#
# Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
#
# This program and the accompanying materials are made available under the
# terms of the Eclipse Public License v1.0 which accompanies this distribution,
# and is available at http://www.eclipse.org/legal/epl-v10.html
#

###############################################################################
# shiro.ini                                                                   #
#                                                                             #
# Configuration of OpenDaylight's aaa-shiro feature.  Provided Realm          #
# implementations include:                                                    #
# - TokenAuthRealm (enabled by default)                                       #
# - ODLJndiLdapRealm (disabled by default)                                    #
# - ODLJndiLdapRealmAuthNOnly (disabled by default)                           #
# Basic user configuration through shiro.ini is disabled for security         #
# purposes.                                                                   #
###############################################################################



[main]
###############################################################################
# realms                                                                      #
#                                                                             #
# This section is dedicated to setting up realms for OpenDaylight.  Realms    #
# are essentially different methods for providing AAA.  ODL strives to provide#
# highly-configurable AAA by providing pluggable infrastructure.  By deafult, #
# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
# mechanisms).  More than one realm can be enabled, and the realms are        #
# tried Round-Robin until:                                                    #
# 1) a realm successfully authenticates the incoming request                  #
# 2) all realms are exhausted, and 401 is returned                            #
###############################################################################

# ODL provides a few LDAP implementations, which are disabled out of the box.
# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
# extracted through and LDAP search.  This requires a bit of knowledge about
# how your LDAP system is setup.  An example is provided below:
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
#ldapRealm.contextFactory.url = ldap://<URL>:389
#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
#ldapRealm.ldapAttributeForComparison = objectClass

# ODL also provides ODLJndiLdapRealmAuthNOnly.  Essentially, this allows
# access through AAAFilter to any user that can authenticate against the
# provided LDAP server.
#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
#ldapRealm.contextFactory.url = ldap://<URL>:389

# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
# This realm is enabled by default, and utilizes h2-store by default.
#tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
# Defining moon realm
moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm

# The CSV list of enabled realms.  In order to enable a realm, add it to the
# list below:
#securityManager.realms = $tokenAuthRealm
# Configure the Shiro Security Manager to use Moon Realm
securityManager.realms = $moonAuthRealm

# adds a custom AuthenticationFilter to support OAuth2 for backwards
# compatibility.  To disable OAuth2 access, just comment out the next line
# and authcBasic will default to BasicHttpAuthenticationFilter, a
# Shiro-provided class.
authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
# OAuth2 Filer for moon token AuthN
rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter

# add in AuthenticationListener, a Listener that records whether
# authentication attempts are successful or unsuccessful.  This audit
# information is disabled by default, to avoid log flooding.  To enable,
# issue the following in karaf:
# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
securityManager.authenticator.authenticationListeners = $accountingListener



[urls]
###############################################################################
# url authorization section                                                   #
#                                                                             #
# This section is dedicated to defining url-based authorization according to: #
# http://shiro.apache.org/web.html                                            #
###############################################################################

# Restrict AAA endpoints to users w/ admin role
/v1/users/** = authcBasic
/v1/domains/** = authcBasic
/v1/roles/** = authcBasic

#Filter OAuth2 request$
/token = rest

# General access through AAAFilter requires valid credentials (AuthN only).
/** = authcBasic

# Access to the credential store is limited to the valid users who have the
# admin role. The following line is only needed if the mdsal store is enabled
#(the mdsal store is disabled by default).
/config/aaa-authn-model** = authcBasic,roles[admin]