
- }
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/ODLHttpAuthenticationFilter.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/ODLHttpAuthenticationFilter.java
deleted file mode 100644
index 90b0101e..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/ODLHttpAuthenticationFilter.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.filters;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.shiro.codec.Base64;
-import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
-import org.apache.shiro.web.util.WebUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Extends <code>BasicHttpAuthenticationFilter</code> to include ability to
- * authenticate OAuth2 tokens, which is needed for backwards compatibility with
- * <code>TokenAuthFilter</code>.
- *
- * This behavior is enabled by default for backwards compatibility. To disable
- * OAuth2 functionality, just comment out the following line from the
- * <code>etc/shiro.ini</code> file:
- * <code>authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</code>
- * then restart the karaf container.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- *
- */
-public class ODLHttpAuthenticationFilter extends BasicHttpAuthenticationFilter {
-
- private static final Logger LOG = LoggerFactory.getLogger(ODLHttpAuthenticationFilter.class);
-
- // defined in lower-case for more efficient string comparison
- protected static final String BEARER_SCHEME = "bearer";
-
- protected static final String OPTIONS_HEADER = "OPTIONS";
-
- public ODLHttpAuthenticationFilter() {
- super();
- LOG.info("Creating the ODLHttpAuthenticationFilter");
- }
-
- @Override
- protected String[] getPrincipalsAndCredentials(String scheme, String encoded) {
- final String decoded = Base64.decodeToString(encoded);
- // attempt to decode username/password; otherwise decode as token
- if (decoded.contains(":")) {
- return decoded.split(":");
- }
- return new String[] { encoded };
- }
-
- @Override
- protected boolean isLoginAttempt(String authzHeader) {
- final String authzScheme = getAuthzScheme().toLowerCase();
- final String authzHeaderLowerCase = authzHeader.toLowerCase();
- return authzHeaderLowerCase.startsWith(authzScheme)
- || authzHeaderLowerCase.startsWith(BEARER_SCHEME);
- }
-
- @Override
- protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
- Object mappedValue) {
- final HttpServletRequest httpRequest = WebUtils.toHttp(request);
- final String httpMethod = httpRequest.getMethod();
- if (OPTIONS_HEADER.equalsIgnoreCase(httpMethod)) {
- return true;
- } else {
- return super.isAccessAllowed(httpRequest, response, mappedValue);
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonPrincipal.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonPrincipal.java
deleted file mode 100644
index 9dd2fd4f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonPrincipal.java
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.shiro.moon;
-
-import com.google.common.collect.ImmutableSet;
-
-import java.io.Serializable;
-import java.util.Set;
-
-import org.opendaylight.aaa.api.Claim;
-
-/**
- * MoonPrincipal contains all user's information returned by moon on successful authentication
- * @author Alioune BA alioune.ba@orange.com
- *
- */
-public class MoonPrincipal {
-
- private final String username;
- private final String domain;
- private final String userId;
- private final Set<String> roles;
- private final String token;
-
-
- public MoonPrincipal(String username, String domain, String userId, Set<String> roles, String token) {
- this.username = username;
- this.domain = domain;
- this.userId = userId;
- this.roles = roles;
- this.token = token;
- }
-
- public MoonPrincipal createODLPrincipal(String username, String domain,
- String userId, Set<String> roles, String token) {
-
- return new MoonPrincipal(username, domain, userId, roles,token);
- }
-
- public Claim principalToClaim (){
- return new MoonClaim("", this.getUserId(), this.getUsername(), this.getDomain(), this.getRoles());
- }
-
- public String getUsername() {
- return this.username;
- }
-
- public String getDomain() {
- return this.domain;
- }
-
- public String getUserId() {
- return this.userId;
- }
-
- public Set<String> getRoles() {
- return this.roles;
- }
-
- public String getToken(){
- return this.token;
- }
-
- public class MoonClaim implements Claim, Serializable {
- private static final long serialVersionUID = -8115027645190209125L;
- private int hashCode = 0;
- private String clientId;
- private String userId;
- private String user;
- private String domain;
- private ImmutableSet<String> roles;
-
- public MoonClaim(String clientId, String userId, String user, String domain, Set<String> roles) {
- this.clientId = clientId;
- this.userId = userId;
- this.user = user;
- this.domain = domain;
- this.roles = ImmutableSet.<String> builder().addAll(roles).build();
-
- if (userId.isEmpty() || user.isEmpty() || roles.isEmpty() || roles.contains("")) {
- throw new IllegalStateException("The Claim is missing one or more of the required fields.");
- }
- }
-
- @Override
- public String clientId() {
- return clientId;
- }
-
- @Override
- public String userId() {
- return userId;
- }
-
- @Override
- public String user() {
- return user;
- }
-
- @Override
- public String domain() {
- return domain;
- }
-
- @Override
- public Set<String> roles() {
- return roles;
- }
- public String getClientId() {
- return clientId;
- }
-
- public void setClientId(String clientId) {
- this.clientId = clientId;
- }
-
- public String getUserId() {
- return userId;
- }
-
- public void setUserId(String userId) {
- this.userId = userId;
- }
-
- public String getUser() {
- return user;
- }
-
- public void setUser(String user) {
- this.user = user;
- }
-
- public String getDomain() {
- return domain;
- }
-
- public void setDomain(String domain) {
- this.domain = domain;
- }
-
- public ImmutableSet<String> getRoles() {
- return roles;
- }
-
- public void setRoles(ImmutableSet<String> roles) {
- this.roles = roles;
- }
-
- @Override
- public String toString() {
- return "clientId:" + clientId + "," + "userId:" + userId + "," + "userName:" + user
- + "," + "domain:" + domain + "," + "roles:" + roles ;
- }
- }
-} \ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonTokenEndpoint.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonTokenEndpoint.java
deleted file mode 100644
index a954a606..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonTokenEndpoint.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.moon;
-
-
-import java.io.IOException;
-
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class MoonTokenEndpoint extends HttpServlet{
-
- private static final long serialVersionUID = 4980356362831585417L;
- private static final Logger LOG = LoggerFactory.getLogger(MoonTokenEndpoint.class);
-
- protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- LOG.debug("MoonTokenEndpoint Servlet doPost");
- }
-
-} \ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/MoonRealm.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/MoonRealm.java
deleted file mode 100644
index 9ebbb4d7..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/MoonRealm.java
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.shiro.realm;
-
-import com.sun.jersey.api.client.Client;
-import com.sun.jersey.api.client.ClientResponse;
-import com.sun.jersey.api.client.WebResource;
-import com.sun.jersey.api.client.config.ClientConfig;
-import com.sun.jersey.api.client.config.DefaultClientConfig;
-
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.SimpleAuthenticationInfo;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.realm.AuthorizingRealm;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.json.JSONException;
-import org.json.JSONObject;
-import org.json.JSONTokener;
-import org.opendaylight.aaa.shiro.moon.MoonPrincipal;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-/**
- * MoonRealm is a Shiro Realm that authenticates users from OPNFV/moon platform
- * @author Alioune BA alioune.ba@orange.com
- *
- */
-public class MoonRealm extends AuthorizingRealm{
-
- private static final Logger LOG = LoggerFactory.getLogger(MoonRealm.class);
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) {
- // TODO Auto-generated method stub
- return null;
- }
-
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
- // TODO Auto-generated method stub
- String username = "";
- String password = "";
- String domain = "sdn";
- username = (String) authenticationToken.getPrincipal();
- final UsernamePasswordToken upt = (UsernamePasswordToken) authenticationToken;
- password = new String(upt.getPassword());
- final MoonPrincipal moonPrincipal = moonAuthenticate(username,password,domain);
- if (moonPrincipal!=null){
- return new SimpleAuthenticationInfo(moonPrincipal, password.toCharArray(),getName());
- }else{
- return null;
- }
- }
-
- public MoonPrincipal moonAuthenticate(String username, String password, String domain){
-
- String output = "";
- ClientConfig config = new DefaultClientConfig();
- Client client = Client.create(config);
- JSONTokener tokener;
- JSONObject object =null;
- Set<String> UserRoles = new LinkedHashSet<>();
-
- String server = System.getenv("MOON_SERVER_ADDR");
- String port = System.getenv("MOON_SERVER_PORT");
- String URL = "http://" +server+ ":" +port+ "/moon/auth/tokens";
- LOG.debug("Moon server is at: {} ", server);
- WebResource webResource = client.resource(URL);
- String input = "{\"username\": \""+ username + "\"," + "\"password\":" + "\"" + password + "\"," + "\"project\":" + "\"" + domain + "\"" + "}";;
- ClientResponse response = webResource.type("application/json").post(ClientResponse.class, input);
- output = response.getEntity(String.class);
- tokener = new JSONTokener(output);
- object = new JSONObject(tokener);
- try {
- if (object.getString("token")!=null){
- String token = object.getString("token");
- String userID = username+"@"+domain;
- for (int i=0; i< object.getJSONArray("roles").length(); i++){
- UserRoles.add((String) object.getJSONArray("roles").get(i));
- }
- MoonPrincipal principal = new MoonPrincipal(username,domain,userID,UserRoles,token);
- return principal;
- }
- }catch (JSONException e){
- throw new IllegalStateException("Authentication Error : "+ object.getJSONObject("error").getString("title"));
- }
- return null;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealm.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealm.java
deleted file mode 100644
index 7d0bafd7..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealm.java
+++ /dev/null
@@ -1,315 +0,0 @@
-/*
- * Copyright (c) 2015, 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.realm;
-
-import java.util.Collection;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import javax.naming.NamingEnumeration;
-import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
-import javax.naming.directory.SearchControls;
-import javax.naming.directory.SearchResult;
-import javax.naming.ldap.LdapContext;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.authz.SimpleAuthorizationInfo;
-import org.apache.shiro.realm.ldap.JndiLdapRealm;
-import org.apache.shiro.realm.ldap.LdapContextFactory;
-import org.apache.shiro.realm.ldap.LdapUtils;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.apache.shiro.util.Nameable;
-import org.opendaylight.aaa.shiro.accounting.Accounter;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * An extended implementation of
- * <code>org.apache.shiro.realm.ldap.JndiLdapRealm</code> which includes
- * additional Authorization capabilities. To enable this Realm, add the
- * following to <code>shiro.ini</code>:
- *
- *<code>#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
- *#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
- *#ldapRealm.contextFactory.url = ldap://URL:389
- *#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
- *#ldapRealm.ldapAttributeForComparison = objectClass
- *# The CSV list of enabled realms. In order to enable a realm, add it to the
- *# list below:
- * securityManager.realms = $tokenAuthRealm, $ldapRealm</code>
- *
- * The values above are specific to the deployed LDAP domain. If the defaults
- * are not sufficient, alternatives can be derived through enabling
- * <code>TRACE</code> level logging. To enable <code>TRACE</code> level
- * logging, issue the following command in the karaf shell:
- * <code>log:set TRACE org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm</code>
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- * @see <code>org.apache.shiro.realm.ldap.JndiLdapRealm</code>
- * @see <a
- * href="https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/realm/ldap/JndiLdapRealm.html">Shiro
- * documentation</a>
- */
-public class ODLJndiLdapRealm extends JndiLdapRealm implements Nameable {
-
- private static final Logger LOG = LoggerFactory.getLogger(ODLJndiLdapRealm.class);
-
- /**
- * When an LDAP Authorization lookup is made for a user account, a list of
- * attributes are returned. The attributes are used to determine LDAP
- * grouping, which is equivalent to ODL role(s). The default value is
- * set to "objectClass", which is common attribute for LDAP systems.
- * The actual value may be configured through setting
- * <code>ldapAttributeForComparison</code>.
- */
- private static final String DEFAULT_LDAP_ATTRIBUTE_FOR_COMPARISON = "objectClass";
-
- /**
- * The LDAP nomenclature for user ID, which is used in the authorization query process.
- */
- private static final String UID = "uid";
-
- /**
- * The searchBase for the ldap query, which indicates the LDAP realms to
- * search. By default, this is set to the
- * <code>super.getUserDnSuffix()</code>.
- */
- private String searchBase = super.getUserDnSuffix();
-
- /**
- * When an LDAP Authorization lookup is made for a user account, a list of
- * attributes is returned. The attributes are used to determine LDAP
- * grouping, which is equivalent to ODL role(s). The default is set to
- * <code>DEFAULT_LDAP_ATTRIBUTE_FOR_COMPARISON</code>.
- */
- private String ldapAttributeForComparison = DEFAULT_LDAP_ATTRIBUTE_FOR_COMPARISON;
-
- /*
- * Adds debugging information surrounding creation of ODLJndiLdapRealm
- */
- public ODLJndiLdapRealm() {
- super();
- final String DEBUG_MESSAGE = "Creating ODLJndiLdapRealm";
- LOG.debug(DEBUG_MESSAGE);
- }
-
- /*
- * (non-Javadoc) Overridden to expose important audit trail information for
- * accounting.
- *
- * @see
- * org.apache.shiro.realm.ldap.JndiLdapRealm#doGetAuthenticationInfo(org
- * .apache.shiro.authc.AuthenticationToken)
- */
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
- throws AuthenticationException {
-
- // Delegates all AuthN lookup responsibility to the super class
- try {
- final String username = getUsername(token);
- logIncomingConnection(username);
- return super.doGetAuthenticationInfo(token);
- } catch (ClassCastException e) {
- LOG.info("Couldn't service the LDAP connection", e);
- }
- return null;
- }
-
- /**
- * Logs an incoming LDAP connection
- *
- * @param username
- * the requesting user
- */
- protected void logIncomingConnection(final String username) {
- LOG.info("AAA LDAP connection from {}", username);
- Accounter.output("AAA LDAP connection from " + username);
- }
-
- /**
- * Extracts the username from <code>token</code>
- *
- * @param token Encoded token which could contain a username
- * @return The extracted username
- * @throws ClassCastException
- * The incoming token is not username/password (i.e., X.509
- * certificate)
- */
- public static String getUsername(AuthenticationToken token) throws ClassCastException {
- if (null == token) {
- return null;
- }
- return (String) token.getPrincipal();
- }
-
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
-
- AuthorizationInfo ai = null;
- try {
- ai = this.queryForAuthorizationInfo(principals, getContextFactory());
- } catch (NamingException e) {
- LOG.error("Unable to query for AuthZ info", e);
- }
- return ai;
- }
-
- /**
- * extracts a username from <code>principals</code>
- *
- * @param principals A single principal extracted for the username
- * @return The username if possible
- * @throws ClassCastException
- * the PrincipalCollection contains an element that is not in
- * username/password form (i.e., X.509 certificate)
- */
- protected String getUsername(final PrincipalCollection principals) throws ClassCastException {
-
- if (null == principals) {
- return null;
- }
- return (String) getAvailablePrincipal(principals);
- }
-
- /*
- * (non-Javadoc)
- *
- * This method is only called if doGetAuthenticationInfo(...) completes successfully AND
- * the requested endpoint has an RBAC restriction. To add an RBAC restriction, edit the
- * etc/shiro.ini file and add a url to the url section. E.g.,
- *
- * <code>/** = authcBasic, roles[person]</code>
- *
- * @see org.apache.shiro.realm.ldap.JndiLdapRealm#queryForAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection, org.apache.shiro.realm.ldap.LdapContextFactory)
- */
- @Override
- protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals,
- LdapContextFactory ldapContextFactory) throws NamingException {
-
- AuthorizationInfo authorizationInfo = null;
- try {
- final String username = getUsername(principals);
- final LdapContext ldapContext = ldapContextFactory.getSystemLdapContext();
- final Set<String> roleNames;
-
- try {
- roleNames = getRoleNamesForUser(username, ldapContext);
- authorizationInfo = buildAuthorizationInfo(roleNames);
- } finally {
- LdapUtils.closeContext(ldapContext);
- }
- } catch (ClassCastException e) {
- LOG.error("Unable to extract a valid user", e);
- }
- return authorizationInfo;
- }
-
- public static AuthorizationInfo buildAuthorizationInfo(final Set<String> roleNames) {
- if (null == roleNames) {
- return null;
- }
- return new SimpleAuthorizationInfo(roleNames);
- }
-
- /**
- * extracts the Set of roles associated with a user based on the username
- * and ldap context (server).
- *
- * @param username The username for the request
- * @param ldapContext The specific system context provided by <code>shiro.ini</code>
- * @return A set of roles
- * @throws NamingException If the ldap search fails
- */
- protected Set<String> getRoleNamesForUser(final String username, final LdapContext ldapContext)
- throws NamingException {
-
- // Stores the role names, which are equivalent to the set of group names extracted
- // from the LDAP query.
- final Set<String> roleNames = new LinkedHashSet<String>();
-
- final SearchControls searchControls = createSearchControls();
-
- LOG.debug("Asking the configured LDAP about which groups uid=\"{}\" belongs to using "
- + "searchBase=\"{}\" ldapAttributeForComparison=\"{}\"",
- username, searchBase, ldapAttributeForComparison);
- final NamingEnumeration<SearchResult> answer = ldapContext.search(searchBase,
- String.format("%s=%s", UID, username), searchControls);
-
- // Cursor based traversal over the LDAP query result
- while (answer.hasMoreElements()) {
- final SearchResult searchResult = answer.next();
- final Attributes attrs = searchResult.getAttributes();
- if (attrs != null) {
- // Extract the attributes from the LDAP search.
