-rw-r--r-- | moonv4/moon_authz/moon_authz/api/authorization.py | 47 | ||||
-rw-r--r-- | moonv4/moon_manager/moon_manager/api/master.py | 36 | ||||
-rw-r--r-- | moonv4/moon_manager/moon_manager/api/policies.py | 20 | ||||
-rw-r--r-- | moonv4/moon_secrouter/moon_secrouter/api/route.py | 13 |
4 files changed, 89 insertions, 27 deletions
diff --git a/moonv4/moon_authz/moon_authz/api/authorization.py b/moonv4/moon_authz/moon_authz/api/authorization.py
index e4d7ad7c..94f1e13d 100644
--- a/moonv4/moon_authz/moon_authz/api/authorization.py
+++ b/moonv4/moon_authz/moon_authz/api/authorization.py
@@ -271,11 +271,48 @@ class Authorization(object):
 self.payload = payload
 try:
 if "authz_context" not in payload:
- self.payload["authz_context"] = Context(self.keystone_project_id,
- self.payload["subject_name"],
- self.payload["object_name"],
- self.payload["action_name"],
- self.payload["request_id"]).to_dict()
+ try:
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
+ except exceptions.SubjectUnknown:
+ ctx = {
+ "subject_name": self.payload["subject_name"],
+ "object_name": self.payload["object_name"],
+ "action_name": self.payload["action_name"],
+ }
+ call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
+ except exceptions.ObjectUnknown:
+ ctx = {
+ "subject_name": self.payload["subject_name"],
+ "object_name": self.payload["object_name"],
+ "action_name": self.payload["action_name"],
+ }
+ call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
+ except exceptions.ActionUnknown:
+ ctx = {
+ "subject_name": self.payload["subject_name"],
+ "object_name": self.payload["object_name"],
+ "action_name": self.payload["action_name"],
+ }
+ call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ self.payload["authz_context"] = Context(self.keystone_project_id,
+ self.payload["subject_name"],
+ self.payload["object_name"],
+ self.payload["action_name"],
+ self.payload["request_id"]).to_dict()
 self.__update_container_chaining()
 else:
 self.payload["authz_context"]["index"] += 1
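Review bot: The three new `except` handlers (`SubjectUnknown`, `ObjectUnknown`, `ActionUnknown`) are byte-identical, so the recovery path is written three times; a single `except (exceptions.SubjectUnknown, exceptions.ObjectUnknown, exceptions.ActionUnknown):` does the same work, and a comment should state that the second `Context(...)` call is deliberately allowed to raise again into the enclosing `try:`, which opens above the hunk (the method, and the `except` that pairs with that outer `try:`, are outside the hunk). An authz request that names an unknown subject, object or action now triggers a synchronous `update_from_master` round trip before a decision is made, with the request-supplied names forwarded in `ctx`; a burst of such requests becomes a burst of master syncs, so a negative-lookup cache or a rate limit on this path is worth considering, and the names should be logged when the retry still fails so the event is visible in the audit trail. The proposed collapsed handler is below.
```python
            # … unchanged: first Context(...) attempt inside the inner try …
            except (exceptions.SubjectUnknown,
                    exceptions.ObjectUnknown,
                    exceptions.ActionUnknown):
                # Unknown perimeter element: pull definitions from master once,
                # then rebuild the context. A second *Unknown propagates to the
                # enclosing try so the request is refused rather than retried again.
                ctx = {
                    "subject_name": self.payload["subject_name"],
                    "object_name": self.payload["object_name"],
                    "action_name": self.payload["action_name"],
                }
                call("moon_manager", method="update_from_master", ctx=ctx, args={})
                self.payload["authz_context"] = Context(self.keystone_project_id,
                                                        self.payload["subject_name"],
                                                        self.payload["object_name"],
                                                        self.payload["action_name"],
                                                        self.payload["request_id"]).to_dict()
```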
diff --git a/moonv4/moon_manager/moon_manager/api/master.py b/moonv4/moon_manager/moon_manager/api/master.py
index e63406c5..6c1796ad 100644
--- a/moonv4/moon_manager/moon_manager/api/master.py
+++ b/moonv4/moon_manager/moon_manager/api/master.py
@@ -141,7 +141,6 @@ class Master(object):
 def __add_meta_rule(self):
 meta_rules = ModelManager.get_meta_rules("admin")
- LOG.info("meta_rules={}".format(meta_rules))
 for uuid, value in self.meta_rules.items():
 if uuid not in meta_rules:
 ModelManager.add_meta_rule("admin", uuid, value=value)
@@ -305,21 +304,22 @@ class Master(object):
 def update_from_master(self, ctx, args):
 LOG.info("update_from_master {}".format(ctx))
- self.__policy_ids = ctx["security_pipeline"]
+ if "security_pipeline" in ctx:
+ self.__policy_ids = ctx["security_pipeline"]
- for policy_id, policy_value in self.policies.items():
- self.__model_ids.append(policy_value["model_id"])
+ for policy_id, policy_value in self.policies.items():
+ self.__model_ids.append(policy_value["model_id"])
- for model_id, model_value in self.models.items():
- self.__meta_rule_ids.extend(model_value['meta_rules'])
+ for model_id, model_value in self.models.items():
+ self.__meta_rule_ids.extend(model_value['meta_rules'])
- self.__add_meta_data()
+ self.__add_meta_data()
- self.__add_meta_rule()
+ self.__add_meta_rule()
- for policy_id in ctx["security_pipeline"]:
- if policy_id in self.policies:
- PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id])
+ for policy_id in ctx["security_pipeline"]:
+ if policy_id in self.policies:
+ res = PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id])
 self.__add_perimeter(subject_name=ctx.get("subject_name"), object_name=ctx.get("object_name"))
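Review bot: `res = PolicyManager.add_policy(...)` in the `for policy_id in ctx["security_pipeline"]` loop of `update_from_master` binds a result that is never examined, so a failed policy import stays silent and the function still reports success. If `add_policy` signals failure the way `PDPManager.add_pdp` does in the next hunk (a dict carrying an "error" key), check it: `if "error" in res:` / `LOG.error("update_from_master: add_policy {} failed: {}".format(policy_id, res))` / `return False`; if it does not, drop the unused binding. The new `if "security_pipeline" in ctx:` guard also admits callers that pass only subject/object/action names (the authz retry path in this commit does exactly that), and those names then reach `self.__add_perimeter(...)` through `ctx.get(...)`; since they originate in an authz request payload, a docstring should list the ctx keys this method accepts and state that perimeter entries may be created from caller-supplied names. The function continues below the hunk.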
@@ -334,12 +334,12 @@ class Master(object):
 if model_id not in models:
 ModelManager.add_model("admin", model_id, model_value)
- pdp = PDPManager.add_pdp(user_id="admin", pdp_id=ctx["pdp_id"], value=args)
- if "error" in pdp:
- LOG.error("Error when adding PDP from master {}".format(pdp))
- return False
- LOG.info("pdp={}".format(pdp))
- call("orchestrator", method="add_container",
- ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']})
+ if args:
+ pdp = PDPManager.add_pdp(user_id="admin", pdp_id=ctx["pdp_id"], value=args)
+ if "error" in pdp:
+ LOG.error("Error when adding PDP from master {}".format(pdp))
+ return False
+ call("orchestrator", method="add_container",
+ ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']})
 return True
diff --git a/moonv4/moon_manager/moon_manager/api/policies.py b/moonv4/moon_manager/moon_manager/api/policies.py
index 27e28a6c..65b6994f 100644
--- a/moonv4/moon_manager/moon_manager/api/policies.py
+++ b/moonv4/moon_manager/moon_manager/api/policies.py
@@ -325,10 +325,20 @@ class Assignments(object):
 if _data_value['name'] == object_name:
 return _data_id
+ def __get_action_id(self, ctx, action_name):
+ data = self.manager.get_actions(
+ user_id=ctx["user_id"],
+ policy_id=ctx["id"],
+ perimeter_id=None
+ )
+ for _data_id, _data_value in data.items():
+ if _data_value['name'] == action_name:
+ return _data_id
 def get_subject_assignments(self, ctx, args):
 try:
- if "perimeter_name" in args:
- ctx["perimeter_id"] = self.__get_subject_id(ctx, args['perimeter_name'])
+ if "perimeter_name" in ctx:
+ ctx["perimeter_id"] = self.__get_subject_id(ctx, ctx['perimeter_name'])
 data = self.manager.get_subject_assignments(user_id=ctx["user_id"], policy_id=ctx["id"], subject_id=ctx["perimeter_id"], category_id=ctx["category_id"])
 except Exception as e:
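Review bot: Inside the new `if args:` branch, `ctx["pdp_id"]` and `ctx['security_pipeline']` are still indexed directly, although the previous hunk of this file just made `security_pipeline` optional in `ctx`; a caller that supplies `args` without a pipeline now gets a KeyError escaping `update_from_master` instead of the `return False` the error branch intends. Guard both keys before use, e.g. `if args and "pdp_id" in ctx and "security_pipeline" in ctx:`, and log and `return False` when `args` is present but a key is missing. The removed `LOG.info("pdp={}".format(pdp))` was the only record of a successful PDP import from master; a short info line naming just the pdp id would keep that trace without dumping the whole value. The function starts above the hunk.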
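Review bot: `__get_action_id` falls off the end and returns None when no action in the policy carries `action_name` (the same shape as the `__get_object_id` tail visible at the top of the hunk), so `get_action_assignments` in the later hunk then calls the manager with `action_id=None`; what the manager returns for a None id is not visible here, and if it means "unfiltered", an unknown name silently widens the result instead of failing. Add a docstring, `"""Return the id of the action named *action_name* in policy ctx["id"], or None when no such action exists."""`, and have the callers reject a None lookup before querying (the same applies to `get_subject_assignments` here and `get_object_assignments` at @@ -364). Note also that `perimeter_name` is now read from `ctx` rather than `args` in all three getters, so callers that still pass it in `args` are silently ignored; the enclosing class continues outside the hunk.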
@@ -364,8 +374,8 @@ class Assignments(object):
 def get_object_assignments(self, ctx, args):
 try:
- if "perimeter_name" in args:
- ctx["perimeter_id"] = self.__get_object_id(ctx, args['perimeter_name'])
+ if "perimeter_name" in ctx:
+ ctx["perimeter_id"] = self.__get_object_id(ctx, ctx['perimeter_name'])
 data = self.manager.get_object_assignments(user_id=ctx["user_id"], policy_id=ctx["id"], object_id=ctx["perimeter_id"], category_id=ctx["category_id"])
 except Exception as e:
@@ -401,6 +411,8 @@ class Assignments(object):
 def get_action_assignments(self, ctx, args):
 try:
+ if "perimeter_name" in ctx:
+ ctx["perimeter_id"] = self.__get_action_id(ctx, ctx['perimeter_name'])
 data = self.manager.get_action_assignments(user_id=ctx["user_id"], policy_id=ctx["id"], action_id=ctx["perimeter_id"], category_id=ctx["category_id"])
 except Exception as e:
diff --git a/moonv4/moon_secrouter/moon_secrouter/api/route.py b/moonv4/moon_secrouter/moon_secrouter/api/route.py
index 28a9a65f..2a2c54bc 100644
--- a/moonv4/moon_secrouter/moon_secrouter/api/route.py
+++ b/moonv4/moon_secrouter/moon_secrouter/api/route.py
@@ -135,6 +135,14 @@ class Cache(object):
 def __update_pdp(self):
 pdp = call("moon_manager", method="get_pdp", ctx={"user_id": "admin"}, args={})
+ if not pdp["pdps"]:
+ LOG.info("Updating PDP through master")
+ pdp = call("moon_manager", method="get_pdp",
+ ctx={
+ "user_id": "admin",
+ 'call_master': True
+ },
+ args={})
 for _pdp in pdp["pdps"].values():
 if _pdp['keystone_project_id'] not in self.__CONTAINER_CHAINING:
 self.__CONTAINER_CHAINING[_pdp['keystone_project_id']] = {}
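Review bot: `if not pdp["pdps"]:` in `Cache.__update_pdp` indexes the reply before checking that the call succeeded; if `call(...)` returns an error dict instead of a pdps mapping (the `if "error" in pdp` convention used in master.py in this same commit), this line and the `for _pdp in pdp["pdps"].values()` below raise KeyError. Use `if not pdp.get("pdps"):` for the first test and log and return when the master reply also lacks the key, rather than letting the cache refresh crash. The fallback is also taken on every refresh while the local PDP set is legitimately empty, so each cycle costs a master round trip and emits `LOG.info("Updating PDP through master")`; a debug level, or a note in the method docstring that this is expected on a fresh slave, would keep the log useful. The method continues below the hunk.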
@@ -418,6 +426,11 @@ class Router(object):
 return call(component, method=ctx["method"], ctx=ctx, args=args)
 if component == "manager":
 result = call("moon_manager", method=ctx["method"], ctx=ctx, args=args)
+ if ctx["method"] == "get_pdp":
+ _ctx = copy.deepcopy(ctx)
+ _ctx["call_master"] = True
+ result2 = call("moon_manager", method=ctx["method"], ctx=_ctx, args=args)
+ result["pdps"].update(result2["pdps"])
 self.send_update(api=ctx["method"], ctx=ctx, args=args)
 return result
 if component == "function": |
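Review bot: `result["pdps"].update(result2["pdps"])` assumes both the local and the master `get_pdp` replies carry a "pdps" key, so an error reply from either side (the `"error" in ...` convention this commit uses in master.py) turns into a KeyError in the router instead of the error being returned to the caller. Guard both sides: `if ctx["method"] == "get_pdp" and "pdps" in result:` for the branch and `result["pdps"].update(result2.get("pdps", {}))` for the merge, and add a comment stating that master entries overwrite local ones on an id collision, since that precedence is a security-relevant choice that the code does not currently explain. Every `get_pdp` routed through the manager now also performs a second, master-bound call, which doubles the traffic on that path; if the master reply is expected to be slow or unavailable, a timeout or cached result is worth considering. `copy.deepcopy` presumes `copy` is imported at the top of route.py, which is outside the hunk; the method continues beyond it.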