aaa.git
9 years ago Merge "Remove redundant restconf connector config file"
Wojciech Dec [Thu, 23 Apr 2015 15:24:32 +0000 (15:24 +0000)]
Merge "Remove redundant restconf connector config file"

9 years ago Merge "Implementation of MD-SAL Token Cache"
Wojciech Dec [Thu, 23 Apr 2015 09:19:11 +0000 (09:19 +0000)]
Merge "Implementation of MD-SAL Token Cache"

9 years ago Implementation of MD-SAL Token Cache 18/18418/12
Wojciech Dec [Thu, 16 Apr 2015 12:44:29 +0000 (14:44 +0200)]
Implementation of MD-SAL Token Cache

Change-Id: I7d966b52edc1e6d62860285630ee3e215917b26c
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Remove redundant restconf connector config file 14/18814/1
Wojciech Dec [Wed, 22 Apr 2015 11:26:26 +0000 (13:26 +0200)]
Remove redundant restconf connector config file

Change-Id: I7be4f31ddcd11eb95fa26c52350ac15a5d3f62ad
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Adding unit tests to idmlite 96/18496/6
Kailash Khalasi [Thu, 16 Apr 2015 22:01:12 +0000 (15:01 -0700)]
Adding unit tests to idmlite

Change-Id: I5ebd86085cf3e1ac88843c656f10480203879da4
Signed-off-by: Kailash Khalasi <kailash.khalasi@hp.com>
9 years ago Revert db path 26/18526/2
Wojciech Dec [Fri, 17 Apr 2015 10:39:45 +0000 (12:39 +0200)]
Revert db path

Change-Id: I694122d8616a650d2c78776c3eb3613cff4f6e8f
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Replacement from SQLite to H2 as JDBC provider 77/18277/5
EduardoPerez [Tue, 14 Apr 2015 05:22:20 +0000 (22:22 -0700)]
Replacement from SQLite to H2 as JDBC provider
Updated to fix issues with H2 persistence replacement code.

Change-Id: I2c589e8f48576bdf02ac923c7f8d838d4185fb89
Signed-off-by: EduardoPerez <eduardo.perez2@hp.com>
9 years ago Add <relativePath/> to ensure Maven pulls artifact from Nexus 57/17457/1
Thanh Ha [Tue, 31 Mar 2015 15:03:16 +0000 (11:03 -0400)]
Add <relativePath/> to ensure Maven pulls artifact from Nexus

Needed by autorelease to be able to find and replace this value
prebuild.

Change-Id: Ida4e11bd27a7e72f278dd90e6152ba240299859c
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
9 years ago Use dependencyManagement imports 73/17373/1
Robert Varga [Mon, 30 Mar 2015 17:40:50 +0000 (19:40 +0200)]
Use dependencyManagement imports

Upstream projects provide their declarations in artifacts artifact --
import it to get coherent version management.

Change-Id: I0d1b1cc400167f9e63a1ad730e3405c5d0cf2823
Signed-off-by: Robert Varga <rovarga@cisco.com>
9 years ago Fix JDK8 javadoc compatibility 02/17302/1
Robert Varga [Sun, 29 Mar 2015 11:03:55 +0000 (13:03 +0200)]
Fix JDK8 javadoc compatibility

JDK8 is more picky about javadocs. Fix them up so the project can be
built using JDK8.

Change-Id: I423570f532338f6253dc31b16a8ca73324c38970
Signed-off-by: Robert Varga <rovarga@cisco.com>
9 years ago Make sure insertion order is retained 01/17301/1
Robert Varga [Sun, 29 Mar 2015 10:50:58 +0000 (12:50 +0200)]
Make sure insertion order is retained

Tests require toString() to be stable, which in turn requires we do not
use HashMaps, as their iteration order is undefined.

Change-Id: Iba53a84acb53a249e64acc604d831c7f4bd57f69
Signed-off-by: Robert Varga <rovarga@cisco.com>
9 years ago Merge "delete hello example"
Wojciech Dec [Mon, 23 Mar 2015 10:03:16 +0000 (10:03 +0000)]
Merge "delete hello example"

9 years ago Merge "Adding Yang based token-cache-api"
Wojciech Dec [Mon, 23 Mar 2015 09:59:22 +0000 (09:59 +0000)]
Merge "Adding Yang based token-cache-api"

9 years ago Merge "Do not instantiate Booleans, Strings and Longs"
Wojciech Dec [Mon, 23 Mar 2015 09:58:00 +0000 (09:58 +0000)]
Merge "Do not instantiate Booleans, Strings and Longs"

9 years ago Do not instantiate Booleans, Strings and Longs 69/16969/2
Robert Varga [Sun, 22 Mar 2015 22:54:33 +0000 (23:54 +0100)]
Do not instantiate Booleans, Strings and Longs

The two possible values are available as constants, so use them
directly, lowering the amount of garbage we generate.

For an empty String, we can just use a literal. For Longs, instead of
explicit construction, we can use valueOf(), which can end up using the
same instance. Also, we can use autoboxing to let JVM promote a value as
appropriate.

