diff options
| author |   asteroide <thomas.duval@orange.com> | 2017-10-04 09:04:38 +0200 |
|---|---|---|
| committer | asteroide <thomas.duval@orange.com> | 2017-10-04 09:04:38 +0200 |
| commit | f28f884b86ad6a01afb3ebe7959a86aed0701539 (patch) | |
| tree | 5c2c50bef281274a1aa6f432071a20c03b3a9678 /moonv4/moon_utilities | |
| parent | e2099e074250dd2a2f556fbb78b3db8f77e2c553 (diff) | |
Update code to the latest working version: version 4.2
Change-Id: I25d222ce9c8f4af8755886b79852d99b6870d515
Diffstat (limited to 'moonv4/moon_utilities')
| -rw-r--r-- | moonv4/moon_utilities/Changelog | 4 | ||||
| -rw-r--r-- | moonv4/moon_utilities/build.sh | 21 | ||||
| -rw-r--r-- | moonv4/moon_utilities/moon_utilities/__init__.py | 2 | ||||
| -rw-r--r-- | moonv4/moon_utilities/moon_utilities/cache.py | 520 | ||||
| -rw-r--r-- | moonv4/moon_utilities/moon_utilities/configuration.py | 4 | ||||
| -rw-r--r-- | moonv4/moon_utilities/moon_utilities/get_os_apis.py | 16 | ||||
| -rw-r--r-- | moonv4/moon_utilities/moon_utilities/security_functions.py | 232 |
7 files changed, 711 insertions, 88 deletions
diff --git a/moonv4/moon_utilities/Changelog b/moonv4/moon_utilities/Changelog index e39a8b53..51a007c2 100644 --- a/moonv4/moon_utilities/Changelog +++ b/moonv4/moon_utilities/Changelog @@ -35,3 +35,7 @@ CHANGES ----- - Add authentication features for interface +1.3.0 +----- +- Add cache functionality + diff --git a/moonv4/moon_utilities/build.sh b/moonv4/moon_utilities/build.sh new file mode 100644 index 00000000..4c7db18d --- /dev/null +++ b/moonv4/moon_utilities/build.sh @@ -0,0 +1,21 @@ + + +VERSION=moon_utilities-1.2.0 + +python3 setup.py sdist bdist_wheel + +rm dist/*.asc + +gpg --detach-sign -u "A0A96E75" -a dist/${VERSION}-py3-none-any.whl +gpg --detach-sign -u "A0A96E75" -a dist/${VERSION}.linux-x86_64.tar.gz + +if [ "$1" = "upload" ]; then + twine upload dist/${VERSION}-py3-none-any.whl dist/${VERSION}-py3-none-any.whl.asc + twine upload dist/${VERSION}.linux-x86_64.tar.gz dist/${VERSION}.linux-x86_64.tar.gz.asc +fi + +cp dist/${VERSION}-py3-none-any.whl ../moon_orchestrator/dist/ +cp dist/${VERSION}-py3-none-any.whl ../moon_router/dist/ +cp dist/${VERSION}-py3-none-any.whl ../moon_interface/dist/ +cp dist/${VERSION}-py3-none-any.whl ../moon_manager/dist/ +cp dist/${VERSION}-py3-none-any.whl ../moon_authz/dist/ diff --git a/moonv4/moon_utilities/moon_utilities/__init__.py b/moonv4/moon_utilities/moon_utilities/__init__.py index 2c7f8f5c..6e5782ce 100644 --- a/moonv4/moon_utilities/moon_utilities/__init__.py +++ b/moonv4/moon_utilities/moon_utilities/__init__.py @@ -3,4 +3,4 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "1.2.0" +__version__ = "1.3.0" diff --git a/moonv4/moon_utilities/moon_utilities/cache.py b/moonv4/moon_utilities/moon_utilities/cache.py new file mode 100644 index 00000000..7c938b39 --- /dev/null +++ b/moonv4/moon_utilities/moon_utilities/cache.py @@ -0,0 +1,520 @@ +import logging +import time +import requests +from uuid import uuid4 +from moon_utilities import configuration, exceptions + +LOG = logging.getLogger("moon.utilities.cache") + + +class Cache(object): + # TODO (asteroide): set cache integer in CONF file + __UPDATE_INTERVAL = 10 + + __CONTAINERS = {} + __CONTAINERS_UPDATE = 0 + + __CONTAINER_CHAINING_UPDATE = 0 + __CONTAINER_CHAINING = {} + + __PDP = {} + __PDP_UPDATE = 0 + + __POLICIES = {} + __POLICIES_UPDATE = 0 + + __MODELS = {} + __MODELS_UPDATE = 0 + + __SUBJECTS = {} + __OBJECTS = {} + __ACTIONS = {} + + __SUBJECT_ASSIGNMENTS = {} + __OBJECT_ASSIGNMENTS = {} + __ACTION_ASSIGNMENTS = {} + + __SUBJECT_CATEGORIES = {} + __SUBJECT_CATEGORIES_UPDATE = 0 + __OBJECT_CATEGORIES = {} + __OBJECT_CATEGORIES_UPDATE = 0 + __ACTION_CATEGORIES = {} + __ACTION_CATEGORIES_UPDATE = 0 + + __META_RULES = {} + __META_RULES_UPDATE = 0 + + __RULES = {} + __RULES_UPDATE = 0 + + __AUTHZ_REQUESTS = {} + + + def __init__(self): + self.manager_url = "{}://{}:{}".format( + configuration.get_components()['manager'].get('protocol', 'http'), + configuration.get_components()['manager']['hostname'], + configuration.get_components()['manager']['port'] + ) + self.orchestrator_url = "{}://{}:{}".format( + configuration.get_components()['orchestrator'].get('protocol', 'http'), + configuration.get_components()['orchestrator']['hostname'], + configuration.get_components()['orchestrator']['port'] + ) + + def update(self): + self.