aboutsummaryrefslogtreecommitdiffstats
path: root/moon_authz/moon_authz
diff options
context:
space:
mode:
Diffstat (limited to 'moon_authz/moon_authz')
-rw-r--r--moon_authz/moon_authz/__init__.py6
-rw-r--r--moon_authz/moon_authz/__main__.py4
-rw-r--r--moon_authz/moon_authz/api/__init__.py0
-rw-r--r--moon_authz/moon_authz/api/authorization.py397
-rw-r--r--moon_authz/moon_authz/api/update.py42
-rw-r--r--moon_authz/moon_authz/http_server.py142
-rw-r--r--moon_authz/moon_authz/server.py56
7 files changed, 0 insertions, 647 deletions
diff --git a/moon_authz/moon_authz/__init__.py b/moon_authz/moon_authz/__init__.py
deleted file mode 100644
index 85c245e0..00000000
--- a/moon_authz/moon_authz/__init__.py
+++ /dev/null
@@ -1,6 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-__version__ = "4.4.0"
diff --git a/moon_authz/moon_authz/__main__.py b/moon_authz/moon_authz/__main__.py
deleted file mode 100644
index 6f1f9807..00000000
--- a/moon_authz/moon_authz/__main__.py
+++ /dev/null
@@ -1,4 +0,0 @@
-from moon_authz.server import create_server
-
-SERVER = create_server()
-SERVER.run()
diff --git a/moon_authz/moon_authz/api/__init__.py b/moon_authz/moon_authz/api/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moon_authz/moon_authz/api/__init__.py
+++ /dev/null
diff --git a/moon_authz/moon_authz/api/authorization.py b/moon_authz/moon_authz/api/authorization.py
deleted file mode 100644
index 59af295d..00000000
--- a/moon_authz/moon_authz/api/authorization.py
+++ /dev/null
@@ -1,397 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import itertools
-import pickle
-import logging
-import flask
-from flask import request
-from flask_restful import Resource
-from python_moonutilities import exceptions
-
-LOGGER = logging.getLogger("moon.authz.api." + __name__)
-
-
-class Authz(Resource):
- """
- Endpoint for authz requests
- """
- __version__ = "4.3.1"
-
- __urls__ = (
- "/authz",
- "/authz/",
- )
-
- pdp_id = None
- meta_rule_id = None
- keystone_project_id = None
- payload = None
-
- def __init__(self, **kwargs):
- component_data = kwargs.get("component_data", {})
- self.component_id = component_data['component_id']
- self.pdp_id = component_data['pdp_id']
- self.meta_rule_id = component_data['meta_rule_id']
- self.keystone_project_id = component_data['keystone_project_id']
- self.cache = kwargs.get("cache")
- self.context = None
-
- def post(self):
- """Get a response on an authorization request
-
- :request:
-
- :return: {
- "args": {},
- "ctx": {
- "action_name": "4567",
- "id": "123456",
- "method": "authz",
- "object_name": "234567",
- "subject_name": "123456",
- "user_id": "admin"
- },
- "error": {
- "code": 500,
- "description": "",
- "title": "Moon Error"
- },
- "intra_extension_id": "123456",
- "result": false
- }
- :internal_api: authz
- """
- self.context = pickle.loads(request.data)
- self.context.set_cache(self.cache)
- self.context.increment_index()
- self.context.update_target()
- # FIXME (asteroide): force the update but we should not do that
- # a better way is to build the bilateral link between Master and Slaves
- self.cache.update()
- if not self.run():
- raise exceptions.MoonError("Error in the request status={}".format(
- self.context.current_state))
- self.context.delete_cache()
- response = flask.make_response(pickle.dumps(self.context))
- response.headers['content-type'] = 'application/octet-stream'
- return response
-
- def run(self):
- result, message = self.__check_rules()
- if result:
- return self.__exec_instructions(result)
- self.context.current_state = "deny"
- # self.__exec_next_state(result)
- return
-
- def __check_rules(self):
- scopes_list = list()
- current_header_id = self.context.headers[self.context.index]
- # Context.update_target(context)
- if not self.context.pdp_set:
- raise exceptions.PdpUnknown
- if current_header_id not in self.context.pdp_set:
- raise Exception('Invalid index')
- current_pdp = self.context.pdp_set[current_header_id]
- category_list = list()
- if 'meta_rules' not in current_pdp:
- raise exceptions.PdpContentError
- try:
- category_list.extend(current_pdp["meta_rules"]["subject_categories"])
- category_list.extend(current_pdp["meta_rules"]["object_categories"])
- category_list.extend(current_pdp["meta_rules"]["action_categories"])
- except Exception:
- raise exceptions.MetaRuleContentError
- if 'target' not in current_pdp:
- raise exceptions.PdpContentError
- for category in category_list:
- scope = list(current_pdp['target'][category])
- if not scope:
- LOGGER.warning("Scope in category {} is empty".format(category))
- raise exceptions.AuthzException
- scopes_list.append(scope)
- # policy_id = self.cache.get_policy_from_meta_rules("admin", current_header_id)
- if self.context.current_policy_id not in self.cache.rules:
- raise exceptions.PolicyUnknown
- if 'rules' not in self.cache.rules[self.context.current_policy_id]:
- raise exceptions.RuleUnknown
- for item in itertools.product(*scopes_list):
- req = list(item)
- for rule in self.cache.rules[self.context.current_policy_id]["rules"]:
- if req == rule['rule']:
- return rule['instructions'], ""
- LOGGER.warning("No rule match the request...")
