-rw-r--r-- | moon_interface/moon_interface/api/authz.py | 44 | ||||
-rw-r--r-- | moon_interface/tests/unit_python/api/test_authz.py | 2 | ||||
-rw-r--r-- | moon_interface/tests/unit_python/conftest.py | 31 | ||||
-rw-r--r-- | moon_wrapper/moon_wrapper/api/oslowrapper.py | 6 | ||||
-rw-r--r-- | python_moonutilities/python_moonutilities/cache.py | 12 |
5 files changed, 48 insertions, 47 deletions
diff --git a/moon_interface/moon_interface/api/authz.py b/moon_interface/moon_interface/api/authz.py
index 5739027d..bd60d3f6 100644
--- a/moon_interface/moon_interface/api/authz.py
+++ b/moon_interface/moon_interface/api/authz.py
@@ -20,45 +20,46 @@ __version__ = "4.3.1" logger = logging.getLogger("moon.interface.api.authz." + __name__) -def pdp_in_cache(cache, uuid): - """Check if a PDP exist with this Keystone Project ID in the cache of this component +def get_pdp_from_cache(cache, uuid): + """Check if a PDP exist with this ID in the cache of this component :param cache: Cache to use :param uuid: Keystone Project ID :return: True or False """ - for item_uuid, item_value in cache.pdp.items(): - if uuid == item_value['keystone_project_id']: - return item_uuid, item_value - return None, None + if uuid in cache.pdp: + return cache.pdp.get(uuid) + return None -def pdp_in_manager(cache, uuid): - """Check if a PDP exist with this Keystone Project ID in the Manager component +def get_pdp_from_manager(cache, uuid): + """Check if a PDP exist with this ID in the Manager component :param cache: Cache to use :param uuid: Keystone Project ID :return: True or False """ cache.update() - return pdp_in_cache(cache, uuid) + return get_pdp_from_cache(cache, uuid) -def create_authz_request(cache, interface_name, manager_url, uuid, subject_name, object_name, action_name): +def create_authz_request(cache, interface_name, manager_url, pdp_id, subject_name, object_name, action_name): """Create the authorization request and make the first call to the Authz function :param cache: Cache to use :param interface_name: hostname of the interface :param manager_url: URL of the manager - :param uuid: Keystone Project ID + :param pdp_id: Keystone Project ID :param subject_name: name of the subject :param object_name: name of the object :param action_name: name of the action :return: Authorisation request """ req_id = uuid4().hex + keystone_project_id = cache.get_keystone_project_id_from_pdp_id(pdp_id) + logger.info("keystone_project_id={}".format(keystone_project_id)) ctx = { - "project_id": uuid, + "project_id": keystone_project_id, "subject_name": subject_name, "object_name": object_name, "action_name": action_name, 
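Review bot: The docstrings were not updated with the code: `get_pdp_from_cache` and `get_pdp_from_manager` still say `:param uuid: Keystone Project ID` and `:return: True or False`, although the lookup is now keyed by PDP ID and returns the cached PDP entry or None, and `create_authz_request` now documents `:param pdp_id: Keystone Project ID`. Suggested wording: `:param uuid: PDP ID`, `:return: the cached PDP entry, or None if no PDP has this ID`, and `:param pdp_id: ID of the PDP the request is evaluated against`. `get_pdp_from_cache` can also be reduced to `return cache.pdp.get(uuid)`, which is equivalent to the membership test followed by `get`. In `create_authz_request`, `keystone_project_id` is None when the cache has no entry for `pdp_id` (as far as the cache.py hunk shows, that method only logs a warning in that case), yet it is still written into `ctx["project_id"]` and logged at info level on every request; consider failing early when it is None and logging it at debug. The body of `create_authz_request` continues outside the hunk.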
@@ -81,8 +82,8 @@ class Authz(Resource): """ __urls__ = ( - "/authz/<string:uuid>", - "/authz/<string:uuid>/<string:subject_name>/<string:object_name>/<string:action_name>", + "/authz/<string:pdp_id>", + "/authz/<string:pdp_id>/<string:subject_name>/<string:object_name>/<string:action_name>", ) def __init__(self, **kwargs):
@@ -91,10 +92,10 @@ class Authz(Resource): self.MANAGER_URL = kwargs.get("manager_url", "http://manager:8080") self.TIMEOUT = 5 - def get(self, uuid=None, subject_name=None, object_name=None, action_name=None): + def get(self, pdp_id=None, subject_name=None, object_name=None, action_name=None): """Get a response on an authorization request - :param uuid: uuid of a tenant or an intra_extension + :param pdp_id: uuid of a tenant or an intra_extension :param subject_name: name of the subject or the request :param object_name: name of the object :param action_name: name of the action
@@ -118,17 +119,16 @@ class Authz(Resource): } :internal_api: authz """ - pdp_id, pdp_value = pdp_in_cache(self.CACHE, uuid) + pdp_value = get_pdp_from_cache(self.CACHE, pdp_id) if not pdp_id: - pdp_id, pdp_value = pdp_in_manager(self.CACHE, uuid) + pdp_value = get_pdp_from_manager(self.CACHE, pdp_id) if not pdp_id: return { - "result": False, - "message": "Unknown Project ID or " - "Project ID is not bind to a PDP."}, 403 + "result": False, + "message": "Unknown PDP ID."}, 403 authz_request = create_authz_request( cache=self.CACHE, - uuid=uuid, + pdp_id=pdp_id, interface_name=self.INTERFACE_NAME, manager_url=self.MANAGER_URL, subject_name=subject_name,
diff --git a/moon_interface/tests/unit_python/api/test_authz.py b/moon_interface/tests/unit_python/api/test_authz.py
index 84605203..10957218 100644
--- a/moon_interface/tests/unit_python/api/test_authz.py
+++ b/moon_interface/tests/unit_python/api/test_authz.py
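Review bot: In the `@@ -118,17 +119,16 @@` hunk, the fallback and the 403 guard in `Authz.get` test the wrong variable: both `if not pdp_id:` lines check the URL parameter, which is always set on the matched routes, so a cache miss never triggers `get_pdp_from_manager` and the `"Unknown PDP ID."` response is unreachable; an unknown pdp_id instead reaches `create_authz_request` with `pdp_value` None. Previously the returned `pdp_id` from `pdp_in_cache` carried the found/not-found signal, which the new return shape no longer provides. Both conditions should read `if not pdp_value:`, which restores the manager refresh and the 403 for unknown PDP IDs. The rest of `get` continues outside the hunk.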
@@ -10,7 +10,7 @@ def test_authz_true(context): server = moon_interface.server.create_server() client = server.app.test_client() req = client.get("/authz/{p_id}/{s_id}/{o_id}/{a_id}".format( - p_id=context["project_id"], + p_id=context["pdp_id"], s_id=context["subject_name"], o_id=context["object_name"], a_id=context["action_name"],
diff --git a/moon_interface/tests/unit_python/conftest.py b/moon_interface/tests/unit_python/conftest.py
index 35ee19d7..a6acbcdd 100644
--- a/moon_interface/tests/unit_python/conftest.py
+++ b/moon_interface/tests/unit_python/conftest.py
@@ -39,21 +39,19 @@ CONF = { "container": "wukongsun/moon_orchestrator:v4.3", "hostname": "orchestrator" }, - "interface": { - "bind": "0.0.0.0", - "port": 8080, - "container": "wukongsun/moon_interface:v4.3", - "hostname": "interface" - } - }, - "plugins": { - "session": { - "port": 8082, - "container": "asteroide/session:latest" - }, - "authz": { - "port": 8081, - "container": "wukongsun/moon_authz:v4.3" + "pipeline": { + "interface": { + "bind": "0.0.0.0", + "port": 8080, + "container": "wukongsun/moon_interface:v4.3", + "hostname": "interface" + }, + "authz": { + "bind": "0.0.0.0", + "port": 8081, + "container": "wukongsun/moon_authz:v4.3", + "hostname": "authz" + }, } }, "logging": {
@@ -128,10 +126,11 @@ COMPONENTS = ( "slave", "components/manager", "components/orchestrator", - "components/interface", + "components/pipeline", ) CONTEXT = { + "pdp_id": "b3d3e18abf3340e8b635fd49e6634ccd", "project_id": "a64beb1cc224474fb4badd43173e7101", "subject_name": "testuser", "object_name": "vm1",
diff --git a/moon_wrapper/moon_wrapper/api/oslowrapper.py b/moon_wrapper/moon_wrapper/api/oslowrapper.py
index 03bdfc69..d2836c08 100644
--- a/moon_wrapper/moon_wrapper/api/oslowrapper.py
+++ b/moon_wrapper/moon_wrapper/api/oslowrapper.py
@@ -99,14 +99,12 @@ class OsloWrapper(Resource): _object = self.__get_object(target, credentials) _action = rule _project_id = self.__get_project_id(target, credentials) - logger.debug("POST with args project={} / " - "subject={} - object={} - action={}".format( - _project_id, _subject, _object, rule)) + _pdp_id = self.CACHE.get_pdp_from_keystone_project(_project_id) interface_url = self.get_interface_url(_project_id) logger.debug("interface_url={}".format(interface_url)) req = requests.get("{}/authz/{}/{}/{}/{}".format( interface_url, - _project_id, + _pdp_id, _subject, _object, _action
diff --git a/python_moonutilities/python_moonutilities/cache.py b/python_moonutilities/python_moonutilities/cache.py
index 851c5489..1ea59d3a 100644
--- a/python_moonutilities/python_moonutilities/cache.py
+++ b/python_moonutilities/python_moonutilities/cache.py
@@ -503,10 +503,14 @@ class Cache(object): else: logger.warning(" 'security_pipeline','keystone_project_id' " "key not in pdp {}".format(pdp_value)) - # for policy_id in pdp_value["security_pipeline"]: - # model_id = self.policies[policy_id]["model_id"] - # if meta_rule_id in self.models[model_id]["meta_rules"]: - # return pdp_value["keystone_project_id"] + + def get_keystone_project_id_from_pdp_id(self, pdp_id): + if pdp_id in self.pdp: + pdp_value = self.pdp.get(pdp_id) + if "security_pipeline" in pdp_value and \ + "keystone_project_id" in pdp_value: + return pdp_value["keystone_project_id"] + logger.warning("Unknown PDP ID".format(pdp_id)) def get_containers_from_keystone_project_id(self, keystone_project_id, meta_rule_id=None): |
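Review bot: `_pdp_id` is interpolated into the `/authz/` URL without checking that the cache lookup succeeded; if `get_pdp_from_keystone_project` yields None for a project with no bound PDP, the wrapper sends `/authz/None/...` to the interface instead of denying locally. Add a guard right after the lookup, e.g. `if not _pdp_id: logger.warning("No PDP bound to project {}".format(_project_id))` followed by the deny result this method uses elsewhere (its return convention is outside the hunk). The removed `logger.debug` was the only record of project/subject/object/action for the call; keep a debug line that also carries `_pdp_id`, so a denial can be matched with the interface's log. The cache method name is not visible in the cache.py hunk of this commit, so confirm it exists with that signature.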
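Review bot: The warning at the end of `get_keystone_project_id_from_pdp_id` never includes the ID: `"Unknown PDP ID".format(pdp_id)` has no placeholder, so the argument is discarded; use `logger.warning("Unknown PDP ID {}".format(pdp_id))`. The same message is also emitted when the PDP exists but lacks `security_pipeline` or `keystone_project_id`, which is a different condition from an unknown ID; the `else` branch visible just above already logs that case with a distinct message and could be mirrored here. The method returns None implicitly on both failure paths, so add a docstring such as `"""Return the Keystone project ID bound to *pdp_id*, or None if the PDP is unknown or not bound to a project."""` so callers know to handle None.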