- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Ended Successfully");
- im.endTransaction();
- return;
- }
- //Catch anything that fell through
- PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " Request does not have groupId");
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- setResponseError(response,HttpServletResponse.SC_BAD_REQUEST, "Request does not have groupId");
- im.endTransaction();
- }
-
- private boolean isPDPCurrent(Properties policies, Properties pipconfig, Properties pdpProperties) {
- String localRootPolicies = policies.getProperty(XACMLProperties.PROP_ROOTPOLICIES);
- String localReferencedPolicies = policies.getProperty(XACMLProperties.PROP_REFERENCEDPOLICIES);
- if (localRootPolicies == null || localReferencedPolicies == null) {
- LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + "Missing property on PAP server: RootPolicies="+localRootPolicies+" ReferencedPolicies="+localReferencedPolicies);
- return false;
- }
- // Compare the policies and pipconfig properties to the pdpProperties
- try {
- // the policy properties includes only xacml.rootPolicies and
- // xacml.referencedPolicies without any .url entries
- Properties pdpPolicies = XACMLProperties.getPolicyProperties(pdpProperties, false);
- Properties pdpPipConfig = XACMLProperties.getPipProperties(pdpProperties);
- if (localRootPolicies.equals(pdpPolicies.getProperty(XACMLProperties.PROP_ROOTPOLICIES)) &&
- localReferencedPolicies.equals(pdpPolicies.getProperty(XACMLProperties.PROP_REFERENCEDPOLICIES)) &&
- pdpPipConfig.equals(pipconfig)) {
- // The PDP is current
- return true;
- }
- } catch (Exception e) {
- // we get here if the PDP did not include either xacml.rootPolicies or xacml.pip.engines,
- // or if there are policies that do not have a corresponding ".url" property.
- // Either of these cases means that the PDP is not up-to-date, so just drop-through to return false.
- PolicyLogger.error(MessageCodes.ERROR_SCHEMA_INVALID, e, "XACMLPapServlet", " PDP Error");
- }
- return false;
- }
-
- private void populatePolicyURL(StringBuffer urlPath, Properties policies) {
- String lists[] = new String[2];
- lists[0] = policies.getProperty(XACMLProperties.PROP_ROOTPOLICIES);
- lists[1] = policies.getProperty(XACMLProperties.PROP_REFERENCEDPOLICIES);
- for (String list : lists) {
- if (list != null && list.isEmpty() == false) {
- for (String id : Splitter.on(',').trimResults().omitEmptyStrings().split(list)) {
- String url = urlPath + "?id=" + id;
- LOGGER.info("Policy URL for " + id + ": " + url);
- policies.setProperty(id + ".url", url);
- }
- }
- }
- }
-
- protected String getPDPID(HttpServletRequest request) {
- String pdpURL = request.getHeader(XACMLRestProperties.PROP_PDP_HTTP_HEADER_ID);
- if (pdpURL == null || pdpURL.isEmpty()) {
- // Should send back its port for identification
- LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + "PDP did not send custom header");
- pdpURL = "";
- }
- return pdpURL;
- }
-
- protected String getPDPJMX(HttpServletRequest request) {
- String pdpJMMX = request.getHeader(XACMLRestProperties.PROP_PDP_HTTP_HEADER_JMX_PORT);
- if (pdpJMMX == null || pdpJMMX.isEmpty()) {
- // Should send back its port for identification
- LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + "PDP did not send custom header for JMX Port so the value of 0 is assigned");
- return null;
- }
- return pdpJMMX;
- }
-
- /**
- * Requests from the PolicyEngine API to update the PDP Group with pushed policy
- *
- * @param request
- * @param response
- * @param groupId
- * @param loggingContext
- * @throws ServletException
- * @throws IOException
- */
- public void updateGroupsFromAPI(HttpServletRequest request, HttpServletResponse response, String groupId, ONAPLoggingContext loggingContext) throws IOException {
- PolicyDBDaoTransaction acPutTransaction = policyDBDao.getNewTransaction();
- PolicyLogger.audit("PolicyDBDaoTransaction started for updateGroupsFromAPI");
- try {
- // for PUT operations the group may or may not need to exist before the operation can be done
- StdPDPGroup group = (StdPDPGroup) papEngine.getGroup(groupId);
-
- // get the request input stream content into a String
- String json = null;
- java.util.Scanner scanner = new java.util.Scanner(request.getInputStream());
- scanner.useDelimiter("\\A");
- json = scanner.hasNext() ? scanner.next() : "";
- scanner.close();
-
- PolicyLogger.info("pushPolicy request from API: " + json);
-
- // convert Object sent as JSON into local object
- StdPDPPolicy policy = PolicyUtils.jsonStringToObject(json, StdPDPPolicy.class);
-
- //Get the current policies from the Group and Add the new one
- Set<PDPPolicy> currentPoliciesInGroup = new HashSet<>();
- currentPoliciesInGroup = group.getPolicies();
- //If the selected policy is in the group we must remove the old version of it
- LOGGER.info("Removing old version of the policy");
- for(PDPPolicy existingPolicy : currentPoliciesInGroup) {
- if (existingPolicy.getName().equals(policy.getName()) && !existingPolicy.getId().equals(policy.getId())){
- group.removePolicy(existingPolicy);
- LOGGER.info("Removing policy: " + existingPolicy);
- break;
- }
- }
-
- // Assume that this is an update of an existing PDP Group
- loggingContext.setServiceName("PolicyEngineAPI:PAP.updateGroup");
- try{
- acPutTransaction.updateGroup(group, "XACMLPapServlet.doACPut");
- } catch(Exception e){
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " Error while updating group in the database: "
- +"group="+group.getId());
- throw new PAPException(e.getMessage());
- }
-
- LOGGER.info("Calling updatGroup() with new group");
- papEngine.updateGroup(group);
- String policyId = "empty";
- if(policy !=null && policy.getId() != null){
- policyId = policy.getId();
- }
- if(!policyId.matches(REGEX) ){
- response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
- response.addHeader("error",ADD_GROUP_ERROR);
- response.addHeader("message", "Policy Id is not valid");
- return;
- }
- response.setStatus(HttpServletResponse.SC_NO_CONTENT);
- response.addHeader("operation", "push");
- response.addHeader("policyId", policyId);
- response.addHeader("groupId", groupId);
-
- LOGGER.info("Group '" + group.getId() + "' updated");
-
- loggingContext.metricStarted();
- acPutTransaction.commitTransaction();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet updateGroupsFromAPI commitTransaction");
- loggingContext.metricStarted();
- notifyAC();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet updateGroupsFromAPI notifyAC");
-
