Ryan Goulding [Fri, 19 Jun 2015 17:44:43 +0000 (13:44 -0400)]
Bug 3820 Incorrect database initialization
Added username and password parameters to database initialization. This is
necessary in order to access the database from a psql client. This change
enforces the Singleton design pattern for IdmLightApplication. The
getDbConnect() functionality included in UserStore, RoleStore, GrantStore
and DomainStore is consolidated in
IdmLightApplication.getConnection(Connection existingConnection) function.
Change-Id: Ib001e05548acf401c4633712cd7ab3ff6a2d2b44
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
(cherry picked from commit 8f97e87daccb3f9f9eb8bec620ff2088fef10826)
Ryan Goulding [Wed, 1 Jul 2015 18:42:48 +0000 (14:42 -0400)]
Bug 2923 Restarting the controller causes multiple insertions of users
Changes criteria of StoreBuilder.init() so it is called when
"idmlight.db.mv.db" does not exist. Previously, the code checked for the
existence of "idmlight.db". This convention changed with the addition of
H2 as the data store backing AAA data.
Change-Id: I54dcc896aec57b8b89b3be7dfe0c50a7973d49ce
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Thanh Ha [Thu, 25 Jun 2015 22:18:50 +0000 (18:18 -0400)]
Revert disabling yangtools features-test
This patch is part 2 of 2 patches:
* Re-enables the feature tests for features-authz.
Change-Id: Iea441bd3fe2fed2a2bd4b86ccae1f3b0e2b919cc
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Thu, 25 Jun 2015 18:29:35 +0000 (14:29 -0400)]
Bumping versions by 0.0.1 for next dev cycle
This patch is part 1 of 2 patches.
* To break the cyclic dependency, this patch temporarily stops running
the authz feature tests.
Change-Id: I059c96be0f702a98df11ba7c85ed2db96861cfcd
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Tue, 23 Jun 2015 01:47:13 +0000 (01:47 +0000)]
Release Lithium
Change-Id: I87c37a381c5d798874e4abb9511e8324553f1289
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Debalina Ghosh [Thu, 4 Jun 2015 22:39:56 +0000 (15:39 -0700)]
Bug 2809: Fix AAA error reporting
Change-Id: I61c923cec41fbe2244151c354ccba0fc49703faf
Signed-off-by: Debalina Ghosh <debalina.ghosh@hp.com>
(cherry picked from commit 35a932cc6c9303d518dc19912ed8de28d77a14fd)
Wojciech Dec [Tue, 9 Jun 2015 14:58:32 +0000 (14:58 +0000)]
Merge "Bug 2321 - Adding Authentication to IdmLight API" into stable/lithium
Wojciech Dec [Thu, 4 Jun 2015 17:37:53 +0000 (19:37 +0200)]
Bug 2321 - Adding Authentication to IdmLight API
Change-Id: I6197c4e518202e9d285958df741228a1dec268ad
Signed-off-by: Wojciech Dec <wdec@cisco.com>
(cherry picked from commit 0e88625f4a2f438f5995ef7fa12b2ebbe35ef66b)
Debalina Ghosh [Mon, 4 May 2015 21:27:46 +0000 (14:27 -0700)]
BUG 3323 - Changing sql queries to prepared statements in idmlite
Change-Id: I609aaccb718dfcbd8f02bd45a6568adeb1cd5b7e
Signed-off-by: Debalina Ghosh <debalina.ghosh@hp.com>
(cherry picked from commit e98c1a75ea913a713e89c13ec323dfa54b8540ee)
Wojciech Dec [Thu, 4 Jun 2015 17:31:28 +0000 (19:31 +0200)]
Bug 3578 - Fixing reachability of IdmLight + cleanup of Idmlight feature bundles.
Change-Id: I6ab84171703b365b5d05bd900bc30c2634711796
Signed-off-by: Wojciech Dec <wdec@cisco.com>
(cherry picked from commit 9899d88ea341c70f474e5627aa4ee26c97767f93)
Wojciech Dec [Fri, 22 May 2015 18:53:58 +0000 (18:53 +0000)]
Merge "BUG 3342 - call super.finalize in stores" into stable/lithium
Wojciech Dec [Fri, 22 May 2015 18:52:55 +0000 (18:52 +0000)]
Merge "BUG 3343 - Fix encrypter's stack trace as log... continued..." into stable/lithium
Wojciech Dec [Fri, 22 May 2015 16:03:55 +0000 (18:03 +0200)]
BUG 3342 - call super.finalize in stores
Change-Id: I45bac5d48a08dc9d103e3b66890781351ee2e740
Signed-off-by: Wojciech Dec <wdec@cisco.com>
(cherry picked from commit 53216f7cca455131a323d185ffaad2af16b39ee8)
Wojciech Dec [Fri, 22 May 2015 17:38:09 +0000 (19:38 +0200)]
BUG 3343 - Fix encrypter's stack trace as log
Change-Id: I40b5a21d0cbf891abede31fee7d55114d26ab0ac
Signed-off-by: Wojciech Dec <wdec@cisco.com>
(cherry picked from commit ef69a4751fdf26e4a695769d4928200582eb7bca)
Wojciech Dec [Fri, 22 May 2015 17:45:53 +0000 (19:45 +0200)]
BUG 3343 - Fix encrypter's stack trace as log... continued...
Change-Id: Id9ae459e29800f75285804bd3a225b831c434d26
Signed-off-by: Wojciech Dec <wdec@cisco.com>
(cherry picked from commit d5bd6a267972a9ff5452b8f3b0b6574e27fe72a0)
Moiz Raja [Thu, 7 May 2015 02:34:34 +0000 (19:34 -0700)]
Ensure that the TokenStore is unregistered when closed
The ServiceLocator maintains a reference to all registered token stores and
when a request for get is made it goes through all the registered token stores
to see which one might have the token.
If we have a stale token store then it will also have a reference to a stale
data broker which will throw an exception when a transaction is created on it -
this exception happens to be a runtime exception and if ignored will result in
the exception surfacing all the way to the filter.
Change-Id: I4a66b144529ab5a99a6f53e5bb2ab176e18de703
Signed-off-by: Moiz Raja <moraja@cisco.com>
Wojciech Dec [Wed, 6 May 2015 11:40:58 +0000 (13:40 +0200)]
Changing .gitreview to use the stable/lithium branch
Change-Id: Icf6798d4ff647174a634d930dfdc5a9bc7a4905c
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Wed, 6 May 2015 11:09:53 +0000 (13:09 +0200)]
Do not override odlparent properties.
Change-Id: Ic7217c8bfd67dbd380a79b8ed5c7c60af93009e8
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Wed, 6 May 2015 10:57:08 +0000 (10:57 +0000)]
Merge "Do not override Karaf version"
Wojciech Dec [Fri, 1 May 2015 10:06:52 +0000 (12:06 +0200)]
Add authorisation data
Change-Id: If1a332b929a2dcb0bfcda0e578d99c20b2de3168
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Tony Tkacik [Tue, 21 Apr 2015 09:13:48 +0000 (11:13 +0200)]
Do not override Karaf version
Change-Id: I4407c8d8ed90a37f0a55c5e4db092faa28d0ab08
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
Wojciech Dec [Fri, 24 Apr 2015 15:07:57 +0000 (15:07 +0000)]
Merge "Cleanup after sql-lite"
Wojciech Dec [Fri, 24 Apr 2015 14:53:13 +0000 (16:53 +0200)]
Cleanup after sql-lite
Change-Id: I4d0270aa8c9cdfba45aa2f6ca1cb7398d31e5bed
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Michal Rehak [Fri, 24 Apr 2015 14:40:18 +0000 (16:40 +0200)]
Reverted config location line formatting
- looks like karaf is sensitive to whitespaces here
https://issues.apache.org/jira/browse/KARAF-3506
Change-Id: I98a58023015ab2cb64c0522fbe8a3d9fc7586034
Signed-off-by: Michal Rehak <mirehak@cisco.com>
Tony Tkacik [Fri, 24 Apr 2015 13:25:05 +0000 (15:25 +0200)]
Fixed missing dependency on authn config.
Change-Id: I0ca414e8c1e76c47290323b84740480a2b46bcce
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
Wojciech Dec [Fri, 24 Apr 2015 12:12:04 +0000 (12:12 +0000)]
Merge "Change AAA features to default to cluster capable"
Wojciech Dec [Thu, 23 Apr 2015 15:24:32 +0000 (15:24 +0000)]
Merge "Remove redundant restconf connector config file"
Wojciech Dec [Thu, 23 Apr 2015 09:22:35 +0000 (11:22 +0200)]
Change AAA features to default to cluster capable
Change-Id: Id6478d446da94cd58000fcda05a0bec28916f194
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Thu, 23 Apr 2015 09:19:11 +0000 (09:19 +0000)]
Merge "Implementation of MD-SAL Token Cache"
Wojciech Dec [Thu, 16 Apr 2015 12:44:29 +0000 (14:44 +0200)]
Implementation of MD-SAL Token Cache
Change-Id: I7d966b52edc1e6d62860285630ee3e215917b26c
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Wed, 22 Apr 2015 11:26:26 +0000 (13:26 +0200)]
Remove redundant restconf connector config file
Change-Id: I7be4f31ddcd11eb95fa26c52350ac15a5d3f62ad
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Kailash Khalasi [Thu, 16 Apr 2015 22:01:12 +0000 (15:01 -0700)]
Adding unit tests to idmlite
Change-Id: I5ebd86085cf3e1ac88843c656f10480203879da4
Signed-off-by: Kailash Khalasi <kailash.khalasi@hp.com>
Wojciech Dec [Fri, 17 Apr 2015 10:39:45 +0000 (12:39 +0200)]
Revert db path
Change-Id: I694122d8616a650d2c78776c3eb3613cff4f6e8f
Signed-off-by: Wojciech Dec <wdec@cisco.com>
EduardoPerez [Tue, 14 Apr 2015 05:22:20 +0000 (22:22 -0700)]
Replacement from SQLite to H2 as JDBC provider
Updated to fix issues with H2 persistence replacement code.
Change-Id: I2c589e8f48576bdf02ac923c7f8d838d4185fb89
Signed-off-by: EduardoPerez <eduardo.perez2@hp.com>
Thanh Ha [Tue, 31 Mar 2015 15:03:16 +0000 (11:03 -0400)]
Add <relativePath/> to ensure Maven pulls artifact from Nexus
Needed by autorelease to be able to find and replace this value
prebuild.
Change-Id: Ida4e11bd27a7e72f278dd90e6152ba240299859c
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Robert Varga [Mon, 30 Mar 2015 17:40:50 +0000 (19:40 +0200)]
Use dependencyManagement imports
Upstream projects provide their declarations in artifacts artifact --
import it to get coherent version management.
Change-Id: I0d1b1cc400167f9e63a1ad730e3405c5d0cf2823
Signed-off-by: Robert Varga <rovarga@cisco.com>
Robert Varga [Sun, 29 Mar 2015 11:03:55 +0000 (13:03 +0200)]
Fix JDK8 javadoc compatibility
JDK8 is more picky about javadocs. Fix them up so the project can be
built using JDK8.
Change-Id: I423570f532338f6253dc31b16a8ca73324c38970
Signed-off-by: Robert Varga <rovarga@cisco.com>
Robert Varga [Sun, 29 Mar 2015 10:50:58 +0000 (12:50 +0200)]
Make sure insertion order is retained
Tests require toString() to be stable, which in turn requires we do not
use HashMaps, as their iteration order is undefined.
Change-Id: Iba53a84acb53a249e64acc604d831c7f4bd57f69
Signed-off-by: Robert Varga <rovarga@cisco.com>
Wojciech Dec [Mon, 23 Mar 2015 10:03:16 +0000 (10:03 +0000)]
Merge "delete hello example"
Wojciech Dec [Mon, 23 Mar 2015 09:59:22 +0000 (09:59 +0000)]
Merge "Adding Yang based token-cache-api"
Wojciech Dec [Mon, 23 Mar 2015 09:58:00 +0000 (09:58 +0000)]
Merge "Do not instantiate Booleans, Strings and Longs"
Robert Varga [Sun, 22 Mar 2015 22:54:33 +0000 (23:54 +0100)]
Do not instantiate Booleans, Strings and Longs
The two possible values are available as constants, so use them
directly, lowering the amount of garbage we generate.
For an empty String, we can just use a literal. For Longs, instead of
explicit construction, we can use valueOf(), which can end up using the
same instance. Also, we can use autoboxing to let JVM promote a value as
appropriate.
Change-Id: Icf9405d691a08c20dde78a5fe05bd4fab5947741
Signed-off-by: Robert Varga <rovarga@cisco.com>
John Borz [Sat, 21 Mar 2015 03:36:36 +0000 (20:36 -0700)]
Added Karaf feature for the keystone plugin.
Change-Id: I7660b6d50ad8dbe3f47b242494fbbd209bba4995
Signed-off-by: John Borz <john.borz@hp.com>
Tony Tkacik [Fri, 20 Mar 2015 13:55:05 +0000 (14:55 +0100)]
Fixed typo in credential model.
Change-Id: If9b83393e81d7eacf0f364f6155cb9dc64dadcae
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
Tony Tkacik [Fri, 20 Mar 2015 09:17:24 +0000 (10:17 +0100)]
Fixed AuthZ DataBroker not implementing getExtensions
Change-Id: I9d0cb13043576060c1aa0acf2788e19c493dee97
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
Wojciech Dec [Thu, 19 Mar 2015 17:13:30 +0000 (18:13 +0100)]
Adding Yang based token-cache-api
Change-Id: I141d5a2b970a2913309f159a4db9224dc8958153
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Sherry Krell [Wed, 25 Feb 2015 18:12:12 +0000 (10:12 -0800)]
Re-enable running of SingleFeaturesTest. Fix failing tests.
- switch to using odlparent:features-test instead of yangtools:features-test.
- fix failing features tests
Change-Id: Icb61adef1e06feda40f7c934ee87ba7b4fe7e53e
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
Tony Tkacik [Wed, 18 Mar 2015 14:07:56 +0000 (15:07 +0100)]
Added feature dependencies to features/api
Change-Id: Ib0ac42d2fb0d46d45c81f868a7ae500c9d65ae68
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
Nathan Harmon [Fri, 27 Feb 2015 05:25:22 +0000 (21:25 -0800)]
yang model for storing security credentials
Change-Id: I8045ca9b752bd777e7048837382d646503982455
Signed-off-by: Steve Dean <sdean@hp.com>
Signed-off-by: Nathan Harmon <nathan.harmon@hp.com>
Sherry Krell [Fri, 6 Mar 2015 21:41:24 +0000 (13:41 -0800)]
Refactor ClaimBuilder, update unit tests.
- fix builder to only create object within build()
- make built object immutable
- add validation
Change-Id: Icbd39ab06d9de444dfebaf110cc42fac2065bbf9
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
Wojciech Dec [Wed, 18 Mar 2015 11:48:20 +0000 (11:48 +0000)]
Merge "Refactor AuthenticationBuilder, update unit tests. - fix builder to only create object within build() - make built object immutable - use composition instead of inheritance for Claim - add validation"
Wojciech Dec [Wed, 18 Mar 2015 11:37:44 +0000 (11:37 +0000)]
Merge "Initial AAA Karaf features for cluster capable MD-SAL based token cache"
Sherry Krell [Tue, 3 Mar 2015 23:35:30 +0000 (15:35 -0800)]
Refactor AuthenticationBuilder, update unit tests.
- fix builder to only create object within build()
- make built object immutable
- use composition instead of inheritance for Claim
- add validation
Change-Id: I324210f0743ce113d8bcafd5861d74414c5dfa0d
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
Tony Tkacik [Tue, 17 Mar 2015 15:11:39 +0000 (16:11 +0100)]
Bug 868: Migrated AuthZ to use Forwarding Sessions.
Change-Id: I65ca5c694694ce52853c2ec7ce69fd73eb0062e2
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
Tony Tkacik [Tue, 17 Mar 2015 08:28:08 +0000 (09:28 +0100)]
Removed override of checkstyle version.
Change-Id: Iaa9a92d9cab025ffa68fb2f1323d72feaffcca50
Signed-off-by: Tony Tkacik <ttkacik@cisco.com>
Wojciech Dec [Wed, 25 Feb 2015 10:51:22 +0000 (11:51 +0100)]
Initial AAA Karaf features for cluster capable MD-SAL based token cache
Change-Id: Iae808ffcc966ce77018612338930fad9a10f1f85
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Tue, 29 Jul 2014 17:31:20 +0000 (19:31 +0200)]
Removing Authz RPC timeout in response
Change-Id: I04d7965cdf3d839b429423195d35b262fd9c1b0e
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Tue, 10 Mar 2015 10:47:52 +0000 (10:47 +0000)]
Merge "Workaround for sqlite wrapping issue in Karaf 3.0.3."
Wojciech Dec [Mon, 2 Mar 2015 13:23:02 +0000 (13:23 +0000)]
Merge "Remove <repositories> and <pluginRepositories> sections"
Thanh Ha [Thu, 12 Feb 2015 15:51:18 +0000 (10:51 -0500)]
Remove <repositories> and <pluginRepositories> sections
It is recommended that developers and servers configure this locally via
settings.xml.
https://lists.opendaylight.org/pipermail/discuss/2015-January/004482.html
Change-Id: I58b9a6991ebd60b3bfdfcccb2e37a13e711134a3
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Sherry Krell [Wed, 25 Feb 2015 23:08:59 +0000 (15:08 -0800)]
Refactor and add unit tests for AuthenticationManager and fix bug that was found in updated method.
Change-Id: I56243d90c502852005031d0238e8e06ddbbe244e
Signed-off-by: Sherry Krell <sherry.krell@hp.com>
Nathan Harmon [Sat, 21 Feb 2015 00:54:25 +0000 (16:54 -0800)]
Workaround for sqlite wrapping issue in Karaf 3.0.3.
Embed sqlite in idmlight using an older version of bnd (2.1.0). See https://lists.opendaylight.org/pipermail/discuss/2015-February/004653.html
Change-Id: I1965156f13cc37ef2714af114eebdfe56f688d52
Signed-off-by: Nathan Harmon <nathan.harmon@hp.com>
Thanh Ha [Sun, 14 Dec 2014 20:30:55 +0000 (15:30 -0500)]
Fix checkstyle if-statements must use braces in aaa-idmlight
- Fix missing braces
- Fix indentation level
Change-Id: I5e81fb561b550a2085ceddf6403273dcb503c5ca
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:25:06 +0000 (15:25 -0500)]
Fix checkstyle if-statements must use braces in aaa-authn
- Fix if-statements must use braces
- Add missing License headers
Change-Id: I5c9279d1702ec8c3ce0d1b5ea82aef5c7325e620
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:23:11 +0000 (15:23 -0500)]
Fix checkstyle if-else-for-statements must use braces in aaa-authn-sts
Change-Id: I3c9ad139c47d0e4a07f29ce8b7dea681184c0b60
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:21:05 +0000 (15:21 -0500)]
Fix checkstyle if-statements must use braces in aaa-authn-keystone
Change-Id: I84c3f8f0342148f71f5968d55d76a80084046a77
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:20:27 +0000 (15:20 -0500)]
Fix checkstyle for-statements must use braces in aaa-authn-federation
Change-Id: I0a9fa5ebd078eb429d910a5d139153f13bf31937
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Sun, 14 Dec 2014 20:18:35 +0000 (15:18 -0500)]
Fix checkstyle if-statements must use braces in aaa-authn-store
- Fix checkstyle if-statement braces
- Fix missing License header
Change-Id: Iac67a50e459b363fd3b83f56011028d82b828c62
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Thanh Ha [Fri, 9 Jan 2015 21:56:31 +0000 (16:56 -0500)]
Set root pom.xml <name> for Sonar
As mentioned on the mailing list Sonar uses the <name> field of the
pom.xml that is passed to the mvn command as the name of the project in
Sonar. In most cases this is the root pom.xml file in a project. This
patch sets the name to the project shortname.
https://lists.opendaylight.org/pipermail/discuss/2014-November/004024.html
Change-Id: Ic8eabf78c37d6e449a837d34600ed3b86e7947a8
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Wojciech Dec [Mon, 15 Dec 2014 15:52:31 +0000 (15:52 +0000)]
Merge "Change ENUMS used in config yangs for Strings"
Liem Nguyen [Fri, 5 Dec 2014 20:48:58 +0000 (12:48 -0800)]
Removed the pax-exam it tests in favor of Robot tests.
Change-Id: I33e0974795d92a4083129b37cb407d7847614c5f
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Fri, 5 Dec 2014 19:31:55 +0000 (11:31 -0800)]
Removed all* features as well as fixing circular dependencies with restconf.
Change-Id: I4de1af27c275d3877f1c5f3cc10fb188bfa28c2c
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Maros Marsalek [Thu, 27 Nov 2014 13:43:17 +0000 (14:43 +0100)]
Change ENUMS used in config yangs for Strings
ENUMs are not properly serialized in config/netconf and it causes failure when reading/writing data using RESTCONF + Loopback connection
Change-Id: I8f9da4d009cdd3a432dd031ecc3a7cb551454d3d
Signed-off-by: Maros Marsalek <mmarsale@cisco.com>
Liem Nguyen [Fri, 14 Nov 2014 20:25:22 +0000 (20:25 +0000)]
Merge "Documentation for SSSD Federated IdP authentication"
Abhishek Kumar [Fri, 14 Nov 2014 01:13:21 +0000 (17:13 -0800)]
Adds a validate token API
Adds another API to validate token
The api can be invoked as
curl -s -d "some-previously generated-token" http://<controller-ip>:<port>/oauth2/validate
Returns:
HTTP 200 - if the token is valid
HTTP 401 - If the token is not valid
Change-Id: Ie39d154fb77e873d6b0b8d13feca7917f527cbb8
Signed-off-by: Abhishek Kumar <abhishk2@cisco.com>
Mayank Agarwal [Wed, 5 Nov 2014 02:28:30 +0000 (18:28 -0800)]
Enabling CORS in the idmlight app so that apps
from different domains can call the APIs.
Signed-off-by: Mayank Agarwal <mayagarw@cisco.com>
Change-Id: I6d960b867eb2dd2f48e6e0ce0b7cee3ff40ce731
Wojciech Dec [Wed, 5 Nov 2014 16:51:35 +0000 (16:51 +0000)]
Merge "Bug 2292 : CORS access control fix"
Liem Nguyen [Tue, 4 Nov 2014 18:54:35 +0000 (10:54 -0800)]
Updated pom.xml to use odlparent and add authz back into odl-aaa-all.
Also, segmented features into 3 main buckets:
1) APIs
2) Core features (AuthN and AuthZ)
3) Plugins
Change-Id: I7858b8f6302f34d22cbc548570a4bc15e93df9ec
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Harman Singh [Sat, 1 Nov 2014 00:56:34 +0000 (17:56 -0700)]
Bug 2292 : CORS access control fix
When the browser sends a cross-origin request, it first sends the OPTIONS method
with a list of access control request headers, which has a list of custom headers and access control methods
such as GET, POST etc. Your custom header "Authorization" will not be present in the request header; instead it
will be present as a value inside Access-Control-Request-Headers.
We should not do any authorization against such request.
Change-Id: I290f409a4685ed10685249b8514621ecb2159176
Signed-off-by: Harman Singh <harmasin@cisco.com>
John Dennis [Wed, 29 Oct 2014 13:58:54 +0000 (09:58 -0400)]
Add REMOTE_USER_GROUPS to ClaimAuthFilter
The REMOTE_USER_GROUPS IdP attribute was mistakenly omitted from
the metadata collected in ClaimAuthFilter; this corrects that.
Bug #2272
Change-Id: Ibe7f9afb7b94341beb24ea5474c419b592261ce6
Signed-off-by: John Dennis <jdennis@redhat.com>
John Dennis [Fri, 5 Sep 2014 15:42:21 +0000 (11:42 -0400)]
Documentation for SSSD Federated IdP authentication
Change-Id: I8fd47de74486c1de37d12be3c7f259b5038b66b3
Signed-off-by: John Dennis <jdennis@redhat.com>
Colin Dixon [Wed, 8 Oct 2014 21:54:52 +0000 (16:54 -0500)]
Adding back the dependency on restconf in the authz feature
This is the second half of the post-Helium master version bump. It puts
the dependency from the authz feature onto the restconf feature back in.
Change-Id: Ibe1da210147490acfcfaebf8d93dcd99c998587e
Signed-off-by: Colin Dixon <colin@colindixon.com>
Colin Dixon [Wed, 8 Oct 2014 20:20:49 +0000 (15:20 -0500)]
Incrementing versions by 0.1.0 for post-Helium master branch
Also temporarily removing the dependency from the authz feature onto the
restconf feature to solve the cyclic dependency issue. This will be fixed
in a second patch.
Change-Id: I9342717185094335bd5aab34e6ad8574126a2b61
Signed-off-by: Colin Dixon <colin@colindixon.com>
Liem Nguyen [Sun, 28 Sep 2014 17:25:27 +0000 (10:25 -0700)]
Added a sequence diagram for SSSD Authentication
Change-Id: I7acc23701a8340c1ab9f0992309e326528346312
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Wed, 24 Sep 2014 00:10:35 +0000 (00:10 +0000)]
Merge "Bug 1948: Separate out restconf features"
Ed Warnicke [Tue, 23 Sep 2014 02:10:54 +0000 (21:10 -0500)]
Bug 1948: Separate out restconf features
In order to avoid a maven project cycle in solving
Bug 1948, we need to separate restconf features.
Note, this is a first step, suffixing everything
with -new. Subsequently, after everywhere using
odl-restconf has been fixed to use this new repo,
we will deprecate the ones in the mdsal features.xml
and rename these to not have the -new.
This patch just adds the dependency to features/pom.xml
Change-Id: Iedb9dd592e057913b0e083db9488113250dba0b5
Signed-off-by: Ed Warnicke <eaw@cisco.com>
Liem Nguyen [Tue, 23 Sep 2014 20:16:24 +0000 (13:16 -0700)]
Bug 2057
Return 503 (Service Unavailable) status code if AAA service is not started yet and the Auth filter is invoked.
Change-Id: Id152994d9b2e4e10c30e398872ecc1538beee470
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Mon, 22 Sep 2014 23:08:37 +0000 (23:08 +0000)]
Merge "BUG2011 Fix"
Peter Mellquist [Mon, 22 Sep 2014 22:22:44 +0000 (22:22 +0000)]
BUG2011 Fix
Signed-off-by: Peter Mellquist <peter.mellquist@hp.com>
Change-Id: I715e7b2569f15353c24857d9f0ee73314a37f2f1
John Dennis [Fri, 19 Sep 2014 13:21:20 +0000 (09:21 -0400)]
Populate HttpRequestServlet API data from HTTP extension headers.
When SSSD is used for authentication and identity lookup those
actions occur in an Apache HTTP server which is fronting the
servlet container. After successful authentication Apache will
proxy the request to the container along with additional
authentication and identity metadata.
The preferred way to transport the metadata and have it appear
seamlessly in the servlet API is via the AJP protocol. However AJP
may not be available or desirable. An alternative method is to
transport the metadata in extension HTTP headers. However we still
want the standard servlet request API methods to work. Another way
to say this is we do not want upper layers to be aware of the
transport mechanism. To achieve this we wrap the HttpServletRequest
class and override specific methods which need to extract the data
from the extension HTTP headers. (This is roughly equivalent to
what happens when AJP is implemented natively in the container).
The extension HTTP headers are identified by the prefix
"X-SSSD-". The overridden methods check for the existence of the
appropriate extension header and if present returns the value found
in the extension header, otherwise it returns the value from the
method it's wrapping.
Bug: 1977
Change-Id: Id3020a4efe903c4c461df918574746dcc797ec37
Signed-off-by: John Dennis <jdennis@redhat.com>
Liem Nguyen [Mon, 22 Sep 2014 22:09:15 +0000 (15:09 -0700)]
Fixed broken (temperamental) unit test failure
Change-Id: I839b6716eac9cf0477c3c9cb2ae783219a6438db
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Ed Warnicke [Sun, 21 Sep 2014 19:50:53 +0000 (14:50 -0500)]
Bug 2010: missing aaa-authn-federation dependency
Change-Id: Iec8c15e738cf29dc9d975b4c4f60d190c45c4d3d
Signed-off-by: Ed Warnicke <eaw@cisco.com>
Liem Nguyen [Sun, 21 Sep 2014 19:11:20 +0000 (12:11 -0700)]
Bug 2009
Added WWW-Authenticate header with realm set to "opendaylight"
Change-Id: I51bce8b4da6ddbd249890ac4e317139372a3dacb
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Sat, 20 Sep 2014 00:35:25 +0000 (17:35 -0700)]
Bug 1964
Several fixes were made in this commit:
1) Separate the federation endpoint into its own webapp (aaa-authn-federation), so it can bind to a separate authorized proxy port.
2) Move initialization code in SssdClaimAuth from the constructor to the init() method to make sure it is initialized via OSGi lifecycle (fixed OSGi loading issue of SssdClaimAuth)
3) Clean up superfluous log.info() messages from IdmLight
4) Fix ClaimAuthFilter to emit 401 error right away if we are federating on a non-authorized proxy port.
5) Add basic integration tests (-Paaa-it) for IdMLight and federation.
6) Configure:
a) IdmLight APIs (/auth/*) to listen on "adminConn" Jetty connector.
b) Federation API (/oauth2/federation/) to listen on "federationConn" Jetty connector.
Note: Currently, the aforementioned Jetty connectors are NOT configured on the ODL controller, so that means those APIs in 6) are not available by default.
To activate them, the sample jetty.xml under aaa-it/src/test/resources should be copied over to the controller's assembly/etc/jetty.xml. The sample jetty.xml
enables the adminConn on port 8282, localhost only, and the federationConn on port 8383. So, for example, a POST to the federation endpoint would be:
curl -i -XPOST http://localhost:8383/oauth2/federation/
Change-Id: I1bc939536806d864e462b5cd0f69d1bb1777058d
Signed-off-by: Liem Nguyen <liem_m_nguyen@hp.com>
Liem Nguyen [Fri, 19 Sep 2014 16:12:04 +0000 (16:12 +0000)]
Merge "Add secureProxyPorts configuration option."
Wojciech Dec [Fri, 19 Sep 2014 09:57:07 +0000 (11:57 +0200)]
Fix to authz config yang model
Change-Id: Icb06219d85ed164b842a43d9100b9b9c6c7653ec
Signed-off-by: Wojciech Dec <wdec@cisco.com>
Wojciech Dec [Thu, 18 Sep 2014 11:44:31 +0000 (13:44 +0200)]
Fix for checking if authz config has DomBroker + path of test hive
Change-Id: Ic522b972ece1b82e8bc963f2793d63dea3b00099
Signed-off-by: Wojciech Dec <wdec@cisco.com>
John Dennis [Thu, 18 Sep 2014 21:32:40 +0000 (17:32 -0400)]
Add secureProxyPorts configuration option.
The ClaimAuthFilter trusts any authentication metadata bound to a
request. A request with fake authentication claims could be forged by
an attacker and submitted to one of the Connector ports the engine is
listening on and it would blindly accept the forged information in
ClaimAuthFilter. Therefore it is vital we only accept authentication
claims from a trusted proxy.
It is incumbent upon the site administrator to dedicate specific
connector ports on which previously authenticated requests from a
trusted proxy will be sent to and to assure only a trusted proxy can
connect to that port. The site administrator must enumerate those
ports in the configuration. The ClaimAuthFilter will ignore any
request which did not originate on one of the configured secure proxy
ports.
The secureProxyPorts configuration is a member of
FederationConfiguration.
Bug: 1964
Change-Id: Ieb1f9d464f631e5009939404d978d905e51c06a0
Signed-off-by: John Dennis <jdennis@redhat.com>
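Added example, not part of the commit log and not the AAA project's code: a plain-Java sketch of the trust rule described in the secureProxyPorts commit above, applied to the "X-SSSD-" extension headers from the Bug 1977 commit. The Request record, the class and method names, port 8181 and the header values are assumptions made for illustration; 8383 is the federationConn port of the sample jetty.xml mentioned in the log.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;

/** Added illustration (Java 16+); not the AAA project's ClaimAuthFilter. */
public class SecureProxyPortGate {

    /** Hypothetical stand-in for the few request properties the check needs. */
    record Request(int localPort, Map<String, String> headers) {}

    /** Extension-header prefix named in the commit log. */
    static final String PREFIX = "X-SSSD-";

    private final Set<Integer> secureProxyPorts;

    SecureProxyPortGate(Set<Integer> secureProxyPorts) {
        this.secureProxyPorts = Set.copyOf(secureProxyPorts);
    }

    /**
     * Returns the identity claims carried in X-SSSD-* headers, but only for a
     * request that arrived on a configured secure proxy port. On any other
     * port the headers are untrusted client input and are not read at all.
     */
    Optional<Map<String, String>> claims(Request req) {
        if (!secureProxyPorts.contains(req.localPort())) {
            return Optional.empty();
        }
        Map<String, String> claims = new TreeMap<>();
        for (Map.Entry<String, String> h : req.headers().entrySet()) {
            String name = h.getKey();
            // HTTP header names are case-insensitive.
            if (name.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
                String key = name.substring(PREFIX.length()).toUpperCase(Locale.ROOT);
                claims.put(key, h.getValue());
            }
        }
        return claims.isEmpty() ? Optional.empty() : Optional.of(claims);
    }

    /** Status used in this sketch: 401 whenever no trusted claims exist. */
    int status(Request req) {
        return claims(req).isPresent() ? 200 : 401;
    }

    public static void main(String[] args) {
        // Constructed sample data: header names after the prefix, their
        // values and port 8181 are made up for this example.
        SecureProxyPortGate gate = new SecureProxyPortGate(Set.of(8383));
        Map<String, String> sssd = Map.of(
                "X-SSSD-REMOTE_USER", "alice",
                "x-sssd-remote_user_groups", "admins:netops",
                "Accept", "application/json");

        List<Request> samples = List.of(
                new Request(8383, sssd),   // relayed by the trusted proxy
                new Request(8181, sssd),   // same headers, untrusted port
                new Request(8383, Map.of("Accept", "application/json")));

        for (Request r : samples) {
            System.out.printf("port=%d status=%d claims=%s%n",
                    r.localPort(), gate.status(r), gate.claims(r).orElse(Map.of()));
        }
    }
}
```

The port check runs before any header is parsed, so identical X-SSSD-* headers yield claims on 8383 and nothing on 8181.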
Liem Nguyen [Thu, 18 Sep 2014 00:01:32 +0000 (00:01 +0000)]
Merge "Added sonar plugin"
Wojciech Dec [Wed, 17 Sep 2014 18:52:52 +0000 (20:52 +0200)]
Fix to Authz feature dependency + some clean-up
Change-Id: I6a7298e809e7d2d3f3eefca3975012b3166db4d5
Signed-off-by: Wojciech Dec <wdec@cisco.com>