Nathan Harmon [Fri, 27 Feb 2015 05:25:22 +0000 (21:25 -0800)]
yang model for storing security credentials
Change-Id: I8045ca9b752bd777e7048837382d646503982455
Signed-off-by: Steve Dean <sdean@hp.com>
Signed-off-by: Nathan Harmon <nathan.harmon@hp.com>
Sherry Krell [Fri, 6 Mar 2015 21:41:24 +0000 (13:41 -0800)]
Refactor ClaimBuilder, update unit tests.
- fix builder to only create object within build()
- make built object immutable
- add validation
Change-Id: Icbd39ab06d9de444dfebaf110cc42fac2065bbf9
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
Wojciech Dec [Wed, 18 Mar 2015 11:48:20 +0000 (11:48 +0000)]
Merge "Refactor AuthenticationBuilder, update unit tests. - fix builder to only create object within build() - make built object immutable - use composition instead of inheritance for Claim - add validation"
Wojciech Dec [Wed, 18 Mar 2015 11:37:44 +0000 (11:37 +0000)]
Merge "Initial AAA Karaf features for cluster capable MD-SAL based token cache"
Sherry Krell [Tue, 3 Mar 2015 23:35:30 +0000 (15:35 -0800)]
Refactor AuthenticationBuilder, update unit tests.
- fix builder to only create object within build()
- make built object immutable
- use composition instead of inheritance for Claim
- add validation
Change-Id: I324210f0743ce113d8bcafd5861d74414c5dfa0d
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
Tony Tkacik [Tue, 17 Mar 2015 15:11:39 +0000 (16:11 +0100)]
Bug 868: Migrated AuthZ to use Forwarding Sessions.
Change-Id: I65ca5c694694ce52853c2ec7ce69fd73eb0062e2
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
Tony Tkacik [Tue, 17 Mar 2015 08:28:08 +0000 (09:28 +0100)]
Removed override of checkstyle version.
Change-Id: Iaa9a92d9cab025ffa68fb2f1323d72feaffcca50
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
Wojciech Dec [Wed, 25 Feb 2015 10:51:22 +0000 (11:51 +0100)]
Initial AAA Karaf features for cluster capable MD-SAL based token cache
Change-Id: Iae808ffcc966ce77018612338930fad9a10f1f85
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Tue, 29 Jul 2014 17:31:20 +0000 (19:31 +0200)]
Removing Authz RPC timeout in response
Change-Id: I04d7965cdf3d839b429423195d35b262fd9c1b0e
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Tue, 10 Mar 2015 10:47:52 +0000 (10:47 +0000)]
Merge "Workaround for sqlite wrapping issue in Karaf 3.0.3."
Wojciech Dec [Mon, 2 Mar 2015 13:23:02 +0000 (13:23 +0000)]
Merge "Remove <repositories> and <pluginRepositories> sections"
Thanh Ha [Thu, 12 Feb 2015 15:51:18 +0000 (10:51 -0500)]
Remove <repositories> and <pluginRepositories> sections
It is recommended that developers and servers configure this locally via
settings.xml.
https://lists.opendaylight.org/pipermail/discuss/2015-January/004482.html
Change-Id: I58b9a6991ebd60b3bfdfcccb2e37a13e711134a3
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Sherry Krell [Wed, 25 Feb 2015 23:08:59 +0000 (15:08 -0800)]
Refactor and add unit tests for AuthenticationManager and fix bug that was found in updated method.
Change-Id: I56243d90c502852005031d0238e8e06ddbbe244e
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
Nathan Harmon [Sat, 21 Feb 2015 00:54:25 +0000 (16:54 -0800)]
Workaround for sqlite wrapping issue in Karaf 3.0.3.
