diff options
author | Thomas Duval <thomas.duval@orange.com> | 2020-06-03 10:06:52 +0200 |
---|---|---|
committer | Thomas Duval <thomas.duval@orange.com> | 2020-06-03 10:06:52 +0200 |
commit | 7bb53c64da2dcf88894bfd31503accdd81498f3d (patch) | |
tree | 4310e12366818af27947b5e2c80cb162da93a4b5 /old/moon_authz/moon_authz | |
parent | cbea4e360e9bfaa9698cf7c61c83c96a1ba89b8c (diff) |
Update to new version 5.4HEADstable/jermamaster
Signed-off-by: Thomas Duval <thomas.duval@orange.com>
Change-Id: Idcd868133d75928a1ffd74d749ce98503e0555ea
Diffstat (limited to 'old/moon_authz/moon_authz')
-rw-r--r-- | old/moon_authz/moon_authz/__init__.py | 6 | ||||
-rw-r--r-- | old/moon_authz/moon_authz/__main__.py | 4 | ||||
-rw-r--r-- | old/moon_authz/moon_authz/api/__init__.py | 0 | ||||
-rw-r--r-- | old/moon_authz/moon_authz/api/authorization.py | 397 | ||||
-rw-r--r-- | old/moon_authz/moon_authz/api/update.py | 42 | ||||
-rw-r--r-- | old/moon_authz/moon_authz/http_server.py | 142 | ||||
-rw-r--r-- | old/moon_authz/moon_authz/server.py | 56 |
7 files changed, 647 insertions, 0 deletions
diff --git a/old/moon_authz/moon_authz/__init__.py b/old/moon_authz/moon_authz/__init__.py new file mode 100644 index 00000000..85c245e0 --- /dev/null +++ b/old/moon_authz/moon_authz/__init__.py @@ -0,0 +1,6 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +__version__ = "4.4.0" diff --git a/old/moon_authz/moon_authz/__main__.py b/old/moon_authz/moon_authz/__main__.py new file mode 100644 index 00000000..6f1f9807 --- /dev/null +++ b/old/moon_authz/moon_authz/__main__.py @@ -0,0 +1,4 @@ +from moon_authz.server import create_server + +SERVER = create_server() +SERVER.run() diff --git a/old/moon_authz/moon_authz/api/__init__.py b/old/moon_authz/moon_authz/api/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/old/moon_authz/moon_authz/api/__init__.py diff --git a/old/moon_authz/moon_authz/api/authorization.py b/old/moon_authz/moon_authz/api/authorization.py new file mode 100644 index 00000000..59af295d --- /dev/null +++ b/old/moon_authz/moon_authz/api/authorization.py @@ -0,0 +1,397 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import itertools +import pickle +import logging +import flask +from flask import request +from flask_restful import Resource +from python_moonutilities import exceptions + +LOGGER = logging.getLogger("moon.authz.api." + __name__) + + +class Authz(Resource): + """ + Endpoint for authz requests + """ + __version__ = "4.3.1" + + __urls__ = ( + "/authz", + "/authz/", + ) + + pdp_id = None + meta_rule_id = None + keystone_project_id = None + payload = None + + def __init__(self, **kwargs): + component_data = kwargs.get("component_data", {}) + self.component_id = component_data['component_id'] + self.pdp_id = component_data['pdp_id'] + self.meta_rule_id = component_data['meta_rule_id'] + self.keystone_project_id = component_data['keystone_project_id'] + self.cache = kwargs.get("cache") + self.context = None + + def post(self): + """Get a response on an authorization request + + :request: + + :return: { + "args": {}, + "ctx": { + "action_name": "4567", + "id": "123456", + "method": "authz", + "object_name": "234567", + "subject_name": "123456", + "user_id": "admin" + }, + "error": { + "code": 500, + "description": "", + "title": "Moon Error" + }, + "intra_extension_id": "123456", + "result": false + } + :internal_api: authz + """ + self.context = pickle.loads(request.data) + self.context.set_cache(self.cache) + self.context.increment_index() + self.context.update_target() + # FIXME (asteroide): force the update but we should not do that + # a better way is to build the bilateral link between Master and Slaves + self.cache.update() + if not self.run(): + raise exceptions.MoonError("Error in the request status={}".format( + self.context.current_state)) + self.context.delete_cache() + response = flask.make_response(pickle.dumps(self.context)) + response.headers['content-type'] = 'application/octet-stream' + return response + + def run(self): + result, message = self.__check_rules() + if result: + return self.__exec_instructions(result) + self.context.current_state = "deny" + # self.