From a9c7e7322eb09672c8dfba32503653d12e685543 Mon Sep 17 00:00:00 2001 From: Michael Mokry Date: Wed, 10 Apr 2019 09:53:44 -0500 Subject: XACML PDP DmaaP Deploy/UnDeploy Function 1. Added PDPUpdate listener 2. Added PDPUpdate Publisher 3. Added code to handle PdpUpdate messages and load policies being deployed 4. Modified Activator to register listener 5. Provided placeholder code to get policies from pdpx for return PdpStatus response to the PAP 6. Other minor modifications 7. Fix XacmlPdpApplicationManager to only load policy if supports policy type. 8. Checkstyle fixes 9. Updated applications to support loadPolicy(ToscaPolicy) and all the translators, JUnit tests. 10. Consolidated some duplicate code in the applications. Can probably do more in that area. 11. Fixed bug in Properties not really having a copy constructor. Change-Id: Ic29ad426061cbdb79c1339314667bb8ff8decb88 Issue-ID: POLICY-1451 Signed-off-by: Michael Mokry Signed-off-by: Pamela Dragosh --- .../pdp/application/guard/GuardPdpApplication.java | 78 +------- .../application/guard/LegacyGuardTranslator.java | 214 +++++++-------------- .../application/guard/GuardPdpApplicationTest.java | 114 ++++------- .../guard/src/test/resources/xacml.properties | 2 +- 4 files changed, 120 insertions(+), 288 deletions(-) (limited to 'applications/guard/src') diff --git a/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplication.java b/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplication.java index 41773ab7..0b3b1542 100644 --- a/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplication.java +++ b/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplication.java @@ -22,26 +22,12 @@ package org.onap.policy.xacml.pdp.application.guard; -import com.att.research.xacml.api.Request; -import com.att.research.xacml.api.Response; -import com.att.research.xacml.util.XACMLPolicyWriter; - -import java.io.IOException; -import java.nio.file.Path; import java.util.ArrayList; import java.util.Arrays; import java.util.List; -import java.util.Map; -import java.util.Properties; - -import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyType; -import org.onap.policy.models.decisions.concepts.DecisionRequest; -import org.onap.policy.models.decisions.concepts.DecisionResponse; import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicyTypeIdentifier; -import org.onap.policy.pdp.xacml.application.common.ToscaPolicyConversionException; -import org.onap.policy.pdp.xacml.application.common.XacmlApplicationException; -import org.onap.policy.pdp.xacml.application.common.XacmlPolicyUtils; +import org.onap.policy.pdp.xacml.application.common.ToscaPolicyTranslator; import org.onap.policy.pdp.xacml.application.common.std.StdXacmlApplicationServiceProvider; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -99,65 +85,7 @@ public class GuardPdpApplication extends StdXacmlApplicationServiceProvider { } @Override - public void loadPolicies(Map toscaPolicies) throws XacmlApplicationException { - try { - // - // Convert the policies first - // - List listPolicies = translator.scanAndConvertPolicies(toscaPolicies); - if (listPolicies.isEmpty()) { - throw new XacmlApplicationException("Converted 0 policies"); - } - // - // Create a copy of the properties object - // - Properties newProperties = this.getProperties(); - // - // Iterate through the policies - // - for (PolicyType newPolicy : listPolicies) { - // - // Construct the filename - // - Path refPath = XacmlPolicyUtils.constructUniquePolicyFilename(newPolicy, this.getDataPath()); - // - // Write the policy to disk - // Maybe check for an error - // - XACMLPolicyWriter.writePolicyFile(refPath, newPolicy); - // - // Add root policy to properties object - // - XacmlPolicyUtils.addRootPolicy(newProperties, refPath); - } - // - // Write the properties to disk - // - XacmlPolicyUtils.storeXacmlProperties(newProperties, - XacmlPolicyUtils.getPropertiesPath(this.getDataPath())); - // - // Reload the engine - // - this.createEngine(newProperties); - } catch (IOException | ToscaPolicyConversionException e) { - LOGGER.error("Failed to loadPolicies {}", e); - } + protected ToscaPolicyTranslator getTranslator() { + return translator; } - - @Override - public DecisionResponse makeDecision(DecisionRequest request) { - // - // Convert to a XacmlRequest - // - Request xacmlRequest = translator.convertRequest(request); - // - // Now get a decision - // - Response xacmlResponse = this.xacmlDecision(xacmlRequest); - // - // Convert to a DecisionResponse - // - return translator.convertResponse(xacmlResponse); - } - } diff --git