From 726faa724804ee355f24e87daea367d098de9185 Mon Sep 17 00:00:00 2001 From: srinivasyanamadala Date: Mon, 10 Feb 2025 10:21:31 +0100 Subject: Updated csit tests for Decision parameter changes Issue-ID: POLICY-5261 Change-Id: Ib8f5b4295d05cdced4f7196d57595b0a3f448060 Signed-off-by: srinivasyanamadala --- compose/get-versions.sh | 2 +- .../onap.policy.opa.pdp.decision.badRequest.json | 2 - ...icy.opa.pdp.decision.empty_filter_response.json | 61 ++++++ ...ap.policy.opa.pdp.decision.filter_response.json | 23 ++ .../data/onap.policy.opa.pdp.decision.request.json | 2 +- ...nap.policy.opa.pdp.decision.request.output.json | 5 + ...licy.opa.pdp.decision.requestIndeterminate.json | 2 - ...nap.policy.opa.pdp.decision.request_filter.json | 1 + ...licy.opa.pdp.decision.request_filter_empty.json | 1 + ...nap.policy.opa.pdp.decision.requestfailure.json | 1 - csit/resources/tests/opa-pdp-test.robot | 59 +++--- helm/policy/components/policy-opa-pdp/Chart.yaml | 46 ++-- helm/policy/components/policy-opa-pdp/values.yaml | 234 ++++++++++----------- helm/policy/values.yaml | 2 +- 14 files changed, 269 insertions(+), 172 deletions(-) delete mode 100644 csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json create mode 100644 csit/resources/tests/data/onap.policy.opa.pdp.decision.empty_filter_response.json create mode 100644 csit/resources/tests/data/onap.policy.opa.pdp.decision.filter_response.json create mode 100644 csit/resources/tests/data/onap.policy.opa.pdp.decision.request.output.json delete mode 100644 csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json create mode 100644 csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter.json create mode 100644 csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter_empty.json delete mode 100644 csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json diff --git a/compose/get-versions.sh b/compose/get-versions.sh index fbda7b0c..2de4e7f0 100755 
--- a/compose/get-versions.sh +++ b/compose/get-versions.sh @@ -142,7 +142,7 @@ else getDockerVersion xacml-pdp export POLICY_XACML_PDP_VERSION="$docker_image_version" - export POLICY_OPA_PDP_VERSION="1.0.0-SNAPSHOT" + export POLICY_OPA_PDP_VERSION="1.0.2-SNAPSHOT" getDockerVersion distribution export POLICY_DISTRIBUTION_VERSION="$docker_image_version" diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json deleted file mode 100644 index b92aa88e..00000000 --- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.badRequest.json +++ /dev/null @@ -1,2 +0,0 @@ -{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z" "policyName":"role/allow","input":{"user":"carol","action":"write","object":"id123","type":"dog"}} - diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.empty_filter_response.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.empty_filter_response.json new file mode 100644 index 00000000..040f0624 --- /dev/null +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.empty_filter_response.json 
@@ -0,0 +1,61 @@
+{
+ "output": {
+ "allow": true,
+ "role_grants": {
+ "billing": [
+ {
+ "action": "read",
+ "type": "finance"
+ },
+ {
+ "action": "update",
+ "type": "finance"
+ }
+ ],
+ "customer": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "adopt",
+ "type": "dog"
+ },
+ {
+ "action": "adopt",
+ "type": "cat"
+ }
+ ],
+ "employee": [
+ {
+ "action": "read",
+ "type": "dog"
+ },
+ {
+ "action": "read",
+ "type": "cat"
+ },
+ {
+ "action": "update",
+ "type": "dog"
+ },
+ {
+ "action": "update",
+ "type": "cat"
+ }
+ ]
+ },
+ "user_is_admin": true,
+ "user_is_granted": [],
+ "user_roles": {
+ "alice": ["admin"],
+ "bob": ["employee", "billing"],
+ "eve": ["customer"]
+ }
+ },
+ "policyName": "role"
+}
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.filter_response.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.filter_response.json
new file mode 100644
index 00000000..d19f5fed
--- /dev/null
+++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.filter_response.json
@@ -0,0 +1,23 @@
+{
+ "output": {
+ "role_grants": {
+ "billing": [
+ {"action": "read", "type": "finance"},
+ {"action": "update", "type": "finance"}
+ ],
+ "customer": [
+ {"action": "read", "type": "dog"},
+ {"action": "read", "type": "cat"},
+ {"action": "adopt", "type": "dog"},
+ {"action": "adopt", "type": "cat"}
+ ],
+ "employee": [
+ {"action": "read", "type": "dog"},
+ {"action": "read", "type": "cat"},
+ {"action": "update", "type": "dog"},
+ {"action": "update", "type": "cat"}
+ ]
+ }
+ },
+ "policyName": "role"
+}
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json
index 66132ea7..748a5529 100644
--- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json
+++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.json
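Review bot: The expected output for the empty-filter case is the whole decision document, including `user_roles`, `user_is_admin` and `allow`, so the test that consumes this fixture pins `"policyFilter": [""]` as "return everything". The same commit expects a request with no `policyFilter` at all to be refused with `bad_request` ("Policy Filter is nil."), which makes the empty-string filter the more permissive of the two and exposes every user's role mapping in one response. If that is the intended contract it belongs in the test case text, for example `[Documentation]    An empty-string policy filter returns the complete, unfiltered policy output`; if it is not, this fixture should shrink to what an empty filter is meant to expose. The PDP code is not part of this diff, so the intent is inferred from the fixtures alone.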
@@ -1 +1 @@
-{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role/allow","input":{"user":"alice","action":"write","object":"id123","type":"dog"}}
+{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role","input":{"user":"alice","action":"write","object":"id123","type":"dog"}}
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.output.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.output.json
new file mode 100644
index 00000000..bf035c4b
--- /dev/null
+++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request.output.json
@@ -0,0 +1,5 @@
+{
+ "errorMessage": "Policy Filter is nil.",
+ "policyName": "",
+ "responseCode": "bad_request"
+}
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json
deleted file mode 100644
index 352ddb55..00000000
--- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestIndeterminate.json
+++ /dev/null
@@ -1,2 +0,0 @@
-{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role1/allow","input":{"user":"alice","action":"write","object":"id123","type":"dog"}}
-
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter.json
new file mode 100644
index 00000000..1a621c26
--- /dev/null
+++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter.json
@@ -0,0 +1 @@
+{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role","policyFilter": ["role_grants"],"input":{"user":"alice","action":"write","object":"id123","type":"dog"}}
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter_empty.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter_empty.json
new file mode 100644
index 00000000..fec2ba48
--- /dev/null
+++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.request_filter_empty.json
@@ -0,0 +1 @@
+{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role","policyFilter": [""],"input":{"user":"alice","action":"write","object":"id123","type":"dog"}}
diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json
deleted file mode 100644
index e9aea14a..00000000
--- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.requestfailure.json
+++ /dev/null
@@ -1 +0,0 @@
-{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS","currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "+05:30", "currentDateTime": "2024-11-22T12:08:00Z", "policyName":"role/allow","input":{"user":"carol","action":"write","object":"id123","type":"dog"}}
diff --git a/csit/resources/tests/opa-pdp-test.robot b/csit/resources/tests/opa-pdp-test.robot
index a6d4c6d2..8e059ffd 100644
--- a/csit/resources/tests/opa-pdp-test.robot
+++ b/csit/resources/tests/opa-pdp-test.robot
@@ -15,22 +15,18 @@ Healthcheck [Documentation] Verify OPA PDP health check PdpxGetReq ${OPA_PDP_HOST} -RetrieveSuccessfulRequest - [Documentation] Get Decision Request Successful for Opa Pdp - DecisionRequest onap.policy.opa.pdp.decision.request.json PERMIT 200 - -RetrieveDenyRequest - [Documentation] Get Decision Request DENY for Opa Pdp - DecisionRequest onap.policy.opa.pdp.decision.requestfailure.json DENY 200 - -*** comments *** -| RetrieveFailureRequest -| |[Documentation] | Get Decision Request INDETERMINATE for Opa Pdp *** -| | |DecisionRequest onap.policy.opa.pdp.decision.requestIndeterminate.json INDETERMINATE 200 *** - -RetrieveFailureBadRequest - [Documentation] Get Decision Request Failure Bad Request for Opa Pdp - DecisionRequest onap.policy.opa.pdp.decision.badRequest.json BAD_REQUEST 400 +ValidatingPolicyWithoutPolicyFilter + [Documentation] Validating the policy without giving policy filter + ValidatePolicyResponseWithoutFilter onap.policy.opa.pdp.decision.request.json 400 onap.policy.opa.pdp.decision.request.output.json + +ValidatingPolicyWithPolicyFilter + [Documentation] Validating the policy with policy filter + ValidatePolicyResponse onap.policy.opa.pdp.decision.request_filter.json 200 onap.policy.opa.pdp.decision.filter_response.json + +ValidatingPolicyWithEmptyPolicyFilter + [Documentation] Validating the policy with empty policy filter + ValidatePolicyResponse onap.policy.opa.pdp.decision.request_filter_empty.json 200 onap.policy.opa.pdp.decision.empty_filter_response.json + *** Keywords *** PdpxGetReq [Documentation] Verify the response of Health Check is Successful 
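Review bot: None of the three new test cases exercises a refusal: every request fixture they post is for user `alice`, and the removed `RetrieveDenyRequest` (user `carol`, expected DENY) and `RetrieveFailureBadRequest` (malformed body, expected 400) have no replacement. For a policy decision point the negative path is the one most worth pinning, because a regression that answers "allow" for everyone would still pass this suite. I would add a case such as `ValidatePolicyResponse    <deny-request-fixture>.json    200    <deny-response-fixture>.json` (placeholder file names) for a user without a grant, with the expected output carrying `"allow": false`, and keep one case that posts a syntactically invalid body and expects 400. Whether `allow` can be selected through `policyFilter` on its own is inferred from the fixtures, not shown in this diff.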
@@ -39,15 +35,30 @@ PdpxGetReq ${resp}= PerformGetRequest ${POLICY_OPA_IP} ${url} 200 null ${hcauth} Should Be Equal As Strings ${resp} ${status} -DecisionRequest - [Arguments] ${jsonfile} ${keyword} ${status} +ValidatePolicyResponse + [Documentation] Validating the output for the policy + [Arguments] ${jsonfile} ${status} ${jsonfile1} + ${expectedStatus}= Set Variable ${status} ${postjson}= Get file ${CURDIR}/data/${jsonfile} - ${resp}= DecisionPostReq ${postjson} ${status} abbrev=true - Should Contain ${resp.text} ${keyword} + ${expected_data}= Get file ${CURDIR}/data/${jsonfile1} + ${hcauth}= PolicyAdminAuth + ${resp}= PerformPostRequest ${POLICY_OPA_IP} ${url} ${expectedStatus} ${postjson} abbrev=true ${hcauth} + ${response_data}= Get From Dictionary ${resp.json()} output + ${expected_value}= Evaluate json.loads('''${expected_data}''') json + ${expected_output}= Get From Dictionary ${expected_value} output + Dictionaries Should Be Equal ${response_data} ${expected_output} -DecisionPostReq - [Arguments] ${postjson} ${status} ${abbr} +ValidatePolicyResponseWithoutFilter + [Documentation] Validating the output for the policy + [Arguments] ${jsonfile} ${status} ${jsonfile1} ${expectedStatus}= Set Variable ${status} + ${postjson}= Get file ${CURDIR}/data/${jsonfile} + ${expected_data}= Get file ${CURDIR}/data/${jsonfile1} ${hcauth}= PolicyAdminAuth - ${resp}= PerformPostRequest ${POLICY_OPA_IP} ${url} ${expectedStatus} ${postjson} ${abbr} ${hcauth} - RETURN ${resp} + ${resp}= PerformPostRequest ${POLICY_OPA_IP} ${url} ${expectedStatus} ${postjson} abbrev=true ${hcauth} + ${response_data}= Get From Dictionary ${resp.json()} responseCode + ${expected_value}= Evaluate json.loads('''${expected_data}''') json + ${expected_output}= Get From Dictionary ${expected_value} responseCode + Should Be Equal As Strings ${response_data} ${expected_output} + + 
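Review bot: In both new keywords `Evaluate    json.loads('''${expected_data}''')    json` pastes the fixture text into Python source before it is parsed, so a backslash escape inside a JSON string is rewritten by the Python literal first and a `'''` in the file would end the literal and be evaluated as code. Passing the variable by reference avoids that: `${expected_value}=    Evaluate    json.loads($expected_data)    json`. `ValidatePolicyResponseWithoutFilter` also compares only `responseCode`, although its expected file carries `errorMessage` and `policyName` as well, so a change in the error text would go unnoticed. The two keywords differ only in the dictionary key and the final comparison and could share one body with the key as an argument. `PdpxGetReq` starts outside this hunk.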
diff --git a/helm/policy/components/policy-opa-pdp/Chart.yaml b/helm/policy/components/policy-opa-pdp/Chart.yaml
index b3c34fc6..3235b018 100755
--- a/helm/policy/components/policy-opa-pdp/Chart.yaml
+++ b/helm/policy/components/policy-opa-pdp/Chart.yaml
@@ -1,23 +1,23 @@
-# ============LICENSE_START=======================================================
-# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-
-apiVersion: v2
-description: ONAP Policy OPA PDP
-name: policy-opa-pdp
-version: 11.0.0
-
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024-2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: v2
+description: ONAP Policy OPA PDP
+name: policy-opa-pdp
+version: 11.0.1
+
diff --git a/helm/policy/components/policy-opa-pdp/values.yaml b/helm/policy/components/policy-opa-pdp/values.yaml
index 615b6523..a25f48a1 100755
--- a/helm/policy/components/policy-opa-pdp/values.yaml
+++ b/helm/policy/components/policy-opa-pdp/values.yaml
@@ -1,117 +1,117 @@
-# ============LICENSE_START=======================================================
-# Copyright (C) 2024-2025 Deutsche Telekom Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-
-#################################################################
-# Global configuration defaults.
-#################################################################
-global:
- persistence: {}
- image:
- opapdp: nexus3.onap.org:10001/onap/policy-opa-pdp:1.0.0-SNAPSHOT
-log:
- loglevel: "debug"
-
-permissions:
- uid: 100
- gid: 102
-
-#################################################################
-# Secrets metaconfig
-#################################################################
-secrets:
- - uid: restserver-creds
- type: basicAuth
- externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
- login: '{{ .Values.restServer.user }}'
- password: '{{ .Values.restServer.password }}'
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-pullPolicy: Always
-
-# flag to enable debugging - application support required
-debugEnabled: false
-
-# application configuration
-
-restServer:
- user: policyadmin
- password: zb!XztG34
-
-# default number of instances
-replicaCount: 1
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 20
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
-
-readiness:
- initialDelaySeconds: 10
- periodSeconds: 120
- api: /ready
- successThreshold: 1
- failureThreshold: 3
- timeout: 60
-
-service:
- type: ClusterIP
- name: policy-opa-pdp
- portName: http
- externalPort: 8282
- internalPort: 8282
-
-ingress:
- enabled: false
-
-flavor: small
-resources:
- small:
- limits:
- cpu: 1
- memory: 4Gi
- requests:
- cpu: 100m
- memory: 1Gi
- unlimited: {}
-
-dirSizes:
- bundleDir:
- sizeLimit: 1000Mi
-
-#Pods Service Account
-serviceAccount:
- nameOverride: policy-opa-pdp
- roles:
- - read
-kafka:
- groupid: "policy-opa-pdp"
- topic: "policy-pdp-pap"
- useSASL: "false"
- username: ""
- password: ""
- brokers: "kafka.default.svc.cluster.local:9092"
-
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024-2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+ persistence: {}
+ image:
+ opapdp: nexus3.onap.org:10001/onap/policy-opa-pdp:1.0.2-SNAPSHOT
+log:
+ loglevel: "debug"
+
+permissions:
+ uid: 100
+ gid: 102
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: restserver-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
+ login: '{{ .Values.restServer.user }}'
+ password: '{{ .Values.restServer.password }}'
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application image
+pullPolicy: Always
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+# application configuration
+
+restServer:
+ user: policyadmin
+ password: zb!XztG34
+
+# default number of instances
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+# probe configuration parameters
+liveness:
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+readiness:
+ initialDelaySeconds: 10
+ periodSeconds: 120
+ api: /ready
+ successThreshold: 1
+ failureThreshold: 3
+ timeout: 60
+
+service:
+ type: ClusterIP
+ name: policy-opa-pdp
+ portName: http
+ externalPort: 8282
+ internalPort: 8282
+
+ingress:
+ enabled: false
+
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: 1
+ memory: 4Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+ unlimited: {}
+
+dirSizes:
+ bundleDir:
+ sizeLimit: 1000Mi
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: policy-opa-pdp
+ roles:
+ - read
+kafka:
+ groupid: "policy-opa-pdp"
+ topic: "policy-pdp-pap"
+ useSASL: "false"
+ username: ""
+ password: ""
+ brokers: "kafka.default.svc.cluster.local:9092"
+
diff --git a/helm/policy/values.yaml b/helm/policy/values.yaml
index ecb06e73..49c70394 100644
--- a/helm/policy/values.yaml
+++ b/helm/policy/values.yaml
@@ -34,7 +34,7 @@ global:
 simulator: onap/policy-models-simulator:$tag
 pdpdcl: onap/policy-pdpd-cl:$tag
 xacml: onap/policy-xacml-pdp:$tag
- opa: onap/policy-opa-pdp:1.0.0-SNAPSHOT
+ opa: onap/policy-opa-pdp:1.0.2-SNAPSHOT
 distribution: onap/policy-distribution:$tag
 runtimeacm: onap/policy-clamp-runtime-acm:$tag
 kserveparticipant: onap/policy-clamp-ac-kserve-ppnt:$tag
-- cgit
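Review bot: In the component `values.yaml` hunk, `restServer.password` is written out again as a literal default, and the `restserver-creds` entry reads `{{ .Values.restServer.password }}` directly, so an install that sets neither an override nor `restServer.credsExternalSecret` presumably serves the decision API with a credential anyone can read in this repository. At minimum the key deserves a comment such as `# Default credential is public; override restServer.password or set restServer.credsExternalSecret before deploying`; the stronger fix is to ship no literal and make the chart fail to render when neither source is supplied. Separately, all 117 lines of the file are replaced although only the `opapdp` image tag differs in the visible text, which points to a line-ending or whitespace rewrite (inferred); keeping that out of a functional commit makes changes to credential-bearing files easier to review.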