-rw-r--r--compose/compose.yaml28
-rw-r--r--compose/config/api/apiParameters.yaml1
-rw-r--r--compose/config/opa-pdp/config.json24
-rw-r--r--compose/config/opa-pdp/data/abac/data.json94
-rw-r--r--compose/config/opa-pdp/data/account/data.json16
-rw-r--r--compose/config/opa-pdp/data/action/data.json43
-rw-r--r--compose/config/opa-pdp/data/organization/data.json32
-rw-r--r--compose/config/opa-pdp/data/role/data.json63
-rw-r--r--compose/config/opa-pdp/groups.json24
-rw-r--r--compose/config/opa-pdp/opa-pdp.env9
-rw-r--r--compose/config/opa-pdp/policies/abac/policy.rego20
-rw-r--r--compose/config/opa-pdp/policies/account/policy.rego17
-rw-r--r--compose/config/opa-pdp/policies/action/policy.rego21
-rw-r--r--compose/config/opa-pdp/policies/data/abac/data.json94
-rw-r--r--compose/config/opa-pdp/policies/data/account/data.json16
-rw-r--r--compose/config/opa-pdp/policies/data/action/data.json43
-rw-r--r--compose/config/opa-pdp/policies/data/organization/data.json32
-rw-r--r--compose/config/opa-pdp/policies/data/role/data.json63
-rw-r--r--compose/config/opa-pdp/policies/example/policy.rego13
-rw-r--r--compose/config/opa-pdp/policies/organization/policy.rego38
-rw-r--r--compose/config/opa-pdp/policies/role/policy.rego53
-rwxr-xr-xcompose/config/opa-pdp/policy-opa-pdp.sh6
-rwxr-xr-xcompose/export-ports.sh1
-rwxr-xr-xcompose/get-versions.sh5
-rwxr-xr-xcsit/resources/scripts/run-test.sh2
-rw-r--r--csit/resources/tests/api-test.robot2
-rw-r--r--csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json2
-rw-r--r--csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json1
-rw-r--r--csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json2
-rw-r--r--csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json1
-rw-r--r--csit/resources/tests/opa-pdp-test.robot53
-rwxr-xr-xcsit/run-project-csit.sh12
32 files changed, 829 insertions, 2 deletions
diff --git a/compose/compose.yaml b/compose/compose.yaml
index a151ad42..6d1abad0 100644
--- a/compose/compose.yaml
+++ b/compose/compose.yaml
@@ -130,6 +130,34 @@ services:
'kafka', '9092'
]
+
+ opa-pdp:
+ image: ${CONTAINER_LOCATION}onap/policy-opa-pdp:${POLICY_OPA_PDP_VERSION}
+ container_name: policy-opa-pdp
+ depends_on:
+ - kafka
+ - pap
+ hostname: policy-opa-pdp
+ volumes:
+ - ./config/opa-pdp/config.json:/app/config/config.json:ro
+ - ./config/opa-pdp/policy-opa-pdp.sh:/app/policy-opa-pdp.sh:ro
+ - ./wait_for_port.sh:/app/wait_for_port.sh
+ - type: bind
+ source: ./config/opa-pdp/policies
+ target: /opt/policies
+ - type: bind
+ source: ./config/opa-pdp/data
+ target: /opt/data
+ env_file: "./config/opa-pdp/opa-pdp.env"
+ entrypoint: sh wait_for_port.sh
+ command: [
+ '-c', './policy-opa-pdp.sh',
+ 'kafka', '9092',
+ 'pap', '6969'
+ ]
+ ports:
+ - ${OPA_PDP_PORT}:8282
+
drools-pdp:
image: ${CONTAINER_LOCATION}onap/policy-drools:${POLICY_DROOLS_PDP_VERSION}
container_name: policy-drools-pdp
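Review bot: The `./wait_for_port.sh:/app/wait_for_port.sh` mount is the only file mount in the new `opa-pdp` service that is read-write, while its two siblings are `:ro`; nothing in the command needs to write it, so `- ./wait_for_port.sh:/app/wait_for_port.sh:ro` keeps the three consistent and the host script immutable from inside the container. The port mapping `- ${OPA_PDP_PORT}:8282` is better written `- "${OPA_PDP_PORT}:8282"`, as a colon-separated value that is not quoted is exactly the kind of scalar YAML 1.1 parsers mis-type once the substitution is a bare number. The two `type: bind` mounts for policies and data would also take `read_only: true` if the PDP is not expected to modify the bundle sources.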
diff --git a/compose/config/api/apiParameters.yaml b/compose/config/api/apiParameters.yaml
index 3d8de256..f6fafa06 100644
--- a/compose/config/api/apiParameters.yaml
+++ b/compose/config/api/apiParameters.yaml
@@ -69,6 +69,7 @@ policy-preload:
- policytypes/onap.policies.controlloop.operational.Common.yaml
- policytypes/onap.policies.controlloop.operational.common.Apex.yaml
- policytypes/onap.policies.controlloop.operational.common.Drools.yaml
+ - policytypes/onap.policies.native.opa.yaml
policies:
- policies/sdnc.policy.naming.input.tosca.yaml
diff --git a/compose/config/opa-pdp/config.json b/compose/config/opa-pdp/config.json
new file mode 100644
index 00000000..3f2aa437
--- /dev/null
+++ b/compose/config/opa-pdp/config.json
@@ -0,0 +1,24 @@
+{
+ "logging": {
+ "level": "debug"
+ },
+ "services": [
+ {
+ "name": "opa-bundle-server",
+ "url": "http://localhost:8282/opa/bundles"
+ }
+ ],
+ "bundles": {
+ "opabundle": {
+ "service": "opa-bundle-server",
+ "resource": "bundle.tar.gz",
+ "polling": {
+ "min_delay_seconds": 60,
+ "max_delay_seconds": 120
+ }
+ }
+ },
+ "decision_logs": {
+ "console": true
+ }
+}
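Review bot: The `opa-bundle-server` service has no `credentials` block and the `opabundle` bundle has no `signing` configuration, so the PDP will load whatever `bundle.tar.gz` the endpoint returns; with the url on `http://localhost:8282`, which is the same port the compose hunk publishes for the PDP itself, this is presumably a self-served bundle and acceptable, but it is worth confirming that the bundle is actually fetched from the loopback and not from a host-published port. `decision_logs.console: true` together with `level: debug` writes every decision with its full `input` to stdout; that is convenient for CSIT but the file has no way to say so, so a line in the compose or README noting this config is test-only would help.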
diff --git a/compose/config/opa-pdp/data/abac/data.json b/compose/config/opa-pdp/data/abac/data.json
new file mode 100644
index 00000000..77b5668e
--- /dev/null
+++ b/compose/config/opa-pdp/data/abac/data.json
@@ -0,0 +1,94 @@
+{
+ "sensor_data": [
+ {
+ "id": "0001",
+ "location": "Sri Lanka",
+ "temperature": "28 C",
+ "precipitation": "1000 mm",
+ "windspeed": "5.5 m/s",
+ "humidity": "40%",
+ "particle_density": "1.3 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0002",
+ "location": "Colombo",
+ "temperature": "30 C",
+ "precipitation": "1200 mm",
+ "windspeed": "6.0 m/s",
+ "humidity": "45%",
+ "particle_density": "1.5 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0003",
+ "location": "Kandy",
+ "temperature": "25 C",
+ "precipitation": "800 mm",
+ "windspeed": "4.5 m/s",
+ "humidity": "60%",
+ "particle_density": "1.1 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0004",
+ "location": "Galle",
+ "temperature": "35 C",
+ "precipitation": "500 mm",
+ "windspeed": "7.2 m/s",
+ "humidity": "30%",
+ "particle_density": "1.8 g/l",
+ "timestamp": "2024-02-27"
+ },
+ {
+ "id": "0005",
+ "location": "Jaffna",
+ "temperature": "-5 C",
+ "precipitation": "300 mm",
+ "windspeed": "3.8 m/s",
+ "humidity": "20%",
+ "particle_density": "0.9 g/l",
+ "timestamp": "2024-02-27"
+ },
+ {
+ "id": "0006",
+ "location": "Trincomalee",
+ "temperature": "20 C",
+ "precipitation": "1000 mm",
+ "windspeed": "5.0 m/s",
+ "humidity": "55%",
+ "particle_density": "1.2 g/l",
+ "timestamp": "2024-02-28"
+ },
+ {
+ "id": "0007",
+ "location": "Nuwara Eliya",
+ "temperature": "25 C",
+ "precipitation": "600 mm",
+ "windspeed": "4.0 m/s",
+ "humidity": "50%",
+ "particle_density": "1.3 g/l",
+ "timestamp": "2024-02-28"
+ },
+ {
+ "id": "0008",
+ "location": "Anuradhapura",
+ "temperature": "28 C",
+ "precipitation": "700 mm",
+ "windspeed": "5.8 m/s",
+ "humidity": "40%",
+ "particle_density": "1.4 g/l",
+ "timestamp": "2024-02-29"
+ },
+ {
+ "id": "0009",
+ "location": "Matara",
+ "temperature": "32 C",
+ "precipitation": "900 mm",
+ "windspeed": "6.5 m/s",
+ "humidity": "65%",
+ "particle_density": "1.6 g/l",
+ "timestamp": "2024-02-29"
+ }
+ ]
+}
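Review bot: This file is committed twice: the blob `77b5668e` appears both here under `compose/config/opa-pdp/data/abac/` and under `compose/config/opa-pdp/policies/data/abac/` (L522 hunk), and the same duplication holds for the account (`df263d36`), action (`99145b74`), organization (`35fe4a14`) and role (`88ac41b8`) data files. The compose hunk mounts `./config/opa-pdp/data` to `/opt/data` and `./config/opa-pdp/policies` to `/opt/policies`, so one of the two copies is either unused or shadows the other, and they will drift the first time someone edits only one. Keep a single copy under whichever path the PDP reads and drop the other set, or document in the compose file why both trees are needed.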
diff --git a/compose/config/opa-pdp/data/account/data.json b/compose/config/opa-pdp/data/account/data.json
new file mode 100644
index 00000000..df263d36
--- /dev/null
+++ b/compose/config/opa-pdp/data/account/data.json
@@ -0,0 +1,16 @@
+{
+ "account_attributes":{
+ "11111":{
+ "owner":"alice",
+ "amount":10000
+ },
+ "22222":{
+ "owner":"bob",
+ "amount":10000
+ },
+ "33333":{
+ "owner":"cam",
+ "amount":10000
+ }
+ }
+}
diff --git a/compose/config/opa-pdp/data/action/data.json b/compose/config/opa-pdp/data/action/data.json
new file mode 100644
index 00000000..99145b74
--- /dev/null
+++ b/compose/config/opa-pdp/data/action/data.json
@@ -0,0 +1,43 @@
+{
+ "user_roles": {
+ "alice": [
+ "admin"
+ ],
+ "bob": [
+ "editor"
+ ],
+ "charlie": [
+ "viewer"
+ ]
+ },
+ "role_permissions": {
+ "admin": {
+ "actions": [
+ "read",
+ "write",
+ "delete"
+ ],
+ "resources": [
+ "server",
+ "database"
+ ]
+ },
+ "editor": {
+ "actions": [
+ "read",
+ "write"
+ ],
+ "resources": [
+ "server"
+ ]
+ },
+ "viewer": {
+ "actions": [
+ "read"
+ ],
+ "resources": [
+ "server"
+ ]
+ }
+ }
+}
diff --git a/compose/config/opa-pdp/data/organization/data.json b/compose/config/opa-pdp/data/organization/data.json
new file mode 100644
index 00000000..35fe4a14
--- /dev/null
+++ b/compose/config/opa-pdp/data/organization/data.json
@@ -0,0 +1,32 @@
+{
+ "acls": [
+ {
+ "user": "alice",
+ "actions": [
+ "edit",
+ "read"
+ ],
+ "component": "component_A",
+ "project": "project_A",
+ "organization": "org_A"
+ },
+ {
+ "user": "bob",
+ "actions": ["read"],
+ "organization": "org_A"
+ },
+ {
+ "user": "bob",
+ "action": ["edit"],
+ "component": "component_A",
+ "project": "project_B",
+ "organization": "org_A"
+ },
+ {
+ "user": "charlie",
+ "action": ["read"],
+ "project": "project_B",
+ "organization": "org_A"
+ }
+ ]
+}
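Review bot: The last two ACL entries use the key `"action"` while the first two use `"actions"`, and the organization policy in this commit iterates `acl.actions`, so bob's `edit` on `project_B` and charlie's `read` on `project_B` are never matched and silently evaluate to deny. Rename both to `"actions": ["edit"]` and `"actions": ["read"]` so the fixture exercises those rules as intended. The identical copy under `compose/config/opa-pdp/policies/data/organization/data.json` (L693 hunk) has the same typo.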
diff --git a/compose/config/opa-pdp/data/role/data.json b/compose/config/opa-pdp/data/role/data.json
new file mode 100644
index 00000000..88ac41b8
--- /dev/null
+++ b/compose/config/opa-pdp/data/role/data.json
@@ -0,0 +1,63 @@
+{
+ "user_roles": {
+ "alice": [
+ "admin"
+ ],
+ "bob": [
+ "employee",
+ "billing"
+ ],
+ "eve": [
+ "customer"
+ ]
+ },
+ "role_grants": {
+ "customer": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "adopt",
+ "type": "dog"
+ },
+ {
+ "action": "adopt",
+ "type": "cat"
+ }
+ ],
+ "employee": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "update",
+ "type": "dog"
+ },
+ {
+ "action": "update",
+ "type": "cat"
+ }
+ ],
+ "billing": [
+ {
+ "action": "read",
+ "type": "finance"
+ },
+ {
+ "action": "update",
+ "type": "finance"
+ }
+ ]
+ }
+}
+
diff --git a/compose/config/opa-pdp/groups.json b/compose/config/opa-pdp/groups.json
new file mode 100644
index 00000000..ef4ee5f4
--- /dev/null
+++ b/compose/config/opa-pdp/groups.json
@@ -0,0 +1,24 @@
+{
+ "groups": [
+ {
+ "name": "opaGroup",
+ "version": "1.0.0",
+ "description": "The default group that registers all supported policy types and pdps.",
+ "pdpGroupState": "ACTIVE",
+ "pdpSubgroups": [
+ {
+ "pdpType": "opa",
+ "desiredInstanceCount": 1,
+ "properties": {},
+ "supportedPolicyTypes": [
+ {
+ "name": "onap.policies.native.opa",
+ "version": "1.0.0"
+ }
+ ],
+ "policies": []
+ }
+ ]
+ }
+ ]
+}
diff --git a/compose/config/opa-pdp/opa-pdp.env b/compose/config/opa-pdp/opa-pdp.env
new file mode 100644
index 00000000..7e2a9070
--- /dev/null
+++ b/compose/config/opa-pdp/opa-pdp.env
@@ -0,0 +1,9 @@
+#env variables#
+
+LOG_LEVEL=debug
+BOOSTSTRAP_SERVER="kafka:9092"
+TOPIC=policy-pdp-pap
+GROUPID=opa-pdp
+USER_NAME=policyadmin
+PASSWORD="zb!XztG34"
+JAASLOGIN="org.apache.kafka.common.security.scram.ScramLoginModule required username=\"policy-opa-pdp-ku\" password=\"\""
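Review bot: `BOOSTSTRAP_SERVER` reads like a typo for `BOOTSTRAP_SERVER`; if the PDP binary reads the latter, the Kafka address in this file never reaches it and the `wait_for_port.sh` checks would be the only thing making the container look wired up, so confirm the exact variable name the opa-pdp image consumes. `PASSWORD="zb!XztG34"` is a plaintext credential committed to the repo and `JAASLOGIN` carries an empty `password=\"\"`; if these are the CSIT test defaults alongside `policyadmin`, say so in the file header, e.g. `# CSIT-only test credentials; replace for any real deployment`, so they are not copied into production configs. Whether compose strips the double quotes from `env_file` values depends on the compose version in use, so it is worth checking the rendered environment once rather than assuming.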
diff --git a/compose/config/opa-pdp/policies/abac/policy.rego b/compose/config/opa-pdp/policies/abac/policy.rego
new file mode 100644
index 00000000..9dc6ea9b
--- /dev/null
+++ b/compose/config/opa-pdp/policies/abac/policy.rego
@@ -0,0 +1,20 @@
+package abac
+
+import rego.v1
+
+default allow := false
+
+allow if {
+ viewable_sensor_data
+ action_is_read
+}
+
+action_is_read if "read" in input.actions
+
+viewable_sensor_data contains view_data if {
+ some sensor_data in data.abac.sensor_data
+ sensor_data.timestamp >= input.time_period.from
+ sensor_data.timestamp < input.time_period.to
+
+ view_data := {datatype: sensor_data[datatype] | datatype in input.datatypes}
+}
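Review bot: `viewable_sensor_data` is a partial set rule, and as far as I know a partial set that matches nothing evaluates to the empty set rather than becoming undefined, so referencing it bare in the `allow` body is satisfied even when no sensor record falls inside `input.time_period`; every `read` request would then be allowed. Guard on the contents instead: `count(viewable_sensor_data) > 0`. The `>=` / `<` comparisons on `timestamp` are plain string comparisons, which only order correctly while both sides stay in the same `YYYY-MM-DD` form; a comment stating that assumption on the two comparison lines would help the next maintainer.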
diff --git a/compose/config/opa-pdp/policies/account/policy.rego b/compose/config/opa-pdp/policies/account/policy.rego
new file mode 100644
index 00000000..f99e8eb0
--- /dev/null
+++ b/compose/config/opa-pdp/policies/account/policy.rego
@@ -0,0 +1,17 @@
+package account
+
+import rego.v1
+
+default allow := false
+
+allow if {
+ creditor_is_valid
+ debtor_is_valid
+ period_is_valid
+ amount_is_valid
+}
+creditor_is_valid if data.account.account_attributes[input.creditor_account].owner == input.creditor
+debtor_is_valid if data.account.account_attributes[input.debtor_account].owner == input.debtor
+
+period_is_valid if input.period <= 30
+amount_is_valid if data.account.account_attributes[input.debtor_account].amount >= input.amount
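Review bot: `amount_is_valid` only checks that the debtor balance is at least `input.amount`, so a negative or zero amount passes and the policy permits a "transfer" in the wrong direction; add a sign check such as `amount_is_valid if { input.amount > 0; data.account.account_attributes[input.debtor_account].amount >= input.amount }`. Nothing prevents `input.creditor_account == input.debtor_account` either, which is presumably not a valid transfer for this example. The rule names carry the contract well, but a one-line comment above `allow` stating that all four conditions are required (and that undefined lookups fall through to the `default false`) would make the policy self-describing.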
diff --git a/compose/config/opa-pdp/policies/action/policy.rego b/compose/config/opa-pdp/policies/action/policy.rego
new file mode 100644
index 00000000..300fe501
--- /dev/null
+++ b/compose/config/opa-pdp/policies/action/policy.rego
@@ -0,0 +1,21 @@
+package action
+
+import rego.v1
+
+# By default, deny requests.
+default allow := false
+
+
+# Allow the action if admin role is granted permission to perform the action.
+allow if {
+ some i
+ data.action.user_roles[input.user][i] == role
+ some j
+ data.action.role_permissions[role].actions[j] == input.action
+ some k
+ data.action.role_permissions[role].resources[k] == input.type
+}
+# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+
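Review bot: `role` appears only on the right-hand side of `==` on the `data.action.user_roles[input.user][i] == role` line, and `==` compares without binding, so unless something outside this hunk binds `role` I would expect `opa` to reject the rule with an unsafe-variable error. Writing the body with membership expressions avoids the indices altogether: `some role in data.action.user_roles[input.user]`, `input.action in data.action.role_permissions[role].actions`, `input.type in data.action.role_permissions[role].resources`. The comment above `allow` says the admin role must hold the permission, but the rule grants for any role the user has, so it should read `# Allow the action if any of the user's roles is permitted to perform it on the resource type.` The two trailing blank lines at the end of the file are noise.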
diff --git a/compose/config/opa-pdp/policies/data/abac/data.json b/compose/config/opa-pdp/policies/data/abac/data.json
new file mode 100644
index 00000000..77b5668e
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/abac/data.json
@@ -0,0 +1,94 @@
+{
+ "sensor_data": [
+ {
+ "id": "0001",
+ "location": "Sri Lanka",
+ "temperature": "28 C",
+ "precipitation": "1000 mm",
+ "windspeed": "5.5 m/s",
+ "humidity": "40%",
+ "particle_density": "1.3 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0002",
+ "location": "Colombo",
+ "temperature": "30 C",
+ "precipitation": "1200 mm",
+ "windspeed": "6.0 m/s",
+ "humidity": "45%",
+ "particle_density": "1.5 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0003",
+ "location": "Kandy",
+ "temperature": "25 C",
+ "precipitation": "800 mm",
+ "windspeed": "4.5 m/s",
+ "humidity": "60%",
+ "particle_density": "1.1 g/l",
+ "timestamp": "2024-02-26"
+ },
+ {
+ "id": "0004",
+ "location": "Galle",
+ "temperature": "35 C",
+ "precipitation": "500 mm",
+ "windspeed": "7.2 m/s",
+ "humidity": "30%",
+ "particle_density": "1.8 g/l",
+ "timestamp": "2024-02-27"
+ },
+ {
+ "id": "0005",
+ "location": "Jaffna",
+ "temperature": "-5 C",
+ "precipitation": "300 mm",
+ "windspeed": "3.8 m/s",
+ "humidity": "20%",
+ "particle_density": "0.9 g/l",
+ "timestamp": "2024-02-27"
+ },
+ {
+ "id": "0006",
+ "location": "Trincomalee",
+ "temperature": "20 C",
+ "precipitation": "1000 mm",
+ "windspeed": "5.0 m/s",
+ "humidity": "55%",
+ "particle_density": "1.2 g/l",
+ "timestamp": "2024-02-28"
+ },
+ {
+ "id": "0007",
+ "location": "Nuwara Eliya",
+ "temperature": "25 C",
+ "precipitation": "600 mm",
+ "windspeed": "4.0 m/s",
+ "humidity": "50%",
+ "particle_density": "1.3 g/l",
+ "timestamp": "2024-02-28"
+ },
+ {
+ "id": "0008",
+ "location": "Anuradhapura",
+ "temperature": "28 C",
+ "precipitation": "700 mm",
+ "windspeed": "5.8 m/s",
+ "humidity": "40%",
+ "particle_density": "1.4 g/l",
+ "timestamp": "2024-02-29"
+ },
+ {
+ "id": "0009",
+ "location": "Matara",
+ "temperature": "32 C",
+ "precipitation": "900 mm",
+ "windspeed": "6.5 m/s",
+ "humidity": "65%",
+ "particle_density": "1.6 g/l",
+ "timestamp": "2024-02-29"
+ }
+ ]
+}
diff --git a/compose/config/opa-pdp/policies/data/account/data.json b/compose/config/opa-pdp/policies/data/account/data.json
new file mode 100644
index 00000000..df263d36
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/account/data.json
@@ -0,0 +1,16 @@
+{
+ "account_attributes":{
+ "11111":{
+ "owner":"alice",
+ "amount":10000
+ },
+ "22222":{
+ "owner":"bob",
+ "amount":10000
+ },
+ "33333":{
+ "owner":"cam",
+ "amount":10000
+ }
+ }
+}
diff --git a/compose/config/opa-pdp/policies/data/action/data.json b/compose/config/opa-pdp/policies/data/action/data.json
new file mode 100644
index 00000000..99145b74
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/action/data.json
@@ -0,0 +1,43 @@
+{
+ "user_roles": {
+ "alice": [
+ "admin"
+ ],
+ "bob": [
+ "editor"
+ ],
+ "charlie": [
+ "viewer"
+ ]
+ },
+ "role_permissions": {
+ "admin": {
+ "actions": [
+ "read",
+ "write",
+ "delete"
+ ],
+ "resources": [
+ "server",
+ "database"
+ ]
+ },
+ "editor": {
+ "actions": [
+ "read",
+ "write"
+ ],
+ "resources": [
+ "server"
+ ]
+ },
+ "viewer": {
+ "actions": [
+ "read"
+ ],
+ "resources": [
+ "server"
+ ]
+ }
+ }
+}
diff --git a/compose/config/opa-pdp/policies/data/organization/data.json b/compose/config/opa-pdp/policies/data/organization/data.json
new file mode 100644
index 00000000..35fe4a14
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/organization/data.json
@@ -0,0 +1,32 @@
+{
+ "acls": [
+ {
+ "user": "alice",
+ "actions": [
+ "edit",
+ "read"
+ ],
+ "component": "component_A",
+ "project": "project_A",
+ "organization": "org_A"
+ },
+ {
+ "user": "bob",
+ "actions": ["read"],
+ "organization": "org_A"
+ },
+ {
+ "user": "bob",
+ "action": ["edit"],
+ "component": "component_A",
+ "project": "project_B",
+ "organization": "org_A"
+ },
+ {
+ "user": "charlie",
+ "action": ["read"],
+ "project": "project_B",
+ "organization": "org_A"
+ }
+ ]
+}
diff --git a/compose/config/opa-pdp/policies/data/role/data.json b/compose/config/opa-pdp/policies/data/role/data.json
new file mode 100644
index 00000000..88ac41b8
--- /dev/null
+++ b/compose/config/opa-pdp/policies/data/role/data.json
@@ -0,0 +1,63 @@
+{
+ "user_roles": {
+ "alice": [
+ "admin"
+ ],
+ "bob": [
+ "employee",
+ "billing"
+ ],
+ "eve": [
+ "customer"
+ ]
+ },
+ "role_grants": {
+ "customer": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "adopt",
+ "type": "dog"
+ },
+ {
+ "action": "adopt",
+ "type": "cat"
+ }
+ ],
+ "employee": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "update",
+ "type": "dog"
+ },
+ {
+ "action": "update",
+ "type": "cat"
+ }
+ ],
+ "billing": [
+ {
+ "action": "read",
+ "type": "finance"
+ },
+ {
+ "action": "update",
+ "type": "finance"
+ }
+ ]
+ }
+}
+
diff --git a/compose/config/opa-pdp/policies/example/policy.rego b/compose/config/opa-pdp/policies/example/policy.rego
new file mode 100644
index 00000000..cc192851
--- /dev/null
+++ b/compose/config/opa-pdp/policies/example/policy.rego
@@ -0,0 +1,13 @@
+package example
+
+import rego.v1
+
+allow if {
+ input.path == ["users"]
+ input.method == "POST"
+}
+
+allow if {
+ input.path == ["users", input.user_id]
+ input.method == "GET"
+}
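Review bot: Unlike the other policies in this commit, this package has no `default allow := false`, so a request that matches neither rule leaves `allow` undefined instead of `false`, and callers that test for an explicit `false` will see a different outcome than for the sibling packages. Add `default allow := false` after the import for consistency. A header comment stating what the two rules model (create a user with `POST /users`, read a single user with `GET /users/<id>`) would make the example usable without reading the bodies.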
diff --git a/compose/config/opa-pdp/policies/organization/policy.rego b/compose/config/opa-pdp/policies/organization/policy.rego
new file mode 100644
index 00000000..31e7fb66
--- /dev/null
+++ b/compose/config/opa-pdp/policies/organization/policy.rego
@@ -0,0 +1,38 @@
+package organization
+
+import rego.v1
+
+default allow := false
+
+# organization level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+ acl.project == input.project
+ acl.component == input.component
+
+ some action in acl.actions
+ action == input.action
+}
+
+# project level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+ acl.project == input.project
+
+ some action in acl.actions
+ action == input.action
+}
+
+# component level access
+allow if {
+ some acl in data.organization.acls
+ acl.user == input.user
+ acl.organization == input.organization
+
+ some action in acl.actions
+ action == input.action
+}
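Review bot: The three rule comments are inverted relative to their bodies: the rule labelled `# organization level access` checks organization, project and component (the narrowest scope), while the one labelled `# component level access` checks only the organization (the broadest). Swap the labels so the first reads `# component level access` and the last `# organization level access`. Note also that the organization-only rule is satisfied by a strict subset of the other two rules' conditions, so whenever either stricter rule fires the broad one fires too; the project and component rules never change the decision and are effectively documentation, which is worth stating in a comment if the scoping is intended to be meaningful later.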
diff --git a/compose/config/opa-pdp/policies/role/policy.rego b/compose/config/opa-pdp/policies/role/policy.rego
new file mode 100644
index 00000000..54bdecf9
--- /dev/null
+++ b/compose/config/opa-pdp/policies/role/policy.rego
@@ -0,0 +1,53 @@
+# Role-based Access Control (RBAC)
+# --------------------------------
+#
+# This example defines an RBAC model for a Pet Store API. The Pet Store API allows
+# users to look at pets, adopt them, update their stats, and so on. The policy
+# controls which users can perform actions on which resources. The policy implements
+# a classic Role-based Access Control model where users are assigned to roles and
+# roles are granted the ability to perform some action(s) on some type of resource.
+#
+# This example shows how to:
+#
+# * Define an RBAC model in Rego that interprets role mappings represented in JSON.
+# * Iterate/search across JSON data structures (e.g., role mappings)
+#
+# For more information see:
+#package app.rbac
+package role
+
+import rego.v1
+
+# By default, deny requests.
+default allow := false
+
+# Allow admins to do anything.
+allow if user_is_admin
+
+# Allow the action if the user is granted permission to perform the action.
+allow if {
+ # Find grants for the user.
+ some grant in user_is_granted
+
+ # Check if the grant permits the action.
+ input.action == grant.action
+ input.type == grant.type
+}
+
+# user_is_admin is true if "admin" is among the user's roles as per data.user_roles
+user_is_admin if "admin" in data.role.user_roles[input.user]
+
+# user_is_granted is a set of grants for the user identified in the request.
+# The `grant` will be contained if the set `user_is_granted` for every...
+user_is_granted contains grant if {
+ # `role` assigned an element of the user_roles for this user...
+ some role in data.role.user_roles[input.user]
+
+ # `grant` assigned a single grant from the grants list for 'role'...
+ some grant in data.role.role_grants[role]
+}
+
+# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+
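Review bot: The header ends with `# For more information see:` immediately followed by the leftover `#package app.rbac`, while the two links it refers to sit at the bottom of the file after the rules; move the two `# * Rego ...` lines up under the "For more information see:" line and delete `#package app.rbac`. The user_is_granted comment is cut off mid-sentence (`... for every...`); finish it, e.g. `# user_is_granted contains each grant of every role assigned to input.user in data.role.user_roles.` The two trailing blank lines at the end of the file can go.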
diff --git a/compose/config/opa-pdp/policy-opa-pdp.sh b/compose/config/opa-pdp/policy-opa-pdp.sh
new file mode 100755
index 00000000..4cb2cf01
--- /dev/null
+++ b/compose/config/opa-pdp/policy-opa-pdp.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+
+#Execution of OPA-PDP bin
+sleep 40
+/app/opa-pdp
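Review bot: `/app/opa-pdp` is started as a child of the shell, so the shell stays PID 1 in the container and SIGTERM from `docker stop` is not forwarded to the PDP; use `exec /app/opa-pdp` so the binary replaces the shell and receives signals directly. The fixed `sleep 40` runs after `wait_for_port.sh` has already confirmed kafka and pap are listening (per the compose `command`), so a comment explaining what the extra 40 seconds waits for, e.g. `# pap has opened its port but is not yet registering PDPs; give it time`, or a readiness poll in its place, would help. The script also lacks `set -e`, though with two statements that is minor.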
diff --git a/compose/export-ports.sh b/compose/export-ports.sh
index 8dd2c163..a1f372f8 100755
--- a/compose/export-ports.sh
+++ b/compose/export-ports.sh
@@ -23,6 +23,7 @@ export APEX_EVENTS_PORT=23324
export API_PORT=30002
export PAP_PORT=30003
export XACML_PORT=30004
+export OPA_PDP_PORT=30012
export DROOLS_PORT=30005
export DROOLS_TELEMETRY_PORT=30216
export DIST_PORT=30006
diff --git a/compose/get-versions.sh b/compose/get-versions.sh
index 0e8f251e..c7378ee7 100755
--- a/compose/get-versions.sh
+++ b/compose/get-versions.sh
@@ -43,6 +43,7 @@ if [ -n "$LOCAL_IMAGES" ] && [ "$LOCAL_IMAGES" = "true" ]; then
export POLICY_APEX_PDP_VERSION="latest"
export POLICY_DROOLS_PDP_VERSION="latest"
export POLICY_XACML_PDP_VERSION="latest"
+ export POLICY_OPA_PDP_VERSION="latest"
export POLICY_DISTRIBUTION_VERSION="latest"
export POLICY_CLAMP_VERSION="latest"
export POLICY_CLAMP_PPNT_VERSION=$POLICY_CLAMP_VERSION
@@ -145,6 +146,8 @@ else
getDockerVersion xacml-pdp
export POLICY_XACML_PDP_VERSION="$docker_image_version"
+ export POLICY_OPA_PDP_VERSION="1.0.5-SNAPSHOT"
+
getDockerVersion distribution
export POLICY_DISTRIBUTION_VERSION="$docker_image_version"
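Review bot: `POLICY_OPA_PDP_VERSION="1.0.5-SNAPSHOT"` is hard-coded while every neighbouring PDP version in this branch is resolved through `getDockerVersion`, so this value will not track releases the way the others do and will go stale silently. If the opa-pdp image is not yet published where `getDockerVersion` looks, say so on the line: `# TODO: switch to getDockerVersion opa-pdp once the image is published to the same registry`. The blank line added after the export is the only separator of its kind in this group; drop it or apply the same spacing to the siblings.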
@@ -154,4 +157,4 @@ else
getDockerVersion drools-applications
export POLICY_DROOLS_APPS_VERSION="$docker_image_version"
-fi \ No newline at end of file
+fi
diff --git a/csit/resources/scripts/run-test.sh b/csit/resources/scripts/run-test.sh
index 1e756f6d..1156fd5c 100755
--- a/csit/resources/scripts/run-test.sh
+++ b/csit/resources/scripts/run-test.sh
@@ -32,6 +32,7 @@ APEX_IP=policy-apex-pdp:${DEFAULT_PORT}
APEX_EVENTS_IP=policy-apex-pdp:23324
POLICY_PDPX_IP=policy-xacml-pdp:${DEFAULT_PORT}
+POLICY_OPA_IP=policy-opa-pdp:8282
POLICY_DROOLS_IP=policy-drools-pdp:9696
DROOLS_IP_1=policy-drools-apps:${DEFAULT_PORT}
@@ -59,6 +60,7 @@ ROBOT_VARIABLES="-v DATA:${DATA}
-v KAFKA_IP:${KAFKA_IP}
-v PROMETHEUS_IP:${PROMETHEUS_IP}
-v POLICY_PDPX_IP:${POLICY_PDPX_IP}
+-v POLICY_OPA_IP:${POLICY_OPA_IP}
-v POLICY_DROOLS_IP:${POLICY_DROOLS_IP}
-v DROOLS_IP:${DROOLS_IP_1}
-v DROOLS_IP_2:${DROOLS_IP_2}
diff --git a/csit/resources/tests/api-test.robot b/csit/resources/tests/api-test.robot
index 29c2fba4..e1b8fd47 100644
--- a/csit/resources/tests/api-test.robot
+++ b/csit/resources/tests/api-test.robot
@@ -16,7 +16,7 @@ Healthcheck
RetrievePolicyTypes
[Documentation] Retrieve all policy types
- FetchPolicyTypes /policy/api/v1/policytypes 37
+ FetchPolicyTypes /policy/api/v1/policytypes 38
CreateTCAPolicyTypeV1
[Documentation] Create an existing policy type with modification and keeping the same version should result in error.
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json
new file mode 100644
index 00000000..b92aa88e
--- /dev/null
+++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json
@@ -0,0 +1,2 @@
+{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z" "policyName":"role/allow","input":{"user":"carol","action":"write","object":"id123","type":"dog"}}
+
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json
new file mode 100644
index 00000000..66132ea7
--- /dev/null
+++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json
@@ -0,0 +1 @@
+{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role/allow","input":{"user":"alice","action":"write","object":"id123","type":"dog"}}
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json
new file mode 100644
index 00000000..352ddb55
--- /dev/null
+++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json
@@ -0,0 +1,2 @@
+{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role1/allow","input":{"user":"alice","action":"write","object":"id123","type":"dog"}}
+
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json
new file mode 100644
index 00000000..e9aea14a
--- /dev/null
+++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json
@@ -0,0 +1 @@
+{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role/allow","input":{"user":"carol","action":"write","object":"id123","type":"dog"}}
diff --git a/csit/resources/tests/opa-pdp-test.robot b/csit/resources/tests/opa-pdp-test.robot
new file mode 100644
index 00000000..908314f8
--- /dev/null
+++ b/csit/resources/tests/opa-pdp-test.robot
@@ -0,0 +1,53 @@
+*** Settings ***
+Library RequestsLibrary
+Library Collections
+Library OperatingSystem
+Library Process
+Library json
+Resource common-library.robot
+
+*** Variables ***
+${OPA_PDP_HOST} /policy/pdpx/v1/healthcheck
+${url} /policy/pdpx/v1/decision
+
+*** Test Cases ***
+Healthcheck
+ [Documentation] Verify OPA PDP health check
+ PdpxGetReq ${OPA_PDP_HOST} <Response [200]>
+
+RetrieveSuccessfulRequest
+ [Documentation] Get Decision Request Successful for Opa Pdp
+ DecisionRequest onap.policy.opa.pdp.decision.request.json PERMIT 200
+
+RetrieveDenyRequest
+ [Documentation] Get Decision Request DENY for Opa Pdp
+ DecisionRequest onap.policy.opa.pdp.decision.requestfailure.json DENY 200
+
+*** comments ***
+| RetrieveFailureRequest
+| |[Documentation] | Get Decision Request INDETERMINATE for Opa Pdp ***
+| | |DecisionRequest onap.policy.opa.pdp.decision.requestIndeterminate.json INDETERMINATE 200 ***
+
+RetrieveFailureBadRequest
+ [Documentation] Get Decision Request Failure Bad Request for Opa Pdp
+ DecisionRequest onap.policy.opa.pdp.decision.badRequest.json BAD_REQUEST 400
+*** Keywords ***
+PdpxGetReq
+ [Documentation] Verify the response of Health Check is Successful
+ [Arguments] ${url} ${status}
+ ${hcauth}= PolicyAdminAuth
+ ${resp}= PerformGetRequest ${POLICY_OPA_IP} ${url} 200 null ${hcauth}
+ Should Be Equal As Strings ${resp} ${status}
+
+DecisionRequest
+ [Arguments] ${jsonfile} ${keyword} ${status}
+ ${postjson}= Get file ${CURDIR}/data/${jsonfile}
+ ${resp}= DecisionPostReq ${postjson} ${status} abbrev=true
+ Should Contain ${resp.text} ${keyword}
+
+DecisionPostReq
+ [Arguments] ${postjson} ${status} ${abbr}
+ ${expectedStatus}= Set Variable ${status}
+ ${hcauth}= PolicyAdminAuth
+ ${resp}= PerformPostRequest ${POLICY_OPA_IP} ${url} ${expectedStatus} ${postjson} ${abbr} ${hcauth}
+ RETURN ${resp}
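Review bot: `RetrieveFailureBadRequest` is defined after the `*** comments ***` header and before `*** Keywords ***`, so Robot Framework treats it as part of the Comments section and never runs it; move the three lines of that test case above the `*** comments ***` header (or move the commented-out block to the end of the Test Cases section) so the 400 path is actually exercised. `${OPA_PDP_HOST}` holds the healthcheck path `/policy/pdpx/v1/healthcheck`, not a host, so a name such as `${HEALTHCHECK_URL}` would avoid confusing it with `${POLICY_OPA_IP}`. `Should Contain ${resp.text} ${keyword}` is a substring match, so `PERMIT` would also be satisfied by a response that merely echoes the word elsewhere; if the decision field is known, comparing that field is stricter.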
diff --git a/csit/run-project-csit.sh b/csit/run-project-csit.sh
index e355d5ff..961100bf 100755
--- a/csit/run-project-csit.sh
+++ b/csit/run-project-csit.sh
@@ -170,6 +170,14 @@ function setup_xacml_pdp() {
check_rest_endpoint "${XACML_PORT}"
}
+function setup_opa_pdp() {
+ export ROBOT_FILES="opa-pdp-test.robot"
+ export PROJECT="opa-pdp"
+ source ${DOCKER_COMPOSE_DIR}/start-compose.sh opa-pdp --grafana
+ sleep 180
+ bash ${SCRIPTS}/wait_for_rest.sh localhost "${OPA_PDP_PORT}"
+}
+
function setup_drools_pdp() {
export ROBOT_FILES="drools-pdp-test.robot"
source ${DOCKER_COMPOSE_DIR}/start-compose.sh drools-pdp --grafana
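Review bot: `sleep 180` is a fixed three-minute pause placed directly before `wait_for_rest.sh`, which already polls for readiness, so the sleep adds latency to every CSIT run without adding a check; if the PDP needs extra time beyond its REST port being open (for example to register with pap), a comment naming that reason, or a poll for the specific condition, would be better than the bare number. The `${DOCKER_COMPOSE_DIR}` and `${SCRIPTS}` expansions are unquoted, which matches the neighbouring `setup_*` functions but breaks if either path ever contains a space. `setup_opa_pdp` is fully within the hunk; the surrounding `setup_xacml_pdp` and `setup_drools_pdp` are cut off.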
@@ -240,6 +248,10 @@ function set_project_config() {
setup_xacml_pdp
;;
+ opa-pdp | policy-opa-pdp)
+ setup_opa_pdp
+ ;;
+
drools-pdp | policy-drools-pdp)
setup_drools_pdp
;;