__update_container() + self.__update_pdp() + self.__update_policies() + self.__update_models() + for key, value in self.__PDP.items(): + # LOG.info("Updating container_chaining with {}".format(value["keystone_project_id"])) + self.__update_container_chaining(value["keystone_project_id"]) + + @property + def authz_requests(self): + return self.__AUTHZ_REQUESTS + + # perimeter functions + + @property + def subjects(self): + return self.__SUBJECTS + + def update_subjects(self, policy_id=None): + req = requests.get("{}/policies/{}/subjects".format(self.manager_url, policy_id)) + self.__SUBJECTS[policy_id] = req.json()['subjects'] + + def get_subject(self, policy_id, name): + try: + for _subject_id, _subject_dict in self.__SUBJECTS[policy_id].items(): + if _subject_dict["name"] == name: + return _subject_id + except KeyError: + pass + self.update_subjects(policy_id) + for _subject_id, _subject_dict in self.__SUBJECTS[policy_id].items(): + if _subject_dict["name"] == name: + return _subject_id + raise exceptions.SubjectUnknown("Cannot find subject {}".format(name)) + + @property + def objects(self): + return self.__OBJECTS + + def update_objects(self, policy_id=None): + req = requests.get("{}/policies/{}/objects".format(self.manager_url, policy_id)) + self.__OBJECTS[policy_id] = req.json()['objects'] + + def get_object(self, policy_id, name): + try: + for _object_id, _object_dict in self.__OBJECTS[policy_id].items(): + if _object_dict["name"] == name: + return _object_id + except KeyError: + pass + self.update_objects(policy_id) + for _object_id, _object_dict in self.__OBJECTS[policy_id].items(): + if _object_dict["name"] == name: + return _object_id + raise exceptions.SubjectUnknown("Cannot find object {}".format(name)) + + @property + def actions(self): + return self.__ACTIONS + + def update_actions(self, policy_id=None): + req = requests.get("{}/policies/{}/actions".format(self.manager_url, policy_id)) + self.__ACTIONS[policy_id] = req.json()['actions'] + + def get_action(self, policy_id, name): + try: + for _action_id, _action_dict in self.__ACTIONS[policy_id].items(): + if _action_dict["name"] == name: + return _action_id + except KeyError: + pass + self.update_actions(policy_id) + for _action_id, _action_dict in self.__ACTIONS[policy_id].items(): + if _action_dict["name"] == name: + return _action_id + raise exceptions.SubjectUnknown("Cannot find action {}".format(name)) + + # meta_rule functions + + @property + def meta_rules(self): + current_time = time.time() + if self.__META_RULES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_meta_rules() + self.__META_RULES_UPDATE = current_time + return self.__META_RULES + + def __update_meta_rules(self): + req = requests.get("{}/meta_rules".format(self.manager_url)) + self.__META_RULES = req.json()['meta_rules'] + + # rule functions + + @property + def rules(self): + current_time = time.time() + if self.__RULES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_rules() + self.__RULES_UPDATE = current_time + return self.__RULES + + def __update_rules(self): + for policy_id in self.__POLICIES: + LOG.info("Get {}".format("{}/policies/{}/rules".format( + self.manager_url, policy_id))) + req = requests.get("{}/policies/{}/rules".format( + self.manager_url, policy_id)) + self.__RULES[policy_id] = req.json()['rules'] + LOG.info("UPDATE RULES {}".format(self.__RULES)) + + # assignment functions + + @property + def subject_assignments(self): + return self.__SUBJECT_ASSIGNMENTS + + def update_subject_assignments(self, policy_id=None, perimeter_id=None): + if perimeter_id: + req = requests.get("{}/policies/{}/subject_assignments/{}".format( + self.manager_url, policy_id, perimeter_id)) + else: + req = requests.get("{}/policies/{}/subject_assignments".format(self.manager_url, policy_id)) + if policy_id not in self.__SUBJECT_ASSIGNMENTS: + self.__SUBJECT_ASSIGNMENTS[policy_id] = {} + self.