- // Group changed, which might include changing the policies
- groupChanged(group, loggingContext);
- loggingContext.transactionEnded();
- LOGGER.info("Success");
-
- if (policy != null && ((policy.getId().contains("Config_MS_")) || (policy.getId().contains("BRMS_Param")))) {
- PushPolicyHandler pushPolicyHandler = PushPolicyHandler.getInstance();
- if (pushPolicyHandler.preSafetyCheck(policy, configHome)) {
- LOGGER.debug("Precheck Successful.");
- }
- }
-
- PolicyLogger.audit("Transaction Ended Successfully");
- return;
- } catch (PAPException e) {
- acPutTransaction.rollbackTransaction();
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " API PUT exception");
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- String message = XACMLErrorConstants.ERROR_PROCESS_FLOW + "Exception in request to update group from API - See Error.log on on the PAP.";
- setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
- response.addHeader("error",ADD_GROUP_ERROR);
- response.addHeader("message", message);
- return;
- }
- }
-
- /**
- * Requests from the Admin Console for operations not on single specific objects
- *
- * @param request
- * @param response
- * @param groupId
- * @param loggingContext
- * @throws ServletException
- * @throws IOException
- */
- private void doACPost(HttpServletRequest request, HttpServletResponse response, String groupId, ONAPLoggingContext loggingContext) throws ServletException, IOException {
- PolicyDBDaoTransaction doACPostTransaction = null;
- try {
- String groupName = request.getParameter("groupName");
- String groupDescription = request.getParameter("groupDescription");
- String apiflag = request.getParameter("apiflag");
- if (groupName != null && groupDescription != null) {
- // Args: group=<groupId> groupName=<name> groupDescription=<description> <= create a new group
- loggingContext.setServiceName("AC:PAP.createGroup");
- String unescapedName = null;
- String unescapedDescription = null;
- try{
- unescapedName = URLDecoder.decode(groupName, "UTF-8");
- unescapedDescription = URLDecoder.decode(groupDescription, "UTF-8");
- } catch (UnsupportedEncodingException e) {
- LOGGER.error(e);
- }
- PolicyDBDaoTransaction newGroupTransaction = policyDBDao.getNewTransaction();
- try {
- newGroupTransaction.createGroup(PolicyDBDao.createNewPDPGroupId(unescapedName), unescapedName, unescapedDescription,"XACMLPapServlet.doACPost");
- papEngine.newGroup(unescapedName, unescapedDescription);
- loggingContext.metricStarted();
- newGroupTransaction.commitTransaction();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet doACPost commitTransaction");
- } catch (Exception e) {
- newGroupTransaction.rollbackTransaction();
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " Unable to create new group");
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Unable to create new group '" + groupId + "'");
- return;
- }
- response.setStatus(HttpServletResponse.SC_NO_CONTENT);
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("New Group '" + groupId + "' created");
- }
- // tell the Admin Consoles there is a change
- loggingContext.metricStarted();
- notifyAC();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet doACPost notifyAC");
- // new group by definition has no PDPs, so no need to notify them of changes
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- auditLogger.info("Success");
- PolicyLogger.audit("Transaction Ended Successfully");
- return;
- }
- // for all remaining POST operations the group must exist before the operation can be done
- OnapPDPGroup group = null;
- try{
- group = papEngine.getGroup(groupId);
- } catch (PAPException e){
- LOGGER.error(e);
- }
- if (group == null) {
- String message = "Unknown groupId '" + groupId + "'";
- //for fixing Header Manipulation of Fortify issue
- if(!message.matches(REGEX)){
- response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
- response.addHeader("error",ADD_GROUP_ERROR);
- response.addHeader("message", "GroupId Id is not valid");
- return;
- }
- PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " " + message);
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- if (apiflag!=null){
- response.addHeader("error", "unknownGroupId");
- response.addHeader("operation", "push");
- response.addHeader("message", message);
- response.setStatus(HttpServletResponse.SC_NOT_FOUND);
- } else {
- setResponseError(response,HttpServletResponse.SC_NOT_FOUND, message);
- }
- return;
- }
-
- // If the request contains a policyId then we know we are pushing the policy to PDP
- if (request.getParameter("policyId") != null) {
-
- if(apiflag!=null){
- loggingContext.setServiceName("PolicyEngineAPI:PAP.postPolicy");
- LOGGER.info("PushPolicy Request From The API");
- } else {
- loggingContext.setServiceName("AC:PAP.postPolicy");
- LOGGER.info("PushPolicy Request From The AC");
- }
-
- String policyId = request.getParameter("policyId");
- PolicyDBDaoTransaction addPolicyToGroupTransaction = policyDBDao.getNewTransaction();
- StdPDPGroup updatedGroup = null;
- try {
- //Copying the policy to the file system and updating groups in database
- LOGGER.info("PapServlet: calling PolicyDBDao.addPolicyToGroup()");
- updatedGroup = addPolicyToGroupTransaction.addPolicyToGroup(group.getId(), policyId,"XACMLPapServlet.doACPost");
- loggingContext.metricStarted();
- addPolicyToGroupTransaction.commitTransaction();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet doACPost commitTransaction");
- LOGGER.info("PapServlet: addPolicyToGroup() succeeded, transaction was committed");
-
- } catch (Exception e) {
- addPolicyToGroupTransaction.rollbackTransaction();
- String message = "Policy '" + policyId + "' not copied to group '" + groupId +"': " + e;
- //for fixing Header Manipulation of Fortify issue
- if(!message.matches(REGEX)){
- response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
- response.addHeader("error",ADD_GROUP_ERROR);
- response.addHeader("message", "Policy Id is not valid");
- return;
- }
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW + " " + message);
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- if (apiflag!=null){
- response.addHeader("error", "policyCopyError");
- response.addHeader("message", message);
- response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
- } else {
- setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
- }
- return;
- }
-
- if(apiflag != null){
- /*
- * If request comes from the API we need to run the PolicyDBDao updateGroup() to notify other paps of the change.
- * The GUI does this from the POLICY-SDK-APP code.
