diff options
Diffstat (limited to 'moon_manager/moon_manager/api')
| -rw-r--r-- | moon_manager/moon_manager/api/__init__.py | 0 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/assignments.py | 334 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/containers.py | 178 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/data.py | 335 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/generic.py | 131 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/meta_data.py | 267 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/meta_rules.py | 164 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/models.py | 127 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/pdp.py | 181 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/perimeter.py | 447 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/policies.py | 132 | ||||
| -rw-r--r-- | moon_manager/moon_manager/api/rules.py | 140 |
12 files changed, 2436 insertions, 0 deletions
diff --git a/moon_manager/moon_manager/api/__init__.py b/moon_manager/moon_manager/api/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/moon_manager/moon_manager/api/__init__.py diff --git a/moon_manager/moon_manager/api/assignments.py b/moon_manager/moon_manager/api/assignments.py new file mode 100644 index 00000000..c3ac45c8 --- /dev/null +++ b/moon_manager/moon_manager/api/assignments.py @@ -0,0 +1,334 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Assignments allow to connect data with elements of perimeter + +""" + +from flask import request +from flask_restful import Resource +from oslo_log import log as logging +from python_moonutilities.security_functions import check_auth +from python_moondb.core import PolicyManager + +__version__ = "0.2.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class SubjectAssignments(Resource): + """ + Endpoint for subject assignment requests + """ + + __urls__ = ( + "/policies/<string:uuid>/subject_assignments", + "/policies/<string:uuid>/subject_assignments/", + "/policies/<string:uuid>/subject_assignments/<string:perimeter_id>", + "/policies/<string:uuid>/subject_assignments/<string:perimeter_id>/<string:category_id>", + "/policies/<string:uuid>/subject_assignments/<string:perimeter_id>/<string:category_id>/<string:data_id>", + ) + + @check_auth + def get(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): + """Retrieve all subject assignments or a specific one for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the subject + :param category_id: uuid of the subject category + :param data_id: uuid of the subject scope + :param user_id: user ID who do the request + :return: { + "subject_data_id": { + "policy_id": "ID of the policy", + "subject_id": "ID of the subject", + "category_id": "ID of the category", + "assignments": "Assignments list (list of data_id)", + } + } + :internal_api: get_subject_assignments + """ + # return call(ctx={"id": uuid, "method": "get_subject_assignments", "perimeter_id": perimeter_id, "category_id": category_id, "user_id": user_id}, + # args={"data_id": data_id}) + try: + # if "perimeter_name" in ctx: + # ctx["perimeter_id"] = self.__get_subject_id(ctx, ctx['perimeter_name']) + data = PolicyManager.get_subject_assignments(user_id=user_id, policy_id=uuid, + subject_id=perimeter_id, category_id=category_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"subject_assignments": data} + + @check_auth + def post(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): + """Create a subject assignment. + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the subject (not used here) + :param category_id: uuid of the subject category (not used here) + :param data_id: uuid of the subject scope (not used here) + :param user_id: user ID who do the request + :request body: { + "id": "UUID of the subject", + "category_id": "UUID of the category" + "data_id": "UUID of the scope" + } + :return: { + "subject_data_id": { + "policy_id": "ID of the policy", + "subject_id": "ID of the subject", + "category_id": "ID of the category", + "assignments": "Assignments list (list of data_id)", + } + } + :internal_api: update_subject_assignment + """ + try: + data_id = request.json.get("data_id") + category_id = request.json.get("category_id") + perimeter_id = request.json.get("id") + data = PolicyManager.add_subject_assignment(user_id=user_id, policy_id=uuid, + subject_id=perimeter_id, category_id=category_id, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"subject_assignments": data} + + @check_auth + def delete(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): + """Delete a subject assignment for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the subject + :param category_id: uuid of the subject category + :param data_id: uuid of the subject scope + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_subject_assignment + """ + try: + data = PolicyManager.delete_subject_assignment(user_id=user_id, policy_id=uuid, + subject_id=perimeter_id, category_id=category_id, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + +class ObjectAssignments(Resource): + """ + Endpoint for object assignment requests + """ + + __urls__ = ( + "/policies/<string:uuid>/object_assignments", + "/policies/<string:uuid>/object_assignments/", + "/policies/<string:uuid>/object_assignments/<string:perimeter_id>", + "/policies/<string:uuid>/object_assignments/<string:perimeter_id>/<string:category_id>", + "/policies/<string:uuid>/object_assignments/<string:perimeter_id>/<string:category_id>/<string:data_id>", + ) + + @check_auth + def get(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): + """Retrieve all object assignment or a specific one for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the object + :param category_id: uuid of the object category + :param data_id: uuid of the object scope + :param user_id: user ID who do the request + :return: { + "object_data_id": { + "policy_id": "ID of the policy", + "object_id": "ID of the object", + "category_id": "ID of the category", + "assignments": "Assignments list (list of data_id)", + } + } + :internal_api: get_object_assignments + """ + try: + data = PolicyManager.get_object_assignments(user_id=user_id, policy_id=uuid, + object_id=perimeter_id, category_id=category_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"object_assignments": data} + + @check_auth + def post(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): + """Create an object assignment. + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the object (not used here) + :param category_id: uuid of the object category (not used here) + :param data_id: uuid of the object scope (not used here) + :param user_id: user ID who do the request + :request body: { + "id": "UUID of the action", + "category_id": "UUID of the category" + "data_id": "UUID of the scope" + } + :return: { + "object_data_id": { + "policy_id": "ID of the policy", + "object_id": "ID of the object", + "category_id": "ID of the category", + "assignments": "Assignments list (list of data_id)", + } + } + :internal_api: update_object_assignment + """ + try: + data_id = request.json.get("data_id") + category_id = request.json.get("category_id") + perimeter_id = request.json.get("id") + data = PolicyManager.add_object_assignment(user_id=user_id, policy_id=uuid, + object_id=perimeter_id, category_id=category_id, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"object_assignments": data} + + @check_auth + def delete(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): + """Delete