12 files changed, 269 insertions, 172 deletions
diff --git a/compose/get-versions.sh b/compose/get-versions.sh index fbda7b0c..2de4e7f0 100755 --- a/compose/get-versions.sh +++ b/compose/get-versions.sh @@ -142,7 +142,7 @@ else getDockerVersion xacml-pdp export POLICY_XACML_PDP_VERSION="$docker_image_version" - export POLICY_OPA_PDP_VERSION="1.0.0-SNAPSHOT" + export POLICY_OPA_PDP_VERSION="1.0.2-SNAPSHOT" getDockerVersion distribution export POLICY_DISTRIBUTION_VERSION="$docker_image_version" diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.empty_filter_response.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.empty_filter_response.json new file mode 100644 index 00000000..040f0624 --- /dev/null +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.empty_filter_response.json @@ -0,0 +1,61 @@ +{ + "output": { + "allow": true, + "role_grants": { + "billing": [ + { + "action": "read", + "type": "finance" + }, + { + "action": "update", + "type": "finance" + } + ], + "customer": [ + { + "action": "read", + "type": "dog" + }, + { + "action": "read", + "type": "cat" + }, + { + "action": "adopt", + "type": "dog" + }, + { + "action": "adopt", + "type": "cat" + } + ], + "employee": [ + { + "action": "read", + "type": "dog" + }, + { + "action": "read", + "type": "cat" + }, + { + "action": "update", + "type": "dog" + }, + { + "action": "update", + "type": "cat" + } + ] + }, + "user_is_admin": true, + "user_is_granted": [], + "user_roles": { + "alice": ["admin"], + "bob": ["employee", "billing"], + "eve": ["customer"] + } + }, + "policyName": "role" +} diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.filter_response.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.filter_response.json new file mode 100644 index 00000000..d19f5fed --- /dev/null +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.filter_response.json 
@@ -0,0 +1,23 @@ +{ + "output": { + "role_grants": { + "billing": [ + {"action": "read", "type": "finance"}, + {"action": "update", "type": "finance"} + ], + "customer": [ + {"action": "read", "type": "dog"}, + {"action": "read", "type": "cat"}, + {"action": "adopt", "type": "dog"}, + {"action": "adopt", "type": "cat"} + ], + "employee": [ + {"action": "read", "type": "dog"}, + {"action": "read", "type": "cat"}, + {"action": "update", "type": "dog"}, + {"action": "update", "type": "cat"} + ] + } + }, + "policyName": "role" +} diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json index 66132ea7..748a5529 100644 --- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json @@ -1 +1 @@ -{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role/allow","input":{"user":"alice","action":"write","object":"id123","type":"dog"}} +{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role","input":{"user":"alice","action":"write","object":"id123","type":"dog"}} diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.output.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.output.json new file mode 100644 index 00000000..bf035c4b --- /dev/null +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.output.json @@ -0,0 +1,5 @@ +{ + "errorMessage": "Policy Filter is nil.", + "policyName": "", + "responseCode": "bad_request" +} 
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter.json index 352ddb55..1a621c26 100644 --- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter.json @@ -1,2 +1 @@ -{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role1/allow","input":{"user":"alice","action":"write","object":"id123","type":"dog"}} - +{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role","policyFilter": ["role_grants"],"input":{"user":"alice","action":"write","object":"id123","type":"dog"}} diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter_empty.json index b92aa88e..fec2ba48 100644 --- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter_empty.json 
@@ -1,2 +1 @@ -{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z" "policyName":"role/allow","input":{"user":"carol","action":"write","object":"id123","type":"dog"}} - +{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role","policyFilter": [""],"input":{"user":"alice","action":"write","object":"id123","type":"dog"}} diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json deleted file mode 100644 index e9aea14a..00000000 --- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json +++ /dev/null @@ -1 +0,0 @@ -{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role/allow","input":{"user":"carol","action":"write","object":"id123","type":"dog"}} diff --git a/csit/resources/tests/opa-pdp-test.robot b/csit/resources/tests/opa-pdp-test.robot index a6d4c6d2..8e059ffd 100644 --- a/csit/resources/tests/opa-pdp-test.robot +++ b/csit/resources/tests/opa-pdp-test.robot 
@@ -15,22 +15,18 @@ Healthcheck [Documentation] Verify OPA PDP health check PdpxGetReq ${OPA_PDP_HOST} <Response [200]> -RetrieveSuccessfulRequest - [Documentation] Get Decision Request Successful for Opa Pdp - DecisionRequest onap.policy.opa.pdp.decision.request.json PERMIT 200 - -RetrieveDenyRequest - [Documentation] Get Decision Request DENY for Opa Pdp - DecisionRequest onap.policy.opa.pdp.decision.requestfailure.json DENY 200 - -*** comments *** -| RetrieveFailureRequest -| |[Documentation] | Get Decision Request INDETERMINATE for Opa Pdp *** -| | |DecisionRequest onap.policy.opa.pdp.decision.requestIndeterminate.json INDETERMINATE 200 *** - -RetrieveFailureBadRequest - [Documentation] Get Decision Request Failure Bad Request for Opa Pdp - DecisionRequest onap.policy.opa.pdp.decision.badRequest.json BAD_REQUEST 400 +ValidatingPolicyWithoutPolicyFilter + [Documentation] Validating the policy without giving policy filter + ValidatePolicyResponseWithoutFilter onap.policy.opa.pdp.decision.request.json 400 onap.policy.opa.pdp.decision.request.output.json + +ValidatingPolicyWithPolicyFilter + [Documentation] Validating the policy with policy filter + ValidatePolicyResponse onap.policy.opa.pdp.decision.request_filter.json 200 onap.policy.opa.pdp.decision.filter_response.json + +ValidatingPolicyWithEmptyPolicyFilter + [Documentation] Validating the policy with empty policy filter + ValidatePolicyResponse onap.policy.opa.pdp.decision.request_filter_empty.json 200 onap.policy.opa.pdp.decision.empty_filter_response.json + *** Keywords *** PdpxGetReq [Documentation] Verify the response of Health Check is Successful 
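Review bot: The rewrite drops the only negative decision coverage: `RetrieveDenyRequest` (user carol, expected DENY) and `RetrieveFailureBadRequest` (the fixture with the missing comma, expected 400) are removed, and none of the three new cases exercises a denied decision or a syntactically invalid body, so a regression that answers `allow: true` for an unauthorised user or 200 for malformed JSON would pass CSIT. Keep a deny case next to the new filter cases, e.g. `ValidatingPolicyDenyDecision` posting the carol request and comparing `output` against a fixture in which `allow` is false. `ValidatingPolicyWithEmptyPolicyFilter` also pins the contract that `policyFilter: [""]` returns the complete policy output (including `user_roles` and `user_is_admin`) with 200; if an empty filter element is meant to be rejected rather than act as a wildcard, this test encodes the wrong behaviour, which is worth confirming against the PDP before it becomes a suite expectation.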
@@ -39,15 +35,30 @@ PdpxGetReq ${resp}= PerformGetRequest ${POLICY_OPA_IP} ${url} 200 null ${hcauth} Should Be Equal As Strings ${resp} ${status} -DecisionRequest - [Arguments] ${jsonfile} ${keyword} ${status} +ValidatePolicyResponse + [Documentation] Validating the output for the policy + [Arguments] ${jsonfile} ${status} ${jsonfile1} + ${expectedStatus}= Set Variable ${status} ${postjson}= Get file ${CURDIR}/data/${jsonfile} - ${resp}= DecisionPostReq ${postjson} ${status} abbrev=true - Should Contain ${resp.text} ${keyword} + ${expected_data}= Get file ${CURDIR}/data/${jsonfile1} + ${hcauth}= PolicyAdminAuth + ${resp}= PerformPostRequest ${POLICY_OPA_IP} ${url} ${expectedStatus} ${postjson} abbrev=true ${hcauth} + ${response_data}= Get From Dictionary ${resp.json()} output + ${expected_value}= Evaluate json.loads('''${expected_data}''') json + ${expected_output}= Get From Dictionary ${expected_value} output + Dictionaries Should Be Equal ${response_data} ${expected_output} -DecisionPostReq - [Arguments] ${postjson} ${status} ${abbr} +ValidatePolicyResponseWithoutFilter + [Documentation] Validating the output for the policy + [Arguments] ${jsonfile} ${status} ${jsonfile1} ${expectedStatus}= Set Variable ${status} + ${postjson}= Get file ${CURDIR}/data/${jsonfile} + ${expected_data}= Get file ${CURDIR}/data/${jsonfile1} ${hcauth}= PolicyAdminAuth - ${resp}= PerformPostRequest ${POLICY_OPA_IP} ${url} ${expectedStatus} ${postjson} ${abbr} ${hcauth} - RETURN ${resp} + ${resp}= PerformPostRequest ${POLICY_OPA_IP} ${url} ${expectedStatus} ${postjson} abbrev=true ${hcauth} + ${response_data}= Get From Dictionary ${resp.json()} responseCode + ${expected_value}= Evaluate json.loads('''${expected_data}''') json + ${expected_output}= Get From Dictionary ${expected_value} responseCode + Should Be Equal As Strings ${response_data} ${expected_output} + + 
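Review bot: `ValidatePolicyResponseWithoutFilter` compares only `responseCode`, so the `errorMessage` (`Policy Filter is nil.`) in `onap.policy.opa.pdp.decision.request.output.json` is never checked and any 400 satisfies the test; compare the parsed body instead, `Dictionaries Should Be Equal ${resp.json()} ${expected_value}`, or at least also assert `errorMessage`. Both keywords parse the fixture with `Evaluate json.loads('''${expected_data}''') json`, which splices the file text into Python source: a fixture containing `'''` or a backslash escape breaks or silently alters the expression, whereas the Robot-native form `Evaluate json.loads($expected_data) json` hands the value over as an object without interpolation. The two keywords are otherwise identical except for which key is extracted from the response, so one keyword taking the key name as an argument would remove the duplicated request/parse code.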
diff --git a/helm/policy/components/policy-opa-pdp/Chart.yaml b/helm/policy/components/policy-opa-pdp/Chart.yaml index b3c34fc6..3235b018 100755 --- a/helm/policy/components/policy-opa-pdp/Chart.yaml +++ b/helm/policy/components/policy-opa-pdp/Chart.yaml @@ -1,23 +1,23 @@ -# ============LICENSE_START=======================================================
-# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-
-apiVersion: v2
-description: ONAP Policy OPA PDP
-name: policy-opa-pdp
-version: 11.0.0
-
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024-2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: v2
+description: ONAP Policy OPA PDP
+name: policy-opa-pdp
+version: 11.0.1
+
diff --git a/helm/policy/components/policy-opa-pdp/values.yaml b/helm/policy/components/policy-opa-pdp/values.yaml
index 615b6523..a25f48a1 100755
--- a/helm/policy/components/policy-opa-pdp/values.yaml
+++ b/helm/policy/components/policy-opa-pdp/values.yaml
@@ -1,117 +1,117 @@
-# ============LICENSE_START=======================================================
-# Copyright (C) 2024-2025 Deutsche Telekom Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-
-#################################################################
-# Global configuration defaults.
-#################################################################
-global:
- persistence: {}
- image:
- opapdp: nexus3.onap.org:10001/onap/policy-opa-pdp:1.0.0-SNAPSHOT
-log:
- loglevel: "debug"
-
-permissions:
- uid: 100
- gid: 102
-
-#################################################################
-# Secrets metaconfig
-#################################################################
-secrets:
- - uid: restserver-creds
- type: basicAuth
- externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
- login: '{{ .Values.restServer.user }}'
- password: '{{ .Values.restServer.password }}'
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-pullPolicy: Always
-
-# flag to enable debugging - application support required
-debugEnabled: false
-
-# application configuration
-
-restServer:
- user: policyadmin
- password: zb!XztG34
-
-# default number of instances
-replicaCount: 1
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 20
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
-
-readiness:
- initialDelaySeconds: 10
- periodSeconds: 120
- api: /ready
- successThreshold: 1
- failureThreshold: 3
- timeout: 60
-
-service:
- type: ClusterIP
- name: policy-opa-pdp
- portName: http
- externalPort: 8282
- internalPort: 8282
-
-ingress:
- enabled: false
-
-flavor: small
-resources:
- small:
- limits:
- cpu: 1
- memory: 4Gi
- requests:
- cpu: 100m
- memory: 1Gi
- unlimited: {}
-
-dirSizes:
- bundleDir:
- sizeLimit: 1000Mi
-
-#Pods Service Account
-serviceAccount:
- nameOverride: policy-opa-pdp
- roles:
- - read
-kafka:
- groupid: "policy-opa-pdp"
- topic: "policy-pdp-pap"
- useSASL: "false"
- username: ""
- password: ""
- brokers: "kafka.default.svc.cluster.local:9092"
-
+# ============LICENSE_START======================================================= +# Copyright (C) 2024-2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + image: + opapdp: nexus3.onap.org:10001/onap/policy-opa-pdp:1.0.2-SNAPSHOT +log: + loglevel: "debug" + +permissions: + uid: 100 + gid: 102 + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration + +restServer: + user: policyadmin + password: zb!XztG34 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 120 + api: /ready + successThreshold: 1 + failureThreshold: 3 + timeout: 60 + +service: + type: ClusterIP + name: policy-opa-pdp + portName: http + externalPort: 8282 + internalPort: 8282 + +ingress: + enabled: false + +flavor: small +resources: + small: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 100m + memory: 1Gi + unlimited: {} + +dirSizes: + bundleDir: + sizeLimit: 1000Mi + +#Pods Service Account +serviceAccount: + nameOverride: policy-opa-pdp + roles: + - read +kafka: + groupid: "policy-opa-pdp" + topic: "policy-pdp-pap" + useSASL: "false" + username: "" + password: "" + brokers: "kafka.default.svc.cluster.local:9092" + diff --git a/helm/policy/values.yaml b/helm/policy/values.yaml index ecb06e73..49c70394 100644 --- a/helm/policy/values.yaml +++ b/helm/policy/values.yaml @@ -34,7 +34,7 @@ global: simulator: onap/policy-models-simulator:$tag pdpdcl: onap/policy-pdpd-cl:$tag xacml: onap/policy-xacml-pdp:$tag - opa: onap/policy-opa-pdp:1.0.0-SNAPSHOT + opa: onap/policy-opa-pdp:1.0.2-SNAPSHOT distribution: onap/policy-distribution:$tag runtimeacm: onap/policy-clamp-runtime-acm:$tag kserveparticipant: onap/policy-clamp-ac-kserve-ppnt:$tag |
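Review bot: `global.image.opapdp` is moved to the mutable tag `nexus3.onap.org:10001/onap/policy-opa-pdp:1.0.2-SNAPSHOT` while `pullPolicy: Always` stays, so every pod restart may pull a different image from the one CSIT validated; the other policy components in `helm/policy/values.yaml` resolve through `$tag`, and this chart should use the same mechanism or pin an immutable digest (`policy-opa-pdp@sha256:…`) once the release is cut. Reprinted in full by this hunk, though unchanged: `restServer.password: zb!XztG34` is a plaintext default for the basic-auth credential that the `secrets` block materialises, and `log.loglevel: "debug"` is the shipped default; if these are project-wide conventions they presumably mirror the parent chart, but a comment on the `restServer` block such as `# default credential for local testing only; set restServer.credsExternalSecret in real deployments` would make that explicit. Apart from the image tag the hunk appears to be a whole-file rewrite, presumably a line-ending change, which hides the one functional line in 117 added lines.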