diff options
Diffstat (limited to 'keystone-moon/keystone/contrib')
| -rw-r--r-- | keystone-moon/keystone/contrib/moon/algorithms.py | 34 | ||||
| -rw-r--r-- | keystone-moon/keystone/contrib/moon/backends/memory.py | 17 | ||||
| -rw-r--r-- | keystone-moon/keystone/contrib/moon/backends/sql.py | 23 | ||||
| -rw-r--r-- | keystone-moon/keystone/contrib/moon/core.py | 601 | ||||
| -rw-r--r-- | keystone-moon/keystone/contrib/moon/extension.py | 740 | ||||
| -rw-r--r-- | keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py | 12 |
6 files changed, 401 insertions, 1026 deletions
diff --git a/keystone-moon/keystone/contrib/moon/algorithms.py b/keystone-moon/keystone/contrib/moon/algorithms.py index 8644e02d..30305fc1 100644 --- a/keystone-moon/keystone/contrib/moon/algorithms.py +++ b/keystone-moon/keystone/contrib/moon/algorithms.py @@ -22,18 +22,19 @@ sub_meta_rule_dict = { } rule_dict = [ - ["high", "vm_admin", "medium"], - ["high", "vm_admin", "low"], - ["medium", "vm_admin", "low"], - ["high", "vm_access", "high"], - ["high", "vm_access", "medium"], - ["high", "vm_access", "low"], - ["medium", "vm_access", "medium"], - ["medium", "vm_access", "low"], - ["low", "vm_access", "low"] + ["high", "vm_admin", "medium", True], + ["high", "vm_admin", "low", True], + ["medium", "vm_admin", "low", True], + ["high", "vm_access", "high", True], + ["high", "vm_access", "medium", True], + ["high", "vm_access", "low", True], + ["medium", "vm_access", "medium", True], + ["medium", "vm_access", "low", True], + ["low", "vm_access", "low", True] ] """ + def inclusion(authz_buffer, sub_meta_rule_dict, rule_list): _cat = [] for subject_cat in sub_meta_rule_dict['subject_categories']: @@ -46,14 +47,10 @@ def inclusion(authz_buffer, sub_meta_rule_dict, rule_list): if object_cat in authz_buffer['object_assignments']: _cat.append(authz_buffer['object_assignments'][object_cat]) - print("authz_buffer", authz_buffer) - print("rule_list", rule_list) - print("_cat", _cat) for _element in itertools.product(*_cat): # Add the boolean at the end _element = list(_element) _element.append(True) - print("_element", _element) if _element in rule_list: return True @@ -66,6 +63,13 @@ def comparison(authz_buffer, sub_meta_rule_dict, rule_list): def all_true(decision_buffer): for _rule in decision_buffer: - if decision_buffer[_rule] is False: + if decision_buffer[_rule] == False: return False - return True
\ No newline at end of file + return True + + +def one_true(decision_buffer): + for _rule in decision_buffer: + if decision_buffer[_rule] == True: + return True + return False diff --git a/keystone-moon/keystone/contrib/moon/backends/memory.py b/keystone-moon/keystone/contrib/moon/backends/memory.py index 675240e5..7a996847 100644 --- a/keystone-moon/keystone/contrib/moon/backends/memory.py +++ b/keystone-moon/keystone/contrib/moon/backends/memory.py @@ -6,6 +6,7 @@ from uuid import uuid4 from glob import glob import os +import json from keystone import config from keystone.contrib.moon.core import ConfigurationDriver @@ -19,12 +20,12 @@ class ConfigurationConnector(ConfigurationDriver): super(ConfigurationConnector, self).__init__() self.aggregation_algorithms_dict = dict() self.aggregation_algorithms_dict[uuid4().hex] = {'name': 'all_true', 'description': 'all_true'} + self.aggregation_algorithms_dict[uuid4().hex] = {'name': 'one_true', 'description': 'one_true'} self.sub_meta_rule_algorithms_dict = dict() self.sub_meta_rule_algorithms_dict[uuid4().hex] = {'name': 'inclusion', 'description': 'inclusion'} self.sub_meta_rule_algorithms_dict[uuid4().hex] = {'name': 'comparison', 'description': 'comparison'} def get_policy_templates_dict(self): - # TODO (dthom): this function should return a dictionary of all policy templates as: """ :return: { template_id1: {name: template_name, description: template_description}, @@ -33,11 +34,15 @@ class ConfigurationConnector(ConfigurationDriver): } """ nodes = glob(os.path.join(CONF.moon.policy_directory, "*")) - return { - "authz_templates": [os.path.basename(n) for n in nodes if os.path.isdir(n)] - } - - def get_aggregation_algorithm_dict(self): + templates = dict() + for node in nodes: + templates[os.path.basename(node)] = dict() + metadata = json.load(open(os.path.join(node, "metadata.json"))) + templates[os.path.basename(node)]["name"] = metadata["name"] + templates[os.path.basename(node)]["description"] = metadata["description"] + return templates + + def get_aggregation_algorithms_dict(self): return self.aggregation_algorithms_dict def get_sub_meta_rule_algorithms_dict(self): diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py index 7a75af39..cb64c1f7 100644 --- a/keystone-moon/keystone/contrib/moon/backends/sql.py +++ b/keystone-moon/keystone/contrib/moon/backends/sql.py @@ -887,7 +887,7 @@ class IntraExtensionConnector(IntraExtensionDriver): def set_aggregation_algorithm_dict(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): with sql.transaction() as session: query = session.query(AggregationAlgorithm) - query = query.filter_by(intra_extension_id=intra_extension_id, id=aggregation_algorithm_id) + query = query.filter_by(intra_extension_id=intra_extension_id) ref = query.first() new_ref = AggregationAlgorithm.from_dict( { @@ -896,21 +896,18 @@ class IntraExtensionConnector(IntraExtensionDriver): 'intra_extension_id': intra_extension_id } ) - if not ref: - session.add(new_ref) - else: - for attr in AggregationAlgorithm.attributes: - if attr != 'id': - setattr(ref, attr, getattr(new_ref, attr)) + if ref: + session.delete(ref) + session.add(new_ref) session.flush() return self.get_aggregation_algorithm_dict(intra_extension_id) - # def del_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id): - # with sql.transaction() as session: - # query = session.query(AggregationAlgorithm) - # query = query.filter_by(intra_extension_id=intra_extension_id, id=aggregation_algorithm_id) - # ref = query.first() - # session.delete(ref) + def del_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id): + with sql.transaction() as session: + query = session.query(AggregationAlgorithm) + query = query.filter_by(intra_extension_id=intra_extension_id, id=aggregation_algorithm_id) + ref = query.first() + session.delete(ref) # Getter and Setter for sub_meta_rule diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py index d82c9fcc..a1255fe2 100644 --- a/keystone-moon/keystone/contrib/moon/core.py +++ b/keystone-moon/keystone/contrib/moon/core.py @@ -25,9 +25,9 @@ from keystone.contrib.moon.algorithms import * CONF = config.CONF LOG = log.getLogger(__name__) -ADMIN_ID = None # default user_id for internal invocation -ROOT_EXTENSION_ID = None -ROOT_EXTENSION_MODEL = "policy_root" +# ADMIN_ID = None # default user_id for internal invocation +# ROOT_EXTENSION_ID = None +# ROOT_EXTENSION_MODEL = "policy_root" _OPTS = [ @@ -52,9 +52,9 @@ _OPTS = [ cfg.StrOpt('policy_directory', default='/etc/keystone/policies', help='Local directory where all policies are stored.'), - cfg.StrOpt('super_extension_directory', - default='/etc/keystone/super_extension', - help='Local directory where SuperExtension configuration is stored.'), + cfg.StrOpt('root_policy_directory', + default='policy_root', + help='Local directory where Root IntraExtension configuration is stored.'), ] CONF.register_opts(_OPTS, group='moon') @@ -108,29 +108,29 @@ def enforce(action_names, object_name, **extra): _action_name_list = action_names _object_name = object_name - def get_root_extension(self, args, kwargs): - if not ROOT_EXTENSION_ID: - global ROOT_EXTENSION_MODEL, ROOT_EXTENSION_ID, ADMIN_ID - try: - # if it is the first time we passed here, the root extension may be not initialized - # specially during unittest. So we raise RootExtensionNotInitialized to authorize the - # current creation process - if 'intra_extension_dict' in kwargs: - intra_extension_dict = kwargs['intra_extension_dict'] - else: - intra_extension_dict = args[2] - if isinstance(intra_extension_dict, dict) and \ - "model" in intra_extension_dict and \ - intra_extension_dict["model"] == "policy_root": - raise RootExtensionNotInitialized() - except KeyError: - pass - return ROOT_EXTENSION_ID + # def get_root_extension(self, args, kwargs): + # if not ROOT_EXTENSION_ID: + # global ROOT_EXTENSION_MODEL, ROOT_EXTENSION_ID, ADMIN_ID + # try: + # # if it is the first time we passed here, the root extension may be not initialized + # # specially during unittest. So we raise RootExtensionNotInitialized to authorize the + # # current creation process + # if 'intra_extension_dict' in kwargs: + # intra_extension_dict = kwargs['intra_extension_dict'] + # else: + # intra_extension_dict = args[2] + # if isinstance(intra_extension_dict, dict) and \ + # "model" in intra_extension_dict and \ + # intra_extension_dict["model"] == "policy_root": + # raise RootExtensionNotInitialized() + # except KeyError: + # pass + # return ROOT_EXTENSION_ID def wrap(func): def wrapped(*args, **kwargs): - global ADMIN_ID, ROOT_EXTENSION_ID + # global ADMIN_ID, ROOT_EXTENSION_ID returned_value_for_func = None self = args[0] try: @@ -140,46 +140,42 @@ def enforce(action_names, object_name, **extra): intra_extension_id = None intra_admin_extension_id = None - try: - intra_root_extension_id = get_root_extension(self, args, kwargs) - # FIXME (asteroide): intra_root_extension_id is not used at all... - except RootExtensionNotInitialized: - # Root extension is not initialized, the current requested function must be the creation - # of this root extension - returned_value_for_func = func(*args, **kwargs) - # after the creation, we must update ROOT_EXTENSION_ID and ADMIN_ID - intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() - for ext in intra_extensions_dict: - if intra_extensions_dict[ext]["model"] == ROOT_EXTENSION_MODEL: - ROOT_EXTENSION_ID = ext - break - if not ROOT_EXTENSION_ID: - raise RootExtensionUnknown() - subjects_dict = self.admin_api.driver.get_subjects_dict(returned_value_for_func['id']) - for subject_id in subjects_dict: - if subjects_dict[subject_id]["name"] == "admin": - ADMIN_ID = subject_id - break - if not ADMIN_ID: - raise RootExtensionUnknown() - # if all is OK, return values from func (creation of the root extension) - return returned_value_for_func + # try: + intra_root_extension_id = self.root_api.get_root_extension_id() + # except RootExtensionNotInitialized: + # # Root extension is not initialized, the current requested function must be the creation + # # of this root extension + # returned_value_for_func = func(*args, **kwargs) + # # after the creation, we must update ROOT_EXTENSION_ID and ADMIN_ID + # intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() + # for ext in intra_extensions_dict: + # if intra_extensions_dict[ext]["model"] == ROOT_EXTENSION_MODEL: + # ROOT_EXTENSION_ID = ext + # break + # if not ROOT_EXTENSION_ID: + # raise RootExtensionUnknown() + # subjects_dict = self.admin_api.driver.get_subjects_dict(returned_value_for_func['id']) + # for subject_id in subjects_dict: + # if subjects_dict[subject_id]["name"] == "admin": + # ADMIN_ID = subject_id + # break + # if not ADMIN_ID: + # raise RootExtensionUnknown() + # # if all is OK, return values from func (creation of the root extension) + # return returned_value_for_func try: intra_extension_id = args[2] except IndexError: - print("IndexError", kwargs) if 'intra_extension_id' in kwargs: intra_extension_id = kwargs['intra_extension_id'] else: - print("in else", intra_root_extension_id) intra_extension_id = intra_root_extension_id - if ADMIN_ID and user_id == ADMIN_ID: + if user_id == self.root_api.get_root_admin_id(): # TODO: check if there is no security hole here returned_value_for_func = func(*args, **kwargs) else: intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() - print(intra_extension_id, intra_extensions_dict) if intra_extension_id not in intra_extensions_dict: raise IntraExtensionUnknown() tenants_dict = self.tenant_api.driver.get_tenants_dict() @@ -213,7 +209,10 @@ def enforce(action_names, object_name, **extra): # if we found the object in intra_root_extension_id, so we change the intra_admin_extension_id # into intra_root_extension_id and we modify the ID of the subject subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id) - subject_name = subjects_dict[user_id]["name"] + try: + subject_name = subjects_dict[user_id]["name"] + except KeyError: + raise SubjectUnknown() intra_admin_extension_id = intra_root_extension_id subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id) user_id = None @@ -221,7 +220,7 @@ def enforce(action_names, object_name, **extra): if subjects_dict[_subject_id]["name"] == subject_name: user_id = _subject_id if not user_id: - raise SubjectUnknown("Subject Unknown for Root intraExtension...") + raise SubjectUnknown("Subject {} Unknown for Root IntraExtension...".format(subject_name)) if type(_action_name_list) in (str, unicode): action_name_list = (_action_name_list, ) else: @@ -256,7 +255,7 @@ def enforce(action_names, object_name, **extra): @dependency.provider('configuration_api') -@dependency.requires('moonlog_api', 'admin_api', 'tenant_api') +@dependency.requires('moonlog_api', 'admin_api', 'tenant_api', 'root_api') class ConfigurationManager(manager.Manager): def __init__(self): @@ -278,7 +277,7 @@ class ConfigurationManager(manager.Manager): def get_policy_template_id_from_name(self, user_id, policy_template_name): policy_templates_dict = self.driver.get_policy_templates_dict() for policy_template_id in policy_templates_dict: - if policy_templates_dict[policy_template_id]['name'] is policy_template_name: + if policy_templates_dict[policy_template_id]['name'] == policy_template_name: return policy_template_id return None @@ -298,7 +297,7 @@ class ConfigurationManager(manager.Manager): def get_aggregation_algorithm_id_from_name(self, user_id, aggregation_algorithm_name): aggregation_algorithms_dict = self.driver.get_aggregation_algorithms_dict() for aggregation_algorithm_id in aggregation_algorithms_dict: - if aggregation_algorithms_dict[aggregation_algorithm_id]['name'] is aggregation_algorithm_name: + if aggregation_algorithms_dict[aggregation_algorithm_id]['name'] == aggregation_algorithm_name: return aggregation_algorithm_id return None @@ -318,13 +317,13 @@ class ConfigurationManager(manager.Manager): def get_sub_meta_rule_algorithm_id_from_name(self, sub_meta_rule_algorithm_name): sub_meta_rule_algorithms_dict = self.driver.get_sub_meta_rule_algorithms_dict() for sub_meta_rule_algorithm_id in sub_meta_rule_algorithms_dict: - if sub_meta_rule_algorithms_dict[sub_meta_rule_algorithm_id]['name'] is sub_meta_rule_algorithm_name: + if sub_meta_rule_algorithms_dict[sub_meta_rule_algorithm_id]['name'] == sub_meta_rule_algorithm_name: return sub_meta_rule_algorithm_id return None @dependency.provider('tenant_api') -@dependency.requires('moonlog_api', 'admin_api', 'configuration_api') +@dependency.requires('moonlog_api', 'admin_api', 'configuration_api', 'root_api', 'resource_api') class TenantManager(manager.Manager): def __init__(self): @@ -348,38 +347,66 @@ class TenantManager(manager.Manager): """ return self.driver.get_tenants_dict() + def __get_keystone_tenant_dict(self, tenant_id="", tenant_name=""): + tenants = self.resource_api.list_projects() + for tenant in tenants: + if tenant_id and tenant_id == tenant['id']: + return tenant + if tenant_name and tenant_name == tenant['name']: + return tenant + if not tenant_id: + tenant_id = uuid4().hex + if not tenant_name: + tenant_name = tenant_id + tenant = { + "id": tenant_id, + "name": tenant_name, + "description": "Auto generated tenant from Moon platform", + "enabled": True, + "domain_id": "default" + } + keystone_tenant = self.resource_api.create_project(tenant["id"], tenant) + return keystone_tenant + @filter_input @enforce(("read", "write"), "tenants") def add_tenant_dict(self, user_id, tenant_dict): tenants_dict = self.driver.get_tenants_dict() for tenant_id in tenants_dict: - if tenants_dict[tenant_id]['name'] is tenant_dict['name']: + if tenants_dict[tenant_id]['name'] == tenant_dict['name']: raise TenantAddedNameExisting() + # Check (and eventually sync) Keystone tenant + if 'id' not in tenant_dict: + tenant_dict['id'] = None + keystone_tenant = self.__get_keystone_tenant_dict(tenant_dict['id'], tenant_dict['name']) + tenant_dict.update(keystone_tenant) # Sync users between intra_authz_extension and intra_admin_extension if tenant_dict['intra_admin_extension_id']: if not tenant_dict['intra_authz_extension_id']: raise TenantNoIntraAuthzExtension() - authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id']) - admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id']) - for _subject_id in authz_subjects_dict: - if _subject_id not in admin_subjects_dict: - self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) - for _subject_id in admin_subjects_dict: - if _subject_id not in authz_subjects_dict: - self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) - - # TODO (dthom): check whether we can replace the below code by the above one - # authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id']) - # authz_subject_names_list = [authz_subjects_dict[subject_id]["name"] for subject_id in authz_subjects_dict] - # admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id']) - # admin_subject_names_list = [admin_subjects_dict[subject_id]["name"] for subject_id in admin_subjects_dict] + # authz_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id']) + # admin_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id']) # for _subject_id in authz_subjects_dict: - # if authz_subjects_dict[_subject_id]["name"] not in admin_subject_names_list: - # self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) + # if _subject_id not in admin_subjects_dict: + # self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) # for _subject_id in admin_subjects_dict: - # if admin_subjects_dict[_subject_id]["name"] not in authz_subject_names_list: - # self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) + # if _subject_id not in authz_subjects_dict: + # self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) + + # TODO (ateroide): check whether we can replace the below code by the above one + # NOTE (ateroide): at a first glance: no, subject_id changes depending on which intra_extesion is used + # we must use name which is constant. + authz_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id']) + authz_subject_names_list = [authz_subjects_dict[subject_id]["name"] for subject_id in authz_subjects_dict] + admin_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id']) + admin_subject_names_list = [admin_subjects_dict[subject_id]["name"] for subject_id in admin_subjects_dict] + for _subject_id in authz_subjects_dict: + if authz_subjects_dict[_subject_id]["name"] not in admin_subject_names_list: + self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) + for _subject_id in admin_subjects_dict: + if admin_subjects_dict[_subject_id]["name"] not in authz_subject_names_list: + self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) return