aboutsummaryrefslogtreecommitdiffstats
path: root/moonv4/moon_authz
diff options
context:
space:
mode:
Diffstat (limited to 'moonv4/moon_authz')
-rw-r--r--moonv4/moon_authz/Dockerfile7
-rw-r--r--moonv4/moon_authz/LICENSE54
-rw-r--r--moonv4/moon_authz/moon_authz/__main__.py3
-rw-r--r--moonv4/moon_authz/moon_authz/api/authorization.py387
-rw-r--r--moonv4/moon_authz/moon_authz/api/generic.py123
-rw-r--r--moonv4/moon_authz/moon_authz/http_server.py140
-rw-r--r--moonv4/moon_authz/moon_authz/messenger.py50
-rw-r--r--moonv4/moon_authz/moon_authz/server.py50
-rw-r--r--moonv4/moon_authz/requirements.txt9
-rw-r--r--moonv4/moon_authz/tests/unit_python/conftest.py29
-rw-r--r--moonv4/moon_authz/tests/unit_python/mock_pods.py545
-rw-r--r--moonv4/moon_authz/tests/unit_python/requirements.txt5
-rw-r--r--moonv4/moon_authz/tests/unit_python/test_authz.py50
-rw-r--r--moonv4/moon_authz/tests/unit_python/utilities.py173
14 files changed, 1336 insertions, 289 deletions
diff --git a/moonv4/moon_authz/Dockerfile b/moonv4/moon_authz/Dockerfile
index 6ecc8f2d..4189c333 100644
--- a/moonv4/moon_authz/Dockerfile
+++ b/moonv4/moon_authz/Dockerfile
@@ -1,13 +1,12 @@
FROM ubuntu:latest
-ENV UUID=null
-
RUN apt update && apt install python3.5 python3-pip -y
-RUN pip3 install moon_utilities moon_db pip --upgrade
+RUN pip3 install pip --upgrade
ADD . /root
WORKDIR /root/
-RUN pip3 install -r requirements.txt
+RUN pip3 install -r requirements.txt --upgrade
+#RUN pip3 install /root/dist/* --upgrade
RUN pip3 install .
CMD ["python3", "-m", "moon_authz"] \ No newline at end of file
diff --git a/moonv4/moon_authz/LICENSE b/moonv4/moon_authz/LICENSE
index 4143aac2..d6456956 100644
--- a/moonv4/moon_authz/LICENSE
+++ b/moonv4/moon_authz/LICENSE
@@ -174,31 +174,29 @@
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
---- License for python-keystoneclient versions prior to 2.1 ---
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- 3. Neither the name of this project nor the names of its contributors may
- be used to endorse or promote products derived from this software without
- specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/moonv4/moon_authz/moon_authz/__main__.py b/moonv4/moon_authz/moon_authz/__main__.py
index be483962..699c008c 100644
--- a/moonv4/moon_authz/moon_authz/__main__.py
+++ b/moonv4/moon_authz/moon_authz/__main__.py
@@ -1,3 +1,4 @@
from moon_authz.server import main
-main()
+server = main()
+server.run()
diff --git a/moonv4/moon_authz/moon_authz/api/authorization.py b/moonv4/moon_authz/moon_authz/api/authorization.py
index 94f1e13d..caa41082 100644
--- a/moonv4/moon_authz/moon_authz/api/authorization.py
+++ b/moonv4/moon_authz/moon_authz/api/authorization.py
@@ -3,17 +3,15 @@
# license which can be found in the file 'LICENSE' in this package distribution
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-import hashlib
+import binascii
import itertools
-from oslo_log import log as logging
-from oslo_config import cfg
-import oslo_messaging
-from moon_utilities.security_functions import call, Context, notify
-from moon_utilities.misc import get_uuid_from_name
+import pickle
+from uuid import uuid4
+import logging
from moon_utilities import exceptions
-from moon_db.core import PDPManager
-from moon_db.core import ModelManager
-from moon_db.core import PolicyManager
+import flask
+from flask import request
+from flask_restful import Resource
# TODO (asteroide):
# - end the dev of the context
@@ -21,43 +19,85 @@ from moon_db.core import PolicyManager
# - call the next security function
# - call the master if an element is absent
-LOG = logging.getLogger(__name__)
-CONF = cfg.CONF
+LOG = logging.getLogger("moon.api." + __name__)
-class Authorization(object):
+class Authz(Resource):
"""
- Retrieve the current status of all components.
+ Endpoint for authz requests
"""
+ __urls__ = (
+ "/authz",
+ "/authz/",
+ "/authz/<string:uuid>/<string:subject_name>/<string:object_name>/<string:action_name>",
+ )
__version__ = "0.1.0"
pdp_id = None
meta_rule_id = None
keystone_project_id = None
payload = None
- def __init__(self, component_desc):
- self.component_id = component_desc
- LOG.info("ext={}".format(component_desc))
- self.filter_rule = oslo_messaging.NotificationFilter(
- event_type='^authz$',
- context={'container_id': "\w+_"+hashlib.sha224(component_desc.encode("utf-8")).hexdigest()}
- )
+ def __init__(self, **kwargs):
+ component_data = kwargs.get("component_data", {})
+ self.component_id = component_data['component_id']
+ self.pdp_id = component_data['pdp_id']
+ self.meta_rule_id = component_data['meta_rule_id']
+ self.keystone_project_id = component_data['keystone_project_id']
+ self.cache = kwargs.get("cache")
+ self.context = None
- for _id_value in component_desc.split("_"):
- _type, _id = _id_value.split(":")
- if _type == "pdp":
- self.pdp_id = _id
- elif _type == "metarule":
- self.meta_rule_id = _id
- elif _type == "project":
- self.keystone_project_id = _id
+ def post(self, uuid=None, subject_name=None, object_name=None, action_name=None):
+ """Get a response on an authorization request
- def __check_rules(self, context):
+ :param uuid: uuid of a tenant or an intra_extension
+ :param subject_name: name of the subject or the request
+ :param object_name: name of the object
+ :param action_name: name of the action
+ :return: {
+ "args": {},
+ "ctx": {
+ "action_name": "4567",
+ "id": "123456",
+ "method": "authz",
+ "object_name": "234567",
+ "subject_name": "123456",
+ "user_id": "admin"
+ },
+ "error": {
+ "code": 500,
+ "description": "",
+ "title": "Moon Error"
+ },
+ "intra_extension_id": "123456",
+ "result": false
+ }
+ :internal_api: authz
+ """
+ self.context = pickle.loads(request.data)
+ self.context.set_cache(self.cache)
+ self.context.increment_index()
+ self.run()
+ self.context.delete_cache()
+ response = flask.make_response(pickle.dumps(self.context))
+ response.headers['content-type'] = 'application/octet-stream'
+ return response
+
+ def run(self):
+ LOG.info("self.context.pdp_set={}".format(self.context.pdp_set))
+ result, message = self.__check_rules()
+ if result:
+ return self.__exec_instructions(result)
+ else:
+ self.context.current_state = "deny"
+ # self.__exec_next_state(result)
+ return
+
+ def __check_rules(self):
scopes_list = list()
- current_header_id = context['headers'][context['index']]
- Context.update_target(context)
- current_pdp = context['pdp_set'][current_header_id]
+ current_header_id = self.context.headers[self.context.index]
+ # Context.update_target(context)
+ current_pdp = self.context.pdp_set[current_header_id]
category_list = list()
category_list.extend(current_pdp["meta_rules"]["subject_categories"])
category_list.extend(current_pdp["meta_rules"]["object_categories"])
@@ -65,13 +105,12 @@ class Authorization(object):
for category in category_list:
scope = list(current_pdp['target'][category])
scopes_list.append(scope)
- policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id)
- rules = PolicyManager.get_rules(user_id="admin",
- policy_id=policy_id,
- meta_rule_id=current_header_id)
+ # policy_id = self.cache.get_policy_from_meta_rules("admin", current_header_id)
+
for item in itertools.product(*scopes_list):
req = list(item)
- for rule in rules['rules']:
+ for rule in self.cache.rules[self.context.current_policy_id]["rules"]:
+ LOG.info("rule={}".format(rule))
if req == rule['rule']:
return rule['instructions'], ""
LOG.warning("No rule match the request...")