Change-Id: Icf9405d691a08c20dde78a5fe05bd4fab5947741
Signed-off-by: Robert Varga <rovarga@cisco.com>
9 years ago Added Karaf feature for the keystone plugin. 02/16302/7
John Borz [Sat, 21 Mar 2015 03:36:36 +0000 (20:36 -0700)]
Added Karaf feature for the keystone plugin.

Change-Id: I7660b6d50ad8dbe3f47b242494fbbd209bba4995
Signed-off-by: John Borz <john.borz@hp.com>
9 years ago Fixed typo in credential model. 18/16918/1
Tony Tkacik [Fri, 20 Mar 2015 13:55:05 +0000 (14:55 +0100)]
Fixed typo in credential model.

Change-Id: If9b83393e81d7eacf0f364f6155cb9dc64dadcae
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
9 years ago Fixed AuthZ DataBroker not implementing getExtensions 10/16910/1
Tony Tkacik [Fri, 20 Mar 2015 09:17:24 +0000 (10:17 +0100)]
Fixed AuthZ DataBroker not implementing getExtensions

Change-Id: I9d0cb13043576060c1aa0acf2788e19c493dee97
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
9 years ago Adding Yang based token-cache-api 45/16845/1
Wojciech Dec [Thu, 19 Mar 2015 17:13:30 +0000 (18:13 +0100)]
Adding Yang based token-cache-api

Change-Id: I141d5a2b970a2913309f159a4db9224dc8958153
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Re-enable running of SingleFeaturesTest. Fix failing tests. 43/15743/4
Sherry Krell [Wed, 25 Feb 2015 18:12:12 +0000 (10:12 -0800)]
Re-enable running of SingleFeaturesTest. Fix failing tests.

- switch to using odlparent:features-test instead of yangtools:features-test.
- fix failing features tests

Change-Id: Icb61adef1e06feda40f7c934ee87ba7b4fe7e53e
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
9 years ago Added feature dependencies to features/api 70/16770/1
Tony Tkacik [Wed, 18 Mar 2015 14:07:56 +0000 (15:07 +0100)]
Added feature dependencies to features/api

Change-Id: Ib0ac42d2fb0d46d45c81f868a7ae500c9d65ae68
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
9 years ago yang model for storing security credentials 07/15807/4
Nathan Harmon [Fri, 27 Feb 2015 05:25:22 +0000 (21:25 -0800)]
yang model for storing security credentials

Change-Id: I8045ca9b752bd777e7048837382d646503982455
Signed-off-by: Steve Dean <sdean@hp.com>
Signed-off-by: Nathan Harmon <nathan.harmon@hp.com>
9 years ago Refactor ClaimBuilder, update unit tests. 54/16154/3
Sherry Krell [Fri, 6 Mar 2015 21:41:24 +0000 (13:41 -0800)]
Refactor ClaimBuilder, update unit tests.

- fix builder to only create object within build()
- make built object immutable
- add validation

Change-Id: Icbd39ab06d9de444dfebaf110cc42fac2065bbf9
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
9 years ago Merge "Refactor AuthenticationBuilder, update unit tests. - fix builder to only creat...
Wojciech Dec [Wed, 18 Mar 2015 11:48:20 +0000 (11:48 +0000)]
Merge "Refactor AuthenticationBuilder, update unit tests. - fix builder to only create object within build() - make built object immutable - use composition instead of inheritance for Claim - add validation"

9 years ago Merge "Initial AAA Karaf features for cluster capable MD-SAL based token cache"
Wojciech Dec [Wed, 18 Mar 2015 11:37:44 +0000 (11:37 +0000)]
Merge "Initial AAA Karaf features for cluster capable MD-SAL based token cache"

9 years ago Refactor AuthenticationBuilder, update unit tests. 93/15993/3
Sherry Krell [Tue, 3 Mar 2015 23:35:30 +0000 (15:35 -0800)]
Refactor AuthenticationBuilder, update unit tests.
- fix builder to only create object within build()
- make built object immutable
- use composition instead of inheritance for Claim
- add validation

Change-Id: I324210f0743ce113d8bcafd5861d74414c5dfa0d
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
9 years ago Bug 868: Migrated AuthZ to use Forwarding Sessions. 06/16706/1
Tony Tkacik [Tue, 17 Mar 2015 15:11:39 +0000 (16:11 +0100)]
Bug 868: Migrated AuthZ to use Forwarding Sessions.

Change-Id: I65ca5c694694ce52853c2ec7ce69fd73eb0062e2
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
9 years ago Removed override of checkstyle version. 78/16678/1
Tony Tkacik [Tue, 17 Mar 2015 08:28:08 +0000 (09:28 +0100)]
Removed override of checkstyle version.

