diff options
Diffstat (limited to 'controlloop/m2/guard/src')
-rw-r--r-- | controlloop/m2/guard/src/main/java/org/onap/policy/guard/GuardContext.java | 400 | ||||
-rw-r--r-- | controlloop/m2/guard/src/test/java/org/onap/policy/guard/GuardContextTest.java | 139 |
2 files changed, 539 insertions, 0 deletions
diff --git a/controlloop/m2/guard/src/main/java/org/onap/policy/guard/GuardContext.java b/controlloop/m2/guard/src/main/java/org/onap/policy/guard/GuardContext.java new file mode 100644 index 000000000..d0d1b831f --- /dev/null +++ b/controlloop/m2/guard/src/main/java/org/onap/policy/guard/GuardContext.java @@ -0,0 +1,400 @@ +/*- + * ============LICENSE_START======================================================= + * guard + * ================================================================================ + * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.guard; + +import java.io.ObjectStreamException; +import java.io.Serializable; +import java.sql.Timestamp; +import java.time.Instant; +import java.util.HashMap; +import java.util.Properties; +import java.util.UUID; +import java.util.function.Supplier; + +import javax.persistence.EntityManager; +import javax.persistence.EntityManagerFactory; +import javax.persistence.Persistence; + +import org.drools.core.WorkingMemory; + +import org.onap.policy.database.operationshistory.Dbao; +import org.onap.policy.drools.controller.DroolsController; +import org.onap.policy.drools.core.PolicyContainer; +import org.onap.policy.drools.core.PolicySession; +import org.onap.policy.drools.system.PolicyController; +import org.onap.policy.drools.system.PolicyControllerConstants; +import org.onap.policy.drools.system.PolicyEngineConstants; +import org.onap.policy.guard.Util; +import org.onap.policy.util.DroolsSessionCommonSerializable; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Each instance of this class is initialized from a 'Properties' object, + * which is most likely a '*-controller.properties' file. The expectation is + * that it will be initialized within a '.drl' file, and be referenced by + * the associated 'Context' object. + */ +public class GuardContext implements Serializable { + private static final long serialVersionUID = 1L; + + private static final String ECLIPSE_LINK_KEY_DRIVER = "javax.persistence.jdbc.driver"; + + private static Logger logger = LoggerFactory.getLogger(GuardContext.class); + + // object that should be serialized + private Object namedSerializable; + + /*==================================*/ + /* fields extracted from properties */ + /*==================================*/ + // contains the four database properties, 'javax.persistence.jdbc.*', + private Properties dbProperties = null; + + // initialized from 'guard.disabled', but may also be set to 'true' if + // there is an initialization error + private boolean disabled = false; + + // errors that forced 'disabled' to be set to 'true' + private String errorMessage = null; + + /*======================================================*/ + /* fields that shouldn't be included in serialized data */ + /*======================================================*/ + + // derived from DB properties + private transient EntityManagerFactory emf = null; + + /** + * Constructor - initialize the 'GuardContext' instance using the + * controller's properties file. The properties file is located using a + * 'PolicySession' instance, but the way this mapping is done isn't + * perfect -- it may use the wrong properties file if there is another + * 'PolicyContainer' instance using the same 'artifactId' and 'groupId'. + * + * @param session the 'PolicySession' instance used to locate the associated + * 'Properties' instance + */ + public GuardContext(PolicySession session) { + this(session, null); + } + + /** + * Constructor - initialize the 'GuardContext' instance using the + * controller's properties file. The properties file is located using a + * 'PolicySession' instance, but the way this mapping is done isn't + * perfect -- it may use the wrong properties file if there is another + * 'PolicyContainer' instance using the same 'artifactId' and 'groupId'. + * + * @param session the 'PolicySession' instance used to locate the associated + * 'Properties' instance + * @param serializableName a String name unique within the Drools session + * that can be used to locate the corresponding 'GuardContext' object + * on the remote host + */ + public GuardContext(PolicySession session, String serializableName) { + namedSerializable = + (serializableName == null ? this : + new DroolsSessionCommonSerializable(serializableName, this)); + + // At present, there is no simple way to get the properties based + // upon a 'PolicyContainer'. Instead, we search through all of the + // 'PolicyController' instances