Embed sqlite in idmlight using an older version of bnd (2.1.0). See https://lists.opendaylight.org/pipermail/discuss/2015-February/004653.html
Change-Id: I1965156f13cc37ef2714af114eebdfe56f688d52
Signed-off-by: Nathan Harmon <nathan.harmon@hp.com>
Thanh Ha [Sun, 14 Dec 2014 20:30:55 +0000 (15:30 -0500)]
Fix checkstyle if-statements must use braces in aaa-idmlight
- Fix missing braces
- Fix indentation level
Change-Id: I5e81fb561b550a2085ceddf6403273dcb503c5ca
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:25:06 +0000 (15:25 -0500)]
Fix checkstyle if-statements must use braces in aaa-authn
- Fix if-statements must use braces
- Add missing License headers
Change-Id: I5c9279d1702ec8c3ce0d1b5ea82aef5c7325e620
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:23:11 +0000 (15:23 -0500)]
Fix checkstyle if-else-for-statements must use braces in aaa-authn-sts
Change-Id: I3c9ad139c47d0e4a07f29ce8b7dea681184c0b60
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:21:05 +0000 (15:21 -0500)]
Fix checkstyle if-statements must use braces in aaa-authn-keystone
Change-Id: I84c3f8f0342148f71f5968d55d76a80084046a77
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:20:27 +0000 (15:20 -0500)]
Fix checkstyle for-statements must use braces in aaa-authn-federation
Change-Id: I0a9fa5ebd078eb429d910a5d139153f13bf31937
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:18:35 +0000 (15:18 -0500)]
Fix checkstyle if-statements must use braces in aaa-authn-store
- Fix checkstyle if-statement braces
- Fix missing License header
Change-Id: Iac67a50e459b363fd3b83f56011028d82b828c62
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Fri, 9 Jan 2015 21:56:31 +0000 (16:56 -0500)]
Set root pom.xml <name> for Sonar
As mentioned on the mailing list Sonar uses the <name> field of the
pom.xml that is passed to the mvn command as the name of the project in
Sonar. In most cases this is the root pom.xml file in a project. This
patch sets the name to the project shortname.
https://lists.opendaylight.org/pipermail/discuss/2014-November/004024.html
Change-Id: Ic8eabf78c37d6e449a837d34600ed3b86e7947a8
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Wojciech Dec [Mon, 15 Dec 2014 15:52:31 +0000 (15:52 +0000)]
Merge "Change ENUMS used in config yangs for Strings"
Liem Nguyen [Fri, 5 Dec 2014 20:48:58 +0000 (12:48 -0800)]
Removed the pax-exam it tests in favor of Robot tests.
Change-Id: I33e0974795d92a4083129b37cb407d7847614c5f
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Fri, 5 Dec 2014 19:31:55 +0000 (11:31 -0800)]
Removed all* features as well as fixing circular dependencies with restconf.
Change-Id: I4de1af27c275d3877f1c5f3cc10fb188bfa28c2c
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Maros Marsalek [Thu, 27 Nov 2014 13:43:17 +0000 (14:43 +0100)]
Change ENUMS used in config yangs for Strings
ENUMs are not properly serialized in config/netconf and it causes failure when reading/writing data using RESTCONF + Loopback connection
Change-Id: I8f9da4d009cdd3a432dd031ecc3a7cb551454d3d
Signed-off-by: Maros Marsalek <mmarsale@cisco.com>
Liem Nguyen [Fri, 14 Nov 2014 20:25:22 +0000 (20:25 +0000)]
Merge "Documentation for SSSD Federated IdP authentication"
Abhishek Kumar [Fri, 14 Nov 2014 01:13:21 +0000 (17:13 -0800)]
Adds a validate token API
Adds another API to validate token
The api can be invoked as
curl -s -d "some-previously generated-token" http://<controller-ip>:<port>/oauth2/validate
Returns:
HTTP 200 - if the token is valid
HTTP 401 - If the token is not valid
Change-Id: Ie39d154fb77e873d6b0b8d13feca7917f527cbb8
Signed-off-by: Abhishek Kumar <abhishk2@cisco.com>
Mayank Agarwal [Wed, 5 Nov 2014 02:28:30 +0000 (18:28 -0800)]
Enabling CORS in the idmlight app so that apps
from different domains can call the APIs.
