diff options
Diffstat (limited to 'ms')
3 files changed, 126 insertions, 62 deletions
diff --git a/ms/blueprintsprocessor/functions/python-executor/src/main/kotlin/org/onap/ccsdk/cds/blueprintsprocessor/functions/python/executor/ComponentRemotePythonExecutor.kt b/ms/blueprintsprocessor/functions/python-executor/src/main/kotlin/org/onap/ccsdk/cds/blueprintsprocessor/functions/python/executor/ComponentRemotePythonExecutor.kt index 59c448407..9ed13c146 100644 --- a/ms/blueprintsprocessor/functions/python-executor/src/main/kotlin/org/onap/ccsdk/cds/blueprintsprocessor/functions/python/executor/ComponentRemotePythonExecutor.kt +++ b/ms/blueprintsprocessor/functions/python-executor/src/main/kotlin/org/onap/ccsdk/cds/blueprintsprocessor/functions/python/executor/ComponentRemotePythonExecutor.kt @@ -160,7 +160,7 @@ open class ComponentRemotePythonExecutor( // there are no artifacts for env. prepare, but we reuse it for err_log... if (prepareEnvOutput.status != StatusType.SUCCESS) { - setNodeOutputErrors(STEP_PREPARE_ENV, "".asJsonPrimitive(), prepareEnvOutput.payload, isLogResponseEnabled) + setNodeOutputErrors(STEP_PREPARE_ENV, "[]".asJsonPrimitive(), prepareEnvOutput.payload, isLogResponseEnabled) addError(StatusType.FAILURE.name, STEP_PREPARE_ENV, logs.toString()) } else { setNodeOutputProperties(prepareEnvOutput.status, STEP_PREPARE_ENV, logs, prepareEnvOutput.payload, isLogResponseEnabled) @@ -177,14 +177,14 @@ open class ComponentRemotePythonExecutor( // no execution log in case of timeout (as cmd-exec side hasn't finished to transfer output) // set prepare-env-log to the error msg, and cmd-exec-log to empty setAttribute(ATTRIBUTE_PREPARE_ENV_LOG, grpcErrMsg.asJsonPrimitive()) - setNodeOutputErrors(STEP_PREPARE_ENV, "".asJsonPrimitive(), "".asJsonPrimitive(), isLogResponseEnabled) + setNodeOutputErrors(STEP_PREPARE_ENV, "[]".asJsonPrimitive(), "{}".asJsonPrimitive(), isLogResponseEnabled) addError(StatusType.FAILURE.name, STEP_PREPARE_ENV, grpcErrMsg) log.error(grpcErrMsg, grpcEx) } catch (e: Exception) { val catchallErrMsg = "Command executor failed during env. preparation.. catch-all case. timeout($envPrepTimeout) requestId ($processId). exception msg: ${e.message}" // no environment prepare log from executor in case of timeout (as cmd-exec side hasn't finished to transfer output), set it to error msg. Execution logs is empty. setAttribute(ATTRIBUTE_PREPARE_ENV_LOG, catchallErrMsg.asJsonPrimitive()) - setNodeOutputErrors(STEP_PREPARE_ENV, "".asJsonPrimitive(), "".asJsonPrimitive(), isLogResponseEnabled) + setNodeOutputErrors(STEP_PREPARE_ENV, "[]".asJsonPrimitive(), "{}".asJsonPrimitive(), isLogResponseEnabled) addError(StatusType.FAILURE.name, STEP_PREPARE_ENV, catchallErrMsg) log.error(catchallErrMsg, e) } @@ -225,17 +225,17 @@ open class ComponentRemotePythonExecutor( } catch (timeoutEx: TimeoutCancellationException) { val componentLevelWarningMsg = if (timeout < executionTimeout) "Note: component-level timeout ($timeout) is shorter than execution timeout ($executionTimeout). " else "" val timeoutErrMsg = "Command executor execution timeout. DetailedMessage: (${timeoutEx.message}) requestId ($processId). $componentLevelWarningMsg" - setNodeOutputErrors(STEP_EXEC_CMD, timeoutErrMsg.asJsonPrimitive(), logging = isLogResponseEnabled) + setNodeOutputErrors(STEP_EXEC_CMD, listOf(timeoutErrMsg).asJsonPrimitive(), logging = isLogResponseEnabled) addError(StatusType.FAILURE.name, STEP_EXEC_CMD, timeoutErrMsg) log.error(timeoutErrMsg, timeoutEx) } catch (grpcEx: io.grpc.StatusRuntimeException) { val timeoutErrMsg = "Command executor timed out executing after $executionTimeout seconds requestId ($processId) grpcErr: ${grpcEx.status}" - setNodeOutputErrors(STEP_EXEC_CMD, timeoutErrMsg.asJsonPrimitive(), logging = isLogResponseEnabled) + setNodeOutputErrors(STEP_EXEC_CMD, listOf(timeoutErrMsg).asJsonPrimitive(), logging = isLogResponseEnabled) addError(StatusType.FAILURE.name, STEP_EXEC_CMD, timeoutErrMsg) log.error(timeoutErrMsg, grpcEx) } catch (e: Exception) { val catchAllErrMsg = "Command executor failed during process catch-all case requestId ($processId) timeout($envPrepTimeout) exception msg: ${e.message}" - setNodeOutputErrors(STEP_PREPARE_ENV, catchAllErrMsg.asJsonPrimitive(), logging = isLogResponseEnabled) + setNodeOutputErrors(STEP_PREPARE_ENV, listOf(catchAllErrMsg).asJsonPrimitive(), logging = isLogResponseEnabled) addError(StatusType.FAILURE.name, STEP_EXEC_CMD, catchAllErrMsg) log.error(catchAllErrMsg, e) } @@ -286,8 +286,8 @@ open class ComponentRemotePythonExecutor( */ private fun setNodeOutputErrors( step: String, - executionLogs: JsonNode = "N/A".asJsonPrimitive(), - artifacts: JsonNode = "N/A".asJsonPrimitive(), + executionLogs: JsonNode = "[]".asJsonPrimitive(), + artifacts: JsonNode = "{}".asJsonPrimitive(), logging: Boolean = true ) { val status = StatusType.FAILURE.name diff --git a/ms/blueprintsprocessor/modules/blueprints/blueprint-core/src/main/kotlin/org/onap/ccsdk/cds/controllerblueprints/core/BluePrintConstants.kt b/ms/blueprintsprocessor/modules/blueprints/blueprint-core/src/main/kotlin/org/onap/ccsdk/cds/controllerblueprints/core/BluePrintConstants.kt index cb78f4132..76662d4ee 100644 --- a/ms/blueprintsprocessor/modules/blueprints/blueprint-core/src/main/kotlin/org/onap/ccsdk/cds/controllerblueprints/core/BluePrintConstants.kt +++ b/ms/blueprintsprocessor/modules/blueprints/blueprint-core/src/main/kotlin/org/onap/ccsdk/cds/controllerblueprints/core/BluePrintConstants.kt @@ -242,4 +242,6 @@ object BluePrintConstants { const val PROPERTY_CLUSTER_CONFIG_FILE = "CLUSTER_CONFIG_FILE" const val NODE_TEMPLATE_TYPE_COMPONENT_RESOURCE_RESOLUTION = "component-resource-resolution" + const val NODE_TEMPLATE_TYPE_DG = "dg-generic" + const val PROPERTY_DG_DEPENDENCY_NODE_TEMPLATE = "dependency-node-templates" } diff --git a/ms/blueprintsprocessor/modules/inbounds/selfservice-api/src/main/kotlin/org/onap/ccsdk/cds/blueprintsprocessor/selfservice/api/KafkaPublishAuditService.kt b/ms/blueprintsprocessor/modules/inbounds/selfservice-api/src/main/kotlin/org/onap/ccsdk/cds/blueprintsprocessor/selfservice/api/KafkaPublishAuditService.kt index 93885bfa2..145c37b01 100644 --- a/ms/blueprintsprocessor/modules/inbounds/selfservice-api/src/main/kotlin/org/onap/ccsdk/cds/blueprintsprocessor/selfservice/api/KafkaPublishAuditService.kt +++ b/ms/blueprintsprocessor/modules/inbounds/selfservice-api/src/main/kotlin/org/onap/ccsdk/cds/blueprintsprocessor/selfservice/api/KafkaPublishAuditService.kt @@ -17,6 +17,7 @@ package org.onap.ccsdk.cds.blueprintsprocessor.selfservice.api import com.fasterxml.jackson.databind.JsonNode +import com.fasterxml.jackson.databind.node.ArrayNode import com.fasterxml.jackson.databind.node.ObjectNode import org.onap.ccsdk.cds.blueprintsprocessor.core.api.data.ExecutionServiceInput import org.onap.ccsdk.cds.blueprintsprocessor.core.api.data.ExecutionServiceOutput @@ -27,6 +28,8 @@ import org.onap.ccsdk.cds.controllerblueprints.core.BluePrintConstants import org.onap.ccsdk.cds.controllerblueprints.core.asJsonPrimitive import org.onap.ccsdk.cds.controllerblueprints.core.common.ApplicationConstants import org.onap.ccsdk.cds.controllerblueprints.core.interfaces.BluePrintCatalogService +import org.onap.ccsdk.cds.controllerblueprints.core.service.BluePrintContext +import org.onap.ccsdk.cds.controllerblueprints.core.service.BluePrintRuntimeService