diff options
Diffstat (limited to 'moon_authz')
-rw-r--r-- | moon_authz/Changelog | 39 | ||||
-rw-r--r-- | moon_authz/Dockerfile | 15 | ||||
-rw-r--r-- | moon_authz/LICENSE | 202 | ||||
-rw-r--r-- | moon_authz/MANIFEST.in | 9 | ||||
-rw-r--r-- | moon_authz/README.md | 8 | ||||
-rw-r--r-- | moon_authz/moon_authz/__init__.py | 6 | ||||
-rw-r--r-- | moon_authz/moon_authz/__main__.py | 4 | ||||
-rw-r--r-- | moon_authz/moon_authz/api/__init__.py | 0 | ||||
-rw-r--r-- | moon_authz/moon_authz/api/authorization.py | 397 | ||||
-rw-r--r-- | moon_authz/moon_authz/api/update.py | 42 | ||||
-rw-r--r-- | moon_authz/moon_authz/http_server.py | 142 | ||||
-rw-r--r-- | moon_authz/moon_authz/server.py | 56 | ||||
-rw-r--r-- | moon_authz/requirements.txt | 5 | ||||
-rw-r--r-- | moon_authz/setup.py | 47 | ||||
-rw-r--r-- | moon_authz/tests/unit_python/conftest.py | 29 | ||||
-rw-r--r-- | moon_authz/tests/unit_python/mock_pods.py | 545 | ||||
-rw-r--r-- | moon_authz/tests/unit_python/requirements.txt | 5 | ||||
-rw-r--r-- | moon_authz/tests/unit_python/test_authz.py | 116 | ||||
-rw-r--r-- | moon_authz/tests/unit_python/utilities.py | 182 |
19 files changed, 0 insertions, 1849 deletions
diff --git a/moon_authz/Changelog b/moon_authz/Changelog deleted file mode 100644 index ae1ec4d1..00000000 --- a/moon_authz/Changelog +++ /dev/null @@ -1,39 +0,0 @@ -# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - - -CHANGES -======= - -1.0.0 ------ -- First version of the manager - -2.0.0 ------ -- Version built inside the Keystone component - -3.0.0 ------ -- Version built outside the Keystone component - -4.0.0 ------ -- First micro-architecture version - -4.3.3 ------ -- use the threading capability of Flask app -- set the number of manager to 1 -- update to the latest version of the python-moondb library - -4.3.4 ------ -- apply PyLint rules -- fix a bug in instructions management - -4.4.0 ------ -- add the update API diff --git a/moon_authz/Dockerfile b/moon_authz/Dockerfile deleted file mode 100644 index 7081e31c..00000000 --- a/moon_authz/Dockerfile +++ /dev/null @@ -1,15 +0,0 @@ -FROM python:3 - -LABEL Name=Authz_plugin -LABEL Description="Authz plugin for the Moon platform" -LABEL Maintainer="Thomas Duval" -LABEL Url="https://wiki.opnfv.org/display/moon/Moon+Project+Proposal" - -USER root - -ADD . /root -WORKDIR /root/ -RUN pip3 install --no-cache-dir -r requirements.txt -RUN pip3 install --no-cache-dir . - -CMD ["python3", "-m", "moon_authz"]
\ No newline at end of file diff --git a/moon_authz/LICENSE b/moon_authz/LICENSE deleted file mode 100644 index d6456956..00000000 --- a/moon_authz/LICENSE +++ /dev/null @@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/moon_authz/MANIFEST.in b/moon_authz/MANIFEST.in deleted file mode 100644 index 1f674d50..00000000 --- a/moon_authz/MANIFEST.in +++ /dev/null @@ -1,9 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -include README.rst -include LICENSE -include setup.py -include requirements.txt diff --git a/moon_authz/README.md b/moon_authz/README.md deleted file mode 100644 index 696c29a1..00000000 --- a/moon_authz/README.md +++ /dev/null @@ -1,8 +0,0 @@ -# moon_authz - -This package contains the core module for the Moon project -It is designed to provide authorization features to all OpenStack components. - -For any other information, refer to the parent project: - - https://git.opnfv.org/moon diff --git a/moon_authz/moon_authz/__init__.py b/moon_authz/moon_authz/__init__.py deleted file mode 100644 index 85c245e0..00000000 --- a/moon_authz/moon_authz/__init__.py +++ /dev/null @@ -1,6 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -__version__ = "4.4.0" diff --git a/moon_authz/moon_authz/__main__.py b/moon_authz/moon_authz/__main__.py deleted file mode 100644 index 6f1f9807..00000000 --- a/moon_authz/moon_authz/__main__.py +++ /dev/null @@ -1,4 +0,0 @@ -from moon_authz.server import create_server - -SERVER = create_server() -SERVER.run() diff --git a/moon_authz/moon_authz/api/__init__.py b/moon_authz/moon_authz/api/__init__.py deleted file mode 100644 index e69de29b..00000000 --- a/moon_authz/moon_authz/api/__init__.py +++ /dev/null diff --git a/moon_authz/moon_authz/api/authorization.py b/moon_authz/moon_authz/api/authorization.py deleted file mode 100644 index 59af295d..00000000 --- a/moon_authz/moon_authz/api/authorization.py +++ /dev/null @@ -1,397 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import itertools -import pickle -import logging -import flask -from flask import request -from flask_restful import Resource -from python_moonutilities import exceptions - -LOGGER = logging.getLogger("moon.authz.api." + __name__) - - -class Authz(Resource): - """ - Endpoint for authz requests - """ - __version__ = "4.3.1" - - __urls__ = ( - "/authz", - "/authz/", - ) - - pdp_id = None - meta_rule_id = None - keystone_project_id = None - payload = None - - def __init__(self, **kwargs): - component_data = kwargs.get("component_data", {}) - self.component_id = component_data['component_id'] - self.pdp_id = component_data['pdp_id'] - self.meta_rule_id = component_data['meta_rule_id'] - self.keystone_project_id = component_data['keystone_project_id'] - self.cache = kwargs.get("cache") - self.context = None - - def post(self): - """Get a response on an authorization request - - :request: - - :return: { - "args": {}, - "ctx": { - "action_name": "4567", - "id": "123456", - "method": "authz", - "object_name": "234567", - "subject_name": "123456", - "user_id": "admin" - }, - "error": { - "code": 500, - "description": "", - "title": "Moon Error" - }, - "intra_extension_id": "123456", - "result": false - } - :internal_api: authz - """ - self.context = pickle.loads(request.data) - self.context.set_cache(self.cache) - self.context.increment_index() - self.context.update_target() - # FIXME (asteroide): force the update but we should not do that - # a better way is to build the bilateral link between Master and Slaves - self.cache.update() - if not self.run(): - raise exceptions.MoonError("Error in the request status={}".format( - self.context.current_state)) - self.context.delete_cache() - response = flask.make_response(pickle.dumps(self.context)) - response.headers['content-type'] = 'application/octet-stream' - return response - - def run(self): - result, message = self.