diff options
Diffstat (limited to 'moonv4/moon_interface')
41 files changed, 1173 insertions, 5396 deletions
diff --git a/moonv4/moon_interface/Dockerfile b/moonv4/moon_interface/Dockerfile index de5447b6..268aba48 100644 --- a/moonv4/moon_interface/Dockerfile +++ b/moonv4/moon_interface/Dockerfile @@ -6,6 +6,7 @@ RUN pip3 install moon_utilities moon_db pip --upgrade ADD . /root WORKDIR /root/ RUN pip3 install -r requirements.txt --upgrade +#RUN pip3 install /root/dist/* --upgrade RUN pip3 install . CMD ["python3", "-m", "moon_interface"]
\ No newline at end of file diff --git a/moonv4/moon_interface/LICENSE b/moonv4/moon_interface/LICENSE index 4143aac2..d6456956 100644 --- a/moonv4/moon_interface/LICENSE +++ b/moonv4/moon_interface/LICENSE @@ -174,31 +174,29 @@ incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. ---- License for python-keystoneclient versions prior to 2.1 --- - -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - 3. Neither the name of this project nor the names of its contributors may - be used to endorse or promote products derived from this software without - specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/moonv4/moon_interface/moon_interface/__main__.py b/moonv4/moon_interface/moon_interface/__main__.py index 2dac7b1d..517fdd60 100644 --- a/moonv4/moon_interface/moon_interface/__main__.py +++ b/moonv4/moon_interface/moon_interface/__main__.py @@ -1,3 +1,4 @@ from moon_interface.server import main -main() +server = main() +server.run() diff --git a/moonv4/moon_interface/moon_interface/api/assignments.py b/moonv4/moon_interface/moon_interface/api/assignments.py deleted file mode 100644 index 855a9049..00000000 --- a/moonv4/moon_interface/moon_interface/api/assignments.py +++ /dev/null @@ -1,264 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -Assignments allow to connect data with elements of perimeter - -""" - -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call -from moon_utilities.security_functions import check_auth - -__version__ = "0.2.0" - -LOG = logging.getLogger("moon.interface.api." + __name__) - - -class SubjectAssignments(Resource): - """ - Endpoint for subject assignment requests - """ - - __urls__ = ( - "/policies/<string:uuid>/subject_assignments", - "/policies/<string:uuid>/subject_assignments/", - "/policies/<string:uuid>/subject_assignments/<string:perimeter_id>", - "/policies/<string:uuid>/subject_assignments/<string:perimeter_id>/<string:category_id>", - "/policies/<string:uuid>/subject_assignments/<string:perimeter_id>/<string:category_id>/<string:data_id>", - ) - - @check_auth - def get(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): - """Retrieve all subject assignments or a specific one for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the subject - :param category_id: uuid of the subject category - :param data_id: uuid of the subject scope - :param user_id: user ID who do the request - :return: { - "subject_data_id": { - "policy_id": "ID of the policy", - "subject_id": "ID of the subject", - "category_id": "ID of the category", - "assignments": "Assignments list (list of data_id)", - } - } - :internal_api: get_subject_assignments - """ - return call(ctx={"id": uuid, "method": "get_subject_assignments", "perimeter_id": perimeter_id, "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - @check_auth - def post(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): - """Create a subject assignment. - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the subject (not used here) - :param category_id: uuid of the subject category (not used here) - :param data_id: uuid of the subject scope (not used here) - :param user_id: user ID who do the request - :request body: { - "id": "UUID of the subject", - "category_id": "UUID of the category" - "data_id": "UUID of the scope" - } - :return: { - "subject_data_id": { - "policy_id": "ID of the policy", - "subject_id": "ID of the subject", - "category_id": "ID of the category", - "assignments": "Assignments list (list of data_id)", - } - } - :internal_api: update_subject_assignment - """ - return call("security_router", - ctx={"id": uuid, "method": "update_subject_assignment", "user_id": user_id}, args=request.json) - - @check_auth - def delete(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): - """Delete a subject assignment for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the