__SUBJECT_ASSIGNMENTS[policy_id].update(req.json()['subject_assignments']) + + def get_subject_assignments(self, policy_id, perimeter_id, category_id): + if policy_id not in self.subject_assignments: + self.update_subject_assignments(policy_id, perimeter_id) + if policy_id not in self.subject_assignments: + raise Exception("Cannot found the policy {}".format(policy_id)) + for key, value in self.subject_assignments[policy_id].items(): + if perimeter_id == value['subject_id'] and category_id == value['category_id']: + return value['assignments'] + return [] + + @property + def object_assignments(self): + return self.__OBJECT_ASSIGNMENTS + + def update_object_assignments(self, policy_id=None, perimeter_id=None): + if perimeter_id: + req = requests.get("{}/policies/{}/object_assignments/{}".format( + self.manager_url, policy_id, perimeter_id)) + else: + req = requests.get("{}/policies/{}/object_assignments".format(self.manager_url, policy_id)) + if policy_id not in self.__OBJECT_ASSIGNMENTS: + self.__OBJECT_ASSIGNMENTS[policy_id] = {} + self.__OBJECT_ASSIGNMENTS[policy_id].update(req.json()['object_assignments']) + + def get_object_assignments(self, policy_id, perimeter_id, category_id): + if policy_id not in self.object_assignments: + self.update_object_assignments(policy_id, perimeter_id) + if policy_id not in self.object_assignments: + raise Exception("Cannot found the policy {}".format(policy_id)) + for key, value in self.object_assignments[policy_id].items(): + if perimeter_id == value['object_id'] and category_id == value['category_id']: + return value['assignments'] + return [] + + @property + def action_assignments(self): + return self.__ACTION_ASSIGNMENTS + + def update_action_assignments(self, policy_id=None, perimeter_id=None): + if perimeter_id: + req = requests.get("{}/policies/{}/action_assignments/{}".format( + self.manager_url, policy_id, perimeter_id)) + else: + req = requests.get("{}/policies/{}/action_assignments".format(self.manager_url, policy_id)) + if policy_id not in self.__ACTION_ASSIGNMENTS: + self.__ACTION_ASSIGNMENTS[policy_id] = {} + self.__ACTION_ASSIGNMENTS[policy_id].update(req.json()['action_assignments']) + + def get_action_assignments(self, policy_id, perimeter_id, category_id): + if policy_id not in self.action_assignments: + self.update_action_assignments(policy_id, perimeter_id) + if policy_id not in self.action_assignments: + raise Exception("Cannot found the policy {}".format(policy_id)) + for key, value in self.action_assignments[policy_id].items(): + if perimeter_id == value['action_id'] and category_id == value['category_id']: + return value['assignments'] + return [] + + # category functions + + @property + def subject_categories(self): + current_time = time.time() + if self.__SUBJECT_CATEGORIES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_subject_categories() + self.__SUBJECT_CATEGORIES_UPDATE = current_time + return self.__SUBJECT_CATEGORIES + + def __update_subject_categories(self): + req = requests.get("{}/policies/subject_categories".format( + self.manager_url)) + self.__SUBJECT_CATEGORIES.update(req.json()['subject_categories']) + + @property + def object_categories(self): + current_time = time.time() + if self.__OBJECT_CATEGORIES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_object_categories() + self.__OBJECT_CATEGORIES_UPDATE = current_time + return self.__OBJECT_CATEGORIES + + def __update_object_categories(self): + req = requests.get("{}/policies/object_categories".format( + self.manager_url)) + self.__OBJECT_CATEGORIES.update(req.json()['object_categories']) + + @property + def action_categories(self): + current_time = time.time() + if self.__ACTION_CATEGORIES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_action_categories() + self.__ACTION_CATEGORIES_UPDATE = current_time + return self.__ACTION_CATEGORIES + + def __update_action_categories(self): + req = requests.get("{}/policies/action_categories".format( + self.manager_url)) + self.__ACTION_CATEGORIES.update(req.json()['action_categories']) + + # PDP functions + + def __update_pdp(self): + req = requests.get("{}/pdp".format(self.manager_url)) + pdp = req.json() + for _pdp in pdp["pdps"].values(): + if _pdp['keystone_project_id'] not in self.__CONTAINER_CHAINING: + self.__CONTAINER_CHAINING[_pdp['keystone_project_id']] = {} + # Note (asteroide): force update of chaining + self.