AAF Configuration in PDP-D
AAF is disabled by default until pairwise testing is completed.
Change-Id: Ica83873a2605742689ed0c2e06dfade20bef8bf0
Signed-off-by: Jorge Hernandez <jh1730@att.com>
Issue-ID: POLICY-1043
Signed-off-by: Jorge Hernandez <jh1730@att.com>
diff --git a/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java
new file mode 100644
index 0000000..0c8465a
--- /dev/null
+++ b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafBase.java
@@ -0,0 +1,35 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.server.restful.aaf;
+
+import org.onap.policy.common.endpoints.http.server.aaf.AafAuthFilter;
+import org.onap.policy.drools.system.PolicyEngine;
+
+/**
+ * AAF Base Class
+ */
+public abstract class AafBase extends AafAuthFilter {
+ public static final String AAF_NODETYPE = "pdpd";
+ public static final String AAF_ROOT_PERMISSION_PROPERTY = "aaf.root.permission";
+ public static final String AAF_ROOT_PERMISSION =
+ PolicyEngine.manager.getProperties().getProperty
+ (AAF_ROOT_PERMISSION_PROPERTY, DEFAULT_NAMESPACE + "." + AAF_NODETYPE);
+}
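Review bot: `AAF_ROOT_PERMISSION` (lines 44-46) is evaluated once, during static initialization of `AafBase`, so whatever `PolicyEngine.manager.getProperties()` holds when the filter class is first loaded is fixed for the lifetime of the JVM and a property set later is never seen; whether the engine properties are guaranteed to be loaded before the first AAF filter is instantiated is not visible here and is worth confirming. When the property is absent the fallback is `DEFAULT_NAMESPACE + "." + AAF_NODETYPE` (with `DEFAULT_NAMESPACE` presumably inherited from `AafAuthFilter`), and that happens silently, so the class Javadoc at lines 38-40 should state both the load-time binding and the fallback, e.g. `Base class for PDP-D AAF authorization filters; AAF_ROOT_PERMISSION is read from the engine property "aaf.root.permission" when this class is loaded and defaults to DEFAULT_NAMESPACE + ".pdpd".` Stylistically, the split call on lines 45-46 leaves the opening parenthesis on its own line; `.getProperty(AAF_ROOT_PERMISSION_PROPERTY, DEFAULT_NAMESPACE + "." + AAF_NODETYPE)` on a single continuation line reads more conventionally.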
diff --git a/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java
new file mode 100644
index 0000000..f2e50ee
--- /dev/null
+++ b/policy-management/src/main/java/org/onap/policy/drools/server/restful/aaf/AafTelemetryAuthFilter.java
@@ -0,0 +1,41 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.drools.server.restful.aaf;
+
+import javax.servlet.http.HttpServletRequest;
+import org.onap.policy.common.utils.network.NetworkUtil;
+
+/**
+ * AAF Telemetry Authorization
+ */
+public class AafTelemetryAuthFilter extends AafBase {
+ private static final String RESOURCE_TYPE = AAF_ROOT_PERMISSION + "." + "telemetry";
+
+ @Override
+ protected String getPermissionType(HttpServletRequest request) {
+ return RESOURCE_TYPE;
+ }
+
+ @Override
+ protected String getPermissionInstance(HttpServletRequest request) {
+ return NetworkUtil.getHostname();
+ }
+}
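Review bot: The class Javadoc at lines 79-81 does not say what this filter authorizes: from lines 83-92 the permission type is `<aaf.root.permission>.telemetry` and the permission instance is the local hostname from `NetworkUtil.getHostname()`, both independent of the incoming request, and a reader has to open `AafBase` to find where the root permission comes from. A short Javadoc stating that contract (type `AAF_ROOT_PERMISSION + ".telemetry"`, instance the PDP-D's own hostname, and that the `request` argument is unused by both overrides) would let an operator map AAF grants to this endpoint without reading the code. Minor: `AAF_ROOT_PERMISSION + "." + "telemetry"` on line 83 concatenates two literals; `AAF_ROOT_PERMISSION + ".telemetry"` says the same thing.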
diff --git a/policy-management/src/main/server-gen/bin/policy-management-controller b/policy-management/src/main/server-gen/bin/policy-management-controller
index cc6a8c7..bad1783 100644
--- a/policy-management/src/main/server-gen/bin/policy-management-controller
+++ b/policy-management/src/main/server-gen/bin/policy-management-controller
@@ -96,9 +96,9 @@
remove_pid_file
else
if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then
- http_proxy= curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
+ http_proxy= curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
else
- http_proxy= curl --silent -X DELETE http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
+ http_proxy= curl -k --silent -X DELETE https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine -o /dev/null
fi
sleep 5
echo "Stopping $SNAME..."
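Review bot: The `-k` added on lines 104 and 107 makes curl accept any server certificate on the new `https://localhost` call, so the move to HTTPS gives transport encryption but no authentication of the endpoint; the same change appears in rest-add-controller (lines 120 and 125) and rest-delete-controller (lines 139 and 144). If the engine's server certificate or its issuer is available in PEM form, `--cacert <PATH_TO_PEM_CA_BUNDLE>` (placeholder) keeps verification intact; if `-k` is a deliberate loopback-only exception, a comment above the call such as `# -k: loopback call to the local engine's self-signed cert; do not reuse for remote hosts` stops the next reader from copying it into a remote invocation. The `if` whose `else` branch is on line 101 begins outside the hunk. It is also worth quoting the credential argument, `--user "${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD}"`, so a password containing whitespace or shell metacharacters does not split the argument.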
diff --git a/policy-management/src/main/server-gen/bin/rest-add-controller b/policy-management/src/main/server-gen/bin/rest-add-controller
index 187b291..0dd82ee 100644
--- a/policy-management/src/main/server-gen/bin/rest-add-controller
+++ b/policy-management/src/main/server-gen/bin/rest-add-controller
@@ -26,11 +26,11 @@
if [ -f ${json} ]; then
if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then
- curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X POST --data @${json} --header "Content-Type: application/json" \
- http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
+ curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X POST --data @${json} --header "Content-Type: application/json" \
+ https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
else
- curl --silent -X POST --data @${json} --header "Content-Type: application/json" \
- http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
+ curl -k --silent -X POST --data @${json} --header "Content-Type: application/json" \
+ https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers
fi
else
echo "Usage: rest-add-controller.sh closed-loop-sample|reporter|sepc|vsegw|.. (or any other config file ending with *-controller.rest.json)"
diff --git a/policy-management/src/main/server-gen/bin/rest-delete-controller b/policy-management/src/main/server-gen/bin/rest-delete-controller
index de1d601..03e6748 100644
--- a/policy-management/src/main/server-gen/bin/rest-delete-controller
+++ b/policy-management/src/main/server-gen/bin/rest-delete-controller
@@ -24,11 +24,11 @@
if [[ -n $1 ]]; then
if [[ -n ${ENGINE_MANAGEMENT_PASSWORD} ]]; then
- curl --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE --header "Content-Type: application/json" \
- http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
+ curl -k --silent --user ${ENGINE_MANAGEMENT_USER}:${ENGINE_MANAGEMENT_PASSWORD} -X DELETE --header "Content-Type: application/json" \
+ https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
else
- curl --silent -X DELETE --header "Content-Type: application/json" \
- http://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
+ curl -k --silent -X DELETE --header "Content-Type: application/json" \
+ https://localhost:${ENGINE_MANAGEMENT_PORT}/policy/pdp/engine/controllers/${1}
fi
echo
exit
diff --git a/policy-management/src/main/server/config/aaf-cadi.keyfile b/policy-management/src/main/server/config/aaf-cadi.keyfile
new file mode 100644
index 0000000..59d544f
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf-cadi.keyfile
@@ -0,0 +1,27 @@
+N3INM2bAlQ8cNODnjR3Fuvo5z4GeID0KnRYlELmt-oHCFxq_XYVyepBVR591CIbJI9prNd_LLuv7
+tQD8xX_ypcNA-jQsecTwtw4GxvpqkZPhq6Q8BWNQaCegtXGDVTQ8gG2biKiQ7v-2C6Qhx4zj62b6
+bRPS5j1bfxqcAZu7082V00oQjbn40T2zFcLwCuBChZfx5DXTW49bwtLbkCbGqJSzFcIJpbGQ8gLg
+ussIoL8VE2Vee7bPJmUAdT4x9B1wrMIuvKlUMppeq0Bj-6ZJgxhM9F0WT8eEBh6NFANdK3LUgZrk
+D3kY3LrK-MT9u1TOMx13nOU7vOaVjl7_rkp5Q65gFd9VYbnJBYvJcc7asOQMsrugiSiRIoXH0Fyy
+-f9L3ROGae042J4M8qxcoOihMbcjVkEXqn6eRIFbDe0eIAlkSRYfaxg9v4tf8GbBjQcShBjzGaI2
+g6QxTA5G6Aa7p63aVRGv3ZODCHcbsbxnkyByXgmkON4cTk9vR0RbT6YYhT5t8xTU3rhqV3jeE0Bz
+KbU0c4188xTnhdq_bje2TuuLvtEvevdvDsbtAj7chQmWMOW7GMF3MnqdEpcw1NCoNRdN8wpAdE-5
+mkG-jlYHljSRh9qZK5wdEoO4IXgpFktdGj50XuzcskqqURNfDGHGb29fHznL1-ssdQK6EXcKN0AU
+nYyGLAie3VfFxWKj5dGODBs5RttvkX4PHyLcLD3kOrVgtQrz7d0PWWYCxDRqKT6qnJkLB1CUwghn
+XweEiDfoQmuUmwFEQNRDp0NGLnde5nsw7NYgLrv5VafGK8EyT4GeVhuu5Tnb6T-HalxCq2p5JaIA
+SG8zlDmRx_TykrhfQEJe7sr0pRcAMwgxEhwunG2oBiKnzdRx5jxMfqnVC8xGirumhmOQNterfnd5
+0pIsfvIuntyxRQ48yzIb2gb5kaSkfSzCaVnlqK-_jpj1T74qO86eaKVee4faQAbXDPYF2z5w06nD
+WS2dd54wBjGmkFNzi13ejTrAJeA6UzOd1CF_WSpc9XSJJPTPUGxmnfLjmGThErFBYuQxjhpH7vKN
+uZgokkIXX78rVcO3zpfa5kTYWjE8lk9y3WA7sGNtTWfG8bR3WLWNLPCnrzxtKZdhq2JsQYC0gwW7
+ZgJSXhgPoaC_RrtCn7haj1_601G_MkD-jcUEsO-4XOBVicsCgG8hn7B-SpgKspqv8gulbeKoORqa
+CkrtiFPlXEqdNuaBSHcQ0MWJ3tpXzWtIPM3ouEFOR32xVfptfz4sRPOkM_PNiVXxQtLOn_z3uC7K
+VVJCKZxVaavQ6QiZvRRANS9_GD3kDILX15EnbEvh-2DfycDrEo330vMwvNJP7i9eM5vo0YADe--G
+r5UDqctmFjl1ulc1yAQkDBGWGxT92x-hhLqCnCXcYPu_aeWssfDpRj573PHPaTiM0SYxJixjszRD
+6-AMC1DqugkjiGA5_enQORn-G_H4ZVtoQ_zebizEfIxKv5-8uRdyZDHGG3mDu6_nasEffry-UyVu
+STU3oJMycZ1qf5GR1evRJ7gxkrtPXHWKNnVgxfrBC72ON6wJnr7KaY-l9L44epIsk1pEmXm3YQu1
+N0NxiAwdus9OnCXQ7GgZPRXCpxjJPNs7EIKFrYjKJfdtSzT85ZrTpHQtjim2L1ZP9iIlq2QVKD1v
+bKSjCwjtb9ztjrV-Bw1BHcAApPcfpXHLhYkJ7iL1XUhxjXp_DGUkD7ZN9S5tuyrsMXz5hh6wMfcq
+NPR_XqHaS2ur-ONNrHuFFCmY7Ehc5FArFzb_Xn1JTpOQJTcy6_3r3u3B_euT8GmXHahtVN1Rv8RM
+kAD5m_UBx-nHoZDVDYZkfR9k4hF2Sz5rfrWs6Zrl0r8FBrVFtU1j2vOTvTGwrkO9yZvgIqOkX_eq
+TnGIpM4paHxEGTP8H8A3Y0ZpsvLttmh0rT_OwzBPa1Mof3RQKhyTzfbptxuUJyVxU0Ln-9f--5Mk
+wEFqhuSrgssI6b1iMqm97PqFQMYrWX3SV8l0V-PKxFxDM1bguHq4mOXEtmZBUtMBepwSsI96
\ No newline at end of file
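Review bot: This adds a CADI keyfile as a checked-in artifact, which means the same key material is shared by every installation built from this repository and by everyone with read access to it, whereas such a keyfile is typically generated per deployment and kept out of source control. Nothing in this change shows values that depend on this file — aaf-credentials.properties uses `${{KEYSTORE_PASSWD}}`-style substitution rather than CADI-encrypted values — so the exposure today may be limited, but anything later encrypted with it would be protected only by repository access. A note next to where the file is consumed (`cadi_keyfile=...` in aaf-credentials.properties) saying whether this is a placeholder to be regenerated at install time would make the intent explicit.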
diff --git a/policy-management/src/main/server/config/aaf-credentials.properties b/policy-management/src/main/server/config/aaf-credentials.properties
new file mode 100644
index 0000000..aaa5f16
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf-credentials.properties
@@ -0,0 +1,9 @@
+cm_url=https://AAF_LOCATE_URL/AAF_NS.cm:2.1
+cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US
+cadi_keyfile=${{POLICY_HOME}}/config/aaf-cadi.keyfile
+cadi_keystore=${{POLICY_HOME}}/etc/ssl/policy-keystore
+cadi_keystore_password=${{KEYSTORE_PASSWD}}
+cadi_key_password=${{KEYSTORE_PASSWD}}
+cadi_alias=policy@policy.onap.org
+cadi_truststore=${{POLICY_HOME}}/etc/ssl/policy-truststore
+cadi_truststore_password=${{TRUSTSTORE_PASSWD}}
\ No newline at end of file
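Review bot: `cadi_keystore_password`, `cadi_key_password` and `cadi_truststore_password` (lines 193, 194, 197) are plain substitution placeholders, so after installation the keystore and truststore passwords sit in clear text in this file next to the keyfile path on line 191. If the substitution mechanism allows it, CADI-encrypted values (the `enc:`-prefixed form produced with the keyfile referenced on line 191) would avoid plain-text secrets on disk; otherwise the installed file needs restrictive permissions, which this change does not show. A comment at the top of the file stating which of the two is intended would save the deployer from guessing.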
diff --git a/policy-management/src/main/server/config/aaf-location.properties b/policy-management/src/main/server/config/aaf-location.properties
new file mode 100644
index 0000000..dc828e7
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf-location.properties
@@ -0,0 +1,2 @@
+cadi_latitude=38.000
+cadi_longitude=-72.000
diff --git a/policy-management/src/main/server/config/aaf.properties b/policy-management/src/main/server/config/aaf.properties
new file mode 100644
index 0000000..8084be9
--- /dev/null
+++ b/policy-management/src/main/server/config/aaf.properties
@@ -0,0 +1,11 @@
+cadi_prop_files=${{POLICY_HOME}}/config/aaf-credentials.properties:${{POLICY_HOME}}/config/aaf-location.properties
+cadi_loglevel=DEBUG
+aaf_env=DEV
+aaf_locate_url=https://${{AAF_HOST}}:8095
+aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect
+aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.1/token
+aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.1
+cadi_protocols=TLSv1.1,TLSv1.2
+cm_url=https://AAF_LOCATE_URL/AAF_NS.cm:2.1
+fs_url=https://AAF_LOCATE_URL/AAF_NS.fs.2.1
+gui_url=https://AAF_LOCATE_URL/AAF_NS.gui.2.1
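Review bot: `cadi_protocols=TLSv1.1,TLSv1.2` on line 220 enables TLS 1.1, which is deprecated and adds nothing over 1.2 for a client talking to AAF; `cadi_protocols=TLSv1.2` is the safer default unless a peer is known to require 1.1. `cadi_loglevel=DEBUG` on line 214 is a debugging setting in a shipped default configuration and, depending on what CADI logs at that level, may write authentication detail into the engine logs; INFO or WARN is the usual production value. Lines 222-223 use `AAF_NS.fs.2.1` and `AAF_NS.gui.2.1` while lines 217-219 and 221 use the `AAF_NS.<service>:2.1` form; if the colon is the version separator, those two entries are likely mistyped.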
diff --git a/policy-management/src/main/server/config/policy-engine.properties b/policy-management/src/main/server/config/policy-engine.properties
index 758d13e..8e51752 100644
--- a/policy-management/src/main/server/config/policy-engine.properties
+++ b/policy-management/src/main/server/config/policy-engine.properties
@@ -49,3 +49,6 @@
http.server.services.SECURED-CONFIG.managed=false
http.server.services.SECURED-CONFIG.swagger=true
http.server.services.SECURED-CONFIG.https=true
+
+aaf.namespace=${{AAF_NAMESPACE}}
+aaf.root.permission=${{AAF_NAMESPACE}}.pdpd
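Review bot: `aaf.root.permission=${{AAF_NAMESPACE}}.pdpd` on line 234 repeats the `pdpd` node type that AafBase.java in this same change defines as `AAF_NODETYPE`, so the two must now be kept in sync by hand, and if `AAF_NAMESPACE` is not substituted at install time the literal placeholder text becomes the permission root. A comment above the new lines would make the relationship explicit: `# AAF permission root for this PDP-D; the ".pdpd" suffix must match AafBase.AAF_NODETYPE. If this property is unset, the engine falls back to DEFAULT_NAMESPACE + ".pdpd".` The fallback is inferred from AafBase.java here and is worth confirming against `AafAuthFilter.DEFAULT_NAMESPACE`, which is not in this change.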
diff --git a/policy-management/src/main/server/config/system.properties b/policy-management/src/main/server/config/system.properties
index 5c024e1..6bac0ea 100644
--- a/policy-management/src/main/server/config/system.properties
+++ b/policy-management/src/main/server/config/system.properties
@@ -34,6 +34,10 @@
javax.net.ssl.keyStore=${{POLICY_HOME}}/etc/ssl/policy-keystore
javax.net.ssl.keyStorePassword=${{KEYSTORE_PASSWD}}
+# aaf
+
+cadi_prop_files=config/aaf.properties
+
# standard logging
logback.configurationFile=config/logback.xml
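Review bot: `cadi_prop_files=config/aaf.properties` on line 244 is a relative path, while the neighbouring keystore entries on lines 240-241 are anchored at `${{POLICY_HOME}}`; the relative form resolves against the JVM's working directory, so the AAF configuration silently goes missing if the engine is started from anywhere else. `cadi_prop_files=${{POLICY_HOME}}/config/aaf.properties` keeps it consistent with the rest of this file and with how aaf.properties references its own sub-files on line 213. The `# aaf` comment on line 242 is separated from the setting it describes by a blank line; placing it directly above line 244 matches the `# standard logging` block on lines 246-247.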