self.driver.add_tenant_dict(tenant_dict['id'], tenant_dict) @@ -409,50 +436,20 @@ class TenantManager(manager.Manager): if tenant_dict['intra_admin_extension_id']: if not tenant_dict['intra_authz_extension_id']: raise TenantNoIntraAuthzExtension - authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id']) - admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id']) + authz_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id']) + authz_subject_names_list = [authz_subjects_dict[subject_id]["name"] for subject_id in authz_subjects_dict] + admin_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id']) + admin_subject_names_list = [admin_subjects_dict[subject_id]["name"] for subject_id in admin_subjects_dict] for _subject_id in authz_subjects_dict: - if _subject_id not in admin_subjects_dict: - self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) + if authz_subjects_dict[_subject_id]["name"] not in admin_subject_names_list: + self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) for _subject_id in admin_subjects_dict: - if _subject_id not in authz_subjects_dict: - self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) + if admin_subjects_dict[_subject_id]["name"] not in authz_subject_names_list: + self.admin_api.add_subject_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) return self.driver.set_tenant_dict(tenant_id, tenant_dict) - # TODO (dthom): move the following 2 functions to perimeter functions - @filter_input - def get_subject_dict_from_keystone_id(self, tenant_id, intra_extension_id, keystone_id): - tenants_dict = self.driver.get_tenants_dict() - if tenant_id not in tenants_dict: - raise TenantUnknown() - if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'], - tenants_dict[tenant_id]['intra_admin_extension_id'], ): - raise IntraExtensionUnknown() - # Note (asteroide): We used ADMIN_ID because the user requesting this information may only know his keystone_id - # and not the subject ID in the requested intra_extension. - subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, intra_extension_id) - for subject_id in subjects_dict: - if keystone_id is subjects_dict[subject_id]['keystone_id']: - return {subject_id: subjects_dict[subject_id]} - - @filter_input - def get_subject_dict_from_keystone_name(self, tenant_id, intra_extension_id, keystone_name): - tenants_dict = self.driver.get_tenants_dict() - if tenant_id not in tenants_dict: - raise TenantUnknown() - if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'], - tenants_dict[tenant_id]['intra_admin_extension_id'], ): - raise IntraExtensionUnknown() - # Note (asteroide): We used ADMIN_ID because the user requesting this information may only know his - # keystone_name and not the subject ID in the requested intra_extension. - subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, intra_extension_id) - for subject_id in subjects_dict: - if keystone_name is subjects_dict[subject_id]['keystone_name']: - return {subject_id: subjects_dict[subject_id]} - - -@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api', 'moonlog_api') +@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api', 'moonlog_api', 'root_api') class IntraExtensionManager(manager.Manager): def __init__(self): @@ -501,6 +498,7 @@ class IntraExtensionManager(manager.Manager): authz_buffer['subject_assignments'] = dict() authz_buffer['object_assignments'] = dict() authz_buffer['action_assignments'] = dict() + for _subject_category in meta_data_dict['subject_categories']: authz_buffer['subject_assignments'][_subject_category] = list(subject_assignment_dict[_subject_category]) for _object_category in meta_data_dict['object_categories']: @@ -543,6 +541,8 @@ class IntraExtensionManager(manager.Manager): aggregation_algorithm_id = aggregation_algorithm_dict.keys()[0] if aggregation_algorithm_dict[aggregation_algorithm_id]['name'] == 'all_true': decision = all_true(decision_buffer) + elif aggregation_algorithm_dict[aggregation_algorithm_id]['name'] == 'one_true': + decision = one_true(decision_buffer) if not decision: raise AuthzException("{} {}-{}-{}".format(intra_extension_id, subject_id, action_id, object_id)) return decision @@ -607,7 +607,12 @@ class IntraExtensionManager(manager.Manager): subject_dict = dict() # We suppose that all subjects can be mapped to a true user in Keystone for _subject in json_perimeter['subjects']: - keystone_user = self.identity_api.get_user_by_name(_subject, "default") + try: + keystone_user = self.identity_api.get_user_by_name(_subject, "default") + except exception.UserNotFound: + # TODO (asteroide): must add a configuration option to allow that exception + # maybe a debug option for unittest + keystone_user = {'id': "", 'name': _subject} subject_id = uuid4().hex subject_dict[subject_id] = keystone_user subject_dict[subject_id]['keystone_id'] = keystone_user["id"] @@ -774,8 +779,6 @@ class IntraExtensionManager(manager.Manager): sub_rule_id = self.driver.get_uuid_from_name(intra_extension_dict["id"], sub_rule_name, self.driver.SUB_META_RULE) - # print(sub_rule_name) - # print(self.get_sub_meta_rule_relations("admin", ie["id"])) # if sub_rule_name not in self.get_sub_meta_rule_relations("admin", ie["id"])["sub_meta_rule_relations"]: # raise IntraExtensionException("Bad sub_rule_name name {} in rules".format(sub_rule_name)) rules[sub_rule_id] = list() @@ -833,6 +836,32 @@ class IntraExtensionManager(manager.Manager): self.__load_rule_file(ie_dict, template_dir) return ref + def load_root_intra_extension_dict(self, policy_template): + # Note (asteroide): Only one root Extension is authorized + # and this extension is created at the very beginning of the server + # so we don't need to use enforce here + for key in self.driver.get_intra_extensions_dict(): + # Note (asteroide): if there is at least one Intra Extension, it implies that + # the Root Intra Extension had already been created... + return + ie_dict = dict() + ie_dict['id'] = uuid4().hex + ie_dict["name"] = "policy_root" + ie_dict["model"] = filter_input(policy_template) + ie_dict["genre"] = "admin" + ie_dict["description"] = "policy_root" + ref = self.driver.set_intra_extension_dict(ie_dict['id'], ie_dict) + self.moonlog_api.debug("Creation of IE: {}".format(ref)) + # read the template given by "model" and populate default variables + template_dir = os.path.join(CONF.moon.policy_directory, ie_dict["model"]) + self.__load_metadata_file(ie_dict, template_dir) + self.__load_perimeter_file(ie_dict, template_dir) + self.__load_scope_file(ie_dict, template_dir) + self.__load_assignment_file(ie_dict, template_dir) + self.__load_metarule_file(ie_dict, template_dir) + self.__load_rule_file(ie_dict, template_dir) + return ref + @enforce("read", "intra_extensions") def get_intra_extension_dict(self, user_id, intra_extension_id): """ @@ -858,7 +887,7 @@ class IntraExtensionManager(manager.Manager): for rule_id in self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id): self.driver.del_rule(intra_extension_id, sub_meta_rule_id, rule_id) self.driver.del_sub_meta_rule(intra_extension_id, sub_meta_rule_id) - for aggregation_algorithm_id in self.driver.get_aggregation_algorithms_dict(intra_extension_id): + for aggregation_algorithm_id in self.driver.get_aggregation_algorithm_dict(intra_extension_id): self.driver.del_aggregation_algorithm(intra_extension_id, aggregation_algorithm_id) for subject_id in self.driver.get_subjects_dict(intra_extension_id): self.driver.del_subject(intra_extension_id, subject_id) @@ -1049,6 +1078,7 @@ class IntraExtensionManager(manager.Manager): def add_subject_dict(self, user_id, intra_extension_id, subject_dict): subjects_dict = self.driver.get_subjects_dict(intra_extension_id) for subject_id in subjects_dict: + print(subjects_dict[subject_id]["name"], subject_dict['name']) if subjects_dict[subject_id]["name"] == subject_dict['name']: raise SubjectNameExisting() # Next line will raise an error if user is not present in Keystone database @@ -1091,6 +1121,37 @@ class IntraExtensionManager(manager.Manager): return self.driver.set_subject_dict(intra_extension_id, subject_dict["id"], subject_dict) @filter_input + def get_subject_dict_from_keystone_id(self, tenant_id, intra_extension_id, keystone_id): + tenants_dict = self.tenant_api.driver.get_tenants_dict() + if tenant_id not in tenants_dict: + raise TenantUnknown() + if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'], + tenants_dict[tenant_id]['intra_admin_extension_id'], ): + raise IntraExtensionUnknown() + # Note (asteroide): We used self.root_api.get_root_admin_id() because the user requesting this information + # may only know his keystone_id and not the subject ID in the requested intra_extension. + subjects_dict = self.get_subjects_dict(self.root_api.get_root_admin_id(), intra_extension_id) + for subject_id in subjects_dict: + if keystone_id == subjects_dict[subject_id]['keystone_id']: + return {subject_id: subjects_dict[subject_id]} + + @filter_input + def get_subject_dict_from_keystone_name(self, tenant_id, intra_extension_id, keystone_name): + tenants_dict = self.tenant_api.driver.get_tenants_dict() + if tenant_id not in tenants_dict: + raise TenantUnknown() + if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'], + tenants_dict[tenant_id]['intra_admin_extension_id'], ): + raise IntraExtensionUnknown() + # Note (asteroide): We used self.root_api.get_root_admin_id() because the user requesting this information + # may only know his keystone_name and not the subject ID in the requested intra_extension. + subjects_dict = self.get_subjects_dict(self.root_api.get_root_admin_id(), intra_extension_id) + for