2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
6 * Modifications Copyright (C) 2021 Nordix Foundation.
7 * ================================================================================
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
20 * SPDX-License-Identifier: Apache-2.0
21 * ============LICENSE_END=========================================================
24 package org.onap.policy.xacml.pdp.application.guard;
26 import static org.assertj.core.api.Assertions.assertThat;
27 import static org.assertj.core.api.Assertions.assertThatCode;
29 import com.att.research.xacml.api.Response;
31 import java.io.FileNotFoundException;
32 import java.io.IOException;
34 import java.time.Instant;
35 import java.time.OffsetDateTime;
36 import java.util.Iterator;
37 import java.util.List;
39 import java.util.Properties;
40 import java.util.ServiceLoader;
41 import java.util.UUID;
42 import javax.persistence.EntityManager;
43 import javax.persistence.Persistence;
44 import org.apache.commons.lang3.tuple.Pair;
45 import org.junit.AfterClass;
46 import org.junit.Before;
47 import org.junit.BeforeClass;
48 import org.junit.ClassRule;
49 import org.junit.FixMethodOrder;
50 import org.junit.Test;
51 import org.junit.rules.TemporaryFolder;
52 import org.junit.runners.MethodSorters;
53 import org.onap.policy.common.utils.coder.CoderException;
54 import org.onap.policy.common.utils.coder.StandardCoder;
55 import org.onap.policy.common.utils.resources.TextFileUtils;
56 import org.onap.policy.guard.OperationsHistory;
57 import org.onap.policy.models.decisions.concepts.DecisionRequest;
58 import org.onap.policy.models.decisions.concepts.DecisionResponse;
59 import org.onap.policy.models.tosca.authorative.concepts.ToscaConceptIdentifier;
60 import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicy;
61 import org.onap.policy.pdp.xacml.application.common.XacmlApplicationException;
62 import org.onap.policy.pdp.xacml.application.common.XacmlApplicationServiceProvider;
63 import org.onap.policy.pdp.xacml.application.common.XacmlPolicyUtils;
64 import org.onap.policy.pdp.xacml.application.common.operationshistory.CountRecentOperationsPip;
65 import org.onap.policy.pdp.xacml.xacmltest.TestUtils;
66 import org.slf4j.Logger;
67 import org.slf4j.LoggerFactory;
69 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
70 public class GuardPdpApplicationTest {
72 private static final Logger LOGGER = LoggerFactory.getLogger(GuardPdpApplicationTest.class);
73 private static Properties properties = new Properties();
74 private static File propertiesFile;
75 private static XacmlApplicationServiceProvider service;
76 private static DecisionRequest requestVfCount;
77 private static StandardCoder gson = new StandardCoder();
78 private static EntityManager em;
79 private static final String DENY = "Deny";
80 private static final String PERMIT = "Permit";
83 public static final TemporaryFolder policyFolder = new TemporaryFolder();
86 * Copies the xacml.properties and policies files into temporary folder and loads the service provider saving
87 * instance of provider off for other tests to use.
90 public static void setup() throws Exception {
91 LOGGER.info("Setting up class");
93 // Setup our temporary folder
95 XacmlPolicyUtils.FileCreator myCreator = (String filename) -> policyFolder.newFile(filename);
96 propertiesFile = XacmlPolicyUtils.copyXacmlPropertiesContents("src/test/resources/xacml.properties", properties,
101 ServiceLoader<XacmlApplicationServiceProvider> applicationLoader =
102 ServiceLoader.load(XacmlApplicationServiceProvider.class);
104 // Find the guard service application and save for use in all the tests
106 StringBuilder strDump = new StringBuilder("Loaded applications:" + XacmlPolicyUtils.LINE_SEPARATOR);
107 Iterator<XacmlApplicationServiceProvider> iterator = applicationLoader.iterator();
108 while (iterator.hasNext()) {
109 XacmlApplicationServiceProvider application = iterator.next();
111 // Is it our service?
113 if (application instanceof GuardPdpApplication) {
115 // Should be the first and only one
117 assertThat(service).isNull();
118 service = application;
120 strDump.append(application.applicationName());
121 strDump.append(" supports ");
122 strDump.append(application.supportedPolicyTypes());
123 strDump.append(XacmlPolicyUtils.LINE_SEPARATOR);
125 LOGGER.info("{}", strDump);
127 // Tell it to initialize based on the properties file
128 // we just built for it.