- // attrs.getAttr(String) was not chosen, since all attributes should be exposed
- // in trace logging should the operator wish to use an alternate attribute.
- final NamingEnumeration<? extends Attribute> ae = attrs.getAll();
- while (ae.hasMore()) {
- final Attribute attr = ae.next();
- LOG.trace("LDAP returned \"{}\" attribute for \"{}\"", attr.getID(), username);
- if (attr.getID().equals(ldapAttributeForComparison)) {
- // Stresses the point that LDAP groups are EQUIVALENT to ODL role names
- // TODO make this configurable via a Strategy pattern so more interesting mappings can be made
- final Collection<String> groupNamesExtractedFromLdap = LdapUtils.getAllAttributeValues(attr);
- final Collection<String> roleNamesFromLdapGroups = groupNamesExtractedFromLdap;
- if (LOG.isTraceEnabled()) {
- for (String roleName : roleNamesFromLdapGroups) {
- LOG.trace("Mapped the \"{}\" LDAP group to ODL role for \"{}\"", roleName, username);
- }
- }
- roleNames.addAll(roleNamesFromLdapGroups);
- }
- }
- }
- }
- return roleNames;
- }
-
- /**
- * A utility method to help create the search controls for the LDAP lookup
- *
- * @return A generic set of search controls for LDAP scoped to subtree
- */
- protected static SearchControls createSearchControls() {
- SearchControls searchControls = new SearchControls();
- searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
- return searchControls;
- }
-
- @Override
- public String getUserDnSuffix() {
- return super.getUserDnSuffix();
- }
-
- /**
- * Injected from <code>shiro.ini</code> configuration.
- *
- * @param searchBase The desired value for searchBase
- */
- public void setSearchBase(final String searchBase) {
- // public for injection reasons
- this.searchBase = searchBase;
- }
-
- /**
- * Injected from <code>shiro.ini</code> configuration.
- *
- * @param ldapAttributeForComparison The attribute from which groups are extracted
- */
- public void setLdapAttributeForComparison(final String ldapAttributeForComparison) {
- // public for injection reasons
- this.ldapAttributeForComparison = ldapAttributeForComparison;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmAuthNOnly.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmAuthNOnly.java
deleted file mode 100644
index 978266c5..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmAuthNOnly.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.realm;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.realm.ldap.JndiLdapRealm;
-import org.opendaylight.aaa.shiro.accounting.Accounter;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Wrapper class for <code>org.apache.shiro.realm.ldap.JndiLdapRealm</code>.
- * This implementation disables Authorization so any LDAP user is able to access
- * server resources. This is particularly useful for quickly prototyping ODL
- * without worrying about resolving LDAP attributes (groups) to OpenDaylight
- * roles.
- *
- * The motivation for subclassing Shiro's implementation is two-fold: 1) Enhance
- * the default logging of Shiro. This allows us to more easily log incoming
- * connections, providing some security auditing. 2) Provide a common package in
- * the classpath for ODL supported Realm implementations (i.e.,
- * <code>org.opendaylight.aaa.shiro.realm</code>), which consolidates the number
- * of <code>Import-Package</code> statements consumers need to enumerate. For
- * example, the netconf project only needs to import
- * <code>org.opendaylight.aaa.shiro.realm</code>, and does not need to worry
- * about importing Shiro packages.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- *
- */
-public class ODLJndiLdapRealmAuthNOnly extends JndiLdapRealm {
-
- private static final Logger LOG = LoggerFactory.getLogger(ODLJndiLdapRealmAuthNOnly.class);
-
- private static final String LDAP_CONNECTION_MESSAGE = "AAA LDAP connection from ";
-
- /*
- * Adds debugging information surrounding creation of ODLJndiLdapRealm
- */
- public ODLJndiLdapRealmAuthNOnly() {
- super();
- LOG.debug("Creating ODLJndiLdapRealmAuthNOnly");
- }
-
- /*
- * (non-Javadoc) Overridden to expose important audit trail information for
- * accounting.
- *
- * @see
- * org.apache.shiro.realm.ldap.JndiLdapRealm#doGetAuthenticationInfo(org
- * .apache.shiro.authc.AuthenticationToken)
- */
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
- throws AuthenticationException {
-
- try {
- final String username = getUsername(token);
- logIncomingConnection(username);
- return super.doGetAuthenticationInfo(token);
- } catch (ClassCastException e) {
- LOG.info("Couldn't service the LDAP connection", e);
- }
- return null;
- }
-
- /**
- * Logs an incoming LDAP connection
- *
- * @param username
- * the requesting user
- */
- protected void logIncomingConnection(final String username) {
- final String message = LDAP_CONNECTION_MESSAGE + username;
- LOG.info(message);
- Accounter.output(message);
- }
-
- /**
- * Extracts the username from <code>token</code>
- *
- * @param token Which possibly contains a username
- * @return the username if it can be extracted
- * @throws ClassCastException
- * The incoming token is not username/password (i.e., X.509
- * certificate)
- */
- public static String getUsername(AuthenticationToken token) throws ClassCastException {
- if (null == token) {
- return null;
- }
- return (String) token.getPrincipal();
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/RadiusRealm.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/RadiusRealm.java
deleted file mode 100644
index 51d4bfbf..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/RadiusRealm.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-package org.opendaylight.aaa.shiro.realm;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.realm.AuthorizingRealm;
-import org.apache.shiro.subject.PrincipalCollection;
-
-/**
- * Implementation of a Radius AuthorizingRealm.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class RadiusRealm extends AuthorizingRealm {
-
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) {
- // TODO use JRadius to extract Authorization Info
- return null;
- }
-
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0)
- throws AuthenticationException {
- // TODO use JRadius to extract Authentication Info
- return null;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/TACACSRealm.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/TACACSRealm.java
deleted file mode 100644
index 38d7d91a..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/TACACSRealm.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.realm;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.realm.AuthorizingRealm;
-import org.apache.shiro.subject.PrincipalCollection;
-
-/**
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- *
- */
-public class TACACSRealm extends AuthorizingRealm {
-
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) {
- // TODO Extract AuthorizationInfo using JNetLib
- return null;
- }
-
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0)
- throws AuthenticationException {
- // TODO Extract AuthenticationInfo using JNetLib
- return null;
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealm.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealm.java
deleted file mode 100644
index f9ae5051..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealm.java
+++ /dev/null
@@ -1,369 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.realm;
-
-import com.google.common.base.Strings;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.SimpleAuthenticationInfo;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.authz.SimpleAuthorizationInfo;
-import org.apache.shiro.codec.Base64;
-import org.apache.shiro.realm.AuthorizingRealm;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.opendaylight.aaa.api.Authentication;
-import org.opendaylight.aaa.api.TokenAuth;
-import org.opendaylight.aaa.basic.HttpBasicAuth;
-import org.opendaylight.aaa.sts.ServiceLocator;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * TokenAuthRealm is an adapter between the AAA shiro subsystem and the existing
- * <code>TokenAuth</code> mechanisms. Thus, one can enable use of
- * <code>IDMStore</code> and <code>IDMMDSALStore</code>.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class TokenAuthRealm extends AuthorizingRealm {
-
- private static final String USERNAME_DOMAIN_SEPARATOR = "@";
-
- /**
- * The unique identifying name for <code>TokenAuthRealm</code>
- */
- private static final String TOKEN_AUTH_REALM_DEFAULT_NAME = "TokenAuthRealm";
-
- /**
- * The message that is displayed if no <code>TokenAuth</code> interface is
- * available yet
- */
- private static final String AUTHENTICATION_SERVICE_UNAVAILABLE_MESSAGE = "{\"error\":\"Authentication service unavailable\"}";
-
- /**
- * The message that is displayed if credentials are missing or malformed
- */
- private static final String FATAL_ERROR_DECODING_CREDENTIALS = "{\"error\":\"Unable to decode credentials\"}";
-
- /**
- * The message that is displayed if non-Basic Auth is attempted
- */
- private static final String FATAL_ERROR_BASIC_AUTH_ONLY = "{\"error\":\"Only basic authentication is supported by TokenAuthRealm\"}";
-
- /**
- * The purposefully generic message displayed if <code>TokenAuth</code> is
- * unable to validate the given credentials
- */
- private static final String UNABLE_TO_AUTHENTICATE = "{\"error\":\"Could not authenticate\"}";
-
- private static final Logger LOG = LoggerFactory.getLogger(TokenAuthRealm.class);
-
- public TokenAuthRealm() {
- super();
- super.setName(TOKEN_AUTH_REALM_DEFAULT_NAME);
- }
-
- /*
- * (non-Javadoc)
- *
- * Roles are derived from <code>TokenAuth.authenticate()</code>. Shiro roles
- * are identical to existing IDM roles.
- *
- * @see
- * org.apache.shiro.realm.AuthorizingRealm#doGetAuthorizationInfo(org.apache
- * .shiro.subject.PrincipalCollection)
- */
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
- final Object primaryPrincipal = principalCollection.getPrimaryPrincipal();
- final ODLPrincipal odlPrincipal;
- try {
- odlPrincipal = (ODLPrincipal) primaryPrincipal;
- return new SimpleAuthorizationInfo(odlPrincipal.getRoles());
- } catch(ClassCastException e) {
- LOG.error("Couldn't decode authorization request", e);
- }
- return new SimpleAuthorizationInfo();
- }
-
- /**
- * Bridge new to old style <code>TokenAuth</code> interface.
- *
- * @param username The request username
- * @param password The request password
- * @param domain The request domain
- * @return <code>username:password:domain</code>
- */
- static String getUsernamePasswordDomainString(final String username, final String password,
- final String domain) {
- return username + HttpBasicAuth.AUTH_SEP + password + HttpBasicAuth.AUTH_SEP + domain;
- }
-
- /**
- *
- * @param credentialToken
- * @return Base64 encoded token
- */
- static String getEncodedToken(final String credentialToken) {
- return Base64.encodeToString(credentialToken.getBytes());
- }
-
- /**
- *
- * @param encodedToken
- * @return Basic <code>encodedToken</code>
- */
- static String getTokenAuthHeader(final String encodedToken) {
- return HttpBasicAuth.BASIC_PREFIX + encodedToken;
- }
-
- /**
- *
- * @param tokenAuthHeader
- * @return a map with the basic auth header
- */
- Map<String, List<String>> formHeadersWithToken(final String tokenAuthHeader) {
- final Map<String, List<String>> headers = new HashMap<String, List<String>>();
- final List<String> headerValue = new ArrayList<String>();
- headerValue.add(tokenAuthHeader);
- headers.put(HttpBasicAuth.AUTH_HEADER, headerValue);
- return headers;
- }
-
- /**
- * Adapter between basic authentication mechanism and existing
- * <code>TokenAuth</code> interface.
- *
- * @param username Username from the request
- * @param password Password from the request
- * @param domain Domain from the request
- * @return input map for <code>TokenAuth.validate()</code>
- */
- Map<String, List<String>> formHeaders(final String username, final String password,
- final String domain) {
- String usernamePasswordToken = getUsernamePasswordDomainString(username, password, domain);
- String encodedToken = getEncodedToken(usernamePasswordToken);
- String tokenAuthHeader = getTokenAuthHeader(encodedToken);
- return formHeadersWithToken(tokenAuthHeader);
- }
-
- /**
- * Adapter to check for available <code>TokenAuth<code> implementations.
- *
- * @return
- */
- boolean isTokenAuthAvailable() {
- return ServiceLocator.getInstance().getAuthenticationService() != null;
- }
-
- /*
- * (non-Javadoc)
- *
- * Authenticates against any <code>TokenAuth</code> registered with the
- * <code>ServiceLocator</code>
- *
- * @see
- * org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(org
- * .apache.shiro.authc.AuthenticationToken)
- */
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
- throws AuthenticationException {
-
- String username = "";
- String password = "";
- String domain = HttpBasicAuth.DEFAULT_DOMAIN;
-
- try {
- final String qualifiedUser = extractUsername(authenticationToken);
- if (qualifiedUser.contains(USERNAME_DOMAIN_SEPARATOR)) {
- final String [] qualifiedUserArray = qualifiedUser.split(USERNAME_DOMAIN_SEPARATOR);
- try {
- username = qualifiedUserArray[0];
- domain = qualifiedUserArray[1];
- } catch (ArrayIndexOutOfBoundsException e) {
- LOG.trace("Couldn't parse domain from {}; trying without one",
- qualifiedUser, e);
- }
- } else {
- username = qualifiedUser;
- }
- password = extractPassword(authenticationToken);
-
- } catch (NullPointerException e) {
- throw new AuthenticationException(FATAL_ERROR_DECODING_CREDENTIALS, e);
- } catch (ClassCastException e) {
- throw new AuthenticationException(FATAL_ERROR_BASIC_AUTH_ONLY, e);
- }
-
- // check to see if there are TokenAuth implementations available
- if (!isTokenAuthAvailable()) {
- throw new AuthenticationException(AUTHENTICATION_SERVICE_UNAVAILABLE_MESSAGE);
- }
-
- // if the password is empty, this is an OAuth2 request, not a Basic HTTP
- // Auth request
- if (!Strings.isNullOrEmpty(password)) {
- if (ServiceLocator.getInstance().getAuthenticationService().isAuthEnabled()) {
- Map<String, List<String>> headers = formHeaders(username, password, domain);
- // iterate over <code>TokenAuth</code> implementations and
- // attempt to
- // authentication with each one
- final List<TokenAuth> tokenAuthCollection = ServiceLocator.getInstance()
- .getTokenAuthCollection();
- for (TokenAuth ta : tokenAuthCollection) {
- try {
- LOG.debug("Authentication attempt using {}", ta.getClass().getName());
- final Authentication auth = ta.validate(headers);
- if (auth != null) {
- LOG.debug("Authentication attempt successful");
- ServiceLocator.getInstance().getAuthenticationService().set(auth);
- final ODLPrincipal odlPrincipal = ODLPrincipal.createODLPrincipal(auth);
- return new SimpleAuthenticationInfo(odlPrincipal, password.toCharArray(),
- getName());
- }
- } catch (AuthenticationException ae) {
- LOG.debug("Authentication attempt unsuccessful");
- throw new AuthenticationException(UNABLE_TO_AUTHENTICATE, ae);
- }
- }
- }
- }
-
- // extract the authentication token and attempt validation of the token
- final String token = extractUsername(authenticationToken);
- final Authentication auth;
- try {
- auth = validate(token);
- if (auth != null) {
- final ODLPrincipal odlPrincipal = ODLPrincipal.createODLPrincipal(auth);
- return new SimpleAuthenticationInfo(odlPrincipal, "", getName());
- }
- } catch (AuthenticationException e) {
- LOG.debug("Unknown OAuth2 Token Access Request", e);
- }
-
- LOG.debug("Authentication failed: exhausted TokenAuth resources");
- return null;
- }
-
- private Authentication validate(final String token) {
- Authentication auth = ServiceLocator.getInstance().getTokenStore().get(token);
- if (auth == null) {
- throw new AuthenticationException("Could not validate the token " + token);
- } else {
- ServiceLocator.getInstance().getAuthenticationService().set(auth);
- }
- return auth;
- }
-
- /**
- * extract the username from an <code>AuthenticationToken</code>
- *
- * @param authenticationToken
- * @return
- * @throws ClassCastException
- * @throws NullPointerException
- */
- static String extractUsername(final AuthenticationToken authenticationToken)
- throws ClassCastException, NullPointerException {
-
- return (String) authenticationToken.getPrincipal();
- }
-
- /**
- * extract the password from an <code>AuthenticationToken</code>
- *
- * @param authenticationToken
- * @return
- * @throws ClassCastException
- * @throws NullPointerException
- */
- static String extractPassword(final AuthenticationToken authenticationToken)
- throws ClassCastException, NullPointerException {
-
- final UsernamePasswordToken upt = (UsernamePasswordToken) authenticationToken;
- return new String(upt.getPassword());
- }
-
- /**
- * Since <code>TokenAuthRealm</code> is an <code>AuthorizingRealm</code>, it supports
- * individual steps for authentication and authorization. In ODL's existing <code>TokenAuth</code>
- * mechanism, authentication and authorization are currently done in a single monolithic step.
- * <code>ODLPrincipal</code> is abstracted as a DTO between the two steps. It fulfills the
- * responsibility of a <code>Principal</code>, since it contains identification information
- * but no credential information.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
- private static class ODLPrincipal {
-
- private final String username;
- private final String domain;
- private final String userId;
- private final Set<String> roles;
-
- private ODLPrincipal(final String username, final String domain, final String userId, final Set<String> roles) {
- this.username = username;
- this.domain = domain;
- this.userId = userId;
- this.roles = roles;
- }
-
- /**
- * A static factory method to create <code>ODLPrincipal</code> instances.
- *
- * @param username The authenticated user
- * @param domain The domain <code>username</code> belongs to.