- return False, "No rule match the request..."
-
- def __update_subject_category_in_policy(self, operation, target):
- result = False
- # try:
- # policy_name, category_name, data_name = target.split(":")
- # except ValueError:
- # LOGGER.error("Cannot understand value in instruction ({})".format(target))
- # return False
- # # pdp_set = self.payload["authz_context"]['pdp_set']
- # for meta_rule_id in self.context.pdp_set:
- # if meta_rule_id == "effect":
- # continue
- # if self.context.pdp_set[meta_rule_id]["meta_rules"]["name"] == policy_name:
- # for category_id, category_value in self.cache.subject_categories.items():
- # if category_value["name"] == "role":
- # subject_category_id = category_id
- # break
- # else:
- # LOGGER.error("Cannot understand category in instruction ({})".format(target))
- # return False
- # subject_data_id = None
- # for data in PolicyManager.get_subject_data("admin", policy_id,
- # category_id=subject_category_id):
- # for data_id, data_value in data['data'].items():
- # if data_value["name"] == data_name:
- # subject_data_id = data_id
- # break
- # if subject_data_id:
- # break
- # else:
- # LOGGER.error("Cannot understand data in instruction ({})".format(target))
- # return False
- # if operation == "add":
- # self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][
- # subject_category_id].append(subject_data_id)
- # elif operation == "delete":
- # try:
- # self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][
- # subject_category_id].remove(subject_data_id)
- # except ValueError:
- # LOGGER.warning("Cannot remove role {} from target".format(data_name))
- # result = True
- # break
- return result
-
- def __update_container_chaining(self):
- for index in range(len(self.payload["authz_context"]['headers'])):
- self.payload["container_chaining"][index]["meta_rule_id"] = \
- self.payload["authz_context"]['headers'][index]
-
- def __get_container_from_meta_rule(self, meta_rule_id):
- for index in range(len(self.payload["authz_context"]['headers'])):
- if self.payload["container_chaining"][index]["meta_rule_id"] == meta_rule_id:
- return self.payload["container_chaining"][index]
-
- def __update_headers(self, name):
- # context = self.payload["authz_context"]
- for meta_rule_id, meta_rule_value in self.context.pdp_set.items():
- if meta_rule_id == "effect":
- continue
- if meta_rule_value["meta_rules"]["name"] == name:
- self.context.headers.append(meta_rule_id)
- return True
- return False
-
- # def __exec_next_state(self, rule_found):
- # index = self.context.index
- # current_meta_rule = self.context.headers[index]
- # current_container = self.__get_container_from_meta_rule(current_meta_rule)
- # current_container_genre = current_container["genre"]
- # try:
- # next_meta_rule = self.context.headers[index + 1]
- # except IndexError:
- # next_meta_rule = None
- # if current_container_genre == "authz":
- # if rule_found:
- # return True
- # pass
- # if next_meta_rule:
- # # next will be session if current is deny and session is unset
- # if self.payload["authz_context"]['pdp_set'][next_meta_rule]['effect'] == "unset":
- # return notify(
- # request_id=self.payload["authz_context"]["request_id"],
- # container_id=self.__get_container_from_meta_rule(next_meta_rule)[
- # 'container_id'],payload=self.payload)
- # # next will be delegation if current is deny and session is passed or deny and
- # delegation is unset
- # else:
- # LOG.error("Delegation is not developed!")
