From 2472ebabc12bd4d333a7df5b707bef0c8e43fe01 Mon Sep 17 00:00:00 2001
From: Alvaro Vega <alvaro.vegagarcia@telefonica.com>
Date: Wed, 20 Sep 2023 15:39:37 +0200
Subject: [PATCH] new approach for trust

---
 config.js                     | 18 ++++++++++++++++++
 docs/API/plain_rules.md       | 18 +-----------------
 lib/models/keystone.js        | 24 +++++++++++-------------
 lib/models/updateAction.js    |  8 ++++----
 lib/myutils.js                | 20 --------------------
 lib/routes/rulesController.js |  2 --
 test/component/auth_test.js   |  8 ++++++++
 7 files changed, 42 insertions(+), 56 deletions(-)

diff --git a/config.js b/config.js
index c9ae4220..a6a30b69 100644
--- a/config.js
+++ b/config.js
@@ -168,6 +168,24 @@ config.authentication = {
     service: 'admin_domain'
 };
 
+/**
+ * List of pre-configured trusts
+ */
+config.trusts = [
+    {
+        id: 'trust1',
+        user: 'user1',
+        password: 'password',
+        service: 'domain1'
+    },
+    {
+        id: 'trust2',
+        user: 'user2',
+        password: 'password2',
+        service: 'domain2'
+    }
+];
+
 /**
  * Collections
  * @type {String}
diff --git a/docs/API/plain_rules.md b/docs/API/plain_rules.md
index 062438a0..d9ff0004 100644
--- a/docs/API/plain_rules.md
+++ b/docs/API/plain_rules.md
@@ -396,23 +396,7 @@ the Perseo configuration). The `parameters` map includes the following fields:
     -   UPDATE: update attributes, asumming they exist (otherwise the update operation fails at CB)
     -   DELETE: delete attributes (or the entity itself if the attributes list is empty)
 -   trust: optional, trust for getting an access token from Auth Server which can be used to get to a Context Broker
-    behind a PEP. A trust is a way of Keystone to allow an user (trustor) delegates a role to another user (trustee) for
-    a subservice. Complete info could be found at:
-    -   [Trusts concept](https://docs.openstack.org/keystone/stein/user/trusts)
-    -   [Trusts API](https://docs.openstack.org/keystone/stein/api_curl_examples.html#post-v3-os-trust-trusts)
-    -   [Trust token flow example](./trust_token.md)
--   authentication: optional, authentication (host, port, user, password and service) configuration values that will be
-    used by updateAction rule (instead of default authentication defined by configuration) which will be used when a
-    trust token should be negotiated. i.e.:
-    ```json
-    "authentication": {
-        "host": "ext-keystone",
-        "port": 5001,
-        "user": "mycepuser",
-        "password": "myceppassword",
-        "service": "mycepuserservice"
-     }
-    ```
+    behind a PEP.
 -   service: optional, service that will be used by updateAction rule instead of current event service. In this case,
     externalCBUrl or configured Orion PEP URL will be used instead of Orion URL, and then no token for auth will be
     negotiated.
diff --git a/lib/models/keystone.js b/lib/models/keystone.js
index ccff8483..eab6cc4b 100644
--- a/lib/models/keystone.js
+++ b/lib/models/keystone.js
@@ -29,13 +29,11 @@ var util = require('util'),
     alarm = require('../alarm'),
     errors = {};
 
-function getToken(trust, authentication, callback) {
-    const host = authentication && authentication.host ? authentication.host : config.authentication.host;
-    const port = authentication && authentication.port ? authentication.port : config.authentication.port;
-    const user = authentication && authentication.user ? authentication.user : config.authentication.user;
-    const password =
-        authentication && authentication.password ? authentication.password : config.authentication.password;
-    const domain = authentication && authentication.service ? authentication.service : config.authentication.service;
+function getToken(trust, callback) {
+    const host = config.authentication.host;
+    const port = config.authentication.port;
+    var trustConf = config.trusts.find((item) => item.id === trust);
+
     var options = {
         url: 'http://' + host + ':' + port + '/v3/auth/tokens',
         method: 'POST',
@@ -46,23 +44,23 @@ function getToken(trust, authentication, callback) {
                     password: {
                         user: {
                             domain: {
-                                name: domain
+                                name: trustConf.service
                             },
-                            name: user,
-                            password: password
+                            name: trustConf.user,
+                            password: trustConf.password
                         }
                     }
                 },
                 scope: {
-                    'OS-TRUST:trust': {
-                        id: trust
+                    domain: {
+                        name: trustConf.service
                     }
                 }
             }
         }
     };
 