- * @param userId The unique key for <code>username</code>
- * @param roles The roles associated with <code>username</code>@<code>domain</code>
- * @return A Principal for the given session; essentially a DTO.
- */
- static ODLPrincipal createODLPrincipal(final String username, final String domain,
- final String userId, final Set<String> roles) {
-
- return new ODLPrincipal(username, domain, userId, roles);
- }
-
- /**
- * A static factory method to create <code>ODLPrincipal</code> instances.
- *
- * @param auth Contains identifying information for the particular request.
- * @return A Principal for the given session; essentially a DTO.
- */
- static ODLPrincipal createODLPrincipal(final Authentication auth) {
- return createODLPrincipal(auth.user(), auth.domain(), auth.userId(), auth.roles());
- }
-
- String getUsername() {
- return this.username;
- }
-
- String getDomain() {
- return this.domain;
- }
-
- String getUserId() {
- return this.userId;
- }
-
- Set<String> getRoles() {
- return this.roles;
- }
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironment.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironment.java
deleted file mode 100644
index acf4022c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironment.java
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.web.env;
-
-import java.io.File;
-import java.io.FileNotFoundException;
-import java.util.Collection;
-import org.apache.shiro.config.Ini;
-import org.apache.shiro.config.Ini.Section;
-import org.apache.shiro.web.env.IniWebEnvironment;
-import org.opendaylight.aaa.shiro.accounting.Accounter;
-import org.opendaylight.aaa.shiro.authorization.DefaultRBACRules;
-import org.opendaylight.aaa.shiro.authorization.RBACRule;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Identical to <code>IniWebEnvironment</code> except the Ini is loaded from
- * <code>$KARAF_HOME/etc/shiro.ini</code>.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- *
- */
-public class KarafIniWebEnvironment extends IniWebEnvironment {
-
- private static final Logger LOG = LoggerFactory.getLogger(KarafIniWebEnvironment.class);
- public static final String DEFAULT_SHIRO_INI_FILE = "etc/shiro.ini";
- public static final String SHIRO_FILE_PREFIX = "file:/";
-
- public KarafIniWebEnvironment() {
- }
-
- @Override
- public void init() {
- // Initialize the Shiro environment from etc/shiro.ini then delegate to
- // the parent class
- Ini ini;
- try {
- ini = createDefaultShiroIni();
- // appendCustomIniRules(ini);
- setIni(ini);
- } catch (FileNotFoundException e) {
- final String ERROR_MESSAGE = "Could not find etc/shiro.ini";
- LOG.error(ERROR_MESSAGE, e);
- }
- super.init();
- }
-
- /**
- * A hook for installing custom default RBAC rules for security purposes.
- *
- * @param ini
- */
- private void appendCustomIniRules(final Ini ini) {
- final String INSTALL_MESSAGE = "Installing the RBAC rule: %s";
- Section urlSection = getOrCreateUrlSection(ini);
- Collection<RBACRule> rbacRules = DefaultRBACRules.getInstance().getRBACRules();
- for (RBACRule rbacRule : rbacRules) {
- urlSection.put(rbacRule.getUrlPattern(), rbacRule.getRolesInShiroFormat());
- Accounter.output(String.format(INSTALL_MESSAGE, rbacRule));
- }
- }
-
- /**
- * Extracts the url section of the Ini file, or creates one if it doesn't
- * already exist
- *
- * @param ini
- * @return
- */
- private Section getOrCreateUrlSection(final Ini ini) {
- final String URL_SECTION_TITLE = "urls";
- Section urlSection = ini.getSection(URL_SECTION_TITLE);
- if (urlSection == null) {
- LOG.debug("shiro.ini does not contain a [urls] section; creating one");
- urlSection = ini.addSection(URL_SECTION_TITLE);
- } else {
- LOG.debug("shiro.ini contains a [urls] section; appending rules to existing");
- }
- return urlSection;
- }
-
- /**
- *
- * @return Ini associated with <code>$KARAF_HOME/etc/shiro.ini</code>
- * @throws FileNotFoundException
- */
- static Ini createDefaultShiroIni() throws FileNotFoundException {
- return createShiroIni(DEFAULT_SHIRO_INI_FILE);
- }
-
- /**
- *
- * @param path
- * the file path, which is either absolute or relative to
- * <code>$KARAF_HOME</code>
- * @return Ini loaded from <code>path</code>
- */
- static Ini createShiroIni(final String path) throws FileNotFoundException {
- File f = new File(path);
- Ini ini = new Ini();
- final String fileBasedIniPath = createFileBasedIniPath(f.getAbsolutePath());
- ini.loadFromPath(fileBasedIniPath);
- return ini;
- }
-
- /**
- *
- * @param path
- * the file path, which is either absolute or relative to
- * <code>$KARAF_HOME</code>
- * @return <code>file:/$KARAF_HOME/etc/shiro.ini</code>
- */
- static String createFileBasedIniPath(final String path) {
- String fileBasedIniPath = SHIRO_FILE_PREFIX + path;
- LOG.debug(fileBasedIniPath);
- return fileBasedIniPath;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/WEB-INF/web.xml b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/WEB-INF/web.xml
deleted file mode 100644
index 63288c23..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/WEB-INF/web.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
- version="3.0">
-
- <servlet>
- <servlet-name>MOON</servlet-name>
- <servlet-class>org.opendaylight.aaa.shiro.moon.MoonTokenEndpoint</servlet-class>
- <load-on-startup>1</load-on-startup>
- </servlet>
-
- <servlet-mapping>
- <servlet-name>MOON</servlet-name>
- <url-pattern>/token</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>MOON</servlet-name>
- <url-pattern>/revoke</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>MOON</servlet-name>
- <url-pattern>/validate</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>MOON</servlet-name>
- <url-pattern>/*</url-pattern>
- </servlet-mapping>
-
- <!-- Shiro Filter -->
- <context-param>
- <param-name>shiroEnvironmentClass</param-name>
- <param-value>org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment</param-value>
- </context-param>
-
- <listener>
- <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
- </listener>
-
- <filter>
- <filter-name>ShiroFilter</filter-name>
- <filter-class>org.opendaylight.aaa.shiro.filters.AAAFilter</filter-class>
- </filter>
-
- <filter-mapping>
- <filter-name>ShiroFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-</web-app>
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/shiro.ini b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/shiro.ini
deleted file mode 100644
index b48abe96..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/shiro.ini
+++ /dev/null
@@ -1,106 +0,0 @@
-#
-# Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
-#
-# This program and the accompanying materials are made available under the
-# terms of the Eclipse Public License v1.0 which accompanies this distribution,
-# and is available at http://www.eclipse.org/legal/epl-v10.html
-#
-
-###############################################################################
-# shiro.ini #
-# #
-# Configuration of OpenDaylight's aaa-shiro feature. Provided Realm #
-# implementations include: #
-# - TokenAuthRealm (enabled by default) #
-# - ODLJndiLdapRealm (disabled by default) #
-# - ODLJndiLdapRealmAuthNOnly (disabled by default) #
-# Basic user configuration through shiro.ini is disabled for security #
-# purposes. #
-###############################################################################
-
-
-
-[main]
-###############################################################################
-# realms #
-# #
-# This section is dedicated to setting up realms for OpenDaylight. Realms #
-# are essentially different methods for providing AAA. ODL strives to provide#
-# highly-configurable AAA by providing pluggable infrastructure. By deafult, #
-# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
-# mechanisms). More than one realm can be enabled, and the realms are #
-# tried Round-Robin until: #
-# 1) a realm successfully authenticates the incoming request #
-# 2) all realms are exhausted, and 401 is returned #
-###############################################################################
-
-# ODL provides a few LDAP implementations, which are disabled out of the box.
-# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
-# extracted through and LDAP search. This requires a bit of knowledge about
-# how your LDAP system is setup. An example is provided below:
-#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
-#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
-#ldapRealm.contextFactory.url = ldap://<URL>:389
-#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
-#ldapRealm.ldapAttributeForComparison = objectClass
-
-# ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows
-# access through AAAFilter to any user that can authenticate against the
-# provided LDAP server.
-#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
-#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
-#ldapRealm.contextFactory.url = ldap://<URL>:389
-
-# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
-# This realm is enabled by default, and utilizes h2-store by default.
-#tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
-# Defining moon realm
-moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
-
-# The CSV list of enabled realms. In order to enable a realm, add it to the
-# list below:
-#securityManager.realms = $tokenAuthRealm
-# Configure the Shiro Security Manager to use Moon Realm
-securityManager.realms = $moonAuthRealm
-
-# adds a custom AuthenticationFilter to support OAuth2 for backwards
-# compatibility. To disable OAuth2 access, just comment out the next line
-# and authcBasic will default to BasicHttpAuthenticationFilter, a
-# Shiro-provided class.
-authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
-# OAuth2 Filer for moon token AuthN
-rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter
-
-# add in AuthenticationListener, a Listener that records whether
-# authentication attempts are successful or unsuccessful. This audit
-# information is disabled by default, to avoid log flooding. To enable,
-# issue the following in karaf:
-# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
-accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
-securityManager.authenticator.authenticationListeners = $accountingListener
-
-
-
-[urls]
-###############################################################################
-# url authorization section #
-# #
-# This section is dedicated to defining url-based authorization according to: #
-# http://shiro.apache.org/web.html #
-###############################################################################
-
-# Restrict AAA endpoints to users w/ admin role
-/v1/users/** = authcBasic
-/v1/domains/** = authcBasic
-/v1/roles/** = authcBasic
-
-#Filter OAuth2 request$
-/token = rest
-
-# General access through AAAFilter requires valid credentials (AuthN only).
-/** = authcBasic
-
-# Access to the credential store is limited to the valid users who have the
-# admin role. The following line is only needed if the mdsal store is enabled
-#(the mdsal store is disabled by default).
-/config/aaa-authn-model** = authcBasic,roles[admin]
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/ServiceProxyTest.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/ServiceProxyTest.java
deleted file mode 100644
index 2d9c8976..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/ServiceProxyTest.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
-import org.junit.Test;
-import org.opendaylight.aaa.shiro.filters.AAAFilter;
-
-/**
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class ServiceProxyTest {
-
- @Test
- public void testGetInstance() {
- // ensures that singleton pattern is working
- assertNotNull(ServiceProxy.getInstance());
- }
-
- @Test
- public void testGetSetEnabled() {
- // combines set and get tests. These are important in this instance,
- // because getEnabled allows an optional callback Filter.
- ServiceProxy.getInstance().setEnabled(true);
- assertTrue(ServiceProxy.getInstance().getEnabled(null));
-
- AAAFilter testFilter = new AAAFilter();
- // register the filter
- ServiceProxy.getInstance().getEnabled(testFilter);
- assertTrue(testFilter.isEnabled());
-
- ServiceProxy.getInstance().setEnabled(false);
- assertFalse(ServiceProxy.getInstance().getEnabled(testFilter));
- assertFalse(testFilter.isEnabled());
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/TestAppender.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/TestAppender.java
deleted file mode 100644
index ec9375dc..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/TestAppender.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro;
-
-import ch.qos.logback.classic.spi.LoggingEvent;
-import ch.qos.logback.core.AppenderBase;
-
-import java.util.List;
-import java.util.Vector;
-
-/**
- * A custom slf4j <code>Appender</code> which stores <code>LoggingEvent</code>(s) in memory
- * for future retrieval. This is useful from inside test resources. This class is specified
- * within <code>logback-test.xml</code>.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class TestAppender extends AppenderBase<LoggingEvent> {
-
- /**
- * stores all log events in memory, instead of file
- */
- private List<LoggingEvent> events = new Vector<>();
-
- /**
- * Since junit maven & junit instantiate the logging appender (as provided
- * by logback-test.xml), singleton is not possible. The next best thing is to track the
- * current instance so it can be retrieved by Test instances.
- */
- private static volatile TestAppender currentInstance;
-
- /**
- * keeps track of the current instance
- */
- public TestAppender() {
- currentInstance = this;
- }
-
- @Override
- protected void append(final LoggingEvent e) {
- events.add(e);
- }
-
- /**
- * Extract the log.
- *
- * @return the in-memory representation of <code>LoggingEvent</code>(s)
- */
- public List<LoggingEvent> getEvents() {
- return events;
- }
-
- /**
- * A way to extract the appender from Test instances.
- *
- * @return <code>this</code>
- */
- public static TestAppender getCurrentInstance() {
- return currentInstance;
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRulesTest.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRulesTest.java
deleted file mode 100644
index 38658f0c..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRulesTest.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.authorization;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-
-import com.google.common.collect.Sets;
-import java.util.Collection;
-import org.junit.Test;
-
-/**
- * A few basic test cases for the DefualtRBACRules singleton container.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- *
- */
-public class DefaultRBACRulesTest {
-
- @Test
- public void testGetInstance() {
- assertNotNull(DefaultRBACRules.getInstance());
- assertEquals(DefaultRBACRules.getInstance(), DefaultRBACRules.getInstance());
- }
-
- @Test
- public void testGetRBACRules() {
- Collection<RBACRule> rbacRules = DefaultRBACRules.getInstance().getRBACRules();
- assertNotNull(rbacRules);
-
- // check that a copy was returned
- int originalSize = rbacRules.size();
- rbacRules.add(RBACRule.createAuthorizationRule("fakeurl/*", Sets.newHashSet("admin")));
- assertEquals(originalSize, DefaultRBACRules.getInstance().getRBACRules().size());
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/RBACRuleTest.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/RBACRuleTest.java
deleted file mode 100644
index 825fe626..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/RBACRuleTest.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.authorization;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-
-import com.google.common.collect.Sets;
-import java.util.Collection;
-import java.util.HashSet;
-import org.junit.Test;
-
-public class RBACRuleTest {
-
- private static final String BASIC_RBAC_RULE_URL_PATTERN = "/*";
- private static final Collection<String> BASIC_RBAC_RULE_ROLES = Sets.newHashSet("admin");
- private RBACRule basicRBACRule = RBACRule.createAuthorizationRule(BASIC_RBAC_RULE_URL_PATTERN,
- BASIC_RBAC_RULE_ROLES);
-
- private static final String COMPLEX_RBAC_RULE_URL_PATTERN = "/auth/v1/";
- private static final Collection<String> COMPLEX_RBAC_RULE_ROLES = Sets.newHashSet("admin",
- "user");
- private RBACRule complexRBACRule = RBACRule.createAuthorizationRule(
- COMPLEX_RBAC_RULE_URL_PATTERN, COMPLEX_RBAC_RULE_ROLES);
-
- @Test
- public void testCreateAuthorizationRule() {
- // positive test cases
- assertNotNull(RBACRule.createAuthorizationRule(BASIC_RBAC_RULE_URL_PATTERN,
- BASIC_RBAC_RULE_ROLES));
- assertNotNull(RBACRule.createAuthorizationRule(COMPLEX_RBAC_RULE_URL_PATTERN,
- COMPLEX_RBAC_RULE_ROLES));
-
- // negative test cases
- // both null
- assertNull(RBACRule.createAuthorizationRule(null, null));
-
- // url pattern is null
- assertNull(RBACRule.createAuthorizationRule(null, BASIC_RBAC_RULE_ROLES));
- // url pattern is empty string
- assertNull(RBACRule.createAuthorizationRule("", BASIC_RBAC_RULE_ROLES));
-
- // roles is null
- assertNull(RBACRule.createAuthorizationRule(BASIC_RBAC_RULE_URL_PATTERN, null));
- // roles is empty collection
- assertNull(RBACRule.createAuthorizationRule(COMPLEX_RBAC_RULE_URL_PATTERN,
- new HashSet<String>()));
- }
-
- @Test
- public void testGetUrlPattern() {
- assertEquals(BASIC_RBAC_RULE_URL_PATTERN, basicRBACRule.getUrlPattern());
- assertEquals(COMPLEX_RBAC_RULE_URL_PATTERN, complexRBACRule.getUrlPattern());
- }
-
- @Test
- public void testGetRoles() {
- assertTrue(BASIC_RBAC_RULE_ROLES.containsAll(basicRBACRule.getRoles()));
- basicRBACRule.getRoles().clear();
- // test that getRoles() produces a new object
- assertFalse(basicRBACRule.getRoles().isEmpty());
- assertTrue(basicRBACRule.getRoles().containsAll(BASIC_RBAC_RULE_ROLES));
-
- assertTrue(COMPLEX_RBAC_RULE_ROLES.containsAll(complexRBACRule.getRoles()));
- complexRBACRule.getRoles().add("newRole");
- // test that getRoles() produces a new object
- assertFalse(complexRBACRule.getRoles().contains("newRole"));
- assertTrue(complexRBACRule.getRoles().containsAll(COMPLEX_RBAC_RULE_ROLES));
- }
-
- @Test
- public void testGetRolesInShiroFormat() {
- final String BASIC_RBAC_RULE_EXPECTED_SHIRO_FORMAT = "roles[admin]";
- assertEquals(BASIC_RBAC_RULE_EXPECTED_SHIRO_FORMAT, basicRBACRule.getRolesInShiroFormat());
-
- // set ordering is not predictable, so both formats must be considered
- final String COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_1 = "roles[admin, user]";
- final String COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_2 = "roles[user, admin]";
- assertTrue(COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_1.equals(complexRBACRule
- .getRolesInShiroFormat())
- || COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_2.equals(complexRBACRule
- .getRolesInShiroFormat()));
- }
-
- @Test
- public void testToString() {
- final String BASIC_RBAC_RULE_EXPECTED_SHIRO_FORMAT = "/*=roles[admin]";
- assertEquals(BASIC_RBAC_RULE_EXPECTED_SHIRO_FORMAT, basicRBACRule.toString());
-
- // set ordering is not predictable,s o both formats must be considered
- final String COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_1 = "/auth/v1/=roles[admin, user]";
- final String COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_2 = "/auth/v1/=roles[user, admin]";
- assertTrue(COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_1.equals(complexRBACRule.toString())
- || COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_2.equals(complexRBACRule.toString()));
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/filters/AuthenticationListenerTest.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/filters/AuthenticationListenerTest.java
deleted file mode 100644
index 1c823525..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/filters/AuthenticationListenerTest.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.filters;
-
-import static org.junit.Assert.*;
-
-import ch.qos.logback.classic.spi.LoggingEvent;
-
-import java.util.List;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.SimpleAuthenticationInfo;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.junit.Test;
-import org.opendaylight.aaa.shiro.TestAppender;
-import org.opendaylight.aaa.shiro.filters.AuthenticationListener;
-
-/**
- * Test AuthenticationListener, which is responsible for logging Accounting events.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class AuthenticationListenerTest {
-
- @Test
- public void testOnSuccess() throws Exception {
- // sets up a successful authentication attempt
- final AuthenticationListener authenticationListener = new AuthenticationListener();
- final UsernamePasswordToken authenticationToken = new UsernamePasswordToken();
- authenticationToken.setUsername("successfulUser1");
- authenticationToken.setHost("successfulHost1");
- final SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo();
- // the following call produces accounting output
- authenticationListener.onSuccess(authenticationToken, simpleAuthenticationInfo);
-
- // grab the latest log output and make sure it is in line with what is expected
- final List<LoggingEvent> loggingEvents = TestAppender.getCurrentInstance().getEvents();
- // the latest logging event is the one we need to inspect
- final int whichLoggingEvent = loggingEvents.size() - 1;
- final LoggingEvent latestLoggingEvent = loggingEvents.get(whichLoggingEvent);
- final String latestLogMessage = latestLoggingEvent.getMessage();
- assertEquals("Successful authentication attempt by successfulUser1 from successfulHost1",
- latestLogMessage);
- }
-
- @Test
- public void testOnFailure() throws Exception {
- // variables for an unsucessful authentication attempt
- final AuthenticationListener authenticationListener = new AuthenticationListener();
- final UsernamePasswordToken authenticationToken = new UsernamePasswordToken();
- authenticationToken.setUsername("unsuccessfulUser1");
- authenticationToken.setHost("unsuccessfulHost1");
- final AuthenticationException authenticationException =
- new AuthenticationException("test auth exception");
- // produces unsuccessful authentication attempt output
- authenticationListener.onFailure(authenticationToken, authenticationException);
-
- // grab the latest log output and ensure it is in line with what is expected
- final List<LoggingEvent> loggingEvents = TestAppender.getCurrentInstance().getEvents();
- final int whichLoggingEvent = loggingEvents.size() - 1;
- final LoggingEvent latestLoggingEvent = loggingEvents.get(whichLoggingEvent);
- final String latestLogMessage = latestLoggingEvent.getMessage();
- assertEquals("Unsuccessful authentication attempt by unsuccessfulUser1 from unsuccessfulHost1",
- latestLogMessage);
- }
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/filters/AuthenticationTokenUtilsTest.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/filters/AuthenticationTokenUtilsTest.java
deleted file mode 100644
index 09331c52..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/filters/AuthenticationTokenUtilsTest.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Copyright (c) 2016 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.filters;
-
-import static org.junit.Assert.*;
-
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.junit.Test;
-import org.opendaylight.aaa.shiro.filters.AuthenticationTokenUtils;
-
-/**
- * Tests authentication token output utilities.