- */
-
- // Get new transaction to perform updateGroup()
- PolicyDBDaoTransaction acPutTransaction = policyDBDao.getNewTransaction();
- try {
- // get the request content into a String and read the inputStream into a buffer
- java.util.Scanner scanner = new java.util.Scanner(request.getInputStream());
- scanner.useDelimiter("\\A");
- String json = scanner.hasNext() ? scanner.next() : "";
- scanner.close();
-
- // convert Object sent as JSON into local object
- ObjectMapper mapper = new ObjectMapper();
- Object objectFromJSON = mapper.readValue(json, StdPDPPolicy.class);
- StdPDPPolicy policy = (StdPDPPolicy) objectFromJSON;
-
- LOGGER.info("Request JSON Payload: " + json);
-
- // Assume that this is an update of an existing PDP Group
- loggingContext.setServiceName("PolicyEngineAPI:PAP.updateGroup");
- try{
- acPutTransaction.updateGroup(updatedGroup, "XACMLPapServlet.doACPut");
- } catch(Exception e){
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " Error occurred when notifying PAPs of a group change: "
- + e);
- throw new PAPException(e.getMessage());
- }
-
- LOGGER.info("Calling updatGroup() with new group");
- papEngine.updateGroup(updatedGroup);
-
- LOGGER.info("Group '" + updatedGroup.getId() + "' updated");
-
- // Commit transaction to send notification to other PAPs
- loggingContext.metricStarted();
- acPutTransaction.commitTransaction();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet updateGroupsFromAPI commitTransaction");
- loggingContext.metricStarted();
-
- notifyAC();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet updateGroupsFromAPI notifyAC");
-
- // Group changed to send notification to PDPs, which might include changing the policies
- groupChanged(updatedGroup,loggingContext);
- loggingContext.transactionEnded();
- LOGGER.info("Success");
-
- if (policy != null && ((policy.getName().contains("Config_MS_")) || (policy.getId().contains("BRMS_Param")))) {
- PushPolicyHandler pushPolicyHandler = PushPolicyHandler.getInstance();
- if (pushPolicyHandler.preSafetyCheck(policy, configHome)) {
- LOGGER.debug("Precheck Successful.");
- }
- }
-
- //delete temporary policy file from the bin directory
- Files.deleteIfExists(Paths.get(policy.getId()));
-
- } catch (Exception e) {
- acPutTransaction.rollbackTransaction();
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " API PUT exception");
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- String message = XACMLErrorConstants.ERROR_PROCESS_FLOW + "Exception occurred when updating the group from API.";
- LOGGER.error(message);
- setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
- response.addHeader("error",ADD_GROUP_ERROR);
- response.addHeader("message", message);
- return;
- }
- }
-
- // policy file copied ok and the Group was updated on the PDP
- response.setStatus(HttpServletResponse.SC_NO_CONTENT);
- response.addHeader("operation", "push");
- response.addHeader("policyId", policyId);
- response.addHeader("groupId", groupId);
-
- LOGGER.info("policy '" + policyId + "' copied to directory for group '" + groupId + "'");
- loggingContext.transactionEnded();
- auditLogger.info("Success");
- LOGGER.info("Transaction Ended Successfully");
-
- return;
- } else if (request.getParameter("default") != null) {
- // Args: group=<groupId> default=true <= make default
- // change the current default group to be the one identified in the request.
- loggingContext.setServiceName("AC:PAP.setDefaultGroup");
- // This is a POST operation rather than a PUT "update group" because of the side-effect that the current default group is also changed.
- // It should never be the case that multiple groups are currently marked as the default, but protect against that anyway.
- PolicyDBDaoTransaction setDefaultGroupTransaction = policyDBDao.getNewTransaction();
- try {
- setDefaultGroupTransaction.changeDefaultGroup(group, "XACMLPapServlet.doACPost");
- papEngine.setDefaultGroup(group);
- loggingContext.metricStarted();
- setDefaultGroupTransaction.commitTransaction();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet doACPost commitTransaction");
- } catch (Exception e) {
- setDefaultGroupTransaction.rollbackTransaction();
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " Unable to set group");
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Unable to set group '" + groupId + "' to default");
- return;
- }
- response.setStatus(HttpServletResponse.SC_NO_CONTENT);
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("Group '" + groupId + "' set to be default");
- }
- // Notify the Admin Consoles that something changed
- // For now the AC cannot handle anything more detailed than the whole set of PDPGroups, so just notify on that
- //TODO - Future: FIGURE OUT WHAT LEVEL TO NOTIFY: 2 groups or entire set - currently notify AC to update whole configuration of all groups
- loggingContext.metricStarted();
- notifyAC();
- // This does not affect any PDPs in the existing groups, so no need to notify them of this change
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet doACPost notifyAC");
- loggingContext.transactionEnded();
- auditLogger.info("Success");
- LOGGER.info("Transaction Ended Successfully");
- return;
- } else if (request.getParameter("pdpId") != null) {
- doACPostTransaction = policyDBDao.getNewTransaction();
- // Args: group=<groupId> pdpId=<pdpId> <= move PDP to group
- loggingContext.setServiceName("AC:PAP.movePDP");
- String pdpId = request.getParameter("pdpId");
- OnapPDP pdp = papEngine.getPDP(pdpId);
- OnapPDPGroup originalGroup = papEngine.getPDPGroup((OnapPDP) pdp);
- try{
- doACPostTransaction.movePdp(pdp, group, "XACMLPapServlet.doACPost");
- }catch(Exception e){
- doACPostTransaction.rollbackTransaction();
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet",
- " Error while moving pdp in the database: "
- +"pdp="+pdp.getId()+",to group="+group.getId());
- throw new PAPException(e.getMessage());
- }
- papEngine.movePDP((OnapPDP) pdp, group);
- response.setStatus(HttpServletResponse.SC_NO_CONTENT);
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("PDP '" + pdp.getId() +"' moved to group '" + group.getId() + "' set to be default");
- }
- // update the status of both the original group and the new one
- ((StdPDPGroup)originalGroup).resetStatus();
- ((StdPDPGroup)group).resetStatus();
- // Notify the Admin Consoles that something changed
- // For now the AC cannot handle anything more detailed than the whole set of PDPGroups, so just notify on that
- loggingContext.metricStarted();
- notifyAC();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet doACPost notifyAC");
- // Need to notify the PDP that it's config may have changed
- pdpChanged(pdp, loggingContext);
- loggingContext.metricStarted();
- doACPostTransaction.commitTransaction();
- loggingContext.metricEnded();
- PolicyLogger.metrics("XACMLPapServlet doACPost commitTransaction");
- loggingContext.transactionEnded();
- auditLogger.info("Success");
- PolicyLogger.audit("Transaction Ended Successfully");
- return;
- }
- } catch (PAPException e) {
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " AC POST exception");
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- return;
- }
- }
-
- /**
- * Requests from the Admin Console to GET info about the Groups and PDPs
- *
- * @param request
- * @param response
- * @param groupId
- * @param loggingContext
- * @throws ServletException
- * @throws IOException
- */
- private void doACGet(HttpServletRequest request, HttpServletResponse response, String groupId, ONAPLoggingContext loggingContext) throws IOException {
- try {
- String parameterDefault = request.getParameter("default");
- String pdpId = request.getParameter("pdpId");
- String pdpGroup = request.getParameter("getPDPGroup");
- if ("".equals(groupId)) {
- // request IS from AC but does not identify a group by name
- if (parameterDefault != null) {
- // Request is for the Default group (whatever its id)
- loggingContext.setServiceName("AC:PAP.getDefaultGroup");
- OnapPDPGroup group = papEngine.getDefaultGroup();
- // convert response object to JSON and include in the response
