From d2daf7ef5d003b5c5ae6a7083ccf676cc87a1d7b Mon Sep 17 00:00:00 2001
From: Pamela Dragosh
Date: Wed, 27 Mar 2019 06:40:18 -0400
Subject: Adding guard PIP

Adding the PIP support into the translator to setup the count attribute as an attribute generated by PIP and not sent by calling application.

Added JUnit for OperationsHistoryPipEngine.

Issue-ID: POLICY-1471
Change-Id: I71773ee8ea0e6c02873506d973a604899383d4b5
Signed-off-by: Pamela Dragosh
---
 .../common/OnapOperationsHistoryDbao.java          |  82 +++++
 .../common/OnapOperationsHistoryPipEngine.java     | 353 +++++++++++++++++++++
 .../xacml/application/common/ToscaDictionary.java  |   2 +
 .../xacml/application/common/XacmlPolicyUtils.java |  17 +-
 4 files changed, 453 insertions(+), 1 deletion(-)
 create mode 100644 applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/OnapOperationsHistoryDbao.java
 create mode 100644 applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/OnapOperationsHistoryPipEngine.java
(limited to 'applications/common/src/main/java')

diff --git a/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/OnapOperationsHistoryDbao.java b/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/OnapOperationsHistoryDbao.java
new file mode 100644
index 00000000..3075a6bd
--- /dev/null
+++ b/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/OnapOperationsHistoryDbao.java
@@ -0,0 +1,82 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.pdp.xacml.application.common;
+
+import java.io.Serializable;
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import lombok.Data;
+
+@Entity
+@Table(name = "operationshistory")
+@Data
+public class OnapOperationsHistoryDbao implements Serializable {
+
+    private static final long serialVersionUID = -551420180714993577L;
+
+    @Id
+    @GeneratedValue
+    @Column(name = "id")
+    private Long id;
+
+    @Column(name = "closedLoopName", length = 255)
+    private String clName;
+
+    @Column(name = "requestId", length = 50)
+    private String requestId;
+
+    @Column(name = "subrequestId", length = 50)
+    private String subrequestId;
+
+    @Column(name = "actor", length = 50)
+    private String actor;
+
+    @Column(name = "operation", length = 50)
+    private String operation;
+
+    @Column(name = "target", length = 50)
+    private String target;
+
+    @Column(name = "starttime")
+    private Date starttime;
+
+    @Column(name = "outcome", length = 50)
+    private String outcome;
+
+    @Column(name = "message", length = 255)
+    private String message;
+
+    @Column(name = "endtime")
+    private Date endtime;
+
+    public OnapOperationsHistoryDbao() {
+        super();
+    }
+
+}
diff --git a/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/OnapOperationsHistoryPipEngine.java b/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/OnapOperationsHistoryPipEngine.java
new file mode 100644
index 00000000..3d316b9a
--- /dev/null
+++ b/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/OnapOperationsHistoryPipEngine.java
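Review bot: The two `java.util.Date` fields `starttime` and `endtime` carry no `@Temporal` annotation, which the JPA specification requires on Date/Calendar persistent fields; providers commonly default to TIMESTAMP, and the PIP added in this commit compares `endtime` against `CURRENT_TIMESTAMP` in native SQL, so the intent should be pinned with `@Temporal(TemporalType.TIMESTAMP)` above each field (imports `javax.persistence.Temporal` and `javax.persistence.TemporalType`). Separately, Lombok `@Data` on an `@Entity` generates `equals`/`hashCode` over every field including the `@GeneratedValue` `id`, so an instance's hash changes once it is persisted and it misbehaves in hash-based collections; `@Getter`/`@Setter` with either no `equals` or an id-only one is the usual choice. Which JPA provider is configured is not visible here, so the default-mapping remark is an assumption.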
@@ -0,0 +1,353 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.pdp.xacml.application.common;
+
+import com.att.research.xacml.api.Attribute;
+import com.att.research.xacml.api.AttributeValue;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.api.XACML3;
+import com.att.research.xacml.api.pip.PIPException;
+import com.att.research.xacml.api.pip.PIPFinder;
+import com.att.research.xacml.api.pip.PIPRequest;
+import com.att.research.xacml.api.pip.PIPResponse;
+import com.att.research.xacml.std.StdMutableAttribute;
+import com.att.research.xacml.std.datatypes.DataTypes;
+import com.att.research.xacml.std.pip.StdMutablePIPResponse;
+import com.att.research.xacml.std.pip.StdPIPRequest;
+import com.att.research.xacml.std.pip.StdPIPResponse;
+import com.att.research.xacml.std.pip.engines.StdConfigurableEngine;
+import com.google.common.base.Strings;
+
+import java.math.BigInteger;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.Properties;
+
+import javax.persistence.EntityManager;
+import javax.persistence.Persistence;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class OnapOperationsHistoryPipEngine extends StdConfigurableEngine {
+    private static Logger logger = LoggerFactory.getLogger(OnapOperationsHistoryPipEngine.class);
+
+    private static final PIPRequest PIP_REQUEST_ACTOR = new StdPIPRequest(
+            XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE,
+            ToscaDictionary.ID_RESOURCE_GUARD_ACTOR,
+            XACML3.ID_DATATYPE_STRING);
+
+    private static final PIPRequest PIP_REQUEST_RECIPE = new StdPIPRequest(
+            XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE,
+            ToscaDictionary.ID_RESOURCE_GUARD_RECIPE,
+            XACML3.ID_DATATYPE_STRING);
+
+    private static final PIPRequest PIP_REQUEST_TARGET = new StdPIPRequest(
+            XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE,
+            ToscaDictionary.ID_RESOURCE_GUARD_TARGETID,
+            XACML3.ID_DATATYPE_STRING);
+
+    private Properties properties;
+
+    public OnapOperationsHistoryPipEngine() {
+        super();
+    }
+
+    @Override
+    public Collection attributesRequired() {
+        return Arrays.asList(PIP_REQUEST_ACTOR, PIP_REQUEST_RECIPE, PIP_REQUEST_TARGET);
+    }
+
+    @Override
+    public Collection attributesProvided() {
+        return Collections.emptyList();
+    }
+
+    @Override
+    public PIPResponse getAttributes(PIPRequest pipRequest, PIPFinder pipFinder) throws PIPException {
+        logger.debug("getAttributes requesting attribute {} of type {} for issuer {}",
+                pipRequest.getAttributeId(), pipRequest.getDataTypeId(), pipRequest.getIssuer());
+        //
+        // Determine if the issuer is correct
+        //
+        if (Strings.isNullOrEmpty(pipRequest.getIssuer())) {
+            logger.debug("issuer is null - returning empty response");
+            //
+            // We only respond to ourself as the issuer
+            //
+            return StdPIPResponse.PIP_RESPONSE_EMPTY;
+        }
+        if (! pipRequest.getIssuer().startsWith(ToscaDictionary.GUARD_ISSUER)) {
+            logger.debug("Issuer does not start with guard");
+            //
+            // We only respond to ourself as the issuer
+            //
+            return StdPIPResponse.PIP_RESPONSE_EMPTY;
+        }
+        //
+        // Parse out the issuer which denotes the time window
+        //
+        // Eg: urn:org:onapxacml:guard:historydb:tw:10:minute
+        //
+        String[] s1 = pipRequest.getIssuer().split("tw:");
+        String[] s2 = s1[1].split(":");
+        int timeWindowVal = Integer.parseInt(s2[0]);
+        String timeWindowScale = s2[1];
+        //
+        // Grab other attribute values
+        //
+        String actor = getActor(pipFinder);
+        String operation = getRecipe(pipFinder);
+        String target = getTarget(pipFinder);
+        String timeWindow = timeWindowVal + " " + timeWindowScale;
+        logger.info("Going to query DB about: actor {} operation {} target {} time window {}",
+                actor, operation, target, timeWindow);
+        //
+        // Sanity check
+        //
+        if (actor == null || operation == null || target == null) {
+            //
+            // See if we have all the values
+            //
+            logger.error("missing attributes return empty");
+            return StdPIPResponse.PIP_RESPONSE_EMPTY;
+        }
+        //
+        // Ok do the database query
+        //
+        int operationCount = doDatabaseQuery(actor, operation, target, timeWindowVal, timeWindowScale);
+        //
+        // Right now return empty
+        //
+        StdMutablePIPResponse stdPipResponse = new StdMutablePIPResponse();
+        this.addIntegerAttribute(stdPipResponse,
+                XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE,
+                ToscaDictionary.ID_RESOURCE_GUARD_OPERATIONCOUNT,
+                operationCount,
+                pipRequest);
+        return new StdPIPResponse(stdPipResponse);
+    }
+
+    @Override
+    public void configure(String id, Properties properties) throws PIPException {
+        super.configure(id, properties);
+        logger.debug("Configuring historyDb PIP {}", properties);
+        this.properties = properties;
+    }
+
+    private String getActor(PIPFinder pipFinder) {
+        //
+        // Get the actor value
+        //
+        PIPResponse pipResponse = this.getAttribute(PIP_REQUEST_ACTOR, pipFinder);
+        if (pipResponse == null) {
+            logger.error("Need actor attribute which is not found");
+            return null;
+        }
+        //
+        // Find the actor
+        //
+        return findFirstAttributeValue(pipResponse);
+    }
+
+    private String getRecipe(PIPFinder pipFinder) {
+        //
+        // Get the actor value
+        //
+        PIPResponse pipResponse = this.getAttribute(PIP_REQUEST_RECIPE, pipFinder);
+        if (pipResponse == null) {
+            logger.error("Need recipe attribute which is not found");
+            return null;
+        }
+        //
+        // Find the actor
+        //
+        return findFirstAttributeValue(pipResponse);
+    }
+
+    private String getTarget(PIPFinder pipFinder) {
+        //
+        // Get the actor value
+        //
+        PIPResponse pipResponse = this.getAttribute(PIP_REQUEST_TARGET, pipFinder);
+        if (pipResponse == null) {
+            logger.error("Need target attribute which is not found");
+            return null;
+        }
+        //
+        // Find the actor
+        //
+        return findFirstAttributeValue(pipResponse);
+    }
+
+    private PIPResponse getAttribute(PIPRequest pipRequest, PIPFinder pipFinder) {
+        PIPResponse pipResponse = null;
+        try {
+            pipResponse = pipFinder.getMatchingAttributes(pipRequest, this);
+            if (pipResponse.getStatus() != null && !pipResponse.getStatus().isOk()) {
+                if (logger.isInfoEnabled()) {
+                    logger.info("get attribute error retrieving {}: {}", pipRequest.getAttributeId().stringValue(),
+                            pipResponse.getStatus());
+                }
+                pipResponse = null;
+            }
+            if (pipResponse != null && pipResponse.getAttributes().isEmpty()) {
+                if (logger.isInfoEnabled()) {
+                    logger.info("No value for {}", pipRequest.getAttributeId().stringValue());
+                }
+                pipResponse = null;
+            }
+        } catch (PIPException ex) {
+            logger.error("PIPException getting subject-id attribute: " + ex.getMessage(), ex);
+        }
+        return pipResponse;
+    }
+
+    private String findFirstAttributeValue(PIPResponse pipResponse) {
+        for (Attribute attribute: pipResponse.getAttributes()) {
+            Iterator> iterAttributeValues = attribute.findValues(DataTypes.DT_STRING);
+            if (iterAttributeValues != null) {
+                while (iterAttributeValues.hasNext()) {
+                    String value = iterAttributeValues.next().getValue();
+                    if (value != null) {
+                        return value;
+                    }
+                }
+            }
+        }
+        return null;
+    }
+
+    private void addIntegerAttribute(StdMutablePIPResponse stdPipResponse, Identifier category,
+            Identifier attributeId, int value, PIPRequest pipRequest) {
+        AttributeValue attributeValue = null;
+        try {
+            attributeValue = DataTypes.DT_INTEGER.createAttributeValue(value);
+        } catch (Exception e) {
+            logger.error("Failed to convert {} to integer {}", value, e);
+        }
+        if (attributeValue != null) {
+            stdPipResponse.addAttribute(new StdMutableAttribute(category, attributeId, attributeValue,
+                    pipRequest.getIssuer(), false));
+        }
+    }
+
+    private int doDatabaseQuery(String actor, String operation, String target, int timeWindowVal,
+            String timeWindowScale) {
+        logger.info("Querying operations history for {} {} {} {} {}",
+                actor, operation, target, timeWindowVal, timeWindowScale);
+        //
+        // Create our entity manager
+        //
+        EntityManager em;
+        try {
+            //
+            // In case there are any overloaded properties for the JPA
+            //
+            Properties emProperties = new Properties(properties);
+            //
+            // Create the entity manager factory
+            //
+            em = Persistence.createEntityManagerFactory(
+                    properties.getProperty("historydb.persistenceunit", "OperationsHistoryPU"),
+                    emProperties).createEntityManager();
+        } catch (Exception e) {
+            logger.error("Persistence failed {} operations history db {}", e.getLocalizedMessage(), e);
+            return -1;
+        }
+        //
+        // Compute the time window
+        //
+        if (! "minute".equalsIgnoreCase(timeWindowScale)
+                && ! "hour".equalsIgnoreCase(timeWindowScale)
+                && ! "day".equalsIgnoreCase(timeWindowScale)
+                && ! "week".equalsIgnoreCase(timeWindowScale)
+                && ! "month".equalsIgnoreCase(timeWindowScale)
+                && ! "year".equalsIgnoreCase(timeWindowScale)) {
+            //
+            // Unsupported
+            //
+            logger.error("Unsupported time window scale value {}", timeWindowScale);
+            //
+            // Throw an exception instead?
+            //
+            return -1;
+        }
+        //
+        // Do the query
+        //
+        Object result = null;
+        try {
+            //
+            //
+            //
+            String strQuery = "select count(*) as numops from operationshistory"
+                    + " where outcome<>'Failure_Guard'"
+                    + " and actor=?"
+                    + " and operation=?"
+                    + " and target=?"
+                    + " and endtime between TIMESTAMPADD("
+                    + timeWindowScale.toUpperCase()
+                    + ", ?, CURRENT_TIMESTAMP)"
+                    + " and CURRENT_TIMESTAMP";
+            //
+            // We are expecting a single result
+            //
+            result = em.createNativeQuery(strQuery)
+                    .setParameter(1, actor)
+                    .setParameter(2, operation)
+                    .setParameter(3, target)
+                    .setParameter(4, timeWindowVal * -1)
+                    .getSingleResult();
+        } catch (Exception e) {
+            logger.error("Named query failed ", e);
+        }
+        //
+        // Check our query results
+        //
+        if (result != null) {
+            //
+            // Success let's see what JPA returned to us
+            //
+            logger.info("operations query returned {}", result);
+            //
+            // Should get back a long
+            //
+            if (result instanceof Long) {
+                return ((Long) result).intValue();
+            }
+            //
+            // We shouldn't really get this result, but just
+            // in case we'll do the dirty work of parsing the
+            // string representation of the object.
+            //
+            return Integer.parseInt(result.toString());
+        }
+        //
+        // We get here if we didn't get a result. Should
+        // we propagate back an exception?
+        //
+        return -1;
+    }
+
+}
diff --git a/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/ToscaDictionary.java b/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/ToscaDictionary.java
index 0dcafa00..2d3cebd1 100644
--- a/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/ToscaDictionary.java
+++ b/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/ToscaDictionary.java
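Review bot: `doDatabaseQuery` builds a fresh `EntityManagerFactory` and `EntityManager` on every call and closes neither — the factory owns the JDBC connection pool, so each guard evaluation leaks connections and pays the full JPA bootstrap cost; build the factory once in `configure` (wrapping failure as `PIPException`) and close the `EntityManager` in a `finally`, as sketched below. On any failure (`Persistence` error, unsupported scale, query exception, no result) the method returns `-1` and `getAttributes` still publishes that as `ID_RESOURCE_GUARD_OPERATIONCOUNT`, so a policy that compares the count against a limit permits whenever the history database is unreachable — fail-open; returning `StdPIPResponse.PIP_RESPONSE_EMPTY` when `operationCount < 0` lets the policy's missing-attribute handling decide instead, e.g. `if (operationCount < 0) { return StdPIPResponse.PIP_RESPONSE_EMPTY; }` before the response is built. In `getAttributes`, `s1[1]`, `s2[1]` and `Integer.parseInt(s2[0])` throw `ArrayIndexOutOfBoundsException`/`NumberFormatException` for an issuer that starts with `GUARD_ISSUER` but lacks the `tw:<n>:<scale>` suffix, and those escape the method unchecked; guard the parse and return the empty response with a log. The native query inlines `timeWindowScale.toUpperCase()` into SQL and is safe only because of the allow-list check a few lines earlier, which deserves a comment on the concatenation line, `// scale is safe to inline: validated against the fixed list above`, plus `toUpperCase(Locale.ROOT)` so the comparison does not depend on the default locale. `configure` logs the whole `Properties` at debug, and the same object is later handed to `Persistence.createEntityManagerFactory`, so if it carries JDBC credentials they land in the log — logging only the persistence-unit name (or the key set) is safer.
```java
    private EntityManagerFactory emf;

    @Override
    public void configure(String id, Properties properties) throws PIPException {
        super.configure(id, properties);
        this.properties = properties;
        try {
            // Built once: the factory owns the connection pool and is too costly to create per query
            this.emf = Persistence.createEntityManagerFactory(
                    properties.getProperty("historydb.persistenceunit", "OperationsHistoryPU"),
                    new Properties(properties));
        } catch (Exception e) {
            throw new PIPException("Persistence failed for operations history db", e);
        }
    }

    // … unchanged: getActor, getRecipe, getTarget, getAttribute, findFirstAttributeValue, addIntegerAttribute …

    private int doDatabaseQuery(String actor, String operation, String target, int timeWindowVal,
            String timeWindowScale) {
        // … unchanged: logging and time-window scale allow-list check …
        EntityManager em = emf.createEntityManager();
        try {
            // … unchanged: native query build, setParameter calls, result handling …
        } finally {
            em.close();
        }
    }
```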
@@ -93,6 +93,8 @@ public final class ToscaDictionary {
     public static final Identifier ID_RESOURCE_GUARD_OPERATIONCOUNT =
             new IdentifierImpl(URN_ONAP, "guard:operation:operation-count");
 
+    public static final String GUARD_ISSUER = URN_ONAP.stringValue() + "xacml:guard:historydb";
+
     /*
      * This id is specifically for advice returned from guard
      */
diff --git a/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/XacmlPolicyUtils.java b/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/XacmlPolicyUtils.java
index 46742af9..30363b43 100644
--- a/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/XacmlPolicyUtils.java
+++ b/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/XacmlPolicyUtils.java
@@ -34,6 +34,7 @@ import java.io.OutputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.Set;
 import java.util.StringJoiner;
@@ -162,7 +163,7 @@ public class XacmlPolicyUtils {
         //
         int id = 1;
         while (true) {
-            String refId = "ref" + id;
+            String refId = "root" + id;
             if (rootPolicies.contains(refId)) {
                 id++;
             } else {
@@ -326,6 +327,16 @@ public class XacmlPolicyUtils {
         try (InputStream is = Files.newInputStream(propertyPath)) {
             Properties properties = new Properties();
             properties.load(is);
+            if (LOGGER.isDebugEnabled()) {
+                LOGGER.debug("Loaded xacml properties {} {}", System.lineSeparator(), properties);
+                //
+                // It would be nice to sort this first
+                //
+                properties.list(System.out);
+                for (Entry entrySet : properties.entrySet()) {
+                    LOGGER.debug("{} -> {}", entrySet.getKey(), entrySet.getValue());
+                }
+            }
             return properties;
         }
     }
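Review bot: `GUARD_ISSUER` is built by plain concatenation, `URN_ONAP.stringValue() + "xacml:guard:historydb"`, whereas the neighbouring identifier goes through `IdentifierImpl(URN_ONAP, ...)`, which as far as I recall inserts the `:` separator; unless `URN_ONAP` itself ends in `:` the constant has no separator, and the example issuer the same commit quotes in `OnapOperationsHistoryPipEngine`, `urn:org:onapxacml:guard:historydb:tw:10:minute`, looks like exactly that outcome. `URN_ONAP` is declared outside the hunk, so this is inferred; if confirmed, `new IdentifierImpl(URN_ONAP, "xacml:guard:historydb").stringValue()` keeps it consistent with the other ids. Since the PIP accepts any issuer that merely starts with this string and then parses a `tw:<n>:<scale>` suffix from it, a Javadoc line on the constant stating that contract (prefix for guard history-db issuers, suffix format, accepted scales) would spare the next policy author a silent mismatch.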
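Review bot: The debug branch added in the `@@ -326,6 +327,16 @@` hunk writes the entire loaded `Properties` to the log and, via `properties.list(System.out)`, straight to stdout outside any logger control; these are the PDP's xacml properties, which this same commit also hands to the JPA provider through the history PIP, so if they carry `javax.persistence.jdbc.password` or any other credential it is printed verbatim whenever debug is enabled. The same dump is added to `storeXacmlProperties` in the next hunk. Drop the `properties.list(System.out)` and the whole-object `{}` argument, keep only the per-entry loop, and mask sensitive keys, e.g. `LOGGER.debug("{} -> {}", entrySet.getKey(), String.valueOf(entrySet.getKey()).toLowerCase(Locale.ROOT).contains("password") ? "****" : entrySet.getValue());` (needs `java.util.Locale`). Whether credentials are actually present in these files is not visible here; the method enclosing the `@@ -326` hunk begins before it.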
@@ -336,6 +347,10 @@ public class XacmlPolicyUtils {
      * @throws IOException If unable to store the file.
      */
     public static void storeXacmlProperties(Properties properties, Path propertyPath) throws IOException {
+        if (LOGGER.isDebugEnabled()) {
+            LOGGER.debug("Storing xacml properties {} {} {}", properties, System.lineSeparator(), propertyPath);
+            properties.list(System.out);
+        }
         try (OutputStream os = Files.newOutputStream(propertyPath)) {
             String strComments = "#";
             properties.store(os, strComments);
-- 
cgit 1.2.3-korg