Change-Id: Iaa9a92d9cab025ffa68fb2f1323d72feaffcca50
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
9 years ago Initial AAA Karaf features for cluster capable MD-SAL based token cache 13/15713/2
Wojciech Dec [Wed, 25 Feb 2015 10:51:22 +0000 (11:51 +0100)]
Initial AAA Karaf features for cluster capable MD-SAL based token cache

Change-Id: Iae808ffcc966ce77018612338930fad9a10f1f85
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Removing Authz RPC timeout in response 50/9450/2
Wojciech Dec [Tue, 29 Jul 2014 17:31:20 +0000 (19:31 +0200)]
Removing Authz RPC timeout in response

Change-Id: I04d7965cdf3d839b429423195d35b262fd9c1b0e
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Merge "Workaround for sqlite wrapping issue in Karaf 3.0.3."
Wojciech Dec [Tue, 10 Mar 2015 10:47:52 +0000 (10:47 +0000)]
Merge "Workaround for sqlite wrapping issue in Karaf 3.0.3."

9 years ago Merge "Remove <repositories> and <pluginRepositories> sections"
Wojciech Dec [Mon, 2 Mar 2015 13:23:02 +0000 (13:23 +0000)]
Merge "Remove <repositories> and <pluginRepositories> sections"

9 years ago Remove <repositories> and <pluginRepositories> sections 05/15205/2
Thanh Ha [Thu, 12 Feb 2015 15:51:18 +0000 (10:51 -0500)]
Remove <repositories> and <pluginRepositories> sections

It is recommended that developers and servers configure this locally via
settings.xml.

https://lists.opendaylight.org/pipermail/discuss/2015-January/004482.html

Change-Id: I58b9a6991ebd60b3bfdfcccb2e37a13e711134a3
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
9 years ago Refactor and add unit tests for AuthenticationManager and fix bug that was found... 56/15756/2
Sherry Krell [Wed, 25 Feb 2015 23:08:59 +0000 (15:08 -0800)]
Refactor and add unit tests for AuthenticationManager and fix bug that was found in updated method.

Change-Id: I56243d90c502852005031d0238e8e06ddbbe244e
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
9 years ago Workaround for sqlite wrapping issue in Karaf 3.0.3. 73/15573/1
Nathan Harmon [Sat, 21 Feb 2015 00:54:25 +0000 (16:54 -0800)]
Workaround for sqlite wrapping issue in Karaf 3.0.3.

Embed sqlite in idmlight using an older version of bnd (2.1.0). See https://lists.opendaylight.org/pipermail/discuss/2015-February/004653.html

Change-Id: I1965156f13cc37ef2714af114eebdfe56f688d52
Signed-off-by: Nathan Harmon <nathan.harmon@hp.com>
9 years ago Fix checkstyle if-statements must use braces in aaa-idmlight 42/13642/3
Thanh Ha [Sun, 14 Dec 2014 20:30:55 +0000 (15:30 -0500)]
Fix checkstyle if-statements must use braces in aaa-idmlight

- Fix missing braces
- Fix indentation level

Change-Id: I5e81fb561b550a2085ceddf6403273dcb503c5ca
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
9 years ago Fix checkstyle if-statements must use braces in aaa-authn 41/13641/3
Thanh Ha [Sun, 14 Dec 2014 20:25:06 +0000 (15:25 -0500)]
Fix checkstyle if-statements must use braces in aaa-authn

- Fix if-statements must use braces
- Add missing License headers

Change-Id: I5c9279d1702ec8c3ce0d1b5ea82aef5c7325e620
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
9 years ago Fix checkstyle if-else-for-statements must use braces in aaa-authn-sts 40/13640/3
Thanh Ha [Sun, 14 Dec 2014 20:23:11 +0000 (15:23 -0500)]
Fix checkstyle if-else-for-statements must use braces in aaa-authn-sts

Change-Id: I3c9ad139c47d0e4a07f29ce8b7dea681184c0b60
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
9 years ago Fix checkstyle if-statements must use braces in aaa-authn-keystone 39/13639/3
Thanh Ha [Sun, 14 Dec 2014 20:21:05 +0000 (15:21 -0500)]
Fix checkstyle if-statements must use braces in aaa-authn-keystone

Change-Id: I84c3f8f0342148f71f5968d55d76a80084046a77
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
9 years ago Fix checkstyle for-statements must use braces in aaa-authn-federation 38/13638/3
Thanh Ha [Sun, 14 Dec 2014 20:20:27 +0000 (15:20 -0500)]
Fix checkstyle for-statements must use braces in aaa-authn-federation

Change-Id: I0a9fa5ebd078eb429d910a5d139153f13bf31937
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
9 years ago Fix checkstyle if-statements must use braces in aaa-authn-store 37/13637/3
Thanh Ha [Sun, 14 Dec 2014 20:18:35 +0000 (15:18 -0500)]
Fix checkstyle if-statements must use braces in aaa-authn-store

- Fix checkstyle if-statement braces
- Fix missing License header

Change-Id: Iac67a50e459b363fd3b83f56011028d82b828c62
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
9 years ago Set root pom.xml <name> for Sonar 74/14074/1
Thanh Ha [Fri, 9 Jan 2015 21:56:31 +0000 (16:56 -0500)]
Set root pom.xml <name> for Sonar