@@ -84,13 +123,12 @@ class Authorization(object):
except ValueError:
LOG.error("Cannot understand value in instruction ({})".format(target))
return False
- pdp_set = self.payload["authz_context"]['pdp_set']
- for meta_rule_id in self.payload["authz_context"]['pdp_set']:
- policy_id = PolicyManager.get_policy_from_meta_rules("admin", meta_rule_id)
+ # pdp_set = self.payload["authz_context"]['pdp_set']
+ for meta_rule_id in self.context.pdp_set:
if meta_rule_id == "effect":
continue
- if pdp_set[meta_rule_id]["meta_rules"]["name"] == policy_name:
- for category_id, category_value in ModelManager.get_subject_categories("admin").items():
+ if self.context.pdp_set[meta_rule_id]["meta_rules"]["name"] == policy_name:
+ for category_id, category_value in self.cache.subject_categories.items():
if category_value["name"] == "role":
subject_category_id = category_id
break
@@ -131,95 +169,96 @@ class Authorization(object):
return self.payload["container_chaining"][index]
def __update_headers(self, name):
- context = self.payload["authz_context"]
- for meta_rule_id, meta_rule_value in context["pdp_set"].items():
+ # context = self.payload["authz_context"]
+ for meta_rule_id, meta_rule_value in self.context.pdp_set.items():
if meta_rule_id == "effect":
continue
if meta_rule_value["meta_rules"]["name"] == name:
- self.payload["authz_context"]['headers'].append(meta_rule_id)
+ self.context.headers.append(meta_rule_id)
return True
return False
- def __exec_next_state(self, rule_found):
- index = self.payload["authz_context"]['index']
- current_meta_rule = self.payload["authz_context"]['headers'][index]
- current_container = self.__get_container_from_meta_rule(current_meta_rule)
- current_container_genre = current_container["genre"]
- try:
- next_meta_rule = self.payload["authz_context"]['headers'][index+1]
- except IndexError:
- next_meta_rule = None
- if current_container_genre == "authz":
- if rule_found:
- return self.__return_to_router()
- pass
- if next_meta_rule:
- # next will be session if current is deny and session is unset
- if self.payload["authz_context"]['pdp_set'][next_meta_rule]['effect'] == "unset":
- return notify(
- request_id=self.payload["authz_context"]["request_id"],
- container_id=self.__get_container_from_meta_rule(next_meta_rule)['container_id'],
- payload=self.payload)
- # next will be delegation if current is deny and session is passed or deny and delegation is unset
- else:
- LOG.error("Delegation is not developed!")
+ # def __exec_next_state(self, rule_found):
+ # index = self.context.index
+ # current_meta_rule = self.context.headers[index]
+ # current_container = self.__get_container_from_meta_rule(current_meta_rule)
+ # current_container_genre = current_container["genre"]
+ # try:
+ # next_meta_rule = self.context.headers[index + 1]
+ # except IndexError:
+ # next_meta_rule = None
+ # if current_container_genre == "authz":
+ # if rule_found:
+ # return True
+ # pass
+ # if next_meta_rule:
+ # # next will be session if current is deny and session is unset
+ # if self.payload["authz_context"]['pdp_set'][next_meta_rule]['effect'] == "unset":
+ # return notify(
+ # request_id=self.payload["authz_context"]["request_id"],
+ # container_id=self.__get_container_from_meta_rule(next_meta_rule)['container_id'],
+ # payload=self.payload)
+ # # next will be delegation if current is deny and session is passed or deny and delegation is unset
+ # else:
+ # LOG.error("Delegation is not developed!")
+ #
+ # else:
+ # # else next will be None and the request is sent to router
+ # return self.__return_to_router()
+ # elif current_container_genre == "session":
+ # pass
+ # # next will be next container in headers if current is passed
+ # if self.payload["authz_context"]['pdp_set'][current_meta_rule]['effect'] == "passed":
+ # return notify(
+ # request_id=self.payload["authz_context"]["request_id"],
+ # container_id=self.__get_container_from_meta_rule(next_meta_rule)['container_id'],
+ # payload=self.payload)
+ # # next will be None if current is grant and the request is sent to router
+ # else:
+ # return self.__return_to_router()
+ # elif current_container_genre == "delegation":
+ # LOG.error("Delegation is not developed!")
+ # # next will be authz if current is deny
+ # # next will be None if current is grant and the request is sent to router
- else:
- # else next will be None and the request is sent to router
- return self.__return_to_router()
- elif current_container_genre == "session":
- pass
- # next will be next container in headers if current is passed
- if self.payload["authz_context"]['pdp_set'][current_meta_rule]['effect'] == "passed":
- return notify(
- request_id=self.payload["authz_context"]["request_id"],
- container_id=self.__get_container_from_meta_rule(next_meta_rule)['container_id'],
- payload=self.payload)
- # next will be None if current is grant and the request is sent to router
- else:
- return self.__return_to_router()
- elif current_container_genre == "delegation":
- LOG.error("Delegation is not developed!")
- # next will be authz if current is deny
- # next will be None if current is grant and the request is sent to router
-
- def __return_to_router(self):
- call(endpoint="security_router",
- ctx={"id": self.component_id,
- "call_master": False,
- "method": "return_authz",
- "request_id": self.payload["authz_context"]["request_id"]},
- method="route",
- args=self.payload["authz_context"])
+ # def __return_to_router(self):
+ # call(endpoint="security_router",
+ # ctx={"id": self.component_id,
+ # "call_master": False,
+ # "method": "return_authz",
+ # "request_id": self.payload["authz_context"]["request_id"]},
+ # method="route",
+ # args=self.payload["authz_context"])
def __exec_instructions(self, instructions):
- current_header_id = self.payload["authz_context"]['headers'][self.payload["authz_context"]['index']]
for instruction in instructions:
for key in instruction:
if key == "decision":
if instruction["decision"] == "grant":
- self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "grant"
- self.__return_to_router()
+ self.context.current_state = "grant"
+ LOG.info("__exec_instructions True {}".format(
+ self.context.current_state))
+ return True
else:
- self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = instruction["decision"]
+ self.context.current_state = instruction["decision"].lower()
elif key == "chain":
result = self.__update_headers(**instruction["chain"])
if not result:
- self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "deny"
+ self.context.current_state = "deny"
else:
- self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "passed"
+ self.context.current_state = "passed"
elif key == "update":
result = self.__update_subject_category_in_policy(**instruction["update"])
if not result:
- self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "deny"
+ self.context.current_state = "deny"
else:
- self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "passed"
- # LOG.info("__exec_instructions {}".format(self.payload["authz_context"]))
+ self.context.current_state = "passed"
+ LOG.info("__exec_instructions False {}".format(self.context.current_state))
def __update_current_request(self):
index = self.payload["authz_context"]["index"]
current_header_id = self.payload["authz_context"]['headers'][index]
- previous_header_id = self.payload["authz_context"]['headers'][index-1]
+ previous_header_id = self.payload["authz_context"]['headers'][index - 1]
current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id)
previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id)
# FIXME (asteroide): must change those lines to be ubiquitous against any type of policy
@@ -233,11 +272,11 @@ class Authorization(object):
break
for assignment_id, assignment_value in PolicyManager.get_subject_assignments(
"admin", previous_policy_id, subject, subject_category_id).items():
- for data_id in assignment_value["assignments"]:
- data = PolicyManager.get_subject_data("admin", previous_policy_id, data_id, subject_category_id)
