diff options
29 files changed, 833 insertions, 24 deletions
diff --git a/packages/policy-clamp-docker/src/main/docker/ClRuntimeDockerfile b/packages/policy-clamp-docker/src/main/docker/ClRuntimeDockerfile index 9167b226a..01b150bd2 100644 --- a/packages/policy-clamp-docker/src/main/docker/ClRuntimeDockerfile +++ b/packages/policy-clamp-docker/src/main/docker/ClRuntimeDockerfile @@ -46,6 +46,8 @@ RUN chown -R policy:policy * && \ chmod 755 bin/*.sh && \ chown -R policy:policy /app +EXPOSE 6969 + USER policy WORKDIR $POLICY_HOME/bin ENTRYPOINT [ "./controlloop-runtime.sh" ] diff --git a/packages/policy-clamp-docker/src/main/docker/HttpParticipantDockerfile b/packages/policy-clamp-docker/src/main/docker/HttpParticipantDockerfile index 88bf34579..294a59754 100644 --- a/packages/policy-clamp-docker/src/main/docker/HttpParticipantDockerfile +++ b/packages/policy-clamp-docker/src/main/docker/HttpParticipantDockerfile @@ -47,6 +47,8 @@ RUN chown -R policy:policy * && \ chmod 755 bin/*.sh && \ chown -R policy:policy /app +EXPOSE 8084 + USER policy WORKDIR $POLICY_HOME/bin ENTRYPOINT [ "./http-participant.sh" ] diff --git a/packages/policy-clamp-docker/src/main/docker/PolicyParticipantDockerfile b/packages/policy-clamp-docker/src/main/docker/PolicyParticipantDockerfile index 08a731c0c..14f10dd6f 100644 --- a/packages/policy-clamp-docker/src/main/docker/PolicyParticipantDockerfile +++ b/packages/policy-clamp-docker/src/main/docker/PolicyParticipantDockerfile @@ -46,6 +46,8 @@ RUN chown -R policy:policy * && \ chmod 755 bin/*.sh && \ chown -R policy:policy /app +EXPOSE 8085 + USER policy WORKDIR $POLICY_HOME/bin ENTRYPOINT [ "./policy-participant.sh" ] diff --git a/packages/policy-clamp-tarball/src/main/resources/etc/ClRuntimeParameters.yaml b/packages/policy-clamp-tarball/src/main/resources/etc/ClRuntimeParameters.yaml index a01c49881..1a57f2347 100644 --- a/packages/policy-clamp-tarball/src/main/resources/etc/ClRuntimeParameters.yaml +++ b/packages/policy-clamp-tarball/src/main/resources/etc/ClRuntimeParameters.yaml @@ -1,7 +1,7 @@ spring: security: user: - name: healthcheck + name: runtimeUser password: zb!XztG34 http: converters: diff --git a/packages/policy-clamp-tarball/src/main/resources/etc/HttpParticipantParameters.yaml b/packages/policy-clamp-tarball/src/main/resources/etc/HttpParticipantParameters.yaml index be421fcae..b13059a69 100644 --- a/packages/policy-clamp-tarball/src/main/resources/etc/HttpParticipantParameters.yaml +++ b/packages/policy-clamp-tarball/src/main/resources/etc/HttpParticipantParameters.yaml @@ -1,3 +1,10 @@ +spring: + security: + user: + name: participantUser + password: zb!XztG34 +security: + enable-csrf: false participant: intermediaryParameters: reportingTimeIntervalMs: 120000 @@ -22,3 +29,12 @@ participant: - ${topicServer:message-router} topicCommInfrastructure: dmaap useHttps: true +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus +server: + port: 8084 + servlet: + context-path: /onap/httpparticipant diff --git a/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml b/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml index d605cfa1d..3b0a97113 100644 --- a/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml +++ b/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml @@ -1,7 +1,7 @@ spring: security: user: - name: healthcheck + name: participantUser password: zb!XztG34 security: enable-csrf: false @@ -39,10 +39,8 @@ management: endpoints: web: exposure: - include: "loggers,logfile,health,info,metrics,threaddump,heapdump" + include: health, metrics, prometheus server: - # Configuration of the HTTP/REST server. The parameters are defined and handled by the springboot framework. - # See springboot documentation. port: 8083 servlet: context-path: /onap/k8sparticipant diff --git a/packages/policy-clamp-tarball/src/main/resources/etc/PolicyParticipantParameters.yaml b/packages/policy-clamp-tarball/src/main/resources/etc/PolicyParticipantParameters.yaml index 625b15b89..b357ae424 100644 --- a/packages/policy-clamp-tarball/src/main/resources/etc/PolicyParticipantParameters.yaml +++ b/packages/policy-clamp-tarball/src/main/resources/etc/PolicyParticipantParameters.yaml @@ -1,3 +1,8 @@ +spring: + security: + user: + name: participantUser + password: zb!XztG34 participant: pdpGroup: defaultGroup @@ -43,3 +48,12 @@ participant: - ${topicServer:message-router} topicCommInfrastructure: dmaap useHttps: true +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus +server: + port: 8085 + servlet: + context-path: /onap/policyparticipant diff --git a/participant/participant-impl/participant-impl-http/src/main/java/org/onap/policy/clamp/controlloop/participant/http/config/SecurityConfig.java b/participant/participant-impl/participant-impl-http/src/main/java/org/onap/policy/clamp/controlloop/participant/http/config/SecurityConfig.java new file mode 100644 index 000000000..499bbe153 --- /dev/null +++ b/participant/participant-impl/participant-impl-http/src/main/java/org/onap/policy/clamp/controlloop/participant/http/config/SecurityConfig.java @@ -0,0 +1,45 @@ +/*- + * ========================LICENSE_START================================= + * Copyright (C) 2021 Nordix Foundation. All rights reserved. + * ====================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ========================LICENSE_END=================================== + */ + +package org.onap.policy.clamp.controlloop.participant.http.config; + +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + +@Configuration +public class SecurityConfig extends WebSecurityConfigurerAdapter { + + @Value("${security.enable-csrf:true}") + private boolean csrfEnabled = true; + + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http.authorizeRequests() + .antMatchers().authenticated() + .anyRequest().authenticated() + .and().httpBasic(); + // @formatter:on + + if (!csrfEnabled) { + http.csrf().disable(); + } + } +} diff --git a/participant/participant-impl/participant-impl-http/src/main/resources/config/application.yaml b/participant/participant-impl/participant-impl-http/src/main/resources/config/application.yaml index 664c6e878..df0ad7df3 100644 --- a/participant/participant-impl/participant-impl-http/src/main/resources/config/application.yaml +++ b/participant/participant-impl/participant-impl-http/src/main/resources/config/application.yaml @@ -1,3 +1,10 @@ +spring: + security: + user: + name: participantUser + password: zb!XztG34 +security: + enable-csrf: false participant: intermediaryParameters: reportingTimeIntervalMs: 120000 @@ -20,3 +27,12 @@ participant: servers: - ${topicServer:message-router} topicCommInfrastructure: dmaap +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus +server: + port: 8084 + servlet: + context-path: /onap/httpparticipant diff --git a/participant/participant-impl/participant-impl-http/src/test/java/handler/ClElementHandlerTest.java b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/handler/ClElementHandlerTest.java index d1556ea08..d80436ef3 100644 --- a/participant/participant-impl/participant-impl-http/src/test/java/handler/ClElementHandlerTest.java +++ b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/handler/ClElementHandlerTest.java @@ -18,7 +18,7 @@ * ============LICENSE_END========================================================= */ -package handler; +package org.onap.policy.clamp.controlloop.participant.http.handler; import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; import static org.mockito.ArgumentMatchers.any; @@ -33,13 +33,14 @@ import org.mockito.Mock; import org.mockito.Spy; import org.onap.policy.clamp.controlloop.models.controlloop.concepts.ControlLoopElement; import org.onap.policy.clamp.controlloop.participant.http.main.handler.ControlLoopElementHandler; +import org.onap.policy.clamp.controlloop.participant.http.utils.CommonTestData; +import org.onap.policy.clamp.controlloop.participant.http.utils.ToscaUtils; import org.onap.policy.clamp.controlloop.participant.intermediary.api.ParticipantIntermediaryApi; import org.onap.policy.common.utils.coder.CoderException; import org.onap.policy.models.tosca.authorative.concepts.ToscaNodeTemplate; import org.onap.policy.models.tosca.authorative.concepts.ToscaServiceTemplate; import org.springframework.test.context.junit.jupiter.SpringExtension; -import utils.CommonTestData; -import utils.ToscaUtils; + @ExtendWith(SpringExtension.class) class ClElementHandlerTest { diff --git a/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/rest/ActuatorControllerTest.java b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/rest/ActuatorControllerTest.java new file mode 100644 index 000000000..8efff8f6a --- /dev/null +++ b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/rest/ActuatorControllerTest.java @@ -0,0 +1,92 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.clamp.controlloop.participant.http.rest; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +import javax.ws.rs.client.Invocation; +import javax.ws.rs.core.Response; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.onap.policy.clamp.controlloop.participant.http.utils.CommonActuatorController; +import org.springframework.boot.test.autoconfigure.actuate.metrics.AutoConfigureMetrics; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.context.SpringBootTest.WebEnvironment; +import org.springframework.boot.web.server.LocalServerPort; +import org.springframework.test.context.TestPropertySource; +import org.springframework.test.context.junit.jupiter.SpringExtension; + +@AutoConfigureMetrics +@ExtendWith(SpringExtension.class) +@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) +@TestPropertySource(locations = {"classpath:application_test.properties"}) +class ActuatorControllerTest extends CommonActuatorController { + + private static final String HEALTH_ENDPOINT = "health"; + private static final String METRICS_ENDPOINT = "metrics"; + private static final String PROMETHEUS_ENDPOINT = "prometheus"; + + @LocalServerPort + private int randomServerPort; + + @BeforeEach + public void setUpPort() { + super.setHttpPrefix(randomServerPort); + } + + @Test + void testGetHealth_Unauthorized() throws Exception { + assertUnauthorizedActGet(HEALTH_ENDPOINT); + } + + @Test + void testGetMetrics_Unauthorized() throws Exception { + assertUnauthorizedActGet(METRICS_ENDPOINT); + } + + @Test + void testGetPrometheus_Unauthorized() throws Exception { + assertUnauthorizedActGet(PROMETHEUS_ENDPOINT); + } + + @Test + void testGetHealth() throws Exception { + Invocation.Builder invocationBuilder = super.sendActRequest(HEALTH_ENDPOINT); + Response rawresp = invocationBuilder.buildGet().invoke(); + assertEquals(Response.Status.OK.getStatusCode(), rawresp.getStatus()); + } + + @Test + void testGetMetrics() throws Exception { + Invocation.Builder invocationBuilder = super.sendActRequest(METRICS_ENDPOINT); + Response rawresp = invocationBuilder.buildGet().invoke(); + assertEquals(Response.Status.OK.getStatusCode(), rawresp.getStatus()); + } + + @Test + void testGePrometheus() throws Exception { + Invocation.Builder invocationBuilder = super.sendActRequest(PROMETHEUS_ENDPOINT); + Response rawresp = invocationBuilder.buildGet().invoke(); + assertEquals(Response.Status.OK.getStatusCode(), rawresp.getStatus()); + } + +} diff --git a/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/utils/CommonActuatorController.java b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/utils/CommonActuatorController.java new file mode 100644 index 000000000..5ebce8126 --- /dev/null +++ b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/utils/CommonActuatorController.java @@ -0,0 +1,114 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.clamp.controlloop.participant.http.utils; + +import static org.junit.Assert.assertEquals; + +import javax.ws.rs.client.Client; +import javax.ws.rs.client.ClientBuilder; +import javax.ws.rs.client.Invocation; +import javax.ws.rs.client.WebTarget; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; +import org.glassfish.jersey.client.ClientProperties; +import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature; +import org.onap.policy.common.gson.GsonMessageBodyHandler; +import org.onap.policy.common.utils.network.NetworkUtil; + +/** + * Class to perform Rest unit tests. + * + */ +public class CommonActuatorController { + + public static final String SELF = NetworkUtil.getHostname(); + public static final String CONTEXT_PATH = "onap/httpparticipant"; + public static final String ACTUATOR_ENDPOINT = CONTEXT_PATH + "/actuator/"; + + private static String httpPrefix; + + /** + * Sends a request to an actuator endpoint. + * + * @param endpoint the target endpoint + * @return a request builder + * @throws Exception if an error occurs + */ + protected Invocation.Builder sendActRequest(final String endpoint) throws Exception { + return sendFqeRequest(httpPrefix + ACTUATOR_ENDPOINT + endpoint, true); + } + + /** + * Sends a request to an actuator endpoint, without any authorization header. + * + * @param endpoint the target endpoint + * @return a request builder + * @throws Exception if an error occurs + */ + protected Invocation.Builder sendNoAuthActRequest(final String endpoint) throws Exception { + return sendFqeRequest(httpPrefix + ACTUATOR_ENDPOINT + endpoint, false); + } + + /** + * Sends a request to a fully qualified endpoint. + * + * @param fullyQualifiedEndpoint the fully qualified target endpoint + * @param includeAuth if authorization header should be included + * @return a request builder + * @throws Exception if an error occurs + */ + protected Invocation.Builder sendFqeRequest(final String fullyQualifiedEndpoint, boolean includeAuth) + throws Exception { + final Client client = ClientBuilder.newBuilder().build(); + + client.property(ClientProperties.METAINF_SERVICES_LOOKUP_DISABLE, "true"); + client.register(GsonMessageBodyHandler.class); + + if (includeAuth) { + client.register(HttpAuthenticationFeature.basic("participantUser", "zb!XztG34")); + } + + final WebTarget webTarget = client.target(fullyQualifiedEndpoint); + + return webTarget.request(MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN); + } + + /** + * Assert that GET call to actuator endpoint is Unauthorized. + * + * @param endPoint the endpoint + * @throws Exception if an error occurs + */ + protected void assertUnauthorizedActGet(final String endPoint) throws Exception { + Response rawresp = sendNoAuthActRequest(endPoint).buildGet().invoke(); + assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), rawresp.getStatus()); + } + + /** + * Set Up httpPrefix. + * + * @param port the port + */ + protected void setHttpPrefix(int port) { + httpPrefix = "http://" + SELF + ":" + port + "/"; + } + +} diff --git a/participant/participant-impl/participant-impl-http/src/test/java/utils/CommonTestData.java b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/utils/CommonTestData.java index 0ebf9212a..1f92a86e0 100644 --- a/participant/participant-impl/participant-impl-http/src/test/java/utils/CommonTestData.java +++ b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/utils/CommonTestData.java @@ -19,7 +19,7 @@ * ============LICENSE_END========================================================= */ -package utils; +package