subject_id in subjects_dict: + if keystone_name == subjects_dict[subject_id]['keystone_name']: + return {subject_id: subjects_dict[subject_id]} + + + @filter_input @enforce("read", "objects") def get_objects_dict(self, user_id, intra_extension_id): return self.driver.get_objects_dict(intra_extension_id) @@ -1539,7 +1600,7 @@ class IntraExtensionManager(manager.Manager): @enforce(("read", "write"), "aggregation_algorithm") def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): if aggregation_algorithm_id: - if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms_dict(ADMIN_ID): + if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms_dict(self.root_api.get_root_admin_id()): raise AggregationAlgorithmUnknown() else: aggregation_algorithm_id = uuid4().hex @@ -1577,7 +1638,9 @@ class IntraExtensionManager(manager.Manager): sub_meta_rule_dict['action_categories'] == sub_meta_rules_dict[_sub_meta_rule_id]["action_categories"] and \ sub_meta_rule_dict['algorithm'] == sub_meta_rules_dict[_sub_meta_rule_id]["algorithm"]: raise SubMetaRuleExisting() - if sub_meta_rule_dict['algorithm'] not in self.configuration_api.get_sub_meta_rule_algorithms_dict(user_id): + algorithm_names = map(lambda x: x['name'], + self.configuration_api.get_sub_meta_rule_algorithms_dict(user_id).values()) + if sub_meta_rule_dict['algorithm'] not in algorithm_names: raise SubMetaRuleAlgorithmNotExisting() sub_meta_rule_id = uuid4().hex # TODO (dthom): add new sub-meta-rule to rule dict @@ -1682,10 +1745,10 @@ class IntraExtensionAuthzManager(IntraExtensionManager): elif genre == "admin": genre = "intra_admin_extension_id" - tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) tenant_id = None for _tenant_id in tenants_dict: - if tenants_dict[_tenant_id]["name"] is tenant_name: + if tenants_dict[_tenant_id]["name"] == tenant_name: tenant_id = _tenant_id break if not tenant_id: @@ -1697,8 +1760,9 @@ class IntraExtensionAuthzManager(IntraExtensionManager): subjects_dict = self.driver.get_subjects_dict(intra_extension_id) subject_id = None for _subject_id in subjects_dict: - if subjects_dict[_subject_id]['keystone_name'] is subject_name: - subject_id = subjects_dict[_subject_id]['keystone_id'] + if subjects_dict[_subject_id]['keystone_name'] == subject_name: + # subject_id = subjects_dict[_subject_id]['keystone_id'] + subject_id = _subject_id break if not subject_id: raise SubjectUnknown() @@ -1725,7 +1789,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def add_subject_dict(self, user_id, intra_extension_id, subject_dict): subject = super(IntraExtensionAuthzManager, self).add_subject_dict(user_id, intra_extension_id, subject_dict) subject_id, subject_value = subject.iteritems().next() - tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_admin_extension_id"]) @@ -1742,7 +1806,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def del_subject(self, user_id, intra_extension_id, subject_id): subject_name = self.driver.get_subjects_dict(intra_extension_id)[subject_id]["name"] super(IntraExtensionAuthzManager, self).del_subject(user_id, intra_extension_id, subject_id) - tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_admin_extension_id"], @@ -1760,7 +1824,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): subject = super(IntraExtensionAuthzManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict) subject_id, subject_value = subject.iteritems().next() - tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value) @@ -1770,110 +1834,110 @@ class IntraExtensionAuthzManager(IntraExtensionManager): break return subject - # def add_subject_category(self, user_id, intra_extension_id, subject_category_dict): - # raise AuthzException() - # - # def del_subject_category(self, user_id, intra_extension_id, subject_category_id): - # raise AuthzException() - # - # def set_subject_category(self, user_id, intra_extension_id, subject_category_id, subject_category_dict): - # raise AuthzException() - # - # def add_object_category(self, user_id, intra_extension_id, object_category_dict): - # raise AuthzException() - # - # def del_object_category(self, user_id, intra_extension_id, object_category_id): - # raise AuthzException() - # - # def add_action_category(self, user_id, intra_extension_id, action_category_name): - # raise AuthzException() - # - # def del_action_category(self, user_id, intra_extension_id, action_category_id): - # raise AuthzException() - # - # def add_object_dict(self, user_id, intra_extension_id, object_name): - # raise AuthzException() - # - # def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict): - # raise AuthzException() - # - # def del_object(self, user_id, intra_extension_id, object_id): - # raise AuthzException() - # - # def add_action_dict(self, user_id, intra_extension_id, action_name): - # raise AuthzException() - # - # def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict): - # raise AuthzException() - # - # def del_action(self, user_id, intra_extension_id, action_id): - # raise AuthzException() - # - # def add_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_dict): - # raise AuthzException() - # - # def del_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_id): - # raise AuthzException() - # - # def set_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_id, subject_scope_name): - # raise AuthzException() - # - # def add_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_name): - # raise AuthzException() - # - # def del_object_scope(self, user_id, intra_extension_id, object_category_id, object_scope_id): - # raise AuthzException() - # - # def set_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_id, object_scope_name): - # raise AuthzException() - # - # def add_action_scope_dict(self, user_id, intra_extension_id, action_category_id, action_scope_name): - # raise AuthzException() - # - # def del_action_scope(self, user_id, intra_extension_id, action_category_id, action_scope_id): - # raise AuthzException() - # - # def add_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - # raise AuthzException() - # - # def del_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - # raise AuthzException() - # - # def add_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id): - # raise AuthzException() - # - # def del_object_assignment(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id): - # raise AuthzException() - # - # def add_action_assignment_list(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id): - # raise AuthzException() - # - # def del_action_assignment(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id): - # raise AuthzException() - # - # def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): - # raise AuthzException() - # - # def del_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id): - # raise AuthzException() - # - # def add_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_dict): - # raise AuthzException() - # - # def del_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id): - # raise AuthzException() - # - # def set_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict): - # raise AuthzException() - # - # def add_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_list): - # raise AuthzException() - # - # def del_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id): - # raise AuthzException() - # - # def set_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id, rule_list): - # raise AuthzException() + def add_subject_category(self, user_id, intra_extension_id, subject_category_dict): + raise AuthzException() + + def del_subject_category(self, user_id, intra_extension_id, subject_category_id): + raise AuthzException() + + def set_subject_category(self, user_id, intra_extension_id, subject_category_id, subject_category_dict): + raise AuthzException() + + def add_object_category(self, user_id, intra_extension_id, object_category_dict): + raise AuthzException() + + def del_object_category(self, user_id, intra_extension_id, object_category_id): + raise AuthzException() + + def add_action_category(self, user_id, intra_extension_id, action_category_name): + raise AuthzException() + + def del_action_category(self, user_id, intra_extension_id, action_category_id): + raise AuthzException() + + def add_object_dict(self, user_id, intra_extension_id, object_name): + raise AuthzException() + + def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict): + raise AuthzException() + + def del_object(self, user_id, intra_extension_id, object_id): + raise AuthzException() + + def add_action_dict(self, user_id, intra_extension_id, action_name): + raise AuthzException() + + def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict): + raise AuthzException() + + def del_action(self, user_id, intra_extension_id, action_id): + raise AuthzException() + + def add_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_dict): + raise AuthzException() + + def del_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_id): + raise AuthzException() + + def set_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_id, subject_scope_name): + raise AuthzException() + + def add_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_name): + raise AuthzException() + + def del_object_scope(self, user_id, intra_extension_id, object_category_id, object_scope_id): + raise AuthzException() + + def set_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_id, object_scope_name): + raise AuthzException() + + def add_action_scope_dict(self, user_id, intra_extension_id, action_category_id, action_scope_name): + raise