2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright (C) 2017-2019 AT&T Intellectual Property. All rights reserved.
6 * Modifications Copyright (C) 2019 Nordix Foundation.
7 * ================================================================================
8 * Licensed under the Apache License, Version 2.0 (the "License");
9 * you may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS,
16 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 * ============LICENSE_END=========================================================
22 package org.onap.policy.pap.xacml.rest;
24 import com.att.research.xacml.api.pap.PAPException;
25 import com.att.research.xacml.api.pap.PDPPolicy;
26 import com.att.research.xacml.api.pap.PDPStatus;
27 import com.att.research.xacml.util.FactoryException;
28 import com.att.research.xacml.util.XACMLProperties;
29 import com.fasterxml.jackson.databind.ObjectMapper;
30 import com.google.common.annotations.VisibleForTesting;
31 import com.google.common.base.Splitter;
33 import java.io.FileInputStream;
34 import java.io.IOException;
35 import java.io.InputStream;
36 import java.io.OutputStream;
37 import java.net.InetAddress;
38 import java.net.UnknownHostException;
39 import java.nio.file.Files;
40 import java.nio.file.Path;
41 import java.nio.file.Paths;
42 import java.util.List;
43 import java.util.Properties;
45 import java.util.UUID;
46 import java.util.concurrent.CopyOnWriteArrayList;
47 import javax.persistence.PersistenceException;
48 import javax.servlet.Servlet;
49 import javax.servlet.ServletConfig;
50 import javax.servlet.ServletException;
51 import javax.servlet.annotation.WebInitParam;
52 import javax.servlet.annotation.WebServlet;
53 import javax.servlet.http.HttpServlet;
54 import javax.servlet.http.HttpServletRequest;
55 import javax.servlet.http.HttpServletResponse;
56 import org.apache.commons.io.IOUtils;
57 import org.onap.policy.common.ia.IntegrityAudit;
58 import org.onap.policy.common.im.AdministrativeStateException;
59 import org.onap.policy.common.im.ForwardProgressException;
60 import org.onap.policy.common.im.IntegrityMonitor;
61 import org.onap.policy.common.im.IntegrityMonitorException;
62 import org.onap.policy.common.im.IntegrityMonitorProperties;
63 import org.onap.policy.common.im.StandbyStatusException;
64 import org.onap.policy.common.logging.OnapLoggingContext;
65 import org.onap.policy.common.logging.OnapLoggingUtils;
66 import org.onap.policy.common.logging.eelf.MessageCodes;
67 import org.onap.policy.common.logging.eelf.PolicyLogger;
68 import org.onap.policy.common.logging.flexlogger.FlexLogger;
69 import org.onap.policy.common.logging.flexlogger.Logger;
70 import org.onap.policy.pap.xacml.rest.components.HandleIncomingNotifications;
71 import org.onap.policy.pap.xacml.rest.components.PolicyDbDao;
72 import org.onap.policy.pap.xacml.rest.components.PolicyDbDaoTransaction;
73 import org.onap.policy.pap.xacml.rest.handler.APIRequestHandler;
74 import org.onap.policy.pap.xacml.rest.handler.PushPolicyHandler;
75 import org.onap.policy.pap.xacml.rest.handler.SavePolicyHandler;
76 import org.onap.policy.pap.xacml.restAuth.CheckPDP;
77 import org.onap.policy.rest.XacmlRest;
78 import org.onap.policy.rest.XacmlRestProperties;
79 import org.onap.policy.rest.dao.PolicyDbException;
80 import org.onap.policy.utils.PeCryptoUtils;
81 import org.onap.policy.utils.PolicyUtils;
82 import org.onap.policy.xacml.api.XACMLErrorConstants;
83 import org.onap.policy.xacml.api.pap.ONAPPapEngineFactory;
84 import org.onap.policy.xacml.api.pap.OnapPDP;
85 import org.onap.policy.xacml.api.pap.OnapPDPGroup;
86 import org.onap.policy.xacml.api.pap.PAPPolicyEngine;
87 import org.onap.policy.xacml.std.pap.StdPDP;
88 import org.onap.policy.xacml.std.pap.StdPDPGroup;
89 import org.onap.policy.xacml.std.pap.StdPDPItemSetChangeNotifier.StdItemSetChangeListener;
90 import org.onap.policy.xacml.std.pap.StdPDPPolicy;
91 import org.onap.policy.xacml.std.pap.StdPDPStatus;
94 * Servlet implementation class XacmlPapServlet.
97 description = "Implements the XACML PAP RESTful API.",
100 initParams = {@WebInitParam(
101 name = "XACML_PROPERTIES_NAME",
102 value = "xacml.pap.properties",
103 description = "The location of the properties file holding configuration information.")})
104 public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeListener, Runnable {
105 private static final long serialVersionUID = 1L;
106 private static final Logger LOGGER = FlexLogger.getLogger(XACMLPapServlet.class);
107 // audit (transaction) LOGGER
108 private static final Logger auditLogger = FlexLogger.getLogger("auditLogger");
109 // Persistence Unit for JPA
110 private static final String PERSISTENCE_UNIT = "XACML-PAP-REST";
111 private static final String AUDIT_PAP_PERSISTENCE_UNIT = "auditPapPU";
113 private static final String ENVIRONMENT_HEADER = "Environment";
114 private static final String ADD_GROUP_ERROR = "addGroupError";
115 private static final String PERSISTENCE_JDBC_PWD = "javax.persistence.jdbc.password";
117 private static final String REGEX = "[0-9a-zA-Z._ ]*";
120 * List of Admin Console URLs. Used to send notifications when configuration changes.
122 * The CopyOnWriteArrayList *should* protect from concurrency errors. This list is seldom
123 * changed but often read, so the costs of this approach make sense.
125 private static final CopyOnWriteArrayList<String> adminConsoleURLStringList = new CopyOnWriteArrayList<>();
127 private static String configHome;
128 private static String actionHome;
130 * This PAP instance's own URL. Need this when creating URLs to send to the PDPs so they can GET
131 * the Policy files from this process.
133 private static String papUrl = null;
134 // The heartbeat thread.
135 private static Heartbeat heartbeat = null;
136 private static Thread heartbeatThread = null;
137 private static PolicyDbDao policyDbDao;
139 * papEngine - This is our engine workhorse that manages the PDP Groups and Nodes.
141 private static PAPPolicyEngine papEngine = null;
143 * These are the parameters needed for DB access from the PAP
145 private static int papIntegrityAuditPeriodSeconds = -1;
146 private static String papDbDriver = null;
147 private static String papDbUrl = null;
148 private static String papDbUser = null;
149 private static String papDbPd = null;
150 private static String papResourceName = null;
151 private static String[] papDependencyGroupsFlatArray = null;
152 private static String environment = null;
153 private static String pdpFile = null;
155 private transient IntegrityMonitor im;
156 private transient IntegrityAudit ia;
158 // MicroService Model Properties
159 private static String msOnapName;
160 private static String msPolicyName;
162 * This thread may be invoked upon startup to initiate sending PDP policy/pip configuration when
163 * this servlet starts. Its configurable by the admin.
