diff options
author | Jim Hahn <jrh3@att.com> | 2021-08-23 15:53:55 -0400 |
---|---|---|
committer | Jim Hahn <jrh3@att.com> | 2021-08-23 15:55:29 -0400 |
commit | 4212017188b2bf7ec741647cf23c536b0c97f15b (patch) | |
tree | 935cb86299826ed50eef7d9fa3cfa27ba1e4bfd2 /main/src/main | |
parent | 6ad3dbfeb528f052b9c3c0ad712fac719157e9f0 (diff) |
Add filter to control xacml-pdp rest api
Added a filter class for the REST server that only allows "API" services
(i.e., decision API services) through when the API is enabled,
disallowing them otherwise. The filter always allows PDP-wide services
(e.g., "healthcheck").
Per review comments:
- modified the new class to "implement Filter" rather than "extends
AafFilter"
Issue-ID: POLICY-3531
Change-Id: I7055e21045eea270e454a47a443b29476d9a85ee
Signed-off-by: Jim Hahn <jrh3@att.com>
Diffstat (limited to 'main/src/main')
4 files changed, 113 insertions, 21 deletions
diff --git a/main/src/main/java/org/onap/policy/pdpx/main/XacmlState.java b/main/src/main/java/org/onap/policy/pdpx/main/XacmlState.java index d1e326f1..a2c8ca94 100644 --- a/main/src/main/java/org/onap/policy/pdpx/main/XacmlState.java +++ b/main/src/main/java/org/onap/policy/pdpx/main/XacmlState.java @@ -179,10 +179,10 @@ public class XacmlState { private void handleXacmlRestController() { if (status.getState() == PdpState.ACTIVE) { LOGGER.info("State change: {} - Starting rest controller", status.getState()); - XacmlPdpActivator.getCurrent().startXacmlRestController(); + XacmlPdpActivator.getCurrent().enableApi(); } else if (status.getState() == PdpState.PASSIVE) { LOGGER.info("State change: {} - Stopping rest controller", status.getState()); - XacmlPdpActivator.getCurrent().stopXacmlRestController(); + XacmlPdpActivator.getCurrent().disableApi(); } else { // unsupported state LOGGER.warn("Unsupported state: {}", status.getState()); diff --git a/main/src/main/java/org/onap/policy/pdpx/main/rest/XacmlPdpServiceFilter.java b/main/src/main/java/org/onap/policy/pdpx/main/rest/XacmlPdpServiceFilter.java new file mode 100644 index 00000000..50dafd52 --- /dev/null +++ b/main/src/main/java/org/onap/policy/pdpx/main/rest/XacmlPdpServiceFilter.java @@ -0,0 +1,91 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP + * ================================================================================ + * Copyright (C) 2021 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.policy.pdpx.main.rest; + +import java.io.IOException; +import java.util.Set; +import java.util.concurrent.atomic.AtomicBoolean; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +/** + * Filter that verifies that the API services (i.e., decision services) are enabled + * before allowing the request through. + */ +public class XacmlPdpServiceFilter implements Filter { + + /** + * Services the are always available, even when the API is disabled. + */ + public static final Set<String> PERMANENT_SERVICES = Set.of("healthcheck", "statistics"); + + + private static final AtomicBoolean apiDisabled = new AtomicBoolean(true); + + + @Override + public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) + throws IOException, ServletException { + + HttpServletRequest request = (HttpServletRequest) servletRequest; + HttpServletResponse response = (HttpServletResponse) servletResponse; + + if (apiDisabled.get() && !PERMANENT_SERVICES.contains(getUriSuffix(request))) { + response.setStatus(HttpServletResponse.SC_CONFLICT); + } else { + filterChain.doFilter(servletRequest, servletResponse); + } + } + + private String getUriSuffix(HttpServletRequest request) { + String uri = request.getRequestURI(); + int index = uri.lastIndexOf('/'); + return (index < 0 ? uri : uri.substring(index + 1)); + } + + /** + * Determines if API services are enabled. + * + * @return {@code true}, if API services are enabled + */ + public static boolean isApiEnabled() { + return !apiDisabled.get(); + } + + /** + * Enables the API services. + */ + public static void enableApi() { + apiDisabled.set(false); + } + + /** + * Disables the API services. + */ + public static void disableApi() { + apiDisabled.set(true); + } +} diff --git a/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpActivator.java b/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpActivator.java index 892b3835..531374d0 