fixed oauth scenario

add oauth aaa-app-config into container to cp if flag is set

Issue-ID: SDNC-1486
Signed-off-by: Michael DÜrre <michael.duerre@highstreet-technologies.com>
Change-Id: I30fcced6f49341110b9ec259d629d2bf86700f3a

Former-commit-id: 3e0ba3015118b87223fdc6d5e876536fd4ac847b
diff --git a/installation/sdnc/pom.xml b/installation/sdnc/pom.xml
index 57b560e..be951d2 100644
--- a/installation/sdnc/pom.xml
+++ b/installation/sdnc/pom.xml
@@ -347,6 +347,7 @@
                                     <directory>src/main/resources</directory>
                                     <includes>
                                         <include>*.dump</include>
+                                        <include>oauth-aaa-app-config.xml</include>
                                     </includes>
                                     <filtering>false</filtering>
                                 </resource>
diff --git a/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml b/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml
new file mode 100644
index 0000000..a8c44d3
--- /dev/null
+++ b/installation/sdnc/src/main/resources/oauth-aaa-app-config.xml
@@ -0,0 +1,347 @@
+<?xml version="1.0" ?>
+<!--
+     Copyright (c) 2017 Inocybe Technologies and others.  All rights reserved.
+
+     This program and the accompanying materials are made available under the
+     terms of the Eclipse Public License v1.0 which accompanies this distribution,
+     and is available at http://www.eclipse.org/legal/epl-v10.html
+-->
+
+<!--
+  ///////////////////////////////////////////////////////////////////////////////////////
+  // clustered-app-config instance responsible for AAA configuration.  In the future,  //
+  // this will contain all AAA related configuration.                                  //
+  ///////////////////////////////////////////////////////////////////////////////////////
+-->
+
+<shiro-configuration xmlns="urn:opendaylight:aaa:app:config">
+
+    <!--
+      ///////////////////////////////////////////////////////////////////////////////////
+      // shiro-configuration is the model based container that contains all shiro      //
+      // related information used in ODL AAA configuration.  It is the sole pain of    //
+      // glass for shiro related configuration, and is how to configure shiro concepts //
+      // such as:                                                                      //
+      // * realms                                                                      //
+      // * urls                                                                        //
+      // * security manager settings                                                   //
+      //                                                                               //
+      // In general, you really shouldn't muck with the settings in this file.  The    //
+      // way an operator should configure AAA shiro settings is through one of ODL's   //
+      // northbound interfaces (i.e., RESTCONF or NETCONF).  These are just the        //
+      // defaults if no values are specified in MD-SAL.  The reason this file is so    //
+      // verbose is for two reasons:                                                   //
+      // 1) to demonstrate payload examples for plausible configuration scenarios      //
+      // 2) to allow bootstrap of the controller (first time start) since otherwise    //
+      //    configuration becomes a chicken and the egg problem.                       //
+      //                                                                               //
+      ///////////////////////////////////////////////////////////////////////////////////
+    -->
+
+    <!--
+      ===================================================================================
+      =                                                                                 =
+      =                                                                                 =
+      =                                      MAIN                                       =
+      =                                                                                 =
+      =                                                                                 =
+      ===================================================================================
+    -->
+
+    <!--
+      ===================================================================================
+      ============================ ODLJndiLdapRealmAuthNOnly ============================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with an external LDAP  =
+      =               server for authentication only.  For authorization support, refer =
+      =               to ODLJndiLdapRealm.                                              =
+      ===================================================================================
+    -->
+    <!-- Start ldapRealm commented out
+    <main>
+        <pair-key>ldapRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.userDnTemplate</pair-key>
+        <pair-value>uid={0},ou=People,dc=DOMAIN,dc=TLD</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.contextFactory.url</pair-key>
+        <pair-value>ldap://&lt;URL&gt;:389</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.searchBase</pair-key>
+        <pair-value>dc=DOMAIN,dc=TLD</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.groupRolesMap</pair-key>
+        <pair-value>&quot;person&quot;:&quot;admin&quot;, &quot;organizationalPerson&quot;:&quot;user&quot;</pair-value>
+    </main>
+    <main>
+        <pair-key>ldapRealm.ldapAttributeForComparison</pair-key>
+        <pair-value>objectClass</pair-value>
+    </main>
+    End ldapRealm commented out-->
+
+    <!--
+      ===================================================================================
+      ============================= ODLActiveDirectoryRealm =============================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with an external AD    =
+      =               IDP server.                                                       =
+      ===================================================================================
+    -->
+    <!-- Start adRealm commented out
+    <main>
+        <pair-key>adRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.ODLActiveDirectoryRealm</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.searchBase</pair-key>
+        <pair-value>&quot;CN=Users,DC=example,DC=com&quot;</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.systemUsername</pair-key>
+        <pair-value>aduser@example.com</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.systemPassword</pair-key>
+        <pair-value>adpassword</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.url</pair-key>
+        <pair-value>ldaps://adserver:636</pair-value>
+    </main>
+    <main>
+        <pair-key>adRealm.groupRolesMap</pair-key>
+        <pair-value>&quot;CN=sysadmin,CN=Users,DC=example,DC=com&quot;:&quot;admin&quot;, &quot;CN=unprivileged,CN=Users,DC=example,DC=com&quot;:&quot;user&quot;</pair-value>
+    </main>
+    End adRealm commented out-->
+
+    <!--
+      ===================================================================================
+      ================================== ODLJdbcRealm ===================================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with an external JDBC  =
+      =               DBMS.                                                             =
+      ===================================================================================
+    -->
+    <!-- Start jdbcRealm commented out
+    <main>
+        <pair-key>ds</pair-key>
+        <pair-value>com.mysql.jdbc.Driver</pair-value>
+    </main>
+    <main>
+        <pair-key>ds.serverName</pair-key>
+        <pair-value>localhost</pair-value>
+    </main>
+    <main>
+        <pair-key>ds.user</pair-key>
+        <pair-value>user</pair-value>
+    </main>
+    <main>
+        <pair-key>ds.password</pair-key>
+        <pair-value>password</pair-value>
+    </main>
+    <main>
+        <pair-key>ds.databaseName</pair-key>
+        <pair-value>db_name</pair-value>