__check_rules() - if result: - return self.__exec_instructions(result) - self.context.current_state = "deny" - # self.__exec_next_state(result) - return - - def __check_rules(self): - scopes_list = list() - current_header_id = self.context.headers[self.context.index] - # Context.update_target(context) - if not self.context.pdp_set: - raise exceptions.PdpUnknown - if current_header_id not in self.context.pdp_set: - raise Exception('Invalid index') - current_pdp = self.context.pdp_set[current_header_id] - category_list = list() - if 'meta_rules' not in current_pdp: - raise exceptions.PdpContentError - try: - category_list.extend(current_pdp["meta_rules"]["subject_categories"]) - category_list.extend(current_pdp["meta_rules"]["object_categories"]) - category_list.extend(current_pdp["meta_rules"]["action_categories"]) - except Exception: - raise exceptions.MetaRuleContentError - if 'target' not in current_pdp: - raise exceptions.PdpContentError - for category in category_list: - scope = list(current_pdp['target'][category]) - if not scope: - LOGGER.warning("Scope in category {} is empty".format(category)) - raise exceptions.AuthzException - scopes_list.append(scope) - # policy_id = self.cache.get_policy_from_meta_rules("admin", current_header_id) - if self.context.current_policy_id not in self.cache.rules: - raise exceptions.PolicyUnknown - if 'rules' not in self.cache.rules[self.context.current_policy_id]: - raise exceptions.RuleUnknown - for item in itertools.product(*scopes_list): - req = list(item) - for rule in self.cache.rules[self.context.current_policy_id]["rules"]: - if req == rule['rule']: - return rule['instructions'], "" - LOGGER.warning("No rule match the request...") - return False, "No rule match the request..." - - def __update_subject_category_in_policy(self, operation, target): - result = False - # try: - # policy_name, category_name, data_name = target.split(":") - # except ValueError: - # LOGGER.error("Cannot understand value in instruction ({})".format(target)) - # return False - # # pdp_set = self.payload["authz_context"]['pdp_set'] - # for meta_rule_id in self.context.pdp_set: - # if meta_rule_id == "effect": - # continue - # if self.context.pdp_set[meta_rule_id]["meta_rules"]["name"] == policy_name: - # for category_id, category_value in self.cache.subject_categories.items(): - # if category_value["name"] == "role": - # subject_category_id = category_id - # break - # else: - # LOGGER.error("Cannot understand category in instruction ({})".format(target)) - # return False - # subject_data_id = None - # for data in PolicyManager.get_subject_data("admin", policy_id, - # category_id=subject_category_id): - # for data_id, data_value in data['data'].items(): - # if data_value["name"] == data_name: - # subject_data_id = data_id - # break - # if subject_data_id: - # break - # else: - # LOGGER.error("Cannot understand data in instruction ({})".format(target)) - # return False - # if operation == "add": - # self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][ - # subject_category_id].append(subject_data_id) - # elif operation == "delete": - # try: - # self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][ - # subject_category_id].remove(subject_data_id) - # except ValueError: - # LOGGER.warning("Cannot remove role {} from target".format(data_name)) - # result = True - # break - return result - - def __update_container_chaining(self): - for index in range(len(self.payload["authz_context"]['headers'])): - self.payload["container_chaining"][index]["meta_rule_id"] = \ - self.payload["authz_context"]['headers'][index] - - def __get_container_from_meta_rule(self, meta_rule_id): - for index in range(len(self.payload["authz_context"]['headers'])): - if self.payload["container_chaining"][index]["meta_rule_id"] == meta_rule_id: - return self.payload["container_chaining"][index] - - def __update_headers(self, name): - # context = self.payload["authz_context"] - for meta_rule_id, meta_rule_value in self.context.pdp_set.items(): - if meta_rule_id == "effect": - continue - if meta_rule_value["meta_rules"]["name"] == name: - self.context.headers.append(meta_rule_id) - return True - return False - - # def __exec_next_state(self, rule_found): - # index = self.context.index - # current_meta_rule = self.context.headers[index] - # current_container = self.__get_container_from_meta_rule(current_meta_rule) - # current_container_genre = current_container["genre"] - # try: - # next_meta_rule = self.context.headers[index + 1] - # except IndexError: - # next_meta_rule = None - # if current_container_genre == "authz": - # if rule_found: - # return True - # pass - # if next_meta_rule: - # # next will be session if current is deny and session is unset - # if self.payload["authz_context"]['pdp_set'][next_meta_rule]['effect'] == "unset": - # return notify( - # request_id=self.payload["authz_context"]["request_id"], - # container_id=self.__get_container_from_meta_rule(next_meta_rule)[ - # 'container_id'],payload=self.payload) - # # next will be delegation if current is deny and session is passed or deny and - # delegation is unset - # else: - # LOG.error("Delegation is not developed!") - # - # else: - # # else next will be None and the request is sent to router - # return self.__return_to_router() - # elif current_container_genre == "session": - # pass - # # next will be next container in headers if current is passed - # if self.payload["authz_context"]['pdp_set'][current_meta_rule]['effect'] == "passed": - # return notify( - # request_id=self.payload["authz_context"]["request_id"], - # container_id=self.__get_container_from_meta_rule(next_meta_rule)[ - # 'container_id'],payload=self.payload) - # # next will be None if current is grant and the request is sent to router - # else: - # return self.