Modified to make AAF configurable in policy/engine 63/71763/1
authorMichael Mokry <michael.mokry@att.com>
Tue, 30 Oct 2018 21:51:57 +0000 (16:51 -0500)
committerMichael Mokry <michael.mokry@att.com>
Fri, 2 Nov 2018 20:04:37 +0000 (20:04 +0000)
Added property to enable or disable AAF
Added logic to the code to check the property and use old authentication
logic to authenticate the user rather than AAF if disabled.

Fixed license issue
Modified cadi_truststore_password value to use proper variable
Added comment to local development environment properties file
Modified test resources to fix Junit failures

Change-Id: I962895154716092c9cc0bc6c48f6419f3b5900fe
Issue-ID: POLICY-1217
Signed-off-by: Michael Mokry <michael.mokry@att.com>
(cherry picked from commit 6accdc2ae0340ed84a59c739bd345ced2ff323c5)

ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/config/PDPApiAuth.java
ONAP-PDP-REST/src/test/resources/notification.xacml.pdp.properties
ONAP-PDP-REST/src/test/resources/pass.xacml.pdp.properties
ONAP-PDP-REST/xacml.pdp.properties
packages/base/src/files/install/servers/pdp/bin/xacml.pdp.properties

index d06321d..246f5a2 100644 (file)
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * ONAP-PDP-REST
  * ================================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -90,7 +90,7 @@ public class PDPApiAuth {
      */
     public static boolean checkPermissions(String clientEncoding, String requestID,
             String resource) {
-        try{
+        try{            
             String[] userNamePass = PolicyUtils.decodeBasicEncoding(clientEncoding);
             if(userNamePass==null || userNamePass.length==0){
                 String usernameAndPassword = null;
@@ -105,7 +105,14 @@ public class PDPApiAuth {
             Boolean result = false;
             // Check Backward Compatibility. 
             try{
-                result = clientAuth(userNamePass);
+                /*
+                 * If AAF is NOT enabled in the properties we will allow the user to 
+                 * continue to use the client.properties file to authenticate.
+                 * Note: Disabling AAF is for testing purposes and not intended for production.
+                 */
+                if ("false".equals(XACMLProperties.getProperty("enable_aaf"))) {
+                    result = clientAuth(userNamePass);
+                }
             }catch(Exception e){
                 LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
             }
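Review bot: The new guard `if ("false".equals(XACMLProperties.getProperty("enable_aaf")))` selects the authentication mechanism on an exact lowercase string match, and neither outcome is logged, so an operator cannot tell from the log whether a request was checked against client.properties or handed on to AAF (a missing or differently-cased value silently takes the AAF route). Consider a log line in the legacy branch, e.g. `LOGGER.info("AAF disabled via enable_aaf; authenticating against client.properties");`, and hoisting the key into a constant such as `private static final String ENABLE_AAF = "enable_aaf";` so it stays in step with the properties files. The comment added here says disabling AAF is for testing only, yet the same change ships `enable_aaf=false` in the install-package xacml.pdp.properties, so that is the effective default of a fresh install; raised separately at that hunk. The body of checkPermissions, including what happens once result stays false, continues outside this hunk.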
index 2a36005..345de16 100644 (file)
@@ -167,5 +167,7 @@ xacml.rest.pep.idfile = src/test/resources/client.properties
 #Not Mandatory for Open Onap
 policy.aaf.namespace = 
 policy.aaf.resource = 
+enable_aaf=false
+
 #
 DMAAP_AAF_LOGIN =
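Review bot: Both test fixtures (this file and pass.xacml.pdp.properties in the next hunk) now pin `enable_aaf=false`, so the JUnit suite presumably exercises only the legacy client.properties branch of checkPermissions and never the AAF path that the in-code comment describes as the production behaviour. A fixture that sets `enable_aaf=true`, or leaves the key unset, would cover the branch a deployed PDP is expected to take.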
index c3eda59..cf6d927 100644 (file)
@@ -167,5 +167,7 @@ xacml.rest.pep.idfile = src/test/resources/client.properties
 #Not Mandatory for Open Onap
 policy.aaf.namespace = 
 policy.aaf.resource = 
+enable_aaf=false
+
 #
 DMAAP_AAF_LOGIN =
index 57e1d70..a707678 100644 (file)
@@ -19,7 +19,7 @@
 ###
 
 # Default XACML Properties File for PDP RESTful servlet
-#
+# NOTE:  All properties in this file are for local development environments only.
 # Standard API Factories
 #
 xacml.dataTypeFactory=com.att.research.xacml.std.StdDataTypeFactory
@@ -165,12 +165,34 @@ dependency_groups=site_1.pdplp_1;site_1.astragw_1;site_1.brmsgw_1
 
 # this can be DEVL, TEST, PROD 
 ENVIRONMENT=DEVL
-xacml.rest.pep.idfile = client.properties
+xacml.rest.pep.idfile=client.properties
+
+
+#AAF cadi properties
+enable_aaf=false
+policy.aaf.namespace=org.onap.policy
+policy.aaf.root.permission=org.onap.policy.pdpx
+cm_url=https://aaf-onap-test.osaaf.org:8095/AAF_NS.cm:2.1
+cadi_latitude=38.000
+cadi.longitude=72.000
+cadi_alias=policy@policy.onap.org
+cadi_loglevel=DEBUG
+cadi_keyfile=/media/sf_SourceTree/gerrit-pe/engine/packages/base/src/files/etc/ssl/aaf-cadi.keyfile
+cadi_protocols=TLSv1.1,TLSv1.2
+cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US
+cadi_keystore=/media/sf_SourceTree/gerrit-pe/engine/packages/base/src/files/etc/ssl/policy-keystore
+cadi_keystore_password=Pol1cy_0nap
+cadi_truststore=/media/sf_SourceTree/gerrit-pe/engine/packages/base/src/files/etc/ssl/policy-truststore
+cadi_truststore_password=Pol1cy_0nap
+aaf_env=DEV
+aaf_url=https://aaf-onap-test.osaaf.org:8095/AAF_NS.service:2.1
+aaf_fqdn=aaf-onap-test.osaaf.org
+aaf_oauth2_introspect_url=https://aaf-onap-test.osaaf.org:8095/AAF_NS.introspect:2.1/introspect
+aaf_oauth2_token_url=https://aaf-onap-test.osaaf.org:8095/AAF_NS.token:2.1/token
+fs_url=https://aaf-onap-test.osaaf.org:8095/AAF_NS.fs.2.1
+gui_url=https://aaf-onap-test.osaaf.org:8095/AAF_NS.gui.2.1
+
 
-#AAF Policy Name space
-#Not Mandatory for Open Onap
-policy.aaf.namespace = 
-policy.aaf.resource = 
 # Decision Response settings. 
 # can be either PERMIT or DENY. 
 decision.indeterminate.response=PERMIT
\ No newline at end of file
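Review bot: `cadi_keystore_password` and `cadi_truststore_password` are committed as literal values in this tracked properties file, next to keyfile/keystore/truststore paths rooted in a developer's `/media/sf_SourceTree/...` checkout; the "local development only" note does not prevent the file being copied into a deployment, and the install-package variant of this file already templates these keys as `${{KEYSTORE_PASSWD}}` / `${{TRUSTSTORE_PASSWD}}`, so using the same variables (or an obvious placeholder such as `cadi_keystore_password=<set-at-install-time>`) here would avoid a checked-in credential. Two key names also look inconsistent with their neighbours: `cadi.longitude` uses a dot where `cadi_latitude` and every other cadi_* key uses an underscore, and `fs_url` / `gui_url` end in `.fs.2.1` / `.gui.2.1` where the other AAF_NS URLs use `:2.1`; if the CADI library reads the underscore form, longitude would be silently ignored — worth confirming. The hunk also drops `policy.aaf.resource =` with no matching code change in this commit; if anything still reads that key it should keep a (possibly empty) value here.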
index ad27cd0..315fb4d 100644 (file)
@@ -137,6 +137,7 @@ ENVIRONMENT=${{ENVIRONMENT}}
 xacml.rest.pep.idfile = client.properties
 
 #AAF cadi properties
+enable_aaf=false
 policy.aaf.namespace = ${{AAF_NAMESPACE}}
 policy.aaf.root.permission=${{AAF_NAMESPACE}}.pdpx
 cm_url=https://${{AAF_HOST}}:8095/AAF_NS.cm:2.1
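Review bot: `enable_aaf=false` is added as the shipped default in the install-package properties, which contradicts the comment this same change adds to PDPApiAuth.java stating that disabling AAF is for testing purposes and not intended for production; every fresh install will therefore authenticate against client.properties until someone edits this file. Either default it to `enable_aaf=true` here, or template it like the surrounding values (for example `enable_aaf=${{ENABLE_AAF}}`, a constructed variable name to be matched to the installer's conventions) so the choice is made explicitly at install time.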
@@ -150,6 +151,8 @@ cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_
 cadi_keystore=${{POLICY_HOME}}/etc/ssl/policy-keystore
 cadi_keystore_password=${{KEYSTORE_PASSWD}}
 cadi_key_password=${{KEYSTORE_PASSWD}}
+cadi_truststore=${{POLICY_HOME}}/etc/ssl/policy-truststore
+cadi_truststore_password=${{TRUSTSTORE_PASSWD}}
 aaf_env=DEV
 aaf_url=https://${{AAF_HOST}}:8095/AAF_NS.service:2.1
 aaf_fqdn=${{AAF_HOST}}