6 files changed, 128 insertions, 36 deletions
diff --git a/moonv4/moon_authz/moon_authz/api/authorization.py b/moonv4/moon_authz/moon_authz/api/authorization.py
index e4d7ad7c..94f1e13d 100644
--- a/moonv4/moon_authz/moon_authz/api/authorization.py
+++ b/moonv4/moon_authz/moon_authz/api/authorization.py
@@ -271,11 +271,48 @@ class Authorization(object): self.payload = payload try: if "authz_context" not in payload: - self.payload["authz_context"] = Context(self.keystone_project_id, - self.payload["subject_name"], - self.payload["object_name"], - self.payload["action_name"], - self.payload["request_id"]).to_dict() + try: + self.payload["authz_context"] = Context(self.keystone_project_id, + self.payload["subject_name"], + self.payload["object_name"], + self.payload["action_name"], + self.payload["request_id"]).to_dict() + except exceptions.SubjectUnknown: + ctx = { + "subject_name": self.payload["subject_name"], + "object_name": self.payload["object_name"], + "action_name": self.payload["action_name"], + } + call("moon_manager", method="update_from_master", ctx=ctx, args={}) + self.payload["authz_context"] = Context(self.keystone_project_id, + self.payload["subject_name"], + self.payload["object_name"], + self.payload["action_name"], + self.payload["request_id"]).to_dict() + except exceptions.ObjectUnknown: + ctx = { + "subject_name": self.payload["subject_name"], + "object_name": self.payload["object_name"], + "action_name": self.payload["action_name"], + } + call("moon_manager", method="update_from_master", ctx=ctx, args={}) + self.payload["authz_context"] = Context(self.keystone_project_id, + self.payload["subject_name"], + self.payload["object_name"], + self.payload["action_name"], + self.payload["request_id"]).to_dict() + except exceptions.ActionUnknown: + ctx = { + "subject_name": self.payload["subject_name"], + "object_name": self.payload["object_name"], + "action_name": self.payload["action_name"], + } + call("moon_manager", method="update_from_master", ctx=ctx, args={}) + self.payload["authz_context"] = Context(self.keystone_project_id, + self.payload["subject_name"], + self.payload["object_name"], + self.payload["action_name"], + self.payload["request_id"]).to_dict() self.__update_container_chaining() else: self.payload["authz_context"]["index"] += 1 
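Review bot: The three new `except` branches are byte-for-byte identical (same `ctx` dict, same `call("moon_manager", method="update_from_master", ...)`, same `Context(...)` retry), so the recovery should be written once as `except (exceptions.SubjectUnknown, exceptions.ObjectUnknown, exceptions.ActionUnknown):`, which also keeps the three cases from drifting apart later. Note that the `Context(...)` constructor is now spelled out four times in this method; a small local helper returning `Context(...).to_dict()` would leave one place to maintain. Each unknown name in a request now triggers a synchronous sync from master before the retry, and if the name is still unknown the second `Context(...)` raises inside the handler and escapes to the enclosing `try`, whose handlers lie outside this hunk — a short comment on the retry line stating that this is the intended fallback would help the next reader. The enclosing method begins and ends outside the hunk.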
diff --git a/moonv4/moon_interface/tests/apitests/populate_default_values.py b/moonv4/moon_interface/tests/apitests/populate_default_values.py index a0f872a1..740ad8ed 100644 --- a/moonv4/moon_interface/tests/apitests/populate_default_values.py +++ b/moonv4/moon_interface/tests/apitests/populate_default_values.py @@ -8,12 +8,26 @@ from utils.policies import * parser = argparse.ArgumentParser() parser.add_argument('filename', help='scenario filename', nargs=1) parser.add_argument("--verbose", "-v", action='store_true', help="verbose mode") +parser.add_argument("--debug", "-d", action='store_true', help="debug mode") args = parser.parse_args() FORMAT = '%(asctime)-15s %(levelname)s %(message)s' -logging.basicConfig( - format=FORMAT, - level=logging.WARNING) +if args.debug: + logging.basicConfig( + format=FORMAT, + level=logging.DEBUG) +elif args.verbose: + logging.basicConfig( + format=FORMAT, + level=logging.INFO) +else: + logging.basicConfig( + format=FORMAT, + level=logging.WARNING) + +requests_log = logging.getLogger("requests.packages.urllib3") +requests_log.setLevel(logging.WARNING) +requests_log.propagate = True logger = logging.getLogger(__name__) @@ -27,13 +41,17 @@ scenario = m.load_module() def create_model(model_id=None): if args.verbose: - logger.warning("Creating model {}".format(scenario.model_name)) + logger.info("Creating model {}".format(scenario.model_name)) if not model_id: + logger.info("Add model") model_id = add_model(name=scenario.model_name) + logger.info("Add subject categories") for cat in scenario.subject_categories: scenario.subject_categories[cat] = add_subject_category(name=cat) + logger.info("Add object categories") for cat in scenario.object_categories: scenario.object_categories[cat] = add_object_category(name=cat) + logger.info("Add action categories") for cat in scenario.action_categories: scenario.action_categories[cat] = add_action_category(name=cat) sub_cat = [] 
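Review bot: The three `logging.basicConfig` calls in the new `if args.debug` / `elif args.verbose` / `else` chain differ only in the level, so the selection should be a single expression: `level = logging.DEBUG if args.debug else logging.INFO if args.verbose else logging.WARNING` followed by one `logging.basicConfig(format=FORMAT, level=level)`. `requests_log.propagate = True` is the logger default, so unless something earlier in the file turns it off the assignment is a no-op and can be dropped or given a comment saying why it is restated.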
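Review bot: `create_model` keeps the `if args.verbose:` guard around `logger.info("Creating model ...")` even though INFO output is now gated by the level chosen at the top of the file, so with `--debug` alone this message is suppressed while the unguarded `logger.info("Add model")` lines right below it are printed. The same leftover guard remains in `create_policy` (the `@@ -63` hunk on the next line), whereas `create_pdp` in the later hunk drops it; for consistency drop the `if args.verbose:` line in both and let the logger level decide.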
@@ -54,6 +72,7 @@ def create_model(model_id=None): meta_rule_id = _meta_rule_id break else: + logger.info("Add meta rule") meta_rule_id = add_meta_rule(item_name, sub_cat, ob_cat, act_cat) item_value["id"] = meta_rule_id if meta_rule_id not in meta_rule_list: @@ -63,7 +82,7 @@ def create_model(model_id=None): def create_policy(model_id, meta_rule_list): if args.verbose: - logger.warning("Creating policy {}".format(scenario.policy_name)) + logger.info("Creating policy {}".format(scenario.policy_name)) _policies = check_policy() for _policy_id, _policy_value in _policies["policies"].items(): if _policy_value['name'] == scenario.policy_name: 
@@ -75,21 +94,24 @@ def create_policy(model_id, meta_rule_list): update_policy(policy_id, model_id) for meta_rule_id in meta_rule_list: - print("add_meta_rule_to_model {} {}".format(model_id, meta_rule_id)) + logger.debug("add_meta_rule_to_model {} {}".format(model_id, meta_rule_id)) add_meta_rule_to_model(model_id, meta_rule_id) + logger.info("Add subject data") for subject_cat_name in scenario.subject_data: for subject_data_name in scenario.subject_data[subject_cat_name]: data_id = scenario.subject_data[subject_cat_name][subject_data_name] = add_subject_data( policy_id=policy_id, category_id=scenario.subject_categories[subject_cat_name], name=subject_data_name) scenario.subject_data[subject_cat_name][subject_data_name] = data_id + logger.info("Add object data") for object_cat_name in scenario.object_data: for object_data_name in scenario.object_data[object_cat_name]: data_id = scenario.object_data[object_cat_name][object_data_name] = add_object_data( policy_id=policy_id, category_id=scenario.object_categories[object_cat_name], name=object_data_name) scenario.object_data[object_cat_name][object_data_name] = data_id + logger.info("Add action data") for action_cat_name in scenario.action_data: for action_data_name in scenario.action_data[action_cat_name]: data_id = scenario.action_data[action_cat_name][action_data_name] = add_action_data( 
@@ -97,13 +119,17 @@ def create_policy(model_id, meta_rule_list): category_id=scenario.action_categories[action_cat_name], name=action_data_name) scenario.action_data[action_cat_name][action_data_name] = data_id + logger.info("Add subjects") for name in scenario.subjects: scenario.subjects[name] = add_subject(policy_id, name=name) + logger.info("Add objects") for name in scenario.objects: scenario.objects[name] = add_object(policy_id, name=name) + logger.info("Add actions") for name in scenario.actions: scenario.actions[name] = add_action(policy_id, name=name) + logger.info("Add subject assignments") for subject_name in scenario.subject_assignments: if type(scenario.subject_assignments[subject_name]) in (list, tuple): for items in scenario.subject_assignments[subject_name]: @@ -120,6 +146,7 @@ def create_policy(model_id, meta_rule_list): subject_data_id = scenario.subject_data[subject_category_name][scenario.subject_assignments[subject_name][subject_category_name]] add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) + logger.info("Add object assignments") for object_name in scenario.object_assignments: if type(scenario.object_assignments[object_name]) in (list, tuple): for items in scenario.object_assignments[object_name]: @@ -136,6 +163,7 @@ def create_policy(model_id, meta_rule_list): object_data_id = scenario.object_data[object_category_name][scenario.object_assignments[object_name][object_category_name]] add_object_assignments(policy_id, object_id, object_cat_id, object_data_id) + logger.info("Add action assignments") for action_name in scenario.action_assignments: if type(scenario.action_assignments[action_name]) in (list, tuple): for items in scenario.action_assignments[action_name]: 
@@ -152,6 +180,7 @@ def create_policy(model_id, meta_rule_list): action_data_id = scenario.action_data[action_category_name][scenario.action_assignments[action_name][action_category_name]] add_action_assignments(policy_id, action_id, action_cat_id, action_data_id) + logger.info("Add rules") for meta_rule_name in scenario.rules: meta_rule_value = scenario.meta_rule[meta_rule_name] for rule in scenario.rules[meta_rule_name]: @@ -171,8 +200,7 @@ def create_policy(model_id, meta_rule_list): def create_pdp(policy_id=None): - if args.verbose: - logger.warning("Creating PDP {}".format(scenario.pdp_name)) + logger.info("Creating PDP {}".format(scenario.pdp_name)) projects = get_keystone_projects() admin_project_id = None for _project in projects['projects']: @@ -183,7 +211,7 @@ def create_pdp(policy_id=None): for pdp_id, pdp_value in pdps.items(): if scenario.pdp_name == pdp_value["name"]: update_pdp(pdp_id, policy_id=policy_id) - logger.info("Found existing PDP named {} (will add policy {})".format(scenario.pdp_name, policy_id)) + logger.debug("Found existing PDP named {} (will add policy {})".format(scenario.pdp_name, policy_id)) return pdp_id _pdp_id = add_pdp(name=scenario.pdp_name, policy_id=policy_id) map_to_keystone(pdp_id=_pdp_id, keystone_project_id=admin_project_id) diff --git a/moonv4/moon_manager/moon_manager/api/master.py b/moonv4/moon_manager/moon_manager/api/master.py index e63406c5..6c1796ad 100644 --- a/moonv4/moon_manager/moon_manager/api/master.py +++ b/moonv4/moon_manager/moon_manager/api/master.py @@ -141,7 +141,6 @@ class Master(object): def __add_meta_rule(self): meta_rules = ModelManager.get_meta_rules("admin") - LOG.info("meta_rules={}".format(meta_rules)) for uuid, value in self.meta_rules.items(): if uuid not in meta_rules: ModelManager.add_meta_rule("admin", uuid, value=value) 
@@ -305,21 +304,22 @@ class Master(object): def update_from_master(self, ctx, args): LOG.info("update_from_master {}".format(ctx)) - self.__policy_ids = ctx["security_pipeline"] + if "security_pipeline" in ctx: + self.__policy_ids = ctx["security_pipeline"] - for policy_id, policy_value in self.policies.items(): - self.__model_ids.append(policy_value["model_id"]) + for policy_id, policy_value in self.policies.items(): + self.__model_ids.append(policy_value["model_id"]) - for model_id, model_value in self.models.items(): - self.__meta_rule_ids.extend(model_value['meta_rules']) + for model_id, model_value in self.models.items(): + self.__meta_rule_ids.extend(model_value['meta_rules']) - self.__add_meta_data() + self.__add_meta_data() - self.__add_meta_rule() + self.__add_meta_rule() - for policy_id in ctx["security_pipeline"]: - if policy_id in self.policies: - PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id]) + for policy_id in ctx["security_pipeline"]: + if policy_id in self.policies: + res = PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id]) self.__add_perimeter(subject_name=ctx.get("subject_name"), object_name=ctx.get("object_name")) @@ -334,12 +334,12 @@ class Master(object): if model_id not in models: ModelManager.add_model("admin", model_id, model_value) - pdp = PDPManager.add_pdp(user_id="admin", pdp_id=ctx["pdp_id"], value=args) - if "error" in pdp: - LOG.error("Error when adding PDP from master {}".format(pdp)) - return False - LOG.info("pdp={}".format(pdp)) - call("orchestrator", method="add_container", - ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']}) + if args: + pdp = PDPManager.add_pdp(user_id="admin", pdp_id=ctx["pdp_id"], value=args) + if "error" in pdp: + LOG.error("Error when adding PDP from master {}".format(pdp)) + return False + call("orchestrator", method="add_container", + ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']}) return True 
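Review bot: `res = PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id])` binds a result that is never read in this hunk; either drop the binding or check it the way the PDP branch below checks `pdp` (`if "error" in res: LOG.error(...)`), since a failed policy sync currently goes unnoticed. Separately, the new caller in authorization.py sends `action_name` in `ctx` for its `ActionUnknown` retry, but `self.__add_perimeter(...)` here receives only `subject_name` and `object_name`; if the action must be synced for that retry to succeed, it appears to be dropped on this path (`__add_perimeter`'s definition is outside the hunk, so this is inferred). `update_from_master` continues past the end of this hunk.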
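Review bot: The `call("orchestrator", method="add_container", ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']})` line still indexes `ctx['security_pipeline']` unguarded, although the hunk above now makes that key optional with `if "security_pipeline" in ctx:`; a truthy `args` together with a ctx lacking the key raises KeyError after the PDP has already been added. Use `"pipeline": ctx.get("security_pipeline", [])`, or move the container call under the guarded block, whichever matches the intended contract.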
diff --git a/moonv4/moon_manager/moon_manager/api/policies.py b/moonv4/moon_manager/moon_manager/api/policies.py index 27e28a6c..65b6994f 100644 --- a/moonv4/moon_manager/moon_manager/api/policies.py +++ b/moonv4/moon_manager/moon_manager/api/policies.py @@ -325,10 +325,20 @@ class Assignments(object): if _data_value['name'] == object_name: return _data_id + def __get_action_id(self, ctx, action_name): + data = self.manager.get_actions( + user_id=ctx["user_id"], + policy_id=ctx["id"], + perimeter_id=None + ) + for _data_id, _data_value in data.items(): + if _data_value['name'] == action_name: + return _data_id + def get_subject_assignments(self, ctx, args): try: - if "perimeter_name" in args: - ctx["perimeter_id"] = self.__get_subject_id(ctx, args['perimeter_name']) + if "perimeter_name" in ctx: + ctx["perimeter_id"] = self.__get_subject_id(ctx, ctx['perimeter_name']) data = self.manager.get_subject_assignments(user_id=ctx["user_id"], policy_id=ctx["id"], subject_id=ctx["perimeter_id"], category_id=ctx["category_id"]) except Exception as e: @@ -364,8 +374,8 @@ class Assignments(object): def get_object_assignments(self, ctx, args): try: - if "perimeter_name" in args: - ctx["perimeter_id"] = self.__get_object_id(ctx, args['perimeter_name']) + if "perimeter_name" in ctx: + ctx["perimeter_id"] = self.__get_object_id(ctx, ctx['perimeter_name']) data = self.manager.get_object_assignments(user_id=ctx["user_id"], policy_id=ctx["id"], object_id=ctx["perimeter_id"], category_id=ctx["category_id"]) except Exception as e: @@ -401,6 +411,8 @@ class Assignments(object): def get_action_assignments(self, ctx, args): try: + if "perimeter_name" in ctx: + ctx["perimeter_id"] = self.__get_action_id(ctx, ctx['perimeter_name']) data = self.manager.get_action_assignments(user_id=ctx["user_id"], policy_id=ctx["id"], action_id=ctx["perimeter_id"], category_id=ctx["category_id"]) except Exception as e: 
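Review bot: `__get_action_id` returns `None` implicitly when no action named `action_name` exists, and `get_action_assignments` then queries the manager with `action_id=None`; the existing `__get_subject_id` / `__get_object_id` helpers used in the other two hunks follow the same pattern. If the manager treats `None` as "no filter", an unknown or misspelled `perimeter_name` would return every assignment in the policy instead of an error, which for an authorization lookup should be an explicit failure — have the helper raise (or return an error entry as the other API methods do) when the loop finds no match. Also note that `perimeter_name` is now read from `ctx` instead of `args`; any caller still passing it in `args` is silently ignored after this change.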
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/server.py b/moonv4/moon_orchestrator/moon_orchestrator/server.py index 85d7d3f4..c9629c61 100644 --- a/moonv4/moon_orchestrator/moon_orchestrator/server.py +++ b/moonv4/moon_orchestrator/moon_orchestrator/server.py @@ -96,6 +96,7 @@ def _exit(exit_number=0, error=None): LOG.error(e) else: docker.remove_container(container=_container) + LOG.info("Moon orchestrator: offline") # TODO (asteroide): put in the debug log if error: @@ -108,6 +109,7 @@ def __save_pid(): open("/var/run/moon_orchestrator.pid", "w").write(str(os.getpid())) except PermissionError: LOG.warning("You don't have the right to write PID file in /var/run... Continuing anyway.") + LOG.warning("Writing PID file in {}".format(os.getcwd())) open("./moon_orchestrator.pid", "w").write(str(os.getpid())) diff --git a/moonv4/moon_secrouter/moon_secrouter/api/route.py b/moonv4/moon_secrouter/moon_secrouter/api/route.py index 28a9a65f..2a2c54bc 100644 --- a/moonv4/moon_secrouter/moon_secrouter/api/route.py +++ b/moonv4/moon_secrouter/moon_secrouter/api/route.py @@ -135,6 +135,14 @@ class Cache(object): def __update_pdp(self): pdp = call("moon_manager", method="get_pdp", ctx={"user_id": "admin"}, args={}) + if not pdp["pdps"]: + LOG.info("Updating PDP through master") + pdp = call("moon_manager", method="get_pdp", + ctx={ + "user_id": "admin", + 'call_master': True + }, + args={}) for _pdp in pdp["pdps"].values(): if _pdp['keystone_project_id'] not in self.__CONTAINER_CHAINING: self.__CONTAINER_CHAINING[_pdp['keystone_project_id']] = {} 
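Review bot: After the new fallback `pdp = call("moon_manager", method="get_pdp", ctx={..., 'call_master': True}, args={})`, `pdp["pdps"].values()` is iterated without checking the response; elsewhere in this commit (master.py) `call` results are checked with `"error" in ...` and `update_from_master` returns `False` on failure, so an error payload here would raise KeyError inside `Cache.__update_pdp`. Guard it with `if "pdps" not in pdp: LOG.error("get_pdp failed: {}".format(pdp)); return` before the loop. The mixed `'call_master'` / `"user_id"` quoting in the new ctx literal should also be made consistent. `__update_pdp` continues past the hunk.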
@@ -418,6 +426,11 @@ class Router(object): return call(component, method=ctx["method"], ctx=ctx, args=args) if component == "manager": result = call("moon_manager", method=ctx["method"], ctx=ctx, args=args) + if ctx["method"] == "get_pdp": + _ctx = copy.deepcopy(ctx) + _ctx["call_master"] = True + result2 = call("moon_manager", method=ctx["method"], ctx=_ctx, args=args) + result["pdps"].update(result2["pdps"]) self.send_update(api=ctx["method"], ctx=ctx, args=args) return result if component == "function": |
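Review bot: `result["pdps"].update(result2["pdps"])` assumes both manager calls returned a `"pdps"` key, so an error payload from either the local call or the master call raises KeyError on the `get_pdp` path; guard with `if "pdps" in result and "pdps" in result2:` before merging. `dict.update` also lets master entries overwrite local ones with the same id — if that precedence is intended, say so in a comment such as `# master view wins for PDP ids present on both sides`. The `copy.deepcopy(ctx)` call needs `copy` imported at module top, which this hunk does not show. The enclosing Router method starts and ends outside the hunk.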