Signed-off-by: Mayank Agarwal <mayagarw@cisco.com>
Change-Id: I6d960b867eb2dd2f48e6e0ce0b7cee3ff40ce731
Wojciech Dec [Wed, 5 Nov 2014 16:51:35 +0000 (16:51 +0000)]
Merge "Bug 2292 : CORS access control fix"
Liem Nguyen [Tue, 4 Nov 2014 18:54:35 +0000 (10:54 -0800)]
Updated pom.xml to use odlparent and add authz back into odl-aaa-all.
Also, segmented features into 3 main buckets:
1) APIs
2) Core features (AuthN and AuthZ)
3) Plugins
Change-Id: I7858b8f6302f34d22cbc548570a4bc15e93df9ec
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Harman Singh [Sat, 1 Nov 2014 00:56:34 +0000 (17:56 -0700)]
Bug 2292 : CORS access control fix
When a browser sends a cross-origin request, it first sends the OPTIONS method
with a list of access control request headers, which has a list of custom headers and access control methods
such as GET, POST etc. Your custom header "Authorization" will not be present in the request header; instead it
will be present as a value inside Access-Control-Request-Headers.
We should not do any authorization against such request.
Change-Id: I290f409a4685ed10685249b8514621ecb2159176
Signed-off-by: Harman Singh <harmasin@cisco.com>
John Dennis [Wed, 29 Oct 2014 13:58:54 +0000 (09:58 -0400)]
Add REMOTE_USER_GROUPS to ClaimAuthFilter
The REMOTE_USER_GROUPS IdP attribute was mistakenly omitted from
the metadata collected in ClaimAuthFilter, this corrects that.
Bug #2272
Change-Id: Ibe7f9afb7b94341beb24ea5474c419b592261ce6
Signed-off-by: John Dennis <jdennis@redhat.com>
John Dennis [Fri, 5 Sep 2014 15:42:21 +0000 (11:42 -0400)]
Documentation for SSSD Federated IdP authentication
Change-Id: I8fd47de74486c1de37d12be3c7f259b5038b66b3
Signed-off-by: John Dennis <jdennis@redhat.com>
Colin Dixon [Wed, 8 Oct 2014 21:54:52 +0000 (16:54 -0500)]
Adding back the dependency on restconf in the authz feature
This is the second half of the post-Helium master version bump. It puts
the dependency from the authz feature onto the restconf feature back in.
Change-Id: Ibe1da210147490acfcfaebf8d93dcd99c998587e
Signed-off-by: Colin Dixon <colin@colindixon.com>
Colin Dixon [Wed, 8 Oct 2014 20:20:49 +0000 (15:20 -0500)]
Incrementing versions by 0.1.0 for post-Helium master branch
Also temporarily removing the dependency from the authz feature onto the
restconf feature to solve the cyclic dependency issue. This will be fixed
in a second patch.
Change-Id: I9342717185094335bd5aab34e6ad8574126a2b61
Signed-off-by: Colin Dixon <colin@colindixon.com>
Liem Nguyen [Sun, 28 Sep 2014 17:25:27 +0000 (10:25 -0700)]
Added a sequence diagram for SSSD Authentication
Change-Id: I7acc23701a8340c1ab9f0992309e326528346312
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Wed, 24 Sep 2014 00:10:35 +0000 (00:10 +0000)]
Merge "Bug 1948: Separate out restconf features"
Ed Warnicke [Tue, 23 Sep 2014 02:10:54 +0000 (21:10 -0500)]
Bug 1948: Separate out restconf features
In order to avoid a maven project cycle in solving
Bug 1948, we need to separate restconf features.
Note, this is a first step, suffixing everything
with -new. Subsequently, after everywhere using
odl-restconf has been fixed to use this new repo,
we will deprecate the ones in the mdsal features.xml
and rename these to not have the -new.
This patch just adds the dependency to features/pom.xml
Change-Id: Iedb9dd592e057913b0e083db9488113250dba0b5
Signed-off-by: Ed Warnicke <eaw@cisco.com>
Liem Nguyen [Tue, 23 Sep 2014 20:16:24 +0000 (13:16 -0700)]
Bug 2057
Return 503 (Service Unavailable) status code if AAA service is not started yet and the Auth filter is invoked.