__return_to_router() - # elif current_container_genre == "delegation": - # LOG.error("Delegation is not developed!") - # # next will be authz if current is deny - # # next will be None if current is grant and the request is sent to router - - # def __return_to_router(self): - # call(endpoint="security_router", - # ctx={"id": self.component_id, - # "call_master": False, - # "method": "return_authz", - # "request_id": self.payload["authz_context"]["request_id"]}, - # method="route", - # args=self.payload["authz_context"]) - - def __exec_instructions(self, instructions): - if type(instructions) is dict: - instructions = [instructions, ] - if type(instructions) not in (list, tuple): - raise exceptions.RuleContentError("Bad instructions format") - for instruction in instructions: - for key in instruction: - if key == "decision": - if instruction["decision"] == "grant": - self.context.current_state = "grant" - LOGGER.info("__exec_instructions True %s" % self.context.current_state) - return True - - self.context.current_state = instruction["decision"].lower() - elif key == "chain": - result = self.__update_headers(**instruction["chain"]) - if not result: - self.context.current_state = "deny" - else: - self.context.current_state = "passed" - elif key == "update": - result = self.__update_subject_category_in_policy(**instruction["update"]) - if not result: - self.context.current_state = "deny" - else: - self.context.current_state = "passed" - LOGGER.info("__exec_instructions False %s" % self.context.current_state) - - # def __update_current_request(self): - # index = self.payload["authz_context"]["index"] - # current_header_id = self.payload["authz_context"]['headers'][index] - # previous_header_id = self.payload["authz_context"]['headers'][index - 1] - # current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id) - # previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id) - # # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy - # if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules'][ - # 'name'] == "session": - # subject = self.payload["authz_context"]['current_request'].get("subject") - # subject_category_id = None - # role_names = [] - # for category_id, category_value in ModelManager.get_subject_categories("admin").items(): - # if category_value["name"] == "role": - # subject_category_id = category_id - # break - # for assignment_id, assignment_value in PolicyManager.get_subject_assignments( - # "admin", previous_policy_id, subject, subject_category_id).items(): - # for data_id in assignment_value["assignments"]: - # data = PolicyManager.get_subject_data( - # "admin", previous_policy_id, data_id, subject_category_id) - # for _data in data: - # for key, value in _data["data"].items(): - # role_names.append(value["name"]) - # new_role_ids = [] - # for perimeter_id, perimeter_value in PolicyManager.get_objects( - # "admin", current_policy_id).items(): - # if perimeter_value["name"] in role_names: - # new_role_ids.append(perimeter_id) - # break - # perimeter_id = None - # for perimeter_id, perimeter_value in PolicyManager.get_actions( - # "admin", current_policy_id).items(): - # if perimeter_value["name"] == "*": - # break - # - # self.payload["authz_context"]['current_request']['object'] = new_role_ids[0] - # self.payload["authz_context"]['current_request']['action'] = perimeter_id - # elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac": - # self.payload["authz_context"]['current_request']['subject'] = \ - # self.payload["authz_context"]['initial_request']['subject'] - # self.payload["authz_context"]['current_request']['object'] = \ - # self.payload["authz_context"]['initial_request']['object'] - # self.payload["authz_context"]['current_request']['action'] = \ - # self.payload["authz_context"]['initial_request']['action'] - - def get_authz(self): - # self.keystone_project_id = payload["id"] - # LOG.info("get_authz {}".format(payload)) - # self.payload = payload - try: - # if "authz_context" not in payload: - # try: - # self.payload["authz_context"] = Context(self.keystone_project_id, - # self.payload["subject_name"], - # self.payload["object_name"], - # self.payload["action_name"], - # self.payload["request_id"]).to_dict() - # except exceptions.SubjectUnknown: - # ctx = { - # "subject_name": self.payload["subject_name"], - # "object_name": self.payload["object_name"], - # "action_name": self.payload["action_name"], - # } - # call("moon_manager", method="update_from_master", ctx=ctx, args={}) - # self.payload["authz_context"] = Context(self.keystone_project_id, - # self.payload["subject_name"], - # self.payload["object_name"], - # self.payload["action_name"], - # self.payload["request_id"]).to_dict() - # except exceptions.ObjectUnknown: - # ctx = { - # "subject_name": self.payload["subject_name"], - # "object_name": self.payload["object_name"], - # "action_name": self.payload["action_name"], - # } - # call("moon_manager", method="update_from_master", ctx=ctx, args={}) - # self.payload["authz_context"] = Context(self.keystone_project_id, - # self.payload["subject_name"], - # self.payload["object_name"], - # self.payload["action_name"], - # self.payload["request_id"]).to_dict() - # except exceptions.ActionUnknown: - # ctx = { - # "subject_name": self.payload["subject_name"], - # "object_name": self.payload["object_name"], - # "action_name": self.payload["action_name"], - # } - # call("moon_manager", method="update_from_master", ctx=ctx, args={}) - # self.payload["authz_context"] = Context(self.keystone_project_id, - # self.payload["subject_name"], - # self.payload["object_name"], - # self.payload["action_name"], - # self.payload["request_id"]).to_dict() - # self.__update_container_chaining() - # else: - # self.payload["authz_context"]["index"] += 1 - # self.__update_current_request() - result, message = self.__check_rules() - current_header_id = self.payload["authz_context"]['headers'][ - self.payload["authz_context"]['index']] - if result: - self.__exec_instructions(result) - else: - self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "deny" - self.