aboutsummaryrefslogtreecommitdiffstats
path: root/moon_authz
diff options
context:
space:
mode:
Diffstat (limited to 'moon_authz')
-rw-r--r--moon_authz/Changelog39
-rw-r--r--moon_authz/Dockerfile15
-rw-r--r--moon_authz/LICENSE202
-rw-r--r--moon_authz/MANIFEST.in9
-rw-r--r--moon_authz/README.md8
-rw-r--r--moon_authz/moon_authz/__init__.py6
-rw-r--r--moon_authz/moon_authz/__main__.py4
-rw-r--r--moon_authz/moon_authz/api/__init__.py0
-rw-r--r--moon_authz/moon_authz/api/authorization.py397
-rw-r--r--moon_authz/moon_authz/api/update.py42
-rw-r--r--moon_authz/moon_authz/http_server.py142
-rw-r--r--moon_authz/moon_authz/server.py56
-rw-r--r--moon_authz/requirements.txt5
-rw-r--r--moon_authz/setup.py47
-rw-r--r--moon_authz/tests/unit_python/conftest.py29
-rw-r--r--moon_authz/tests/unit_python/mock_pods.py545
-rw-r--r--moon_authz/tests/unit_python/requirements.txt5
-rw-r--r--moon_authz/tests/unit_python/test_authz.py116
-rw-r--r--moon_authz/tests/unit_python/utilities.py182
19 files changed, 0 insertions, 1849 deletions
diff --git a/moon_authz/Changelog b/moon_authz/Changelog
deleted file mode 100644
index ae1ec4d1..00000000
--- a/moon_authz/Changelog
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-
-CHANGES
-=======
-
-1.0.0
------
-- First version of the manager
-
-2.0.0
------
-- Version built inside the Keystone component
-
-3.0.0
------
-- Version built outside the Keystone component
-
-4.0.0
------
-- First micro-architecture version
-
-4.3.3
------
-- use the threading capability of Flask app
-- set the number of manager to 1
-- update to the latest version of the python-moondb library
-
-4.3.4
------
-- apply PyLint rules
-- fix a bug in instructions management
-
-4.4.0
------
-- add the update API
diff --git a/moon_authz/Dockerfile b/moon_authz/Dockerfile
deleted file mode 100644
index 7081e31c..00000000
--- a/moon_authz/Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-FROM python:3
-
-LABEL Name=Authz_plugin
-LABEL Description="Authz plugin for the Moon platform"
-LABEL Maintainer="Thomas Duval"
-LABEL Url="https://wiki.opnfv.org/display/moon/Moon+Project+Proposal"
-
-USER root
-
-ADD . /root
-WORKDIR /root/
-RUN pip3 install --no-cache-dir -r requirements.txt
-RUN pip3 install --no-cache-dir .
-
-CMD ["python3", "-m", "moon_authz"] \ No newline at end of file
diff --git a/moon_authz/LICENSE b/moon_authz/LICENSE
deleted file mode 100644
index d6456956..00000000
--- a/moon_authz/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/moon_authz/MANIFEST.in b/moon_authz/MANIFEST.in
deleted file mode 100644
index 1f674d50..00000000
--- a/moon_authz/MANIFEST.in
+++ /dev/null
@@ -1,9 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-include README.rst
-include LICENSE
-include setup.py
-include requirements.txt
diff --git a/moon_authz/README.md b/moon_authz/README.md
deleted file mode 100644
index 696c29a1..00000000
--- a/moon_authz/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# moon_authz
-
-This package contains the core module for the Moon project
-It is designed to provide authorization features to all OpenStack components.
-
-For any other information, refer to the parent project:
-
- https://git.opnfv.org/moon
diff --git a/moon_authz/moon_authz/__init__.py b/moon_authz/moon_authz/__init__.py
deleted file mode 100644
index 85c245e0..00000000
--- a/moon_authz/moon_authz/__init__.py
+++ /dev/null
@@ -1,6 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-__version__ = "4.4.0"
diff --git a/moon_authz/moon_authz/__main__.py b/moon_authz/moon_authz/__main__.py
deleted file mode 100644
index 6f1f9807..00000000
--- a/moon_authz/moon_authz/__main__.py
+++ /dev/null
@@ -1,4 +0,0 @@
-from moon_authz.server import create_server
-
-SERVER = create_server()
-SERVER.run()
diff --git a/moon_authz/moon_authz/api/__init__.py b/moon_authz/moon_authz/api/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/moon_authz/moon_authz/api/__init__.py
+++ /dev/null
diff --git a/moon_authz/moon_authz/api/authorization.py b/moon_authz/moon_authz/api/authorization.py
deleted file mode 100644
index 59af295d..00000000
--- a/moon_authz/moon_authz/api/authorization.py
+++ /dev/null
@@ -1,397 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import itertools
-import pickle
-import logging
-import flask
-from flask import request
-from flask_restful import Resource
-from python_moonutilities import exceptions
-
-LOGGER = logging.getLogger("moon.authz.api." + __name__)
-
-
-class Authz(Resource):
- """
- Endpoint for authz requests
- """
- __version__ = "4.3.1"
-
- __urls__ = (
- "/authz",
- "/authz/",
- )
-
- pdp_id = None
- meta_rule_id = None
- keystone_project_id = None
- payload = None
-
- def __init__(self, **kwargs):
- component_data = kwargs.get("component_data", {})
- self.component_id = component_data['component_id']
- self.pdp_id = component_data['pdp_id']
- self.meta_rule_id = component_data['meta_rule_id']
- self.keystone_project_id = component_data['keystone_project_id']
- self.cache = kwargs.get("cache")
- self.context = None
-
- def post(self):
- """Get a response on an authorization request
-
- :request:
-
- :return: {
- "args": {},
- "ctx": {
- "action_name": "4567",
- "id": "123456",
- "method": "authz",
- "object_name": "234567",
- "subject_name": "123456",
- "user_id": "admin"
- },
- "error": {
- "code": 500,
- "description": "",
- "title": "Moon Error"
- },
- "intra_extension_id": "123456",
- "result": false
- }
- :internal_api: authz
- """
- self.context = pickle.loads(request.data)
- self.context.set_cache(self.cache)
- self.context.increment_index()
- self.context.update_target()
- # FIXME (asteroide): force the update but we should not do that
- # a better way is to build the bilateral link between Master and Slaves
- self.cache.update()
- if not self.run():
- raise exceptions.MoonError("Error in the request status={}".format(
- self.context.current_state))
- self.context.delete_cache()
- response = flask.make_response(pickle.dumps(self.context))
- response.headers['content-type'] = 'application/octet-stream'
- return response
-
- def run(self):
- result, message = self.__check_rules()
- if result:
- return self.__exec_instructions(result)
- self.context.current_state = "deny"
- # self.__exec_next_state(result)
- return
-
- def __check_rules(self):
- scopes_list = list()
- current_header_id = self.context.headers[self.context.index]
- # Context.update_target(context)
- if not self.context.pdp_set:
- raise exceptions.PdpUnknown
- if current_header_id not in self.context.pdp_set:
- raise Exception('Invalid index')
- current_pdp = self.context.pdp_set[current_header_id]
- category_list = list()
- if 'meta_rules' not in current_pdp:
- raise exceptions.PdpContentError
- try:
- category_list.extend(current_pdp["meta_rules"]["subject_categories"])
- category_list.extend(current_pdp["meta_rules"]["object_categories"])
- category_list.extend(current_pdp["meta_rules"]["action_categories"])
- except Exception:
- raise exceptions.MetaRuleContentError
- if 'target' not in current_pdp:
- raise exceptions.PdpContentError
- for category in category_list:
- scope = list(current_pdp['target'][category])
- if not scope:
- LOGGER.warning("Scope in category {} is empty".format(category))
- raise exceptions.AuthzException
- scopes_list.append(scope)
- # policy_id = self.cache.get_policy_from_meta_rules("admin", current_header_id)
- if self.context.current_policy_id not in self.cache.rules:
- raise exceptions.PolicyUnknown
- if 'rules' not in self.cache.rules[self.context.current_policy_id]:
- raise exceptions.RuleUnknown
- for item in itertools.product(*scopes_list):
- req = list(item)
- for rule in self.cache.rules[self.context.current_policy_id]["rules"]:
- if req == rule['rule']:
- return rule['instructions'], ""
- LOGGER.warning("No rule match the request...")