Change-Id: Id152994d9b2e4e10c30e398872ecc1538beee470
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Mon, 22 Sep 2014 23:08:37 +0000 (23:08 +0000)]
Merge "BUG2011 Fix"
Peter Mellquist [Mon, 22 Sep 2014 22:22:44 +0000 (22:22 +0000)]
BUG2011 Fix
Signed-off-by: Peter Mellquist <peter.mellquist@hp.com>
Change-Id: I715e7b2569f15353c24857d9f0ee73314a37f2f1
John Dennis [Fri, 19 Sep 2014 13:21:20 +0000 (09:21 -0400)]
Populate HttpRequestServlet API data from HTTP extension headers.
When SSSD is used for authentication and identity lookup those
actions occur in an Apache HTTP server which is fronting the
servlet container. After successful authentication Apache will
proxy the request to the container along with additional
authentication and identity metadata.
The preferred way to transport the metadata and have it appear
seamlessly in the servlet API is via the AJP protocol. However AJP
may not be available or desirable. An alternative method is to
transport the metadata in extension HTTP headers. However we still
want the standard servlet request API methods to work. Another way
to say this is we do not want upper layers to be aware of the
transport mechanism. To achieve this we wrap the HttpServletRequest
class and override specific methods which need to extract the data
from the extension HTTP headers. (This is roughly equivalent to
what happens when AJP is implemented natively in the container).
The extension HTTP headers are identified by the prefix
"X-SSSD-". The overridden methods check for the existence of the
appropriate extension header and if present returns the value found
in the extension header, otherwise it returns the value from the
method it's wrapping.
Bug: 1977
Change-Id: Id3020a4efe903c4c461df918574746dcc797ec37
Signed-off-by: John Dennis <jdennis@redhat.com>
Liem Nguyen [Mon, 22 Sep 2014 22:09:15 +0000 (15:09 -0700)]
Fixed broken (temperamental) unit test failure
Change-Id: I839b6716eac9cf0477c3c9cb2ae783219a6438db
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Ed Warnicke [Sun, 21 Sep 2014 19:50:53 +0000 (14:50 -0500)]
Bug 2010: missing aaa-authn-federation dependency
Change-Id: Iec8c15e738cf29dc9d975b4c4f60d190c45c4d3d
Signed-off-by: Ed Warnicke <eaw@cisco.com>
Liem Nguyen [Sun, 21 Sep 2014 19:11:20 +0000 (12:11 -0700)]
Bug 2009
Added WWW-Authenticate header with realm set to "opendaylight"
Change-Id: I51bce8b4da6ddbd249890ac4e317139372a3dacb
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Sat, 20 Sep 2014 00:35:25 +0000 (17:35 -0700)]
Bug 1964
Several fixes were made in this commit:
1) Separate the federation endpoint into its own webapp (aaa-authn-federation), so it can bind to a separate authorized proxy port.
2) Move initialization code in SssdClaimAuth from the constructor to the init() method to make sure it is initialized via OSGi lifecycle (fixed OSGi loading issue of SssdClaimAuth)
3) Clean up superfluous log.info() messages from IdmLight
4) Fix ClaimAuthFilter to emit 401 error right away if we are federating on a non-authorized proxy port.
5) Add basic integration tests (-Paaa-it) for IdMLight and federation.
6) Configure:
a) IdmLight APIs (/auth/*) to listen on "adminConn" Jetty connector.
b) Federation API (/oauth2/federation/) to listen on "federationConn" Jetty connector.
Note: Currently, the aforementioned Jetty connectors are NOT configured on the ODL controller, so that means those APIs in 6) are not available by default.