As mentioned on the mailing list Sonar uses the <name> field of the
pom.xml that is passed to the mvn command as the name of the project in
Sonar. In most cases this is the root pom.xml file in a project. This
patch sets the name to the project shortname.

https://lists.opendaylight.org/pipermail/discuss/2014-November/004024.html

Change-Id: Ic8eabf78c37d6e449a837d34600ed3b86e7947a8
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
9 years ago Merge "Change ENUMS used in config yangs for Strings"
Wojciech Dec [Mon, 15 Dec 2014 15:52:31 +0000 (15:52 +0000)]
Merge "Change ENUMS used in config yangs for Strings"

9 years ago Removed the pax-exam it tests in favor of Robot tests. 27/13427/1
Liem Nguyen [Fri, 5 Dec 2014 20:48:58 +0000 (12:48 -0800)]
Removed the pax-exam it tests in favor of Robot tests.

Change-Id: I33e0974795d92a4083129b37cb407d7847614c5f
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Removed all* features as well as fixing circular dependencies with restconf. 25/13425/1
Liem Nguyen [Fri, 5 Dec 2014 19:31:55 +0000 (11:31 -0800)]
Removed all* features as well as fixing circular dependencies with restconf.

Change-Id: I4de1af27c275d3877f1c5f3cc10fb188bfa28c2c
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Change ENUMS used in config yangs for Strings 71/13171/2
Maros Marsalek [Thu, 27 Nov 2014 13:43:17 +0000 (14:43 +0100)]
Change ENUMS used in config yangs for Strings

ENUMs are not properly serialized in config/netconf and it causes failure when reading/writing data using RESTCONF + Loopback connection

Change-Id: I8f9da4d009cdd3a432dd031ecc3a7cb551454d3d
Signed-off-by: Maros Marsalek <mmarsale@cisco.com>
9 years ago Merge "Documentation for SSSD Federated IdP authentication"
Liem Nguyen [Fri, 14 Nov 2014 20:25:22 +0000 (20:25 +0000)]
Merge "Documentation for SSSD Federated IdP authentication"

9 years ago Adds a validate token API 33/12833/1
Abhishek Kumar [Fri, 14 Nov 2014 01:13:21 +0000 (17:13 -0800)]
Adds a validate token API

Adds another API to validate token
The api can be invoked as

curl -s -d "some-previously generated-token" http://<controller-ip>:<port>/oauth2/validate

Returns:
HTTP 200 - if the token is valid
HTTP 401 - If the token is not valid

Change-Id: Ie39d154fb77e873d6b0b8d13feca7917f527cbb8
Signed-off-by: Abhishek Kumar <abhishk2@cisco.com>
9 years ago Enabling CORS in the idmlight app so that apps 33/12533/2
Mayank Agarwal [Wed, 5 Nov 2014 02:28:30 +0000 (18:28 -0800)]
Enabling CORS in the idmlight app so that apps
from different domains can call the APIs.

Signed-off-by: Mayank Agarwal <mayagarw@cisco.com>
Change-Id: I6d960b867eb2dd2f48e6e0ce0b7cee3ff40ce731

9 years ago Merge "Bug 2292 : CORS access control fix"
Wojciech Dec [Wed, 5 Nov 2014 16:51:35 +0000 (16:51 +0000)]
Merge "Bug 2292 : CORS access control fix"

9 years ago Updated pom.xml to use odlparent and add authz back into odl-aaa-all. 02/12502/2
Liem Nguyen [Tue, 4 Nov 2014 18:54:35 +0000 (10:54 -0800)]
Updated pom.xml to use odlparent and add authz back into odl-aaa-all.
Also, segmented features into 3 main buckets:
1) APIs
2) Core features (AuthN and AuthZ)
3) Plugins

Change-Id: I7858b8f6302f34d22cbc548570a4bc15e93df9ec
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Bug 2292 : CORS access control fix 33/12433/1
Harman Singh [Sat, 1 Nov 2014 00:56:34 +0000 (17:56 -0700)]
Bug 2292 : CORS access control fix

When the browser sends a cross-origin request, it first sends the OPTIONS method
with a list of access control request headers, which has a list of custom headers and access control method
such as GET, POST etc. Your custom header "Authorization" will not be present in the request header; instead it
will be present as a value inside Access-Control-Request-Headers.
We should not do any authorization against such request.

Change-Id: I290f409a4685ed10685249b8514621ecb2159176
Signed-off-by: Harman Singh <harmasin@cisco.com>
9 years ago Add REMOTE_USER_GROUPS to ClaimAuthFilter 20/12320/1
John Dennis [Wed, 29 Oct 2014 13:58:54 +0000 (09:58 -0400)]
Add REMOTE_USER_GROUPS to ClaimAuthFilter

The REMOTE_USER_GROUPS IdP attribute was mistakenly omitted from
the metadata collected in ClaimAuthFilter, this corrects that.