a/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/LegacyGuardTranslator.java b/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/LegacyGuardTranslator.java index 48861d86..77dbb353 100644 --- a/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/LegacyGuardTranslator.java +++ b/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/LegacyGuardTranslator.java @@ -30,15 +30,9 @@ import com.att.research.xacml.api.Response; import com.att.research.xacml.api.Result; import com.att.research.xacml.api.XACML3; import com.att.research.xacml.std.annotations.RequestParser; -import com.att.research.xacml.util.XACMLPolicyWriter; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.util.ArrayList; import java.util.Collection; -import java.util.List; import java.util.Map; -import java.util.Map.Entry; import oasis.names.tc.xacml._3_0.core.schema.wd_17.AdviceExpressionType; import oasis.names.tc.xacml._3_0.core.schema.wd_17.AdviceExpressionsType; @@ -58,6 +52,7 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.TargetType; import org.onap.policy.models.decisions.concepts.DecisionRequest; import org.onap.policy.models.decisions.concepts.DecisionResponse; +import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicy; import org.onap.policy.pdp.xacml.application.common.ToscaDictionary; import org.onap.policy.pdp.xacml.application.common.ToscaPolicyConversionException; import org.onap.policy.pdp.xacml.application.common.ToscaPolicyTranslator; @@ -69,8 +64,6 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator { private static final Logger LOGGER = LoggerFactory.getLogger(LegacyGuardTranslator.class); - private static final String FIELD_POLICIES = "policies"; - private static final String FIELD_TOPOLOGY_TEMPLATE = "topology_template"; private static final String FIELD_GUARD_ACTIVE_START = "guardActiveStart"; private static final String FIELD_GUARD_ACTIVE_END = "guardActiveEnd"; @@ -78,73 +71,52 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator { super(); } - @SuppressWarnings("unchecked") @Override - public List scanAndConvertPolicies(Map toscaObject) - throws ToscaPolicyConversionException { + public PolicyType convertPolicy(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException { // - // Our return object + // Policy name should be at the root // - List scannedPolicies = new ArrayList<>(); + String policyName = toscaPolicy.getMetadata().get("policy-id"); // - // Find the Policies + // Set it as the policy ID // - List policies; - - if (toscaObject.containsKey(FIELD_POLICIES)) { - policies = (List) toscaObject.get(FIELD_POLICIES); - } else if (toscaObject.containsKey(FIELD_TOPOLOGY_TEMPLATE)) { - Map topologyTemplate = (Map) toscaObject.get(FIELD_TOPOLOGY_TEMPLATE); - if (topologyTemplate.containsKey(FIELD_POLICIES)) { - policies = (List) topologyTemplate.get(FIELD_POLICIES); - } else { - LOGGER.warn("topologyTemplate does not contain policies"); - return scannedPolicies; - } - } else { - LOGGER.warn("Failed to find policies or topologyTemplate"); - return scannedPolicies; - } + PolicyType newPolicyType = new PolicyType(); + newPolicyType.setPolicyId(policyName); // - // Iterate each of the Policies + // Optional description // - for (Object policyObject : policies) { - // - // Get the contents - // - LOGGER.debug("Found policy {}", policyObject.getClass()); - Map policyContents = (Map) policyObject; - for (Entry entrySet : policyContents.entrySet()) { - LOGGER.debug("Entry set {}", entrySet); - // - // Convert this policy - // - PolicyType policy = this.convertPolicy(entrySet); - if (policy == null) { - // - // Somehow there wasn't enough information to create - // a policy - // - LOGGER.debug("Failed to convert policy"); - continue; - } - // - // Debug dump this - // - try (ByteArrayOutputStream os = new ByteArrayOutputStream()) { - XACMLPolicyWriter.writePolicyFile(os, policy); - LOGGER.debug("{}", os); - } catch (IOException e) { - LOGGER.error("Failed to convert {}", e); - } - // - // Convert and add in the new policy - // - scannedPolicies.add(policy); - } + newPolicyType.setDescription(toscaPolicy.getDescription()); + // + // There should be a metadata section + // + this.fillMetadataSection(newPolicyType, toscaPolicy.getMetadata()); + // + // Set the combining rule + // + newPolicyType.setRuleCombiningAlgId(XACML3.ID_RULE_DENY_UNLESS_PERMIT.stringValue()); + // + // Generate the TargetType + // + newPolicyType.setTarget(this.generateTargetType(toscaPolicy.getProperties())); + // + // Now create the Permit Rule + // + RuleType rule = generatePermitRule(policyName, toscaPolicy.getType(), toscaPolicy.getProperties()); + // + // Check