- return False, "No rule match the request..."
-
- def __update_subject_category_in_policy(self, operation, target):
- result = False
- # try:
- # policy_name, category_name, data_name = target.split(":")
- # except ValueError:
- # LOGGER.error("Cannot understand value in instruction ({})".format(target))
- # return False
- # # pdp_set = self.payload["authz_context"]['pdp_set']
- # for meta_rule_id in self.context.pdp_set:
- # if meta_rule_id == "effect":
- # continue
- # if self.context.pdp_set[meta_rule_id]["meta_rules"]["name"] == policy_name:
- # for category_id, category_value in self.cache.subject_categories.items():
- # if category_value["name"] == "role":
- # subject_category_id = category_id
- # break
- # else:
- # LOGGER.error("Cannot understand category in instruction ({})".format(target))
- # return False
- # subject_data_id = None
- # for data in PolicyManager.get_subject_data("admin", policy_id,
- # category_id=subject_category_id):
- # for data_id, data_value in data['data'].items():
- # if data_value["name"] == data_name:
- # subject_data_id = data_id
- # break
- # if subject_data_id:
- # break
- # else:
- # LOGGER.error("Cannot understand data in instruction ({})".format(target))
- # return False
- # if operation == "add":
- # self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][
- # subject_category_id].append(subject_data_id)
- # elif operation == "delete":
- # try:
- # self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][
- # subject_category_id].remove(subject_data_id)
- # except ValueError:
- # LOGGER.warning("Cannot remove role {} from target".format(data_name))
- # result = True
- # break
- return result
-
- def __update_container_chaining(self):
- for index in range(len(self.payload["authz_context"]['headers'])):
- self.payload["container_chaining"][index]["meta_rule_id"] = \
- self.payload["authz_context"]['headers'][index]
-
- def __get_container_from_meta_rule(self, meta_rule_id):
- for index in range(len(self.payload["authz_context"]['headers'])):
- if self.payload["container_chaining"][index]["meta_rule_id"] == meta_rule_id:
- return self.payload["container_chaining"][index]
-
- def __update_headers(self, name):
- # context = self.payload["authz_context"]
- for meta_rule_id, meta_rule_value in self.context.pdp_set.items():
- if meta_rule_id == "effect":
- continue
- if meta_rule_value["meta_rules"]["name"] == name:
- self.context.headers.append(meta_rule_id)
- return True
- return False
-
- # def __exec_next_state(self, rule_found):
- # index = self.context.index
- # current_meta_rule = self.context.headers[index]
- # current_container = self.__get_container_from_meta_rule(current_meta_rule)
- # current_container_genre = current_container["genre"]
- # try:
- # next_meta_rule = self.context.headers[index + 1]
- # except IndexError:
- # next_meta_rule = None
- # if current_container_genre == "authz":
- # if rule_found:
- # return True
- # pass
- # if next_meta_rule:
- # # next will be session if current is deny and session is unset
- # if self.payload["authz_context"]['pdp_set'][next_meta_rule]['effect'] == "unset":
- # return notify(
- # request_id=self.payload["authz_context"]["request_id"],
- # container_id=self.__get_container_from_meta_rule(next_meta_rule)[
- # 'container_id'],payload=self.payload)
- # # next will be delegation if current is deny and session is passed or deny and
- # delegation is unset
- # else:
- # LOG.error("Delegation is not developed!")
- #
- # else:
- # # else next will be None and the request is sent to router
- # return self.__return_to_router()
- # elif current_container_genre == "session":
- # pass
- # # next will be next container in headers if current is passed
- # if self.payload["authz_context"]['pdp_set'][current_meta_rule]['effect'] == "passed":
- # return notify(
- # request_id=self.payload["authz_context"]["request_id"],
- # container_id=self.__get_container_from_meta_rule(next_meta_rule)[
- # 'container_id'],payload=self.payload)
- # # next will be None if current is grant and the request is sent to router
- # else:
- # return self.__return_to_router()
- # elif current_container_genre == "delegation":
- # LOG.error("Delegation is not developed!")
