author | muraliparthatechm <muraliparthasarathy.k@techmahindra.com> | 2024-12-18 18:15:17 +0100 |
---|---|---|
committer | muraliparthatechm <muraliparthasarathy.k@techmahindra.com> | 2024-12-19 13:39:05 +0100 |
commit | 32fd1f3c1e22dbeb69e3cc150a6fb1b72ea0ed53 (patch) | |
tree | a068657e6b3d7f87506a30f4ec3ce639cf06c5bc | |
parent | 522cfc28114b076fbcb1da8b2a16894e647ed10c (diff) |
Issue-ID: POLICY-5211
Change-Id: I8b75e6e850fae171fbc75fc67cb59171a78df4e0
Signed-off-by: muraliparthatechm <muraliparthasarathy.k@techmahindra.com>
32 files changed, 829 insertions, 2 deletions
diff --git a/compose/compose.yaml b/compose/compose.yaml index a151ad42..6d1abad0 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -130,6 +130,34 @@ services: 'kafka', '9092' ] + + opa-pdp: + image: ${CONTAINER_LOCATION}onap/policy-opa-pdp:${POLICY_OPA_PDP_VERSION} + container_name: policy-opa-pdp + depends_on: + - kafka + - pap + hostname: policy-opa-pdp + volumes: + - ./config/opa-pdp/config.json:/app/config/config.json:ro + - ./config/opa-pdp/policy-opa-pdp.sh:/app/policy-opa-pdp.sh:ro + - ./wait_for_port.sh:/app/wait_for_port.sh + - type: bind + source: ./config/opa-pdp/policies + target: /opt/policies + - type: bind + source: ./config/opa-pdp/data + target: /opt/data + env_file: "./config/opa-pdp/opa-pdp.env" + entrypoint: sh wait_for_port.sh + command: [ + '-c', './policy-opa-pdp.sh', + 'kafka', '9092', + 'pap', '6969' + ] + ports: + - ${OPA_PDP_PORT}:8282 + drools-pdp: image: ${CONTAINER_LOCATION}onap/policy-drools:${POLICY_DROOLS_PDP_VERSION} container_name: policy-drools-pdp diff --git a/compose/config/api/apiParameters.yaml b/compose/config/api/apiParameters.yaml index 3d8de256..f6fafa06 100644 --- a/compose/config/api/apiParameters.yaml +++ b/compose/config/api/apiParameters.yaml @@ -69,6 +69,7 @@ policy-preload: - policytypes/onap.policies.controlloop.operational.Common.yaml - policytypes/onap.policies.controlloop.operational.common.Apex.yaml - policytypes/onap.policies.controlloop.operational.common.Drools.yaml + - policytypes/onap.policies.native.opa.yaml policies: - policies/sdnc.policy.naming.input.tosca.yaml diff --git a/compose/config/opa-pdp/config.json b/compose/config/opa-pdp/config.json new file mode 100644 index 00000000..3f2aa437 --- /dev/null +++ b/compose/config/opa-pdp/config.json 
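Review bot: In the new `opa-pdp` service the `./wait_for_port.sh:/app/wait_for_port.sh` mount is the only file mount without `:ro`, and the two long-syntax bind mounts for `./config/opa-pdp/policies` and `./config/opa-pdp/data` carry no `read_only: true`, so the container can write back into the host-side policy and data trees that drive its decisions. The sibling mounts for `config.json` and `policy-opa-pdp.sh` are read-only and nothing in the hunk shows the PDP needing to modify those directories, so add `:ro` to the script mount and `read_only: true` to each bind entry unless the image is known to write there. Note that `depends_on` only orders container start; the `wait_for_port.sh` entrypoint is what actually gates on `kafka:9092` and `pap:6969`.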
@@ -0,0 +1,24 @@
+{
+ "logging": {
+ "level": "debug"
+ },
+ "services": [
+ {
+ "name": "opa-bundle-server",
+ "url": "http://localhost:8282/opa/bundles"
+ }
+ ],
+ "bundles": {
+ "opabundle": {
+ "service": "opa-bundle-server",
+ "resource": "bundle.tar.gz",
+ "polling": {
+ "min_delay_seconds": 60,
+ "max_delay_seconds": 120
+ }
+ }
+ },
+ "decision_logs": {
+ "console": true
+ }
+}
diff --git a/compose/config/opa-pdp/data/abac/data.json b/compose/config/opa-pdp/data/abac/data.json
new file mode 100644
index 00000000..77b5668e
--- /dev/null
+++ b/compose/config/opa-pdp/data/abac/data.json
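Review bot: The `opabundle` definition has no `signing` section, so OPA activates whatever `bundle.tar.gz` the `http://localhost:8282/opa/bundles` endpoint returns without verifying a signature; the loopback URL suggests the PDP is serving its own bundle, but if PAP-deployed policies are meant to flow through this path, bundle signature verification is the control that keeps a tampered archive from loading, and that decision should be recorded in a comment-equivalent (a README next to this file, since JSON has no comments). `"decision_logs": {"console": true}` combined with `"level": "debug"` writes every decision, including the full `input` document (which in the CSIT fixtures carries a user identity), to the container log — confirm that is acceptable beyond the CSIT environment. The 60–120 s `polling` window also means a newly served bundle can take up to two minutes to become effective, which the test timing has to allow for.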
@@ -0,0 +1,94 @@ +{ + "sensor_data": [ + { + "id": "0001", + "location": "Sri Lanka", + "temperature": "28 C", + "precipitation": "1000 mm", + "windspeed": "5.5 m/s", + "humidity": "40%", + "particle_density": "1.3 g/l", + "timestamp": "2024-02-26" + }, + { + "id": "0002", + "location": "Colombo", + "temperature": "30 C", + "precipitation": "1200 mm", + "windspeed": "6.0 m/s", + "humidity": "45%", + "particle_density": "1.5 g/l", + "timestamp": "2024-02-26" + }, + { + "id": "0003", + "location": "Kandy", + "temperature": "25 C", + "precipitation": "800 mm", + "windspeed": "4.5 m/s", + "humidity": "60%", + "particle_density": "1.1 g/l", + "timestamp": "2024-02-26" + }, + { + "id": "0004", + "location": "Galle", + "temperature": "35 C", + "precipitation": "500 mm", + "windspeed": "7.2 m/s", + "humidity": "30%", + "particle_density": "1.8 g/l", + "timestamp": "2024-02-27" + }, + { + "id": "0005", + "location": "Jaffna", + "temperature": "-5 C", + "precipitation": "300 mm", + "windspeed": "3.8 m/s", + "humidity": "20%", + "particle_density": "0.9 g/l", + "timestamp": "2024-02-27" + }, + { + "id": "0006", + "location": "Trincomalee", + "temperature": "20 C", + "precipitation": "1000 mm", + "windspeed": "5.0 m/s", + "humidity": "55%", + "particle_density": "1.2 g/l", + "timestamp": "2024-02-28" + }, + { + "id": "0007", + "location": "Nuwara Eliya", + "temperature": "25 C", + "precipitation": "600 mm", + "windspeed": "4.0 m/s", + "humidity": "50%", + "particle_density": "1.3 g/l", + "timestamp": "2024-02-28" + }, + { + "id": "0008", + "location": "Anuradhapura", + "temperature": "28 C", + "precipitation": "700 mm", + "windspeed": "5.8 m/s", + "humidity": "40%", + "particle_density": "1.4 g/l", + "timestamp": "2024-02-29" + }, + { + "id": "0009", + "location": "Matara", + "temperature": "32 C", + "precipitation": "900 mm", + "windspeed": "6.5 m/s", + "humidity": "65%", + "particle_density": "1.6 g/l", + "timestamp": "2024-02-29" + } + ] +} 
diff --git a/compose/config/opa-pdp/data/account/data.json b/compose/config/opa-pdp/data/account/data.json new file mode 100644 index 00000000..df263d36 --- /dev/null +++ b/compose/config/opa-pdp/data/account/data.json @@ -0,0 +1,16 @@ +{ + "account_attributes":{ + "11111":{ + "owner":"alice", + "amount":10000 + }, + "22222":{ + "owner":"bob", + "amount":10000 + }, + "33333":{ + "owner":"cam", + "amount":10000 + } + } +} diff --git a/compose/config/opa-pdp/data/action/data.json b/compose/config/opa-pdp/data/action/data.json new file mode 100644 index 00000000..99145b74 --- /dev/null +++ b/compose/config/opa-pdp/data/action/data.json @@ -0,0 +1,43 @@ +{ + "user_roles": { + "alice": [ + "admin" + ], + "bob": [ + "editor" + ], + "charlie": [ + "viewer" + ] + }, + "role_permissions": { + "admin": { + "actions": [ + "read", + "write", + "delete" + ], + "resources": [ + "server", + "database" + ] + }, + "editor": { + "actions": [ + "read", + "write" + ], + "resources": [ + "server" + ] + }, + "viewer": { + "actions": [ + "read" + ], + "resources": [ + "server" + ] + } + } +} diff --git a/compose/config/opa-pdp/data/organization/data.json b/compose/config/opa-pdp/data/organization/data.json new file mode 100644 index 00000000..35fe4a14 --- /dev/null +++ b/compose/config/opa-pdp/data/organization/data.json @@ -0,0 +1,32 @@ +{ + "acls": [ + { + "user": "alice", + "actions": [ + "edit", + "read" + ], + "component": "component_A", + "project": "project_A", + "organization": "org_A" + }, + { + "user": "bob", + "actions": ["read"], + "organization": "org_A" + }, + { + "user": "bob", + "action": ["edit"], + "component": "component_A", + "project": "project_B", + "organization": "org_A" + }, + { + "user": "charlie", + "action": ["read"], + "project": "project_B", + "organization": "org_A" + } + ] +} diff --git a/compose/config/opa-pdp/data/role/data.json b/compose/config/opa-pdp/data/role/data.json new file mode 100644 index 00000000..88ac41b8 --- /dev/null 
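Review bot: Two of the four `acls` entries in `organization/data.json` use the key `"action"` (bob's `edit` on `project_B` and charlie's `read` on `project_B`) while the first two use `"actions"`; the `organization/policy.rego` rules in this commit iterate `some action in acl.actions`, so those two entries can never match and the requests they were written to permit are silently denied. Rename the key to `"actions"` in both entries; the identical file is added again under `policies/data/organization/data.json` (L20, same blob 35fe4a14) and needs the same fix. More broadly, every file under `data/` reappears byte-for-byte under `policies/data/` (blobs 77b5668e, df263d36, 99145b74, 35fe4a14, 88ac41b8) and `compose.yaml` mounts both trees (`/opt/policies` and `/opt/data`), so it is unclear which copy the PDP reads and the two will drift — keeping a single copy is safer.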
+++ b/compose/config/opa-pdp/data/role/data.json
@@ -0,0 +1,63 @@
+{
+ "user_roles": {
+ "alice": [
+ "admin"
+ ],
+ "bob": [
+ "employee",
+ "billing"
+ ],
+ "eve": [
+ "customer"
+ ]
+ },
+ "role_grants": {
+ "customer": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "adopt",
+ "type": "dog"
+ },
+ {
+ "action": "adopt",
+ "type": "cat"
+ }
+ ],
+ "employee": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "update",
+ "type": "dog"
+ },
+ {
+ "action": "update",
+ "type": "cat"
+ }
+ ],
+ "billing": [
+ {
+ "action": "read",
+ "type": "finance"
+ },
+ {
+ "action": "update",
+ "type": "finance"
+ }
+ ]
+ }
+}
+
diff --git a/compose/config/opa-pdp/groups.json b/compose/config/opa-pdp/groups.json
new file mode 100644
index 00000000..ef4ee5f4
--- /dev/null
+++ b/compose/config/opa-pdp/groups.json
@@ -0,0 +1,24 @@
+{
+ "groups": [
+ {
+ "name": "opaGroup",
+ "version": "1.0.0",
+ "description": "The default group that registers all supported policy types and pdps.",
+ "pdpGroupState": "ACTIVE",
+ "pdpSubgroups": [
+ {
+ "pdpType": "opa",
+ "desiredInstanceCount": 1,
+ "properties": {},
+ "supportedPolicyTypes": [
+ {
+ "name": "onap.policies.native.opa",
+ "version": "1.0.0"
+ }
+ ],
+ "policies": []
+ }
+ ]
+ }
+ ]
+}
diff --git a/compose/config/opa-pdp/opa-pdp.env b/compose/config/opa-pdp/opa-pdp.env
new file mode 100644
index 00000000..7e2a9070
--- /dev/null
+++ b/compose/config/opa-pdp/opa-pdp.env
@@ -0,0 +1,9 @@
+#env variables#
+
+LOG_LEVEL=debug
+BOOSTSTRAP_SERVER="kafka:9092"
+TOPIC=policy-pdp-pap
+GROUPID=opa-pdp
+USER_NAME=policyadmin
+PASSWORD="zb!XztG34"
+JAASLOGIN="org.apache.kafka.common.security.scram.ScramLoginModule required username=\"policy-opa-pdp-ku\" password=\"\""
diff --git a/compose/config/opa-pdp/policies/abac/policy.rego b/compose/config/opa-pdp/policies/abac/policy.rego
new file mode 100644
index 00000000..9dc6ea9b
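Review bot: `opa-pdp.env` commits a literal credential, `PASSWORD="zb!XztG34"`, alongside a `JAASLOGIN` string whose `password=\"\"` is empty; even if this mirrors how other compose fixtures in the tree handle test credentials, the value now lives in repository history and in every container's environment, so an untracked local env file or Compose `secrets` would keep the real value out of git. The name `BOOSTSTRAP_SERVER` looks like a misspelling of `BOOTSTRAP_SERVER`; if the binary in the image reads the latter, the Kafka address here is never seen and whatever default it has applies silently — confirm which name the consumer reads. The file also mixes quoted and unquoted values (`TOPIC=policy-pdp-pap` vs `BOOSTSTRAP_SERVER="kafka:9092"`); some `env_file` parsers pass the quotes through literally, so it is worth normalising once the Compose version in use has been checked.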
--- /dev/null
+++ b/compose/config/opa-pdp/policies/abac/policy.rego
@@ -0,0 +1,20 @@
+package abac
+
+import rego.v1
+
+default allow := false
+
+allow if {
+ viewable_sensor_data
+ action_is_read
+}
+
+action_is_read if "read" in input.actions
+
+viewable_sensor_data contains view_data if {
+ some sensor_data in data.abac.sensor_data
+ sensor_data.timestamp >= input.time_period.from
+ sensor_data.timestamp < input.time_period.to
+
+ view_data := {datatype: sensor_data[datatype] | datatype in input.datatypes}
+}
diff --git a/compose/config/opa-pdp/policies/account/policy.rego b/compose/config/opa-pdp/policies/account/policy.rego
new file mode 100644
index 00000000..f99e8eb0
--- /dev/null
+++ b/compose/config/opa-pdp/policies/account/policy.rego
@@ -0,0 +1,17 @@
+package account
+
+import rego.v1
+
+default allow := false
+
+allow if {
+ creditor_is_valid
+ debtor_is_valid
+ period_is_valid
+ amount_is_valid
+}
+creditor_is_valid if data.account.account_attributes[input.creditor_account].owner == input.creditor
+debtor_is_valid if data.account.account_attributes[input.debtor_account].owner == input.debtor
+
+period_is_valid if input.period <= 30
+amount_is_valid if data.account.account_attributes[input.debtor_account].amount >= input.amount
diff --git a/compose/config/opa-pdp/policies/action/policy.rego b/compose/config/opa-pdp/policies/action/policy.rego
new file mode 100644
index 00000000..300fe501
--- /dev/null
+++ b/compose/config/opa-pdp/policies/action/policy.rego
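Review bot: In `abac/policy.rego` the `allow` body tests `viewable_sensor_data` as a bare term; since a partial-set rule with no matching records evaluates to an empty set, which is a defined and non-false value, `allow` appears to be true for any request whose `input.actions` contains `read` even when no record falls inside `input.time_period`. If the intent is to permit only when something is actually viewable, write the condition as `count(viewable_sensor_data) > 0`. The `>=` / `<` comparisons on `timestamp` are string comparisons that only work while both sides share the same `YYYY-MM-DD` form, which deserves a comment on the `viewable_sensor_data` rule. In `account/policy.rego`, `amount_is_valid` compares the debtor balance with `input.amount` but nothing rejects a zero or negative `input.amount` or a transfer where `input.creditor_account == input.debtor_account`; acceptable for a sample, but the limitation should be stated in a comment since the file is mounted as a live policy.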
@@ -0,0 +1,21 @@
+package action
+
+import rego.v1
+
+# By default, deny requests.
+default allow := false
+
+
+# Allow the action if admin role is granted permission to perform the action.
+allow if {
+ some i
+ data.action.user_roles[input.user][i] == role
+ some j
+ data.action.role_permissions[role].actions[j] == input.action
+ some k
+ data.action.role_permissions[role].resources[k] == input.type
+}
+# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+
diff --git a/compose/config/opa-pdp/policies/data/abac/data.json b/compose/config/opa-pdp/policies/data/abac/data.json
new file mode 100644
index 00000000..77b5668e
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/abac/data.json
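Review bot: `action/policy.rego` binds `role` only through `data.action.user_roles[input.user][i] == role` with `some i`, relying on the comparison to behave as unification for an otherwise unbound variable, while `role/policy.rego` in the same commit expresses the same idea with `some role in data.role.user_roles[input.user]`; the `rego.v1` form is unambiguous and should be used here too. The comment above the rule, `# Allow the action if admin role is granted permission to perform the action.`, does not match the body, which permits for any of the user's roles — `# Allow the action if any of the user's roles grants it on the requested resource type.` is accurate. Rewritten with membership checks the rule body becomes three lines:

```rego
allow if {
    some role in data.action.user_roles[input.user]
    input.action in data.action.role_permissions[role].actions
    input.type in data.action.role_permissions[role].resources
}
```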
@@ -0,0 +1,94 @@ +{ + "sensor_data": [ + { + "id": "0001", + "location": "Sri Lanka", + "temperature": "28 C", + "precipitation": "1000 mm", + "windspeed": "5.5 m/s", + "humidity": "40%", + "particle_density": "1.3 g/l", + "timestamp": "2024-02-26" + }, + { + "id": "0002", + "location": "Colombo", + "temperature": "30 C", + "precipitation": "1200 mm", + "windspeed": "6.0 m/s", + "humidity": "45%", + "particle_density": "1.5 g/l", + "timestamp": "2024-02-26" + }, + { + "id": "0003", + "location": "Kandy", + "temperature": "25 C", + "precipitation": "800 mm", + "windspeed": "4.5 m/s", + "humidity": "60%", + "particle_density": "1.1 g/l", + "timestamp": "2024-02-26" + }, + { + "id": "0004", + "location": "Galle", + "temperature": "35 C", + "precipitation": "500 mm", + "windspeed": "7.2 m/s", + "humidity": "30%", + "particle_density": "1.8 g/l", + "timestamp": "2024-02-27" + }, + { + "id": "0005", + "location": "Jaffna", + "temperature": "-5 C", + "precipitation": "300 mm", + "windspeed": "3.8 m/s", + "humidity": "20%", + "particle_density": "0.9 g/l", + "timestamp": "2024-02-27" + }, + { + "id": "0006", + "location": "Trincomalee", + "temperature": "20 C", + "precipitation": "1000 mm", + "windspeed": "5.0 m/s", + "humidity": "55%", + "particle_density": "1.2 g/l", + "timestamp": "2024-02-28" + }, + { + "id": "0007", + "location": "Nuwara Eliya", + "temperature": "25 C", + "precipitation": "600 mm", + "windspeed": "4.0 m/s", + "humidity": "50%", + "particle_density": "1.3 g/l", + "timestamp": "2024-02-28" + }, + { + "id": "0008", + "location": "Anuradhapura", + "temperature": "28 C", + "precipitation": "700 mm", + "windspeed": "5.8 m/s", + "humidity": "40%", + "particle_density": "1.4 g/l", + "timestamp": "2024-02-29" + }, + { + "id": "0009", + "location": "Matara", + "temperature": "32 C", + "precipitation": "900 mm", + "windspeed": "6.5 m/s", + "humidity": "65%", + "particle_density": "1.6 g/l", + "timestamp": "2024-02-29" + } + ] +} 
diff --git a/compose/config/opa-pdp/policies/data/account/data.json b/compose/config/opa-pdp/policies/data/account/data.json new file mode 100644 index 00000000..df263d36 --- /dev/null +++ b/compose/config/opa-pdp/policies/data/account/data.json @@ -0,0 +1,16 @@ +{ + "account_attributes":{ + "11111":{ + "owner":"alice", + "amount":10000 + }, + "22222":{ + "owner":"bob", + "amount":10000 + }, + "33333":{ + "owner":"cam", + "amount":10000 + } + } +} diff --git a/compose/config/opa-pdp/policies/data/action/data.json b/compose/config/opa-pdp/policies/data/action/data.json new file mode 100644 index 00000000..99145b74 --- /dev/null +++ b/compose/config/opa-pdp/policies/data/action/data.json @@ -0,0 +1,43 @@ +{ + "user_roles": { + "alice": [ + "admin" + ], + "bob": [ + "editor" + ], + "charlie": [ + "viewer" + ] + }, + "role_permissions": { + "admin": { + "actions": [ + "read", + "write", + "delete" + ], + "resources": [ + "server", + "database" + ] + }, + "editor": { + "actions": [ + "read", + "write" + ], + "resources": [ + "server" + ] + }, + "viewer": { + "actions": [ + "read" + ], + "resources": [ + "server" + ] + } + } +} diff --git a/compose/config/opa-pdp/policies/data/organization/data.json b/compose/config/opa-pdp/policies/data/organization/data.json new file mode 100644 index 00000000..35fe4a14 --- /dev/null +++ b/compose/config/opa-pdp/policies/data/organization/data.json @@ -0,0 +1,32 @@ +{ + "acls": [ + { + "user": "alice", + "actions": [ + "edit", + "read" + ], + "component": "component_A", + "project": "project_A", + "organization": "org_A" + }, + { + "user": "bob", + "actions": ["read"], + "organization": "org_A" + }, + { + "user": "bob", + "action": ["edit"], + "component": "component_A", + "project": "project_B", + "organization": "org_A" + }, + { + "user": "charlie", + "action": ["read"], + "project": "project_B", + "organization": "org_A" + } + ] +} 
diff --git a/compose/config/opa-pdp/policies/data/role/data.json b/compose/config/opa-pdp/policies/data/role/data.json new file mode 100644 index 00000000..88ac41b8 --- /dev/null +++ b/compose/config/opa-pdp/policies/data/role/data.json @@ -0,0 +1,63 @@ +{ + "user_roles": { + "alice": [ + "admin" + ], + "bob": [ + "employee", + "billing" + ], + "eve": [ + "customer" + ] + }, + "role_grants": { + "customer": [ + { + "action": "read", + "type": "dog" + }, + { + "action": "read", + "type": "cat" + }, + { + "action": "adopt", + "type": "dog" + }, + { + "action": "adopt", + "type": "cat" + } + ], + "employee": [ + { + "action": "read", + "type": "dog" + }, + { + "action": "read", + "type": "cat" + }, + { + "action": "update", + "type": "dog" + }, + { + "action": "update", + "type": "cat" + } + ], + "billing": [ + { + "action": "read", + "type": "finance" + }, + { + "action": "update", + "type": "finance" + } + ] + } +} + diff --git a/compose/config/opa-pdp/policies/example/policy.rego b/compose/config/opa-pdp/policies/example/policy.rego new file mode 100644 index 00000000..cc192851 --- /dev/null +++ b/compose/config/opa-pdp/policies/example/policy.rego @@ -0,0 +1,13 @@ +package example + +import rego.v1 + +allow if { + input.path == ["users"] + input.method == "POST" +} + +allow if { + input.path == ["users", input.user_id] + input.method == "GET" +} diff --git a/compose/config/opa-pdp/policies/organization/policy.rego b/compose/config/opa-pdp/policies/organization/policy.rego new file mode 100644 index 00000000..31e7fb66 --- /dev/null +++ b/compose/config/opa-pdp/policies/organization/policy.rego 
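Review bot: `example/policy.rego` is the only policy in this commit with no `default allow := false`; when neither rule body matches, `allow` is undefined rather than `false`, and how the PDP maps an undefined result onto PERMIT/DENY/INDETERMINATE is not visible here (the CSIT data adds a `requestIndeterminate.json` case but its test is commented out). Adding `default allow := false` after `import rego.v1` makes this file behave like the other five policies and removes the dependency on that mapping.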
@@ -0,0 +1,38 @@
+package organization
+
+import rego.v1
+
+default allow := false
+
+# organization level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+ acl.project == input.project
+ acl.component == input.component
+
+ some action in acl.actions
+ action == input.action
+}
+
+# project level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+ acl.project == input.project
+
+ some action in acl.actions
+ action == input.action
+}
+
+# component level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+
+ some action in acl.actions
+ action == input.action
+}
diff --git a/compose/config/opa-pdp/policies/role/policy.rego b/compose/config/opa-pdp/policies/role/policy.rego
new file mode 100644
index 00000000..54bdecf9
--- /dev/null
+++ b/compose/config/opa-pdp/policies/role/policy.rego
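Review bot: The third `allow` rule in `organization/policy.rego` requires only `acl.user`, `acl.organization` and a matching action, which is a strict superset of the first two rules, so the project and component fields never restrict anything: alice's single `edit` grant scoped to `component_A`/`project_A` in the data file permits `edit` on every project and component in `org_A`. If the scopes are meant to be hierarchical, each broader rule must also require that the acl carries no narrower field — `not acl.project` and `not acl.component` in the organization-level rule, `not acl.component` in the project-level one — or the data model needs an explicit scope field. The three comments are also swapped relative to the bodies (the rule labelled `# organization level access` checks organization, project and component; the one labelled `# component level access` checks organization only), so at minimum exchange the labels. The organization-level rule, written so that it matches only organization-wide grants, would be:

```rego
# organization level access: only acls with no project/component scope
allow if {
    some acl in data.organization.acls
    acl.user == input.user
    acl.organization == input.organization
    not acl.project
    not acl.component

    some action in acl.actions
    action == input.action
}
```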
@@ -0,0 +1,53 @@
+# Role-based Access Control (RBAC)
+# --------------------------------
+#
+# This example defines an RBAC model for a Pet Store API. The Pet Store API allows
+# users to look at pets, adopt them, update their stats, and so on. The policy
+# controls which users can perform actions on which resources. The policy implements
+# a classic Role-based Access Control model where users are assigned to roles and
+# roles are granted the ability to perform some action(s) on some type of resource.
+#
+# This example shows how to:
+#
+# * Define an RBAC model in Rego that interprets role mappings represented in JSON.
+# * Iterate/search across JSON data structures (e.g., role mappings)
+#
+# For more information see:
+#package app.rbac
+package role
+
+import rego.v1
+
+# By default, deny requests.
+default allow := false
+
+# Allow admins to do anything.
+allow if user_is_admin
+
+# Allow the action if the user is granted permission to perform the action.
+allow if {
+ # Find grants for the user.
+ some grant in user_is_granted
+
+ # Check if the grant permits the action.
+ input.action == grant.action
+ input.type == grant.type
+}
+
+# user_is_admin is true if "admin" is among the user's roles as per data.user_roles
+user_is_admin if "admin" in data.role.user_roles[input.user]
+
+# user_is_granted is a set of grants for the user identified in the request.
+# The `grant` will be contained if the set `user_is_granted` for every...
+user_is_granted contains grant if {
+ # `role` assigned an element of the user_roles for this user...
+ some role in data.role.user_roles[input.user]
+
+ # `grant` assigned a single grant from the grants list for 'role'...
+ some grant in data.role.role_grants[role]
+}
+
+# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+
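Review bot: The header of `role/policy.rego` still shows its origin as a docs sample: `#package app.rbac` is left commented above `package role`, `# For more information see:` has no reference after it, and `# The `grant` will be contained if the set `user_is_granted` for every...` trails off mid-sentence. Since this file is loaded as a live policy (the CSIT `role/allow` requests evaluate it), drop the stale package line, complete or remove the dangling sentences, and state the one behaviour operators must know in a comment above `allow if user_is_admin`: `# Any user whose data.role.user_roles entry contains "admin" is permitted every action on every type, regardless of role_grants.`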
diff --git a/compose/config/opa-pdp/policy-opa-pdp.sh b/compose/config/opa-pdp/policy-opa-pdp.sh new file mode 100755 index 00000000..4cb2cf01 --- /dev/null +++ b/compose/config/opa-pdp/policy-opa-pdp.sh @@ -0,0 +1,6 @@ +#!/bin/bash + + +#Execution of OPA-PDP bin +sleep 40 +/app/opa-pdp diff --git a/compose/export-ports.sh b/compose/export-ports.sh index 8dd2c163..a1f372f8 100755 --- a/compose/export-ports.sh +++ b/compose/export-ports.sh @@ -23,6 +23,7 @@ export APEX_EVENTS_PORT=23324 export API_PORT=30002 export PAP_PORT=30003 export XACML_PORT=30004 +export OPA_PDP_PORT=30012 export DROOLS_PORT=30005 export DROOLS_TELEMETRY_PORT=30216 export DIST_PORT=30006 diff --git a/compose/get-versions.sh b/compose/get-versions.sh index 0e8f251e..c7378ee7 100755 --- a/compose/get-versions.sh +++ b/compose/get-versions.sh @@ -43,6 +43,7 @@ if [ -n "$LOCAL_IMAGES" ] && [ "$LOCAL_IMAGES" = "true" ]; then export POLICY_APEX_PDP_VERSION="latest" export POLICY_DROOLS_PDP_VERSION="latest" export POLICY_XACML_PDP_VERSION="latest" + export POLICY_OPA_PDP_VERSION="latest" export POLICY_DISTRIBUTION_VERSION="latest" export POLICY_CLAMP_VERSION="latest" export POLICY_CLAMP_PPNT_VERSION=$POLICY_CLAMP_VERSION @@ -145,6 +146,8 @@ else getDockerVersion xacml-pdp export POLICY_XACML_PDP_VERSION="$docker_image_version" + export POLICY_OPA_PDP_VERSION="1.0.5-SNAPSHOT" + getDockerVersion distribution export POLICY_DISTRIBUTION_VERSION="$docker_image_version" @@ -154,4 +157,4 @@ else getDockerVersion drools-applications export POLICY_DROOLS_APPS_VERSION="$docker_image_version" -fi
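Review bot: `policy-opa-pdp.sh` launches the PDP as a plain `/app/opa-pdp` after `sleep 40`, so the shell remains the parent process and SIGTERM from `docker stop` is not delivered to the PDP, which then runs until the kill timeout; `exec /app/opa-pdp` hands the process over and fixes that. The fixed `sleep 40` is also unexplained readiness logic: the compose entrypoint `wait_for_port.sh` already blocks on `kafka:9092` and `pap:6969` before this script runs, so unless the delay covers something else (PAP registration?) it only slows CSIT, and a comment naming what it waits for — `# wait for <reason — TODO fill in> before starting the PDP` — is needed either way.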
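Review bot: `get-versions.sh` hard-codes `export POLICY_OPA_PDP_VERSION="1.0.5-SNAPSHOT"` in the non-local branch while every neighbouring component (`xacml-pdp`, `distribution`, `drools-applications`) resolves its tag through `getDockerVersion`; a snapshot tag is mutable, so what CSIT tests can change underneath without any commit here. If the image is not yet published in the registry `getDockerVersion` queries, record that next to the pin, e.g. `# opa-pdp image not yet released; replace with getDockerVersion opa-pdp once available`, otherwise use `getDockerVersion opa-pdp` like the others. The file's last hunk (the `fi` with the no-newline marker) continues onto the next page line.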
\ No newline at end of file +fi diff --git a/csit/resources/scripts/run-test.sh b/csit/resources/scripts/run-test.sh index 1e756f6d..1156fd5c 100755 --- a/csit/resources/scripts/run-test.sh +++ b/csit/resources/scripts/run-test.sh @@ -32,6 +32,7 @@ APEX_IP=policy-apex-pdp:${DEFAULT_PORT} APEX_EVENTS_IP=policy-apex-pdp:23324 POLICY_PDPX_IP=policy-xacml-pdp:${DEFAULT_PORT} +POLICY_OPA_IP=policy-opa-pdp:8282 POLICY_DROOLS_IP=policy-drools-pdp:9696 DROOLS_IP_1=policy-drools-apps:${DEFAULT_PORT} @@ -59,6 +60,7 @@ ROBOT_VARIABLES="-v DATA:${DATA} -v KAFKA_IP:${KAFKA_IP} -v PROMETHEUS_IP:${PROMETHEUS_IP} -v POLICY_PDPX_IP:${POLICY_PDPX_IP} +-v POLICY_OPA_IP:${POLICY_OPA_IP} -v POLICY_DROOLS_IP:${POLICY_DROOLS_IP} -v DROOLS_IP:${DROOLS_IP_1} -v DROOLS_IP_2:${DROOLS_IP_2} diff --git a/csit/resources/tests/api-test.robot b/csit/resources/tests/api-test.robot index 29c2fba4..e1b8fd47 100644 --- a/csit/resources/tests/api-test.robot +++ b/csit/resources/tests/api-test.robot @@ -16,7 +16,7 @@ Healthcheck RetrievePolicyTypes [Documentation] Retrieve all policy types - FetchPolicyTypes /policy/api/v1/policytypes 37 + FetchPolicyTypes /policy/api/v1/policytypes 38 CreateTCAPolicyTypeV1 [Documentation] Create an existing policy type with modification and keeping the same version should result in error. diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json new file mode 100644 index 00000000..b92aa88e --- /dev/null +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json @@ -0,0 +1,2 @@ +{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z" "policyName":"role/allow","input":{"user":"carol","action":"write","object":"id123","type":"dog"}} + 
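Review bot: `onap.policy.opa.pdp.decision.badRequest.json` is deliberately malformed (no comma between the `currentDateTime` value and `"policyName"`), but nothing records that the breakage is intentional, so the next person who runs a JSON formatter over `data/` will "fix" it and silently turn the 400 test into a 200. JSON cannot carry a comment, so note it on the robot case instead, e.g. in `RetrieveFailureBadRequest`'s `[Documentation]`: `Fixture is intentionally invalid JSON (missing comma); expects 400 BAD_REQUEST`.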
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json new file mode 100644 index 00000000..66132ea7 --- /dev/null +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json @@ -0,0 +1 @@ +{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role/allow","input":{"user":"alice","action":"write","object":"id123","type":"dog"}} diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json new file mode 100644 index 00000000..352ddb55 --- /dev/null +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json @@ -0,0 +1,2 @@ +{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role1/allow","input":{"user":"alice","action":"write","object":"id123","type":"dog"}} + diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json new file mode 100644 index 00000000..e9aea14a --- /dev/null +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json @@ -0,0 +1 @@ +{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role/allow","input":{"user":"carol","action":"write","object":"id123","type":"dog"}} 
diff --git a/csit/resources/tests/opa-pdp-test.robot b/csit/resources/tests/opa-pdp-test.robot new file mode 100644 index 00000000..908314f8 --- /dev/null +++ b/csit/resources/tests/opa-pdp-test.robot 
@@ -0,0 +1,53 @@ +*** Settings *** +Library RequestsLibrary +Library Collections +Library OperatingSystem +Library Process +Library json +Resource common-library.robot + +*** Variables *** +${OPA_PDP_HOST} /policy/pdpx/v1/healthcheck +${url} /policy/pdpx/v1/decision + +*** Test Cases *** +Healthcheck + [Documentation] Verify OPA PDP health check + PdpxGetReq ${OPA_PDP_HOST} <Response [200]> + +RetrieveSuccessfulRequest + [Documentation] Get Decision Request Successful for Opa Pdp + DecisionRequest onap.policy.opa.pdp.decision.request.json PERMIT 200 + +RetrieveDenyRequest + [Documentation] Get Decision Request DENY for Opa Pdp + DecisionRequest onap.policy.opa.pdp.decision.requestfailure.json DENY 200 + +*** comments *** +| RetrieveFailureRequest +| |[Documentation] | Get Decision Request INDETERMINATE for Opa Pdp *** +| | |DecisionRequest onap.policy.opa.pdp.decision.requestIndeterminate.json INDETERMINATE 200 *** + +RetrieveFailureBadRequest + [Documentation] Get Decision Request Failure Bad Request for Opa Pdp + DecisionRequest onap.policy.opa.pdp.decision.badRequest.json BAD_REQUEST 400 +*** Keywords *** +PdpxGetReq + [Documentation] Verify the response of Health Check is Successful + [Arguments] ${url} ${status} + ${hcauth}= PolicyAdminAuth + ${resp}= PerformGetRequest ${POLICY_OPA_IP} ${url} 200 null ${hcauth} + Should Be Equal As Strings ${resp} ${status} + +DecisionRequest + [Arguments] ${jsonfile} ${keyword} ${status} + ${postjson}= Get file ${CURDIR}/data/${jsonfile} + ${resp}= DecisionPostReq ${postjson} ${status} abbrev=true + Should Contain ${resp.text} ${keyword} + +DecisionPostReq + [Arguments] ${postjson} ${status} ${abbr} + ${expectedStatus}= Set Variable ${status} + ${hcauth}= PolicyAdminAuth + ${resp}= PerformPostRequest ${POLICY_OPA_IP} ${url} ${expectedStatus} ${postjson} ${abbr} ${hcauth} + RETURN ${resp} diff --git a/csit/run-project-csit.sh b/csit/run-project-csit.sh index e355d5ff..961100bf 100755 --- a/csit/run-project-csit.sh 
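Review bot: `DecisionRequest` calls `DecisionPostReq ${postjson} ${status} abbrev=true`, but `DecisionPostReq` declares its third argument as `${abbr}`; Robot Framework treats a `name=value` token whose name matches no declared argument as the positional string `abbrev=true`, so `${abbr}` reaches `PerformPostRequest` as that literal rather than `true` — confirm against `common-library.robot`, which is outside this diff, and rename one side so they agree. `${OPA_PDP_HOST}` holds the health-check path `/policy/pdpx/v1/healthcheck`, not a host, and `PdpxGetReq` re-declares `${url}` as an argument while `${url}` is also the suite variable `DecisionPostReq` reads; `${HEALTHCHECK_PATH}` and `${DECISION_PATH}` would remove both the misnomer and the shadowing. The INDETERMINATE case parked under `*** comments ***` should say why it is disabled, since it stays in the file but out of the run.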
+++ b/csit/run-project-csit.sh @@ -170,6 +170,14 @@ function setup_xacml_pdp() { check_rest_endpoint "${XACML_PORT}" } +function setup_opa_pdp() { + export ROBOT_FILES="opa-pdp-test.robot" + export PROJECT="opa-pdp" + source ${DOCKER_COMPOSE_DIR}/start-compose.sh opa-pdp --grafana + sleep 180 + bash ${SCRIPTS}/wait_for_rest.sh localhost "${OPA_PDP_PORT}" +} + function setup_drools_pdp() { export ROBOT_FILES="drools-pdp-test.robot" source ${DOCKER_COMPOSE_DIR}/start-compose.sh drools-pdp --grafana @@ -240,6 +248,10 @@ function set_project_config() { setup_xacml_pdp ;; + opa-pdp | policy-opa-pdp) + setup_opa_pdp + ;; + drools-pdp | policy-drools-pdp) setup_drools_pdp ;; |
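Review bot: `setup_opa_pdp` waits with a fixed `sleep 180` followed by `wait_for_rest.sh localhost "${OPA_PDP_PORT}"`, whereas the adjacent `setup_xacml_pdp` ends with `check_rest_endpoint "${XACML_PORT}"`; the polling helper already handles readiness, so the three-minute delay only lengthens CSIT unless it is covering something the poll cannot see (the PDP's own `sleep 40` plus registration with PAP, presumably), in which case say so: `# PDP registers with PAP after its REST port opens; allow time before the robot run`. Using `check_rest_endpoint "${OPA_PDP_PORT}"` would keep the function consistent with its siblings if that helper, defined outside this hunk, performs the same wait.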