looking for one with a matching + // 'artifactId' and 'groupId'. Note that this may not work correctly + // if there is more than one controller using the same or different + // version of the same artifact. + + PolicyContainer container = session.getPolicyContainer(); + String artifactId = container.getArtifactId(); + String groupId = container.getGroupId(); + + Properties properties = + PolicyControllerConstants.getFactory().get(groupId, artifactId).getProperties(); + init(properties); + } + + /** + * Constructor - initialize the 'GuardContext' instance using the + * specified properties. + * + * @param properties configuration data used to initialize the 'GuardContext' instance + */ + public GuardContext(Properties properties) { + init(properties); + } + + /** + * Common initialization routine code used by both constructors. + * + * @param properties configuration data used to initialize the 'GuardContext' instance + */ + private void init(Properties properties) { + // used to store error messages + StringBuilder sb = new StringBuilder(); + + // fetch these parameters, if they exist + String disabledString = + PolicyEngineConstants.getManager().getEnvironmentProperty(Util.PROP_GUARD_DISABLED); + + if (disabledString != null) { + // decode optional 'guard.disabled' parameter + disabled = Boolean.valueOf(disabledString); + if (disabled) { + // skip everything else + return; + } + } + + // extract 'guard.java.persistence.jdbc.*' parameters, + // which are all mandatory + dbProperties = new Properties(); + setProperty(dbProperties, Util.ONAP_KEY_URL, Util.ECLIPSE_LINK_KEY_URL, sb); + setProperty(dbProperties, Util.ONAP_KEY_USER, Util.ECLIPSE_LINK_KEY_USER, sb); + setProperty(dbProperties, Util.ONAP_KEY_PASS, Util.ECLIPSE_LINK_KEY_PASS, sb); + String driver = properties.getProperty("guard." + ECLIPSE_LINK_KEY_DRIVER); + if (driver != null) { + dbProperties.setProperty(ECLIPSE_LINK_KEY_DRIVER, driver); + } + + // if there are any errors, update 'errorMessage' & disable guard queries + if (sb.length() != 0) { + // remove the terminating ", ", and extract resulting error message + sb.setLength(sb.length() - 2); + errorMessage = sb.toString(); + disabled = true; + logger.error("Initialization failure: " + errorMessage); + } + } + + /** + * Fetch a property from the PolicyEngine environment, and store it in + * a corresponding property in 'properties'. + * + * @param properties the location to store the properties + * @param srcName source environment property name + * @param destName destination property name + * @param log a 'StringBuilder' used to construct an error message, if needed + */ + private void setProperty(Properties properties, String srcName, String destName, StringBuilder log) { + String value = + PolicyEngineConstants.getManager().getEnvironmentProperty(srcName); + if (value == null) { + log.append("'").append(srcName).append("' is not defined, "); + } else { + properties.setProperty(destName, value); + } + } + + /** + * Do an asynchronous (non-blocking) HTTP REST query to see if this + * operation is permitted by 'guard'. The response is returned by + * inserting a 'PolicyGuardResponse' instance into Drools memory. + * + * @param workingMemory the Drools response is inserted here + * @param actor the processor being acted upon (e.g. "APPC") + * @param recipe otherwise known as "operation" (e.g. "Restart") + * @param target a further qualifier on 'actor'? (e.g. "VM") + * @param requestId the UUID string identifying the overall request + */ + public void asyncQuery( + WorkingMemory workingMemory, + String actor, String recipe, String target, + String requestId) { + + asyncQuery(workingMemory, actor, recipe, target, requestId, null); + } + + /** + * Do an asynchronous (non-blocking) HTTP REST query to see if this + * operation is permitted by 'guard'. The response is returned by + * inserting a 'PolicyGuardResponse' instance into Drools memory. + * + * @param workingMemory the Drools response is inserted here + * @param actor the processor being acted upon (e.g. "APPC") + * @param recipe otherwise known as "operation" (e.g. "Restart") + * @param target a further qualifier on 'actor'? (e.g. "VM") + * @param requestId the UUID string identifying the overall request + * @param controlLoopName the 'controlLoopName' value or 'null' + * (if 'null', it is ommitted from the query to 'guard') + */ + public void asyncQuery( + final WorkingMemory workingMemory, + final String actor, final String recipe, final String target, + final String requestId, final String controlLoopName) { + + if (disabled) { + logger.error("query skipped: {}", errorMessage); + workingMemory.insert( + new PolicyGuardResponse("Deny", UUID.fromString(requestId), recipe)); + return; + } + + CallGuardTask cgt = new CallGuardTask(workingMemory, controlLoopName, + actor, recipe, target, requestId, () -> null); + + PolicyEngineConstants.getManager().getExecutorService().execute(cgt); + } + + /** + * Create an 'EntityManagerFactory', if needed, and then create a new + * 'EntityManager' instance. + * + * @return a new 'EntityManager' instance + */ + private EntityManager createEntityManager() { + if (emf == null) { + // 'EntityManagerFactory' does not exist yet -- create one + + // copy database properties to a 'HashMap' + HashMap<Object,Object> propertiesMap = new HashMap<>(dbProperties); + + // use 'ClassLoader' from Drools session + propertiesMap.put("eclipselink.classloader", + GuardContext.class.getClassLoader()); + + // create DB tables, if needed + propertiesMap.put("eclipselink.ddl-generation", "create-tables"); + + // create entity manager factory + emf = Persistence.createEntityManagerFactory("OperationsHistoryPU", propertiesMap); + } + + // create and return the 'EntityManager' + return emf.createEntityManager(); + } + + /** + * This is a synchronous (blocking) method, which creates a database entity + * for an in-progress request. + * + * @param starttime this is used as the 'starttime' timestamp in the record + * @param endtime this is used as the 'endtime' timestamp in the record + * @param closedLoopControlName uniquely identifies the Drools rules + * @param actor the processor being acted upon (e.g. "APPC") + * @param recipe otherwise known as "operation" (e.g. "Restart") + * @param target a further qualifier on 'actor'? (e.g. "VM") + * @param requestId the UUID string identifying the overall request + * @param subRequestId further qualifier on 'requestId' + * @param message indicates success status, or reason for failure + * @param outcome 'PolicyResult' enumeration string + * @return 'true' if the operation was successful, and 'false' if not + */ + public boolean createDbEntry( + Instant starttime, Instant endtime, String closedLoopControlName, + String actor, String recipe, String target, + String requestId, String subRequestId, String message, String outcome) { + + if (disabled) { + if (errorMessage != null) { + logger.error("Database update skipped: " + errorMessage); + } + return false; + } + + EntityManager em = null; + boolean rval = false; + + try { + em = createEntityManager(); + + // create the new DB table entry + Dbao newEntry = new Dbao(); + + // populate the new DB table entry + newEntry.setClosedLoopName(closedLoopControlName); + newEntry.setRequestId(requestId); + newEntry.setActor(actor); + newEntry.setOperation(recipe); + newEntry.setTarget(target); + newEntry.setStarttime(new Timestamp(starttime.toEpochMilli())); + newEntry.setSubrequestId(subRequestId); + + newEntry.setEndtime(new Timestamp(endtime.toEpochMilli())); + newEntry.setMessage(message); + newEntry.setOutcome(outcome); + + // store the new entry in the DB + em.getTransaction().begin(); + em.persist(newEntry); + em.getTransaction().commit(); + + rval = true; + } finally { + // free EntityManager + if (em != null) { + em.close(); + } + } + return rval; + } + + /** + * This is an asynchronous (non-blocking) method, which creates a database + * entity for an in-progress request. + * + * @param starttime this is used as the 'starttime' timestamp in the record + * @param endtime this is used as the 'endtime' timestamp in the record + * @param closedLoopControlName uniquely identifies the Drools rules + * @param actor the processor being acted upon (e.g. "APPC") + * @param recipe otherwise known as "operation" (e.g. "Restart") + * @param target a further qualifier on 'actor'? (e.g. "VM") + * @param requestId the UUID string identifying the overall request + * @param subRequestId further qualifier on 'requestId' + * @param message indicates success status, or reason for failure + * @param outcome 'PolicyResult' enumeration string + */ + public void asyncCreateDbEntry( + final Instant starttime, final Instant endtime, + final String closedLoopControlName, + final String actor, final String recipe, final String target, + final String requestId, final String subRequestId, + final String message, final String outcome) { + if (disabled) { + if (errorMessage != null) { + logger.error("Database update skipped: " + errorMessage); + } + return; + } + + PolicyEngineConstants.getManager().getExecutorService().execute(() -> { + try { + // using a separate thread, call the synchronous 'createDbEntry' + // method + createDbEntry(starttime, endtime, closedLoopControlName, + actor, recipe, target, requestId, subRequestId, + message, outcome); + } catch (Exception e) { + logger.error("GuardContext.asyncCreateDbEntry", e); + } + }); + } + + /** + * This method is used as part of serialization -- 'namedSerializable' + * is serialized