- for _data in data:
- for key, value in _data["data"].items():
- role_names.append(value["name"])
+ for data_id in assignment_value["assignments"]:
+ data = PolicyManager.get_subject_data("admin", previous_policy_id, data_id, subject_category_id)
+ for _data in data:
+ for key, value in _data["data"].items():
+ role_names.append(value["name"])
new_role_ids = []
for perimeter_id, perimeter_value in PolicyManager.get_objects("admin", current_policy_id).items():
if perimeter_value["name"] in role_names:
@@ -251,72 +290,65 @@ class Authorization(object):
self.payload["authz_context"]['current_request']['object'] = new_role_ids[0]
self.payload["authz_context"]['current_request']['action'] = perimeter_id
elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac":
- self.payload["authz_context"]['current_request']['subject'] = self.payload["authz_context"]['initial_request']['subject']
- self.payload["authz_context"]['current_request']['object'] = self.payload["authz_context"]['initial_request']['object']
- self.payload["authz_context"]['current_request']['action'] = self.payload["authz_context"]['initial_request']['action']
+ self.payload["authz_context"]['current_request']['subject'] = \
+ self.payload["authz_context"]['initial_request']['subject']
+ self.payload["authz_context"]['current_request']['object'] = \
+ self.payload["authz_context"]['initial_request']['object']
+ self.payload["authz_context"]['current_request']['action'] = \
+ self.payload["authz_context"]['initial_request']['action']
- def critical(self, ctxt, publisher_id, event_type, payload, metadata):
- """This is the authz endpoint
- but due to the oslo_messaging notification architecture, we must call it "critical"
-
- :param ctxt: context of the request
- :param publisher_id: ID of the publisher
- :param event_type: type of event ("authz" here)
- :param payload: content of the authz request
- :param metadata: metadata of the notification
- :return: result of the authorization for the current component
- """
- LOG.info("calling authz {} {}".format(ctxt, payload))
- self.keystone_project_id = payload["id"]
- self.payload = payload
+ def get_authz(self):
+ # self.keystone_project_id = payload["id"]
+ # LOG.info("get_authz {}".format(payload))
+ # self.payload = payload
try:
- if "authz_context" not in payload:
- try:
- self.payload["authz_context"] = Context(self.keystone_project_id,
- self.payload["subject_name"],
- self.payload["object_name"],
- self.payload["action_name"],
- self.payload["request_id"]).to_dict()
- except exceptions.SubjectUnknown:
- ctx = {
- "subject_name": self.payload["subject_name"],
- "object_name": self.payload["object_name"],
- "action_name": self.payload["action_name"],
- }
- call("moon_manager", method="update_from_master", ctx=ctx, args={})
- self.payload["authz_context"] = Context(self.keystone_project_id,
- self.payload["subject_name"],
- self.payload["object_name"],
- self.payload["action_name"],
- self.payload["request_id"]).to_dict()
- except exceptions.ObjectUnknown:
- ctx = {
- "subject_name": self.payload["subject_name"],
- "object_name": self.payload["object_name"],
- "action_name": self.payload["action_name"],
- }
- call("moon_manager", method="update_from_master", ctx=ctx, args={})
- self.payload["authz_context"] = Context(self.keystone_project_id,
- self.payload["subject_name"],
- self.payload["object_name"],
- self.payload["action_name"],
- self.payload["request_id"]).to_dict()
- except exceptions.ActionUnknown:
- ctx = {
- "subject_name": self.payload["subject_name"],
- "object_name": self.payload["object_name"],
- "action_name": self.payload["action_name"],
- }
- call("moon_manager", method="update_from_master", ctx=ctx, args={})
- self.payload["authz_context"] = Context(self.keystone_project_id,
- self.payload["subject_name"],
- self.payload["object_name"],
- self.payload["action_name"],
- self.payload["request_id"]).to_dict()
- self.__update_container_chaining()
- else:
- self.payload["authz_context"]["index"] += 1
- self.__update_current_request()
+ # if "authz_context" not in payload:
+ # try:
+ # self.payload["authz_context"] = Context(self.keystone_project_id,
+ # self.payload["subject_name"],
+ # self.payload["object_name"],
+ # self.payload["action_name"],
+ # self.payload["request_id"]).to_dict()
+ # except exceptions.SubjectUnknown:
+ # ctx = {
+ # "subject_name": self.payload["subject_name"],
+ # "object_name": self.payload["object_name"],
+ # "action_name": self.payload["action_name"],
+ # }
+ # call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ # self.payload["authz_context"] = Context(self.keystone_project_id,
+ # self.payload["subject_name"],
+ # self.payload["object_name"],
+ # self.payload["action_name"],
+ # self.payload["request_id"]).to_dict()
+ # except exceptions.ObjectUnknown:
+ # ctx = {
+ # "subject_name": self.payload["subject_name"],
+ # "object_name": self.payload["object_name"],
+ # "action_name": self.payload["action_name"],
+ # }
+ # call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ # self.payload["authz_context"] = Context(self.keystone_project_id,
+ # self.payload["subject_name"],
+ # self.payload["object_name"],
+ # self.payload["action_name"],
+ # self.payload["request_id"]).to_dict()
+ # except exceptions.ActionUnknown:
+ # ctx = {
+ # "subject_name": self.payload["subject_name"],
+ # "object_name": self.payload["object_name"],
+ # "action_name": self.payload["action_name"],
+ # }
+ # call("moon_manager", method="update_from_master", ctx=ctx, args={})
+ # self.payload["authz_context"] = Context(self.keystone_project_id,
+ # self.payload["subject_name"],
+ # self.payload["object_name"],
+ # self.payload["action_name"],
+ # self.payload["request_id"]).to_dict()
+ # self.__update_container_chaining()
+ # else:
+ # self.payload["authz_context"]["index"] += 1
+ # self.__update_current_request()
result, message = self.__check_rules(self.payload["authz_context"])
current_header_id = self.payload["authz_context"]['headers'][self.payload["authz_context"]['index']]
if result:
@@ -327,7 +359,7 @@ class Authorization(object):
return {"authz": result,
"error": message,
"pdp_id": self.pdp_id,
- "ctx": ctxt, "args": self.payload}
+ "args": self.payload}
except Exception as e:
try:
LOG.error(self.payload["authz_context"])
@@ -337,5 +369,8 @@ class Authorization(object):
return {"authz": False,
"error": str(e),
"pdp_id": self.pdp_id,
- "ctx": ctxt, "args": self.payload}
+ "args": self.payload}
+ def head(self, uuid=None, subject_name=None, object_name=None, action_name=None):
+ LOG.info("HEAD request")
+ return "", 200 \ No newline at end of file
diff --git a/moonv4/moon_authz/moon_authz/api/generic.py b/moonv4/moon_authz/moon_authz/api/generic.py
index db61188b..66169b15 100644
--- a/moonv4/moon_authz/moon_authz/api/generic.py
+++ b/moonv4/moon_authz/moon_authz/api/generic.py
@@ -2,27 +2,130 @@
# This software is distributed under the terms and conditions of the 'Apache-2.0'
# license which can be found in the file 'LICENSE' in this package distribution
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+"""
+Those API are helping API used to manage the Moon platform.
+"""
+from flask_restful import Resource, request
+from oslo_log import log as logging
+import moon_authz.api
+from moon_utilities.security_functions import check_auth
-class Status(object):
+__version__ = "0.1.0"
+
+LOG = logging.getLogger("moon.authz.api." + __name__)
+
+
+class Status(Resource):
"""
- Retrieve the current status of all components.
+ Endpoint for status requests
"""
- __version__ = "0.1.0"
+ __urls__ = ("/status", "/status/", "/status/<string:component_id>")
- def get_status(self, ctx, args):
- return {"status": "Running"}
+ def get(self, component_id=None):
+ """Retrieve status of all components
+ :return: {
+ "orchestrator": {
+ "status": "Running"
+ },
+ "security_router": {
+ "status": "Running"
+ }
+ }
+ """
+ raise NotImplemented
-class Logs(object):
+
+class Logs(Resource):
"""
- Retrieve the current status of all components.