__update_container_chaining(_pdp['keystone_project_id']) + for key, value in pdp["pdps"].items(): + self.__PDP[key] = value + + @property + def pdp(self): + """Policy Decision Point + Example of content: + { + "pdp_id": { + "keystone_project_id": "keystone_project_id", + "name": "pdp1", + "description": "test", + "security_pipeline": [ + "policy_id" + ] + } + } + + :return: + """ + current_time = time.time() + if self.__PDP_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_pdp() + self.__PDP_UPDATE = current_time + return self.__PDP + + # policy functions + def __update_policies(self): + req = requests.get("{}/policies".format(self.manager_url)) + policies = req.json() + for key, value in policies["policies"].items(): + self.__POLICIES[key] = value + + @property + def policies(self): + current_time = time.time() + if self.__POLICIES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_policies() + self.__POLICIES_UPDATE = current_time + return self.__POLICIES + + # model functions + + def __update_models(self): + req = requests.get("{}/models".format(self.manager_url)) + models = req.json() + for key, value in models["models"].items(): + self.__MODELS[key] = value + + @property + def models(self): + current_time = time.time() + if self.__MODELS_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_models() + self.__MODELS_UPDATE = current_time + return self.__MODELS + + # helper functions + + def get_policy_from_meta_rules(self, meta_rule_id): + for pdp_key, pdp_value in self.pdp.items(): + for policy_id in pdp_value["security_pipeline"]: + model_id = self.policies[policy_id]["model_id"] + if meta_rule_id in self.models[model_id]["meta_rules"]: + return policy_id + + def get_pdp_from_keystone_project(self, keystone_project_id): + for pdp_key, pdp_value in self.pdp.items(): + if keystone_project_id == pdp_value["keystone_project_id"]: + return pdp_key + + def get_keystone_project_id_from_policy_id(self, policy_id): + for pdp_key, pdp_value in self.pdp.items(): + if policy_id in pdp_value["security_pipeline"]: + return pdp_value["keystone_project_id"] + # for policy_id in pdp_value["security_pipeline"]: + # model_id = self.policies[policy_id]["model_id"] + # if meta_rule_id in self.models[model_id]["meta_rules"]: + # return pdp_value["keystone_project_id"] + + def get_containers_from_keystone_project_id(self, keystone_project_id, meta_rule_id=None): + for container_id, container_value in self.containers.items(): + if 'keystone_project_id' not in container_value: + continue + if container_value['keystone_project_id'] == keystone_project_id: + if not meta_rule_id: + yield container_id, container_value + elif container_value['meta_rule_id'] == meta_rule_id: + yield container_id, container_value + break + + # containers functions + + def __update_container(self): + req = requests.get("{}/containers".format(self.manager_url)) + containers = req.json() + for key, value in containers["containers"].items(): + if key not in self.__CONTAINERS: + self.__CONTAINERS[key] = value + else: + self.__CONTAINERS[key].update(value) + + def add_container(self, container_data): + """Add a new container in the cache + + :param container_data: dictionary with information for the container + Example: + { + "name": name, + "hostname": name, + "port": { + "PrivatePort": tcp_port, + "Type": "tcp", + "IP": "0.0.0.0", + "PublicPort": tcp_port + }, + "keystone_project_id": uuid, + "pdp_id": self.CACHE.get_pdp_from_keystone_project(uuid), + "meta_rule_id": meta_rule_id, + "container_name": container_name, + "plugin_name": plugin_name + "container_id": "container_id" + } + + :return: + """ + self.__CONTAINERS[uuid4().hex] = { + "keystone_project_id": container_data['keystone_project_id'], + "name": container_data['name'], + "container_id": container_data['container_id'], + "hostname": container_data['name'], + "policy_id": container_data['policy_id'], + "meta_rule_id": container_data['meta_rule_id'], + "port": [ + { + "PublicPort": container_data['port']["PublicPort"], + "Type": container_data['port']["Type"], + "IP": container_data['port']["IP"], + "PrivatePort": container_data['port']["PrivatePort"] + } + ], + "genre": container_data['plugin_name'] + } + self.