165 private static transient Thread initiateThread = null;
166 private transient OnapLoggingContext baseLoggingContext = null;
167 private static final String GROUPID = "groupId";
170 * @see HttpServlet#HttpServlet()
172 public XACMLPapServlet() {
177 * @see Servlet#init(ServletConfig)
180 public void init(ServletConfig config) throws ServletException {
183 baseLoggingContext = new OnapLoggingContext();
184 // fixed data that will be the same in all logging output goes here
186 String hostname = InetAddress.getLocalHost().getCanonicalHostName();
187 baseLoggingContext.setServer(hostname);
188 } catch (UnknownHostException e) {
189 LOGGER.warn(XACMLErrorConstants.ERROR_SYSTEM_ERROR + "Unable to get hostname for logging", e);
193 XacmlRest.xacmlInit(config);
194 // Load the properties
195 XacmlRest.loadXacmlProperties(null, null);
197 * Retrieve the property values
199 setCommonProperties();
200 String papSiteName = XACMLProperties.getProperty(XacmlRestProperties.PAP_SITE_NAME);
201 if (papSiteName == null) {
202 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, "XACMLPapServlet",
203 " ERROR: Bad papSiteName property entry");
204 throw new PAPException("papSiteName is null");
206 String papNodeType = XACMLProperties.getProperty(XacmlRestProperties.PAP_NODE_TYPE);
207 if (papNodeType == null) {
208 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, "XACMLPapServlet",
209 " ERROR: Bad papNodeType property entry");
210 throw new PAPException("papNodeType is null");
212 // Integer will throw an exception of anything is missing or
214 int papTransWait = Integer.parseInt(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_TRANS_WAIT));
215 int papTransTimeout =
216 Integer.parseInt(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_TRANS_TIMEOUT));
217 int papAuditTimeout =
218 Integer.parseInt(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_AUDIT_TIMEOUT));
219 // Boolean will default to false if anything is missing or
221 boolean papAuditFlag =
222 Boolean.parseBoolean(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_RUN_AUDIT_FLAG));
223 boolean papFileSystemAudit =
224 Boolean.parseBoolean(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_AUDIT_FLAG));
225 String papDependencyGroups = XACMLProperties.getProperty(XacmlRestProperties.PAP_DEPENDENCY_GROUPS);
226 if (papDependencyGroups == null) {
227 throw new PAPException("papDependencyGroups is null");
229 setPAPDependencyGroups(papDependencyGroups);
230 // Integer will throw an exception of anything is missing or
232 int fpMonitorInterval =
233 Integer.parseInt(XACMLProperties.getProperty(IntegrityMonitorProperties.FP_MONITOR_INTERVAL));
234 int failedCounterThreshold =
235 Integer.parseInt(XACMLProperties.getProperty(IntegrityMonitorProperties.FAILED_COUNTER_THRESHOLD));
236 int testTransInterval =
237 Integer.parseInt(XACMLProperties.getProperty(IntegrityMonitorProperties.TEST_TRANS_INTERVAL));
238 int writeFpcInterval =
239 Integer.parseInt(XACMLProperties.getProperty(IntegrityMonitorProperties.WRITE_FPC_INTERVAL));
240 LOGGER.debug("\n\n\n**************************************" + "\n*************************************"
241 + "\n" + "\n papDbDriver = " + papDbDriver + "\n papDbUrl = " + papDbUrl + "\n papDbUser = "
242 + papDbUser + "\n papTransWait = " + papTransWait + "\n papTransTimeout = " + papTransTimeout
243 + "\n papAuditTimeout = " + papAuditTimeout + "\n papAuditFlag = " + papAuditFlag
244 + "\n papFileSystemAudit = " + papFileSystemAudit + "\n papResourceName = " + papResourceName
245 + "\n fpMonitorInterval = " + fpMonitorInterval + "\n failedCounterThreshold = "
246 + failedCounterThreshold + "\n testTransInterval = " + testTransInterval + "\n writeFpcInterval = "
247 + writeFpcInterval + "\n papSiteName = " + papSiteName + "\n papNodeType = " + papNodeType
248 + "\n papDependencyGroupsList = " + papDependencyGroups + "\n papIntegrityAuditPeriodSeconds = "
249 + papIntegrityAuditPeriodSeconds + "\n\n*************************************"
250 + "\n**************************************");
251 // Pull custom persistence settings
252 Properties properties;
254 properties = XACMLProperties.getProperties();
255 LOGGER.debug("\n\n\n**************************************" + "\n**************************************"
256 + "\n\n" + "properties = " + properties + "\n\n**************************************");
257 } catch (IOException e) {
258 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, e, "XACMLPapServlet",
259 " Error loading properties with: " + "XACMLProperties.getProperties()");
260 throw new ServletException(e.getMessage(), e.getCause());
262 // Create an IntegrityMonitor
263 if (properties.getProperty(PERSISTENCE_JDBC_PWD) != null) {
264 properties.setProperty(PERSISTENCE_JDBC_PWD,
265 PeCryptoUtils.decrypt(properties.getProperty(PERSISTENCE_JDBC_PWD, "")));
267 im = IntegrityMonitor.getInstance(papResourceName, properties);
268 // Create an IntegrityAudit
269 ia = new IntegrityAudit(papResourceName, AUDIT_PAP_PERSISTENCE_UNIT, properties);
270 ia.startAuditThread();
271 // we are about to call the PDPs and give them their configuration.
272 // To do that we need to have the URL of this PAP so we can
273 // construct the Policy file URLs
274 setPapUrl(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_URL));
275 // Create the policyDBDao
277 // Load our PAP engine, first create a factory
278 ONAPPapEngineFactory factory = ONAPPapEngineFactory
279 .newInstance(XACMLProperties.getProperty(XACMLProperties.PROP_PAP_PAPENGINEFACTORY));
280 // The factory knows how to go about creating a PAP Engine
281 setPAPEngine(factory.newEngine());
282 if (((org.onap.policy.xacml.std.pap.StdEngine) papEngine).wasDefaultGroupJustAdded) {
283 createDefaultGroupOnInit();
285 policyDbDao.setPapEngine(XACMLPapServlet.papEngine);
286 if (Boolean.parseBoolean(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_RUN_AUDIT_FLAG))) {
288 * Auditing the local File System groups to be in sync with the Database
291 // get an AuditTransaction to lock out all other transactions
292 PolicyDbDaoTransaction auditTrans = policyDbDao.getNewAuditTransaction();
294 LOGGER.info("PapServlet: calling auditLocalFileSystem for PDP group audit");
295 LOGGER.info("PapServlet: old group is " + papEngine.getDefaultGroup().toString());
296 // get the current filesystem group and update from the database
298 StdPDPGroup group = (StdPDPGroup) papEngine.getDefaultGroup();
299 StdPDPGroup updatedGroup = policyDbDao.auditLocalFileSystem(group);
300 if (updatedGroup != null) {
301 papEngine.updateGroup(updatedGroup);
303 LOGGER.info("PapServlet: updated group is " + papEngine.getDefaultGroup().toString());
305 // sync up the config data from DB to file system
306 LOGGER.info("PapServlet: Sync config data from DB to file system");
307 policyDbDao.synchronizeConfigDataInFileSystem();
309 // release the transaction lock
313 // Configurable - have the PAP servlet initiate sending the latest
314 // PDP policy/pip configuration
315 // to all its known PDP nodes.
316 if (Boolean.parseBoolean(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_INITIATE_PDP_CONFIG))) {
317 startInitiateThreadService(new Thread(this));
319 // After startup, the PAP does Heartbeat's to each of the PDPs
321 startHeartBeatService(new Heartbeat(XACMLPapServlet.papEngine));
322 } catch (FactoryException | PAPException e) {
323 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "XACMLPapServlet", " Failed to create engine");
324 throw new ServletException(XACMLErrorConstants.ERROR_SYSTEM_ERROR + "PAP not initialized; error: " + e);
325 } catch (Exception e) {
326 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "XACMLPapServlet",
327 " Failed to create engine - unexpected error");
328 throw new ServletException(
329 XACMLErrorConstants.ERROR_SYSTEM_ERROR + "PAP not initialized; unexpected error: " + e);
334 private void createDefaultGroupOnInit() {
335 PolicyDbDaoTransaction addNewGroup = null;
337 addNewGroup = policyDbDao.getNewTransaction();
338 OnapPDPGroup group = papEngine.getDefaultGroup();
339 addNewGroup.createGroup(group.getId(), group.getName(), group.getDescription(), "automaticallyAdded");
340 addNewGroup.commitTransaction();
341 addNewGroup = policyDbDao.getNewTransaction();
342 addNewGroup.changeDefaultGroup(group, "automaticallyAdded");
343 addNewGroup.commitTransaction();
344 } catch (Exception e) {
345 PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "XACMLPapServlet",
346 " Error creating new default group in the database");
347 if (addNewGroup != null) {
348 addNewGroup.rollbackTransaction();
353 private static void startInitiateThreadService(Thread thread) {
354 initiateThread = thread;
355 initiateThread.start();
359 protected static void mapperWriteValue(ObjectMapper mapper, HttpServletResponse response, Object value) {
361 mapper.writeValue(response.getOutputStream(), value);
362 } catch (Exception e) {
367 private static void startHeartBeatService(Heartbeat heartbeat) {
368 XACMLPapServlet.heartbeat = heartbeat;
