diff options
author | Alex Shatov <alexs@att.com> | 2018-09-14 16:54:05 -0400 |
---|---|---|
committer | Alex Shatov <alexs@att.com> | 2018-09-14 16:54:05 -0400 |
commit | 6556fd79eb177d8ed7c390d56410b42afb4a0c70 (patch) | |
tree | a45f57fbdd4ba1468390868371484d299d23ed8c /policyhandler | |
parent | 1d693376205c66af93283d04e8e9740c947a7d02 (diff) |
4.3.0 policy-handler - tls to policy-engine
- tls to policy-engine
- tls on web-socket to policy-engine
- tls to deployment-handler
- no tls on the web-server side
= that is internal API
= will add TLS in R4
- policy-handler expecting the deployment process
to mount certs at /opt/app/policy_handler/etc/tls/certs/
- blueprint for policy-handler will be updated to contain
cert_directory : /opt/app/policy_handler/etc/tls/certs/
- the matching local etc/config.json has new part tls with:
= cert_directory : etc/tls/certs/
= cacert : cacert.pem
- new optional fields tls_ca_mode in config on consul that
specify where to find the cacert.pem for tls per each https/web-socket
values are:
"cert_directory" - use the cacert.pem stored locally in cert_directory
this is the default if cacert.pem file is found
"os_ca_bundle" - use the public ca_bundle provided by linux system.
this is the default if cacert.pem file not found
"do_not_verify" - special hack to turn off the verification by cacert
and hostname
- config on consul now has 2 new fields for policy_engine
= "tls_ca_mode" : "cert_directory"
= "tls_wss_ca_mode" : "cert_directory"
- config on consul now has 1 new field for deploy_handler
= "tls_ca_mode" : "cert_directory"
- removed customization for verify -- it is now a built-in feature
Change-Id: Ibe9120504ed6036d1ed4c84ff4cd8ad1d9e80f17
Signed-off-by: Alex Shatov <alexs@att.com>
Issue-ID: DCAEGEN2-611
Diffstat (limited to 'policyhandler')
-rw-r--r-- | policyhandler/config.py | 101 | ||||
-rw-r--r-- | policyhandler/customize/customizer_base.py | 8 | ||||
-rw-r--r-- | policyhandler/deploy_handler.py | 104 | ||||
-rw-r--r-- | policyhandler/policy_receiver.py | 55 | ||||
-rw-r--r-- | policyhandler/policy_rest.py | 47 | ||||
-rw-r--r-- | policyhandler/policy_updater.py | 2 |
6 files changed, 228 insertions, 89 deletions
diff --git a/policyhandler/config.py b/policyhandler/config.py index 3d68235..a69954f 100644 --- a/policyhandler/config.py +++ b/policyhandler/config.py @@ -56,6 +56,12 @@ class Settings(object): def __str__(self): """get str of the config""" + if not self._changed: + return Audit.json_dumps({ + "config_keys": self._config_keys, + "config": self._config + }) + return Audit.json_dumps({ "config_keys": self._config_keys, "changed": self._changed, @@ -129,6 +135,7 @@ class Config(object): FIELD_SYSTEM = "system" FIELD_WSERVICE_PORT = "wservice_port" + FIELD_TLS = "tls" FIELD_POLICY_ENGINE = "policy_engine" POOL_CONNECTIONS = "pool_connections" DEPLOY_HANDLER = "deploy_handler" @@ -137,13 +144,74 @@ class Config(object): POLICY_RETRY_SLEEP = "policy_retry_sleep" RECONFIGURE = "reconfigure" TIMER_INTERVAL = "interval" + REQUESTS_VERIFY = "verify" + TLS_CA_MODE = "tls_ca_mode" + TLS_WSS_CA_MODE = "tls_wss_ca_mode" + TLS_CA_MODE_DO_NOT_VERIFY = "do_not_verify" system_name = SERVICE_NAME_POLICY_HANDLER wservice_port = 25577 + tls_cacert_file = None + tls_server_cert_file = None + tls_private_key_file = None + _local_config = Settings() discovered_config = Settings() @staticmethod + def _set_tls_config(tls_config): + """verify and set tls certs in config""" + try: + Config.tls_cacert_file = None + Config.tls_server_cert_file = None + Config.tls_private_key_file = None + + if not (tls_config and isinstance(tls_config, dict)): + Config._logger.info("no tls in config: %s", json.dumps(tls_config)) + return + + cert_directory = tls_config.get("cert_directory") + + if not (cert_directory and isinstance(cert_directory, str)): + Config._logger.info("unexpected tls.cert_directory: %r", cert_directory) + return + + cert_directory = os.path.join( + os.path.dirname(os.path.dirname(os.path.realpath(__file__))), cert_directory) + if not (cert_directory and os.path.isdir(cert_directory)): + Config._logger.info("ignoring invalid cert_directory: %s", cert_directory) + return + + cacert = tls_config.get("cacert") + if cacert: + tls_cacert_file = os.path.join(cert_directory, cacert) + if not os.path.isfile(tls_cacert_file): + Config._logger.error("invalid tls_cacert_file: %s", tls_cacert_file) + else: + Config.tls_cacert_file = tls_cacert_file + + server_cert = tls_config.get("server_cert") + if server_cert: + tls_server_cert_file = os.path.join(cert_directory, server_cert) + if not os.path.isfile(tls_server_cert_file): + Config._logger.error("invalid tls_server_cert_file: %s", tls_server_cert_file) + else: + Config.tls_server_cert_file = tls_server_cert_file + + private_key = tls_config.get("private_key") + if private_key: + tls_private_key_file = os.path.join(cert_directory, private_key) + if not os.path.isfile(tls_private_key_file): + Config._logger.error("invalid tls_private_key_file: %s", tls_private_key_file) + else: + Config.tls_private_key_file = tls_private_key_file + + finally: + Config._logger.info("tls_cacert_file = %s", Config.tls_cacert_file) + Config._logger.info("tls_server_cert_file = %s", Config.tls_server_cert_file) + Config._logger.info("tls_private_key_file = %s", Config.tls_private_key_file) + + @staticmethod def init_config(file_path=None): """read and store the config from config file""" if Config._local_config.is_loaded(): @@ -169,9 +237,11 @@ class Config(object): Config.wservice_port = loaded_config.get(Config.FIELD_WSERVICE_PORT, Config.wservice_port) - local_config = loaded_config.get(Config.SERVICE_NAME_POLICY_HANDLER) + local_config = loaded_config.get(Config.SERVICE_NAME_POLICY_HANDLER, {}) Config.system_name = local_config.get(Config.FIELD_SYSTEM, Config.system_name) + Config._set_tls_config(local_config.get(Config.FIELD_TLS)) + Config._local_config.set_config(local_config, auto_commit=True) Config._logger.info("config loaded from file(%s): %s", file_path, Config._local_config) @@ -190,3 +260,32 @@ class Config(object): Config.discovered_config.set_config(new_config.get(Config.SERVICE_NAME_POLICY_HANDLER)) Config._logger.info("config from discovery: %s", Config.discovered_config) + + + @staticmethod + def get_tls_verify(tls_ca_mode=None): + """ + generate verify value based on tls_ca_mode + + tls_ca_mode can be one of: + + "cert_directory" - use the cacert.pem stored locally in cert_directory. + this is the default if cacert.pem file is found + + "os_ca_bundle" - use the public ca_bundle provided by linux system. + this is the default if cacert.pem file not found + + "do_not_verify" - special hack to turn off the verification by cacert and hostname + """ + if tls_ca_mode == Config.TLS_CA_MODE_DO_NOT_VERIFY: + return False + + if tls_ca_mode == "os_ca_bundle" or not Config.tls_cacert_file: + return True + + return Config.tls_cacert_file + + @staticmethod + def get_requests_kwargs(tls_ca_mode=None): + """generate kwargs with verify for requests based on the tls_ca_mode""" + return {Config.REQUESTS_VERIFY: Config.get_tls_verify(tls_ca_mode)} diff --git a/policyhandler/customize/customizer_base.py b/policyhandler/customize/customizer_base.py index 561891f..33b8c7d 100644 --- a/policyhandler/customize/customizer_base.py +++ b/policyhandler/customize/customizer_base.py @@ -53,11 +53,3 @@ class CustomizerBase(object): self._logger.info(info) audit.info(info) return