-    logger.debug('retrieving token from Keystone using trust [%s]', trust);
+    logger.debug('retrieving token with trust [%s]', trust);
 
     request(options, function handleResponse(error, response /*, body*/) {
         if (error) {
diff --git a/lib/models/updateAction.js b/lib/models/updateAction.js
index a013ae27..dae70a58 100644
--- a/lib/models/updateAction.js
+++ b/lib/models/updateAction.js
@@ -56,11 +56,11 @@ function getCachedToken(service, subservice, name) {
     return tokens[service][subservice][name];
 }
 
-function generateToken(trust, cached, authentication) {
+function generateToken(trust, cached) {
     cached.generating = true;
     logger.info('start generating token');
     // Here we call KeyStone to generate a token, we'll entry into the event loop
-    keystone.getToken(trust, authentication, function(error, token) {
+    keystone.getToken(trust, function(error, token) {
         if (!error) {
             cached.token = token;
             logger.info('token generated successfully');
@@ -498,7 +498,7 @@ function doItWithToken(action, event, version, callback) {
             // v2 response using ngsijs
             cached.emitter.once(newTokenEventName, newTokenListener);
             if (cached.generating === false) {
-                generateToken(action.parameters.trust, cached, action.parameters.authentication);
+                generateToken(action.parameters.trust, cached);
             }
         } else {
             return callback(error, data);
@@ -516,7 +516,7 @@ function doItWithToken(action, event, version, callback) {
         cached.emitter.once(newTokenEventName, newTokenListener);
         if (cached.generating === false) {
             logger.debug('generating token for %s %s %s', service, subservice, ruleName);
-            generateToken(action.parameters.trust, cached, action.parameters.authentication);
+            generateToken(action.parameters.trust, cached);
         }
     } else if (cached.generating === true) {
         // In the middle of getting a new one
diff --git a/lib/myutils.js b/lib/myutils.js
index de3ac720..3cfb2395 100644
--- a/lib/myutils.js
+++ b/lib/myutils.js
@@ -376,19 +376,6 @@ function ruleWithContextTimedRule(rule) {
         .trim();
 }
 
-function purgeRuleAuthPassword(rule) {
-    if (
-        rule &&
-        rule.action &&
-        rule.action.parameters &&
-        rule.action.parameters.authentication &&
-        rule.action.parameters.authentication.password
-    ) {
-        rule.action.parameters.authentication.password = constants.OBFUSCATED_PWD;
-    }
-    return rule;
-}
-
 /**
  * expandVar substitutes every variable in val (denoted as $(var}) with the value
  * in mappings (as dictionary), getting the key 'var' from the object
@@ -492,10 +479,3 @@ module.exports.contextEPLTimedRule = contextEPLTimedRule;
  * @param  {Object} Object rule
  */
 module.exports.ruleWithContextTimedRule = ruleWithContextTimedRule;
-
-/**
- * ruleWithContextTimedRule returns the rule with action auth password obfuscated
- *
- * @param  {Object} Object rule
- */
-module.exports.purgeRuleAuthPassword = purgeRuleAuthPassword;
diff --git a/lib/routes/rulesController.js b/lib/routes/rulesController.js
index 9fcfc62f..e54df19a 100644
--- a/lib/routes/rulesController.js
+++ b/lib/routes/rulesController.js
@@ -41,7 +41,6 @@ function GetAllRules(req, resp) {
             data = data.splice(offset, limit);
             var dataPurged = [];
             data.forEach(function(rule) {
-                rule = myutils.purgeRuleAuthPassword(rule);
                 dataPurged.push(rule);
             });
             data = dataPurged;
@@ -57,7 +56,6 @@ function GetRules(req, resp) {
     };
     logger.debug({}, 'getting rule %j', rule);
     rules.Find(rule, function(err, data) {
-        data = myutils.purgeRuleAuthPassword(data);
         myutils.respond(resp, err, data);
     });
 }
diff --git a/test/component/auth_test.js b/test/component/auth_test.js
index 1ee97993..f026e1e3 100644
--- a/test/component/auth_test.js
+++ b/test/component/auth_test.js
@@ -45,6 +45,14 @@ describe('Auth', function() {
             action.ev.id += date.getTime();
             utilsT.getConfig().authentication.host = 'localhost';
             utilsT.getConfig().authentication.port = utilsT.fakeHttpServerPort;
+            utilsT.getConfig().trusts = [
+                {
+                    id: 'thisIsATriustToken',
+                    user: 'user1',
+                    password: 'password',
+                    service: 'domain1'
+                }
+            ];
             utilsT.getConfig().orion.URL = new URL(util.format('http://localhost:%s', utilsT.fakeHttpServerPort));
             updateDone.once('updated_renew', done);
             updateDone.once('updated_first', function(error) {