2 * ============LICENSE_START=======================================================
3 * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
4 * ================================================================================
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 * ============LICENSE_END=========================================================
19 package org.onap.policy.tutorial.tutorial;
21 import com.att.research.xacml.api.DataTypeException;
22 import com.att.research.xacml.api.Decision;
23 import com.att.research.xacml.api.Identifier;
24 import com.att.research.xacml.api.Request;
25 import com.att.research.xacml.api.Response;
26 import com.att.research.xacml.api.Result;
27 import com.att.research.xacml.api.XACML3;
28 import com.att.research.xacml.std.IdentifierImpl;
29 import com.att.research.xacml.std.annotations.RequestParser;
30 import java.util.List;
32 import oasis.names.tc.xacml._3_0.core.schema.wd_17.AnyOfType;
33 import oasis.names.tc.xacml._3_0.core.schema.wd_17.EffectType;
34 import oasis.names.tc.xacml._3_0.core.schema.wd_17.MatchType;
35 import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyType;
36 import oasis.names.tc.xacml._3_0.core.schema.wd_17.RuleType;
37 import oasis.names.tc.xacml._3_0.core.schema.wd_17.TargetType;
38 import org.onap.policy.models.decisions.concepts.DecisionRequest;
39 import org.onap.policy.models.decisions.concepts.DecisionResponse;
40 import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicy;
41 import org.onap.policy.pdp.xacml.application.common.ToscaDictionary;
42 import org.onap.policy.pdp.xacml.application.common.ToscaPolicyConversionException;
43 import org.onap.policy.pdp.xacml.application.common.ToscaPolicyTranslator;
44 import org.onap.policy.pdp.xacml.application.common.ToscaPolicyTranslatorUtils;
46 public class TutorialTranslator implements ToscaPolicyTranslator {
// Attribute identifiers built in the ONAP URN namespace (ToscaDictionary.ID_URN_ONAP).
// convertPolicy uses them as attribute designators in the resource category:
// "tutorial-user" for the policy target, "tutorial-entity" and "tutorial-permission"
// for the target of each generated rule.
48 private static final Identifier ID_TUTORIAL_USER = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-user");
49 private static final Identifier ID_TUTORIAL_ENTITY =
50 new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-entity");
51 private static final Identifier ID_TUTORIAL_PERM =
52 new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-permission");
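/**
 * Convert Policy from TOSCA to XACML.
 *
 * <p>The generated policy targets the action "authorize" together with the user named in the
 * TOSCA "user" property, and carries one PERMIT rule per entry of the "permissions" property.
 * The rule combining algorithm is deny-unless-permit, so a request that matches none of the
 * generated rules is denied.
 *
 * <p>The TOSCA metadata and properties are untyped input. A missing or wrongly typed value is
 * rejected with a {@link ToscaPolicyConversionException} instead of surfacing as a
 * NullPointerException or ClassCastException, so a malformed policy is never turned into a
 * partially built XACML policy.
 *
 * @param toscaPolicy the TOSCA policy to translate
 * @return the XACML policy built from the TOSCA metadata and properties
 * @throws ToscaPolicyConversionException if the metadata, the "user" property or the
 *         "permissions" property is missing or has an unexpected type
 */
public PolicyType convertPolicy(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException {
    Map<String, String> metadata = toscaPolicy.getMetadata();
    if (metadata == null || metadata.get("policy-id") == null) {
        throw new ToscaPolicyConversionException("TOSCA policy metadata has no policy-id");
    }
    Map<String, Object> props = toscaPolicy.getProperties();
    if (props == null) {
        throw new ToscaPolicyConversionException("TOSCA policy has no properties");
    }
    Object user = props.get("user");
    if (user == null) {
        throw new ToscaPolicyConversionException("TOSCA policy has no \"user\" property");
    }
    Object permissions = props.get("permissions");
    if (!(permissions instanceof List)) {
        throw new ToscaPolicyConversionException("TOSCA policy \"permissions\" property must be a list");
    }

    //
    // Here is our policy with a version and default combining algo
    //
    PolicyType newPolicyType = new PolicyType();
    newPolicyType.setPolicyId(metadata.get("policy-id"));
    newPolicyType.setVersion(metadata.get("policy-version"));
    //
    // When choosing the rule combining algorithm, be sure to be mindful of the
    // setting xacml.att.policyFinderFactory.combineRootPolicies in the
    // xacml.properties file. As that choice for ALL the policies together may have
    // an impact on the decision rendered from each individual policy.
    //
    // In this case, we will only produce XACML rules for permissions. If no permission
    // combo exists, then the default is to deny.
    //
    newPolicyType.setRuleCombiningAlgId(XACML3.ID_RULE_DENY_UNLESS_PERMIT.stringValue());
    //
    // Create the target for the Policy.
    //
    // For simplicity, let's just match on the action "authorize" and the user.
    // The user is matched as a resource-category attribute (ID_TUTORIAL_USER).
    //
    MatchType matchAction = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(
            XACML3.ID_FUNCTION_STRING_EQUAL, "authorize", XACML3.ID_DATATYPE_STRING,
            XACML3.ID_ACTION_ACTION_ID, XACML3.ID_ATTRIBUTE_CATEGORY_ACTION);
    MatchType matchUser = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(
            XACML3.ID_FUNCTION_STRING_EQUAL, user.toString(), XACML3.ID_DATATYPE_STRING,
            ID_TUTORIAL_USER, XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE);
    //
    // Create AllOf (AND) of the action and the user
    //
    AnyOfType policyAnyOf = new AnyOfType();
    policyAnyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchAction, matchUser));
    TargetType policyTarget = new TargetType();
    policyTarget.getAnyOf().add(policyAnyOf);
    newPolicyType.setTarget(policyTarget);
    //
    // Now add the rule for each permission. ruleNumber counts the rules 0, 1, 2, ...
    // so that every rule id is unique within the policy.
    //
    int ruleNumber = 0;
    for (Object permission : (List<?>) permissions) {
        if (!(permission instanceof Map)) {
            throw new ToscaPolicyConversionException("each \"permissions\" entry must be a map");
        }
        Map<?, ?> entry = (Map<?, ?>) permission;
        //
        // A rule matches only when both the entity and the permission are equal (AND)
        //
        MatchType matchEntity = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(
                XACML3.ID_FUNCTION_STRING_EQUAL, requirePermissionField(entry, "entity"),
                XACML3.ID_DATATYPE_STRING, ID_TUTORIAL_ENTITY, XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE);
        MatchType matchPermission = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(
                XACML3.ID_FUNCTION_STRING_EQUAL, requirePermissionField(entry, "permission"),
                XACML3.ID_DATATYPE_STRING, ID_TUTORIAL_PERM, XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE);
        AnyOfType ruleAnyOf = new AnyOfType();
        ruleAnyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchEntity, matchPermission));
        TargetType ruleTarget = new TargetType();
        ruleTarget.getAnyOf().add(ruleAnyOf);

        RuleType rule = new RuleType();
        rule.setDescription("Default is to PERMIT if the policy matches.");
        rule.setRuleId(newPolicyType.getPolicyId() + ":rule" + ruleNumber);
        rule.setEffect(EffectType.PERMIT);
        rule.setTarget(ruleTarget);

        newPolicyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule);
        ruleNumber++;
    }
    return newPolicyType;
}

/** Returns the string stored under {@code key} in one permission entry, or rejects the policy. */
private static String requirePermissionField(Map<?, ?> entry, String key)
        throws ToscaPolicyConversionException {
    Object value = entry.get(key);
    if (!(value instanceof String)) {
        throw new ToscaPolicyConversionException(
                "each \"permissions\" entry needs a string value for \"" + key + "\"");
    }
    return (String) value;
}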
129 * Convert ONAP DecisionRequest to XACML Request.
// Builds the XACML Request for an ONAP DecisionRequest: the result of
// TutorialRequest.createRequest(request) is handed to RequestParser.parseRequest and the
// parsed Request is returned.
// NOTE(review): the body of the catch block below and the statements after it are not part
// of this listing, so what the method returns when conversion fails cannot be stated here.
// A request that cannot be converted must not end in a PERMIT; confirm that the caller
// treats a failed conversion as a denial.
131 public Request convertRequest(DecisionRequest request) {
133 return RequestParser.parseRequest(TutorialRequest.createRequest(request));
// Failures raised while building or parsing the annotated request object are caught here.
134 } catch (IllegalArgumentException | IllegalAccessException | DataTypeException e) {
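/**
 * Convert XACML Response to ONAP DecisionResponse.
 *
 * <p>The status is reported fail-closed. It is Permit only when the response holds at least one
 * result and every result is {@code Decision.PERMIT}. Any other decision in any result, or a
 * response without results, is reported as Deny, so the status is always set and a later
 * Permit can never mask an earlier non-Permit result.
 *
 * @param xacmlResponse the response returned by the XACML engine
 * @return a DecisionResponse whose status is the string form of Decision.PERMIT or Decision.DENY
 */
public DecisionResponse convertResponse(Response xacmlResponse) {
    DecisionResponse decisionResponse = new DecisionResponse();
    //
    // Iterate through all the results; stop at the first one that is not a Permit
    //
    boolean permitted = false;
    for (Result xacmlResult : xacmlResponse.getResults()) {
        if (xacmlResult.getDecision() != Decision.PERMIT) {
            permitted = false;
            break;
        }
        permitted = true;
    }
    //
    // Just simply return a Permit or a Deny response
    //
    decisionResponse.setStatus((permitted ? Decision.PERMIT : Decision.DENY).toString());
    return decisionResponse;
}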