org.onap.policy.clamp.controlloop.participant.http.utils; import java.util.List; import java.util.Map; diff --git a/participant/participant-impl/participant-impl-http/src/test/java/utils/ToscaUtils.java b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/utils/ToscaUtils.java index 0bad5ed96..fdba28c0e 100644 --- a/participant/participant-impl/participant-impl-http/src/test/java/utils/ToscaUtils.java +++ b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/utils/ToscaUtils.java @@ -18,7 +18,7 @@ * ============LICENSE_END========================================================= */ -package utils; +package org.onap.policy.clamp.controlloop.participant.http.utils; import lombok.AccessLevel; import lombok.NoArgsConstructor; diff --git a/participant/participant-impl/participant-impl-http/src/test/java/webclient/ClHttpClientTest.java b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/webclient/ClHttpClientTest.java index cf9619d41..e3ff9dbba 100644 --- a/participant/participant-impl/participant-impl-http/src/test/java/webclient/ClHttpClientTest.java +++ b/participant/participant-impl/participant-impl-http/src/test/java/org/onap/policy/clamp/controlloop/participant/http/webclient/ClHttpClientTest.java @@ -18,7 +18,7 @@ * ============LICENSE_END========================================================= */ -package webclient; +package org.onap.policy.clamp.controlloop.participant.http.webclient; import static org.assertj.core.api.Assertions.assertThat; import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; @@ -41,10 +41,10 @@ import org.mockserver.model.Parameter; import org.onap.policy.clamp.controlloop.participant.http.main.models.ConfigRequest; import org.onap.policy.clamp.controlloop.participant.http.main.models.ConfigurationEntity; import org.onap.policy.clamp.controlloop.participant.http.main.webclient.ClHttpClient; +import org.onap.policy.clamp.controlloop.participant.http.utils.CommonTestData; import org.onap.policy.common.utils.network.NetworkUtil; import org.onap.policy.models.tosca.authorative.concepts.ToscaConceptIdentifier; import org.springframework.test.context.junit.jupiter.SpringExtension; -import utils.CommonTestData; @ExtendWith(SpringExtension.class) class ClHttpClientTest { diff --git a/participant/participant-impl/participant-impl-http/src/test/resources/application_test.properties b/participant/participant-impl/participant-impl-http/src/test/resources/application_test.properties new file mode 100644 index 000000000..698a965b8 --- /dev/null +++ b/participant/participant-impl/participant-impl-http/src/test/resources/application_test.properties @@ -0,0 +1,24 @@ +spring.security.user.name=participantUser +spring.security.user.password=zb!XztG34 + +server.servlet.context-path=/onap/httpparticipant +server.error.path=/error +server.http-port=8084 + +participant.name=ControlLoopParticipant Http Test +participant.intermediaryParameters.name=Participant parameters +participant.intermediaryParameters.reportingTimeInterval=120000 +participant.intermediaryParameters.description=Participant Description +participant.intermediaryParameters.participantId.name=HttpParticipant0 +participant.intermediaryParameters.participantId.version=1.0.0 +participant.intermediaryParameters.participantType.name=org.onap.k8s.controlloop.HttpControlLoopParticipant +participant.intermediaryParameters.participantType.version=2.3.4 +participant.intermediaryParameters.clampControlLoopTopics.name=ControlLoop Topics +participant.intermediaryParameters.clampControlLoopTopics.topicSources[0].topic=POLICY-CLRUNTIME-PARTICIPANT +participant.intermediaryParameters.clampControlLoopTopics.topicSources[0].servers[0]=localhost +participant.intermediaryParameters.clampControlLoopTopics.topicSources[0].topicCommInfrastructure=dmaap +participant.intermediaryParameters.clampControlLoopTopics.topicSources[0].fetchTimeout=15000 +participant.intermediaryParameters.clampControlLoopTopics.topicSinks[0].topic=POLICY-CLRUNTIME-PARTICIPANT +participant.intermediaryParameters.clampControlLoopTopics.topicSinks[0].servers[0]=localhost +participant.intermediaryParameters.clampControlLoopTopics.topicSinks[0].topicCommInfrastructure=dmaap +management.endpoints.web.exposure.include=health,metrics,prometheus diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml b/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml index e1693318e..f77153a25 100644 --- a/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml +++ b/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml @@ -1,7 +1,7 @@ spring: security: user: - name: healthcheck + name: participantUser password: zb!XztG34 security: enable-csrf: false @@ -37,10 +37,8 @@ management: endpoints: web: exposure: - include: "loggers,logfile,health,info,metrics,threaddump,heapdump" + include: health, metrics, prometheus server: - # Configuration of the HTTP/REST server. The parameters are defined and handled by the springboot framework. - # See springboot documentation. port: 8083 servlet: context-path: /onap/k8sparticipant diff --git