Add filter to control xacml-pdp rest api

Added a filter class for the REST server that only allows "API" services
(i.e., decision API services) through when the API is enabled,
disallowing them otherwise.  The filter always allows PDP-wide services
(e.g., "healthcheck").
Per review comments:
- modified the new class to "implement Filter" rather than "extends
  AafFilter"

Issue-ID: POLICY-3531
Change-Id: I7055e21045eea270e454a47a443b29476d9a85ee
Signed-off-by: Jim Hahn <jrh3@att.com>

4 files changed, 113 insertions, 21 deletions

diff --git a/main/src/main/java/org/onap/policy/pdpx/main/XacmlState.java b/main/src/main/java/org/onap/policy/pdpx/main/XacmlState.java
index d1e326f1..a2c8ca94 100644
--- a/main/src/main/java/org/onap/policy/pdpx/main/XacmlState.java
+++ b/main/src/main/java/org/onap/policy/pdpx/main/XacmlState.java
@@ -179,10 +179,10 @@ public class XacmlState {
     private void handleXacmlRestController() {
         if (status.getState() == PdpState.ACTIVE) {
             LOGGER.info("State change: {} - Starting rest controller", status.getState());
-            XacmlPdpActivator.getCurrent().startXacmlRestController();
+            XacmlPdpActivator.getCurrent().enableApi();
         } else if (status.getState() == PdpState.PASSIVE) {
             LOGGER.info("State change: {} - Stopping rest controller", status.getState());
-            XacmlPdpActivator.getCurrent().stopXacmlRestController();
+            XacmlPdpActivator.getCurrent().disableApi();
         } else {
             // unsupported state
             LOGGER.warn("Unsupported state: {}", status.getState());
diff --git a/main/src/main/java/org/onap/policy/pdpx/main/rest/XacmlPdpServiceFilter.java b/main/src/main/java/org/onap/policy/pdpx/main/rest/XacmlPdpServiceFilter.java
new file mode 100644
index 00000000..50dafd52
--- /dev/null
+++ b/main/src/main/java/org/onap/policy/pdpx/main/rest/XacmlPdpServiceFilter.java
@@ -0,0 +1,91 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.pdpx.main.rest;
+
+import java.io.IOException;
+import java.util.Set;
+import java.util.concurrent.atomic.AtomicBoolean;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Filter that verifies that the API services (i.e., decision services) are enabled
+ * before allowing the request through.
+ */
+public class XacmlPdpServiceFilter implements Filter {
+
+    /**
+     * Services the are always available, even when the API is disabled.
+     */
+    public static final Set<String> PERMANENT_SERVICES = Set.of("healthcheck", "statistics");
+
+
+    private static final AtomicBoolean apiDisabled = new AtomicBoolean(true);
+
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
+                    throws IOException, ServletException {
+
+        HttpServletRequest request = (HttpServletRequest) servletRequest;
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+
+        if (apiDisabled.get() && !PERMANENT_SERVICES.contains(getUriSuffix(request))) {
+            response.setStatus(HttpServletResponse.SC_CONFLICT);
+        } else {
+            filterChain.doFilter(servletRequest, servletResponse);
+        }
+    }
+
+    private String getUriSuffix(HttpServletRequest request) {
+        String uri = request.getRequestURI();
+        int index = uri.lastIndexOf('/');
+        return (index < 0 ? uri : uri.substring(index + 1));
+    }
+
+    /**
+     * Determines if API services are enabled.
+     *
+     * @return {@code true}, if API services are enabled
+     */
+    public static boolean isApiEnabled() {
+        return !apiDisabled.get();
+    }
+
+    /**
+     * Enables the API services.
+     */
+    public static void enableApi() {
+        apiDisabled.set(false);
+    }
+
+    /**
+     * Disables the API services.
+     */
+    public static void disableApi() {
+        apiDisabled.set(true);
+    }
+}
diff --git a/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpActivator.java b/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpActivator.java
index 892b3835..531374d0 100644
--- a/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpActivator.java
+++ b/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpActivator.java
@@ -20,6 +20,7 @@
 
 package org.onap.policy.pdpx.main.startstop;
 
