-rw-r--r--moonv4/moon_authz/moon_authz/api/authorization.py47
-rw-r--r--moonv4/moon_manager/moon_manager/api/master.py36
-rw-r--r--moonv4/moon_manager/moon_manager/api/policies.py20
-rw-r--r--moonv4/moon_secrouter/moon_secrouter/api/route.py13
4 files changed, 89 insertions, 27 deletions
diff --git a/moonv4/moon_authz/moon_authz/api/authorization.py b/moonv4/moon_authz/moon_authz/api/authorization.py
index e4d7ad7c..94f1e13d 100644
--- a/moonv4/moon_authz/moon_authz/api/authorization.py
+++ b/moonv4/moon_authz/moon_authz/api/authorization.py
@@ -271,11 +271,48 @@ class Authorization(object):
self.payload = payload
try:
if "authz_context" not in payload:
- self.payload["authz_context"] = Context(self.keystone_project_id,
- self.payload["subject_name"],
- self.payload["object_name"],
- self.payload["action_name"],
- self.payload["request_id"]).to_dict()
+ try:
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
+ except exceptions.SubjectUnknown:
+ ctx = {
+ "subject_name": self.payload["subject_name"],
+ "object_name": self.payload["object_name"],
+ "action_name": self.payload["action_name"],
+ }
+ call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
+ except exceptions.ObjectUnknown:
+ ctx = {
+ "subject_name": self.payload["subject_name"],
+ "object_name": self.payload["object_name"],
+ "action_name": self.payload["action_name"],
+ }
+ call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
+ except exceptions.ActionUnknown:
+ ctx = {
+ "subject_name": self.payload["subject_name"],
+ "object_name": self.payload["object_name"],
+ "action_name": self.payload["action_name"],
+ }
+ call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
self.__update_container_chaining()
else:
self.payload["authz_context"]["index"] += 1
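Review bot: The three new `except` branches (SubjectUnknown, ObjectUnknown, ActionUnknown) are byte-for-byte identical, so they should be one handler over a tuple of exception types; the second `Context(...)` call inside each branch can raise the same exception again, and that raise escapes this inner `try` to the enclosing handler at the top of the hunk, whose body lies outside it. The return value of `call("moon_manager", method="update_from_master", ...)` is also dropped, although `update_from_master` in master.py on this same commit returns `False` on failure, so a failed sync is indistinguishable from a successful one until the retry raises. The enclosing method starts before this hunk.
```python
        if "authz_context" not in payload:
            try:
                self.payload["authz_context"] = Context(self.keystone_project_id,
                                                        self.payload["subject_name"],
                                                        self.payload["object_name"],
                                                        self.payload["action_name"],
                                                        self.payload["request_id"]).to_dict()
            except (exceptions.SubjectUnknown,
                    exceptions.ObjectUnknown,
                    exceptions.ActionUnknown):
                # A perimeter element named in the request is not known locally:
                # ask the manager to sync from master, then rebuild the context.
                # If it is still unknown, the second Context() raises and the
                # exception propagates to the outer handler.
                ctx = {
                    "subject_name": self.payload["subject_name"],
                    "object_name": self.payload["object_name"],
                    "action_name": self.payload["action_name"],
                }
                call("moon_manager", method="update_from_master", ctx=ctx, args={})
                self.payload["authz_context"] = Context(self.keystone_project_id,
                                                        self.payload["subject_name"],
                                                        self.payload["object_name"],
                                                        self.payload["action_name"],
                                                        self.payload["request_id"]).to_dict()
            # … unchanged: self.__update_container_chaining() …
```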
diff --git a/moonv4/moon_manager/moon_manager/api/master.py b/moonv4/moon_manager/moon_manager/api/master.py
index e63406c5..6c1796ad 100644
--- a/moonv4/moon_manager/moon_manager/api/master.py
+++ b/moonv4/moon_manager/moon_manager/api/master.py
@@ -141,7 +141,6 @@ class Master(object):
def __add_meta_rule(self):
meta_rules = ModelManager.get_meta_rules("admin")
- LOG.info("meta_rules={}".format(meta_rules))
for uuid, value in self.meta_rules.items():
if uuid not in meta_rules:
ModelManager.add_meta_rule("admin", uuid, value=value)
@@ -305,21 +304,22 @@ class Master(object):
def update_from_master(self, ctx, args):
LOG.info("update_from_master {}".format(ctx))
- self.__policy_ids = ctx["security_pipeline"]
+ if "security_pipeline" in ctx:
+ self.__policy_ids = ctx["security_pipeline"]
- for policy_id, policy_value in self.policies.items():
- self.__model_ids.append(policy_value["model_id"])
+ for policy_id, policy_value in self.policies.items():
+ self.__model_ids.append(policy_value["model_id"])
- for model_id, model_value in self.models.items():
- self.__meta_rule_ids.extend(model_value['meta_rules'])
+ for model_id, model_value in self.models.items():
+ self.__meta_rule_ids.extend(model_value['meta_rules'])
- self.__add_meta_data()
+ self.__add_meta_data()
- self.__add_meta_rule()
+ self.__add_meta_rule()
- for policy_id in ctx["security_pipeline"]:
- if policy_id in self.policies:
- PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id])
+ for policy_id in ctx["security_pipeline"]:
+ if policy_id in self.policies:
+ res = PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id])
self.__add_perimeter(subject_name=ctx.get("subject_name"), object_name=ctx.get("object_name"))
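Review bot: `res` is assigned from `PolicyManager.add_policy(...)` and never read, so either drop the assignment or check it the way the next hunk checks the `add_pdp` result (`if "error" in res: LOG.error(...); return False`), assuming add_policy reports failures in the same dict shape — that is not visible here. Separately, the `ctx` built by the authz caller in authorization.py carries `action_name`, but the only call that reaches perimeter data, `self.__add_perimeter(subject_name=..., object_name=...)`, forwards subject and object names only; unless `__add_perimeter` (outside the hunk) obtains actions some other way, the ActionUnknown retry in authorization.py cannot succeed. The method body continues past the end of this hunk.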
@@ -334,12 +334,12 @@ class Master(object):
if model_id not in models:
ModelManager.add_model("admin", model_id, model_value)
- pdp = PDPManager.add_pdp(user_id="admin", pdp_id=ctx["pdp_id"], value=args)
- if "error" in pdp:
- LOG.error("Error when adding PDP from master {}".format(pdp))
- return False
- LOG.info("pdp={}".format(pdp))
- call("orchestrator", method="add_container",
- ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']})
+ if args:
+ pdp = PDPManager.add_pdp(user_id="admin", pdp_id=ctx["pdp_id"], value=args)
+ if "error" in pdp:
+ LOG.error("Error when adding PDP from master {}".format(pdp))
+ return False
+ call("orchestrator", method="add_container",
+ ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']})
return True
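Review bot: Inside the new `if args:` guard, `ctx["pdp_id"]` and `ctx['security_pipeline']` are indexed directly, while the earlier hunk of the same method now treats `security_pipeline` as optional via `if "security_pipeline" in ctx`; a caller that passes a non-empty `args` without that key gets a KeyError after the PDP has already been added, leaving the PDP registered but no container created. Either guard both accesses the same way or use `ctx.get("security_pipeline", [])` in the `add_container` call, and document in the method docstring which ctx keys are mandatory when `args` is given. The method starts before this hunk.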
diff --git a/moonv4/moon_manager/moon_manager/api/policies.py b/moonv4/moon_manager/moon_manager/api/policies.py
index 27e28a6c..65b6994f 100644
--- a/moonv4/moon_manager/moon_manager/api/policies.py
+++ b/moonv4/moon_manager/moon_manager/api/policies.py
@@ -325,10 +325,20 @@ class Assignments(object):
if _data_value['name'] == object_name:
return _data_id
+ def __get_action_id(self, ctx, action_name):
+ data = self.manager.get_actions(
+ user_id=ctx["user_id"],
+ policy_id=ctx["id"],
+ perimeter_id=None
+ )
+ for _data_id, _data_value in data.items():
+ if _data_value['name'] == action_name:
+ return _data_id
+
def get_subject_assignments(self, ctx, args):
try:
- if "perimeter_name" in args:
- ctx["perimeter_id"] = self.__get_subject_id(ctx, args['perimeter_name'])
+ if "perimeter_name" in ctx:
+ ctx["perimeter_id"] = self.__get_subject_id(ctx, ctx['perimeter_name'])
data = self.manager.get_subject_assignments(user_id=ctx["user_id"], policy_id=ctx["id"],
subject_id=ctx["perimeter_id"], category_id=ctx["category_id"])
except Exception as e:
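Review bot: `__get_action_id` falls off the end of its loop without an explicit return, so an unknown `action_name` yields `None`, and `get_action_assignments` (third hunk of this file) then queries the manager with `action_id=None` rather than reporting the bad name; the visible tail of `__get_object_id` just above has the same shape, so this is the existing convention, but the new helper should at least say so. Add a docstring such as `"""Return the id of the action named *action_name* in policy ctx["id"], or None when no action has that name."""` and close the loop with an explicit `return None` so the fallback is deliberate rather than implicit.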
@@ -364,8 +374,8 @@ class Assignments(object):
def get_object_assignments(self, ctx, args):
try:
- if "perimeter_name" in args:
- ctx["perimeter_id"] = self.__get_object_id(ctx, args['perimeter_name'])
+ if "perimeter_name" in ctx:
+ ctx["perimeter_id"] = self.__get_object_id(ctx, ctx['perimeter_name'])
data = self.manager.get_object_assignments(user_id=ctx["user_id"], policy_id=ctx["id"],
object_id=ctx["perimeter_id"], category_id=ctx["category_id"])
except Exception as e:
@@ -401,6 +411,8 @@ class Assignments(object):
def get_action_assignments(self, ctx, args):
try:
+ if "perimeter_name" in ctx:
+ ctx["perimeter_id"] = self.__get_action_id(ctx, ctx['perimeter_name'])
data = self.manager.get_action_assignments(user_id=ctx["user_id"], policy_id=ctx["id"],
action_id=ctx["perimeter_id"], category_id=ctx["category_id"])
except Exception as e:
diff --git a/moonv4/moon_secrouter/moon_secrouter/api/route.py b/moonv4/moon_secrouter/moon_secrouter/api/route.py
index 28a9a65f..2a2c54bc 100644
--- a/moonv4/moon_secrouter/moon_secrouter/api/route.py
+++ b/moonv4/moon_secrouter/moon_secrouter/api/route.py
@@ -135,6 +135,14 @@ class Cache(object):
def __update_pdp(self):
pdp = call("moon_manager", method="get_pdp", ctx={"user_id": "admin"}, args={})
+ if not pdp["pdps"]:
+ LOG.info("Updating PDP through master")
+ pdp = call("moon_manager", method="get_pdp",
+ ctx={
+ "user_id": "admin",
+ 'call_master': True
+ },
+ args={})
for _pdp in pdp["pdps"].values():
if _pdp['keystone_project_id'] not in self.__CONTAINER_CHAINING:
self.__CONTAINER_CHAINING[_pdp['keystone_project_id']] = {}
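Review bot: The result of the retried `call(..., 'call_master': True, ...)` is used unconditionally at `for _pdp in pdp["pdps"].values()`, so if the manager cannot reach the master and `call()` comes back without a `pdps` key (master.py on this commit reports failures as a dict with an `"error"` key, so a similar shape seems plausible here but is not visible), the cache update raises KeyError instead of leaving the cache as it was. Guard the retry result before iterating, e.g. `if "pdps" not in pdp: LOG.error("PDP update through master failed: %s", pdp); return`. The method body continues past the end of this hunk.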
@@ -418,6 +426,11 @@ class Router(object):
return call(component, method=ctx["method"], ctx=ctx, args=args)
if component == "manager":
result = call("moon_manager", method=ctx["method"], ctx=ctx, args=args)
+ if ctx["method"] == "get_pdp":
+ _ctx = copy.deepcopy(ctx)
+ _ctx["call_master"] = True
+ result2 = call("moon_manager", method=ctx["method"], ctx=_ctx, args=args)
+ result["pdps"].update(result2["pdps"])
self.send_update(api=ctx["method"], ctx=ctx, args=args)
return result
if component == "function":
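Review bot: `result["pdps"].update(result2["pdps"])` lets a master-side PDP silently replace a locally defined PDP with the same id, and it raises KeyError when either manager call returns without a `pdps` key (for instance an error response), which would fail the whole `get_pdp` route rather than just the master enrichment. State which side should win on an id collision (use `setdefault` per entry if local definitions must not be overridden) and guard both dicts, e.g. `if ctx["method"] == "get_pdp" and "pdps" in result:` ... `result["pdps"].update(result2.get("pdps", {}))`. The `_ctx = copy.deepcopy(ctx)` line assumes `copy` is imported at the top of route.py, which this hunk does not show; the enclosing method starts before the hunk and continues after it.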