a/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/controlloop/participant/kubernetes/rest/ActuatorControllerTest.java b/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/controlloop/participant/kubernetes/rest/ActuatorControllerTest.java new file mode 100644 index 000000000..1442e9f1f --- /dev/null +++ b/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/controlloop/participant/kubernetes/rest/ActuatorControllerTest.java @@ -0,0 +1,92 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.clamp.controlloop.participant.kubernetes.rest; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +import javax.ws.rs.client.Invocation; +import javax.ws.rs.core.Response; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.onap.policy.clamp.controlloop.participant.kubernetes.utils.CommonActuatorController; +import org.springframework.boot.test.autoconfigure.actuate.metrics.AutoConfigureMetrics; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.context.SpringBootTest.WebEnvironment; +import org.springframework.boot.web.server.LocalServerPort; +import org.springframework.test.context.TestPropertySource; +import org.springframework.test.context.junit.jupiter.SpringExtension; + +@AutoConfigureMetrics +@ExtendWith(SpringExtension.class) +@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) +@TestPropertySource(locations = {"classpath:application_test.properties"}) +class ActuatorControllerTest extends CommonActuatorController { + + private static final String HEALTH_ENDPOINT = "health"; + private static final String METRICS_ENDPOINT = "metrics"; + private static final String PROMETHEUS_ENDPOINT = "prometheus"; + + @LocalServerPort + private int randomServerPort; + + @BeforeEach + public void setUpPort() { + super.setHttpPrefix(randomServerPort); + } + + @Test + void testGetHealth_Unauthorized() throws Exception { + assertUnauthorizedActGet(HEALTH_ENDPOINT); + } + + @Test + void testGetMetrics_Unauthorized() throws Exception { + assertUnauthorizedActGet(METRICS_ENDPOINT); + } + + @Test + void testGetPrometheus_Unauthorized() throws Exception { + assertUnauthorizedActGet(PROMETHEUS_ENDPOINT); + } + + @Test + void testGetHealth() throws Exception { + Invocation.Builder invocationBuilder = super.sendActRequest(HEALTH_ENDPOINT); + Response rawresp = invocationBuilder.buildGet().invoke(); + assertEquals(Response.Status.OK.getStatusCode(), rawresp.getStatus()); + } + + @Test + void testGetMetrics() throws Exception { + Invocation.Builder invocationBuilder = super.sendActRequest(METRICS_ENDPOINT); + Response rawresp = invocationBuilder.buildGet().invoke(); + assertEquals(Response.Status.OK.getStatusCode(), rawresp.getStatus()); + } + + @Test + void testGePrometheus() throws Exception { + Invocation.Builder invocationBuilder = super.sendActRequest(PROMETHEUS_ENDPOINT); + Response rawresp = invocationBuilder.buildGet().invoke(); + assertEquals(Response.Status.OK.getStatusCode(), rawresp.getStatus()); + } + +} diff --git a/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/controlloop/participant/kubernetes/utils/CommonActuatorController.java b/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/controlloop/participant/kubernetes/utils/CommonActuatorController.java new file mode 100644 index 000000000..35ffbb5e9 --- /dev/null +++ b/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/controlloop/participant/kubernetes/utils/CommonActuatorController.java @@ -0,0 +1,114 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.clamp.controlloop.participant.kubernetes.utils; + +import static org.junit.Assert.assertEquals; + +import javax.ws.rs.client.Client; +import javax.ws.rs.client.ClientBuilder; +import javax.ws.rs.client.Invocation; +import javax.ws.rs.client.WebTarget; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; +import org.glassfish.jersey.client.ClientProperties; +import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature; +import org.onap.policy.common.gson.GsonMessageBodyHandler; +import org.onap.policy.common.utils.network.NetworkUtil; + +/** + * Class to perform Rest unit tests. + * + */ +public class CommonActuatorController { + + public static final String SELF = NetworkUtil.getHostname(); + public static final String CONTEXT_PATH = "onap/k8sparticipant"; + public static final String ACTUATOR_ENDPOINT = CONTEXT_PATH + "/actuator/"; + + private static String httpPrefix; + + /** + * Sends a request to an actuator endpoint. + * + * @param endpoint the target endpoint + * @return a request builder + * @throws Exception if an error occurs + */ + protected Invocation.Builder sendActRequest(final String endpoint) throws Exception { + return sendFqeRequest(httpPrefix + ACTUATOR_ENDPOINT + endpoint, true); + } + + /** + * Sends a request to an actuator endpoint, without any authorization header. + * + * @param endpoint the target endpoint + * @return a request builder + * @throws Exception if an error occurs + */ + protected Invocation.Builder sendNoAuthActRequest(final String endpoint) throws Exception { + return sendFqeRequest(httpPrefix + ACTUATOR_ENDPOINT + endpoint, false); + } + + /** + * Sends a request to a fully