369 XACMLPapServlet.heartbeatThread = new Thread(XACMLPapServlet.heartbeat);
370 XACMLPapServlet.heartbeatThread.start();
373 private static void setPolicyDbDao() throws ServletException {
375 policyDbDao = PolicyDbDao.getPolicyDbDaoInstance();
376 } catch (Exception e) {
377 throw new ServletException("Unable to Create Policy DBDao Instance", e);
381 public static PolicyDbDao getPolicyDbDao() {
385 private static void setPapUrl(String papUrl) {
386 XACMLPapServlet.papUrl = papUrl;
389 public static String getPapUrl() {
394 protected static void setPAPEngine(PAPPolicyEngine newEngine) {
395 XACMLPapServlet.papEngine = newEngine;
398 private static void setPAPDependencyGroups(String papDependencyGroups) throws PAPException {
400 // Now we have flattened the array into a simple comma-separated list
401 papDependencyGroupsFlatArray = papDependencyGroups.split("[;,]");
402 // clean up the entries
403 for (int i = 0; i < papDependencyGroupsFlatArray.length; i++) {
404 papDependencyGroupsFlatArray[i] = papDependencyGroupsFlatArray[i].trim();
407 if (XACMLProperties.getProperty(XacmlRestProperties.PAP_INTEGRITY_AUDIT_PERIOD_SECONDS) != null) {
408 papIntegrityAuditPeriodSeconds = Integer.parseInt(
409 XACMLProperties.getProperty(XacmlRestProperties.PAP_INTEGRITY_AUDIT_PERIOD_SECONDS).trim());
411 } catch (Exception e) {
412 String msg = "integrity_audit_period_seconds ";
413 LOGGER.error("\n\nERROR: " + msg + "Bad property entry: " + e.getMessage() + "\n");
414 PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "XACMLPapServlet",
415 " ERROR: " + msg + "Bad property entry");
418 } catch (Exception e) {
419 PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "XACMLPapServlet", " ERROR: Bad property entry");
420 throw new PAPException(e);
424 private static void setCommonProperties() throws PAPException {
427 papDbDriver = XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_DB_DRIVER);
428 if (papDbDriver == null) {
429 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, "XACMLPapServlet",
430 " ERROR: Bad papDbDriver property entry");
431 throw new PAPException("papDbDriver is null");
433 setPapDbDriver(papDbDriver);
434 papDbUrl = XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_DB_URL);
435 if (papDbUrl == null) {
436 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, "XACMLPapServlet", " ERROR: Bad papDbUrl property entry");
437 throw new PAPException("papDbUrl is null");
439 setPapDbUrl(papDbUrl);
440 papDbUser = XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_DB_USER);
441 if (papDbUser == null) {
442 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, "XACMLPapServlet",
443 " ERROR: Bad papDbUser property entry");
444 throw new PAPException("papDbUser is null");
446 setPapDbUser(papDbUser);
447 PeCryptoUtils.initAesKey(XACMLProperties.getProperty(XacmlRestProperties.PROP_AES_KEY));
448 papDbPd = PeCryptoUtils.decrypt(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_DB_PASSWORD));
449 if (papDbPd == null) {
450 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, "XACMLPapServlet",
451 " ERROR: Bad papDbPassword property entry");
452 throw new PAPException("papDbPassword is null");
454 setPapDbPassword(papDbPd);
455 papResourceName = XACMLProperties.getProperty(XacmlRestProperties.PAP_RESOURCE_NAME);
456 if (papResourceName == null) {
457 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, "XACMLPapServlet",
458 " ERROR: Bad papResourceName property entry");
459 throw new PAPException("papResourceName is null");
461 environment = XACMLProperties.getProperty("ENVIRONMENT", "DEVL");
462 // Micro Service Properties
463 msOnapName = XACMLProperties.getProperty("xacml.policy.msOnapName");
464 setMsOnapName(msOnapName);
465 msPolicyName = XACMLProperties.getProperty("xacml.policy.msPolicyName");
466 setMsPolicyName(msPolicyName);
467 // PDPId File location
468 XACMLPapServlet.pdpFile = XACMLProperties.getProperty(XacmlRestProperties.PROP_PDP_IDFILE);
469 if (XACMLPapServlet.pdpFile == null) {
470 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " The PDP Id Authentication File Property is not valid: "
471 + XacmlRestProperties.PROP_PDP_IDFILE);
472 throw new PAPException(
473 "The PDP Id Authentication File Property :" + XacmlRestProperties.PROP_PDP_IDFILE + " is not Valid. ");
478 * Thread used only during PAP startup to initiate change messages to all known PDPs. This must
479 * be on a separate thread so that any GET requests from the PDPs during this update can be
484 // send the current configuration to all the PDPs that we know about
489 * @see Servlet#destroy()
491 * Depending on how this servlet is run, we may or may not care about cleaning up the
492 * resources. For now we assume that we do care.
495 public void destroy() {
496 // Make sure our threads are destroyed
497 if (XACMLPapServlet.heartbeatThread != null) {
498 // stop the heartbeat
500 if (XACMLPapServlet.heartbeat != null) {
501 XACMLPapServlet.heartbeat.terminate();
503 XACMLPapServlet.heartbeatThread.interrupt();
504 XACMLPapServlet.heartbeatThread.join();
505 } catch (InterruptedException e) {
506 XACMLPapServlet.heartbeatThread.interrupt();
507 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "XACMLPapServlet", " Error stopping heartbeat");
510 if (initiateThread != null) {
512 initiateThread.interrupt();
513 initiateThread.join();
514 } catch (InterruptedException e) {
515 initiateThread.interrupt();
516 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "XACMLPapServlet", " Error stopping thread");
521 private ConsoleAndApiService getAcServiceInstance() {
522 return new ConsoleAndApiService();
526 * Called by: - PDP nodes to register themselves with the PAP, and - Admin Console to make
527 * changes in the PDP Groups.
529 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
532 protected void doPost(HttpServletRequest request, HttpServletResponse response)
533 throws ServletException, IOException {
534 OnapLoggingContext loggingContext = OnapLoggingUtils.getLoggingContextForRequest(request, baseLoggingContext);
535 setLoggingContext(loggingContext, "doPost", "PAP.post");
536 PolicyDbDaoTransaction pdpTransaction = null;
538 loggingContext.metricStarted();
539 im.startTransaction();
540 loggingContext.metricEnded();
541 PolicyLogger.metrics("XACMLPapServlet doPost im startTransaction");
542 } catch (AdministrativeStateException ae) {
544 "POST interface called for PAP " + papResourceName + " but it has an Administrative state of "
545 + im.getStateManager().getAdminState() + "\n Exception Message: " + PolicyUtils.CATCH_EXCEPTION;
546 LOGGER.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message, ae);
547 loggingContext.metricEnded();
548 PolicyLogger.metrics("XACMLPapServlet doPost im startTransaction");
549 loggingContext.transactionEnded();
550 PolicyLogger.audit("Transaction Failed - See Error.log");
551 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
553 } catch (IntegrityMonitorException ime) {
555 "POST interface called for PAP " + papResourceName + " but it has an Administrative state of "
556 + im.getStateManager().getAdminState() + " and a Standby Status of "
557 + im.getStateManager().getStandbyStatus() + "\n Exception Message: " + ime.getMessage();
558 LOGGER.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message, ime);
559 loggingContext.metricEnded();
560 PolicyLogger.metrics("XACMLPapServlet doPost im startTransaction");
561 loggingContext.transactionEnded();
562 PolicyLogger.audit("Transaction Failed - See Error.log");
563 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
567 loggingContext.metricStarted();
568 XacmlRest.dumpRequest(request);
569 loggingContext.metricEnded();
570 PolicyLogger.metrics("XACMLPapServlet doPost dumpRequest");
571 // since getParameter reads the content string, explicitly get the
572 // content before doing that.
573 // Simply getting the inputStream seems to protect it against being
574 // consumed by getParameter.
575 request.getInputStream();
576 String groupId = request.getParameter(GROUPID);
577 String apiflag = request.getParameter("apiflag");
578 if (groupId != null) {
579 // Is this from the Admin Console or API?
580 if (apiflag != null && "api".equalsIgnoreCase(apiflag)) {
581 // this is from the API so we need to check the client
582 // credentials before processing the request
583 if (!authorizeRequest(request)) {
584 String message = "PEP not Authorized for making this Request!!";
585 PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
586 loggingContext.transactionEnded();
587 PolicyLogger.audit("Transaction Failed - See Error.log");
588 setResponseError(response, HttpServletResponse.SC_FORBIDDEN, message);
593 loggingContext.metricStarted();
594 getAcServiceInstance().doAcPost(request, response, groupId, loggingContext, papEngine);
595 loggingContext.metricEnded();
596 PolicyLogger.metrics("XACMLPapServlet doPost doACPost");
597 loggingContext.transactionEnded();
598 PolicyLogger.audit("Transaction Ended Successfully");
602 // Request is from a PDP asking for its config.
