diff options
| author |   asteroide <thomas.duval@orange.com> | 2015-12-10 17:10:06 +0100 |
|---|---|---|
| committer | asteroide <thomas.duval@orange.com> | 2015-12-10 17:10:06 +0100 |
| commit | db85c9feca8f769f0e5bd6efc6a6eb9acb8cb863 (patch) | |
| tree | 04a4fb151aaae4d989bae765993236e501129922 | |
| parent | 3ade2304c10c1741f50728c9ef226c64ad99ce5c (diff) | |
Change API calls to have less loops and change the API calls in the enforce function.
Change-Id: Ia8a2eebcd014967a34fd0f7bf6cd09e7cdad64ed
8 files changed, 171 insertions, 221 deletions
diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py index 1d9b2725..8541b477 100644 --- a/keystone-moon/keystone/contrib/moon/controllers.py +++ b/keystone-moon/keystone/contrib/moon/controllers.py @@ -15,7 +15,7 @@ CONF = config.CONF LOG = log.getLogger(__name__) -@dependency.requires('configuration_api', 'root_api', 'moonlog_api') +@dependency.requires('configuration_api') class Configuration(controller.V3Controller): collection_name = 'configurations' member_name = 'configuration' @@ -141,7 +141,7 @@ class Authz_v3(controller.V3Controller): return {'authz': False, 'comment': unicode(e)} -@dependency.requires('admin_api', 'authz_api') +@dependency.requires('admin_api', 'root_api') class IntraExtensions(controller.V3Controller): collection_name = 'intra_extensions' member_name = 'intra_extension' @@ -210,7 +210,7 @@ class IntraExtensions(controller.V3Controller): @controller.protected() def load_root_intra_extension(self, context, **kw): - self.admin_api.load_root_intra_extension_dict() + self.root_api.load_root_intra_extension_dict() # Metadata functions @controller.protected() @@ -346,7 +346,6 @@ class IntraExtensions(controller.V3Controller): subject_dict['description'] = kw.get('subject_description', None) subject_dict['password'] = kw.get('subject_password', None) subject_dict['email'] = kw.get('subject_email', None) - LOG.debug("controllers.add_subject {}".format(subject_dict)) return self.admin_api.add_subject_dict(user_id, intra_extension_id, subject_dict) @controller.protected() diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py index 586356bf..7d3c8ce9 100644 --- a/keystone-moon/keystone/contrib/moon/core.py +++ b/keystone-moon/keystone/contrib/moon/core.py @@ -42,34 +42,6 @@ EXTENSION_DATA = { extension.register_admin_extension(EXTENSION_DATA['alias'], EXTENSION_DATA) extension.register_public_extension(EXTENSION_DATA['alias'], EXTENSION_DATA) -# _OPTS = [ -# cfg.StrOpt('configuration_driver', -# default='keystone.contrib.moon.backends.memory.ConfigurationConnector', -# help='Configuration backend driver.'), -# cfg.StrOpt('tenant_driver', -# default='keystone.contrib.moon.backends.sql.TenantConnector', -# help='Tenant backend driver.'), -# cfg.StrOpt('authz_driver', -# default='keystone.contrib.moon.backends.flat.SuperExtensionConnector', -# help='Authorisation backend driver.'), -# cfg.StrOpt('intraextension_driver', -# default='keystone.contrib.moon.backends.sql.IntraExtensionConnector', -# help='IntraExtension backend driver.'), -# cfg.StrOpt('interextension_driver', -# default='keystone.contrib.moon.backends.sql.InterExtensionConnector', -# help='InterExtension backend driver.'), -# cfg.StrOpt('log_driver', -# default='keystone.contrib.moon.backends.flat.LogConnector', -# help='Logs backend driver.'), -# cfg.StrOpt('policy_directory', -# default='/etc/keystone/policies', -# help='Local directory where all policies are stored.'), -# cfg.StrOpt('root_policy_directory', -# default='policy_root', -# help='Local directory where Root IntraExtension configuration is stored.'), -# ] -# CONF.register_opts(_OPTS, group='moon') - def filter_input(func_or_str): @@ -133,33 +105,18 @@ def filter_input(func_or_str): def enforce(action_names, object_name, **extra): - _action_name_list = action_names - _object_name = object_name - - # def get_root_extension(self, args, kwargs): - # if not ROOT_EXTENSION_ID: - # global ROOT_EXTENSION_MODEL, ROOT_EXTENSION_ID, ADMIN_ID - # try: - # # if it is the first time we passed here, the root extension may be not initialized - # # specially during unittest. So we raise RootExtensionNotInitialized to authorize the - # # current creation process - # if 'intra_extension_dict' in kwargs: - # intra_extension_dict = kwargs['intra_extension_dict'] - # else: - # intra_extension_dict = args[2] - # if isinstance(intra_extension_dict, dict) and \ - # "model" in intra_extension_dict and \ - # intra_extension_dict["model"] == "policy_root": - # raise RootExtensionNotInitialized() - # except KeyError: - # pass - # return ROOT_EXTENSION_ID def wrap(func): + _action_name_list = action_names + _object_name = object_name + dependency.resolve_future_dependencies() def wrapped(*args, **kwargs): + root_api = dependency._REGISTRY["root_api"][0] + admin_api = dependency._REGISTRY["admin_api"][0] + moonlog_api = dependency._REGISTRY["moonlog_api"][0] + tenant_api = dependency._REGISTRY["tenant_api"][0] returned_value_for_func = None - self = args[0] try: user_id = args[1] except IndexError: @@ -167,7 +124,7 @@ def enforce(action_names, object_name, **extra): intra_extension_id = None intra_admin_extension_id = None - intra_root_extension_id = self.root_api.get_root_extension_id() + intra_root_extension_id = root_api.root_extension_id try: intra_extension_id = args[2] except IndexError: @@ -176,16 +133,13 @@ def enforce(action_names, object_name, **extra): else: intra_extension_id = intra_root_extension_id - try: - tenants_dict = self.tenant_api.driver.get_tenants_dict() - except AttributeError: - tenants_dict = self.driver.get_tenants_dict() - if self.root_api.is_admin_subject(user_id): + tenants_dict = tenant_api.driver.get_tenants_dict() + if root_api.is_admin_subject(user_id): # TODO: check if there is no security hole here - self.moonlog_api.driver.info("Authorizing because it is the user admin of the root intra-extension") + moonlog_api.driver.info("Authorizing because it is the user admin of the root intra-extension") returned_value_for_func = func(*args, **kwargs) else: - intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() + intra_extensions_dict = admin_api.driver.get_intra_extensions_dict() if intra_extension_id not in intra_extensions_dict: # if id is not an intra_extension, maybe it is a tenant id intra_extension_id = intra_root_extension_id @@ -196,19 +150,17 @@ def enforce(action_names, object_name, **extra): else: # id is not a known tenant ID, so we must check against the Root intra_extension intra_extension_id = intra_root_extension_id - LOG.warning("Cannot enforce because the intra-extension is unknown (fallback to the root intraextension)") + LOG.warning("Cannot emanager because the intra-extension is unknown (fallback to the root intraextension)") for _tenant_id in tenants_dict: if tenants_dict[_tenant_id]['intra_authz_extension_id'] == intra_extension_id or \ tenants_dict[_tenant_id]['intra_admin_extension_id'] == intra_extension_id: intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id'] break if not intra_admin_extension_id: - self.moonlog_api.driver.warning("No Intra_Admin_Extension found, authorization granted by default.") + moonlog_api.driver.warning("No Intra_Admin_Extension found, authorization granted by default.") returned_value_for_func = func(*args, **kwargs) else: - # subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id) - # keystone_user_id = subjects_dict[subject_id]["keystone_id"] - objects_dict = self.admin_api.driver.get_objects_dict(intra_admin_extension_id) + objects_dict = admin_api.driver.get_objects_dict(intra_admin_extension_id) object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' + _object_name object_id = None for _object_id in objects_dict: @@ -216,7 +168,7 @@ def enforce(action_names, object_name, **extra): object_id = _object_id break if not object_id: - objects_dict = self.admin_api.driver.get_objects_dict(intra_root_extension_id) + objects_dict = admin_api.driver.get_objects_dict(intra_root_extension_id) object_name = object_name.split(".")[-1] for _object_id in objects_dict: if objects_dict[_object_id]['name'] == object_name: @@ -226,7 +178,7 @@ def enforce(action_names, object_name, **extra): raise ObjectUnknown("Unknown object name: {}".format(object_name)) # if we found the object in intra_root_extension_id, so we change the intra_admin_extension_id # into intra_root_extension_id and we modify the ID of the subject - subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id) + subjects_dict = admin_api.driver.get_subjects_dict(intra_admin_extension_id) try: subject_name = subjects_dict[user_id]["name"] except KeyError: @@ -239,7 +191,7 @@ def enforce(action_names, object_name, **extra): except KeyError: raise SubjectUnknown() intra_admin_extension_id = intra_root_extension_id - subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id) + subjects_dict = admin_api.driver.get_subjects_dict(intra_admin_extension_id) user_id = None for _subject_id in subjects_dict: if subjects_dict[_subject_id]["name"] == subject_name: @@ -250,7 +202,7 @@ def enforce(action_names, object_name, **extra): action_name_list = (_action_name_list, ) else: action_name_list = _action_name_list - actions_dict = self.admin_api.driver.get_actions_dict(intra_admin_extension_id) + actions_dict = admin_api.driver.get_actions_dict(intra_admin_extension_id) action_id_list = list() for _action_name in action_name_list: for _action_id in actions_dict: @@ -260,12 +212,12 @@ def enforce(action_names, object_name, **extra): authz_result = False for action_id in action_id_list: - res = self.admin_api.authz(intra_admin_extension_id, user_id, object_id, action_id) - self.moonlog_api.info("res={}".format(res)) + res = admin_api.authz(intra_admin_extension_id, user_id, object_id, action_id) + moonlog_api.info("res={}".format(res)) if res: authz_result = True else: - self.moonlog_api.authz("No authorization for ({} {}-{}-{})".format( + moonlog_api.authz("No authorization for ({} {}-{}-{})".format( intra_admin_extension_id, user_id, object_name, @@ -282,7 +234,6 @@ def enforce(action_names, object_name, **extra): @dependency.provider('configuration_api') -@dependency.requires('moonlog_api', 'admin_api', 'tenant_api', 'root_api') class ConfigurationManager(manager.Manager): driver_namespace = 'keystone.moon.configuration' @@ -352,7 +303,7 @@ class ConfigurationManager(manager.Manager): @dependency.provider('tenant_api') -@dependency.requires('moonlog_api', 'admin_api', 'configuration_api', 'root_api', 'resource_api') +@dependency.requires('moonlog_api', 