- #
- # else:
- # # else next will be None and the request is sent to router
- # return self.__return_to_router()
- # elif current_container_genre == "session":
- # pass
- # # next will be next container in headers if current is passed
- # if self.payload["authz_context"]['pdp_set'][current_meta_rule]['effect'] == "passed":
- # return notify(
- # request_id=self.payload["authz_context"]["request_id"],
- # container_id=self.__get_container_from_meta_rule(next_meta_rule)[
- # 'container_id'],payload=self.payload)
- # # next will be None if current is grant and the request is sent to router
- # else:
- # return self.__return_to_router()
- # elif current_container_genre == "delegation":
- # LOG.error("Delegation is not developed!")
- # # next will be authz if current is deny
- # # next will be None if current is grant and the request is sent to router
-
- # def __return_to_router(self):
- # call(endpoint="security_router",
- # ctx={"id": self.component_id,
- # "call_master": False,
- # "method": "return_authz",
- # "request_id": self.payload["authz_context"]["request_id"]},
- # method="route",
- # args=self.payload["authz_context"])
-
- def __exec_instructions(self, instructions):
- if type(instructions) is dict:
- instructions = [instructions, ]
- if type(instructions) not in (list, tuple):
- raise exceptions.RuleContentError("Bad instructions format")
- for instruction in instructions:
- for key in instruction:
- if key == "decision":
- if instruction["decision"] == "grant":
- self.context.current_state = "grant"
- LOGGER.info("__exec_instructions True %s" % self.context.current_state)
- return True
-
- self.context.current_state = instruction["decision"].lower()
- elif key == "chain":
- result = self.__update_headers(**instruction["chain"])
- if not result:
- self.context.current_state = "deny"
- else:
- self.context.current_state = "passed"
- elif key == "update":
- result = self.__update_subject_category_in_policy(**instruction["update"])
- if not result:
- self.context.current_state = "deny"
- else:
- self.context.current_state = "passed"
- LOGGER.info("__exec_instructions False %s" % self.context.current_state)
-
- # def __update_current_request(self):
- # index = self.payload["authz_context"]["index"]
- # current_header_id = self.payload["authz_context"]['headers'][index]
- # previous_header_id = self.payload["authz_context"]['headers'][index - 1]
- # current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id)
- # previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id)
- # # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy
- # if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules'][
- # 'name'] == "session":
- # subject = self.payload["authz_context"]['current_request'].get("subject")
- # subject_category_id = None
- # role_names = []
- # for category_id, category_value in ModelManager.get_subject_categories("admin").items():
- # if category_value["name"] == "role":
- # subject_category_id = category_id
- # break
- # for assignment_id, assignment_value in PolicyManager.get_subject_assignments(
- # "admin", previous_policy_id, subject, subject_category_id).items():
- # for data_id in assignment_value["assignments"]:
- # data = PolicyManager.get_subject_data(
- # "admin", previous_policy_id, data_id, subject_category_id)
- # for _data in data:
- # for key, value in _data["data"].items():
- # role_names.append(value["name"])
- # new_role_ids = []
- # for perimeter_id, perimeter_value in PolicyManager.get_objects(
- # "admin", current_policy_id).items():
- # if perimeter_value["name"] in role_names:
- # new_role_ids.append(perimeter_id)
- # break
- # perimeter_id = None
- # for perimeter_id, perimeter_value in PolicyManager.get_actions(
- # "admin", current_policy_id).items():
- # if perimeter_value["name"] == "*":
- # break
- #
- # self.payload["authz_context"]['current_request']['object'] = new_role_ids[0]
- # self.payload["authz_context"]['current_request']['action'] = perimeter_id
- # elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac":
- # self.payload["authz_context"]['current_request']['subject'] = \
- # self.payload["authz_context"]['initial_request']['subject']
- # self.payload["authz_context"]['current_request']['object'] = \
- # self.payload["authz_context"]['initial_request']['object']
- # self.payload["authz_context"]['current_request']['action'] = \
- # self.payload["authz_context"]['initial_request']['action']
-
- def get_authz(self):
- # self.keystone_project_id = payload["id"]
