From c844536bb27c39aa48988284c5a0d7b404930a8a Mon Sep 17 00:00:00 2001 From: tierno Date: Fri, 14 Jun 2019 12:07:15 +0000 Subject: [PATCH] Fix bug 771 Do not revoke token when try to do a non allowed operation Fix nslcmop and nsilcmo (ns and nsi opeartions) URLs Change-Id: I21d87b5ed210b03237898b726a0386e1d65b591a Signed-off-by: tierno --- osm_nbi/auth.py | 29 +++++++++++++---------------- osm_nbi/authconn.py | 9 ++++++++- osm_nbi/resources_to_operations.yml | 10 +++++----- 3 files changed, 26 insertions(+), 22 deletions(-) diff --git a/osm_nbi/auth.py b/osm_nbi/auth.py index 6c44499..dc7c0ff 100644 --- a/osm_nbi/auth.py +++ b/osm_nbi/auth.py @@ -42,7 +42,7 @@ from time import time from os import path from base_topic import BaseTopic # To allow project names in project_id -from authconn import AuthException +from authconn import AuthException, AuthExceptionUnauthorized from authconn_keystone import AuthconnKeystone from osm_common import dbmongo from osm_common import dbmemory 
@@ -292,21 +292,18 @@ class Authenticator: if not token: raise AuthException("Needed a token or Authorization http header", http_code=HTTPStatus.UNAUTHORIZED) - try: - token_info = self.backend.validate_token(token) - # TODO add to token info remote host, port - - self.check_permissions(token_info, cherrypy.request.path_info, - cherrypy.request.method) - return token_info - except AuthException: - self.del_token(token) - raise + token_info = self.backend.validate_token(token) + # TODO add to token info remote host, port + + self.check_permissions(token_info, cherrypy.request.path_info, + cherrypy.request.method) + return token_info except AuthException as e: - if cherrypy.session.get('Authorization'): - del cherrypy.session['Authorization'] - cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e) - raise AuthException(str(e)) + if not isinstance(e, AuthExceptionUnauthorized): + if cherrypy.session.get('Authorization'): + del cherrypy.session['Authorization'] + cherrypy.response.headers["WWW-Authenticate"] = 'Bearer realm="{}"'.format(e) + raise def new_token(self, session, indata, remote): if self.config["authentication"]["backend"] == "internal": @@ -429,7 +426,7 @@ class Authenticator: if role in roles_required: return - raise AuthException("Access denied: lack of permissions.") + raise AuthExceptionUnauthorized("Access denied: lack of permissions.") def get_user_list(self): return self.backend.get_user_list() diff --git a/osm_nbi/authconn.py b/osm_nbi/authconn.py index b408052..140e024 100644 --- a/osm_nbi/authconn.py +++ b/osm_nbi/authconn.py 
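Review bot: Removing the inner `try` drops `self.del_token(token)` for every `AuthException`, not only for the permission denial named in the commit title, so a token that `self.backend.validate_token` rejects is no longer removed on this path either. Whether the backend discards such tokens on its own is not visible in this hunk; if the wider change is intended, a comment on the handler such as `# permission denials keep token and session; only authentication failures clear the session` would record it. The `isinstance` test would also read more directly as a separate `except AuthExceptionUnauthorized: raise` clause placed before `except AuthException as e:`. The enclosing method and its outer `try:` begin above the hunk.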
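Review bot: `AuthExceptionUnauthorized` is raised here without an `http_code`, so it inherits the `HTTPStatus.UNAUTHORIZED` default from `AuthException` in authconn.py. A caller with a valid token but an insufficient role would presumably still receive a 401, and the reworked handler in the previous hunk appears to skip the `WWW-Authenticate` header for this class. A permission denial is normally reported as 403, so that clients keep a valid token instead of re-authenticating. Passing it explicitly, `raise AuthExceptionUnauthorized("Access denied: lack of permissions.", http_code=HTTPStatus.FORBIDDEN)`, or giving the subclass its own default, would separate the two cases. How `http_code` reaches the response is outside this diff, and the enclosing method starts above the hunk.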
@@ -31,13 +31,20 @@ from http import HTTPStatus class AuthException(Exception): """ - Authentication error. + Authentication error, because token, user password not recognized """ def __init__(self, message, http_code=HTTPStatus.UNAUTHORIZED): super(AuthException, self).__init__(message) self.http_code = http_code +class AuthExceptionUnauthorized(AuthException): + """ + Authentication error, because not having rights to make this operation + """ + pass + + class AuthconnException(Exception): """ Common and base class Exception for all authconn exceptions. diff --git a/osm_nbi/resources_to_operations.yml b/osm_nbi/resources_to_operations.yml index ff659d4..88421e6 100644 --- a/osm_nbi/resources_to_operations.yml +++ b/osm_nbi/resources_to_operations.yml @@ -126,9 +126,9 @@ resources_to_operations: "POST /nslcm/v1/ns_instances//scale": "ns_instances:id:scale:post" - "GET /nslcm/v1/ns_instances//ns_lcm_op_occs": "ns_instances:id:opps:get" + "GET /nslcm/v1/ns_lcm_op_occs": "ns_instances:opps:get" - "GET /nslcm/v1/ns_instances//ns_lcm_op_occs/": "ns_instances:id:opps:id:get" + "GET /nslcm/v1/ns_lcm_op_occs/": "ns_instances:opps:id:get" ################################################################################ ################################# VNF Instances ################################ 
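Review bot: The docstring of the new `AuthExceptionUnauthorized` still calls a permission denial an "Authentication error", which blurs the distinction the class was added to make. Something like `"""Authorization error: the credentials are valid but lack the rights for this operation."""` would state it directly. The reworded `AuthException` docstring could likewise say that it covers a token or user/password that is not recognized. The trailing `pass` is redundant once the class body has a docstring.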
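Review bot: The operation keys are renamed along with the URLs, while the diffstat lists no role definition file. Here `ns_instances:id:opps:get` becomes `ns_instances:opps:get` and `ns_instances:id:opps:id:get` becomes `ns_instances:opps:id:get`, and the next hunk does the same for the `slice_instances` pair. Any role that grants the old key names would presumably stop matching these endpoints and end in the "Access denied" path, so confirm that the role-to-operation mapping is either updated elsewhere or does not reference them. A short comment above the four entries noting that the op-occs resources are top-level, not nested under an instance id, would explain why the `:id:` segment was dropped.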
@@ -355,12 +355,12 @@ resources_to_operations: "POST /nsilcm/v1/netslice_instances//action": "slice_instances:id:action:post" - "GET /nsilcm/v1/netslice_instances//nsi_lcm_op_occs": "slice_instances:id:opps:get" + "GET /nsilcm/v1/nsi_lcm_op_occs": "slice_instances:opps:get" - "GET /nsilcm/v1/netslice_instances//nsi_lcm_op_occs/": "slice_instances:id:opps:id:get" + "GET /nsilcm/v1/nsi_lcm_op_occs/": "slice_instances:opps:id:get" ################################################################################ -############################ Admin #################################### +############################ QUERY STRING admin operations ##################### ################################################################################ "GET ADMIN": "admin" -- 2.17.1