'admin_api', 'root_api', 'resource_api', 'admin_api') class TenantManager(manager.Manager): driver_namespace = 'keystone.moon.tenant' @@ -430,16 +381,16 @@ class TenantManager(manager.Manager): # TODO (ateroide): check whether we can replace the below code by the above one # NOTE (ateroide): at a first glance: no, subject_id changes depending on which intra_extesion is used # we must use name which is constant. - authz_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id']) + authz_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.root_admin_id, tenant_dict['intra_authz_extension_id']) authz_subject_names_list = [authz_subjects_dict[subject_id]["name"] for subject_id in authz_subjects_dict] - admin_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id']) + admin_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.root_admin_id, tenant_dict['intra_admin_extension_id']) admin_subject_names_list = [admin_subjects_dict[subject_id]["name"] for subject_id in admin_subjects_dict] for _subject_id in authz_subjects_dict: if authz_subjects_dict[_subject_id]["name"] not in admin_subject_names_list: - self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) + self.admin_api.add_subject_dict(self.root_api.root_admin_id, tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) for _subject_id in admin_subjects_dict: if admin_subjects_dict[_subject_id]["name"] not in authz_subject_names_list: - self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) + self.admin_api.add_subject_dict(self.root_api.root_admin_id, tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) return self.driver.add_tenant_dict(tenant_dict['id'], tenant_dict) @@ -468,37 +419,102 @@ class TenantManager(manager.Manager): # Sync users between intra_authz_extension and intra_admin_extension if 'intra_admin_extension_id' in tenant_dict: if 'intra_authz_extension_id' in tenant_dict: - authz_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id']) + authz_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.root_admin_id, tenant_dict['intra_authz_extension_id']) authz_subject_names_list = [authz_subjects_dict[subject_id]["name"] for subject_id in authz_subjects_dict] - admin_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id']) + admin_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.root_admin_id, tenant_dict['intra_admin_extension_id']) admin_subject_names_list = [admin_subjects_dict[subject_id]["name"] for subject_id in admin_subjects_dict] for _subject_id in authz_subjects_dict: if authz_subjects_dict[_subject_id]["name"] not in admin_subject_names_list: - self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) + self.admin_api.add_subject_dict(self.root_api.root_admin_id, tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) for _subject_id in admin_subjects_dict: if admin_subjects_dict[_subject_id]["name"] not in authz_subject_names_list: - self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) + self.admin_api.add_subject_dict(self.root_api.root_admin_id, tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) return self.driver.set_tenant_dict(tenant_id, tenant_dict) -@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api', 'moonlog_api', 'root_api') +@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'moonlog_api') class IntraExtensionManager(manager.Manager): driver_namespace = 'keystone.moon.intraextension' def __init__(self): super(IntraExtensionManager, self).__init__(CONF.moon.intraextension_driver) - self.__init_aggregation_algorithm() + # self.root_admin_id = self.__compute_admin_id_for_root_extension() + self._root_admin_id = None + self._root_extension_id = None + # self.__init_aggregation_algorithm() + + def __init_root(self, root_extension_id=None): + LOG.debug("__init_root {}".format(root_extension_id)) + LOG.debug(dependency._REGISTRY) + if root_extension_id: + self._root_extension_id = root_extension_id + else: + try: + self._root_extension_id = self.get_root_extension_id() + self.aggregation_algorithm_dict = self.configuration_api.driver.get_aggregation_algorithms_dict() + except AttributeError as e: + LOG.warning("Error on root intraextension initialization ({})".format(e)) + self._root_extension_id = None + self.aggregation_algorithm_dict = {} + if self._root_extension_id: + for subject_id, subject_dict in self.driver.get_subjects_dict(self.root_extension_id).iteritems(): + if subject_dict["name"] == "admin": + self._root_admin_id = subject_id + return + raise RootExtensionNotInitialized() + + @property + def root_extension_id(self): + if not self._root_extension_id: + self.__init_root() + return self._root_extension_id + + @root_extension_id.setter + def root_extension_id(self, value): + self._root_extension_id = value + LOG.info("set root_extension_id={}".format(self._root_extension_id)) + + @property + def root_admin_id(self): + if not self._root_admin_id: + self.