- mapperWriteValue(new ObjectMapper(), response, group);
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("GET Default group req from '" + request.getRequestURL() + "'");
- }
- response.setStatus(HttpServletResponse.SC_OK);
- response.setHeader("content-type", "application/json");
- try{
+ try (InputStream is = new FileInputStream(((StdPDPGroup)group).getDirectory().toString()+File.separator+policyId); OutputStream os = response.getOutputStream()) {
+ // Send the policy back
+ IOUtils.copy(is, os);
+ response.setStatus(HttpServletResponse.SC_OK);
+ loggingContext.transactionEnded();
+ auditLogger.info("Success");
+ PolicyLogger.audit("Transaction Ended Successfully");
+ } catch (IOException e) {
+ String message = "Failed to open policy id " + policyId;
+ LOGGER.debug(e);
+ PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_NOT_FOUND, message);
+ }
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Ended");
+ im.endTransaction();
+ }
+
+ /**
+ * @see HttpServlet#doPut(HttpServletRequest request, HttpServletResponse response)
+ */
+ protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+ ONAPLoggingContext loggingContext = ONAPLoggingUtils.getLoggingContextForRequest(request, baseLoggingContext);
+ loggingContext.transactionStarted();
+ loggingContext.setServiceName("PAP.put");
+ if ((loggingContext.getRequestID() == null) || (loggingContext.getRequestID() == "")){
+ UUID requestID = UUID.randomUUID();
+ loggingContext.setRequestID(requestID.toString());
+ PolicyLogger.info("requestID not provided in call to XACMLPapSrvlet (doPut) so we generated one");
+ } else {
+ PolicyLogger.info("requestID was provided in call to XACMLPapSrvlet (doPut)");
+ }
+ try {
+ loggingContext.metricStarted();
+ im.startTransaction();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doPut im startTransaction");
+ } catch (IntegrityMonitorException e) {
+ String message = "PUT interface called for PAP " + papResourceName;
+ if (e instanceof AdministrativeStateException) {
+ message += " but it has an Administrative state of "
+ + im.getStateManager().getAdminState();
+ } else if (e instanceof StandbyStatusException) {
+ message += " but it has a Standby Status of "
+ + im.getStateManager().getStandbyStatus();
+ } else {
+ message += " but an exception occurred";
+
+ }
+ message += "\n Exception Message: " + e.getMessage();
+
+ LOGGER.info(message, e);
+ PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
+ return;
+ }
+
+ loggingContext.metricStarted();
+ XACMLRest.dumpRequest(request);
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doPut dumpRequest");
+ //need to check if request is from the API or Admin console
+ String apiflag = request.getParameter("apiflag");
+ //This would occur if a PolicyDBDao notification was received
+ String policyDBDaoRequestUrl = request.getParameter("policydbdaourl");
+ if(policyDBDaoRequestUrl != null){
+ LOGGER.info("XACMLPapServlet: PolicyDBDao Notification received." );
+ String policyDBDaoRequestEntityId = request.getParameter("entityid");
+ String policyDBDaoRequestEntityType = request.getParameter("entitytype");
+ String policyDBDaoRequestExtraData = request.getParameter("extradata");
+ if(policyDBDaoRequestEntityId == null || policyDBDaoRequestEntityType == null){
+ setResponseError(response,400, "entityid or entitytype not supplied");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Ended Successfully");
+ im.endTransaction();
+ return;
+ }
+ loggingContext.metricStarted();
+ LOGGER.info("XACMLPapServlet: Calling PolicyDBDao to handlIncomingHttpNotification");
+ policyDBDao.handleIncomingHttpNotification(policyDBDaoRequestUrl,policyDBDaoRequestEntityId,policyDBDaoRequestEntityType,policyDBDaoRequestExtraData,this);
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doPut handle incoming http notification");
+ response.setStatus(200);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Ended Successfully");
+ im.endTransaction();
+ return;
+ }
+ /*
+ * Request for ImportService
+ */
+ String importService = request.getParameter("importService");
+ if (importService != null) {
+ if(authorizeRequest(request)){
+ APIRequestHandler apiRequestHandler = new APIRequestHandler();
+ try{
+ loggingContext.metricStarted();
+ apiRequestHandler.doPut(request, response, importService);
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doPut apiRequestHandler doPut");
+ }catch(IOException e){
+ LOGGER.error(e);
+ }
+ im.endTransaction();
+ return;
+ } else {
+ String message = "PEP not Authorized for making this Request!! \n Contact Administrator for this Scope. ";
+ LOGGER.error(XACMLErrorConstants.ERROR_PERMISSIONS + message );
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_FORBIDDEN, message);
+ return;
+ }
+ }
+ //
+ // See if this is Admin Console registering itself with us
+ //
+ String acURLString = request.getParameter("adminConsoleURL");
+ if (acURLString != null) {
+ loggingContext.setServiceName("AC:PAP.register");
+ // remember this Admin Console for future updates
+ if ( ! adminConsoleURLStringList.contains(acURLString)) {
+ adminConsoleURLStringList.add(acURLString);
+ }
+ if (LOGGER.isDebugEnabled()) {
+ LOGGER.debug("Admin Console registering with URL: " + acURLString);
+ }
+ response.setStatus(HttpServletResponse.SC_NO_CONTENT);
+ loggingContext.transactionEnded();
+ auditLogger.info("Success");
+ PolicyLogger.audit("Transaction Ended Successfully");
+ im.endTransaction();
+ return;
+ }
+ /*
+ * This is to update the PDP Group with the policy/policies being pushed
+ * Part of a 2 step process to push policies to the PDP that can now be done
+ * From both the Admin Console and the PolicyEngine API
+ */
+ String groupId = request.getParameter("groupId");
+ if (groupId != null) {
+ if(apiflag!=null){
+ if(!authorizeRequest(request)){
+ String message = "PEP not Authorized for making this Request!! \n Contact Administrator for this Scope. ";
+ PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_FORBIDDEN, message);
+ return;
+ }
+ if(apiflag.equalsIgnoreCase("addPolicyToGroup")){
+ try{
+ updateGroupsFromAPI(request, response, groupId, loggingContext);
+ }catch(IOException e){
+ LOGGER.error(e);
+ }
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Ended Successfully");
+ im.endTransaction();
+ return;
+ }
+ }
+ // this is from the Admin Console, so handle separately
+ try {
+ loggingContext.metricEnded();
+ doACPut(request, response, groupId, loggingContext);
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet goPut doACPut");
+ } catch (IOException e) {
+ LOGGER.error(e);
+ }
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Ended Successfully");
+ im.endTransaction();
+ return;
+ }
+ //
+ // Request is for policy validation and creation
+ //
+ if (apiflag != null && apiflag.equalsIgnoreCase("admin")){
+ // this request is from the Admin Console
+ SavePolicyHandler savePolicyHandler = SavePolicyHandler.getInstance();
+ try{
+ loggingContext.metricStarted();
+ savePolicyHandler.doPolicyAPIPut(request, response);
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet goPut savePolicyHandler");
+ } catch (IOException e) {
+ LOGGER.error(e);
+ }
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Ended Successfully");
+ im.endTransaction();
+ return;
+ } else if (apiflag != null && "api".equalsIgnoreCase(apiflag)) {
+ // this request is from the Policy Creation API
+ if(authorizeRequest(request)){
+ APIRequestHandler apiRequestHandler = new APIRequestHandler();
+ try{
+ loggingContext.metricStarted();
+ apiRequestHandler.doPut(request, response, request.getHeader("ClientScope"));
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet goPut apiRequestHandler doPut");
+ } catch (IOException e) {
+ LOGGER.error(e);
+ }
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Ended Successfully");
+ im.endTransaction();
+ return;
+ } else {
+ String message = "PEP not Authorized for making this Request!!";
+ PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_FORBIDDEN, message);
+ im.endTransaction();
+ return;
+ }
+ }
+ // We do not expect anything from anywhere else.
