From 88d1b6ccc92a42c94c2cd462789a90fcf245efb2 Mon Sep 17 00:00:00 2001 From: Jorge Hernandez Date: Wed, 19 Sep 2018 14:35:22 -0500 Subject: AAF Configuration in PDP-D AAF is disabled by default until pairwise testing is completed. Change-Id: Ica83873a2605742689ed0c2e06dfade20bef8bf0 Signed-off-by: Jorge Hernandez Issue-ID: POLICY-1043 
Signed-off-by: Jorge Hernandez --- .gitignore | 2 +- config/policy-engine.properties | 38 ----------------- config/policy-keystore | Bin 4535 -> 0 bytes config/policy-truststore | Bin 124180 -> 0 bytes .../feature/config/feature-healthcheck.properties | 2 + .../drools/healthcheck/AafHealthCheckFilter.java | 35 ++++++++++++++++ .../drools/healthcheck/HealthCheckFeatureTest.java | 23 ++++++++--- .../healthcheck/TestAafHealthCheckFilter.java | 46 +++++++++++++++++++++ packages/docker/src/main/docker/do-start.sh | 20 ++++++++- packages/install/src/files/base.conf | 5 +++ .../policy/drools/server/restful/aaf/AafBase.java | 35 ++++++++++++++++ .../server/restful/aaf/AafTelemetryAuthFilter.java | 41 ++++++++++++++++++ .../server-gen/bin/policy-management-controller | 4 +- .../src/main/server-gen/bin/rest-add-controller | 8 ++-- .../src/main/server-gen/bin/rest-delete-controller | 8 ++-- .../src/main/server/config/aaf-cadi.keyfile | 27 ++++++++++++ .../main/server/config/aaf-credentials.properties | 9 ++++ .../src/main/server/config/aaf-location.properties | 2 + .../src/main/server/config/aaf.properties | 11 +++++ .../main/server/config/policy-engine.properties | 3 ++ .../src/main/server/config/system.properties | 4 ++ .../server/restful/test/RestManagerTest.java | 39 +++++++++++++---- .../restful/test/TestAafTelemetryAuthFilter.java | 43 +++++++++++++++++++ 23 files changed, 340 insertions(+), 65 deletions(-) delete mode 100644 config/policy-engine.properties delete mode 100644 config/policy-keystore delete mode 100644 config/policy-truststore create mode 100644 feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java create mode 100644 feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java create mode 100644 policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java create mode 100644 
policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java create mode 100644 policy-management/src/main/server/config/aaf-cadi.keyfile create mode 100644 policy-management/src/main/server/config/aaf-credentials.properties create mode 100644 policy-management/src/main/server/config/aaf-location.properties create mode 100644 policy-management/src/main/server/config/aaf.properties create mode 100644 policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java diff --git a/.gitignore b/.gitignore index eb32cca6..144f2678 100644 --- a/.gitignore +++ b/.gitignore @@ -10,8 +10,8 @@ .metadata/ .idea/ target/ +*/config/ */logs/ */sql/ */testingLogs/ -*/config/ **/*.iml diff --git a/config/policy-engine.properties b/config/policy-engine.properties deleted file mode 100644 index 56c2a673..00000000 --- a/config/policy-engine.properties +++ /dev/null 
@@ -1,38 +0,0 @@ -### -# ============LICENSE_START======================================================= -# policy-management -# ================================================================================ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### - -# Policy Engine Configuration - -# Configuration Channel Settings: PDPD_CONFIGURATION - -http.server.services=CONFIG,SECURED-CONFIG -http.server.services.CONFIG.host=0.0.0.0 -http.server.services.CONFIG.port=9696 -http.server.services.CONFIG.restPackages=org.onap.policy.drools.server.restful -http.server.services.CONFIG.managed=false -http.server.services.CONFIG.swagger=true -http.server.services.CONFIG.https=false - -http.server.services.SECURED-CONFIG.host=0.0.0.0 -http.server.services.SECURED-CONFIG.port=9697 -http.server.services.SECURED-CONFIG.restPackages=org.onap.policy.drools.server.restful -http.server.services.SECURED-CONFIG.managed=false -http.server.services.SECURED-CONFIG.swagger=true -http.server.services.SECURED-CONFIG.https=true diff --git a/config/policy-keystore b/config/policy-keystore deleted file mode 100644 index b92217cf..00000000 Binary files a/config/policy-keystore and /dev/null differ 
diff --git a/config/policy-truststore b/config/policy-truststore deleted file mode 100644 index 8834ac25..00000000 Binary files a/config/policy-truststore and /dev/null differ diff --git a/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties b/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties index ec457b7d..e44543a8 100644 --- a/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties +++ b/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties @@ -27,6 +27,8 @@ http.server.services.HEALTHCHECK.swagger=true http.server.services.HEALTHCHECK.userName=${{HEALTHCHECK_USER}} http.server.services.HEALTHCHECK.password=${{HEALTHCHECK_PASSWORD}} http.server.services.HEALTHCHECK.https=true +http.server.services.HEALTHCHECK.aaf=false +http.server.services.HEALTHCHECK.filterClasses= http.client.services=PAP,PDP diff --git a/feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java b/feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java new file mode 100644 index 00000000..3cb9def6 --- /dev/null +++ b/feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java 
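Review bot: The two new keys `http.server.services.HEALTHCHECK.aaf=false` and the empty `filterClasses=` give an operator no hint of what turning AAF on actually requires; the only place the pairing is visible is HealthCheckFeatureTest, which sets `filterClasses` to an AafHealthCheckFilter subclass. Add a comment above them, e.g. `# AAF authorization disabled pending pairwise testing; to enable set aaf=true and filterClasses=org.onap.policy.drools.healthcheck.AafHealthCheckFilter`. Whether `aaf=true` alone is sufficient or the filter class must always be listed is decided in the common endpoint library, which is outside this diff, so confirm before wording the comment as a rule.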
@@ -0,0 +1,35 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP + * ================================================================================ + * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.drools.healthcheck; + +import org.onap.policy.common.endpoints.http.server.aaf.AafGranularAuthFilter; +import org.onap.policy.drools.server.restful.aaf.AafBase; + +/** + * Healthcheck AAF Authorization Filter + */ +public class AafHealthCheckFilter extends AafGranularAuthFilter { + + @Override + public String getPermissionTypeRoot() { + return AafBase.AAF_ROOT_PERMISSION; + } +} diff --git a/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java index 8ae73435..e0312f1f 100644 --- a/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java +++ b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java 
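Review bot: The Javadoc "Healthcheck AAF Authorization Filter" should say what this class contributes, because the only thing it does is return `AafBase.AAF_ROOT_PERMISSION` as the permission-type root; the granular permission string and the allow/deny decision live in `AafGranularAuthFilter`, outside this diff. TestAafHealthCheckFilter expects the resulting permission to look like `org.onap.policy.pdpd.healthcheck.test|<hostname>|get`, which suggests the superclass appends the request path segments, the host name and the method — worth stating in the Javadoc as the expected AAF permission shape so whoever provisions the AAF namespace knows what to grant. A two-line class comment naming the root property (`aaf.root.permission`) and that expected triple would suffice.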
@@ -25,6 +25,7 @@ import static org.junit.Assert.assertTrue; import java.io.File; import java.io.FileWriter; +import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; @@ -34,6 +35,7 @@ import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; import org.onap.policy.common.endpoints.properties.PolicyEndPointProperties; +import org.onap.policy.common.utils.network.NetworkUtil; import org.onap.policy.drools.healthcheck.HealthCheck.Report; import org.onap.policy.drools.healthcheck.HealthCheck.Reports; import org.onap.policy.drools.persistence.SystemPersistence; @@ -81,7 +83,11 @@ public class HealthCheckFeatureTest { PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + "HEALTHCHECK" + PolicyEndPointProperties.PROPERTY_HTTP_REST_CLASSES_SUFFIX, org.onap.policy.drools.healthcheck.RestMockHealthCheck.class.getName()); - httpProperties.setProperty(PolicyEndPointProperties.PROPERTY_HTTP_CLIENT_SERVICES + "." + "HEALTHCHECK" + httpProperties.setProperty( + PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + "HEALTHCHECK" + + PolicyEndPointProperties.PROPERTY_HTTP_FILTER_CLASSES_SUFFIX, + org.onap.policy.drools.healthcheck.TestAafHealthCheckFilter.class.getName()); + httpProperties.setProperty(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + "HEALTHCHECK" + PolicyEndPointProperties.PROPERTY_MANAGED_SUFFIX, "true"); @@ -101,7 +107,6 @@ public class HealthCheckFeatureTest { httpProperties.setProperty(PolicyEndPointProperties.PROPERTY_HTTP_CLIENT_SERVICES + "." + "HEALTHCHECK" + PolicyEndPointProperties.PROPERTY_MANAGED_SUFFIX, "true"); - configDirSetup(); } 
@@ -117,15 +122,21 @@ public class HealthCheckFeatureTest { } @Test - public void test() { + public void test() throws IOException, InterruptedException { HealthCheckFeature feature = new HealthCheckFeature(); feature.afterStart(PolicyEngine.manager); + if (!NetworkUtil.isTcpPortOpen("localhost", 7777, 5, 10000L)) { + throw new IllegalStateException("cannot connect to port " + 7777); + } + Reports reports = HealthCheck.monitor.healthCheck(); + assertTrue(reports.getDetails().size() > 0); + for (Report rpt : reports.getDetails()) { - if (rpt.getName() == "HEALTHCHECK") { + if ("HEALTHCHECK".equals(rpt.getName())) { assertTrue(rpt.isHealthy()); assertEquals(200, rpt.getCode()); assertEquals("All Alive", rpt.getMessage()); @@ -141,7 +152,7 @@ public class HealthCheckFeatureTest { /** * setup up config directory. */ - protected static void configDirSetup() { + private static void configDirSetup() { File origPropsFile = new File(healthCheckPropsPath.toString()); File backupPropsFile = new File(healthCheckPropsBackupPath.toString()); @@ -167,7 +178,7 @@ public class HealthCheckFeatureTest { /** * cleanup up config directory. */ - protected static void configDirCleanup() { + private static void configDirCleanup() { File origPropsFile = new File(healthCheckPropsBackupPath.toString()); File backupPropsFile = new File(healthCheckPropsPath.toString()); diff --git a/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java new file mode 100644 index 00000000..03ca6897 --- /dev/null +++ b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java 
@@ -0,0 +1,46 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP + * ================================================================================ + * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.drools.healthcheck; + +import javax.servlet.http.HttpServletRequest; +import org.onap.policy.common.utils.network.NetworkUtil; + +/** + * Healthcheck AAF Authorization Filter + */ +public class TestAafHealthCheckFilter extends AafHealthCheckFilter { + + @Override + protected String getRole(HttpServletRequest request) { + String expectedPerm = "org.onap.policy.pdpd.healthcheck.test|" + + NetworkUtil.getHostname() + "|get"; + if (!expectedPerm.equals(super.getRole(request))) { + throw new IllegalStateException("unexpected AAF granular permission"); + } else { + return "user"; + } + } + + @Override + public String getPermissionTypeRoot() { + return "org.onap.policy.pdpd"; + } +} diff --git a/packages/docker/src/main/docker/do-start.sh b/packages/docker/src/main/docker/do-start.sh index 9e4659df..af7b3d9c 100644 --- a/packages/docker/src/main/docker/do-start.sh +++ b/packages/docker/src/main/docker/do-start.sh 
@@ -56,7 +56,7 @@ else . /opt/app/policy/etc/profile.d/env.sh - # override the policy keystore and truststore if present + # allow user to override the key or/and the trust stores if [[ -f config/policy-keystore ]]; then cp -f config/policy-keystore ${POLICY_HOME}/etc/ssl @@ -66,6 +66,24 @@ else cp -f config/policy-truststore ${POLICY_HOME}/etc/ssl fi + # allow user to override all or some aaf configuration + + if [[ -f config/aaf.properties ]]; then + cp -f config/aaf.properties ${POLICY_HOME}/config/aaf.properties + fi + + if [[ -f config/aaf-location.properties ]]; then + cp -f config/aaf-location.properties ${POLICY_HOME}/config/aaf-location.properties + fi + + if [[ -f config/aaf-credentials.properties ]]; then + cp -f config/aaf-credentials.properties ${POLICY_HOME}/config/aaf-credentials.properties + fi + + if [[ -f config/aaf-cadi.keyfile ]]; then + cp -f config/aaf-cadi.keyfile ${POLICY_HOME}/config/aaf-cadi.keyfile + fi + if [[ -f config/drools-tweaks.sh ]] ; then echo "Executing tweaks" # file may not be executable; running it as an diff --git a/packages/install/src/files/base.conf b/packages/install/src/files/base.conf index 0c440937..dd9e7c56 100644 --- a/packages/install/src/files/base.conf +++ b/packages/install/src/files/base.conf @@ -59,6 +59,11 @@ PDPD_CONFIGURATION_CONSUMER_GROUP= PDPD_CONFIGURATION_CONSUMER_INSTANCE= PDPD_CONFIGURATION_PARTITION_KEY= +# AAF + +AAF_NAMESPACE=org.onap.policy +AAF_HOST=aaf-onap-test.osaaf.org + # PAP PAP_HOST= diff --git a/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java new file mode 100644 index 00000000..0c8465a7 --- /dev/null +++ b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java 
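Review bot: `cp -f config/aaf-cadi.keyfile ${POLICY_HOME}/config/aaf-cadi.keyfile` copies what is presumably the CADI symmetric keyfile (the one `cadi_keyfile` in aaf-credentials.properties points at, used to unwrap `enc:` values) without tightening its permissions, so the resulting mode is whatever the mounted file and umask give. The same applies to `aaf-credentials.properties`, which after `${{...}}` substitution holds the keystore and truststore passwords in clear text. Add after the copies `chmod 600 ${POLICY_HOME}/config/aaf-cadi.keyfile ${POLICY_HOME}/config/aaf-credentials.properties` (guarded by the same `-f` tests), and consider a comment that these two files are secrets rather than ordinary overrides. The surrounding `else` branch starts before this hunk.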
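Review bot: `AAF_HOST=aaf-onap-test.osaaf.org` makes an external test AAF deployment the default authority for every install that does not override it, and aaf.properties derives `aaf_locate_url=https://${{AAF_HOST}}:8095` from it, so enabling AAF with defaults would delegate authorization decisions to a host outside the deployment. The other endpoints in this file (`PAP_HOST=`) are left empty for the installer to fill in; doing the same here, with a comment such as `# AAF_HOST must be set to the deployment's own AAF locator before aaf=true is used anywhere`, fails loudly instead of quietly trusting a public test instance. I am inferring the role of the locator URL from the property names, so please confirm against the CADI configuration docs.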
@@ -0,0 +1,35 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.server.restful.aaf;
+
+import org.onap.policy.common.endpoints.http.server.aaf.AafAuthFilter;
+import org.onap.policy.drools.system.PolicyEngine;
+
+/**
+ * AAF Base Class
+ */
+public abstract class AafBase extends AafAuthFilter {
+ public static final String AAF_NODETYPE = "pdpd";
+ public static final String AAF_ROOT_PERMISSION_PROPERTY = "aaf.root.permission";
+ public static final String AAF_ROOT_PERMISSION =
+ PolicyEngine.manager.getProperties().getProperty
+ (AAF_ROOT_PERMISSION_PROPERTY, DEFAULT_NAMESPACE + "." + AAF_NODETYPE);
+}
diff --git a/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java
new file mode 100644
index 00000000..f2e50ee2
--- /dev/null
+++ b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java
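Review bot: `AAF_ROOT_PERMISSION` is a `static final` evaluated once when AafBase is initialized, from `PolicyEngine.manager.getProperties()`, so whatever `aaf.root.permission` holds at that instant is frozen for the JVM lifetime; if any subclass (AafTelemetryAuthFilter's own static `RESOURCE_TYPE` forces this) is loaded before the engine properties are populated, the fallback `DEFAULT_NAMESPACE + ".pdpd"` is baked in and every permission check looks for the wrong type. Replacing the constant with a method, `public static String rootPermission() { return PolicyEngine.manager.getProperties().getProperty(AAF_ROOT_PERMISSION_PROPERTY, DEFAULT_NAMESPACE + "." + AAF_NODETYPE); }`, and calling it at request time removes the initialization-order dependency, at the cost of updating the two subclasses. Whether that ordering can actually occur depends on when PolicyEngine loads its properties, which is not visible here, so at minimum a Javadoc on the constant should state that it is resolved once at class load and that `DEFAULT_NAMESPACE` comes from AafAuthFilter.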
@@ -0,0 +1,41 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.server.restful.aaf;
+
+import javax.servlet.http.HttpServletRequest;
+import org.onap.policy.common.utils.network.NetworkUtil;
+
+/**
+ * AAF Telemetry Authorization
+ */
+public class AafTelemetryAuthFilter extends AafBase {
+ private static final String RESOURCE_TYPE = AAF_ROOT_PERMISSION + "." + "telemetry";
+
+ @Override
+ protected String getPermissionType(HttpServletRequest request) {
+ return RESOURCE_TYPE;
+ }
+
+ @Override
+ protected String getPermissionInstance(HttpServletRequest request) {
+ return NetworkUtil.getHostname();
+ }
+}
diff --git a/policy-management/src/main/server-gen/bin/policy-management-controller b/policy-management/src/main/server-gen/bin/policy-management-controller
index cc6a8c7d..bad1783f 100644
--- a/policy-management/src/main/server-gen/bin/policy-management-controller
+++ b/policy-management/src/main/server-gen/bin/policy-management-controller
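Review bot: `getPermissionInstance` returns `NetworkUtil.getHostname()`, which ties the AAF permission instance to the host name of the process; in a containerized deployment where names are generated, the permission has to be granted per instance or with a wildcard instance, otherwise the filter denies every telemetry call once AAF is enabled. That deployment contract belongs in the class Javadoc: this filter authorizes against permission type `<aaf.root.permission>.telemetry`, instance `<hostname>`, and an action derived from the HTTP method (TestAafTelemetryAuthFilter expects the lowercased method, but the action is computed in AafAuthFilter outside this diff, so hedge accordingly). `RESOURCE_TYPE` is also computed at class-initialization time from `AAF_ROOT_PERMISSION`, so it inherits whatever value that constant had when AafBase was first loaded.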
@@ -96,9 +96,9 @@ function um_stop() { remove_pid_file else if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then - http_proxy= curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null + http_proxy= curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null else - http_proxy= curl --silent -X DELETE http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null + http_proxy= curl -k --silent -X DELETE https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null fi sleep 5 echo "Stopping $SNAME..." diff --git a/policy-management/src/main/server-gen/bin/rest-add-controller b/policy-management/src/main/server-gen/bin/rest-add-controller index 187b2916..0dd82eec 100644 --- a/policy-management/src/main/server-gen/bin/rest-add-controller +++ b/policy-management/src/main/server-gen/bin/rest-add-controller 
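Review bot: The switch to `https://localhost:...` adds `curl -k`, which disables certificate verification, so the `--user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD}` basic-auth credentials are sent to whatever answers on that loopback port; the loopback bounds the exposure, but the same `-k` pattern is repeated in rest-add-controller and rest-delete-controller and tends to get copied into non-local scripts. Prefer verifying against the server's own CA, e.g. `curl --cacert ${POLICY_HOME}/etc/ssl/<pem-export-of-policy-truststore> ...` (the truststore shipped here is a JKS, so a PEM export would need to be produced at install time), or at least add `# -k: loopback only, server cert is the self-signed policy-keystore` so the reason is recorded. The change also assumes the management endpoint now serves TLS, which is configured in properties not shown in this diff. `um_stop` starts before this hunk.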
@@ -26,11 +26,11 @@ json=$1-controller.rest.json if [ -f ${json} ]; then if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then - curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X POST --data @${json} --header "Content-Type: application/json" \ - http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers + curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X POST --data @${json} --header "Content-Type: application/json" \ + https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers else - curl --silent -X POST --data @${json} --header "Content-Type: application/json" \ - http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers + curl -k --silent -X POST --data @${json} --header "Content-Type: application/json" \ + https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers fi else echo "Usage: rest-add-controller.sh closed-loop-sample|reporter|sepc|vsegw|.. (or any other config file ending with *-controller.rest.json)" diff --git a/policy-management/src/main/server-gen/bin/rest-delete-controller b/policy-management/src/main/server-gen/bin/rest-delete-controller index de1d601c..03e67483 100644 --- a/policy-management/src/main/server-gen/bin/rest-delete-controller +++ b/policy-management/src/main/server-gen/bin/rest-delete-controller 
@@ -24,11 +24,11 @@ source $POLICY_HOME/etc/profile.d/env.sh if [[ -n $1 ]]; then if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then - curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE --header "Content-Type: application/json" \ - http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1} + curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE --header "Content-Type: application/json" \ + https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1} else - curl --silent -X DELETE --header "Content-Type: application/json" \ - http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1} + curl -k --silent -X DELETE --header "Content-Type: application/json" \ + https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1} fi echo exit diff --git a/policy-management/src/main/server/config/aaf-cadi.keyfile b/policy-management/src/main/server/config/aaf-cadi.keyfile new file mode 100644 index 00000000..59d544f3 --- /dev/null +++ b/policy-management/src/main/server/config/aaf-cadi.keyfile 
@@ -0,0 +1,27 @@ +N3INM2bAlQ8cNODnjR3Fuvo5z4GeID0KnRYlELmt-oHCFxq_XYVyepBVR591CIbJI9prNd_LLuv7 +tQD8xX_ypcNA-jQsecTwtw4GxvpqkZPhq6Q8BWNQaCegtXGDVTQ8gG2biKiQ7v-2C6Qhx4zj62b6 +bRPS5j1bfxqcAZu7082V00oQjbn40T2zFcLwCuBChZfx5DXTW49bwtLbkCbGqJSzFcIJpbGQ8gLg +ussIoL8VE2Vee7bPJmUAdT4x9B1wrMIuvKlUMppeq0Bj-6ZJgxhM9F0WT8eEBh6NFANdK3LUgZrk +D3kY3LrK-MT9u1TOMx13nOU7vOaVjl7_rkp5Q65gFd9VYbnJBYvJcc7asOQMsrugiSiRIoXH0Fyy +-f9L3ROGae042J4M8qxcoOihMbcjVkEXqn6eRIFbDe0eIAlkSRYfaxg9v4tf8GbBjQcShBjzGaI2 +g6QxTA5G6Aa7p63aVRGv3ZODCHcbsbxnkyByXgmkON4cTk9vR0RbT6YYhT5t8xTU3rhqV3jeE0Bz +KbU0c4188xTnhdq_bje2TuuLvtEvevdvDsbtAj7chQmWMOW7GMF3MnqdEpcw1NCoNRdN8wpAdE-5 +mkG-jlYHljSRh9qZK5wdEoO4IXgpFktdGj50XuzcskqqURNfDGHGb29fHznL1-ssdQK6EXcKN0AU +nYyGLAie3VfFxWKj5dGODBs5RttvkX4PHyLcLD3kOrVgtQrz7d0PWWYCxDRqKT6qnJkLB1CUwghn +XweEiDfoQmuUmwFEQNRDp0NGLnde5nsw7NYgLrv5VafGK8EyT4GeVhuu5Tnb6T-HalxCq2p5JaIA +SG8zlDmRx_TykrhfQEJe7sr0pRcAMwgxEhwunG2oBiKnzdRx5jxMfqnVC8xGirumhmOQNterfnd5 +0pIsfvIuntyxRQ48yzIb2gb5kaSkfSzCaVnlqK-_jpj1T74qO86eaKVee4faQAbXDPYF2z5w06nD +WS2dd54wBjGmkFNzi13ejTrAJeA6UzOd1CF_WSpc9XSJJPTPUGxmnfLjmGThErFBYuQxjhpH7vKN +uZgokkIXX78rVcO3zpfa5kTYWjE8lk9y3WA7sGNtTWfG8bR3WLWNLPCnrzxtKZdhq2JsQYC0gwW7 +ZgJSXhgPoaC_RrtCn7haj1_601G_MkD-jcUEsO-4XOBVicsCgG8hn7B-SpgKspqv8gulbeKoORqa +CkrtiFPlXEqdNuaBSHcQ0MWJ3tpXzWtIPM3ouEFOR32xVfptfz4sRPOkM_PNiVXxQtLOn_z3uC7K +VVJCKZxVaavQ6QiZvRRANS9_GD3kDILX15EnbEvh-2DfycDrEo330vMwvNJP7i9eM5vo0YADe--G +r5UDqctmFjl1ulc1yAQkDBGWGxT92x-hhLqCnCXcYPu_aeWssfDpRj573PHPaTiM0SYxJixjszRD +6-AMC1DqugkjiGA5_enQORn-G_H4ZVtoQ_zebizEfIxKv5-8uRdyZDHGG3mDu6_nasEffry-UyVu +STU3oJMycZ1qf5GR1evRJ7gxkrtPXHWKNnVgxfrBC72ON6wJnr7KaY-l9L44epIsk1pEmXm3YQu1 +N0NxiAwdus9OnCXQ7GgZPRXCpxjJPNs7EIKFrYjKJfdtSzT85ZrTpHQtjim2L1ZP9iIlq2QVKD1v +bKSjCwjtb9ztjrV-Bw1BHcAApPcfpXHLhYkJ7iL1XUhxjXp_DGUkD7ZN9S5tuyrsMXz5hh6wMfcq +NPR_XqHaS2ur-ONNrHuFFCmY7Ehc5FArFzb_Xn1JTpOQJTcy6_3r3u3B_euT8GmXHahtVN1Rv8RM +kAD5m_UBx-nHoZDVDYZkfR9k4hF2Sz5rfrWs6Zrl0r8FBrVFtU1j2vOTvTGwrkO9yZvgIqOkX_eq 
+TnGIpM4paHxEGTP8H8A3Y0ZpsvLttmh0rT_OwzBPa1Mof3RQKhyTzfbptxuUJyVxU0Ln-9f--5Mk +wEFqhuSrgssI6b1iMqm97PqFQMYrWX3SV8l0V-PKxFxDM1bguHq4mOXEtmZBUtMBepwSsI96 \ No newline at end of file diff --git a/policy-management/src/main/server/config/aaf-credentials.properties b/policy-management/src/main/server/config/aaf-credentials.properties new file mode 100644 index 00000000..aaa5f161 --- /dev/null +++ b/policy-management/src/main/server/config/aaf-credentials.properties @@ -0,0 +1,9 @@ +cm_url=https://AAF_LOCATE_URL/AAF_NS.cm:2.1 +cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US +cadi_keyfile=${{POLICY_HOME}}/config/aaf-cadi.keyfile +cadi_keystore=${{POLICY_HOME}}/etc/ssl/policy-keystore +cadi_keystore_password=${{KEYSTORE_PASSWD}} +cadi_key_password=${{KEYSTORE_PASSWD}} +cadi_alias=policy@policy.onap.org +cadi_truststore=${{POLICY_HOME}}/etc/ssl/policy-truststore +cadi_truststore_password=${{TRUSTSTORE_PASSWD}} \ No newline at end of file diff --git a/policy-management/src/main/server/config/aaf-location.properties b/policy-management/src/main/server/config/aaf-location.properties new file mode 100644 index 00000000..dc828e71 --- /dev/null +++ b/policy-management/src/main/server/config/aaf-location.properties @@ -0,0 +1,2 @@ +cadi_latitude=38.000 +cadi_longitude=-72.000 diff --git a/policy-management/src/main/server/config/aaf.properties b/policy-management/src/main/server/config/aaf.properties new file mode 100644 index 00000000..8084be99 --- /dev/null +++ b/policy-management/src/main/server/config/aaf.properties 
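Review bot: A CADI keyfile is being committed to the repository, and aaf-credentials.properties points `cadi_keyfile` at it; assuming this is the symmetric key CADI uses for `enc:` values, anything ever encrypted under it is recoverable by anyone with a clone, so it provides no confidentiality. Nothing in this commit is encrypted with it (the store passwords are plain `${{KEYSTORE_PASSWD}}` substitutions), which makes it a footgun rather than a current leak, but the safe shape is to generate the keyfile at install or container start, leave this path in `.gitignore`, and rely on the `config/aaf-cadi.keyfile` override that do-start.sh already honors. The file also ends without a trailing newline; whether CADI tolerates that is not visible here.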
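Review bot: After substitution this file contains the keystore and truststore passwords in clear text (`cadi_keystore_password=${{KEYSTORE_PASSWD}}`, `cadi_truststore_password=${{TRUSTSTORE_PASSWD}}`), and `cadi_key_password` reuses `KEYSTORE_PASSWD`, so one secret unlocks both the store and the private key; the file therefore needs the same handling as the keyfile (owner-only mode), which nothing in the install or start scripts enforces. Add a header comment, `# holds clear-text store passwords after substitution; keep mode 0600`, and consider a distinct key password if the keystore was created with one. `cadi_x509_issuers` pins exactly `intermediateCA_1` and `intermediateCA_7`, and `cadi_alias=policy@policy.onap.org` must exist in policy-keystore; both are deployment assumptions worth a comment, since rotating the issuing CA or regenerating the keystore under another alias would silently break certificate authentication.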
@@ -0,0 +1,11 @@ +cadi_prop_files=${{POLICY_HOME}}/config/aaf-credentials.properties:${{POLICY_HOME}}/config/aaf-location.properties +cadi_loglevel=DEBUG +aaf_env=DEV +aaf_locate_url=https://${{AAF_HOST}}:8095 +aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect +aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.1/token +aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.1 +cadi_protocols=TLSv1.1,TLSv1.2 +cm_url=https://AAF_LOCATE_URL/AAF_NS.cm:2.1 +fs_url=https://AAF_LOCATE_URL/AAF_NS.fs.2.1 +gui_url=https://AAF_LOCATE_URL/AAF_NS.gui.2.1 diff --git a/policy-management/src/main/server/config/policy-engine.properties b/policy-management/src/main/server/config/policy-engine.properties index 758d13eb..8e517528 100644 --- a/policy-management/src/main/server/config/policy-engine.properties +++ b/policy-management/src/main/server/config/policy-engine.properties @@ -49,3 +49,6 @@ http.server.services.SECURED-CONFIG.restPackages=org.onap.policy.drools.server.r http.server.services.SECURED-CONFIG.managed=false http.server.services.SECURED-CONFIG.swagger=true http.server.services.SECURED-CONFIG.https=true + +aaf.namespace=${{AAF_NAMESPACE}} +aaf.root.permission=${{AAF_NAMESPACE}}.pdpd diff --git a/policy-management/src/main/server/config/system.properties b/policy-management/src/main/server/config/system.properties index 5c024e15..6bac0ea6 100644 --- a/policy-management/src/main/server/config/system.properties +++ b/policy-management/src/main/server/config/system.properties @@ -34,6 +34,10 @@ javax.net.ssl.trustStorePassword=${{TRUSTSTORE_PASSWD}} javax.net.ssl.keyStore=${{POLICY_HOME}}/etc/ssl/policy-keystore javax.net.ssl.keyStorePassword=${{KEYSTORE_PASSWD}} +# aaf + +cadi_prop_files=config/aaf.properties + # standard logging logback.configurationFile=config/logback.xml 
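Review bot: `cadi_loglevel=DEBUG` ships debug logging as the production default, and CADI debug output can include principal and request details; the default should be `cadi_loglevel=INFO` with DEBUG left for troubleshooting. `cadi_protocols=TLSv1.1,TLSv1.2` also enables TLS 1.1, which is deprecated, for every outbound AAF connection — `cadi_protocols=TLSv1.2` unless the target AAF instance is known to require the older protocol. `aaf_env=DEV` together with the test locator default in base.conf makes it clear this is a development profile; a one-line comment at the top saying so would stop it being deployed unchanged.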
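Review bot: `cadi_prop_files=config/aaf.properties` is a relative path, whereas aaf.properties itself chains its files as `${{POLICY_HOME}}/config/...`; a relative value resolves against the JVM working directory, so starting the engine from anywhere but `${POLICY_HOME}` would leave CADI without configuration, and whether that fails closed or open is decided inside CADI, not here. Use `cadi_prop_files=${{POLICY_HOME}}/config/aaf.properties` for consistency with the other paths in this file. The trailing `# standard logging` context suggests the hunk is otherwise self-contained.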
diff --git a/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java index 68a52ade..ce34ec8a 100644 --- a/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java +++ b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java @@ -29,14 +29,17 @@ import java.nio.file.Paths; import java.util.Properties; import org.apache.http.HttpEntity; -import org.apache.http.client.ClientProtocolException; +import org.apache.http.auth.AuthScope; +import org.apache.http.auth.UsernamePasswordCredentials; +import org.apache.http.client.CredentialsProvider; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpDelete; import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpPut; import org.apache.http.entity.StringEntity; +import org.apache.http.impl.client.BasicCredentialsProvider; import org.apache.http.impl.client.CloseableHttpClient; -import org.apache.http.impl.client.HttpClients; +import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.util.EntityUtils; import org.junit.AfterClass; import org.junit.BeforeClass; @@ -45,6 +48,7 @@ import org.junit.Test; import org.junit.runners.MethodSorters; import org.onap.policy.common.endpoints.event.comm.TopicEndpoint; import org.onap.policy.common.endpoints.properties.PolicyEndPointProperties; +import org.onap.policy.common.utils.network.NetworkUtil; import org.onap.policy.drools.persistence.SystemPersistence; import org.onap.policy.drools.system.PolicyController; import org.onap.policy.drools.system.PolicyEngine; 
@@ -53,10 +57,12 @@ import org.slf4j.LoggerFactory; @FixMethodOrder(MethodSorters.NAME_ASCENDING) public class RestManagerTest { - public static final int DEFAULT_TELEMETRY_PORT = 7887; + private static final int DEFAULT_TELEMETRY_PORT = 7887; private static final String HOST = "localhost"; private static final String REST_MANAGER_PATH = "/policy/pdp"; private static final String HOST_URL = "http://" + HOST + ":" + DEFAULT_TELEMETRY_PORT + REST_MANAGER_PATH; + private static final String TELEMETRY_USER = "x"; + private static final String TELEMETRY_PASSWORD = "y"; private static final String FOO_CONTROLLER = "foo"; private static final String UEB_TOPIC = "UEB-TOPIC-TEST"; @@ -100,7 +106,7 @@ public class RestManagerTest { * @throws IOException throws an IO exception */ @BeforeClass - public static void setUp() throws IOException { + public static void setUp() throws IOException, InterruptedException { cleanUpWorkingDirs(); SystemPersistence.manager.setConfigurationDir(null); 
@@ -110,6 +116,15 @@ public class RestManagerTest { engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_PORT_SUFFIX, "" + DEFAULT_TELEMETRY_PORT); + engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_FILTER_CLASSES_SUFFIX, + TestAafTelemetryAuthFilter.class.getName()); + engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_AUTH_USERNAME_SUFFIX, + TELEMETRY_USER); + engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_AUTH_PASSWORD_SUFFIX, + TELEMETRY_PASSWORD); /* other properties */ engineProps.put(PolicyEndPointProperties.PROPERTY_UEB_SOURCE_TOPICS, UEB_TOPIC); @@ -132,10 +147,16 @@ public class RestManagerTest { Properties controllerProps = new Properties(); PolicyEngine.manager.createPolicyController(FOO_CONTROLLER, controllerProps); + // client = HttpClients.createDefault(); + CredentialsProvider provider = new BasicCredentialsProvider(); + UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(TELEMETRY_USER, TELEMETRY_PASSWORD); + provider.setCredentials(AuthScope.ANY, credentials); - client = HttpClients.createDefault(); - + client = HttpClientBuilder.create().setDefaultCredentialsProvider(provider).build(); + if (!NetworkUtil.isTcpPortOpen("localhost", DEFAULT_TELEMETRY_PORT, 5, 10000L)) { + throw new IllegalStateException("cannot connect to port " + DEFAULT_TELEMETRY_PORT); + } } /** 
@@ -157,7 +178,7 @@ public class RestManagerTest { @Test - public void putDeleteTest() throws ClientProtocolException, IOException, InterruptedException { + public void putDeleteTest() throws IOException { HttpDelete httpDelete; CloseableHttpResponse response; @@ -358,7 +379,7 @@ public class RestManagerTest { @Test - public void getTest() throws ClientProtocolException, IOException, InterruptedException { + public void getTest() throws IOException { HttpGet httpGet; CloseableHttpResponse response; @@ -854,7 +875,7 @@ public class RestManagerTest { * @param response incoming response * @return the body or null */ - public String getResponseBody(CloseableHttpResponse response) { + private String getResponseBody(CloseableHttpResponse response) { HttpEntity entity; try { diff --git a/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java new file mode 100644 index 00000000..c7d52325 --- /dev/null +++ b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java 
@@ -0,0 +1,43 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP + * ================================================================================ + * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.drools.server.restful.test; + +import javax.servlet.http.HttpServletRequest; +import org.onap.policy.common.utils.network.NetworkUtil; +import org.onap.policy.drools.server.restful.aaf.AafTelemetryAuthFilter; + +/** + * Test AAF Telemetry Authorization Filter for Junits + */ +public class TestAafTelemetryAuthFilter extends AafTelemetryAuthFilter { + + @Override + protected String getRole(HttpServletRequest request) { + String expectedPerm = "org.onap.policy.pdpd.telemetry|" + + NetworkUtil.getHostname() + "|" + + request.getMethod().toLowerCase(); + if (!expectedPerm.equals(super.getRole(request))) { + throw new IllegalStateException("unexpected permission"); + } else { + return "user"; + } + } +} -- cgit 1.2.3-korg