From a91076ff372a49d080b78b3608bb0d7d26055741 Mon Sep 17 00:00:00 2001
From: Joshua Reich
Date: Mon, 15 Apr 2019 11:54:48 -0700
Subject: Removing no longer needed demo code.
Coordination code has been merged into xacml-pdp, this code is no longer needed.
Change-Id: I96995c89d7248744c4261b7c02348c0d30d545b5
Issue-ID: POLICY-1471
Signed-off-by: Joshua Reich
---
 .../onap/policy/guard/CallGuardTaskEmbedded.java | 166 -------
 .../guard/PolicyGuardXacmlHelperEmbedded.java | 514 ---------------------
 2 files changed, 680 deletions(-)
 delete mode 100644 controlloop/templates/template.demo.clc/src/main/java/org/onap/policy/guard/CallGuardTaskEmbedded.java
 delete mode 100644 controlloop/templates/template.demo.clc/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelperEmbedded.java
(limited to 'controlloop/templates/template.demo.clc/src/main/java')
diff --git a/controlloop/templates/template.demo.clc/src/main/java/org/onap/policy/guard/CallGuardTaskEmbedded.java b/controlloop/templates/template.demo.clc/src/main/java/org/onap/policy/guard/CallGuardTaskEmbedded.java
deleted file mode 100644
index 1c4cada61..000000000
--- a/controlloop/templates/template.demo.clc/src/main/java/org/onap/policy/guard/CallGuardTaskEmbedded.java
+++ /dev/null
@@ -1,166 +0,0 @@
-/*-
- * ============LICENSE_START=======================================================
- * guard
- * ================================================================================
- * Copyright (C) 2018-2019 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.policy.guard;
-
-import com.att.research.xacml.api.DataTypeException;
-import com.att.research.xacml.std.annotations.RequestParser;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.UUID;
-import java.util.function.Supplier;
-import org.drools.core.WorkingMemory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class CallGuardTaskEmbedded implements Runnable {
-
- private static final Logger logger = LoggerFactory.getLogger(CallGuardTaskEmbedded.class);
-
- /**
- * Actor/recipe pairs whose guard requests need a VF Module count. Each element is of
- * the form "<actor>:<recipe>".
- */
- private static final Set NEEDS_VF_COUNT = new HashSet<>();
-
- /**
- * Actor/recipe pairs whose guard requests need the VF Module count to be incremented
- * (i.e., because a module is being added). Each element is of the form
- * "<actor>:<recipe>".
- */
- private static final Set INCR_VF_COUNT = new HashSet<>();
-
- static {
- INCR_VF_COUNT.add("SO:VF Module Create");
- NEEDS_VF_COUNT.addAll(INCR_VF_COUNT);
- }
-
- private WorkingMemory workingMemory;
- private String clname;
- private String actor;
- private String recipe;
- private String target;
- private String requestId;
- private Integer vfCount;
-
- /**
- * Populated once the response has been determined, which may happen during the
- * constructor or later, during {@link #run()}.
- */
- private PolicyGuardResponse guardResponse;
-
- /**
- * Guard url is grabbed from PolicyEngine.manager properties
- */
- public CallGuardTaskEmbedded(WorkingMemory wm, String cl, String act, String rec,
- String tar, String reqId, Supplier vfcnt) {
- workingMemory = wm;
- clname = cl;
- actor = act;
- recipe = rec;
- requestId = reqId;
- target = tar;
-
- vfCount = null;
-
- String key = act + ":" + rec;
-
- if (NEEDS_VF_COUNT.contains(key)) {
- // this actor/recipe needs the count - get it
- if ((vfCount = vfcnt.get()) == null) {
- /*
- * The count is missing - create an artificial Deny, which will be
- * inserted into working memory when "run()" is called.