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class AuthenticationTokenUtilsTest {
-
- /**
- * A sample non-UsernamePasswordToken implementation for testing.
- */
- private final class NotUsernamePasswordToken implements AuthenticationToken {
-
- @Override
- public Object getPrincipal() {
- return null;
- }
-
- @Override
- public Object getCredentials() {
- return null;
- }
- }
-
- @Test
- public void testIsUsernamePasswordToken() throws Exception {
- // null test
- final AuthenticationToken nullUsernamePasswordToken = null;
- assertFalse(AuthenticationTokenUtils.isUsernamePasswordToken(nullUsernamePasswordToken));
-
- // alternate implementation of AuthenticationToken
- final AuthenticationToken notUsernamePasswordToken = new NotUsernamePasswordToken();
- assertFalse(AuthenticationTokenUtils.isUsernamePasswordToken(notUsernamePasswordToken));
-
- // positive test case
- final AuthenticationToken positiveUsernamePasswordToken = new UsernamePasswordToken();
- assertTrue(AuthenticationTokenUtils.isUsernamePasswordToken(positiveUsernamePasswordToken));
-
- }
-
- @Test
- public void testExtractUsername() throws Exception {
- // null test
- final AuthenticationToken nullAuthenticationToken = null;
- assertEquals(AuthenticationTokenUtils.DEFAULT_TOKEN,
- AuthenticationTokenUtils.extractUsername(nullAuthenticationToken));
-
- // non-UsernamePasswordToken test
- final AuthenticationToken notUsernamePasswordToken = new NotUsernamePasswordToken();
- assertEquals(AuthenticationTokenUtils.DEFAULT_TOKEN,
- AuthenticationTokenUtils.extractUsername(notUsernamePasswordToken));
-
- // null username test
- final UsernamePasswordToken nullUsername = new UsernamePasswordToken();
- nullUsername.setUsername(null);
- assertEquals(AuthenticationTokenUtils.DEFAULT_USERNAME,
- AuthenticationTokenUtils.extractUsername(nullUsername));
-
- // positive test
- final UsernamePasswordToken positiveUsernamePasswordToken = new UsernamePasswordToken();
- final String testUsername = "testUser1";
- positiveUsernamePasswordToken.setUsername(testUsername);
- assertEquals(testUsername, AuthenticationTokenUtils.extractUsername(positiveUsernamePasswordToken));
- }
-
- @Test
- public void testExtractHostname() throws Exception {
- // null test
- final AuthenticationToken nullAuthenticationToken = null;
- assertEquals(AuthenticationTokenUtils.DEFAULT_HOSTNAME,
- AuthenticationTokenUtils.extractHostname(nullAuthenticationToken));
-
- // non-UsernamePasswordToken test
- final AuthenticationToken notUsernamePasswordToken = new NotUsernamePasswordToken();
- assertEquals(AuthenticationTokenUtils.DEFAULT_HOSTNAME,
- AuthenticationTokenUtils.extractHostname(notUsernamePasswordToken));
-
- // null hostname test
- final UsernamePasswordToken nullHostname = new UsernamePasswordToken();
- nullHostname.setHost(null);
- assertEquals(AuthenticationTokenUtils.DEFAULT_HOSTNAME,
- AuthenticationTokenUtils.extractHostname(nullHostname));
-
- // positive test
- final UsernamePasswordToken positiveUsernamePasswordToken = new UsernamePasswordToken();
- final String testUsername = "testHostname1";
- positiveUsernamePasswordToken.setHost(testUsername);
- assertEquals(testUsername, AuthenticationTokenUtils.extractHostname(positiveUsernamePasswordToken));
- }
-
- @Test
- public void testGenerateUnsuccessfulAuthenticationMessage() throws Exception {
- final UsernamePasswordToken unsuccessfulToken = new UsernamePasswordToken();
- unsuccessfulToken.setUsername("unsuccessfulUser1");
- unsuccessfulToken.setHost("unsuccessfulHost1");
- assertEquals("Unsuccessful authentication attempt by unsuccessfulUser1 from unsuccessfulHost1",
- AuthenticationTokenUtils.generateUnsuccessfulAuthenticationMessage(unsuccessfulToken));
- }
-
- @Test
- public void testGenerateSuccessfulAuthenticationMessage() throws Exception {
- final UsernamePasswordToken successfulToken = new UsernamePasswordToken();
- successfulToken.setUsername("successfulUser1");
- successfulToken.setHost("successfulHost1");
- assertEquals("Successful authentication attempt by successfulUser1 from successfulHost1",
- AuthenticationTokenUtils.generateSuccessfulAuthenticationMessage(successfulToken));
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmTest.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmTest.java
deleted file mode 100644
index 22ce203f..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmTest.java
+++ /dev/null
@@ -1,246 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.realm;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Matchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
-import java.util.Vector;
-import javax.naming.NamingEnumeration;
-import javax.naming.NamingException;
-import javax.naming.directory.BasicAttributes;
-import javax.naming.directory.SearchControls;
-import javax.naming.directory.SearchResult;
-import javax.naming.ldap.LdapContext;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.realm.ldap.LdapContextFactory;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.junit.Test;
-
-/**
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class ODLJndiLdapRealmTest {
-
- /**
- * throw-away anonymous test class
- */
- class TestNamingEnumeration implements NamingEnumeration<SearchResult> {
-
- /**
- * state variable
- */
- boolean first = true;
-
- /**
- * returned the first time <code>next()</code> or
- * <code>nextElement()</code> is called.
- */
- SearchResult searchResult = new SearchResult("testuser", null, new BasicAttributes(
- "objectClass", "engineering"));
-
- /**
- * returns true the first time, then false for subsequent calls
- */
- @Override
- public boolean hasMoreElements() {
- return first;
- }
-
- /**
- * returns <code>searchResult</code> then null for subsequent calls
- */
- @Override
- public SearchResult nextElement() {
- if (first) {
- first = false;
- return searchResult;
- }
- return null;
- }
-
- /**
- * does nothing because close() doesn't require any special behavior
- */
- @Override
- public void close() throws NamingException {
- }
-
- /**
- * returns true the first time, then false for subsequent calls
- */
- @Override
- public boolean hasMore() throws NamingException {
- return first;
- }
-
- /**
- * returns <code>searchResult</code> then null for subsequent calls
- */
- @Override
- public SearchResult next() throws NamingException {
- if (first) {
- first = false;
- return searchResult;
- }
- return null;
- }
- };
-
- /**
- * throw away test class
- *
- * @author ryan
- */
- class TestPrincipalCollection implements PrincipalCollection {
- /**
- *
- */
- private static final long serialVersionUID = -1236759619455574475L;
-
- Vector<String> collection = new Vector<String>();
-
- public TestPrincipalCollection(String element) {
- collection.add(element);
- }
-
- @Override
- public Iterator<String> iterator() {
- return collection.iterator();
- }
-
- @Override
- public List<String> asList() {
- return collection;
- }
-
- @Override
- public Set<String> asSet() {
- HashSet<String> set = new HashSet<String>();
- set.addAll(collection);
- return set;
- }
-
- @Override
- public <T> Collection<T> byType(Class<T> arg0) {
- return null;
- }
-
- @Override
- public Collection<String> fromRealm(String arg0) {
- return collection;
- }
-
- @Override
- public Object getPrimaryPrincipal() {
- return collection.firstElement();
- }
-
- @Override
- public Set<String> getRealmNames() {
- return null;
- }
-
- @Override
- public boolean isEmpty() {
- return collection.isEmpty();
- }
-
- @Override
- public <T> T oneByType(Class<T> arg0) {
- // TODO Auto-generated method stub
- return null;
- }
- };
-
- @Test
- public void testGetUsernameAuthenticationToken() {
- AuthenticationToken authenticationToken = null;
- assertNull(ODLJndiLdapRealm.getUsername(authenticationToken));
- AuthenticationToken validAuthenticationToken = new UsernamePasswordToken("test",
- "testpassword");
- assertEquals("test", ODLJndiLdapRealm.getUsername(validAuthenticationToken));
- }
-
- @Test
- public void testGetUsernamePrincipalCollection() {
- PrincipalCollection pc = null;
- assertNull(new ODLJndiLdapRealm().getUsername(pc));
- TestPrincipalCollection tpc = new TestPrincipalCollection("testuser");
- String username = new ODLJndiLdapRealm().getUsername(tpc);
- assertEquals("testuser", username);
- }
-
- @Test
- public void testQueryForAuthorizationInfoPrincipalCollectionLdapContextFactory()
- throws NamingException {
- LdapContext ldapContext = mock(LdapContext.class);
- // emulates an ldap search and returns the mocked up test class
- when(
- ldapContext.search((String) any(), (String) any(),
- (SearchControls) any())).thenReturn(new TestNamingEnumeration());
- LdapContextFactory ldapContextFactory = mock(LdapContextFactory.class);
- when(ldapContextFactory.getSystemLdapContext()).thenReturn(ldapContext);
- AuthorizationInfo authorizationInfo = new ODLJndiLdapRealm().queryForAuthorizationInfo(
- new TestPrincipalCollection("testuser"), ldapContextFactory);
- assertNotNull(authorizationInfo);
- assertFalse(authorizationInfo.getRoles().isEmpty());
- assertTrue(authorizationInfo.getRoles().contains("engineering"));
- }
-
- @Test
- public void testBuildAuthorizationInfo() {
- assertNull(ODLJndiLdapRealm.buildAuthorizationInfo(null));
- Set<String> roleNames = new HashSet<String>();
- roleNames.add("engineering");
- AuthorizationInfo authorizationInfo = ODLJndiLdapRealm.buildAuthorizationInfo(roleNames);
- assertNotNull(authorizationInfo);
- assertFalse(authorizationInfo.getRoles().isEmpty());
- assertTrue(authorizationInfo.getRoles().contains("engineering"));
- }
-
- @Test
- public void testGetRoleNamesForUser() throws NamingException {
- ODLJndiLdapRealm ldapRealm = new ODLJndiLdapRealm();
- LdapContext ldapContext = mock(LdapContext.class);
-
- // emulates an ldap search and returns the mocked up test class
- when(
- ldapContext.search((String) any(), (String) any(),
- (SearchControls) any())).thenReturn(new TestNamingEnumeration());
-
- // extracts the roles for "testuser" and ensures engineering is returned
- Set<String> roles = ldapRealm.getRoleNamesForUser("testuser", ldapContext);
- assertFalse(roles.isEmpty());
- assertTrue(roles.iterator().next().equals("engineering"));
- }
-
- @Test
- public void testCreateSearchControls() {
- SearchControls searchControls = ODLJndiLdapRealm.createSearchControls();
- assertNotNull(searchControls);
- int expectedSearchScope = SearchControls.SUBTREE_SCOPE;
- int actualSearchScope = searchControls.getSearchScope();
- assertEquals(expectedSearchScope, actualSearchScope);
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealmTest.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealmTest.java
deleted file mode 100644
index f2eb92b5..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealmTest.java
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.realm;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
-import com.google.common.collect.Lists;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.junit.Test;
-
-/**
- *
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- *
- */
-public class TokenAuthRealmTest extends TokenAuthRealm {
-
- private TokenAuthRealm testRealm = new TokenAuthRealm();
-
- @Test
- public void testTokenAuthRealm() {
- assertEquals("TokenAuthRealm", testRealm.getName());
- }
-
- @Test(expected = NullPointerException.class)
- public void testDoGetAuthorizationInfoPrincipalCollectionNullCacheToken() {
- testRealm.doGetAuthorizationInfo(null);
- }
-
- @Test
- public void testGetUsernamePasswordDomainString() {
- final String username = "user";
- final String password = "password";
- final String domain = "domain";
- final String expectedUsernamePasswordString = "user:password:domain";
- assertEquals(expectedUsernamePasswordString, getUsernamePasswordDomainString(username, password, domain));
- }
-
- @Test
- public void testGetEncodedToken() {
- final String stringToEncode = "admin1:admin1";
- final byte[] bytesToEncode = stringToEncode.getBytes();
- final String expectedToken = org.apache.shiro.codec.Base64.encodeToString(bytesToEncode);
- assertEquals(expectedToken, getEncodedToken(stringToEncode));
- }
-
- @Test
- public void testGetTokenAuthHeader() {
- final String encodedCredentials = getEncodedToken(getUsernamePasswordDomainString("user1",
- "password", "sdn"));
- final String expectedTokenAuthHeader = "Basic " + encodedCredentials;
- assertEquals(expectedTokenAuthHeader, getTokenAuthHeader(encodedCredentials));
- }
-
- @Test
- public void testFormHeadersWithToken() {
- final String authHeader = getEncodedToken(getTokenAuthHeader(getUsernamePasswordDomainString(
- "user1", "password", "sdn")));
- final Map<String, List<String>> expectedHeaders = new HashMap<String, List<String>>();
- expectedHeaders.put("Authorization", Lists.newArrayList(authHeader));
- final Map<String, List<String>> actualHeaders = formHeadersWithToken(authHeader);
- List<String> value;
- for (String key : expectedHeaders.keySet()) {
- value = expectedHeaders.get(key);
- assertTrue(actualHeaders.get(key).equals(value));
- }
- }
-
- @Test
- public void testFormHeaders() {
- final String username = "basicUser";
- final String password = "basicPassword";
- final String domain = "basicDomain";
- final String authHeader = getTokenAuthHeader(getEncodedToken(getUsernamePasswordDomainString(
- username, password, domain)));
- final Map<String, List<String>> expectedHeaders = new HashMap<String, List<String>>();
- expectedHeaders.put("Authorization", Lists.newArrayList(authHeader));
- final Map<String, List<String>> actualHeaders = formHeaders(username, password, domain);
- List<String> value;
- for (String key : expectedHeaders.keySet()) {
- value = expectedHeaders.get(key);
- assertTrue(actualHeaders.get(key).equals(value));
- }
- }
-
- @Test
- public void testIsTokenAuthAvailable() {
- assertFalse(testRealm.isTokenAuthAvailable());
- }
-
- @Test(expected = org.apache.shiro.authc.AuthenticationException.class)
- public void testDoGetAuthenticationInfoAuthenticationToken() {
- testRealm.doGetAuthenticationInfo(null);
- }
-
- @Test
- public void testExtractUsernameNullUsername() {
- AuthenticationToken at = mock(AuthenticationToken.class);
- when(at.getPrincipal()).thenReturn(null);
- assertNull(extractUsername(at));
- }
-
- @Test(expected = ClassCastException.class)
- public void testExtractPasswordNullPassword() {
- AuthenticationToken at = mock(AuthenticationToken.class);
- when(at.getPrincipal()).thenReturn("username");
- when(at.getCredentials()).thenReturn(null);
- extractPassword(at);
- }
-
- @Test(expected = ClassCastException.class)
- public void testExtractUsernameBadUsernameClass() {
- AuthenticationToken at = mock(AuthenticationToken.class);
- when(at.getPrincipal()).thenReturn(new Integer(1));
- extractUsername(at);
- }
-
- @Test(expected = ClassCastException.class)
- public void testExtractPasswordBadPasswordClass() {
- AuthenticationToken at = mock(AuthenticationToken.class);
- when(at.getPrincipal()).thenReturn("username");
- when(at.getCredentials()).thenReturn(new Integer(1));
- extractPassword(at);
- }
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironmentTest.java b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironmentTest.java
deleted file mode 100644
index 141d0ce5..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironmentTest.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Public License v1.0 which accompanies this distribution,
- * and is available at http://www.eclipse.org/legal/epl-v10.html
- */
-
-package org.opendaylight.aaa.shiro.web.env;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.io.FileWriter;
-import java.io.IOException;
-import org.apache.shiro.config.Ini;