__exec_next_state(result) + return + + def __check_rules(self): + scopes_list = list() + current_header_id = self.context.headers[self.context.index] + # Context.update_target(context) + if not self.context.pdp_set: + raise exceptions.PdpUnknown + if current_header_id not in self.context.pdp_set: + raise Exception('Invalid index') + current_pdp = self.context.pdp_set[current_header_id] + category_list = list() + if 'meta_rules' not in current_pdp: + raise exceptions.PdpContentError + try: + category_list.extend(current_pdp["meta_rules"]["subject_categories"]) + category_list.extend(current_pdp["meta_rules"]["object_categories"]) + category_list.extend(current_pdp["meta_rules"]["action_categories"]) + except Exception: + raise exceptions.MetaRuleContentError + if 'target' not in current_pdp: + raise exceptions.PdpContentError + for category in category_list: + scope = list(current_pdp['target'][category]) + if not scope: + LOGGER.warning("Scope in category {} is empty".format(category)) + raise exceptions.AuthzException + scopes_list.append(scope) + # policy_id = self.cache.get_policy_from_meta_rules("admin", current_header_id) + if self.context.current_policy_id not in self.cache.rules: + raise exceptions.PolicyUnknown + if 'rules' not in self.cache.rules[self.context.current_policy_id]: + raise exceptions.RuleUnknown + for item in itertools.product(*scopes_list): + req = list(item) + for rule in self.cache.rules[self.context.current_policy_id]["rules"]: + if req == rule['rule']: + return rule['instructions'], "" + LOGGER.warning("No rule match the request...") + return False, "No rule match the request..." + + def __update_subject_category_in_policy(self, operation, target): + result = False + # try: + # policy_name, category_name, data_name = target.split(":") + # except ValueError: + # LOGGER.error("Cannot understand value in instruction ({})".format(target)) + # return False + # # pdp_set = self.payload["authz_context"]['pdp_set'] + # for meta_rule_id in self.context.pdp_set: + # if meta_rule_id == "effect": + # continue + # if self.context.pdp_set[meta_rule_id]["meta_rules"]["name"] == policy_name: + # for category_id, category_value in self.cache.subject_categories.items(): + # if category_value["name"] == "role": + # subject_category_id = category_id + # break + # else: + # LOGGER.error("Cannot understand category in instruction ({})".format(target)) + # return False + # subject_data_id = None + # for data in PolicyManager.get_subject_data("admin", policy_id, + # category_id=subject_category_id): + # for data_id, data_value in data['data'].items(): + # if data_value["name"] == data_name: + # subject_data_id = data_id + # break + # if subject_data_id: + # break + # else: + # LOGGER.error("Cannot understand data in instruction ({})".format(target)) + # return False + # if operation == "add": + # self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][ + # subject_category_id].append(subject_data_id) + # elif operation == "delete": + # try: + # self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][ + # subject_category_id].remove(subject_data_id) + # except ValueError: + # LOGGER.warning("Cannot remove role {} from target".format(data_name)) + # result = True + # break + return result + + def __update_container_chaining(self): + for index in range(len(self.payload["authz_context"]['headers'])): + self.payload["container_chaining"][index]["meta_rule_id"] = \ + self.payload["authz_context"]['headers'][index] + + def __get_container_from_meta_rule(self, meta_rule_id): + for index in range(len(self.payload["authz_context"]['headers'])): + if self.payload["container_chaining"][index]["meta_rule_id"] == meta_rule_id: + return self.payload["container_chaining"][index] + + def __update_headers(self, name): + # context = self.payload["authz_context"] + for meta_rule_id, meta_rule_value in self.context.pdp_set.items(): + if meta_rule_id == "effect": + continue + if meta_rule_value["meta_rules"]["name"] == name: + self.context.headers.append(meta_rule_id) + return True + return False + + # def __exec_next_state(self, rule_found): + # index = self.context.index + # current_meta_rule = self.context.headers[index] + # current_container = self.__get_container_from_meta_rule(current_meta_rule) + # current_container_genre = current_container["genre"] + # try: + # next_meta_rule = self.context.headers[index + 1] + # except IndexError: + # next_meta_rule = None + # if current_container_genre == "authz": + # if rule_found: + # return True + # pass + # if next_meta_rule: + # # next will be session if current is deny and session is unset + # if self.payload["authz_context"]['pdp_set'][next_meta_rule]['effect'] == "unset": + # return notify( + # request_id=self.payload["authz_context"]["request_id"], + # container_id=self.