diff options
| -rw-r--r-- | moon_authz/moon_authz/__init__.py | 2 | ||||
| -rw-r--r-- | moon_authz/moon_authz/__main__.py | 4 | ||||
| -rw-r--r-- | moon_authz/moon_authz/api/authorization.py | 39 | ||||
| -rw-r--r-- | moon_authz/moon_authz/http_server.py | 11 | ||||
| -rw-r--r-- | moon_authz/moon_authz/server.py | 22 | ||||
| -rw-r--r-- | moon_authz/setup.py | 2 | ||||
| -rw-r--r-- | moon_authz/tests/unit_python/mock_pods.py | 8 | ||||
| -rw-r--r-- | moon_authz/tests/unit_python/test_authz.py | 8 | ||||
| -rw-r--r-- | moon_manager/tests/unit_python/__init__.py | 0 | ||||
| -rw-r--r-- | moon_manager/tests/unit_python/api/test_perimeter.py | 29 | ||||
| -rw-r--r-- | moon_manager/tests/unit_python/api/utilities.py | 12 | ||||
| -rw-r--r-- | python_moonutilities/python_moonutilities/cache.py | 45 | ||||
| -rw-r--r-- | python_moonutilities/python_moonutilities/exceptions.py | 15 |
13 files changed, 107 insertions, 90 deletions
diff --git a/moon_authz/moon_authz/__init__.py b/moon_authz/moon_authz/__init__.py index 903c6518..6f964a63 100644 --- a/moon_authz/moon_authz/__init__.py +++ b/moon_authz/moon_authz/__init__.py @@ -3,4 +3,4 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "0.1.0" +__version__ = "4.3.2" diff --git a/moon_authz/moon_authz/__main__.py b/moon_authz/moon_authz/__main__.py index 699c008c..2693f687 100644 --- a/moon_authz/moon_authz/__main__.py +++ b/moon_authz/moon_authz/__main__.py @@ -1,4 +1,4 @@ -from moon_authz.server import main +from moon_authz.server import create_server -server = main() +server = create_server() server.run() diff --git a/moon_authz/moon_authz/api/authorization.py b/moon_authz/moon_authz/api/authorization.py index d7832ef0..c83dd72c 100644 --- a/moon_authz/moon_authz/api/authorization.py +++ b/moon_authz/moon_authz/api/authorization.py @@ -3,30 +3,21 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -import binascii import itertools import pickle -from uuid import uuid4 import logging -from python_moonutilities import exceptions import flask from flask import request from flask_restful import Resource -# TODO (asteroide): -# - end the dev of the context -# - rebuild the authorization function according to the context -# - call the next security function -# - call the master if an element is absent - -LOG = logging.getLogger("moon.authz.api." + __name__) +logger = logging.getLogger("moon.authz.api." + __name__) class Authz(Resource): """ Endpoint for authz requests """ - __version__ = "0.1.0" + __version__ = "4.3.1" __urls__ = ( "/authz", @@ -82,7 +73,7 @@ class Authz(Resource): return response def run(self): - LOG.info("self.context.pdp_set={}".format(self.context.pdp_set)) + logger.info("self.context.pdp_set={}".format(self.context.pdp_set)) result, message = self.__check_rules() if result: return self.__exec_instructions(result) @@ -108,10 +99,10 @@ class Authz(Resource): for item in itertools.product(*scopes_list): req = list(item) for rule in self.cache.rules[self.context.current_policy_id]["rules"]: - LOG.info("rule={}".format(rule)) + logger.info("rule={}".format(rule)) if req == rule['rule']: return rule['instructions'], "" - LOG.warning("No rule match the request...") + logger.warning("No rule match the request...") return False, "No rule match the request..." def __update_subject_category_in_policy(self, operation, target): @@ -119,7 +110,7 @@ class Authz(Resource): try: policy_name, category_name, data_name = target.split(":") except ValueError: - LOG.error("Cannot understand value in instruction ({})".format(target)) + logger.error("Cannot understand value in instruction ({})".format(target)) return False # pdp_set = self.payload["authz_context"]['pdp_set'] for meta_rule_id in self.context.pdp_set: @@ -131,7 +122,7 @@ class Authz(Resource): subject_category_id = category_id break else: - LOG.error("Cannot understand category in instruction ({})".format(target)) + logger.error("Cannot understand category in instruction ({})".format(target)) return False subject_data_id = None for data in PolicyManager.get_subject_data("admin", policy_id, category_id=subject_category_id): @@ -142,7 +133,7 @@ class Authz(Resource): if subject_data_id: break else: - LOG.error("Cannot understand data in instruction ({})".format(target)) + logger.error("Cannot understand data in instruction ({})".format(target)) return False if operation == "add": self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][subject_category_id].append( @@ -152,7 +143,7 @@ class Authz(Resource): self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][subject_category_id].remove( subject_data_id) except ValueError: - LOG.warning("Cannot remove role {} from target".format(data_name)) + logger.warning("Cannot remove role {} from target".format(data_name)) result = True break return result @@ -234,7 +225,7 @@ class Authz(Resource): if key == "decision": if instruction["decision"] == "grant": self.context.current_state = "grant" - LOG.info("__exec_instructions True {}".format( + logger.info("__exec_instructions True {}".format( self.context.current_state)) return True else: @@ -251,7 +242,7 @@ class Authz(Resource): self.context.current_state = "deny" else: self.context.current_state = "passed" - LOG.info("__exec_instructions False {}".format(self.context.current_state)) + logger.info("__exec_instructions False {}".format(self.context.current_state)) # def __update_current_request(self): # index = self.payload["authz_context"]["index"] @@ -360,15 +351,15 @@ class Authz(Resource): "args": self.payload} except Exception as e: try: - LOG.error(self.payload["authz_context"]) + logger.error(self.payload["authz_context"]) except KeyError: - LOG.error("Cannot find \"authz_context\" in context") - LOG.error(e, exc_info=True) + logger.error("Cannot find \"authz_context\" in context") + logger.error(e, exc_info=True) return {"authz": False, "error": str(e), "pdp_id": self.pdp_id, "args": self.payload} def head(self, uuid=None, subject_name=None, object_name=None, action_name=None): - LOG.info("HEAD request") + logger.info("HEAD request") return "", 200
\ No newline at end of file diff --git a/moon_authz/moon_authz/http_server.py b/moon_authz/moon_authz/http_server.py index d24a02ca..836efbc8 100644 --- a/moon_authz/moon_authz/http_server.py +++ b/moon_authz/moon_authz/http_server.py @@ -3,9 +3,8 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -from flask import Flask, request -# from flask_cors import CORS, cross_origin -from flask_restful import Resource, Api, reqparse +from flask import Flask +from flask_restful import Resource, Api import logging from moon_authz import __version__ from moon_authz.api.authorization import Authz @@ -61,6 +60,7 @@ class Server: def run(self): raise NotImplementedError() + __API__ = ( Authz, ) @@ -74,7 +74,8 @@ class Root(Resource): __methods = ("get", "post", "put", "delete", "options") def get(self): - tree = {"/": {"methods": ("get",), "description": "List all methods for that service."}} + tree = {"/": {"methods": ("get",), + "description": "List all methods for that service."}} for item in __API__: tree[item.__name__] = {"urls": item.__urls__} _methods = [] @@ -101,8 +102,6 @@ class HTTPServer(Server): self.app = Flask(__name__) self._port = port self._host = host - # Todo : specify only few urls instead of * - # CORS(self.app) self.component_id = kwargs.get("component_id") self.keystone_project_id = kwargs.get("keystone_project_id") self.container_chaining = kwargs.get("container_chaining") diff --git a/moon_authz/moon_authz/server.py b/moon_authz/moon_authz/server.py index 1919ebe5..8715bd87 100644 --- a/moon_authz/moon_authz/server.py +++ b/moon_authz/moon_authz/server.py @@ -4,15 +4,14 @@ # or at 'http://www.apache.org/licenses/LICENSE-2.0'. import os -from oslo_log import log as logging +import logging from moon_authz.http_server import HTTPServer as Server from python_moonutilities import configuration -LOG = logging.getLogger("moon.authz.server") -DOMAIN = "moon_authz" +logger = logging.getLogger("moon.authz.server") -def main(): +def create_server(): configuration.init_logging() component_id = os.getenv("UUID") @@ -21,14 +20,16 @@ def main(): pdp_id = os.getenv("PDP_ID") meta_rule_id = os.getenv("META_RULE_ID") keystone_project_id = os.getenv("KEYSTONE_PROJECT_ID") - LOG.info("component_type={}".format(component_type)) + logger.info("component_type={}".format(component_type)) conf = configuration.get_configuration("plugins/{}".format(component_type)) conf["plugins/{}".format(component_type)]['id'] = component_id - hostname = conf["plugins/{}".format(component_type)].get('hostname', component_id) + hostname = conf["plugins/{}".format(component_type)].get('hostname', + component_id) port = conf["plugins/{}".format(component_type)].get('port', tcp_port) bind = conf["plugins/{}".format(component_type)].get('bind', "0.0.0.0") - LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind)) + logger.info("Starting server with IP {} on port {} bind to {}".format( + hostname, port, bind)) server = Server( host=bind, port=int(port), @@ -43,5 +44,10 @@ def main(): return server +def run(): + server = create_server() + server.run() + + if __name__ == '__main__': - main() + run() diff --git a/moon_authz/setup.py b/moon_authz/setup.py index c3ac33c7..ad99b9f8 100644 --- a/moon_authz/setup.py +++ b/moon_authz/setup.py @@ -40,7 +40,7 @@ setup( entry_points={ 'console_scripts': [ - 'moon_authz = moon_authz.server:main', + 'moon_authz = moon_authz.server:run', ], } diff --git a/moon_authz/tests/unit_python/mock_pods.py b/moon_authz/tests/unit_python/mock_pods.py index 7488f4f3..74801cd1 100644 --- a/moon_authz/tests/unit_python/mock_pods.py +++ b/moon_authz/tests/unit_python/mock_pods.py @@ -10,15 +10,15 @@ pdp_mock = { "keystone_project_id": "a64beb1cc224474fb4badd43173e7101" }, "pdp_id1": { - "name": "...", + "name": "pdp_id1", "security_pipeline": ["policy_id_1", "policy_id_2"], "keystone_project_id": "keystone_project_id1", "description": "...", }, "pdp_id12": { - "name": "...", + "name": "pdp_id2", "security_pipeline": ["policy_id_1", "policy_id_2"], - "keystone_project_id": "keystone_project_id1", + "keystone_project_id": "keystone_project_id2", "description": "...", } } @@ -100,7 +100,7 @@ subject_mock = { "policy_id_2": { "subject_id": { "name": "subject_name", - "keystone_id": "keystone_project_id1", + "keystone_id": "keystone_project_id2", "description": "a description" } } diff --git a/moon_authz/tests/unit_python/test_authz.py b/moon_authz/tests/unit_python/test_authz.py index f98abebc..50493c9f 100644 --- a/moon_authz/tests/unit_python/test_authz.py +++ b/moon_authz/tests/unit_python/test_authz.py @@ -12,9 +12,9 @@ def get_json(data): def test_authz_true(context): import moon_authz.server - from python_moonutilities.security_functions import Context + from python_moonutilities.context import Context from python_moonutilities.cache import Cache - server = moon_authz.server.main() + server = moon_authz.server.create_server() client = server.app.test_client() CACHE = Cache() CACHE.update() @@ -33,9 +33,9 @@ def test_authz_true(context): def test_user_not_allowed(context): import moon_authz.server - from python_moonutilities.security_functions import Context + from python_moonutilities.context import Context from python_moonutilities.cache import Cache - server = moon_authz.server.main() + server = moon_authz.server.create_server() client = server.app.test_client() CACHE = Cache() CACHE.update() diff --git a/moon_manager/tests/unit_python/__init__.py b/moon_manager/tests/unit_python/__init__.py deleted file mode 100644 index e69de29b..00000000 --- a/moon_manager/tests/unit_python/__init__.py +++ /dev/null diff --git a/moon_manager/tests/unit_python/api/test_perimeter.py b/moon_manager/tests/unit_python/api/test_perimeter.py index d255ae65..db09780f 100644 --- a/moon_manager/tests/unit_python/api/test_perimeter.py +++ b/moon_manager/tests/unit_python/api/test_perimeter.py @@ -1,16 +1,13 @@ # import moon_manager # import moon_manager.api import json - - -def get_json(data): - return json.loads(data.decode("utf-8")) +import api.utilities as utilities def get_subjects(client): req = client.get("/subjects") assert req.status_code == 200 - subjects = get_json(req.data) + subjects = utilities.get_json(req.data) assert isinstance(subjects, dict) assert "subjects" in subjects return subjects @@ -26,7 +23,7 @@ def add_subjects(client, name): req = client.post("/subjects", data=json.dumps(data), headers={'Content-Type': 'application/json'}) assert req.status_code == 200 - subjects = get_json(req.data) + subjects = utilities.get_json(req.data) assert isinstance(subjects, dict) key = list(subjects["subjects"].keys())[0] value = list(subjects["subjects"].values())[0] @@ -63,9 +60,7 @@ def delete_subject(client, name): def test_subject(): - import moon_manager.server - server = moon_manager.server.main() - client = server.app.test_client() + client = utilities.register_client() get_subjects(client) add_subjects(client, "testuser") add_subjects_without_name(client, "") @@ -75,7 +70,7 @@ def test_subject(): def get_objects(client): req = client.get("/objects") assert req.status_code == 200 - objects = get_json(req.data) + objects = utilities.get_json(req.data) assert isinstance(objects, dict) assert "objects" in objects return objects @@ -89,7 +84,7 @@ def add_objects(client, name): req = client.post("/objects", data=json.dumps(data), headers={'Content-Type': 'application/json'}) assert req.status_code == 200 - objects = get_json(req.data) + objects = utilities.get_json(req.data) assert isinstance(objects, dict) key = list(objects["objects"].keys())[0] value = list(objects["objects"].values())[0] @@ -111,9 +106,7 @@ def delete_objects(client, name): def test_objects(): - import moon_manager.server - server = moon_manager.server.main() - client = server.app.test_client() + client = utilities.register_client() get_objects(client) add_objects(client, "testuser") delete_objects(client, "testuser") @@ -122,7 +115,7 @@ def test_objects(): def get_actions(client): req = client.get("/actions") assert req.status_code == 200 - actions = get_json(req.data) + actions = utilities.get_json(req.data) assert isinstance(actions, dict) assert "actions" in actions return actions @@ -136,7 +129,7 @@ def add_actions(client, name): req = client.post("/actions", data=json.dumps(data), headers={'Content-Type': 'application/json'}) assert req.status_code == 200 - actions = get_json(req.data) + actions = utilities.get_json(req.data) assert isinstance(actions, dict) key = list(actions["actions"].keys())[0] value = list(actions["actions"].values())[0] @@ -158,9 +151,7 @@ def delete_actions(client, name): def test_actions(): - import moon_manager.server - server = moon_manager.server.main() - client = server.app.test_client() + client = utilities.register_client() get_actions(client) add_actions(client, "testuser") delete_actions(client, "testuser") diff --git a/moon_manager/tests/unit_python/api/utilities.py b/moon_manager/tests/unit_python/api/utilities.py new file mode 100644 index 00000000..1c055da5 --- /dev/null +++ b/moon_manager/tests/unit_python/api/utilities.py @@ -0,0 +1,12 @@ +import json + + +def get_json(data): + return json.loads(data.decode("utf-8")) + + +def register_client(): + import moon_manager.server + server = moon_manager.server.main() + client = server.app.test_client() + return client
\ No newline at end of file diff --git a/python_moonutilities/python_moonutilities/cache.py b/python_moonutilities/python_moonutilities/cache.py index 164be3da..154365a4 100644 --- a/python_moonutilities/python_moonutilities/cache.py +++ b/python_moonutilities/python_moonutilities/cache.py @@ -204,7 +204,7 @@ class Cache(object): def __update_rules(self): for policy_id in self.policies: - logger.info("Get {}".format("{}/policies/{}/rules".format( + logger.debug("Get {}".format("{}/policies/{}/rules".format( self.manager_url, policy_id))) response = requests.get("{}/policies/{}/rules".format( @@ -214,7 +214,7 @@ class Cache(object): else: logger.warning(" no 'rules' found within policy_id: {}".format(policy_id)) - logger.info("UPDATE RULES {}".format(self.__RULES)) + logger.debug("UPDATE RULES {}".format(self.__RULES)) # assignment functions @@ -252,7 +252,7 @@ class Cache(object): return value['assignments'] else: logger.warning("'subject_id' or 'category_id' or'assignments'" - " keys are not found in subject_assignments") + " keys are not found in subject_assignments") return [] @property @@ -289,7 +289,7 @@ class Cache(object): return value['assignments'] else: logger.warning("'object_id' or 'category_id' or'assignments'" - " keys are not found in object_assignments") + " keys are not found in object_assignments") return [] @property @@ -326,7 +326,7 @@ class Cache(object): return value['assignments'] else: logger.warning("'action_id' or 'category_id' or'assignments'" - " keys are not found in action_assignments") + " keys are not found in action_assignments") return [] # category functions @@ -398,7 +398,7 @@ class Cache(object): self.