Bug #2272

Change-Id: Ibe7f9afb7b94341beb24ea5474c419b592261ce6
Signed-off-by: John Dennis <jdennis@redhat.com>
9 years ago Documentation for SSSD Federated IdP authentication 77/12077/5
John Dennis [Fri, 5 Sep 2014 15:42:21 +0000 (11:42 -0400)]
Documentation for SSSD Federated IdP authentication

Change-Id: I8fd47de74486c1de37d12be3c7f259b5038b66b3
Signed-off-by: John Dennis <jdennis@redhat.com>
9 years ago Adding back the dependency on restconf in the authz feature 38/11838/1
Colin Dixon [Wed, 8 Oct 2014 21:54:52 +0000 (16:54 -0500)]
Adding back the dependency on restconf in the authz feature

This is the second half of the post-Helium master version bump. It puts
the dependency from the authz feature onto the restconf feature back in.

Change-Id: Ibe1da210147490acfcfaebf8d93dcd99c998587e
Signed-off-by: Colin Dixon <colin@colindixon.com>
9 years ago Incrementing versions by 0.1.0 for post-Helium master branch 37/11837/1
Colin Dixon [Wed, 8 Oct 2014 20:20:49 +0000 (15:20 -0500)]
Incrementing versions by 0.1.0 for post-Helium master branch

Also temporarily removing the dependency from the authz feature onto the
restconf feature to solve the cyclic dependency issue. This will be fixed
in a second patch.

Change-Id: I9342717185094335bd5aab34e6ad8574126a2b61
Signed-off-by: Colin Dixon <colin@colindixon.com>
9 years ago Added a sequence diagram for SSSD Authentication 40/11640/2
Liem Nguyen [Sun, 28 Sep 2014 17:25:27 +0000 (10:25 -0700)]
Added a sequence diagram for SSSD Authentication

Change-Id: I7acc23701a8340c1ab9f0992309e326528346312
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Merge "Bug 1948: Separate out restconf features"
Liem Nguyen [Wed, 24 Sep 2014 00:10:35 +0000 (00:10 +0000)]
Merge "Bug 1948: Separate out restconf features"

9 years ago Bug 1948: Separate out restconf features 72/11472/8
Ed Warnicke [Tue, 23 Sep 2014 02:10:54 +0000 (21:10 -0500)]
Bug 1948: Separate out restconf features

In order to avoid a maven project cycle in solving
Bug 1948, we need to separate restconf features.
Note, this is a first step, suffixing everything
with -new.  Subsequently, after everywhere using
odl-restconf has been fixed to use this new repo,
we will deprecate the ones in the mdsal features.xml
and rename these to not have the -new.

This patch just adds the dependency to features/pom.xml

Change-Id: Iedb9dd592e057913b0e083db9488113250dba0b5
Signed-off-by: Ed Warnicke <eaw@cisco.com>
9 years ago Bug 2057 00/11500/1
Liem Nguyen [Tue, 23 Sep 2014 20:16:24 +0000 (13:16 -0700)]
Bug 2057

Return 503 (Service Unavailable) status code if AAA service is not started yet and the Auth filter is invoked.

Change-Id: Id152994d9b2e4e10c30e398872ecc1538beee470
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Merge "BUG2011 Fix"
Liem Nguyen [Mon, 22 Sep 2014 23:08:37 +0000 (23:08 +0000)]
Merge "BUG2011 Fix"

9 years ago BUG2011 Fix 60/11460/1
Peter Mellquist [Mon, 22 Sep 2014 22:22:44 +0000 (22:22 +0000)]
BUG2011 Fix

Signed-off-by: Peter Mellquist <peter.mellquist@hp.com>
Change-Id: I715e7b2569f15353c24857d9f0ee73314a37f2f1

9 years ago Populate HttpRequestServlet API data from HTTP extension headers. 65/11365/3
John Dennis [Fri, 19 Sep 2014 13:21:20 +0000 (09:21 -0400)]
Populate HttpRequestServlet API data from HTTP extension headers.

When SSSD is used for authentication and identity lookup those
actions occur in an Apache HTTP server which is fronting the
servlet container. After successful authentication Apache will
proxy the request to the container along with additional
authentication and identity metadata.

The preferred way to transport the metadata and have it appear
seamlessly in the servlet API is via the AJP protocol. However AJP
may not be available or desirable. An alternative method is to
transport the metadata in extension HTTP headers. However we still
want the standard servlet request API methods to work. Another way
to say this is we do not want upper layers to be aware of the
transport mechanism. To achieve this we wrap the HttpServletRequest
class and override specific methods which need to extract the data
from the extension HTTP headers. (This is roughly equivalent to
what happens when AJP is implemented natively in the container).

The extension HTTP headers are identified by the prefix
"X-SSSD-". The overridden methods check for the existence of the
appropriate extension header and if present returns the value found
in the extension header, otherwise it returns the value from the
method it's wrapping.