instead of 'this'. + * + * @return the object to be serialized + */ + private Object writeReplace() throws ObjectStreamException { + return namedSerializable; + } +} diff --git a/controlloop/m2/guard/src/test/java/org/onap/policy/guard/GuardContextTest.java b/controlloop/m2/guard/src/test/java/org/onap/policy/guard/GuardContextTest.java new file mode 100644 index 000000000..1a61d9019 --- /dev/null +++ b/controlloop/m2/guard/src/test/java/org/onap/policy/guard/GuardContextTest.java @@ -0,0 +1,139 @@ +/*- + * ============LICENSE_START======================================================= + * guard + * ================================================================================ + * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.guard; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; +import static org.mockito.ArgumentMatchers.isNotNull; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import java.io.IOException; +import java.time.Instant; +import java.util.Properties; +import java.util.UUID; +import java.util.concurrent.LinkedBlockingQueue; +import java.util.concurrent.TimeUnit; + +import org.drools.core.WorkingMemory; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; +import org.mockito.ArgumentMatcher; +import org.onap.policy.drools.system.PolicyEngineConstants; + +public class GuardContextTest { + + private static Properties prop; + private static GuardContext guardContext; + private static WorkingMemory workingMemory; + private static LinkedBlockingQueue<Object> queue = new LinkedBlockingQueue<>(); + + /** + * Class-level initialization. + */ + @BeforeClass + public static void setup() throws IOException { + PolicyEngineConstants.getManager().configure(new Properties()); + PolicyEngineConstants.getManager().start(); + + prop = new Properties(); + prop.setProperty("guard.pdp.rest.url", "http://www.google.com/"); + prop.setProperty("guard.pdp.rest.client.user", "testuser"); + prop.setProperty("guard.pdp.rest.client.password", "testpassword"); + prop.setProperty("guard.pdp.rest.timeout", "1000"); + prop.setProperty("guard.pdp.rest.environment", "dev"); + + workingMemory = mock(WorkingMemory.class); + when(workingMemory.insert(isNotNull())).thenAnswer( + invocation -> { + queue.add(invocation.getArgument(0)); + return null; + }); + } + + @AfterClass + public static void stop() { + PolicyEngineConstants.getManager().stop(); + } + + @Test + public void guardDbResponseTest() throws InterruptedException { + Properties props = new Properties(prop); + props.setProperty("guard.disabled", "false"); + props.setProperty("guard.javax.persistence.jdbc.user", "user"); + props.setProperty("guard.javax.persistence.jdbc.password", "secret"); + props.setProperty("guard.javax.persistence.jdbc.driver", "org.h2.Driver"); + props.setProperty("guard.javax.persistence.jdbc.url", "jdbc:h2:file:./H2DB"); + + guardContext = new GuardContext(props); + assertNotNull(guardContext); + + guardContext.asyncCreateDbEntry(Instant.now().minusSeconds(1), Instant.now(), + "testCLName", "testActor", "testRecipe", "testTarget", + UUID.randomUUID().toString(), "1", "testMessage", "testOutcome"); + + queue.clear(); + guardContext.asyncQuery(workingMemory, "testActor", "testRecipe", + "testTarget", UUID.randomUUID().toString(), "testCLName"); + Object response = queue.poll(10, TimeUnit.SECONDS); + assertNotNull(response); + } + + @Test + public void badValuesTest() throws InterruptedException { + Properties props = new Properties(prop); + props.setProperty("guard.disabled", "true"); + props.setProperty("guard.pdp.rest.client.user", ""); + props.setProperty("guard.pdp.rest.client.password", ""); + props.setProperty("guard.pdp.rest.url", "bad,testuser,testpassword"); + + guardContext = new GuardContext(props); + + guardContext.asyncCreateDbEntry(Instant.now().minusSeconds(1), Instant.now(), + "testCLName", "testActor", "testRecipe", "testTarget", + UUID.randomUUID().toString(), "1", "testMessage", "testOutcome"); + + queue.clear(); + guardContext.asyncQuery(workingMemory, "testActor", "testRecipe", + "testTarget", UUID.randomUUID().toString()); + Object response = queue.poll(10, TimeUnit.SECONDS); + assertNotNull(response); + } + + @Test + public void policyGuardResponseTest() { + UUID requestId = UUID.randomUUID(); + PolicyGuardResponse emptyResponse1 = new PolicyGuardResponse(null, null, null); + + assertNotNull(emptyResponse1); + + PolicyGuardResponse response = new PolicyGuardResponse("Some Result", requestId, "Some Details"); + + response.setRequestId(requestId); + assertEquals(requestId, response.getRequestId()); + + response.setResult("Some Result"); + assertEquals("Some Result", response.getResult()); + + assertEquals("PolicyGuardResponse [requestId=", response.toString().substring(0, 31)); + } +} |