AuthzException() + + def del_action_scope(self, user_id, intra_extension_id, action_category_id, action_scope_id): + raise AuthzException() + + def add_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): + raise AuthzException() + + def del_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): + raise AuthzException() + + def add_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id): + raise AuthzException() + + def del_object_assignment(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id): + raise AuthzException() + + def add_action_assignment_list(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id): + raise AuthzException() + + def del_action_assignment(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id): + raise AuthzException() + + def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): + raise AuthzException() + + def del_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id): + raise AuthzException() + + def add_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_dict): + raise AuthzException() + + def del_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id): + raise AuthzException() + + def set_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict): + raise AuthzException() + + def add_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_list): + raise AuthzException() + + def del_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id): + raise AuthzException() + + def set_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id, rule_list): + raise AuthzException() @dependency.provider('admin_api') @@ -1885,7 +1949,7 @@ class IntraExtensionAdminManager(IntraExtensionManager): def add_subject_dict(self, user_id, intra_extension_id, subject_dict): subject = super(IntraExtensionAdminManager, self).add_subject_dict(user_id, intra_extension_id, subject_dict) subject_id, subject_value = subject.iteritems().next() - tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_admin_extension_id"]) @@ -1902,7 +1966,7 @@ class IntraExtensionAdminManager(IntraExtensionManager): def del_subject(self, user_id, intra_extension_id, subject_id): subject_name = self.driver.get_subjects_dict(intra_extension_id)[subject_id]["name"] super(IntraExtensionAdminManager, self).del_subject(user_id, intra_extension_id, subject_id) - tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_admin_extension_id"], @@ -1920,7 +1984,7 @@ class IntraExtensionAdminManager(IntraExtensionManager): def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): subject = super(IntraExtensionAdminManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict) subject_id, subject_value = subject.iteritems().next() - tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) + tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value) @@ -1931,27 +1995,74 @@ class IntraExtensionAdminManager(IntraExtensionManager): return subject def add_object_dict(self, user_id, intra_extension_id, object_name): - raise ObjectsWriteNoAuthorized() + if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + raise ObjectsWriteNoAuthorized() + return super(IntraExtensionAdminManager, self).add_object_dict(user_id, intra_extension_id, object_name) def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict): - raise ObjectsWriteNoAuthorized() + if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + raise ObjectsWriteNoAuthorized() + return super(IntraExtensionAdminManager, self).set_object_dict(user_id, intra_extension_id, object_id, object_dict) def del_object(self, user_id, intra_extension_id, object_id): - raise ObjectsWriteNoAuthorized() + if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + raise ObjectsWriteNoAuthorized() + return super(IntraExtensionAdminManager, self).del_object(user_id, intra_extension_id, object_id) def add_action_dict(self, user_id, intra_extension_id, action_name): - raise ActionsWriteNoAuthorized() + if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + raise ActionsWriteNoAuthorized() + return super(IntraExtensionAdminManager, self).add_action_dict(user_id, intra_extension_id, action_name) def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict): - raise ActionsWriteNoAuthorized() + if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + raise ActionsWriteNoAuthorized() + return super(IntraExtensionAdminManager, self).set_action_dict(user_id, intra_extension_id, action_id, action_dict) def del_action(self, user_id, intra_extension_id, action_id): - raise ActionsWriteNoAuthorized() + if "admin" == self.get_intra_extension_dict(self.root_api.get_root_admin_id(), intra_extension_id)['genre']: + raise ActionsWriteNoAuthorized() + return super(IntraExtensionAdminManager, self).del_action(user_id, intra_extension_id, action_id) + + +@dependency.provider('root_api') +@dependency.requires('moonlog_api', 'admin_api', 'tenant_api') +class IntraExtensionRootManager(IntraExtensionManager): + + def __init__(self): + super(IntraExtensionRootManager, self).__init__() + extensions = self.admin_api.driver.get_intra_extensions_dict() + for extension_id, extension_dict in extensions.iteritems(): + if extension_dict["model"] == CONF.moon.root_policy_directory: + self.root_extension_id = extension_id + else: + extension = self.admin_api.load_root_intra_extension_dict(CONF.moon.root_policy_directory) + self.root_extension_id = extension['id'] + self.root_admin_id = self.__compute_admin_id_for_root_extension() + + def get_root_extension_dict(self): + """ + + :return: {id: {"name": "xxx"}} + """ + return {self.root_extension_id: self.admin_api.driver.get_intra_extensions_dict()[self.root_extension_id]} + + def __compute_admin_id_for_root_extension(self): + for subject_id, subject_dict in self.admin_api.driver.get_subjects_dict(self.root_extension_id).iteritems(): + if subject_dict["name"] == "admin": + return subject_id + raise RootExtensionNotInitialized() + + def get_root_extension_id(self): + return self.root_extension_id + + def get_root_admin_id(self): + return self.root_admin_id @dependency.provider('moonlog_api') # Next line is mandatory in order to force keystone to process dependencies. -@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api') +@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api', 'root_api') class LogManager(manager.Manager): def __init__(self): diff --git a/keystone-moon/keystone/contrib/moon/extension.py b/keystone-moon/keystone/contrib/moon/extension.py deleted file mode 100644 index efee55c5..00000000 --- a/keystone-moon/keystone/contrib/moon/extension.py +++ /dev/null @@ -1,740 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import os.path -import copy -import json -import itertools -from uuid import uuid4 -import logging - -LOG = logging.getLogger("moon.authz") - - -class Metadata: - - def __init__(self): - self.__name = '' - self.__model = '' - self.__genre = '' - self.__description = '' - self.__subject_categories = list() - self.__object_categories = list() - self.__meta_rule = dict() - self.__meta_rule['sub_meta_rules'] = list() - self.__meta_rule['aggregation'] = '' - - def load_from_json(self, extension_setting_dir): - metadata_path = os.path.join(extension_setting_dir, 'metadata.json') - f = open(metadata_path) - json_metadata = json.load(f) - self.__name = json_metadata['name'] - self.__model = json_metadata['model'] - self.__genre = json_metadata['genre'] - self.__description = json_metadata['description'] - self.__subject_categories = copy.deepcopy(json_metadata['subject_categories']) - self.__object_categories = copy.deepcopy(json_metadata['object_categories']) - self.__meta_rule = copy.deepcopy(json_metadata['meta_rule']) - - def get_name(self): - return self.__name - - def get_genre(self): - return self.__genre - - def get_model(self): - return self.__model - - def get_subject_categories(self): - return self.__subject_categories - - def get_object_categories(self): - return self.__object_categories - - def get_meta_rule(self): - return self.__meta_rule - - def get_meta_rule_aggregation(self): - return self.__meta_rule['aggregation'] - - def get_data(self): - data = dict() - data["name"] = self.get_name() - data["model"] = self.__model - data["genre"] = self.__genre - data["description"] = self.__description - data["subject_categories"] = self.get_subject_categories() - data["object_categories"] = self.get_object_categories() - data["meta_rule"] = dict(self.get_meta_rule()) - return data - - def set_data(self, data): - self.__name = data["name"] - self.__model = data["model"] - self.__genre = data["genre"] - self.__description = data["description"] - self.__subject_categories = list(data["subject_categories"]) - self.__object_categories = list(data["object_categories"]) - self.__meta_rule = dict(data["meta_rule"]) - - -class Configuration: - def __init__(self): - self.__subject_category_values = dict() - # examples: { "role": {"admin", "dev", }, } - self.__object_category_values = dict() - self.__rules = list() - - def load_from_json(self, extension_setting_dir): - configuration_path = os.path.join(extension_setting_dir, 'configuration.json') - f = open(configuration_path) - json_configuration = json.load(f) - self.__subject_category_values = copy.deepcopy(json_configuration['subject_category_values']) - self.__object_category_values = copy.deepcopy(json_configuration['object_category_values']) - self.__rules = copy.deepcopy(json_configuration['rules']) # TODO: currently a list, will be a dict with sub-meta-rule as key - - def get_subject_category_values(self): - return self.