__get_container_from_meta_rule(next_meta_rule)[ + # 'container_id'],payload=self.payload) + # # next will be delegation if current is deny and session is passed or deny and + # delegation is unset + # else: + # LOG.error("Delegation is not developed!") + # + # else: + # # else next will be None and the request is sent to router + # return self.__return_to_router() + # elif current_container_genre == "session": + # pass + # # next will be next container in headers if current is passed + # if self.payload["authz_context"]['pdp_set'][current_meta_rule]['effect'] == "passed": + # return notify( + # request_id=self.payload["authz_context"]["request_id"], + # container_id=self.__get_container_from_meta_rule(next_meta_rule)[ + # 'container_id'],payload=self.payload) + # # next will be None if current is grant and the request is sent to router + # else: + # return self.__return_to_router() + # elif current_container_genre == "delegation": + # LOG.error("Delegation is not developed!") + # # next will be authz if current is deny + # # next will be None if current is grant and the request is sent to router + + # def __return_to_router(self): + # call(endpoint="security_router", + # ctx={"id": self.component_id, + # "call_master": False, + # "method": "return_authz", + # "request_id": self.payload["authz_context"]["request_id"]}, + # method="route", + # args=self.payload["authz_context"]) + + def __exec_instructions(self, instructions): + if type(instructions) is dict: + instructions = [instructions, ] + if type(instructions) not in (list, tuple): + raise exceptions.RuleContentError("Bad instructions format") + for instruction in instructions: + for key in instruction: + if key == "decision": + if instruction["decision"] == "grant": + self.context.current_state = "grant" + LOGGER.info("__exec_instructions True %s" % self.context.current_state) + return True + + self.context.current_state = instruction["decision"].lower() + elif key == "chain": + result = self.__update_headers(**instruction["chain"]) + if not result: + self.context.current_state = "deny" + else: + self.context.current_state = "passed" + elif key == "update": + result = self.__update_subject_category_in_policy(**instruction["update"]) + if not result: + self.context.current_state = "deny" + else: + self.context.current_state = "passed" + LOGGER.info("__exec_instructions False %s" % self.context.current_state) + + # def __update_current_request(self): + # index = self.payload["authz_context"]["index"] + # current_header_id = self.payload["authz_context"]['headers'][index] + # previous_header_id = self.payload["authz_context"]['headers'][index - 1] + # current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id) + # previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id) + # # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy + # if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules'][ + # 'name'] == "session": + # subject = self.payload["authz_context"]['current_request'].get("subject") + # subject_category_id = None + # role_names = [] + # for category_id, category_value in ModelManager.get_subject_categories("admin").items(): + # if category_value["name"] == "role": + # subject_category_id = category_id + # break + # for assignment_id, assignment_value in PolicyManager.get_subject_assignments( + # "admin", previous_policy_id, subject, subject_category_id).items(): + # for data_id in assignment_value["assignments"]: + # data = PolicyManager.get_subject_data( + # "admin", previous_policy_id, data_id, subject_category_id) + # for _data in data: + # for key, value in _data["data"].items(): + # role_names.append(value["name"]) + # new_role_ids = [] + # for perimeter_id, perimeter_value in PolicyManager.get_objects( + # "admin", current_policy_id).items(): + # if perimeter_value["name"] in role_names: + # new_role_ids.append(perimeter_id) + # break + # perimeter_id = None + # for perimeter_id, perimeter_value in PolicyManager.get_actions( + # "admin", current_policy_id).items(): + # if perimeter_value["name"] == "*": + # break + # + # self.payload["authz_context"]['current_request']['object'] = new_role_ids[0] + # self.payload["authz_context"]['current_request']['action'] = perimeter_id + # elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac": + # self.payload["authz_context"]['current_request']['subject'] = \ + # self.payload["authz_context"]['initial_request']['subject'] + # self.payload["authz_context"]['current_request']['object'] = \ + # self.payload["authz_context"]['initial_request']['object'] + # self.payload["authz_context"]['current_request']['action'] = \ + # self.payload["authz_context"]['initial_request']['action'] + + def get_authz(self): + # self.keystone_project_id = payload["id"] + # LOG.info("get_authz {}".format(payload)) + # self.payload = payload + try: + # if "authz_context" not in payload: + # try: + # self.payload["authz_context"] = Context(self.keystone_project_id, + # self.payload["subject_name"], + # self.payload["object_name"], + # self.payload["action_name"], + # self.payload["request_id"]).to_dict() + # except exceptions.SubjectUnknown: + # ctx = { + # "subject_name": self.payload["subject_name"], + # "object_name": self.payload["object_name"], + # "action_name": self.payload["action_name"], + # } + # call("moon_manager", method="update_from_master", ctx=ctx, args={}) + # self.payload["authz_context"] = Context(self.keystone_project_id, + # self.payload["subject_name"], + # self.payload["object_name"], + # self.payload["action_name"], + # self.payload["request_id"]).to_dict() + # except exceptions.ObjectUnknown: + # ctx = { + # "subject_name": self.payload["subject_name"], + # "object_name": self.payload["object_name"], + # "action_name": self.payload["action_name"], + # } + # call("moon_manager", method="update_from_master", ctx=ctx, args={}) + # self.payload["authz_context"] = Context(self.keystone_project_id, + # self.payload["subject_name"], + # self.payload["object_name"], + # self.payload["action_name"], + # self.payload["request_id"]).to_dict() + # except exceptions.ActionUnknown: + # ctx = { + # "subject_name": self.payload["subject_name"], + # "object_name": self.payload["object_name"], + # "action_name": self.payload["action_name"], + # } + # call("moon_manager", method="update_from_master", ctx=ctx, args={}) + # self.payload["authz_context"] = Context(self.keystone_project_id, + # self.payload["subject_name"], + # self.payload["object_name"], + # self.payload["action_name"], + # self.payload["request_id"]).to_dict() + # self.__update_container_chaining() + # else: + # self.payload["authz_context"]["index"] += 1 + # self.__update_current_request() + result, message = self.__check_rules() + current_header_id = self.payload["authz_context"]['headers'][ + self.payload["authz_context"]['index']] + if result: + self.__exec_instructions(result) + else: + self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "deny" + self.__exec_next_state(result) + return {"authz": result, + "error": message, + "pdp_id": self.pdp_id, + "args": self.payload} + except Exception as e: + try: + LOGGER.error(self.payload["authz_context"]) + except KeyError: + LOGGER.error("Cannot find \"authz_context\" in context") + LOGGER.error(e, exc_info=True) + return {"authz": False, + "error": str(e), + "pdp_id": self.pdp_id, + "args": self.payload} + + def head(self, uuid=None, subject_name=None, object_name=None, action_name=None): + LOGGER.info("HEAD request") + return "", 200 diff --git a/old/moon_authz/moon_authz/api/update.py b/old/moon_authz/moon_authz/api/update.py new file mode 100644 index 00000000..68b7f0ce --- /dev/null +++ b/old/moon_authz/moon_authz/api/update.py @@ -0,0 +1,42 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Authz is the endpoint to get authorization response +""" + +from flask import request +from flask_restful import Resource +import logging + +__version__ = "4.4.0" + +LOGGER = logging.getLogger("moon.authz.api." + __name__) + + +class Update(Resource): + """ + Endpoint for update requests + """ + + __urls__ = ( + "/update", + ) + + def __init__(self, **kwargs): + self.CACHE = kwargs.get("cache") + self.INTERFACE_NAME = kwargs.get("interface_name", "interface") + self.MANAGER_URL = kwargs.get("manager_url", "http://manager:8080") + self.TIMEOUT = 5 + + def put(self): + try: + self.CACHE.update_assignments( + request.form.get("policy_id", None), + request.form.get("perimeter_id", None), + ) + except Exception as e: + LOGGER.exception(e) + return {"result": False, "reason": str(e)} + return {"result": True} diff --git a/old/moon_authz/moon_authz/http_server.py b/old/moon_authz/moon_authz/http_server.py new file mode 100644 index 00000000..86d8a914 --- /dev/null +++ b/old/moon_authz/moon_authz/http_server.py @@ -0,0 +1,142 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import logging +from flask import Flask +from flask_restful import Resource, Api +from moon_authz import __version__ +from moon_authz.api.authorization import Authz +from moon_authz.api.update import Update +from python_moonutilities.cache import Cache +from python_moonutilities import exceptions + +LOGGER = logging.getLogger("moon.authz.http_server") + +CACHE = Cache() +CACHE.update() + + +class Server: + """Base class for