- */
- guardResponse = new PolicyGuardResponse(Util.DENY, UUID.fromString(requestId), recipe);
- logger.error("CallEmbeddedGuardTask.run missing VF Module count; requestId={}", requestId);
- return;
- }
-
- if (INCR_VF_COUNT.contains(key)) {
- // this actor/recipe needs the count to be incremented
- ++vfCount;
- }
- }
- }
-
- @Override
- public void run() {
- if (guardResponse != null) {
- // already have a response - just insert it
- workingMemory.insert(guardResponse);
- return;
- }
-
- final long startTime = System.nanoTime();
- com.att.research.xacml.api.Request request = null;
-
- PolicyGuardXacmlRequestAttributes xacmlReq =
- new PolicyGuardXacmlRequestAttributes(clname, actor, recipe, target, requestId, vfCount);
-
- try {
- request = RequestParser.parseRequest(xacmlReq);
- } catch (IllegalArgumentException | IllegalAccessException | DataTypeException e) {
- logger.error("CallEmbeddedGuardTask.run threw: {}", e);
- }
-
-
- logger.debug("\n********** XACML REQUEST START ********");
- logger.debug("{}", request);
- logger.debug("********** XACML REQUEST END ********\n");
-
- String guardDecision = null;
-
- //
- // Make guard request
- //
- guardDecision = new PolicyGuardXacmlHelperEmbedded().callPdp(xacmlReq);
-
- logger.debug("\n********** XACML RESPONSE START ********");
- logger.debug("{}", guardDecision);
- logger.debug("********** XACML RESPONSE END ********\n");
-
- //
- // Check if the restful call was unsuccessful or property doesn't exist
- //
- if (guardDecision == null) {
- logger.error("********** XACML FAILED TO CONNECT ********");
- guardDecision = Util.INDETERMINATE;
- }
-
- guardResponse = new PolicyGuardResponse(guardDecision, UUID.fromString(this.requestId), this.recipe);
-
-
- //
- // Create an artificial Guard response in case we didn't get a clear Permit or Deny
- //
- if ("Indeterminate".equals(guardResponse.getResult())) {
- guardResponse.setOperation(recipe);
- guardResponse.setRequestId(UUID.fromString(requestId));
- }
-
- long 
estimatedTime = System.nanoTime() - startTime;
- logger.debug("\n\n============ Guard inserted with decision {} !!! =========== time took: {} mili sec \n\n",
- guardResponse.getResult(), (double) estimatedTime / 1000 / 1000);
- workingMemory.insert(guardResponse);
-
- }
-
-}
diff --git a/controlloop/templates/template.demo.clc/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelperEmbedded.java b/controlloop/templates/template.demo.clc/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelperEmbedded.java
deleted file mode 100644
index e0cd2c9c4..000000000
--- a/controlloop/templates/template.demo.clc/src/main/java/org/onap/policy/guard/PolicyGuardXacmlHelperEmbedded.java
+++ /dev/null
@@ -1,514 +0,0 @@
-/*-
- * ============LICENSE_START=======================================================
- * guard
- * ================================================================================
- * Copyright (C) 2018-2019 AT&T Intellectual Property. All rights reserved.
