From: tierno Date: Fri, 14 Jun 2019 12:07:15 +0000 (+0000) Subject: Fix bug 771 Do not revoke token when try to do a non allowed operation X-Git-Tag: v6.0.0~1 X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=c844536bb27c39aa48988284c5a0d7b404930a8a;p=osm%2FNBI.git Fix bug 771 Do not revoke token when try to do a non allowed operation Fix nslcmop and nsilcmo (ns and nsi opeartions) URLs Change-Id: I21d87b5ed210b03237898b726a0386e1d65b591a Signed-off-by: tierno --- diff --git a/osm_nbi/auth.py b/osm_nbi/auth.py index 6c44499..dc7c0ff 100644 --- a/osm_nbi/auth.py +++ b/osm_nbi/auth.py @@ -42,7 +42,7 @@ from time import time from os import path from base_topic import BaseTopic # To allow project names in project_id -from authconn import AuthException +from authconn import AuthException, AuthExceptionUnauthorized from authconn_keystone import AuthconnKeystone from osm_common import dbmongo from osm_common import dbmemory @@ -292,21 +292,18 @@ class Authenticator: if not token: raise AuthException("Needed a token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED) - try: - token_info = self.backend.validate_token(token) - # TODO add to token info remote host, port - - self.check_permissions(token_info, cherrypy.request.path_info, - cherrypy.request.method) - return token_info - except AuthException: - self.del_token(token) - raise + token_info = self.backend.validate_token(token) + # TODO add to token info remote host, port + + self.check_permissions(token_info, cherrypy.request.path_info, + cherrypy.request.method) + return token_info except AuthException as e: - if cherrypy.session.get('Authorization'): - del cherrypy.session['Authorization'] - cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e) - raise AuthException(str(e)) + if not isinstance(e, AuthExceptionUnauthorized): + if cherrypy.session.get('Authorization'): + del cherrypy.session['Authorization'] + cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e) + raise def new_token(self, session, indata, remote): if self.config["authentication"]["backend"] == "internal": @@ -429,7 +426,7 @@ class Authenticator: if role in roles_required: return - raise AuthException("Access denied: lack of permissions.") + raise AuthExceptionUnauthorized("Access denied: lack of permissions.") def get_user_list(self): return self.backend.get_user_list() diff --git a/osm_nbi/authconn.py b/osm_nbi/authconn.py index b408052..140e024 100644 --- a/osm_nbi/authconn.py +++ b/osm_nbi/authconn.py @@ -31,13 +31,20 @@ from http import HTTPStatus class AuthException(Exception): """ - Authentication error. + Authentication error, because token, user password not recognized """ def __init__(self, message, http_code=HTTPStatus.UNAUTHORIZED): super(AuthException, self).__init__(message) self.http_code = http_code +class AuthExceptionUnauthorized(AuthException): + """ + Authentication error, because not having rights to make this operation + """ + pass + + class AuthconnException(Exception): """ Common and base class Exception for all authconn exceptions. diff --git a/osm_nbi/resources_to_operations.yml b/osm_nbi/resources_to_operations.yml index ff659d4..88421e6 100644 --- a/osm_nbi/resources_to_operations.yml +++ b/osm_nbi/resources_to_operations.yml @@ -126,9 +126,9 @@ resources_to_operations: "POST /nslcm/v1/ns_instances//scale": "ns_instances:id:scale:post" - "GET /nslcm/v1/ns_instances//ns_lcm_op_occs": "ns_instances:id:opps:get" + "GET /nslcm/v1/ns_lcm_op_occs": "ns_instances:opps:get" - "GET /nslcm/v1/ns_instances//ns_lcm_op_occs/": "ns_instances:id:opps:id:get" + "GET /nslcm/v1/ns_lcm_op_occs/": "ns_instances:opps:id:get" ################################################################################ ################################# VNF Instances ################################ @@ -355,12 +355,12 @@ resources_to_operations: "POST /nsilcm/v1/netslice_instances//action": "slice_instances:id:action:post" - "GET /nsilcm/v1/netslice_instances//nsi_lcm_op_occs": "slice_instances:id:opps:get" + "GET /nsilcm/v1/nsi_lcm_op_occs": "slice_instances:opps:get" - "GET /nsilcm/v1/netslice_instances//nsi_lcm_op_occs/": "slice_instances:id:opps:id:get" + "GET /nsilcm/v1/nsi_lcm_op_occs/": "slice_instances:opps:id:get" ################################################################################ -############################ Admin #################################### +############################ QUERY STRING admin operations ##################### ################################################################################ "GET ADMIN": "admin"