+ Endpoint for logs requests
"""
- __version__ = "0.1.0"
+ __urls__ = ("/logs", "/logs/", "/logs/<string:component_id>")
+
+ def get(self, component_id=None):
+ """Get logs from the Moon platform
+
+ :param component_id: the ID of the component your are looking for (optional)
+ :return: [
+ "2015-04-15-13:45:20
+ "2015-04-15-13:45:21
+ "2015-04-15-13:45:22
+ "2015-04-15-13:45:23
+ ]
+ """
+ filter_str = request.args.get('filter', '')
+ from_str = request.args.get('from', '')
+ to_str = request.args.get('to', '')
+ event_number = request.args.get('event_number', '')
+ try:
+ event_number = int(event_number)
+ except ValueError:
+ event_number = None
+ args = dict()
+ args["filter"] = filter_str
+ args["from"] = from_str
+ args["to"] = to_str
+ args["event_number"] = event_number
+
+ raise NotImplemented
+
+
+class API(Resource):
+ """
+ Endpoint for API requests
+ """
- def get_logs(self, ctx, args):
- return {"error": "NotImplemented"}
+ __urls__ = (
+ "/api",
+ "/api/",
+ "/api/<string:group_id>",
+ "/api/<string:group_id>/",
+ "/api/<string:group_id>/<string:endpoint_id>")
+ @check_auth
+ def get(self, group_id="", endpoint_id="", user_id=""):
+ """Retrieve all API endpoints or a specific endpoint if endpoint_id is given
+ :param group_id: the name of one existing group (ie generic, ...)
+ :param endpoint_id: the name of one existing component (ie Logs, Status, ...)
+ :return: {
+ "group_name": {
+ "endpoint_name": {
+ "description": "a description",
+ "methods": {
+ "get": "description of the HTTP method"
+ },
+ "urls": ('/api', '/api/', '/api/<string:endpoint_id>')
+ }
+ }
+ """
+ __methods = ("get", "post", "put", "delete", "options", "patch")
+ api_list = filter(lambda x: "__" not in x, dir(moon_authz.api))
+ api_desc = dict()
+ for api_name in api_list:
+ api_desc[api_name] = {}
+ group_api_obj = eval("moon_interface.api.{}".format(api_name))
+ api_desc[api_name]["description"] = group_api_obj.__doc__
+ if "__version__" in dir(group_api_obj):
+ api_desc[api_name]["version"] = group_api_obj.__version__
+ object_list = list(filter(lambda x: "__" not in x, dir(group_api_obj)))
+ for obj in map(lambda x: eval("moon_interface.api.{}.{}".format(api_name, x)), object_list):
+ if "__urls__" in dir(obj):
+ api_desc[api_name][obj.__name__] = dict()
+ api_desc[api_name][obj.__name__]["urls"] = obj.__urls__
+ api_desc[api_name][obj.__name__]["methods"] = dict()
+ for _method in filter(lambda x: x in __methods, dir(obj)):
+ docstring = eval("moon_interface.api.{}.{}.{}.__doc__".format(api_name, obj.__name__, _method))
+ api_desc[api_name][obj.__name__]["methods"][_method] = docstring
+ api_desc[api_name][obj.__name__]["description"] = str(obj.__doc__)
+ if group_id in api_desc:
+ if endpoint_id in api_desc[group_id]:
+ return {group_id: {endpoint_id: api_desc[group_id][endpoint_id]}}
+ elif len(endpoint_id) > 0:
+ LOG.error("Unknown endpoint_id {}".format(endpoint_id))
+ return {"error": "Unknown endpoint_id {}".format(endpoint_id)}
+ return {group_id: api_desc[group_id]}
+ return api_desc
diff --git a/moonv4/moon_authz/moon_authz/http_server.py b/moonv4/moon_authz/moon_authz/http_server.py
new file mode 100644
index 00000000..b6818a9f
--- /dev/null
+++ b/moonv4/moon_authz/moon_authz/http_server.py
@@ -0,0 +1,140 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+from flask import Flask, request
+# from flask_cors import CORS, cross_origin
+from flask_restful import Resource, Api, reqparse
+import logging
+from moon_utilities import exceptions
+from moon_authz import __version__
+from moon_authz.api.authorization import Authz
+from moon_utilities.cache import Cache
+
+logger = logging.getLogger("moon." + __name__)
+
+CACHE = Cache()
+CACHE.update()
+
+
+class Server:
+ """Base class for HTTP server"""
+
+ def __init__(self, host="localhost", port=80, api=None, **kwargs):
+ """Run a server
+
+ :param host: hostname of the server
+ :param port: port for the running server
+ :param kwargs: optional parameters
+ :return: a running server
+ """
+ self._host = host
+ self._port = port
+ self._api = api
+ self._extra = kwargs
+
+ @property
+ def host(self):
+ return self._host
+
+ @host.setter
+ def host(self, name):
+ self._host = name
+
+ @host.deleter
+ def host(self):
+ self._host = ""
+
+ @property
+ def port(self):
+ return self._port
+
+ @port.setter
+ def port(self, number):
+ self._port = number
+
+ @port.deleter
+ def port(self):
+ self._port = 80
+
+ def run(self):
+ raise NotImplementedError()
+
+__API__ = (
+ Authz,
+ )
+
+
+class Root(Resource):
+ """
+ The root of the web service
+ """
+ __urls__ = ("/", )
+ __methods = ("get", "post", "put", "delete", "options")
+
+ def get(self):
+ tree = {"/": {"methods": ("get",), "description": "List all methods for that service."}}
+ for item in __API__:
+ tree[item.__name__] = {"urls": item.__urls__}
+ _methods = []
+ for _method in self.__methods:
+ if _method in dir(item):
+ _methods.append(_method)
+ tree[item.__name__]["methods"] = _methods
+ tree[item.__name__]["description"] = item.__doc__.strip()
+ return {
+ "version": __version__,
+ "tree": tree
+ }
+
+ def head(self):
+ return "", 201
+
+
+class HTTPServer(Server):
+
+ def __init__(self, host="0.0.0.0", port=38001, **kwargs):
+ super(HTTPServer, self).__init__(host=host, port=port, **kwargs)
+ self.component_data = kwargs.get("component_data", {})
+ logger.info("HTTPServer port={} {}".format(port, kwargs))
+ self.app = Flask(__name__)
+ self._port = port
+ self._host = host
+ # Todo : specify only few urls instead of *
+ # CORS(self.app)
+ self.component_id = kwargs.get("component_id")
+ self.keystone_project_id = kwargs.get("keystone_project_id")
+ self.container_chaining = kwargs.get("container_chaining")
+ self.api = Api(self.app)
+ self.__set_route()
+ # self.__hook_errors()
+
+ @self.app.errorhandler(exceptions.AuthException)
+ def _auth_exception(error):
+ return {"error": "Unauthorized"}, 401
+
+ def __hook_errors(self):
+ # FIXME (dthom): it doesn't work
+ def get_404_json(e):
+ return {"error": "Error", "code": 404, "description": e}
+ self.app.register_error_handler(404, get_404_json)
+
+ def get_400_json(e):
+ return {"error": "Error", "code": 400, "description": e}
+ self.app.register_error_handler(400, lambda e: get_400_json)
+ self.app.register_error_handler(403, exceptions.AuthException)
+
+ def __set_route(self):
+ self.api.add_resource(Root, '/')
+
+ for api in __API__:
+ self.api.add_resource(api, *api.__urls__,
+ resource_class_kwargs={
+ "component_data": self.component_data,
+ "cache": CACHE
+ }
+ )
+
+ def run(self):
+ self.app.run(host=self._host, port=self._port) # nosec
diff --git a/moonv4/moon_authz/moon_authz/messenger.py b/moonv4/moon_authz/moon_authz/messenger.py
deleted file mode 100644
index 6fa34770..00000000
--- a/moonv4/moon_authz/moon_authz/messenger.py
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-from oslo_config import cfg
-import oslo_messaging
-import time
-from oslo_log import log as logging
-from moon_authz.api.generic import Status, Logs
-from moon_authz.api.authorization import Authorization
-from moon_utilities.api import APIList
-
-LOG = logging.getLogger(__name__)
-CONF = cfg.CONF
-
-
-class Server:
-
- def __init__(self, component_id, keystone_project_id):
- self.TOPIC = "authz-workers"
- transport = oslo_messaging.get_notification_transport(cfg.CONF)
- targets = [
- oslo_messaging.Target(topic=self.TOPIC),
- ]
- self.endpoints = [
- APIList((Status, Logs)),
- Status(),
- Logs(),
- Authorization(component_id)
- ]
- pool = "authz-workers"
- self.server = oslo_messaging.get_notification_listener(transport, targets,
- self.endpoints, executor='threading',
- pool=pool)
- LOG.info("Starting MQ notification server with topic: {}".format(self.TOPIC))
-
- def run(self):
- try:
- self.server.start()
- while True:
- time.sleep(0.1)
- except KeyboardInterrupt:
- print("Stopping server by crtl+c")
- except SystemExit:
- print("Stopping server")
-
- self.server.stop()
-
-
diff --git a/moonv4/moon_authz/moon_authz/server.py b/moonv4/moon_authz/moon_authz/server.py
index 0c2a36ff..40143ba9 100644
--- a/moonv4/moon_authz/moon_authz/server.py
+++ b/moonv4/moon_authz/moon_authz/server.py
@@ -4,32 +4,44 @@
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
import os
-from oslo_config import cfg
from oslo_log import log as logging
-# cfg.CONF.register_cli_opt(cfg.StrOpt('function_type', positional=True,
-# help="The type of function managed by this component (example 'authz')."))