a object assignment for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the object + :param category_id: uuid of the object category + :param data_id: uuid of the object scope + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_object_assignment + """ + try: + data = PolicyManager.delete_object_assignment(user_id=user_id, policy_id=uuid, + object_id=perimeter_id, category_id=category_id, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + +class ActionAssignments(Resource): + """ + Endpoint for action assignment requests + """ + + __urls__ = ( + "/policies/<string:uuid>/action_assignments", + "/policies/<string:uuid>/action_assignments/", + "/policies/<string:uuid>/action_assignments/<string:perimeter_id>", + "/policies/<string:uuid>/action_assignments/<string:perimeter_id>/<string:category_id>", + "/policies/<string:uuid>/action_assignments/<string:perimeter_id>/<string:category_id>/<string:data_id>", + ) + + @check_auth + def get(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): + """Retrieve all action assignment or a specific one for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the action + :param category_id: uuid of the action category + :param data_id: uuid of the action scope + :param user_id: user ID who do the request + :return: { + "action_data_id": { + "policy_id": "ID of the policy", + "object_id": "ID of the action", + "category_id": "ID of the category", + "assignments": "Assignments list (list of data_id)", + } + } + :internal_api: get_action_assignments + """ + try: + data = PolicyManager.get_action_assignments(user_id=user_id, policy_id=uuid, + action_id=perimeter_id, category_id=category_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"action_assignments": data} + + @check_auth + def post(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): + """Create an action assignment. + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the action (not used here) + :param category_id: uuid of the action category (not used here) + :param data_id: uuid of the action scope (not used here) + :param user_id: user ID who do the request + :request body: { + "id": "UUID of the action", + "category_id": "UUID of the category", + "data_id": "UUID of the scope" + } + :return: { + "action_data_id": { + "policy_id": "ID of the policy", + "object_id": "ID of the action", + "category_id": "ID of the category", + "assignments": "Assignments list (list of data_id)", + } + } + :internal_api: update_action_assignment + """ + try: + data_id = request.json.get("data_id") + category_id = request.json.get("category_id") + perimeter_id = request.json.get("id") + data = PolicyManager.add_action_assignment(user_id=user_id, policy_id=uuid, + action_id=perimeter_id, category_id=category_id, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"action_assignments": data} + + @check_auth + def delete(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): + """Delete a action assignment for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the action + :param category_id: uuid of the action category + :param data_id: uuid of the action scope + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_action_assignment + """ + try: + data = PolicyManager.delete_action_assignment(user_id=user_id, policy_id=uuid, + action_id=perimeter_id, category_id=category_id, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} diff --git a/moon_manager/moon_manager/api/containers.py b/moon_manager/moon_manager/api/containers.py new file mode 100644 index 00000000..6dc50ea5 --- /dev/null +++ b/moon_manager/moon_manager/api/containers.py @@ -0,0 +1,178 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +PDP are Policy Decision Point. + +""" + +import copy +from docker import Client +from flask import request +from flask_restful import Resource +from oslo_log import log as logging +from python_moonutilities.security_functions import check_auth +from python_moonutilities import configuration + +docker_conf = configuration.get_configuration("docker")['docker'] +docker = Client(base_url=docker_conf['url']) + +__version__ = "0.1.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class Container(Resource): + """ + Endpoint for container requests + """ + + __urls__ = ( + "/containers", + "/containers/", + "/containers/<string:uuid>", + "/containers/<string:uuid>/", + ) + + def __init__(self): + self.containers = {} + self.update() + + def update(self): + for _container in docker.containers(): + if _container['Id'] not in self.containers: + self.containers[_container['Id']] = { + "name": _container["Names"], + "port": _container["Ports"], + } + + @check_auth + def get(self, uuid=None, user_id=None): + """Retrieve all containers + + :param uuid: uuid of the container + :param user_id: user ID who do the request + :return: { + "containers": { + "da0fd80fc1dc146e1b...a2e07d240cde09f0a": { + "name": [ + "/wrapper" + ], + "port": [ + { + "PrivatePort": 8080, + "Type": "tcp", + "IP": "0.0.0.0", + "PublicPort": 8080 + } + ] + }, + } + } + :internal_api: get_containers + """ + # try: + # data = [{"name": item["Names"], "port": item["Ports"], } for item in docker.containers()] + # except Exception as e: + # LOG.error(e, exc_info=True) + # return {"result": False, + # "error": str(e)} + return {"containers": self.containers} + + @check_auth + def post(self, uuid=None, user_id=None): + """Add a new container. + + :param uuid: uuid of the pdp (not used here) + :param user_id: user ID who do the request + :request body: { + "id": "id of the new container", + "name": "name of the new container", + "hostname": "hostname of the new container", + "port": { + "PrivatePort": 8080, + "Type": "tcp", + "IP": "0.0.0.0", + "PublicPort": 8080 + }, + "keystone_project_id": "keystone_project_id1", + "pdp_id": "PDP UUID", + "container_name": "wukongsun/moon_authz:v4.1" + } + :return: { + "containers": { + "da0fd80fc1dc146e1b...a2e07d240cde09f0a": { + "name": [ + "/wrapper" + ], + "port": [ + { + "PrivatePort": 8080, + "Type": "tcp", + "IP": "0.0.0.0", + "PublicPort": 8080 + } + ] + }, + } + } + :internal_api: add_container + """ + try: + self.update() + self.containers[request.json.get('id')] = copy.deepcopy(request.json) + LOG.info("Added a new container {}".format(request.json.get('name'))) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"containers": self.containers} + + @check_auth + def delete(self, uuid=None, user_id=None): + """Delete a pdp + + :param uuid: uuid of the pdp to delete + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_pdp + """ + # try: + # data = PDPManager.delete_pdp(user_id=user_id, pdp_id=uuid) + # except Exception as e: + # LOG.error(e, exc_info=True) + # return {"result": False, + # "error": str(e)} + # return {"result": True} + raise NotImplementedError + + @check_auth + def patch(self, uuid=None, user_id=None): + """Update a pdp + + :param uuid: uuid of the pdp to update + :param user_id: user ID who do the request + :return: { + "pdp_id1": { + "name": "...", + "security_pipeline": [...], + "keystone_project_id": "keystone_project_id1", + "description": "...", + } + } + :internal_api: update_pdp + """ + # try: + # data = PDPManager.update_pdp(user_id=user_id, pdp_id=uuid, value=request.json) + # add_container(uuid=uuid, pipeline=data[uuid]['security_pipeline']) + # except Exception as e: + # LOG.error(e, exc_info=True) + # return {"result": False, + # "error": str(e)} + # return {"pdps": data} + raise NotImplementedError + diff --git a/moon_manager/moon_manager/api/data.py b/moon_manager/moon_manager/api/data.py new file mode 100644 index 00000000..61fe92bf --- /dev/null +++ b/moon_manager/moon_manager/api/data.py @@ -0,0 +1,335 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Data are elements used to create rules + +""" + +from flask import request +from flask_restful import Resource +from oslo_log import log as logging +from python_moonutilities.security_functions import check_auth +from python_moondb.core import PolicyManager + +__version__ = "0.2.