2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
6 * Modifications Copyright (C) 2021 Nordix Foundation.
7 * ================================================================================
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
20 * SPDX-License-Identifier: Apache-2.0
21 * ============LICENSE_END=========================================================
24 package org.onap.policy.xacml.pdp.application.guard;
26 import static org.assertj.core.api.Assertions.assertThat;
27 import static org.assertj.core.api.Assertions.assertThatCode;
29 import com.att.research.xacml.api.Response;
31 import java.io.FileNotFoundException;
32 import java.io.IOException;
34 import java.time.Instant;
35 import java.time.OffsetDateTime;
36 import java.util.Iterator;
37 import java.util.List;
39 import java.util.Properties;
40 import java.util.ServiceLoader;
41 import java.util.UUID;
42 import javax.persistence.EntityManager;
43 import javax.persistence.Persistence;
44 import org.apache.commons.lang3.tuple.Pair;
45 import org.junit.AfterClass;
46 import org.junit.Before;
47 import org.junit.BeforeClass;
48 import org.junit.ClassRule;
49 import org.junit.FixMethodOrder;
50 import org.junit.Test;
51 import org.junit.rules.TemporaryFolder;
52 import org.junit.runners.MethodSorters;
53 import org.onap.policy.common.endpoints.event.comm.bus.internal.BusTopicParams;
54 import org.onap.policy.common.utils.coder.CoderException;
55 import org.onap.policy.common.utils.coder.StandardCoder;
56 import org.onap.policy.common.utils.resources.TextFileUtils;
57 import org.onap.policy.guard.OperationsHistory;
58 import org.onap.policy.models.decisions.concepts.DecisionRequest;
59 import org.onap.policy.models.decisions.concepts.DecisionResponse;
60 import org.onap.policy.models.tosca.authorative.concepts.ToscaConceptIdentifier;
61 import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicy;
62 import org.onap.policy.pdp.xacml.application.common.XacmlApplicationException;
63 import org.onap.policy.pdp.xacml.application.common.XacmlApplicationServiceProvider;
64 import org.onap.policy.pdp.xacml.application.common.XacmlPolicyUtils;
65 import org.onap.policy.pdp.xacml.application.common.operationshistory.CountRecentOperationsPip;
66 import org.onap.policy.pdp.xacml.xacmltest.TestUtils;
67 import org.slf4j.Logger;
68 import org.slf4j.LoggerFactory;
70 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
71 public class GuardPdpApplicationTest {
73 private static final Logger LOGGER = LoggerFactory.getLogger(GuardPdpApplicationTest.class);
74 private static Properties properties = new Properties();
75 private static File propertiesFile;
76 private static BusTopicParams clientParams = new BusTopicParams();
77 private static XacmlApplicationServiceProvider service;
78 private static DecisionRequest requestVfCount;
79 private static StandardCoder gson = new StandardCoder();
80 private static EntityManager em;
81 private static final String DENY = "Deny";
82 private static final String PERMIT = "Permit";
85 public static final TemporaryFolder policyFolder = new TemporaryFolder();
88 * Copies the xacml.properties and policies files into temporary folder and loads the service provider saving
89 * instance of provider off for other tests to use.
92 public static void setup() throws Exception {
93 LOGGER.info("Setting up class");
95 // Setup our temporary folder
97 XacmlPolicyUtils.FileCreator myCreator = (String filename) -> policyFolder.newFile(filename);
98 propertiesFile = XacmlPolicyUtils.copyXacmlPropertiesContents("src/test/resources/xacml.properties", properties,
103 ServiceLoader<XacmlApplicationServiceProvider> applicationLoader =
104 ServiceLoader.load(XacmlApplicationServiceProvider.class);
106 // Find the guard service application and save for use in all the tests
108 StringBuilder strDump = new StringBuilder("Loaded applications:" + XacmlPolicyUtils.LINE_SEPARATOR);
109 Iterator<XacmlApplicationServiceProvider> iterator = applicationLoader.iterator();
110 while (iterator.hasNext()) {
111 XacmlApplicationServiceProvider application = iterator.next();
113 // Is it our service?
115 if (application instanceof GuardPdpApplication) {
117 // Should be the first and only one
119 assertThat(service).isNull();
120 service = application;
122 strDump.append(application.applicationName());
123 strDump.append(" supports ");
124 strDump.append(application.supportedPolicyTypes());
125 strDump.append(XacmlPolicyUtils.LINE_SEPARATOR);
127 LOGGER.info("{}", strDump);
129 // Tell it to initialize based on the properties file
130 // we just built for it.