import org.onap.ccsdk.cds.controllerblueprints.core.service.PropertyAssignmentService import org.onap.ccsdk.cds.controllerblueprints.core.utils.BluePrintMetadataUtils import org.onap.ccsdk.cds.controllerblueprints.core.utils.JacksonUtils @@ -40,6 +43,13 @@ import javax.annotation.PostConstruct /** * Audit service used to produce execution service input and output message * sent into dedicated kafka topics. + * + * @param bluePrintMessageLibPropertyService Service used to instantiate audit service producers + * @param blueprintsProcessorCatalogService Service used to get the base path of the current CBA executed + * + * @property inputInstance Request Kakfa Producer instance + * @property outputInstance Response Kakfa Producer instance + * @property log Audit Service logger */ @ConditionalOnProperty( name = ["blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable"], @@ -68,6 +78,7 @@ class KafkaPublishAuditService( * Publish execution input into a kafka topic. * The correlation UUID is used to link the input to its output. * Sensitive data within the request are hidden. + * @param executionServiceInput Audited BP request */ override suspend fun publishExecutionInput(executionServiceInput: ExecutionServiceInput) { val secureExecutionServiceInput = hideSensitiveData(executionServiceInput) @@ -87,6 +98,8 @@ class KafkaPublishAuditService( * Publish execution output into a kafka topic. * The correlation UUID is used to link the output to its input. * A correlation UUID is added to link the input to its output. + * @param correlationUUID UUID used to link the audited response to its audited request + * @param executionServiceOutput Audited BP response */ override suspend fun publishExecutionOutput(correlationUUID: String, executionServiceOutput: ExecutionServiceOutput) { executionServiceOutput.correlationUUID = correlationUUID @@ -96,24 +109,27 @@ class KafkaPublishAuditService( this.outputInstance!!.sendMessage(key, executionServiceOutput) } catch (e: Exception) { var errMsg = - if (e.message != null) "ERROR : $e" - else "ERROR : Failed to send execution request to Kafka." + if (e.message != null) "ERROR : $e" + else "ERROR : Failed to send execution request to Kafka." log.error(errMsg) } } /** - * Return the input kafka producer instance using a selector. + * Return the input kafka producer instance using a [selector] if not already instantiated. + * @param selector Selector to retrieve request kafka producer configuration */ private fun getInputInstance(selector: String): BlueprintMessageProducerService = inputInstance ?: createInstance(selector) /** - * Return the output kafka producer instance using a selector. + * Return the output kafka producer instance using a [selector] if not already instantiated. + * @param selector Selector to retrieve response kafka producer configuration */ private fun getOutputInstance(selector: String): BlueprintMessageProducerService = outputInstance ?: createInstance(selector) /** - * Create a kafka producer instance. + * Create a kafka producer instance using a [selector]. + * @param selector Selector to retrieve kafka producer configuration */ private fun createInstance(selector: String): BlueprintMessageProducerService { log.info("Setting up message producer($selector)...") @@ -121,9 +137,10 @@ class KafkaPublishAuditService( } /** - * Hide sensitive data in the request. + * Hide sensitive data in the [executionServiceInput]. * Sensitive data are declared in the resource resolution mapping using * the property metadata "log-protect" set to true. + * @param executionServiceInput BP Execution Request where data needs to be hidden */ private suspend fun hideSensitiveData( executionServiceInput: ExecutionServiceInput @@ -155,60 +172,105 @@ class KafkaPublishAuditService( val blueprintRuntimeService = BluePrintMetadataUtils.getBluePrintRuntime(requestId, basePath.toString()) val blueprintContext = blueprintRuntimeService.bluePrintContext() - /** Looking for node templates defined as component-resource-resolution */ - val nodeTemplates = blueprintContext.nodeTemplates() - nodeTemplates!!.forEach { nodeTemplate -> - val nodeTemplateName = nodeTemplate.key - val nodeTemplateType = blueprintContext.nodeTemplateByName(nodeTemplateName).type - if (nodeTemplateType == BluePrintConstants.NODE_TEMPLATE_TYPE_COMPONENT_RESOURCE_RESOLUTION) { - val interfaceName = blueprintContext.nodeTemplateFirstInterfaceName(nodeTemplateName) - val operationName = blueprintContext.nodeTemplateFirstInterfaceFirstOperationName(nodeTemplateName) - - val propertyAssignments: MutableMap<String, JsonNode> = - blueprintContext.nodeTemplateInterfaceOperationInputs(nodeTemplateName, interfaceName, operationName) - ?: hashMapOf() - - /** Getting values define in artifact-prefix-names */ - val input = executionServiceInput.payload.get("$workflowName-request") - blueprintRuntimeService.assignWorkflowInputs(workflowName, input) - val artifactPrefixNamesNode = propertyAssignments[ResourceResolutionConstants.INPUT_ARTIFACT_PREFIX_NAMES] - val propertyAssignmentService = PropertyAssignmentService(blueprintRuntimeService) - val artifactPrefixNamesNodeValue = propertyAssignmentService.resolveAssignmentExpression( - BluePrintConstants.MODEL_DEFINITION_TYPE_NODE_TEMPLATE, - nodeTemplateName, - ResourceResolutionConstants.INPUT_ARTIFACT_PREFIX_NAMES, - artifactPrefixNamesNode!!) - - val artifactPrefixNames = JacksonUtils.getListFromJsonNode(artifactPrefixNamesNodeValue!!, String::class.java) - - /** Storing mapping entries with metadata log-protect set to true */ - val sensitiveParameters: List<String> = artifactPrefixNames - .map { "$it-mapping" } - .map { blueprintRuntimeService.resolveNodeTemplateArtifact(nodeTemplateName, it) } - .flatMap { JacksonUtils.getListFromJson(it, ResourceAssignment::class.java) } - .filter { PropertyDefinitionUtils.hasLogProtect(it.property) } - .map { it.name } - - /** Hiding sensitive input parameters from the request */ - var workflowProperties: ObjectNode = clonedExecutionServiceInput.payload - .path("$workflowName-request") - .path("$workflowName-properties") as ObjectNode - - sensitiveParameters.forEach { sensitiveParameter -> - if (workflowProperties.has(sensitiveParameter)) { - workflowProperties.replace(sensitiveParameter, ApplicationConstants.LOG_REDACTED.asJsonPrimitive()) - } + val workflowSteps = blueprintContext.workflowByName(workflowName).steps + checkNotNull(workflowSteps) { "Failed to get step(s) for workflow($workflowName)" } + workflowSteps.forEach { step -> + val nodeTemplateName = step.value.target + checkNotNull(nodeTemplateName) { "Failed to get node template target for workflow($workflowName), step($step)" } + val nodeTemplate = blueprintContext.nodeTemplateByName(nodeTemplateName) + + /** We need to check in his Node Template Dependencies is case of a Node Template DG */ + if (nodeTemplate.type == BluePrintConstants.NODE_TEMPLATE_TYPE_DG) { + val dependencyNodeTemplate = nodeTemplate.properties?.get(BluePrintConstants.PROPERTY_DG_DEPENDENCY_NODE_TEMPLATE) as ArrayNode + dependencyNodeTemplate.forEach { dependencyNodeTemplateName -> + clonedExecutionServiceInput = hideSensitiveDataFromResourceResolution( + blueprintRuntimeService, + blueprintContext, + clonedExecutionServiceInput, + workflowName, + dependencyNodeTemplateName.asText() + ) } + } else { + clonedExecutionServiceInput = hideSensitiveDataFromResourceResolution( + blueprintRuntimeService, + blueprintContext, + clonedExecutionServiceInput, + workflowName, + nodeTemplateName + ) } } } } catch (e: Exception) { - val errMsg = "ERROR : Couldn't hide sensitive data in the execution request." - log.error(errMsg, e) - clonedExecutionServiceInput.payload.replace( - "$workflowName-request", - "$errMsg $e".asJsonPrimitive()) + val errMsg = "ERROR : Couldn't hide sensitive data in the execution request." + log.error(errMsg, e) + clonedExecutionServiceInput.payload.replace( + "$workflowName-request", + "$errMsg $e".asJsonPrimitive()) } return clonedExecutionServiceInput } + + /** + * Hide sensitive data in [executionServiceInput] if the given [nodeTemplateName] is a + * resource resolution component. + * @param blueprintRuntimeService Current blueprint runtime service + * @param blueprintContext Current blueprint runtime context + * @param executionServiceInput BP Execution Request where data needs to be hidden + * @param workflowName Current workflow being executed + * @param nodeTemplateName Node template to check for sensitive data + * @return [executionServiceInput] with sensitive inputs replaced by a generic string + */ + private suspend fun hideSensitiveDataFromResourceResolution( + blueprintRuntimeService: BluePrintRuntimeService<MutableMap<String, JsonNode>>, + blueprintContext: BluePrintContext, + executionServiceInput: ExecutionServiceInput, + workflowName: String, + nodeTemplateName: String + ): ExecutionServiceInput { + + val nodeTemplate = blueprintContext.nodeTemplateByName(nodeTemplateName) + if (nodeTemplate.type == BluePrintConstants.NODE_TEMPLATE_TYPE_COMPONENT_RESOURCE_RESOLUTION) { + val interfaceName = blueprintContext.nodeTemplateFirstInterfaceName(nodeTemplateName) + val operationName = blueprintContext.nodeTemplateFirstInterfaceFirstOperationName(nodeTemplateName) + + val propertyAssignments: MutableMap<String, JsonNode> = + blueprintContext.nodeTemplateInterfaceOperationInputs(nodeTemplateName, interfaceName, operationName) + ?: hashMapOf() + + /** Getting values define in artifact-prefix-names */ + val input = executionServiceInput.payload.get("$workflowName-request") + blueprintRuntimeService.assignWorkflowInputs(workflowName, input) + val artifactPrefixNamesNode = propertyAssignments[ResourceResolutionConstants.INPUT_ARTIFACT_PREFIX_NAMES] + val propertyAssignmentService = PropertyAssignmentService(blueprintRuntimeService) + val artifactPrefixNamesNodeValue = propertyAssignmentService.resolveAssignmentExpression( + BluePrintConstants.MODEL_DEFINITION_TYPE_NODE_TEMPLATE, + nodeTemplateName, + ResourceResolutionConstants.INPUT_ARTIFACT_PREFIX_NAMES, + artifactPrefixNamesNode!!) + + val artifactPrefixNames = JacksonUtils.getListFromJsonNode(artifactPrefixNamesNodeValue!!, String::class.java) + + /** Storing mapping entries with metadata log-protect set to true */ + val sensitiveParameters: List<String> = artifactPrefixNames + .map { "$it-mapping" } + .map { blueprintRuntimeService.resolveNodeTemplateArtifact(nodeTemplateName, it) } + .flatMap { JacksonUtils.getListFromJson(it, ResourceAssignment::class.java) } + .filter { PropertyDefinitionUtils.hasLogProtect(it.property) } + .map { it.name } + + /** Hiding sensitive input parameters from the request */ + var workflowProperties: ObjectNode = executionServiceInput.payload + .path("$workflowName-request") + .path("$workflowName-properties") as ObjectNode + + sensitiveParameters.forEach { sensitiveParameter -> + if (workflowProperties.has(sensitiveParameter)) { + workflowProperties.replace(sensitiveParameter, ApplicationConstants.LOG_REDACTED.asJsonPrimitive()) + } + } + } + return executionServiceInput + } } |