author | Jorge Hernandez <jh1730@att.com> | 2017-09-21 17:49:29 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2017-09-21 17:49:29 +0000 |
commit | f5431672cc07c00f3d4e0a8a0a28d3edffb7d37e (patch) | |
tree | ffb53c5a396aad9399f007fcb854e6c2993772bf | |
parent | 1c48a72e93e79f270089bdbe5b0b9f733539ab23 (diff) | |
parent | fa9ed5f98a4eed3d82a440b719dd1db184260e94 (diff) |
Merge "Implement restful call to xacml pdp guard"
8 files changed, 122 insertions, 67 deletions
diff --git a/controlloop/common/guard/pom.xml b/controlloop/common/guard/pom.xml index e0283589a..0fe442e43 100644 --- a/controlloop/common/guard/pom.xml +++ b/controlloop/common/guard/pom.xml @@ -48,5 +48,11 @@ <version>2.7.0</version> <scope>provided</scope> </dependency> + <dependency> + <groupId>org.onap.policy.drools-pdp</groupId> + <artifactId>policy-management</artifactId> + <version>1.1.0-SNAPSHOT</version> + <scope>provided</scope> + </dependency> </dependencies> </project> diff --git a/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java b/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java index 6b311bf45..8ea4ec1b3 100644 --- a/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java +++ b/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java @@ -20,22 +20,21 @@ package org.onap.policy.guard; -import com.att.research.xacml.api.DataTypeException; -import com.att.research.xacml.api.pdp.PDPEngine; -import com.att.research.xacml.std.annotations.RequestParser; - import java.util.UUID; import org.drools.core.WorkingMemory; +import org.onap.policy.drools.system.PolicyEngine; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.att.research.xacml.api.DataTypeException; +import com.att.research.xacml.std.annotations.RequestParser; + public class CallGuardTask implements Runnable { private static final Logger logger = LoggerFactory.getLogger(CallGuardTask.class); WorkingMemory workingMemory; - PDPEngine embeddedPdpEngine; String restfulPdpUrl; String clname; String actor; 
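Review bot: The new policy-management dependency is pinned to `<version>1.1.0-SNAPSHOT</version>` instead of `${project.version}`, which the sibling entry in the template.demo pom hunk of this same commit uses for in-tree artifacts; a SNAPSHOT coordinate resolves to whatever the repository holds at build time, so the guard module's build is not reproducible and silently absorbs unreviewed changes to policy-management. The same literal pin appears in the template.demo/pom.xml hunk. If the module really must track a different line than the reactor, manage the version as a property in the parent pom rather than in two places.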
@@ -43,10 +42,9 @@ public class CallGuardTask implements Runnable { String target; String requestId; - public CallGuardTask(PDPEngine engine, String url, WorkingMemory wm, String cl, String act, String rec, String tar, String reqId) { + public CallGuardTask(String guardUrl, WorkingMemory wm, String cl, String act, String rec, String tar, String reqId) { - embeddedPdpEngine = engine; - restfulPdpUrl = url; + restfulPdpUrl = guardUrl; workingMemory = wm; clname = cl; actor = act; @@ -71,13 +69,30 @@ public class CallGuardTask implements Runnable { logger.debug("{}", request); logger.debug("********** XACML REQUEST END ********\n"); - com.att.research.xacml.api.Response xacmlResponse = PolicyGuardXacmlHelper.callPDP(embeddedPdpEngine, "", request, false); + String guardUrl = PolicyEngine.manager.getEnvironmentProperty("guard.url"); + String guardDecision = null; + // + // Check if guard url property exists + // + if(guardUrl != null){ + guardDecision = PolicyGuardXacmlHelper.callPDP(guardUrl, xacmlReq); + } + logger.debug("\n********** XACML RESPONSE START ********"); - logger.debug("{}", xacmlResponse); + logger.debug("{}", guardDecision); logger.debug("********** XACML RESPONSE END ********\n"); - - PolicyGuardResponse guardResponse = PolicyGuardXacmlHelper.ParseXacmlPdpResponse(xacmlResponse); + + // + // Check if the restful call was unsuccessful or property doesn't exist + // + if(guardDecision == null){ + logger.error("********** XACML FAILED TO CONNECT ********"); + guardDecision = "Indeterminate"; + } + + PolicyGuardResponse guardResponse = new PolicyGuardResponse(guardDecision, UUID.fromString(this.requestId), this.recipe); + // //Create an artificial Guard response in case we didn't get a clear Permit or Deny diff --git a/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java b/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java index 5ecb44162..72c498d0e 100644 
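Review bot: The constructor now stores its `guardUrl` parameter in `restfulPdpUrl`, but the `run()` hunk in this same file re-reads `PolicyEngine.manager.getEnvironmentProperty("guard.url")` into a local and passes that to `callPDP`, so the value a caller supplies is never used (the template.demo .drl still passes `""`). Either drop the parameter or make `run()` use the field, `guardDecision = PolicyGuardXacmlHelper.callPDP(restfulPdpUrl, xacmlReq);` with the null check applied to the field. The constructor body continues past the end of this hunk.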
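Review bot: A null result from `callPDP` is mapped to `guardDecision = "Indeterminate"`, and the `GUARD.RESPONSE` rules in both .drl templates of this commit rewrite `"Indeterminate"` to `"Permit"` ("we will permit the operation if there was no Guard for it"), so a network error, a non-JSON or non-200 reply and an unset `guard.url` all end with the operation being approved. Treating a configured-but-unreachable guard the same as "no guard configured" is a fail-open choice; if that is intended, say so here, e.g. `// No guard.url, or the PDP could not be reached: report Indeterminate, which the rules currently treat as Permit`, and if not, the unreachable case should produce `"Deny"` (or a distinct value the rules can check) rather than share the no-guard path. The `"XACML FAILED TO CONNECT"` error is also logged when the property is merely absent, so the two cases cannot be told apart in the log. The enclosing `run()` starts before this hunk and continues after it.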
--- a/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java +++ b/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java @@ -20,8 +20,10 @@ package org.onap.policy.guard; +import java.io.BufferedReader; import java.io.ByteArrayInputStream; import java.io.InputStream; +import java.io.InputStreamReader; import java.io.OutputStream; import java.net.HttpURLConnection; import java.net.URL; @@ -30,6 +32,7 @@ import java.util.UUID; import org.apache.commons.io.IOUtils; import org.apache.http.entity.ContentType; +import org.json.JSONObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -37,45 +40,40 @@ import com.att.research.xacml.api.Attribute; import com.att.research.xacml.api.AttributeCategory; import com.att.research.xacml.api.AttributeValue; import com.att.research.xacml.api.Result; -import com.att.research.xacml.api.pdp.PDPEngine; -import com.att.research.xacml.api.pdp.PDPException; -import com.att.research.xacml.std.dom.DOMResponse; -import com.att.research.xacml.std.json.JSONRequest; -import com.att.research.xacml.std.json.JSONResponse; public class PolicyGuardXacmlHelper { private static final Logger logger = LoggerFactory.getLogger(PolicyGuardXacmlHelper.class); - public static com.att.research.xacml.api.Response callPDP(PDPEngine xacmlEmbeddedPdpEngine, String restfulPdpUrl, com.att.research.xacml.api.Request request, boolean isREST) { + public static String callPDP(String restfulPdpUrl, PolicyGuardXacmlRequestAttributes xacmlReq) { // // Send it to the PDP // - com.att.research.xacml.api.Response response = null; - if (isREST) { - try { - String jsonString = JSONRequest.toString((com.att.research.xacml.api.Request) request, false); - // - // Call RESTful PDP - // - response = (com.att.research.xacml.api.Response) callRESTfulPDP(new ByteArrayInputStream(jsonString.getBytes()), new URL(restfulPdpUrl/*"https://localhost:8443/pdp/"*/)); - } catch (Exception e) { - logger.error("Error in sending RESTful request: ", e); - } - } else if(xacmlEmbeddedPdpEngine != null){ +// com.att.research.xacml.api.Response response = null; + String response = null; + + JSONObject attributes = new JSONObject(); + attributes.put("actor", xacmlReq.getActor_id()); + attributes.put("recipe", xacmlReq.getOperation_id()); + attributes.put("target", xacmlReq.getTarget_id()); + if (xacmlReq.getClname_id() != null){ + attributes.put("clname", xacmlReq.getClname_id()); + } + JSONObject jsonReq = new JSONObject(); + jsonReq.put("decisionAttributes", attributes); + jsonReq.put("onapName", "PDPD"); + + try { // - // Embedded call to PDP + // Call RESTful PDP // - 
long lTimeStart = System.currentTimeMillis(); - try { - response = (com.att.research.xacml.api.Response) xacmlEmbeddedPdpEngine.decide((com.att.research.xacml.api.Request) request); - } catch (PDPException e) { - logger.error(e.getMessage(), e); - } - long lTimeEnd = System.currentTimeMillis(); - logger.debug("Elapsed Time: {} ms", (lTimeEnd - lTimeStart)); + response = callRESTfulPDP(new ByteArrayInputStream(jsonReq.toString().getBytes()), new URL(restfulPdpUrl/*"https://localhost:8443/pdp/"*/)); + } catch (Exception e) { + logger.error("Error in sending RESTful request: ", e); } + + return response; } @@ -84,10 +82,12 @@ public class PolicyGuardXacmlHelper { * This makes an HTTP POST call to a running PDP RESTful servlet to get a decision. * * @param file - * @return + * @return response from guard which contains "Permit" or "Deny" */ - private static com.att.research.xacml.api.Response callRESTfulPDP(InputStream is, URL restURL) { - com.att.research.xacml.api.Response response = null; + private static String callRESTfulPDP(InputStream is, URL restURL) { +// com.att.research.xacml.api.Response response = null; + String response = null; + String rawDecision = null; HttpURLConnection connection = null; try { 
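Review bot: `jsonReq.toString().getBytes()` encodes the request with the platform default charset, and the sibling `callRESTfulPDP` decodes the reply with `new String(buf)` the same way; both should name the charset, `jsonReq.toString().getBytes(StandardCharsets.UTF_8)` (adds `import java.nio.charset.StandardCharsets;`). The commented-out `// com.att.research.xacml.api.Response response = null;` line and the stale `/*"https://localhost:8443/pdp/"*/` inline comment should be deleted rather than carried into the rewrite. Note also that `catch (Exception e)` here returns null for any failure, including a malformed reply from the guard, which CallGuardTask then logs as "FAILED TO CONNECT"; the log message here is the only place the real cause survives, so keep the exception attached as it is.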
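Review bot: The updated Javadoc still lists `@param file`, which is not a parameter of `callRESTfulPDP(InputStream is, URL restURL)`; replace it with `@param is the JSON request body to POST` and `@param restURL the guard PDP endpoint`. The `@return` line should describe what the method now returns, the raw `decision` string extracted from the JSON reply, rather than "Permit" or "Deny", since the body (which continues past this hunk) passes through whatever the PDP sent. The commented-out `// com.att.research.xacml.api.Response response = null;` line should be removed.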
@@ -130,28 +130,59 @@ public class PolicyGuardXacmlHelper { contentType = ContentType.parse(connection.getContentType()); if (contentType.getMimeType().equalsIgnoreCase(ContentType.APPLICATION_JSON.getMimeType())) { - response = (com.att.research.xacml.api.Response) JSONResponse.load(connection.getInputStream()); - } else if (contentType.getMimeType().equalsIgnoreCase(ContentType.APPLICATION_XML.getMimeType()) || - contentType.getMimeType().equalsIgnoreCase("application/xacml+xml") ) { - response = (com.att.research.xacml.api.Response) DOMResponse.load(connection.getInputStream()); + InputStream iStream = connection.getInputStream(); + int contentLength = connection.getContentLength(); + + // if content length is -1, respose is chunked, and + // TCP connection will be dropped at the end + byte[] buf = + new byte[contentLength < 0 ? 1024 : contentLength]; + int offset = 0; + for ( ; ; ) + { + if (offset == contentLength) + { + // all expected bytes have been read + response = new String(buf); + break; + } + int size = iStream.read(buf, offset, + buf.length - offset); + if (size < 0) + { + if (contentLength > 0) + { + logger.error("partial input stream"); + } + else + { + // chunked response -- + // dropped connection is expected + response = new String(buf, 0, offset); + } + break; + } + offset += size; + } } else { - logger.error("{}: unknown content-type: ", contentType); + logger.error("unknown content-type: " + contentType); } } catch (Exception e) { - String message = "Parsing Content-Type: " + connection.getContentType() + ", error=" + e.getMessage(); - logger.error("{}: callRESTfulPDP threw: ", message, e); + String message = "Parsing Content-Type: " + connection.getContentType(); + logger.error(message, e); } } else { - logger.error("unknown content-type: {} {}", connection.getResponseCode(), connection.getResponseMessage() ); + logger.error(connection.getResponseCode() + " " + connection.getResponseMessage()); } } catch (Exception e) { - - 
logger.error("callRESTfulPDP threw: ", e); + logger.error("Exception in 'PolicyGuardXacmlHelper.callRESTfulPDP'", e); } + + rawDecision = new JSONObject(response).getString("decision"); - return response; + return rawDecision; } @@ -191,9 +222,6 @@ public class PolicyGuardXacmlHelper { } - - - return new PolicyGuardResponse(decision_from_xacml_response, req_id_from_xacml_response, operation_from_xacml_response); } diff --git a/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl b/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl index 5e90f052d..a2939a0bf 100644 --- a/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl +++ b/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl @@ -627,7 +627,6 @@ rule "${policyName}.EVENT.MANAGER.OPERATION.LOCKED.GUARD_NOT_YET_QUERIED" if(guardEnabled){ Thread t = new Thread(new org.onap.policy.guard.CallGuardTask( - null, PolicyEngine.manager.getEnvironmentProperty("guard.url"), drools.getWorkingMemory(), $event.closedLoopControlName, @@ -667,7 +666,7 @@ rule "${policyName}.GUARD.RESPONSE" //we will permit the operation if there was no Guard for it - if($guardResponse.result == "Indeterminate"){ + if("Indeterminate".equals($guardResponse.result)){ $guardResponse.result = "Permit"; } @@ -685,7 +684,7 @@ rule "${policyName}.GUARD.RESPONSE" PolicyEngine.manager.deliver("POLICY-CL-MGT", notification); - if($guardResponse.result == "Permit"){ + if("Permit".equals($guardResponse.result)){ modify($operation){setGuardApprovalStatus($guardResponse.result)}; } diff --git a/controlloop/templates/template.demo/pom.xml b/controlloop/templates/template.demo/pom.xml index d3d3ef0ab..69c2da80e 100644 
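Review bot: The hand-written read loop hangs on any chunked reply of 1024 bytes or more: with `contentLength == -1` the buffer is fixed at 1024, `offset == contentLength` can never be true, and once `offset == buf.length` the call `iStream.read(buf, offset, 0)` returns 0 by the InputStream contract rather than -1, so `offset` stops advancing and the loop never exits, which pins the CallGuardTask thread for good on input that comes from the remote PDP. Separately, `rawDecision = new JSONObject(response).getString("decision");` sits outside every try, so on a non-200 status, an unknown content type, a "partial input stream" or an I/O exception `response` is still null and the constructor throws instead of the method returning null (the caller's `catch (Exception e)` in `callPDP` then masks the real cause). `new String(buf)` also uses the platform default charset, and the logging has regressed from parameterized `{}` calls to string concatenation. Since `org.apache.commons.io.IOUtils` is already imported, the loop can be replaced by a single call (the `Charset` overload needs commons-io 2.3 or later, and `StandardCharsets` needs an import); `callRESTfulPDP` begins before this hunk.

```java
if (contentType.getMimeType().equalsIgnoreCase(ContentType.APPLICATION_JSON.getMimeType())) {
    // IOUtils reads fixed-length and chunked bodies alike; naming the charset
    // avoids the platform default that new String(byte[]) would use
    try (InputStream iStream = connection.getInputStream()) {
        response = IOUtils.toString(iStream, StandardCharsets.UTF_8);
    }
} else {
    logger.error("unknown content-type: {}", contentType);
}
// … unchanged: Content-Type catch, non-200 branch, outer catch …
if (response != null) {
    rawDecision = new JSONObject(response).getString("decision");
}
return rawDecision;
```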
--- a/controlloop/templates/template.demo/pom.xml +++ b/controlloop/templates/template.demo/pom.xml @@ -203,5 +203,11 @@ <version>${project.version}</version> <scope>test</scope> </dependency> + <dependency> + <groupId>org.onap.policy.drools-pdp</groupId> + <artifactId>policy-management</artifactId> + <version>1.1.0-SNAPSHOT</version> + <scope>provided</scope> + </dependency> </dependencies> </project> diff --git a/controlloop/templates/template.demo/src/main/resources/ControlLoop_Template_xacml_guard.drl b/controlloop/templates/template.demo/src/main/resources/ControlLoop_Template_xacml_guard.drl index 82899f08b..ff184b385 100644 --- a/controlloop/templates/template.demo/src/main/resources/ControlLoop_Template_xacml_guard.drl +++ b/controlloop/templates/template.demo/src/main/resources/ControlLoop_Template_xacml_guard.drl @@ -589,7 +589,6 @@ rule "${policyName}.EVENT.MANAGER.OPERATION.LOCKED.GUARD_NOT_YET_QUERIED" if(guardEnabled){ Thread t = new Thread(new org.onap.policy.guard.CallGuardTask( - XacmlPdpEngine, "", drools.getWorkingMemory(), $event.closedLoopControlName, @@ -636,7 +635,7 @@ rule "${policyName}.GUARD.RESPONSE" //we will permit the operation if there was no Guard for it - if($guardResponse.result == "Indeterminate"){ + if("Indeterminate".equals($guardResponse.result)){ $guardResponse.result = "Permit"; } @@ -655,7 +654,7 @@ rule "${policyName}.GUARD.RESPONSE" - if($guardResponse.result == "Permit"){ + if("Permit".equals($guardResponse.result)){ modify($operation){setGuardApprovalStatus($guardResponse.result)}; } diff --git a/controlloop/templates/template.demo/src/test/java/org/onap/policy/template/demo/ControlLoopXacmlGuardTest.java b/controlloop/templates/template.demo/src/test/java/org/onap/policy/template/demo/ControlLoopXacmlGuardTest.java index 64ad490b2..5fe2f6222 100644 --- a/controlloop/templates/template.demo/src/test/java/org/onap/policy/template/demo/ControlLoopXacmlGuardTest.java 
+++ b/controlloop/templates/template.demo/src/test/java/org/onap/policy/template/demo/ControlLoopXacmlGuardTest.java @@ -47,6 +47,7 @@ import org.onap.policy.controlloop.VirtualControlLoopEvent; import org.onap.policy.controlloop.VirtualControlLoopNotification; import org.onap.policy.controlloop.policy.ControlLoopPolicy; import org.onap.policy.controlloop.policy.TargetType; +import org.onap.policy.drools.system.PolicyEngine; import org.onap.policy.drools.http.server.HttpServletServer; import org.onap.policy.drools.impl.PolicyEngineJUnitImpl; import org.onap.policy.guard.PolicyGuard; @@ -75,6 +76,7 @@ public class ControlLoopXacmlGuardTest { @BeforeClass public static void setPUProp(){ System.setProperty(OPSHISTPUPROP, "TestOperationsHistoryPU"); + PolicyEngine.manager.setEnvironmentProperty("guard.url", "http://127.0.0.1:8443/pdp"); } @AfterClass public static void restorePUProp(){ @@ -171,7 +173,7 @@ public class ControlLoopXacmlGuardTest { assertTrue(obj instanceof VirtualControlLoopNotification); assertTrue(((VirtualControlLoopNotification)obj).notification.equals(ControlLoopNotificationType.OPERATION)); - Thread.sleep(4000); + Thread.sleep(2*4000); // "Response from Guard" notification obj = engine.subscribe("UEB", "POLICY-CL-MGT"); assertNotNull(obj); @@ -210,7 +212,7 @@ public class ControlLoopXacmlGuardTest { assertTrue(obj instanceof VirtualControlLoopNotification); assertTrue(((VirtualControlLoopNotification)obj).notification.equals(ControlLoopNotificationType.OPERATION)); - Thread.sleep(4000); + Thread.sleep(2*4000); // "Response from Guard" notification obj = engine.subscribe("UEB", "POLICY-CL-MGT"); @@ -238,7 +240,7 @@ public class ControlLoopXacmlGuardTest { assertTrue(obj instanceof VirtualControlLoopNotification); assertTrue(((VirtualControlLoopNotification)obj).notification.equals(ControlLoopNotificationType.OPERATION)); - Thread.sleep(1000); + Thread.sleep(2*1000); obj = engine.subscribe("UEB", "APPC-CL"); assertNotNull(obj); 
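Review bot: `setPUProp` now points `guard.url` at `http://127.0.0.1:8443/pdp`, but nothing in this diff starts a guard PDP on that port; if the test does not start one elsewhere (an `HttpServletServer` import is present, so it may), the guard call fails, CallGuardTask substitutes `"Indeterminate"`, and the rules turn that into `"Permit"`, so the test passes through the fail-open branch rather than a real decision. Worth stating in a comment which branch the test is meant to exercise, e.g. `// no PDP listens here: exercises the unreachable-guard path`, or stubbing a reply so a genuine Permit/Deny is asserted.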
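Review bot: Doubling the fixed `Thread.sleep` waits (here and in the sibling hunks at @@ -210, @@ -238 and @@ -277) makes the test slower without making it deterministic; the waits exist to let the guard thread finish, and the right bound depends on the machine and on the HTTP connect timeout. Prefer polling `engine.subscribe("UEB", "POLICY-CL-MGT")` in a short loop with a deadline and failing only when the deadline passes, so the test waits just as long as it must.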
@@ -277,7 +279,7 @@ public class ControlLoopXacmlGuardTest { // // now wait for it to finish // - Thread.sleep(15000); + Thread.sleep(2*15000); // // Ensure they released the lock // diff --git a/controlloop/templates/template.demo/src/test/resources/META-INF/persistence.xml b/controlloop/templates/template.demo/src/test/resources/META-INF/persistence.xml index c3740d0b2..820874105 100644 --- a/controlloop/templates/template.demo/src/test/resources/META-INF/persistence.xml +++ b/controlloop/templates/template.demo/src/test/resources/META-INF/persistence.xml @@ -14,7 +14,7 @@ <property name="javax.persistence.jdbc.url" value="jdbc:h2:mem:test" />
<property name="javax.persistence.jdbc.user" value="sa" />
<property name="javax.persistence.jdbc.password" value="" />
- <property name="eclipselink.logging.level" value="ALL" />
+ <property name="eclipselink.logging.level" value="CONFIG" />
</properties>
</persistence-unit>