- # LOG.info("get_authz {}".format(payload))
- # self.payload = payload
- try:
- # if "authz_context" not in payload:
- # try:
- # self.payload["authz_context"] = Context(self.keystone_project_id,
- # self.payload["subject_name"],
- # self.payload["object_name"],
- # self.payload["action_name"],
- # self.payload["request_id"]).to_dict()
- # except exceptions.SubjectUnknown:
- # ctx = {
- # "subject_name": self.payload["subject_name"],
- # "object_name": self.payload["object_name"],
- # "action_name": self.payload["action_name"],
- # }
- # call("moon_manager", method="update_from_master", ctx=ctx, args={})
- # self.payload["authz_context"] = Context(self.keystone_project_id,
- # self.payload["subject_name"],
- # self.payload["object_name"],
- # self.payload["action_name"],
- # self.payload["request_id"]).to_dict()
- # except exceptions.ObjectUnknown:
- # ctx = {
- # "subject_name": self.payload["subject_name"],
- # "object_name": self.payload["object_name"],
- # "action_name": self.payload["action_name"],
- # }
- # call("moon_manager", method="update_from_master", ctx=ctx, args={})
- # self.payload["authz_context"] = Context(self.keystone_project_id,
- # self.payload["subject_name"],
- # self.payload["object_name"],
- # self.payload["action_name"],
- # self.payload["request_id"]).to_dict()
- # except exceptions.ActionUnknown:
- # ctx = {
- # "subject_name": self.payload["subject_name"],
- # "object_name": self.payload["object_name"],
- # "action_name": self.payload["action_name"],
- # }
- # call("moon_manager", method="update_from_master", ctx=ctx, args={})
- # self.payload["authz_context"] = Context(self.keystone_project_id,
- # self.payload["subject_name"],
- # self.payload["object_name"],
- # self.payload["action_name"],
- # self.payload["request_id"]).to_dict()
- # self.__update_container_chaining()
- # else:
- # self.payload["authz_context"]["index"] += 1
- # self.__update_current_request()
- result, message = self.__check_rules()
- current_header_id = self.payload["authz_context"]['headers'][
- self.payload["authz_context"]['index']]
- if result:
- self.__exec_instructions(result)
- else:
- self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "deny"
- self.__exec_next_state(result)
- return {"authz": result,
- "error": message,
- "pdp_id": self.pdp_id,
- "args": self.payload}
- except Exception as e:
- try:
- LOGGER.error(self.payload["authz_context"])
- except KeyError:
- LOGGER.error("Cannot find \"authz_context\" in context")
- LOGGER.error(e, exc_info=True)
- return {"authz": False,
- "error": str(e),
- "pdp_id": self.pdp_id,
- "args": self.payload}
-
- def head(self, uuid=None, subject_name=None, object_name=None, action_name=None):
- LOGGER.info("HEAD request")
- return "", 200
diff --git a/moon_authz/moon_authz/api/update.py b/moon_authz/moon_authz/api/update.py
deleted file mode 100644
index 68b7f0ce..00000000
--- a/moon_authz/moon_authz/api/update.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-"""
-Authz is the endpoint to get authorization response
-"""
-
-from flask import request
-from flask_restful import Resource
-import logging
-
-__version__ = "4.4.0"
-
-LOGGER = logging.getLogger("moon.authz.api." + __name__)
-
-
-class Update(Resource):
- """
- Endpoint for update requests
- """
-
- __urls__ = (
- "/update",
- )
-
- def __init__(self, **kwargs):
- self.CACHE = kwargs.get("cache")
- self.INTERFACE_NAME = kwargs.get("interface_name", "interface")
- self.MANAGER_URL = kwargs.get("manager_url", "http://manager:8080")
- self.TIMEOUT = 5
-
- def put(self):
- try:
- self.CACHE.update_assignments(
- request.form.get("policy_id", None),
- request.form.get("perimeter_id", None),
- )
- except Exception as e:
- LOGGER.exception(e)
- return {"result": False, "reason": str(e)}
- return {"result": True}
diff --git a/moon_authz/moon_authz/http_server.py b/moon_authz/moon_authz/http_server.py
deleted file mode 100644
index 86d8a914..00000000
--- a/moon_authz/moon_authz/http_server.py
+++ /dev/null
@@ -1,142 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import logging
-from flask import Flask
-from flask_restful import Resource, Api
-from moon_authz import __version__
-from moon_authz.api.authorization import Authz
-from moon_authz.api.update import Update
-from python_moonutilities.cache import Cache
-from python_moonutilities import exceptions
-
-LOGGER = logging.getLogger("moon.authz.http_server")
-
-CACHE = Cache()
-CACHE.update()
-
-
-class Server:
- """Base class for HTTP server"""
-