130 service.initialize(propertiesFile.toPath().getParent(), null);
132 // Load Decision Requests
135 gson.decode(TextFileUtils.getTextFileAsString("src/test/resources/requests/guard.vfCount.json"),
136 DecisionRequest.class);
138 // Create EntityManager for manipulating DB
140 String persistenceUnit = CountRecentOperationsPip.ISSUER_NAME + ".persistenceunit";
142 .createEntityManagerFactory(GuardPdpApplicationTest.properties.getProperty(persistenceUnit), properties)
143 .createEntityManager();
147 * Close the entity manager.
150 public static void cleanup() throws Exception {
157 * Clears the database before each test so there are no operations in it.
161 public void startClean() throws Exception {
162 em.getTransaction().begin();
163 em.createQuery("DELETE FROM OperationsHistory").executeUpdate();
164 em.getTransaction().commit();
168 * Check that decision matches expectation.
170 * @param expected from the response
171 * @param response received
174 public void checkDecision(String expected, DecisionResponse response) throws CoderException {
175 LOGGER.info("Looking for {} Decision", expected);
176 assertThat(response).isNotNull();
177 assertThat(response.getStatus()).isNotNull();
178 assertThat(response.getStatus()).isEqualTo(expected);
180 // Dump it out as Json
182 LOGGER.info(gson.encode(response));
186 * Request a decision and check that it matches expectation.
188 * @param request to send to Xacml PDP
189 * @param expected from the response
192 public void requestAndCheckDecision(DecisionRequest request, String expected) throws CoderException {
194 // Ask for a decision
196 Pair<DecisionResponse, Response> decision = service.makeDecision(request, null);
200 checkDecision(expected, decision.getKey());
204 public void test1Basics() throws CoderException, IOException {
205 LOGGER.info("**************** Running test1Basics ****************");
207 // Make sure there's an application name
209 assertThat(service.applicationName()).isNotEmpty();
213 assertThat(service.actionDecisionsSupported().size()).isEqualTo(1);
214 assertThat(service.actionDecisionsSupported()).contains("guard");
216 // Ensure it has the supported policy types and
217 // can support the correct policy types.
219 assertThat(service.supportedPolicyTypes()).isNotEmpty();
220 assertThat(service.supportedPolicyTypes().size()).isEqualTo(5);
221 assertThat(service.canSupportPolicyType(
222 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.FrequencyLimiter", "1.0.0")))
224 assertThat(service.canSupportPolicyType(
225 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.FrequencyLimiter", "1.0.1")))
227 assertThat(service.canSupportPolicyType(
228 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.MinMax", "1.0.0"))).isTrue();
229 assertThat(service.canSupportPolicyType(
230 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.MinMax", "1.0.1"))).isFalse();
231 assertThat(service.canSupportPolicyType(
232 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.Blacklist", "1.0.0"))).isTrue();
233 assertThat(service.canSupportPolicyType(
234 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.Blacklist", "1.0.1"))).isFalse();
235 assertThat(service.canSupportPolicyType(new ToscaConceptIdentifier(
236 "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "1.0.0"))).isTrue();
237 assertThat(service.canSupportPolicyType(new ToscaConceptIdentifier(
238 "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "1.0.1"))).isFalse();
239 assertThat(service.canSupportPolicyType(new ToscaConceptIdentifier("onap.foo", "1.0.1"))).isFalse();
240 assertThat(service.canSupportPolicyType(
241 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.Filter", "1.0.0"))).isTrue();
245 public void test2NoPolicies() throws CoderException {
246 LOGGER.info("**************** Running test2NoPolicies ****************");
247 assertThatCode(() -> requestAndCheckDecision(requestVfCount, PERMIT)).doesNotThrowAnyException();
251 public void test3FrequencyLimiter()
252 throws CoderException, FileNotFoundException, IOException, XacmlApplicationException {