__subject_category_values - - def get_object_category_values(self): - return self.__object_category_values - - def get_rules(self): - return self.__rules - - def get_data(self): - data = dict() - data["subject_category_values"] = self.get_subject_category_values() - data["object_category_values"] = self.get_object_category_values() - data["rules"] = self.get_rules() - return data - - def set_data(self, data): - self.__subject_category_values = list(data["subject_category_values"]) - self.__object_category_values = list(data["object_category_values"]) - self.__rules = list(data["rules"]) - - -class Perimeter: - def __init__(self): - self.__subjects = list() - self.__objects = list() - - def load_from_json(self, extension_setting_dir): - perimeter_path = os.path.join(extension_setting_dir, 'perimeter.json') - f = open(perimeter_path) - json_perimeter = json.load(f) - self.__subjects = copy.deepcopy(json_perimeter['subjects']) - self.__objects = copy.deepcopy(json_perimeter['objects']) - # print(self.__subjects) - # print(self.__objects) - - def get_subjects(self): - return self.__subjects - - def get_objects(self): - return self.__objects - - def get_data(self): - data = dict() - data["subjects"] = self.get_subjects() - data["objects"] = self.get_objects() - return data - - def set_data(self, data): - self.__subjects = list(data["subjects"]) - self.__objects = list(data["objects"]) - - -class Assignment: - def __init__(self): - self.__subject_category_assignments = dict() - # examples: { "role": {"user1": {"dev"}, "user2": {"admin",}}, } TODO: limit to one value for each attr - self.__object_category_assignments = dict() - - def load_from_json(self, extension_setting_dir): - assignment_path = os.path.join(extension_setting_dir, 'assignment.json') - f = open(assignment_path) - json_assignment = json.load(f) - - self.__subject_category_assignments = dict(copy.deepcopy(json_assignment['subject_category_assignments'])) - self.__object_category_assignments = dict(copy.deepcopy(json_assignment['object_category_assignments'])) - - def get_subject_category_assignments(self): - return self.__subject_category_assignments - - def get_object_category_assignments(self): - return self.__object_category_assignments - - def get_data(self): - data = dict() - data["subject_category_assignments"] = self.get_subject_category_assignments() - data["object_category_assignments"] = self.get_object_category_assignments() - return data - - def set_data(self, data): - self.__subject_category_assignments = list(data["subject_category_assignments"]) - self.__object_category_assignments = list(data["object_category_assignments"]) - - -class AuthzData: - def __init__(self, sub, obj, act): - self.validation = "False" # "OK, KO, Out of Scope" # "auth": False, - self.subject = sub - self.object = str(obj) - self.action = str(act) - self.type = "" # intra-tenant, inter-tenant, Out of Scope - self.subject_attrs = dict() - self.object_attrs = dict() - self.requesting_tenant = "" # "subject_tenant": subject_tenant, - self.requested_tenant = "" # "object_tenant": object_tenant, - - def __str__(self): - return """AuthzData: - validation={} - subject={} - object={} - action={} - """.format(self.validation, self.subject, self.object, self.action) - - -class Extension: - def __init__(self): - self.metadata = Metadata() - self.configuration = Configuration() - self.perimeter = Perimeter() - self.assignment = Assignment() - - def load_from_json(self, extension_setting_dir): - self.metadata.load_from_json(extension_setting_dir) - self.configuration.load_from_json(extension_setting_dir) - self.perimeter.load_from_json(extension_setting_dir) - self.assignment.load_from_json(extension_setting_dir) - - def get_name(self): - return self.metadata.get_name() - - def get_genre(self): - return self.metadata.get_genre() - - def authz(self, sub, obj, act): - authz_data = AuthzData(sub, obj, act) - # authz_logger.warning('extension/authz request: [sub {}, obj {}, act {}]'.format(sub, obj, act)) - - if authz_data.subject in self.perimeter.get_subjects() and authz_data.object in self.perimeter.get_objects(): - - for subject_category in self.metadata.get_subject_categories(): - authz_data.subject_attrs[subject_category] = copy.copy( - # self.assignment.get_subject_category_attr(subject_category, sub) - self.assignment.get_subject_category_assignments()[subject_category][sub] - ) - # authz_logger.warning('extension/authz subject attribute: [subject attr: {}]'.format( - # #self.assignment.get_subject_category_attr(subject_category, sub)) - # self.assignment.get_subject_category_assignments()[subject_category][sub]) - # ) - - for object_category in self.metadata.get_object_categories(): - if object_category == 'action': - authz_data.object_attrs[object_category] = [act] - # authz_logger.warning('extension/authz object attribute: [object attr: {}]'.format([act])) - else: - authz_data.object_attrs[object_category] = copy.copy( - self.assignment.get_object_category_assignments()[object_category][obj] - ) - # authz_logger.warning('extension/authz object attribute: [object attr: {}]'.format( - # self.assignment.get_object_category_assignments()[object_category][obj]) - # ) - - _aggregation_data = dict() - - for sub_meta_rule in self.metadata.get_meta_rule()["sub_meta_rules"].values(): - _tmp_relation_args = list() - - for sub_subject_category in sub_meta_rule["subject_categories"]: - _tmp_relation_args.append(authz_data.subject_attrs[sub_subject_category]) - - for sub_object_category in sub_meta_rule["object_categories"]: - _tmp_relation_args.append(authz_data.object_attrs[sub_object_category]) - - _relation_args = list(itertools.product(*_tmp_relation_args)) - - if sub_meta_rule['relation'] == 'relation_super': # TODO: replace by Prolog Engine - _aggregation_data['relation_super'] = dict() - _aggregation_data['relation_super']['result'] = False - for _relation_arg in _relation_args: - if list(_relation_arg) in self.configuration.get_rules()[sub_meta_rule['relation']]: - # authz_logger.warning( - # 'extension/authz relation super OK: [sub_sl: {}, obj_sl: {}, action: {}]'.format( - # _relation_arg[0], _relation_arg[1], _relation_arg[2] - # ) - # ) - _aggregation_data['relation_super']['result'] = True - break - _aggregation_data['relation_super']['status'] = 'finished' - - elif sub_meta_rule['relation'] == 'permission': - _aggregation_data['permission'] = dict() - _aggregation_data['permission']['result'] = False - for _relation_arg in _relation_args: - if list(_relation_arg) in self.configuration.get_rules()[sub_meta_rule['relation']]: - # authz_logger.warning( - # 'extension/authz relation permission OK: [role: {}, object: {}, action: {}]'.format( - # _relation_arg[0], _relation_arg[1], _relation_arg[2] - # ) - # ) - _aggregation_data['permission']['result'] = True - break - _aggregation_data['permission']['status'] = 'finished' - - if self.metadata.get_meta_rule_aggregation() == 'and_true_aggregation': - authz_data.validation = "OK" - for relation in _aggregation_data: - if _aggregation_data[relation]['status'] == 'finished' \ - and _aggregation_data[relation]['result'] == False: - authz_data.validation = "KO" - else: - authz_data.validation = 'Out of Scope' - - return authz_data.validation - - # ---------------- metadate api ---------------- - - def get_subject_categories(self): - return self.metadata.get_subject_categories() - - def add_subject_category(self, category_id): - if category_id in self.get_subject_categories(): - return "[ERROR] Add Subject Category: Subject Category Exists" - else: - self.get_subject_categories().append(category_id) - self.configuration.get_subject_category_values()[category_id] = list() - self.assignment.get_subject_category_assignments()[category_id] = dict() - return self.get_subject_categories() - - def del_subject_category(self, category_id): - if category_id in self.get_subject_categories(): - self.configuration.get_subject_category_values().pop(category_id) - self.assignment.get_subject_category_assignments().pop(category_id) - self.get_subject_categories().remove(category_id) - return self.get_subject_categories() - else: - return "[ERROR] Del Subject Category: Subject Category Unknown" - - def get_object_categories(self): - return self.metadata.get_object_categories() - - def add_object_category(self, category_id): - if category_id in self.get_object_categories(): - return "[ERROR] Add Object Category: Object Category Exists" - else: - self.get_object_categories().append(category_id) - self.configuration.get_object_category_values()[category_id] = list() - self.assignment.get_object_category_assignments()[category_id] = dict() - return self.get_object_categories() - - def del_object_category(self, category_id): - if category_id in self.get_object_categories(): - self.configuration.get_object_category_values().pop(category_id) - self.assignment.get_object_category_assignments().pop(category_id) - self.get_object_categories().remove(category_id) - return self.get_object_categories() - else: - return "[ERROR] Del Object Category: Object Category Unknown" - - def get_meta_rule(self): - return self.metadata.get_meta_rule() - - # ---------------- configuration api ---------------- - - def get_subject_category_values(self, category_id): - return self.configuration.get_subject_category_values()[category_id] - - def add_subject_category_value(self, category_id, category_value): - if category_value in self.configuration.get_subject_category_values()[category_id]: - return "[ERROR] Add Subject Category Value: Subject Category Value Exists" - else: - self.configuration.get_subject_category_values()[category_id].append(category_value) - return self.configuration.get_subject_category_values()[category_id] - - def del_subject_category_value(self, category_id, category_value): - if category_value in self.configuration.get_subject_category_values()[category_id]: - self.configuration.get_subject_category_values()[category_id].remove(category_value) - return self.configuration.get_subject_category_values()[category_id] - else: - return "[ERROR] Del Subject Category Value: Subject Category Value Unknown" - - def get_object_category_values(self, category_id): - return self.configuration.get_object_category_values()[category_id] - - def add_object_category_value(self, category_id, category_value): - if category_value in self.configuration.get_object_category_values()[category_id]: - return "[ERROR] Add Object Category Value: Object Category Value Exists" - else: - self.configuration.get_object_category_values()[category_id].append(category_value) - return self.configuration.get_object_category_values()[category_id] - - def del_object_category_value(self, category_id, category_value): - if category_value in self.configuration.get_object_category_values()[category_id]: - self.configuration.get_object_category_values()[category_id].remove(category_value) - return self.configuration.get_object_category_values()[category_id] - else: - return "[ERROR] Del Object Category Value: Object Category Value Unknown" - - def get_meta_rules(self): - return self.metadata.get_meta_rule() - - def _build_rule_from_list(self, relation, rule): - rule = list(rule) - _rule = dict() - _rule["sub_cat_value"] = dict() - _rule["obj_cat_value"] = dict() - if relation in self.metadata.get_meta_rule()["sub_meta_rules"]: - _rule["sub_cat_value"][relation] = dict() - _rule["obj_cat_value"][relation] = dict() - for s_category in self.metadata.get_meta_rule()["sub_meta_rules"][relation]["subject_categories"]: - _rule["sub_cat_value"][relation][s_category] = rule.pop(0) - for o_category in self.metadata.get_meta_rule()["sub_meta_rules"][relation]["object_categories"]: - _rule["obj_cat_value"][relation][o_category] = rule.pop(0) - return _rule - - def get_rules(self, full=False): - if not full: - return self.configuration.get_rules() - rules = dict() - for key in self.configuration.get_rules(): - rules[key] = map(lambda x: self._build_rule_from_list(key, x), self.configuration.get_rules()[key]) - return rules - - def add_rule(self, sub_cat_value_dict, obj_cat_value_dict): - for _relation in self.metadata.get_meta_rule()["sub_meta_rules"]: - _sub_rule = list() - for sub_subject_category in self.metadata.get_meta_rule()["sub_meta_rules"][_relation]["subject_categories"]: - try: - if sub_cat_value_dict[_relation][sub_subject_category] \ - in self.configuration.get_subject_category_values()[sub_subject_category]: - _sub_rule.append(sub_cat_value_dict[_relation][sub_subject_category]) - else: - return "[Error] Add Rule: Subject Category Value Unknown" - except KeyError as e: - # DThom: sometimes relation attribute is buggy, I don't know why... - print(e) - - #BUG: when adding a new category in rules despite it was previously adding - # data = { - # "sub_cat_value": - # {"relation_super": - # {"subject_security_level": "high", "AMH_CAT": "AMH_VAL"} - # }, - # "obj_cat_value": - # {"relation_super": - # {"object_security_level": "medium"} - # } - # } - # traceback = """ - # Traceback (most recent call last): - # File "/moon/gui/views_json.py", line 20, in wrapped - # result = function(*args, **kwargs) - # File "/moon/gui/views_json.py", line 429, in rules - # obj_cat_value=filter_input(data["obj_cat_value"])) - # File "/usr/local/lib/python2.7/dist-packages/moon/core/pap/core.py", line 380, in add_rule - # obj_cat_value) - # File "/usr/local/lib/python2.7/dist-packages/moon/core/pdp/extension.py", line 414, in add_rule - # if obj_cat_value_dict[_relation][sub_object_category] \ - # KeyError: u'action' - # """ - for sub_object_category in self.metadata.get_meta_rule()["sub_meta_rules"][_relation]["object_categories"]: - if obj_cat_value_dict[_relation][sub_object_category] \ - in self.configuration.get_object_category_values()[sub_object_category]: - _sub_rule.append(obj_cat_value_dict[_relation][sub_object_category]) - else: - return "[Error] Add Rule: Object Category Value Unknown" - - if _sub_rule in self.configuration.get_rules()[_relation]: - return "[Error] Add Rule: Rule Exists" - else: - self.configuration.get_rules()[_relation].append(_sub_rule) - return { - sub_cat_value_dict.keys()[0]: ({ - "sub_cat_value": copy.deepcopy(sub_cat_value_dict), - "obj_cat_value": copy.deepcopy(obj_cat_value_dict) - }, ) - } - return self.configuration.get_rules() - - def del_rule(self, sub_cat_value_dict, obj_cat_value_dict): - for _relation in self.metadata.get_meta_rule()["sub_meta_rules"]: - _sub_rule = list() - for sub_subject_category in self.metadata.get_meta_rule()["sub_meta_rules"][_relation]["subject_categories"]: - _sub_rule.append(sub_cat_value_dict[_relation][sub_subject_category]) - - for sub_object_category in self.metadata.get_meta_rule()["sub_meta_rules"][_relation]["object_categories"]: - _sub_rule.append(obj_cat_value_dict[_relation][sub_object_category]) - - if _sub_rule in self.configuration.get_rules()[_relation]: - self.configuration.get_rules()[_relation].remove(_sub_rule) - else: - return "[Error] Del Rule: Rule Unknown" - return self.configuration.get_rules() - - # ---------------- perimeter api ---------------- - - def get_subjects(self): - return self.perimeter.get_subjects() - - def get_objects(self): - return self.perimeter.get_objects() - - def add_subject(self, subject_id): - if subject_id in self.perimeter.get_subjects(): - return "[ERROR] Add Subject: Subject Exists" - else: - self.perimeter.get_subjects().append(subject_id) - return self.perimeter.get_subjects() - - def del_subject(self, subject_id): - if subject_id in self.perimeter.get_subjects(): - self.perimeter.get_subjects().remove(subject_id) - return self.perimeter.get_subjects() - else: - return "[ERROR] Del Subject: Subject Unknown" - - def add_object(self, object_id): - if object_id in self.perimeter.get_objects(): - return "[ERROR] Add Object: Object Exists" - else: - self.perimeter.get_objects().append(object_id) - return self.perimeter.get_objects() - - def del_object(self, object_id): - if object_id in self.perimeter.get_objects(): - self.perimeter.get_objects().remove(object_id) - return self.perimeter.get_objects() - else: - return "[ERROR] Del Object: Object Unknown" - - # ---------------- assignment api ---------------- - - def get_subject_assignments(self, category_id): - if category_id in self.metadata.get_subject_categories(): - return self.assignment.get_subject_category_assignments()[category_id] - else: - return "[ERROR] Get Subject Assignment: Subject Category Unknown" - - def add_subject_assignment(self, category_id, subject_id, category_value): - if category_id in self.metadata.get_subject_categories(): - if subject_id in self.perimeter.get_subjects(): - if category_value in self.configuration.get_subject_category_values()[category_id]: - if category_id in self.assignment.get_subject_category_assignments().keys(): - if subject_id in self.assignment.get_subject_category_assignments()[category_id].keys(): - if category_value in self.assignment.get_subject_category_assignments()[category_id][subject_id]: - return "[ERROR] Add Subject Assignment: Subject Assignment Exists" - else: - self.assignment.get_subject_category_assignments()[category_id][subject_id].extend([category_value]) - else: - self.assignment.get_subject_category_assignments()[category_id][subject_id] = [category_value] - else: - self.assignment.get_subject_category_assignments()[category_id] = {subject_id: [category_value]} - return self.assignment.get_subject_category_assignments() - else: - return "[ERROR] Add Subject Assignment: Subject Category Value Unknown" - else: - return "[ERROR] Add Subject Assignment: Subject Unknown" - else: - return "[ERROR] Add Subject Assignment: Subject Category Unknown" - - def del_subject_assignment(self, category_id, subject_id, category_value): - if category_id in self.metadata.get_subject_categories(): - if subject_id in self.perimeter.get_subjects(): - if category_value in self.configuration.get_subject_category_values()[category_id]: - if len(self.assignment.get_subject_category_assignments()[category_id][subject_id]) >= 2: - self.assignment.get_subject_category_assignments()[category_id][subject_id].remove(category_value) - else: - self.assignment.get_subject_category_assignments()[category_id].pop(subject_id) - return self.assignment.get_subject_category_assignments() - else: - return "[ERROR] Del Subject Assignment: Assignment Unknown" - else: - return "[ERROR] Del Subject Assignment: Subject Unknown" - else: - return "[ERROR] Del Subject Assignment: Subject Category Unknown" - - def get_object_assignments(self, category_id): - if category_id in self.metadata.get_object_categories(): - return self.assignment.get_object_category_assignments()[category_id] - else: - return "[ERROR] Get Object Assignment: Object Category Unknown" - - def add_object_assignment(self, category_id, object_id, category_value): - if category_id in self.metadata.get_object_categories(): - if object_id in self.perimeter.get_objects(): - if category_value in self.configuration.get_object_category_values()[category_id]: - if category_id in self.assignment.get_object_category_assignments().keys(): - if object_id