+ // This method is here in case we ever need to support other operations.
+ LOGGER.error(XACMLErrorConstants.ERROR_DATA_ISSUE + "Request does not have groupId or apiflag");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_BAD_REQUEST, "Request does not have groupId or apiflag");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See error.log");
+ im.endTransaction();
+ }
+
+ /**
+ * @see HttpServlet#doDelete(HttpServletRequest request, HttpServletResponse response)
+ */
+ protected void doDelete(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+ ONAPLoggingContext loggingContext = ONAPLoggingUtils.getLoggingContextForRequest(request, baseLoggingContext);
+ loggingContext.transactionStarted();
+ loggingContext.setServiceName("PAP.delete");
+ if ((loggingContext.getRequestID() == null) || (loggingContext.getRequestID() == "")){
+ UUID requestID = UUID.randomUUID();
+ loggingContext.setRequestID(requestID.toString());
+ PolicyLogger.info("requestID not provided in call to XACMLPapSrvlet (doDelete) so we generated one");
+ } else {
+ PolicyLogger.info("requestID was provided in call to XACMLPapSrvlet (doDelete)");
+ }
+ try {
+ loggingContext.metricStarted();
+ im.startTransaction();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doDelete im startTransaction");
+ } catch (AdministrativeStateException ae){
+ String message = "DELETE interface called for PAP " + papResourceName + " but it has an Administrative"
+ + " state of " + im.getStateManager().getAdminState()
+ + "\n Exception Message: " + ae.getMessage();
+ LOGGER.info(message, ae);
+ PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
+ return;
+ }catch (StandbyStatusException se) {
+ String message = "PUT interface called for PAP " + papResourceName + " but it has a Standby Status"
+ + " of " + im.getStateManager().getStandbyStatus()
+ + "\n Exception Message: " + se.getMessage();
+ LOGGER.info(message, se);
+ PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
+ return;
+ } catch (IntegrityMonitorException e) {
+ String message = "PUT interface called for PAP " + papResourceName + " but an exception occurred"
+ + "\n Exception Message: " + e.getMessage();
+ LOGGER.info(message, e);
+ PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
+ return;
+ }
+ loggingContext.metricStarted();
+ XACMLRest.dumpRequest(request);
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doDelete dumpRequest");
+ String groupId = request.getParameter("groupId");
+ String apiflag = request.getParameter("apiflag");
+ if (groupId != null) {
+ // Is this from the Admin Console or API?
+ if(apiflag!=null) {
+ if(!authorizeRequest(request)){
+ String message = "PEP not Authorized for making this Request!! \n Contact Administrator for this Scope. ";
+ PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_FORBIDDEN, message);
+ return;
+ }
+ APIRequestHandler apiRequestHandler = new APIRequestHandler();
+ try {
+ loggingContext.metricStarted();
+ apiRequestHandler.doDelete(request, response, loggingContext, apiflag);
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doDelete apiRequestHandler doDelete");
+ } catch (Exception e) {
+ LOGGER.error("Exception Occured"+e);
+ }
+ if(apiRequestHandler.getNewGroup()!=null){
+ groupChanged(apiRequestHandler.getNewGroup(), loggingContext);
+ }
+ return;
+ }
+ // this is from the Admin Console, so handle separately
+ try{
+ loggingContext.metricStarted();
+ doACDelete(request, response, groupId, loggingContext);
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doDelete doACDelete");
+ } catch (IOException e) {
+ LOGGER.error(e);
+ }
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Ended Successfully");
+ im.endTransaction();
+ return;
+ }
+ //Catch anything that fell through
+ PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " Request does not have groupId");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_BAD_REQUEST, "Request does not have groupId");
+ im.endTransaction();
+ }
+
+ private boolean isPDPCurrent(Properties policies, Properties pipconfig, Properties pdpProperties) {
+ String localRootPolicies = policies.getProperty(XACMLProperties.PROP_ROOTPOLICIES);
+ String localReferencedPolicies = policies.getProperty(XACMLProperties.PROP_REFERENCEDPOLICIES);
+ if (localRootPolicies == null || localReferencedPolicies == null) {
+ LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + "Missing property on PAP server: RootPolicies="+localRootPolicies+" ReferencedPolicies="+localReferencedPolicies);
+ return false;
+ }
+ // Compare the policies and pipconfig properties to the pdpProperties
+ try {
+ // the policy properties includes only xacml.rootPolicies and
+ // xacml.referencedPolicies without any .url entries
+ Properties pdpPolicies = XACMLProperties.getPolicyProperties(pdpProperties, false);
+ Properties pdpPipConfig = XACMLProperties.getPipProperties(pdpProperties);
+ if (localRootPolicies.equals(pdpPolicies.getProperty(XACMLProperties.PROP_ROOTPOLICIES)) &&
+ localReferencedPolicies.equals(pdpPolicies.getProperty(XACMLProperties.PROP_REFERENCEDPOLICIES)) &&
+ pdpPipConfig.equals(pipconfig)) {
+ // The PDP is current
+ return true;
+ }
+ } catch (Exception e) {
+ // we get here if the PDP did not include either xacml.rootPolicies or xacml.pip.engines,
+ // or if there are policies that do not have a corresponding ".url" property.