603 loggingContext.setServiceName("PDP:PAP.register");
605 String id = this.getPDPID(request);
606 String jmxport = this.getPDPJMX(request);
607 LOGGER.info("Request(doPost) from PDP coming up: " + id);
608 // Get the PDP Object
609 OnapPDP pdp = XACMLPapServlet.papEngine.getPDP(id);
612 LOGGER.info("Unknown PDP: " + id);
614 if (CheckPDP.validateID(id)) {
615 pdpTransaction = policyDbDao.getNewTransaction();
617 pdpTransaction.addPdpToGroup(id, XACMLPapServlet.papEngine.getDefaultGroup().getId(), id,
618 "Registered on first startup", Integer.parseInt(jmxport), "PDP autoregister");
619 XACMLPapServlet.papEngine.newPDP(id, XACMLPapServlet.papEngine.getDefaultGroup(), id,
620 "Registered on first startup", Integer.parseInt(jmxport));
621 } catch (NullPointerException | PAPException | IllegalArgumentException | IllegalStateException
622 | PersistenceException | PolicyDbException e) {
623 pdpTransaction.rollbackTransaction();
624 String message = "Failed to create new PDP for id: " + id;
625 PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " " + message);
626 loggingContext.transactionEnded();
627 PolicyLogger.audit("Transaction Failed - See Error.log");
628 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
632 // get the PDP we just created
634 pdp = XACMLPapServlet.papEngine.getPDP(id);
635 } catch (PAPException e) {
639 if (pdpTransaction != null) {
640 pdpTransaction.rollbackTransaction();
642 String message = "Failed to create new PDP for id: " + id;
643 PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW + " " + message);
644 loggingContext.transactionEnded();
645 PolicyLogger.audit("Transaction Failed - See Error.log");
646 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
651 String message = "PDP is Unauthorized to Connect to PAP: " + id;
652 loggingContext.transactionEnded();
653 PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
654 setResponseError(response, HttpServletResponse.SC_UNAUTHORIZED,
655 "PDP not Authorized to connect to this PAP. Please contact the PAP Admin for registration.");
656 PolicyLogger.audit("Transaction Failed - See Error.log");
661 loggingContext.metricStarted();
662 pdpTransaction.commitTransaction();
663 loggingContext.metricEnded();
664 PolicyLogger.metrics("XACMLPapServlet doPost commitTransaction");
665 } catch (Exception e) {
666 PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet",
667 "Could not commit transaction to put pdp in the database");
670 if (jmxport != null && !"".equals(jmxport)) {
672 ((StdPDP) pdp).setJmxPort(Integer.valueOf(jmxport));
673 } catch (NumberFormatException e) {
677 // Get the PDP's Group
678 OnapPDPGroup group = null;
680 group = XACMLPapServlet.papEngine.getPDPGroup(pdp);
681 } catch (PAPException e) {
686 .error(MessageCodes.ERROR_PROCESS_FLOW + " PDP not associated with any group, even the default");
687 loggingContext.transactionEnded();
688 PolicyLogger.audit("Transaction Failed - See Error.log");
689 setResponseError(response, HttpServletResponse.SC_UNAUTHORIZED,
690 "PDP not associated with any group, even the default");
694 // Determine what group the PDP node is in and get
695 // its policy/pip properties.
696 Properties policies = group.getPolicyProperties();
697 Properties pipconfig = group.getPipConfigProperties();
698 // Get the current policy/pip configuration that the PDP has
699 Properties pdpProperties = new Properties();
701 pdpProperties.load(request.getInputStream());
702 } catch (IOException e) {
705 LOGGER.info("PDP Current Properties: " + pdpProperties.toString());
706 LOGGER.info("Policies: " + (policies != null ? policies.toString() : "null"));
707 LOGGER.info("Pip config: " + (pipconfig != null ? pipconfig.toString() : "null"));
708 // Validate the node's properties
709 boolean isCurrent = this.isPDPCurrent(policies, pipconfig, pdpProperties);
710 // Send back current configuration
712 // Tell the PDP we are sending back the current policies/pip
714 LOGGER.info("PDP configuration NOT current.");
715 if (policies != null) {
716 // Put URL's into the properties in case the PDP needs to
718 this.populatePolicyURL(request.getRequestURL(), policies);
719 // Copy the properties to the output stream
721 policies.store(response.getOutputStream(), "");
722 } catch (IOException e) {
726 if (pipconfig != null) {
727 // Copy the properties to the output stream
729 pipconfig.store(response.getOutputStream(), "");
730 } catch (IOException e) {
734 // We are good - and we are sending them information
735 response.setStatus(HttpServletResponse.SC_OK);
737 setPDPSummaryStatus(pdp, PDPStatus.Status.OUT_OF_SYNCH);
738 } catch (PAPException e) {
742 // Tell them they are good
743 response.setStatus(HttpServletResponse.SC_NO_CONTENT);
745 setPDPSummaryStatus(pdp, PDPStatus.Status.UP_TO_DATE);
746 } catch (PAPException e) {
750 auditLogger.info("Success");
751 PolicyLogger.audit("Transaction Ended Successfully");
752 } catch (PAPException | IOException | NumberFormatException e) {
753 if (pdpTransaction != null) {
754 pdpTransaction.rollbackTransaction();
756 LOGGER.debug(XACMLErrorConstants.ERROR_PROCESS_FLOW + "POST exception: " + e, e);
757 loggingContext.transactionEnded();
758 PolicyLogger.audit("Transaction Failed - See Error.log");
759 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
763 // Catch anything that fell through
764 loggingContext.transactionEnded();
765 PolicyLogger.audit("Transaction Ended");
769 private void setResponseError(HttpServletResponse response, int responseCode, String message) {
771 if (message != null && !message.isEmpty()) {
772 response.sendError(responseCode, message);
774 } catch (IOException e) {
775 LOGGER.error("Error setting Error response Header ", e);
780 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
783 protected void doGet(HttpServletRequest request, HttpServletResponse response)
784 throws ServletException, IOException {
785 OnapLoggingContext loggingContext = OnapLoggingUtils.getLoggingContextForRequest(request, baseLoggingContext);
786 setLoggingContext(loggingContext, "doGet", "PAP.get");
787 loggingContext.metricStarted();
788 XacmlRest.dumpRequest(request);
789 loggingContext.metricEnded();
790 PolicyLogger.metrics("XACMLPapServlet doGet dumpRequest");
791 String pathInfo = request.getRequestURI();
792 LOGGER.info("path info: " + pathInfo);
793 if (pathInfo != null && "/pap/test".equals(pathInfo)) {
794 // DO NOT do a im.startTransaction for the test request
796 testService(loggingContext, response);
797 } catch (IOException e) {
802 // This im.startTransaction() covers all other Get transactions
804 loggingContext.metricStarted();
805 im.startTransaction();
806 loggingContext.metricEnded();
807 PolicyLogger.metrics("XACMLPapServlet doGet im startTransaction");
808 } catch (IntegrityMonitorException ime) {
810 "GET interface called for PAP " + papResourceName + " but it has an Administrative state of "
811 + im.getStateManager().getAdminState() + " and a Standby Status of "
812 + im.getStateManager().getStandbyStatus() + "\n Exception Message: " + ime.getMessage();
813 LOGGER.info(message, ime);
814 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
815 loggingContext.transactionEnded();
816 PolicyLogger.audit("Transaction Failed - See Error.log");
817 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
820 // Request from the API to get the gitPath
821 String apiflag = request.getParameter("apiflag");
822 if (apiflag != null) {
823 if (authorizeRequest(request)) {
824 APIRequestHandler apiRequestHandler = new APIRequestHandler();
826 loggingContext.metricStarted();
827 apiRequestHandler.doGet(request, response, apiflag);
828 loggingContext.metricEnded();
829 PolicyLogger.metrics("XACMLPapServlet doGet apiRequestHandler doGet");
830 } catch (IOException e) {
833 loggingContext.transactionEnded();
834 PolicyLogger.audit("Transaction Ended Successfully");
839 "PEP not Authorized for making this Request!! \n Contact Administrator for this Scope. ";
840 PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
841 loggingContext.transactionEnded();
842 PolicyLogger.audit("Transaction Failed - See Error.log");
843 setResponseError(response, HttpServletResponse.SC_FORBIDDEN, message);
848 // Is this from the Admin Console?
