aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--moon_interface/moon_interface/api/authz.py44
-rw-r--r--moon_interface/tests/unit_python/api/test_authz.py2
-rw-r--r--moon_interface/tests/unit_python/conftest.py31
-rw-r--r--moon_wrapper/moon_wrapper/api/oslowrapper.py6
-rw-r--r--python_moonutilities/python_moonutilities/cache.py12
5 files changed, 48 insertions, 47 deletions
diff --git a/moon_interface/moon_interface/api/authz.py b/moon_interface/moon_interface/api/authz.py
index 5739027d..bd60d3f6 100644
--- a/moon_interface/moon_interface/api/authz.py
+++ b/moon_interface/moon_interface/api/authz.py
@@ -20,45 +20,46 @@ __version__ = "4.3.1"
logger = logging.getLogger("moon.interface.api.authz." + __name__)
-def pdp_in_cache(cache, uuid):
- """Check if a PDP exist with this Keystone Project ID in the cache of this component
+def get_pdp_from_cache(cache, uuid):
+ """Check if a PDP exist with this ID in the cache of this component
:param cache: Cache to use
:param uuid: Keystone Project ID
:return: True or False
"""
- for item_uuid, item_value in cache.pdp.items():
- if uuid == item_value['keystone_project_id']:
- return item_uuid, item_value
- return None, None
+ if uuid in cache.pdp:
+ return cache.pdp.get(uuid)
+ return None
-def pdp_in_manager(cache, uuid):
- """Check if a PDP exist with this Keystone Project ID in the Manager component
+def get_pdp_from_manager(cache, uuid):
+ """Check if a PDP exist with this ID in the Manager component
:param cache: Cache to use
:param uuid: Keystone Project ID
:return: True or False
"""
cache.update()
- return pdp_in_cache(cache, uuid)
+ return get_pdp_from_cache(cache, uuid)
-def create_authz_request(cache, interface_name, manager_url, uuid, subject_name, object_name, action_name):
+def create_authz_request(cache, interface_name, manager_url, pdp_id, subject_name, object_name, action_name):
"""Create the authorization request and make the first call to the Authz function
:param cache: Cache to use
:param interface_name: hostname of the interface
:param manager_url: URL of the manager
- :param uuid: Keystone Project ID
+ :param pdp_id: Keystone Project ID
:param subject_name: name of the subject
:param object_name: name of the object
:param action_name: name of the action
:return: Authorisation request
"""
req_id = uuid4().hex
+ keystone_project_id = cache.get_keystone_project_id_from_pdp_id(pdp_id)
+ logger.info("keystone_project_id={}".format(keystone_project_id))
ctx = {
- "project_id": uuid,
+ "project_id": keystone_project_id,
"subject_name": subject_name,
"object_name": object_name,
"action_name": action_name,
@@ -81,8 +82,8 @@ class Authz(Resource):
"""
__urls__ = (
- "/authz/<string:uuid>",
- "/authz/<string:uuid>/<string:subject_name>/<string:object_name>/<string:action_name>",
+ "/authz/<string:pdp_id>",
+ "/authz/<string:pdp_id>/<string:subject_name>/<string:object_name>/<string:action_name>",
)
def __init__(self, **kwargs):
@@ -91,10 +92,10 @@ class Authz(Resource):
self.MANAGER_URL = kwargs.get("manager_url", "http://manager:8080")
self.TIMEOUT = 5
- def get(self, uuid=None, subject_name=None, object_name=None, action_name=None):
+ def get(self, pdp_id=None, subject_name=None, object_name=None, action_name=None):
"""Get a response on an authorization request
- :param uuid: uuid of a tenant or an intra_extension
+ :param pdp_id: uuid of a tenant or an intra_extension
:param subject_name: name of the subject or the request
:param object_name: name of the object
:param action_name: name of the action
@@ -118,17 +119,16 @@ class Authz(Resource):
}
:internal_api: authz
"""
- pdp_id, pdp_value = pdp_in_cache(self.CACHE, uuid)
+ pdp_value = get_pdp_from_cache(self.CACHE, pdp_id)
if not pdp_id:
- pdp_id, pdp_value = pdp_in_manager(self.CACHE, uuid)
+ pdp_value = get_pdp_from_manager(self.CACHE, pdp_id)
if not pdp_id:
return {
- "result": False,
- "message": "Unknown Project ID or "
- "Project ID is not bind to a PDP."}, 403
