aboutsummaryrefslogtreecommitdiffstats
path: root/controlloop/common/guard/src/main/java/org
diff options
context:
space:
mode:
Diffstat (limited to 'controlloop/common/guard/src/main/java/org')
-rw-r--r--controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java22
-rw-r--r--controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java415
-rw-r--r--controlloop/common/guard/src/main/java/org/onap/policy/guard/Util.java23
3 files changed, 68 insertions, 392 deletions
diff --git a/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java b/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java
index 046b7cfd6..22fce1999 100644
--- a/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java
+++ b/controlloop/common/guard/src/main/java/org/onap/policy/guard/CallGuardTask.java
@@ -7,9 +7,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -20,12 +20,11 @@
package org.onap.policy.guard;
-import com.att.research.xacml.api.DataTypeException;
-import com.att.research.xacml.std.annotations.RequestParser;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;
import java.util.function.Supplier;
+
import org.drools.core.WorkingMemory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -69,7 +68,7 @@ public class CallGuardTask implements Runnable {
/**
* Guard url is grabbed from PolicyEngine.manager properties
*/
- public CallGuardTask(WorkingMemory wm, String cl, String act,
+ public CallGuardTask(WorkingMemory wm, String cl, String act,
String rec, String tar, String reqId, Supplier<Integer> vfcnt) {
workingMemory = wm;
clname = cl;
@@ -108,22 +107,14 @@ public class CallGuardTask implements Runnable {
workingMemory.insert(guardResponse);
return;
}
-
+
final long startTime = System.nanoTime();
- com.att.research.xacml.api.Request request = null;
PolicyGuardXacmlRequestAttributes xacmlReq =
new PolicyGuardXacmlRequestAttributes(clname, actor, recipe, target, requestId, vfCount);
- try {
- request = RequestParser.parseRequest(xacmlReq);
- } catch (IllegalArgumentException | IllegalAccessException | DataTypeException e) {
- logger.error("CallGuardTask.run threw: {}", e);
- }
-
-
logger.debug("\n********** XACML REQUEST START ********");
- logger.debug("{}", request);
+ logger.debug("{}", xacmlReq);
logger.debug("********** XACML REQUEST END ********\n");
String guardDecision = null;
@@ -147,7 +138,6 @@ public class CallGuardTask implements Runnable {
guardResponse = new PolicyGuardResponse(guardDecision, UUID.fromString(this.requestId), this.recipe);
-
//
// Create an artificial Guard response in case we didn't get a clear Permit or Deny
//
diff --git a/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java b/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java
index 6d1fd315e..2d43c885e 100644
--- a/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java
+++ b/controlloop/common/guard/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelper.java
@@ -21,31 +21,20 @@
package org.onap.policy.guard;
-import com.att.research.xacml.api.Attribute;
-import com.att.research.xacml.api.AttributeCategory;
-import com.att.research.xacml.api.AttributeValue;
-import com.att.research.xacml.api.Result;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.Serializable;
-import java.net.HttpURLConnection;
-import java.net.URL;
-import java.util.ArrayList;
-import java.util.Base64;
-import java.util.Iterator;
-import java.util.Properties;
+import java.util.HashMap;
+import java.util.Map;
import java.util.UUID;
-import org.apache.commons.io.IOUtils;
-import org.apache.http.entity.ContentType;
-import org.json.JSONObject;
import org.onap.policy.common.endpoints.event.comm.Topic.CommInfrastructure;
import org.onap.policy.common.endpoints.utils.NetLoggerUtil;
import org.onap.policy.common.endpoints.utils.NetLoggerUtil.EventType;
+import org.onap.policy.common.utils.coder.CoderException;
+import org.onap.policy.common.utils.coder.StandardCoder;
import org.onap.policy.drools.system.PolicyEngine;
+import org.onap.policy.models.decisions.concepts.DecisionRequest;
+import org.onap.policy.models.decisions.concepts.DecisionResponse;
+import org.onap.policy.rest.RestManager;
+import org.onap.policy.rest.RestManager.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -53,28 +42,17 @@ import org.slf4j.LoggerFactory;
public class PolicyGuardXacmlHelper {
private static final Logger logger = LoggerFactory.getLogger(PolicyGuardXacmlHelper.class);
- private UrlEntry[] restUrls = null;
- private int restUrlIndex = 0;
-
- // REST timeout, initialized from 'pdpx.timeout' property
- private int timeout = 20000;
+ private String url;
+ private String user;
+ private String pwd;
+ /**
+ * Constructor.