-cfg.CONF.register_cli_opt(cfg.StrOpt('uuid', positional=True,
- help="The ID of the component managed here."))
-cfg.CONF.register_cli_opt(cfg.StrOpt('keystone_project_id', positional=True,
- help="The ID of the component managed here."))
-from moon_utilities import options # noqa
-from moon_authz.messenger import Server
-
-LOG = logging.getLogger(__name__)
-CONF = cfg.CONF
+from moon_authz.http_server import HTTPServer as Server
+from moon_utilities import configuration
+
+LOG = logging.getLogger("moon.server")
DOMAIN = "moon_authz"
__CWD__ = os.path.dirname(os.path.abspath(__file__))
def main():
- component_id = CONF.uuid
- keystone_project_id = CONF.keystone_project_id
- # function_type = CONF.intra_extension_id.replace(component_id, "").strip('_')
- LOG.info("Starting server with IP {} on component {}".format(
- CONF.security_router.host, component_id))
- server = Server(component_id=component_id, keystone_project_id=keystone_project_id)
- server.run()
+ component_id = os.getenv("UUID")
+ component_type = os.getenv("TYPE")
+ tcp_port = os.getenv("PORT")
+ pdp_id = os.getenv("PDP_ID")
+ meta_rule_id = os.getenv("META_RULE_ID")
+ keystone_project_id = os.getenv("KEYSTONE_PROJECT_ID")
+ configuration.init_logging()
+ LOG.info("component_type={}".format(component_type))
+ conf = configuration.get_configuration("plugins/{}".format(component_type))
+ conf["plugins/{}".format(component_type)]['id'] = component_id
+ hostname = conf["plugins/{}".format(component_type)].get('hostname', component_id)
+ port = conf["plugins/{}".format(component_type)].get('port', tcp_port)
+ bind = conf["plugins/{}".format(component_type)].get('bind', "0.0.0.0")
+
+ LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind))
+ server = Server(
+ host=bind,
+ port=int(port),
+ component_data={
+ 'component_id': component_id,
+ 'component_type': component_type,
+ 'pdp_id': pdp_id,
+ 'meta_rule_id': meta_rule_id,
+ 'keystone_project_id': keystone_project_id,
+ }
+ )
+ return server
if __name__ == '__main__':
diff --git a/moonv4/moon_authz/requirements.txt b/moonv4/moon_authz/requirements.txt
index 8faf9439..344bec52 100644
--- a/moonv4/moon_authz/requirements.txt
+++ b/moonv4/moon_authz/requirements.txt
@@ -1 +1,8 @@
-kombu !=4.0.1,!=4.0.0 \ No newline at end of file
+kombu !=4.0.1,!=4.0.0
+oslo.log
+flask
+oslo.config
+flask_restful
+flask_cors
+moon_db
+moon_utilities
diff --git a/moonv4/moon_authz/tests/unit_python/conftest.py b/moonv4/moon_authz/tests/unit_python/conftest.py
new file mode 100644
index 00000000..a6e62078
--- /dev/null
+++ b/moonv4/moon_authz/tests/unit_python/conftest.py
@@ -0,0 +1,29 @@
+import pytest
+import requests_mock
+import mock_pods
+import os
+from utilities import CONTEXT
+
+
+@pytest.fixture
+def context():
+ return CONTEXT
+
+
+def set_env_variables():
+ os.environ['UUID'] = "1111111111"
+ os.environ['TYPE'] = "authz"
+ os.environ['PORT'] = "8081"
+ os.environ['PDP_ID'] = "b3d3e18abf3340e8b635fd49e6634ccd"
+ os.environ['META_RULE_ID'] = "f8f49a779ceb47b3ac810f01ef71b4e0"
+ os.environ['KEYSTONE_PROJECT_ID'] = CONTEXT['project_id']
+
+
+@pytest.fixture(autouse=True)
+def no_requests(monkeypatch):
+ """ Modify the response from Requests module
+ """
+ set_env_variables()
+ with requests_mock.Mocker(real_http=True) as m:
+ mock_pods.register_pods(m)
+ yield m
diff --git a/moonv4/moon_authz/tests/unit_python/mock_pods.py b/moonv4/moon_authz/tests/unit_python/mock_pods.py
new file mode 100644
index 00000000..7488f4f3
--- /dev/null
+++ b/moonv4/moon_authz/tests/unit_python/mock_pods.py
@@ -0,0 +1,545 @@
+from utilities import CONF, get_b64_conf, COMPONENTS
+
+pdp_mock = {
+ "b3d3e18abf3340e8b635fd49e6634ccd": {
+ "description": "test",
+ "security_pipeline": [
+ "f8f49a779ceb47b3ac810f01ef71b4e0"
+ ],
+ "name": "pdp_rbac",
+ "keystone_project_id": "a64beb1cc224474fb4badd43173e7101"
+ },
+ "pdp_id1": {
+ "name": "...",
+ "security_pipeline": ["policy_id_1", "policy_id_2"],
+ "keystone_project_id": "keystone_project_id1",
+ "description": "...",
+ },
+ "pdp_id12": {
+ "name": "...",
+ "security_pipeline": ["policy_id_1", "policy_id_2"],
+ "keystone_project_id": "keystone_project_id1",
+ "description": "...",
+ }
+}
+
+meta_rules_mock = {
+ "f8f49a779ceb47b3ac810f01ef71b4e0": {
+ "subject_categories": [
+ "14e6ae0ba34d458b876c791b73aa17bd"
+ ],
+ "action_categories": [
+ "241a2a791554421a91c9f1bc564aa94d"
+ ],
+ "description": "",
+ "name": "rbac",
+ "object_categories": [
+ "6d48500f639d4c2cab2b1f33ef93a1e8"
+ ]
+ },
+ "meta_rule_id1": {
+ "name": "meta_rule1",
+ "algorithm": "name of the meta rule algorithm",
+ "subject_categories": ["subject_category_id1",
+ "subject_category_id2"],
+ "object_categories": ["object_category_id1"],
+ "action_categories": ["action_category_id1"]
+ },
+ "meta_rule_id2": {
+ "name": "name of the meta rules2",
+ "algorithm": "name of the meta rule algorithm",
+ "subject_categories": ["subject_category_id1",
+ "subject_category_id2"],
+ "object_categories": ["object_category_id1"],
+ "action_categories": ["action_category_id1"]
+ }
+}
+
+policies_mock = {
+ "f8f49a779ceb47b3ac810f01ef71b4e0": {
+ "name": "RBAC policy example",
+ "model_id": "cd923d8633ff4978ab0e99938f5153d6",
+ "description": "test",
+ "genre": "authz"
+ },
+ "policy_id_1": {
+ "name": "test_policy1",
+ "model_id": "model_id_1",
+ "genre": "authz",
+ "description": "test",
+ },
+ "policy_id_2": {
+ "name": "test_policy2",
+ "model_id": "model_id_2",
+ "genre": "authz",
+ "description": "test",
+ }
+}
+
+subject_mock = {
+ "f8f49a779ceb47b3ac810f01ef71b4e0": {
+ "89ba91c18dd54abfbfde7a66936c51a6": {
+ "description": "test",
+ "policy_list": [
+ "f8f49a779ceb47b3ac810f01ef71b4e0",
+ "636cd473324f4c0bbd9102cb5b62a16d"
+ ],
+ "name": "testuser",
+ "email": "mail",
+ "id": "89ba91c18dd54abfbfde7a66936c51a6",
+ "partner_id": ""
+ }
+ },
+ "policy_id_1": {
+ "subject_id": {
+ "name": "subject_name",
+ "keystone_id": "keystone_project_id1",