253 LOGGER.info("**************** Running test3FrequencyLimiter ****************");
255 // Now load the vDNS frequency limiter Policy - make sure
256 // the pdp can support it and have it load
259 List<ToscaPolicy> loadedPolicies =
260 TestUtils.loadPolicies("policies/vDNS.policy.guard.frequencylimiter.input.tosca.yaml", service);
261 assertThat(loadedPolicies).hasSize(1);
262 assertThat(loadedPolicies.get(0).getName()).isEqualTo("guard.frequency.scaleout");
264 // Zero recent actions: should get permit
266 requestAndCheckDecision(requestVfCount, PERMIT);
268 // Add entry into operations history DB
270 insertOperationEvent(requestVfCount);
272 // Two recent actions, more than specified limit of 2: should get deny
274 requestAndCheckDecision(requestVfCount, DENY);
277 @SuppressWarnings("unchecked")
279 public void test4MinMax() throws CoderException, FileNotFoundException, IOException, XacmlApplicationException {
280 LOGGER.info("**************** Running test4MinMax ****************");
282 // Now load the vDNS min max Policy - make sure
283 // the pdp can support it and have it load
286 List<ToscaPolicy> loadedPolicies =
287 TestUtils.loadPolicies("policies/vDNS.policy.guard.minmaxvnfs.input.tosca.yaml", service);
288 assertThat(loadedPolicies).hasSize(1);
289 assertThat(loadedPolicies.get(0).getName()).isEqualTo("guard.minmax.scaleout");
291 // vfcount=0 below min of 1: should get a Permit
293 requestAndCheckDecision(requestVfCount, PERMIT);
295 // vfcount=1 between min of 1 and max of 2: should get a Permit
297 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("vfCount", 1);
298 requestAndCheckDecision(requestVfCount, PERMIT);
300 // vfcount=2 hits the max of 2: should get a Deny
302 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("vfCount", 2);
303 requestAndCheckDecision(requestVfCount, DENY);
305 // vfcount=3 above max of 2: should get a Deny
307 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("vfCount", 3);
308 requestAndCheckDecision(requestVfCount, DENY);
310 // Insert entry into operations history DB - to indicate a successful
313 insertOperationEvent(requestVfCount);
315 // vfcount=1 between min of 1 and max of 2; MinMax should succeed,
316 // BUT the frequency limiter should fail
318 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("vfCount", 1);
319 requestAndCheckDecision(requestVfCount, DENY);
322 @SuppressWarnings("unchecked")
324 public void test5Blacklist() throws CoderException, XacmlApplicationException {
325 LOGGER.info("**************** Running test5Blacklist ****************");
327 // Load the blacklist policy in with the others.
329 List<ToscaPolicy> loadedPolicies =
330 TestUtils.loadPolicies("policies/vDNS.policy.guard.blacklist.input.tosca.yaml", service);
331 assertThat(loadedPolicies).hasSize(1);
332 assertThat(loadedPolicies.get(0).getName()).isEqualTo("guard.blacklist.scaleout");
334 // vfcount=0 below min of 1: should get a Permit because target is NOT blacklisted
336 requestAndCheckDecision(requestVfCount, PERMIT);
338 // vfcount=1 between min of 1 and max of 2: change the
340 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("target",
341 "the-vfmodule-where-root-is-true");
343 // vfcount=0 below min of 1: should get a Deny because target IS blacklisted
345 requestAndCheckDecision(requestVfCount, DENY);
347 // vfcount=1 between min of 1 and max of 2: change the
349 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("target",
350 "another-vfmodule-where-root-is-true");
352 // vfcount=0 below min of 1: should get a Deny because target IS blacklisted
354 requestAndCheckDecision(requestVfCount, DENY);
357 @SuppressWarnings("unchecked")
359 public void test6Filters() throws Exception {
360 LOGGER.info("**************** Running test6Filters ****************");
362 // Re-Load Decision Request - so we can start from scratch
365 gson.decode(TextFileUtils.getTextFileAsString("src/test/resources/requests/guard.vfCount.json"),
366 DecisionRequest.class);
368 // Ensure we are a permit to start
370 requestAndCheckDecision(requestVfCount, PERMIT);
372 // Load the filter policy in with the others.