+ */
public PolicyGuardXacmlHelper() {
- init(PolicyEngine.manager.getEnvironment());
- }
-
- // initialized from 'pdpx.url' property --
- // Each entry in 'restUrls' contains a destination URL, and an optional
- // 'Authorization' header entry. 'restUrlIndex' indicates the next
- // entry to try -- after each failure, the index is advanced to the
- // next entry (wrapping to the beginning, if needed).
- private static class UrlEntry implements Serializable {
- private static final long serialVersionUID = -8859237552195400518L;
-
- URL restUrl;
- String authorization = null;
- String clientAuth = null;
- String environment = null;
+ this.url = PolicyEngine.manager.getEnvironmentProperty("pdpx.host");
+ this.user = PolicyEngine.manager.getEnvironmentProperty("pdpx.username");
+ this.pwd = PolicyEngine.manager.getEnvironmentProperty("pdpx.password");
}
/**
@@ -85,357 +63,72 @@ public class PolicyGuardXacmlHelper {
*/
public String callPdp(PolicyGuardXacmlRequestAttributes xacmlReq) {
//
- // Send it to the PDP
- //
- String response = null;
-
- //
- // Build the json request
+ // Create a request suitable for API
//
- JSONObject attributes = new JSONObject();
- attributes.put("actor", xacmlReq.getActorId());
- attributes.put("recipe", xacmlReq.getOperationId());
- attributes.put("target", xacmlReq.getTargetId());
+ DecisionRequest decisionRequest = new DecisionRequest();
+ decisionRequest.setOnapName("Policy");
+ decisionRequest.setOnapComponent("Drools PDP");
+ decisionRequest.setOnapInstance("usecase template");
+ decisionRequest.setRequestId(UUID.randomUUID().toString());
+ decisionRequest.setAction("guard");
+ Map<String, String> guard = new HashMap<>();
+ guard.put("actor", xacmlReq.getActorId());
+ guard.put("recipe", xacmlReq.getOperationId());
+ guard.put("target", xacmlReq.getTargetId());
if (xacmlReq.getClnameId() != null) {
- attributes.put("clname", xacmlReq.getClnameId());
+ guard.put("clName", xacmlReq.getClnameId());
}
if (xacmlReq.getVfCount() != null) {
- attributes.put("vfCount", xacmlReq.getVfCount());
+ guard.put("vfCount", Integer.toString(xacmlReq.getVfCount()));
}
- JSONObject jsonReq = new JSONObject();
- jsonReq.put("decisionAttributes", attributes);
- jsonReq.put("onapName", "PDPD");
-
+ Map<String, Object> resources = new HashMap<>();
+ resources.put("guard", guard);
+ decisionRequest.setResource(resources);
try {
//
// Call RESTful PDP
//
- UrlEntry urlEntry = restUrls[restUrlIndex];
- String jsonRequestString = jsonReq.toString();
- NetLoggerUtil.log(EventType.OUT, CommInfrastructure.REST, urlEntry.restUrl.toString(), jsonRequestString);
- response = callRestfulPdp(new ByteArrayInputStream(jsonReq.toString().getBytes()), urlEntry.restUrl,
- urlEntry.authorization, urlEntry.clientAuth, urlEntry.environment);
- NetLoggerUtil.log(EventType.IN, CommInfrastructure.REST, urlEntry.restUrl.toString(), response);
+ NetLoggerUtil.log(EventType.OUT, CommInfrastructure.REST, this.url, decisionRequest.toString());
+ String response = callRestfulPdp(decisionRequest);
+ NetLoggerUtil.log(EventType.IN, CommInfrastructure.REST, this.url, response);
+
+ return response;
} catch (Exception e) {
logger.error("Error in sending RESTful request: ", e);
}
- return response;
+ return Util.DENY;
}
/**
* This makes an HTTP POST call to a running PDP RESTful servlet to get a decision.
