diff options
Diffstat (limited to 'keystone-moon/keystone/contrib')
-rw-r--r-- | keystone-moon/keystone/contrib/moon/backends/sql.py | 8 | ||||
-rw-r--r-- | keystone-moon/keystone/contrib/moon/core.py | 185 | ||||
-rw-r--r-- | keystone-moon/keystone/contrib/moon/exception.py | 6 |
3 files changed, 142 insertions, 57 deletions
diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py index c2f384bd..ceb057bd 100644 --- a/keystone-moon/keystone/contrib/moon/backends/sql.py +++ b/keystone-moon/keystone/contrib/moon/backends/sql.py @@ -306,7 +306,6 @@ class Rule(sql.ModelBase, sql.DictBase): __all_objects__ = ( - Tenant, Subject, Object, Action, @@ -901,6 +900,13 @@ class IntraExtensionConnector(IntraExtensionDriver): ref = query.first() return {ref.id: ref.aggregation_algorithm} + def del_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id): + with sql.transaction() as session: + query = session.query(AggregationAlgorithm) + query = query.filter_by(intra_extension_id=intra_extension_id, id=aggregation_algorithm_id) + ref = query.first() + session.delete(ref) + # Getter and Setter for sub_meta_rule def get_sub_meta_rules_dict(self, intra_extension_id): diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py index 5685a538..6f4ba4f2 100644 --- a/keystone-moon/keystone/contrib/moon/core.py +++ b/keystone-moon/keystone/contrib/moon/core.py @@ -25,9 +25,9 @@ from keystone.contrib.moon.algorithms import * CONF = config.CONF LOG = log.getLogger(__name__) -# TODO: call functions to get these 2 variables -ADMIN_ID = uuid4().hex # default user_id for internal invocation -ROOT_EXTENSION_ID = uuid4().hex +ADMIN_ID = None # default user_id for internal invocation +ROOT_EXTENSION_ID = None +ROOT_EXTENSION_MODEL = "policy_root" _OPTS = [ @@ -107,9 +107,31 @@ def enforce(action_names, object_name, **extra): _action_name_list = action_names _object_name = object_name + def get_root_extension(self, args, kwargs): + if not ROOT_EXTENSION_ID: + global ROOT_EXTENSION_MODEL, ROOT_EXTENSION_ID, ADMIN_ID + try: + # if it is the first time we passed here, the root extension may be not initialized + # specially during unittest. So we raise RootExtensionNotInitialized to authorize the + # current creation process + if 'intra_extension_dict' in kwargs: + intra_extension_dict = kwargs['intra_extension_dict'] + else: + intra_extension_dict = args[2] + print(intra_extension_dict) + if isinstance(intra_extension_dict, dict) and \ + "model" in intra_extension_dict and \ + intra_extension_dict["model"] == "policy_root": + raise RootExtensionNotInitialized() + except KeyError: + pass + return ROOT_EXTENSION_ID + def wrap(func): def wrapped(*args, **kwargs): + global ADMIN_ID, ROOT_EXTENSION_ID + returned_value_for_func = None self = args[0] try: user_id = args[1] @@ -118,64 +140,85 @@ def enforce(action_names, object_name, **extra): intra_extension_id = None intra_admin_extension_id = None - if user_id == ADMIN_ID: - # TODO: check if there is no security hole here - return func(*args, **kwargs) - + try: + intra_admin_extension_id = get_root_extension(self, args, kwargs) + except RootExtensionNotInitialized: + returned_value_for_func = func(*args, **kwargs) + intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() + for ext in intra_extensions_dict: + if intra_extensions_dict[ext]["model"] == ROOT_EXTENSION_MODEL: + ROOT_EXTENSION_ID = ext + break + if not ROOT_EXTENSION_ID: + raise RootExtensionUnknown() + print(returned_value_for_func) + subjects_dict = self.admin_api.driver.get_subjects_dict(returned_value_for_func['id']) + for subject_id in subjects_dict: + if subjects_dict[subject_id]["name"] == "admin": + ADMIN_ID = subject_id + break + if not ADMIN_ID: + raise RootExtensionUnknown() + return returned_value_for_func try: intra_extension_id = args[2] except IndexError: if 'intra_extension_id' in kwargs: intra_extension_id = kwargs['intra_extension_id'] - else: - intra_admin_extension_id = ROOT_EXTENSION_ID - - intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() - if intra_extension_id not in intra_extensions_dict: - raise IntraExtensionUnknown() - tenants_dict = self.tenant_api.driver.get_tenants_dict(ADMIN_ID) - for _tenant_id in tenants_dict: - if tenants_dict[_tenant_id]['intra_authz_extension_id'] is intra_extension_id or \ - tenants_dict[_tenant_id]['intra_admin_extension_id'] is intra_extension_id: - intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id'] - if not intra_admin_extension_id: - self.moonlog_api.driver.warning("No Intra_Admin_Extension found, authorization granted by default.") - return func(*args, **kwargs) + # else: + # intra_admin_extension_id = get_root_extension(self) + + if ADMIN_ID and user_id == ADMIN_ID: + # TODO: check if there is no security hole here + returned_value_for_func = func(*args, **kwargs) else: - objects_dict = self.admin_api.driver.get_objects_dict(ADMIN_ID, intra_admin_extension_id) - object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' + _object_name - object_id = None - for _object_id in objects_dict: - if objects_dict[_object_id]['name'] is object_name: - object_id = _object_id - break - if type(_action_name_list) in (str, unicode): - action_name_list = (_action_name_list, ) + intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() + if intra_extension_id not in intra_extensions_dict: + raise IntraExtensionUnknown() + tenants_dict = self.tenant_api.driver.get_tenants_dict(ADMIN_ID) + for _tenant_id in tenants_dict: + if tenants_dict[_tenant_id]['intra_authz_extension_id'] is intra_extension_id or \ + tenants_dict[_tenant_id]['intra_admin_extension_id'] is intra_extension_id: + intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id'] + if not intra_admin_extension_id: + self.moonlog_api.driver.warning("No Intra_Admin_Extension found, authorization granted by default.") + returned_value_for_func = func(*args, **kwargs) else: - action_name_list = _action_name_list - actions_dict = self.admin_api.driver.get_actions_dict(ADMIN_ID, intra_admin_extension_id) - action_id_list = list() - for _action_name in action_name_list: - for _action_id in actions_dict: - if actions_dict[_action_id]['name'] is _action_name: - action_id_list.append(_action_id) + objects_dict = self.admin_api.driver.get_objects_dict(ADMIN_ID, intra_admin_extension_id) + object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' + _object_name + object_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] is object_name: + object_id = _object_id break - - authz_result = False - for action_id in action_id_list: - if self.driver.authz(intra_admin_extension_id, user_id, object_id, action_id): - authz_result = True + if type(_action_name_list) in (str, unicode): + action_name_list = (_action_name_list, ) else: - authz_result = False - break - if authz_result: - return func(*args, **kwargs) + action_name_list = _action_name_list + actions_dict = self.admin_api.driver.get_actions_dict(ADMIN_ID, intra_admin_extension_id) + action_id_list = list() + for _action_name in action_name_list: + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] is _action_name: + action_id_list.append(_action_id) + break + + authz_result = False + for action_id in action_id_list: + if self.driver.authz(intra_admin_extension_id, user_id, object_id, action_id): + authz_result = True + else: + authz_result = False + break + if authz_result: + returned_value_for_func = func(*args, **kwargs) + return returned_value_for_func return wrapped return wrap @dependency.provider('configuration_api') -@dependency.requires('moonlog_api') +@dependency.requires('moonlog_api', 'admin_api') class ConfigurationManager(manager.Manager): def __init__(self): @@ -230,7 +273,7 @@ class ConfigurationManager(manager.Manager): return None @dependency.provider('tenant_api') -@dependency.requires('moonlog_api', 'admin_api') +@dependency.requires('moonlog_api', 'admin_api', 'configuration_api') class TenantManager(manager.Manager): def __init__(self): @@ -259,8 +302,6 @@ class TenantManager(manager.Manager): def add_tenant_dict(self, user_id, tenant_dict): tenants_dict = self.driver.get_tenants_dict() for tenant_id in tenants_dict: - print(tenants_dict[tenant_id]) - print(tenant_dict) if tenants_dict[tenant_id]['name'] == tenant_dict['name']: raise TenantAddedNameExisting() @@ -396,6 +437,7 @@ class IntraExtensionManager(manager.Manager): """ authz_buffer = self.__get_authz_buffer(intra_extension_id, subject_id, object_id, action_id) decision_buffer = dict() + decision = False meta_rule_dict = self.driver.get_sub_meta_rules_dict(intra_extension_id) @@ -412,9 +454,10 @@ class IntraExtensionManager(manager.Manager): self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id).values()) if meta_rule_dict['aggregation'] == 'all_true': - return all_true(decision_buffer) - - return False + decision = all_true(decision_buffer) + if not decision: + raise AuthzException() + return decision @enforce("read", "intra_extensions") def get_intra_extensions_dict(self, user_id): @@ -715,6 +758,33 @@ class IntraExtensionManager(manager.Manager): def del_intra_extension(self, user_id, intra_extension_id): if intra_extension_id not in self.driver.get_intra_extensions_dict(): raise