- # # next will be authz if current is deny
- # # next will be None if current is grant and the request is sent to router
-
- # def __return_to_router(self):
- # call(endpoint="security_router",
- # ctx={"id": self.component_id,
- # "call_master": False,
- # "method": "return_authz",
- # "request_id": self.payload["authz_context"]["request_id"]},
- # method="route",
- # args=self.payload["authz_context"])
-
- def __exec_instructions(self, instructions):
- if type(instructions) is dict:
- instructions = [instructions, ]
- if type(instructions) not in (list, tuple):
- raise exceptions.RuleContentError("Bad instructions format")
- for instruction in instructions:
- for key in instruction:
- if key == "decision":
- if instruction["decision"] == "grant":
- self.context.current_state = "grant"
- LOGGER.info("__exec_instructions True %s" % self.context.current_state)
- return True
-
- self.context.current_state = instruction["decision"].lower()
- elif key == "chain":
- result = self.__update_headers(**instruction["chain"])
- if not result:
- self.context.current_state = "deny"
- else:
- self.context.current_state = "passed"
- elif key == "update":
- result = self.__update_subject_category_in_policy(**instruction["update"])
- if not result:
- self.context.current_state = "deny"
- else:
- self.context.current_state = "passed"
- LOGGER.info("__exec_instructions False %s" % self.context.current_state)
-
- # def __update_current_request(self):
- # index = self.payload["authz_context"]["index"]
- # current_header_id = self.payload["authz_context"]['headers'][index]
- # previous_header_id = self.payload["authz_context"]['headers'][index - 1]
- # current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id)
- # previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id)
- # # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy
- # if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules'][
- # 'name'] == "session":
- # subject = self.payload["authz_context"]['current_request'].get("subject")
- # subject_category_id = None
- # role_names = []
- # for category_id, category_value in ModelManager.get_subject_categories("admin").items():
- # if category_value["name"] == "role":
- # subject_category_id = category_id
- # break
- # for assignment_id, assignment_value in PolicyManager.get_subject_assignments(
- # "admin", previous_policy_id, subject, subject_category_id).items():
- # for data_id in assignment_value["assignments"]:
- # data = PolicyManager.get_subject_data(
- # "admin", previous_policy_id, data_id, subject_category_id)
- # for _data in data:
- # for key, value in _data["data"].items():
- # role_names.append(value["name"])
- # new_role_ids = []
- # for perimeter_id, perimeter_value in PolicyManager.get_objects(
- # "admin", current_policy_id).items():
- # if perimeter_value["name"] in role_names:
- # new_role_ids.append(perimeter_id)
- # break
- # perimeter_id = None
- # for perimeter_id, perimeter_value in PolicyManager.get_actions(
- # "admin", current_policy_id).items():
- # if perimeter_value["name"] == "*":
- # break
- #
- # self.payload["authz_context"]['current_request']['object'] = new_role_ids[0]
- # self.payload["authz_context"]['current_request']['action'] = perimeter_id
- # elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac":
- # self.payload["authz_context"]['current_request']['subject'] = \
- # self.payload["authz_context"]['initial_request']['subject']
- # self.payload["authz_context"]['current_request']['object'] = \
- # self.payload["authz_context"]['initial_request']['object']
- # self.payload["authz_context"]['current_request']['action'] = \
- # self.payload["authz_context"]['initial_request']['action']
-
- def get_authz(self):
- # self.keystone_project_id = payload["id"]
- # LOG.info("get_authz {}".format(payload))
- # self.payload = payload
- try:
- # if "authz_context" not in payload:
- # try:
- # self.payload["authz_context"] = Context(self.keystone_project_id,
- # self.payload["subject_name"],
- # self.payload["object_name"],
- # self.payload["action_name"],
- # self.payload["request_id"]).to_dict()
- # except exceptions.SubjectUnknown:
- # ctx = {
- # "subject_name": self.payload["subject_name"],
- # "object_name": self.payload["object_name"],
- # "action_name": self.payload["action_name"],
- # }
- # call("moon_manager", method="update_from_master", ctx=ctx, args={})
- # self.payload["authz_context"] = Context(self.keystone_project_id,
- # self.payload["subject_name"],
- # self.payload["object_name"],
- # self.payload["action_name"],
- # self.payload["request_id"]).to_dict()
- # except exceptions.ObjectUnknown:
- # ctx = {
- # "subject_name": self.payload["subject_name"],
- # "object_name": self.payload["object_name"],
- # "action_name": self.payload["action_name"],
- # }
- # call("moon_manager", method="update_from_master", ctx=ctx, args={})
- # self.payload["authz_context"] = Context(self.keystone_project_id,
- # self.payload["subject_name"],
- # self.payload["object_name"],
- # self.payload["action_name"],
- # self.payload["request_id"]).to_dict()
- # except exceptions.ActionUnknown:
- # ctx = {
- # "subject_name": self.payload["subject_name"],
- # "object_name": self.payload["object_name"],
- # "action_name": self.payload["action_name"],
- # }
- # call("moon_manager", method="update_from_master", ctx=ctx, args={})
- # self.payload["authz_context"] = Context(self.keystone_project_id,
- # self.payload["subject_name"],
- # self.payload["object_name"],
- # self.payload["action_name"],
- # self.payload["request_id"]).to_dict()
- # self.__update_container_chaining()
- # else:
- # self.payload["authz_context"]["index"] += 1
- # self.__update_current_request()
- result, message = self.__check_rules()
- current_header_id = self.payload["authz_context"]['headers'][
- self.payload["authz_context"]['index']]
- if result:
- self.__exec_instructions(result)
- else:
- self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "deny"
- self.__exec_next_state(result)
- return {"authz": result,
- "error": message,
- "pdp_id": self.pdp_id,
- "args": self.payload}
- except Exception as e:
- try:
- LOGGER.error(self.payload["authz_context"])
- except KeyError:
- LOGGER.error("Cannot find \"authz_context\" in context")
