authorTemoc Rodriguez <cr056n@att.com>2017-09-19 11:13:34 -0700
committerAli Hockla <ah999m@att.com>2017-09-21 14:59:48 +0000
commitfa9ed5f98a4eed3d82a440b719dd1db184260e94 (patch)
tree1a1af474d20f08a1798b66eecb0cf5aad65fcf15
parent2313dd4767975e7d814e52613afab8054b84208c (diff)
Implement restful call to xacml pdp guard
Removed the embedded guard decision and replaced it with a RESTful call to the XACML PDP to restore guard functionality. Set the guard URL with PolicyEngine env properties. Modified templates accordingly. Issue-Id: POLICY-260 Change-Id: Ic1558a6ebdd5f6d1b74a748f69433f6213dbf984 Signed-off-by: Temoc Rodriguez <cr056n@att.com> Signed-off-by: Hockla, Ali (ah999m) <ah999m@att.com>
-rw-r--r--controlloop/common/guard/pom.xml6
-rw-r--r--controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java39
-rw-r--r--controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java116
-rw-r--r--controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl5
-rw-r--r--controlloop/templates/template.demo/pom.xml6
-rw-r--r--controlloop/templates/template.demo/src/main/resources/ControlLoop_Template_xacml_guard.drl5
-rw-r--r--controlloop/templates/template.demo/src/test/java/org/onap/policy/template/demo/ControlLoopXacmlGuardTest.java10
-rw-r--r--controlloop/templates/template.demo/src/test/resources/META-INF/persistence.xml2
8 files changed, 122 insertions, 67 deletions
diff --git a/controlloop/common/guard/pom.xml b/controlloop/common/guard/pom.xml
index e0283589a..0fe442e43 100644
--- a/controlloop/common/guard/pom.xml
+++ b/controlloop/common/guard/pom.xml
@@ -48,5 +48,11 @@
<version>2.7.0</version>
<scope>provided</scope>
</dependency>
+ <dependency>
+ <groupId>org.onap.policy.drools-pdp</groupId>
+ <artifactId>policy-management</artifactId>
+ <version>1.1.0-SNAPSHOT</version>
+ <scope>provided</scope>
+ </dependency>
</dependencies>
</project>
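Review bot: The new dependency pins `<version>1.1.0-SNAPSHOT</version>`, a floating snapshot that resolves to whatever was most recently published, so the build is not reproducible and the resolved artifact cannot be tied to a reviewed release; the same pin appears in the controlloop/templates/template.demo/pom.xml hunk below. The neighbouring dependency in that file uses `${project.version}`, so the convention here is to manage versions in one place; prefer a property defined in the parent pom (e.g. `<version>${policy.drools-pdp.version}</version>` with the property declared once) over a literal snapshot in two files.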
diff --git a/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java b/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java
index 6b311bf45..8ea4ec1b3 100644
--- a/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java
+++ b/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java
@@ -20,22 +20,21 @@
package org.onap.policy.guard;
-import com.att.research.xacml.api.DataTypeException;
-import com.att.research.xacml.api.pdp.PDPEngine;
-import com.att.research.xacml.std.annotations.RequestParser;
-
import java.util.UUID;
import org.drools.core.WorkingMemory;
+import org.onap.policy.drools.system.PolicyEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.att.research.xacml.api.DataTypeException;
+import com.att.research.xacml.std.annotations.RequestParser;
+
public class CallGuardTask implements Runnable {
private static final Logger logger = LoggerFactory.getLogger(CallGuardTask.class);
WorkingMemory workingMemory;
- PDPEngine embeddedPdpEngine;
String restfulPdpUrl;
String clname;
String actor;
@@ -43,10 +42,9 @@ public class CallGuardTask implements Runnable {
String target;
String requestId;
- public CallGuardTask(PDPEngine engine, String url, WorkingMemory wm, String cl, String act, String rec, String tar, String reqId) {
+ public CallGuardTask(String guardUrl, WorkingMemory wm, String cl, String act, String rec, String tar, String reqId) {
- embeddedPdpEngine = engine;
- restfulPdpUrl = url;
+ restfulPdpUrl = guardUrl;
workingMemory = wm;
clname = cl;
actor = act;
@@ -71,13 +69,30 @@ public class CallGuardTask implements Runnable {
logger.debug("{}", request);
logger.debug("********** XACML REQUEST END ********\n");
- com.att.research.xacml.api.Response xacmlResponse = PolicyGuardXacmlHelper.callPDP(embeddedPdpEngine, "", request, false);
+ String guardUrl = PolicyEngine.manager.getEnvironmentProperty("guard.url");
+ String guardDecision = null;
+ //
+ // Check if guard url property exists
+ //
+ if(guardUrl != null){
+ guardDecision = PolicyGuardXacmlHelper.callPDP(guardUrl, xacmlReq);
+ }
+
logger.debug("\n********** XACML RESPONSE START ********");
- logger.debug("{}", xacmlResponse);
+ logger.debug("{}", guardDecision);
logger.debug("********** XACML RESPONSE END ********\n");
-
- PolicyGuardResponse guardResponse = PolicyGuardXacmlHelper.ParseXacmlPdpResponse(xacmlResponse);
+
+ //
+ // Check if the restful call was unsuccessful or property doesn't exist
+ //
+ if(guardDecision == null){
+ logger.error("********** XACML FAILED TO CONNECT ********");
+ guardDecision = "Indeterminate";
+ }
+
+ PolicyGuardResponse guardResponse = new PolicyGuardResponse(guardDecision, UUID.fromString(this.requestId), this.recipe);
+
//
//Create an artificial Guard response in case we didn't get a clear Permit or Deny
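Review bot: A guard PDP that is configured but unreachable is indistinguishable from one that is not configured: both leave `guardDecision` null and are mapped to `"Indeterminate"` at `guardDecision = "Indeterminate";`, and the GUARD.RESPONSE rules in both .drl files in this commit rewrite `Indeterminate` to `Permit`, so a connection failure, a non-200 status or a non-JSON reply from the PDP ends up permitting the operation (fail open). Consider reserving the "no guard" value for the unconfigured case only, e.g. `guardDecision = (guardUrl == null) ? "Indeterminate" : "Deny";` with the error still logged, so the templates' shortcut applies only when no guard was asked for. Separately, the constructor stores its `guardUrl` argument in `restfulPdpUrl` but `run()` ignores that field and reads `PolicyEngine.manager.getEnvironmentProperty("guard.url")` directly, so the archetype's constructor argument and the demo template's `""` are both dead; either drop the parameter or use `String guardUrl = this.restfulPdpUrl;` with the environment property as the fallback when it is null or empty. `xacmlReq` is used here but defined outside the hunk, and run() continues past the end of the hunk.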
diff --git a/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java b/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java
index 5ecb44162..72c498d0e 100644
--- a/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java
+++ b/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java
@@ -20,8 +20,10 @@
package org.onap.policy.guard;
+import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
+import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
@@ -30,6 +32,7 @@ import java.util.UUID;
import org.apache.commons.io.IOUtils;
import org.apache.http.entity.ContentType;
+import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -37,45 +40,40 @@ import com.att.research.xacml.api.Attribute;
import com.att.research.xacml.api.AttributeCategory;
import com.att.research.xacml.api.AttributeValue;
import com.att.research.xacml.api.Result;
-import com.att.research.xacml.api.pdp.PDPEngine;
-import com.att.research.xacml.api.pdp.PDPException;
-import com.att.research.xacml.std.dom.DOMResponse;
-import com.att.research.xacml.std.json.JSONRequest;
-import com.att.research.xacml.std.json.JSONResponse;
public class PolicyGuardXacmlHelper {
private static final Logger logger = LoggerFactory.getLogger(PolicyGuardXacmlHelper.class);
- public static com.att.research.xacml.api.Response callPDP(PDPEngine xacmlEmbeddedPdpEngine, String restfulPdpUrl, com.att.research.xacml.api.Request request, boolean isREST) {
+ public static String callPDP(String restfulPdpUrl, PolicyGuardXacmlRequestAttributes xacmlReq) {
//
// Send it to the PDP
//
- com.att.research.xacml.api.Response response = null;
- if (isREST) {
- try {
- String jsonString = JSONRequest.toString((com.att.research.xacml.api.Request) request, false);
- //
- // Call RESTful PDP
- //
- response = (com.att.research.xacml.api.Response) callRESTfulPDP(new ByteArrayInputStream(jsonString.getBytes()), new URL(restfulPdpUrl/*"https://localhost:8443/pdp/"*/));
- } catch (Exception e) {
- logger.error("Error in sending RESTful request: ", e);
- }
- } else if(xacmlEmbeddedPdpEngine != null){
+// com.att.research.xacml.api.Response response = null;
+ String response = null;
+
+ JSONObject attributes = new JSONObject();
+ attributes.put("actor", xacmlReq.getActor_id());
+ attributes.put("recipe", xacmlReq.getOperation_id());
+ attributes.put("target", xacmlReq.getTarget_id());
+ if (xacmlReq.getClname_id() != null){
+ attributes.put("clname", xacmlReq.getClname_id());
+ }
+ JSONObject jsonReq = new JSONObject();
+ jsonReq.put("decisionAttributes", attributes);
+ jsonReq.put("onapName", "PDPD");
+
+ try {
//
- // Embedded call to PDP
+ // Call RESTful PDP
//
- long lTimeStart = System.currentTimeMillis();
- try {
- response = (com.att.research.xacml.api.Response) xacmlEmbeddedPdpEngine.decide((com.att.research.xacml.api.Request) request);
- } catch (PDPException e) {
- logger.error(e.getMessage(), e);
- }
- long lTimeEnd = System.currentTimeMillis();
- logger.debug("Elapsed Time: {} ms", (lTimeEnd - lTimeStart));
+ response = callRESTfulPDP(new ByteArrayInputStream(jsonReq.toString().getBytes()), new URL(restfulPdpUrl/*"https://localhost:8443/pdp/"*/));
+ } catch (Exception e) {
+ logger.error("Error in sending RESTful request: ", e);
}
+
+
return response;
}
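Review bot: `jsonReq.toString().getBytes()` encodes the JSON body with the platform default charset; use `getBytes(StandardCharsets.UTF_8)` (the matching `new String(buf)` in the callRESTfulPDP hunk below has the same problem). The commented-out `// com.att.research.xacml.api.Response response = null;` line here and its twin in the next hunk are dead code left over from the embedded-PDP path and should be deleted rather than kept as comments. The `onapName` value `"PDPD"` is a bare literal inside the request builder; a `private static final String` constant would make it visible and testable. callPDP returns null on every failure and that is documented nowhere; a one-line Javadoc `@return the PDP's decision string, or {@code null} if the PDP could not be reached or returned no decision` would make the null handling in CallGuardTask explicit.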
@@ -84,10 +82,12 @@ public class PolicyGuardXacmlHelper {
* This makes an HTTP POST call to a running PDP RESTful servlet to get a decision.
*
* @param file
- * @return
+ * @return response from guard which contains "Permit" or "Deny"
*/
- private static com.att.research.xacml.api.Response callRESTfulPDP(InputStream is, URL restURL) {
- com.att.research.xacml.api.Response response = null;
+ private static String callRESTfulPDP(InputStream is, URL restURL) {
+// com.att.research.xacml.api.Response response = null;
+ String response = null;
+ String rawDecision = null;
HttpURLConnection connection = null;
try {
@@ -130,28 +130,59 @@ public class PolicyGuardXacmlHelper {
contentType = ContentType.parse(connection.getContentType());
if (contentType.getMimeType().equalsIgnoreCase(ContentType.APPLICATION_JSON.getMimeType())) {
- response = (com.att.research.xacml.api.Response) JSONResponse.load(connection.getInputStream());
- } else if (contentType.getMimeType().equalsIgnoreCase(ContentType.APPLICATION_XML.getMimeType()) ||
- contentType.getMimeType().equalsIgnoreCase("application/xacml+xml") ) {
- response = (com.att.research.xacml.api.Response) DOMResponse.load(connection.getInputStream());
+ InputStream iStream = connection.getInputStream();
+ int contentLength = connection.getContentLength();
+
+ // if content length is -1, respose is chunked, and
+ // TCP connection will be dropped at the end
+ byte[] buf =
+ new byte[contentLength < 0 ? 1024 : contentLength];
+ int offset = 0;
+ for ( ; ; )
+ {
+ if (offset == contentLength)
+ {
+ // all expected bytes have been read
+ response = new String(buf);
+ break;
+ }
+ int size = iStream.read(buf, offset,
+ buf.length - offset);
+ if (size < 0)
+ {
+ if (contentLength > 0)
+ {
+ logger.error("partial input stream");
+ }
+ else
+ {
+ // chunked response --
+ // dropped connection is expected
+ response = new String(buf, 0, offset);
+ }
+ break;
+ }
+ offset += size;
+ }
} else {
- logger.error("{}: unknown content-type: ", contentType);
+ logger.error("unknown content-type: " + contentType);
}
} catch (Exception e) {
- String message = "Parsing Content-Type: " + connection.getContentType() + ", error=" + e.getMessage();
- logger.error("{}: callRESTfulPDP threw: ", message, e);
+ String message = "Parsing Content-Type: " + connection.getContentType();
+ logger.error(message, e);
}
} else {
- logger.error("unknown content-type: {} {}", connection.getResponseCode(), connection.getResponseMessage() );
+ logger.error(connection.getResponseCode() + " " + connection.getResponseMessage());
}
} catch (Exception e) {
-
- logger.error("callRESTfulPDP threw: ", e);
+ logger.error("Exception in 'PolicyGuardXacmlHelper.callRESTfulPDP'", e);
}
+
+ rawDecision = new JSONObject(response).getString("decision");
- return response;
+ return rawDecision;
}
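Review bot: The read loop spins forever when a chunked reply (`contentLength == -1`) is larger than the 1024-byte buffer: once `offset` reaches `buf.length`, `iStream.read(buf, offset, 0)` returns 0, `size < 0` is never true and `offset` stops advancing, so a large or slow-drip PDP body hangs the guard thread. The loop also never closes `iStream`, and `new String(buf)` decodes with the platform charset. Since commons-io is already imported, reading to end-of-stream with an explicit charset (needs `java.nio.charset.StandardCharsets`) replaces the whole loop and handles both fixed-length and chunked bodies. `new JSONObject(response).getString("decision")` on the last lines runs outside the try with `response` possibly null, so every failure path (non-JSON content type, non-200 status, I/O error) throws from here and is only caught by callPDP's catch, which logs it as a send error; guard the parse. Nothing in the hunk shows `connection.disconnect()`, so if the surrounding method has no finally the connection is leaked on the error paths.
```java
if (contentType.getMimeType().equalsIgnoreCase(ContentType.APPLICATION_JSON.getMimeType())) {
    // Read to end-of-stream: correct for both Content-Length and chunked
    // replies, and cannot spin when the body exceeds a fixed buffer.
    try (InputStream iStream = connection.getInputStream()) {
        response = IOUtils.toString(iStream, StandardCharsets.UTF_8);
    }
} else {
// … unchanged: content-type / status / exception logging …
// Parse only when a body was actually received; a missing "decision"
// key yields null instead of a JSONException.
if (response != null) {
    rawDecision = new JSONObject(response).optString("decision", null);
}
return rawDecision;
```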
@@ -191,9 +222,6 @@ public class PolicyGuardXacmlHelper {
}
-
-
-
return new PolicyGuardResponse(decision_from_xacml_response, req_id_from_xacml_response, operation_from_xacml_response);
}
diff --git a/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl b/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl
index 5e90f052d..a2939a0bf 100644
--- a/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl
+++ b/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl
@@ -627,7 +627,6 @@ rule "${policyName}.EVENT.MANAGER.OPERATION.LOCKED.GUARD_NOT_YET_QUERIED"
if(guardEnabled){
Thread t = new Thread(new org.onap.policy.guard.CallGuardTask(
- null,
PolicyEngine.manager.getEnvironmentProperty("guard.url"),
drools.getWorkingMemory(),
$event.closedLoopControlName,
@@ -667,7 +666,7 @@ rule "${policyName}.GUARD.RESPONSE"
//we will permit the operation if there was no Guard for it
- if($guardResponse.result == "Indeterminate"){
+ if("Indeterminate".equals($guardResponse.result)){
$guardResponse.result = "Permit";
}
@@ -685,7 +684,7 @@ rule "${policyName}.GUARD.RESPONSE"
PolicyEngine.manager.deliver("POLICY-CL-MGT", notification);
- if($guardResponse.result == "Permit"){
+ if("Permit".equals($guardResponse.result)){
modify($operation){setGuardApprovalStatus($guardResponse.result)};
}
diff --git a/controlloop/templates/template.demo/pom.xml b/controlloop/templates/template.demo/pom.xml
index d3d3ef0ab..69c2da80e 100644
--- a/controlloop/templates/template.demo/pom.xml
+++ b/controlloop/templates/template.demo/pom.xml
@@ -203,5 +203,11 @@
<version>${project.version}</version>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.onap.policy.drools-pdp</groupId>
+ <artifactId>policy-management</artifactId>
+ <version>1.1.0-SNAPSHOT</version>
+ <scope>provided</scope>
+ </dependency>
</dependencies>
</project>
diff --git a/controlloop/templates/template.demo/src/main/resources/ControlLoop_Template_xacml_guard.drl b/controlloop/templates/template.demo/src/main/resources/ControlLoop_Template_xacml_guard.drl
index 82899f08b..ff184b385 100644
--- a/controlloop/templates/template.demo/src/main/resources/ControlLoop_Template_xacml_guard.drl
+++ b/controlloop/templates/template.demo/src/main/resources/ControlLoop_Template_xacml_guard.drl
@@ -589,7 +589,6 @@ rule "${policyName}.EVENT.MANAGER.OPERATION.LOCKED.GUARD_NOT_YET_QUERIED"
if(guardEnabled){
Thread t = new Thread(new org.onap.policy.guard.CallGuardTask(
- XacmlPdpEngine,
"",
drools.getWorkingMemory(),
$event.closedLoopControlName,
@@ -636,7 +635,7 @@ rule "${policyName}.GUARD.RESPONSE"
//we will permit the operation if there was no Guard for it
- if($guardResponse.result == "Indeterminate"){
+ if("Indeterminate".equals($guardResponse.result)){
$guardResponse.result = "Permit";
}
@@ -655,7 +654,7 @@ rule "${policyName}.GUARD.RESPONSE"
- if($guardResponse.result == "Permit"){
+ if("Permit".equals($guardResponse.result)){
modify($operation){setGuardApprovalStatus($guardResponse.result)};
}
diff --git a/controlloop/templates/template.demo/src/test/java/org/onap/policy/template/demo/ControlLoopXacmlGuardTest.java b/controlloop/templates/template.demo/src/test/java/org/onap/policy/template/demo/ControlLoopXacmlGuardTest.java
index 64ad490b2..5fe2f6222 100644
--- a/controlloop/templates/template.demo/src/test/java/org/onap/policy/template/demo/ControlLoopXacmlGuardTest.java
+++ b/controlloop/templates/template.demo/src/test/java/org/onap/policy/template/demo/ControlLoopXacmlGuardTest.java
@@ -47,6 +47,7 @@ import org.onap.policy.controlloop.VirtualControlLoopEvent;
import org.onap.policy.controlloop.VirtualControlLoopNotification;
import org.onap.policy.controlloop.policy.ControlLoopPolicy;
import org.onap.policy.controlloop.policy.TargetType;
+import org.onap.policy.drools.system.PolicyEngine;
import org.onap.policy.drools.http.server.HttpServletServer;
import org.onap.policy.drools.impl.PolicyEngineJUnitImpl;
import org.onap.policy.guard.PolicyGuard;
@@ -75,6 +76,7 @@ public class ControlLoopXacmlGuardTest {
@BeforeClass
public static void setPUProp(){
System.setProperty(OPSHISTPUPROP, "TestOperationsHistoryPU");
+ PolicyEngine.manager.setEnvironmentProperty("guard.url", "http://127.0.0.1:8443/pdp");
}
@AfterClass
public static void restorePUProp(){
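Review bot: `setEnvironmentProperty("guard.url", "http://127.0.0.1:8443/pdp")` points at an address that nothing in this commit starts a PDP on; if no server is listening, every guard call fails, CallGuardTask maps the failure to `Indeterminate` and the templates rewrite that to `Permit`, so the assertions that follow pass through the fail-open path and would not notice a broken request format or a real Deny. The doubled `Thread.sleep(2*4000)` / `Thread.sleep(2*15000)` waits in the later hunks look like they absorb connection-failure latency, which makes the test slower and still timing-dependent; a stub endpoint (HttpServletServer is already imported) returning a fixed `{"decision":"Permit"}` would exercise the intended path deterministically. The property is set on the global `PolicyEngine.manager` and, unless restorePUProp (whose body is outside the hunk) removes it, it leaks into other test classes run in the same JVM; clear it there or add a comment saying why that is safe.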
@@ -171,7 +173,7 @@ public class ControlLoopXacmlGuardTest {
assertTrue(obj instanceof VirtualControlLoopNotification);
assertTrue(((VirtualControlLoopNotification)obj).notification.equals(ControlLoopNotificationType.OPERATION));
- Thread.sleep(4000);
+ Thread.sleep(2*4000);
// "Response from Guard" notification
obj = engine.subscribe("UEB", "POLICY-CL-MGT");
assertNotNull(obj);
@@ -210,7 +212,7 @@ public class ControlLoopXacmlGuardTest {
assertTrue(obj instanceof VirtualControlLoopNotification);
assertTrue(((VirtualControlLoopNotification)obj).notification.equals(ControlLoopNotificationType.OPERATION));
- Thread.sleep(4000);
+ Thread.sleep(2*4000);
// "Response from Guard" notification
obj = engine.subscribe("UEB", "POLICY-CL-MGT");
@@ -238,7 +240,7 @@ public class ControlLoopXacmlGuardTest {
assertTrue(obj instanceof VirtualControlLoopNotification);
assertTrue(((VirtualControlLoopNotification)obj).notification.equals(ControlLoopNotificationType.OPERATION));
- Thread.sleep(1000);
+ Thread.sleep(2*1000);
obj = engine.subscribe("UEB", "APPC-CL");
assertNotNull(obj);
@@ -277,7 +279,7 @@ public class ControlLoopXacmlGuardTest {
//
// now wait for it to finish
//
- Thread.sleep(15000);
+ Thread.sleep(2*15000);
//
// Ensure they released the lock
//
diff --git a/controlloop/templates/template.demo/src/test/resources/META-INF/persistence.xml b/controlloop/templates/template.demo/src/test/resources/META-INF/persistence.xml
index c3740d0b2..820874105 100644
--- a/controlloop/templates/template.demo/src/test/resources/META-INF/persistence.xml
+++ b/controlloop/templates/template.demo/src/test/resources/META-INF/persistence.xml
@@ -14,7 +14,7 @@
<property name="javax.persistence.jdbc.url" value="jdbc:h2:mem:test" />
<property name="javax.persistence.jdbc.user" value="sa" />
<property name="javax.persistence.jdbc.password" value="" />
- <property name="eclipselink.logging.level" value="ALL" />
+ <property name="eclipselink.logging.level" value="CONFIG" />
</properties>
</persistence-unit>