__exec_next_state(result) - return {"authz": result, - "error": message, - "pdp_id": self.pdp_id, - "args": self.payload} - except Exception as e: - try: - LOGGER.error(self.payload["authz_context"]) - except KeyError: - LOGGER.error("Cannot find \"authz_context\" in context") - LOGGER.error(e, exc_info=True) - return {"authz": False, - "error": str(e), - "pdp_id": self.pdp_id, - "args": self.payload} - - def head(self, uuid=None, subject_name=None, object_name=None, action_name=None): - LOGGER.info("HEAD request") - return "", 200 diff --git a/moon_authz/moon_authz/api/update.py b/moon_authz/moon_authz/api/update.py deleted file mode 100644 index 68b7f0ce..00000000 --- a/moon_authz/moon_authz/api/update.py +++ /dev/null @@ -1,42 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -Authz is the endpoint to get authorization response -""" - -from flask import request -from flask_restful import Resource -import logging - -__version__ = "4.4.0" - -LOGGER = logging.getLogger("moon.authz.api." + __name__) - - -class Update(Resource): - """ - Endpoint for update requests - """ - - __urls__ = ( - "/update", - ) - - def __init__(self, **kwargs): - self.CACHE = kwargs.get("cache") - self.INTERFACE_NAME = kwargs.get("interface_name", "interface") - self.MANAGER_URL = kwargs.get("manager_url", "http://manager:8080") - self.TIMEOUT = 5 - - def put(self): - try: - self.CACHE.update_assignments( - request.form.get("policy_id", None), - request.form.get("perimeter_id", None), - ) - except Exception as e: - LOGGER.exception(e) - return {"result": False, "reason": str(e)} - return {"result": True} diff --git a/moon_authz/moon_authz/http_server.py b/moon_authz/moon_authz/http_server.py deleted file mode 100644 index 86d8a914..00000000 --- a/moon_authz/moon_authz/http_server.py +++ /dev/null @@ -1,142 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import logging -from flask import Flask -from flask_restful import Resource, Api -from moon_authz import __version__ -from moon_authz.api.authorization import Authz -from moon_authz.api.update import Update -from python_moonutilities.cache import Cache -from python_moonutilities import exceptions - -LOGGER = logging.getLogger("moon.authz.http_server") - -CACHE = Cache() -CACHE.update() - - -class Server: - """Base class for HTTP server""" - - def __init__(self, host="localhost", port=80, api=None, **kwargs): - """Run a server - - :param host: hostname of the server - :param port: port for the running server - :param kwargs: optional parameters - :return: a running server - """ - self._host = host - self._port = port - self._api = api - self._extra = kwargs - - @property - def host(self): - return self._host - - @host.setter - def host(self, name): - self._host = name - - @host.deleter - def host(self): - self._host = "" - - @property - def port(self): - return self._port - - @port.setter - def port(self, number): - self._port = number - - @port.deleter - def port(self): - self._port = 80 - - def run(self): - raise NotImplementedError() - - -__API__ = ( - Authz, Update -) - - -class Root(Resource): - """ - The root of the web service - """ - __urls__ = ("/",) - __methods = ("get", "post", "put", "delete", "options") - - def get(self): - tree = {"/": {"methods": ("get",), - "description": "List all methods for that service."}} - for item in __API__: - tree[item.__name__] = {"urls": item.__urls__} - _methods = [] - for _method in self.__methods: - if _method in dir(item): - _methods.append(_method) - tree[item.__name__]["methods"] = _methods - tree[item.__name__]["description"] = item.__doc__.strip() - return { - "version": __version__, - "tree": tree - } - - def head(self): - return "", 201 - - -class HTTPServer(Server): - def __init__(self, host="localhost", port=38001, **kwargs): - super(HTTPServer, self).__init__(host=host, port=port, **kwargs) - self.component_data = kwargs.get("component_data", {}) - LOGGER.info("HTTPServer port={} {}".format(port, kwargs)) - self.app = Flask(__name__) - self._port = port - self._host = host - self.component_id = kwargs.get("component_id") - self.keystone_project_id = kwargs.get("keystone_project_id") - self.container_chaining = kwargs.get("container_chaining") - self.api = Api(self.app) - self.__set_route() - - # self.__hook_errors() - - @self.app.errorhandler(exceptions.AuthException) - def _auth_exception(error): - return {"error": "Unauthorized"}, 401 - - def __hook_errors(self): - # FIXME (dthom): it doesn't work - def get_404_json(e): - return {"error": "Error", "code": 404, "description": e} - - self.app.register_error_handler(404, get_404_json) - - def get_400_json(e): - return {"error": "Error", "code": 400, "description": e} - - self.app.register_error_handler(400, lambda e: get_400_json) - self.app.register_error_handler(403, exceptions.AuthException) - - def __set_route(self): - self.api.add_resource(Root, '/') - - for api in __API__: - self.api.add_resource(api, *api.__urls__, - resource_class_kwargs={ - "component_data": self.component_data, - "cache": CACHE - } - ) - - def run(self): - self.app.run(host=self._host, port=self._port, threaded=True) # nosec diff --git a/moon_authz/moon_authz/server.py b/moon_authz/moon_authz/server.py deleted file mode 100644 index d1b5a59b..00000000 --- a/moon_authz/moon_authz/server.py +++ /dev/null @@ -1,56 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import os -import logging -from moon_authz.http_server import HTTPServer as Server -from python_moonutilities import configuration, exceptions - -LOGGER = logging.getLogger("moon.authz.server") - - -def create_server(): - configuration.init_logging() - - component_id = os.getenv("UUID") - component_type = os.getenv("TYPE") - tcp_port = os.getenv("PORT") - pdp_id = os.getenv("PDP_ID") - meta_rule_id = os.getenv("META_RULE_ID") - keystone_project_id = os.getenv("KEYSTONE_PROJECT_ID") - LOGGER.info("component_type={}".format(component_type)) - conf = configuration.get_plugins() - # conf = configuration.get_configuration("plugins/{}".format(component_type)) - # conf["plugins/{}".format(component_type)]['id'] = component_id - if component_type not in conf: - raise exceptions.ConsulComponentNotFound("{} not found".format( - component_type)) - hostname = conf[component_type].get('hostname', component_id) - port = conf[component_type].get('port', tcp_port) - bind = conf[component_type].get('bind', "0.0.0.0") - - LOGGER.info("Starting