__update_container_chaining(self.get_keystone_project_id_from_policy_id(container_data['policy_id'])) + + @property + def containers(self): + """Containers cache + example of content : + { + "policy_uuid1": "component_hostname1", + "policy_uuid2": "component_hostname2", + } + :return: + """ + current_time = time.time() + if self.__CONTAINERS_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_container() + self.__CONTAINERS_UPDATE = current_time + return self.__CONTAINERS + + @property + def container_chaining(self): + """Cache for mapping Keystone Project ID with meta_rule ID and container ID + Example of content: + { + "keystone_project_id": [ + { + "container_id": "container_id", + "genre": "genre", + "policy_id": "policy_id", + "meta_rule_id": "meta_rule_id", + } + ] + } + + :return: + """ + current_time = time.time() + if self.__CONTAINER_CHAINING_UPDATE + self.__UPDATE_INTERVAL < current_time: + for key, value in self.pdp.items(): + self.__update_container_chaining(value["keystone_project_id"]) + self.__CONTAINER_CHAINING_UPDATE = current_time + LOG.info(self.__CONTAINER_CHAINING_UPDATE) + return self.__CONTAINER_CHAINING + + def __update_container_chaining(self, keystone_project_id): + container_ids = [] + for pdp_id, pdp_value, in self.__PDP.items(): + # LOG.info("pdp_id, pdp_value = {}, {}".format(pdp_id, pdp_value)) + # LOG.info("__POLICIES = {}".format(self.__POLICIES)) + if pdp_value: + if pdp_value["keystone_project_id"] == keystone_project_id: + for policy_id in pdp_value["security_pipeline"]: + model_id = self.__POLICIES[policy_id]['model_id'] + # LOG.info("model_id = {}".format(model_id)) + # LOG.info("CACHE = {}".format(self.__MODELS[model_id])) + # LOG.info("CACHE.containers = {}".format(self.__CONTAINERS)) + # LOG.info("CACHE.models = {}".format(self.__MODELS)) + for meta_rule_id in self.__MODELS[model_id]["meta_rules"]: + # LOG.info("meta_rule = {}".format(self.__MODELS[model_id]["meta_rules"])) + for container_id, container_value in self.get_containers_from_keystone_project_id( + keystone_project_id, + meta_rule_id + ): + # LOG.info("CONTAINER: {} {}".format(container_id, container_value)) + container_ids.append( + { + "container_id": self.__CONTAINERS[container_id]["container_id"], + "genre": self.__CONTAINERS[container_id]["genre"], + "policy_id": policy_id, + "meta_rule_id": meta_rule_id, + "hostname": self.__CONTAINERS[container_id]["hostname"], + "hostip": self.__CONTAINERS[container_id]["port"][0]["IP"], + "port": self.__CONTAINERS[container_id]["port"][0]["PublicPort"], + } + ) + # LOG.info("__update_container_chaining={}".format(container_ids)) + self.__CONTAINER_CHAINING[keystone_project_id] = container_ids + diff --git a/moonv4/moon_utilities/moon_utilities/configuration.py b/moonv4/moon_utilities/moon_utilities/configuration.py index 32eeff13..d1c5545f 100644 --- a/moonv4/moon_utilities/moon_utilities/configuration.py +++ b/moonv4/moon_utilities/moon_utilities/configuration.py @@ -53,8 +53,8 @@ def get_configuration(key): url = "http://{}:{}/v1/kv/{}".format(CONSUL_HOST, CONSUL_PORT, key) req = requests.get(url) if req.status_code != 200: - LOG.info("url={}".format(url)) - raise exceptions.ConsulComponentNotFound + LOG.error("url={}".format(url)) + raise exceptions.ConsulComponentNotFound("error={}: {}".format(req.status_code, req.text)) data = req.json() if len(data) == 1: data = data[0] diff --git a/moonv4/moon_utilities/moon_utilities/get_os_apis.py b/moonv4/moon_utilities/moon_utilities/get_os_apis.py index dea2a878..d019c1cd 100644 --- a/moonv4/moon_utilities/moon_utilities/get_os_apis.py +++ b/moonv4/moon_utilities/moon_utilities/get_os_apis.py @@ -1,4 +1,5 @@ import json +import yaml import logging import requests import argparse @@ -26,6 +27,7 @@ def init(): parser.add_argument("--debug", "-d", action='store_true', help="debug mode") parser.add_argument("--format", "-f", help="Output format (txt, json)", default="json") parser.add_argument("--output", "-o", help="Output filename") + parser.add_argument("--from-policies", "-p", help="Get API from policy.