Bug: 1977
Change-Id: Id3020a4efe903c4c461df918574746dcc797ec37
Signed-off-by: John Dennis <jdennis@redhat.com>
9 years ago Fixed broken (temperamental) unit test failure 59/11459/1
Liem Nguyen [Mon, 22 Sep 2014 22:09:15 +0000 (15:09 -0700)]
Fixed broken (temperamental) unit test failure

Change-Id: I839b6716eac9cf0477c3c9cb2ae783219a6438db
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Bug 2010: missing aaa-authn-federation dependency 26/11426/1
Ed Warnicke [Sun, 21 Sep 2014 19:50:53 +0000 (14:50 -0500)]
Bug 2010: missing aaa-authn-federation dependency

Change-Id: Iec8c15e738cf29dc9d975b4c4f60d190c45c4d3d
Signed-off-by: Ed Warnicke <eaw@cisco.com>
9 years ago Bug 2009 22/11422/1
Liem Nguyen [Sun, 21 Sep 2014 19:11:20 +0000 (12:11 -0700)]
Bug 2009

Added WWW-Authenticate header with realm set to "opendaylight"

Change-Id: I51bce8b4da6ddbd249890ac4e317139372a3dacb
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Bug 1964 92/11392/2
Liem Nguyen [Sat, 20 Sep 2014 00:35:25 +0000 (17:35 -0700)]
Bug 1964

Several fixes were made in this commit:

1) Separate the federation endpoint into its own webapp (aaa-authn-federation), so it can bind to a separate authorized proxy port.
2) Move initialization code in SssdClaimAuth from the constructor to the init() method to make sure it is initialized via OSGi lifecycle (fixed OSGi loading issue of SssdClaimAuth)
3) Clean up superfluous log.info() messages from IdmLight
4) Fix ClaimAuthFilter to emit 401 error right away if we are federating on a non-authorized proxy port.
5) Add basic integration tests (-Paaa-it) for IdMLight and federation.
6) Configure:
   a) IdmLight APIs (/auth/*) to listen on "adminConn" Jetty connector.
   b) Federation API (/oauth2/federation/) to listen on "federationConn" Jetty connector.

Note:  Currently, the aforementioned Jetty connectors are NOT configured on the ODL controller, so that means those APIs in 6) are not available by default.
To activate them, the sample jetty.xml under aaa-it/src/test/resources should be copied over to the controller's assembly/etc/jetty.xml.  The sample jetty.xml
enables the adminConn on port 8282, localhost only, and the federationConn on port 8383.  So, for example, a POST to the federation endpoint would be:

curl -i -XPOST http://localhost:8383/oauth2/federation/

Change-Id: I1bc939536806d864e462b5cd0f69d1bb1777058d
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Merge "Add secureProxyPorts configuration option."
Liem Nguyen [Fri, 19 Sep 2014 16:12:04 +0000 (16:12 +0000)]
Merge "Add secureProxyPorts configuration option."

9 years ago Fix to authz config yang model 61/11361/1
Wojciech Dec [Fri, 19 Sep 2014 09:57:07 +0000 (11:57 +0200)]
Fix to authz config yang model

Change-Id: Icb06219d85ed164b842a43d9100b9b9c6c7653ec
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Fix for checking if authz config has DomBroker + path of test hive 16/11316/3
Wojciech Dec [Thu, 18 Sep 2014 11:44:31 +0000 (13:44 +0200)]
Fix for checking if authz config has DomBroker + path of test hive

Change-Id: Ic522b972ece1b82e8bc963f2793d63dea3b00099
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Add secureProxyPorts configuration option. 43/11343/2
John Dennis [Thu, 18 Sep 2014 21:32:40 +0000 (17:32 -0400)]
Add secureProxyPorts configuration option.

The ClaimAuthFilter trusts any authentication metadata bound to a
request. A request with fake authentication claims could be forged by
an attacker and submitted to one of the Connector ports the engine is
listening on and it would blindly accept the forged information in
ClaimAuthFilter. Therefore it is vital we only accept authentication
claims from a trusted proxy.

It is incumbent upon the site administrator to dedicate specific
connector ports on which previously authenticated requests from a
trusted proxy will be sent to and to assure only a trusted proxy can
connect to that port. The site administrator must enumerate those
ports in the configuration. The ClaimAuthFilter will ignore any
request which did not originate on one of the configured secure proxy
ports.

The secureProxyPorts configuration is a member of
FederationConfiguration.

Bug: 1964

Change-Id: Ieb1f9d464f631e5009939404d978d905e51c06a0
Signed-off-by: John Dennis <jdennis@redhat.com>
9 years ago Merge "Added sonar plugin"
Liem Nguyen [Thu, 18 Sep 2014 00:01:32 +0000 (00:01 +0000)]
Merge "Added sonar plugin"

9 years ago Fix to Authz feature dependency + some clean-up 93/11293/1
Wojciech Dec [Wed, 17 Sep 2014 18:52:52 +0000 (20:52 +0200)]
Fix to Authz feature dependency + some clean-up

Change-Id: I6a7298e809e7d2d3f3eefca3975012b3166db4d5
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Bug 1912 - Missing config variable in pom 54/11254/1
Lakshman Mukkamalla [Tue, 16 Sep 2014 20:46:29 +0000 (13:46 -0700)]
Bug 1912 - Missing config variable in pom
Signed-off-by: Lakshman Kumar Mukkamalla <lmukkama@cisco.com>
Change-Id: Iebc5860c3689529b5dd5a8ca8633f520942bb110

9 years ago Added sonar plugin 13/11213/2
Liem Nguyen [Mon, 15 Sep 2014 23:10:49 +0000 (16:10 -0700)]
Added sonar plugin

Change-Id: If160229aa7fa67ed97dbb07cf44c94e4fd377120
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Bug 1874 01/11201/1
Liem Nguyen [Mon, 15 Sep 2014 17:46:40 +0000 (10:46 -0700)]
Bug 1874

Fixed hard-coded repository URLs.