*
- * @param is the InputStream
- * @param authorization the Authorization
- * @param clientauth the ClientAuth
- * @param environment the Environment
+ * @param decisionRequest The Decision request
* @return response from guard which contains "Permit" or "Deny"
+ * @throws CoderException Exception when converting to/from JSON the message body
*/
- private String callRestfulPdp(InputStream is, URL restUrl, String authorization, String clientauth,
- String environment) {
- HttpURLConnection connection = null;
-
- try {
- //
- // Open up the connection
- //
- connection = (HttpURLConnection) restUrl.openConnection();
- connection.setRequestProperty("Content-Type", "application/json");
- //
- // Setup our method and headers
- //
- connection.setRequestProperty("Accept", "application/json");
- if (authorization != null) {
- connection.setRequestProperty("Authorization", authorization);
- }
- if (clientauth != null) {
- connection.setRequestProperty("ClientAuth", clientauth);
- }
- if (environment != null) {
- connection.setRequestProperty("Environment", environment);
- }
- connection.setConnectTimeout(timeout);
- connection.setReadTimeout(timeout);
- connection.setRequestMethod("POST");
- connection.setUseCaches(false);
- //
- // Adding this in. It seems the HttpUrlConnection class does NOT
- // properly forward our headers for POST re-direction. It does so
- // for a GET re-direction.
- //
- // So we need to handle this ourselves.
- //
- connection.setInstanceFollowRedirects(false);
- connection.setDoOutput(true);
- connection.setDoInput(true);
- //
- // Send the request
- //
- try (OutputStream os = connection.getOutputStream()) {
- IOUtils.copy(is, os);
- }
-
- //
- // Do the connect
- //
- connection.connect();
-
- if (connection.getResponseCode() != 200) {
- logger.error(connection.getResponseCode() + " " + connection.getResponseMessage());
- return Util.INDETERMINATE;
- }
- } catch (Exception e) {
- logger.error("Exception in 'PolicyGuardXacmlHelper.callRESTfulPDP'", e);
- return Util.INDETERMINATE;
- }
-
- //
- // Read the response
- //
- try {
- ContentType contentType = ContentType.parse(connection.getContentType());
-
- if (contentType.getMimeType().equalsIgnoreCase(ContentType.APPLICATION_JSON.getMimeType())) {
- InputStream inputStream = connection.getInputStream();
- int contentLength = connection.getContentLength();
-
- return readResponseFromStream(inputStream, contentLength);
- } else {
- logger.error("unknown content-type: {}", contentType);
- return Util.INDETERMINATE;
- }
-
- } catch (Exception e) {
- String message = "Parsing Content-Type: " + connection.getContentType();
- logger.error(message, e);
- return Util.INDETERMINATE;
- }
- }
-
- /**
- * Parse XACML PDP response.
- *
- * @param xacmlResponse the XACML response
- * @return the PolicyGuardResponse
- */
- public static PolicyGuardResponse parseXacmlPdpResponse(com.att.research.xacml.api.Response xacmlResponse) {
- if (xacmlResponse == null) {
- //
- // In case the actual XACML response was null, create an empty
- // response object with decision "Indeterminate"
- //
- return new PolicyGuardResponse("Indeterminate", null, "");
- }
-
- Iterator<Result> itRes = xacmlResponse.getResults().iterator();
-
- Result res = itRes.next();
- String decisionFromXacmlResponse = res.getDecision().toString();
- Iterator<AttributeCategory> itAttrCat = res.getAttributes().iterator();
- UUID reqIdFromXacmlResponse = null;
- String operationFromXacmlResponse = "";
+ private String callRestfulPdp(DecisionRequest decisionRequest) throws CoderException {
+ StandardCoder coder = new StandardCoder();
- while (itAttrCat.hasNext()) {
- Iterator<Attribute> itAttr = itAttrCat.next().getAttributes().iterator();
- while (itAttr.hasNext()) {
- Attribute currentAttr = itAttr.next();
- String attributeId = currentAttr.getAttributeId().stringValue();
- if ("urn:org:onap:guard:request:request-id".equals(attributeId)) {
- Iterator<AttributeValue<?>> itValues = currentAttr.getValues().iterator();
- reqIdFromXacmlResponse = UUID.fromString(itValues.next().getValue().toString());
- }
- if ("urn:org:onap:guard:operation:operation-id".equals(attributeId)) {
- Iterator<AttributeValue<?>> itValues = currentAttr.getValues().iterator();
- operationFromXacmlResponse = itValues.next().getValue().toString();
- }
- }
- }
-
- return new PolicyGuardResponse(decisionFromXacmlResponse, reqIdFromXacmlResponse, operationFromXacmlResponse);
-
- }
-
- private void init(Properties properties) {
- // used to store error messages
- StringBuilder sb = new StringBuilder();
-
- // fetch these parameters, if they exist
- String timeoutString = properties.getProperty("pdpx.timeout");