service_url - - def get_deploy_handler_kwargs(self, audit): - """returns the optional dict-kwargs for requests.put to deploy_handler""" - info = "no optional kwargs for requests.put to deploy_handler" - self._logger.info(info) - audit.info(info) - kwargs = {} - return kwargs diff --git a/policyhandler/deploy_handler.py b/policyhandler/deploy_handler.py index e308c1a..b4b2468 100644 --- a/policyhandler/deploy_handler.py +++ b/policyhandler/deploy_handler.py @@ -26,7 +26,6 @@ from threading import Lock import requests from .config import Config, Settings -from .customize import CustomizerUser from .discovery import DiscoveryClient from .onap.audit import (REQUEST_X_ECOMP_REQUESTID, AuditHttpCode, AuditResponseCode, Metrics) @@ -157,18 +156,14 @@ class DeployHandler(object): _max_msg_length_mb = 10 _query = {} _target_entity = None - _custom_kwargs = None + _custom_kwargs = {} _server_instance_uuid = None server_instance_changed = False @staticmethod def _init(audit): """set config""" - DeployHandler._custom_kwargs = (CustomizerUser.get_customizer() - .get_deploy_handler_kwargs(audit)) - if (not DeployHandler._custom_kwargs - or not isinstance(DeployHandler._custom_kwargs, dict)): - DeployHandler._custom_kwargs = {} + DeployHandler._custom_kwargs = {} if not DeployHandler._requests_session: DeployHandler._requests_session = requests.Session() @@ -188,11 +183,12 @@ class DeployHandler(object): # config for policy-handler >= 2.4.0 # "deploy_handler" : { # "target_entity" : "deployment_handler", - # "url" : "http://deployment_handler:8188", + # "url" : "https://deployment_handler:8188", # "max_msg_length_mb" : 10, # "query" : { # "cfy_tenant_name" : "default_tenant" - # } + # }, + # "tls_ca_mode" : "cert_directory" # } DeployHandler._target_entity = config_dh.get(TARGET_ENTITY, DeployHandler.DEFAULT_TARGET_ENTITY) @@ -200,8 +196,13 @@ class DeployHandler(object): DeployHandler._max_msg_length_mb = config_dh.get("max_msg_length_mb", DeployHandler._max_msg_length_mb) DeployHandler._query = deepcopy(config_dh.get("query", {})) - DeployHandler._logger.info("dns based routing to %s: url(%s)", - DeployHandler._target_entity, DeployHandler._url) + tls_ca_mode = config_dh.get(Config.TLS_CA_MODE) + DeployHandler._custom_kwargs = Config.get_requests_kwargs(tls_ca_mode) + + DeployHandler._logger.info( + "dns based routing to %s: url(%s) tls_ca_mode(%s) custom_kwargs(%s)", + DeployHandler._target_entity, DeployHandler._url, + tls_ca_mode, json.dumps(DeployHandler._custom_kwargs)) if not DeployHandler._url: # discover routing to deployment-handler at consul-services @@ -258,11 +259,11 @@ class DeployHandler(object): DeployHandler._lazy_init(audit) - str_metrics = "policy_update {0}".format(str(policy_update_message)) + str_metrics = "policy_update {}".format(str(policy_update_message)) metrics_total = Metrics( aud_parent=audit, - targetEntity="{0} total policy_update".format(DeployHandler._target_entity), + targetEntity="{} total policy_update".format(DeployHandler._target_entity), targetServiceName=DeployHandler._url_policy) metrics_total.metrics_start("started {}".format(str_metrics)) @@ -284,15 +285,23 @@ class DeployHandler(object): if not message: return - metrics = Metrics(aud_parent=audit, targetEntity=DeployHandler._target_entity, - targetServiceName=DeployHandler._url_policy) + with DeployHandler._lock: + session = DeployHandler._requests_session + target_entity = DeployHandler._target_entity + url = DeployHandler._url_policy + params = deepcopy(DeployHandler._query) + custom_kwargs = deepcopy(DeployHandler._custom_kwargs) + + metrics = Metrics(aud_parent=audit, targetEntity="{} policy_update".format(target_entity), + targetServiceName=url) headers = {REQUEST_X_ECOMP_REQUESTID : metrics.request_id} - log_action = "put to {0} at {1}".format( - DeployHandler._target_entity, DeployHandler._url_policy) - log_data = " msg={} headers={}, params={}".format(json.dumps(message), json.dumps(headers), - json.dumps(DeployHandler._query)) - log_line = log_action + log_data + log_action = "put to {} at {}".format(target_entity, url) + log_data = "msg={} headers={}, params={} custom_kwargs({})".format( + json.dumps(message), json.dumps(headers), + json.dumps(params), json.dumps(custom_kwargs)) + log_line = log_action + " " + log_data + DeployHandler._logger.info(log_line) metrics.metrics_start(log_line) @@ -306,20 +315,13 @@ class DeployHandler(object): res = None try: - with DeployHandler._lock: - session = DeployHandler._requests_session - url = DeployHandler._url_policy - params = deepcopy(DeployHandler._query) - custom_kwargs = deepcopy(DeployHandler._custom_kwargs) - - res = session.put(url, json=message, - headers=headers, params=params, **custom_kwargs) + res = session.put(url, json=message, headers=headers, params=params, **custom_kwargs) except Exception as ex: error_code = (AuditHttpCode.SERVICE_UNAVAILABLE_ERROR.value if isinstance(ex, requests.exceptions.RequestException) else AuditHttpCode.SERVER_INTERNAL_ERROR.value) - error_msg = ("failed to {0} {1}: {2}{3}" - .format(log_action, type(ex).__name__, str(ex), log_data)) + error_msg = "failed to {} {}: {} {}".format( + log_action, type(ex).__name__, str(ex), log_data) DeployHandler._logger.exception(error_msg) metrics.set_http_status_code(error_code) audit.set_http_status_code(error_code) @@ -329,8 +331,8 @@ class DeployHandler(object): metrics.set_http_status_code(res.status_code) audit.set_http_status_code(res.status_code) - log_line = "response {0} from {1}: text={2}{3}".format(res.status_code, log_action, - res.text, log_data) + log_line = "response {} from {}: text={} {}".format( + res.status_code, log_action, res.text, log_data) metrics.metrics(log_line) if res.status_code != requests.codes.ok: @@ -349,19 +351,29 @@ class DeployHandler(object): that were deployed by deployment-handler """ DeployHandler._lazy_init(audit) - metrics = Metrics(aud_parent=audit, targetEntity=DeployHandler._target_entity, - targetServiceName=DeployHandler._url_policy) + + with DeployHandler._lock: + session = DeployHandler._requests_session + target_entity = DeployHandler._target_entity + url = DeployHandler._url_policy + params = deepcopy(DeployHandler._query) + custom_kwargs = deepcopy(DeployHandler._custom_kwargs) + + metrics = Metrics(aud_parent=audit, + targetEntity="{} get_deployed_policies".format(target_entity), + targetServiceName=url) headers = {REQUEST_X_ECOMP_REQUESTID : metrics.request_id} - log_action = "get {0}: {1}".format(DeployHandler._target_entity, DeployHandler._url_policy) - log_data = " headers={}, params={}".format(json.dumps(headers), - json.dumps(DeployHandler._query)) - log_line = log_action + log_data + log_action = "get from {} at {}".format(target_entity, url) + log_data = "headers={}, params={} custom_kwargs({})".format( + json.dumps(headers), json.dumps(params), json.dumps(custom_kwargs)) + log_line = log_action + " " + log_data + DeployHandler._logger.info(log_line) metrics.metrics_start(log_line) if not DeployHandler._url: - error_msg = "no url found to {0}".format(log_line) + error_msg = "no url found to {}".format(log_line) DeployHandler._logger.error(error_msg) metrics.set_http_status_code(AuditHttpCode.SERVICE_UNAVAILABLE_ERROR.value) audit.set_http_status_code(AuditHttpCode.SERVICE_UNAVAILABLE_ERROR.value) @@ -370,19 +382,13 @@ class DeployHandler(object): res = None try: - with DeployHandler._lock: - session = DeployHandler._requests_session - url = DeployHandler._url_policy - params = deepcopy(DeployHandler._query) - custom_kwargs = deepcopy(DeployHandler._custom_kwargs) - res = session.get(url, headers=headers, params=params, **custom_kwargs) except Exception as ex: error_code = (AuditHttpCode.SERVICE_UNAVAILABLE_ERROR.value if isinstance(ex, requests.exceptions.RequestException) else AuditHttpCode.SERVER_INTERNAL_ERROR.value) - error_msg = ("failed to {0} {1}: {2}{3}" - .format(log_action, type(ex).