+ "description": "a description"
+ }
+ },
+ "policy_id_2": {
+ "subject_id": {
+ "name": "subject_name",
+ "keystone_id": "keystone_project_id1",
+ "description": "a description"
+ }
+ }
+}
+
+subject_assignment_mock = {
+ "826c1156d0284fc9b4b2ddb279f63c52": {
+ "category_id": "14e6ae0ba34d458b876c791b73aa17bd",
+ "assignments": [
+ "24ea95256c5f4c888c1bb30a187788df",
+ "6b227b77184c48b6a5e2f3ed1de0c02a",
+ "31928b17ec90438ba5a2e50ae7650e63",
+ "4e60f554dd3147af87595fb6b37dcb13",
+ "7a5541b63a024fa88170a6b59f99ccd7",
+ "dd2af27812f742029d289df9687d6126"
+ ],
+ "id": "826c1156d0284fc9b4b2ddb279f63c52",
+ "subject_id": "89ba91c18dd54abfbfde7a66936c51a6",
+ "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0"
+ },
+ "7407ffc1232944279b0cbcb0847c86f7": {
+ "category_id": "315072d40d774c43a89ff33937ed24eb",
+ "assignments": [
+ "6b227b77184c48b6a5e2f3ed1de0c02a",
+ "31928b17ec90438ba5a2e50ae7650e63",
+ "7a5541b63a024fa88170a6b59f99ccd7",
+ "dd2af27812f742029d289df9687d6126"
+ ],
+ "id": "7407ffc1232944279b0cbcb0847c86f7",
+ "subject_id": "89ba91c18dd54abfbfde7a66936c51a6",
+ "policy_id": "3e65256389b448cb9897917ea235f0bb"
+ }
+}
+
+object_mock = {
+ "f8f49a779ceb47b3ac810f01ef71b4e0": {
+ "9089b3d2ce5b4e929ffc7e35b55eba1a": {
+ "name": "vm1",
+ "description": "test",
+ "id": "9089b3d2ce5b4e929ffc7e35b55eba1a",
+ "partner_id": "",
+ "policy_list": [
+ "f8f49a779ceb47b3ac810f01ef71b4e0",
+ "636cd473324f4c0bbd9102cb5b62a16d"
+ ]
+ },
+ },
+ "policy_id_1": {
+ "object_id": {
+ "name": "object_name",
+ "description": "a description"
+ }
+ },
+ "policy_id_2": {
+ "object_id": {
+ "name": "object_name",
+ "description": "a description"
+ }
+ }
+}
+
+object_assignment_mock = {
+ "201ad05fd3f940948b769ab9214fe295": {
+ "object_id": "9089b3d2ce5b4e929ffc7e35b55eba1a",
+ "assignments": [
+ "030fbb34002e4236a7b74eeb5fd71e35",
+ "06bcb8655b9d46a9b90e67ef7c825b50",
+ "34eb45d7f46d4fb6bc4965349b8e4b83",
+ "4b7793dbae434c31a77da9d92de9fa8c"
+ ],
+ "id": "201ad05fd3f940948b769ab9214fe295",
+ "category_id": "6d48500f639d4c2cab2b1f33ef93a1e8",
+ "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0"
+ },
+ "90c5e86f8be34c0298fbd1973e4fb043": {
+ "object_id": "67b8008a3f8d4f8e847eb628f0f7ca0e",
+ "assignments": [
+ "a098918e915b4b12bccb89f9a3f3b4e4",
+ "06bcb8655b9d46a9b90e67ef7c825b50",
+ "7dc76c6142af47c88b60cc2b0df650ba",
+ "4b7793dbae434c31a77da9d92de9fa8c"
+ ],
+ "id": "90c5e86f8be34c0298fbd1973e4fb043",
+ "category_id": "33aece52d45b4474a20dc48a76800daf",
+ "policy_id": "3e65256389b448cb9897917ea235f0bb"
+ }
+}
+
+action_mock = {
+ "f8f49a779ceb47b3ac810f01ef71b4e0": {
+ "cdb3df220dc05a6ea3334b994827b068": {
+ "name": "boot",
+ "description": "test",
+ "id": "cdb3df220dc04a6ea3334b994827b068",
+ "partner_id": "",
+ "policy_list": [
+ "f8f49a779ceb47b3ac810f01ef71b4e0",
+ "636cd473324f4c0bbd9102cb5b62a16d"
+ ]
+ },
+ "cdb3df220dc04a6ea3334b994827b068": {
+ "name": "stop",
+ "description": "test",
+ "id": "cdb3df220dc04a6ea3334b994827b068",
+ "partner_id": "",
+ "policy_list": [
+ "f8f49a779ceb47b3ac810f01ef71b4e0",
+ "636cd473324f4c0bbd9102cb5b62a16d"
+ ]
+ },
+ "9f5112afe9b34a6c894eb87246ccb7aa": {
+ "name": "start",
+ "description": "test",
+ "id": "9f5112afe9b34a6c894eb87246ccb7aa",
+ "partner_id": "",
+ "policy_list": [
+ "f8f49a779ceb47b3ac810f01ef71b4e0",
+ "636cd473324f4c0bbd9102cb5b62a16d"
+ ]
+ }
+ },
+ "policy_id_1": {
+ "action_id": {
+ "name": "action_name",
+ "description": "a description"
+ }
+ },
+ "policy_id_2": {
+ "action_id": {
+ "name": "action_name",
+ "description": "a description"
+ }
+ }
+}
+
+action_assignment_mock = {
+ "2128e3ffbd1c4ef5be515d625745c2d4": {
+ "category_id": "241a2a791554421a91c9f1bc564aa94d",
+ "action_id": "cdb3df220dc05a6ea3334b994827b068",
+ "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0",
+ "id": "2128e3ffbd1c4ef5be515d625745c2d4",
+ "assignments": [
+ "570c036781e540dc9395b83098c40ba7",
+ "7fe17d7a2e3542719f8349c3f2273182",
+ "015ca6f40338422ba3f692260377d638",
+ "23d44c17bf88480f83e8d57d2aa1ea79"
+ ]
+ },
+ "cffb98852f3a4110af7a0ddfc4e19201": {
+ "category_id": "4a2c5abaeaf644fcaf3ca8df64000d53",
+ "action_id": "cdb3df220dc04a6ea3334b994827b068",
+ "policy_id": "3e65256389b448cb9897917ea235f0bb",
+ "id": "cffb98852f3a4110af7a0ddfc4e19201",
+ "assignments": [
+ "570c036781e540dc9395b83098c40ba7",
+ "7fe17d7a2e3542719f8349c3f2273182",
+ "015ca6f40338422ba3f692260377d638",
+ "23d44c17bf88480f83e8d57d2aa1ea79"
+ ]
+ }
+}
+
+models_mock = {
+ "cd923d8633ff4978ab0e99938f5153d6": {
+ "name": "RBAC",
+ "meta_rules": [
+ "f8f49a779ceb47b3ac810f01ef71b4e0"
+ ],
+ "description": "test"
+ },
+ "model_id_1": {
+ "name": "test_model",
+ "description": "test",
+ "meta_rules": ["meta_rule_id1"]
+ },
+ "model_id_2": {
+ "name": "test_model",
+ "description": "test",
+ "meta_rules": ["meta_rule_id2"]
+ },
+}
+
+rules_mock = {
+ "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0",
+ "rules": [
+ {
+ "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0",
+ "rule": [
+ "24ea95256c5f4c888c1bb30a187788df",
+ "030fbb34002e4236a7b74eeb5fd71e35",
+ "570c036781e540dc9395b83098c40ba7"
+ ],
+ "enabled": True,
+ "id": "0201a2bcf56943c1904dbac016289b71",
+ "instructions": [
+ {
+ "decision": "grant"
+ }
+ ],
+ "meta_rule_id": "f8f49a779ceb47b3ac810f01ef71b4e0"
+ },
+ {
+ "policy_id": "ecc2451c494e47b5bca7250cd324a360",
+ "rule": [
+ "54f574cd2043468da5d65e4f6ed6e3c9",
+ "6559686961a3490a978f246ac9f85fbf",
+ "ac0d1f600bf447e8bd2f37b7cc47f2dc"
+ ],
+ "enabled": True,
+ "id": "a83fed666af8436192dfd8b3c83a6fde",
+ "instructions": [
+ {
+ "decision": "grant"
+ }
+ ],
+ "meta_rule_id": "f8f49a779ceb47b3ac810f01ef71b4e0"
+ }
+ ]
+}
+
+
+def register_pods(m):
+ """ Modify the response from Requests module
+ """
+ register_consul(m)
+ register_pdp(m)
+ register_meta_rules(m)
+ register_policies(m)
+ register_models(m)
+ register_orchestrator(m)