-import org.apache.shiro.config.Ini.Section;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-/**
- * @author Ryan Goulding (ryandgoulding@gmail.com)
- */
-public class KarafIniWebEnvironmentTest {
- private static File iniFile;
-
- @BeforeClass
- public static void setup() throws IOException {
- iniFile = createShiroIniFile();
- assertTrue(iniFile.exists());
- }
-
- @AfterClass
- public static void teardown() {
- iniFile.delete();
- }
-
- private static String createFakeShiroIniContents() {
- return "[users]\n" + "admin=admin, ROLE_ADMIN \n" + "[roles]\n" + "ROLE_ADMIN = *\n"
- + "[urls]\n" + "/** = authcBasic";
- }
-
- private static File createShiroIniFile() throws IOException {
- File shiroIni = File.createTempFile("shiro", "ini");
- FileWriter writer = new FileWriter(shiroIni);
- writer.write(createFakeShiroIniContents());
- writer.flush();
- writer.close();
- return shiroIni;
- }
-
- @Test
- public void testCreateShiroIni() throws IOException {
- Ini ini = KarafIniWebEnvironment.createShiroIni(iniFile.getAbsolutePath());
- assertNotNull(ini);
- assertNotNull(ini.getSection("users"));
- assertNotNull(ini.getSection("roles"));
- assertNotNull(ini.getSection("urls"));
- Section usersSection = ini.getSection("users");
- assertTrue(usersSection.containsKey("admin"));
- assertTrue(usersSection.get("admin").contains("admin"));
- assertTrue(usersSection.get("admin").contains("ROLE_ADMIN"));
- }
-
- @Test
- public void testCreateFileBasedIniPath() {
- String testPath = "/shiro.ini";
- String expectedFileBasedIniPath = KarafIniWebEnvironment.SHIRO_FILE_PREFIX + testPath;
- String actualFileBasedIniPath = KarafIniWebEnvironment.createFileBasedIniPath(testPath);
- assertEquals(expectedFileBasedIniPath, actualFileBasedIniPath);
- }
-
-}
diff --git a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/resources/logback-test.xml b/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/resources/logback-test.xml
deleted file mode 100644
index 68ceeabc..00000000
--- a/upstream/odl-aaa-moon/aaa/aaa-shiro/src/test/resources/logback-test.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration>
-
- <appender name="TEST-APPENDER" class="org.opendaylight.aaa.shiro.TestAppender">
- <layout class="ch.qos.logback.classic.PatternLayout">
- <Pattern>
- %d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %msg%n
- </Pattern>
- </layout>
- </appender>
-
- <logger name="org.opendaylight.aaa.shiro.authc" level="debug"
- additivity="false">
- <appender-ref ref="TEST-APPENDER" />
- </logger>
-
- <root level="debug">
- <appender-ref ref="TEST-APPENDER" />
- </root>
-
-</configuration>
diff --git a/upstream/odl-aaa-moon/aaa/artifacts/pom.xml b/upstream/odl-aaa-moon/aaa/artifacts/pom.xml
deleted file mode 100644
index 3f811507..00000000
--- a/upstream/odl-aaa-moon/aaa/artifacts/pom.xml
+++ /dev/null
@@ -1,231 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- vi: set et smarttab sw=4 tabstop=4: -->
-<!--
- Copyright (c) 2013 Robert Varga. All rights reserved.
-
- This program and the accompanying materials are made available under the
- terms of the Eclipse Public License v1.0 which accompanies this distribution,
- and is available at http://www.eclipse.org/legal/epl-v10.html
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.opendaylight.odlparent</groupId>
- <artifactId>odlparent-lite</artifactId>
- <version>1.6.2-Beryllium-SR2</version>
- <relativePath/>
- </parent>
-
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-artifacts</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>pom</packaging>
-
- <dependencyManagement>
- <dependencies>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn</artifactId>
- <version>${project.version}</version>
- <type>cfg</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-basic</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-federation</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-federation</artifactId>
- <version>${project.version}</version>
- <type>cfg</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-keystone</artifactId>
- <version>${project.version}</version>
- </dependency>
-
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-mdsal-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-mdsal-store-impl</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-mdsal-config</artifactId>
- <version>${project.version}</version>
- <type>xml</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-shiro</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-shiro-act</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-sssd</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-store</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-store</artifactId>
- <version>${project.version}</version>
- <type>cfg</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-sts</artifactId>
- <version>${project.version}</version>
- </dependency>
-
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authz-model</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authz-service</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>authz-service-config</artifactId>
- <version>${project.version}</version>
- <type>xml</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>authz-restconf-config</artifactId>
- <version>${project.version}</version>
- <type>xml</type>
- <classifier>config</classifier>
- </dependency>
-
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-credential-store-api</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-idmlight</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-idmlight</artifactId>
- <version>${project.version}</version>
- <type>xml</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-authn-idpmapping</artifactId>
- <version>${project.version}</version>
- </dependency>
-
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>features-aaa-api</artifactId>
- <version>${project.version}</version>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>features-aaa-authn</artifactId>
- <version>${project.version}</version>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>features-aaa-authz</artifactId>
- <version>${project.version}</version>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-h2-store</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>aaa-h2-store</artifactId>
- <version>${project.version}</version>
- <classifier>config</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>features-aaa-shiro</artifactId>
- <version>${project.version}</version>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>${project.groupId}</groupId>
- <artifactId>features-aaa</artifactId>
- <version>${project.version}</version>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- </dependencies>
- </dependencyManagement>
-
- <properties>
- <nexusproxy>http://nexus.opendaylight.org/content</nexusproxy>
- </properties>
-
- <distributionManagement>
- <!-- OpenDayLight Released artifact -->
- <repository>
- <id>opendaylight-release</id>
- <url>${nexusproxy}/repositories/opendaylight.release/</url>
- </repository>
- <!-- OpenDayLight Snapshot artifact -->
- <snapshotRepository>
- <id>opendaylight-snapshot</id>
- <url>${nexusproxy}/repositories/opendaylight.snapshot/</url>
- </snapshotRepository>
- </distributionManagement>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd b/upstream/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd
deleted file mode 100644
index ddd59fb3..00000000
--- a/upstream/odl-aaa-moon/aaa/commons/docs/AuthNusecases.vsd
+++ /dev/null
Binary files differ
diff --git a/upstream/odl-aaa-moon/aaa/commons/docs/direct_authn.png b/upstream/odl-aaa-moon/aaa/commons/docs/direct_authn.png
deleted file mode 100644
index f63f038e..00000000
--- a/upstream/odl-aaa-moon/aaa/commons/docs/direct_authn.png
+++ /dev/null
Binary files differ
diff --git a/upstream/odl-aaa-moon/aaa/commons/docs/federated_authn1.png b/upstream/odl-aaa-moon/aaa/commons/docs/federated_authn1.png
deleted file mode 100644
index 199f6f4d..00000000
--- a/upstream/odl-aaa-moon/aaa/commons/docs/federated_authn1.png
+++ /dev/null
Binary files differ
diff --git a/upstream/odl-aaa-moon/aaa/commons/docs/federated_authn2.png b/upstream/odl-aaa-moon/aaa/commons/docs/federated_authn2.png
deleted file mode 100644
index b71e9aa7..00000000
--- a/upstream/odl-aaa-moon/aaa/commons/docs/federated_authn2.png
+++ /dev/null
Binary files differ
diff --git a/upstream/odl-aaa-moon/aaa/commons/federation/README b/upstream/odl-aaa-moon/aaa/commons/federation/README
deleted file mode 100644
index dd9cdbf0..00000000
--- a/upstream/odl-aaa-moon/aaa/commons/federation/README
+++ /dev/null
@@ -1,271 +0,0 @@
-README
-===============================================================================
-Federated AAA is deployed using several config files. This file explains a
-simple scenario utilizing two servers:
-a) ipa.example.com
- - Runs the IPA Server Software
-b) odl.example.com
- - Runs the IPA Client Software
- - Runs an Apache proxy frontend (AuthN through mod_lookup_identity.so)
- - Runs ODL
-
-This setup for this scenario is illustrated in Figure 1 below:
-
- -----------------------
- | odl.example.com |
- | (Fedora 20 Linux) |
- | |
- | ------------------- |
- | | ODL Jetty Server | |
- | | (Port 8181 & 8383)| |
- | ------------------- |
- | ^ . |
- | . (Apache . | SSSD Requests/Responses
- | . Reverse . | /
- | . Proxy) . | /
- | . v | /
- | ------------------- | | ------------------
- | | Apache |<|..................| ipa.example.com |
- | | (Port 80) |.|.................>| (FreeIPA |
- | ------------------- | | Kerberos And |
- | ______________________| | LDAP) |
- ------------------
-Figure 1: Shows the setup for a simple Federated AAA use case utilizing
-FreeIPA as an identity provider.
-
-
-These instructions were written for Fedora 20, since SSSD is unique to RHEL based
-distributions. SSSD is NOT a requirement for Federation though; you can use
-any supported linux flavor. At this time, SSSD is the only Filter available
-with regards to capturing IdP attributes that can be used in making advanced mapping
-decisions (such as IdP group membership information).
-
-
-
-1) Install FreeIPA Server on ipa.example.com. This is achieved through running:
-# yum install freeipa-server bind bind-dyndb-ldap
-# ipa-server-intall
-
-
-
-2) Add a FreeIPA user called testuser:
-$ kinit admin@EXAMPLE.COM
-$ ipa group-add odl_users --desc "ODL Users"
-$ ipa group-add odl_admin --desc "ODL Admin"
-$ ipa user-add testuser --first Test --last USER --email test.user@example.com
-$ ipa group-add-member odl_users --user testuser
-$ ipa group-add-member odl_admin --user testuser
-
-
-
-3) Install FreeIPA Client on odl.example.com. This is achieved through running:
-# yum install freeipa-client
-# ipa-client-install
-
-
-
-4) Set up Client keytab for HTTP access on odl.example.com:
-# ipa-getkeytab -p HTTP/odl.brcd-sssd-tb.com@BRCD-SSSD-TB.COM \
- -s freeipa.brcd-sssd-tb.com -k /etc/krb5.keytab
-# chmod 644 /etc/krb5.keytab
-NOTE: The second command allows Apache to read the keytab. There are more
-secure methods to support such access through SELINUX, but they are outside
-the scope of this tutorial.
-
-
-
-5) Install Apache on odl.example.com. This is achieved through running:
-# yum install httpd
-
-
-
-6) Create an Apache application to broker federation between ODL and FreeIPA.
-Create the following file on odl.example.com:
-
-[root@odl /]# cat /etc/httpd/conf.d/my_app.conf
-<Location "/*">
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate On
- KrbMethodK5Passwd on
- KrbAuthRealms EXAMPLE.COM
- Krb5KeyTab /etc/krb5.keytab
- require valid-user
-</Location>
-
-
-<LocationMatch "/*">
-
- RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
- RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
- RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
- RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
- LookupUserAttr mail REMOTE_USER_EMAIL
- RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
- LookupUserAttr givenname REMOTE_USER_FIRSTNAME
- RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
- LookupUserAttr sn REMOTE_USER_LASTNAME
- RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
- LookupUserGroups REMOTE_USER_GROUPS ":"
- RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
-</LocationMatch>
-
-ProxyPass / http://localhost:8383/
-ProxyPassReverse / http://localhost:8383/
-
-
-
-7) Install the ODL distribution in the /opt folder on odl.example.com.
-
-
-
-8) Add a federation connector to the jetty server hosting ODL on
-odl.example.com:
-
-[user@odl distribution]$ cat etc/jetty.xml
-<?xml version="1.0"?>
-<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
-DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
-
-<Configure class="org.eclipse.jetty.server.Server">
-
- <!-- =========================================================== -->
- <!-- Set connectors -->
- <!-- =========================================================== -->
- <!-- One of each type! -->
- <!-- =========================================================== -->
-
- <!-- Use this connector for many frequently idle connections and for
- threadless continuations. -->
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <Set name="host">
- <Property name="jetty.host" />
- </Set>
- <Set name="port">
- <Property name="jetty.port" default="8181" />
- </Set>
- <Set name="maxIdleTime">300000</Set>
- <Set name="Acceptors">2</Set>
- <Set name="statsOn">false</Set>
- <Set name="confidentialPort">8443</Set>
- <Set name="lowResourcesConnections">20000</Set>
- <Set name="lowResourcesMaxIdleTime">5000</Set>
- </New>
- </Arg>
- </Call>
- <!-- Trusted Authentication Federation proxy connection -->
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <Set name="host">127.0.0.1</Set>
- <Set name="port">8383</Set>
- <Set name="maxIdleTime">300000</Set>
- <Set name="Acceptors">2</Set>
- <Set name="statsOn">false</Set>
- <Set name="confidentialPort">8445</Set>
- <Set name="name">federationConn</Set>
- <Set name="lowResourcesConnections">20000</Set>
- <Set name="lowResourcesMaxIdleTime">5000</Set>
- </New>
- </Arg>
- </Call>
- <!-- =========================================================== -->
- <!-- Configure Authentication Realms -->
- <!-- Realms may be configured for the entire server here, or -->
- <!-- they can be configured for a specific web app in a context -->
- <!-- configuration (see $(jetty.home)/contexts/test.xml for an -->
- <!-- example). -->
- <!-- =========================================================== -->
- <Call name="addBean">
- <Arg>
- <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
- <Set name="name">karaf</Set>
- <Set name="loginModuleName">karaf</Set>
- <Set name="roleClassNames">
- <Array type="java.lang.String">
- <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
- </Item>
- </Array>
- </Set>
- </New>
- </Arg>
- </Call>
- <Call name="addBean">
- <Arg>
- <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
- <Set name="name">default</Set>
- <Set name="loginModuleName">karaf</Set>
- <Set name="roleClassNames">
- <Array type="java.lang.String">
- <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
- </Item>
- </Array>
- </Set>
- </New>
- </Arg>
- </Call>
-</Configure>
-
-
-
-9) Add the idp_mapping rules file on odl.example.com
-
-[user@odl distribution]$ cat etc/idp_mapping_rules.json
-[
- {
- "mapping":{
- "ClientId":"1",
- "UserId":"1",
- "User":"admin",
- "Domain":"BRCD-SSSD-TB.COM",
- "roles":"$roles"
- },
- "statement_blocks":[
- [
- [
- "set",
- "$groups",
- [
-
- ]
- ],
- [
- "set",
- "$roles",
- [
- "admin",
- "user"
- ]
- ]
- ]
- ]
- }
-]
-
-NOTE: This is a very basic mapping example in which all federated users are
-mapped into the default "admin" account.