To activate them, the sample jetty.xml under aaa-it/src/test/resources should be copied over to the controller's assembly/etc/jetty.xml. The sample jetty.xml
enables the adminConn on port 8282, localhost only, and the federationConn on port 8383. So, for example, a POST to the federation endpoint would be:
curl -i -XPOST http://localhost:8383/oauth2/federation/
Change-Id: I1bc939536806d864e462b5cd0f69d1bb1777058d
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Fri, 19 Sep 2014 16:12:04 +0000 (16:12 +0000)]
Merge "Add secureProxyPorts configuration option."
Wojciech Dec [Fri, 19 Sep 2014 09:57:07 +0000 (11:57 +0200)]
Fix to authz config yang model
Change-Id: Icb06219d85ed164b842a43d9100b9b9c6c7653ec
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Thu, 18 Sep 2014 11:44:31 +0000 (13:44 +0200)]
Fix for checking if authz config has DomBroker + path of test hive
Change-Id: Ic522b972ece1b82e8bc963f2793d63dea3b00099
Signed-off-by: Wojciech Dec <wdec@cisco.com>
John Dennis [Thu, 18 Sep 2014 21:32:40 +0000 (17:32 -0400)]
Add secureProxyPorts configuration option.
The ClaimAuthFilter trusts any authentication metadata bound to a
request. A request with fake authentication claims could be forged by
an attacker and submitted to one of the Connector ports the engine is
listening on and it would blindly accept the forged information in
ClaimAuthFilter. Therefore it is vital we only accept authentication
claims from a trusted proxy.
It is incumbent upon the site administrator to dedicate specific
connector ports on which previously authenticated requests from a
trusted proxy will be sent to and to assure only a trusted proxy can
connect to that port. The site administrator must enumerate those
ports in the configuration. The ClaimAuthFilter will ignore any
request which did not originate on one of the configured secure proxy
ports.
The secureProxyPorts configuration is a member of
FederationConfiguration.
Bug: 1964
Change-Id: Ieb1f9d464f631e5009939404d978d905e51c06a0
Signed-off-by: John Dennis <jdennis@redhat.com>
Liem Nguyen [Thu, 18 Sep 2014 00:01:32 +0000 (00:01 +0000)]
Merge "Added sonar plugin"
Wojciech Dec [Wed, 17 Sep 2014 18:52:52 +0000 (20:52 +0200)]
Fix to Authz feature dependency + some clean-up
Change-Id: I6a7298e809e7d2d3f3eefca3975012b3166db4d5
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Lakshman Mukkamalla [Tue, 16 Sep 2014 20:46:29 +0000 (13:46 -0700)]
Bug 1912 - Missing config variable in pom
Signed-off-by: Lakshman Kumar Mukkamalla <lmukkama@cisco.com>
Change-Id: Iebc5860c3689529b5dd5a8ca8633f520942bb110
Liem Nguyen [Mon, 15 Sep 2014 23:10:49 +0000 (16:10 -0700)]
Added sonar plugin
Change-Id: If160229aa7fa67ed97dbb07cf44c94e4fd377120
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Mon, 15 Sep 2014 17:46:40 +0000 (10:46 -0700)]
Bug 1874
Fixed hard-coded repository URLs.
Change-Id: I0f90440ae923fa3d96a4ef90c3cd0096dd32accb
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Mon, 15 Sep 2014 17:19:53 +0000 (17:19 +0000)]
Merge "Added integration test for basic auth with toaster example."
Liem Nguyen [Mon, 15 Sep 2014 17:12:58 +0000 (10:12 -0700)]
Added integration test for basic auth with toaster example.