__PDP[key] = value else: - raise exceptions.PDPNotFound("Cannot find 'pdps' key") + raise exceptions.PdpError("Cannot find 'pdps' key") @property def pdp(self): @@ -476,24 +476,33 @@ class Cache(object): if meta_rule_id in self.models[model_id]["meta_rules"]: return policy_id else: - logger.warning("Cannot find model_id: {} within models and 'meta_rules' key".format(model_id)) + logger.warning( + "Cannot find model_id: {} within " + "models and 'meta_rules' key".format(model_id)) else: - logger.warning("Cannot find policy_id: {} within policies and 'model_id' key".format(policy_id)) + logger.warning( + "Cannot find policy_id: {} " + "within policies and 'model_id' key".format( + policy_id)) else: - logger.warning("Cannot find 'security_pipeline' key within pdp ") + logger.warning("Cannot find 'security_pipeline' " + "key within pdp ") def get_pdp_from_keystone_project(self, keystone_project_id): for pdp_key, pdp_value in self.pdp.items(): - if "keystone_project_id" in pdp_value and keystone_project_id == pdp_value["keystone_project_id"]: + if "keystone_project_id" in pdp_value and \ + keystone_project_id == pdp_value["keystone_project_id"]: return pdp_key def get_keystone_project_id_from_policy_id(self, policy_id): for pdp_key, pdp_value in self.pdp.items(): - if "security_pipeline" in pdp_value and "keystone_project_id" in pdp_value: + if "security_pipeline" in pdp_value and \ + "keystone_project_id" in pdp_value: if policy_id in pdp_value["security_pipeline"]: return pdp_value["keystone_project_id"] else: - logger.warning(" 'security_pipeline','keystone_project_id' key not in pdp {}".format(pdp_value)) + logger.warning(" 'security_pipeline','keystone_project_id' " + "key not in pdp {}".format(pdp_value)) # for policy_id in pdp_value["security_pipeline"]: # model_id = self.policies[policy_id]["model_id"] # if meta_rule_id in self.models[model_id]["meta_rules"]: @@ -508,7 +517,8 @@ class Cache(object): if container_value['keystone_project_id'] == keystone_project_id: if not meta_rule_id: yield container_id, container_value - elif "meta_rule_id" in container_value and container_value.get('meta_rule_id') == meta_rule_id: + elif "meta_rule_id" in container_value and \ + container_value.get('meta_rule_id') == meta_rule_id: yield container_id, container_value break @@ -622,12 +632,11 @@ class Cache(object): else: logger.warning("no 'keystone_project_id' found") self.__CONTAINER_CHAINING_UPDATE = current_time - logger.info(self.__CONTAINER_CHAINING_UPDATE) return self.__CONTAINER_CHAINING def __update_container_chaining(self, keystone_project_id): container_ids = [] - for pdp_id, pdp_value, in self.pdp.items(): + for pdp_id, pdp_value, in self.__PDP.items(): if pdp_value: if "keystone_project_id" and "security_pipeline" in pdp_value \ and pdp_value["keystone_project_id"] == keystone_project_id: @@ -641,10 +650,6 @@ class Cache(object): meta_rule_id ): if "name" in container_value: - _raw = requests.get("{}/pods/{}".format( - self.orchestrator_url, container_value["name"]) - ) - logger.debug("_raw={}".format(_raw.text)) if "genre" and "port" in container_value: container_ids.append( { @@ -667,8 +672,6 @@ class Cache(object): else: raise exceptions.PolicyUnknown("Cannot find policy within policy_id: {}, " "and may not contains 'model_id' key".format(policy_id)) - else: - raise exceptions.PDPError("Cannot find 'keystone_project_id','security_pipeline' pdp keys") self.__CONTAINER_CHAINING[keystone_project_id] = container_ids diff --git a/python_moonutilities/python_moonutilities/exceptions.py b/python_moonutilities/python_moonutilities/exceptions.py index f14d6abf..1abb5aa7 100644 --- a/python_moonutilities/python_moonutilities/exceptions.py +++ b/python_moonutilities/python_moonutilities/exceptions.py @@ -534,3 +534,18 @@ class PdpExisting(MoonError): code = 409 title = 'Pdp Error' logger = "Error" + + +class PolicyUnknown(MoonError): + description = _("The policy is unknown.") + code = 400 + title = 'Policy Unknown' + logger = "Error" + + +class PolicyExisting(MoonError): + description = _("The policy already exists.") + code = 409 + title = 'Policy Error' + logger = "Error" + |