132 service.initialize(propertiesFile.toPath().getParent(), clientParams);
134 // Load Decision Requests
137 gson.decode(TextFileUtils.getTextFileAsString("src/test/resources/requests/guard.vfCount.json"),
138 DecisionRequest.class);
140 // Create EntityManager for manipulating DB
142 String persistenceUnit = CountRecentOperationsPip.ISSUER_NAME + ".persistenceunit";
144 .createEntityManagerFactory(GuardPdpApplicationTest.properties.getProperty(persistenceUnit), properties)
145 .createEntityManager();
149 * Close the entity manager.
152 public static void cleanup() throws Exception {
159 * Clears the database before each test so there are no operations in it.
163 public void startClean() throws Exception {
164 em.getTransaction().begin();
165 em.createQuery("DELETE FROM OperationsHistory").executeUpdate();
166 em.getTransaction().commit();
170 * Check that decision matches expectation.
172 * @param expected from the response
173 * @param response received
176 public void checkDecision(String expected, DecisionResponse response) throws CoderException {
177 LOGGER.info("Looking for {} Decision", expected);
178 assertThat(response).isNotNull();
179 assertThat(response.getStatus()).isNotNull();
180 assertThat(response.getStatus()).isEqualTo(expected);
182 // Dump it out as Json
184 LOGGER.info(gson.encode(response));
188 * Request a decision and check that it matches expectation.
190 * @param request to send to Xacml PDP
191 * @param expected from the response
194 public void requestAndCheckDecision(DecisionRequest request, String expected) throws CoderException {
196 // Ask for a decision
198 Pair<DecisionResponse, Response> decision = service.makeDecision(request, null);
202 checkDecision(expected, decision.getKey());
206 public void test1Basics() throws CoderException, IOException {
207 LOGGER.info("**************** Running test1Basics ****************");
209 // Make sure there's an application name
211 assertThat(service.applicationName()).isNotEmpty();
215 assertThat(service.actionDecisionsSupported().size()).isEqualTo(1);
216 assertThat(service.actionDecisionsSupported()).contains("guard");
218 // Ensure it has the supported policy types and
219 // can support the correct policy types.
221 assertThat(service.supportedPolicyTypes()).isNotEmpty();
222 assertThat(service.supportedPolicyTypes().size()).isEqualTo(5);
223 assertThat(service.canSupportPolicyType(
224 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.FrequencyLimiter", "1.0.0")))
226 assertThat(service.canSupportPolicyType(
227 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.FrequencyLimiter", "1.0.1")))
229 assertThat(service.canSupportPolicyType(
230 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.MinMax", "1.0.0"))).isTrue();
231 assertThat(service.canSupportPolicyType(
232 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.MinMax", "1.0.1"))).isFalse();
233 assertThat(service.canSupportPolicyType(
234 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.Blacklist", "1.0.0"))).isTrue();
235 assertThat(service.canSupportPolicyType(
236 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.Blacklist", "1.0.1"))).isFalse();
237 assertThat(service.canSupportPolicyType(new ToscaConceptIdentifier(
238 "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "1.0.0"))).isTrue();
239 assertThat(service.canSupportPolicyType(new ToscaConceptIdentifier(
240 "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "1.0.1"))).isFalse();
241 assertThat(service.canSupportPolicyType(new ToscaConceptIdentifier("onap.foo", "1.0.1"))).isFalse();
242 assertThat(service.canSupportPolicyType(
243 new ToscaConceptIdentifier("onap.policies.controlloop.guard.common.Filter", "1.0.0"))).isTrue();
247 public void test2NoPolicies() throws CoderException {
248 LOGGER.info("**************** Running test2NoPolicies ****************");
249 assertThatCode(() -> requestAndCheckDecision(requestVfCount, PERMIT)).doesNotThrowAnyException();
253 public void test3FrequencyLimiter()
254 throws CoderException, FileNotFoundException, IOException, XacmlApplicationException {