- * Modifications Copyright (C) 2019 Samsung Electronics Co., Ltd.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.policy.guard;
-
-import com.att.research.xacml.api.Attribute;
-import com.att.research.xacml.api.AttributeCategory;
-import com.att.research.xacml.api.AttributeValue;
-import com.att.research.xacml.api.Result;
-import com.att.research.xacml.api.pdp.PDPEngine;
-import com.att.research.xacml.std.annotations.RequestParser;
-import com.att.research.xacmlatt.pdp.ATTPDPEngineFactory;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.OutputStream;
-import java.io.Serializable;
-import java.net.HttpURLConnection;
-import java.net.URL;
-import java.util.ArrayList;
-import java.util.Base64;
-import java.util.Iterator;
-import java.util.Properties;
-import java.util.UUID;
-
-import org.apache.commons.io.IOUtils;
-import 
org.apache.http.entity.ContentType;
-import org.json.JSONObject;
-import org.onap.policy.common.endpoints.event.comm.Topic.CommInfrastructure;
-import org.onap.policy.common.endpoints.utils.NetLoggerUtil;
-import org.onap.policy.common.endpoints.utils.NetLoggerUtil.EventType;
-import org.onap.policy.database.operationshistory.Dbao;
-import org.onap.policy.drools.system.PolicyEngine;
-import org.onap.policy.guard.PolicyGuardResponse;
-import org.onap.policy.guard.PolicyGuardXacmlRequestAttributes;
-import org.onap.policy.guard.Util;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-
-public class PolicyGuardXacmlHelperEmbedded {
- private static final Logger logger = LoggerFactory.getLogger(PolicyGuardXacmlHelperEmbedded.class);
-
- private String propfile;
- private UrlEntry[] restUrls = null;
- private int restUrlIndex = 0;
-
- // REST timeout, initialized from 'pdpx.timeout' property
- private int timeout = 20000;
-
- public PolicyGuardXacmlHelperEmbedded() {
- init(PolicyEngine.manager.getEnvironment());
- }
-
- // initialized from 'pdpx.url' property --
- // Each entry in 'restUrls' contains a destination URL, and an optional
- // 'Authorization' header entry. 'restUrlIndex' indicates the next
- // entry to try -- after each failure, the index is advanced to the
- // next entry (wrapping to the beginning, if needed).
- private static class UrlEntry implements Serializable {
- private static final long serialVersionUID = -8859237552195400518L;
-
- URL restUrl;
- String authorization = null;
- String clientAuth = null;
- String environment = null;
- }
-
- /**
- * Call PDP.
- *
- * @param xacmlReq the XACML request
- * @return the response
- */
- public String callPdp(PolicyGuardXacmlRequestAttributes xacmlReq) {
- //
- // Send it to the PDP
- //
- String response = null;
-
- if ( propfile != null ) {
- logger.debug("callEmbeddedPdp");
- return callEmbeddedPdp(xacmlReq);
- }
- //
- // Build the json request
- //
- JSONObject attributes = new JSONObject();
- attributes.put("actor", xacmlReq.getActorId());
- attributes.put("recipe", xacmlReq.getOperationId());
- attributes.put("target", xacmlReq.getTargetId());
- if (xacmlReq.getClnameId() != null) {
- attributes.put("clname", xacmlReq.getClnameId());
- }
- if (xacmlReq.getVfCount() != null) {
- attributes.put("vfCount", xacmlReq.getVfCount());
- }
- JSONObject jsonReq = new JSONObject();
- jsonReq.put("decisionAttributes", attributes);
- jsonReq.put("onapName", "PDPD");
-
-
- try {
- //
- // Call RESTful PDP
- //
- UrlEntry urlEntry = restUrls[restUrlIndex];
- String jsonRequestString = jsonReq.toString();
- NetLoggerUtil.log(EventType.OUT, CommInfrastructure.REST, urlEntry.restUrl.toString(), jsonRequestString);
- response = callRestfulPdp(new ByteArrayInputStream(jsonReq.toString().getBytes()), urlEntry.restUrl,
- urlEntry.authorization, urlEntry.clientAuth, urlEntry.environment);
- NetLoggerUtil.log(EventType.IN, CommInfrastructure.REST, urlEntry.restUrl.toString(), response);
- } catch (Exception e) {
- logger.error("Error in sending RESTful request", e);
- }
-
- return response;
- }
-
- /**
- * This makes an HTTP POST call to a running PDP RESTful servlet to get a decision.