Change-Id: I95e9f4eef2ecdcebf13f4933573145a353f75a16
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Peter Mellquist [Sun, 14 Sep 2014 17:35:05 +0000 (17:35 +0000)]
BUG 1855
Error handling fixes and refactor
Change-Id: Iead5da76cdc8ed68e81d565e250aad5274ae8d6c
Signed-off-by: Peter Mellquist <peter.mellquist@hp.com>
Peter Mellquist [Fri, 12 Sep 2014 00:13:31 +0000 (00:13 +0000)]
Bug 1835
Bug 1749
IDM DM initialization fix
Change-Id: Iad8f9338b613d44e450ab2b6679152fd5f7738ee
Signed-off-by: Peter Mellquist <peter.mellquist@hp.com>
Liem Nguyen [Wed, 10 Sep 2014 17:44:08 +0000 (17:44 +0000)]
Merge "Added integration tests back (and cleaned up poms). Integration tests can be triggered by: mvn clean install -Paaa-it"
Liem Nguyen [Fri, 5 Sep 2014 05:37:29 +0000 (22:37 -0700)]
Added integration tests back (and cleaned up poms). Integration tests can be triggered by:
mvn clean install -Paaa-it
Change-Id: Ibb3c8a7a7bbce159530effaf653d02c690324b23
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Mathieu Lemay [Tue, 9 Sep 2014 00:53:32 +0000 (20:53 -0400)]
Added .gitreview file
Created a basic .gitreview file for AAA project so that we can use git
review instead of normal git operations with gerrit.
Change-Id: Ia7a60839f33c9220a5991f3479c79e00fdfc86e1
Signed-off-by: Mathieu Lemay <mlemay@inocybe.com>
John Dennis [Fri, 5 Sep 2014 18:45:56 +0000 (14:45 -0400)]
Decode i18n values from UTF-8 in ClaimAuthFilter.
Some of the attributes we extract in ClaimAuthFilter are
internationalized strings (i18n). We expect these will be encoded in
UTF-8 therefore we must decode them from UTF-8. There are extensive
comments in the code explaining the issues.
Change-Id: I7b4a437432c0e6d3b6c24f552a8886f54aabb1b5
Signed-off-by: John Dennis <jdennis@redhat.com>
John Dennis [Fri, 5 Sep 2014 14:24:43 +0000 (10:24 -0400)]
Remove the wholesale collection of HTTP headers since in general
they cannot be trusted, but retain the selected capture of specific
HTTP headers configured by an admin.
These changes were supposed to have been part of commit 0c20dce but
due to a mistake they were inadvertently omitted. This finishes the
intent of commit 0c20dce.
Change-Id: I6e9f451ece62e021ed06432d7135242eb9e03844
Signed-off-by: John Dennis <jdennis@redhat.com>
Wojciech Dec [Fri, 5 Sep 2014 09:03:37 +0000 (11:03 +0200)]
Fixed formatting in README
Change-Id: Iaa3723bed99dc973f110578c9103ced12c900e78
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Lakshman Mukkamalla [Thu, 4 Sep 2014 20:57:30 +0000 (13:57 -0700)]
Adding policy checks read transactions as a POC for the Authz service
Signed-off-by: Lakshman Kumar Mukkamalla <lmukkama@cisco.com>
Change-Id: Iee622780b6876ac6f16553811bfcd934851aa515
Liem Nguyen [Thu, 4 Sep 2014 21:22:42 +0000 (14:22 -0700)]
Way too many authz dependencies
Change-Id: I913fd197e736c2dbe2c14185b327394e9682db79
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Thu, 4 Sep 2014 21:15:29 +0000 (21:15 +0000)]
Merge "Fix broken feature dependencies."
Ed Warnicke [Thu, 4 Sep 2014 21:06:36 +0000 (16:06 -0500)]
Fix broken feature dependencies.
Change-Id: I8fe77e5f0718e64ee03464e213dbd7f49755db9d
Signed-off-by: Ed Warnicke <eaw@cisco.com>
Liem Nguyen [Thu, 4 Sep 2014 20:59:25 +0000 (20:59 +0000)]
Merge "Remove some captured values, add comment, add logging"
Liem Nguyen [Thu, 4 Sep 2014 20:43:12 +0000 (13:43 -0700)]
Fixed missing authz_service in integration
Change-Id: Iecb305fed5a0efe24553e06e21155040478cc398
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
John Dennis [Tue, 2 Sep 2014 20:48:57 +0000 (16:48 -0400)]
Remove some captured values, add comment, add logging
CGI_CONTENT_TYPE and CGI_CONTENT_LENGTH are not relevant to an
authentication claim, so remove them.
