OOF Casablanca (R3) PWT (Pair Wise Testing)



Pairwise testing is the process of validating the interconnections between OOF components and external dependencies in a lab environment. OOF supports functional testing in the form of simulations of some external dependencies, and PWT further validates the system with 'live' testing.

OOF-HAS → AAF 

PWT of the Homing and Allocation Service (HAS) and the Application Authorization Service (AAF) has been performed by executing HAS in a local environment (a Mac laptop) accessing a test instance of AAF in the WindRiver lab.

Debug statements in OOF provide the following messages during authentication:

    2018-10-27 09:43:08.552 706 INFO conductor.api.adapters.aaf.aaf_authentication [-] Authenticating username:password admin1 : plan.15:
    2018-10-27 09:43:08.552 706 INFO conductor.api.adapters.aaf.aaf_authentication [-] Get permisions for user oof@oof.onap.org
    2018-10-27 09:43:08.553 706 INFO conductor.api.adapters.aaf.aaf_authentication [-] Call AAF: URL https://aaf-onap-test.osaaf.org:8100/authz/perms/user/oof@oof.onap.org
    2018-10-27 09:43:11.680 706 INFO conductor.api.adapters.aaf.aaf_authentication [-] Validate permisions: acquired permissions {"perm":[{"type":"org.onap.aai.resources","instance":"*","action":"delete"},{"type":"org.onap.aai.resources","instance":"*","action":"get"},{"type":"org.onap.aai.resources","instance":"*","action":"patch"},{"type":"org.onap.aai.resources","instance":"*","action":"post"},{"type":"org.onap.aai.resources","instance":"*","action":"put"},{"type":"org.onap.aai.traversal","instance":"*","action":"advanced"},{"type":"org.onap.oof.access","instance":"*","action":"*"}]}
    2018-10-27 09:43:11.681 706 INFO conductor.api.adapters.aaf.aaf_authentication [-] Validate permisions: allowed permissions ['{"type": "org.onap.oof.access","instance": "*","action": "*"}']
    2018-10-27 09:43:51.896 706 INFO conductor.api.adapters.aaf.aaf_authentication [-] User has valid permissions

In this scenario, authentication has been invoked as the result of a request to create a plan, for example:

    $ curl -X POST --user admin1:plan.15 -H 'Content-Type: application/json' -d @homing.json localhost:8091/v1/plans

The user admin1 has been associated with the AAF identity oof@oof.onap.org, and the permissions associated with that user as returned by AAF are compared to a set of permissions granting access to OOF resources. In this case, because of the pre-populated data in AAF, there is a match.
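The comparison described above, sketched as an added example (this is not the HAS source code): it parses an AAF permissions response and allows the request only if one of the allowed permissions is present, denying on any malformed response. The exact-match rule, the function and constant names, and the sample responses are assumptions constructed from the log lines above.

```python
import json

FIELDS = ("type", "instance", "action")

# Permission HAS requires, copied from the "allowed permissions" log line.
ALLOWED = [{"type": "org.onap.oof.access", "instance": "*", "action": "*"}]

# Constructed sample AAF responses, modelled on the "acquired permissions" line.
AAF_OOF_USER = json.dumps({"perm": [
    {"type": "org.onap.aai.resources", "instance": "*", "action": "get"},
    {"type": "org.onap.aai.traversal", "instance": "*", "action": "advanced"},
    {"type": "org.onap.oof.access", "instance": "*", "action": "*"},
]})
AAF_AAI_ONLY = json.dumps({"perm": [
    {"type": "org.onap.aai.resources", "instance": "*", "action": "get"},
]})


def parse_perms(body):
    """Return the (type, instance, action) triples found in an AAF response.

    Bad JSON, a missing "perm" list, or entries with missing or non-string
    fields contribute nothing, so a malformed response can never grant access.
    Parsed triples also avoid mismatches caused by JSON spacing or key order.
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return set()
    perms = doc.get("perm") if isinstance(doc, dict) else None
    if not isinstance(perms, list):
        return set()
    return {
        tuple(p[f] for f in FIELDS)
        for p in perms
        if isinstance(p, dict) and all(isinstance(p.get(f), str) for f in FIELDS)
    }


def has_valid_permissions(body, allowed=ALLOWED):
    """True only if AAF returned at least one of the allowed permissions.

    Assumed rule: exact match on all three fields ("*" is compared literally).
    """
    wanted = {tuple(a[f] for f in FIELDS) for a in allowed}
    return bool(parse_perms(body) & wanted)
```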

AAF test instance

A test instance of AAF is running in the WindRiver lab. Access to the lab can be granted by contacting Stephen Gooch at stephen.gooch@windriver.com. Jonathan Gathman is a resource on the AAF team that may be of help with questions (jg1555@att.com).

See Integration / Developer Lab Access for more detail.

The AAF instance is populated with a number of objects. Those relevant for HAS PWT are:

namespace:

    org.onap.oof

users:

    oof@oof.onap.org

roles:

    org.onap.admin

    org.onap.oof.owner

    org.onap.oof.service

permissions:

    org.onap.oof.access|*|*

    org.onap.oof.access|*|read

    org.onap.oof.certman|local|request, ignoreIPs, showpass

Once VPN access is established, the following curl command will provide the associated response:

    $ curl -u <username>:<password> --header "Accept: application/Perms+json;q=1.0;charset=utf-8;version=2.1,application/json;q=1.0;version=2.1,*/*;q=1.0" https://aaf-onap-test.osaaf.org:8100/authz/perms/org.onap.oof.org

    {"perm" : [
    {
        "action" : "*",
        "instance" : "*",
        "type" : "org.onap.oof.access"
    }]}

TBD:

1) This framework allows us to define multiple users (identities), each with separate sets of permissions, such that different HAS clients could be granted different access to HAS API resources. At this point, only one user, identified by conductor_api username and password and associated with AAF user org.onap.oof.org, is supported. Authentication logic could be extended to support additional users, but a model for mapping credentials to users must be defined.

2) HTTPS authentication with AAF is currently based on basic auth. There remain unsolved issues in connecting to AAF using certs.

3) OOM tests. OOF-AAF integration has been performed in the integration lab, see TBD