100644 --- a/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpActivator.java +++ b/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpActivator.java @@ -20,6 +20,7 @@ package org.onap.policy.pdpx.main.startstop; +import java.util.List; import lombok.Getter; import lombok.Setter; import org.onap.policy.common.endpoints.event.comm.TopicEndpointManager; @@ -44,6 +45,7 @@ import org.onap.policy.pdpx.main.parameters.XacmlPdpParameterGroup; import org.onap.policy.pdpx.main.rest.XacmlPdpAafFilter; import org.onap.policy.pdpx.main.rest.XacmlPdpApplicationManager; import org.onap.policy.pdpx.main.rest.XacmlPdpRestController; +import org.onap.policy.pdpx.main.rest.XacmlPdpServiceFilter; import org.onap.policy.pdpx.main.rest.XacmlPdpStatisticsManager; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -127,8 +129,11 @@ public class XacmlPdpActivator extends ServiceManagerContainer { msgDispatcher.register(PdpMessageType.PDP_UPDATE.name(), new XacmlPdpUpdateListener(sinkClient, state, heartbeat, appmgr)); + XacmlPdpServiceFilter.disableApi(); + restServer = new XacmlPdpRestServer(xacmlPdpParameterGroup.getRestServerParameters(), - XacmlPdpAafFilter.class, XacmlPdpRestController.class); + List.of(XacmlPdpServiceFilter.class, XacmlPdpAafFilter.class), + List.of(XacmlPdpRestController.class)); } catch (RuntimeException | HttpClientConfigException | BidirectionalTopicClientException e) { throw new PolicyXacmlPdpRuntimeException(e.getMessage(), e); @@ -158,6 +163,9 @@ public class XacmlPdpActivator extends ServiceManagerContainer { heartbeat::terminate); // @formatter:on + addAction("REST Server", + restServer::start, + restServer::stop); } /* @@ -212,26 +220,18 @@ public class XacmlPdpActivator extends ServiceManagerContainer { /** * Start the xacmlpdp rest controller. */ - public void startXacmlRestController() { - if (isXacmlRestControllerAlive()) { - LOGGER.info("Xacml rest controller already running"); - } else { - restServer.start(); - } + public void enableApi() { + XacmlPdpServiceFilter.enableApi(); } /** * Stop the xacmlpdp rest controller. */ - public void stopXacmlRestController() { - if (isXacmlRestControllerAlive()) { - restServer.stop(); - } else { - LOGGER.info("Xacml rest controller already stopped"); - } + public void disableApi() { + XacmlPdpServiceFilter.disableApi(); } - public boolean isXacmlRestControllerAlive() { - return restServer.isAlive(); + public boolean isApiEnabled() { + return XacmlPdpServiceFilter.isApiEnabled(); } } diff --git a/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpRestServer.java b/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpRestServer.java index 487253b2..683d013e 100644 --- a/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpRestServer.java +++ b/main/src/main/java/org/onap/policy/pdpx/main/startstop/XacmlPdpRestServer.java @@ -20,12 +20,13 @@ package org.onap.policy.pdpx.main.startstop; +import java.util.List; import java.util.Properties; +import javax.servlet.Filter; import org.onap.policy.common.endpoints.http.server.JsonExceptionMapper; import org.onap.policy.common.endpoints.http.server.RestServer; import org.onap.policy.common.endpoints.http.server.YamlExceptionMapper; import org.onap.policy.common.endpoints.http.server.YamlMessageBodyHandler; -import org.onap.policy.common.endpoints.http.server.aaf.AafAuthFilter; import org.onap.policy.common.endpoints.parameters.RestServerParameters; import org.onap.policy.common.endpoints.properties.PolicyEndPointProperties; import org.onap.policy.common.gson.GsonMessageBodyHandler; @@ -45,13 +46,13 @@ public class XacmlPdpRestServer extends RestServer { * Constructs the object. * * @param restServerParameters the rest server parameters - * @param aafFilter class of object to use to filter AAF requests, or {@code null} + * @param filters class of object to use to filter requests, or {@code null} * @param jaxrsProviders classes providing the services */ public XacmlPdpRestServer(final RestServerParameters restServerParameters, - Class<? extends AafAuthFilter> aafFilter, Class<?>... jaxrsProviders) { + List<Class<? extends Filter>> filters, List<Class<?>> jaxrsProviders) { - super(restServerParameters, aafFilter, jaxrsProviders); + super(restServerParameters, filters, jaxrsProviders); } @Override |