__init_root() + return self._root_admin_id - def __init_aggregation_algorithm(self): - try: - self.root_extension_id = self.root_api.get_root_extension_id() - self.aggregation_algorithm_dict = self.configuration_api.get_aggregation_algorithms_dict(self.root_extension_id) - except AttributeError as e: - LOG.warning("Error on init_aggregation_algorithm ({})".format(e)) - self.root_extension_id = None - self.aggregation_algorithm_dict = {} + def get_root_extension_dict(self): + """ + + :return: {id: {"name": "xxx"}} + """ + LOG.debug("self.driver.get_intra_extensions_dict()={}".format(self.driver.get_intra_extensions_dict())) + return {self.root_extension_id: self.driver.get_intra_extensions_dict()[self.root_extension_id]} + + # def __compute_admin_id_for_root_extension(self): + # for subject_id, subject_dict in self.driver.get_subjects_dict(self.root_extension_id).iteritems(): + # if subject_dict["name"] == "admin": + # return subject_id + # raise RootExtensionNotInitialized() + + def get_root_extension_id(self): + extensions = self.driver.get_intra_extensions_dict() + for extension_id, extension_dict in extensions.iteritems(): + if extension_dict["name"] == CONF.moon.root_policy_directory: + return extension_id + else: + extension = self.load_root_intra_extension_dict(CONF.moon.root_policy_directory) + if not extension: + raise IntraExtensionCreationError("The root extension is not created.") + return extension['id'] + + # def __init_aggregation_algorithm(self): + # try: + # self._root_extension_id = self.get_root_extension_id() + # self.aggregation_algorithm_dict = self.configuration_api.get_aggregation_algorithms_dict(self.root_extension_id) + # except AttributeError as e: + # LOG.warning("Error on init_aggregation_algorithm ({})".format(e)) + # self._root_extension_id = None + # self.aggregation_algorithm_dict = {} def __get_authz_buffer(self, intra_extension_id, subject_id, object_id, action_id): """ @@ -586,8 +602,8 @@ class IntraExtensionManager(manager.Manager): meta_rule_dict[sub_meta_rule_id], self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id).values()) - if not self.root_extension_id: - self.__init_aggregation_algorithm() + # if not self.root_extension_id: + # self.__init_aggregation_algorithm() aggregation_algorithm_id = self.driver.get_aggregation_algorithm_id(intra_extension_id)['aggregation_algorithm'] if self.aggregation_algorithm_dict[aggregation_algorithm_id]['name'] == 'all_true': decision = all_true(decision_buffer) @@ -662,7 +678,8 @@ class IntraExtensionManager(manager.Manager): except exception.UserNotFound: # TODO (asteroide): must add a configuration option to allow that exception # maybe a debug option for unittest - keystone_user = {'id': "", 'name': _subject} + keystone_user = {'id': uuid4().hex, 'name': _subject} + self.moonlog_api.error("Keystone user not found ({})".format(_subject)) subject_id = uuid4().hex subject_dict[subject_id] = keystone_user subject_dict[subject_id]['keystone_id'] = keystone_user["id"] @@ -897,10 +914,15 @@ class IntraExtensionManager(manager.Manager): # Note (asteroide): Only one root Extension is authorized # and this extension is created at the very beginning of the server # so we don't need to use enforce here - for key in self.driver.get_intra_extensions_dict(): - # Note (asteroide): if there is at least one Intra Extension, it implies that - # the Root Intra Extension had already been created... - return + # if self.get_root_extension_id(): + # # for ext in self.driver.get_intra_extensions_dict(): + # # Note (asteroide): if there is at least one Intra Extension, it implies that + # # the Root Intra Extension had already been created... + # return + extensions = self.driver.get_intra_extensions_dict() + for extension_id, extension_dict in extensions.iteritems(): + if extension_dict["name"] == CONF.moon.root_policy_directory: + return {'id': extension_id} ie_dict = dict() ie_dict['id'] = uuid4().hex ie_dict["name"] = "policy_root" @@ -908,10 +930,10 @@ class IntraExtensionManager(manager.Manager): ie_dict["genre"] = "admin" ie_dict["description"] = "policy_root" ref = self.driver.set_intra_extension_dict(ie_dict['id'], ie_dict) - try: - self.moonlog_api.debug("Creation of root IE: {}".format(ref)) - except AttributeError: - LOG.debug("Creation of root IE: {}".format(ref)) + # try: + self.moonlog_api.debug("Creation of root IE: {}".format(ref)) + # except AttributeError: + # LOG.debug("Creation of root IE: {}".format(ref)) # read the template given by "model" and populate default variables template_dir = os.path.join(CONF.moon.policy_directory, ie_dict["model"]) @@ -921,6 +943,7 @@ class IntraExtensionManager(manager.Manager): self.__load_assignment_file(ie_dict, template_dir) self.__load_metarule_file(ie_dict, template_dir) self.__load_rule_file(ie_dict, template_dir) + self.__init_root(root_extension_id=ie_dict['id']) return ref @enforce("read", "intra_extensions") @@ -1209,9 +1232,9 @@ class IntraExtensionManager(manager.Manager): if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'], tenants_dict[tenant_id]['intra_admin_extension_id'], ): raise IntraExtensionUnknown() - # Note (asteroide): We used self.root_api.get_root_admin_id() because the user requesting this information + # Note (asteroide): We used self.root_admin_id because the user requesting this information # may only know his keystone_id and not the subject ID in the requested intra_extension. - subjects_dict = self.get_subjects_dict(self.root_api.get_root_admin_id(), intra_extension_id) + subjects_dict = self.get_subjects_dict(self.root_admin_id, intra_extension_id) for subject_id in subjects_dict: if keystone_id == subjects_dict[subject_id]['keystone_id']: return {subject_id: subjects_dict[subject_id]} @@ -1224,9 +1247,9 @@ class IntraExtensionManager(manager.Manager): if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'], tenants_dict[tenant_id]['intra_admin_extension_id'], ): raise IntraExtensionUnknown() - # Note (asteroide): We used self.root_api.get_root_admin_id() because the user requesting this information + # Note (asteroide): We used self.root_admin_id because the user requesting this information # may only know his keystone_name and not the subject ID in the requested intra_extension. - subjects_dict = self.get_subjects_dict(self.root_api.get_root_admin_id(), intra_extension_id) + subjects_dict = self.get_subjects_dict(self.root_admin_id, intra_extension_id) for subject_id in subjects_dict: if keystone_name == subjects_dict[subject_id]['keystone_name']: return {subject_id: subjects_dict[subject_id]} @@ -1682,7 +1705,7 @@ class IntraExtensionManager(manager.Manager): def set_aggregation_algorithm_id(self, user_id, intra_extension_id, aggregation_algorithm_id): if aggregation_algorithm_id: if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms_dict( - self.root_api.get_root_admin_id()): + self.root_admin_id): raise AggregationAlgorithmUnknown() return self.driver.set_aggregation_algorithm_id(intra_extension_id, aggregation_algorithm_id) @@ -1814,7 +1837,6 @@ class IntraExtensionManager(manager.Manager): @dependency.provider('authz_api') -#@dependency.requires('resource_api') class IntraExtensionAuthzManager(IntraExtensionManager): def __init__(self): @@ -1829,7 +1851,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): elif genre == "admin": genre = "intra_admin_extension_id" - tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_admin_id) if tenant_id not in tenants_dict: # raise TenantUnknown("Cannot authz because Tenant is unknown {}".format(tenant_id)) @@ -1868,7 +1890,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def add_subject_dict(self, user_id, intra_extension_id, subject_dict): subject = super(IntraExtensionAuthzManager, self).add_subject_dict(user_id, intra_extension_id, subject_dict) subject_id, subject_value = subject.iteritems().next() - tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_admin_id) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_admin_extension_id"] and \ tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: @@ -1887,7 +1909,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def del_subject(self, user_id, intra_extension_id, subject_id): subject_name = self.driver.get_subjects_dict(intra_extension_id)[subject_id]["name"] super(IntraExtensionAuthzManager, self).del_subject(user_id, intra_extension_id, subject_id) - tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_admin_id) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id and \ tenants_dict[tenant_id]["intra_admin_extension_id"]: @@ -1907,7 +1929,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): subject = super(IntraExtensionAuthzManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict) subject_id, subject_value = subject.iteritems().next() - tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_admin_id) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value) @@ -2024,7 +2046,6 @@ class IntraExtensionAuthzManager(IntraExtensionManager): @dependency.provider('admin_api') -#@dependency.requires('resource_api') class IntraExtensionAdminManager(IntraExtensionManager): def __init__(self): @@ -2033,7 +2054,7 @@ class IntraExtensionAdminManager(IntraExtensionManager): def add_subject_dict(self, user_id, intra_extension_id, subject_dict): subject = super(IntraExtensionAdminManager, self).add_subject_dict(user_id, intra_extension_id, subject_dict) subject_id, subject_value = subject.iteritems().next() - tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_admin_id) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_admin_extension_id"] and \ tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: @@ -2052,7 +2073,7 @@ class IntraExtensionAdminManager(IntraExtensionManager): def del_subject(self, user_id, intra_extension_id, subject_id): subject_name = self.driver.get_subjects_dict(intra_extension_id)[subject_id]["name"] super(IntraExtensionAdminManager, self).del_subject(user_id, intra_extension_id, subject_id) - tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_admin_id) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id and \ tenants_dict[tenant_id]["intra_admin_extension_id"]: @@ -2072,7 +2093,7 @@ class IntraExtensionAdminManager(IntraExtensionManager): def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): subject = super(IntraExtensionAdminManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict) subject_id, subject_value = subject.iteritems().next() - tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_admin_id) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value) @@ -2083,75 +2104,45 @@ class IntraExtensionAdminManager(IntraExtensionManager): return subject def add_object_dict(self, user_id, intra_extension_id, object_name): - if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + if "admin" == self.get_intra_extension_dict(self.root_admin_id, intra_extension_id)['genre']: raise ObjectsWriteNoAuthorized() return