+    </main>
+    <main>
+        <pair-key>jdbcRealm</pair-key>
+        <pair-value>ODLJdbcRealm</pair-value>
+    </main>
+    <main>
+        <pair-key>jdbcRealm.dataSource</pair-key>
+        <pair-value>$ds</pair-value>
+    </main>
+    <main>
+        <pair-key>jdbcRealm.authenticationQuery</pair-key>
+        <pair-value>&quot;SELECT password FROM users WHERE user_name = ?&quot;</pair-value>
+    </main>
+    <main>
+        <pair-key>jdbcRealm.userRolesQuery</pair-key>
+        <pair-value>&quot;SELECT role_name FROM user_rolesWHERE user_name = ?&quot;</pair-value>
+    </main>
+    End jdbcRealm commented out-->
+
+    <!--
+      ===================================================================================
+      ================================= TokenAuthRealm ==================================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation utilizing a per node H2 database store.    =
+      ===================================================================================
+    -->
+<!--     <main> -->
+<!--         <pair-key>tokenAuthRealm</pair-key> -->
+<!--         <pair-value>org.opendaylight.aaa.shiro.realm.TokenAuthRealm</pair-value> -->
+<!--     </main> -->
+    <main>
+        <pair-key>tokenAuthRealm</pair-key>
+        <pair-value>org.onap.ccsdk.features.sdnr.wt.oauthprovider.OAuth2Realm</pair-value>
+    </main>
+
+    <!--
+      ===================================================================================
+      =================================== MdsalRealm ====================================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation utilizing the aaa.yang model.              =
+      ===================================================================================
+    -->
+    <!-- Start mdsalRealm commented out
+    <main>
+        <pair-key>mdsalRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.MdsalRealm</pair-value>
+    </main>
+    End mdsalRealm commented out-->
+
+    <!--
+      ===================================================================================
+      ================================= MoonAuthRealm ===================================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with OPNFV Moon.       =
+      ===================================================================================
+    -->
+    <!-- Start moonAuthRealm commented out
+    <main>
+        <pair-key>moonAuthRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.MoonRealm</pair-value>
+    </main>
+    <main>
+        <pair-key>moonAuthRealm.moonServerURL</pair-key>
+        <pair-value>http://&lt;host&gt;:&lt;port&gt;</pair-value>
+    </main>
+    End moonAuthRealm commented out-->
+
+    <!--
+      ===================================================================================
+      ================================= KeystoneAuthRealm == ============================
+      ===================================================================================
+      =                                                                                 =
+      = Description:  A Realm implementation aimed at federating with an OpenStack      =
+      =               Keystone.                                                         =
+      ===================================================================================
+    -->
+    <!-- Start keystoneAuthRealm commented out
+    <main>
+        <pair-key>keystoneAuthRealm</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm</pair-value>
+    </main>
+    <main>
+        <pair-key>keystoneAuthRealm.url</pair-key>
+        <pair-value>https://&lt;host&gt;:&lt;port&gt;</pair-value>
+    </main>
+    <main>
+        <pair-key>keystoneAuthRealm.sslVerification</pair-key>
+        <pair-value>true</pair-value>
+    </main>
+    <main>
+        <pair-key>keystoneAuthRealm.defaultDomain</pair-key>
+        <pair-value>Default</pair-value>
+    </main>
+    -->
+
+    <!--
+    Add tokenAuthRealm as the only realm.  To enable mdsalRealm, add it to the list to he right of tokenAuthRealm.
+    -->
+    <main>
+        <pair-key>securityManager.realms</pair-key>
+        <pair-value>$tokenAuthRealm</pair-value>
+    </main>
+    <!-- Used to support OAuth2 use case. -->
+    <main>
+        <pair-key>authcBasic</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</pair-value>
+    </main>
+    <main>
+        <pair-key>anyroles</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.AnyRoleHttpAuthenticationFilter</pair-value>
+    </main>
+    <main>
+        <pair-key>authcBearer</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter2</pair-value>
+    </main>
+   
+    <!-- Start moonAuthRealm commented out
+    <main>
+        <pair-key>rest</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.MoonOAuthFilter</pair-value>
+    </main>
+    End moonAuthRealm commented out-->
+
+    <!-- in order to track AAA challenge attempts -->
+    <main>
+        <pair-key>accountingListener</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.filters.AuthenticationListener</pair-value>
+    </main>
+    <main>
+        <pair-key>securityManager.authenticator.authenticationListeners</pair-key>
+        <pair-value>$accountingListener</pair-value>
+    </main>
+
+    <!-- Model based authorization scheme supporting RBAC for REST endpoints -->
+    <main>
+        <pair-key>dynamicAuthorization</pair-key>
+        <pair-value>org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter</pair-value>
+    </main>
+<!--     <main> -->
+<!--         <pair-key>securityManager.sessionManager.sessionIdCookieEnabled</pair-key> -->
+<!--         <pair-value>false</pair-value> -->
+<!--     </main> -->
+
+    <!--
+      ===================================================================================
+      =                                                                                 =
+      =                                                                                 =
+      =                                      URLS                                       =
+      =                                                                                 =
+      =                                                                                 =
+      ===================================================================================
+    -->
+    <!-- Start moonAuthRealm commented out
+    <urls>
+        <pair-key>/token</pair-key>
+        <pair-value>rest</pair-value>
+    </urls>
+    End moonAuthRealm commented out-->
+    <urls>
+        <pair-key>/**/operations/cluster-admin**</pair-key>
+        <pair-value>authcBearer, roles[admin]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/**/v1/**</pair-key>
+        <pair-value>authcBearer, roles[admin]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/**/config/aaa*/**</pair-key>
+        <pair-value>authcBearer, roles[admin]</pair-value>
+    </urls>
+     <urls>
+        <pair-key>/oauth/**</pair-key>
+        <pair-value>anon</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/odlux/**</pair-key>
+        <pair-value>anon</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/apidoc/**</pair-key>
+        <pair-value>authcBasic</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/rests/**</pair-key>
+        <pair-value>authcBearer, roles[admin]</pair-value>
+    </urls>
+    <urls>
+        <pair-key>/**</pair-key>
+        <pair-value>authcBearer, roles[admin]</pair-value>
+    </urls>
+</shiro-configuration>
+
diff --git a/installation/sdnc/src/main/scripts/startODL.sh b/installation/sdnc/src/main/scripts/startODL.sh
index 81e6d7f..7a22487 100755
--- a/installation/sdnc/src/main/scripts/startODL.sh
+++ b/installation/sdnc/src/main/scripts/startODL.sh
@@ -220,11 +220,7 @@
     rm $ODL_HOME/data/idmlight.db.mv.db
   fi
 fi
-# do not start container if ADMIN_PASSWORD is not set
-if [ -z "$ODL_ADMIN_PASSWORD" ]; then
-  echo "ODL_ADMIN_PASSWORD is not set"
-  exit 1
-fi
+
 SDNC_HOME=${SDNC_HOME:-/opt/onap/sdnc}
 SDNC_BIN=${SDNC_BIN:-/opt/onap/sdnc/bin}
 # Whether to intialize MYSql DB or not. Default is to initialize
@@ -329,6 +325,12 @@
   fi
 fi
 