qualified endpoint. + * + * @param fullyQualifiedEndpoint the fully qualified target endpoint + * @param includeAuth if authorization header should be included + * @return a request builder + * @throws Exception if an error occurs + */ + protected Invocation.Builder sendFqeRequest(final String fullyQualifiedEndpoint, boolean includeAuth) + throws Exception { + final Client client = ClientBuilder.newBuilder().build(); + + client.property(ClientProperties.METAINF_SERVICES_LOOKUP_DISABLE, "true"); + client.register(GsonMessageBodyHandler.class); + + if (includeAuth) { + client.register(HttpAuthenticationFeature.basic("participantUser", "zb!XztG34")); + } + + final WebTarget webTarget = client.target(fullyQualifiedEndpoint); + + return webTarget.request(MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN); + } + + /** + * Assert that GET call to actuator endpoint is Unauthorized. + * + * @param endPoint the endpoint + * @throws Exception if an error occurs + */ + protected void assertUnauthorizedActGet(final String endPoint) throws Exception { + Response rawresp = sendNoAuthActRequest(endPoint).buildGet().invoke(); + assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), rawresp.getStatus()); + } + + /** + * Set Up httpPrefix. + * + * @param port the port + */ + protected void setHttpPrefix(int port) { + httpPrefix = "http://" + SELF + ":" + port + "/"; + } + +} diff --git a/participant/participant-impl/participant-impl-kubernetes/src/test/resources/application_test.properties b/participant/participant-impl/participant-impl-kubernetes/src/test/resources/application_test.properties index 5c61535a7..b5b209fd1 100644 --- a/participant/participant-impl/participant-impl-kubernetes/src/test/resources/application_test.properties +++ b/participant/participant-impl/participant-impl-kubernetes/src/test/resources/application_test.properties @@ -1,7 +1,7 @@ -spring.security.user.name=healthcheck +spring.security.user.name=participantUser spring.security.user.password=zb!XztG34 -server.servlet.context-path=/onap/participantsim +server.servlet.context-path=/onap/k8sparticipant server.error.path=/error server.http-port=8083 @@ -21,3 +21,4 @@ participant.intermediaryParameters.clampControlLoopTopics.topicSources[0].fetchT participant.intermediaryParameters.clampControlLoopTopics.topicSinks[0].topic=POLICY-CLRUNTIME-PARTICIPANT participant.intermediaryParameters.clampControlLoopTopics.topicSinks[0].servers[0]=localhost participant.intermediaryParameters.clampControlLoopTopics.topicSinks[0].topicCommInfrastructure=dmaap +management.endpoints.web.exposure.include=health,metrics,prometheus diff --git a/participant/participant-impl/participant-impl-policy/src/main/java/org/onap/policy/clamp/controlloop/participant/policy/config/SecurityConfig.java b/participant/participant-impl/participant-impl-policy/src/main/java/org/onap/policy/clamp/controlloop/participant/policy/config/SecurityConfig.java new file mode 100644 index 000000000..4ee8c41b0 --- /dev/null +++ b/participant/participant-impl/participant-impl-policy/src/main/java/org/onap/policy/clamp/controlloop/participant/policy/config/SecurityConfig.java @@ -0,0 +1,45 @@ +/*- + * ========================LICENSE_START================================= + * Copyright (C) 2021 Nordix Foundation. All rights reserved. + * ====================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ========================LICENSE_END=================================== + */ + +package org.onap.policy.clamp.controlloop.participant.policy.config; + +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + +@Configuration +public class SecurityConfig extends WebSecurityConfigurerAdapter { + + @Value("${security.enable-csrf:true}") + private boolean csrfEnabled = true; + + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http.authorizeRequests() + .antMatchers().authenticated() + .anyRequest().authenticated() + .and().httpBasic(); + // @formatter:on + + if (!csrfEnabled) { + http.csrf().disable(); + } + } +} diff --git a/participant/participant-impl/participant-impl-policy/src/main/resources/config/application.yaml b/participant/participant-impl/participant-impl-policy/src/main/resources/config/application.yaml index 62f8920a4..5839aae66 100644 --- a/participant/participant-impl/participant-impl-policy/src/main/resources/config/application.yaml +++ b/participant/participant-impl/participant-impl-policy/src/main/resources/config/application.yaml @@ -1,5 +1,8 @@ -server: - port: 8082 +spring: + security: + user: + name: participantUser + password: zb!XztG34 participant: pdpGroup: defaultGroup @@ -43,3 +46,12 @@ participant: servers: - ${topicServer:localhost} topicCommInfrastructure: dmaap +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus +server: + port: 8085 + servlet: + context-path: /onap/policyparticipant diff --git a/participant/participant-impl/participant-impl-policy/src/test/java/org/onap/policy/clamp/controlloop/participant/policy/main/rest/ActuatorControllerTest.java b/participant/participant-impl/participant-impl-policy/src/test/java/org/onap/policy/clamp/controlloop/participant/policy/main/rest/ActuatorControllerTest.java