- String disabledString = properties.getProperty("guard.disabled");
-
- if (disabledString != null && Boolean.parseBoolean(disabledString)) {
- return;
- }
-
- ArrayList<UrlEntry> entries = initEntries(properties, sb);
-
- if (entries.isEmpty()) {
- sb.append("'pdpx.*' -- no URLs specified, ");
- } else {
- restUrls = entries.toArray(new UrlEntry[0]);
- }
-
- if (timeoutString != null) {
- try {
- // decode optional 'pdpx.timeout' parameter
- timeout = Integer.valueOf(timeoutString);
- } catch (NumberFormatException e) {
- sb.append("'pdpx.timeout': " + e + ", ");
- logger.trace(e.getLocalizedMessage());
- }
- }
-
-
- // if there are any errors, update 'errorMessage' & disable guard
- // queries
- if (sb.length() != 0) {
- // remove the terminating ", ", and extract resulting error message
- sb.setLength(sb.length() - 2);
- String errorMessage = sb.toString();
- logger.error("Initialization failure: {}", errorMessage);
- }
- }
-
- private ArrayList<UrlEntry> initEntries(Properties properties, StringBuilder sb) {
- // now, see which numeric entries (1-9) exist
- ArrayList<UrlEntry> entries = new ArrayList<>();
-
- for (int index = 0; index < 10; index += 1) {
- String urlPrefix = "guard.";
- if (index != 0) {
- urlPrefix = urlPrefix + index + ".";
- }
-
- // see if the associated URL exists
- String restUrllist = properties.getProperty(urlPrefix + "url");
- if (nullOrEmpty(restUrllist)) {
- // no entry for this index
- continue;
- }
-
- // support a list of entries separated by semicolons. Each entry
- // can be:
- // URL
- // URL,user
- // URL,user,password
- for (String restUrl : restUrllist.split("\\s*;\\s*")) {
- UrlEntry entry = initRestUrl(properties, sb, restUrl);
- // include this URLEntry in the list
- if (entry != null) {
- entries.add(entry);
- }
- }
- }
-
- return entries;
- }
+ String jsonBody = coder.encode(decisionRequest);
+ RestManager restManager = new RestManager();
- private UrlEntry initRestUrl(Properties properties, StringBuilder sb, String restUrl) {
- String urlPrefix = "guard.";
- String pdpxPrefix = "pdpx.";
+ Map<String, String> headers = new HashMap<>();
+ headers.put("Accepts", "application/json");
- String[] segments = restUrl.split("\\s*,\\s*");
- String user = null;
- String password = null;
+ Pair<Integer, String> httpDetails = restManager.post(url, user, pwd, headers, "application/json", jsonBody);
- if (segments.length >= 2) {
- // user id is provided
- restUrl = segments[0];
- user = segments[1];
- if (segments.length >= 3) {
- // password is also provided
- password = segments[2];
- }
+ if (httpDetails == null) {
+ return Util.DENY;
}
- // URL does exist -- create the entry
- UrlEntry urlEntry = new UrlEntry();
- try {
- urlEntry.restUrl = new URL(restUrl);
- } catch (java.net.MalformedURLException e) {
- // if we don't have a URL,
- // don't bother with the rest on this one
- sb.append("'").append(urlPrefix).append("url' '").append(restUrl).append("': ").append(e).append(",");
- return null;
- }
-
- if (nullOrEmpty(user)) {
- // user id was not provided on '*.url' line --
- // extract it from a separate property
- user = properties.getProperty(pdpxPrefix + "username", properties.getProperty("pdpx.username"));
- }
- if (nullOrEmpty(password)) {
- // password was not provided on '*.url' line --
- // extract it from a separate property
- password = properties.getProperty(pdpxPrefix + "password", properties.getProperty("pdpx.password"));
- }
-
- // see if 'user' and 'password' entries both exist
- if (!nullOrEmpty(user) && !nullOrEmpty(password)) {
- urlEntry.authorization = "Basic " + Base64.getEncoder().encodeToString((user + ":" + password).getBytes());
+ if (httpDetails.first == 200) {
+ DecisionResponse decision = coder.decode(httpDetails.second, DecisionResponse.class);
+ return decision.getStatus();
}
- // see if 'client.user' and 'client.password' entries both exist
- String clientUser =
- properties.getProperty(pdpxPrefix + "client.username", properties.getProperty("pdpx.client.username"));
- String clientPassword =
- properties.getProperty(pdpxPrefix + "client.password", properties.getProperty("pdpx.client.password"));
- if (!nullOrEmpty(clientUser) && !nullOrEmpty(clientPassword)) {
- urlEntry.clientAuth =
- "Basic " + Base64.getEncoder().encodeToString((clientUser + ":" + clientPassword).getBytes());
- }
-
- // see if there is an 'environment' entry
- String environment =
- properties.getProperty(pdpxPrefix + "environment", properties.getProperty("pdpx.environment"));
- if (!nullOrEmpty(environment)) {
- urlEntry.environment = environment;
- }
-
- return urlEntry;
- }
-
- /**
- * Check if a string is null or an empty string.