849 String groupId = request.getParameter(GROUPID);
850 if (groupId != null) {
851 // this is from the Admin Console, so handle separately
853 loggingContext.metricStarted();
854 getAcServiceInstance().doAcGet(request, response, groupId, loggingContext, papEngine);
855 loggingContext.metricEnded();
856 PolicyLogger.metrics("XACMLPapServlet doGet doACGet");
857 } catch (IOException e) {
860 loggingContext.transactionEnded();
861 PolicyLogger.audit("Transaction Ended Successfully");
866 String id = this.getPDPID(request);
867 LOGGER.info("doGet from: " + id);
868 // Get the PDP Object
871 pdp = XACMLPapServlet.papEngine.getPDP(id);
872 } catch (PAPException e) {
877 // Check if request came from localhost
878 if ("localhost".equals(request.getRemoteHost()) || request.getRemoteHost().equals(request.getLocalAddr())) {
879 // Return status information - basically all the groups
880 loggingContext.setServiceName("PAP.getGroups");
881 Set<OnapPDPGroup> groups = null;
883 groups = papEngine.getOnapPDPGroups();
884 } catch (PAPException e) {
886 PolicyLogger.error(MessageCodes.ERROR_UNKNOWN, e, "XACMLPapServlet", " GET exception");
887 loggingContext.transactionEnded();
888 PolicyLogger.audit("Transaction Failed - See Error.log");
889 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
893 // convert response object to JSON and include in the response
894 mapperWriteValue(new ObjectMapper(), response, groups);
895 response.setHeader("content-type", "application/json");
896 response.setStatus(HttpServletResponse.SC_OK);
897 loggingContext.transactionEnded();
898 PolicyLogger.audit("Transaction Ended Successfully");
903 "Unknown PDP: " + id + " from " + request.getRemoteHost() + " us: " + request.getLocalAddr();
904 PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
905 loggingContext.transactionEnded();
906 PolicyLogger.audit("Transaction Failed - See Error.log");
907 setResponseError(response, HttpServletResponse.SC_UNAUTHORIZED, message);
911 loggingContext.setServiceName("PAP.getPolicy");
912 // Get the PDP's Group
913 OnapPDPGroup group = null;
915 group = XACMLPapServlet.papEngine.getPDPGroup(pdp);
916 } catch (PAPException e) {
920 String message = "No group associated with pdp " + pdp.getId();
921 LOGGER.warn(XACMLErrorConstants.ERROR_PERMISSIONS + message);
922 loggingContext.transactionEnded();
923 PolicyLogger.audit("Transaction Failed - See Error.log");
924 setResponseError(response, HttpServletResponse.SC_UNAUTHORIZED, message);
928 // Which policy do they want?
929 String policyId = request.getParameter("id");
930 if (policyId == null) {
931 String message = "Did not specify an id for the policy";
932 LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + message);
933 loggingContext.transactionEnded();
934 PolicyLogger.audit("Transaction Failed - See Error.log");
935 setResponseError(response, HttpServletResponse.SC_NOT_FOUND, message);
939 PDPPolicy policy = group.getPolicy(policyId);
940 if (policy == null) {
941 String message = "Unknown policy: " + policyId;
942 LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + message);
943 loggingContext.transactionEnded();
944 PolicyLogger.audit("Transaction Failed - See Error.log");
945 setResponseError(response, HttpServletResponse.SC_NOT_FOUND, message);
950 LOGGER.warn("PolicyDebugging: Policy Validity: " + policy.isValid() + "\n " + "Policy Name : "
951 + policy.getName() + "\n Policy URI: " + policy.getLocation().toString());
952 } catch (PAPException | IOException e) {
957 new FileInputStream(((StdPDPGroup) group).getDirectory().toString() + File.separator + policyId);
958 OutputStream os = response.getOutputStream()) {
959 // Send the policy back
960 IOUtils.copy(is, os);
961 response.setStatus(HttpServletResponse.SC_OK);
962 loggingContext.transactionEnded();
963 auditLogger.info("Success");
964 PolicyLogger.audit("Transaction Ended Successfully");
965 } catch (IOException e) {
966 String message = "Failed to open policy id " + policyId;
968 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " " + message);
969 loggingContext.transactionEnded();
970 PolicyLogger.audit("Transaction Failed - See Error.log");
971 setResponseError(response, HttpServletResponse.SC_NOT_FOUND, message);
973 loggingContext.transactionEnded();
974 PolicyLogger.audit("Transaction Ended");
979 * @see HttpServlet#doPut(HttpServletRequest request, HttpServletResponse response)
982 protected void doPut(HttpServletRequest request, HttpServletResponse response)
983 throws ServletException, IOException {
984 OnapLoggingContext loggingContext = OnapLoggingUtils.getLoggingContextForRequest(request, baseLoggingContext);
985 setLoggingContext(loggingContext, "doPut", "PAP.put");
987 loggingContext.metricStarted();
988 im.startTransaction();
989 loggingContext.metricEnded();
990 PolicyLogger.metrics("XACMLPapServlet doPut im startTransaction");
991 } catch (IntegrityMonitorException e) {
993 "PUT interface called for PAP " + papResourceName + " but it has an Administrative state of "
994 + im.getStateManager().getAdminState() + " and a Standby Status of "
995 + im.getStateManager().getStandbyStatus() + "\n Exception Message: " + e.getMessage();
996 LOGGER.info(message, e);
997 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
998 loggingContext.transactionEnded();
999 PolicyLogger.audit("Transaction Failed - See Error.log");
1000 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
1004 loggingContext.metricStarted();
1005 // need to check if request is from the API or Admin console
1006 String apiflag = request.getParameter("apiflag");
1007 // For Debug purposes
1008 if (!"api".equals(apiflag) && PolicyLogger.isDebugEnabled()) {
1009 XacmlRest.dumpRequest(request);
1010 PolicyLogger.metrics("XACMLPapServlet doPut dumpRequest");
1012 loggingContext.metricEnded();
1014 // This would occur if a PolicyDBDao notification was received
1015 String policyDBDaoRequestUrl = request.getParameter("policydbdaourl");
1016 if (policyDBDaoRequestUrl != null) {
1017 LOGGER.info("XACMLPapServlet: PolicyDBDao Notification received.");
1018 String policyDBDaoRequestEntityId = request.getParameter("entityid");
1019 String policyDBDaoRequestEntityType = request.getParameter("entitytype");
1020 String policyDBDaoRequestExtraData = request.getParameter("extradata");
1021 if (policyDBDaoRequestEntityId == null || policyDBDaoRequestEntityType == null) {
1022 setResponseError(response, 400, "entityid or entitytype not supplied");
1023 loggingContext.transactionEnded();
1024 PolicyLogger.audit("Transaction Ended Successfully");
1025 im.endTransaction();
1028 loggingContext.metricStarted();
1029 LOGGER.info("XACMLPapServlet: Calling PolicyDBDao to handlIncomingHttpNotification");
1030 HandleIncomingNotifications handleIncomingNotifications = new HandleIncomingNotifications();
1031 handleIncomingNotifications.handleIncomingHttpNotification(policyDBDaoRequestUrl,
1032 policyDBDaoRequestEntityId, policyDBDaoRequestEntityType, policyDBDaoRequestExtraData, this);
1033 loggingContext.metricEnded();
1034 PolicyLogger.metrics("XACMLPapServlet doPut handle incoming http notification");
1035 response.setStatus(200);
1036 loggingContext.transactionEnded();
1037 PolicyLogger.audit("Transaction Ended Successfully");
1038 im.endTransaction();
1042 * Request for ImportService
1044 String importService = request.getParameter("importService");
1045 if (importService != null) {
1046 if (authorizeRequest(request)) {
1047 APIRequestHandler apiRequestHandler = new APIRequestHandler();
1049 loggingContext.metricStarted();
1050 apiRequestHandler.doPut(request, response, importService);
1051 loggingContext.metricEnded();
1052 PolicyLogger.metrics("XACMLPapServlet doPut apiRequestHandler doPut");
1053 } catch (IOException e) {
1056 im.endTransaction();
1060 "PEP not Authorized for making this Request!! \n Contact Administrator for this Scope. ";
1061 LOGGER.error(XACMLErrorConstants.ERROR_PERMISSIONS + message);
1062 loggingContext.transactionEnded();
1063 PolicyLogger.audit("Transaction Failed - See Error.log");
1064 setResponseError(response, HttpServletResponse.SC_FORBIDDEN, message);
1069 // See if this is Admin Console registering itself with us
1071 String acURLString = request.getParameter("adminConsoleURL");
1072 if (acURLString != null) {
1073 loggingContext.setServiceName("AC:PAP.register");
1074 // remember this Admin Console for future updates
1075 if (!adminConsoleURLStringList.contains(acURLString)) {
1076 adminConsoleURLStringList.add(acURLString);
1078 if (LOGGER.isDebugEnabled()) {