new file mode 100644 index 000000000..9cc16e287 --- /dev/null +++ b/participant/participant-impl/participant-impl-policy/src/test/java/org/onap/policy/clamp/controlloop/participant/policy/main/rest/ActuatorControllerTest.java @@ -0,0 +1,92 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.clamp.controlloop.participant.policy.main.rest; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +import javax.ws.rs.client.Invocation; +import javax.ws.rs.core.Response; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.onap.policy.clamp.controlloop.participant.policy.main.utils.CommonActuatorController; +import org.springframework.boot.test.autoconfigure.actuate.metrics.AutoConfigureMetrics; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.context.SpringBootTest.WebEnvironment; +import org.springframework.boot.web.server.LocalServerPort; +import org.springframework.test.context.TestPropertySource; +import org.springframework.test.context.junit.jupiter.SpringExtension; + +@AutoConfigureMetrics +@ExtendWith(SpringExtension.class) +@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) +@TestPropertySource(locations = {"classpath:application_test.properties"}) +class ActuatorControllerTest extends CommonActuatorController { + + private static final String HEALTH_ENDPOINT = "health"; + private static final String METRICS_ENDPOINT = "metrics"; + private static final String PROMETHEUS_ENDPOINT = "prometheus"; + + @LocalServerPort + private int randomServerPort; + + @BeforeEach + public void setUpPort() { + super.setHttpPrefix(randomServerPort); + } + + @Test + void testGetHealth_Unauthorized() throws Exception { + assertUnauthorizedActGet(HEALTH_ENDPOINT); + } + + @Test + void testGetMetrics_Unauthorized() throws Exception { + assertUnauthorizedActGet(METRICS_ENDPOINT); + } + + @Test + void testGetPrometheus_Unauthorized() throws Exception { + assertUnauthorizedActGet(PROMETHEUS_ENDPOINT); + } + + @Test + void testGetHealth() throws Exception { + Invocation.Builder invocationBuilder = super.sendActRequest(HEALTH_ENDPOINT); + Response rawresp = invocationBuilder.buildGet().invoke(); + assertEquals(Response.Status.OK.getStatusCode(), rawresp.getStatus()); + } + + @Test + void testGetMetrics() throws Exception { + Invocation.Builder invocationBuilder = super.sendActRequest(METRICS_ENDPOINT); + Response rawresp = invocationBuilder.buildGet().invoke(); + assertEquals(Response.Status.OK.getStatusCode(), rawresp.getStatus()); + } + + @Test + void testGePrometheus() throws Exception { + Invocation.Builder invocationBuilder = super.sendActRequest(PROMETHEUS_ENDPOINT); + Response rawresp = invocationBuilder.buildGet().invoke(); + assertEquals(Response.Status.OK.getStatusCode(), rawresp.getStatus()); + } + +} diff --git a/participant/participant-impl/participant-impl-policy/src/test/java/org/onap/policy/clamp/controlloop/participant/policy/main/utils/CommonActuatorController.java b/participant/participant-impl/participant-impl-policy/src/test/java/org/onap/policy/clamp/controlloop/participant/policy/main/utils/CommonActuatorController.java new file mode 100644 index 000000000..ec6e30918 --- /dev/null +++ b/participant/participant-impl/participant-impl-policy/src/test/java/org/onap/policy/clamp/controlloop/participant/policy/main/utils/CommonActuatorController.java @@ -0,0 +1,114 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.clamp.controlloop.participant.policy.main.utils; + +import static org.junit.Assert.assertEquals; + +import javax.ws.rs.client.Client; +import javax.ws.rs.client.ClientBuilder; +import javax.ws.rs.client.Invocation; +import javax.ws.rs.client.WebTarget; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; +import org.glassfish.jersey.client.ClientProperties; +import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature; +import org.onap.policy.common.gson.GsonMessageBodyHandler; +import org.onap.policy.common.utils.network.NetworkUtil; + +/** + * Class to perform Rest unit tests. + * + */ +public class CommonActuatorController { + + public static final String SELF = NetworkUtil.getHostname(); + public static final String CONTEXT_PATH = "onap/policyparticipant"; + public static final String ACTUATOR_ENDPOINT = CONTEXT_PATH + "/actuator/"; + + private static String httpPrefix; + + /** + * Sends a request to an actuator endpoint. + * + * @param endpoint the target endpoint + * @return a request builder + * @throws Exception if an error occurs + */ + protected Invocation.Builder sendActRequest(final String endpoint) throws Exception { + return sendFqeRequest(httpPrefix + ACTUATOR_ENDPOINT + endpoint, true); + } + + /** + * Sends a request to an actuator endpoint, without any authorization header. + * + * @param endpoint the target endpoint + * @return a request builder + * @throws Exception if an error occurs + */ + protected Invocation.Builder sendNoAuthActRequest(final String endpoint) throws Exception { + return sendFqeRequest(httpPrefix + ACTUATOR_ENDPOINT + endpoint, false); + } + + /** + * Sends a