new approach for trust

CHANGES_NEXT_RELEASE

@@ -1,3 +1,4 @@
+- Add: new approach to handle trust auth (urbo-deployer#868)
 - Add: allow use expandVar with JSON objects (#703)
 - Add: apply expandVar with JSON.parse to all fields of all actions (sms, smpp, email, post, update) (#746)
 - Fix: check domain before access domain

config.js

@@ -157,17 +157,6 @@ config.pep = {
     URL: 'http://pep-endpoint:1026'
 };
 
-/**
- * Authorization endpoint
- */
-config.authentication = {
-    host: 'keystone',
-    port: '5001',
-    user: 'user',
-    password: 'password',
-    service: 'admin_domain'
-};
-
 /**
  * Collections
  * @type {String}

configTrust.js

@@ -0,0 +1,25 @@
+'use strict';
+
+/**
+ * List of pre-configured trusts
+ */
+var configTrust = {};
+
+configTrust.trusts = [
+    {
+        host: 'keystone',
+        port: '5001',
+        id: 'trust1',
+        user: 'user1',
+        password: 'password',
+        service: 'domain1'
+    },
+    {
+        host: 'keystone',
+        port: '5001',
+        id: 'trust2',
+        user: 'user2',
+        password: 'password2',
+        service: 'domain2'
+    }
+];

docs/API/plain_rules.md

@@ -396,23 +396,21 @@ the Perseo configuration). The `parameters` map includes the following fields:
     -   UPDATE: update attributes, asumming they exist (otherwise the update operation fails at CB)
     -   DELETE: delete attributes (or the entity itself if the attributes list is empty)
 -   trust: optional, trust for getting an access token from Auth Server which can be used to get to a Context Broker
-    behind a PEP. A trust is a way of Keystone to allow an user (trustor) delegates a role to another user (trustee) for
-    a subservice. Complete info could be found at:
-    -   [Trusts concept](https://docs.openstack.org/keystone/stein/user/trusts)
-    -   [Trusts API](https://docs.openstack.org/keystone/stein/api_curl_examples.html#post-v3-os-trust-trusts)
-    -   [Trust token flow example](./trust_token.md)
--   authentication: optional, authentication (host, port, user, password and service) configuration values that will be
-    used by updateAction rule (instead of default authentication defined by configuration) which will be used when a
-    trust token should be negotiated. i.e.:
-    ```json
-    "authentication": {
-        "host": "ext-keystone",
-        "port": 5001,
-        "user": "mycepuser",
-        "password": "myceppassword",
-        "service": "mycepuserservice"
-     }
+    behind a PEP. This trust is indexed by `id` in a configuration file named configTrust.js which has the following
+    format which describe full client credentials including idm endpoint:
+
+    ```
+    configTrust.trusts = [
+       {
+           host: 'keystone',
+           port: '5001',
+           id: 'trust1',
+           user: 'user1',
+           password: 'password',
+           service: 'domain1'
+       }
     ```
+
 -   service: optional, service that will be used by updateAction rule instead of current event service. In this case,
     externalCBUrl or configured Orion PEP URL will be used instead of Orion URL, and then no token for auth will be
     negotiated.

lib/models/keystone.js

@@ -25,19 +25,19 @@
 var util = require('util'),
     request = require('request'),
     logger = require('logops'),
-    config = require('../../config'),
+    configTrust = require('../../configTrust'),
     alarm = require('../alarm'),
     errors = {};
 
-function getToken(trust, authentication, callback) {
-    const host = authentication && authentication.host ? authentication.host : config.authentication.host;
-    const port = authentication && authentication.port ? authentication.port : config.authentication.port;
-    const user = authentication && authentication.user ? authentication.user : config.authentication.user;
-    const password =
-        authentication && authentication.password ? authentication.password : config.authentication.password;
-    const domain = authentication && authentication.service ? authentication.service : config.authentication.service;
+function getToken(trust, callback) {
+    var trustConf = configTrust.trusts.find((item) => item.id === trust);
+    // check trust was found or log it
+    if (!trustConf) {
+        logger.error('Trust [%s] not found in configTrust file', trust);
+        callback(new errors.TokenRetrievalError(trust, 'trust not found' + trust));
+    }
     var options = {
-        url: 'http://' + host + ':' + port + '/v3/auth/tokens',
+        url: 'http://' + trustConf.host + ':' + trustConf.port + '/v3/auth/tokens',
         method: 'POST',
         json: {
             auth: {
@@ -46,23 +46,23 @@ function getToken(trust, authentication, callback) {
                     password: {
                         user: {
                             domain: {
-                                name: domain
+                                name: trustConf.service
                             },
-                            name: user,
-                            password: password
+                            name: trustConf.user,
+                            password: trustConf.password
                         }
                     }
                 },
                 scope: {
-                    'OS-TRUST:trust': {
-                        id: trust
+                    domain: {
+                        name: trustConf.service
                     }
                 }
             }
         }
     };
 