{json,yaml}", target="policies") parser.add_argument("--credentials", "-c", help="Github credential filename (inside format user:pass)") args = parser.parse_args() @@ -98,6 +100,13 @@ def to_str(results): return output +def get_data_from_policies(policies): + for filename in policies.split(","): + try: + obj = json.loads(open(filename.strip()).read()) + + + def save(results, args): if args.output: if args.format == 'json': @@ -114,8 +123,11 @@ def save(results, args): def main(): args = init() results = {} - for key in URLS: - results[key] = get_content(key, args) + if not args.policies: + for key in URLS: + results[key] = get_content(key, args) + else: + get_data_from_policies(args.policies) save(results, args) if __name__ == "__main__": diff --git a/moonv4/moon_utilities/moon_utilities/security_functions.py b/moonv4/moon_utilities/moon_utilities/security_functions.py index ad1a44fa..98935996 100644 --- a/moonv4/moon_utilities/moon_utilities/security_functions.py +++ b/moonv4/moon_utilities/moon_utilities/security_functions.py @@ -209,59 +209,90 @@ def call(endpoint="security_router", ctx=None, method="route", **kwargs): class Context: - def __init__(self, _keystone_project_id, _subject, _object, _action, _request_id): - from moon_db.core import PDPManager, ModelManager, PolicyManager - self.PolicyManager = PolicyManager - self.ModelManager = ModelManager - self.PDPManager = PDPManager - self.__keystone_project_id = _keystone_project_id + def __init__(self, init_context, cache): + self.cache = cache + self.__keystone_project_id = init_context.get("project_id") self.__pdp_id = None self.__pdp_value = None - for _pdp_key, _pdp_value in PDPManager.get_pdp("admin").items(): - if _pdp_value["keystone_project_id"] == _keystone_project_id: + for _pdp_key, _pdp_value in self.cache.pdp.items(): + if _pdp_value["keystone_project_id"] == self.__keystone_project_id: self.__pdp_id = _pdp_key self.__pdp_value = copy.deepcopy(_pdp_value) break - self.__subject = _subject - self.__object = _object - self.__action = _action + if not self.__pdp_value: + raise exceptions.AuthzException( + "Cannot create context for authz " + "with Keystone project ID {}".format( + self.__keystone_project_id + )) + self.__subject = init_context.get("subject_name") + self.__object = init_context.get("object_name") + self.__action = init_context.get("action_name") self.__current_request = None - self.__request_id = _request_id - self.__index = 0 - self.__init_initial_request() + self.__request_id = init_context.get("req_id") + self.__cookie = init_context.get("cookie") + self.__manager_url = init_context.get("manager_url") + self.__interface_name = init_context.get("interface_name") + self.__index = -1 + # self.__init_initial_request() self.__headers = [] - policies = PolicyManager.get_policies("admin") - models = ModelManager.get_models("admin") + policies = self.cache.policies + models = self.cache.models for policy_id in self.__pdp_value["security_pipeline"]: model_id = policies[policy_id]["model_id"] for meta_rule in models[model_id]["meta_rules"]: self.__headers.append(meta_rule) - self.__meta_rules = ModelManager.get_meta_rules("admin") + self.__meta_rules = self.cache.meta_rules self.__pdp_set = {} + # self.__init_pdp_set() + + def delete_cache(self): + self.cache = {} + + def set_cache(self, cache): + self.cache = cache + + def increment_index(self): + self.__index += 1 + self.__init_current_request() self.__init_pdp_set() - def __init_initial_request(self): - subjects = self.PolicyManager.get_subjects("admin", policy_id=None) - for _subject_id, _subject_dict in subjects.items(): - if _subject_dict["name"] == self.__subject: - self.__subject = _subject_id - break - else: - raise exceptions.SubjectUnknown("Cannot find subject {}".format(self.__subject)) - objects = self.PolicyManager.get_objects("admin", policy_id=None) - for _object_id, _object_dict in objects.items(): - if _object_dict["name"] == self.__object: - self.__object = _object_id - break - else: - raise exceptions.ObjectUnknown("Cannot find object {}".format(self.__object)) - actions = self.PolicyManager.get_actions("admin", policy_id=None) - for _action_id, _action_dict in actions.items(): - if _action_dict["name"] == self.__action: - self.