-
-
-
-10) Start ODL and install the following features on odl.example.com:
-# bin/karaf
-karaf> feature:install odl-aaa-authn-sssd-no-cluster odl-restconf
-
-
-
-11) Get a refresh_token on odl.example.com through Apache proxy port (80 forwarded to 8383):
-[user@odl distribution]$ kinit testuser
-[user@odl distribution]$ curl -s --negotiate -u : -X POST http://odl.example.com/oauth2/federation/
-
-
-
-12) Obtain an access_token on odl.example.com through normal port (8181):
-[user@odl distribution]$ curl -s -d 'grant_type=refresh_token&refresh_token=<PUT RESULT FROM ABOVE STEP HERE>&scope=sdn' http://odl.example.com:8181/oauth2/token
-
-
-
-13) Use the access_token to make authenticated rest calls from odl.example.com through normal port (8181):
-[user@odl distribution]$ curl -s -H 'Authorization: Bearer <PUT RESULT FROM ABOVE STEP HERE>' http://odl.brcd-sssd-tb.com:8181/restconf/streams/
-
diff --git a/upstream/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example b/upstream/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example
deleted file mode 100644
index 98bacb0a..00000000
--- a/upstream/odl-aaa-moon/aaa/commons/federation/idp_mapping_rules.json.example
+++ /dev/null
@@ -1,30 +0,0 @@
-[
- {
- "mapping":{
- "ClientId":"1",
- "UserId":"1",
- "User":"admin",
- "Domain":"BRCD-SSSD-TB.COM",
- "roles":"$roles"
- },
- "statement_blocks":[
- [
- [
- "set",
- "$groups",
- [
-
- ]
- ],
- [
- "set",
- "$roles",
- [
- "admin",
- "user"
- ]
- ]
- ]
- ]
- }
-]
diff --git a/upstream/odl-aaa-moon/aaa/commons/federation/jetty.xml.example b/upstream/odl-aaa-moon/aaa/commons/federation/jetty.xml.example
deleted file mode 100644
index c4cb2a7d..00000000
--- a/upstream/odl-aaa-moon/aaa/commons/federation/jetty.xml.example
+++ /dev/null
@@ -1,85 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
-DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
-
-<Configure class="org.eclipse.jetty.server.Server">
-
- <!-- =========================================================== -->
- <!-- Set connectors -->
- <!-- =========================================================== -->
- <!-- One of each type! -->
- <!-- =========================================================== -->
-
- <!-- Use this connector for many frequently idle connections and for
- threadless continuations. -->
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <Set name="host">
- <Property name="jetty.host" />
- </Set>
- <Set name="port">
- <Property name="jetty.port" default="8181" />
- </Set>
- <Set name="maxIdleTime">300000</Set>
- <Set name="Acceptors">2</Set>
- <Set name="statsOn">false</Set>
- <Set name="confidentialPort">8443</Set>
- <Set name="lowResourcesConnections">20000</Set>
- <Set name="lowResourcesMaxIdleTime">5000</Set>
- </New>
- </Arg>
- </Call>
- <!-- Trusted Authentication Federation proxy connection -->
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <Set name="host">127.0.0.1</Set>
- <Set name="port">8383</Set>
- <Set name="maxIdleTime">300000</Set>
- <Set name="Acceptors">2</Set>
- <Set name="statsOn">false</Set>
- <Set name="confidentialPort">8445</Set>
- <Set name="name">federationConn</Set>
- <Set name="lowResourcesConnections">20000</Set>
- <Set name="lowResourcesMaxIdleTime">5000</Set>
- </New>
- </Arg>
- </Call>
- <!-- =========================================================== -->
- <!-- Configure Authentication Realms -->
- <!-- Realms may be configured for the entire server here, or -->
- <!-- they can be configured for a specific web app in a context -->
- <!-- configuration (see $(jetty.home)/contexts/test.xml for an -->
- <!-- example). -->
- <!-- =========================================================== -->
- <Call name="addBean">
- <Arg>
- <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
- <Set name="name">karaf</Set>
- <Set name="loginModuleName">karaf</Set>
- <Set name="roleClassNames">
- <Array type="java.lang.String">
- <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
- </Item>
- </Array>
- </Set>
- </New>
- </Arg>
- </Call>
- <Call name="addBean">
- <Arg>
- <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
- <Set name="name">default</Set>
- <Set name="loginModuleName">karaf</Set>
- <Set name="roleClassNames">
- <Array type="java.lang.String">
- <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
- </Item>
- </Array>
- </Set>
- </New>
- </Arg>
- </Call>
-</Configure>
-
diff --git a/upstream/odl-aaa-moon/aaa/commons/federation/my_app.conf.example b/upstream/odl-aaa-moon/aaa/commons/federation/my_app.conf.example
deleted file mode 100644
index 71c8ad87..00000000
--- a/upstream/odl-aaa-moon/aaa/commons/federation/my_app.conf.example
+++ /dev/null
@@ -1,31 +0,0 @@
-LoadModule lookup_identity_module modules/mod_lookup_identity.so
-
-<Location "/*">
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate On
- KrbMethodK5Passwd on
- KrbAuthRealms EXAMPLE.COM
- Krb5KeyTab /etc/krb5.keytab
- require valid-user
-</Location>
-
-
-<LocationMatch "/*">
-
- RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
- RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
- RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
- RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
- LookupUserAttr mail REMOTE_USER_EMAIL
- RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
- LookupUserAttr givenname REMOTE_USER_FIRSTNAME
- RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
- LookupUserAttr sn REMOTE_USER_LASTNAME
- RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
- LookupUserGroups REMOTE_USER_GROUPS ":"
- RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
-</LocationMatch>
-
-ProxyPass / http://localhost:8383/
-ProxyPassReverse / http://localhost:8383/
diff --git a/upstream/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection b/upstream/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
deleted file mode 100644
index 15193a70..00000000
--- a/upstream/odl-aaa-moon/aaa/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
+++ /dev/null
@@ -1,77 +0,0 @@
-{
- "id": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
- "name": "AAA AuthZ MDSAL",
- "description": "This Postman collection contains some of the common operations that are necessary to \"provision\" authorization services on top of ODL.",
- "order": [
- "7959a1f4-703a-417a-9d4c-70ab56c0e57f",
- "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a",
- "4df58109-fd50-dbdf-b982-7e59d3475544"
- ],
- "folders": [],
- "timestamp": 1439405060911,
- "owner": 0,
- "remoteLink": "",
- "public": false,
- "requests": [
- {
- "id": "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a",
- "headers": "Authorization: Basic YWRtaW46YWRtaW4=\n",
- "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
- "pathVariables": {},
- "preRequestScript": "",
- "method": "GET",
- "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
- "data": [],
- "dataMode": "raw",
- "name": "Get configuration authorization schema with admin role",
- "description": "",
- "descriptionFormat": "html",
- "time": 1439405954342,
- "version": 2,
- "responses": [],
- "tests": "",
- "currentHelper": "normal",
- "helperAttributes": {},
- "rawModeData": ""
- },
- {
- "id": "4df58109-fd50-dbdf-b982-7e59d3475544",
- "headers": "Authorization: Basic dXNlcjp1c2Vy\n",
- "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
- "preRequestScript": "",
- "pathVariables": {},
- "method": "GET",
- "data": [],
- "dataMode": "params",
- "version": 2,
- "tests": "",
- "currentHelper": "normal",
- "helperAttributes": {},
- "time": 1439406616859,
- "name": "Get configuration authorization schema with user role",
- "description": "",
- "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
- "responses": []
- },
- {
- "id": "7959a1f4-703a-417a-9d4c-70ab56c0e57f",
- "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
- "url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
- "preRequestScript": "",
- "pathVariables": {},
- "method": "PUT",
- "data": [],
- "dataMode": "raw",
- "version": 2,
- "tests": "",
- "currentHelper": "normal",
- "helperAttributes": {},
- "time": 1439405844861,
- "name": "Secure RestConfService for admin role",
- "description": "",
- "collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
- "responses": [],
- "rawModeData": "{\n \"policies\": {\n \"resource\": \"*\",\n \"service\":\"RestConfService\",\n \"role\": \"admin\"\n }\n}"
- }
- ]
-}
\ No newline at end of file
diff --git a/upstream/odl-aaa-moon/aaa/distribution-karaf/pom.xml b/upstream/odl-aaa-moon/aaa/distribution-karaf/pom.xml
deleted file mode 100644
index 7f5c9287..00000000
--- a/upstream/odl-aaa-moon/aaa/distribution-karaf/pom.xml
+++ /dev/null
@@ -1,291 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
-
- <artifactId>distribution-karaf</artifactId>
- <packaging>pom</packaging>
- <prerequisites>
- <maven>3.0</maven>
- </prerequisites>
-
- <dependencies>
- <!-- Basic Karaf dependencies -->
- <dependency>
- <groupId>org.apache.karaf.features</groupId>
- <artifactId>framework</artifactId>
- <version>${karaf.version}</version>
- <type>kar</type>
- </dependency>
- <dependency>
- <groupId>org.apache.karaf.features</groupId>
- <artifactId>standard</artifactId>
- <version>${karaf.version}</version>
- <classifier>features</classifier>
- <type>xml</type>
- <scope>runtime</scope>
- </dependency>
-
- <!-- ODL Branding -->
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>karaf.branding</artifactId>
- <version>${karaf.branding.version}</version>
- <scope>compile</scope>
- </dependency>
-
- <!-- ODL Resources needed for karaf -->
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>opendaylight-karaf-resources</artifactId>
- <version>${karaf.resources.version}</version>
- </dependency>
-
- <!-- Project local feautures -->
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa-api</artifactId>
- <classifier>features</classifier>
- <version>${project.version}</version>
- <type>xml</type>
- <scope>runtime</scope>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa</artifactId>
- <classifier>features</classifier>
- <version>${project.version}</version>
- <type>xml</type>
- <scope>runtime</scope>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa-authz</artifactId>
- <classifier>features</classifier>
- <version>${project.version}</version>
- <type>xml</type>
- <scope>runtime</scope>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa-shiro</artifactId>
- <classifier>features</classifier>
- <version>${project.version}</version>
- <type>xml</type>
- <scope>runtime</scope>
- </dependency>
- </dependencies>
-
- <build>
- <pluginManagement>
- <plugins>
- <plugin>
- <groupId>org.eclipse.m2e</groupId>
- <artifactId>lifecycle-mapping</artifactId>
- <version>1.0.0</version>
- <configuration>
- <lifecycleMappingMetadata>
- <pluginExecutions>
- <pluginExecution>
- <pluginExecutionFilter>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- <versionRange>[0,)</versionRange>
- <goals>
- <goal>cleanVersions</goal>
- </goals>
- </pluginExecutionFilter>
- <action>
- <ignore></ignore>
- </action>
- </pluginExecution>
- <pluginExecution>
- <pluginExecutionFilter>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-dependency-plugin</artifactId>
- <versionRange>[0,)</versionRange>
- <goals>
- <goal>copy</goal>
- <goal>unpack</goal>
- </goals>
- </pluginExecutionFilter>
- <action>
- <ignore></ignore>
- </action>
- </pluginExecution>
- <pluginExecution>
- <pluginExecutionFilter>
- <groupId>org.apache.karaf.tooling</groupId>
- <artifactId>karaf-maven-plugin</artifactId>
- <versionRange>[0,)</versionRange>
- <goals>
- <goal>commands-generate-help</goal>
- </goals>
- </pluginExecutionFilter>
- <action>
- <ignore></ignore>
- </action>
- </pluginExecution>
- <pluginExecution>
- <pluginExecutionFilter>
- <groupId>org.fusesource.scalate</groupId>
- <artifactId>maven-scalate-plugin</artifactId>
- <versionRange>[0,)</versionRange>
- <goals>
- <goal>sitegen</goal>
- </goals>
- </pluginExecutionFilter>
- <action>
- <ignore></ignore>
- </action>
- </pluginExecution>
- <pluginExecution>
- <pluginExecutionFilter>
- <groupId>org.apache.servicemix.tooling</groupId>
- <artifactId>depends-maven-plugin</artifactId>
- <versionRange>[0,)</versionRange>
- <goals>
- <goal>generate-depends-file</goal>
- </goals>
- </pluginExecutionFilter>
- <action>
- <ignore></ignore>
- </action>
- </pluginExecution>
- </pluginExecutions>
- </lifecycleMappingMetadata>
- </configuration>
- </plugin>
- </plugins>
- </pluginManagement>
- <plugins>
- <plugin>
- <groupId>org.apache.karaf.tooling</groupId>
- <artifactId>karaf-maven-plugin</artifactId>
- <extensions>true</extensions>
- <configuration>
- <bootFeatures>
- <feature>standard</feature>
- <!-- Optional TODO: Add entries here for the features
- you want in your local distro Note: odl-restconf is a separate feature from
- odl-mdsal-broker. If you want restconf, you need to list it here explicitely.