1079 LOGGER.debug("Admin Console registering with URL: " + acURLString);
1081 response.setStatus(HttpServletResponse.SC_NO_CONTENT);
1082 loggingContext.transactionEnded();
1083 auditLogger.info("Success");
1084 PolicyLogger.audit("Transaction Ended Successfully");
1085 im.endTransaction();
1089 * This is to update the PDP Group with the policy/policies being pushed Part of a 2 step
1090 * process to push policies to the PDP that can now be done From both the Admin Console and
1091 * the PolicyEngine API
1093 String groupId = request.getParameter(GROUPID);
1094 if (groupId != null) {
1095 if (apiflag != null) {
1096 if (!authorizeRequest(request)) {
1098 "PEP not Authorized for making this Request!! \n Contact Administrator for this Scope. ";
1099 PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
1100 loggingContext.transactionEnded();
1101 PolicyLogger.audit("Transaction Failed - See Error.log");
1102 setResponseError(response, HttpServletResponse.SC_FORBIDDEN, message);
1105 if (apiflag.equalsIgnoreCase("addPolicyToGroup")) {
1107 updateGroupsFromAPI(request, response, groupId, loggingContext);
1108 } catch (IOException e) {
1111 loggingContext.transactionEnded();
1112 PolicyLogger.audit("Transaction Ended Successfully");
1113 im.endTransaction();
1117 // this is from the Admin Console, so handle separately
1119 loggingContext.metricEnded();
1120 getAcServiceInstance().doAcPut(request, response, groupId, loggingContext, papEngine);
1121 loggingContext.metricEnded();
1122 PolicyLogger.metrics("XACMLPapServlet goPut doACPut");
1123 } catch (IOException e) {
1126 loggingContext.transactionEnded();
1127 PolicyLogger.audit("Transaction Ended Successfully");
1128 im.endTransaction();
1132 // Request is for policy validation and creation
1134 if (apiflag != null && apiflag.equalsIgnoreCase("admin")) {
1135 // this request is from the Admin Console
1136 SavePolicyHandler savePolicyHandler = SavePolicyHandler.getInstance();
1138 loggingContext.metricStarted();
1139 savePolicyHandler.doPolicyAPIPut(request, response);
1140 loggingContext.metricEnded();
1141 PolicyLogger.metrics("XACMLPapServlet goPut savePolicyHandler");
1142 } catch (IOException e) {
1145 loggingContext.transactionEnded();
1146 PolicyLogger.audit("Transaction Ended Successfully");
1147 im.endTransaction();
1149 } else if (apiflag != null && "api".equalsIgnoreCase(apiflag)) {
1150 // this request is from the Policy Creation API
1151 if (authorizeRequest(request)) {
1152 APIRequestHandler apiRequestHandler = new APIRequestHandler();
1154 loggingContext.metricStarted();
1155 apiRequestHandler.doPut(request, response, request.getHeader("ClientScope"));
1156 loggingContext.metricEnded();
1157 PolicyLogger.metrics("XACMLPapServlet goPut apiRequestHandler doPut");
1158 } catch (IOException e) {
1161 loggingContext.transactionEnded();
1162 PolicyLogger.audit("Transaction Ended Successfully");
1163 im.endTransaction();
1166 String message = "PEP not Authorized for making this Request!!";
1167 PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
1168 loggingContext.transactionEnded();
1169 PolicyLogger.audit("Transaction Failed - See Error.log");
1170 setResponseError(response, HttpServletResponse.SC_FORBIDDEN, message);
1171 im.endTransaction();
1175 // We do not expect anything from anywhere else.
1176 // This method is here in case we ever need to support other operations.
1177 LOGGER.error(XACMLErrorConstants.ERROR_DATA_ISSUE + "Request does not have groupId or apiflag");
1178 loggingContext.transactionEnded();
1179 PolicyLogger.audit("Transaction Failed - See Error.log");
1180 setResponseError(response, HttpServletResponse.SC_BAD_REQUEST, "Request does not have groupId or apiflag");
1181 loggingContext.transactionEnded();
1182 PolicyLogger.audit("Transaction Failed - See error.log");
1183 im.endTransaction();
1187 * @see HttpServlet#doDelete(HttpServletRequest request, HttpServletResponse response)
1190 protected void doDelete(HttpServletRequest request, HttpServletResponse response)
1191 throws ServletException, IOException {
1192 OnapLoggingContext loggingContext = OnapLoggingUtils.getLoggingContextForRequest(request, baseLoggingContext);
1193 setLoggingContext(loggingContext, "doDelete", "PAP.delete");
1195 loggingContext.metricStarted();
1196 im.startTransaction();
1197 loggingContext.metricEnded();
1198 PolicyLogger.metrics("XACMLPapServlet doDelete im startTransaction");
1199 } catch (IntegrityMonitorException ime) {
1201 "DELETE interface called for PAP " + papResourceName + " but it has an Administrative state of "
1202 + im.getStateManager().getAdminState() + " and a Standby Status of "
1203 + im.getStateManager().getStandbyStatus() + "\n Exception Message: " + ime.getMessage();
1204 LOGGER.info(message, ime);
1205 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
1206 loggingContext.transactionEnded();
1207 PolicyLogger.audit("Transaction Failed - See Error.log");
1208 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
1211 loggingContext.metricStarted();
1212 XacmlRest.dumpRequest(request);
1213 loggingContext.metricEnded();
1214 PolicyLogger.metrics("XACMLPapServlet doDelete dumpRequest");
1215 String groupId = request.getParameter(GROUPID);
1216 String apiflag = request.getParameter("apiflag");
1217 if (groupId != null) {
1218 // Is this from the Admin Console or API?
1219 if (apiflag != null) {
1220 if (!authorizeRequest(request)) {
1222 "PEP not Authorized for making this Request!! \n Contact Administrator for this Scope. ";
1223 PolicyLogger.error(MessageCodes.ERROR_PERMISSIONS + " " + message);
1224 loggingContext.transactionEnded();
1225 PolicyLogger.audit("Transaction Failed - See Error.log");
1226 setResponseError(response, HttpServletResponse.SC_FORBIDDEN, message);
1229 APIRequestHandler apiRequestHandler = new APIRequestHandler();
1231 loggingContext.metricStarted();
1232 apiRequestHandler.doDelete(request, response, loggingContext, apiflag);
1233 loggingContext.metricEnded();
1234 PolicyLogger.metrics("XACMLPapServlet doDelete apiRequestHandler doDelete");
1235 } catch (Exception e) {
1236 LOGGER.error("Exception Occured" + e);
1238 if (apiRequestHandler.getNewGroup() != null) {
1239 groupChanged(apiRequestHandler.getNewGroup(), loggingContext);
1243 // this is from the Admin Console, so handle separately
1245 loggingContext.metricStarted();
1246 getAcServiceInstance().doAcDelete(request, response, groupId, loggingContext, papEngine);
1247 loggingContext.metricEnded();
1248 PolicyLogger.metrics("XACMLPapServlet doDelete doACDelete");
1249 } catch (IOException e) {
1252 loggingContext.transactionEnded();
1253 PolicyLogger.audit("Transaction Ended Successfully");
1254 im.endTransaction();
1257 // Catch anything that fell through
1258 PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " Request does not have groupId");
1259 loggingContext.transactionEnded();
1260 PolicyLogger.audit("Transaction Failed - See Error.log");
1261 setResponseError(response, HttpServletResponse.SC_BAD_REQUEST, "Request does not have groupId");
1262 im.endTransaction();
1265 private boolean isPDPCurrent(Properties policies, Properties pipconfig, Properties pdpProperties) {
1266 String localRootPolicies = policies.getProperty(XACMLProperties.PROP_ROOTPOLICIES);
1267 String localReferencedPolicies = policies.getProperty(XACMLProperties.PROP_REFERENCEDPOLICIES);
1268 if (localRootPolicies == null || localReferencedPolicies == null) {
1269 LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + "Missing property on PAP server: RootPolicies="
1270 + localRootPolicies + " ReferencedPolicies=" + localReferencedPolicies);
1273 // Compare the policies and pipconfig properties to the pdpProperties
1275 // the policy properties includes only xacml.rootPolicies and
1276 // xacml.referencedPolicies without any .url entries
1277 Properties pdpPolicies = XACMLProperties.getPolicyProperties(pdpProperties, false);
1278 Properties pdpPipConfig = XACMLProperties.getPipProperties(pdpProperties);
1279 if (localRootPolicies.equals(pdpPolicies.getProperty(XACMLProperties.PROP_ROOTPOLICIES))
1280 && localReferencedPolicies.equals(pdpPolicies.getProperty(XACMLProperties.PROP_REFERENCEDPOLICIES))
1281 && pdpPipConfig.equals(pipconfig)) {
1282 // The PDP is current
1285 } catch (Exception e) {
1286 // we get here if the PDP did not include either xacml.rootPolicies
1287 // or xacml.pip.engines,
1288 // or if there are policies that do not have a corresponding ".url"
1290 // Either of these cases means that the PDP is not up-to-date, so
1291 // just drop-through to return false.