+ // Either of these cases means that the PDP is not up-to-date, so just drop-through to return false.
+ PolicyLogger.error(MessageCodes.ERROR_SCHEMA_INVALID, e, "XACMLPapServlet", " PDP Error");
+ }
+ return false;
+ }
+
+ private void populatePolicyURL(StringBuffer urlPath, Properties policies) {
+ String lists[] = new String[2];
+ lists[0] = policies.getProperty(XACMLProperties.PROP_ROOTPOLICIES);
+ lists[1] = policies.getProperty(XACMLProperties.PROP_REFERENCEDPOLICIES);
+ for (String list : lists) {
+ if (list != null && list.isEmpty() == false) {
+ for (String id : Splitter.on(',').trimResults().omitEmptyStrings().split(list)) {
+ String url = urlPath + "?id=" + id;
+ LOGGER.info("Policy URL for " + id + ": " + url);
+ policies.setProperty(id + ".url", url);
+ }
+ }
+ }
+ }
+
+ protected String getPDPID(HttpServletRequest request) {
+ String pdpURL = request.getHeader(XACMLRestProperties.PROP_PDP_HTTP_HEADER_ID);
+ if (pdpURL == null || pdpURL.isEmpty()) {
+ // Should send back its port for identification
+ LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + "PDP did not send custom header");
+ pdpURL = "";
+ }
+ return pdpURL;
+ }
+
+ protected String getPDPJMX(HttpServletRequest request) {
+ String pdpJMMX = request.getHeader(XACMLRestProperties.PROP_PDP_HTTP_HEADER_JMX_PORT);
+ if (pdpJMMX == null || pdpJMMX.isEmpty()) {
+ // Should send back its port for identification
+ LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + "PDP did not send custom header for JMX Port so the value of 0 is assigned");
+ return null;
+ }
+ return pdpJMMX;
+ }
+
+ /**
+ * Requests from the PolicyEngine API to update the PDP Group with pushed policy
+ *
+ * @param request
+ * @param response
+ * @param groupId
+ * @param loggingContext
+ * @throws ServletException
+ * @throws IOException
+ */
+ public void updateGroupsFromAPI(HttpServletRequest request, HttpServletResponse response, String groupId, ONAPLoggingContext loggingContext) throws IOException {
+ PolicyDBDaoTransaction acPutTransaction = policyDBDao.getNewTransaction();
+ PolicyLogger.audit("PolicyDBDaoTransaction started for updateGroupsFromAPI");
+ try {
+ // for PUT operations the group may or may not need to exist before the operation can be done
+ StdPDPGroup group = (StdPDPGroup) papEngine.getGroup(groupId);
+
+ // get the request input stream content into a String
+ String json = null;
+ java.util.Scanner scanner = new java.util.Scanner(request.getInputStream());
+ scanner.useDelimiter("\\A");
+ json = scanner.hasNext() ? scanner.next() : "";
+ scanner.close();
+
+ PolicyLogger.info("pushPolicy request from API: " + json);
+
+ // convert Object sent as JSON into local object
+ StdPDPPolicy policy = PolicyUtils.jsonStringToObject(json, StdPDPPolicy.class);
+
+ //Get the current policies from the Group and Add the new one
+ Set<PDPPolicy> currentPoliciesInGroup = new HashSet<>();
+ currentPoliciesInGroup = group.getPolicies();
+ //If the selected policy is in the group we must remove the old version of it
+ LOGGER.info("Removing old version of the policy");
+ for(PDPPolicy existingPolicy : currentPoliciesInGroup) {
+ if (existingPolicy.getName().equals(policy.getName()) && !existingPolicy.getId().equals(policy.getId())){
+ group.removePolicy(existingPolicy);
+ LOGGER.info("Removing policy: " + existingPolicy);
+ break;
+ }
+ }
+
+ // Assume that this is an update of an existing PDP Group
+ loggingContext.setServiceName("PolicyEngineAPI:PAP.updateGroup");
+ try{
+ acPutTransaction.updateGroup(group, "XACMLPapServlet.doACPut");
+ } catch(Exception e){
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " Error while updating group in the database: "
+ +"group="+group.getId());
+ throw new PAPException(e.getMessage());
+ }
+
+ LOGGER.info("Calling updatGroup() with new group");
+ papEngine.updateGroup(group);
+ String policyId = "empty";
+ if(policy !=null && policy.getId() != null){
+ policyId = policy.getId();
+ }
+ if(!policyId.matches(REGEX) ){
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ response.addHeader("error",ADD_GROUP_ERROR);
+ response.addHeader("message", "Policy Id is not valid");
+ return;
+ }
+ response.setStatus(HttpServletResponse.SC_NO_CONTENT);
+ response.addHeader("operation", "push");
+ response.addHeader("policyId", policyId);
+ response.addHeader("groupId", groupId);
+
+ LOGGER.info("Group '" + group.getId() + "' updated");
+
+ loggingContext.metricStarted();
+ acPutTransaction.commitTransaction();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet updateGroupsFromAPI commitTransaction");
+ loggingContext.metricStarted();
+ notifyAC();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet updateGroupsFromAPI notifyAC");
+
+ // Group changed, which might include changing the policies
+ groupChanged(group, loggingContext);
+ loggingContext.transactionEnded();
+ LOGGER.info("Success");
+
+ if (policy != null && ((policy.getId().contains("Config_MS_")) || (policy.getId().contains("BRMS_Param")))) {
+ PushPolicyHandler pushPolicyHandler = PushPolicyHandler.getInstance();
+ if (pushPolicyHandler.preSafetyCheck(policy, configHome)) {
+ LOGGER.debug("Precheck Successful.");
+ }
+ }
+
+ PolicyLogger.audit("Transaction Ended Successfully");
+ return;
+ } catch (PAPException e) {
+ acPutTransaction.rollbackTransaction();
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " API PUT exception");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ String message = XACMLErrorConstants.ERROR_PROCESS_FLOW + "Exception in request to update group from API - See Error.log on on the PAP.";
+ setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ response.addHeader("error",ADD_GROUP_ERROR);
+ response.addHeader("message", message);
+ return;
+ }
+ }
+
+ /**
+ * Requests from the Admin Console for operations not on single specific objects
+ *
+ * @param request
+ * @param response
+ * @param groupId
+ * @param loggingContext
+ * @throws ServletException
+ * @throws IOException
+ */
+ private void doACPost(HttpServletRequest request, HttpServletResponse response, String groupId, ONAPLoggingContext loggingContext) throws ServletException, IOException {
+ PolicyDBDaoTransaction doACPostTransaction = null;
+ try {
+ String groupName = request.getParameter("groupName");
+ String groupDescription = request.getParameter("groupDescription");
+ String apiflag = request.getParameter("apiflag");
+ if (groupName != null && groupDescription != null) {
+ // Args: group=<groupId> groupName=<name> groupDescription=<description> <= create a new group
+ loggingContext.setServiceName("AC:PAP.createGroup");
+ String unescapedName = null;
+ String unescapedDescription = null;
+ try{
+ unescapedName = URLDecoder.decode(groupName, "UTF-8");
+ unescapedDescription = URLDecoder.decode(groupDescription, "UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ LOGGER.error(e);
+ }
+ PolicyDBDaoTransaction newGroupTransaction = policyDBDao.getNewTransaction();
+ try {
+ newGroupTransaction.createGroup(PolicyDBDao.createNewPDPGroupId(unescapedName), unescapedName, unescapedDescription,"XACMLPapServlet.doACPost");
+ papEngine.newGroup(unescapedName, unescapedDescription);
+ loggingContext.metricStarted();
+ newGroupTransaction.commitTransaction();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doACPost commitTransaction");