- Examples: <feature>odl-toaster</feature> <feature>odl-restconf</feature> -->
- <!-- Final TODO: Remove TODO Comments ;) -->
- </bootFeatures>
- </configuration>
- <executions>
- <execution>
- <id>process-resources</id>
- <goals>
- <goal>install-kars</goal>
- </goals>
- <phase>process-resources</phase>
- </execution>
- <execution>
- <id>package</id>
- <goals>
- <goal>instance-create-archive</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-dependency-plugin</artifactId>
- <version>2.6</version>
- <executions>
- <execution>
- <id>copy</id>
- <goals>
- <goal>copy</goal>
- </goals>
- <phase>generate-resources</phase>
- <configuration>
- <artifactItems>
- <artifactItem>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>karaf.branding</artifactId>
- <version>${karaf.branding.version}</version>
- <outputDirectory>target/assembly/lib</outputDirectory>
- <destFileName>karaf.branding-${karaf.branding.version}.jar</destFileName>
- </artifactItem>
- </artifactItems>
- </configuration>
- </execution>
- <execution>
- <id>unpack-karaf-resources</id>
- <goals>
- <goal>unpack-dependencies</goal>
- </goals>
- <phase>prepare-package</phase>
- <configuration>
- <outputDirectory>${project.build.directory}/assembly</outputDirectory>
- <groupId>org.opendaylight.controller</groupId>
- <includeArtifactIds>opendaylight-karaf-resources</includeArtifactIds>
- <excludes>META-INF\/**</excludes>
- <excludeTransitive>true</excludeTransitive>
- <ignorePermissions>false</ignorePermissions>
- </configuration>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-antrun-plugin</artifactId>
- <executions>
- <execution>
- <phase>prepare-package</phase>
- <goals>
- <goal>run</goal>
- </goals>
- <configuration>
- <tasks>
- <chmod perm="755">
- <fileset
- dir="${project.build.directory}/assembly/bin">
- <include name="karaf" />
- <include name="instance" />
- <include name="start" />
- <include name="stop" />
- <include name="status" />
- <include name="client" />
- <include name="shell" />
- </fileset>
- </chmod>
- </tasks>
- </configuration>
- </execution>
- </executions>
- </plugin>
-
- <!-- DO NOT install or deploy the karaf artifact -->
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-install-plugin</artifactId>
- <configuration>
- <skip>true</skip>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-deploy-plugin</artifactId>
- <configuration>
- <skip>true</skip>
- </configuration>
- </plugin>
- </plugins>
- </build>
-
- <scm>
- <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
- <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
- <tag>HEAD</tag>
- <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
- </scm>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/features/api/pom.xml b/upstream/odl-aaa-moon/aaa/features/api/pom.xml
deleted file mode 100644
index 80545866..00000000
--- a/upstream/odl-aaa-moon/aaa/features/api/pom.xml
+++ /dev/null
@@ -1,91 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.odlparent</groupId>
- <artifactId>features-parent</artifactId>
- <version>1.6.2-Beryllium-SR2</version>
- <relativePath/>
- </parent>
-
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa-api</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>jar</packaging>
-
- <properties>
- <yangtools.version>0.8.2-Beryllium-SR2</yangtools.version>
- <mdsal.version>2.0.2-Beryllium-SR2</mdsal.version>
- </properties>
-
- <dependencyManagement>
- <dependencies>
- <!-- This project -->
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-artifacts</artifactId>
- <version>${project.version}</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
-
- <!-- YANG tools -->
- <dependency>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yangtools-artifacts</artifactId>
- <version>${yangtools.version}</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
- </dependencies>
- </dependencyManagement>
-
- <dependencies>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-credential-store-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>features-yangtools</artifactId>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>features-mdsal</artifactId>
- <version>2.0.2-Beryllium-SR2</version>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- </dependencies>
-
- <scm>
- <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
- <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
- <tag>HEAD</tag>
- <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
- </scm>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/features/api/src/main/features/features.xml b/upstream/odl-aaa-moon/aaa/features/api/src/main/features/features.xml
deleted file mode 100644
index c526e174..00000000
--- a/upstream/odl-aaa-moon/aaa/features/api/src/main/features/features.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- vi: set et smarttab sw=4 tabstop=4: -->
-<!-- Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<features name="odl-aaa-${project.version}" xmlns="http://karaf.apache.org/xmlns/features/v1.2.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.2.0 http://karaf.apache.org/xmlns/features/v1.2.0">
- <repository>mvn:org.opendaylight.yangtools/features-yangtools/{{VERSION}}/xml/features</repository>
- <repository>mvn:org.opendaylight.mdsal/features-mdsal/{{VERSION}}/xml/features</repository>
- <feature name='odl-aaa-api' description='OpenDaylight :: AAA :: APIs'
- version='${project.version}'>
- <bundle>mvn:com.sun.jersey/jersey-server/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-core/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-api/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-credential-store-api/{{VERSION}}</bundle>
- <feature version='${yangtools.version}'>odl-yangtools-common</feature>
- <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
- </feature>
-</features>
diff --git a/upstream/odl-aaa-moon/aaa/features/authn/pom.xml b/upstream/odl-aaa-moon/aaa/features/authn/pom.xml
deleted file mode 100644
index 0df53fbd..00000000
--- a/upstream/odl-aaa-moon/aaa/features/authn/pom.xml
+++ /dev/null
@@ -1,300 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (c) 2014-2015 Hewlett-Packard Development Company, L.P. and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.odlparent</groupId>
- <artifactId>features-parent</artifactId>
- <version>1.6.2-Beryllium-SR2</version>
- <relativePath/>
- </parent>
-
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>jar</packaging>
-
- <properties>
- <config.version>0.4.2-Beryllium-SR2</config.version>
- <mdsal.version>2.0.2-Beryllium-SR2</mdsal.version>
- <controller.mdsal.version>1.3.2-Beryllium-SR2</controller.mdsal.version>
- <yangtools.version>0.8.2-Beryllium-SR2</yangtools.version>
- </properties>
-
- <dependencyManagement>
- <dependencies>
- <!-- This project -->
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>${project.version}</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
- </dependencies>
- </dependencyManagement>
-
- <dependencies>
- <!-- odl-aaa-authn -->
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-servlet</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-core</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- </dependency>
- <!-- jersey client for moon APIs calls -->
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-client</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-json</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-lang3</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.metatype</artifactId>
- </dependency>
- <dependency>
- <groupId>net.sf.ehcache</groupId>
- <artifactId>ehcache</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.geronimo.specs</groupId>
- <artifactId>geronimo-jta_1.1_spec</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.common</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
- </dependency>
- <dependency>
- <groupId>commons-codec</groupId>
- <artifactId>commons-codec</artifactId>
- </dependency>
- <dependency>
- <groupId>org.json</groupId>
- <artifactId>json</artifactId>
- </dependency>
- <dependency>
- <groupId>org.glassfish</groupId>
- <artifactId>javax.json</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-annotations</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-databind</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.datatype</groupId>
- <artifactId>jackson-datatype-json-org</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.jaxrs</groupId>
- <artifactId>jackson-jaxrs-base</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.jaxrs</groupId>
- <artifactId>jackson-jaxrs-json-provider</artifactId>
- </dependency>
- <dependency>
- <groupId>com.fasterxml.jackson.module</groupId>
- <artifactId>jackson-module-jaxb-annotations</artifactId>
- </dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </dependency>
- <dependency>
- <groupId>com.h2database</groupId>
- <artifactId>h2</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa-api</artifactId>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-shiro</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-shiro-act</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-web</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-sts</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-store</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-basic</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-idmlight</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-idmlight</artifactId>
- <type>xml</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-idmlight</artifactId>
- <version>${project.version}</version>
- <type>py</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-federation</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-mdsal-config</artifactId>
- <type>xml</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- <type>cfg</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-store</artifactId>
- <type>cfg</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-federation</artifactId>
- <type>cfg</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-h2-store</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-h2-store</artifactId>
- <type>xml</type>
- <classifier>config</classifier>
- </dependency>
-
-
- <dependency>
- <groupId>org.osgi</groupId>
- <artifactId>org.osgi.enterprise</artifactId>
- <version>4.2.0</version>
- </dependency>
-
- <!-- AuthN MD-SAL Cache dependencies -->
-
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-mdsal-store-impl</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-mdsal-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>features-yangtools</artifactId>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>features-mdsal</artifactId>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>features-config</artifactId>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>sal-common-impl</artifactId>
- </dependency>
-
- <!-- odl-aaa-sssd -->
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-sssd</artifactId>
- </dependency>
-
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-idpmapping</artifactId>
- </dependency>
-
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-keystone</artifactId>
- </dependency>
- </dependencies>
- <scm>
- <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
- <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
- <tag>HEAD</tag>
- <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
- </scm>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/features/authn/src/main/features/features.xml b/upstream/odl-aaa-moon/aaa/features/authn/src/main/features/features.xml
deleted file mode 100644
index 2796e467..00000000
--- a/upstream/odl-aaa-moon/aaa/features/authn/src/main/features/features.xml
+++ /dev/null
@@ -1,249 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- vi: set et smarttab sw=4 tabstop=4: -->
-<!-- Copyright (c) 2014-2015 Hewlett-Packard Development Company, L.P. and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<features name="odl-aaa-${project.version}" xmlns="http://karaf.apache.org/xmlns/features/v1.2.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.2.0 http://karaf.apache.org/xmlns/features/v1.2.0">
- <repository>mvn:org.opendaylight.aaa/features-aaa-api/{{VERSION}}/xml/features</repository>
- <repository>mvn:org.opendaylight.yangtools/features-yangtools/{{VERSION}}/xml/features</repository>
- <repository>mvn:org.opendaylight.controller/features-config/{{VERSION}}/xml/features</repository>
- <repository>mvn:org.opendaylight.mdsal/features-mdsal/{{VERSION}}/xml/features</repository>
- <repository>mvn:org.opendaylight.controller/features-mdsal/{{VERSION}}/xml/features</repository>
-
- <feature name='odl-aaa-authn-no-cluster' description='OpenDaylight :: AAA :: Authentication - NO CLUSTER'
- version='${project.version}'>
- <feature version='${project.version}'>odl-aaa-api</feature>
-
- <!-- MD-SAL -->
- <feature version='${yangtools.version}'>odl-yangtools-common</feature>
- <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
- <feature version='${controller.mdsal.version}'>odl-mdsal-broker</feature>
- <feature version='${config.version}'>odl-config-core</feature>
-
- <!-- REST -->
- <feature>war</feature>
- <bundle>mvn:com.sun.jersey/jersey-servlet/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-core/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-server/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-client/${jersey.version}</bundle>
-
- <!-- OSGi -->
- <bundle>mvn:org.apache.felix/org.apache.felix.dependencymanager/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.felix/org.apache.felix.metatype/{{VERSION}}</bundle>
-
- <!-- EhCache -->
- <bundle>mvn:net.sf.ehcache/ehcache/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.geronimo.specs/geronimo-jta_1.1_spec/{{VERSION}}</bundle>
-
- <!-- OAuth -->
- <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.common/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.authzserver/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.resourceserver/{{VERSION}}</bundle>
- <bundle>mvn:commons-codec/commons-codec/{{VERSION}}</bundle>
- <bundle>wrap:mvn:org.json/json/{{VERSION}}</bundle>
-
- <!-- commons-lang -->
- <bundle>wrap:mvn:org.apache.commons/commons-lang3/{{VERSION}}</bundle>
-
- <!-- AuthN -->
- <bundle>mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-shiro-act/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.shiro/shiro-core/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.shiro/shiro-web/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-sts/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-store/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-basic/{{VERSION}}</bundle>
- <bundle>mvn:com.google.guava/guava/{{VERSION}}</bundle>
-
- <!--H2 Store -->
- <bundle>mvn:org.osgi/org.osgi.enterprise/4.2.0</bundle>
- <bundle>wrap:mvn:com.h2database/h2/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-h2-store/{{VERSION}}</bundle>
- <configfile finalname="etc/opendaylight/karaf/08-aaa-h2-store-config.xml">mvn:org.opendaylight.aaa/aaa-h2-store/{{VERSION}}/xml/config</configfile>
-
- <!-- IDMLight -->
- <bundle>mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}</bundle>
- <configfile finalname="etc/opendaylight/karaf/08-aaa-idmlight-config.xml">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/xml/config</configfile>
- <configfile finalname="etc/idmtool">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/py/config</configfile>
-
- <bundle>mvn:com.fasterxml.jackson.core/jackson-core/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.core/jackson-annotations/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.core/jackson-databind/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.datatype/jackson-datatype-json-org/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/{{VERSION}}</bundle>
-
- <!-- Federation -->
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-idpmapping/{{VERSION}}</bundle>
- <bundle>mvn:org.glassfish/javax.json/{{VERSION}}</bundle>
-
- <configfile finalname="/etc/org.opendaylight.aaa.authn.cfg">mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}/cfg/config</configfile>
- <configfile finalname="/etc/org.opendaylight.aaa.tokens.cfg">mvn:org.opendaylight.aaa/aaa-authn-store/{{VERSION}}/cfg/config</configfile>
- <configfile finalname="/etc/org.opendaylight.aaa.federation.cfg">mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}/cfg/config</configfile>
- </feature>
-
- <feature name='odl-aaa-authn' description='OpenDaylight :: AAA :: Authentication - NO CLUSTER'
- version='${project.version}'>
- <feature version='${project.version}'>odl-aaa-api</feature>
-
- <!-- MD-SAL -->
- <feature version='${yangtools.version}'>odl-yangtools-common</feature>
- <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
- <feature version='${controller.mdsal.version}'>odl-mdsal-broker</feature>
- <feature version='${config.version}'>odl-config-core</feature>
-
- <!-- REST -->
- <feature>war</feature>
- <bundle>mvn:com.sun.jersey/jersey-servlet/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-core/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-server/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-client/${jersey.version}</bundle>
-
- <!-- OSGi -->
- <bundle>mvn:org.apache.felix/org.apache.felix.dependencymanager/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.felix/org.apache.felix.metatype/{{VERSION}}</bundle>
-
- <!-- EhCache -->
- <bundle>mvn:net.sf.ehcache/ehcache/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.geronimo.specs/geronimo-jta_1.1_spec/{{VERSION}}</bundle>
-
- <!-- OAuth -->
- <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.common/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.authzserver/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.resourceserver/{{VERSION}}</bundle>
- <bundle>mvn:commons-codec/commons-codec/{{VERSION}}</bundle>
- <bundle>wrap:mvn:org.json/json/{{VERSION}}</bundle>
-
- <!-- commons-lang -->
- <bundle>wrap:mvn:org.apache.commons/commons-lang3/{{VERSION}}</bundle>
-
- <!-- AuthN -->
- <bundle>mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-shiro-act/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.shiro/shiro-core/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.shiro/shiro-web/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-sts/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-store/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-basic/{{VERSION}}</bundle>
- <bundle>mvn:com.google.guava/guava/{{VERSION}}</bundle>
-
- <!--H2 Store -->
- <bundle>mvn:org.osgi/org.osgi.enterprise/4.2.0</bundle>
- <bundle>wrap:mvn:com.h2database/h2/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-h2-store/{{VERSION}}</bundle>
- <configfile finalname="etc/opendaylight/karaf/08-aaa-h2-store-config.xml">mvn:org.opendaylight.aaa/aaa-h2-store/{{VERSION}}/xml/config</configfile>
-
- <!-- IDMLight -->
- <bundle>mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}</bundle>
- <configfile finalname="etc/opendaylight/karaf/08-aaa-idmlight-config.xml">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/xml/config</configfile>
- <configfile finalname="etc/idmtool">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/py/config</configfile>
-
- <bundle>mvn:com.fasterxml.jackson.core/jackson-core/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.core/jackson-annotations/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.core/jackson-databind/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.datatype/jackson-datatype-json-org/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/{{VERSION}}</bundle>
-
- <!-- Federation -->
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-idpmapping/{{VERSION}}</bundle>
- <bundle>mvn:org.glassfish/javax.json/{{VERSION}}</bundle>
-
- <configfile finalname="/etc/org.opendaylight.aaa.authn.cfg">mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}/cfg/config</configfile>
- <configfile finalname="/etc/org.opendaylight.aaa.tokens.cfg">mvn:org.opendaylight.aaa/aaa-authn-store/{{VERSION}}/cfg/config</configfile>
- <configfile finalname="/etc/org.opendaylight.aaa.federation.cfg">mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}/cfg/config</configfile>
- </feature>
-
- <feature name='odl-aaa-authn-mdsal-cluster' description='OpenDaylight :: AAA :: Authentication :: MD-SAL'
- version='${project.version}'>
-
- <!-- MD-SAL -->
- <feature version='${yangtools.version}'>odl-yangtools-common</feature>
- <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
- <feature version='${controller.mdsal.version}'>odl-mdsal-broker</feature>
- <feature version='${config.version}'>odl-config-core</feature>
-
-
- <!-- OSGi -->
- <bundle>mvn:org.apache.felix/org.apache.felix.dependencymanager/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.felix/org.apache.felix.metatype/{{VERSION}}</bundle>
-
- <!-- OAuth -->
- <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.common/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.authzserver/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.resourceserver/{{VERSION}}</bundle>
- <bundle>mvn:commons-codec/commons-codec/1.8</bundle>
- <bundle>wrap:mvn:org.json/json/{{VERSION}}</bundle>
-
- <!-- AuthN -->
- <bundle>mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-shiro-act/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.shiro/shiro-core/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.shiro/shiro-web/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-api/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-sts/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-mdsal-api/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-mdsal-store-impl/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-basic/{{VERSION}}</bundle>
- <bundle>mvn:com.google.guava/guava/{{VERSION}}</bundle>
-
- <!-- IDMLight -->
- <bundle>mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}</bundle>
- <configfile finalname="etc/opendaylight/karaf/08-aaa-idmlight-config.xml">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/xml/config</configfile>
