new approach for trust

CHANGES_NEXT_RELEASE

@@ -1,3 +1,6 @@
+- Add: new approach to handle trust auth (urbo-deployer#868)
+- Remove: field "authentication" support in update action
+- Remove: config.authentication (along with related env vars PERSEO_AUTHENTICATION_*)
 - Add: allow use expandVar with JSON objects (#703)
 - Add: apply expandVar with JSON.parse to all fields of all actions (sms, smpp, email, post, update) (#746)
 - Fix: check domain before access domain

bin/perseo

@@ -102,11 +102,6 @@ function loadConfiguration() {
         'PERSEO_NOTICES_PATH',
         'PERSEO_RULES_PATH',
         'PERSEO_CAST_TYPES',
-        'PERSEO_AUTHENTICATION_HOST',
-        'PERSEO_AUTHENTICATION_PORT',
-        'PERSEO_AUTHENTICATION_USER',
-        'PERSEO_AUTHENTICATION_PASSWORD',
-        'PERSEO_AUTHENTICATION_SERVICE',
         'PERSEO_MAX_RULES_BY_CORR',
         'PERSEO_CHECK_NON_SIGNAL_BY_API'
     ];

config.js

@@ -157,17 +157,6 @@ config.pep = {
     URL: 'http://pep-endpoint:1026'
 };
 
-/**
- * Authorization endpoint
- */
-config.authentication = {
-    host: 'keystone',
-    port: '5001',
-    user: 'user',
-    password: 'password',
-    service: 'admin_domain'
-};
-
 /**
  * Collections
  * @type {String}

configTrust.js

@@ -0,0 +1,25 @@
+'use strict';
+
+/**
+ * List of pre-configured trusts
+ */
+var configTrust = {};
+
+configTrust.trusts = [
+    {
+        host: 'keystone',
+        port: '5001',
+        id: 'trust1',
+        user: 'user1',
+        password: 'password',
+        service: 'domain1'
+    },
+    {
+        host: 'keystone',
+        port: '5001',
+        id: 'trust2',
+        user: 'user2',
+        password: 'password2',
+        service: 'domain2'
+    }
+];

docs/API/plain_rules.md

@@ -396,23 +396,21 @@ the Perseo configuration). The `parameters` map includes the following fields:
     -   UPDATE: update attributes, asumming they exist (otherwise the update operation fails at CB)
     -   DELETE: delete attributes (or the entity itself if the attributes list is empty)
 -   trust: optional, trust for getting an access token from Auth Server which can be used to get to a Context Broker
-    behind a PEP. A trust is a way of Keystone to allow an user (trustor) delegates a role to another user (trustee) for
-    a subservice. Complete info could be found at:
-    -   [Trusts concept](https://docs.openstack.org/keystone/stein/user/trusts)
-    -   [Trusts API](https://docs.openstack.org/keystone/stein/api_curl_examples.html#post-v3-os-trust-trusts)
-    -   [Trust token flow example](./trust_token.md)
--   authentication: optional, authentication (host, port, user, password and service) configuration values that will be
-    used by updateAction rule (instead of default authentication defined by configuration) which will be used when a
-    trust token should be negotiated. i.e.:
-    ```json
-    "authentication": {
-        "host": "ext-keystone",
-        "port": 5001,
-        "user": "mycepuser",
-        "password": "myceppassword",
-        "service": "mycepuserservice"
-     }
+    behind a PEP. This trust is indexed by `id` in a configuration file named configTrust.js which has the following
+    format which describe full client credentials including idm endpoint:
+
+    ```
+    configTrust.trusts = [
+       {
+           host: 'keystone',
+           port: '5001',
+           id: 'trust1',
+           user: 'user1',
+           password: 'password',
+           service: 'domain1'
+       }
     ```
+
 -   service: optional, service that will be used by updateAction rule instead of current event service. In this case,
     externalCBUrl or configured Orion PEP URL will be used instead of Orion URL, and then no token for auth will be
     negotiated.