+ } catch (Exception e) {
+ newGroupTransaction.rollbackTransaction();
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " Unable to create new group");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Unable to create new group '" + groupId + "'");
+ return;
+ }
+ response.setStatus(HttpServletResponse.SC_NO_CONTENT);
+ if (LOGGER.isDebugEnabled()) {
+ LOGGER.debug("New Group '" + groupId + "' created");
+ }
+ // tell the Admin Consoles there is a change
+ loggingContext.metricStarted();
+ notifyAC();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doACPost notifyAC");
+ // new group by definition has no PDPs, so no need to notify them of changes
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ auditLogger.info("Success");
+ PolicyLogger.audit("Transaction Ended Successfully");
+ return;
+ }
+ // for all remaining POST operations the group must exist before the operation can be done
+ OnapPDPGroup group = null;
+ try{
+ group = papEngine.getGroup(groupId);
+ } catch (PAPException e){
+ LOGGER.error(e);
+ }
+ if (group == null) {
+ String message = "Unknown groupId '" + groupId + "'";
+ //for fixing Header Manipulation of Fortify issue
+ if(!message.matches(REGEX)){
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ response.addHeader("error",ADD_GROUP_ERROR);
+ response.addHeader("message", "GroupId Id is not valid");
+ return;
+ }
+ PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ if (apiflag!=null){
+ response.addHeader("error", "unknownGroupId");
+ response.addHeader("operation", "push");
+ response.addHeader("message", message);
+ response.setStatus(HttpServletResponse.SC_NOT_FOUND);
+ } else {
+ setResponseError(response,HttpServletResponse.SC_NOT_FOUND, message);
+ }
+ return;
+ }
+
+ // If the request contains a policyId then we know we are pushing the policy to PDP
+ if (request.getParameter("policyId") != null) {
+
+ if(apiflag!=null){
+ loggingContext.setServiceName("PolicyEngineAPI:PAP.postPolicy");
+ LOGGER.info("PushPolicy Request From The API");
+ } else {
+ loggingContext.setServiceName("AC:PAP.postPolicy");
+ LOGGER.info("PushPolicy Request From The AC");
+ }
+
+ String policyId = request.getParameter("policyId");
+ PolicyDBDaoTransaction addPolicyToGroupTransaction = policyDBDao.getNewTransaction();
+ StdPDPGroup updatedGroup = null;
+ try {
+ //Copying the policy to the file system and updating groups in database
+ LOGGER.info("PapServlet: calling PolicyDBDao.addPolicyToGroup()");
+ updatedGroup = addPolicyToGroupTransaction.addPolicyToGroup(group.getId(), policyId,"XACMLPapServlet.doACPost");
+ loggingContext.metricStarted();
+ addPolicyToGroupTransaction.commitTransaction();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doACPost commitTransaction");
+ LOGGER.info("PapServlet: addPolicyToGroup() succeeded, transaction was committed");
+
+ } catch (Exception e) {
+ addPolicyToGroupTransaction.rollbackTransaction();
+ String message = "Policy '" + policyId + "' not copied to group '" + groupId +"': " + e;
+ //for fixing Header Manipulation of Fortify issue
+ if(!message.matches(REGEX)){
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ response.addHeader("error",ADD_GROUP_ERROR);
+ response.addHeader("message", "Policy Id is not valid");
+ return;
+ }
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW + " " + message);
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ if (apiflag!=null){
+ response.addHeader("error", "policyCopyError");
+ response.addHeader("message", message);
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ } else {
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
+ }
+ return;
+ }
+
+ if(apiflag != null){
+ /*
+ * If request comes from the API we need to run the PolicyDBDao updateGroup() to notify other paps of the change.
+ * The GUI does this from the POLICY-SDK-APP code.
+ */
+
+ // Get new transaction to perform updateGroup()
+ PolicyDBDaoTransaction acPutTransaction = policyDBDao.getNewTransaction();
+ try {
+ // get the request content into a String and read the inputStream into a buffer
+ java.util.Scanner scanner = new java.util.Scanner(request.getInputStream());
+ scanner.useDelimiter("\\A");
+ String json = scanner.hasNext() ? scanner.next() : "";
+ scanner.close();
+
+ // convert Object sent as JSON into local object
+ ObjectMapper mapper = new ObjectMapper();
+ Object objectFromJSON = mapper.readValue(json, StdPDPPolicy.class);
+ StdPDPPolicy policy = (StdPDPPolicy) objectFromJSON;
+
+ LOGGER.info("Request JSON Payload: " + json);
+
+ // Assume that this is an update of an existing PDP Group
+ loggingContext.setServiceName("PolicyEngineAPI:PAP.updateGroup");
+ try{
+ acPutTransaction.updateGroup(updatedGroup, "XACMLPapServlet.doACPut");
+ } catch(Exception e){
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " Error occurred when notifying PAPs of a group change: "
+ + e);
+ throw new PAPException(e.getMessage());
+ }
+
+ LOGGER.info("Calling updatGroup() with new group");
+ papEngine.updateGroup(updatedGroup);
+
+ LOGGER.info("Group '" + updatedGroup.getId() + "' updated");
+
+ // Commit transaction to send notification to other PAPs
+ loggingContext.metricStarted();
+ acPutTransaction.commitTransaction();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet updateGroupsFromAPI commitTransaction");
+ loggingContext.metricStarted();
+
+ notifyAC();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet updateGroupsFromAPI notifyAC");
+
+ // Group changed to send notification to PDPs, which might include changing the policies
+ groupChanged(updatedGroup,loggingContext);
+ loggingContext.transactionEnded();
+ LOGGER.info("Success");
+
+ if (policy != null && ((policy.getName().contains("Config_MS_")) || (policy.getId().contains("BRMS_Param")))) {
+ PushPolicyHandler pushPolicyHandler = PushPolicyHandler.getInstance();
+ if (pushPolicyHandler.preSafetyCheck(policy, configHome)) {
+ LOGGER.debug("Precheck Successful.");
+ }
+ }
+
+ //delete temporary policy file from the bin directory
+ Files.deleteIfExists(Paths.get(policy.getId()));
+
+ } catch (Exception e) {
+ acPutTransaction.rollbackTransaction();
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " API PUT exception");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ String message = XACMLErrorConstants.ERROR_PROCESS_FLOW + "Exception occurred when updating the group from API.";
+ LOGGER.error(message);
+ setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ response.addHeader("error",ADD_GROUP_ERROR);
+ response.addHeader("message", message);
+ return;
+ }
+ }
+
+ // policy file copied ok and the Group was updated on the PDP
+ response.setStatus(HttpServletResponse.SC_NO_CONTENT);
+ response.addHeader("operation", "push");
+ response.addHeader("policyId", policyId);
+ response.addHeader("groupId", groupId);
+
+ LOGGER.info("policy '" + policyId + "' copied to directory for group '" + groupId + "'");
+ loggingContext.transactionEnded();
+ auditLogger.info("Success");
+ LOGGER.info("Transaction Ended Successfully");
+
+ return;
+ } else if (request.getParameter("default") != null) {
+ // Args: group=<groupId> default=true <= make default
+ // change the current default group to be the one identified in the request.