- LOGGER.error(e, exc_info=True)
- return {"authz": False,
- "error": str(e),
- "pdp_id": self.pdp_id,
- "args": self.payload}
-
- def head(self, uuid=None, subject_name=None, object_name=None, action_name=None):
- LOGGER.info("HEAD request")
- return "", 200
diff --git a/moon_authz/moon_authz/api/update.py b/moon_authz/moon_authz/api/update.py
deleted file mode 100644
index 68b7f0ce..00000000
--- a/moon_authz/moon_authz/api/update.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-"""
-Authz is the endpoint to get authorization response
-"""
-
-from flask import request
-from flask_restful import Resource
-import logging
-
-__version__ = "4.4.0"
-
-LOGGER = logging.getLogger("moon.authz.api." + __name__)
-
-
-class Update(Resource):
- """
- Endpoint for update requests
- """
-
- __urls__ = (
- "/update",
- )
-
- def __init__(self, **kwargs):
- self.CACHE = kwargs.get("cache")
- self.INTERFACE_NAME = kwargs.get("interface_name", "interface")
- self.MANAGER_URL = kwargs.get("manager_url", "http://manager:8080")
- self.TIMEOUT = 5
-
- def put(self):
- try:
- self.CACHE.update_assignments(
- request.form.get("policy_id", None),
- request.form.get("perimeter_id", None),
- )
- except Exception as e:
- LOGGER.exception(e)
- return {"result": False, "reason": str(e)}
- return {"result": True}
diff --git a/moon_authz/moon_authz/http_server.py b/moon_authz/moon_authz/http_server.py
deleted file mode 100644
index 86d8a914..00000000
--- a/moon_authz/moon_authz/http_server.py
+++ /dev/null
@@ -1,142 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import logging
-from flask import Flask
-from flask_restful import Resource, Api
-from moon_authz import __version__
-from moon_authz.api.authorization import Authz
-from moon_authz.api.update import Update
-from python_moonutilities.cache import Cache
-from python_moonutilities import exceptions
-
-LOGGER = logging.getLogger("moon.authz.http_server")
-
-CACHE = Cache()
-CACHE.update()
-
-
-class Server:
- """Base class for HTTP server"""
-
- def __init__(self, host="localhost", port=80, api=None, **kwargs):
- """Run a server
-
- :param host: hostname of the server
- :param port: port for the running server
- :param kwargs: optional parameters
- :return: a running server
- """
- self._host = host
- self._port = port
- self._api = api
- self._extra = kwargs
-
- @property
- def host(self):
- return self._host
-
- @host.setter
- def host(self, name):
- self._host = name
-
- @host.deleter
- def host(self):
- self._host = ""
-
- @property
- def port(self):
- return self._port
-
- @port.setter
- def port(self, number):
- self._port = number
-
- @port.deleter
- def port(self):
- self._port = 80
-
- def run(self):
- raise NotImplementedError()
-
-
-__API__ = (
- Authz, Update
-)
-
-
-class Root(Resource):
- """
- The root of the web service
- """
- __urls__ = ("/",)
- __methods = ("get", "post", "put", "delete", "options")
-
- def get(self):
- tree = {"/": {"methods": ("get",),
- "description": "List all methods for that service."}}
- for item in __API__:
- tree[item.__name__] = {"urls": item.__urls__}
- _methods = []
- for _method in self.__methods:
- if _method in dir(item):
- _methods.append(_method)
- tree[item.__name__]["methods"] = _methods
- tree[item.__name__]["description"] = item.__doc__.strip()
- return {
- "version": __version__,
- "tree": tree
- }
-
- def head(self):
- return "", 201
-
-
-class HTTPServer(Server):
- def __init__(self, host="localhost", port=38001, **kwargs):
- super(HTTPServer, self).__init__(host=host, port=port, **kwargs)
- self.component_data = kwargs.get("component_data", {})
- LOGGER.info("HTTPServer port={} {}".format(port, kwargs))
- self.app = Flask(__name__)
- self._port = port
- self._host = host
- self.component_id = kwargs.get("component_id")
- self.keystone_project_id = kwargs.get("keystone_project_id")
- self.container_chaining = kwargs.get("container_chaining")
- self.api = Api(self.app)
- self.__set_route()
-
- # self.__hook_errors()
-
- @self.app.errorhandler(exceptions.AuthException)
- def _auth_exception(error):
- return {"error": "Unauthorized"}, 401
-
- def __hook_errors(self):
- # FIXME (dthom): it doesn't work
- def get_404_json(e):
- return {"error": "Error", "code": 404, "description": e}
-
- self.app.register_error_handler(404, get_404_json)
-
- def get_400_json(e):
- return {"error": "Error", "code": 400, "description": e}
-
- self.app.register_error_handler(400, lambda e: get_400_json)
- self.app.register_error_handler(403, exceptions.AuthException)
-
- def __set_route(self):
- self.api.add_resource(Root, '/')
-
- for api in __API__:
- self.api.add_resource(api, *api.__urls__,
- resource_class_kwargs={
- "component_data": self.component_data,
- "cache": CACHE
- }
- )
-
- def run(self):
- self.app.run(host=self._host, port=self._port, threaded=True) # nosec
diff --git a/moon_authz/moon_authz/server.py b/moon_authz/moon_authz/server.py
deleted file mode 100644
index d1b5a59b..00000000
--- a/moon_authz/moon_authz/server.py
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import os
-import logging
-from moon_authz.http_server import HTTPServer as Server
-from python_moonutilities import configuration, exceptions
-
-LOGGER = logging.getLogger("moon.authz.server")
-
-
-def create_server():
- configuration.init_logging()
-
- component_id = os.getenv("UUID")
- component_type = os.getenv("TYPE")
- tcp_port = os.getenv("PORT")
- pdp_id = os.getenv("PDP_ID")
- meta_rule_id = os.getenv("META_RULE_ID")
- keystone_project_id = os.getenv("KEYSTONE_PROJECT_ID")
- LOGGER.info("component_type={}".format(component_type))
- conf = configuration.get_plugins()
- # conf = configuration.get_configuration("plugins/{}".format(component_type))
- # conf["plugins/{}".format(component_type)]['id'] = component_id
- if component_type not in conf:
- raise exceptions.ConsulComponentNotFound("{} not found".format(
- component_type))
- hostname = conf[component_type].get('hostname', component_id)
- port = conf[component_type].get('port', tcp_port)
- bind = conf[component_type].get('bind', "0.0.0.0")
-
- LOGGER.info("Starting server with IP {} on port {} bind to {}".format(
- hostname, port, bind))
- server = Server(
- host=bind,
- port=int(port),
- component_data={