server with IP {} on port {} bind to {}".format( - hostname, port, bind)) - server = Server( - host=bind, - port=int(port), - component_data={ - 'component_id': component_id, - 'component_type': component_type, - 'pdp_id': pdp_id, - 'meta_rule_id': meta_rule_id, - 'keystone_project_id': keystone_project_id, - } - ) - return server - - -def run(): - server = create_server() - server.run() - - -if __name__ == '__main__': - run() diff --git a/moon_authz/requirements.txt b/moon_authz/requirements.txt deleted file mode 100644 index 8cad7a7a..00000000 --- a/moon_authz/requirements.txt +++ /dev/null @@ -1,5 +0,0 @@ -flask -flask_restful -flask_cors -python_moondb -python_moonutilities diff --git a/moon_authz/setup.py b/moon_authz/setup.py deleted file mode 100644 index ad99b9f8..00000000 --- a/moon_authz/setup.py +++ /dev/null @@ -1,47 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -from setuptools import setup, find_packages -import moon_authz - - -setup( - - name='moon_authz', - - version=moon_authz.__version__, - - packages=find_packages(), - - author="Thomas Duval", - - author_email="thomas.duval@orange.com", - - description="", - - long_description=open('README.md').read(), - - # install_requires= , - - include_package_data=True, - - url='https://git.opnfv.org/moon', - - classifiers=[ - "Programming Language :: Python", - "Development Status :: 1 - Planning", - "License :: OSI Approved", - "Natural Language :: French", - "Operating System :: OS Independent", - "Programming Language :: Python :: 3", - ], - - entry_points={ - 'console_scripts': [ - 'moon_authz = moon_authz.server:run', - ], - } - -) diff --git a/moon_authz/tests/unit_python/conftest.py b/moon_authz/tests/unit_python/conftest.py deleted file mode 100644 index a6e62078..00000000 --- a/moon_authz/tests/unit_python/conftest.py +++ /dev/null @@ -1,29 +0,0 @@ -import pytest -import requests_mock -import mock_pods -import os -from utilities import CONTEXT - - -@pytest.fixture -def context(): - return CONTEXT - - -def set_env_variables(): - os.environ['UUID'] = "1111111111" - os.environ['TYPE'] = "authz" - os.environ['PORT'] = "8081" - os.environ['PDP_ID'] = "b3d3e18abf3340e8b635fd49e6634ccd" - os.environ['META_RULE_ID'] = "f8f49a779ceb47b3ac810f01ef71b4e0" - os.environ['KEYSTONE_PROJECT_ID'] = CONTEXT['project_id'] - - -@pytest.fixture(autouse=True) -def no_requests(monkeypatch): - """ Modify the response from Requests module - """ - set_env_variables() - with requests_mock.Mocker(real_http=True) as m: - mock_pods.register_pods(m) - yield m diff --git a/moon_authz/tests/unit_python/mock_pods.py b/moon_authz/tests/unit_python/mock_pods.py deleted file mode 100644 index 39223a57..00000000 --- a/moon_authz/tests/unit_python/mock_pods.py +++ /dev/null @@ -1,545 +0,0 @@ -from utilities import CONF, get_b64_conf, COMPONENTS - -pdp_mock = { - "b3d3e18abf3340e8b635fd49e6634ccd": { - "description": "test", - "security_pipeline": [ - "f8f49a779ceb47b3ac810f01ef71b4e0" - ], - "name": "pdp_rbac", - "keystone_project_id": "a64beb1cc224474fb4badd43173e7101" - }, - "pdp_id1": { - "name": "pdp_id1", - "security_pipeline": ["policy_id_1", "policy_id_2"], - "keystone_project_id": "keystone_project_id1", - "description": "...", - }, - "pdp_id12": { - "name": "pdp_id2", - "security_pipeline": ["policy_id_1", "policy_id_2"], - "keystone_project_id": "keystone_project_id2", - "description": "...", - } -} - -meta_rules_mock = { - "f8f49a779ceb47b3ac810f01ef71b4e0": { - "subject_categories": [ - "14e6ae0ba34d458b876c791b73aa17bd" - ], - "action_categories": [ - "241a2a791554421a91c9f1bc564aa94d" - ], - "description": "", - "name": "rbac", - "object_categories": [ - "6d48500f639d4c2cab2b1f33ef93a1e8" - ] - }, - "meta_rule_id1": { - "name": "meta_rule1", - "algorithm": "name of the meta rule algorithm", - "subject_categories": ["subject_category_id1", - "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - }, - "meta_rule_id2": { - "name": "name of the meta rules2", - "algorithm": "name of the meta rule algorithm", - "subject_categories": ["subject_category_id1", - "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - } -} - -policies_mock = { - "f8f49a779ceb47b3ac810f01ef71b4e0": { - "name": "RBAC policy example", - "model_id": "cd923d8633ff4978ab0e99938f5153d6", - "description": "test", - "genre": "authz" - }, - "policy_id_1": { - "name": "test_policy1", - "model_id": "model_id_1", - "genre": "authz", - "description": "test", - }, - "policy_id_2": { - "name": "test_policy2", - "model_id": "model_id_2", - "genre": "authz", - "description": "test", - } -} - -subject_mock = { - "f8f49a779ceb47b3ac810f01ef71b4e0": { - "89ba91c18dd54abfbfde7a66936c51a6": { - "description": "test", - "policy_list": [ - "f8f49a779ceb47b3ac810f01ef71b4e0", - "636cd473324f4c0bbd9102cb5b62a16d" - ], - "name": "testuser", - "email": "mail", - "id": "89ba91c18dd54abfbfde7a66936c51a6", - "extra": {} - } - }, - "policy_id_1": { - "subject_id": { - "name": "subject_name", - "keystone_id": "keystone_project_id1", - "description": "a description" - } - }, - "policy_id_2": { - "subject_id": { - "name": "subject_name", - "keystone_id": "keystone_project_id2", - "description": "a description" - } - } -} - -subject_assignment_mock = { - "826c1156d0284fc9b4b2ddb279f63c52": { - "category_id": "14e6ae0ba34d458b876c791b73aa17bd", - "assignments": [ - "24ea95256c5f4c888c1bb30a187788df", - "6b227b77184c48b6a5e2f3ed1de0c02a", - "31928b17ec90438ba5a2e50ae7650e63", - "4e60f554dd3147af87595fb6b37dcb13", - "7a5541b63a024fa88170a6b59f99ccd7", - "dd2af27812f742029d289df9687d6126" - ], - "id": "826c1156d0284fc9b4b2ddb279f63c52", - "subject_id": "89ba91c18dd54abfbfde7a66936c51a6", - "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0" - }, - "7407ffc1232944279b0cbcb0847c86f7": { - "category_id": "315072d40d774c43a89ff33937ed24eb", - "assignments": [ - "6b227b77184c48b6a5e2f3ed1de0c02a", - "31928b17ec90438ba5a2e50ae7650e63", - "7a5541b63a024fa88170a6b59f99ccd7", - "dd2af27812f742029d289df9687d6126" - ], - "id": "7407ffc1232944279b0cbcb0847c86f7", - "subject_id": "89ba91c18dd54abfbfde7a66936c51a6", - "policy_id": "3e65256389b448cb9897917ea235f0bb" - } -} - -object_mock = { - "f8f49a779ceb47b3ac810f01ef71b4e0": { - "9089b3d2ce5b4e929ffc7e35b55eba1a": { - "name": "vm1", - "description": "test", - "id": "9089b3d2ce5b4e929ffc7e35b55eba1a", - "extra": {}, - "policy_list": [ - "f8f49a779ceb47b3ac810f01ef71b4e0", - "636cd473324f4c0bbd9102cb5b62a16d" - ] - }, - }, - "policy_id_1": { - "object_id": { - "name": "object_name", - "description": "a description" - } - }, - "policy_id_2": { - "object_id": { - "name": "object_name", - "description": "a description" - } - } -} - -object_assignment_mock = { - "201ad05fd3f940948b769ab9214fe295": { - "object_id": "9089b3d2ce5b4e929ffc7e35b55eba1a", - "assignments": [ - "030fbb34002e4236a7b74eeb5fd71e35", - "06bcb8655b9d46a9b90e67ef7c825b50", - "34eb45d7f46d4fb6bc4965349b8e4b83", - "4b7793dbae434c31a77da9d92de9fa8c" - ], - "id": "201ad05fd3f940948b769ab9214fe295", - "category_id": "6d48500f639d4c2cab2b1f33ef93a1e8", - "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0" - }, - "90c5e86f8be34c0298fbd1973e4fb043": { - "object_id": "67b8008a3f8d4f8e847eb628f0f7ca0e", - "assignments": [ - "a098918e915b4b12bccb89f9a3f3b4e4", - "06bcb8655b9d46a9b90e67ef7c825b50", - "7dc76c6142af47c88b60cc2b0df650ba", - "4b7793dbae434c31a77da9d92de9fa8c" - ], - "id": "90c5e86f8be34c0298fbd1973e4fb043", - "category_id": "33aece52d45b4474a20dc48a76800daf", - "policy_id": "3e65256389b448cb9897917ea235f0bb" - } -} - -action_mock = { - "f8f49a779ceb47b3ac810f01ef71b4e0": { - "cdb3df220dc05a6ea3334b994827b068": { - "name": "boot", - "description": "test", - "id": "cdb3df220dc04a6ea3334b994827b068", - "extra": {}, - "policy_list": [ - "f8f49a779ceb47b3ac810f01ef71b4e0", - "636cd473324f4c0bbd9102cb5b62a16d" - ] - }, - "cdb3df220dc04a6ea3334b994827b068": { - "name": "stop", - "description": "test", - "id": "cdb3df220dc04a6ea3334b994827b068", - "extra": {}, - "policy_list": [ - "f8f49a779ceb47b3ac810f01ef71b4e0", - "636cd473324f4c0bbd9102cb5b62a16d" - ] - }, - "9f5112afe9b34a6c894eb87246ccb7aa": { - "name": "start", - "description": "test", - "id": "9f5112afe9b34a6c894eb87246ccb7aa", - "extra": {}, - "policy_list": [ - "f8f49a779ceb47b3ac810f01ef71b4e0", - "636cd473324f4c0bbd9102cb5b62a16d" - ] - } - }, - "policy_id_1": { - "action_id": { - "name": "action_name", - "description": "a description" - } - }, - "policy_id_2": { - "action_id": { - "name": "action_name", - "description": "a description" - } - } -} - -action_assignment_mock = { - "2128e3ffbd1c4ef5be515d625745c2d4": { - "category_id": "241a2a791554421a91c9f1bc564aa94d", - "action_id": "cdb3df220dc05a6ea3334b994827b068", - "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0", - "id": "2128e3ffbd1c4ef5be515d625745c2d4", - "assignments": [ - "570c036781e540dc9395b83098c40ba7", - "7fe17d7a2e3542719f8349c3f2273182", - "015ca6f40338422ba3f692260377d638", - "23d44c17bf88480f83e8d57d2aa1ea79" - ] - }, - "cffb98852f3a4110af7a0ddfc4e19201": { - "category_id": "4a2c5abaeaf644fcaf3ca8df64000d53", - "action_id": "cdb3df220dc04a6ea3334b994827b068", - "policy_id": "3e65256389b448cb9897917ea235f0bb", - "id": "cffb98852f3a4110af7a0ddfc4e19201", - "assignments": [ - "570c036781e540dc9395b83098c40ba7", - "7fe17d7a2e3542719f8349c3f2273182", - "015ca6f40338422ba3f692260377d638", - "23d44c17bf88480f83e8d57d2aa1ea79" - ] - } -} - -models_mock = { - "cd923d8633ff4978ab0e99938f5153d6": { - "name": "RBAC", - "meta_rules": [ - "f8f49a779ceb47b3ac810f01ef71b4e0" - ], - "description": "test" - }, - "model_id_1": { - "name": "test_model", - "description": "test", - "meta_rules": ["meta_rule_id1"] - }, - "model_id_2": { - "name": "test_model", - "description": "test", - "meta_rules": ["meta_rule_id2"] - }, -} - -rules_mock = { - "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0", - "rules": [ - { - "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0", - "rule": [ - "24ea95256c5f4c888c1bb30a187788df", - "030fbb34002e4236a7b74eeb5fd71e35", - "570c036781e540dc9395b83098c40ba7" - ], - "enabled": True, - "id": "0201a2bcf56943c1904dbac016289b71", - "instructions": [ - { - "decision": "grant" - } - ], - "meta_rule_id": "f8f49a779ceb47b3ac810f01ef71b4e0" - }, - { - "policy_id": "ecc2451c494e47b5bca7250cd324a360", - "rule": [ - "54f574cd2043468da5d65e4f6ed6e3c9", - "6559686961a3490a978f246ac9f85fbf", - "ac0d1f600bf447e8bd2f37b7cc47f2dc" - ], - "enabled": True, - "id": "a83fed666af8436192dfd8b3c83a6fde", - "instructions": [ - { - "decision": "grant" - } - ], - "meta_rule_id": "f8f49a779ceb47b3ac810f01ef71b4e0" - } - ] -} - - -def register_pods(m): - """ Modify the response from Requests module - """ - register_consul(m) - register_pdp(m) - register_meta_rules(m) - register_policies(m) - register_models(m) - register_orchestrator(m) - register_policy_subject(m, "f8f49a779ceb47b3ac810f01ef71b4e0") - # register_policy_subject(m, "policy_id_2") - register_policy_object(m, "f8f49a779ceb47b3ac810f01ef71b4e0") - # register_policy_object(m, "policy_id_2") - register_policy_action(m, "f8f49a779ceb47b3ac810f01ef71b4e0") - # register_policy_action(m, "policy_id_2") - register_policy_subject_assignment(m, "f8f49a779ceb47b3ac810f01ef71b4e0", "89ba91c18dd54abfbfde7a66936c51a6") - register_policy_subject_assignment_list(m, "f8f49a779ceb47b3ac810f01ef71b4e0") - register_policy_subject_assignment(m, "policy_id_2", "subject_id") - # register_policy_subject_assignment_list(m1, "policy_id_2") - register_policy_object_assignment(m, "f8f49a779ceb47b3ac810f01ef71b4e0", "9089b3d2ce5b4e929ffc7e35b55eba1a") - register_policy_object_assignment_list(m, "f8f49a779ceb47b3ac810f01ef71b4e0") - register_policy_object_assignment(m, "policy_id_2", "object_id") - # register_policy_object_assignment_list(m1, "policy_id_2") - register_policy_action_assignment(m, "f8f49a779ceb47b3ac810f01ef71b4e0", "cdb3df220dc05a6ea3334b994827b068") - register_policy_action_assignment_list(m, "f8f49a779ceb47b3ac810f01ef71b4e0") - register_policy_action_assignment(m, "policy_id_2", "action_id") - # register_policy_action_assignment_list(m1, "policy_id_2") - register_rules(m, "f8f49a779ceb47b3ac810f01ef71b4e0") - register_rules(m, "policy_id_1") - register_rules(m, "policy_id_2") - - -def