+ register_policy_subject(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
+ # register_policy_subject(m, "policy_id_2")
+ register_policy_object(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
+ # register_policy_object(m, "policy_id_2")
+ register_policy_action(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
+ # register_policy_action(m, "policy_id_2")
+ register_policy_subject_assignment(m, "f8f49a779ceb47b3ac810f01ef71b4e0", "89ba91c18dd54abfbfde7a66936c51a6")
+ # register_policy_subject_assignment_list(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
+ # register_policy_subject_assignment(m, "policy_id_2", "subject_id")
+ # register_policy_subject_assignment_list(m1, "policy_id_2")
+ register_policy_object_assignment(m, "f8f49a779ceb47b3ac810f01ef71b4e0", "9089b3d2ce5b4e929ffc7e35b55eba1a")
+ # register_policy_object_assignment_list(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
+ # register_policy_object_assignment(m, "policy_id_2", "object_id")
+ # register_policy_object_assignment_list(m1, "policy_id_2")
+ register_policy_action_assignment(m, "f8f49a779ceb47b3ac810f01ef71b4e0", "cdb3df220dc05a6ea3334b994827b068")
+ # register_policy_action_assignment_list(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
+ # register_policy_action_assignment(m, "policy_id_2", "action_id")
+ # register_policy_action_assignment_list(m1, "policy_id_2")
+ register_rules(m, "f8f49a779ceb47b3ac810f01ef71b4e0")
+ register_rules(m, "policy_id_1")
+ register_rules(m, "policy_id_2")
+
+
+def register_consul(m):
+ for component in COMPONENTS:
+ m.register_uri(
+ 'GET', 'http://consul:8500/v1/kv/{}'.format(component),
+ json=[{'Key': component, 'Value': get_b64_conf(component)}]
+ )
+ m.register_uri(
+ 'GET', 'http://consul:8500/v1/kv/components_port_start',
+ json=[
+ {
+ "LockIndex": 0,
+ "Key": "components_port_start",
+ "Flags": 0,
+ "Value": "MzEwMDE=",
+ "CreateIndex": 9,
+ "ModifyIndex": 9
+ }
+ ],
+ )
+ m.register_uri(
+ 'PUT', 'http://consul:8500/v1/kv/components_port_start',
+ json=[],
+ )
+ m.register_uri(
+ 'GET', 'http://consul:8500/v1/kv/plugins?recurse=true',
+ json=[
+ {
+ "LockIndex": 0,
+ "Key": "plugins/authz",
+ "Flags": 0,
+ "Value": "eyJjb250YWluZXIiOiAid3Vrb25nc3VuL21vb25fYXV0aHo6djQuMyIsICJwb3J0IjogODA4MX0=",
+ "CreateIndex": 14,
+ "ModifyIndex": 656
+ }
+ ],
+ )
+ m.register_uri(
+ 'GET', 'http://consul:8500/v1/kv/components?recurse=true',
+ json=[
+ {"Key": key, "Value": get_b64_conf(key)} for key in COMPONENTS
+ ],
+ )
+ m.register_uri(
+ 'GET', 'http://consul:8500/v1/kv/plugins/authz',
+ json=[
+ {
+ "LockIndex": 0,
+ "Key": "plugins/authz",
+ "Flags": 0,
+ "Value": "eyJjb250YWluZXIiOiAid3Vrb25nc3VuL21vb25fYXV0aHo6djQuMyIsICJwb3J0IjogODA4MX0=",
+ "CreateIndex": 14,
+ "ModifyIndex": 656
+ }
+ ],
+ )
+
+
+def register_orchestrator(m):
+ m.register_uri(
+ 'GET', 'http://orchestrator:8083/pods',
+ json={
+ "pods": {
+ "1234567890": [
+ {"name": "wrapper-quiet", "port": 8080,
+ "container": "wukongsun/moon_wrapper:v4.3.1",
+ "namespace": "moon"}]}}
+ )
+
+
+def register_pdp(m):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'pdp'),
+ json={'pdps': pdp_mock}
+ )
+
+
+def register_meta_rules(m):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'meta_rules'),
+ json={'meta_rules': meta_rules_mock}
+ )
+
+
+def register_policies(m):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies'),
+ json={'policies': policies_mock}
+ )
+
+
+def register_models(m):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'models'),
+ json={'models': models_mock}
+ )
+
+
+def register_policy_subject(m, policy_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/subjects'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies', policy_id),
+ json={'subjects': subject_mock[policy_id]}
+ )
+
+
+def register_policy_object(m, policy_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/objects'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies', policy_id),
+ json={'objects': object_mock[policy_id]}
+ )
+
+
+def register_policy_action(m, policy_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/actions'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies', policy_id),
+ json={'actions': action_mock[policy_id]}
+ )
+
+
+def register_policy_subject_assignment(m, policy_id, subj_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/subject_assignments/{}'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies',
+ policy_id,
+ subj_id),
+ json={'subject_assignments': subject_assignment_mock}
+ )
+
+
+def register_policy_subject_assignment_list(m, policy_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/subject_assignments'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies',
+ policy_id),
+ json={'subject_assignments': subject_assignment_mock}
+ )
+
+
+def register_policy_object_assignment(m, policy_id, obj_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/object_assignments/{}'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies',
+ policy_id,
+ obj_id),
+ json={'object_assignments': object_assignment_mock}
+ )
+
+
+def register_policy_object_assignment_list(m, policy_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/object_assignments'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies',
+ policy_id),
+ json={'object_assignments': object_assignment_mock}
+ )
+
+
+def register_policy_action_assignment(m, policy_id, action_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/action_assignments/{}'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies',
+ policy_id,
+ action_id),
+ json={'action_assignments': action_assignment_mock}
+ )
+
+
+def register_policy_action_assignment_list(m, policy_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/action_assignments'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies',
+ policy_id),
+ json={'action_assignments': action_assignment_mock}
+ )
+
+
+def register_rules(m, policy_id):
+ m.register_uri(