- *
- * @param is the InputStream
- * @param authorization the Authorization
- * @param clientauth the ClientAuth
- * @param environment the Environment
- * @return response from guard which contains "Permit" or "Deny"
- */
- private String callRestfulPdp(InputStream is, URL restUrl, String authorization, String clientauth,
- String environment) {
- HttpURLConnection connection = null;
-
- try {
- //
- // Open up the connection
- //
- connection = (HttpURLConnection) restUrl.openConnection();
- connection.setRequestProperty("Content-Type", "application/json");
- //
- // Setup our method and headers
- //
- connection.setRequestProperty("Accept", "application/json");
- if (authorization != null) {
- connection.setRequestProperty("Authorization", authorization);
- }
- if (clientauth != null) {
- connection.setRequestProperty("ClientAuth", clientauth);
- }
- if (environment != null) {
- connection.setRequestProperty("Environment", environment);
- }
- connection.setConnectTimeout(timeout);
- connection.setReadTimeout(timeout);
- connection.setRequestMethod("POST");
- connection.setUseCaches(false);
- //
- // Adding this in. It seems the HttpUrlConnection class does NOT
- // properly forward our headers for POST re-direction. It does so
- // for a GET re-direction.
- //
- // So we need to handle this ourselves.
- //
- connection.setInstanceFollowRedirects(false);
- connection.setDoOutput(true);
- connection.setDoInput(true);
- //
- // Send the request
- //
- try (OutputStream os = connection.getOutputStream()) {
- IOUtils.copy(is, os);
- }
-
- //
- // Do the connect
- //
- connection.connect();
-
- if (connection.getResponseCode() != 200) {
- logger.error("{} {}", connection.getResponseCode(), connection.getResponseMessage());
- return Util.INDETERMINATE;
- }
- } catch (Exception e) {
- logger.error("Exception in 'PolicyGuardEmbeddedHelper.callRESTfulPDP'", e);
- return Util.INDETERMINATE;
- }
-
- //
- // Read the response
- //
- try {
- ContentType contentType = ContentType.parse(connection.getContentType());
-
- if (contentType.getMimeType().equalsIgnoreCase(ContentType.APPLICATION_JSON.getMimeType())) {
- InputStream inputStream = connection.getInputStream();
- int contentLength = connection.getContentLength();
-
- return readResponseFromStream(inputStream, contentLength);
- } else {
- logger.error("unknown content-type: {}", contentType);
- return Util.INDETERMINATE;
- }
-
- } catch (Exception e) {
- String message = "Parsing Content-Type: " + connection.getContentType();
- logger.error(message, e);
- return Util.INDETERMINATE;
- }
- }
-
- /**
- * Call embedded PDP.
- *
- * @param xacmlReq the XACML request
- * @return the response
- */
- public String callEmbeddedPdp(PolicyGuardXacmlRequestAttributes xacmlReq) {
- com.att.research.xacml.api.Response response = null;
- Properties props = new Properties();
- //
- // Get properties
- //
- try ( InputStream is = new FileInputStream(propfile);
- InputStreamReader isr = new InputStreamReader(is);
- BufferedReader br = new BufferedReader(isr) ) {
- props.load(br);
- } catch (Exception e) {
- logger.error("Unable to load properties file {}", propfile, e);
- }
- //
- // Create embedded PDPEngine
- //
- PDPEngine xacmlPdpEngine;
- try {
- xacmlPdpEngine = ATTPDPEngineFactory.newInstance().newEngine(props);
- } catch (Exception e) {
- logger.error("callEmbeddedPdpEngine failed to create new PDPEngine", e);
- return null;
- }
- logger.debug("embedded Engine created");
- //
- // Embedded call to PDP
- //
- long timeStart = System.currentTimeMillis();
- if (xacmlReq.getVfCount() == null ) {
- xacmlReq.setVfCount(1);
- }
- try {
- response = xacmlPdpEngine.decide(RequestParser.parseRequest(xacmlReq));
- } catch (Exception e) {
- logger.error("callEmbeddedPdpEngine failed on decide", e);
- }
- long timeEnd = System.currentTimeMillis();
- logger.debug("Elapsed Time: {} ms", (timeEnd - timeStart));
- //
- // Convert response to string
- //
- logger.debug("converting response to string");
- PolicyGuardResponse pgr = parseXacmlPdpResponse(response);
- logger.debug("parsed XacmlPdpResponse {}", pgr);
- String decision = pgr.getResult();
- logger.debug("decision={}",decision);
- return decision;
- }
-
- /**
- * Parse XACML PDP response.