255 LOGGER.info("**************** Running test3FrequencyLimiter ****************");
257 // Now load the vDNS frequency limiter Policy - make sure
258 // the pdp can support it and have it load
261 List<ToscaPolicy> loadedPolicies =
262 TestUtils.loadPolicies("policies/vDNS.policy.guard.frequencylimiter.input.tosca.yaml", service);
263 assertThat(loadedPolicies).hasSize(1);
264 assertThat(loadedPolicies.get(0).getName()).isEqualTo("guard.frequency.scaleout");
266 // Zero recent actions: should get permit
268 requestAndCheckDecision(requestVfCount, PERMIT);
270 // Add entry into operations history DB
272 insertOperationEvent(requestVfCount);
274 // Two recent actions, more than specified limit of 2: should get deny
276 requestAndCheckDecision(requestVfCount, DENY);
279 @SuppressWarnings("unchecked")
281 public void test4MinMax() throws CoderException, FileNotFoundException, IOException, XacmlApplicationException {
282 LOGGER.info("**************** Running test4MinMax ****************");
284 // Now load the vDNS min max Policy - make sure
285 // the pdp can support it and have it load
288 List<ToscaPolicy> loadedPolicies =
289 TestUtils.loadPolicies("policies/vDNS.policy.guard.minmaxvnfs.input.tosca.yaml", service);
290 assertThat(loadedPolicies).hasSize(1);
291 assertThat(loadedPolicies.get(0).getName()).isEqualTo("guard.minmax.scaleout");
293 // vfcount=0 below min of 1: should get a Permit
295 requestAndCheckDecision(requestVfCount, PERMIT);
297 // vfcount=1 between min of 1 and max of 2: should get a Permit
299 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("vfCount", 1);
300 requestAndCheckDecision(requestVfCount, PERMIT);
302 // vfcount=2 hits the max of 2: should get a Deny
304 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("vfCount", 2);
305 requestAndCheckDecision(requestVfCount, DENY);
307 // vfcount=3 above max of 2: should get a Deny
309 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("vfCount", 3);
310 requestAndCheckDecision(requestVfCount, DENY);
312 // Insert entry into operations history DB - to indicate a successful
315 insertOperationEvent(requestVfCount);
317 // vfcount=1 between min of 1 and max of 2; MinMax should succeed,
318 // BUT the frequency limiter should fail
320 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("vfCount", 1);
321 requestAndCheckDecision(requestVfCount, DENY);
324 @SuppressWarnings("unchecked")
326 public void test5Blacklist() throws CoderException, XacmlApplicationException {
327 LOGGER.info("**************** Running test5Blacklist ****************");
329 // Load the blacklist policy in with the others.
331 List<ToscaPolicy> loadedPolicies =
332 TestUtils.loadPolicies("policies/vDNS.policy.guard.blacklist.input.tosca.yaml", service);
333 assertThat(loadedPolicies).hasSize(1);
334 assertThat(loadedPolicies.get(0).getName()).isEqualTo("guard.blacklist.scaleout");
336 // vfcount=0 below min of 1: should get a Permit because target is NOT blacklisted
338 requestAndCheckDecision(requestVfCount, PERMIT);
340 // vfcount=1 between min of 1 and max of 2: change the
342 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("target",
343 "the-vfmodule-where-root-is-true");
345 // vfcount=0 below min of 1: should get a Deny because target IS blacklisted
347 requestAndCheckDecision(requestVfCount, DENY);
349 // vfcount=1 between min of 1 and max of 2: change the
351 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("target",
352 "another-vfmodule-where-root-is-true");
354 // vfcount=0 below min of 1: should get a Deny because target IS blacklisted
356 requestAndCheckDecision(requestVfCount, DENY);
359 @SuppressWarnings("unchecked")
361 public void test6Filters() throws Exception {
362 LOGGER.info("**************** Running test6Filters ****************");
364 // Re-Load Decision Request - so we can start from scratch
367 gson.decode(TextFileUtils.getTextFileAsString("src/test/resources/requests/guard.vfCount.json"),
368 DecisionRequest.class);
370 // Ensure we are a permit to start
372 requestAndCheckDecision(requestVfCount, PERMIT);
374 // Load the filter policy in with the others.
