From 0d804ff31a3649105c632500b634927a65683d80 Mon Sep 17 00:00:00 2001 From: Murali Parthasarathy K Date: Tue, 25 Mar 2025 07:49:09 +0100 Subject: [PATCH] Update CSIT with opa-pdp for testcases, Cleanup,Added predeployment Issue-ID: POLICY-5225 Change-Id: I54459edce6ed9a2da491e2041901b8cec194c4f5 
Signed-off-by: Murali Parthasarathy K --- compose/compose.yaml | 1 + compose/config/api/apiParameters.yaml | 1 + compose/config/api/groups.json | 24 ++++++ compose/config/opa-pdp/data/abac/data.json | 94 ---------------------- compose/config/opa-pdp/data/account/data.json | 16 ---- compose/config/opa-pdp/data/action/data.json | 43 ---------- compose/config/opa-pdp/data/blacklist/data.json | 6 ++ .../config/opa-pdp/data/cell/consistency/data.json | 5 ++ compose/config/opa-pdp/data/monitor/data.json | 13 +++ compose/config/opa-pdp/data/organization/data.json | 32 -------- compose/config/opa-pdp/groups.json | 24 ------ compose/config/opa-pdp/policies/abac/policy.rego | 20 ----- .../{example => access_method}/policy.rego | 2 +- .../config/opa-pdp/policies/account/policy.rego | 17 ---- compose/config/opa-pdp/policies/action/policy.rego | 21 ----- .../config/opa-pdp/policies/blacklist/policy.rego | 18 +++++ .../opa-pdp/policies/cell/consistency/policy.rego | 17 ++++ .../policies/cell/consistency/topology/policy.rego | 6 ++ .../config/opa-pdp/policies/data/abac/data.json | 94 ---------------------- .../config/opa-pdp/policies/data/account/data.json | 16 ---- .../config/opa-pdp/policies/data/action/data.json | 43 ---------- .../opa-pdp/policies/data/organization/data.json | 32 -------- .../config/opa-pdp/policies/data/role/data.json | 63 --------------- .../config/opa-pdp/policies/monitor/policy.rego | 39 +++++++++ .../opa-pdp/policies/organization/policy.rego | 38 --------- compose/config/pap/groups.json | 24 ++++++ compose/get-versions.sh | 3 +- csit/resources/tests/api-test.robot | 2 +- csit/resources/tests/common-library.robot | 5 +- .../tests/data/onap.policy.opa.pdp.data-empty.json | 9 +++ ...a.pdp.decision.zone-incorrect-policyfilter.json | 20 +++-- ...opa.pdp.decision.zone-incorrect-policyname.json | 20 +++-- ...a.pdp.decision.abac-incorrect-policyfilter.json | 21 ++++- ...opa.pdp.decision.abac-incorrect-policyname.json | 21 ++++- 
....policy.opa.pdp.decision.abac-pemit-policy.json | 39 ++++++--- ...pdp.decision.vehicle-incorect-policyfilter.json | 20 +++-- ...a.pdp.decision.vehicle-incorect-policyname.json | 20 +++-- ...licy.policy.opa.pdp.decision.vehicle_input.json | 19 ++++- ....policy.opa.pdp.decision.zone-policy-input.json | 19 ++++- csit/resources/tests/pap-test.robot | 14 ++-- csit/run-project-csit.sh | 2 + 41 files changed, 330 insertions(+), 613 deletions(-) delete mode 100644 compose/config/opa-pdp/data/abac/data.json delete mode 100644 compose/config/opa-pdp/data/account/data.json delete mode 100644 compose/config/opa-pdp/data/action/data.json create mode 100644 compose/config/opa-pdp/data/blacklist/data.json create mode 100644 compose/config/opa-pdp/data/cell/consistency/data.json create mode 100644 compose/config/opa-pdp/data/monitor/data.json delete mode 100644 compose/config/opa-pdp/data/organization/data.json delete mode 100644 compose/config/opa-pdp/groups.json delete mode 100644 compose/config/opa-pdp/policies/abac/policy.rego rename compose/config/opa-pdp/policies/{example => access_method}/policy.rego (89%) delete mode 100644 compose/config/opa-pdp/policies/account/policy.rego delete mode 100644 compose/config/opa-pdp/policies/action/policy.rego create mode 100644 compose/config/opa-pdp/policies/blacklist/policy.rego create mode 100644 compose/config/opa-pdp/policies/cell/consistency/policy.rego create mode 100644 compose/config/opa-pdp/policies/cell/consistency/topology/policy.rego delete mode 100644 compose/config/opa-pdp/policies/data/abac/data.json delete mode 100644 compose/config/opa-pdp/policies/data/account/data.json delete mode 100644 compose/config/opa-pdp/policies/data/action/data.json delete mode 100644 compose/config/opa-pdp/policies/data/organization/data.json delete mode 100644 compose/config/opa-pdp/policies/data/role/data.json create mode 100644 compose/config/opa-pdp/policies/monitor/policy.rego delete mode 100644 
compose/config/opa-pdp/policies/organization/policy.rego diff --git a/compose/compose.yaml b/compose/compose.yaml index 9059e63a..c7a2e79f 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -77,6 +77,7 @@ services: - simulator - kafka - pap + - opa-pdp ports: - ${APEX_PORT}:6969 - ${APEX_EVENTS_PORT}:23324 diff --git a/compose/config/api/apiParameters.yaml b/compose/config/api/apiParameters.yaml index 6d92a29f..4b0b20f7 100644 --- a/compose/config/api/apiParameters.yaml +++ b/compose/config/api/apiParameters.yaml @@ -71,6 +71,7 @@ policy-preload: - policytypes/onap.policies.controlloop.operational.common.Drools.yaml - policytypes/onap.policies.native.opa.yaml policies: + - policies/opa.policy.slice.capacity.check.tosca.yaml - policies/sdnc.policy.naming.input.tosca.yaml management: diff --git a/compose/config/api/groups.json b/compose/config/api/groups.json index 6ee30e1c..5bbc0a70 100644 --- a/compose/config/api/groups.json +++ b/compose/config/api/groups.json @@ -130,8 +130,32 @@ "currentInstanceCount": 0, "desiredInstanceCount": 1, "policies": [] + }, + { + "name": "opaGroup", + "pdpGroupState": "ACTIVE", + "properties": {}, + "pdpSubgroups": [ + { + "pdpType": "opa", + "desiredInstanceCount": 1, + "properties": {}, + "supportedPolicyTypes": [ + { + "name": "onap.policies.native.opa", + "version": "1.0.0" + } + ], + "policies": [ + { + "name": "slice.capacity.check", + "version": "1.0.0" + } + ] } ] } + ] + } ] } diff --git a/compose/config/opa-pdp/data/abac/data.json b/compose/config/opa-pdp/data/abac/data.json deleted file mode 100644 index 77b5668e..00000000 --- a/compose/config/opa-pdp/data/abac/data.json +++ /dev/null 
@@ -1,94 +0,0 @@ -{ - "sensor_data": [ - { - "id": "0001", - "location": "Sri Lanka", - "temperature": "28 C", - "precipitation": "1000 mm", - "windspeed": "5.5 m/s", - "humidity": "40%", - "particle_density": "1.3 g/l", - "timestamp": "2024-02-26" - }, - { - "id": "0002", - "location": "Colombo", - "temperature": "30 C", - "precipitation": "1200 mm", - "windspeed": "6.0 m/s", - "humidity": "45%", - "particle_density": "1.5 g/l", - "timestamp": "2024-02-26" - }, - { - "id": "0003", - "location": "Kandy", - "temperature": "25 C", - "precipitation": "800 mm", - "windspeed": "4.5 m/s", - "humidity": "60%", - "particle_density": "1.1 g/l", - "timestamp": "2024-02-26" - }, - { - "id": "0004", - "location": "Galle", - "temperature": "35 C", - "precipitation": "500 mm", - "windspeed": "7.2 m/s", - "humidity": "30%", - "particle_density": "1.8 g/l", - "timestamp": "2024-02-27" - }, - { - "id": "0005", - "location": "Jaffna", - "temperature": "-5 C", - "precipitation": "300 mm", - "windspeed": "3.8 m/s", - "humidity": "20%", - "particle_density": "0.9 g/l", - "timestamp": "2024-02-27" - }, - { - "id": "0006", - "location": "Trincomalee", - "temperature": "20 C", - "precipitation": "1000 mm", - "windspeed": "5.0 m/s", - "humidity": "55%", - "particle_density": "1.2 g/l", - "timestamp": "2024-02-28" - }, - { - "id": "0007", - "location": "Nuwara Eliya", - "temperature": "25 C", - "precipitation": "600 mm", - "windspeed": "4.0 m/s", - "humidity": "50%", - "particle_density": "1.3 g/l", - "timestamp": "2024-02-28" - }, - { - "id": "0008", - "location": "Anuradhapura", - "temperature": "28 C", - "precipitation": "700 mm", - "windspeed": "5.8 m/s", - "humidity": "40%", - "particle_density": "1.4 g/l", - "timestamp": "2024-02-29" - }, - { - "id": "0009", - "location": "Matara", - "temperature": "32 C", - "precipitation": "900 mm", - "windspeed": "6.5 m/s", - "humidity": "65%", - "particle_density": "1.6 g/l", - "timestamp": "2024-02-29" - } - ] -} 
diff --git a/compose/config/opa-pdp/data/account/data.json b/compose/config/opa-pdp/data/account/data.json deleted file mode 100644 index df263d36..00000000 --- a/compose/config/opa-pdp/data/account/data.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "account_attributes":{ - "11111":{ - "owner":"alice", - "amount":10000 - }, - "22222":{ - "owner":"bob", - "amount":10000 - }, - "33333":{ - "owner":"cam", - "amount":10000 - } - } -} diff --git a/compose/config/opa-pdp/data/action/data.json b/compose/config/opa-pdp/data/action/data.json deleted file mode 100644 index 99145b74..00000000 --- a/compose/config/opa-pdp/data/action/data.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "user_roles": { - "alice": [ - "admin" - ], - "bob": [ - "editor" - ], - "charlie": [ - "viewer" - ] - }, - "role_permissions": { - "admin": { - "actions": [ - "read", - "write", - "delete" - ], - "resources": [ - "server", - "database" - ] - }, - "editor": { - "actions": [ - "read", - "write" - ], - "resources": [ - "server" - ] - }, - "viewer": { - "actions": [ - "read" - ], - "resources": [ - "server" - ] - } - } -} diff --git a/compose/config/opa-pdp/data/blacklist/data.json b/compose/config/opa-pdp/data/blacklist/data.json new file mode 100644 index 00000000..9fd6233f --- /dev/null +++ b/compose/config/opa-pdp/data/blacklist/data.json @@ -0,0 +1,6 @@ +{ + "blacklist" : [ + "the-vfmodule-where-root-is-true", + "another-vfmodule-where-root-is-true" +] +} diff --git a/compose/config/opa-pdp/data/cell/consistency/data.json b/compose/config/opa-pdp/data/cell/consistency/data.json new file mode 100644 index 00000000..1f823a10 --- /dev/null +++ b/compose/config/opa-pdp/data/cell/consistency/data.json @@ -0,0 +1,5 @@ +{ + "allowedCellId" : 445611193265040129, + "minPCI": 1, + "maxPCI": 3000 +} diff --git a/compose/config/opa-pdp/data/monitor/data.json b/compose/config/opa-pdp/data/monitor/data.json new file mode 100644 index 00000000..f28f73cd --- /dev/null +++ b/compose/config/opa-pdp/data/monitor/data.json 
@@ -0,0 +1,13 @@ +{ "domain": "measurementsForVfScaling", + "metricsPerEventName": [{ + "eventName": "Measurement_vGMUX", + "controlLoopSchemaType": "VNF", + "policyScope": "DCAE", + "policyName": "DCAE.Config_tca-hi-lo", + "policyVersion": "v0.0.1", + "thresholds" : [{"version": "1.0.2", + "closedLoopControlName": "ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e", + "thresholdValue": 0 + }] +}] +} diff --git a/compose/config/opa-pdp/data/organization/data.json b/compose/config/opa-pdp/data/organization/data.json deleted file mode 100644 index 35fe4a14..00000000 --- a/compose/config/opa-pdp/data/organization/data.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "acls": [ - { - "user": "alice", - "actions": [ - "edit", - "read" - ], - "component": "component_A", - "project": "project_A", - "organization": "org_A" - }, - { - "user": "bob", - "actions": ["read"], - "organization": "org_A" - }, - { - "user": "bob", - "action": ["edit"], - "component": "component_A", - "project": "project_B", - "organization": "org_A" - }, - { - "user": "charlie", - "action": ["read"], - "project": "project_B", - "organization": "org_A" - } - ] -} diff --git a/compose/config/opa-pdp/groups.json b/compose/config/opa-pdp/groups.json deleted file mode 100644 index ef4ee5f4..00000000 --- a/compose/config/opa-pdp/groups.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "groups": [ - { - "name": "opaGroup", - "version": "1.0.0", - "description": "The default group that registers all supported policy types and pdps.", - "pdpGroupState": "ACTIVE", - "pdpSubgroups": [ - { - "pdpType": "opa", - "desiredInstanceCount": 1, - "properties": {}, - "supportedPolicyTypes": [ - { - "name": "onap.policies.native.opa", - "version": "1.0.0" - } - ], - "policies": [] - } - ] - } - ] -} diff --git a/compose/config/opa-pdp/policies/abac/policy.rego b/compose/config/opa-pdp/policies/abac/policy.rego deleted file mode 100644 index 9dc6ea9b..00000000 --- a/compose/config/opa-pdp/policies/abac/policy.rego +++ /dev/null 
@@ -1,20 +0,0 @@ -package abac - -import rego.v1 - -default allow := false - -allow if { - viewable_sensor_data - action_is_read -} - -action_is_read if "read" in input.actions - -viewable_sensor_data contains view_data if { - some sensor_data in data.abac.sensor_data - sensor_data.timestamp >= input.time_period.from - sensor_data.timestamp < input.time_period.to - - view_data := {datatype: sensor_data[datatype] | datatype in input.datatypes} -} diff --git a/compose/config/opa-pdp/policies/example/policy.rego b/compose/config/opa-pdp/policies/access_method/policy.rego similarity index 89% rename from compose/config/opa-pdp/policies/example/policy.rego rename to compose/config/opa-pdp/policies/access_method/policy.rego index cc192851..618aacca 100644 --- a/compose/config/opa-pdp/policies/example/policy.rego +++ b/compose/config/opa-pdp/policies/access_method/policy.rego @@ -1,4 +1,4 @@ -package example +package access_method import rego.v1 diff --git a/compose/config/opa-pdp/policies/account/policy.rego b/compose/config/opa-pdp/policies/account/policy.rego deleted file mode 100644 index f99e8eb0..00000000 --- a/compose/config/opa-pdp/policies/account/policy.rego +++ /dev/null @@ -1,17 +0,0 @@ -package account - -import rego.v1 - -default allow := false - -allow if { - creditor_is_valid - debtor_is_valid - period_is_valid - amount_is_valid -} -creditor_is_valid if data.account.account_attributes[input.creditor_account].owner == input.creditor -debtor_is_valid if data.account.account_attributes[input.debtor_account].owner == input.debtor - -period_is_valid if input.period <= 30 -amount_is_valid if data.account.account_attributes[input.debtor_account].amount >= input.amount diff --git a/compose/config/opa-pdp/policies/action/policy.rego b/compose/config/opa-pdp/policies/action/policy.rego deleted file mode 100644 index 300fe501..00000000 --- a/compose/config/opa-pdp/policies/action/policy.rego +++ /dev/null 
@@ -1,21 +0,0 @@
-package action
-
-import rego.v1
-
-# By default, deny requests.
-default allow := false
-
-
-# Allow the action if admin role is granted permission to perform the action.
-allow if {
- some i
- data.action.user_roles[input.user][i] == role
- some j
- data.action.role_permissions[role].actions[j] == input.action
- some k
- data.action.role_permissions[role].resources[k] == input.type
-}
-# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
-# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
-
-
diff --git a/compose/config/opa-pdp/policies/blacklist/policy.rego b/compose/config/opa-pdp/policies/blacklist/policy.rego
new file mode 100644
index 00000000..b2855933
--- /dev/null
+++ b/compose/config/opa-pdp/policies/blacklist/policy.rego
@@ -0,0 +1,18 @@
+package blacklist
+import future.keywords.in
+import rego.v1
+
+# Define a rule to check if the operation should be allowed
+module_allow[module] := false if {
+ some module in input.vfmodule
+ not validate(module)
+}
+
+module_allow[module] := true if{
+ some module in input.vfmodule
+ validate(module)
+}
+
+validate(module) if {
+ module in data.node.blacklist.blacklist
+}
diff --git a/compose/config/opa-pdp/policies/cell/consistency/policy.rego b/compose/config/opa-pdp/policies/cell/consistency/policy.rego
new file mode 100644
index 00000000..6137df70
--- /dev/null
+++ b/compose/config/opa-pdp/policies/cell/consistency/policy.rego
@@ -0,0 +1,17 @@
+package cell.consistency
+import rego.v1
+default allow = false
+# Rule to check cell consistency
+check_cell_consistency if {
+ input.cell != data.node.cell.consistency.allowedCellId
+}
+# Rule to allow if PCI is within range 1-3000
+allow_if_pci_in_range if {
+ input.PCI >= data.node.cellconsistency.minPCI
+ input.PCI <= data.node.cellconsistency.maxPCI
+}
+# Main rule to determine the final decision
+allow if{
+ check_cell_consistency
+ allow_if_pci_in_range
+}
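Review bot: In blacklist/policy.rego the decision looks inverted: `module_allow[module] := true` fires when `validate(module)` holds, that is when the module is listed in `data.node.blacklist.blacklist`, and every unlisted module gets `false`. If the list is meant to deny, the two values should be swapped; if a listed module really is the permitted case, rename `validate` to something like `is_listed` and replace the header comment with one that says so, for example `# A vfmodule is allowed only when it appears in data.node.blacklist.blacklist`. The file also imports both `future.keywords.in` and `rego.v1`; `rego.v1` already provides `in`, and some OPA releases reject the combination as mutually exclusive, so `import future.keywords.in` should be dropped.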
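Review bot: In cell/consistency/policy.rego `allow_if_pci_in_range` reads `data.node.cellconsistency.minPCI` and `data.node.cellconsistency.maxPCI`, while `check_cell_consistency` and the data file added in this commit (data/cell/consistency/data.json) use the path `cell.consistency`. If the data is loaded under `data.node.cell.consistency`, the range rule is always undefined and `allow` never leaves its default `false`; the two lines should read `input.PCI >= data.node.cell.consistency.minPCI` and `input.PCI <= data.node.cell.consistency.maxPCI`. Separately, `check_cell_consistency` succeeds when `input.cell != data.node.cell.consistency.allowedCellId`, which reads as the opposite of what the name `allowedCellId` suggests. The same comparison is repeated in cell/consistency/topology/policy.rego, so either change both to `==` or add a comment explaining why a differing cell id is the passing case.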
diff --git a/compose/config/opa-pdp/policies/cell/consistency/topology/policy.rego b/compose/config/opa-pdp/policies/cell/consistency/topology/policy.rego
new file mode 100644
index 00000000..dccfac6b
--- /dev/null
+++ b/compose/config/opa-pdp/policies/cell/consistency/topology/policy.rego
@@ -0,0 +1,6 @@
+package cell.consistency.topology
+import rego.v1
+# Rule to check cell consistency
+check_cell_consistency if {
+ input.cell != data.node.cell.consistency.allowedCellId
+}
diff --git a/compose/config/opa-pdp/policies/data/abac/data.json b/compose/config/opa-pdp/policies/data/abac/data.json
deleted file mode 100644
index 77b5668e..00000000
--- a/compose/config/opa-pdp/policies/data/abac/data.json
+++ /dev/null
@@ -1,94 +0,0 @@ -{ - "sensor_data": [ - { - "id": "0001", - "location": "Sri Lanka", - "temperature": "28 C", - "precipitation": "1000 mm", - "windspeed": "5.5 m/s", - "humidity": "40%", - "particle_density": "1.3 g/l", - "timestamp": "2024-02-26" - }, - { - "id": "0002", - "location": "Colombo", - "temperature": "30 C", - "precipitation": "1200 mm", - "windspeed": "6.0 m/s", - "humidity": "45%", - "particle_density": "1.5 g/l", - "timestamp": "2024-02-26" - }, - { - "id": "0003", - "location": "Kandy", - "temperature": "25 C", - "precipitation": "800 mm", - "windspeed": "4.5 m/s", - "humidity": "60%", - "particle_density": "1.1 g/l", - "timestamp": "2024-02-26" - }, - { - "id": "0004", - "location": "Galle", - "temperature": "35 C", - "precipitation": "500 mm", - "windspeed": "7.2 m/s", - "humidity": "30%", - "particle_density": "1.8 g/l", - "timestamp": "2024-02-27" - }, - { - "id": "0005", - "location": "Jaffna", - "temperature": "-5 C", - "precipitation": "300 mm", - "windspeed": "3.8 m/s", - "humidity": "20%", - "particle_density": "0.9 g/l", - "timestamp": "2024-02-27" - }, - { - "id": "0006", - "location": "Trincomalee", - "temperature": "20 C", - "precipitation": "1000 mm", - "windspeed": "5.0 m/s", - "humidity": "55%", - "particle_density": "1.2 g/l", - "timestamp": "2024-02-28" - }, - { - "id": "0007", - "location": "Nuwara Eliya", - "temperature": "25 C", - "precipitation": "600 mm", - "windspeed": "4.0 m/s", - "humidity": "50%", - "particle_density": "1.3 g/l", - "timestamp": "2024-02-28" - }, - { - "id": "0008", - "location": "Anuradhapura", - "temperature": "28 C", - "precipitation": "700 mm", - "windspeed": "5.8 m/s", - "humidity": "40%", - "particle_density": "1.4 g/l", - "timestamp": "2024-02-29" - }, - { - "id": "0009", - "location": "Matara", - "temperature": "32 C", - "precipitation": "900 mm", - "windspeed": "6.5 m/s", - "humidity": "65%", - "particle_density": "1.6 g/l", - "timestamp": "2024-02-29" - } - ] -} 
diff --git a/compose/config/opa-pdp/policies/data/account/data.json b/compose/config/opa-pdp/policies/data/account/data.json deleted file mode 100644 index df263d36..00000000 --- a/compose/config/opa-pdp/policies/data/account/data.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "account_attributes":{ - "11111":{ - "owner":"alice", - "amount":10000 - }, - "22222":{ - "owner":"bob", - "amount":10000 - }, - "33333":{ - "owner":"cam", - "amount":10000 - } - } -} diff --git a/compose/config/opa-pdp/policies/data/action/data.json b/compose/config/opa-pdp/policies/data/action/data.json deleted file mode 100644 index 99145b74..00000000 --- a/compose/config/opa-pdp/policies/data/action/data.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "user_roles": { - "alice": [ - "admin" - ], - "bob": [ - "editor" - ], - "charlie": [ - "viewer" - ] - }, - "role_permissions": { - "admin": { - "actions": [ - "read", - "write", - "delete" - ], - "resources": [ - "server", - "database" - ] - }, - "editor": { - "actions": [ - "read", - "write" - ], - "resources": [ - "server" - ] - }, - "viewer": { - "actions": [ - "read" - ], - "resources": [ - "server" - ] - } - } -} diff --git a/compose/config/opa-pdp/policies/data/organization/data.json b/compose/config/opa-pdp/policies/data/organization/data.json deleted file mode 100644 index 35fe4a14..00000000 --- a/compose/config/opa-pdp/policies/data/organization/data.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "acls": [ - { - "user": "alice", - "actions": [ - "edit", - "read" - ], - "component": "component_A", - "project": "project_A", - "organization": "org_A" - }, - { - "user": "bob", - "actions": ["read"], - "organization": "org_A" - }, - { - "user": "bob", - "action": ["edit"], - "component": "component_A", - "project": "project_B", - "organization": "org_A" - }, - { - "user": "charlie", - "action": ["read"], - "project": "project_B", - "organization": "org_A" - } - ] -} 
diff --git a/compose/config/opa-pdp/policies/data/role/data.json b/compose/config/opa-pdp/policies/data/role/data.json deleted file mode 100644 index 88ac41b8..00000000 --- a/compose/config/opa-pdp/policies/data/role/data.json +++ /dev/null @@ -1,63 +0,0 @@ -{ - "user_roles": { - "alice": [ - "admin" - ], - "bob": [ - "employee", - "billing" - ], - "eve": [ - "customer" - ] - }, - "role_grants": { - "customer": [ - { - "action": "read", - "type": "dog" - }, - { - "action": "read", - "type": "cat" - }, - { - "action": "adopt", - "type": "dog" - }, - { - "action": "adopt", - "type": "cat" - } - ], - "employee": [ - { - "action": "read", - "type": "dog" - }, - { - "action": "read", - "type": "cat" - }, - { - "action": "update", - "type": "dog" - }, - { - "action": "update", - "type": "cat" - } - ], - "billing": [ - { - "action": "read", - "type": "finance" - }, - { - "action": "update", - "type": "finance" - } - ] - } -} - diff --git a/compose/config/opa-pdp/policies/monitor/policy.rego b/compose/config/opa-pdp/policies/monitor/policy.rego new file mode 100644 index 00000000..b3d9aaa4 --- /dev/null +++ b/compose/config/opa-pdp/policies/monitor/policy.rego 
@@ -0,0 +1,39 @@
+package monitor
+
+# Policy allows if a matching threshold is met
+result contains output if {
+ input.domain = data.node.monitor.domain
+ some events in data.node.monitor.metricsPerEventName
+ events.eventName == input.eventName
+ events.controlLoopSchemaType == input.controlLoopSchemaType
+ events.policyScope == input.policyScope
+ events.policyName == input.policyName
+ events.policyVersion == input.policyVersion
+ some value in events.thresholds
+ input.controlname == value.closedLoopControlName
+ input.version == value.version
+ input.thresholdValue == value.thresholdValue
+ output := {
+ "severity" : "MAJOR",
+ "closedLoopEventStatus" : "ABATED"
+ }
+}
+
+# Policy allows if a matching threshold is met
+result contains output if {
+ input.domain = data.node.monitor.domain
+ some events in data.node.monitor.metricsPerEventName
+ events.eventName == input.eventName
+ events.controlLoopSchemaType == input.controlLoopSchemaType
+ events.policyScope == input.policyScope
+ events.policyName == input.policyName
+ events.policyVersion == input.policyVersion
+ some value in events.thresholds
+ input.controlname == value.closedLoopControlName
+ input.version == value.version
+ input.thresholdValue > value.thresholdValue
+ output := {
+ "severity" : "CRITICAL",
+ "closedLoopEventStatus" : "ONSET"
+ }
+}
diff --git a/compose/config/opa-pdp/policies/organization/policy.rego b/compose/config/opa-pdp/policies/organization/policy.rego
deleted file mode 100644
index 31e7fb66..00000000
--- a/compose/config/opa-pdp/policies/organization/policy.rego
+++ /dev/null
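Review bot: monitor/policy.rego uses the `contains`, `if` and `some ... in` keywords without `import rego.v1`, unlike the other policies added in this commit. An OPA runtime that still defaults to v0 syntax would fail to parse the file, so `import rego.v1` should follow the package line. The first condition, `input.domain = data.node.monitor.domain`, uses the unification operator where every other condition uses `==`; writing `input.domain == data.node.monitor.domain` states the comparison plainly. Both rules carry the identical comment "Policy allows if a matching threshold is met" although they differ only in the threshold test (`==` yields MAJOR/ABATED, `>` yields CRITICAL/ONSET), so each comment should name its case. No rule covers a value below the threshold, which leaves `result` empty there; a comment should say whether that is intended.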
@@ -1,38 +0,0 @@ -package organization - -import rego.v1 - -default allow := false - -# organization level access -allow if { - some acl in data.organization.acls - acl.user == input.user - acl.organization == input.organization - acl.project == input.project - acl.component == input.component - - some action in acl.actions - action == input.action -} - -# project level access -allow if { - some acl in data.organization.acls - acl.user == input.user - acl.organization == input.organization - acl.project == input.project - - some action in acl.actions - action == input.action -} - -# component level access -allow if { - some acl in data.organization.acls - acl.user == input.user - acl.organization == input.organization - - some action in acl.actions - action == input.action -} diff --git a/compose/config/pap/groups.json b/compose/config/pap/groups.json index bd5c2868..e9a9e9a1 100644 --- a/compose/config/pap/groups.json +++ b/compose/config/pap/groups.json @@ -23,6 +23,30 @@ "policies": [] } ] + }, + { + "name": "opaGroup", + "pdpGroupState": "ACTIVE", + "properties": {}, + "pdpSubgroups": [ + { + "pdpType": "opa", + "desiredInstanceCount": 1, + "properties": {}, + "supportedPolicyTypes": [ + { + "name": "onap.policies.native.opa", + "version": "1.0.0" + } + ], + "policies": [ + { + "name": "slice.capacity.check", + "version": "1.0.0" + } + ] + } + ] } ] } diff --git a/compose/get-versions.sh b/compose/get-versions.sh index 2de4e7f0..cb8b83a9 100755 --- a/compose/get-versions.sh +++ b/compose/get-versions.sh @@ -142,7 +142,8 @@ else getDockerVersion xacml-pdp export POLICY_XACML_PDP_VERSION="$docker_image_version" - export POLICY_OPA_PDP_VERSION="1.0.2-SNAPSHOT" + getDockerVersion opa-pdp + export POLICY_OPA_PDP_VERSION="$docker_image_version" getDockerVersion distribution export POLICY_DISTRIBUTION_VERSION="$docker_image_version" diff --git a/csit/resources/tests/api-test.robot b/csit/resources/tests/api-test.robot index e1b8fd47..a6130db4 100644 
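Review bot: In compose/get-versions.sh the new `getDockerVersion opa-pdp` call is followed directly by `export POLICY_OPA_PDP_VERSION="$docker_image_version"`, with no check that the lookup produced a value. `getDockerVersion` is defined outside this hunk, but `docker_image_version` is a shared variable that the preceding xacml-pdp call has already set. If the opa-pdp lookup fails without resetting it, the compose run would presumably start opa-pdp with the xacml-pdp tag or an empty one. Clearing the variable before the call and failing on an empty result would make that visible, for example `docker_image_version=""` before the call and `: "${docker_image_version:?opa-pdp version not resolved}"` after it. The other components in this else branch, which continues outside the hunk, follow the same pattern.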
--- a/csit/resources/tests/api-test.robot +++ b/csit/resources/tests/api-test.robot @@ -60,7 +60,7 @@ RetrievePoliciesOfType RetrieveAllPolicies [Documentation] Retrieve all policies - FetchPolicies /policy/api/v1/policies 3 + FetchPolicies /policy/api/v1/policies 4 RetrieveSpecificPolicy [Documentation] Retrieve a policy named 'onap.restart.tca' and version '1.0.0' using generic api diff --git a/csit/resources/tests/common-library.robot b/csit/resources/tests/common-library.robot index 89a9c726..12939a73 100644 --- a/csit/resources/tests/common-library.robot +++ b/csit/resources/tests/common-library.robot @@ -102,7 +102,7 @@ CreateNodeTemplate QueryPdpGroups [Documentation] Verify pdp group query - suphosts upto 2 groups - [Arguments] ${groupsLength} ${group1Name} ${group1State} ${policiesLengthInGroup1} ${group2Name} ${group2State} ${policiesLengthInGroup2} + [Arguments] ${groupsLength} ${group1Name} ${group1State} ${policiesLengthInGroup1} ${group2Name} ${group2State} ${policiesLengthInGroup2} ${group3Name} ${group3State} ${policiesLengthInGroup3} ${policyadmin}= PolicyAdminAuth ${resp}= PerformGetRequest ${POLICY_PAP_IP} /policy/pap/v1/pdps 200 null ${policyadmin} Length Should Be ${resp.json()['groups']} ${groupsLength} 
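Review bot: The `[Documentation]` line of QueryPdpGroups in common-library.robot still says "suphosts upto 2 groups" although the keyword now accepts a third group; it should read `[Documentation]    Verify pdp group query - supports up to 3 groups`. The three new arguments are mandatory, so every caller must pass ten values even when `${groupsLength}` is 1 or 2. Giving them defaults, e.g. `${group3Name}=${EMPTY}    ${group3State}=${EMPTY}    ${policiesLengthInGroup3}=0`, would keep two-group callers working unchanged. The keyword body continues in the next hunk.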
@@ -112,6 +112,9 @@ QueryPdpGroups Run Keyword If ${groupsLength}>1 Should Be Equal As Strings ${resp.json()['groups'][1]['name']} ${group2Name} Run Keyword If ${groupsLength}>1 Should Be Equal As Strings ${resp.json()['groups'][1]['pdpGroupState']} ${group2State} Run Keyword If ${groupsLength}>1 Length Should Be ${resp.json()['groups'][1]['pdpSubgroups'][0]['policies']} ${policiesLengthInGroup2} + Run Keyword If ${groupsLength}>2 Should Be Equal As Strings ${resp.json()['groups'][2]['name']} ${group3Name} + Run Keyword If ${groupsLength}>2 Should Be Equal As Strings ${resp.json()['groups'][2]['pdpGroupState']} ${group3State} + Run Keyword If ${groupsLength}>2 Length Should Be ${resp.json()['groups'][2]['pdpSubgroups'][0]['policies']} ${policiesLengthInGroup3} QueryPolicyAudit [Arguments] ${url} ${expectedstatus} ${pdpGroup} ${pdpType} ${policyName} ${expectedAction} diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.data-empty.json b/csit/resources/tests/data/onap.policy.opa.pdp.data-empty.json index 432476a7..cd74b413 100644 --- a/csit/resources/tests/data/onap.policy.opa.pdp.data-empty.json +++ b/csit/resources/tests/data/onap.policy.opa.pdp.data-empty.json @@ -1,5 +1,14 @@ { "data": { + "node": { + "slice": { + "capacity": { + "check": { + "threshold": 70 + } + } + } + }, "system": { "version": { "build_commit": "", diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.zone-incorrect-policyfilter.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.zone-incorrect-policyfilter.json index 1c7f8b8f..ab124b67 100644 --- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.zone-incorrect-policyfilter.json +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.zone-incorrect-policyfilter.json 
@@ -2,13 +2,24 @@ "onapName": "CDS", "onapComponent": "CDS", "onapInstance": "CDS", - "currentDate": "2024-11-22", + "currentDate": "2025-01-17", + "currentTime": "08:26:41.857Z", + "timeZone": "UTC", + "timeOffset": "+05:30", + "currentDateTime": "2025-01-17T08:26:41.857Z", "policyName": "zoneB", - "policyFilter": ["has_ze_access"], + "policyFilter": [ + "has_ze_access" + ], "input": { - "actions": ["view"], + "actions": [ + "view" + ], "log_id": "log1", - "datatypes": ["access", "user"], + "datatypes": [ + "access", + "user" + ], "time_period": { "from": "2024-11-01T09:00:00Z", "to": "2024-11-01T10:00:00Z" @@ -16,4 +27,3 @@ "zone_id": "zoneA" } } - diff --git a/csit/resources/tests/data/onap.policy.opa.pdp.decision.zone-incorrect-policyname.json b/csit/resources/tests/data/onap.policy.opa.pdp.decision.zone-incorrect-policyname.json index dfa088b4..199b10d8 100644 --- a/csit/resources/tests/data/onap.policy.opa.pdp.decision.zone-incorrect-policyname.json +++ b/csit/resources/tests/data/onap.policy.opa.pdp.decision.zone-incorrect-policyname.json @@ -2,13 +2,24 @@ "onapName": "CDS", "onapComponent": "CDS", "onapInstance": "CDS", - "currentDate": "2024-11-22", + "currentDate": "2025-01-17", + "currentTime": "08:26:41.857Z", + "timeZone": "UTC", + "timeOffset": "+05:30", + "currentDateTime": "2025-01-17T08:26:41.857Z", "policyName": "zoeB", - "policyFilter": ["has_zone_access"], + "policyFilter": [ + "has_zone_access" + ], "input": { - "actions": ["view"], + "actions": [ + "view" + ], "log_id": "log1", - "datatypes": ["access", "user"], + "datatypes": [ + "access", + "user" + ], "time_period": { "from": "2024-11-01T09:00:00Z", "to": "2024-11-01T10:00:00Z" @@ -16,4 +27,3 @@ "zone_id": "zoneA" } } - diff --git a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-incorrect-policyfilter.json b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-incorrect-policyfilter.json index 223dddbb..80b49f88 100644 
--- a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-incorrect-policyfilter.json +++ b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-incorrect-policyfilter.json @@ -2,12 +2,25 @@ "onapName": "CDS", "onapComponent": "CDS", "onapInstance": "CDS", - "currentDate": "2024-11-22", + "currentDate": "2025-01-17", + "currentTime": "08:26:41.857Z", + "timeZone": "UTC", + "timeOffset": "+05:30", + "currentDateTime": "2025-01-17T08:26:41.857Z", "policyName": "abac", - "policyFilter": ["viewable_sesor_data"], + "policyFilter": [ + "viewable_sesor_data" + ], "input": { - "actions": ["read"], - "datatypes": ["location", "temperature", "precipitation", "windspeed"], + "actions": [ + "read" + ], + "datatypes": [ + "location", + "temperature", + "precipitation", + "windspeed" + ], "time_period": { "from": "2024-02-27", "to": "2024-02-29" diff --git a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-incorrect-policyname.json b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-incorrect-policyname.json index a1628bb9..095f3d62 100644 --- a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-incorrect-policyname.json +++ b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-incorrect-policyname.json @@ -2,12 +2,25 @@ "onapName": "CDS", "onapComponent": "CDS", "onapInstance": "CDS", - "currentDate": "2024-11-22", + "currentDate": "2025-01-17", + "currentTime": "08:26:41.857Z", + "timeZone": "UTC", + "timeOffset": "+05:30", + "currentDateTime": "2025-01-17T08:26:41.857Z", "policyName": "abc", - "policyFilter": ["viewable_sensor_data"], + "policyFilter": [ + "viewable_sensor_data" + ], "input": { - "actions": ["read"], - "datatypes": ["location", "temperature", "precipitation", "windspeed"], + "actions": [ + "read" + ], + "datatypes": [ + "location", + "temperature", + "precipitation", + "windspeed" + ], "time_period": { "from": "2024-02-27", "to": "2024-02-29" 
diff --git a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-pemit-policy.json b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-pemit-policy.json index fadf05bb..9471eec5 100644 --- a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-pemit-policy.json +++ b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.abac-pemit-policy.json @@ -1,16 +1,29 @@ { - "onapName": "CDS", - "onapComponent": "CDS", - "onapInstance": "CDS", - "currentDate": "2024-11-22", - "policyName": "abac", - "policyFilter": ["viewable_sensor_data"], - "input": { - "actions": ["read"], - "datatypes": ["location", "temperature", "precipitation", "windspeed"], - "time_period": { - "from": "2024-02-27", - "to": "2024-02-29" - } + "onapName": "CDS", + "onapComponent": "CDS", + "onapInstance": "CDS", + "currentDate": "2025-01-17", + "currentTime": "08:26:41.857Z", + "timeZone": "UTC", + "timeOffset": "+05:30", + "currentDateTime": "2025-01-17T08:26:41.857Z", + "policyName": "abac", + "policyFilter": [ + "viewable_sensor_data" + ], + "input": { + "actions": [ + "read" + ], + "datatypes": [ + "location", + "temperature", + "precipitation", + "windspeed" + ], + "time_period": { + "from": "2024-02-27", + "to": "2024-02-29" } + } } diff --git a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle-incorect-policyfilter.json b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle-incorect-policyfilter.json index 290fd60d..a3efb3c3 100644 --- a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle-incorect-policyfilter.json +++ b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle-incorect-policyfilter.json 
@@ -2,14 +2,24 @@
 "onapName": "CDS",
 "onapComponent": "CDS",
 "onapInstance": "CDS",
- "currentDate": "2024-11-22",
+ "currentDate": "2025-01-17",
+ "currentTime": "08:26:41.857Z",
+ "timeZone": "UTC",
+ "timeOffset": "+05:30",
+ "currentDateTime": "2025-01-17T08:26:41.857Z",
 "policyName": "vehicle",
- "policyFilter": ["user_has_vecle_access"],
+ "policyFilter": [
+ "user_has_vecle_access"
+ ],
 "input": {
- "actions": ["use"],
+ "actions": [
+ "use"
+ ],
 "user": "user1",
 "vehicle_id": "v1",
- "attributes": ["type", "status"]
+ "attributes": [
+ "type",
+ "status"
+ ]
 }
 }
-
diff --git a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle-incorect-policyname.json b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle-incorect-policyname.json
index b5f50b64..aaa8f416 100644
--- a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle-incorect-policyname.json
+++ b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle-incorect-policyname.json
@@ -2,14 +2,24 @@
 "onapName": "CDS",
 "onapComponent": "CDS",
 "onapInstance": "CDS",
- "currentDate": "2024-11-22",
+ "currentDate": "2025-01-17",
+ "currentTime": "08:26:41.857Z",
+ "timeZone": "UTC",
+ "timeOffset": "+05:30",
+ "currentDateTime": "2025-01-17T08:26:41.857Z",
 "policyName": "vehile",
- "policyFilter": ["user_has_vehicle_access"],
+ "policyFilter": [
+ "user_has_vehicle_access"
+ ],
 "input": {
- "actions": ["use"],
+ "actions": [
+ "use"
+ ],
 "user": "user1",
 "vehicle_id": "v1",
- "attributes": ["type", "status"]
+ "attributes": [
+ "type",
+ "status"
+ ]
 }
 }
-
diff --git a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle_input.json b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle_input.json
index 4ea1638a..999a76e1 100644
--- a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle_input.json
+++ b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.vehicle_input.json
@@ -2,13 +2,24 @@
 "onapName": "CDS",
 "onapComponent": "CDS",
 "onapInstance": "CDS",
- "currentDate": "2024-11-22",
+ "currentDate": "2025-01-17",
+ "currentTime": "08:26:41.857Z",
+ "timeZone": "UTC",
+ "timeOffset": "+05:30",
+ "currentDateTime": "2025-01-17T08:26:41.857Z",
 "policyName": "vehicle",
- "policyFilter": ["user_has_vehicle_access"],
+ "policyFilter": [
+ "user_has_vehicle_access"
+ ],
 "input": {
- "actions": ["use"],
+ "actions": [
+ "use"
+ ],
 "user": "user1",
 "vehicle_id": "v1",
- "attributes": ["type", "status"]
+ "attributes": [
+ "type",
+ "status"
+ ]
 }
 }
diff --git a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.zone-policy-input.json b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.zone-policy-input.json
index 0dca9cdc..13618ed4 100644
--- a/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.zone-policy-input.json
+++ b/csit/resources/tests/data/onap.policy.policy.opa.pdp.decision.zone-policy-input.json
@@ -2,13 +2,24 @@
 "onapName": "CDS",
 "onapComponent": "CDS",
 "onapInstance": "CDS",
- "currentDate": "2024-11-22",
+ "currentDate": "2025-01-17",
+ "currentTime": "08:26:41.857Z",
+ "timeZone": "UTC",
+ "timeOffset": "+05:30",
+ "currentDateTime": "2025-01-17T08:26:41.857Z",
 "policyName": "zoneB",
- "policyFilter": ["has_zone_access"],
+ "policyFilter": [
+ "has_zone_access"
+ ],
 "input": {
- "actions": ["view"],
+ "actions": [
+ "view"
+ ],
 "log_id": "log1",
- "datatypes": ["access", "user"],
+ "datatypes": [
+ "access",
+ "user"
+ ],
 "time_period": {
 "from": "2024-11-01T09:00:00Z",
 "to": "2024-11-01T10:00:00Z"
diff --git a/csit/resources/tests/pap-test.robot b/csit/resources/tests/pap-test.robot
index e66820c7..7021a141 100644
--- a/csit/resources/tests/pap-test.robot
+++ b/csit/resources/tests/pap-test.robot
@@ -38,7 +38,7 @@ Healthcheck Consolidated Healthcheck [Documentation] Verify policy consolidated health check - sleep 20 + sleep 60 ${resp}= GetReq /policy/pap/v1/components/healthcheck Should Be Equal As Strings ${resp.json()['healthy']} True @@ -48,7 +48,7 @@ Metrics ${resp}= GetMetrics ${POLICY_PAP_IP} ${auth} /policy/pap/v1/ Should Contain ${resp.text} http_server_requests_seconds_count{error="none",exception="none",method="GET",outcome="SUCCESS",status="200",uri="/healthcheck"} Should Contain ${resp.text} http_server_requests_seconds_count{error="none",exception="none",method="GET",outcome="SUCCESS",status="200",uri="/components/healthcheck"} 1 - Should Contain ${resp.text} spring_data_repository_invocations_seconds_count{exception="None",method="save",repository="PdpGroupRepository",state="SUCCESS"} 1 + Should Contain ${resp.text} spring_data_repository_invocations_seconds_count{exception="None",method="save",repository="PdpGroupRepository",state="SUCCESS"} 2 Should Contain ${resp.text} spring_data_repository_invocations_seconds_count{exception="None",method="findByKeyName",repository="PdpGroupRepository",state="SUCCESS"} 1 Should Contain ${resp.text} spring_data_repository_invocations_seconds_count{exception="None",method="findAll",repository="PolicyStatusRepository",state="SUCCESS"} @@ -60,7 +60,7 @@ AddPdpGroup QueryPdpGroupsBeforeActivation [Documentation] Verify PdpGroups before activation - QueryPdpGroups 2 defaultGroup ACTIVE 0 testGroup PASSIVE 0 + QueryPdpGroups 3 defaultGroup ACTIVE 0 opaGroup ACTIVE 1 testGroup PASSIVE 0 ActivatePdpGroup [Documentation] Change the state of PdpGroup named 'testGroup' to ACTIVE @@ -69,7 +69,7 @@ ActivatePdpGroup QueryPdpGroupsAfterActivation [Documentation] Verify PdpGroups after activation - QueryPdpGroups 2 defaultGroup ACTIVE 0 testGroup ACTIVE 0 + QueryPdpGroups 3 defaultGroup ACTIVE 0 opaGroup ACTIVE 1 testGroup ACTIVE 0 DeployPdpGroups [Documentation] Deploy policies in PdpGroups 
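Review bot: Replacing `sleep 20` with `sleep 60` in Consolidated Healthcheck keeps the wait a guess: every run now pays the full minute, and a slower start still fails on the `healthy` assertion. Polling bounds the wait instead, for example by moving the GetReq and `Should Be Equal As Strings` lines into a user keyword and calling it through `Wait Until Keyword Succeeds    2 min    5 sec    <that keyword>` (the timings are illustrative). The test case may continue past the end of this hunk.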
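Review bot: The updated expectation for `method="save",repository="PdpGroupRepository"` in the Metrics hunk is still a substring match, so `Should Contain` with a trailing ` 2` also accepts 20, 21 or 2.5 and does not pin the count this commit changes. `Should Match Regexp` with the sample value anchored at the end of the line would make the new number meaningful; the neighbouring `findByKeyName ... 1` and `/components/healthcheck ... 1` lines have the same weakness. A short comment saying why two saves are expected at this point (presumably the extra pre-deployed group) would also help whoever changes the group setup next.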
@@ -79,7 +79,7 @@ DeployPdpGroups QueryPdpGroupsAfterDeploy [Documentation] Verify PdpGroups after undeploy - QueryPdpGroups 2 defaultGroup ACTIVE 0 testGroup ACTIVE 1 + QueryPdpGroups 3 defaultGroup ACTIVE 0 opaGroup ACTIVE 1 testGroup ACTIVE 1 QueryPolicyAuditAfterDeploy [Documentation] Verify policy audit record after deploy @@ -101,7 +101,7 @@ UndeployPolicyWithMetadataSet QueryPdpGroupsAfterUndeploy [Documentation] Verify PdpGroups after undeploy - QueryPdpGroups 2 defaultGroup ACTIVE 0 testGroup ACTIVE 0 + QueryPdpGroups 3 defaultGroup ACTIVE 0 opaGroup ACTIVE 1 testGroup ACTIVE 0 QueryPolicyAuditAfterUnDeploy [Documentation] Verify policy audit record after undeploy @@ -123,4 +123,4 @@ DeletePdpGroups QueryPdpGroupsAfterDelete [Documentation] Verify PdpGroups after delete - QueryPdpGroups 1 defaultGroup ACTIVE 0 null null null + QueryPdpGroups 2 defaultGroup ACTIVE 0 opaGroup ACTIVE 1 null null null diff --git a/csit/run-project-csit.sh b/csit/run-project-csit.sh index ad3f41c7..f5bb890a 100755 --- a/csit/run-project-csit.sh +++ b/csit/run-project-csit.sh @@ -128,11 +128,13 @@ function setup_api() { function setup_pap() { export ROBOT_FILES="pap-test.robot pap-slas.robot" + export PROJECT="pap" source "${DOCKER_COMPOSE_DIR}"/start-compose.sh apex-pdp --grafana echo "Waiting 1 minute for policy-pap to start..." sleep 60 check_rest_endpoint "${PAP_PORT}" check_rest_endpoint "${APEX_PORT}" + check_rest_endpoint "${OPA_PDP_PORT}" apex_healthcheck } -- 2.16.6
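Review bot: QueryPdpGroupsAfterDeploy still carries `[Documentation]    Verify PdpGroups after undeploy`, which describes the opposite state from the one its updated `QueryPdpGroups` line asserts (testGroup ACTIVE with 1). Since the line below it is being edited anyway, change it to `[Documentation]    Verify PdpGroups after deploy`. The positional argument list also grows to ten values in the -60, -69, -79, -101 and -123 hunks; a one-line comment naming the per-group triple (name, state and, as the values suggest, deployed-policy count) would make these calls readable.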
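Review bot: `check_rest_endpoint "${OPA_PDP_PORT}"` is added to setup_pap, but nothing in this hunk shows where OPA_PDP_PORT is set or that `start-compose.sh apex-pdp --grafana` brings up an opa-pdp container; if the variable is empty on this path the helper is called with an empty port. I would fail early with `check_rest_endpoint "${OPA_PDP_PORT:?OPA_PDP_PORT is not set}"`. The status of the three check_rest_endpoint calls is also not tested here, so unless the script runs under `set -e` (not visible in the hunk) an unreachable PDP only surfaces later as a Robot failure.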