1292 PolicyLogger.error(MessageCodes.ERROR_SCHEMA_INVALID, e, "XACMLPapServlet", " PDP Error");
1298 protected void populatePolicyURL(StringBuffer urlPath, Properties policies) {
1299 String lists[] = new String[2];
1300 lists[0] = policies.getProperty(XACMLProperties.PROP_ROOTPOLICIES);
1301 lists[1] = policies.getProperty(XACMLProperties.PROP_REFERENCEDPOLICIES);
1302 for (String list : lists) {
1303 if (list != null && list.isEmpty() == false) {
1304 for (String id : Splitter.on(',').trimResults().omitEmptyStrings().split(list)) {
1305 String url = urlPath + "?id=" + id;
1306 LOGGER.info("Policy URL for " + id + ": " + url);
1307 policies.setProperty(id + ".url", url);
1313 protected String getPDPID(HttpServletRequest request) {
1314 String pdpURL = request.getHeader(XacmlRestProperties.PROP_PDP_HTTP_HEADER_ID);
1315 if (pdpURL == null || pdpURL.isEmpty()) {
1316 // Should send back its port for identification
1317 LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE + "PDP did not send custom header");
1323 protected String getPDPJMX(HttpServletRequest request) {
1324 String pdpJMMX = request.getHeader(XacmlRestProperties.PROP_PDP_HTTP_HEADER_JMX_PORT);
1325 if (pdpJMMX == null || pdpJMMX.isEmpty()) {
1326 // Should send back its port for identification
1327 LOGGER.warn(XACMLErrorConstants.ERROR_DATA_ISSUE
1328 + "PDP did not send custom header for JMX Port so the value of 0 is assigned");
1335 * Requests from the PolicyEngine API to update the PDP Group with pushed policy
1340 * @param loggingContext
1341 * @throws ServletException
1342 * @throws IOException
1344 public void updateGroupsFromAPI(HttpServletRequest request, HttpServletResponse response, String groupId,
1345 OnapLoggingContext loggingContext) throws IOException {
1346 PolicyDbDaoTransaction acPutTransaction = policyDbDao.getNewTransaction();
1347 PolicyLogger.audit("PolicyDBDaoTransaction started for updateGroupsFromAPI");
1349 String userId = request.getParameter("userId");
1350 // for PUT operations the group may or may not need to exist before
1351 // the operation can be done
1352 StdPDPGroup group = (StdPDPGroup) papEngine.getGroup(groupId);
1354 // get the request input stream content into a String
1356 java.util.Scanner scanner = new java.util.Scanner(request.getInputStream());
1357 scanner.useDelimiter("\\A");
1358 json = scanner.hasNext() ? scanner.next() : "";
1361 PolicyLogger.info("pushPolicy request from API: " + json);
1363 // convert Object sent as JSON into local object
1364 StdPDPPolicy policy = PolicyUtils.jsonStringToObject(json, StdPDPPolicy.class);
1366 // Get the current policies from the Group and Add the new one
1367 // If the selected policy is in the group we must remove the old
1369 LOGGER.info("Removing old version of the policy");
1370 for (PDPPolicy existingPolicy : group.getPolicies()) {
1371 if (existingPolicy.getName().equals(policy.getName())
1372 && !existingPolicy.getId().equals(policy.getId())) {
1373 group.removePolicy(existingPolicy);
1374 LOGGER.info("Removing policy: " + existingPolicy);
1379 // Assume that this is an update of an existing PDP Group
1380 loggingContext.setServiceName("PolicyEngineAPI:PAP.updateGroup");
1382 acPutTransaction.updateGroup(group, "XACMLPapServlet.doACPut", userId);
1383 } catch (Exception e) {
1384 PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet",
1385 " Error while updating group in the database: " + "group=" + group.getId());
1386 throw new PAPException(e.getMessage());
1389 LOGGER.info("Calling updatGroup() with new group");
1390 papEngine.updateGroup(group);
1391 String policyId = "empty";
1392 if (policy != null && policy.getId() != null) {
1393 policyId = policy.getId();
1395 if (!policyId.matches(REGEX)) {
1396 response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
1397 response.addHeader("error", ADD_GROUP_ERROR);
1398 response.addHeader("message", "Policy Id is not valid");
1401 response.setStatus(HttpServletResponse.SC_NO_CONTENT);
1402 response.addHeader("operation", "push");
1403 response.addHeader("policyId", policyId);
1404 response.addHeader(GROUPID, groupId);
1406 LOGGER.info("Group '" + group.getId() + "' updated");
1408 loggingContext.metricStarted();
1409 acPutTransaction.commitTransaction();
1410 loggingContext.metricEnded();
1411 PolicyLogger.metrics("XACMLPapServlet updateGroupsFromAPI commitTransaction");
1413 // Group changed, which might include changing the policies
1414 groupChanged(group, loggingContext);
1415 loggingContext.transactionEnded();
1416 LOGGER.info("Success");
1419 && ((policy.getId().contains("Config_MS_")) || (policy.getId().contains("BRMS_Param")))) {
1420 PushPolicyHandler pushPolicyHandler = PushPolicyHandler.getInstance();
1421 if (pushPolicyHandler.preSafetyCheck(policy, configHome)) {
1422 LOGGER.debug("Precheck Successful.");
1426 PolicyLogger.audit("Transaction Ended Successfully");
1428 } catch (PAPException e) {
1429 acPutTransaction.rollbackTransaction();
1430 PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " API PUT exception");
1431 loggingContext.transactionEnded();
1432 PolicyLogger.audit("Transaction Failed - See Error.log");
1433 String message = XACMLErrorConstants.ERROR_PROCESS_FLOW
1434 + "Exception in request to update group from API - See Error.log on on the PAP.";
1435 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
1436 response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
1437 response.addHeader("error", ADD_GROUP_ERROR);
1438 response.addHeader("message", message);
1444 * HELPER to change Group status when PDP status is changed (Must NOT be called from a method
1445 * that is synchronized on the papEngine or it may deadlock)
1447 public void setPDPSummaryStatus(OnapPDP pdp, PDPStatus.Status newStatus) throws PAPException {
1448 setPDPSummaryStatus(pdp, newStatus.toString());
1451 public void setPDPSummaryStatus(OnapPDP pdp, String newStatus) throws PAPException {
1452 synchronized (papEngine) {
1453 StdPDPStatus status = new StdPDPStatus();
1454 status.setStatus(PDPStatus.Status.valueOf(newStatus));
1455 ((StdPDP) pdp).setStatus(status);
1456 // now adjust the group
1457 StdPDPGroup group = (StdPDPGroup) papEngine.getPDPGroup(pdp);
1458 // if the PDP was just deleted it may transiently exist but not be
1460 if (group != null) {
1461 group.resetStatus();
1467 * Callback methods telling this servlet to notify PDPs of changes made by the PAP StdEngine in
1468 * the PDP group directories
1471 public void changed() {
1472 // all PDPs in all groups need to be updated/sync'd
1473 Set<OnapPDPGroup> groups;
1475 groups = papEngine.getOnapPDPGroups();
1476 } catch (PAPException e) {
1477 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "XACMLPapServlet", " getPDPGroups failed");
1478 throw new IllegalAccessError(XACMLErrorConstants.ERROR_SYSTEM_ERROR + "Unable to get Groups: " + e);
1480 for (OnapPDPGroup group : groups) {
1481 groupChanged(group);
1485 public void changed(OnapLoggingContext loggingContext) {
1486 // all PDPs in all groups need to be updated/sync'd
1487 Set<OnapPDPGroup> groups;
1489 groups = papEngine.getOnapPDPGroups();
1490 } catch (PAPException e) {
1491 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "XACMLPapServlet", " getPDPGroups failed");
1492 throw new IllegalAccessError(XACMLErrorConstants.ERROR_SYSTEM_ERROR + "Unable to get Groups: " + e);
1494 for (OnapPDPGroup group : groups) {
1495 groupChanged(group, loggingContext);
1500 public void groupChanged(OnapPDPGroup group) {
1501 // all PDPs within one group need to be updated/sync'd
1502 for (OnapPDP pdp : group.getOnapPdps()) {
1503 pdpChanged(pdp, getPdpDataByGroup(group));
1507 public void groupChanged(OnapPDPGroup group, OnapLoggingContext loggingContext) {
1508 // all PDPs within one group need to be updated/sync'd
1509 for (OnapPDP pdp : group.getOnapPdps()) {
1510 pdpChanged(pdp, loggingContext, getPdpDataByGroup(group));
1515 public void pdpChanged(OnapPDP pdp) {
1516 // kick off a thread to do an event notification for each PDP.
1517 // This needs to be on a separate thread so that PDPs that do not
1518 // respond (down, non-existent, etc)
1519 // do not block the PSP response to the AC, which would freeze the GUI
1520 // until all PDPs sequentially respond or time-out.
