From 82c1a1040666d1ba33b37ae520076eb8b3bbaa41 Mon Sep 17 00:00:00 2001 From: Pamela Dragosh Date: Fri, 7 Aug 2020 14:03:31 -0400 Subject: [PATCH] Update XACML Tutorial More code fixes and pointing to src/test/resources artifacts vs separate yaml/json files. Added instructions on how to incorporate as Docker image. Can download the example and import into Eclipse or other tool. Made sure links point to Frankfurt branch. Added POSTMAN Collection Issue-ID: POLICY-2565 Change-Id: I65c596b8c89cd87a72660a3d4dfa1085a60a41d2 
Signed-off-by: Pamela Dragosh --- ...licyApplicationTutorial.postman_collection.json | 723 +++++++++++++++++++++ docs/xacml/tutorial/app/pom.xml | 58 ++ docs/xacml/tutorial/app/src/main/docker/Dockerfile | 7 + docs/xacml/tutorial/app/src/main/docker/README.txt | 36 + .../tutorial/app/src/main/docker/config/db/db.conf | 20 + .../tutorial/app/src/main/docker/config/db/db.sh | 26 + .../app/src/main/docker/docker-compose.yml | 102 +++ .../src/main/docker/xacml.properties} | 2 +- .../tutorial/tutorial/TutorialApplication.java | 2 +- .../tutorial/tutorial/TutorialTranslator.java | 27 +- .../tutorial/tutorial/TutorialApplicationTest.java | 12 +- .../test/resources/tutorial-decision-request.json | 2 +- .../src/test/resources/tutorial-policy-type.yaml | 28 +- docs/xacml/tutorial/tutorial-decision-request.json | 12 - docs/xacml/tutorial/tutorial-policies.yaml | 30 - docs/xacml/tutorial/tutorial-policy-type.yaml | 34 - docs/xacml/tutorial/tutorial.tar | Bin 0 -> 9949 bytes docs/xacml/xacml-tutorial.rst | 68 +- docs/xacml/xacml.rst | 20 +- 19 files changed, 1074 insertions(+), 135 deletions(-) create mode 100644 docs/xacml/tutorial/PolicyApplicationTutorial.postman_collection.json create mode 100644 docs/xacml/tutorial/app/src/main/docker/Dockerfile create mode 100644 docs/xacml/tutorial/app/src/main/docker/README.txt create mode 100644 docs/xacml/tutorial/app/src/main/docker/config/db/db.conf create mode 100644 docs/xacml/tutorial/app/src/main/docker/config/db/db.sh create mode 100644 docs/xacml/tutorial/app/src/main/docker/docker-compose.yml rename docs/xacml/tutorial/{tutorial-xacml.properties => app/src/main/docker/xacml.properties} (97%) delete mode 100644 docs/xacml/tutorial/tutorial-decision-request.json delete mode 100644 docs/xacml/tutorial/tutorial-policies.yaml delete mode 100644 docs/xacml/tutorial/tutorial-policy-type.yaml create mode 100644 docs/xacml/tutorial/tutorial.tar 
diff --git a/docs/xacml/tutorial/PolicyApplicationTutorial.postman_collection.json b/docs/xacml/tutorial/PolicyApplicationTutorial.postman_collection.json new file mode 100644 index 00000000..23aa0eb8 --- /dev/null +++ b/docs/xacml/tutorial/PolicyApplicationTutorial.postman_collection.json 
@@ -0,0 +1,723 @@ +{ + "info": { + "_postman_id": "20eb42db-f0a7-4b65-8ccd-c3a5f56cb526", + "name": "Policy Application Tutorial", + "description": "Collection of Postman API calls to support the Policy Enforcement Tutorial", + "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" + }, + "item": [ + { + "name": "Api Healthcheck", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "GET", + "header": [ + { + "key": "Content-Type", + "type": "text", + "value": "application/json" + }, + { + "key": "Accept", + "type": "text", + "value": "application/json" + } + ], + "url": { + "raw": "{{POLICY-API-URL}}/policy/api/v1/healthcheck", + "host": [ + "{{POLICY-API-URL}}" + ], + "path": [ + "policy", + "api", + "v1", + "healthcheck" + ] + } + }, + "response": [] + }, + { + "name": "Create Authorization Policy Type", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "POST", + "header": [ + { + "key": "Accept", + "type": "text", + "value": "application/yaml" + }, + { + "key": "Content-Type", + "type": "text", + "value": "application/yaml" + } + ], + "body": { + "mode": "raw", + "raw": "tosca_definitions_version: tosca_simple_yaml_1_1_0\npolicy_types:\n onap.policies.Authorization:\n derived_from: tosca.policies.Root\n version: 1.0.0\n description: Example tutorial policy type for doing user authorization\n properties:\n user:\n type: string\n required: true\n description: The unique user name\n permissions:\n type: list\n required: true\n description: A list of resource permissions\n entry_schema:\n type: onap.datatypes.Tutorial\ndata_types:\n onap.datatypes.Tutorial:\n derived_from: tosca.datatypes.Root\n 
version: 1.0.0\n properties:\n entity:\n type: string\n required: true\n description: The resource\n permission:\n type: string\n required: true\n description: The permission level\n constraints:\n - valid_values: [read, write, delete]\n", + "options": { + "raw": { + "language": "text" + } + } + }, + "url": { + "raw": "{{POLICY-API-URL}}/policy/api/v1/policytypes", + "host": [ + "{{POLICY-API-URL}}" + ], + "path": [ + "policy", + "api", + "v1", + "policytypes" + ] + } + }, + "response": [] + }, + { + "name": "Create policies", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "POST", + "header": [ + { + "key": "Accept", + "type": "text", + "value": "application/yaml" + }, + { + "key": "Content-Type", + "type": "text", + "value": "application/yaml" + } + ], + "body": { + "mode": "raw", + "raw": "tosca_definitions_version: tosca_simple_yaml_1_1_0\ntopology_template:\n policies:\n -\n onap.policy.tutorial.demo:\n type: onap.policies.Authorization\n type_version: 1.0.0\n version: 1.0.0\n metadata:\n policy-id: onap.policy.tutorial.demo\n policy-version: 1\n properties:\n user: demo\n permissions:\n -\n entity: foo\n permission: read\n -\n entity: foo\n permission: write\n -\n onap.policy.tutorial.audit:\n type: onap.policies.Authorization\n version: 1.0.0\n type_version: 1.0.0\n metadata:\n policy-id: onap.policy.tutorial.bar\n policy-version: 1\n properties:\n user: audit\n permissions:\n -\n entity: foo\n permission: read\n", + "options": { + "raw": { + "language": "text" + } + } + }, + "url": { + "raw": "{{POLICY-API-URL}}/policy/api/v1/policytypes/onap.policies.Authorization/versions/1.0.0/policies", + "host": [ + "{{POLICY-API-URL}}" + ], + "path": [ + "policy", + "api", + "v1", + "policytypes", + "onap.policies.Authorization", + "versions", + "1.0.0", + "policies" + ] + } + }, + 
"response": [] + }, + { + "name": "PAP Healthcheck", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "GET", + "header": [ + { + "key": "Content-Type", + "type": "text", + "value": "application/json" + }, + { + "key": "Accept", + "type": "text", + "value": "application/json" + } + ], + "url": { + "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/healthcheck", + "host": [ + "{{POLICY-PAP-URL}}" + ], + "path": [ + "policy", + "pap", + "v1", + "healthcheck" + ] + } + }, + "response": [] + }, + { + "name": "PAP Get PDPs", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "GET", + "header": [ + { + "key": "Accept", + "type": "text", + "value": "application/json" + }, + { + "key": "Content-Type", + "type": "text", + "value": "application/json" + } + ], + "url": { + "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps", + "host": [ + "{{POLICY-PAP-URL}}" + ], + "path": [ + "policy", + "pap", + "v1", + "pdps" + ] + } + }, + "response": [] + }, + { + "name": "PdpGroup State Change PASSIVE", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + }, + { + "key": "Accept", + "value": "application/json", + "type": "text" + } + ], + "url": { + "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/groups/defaultGroup?state=PASSIVE", + "host": [ + "{{POLICY-PAP-URL}}" + ], + "path": [ + "policy", + "pap", + "v1", + "pdps", + "groups", + "defaultGroup" + ], + "query": [ + { + "key": 
"state", + "value": "PASSIVE" + } + ] + }, + "description": "This is an API to change the current state of a PdpGroup (example - \"defaultGroup\") resulting in changing state of all the PDP instances registered with the PdpGroup. As of now, the allowed states are ACTIVE and PASSIVE." + }, + "response": [] + }, + { + "name": "Delete PdpGroup", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "DELETE", + "header": [ + { + "key": "Accept", + "type": "text", + "value": "application/json" + }, + { + "key": "Content-Type", + "type": "text", + "value": "application/json" + } + ], + "url": { + "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/groups/defaultGroup", + "host": [ + "{{POLICY-PAP-URL}}" + ], + "path": [ + "policy", + "pap", + "v1", + "pdps", + "groups", + "defaultGroup" + ] + }, + "description": "This is an API to delete a specific PdpGroup (example - \"SampleGroup\") currently available in Policy DB, resulting in removing all the PDP instances registered with the group." 
+ }, + "response": [] + }, + { + "name": "Create/Update PdpGroup", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "POST", + "header": [ + { + "key": "Content-Type", + "type": "text", + "value": "application/json" + }, + { + "key": "Accept", + "type": "text", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\n \"groups\": [\n {\n \"name\": \"defaultGroup\",\n \"pdpGroupState\": \"ACTIVE\",\n \"properties\": {},\n \"pdpSubgroups\": [\n {\n \"pdpType\": \"xacml\",\n \"desiredInstanceCount\": 1,\n \"properties\": {},\n \"supportedPolicyTypes\": [\n {\n \"name\": \"onap.policies.Authorization\",\n \"version\": \"1.0.0\"\n }\n ],\n \"policies\": []\n }\n ]\n }\n ]\n}" + }, + "url": { + "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/groups/batch", + "host": [ + "{{POLICY-PAP-URL}}" + ], + "path": [ + "policy", + "pap", + "v1", + "pdps", + "groups", + "batch" + ] + }, + "description": "This is a generic API to create/update PdpGroups in Policy DB. However, the supportedPolicyTypes field of PdpSubGroup cannot be changed once created." 
+ }, + "response": [] + }, + { + "name": "Simple Deploy Policy - onap.policy.tutorial.demo", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "POST", + "header": [ + { + "key": "Content-Type", + "type": "text", + "value": "application/json" + }, + { + "key": "Accept", + "type": "text", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"policies\" : [\r\n {\r\n \"policy-id\": \"onap.policy.tutorial.demo\",\r\n \"policy-version\": \"1.0.0\"\r\n },\r\n {\r\n \"policy-id\": \"onap.policy.tutorial.audit\",\r\n \"policy-version\": \"1.0.0\"\r\n }\r\n ]\r\n}" + }, + "url": { + "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/policies", + "host": [ + "{{POLICY-PAP-URL}}" + ], + "path": [ + "policy", + "pap", + "v1", + "pdps", + "policies" + ] + } + }, + "response": [] + }, + { + "name": "Dmaap Simulator - Policy Update Notification", + "protocolProfileBehavior": { + "disableBodyPruning": true + }, + "request": { + "auth": { + "type": "noauth" + }, + "method": "GET", + "header": [ + { + "key": "Content-Type", + "type": "text", + "value": "application/json" + }, + { + "key": "Accept", + "type": "text", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "" + }, + "url": { + "raw": "{{DMAAP-URL}}/events/POLICY-NOTIFICATION/group/id?timeout=5000", + "host": [ + "{{DMAAP-URL}}" + ], + "path": [ + "events", + "POLICY-NOTIFICATION", + "group", + "id" + ], + "query": [ + { + "key": "timeout", + "value": "5000" + } + ] + } + }, + "response": [] + }, + { + "name": "Xacml Healthcheck", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "GET", + "header": [ + { + "key": 
"Content-Type", + "type": "text", + "value": "application/json" + }, + { + "key": "Accept", + "type": "text", + "value": "application/json" + } + ], + "url": { + "raw": "{{POLICY-XACML-URL}}/policy/pdpx/v1/healthcheck", + "host": [ + "{{POLICY-XACML-URL}}" + ], + "path": [ + "policy", + "pdpx", + "v1", + "healthcheck" + ] + } + }, + "response": [] + }, + { + "name": "Xacml Statistics", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "GET", + "header": [ + { + "key": "Content-Type", + "type": "text", + "value": "application/json" + }, + { + "key": "Accept", + "type": "text", + "value": "application/json" + } + ], + "url": { + "raw": "{{POLICY-XACML-URL}}/policy/pdpx/v1/statistics", + "host": [ + "{{POLICY-XACML-URL}}" + ], + "path": [ + "policy", + "pdpx", + "v1", + "statistics" + ] + } + }, + "response": [] + }, + { + "name": "Xacml Decision - Authorization policy-type", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "POST", + "header": [ + { + "key": "Content-Type", + "type": "text", + "value": "application/json" + }, + { + "key": "Accept", + "type": "text", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\n \"ONAPName\": \"TutorialPEP\",\n \"ONAPComponent\": \"TutorialPEPComponent\",\n \"ONAPInstance\": \"TutorialPEPInstance\",\n \"requestId\": \"unique-request-id-tutorial\",\n \"action\": \"authorize\",\n \"resource\": {\n \"user\": \"audit\",\n \"entity\": \"foo\",\n \"permission\" : \"read\"\n }\n}" + }, + "url": { + "raw": "{{POLICY-XACML-URL}}/policy/pdpx/v1/decision", + "host": [ + "{{POLICY-XACML-URL}}" + ], + "path": [ + "policy", + "pdpx", + "v1", + "decision" + ] + } + 
}, + "response": [] + }, + { + "name": "Simple Undeploy Policy", + "request": { + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "zb!XztG34", + "type": "string" + }, + { + "key": "username", + "value": "healthcheck", + "type": "string" + } + ] + }, + "method": "DELETE", + "header": [ + { + "key": "Accept", + "value": "application/json", + "type": "text" + }, + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + } + ], + "url": { + "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/policies/onap.policy.tutorial.demo", + "host": [ + "{{POLICY-PAP-URL}}" + ], + "path": [ + "policy", + "pap", + "v1", + "pdps", + "policies", + "onap.policy.tutorial.demo" + ] + } + }, + "response": [] + } + ], + "auth": { + "type": "basic", + "basic": [ + { + "key": "password", + "value": "", + "type": "string" + }, + { + "key": "username", + "value": "", + "type": "string" + } + ] + }, + "protocolProfileBehavior": {} +} \ No newline at end of file diff --git a/docs/xacml/tutorial/app/pom.xml b/docs/xacml/tutorial/app/pom.xml index f8afc552..380ee512 100644 --- a/docs/xacml/tutorial/app/pom.xml +++ b/docs/xacml/tutorial/app/pom.xml @@ -1,3 +1,23 @@ + + @@ -33,6 +53,7 @@ test + @@ -43,6 +64,43 @@ 11 + + io.fabric8 + docker-maven-plugin + 0.33.0 + + true + + + onap/policy-xacml-tutorial + xacml-pdp + + ${project.basedir}/src/main/docker + + artifact-with-dependencies + + + + + + + + clean-images + pre-clean + + remove + + + + + generate-images + package + + build + + + + diff --git a/docs/xacml/tutorial/app/src/main/docker/Dockerfile b/docs/xacml/tutorial/app/src/main/docker/Dockerfile new file mode 100644 index 00000000..639e94fb --- /dev/null +++ b/docs/xacml/tutorial/app/src/main/docker/Dockerfile 
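Review bot: The `healthcheck` basic-auth password `zb!XztG34` is embedded in each of the thirteen authenticated items while the collection-level `auth` block at the end is left with empty username/password, so rotating the credential means editing thirteen places and the secret sits in plain text next to the docs. Move it to collection variables (`{{POLICY-USER}}` / `{{POLICY-PASSWORD}}`, with the password stored as a secret-type variable), put them in the collection-level `auth`, and remove the per-item `auth` blocks so items inherit; where an item keeps its own block the entry becomes `{"key": "password", "value": "{{POLICY-PASSWORD}}", "type": "string"}`. These look like the ONAP default healthcheck credentials, so this is hygiene rather than a new leak, but a committed Postman file is routinely copied into real environments. Separately, in the "Create policies" body the second policy is named `onap.policy.tutorial.audit` but its metadata says `policy-id: onap.policy.tutorial.bar`, while the later deploy request references `onap.policy.tutorial.audit`; the metadata should match the policy name.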
@@ -0,0 +1,7 @@
+FROM onap/policy-xacml-pdp:2.2.2
+
+ADD maven/${project.build.finalName}.jar /opt/app/policy/pdpx/lib/${project.build.finalName}.jar
+
+RUN mkdir -p /opt/app/policy/pdpx/apps/tutorial
+
+COPY --chown=policy:policy xacml.properties /opt/app/policy/pdpx/apps/tutorial
\ No newline at end of file
diff --git a/docs/xacml/tutorial/app/src/main/docker/README.txt b/docs/xacml/tutorial/app/src/main/docker/README.txt
new file mode 100644
index 00000000..a29a44b2
--- /dev/null
+++ b/docs/xacml/tutorial/app/src/main/docker/README.txt
@@ -0,0 +1,36 @@
+docker-compose -f docker-compose.yml run --rm start_dependencies
+
+docker-compose -f docker-compose.yml run --rm start_all
+
+
+curl -X POST http://0.0.0.0:3904/events/POLICY-PDP-PAP
+
+Should return JSON similar to this:
+{"serverTimeMs":0,"count":0}
+
+
+curl -k -u 'healthcheck:zb!XztG34' 'https://0.0.0.0:6969/policy/pdpx/v1/healthcheck'
+
+Should return JSON similar to this:
+{"name":"Policy Xacml PDP","url":"self","healthy":true,"code":200,"message":"alive"}
+
+
+curl -k -u 'healthcheck:zb!XztG34' 'https://0.0.0.0:6767/policy/api/v1/healthcheck'
+Should return JSON similar to this:
+{
+ "name": "Policy API",
+ "url": "policy-api",
+ "healthy": true,
+ "code": 200,
+ "message": "alive"
+}
+
+curl -k -u 'healthcheck:zb!XztG34' 'https://0.0.0.0:6868/policy/pap/v1/healthcheck'
+Should return JSON similar to this:
+{
+ "name": "Policy PAP",
+ "url": "policy-pap",
+ "healthy": true,
+ "code": 200,
+ "message": "alive"
+}
\ No newline at end of file
diff --git a/docs/xacml/tutorial/app/src/main/docker/config/db/db.conf b/docs/xacml/tutorial/app/src/main/docker/config/db/db.conf
new file mode 100644
index 00000000..42f35844
--- /dev/null
+++ b/docs/xacml/tutorial/app/src/main/docker/config/db/db.conf
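Review bot: The jar is brought in with `ADD`, which also auto-extracts archives and accepts URLs; for a plain local file `COPY maven/${project.build.finalName}.jar /opt/app/policy/pdpx/lib/${project.build.finalName}.jar` is the predictable instruction and matches the `COPY` already used for `xacml.properties`. The base image is pinned to `onap/policy-xacml-pdp:2.2.2` while `docker-compose.yml` in the same change pulls `policy-api:2.2.4` and `policy-pap:2.2.3`; if these are meant to track one Frankfurt release line, a comment next to the `FROM` line naming that release would tell readers which tags to bump together. `RUN mkdir -p` creates `apps/tutorial` as whatever user the base image runs as and only the copied file gets `--chown=policy:policy`; if the PDP writes into that directory at runtime the directory itself may need `chown policy:policy` — worth confirming against the base image.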
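Review bot: Every `curl` here uses `-k` and passes the default `healthcheck:zb!XztG34` credential on the command line; `-k` disables TLS certificate verification and the credential ends up in shell history, so a caveat is warranted, e.g. `# -k is only because the tutorial stack uses self-signed certs; do not reuse -k or these default credentials outside this local docker-compose setup`. `0.0.0.0` is a bind address rather than a destination — it reaches loopback on Linux but not reliably on other hosts — so the examples should use `https://localhost:6969/...`. The first command, `curl -X POST http://0.0.0.0:3904/events/POLICY-PDP-PAP`, sends an empty POST to the DMaaP simulator with no explanation; a sentence stating it only confirms the simulator is reachable would stop readers thinking the empty message is significant.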
@@ -0,0 +1,20 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+MYSQL_ROOT_PASSWORD=secret
+MYSQL_USER=policy_user
+MYSQL_PASSWORD=policy_user
\ No newline at end of file
diff --git a/docs/xacml/tutorial/app/src/main/docker/config/db/db.sh b/docs/xacml/tutorial/app/src/main/docker/config/db/db.sh
new file mode 100644
index 00000000..499764df
--- /dev/null
+++ b/docs/xacml/tutorial/app/src/main/docker/config/db/db.sh
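Review bot: `MYSQL_ROOT_PASSWORD=secret` and a `MYSQL_PASSWORD` identical to the user name are committed as the stack's only database credentials, and the companion `db.sh` grants that user all privileges on both schemas from any host. That is acceptable for a throw-away tutorial only if the file says so; add `# Tutorial defaults only - override both passwords before running this stack anywhere other than a local machine` above the three values. The mariadb service is not published on the host in `docker-compose.yml`, so exposure is limited to the compose network, but anything on that network gets root access to the policy database with these values.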
@@ -0,0 +1,26 @@
+#!/bin/bash -xv
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+for db in policyadmin operationshistory
+do
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};"
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;"
+done
+
+mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;"
diff --git a/docs/xacml/tutorial/app/src/main/docker/docker-compose.yml b/docs/xacml/tutorial/app/src/main/docker/docker-compose.yml
new file mode 100644
index 00000000..b65098c1
--- /dev/null
+++ b/docs/xacml/tutorial/app/src/main/docker/docker-compose.yml
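Review bot: `#!/bin/bash -xv` makes bash echo every command after expansion, so the root password supplied via `-p"${MYSQL_ROOT_PASSWORD}"` is written to the container log on each of the three `mysql` calls, and passing it as an argument also exposes it to `ps` inside the container. Drop the trace flags and hand the password over through the environment: `#!/bin/bash`, then `export MYSQL_PWD="${MYSQL_ROOT_PASSWORD}"`, and `mysql -uroot --execute "..."` for all three invocations. Note that the mariadb entrypoint sources non-executable `.sh` init files instead of executing them, in which case the shebang flags are ignored, so whether `-xv` takes effect depends on the file mode in the checkout — better not to rely on that. `GRANT ALL PRIVILEGES ... TO '${MYSQL_USER}'@'%'` is broad for anything beyond a tutorial; a one-line comment saying it is a tutorial shortcut keeps readers from copying it into a real deployment.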
@@ -0,0 +1,102 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +version: '2' +services: + mariadb: + image: mariadb:10.2.14 + container_name: mariadb + hostname: mariadb + command: ['--lower-case-table-names=1', '--wait_timeout=28800'] + env_file: config/db/db.conf + volumes: + - ./config/db:/docker-entrypoint-initdb.d + expose: + - 3306 + message-router: + image: dmaap/simulator + container_name: dmaap-simulator + hostname: dmaap-simulator + ports: + - "3904:3904" + expose: + - 3904 + api: + image: nexus3.onap.org:10001/onap/policy-api:2.2.4 + container_name: policy-api + depends_on: + - mariadb + hostname: policy-api + ports: + - "6767:6969" + expose: + - 6767 + pap: + image: nexus3.onap.org:10001/onap/policy-pap:2.2.3 + container_name: policy-pap + depends_on: + - mariadb + - message-router + - api + hostname: policy-pap + ports: + - "6868:6969" + expose: + - 6868 + xacml-pdp: + image: onap/policy-xacml-tutorial + container_name: policy-xacml-pdp + depends_on: + - mariadb + - message-router + - api + - pap + hostname: policy-xacml-pdp + ports: + - "6969:6969" + expose: + - 6969 + start_dependencies: + image: 
dadarek/wait-for-dependencies + environment: + TIMEOUT_LENGTH: 60 + container_name: policy-wait + depends_on: + - mariadb + - message-router + hostname: policy-wait + command: + mariadb:3306 + message-router:3904 + start_all: + image: dadarek/wait-for-dependencies + environment: + TIMEOUT_LENGTH: 60 + container_name: policy-wait-all + depends_on: + - mariadb + - message-router + - api + - pap + - xacml-pdp + hostname: policy-wait-all + command: + mariadb:3306 + message-router:3904 + api:6969 + pap:6969 + xacml-pdp:6969 diff --git a/docs/xacml/tutorial/tutorial-xacml.properties b/docs/xacml/tutorial/app/src/main/docker/xacml.properties similarity index 97% rename from docs/xacml/tutorial/tutorial-xacml.properties rename to docs/xacml/tutorial/app/src/main/docker/xacml.properties index e10ad63f..277b098e 100644 --- a/docs/xacml/tutorial/tutorial-xacml.properties +++ b/docs/xacml/tutorial/app/src/main/docker/xacml.properties @@ -28,4 +28,4 @@ xacml.att.policyFinderFactory.combineRootPolicies=urn:oasis:names:tc:xacml:3.0:p # Policies to load # xacml.rootPolicies= -xacml.referencedPolicies= +xacml.referencedPolicies= \ No newline at end of file diff --git a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java index 7f0c2b99..5727f1c1 100644 --- a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java +++ b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java 
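Review bot: The `expose` entries for `api` and `pap` list 6767 and 6868, but those are the host-side numbers from the `ports` mapping; inside the containers both services listen on 6969 (the `start_all` waiter itself checks `api:6969` and `pap:6969`), so both should read `- 6969` or be dropped, since `ports` already publishes them. All five `ports` mappings bind to every host interface while the stack runs with the default `healthcheck` and database credentials and an unauthenticated DMaaP simulator; for a tutorial, binding to loopback, e.g. `- "127.0.0.1:6969:6969"`, keeps those services off the LAN. `mariadb:10.2.14` is pinned while `dmaap/simulator` and `dadarek/wait-for-dependencies` float on `latest`; a comment noting which image versions the tutorial was verified against would make the setup reproducible.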
@@ -26,7 +26,7 @@ import org.onap.policy.pdp.xacml.application.common.std.StdXacmlApplicationServi public class TutorialApplication extends StdXacmlApplicationServiceProvider { - private final ToscaPolicyTypeIdentifier supportedPolicyType = new ToscaPolicyTypeIdentifier(); + private final ToscaPolicyTypeIdentifier supportedPolicyType = new ToscaPolicyTypeIdentifier("onap.policies.Authorization", "1.0.0"); private final TutorialTranslator translator = new TutorialTranslator(); @Override diff --git a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java index 1dd6186e..600c6214 100644 --- a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java +++ b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java @@ -48,10 +48,10 @@ public class TutorialTranslator implements ToscaPolicyTranslator { private static final Identifier ID_TUTORIAL_USER = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-user"); private static final Identifier ID_TUTORIAL_ENTITY = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-entity"); - private static final Identifier ID_TUTORIAL_PERM = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-perm"); + private static final Identifier ID_TUTORIAL_PERM = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-permission"); @SuppressWarnings("unchecked") - public PolicyType convertPolicy(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException { + public PolicyType convertPolicy(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException { // // Here is our policy with a version and default combining algo // 
@@ -74,7 +74,7 @@ public class TutorialTranslator implements ToscaPolicyTranslator { // For simplicity, let's just match on the action "authorize" and the user // MatchType matchAction = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(XACML3.ID_FUNCTION_STRING_EQUAL, - "authorize", XACML3.ID_DATATYPE_STRING, XACML3.ID_ACTION, XACML3.ID_ATTRIBUTE_CATEGORY_ACTION); + "authorize", XACML3.ID_DATATYPE_STRING, XACML3.ID_ACTION_ACTION_ID, XACML3.ID_ATTRIBUTE_CATEGORY_ACTION); Map props = toscaPolicy.getProperties(); String user = props.get("user").toString(); MatchType matchUser = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(XACML3.ID_FUNCTION_STRING_EQUAL, user, @@ -83,14 +83,14 @@ public class TutorialTranslator implements ToscaPolicyTranslator { // // Create AllOf (AND) of just Policy Id // - anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchAction)); - anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchUser)); + anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchAction, matchUser)); TargetType target = new TargetType(); target.getAnyOf().add(anyOf); newPolicyType.setTarget(target); // // Now add the rule for each permission // + int ruleNumber = 0; List permissions = (List) props.get("permissions"); for (Object permission : permissions) { 
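Review bot: The comment above the target, `// Create AllOf (AND) of just Policy Id`, no longer describes the code: the new `anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchAction, matchUser));` ANDs the action and the user inside one AllOf, so a policy applies only to its own user (the previous two separate AllOfs were an OR). Replace it with `// One AllOf (AND) of action == "authorize" and user == <policy user>; both must match for this policy to apply`. On the context line `String user = props.get("user").toString();` throws NullPointerException if a policy arrives without `user`; the policy type marks it `required: true`, so this presumably relies on API-side validation and deserves either a one-line comment saying so or an explicit check that raises ToscaPolicyConversionException. convertPolicy starts and ends outside this hunk.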
@@ -102,18 +102,20 @@ public class TutorialTranslator implements ToscaPolicyTranslator { XACML3.ID_FUNCTION_STRING_EQUAL, ((Map) permission).get("permission"), XACML3.ID_DATATYPE_STRING, ID_TUTORIAL_PERM, XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE); anyOf = new AnyOfType(); - anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchEntity)); - anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchPermission)); + anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchEntity, matchPermission)); target = new TargetType(); target.getAnyOf().add(anyOf); RuleType rule = new RuleType(); rule.setDescription("Default is to PERMIT if the policy matches."); - rule.setRuleId(newPolicyType.getPolicyId() + ":rule"); + rule.setRuleId(newPolicyType.getPolicyId() + ":rule" + ruleNumber); + rule.setEffect(EffectType.PERMIT); rule.setTarget(target); newPolicyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule); + + ruleNumber++; } return newPolicyType; } @@ -140,19 +142,12 @@ public class TutorialTranslator implements ToscaPolicyTranslator { // Just simply return a Permit response // decisionResponse.setStatus(Decision.PERMIT.toString()); - } - if (xacmlResult.getDecision() == Decision.DENY) { + } else { // // Just simply return a Deny response // decisionResponse.setStatus(Decision.DENY.toString()); } - if (xacmlResult.getDecision() == Decision.NOTAPPLICABLE) { - // - // There is no guard policy, so we return a permit - // - decisionResponse.setStatus(Decision.PERMIT.toString()); - } } return decisionResponse; diff --git a/docs/xacml/tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java b/docs/xacml/tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java index 65685236..d20c1b38 100644 --- a/docs/xacml/tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java 
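Review bot: The collapsed `else` now maps every non-Permit result — Deny, NotApplicable and Indeterminate alike — to `Decision.DENY`, which is the right fail-closed default, but the comment `// Just simply return a Deny response` hides that this is deliberate. Reword it to `// Anything other than an explicit Permit (Deny, NotApplicable, Indeterminate) is reported as Deny: fail closed` so the next maintainer does not reintroduce the removed NotApplicable-means-Permit branch. An Indeterminate result normally carries a status detail; logging it at this point would make a broken policy diagnosable without weakening the decision. The enclosing method starts outside this hunk.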
+++ b/docs/xacml/tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java @@ -18,6 +18,8 @@ package org.onap.policy.tutorial.tutorial; +import static org.junit.Assert.assertEquals; + import java.io.File; import java.io.IOException; import java.util.Iterator; @@ -101,10 +103,18 @@ public class TutorialApplicationTest { .getTextFileAsString("src/test/resources/tutorial-decision-request.json"), DecisionRequest.class); // - // Test a decision + // Test a decision - should start with a permit // Pair decision = service.makeDecision(decisionRequest, null); LOGGER.info(decision.getLeft().toString()); + assertEquals("Permit", decision.getLeft().getStatus()); + // + // This should be a deny + // + decisionRequest.getResource().put("user", "audit"); + decision = service.makeDecision(decisionRequest, null); + LOGGER.info(decision.getLeft().toString()); + assertEquals("Deny", decision.getLeft().getStatus()); } } diff --git a/docs/xacml/tutorial/app/src/test/resources/tutorial-decision-request.json b/docs/xacml/tutorial/app/src/test/resources/tutorial-decision-request.json index 8c1ec10c..f3a7f9a2 100644 --- a/docs/xacml/tutorial/app/src/test/resources/tutorial-decision-request.json +++ b/docs/xacml/tutorial/app/src/test/resources/tutorial-decision-request.json @@ -7,6 +7,6 @@ "resource": { "user": "demo", "entity": "foo", - "permission" : "read" + "permission" : "write" } } diff --git a/docs/xacml/tutorial/app/src/test/resources/tutorial-policy-type.yaml b/docs/xacml/tutorial/app/src/test/resources/tutorial-policy-type.yaml index c742cf3e..7948bd28 100644 --- a/docs/xacml/tutorial/app/src/test/resources/tutorial-policy-type.yaml +++ b/docs/xacml/tutorial/app/src/test/resources/tutorial-policy-type.yaml @@ -1,6 +1,5 @@ tosca_definitions_version: tosca_simple_yaml_1_1_0 policy_types: - - onap.policies.Authorization: derived_from: tosca.policies.Root version: 1.0.0 
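Review bot: The comment `// This should be a deny` does not say why, and the reason matters because this case exercises the translator's NotApplicable-to-Deny fallback rather than an explicit Deny rule: the audit user holds only `read` on `foo` in the tutorial policies, so the `write` request matches no rule. Suggest `// audit holds only read on foo, so a write request matches no rule (NotApplicable) and the translator reports Deny`. A third case with a user that has no policy at all, e.g. `decisionRequest.getResource().put("user", "nobody");` followed by the same `assertEquals("Deny", ...)`, would pin the fail-closed behaviour independently of how the audit policy is written. The test method starts outside this hunk.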
@@ -17,18 +16,17 @@ policy_types: entry_schema: type: onap.datatypes.Tutorial data_types: - - onap.datatypes.Tutorial: - derived_from: tosca.datatypes.Root - version: 1.0.0 - properties: - entity: - type: string - required: true - description: The resource - permission: - type: string - required: true - description: The permission level - constraints: - - valid_values: [read, write, delete] + derived_from: tosca.datatypes.Root + version: 1.0.0 + properties: + entity: + type: string + required: true + description: The resource + permission: + type: string + required: true + description: The permission level + constraints: + - valid_values: [read, write, delete] diff --git a/docs/xacml/tutorial/tutorial-decision-request.json b/docs/xacml/tutorial/tutorial-decision-request.json deleted file mode 100644 index 8c1ec10c..00000000 --- a/docs/xacml/tutorial/tutorial-decision-request.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "ONAPName": "TutorialPEP", - "ONAPComponent": "TutorialPEPComponent", - "ONAPInstance": "TutorialPEPInstance", - "requestId": "unique-request-id-tutorial", - "action": "authorize", - "resource": { - "user": "demo", - "entity": "foo", - "permission" : "read" - } -} diff --git a/docs/xacml/tutorial/tutorial-policies.yaml b/docs/xacml/tutorial/tutorial-policies.yaml deleted file mode 100644 index 45769ead..00000000 --- a/docs/xacml/tutorial/tutorial-policies.yaml +++ /dev/null @@ -1,30 +0,0 @@ -tosca_definitions_version: tosca_simple_yaml_1_0_0 -topology_template: - policies: - - - onap.policy.tutorial.demo: - type: onap.policies.Authorization - version: 1.0.0 - metadata: - policy-id: onap.policy.tutorial.demo - properties: - user: demo - permissions: - - - entity: foo - permission: read - - - entity: foo - permission: write - - - onap.policy.tutorial.audit: - type: onap.policies.Authorization - version: 1.0.0 - metadata: - policy-id: onap.policy.tutorial.bar - properties: - user: audit - permissions: - - - entity: foo - permission: read 
diff --git a/docs/xacml/tutorial/tutorial-policy-type.yaml b/docs/xacml/tutorial/tutorial-policy-type.yaml deleted file mode 100644 index 181a73c5..00000000 --- a/docs/xacml/tutorial/tutorial-policy-type.yaml +++ /dev/null @@ -1,34 +0,0 @@ -tosca_definitions_version: tosca_simple_yaml_1_0_0 -policy_types: - - - onap.policies.Authorization: - derived_from: tosca.policies.Root - version: 1.0.0 - description: Example tutorial policy type for doing user authorization - properties: - user: - type: string - required: true - description: The unique user name - permissions: - type: list - required: true - description: A list of resource permissions - entry_schema: - type: onap.datatypes.Tutorial -data_types: - - - onap.datatypes.Tutorial: - derived_from: tosca.datatypes.Root - version: 1.0.0 - properties: - entity: - type: string - required: true - description: The resource - permission: - type: string - required: true - description: The permission level - constraints: - - valid_values: [read, write, delete] 
diff --git a/docs/xacml/tutorial/tutorial.tar b/docs/xacml/tutorial/tutorial.tar new file mode 100644 index 0000000000000000000000000000000000000000..329041d4d0541da305fed8171900e4801f7b1b8a GIT binary patch literal 9949 zcmV<3CL-A%iwFRk+cIAO1MPilciT9UXzxAep1sizxSuh~+>Mg4sJGmsjyrMVwBvNba*P5+Xt6gi5YOT3nZGS~tPe@acW}dIR zK+05~P)j#l{l@WbQ_4ZH>+3miL_31Nzmeoi{!bmxpXl~e$iWKyZ`2t7+l_WL=l?E} z!vBf(X<|JE4(N||vzf{N_I_=j@xRfiwp;uA$p3m1_+NbrV&dr!&i~hcDwhj{94P6e zf7Cl2^sWZO?#1w6y#yf7PP^yi+_B8@1L@f}rcFtiyzd^pJ0aca6khAT>DXi_1TaR# zHWGk5a;6Wid2{QN($Py&uhy%iJN%a+>DxZFEIRgQx<$@iXG&fFK_gwuBCNPaT=Dno_V0C<0u;maeAgV!{77F(;-JZD0q8B=CdKZ6 z^an-qU3btQ>;a4)`@`?gE{EjD?!`s-blC3=$k_!sIy*h?5Bq1Q@brdsPk$o+);~So zBNTcH(9lm)7wHEgP3%Q33Ij?b1YA3uAa6>?=CwJ7cG)*G{f3eo=Z?BIG>3q2O-v7Y z=>d5LK(Wk;=`;EFl8uT>oE(q6)8kDfu3SDW6kbnV=NAxr0;=Bj4vK=K6a9|bDo@YP z-c_1fRjU@ECM(=kG(!|_-J1O zA;~K7$us!NGApOSbMX+cyq-7)wZvdKWO=VEk#{JJuWwvuHtidS07`RgeX32FYSQEc z__`uXU}@d;&1-$^!(&)Ld5LB21b8H-Rvv)58+?B@d|i?6u?&#^Q3u_3bNGwyzOICi zj3yiA90fjmWEoSgkxc3xvau)Grj2H%WoVu=bH}u2j~xSHT@K%rzXss*${^H=3Km}& zbV@<`>~V-Fc=d27Mt#t8zszjYk8~5uR(eI0i1rgJbQiFv)`;{F%k@C-Ku1syD)Zl* zm`a?QdE~_z`$->9tn$>DYI-=`cys9obvbeDxecgm@V{6KwnXP#(s(J}MJtlGd(nP_6Pk$iaLqy^KMTjrJ0+N-p85t2P$OjvQ#9@6ITz$)3~_<^-lIPkkj{M&C(=g~D6m!dn(%8B<}gS~{2@ z-k~Dr{6)N&B59HL&^Dib@{djT@XwzEB?nA1O!u+kxnr0XOuNFnld(@0Pr}kYk4{F` zLo$nH8`K-S<`i0UL9Y)bFUn{;mDQnv14S*FL{!Pb^tzJL&exShe~VY%Ldk>-`iYKb zOufax1{o<7nxOAM_U$sq1NhQ9e|n3f11zC3D-6TnR`(JtM)7xaE5TDG@6e?au!vwx z;6qA>r2u$cQ5vvP%WkMmp_}MZjboEC-JofVqwBXU;nUx_ul=^S=q4uQLB{vs%yjzl)UQKewZ{DF(~(ztN~wTXod``|Vb)|96s-{C6pL z9e7(4fu+ZPqqg6y0{`pPX1$T~e-|mq|6lYweY=yu>h|A$qmj@5J4qS*M~CayaIC_A zFamJ=*J}Cr-$|Oof9B`e29DMF4|YJl|G$&8i2vNrx0x8M&i{I&ncIImNlWtI-y}?I zb^bT&wS4`zle8-T*Aavz`Cn~e*jH^I_zz}aE$9C((%Sr&aXU&ZkA_uKa8&2Ve>H2Z zCL8}X)Bv?QsW$2$40-(5E>h)Hxjo{l@6Xj{XEFQ8s ze3;U{L2V!UlDe5NF}#Lt?5jaG8jquifOB=*vvg?EdZ0Yt&<4Ko9`ltMX8>vfSOrSt z&NPtB!gMx*Oft4~5Sf%Y3dG5$w&9V*(8y=L=R9@IJKYBfGi^{YMzF^)NZB|X 
z$WBW`!sT4kJ%msy>Y{h3?2vg#y$5@I>pC_RH#h~ETsTZ)owt~vlv+y=HgX({q#$G6 z7L5<9m$Id6s=Q30EQJ;gRK9L`rAWcAy8)K}z4h>DMmPLks*<6R(p zTs=4;PfwmUw*N0c%BbgO+5VUo*#GTjTiXA%dTYOm_CG8Ia{GT5DYyS~`#-n;e`EIl zJAImB{KH$VXZ!BMq7{H4jjz!1m-d*@<^cqdU`_XZ4M(Kzj&Fs9j^?;-gXr^~)7WQS zU1r&>Rdo}z7b0F^t;&Ph2m>dBx|TB;IUlvR)c2KDk9a#seLHlxDFlrAme(tMI}m?m zUg2A{nWYP6Byj_)Z=fv+_BsY=zf51hh!A+5Dq0TJn!ymut{xQ0f*}V>HV9c_aohPg3Y$K!<)UmV zRykG|;gfM|3pyKSN#TpwBWH{|he1^@oq}LkC^VqCQDU=g0vg4)FawZI2w0OZOD|Ok z#bjQSQjzHlxnP%N5%<5*2dEOSqxKzE1-jKrKj_vBsMUNi{iuXvdQ1`^RLFWH@XDJL zp=gx#2nhkKP0V9Kkxu5zaHVm=vwvTHjE&d-p-U*!1u%d8Uu!p8`||vcX0z46^?$oj z%h&(ANcs9dU;pRp|KHg9KeEl2?iSd5>AwyH56nxCZf6H_gFVM%li7^=99PJ)8<$6p zExxwyv0<%xIKI?oXey{nkN|Iy4@94u+Oh8IxEYje&%8>4#mkgU**2b2dP&z0FB+4t z`DI}lx=cy7@@*{RJqjDv2Sv21zezOoTz5TnLtXbwPs7jVVO)$w)vLx;6`1W(jUS() z-5Xc6eXVOhoLwX9)~emRzJ@t>?dtDze|)=k?QmCet?Cyui>_UHsJpmz$*QOO*OX08 zoMPw%`0Qoug2sXZgwKL+$t&Bn{o||Q6cIWn~xyFyQVvS_VJrYS6G#~-Ote5v}Clz5CWQ|DsGUEOUbe)#((*Z{6`ACZ8Rc_7o%^gVT%NrbK@uFtvo zrxO7JjSphbYaLV+s*jP$%oE+Zane94^g|COqDz$U0cBMiDXDqXm+t10(o$R+zoWix zz?=Z9V|ao^I6v9Lgif3XPT0pwLK6*-fQ)w9kGB*I=3B?{SXco%bYRfOdIv1i+sPgo zp=S;H80=N}IWcYHdS(f`S%nE?q9sd&vIiZ_$$4X(533dr3hF*m4mKmRLc1p?jD8u_17t#1pec*C{;hr&feVH*=o}ygt!Aty z4JZ-dmSNtR1}>b0p^(v=eVZ>x#yYNL?s5GA%PYsW9x%+qm;tH$ zC_e0DkCCky#~SHh!@@>+rNYMka=sMgR2eRqx*~yC-`IHRTg~cnu;Neu zIFdJn;@@2kdsj!@VejqP#ZRJ~!jCj>D~=(yKM>U%=fTiY)tItD0##U5u2}e-nCj4r z_3wxe8(hOT8nty1^& z_$8`LCe>mN>>FuS85-t^$C{wnb;Bqv>P=o&k@3Bd8R~!yjWan!#a2u3UTqLB!e~LF z1TBofd2e+T123ULqQssa}`t4 zxJ^g8?3kL@Rp;tn!aCixfU*pYvTT2;7V)A^nA?vyqpq%nFfG(SL7@$_2bb8rI8R>2 z&@7=m!eUtpBvMqaIk_(2faSY5SS*5y=2)BxhlX+SIARcS!v*)b0^9I`Hwu=p#SD0e z5A30+Lc39H`IqD`q}ajYMfeqJp?G5?K<)%6g}wld)0Kfgt~lch$tYFailgqi?!v;{ z2b2HI4XwNA`yX^z*NrR~FR*Yl`3^7R1)@%)p112Se+dZ<_w2+*U4)=WptD#A1`!2( z6_^!L;3h)}eD@)??I>_YygJ$x|46X$2-#>HgG8eA{3Dp_XkC{2mPK!LtLxs(&=nD` zIRA^ttnnCDzG_Cotw$np*~!kDSyoyf#htlfXYuD!kik|&@=3*&0Aa*m@X-`6muvc)iN4-SI%%Q2X;u^j^`sQ6d3+1LW*L9$aPOgEzN@`fz~D$W-i@&jM@XI?2r 
zn__3jcg_j5fTJ6cehiDntrL!`#yMoq+3=4;|2==gFz@`QcfDb^+&_J@=^-G?fB)aE zHX1cN|D)B)&wtrTn#cdR%WGX63%>uT*X#KGN2}g$HLI=t2JpYpZsp&9?<74hJSU;& zh5IsbdZS=%83r}T`SCfS{Q8cW$DEl&9z#r-x65*Lqkv#Q0o#V|8l-#PC)~LTAR&v( zks%Be;dVWkvu!r;jpJx(0b^=R`BftGfiO?6G1Xux1LQ|)NI-NcK#UqFixj1TF{cq< z@?0<`19RR#k5mzmd{@WQ`j;e$mDWz28@x+kn5fFw!D4NYdwsd3#Xo>eat4vmJKdVG z0!RG(?B#k`aI2S5TR|{ZT)fO{tm+Di>zOS+E|qJFl~BCNs?NHTUuUyycc$z! z9IUj*kFmDrNgxGA%O!>d5!Z3zyGN{J77>!R;c>u1ym3>t!!}hr{-+E<*8jD7e*WW5QYQb8*&hsY*%-$n{okxM-tyfO=yL}IuLXVMsZ<0b1hPSPtMN8>&z@e?$-S4;OrE4luQeBknga# z$4=pMk$pnu4$TRD=M_8Ez2exJ**^Sw3{Zb0|0f6W z+Bg>I|5meA{ZD_NZ|BW?|q*y`rMaoW1b(sFN-(j@N1=x5ES0a z+y5$9d?C{zFX}G}(iz*qd0~Q~a>l45!c^Ferk&tztqRMuT2o}=<+nP<+Fju!6_gUW zw~pthy+>y*^iPNU{YANKIrpgdb!feh0#jxiLI<@MdjxXtb<@A{!KiX({z3igudCG; zKMN?-zPrMK&=DKN6=MYd$8USDMTtAdnoUHjcq$XE5|r-9Nr#=>F?CGaFXK)e0Fi;| zAR90n1pvyV(WtgrC-JGX>;hfDtY}{u6CGxJn9gS`&@`j3SgCTnRM=}arw~*` z%axh0#Y~zZ6Q95siVOmZ6K(U2+7Q@40q5wD6y(tO2|^IHeSmTw)thzLjcK5S>A3qlmhE&xk%K^H&? zdQzL3@6?19)3*Jv@Z%O>{*ZYqCS2FBWtNWa3kD{TLsqx&gD##|o;MGN|~- zt=plVF4g8#l+EB>#B`~Ug+@99$>|Ch)Aiq$T(-d^qdlShWAUUvDw~H)~Li*?;x@Ry()gO6 zH2C+EtBbR<;njI}F!=H8;`qR$W0(3O3r~v?!A@7~bRqsaD6C|yF#ea*|EU^r>9lD5 z-)JWEf3umd|96s}|EU5tePyJ3x1{{(E<>{O{os5)$mfHd&Ibi-kTF7TaLuk86Znlo zgwqRh#ykRsI5Tqc;QgmX$}{E`C{K%j{+u$UJQhj0Oh3^vaETO;E_&TzkKpk@z@i@M zzagh*L(+TS9}EZN&!3Ia<2S{%p}$2Iv(pgIFZw_9PkL{W-KXTke=x`&{zH33hG*o3 z1ceja+xhx`Cn?E)cK^p#aV*Jye*Qp1l9BRj&d68;v&dKllGW zeai3u%kTfo@BjNv-2W#oTEZH?%xu%wx*iM@U(?y29=k6$c3Yt7Xm3Cyzlp!>pCxa9 z3-1x+r!6bD(}h`KsAx*2IQ;3v(G7N;xpKFikX0Vs=4r^A1~hSMQSDqeqxazP#(hVD zqx1;x=}O6E@9}K$l)Pd57DN7;-E;$)_+ED(-Z+*)voGKiVR+Ow*mp=C9_=j-FUPy( z`~myAJUr2S5uh16+#bL9b+se>@8atOQ)%(5e& z3(r#TeB+qO$=Tbt?4G*_C3xyNe^JV^7#Y^|OXZZvbmd4FaqU^+zMxoTly#*VSA;3$ z76Cn~1}(+PrJzK3fP0jw04;$Q4JrOID9R$!L6et?DO+9fuU(4CD^dg`Nw_%7$q-f1}L!Jo~(Jsoq?;xFh8OynXTWr?mQF6WrrQi;ASNY;Mw((k;A(Y-)vk5c7%tkp@@5#JY8l-N>Vm%k3!`8rM!xmRVEu8l*S#=on=3ym5nt;+^NGD38Un3_We)0*{XUAaBd#1&>>*yzBuSb3W;(&NW?@-^>X7t?IbKY|6wXl$x!|@Z1U6^A>}nZ 
z@i9?mLH0!4T%RN-Xx#%Sr%rZ5=2Z-l&v7iIqei9HA=wDRO^x*Wn97+sn7E4Uz)CG0 zMG{p977)6zLv&0-uOeB@(AU!7=uX~p;lNz2dw4`mef zbxeRo^M7?;*#Gcje;?z&TFw3Z{QsS#HRgZup(#p(Pz!U^X{a|0>Y8`dxVm56&S9+*029!JB$?FH0uL{HW4S;~dtJ~8$X5wYkUwGuVPz+>Ol zF{~k-n`LsRTc&Y^r#e9glE34OyvJ=Ybd*`tr$6U2^zR|foBzMy{lELQ{Qi%fr2PE9 z{QSTC{J;GCzx@2aKV}N%|Ec5o6Wy+8S6uAWC_U+k5@oK&4vXJMab0F7aMAu>qh1fc z|G@iS8r4>Q|KE<%|NP(o{MG;X>Z^D9n4AsBd$|O_cV9h&e|7lx-|!Eg|KD;TVcNYA zKe5LDg@3PNMgA##|7WJ0rx*$z_(`umzB}&wbOMUb9qKn=d5)&IVy#yH`+o@l|D-@t z)3a3?pQpt5-}>lZH2#~_{rY}<{5SIPznk>A@T`cjGi(q2*|Xx6;Dck4La-EAC;%_ziGM5aBS~&WD1EzXHo21=57>sB?~; zEg{CbWicDVn@w3PJFZIv_#Ti9Yg9DDV&J)#3L(oI;P@L1<`Hc}1E_+cTM0$Ea#z=C zTD1}r?qcED;~sVqC?kORcff$%6gIazHOcqkJ#vhOXEMG)bSk_+7i94Ctcd;|tUUsY zYs~AwTmHncU=pPv=ObkS3{&0n?j6^VH6Vw%XfQ9h`%cM}Xt-mkDBeHrWx+>>Bx_g- z{M&dV=V9P~e=aEKilE$Y9VS$7dqV*Np&Be?L$q0vBq+htq|251AUxY7vU2Ba$H zbVV>xZFd|;cZ@Ne8$)M*eirTG7XeCkyZSxW{QOzmWC_w;zPvbje9XRmF%Sy83PX{J z6d;0tpJk1y&SWj9!EuBw;dd~~X4S&qD*6Zq3qkK;%ngfglnAf{%Zd&Q79LMYWGg_9 z-H@00I8l2!F;4Ja)MW?C213jti02QHjfbI%BQj7%j`5%{e8R89WFtnhTa2F7cd9i2D@Qi2lG!0`89P!RY-Q_8k)M>ktNF4M-Mm^XJekZE`&UoS zZrQ(CY<_wQ;@eosD(XH~I&+uW$ogOhs>WgXy-*=Z?GsJ`^0V?l@kMp{V?>v)X9n;m zCN5vX3{cT;#|)5~GoSSpNy%sZr<(PX0jgX(1QDvCvM5LOMs|#9mb#l`PNY}4%2N3< zEy@p^Wa%nznLyRKHADQ#VwuyDOku2Q29CLQf=uP?EKEvF;rxQ}pu*i^WV6g_qQ-+( zw<2qc#Aqp5+)&m=y8G0k#(M16DQmx8tD-VTk}85JUWLg-B|3M1IZGsXIfr%yifBam zhP5UJ+T7g2Iq#n5{=eM+x0?SCgeE#fr}}hd|6c%P)!_!np4|V3!{ROVF<>IM`W5-u z#+cZWygrrDzvVG8HKt3~ISc&w*r{%^23ohbQhbk7q6(HN#HMqUdhcNidd6 zRQU4CU*%E#kB5g`5!!H6SvFpf~3@q=e`-k6?G@pR7Mm{5sMBV7+` z+RptRKb^<2oO^0;m_WWuN%v?7jc38Qq9e58>dNYvc|!xlxq8Z!q)FQ#@eg@h?s2S^l=y$qlu@iaCV4wW>yS=DBap}al zONp!gr2m|QK#AmCVyBa zKDF+}3r>YdGSiyZ;PYTw*}#{G1wTKg0UOLlsT5{V8mWui<0P<{_5=lCVbCPF2`W#+ zIdW#Uk2PzVH5Skw78Fr(B98t6Y07HLf;NRPLvGCTJ!dsHgd^N>92EC87qja;rf2<} z-A95h*4&?yrD6b;5+VoQh{@EJtprO59*Cw?L7WBzRAD=GAx{W95kEk%m@wmw`6*!G`X0id>ASB0h zYB>**!gBWJSU$&v>OP<2mYn0*K9{P92r6E&`}O%luni`P;GS7rug3RiL8~UKr7BWU 
z>~U{xgnSomb&T@I&-i0|8g%(Rr>EAQ+u9~Np6L3NfGV0<>@ef9R7AqSK6UU`;jyxd zg%iK;j2%3|8qe4Lj^65brsIYR$uK=!F?MMXTd#_wiXg zYC;LhSAffVIX?skY4g>Ra{RUMk$s4srkyCJNI8j$9NlSwSotMGg;^KD4f`6SPo8swSpZ-FxNNqhr7cdPkG8yp7NBZ bJmo1*dCF6s@|34M%}@UyobfAR06+l%`bhMp literal 0 HcmV?d00001 diff --git a/docs/xacml/xacml-tutorial.rst b/docs/xacml/xacml-tutorial.rst index f46c1bb5..e9eee0e2 100644 --- a/docs/xacml/xacml-tutorial.rst +++ b/docs/xacml/xacml-tutorial.rst @@ -18,7 +18,7 @@ Follow :ref:`TOSCA Policy Primer ` for more information. For the tu this example Policy Type in which an ONAP PEP client would like to enforce an action **authorize** for a *user* to execute a *permission* on an *entity*. -.. literalinclude:: tutorial/tutorial-policy-type.yaml +.. literalinclude:: tutorial/app/src/test/resources/tutorial-policy-type.yaml :language: yaml :caption: Example Tutorial Policy Type :linenos: @@ -27,7 +27,7 @@ We would expect then to be able to create the following policies to allow the de an entity called foo, while the audit user can only read the entity called foo. Neither user has Delete permission. -.. literalinclude:: tutorial/tutorial-policies.yaml +.. literalinclude:: tutorial/app/src/test/resources/tutorial-policies.yaml :language: yaml :caption: Example Policies Derived From Tutorial Policy Type :linenos: 
@@ -37,12 +37,13 @@ Design Decision Request and expected Decision Response For the PEP (Policy Enforcement Point) client applications that call the Decision API, you need to design how the Decision API Request resource fields will be sent via the PEP. -.. literalinclude:: tutorial/tutorial-decision-request.json +.. literalinclude:: tutorial/app/src/test/resources/tutorial-decision-request.json :language: JSON :caption: Example Decision Request :linenos: -For simplicity, we expect only a *Permit* or *Deny* in the Decision Response. +For simplicity, this tutorial expects only a *Permit* or *Deny* in the Decision Response. However, one could +customize the Decision Response object and send back whatever information is desired. .. literalinclude:: tutorial/tutorial-decision-response.json :language: JSON @@ -54,7 +55,8 @@ Create A Maven Project This part of the tutorial assumes you understand how to use Eclipse to create a Maven project. Please follow any examples for the Eclipse installation you have to create an empty application. For the tutorial, use groupId *org.onap.policy.tutorial* and artifactId -*tutorial*. +*tutorial*. If you wish to go directly to the source code, please see the +:ref:`Download Tutorial Application Example` below to download it. .. image:: tutorial/images/eclipse-create-maven.png @@ -67,13 +69,22 @@ Be sure to import the policy/xacml-pdp project into Eclipse. Add Dependencies Into Application pom.xml ***************************************** +Here we import the XACML PDP Application common dependency which has the interfaces we need to implement. In addition, +we are importing a testing dependency that has common code for producing a JUnit test. + .. code-block:: java :caption: pom.xml dependencies org.onap.policy.xacml-pdp.applications common - 2.1.0-SNAPSHOT + 2.2.2 + + + org.onap.policy.xacml-pdp + xacml-test + 2.2.2 + test Create META-INF to expose Java Service 
@@ -297,19 +308,19 @@ Create xacml.properties for the XACML PDP engine to use In the applications *src/test/resources* directory, create a xacml.properties file that will be used by the embedded XACML PDP Engine when loading. -.. literalinclude:: tutorial/tutorial-xacml.properties +.. literalinclude:: tutorial/app/src/test/resources/xacml.properties :caption: Example xacml.properties file :linenos: :emphasize-lines: 20, 25 -Create a JUnit and use the TestUtils.java class in application/common -********************************************************************* +Create a JUnit and use the TestUtils.java class in xacml-test dependency +************************************************************************ Using Eclipse, create a JUnit and be sure to add a setup() method stub. Here you will be utilizing a TestUtils.java -class from the policy/xamcl-pdp repo's application/common submodule to use some utility methods for building the JUnit test. +class from the policy/xamcl-pdp repo's xacml-test submodule to use some utility methods for building the JUnit test. .. image: tutorial/images/eclipse-junit-create.png -Copy the TOSCA Policy Type :download:`link ` and the TOSCA Policies :download:`link ` +Copy the TOSCA Policy Type :download:`link ` and the TOSCA Policies :download:`link ` into the src/test/resources directory. We will create a temporary folder which is used by the **StdXacmlApplicationServiceProvider** to store working copies of policies as they are loaded 
@@ -319,12 +330,41 @@ into the application. :caption: Example Translator Implementation :linenos: -Run the JUnit test!! +Run the JUnit test. Its easiest to run it via a terminal command line using maven commands. + -Where To Go From Here +.. code-block:: bash + :caption: Running Maven Commands + :linenos: + + > mvn clean install + +Building Docker Image ********************* Once you have created enough JUnit tests that test the TutorialTranslator.java and TutorialRequest.java classes, you are ready to now make your -application available to the ONAP XACML PDP Engine. These steps are covered in another tutorial. +application build a docker image that incorporates your application with the XACML PDP Engine. The XACML PDP Engine +must be able to *find* your Java.Service in the classpath. This is easy to do, just create a jar file for your application +and copy into the same directory used to startup the XACML PDP. + +Here is a Dockerfile as an example: + +.. literalinclude:: tutorial/app/src/main/docker/Dockerfile + :caption: Dockerfile + :linenos: + +Download Tutorial Application Example +************************************* + +If you don't wish to use Eclipse, or go through the steps outlined above. The tutorial is +available for download: + +:download:`Download tutorial tar ` + +After you tar xf tutorial.jar, you can import it into Eclipse or your favorite editor. Or simply +use a terminal command line to build, test and run the tutorial. +In addition, there is a POSTMAN collection available for setting up and running tests against a +running instance of ONAP Policy Components (api, pap, dmaap-simulator, tutorial-xacml-pdp). +:download:`Download tutorial POSTMAN Collection ` diff --git a/docs/xacml/xacml.rst b/docs/xacml/xacml.rst index 4100e800..626c26a4 100644 --- a/docs/xacml/xacml.rst +++ b/docs/xacml/xacml.rst 
@@ -30,7 +30,7 @@ By cloning the policy/xacml-pdp repository, a developer can run the JUnit tests See the :ref:`policy-development-tools-label` for more information on cloning and developing the policy repositories. -XACML-PDP applications are located in the 'applications' sub-module in the policy/xacml-pdp repo. `Click here to view the applications sub-modules `_ +XACML-PDP applications are located in the 'applications' sub-module in the policy/xacml-pdp repo. `Click here to view the applications sub-modules `_ XACML PDP TOSCA Translators =========================== @@ -41,7 +41,7 @@ StdCombinedPolicyResultsTranslator Translator --------------------------------------------- A simple translator that wraps the TOSCA policy into a XACML policy and performs matching of the policy based on either policy-id and/or policy-type. The use of this translator is discouraged as it behaves like a database call and does not take advantage of the fine-grain decision making features described by the XACML OASIS 3.0 standard. It is used to support backward compatibility of legacy "configure" policies. -`Implementation of Combined Results Translator `_. +`Implementation of Combined Results Translator `_. The Monitoring and Naming applications use this translator. @@ -51,7 +51,7 @@ More robust translator that searches metadata of TOSCA properties for a **matcha Each of the properties designated as "matchable" are treated relative to each other as an "AND" during a Decision request call. In addition, each value of a "matchable property that is an array, is treated as an "OR". The more properties specified in a decision request, the more fine-grained a policy will be returned. In addition, the use of "policy-type" can be used in a decision request to further filter the decision results to a specific type of policy. -`Implementation of Matchable Translator `_. +`Implementation of Matchable Translator `_. The Optimization application uses this translator. 
@@ -59,16 +59,16 @@ GuardTranslator and CoordinationGuardTranslator ----------------------------------------------- These two translators are used by the Guard application and are very specific to those Policy Types. They are good examples on how to build your own translator for a very specific implementation of a policy type. This can be the case if any of the Std* translators are not appropriate to use directly or override for your application. -`Implementation of Guard Translator `_ +`Implementation of Guard Translator `_ -`Implementation of Coordination Translator `_ +`Implementation of Coordination Translator `_ Native XACML OAISIS 3.0 XML Policy Translator ----------------------------------------------- This translator pulls a URL encoded XML XACML policy from a TOSCA Policy and loads it into a XACML Engine. This allows native XACML policies to be used to support complex use cases in which a translation from TOSCA to XACML is too difficult. -`Implementation of Native Policy Translator `_ +`Implementation of Native Policy Translator `_ Monitoring Policy Types ======================= 
@@ -177,22 +177,22 @@ In order to support your own custom Policy Type that the XACML PDP Engine can su XacmlApplicationServiceProvider =============================== -`Interface for XacmlApplicationServiceProvider `_ +`Interface for XacmlApplicationServiceProvider `_ See each of the ONAP Policy Type application implementations which re-use the **StdXacmlApplicationServiceProvider** class. This implementation can be used as a basis for your own custom applications. -`Standard Application Service Provider implementation `_ +`Standard Application Service Provider implementation `_ ToscaPolicyTranslator ===================== Your custom **XacmlApplicationServiceProvider** must provide an implementation of a *ToscaPolicyTranslator*. -`Interface for ToscaPolicyTranslator `_ +`Interface for ToscaPolicyTranslator `_ See each of the ONAP Policy type application implementations which each have their own *ToscaPolicyTranslator*. Most use or extend the **StdBaseTranslator**. -`Standard Tosca Policy Translator implementation `. +`Standard Tosca Policy Translator implementation `. XACML Application Tutorial ========================== -- 2.16.6