+import java.util.List;
 import lombok.Getter;
 import lombok.Setter;
 import org.onap.policy.common.endpoints.event.comm.TopicEndpointManager;
@@ -44,6 +45,7 @@ import org.onap.policy.pdpx.main.parameters.XacmlPdpParameterGroup;
 import org.onap.policy.pdpx.main.rest.XacmlPdpAafFilter;
 import org.onap.policy.pdpx.main.rest.XacmlPdpApplicationManager;
 import org.onap.policy.pdpx.main.rest.XacmlPdpRestController;
+import org.onap.policy.pdpx.main.rest.XacmlPdpServiceFilter;
 import org.onap.policy.pdpx.main.rest.XacmlPdpStatisticsManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -127,8 +129,11 @@ public class XacmlPdpActivator extends ServiceManagerContainer {
             msgDispatcher.register(PdpMessageType.PDP_UPDATE.name(),
                             new XacmlPdpUpdateListener(sinkClient, state, heartbeat, appmgr));
 
+            XacmlPdpServiceFilter.disableApi();
+
             restServer = new XacmlPdpRestServer(xacmlPdpParameterGroup.getRestServerParameters(),
-                    XacmlPdpAafFilter.class, XacmlPdpRestController.class);
+                                List.of(XacmlPdpServiceFilter.class, XacmlPdpAafFilter.class),
+                                List.of(XacmlPdpRestController.class));
 
         } catch (RuntimeException | HttpClientConfigException | BidirectionalTopicClientException e) {
             throw new PolicyXacmlPdpRuntimeException(e.getMessage(), e);
@@ -158,6 +163,9 @@ public class XacmlPdpActivator extends ServiceManagerContainer {
             heartbeat::terminate);
 
         // @formatter:on
+        addAction("REST Server",
+            restServer::start,
+            restServer::stop);
     }
 
     /*
@@ -212,26 +220,18 @@ public class XacmlPdpActivator extends ServiceManagerContainer {
     /**
      * Start the xacmlpdp rest controller.
      */
-    public void startXacmlRestController() {
-        if (isXacmlRestControllerAlive()) {
-            LOGGER.info("Xacml rest controller already running");
-        } else {
-            restServer.start();
-        }
+    public void enableApi() {
+        XacmlPdpServiceFilter.enableApi();
     }
 
     /**
      * Stop the xacmlpdp rest controller.
      */
-    public void stopXacmlRestController() {
-        if (isXacmlRestControllerAlive()) {
-            restServer.stop();
-        } else {
-            LOGGER.info("Xacml rest controller already stopped");
-        }
+    public void disableApi() {
+        XacmlPdpServiceFilter.disableApi();
     }
 
-    public boolean isXacmlRestControllerAlive() {
-        return restServer.isAlive();
+    public boolean isApiEnabled() {
+        return XacmlPdpServiceFilter.isApiEnabled();
     }
 }
diff --git a/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpRestServer.java b/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpRestServer.java
index 487253b2..683d013e 100644
--- a/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpRestServer.java
+++ b/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpRestServer.java
@@ -20,12 +20,13 @@
 
 package org.onap.policy.pdpx.main.startstop;
 
+import java.util.List;
 import java.util.Properties;
+import javax.servlet.Filter;
 import org.onap.policy.common.endpoints.http.server.JsonExceptionMapper;
 import org.onap.policy.common.endpoints.http.server.RestServer;
 import org.onap.policy.common.endpoints.http.server.YamlExceptionMapper;
 import org.onap.policy.common.endpoints.http.server.YamlMessageBodyHandler;
-import org.onap.policy.common.endpoints.http.server.aaf.AafAuthFilter;
 import org.onap.policy.common.endpoints.parameters.RestServerParameters;
 import org.onap.policy.common.endpoints.properties.PolicyEndPointProperties;
 import org.onap.policy.common.gson.GsonMessageBodyHandler;
@@ -45,13 +46,13 @@ public class XacmlPdpRestServer extends RestServer {
      * Constructs the object.
      *
      * @param restServerParameters the rest server parameters
-     * @param aafFilter class of object to use to filter AAF requests, or {@code null}
+     * @param filters class of object to use to filter requests, or {@code null}
      * @param jaxrsProviders classes providing the services
      */
     public XacmlPdpRestServer(final RestServerParameters restServerParameters,
-            Class<? extends AafAuthFilter> aafFilter, Class<?>... jaxrsProviders) {
+            List<Class<? extends Filter>> filters, List<Class<?>> jaxrsProviders) {
 
-        super(restServerParameters, aafFilter, jaxrsProviders);
+        super(restServerParameters, filters, jaxrsProviders);
     }
 
     @Override