- 'component_id': component_id,
- 'component_type': component_type,
- 'pdp_id': pdp_id,
- 'meta_rule_id': meta_rule_id,
- 'keystone_project_id': keystone_project_id,
- }
- )
- return server
-
-
-def run():
- server = create_server()
- server.run()
-
-
-if __name__ == '__main__':
- run()
diff --git a/moon_authz/requirements.txt b/moon_authz/requirements.txt
deleted file mode 100644
index 8cad7a7a..00000000
--- a/moon_authz/requirements.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-flask
-flask_restful
-flask_cors
-python_moondb
-python_moonutilities
diff --git a/moon_authz/setup.py b/moon_authz/setup.py
deleted file mode 100644
index ad99b9f8..00000000
--- a/moon_authz/setup.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-from setuptools import setup, find_packages
-import moon_authz
-
-
-setup(
-
- name='moon_authz',
-
- version=moon_authz.__version__,
-
- packages=find_packages(),
-
- author="Thomas Duval",
-
- author_email="thomas.duval@orange.com",
-
- description="",
-
- long_description=open('README.md').read(),
-
- # install_requires= ,
-
- include_package_data=True,
-
- url='https://git.opnfv.org/moon',
-
- classifiers=[
- "Programming Language :: Python",
- "Development Status :: 1 - Planning",
- "License :: OSI Approved",
- "Natural Language :: French",
- "Operating System :: OS Independent",
- "Programming Language :: Python :: 3",
- ],
-
- entry_points={
- 'console_scripts': [
- 'moon_authz = moon_authz.server:run',
- ],
- }
-
-)
diff --git a/moon_authz/tests/unit_python/conftest.py b/moon_authz/tests/unit_python/conftest.py
deleted file mode 100644
index a6e62078..00000000
--- a/moon_authz/tests/unit_python/conftest.py
+++ /dev/null
@@ -1,29 +0,0 @@
-import pytest
-import requests_mock
-import mock_pods
-import os
-from utilities import CONTEXT
-
-
-@pytest.fixture
-def context():
- return CONTEXT
-
-
-def set_env_variables():
- os.environ['UUID'] = "1111111111"
- os.environ['TYPE'] = "authz"
- os.environ['PORT'] = "8081"
- os.environ['PDP_ID'] = "b3d3e18abf3340e8b635fd49e6634ccd"
- os.environ['META_RULE_ID'] = "f8f49a779ceb47b3ac810f01ef71b4e0"
- os.environ['KEYSTONE_PROJECT_ID'] = CONTEXT['project_id']
-
-
-@pytest.fixture(autouse=True)
-def no_requests(monkeypatch):
- """ Modify the response from Requests module
- """
- set_env_variables()
- with requests_mock.Mocker(real_http=True) as m:
- mock_pods.register_pods(m)
- yield m
diff --git a/moon_authz/tests/unit_python/mock_pods.py b/moon_authz/tests/unit_python/mock_pods.py
deleted file mode 100644
index 39223a57..00000000
--- a/moon_authz/tests/unit_python/mock_pods.py
+++ /dev/null
@@ -1,545 +0,0 @@
-from utilities import CONF, get_b64_conf, COMPONENTS
-
-pdp_mock = {
- "b3d3e18abf3340e8b635fd49e6634ccd": {
- "description": "test",
- "security_pipeline": [
- "f8f49a779ceb47b3ac810f01ef71b4e0"
- ],
- "name": "pdp_rbac",
- "keystone_project_id": "a64beb1cc224474fb4badd43173e7101"
- },
- "pdp_id1": {
- "name": "pdp_id1",
- "security_pipeline": ["policy_id_1", "policy_id_2"],
- "keystone_project_id": "keystone_project_id1",
- "description": "...",
- },
- "pdp_id12": {
- "name": "pdp_id2",
- "security_pipeline": ["policy_id_1", "policy_id_2"],
- "keystone_project_id": "keystone_project_id2",
- "description": "...",
- }
-}
-
-meta_rules_mock = {
- "f8f49a779ceb47b3ac810f01ef71b4e0": {
- "subject_categories": [
- "14e6ae0ba34d458b876c791b73aa17bd"
- ],
- "action_categories": [
- "241a2a791554421a91c9f1bc564aa94d"
- ],
- "description": "",
- "name": "rbac",
- "object_categories": [
- "6d48500f639d4c2cab2b1f33ef93a1e8"
- ]
- },
- "meta_rule_id1": {
- "name": "meta_rule1",
- "algorithm": "name of the meta rule algorithm",
- "subject_categories": ["subject_category_id1",
- "subject_category_id2"],
- "object_categories": ["object_category_id1"],
- "action_categories": ["action_category_id1"]
- },
- "meta_rule_id2": {
- "name": "name of the meta rules2",
- "algorithm": "name of the meta rule algorithm",
- "subject_categories": ["subject_category_id1",
- "subject_category_id2"],
- "object_categories": ["object_category_id1"],
- "action_categories": ["action_category_id1"]
- }
-}
-
-policies_mock = {
- "f8f49a779ceb47b3ac810f01ef71b4e0": {
- "name": "RBAC policy example",
- "model_id": "cd923d8633ff4978ab0e99938f5153d6",
- "description": "test",
- "genre": "authz"
- },
- "policy_id_1": {
- "name": "test_policy1",
- "model_id": "model_id_1",
- "genre": "authz",
- "description": "test",
- },
- "policy_id_2": {
- "name": "test_policy2",
- "model_id": "model_id_2",
- "genre": "authz",
- "description": "test",
- }
-}
-
-subject_mock = {
- "f8f49a779ceb47b3ac810f01ef71b4e0": {
- "89ba91c18dd54abfbfde7a66936c51a6": {
- "description": "test",
- "policy_list": [
- "f8f49a779ceb47b3ac810f01ef71b4e0",
- "636cd473324f4c0bbd9102cb5b62a16d"
- ],
- "name": "testuser",
- "email": "mail",
- "id": "89ba91c18dd54abfbfde7a66936c51a6",
- "extra": {}
- }
- },
- "policy_id_1": {
- "subject_id": {
- "name": "subject_name",
- "keystone_id": "keystone_project_id1",
- "description": "a description"
- }
- },
- "policy_id_2": {
- "subject_id": {
- "name": "subject_name",
- "keystone_id": "keystone_project_id2",
- "description": "a description"
- }
- }
-}
-
-subject_assignment_mock = {
- "826c1156d0284fc9b4b2ddb279f63c52": {
- "category_id": "14e6ae0ba34d458b876c791b73aa17bd",
- "assignments": [
- "24ea95256c5f4c888c1bb30a187788df",
- "6b227b77184c48b6a5e2f3ed1de0c02a",
- "31928b17ec90438ba5a2e50ae7650e63",
- "4e60f554dd3147af87595fb6b37dcb13",
- "7a5541b63a024fa88170a6b59f99ccd7",
- "dd2af27812f742029d289df9687d6126"
- ],
- "id": "826c1156d0284fc9b4b2ddb279f63c52",
- "subject_id": "89ba91c18dd54abfbfde7a66936c51a6",
- "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0"
- },
- "7407ffc1232944279b0cbcb0847c86f7": {
- "category_id": "315072d40d774c43a89ff33937ed24eb",
- "assignments": [
- "6b227b77184c48b6a5e2f3ed1de0c02a",
- "31928b17ec90438ba5a2e50ae7650e63",
- "7a5541b63a024fa88170a6b59f99ccd7",
- "dd2af27812f742029d289df9687d6126"
- ],
- "id": "7407ffc1232944279b0cbcb0847c86f7",
- "subject_id": "89ba91c18dd54abfbfde7a66936c51a6",
- "policy_id": "3e65256389b448cb9897917ea235f0bb"
- }
-}
-
-object_mock = {
- "f8f49a779ceb47b3ac810f01ef71b4e0": {
- "9089b3d2ce5b4e929ffc7e35b55eba1a": {
- "name": "vm1",