__action = _action_id - break - else: - raise exceptions.ActionUnknown("Cannot find action {}".format(self.__action)) + @property + def current_state(self): + return self.__pdp_set[self.__headers[self.__index]]['effect'] + + @current_state.setter + def current_state(self, state): + if state not in ("grant", "deny", "passed"): + state = "passed" + self.__pdp_set[self.__headers[self.__index]]['effect'] = state + + @current_state.deleter + def current_state(self): + self.__pdp_set[self.__headers[self.__index]]['effect'] = "unset" + + @property + def current_policy_id(self): + return self.__pdp_value["security_pipeline"][self.__index] + + @current_policy_id.setter + def current_policy_id(self, value): + pass + + @current_policy_id.deleter + def current_policy_id(self): + pass + + def __init_current_request(self): + self.__subject = self.cache.get_subject( + self.__pdp_value["security_pipeline"][self.__index], + self.__subject) + self.__object = self.cache.get_object( + self.__pdp_value["security_pipeline"][self.__index], + self.__object) + self.__action = self.cache.get_action( + self.__pdp_value["security_pipeline"][self.__index], + self.__action) self.__current_request = dict(self.initial_request) def __init_pdp_set(self): @@ -269,67 +300,64 @@ class Context: self.__pdp_set[header] = dict() self.__pdp_set[header]["meta_rules"] = self.__meta_rules[header] self.__pdp_set[header]["target"] = self.__add_target(header) - # TODO (asteroide): the following information must be retrieve somewhere self.__pdp_set[header]["effect"] = "unset" self.__pdp_set["effect"] = "deny" - @staticmethod - def update_target(context): - from moon_db.core import PDPManager, ModelManager, PolicyManager - # result = dict() - current_request = context['current_request'] - _subject = current_request.get("subject") - _object = current_request.get("object") - _action = current_request.get("action") - meta_rule_id = context['headers'][context['index']] - policy_id = PolicyManager.get_policy_from_meta_rules("admin", meta_rule_id) - meta_rules = ModelManager.get_meta_rules("admin") - # for meta_rule_id in meta_rules: - for sub_cat in meta_rules[meta_rule_id]['subject_categories']: - if sub_cat not in context["pdp_set"][meta_rule_id]["target"]: - context["pdp_set"][meta_rule_id]["target"][sub_cat] = [] - for assign in PolicyManager.get_subject_assignments("admin", policy_id, _subject, sub_cat).values(): - for assign in assign["assignments"]: - if assign not in context["pdp_set"][meta_rule_id]["target"][sub_cat]: - context["pdp_set"][meta_rule_id]["target"][sub_cat].append(assign) - for obj_cat in meta_rules[meta_rule_id]['object_categories']: - if obj_cat not in context["pdp_set"][meta_rule_id]["target"]: - context["pdp_set"][meta_rule_id]["target"][obj_cat] = [] - for assign in PolicyManager.get_object_assignments("admin", policy_id, _object, obj_cat).values(): - for assign in assign["assignments"]: - if assign not in context["pdp_set"][meta_rule_id]["target"][obj_cat]: - context["pdp_set"][meta_rule_id]["target"][obj_cat].append(assign) - for act_cat in meta_rules[meta_rule_id]['action_categories']: - if act_cat not in context["pdp_set"][meta_rule_id]["target"]: - context["pdp_set"][meta_rule_id]["target"][act_cat] = [] - for assign in PolicyManager.get_action_assignments("admin", policy_id, _action, act_cat).values(): - for assign in assign["assignments"]: - if assign not in context["pdp_set"][meta_rule_id]["target"][act_cat]: - context["pdp_set"][meta_rule_id]["target"][act_cat].append(assign) - # context["pdp_set"][meta_rule_id]["target"].update(result) + # def update_target(self, context): + # # result = dict() + # current_request = context['current_request'] + # _subject = current_request.get("subject") + # _object = current_request.get("object") + # _action = current_request.get("action") + # meta_rule_id = context['headers'][context['index']] + # policy_id = self.cache.get_policy_from_meta_rules(meta_rule_id) + # meta_rules = self.cache.meta_rules() + # # for meta_rule_id in meta_rules: + # for sub_cat in meta_rules[meta_rule_id]['subject_categories']: + # if sub_cat not in context["pdp_set"][meta_rule_id]["target"]: + # context["pdp_set"][meta_rule_id]["target"][sub_cat] = [] + # for assign in