+ loggingContext.setServiceName("AC:PAP.setDefaultGroup");
+ // This is a POST operation rather than a PUT "update group" because of the side-effect that the current default group is also changed.
+ // It should never be the case that multiple groups are currently marked as the default, but protect against that anyway.
+ PolicyDBDaoTransaction setDefaultGroupTransaction = policyDBDao.getNewTransaction();
+ try {
+ setDefaultGroupTransaction.changeDefaultGroup(group, "XACMLPapServlet.doACPost");
+ papEngine.setDefaultGroup(group);
+ loggingContext.metricStarted();
+ setDefaultGroupTransaction.commitTransaction();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doACPost commitTransaction");
+ } catch (Exception e) {
+ setDefaultGroupTransaction.rollbackTransaction();
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " Unable to set group");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Unable to set group '" + groupId + "' to default");
+ return;
+ }
+ response.setStatus(HttpServletResponse.SC_NO_CONTENT);
+ if (LOGGER.isDebugEnabled()) {
+ LOGGER.debug("Group '" + groupId + "' set to be default");
+ }
+ // Notify the Admin Consoles that something changed
+ // For now the AC cannot handle anything more detailed than the whole set of PDPGroups, so just notify on that
+ //TODO - Future: FIGURE OUT WHAT LEVEL TO NOTIFY: 2 groups or entire set - currently notify AC to update whole configuration of all groups
+ loggingContext.metricStarted();
+ notifyAC();
+ // This does not affect any PDPs in the existing groups, so no need to notify them of this change
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doACPost notifyAC");
+ loggingContext.transactionEnded();
+ auditLogger.info("Success");
+ LOGGER.info("Transaction Ended Successfully");
+ return;
+ } else if (request.getParameter("pdpId") != null) {
+ doACPostTransaction = policyDBDao.getNewTransaction();
+ // Args: group=<groupId> pdpId=<pdpId> <= move PDP to group
+ loggingContext.setServiceName("AC:PAP.movePDP");
+ String pdpId = request.getParameter("pdpId");
+ OnapPDP pdp = papEngine.getPDP(pdpId);
+ OnapPDPGroup originalGroup = papEngine.getPDPGroup((OnapPDP) pdp);
+ try{
+ doACPostTransaction.movePdp(pdp, group, "XACMLPapServlet.doACPost");
+ }catch(Exception e){
+ doACPostTransaction.rollbackTransaction();
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet",
+ " Error while moving pdp in the database: "
+ +"pdp="+pdp.getId()+",to group="+group.getId());
+ throw new PAPException(e.getMessage());
+ }
+ papEngine.movePDP((OnapPDP) pdp, group);
+ response.setStatus(HttpServletResponse.SC_NO_CONTENT);
+ if (LOGGER.isDebugEnabled()) {
+ LOGGER.debug("PDP '" + pdp.getId() +"' moved to group '" + group.getId() + "' set to be default");
+ }
+ // update the status of both the original group and the new one
+ ((StdPDPGroup)originalGroup).resetStatus();
+ ((StdPDPGroup)group).resetStatus();
+ // Notify the Admin Consoles that something changed
+ // For now the AC cannot handle anything more detailed than the whole set of PDPGroups, so just notify on that
+ loggingContext.metricStarted();
+ notifyAC();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doACPost notifyAC");
+ // Need to notify the PDP that it's config may have changed
+ pdpChanged(pdp, loggingContext);
+ loggingContext.metricStarted();
+ doACPostTransaction.commitTransaction();
+ loggingContext.metricEnded();
+ PolicyLogger.metrics("XACMLPapServlet doACPost commitTransaction");
+ loggingContext.transactionEnded();
+ auditLogger.info("Success");
+ PolicyLogger.audit("Transaction Ended Successfully");
+ return;
+ }
+ } catch (PAPException e) {
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " AC POST exception");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+ return;
+ }
+ }
+
+ /**
+ * Requests from the Admin Console to GET info about the Groups and PDPs
+ *
+ * @param request
+ * @param response
+ * @param groupId
+ * @param loggingContext
+ * @throws ServletException
+ * @throws IOException
+ */
+ private void doACGet(HttpServletRequest request, HttpServletResponse response, String groupId, ONAPLoggingContext loggingContext) throws IOException {
+ try {
+ String parameterDefault = request.getParameter("default");
+ String pdpId = request.getParameter("pdpId");
+ String pdpGroup = request.getParameter("getPDPGroup");
+ if ("".equals(groupId)) {
+ // request IS from AC but does not identify a group by name
+ if (parameterDefault != null) {
+ // Request is for the Default group (whatever its id)
+ loggingContext.setServiceName("AC:PAP.getDefaultGroup");
+ OnapPDPGroup group = papEngine.getDefaultGroup();
+ // convert response object to JSON and include in the response
+ mapperWriteValue(new ObjectMapper(), response, group);
+ if (LOGGER.isDebugEnabled()) {
+ LOGGER.debug("GET Default group req from '" + request.getRequestURL() + "'");
+ }
+ response.setStatus(HttpServletResponse.SC_OK);
+ response.setHeader("content-type", "application/json");
+ try{