- *
- * @param xacmlResponse the XACML response
- * @return the PolicyGuardResponse
- */
- public static PolicyGuardResponse parseXacmlPdpResponse(com.att.research.xacml.api.Response xacmlResponse) {
- if (xacmlResponse == null) {
- //
- // In case the actual XACML response was null, create an empty
- // response object with decision "Indeterminate"
- //
- return new PolicyGuardResponse("Indeterminate", null, "");
- }
-
- Iterator itRes = xacmlResponse.getResults().iterator();
-
- Result res = itRes.next();
- String decisionFromXacmlResponse = res.getDecision().toString();
- Iterator itAttrCat = res.getAttributes().iterator();
- UUID reqIdFromXacmlResponse = null;
- String operationFromXacmlResponse = "";
-
- while (itAttrCat.hasNext()) {
- Iterator itAttr = itAttrCat.next().getAttributes().iterator();
- while (itAttr.hasNext()) {
- Attribute currentAttr = itAttr.next();
- String attributeId = currentAttr.getAttributeId().stringValue();
- if ("urn:org:onap:guard:request:request-id".equals(attributeId)) {
- Iterator> itValues = currentAttr.getValues().iterator();
- reqIdFromXacmlResponse = UUID.fromString(itValues.next().getValue().toString());
- }
- if ("urn:org:onap:guard:operation:operation-id".equals(attributeId)) {
- Iterator> itValues = currentAttr.getValues().iterator();
- operationFromXacmlResponse = itValues.next().getValue().toString();
- }
- }
- }
-
- return new PolicyGuardResponse(decisionFromXacmlResponse, reqIdFromXacmlResponse, operationFromXacmlResponse);
-
- }
-
- private void init(Properties properties) {
- propfile = properties.getProperty("prop.guard.propfile");
-
- // used to store error messages
- StringBuilder sb = new StringBuilder();
-
- // fetch these parameters, if they exist
- String timeoutString = properties.getProperty("pdpx.timeout");
- String disabledString = properties.getProperty("guard.disabled");
-
- if (disabledString != null && Boolean.parseBoolean(disabledString)) {
- return;
- }
-
- ArrayList entries = initEntries(properties, 
sb);
-
- if (entries.isEmpty()) {
- sb.append("'pdpx.*' -- no URLs specified, ");
- } else {
- restUrls = entries.toArray(new UrlEntry[0]);
- }
-
- if (timeoutString != null) {
- try {
- // decode optional 'pdpx.timeout' parameter
- timeout = Integer.valueOf(timeoutString);
- } catch (NumberFormatException e) {
- sb.append("'pdpx.timeout': " + e + ", ");
- logger.trace(e.getLocalizedMessage());
- }
- }
-
-
- // if there are any errors, update 'errorMessage' & disable guard
- // queries
- if (sb.length() != 0) {
- // remove the terminating ", ", and extract resulting error message
- sb.setLength(sb.length() - 2);
- String errorMessage = sb.toString();
- logger.error("Initialization failure: {}", errorMessage);
- }
- }
-
- private ArrayList initEntries(Properties properties, StringBuilder sb) {
- // now, see which numeric entries (1-9) exist
- ArrayList entries = new ArrayList<>();
-
- for (int index = 0; index < 10; index += 1) {
- String urlPrefix = "guard.";
- if (index != 0) {
- urlPrefix = urlPrefix + index + ".";
- }
-
- // see if the associated URL exists
- String restUrllist = properties.getProperty(urlPrefix + "url");
- if (nullOrEmpty(restUrllist)) {
- // no entry for this index
- continue;
- }
-
- // support a list of entries separated by semicolons. 