IntraExtensionUnknown() + for sub_meta_rule_id in self.driver.get_sub_meta_rules_dict(intra_extension_id): + for rule_id in self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id): + self.driver.del_rule(intra_extension_id, sub_meta_rule_id, rule_id) + self.driver.del_sub_meta_rule(intra_extension_id, sub_meta_rule_id) + for aggregation_algorithm_id in self.driver.get_aggregation_algorithms_dict(intra_extension_id): + self.driver.del_aggregation_algorithm(intra_extension_id, aggregation_algorithm_id) + for subject_id in self.driver.get_subjects_dict(intra_extension_id): + self.driver.del_subject(intra_extension_id, subject_id) + for object_id in self.driver.get_objects_dict(intra_extension_id): + self.driver.del_object(intra_extension_id, object_id) + for action_id in self.driver.get_actions_dict(intra_extension_id): + self.driver.del_action(intra_extension_id, action_id) + for subject_category_id in self.driver.get_subject_categories_dict(intra_extension_id): + for subject_scope_id in self.driver.get_subject_assignment_list(intra_extension_id, subject_id, subject_category_id): + self.driver.del_subject_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id) + self.driver.del_subject_scope(intra_extension_id, subject_category_id, subject_scope_id) + self.driver.del_subject_category(intra_extension_id, subject_category_id) + for object_category_id in self.driver.get_object_categories_dict(intra_extension_id): + for object_scope_id in self.driver.get_object_assignment_list(intra_extension_id, object_id, object_category_id): + self.driver.del_object_assignment(intra_extension_id, object_id, object_category_id, object_scope_id) + self.driver.del_object_scope(intra_extension_id, object_category_id, object_scope_id) + self.driver.del_object_category(intra_extension_id, object_category_id) + for action_category_id in self.driver.get_action_categories_dict(intra_extension_id): + for action_scope_id in self.driver.get_action_assignment_list(intra_extension_id, action_id, action_category_id): + self.driver.del_action_assignment(intra_extension_id, action_id, action_category_id, action_scope_id) + self.driver.del_action_scope(intra_extension_id, action_category_id, action_scope_id) + self.driver.del_action_category(intra_extension_id, action_category_id) return self.driver.del_intra_extension(intra_extension_id) @enforce(("read", "write"), "intra_extensions") @@ -1418,8 +1488,8 @@ class IntraExtensionManager(manager.Manager): def del_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id): if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id): raise SubMetaRuleUnknown() - # TODO (dthom): destroy sub-meta-rule-related rules - # self.driver.del_rule(intra_extension_id, sub_meta_rule_id, "*") + for rule_id in self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id): + self.del_rule(intra_extension_id, sub_meta_rule_id, rule_id) self.driver.del_sub_meta_rule(intra_extension_id, sub_meta_rule_id) @filter_input @@ -1499,7 +1569,6 @@ class IntraExtensionAuthzManager(IntraExtensionManager): super(IntraExtensionAuthzManager, self).__init__() def authz(self, tenant_name, subject_name, object_name, action_name, genre="authz"): - # TODO (dthom) add moon log """Check authorization for a particular action. :return: True or False or raise an exception """ @@ -1576,6 +1645,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): @dependency.provider('admin_api') +# @dependency.requires('configuration_api') class IntraExtensionAdminManager(IntraExtensionManager): def __init__(self): @@ -2009,6 +2079,9 @@ class IntraExtensionDriver(object): def get_aggregation_algorithm(self, intra_extension_id): raise exception.NotImplemented() # pragma: no cover + def del_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id): + raise exception.NotImplemented() # pragma: no cover + def get_sub_meta_rules_dict(self, intra_extension_id): raise exception.NotImplemented() # pragma: no cover diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py index a53a3397..75ccd187 100644 --- a/keystone-moon/keystone/contrib/moon/exception.py +++ b/keystone-moon/keystone/contrib/moon/exception.py @@ -97,6 +97,12 @@ class RootExtensionUnknown(IntraExtensionUnknown): title = 'Root Extension Unknown' logger = "Error" +class RootExtensionNotInitialized(IntraExtensionException): + message_format = _("The root_extension is not initialized.") + code = 400 + title = 'Root Extension Not Initialized' + logger = "Error" + class IntraExtensionCreationError(IntraExtensionException): message_format = _("The arguments for the creation of this Extension were malformed.") |