Reorder the CGI variable name declarations so they are sorted. Makes
it easier to cross check their usage when things are in the same
order.
Remove the wholesale collection of HTTP headers since in general
they cannot be trusted, but retain the selected capture of specific
HTTP headers configured by an admin.
Add comment explaining why getAttributeNames() has problems and how we
adopt.
Add logger and then log the claims map.
Change-Id: I19a274601eceb5e2f24a3c055e9c73d4bb52e9b9
Signed-off-by: John Dennis <jdennis@redhat.com>
Wojciech Dec [Thu, 4 Sep 2014 19:34:07 +0000 (19:34 +0000)]
Merge " Working AuthZ Broker (DOM Data only) + config files AuthZ service still needs to be fully invoked as noted in TODO"
Wojciech Dec [Fri, 29 Aug 2014 18:32:33 +0000 (20:32 +0200)]
Working AuthZ Broker (DOM Data only) + config files
AuthZ service still needs to be fully invoked as noted in TODO
Change-Id: I084926f9c8518e865527be4dafdcd0c3effc5340
Signed-off-by: Wojciech Dec <wdec@cisco.com>
John Dennis [Thu, 4 Sep 2014 15:50:16 +0000 (11:50 -0400)]
Add support for calling the IdP RuleProcessor from SssdClaimAuth.
Initialize the RuleProcessor in SssdClaimAuth and then invoke it
from SssdClaimAuth.transform.
Add all necessary dependencies to the pom.xml files and features.xml file.
Change-Id: Iea5d8eb15a65e4a1d5b808b748f0cf1e208d6c30
Signed-off-by: John Dennis <jdennis@redhat.com>
Liem Nguyen [Tue, 2 Sep 2014 23:29:17 +0000 (16:29 -0700)]
Fix broken integration test
Change-Id: Ib256a230d1628b5126488df6896cb453a5ebe83f
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Ed Warnicke [Wed, 27 Aug 2014 08:26:02 +0000 (10:26 +0200)]
BUG-1617 AuthProvider implementation for ODL netconf backed by CredentialAuth
Added new Karaf feature for aaa-authn-odl-plugin.
Change-Id: I41fcf61c17da9d40a9f090a5a5d334125d36aab5
Signed-off-by: Maros Marsalek <mmarsale@cisco.com>
Signed-off-by: Ed Warnicke <eaw@cisco.com>
Liem Nguyen [Fri, 29 Aug 2014 21:38:59 +0000 (21:38 +0000)]
Merge "Moved configs to their respective bundles and added config for ClaimAuth"
Liem Nguyen [Fri, 29 Aug 2014 21:31:12 +0000 (14:31 -0700)]
Moved configs to their respective bundles and added config for ClaimAuth
Change-Id: Ibf7077c7f3dc3868b3c4bf4e431611f789e53b2a
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
John Dennis [Fri, 22 Aug 2014 15:55:50 +0000 (11:55 -0400)]
Map IdP assertions to local; initial code version
A federated Identity Provider (IdP) provides assertions (i.e. claims)
regarding the subject (i.e. principal) after a successful
authentication. Because a federated IdP is by definition external to
ODL the assertions must be mapped from the IdP into local values.
The mapping is performed by evaluating a series of rules expressed in
JSON notation.
This package implements a RuleProcessor class which accepts a set of
rules and an assertion. It emits the transformed assertions as JSON
object. JSON is the exchange format for the rules, assertion, and
result. As such the package includes the IdpJson class which
transforms between JSON and the Java data structures used by the
RuleProcessor.
There is complete documentation for using the RuleProcessor which will
be added in a later commit.