Change-Id: I0f90440ae923fa3d96a4ef90c3cd0096dd32accb
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Merge "Added integration test for basic auth with toaster example."
Liem Nguyen [Mon, 15 Sep 2014 17:19:53 +0000 (17:19 +0000)]
Merge "Added integration test for basic auth with toaster example."

9 years ago Added integration test for basic auth with toaster example. 96/11196/1
Liem Nguyen [Mon, 15 Sep 2014 17:12:58 +0000 (10:12 -0700)]
Added integration test for basic auth with toaster example.

Change-Id: I95e9f4eef2ecdcebf13f4933573145a353f75a16
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago BUG 1855 65/11165/1
Peter Mellquist [Sun, 14 Sep 2014 17:35:05 +0000 (17:35 +0000)]
BUG 1855
Error handling fixes and refactor

Change-Id: Iead5da76cdc8ed68e81d565e250aad5274ae8d6c
Signed-off-by: Peter Mellquist <peter.mellquist@hp.com>
9 years ago Bug 1835 75/11075/2
Peter Mellquist [Fri, 12 Sep 2014 00:13:31 +0000 (00:13 +0000)]
Bug 1835
Bug 1749
IDM DM initialization fix

Change-Id: Iad8f9338b613d44e450ab2b6679152fd5f7738ee
Signed-off-by: Peter Mellquist <peter.mellquist@hp.com>
9 years ago Merge "Added integration tests back (and cleaned up poms). Integration tests can...
Liem Nguyen [Wed, 10 Sep 2014 17:44:08 +0000 (17:44 +0000)]
Merge "Added integration tests back (and cleaned up poms).  Integration tests can be triggered by: mvn clean install -Paaa-it"

9 years ago Added integration tests back (and cleaned up poms). Integration tests can be trigger... 35/10835/16
Liem Nguyen [Fri, 5 Sep 2014 05:37:29 +0000 (22:37 -0700)]
Added integration tests back (and cleaned up poms).  Integration tests can be triggered by:
mvn clean install -Paaa-it

Change-Id: Ibb3c8a7a7bbce159530effaf653d02c690324b23
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Added .gitreview file 27/10927/1
Mathieu Lemay [Tue, 9 Sep 2014 00:53:32 +0000 (20:53 -0400)]
Added .gitreview file

Created a basic .gitreview file for AAA project so that we can use git
review instead of normal git operations with gerrit.

Change-Id: Ia7a60839f33c9220a5991f3479c79e00fdfc86e1
Signed-off-by: Mathieu Lemay <mlemay@inocybe.com>
9 years ago Decode i18n values from UTF-8 in ClaimAuthFilter. 60/10860/1
John Dennis [Fri, 5 Sep 2014 18:45:56 +0000 (14:45 -0400)]
Decode i18n values from UTF-8 in ClaimAuthFilter.

Some of the attributes we extract in ClaimAuthFilter are
internationalized strings (i18n). We expect these will be encoded in
UTF-8 therefore we must decode them from UTF-8. There are extensive
comments in the code explaining the issues.

Change-Id: I7b4a437432c0e6d3b6c24f552a8886f54aabb1b5
Signed-off-by: John Dennis <jdennis@redhat.com>
9 years ago Remove the wholesale collection of HTTP headers since in general 53/10853/1
John Dennis [Fri, 5 Sep 2014 14:24:43 +0000 (10:24 -0400)]
Remove the wholesale collection of HTTP headers since in general
they cannot be trusted, but retain the selected capture of specific
HTTP headers configured by an admin.

These changes were supposed to have been part of commit 0c20dce but
due to a mistake they were inadvertantly omitted. This finishes the
intent of commit 0c20dce.

Change-Id: I6e9f451ece62e021ed06432d7135242eb9e03844
Signed-off-by: John Dennis <jdennis@redhat.com>
9 years ago Fixed formatting in README 41/10841/1
Wojciech Dec [Fri, 5 Sep 2014 09:03:37 +0000 (11:03 +0200)]
Fixed formatting in README

Change-Id: Iaa3723bed99dc973f110578c9103ced12c900e78
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Adding policy checks read transactions as a POC for the Authz service 06/10806/2
Lakshman Mukkamalla [Thu, 4 Sep 2014 20:57:30 +0000 (13:57 -0700)]
Adding policy checks read transactions as a POC for the Authz service
Signed-off-by: Lakshman Kumar Mukkamalla <lmukkama@cisco.com>
Change-Id: Iee622780b6876ac6f16553811bfcd934851aa515

9 years ago Way too many authz dependencies 11/10811/1
Liem Nguyen [Thu, 4 Sep 2014 21:22:42 +0000 (14:22 -0700)]
Way too many authz dependencies

Change-Id: I913fd197e736c2dbe2c14185b327394e9682db79
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Merge "Fix broken feature dependencies."
Liem Nguyen [Thu, 4 Sep 2014 21:15:29 +0000 (21:15 +0000)]
Merge "Fix broken feature dependencies."

