summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--keystone-moon/keystone/contrib/moon/core.py163
-rw-r--r--keystone-moon/keystone/contrib/moon/exception.py2
2 files changed, 62 insertions, 103 deletions
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index db31f4b9..56a491c9 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -288,15 +288,16 @@ class IntraExtensionManager(manager.Manager):
driver = CONF.moon.intraextension_driver
super(IntraExtensionManager, self).__init__(driver)
- def authz(self, uuid, sub, obj, act):
+ def authz(self, intra_extension_uuid, subject_uuid, object_uuid, action_uuid):
"""Check authorization for a particular action.
- :param uuid: UUID of an IntraExtension
- :param sub: subject of the request
- :param obj: object of the request
- :param act: action of the request
+ :param intra_extension_uuid: UUID of an IntraExtension
+ :param subject_uuid: subject UUID of the request
+ :param object_uuid: object UUID of the request
+ :param action_uuid: action UUID of the request
:return: True or False or raise an exception
:raises: (in that order)
+ IntraExtensionNotFound
SubjectUnknown
ObjectUnknown
ActionUnknown
@@ -307,104 +308,62 @@ class IntraExtensionManager(manager.Manager):
ObjectCategoryAssignmentUnknown
ActionCategoryAssignmentUnknown
"""
- if not self.driver.get_intra_extension(uuid):
+ if not self.driver.get_intra_extension(intra_extension_uuid):
raise IntraExtensionNotFound()
- # self.moonlog_api.authz("Unknown: Authorization framework disabled ({} {} {} {})".format(uuid, sub, obj, act))
- # self.moonlog_api.warning("Unknown: Authorization framework disabled ({} {} {} {})".format(uuid, sub, obj, act))
- users = self.driver.get_subject_dict(uuid)
- if sub in users and users[sub] == "admin":
- return True
- return False
- # #TODO (dthom): must raise IntraExtensionNotAuthorized
- # try:
- # _subject_category_dict = self.driver.get_subject_category_dict(extension_uuid)
- # _object_category_dict = self.driver.get_object_category_dict(extension_uuid)
- # _action_category_dict = self.driver.get_action_category_dict(extension_uuid)
- # _subject_category_value_dict = self.driver.get_subject_category_value_dict(extension_uuid, subject_name)
- # _object_category_value_dict = self.driver.get_object_category_value_dict(extension_uuid, object_name)
- # _action_category_value_dict = self.driver.get_action_category_value_dict(extension_uuid, action_name)
- # _meta_rule = self.driver.get_meta_rule(extension_uuid)
- # _rules = self.driver.get_rules(extension_uuid)
+
+ try:
+ _subject_category_dict = self.driver.get_subject_category_dict(intra_extension_uuid)
+ _object_category_dict = self.driver.get_object_category_dict(intra_extension_uuid)
+ _action_category_dict = self.driver.get_action_category_dict(intra_extension_uuid)
+ _subject_category_value_dict = self.driver.get_subject_category_value_dict(intra_extension_uuid, subject_uuid)
+ _object_category_value_dict = self.driver.get_object_category_value_dict(intra_extension_uuid, object_uuid)
+ _action_category_value_dict = self.driver.get_action_category_value_dict(intra_extension_uuid, action_uuid)
+ _subject_assignment_dict = self.driver.get_subject_category_assignment_dict(intra_extension_uuid)
+ _action_assignment_dict = self.driver.get_action_category_assignment_dict(intra_extension_uuid)
+ _object_assignment_dict = self.driver.get_object_category_assignment_dict(intra_extension_uuid)
+ _meta_rule = self.driver.get_meta_rule(intra_extension_uuid)
+ _rules = self.driver.get_rules(intra_extension_uuid)
# # TODO: algorithm to validate requests
# return True
# except exception: # TODO: exception.IntraExtension.NotAuthorized
# pass
- # sub_meta_rule = self.driver.get_meta_rule(uuid)
- # subject_assignments = self.driver.get_subject_category_assignment_dict(uuid)
- # action_assignments = self.driver.get_action_category_assignment_dict(uuid)
- # object_assignments = self.driver.get_object_category_assignment_dict(uuid)
- # # check if subject exists
- # if sub not in self.driver.get_subject_dict(uuid):
- # self.moonlog_api.authz("KO: Subject {} unknown".format(sub))
- # return False
- # # check if object exists
- # if obj not in self.driver.get_object_dict(uuid):
- # self.moonlog_api.authz("KO: Object {} unknown".format(obj))
- # return False
- # # check if action exists
- # if act not in self.driver.get_action_dict(uuid):
- # self.moonlog_api.authz("KO: Action {} unknown".format(act))
- # return False
- # # check if subject is in subject_assignment
- # for cat in subject_assignments.keys():
- # if sub in subject_assignments[cat]:
- # break
- # else:
