AAF Configuration in PDP-D
AAF is disabled by default until pairwise testing is completed.
Change-Id: Ica83873a2605742689ed0c2e06dfade20bef8bf0
Signed-off-by: Jorge Hernandez <jh1730@att.com>
Issue-ID: POLICY-1043
Signed-off-by: Jorge Hernandez <jh1730@att.com>
diff --git a/.gitignore b/.gitignore
index eb32cca..144f267 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,8 +10,8 @@
.metadata/
.idea/
target/
+*/config/
*/logs/
*/sql/
*/testingLogs/
-*/config/
**/*.iml
diff --git a/config/policy-engine.properties b/config/policy-engine.properties
deleted file mode 100644
index 56c2a67..0000000
--- a/config/policy-engine.properties
+++ /dev/null
@@ -1,38 +0,0 @@
-###
-# ============LICENSE_START=======================================================
-# policy-management
-# ================================================================================
-# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
-
-# Policy Engine Configuration
-
-# Configuration Channel Settings: PDPD_CONFIGURATION
-
-http.server.services=CONFIG,SECURED-CONFIG
-http.server.services.CONFIG.host=0.0.0.0
-http.server.services.CONFIG.port=9696
-http.server.services.CONFIG.restPackages=org.onap.policy.drools.server.restful
-http.server.services.CONFIG.managed=false
-http.server.services.CONFIG.swagger=true
-http.server.services.CONFIG.https=false
-
-http.server.services.SECURED-CONFIG.host=0.0.0.0
-http.server.services.SECURED-CONFIG.port=9697
-http.server.services.SECURED-CONFIG.restPackages=org.onap.policy.drools.server.restful
-http.server.services.SECURED-CONFIG.managed=false
-http.server.services.SECURED-CONFIG.swagger=true
-http.server.services.SECURED-CONFIG.https=true
diff --git a/config/policy-keystore b/config/policy-keystore
deleted file mode 100644
index b92217c..0000000
--- a/config/policy-keystore
+++ /dev/null
Binary files differ
diff --git a/config/policy-truststore b/config/policy-truststore
deleted file mode 100644
index 8834ac2..0000000
--- a/config/policy-truststore
+++ /dev/null
Binary files differ
diff --git a/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties b/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties
index ec457b7..e44543a 100644
--- a/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties
+++ b/feature-healthcheck/src/main/feature/config/feature-healthcheck.properties
@@ -27,6 +27,8 @@
http.server.services.HEALTHCHECK.userName=${{HEALTHCHECK_USER}}
http.server.services.HEALTHCHECK.password=${{HEALTHCHECK_PASSWORD}}
http.server.services.HEALTHCHECK.https=true
+http.server.services.HEALTHCHECK.aaf=false
+http.server.services.HEALTHCHECK.filterClasses=
http.client.services=PAP,PDP
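Review bot: `http.server.services.HEALTHCHECK.filterClasses=` is added empty at L86, so the `AafHealthCheckFilter` introduced in this same commit is not attached to the HEALTHCHECK server in the shipped configuration; flipping `aaf=false` to `true` alone would presumably turn on AAF authentication but not the granular permission check the filter implements. A comment saying what the two keys do and what value to set would save the next operator a code search, e.g. `# AAF: aaf=true requires AAF authentication; filterClasses=org.onap.policy.drools.healthcheck.AafHealthCheckFilter additionally enforces the granular healthcheck permission`. The defaults themselves look intentional given the description says AAF stays off until pairwise testing completes.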
diff --git a/feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java b/feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java
new file mode 100644
index 0000000..3cb9def
--- /dev/null
+++ b/feature-healthcheck/src/main/java/org/onap/policy/drools/healthcheck/AafHealthCheckFilter.java
@@ -0,0 +1,35 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.healthcheck;
+
+import org.onap.policy.common.endpoints.http.server.aaf.AafGranularAuthFilter;
+import org.onap.policy.drools.server.restful.aaf.AafBase;
+
+/**
+ * Healthcheck AAF Authorization Filter
+ */
+public class AafHealthCheckFilter extends AafGranularAuthFilter {
+
+ @Override
+ public String getPermissionTypeRoot() {
+ return AafBase.AAF_ROOT_PERMISSION;
+ }
+}
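Review bot: The class Javadoc `Healthcheck AAF Authorization Filter` does not say what `getPermissionTypeRoot` contributes, and the value it returns, `AafBase.AAF_ROOT_PERMISSION`, is a static that is resolved once from `PolicyEngine.manager.getProperties()` when `AafBase` is initialized, so the root cannot change after class load. I would document both: `/** AAF granular authorization filter for the healthcheck server; the permission type is rooted at {@link AafBase#AAF_ROOT_PERMISSION}, i.e. the {@code aaf.root.permission} engine property, bound at class-initialization time. */`. The full permission string (type suffix, instance, action) is assembled by the parent `AafGranularAuthFilter`, which is outside this commit, so I cannot confirm it here.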
diff --git a/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java
index 8ae7343..e0312f1 100644
--- a/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java
+++ b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/HealthCheckFeatureTest.java
@@ -25,6 +25,7 @@
import java.io.File;
import java.io.FileWriter;
+import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
@@ -34,6 +35,7 @@
import org.junit.BeforeClass;
import org.junit.Test;
import org.onap.policy.common.endpoints.properties.PolicyEndPointProperties;
+import org.onap.policy.common.utils.network.NetworkUtil;
import org.onap.policy.drools.healthcheck.HealthCheck.Report;
import org.onap.policy.drools.healthcheck.HealthCheck.Reports;
import org.onap.policy.drools.persistence.SystemPersistence;
@@ -81,7 +83,11 @@
PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + "HEALTHCHECK"
+ PolicyEndPointProperties.PROPERTY_HTTP_REST_CLASSES_SUFFIX,
org.onap.policy.drools.healthcheck.RestMockHealthCheck.class.getName());
- httpProperties.setProperty(PolicyEndPointProperties.PROPERTY_HTTP_CLIENT_SERVICES + "." + "HEALTHCHECK"
+ httpProperties.setProperty(
+ PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + "HEALTHCHECK"
+ + PolicyEndPointProperties.PROPERTY_HTTP_FILTER_CLASSES_SUFFIX,
+ org.onap.policy.drools.healthcheck.TestAafHealthCheckFilter.class.getName());
+ httpProperties.setProperty(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "." + "HEALTHCHECK"
+ PolicyEndPointProperties.PROPERTY_MANAGED_SUFFIX, "true");
@@ -101,7 +107,6 @@
httpProperties.setProperty(PolicyEndPointProperties.PROPERTY_HTTP_CLIENT_SERVICES + "." + "HEALTHCHECK"
+ PolicyEndPointProperties.PROPERTY_MANAGED_SUFFIX, "true");
-
configDirSetup();
}
@@ -117,15 +122,21 @@
}
@Test
- public void test() {
+ public void test() throws IOException, InterruptedException {
HealthCheckFeature feature = new HealthCheckFeature();
feature.afterStart(PolicyEngine.manager);
+ if (!NetworkUtil.isTcpPortOpen("localhost", 7777, 5, 10000L)) {
+ throw new IllegalStateException("cannot connect to port " + 7777);
+ }
+
Reports reports = HealthCheck.monitor.healthCheck();
+ assertTrue(reports.getDetails().size() > 0);
+
for (Report rpt : reports.getDetails()) {
- if (rpt.getName() == "HEALTHCHECK") {
+ if ("HEALTHCHECK".equals(rpt.getName())) {
assertTrue(rpt.isHealthy());
assertEquals(200, rpt.getCode());
assertEquals("All Alive", rpt.getMessage());
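Review bot: The port literal `7777` is repeated at L172 and L173 and nothing in the hunk ties it to the port the HEALTHCHECK server is given earlier in `setUp` (outside this hunk); a named constant, `private static final int HEALTHCHECK_PORT = 7777;`, used in both places and in the property setup would keep the two from drifting. `assertTrue(reports.getDetails().size() > 0)` at L177 reads better as `assertFalse(reports.getDetails().isEmpty())`, which needs `assertFalse` statically imported alongside the existing `assertTrue`. The replacement of `==` with `"HEALTHCHECK".equals(...)` at L181 is a genuine fix; the body of `test()` continues past the end of the hunk.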
@@ -141,7 +152,7 @@
/**
* setup up config directory.
*/
- protected static void configDirSetup() {
+ private static void configDirSetup() {
File origPropsFile = new File(healthCheckPropsPath.toString());
File backupPropsFile = new File(healthCheckPropsBackupPath.toString());
@@ -167,7 +178,7 @@
/**
* cleanup up config directory.
*/
- protected static void configDirCleanup() {
+ private static void configDirCleanup() {
File origPropsFile = new File(healthCheckPropsBackupPath.toString());
File backupPropsFile = new File(healthCheckPropsPath.toString());
diff --git a/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java
new file mode 100644
index 0000000..03ca689
--- /dev/null
+++ b/feature-healthcheck/src/test/java/org/onap/policy/drools/healthcheck/TestAafHealthCheckFilter.java
@@ -0,0 +1,46 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.healthcheck;
+
+import javax.servlet.http.HttpServletRequest;
+import org.onap.policy.common.utils.network.NetworkUtil;
+
+/**
+ * Healthcheck AAF Authorization Filter
+ */
+public class TestAafHealthCheckFilter extends AafHealthCheckFilter {
+
+ @Override
+ protected String getRole(HttpServletRequest request) {
+ String expectedPerm = "org.onap.policy.pdpd.healthcheck.test|"
+ + NetworkUtil.getHostname() + "|get";
+ if (!expectedPerm.equals(super.getRole(request))) {
+ throw new IllegalStateException("unexpected AAF granular permission");
+ } else {
+ return "user";
+ }
+ }
+
+ @Override
+ public String getPermissionTypeRoot() {
+ return "org.onap.policy.pdpd";
+ }
+}
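Review bot: The Javadoc `Healthcheck AAF Authorization Filter` at L232-L234 is copied from the production class and hides that this is a test double that throws on an unexpected permission and otherwise answers a fixed role; someone finding it on the classpath would take it for a real filter. Suggest `/** Test double for {@link AafHealthCheckFilter}: fails fast with IllegalStateException when the granular permission built by the parent differs from the expected healthcheck permission, otherwise returns the fixed role "user". */`. The expected literal `org.onap.policy.pdpd.healthcheck.test|...|get` at L239 and the root `org.onap.policy.pdpd` returned at L250 are maintained separately, and the `.healthcheck.test` suffix is presumably appended by `AafGranularAuthFilter`, which is outside this commit, so a comment tying the two literals together would help whoever changes one of them.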
diff --git a/packages/docker/src/main/docker/do-start.sh b/packages/docker/src/main/docker/do-start.sh
index 9e4659d..af7b3d9 100644
--- a/packages/docker/src/main/docker/do-start.sh
+++ b/packages/docker/src/main/docker/do-start.sh
@@ -56,7 +56,7 @@
. /opt/app/policy/etc/profile.d/env.sh
- # override the policy keystore and truststore if present
+ # allow user to override the key or/and the trust stores
if [[ -f config/policy-keystore ]]; then
cp -f config/policy-keystore ${POLICY_HOME}/etc/ssl
@@ -66,6 +66,24 @@
cp -f config/policy-truststore ${POLICY_HOME}/etc/ssl
fi
+ # allow user to override all or some aaf configuration
+
+ if [[ -f config/aaf.properties ]]; then
+ cp -f config/aaf.properties ${POLICY_HOME}/config/aaf.properties
+ fi
+
+ if [[ -f config/aaf-location.properties ]]; then
+ cp -f config/aaf-location.properties ${POLICY_HOME}/config/aaf-location.properties
+ fi
+
+ if [[ -f config/aaf-credentials.properties ]]; then
+ cp -f config/aaf-credentials.properties ${POLICY_HOME}/config/aaf-credentials.properties
+ fi
+
+ if [[ -f config/aaf-cadi.keyfile ]]; then
+ cp -f config/aaf-cadi.keyfile ${POLICY_HOME}/config/aaf-cadi.keyfile
+ fi
+
if [[ -f config/drools-tweaks.sh ]] ; then
echo "Executing tweaks"
# file may not be executable; running it as an
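Review bot: The four new copy blocks at L268-L282 are the same statement with a different file name; a loop over the file names keeps the list in one place and makes adding the next AAF file a one-word change. Two of those files, `aaf-credentials.properties` and `aaf-cadi.keyfile`, carry secret material, and `cp -f` onto an existing destination keeps whatever mode that destination already has, so the mode the image ships those two files with (not visible here) is what governs their exposure — an explicit `chmod 600` after the copy would make the intent visible. The surrounding script continues outside the hunk.
```shell
    # allow user to override all or some aaf configuration

    for aafFile in aaf.properties aaf-location.properties aaf-credentials.properties aaf-cadi.keyfile; do
        if [[ -f config/${aafFile} ]]; then
            cp -f config/${aafFile} ${POLICY_HOME}/config/${aafFile}
        fi
    done

    # … unchanged: drools-tweaks.sh handling …
```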
diff --git a/packages/install/src/files/base.conf b/packages/install/src/files/base.conf
index 0c44093..dd9e7c5 100644
--- a/packages/install/src/files/base.conf
+++ b/packages/install/src/files/base.conf
@@ -59,6 +59,11 @@
PDPD_CONFIGURATION_CONSUMER_INSTANCE=
PDPD_CONFIGURATION_PARTITION_KEY=
+# AAF
+
+AAF_NAMESPACE=org.onap.policy
+AAF_HOST=aaf-onap-test.osaaf.org
+
# PAP
PAP_HOST=
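Review bot: `AAF_HOST=aaf-onap-test.osaaf.org` at L297 defaults the installer to an external ONAP test locator, so an installation that does not override it will try to reach that host for AAF lookups as soon as AAF is switched on. The neighbouring keys such as `PAP_HOST=` default to empty; leaving `AAF_HOST=` empty too, with a comment `# AAF locator host, e.g. aaf-onap-test.osaaf.org for the ONAP test environment`, would make the dependency on an outside service an explicit deployment choice rather than an inherited default. `AAF_NAMESPACE=org.onap.policy` looks like a reasonable default and matches the `aaf.root.permission` value in policy-engine.properties.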
diff --git a/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java
new file mode 100644
index 0000000..0c8465a
--- /dev/null
+++ b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java
@@ -0,0 +1,35 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.server.restful.aaf;
+
+import org.onap.policy.common.endpoints.http.server.aaf.AafAuthFilter;
+import org.onap.policy.drools.system.PolicyEngine;
+
+/**
+ * AAF Base Class
+ */
+public abstract class AafBase extends AafAuthFilter {
+ public static final String AAF_NODETYPE = "pdpd";
+ public static final String AAF_ROOT_PERMISSION_PROPERTY = "aaf.root.permission";
+ public static final String AAF_ROOT_PERMISSION =
+ PolicyEngine.manager.getProperties().getProperty
+ (AAF_ROOT_PERMISSION_PROPERTY, DEFAULT_NAMESPACE + "." + AAF_NODETYPE);
+}
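Review bot: `AAF_ROOT_PERMISSION` at L338-L340 is evaluated once, when `AafBase` is first initialized, from whatever `PolicyEngine.manager.getProperties()` holds at that moment; if the filter class is loaded before the engine properties are configured (a filter instantiated while the HTTP server is being built, or a JUnit that touches the class before its `setUp`), the `DEFAULT_NAMESPACE + "." + AAF_NODETYPE` fallback is frozen in and a later `aaf.root.permission` setting is silently ignored. `AafTelemetryAuthFilter.RESOURCE_TYPE` in the next hunk derives from the same constant and inherits that behaviour. At minimum the Javadoc should state it: `/** Base for PDP-D AAF filters. {@link #AAF_ROOT_PERMISSION} is the {@code aaf.root.permission} engine property, read once at class-initialization time; later property changes are not seen. */`; the line break before `(` at L340 also looks like a typo and belongs on the `getProperty` line. `DEFAULT_NAMESPACE` comes from `AafAuthFilter`, which is outside this commit.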
diff --git a/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java
new file mode 100644
index 0000000..f2e50ee
--- /dev/null
+++ b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java
@@ -0,0 +1,41 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.server.restful.aaf;
+
+import javax.servlet.http.HttpServletRequest;
+import org.onap.policy.common.utils.network.NetworkUtil;
+
+/**
+ * AAF Telemetry Authorization
+ */
+public class AafTelemetryAuthFilter extends AafBase {
+ private static final String RESOURCE_TYPE = AAF_ROOT_PERMISSION + "." + "telemetry";
+
+ @Override
+ protected String getPermissionType(HttpServletRequest request) {
+ return RESOURCE_TYPE;
+ }
+
+ @Override
+ protected String getPermissionInstance(HttpServletRequest request) {
+ return NetworkUtil.getHostname();
+ }
+}
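Review bot: The Javadoc `AAF Telemetry Authorization` does not record the permission this filter enforces, which is the one fact an operator granting AAF permissions needs; from L377 and L386 the permission type is `<aaf.root.permission>.telemetry` and the instance is the local hostname from `NetworkUtil.getHostname()`. Suggest `/** AAF authorization for the telemetry server: permission type {@code <AAF_ROOT_PERMISSION>.telemetry}, permission instance the local hostname. */`. The action component of the permission is produced in `AafAuthFilter`, outside this commit, so the comment should not claim what it is.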
diff --git a/policy-management/src/main/server-gen/bin/policy-management-controller b/policy-management/src/main/server-gen/bin/policy-management-controller
index cc6a8c7..bad1783 100644
--- a/policy-management/src/main/server-gen/bin/policy-management-controller
+++ b/policy-management/src/main/server-gen/bin/policy-management-controller
@@ -96,9 +96,9 @@
remove_pid_file
else
if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then
- http_proxy= curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
+ http_proxy= curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
else
- http_proxy= curl --silent -X DELETE http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
+ http_proxy= curl -k --silent -X DELETE https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
fi
sleep 5
echo "Stopping $SNAME..."
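Review bot: `curl -k` at L398 and L401 turns off TLS certificate verification for the new `https://localhost` calls, and the same change appears in rest-add-controller (L414, L419) and rest-delete-controller (L433, L438). For a loopback call to an endpoint that presumably presents the self-signed `policy-keystore` certificate this is a defensible trade-off, but it should be stated rather than implied; a comment before the first call such as `# -k: the engine endpoint is loopback-only and presents the local policy-keystore certificate, which is not in curl's CA bundle` records why verification is skipped. If a PEM export of that certificate is available at install time, `--cacert` would restore verification with no other script change. `ENGINE_MANAGEMENT_PORT` must now name the HTTPS port; its definition is outside the hunk.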
diff --git a/policy-management/src/main/server-gen/bin/rest-add-controller b/policy-management/src/main/server-gen/bin/rest-add-controller
index 187b291..0dd82ee 100644
--- a/policy-management/src/main/server-gen/bin/rest-add-controller
+++ b/policy-management/src/main/server-gen/bin/rest-add-controller
@@ -26,11 +26,11 @@
if [ -f ${json} ]; then
if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then
- curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X POST --data @${json} --header "Content-Type: application/json" \
- http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
+ curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X POST --data @${json} --header "Content-Type: application/json" \
+ https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
else
- curl --silent -X POST --data @${json} --header "Content-Type: application/json" \
- http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
+ curl -k --silent -X POST --data @${json} --header "Content-Type: application/json" \
+ https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
fi
else
echo "Usage: rest-add-controller.sh closed-loop-sample|reporter|sepc|vsegw|.. (or any other config file ending with *-controller.rest.json)"
diff --git a/policy-management/src/main/server-gen/bin/rest-delete-controller b/policy-management/src/main/server-gen/bin/rest-delete-controller
index de1d601..03e6748 100644
--- a/policy-management/src/main/server-gen/bin/rest-delete-controller
+++ b/policy-management/src/main/server-gen/bin/rest-delete-controller
@@ -24,11 +24,11 @@
if [[ -n $1 ]]; then
if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then
- curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE --header "Content-Type: application/json" \
- http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
+ curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE --header "Content-Type: application/json" \
+ https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
else
- curl --silent -X DELETE --header "Content-Type: application/json" \
- http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
+ curl -k --silent -X DELETE --header "Content-Type: application/json" \
+ https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
fi
echo
exit
diff --git a/policy-management/src/main/server/config/aaf-cadi.keyfile b/policy-management/src/main/server/config/aaf-cadi.keyfile
new file mode 100644
index 0000000..59d544f
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf-cadi.keyfile
@@ -0,0 +1,27 @@
+N3INM2bAlQ8cNODnjR3Fuvo5z4GeID0KnRYlELmt-oHCFxq_XYVyepBVR591CIbJI9prNd_LLuv7
+tQD8xX_ypcNA-jQsecTwtw4GxvpqkZPhq6Q8BWNQaCegtXGDVTQ8gG2biKiQ7v-2C6Qhx4zj62b6
+bRPS5j1bfxqcAZu7082V00oQjbn40T2zFcLwCuBChZfx5DXTW49bwtLbkCbGqJSzFcIJpbGQ8gLg
+ussIoL8VE2Vee7bPJmUAdT4x9B1wrMIuvKlUMppeq0Bj-6ZJgxhM9F0WT8eEBh6NFANdK3LUgZrk
+D3kY3LrK-MT9u1TOMx13nOU7vOaVjl7_rkp5Q65gFd9VYbnJBYvJcc7asOQMsrugiSiRIoXH0Fyy
+-f9L3ROGae042J4M8qxcoOihMbcjVkEXqn6eRIFbDe0eIAlkSRYfaxg9v4tf8GbBjQcShBjzGaI2
+g6QxTA5G6Aa7p63aVRGv3ZODCHcbsbxnkyByXgmkON4cTk9vR0RbT6YYhT5t8xTU3rhqV3jeE0Bz
+KbU0c4188xTnhdq_bje2TuuLvtEvevdvDsbtAj7chQmWMOW7GMF3MnqdEpcw1NCoNRdN8wpAdE-5
+mkG-jlYHljSRh9qZK5wdEoO4IXgpFktdGj50XuzcskqqURNfDGHGb29fHznL1-ssdQK6EXcKN0AU
+nYyGLAie3VfFxWKj5dGODBs5RttvkX4PHyLcLD3kOrVgtQrz7d0PWWYCxDRqKT6qnJkLB1CUwghn
+XweEiDfoQmuUmwFEQNRDp0NGLnde5nsw7NYgLrv5VafGK8EyT4GeVhuu5Tnb6T-HalxCq2p5JaIA
+SG8zlDmRx_TykrhfQEJe7sr0pRcAMwgxEhwunG2oBiKnzdRx5jxMfqnVC8xGirumhmOQNterfnd5
+0pIsfvIuntyxRQ48yzIb2gb5kaSkfSzCaVnlqK-_jpj1T74qO86eaKVee4faQAbXDPYF2z5w06nD
+WS2dd54wBjGmkFNzi13ejTrAJeA6UzOd1CF_WSpc9XSJJPTPUGxmnfLjmGThErFBYuQxjhpH7vKN
+uZgokkIXX78rVcO3zpfa5kTYWjE8lk9y3WA7sGNtTWfG8bR3WLWNLPCnrzxtKZdhq2JsQYC0gwW7
+ZgJSXhgPoaC_RrtCn7haj1_601G_MkD-jcUEsO-4XOBVicsCgG8hn7B-SpgKspqv8gulbeKoORqa
+CkrtiFPlXEqdNuaBSHcQ0MWJ3tpXzWtIPM3ouEFOR32xVfptfz4sRPOkM_PNiVXxQtLOn_z3uC7K
+VVJCKZxVaavQ6QiZvRRANS9_GD3kDILX15EnbEvh-2DfycDrEo330vMwvNJP7i9eM5vo0YADe--G
+r5UDqctmFjl1ulc1yAQkDBGWGxT92x-hhLqCnCXcYPu_aeWssfDpRj573PHPaTiM0SYxJixjszRD
+6-AMC1DqugkjiGA5_enQORn-G_H4ZVtoQ_zebizEfIxKv5-8uRdyZDHGG3mDu6_nasEffry-UyVu
+STU3oJMycZ1qf5GR1evRJ7gxkrtPXHWKNnVgxfrBC72ON6wJnr7KaY-l9L44epIsk1pEmXm3YQu1
+N0NxiAwdus9OnCXQ7GgZPRXCpxjJPNs7EIKFrYjKJfdtSzT85ZrTpHQtjim2L1ZP9iIlq2QVKD1v
+bKSjCwjtb9ztjrV-Bw1BHcAApPcfpXHLhYkJ7iL1XUhxjXp_DGUkD7ZN9S5tuyrsMXz5hh6wMfcq
+NPR_XqHaS2ur-ONNrHuFFCmY7Ehc5FArFzb_Xn1JTpOQJTcy6_3r3u3B_euT8GmXHahtVN1Rv8RM
+kAD5m_UBx-nHoZDVDYZkfR9k4hF2Sz5rfrWs6Zrl0r8FBrVFtU1j2vOTvTGwrkO9yZvgIqOkX_eq
+TnGIpM4paHxEGTP8H8A3Y0ZpsvLttmh0rT_OwzBPa1Mof3RQKhyTzfbptxuUJyVxU0Ln-9f--5Mk
+wEFqhuSrgssI6b1iMqm97PqFQMYrWX3SV8l0V-PKxFxDM1bguHq4mOXEtmZBUtMBepwSsI96
\ No newline at end of file
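Review bot: A CADI keyfile is committed at L449-L475 and will ship in every build; it is the key CADI uses to encode and decode protected property values, so anything protected with it (for example `enc:`-encoded values in aaf-credentials.properties) is only as secret as read access to this repository, and every deployment that does not override it shares the same key. The do-start.sh hunk lets a deployer drop in their own `config/aaf-cadi.keyfile`, which is the right escape hatch; I would document next to `cadi_keyfile=` in aaf-credentials.properties (the keyfile itself cannot carry a comment) that the shipped file is a development placeholder to be regenerated per deployment, and keep real credentials out of values protected by it.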
diff --git a/policy-management/src/main/server/config/aaf-credentials.properties b/policy-management/src/main/server/config/aaf-credentials.properties
new file mode 100644
index 0000000..aaa5f16
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf-credentials.properties
@@ -0,0 +1,9 @@
+cm_url=https://AAF_LOCATE_URL/AAF_NS.cm:2.1
+cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US
+cadi_keyfile=${{POLICY_HOME}}/config/aaf-cadi.keyfile
+cadi_keystore=${{POLICY_HOME}}/etc/ssl/policy-keystore
+cadi_keystore_password=${{KEYSTORE_PASSWD}}
+cadi_key_password=${{KEYSTORE_PASSWD}}
+cadi_alias=policy@policy.onap.org
+cadi_truststore=${{POLICY_HOME}}/etc/ssl/policy-truststore
+cadi_truststore_password=${{TRUSTSTORE_PASSWD}}
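Review bot: `cm_url=https://AAF_LOCATE_URL/AAF_NS.cm:2.1` at L483 is also set in aaf.properties (L515), and aaf.properties pulls this file in through `cadi_prop_files`, so the value is defined twice and can drift; keep it in one place. `cadi_keystore_password`, `cadi_key_password` and `cadi_truststore_password` at L487-L491 resolve `${{KEYSTORE_PASSWD}}`/`${{TRUSTSTORE_PASSWD}}` into cleartext in a file under `config/`; if the CADI version in use supports `enc:` values encoded with `cadi_keyfile`, that keeps the resolved file free of plaintext passwords, though only when the keyfile is per-deployment rather than the committed one. `cadi_x509_issuers` at L484 pins two ONAP test intermediate CAs and deserves the same "test-environment value" comment as `AAF_HOST`.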
\ No newline at end of file
diff --git a/policy-management/src/main/server/config/aaf-location.properties b/policy-management/src/main/server/config/aaf-location.properties
new file mode 100644
index 0000000..dc828e7
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf-location.properties
@@ -0,0 +1,2 @@
+cadi_latitude=38.000
+cadi_longitude=-72.000
diff --git a/policy-management/src/main/server/config/aaf.properties b/policy-management/src/main/server/config/aaf.properties
new file mode 100644
index 0000000..8084be9
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf.properties
@@ -0,0 +1,11 @@
+cadi_prop_files=${{POLICY_HOME}}/config/aaf-credentials.properties:${{POLICY_HOME}}/config/aaf-location.properties
+cadi_loglevel=DEBUG
+aaf_env=DEV
+aaf_locate_url=https://${{AAF_HOST}}:8095
+aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect
+aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.1/token
+aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.1
+cadi_protocols=TLSv1.1,TLSv1.2
+cm_url=https://AAF_LOCATE_URL/AAF_NS.cm:2.1
+fs_url=https://AAF_LOCATE_URL/AAF_NS.fs.2.1
+gui_url=https://AAF_LOCATE_URL/AAF_NS.gui.2.1
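Review bot: `cadi_protocols=TLSv1.1,TLSv1.2` at L514 still allows TLS 1.1, which is deprecated; unless a peer in the pairwise test needs it, `cadi_protocols=TLSv1.2` is the safer default. `cadi_loglevel=DEBUG` at L508 ships debug-level CADI logging in the default configuration, useful during pairwise testing but something to lower to `INFO` (or make an environment substitution like the other values) before AAF is enabled for real. `fs_url` and `gui_url` at L516-L517 use `AAF_NS.fs.2.1`/`AAF_NS.gui.2.1` while every other entry uses the `:2.1` form, which is worth confirming against the locator's expected syntax.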
diff --git a/policy-management/src/main/server/config/policy-engine.properties b/policy-management/src/main/server/config/policy-engine.properties
index 758d13e..8e51752 100644
--- a/policy-management/src/main/server/config/policy-engine.properties
+++ b/policy-management/src/main/server/config/policy-engine.properties
@@ -49,3 +49,6 @@
http.server.services.SECURED-CONFIG.managed=false
http.server.services.SECURED-CONFIG.swagger=true
http.server.services.SECURED-CONFIG.https=true
+
+aaf.namespace=${{AAF_NAMESPACE}}
+aaf.root.permission=${{AAF_NAMESPACE}}.pdpd
diff --git a/policy-management/src/main/server/config/system.properties b/policy-management/src/main/server/config/system.properties
index 5c024e1..6bac0ea 100644
--- a/policy-management/src/main/server/config/system.properties
+++ b/policy-management/src/main/server/config/system.properties
@@ -34,6 +34,10 @@
javax.net.ssl.keyStore=${{POLICY_HOME}}/etc/ssl/policy-keystore
javax.net.ssl.keyStorePassword=${{KEYSTORE_PASSWD}}
+# aaf
+
+cadi_prop_files=config/aaf.properties
+
# standard logging
logback.configurationFile=config/logback.xml
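Review bot: `cadi_prop_files=config/aaf.properties` at L538 is a path relative to the JVM's working directory, while the keystore entries in the same file (L534) and aaf.properties itself (L507) use `${{POLICY_HOME}}`; `logback.configurationFile` gives precedent for the relative form, but `cadi_prop_files=${{POLICY_HOME}}/config/aaf.properties` removes the dependency on the start directory for a path that is presumably consumed by the CADI library rather than by PDP-D's own startup code. A one-line comment on what the key is (`# entry point of the AAF/CADI configuration chain`) would also help, since the key name gives no hint.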
diff --git a/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java
index 68a52ad..ce34ec8 100644
--- a/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java
+++ b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/RestManagerTest.java
@@ -29,14 +29,17 @@
import java.util.Properties;
import org.apache.http.HttpEntity;
-import org.apache.http.client.ClientProtocolException;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
+import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.junit.AfterClass;
import org.junit.BeforeClass;
@@ -45,6 +48,7 @@
import org.junit.runners.MethodSorters;
import org.onap.policy.common.endpoints.event.comm.TopicEndpoint;
import org.onap.policy.common.endpoints.properties.PolicyEndPointProperties;
+import org.onap.policy.common.utils.network.NetworkUtil;
import org.onap.policy.drools.persistence.SystemPersistence;
import org.onap.policy.drools.system.PolicyController;
import org.onap.policy.drools.system.PolicyEngine;
@@ -53,10 +57,12 @@
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class RestManagerTest {
- public static final int DEFAULT_TELEMETRY_PORT = 7887;
+ private static final int DEFAULT_TELEMETRY_PORT = 7887;
private static final String HOST = "localhost";
private static final String REST_MANAGER_PATH = "/policy/pdp";
private static final String HOST_URL = "http://" + HOST + ":" + DEFAULT_TELEMETRY_PORT + REST_MANAGER_PATH;
+ private static final String TELEMETRY_USER = "x";
+ private static final String TELEMETRY_PASSWORD = "y";
private static final String FOO_CONTROLLER = "foo";
private static final String UEB_TOPIC = "UEB-TOPIC-TEST";
@@ -100,7 +106,7 @@
* @throws IOException throws an IO exception
*/
@BeforeClass
- public static void setUp() throws IOException {
+ public static void setUp() throws IOException, InterruptedException {
cleanUpWorkingDirs();
SystemPersistence.manager.setConfigurationDir(null);
@@ -110,6 +116,15 @@
engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "."
+ PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_PORT_SUFFIX,
"" + DEFAULT_TELEMETRY_PORT);
+ engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "."
+ + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_FILTER_CLASSES_SUFFIX,
+ TestAafTelemetryAuthFilter.class.getName());
+ engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "."
+ + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_AUTH_USERNAME_SUFFIX,
+ TELEMETRY_USER);
+ engineProps.put(PolicyEndPointProperties.PROPERTY_HTTP_SERVER_SERVICES + "."
+ + PolicyEngine.TELEMETRY_SERVER_DEFAULT_NAME + PolicyEndPointProperties.PROPERTY_HTTP_AUTH_PASSWORD_SUFFIX,
+ TELEMETRY_PASSWORD);
/* other properties */
engineProps.put(PolicyEndPointProperties.PROPERTY_UEB_SOURCE_TOPICS, UEB_TOPIC);
@@ -132,10 +147,16 @@
Properties controllerProps = new Properties();
PolicyEngine.manager.createPolicyController(FOO_CONTROLLER, controllerProps);
+ // client = HttpClients.createDefault();
+ CredentialsProvider provider = new BasicCredentialsProvider();
+ UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(TELEMETRY_USER, TELEMETRY_PASSWORD);
+ provider.setCredentials(AuthScope.ANY, credentials);
- client = HttpClients.createDefault();
+ client = HttpClientBuilder.create().setDefaultCredentialsProvider(provider).build();
-
+ if (!NetworkUtil.isTcpPortOpen("localhost", DEFAULT_TELEMETRY_PORT, 5, 10000L)) {
+ throw new IllegalStateException("cannot connect to port " + DEFAULT_TELEMETRY_PORT);
+ }
}
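Review bot: The commented-out `// client = HttpClients.createDefault();` at L611 is dead code left behind by the replacement at L616, and the `HttpClients` import it relied on was removed in the first hunk, so it should be deleted rather than kept as a reminder. `AuthScope.ANY` at L614 sends the test credentials to any host the client contacts, which is fine for a localhost-only test but worth a comment, e.g. `// test-only credentials; scope is irrelevant for a loopback client`. `setUp` starts before this hunk.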
/**
@@ -157,7 +178,7 @@
@Test
- public void putDeleteTest() throws ClientProtocolException, IOException, InterruptedException {
+ public void putDeleteTest() throws IOException {
HttpDelete httpDelete;
CloseableHttpResponse response;
@@ -358,7 +379,7 @@
@Test
- public void getTest() throws ClientProtocolException, IOException, InterruptedException {
+ public void getTest() throws IOException {
HttpGet httpGet;
CloseableHttpResponse response;
@@ -854,7 +875,7 @@
* @param response incoming response
* @return the body or null
*/
- public String getResponseBody(CloseableHttpResponse response) {
+ private String getResponseBody(CloseableHttpResponse response) {
HttpEntity entity;
try {
diff --git a/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java
new file mode 100644
index 0000000..c7d5232
--- /dev/null
+++ b/policy-management/src/test/java/org/onap/policy/drools/server/restful/test/TestAafTelemetryAuthFilter.java
@@ -0,0 +1,43 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.server.restful.test;
+
+import javax.servlet.http.HttpServletRequest;
+import org.onap.policy.common.utils.network.NetworkUtil;
+import org.onap.policy.drools.server.restful.aaf.AafTelemetryAuthFilter;
+
+/**
+ * Test AAF Telemetry Authorization Filter for Junits
+ */
+public class TestAafTelemetryAuthFilter extends AafTelemetryAuthFilter {
+
+ @Override
+ protected String getRole(HttpServletRequest request) {
+ String expectedPerm = "org.onap.policy.pdpd.telemetry|"
+ + NetworkUtil.getHostname() + "|"
+ + request.getMethod().toLowerCase();
+ if (!expectedPerm.equals(super.getRole(request))) {
+ throw new IllegalStateException("unexpected permission");
+ } else {
+ return "user";
+ }
+ }
+}
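Review bot: `request.getMethod().toLowerCase()` at L684 is locale-sensitive, so the expected value depends on the JVM's default locale; `toLowerCase(Locale.ROOT)` (with `import java.util.Locale;`) pins it, unless the parent deliberately uses the same default-locale call, in which case a comment saying so is enough. The Javadoc already says this is a test double, which is better than its healthcheck counterpart; adding what it asserts — `/** Test double for {@link AafTelemetryAuthFilter}: fails with IllegalStateException if the granular permission built by the parent is not {@code <root>.telemetry|<hostname>|<method>}, otherwise returns the fixed role "user". */` — documents the expected permission shape in one place.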