- *
- * @param value the string to be tested
- * @return 'true' if the string is 'null' or has a length of 0, 'false' otherwise
- */
- private static boolean nullOrEmpty(String value) {
- return (value == null || value.isEmpty());
+ return Util.DENY;
}
- private static String readResponseFromStream(InputStream inputStream, int contentLength) throws IOException {
- // if content length is -1, response is chunked, and
- // TCP connection will be dropped at the end
- byte[] buf = new byte[contentLength < 0 ? 1024 : contentLength];
- int offset = 0;
- do {
- int size = inputStream.read(buf, offset, buf.length - offset);
- if (size < 0) {
- // In a chunked response a dropped connection is expected, but not if the response
- // is not chunked
- if (contentLength > 0) {
- logger.error("partial input stream");
- }
- break;
- }
- offset += size;
- }
- while (offset != contentLength);
-
- String response = new String(buf, 0, offset);
-
- //
- // Connection may have failed or not been 200 OK, return Indeterminate
- //
- if (response.isEmpty()) {
- return Util.INDETERMINATE;
- }
-
- return new JSONObject(response).getString("decision");
-
- }
}
diff --git a/controlloop/common/guard/src/main/java/org/onap/policy/guard/Util.java b/controlloop/common/guard/src/main/java/org/onap/policy/guard/Util.java
index 6298774bb..e378b61c9 100644
--- a/controlloop/common/guard/src/main/java/org/onap/policy/guard/Util.java
+++ b/controlloop/common/guard/src/main/java/org/onap/policy/guard/Util.java
@@ -2,14 +2,14 @@
* ============LICENSE_START=======================================================
* guard
* ================================================================================
- * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2017-2019 AT&T Intellectual Property. All rights reserved.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -39,12 +39,9 @@ public final class Util {
/*
* Keys for guard properties
*/
- public static final String PROP_GUARD_URL = "guard.url";
+ public static final String PROP_GUARD_URL = "pdpx.host";
public static final String PROP_GUARD_USER = "pdpx.username";
public static final String PROP_GUARD_PASS = "pdpx.password";
- public static final String PROP_GUARD_CLIENT_USER = "pdpx.client.username";
- public static final String PROP_GUARD_CLIENT_PASS = "pdpx.client.password";
- public static final String PROP_GUARD_ENV = "pdpx.environment";
public static final String PROP_GUARD_DISABLED = "guard.disabled";
/*
@@ -89,7 +86,7 @@ public final class Util {
/**
* Load a Yaml file.
- *
+ *
* @param testFile the Yaml file
* @return the policies
*/
@@ -113,7 +110,7 @@ public final class Util {
/**
* Load a Yaml guard.
- *
+ *
* @param testFile the Yaml file
* @return the guard
*/
@@ -134,17 +131,13 @@ public final class Util {
/**
* Sets Guard Properties.
- *
+ *
* <p>see /guard/src/test/java/org/onap/policy/guard/UtilTest.java for setting test properties
*/
- public static void setGuardEnvProps(String url, String username, String password, String clientName,
- String clientPassword, String environment) {
+ public static void setGuardEnvProps(String url, String username, String password) {
PolicyEngine.manager.setEnvironmentProperty(org.onap.policy.guard.Util.PROP_GUARD_URL, url);
PolicyEngine.manager.setEnvironmentProperty(org.onap.policy.guard.Util.PROP_GUARD_USER, username);
PolicyEngine.manager.setEnvironmentProperty(org.onap.policy.guard.Util.PROP_GUARD_PASS, password);
- PolicyEngine.manager.setEnvironmentProperty(org.onap.policy.guard.Util.PROP_GUARD_CLIENT_USER, clientName);
- PolicyEngine.manager.setEnvironmentProperty(org.onap.policy.guard.Util.PROP_GUARD_CLIENT_PASS, clientPassword);
- PolicyEngine.manager.setEnvironmentProperty(org.onap.policy.guard.Util.PROP_GUARD_ENV, environment);
}
public static void setGuardEnvProp(String key, String value) {