+# do not start container if ADMIN_PASSWORD is not set
+if [ -z "$ODL_ADMIN_PASSWORD" ]; then
+  echo "ODL_ADMIN_PASSWORD is not set"
+  exit 1
+fi
+
 # Check for MySQL DB connectivity only if SDNC_DB_INIT is set to "true" 
 if $SDNC_DB_INIT; then
 #
@@ -343,6 +345,7 @@
   printf "\nmysql ready"
 fi
 
+
 if [ ! -d "${INSTALLED_DIR}" ]
 then
     mkdir -p "${INSTALLED_DIR}"
@@ -367,7 +370,10 @@
     fi
 
   if $SDNRWT ; then install_sdnrwt_features ; fi
-  if $ENABLE_OAUTH ; then install_sdnr_oauth_features ; fi
+  if $ENABLE_OAUTH ; then
+    cp $SDNC_HOME/data/oauth-aaa-app-config.xml $ODL_HOME/system/org/opendaylight/aaa/aaa-shiro/0.12.1/aaa-shiro-0.12.1-aaa-app-config.xml
+    install_sdnr_oauth_features 
+  fi
   
   # The enable_odl_cluster call should not be moved above this line as the cleanFeatureBoot will overwrite entries. Ex: odl-jolokia
   if $ENABLE_ODL_CLUSTER ; then enable_odl_cluster ; fi