- "description": "test",
- "id": "9089b3d2ce5b4e929ffc7e35b55eba1a",
- "extra": {},
- "policy_list": [
- "f8f49a779ceb47b3ac810f01ef71b4e0",
- "636cd473324f4c0bbd9102cb5b62a16d"
- ]
- },
- },
- "policy_id_1": {
- "object_id": {
- "name": "object_name",
- "description": "a description"
- }
- },
- "policy_id_2": {
- "object_id": {
- "name": "object_name",
- "description": "a description"
- }
- }
-}
-
-object_assignment_mock = {
- "201ad05fd3f940948b769ab9214fe295": {
- "object_id": "9089b3d2ce5b4e929ffc7e35b55eba1a",
- "assignments": [
- "030fbb34002e4236a7b74eeb5fd71e35",
- "06bcb8655b9d46a9b90e67ef7c825b50",
- "34eb45d7f46d4fb6bc4965349b8e4b83",
- "4b7793dbae434c31a77da9d92de9fa8c"
- ],
- "id": "201ad05fd3f940948b769ab9214fe295",
- "category_id": "6d48500f639d4c2cab2b1f33ef93a1e8",
- "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0"
- },
- "90c5e86f8be34c0298fbd1973e4fb043": {
- "object_id": "67b8008a3f8d4f8e847eb628f0f7ca0e",
- "assignments": [
- "a098918e915b4b12bccb89f9a3f3b4e4",
- "06bcb8655b9d46a9b90e67ef7c825b50",
- "7dc76c6142af47c88b60cc2b0df650ba",
- "4b7793dbae434c31a77da9d92de9fa8c"
- ],
- "id": "90c5e86f8be34c0298fbd1973e4fb043",
- "category_id": "33aece52d45b4474a20dc48a76800daf",
- "policy_id": "3e65256389b448cb9897917ea235f0bb"
- }
-}
-
-action_mock = {
- "f8f49a779ceb47b3ac810f01ef71b4e0": {
- "cdb3df220dc05a6ea3334b994827b068": {
- "name": "boot",
- "description": "test",
- "id": "cdb3df220dc04a6ea3334b994827b068",
- "extra": {},
- "policy_list": [
- "f8f49a779ceb47b3ac810f01ef71b4e0",
- "636cd473324f4c0bbd9102cb5b62a16d"
- ]
- },
- "cdb3df220dc04a6ea3334b994827b068": {
- "name": "stop",
- "description": "test",
- "id": "cdb3df220dc04a6ea3334b994827b068",
- "extra": {},
- "policy_list": [
- "f8f49a779ceb47b3ac810f01ef71b4e0",
- "636cd473324f4c0bbd9102cb5b62a16d"
- ]
- },
- "9f5112afe9b34a6c894eb87246ccb7aa": {
- "name": "start",
- "description": "test",
- "id": "9f5112afe9b34a6c894eb87246ccb7aa",
- "extra": {},
- "policy_list": [
- "f8f49a779ceb47b3ac810f01ef71b4e0",
- "636cd473324f4c0bbd9102cb5b62a16d"
- ]
- }
- },
- "policy_id_1": {
- "action_id": {
- "name": "action_name",
- "description": "a description"
- }
- },
- "policy_id_2": {
- "action_id": {
- "name": "action_name",
- "description": "a description"
- }
- }
-}
-
-action_assignment_mock = {
- "2128e3ffbd1c4ef5be515d625745c2d4": {
- "category_id": "241a2a791554421a91c9f1bc564aa94d",
- "action_id": "cdb3df220dc05a6ea3334b994827b068",
- "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0",
- "id": "2128e3ffbd1c4ef5be515d625745c2d4",
- "assignments": [
- "570c036781e540dc9395b83098c40ba7",
- "7fe17d7a2e3542719f8349c3f2273182",
- "015ca6f40338422ba3f692260377d638",
- "23d44c17bf88480f83e8d57d2aa1ea79"
- ]
- },
- "cffb98852f3a4110af7a0ddfc4e19201": {
- "category_id": "4a2c5abaeaf644fcaf3ca8df64000d53",
- "action_id": "cdb3df220dc04a6ea3334b994827b068",
- "policy_id": "3e65256389b448cb9897917ea235f0bb",
- "id": "cffb98852f3a4110af7a0ddfc4e19201",
- "assignments": [
- "570c036781e540dc9395b83098c40ba7",
- "7fe17d7a2e3542719f8349c3f2273182",
- "015ca6f40338422ba3f692260377d638",
- "23d44c17bf88480f83e8d57d2aa1ea79"
- ]
- }
-}
-
-models_mock = {
- "cd923d8633ff4978ab0e99938f5153d6": {
- "name": "RBAC",
- "meta_rules": [
- "f8f49a779ceb47b3ac810f01ef71b4e0"
- ],
- "description": "test"
- },
- "model_id_1": {
- "name": "test_model",
- "description": "test",
- "meta_rules": ["meta_rule_id1"]
- },
- "model_id_2": {
- "name": "test_model",
- "description": "test",
- "meta_rules": ["meta_rule_id2"]
- },
-}
-
-rules_mock = {
- "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0",
- "rules": [
- {
- "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0",
- "rule": [
- "24ea95256c5f4c888c1bb30a187788df",
- "030fbb34002e4236a7b74eeb5fd71e35",
- "570c036781e540dc9395b83098c40ba7"
- ],
- "enabled": True,
- "id": "0201a2bcf56943c1904dbac016289b71",
- "instructions": [
- {
- "decision": "grant"
- }
- ],
- "meta_rule_id": "f8f49a779ceb47b3ac810f01ef71b4e0"
- },
- {
- "policy_id": "ecc2451c494e47b5bca7250cd324a360",
- "rule": [
- "54f574cd2043468da5d65e4f6ed6e3c9",
- "6559686961a3490a978f246ac9f85fbf",
- "ac0d1f600bf447e8bd2f37b7cc47f2dc"
- ],
- "enabled": True,
- "id": "a83fed666af8436192dfd8b3c83a6fde",
- "instructions": [
- {
- "decision": "grant"
- }
- ],
- "meta_rule_id": "f8f49a779ceb47b3ac810f01ef71b4e0"
- }
- ]
-}
-
-
-def register_pods(m):
- """ Modify the response from Requests module
- """
- register_consul(m)
- register_pdp(m)
- register_meta_rules(m)
- register_policies(m)
- register_models(m)
- register_orchestrator(m)
- register_policy_subject(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
- # register_policy_subject(m, "policy_id_2")
- register_policy_object(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
- # register_policy_object(m, "policy_id_2")
- register_policy_action(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
- # register_policy_action(m, "policy_id_2")
- register_policy_subject_assignment(m, "f8f49a779ceb47b3ac810f01ef71b4e0", "89ba91c18dd54abfbfde7a66936c51a6")
- register_policy_subject_assignment_list(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
- register_policy_subject_assignment(m, "policy_id_2", "subject_id")
- # register_policy_subject_assignment_list(m1, "policy_id_2")
- register_policy_object_assignment(m, "f8f49a779ceb47b3ac810f01ef71b4e0", "9089b3d2ce5b4e929ffc7e35b55eba1a")
- register_policy_object_assignment_list(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
- register_policy_object_assignment(m, "policy_id_2", "object_id")
- # register_policy_object_assignment_list(m1, "policy_id_2")
- register_policy_action_assignment(m, "f8f49a779ceb47b3ac810f01ef71b4e0", "cdb3df220dc05a6ea3334b994827b068")
- register_policy_action_assignment_list(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
- register_policy_action_assignment(m, "policy_id_2", "action_id")
- # register_policy_action_assignment_list(m1, "policy_id_2")
- register_rules(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
- register_rules(m, "policy_id_1")
- register_rules(m, "policy_id_2")
-
-
-def register_consul(m):
- for component in COMPONENTS:
- m.register_uri(
- 'GET', 'http://consul:8500/v1/kv/{}'.format(component),