1521 Thread t = new Thread(new UpdatePdpThread(pdp, getPdpDataByPdpId(pdp)));
1522 if (CheckPDP.validateID(pdp.getId())) {
1527 public void pdpChanged(OnapPDP pdp, OnapLoggingContext loggingContext) {
1528 // kick off a thread to do an event notification for each PDP.
1529 // This needs to be on a separate thread so that PDPs that do not
1530 // respond (down, non-existent, etc)
1531 // do not block the PSP response to the AC, which would freeze the GUI
1532 // until all PDPs sequentially respond or time-out.
1533 Thread t = new Thread(new UpdatePdpThread(pdp, loggingContext, getPdpDataByPdpId(pdp)));
1534 if (CheckPDP.validateID(pdp.getId())) {
1539 private void pdpChanged(OnapPDP pdp, List<Properties> pdpDataByGroup) {
1540 Thread t = new Thread(new UpdatePdpThread(pdp, pdpDataByGroup));
1541 if (CheckPDP.validateID(pdp.getId())) {
1546 private void pdpChanged(OnapPDP pdp, OnapLoggingContext loggingContext, List<Properties> pdpDataByGroup) {
1547 Thread t = new Thread(new UpdatePdpThread(pdp, loggingContext, pdpDataByGroup));
1548 if (CheckPDP.validateID(pdp.getId())) {
1553 private List<Properties> getPdpDataByGroup(OnapPDPGroup group) {
1554 DataToNotifyPdp dataToNotify = new DataToNotifyPdp();
1555 return dataToNotify.setPolicyConfigProperties(group);
1558 private List<Properties> getPdpDataByPdpId(OnapPDP pdp) {
1559 DataToNotifyPdp dataToNotify = new DataToNotifyPdp();
1560 return dataToNotify.setPolicyConfigProperties(pdp, papEngine);
1563 private void testService(OnapLoggingContext loggingContext, HttpServletResponse response) throws IOException {
1564 LOGGER.info("Test request received");
1566 im.evaluateSanity();
1567 // If we make it this far, all is well
1568 String message = "GET:/pap/test called and PAP " + papResourceName + " is OK";
1569 LOGGER.info(message);
1570 loggingContext.transactionEnded();
1571 PolicyLogger.audit("Transaction Failed - See Error.log");
1572 response.setStatus(HttpServletResponse.SC_OK);
1574 } catch (ForwardProgressException | AdministrativeStateException | StandbyStatusException e) {
1576 if (e instanceof ForwardProgressException) {
1577 submsg = " is not making forward progress.";
1578 } else if (e instanceof AdministrativeStateException) {
1579 submsg = " Administrative State is LOCKED.";
1581 submsg = " Standby Status is NOT PROVIDING SERVICE.";
1585 "GET:/pap/test called and PAP " + papResourceName + submsg + " Exception Message: " + e.getMessage();
1586 LOGGER.info(message, e);
1587 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
1588 loggingContext.transactionEnded();
1589 PolicyLogger.audit("Transaction Failed - See Error.log");
1590 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
1592 } catch (Exception e) {
1593 // A subsystem is not making progress, is locked, standby or is not
1595 String eMsg = e.getMessage();
1597 eMsg = "No Exception Message";
1599 String message = "GET:/pap/test called and PAP " + papResourceName + " has had a subsystem failure."
1600 + " Exception Message: " + eMsg;
1601 LOGGER.info(message, e);
1602 PolicyLogger.error(MessageCodes.ERROR_SYSTEM_ERROR + " " + message);
1603 loggingContext.transactionEnded();
1604 PolicyLogger.audit("Transaction Failed - See Error.log");
1605 // Get the specific list of subsystems that failed
1606 String ssFailureList = null;
1607 for (String failedSS : papDependencyGroupsFlatArray) {
1608 if (eMsg.contains(failedSS)) {
1609 if (ssFailureList == null) {
1610 ssFailureList = failedSS;
1612 ssFailureList = ssFailureList.concat("," + failedSS);
1616 if (ssFailureList == null) {
1617 ssFailureList = "UnknownSubSystem";
1619 response.addHeader("X-ONAP-SubsystemFailure", ssFailureList);
1620 setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
1625 private void setLoggingContext(OnapLoggingContext loggingContext, String methodType, String serviceName) {
1626 loggingContext.transactionStarted();
1627 loggingContext.setServiceName(serviceName);
1628 if (loggingContext.getRequestId() == null || "".equals(loggingContext.getRequestId())) {
1629 UUID requestID = UUID.randomUUID();
1630 loggingContext.setRequestId(requestID.toString());
1632 .info("requestID not provided in call to XACMLPapServlet ('" + methodType + "') so we generated one");
1634 PolicyLogger.info("requestID was provided in call to XACMLPapServlet ('" + methodType + "')");
1639 * Authorizing the PEP Requests.
1641 private boolean authorizeRequest(HttpServletRequest request) {
1642 String clientCredentials = request.getHeader(ENVIRONMENT_HEADER);
1643 // Check if the Client is Authorized.
1644 return clientCredentials != null && clientCredentials.equalsIgnoreCase(environment);
1647 private static void loadWebapps() throws PAPException {
1648 if (actionHome == null || configHome == null) {
1649 Path webappsPath = Paths.get(XACMLProperties.getProperty(XacmlRestProperties.PROP_PAP_WEBAPPS));
1651 if (webappsPath == null) {
1652 PolicyLogger.error("Invalid Webapps Path Location property : " + XacmlRestProperties.PROP_PAP_WEBAPPS);
1653 throw new PAPException(
1654 "Invalid Webapps Path Location property : " + XacmlRestProperties.PROP_PAP_WEBAPPS);
1656 Path webappsPathConfig = Paths.get(webappsPath.toString() + File.separator + "Config");
1657 Path webappsPathAction = Paths.get(webappsPath.toString() + File.separator + "Action");
1658 if (Files.notExists(webappsPathConfig)) {
1660 Files.createDirectories(webappsPathConfig);
1661 } catch (IOException e) {
1662 PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet",
1663 "Failed to create config directory: " + webappsPathConfig.toAbsolutePath().toString());
1666 if (Files.notExists(webappsPathAction)) {
1668 Files.createDirectories(webappsPathAction);
1669 } catch (IOException e) {
1670 LOGGER.error(XACMLErrorConstants.ERROR_PROCESS_FLOW + "Failed to create action directory: "
1671 + webappsPathAction.toAbsolutePath().toString(), e);
1674 actionHome = webappsPathAction.toString();
1675 configHome = webappsPathConfig.toString();
1679 public static String getConfigHome() {
1682 } catch (PAPException e) {
1689 private static void setConfigHome() {
1690 configHome = getConfigHome();
1693 public static String getActionHome() {
1696 } catch (PAPException e) {
1703 private static void setActionHome() {
1704 actionHome = getActionHome();
1707 public IntegrityAudit getIa() {
1711 public static String getPDPFile() {
1712 return XACMLPapServlet.pdpFile;
1715 public static String getPersistenceUnit() {
1716 return PERSISTENCE_UNIT;
1719 public static PAPPolicyEngine getPAPEngine() {
1723 public static PolicyDbDaoTransaction getDbDaoTransaction() {
1724 return policyDbDao.getNewTransaction();
1727 public static String getPapDbDriver() {
1731 public static void setPapDbDriver(String papDbDriver) {
1732 XACMLPapServlet.papDbDriver = papDbDriver;
1735 public static String getPapDbUrl() {
1739 public static void setPapDbUrl(String papDbUrl) {
1740 XACMLPapServlet.papDbUrl = papDbUrl;
1743 public static String getPapDbUser() {
1747 public static void setPapDbUser(String papDbUser) {
1748 XACMLPapServlet.papDbUser = papDbUser;
1751 public static String getPapDbPassword() {
1755 public static void setPapDbPassword(String papDbPassword) {
1756 XACMLPapServlet.papDbPd = papDbPassword;
1759 public static String getMsOnapName() {
1763 public static void setMsOnapName(String msOnapName) {
1764 XACMLPapServlet.msOnapName = msOnapName;
1767 public static String getMsPolicyName() {
1768 return msPolicyName;
1771 public static void setMsPolicyName(String msPolicyName) {
1772 XACMLPapServlet.msPolicyName = msPolicyName;
1775 public OnapLoggingContext getBaseLoggingContext() {
1776 return baseLoggingContext;
1779 public void setBaseLoggingContext(OnapLoggingContext baseLoggingContext) {
1780 this.baseLoggingContext = baseLoggingContext;
Code Review / policy / engine.git / blob