subject - :param category_id: uuid of the subject category - :param data_id: uuid of the subject scope - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_subject_assignment - """ - return call("security_router", - ctx={"id": uuid, "method": "delete_subject_assignment", "perimeter_id": perimeter_id, "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - -class ObjectAssignments(Resource): - """ - Endpoint for object assignment requests - """ - - __urls__ = ( - "/policies/<string:uuid>/object_assignments", - "/policies/<string:uuid>/object_assignments/", - "/policies/<string:uuid>/object_assignments/<string:perimeter_id>", - "/policies/<string:uuid>/object_assignments/<string:perimeter_id>/<string:category_id>", - "/policies/<string:uuid>/object_assignments/<string:perimeter_id>/<string:category_id>/<string:data_id>", - ) - - @check_auth - def get(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): - """Retrieve all object assignment or a specific one for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the object - :param category_id: uuid of the object category - :param data_id: uuid of the object scope - :param user_id: user ID who do the request - :return: { - "object_data_id": { - "policy_id": "ID of the policy", - "object_id": "ID of the object", - "category_id": "ID of the category", - "assignments": "Assignments list (list of data_id)", - } - } - :internal_api: get_object_assignments - """ - return call("security_router", - ctx={"id": uuid, "method": "get_object_assignments", "perimeter_id": perimeter_id, "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - @check_auth - def post(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): - """Create an object assignment. - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the object (not used here) - :param category_id: uuid of the object category (not used here) - :param data_id: uuid of the object scope (not used here) - :param user_id: user ID who do the request - :request body: { - "id": "UUID of the action", - "category_id": "UUID of the category" - "data_id": "UUID of the scope" - } - :return: { - "object_data_id": { - "policy_id": "ID of the policy", - "object_id": "ID of the object", - "category_id": "ID of the category", - "assignments": "Assignments list (list of data_id)", - } - } - :internal_api: update_object_assignment - """ - return call("security_router", - ctx={"id": uuid, "method": "update_object_assignment", "user_id": user_id}, args=request.json) - - @check_auth - def delete(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): - """Delete a object assignment for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the object - :param category_id: uuid of the object category - :param data_id: uuid of the object scope - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_object_assignment - """ - return call("security_router", - ctx={"id": uuid, "method": "delete_object_assignment", "perimeter_id": perimeter_id, "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - -class ActionAssignments(Resource): - """ - Endpoint for action assignment requests - """ - - __urls__ = ( - "/policies/<string:uuid>/action_assignments", - "/policies/<string:uuid>/action_assignments/", - "/policies/<string:uuid>/action_assignments/<string:perimeter_id>", - "/policies/<string:uuid>/action_assignments/<string:perimeter_id>/<string:category_id>", - "/policies/<string:uuid>/action_assignments/<string:perimeter_id>/<string:category_id>/<string:data_id>", - ) - - @check_auth - def get(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): - """Retrieve all action assignment or a specific one for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the action - :param category_id: uuid of the action category - :param data_id: uuid of the action scope - :param user_id: user ID who do the request - :return: { - "action_data_id": { - "policy_id": "ID of the policy", - "object_id": "ID of the action", - "category_id": "ID of the category", - "assignments": "Assignments list (list of data_id)", - } - } - :internal_api: get_action_assignments - """ - return call("security_router", ctx={"id": uuid, "method": "get_action_assignments", "perimeter_id": perimeter_id, "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - @check_auth - def post(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): - """Create an