in self.assignment.get_object_category_assignments()[category_id].keys(): - if category_value in self.assignment.get_object_category_assignments()[category_id][object_id]: - return "[ERROR] Add Object Assignment: Object Assignment Exists" - else: - self.assignment.get_object_category_assignments()[category_id][object_id].extend([category_value]) - else: - self.assignment.get_object_category_assignments()[category_id][object_id] = [category_value] - else: - self.assignment.get_object_category_assignments()[category_id] = {object_id: [category_value]} - return self.assignment.get_object_category_assignments() - else: - return "[ERROR] Add Object Assignment: Object Category Value Unknown" - else: - return "[ERROR] Add Object Assignment: Object Unknown" - else: - return "[ERROR] Add Object Assignment: Object Category Unknown" - - def del_object_assignment(self, category_id, object_id, category_value): - if category_id in self.metadata.get_object_categories(): - if object_id in self.perimeter.get_objects(): - if category_value in self.configuration.get_object_category_values()[category_id]: - if len(self.assignment.get_object_category_assignments()[category_id][object_id]) >= 2: - self.assignment.get_object_category_assignments()[category_id][object_id].remove(category_value) - else: - self.assignment.get_object_category_assignments()[category_id].pop(object_id) - return self.assignment.get_object_category_assignments() - else: - return "[ERROR] Del Object Assignment: Assignment Unknown" - else: - return "[ERROR] Del Object Assignment: Object Unknown" - else: - return "[ERROR] Del Object Assignment: Object Category Unknown" - - # ---------------- inter-extension API ---------------- - - def create_requesting_collaboration(self, sub_list, vent_uuid, act): - _sub_cat_values = dict() - _obj_cat_values = dict() - - if type(self.add_object(vent_uuid)) is not list: - return "[Error] Create Requesting Collaboration: No Success" - for _relation in self.get_meta_rule()["sub_meta_rules"]: - for _sub_cat_id in self.get_meta_rule()["sub_meta_rules"][_relation]["subject_categories"]: - _sub_cat_value = str(uuid4()) - if type(self.add_subject_category_value(_sub_cat_id, _sub_cat_value)) is not list: - return "[Error] Create Requesting Collaboration: No Success" - _sub_cat_values[_relation] = {_sub_cat_id: _sub_cat_value} - for _sub in sub_list: - if type(self.add_subject_assignment(_sub_cat_id, _sub, _sub_cat_value)) is not dict: - return "[Error] Create Requesting Collaboration: No Success" - - for _obj_cat_id in self.get_meta_rule()["sub_meta_rules"][_relation]["object_categories"]: - if _obj_cat_id == 'action': - _obj_cat_values[_relation][_obj_cat_id] = act - else: - _obj_cat_value = str(uuid4()) - if type(self.add_object_category_value(_obj_cat_id, _obj_cat_value)) is not list: - return "[Error] Create Requesting Collaboration: No Success" - if type(self.add_object_assignment(_obj_cat_id, vent_uuid, _obj_cat_value)) is not dict: - return "[Error] Create Requesting Collaboration: No Success" - _obj_cat_values[_relation] = {_obj_cat_id: _obj_cat_value} - - _rule = self.add_rule(_sub_cat_values, _obj_cat_values) - if type(_rule) is not dict: - return "[Error] Create Requesting Collaboration: No Success" - return {"subject_category_value_dict": _sub_cat_values, "object_category_value_dict": _obj_cat_values, - "rule": _rule} - - def destroy_requesting_collaboration(self, sub_list, vent_uuid, sub_cat_value_dict, obj_cat_value_dict): - for _relation in self.get_meta_rule()["sub_meta_rules"]: - for _sub_cat_id in self.get_meta_rule()["sub_meta_rules"][_relation]["subject_categories"]: - for _sub in sub_list: - if type(self.del_subject_assignment(_sub_cat_id, _sub, sub_cat_value_dict[_relation][_sub_cat_id]))\ - is not dict: - return "[Error] Destroy Requesting Collaboration: No Success" - if type(self.del_subject_category_value(_sub_cat_id, sub_cat_value_dict[_relation][_sub_cat_id])) \ - is not list: - return "[Error] Destroy Requesting Collaboration: No Success" - - for _obj_cat_id in self.get_meta_rule()["sub_meta_rules"][_relation]["object_categories"]: - if _obj_cat_id == "action": - pass # TODO: reconsidering the action as object attribute - else: - if type(self.del_object_assignment(_obj_cat_id, vent_uuid, obj_cat_value_dict[_relation][_obj_cat_id])) is not dict: - return "[Error] Destroy Requesting Collaboration: No Success" - if type(self.del_object_category_value(_obj_cat_id, obj_cat_value_dict[_relation][_obj_cat_id])) is not list: - return "[Error] Destroy Requesting Collaboration: No Success" - - if type(self.del_rule(sub_cat_value_dict, obj_cat_value_dict)) is not dict: - return "[Error] Destroy Requesting Collaboration: No Success" - if type(self.del_object(vent_uuid)) is not list: - return "[Error] Destroy Requesting Collaboration: No Success" - return "[Destroy Requesting Collaboration] OK" - - def create_requested_collaboration(self, vent_uuid, obj_list, act): - _sub_cat_values = dict() - _obj_cat_values = dict() - - if type(self.add_subject(vent_uuid)) is not list: - return "[Error] Create Requested Collaboration: No Success" - - for _relation in self.get_meta_rule()["sub_meta_rules"]: - for _sub_cat_id in self.get_meta_rule()["sub_meta_rules"][_relation]["subject_categories"]: - _sub_cat_value = str(uuid4()) - if type(self.add_subject_category_value(_sub_cat_id, _sub_cat_value)) is not list: - return "[Error] Create Requested Collaboration: No Success" - _sub_cat_values[_relation] = {_sub_cat_id: _sub_cat_value} - if type(self.add_subject_assignment(_sub_cat_id, vent_uuid, _sub_cat_value)) is not dict: - return "[Error] Create Requested Collaboration: No Success" - - for _obj_cat_id in self.get_meta_rule()["sub_meta_rules"][_relation]["object_categories"]: - if _obj_cat_id == 'action': - _obj_cat_values[_relation][_obj_cat_id] = act - else: - _obj_cat_value = str(uuid4()) - if type(self.add_object_category_value(_obj_cat_id, _obj_cat_value)) is not list: - return "[Error] Create Requested Collaboration: No Success" - _obj_cat_values[_relation] = {_obj_cat_id: _obj_cat_value} - for _obj in obj_list: - if type(self.add_object_assignment(_obj_cat_id, _obj, _obj_cat_value)) is not dict: - return "[Error] Create Requested Collaboration: No Success" - - _rule = self.add_rule(_sub_cat_values, _obj_cat_values) - if type(_rule) is not dict: - return "[Error] Create Requested Collaboration: No Success" - return {"subject_category_value_dict": _sub_cat_values, "object_category_value_dict": _obj_cat_values, - "rule": _rule} - - def destroy_requested_collaboration(self, vent_uuid, obj_list, sub_cat_value_dict, obj_cat_value_dict): - for _relation in self.get_meta_rule()["sub_meta_rules"]: - for _sub_cat_id in self.get_meta_rule()["sub_meta_rules"][_relation]["subject_categories"]: - if type(self.del_subject_assignment(_sub_cat_id, vent_uuid, sub_cat_value_dict[_relation][_sub_cat_id])) is not dict: - return "[Error] Destroy Requested Collaboration: No Success" - if type(self.del_subject_category_value(_sub_cat_id, sub_cat_value_dict[_relation][_sub_cat_id])) is not list: - return "[Error] Destroy Requested Collaboration: No Success" - - for _obj_cat_id in self.get_meta_rule()["sub_meta_rules"][_relation]["object_categories"]: - if _obj_cat_id == "action": - pass # TODO: reconsidering the action as object attribute - else: - for _obj in obj_list: - if type(self.del_object_assignment(_obj_cat_id, _obj, obj_cat_value_dict[_relation][_obj_cat_id])) is not dict: - return "[Error] Destroy Requested Collaboration: No Success" - if type(self.del_object_category_value(_obj_cat_id, obj_cat_value_dict[_relation][_obj_cat_id])) is not list: - return "[Error] Destroy Requested Collaboration: No Success" - - if type(self.del_rule(sub_cat_value_dict, obj_cat_value_dict)) is not dict: - return "[Error] Destroy Requested Collaboration: No Success" - if type(self.del_subject(vent_uuid)) is not list: - return "[Error] Destroy Requested Collaboration: No Success" - return "[Destroy Requested Collaboration] OK" - - # ---------------- sync_db api ---------------- - - def get_data(self): - data = dict() - data["metadata"] = self.metadata.get_data() - data["configuration"] = self.configuration.get_data() - data["perimeter"] = self.perimeter.get_data() - data["assignment"] = self.assignment.get_data() - return data - - def set_data(self, extension_data): - self.metadata.set_data(extension_data["metadata"]) - self.configuration.set_data(extension_data["configuration"]) - self.perimeter.set_data(extension_data["perimeter"]) - self.assignment.set_data(extension_data["assignment"]) diff --git a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py index af4d80bb..4fd26bef 100644 --- a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py +++ b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py @@ -21,11 +21,11 @@ def upgrade(migrate_engine): mysql_charset='utf8') intra_extension_table.create(migrate_engine, checkfirst=True) - intra_extension_table.insert().values(id=uuid4().hex, intra_extension={ - 'name': "Root Extension", - 'description': "The root intra extension", - 'model': 'admin' - }) + # intra_extension_table.insert().values(id=uuid4().hex, intra_extension={ + # 'name': "Root Extension", + # 'description': "The root intra extension", + # 'model': 'admin' + # }) tenant_table = sql.Table( 'tenants', @@ -195,8 +195,6 @@ def upgrade(migrate_engine): mysql_charset='utf8') rules_table.create(migrate_engine, checkfirst=True) - # TODO: load root_extension - def downgrade(migrate_engine): meta = sql.MetaData() |