- json=[{'Key': component, 'Value': get_b64_conf(component)}]
- )
- m.register_uri(
- 'GET', 'http://consul:8500/v1/kv/components_port_start',
- json=[
- {
- "LockIndex": 0,
- "Key": "components_port_start",
- "Flags": 0,
- "Value": "MzEwMDE=",
- "CreateIndex": 9,
- "ModifyIndex": 9
- }
- ],
- )
- m.register_uri(
- 'PUT', 'http://consul:8500/v1/kv/components_port_start',
- json=[],
- )
- m.register_uri(
- 'GET', 'http://consul:8500/v1/kv/plugins?recurse=true',
- json=[
- {
- "LockIndex": 0,
- "Key": "plugins/authz",
- "Flags": 0,
- "Value": "eyJjb250YWluZXIiOiAid3Vrb25nc3VuL21vb25fYXV0aHo6djQuMyIsICJwb3J0IjogODA4MX0=",
- "CreateIndex": 14,
- "ModifyIndex": 656
- }
- ],
- )
- m.register_uri(
- 'GET', 'http://consul:8500/v1/kv/components?recurse=true',
- json=[
- {"Key": key, "Value": get_b64_conf(key)} for key in COMPONENTS
- ],
- )
- m.register_uri(
- 'GET', 'http://consul:8500/v1/kv/plugins/authz',
- json=[
- {
- "LockIndex": 0,
- "Key": "plugins/authz",
- "Flags": 0,
- "Value": "eyJjb250YWluZXIiOiAid3Vrb25nc3VuL21vb25fYXV0aHo6djQuMyIsICJwb3J0IjogODA4MX0=",
- "CreateIndex": 14,
- "ModifyIndex": 656
- }
- ],
- )
-
-
-def register_orchestrator(m):
- m.register_uri(
- 'GET', 'http://orchestrator:8083/pods',
- json={
- "pods": {
- "1234567890": [
- {"name": "wrapper-quiet", "port": 8080,
- "container": "wukongsun/moon_wrapper:v4.3.1",
- "namespace": "moon"}]}}
- )
-
-
-def register_pdp(m):
- m.register_uri(
- 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'pdp'),
- json={'pdps': pdp_mock}
- )
-
-
-def register_meta_rules(m):
- m.register_uri(
- 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'meta_rules'),
- json={'meta_rules': meta_rules_mock}
- )
-
-
-def register_policies(m):
- m.register_uri(
- 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies'),
- json={'policies': policies_mock}
- )
-
-
-def register_models(m):
- m.register_uri(
- 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'models'),
- json={'models': models_mock}
- )
-
-
-def register_policy_subject(m, policy_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/subjects'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies', policy_id),
- json={'subjects': subject_mock[policy_id]}
- )
-
-
-def register_policy_object(m, policy_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/objects'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies', policy_id),
- json={'objects': object_mock[policy_id]}
- )
-
-
-def register_policy_action(m, policy_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/actions'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies', policy_id),
- json={'actions': action_mock[policy_id]}
- )
-
-
-def register_policy_subject_assignment(m, policy_id, subj_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/subject_assignments/{}'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies',
- policy_id,
- subj_id),
- json={'subject_assignments': subject_assignment_mock}
- )
-
-
-def register_policy_subject_assignment_list(m, policy_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/subject_assignments'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies',
- policy_id),
- json={'subject_assignments': subject_assignment_mock}
- )
-
-
-def register_policy_object_assignment(m, policy_id, obj_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/object_assignments/{}'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies',
- policy_id,
- obj_id),
- json={'object_assignments': object_assignment_mock}
- )
-
-
-def register_policy_object_assignment_list(m, policy_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/object_assignments'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies',
- policy_id),
- json={'object_assignments': object_assignment_mock}
- )
-
-
-def register_policy_action_assignment(m, policy_id, action_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/action_assignments/{}'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies',
- policy_id,
- action_id),
- json={'action_assignments': action_assignment_mock}
- )
-
-
-def register_policy_action_assignment_list(m, policy_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/action_assignments'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies',
- policy_id),
- json={'action_assignments': action_assignment_mock}
- )
-
-
-def register_rules(m, policy_id):
- m.register_uri(
- 'GET', 'http://{}:{}/{}/{}/{}'.format(CONF['components']['manager']['hostname'],
- CONF['components']['manager']['port'], 'policies',
- policy_id, 'rules'),
- json={'rules': rules_mock}
- ) \ No newline at end of file
diff --git a/moon_authz/tests/unit_python/requirements.txt b/moon_authz/tests/unit_python/requirements.txt
deleted file mode 100644
index 21975ce3..00000000
--- a/moon_authz/tests/unit_python/requirements.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-flask
-flask_cors
-flask_restful
-python_moondb
-python_moonutilities \ No newline at end of file
diff --git a/moon_authz/tests/unit_python/test_authz.py b/moon_authz/tests/unit_python/test_authz.py
deleted file mode 100644
index 2352fe06..00000000
--- a/moon_authz/tests/unit_python/test_authz.py
+++ /dev/null
@@ -1,116 +0,0 @@
-import json
-import pickle
-import pytest
-
-
-def get_data(data):
- return pickle.loads(data)
-
-
-def get_json(data):
- return json.loads(data.decode("utf-8"))
-
-
-def run(component_data, cache, context):
- from moon_authz.api.authorization import Authz
- authz = Authz(component_data=component_data, cache=cache)
- authz.context = context
- authz.run()
-
-
-def test_authz_true(context):
- import moon_authz.server
- from python_moonutilities.context import Context
- from python_moonutilities.cache import Cache
- server = moon_authz.server.create_server()
- client = server.app.test_client()
- CACHE = Cache()
- CACHE.update()
- print(CACHE.pdp)
- _context = Context(context, CACHE)
- req = client.post("/authz", data=pickle.dumps(_context))
- assert req.status_code == 200
- data = get_data(req.data)
- assert data
- assert isinstance(data, Context)
- policy_id = data.headers[0]
- assert policy_id
- assert "effect" in data.pdp_set[policy_id]
- assert data.pdp_set[policy_id]['effect'] == "grant"
-
-
-def test_user_not_allowed(context):
- import moon_authz.server