__name__, str(ex), log_data)) + error_msg = "failed to {} {}: {} {}".format( + log_action, type(ex).__name__, str(ex), log_data) DeployHandler._logger.exception(error_msg) metrics.set_http_status_code(error_code) audit.set_http_status_code(error_code) @@ -392,8 +398,8 @@ class DeployHandler(object): metrics.set_http_status_code(res.status_code) audit.set_http_status_code(res.status_code) - log_line = ("response {0} from {1}: text={2}{3}" - .format(res.status_code, log_action, res.text, log_data)) + log_line = "response {} from {}: text={} {}".format( + res.status_code, log_action, res.text, log_data) metrics.metrics(log_line) if res.status_code != requests.codes.ok: diff --git a/policyhandler/policy_receiver.py b/policyhandler/policy_receiver.py index 1edb24d..96afd59 100644 --- a/policyhandler/policy_receiver.py +++ b/policyhandler/policy_receiver.py @@ -25,8 +25,11 @@ on receiving the policy-notifications, the policy-receiver passes the notifications to policy-updater """ +import copy import json import logging +import os +import ssl import time from threading import Lock, Thread @@ -35,6 +38,7 @@ import websocket from .config import Config, Settings from .policy_consts import MATCHING_CONDITIONS, POLICY_NAME, POLICY_VERSION from .policy_updater import PolicyUpdater +from .policy_utils import Utils LOADED_POLICIES = 'loadedPolicies' REMOVED_POLICIES = 'removedPolicies' @@ -54,6 +58,8 @@ class _PolicyReceiver(Thread): self._settings = Settings(Config.FIELD_POLICY_ENGINE) self._web_socket_url = None + self._web_socket_sslopt = None + self._tls_wss_ca_mode = None self._web_socket = None self.reconfigure() @@ -71,21 +77,39 @@ class _PolicyReceiver(Thread): return False prev_web_socket_url = self._web_socket_url - resturl = config.get("url", "") + config.get("path_pdp", "") + prev_web_socket_sslopt = self._web_socket_sslopt + self._web_socket_sslopt = None + + resturl = (config.get("url", "").lower() + + config.get("path_notifications", "/pdp/notifications")) + + self._tls_wss_ca_mode = config.get(Config.TLS_WSS_CA_MODE) if resturl.startswith("https:"): - self._web_socket_url = resturl.replace("https:", "wss:") + "notifications" + self._web_socket_url = resturl.replace("https:", "wss:") + + verify = Config.get_tls_verify(self._tls_wss_ca_mode) + if verify is False: + self._web_socket_sslopt = {'cert_reqs': ssl.CERT_NONE} + elif verify is True: + pass + else: + self._web_socket_sslopt = {'ca_certs': verify} + else: - self._web_socket_url = resturl.replace("http:", "ws:") + "notifications" + self._web_socket_url = resturl.replace("http:", "ws:") - if self._web_socket_url == prev_web_socket_url: - _PolicyReceiver._logger.info("not changed web_socket_url(%s): %s", - self._web_socket_url, self._settings) + if (self._web_socket_url == prev_web_socket_url + and Utils.are_the_same(prev_web_socket_sslopt, self._web_socket_sslopt)): + _PolicyReceiver._logger.info( + "not changed web_socket_url(%s) or tls_wss_ca_mode(%s): %s", + self._web_socket_url, self._tls_wss_ca_mode, self._settings) self._settings.commit_change() return False - _PolicyReceiver._logger.info("changed web_socket_url(%s): %s", - self._web_socket_url, self._settings) + _PolicyReceiver._logger.info("changed web_socket_url(%s) or