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class SubjectData(Resource): + """ + Endpoint for subject data requests + """ + + __urls__ = ( + "/policies/<string:uuid>/subject_data", + "/policies/<string:uuid>/subject_data/", + "/policies/<string:uuid>/subject_data/<string:category_id>", + "/policies/<string:uuid>/subject_data/<string:category_id>/" + "<string:data_id>", + ) + + @check_auth + def get(self, uuid=None, category_id=None, data_id=None, user_id=None): + """Retrieve all subject categories or a specific one if sid is given + for a given policy + + :param uuid: uuid of the policy + :param category_id: uuid of the subject category + :param data_id: uuid of the subject data + :param user_id: user ID who do the request + :return: [{ + "policy_id": "policy_id1", + "category_id": "category_id1", + "data": { + "subject_data_id": { + "name": "name of the data", + "description": "description of the data" + } + } + }] + :internal_api: get_subject_data + """ + try: + data = PolicyManager.get_subject_data(user_id=user_id, + policy_id=uuid, + category_id=category_id, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"subject_data": data} + + @check_auth + def post(self, uuid=None, category_id=None, data_id=None, user_id=None): + """Create or update a subject. + + :param uuid: uuid of the policy + :param category_id: uuid of the subject category + :param data_id: uuid of the subject data + :param user_id: user ID who do the request + :request body: { + "name": "name of the data", + "description": "description of the data" + } + :return: { + "policy_id": "policy_id1", + "category_id": "category_id1", + "data": { + "subject_data_id": { + "name": "name of the data", + "description": "description of the data" + } + } + } + :internal_api: add_subject_data + """ + try: + data = PolicyManager.set_subject_data(user_id=user_id, + policy_id=uuid, + category_id=category_id, + value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"subject_data": data} + + @check_auth + def delete(self, uuid=None, category_id=None, data_id=None, user_id=None): + """Delete a subject for a given policy + + :param uuid: uuid of the policy + :param category_id: uuid of the subject category + :param data_id: uuid of the subject data + :param user_id: user ID who do the request + :return: [{ + "result": "True or False", + "message": "optional message" + }] + :internal_api: delete_subject_data + """ + try: + data = PolicyManager.delete_subject_data(user_id=user_id, + policy_id=uuid, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + +class ObjectData(Resource): + """ + Endpoint for object data requests + """ + + __urls__ = ( + "/policies/<string:uuid>/object_data", + "/policies/<string:uuid>/object_data/", + "/policies/<string:uuid>/object_data/<string:category_id>", + "/policies/<string:uuid>/object_data/<string:category_id>/" + "<string:data_id>", + ) + + @check_auth + def get(self, uuid=None, category_id=None, data_id=None, user_id=None): + """Retrieve all object categories or a specific one if sid is given + for a given policy + + :param uuid: uuid of the policy + :param category_id: uuid of the object category + :param data_id: uuid of the object data + :param user_id: user ID who do the request + :return: [{ + "policy_id": "policy_id1", + "category_id": "category_id1", + "data": { + "object_data_id": { + "name": "name of the data", + "description": "description of the data" + } + } + }] + :internal_api: get_object_data + """ + try: + data = PolicyManager.get_object_data(user_id=user_id, + policy_id=uuid, + category_id=category_id, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"object_data": data} + + @check_auth + def post(self, uuid=None, category_id=None, data_id=None, user_id=None): + """Create or update a object. + + :param uuid: uuid of the policy + :param category_id: uuid of the object category + :param data_id: uuid of the object data + :param user_id: user ID who do the request + :request body: { + "name": "name of the data", + "description": "description of the data" + } + :return: { + "policy_id": "policy_id1", + "category_id": "category_id1", + "data": { + "object_data_id": { + "name": "name of the data", + "description": "description of the data" + } + } + } + :internal_api: add_object_data + """ + try: + data = PolicyManager.add_object_data(user_id=user_id, + policy_id=uuid, + category_id=category_id, + value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"object_data": data} + + @check_auth + def delete(self, uuid=None, category_id=None, data_id=None, user_id=None): + """Delete a object for a given policy + + :param uuid: uuid of the policy + :param category_id: uuid of the object category + :param data_id: uuid of the object data + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_object_data + """ + try: + data = PolicyManager.delete_object_data(user_id=user_id, + policy_id=uuid, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + +class ActionData(Resource): + """ + Endpoint for action data requests + """ + + __urls__ = ( + "/policies/<string:uuid>/action_data", + "/policies/<string:uuid>/action_data/", + "/policies/<string:uuid>/action_data/<string:category_id>", + "/policies/<string:uuid>/action_data/<string:category_id>/" + "<string:data_id>", + ) + + @check_auth + def get(self, uuid=None, category_id=None, data_id=None, user_id=None): + """Retrieve all action categories or a specific one if sid is given + for a given policy + + :param uuid: uuid of the policy + :param category_id: uuid of the action category + :param data_id: uuid of the action data + :param user_id: user ID who do the request + :return: [{ + "policy_id": "policy_id1", + "category_id": "category_id1", + "data": { + "action_data_id": { + "name": "name of the data", + "description": "description of the data" + } + } + }] + :internal_api: get_action_data + """ + try: + data = PolicyManager.get_action_data(user_id=user_id, + policy_id=uuid, + category_id=category_id, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"action_data": data} + + @check_auth + def post(self, uuid=None, category_id=None, data_id=None, user_id=None): + """Create or update a action. + + :param uuid: uuid of the policy + :param category_id: uuid of the action category + :param data_id: uuid of the action data + :param user_id: user ID who do the request + :request body: { + "name": "name of the data", + "description": "description of the data" + } + :return: { + "policy_id": "policy_id1", + "category_id": "category_id1", + "data": { + "action_data_id": { + "name": "name of the data", + "description": "description of the data" + } + } + } + :internal_api: add_action_data + """ + try: + data = PolicyManager.add_action_data(user_id=user_id, + policy_id=uuid, + category_id=category_id, + value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"action_data": data} + + @check_auth + def delete(self, uuid=None, category_id=None, data_id=None, user_id=None): + """Delete a action for a given policy + + :param uuid: uuid of the policy + :param category_id: uuid of the action category + :param data_id: uuid of the action data + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_action_data + """ + try: + data = PolicyManager.delete_action_data(user_id=user_id, + policy_id=uuid, + data_id=data_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + diff --git a/moon_manager/moon_manager/api/generic.py b/moon_manager/moon_manager/api/generic.py new file mode 100644 index 00000000..bd7dcdac --- /dev/null +++ b/moon_manager/moon_manager/api/generic.py @@ -0,0 +1,131 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Those API are helping API used to manage the Moon platform. +""" + +from flask_restful import Resource, request +from oslo_log import log as logging +import moon_manager.api +from python_moonutilities.security_functions import check_auth + +__version__ = "0.1.