HTTP server""" + + def __init__(self, host="localhost", port=80, api=None, **kwargs): + """Run a server + + :param host: hostname of the server + :param port: port for the running server + :param kwargs: optional parameters + :return: a running server + """ + self._host = host + self._port = port + self._api = api + self._extra = kwargs + + @property + def host(self): + return self._host + + @host.setter + def host(self, name): + self._host = name + + @host.deleter + def host(self): + self._host = "" + + @property + def port(self): + return self._port + + @port.setter + def port(self, number): + self._port = number + + @port.deleter + def port(self): + self._port = 80 + + def run(self): + raise NotImplementedError() + + +__API__ = ( + Authz, Update +) + + +class Root(Resource): + """ + The root of the web service + """ + __urls__ = ("/",) + __methods = ("get", "post", "put", "delete", "options") + + def get(self): + tree = {"/": {"methods": ("get",), + "description": "List all methods for that service."}} + for item in __API__: + tree[item.__name__] = {"urls": item.__urls__} + _methods = [] + for _method in self.__methods: + if _method in dir(item): + _methods.append(_method) + tree[item.__name__]["methods"] = _methods + tree[item.__name__]["description"] = item.__doc__.strip() + return { + "version": __version__, + "tree": tree + } + + def head(self): + return "", 201 + + +class HTTPServer(Server): + def __init__(self, host="localhost", port=38001, **kwargs): + super(HTTPServer, self).__init__(host=host, port=port, **kwargs) + self.component_data = kwargs.get("component_data", {}) + LOGGER.info("HTTPServer port={} {}".format(port, kwargs)) + self.app = Flask(__name__) + self._port = port + self._host = host + self.component_id = kwargs.get("component_id") + self.keystone_project_id = kwargs.get("keystone_project_id") + self.container_chaining = kwargs.get("container_chaining") + self.api = Api(self.app) + self.__set_route() + + # self.__hook_errors() + + @self.app.errorhandler(exceptions.AuthException) + def _auth_exception(error): + return {"error": "Unauthorized"}, 401 + + def __hook_errors(self): + # FIXME (dthom): it doesn't work + def get_404_json(e): + return {"error": "Error", "code": 404, "description": e} + + self.app.register_error_handler(404, get_404_json) + + def get_400_json(e): + return {"error": "Error", "code": 400, "description": e} + + self.app.register_error_handler(400, lambda e: get_400_json) + self.app.register_error_handler(403, exceptions.AuthException) + + def __set_route(self): + self.api.add_resource(Root, '/') + + for api in __API__: + self.api.add_resource(api, *api.__urls__, + resource_class_kwargs={ + "component_data": self.component_data, + "cache": CACHE + } + ) + + def run(self): + self.app.run(host=self._host, port=self._port, threaded=True) # nosec diff --git a/old/moon_authz/moon_authz/server.py b/old/moon_authz/moon_authz/server.py new file mode 100644 index 00000000..d1b5a59b --- /dev/null +++ b/old/moon_authz/moon_authz/server.py @@ -0,0 +1,56 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import logging +from moon_authz.http_server import HTTPServer as Server +from python_moonutilities import configuration, exceptions + +LOGGER = logging.getLogger("moon.authz.server") + + +def create_server(): + configuration.init_logging() + + component_id = os.getenv("UUID") + component_type = os.getenv("TYPE") + tcp_port = os.getenv("PORT") + pdp_id = os.getenv("PDP_ID") + meta_rule_id = os.getenv("META_RULE_ID") + keystone_project_id = os.getenv("KEYSTONE_PROJECT_ID") + LOGGER.info("component_type={}".format(component_type)) + conf = configuration.get_plugins() + # conf = configuration.get_configuration("plugins/{}".format(component_type)) + # conf["plugins/{}".format(component_type)]['id'] = component_id + if component_type not in conf: + raise exceptions.ConsulComponentNotFound("{} not found".format( + component_type)) + hostname = conf[component_type].get('hostname', component_id) + port = conf[component_type].get('port', tcp_port) + bind = conf[component_type].get('bind', "0.0.0.0") + + LOGGER.info("Starting server with IP {} on port {} bind to {}".format( + hostname, port, bind)) + server = Server( + host=bind, + port=int(port), + component_data={ + 'component_id': component_id, + 'component_type': component_type, + 'pdp_id': pdp_id, + 'meta_rule_id': meta_rule_id, + 'keystone_project_id': keystone_project_id, + } + ) + return server + + +def run(): + server = create_server() + server.run() + + +if __name__ == '__main__': + run() |