action assignment. - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the action (not used here) - :param category_id: uuid of the action category (not used here) - :param data_id: uuid of the action scope (not used here) - :param user_id: user ID who do the request - :request body: { - "id": "UUID of the action", - "category_id": "UUID of the category", - "data_id": "UUID of the scope" - } - :return: { - "action_data_id": { - "policy_id": "ID of the policy", - "object_id": "ID of the action", - "category_id": "ID of the category", - "assignments": "Assignments list (list of data_id)", - } - } - :internal_api: update_action_assignment - """ - return call("security_router", ctx={"id": uuid, "method": "update_action_assignment", "user_id": user_id}, - args=request.json) - - @check_auth - def delete(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): - """Delete a action assignment for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the action - :param category_id: uuid of the action category - :param data_id: uuid of the action scope - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_action_assignment - """ - return call("security_router", ctx={"id": uuid, "method": "delete_action_assignment", "perimeter_id": perimeter_id, "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) diff --git a/moonv4/moon_interface/moon_interface/api/authz.py b/moonv4/moon_interface/moon_interface/api/authz.py index 69de0f80..c9f4697f 100644 --- a/moonv4/moon_interface/moon_interface/api/authz.py +++ b/moonv4/moon_interface/moon_interface/api/authz.py @@ -6,23 +6,120 @@ Authz is the endpoint to get authorization response """ -from uuid import uuid4 -import time +from flask import request from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call +import logging +import pickle +import requests +import time +from uuid import uuid4 + +from moon_interface.authz_requests import AuthzRequest __version__ = "0.1.0" LOG = logging.getLogger("moon.interface.api." + __name__) +def pdp_in_cache(cache, uuid): + """Check if a PDP exist with this Keystone Project ID in the cache of this component + + :param cache: Cache to use + :param uuid: Keystone Project ID + :return: True or False + """ + for item_uuid, item_value in cache.pdp.items(): + if uuid == item_value['keystone_project_id']: + return item_uuid, item_value + return None, None + + +def pdp_in_manager(cache, uuid): + """Check if a PDP exist with this Keystone Project ID in the Manager component + + :param cache: Cache to use + :param uuid: Keystone Project ID + :return: True or False + """ + cache.update() + return pdp_in_cache(cache, uuid) + + +def container_exist(cache, uuid): + """Check if a PDP exist with this Keystone Project ID in the Manager component + + :param cache: Cache to use + :param uuid: Keystone Project ID + :return: True or False + """ + for key, value in cache.containers.items(): + if "keystone_project_id" not in value: + continue + if value["keystone_project_id"] == uuid: + try: + req = requests.head("http://{}:{}/".format( + value.get("hostname"), + value.get("port")[0].get("PublicPort"))) + LOG.info("container_exist {}".format(req.status_code)) + if req.status_code in (200, 201): + return value + return + except requests.exceptions.ConnectionError: + pass + # maybe hostname is not working so trying with IP address + try: + req = requests.head("http://{}:{}/".format( + value.get("ip"), + value.get("port")[0].get("PublicPort"))) + if req.status_code in (200, 201): + return value + return + except requests.exceptions.ConnectionError: + return + + +def create_authz_request(cache, interface_name, manager_url, uuid, subject_name, object_name, action_name): + """Create the authorization request and make the first call to the Authz function + + :param cache: Cache to use + :param interface_name: hostname of the interface + :param manager_url: URL of the manager + :param uuid: Keystone Project ID + :param subject_name: name of the subject + :param object_name: name of the object + :param action_name: name of the action + :return: Authorisation request + """ + req_id = uuid4().hex + ctx = { + "project_id": uuid, + "subject_name": subject_name, + "object_name": object_name, + "action_name": action_name, + "request_id": req_id, + "interface_name": interface_name, + "manager_url": manager_url, + "cookie": uuid4().hex + } + cache.authz_requests[req_id] = AuthzRequest(ctx) + return cache.authz_requests[req_id] + + class Authz(Resource): """ Endpoint for authz requests """ - __urls__ = ("/authz/<string:uuid>/<string:subject_name>/<string:object_name>/<string:action_name>", ) + __urls__ = ( + "/authz/<string:uuid>", + "/authz/<string:uuid>/<string:subject_name>/<string:object_name>/<string:action_name>", + ) + + def __init__(self, **kwargs): + self.CACHE = kwargs.get("cache") + self.INTERFACE_NAME = kwargs.get("interface_name", "interface") + self.MANAGER_URL = kwargs.get("manager_url", "http://manager:8080") + self.TIMEOUT = 5 def get(self, uuid=None, subject_name=None, object_name=None, action_name=None): """Get a response on an authorization request @@ -51,17 +148,46 @@ class Authz(Resource): } :internal_api: authz """ - # Note (asteroide): user_id default to admin to be able to read the database - # it would be better to have a read-only user. - start_time = time.time() - result = call("security_router", ctx={"id": uuid, - "call_master": False, - "method": "authz", - "subject_name": subject_name, - "object_name": object_name, - "action_name": action_name, - "user_id": "admin", - "request_id": uuid4().hex}, args={}) - end_time = time.time() - result['time'] = {"start": start_time, "end": end_time} - return result + pdp_id, pdp_value = pdp_in_cache(self.CACHE, uuid) + if not pdp_id: + pdp_id, pdp_value = pdp_in_manager(self.CACHE, uuid) + if not pdp_id: + return { + "result": False, + "message": "Unknown Project ID or " + "Project ID is not bind to a PDP."}, 403 + authz_request = create_authz_request( + cache=self.CACHE, + uuid=uuid, + interface_name=self.INTERFACE_NAME, + manager_url=self.MANAGER_URL, + subject_name=subject_name, + object_name=object_name, + action_name=action_name) + cpt = 0 + while True: + if cpt > self.TIMEOUT*10: + return {"result": False, + "message": "Authz request had timed out."}, 500 + if authz_request.is_authz(): + if authz_request.final_result == "Grant": + return {"result": True, "message": ""}, 200 + return {"result": False, "message": ""}, 401 + cpt += 1 + time.sleep(0.1) + + def patch(self, uuid=None, subject_name=None, object_name=None, action_name=None): + """Get a response on an authorization request + + :param uuid: uuid of the authorization request + :param subject_name: not used + :param object_name: not used + :param action_name: not used + :request body: a Context object + :return: {} + :internal_api: authz + """ + if uuid in self.CACHE.authz_requests: + self.CACHE.authz_requests[uuid].set_result(pickle.loads(request.data)) + return "", 201 + return {"result": False, "message": "The request ID is unknown"}, 500 diff --git a/moonv4/moon_interface/moon_interface/api/data.py b/moonv4/moon_interface/moon_interface/api/data.py deleted file mode 100644 index 6d959095..00000000 --- a/moonv4/moon_interface/moon_interface/api/data.py +++ /dev/null @@ -1,259 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -Data are elements used to create rules - -""" - -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call -from moon_utilities.security_functions import check_auth - -__version__ = "0.2.0" - -LOG = logging.getLogger("moon.interface.api." + __name__) - - -class SubjectData(Resource): - """ - Endpoint for subject data requests - """ - - __urls__ = ( - "/policies/<string:uuid>/subject_data", - "/policies/<string:uuid>/subject_data/", - "/policies/<string:uuid>/subject_data/<string:category_id>", - "/policies/<string:uuid>/subject_data/<string:category_id>/<string:data_id>", - ) - - @check_auth - def get(self, uuid=None, category_id=None, data_id=None, user_id=None): - """Retrieve all subject categories or a specific one if sid is given for a given policy - - :param uuid: uuid of the policy - :param category_id: uuid of the subject category - :param data_id: uuid of the subject data - :param user_id: user ID who do the request - :return: [{ - "policy_id": "policy_id1", - "category_id": "category_id1", - "data": { - "subject_data_id": { - "name": "name of the data", - "description": "description of the data" - } - } - }] - :internal_api: get_subject_data - """ - return call("security_router", ctx={"id": uuid, "method": "get_subject_data", "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - @check_auth - def post(self, uuid=None, category_id=None, data_id=None, user_id=None): - """Create or update a