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class Status(Resource): + """ + Endpoint for status requests + """ + + __urls__ = ("/status", "/status/", "/status/<string:component_id>") + + def get(self, component_id=None): + """Retrieve status of all components + + :return: { + "orchestrator": { + "status": "Running" + }, + "security_router": { + "status": "Running" + } + } + """ + raise NotImplemented + + +class Logs(Resource): + """ + Endpoint for logs requests + """ + + __urls__ = ("/logs", "/logs/", "/logs/<string:component_id>") + + def get(self, component_id=None): + """Get logs from the Moon platform + + :param component_id: the ID of the component your are looking for (optional) + :return: [ + "2015-04-15-13:45:20 + "2015-04-15-13:45:21 + "2015-04-15-13:45:22 + "2015-04-15-13:45:23 + ] + """ + filter_str = request.args.get('filter', '') + from_str = request.args.get('from', '') + to_str = request.args.get('to', '') + event_number = request.args.get('event_number', '') + try: + event_number = int(event_number) + except ValueError: + event_number = None + args = dict() + args["filter"] = filter_str + args["from"] = from_str + args["to"] = to_str + args["event_number"] = event_number + + raise NotImplemented + + +class API(Resource): + """ + Endpoint for API requests + """ + + __urls__ = ( + "/api", + "/api/", + "/api/<string:group_id>", + "/api/<string:group_id>/", + "/api/<string:group_id>/<string:endpoint_id>") + + @check_auth + def get(self, group_id="", endpoint_id="", user_id=""): + """Retrieve all API endpoints or a specific endpoint if endpoint_id is given + + :param group_id: the name of one existing group (ie generic, ...) + :param endpoint_id: the name of one existing component (ie Logs, Status, ...) + :return: { + "group_name": { + "endpoint_name": { + "description": "a description", + "methods": { + "get": "description of the HTTP method" + }, + "urls": ('/api', '/api/', '/api/<string:endpoint_id>') + } + } + """ + __methods = ("get", "post", "put", "delete", "options", "patch") + api_list = filter(lambda x: "__" not in x, dir(moon_manager.api)) + api_desc = dict() + for api_name in api_list: + api_desc[api_name] = {} + group_api_obj = eval("moon_manager.api.{}".format(api_name)) + api_desc[api_name]["description"] = group_api_obj.__doc__ + if "__version__" in dir(group_api_obj): + api_desc[api_name]["version"] = group_api_obj.__version__ + object_list = list(filter(lambda x: "__" not in x, dir(group_api_obj))) + for obj in map(lambda x: eval("moon_manager.api.{}.{}".format(api_name, x)), object_list): + if "__urls__" in dir(obj): + api_desc[api_name][obj.__name__] = dict() + api_desc[api_name][obj.__name__]["urls"] = obj.__urls__ + api_desc[api_name][obj.__name__]["methods"] = dict() + for _method in filter(lambda x: x in __methods, dir(obj)): + docstring = eval("moon_manager.api.{}.{}.{}.__doc__".format(api_name, obj.__name__, _method)) + api_desc[api_name][obj.__name__]["methods"][_method] = docstring + api_desc[api_name][obj.__name__]["description"] = str(obj.__doc__) + if group_id in api_desc: + if endpoint_id in api_desc[group_id]: + return {group_id: {endpoint_id: api_desc[group_id][endpoint_id]}} + elif len(endpoint_id) > 0: + LOG.error("Unknown endpoint_id {}".format(endpoint_id)) + return {"error": "Unknown endpoint_id {}".format(endpoint_id)} + return {group_id: api_desc[group_id]} + return api_desc diff --git a/moon_manager/moon_manager/api/meta_data.py b/moon_manager/moon_manager/api/meta_data.py new file mode 100644 index 00000000..9dc04cc7 --- /dev/null +++ b/moon_manager/moon_manager/api/meta_data.py @@ -0,0 +1,267 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Meta Data are elements used to create Meta data (skeleton of security policies) + +""" + +from flask import request +from flask_restful import Resource +from oslo_log import log as logging +from python_moonutilities.security_functions import check_auth +from python_moondb.core import ModelManager + +__version__ = "0.2.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class SubjectCategories(Resource): + """ + Endpoint for subject categories requests + """ + + __urls__ = ( + "/subject_categories", + "/subject_categories/", + "/subject_categories/<string:category_id>", + ) + + @check_auth + def get(self, category_id=None, user_id=None): + """Retrieve all subject categories or a specific one + + :param category_id: uuid of the subject category + :param user_id: user ID who do the request + :return: { + "subject_category_id": { + "name": "name of the category", + "description": "description of the category" + } + } + :internal_api: get_subject_categories + """ + try: + data = ModelManager.get_subject_categories( + user_id=user_id, category_id=category_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"subject_categories": data} + + @check_auth + def post(self, category_id=None, user_id=None): + """Create or update a subject category. + + :param category_id: must not be used here + :param user_id: user ID who do the request + :request body: { + "name": "name of the category", + "description": "description of the category" + } + :return: { + "subject_category_id": { + "name": "name of the category", + "description": "description of the category" + } + } + :internal_api: add_subject_category + """ + try: + data = ModelManager.add_subject_category( + user_id=user_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"subject_categories": data} + + @check_auth + def delete(self, category_id=None, user_id=None): + """Delete a subject category + + :param category_id: uuid of the subject category to delete + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_subject_category + """ + try: + data = ModelManager.delete_subject_category( + user_id=user_id, category_id=category_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + +class ObjectCategories(Resource): + """ + Endpoint for object categories requests + """ + + __urls__ = ( + "/object_categories", + "/object_categories/", + "/object_categories/<string:category_id>", + ) + + @check_auth + def get(self, category_id=None, user_id=None): + """Retrieve all object categories or a specific one + + :param category_id: uuid of the object category + :param user_id: user ID who do the request + :return: { + "object_category_id": { + "name": "name of the category", + "description": "description of the category" + } + } + :internal_api: get_object_categories + """ + try: + data = ModelManager.get_object_categories( + user_id=user_id, category_id=category_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"object_categories": data} + + @check_auth + def post(self, category_id=None, user_id=None): + """Create or update a object category. + + :param category_id: must not be used here + :param user_id: user ID who do the request + :request body: { + "name": "name of the category", + "description": "description of the category" + } + :return: { + "object_category_id": { + "name": "name of the category", + "description": "description of the category" + } + } + :internal_api: add_object_category + """ + try: + data = ModelManager.add_object_category( + user_id=user_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"object_categories": data} + + @check_auth + def delete(self, category_id=None, user_id=None): + """Delete an object category + + :param category_id: uuid of the object category to delete + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_object_category + """ + try: + data = ModelManager.delete_object_category( + user_id=user_id, category_id=category_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + +class ActionCategories(Resource): + """ + Endpoint for action categories requests + """ + + __urls__ = ( + "/action_categories", + "/action_categories/", + "/action_categories/<string:category_id>", + ) + + @check_auth + def get(self, category_id=None, user_id=None): + """Retrieve all action categories or a specific one + + :param category_id: uuid of the action category + :param user_id: user ID who do the request + :return: { + "action_category_id": { + "name": "name of the category", + "description": "description of the category" + } + } + :internal_api: get_action_categories + """ + try: + data = ModelManager.get_action_categories( + user_id=user_id, category_id=category_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"action_categories": data} + + @check_auth + def post(self, category_id=None, user_id=None): + """Create or update an action category. + + :param category_id: must not be used here + :param user_id: user ID who do the request + :request body: { + "name": "name of the category", + "description": "description of the category" + } + :return: { + "action_category_id": { + "name": "name of the category", + "description": "description of the category" + } + } + :internal_api: add_action_category + """ + try: + data = ModelManager.add_action_category( + user_id=user_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"action_categories": data} + + @check_auth + def delete(self, category_id=None, user_id=None): + """Delete an action + + :param category_id: uuid of the action category to delete + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_action_category + """ + try: + data = ModelManager.delete_action_category( + user_id=user_id, category_id=category_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} diff --git a/moon_manager/moon_manager/api/meta_rules.py b/moon_manager/moon_manager/api/meta_rules.py new file mode 100644 index 00000000..ceba0ffb --- /dev/null +++ b/moon_manager/moon_manager/api/meta_rules.py @@ -0,0 +1,164 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Meta rules are skeleton for security policies + +""" + +from flask import request +from flask_restful import Resource +from oslo_log import log as logging +from python_moonutilities.security_functions import check_auth +from python_moondb.core import ModelManager + +__version__ = "0.1.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class MetaRules(Resource): + """ + Endpoint for meta rules requests + """ + + __urls__ = ("/meta_rules", + "/meta_rules/", + "/meta_rules/<string:meta_rule_id>", + "/meta_rules/<string:meta_rule_id>/") + + @check_auth + def get(self, meta_rule_id=None, user_id=None): + """Retrieve all sub meta rules + + :param meta_rule_id: Meta rule algorithm ID + :param user_id: user ID who do the request + :return: { + "meta_rules": { + "meta_rule_id1": { + "name": "name of the meta rule", + "algorithm": "name of the meta rule algorithm", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + }, + } + } + :internal_api: get_meta_rules + """ + try: + data = ModelManager.get_meta_rules( + user_id=user_id, meta_rule_id=meta_rule_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"meta_rules": data} + + @check_auth + def post(self, meta_rule_id=None, user_id=None): + """Add a meta rule + + :param meta_rule_id: Meta rule ID + :param user_id: user ID who do the request + :request body: post = { + "name": "name of the meta rule", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + } + :return: { + "meta_rules": { + "meta_rule_id1": { + "name": "name of the meta rule", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + }, + } + } + :internal_api: add_meta_rules + """ + try: + data = ModelManager.add_meta_rule( + user_id=user_id, meta_rule_id=None, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"meta_rules": data} + + @check_auth + def patch(self, meta_rule_id=None, user_id=None): + """Update a meta rule + + :param meta_rule_id: Meta rule ID + :param user_id: user ID who do the request + :request body: patch = { + "name": "name of the meta rule", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + } + :return: { + "meta_rules": { + "meta_rule_id1": { + "name": "name of the meta rule", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + }, + } + } + :internal_api: set_meta_rules + """ + try: + data = ModelManager.set_meta_rule( + user_id=user_id, meta_rule_id=meta_rule_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"meta_rules": data} + + @check_auth + def delete(self, meta_rule_id=None, user_id=None): + """Delete a meta rule + + :param meta_rule_id: Meta rule ID + :param user_id: user ID who do the request + :request body: delete = { + "name": "name of the meta rule", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + } + :return: { + "meta_rules": { + "meta_rule_id1": { + "name": "name of the meta rule", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + }, + } + } + :internal_api: delete_meta_rules + """ + try: + data = ModelManager.delete_meta_rule( + user_id=user_id, meta_rule_id=meta_rule_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + diff --git a/moon_manager/moon_manager/api/models.py b/moon_manager/moon_manager/api/models.py new file mode 100644 index 00000000..62866191 --- /dev/null +++ b/moon_manager/moon_manager/api/models.py @@ -0,0 +1,127 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Models aggregate multiple meta rules +""" + +from flask import request +from flask_restful import Resource +from oslo_log import log as logging +from python_moonutilities.security_functions import check_auth +from python_moondb.core import ModelManager + +__version__ = "0.1.