authorRHE <rebirthmonkey@gmail.com>2017-12-28 15:19:05 +0100
committerRHE <rebirthmonkey@gmail.com>2017-12-28 15:19:05 +0100
commitb7cf76d39eab9d292b8d58db4b0934557cad4509 (patch)
tree556b0e617b5921ad3779b7aed3b669bb475331c6 /moon_authz
parent9cf58823b4fa426816acfef81a562054d26afde8 (diff)
moonv4.3 review
Change-Id: I0d137df21136292b58194def44ac5b32183368fc Signed-off-by: RHE <rebirthmonkey@gmail.com>
Diffstat (limited to 'moon_authz')
-rw-r--r--moon_authz/Dockerfile8
-rw-r--r--moon_authz/README.md (renamed from moon_authz/README.rst)3
-rw-r--r--moon_authz/moon_authz/api/authorization.py96
-rw-r--r--moon_authz/moon_authz/api/generic.py131
-rw-r--r--moon_authz/moon_authz/http_server.py2
-rw-r--r--moon_authz/moon_authz/server.py7
-rw-r--r--moon_authz/setup.py2
7 files changed, 55 insertions, 194 deletions
diff --git a/moon_authz/Dockerfile b/moon_authz/Dockerfile
index 7ab172b0..fea9555d 100644
--- a/moon_authz/Dockerfile
+++ b/moon_authz/Dockerfile
@@ -1,12 +1,8 @@
-FROM ubuntu:latest
-
-RUN apt update && apt install python3.5 python3-pip -y
-RUN pip3 install pip --upgrade
+FROM python:3
ADD . /root
WORKDIR /root/
-RUN pip3 install -r requirements.txt --upgrade
-RUN pip3 install /root/dist/* --upgrade
+RUN pip3 install -r requirements.txt
RUN pip3 install .
CMD ["python3", "-m", "moon_authz"] \ No newline at end of file
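Review bot: `FROM python:3` on the new side is a floating tag, so the interpreter version and base-image packages change silently from one build to the next; pin a specific version tag or an image digest so rebuilds are reproducible and base-image upgrades are deliberate. `ADD . /root` copies the whole build context into the image, so `.git` and the local `dist/` directory (no longer installed after this change) still end up in every layer; prefer `COPY . /root` (ADD's URL-fetch and archive-extraction behaviour is not needed here) together with a `.dockerignore`. The service also runs as root inside `/root/`; a dedicated unprivileged user would limit what a compromised process can do on the container.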
diff --git a/moon_authz/README.rst b/moon_authz/README.md
index ded4e99a..696c29a1 100644
--- a/moon_authz/README.rst
+++ b/moon_authz/README.md
@@ -1,5 +1,4 @@
-Core module for the Moon project
-================================
+# moon_authz
This package contains the core module for the Moon project
It is designed to provide authorization features to all OpenStack components.
diff --git a/moon_authz/moon_authz/api/authorization.py b/moon_authz/moon_authz/api/authorization.py
index 4cd8de06..d7832ef0 100644
--- a/moon_authz/moon_authz/api/authorization.py
+++ b/moon_authz/moon_authz/api/authorization.py
@@ -19,20 +19,20 @@ from flask_restful import Resource
# - call the next security function
# - call the master if an element is absent
-LOG = logging.getLogger("moon.api." + __name__)
+LOG = logging.getLogger("moon.authz.api." + __name__)
class Authz(Resource):
"""
Endpoint for authz requests
"""
+ __version__ = "0.1.0"
__urls__ = (
"/authz",
"/authz/",
- "/authz/<string:uuid>/<string:subject_name>/<string:object_name>/<string:action_name>",
)
- __version__ = "0.1.0"
+
pdp_id = None
meta_rule_id = None
keystone_project_id = None
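Review bot: `logging.getLogger("moon.authz.api." + __name__)` on the new side presumably yields a doubled hierarchy, because `__name__` for this module should already be `moon_authz.api.authorization`, giving `moon.authz.api.moon_authz.api.authorization`; the other files in this commit switch to literal names instead (`moon.authz.http_server` in http_server.py, `moon.authz.server` in server.py), so logger naming is now inconsistent across the package. Either use a literal here as well, `LOG = logging.getLogger("moon.authz.api.authorization")`, or derive all of them from `__name__` the same way. Dropping the `/authz/<uuid>/...` route also narrows the public URL surface; if any client still relies on it, that deserves a sentence in the commit message or README. The `Authz` class continues outside the hunk.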
@@ -47,13 +47,11 @@ class Authz(Resource):
self.cache = kwargs.get("cache")
self.context = None
- def post(self, uuid=None, subject_name=None, object_name=None, action_name=None):
+ def post(self):
"""Get a response on an authorization request
- :param uuid: uuid of a tenant or an intra_extension
- :param subject_name: name of the subject or the request
- :param object_name: name of the object
- :param action_name: name of the action
+ :request:
+
:return: {
"args": {},
"ctx": {
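Review bot: The rewritten docstring of `post` leaves `:request:` empty, so the method no longer says where the uuid, subject, object and action come from now that the URL parameters are gone. Fill that field with a description of the expected request body, listing the keys the handler reads and which of them are mandatory, along the lines of `:request: JSON body of the authorization request (document its fields here)`. The body of `post` continues outside the hunk, so I cannot confirm from here which fields it actually reads.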
@@ -255,47 +253,47 @@ class Authz(Resource):
self.context.current_state = "passed"
LOG.info("__exec_instructions False {}".format(self.context.current_state))
- def __update_current_request(self):
- index = self.payload["authz_context"]["index"]
- current_header_id = self.payload["authz_context"]['headers'][index]
- previous_header_id = self.payload["authz_context"]['headers'][index - 1]
- current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id)
- previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id)
- # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy
- if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "session":
- subject = self.payload["authz_context"]['current_request'].get("subject")
- subject_category_id = None
- role_names = []
- for category_id, category_value in ModelManager.get_subject_categories("admin").items():
- if category_value["name"] == "role":
- subject_category_id = category_id
- break
- for assignment_id, assignment_value in PolicyManager.get_subject_assignments(
- "admin", previous_policy_id, subject, subject_category_id).items():
- for data_id in assignment_value["assignments"]:
- data = PolicyManager.get_subject_data("admin", previous_policy_id, data_id, subject_category_id)
- for _data in data:
- for key, value in _data["data"].items():
- role_names.append(value["name"])
- new_role_ids = []
- for perimeter_id, perimeter_value in PolicyManager.get_objects("admin", current_policy_id).items():
- if perimeter_value["name"] in role_names:
- new_role_ids.append(perimeter_id)
- break
- perimeter_id = None
- for perimeter_id, perimeter_value in PolicyManager.get_actions("admin", current_policy_id).items():
- if perimeter_value["name"] == "*":
- break
-
- self.payload["authz_context"]['current_request']['object'] = new_role_ids[0]
- self.payload["authz_context"]['current_request']['action'] = perimeter_id
- elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac":
- self.payload["authz_context"]['current_request']['subject'] = \
- self.payload["authz_context"]['initial_request']['subject']
- self.payload["authz_context"]['current_request']['object'] = \
- self.payload["authz_context"]['initial_request']['object']
- self.payload["authz_context"]['current_request']['action'] = \
- self.payload["authz_context"]['initial_request']['action']
+ # def __update_current_request(self):
+ # index = self.payload["authz_context"]["index"]
+ # current_header_id = self.payload["authz_context"]['headers'][index]
+ # previous_header_id = self.payload["authz_context"]['headers'][index - 1]
+ # current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id)
+ # previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id)
+ # # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy
+ # if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "session":
+ # subject = self.payload["authz_context"]['current_request'].get("subject")
+ # subject_category_id = None
+ # role_names = []
+ # for category_id, category_value in ModelManager.get_subject_categories("admin").items():
+ # if category_value["name"] == "role":
+ # subject_category_id = category_id
+ # break
+ # for assignment_id, assignment_value in PolicyManager.get_subject_assignments(
+ # "admin", previous_policy_id, subject, subject_category_id).items():
+ # for data_id in assignment_value["assignments"]:
+ # data = PolicyManager.get_subject_data("admin", previous_policy_id, data_id, subject_category_id)
+ # for _data in data:
+ # for key, value in _data["data"].items():
+ # role_names.append(value["name"])
+ # new_role_ids = []
+ # for perimeter_id, perimeter_value in PolicyManager.get_objects("admin", current_policy_id).items():
+ # if perimeter_value["name"] in role_names:
+ # new_role_ids.append(perimeter_id)
+ # break
+ # perimeter_id = None
+ # for perimeter_id, perimeter_value in PolicyManager.get_actions("admin", current_policy_id).items():
+ # if perimeter_value["name"] == "*":
+ # break
+ #
+ # self.payload["authz_context"]['current_request']['object'] = new_role_ids[0]
+ # self.payload["authz_context"]['current_request']['action'] = perimeter_id
+ # elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac":
+ # self.payload["authz_context"]['current_request']['subject'] = \
+ # self.payload["authz_context"]['initial_request']['subject']
+ # self.payload["authz_context"]['current_request']['object'] = \
+ # self.payload["authz_context"]['initial_request']['object']
+ # self.payload["authz_context"]['current_request']['action'] = \
+ # self.payload["authz_context"]['initial_request']['action']
def get_authz(self):
# self.keystone_project_id = payload["id"]
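Review bot: `__update_current_request` is commented out rather than deleted, leaving about forty lines of dead code in the class that nobody will keep in sync with the `PolicyManager`/`ModelManager` APIs it calls; git history already preserves the old implementation, so remove the block outright. If any call site `self.__update_current_request()` survives outside this hunk, it will now raise `AttributeError` at request time rather than failing at import, so search for it before merging. The surrounding class continues outside the hunk.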
diff --git a/moon_authz/moon_authz/api/generic.py b/moon_authz/moon_authz/api/generic.py
deleted file mode 100644
index f4e13e42..00000000
--- a/moon_authz/moon_authz/api/generic.py
+++ /dev/null
@@ -1,131 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-"""
-Those API are helping API used to manage the Moon platform.
-"""
-
-from flask_restful import Resource, request
-from oslo_log import log as logging
-import moon_authz.api
-from python_moonutilities.security_functions import check_auth
-
-__version__ = "0.1.0"
-
-LOG = logging.getLogger("moon.authz.api." + __name__)
-
-
-class Status(Resource):
- """
- Endpoint for status requests
- """
-
- __urls__ = ("/status", "/status/", "/status/<string:component_id>")
-
- def get(self, component_id=None):
- """Retrieve status of all components
-
- :return: {
- "orchestrator": {
- "status": "Running"
- },
- "security_router": {
- "status": "Running"
- }
- }
- """
- raise NotImplemented
-
-
-class Logs(Resource):
- """
- Endpoint for logs requests
- """
-
- __urls__ = ("/logs", "/logs/", "/logs/<string:component_id>")
-
- def get(self, component_id=None):
- """Get logs from the Moon platform
-
- :param component_id: the ID of the component your are looking for (optional)
- :return: [
- "2015-04-15-13:45:20
- "2015-04-15-13:45:21
- "2015-04-15-13:45:22
- "2015-04-15-13:45:23
- ]
- """
- filter_str = request.args.get('filter', '')
- from_str = request.args.get('from', '')
- to_str = request.args.get('to', '')
- event_number = request.args.get('event_number', '')
- try:
- event_number = int(event_number)
- except ValueError:
- event_number = None
- args = dict()
- args["filter"] = filter_str
- args["from"] = from_str
- args["to"] = to_str
- args["event_number"] = event_number
-
- raise NotImplemented
-
-
-class API(Resource):
- """
- Endpoint for API requests
- """
-
- __urls__ = (
- "/api",
- "/api/",
- "/api/<string:group_id>",
- "/api/<string:group_id>/",
- "/api/<string:group_id>/<string:endpoint_id>")
-
- @check_auth
- def get(self, group_id="", endpoint_id="", user_id=""):
- """Retrieve all API endpoints or a specific endpoint if endpoint_id is given
-
- :param group_id: the name of one existing group (ie generic, ...)
- :param endpoint_id: the name of one existing component (ie Logs, Status, ...)
- :return: {
- "group_name": {
- "endpoint_name": {
- "description": "a description",
- "methods": {
- "get": "description of the HTTP method"
- },
- "urls": ('/api', '/api/', '/api/<string:endpoint_id>')
- }
- }
- """
- __methods = ("get", "post", "put", "delete", "options", "patch")
- api_list = filter(lambda x: "__" not in x, dir(moon_authz.api))
- api_desc = dict()
- for api_name in api_list:
- api_desc[api_name] = {}
- group_api_obj = eval("moon_interface.api.{}".format(api_name))
- api_desc[api_name]["description"] = group_api_obj.__doc__
- if "__version__" in dir(group_api_obj):
- api_desc[api_name]["version"] = group_api_obj.__version__
- object_list = list(filter(lambda x: "__" not in x, dir(group_api_obj)))
- for obj in map(lambda x: eval("moon_interface.api.{}.{}".format(api_name, x)), object_list):
- if "__urls__" in dir(obj):
- api_desc[api_name][obj.__name__] = dict()
- api_desc[api_name][obj.__name__]["urls"] = obj.__urls__
- api_desc[api_name][obj.__name__]["methods"] = dict()
- for _method in filter(lambda x: x in __methods, dir(obj)):
- docstring = eval("moon_interface.api.{}.{}.{}.__doc__".format(api_name, obj.__name__, _method))
- api_desc[api_name][obj.__name__]["methods"][_method] = docstring
- api_desc[api_name][obj.__name__]["description"] = str(obj.__doc__)
- if group_id in api_desc:
- if endpoint_id in api_desc[group_id]:
- return {group_id: {endpoint_id: api_desc[group_id][endpoint_id]}}
- elif len(endpoint_id) > 0:
- LOG.error("Unknown endpoint_id {}".format(endpoint_id))
- return {"error": "Unknown endpoint_id {}".format(endpoint_id)}
- return {group_id: api_desc[group_id]}
- return api_desc
diff --git a/moon_authz/moon_authz/http_server.py b/moon_authz/moon_authz/http_server.py
index 50e878d3..d24a02ca 100644
--- a/moon_authz/moon_authz/http_server.py
+++ b/moon_authz/moon_authz/http_server.py
@@ -12,7 +12,7 @@ from moon_authz.api.authorization import Authz
from python_moonutilities.cache import Cache
from python_moonutilities import exceptions
-logger = logging.getLogger("moon." + __name__)
+logger = logging.getLogger("moon.authz.http_server")
CACHE = Cache()
CACHE.update()
diff --git a/moon_authz/moon_authz/server.py b/moon_authz/moon_authz/server.py
index 974012dc..1919ebe5 100644
--- a/moon_authz/moon_authz/server.py
+++ b/moon_authz/moon_authz/server.py
@@ -8,20 +8,19 @@ from oslo_log import log as logging
from moon_authz.http_server import HTTPServer as Server
from python_moonutilities import configuration
-LOG = logging.getLogger("moon.server")
+LOG = logging.getLogger("moon.authz.server")
DOMAIN = "moon_authz"
-__CWD__ = os.path.dirname(os.path.abspath(__file__))
-
def main():
+ configuration.init_logging()
+
component_id = os.getenv("UUID")
component_type = os.getenv("TYPE")
tcp_port = os.getenv("PORT")
pdp_id = os.getenv("PDP_ID")
meta_rule_id = os.getenv("META_RULE_ID")
keystone_project_id = os.getenv("KEYSTONE_PROJECT_ID")
- configuration.init_logging()
LOG.info("component_type={}".format(component_type))
conf = configuration.get_configuration("plugins/{}".format(component_type))
conf["plugins/{}".format(component_type)]['id'] = component_id
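Review bot: None of the `os.getenv` values read in `main` is validated, so a missing `TYPE` silently produces the config key `plugins/None` on the last line and a missing `PORT` presumably reaches the server setup as `None`; moving `init_logging()` earlier does not address this. A guard after the reads, `if not component_type: raise RuntimeError("TYPE environment variable is required")` (and likewise for the other variables the service cannot start without), fails fast with a clear message instead of a later `KeyError` or `TypeError`. `main` continues outside the hunk, so I cannot see how `tcp_port` and the ids are consumed.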
diff --git a/moon_authz/setup.py b/moon_authz/setup.py
index a8dcd0c4..c3ac33c7 100644
--- a/moon_authz/setup.py
+++ b/moon_authz/setup.py
@@ -21,7 +21,7 @@ setup(
description="",
- long_description=open('README.rst').read(),
+ long_description=open('README.md').read(),
# install_requires= ,