if we were able to create the rule + // + if (rule == null) { + LOGGER.warn("Failed to create rule"); + return null; } - - return scannedPolicies; + // + // Add the rule to the policy + // + newPolicyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule); + // + // Return our new policy + // + return newPolicyType; } @Override @@ -161,7 +133,6 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator { return null; } - @Override public DecisionResponse convertResponse(Response xacmlResponse) { LOGGER.debug("Converting Response {}", xacmlResponse); @@ -196,89 +167,31 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator { return decisionResponse; } - @SuppressWarnings("unchecked") - private PolicyType convertPolicy(Entry entrySet) throws ToscaPolicyConversionException { - // - // Policy name should be at the root - // - String policyName = entrySet.getKey(); - Map policyDefinition = (Map) entrySet.getValue(); - // - // Set it as the policy ID - // - PolicyType newPolicyType = new PolicyType(); - newPolicyType.setPolicyId(policyName); - // - // Optional description - // - if (policyDefinition.containsKey("description")) { - newPolicyType.setDescription(policyDefinition.get("description").toString()); - } - // - // There should be a metadata section - // - if (! policyDefinition.containsKey("metadata")) { - throw new ToscaPolicyConversionException(policyName + " missing metadata section"); - } - this.fillMetadataSection(newPolicyType, - (Map) policyDefinition.get("metadata")); - // - // Set the combining rule - // - newPolicyType.setRuleCombiningAlgId(XACML3.ID_RULE_DENY_UNLESS_PERMIT.stringValue()); - // - // Generate the TargetType - // - if (! policyDefinition.containsKey("properties")) { - throw new ToscaPolicyConversionException(policyName + " missing properties section"); - } - newPolicyType.setTarget(this.generateTargetType((Map) policyDefinition.get("properties"))); - // - // Now create the Permit Rule - // - RuleType rule = generatePermitRule(policyName, policyDefinition.get("type").toString(), - (Map) policyDefinition.get("properties")); - // - // Check if we were able to create the rule - // - if (rule == null) { - LOGGER.warn("Failed to create rule"); - return null; - } - // - // Add the rule to the policy - // - newPolicyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule); - // - // Return our new policy - // - return newPolicyType; - } /** * From the TOSCA metadata section, pull in values that are needed into the XACML policy. * * @param policy Policy Object to store the metadata - * @param metadata The Metadata TOSCA Map + * @param map The Metadata TOSCA Map * @return Same Policy Object * @throws ToscaPolicyConversionException If there is something missing from the metadata */ protected PolicyType fillMetadataSection(PolicyType policy, - Map metadata) throws ToscaPolicyConversionException { - if (! metadata.containsKey("policy-id")) { + Map map) throws ToscaPolicyConversionException { + if (! map.containsKey("policy-id")) { throw new ToscaPolicyConversionException(policy.getPolicyId() + " missing metadata policy-id"); } else { // // Do nothing here - the XACML PolicyId is used from TOSCA Policy Name field // } - if (! metadata.containsKey("policy-version")) { + if (! map.containsKey("policy-version")) { throw new ToscaPolicyConversionException(policy.getPolicyId() + " missing metadata policy-version"); } else { // // Add in the Policy Version // - policy.setVersion(metadata.get("policy-version").toString()); + policy.setVersion(map.get("policy-version").toString()); } return policy; } @@ -343,7 +256,8 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator { return allOf; } - private static RuleType generatePermitRule(String policyName, String policyType, Map properties) { + private static RuleType generatePermitRule(String policyName, String policyType, Map properties) + throws ToscaPolicyConversionException { // // Now determine which policy type we are generating // @@ -352,17 +266,16 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator { } else if ("onap.policies.controlloop.guard.MinMax".equals(policyType)) { return generateMinMaxPermit(policyName, properties); } + LOGGER.error("Missing policy type in the policy"); return null; } - private static RuleType generateFrequencyPermit(String policyName, Map properties) { + private static RuleType generateFrequencyPermit(String policyName, Map properties) + throws ToscaPolicyConversionException { // // See if its possible to generate a count // - Integer limit = null; - if (properties.containsKey("limit")) { - limit = Integer.decode(properties.get("limit").toString()); - } + Integer limit = parseInteger(properties.get("limit").toString()); if (limit == null) { LOGGER.debug("Must have a limit value for frequency guard policy to be created"); return null; @@ -372,7 +285,11 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator { // String timeWindow = null; if (properties.containsKey("timeWindow")) { - timeWindow = properties.get("timeWindow").toString(); + Integer intTimeWindow = parseInteger(properties.get("timeWindow").toString()); + if (intTimeWindow == null) { + throw new ToscaPolicyConversionException("timeWindow is not an integer"); + } + timeWindow = intTimeWindow.toString(); } String timeUnits = null; if (properties.containsKey("timeUnits")) { @@ -452,11 +369,11 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator { // Integer min = null; if (properties.containsKey("min")) { - min = Integer.decode(properties.get("min").toString()); + min = parseInteger(properties.get("min").toString()); } Integer max = null; if (properties.containsKey("max")) { - max = Integer.decode(properties.get("max").toString()); + max = parseInteger(properties.get("max").toString()); } final ApplyType minApply = generateMinCheck(min); final ApplyType maxApply = generateMaxCheck(max); @@ -708,6 +625,23 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator { return applyLessThanEqual; } + private static Integer parseInteger(String strInteger) { + Integer theInt = null; + try { + theInt = Integer.parseInt(strInteger); + } catch (NumberFormatException e) { + LOGGER.warn("Expecting an integer", e); + try { + Double dblLimit = Double.parseDouble(strInteger); + theInt = dblLimit.intValue(); + } catch (NumberFormatException e1) { + LOGGER.error("Failed to parse expected integer as a double", e); + return null; + } + } + return theInt; + } + private static AdviceExpressionsType generateRequestIdAdvice() { AdviceExpressionType adviceExpression = new AdviceExpressionType(); adviceExpression.setAppliesTo(EffectType.PERMIT); diff --git a/applications/guard/src/test/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplicationTest.java b/applications/guard/src/test/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplicationTest.java index be0ee2db..17917af0 100644 --- a/applications/guard/src/test/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplicationTest.java +++ b/applications/guard/src/test/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplicationTest.java @@ -25,10 +25,8 @@ package org.onap.policy.xacml.pdp.application.guard; import static org.assertj.core.api.Assertions.assertThat; import java.io.File; -import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; -import java.io.InputStream; import java.sql.Date; import java.time.Instant; import java.util.HashMap; @@ -56,12 +54,12 @@ import org.onap.policy.models.decisions.concepts.DecisionRequest; import org.onap.policy.models.decisions.concepts.DecisionResponse; import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicyTypeIdentifier; import org.onap.policy.pdp.xacml.application.common.OnapOperationsHistoryDbao; +import org.onap.policy.pdp.xacml.application.common.TestUtils; import org.onap.policy.pdp.xacml.application.common.XacmlApplicationException; import org.onap.policy.pdp.xacml.application.common.XacmlApplicationServiceProvider; import org.onap.policy.pdp.xacml.application.common.XacmlPolicyUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.yaml.snakeyaml.Yaml; @FixMethodOrder(MethodSorters.NAME_ASCENDING) public class GuardPdpApplicationTest { @@ -242,17 +240,7 @@ public class GuardPdpApplicationTest { // the pdp can support it and have it load // into the PDP. // - try (InputStream is = new FileInputStream("src/test/resources/vDNS.policy.guard.frequency.output.tosca.yaml")) { - // - // Have yaml parse it - // - Yaml yaml = new Yaml(); - Map toscaObject = yaml.load(is); - // - // Load the policies - // - service.loadPolicies(toscaObject); - } + TestUtils.loadPolicies("src/test/resources/vDNS.policy.guard.frequency.output.tosca.yaml", service); // // Zero recent actions: should get permit // @@ -283,17 +271,7 @@ public class GuardPdpApplicationTest { // the pdp can support it and have it load // into the PDP. // - try (InputStream is = new FileInputStream("src/test/resources/vDNS.policy.guard.minmax.output.tosca.yaml")) { - // - // Have yaml parse it - // - Yaml yaml = new Yaml(); - Map toscaObject = yaml.load(is); - // - // Load the policies - // - service.loadPolicies(toscaObject); - } + TestUtils.loadPolicies("src/test/resources/vDNS.policy.guard.minmax.output.tosca.yaml", service); // // vfcount=1 below min of 2: should get a Deny // @@ -322,7 +300,8 @@ public class GuardPdpApplicationTest { } @Test - public void test5MissingFields() throws FileNotFoundException, IOException, XacmlApplicationException { + public void test5MissingFields() throws FileNotFoundException, IOException, XacmlApplicationException, + CoderException { LOGGER.info("**************** Running test5 ****************"); // // Most likely we would not get a policy with missing fields passed to @@ -330,52 +309,42 @@ public class GuardPdpApplicationTest { // will be optional due to re-working of how the XACML policies are built, // let's add support in for that. // - try (InputStream is = new FileInputStream("src/test/resources/guard.policy-minmax-missing-fields1.yaml")) { - // - // Have yaml parse it - // - Yaml yaml = new Yaml(); - Map toscaObject = yaml.load(is); - // - // Load the policies - // - service.loadPolicies(toscaObject); - // - // We can create a DecisionRequest on the fly - no need - // to have it in the .json files - // - DecisionRequest request = new DecisionRequest(); - request.setOnapName("JUnit"); - request.setOnapComponent("test5MissingFields"); - request.setRequestId(UUID.randomUUID().toString()); - request.setAction("guard"); - Map guard = new HashMap<>(); - guard.put("actor", "FOO"); - guard.put("recipe", "bar"); - guard.put("vfCount", "4"); - Map resource = new HashMap<>(); - resource.put("guard", guard); - request.setResource(resource); - // - // Ask for a decision - should get permit - // - DecisionResponse response = service.makeDecision(request); - LOGGER.info("Looking for Permit Decision {}", response); - assertThat(response).isNotNull(); - assertThat(response.getStatus()).isNotNull(); - assertThat(response.getStatus()).isEqualTo("Permit"); - // - // Try a deny - // - guard.put("vfCount", "10"); - resource.put("guard", guard); - request.setResource(resource); - response = service.makeDecision(request); - LOGGER.info("Looking for Deny Decision {}", response); - assertThat(response).isNotNull(); - assertThat(response.getStatus()).isNotNull(); - assertThat(response.getStatus()).isEqualTo("Deny"); - } + TestUtils.loadPolicies("src/test/resources/guard.policy-minmax-missing-fields1.yaml", service); + // + // We can create a DecisionRequest on the fly - no need + // to have it in the .json files + // + DecisionRequest request = new DecisionRequest(); + request.setOnapName("JUnit"); + request.setOnapComponent("test5MissingFields"); + request.setRequestId(UUID.randomUUID().toString()); + request.setAction("guard"); + Map guard = new HashMap<>(); + guard.put("actor", "FOO"); + guard.put("recipe", "bar"); + guard.put("vfCount", "4"); + Map resource = new HashMap<>(); + resource.put("guard", guard); + request.setResource(resource); + // + // Ask for a decision - should get permit + // + DecisionResponse response = service.makeDecision(request); + LOGGER.info("Looking for Permit Decision {}", response); + assertThat(response).isNotNull(); + assertThat(response.getStatus()).isNotNull(); + assertThat(response.getStatus()).isEqualTo("Permit"); + // + // Try a deny + // + guard.put("vfCount", "10"); + resource.put("guard", guard); + request.setResource(resource); + response = service.makeDecision(request); + LOGGER.info("Looking for Deny Decision {}", response); + assertThat(response).isNotNull(); + assertThat(response.getStatus()).isNotNull(); + assertThat(response.getStatus()).isEqualTo("Deny"); } @SuppressWarnings("unchecked") @@ -397,6 +366,7 @@ public class GuardPdpApplicationTest { newEntry.setEndtime(Date.from(Instant.now())); newEntry.setRequestId(UUID.randomUUID().toString()); newEntry.setTarget(properties.get("target").toString()); + LOGGER.info("Inserting {}", newEntry); em.getTransaction().begin(); em.persist(newEntry); em.getTransaction().commit(); diff --git a/applications/guard/src/test/resources/xacml.properties b/applications/guard/src/test/resources/xacml.properties index d429a32e..25dee375 100644 --- a/applications/guard/src/test/resources/xacml.properties +++ b/applications/guard/src/test/resources/xacml.properties @@ -22,7 +22,7 @@ xacml.att.policyFinderFactory=org.onap.policy.pdp.xacml.application.common.OnapP # # Use a root combining algorithm # -xacml.att.policyFinderFactory.combineRootPolicies=urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny +xacml.att.policyFinderFactory.combineRootPolicies=urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides xacml.pip.engines=historydb -- cgit 1.2.3-korg