Each entry
- // can be:
- // URL
- // URL,user
- // URL,user,password
- for (String restUrl : restUrllist.split("\\s*;\\s*")) {
- UrlEntry entry = initRestUrl(properties, sb, restUrl);
- // include this URLEntry in the list
- if (entry != null) {
- entries.add(entry);
- }
- }
- }
-
- return entries;
- }
-
- private UrlEntry initRestUrl(Properties properties, StringBuilder sb, String restUrl) {
- String urlPrefix = "guard.";
- String pdpxPrefix = "pdpx.";
-
- String[] segments = restUrl.split("\\s*,\\s*");
- String user = null;
- String password = null;
-
- if (segments.length >= 2) {
- // user id is provided
- restUrl = segments[0];
- user = segments[1];
- if (segments.length >= 3) {
- // password is also provided
- password = segments[2];
- }
- }
-
- // URL does exist -- create the entry
- UrlEntry urlEntry = new UrlEntry();
- try {
- urlEntry.restUrl = new URL(restUrl);
- } catch (java.net.MalformedURLException e) {
- // if we don't have a URL,
- // don't bother with the rest on this one
- sb.append("'").append(urlPrefix).append("url' '").append(restUrl).append("': ").append(e).append(",");
- return null;
- }
-
- if (nullOrEmpty(user)) {
- // user id was not provided on '*.url' line --
- // extract it from a separate property
- user = properties.getProperty(pdpxPrefix + "username", properties.getProperty("pdpx.username"));
- }
- if (nullOrEmpty(password)) {
- // password was not provided on '*.url' line --
- // extract it from a separate property
- password = properties.getProperty(pdpxPrefix + "password", properties.getProperty("pdpx.password"));
- }
-
- // see if 'user' and 'password' entries both exist
- if (!nullOrEmpty(user) && !nullOrEmpty(password)) {
- urlEntry.authorization = "Basic " + Base64.getEncoder().encodeToString((user + ":" + password).getBytes());
- }
-
- // see if 'client.user' and 'client.password' entries both exist
- String clientUser =
- properties.getProperty(pdpxPrefix + "client.username", properties.getProperty("pdpx.client.username"));
- String clientPassword =
- properties.getProperty(pdpxPrefix + "client.password", properties.getProperty("pdpx.client.password"));
- if (!nullOrEmpty(clientUser) && !nullOrEmpty(clientPassword)) {
- urlEntry.clientAuth =
- "Basic " + Base64.getEncoder().encodeToString((clientUser + ":" + clientPassword).getBytes());
- }
-
- // see if there is an 'environment' entry
- String environment =
- properties.getProperty(pdpxPrefix + "environment", properties.getProperty("pdpx.environment"));
- if (!nullOrEmpty(environment)) {
- urlEntry.environment = environment;
- }
-
- return urlEntry;
- }
-
- /**
- * Check if a string is null or an empty string.
- *
- * @param value the string to be tested
- * @return 'true' if the string is 'null' or has a length of 0, 'false' otherwise
- */
- private static boolean nullOrEmpty(String value) {
- return (value == null || value.isEmpty());
- }
-
- private static String readResponseFromStream(InputStream inputStream, int contentLength) throws IOException {
- // if content length is -1, response is chunked, and
- // TCP connection will be dropped at the end
- byte[] buf = new byte[contentLength < 0 ? 1024 : contentLength];
-
- int offset = 0;
- do {
- int size = inputStream.read(buf, offset, buf.length - offset);
- if (size < 0) {
- // In a chunked response a dropped connection is expected, but not if the response
- // is not chunked
- if (contentLength > 0) {
- logger.error("partial input stream");
- }
- break;
- }
- offset += size;
- }
- while (offset != contentLength);
-
- String response = new String(buf, 0, offset);
-
- //
- // Connection may have failed or not been 200 OK, return Indeterminate
- //
- if (response.isEmpty()) {
- return Util.INDETERMINATE;
- }
-
- return new JSONObject(response).getString("decision");
-
- }
-}
-- 
cgit 1.2.3-korg