-rw-r--r--moonv4/moon_authz/moon_authz/api/authorization.py47
-rw-r--r--moonv4/moon_interface/tests/apitests/populate_default_values.py46
-rw-r--r--moonv4/moon_manager/moon_manager/api/master.py36
-rw-r--r--moonv4/moon_manager/moon_manager/api/policies.py20
-rw-r--r--moonv4/moon_orchestrator/moon_orchestrator/server.py2
-rw-r--r--moonv4/moon_secrouter/moon_secrouter/api/route.py13
6 files changed, 128 insertions, 36 deletions
diff --git a/moonv4/moon_authz/moon_authz/api/authorization.py b/moonv4/moon_authz/moon_authz/api/authorization.py
index e4d7ad7c..94f1e13d 100644
--- a/moonv4/moon_authz/moon_authz/api/authorization.py
+++ b/moonv4/moon_authz/moon_authz/api/authorization.py
@@ -271,11 +271,48 @@ class Authorization(object):
self.payload = payload
try:
if "authz_context" not in payload:
- self.payload["authz_context"] = Context(self.keystone_project_id,
- self.payload["subject_name"],
- self.payload["object_name"],
- self.payload["action_name"],
- self.payload["request_id"]).to_dict()
+ try:
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
+ except exceptions.SubjectUnknown:
+ ctx = {
+ "subject_name": self.payload["subject_name"],
+ "object_name": self.payload["object_name"],
+ "action_name": self.payload["action_name"],
+ }
+ call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
+ except exceptions.ObjectUnknown:
+ ctx = {
+ "subject_name": self.payload["subject_name"],
+ "object_name": self.payload["object_name"],
+ "action_name": self.payload["action_name"],
+ }
+ call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
+ except exceptions.ActionUnknown:
+ ctx = {
+ "subject_name": self.payload["subject_name"],
+ "object_name": self.payload["object_name"],
+ "action_name": self.payload["action_name"],
+ }
+ call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
self.__update_container_chaining()
else:
self.payload["authz_context"]["index"] += 1
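Review bot: The three except branches at lines 32, 44 and 56 are identical copies of the same resync-and-retry, so one `except (exceptions.SubjectUnknown, exceptions.ObjectUnknown, exceptions.ActionUnknown):` handler would state the intent once and keep the copies from drifting. The retry is single-shot: if the master does not know the name either, the second `Context(...)` raises the same exception, which leaves the inner `try` and lands in the outer `try` opened at line 19, whose handler is outside this hunk, so a short comment saying that a second miss is meant to fall through to that handler (presumably a deny) would help the next reader. The names sent to `update_from_master` are copied from the incoming request payload, so the master lookup is driven by request-supplied strings; that is fine as a cache fill but worth a comment so nobody later widens what the master syncs on. The enclosing method starts before this hunk.
```python
if "authz_context" not in payload:
    try:
        self.payload["authz_context"] = Context(self.keystone_project_id,
                                                self.payload["subject_name"],
                                                self.payload["object_name"],
                                                self.payload["action_name"],
                                                self.payload["request_id"]).to_dict()
    except (exceptions.SubjectUnknown,
            exceptions.ObjectUnknown,
            exceptions.ActionUnknown):
        # One perimeter element is unknown locally: ask the master for the
        # names in the request, then build the context once more.  A second
        # miss is not caught here and propagates to the enclosing handler.
        ctx = {
            "subject_name": self.payload["subject_name"],
            "object_name": self.payload["object_name"],
            "action_name": self.payload["action_name"],
        }
        call("moon_manager", method="update_from_master", ctx=ctx, args={})
        self.payload["authz_context"] = Context(self.keystone_project_id,
                                                self.payload["subject_name"],
                                                self.payload["object_name"],
                                                self.payload["action_name"],
                                                self.payload["request_id"]).to_dict()
    # … unchanged: self.__update_container_chaining() …
```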
diff --git a/moonv4/moon_interface/tests/apitests/populate_default_values.py b/moonv4/moon_interface/tests/apitests/populate_default_values.py
index a0f872a1..740ad8ed 100644
--- a/moonv4/moon_interface/tests/apitests/populate_default_values.py
+++ b/moonv4/moon_interface/tests/apitests/populate_default_values.py
@@ -8,12 +8,26 @@ from utils.policies import *
parser = argparse.ArgumentParser()
parser.add_argument('filename', help='scenario filename', nargs=1)
parser.add_argument("--verbose", "-v", action='store_true', help="verbose mode")
+parser.add_argument("--debug", "-d", action='store_true', help="debug mode")
args = parser.parse_args()
FORMAT = '%(asctime)-15s %(levelname)s %(message)s'
-logging.basicConfig(
- format=FORMAT,
- level=logging.WARNING)
+if args.debug:
+ logging.basicConfig(
+ format=FORMAT,
+ level=logging.DEBUG)
+elif args.verbose:
+ logging.basicConfig(
+ format=FORMAT,
+ level=logging.INFO)
+else:
+ logging.basicConfig(
+ format=FORMAT,
+ level=logging.WARNING)
+
+requests_log = logging.getLogger("requests.packages.urllib3")
+requests_log.setLevel(logging.WARNING)
+requests_log.propagate = True
logger = logging.getLogger(__name__)
@@ -27,13 +41,17 @@ scenario = m.load_module()
def create_model(model_id=None):
if args.verbose:
- logger.warning("Creating model {}".format(scenario.model_name))
+ logger.info("Creating model {}".format(scenario.model_name))
if not model_id:
+ logger.info("Add model")
model_id = add_model(name=scenario.model_name)
+ logger.info("Add subject categories")
for cat in scenario.subject_categories:
scenario.subject_categories[cat] = add_subject_category(name=cat)
+ logger.info("Add object categories")
for cat in scenario.object_categories:
scenario.object_categories[cat] = add_object_category(name=cat)
+ logger.info("Add action categories")
for cat in scenario.action_categories:
scenario.action_categories[cat] = add_action_category(name=cat)
sub_cat = []
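Review bot: The `if args.verbose:` guard at line 104 is now redundant, because the commit lowers the call to `logger.info` and the root level is set to INFO only when `--verbose` or `--debug` is given (lines 85–96), so the level filter already decides whether the line appears; the same guard survives in create_policy (hunk at lines 129–135) while create_pdp (hunk at lines 198–204) drops it, which leaves the three functions inconsistent. Drop the guard in create_model and create_policy as create_pdp does, and let logging do the formatting: `logger.info("Creating model %s", scenario.model_name)`. The remaining `logger.info("Add ...")` lines carry no arguments and are fine as written.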
@@ -54,6 +72,7 @@ def create_model(model_id=None):
meta_rule_id = _meta_rule_id
break
else:
+ logger.info("Add meta rule")
meta_rule_id = add_meta_rule(item_name, sub_cat, ob_cat, act_cat)
item_value["id"] = meta_rule_id
if meta_rule_id not in meta_rule_list:
@@ -63,7 +82,7 @@ def create_model(model_id=None):
def create_policy(model_id, meta_rule_list):
if args.verbose:
- logger.warning("Creating policy {}".format(scenario.policy_name))
+ logger.info("Creating policy {}".format(scenario.policy_name))
_policies = check_policy()
for _policy_id, _policy_value in _policies["policies"].items():
if _policy_value['name'] == scenario.policy_name:
@@ -75,21 +94,24 @@ def create_policy(model_id, meta_rule_list):
update_policy(policy_id, model_id)
for meta_rule_id in meta_rule_list:
- print("add_meta_rule_to_model {} {}".format(model_id, meta_rule_id))
+ logger.debug("add_meta_rule_to_model {} {}".format(model_id, meta_rule_id))
add_meta_rule_to_model(model_id, meta_rule_id)
+ logger.info("Add subject data")
for subject_cat_name in scenario.subject_data:
for subject_data_name in scenario.subject_data[subject_cat_name]:
data_id = scenario.subject_data[subject_cat_name][subject_data_name] = add_subject_data(
policy_id=policy_id,
category_id=scenario.subject_categories[subject_cat_name], name=subject_data_name)
scenario.subject_data[subject_cat_name][subject_data_name] = data_id
+ logger.info("Add object data")
for object_cat_name in scenario.object_data:
for object_data_name in scenario.object_data[object_cat_name]:
data_id = scenario.object_data[object_cat_name][object_data_name] = add_object_data(
policy_id=policy_id,
category_id=scenario.object_categories[object_cat_name], name=object_data_name)
scenario.object_data[object_cat_name][object_data_name] = data_id
+ logger.info("Add action data")
for action_cat_name in scenario.action_data:
for action_data_name in scenario.action_data[action_cat_name]:
data_id = scenario.action_data[action_cat_name][action_data_name] = add_action_data(
@@ -97,13 +119,17 @@ def create_policy(model_id, meta_rule_list):
category_id=scenario.action_categories[action_cat_name], name=action_data_name)
scenario.action_data[action_cat_name][action_data_name] = data_id
+ logger.info("Add subjects")
for name in scenario.subjects:
scenario.subjects[name] = add_subject(policy_id, name=name)
+ logger.info("Add objects")
for name in scenario.objects:
scenario.objects[name] = add_object(policy_id, name=name)
+ logger.info("Add actions")
for name in scenario.actions:
scenario.actions[name] = add_action(policy_id, name=name)
+ logger.info("Add subject assignments")
for subject_name in scenario.subject_assignments:
if type(scenario.subject_assignments[subject_name]) in (list, tuple):
for items in scenario.subject_assignments[subject_name]:
@@ -120,6 +146,7 @@ def create_policy(model_id, meta_rule_list):
subject_data_id = scenario.subject_data[subject_category_name][scenario.subject_assignments[subject_name][subject_category_name]]
add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id)
+ logger.info("Add object assignments")
for object_name in scenario.object_assignments:
if type(scenario.object_assignments[object_name]) in (list, tuple):
for items in scenario.object_assignments[object_name]:
@@ -136,6 +163,7 @@ def create_policy(model_id, meta_rule_list):
object_data_id = scenario.object_data[object_category_name][scenario.object_assignments[object_name][object_category_name]]
add_object_assignments(policy_id, object_id, object_cat_id, object_data_id)
+ logger.info("Add action assignments")
for action_name in scenario.action_assignments:
if type(scenario.action_assignments[action_name]) in (list, tuple):
for items in scenario.action_assignments[action_name]:
@@ -152,6 +180,7 @@ def create_policy(model_id, meta_rule_list):
action_data_id = scenario.action_data[action_category_name][scenario.action_assignments[action_name][action_category_name]]
add_action_assignments(policy_id, action_id, action_cat_id, action_data_id)
+ logger.info("Add rules")
for meta_rule_name in scenario.rules:
meta_rule_value = scenario.meta_rule[meta_rule_name]
for rule in scenario.rules[meta_rule_name]:
@@ -171,8 +200,7 @@ def create_policy(model_id, meta_rule_list):
def create_pdp(policy_id=None):
- if args.verbose:
- logger.warning("Creating PDP {}".format(scenario.pdp_name))
+ logger.info("Creating PDP {}".format(scenario.pdp_name))
projects = get_keystone_projects()
admin_project_id = None
for _project in projects['projects']:
@@ -183,7 +211,7 @@ def create_pdp(policy_id=None):
for pdp_id, pdp_value in pdps.items():
if scenario.pdp_name == pdp_value["name"]:
update_pdp(pdp_id, policy_id=policy_id)
- logger.info("Found existing PDP named {} (will add policy {})".format(scenario.pdp_name, policy_id))
+ logger.debug("Found existing PDP named {} (will add policy {})".format(scenario.pdp_name, policy_id))
return pdp_id
_pdp_id = add_pdp(name=scenario.pdp_name, policy_id=policy_id)
map_to_keystone(pdp_id=_pdp_id, keystone_project_id=admin_project_id)
diff --git a/moonv4/moon_manager/moon_manager/api/master.py b/moonv4/moon_manager/moon_manager/api/master.py
index e63406c5..6c1796ad 100644
--- a/moonv4/moon_manager/moon_manager/api/master.py
+++ b/moonv4/moon_manager/moon_manager/api/master.py
@@ -141,7 +141,6 @@ class Master(object):
def __add_meta_rule(self):
meta_rules = ModelManager.get_meta_rules("admin")
- LOG.info("meta_rules={}".format(meta_rules))
for uuid, value in self.meta_rules.items():
if uuid not in meta_rules:
ModelManager.add_meta_rule("admin", uuid, value=value)
@@ -305,21 +304,22 @@ class Master(object):
def update_from_master(self, ctx, args):
LOG.info("update_from_master {}".format(ctx))
- self.__policy_ids = ctx["security_pipeline"]
+ if "security_pipeline" in ctx:
+ self.__policy_ids = ctx["security_pipeline"]
- for policy_id, policy_value in self.policies.items():
- self.__model_ids.append(policy_value["model_id"])
+ for policy_id, policy_value in self.policies.items():
+ self.__model_ids.append(policy_value["model_id"])
- for model_id, model_value in self.models.items():
- self.__meta_rule_ids.extend(model_value['meta_rules'])
+ for model_id, model_value in self.models.items():
+ self.__meta_rule_ids.extend(model_value['meta_rules'])
- self.__add_meta_data()
+ self.__add_meta_data()
- self.__add_meta_rule()
+ self.__add_meta_rule()
- for policy_id in ctx["security_pipeline"]:
- if policy_id in self.policies:
- PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id])
+ for policy_id in ctx["security_pipeline"]:
+ if policy_id in self.policies:
+ res = PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id])
self.__add_perimeter(subject_name=ctx.get("subject_name"), object_name=ctx.get("object_name"))
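Review bot: `res` at line 248 is assigned and never read within this hunk, so either the return value of `PolicyManager.add_policy` should be examined or the assignment should go. The PDP branch later in this method checks `if "error" in pdp:`; if add_policy returns an error dict in the same shape (not visible here, to be confirmed), `if "error" in res: LOG.error("Error when adding policy from master %s", res)` would make a failed policy import visible instead of silently continuing to `__add_perimeter`. Separately, `self.__model_ids.append(...)` and `self.__meta_rule_ids.extend(...)` grow those lists on every call, and this commit makes authz call update_from_master on each unknown perimeter name, so a set-based dedup or at least a comment on the accumulation is worth adding even though that behaviour predates the commit. The method continues past this hunk.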
@@ -334,12 +334,12 @@ class Master(object):
if model_id not in models:
ModelManager.add_model("admin", model_id, model_value)
- pdp = PDPManager.add_pdp(user_id="admin", pdp_id=ctx["pdp_id"], value=args)
- if "error" in pdp:
- LOG.error("Error when adding PDP from master {}".format(pdp))
- return False
- LOG.info("pdp={}".format(pdp))
- call("orchestrator", method="add_container",
- ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']})
+ if args:
+ pdp = PDPManager.add_pdp(user_id="admin", pdp_id=ctx["pdp_id"], value=args)
+ if "error" in pdp:
+ LOG.error("Error when adding PDP from master {}".format(pdp))
+ return False
+ call("orchestrator", method="add_container",
+ ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']})
return True
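Review bot: `ctx["pdp_id"]` at line 261 and `ctx['security_pipeline']` at line 266 are still read unconditionally inside the new `if args:` block, while the guard added at line 229 now admits a ctx without `security_pipeline`; a caller passing a non-empty `args` without those keys would fail with a KeyError rather than the explicit `return False` used for the add_pdp error. The new call site in authorization.py passes `args={}` so the block is skipped today, but that contract is implicit; either widen the guard to `if args and "pdp_id" in ctx and "security_pipeline" in ctx:` or state in the method's docstring that `args` is non-empty only when a full PDP is being pushed from the master. The method body starts before this hunk.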
diff --git a/moonv4/moon_manager/moon_manager/api/policies.py b/moonv4/moon_manager/moon_manager/api/policies.py
index 27e28a6c..65b6994f 100644
--- a/moonv4/moon_manager/moon_manager/api/policies.py
+++ b/moonv4/moon_manager/moon_manager/api/policies.py
@@ -325,10 +325,20 @@ class Assignments(object):
if _data_value['name'] == object_name:
return _data_id
+ def __get_action_id(self, ctx, action_name):
+ data = self.manager.get_actions(
+ user_id=ctx["user_id"],
+ policy_id=ctx["id"],
+ perimeter_id=None
+ )
+ for _data_id, _data_value in data.items():
+ if _data_value['name'] == action_name:
+ return _data_id
+
def get_subject_assignments(self, ctx, args):
try:
- if "perimeter_name" in args:
- ctx["perimeter_id"] = self.__get_subject_id(ctx, args['perimeter_name'])
+ if "perimeter_name" in ctx:
+ ctx["perimeter_id"] = self.__get_subject_id(ctx, ctx['perimeter_name'])
data = self.manager.get_subject_assignments(user_id=ctx["user_id"], policy_id=ctx["id"],
subject_id=ctx["perimeter_id"], category_id=ctx["category_id"])
except Exception as e:
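Review bot: `__get_action_id` at lines 275–283 falls off the end and returns `None` implicitly when no action carries the requested name, and `get_action_assignments` (hunk at lines 305–311) then stores that `None` in `ctx["perimeter_id"]` and hands it to the manager, so a typo in `perimeter_name` becomes a lookup with no action id instead of an error; what the manager does with a `None` id is not visible here, and the same holds for the pre-existing subject and object helpers. An explicit `return None` with a one-line docstring such as `"""Return the id of the action named *action_name* in policy ctx["id"], or None if absent."""` would make the contract visible, and the caller could log at warning level when the lookup yields None. The move of `perimeter_name` from `args` to `ctx` in this hunk and in the hunks at lines 294–303 and 304–311 changes the calling convention, which deserves a line in the class docstring so other callers are updated.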
@@ -364,8 +374,8 @@ class Assignments(object):
def get_object_assignments(self, ctx, args):
try:
- if "perimeter_name" in args:
- ctx["perimeter_id"] = self.__get_object_id(ctx, args['perimeter_name'])
+ if "perimeter_name" in ctx:
+ ctx["perimeter_id"] = self.__get_object_id(ctx, ctx['perimeter_name'])
data = self.manager.get_object_assignments(user_id=ctx["user_id"], policy_id=ctx["id"],
object_id=ctx["perimeter_id"], category_id=ctx["category_id"])
except Exception as e:
@@ -401,6 +411,8 @@ class Assignments(object):
def get_action_assignments(self, ctx, args):
try:
+ if "perimeter_name" in ctx:
+ ctx["perimeter_id"] = self.__get_action_id(ctx, ctx['perimeter_name'])
data = self.manager.get_action_assignments(user_id=ctx["user_id"], policy_id=ctx["id"],
action_id=ctx["perimeter_id"], category_id=ctx["category_id"])
except Exception as e:
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/server.py b/moonv4/moon_orchestrator/moon_orchestrator/server.py
index 85d7d3f4..c9629c61 100644
--- a/moonv4/moon_orchestrator/moon_orchestrator/server.py
+++ b/moonv4/moon_orchestrator/moon_orchestrator/server.py
@@ -96,6 +96,7 @@ def _exit(exit_number=0, error=None):
LOG.error(e)
else:
docker.remove_container(container=_container)
+ LOG.info("Moon orchestrator: offline")
# TODO (asteroide): put in the debug log
if error:
@@ -108,6 +109,7 @@ def __save_pid():
open("/var/run/moon_orchestrator.pid", "w").write(str(os.getpid()))
except PermissionError:
LOG.warning("You don't have the right to write PID file in /var/run... Continuing anyway.")
+ LOG.warning("Writing PID file in {}".format(os.getcwd()))
open("./moon_orchestrator.pid", "w").write(str(os.getpid()))
diff --git a/moonv4/moon_secrouter/moon_secrouter/api/route.py b/moonv4/moon_secrouter/moon_secrouter/api/route.py
index 28a9a65f..2a2c54bc 100644
--- a/moonv4/moon_secrouter/moon_secrouter/api/route.py
+++ b/moonv4/moon_secrouter/moon_secrouter/api/route.py
@@ -135,6 +135,14 @@ class Cache(object):
def __update_pdp(self):
pdp = call("moon_manager", method="get_pdp", ctx={"user_id": "admin"}, args={})
+ if not pdp["pdps"]:
+ LOG.info("Updating PDP through master")
+ pdp = call("moon_manager", method="get_pdp",
+ ctx={
+ "user_id": "admin",
+ 'call_master': True
+ },
+ args={})
for _pdp in pdp["pdps"].values():
if _pdp['keystone_project_id'] not in self.__CONTAINER_CHAINING:
self.__CONTAINER_CHAINING[_pdp['keystone_project_id']] = {}
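Review bot: The fallback at line 336 goes to the master whenever the local manager returns no PDPs, and the reply from that second call is indexed as `pdp["pdps"]` at line 344 with no check that the master actually answered with that key; if the master is unreachable or returns an error dict, the cache refresh raises a KeyError in the loop instead of logging and keeping the previous chaining. A guard such as `pdps = pdp.get("pdps") or {}` before the loop, with a warning when the master answer carries no PDPs, would keep the router running on master failure. Note also that an empty local PDP set is a legitimate state, so after this change every cache refresh in that state goes to the master; if refreshes are frequent that is a standing load on the master worth a comment at line 336. The method continues past this hunk.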
@@ -418,6 +426,11 @@ class Router(object):
return call(component, method=ctx["method"], ctx=ctx, args=args)
if component == "manager":
result = call("moon_manager", method=ctx["method"], ctx=ctx, args=args)
+ if ctx["method"] == "get_pdp":
+ _ctx = copy.deepcopy(ctx)
+ _ctx["call_master"] = True
+ result2 = call("moon_manager", method=ctx["method"], ctx=_ctx, args=args)
+ result["pdps"].update(result2["pdps"])
self.send_update(api=ctx["method"], ctx=ctx, args=args)
return result
if component == "function":
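Review bot: `result["pdps"].update(result2["pdps"])` at line 355 lets a master entry overwrite a local PDP that has the same id, so the merged view the security router returns depends on the master winning collisions, and nothing here records that a local entry was replaced; since a PDP binds a project to a security pipeline, the precedence rule deserves an explicit comment and a warning log when an id exists on both sides. Neither `result` nor `result2` is checked for the `pdps` key, so an error response from either side raises a KeyError here instead of being returned to the caller as the manager's error dict; `result["pdps"].update(result2.get("pdps", {}))` covers the master side. `copy.deepcopy` at line 352 presumes `copy` is imported at the top of route.py, which is outside this hunk.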