9 years ago Fix broken feature dependencies. 08/10808/1
Ed Warnicke [Thu, 4 Sep 2014 21:06:36 +0000 (16:06 -0500)]
Fix broken feature dependencies.

Change-Id: I8fe77e5f0718e64ee03464e213dbd7f49755db9d
Signed-off-by: Ed Warnicke <eaw@cisco.com>
9 years ago Merge "Remove some captured values, add comment, add logging"
Liem Nguyen [Thu, 4 Sep 2014 20:59:25 +0000 (20:59 +0000)]
Merge "Remove some captured values, add comment, add logging"

9 years ago Fixed missing authz_service in integration 04/10804/1
Liem Nguyen [Thu, 4 Sep 2014 20:43:12 +0000 (13:43 -0700)]
Fixed missing authz_service in integration

Change-Id: Iecb305fed5a0efe24553e06e21155040478cc398
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago Remove some captured values, add comment, add logging 03/10803/1
John Dennis [Tue, 2 Sep 2014 20:48:57 +0000 (16:48 -0400)]
Remove some captured values, add comment, add logging

CGI_CONTENT_TYPE and CGI_CONTENT_LENGTH are not relevant to an
authentication claim, so remove them.

Reorder the CGI variable name declarations so they are sorted. Makes
it easier to cross check their usage when things are in the same
order.

Remove the wholesale collection of HTTP headers since in general
they cannot be trusted, but retain the selected capture of specific
HTTP headers configured by an admin.

Add comment explaining why getAttributeNames() has problems and how we
adopt.

Add logger and then log the claims map.

Change-Id: I19a274601eceb5e2f24a3c055e9c73d4bb52e9b9
Signed-off-by: John Dennis <jdennis@redhat.com>
9 years ago Merge " Working AuthZ Broker (DOM Data only) + config files AuthZ service still...
Wojciech Dec [Thu, 4 Sep 2014 19:34:07 +0000 (19:34 +0000)]
Merge " Working AuthZ Broker (DOM Data only) + config files  AuthZ service still needs to be fully invoked as noted in TODO"

9 years ago Working AuthZ Broker (DOM Data only) + config files 95/10495/27
Wojciech Dec [Fri, 29 Aug 2014 18:32:33 +0000 (20:32 +0200)]
 Working AuthZ Broker (DOM Data only) + config files
 AuthZ service still needs to be fully invoked as noted in TODO

Change-Id: I084926f9c8518e865527be4dafdcd0c3effc5340
Signed-off-by: Wojciech Dec <wdec@cisco.com>
9 years ago Add support for calling the IdP RuleProcessor from SssdClaimAuth. 85/10785/1
John Dennis [Thu, 4 Sep 2014 15:50:16 +0000 (11:50 -0400)]
Add support for calling the IdP RuleProcessor from SssdClaimAuth.

Initialize the RuleProcessor in SssdClaimAuth and then invoke it
from SssdClaimAuth.transform.

Add all necessary dependencies to the pom.xml files and features.xml file.

Change-Id: Iea5d8eb15a65e4a1d5b808b748f0cf1e208d6c30
Signed-off-by: John Dennis <jdennis@redhat.com>
9 years ago delete hello example 37/10737/1
Peter Mellquist [Wed, 3 Sep 2014 22:34:24 +0000 (22:34 +0000)]
delete hello example

Change-Id: I4d3e1d07f7ce4f9217b5c9510abe51855ff92c27
Signed-off-by: Peter Mellquist <peter.mellquist@hp.com>
9 years ago Fix broken integration test 62/10662/1
Liem Nguyen [Tue, 2 Sep 2014 23:29:17 +0000 (16:29 -0700)]
Fix broken integration test

Change-Id: Ib256a230d1628b5126488df6896cb453a5ebe83f
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
9 years ago BUG-1617 AuthProvider implementation for ODL netconf backed by CredentialAuth 56/10356/6
Ed Warnicke [Wed, 27 Aug 2014 08:26:02 +0000 (10:26 +0200)]
BUG-1617 AuthProvider implementation for ODL netconf backed by CredentialAuth

Added new Karaf feature for aaa-authn-odl-plugin.

Change-Id: I41fcf61c17da9d40a9f090a5a5d334125d36aab5
Signed-off-by: Maros Marsalek <mmarsale@cisco.com>
Signed-off-by: Ed Warnicke <eaw@cisco.com>
9 years ago Merge "Moved configs to their respective bundles and added config for ClaimAuth"
Liem Nguyen [Fri, 29 Aug 2014 21:38:59 +0000 (21:38 +0000)]
Merge "Moved configs to their respective bundles and added config for ClaimAuth"