+ 'GET', 'http://{}:{}/{}/{}/{}'.format(CONF['components']['manager']['hostname'],
+ CONF['components']['manager']['port'], 'policies',
+ policy_id, 'rules'),
+ json={'rules': rules_mock}
+ ) \ No newline at end of file
diff --git a/moonv4/moon_authz/tests/unit_python/requirements.txt b/moonv4/moon_authz/tests/unit_python/requirements.txt
new file mode 100644
index 00000000..8bd8449f
--- /dev/null
+++ b/moonv4/moon_authz/tests/unit_python/requirements.txt
@@ -0,0 +1,5 @@
+flask
+flask_cors
+flask_restful
+moon_db
+moon_utilities \ No newline at end of file
diff --git a/moonv4/moon_authz/tests/unit_python/test_authz.py b/moonv4/moon_authz/tests/unit_python/test_authz.py
new file mode 100644
index 00000000..147f7c5d
--- /dev/null
+++ b/moonv4/moon_authz/tests/unit_python/test_authz.py
@@ -0,0 +1,50 @@
+import json
+import pickle
+
+
+def get_data(data):
+ return pickle.loads(data)
+
+
+def get_json(data):
+ return json.loads(data.decode("utf-8"))
+
+
+def test_authz_true(context):
+ import moon_authz.server
+ from moon_utilities.security_functions import Context
+ from moon_utilities.cache import Cache
+ server = moon_authz.server.main()
+ client = server.app.test_client()
+ CACHE = Cache()
+ CACHE.update()
+ print(CACHE.pdp)
+ _context = Context(context, CACHE)
+ req = client.post("/authz", data=pickle.dumps(_context))
+ assert req.status_code == 200
+ data = get_data(req.data)
+ assert data
+ assert isinstance(data, Context)
+ policy_id = data.headers[0]
+ assert policy_id
+ assert "effect" in data.pdp_set[policy_id]
+ assert data.pdp_set[policy_id]['effect'] == "grant"
+
+
+def test_user_not_allowed(context):
+ import moon_authz.server
+ from moon_utilities.security_functions import Context
+ from moon_utilities.cache import Cache
+ server = moon_authz.server.main()
+ client = server.app.test_client()
+ CACHE = Cache()
+ CACHE.update()
+ context['subject_name'] = "user_not_allowed"
+ _context = Context(context, CACHE)
+ req = client.post("/authz", data=pickle.dumps(_context))
+ assert req.status_code == 400
+ data = get_json(req.data)
+ assert data
+ assert isinstance(data, dict)
+ assert "message" in data
+ assert data["message"] == "Cannot find subject user_not_allowed"
diff --git a/moonv4/moon_authz/tests/unit_python/utilities.py b/moonv4/moon_authz/tests/unit_python/utilities.py
new file mode 100644
index 00000000..19b9354c
--- /dev/null
+++ b/moonv4/moon_authz/tests/unit_python/utilities.py
@@ -0,0 +1,173 @@
+import base64
+import json
+import pytest
+from uuid import uuid4
+
+
+CONF = {
+ "openstack": {
+ "keystone": {
+ "url": "http://keystone:5000/v3",
+ "user": "admin",
+ "check_token": False,
+ "password": "p4ssw0rd",
+ "domain": "default",
+ "certificate": False,
+ "project": "admin"
+ }
+ },
+ "components": {
+ "wrapper": {
+ "bind": "0.0.0.0",
+ "port": 8080,
+ "container": "wukongsun/moon_wrapper:v4.3",
+ "timeout": 5,
+ "hostname": "wrapper"
+ },
+ "manager": {
+ "bind": "0.0.0.0",
+ "port": 8082,
+ "container": "wukongsun/moon_manager:v4.3",
+ "hostname": "manager"
+ },
+ "port_start": 31001,
+ "orchestrator": {
+ "bind": "0.0.0.0",
+ "port": 8083,
+ "container": "wukongsun/moon_orchestrator:v4.3",
+ "hostname": "orchestrator"
+ },
+ "interface": {
+ "bind": "0.0.0.0",
+ "port": 8080,
+ "container": "wukongsun/moon_interface:v4.3",
+ "hostname": "interface"
+ }
+ },
+ "plugins": {
+ "session": {
+ "port": 8082,
+ "container": "asteroide/session:latest"
+ },
+ "authz": {
+ "port": 8081,
+ "container": "wukongsun/moon_authz:v4.3"
+ }
+ },
+ "logging": {
+ "handlers": {
+ "file": {
+ "filename": "/tmp/moon.log",
+ "class": "logging.handlers.RotatingFileHandler",
+ "level": "DEBUG",
+ "formatter": "custom",
+ "backupCount": 3,
+ "maxBytes": 1048576
+ },
+ "console": {
+ "class": "logging.StreamHandler",
+ "formatter": "brief",
+ "level": "INFO",
+ "stream": "ext://sys.stdout"
+ }
+ },
+ "formatters": {
+ "brief": {
+ "format": "%(levelname)s %(name)s %(message)-30s"
+ },
+ "custom": {
+ "format": "%(asctime)-15s %(levelname)s %(name)s %(message)s"
+ }
+ },
+ "root": {
+ "handlers": [
+ "console"
+ ],
+ "level": "ERROR"
+ },
+ "version": 1,
+ "loggers": {
+ "moon": {
+ "handlers": [
+ "console",
+ "file"
+ ],
+ "propagate": False,
+ "level": "DEBUG"
+ }
+ }
+ },
+ "slave": {
+ "name": None,
+ "master": {
+ "url": None,
+ "login": None,
+ "password": None
+ }
+ },
+ "docker": {
+ "url": "tcp://172.88.88.1:2376",
+ "network": "moon"
+ },
+ "database": {
+ "url": "sqlite:///database.db",
+ # "url": "mysql+pymysql://moon:p4sswOrd1@db/moon",
+ "driver": "sql"
+ },
+ "messenger": {
+ "url": "rabbit://moon:p4sswOrd1@messenger:5672/moon"
+ }
+}
+
+
+CONTEXT = {
+ "project_id": "a64beb1cc224474fb4badd43173e7101",
+ "subject_name": "testuser",
+ "object_name": "vm1",
+ "action_name": "boot",
+ "request_id": uuid4().hex,
+ "interface_name": "interface",
+ "manager_url": "http://{}:{}".format(
+ CONF["components"]["manager"]["hostname"],
+ CONF["components"]["manager"]["port"]
+ ),
+ "cookie": uuid4().hex,
+ "pdp_id": "b3d3e18abf3340e8b635fd49e6634ccd",
+ "security_pipeline": ["f8f49a779ceb47b3ac810f01ef71b4e0"]
+ }
+
+
+COMPONENTS = (
+ "logging",
+ "openstack/keystone",
+ "database",
+ "slave",
+ "components/manager",
+ "components/orchestrator",
+ "components/interface",
+ "components/wrapper",
+)
+
+
+def get_b64_conf(component=None):
+ if component == "components":
+ return base64.b64encode(
+ json.dumps(CONF["components"]).encode('utf-8')+b"\n").decode('utf-8')
+ elif component in CONF:
+ return base64.b64encode(
+ json.dumps(
+ CONF[component]).encode('utf-8')+b"\n").decode('utf-8')
+ elif not component:
+ return base64.b64encode(
+ json.dumps(CONF).encode('utf-8')+b"\n").decode('utf-8')
+ elif "/" in component:
+ key1, _, key2 = component.partition("/")
+ return base64.b64encode(
+ json.dumps(
+ CONF[key1][key2]).encode('utf-8')+b"\n").decode('utf-8')
+
+
+def get_json(data):
+ return json.loads(data.decode("utf-8"))
+
+