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class Models(Resource): + """ + Endpoint for model requests + """ + + __urls__ = ( + "/models", + "/models/", + "/models/<string:uuid>", + "/models/<string:uuid>/", + ) + + @check_auth + def get(self, uuid=None, user_id=None): + """Retrieve all models + + :param uuid: uuid of the model + :param user_id: user ID who do the request + :return: { + "model_id1": { + "name": "...", + "description": "...", + "meta_rules": ["meta_rule_id1", ] + } + } + :internal_api: get_models + """ + try: + data = ModelManager.get_models(user_id=user_id, model_id=uuid) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"models": data} + + @check_auth + def post(self, uuid=None, user_id=None): + """Create model. + + :param uuid: uuid of the model (not used here) + :param user_id: user ID who do the request + :request body: { + "name": "...", + "description": "...", + "meta_rules": ["meta_rule_id1", ] + } + :return: { + "model_id1": { + "name": "...", + "description": "...", + "meta_rules": ["meta_rule_id1", ] + } + } + :internal_api: add_model + """ + try: + data = ModelManager.add_model( + user_id=user_id, model_id=uuid, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"models": data} + + @check_auth + def delete(self, uuid=None, user_id=None): + """Delete a model + + :param uuid: uuid of the model to delete + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_model + """ + try: + data = ModelManager.delete_model(user_id=user_id, model_id=uuid) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + @check_auth + def patch(self, uuid=None, user_id=None): + """Update a model + + :param uuid: uuid of the model to update + :param user_id: user ID who do the request + :return: { + "model_id1": { + "name": "...", + "description": "...", + "meta_rules": ["meta_rule_id1", ] + } + } + :internal_api: update_model + """ + try: + data = ModelManager.update_model( + user_id=user_id, model_id=uuid, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"models": data} + diff --git a/moon_manager/moon_manager/api/pdp.py b/moon_manager/moon_manager/api/pdp.py new file mode 100644 index 00000000..9183c25d --- /dev/null +++ b/moon_manager/moon_manager/api/pdp.py @@ -0,0 +1,181 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +PDP are Policy Decision Point. + +""" + +from flask import request +from flask_restful import Resource +import logging +import requests +import time +from python_moonutilities.security_functions import check_auth +from python_moondb.core import PDPManager +from python_moondb.core import PolicyManager +from python_moondb.core import ModelManager +from python_moonutilities import configuration + +__version__ = "0.1.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +def delete_pod(uuid): + raise NotImplementedError + + +def add_pod(uuid, data): + if not data.get("keystone_project_id"): + return + LOG.info("Add a new pod {}".format(data)) + if "pdp_id" not in data: + data["pdp_id"] = uuid + data['policies'] = PolicyManager.get_policies(user_id="admin") + data['models'] = ModelManager.get_models(user_id="admin") + conf = configuration.get_configuration("components/orchestrator") + hostname = conf["components/orchestrator"].get("hostname", "orchestrator") + port = conf["components/orchestrator"].get("port", 80) + proto = conf["components/orchestrator"].get("protocol", "http") + while True: + try: + req = requests.post( + "{}://{}:{}/pods".format(proto, hostname, port), + json=data, + headers={"content-type": "application/json"}) + except requests.exceptions.ConnectionError: + LOG.warning("Orchestrator is not ready, standby...") + time.sleep(1) + else: + break + LOG.info(req.text) + + +class PDP(Resource): + """ + Endpoint for pdp requests + """ + + __urls__ = ( + "/pdp", + "/pdp/", + "/pdp/<string:uuid>", + "/pdp/<string:uuid>/", + ) + + @check_auth + def get(self, uuid=None, user_id=None): + """Retrieve all pdp + + :param uuid: uuid of the pdp + :param user_id: user ID who do the request + :return: { + "pdp_id1": { + "name": "...", + "security_pipeline": [...], + "keystone_project_id": "keystone_project_id1", + "description": "...", + } + } + :internal_api: get_pdp + """ + try: + data = PDPManager.get_pdp(user_id=user_id, pdp_id=uuid) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"pdps": data} + + @check_auth + def post(self, uuid=None, user_id=None): + """Create pdp. + + :param uuid: uuid of the pdp (not used here) + :param user_id: user ID who do the request + :request body: { + "name": "...", + "security_pipeline": [...], + "keystone_project_id": "keystone_project_id1", + "description": "...", + } + :return: { + "pdp_id1": { + "name": "...", + "security_pipeline": [...], + "keystone_project_id": "keystone_project_id1", + "description": "...", + } + } + :internal_api: add_pdp + """ + try: + data = dict(request.json) + if not data.get("keystone_project_id"): + data["keystone_project_id"] = None + data = PDPManager.add_pdp( + user_id=user_id, pdp_id=None, value=request.json) + uuid = list(data.keys())[0] + LOG.info("data={}".format(data)) + LOG.info("uuid={}".format(uuid)) + add_pod(uuid=uuid, data=data[uuid]) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"pdps": data} + + @check_auth + def delete(self, uuid=None, user_id=None): + """Delete a pdp + + :param uuid: uuid of the pdp to delete + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_pdp + """ + try: + data = PDPManager.delete_pdp(user_id=user_id, pdp_id=uuid) + delete_pod(uuid) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + @check_auth + def patch(self, uuid=None, user_id=None): + """Update a pdp + + :param uuid: uuid of the pdp to update + :param user_id: user ID who do the request + :return: { + "pdp_id1": { + "name": "...", + "security_pipeline": [...], + "keystone_project_id": "keystone_project_id1", + "description": "...", + } + } + :internal_api: update_pdp + """ + try: + _data = dict(request.json) + if not _data.get("keystone_project_id"): + _data["keystone_project_id"] = None + data = PDPManager.update_pdp( + user_id=user_id, pdp_id=uuid, value=_data) + LOG.info("data={}".format(data)) + LOG.info("uuid={}".format(uuid)) + add_pod(uuid=uuid, data=data[uuid]) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"pdps": data} + diff --git a/moon_manager/moon_manager/api/perimeter.py b/moon_manager/moon_manager/api/perimeter.py new file mode 100644 index 00000000..8196e627 --- /dev/null +++ b/moon_manager/moon_manager/api/perimeter.py @@ -0,0 +1,447 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +* Subjects are the source of an action on an object + (examples : users, virtual machines) +* Objects are the destination of an action + (examples virtual machines, virtual Routers) +* Actions are what subject wants to do on an object +""" + +from flask import request +from flask_restful import Resource +from oslo_log import log as logging +from python_moonutilities.security_functions import check_auth +from python_moondb.core import PolicyManager + +__version__ = "0.2.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class Subjects(Resource): + """ + Endpoint for subjects requests + """ + + __urls__ = ( + "/subjects", + "/subjects/", + "/subjects/<string:perimeter_id>", + "/policies/<string:uuid>/subjects", + "/policies/<string:uuid>/subjects/", + "/policies/<string:uuid>/subjects/<string:perimeter_id>", + ) + + @check_auth + def get(self, uuid=None, perimeter_id=None, user_id=None): + """Retrieve all subjects or a specific one if perimeter_id is + given for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the subject + :param user_id: user ID who do the request + :return: { + "subject_id": { + "name": "name of the subject", + "keystone_id": "keystone id of the subject", + "description": "a description" + } + } + :internal_api: get_subjects + """ + try: + data = PolicyManager.get_subjects( + user_id=user_id, + policy_id=uuid, + perimeter_id=perimeter_id + ) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"subjects": data} + + @check_auth + def post(self, uuid=None, perimeter_id=None, user_id=None): + """Create or update a subject. + + :param uuid: uuid of the policy + :param perimeter_id: must not be used here + :param user_id: user ID who do the request + :request body: { + "name": "name of the subject", + "description": "description of the