376 List<ToscaPolicy> loadedPolicies =
377 TestUtils.loadPolicies("src/test/resources/test.policy.guard.filters.yaml", service);
378 assertThat(loadedPolicies).hasSize(2);
380 // Although the region is blacklisted, the id is not
382 requestAndCheckDecision(requestVfCount, PERMIT);
384 // Put in a different vnf id
386 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("generic-vnf.vnf-id",
387 "different-vnf-id-should-be-denied");
389 // The region is blacklisted, and the id is not allowed
391 requestAndCheckDecision(requestVfCount, DENY);
393 // Let's switch to a different region
395 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("cloud-region.cloud-region-id",
398 // The region is whitelisted, and the id is also allowed
400 requestAndCheckDecision(requestVfCount, PERMIT);
402 // Put in a blacklisted vnf id
404 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("generic-vnf.vnf-id",
405 "f17face5-69cb-4c88-9e0b-7426db7edddd");
407 // Although region is whitelisted, the id is blacklisted
409 requestAndCheckDecision(requestVfCount, DENY);
411 // Let's switch to a different region
413 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("cloud-region.cloud-region-id",
416 // There is no filter for this region, but the id is still blacklisted
418 requestAndCheckDecision(requestVfCount, DENY);
420 // Put in a different vnf id
422 ((Map<String, Object>) requestVfCount.getResource().get("guard")).put("generic-vnf.vnf-id",
423 "different-vnf-id-should-be-permitted");
425 // There is no filter for this region, and the id is not blacklisted
427 requestAndCheckDecision(requestVfCount, PERMIT);
431 public void test7TimeInRange() throws Exception {
432 LOGGER.info("**************** Running test7TimeInRange ****************");
434 // Re-Load Decision Request - so we can start from scratch
436 DecisionRequest requestInRange =
437 gson.decode(TextFileUtils.getTextFileAsString("src/test/resources/requests/guard.timeinrange.json"),
438 DecisionRequest.class);
440 // Load the test policy in with the others.
442 List<ToscaPolicy> loadedPolicies =
443 TestUtils.loadPolicies("src/test/resources/test-time-in-range.yaml", service);
444 assertThat(loadedPolicies).hasSize(1);
446 // Mock what the current date and time is. Set to 12 Noon
447 // We actually do not care about time zone or the date yet, but these are here
450 OffsetDateTime offsetDateTime = OffsetDateTime.parse("2020-01-01T12:00:00+05:00");
451 requestInRange.setCurrentDateTime(offsetDateTime);
452 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
453 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
454 requestInRange.setTimeZone(offsetDateTime.getOffset());
456 requestAndCheckDecision(requestInRange, PERMIT);
458 offsetDateTime = OffsetDateTime.parse("2020-01-01T07:59:59+05:00");
459 requestInRange.setCurrentDateTime(offsetDateTime);
460 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
461 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
462 requestInRange.setTimeZone(offsetDateTime.getOffset());
464 requestAndCheckDecision(requestInRange, DENY);
466 offsetDateTime = OffsetDateTime.parse("2020-01-01T08:00:00+05:00");
467 requestInRange.setCurrentDateTime(offsetDateTime);
468 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
469 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
470 requestInRange.setTimeZone(offsetDateTime.getOffset());
472 requestAndCheckDecision(requestInRange, PERMIT);
474 offsetDateTime = OffsetDateTime.parse("2020-01-01T23:59:59+05:00");
475 requestInRange.setCurrentDateTime(offsetDateTime);
476 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
477 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
478 requestInRange.setTimeZone(offsetDateTime.getOffset());
480 requestAndCheckDecision(requestInRange, PERMIT);
482 offsetDateTime = OffsetDateTime.parse("2020-01-01T00:00:00+05:00");
483 requestInRange.setCurrentDateTime(offsetDateTime);
484 requestInRange.setCurrentDate(offsetDateTime.toLocalDate());
485 requestInRange.setCurrentTime(offsetDateTime.toOffsetTime());
486 requestInRange.setTimeZone(offsetDateTime.getOffset());
488 requestAndCheckDecision(requestInRange, DENY);
491 @SuppressWarnings("unchecked")
492 private void insertOperationEvent(DecisionRequest request) {
494 // Get the properties
496 Map<String, Object> properties = (Map<String, Object>) request.getResource().get("guard");
497 assertThat(properties).isNotNull();
501 OperationsHistory newEntry = new OperationsHistory();
502 newEntry.setActor(properties.get("actor").toString());
503 newEntry.setOperation(properties.get("operation").toString());
504 newEntry.setClosedLoopName(properties.get("clname").toString());
505 newEntry.setOutcome("SUCCESS");
506 newEntry.setStarttime(Date.from(Instant.now().minusMillis(20000)));
507 newEntry.setEndtime(Date.from(Instant.now()));
508 newEntry.setRequestId(UUID.randomUUID().toString());
509 newEntry.setTarget(properties.get("target").toString());
510 LOGGER.info("Inserting {}", newEntry);
511 em.getTransaction().begin();
512 em.persist(newEntry);
513 em.getTransaction().commit();