request to a fully qualified endpoint. + * + * @param fullyQualifiedEndpoint the fully qualified target endpoint + * @param includeAuth if authorization header should be included + * @return a request builder + * @throws Exception if an error occurs + */ + protected Invocation.Builder sendFqeRequest(final String fullyQualifiedEndpoint, boolean includeAuth) + throws Exception { + final Client client = ClientBuilder.newBuilder().build(); + + client.property(ClientProperties.METAINF_SERVICES_LOOKUP_DISABLE, "true"); + client.register(GsonMessageBodyHandler.class); + + if (includeAuth) { + client.register(HttpAuthenticationFeature.basic("participantUser", "zb!XztG34")); + } + + final WebTarget webTarget = client.target(fullyQualifiedEndpoint); + + return webTarget.request(MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN); + } + + /** + * Assert that GET call to actuator endpoint is Unauthorized. + * + * @param endPoint the endpoint + * @throws Exception if an error occurs + */ + protected void assertUnauthorizedActGet(final String endPoint) throws Exception { + Response rawresp = sendNoAuthActRequest(endPoint).buildGet().invoke(); + assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), rawresp.getStatus()); + } + + /** + * Set Up httpPrefix. + * + * @param port the port + */ + protected void setHttpPrefix(int port) { + httpPrefix = "http://" + SELF + ":" + port + "/"; + } + +} diff --git a/participant/participant-impl/participant-impl-policy/src/test/resources/application_test.properties b/participant/participant-impl/participant-impl-policy/src/test/resources/application_test.properties index 70d52b413..f857704d3 100644 --- a/participant/participant-impl/participant-impl-policy/src/test/resources/application_test.properties +++ b/participant/participant-impl/participant-impl-policy/src/test/resources/application_test.properties @@ -1,5 +1,8 @@ -server.servlet.context-path=/onap/participantsim +spring.security.user.name=participantUser +spring.security.user.password=zb!XztG34 +server.servlet.context-path=/onap/policyparticipant server.error.path=/error +server.http-port=8085 participant.policyApiParameters.clientName=api participant.policyApiParameters.hostname=localhost @@ -22,3 +25,4 @@ participant.intermediaryParameters.clampControlLoopTopics.topicSources[0].fetchT participant.intermediaryParameters.clampControlLoopTopics.topicSinks[0].topic=POLICY-CLRUNTIME-PARTICIPANT participant.intermediaryParameters.clampControlLoopTopics.topicSinks[0].servers[0]=localhost participant.intermediaryParameters.clampControlLoopTopics.topicSinks[0].topicCommInfrastructure=dmaap +management.endpoints.web.exposure.include=health,metrics,prometheus diff --git a/participant/pom.xml b/participant/pom.xml index 1134239cd..e679bb227 100644 --- a/participant/pom.xml +++ b/participant/pom.xml @@ -100,6 +100,17 @@ </exclusion> </exclusions> </dependency> + <!-- Actuator dependencies for participants added here to avoid http security conflicts in clamp/runtime --> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-actuator</artifactId> + <version>${version.springboot}</version> + </dependency> + <dependency> + <groupId>io.micrometer</groupId> + <artifactId>micrometer-registry-prometheus</artifactId> + <version>${version.io.micrometer}</version> + </dependency> </dependencies> <build> diff --git a/runtime-controlloop/src/main/resources/application.yaml b/runtime-controlloop/src/main/resources/application.yaml index c4fc77b4d..bae4b9695 100644 --- a/runtime-controlloop/src/main/resources/application.yaml +++ b/runtime-controlloop/src/main/resources/application.yaml @@ -1,7 +1,7 @@ spring: security: user: - name: healthcheck + name: runtimeUser password: zb!XztG34 http: converters: diff --git a/runtime-controlloop/src/test/java/org/onap/policy/clamp/controlloop/runtime/util/rest/CommonRestController.java b/runtime-controlloop/src/test/java/org/onap/policy/clamp/controlloop/runtime/util/rest/CommonRestController.java index ccac0c63b..70b0608d6 100644 --- a/runtime-controlloop/src/test/java/org/onap/policy/clamp/controlloop/runtime/util/rest/CommonRestController.java +++ b/runtime-controlloop/src/test/java/org/onap/policy/clamp/controlloop/runtime/util/rest/CommonRestController.java @@ -121,7 +121,7 @@ public class CommonRestController { client.register(GsonMessageBodyHandler.class); if (includeAuth) { - client.register(HttpAuthenticationFeature.basic("healthcheck", "zb!XztG34")); + client.register(HttpAuthenticationFeature.basic("runtimeUser", "zb!XztG34")); } final WebTarget webTarget = client.target(fullyQualifiedEndpoint); diff --git a/runtime-controlloop/src/test/resources/application_test.properties b/runtime-controlloop/src/test/resources/application_test.properties index 190281415..26822db44 100644 --- a/runtime-controlloop/src/test/resources/application_test.properties +++ b/runtime-controlloop/src/test/resources/application_test.properties @@ -1,4 +1,4 @@ -spring.security.user.name=healthcheck +spring.security.user.name=runtimeUser spring.security.user.password=zb!XztG34 security.enable-csrf=false |