- <bundle>mvn:com.fasterxml.jackson.core/jackson-core/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.core/jackson-annotations/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.core/jackson-databind/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.datatype/jackson-datatype-json-org/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider/{{VERSION}}</bundle>
- <bundle>mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/{{VERSION}}</bundle>
- <bundle>wrap:mvn:com.h2database/h2/{{VERSION}}</bundle>
-
- <!-- Federation -->
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-idpmapping/{{VERSION}}</bundle>
- <bundle>mvn:org.glassfish/javax.json/1.0.4</bundle>
-
- <!-- REST -->
- <feature>war</feature>
- <bundle>mvn:com.sun.jersey/jersey-servlet/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-core/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-server/{{VERSION}}</bundle>
- <bundle>mvn:com.sun.jersey/jersey-client/${jersey.version}</bundle>
-
- <configfile finalname="etc/opendaylight/karaf/08-authn-config.xml">mvn:org.opendaylight.aaa/aaa-authn-mdsal-config/{{VERSION}}/xml/config</configfile>
- <configfile finalname="/etc/org.opendaylight.aaa.authn.cfg">mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}/cfg/config</configfile>
- <configfile finalname="/etc/org.opendaylight.aaa.federation.cfg">mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}/cfg/config</configfile>
-
- </feature>
-
- <feature name='odl-aaa-keystone-plugin' description='OpenDaylight :: AAA :: Keystone Plugin - NO CLUSTER'
- version='${project.version}'>
- <feature version='${project.version}'>odl-aaa-authn</feature>
- <bundle>mvn:org.apache.httpcomponents/httpclient-osgi/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.httpcomponents/httpcore-osgi/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-keystone/{{VERSION}}</bundle>
- </feature>
-
- <feature name='odl-aaa-sssd-plugin' description='OpenDaylight :: AAA :: SSSD Federation Plugin'
- version='${project.version}'>
- <feature version='${project.version}'>odl-aaa-authn</feature>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-sssd/{{VERSION}}</bundle>
- </feature>
-
- <feature name='odl-aaa-authn-sssd-no-cluster' description='OpenDaylight :: AAA :: SSSD Federation - NO CLUSTER'
- version='${project.version}'>
- <feature version='${project.version}'>odl-aaa-authn-no-cluster</feature>
- <bundle>mvn:org.opendaylight.aaa/aaa-authn-sssd/{{VERSION}}</bundle>
- </feature>
-</features>
diff --git a/upstream/odl-aaa-moon/aaa/features/authz/pom.xml b/upstream/odl-aaa-moon/aaa/features/authz/pom.xml
deleted file mode 100644
index 2ff41307..00000000
--- a/upstream/odl-aaa-moon/aaa/features/authz/pom.xml
+++ /dev/null
@@ -1,101 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.odlparent</groupId>
- <artifactId>features-parent</artifactId>
- <version>1.6.2-Beryllium-SR2</version>
- <relativePath/>
- </parent>
-
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa-authz</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>jar</packaging>
-
- <properties>
- <config.version>0.4.2-Beryllium-SR2</config.version>
- <mdsal.version>2.0.2-Beryllium-SR2</mdsal.version>
- <controller.mdsal.version>1.3.2-Beryllium-SR2</controller.mdsal.version>
- <yangtools.version>0.8.2-Beryllium-SR2</yangtools.version>
- </properties>
-
- <dependencyManagement>
- <dependencies>
- <!-- This project -->
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>${project.version}</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
- </dependencies>
- </dependencyManagement>
-
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa-api</artifactId>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <!-- odl-aaa-authz -->
- <dependency>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>features-yangtools</artifactId>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>features-mdsal</artifactId>
- <classifier>features</classifier>
- <version>${mdsal.version}</version>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>features-config</artifactId>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>features-mdsal</artifactId>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>authz-restconf-config</artifactId>
- <type>xml</type>
- <classifier>config</classifier>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authz-model</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authz-service</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>authz-service-config</artifactId>
- <type>xml</type>
- <classifier>config</classifier>
- </dependency>
- </dependencies>
- <scm>
- <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
- <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
- <tag>HEAD</tag>
- <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
- </scm>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/features/authz/src/main/features/features.xml b/upstream/odl-aaa-moon/aaa/features/authz/src/main/features/features.xml
deleted file mode 100644
index c5239045..00000000
--- a/upstream/odl-aaa-moon/aaa/features/authz/src/main/features/features.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- vi: set et smarttab sw=4 tabstop=4: -->
-<!-- Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<features name="odl-aaa-${project.version}" xmlns="http://karaf.apache.org/xmlns/features/v1.2.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.2.0 http://karaf.apache.org/xmlns/features/v1.2.0">
- <repository>mvn:org.opendaylight.yangtools/features-yangtools/{{VERSION}}/xml/features</repository>
- <repository>mvn:org.opendaylight.controller/features-config/{{VERSION}}/xml/features</repository>
- <repository>mvn:org.opendaylight.mdsal/features-mdsal/{{VERSION}}/xml/features</repository>
- <repository>mvn:org.opendaylight.controller/features-mdsal/{{VERSION}}/xml/features</repository>
- <repository>mvn:org.opendaylight.aaa/features-aaa-api/{{VERSION}}/xml/features</repository>
-
- <feature name='odl-aaa-authz' description='OpenDaylight :: AAA :: Authorization'
- version='${project.version}'>
- <feature version='${project.version}'>odl-aaa-api</feature>
- <feature version='${yangtools.version}'>odl-yangtools-common</feature>
- <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
- <feature version='${controller.mdsal.version}'>odl-mdsal-broker</feature>
- <feature version='${config.version}'>odl-config-core</feature>
- <bundle>mvn:org.opendaylight.aaa/aaa-authz-model/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-authz-service/{{VERSION}}</bundle>
- <configfile
- finalname="/etc/opendaylight/karaf/08-authz-config.xml">mvn:org.opendaylight.aaa/authz-service-config/{{VERSION}}/xml/config</configfile>
- <configfile
- finalname="/etc/opendaylight/karaf/09-rest-connector.xml">mvn:org.opendaylight.aaa/authz-restconf-config/{{VERSION}}/xml/config</configfile>
- </feature>
-
-</features>
diff --git a/upstream/odl-aaa-moon/aaa/features/pom.xml b/upstream/odl-aaa-moon/aaa/features/pom.xml
deleted file mode 100644
index 548a240b..00000000
--- a/upstream/odl-aaa-moon/aaa/features/pom.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>../parent</relativePath>
- </parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aggregator</artifactId>
- <packaging>pom</packaging>
- <modules>
- <module>shiro</module>
- <module>api</module>
- <module>authn</module>
- <module>authz</module>
- </modules>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/features/shiro/pom.xml b/upstream/odl-aaa-moon/aaa/features/shiro/pom.xml
deleted file mode 100644
index 04114355..00000000
--- a/upstream/odl-aaa-moon/aaa/features/shiro/pom.xml
+++ /dev/null
@@ -1,179 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (c) 2015 Brocade Communications Systems and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.odlparent</groupId>
- <artifactId>features-parent</artifactId>
- <version>1.6.2-Beryllium-SR2</version>
- <relativePath/>
- </parent>
-
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa-shiro</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>jar</packaging>
-
- <properties>
- <javax.annotation.api.version>1.2</javax.annotation.api.version>
- <servicemix.version>1.8.3_2</servicemix.version>
- </properties>
- <dependencyManagement>
- <dependencies>
- <!-- This project -->
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>${project.version}</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
- </dependencies>
- </dependencyManagement>
-
- <dependencies>
- <dependency>
- <groupId>com.google.code.findbugs</groupId>
- <artifactId>jsr305</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>features-aaa</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <classifier>features</classifier>
- <type>xml</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-shiro-act</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-shiro</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <type>cfg</type>
- <classifier>configuration</classifier>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-shiro</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-sts</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-servlet</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-core</artifactId>
- </dependency>
- <dependency>
- <groupId>com.sun.jersey</groupId>
- <artifactId>jersey-server</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>javax.servlet-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.metatype</artifactId>
- </dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-shiro</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-authn-sts</artifactId>
- </dependency>
- <dependency>
- <groupId>javax.annotation</groupId>
- <artifactId>javax.annotation-api</artifactId>
- <version>${javax.annotation.api.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.dependencymanager</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.metatype</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-web</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.servicemix.bundles</groupId>
- <artifactId>org.apache.servicemix.bundles.commons-beanutils</artifactId>
- <version>${servicemix.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.common</artifactId>
- </dependency>
- <dependency>
- <groupId>javax.ws.rs</groupId>
- <artifactId>javax.ws.rs-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.json</groupId>
- <artifactId>json</artifactId>
- </dependency>
- <dependency>
- <groupId>commons-codec</groupId>
- <artifactId>commons-codec</artifactId>
- </dependency>
- </dependencies>
-
- <scm>
- <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
- <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
- <tag>HEAD</tag>
- <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
- </scm>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/features/shiro/src/main/features/features.xml b/upstream/odl-aaa-moon/aaa/features/shiro/src/main/features/features.xml
deleted file mode 100644
index c6073a2a..00000000
--- a/upstream/odl-aaa-moon/aaa/features/shiro/src/main/features/features.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (c) 2015 Brocade Communications Systems and others.
- All rights reserved. This program and the accompanying materials are made
- available under the terms of the Eclipse Public License v1.0 which accompanies
- this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
-<features name="odl-aaa-${project.version}" xmlns="http://karaf.apache.org/xmlns/features/v1.2.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.2.0 http://karaf.apache.org/xmlns/features/v1.2.0">
-
- <repository>mvn:org.opendaylight.aaa/features-aaa/{{VERSION}}/xml/features</repository>
-
- <!-- odl-aaa-shiro feature which combines all aspects of AAA into one feature -->
- <feature name='odl-aaa-shiro' description='OpenDaylight :: AAA :: Shiro'
- version='${project.version}'>
-
- <!-- OSGI -->
- <bundle>mvn:org.apache.felix/org.apache.felix.dependencymanager/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.felix/org.apache.felix.metatype/{{VERSION}}</bundle>
-
- <!-- Existing AAA infrastructure -->
- <feature version='${project.version}'>odl-aaa-authn</feature>
-
- <bundle>mvn:org.apache.shiro/shiro-web/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.shiro/shiro-core/{{VERSION}}</bundle>
-
- <bundle>mvn:com.google.guava/guava/{{VERSION}}</bundle>
- <bundle>wrap:mvn:javax.annotation/javax.annotation-api/{{VERSION}}</bundle>
- <bundle>wrap:mvn:com.google.code.findbugs/jsr305/{{VERSION}}</bundle>
- <bundle>wrap:mvn:commons-codec/commons-codec/{{VERSION}}</bundle>
- <bundle>wrap:mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.resourceserver/{{VERSION}}</bundle>
- <bundle>wrap:mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.authzserver/{{VERSION}}</bundle>
- <bundle>wrap:mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.common/{{VERSION}}</bundle>
- <bundle>wrap:mvn:org.json/json/{{VERSION}}</bundle>
- <bundle>mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-beanutils/{{VERSION}}</bundle>
- <bundle>mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}</bundle>
-
- <!-- AAA configuration file -->
- <configfile finalname="/etc/shiro.ini">mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}/cfg/configuration</configfile>
- </feature>
-
-</features>
diff --git a/upstream/odl-aaa-moon/aaa/parent/pom.xml b/upstream/odl-aaa-moon/aaa/parent/pom.xml
deleted file mode 100644
index 42bf03b0..00000000
--- a/upstream/odl-aaa-moon/aaa/parent/pom.xml
+++ /dev/null
@@ -1,278 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.odlparent</groupId>
- <artifactId>odlparent</artifactId>
- <version>1.6.2-Beryllium-SR2</version>
- <relativePath/>
- </parent>
-
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>pom</packaging>
- <prerequisites>
- <maven>3.0.4</maven>
- </prerequisites>
-
- <properties>
- <!-- Karaf -->
- <karaf.branding.version>1.2.2-Beryllium-SR2</karaf.branding.version>
- <karaf.resources.version>1.6.2-Beryllium-SR2</karaf.resources.version>
-
- <!-- OSGi -->
- <osgi.metatype.version>1.0.10</osgi.metatype.version>
-
- <!-- Local project version, needed for import -->
- <aaa.version>${project.version}</aaa.version>
- <parent-path>${basedir}</parent-path>
-
- <!-- AuthZ -->
- <yangtools.version>0.8.2-Beryllium-SR2</yangtools.version>
- <jmxGeneratorPath>src/main/yang-gen-config</jmxGeneratorPath>
- <salGeneratorPath>src/main/yang-gen-sal</salGeneratorPath>
- <mdsal.version>2.0.2-Beryllium-SR2</mdsal.version>
- <mdsal.model.version>0.8.2-Beryllium-SR2</mdsal.model.version>
- <controller.mdsal.version>1.3.2-Beryllium-SR2</controller.mdsal.version>
- <restconf.version>1.3.2-Beryllium-SR2</restconf.version>
- <config.version>0.4.2-Beryllium-SR2</config.version>
- <config.authz.service.configfile>08-authz-config.xml</config.authz.service.configfile>
- <config.restconf.configfile>09-rest-connector.xml</config.restconf.configfile>
- <config.configfile.directory>etc/opendaylight/karaf</config.configfile.directory>
-
- <!-- AuthN -->
- <glassfish.json.version>1.0.4</glassfish.json.version>
- <ehcache.version>2.8.3</ehcache.version>
- <jta.version>1.1.1</jta.version>
- <oltu.version>1.0.0</oltu.version>
-
- <config.authn.store.configfile>08-authn-config.xml</config.authn.store.configfile>
-
- <!-- IdmLight -->
- <h2.version>1.4.185</h2.version>
-
- <!-- Keystone plugin -->
- <httpclient.version>4.4</httpclient.version>
-
- <!-- Test -->
- <javax.inject.version>1</javax.inject.version>
- <servlet.tester.version>7.0.0.M2</servlet.tester.version>
- <features.test.version>1.6.2-Beryllium-SR2</features.test.version>
- </properties>
-
- <dependencyManagement>
- <dependencies>
- <!-- ODL -->
- <dependency>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-artifacts</artifactId>
- <version>${aaa.version}</version>
- <type>pom</type>
- <scope>import</scope>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>yangtools-artifacts</artifactId>
- <version>${yangtools.version}</version>
- <type>pom</type>
- <scope>import</scope>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal</groupId>
- <artifactId>mdsal-artifacts</artifactId>
- <version>${mdsal.version}</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.mdsal.model</groupId>
- <artifactId>mdsal-model-artifacts</artifactId>
- <version>${mdsal.model.version}</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>mdsal-artifacts</artifactId>
- <version>${controller.mdsal.version}</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
- <dependency>
- <groupId>org.opendaylight.controller</groupId>
- <artifactId>config-artifacts</artifactId>
- <version>${config.version}</version>
- <type>pom</type>
- <scope>import</scope>
- </dependency>
-
- <!-- Third-party -->
- <dependency>
- <groupId>org.glassfish</groupId>
- <artifactId>javax.json</artifactId>
- <version>${glassfish.json.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.metatype</artifactId>
- <version>${osgi.metatype.version}</version>
- </dependency>
- <dependency>
- <groupId>net.sf.ehcache</groupId>
- <artifactId>ehcache</artifactId>
- <version>${ehcache.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.geronimo.specs</groupId>
- <artifactId>geronimo-jta_1.1_spec</artifactId>
- <version>${jta.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.common</artifactId>
- <version>${oltu.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
- <version>${oltu.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.oltu.oauth2</groupId>
- <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
- <version>${oltu.version}</version>
- </dependency>
- <dependency>
- <groupId>com.h2database</groupId>
- <artifactId>h2</artifactId>
- <version>${h2.version}</version>
- </dependency>
-
- <!-- Test stuff -->
- <dependency>
- <groupId>org.opendaylight.odlparent</groupId>
- <artifactId>features-test</artifactId>
- <version>${features.test.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>javax.inject</groupId>
- <artifactId>javax.inject</artifactId>
- <version>${javax.inject.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-servlet-tester</artifactId>
- <version>${servlet.tester.version}</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
- </dependencyManagement>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.jacoco</groupId>
- <artifactId>jacoco-maven-plugin</artifactId>
- <configuration>
- <includes>
- <include>org.opendaylight.aaa.*</include>
- </includes>
- </configuration>
- <executions>
- <execution>
- <id>pre-test</id>
- <goals>
- <goal>prepare-agent</goal>
- </goals>
- </execution>
- <execution>
- <id>post-test</id>
- <goals>
- <goal>report</goal>
- </goals>
- <phase>test</phase>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-checkstyle-plugin</artifactId>
- <configuration>
- <!-- checkstyle is evil -->
- <skip>false</skip>
- <failOnViolation>true</failOnViolation>
- <configLocation>checkstyle-logging.xml</configLocation>
- <consoleOutput>true</consoleOutput>
- <includeTestSourceDirectory>true</includeTestSourceDirectory>
- <sourceDirectory>${project.basedir}</sourceDirectory>
- <includes>**\/*.java,**\/*.xml,**\/*.ini,**\/*.sh,**\/*.bat,**\/*.yang</includes>
- <excludes>**\/target\/,**\/bin\/,**\/target-ide\/,**\/src/main/yang-gen-config\/,**\/src/main/yang-gen-sal\/</excludes>
- </configuration>
- <executions>
- <execution>
- <goals>
- <goal>check</goal>
- </goals>
- <phase>process-sources</phase>
- </execution>
- </executions>
- <dependencies>
- <dependency>
- <groupId>org.opendaylight.yangtools</groupId>
- <artifactId>checkstyle-logging</artifactId>
- <version>${yangtools.version}</version>
- </dependency>
- </dependencies>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>build-helper-maven-plugin</artifactId>
- <executions>
- <execution>
- <phase>generate-sources</phase>
- <goals>
- <goal>add-source</goal>
- </goals>
- <configuration>
- <sources>
- <source>${jmxGeneratorPath}</source>
- <source>${salGeneratorPath}</source>
- </sources>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
- <url>https://wiki.opendaylight.org/view/AAA:Main</url>
- <scm>
- <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
- <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
- <tag>HEAD</tag>
- </scm>
-
- <reporting>
- <plugins>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>findbugs-maven-plugin</artifactId>
- <version>${findbugs.maven.plugin.version}</version>
- <configuration>
- <effort>Max</effort>
- <threshold>Low</threshold>
- <goal>site</goal>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>jdepend-maven-plugin</artifactId>
- <version>${jdepend.maven.plugin.version}</version>
- </plugin>
- </plugins>
- </reporting>
-</project>
diff --git a/upstream/odl-aaa-moon/aaa/pom.xml b/upstream/odl-aaa-moon/aaa/pom.xml
deleted file mode 100644
index bafd03a2..00000000
--- a/upstream/odl-aaa-moon/aaa/pom.xml
+++ /dev/null
@@ -1,50 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa-parent</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <relativePath>parent</relativePath>
- </parent>
-
- <groupId>org.opendaylight.aaa</groupId>
- <artifactId>aaa.project</artifactId>
- <version>0.3.2-Beryllium-SR2</version>
- <packaging>pom</packaging>
- <name>aaa</name> <!-- Used by Sonar to set project name -->
- <prerequisites>
- <maven>3.0</maven>
- </prerequisites>
-
- <modules>
- <module>aaa-authn-api</module>
- <module>aaa-authn</module>
- <module>aaa-idp-mapping</module>
- <module>aaa-authn-sts</module>
- <module>aaa-authn-store</module>
- <module>aaa-authn-federation</module>
- <module>aaa-authn-sssd</module>
- <module>aaa-authn-keystone</module>
- <module>aaa-authn-basic</module>
- <module>aaa-idmlight</module>
- <module>aaa-authn-mdsal-store</module>
- <module>aaa-authz</module>
- <module>aaa-credential-store-api</module>
- <module>artifacts</module>
- <module>features</module>
- <module>distribution-karaf</module>
- <module>parent</module>
- <module>aaa-shiro</module>
- <module>aaa-shiro-act</module>
- <module>aaa-h2-store</module>
- </modules>
-
- <scm>
- <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
- <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
- <tag>HEAD</tag>
- <url>https://wiki.opendaylight.org/view/AAA:Main</url>
- </scm>
-
-</project>