-    logger.debug('retrieving token from Keystone using trust [%s]', trust);
+    logger.debug('retrieving token with trust [%s]', trust);
 
     request(options, function handleResponse(error, response /*, body*/) {
         if (error) {

lib/models/updateAction.js

@@ -56,11 +56,11 @@ function getCachedToken(service, subservice, name) {
     return tokens[service][subservice][name];
 }
 
-function generateToken(trust, cached, authentication) {
+function generateToken(trust, cached) {
     cached.generating = true;
     logger.info('start generating token');
     // Here we call KeyStone to generate a token, we'll entry into the event loop
-    keystone.getToken(trust, authentication, function(error, token) {
+    keystone.getToken(trust, function(error, token) {
         if (!error) {
             cached.token = token;
             logger.info('token generated successfully');
@@ -498,7 +498,7 @@ function doItWithToken(action, event, version, callback) {
             // v2 response using ngsijs
             cached.emitter.once(newTokenEventName, newTokenListener);
             if (cached.generating === false) {
-                generateToken(action.parameters.trust, cached, action.parameters.authentication);
+                generateToken(action.parameters.trust, cached);
             }
         } else {
             return callback(error, data);
@@ -516,7 +516,7 @@ function doItWithToken(action, event, version, callback) {
         cached.emitter.once(newTokenEventName, newTokenListener);
         if (cached.generating === false) {
             logger.debug('generating token for %s %s %s', service, subservice, ruleName);
-            generateToken(action.parameters.trust, cached, action.parameters.authentication);
+            generateToken(action.parameters.trust, cached);
         }
     } else if (cached.generating === true) {
         // In the middle of getting a new one

lib/myutils.js

@@ -399,19 +399,6 @@ function ruleWithContextTimedRule(rule) {
         .trim();
 }
 
-function purgeRuleAuthPassword(rule) {
-    if (
-        rule &&
-        rule.action &&
-        rule.action.parameters &&
-        rule.action.parameters.authentication &&
-        rule.action.parameters.authentication.password
-    ) {
-        rule.action.parameters.authentication.password = constants.OBFUSCATED_PWD;
-    }
-    return rule;
-}
-
 /**
  * expandVar substitutes every variable in val (denoted as $(var}) with the value
  * in mappings (as dictionary), getting the key 'var' from the object
@@ -515,10 +502,3 @@ module.exports.contextEPLTimedRule = contextEPLTimedRule;
  * @param  {Object} Object rule
  */
 module.exports.ruleWithContextTimedRule = ruleWithContextTimedRule;
-
-/**
- * ruleWithContextTimedRule returns the rule with action auth password obfuscated
- *
- * @param  {Object} Object rule
- */
-module.exports.purgeRuleAuthPassword = purgeRuleAuthPassword;

lib/routes/rulesController.js

@@ -41,7 +41,6 @@ function GetAllRules(req, resp) {
             data = data.splice(offset, limit);
             var dataPurged = [];
             data.forEach(function(rule) {
-                rule = myutils.purgeRuleAuthPassword(rule);
                 dataPurged.push(rule);
             });
             data = dataPurged;
@@ -57,7 +56,6 @@ function GetRules(req, resp) {
     };
     logger.debug({}, 'getting rule %j', rule);
     rules.Find(rule, function(err, data) {
-        data = myutils.purgeRuleAuthPassword(data);
         myutils.respond(resp, err, data);
     });
 }

test/component/auth_test.js

@@ -43,8 +43,16 @@ describe('Auth', function() {
                 action = utilsT.loadExample('./test/data/good_actions/action_update_trust.json'),
                 date = new Date();
             action.ev.id += date.getTime();
-            utilsT.getConfig().authentication.host = 'localhost';
-            utilsT.getConfig().authentication.port = utilsT.fakeHttpServerPort;
+            utilsT.getConfigTrust().trusts = [
+                {
+                    host: 'localhost',
+                    port: utilsT.fakeHttpServerPort,
+                    id: 'thisIsATriustToken',
+                    user: 'user1',
+                    password: 'password',
+                    service: 'domain1'
+                }
+            ];
             utilsT.getConfig().orion.URL = new URL(util.format('http://localhost:%s', utilsT.fakeHttpServerPort));
             updateDone.once('updated_renew', done);
             updateDone.once('updated_first', function(error) {

test/utils/utilsT.js

@@ -27,6 +27,7 @@ var fs = require('fs'),
     path = require('path'),
     MongoClient = require('mongodb').MongoClient,
     config = require('../../config'),
+    configTrust = require('../../configTrust'),
     fakeServerPort = 9753,
     fakeServerCode = 200,
     fakeServerMessage = 'All right',
@@ -244,6 +245,10 @@ function getConfig() {
     return config;
 }
 
+function getConfigTrust() {
+    return configTrust;
+}
+
 function fakeHttpServer(cb) {
     var server = require('http')
         .createServer(function(req, res) {
@@ -289,3 +294,4 @@ module.exports.setServerCallback = function(fxn) {
     fakeServerCallback = fxn;
 };
 module.exports.getConfig = getConfig;
+module.exports.getConfigTrust = getConfigTrust;