+ "result": False,
+ "message": "Unknown PDP ID."}, 403
authz_request = create_authz_request(
cache=self.CACHE,
- uuid=uuid,
+ pdp_id=pdp_id,
interface_name=self.INTERFACE_NAME,
manager_url=self.MANAGER_URL,
subject_name=subject_name,
diff --git a/moon_interface/tests/unit_python/api/test_authz.py b/moon_interface/tests/unit_python/api/test_authz.py
index 84605203..10957218 100644
--- a/moon_interface/tests/unit_python/api/test_authz.py
+++ b/moon_interface/tests/unit_python/api/test_authz.py
@@ -10,7 +10,7 @@ def test_authz_true(context):
server = moon_interface.server.create_server()
client = server.app.test_client()
req = client.get("/authz/{p_id}/{s_id}/{o_id}/{a_id}".format(
- p_id=context["project_id"],
+ p_id=context["pdp_id"],
s_id=context["subject_name"],
o_id=context["object_name"],
a_id=context["action_name"],
diff --git a/moon_interface/tests/unit_python/conftest.py b/moon_interface/tests/unit_python/conftest.py
index 35ee19d7..a6acbcdd 100644
--- a/moon_interface/tests/unit_python/conftest.py
+++ b/moon_interface/tests/unit_python/conftest.py
@@ -39,21 +39,19 @@ CONF = {
"container": "wukongsun/moon_orchestrator:v4.3",
"hostname": "orchestrator"
},
- "interface": {
- "bind": "0.0.0.0",
- "port": 8080,
- "container": "wukongsun/moon_interface:v4.3",
- "hostname": "interface"
- }
- },
- "plugins": {
- "session": {
- "port": 8082,
- "container": "asteroide/session:latest"
- },
- "authz": {
- "port": 8081,
- "container": "wukongsun/moon_authz:v4.3"
+ "pipeline": {
+ "interface": {
+ "bind": "0.0.0.0",
+ "port": 8080,
+ "container": "wukongsun/moon_interface:v4.3",
+ "hostname": "interface"
+ },
+ "authz": {
+ "bind": "0.0.0.0",
+ "port": 8081,
+ "container": "wukongsun/moon_authz:v4.3",
+ "hostname": "authz"
+ },
}
},
"logging": {
@@ -128,10 +126,11 @@ COMPONENTS = (
"slave",
"components/manager",
"components/orchestrator",
- "components/interface",
+ "components/pipeline",
)
CONTEXT = {
+ "pdp_id": "b3d3e18abf3340e8b635fd49e6634ccd",
"project_id": "a64beb1cc224474fb4badd43173e7101",
"subject_name": "testuser",
"object_name": "vm1",
diff --git a/moon_wrapper/moon_wrapper/api/oslowrapper.py b/moon_wrapper/moon_wrapper/api/oslowrapper.py
index 03bdfc69..d2836c08 100644
--- a/moon_wrapper/moon_wrapper/api/oslowrapper.py
+++ b/moon_wrapper/moon_wrapper/api/oslowrapper.py
@@ -99,14 +99,12 @@ class OsloWrapper(Resource):
_object = self.__get_object(target, credentials)
_action = rule
_project_id = self.__get_project_id(target, credentials)
- logger.debug("POST with args project={} / "
- "subject={} - object={} - action={}".format(
- _project_id, _subject, _object, rule))
+ _pdp_id = self.CACHE.get_pdp_from_keystone_project(_project_id)
interface_url = self.get_interface_url(_project_id)
logger.debug("interface_url={}".format(interface_url))
req = requests.get("{}/authz/{}/{}/{}/{}".format(
interface_url,
- _project_id,
+ _pdp_id,
_subject,
_object,
_action
diff --git a/python_moonutilities/python_moonutilities/cache.py b/python_moonutilities/python_moonutilities/cache.py
index 851c5489..1ea59d3a 100644
--- a/python_moonutilities/python_moonutilities/cache.py
+++ b/python_moonutilities/python_moonutilities/cache.py
@@ -503,10 +503,14 @@ class Cache(object):
else:
logger.warning(" 'security_pipeline','keystone_project_id' "
"key not in pdp {}".format(pdp_value))
- # for policy_id in pdp_value["security_pipeline"]:
- # model_id = self.policies[policy_id]["model_id"]
- # if meta_rule_id in self.models[model_id]["meta_rules"]:
- # return pdp_value["keystone_project_id"]
+
+ def get_keystone_project_id_from_pdp_id(self, pdp_id):
+ if pdp_id in self.pdp:
+ pdp_value = self.pdp.get(pdp_id)
+ if "security_pipeline" in pdp_value and \
+ "keystone_project_id" in pdp_value:
+ return pdp_value["keystone_project_id"]
+ logger.warning("Unknown PDP ID".format(pdp_id))
def get_containers_from_keystone_project_id(self, keystone_project_id,
meta_rule_id=None):