374 List<ToscaPolicy> loadedPolicies =
375 TestUtils.loadPolicies("src/test/resources/test.policy.guard.filters.yaml", service);
376 assertThat(loadedPolicies).hasSize(2);
378 // Although the region is blacklisted, the id is not
380 requestAndCheckDecision(requestVfCount, PERMIT);
382 // Put in a different vnf id
384 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("generic-vnf.vnf-id",
385 "different-vnf-id-should-be-denied");
387 // The region is blacklisted, and the id is not allowed
389 requestAndCheckDecision(requestVfCount, DENY);
391 // Let's switch to a different region
393 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("cloud-region.cloud-region-id",
396 // The region is whitelisted, and the id is also allowed
398 requestAndCheckDecision(requestVfCount, PERMIT);
400 // Put in a blacklisted vnf id
402 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("generic-vnf.vnf-id",
403 "f17face5-69cb-4c88-9e0b-7426db7edddd");
405 // Although region is whitelisted, the id is blacklisted
407 requestAndCheckDecision(requestVfCount, DENY);
409 // Let's switch to a different region
411 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("cloud-region.cloud-region-id",
414 // There is no filter for this region, but the id is still blacklisted
416 requestAndCheckDecision(requestVfCount, DENY);
418 // Put in a different vnf id
420 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("generic-vnf.vnf-id",
421 "different-vnf-id-should-be-permitted");
423 // There is no filter for this region, and the id is not blacklisted
425 requestAndCheckDecision(requestVfCount, PERMIT);
429 public void test7TimeInRange() throws Exception {
430 LOGGER.info("**************** Running test7TimeInRange ****************");
432 // Re-Load Decision Request - so we can start from scratch
434 DecisionRequest requestInRange =
435 gson.decode(TextFileUtils.getTextFileAsString("src/test/resources/requests/guard.timeinrange.json"),
436 DecisionRequest.class);
438 // Load the test policy in with the others.
440 List<ToscaPolicy> loadedPolicies =
441 TestUtils.loadPolicies("src/test/resources/test-time-in-range.yaml", service);
442 assertThat(loadedPolicies).hasSize(1);
444 // Mock what the current date and time is. Set to 12 Noon
445 // We actually do not care about time zone or the date yet, but these are here
448 OffsetDateTime offsetDateTime = OffsetDateTime.parse("2020-01-01T12:00:00+05:00");
449 requestInRange.setCurrentDateTime(offsetDateTime);
450 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
451 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
452 requestInRange.setTimeZone(offsetDateTime.getOffset());
454 requestAndCheckDecision(requestInRange, PERMIT);
456 offsetDateTime = OffsetDateTime.parse("2020-01-01T07:59:59+05:00");
457 requestInRange.setCurrentDateTime(offsetDateTime);
458 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
459 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
460 requestInRange.setTimeZone(offsetDateTime.getOffset());
462 requestAndCheckDecision(requestInRange, DENY);
464 offsetDateTime = OffsetDateTime.parse("2020-01-01T08:00:00+05:00");
465 requestInRange.setCurrentDateTime(offsetDateTime);
466 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
467 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
468 requestInRange.setTimeZone(offsetDateTime.getOffset());
470 requestAndCheckDecision(requestInRange, PERMIT);
472 offsetDateTime = OffsetDateTime.parse("2020-01-01T23:59:59+05:00");
473 requestInRange.setCurrentDateTime(offsetDateTime);
474 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
475 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
476 requestInRange.setTimeZone(offsetDateTime.getOffset());
478 requestAndCheckDecision(requestInRange, PERMIT);
480 offsetDateTime = OffsetDateTime.parse("2020-01-01T00:00:00+05:00");
481 requestInRange.setCurrentDateTime(offsetDateTime);
482 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
483 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
484 requestInRange.setTimeZone(offsetDateTime.getOffset());
486 requestAndCheckDecision(requestInRange, DENY);
489 @SuppressWarnings("unchecked")
490 private void insertOperationEvent(DecisionRequest request) {
492 // Get the properties
494 Map<String, Object> properties = (Map<String, Object>) request.getResource().get("guard");
495 assertThat(properties).isNotNull();
499 OperationsHistory newEntry = new OperationsHistory();
500 newEntry.setActor(properties.get("actor").toString());
501 newEntry.setOperation(properties.get("operation").toString());
502 newEntry.setClosedLoopName(properties.get("clname").toString());
503 newEntry.setOutcome("SUCCESS");
504 newEntry.setStarttime(Date.from(Instant.now().minusMillis(20000)));
505 newEntry.setEndtime(Date.from(Instant.now()));
506 newEntry.setRequestId(UUID.randomUUID().toString());
507 newEntry.setTarget(properties.get("target").toString());
508 LOGGER.info("Inserting {}", newEntry);
509 em.getTransaction().begin();
510 em.persist(newEntry);
511 em.getTransaction().commit();