From 4212017188b2bf7ec741647cf23c536b0c97f15b Mon Sep 17 00:00:00 2001 From: Jim Hahn Date: Mon, 23 Aug 2021 15:53:55 -0400 Subject: Add filter to control xacml-pdp rest api Added a filter class for the REST server that only allows "API" services (i.e., decision API services) through when the API is enabled, disallowing them otherwise. The filter always allows PDP-wide services (e.g., "healthcheck"). Per review comments: - modified the new class to "implement Filter" rather than "extends AafFilter" Issue-ID: POLICY-3531 Change-Id: I7055e21045eea270e454a47a443b29476d9a85ee Signed-off-by: Jim Hahn --- .../java/org/onap/policy/pdpx/main/CommonRest.java | 2 +- .../org/onap/policy/pdpx/main/XacmlStateTest.java | 4 +- .../main/rest/TestAbbreviateDecisionResults.java | 2 +- .../onap/policy/pdpx/main/rest/TestDecision.java | 4 +- .../pdpx/main/rest/TestXacmlPdpServiceFilter.java | 161 +++++++++++++++++++++ .../pdpx/main/startstop/TestXacmlPdpActivator.java | 14 +- 6 files changed, 174 insertions(+), 13 deletions(-) create mode 100644 main/src/test/java/org/onap/policy/pdpx/main/rest/TestXacmlPdpServiceFilter.java (limited to 'main/src/test') diff --git a/main/src/test/java/org/onap/policy/pdpx/main/CommonRest.java b/main/src/test/java/org/onap/policy/pdpx/main/CommonRest.java index 938fe581..422d4336 100644 --- a/main/src/test/java/org/onap/policy/pdpx/main/CommonRest.java +++ b/main/src/test/java/org/onap/policy/pdpx/main/CommonRest.java @@ -122,7 +122,7 @@ public class CommonRest { main = new Main(xacmlPdpConfigParameters); // start xacml rest controller - XacmlPdpActivator.getCurrent().startXacmlRestController(); + XacmlPdpActivator.getCurrent().enableApi(); if (!NetworkUtil.isTcpPortOpen("localhost", port, 20, 1000L)) { throw new IllegalStateException("server is not listening on port " + port); diff --git a/main/src/test/java/org/onap/policy/pdpx/main/XacmlStateTest.java b/main/src/test/java/org/onap/policy/pdpx/main/XacmlStateTest.java index 5ff3d5c7..0b8d1404 100644 
--- a/main/src/test/java/org/onap/policy/pdpx/main/XacmlStateTest.java +++ b/main/src/test/java/org/onap/policy/pdpx/main/XacmlStateTest.java @@ -130,12 +130,12 @@ public class XacmlStateTest { req.setState(PdpState.ACTIVE); status = state.updateInternalState(req); assertEquals(PdpState.ACTIVE, status.getState()); - verify(act).startXacmlRestController(); + verify(act).enableApi(); req.setState(PdpState.PASSIVE); status = state.updateInternalState(req); assertEquals(PdpState.PASSIVE, status.getState()); - verify(act).stopXacmlRestController(); + verify(act).disableApi(); } @Test diff --git a/main/src/test/java/org/onap/policy/pdpx/main/rest/TestAbbreviateDecisionResults.java b/main/src/test/java/org/onap/policy/pdpx/main/rest/TestAbbreviateDecisionResults.java index 8d80b832..3e525e91 100644 --- a/main/src/test/java/org/onap/policy/pdpx/main/rest/TestAbbreviateDecisionResults.java +++ b/main/src/test/java/org/onap/policy/pdpx/main/rest/TestAbbreviateDecisionResults.java @@ -135,7 +135,7 @@ public class TestAbbreviateDecisionResults { // Start the service // main = startXacmlPdpService(fileParams); - XacmlPdpActivator.getCurrent().startXacmlRestController(); + XacmlPdpActivator.getCurrent().enableApi(); // // Make sure it is running // diff --git a/main/src/test/java/org/onap/policy/pdpx/main/rest/TestDecision.java b/main/src/test/java/org/onap/policy/pdpx/main/rest/TestDecision.java index 77e8873f..fb7d7179 100644 --- a/main/src/test/java/org/onap/policy/pdpx/main/rest/TestDecision.java +++ b/main/src/test/java/org/onap/policy/pdpx/main/rest/TestDecision.java @@ -124,7 +124,7 @@ public class TestDecision { // Start the service // main = startXacmlPdpService(fileParams); - XacmlPdpActivator.getCurrent().startXacmlRestController(); + XacmlPdpActivator.getCurrent().enableApi(); // // Make sure it is running // @@ -260,4 +260,4 @@ public class TestDecision { LOGGER.error("Failed to copy {} to {}", source, dest); } } -} \ No newline at end of file +} 
diff --git a/main/src/test/java/org/onap/policy/pdpx/main/rest/TestXacmlPdpServiceFilter.java b/main/src/test/java/org/onap/policy/pdpx/main/rest/TestXacmlPdpServiceFilter.java
new file mode 100644
index 00000000..9f098f78
--- /dev/null
+++ b/main/src/test/java/org/onap/policy/pdpx/main/rest/TestXacmlPdpServiceFilter.java
@@ -0,0 +1,161 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2021 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.pdpx.main.rest;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.lenient;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class TestXacmlPdpServiceFilter {
+
+ // pick an arbitrary service
+ private static final String PERM_SVC = XacmlPdpServiceFilter.PERMANENT_SERVICES.iterator().next();
+
+ @Mock
+ private HttpServletRequest request;
+
+ @Mock
+ private HttpServletResponse response;
+
+ private FilterChain filterChain;
+
+ private XacmlPdpServiceFilter filter;
+
+
+ /**
+ * Initializes the fields.
+ */
+ @Before
+ public void setUp() {
+ XacmlPdpServiceFilter.disableApi();
+
+ filterChain = (req, resp) -> {
+ HttpServletResponse resp2 = (HttpServletResponse) resp;
+ resp2.setStatus(HttpServletResponse.SC_OK);
+ };
+
+ filter = new XacmlPdpServiceFilter();
+ }
+
+ @Test
+ public void testDoFilter() throws Exception {
+ XacmlPdpServiceFilter.enableApi();
+ lenient().when(request.getRequestURI()).thenReturn("/other");
+ assertThat(getFilterResponse()).isEqualTo(HttpServletResponse.SC_OK);
+ }
+
+ /**
+ * Tests doFilter() when the API is disabled, but a permanent service is requested.
+ */
+ @Test
+ public void testDoFilter_DisabledPermanentServiceReq() throws Exception {
+ XacmlPdpServiceFilter.disableApi();
+ when(request.getRequestURI()).thenReturn(PERM_SVC);
+ assertThat(getFilterResponse()).isEqualTo(HttpServletResponse.SC_OK);
+ }
+
+ /**
+ * Tests doFilter() when the API is disabled, but a permanent service is requested, with a leading slash.
+ */
+ @Test
+ public void testDoFilter_DisabledPermanentServiceReqLeadingSlash() throws Exception {
+ XacmlPdpServiceFilter.disableApi();
+ when(request.getRequestURI()).thenReturn("/" + PERM_SVC);
+ assertThat(getFilterResponse()).isEqualTo(HttpServletResponse.SC_OK);
+ }
+
+ /**
+ * Tests doFilter() when the API is disabled, but a permanent service is requested, with extra URI prefix.
+ */
+ @Test
+ public void testDoFilter_DisabledPermanentServiceReqExtraUri() throws Exception {
+ XacmlPdpServiceFilter.disableApi();
+ when(request.getRequestURI()).thenReturn("/some/stuff/" + PERM_SVC);
+ assertThat(getFilterResponse()).isEqualTo(HttpServletResponse.SC_OK);
+ }
+
+ /**
+ * Tests doFilter() when the API is disabled, but a permanent service is requested, with extra characters before
+ * the service name.
+ */
+ @Test
+ public void testDoFilter_DisabledPermanentServiceReqExtraChars() throws Exception {
+ XacmlPdpServiceFilter.disableApi();
+ when(request.getRequestURI()).thenReturn("/ExtraStuff" + PERM_SVC);
+ assertThat(getFilterResponse()).isEqualTo(HttpServletResponse.SC_CONFLICT);
+ }
+
+ /**
+ * Tests doFilter() when the API is disabled and an API service is requested.
+ */
+ @Test
+ public void testDoFilter_DisabledApiReq() throws Exception {
+ XacmlPdpServiceFilter.disableApi();
+ when(request.getRequestURI()).thenReturn("/other");
+ assertThat(getFilterResponse()).isEqualTo(HttpServletResponse.SC_CONFLICT);
+ }
+
+ /**
+ * Tests doFilter() when the API is disabled and an API service is requested.
+ */
+ @Test
+ public void testDoFilter_EnabledApiReq() throws Exception {
+ XacmlPdpServiceFilter.enableApi();
+ lenient().when(request.getRequestURI()).thenReturn("/other");
+ assertThat(getFilterResponse()).isEqualTo(HttpServletResponse.SC_OK);
+ }
+
+ @Test
+ public void testEnableApi_testDisableApi_testIsApiEnabled() {
+
+ XacmlPdpServiceFilter.enableApi();
+ assertThat(XacmlPdpServiceFilter.isApiEnabled()).isTrue();
+
+ XacmlPdpServiceFilter.disableApi();
+ assertThat(XacmlPdpServiceFilter.isApiEnabled()).isFalse();
+ }
+
+ /**
+ * Invokes doFilter().
+ * @return the response code set by the filter
+ */
+ private int getFilterResponse() throws Exception {
+ filter.doFilter(request, response, filterChain);
+
+ // should only be called once
+ var responseCode = ArgumentCaptor.forClass(Integer.class);
+ verify(response).setStatus(responseCode.capture());
+
+ return responseCode.getValue();
+ }
+}
diff --git a/main/src/test/java/org/onap/policy/pdpx/main/startstop/TestXacmlPdpActivator.java b/main/src/test/java/org/onap/policy/pdpx/main/startstop/TestXacmlPdpActivator.java
index c874761d..ff084047 100644
--- a/main/src/test/java/org/onap/policy/pdpx/main/startstop/TestXacmlPdpActivator.java
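Review bot: The disabled-API cases in TestXacmlPdpServiceFilter pin only that a URI ending in a permanent service name is let through (`"/some/stuff/" + PERM_SVC` yields `SC_OK`) and that a fused prefix is refused; no case covers the name in a non-final segment, or followed by a trailing slash or a `;` path parameter, all of which `getRequestURI()` hands over undecoded and unnormalized. The filter appears to be what keeps decision requests out while the API is disabled, so a negative case such as `when(request.getRequestURI()).thenReturn("/" + PERM_SVC + "/other");` expecting `SC_CONFLICT` would stop a later change to the matching logic from widening the allow-list unnoticed. The filter implementation is not part of this view (the patch is limited to main/src/test), so whether it already rejects those shapes is unconfirmed. Separately, the Javadoc on `testDoFilter_EnabledApiReq` says "disabled" and should read `Tests doFilter() when the API is enabled and an API service is requested.`; that test also duplicates `testDoFilter` line for line.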
+++ b/main/src/test/java/org/onap/policy/pdpx/main/startstop/TestXacmlPdpActivator.java @@ -1,6 +1,6 @@ /*- * ============LICENSE_START======================================================= - * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2019, 2021 AT&T Intellectual Property. All rights reserved. * Modifications Copyright (C) 2019 Nordix Foundation. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); @@ -77,21 +77,21 @@ public class TestXacmlPdpActivator extends CommonRest { @Test public void testXacmlPdpActivator() throws Exception { assertFalse(activator.isAlive()); - assertFalse(activator.isXacmlRestControllerAlive()); + assertFalse(activator.isApiEnabled()); activator.start(); assertTrue(activator.isAlive()); // XacmlPdp starts in PASSIVE state so the rest controller should not be alive - assertFalse(activator.isXacmlRestControllerAlive()); + assertFalse(activator.isApiEnabled()); assertTrue(activator.getParameterGroup().isValid()); assertEquals(CommonTestData.PDPX_PARAMETER_GROUP_NAME, activator.getParameterGroup().getName()); assertEquals(CommonTestData.PDPX_GROUP, activator.getParameterGroup().getPdpGroup()); - activator.startXacmlRestController(); - assertTrue(activator.isXacmlRestControllerAlive()); + activator.enableApi(); + assertTrue(activator.isApiEnabled()); - activator.stopXacmlRestController(); - assertFalse(activator.isXacmlRestControllerAlive()); + activator.disableApi(); + assertFalse(activator.isApiEnabled()); } @Test -- cgit 1.2.3-korg
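Review bot: The context comment `// XacmlPdp starts in PASSIVE state so the rest controller should not be alive` in testXacmlPdpActivator no longer matches the assertion beneath it, which now checks `isApiEnabled()` rather than controller liveness; reword it to `// XacmlPdp starts in PASSIVE state so the decision API should not be enabled`. The same stale wording remains in the CommonRest.java hunk, where `// start xacml rest controller` now sits above `enableApi()`. Because this test now observes only the flag, it does not by itself show that the filter is installed on the running server; if CommonRest's HTTP helpers allow it, asserting that a decision request is refused before `enableApi()` would close that gap.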