register_consul(m): - for component in COMPONENTS: - m.register_uri( - 'GET', 'http://consul:8500/v1/kv/{}'.format(component), - json=[{'Key': component, 'Value': get_b64_conf(component)}] - ) - m.register_uri( - 'GET', 'http://consul:8500/v1/kv/components_port_start', - json=[ - { - "LockIndex": 0, - "Key": "components_port_start", - "Flags": 0, - "Value": "MzEwMDE=", - "CreateIndex": 9, - "ModifyIndex": 9 - } - ], - ) - m.register_uri( - 'PUT', 'http://consul:8500/v1/kv/components_port_start', - json=[], - ) - m.register_uri( - 'GET', 'http://consul:8500/v1/kv/plugins?recurse=true', - json=[ - { - "LockIndex": 0, - "Key": "plugins/authz", - "Flags": 0, - "Value": "eyJjb250YWluZXIiOiAid3Vrb25nc3VuL21vb25fYXV0aHo6djQuMyIsICJwb3J0IjogODA4MX0=", - "CreateIndex": 14, - "ModifyIndex": 656 - } - ], - ) - m.register_uri( - 'GET', 'http://consul:8500/v1/kv/components?recurse=true', - json=[ - {"Key": key, "Value": get_b64_conf(key)} for key in COMPONENTS - ], - ) - m.register_uri( - 'GET', 'http://consul:8500/v1/kv/plugins/authz', - json=[ - { - "LockIndex": 0, - "Key": "plugins/authz", - "Flags": 0, - "Value": "eyJjb250YWluZXIiOiAid3Vrb25nc3VuL21vb25fYXV0aHo6djQuMyIsICJwb3J0IjogODA4MX0=", - "CreateIndex": 14, - "ModifyIndex": 656 - } - ], - ) - - -def register_orchestrator(m): - m.register_uri( - 'GET', 'http://orchestrator:8083/pods', - json={ - "pods": { - "1234567890": [ - {"name": "wrapper-quiet", "port": 8080, - "container": "wukongsun/moon_wrapper:v4.3.1", - "namespace": "moon"}]}} - ) - - -def register_pdp(m): - m.register_uri( - 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'pdp'), - json={'pdps': pdp_mock} - ) - - -def register_meta_rules(m): - m.register_uri( - 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'meta_rules'), - json={'meta_rules': meta_rules_mock} - ) - - -def register_policies(m): - m.register_uri( - 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies'), - json={'policies': policies_mock} - ) - - -def register_models(m): - m.register_uri( - 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'models'), - json={'models': models_mock} - ) - - -def register_policy_subject(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/subjects'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', policy_id), - json={'subjects': subject_mock[policy_id]} - ) - - -def register_policy_object(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/objects'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', policy_id), - json={'objects': object_mock[policy_id]} - ) - - -def register_policy_action(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/actions'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', policy_id), - json={'actions': action_mock[policy_id]} - ) - - -def register_policy_subject_assignment(m, policy_id, subj_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/subject_assignments/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id, - subj_id), - json={'subject_assignments': subject_assignment_mock} - ) - - -def register_policy_subject_assignment_list(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/subject_assignments'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id), - json={'subject_assignments': subject_assignment_mock} - ) - - -def register_policy_object_assignment(m, policy_id, obj_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/object_assignments/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id, - obj_id), - json={'object_assignments': object_assignment_mock} - ) - - -def register_policy_object_assignment_list(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/object_assignments'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id), - json={'object_assignments': object_assignment_mock} - ) - - -def register_policy_action_assignment(m, policy_id, action_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/action_assignments/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id, - action_id), - json={'action_assignments': action_assignment_mock} - ) - - -def register_policy_action_assignment_list(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/action_assignments'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id), - json={'action_assignments': action_assignment_mock} - ) - - -def register_rules(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id, 'rules'), - json={'rules': rules_mock} - )
\ No newline at end of file diff --git a/moon_authz/tests/unit_python/requirements.txt b/moon_authz/tests/unit_python/requirements.txt deleted file mode 100644 index 21975ce3..00000000 --- a/moon_authz/tests/unit_python/requirements.txt +++ /dev/null @@ -1,5 +0,0 @@ -flask -flask_cors -flask_restful -python_moondb -python_moonutilities
\ No newline at end of file diff --git a/moon_authz/tests/unit_python/test_authz.py b/moon_authz/tests/unit_python/test_authz.py deleted file mode 100644 index 2352fe06..00000000 --- a/moon_authz/tests/unit_python/test_authz.py +++ /dev/null @@ -1,116 +0,0 @@ -import json -import pickle -import pytest - - -def get_data(data): - return pickle.loads(data) - - -def get_json(data): - return json.loads(data.decode("utf-8")) - - -def run(component_data, cache, context): - from moon_authz.api.authorization import Authz - authz = Authz(component_data=component_data, cache=cache) - authz.context = context - authz.run() - - -def test_authz_true(context): - import moon_authz.server - from python_moonutilities.context import Context - from python_moonutilities.cache import Cache - server = moon_authz.server.create_server() - client = server.app.test_client() - CACHE = Cache() - CACHE.update() - print(CACHE.pdp) - _context = Context(context, CACHE) - req = client.post("/authz", data=pickle.dumps(_context)) - assert req.status_code == 200 - data = get_data(req.data) - assert data - assert isinstance(data, Context) - policy_id = data.headers[0] - assert policy_id - assert "effect" in data.pdp_set[policy_id] - assert data.pdp_set[policy_id]['effect'] == "grant" - - -def test_user_not_allowed(context): - import moon_authz.server - from python_moonutilities.context import Context - from python_moonutilities.cache import Cache - server = moon_authz.server.create_server() - client = server.app.test_client() - CACHE = Cache() - CACHE.update() - context['subject_name'] = "user_not_allowed" - _context = Context(context, CACHE) - req = client.post("/authz", data=pickle.dumps(_context)) - assert req.status_code == 400 - data = get_json(req.data) - assert data - assert isinstance(data, dict) - assert "message" in data - assert data["message"] == "Cannot find subject user_not_allowed" - - -def test_object_not_allowed(context): - import moon_authz.server - from python_moonutilities.context import Context - from python_moonutilities.cache import Cache - server = moon_authz.server.create_server() - client = server.app.test_client() - CACHE = Cache() - CACHE.update() - context['subject_name'] = "testuser" - context['object_name'] = "invalid" - _context = Context(context, CACHE) - req = client.post("/authz", data=pickle.dumps(_context)) - assert req.status_code == 400 - data = get_json(req.data) - assert data - assert isinstance(data, dict) - assert "message" in data - assert data["message"] == "Cannot find object invalid" - - -def test_action_not_allowed(context): - import moon_authz.server - from python_moonutilities.context import Context - from python_moonutilities.cache import Cache - server = moon_authz.server.create_server() - client = server.app.test_client() - CACHE = Cache() - CACHE.update() - context['subject_name'] = "testuser" - context['object_name'] = "vm1" - context['action_name'] = "invalid" - _context = Context(context, CACHE) - req = client.post("/authz", data=pickle.dumps(_context)) - assert req.status_code == 400 - data = get_json(req.data) - assert data - assert isinstance(data, dict) - assert "message" in data - assert data["message"] == "Cannot find action invalid" - - -def test_authz_with_empty_pdp_set(context): - from python_moonutilities.context import Context - from python_moonutilities.cache import Cache - CACHE = Cache() - CACHE.update() - _context = Context(context, CACHE) - component_data = { - 'component_id': 'component_id1', - 'pdp_id': 'pdp_id1', - 'meta_rule_id': 'meta_rule_id1', - 'keystone_project_id': 'keystone_project_id1', - } - with pytest.raises(Exception) as exception_info: - run(component_data, CACHE, _context) - assert str(exception_info.value) == '400: Pdp Unknown' diff --git a/moon_authz/tests/unit_python/utilities.py b/moon_authz/tests/unit_python/utilities.py deleted file mode 100644 index e3a111bd..00000000 --- a/moon_authz/tests/unit_python/utilities.py +++ /dev/null @@ -1,182 +0,0 @@ -import base64 -import json -import pytest -from uuid import uuid4 - - -CONF = { - "openstack": { - "keystone": { - "url": "http://keystone:5000/v3", - "user": "admin", - "check_token": False, - "password": "p4ssw0rd", - "domain": "default", - "certificate": False, - "project": "admin" - } - }, - "components": { - "wrapper": { - "bind": "0.0.0.0", - "port": 8080, - "container": "wukongsun/moon_wrapper:v4.3", - "timeout": 5, - "hostname": "wrapper" - }, - "manager": { - "bind": "0.0.0.0", - "port": 8082, - "container": "wukongsun/moon_manager:v4.3", - "hostname": "manager" - }, - "port_start": 31001, - "orchestrator": { - "bind": "0.0.0.0", - "port": 8083, - "container": "wukongsun/moon_orchestrator:v4.3", - "hostname": "orchestrator" - }, - "pipeline": { - "interface": { - "bind": "0.0.0.0", - "port": 8080, - "container": "wukongsun/moon_interface:v4.3", - "hostname": "interface" - }, - "authz": { - "bind": "0.0.0.0", - "port": 8081, - "container": "wukongsun/moon_authz:v4.3", - "hostname": "authz" - } - } - }, - "plugins": { - "session": { - "port": 8082, - "container": "asteroide/session:latest" - }, - "authz": { - "port": 8081, - "container": "wukongsun/moon_authz:v4.3" - } - }, - "logging": { - "handlers": { - "file": { - "filename": "/tmp/moon.log", - "class": "logging.handlers.RotatingFileHandler", - "level": "DEBUG", - "formatter": "custom", - "backupCount": 3, - "maxBytes": 1048576 - }, - "console": { - "class": "logging.StreamHandler", - "formatter": "brief", - "level": "INFO", - "stream": "ext://sys.stdout" - } - }, - "formatters": { - "brief": { - "format": "%(levelname)s %(name)s %(message)-30s" - }, - "custom": { - "format": "%(asctime)-15s %(levelname)s %(name)s %(message)s" - } - }, - "root": { - "handlers": [ - "console" - ], - "level": "ERROR" - }, - "version": 1, - "loggers": { - "moon": { - "handlers": [ - "console", - "file" - ], - "propagate": False, - "level": "DEBUG" - } - } - }, - "slave": { - "name": None, - "master": { - "url": None, - "login": None, - "password": None - } - }, - "docker": { - "url": "tcp://172.88.88.1:2376", - "network": "moon" - }, - "database": { - "url": "sqlite:///database.db", - # "url": "mysql+pymysql://moon:p4sswOrd1@db/moon", - "driver": "sql" - }, - "messenger": { - "url": "rabbit://moon:p4sswOrd1@messenger:5672/moon" - } -} - - -CONTEXT = { - "project_id": "a64beb1cc224474fb4badd43173e7101", - "subject_name": "testuser", - "object_name": "vm1", - "action_name": "boot", - "request_id": uuid4().hex, - "interface_name": "interface", - "manager_url": "http://{}:{}".format( - CONF["components"]["manager"]["hostname"], - CONF["components"]["manager"]["port"] - ), - "cookie": uuid4().hex, - "pdp_id": "b3d3e18abf3340e8b635fd49e6634ccd", - "security_pipeline": ["f8f49a779ceb47b3ac810f01ef71b4e0"] - } - - -COMPONENTS = ( - "logging", - "openstack/keystone", - "database", - "slave", - "components/manager", - "components/orchestrator", - "components/pipeline", - - "components/wrapper", -) - - -def get_b64_conf(component=None): - if component == "components": - return base64.b64encode( - json.dumps(CONF["components"]).encode('utf-8')+b"\n").decode('utf-8') - elif component in CONF: - return base64.b64encode( - json.dumps( - CONF[component]).encode('utf-8')+b"\n").decode('utf-8') - elif not component: - return base64.b64encode( - json.dumps(CONF).encode('utf-8')+b"\n").decode('utf-8') - elif "/" in component: - key1, _, key2 = component.partition("/") - return base64.b64encode( - json.dumps( - CONF[key1][key2]).encode('utf-8')+b"\n").decode('utf-8') - - -def get_json(data): - return json.loads(data.decode("utf-8")) - - |