subject", + "password": "password for the subject", + "email": "email address of the subject" + } + :return: { + "subject_id": { + "name": "name of the subject", + "keystone_id": "keystone id of the subject", + "description": "description of the subject", + "password": "password for the subject", + "email": "email address of the subject" + } + } + :internal_api: set_subject + """ + try: + if not perimeter_id: + data = PolicyManager.get_subjects(user_id=user_id, + policy_id=None) + if 'name' in request.json: + for data_id, data_value in data.items(): + if data_value['name'] == request.json['name']: + perimeter_id = data_id + break + data = PolicyManager.add_subject( + user_id=user_id, policy_id=uuid, + perimeter_id=perimeter_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"subjects": data} + + @check_auth + def patch(self, uuid=None, perimeter_id=None, user_id=None): + """Create or update a subject. + + :param uuid: uuid of the policy + :param perimeter_id: must not be used here + :param user_id: user ID who do the request + :request body: { + "name": "name of the subject", + "description": "description of the subject", + "password": "password for the subject", + "email": "email address of the subject" + } + :return: { + "subject_id": { + "name": "name of the subject", + "keystone_id": "keystone id of the subject", + "description": "description of the subject", + "password": "password for the subject", + "email": "email address of the subject" + } + } + :internal_api: set_subject + """ + try: + if not perimeter_id: + data = PolicyManager.get_subjects(user_id=user_id, + policy_id=None) + if 'name' in request.json: + for data_id, data_value in data.items(): + if data_value['name'] == request.json['name']: + perimeter_id = data_id + break + data = PolicyManager.add_subject( + user_id=user_id, policy_id=uuid, + perimeter_id=perimeter_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"subjects": data} + + @check_auth + def delete(self, uuid=None, perimeter_id=None, user_id=None): + """Delete a subject for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the subject + :param user_id: user ID who do the request + :return: { + "subject_id": { + "name": "name of the subject", + "keystone_id": "keystone id of the subject", + "description": "description of the subject", + "password": "password for the subject", + "email": "email address of the subject" + } + } + :internal_api: delete_subject + """ + try: + data = PolicyManager.delete_subject( + user_id=user_id, policy_id=uuid, perimeter_id=perimeter_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + +class Objects(Resource): + """ + Endpoint for objects requests + """ + + __urls__ = ( + "/objects", + "/objects/", + "/objects/<string:perimeter_id>", + "/policies/<string:uuid>/objects", + "/policies/<string:uuid>/objects/", + "/policies/<string:uuid>/objects/<string:perimeter_id>", + ) + + @check_auth + def get(self, uuid=None, perimeter_id=None, user_id=None): + """Retrieve all objects or a specific one if perimeter_id is + given for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the object + :param user_id: user ID who do the request + :return: { + "object_id": { + "name": "name of the object", + "description": "description of the object" + } + } + :internal_api: get_objects + """ + try: + data = PolicyManager.get_objects( + user_id=user_id, + policy_id=uuid, + perimeter_id=perimeter_id + ) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"objects": data} + + @check_auth + def post(self, uuid=None, perimeter_id=None, user_id=None): + """Create or update a object. + + :param uuid: uuid of the policy + :param perimeter_id: must not be used here + :param user_id: user ID who do the request + :request body: { + "object_name": "name of the object", + "object_description": "description of the object" + } + :return: { + "object_id": { + "name": "name of the object", + "description": "description of the object" + } + } + :internal_api: set_object + """ + try: + data = PolicyManager.get_objects(user_id=user_id, policy_id=None) + if 'name' in request.json: + for data_id, data_value in data.items(): + if data_value['name'] == request.json['name']: + perimeter_id = data_id + break + data = PolicyManager.add_object( + user_id=user_id, policy_id=uuid, + perimeter_id=perimeter_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"objects": data} + + @check_auth + def patch(self, uuid=None, perimeter_id=None, user_id=None): + """Create or update a object. + + :param uuid: uuid of the policy + :param perimeter_id: must not be used here + :param user_id: user ID who do the request + :request body: { + "object_name": "name of the object", + "object_description": "description of the object" + } + :return: { + "object_id": { + "name": "name of the object", + "description": "description of the object" + } + } + :internal_api: set_object + """ + try: + data = PolicyManager.get_objects(user_id=user_id, policy_id=None) + if 'name' in request.json: + for data_id, data_value in data.items(): + if data_value['name'] == request.json['name']: + perimeter_id = data_id + break + data = PolicyManager.add_object( + user_id=user_id, policy_id=uuid, + perimeter_id=perimeter_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"objects": data} + + @check_auth + def delete(self, uuid=None, perimeter_id=None, user_id=None): + """Delete a object for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the object + :param user_id: user ID who do the request + :return: { + "object_id": { + "name": "name of the object", + "description": "description of the object" + } + } + :internal_api: delete_object + """ + try: + data = PolicyManager.delete_object( + user_id=user_id, policy_id=uuid, perimeter_id=perimeter_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + +class Actions(Resource): + """ + Endpoint for actions requests + """ + + __urls__ = ( + "/actions", + "/actions/", + "/actions/<string:perimeter_id>", + "/policies/<string:uuid>/actions", + "/policies/<string:uuid>/actions/", + "/policies/<string:uuid>/actions/<string:perimeter_id>", + ) + + @check_auth + def get(self, uuid=None, perimeter_id=None, user_id=None): + """Retrieve all actions or a specific one if perimeter_id + is given for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the action + :param user_id: user ID who do the request + :return: { + "action_id": { + "name": "name of the action", + "description": "description of the action" + } + } + :internal_api: get_actions + """ + try: + data = PolicyManager.get_actions( + user_id=user_id, policy_id=uuid, perimeter_id=perimeter_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"actions": data} + + @check_auth + def post(self, uuid=None, perimeter_id=None, user_id=None): + """Create or update a action. + + :param uuid: uuid of the policy + :param perimeter_id: must not be used here + :param user_id: user ID who do the request + :request body: { + "name": "name of the action", + "description": "description of the action" + } + :return: { + "action_id": { + "name": "name of the action", + "description": "description of the action" + } + } + :internal_api: set_action + """ + try: + data = PolicyManager.get_actions(user_id=user_id, policy_id=None) + if 'name' in request.json: + for data_id, data_value in data.items(): + if data_value['name'] == request.json['name']: + perimeter_id = data_id + break + data = PolicyManager.add_action( + user_id=user_id, policy_id=uuid, + perimeter_id=perimeter_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"actions": data} + + @check_auth + def patch(self, uuid=None, perimeter_id=None, user_id=None): + """Create or update a action. + + :param uuid: uuid of the policy + :param perimeter_id: must not be used here + :param user_id: user ID who do the request + :request body: { + "name": "name of the action", + "description": "description of the action" + } + :return: { + "action_id": { + "name": "name of the action", + "description": "description of the action" + } + } + :internal_api: set_action + """ + try: + data = PolicyManager.get_actions(user_id=user_id, policy_id=None) + if 'name' in request.json: + for data_id, data_value in data.items(): + if data_value['name'] == request.json['name']: + perimeter_id = data_id + break + data = PolicyManager.add_action( + user_id=user_id, policy_id=uuid, + perimeter_id=perimeter_id, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"actions": data} + + @check_auth + def delete(self, uuid=None, perimeter_id=None, user_id=None): + """Delete a action for a given policy + + :param uuid: uuid of the policy + :param perimeter_id: uuid of the action + :param user_id: user ID who do the request + :return: { + "action_id": { + "name": "name of the action", + "description": "description of the action" + } + } + :internal_api: delete_action + """ + try: + data = PolicyManager.delete_action( + user_id=user_id, policy_id=uuid, perimeter_id=perimeter_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} diff --git a/moon_manager/moon_manager/api/policies.py b/moon_manager/moon_manager/api/policies.py new file mode 100644 index 00000000..f34276bb --- /dev/null +++ b/moon_manager/moon_manager/api/policies.py @@ -0,0 +1,132 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Policies are instances of security models and implement security policies + +""" + +from flask import request +from flask_restful import Resource +from oslo_log import log as logging +from python_moonutilities.security_functions import check_auth +from python_moondb.core import PolicyManager + +__version__ = "0.1.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class Policies(Resource): + """ + Endpoint for policy requests + """ + + __urls__ = ( + "/policies", + "/policies/", + "/policies/<string:uuid>", + "/policies/<string:uuid>/", + ) + + @check_auth + def get(self, uuid=None, user_id=None): + """Retrieve all policies + + :param uuid: uuid of the policy + :param user_id: user ID who do the request + :return: { + "policy_id1": { + "name": "...", + "model_id": "...", + "genre": "...", + "description": "...", + } + } + :internal_api: get_policies + """ + try: + data = PolicyManager.get_policies(user_id=user_id, policy_id=uuid) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"policies": data} + + @check_auth + def post(self, uuid=None, user_id=None): + """Create policy. + + :param uuid: uuid of the policy (not used here) + :param user_id: user ID who do the request + :request body: { + "name": "...", + "model_id": "...", + "genre": "...", + "description": "...", + } + :return: { + "policy_id1": { + "name": "...", + "model_id": "...", + "genre": "...", + "description": "...", + } + } + :internal_api: add_policy + """ + try: + data = PolicyManager.add_policy( + user_id=user_id, policy_id=uuid, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"policies": data} + + @check_auth + def delete(self, uuid=None, user_id=None): + """Delete a policy + + :param uuid: uuid of the policy to delete + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + :internal_api: delete_policy + """ + try: + data = PolicyManager.delete_policy(user_id=user_id, policy_id=uuid) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + + @check_auth + def patch(self, uuid=None, user_id=None): + """Update a policy + + :param uuid: uuid of the policy to update + :param user_id: user ID who do the request + :return: { + "policy_id1": { + "name": "...", + "model_id": "...", + "genre": "...", + "description": "...", + } + } + :internal_api: update_policy + """ + try: + data = PolicyManager.update_policy( + user_id=user_id, policy_id=uuid, value=request.json) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"policies": data} + diff --git a/moon_manager/moon_manager/api/rules.py b/moon_manager/moon_manager/api/rules.py new file mode 100644 index 00000000..b25365df --- /dev/null +++ b/moon_manager/moon_manager/api/rules.py @@ -0,0 +1,140 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Rules (TODO) +""" + +from flask import request +from flask_restful import Resource +from oslo_log import log as logging +from python_moonutilities.security_functions import check_auth +from python_moondb.core import PolicyManager + +__version__ = "0.1.0" + +LOG = logging.getLogger("moon.manager.api." + __name__) + + +class Rules(Resource): + """ + Endpoint for rules requests + """ + + __urls__ = ("/policies/<string:uuid>/rules", + "/policies/<string:uuid>/rules/", + "/policies/<string:uuid>/rules/<string:rule_id>", + "/policies/<string:uuid>/rules/<string:rule_id>/", + ) + + @check_auth + def get(self, uuid=None, rule_id=None, user_id=None): + """Retrieve all rules or a specific one + + :param uuid: policy ID + :param rule_id: rule ID + :param user_id: user ID who do the request + :return: { + "rules": [ + "policy_id": "policy_id1", + "meta_rule_id": "meta_rule_id1", + "rule_id1": + ["subject_data_id1", "object_data_id1", "action_data_id1"], + "rule_id2": + ["subject_data_id2", "object_data_id2", "action_data_id2"], + ] + } + :internal_api: get_rules + """ + try: + data = PolicyManager.get_rules(user_id=user_id, + policy_id=uuid, + rule_id=rule_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"rules": data} + + @check_auth + def post(self, uuid=None, rule_id=None, user_id=None): + """Add a rule to a meta rule + + :param uuid: policy ID + :param rule_id: rule ID + :param user_id: user ID who do the request + :request body: post = { + "meta_rule_id": "meta_rule_id1", + "rule": ["subject_data_id2", "object_data_id2", "action_data_id2"], + "instructions": ( + {"decision": "grant"}, + ) + "enabled": True + } + :return: { + "rules": [ + "meta_rule_id": "meta_rule_id1", + "rule_id1": { + "rule": ["subject_data_id1", + "object_data_id1", + "action_data_id1"], + "instructions": ( + {"decision": "grant"}, + # "grant" to immediately exit, + # "continue" to wait for the result of next policy + # "deny" to deny the request + ) + } + "rule_id2": { + "rule": ["subject_data_id2", + "object_data_id2", + "action_data_id2"], + "instructions": ( + { + "update": { + "operation": "add", + # operations may be "add" or "delete" + "target": "rbac:role:admin" + # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} + # chain with the policy named rbac + ) + } + ] + } + :internal_api: add_rule + """ + args = request.json + try: + data = PolicyManager.add_rule(user_id=user_id, + policy_id=uuid, + meta_rule_id=args['meta_rule_id'], + value=args) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"rules": data} + + @check_auth + def delete(self, uuid=None, rule_id=None, user_id=None): + """Delete one rule linked to a specific sub meta rule + + :param uuid: policy ID + :param rule_id: rule ID + :param user_id: user ID who do the request + :return: { "result": true } + :internal_api: delete_rule + """ + try: + data = PolicyManager.delete_rule( + user_id=user_id, policy_id=uuid, rule_id=rule_id) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": str(e)}, 500 + return {"result": True} + |