Change-Id: I707c2b7dd5be381ef25f2fcdfb1c73481a63c9e5
Signed-off-by: John Dennis <jdennis@redhat.com>
Liem Nguyen [Fri, 29 Aug 2014 01:21:14 +0000 (18:21 -0700)]
Added libraries used by idmlight into feature pom.xml
Change-Id: I1486e2f158d6470b96f4897ae810c7480ee6d34e
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Thu, 28 Aug 2014 23:18:27 +0000 (23:18 +0000)]
Merge "initial commit of idmlight"
Peter Mellquist [Thu, 28 Aug 2014 19:30:27 +0000 (19:30 +0000)]
initial commit of idmlight
Change-Id: I67dbd7e9dfa2510b3d600447bcf2e69628e7ad07
Signed-off-by: Peter Mellquist <peter.mellquist@hp.com>
Liem Nguyen [Thu, 28 Aug 2014 15:15:28 +0000 (08:15 -0700)]
Doh, forgot authz in feature.xml
Change-Id: I2d29806f6e3f00bc641bfbcc52139a92c291f012
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Wed, 27 Aug 2014 20:52:26 +0000 (13:52 -0700)]
Karaf integration
Change-Id: I267cbb1a99c3e196f5dc069f9a23ce97b8b00d21
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Tue, 26 Aug 2014 23:51:48 +0000 (16:51 -0700)]
Changed default password to admin
Change-Id: I6c9bf8196b6df73931d2531758c30b238ea2d3cc
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Tue, 26 Aug 2014 19:41:21 +0000 (12:41 -0700)]
Added HTTP basic auth support for backward compatibility
Change-Id: I7702df21f49fe796d17cfc35b76e484ee85d379a
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Mon, 25 Aug 2014 17:02:00 +0000 (10:02 -0700)]
Added configuration to turn on/off authentication
Change-Id: Ia0e0f3b236a90be98bddc70186eddaab42798544
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Sun, 24 Aug 2014 17:27:46 +0000 (10:27 -0700)]
Testing push to Nexus
Change-Id: I5afa68e4f0b1b3a1a3af60bd4d573bbf8fc000e8
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Sat, 23 Aug 2014 00:42:52 +0000 (17:42 -0700)]
Added pax-exam integration test for AuthN
Change-Id: I05e77bcc24dc2de9d784d31155a0ec5d77a7ecd1
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Fri, 22 Aug 2014 17:48:35 +0000 (17:48 +0000)]
Merge "Fixed broken karaf features for AAA"
Liem Nguyen [Fri, 22 Aug 2014 17:44:15 +0000 (10:44 -0700)]
Fixed broken karaf features for AAA
Change-Id: I151cf291d662dbf141b7d745fd6fcf94314fafcf
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Wed, 20 Aug 2014 23:38:07 +0000 (16:38 -0700)]
Allows usage of ehcache.xml in etc/
Change-Id: I8734b0ad1afb8fab727874b5db1fb657c1e63a71
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Wed, 20 Aug 2014 17:52:25 +0000 (10:52 -0700)]
Renamed tenant to domain
Change-Id: Ifdad2cd30543e1392f1780fc7157f96c2188106f
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Mon, 11 Aug 2014 20:29:32 +0000 (13:29 -0700)]
Removed kar packaging for now
Change-Id: I958e5e2b392d0e1487112dd66d7ca2db1b259257
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Sun, 3 Aug 2014 13:27:24 +0000 (06:27 -0700)]
Added Karaf feature and configuration
Change-Id: I23ef2e996c4e42f676bbb5a84bfdee289373e869
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Wojciech Dec [Tue, 29 Jul 2014 18:16:17 +0000 (18:16 +0000)]
Merge "Finalizing model + removal of double key on list"
Wojciech Dec [Mon, 28 Jul 2014 19:11:16 +0000 (21:11 +0200)]
Finalizing model + removal of double key on list
Change-Id: I4daf0160c0bbb813206153fbd0c43939c2bb18cc
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Mon, 28 Jul 2014 19:08:42 +0000 (19:08 +0000)]
Merge "Modified RPC API + removed basic AuthZ double key"
Wojciech Dec [Mon, 28 Jul 2014 19:06:19 +0000 (21:06 +0200)]
Modified RPC API + removed basic AuthZ double key
Change-Id: I418cf313f329d1c5507d9c5ceba3164c209fa919
Signed-off-by: Wojciech Dec <wdec@cisco.com>