self.cache.get_subject_assignments(policy_id, _subject, sub_cat).values(): + # for assign in assign["assignments"]: + # if assign not in context["pdp_set"][meta_rule_id]["target"][sub_cat]: + # context["pdp_set"][meta_rule_id]["target"][sub_cat].append(assign) + # for obj_cat in meta_rules[meta_rule_id]['object_categories']: + # if obj_cat not in context["pdp_set"][meta_rule_id]["target"]: + # context["pdp_set"][meta_rule_id]["target"][obj_cat] = [] + # for assign in self.cache.get_object_assignments(policy_id, _object, obj_cat).values(): + # for assign in assign["assignments"]: + # if assign not in context["pdp_set"][meta_rule_id]["target"][obj_cat]: + # context["pdp_set"][meta_rule_id]["target"][obj_cat].append(assign) + # for act_cat in meta_rules[meta_rule_id]['action_categories']: + # if act_cat not in context["pdp_set"][meta_rule_id]["target"]: + # context["pdp_set"][meta_rule_id]["target"][act_cat] = [] + # for assign in self.cache.get_action_assignments(policy_id, _action, act_cat).values(): + # for assign in assign["assignments"]: + # if assign not in context["pdp_set"][meta_rule_id]["target"][act_cat]: + # context["pdp_set"][meta_rule_id]["target"][act_cat].append(assign) + # # context["pdp_set"][meta_rule_id]["target"].update(result) def __add_target(self, meta_rule_id): result = dict() _subject = self.__current_request["subject"] _object = self.__current_request["object"] _action = self.__current_request["action"] - meta_rules = self.ModelManager.get_meta_rules("admin") - policy_id = self.PolicyManager.get_policy_from_meta_rules("admin", meta_rule_id) + meta_rules = self.cache.meta_rules + policy_id = self.cache.get_policy_from_meta_rules(meta_rule_id) for sub_cat in meta_rules[meta_rule_id]['subject_categories']: if sub_cat not in result: result[sub_cat] = [] - for assign in self.PolicyManager.get_subject_assignments("admin", policy_id, _subject, sub_cat).values(): - result[sub_cat].extend(assign["assignments"]) + result[sub_cat].extend( + self.cache.get_subject_assignments(policy_id, _subject, sub_cat)) for obj_cat in meta_rules[meta_rule_id]['object_categories']: if obj_cat not in result: result[obj_cat] = [] - for assign in self.PolicyManager.get_object_assignments("admin", policy_id, _object, obj_cat).values(): - result[obj_cat].extend(assign["assignments"]) + result[obj_cat].extend( + self.cache.get_object_assignments(policy_id, _object, obj_cat)) for act_cat in meta_rules[meta_rule_id]['action_categories']: if act_cat not in result: result[act_cat] = [] - for assign in self.PolicyManager.get_action_assignments("admin", policy_id, _action, act_cat).values(): - result[act_cat].extend(assign["assignments"]) + result[act_cat].extend( + self.cache.get_action_assignments(policy_id, _action, act_cat)) return result def __repr__(self): @@ -356,6 +384,8 @@ pdp_set: {pdp_set} "index": copy.deepcopy(self.__index), "pdp_set": copy.deepcopy(self.__pdp_set), "request_id": copy.deepcopy(self.__request_id), + "manager_url": copy.deepcopy(self.__manager_url), + "interface_name": copy.deepcopy(self.__interface_name), } @property @@ -371,6 +401,42 @@ pdp_set: {pdp_set} raise Exception("You cannot update the request_id") @property + def manager_url(self): + return self.__manager_url + + @manager_url.setter + def manager_url(self, value): + raise Exception("You cannot update the manager_url") + + @manager_url.deleter + def manager_url(self): + raise Exception("You cannot update the manager_url") + + @property + def interface_name(self): + return self.__interface_name + + @interface_name.setter + def interface_name(self, value): + raise Exception("You cannot update the interface_name") + + @interface_name.deleter + def interface_name(self): + raise Exception("You cannot update the interface_name") + + @property + def cookie(self): + return self.__cookie + + @cookie.setter + def cookie(self, value): + raise Exception("You cannot update the cookie") + + @cookie.deleter + def cookie(self): + raise Exception("You cannot delete the cookie") + + @property def initial_request(self): return { "subject": self.__subject, @@ -425,7 +491,7 @@ pdp_set: {pdp_set} @index.deleter def index(self): - self.__index = 0 + self.__index = -1 @property def pdp_set(self): |