- def __init__(self, host="localhost", port=80, api=None, **kwargs):
- """Run a server
-
- :param host: hostname of the server
- :param port: port for the running server
- :param kwargs: optional parameters
- :return: a running server
- """
- self._host = host
- self._port = port
- self._api = api
- self._extra = kwargs
-
- @property
- def host(self):
- return self._host
-
- @host.setter
- def host(self, name):
- self._host = name
-
- @host.deleter
- def host(self):
- self._host = ""
-
- @property
- def port(self):
- return self._port
-
- @port.setter
- def port(self, number):
- self._port = number
-
- @port.deleter
- def port(self):
- self._port = 80
-
- def run(self):
- raise NotImplementedError()
-
-
-__API__ = (
- Authz, Update
-)
-
-
-class Root(Resource):
- """
- The root of the web service
- """
- __urls__ = ("/",)
- __methods = ("get", "post", "put", "delete", "options")
-
- def get(self):
- tree = {"/": {"methods": ("get",),
- "description": "List all methods for that service."}}
- for item in __API__:
- tree[item.__name__] = {"urls": item.__urls__}
- _methods = []
- for _method in self.__methods:
- if _method in dir(item):
- _methods.append(_method)
- tree[item.__name__]["methods"] = _methods
- tree[item.__name__]["description"] = item.__doc__.strip()
- return {
- "version": __version__,
- "tree": tree
- }
-
- def head(self):
- return "", 201
-
-
-class HTTPServer(Server):
- def __init__(self, host="localhost", port=38001, **kwargs):
- super(HTTPServer, self).__init__(host=host, port=port, **kwargs)
- self.component_data = kwargs.get("component_data", {})
- LOGGER.info("HTTPServer port={} {}".format(port, kwargs))
- self.app = Flask(__name__)
- self._port = port
- self._host = host
- self.component_id = kwargs.get("component_id")
- self.keystone_project_id = kwargs.get("keystone_project_id")
- self.container_chaining = kwargs.get("container_chaining")
- self.api = Api(self.app)
- self.__set_route()
-
- # self.__hook_errors()
-
- @self.app.errorhandler(exceptions.AuthException)
- def _auth_exception(error):
- return {"error": "Unauthorized"}, 401
-
- def __hook_errors(self):
- # FIXME (dthom): it doesn't work
- def get_404_json(e):
- return {"error": "Error", "code": 404, "description": e}
-
- self.app.register_error_handler(404, get_404_json)
-
- def get_400_json(e):
- return {"error": "Error", "code": 400, "description": e}
-
- self.app.register_error_handler(400, lambda e: get_400_json)
- self.app.register_error_handler(403, exceptions.AuthException)
-
- def __set_route(self):
- self.api.add_resource(Root, '/')
-
- for api in __API__:
- self.api.add_resource(api, *api.__urls__,
- resource_class_kwargs={
- "component_data": self.component_data,
- "cache": CACHE
- }
- )
-
- def run(self):
- self.app.run(host=self._host, port=self._port, threaded=True) # nosec
diff --git a/moon_authz/moon_authz/server.py b/moon_authz/moon_authz/server.py
deleted file mode 100644
index d1b5a59b..00000000
--- a/moon_authz/moon_authz/server.py
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import os
-import logging
-from moon_authz.http_server import HTTPServer as Server
-from python_moonutilities import configuration, exceptions
-
-LOGGER = logging.getLogger("moon.authz.server")
-
-
-def create_server():
- configuration.init_logging()
-
- component_id = os.getenv("UUID")
- component_type = os.getenv("TYPE")
- tcp_port = os.getenv("PORT")
- pdp_id = os.getenv("PDP_ID")
- meta_rule_id = os.getenv("META_RULE_ID")
- keystone_project_id = os.getenv("KEYSTONE_PROJECT_ID")
- LOGGER.info("component_type={}".format(component_type))
- conf = configuration.get_plugins()
- # conf = configuration.get_configuration("plugins/{}".format(component_type))
- # conf["plugins/{}".format(component_type)]['id'] = component_id
- if component_type not in conf:
- raise exceptions.ConsulComponentNotFound("{} not found".format(
- component_type))
- hostname = conf[component_type].get('hostname', component_id)
- port = conf[component_type].get('port', tcp_port)
- bind = conf[component_type].get('bind', "0.0.0.0")
-
- LOGGER.info("Starting server with IP {} on port {} bind to {}".format(
- hostname, port, bind))
- server = Server(
- host=bind,
- port=int(port),
- component_data={
- 'component_id': component_id,
- 'component_type': component_type,
- 'pdp_id': pdp_id,
- 'meta_rule_id': meta_rule_id,
- 'keystone_project_id': keystone_project_id,
- }
- )
- return server
-
-
-def run():
- server = create_server()
- server.run()
-
-
-if __name__ == '__main__':
- run()