tls_wss_ca_mode(%s): %s", + self._web_socket_url, self._tls_wss_ca_mode, + self._settings) self._settings.commit_change() self._stop_notifications() @@ -103,18 +127,27 @@ class _PolicyReceiver(Thread): if restarting: time.sleep(5) + if not self._get_keep_running(): + break + + with self._lock: + web_socket_url = self._web_socket_url + sslopt = copy.deepcopy(self._web_socket_sslopt) + tls_wss_ca_mode = self._tls_wss_ca_mode _PolicyReceiver._logger.info( - "connecting to policy-notifications at: %s", self._web_socket_url) + "connecting to policy-notifications at %s with sslopt(%s) tls_wss_ca_mode(%s)", + web_socket_url, json.dumps(sslopt), tls_wss_ca_mode) + self._web_socket = websocket.WebSocketApp( - self._web_socket_url, + web_socket_url, on_message=self._on_pdp_message, on_close=self._on_ws_close, on_error=self._on_ws_error ) _PolicyReceiver._logger.info("waiting for policy-notifications...") - self._web_socket.run_forever() + self._web_socket.run_forever(sslopt=sslopt) restarting = True _PolicyReceiver._logger.info("exit policy-receiver") diff --git a/policyhandler/policy_rest.py b/policyhandler/policy_rest.py index d10f4bf..0713b38 100644 --- a/policyhandler/policy_rest.py +++ b/policyhandler/policy_rest.py @@ -61,6 +61,7 @@ class PolicyRest(object): _url_get_config = None _headers = None _target_entity = None + _custom_kwargs = {} _thread_pool_size = 4 _policy_retry_count = 1 _policy_retry_sleep = 0 @@ -68,6 +69,8 @@ class PolicyRest(object): @staticmethod def _init(): """init static config""" + PolicyRest._custom_kwargs = {} + _, config = PolicyRest._settings.get_by_key(Config.FIELD_POLICY_ENGINE) if not PolicyRest._requests_session: @@ -82,9 +85,9 @@ class PolicyRest(object): 'http://', requests.adapters.HTTPAdapter(pool_connections=pool_size, pool_maxsize=pool_size)) - PolicyRest._url_get_config = (config["url"] + config["path_api"] + PolicyRest._url_get_config = (config.get("url", "") + config.get("path_api", "") + PolicyRest.POLICY_GET_CONFIG) - PolicyRest._headers = config["headers"] + PolicyRest._headers = config.get("headers", {}) PolicyRest._target_entity = config.get("target_entity", Config.FIELD_POLICY_ENGINE) _, PolicyRest._thread_pool_size = PolicyRest._settings.get_by_key( Config.THREAD_POOL_SIZE, 4) @@ -96,9 +99,13 @@ class PolicyRest(object): _, PolicyRest._policy_retry_sleep = PolicyRest._settings.get_by_key( Config.POLICY_RETRY_SLEEP, 0) - PolicyRest._logger.info("PDP url(%s) headers(%s): %s", - PolicyRest._url_get_config, + tls_ca_mode = config.get(Config.TLS_CA_MODE) + PolicyRest._custom_kwargs = Config.get_requests_kwargs(tls_ca_mode) + + PolicyRest._logger.info("PDP(%s) url(%s) headers(%s) tls_ca_mode(%s) custom_kwargs(%s): %s", + PolicyRest._target_entity, PolicyRest._url_get_config, Metrics.json_dumps(PolicyRest._headers), + tls_ca_mode, json.dumps(PolicyRest._custom_kwargs), PolicyRest._settings) PolicyRest._settings.commit_change() @@ -133,25 +140,27 @@ class PolicyRest(object): @staticmethod def _pdp_get_config(audit, json_body): """Communication with the policy-engine""" - metrics = Metrics(aud_parent=audit, targetEntity=PolicyRest._target_entity, - targetServiceName=PolicyRest._url_get_config) - with PolicyRest._lock: session = PolicyRest._requests_session + target_entity = PolicyRest._target_entity url = PolicyRest._url_get_config headers = copy.deepcopy(PolicyRest._headers) + custom_kwargs = copy.deepcopy(PolicyRest._custom_kwargs) + + metrics = Metrics(aud_parent=audit, targetEntity=target_entity, targetServiceName=url) headers[REQUEST_X_ECOMP_REQUESTID] = metrics.request_id - headers_str = Metrics.json_dumps(headers) - msg = json.dumps(json_body) - log_line = "post to PDP {} msg={} headers={}".format(url, msg, headers_str) + log_action = "post to {} at {}".format(target_entity, url) + log_data = "msg={} headers={}, custom_kwargs({})".format( + json.dumps(json_body), Metrics.json_dumps(headers), json.dumps(custom_kwargs)) + log_line = log_action + " " + log_data PolicyRest._logger.info(metrics.metrics_start(log_line)) res = None try: - res = session.post(url, json=json_body, headers=headers) + res = session.post(url, json=json_body, headers=headers, **custom_kwargs) except Exception as ex: error_code = (AuditHttpCode.SERVICE_UNAVAILABLE_ERROR.value if isinstance(ex, requests.exceptions.RequestException) @@ -164,8 +173,8 @@ class PolicyRest(object): metrics.metrics(error_msg) return (error_code, None) - log_line = "response {} from post to PDP {}: msg={} text={} headers={}".format( - res.status_code, url, msg, res.text, + log_line = "response {} from {}: text={} headers={}".format( + res.status_code, log_line, res.text, Metrics.json_dumps(dict(res.request.headers.items()))) status_code, res_data = PolicyRest._extract_pdp_res_data(audit, metrics, log_line, res) @@ -280,13 +289,13 @@ class PolicyRest(object): break if retry == PolicyRest._policy_retry_count: - audit.warn("gave up retrying {0} from PDP after #{1} for policy_id={2}" + audit.warn("gave up retrying {} from PDP after #{} for policy_id={}" .format(PolicyRest._url_get_config, retry, policy_id), error_code=AuditResponseCode.DATA_ERROR) break audit.warn( - "retry #{0} {1} from PDP in {2} secs for policy_id={3}".format( + "retry #{} {} from PDP in {} secs for policy_id={}".format( retry, PolicyRest._url_get_config, PolicyRest._policy_retry_sleep, policy_id), error_code=AuditResponseCode.DATA_ERROR) @@ -301,7 +310,7 @@ class PolicyRest(object): if not PolicyRest._validate_policy(latest_policy): audit.set_http_status_code(AuditHttpCode.DATA_NOT_FOUND_ERROR.value) audit.error( - "received invalid policy from PDP: {0}".format(json.dumps(latest_policy)), + "received invalid policy from PDP: {}".format(json.dumps(latest_policy)), error_code=AuditResponseCode.DATA_ERROR) return latest_policy @@ -322,7 +331,7 @@ class PolicyRest(object): ) if not latest_policy and not expect_policy_removed: - audit.error("received unexpected policy data from PDP for policy_id={0}: {1}" + audit.error("received unexpected policy data from PDP for policy_id={}: {}" .format(policy_id, json.dumps(policy_bodies or [])), error_code=AuditResponseCode.DATA_ERROR) @@ -436,7 +445,7 @@ class PolicyRest(object): if errored_policies: audit.set_http_status_code(AuditHttpCode.DATA_NOT_FOUND_ERROR.value) audit.error( - "errored_policies in PDP: {0}".format(json.dumps(errored_policies)), + "errored_policies in PDP: {}".format(json.dumps(errored_policies)), error_code=AuditResponseCode.DATA_ERROR) return updated_policies, removed_policies @@ -460,7 +469,7 @@ class PolicyRest(object): if not latest_policies: audit.set_http_status_code(AuditHttpCode.DATA_NOT_FOUND_ERROR.value) audit.warn( - "received no policies from PDP for policy_filter {0}: {1}" + "received no policies from PDP for policy_filter {}: {}" .format(str_policy_filter, json.dumps(policy_bodies or [])), error_code=AuditResponseCode.DATA_ERROR) return None, latest_policies diff --git a/policyhandler/policy_updater.py b/policyhandler/policy_updater.py index 8909cc7..235e2b6 100644 --- a/policyhandler/policy_updater.py +++ b/policyhandler/policy_updater.py @@ -420,7 +420,7 @@ class PolicyUpdater(Thread): PolicyUpdater._logger.warning(result) elif not updated_policies and not removed_policies: result = "- not sending empty policy-updates to deployment-handler" - PolicyUpdater._logger.warning(result) + PolicyUpdater._logger.info(result) else: message = PolicyUpdateMessage(updated_policies, removed_policies, policy_filter_matches, False) |