- from python_moonutilities.context import Context
- from python_moonutilities.cache import Cache
- server = moon_authz.server.create_server()
- client = server.app.test_client()
- CACHE = Cache()
- CACHE.update()
- context['subject_name'] = "user_not_allowed"
- _context = Context(context, CACHE)
- req = client.post("/authz", data=pickle.dumps(_context))
- assert req.status_code == 400
- data = get_json(req.data)
- assert data
- assert isinstance(data, dict)
- assert "message" in data
- assert data["message"] == "Cannot find subject user_not_allowed"
-
-
-def test_object_not_allowed(context):
- import moon_authz.server
- from python_moonutilities.context import Context
- from python_moonutilities.cache import Cache
- server = moon_authz.server.create_server()
- client = server.app.test_client()
- CACHE = Cache()
- CACHE.update()
- context['subject_name'] = "testuser"
- context['object_name'] = "invalid"
- _context = Context(context, CACHE)
- req = client.post("/authz", data=pickle.dumps(_context))
- assert req.status_code == 400
- data = get_json(req.data)
- assert data
- assert isinstance(data, dict)
- assert "message" in data
- assert data["message"] == "Cannot find object invalid"
-
-
-def test_action_not_allowed(context):
- import moon_authz.server
- from python_moonutilities.context import Context
- from python_moonutilities.cache import Cache
- server = moon_authz.server.create_server()
- client = server.app.test_client()
- CACHE = Cache()
- CACHE.update()
- context['subject_name'] = "testuser"
- context['object_name'] = "vm1"
- context['action_name'] = "invalid"
- _context = Context(context, CACHE)
- req = client.post("/authz", data=pickle.dumps(_context))
- assert req.status_code == 400
- data = get_json(req.data)
- assert data
- assert isinstance(data, dict)
- assert "message" in data
- assert data["message"] == "Cannot find action invalid"
-
-
-def test_authz_with_empty_pdp_set(context):
- from python_moonutilities.context import Context
- from python_moonutilities.cache import Cache
- CACHE = Cache()
- CACHE.update()
- _context = Context(context, CACHE)
- component_data = {
- 'component_id': 'component_id1',
- 'pdp_id': 'pdp_id1',
- 'meta_rule_id': 'meta_rule_id1',
- 'keystone_project_id': 'keystone_project_id1',
- }
- with pytest.raises(Exception) as exception_info:
- run(component_data, CACHE, _context)
- assert str(exception_info.value) == '400: Pdp Unknown'
diff --git a/moon_authz/tests/unit_python/utilities.py b/moon_authz/tests/unit_python/utilities.py
deleted file mode 100644
index e3a111bd..00000000
--- a/moon_authz/tests/unit_python/utilities.py
+++ /dev/null
@@ -1,182 +0,0 @@
-import base64
-import json
-import pytest
-from uuid import uuid4
-
-
-CONF = {
- "openstack": {
- "keystone": {
- "url": "http://keystone:5000/v3",
- "user": "admin",
- "check_token": False,
- "password": "p4ssw0rd",
- "domain": "default",
- "certificate": False,
- "project": "admin"
- }
- },
- "components": {
- "wrapper": {
- "bind": "0.0.0.0",
- "port": 8080,
- "container": "wukongsun/moon_wrapper:v4.3",
- "timeout": 5,
- "hostname": "wrapper"
- },
- "manager": {
- "bind": "0.0.0.0",
- "port": 8082,
- "container": "wukongsun/moon_manager:v4.3",
- "hostname": "manager"
- },
- "port_start": 31001,
- "orchestrator": {
- "bind": "0.0.0.0",
- "port": 8083,
- "container": "wukongsun/moon_orchestrator:v4.3",
- "hostname": "orchestrator"
- },
- "pipeline": {
- "interface": {
- "bind": "0.0.0.0",
- "port": 8080,
- "container": "wukongsun/moon_interface:v4.3",
- "hostname": "interface"
- },
- "authz": {
- "bind": "0.0.0.0",
- "port": 8081,
- "container": "wukongsun/moon_authz:v4.3",
- "hostname": "authz"
- }
- }
- },
- "plugins": {
- "session": {
- "port": 8082,
- "container": "asteroide/session:latest"
- },
- "authz": {
- "port": 8081,
- "container": "wukongsun/moon_authz:v4.3"
- }
- },
- "logging": {
- "handlers": {
- "file": {
- "filename": "/tmp/moon.log",
- "class": "logging.handlers.RotatingFileHandler",
- "level": "DEBUG",
- "formatter": "custom",
- "backupCount": 3,
- "maxBytes": 1048576
- },
- "console": {
- "class": "logging.StreamHandler",
- "formatter": "brief",
- "level": "INFO",
- "stream": "ext://sys.stdout"
- }
- },
- "formatters": {
- "brief": {
- "format": "%(levelname)s %(name)s %(message)-30s"
- },
- "custom": {
- "format": "%(asctime)-15s %(levelname)s %(name)s %(message)s"
- }
- },
- "root": {
- "handlers": [
- "console"
- ],
- "level": "ERROR"
- },
- "version": 1,
- "loggers": {
- "moon": {
- "handlers": [
- "console",
- "file"
- ],
- "propagate": False,
- "level": "DEBUG"
- }
- }
- },
- "slave": {
- "name": None,
- "master": {
- "url": None,
- "login": None,
- "password": None
- }
- },
- "docker": {
- "url": "tcp://172.88.88.1:2376",
- "network": "moon"
- },
- "database": {
- "url": "sqlite:///database.db",
- # "url": "mysql+pymysql://moon:p4sswOrd1@db/moon",
- "driver": "sql"
- },
- "messenger": {
- "url": "rabbit://moon:p4sswOrd1@messenger:5672/moon"
- }
-}
-
-
-CONTEXT = {
- "project_id": "a64beb1cc224474fb4badd43173e7101",
- "subject_name": "testuser",
- "object_name": "vm1",
- "action_name": "boot",
- "request_id": uuid4().hex,
- "interface_name": "interface",
- "manager_url": "http://{}:{}".format(
- CONF["components"]["manager"]["hostname"],
- CONF["components"]["manager"]["port"]
- ),
- "cookie": uuid4().hex,
- "pdp_id": "b3d3e18abf3340e8b635fd49e6634ccd",
- "security_pipeline": ["f8f49a779ceb47b3ac810f01ef71b4e0"]
- }
-
-
-COMPONENTS = (
- "logging",
- "openstack/keystone",
- "database",
- "slave",
- "components/manager",
- "components/orchestrator",
- "components/pipeline",
-
- "components/wrapper",
-)
-
-
-def get_b64_conf(component=None):
- if component == "components":
- return base64.b64encode(
- json.dumps(CONF["components"]).encode('utf-8')+b"\n").decode('utf-8')
- elif component in CONF:
- return base64.b64encode(
- json.dumps(
- CONF[component]).encode('utf-8')+b"\n").decode('utf-8')
- elif not component:
- return base64.b64encode(
- json.dumps(CONF).encode('utf-8')+b"\n").decode('utf-8')
- elif "/" in component:
- key1, _, key2 = component.partition("/")
- return base64.b64encode(
- json.dumps(
- CONF[key1][key2]).encode('utf-8')+b"\n").decode('utf-8')
-
-
-def get_json(data):
- return json.loads(data.decode("utf-8"))
-
-