authorasteroide <thomas.duval@orange.com>2017-05-15 14:19:43 +0200
committerasteroide <thomas.duval@orange.com>2017-05-15 14:19:43 +0200
commit019b10d95976bb80bcce60ee93099b0fd57fcab5 (patch)
tree9e2b5c68dd8dadfc97346b77bf5549edbdf2c57a /moonv4/moon_interface
parent80ca346a4cb183a6a1e684f6d8a9e19e3fc55d0e (diff)
Update Moon engine to allow a session policy
Change-Id: I63a80597710f08a6641e159cc2306d3cc68b1240
Diffstat (limited to 'moonv4/moon_interface')
-rw-r--r--moonv4/moon_interface/moon_interface/api/rules.py25
-rw-r--r--moonv4/moon_interface/tests/apitests/populate_default_values.py61
-rw-r--r--moonv4/moon_interface/tests/apitests/scenario/rbac.py19
-rw-r--r--moonv4/moon_interface/tests/apitests/scenario/session.py23
-rw-r--r--moonv4/moon_interface/tests/apitests/set_authz.py13
-rw-r--r--moonv4/moon_interface/tests/apitests/utils/policies.py3
6 files changed, 102 insertions, 42 deletions
diff --git a/moonv4/moon_interface/moon_interface/api/rules.py b/moonv4/moon_interface/moon_interface/api/rules.py
index 81639a37..7757d275 100644
--- a/moonv4/moon_interface/moon_interface/api/rules.py
+++ b/moonv4/moon_interface/moon_interface/api/rules.py
@@ -62,13 +62,34 @@ class Rules(Resource):
:request body: post = {
"meta_rule_id": "meta_rule_id1",
"rule": ["subject_data_id2", "object_data_id2", "action_data_id2"],
+ "instructions": (
+ {"decision": "grant"},
+ )
"enabled": True
}
:return: {
"rules": [
"meta_rule_id": "meta_rule_id1",
- "rule_id1": ["subject_data_id1", "object_data_id1", "action_data_id1"],
- "rule_id2": ["subject_data_id2", "object_data_id2", "action_data_id2"],
+ "rule_id1": {
+ "rule": ["subject_data_id1", "object_data_id1", "action_data_id1"],
+ "instructions": (
+ {"decision": "grant"}, # "grant" to immediately exit,
+ # "continue" to wait for the result of next policy
+ # "deny" to deny the request
+ )
+ }
+ "rule_id2": {
+ "rule": ["subject_data_id2", "object_data_id2", "action_data_id2"],
+ "instructions": (
+ {
+ "update": {
+ "operation": "add", # operations may be "add" or "delete"
+ "target": "rbac:role:admin" # add the role admin to the current user
+ }
+ },
+ {"chain": {"name": "rbac"}} # chain with the policy named rbac
+ )
+ }
]
}
:internal_api: add_rule
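Review bot: The request-body example at the top of the hunk is missing the separator after the new `instructions` tuple — the closing `)` is followed directly by `"enabled": True` — and the same gap appears between the `rule_id1` and `rule_id2` entries in the return example, so the docstring can no longer be read as a literal body; `),` and `},` respectively fix both. The example also does not say whether `instructions` may be omitted or what a rule without it does, which is worth one sentence given that the documented `update` instruction modifies the current user's own role assignment. The `Rules` class and the method this docstring belongs to continue outside the hunk.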
diff --git a/moonv4/moon_interface/tests/apitests/populate_default_values.py b/moonv4/moon_interface/tests/apitests/populate_default_values.py
index 5ad6098f..0e3438db 100644
--- a/moonv4/moon_interface/tests/apitests/populate_default_values.py
+++ b/moonv4/moon_interface/tests/apitests/populate_default_values.py
@@ -56,7 +56,7 @@ def create_model():
def create_policy(model_id, meta_rule_list):
if args.verbose:
logger.warning("Creating policy {}".format(scenario.policy_name))
- policy_id = add_policy(name=scenario.policy_name)
+ policy_id = add_policy(name=scenario.policy_name, genre=scenario.policy_genre)
update_policy(policy_id, model_id)
@@ -90,23 +90,52 @@ def create_policy(model_id, meta_rule_list):
scenario.actions[name] = add_action(policy_id, name=name)
for subject_name in scenario.subject_assignments:
- for subject_category_name in scenario.subject_assignments[subject_name]:
- subject_id = scenario.subjects[subject_name]
- subject_cat_id = scenario.subject_categories[subject_category_name]
- subject_data_id = scenario.subject_data[subject_category_name][scenario.subject_assignments[subject_name][subject_category_name]]
- add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id)
+ if type(scenario.subject_assignments[subject_name]) in (list, tuple):
+ for items in scenario.subject_assignments[subject_name]:
+ for subject_category_name in items:
+ subject_id = scenario.subjects[subject_name]
+ subject_cat_id = scenario.subject_categories[subject_category_name]
+ for data in scenario.subject_assignments[subject_name]:
+ subject_data_id = scenario.subject_data[subject_category_name][data[subject_category_name]]
+ add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id)
+ else:
+ for subject_category_name in scenario.subject_assignments[subject_name]:
+ subject_id = scenario.subjects[subject_name]
+ subject_cat_id = scenario.subject_categories[subject_category_name]
+ subject_data_id = scenario.subject_data[subject_category_name][scenario.subject_assignments[subject_name][subject_category_name]]
+ add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id)
+
for object_name in scenario.object_assignments:
- for object_category_name in scenario.object_assignments[object_name]:
- object_id = scenario.objects[object_name]
- object_cat_id = scenario.object_categories[object_category_name]
- object_data_id = scenario.object_data[object_category_name][scenario.object_assignments[object_name][object_category_name]]
- add_object_assignments(policy_id, object_id, object_cat_id, object_data_id)
+ if type(scenario.object_assignments[object_name]) in (list, tuple):
+ for items in scenario.object_assignments[object_name]:
+ for object_category_name in items:
+ object_id = scenario.objects[object_name]
+ object_cat_id = scenario.object_categories[object_category_name]
+ for data in scenario.object_assignments[object_name]:
+ object_data_id = scenario.object_data[object_category_name][data[object_category_name]]
+ add_object_assignments(policy_id, object_id, object_cat_id, object_data_id)
+ else:
+ for object_category_name in scenario.object_assignments[object_name]:
+ object_id = scenario.objects[object_name]
+ object_cat_id = scenario.object_categories[object_category_name]
+ object_data_id = scenario.object_data[object_category_name][scenario.object_assignments[object_name][object_category_name]]
+ add_object_assignments(policy_id, object_id, object_cat_id, object_data_id)
+
for action_name in scenario.action_assignments:
- for action_category_name in scenario.action_assignments[action_name]:
- action_id = scenario.actions[action_name]
- action_cat_id = scenario.action_categories[action_category_name]
- action_data_id = scenario.action_data[action_category_name][scenario.action_assignments[action_name][action_category_name]]
- add_action_assignments(policy_id, action_id, action_cat_id, action_data_id)
+ if type(scenario.action_assignments[action_name]) in (list, tuple):
+ for items in scenario.action_assignments[action_name]:
+ for action_category_name in items:
+ action_id = scenario.actions[action_name]
+ action_cat_id = scenario.action_categories[action_category_name]
+ for data in scenario.action_assignments[action_name]:
+ action_data_id = scenario.action_data[action_category_name][data[action_category_name]]
+ add_action_assignments(policy_id, action_id, action_cat_id, action_data_id)
+ else:
+ for action_category_name in scenario.action_assignments[action_name]:
+ action_id = scenario.actions[action_name]
+ action_cat_id = scenario.action_categories[action_category_name]
+ action_data_id = scenario.action_data[action_category_name][scenario.action_assignments[action_name][action_category_name]]
+ add_action_assignments(policy_id, action_id, action_cat_id, action_data_id)
for meta_rule_name in scenario.rules:
meta_rule_value = scenario.meta_rule[meta_rule_name]
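Review bot: In the new list/tuple branch of the subject loop, the inner `for data in scenario.subject_assignments[subject_name]` iterates the whole assignment tuple again for every `items` entry, so each (category, data) pair is posted once per entry — with the two-item tuples in the rbac scenario every assignment is sent twice — and `data[subject_category_name]` raises KeyError as soon as a later entry uses a different category key; the object and action loops copy the same shape. The element already in hand is `items`, so the lookup should be `items[subject_category_name]` and the inner loop dropped, and the three copies can share the small normaliser below (`isinstance(x, (list, tuple))` also replaces `type(x) in (list, tuple)`). `create_policy` starts in the previous hunk and continues past this one. Separately, the `scenario.policy_genre` read in the first hunk makes that attribute mandatory for every scenario module; `getattr(scenario, "policy_genre", "authz")` would keep older scenarios loading with `add_policy`'s default.
```python
def _assignment_items(assignment):
    """Return *assignment* as a tuple of {category: data_name} dicts (older scenarios give a single dict)."""
    return tuple(assignment) if isinstance(assignment, (list, tuple)) else (assignment,)


# … inside create_policy, replacing the three assignment loops …
    for subject_name in scenario.subject_assignments:
        subject_id = scenario.subjects[subject_name]
        for items in _assignment_items(scenario.subject_assignments[subject_name]):
            for subject_category_name, data_name in items.items():
                subject_cat_id = scenario.subject_categories[subject_category_name]
                subject_data_id = scenario.subject_data[subject_category_name][data_name]
                add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id)
    # … same shape for object_assignments / add_object_assignments and action_assignments / add_action_assignments …
```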
diff --git a/moonv4/moon_interface/tests/apitests/scenario/rbac.py b/moonv4/moon_interface/tests/apitests/scenario/rbac.py
index a43bd1f4..89fd7de8 100644
--- a/moonv4/moon_interface/tests/apitests/scenario/rbac.py
+++ b/moonv4/moon_interface/tests/apitests/scenario/rbac.py
@@ -2,6 +2,7 @@
pdp_name = "pdp1"
policy_name = "RBAC policy example"
model_name = "RBAC"
+policy_genre = "authz"
subjects = {"user0": "", "user1": "", }
objects = {"vm0": "", "vm1": "", }
@@ -11,13 +12,13 @@ subject_categories = {"role": "", }
object_categories = {"id": "", }
action_categories = {"action-type": "", }
-subject_data = {"role": {"admin": "", "employee": ""}}
-object_data = {"id": {"vm0": "", "vm1": ""}}
-action_data = {"action-type": {"vm-action": "", }}
+subject_data = {"role": {"admin": "", "employee": "", "*": ""}}
+object_data = {"id": {"vm0": "", "vm1": "", "*": ""}}
+action_data = {"action-type": {"vm-action": "", "*": ""}}
-subject_assignments = {"user0": {"role": "employee"}, "user1": {"role": "employee"}, }
-object_assignments = {"vm0": {"id": "vm0"}, "vm1": {"id": "vm1"}}
-action_assignments = {"start": {"action-type": "vm-action"}, "stop": {"action-type": "vm-action"}}
+subject_assignments = {"user0": ({"role": "employee"}, {"role": "*"}), "user1": ({"role": "employee"}, {"role": "*"}), }
+object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})}
+action_assignments = {"start": ({"action-type": "vm-action"}, {"action-type": "*"}), "stop": ({"action-type": "vm-action"}, {"action-type": "*"})}
meta_rule = {
"rbac": {"id": "", "value": ("role", "id", "action-type")},
@@ -28,13 +29,13 @@ rules = {
{
"rule": ("admin", "vm0", "vm-action"),
"instructions": (
- {"decision": "grant"} # "grant" to immediately exit, "continue" to wait for the result of next policy
+ {"decision": "grant"}, # "grant" to immediately exit, "continue" to wait for the result of next policy
)
},
{
- "rule": ("admin", "vm1", "vm-action"),
+ "rule": ("employee", "vm1", "vm-action"),
"instructions": (
- {"decision": "grant"}
+ {"decision": "grant"},
)
},
)
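Review bot: Every subject, object and action in this scenario now also carries a `"*"` data entry, but none of the rbac rules in the last hunk reference `"*"`, so nothing on the page shows how the engine treats that value or why the extra assignments are needed here; a one-line comment next to `subject_data`, e.g. `# "*" is the catch-all data value referenced by the session scenario's chained rules`, would record the intent — if that is indeed the reason. The three `*_assignments` literals are also long enough that one entry per line would read better.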
diff --git a/moonv4/moon_interface/tests/apitests/scenario/session.py b/moonv4/moon_interface/tests/apitests/scenario/session.py
index 6b7e0f18..97d7aec3 100644
--- a/moonv4/moon_interface/tests/apitests/scenario/session.py
+++ b/moonv4/moon_interface/tests/apitests/scenario/session.py
@@ -2,6 +2,7 @@
pdp_name = "pdp1"
policy_name = "Session policy example"
model_name = "Session"
+policy_genre = "session"
subjects = {"user0": "", "user1": "", }
objects = {"admin": "", "employee": "", }
@@ -12,12 +13,16 @@ object_categories = {"role": "", }
action_categories = {"session-action": "", }
subject_data = {"subjectid": {"user0": "", "user1": ""}}
-object_data = {"role": {"admin": "", "employee": ""}}
-action_data = {"session-action": {"activate": "", "deactivate": ""}}
+object_data = {"role": {"admin": "", "employee": "", "*": ""}}
+action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}}
-subject_assignments = {"user0": {"subjectid": "user0"}, "user1": {"subjectid": "user1"}, }
-object_assignments = {"admin": {"role": "admin"}, "employee": {"role": "employee"}}
-action_assignments = {"activate": {"session-action": "activate"}, "deactivate": {"session-action": "deactivate"}}
+subject_assignments = {"user0": ({"subjectid": "user0"}, ), "user1": ({"subjectid": "user1"}, ), }
+object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}),
+ "employee": ({"role": "employee"}, {"role": "employee"})
+ }
+action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ),
+ "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, )
+ }
meta_rule = {
"session": {"id": "", "value": ("subjectid", "role", "session-action")},
@@ -26,7 +31,7 @@ meta_rule = {
rules = {
"session": (
{
- "rule": ("user0", "admin", "activate"),
+ "rule": ("user0", "employee", "*"),
"instructions": (
{
"update": {
@@ -34,11 +39,11 @@ rules = {
"target": "rbac:role:admin" # add the role admin to the current user
}
},
- {"chain": [{"security_pipeline": "rbac"}]} # chain with the meta_rule named rbac
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
)
},
{
- "rule": ("user1", "employee", "deactivate"),
+ "rule": ("user1", "employee", "*"),
"instructions": (
{
"update": {
@@ -46,7 +51,7 @@ rules = {
"target": "rbac:role:employee" # delete the role employee from the current user
}
},
- {"chain": [{"security_pipeline": "rbac"}]} # chain with the meta_rule named rbac
+ {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac
)
},
)
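Review bot: The `employee` object assignment pairs `{"role": "employee"}` with a second identical `{"role": "employee"}`, while `admin` on the line above pairs with `{"role": "*"}`; this looks like a slip for `"employee": ({"role": "employee"}, {"role": "*"})` and as written merely assigns the same data twice. The session rules in the later hunks now match action `"*"` instead of `activate`/`deactivate`, so the `update` that adds the admin role (per the existing comment on the `target` line) fires for any session action by user0 — if that widening is intended for the test, a comment beside the rule saying so would help the next reader.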
diff --git a/moonv4/moon_interface/tests/apitests/set_authz.py b/moonv4/moon_interface/tests/apitests/set_authz.py
index 38b63509..f515e4eb 100644
--- a/moonv4/moon_interface/tests/apitests/set_authz.py
+++ b/moonv4/moon_interface/tests/apitests/set_authz.py
@@ -41,10 +41,13 @@ for rule in rules:
url = "http://172.18.0.11:38001/authz/{}/{}".format(keystone_project_id, "/".join(rule))
req = requests.get(url)
print("\033[1m{}\033[m {}".format(url, req.status_code))
- j = req.json()
- # print(j)
- if j.get("authz"):
- print("\t\033[32m{}\033[m {}".format(j.get("authz"), j.get("error", "")))
+ try:
+ j = req.json()
+ except Exception as e:
+ print(req.text)
else:
- print("\t\033[31m{}\033[m {}".format(j.get("authz"), j.get("error", "")))
+ if j.get("authz"):
+ print("\t\033[32m{}\033[m {}".format(j.get("authz"), j.get("error", "")))
+ else:
+ print("\t\033[31m{}\033[m {}".format(j.get("authz"), j.get("error", "")))
diff --git a/moonv4/moon_interface/tests/apitests/utils/policies.py b/moonv4/moon_interface/tests/apitests/utils/policies.py
index bf75734f..969ab70b 100644
--- a/moonv4/moon_interface/tests/apitests/utils/policies.py
+++ b/moonv4/moon_interface/tests/apitests/utils/policies.py
@@ -63,8 +63,9 @@ def check_policy(policy_id=None):
assert policy_template["name"] == result['policies'][policy_id]["name"]
-def add_policy(name="test_policy"):
+def add_policy(name="test_policy", genre="authz"):
policy_template["name"] = name
+ policy_template["genre"] = genre
req = requests.post(URL.format("/policies"), json=policy_template, headers=HEADERS)
assert req.status_code == 200
result = req.json()
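Review bot: `add_policy` gains a `genre` parameter but still has no docstring, and the only values the page shows for it are `"authz"` and `"session"` from the two scenarios; a docstring such as `"""Create a policy called *name* with the given *genre* ("authz" or "session" in the scenarios) and return the server's answer."""` would record that (the return itself is outside the hunk, so adjust the last clause to what it actually returns). Like `name`, `genre` is written into the shared module-level `policy_template` before the POST, so repeated calls see the last value written — a pre-existing pattern, but worth a sentence in the docstring.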