subject. - - :param uuid: uuid of the policy - :param category_id: uuid of the subject category - :param data_id: uuid of the subject data - :param user_id: user ID who do the request - :request body: { - "name": "name of the data", - "description": "description of the data" - } - :return: { - "policy_id": "policy_id1", - "category_id": "category_id1", - "data": { - "subject_data_id": { - "name": "name of the data", - "description": "description of the data" - } - } - } - :internal_api: add_subject_data - """ - return call("security_router", ctx={"id": uuid, "method": "add_subject_data", "category_id": category_id, "user_id": user_id}, - args=request.json) - - @check_auth - def delete(self, uuid=None, category_id=None, data_id=None, user_id=None): - """Delete a subject for a given policy - - :param uuid: uuid of the policy - :param category_id: uuid of the subject category - :param data_id: uuid of the subject data - :param user_id: user ID who do the request - :return: [{ - "result": "True or False", - "message": "optional message" - }] - :internal_api: delete_subject_data - """ - return call("security_router", ctx={"id": uuid, "method": "delete_subject_data", "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - -class ObjectData(Resource): - """ - Endpoint for object data requests - """ - - __urls__ = ( - "/policies/<string:uuid>/object_data", - "/policies/<string:uuid>/object_data/", - "/policies/<string:uuid>/object_data/<string:category_id>", - "/policies/<string:uuid>/object_data/<string:category_id>/<string:data_id>", - ) - - @check_auth - def get(self, uuid=None, category_id=None, data_id=None, user_id=None): - """Retrieve all object categories or a specific one if sid is given for a given policy - - :param uuid: uuid of the policy - :param category_id: uuid of the object category - :param data_id: uuid of the object data - :param user_id: user ID who do the request - :return: [{ - "policy_id": "policy_id1", - "category_id": "category_id1", - "data": { - "object_data_id": { - "name": "name of the data", - "description": "description of the data" - } - } - }] - :internal_api: get_object_data - """ - return call("security_router", ctx={"id": uuid, "method": "get_object_data", "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - @check_auth - def post(self, uuid=None, category_id=None, data_id=None, user_id=None): - """Create or update a object. - - :param uuid: uuid of the policy - :param category_id: uuid of the object category - :param data_id: uuid of the object data - :param user_id: user ID who do the request - :request body: { - "name": "name of the data", - "description": "description of the data" - } - :return: { - "policy_id": "policy_id1", - "category_id": "category_id1", - "data": { - "object_data_id": { - "name": "name of the data", - "description": "description of the data" - } - } - } - :internal_api: add_object_data - """ - return call("security_router", ctx={"id": uuid, "method": "add_object_data", "category_id": category_id, "user_id": user_id}, args=request.json) - - @check_auth - def delete(self, uuid=None, category_id=None, data_id=None, user_id=None): - """Delete a object for a given policy - - :param uuid: uuid of the policy - :param category_id: uuid of the object category - :param data_id: uuid of the object data - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_object_data - """ - return call("security_router", ctx={"id": uuid, "method": "delete_object_data", "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - -class ActionData(Resource): - """ - Endpoint for action data requests - """ - - __urls__ = ( - "/policies/<string:uuid>/action_data", - "/policies/<string:uuid>/action_data/", - "/policies/<string:uuid>/action_data/<string:category_id>", - "/policies/<string:uuid>/action_data/<string:category_id>/<string:data_id>", - ) - - @check_auth - def get(self, uuid=None, category_id=None, data_id=None, user_id=None): - """Retrieve all action categories or a specific one if sid is given for a given policy - - :param uuid: uuid of the policy - :param category_id: uuid of the action category - :param data_id: uuid of the action data - :param user_id: user ID who do the request - :return: [{ - "policy_id": "policy_id1", - "category_id": "category_id1", - "data": { - "action_data_id": { - "name": "name of the data", - "description": "description of the