super(IntraExtensionAdminManager, self).add_object_dict(user_id, intra_extension_id, object_name) def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict): - if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + if "admin" == self.get_intra_extension_dict(self.root_admin_id, intra_extension_id)['genre']: raise ObjectsWriteNoAuthorized() return super(IntraExtensionAdminManager, self).set_object_dict(user_id, intra_extension_id, object_id, object_dict) def del_object(self, user_id, intra_extension_id, object_id): - if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + if "admin" == self.get_intra_extension_dict(self.root_admin_id, intra_extension_id)['genre']: raise ObjectsWriteNoAuthorized() return super(IntraExtensionAdminManager, self).del_object(user_id, intra_extension_id, object_id) def add_action_dict(self, user_id, intra_extension_id, action_name): - if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + if "admin" == self.get_intra_extension_dict(self.root_admin_id, intra_extension_id)['genre']: raise ActionsWriteNoAuthorized() return super(IntraExtensionAdminManager, self).add_action_dict(user_id, intra_extension_id, action_name) def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict): - if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + if "admin" == self.get_intra_extension_dict(self.root_admin_id, intra_extension_id)['genre']: raise ActionsWriteNoAuthorized() return super(IntraExtensionAdminManager, self).set_action_dict(user_id, intra_extension_id, action_id, action_dict) def del_action(self, user_id, intra_extension_id, action_id): - if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + if "admin" == self.get_intra_extension_dict(self.root_admin_id, intra_extension_id)['genre']: raise ActionsWriteNoAuthorized() return super(IntraExtensionAdminManager, self).del_action(user_id, intra_extension_id, action_id) @dependency.provider('root_api') -@dependency.requires('admin_api', 'moonlog_api') +@dependency.requires('identity_api') class IntraExtensionRootManager(IntraExtensionManager): def __init__(self): super(IntraExtensionRootManager, self).__init__() - extensions = self.admin_api.driver.get_intra_extensions_dict() - for extension_id, extension_dict in extensions.iteritems(): - if extension_dict["name"] == CONF.moon.root_policy_directory: - self.root_extension_id = extension_id - break - else: - extension = self.admin_api.load_root_intra_extension_dict(CONF.moon.root_policy_directory) - if not extension: - raise IntraExtensionCreationError("The root extension is not created.") - self.root_extension_id = extension['id'] - self.root_admin_id = self.__compute_admin_id_for_root_extension() - - def get_root_extension_dict(self): - """ - - :return: {id: {"name": "xxx"}} - """ - return {self.root_extension_id: self.admin_api.driver.get_intra_extensions_dict()[self.root_extension_id]} - - def __compute_admin_id_for_root_extension(self): - for subject_id, subject_dict in self.admin_api.driver.get_subjects_dict(self.root_extension_id).iteritems(): - if subject_dict["name"] == "admin": - return subject_id - raise RootExtensionNotInitialized() - - def get_root_extension_id(self): - return self.root_extension_id - - def get_root_admin_id(self): - return self.root_admin_id def is_admin_subject(self, keystone_id): - for subject_id, subject_dict in self.admin_api.driver.get_subjects_dict(self.root_extension_id).iteritems(): + for subject_id, subject_dict in self.driver.get_subjects_dict(self.root_extension_id).iteritems(): if subject_id == keystone_id: # subject_id may be a true id from an intra_extension return True @@ -2159,9 +2150,8 @@ class IntraExtensionRootManager(IntraExtensionManager): return True return False + @dependency.provider('moonlog_api') -# Next line is mandatory in order to force keystone to process dependencies. -#@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api', 'root_api') class LogManager(manager.Manager): driver_namespace = 'keystone.moon.log' diff --git a/keystone-moon/keystone/tests/moon/unit/__init__.py b/keystone-moon/keystone/tests/moon/unit/__init__.py index 149585cd..bf3c1d1e 100644 --- a/keystone-moon/keystone/tests/moon/unit/__init__.py +++ b/keystone-moon/keystone/tests/moon/unit/__init__.py @@ -24,28 +24,12 @@ def create_intra_extension(self, policy_model="policy_authz"): if "authz" in policy_model: genre = "authz" IE["genre"] = genre - ref = self.admin_api.load_intra_extension_dict(self.root_api.get_root_admin_id(), + ref = self.admin_api.load_intra_extension_dict(self.root_api.root_admin_id, intra_extension_dict=IE) self.assertIsInstance(ref, dict) return ref -# def create_tenant(self, authz_uuid): -# tenant = { -# "id": uuid.uuid4().hex, -# "name": "TestAuthzIntraExtensionManager", -# "enabled": True, -# "description": "", -# "domain_id": "default" -# } -# project = self.resource_api.create_project(tenant["id"], tenant) -# mapping = self.tenant_api.set_tenant_dict(project["id"], project["name"], authz_uuid, None) -# self.assertIsInstance(mapping, dict) -# self.assertIn("authz", mapping) -# self.assertEqual(mapping["authz"], authz_uuid) -# return mapping - - def create_user(self, username="TestAdminIntraExtensionManagerUser"): user = { "id": uuid.uuid4().hex, @@ -57,6 +41,7 @@ def create_user(self, username="TestAdminIntraExtensionManagerUser"): _user = self.identity_api.create_user(user) return _user + def create_mapping(self, tenant_name=None, authz_id=None, admin_id=None): if not tenant_name: @@ -72,7 +57,7 @@ def create_mapping(self, tenant_name=None, authz_id=None, admin_id=None): "domain_id": "default" } keystone_tenant = self.resource_api.create_project(tenant["id"], tenant) - mapping = self.tenant_api.add_tenant_dict(self.root_api.get_root_admin_id(), tenant["id"], tenant) + mapping = self.tenant_api.add_tenant_dict(self.root_api.root_admin_id, tenant["id"], tenant) self.assertIsInstance(mapping, dict) self.assertIn("intra_authz_extension_id", mapping[tenant["id"]]) self.assertIn("intra_admin_extension_id", mapping[tenant["id"]]) diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py index 8aa8bcd9..8bd6cb4f 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py @@ -5,12 +5,9 @@ """Unit tests for core configuration.""" -import uuid from oslo_config import cfg from keystone.tests import unit as tests -from keystone.contrib.moon.core import ConfigurationManager from keystone.tests.unit.ksfixtures import database -from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager from keystone.contrib.moon.core import IntraExtensionAdminManager @@ -22,7 +19,6 @@ from keystone.tests.moon.unit import * CONF = cfg.CONF -# @dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') class TestConfigurationManager(tests.TestCase): def setUp(self): @@ -34,9 +30,10 @@ class TestConfigurationManager(tests.TestCase): self.resource_api.create_domain(domain['id'], domain) self.admin = create_user(self, username="admin") self.demo = create_user(self, username="demo") + self.root_api.load_root_intra_extension_dict() self.root_intra_extension = self.root_api.get_root_extension_dict() self.root_intra_extension_id = self.root_intra_extension.keys()[0] - self.ADMIN_ID = self.root_api.get_root_admin_id() + self.ADMIN_ID = self.root_api.root_admin_id self.authz_manager = self.authz_api self.admin_manager = self.admin_api self.configuration_manager = self.configuration_api @@ -72,15 +69,3 @@ class TestConfigurationManager(tests.TestCase): self.assertIsInstance(data, dict) self.assertIn("policy_root", data) - # def test_get_aggregation_algorithm_dict(self): - # admin_intra_extension = create_intra_extension(self, policy_model="policy_rbac_admin") - # print(admin_intra_extension) - # data = self.manager.get_aggregation_algorithm_dict(self.ADMIN_ID, admin_intra_extension['id']) - # print(data) - - # def test_get_sub_meta_rule_algorithm_dict(self): - # data = self.manager.get_sub_meta_rule_algorithm_dict(self.ADMIN_ID) - # print(data) - # - # self.assertEqual("", "ee") - diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py index 424e4cbb..d3f088c0 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py @@ -5,15 +5,11 @@ """Unit tests for core IntraExtensionAdminManager""" -import json -import os -import uuid from oslo_config import cfg from keystone.tests import unit as tests from keystone.contrib.moon.core import IntraExtensionAdminManager, IntraExtensionAuthzManager -from keystone.contrib.moon.core import IntraExtensionRootManager, ConfigurationManager +from keystone.contrib.moon.core import ConfigurationManager from keystone.tests.unit.ksfixtures import database -from keystone import resource from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager, TenantManager @@ -47,9 +43,10 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.resource_api.create_domain(domain['id'], domain) self.admin = create_user(self, username="admin") self.demo = create_user(self, username="demo") + self.root_api.load_root_intra_extension_dict() self.root_intra_extension = self.root_api.get_root_extension_dict() self.root_intra_extension_id = self.root_intra_extension.keys()[0] - self.ADMIN_ID = self.root_api.get_root_admin_id() + self.ADMIN_ID = self.root_api.root_admin_id self.authz_manager = self.authz_api self.admin_manager = self.admin_api @@ -63,7 +60,6 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): "admin_api": IntraExtensionAdminManager(), "authz_api": IntraExtensionAuthzManager(), "configuration_api": ConfigurationManager(), - # "resource_api": resource.Manager(), } def config_overrides(self): @@ -969,9 +965,10 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): self.resource_api.create_domain(domain['id'], domain) self.admin = create_user(self, username="admin") self.demo = create_user(self, username="demo") + self.root_api.load_root_intra_extension_dict() self.root_intra_extension = self.root_api.get_root_extension_dict() self.root_intra_extension_id = self.root_intra_extension.keys()[0] - self.ADMIN_ID = self.root_api.get_root_admin_id() + self.ADMIN_ID = self.root_api.root_admin_id self.authz_manager = self.authz_api self.admin_manager = self.admin_api diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py index afe0e7f2..172c6b6d 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py @@ -5,15 +5,11 @@ """Unit tests for core IntraExtensionAuthzManager""" -import json -import os -import uuid from oslo_config import cfg from keystone.tests import unit as tests from keystone.contrib.moon.core import IntraExtensionAdminManager, IntraExtensionAuthzManager, IntraExtensionRootManager from keystone.contrib.moon.core import