- # self.moonlog_api.authz("KO: Subject no found in categories {}".format(
- # subject_assignments.keys()))
- # return False
- # # check if object is in object_assignment
- # for cat in object_assignments.keys():
- # if obj in object_assignments[cat]:
- # break
- # else:
- # self.moonlog_api.authz("KO: Object no found in categories {}".format(
- # object_assignments))
- # return False
- # # check if action is in action_assignment
- # for cat in action_assignments.keys():
- # if act in action_assignments[cat]:
- # break
- # else:
- # self.moonlog_api.authz("KO: Action no found in categories {}".format(
- # action_assignments.keys()))
- # return False
- # # get all rules for intra_extension
- # rules = self.driver.get_rules(uuid)
- # # check if relation exists in rules
- # relation_to_check = None
- # relations = self.driver.get_sub_meta_rule_relations(uuid)
- # for relation in rules:
- # if relation in relations:
- # # hypothesis: only one relation to check
- # relation_to_check = relation
- # break
- # else:
- # self.moonlog_api.authz("KO: No relation can be used {}".format(rules.keys()))
- # return False
- # for sub_rule in rules[relation_to_check]:
- # for cat in sub_meta_rule[relation_to_check]["subject_categories"]:
- # rule_scope = sub_rule.pop(0)
- # if rule_scope in subject_assignments[cat][sub]:
- # break
- # else:
- # continue
- # for cat in sub_meta_rule[relation_to_check]["action_categories"]:
- # rule_scope = sub_rule.pop(0)
- # if rule_scope in action_assignments[cat][act]:
- # break
- # else:
- # continue
- # for cat in sub_meta_rule[relation_to_check]["object_categories"]:
- # rule_scope = sub_rule.pop(0)
- # if rule_scope in object_assignments[cat][obj]:
- # break
- # else:
- # continue
- # self.moonlog_api.authz("OK ({} {},{},{})".format(uuid, sub, act, obj))
- # return True
- # self.moonlog_api.authz("KO ({} {},{},{})".format(uuid, sub, act, obj))
- # return False
+
+ # get all rules for intra_extension
+ rules = self.driver.get_rules(intra_extension_uuid)
+ # check if relation exists in rules
+ relation_to_check = None
+ relations = self.driver.get_sub_meta_rule_relations(intra_extension_uuid)
+ for relation in rules:
+ if relation in relations:
+ # hypothesis: only one relation to check
+ relation_to_check = relation
+ break
+ else:
+ self.moonlog_api.authz("KO: No relation can be used {}".format(rules.keys()))
+ return False
+ for sub_rule in rules[relation_to_check]:
+ for cat in sub_meta_rule[relation_to_check]["subject_categories"]:
+ rule_scope = sub_rule.pop(0)
+ if rule_scope in subject_assignments[cat][subject_uuid]:
+ break
+ else:
+ continue
+ for cat in sub_meta_rule[relation_to_check]["action_categories"]:
+ rule_scope = sub_rule.pop(0)
+ if rule_scope in action_assignments[cat][action_uuid]:
+ break
+ else:
+ continue
+ for cat in sub_meta_rule[relation_to_check]["object_categories"]:
+ rule_scope = sub_rule.pop(0)
+ if rule_scope in object_assignments[cat][object_uuid]:
+ break
+ else:
+ continue
+ self.moonlog_api.authz("OK ({} {},{},{})".format(intra_extension_uuid, subject_uuid, action_uuid, object_uuid))
+ return True
+ self.moonlog_api.authz("KO ({} {},{},{})".format(intra_extension_uuid, subject_uuid, action_uuid, object_uuid))
+ return False
def __get_key_from_value(self, value, values_dict):
return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0]
@@ -1292,17 +1251,17 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
__genre__ = "authz"
- def authz(self, uuid, sub, obj, act):
+ def authz(self, tenant_uuid, sub, obj, act):
"""Check authorization for a particular action.
- :param uuid: UUID of a tenant
+ :param tenant_uuid: UUID of a tenant
:param sub: subject of the request
:param obj: object of the request
:param act: action of the request
:return: True or False or raise an exception
"""
- _uuid = self.tenant_api.get_extension_uuid(uuid, "authz")
- return super(IntraExtensionAuthzManager, self).authz(_uuid, sub, obj, act)
+ _intra_authz_extention_uuid = self.tenant_api.get_extension_uuid(tenant_uuid, "authz")
+ return super(IntraExtensionAuthzManager, self).authz(_intra_authz_extention_uuid, sub, obj, act)
def delete_intra_extension(self, intra_extension_id):
raise AdminException()
diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py
index b206fc76..8ff77b7e 100644
--- a/keystone-moon/keystone/contrib/moon/exception.py
+++ b/keystone-moon/keystone/contrib/moon/exception.py
@@ -193,7 +193,7 @@ class RuleOKNotExisting(AuthzRule):
message_format = _("The positive rule for that request doen't exist.")
code = 400
title = 'Rule OK Not Existing'
- logger = "WARNING"
+ logger = "ERROR"
class RuleKOExisting(AuthzRule):