ConfigurationManager from keystone.tests.unit.ksfixtures import database -from keystone import resource from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager, TenantManager @@ -33,7 +29,7 @@ IE = { "description": "a simple description." } -#@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') + class TestIntraExtensionAuthzManagerAuthzOK(tests.TestCase): def setUp(self): @@ -45,9 +41,10 @@ class TestIntraExtensionAuthzManagerAuthzOK(tests.TestCase): self.resource_api.create_domain(domain['id'], domain) self.admin = create_user(self, username="admin") self.demo = create_user(self, username="demo") + self.root_api.load_root_intra_extension_dict() self.root_intra_extension = self.root_api.get_root_extension_dict() self.root_intra_extension_id = self.root_intra_extension.keys()[0] - self.ADMIN_ID = self.root_api.get_root_admin_id() + self.ADMIN_ID = self.root_api.root_admin_id self.authz_manager = self.authz_api self.admin_manager = self.admin_api @@ -938,7 +935,6 @@ class TestIntraExtensionAuthzManagerAuthzOK(tests.TestCase): # TODO: add test for the delete function -#@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api', 'identity_api', 'root_api') class TestIntraExtensionAuthzManagerAuthzKO(tests.TestCase): def setUp(self): @@ -950,9 +946,10 @@ class TestIntraExtensionAuthzManagerAuthzKO(tests.TestCase): self.resource_api.create_domain(domain['id'], domain) self.admin = create_user(self, username="admin") self.demo = create_user(self, username="demo") + self.root_api.load_root_intra_extension_dict() self.root_intra_extension = self.root_api.get_root_extension_dict() self.root_intra_extension_id = self.root_intra_extension.keys()[0] - self.ADMIN_ID = self.root_api.get_root_admin_id() + self.ADMIN_ID = self.root_api.root_admin_id self.authz_manager = self.authz_api self.admin_manager = self.admin_api diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py index 06864cc5..7d205bc9 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py @@ -5,16 +5,12 @@ """Unit tests for LogManager""" -import json -import os -import uuid import time from oslo_config import cfg from keystone.tests import unit as tests from keystone.contrib.moon.core import ConfigurationManager from keystone.contrib.moon.core import IntraExtensionAuthzManager from keystone.tests.unit.ksfixtures import database -from keystone import resource from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager, TenantManager @@ -36,7 +32,7 @@ IE = { TIME_FORMAT = '%Y-%m-%d-%H:%M:%S' -@dependency.requires('admin_api', 'tenant_api', 'configuration_api') + class TestIntraExtensionAdminManager(tests.TestCase): def setUp(self): @@ -48,9 +44,10 @@ class TestIntraExtensionAdminManager(tests.TestCase): self.resource_api.create_domain(domain['id'], domain) self.admin = create_user(self, username="admin") self.demo = create_user(self, username="demo") + self.root_api.load_root_intra_extension_dict() self.root_intra_extension = self.root_api.get_root_extension_dict() self.root_intra_extension_id = self.root_intra_extension.keys()[0] - self.ADMIN_ID = self.root_api.get_root_admin_id() + self.ADMIN_ID = self.root_api.root_admin_id self.authz_manager = self.authz_api self.admin_manager = self.admin_api self.tenant_manager = self.tenant_api @@ -64,7 +61,6 @@ class TestIntraExtensionAdminManager(tests.TestCase): "authz_api": IntraExtensionAuthzManager(), "tenant_api": TenantManager(), "configuration_api": ConfigurationManager(), - # "resource_api": resource.Manager(), } def config_overrides(self): diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py index 99fb5965..a74bc240 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py @@ -5,7 +5,6 @@ """Unit tests for core tenant.""" -import uuid from oslo_config import cfg from keystone.tests import unit as tests from keystone.contrib.moon.core import ConfigurationManager @@ -15,7 +14,7 @@ from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager from keystone.contrib.moon.core import IntraExtensionRootManager from keystone.contrib.moon.core import IntraExtensionAdminManager -from keystone.common import dependency +from keystone.contrib.moon.core import IntraExtensionAuthzManager from keystone.tests.moon.unit import * @@ -31,7 +30,7 @@ IE = { "description": "a simple description." } -@dependency.requires('admin_api', 'tenant_api', 'configuration_api') + class TestTenantManager(tests.TestCase): ADMIN_ID = None @@ -44,9 +43,10 @@ class TestTenantManager(tests.TestCase): self.resource_api.create_domain(domain['id'], domain) self.admin = create_user(self, username="admin") self.demo = create_user(self, username="demo") + self.root_api.load_root_intra_extension_dict() self.root_intra_extension = self.root_api.get_root_extension_dict() self.root_intra_extension_id = self.root_intra_extension.keys()[0] - self.ADMIN_ID = self.root_api.get_root_admin_id() + self.ADMIN_ID = self.root_api.root_admin_id self.authz_manager = self.authz_api self.admin_manager = self.admin_api self.tenant_manager = self.tenant_api @@ -55,6 +55,7 @@ class TestTenantManager(tests.TestCase): return { "moonlog_api": LogManager(), "admin_api": IntraExtensionAdminManager(), + "authz_api": IntraExtensionAuthzManager(), "configuration_api": ConfigurationManager(), "root_api": IntraExtensionRootManager(), } |