data" - } - } - }] - :internal_api: get_action_data - """ - return call("security_router", ctx={"id": uuid, "method": "get_action_data", "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - @check_auth - def post(self, uuid=None, category_id=None, data_id=None, user_id=None): - """Create or update a action. - - :param uuid: uuid of the policy - :param category_id: uuid of the action category - :param data_id: uuid of the action data - :param user_id: user ID who do the request - :request body: { - "name": "name of the data", - "description": "description of the data" - } - :return: { - "policy_id": "policy_id1", - "category_id": "category_id1", - "data": { - "action_data_id": { - "name": "name of the data", - "description": "description of the data" - } - } - } - :internal_api: add_action_data - """ - return call("security_router", ctx={"id": uuid, "method": "add_action_data", "category_id": category_id, "user_id": user_id}, - args=request.json) - - @check_auth - def delete(self, uuid=None, category_id=None, data_id=None, user_id=None): - """Delete a action for a given policy - - :param uuid: uuid of the policy - :param category_id: uuid of the action category - :param data_id: uuid of the action data - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_action_data - """ - return call("security_router", ctx={"id": uuid, "method": "delete_action_data", "category_id": category_id, "user_id": user_id}, - args={"data_id": data_id}) - - diff --git a/moonv4/moon_interface/moon_interface/api/generic.py b/moonv4/moon_interface/moon_interface/api/generic.py index 80e8abff..702f33cf 100644 --- a/moonv4/moon_interface/moon_interface/api/generic.py +++ b/moonv4/moon_interface/moon_interface/api/generic.py @@ -7,8 +7,7 @@ Those API are helping API used to manage the Moon platform. """ from flask_restful import Resource, request -from oslo_log import log as logging -from moon_utilities.security_functions import call +import logging import moon_interface.api from moon_utilities.security_functions import check_auth @@ -36,7 +35,7 @@ class Status(Resource): } } """ - return call("security_router", method="get_status", ctx={"component_id": component_id}) + raise NotImplemented class Logs(Resource): @@ -71,7 +70,7 @@ class Logs(Resource): args["to"] = to_str args["event_number"] = event_number - return call("security_router", method="get_logs", ctx={"component_id": component_id}, args=args) + raise NotImplemented class API(Resource): @@ -130,22 +129,3 @@ class API(Resource): return {"error": "Unknown endpoint_id {}".format(endpoint_id)} return {group_id: api_desc[group_id]} return api_desc - - -class InternalAPI(Resource): - """ - Endpoint for status requests - """ - - __urls__ = ("/internal_api", "/internal_api/", "/internal_api/<string:component_id>") - - def get(self, component_id=None, user_id=""): - api_list = ("orchestrator", "security_router") - if not component_id: - return {"api": api_list} - if component_id in api_list: - api_desc = dict() - api_desc["name"] = component_id - api_desc["endpoints"] = call("security_router", component_id, {}, "list_api") - return api_desc - diff --git a/moonv4/moon_interface/moon_interface/api/meta_data.py b/moonv4/moon_interface/moon_interface/api/meta_data.py deleted file mode 100644 index 3c933759..00000000 --- a/moonv4/moon_interface/moon_interface/api/meta_data.py +++ /dev/null @@ -1,204 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -Meta Data are elements used to create Meta data (skeleton of security policies) - -""" - -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call -from moon_utilities.security_functions import check_auth - -__version__ = "0.2.0" - -LOG = logging.getLogger("moon.interface.api." + __name__) - - -class SubjectCategories(Resource): - """ - Endpoint for subject categories requests - """ - - __urls__ = ( - "/subject_categories", - "/subject_categories/", - "/subject_categories/<string:category_id>", - ) - - @check_auth - def get(self, category_id=None, user_id=None): - """Retrieve all subject categories or a specific one - - :param category_id: uuid of the subject category - :param user_id: user ID who do the request - :return: { - "subject_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - :internal_api: get_subject_categories - """ - return call("security_router", ctx={"method": "get_subject_categories", "user_id": user_id}, args={"category_id": category_id}) - - @check_auth - def post(self, category_id=None, user_id=None): - """Create or update a subject category. - - :param category_id: must not be used here - :param user_id: user ID who do the request - :request body: { - "name": "name of the category", - "description": "description of the category" - } - :return: { - "subject_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - :internal_api: add_subject_category - """ - return call("security_router", ctx={"method": "set_subject_category", "user_id": user_id}, args=request.json) - - @check_auth - def delete(self, category_id=None, user_id=None): - """Delete a subject category - - :param category_id: uuid of the subject category to delete - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_subject_category - """ - return call("security_router", ctx={"method": "delete_subject_category", "user_id": user_id}, args={"category_id": category_id}) - - -class ObjectCategories(Resource): - """ - Endpoint for object categories requests - """ - - __urls__ = ( - "/object_categories", - "/object_categories/", - "/object_categories/<string:category_id>", - ) - - @check_auth - def get(self, category_id=None, user_id=None): - """Retrieve all object categories or a specific one - - :param category_id: uuid of the object category - :param user_id: user ID who do the request - :return: { - "object_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - :internal_api: get_object_categories - """ - return call("security_router", ctx={"method": "get_object_categories", "user_id": user_id}, args={"category_id": category_id}) - - @check_auth - def post(self, category_id=None, user_id=None): - """Create or update a object category. - - :param category_id: must not be used here - :param user_id: user ID who do the request - :request body: { - "name": "name of the category", - "description": "description of the category" - } - :return: { - "object_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - :internal_api: add_object_category - """ - return call("security_router", ctx={"method": "set_object_category", "user_id": user_id}, args=request.json) - - @check_auth - def delete(self, category_id=None, user_id=None): - """Delete an object category - - :param category_id: uuid of the object category to delete - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_object_category - """ - return call("security_router", ctx={"method": "delete_object_category", "user_id": user_id}, args={"category_id": category_id}) - - -class ActionCategories(Resource): - """ - Endpoint for action categories requests - """ - - __urls__ = ( - "/action_categories", - "/action_categories/", - "/action_categories/<string:category_id>", - ) - - @check_auth - def get(self, category_id=None, user_id=None): - """Retrieve all action categories or a specific one - - :param category_id: uuid of the action category - :param user_id: user ID who do the request - :return: { - "action_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - :internal_api: get_action_categories - """ - return call("security_router", ctx={"method": "get_action_categories", "user_id": user_id}, args={"category_id": category_id}) - - @check_auth - def post(self, category_id=None, user_id=None): - """Create or update an action category. - - :param category_id: must not be used here - :param user_id: user ID who do the request - :request body: { - "name": "name of the category", - "description": "description of the category" - } - :return: { - "action_category_id": { - "name": "name of the category", - "description": "description of the category" - } - } - :internal_api: add_action_category - """ - return call("security_router", ctx={"method": "set_action_category", "user_id": user_id}, args=request.json) - - @check_auth - def delete(self, category_id=None, user_id=None): - """Delete an action - - :param category_id: uuid of the action category to delete - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_action_category - """ - return call("security_router", ctx={"method": "delete_action_category", "user_id": user_id}, args={"category_id": category_id}) diff --git a/moonv4/moon_interface/moon_interface/api/meta_rules.py b/moonv4/moon_interface/moon_interface/api/meta_rules.py deleted file mode 100644 index 85072243..00000000 --- a/moonv4/moon_interface/moon_interface/api/meta_rules.py +++ /dev/null @@ -1,138 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -Meta rules are skeleton for security policies - -""" - -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call -from moon_utilities.security_functions import check_auth - -__version__ = "0.1.0" - -LOG = logging.getLogger("moon.interface.api." + __name__) - - -class MetaRules(Resource): - """ - Endpoint for meta rules requests - """ - - __urls__ = ("/meta_rules", - "/meta_rules/", - "/meta_rules/<string:meta_rule_id>", - "/meta_rules/<string:meta_rule_id>/") - - @check_auth - def get(self, meta_rule_id=None, user_id=None): - """Retrieve all sub meta rules - - :param meta_rule_id: Meta rule algorithm ID - :param user_id: user ID who do the request - :return: { - "meta_rules": { - "meta_rule_id1": { - "name": "name of the meta rule", - "algorithm": "name of the meta rule algorithm", - "subject_categories": ["subject_category_id1", "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - }, - } - } - :internal_api: get_meta_rules - """ - return call("security_router", ctx={"method": "get_meta_rules", - "user_id": user_id, - "meta_rule_id": meta_rule_id}, args={}) - - @check_auth - def post(self, meta_rule_id=None, user_id=None): - """Add a meta rule - - :param meta_rule_id: Meta rule ID - :param user_id: user ID who do the request - :request body: post = { - "name": "name of the meta rule", - "subject_categories": ["subject_category_id1", "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - } - :return: { - "meta_rules": { - "meta_rule_id1": { - "name": "name of the meta rule", - "subject_categories": ["subject_category_id1", "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - }, - } - } - :internal_api: add_meta_rules - """ - return call("security_router", ctx={"method": "add_meta_rules", - "user_id": user_id, - "meta_rule_id": meta_rule_id}, args=request.json) - - @check_auth - def patch(self, meta_rule_id=None, user_id=None): - """Update a meta rule - - :param meta_rule_id: Meta rule ID - :param user_id: user ID who do the request - :request body: patch = { - "name": "name of the meta rule", - "subject_categories": ["subject_category_id1", "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - } - :return: { - "meta_rules": { - "meta_rule_id1": { - "name": "name of the meta rule", - "subject_categories": ["subject_category_id1", "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - }, - } - } - :internal_api: set_meta_rules - """ - return call("security_router", ctx={"method": "set_meta_rules", - "user_id": user_id, - "meta_rule_id": meta_rule_id}, args=request.json) - - @check_auth - def delete(self, meta_rule_id=None, user_id=None): - """Delete a meta rule - - :param meta_rule_id: Meta rule ID - :param user_id: user ID who do the request - :request body: delete = { - "name": "name of the meta rule", - "subject_categories": ["subject_category_id1", "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - } - :return: { - "meta_rules": { - "meta_rule_id1": { - "name": "name of the meta rule", - "subject_categories": ["subject_category_id1", "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - }, - } - } - :internal_api: delete_meta_rules - """ - return call("security_router", ctx={"method": "delete_meta_rules", - "user_id": user_id, - "meta_rule_id": meta_rule_id}, args=request.json) - - diff --git a/moonv4/moon_interface/moon_interface/api/models.py b/moonv4/moon_interface/moon_interface/api/models.py deleted file mode 100644 index f905db63..00000000 --- a/moonv4/moon_interface/moon_interface/api/models.py +++ /dev/null @@ -1,101 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -Models aggregate multiple meta rules -""" - -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call -from moon_utilities.security_functions import check_auth - -__version__ = "0.1.0" - -LOG = logging.getLogger("moon.interface.api." + __name__) - - -class Models(Resource): - """ - Endpoint for model requests - """ - - __urls__ = ( - "/models", - "/models/", - "/models/<string:uuid>", - "/models/<string:uuid>/", - ) - - @check_auth - def get(self, uuid=None, user_id=None): - """Retrieve all models - - :param uuid: uuid of the model - :param user_id: user ID who do the request - :return: { - "model_id1": { - "name": "...", - "description": "...", - "meta_rules": ["meta_rule_id1", ] - } - } - :internal_api: get_models - """ - return call("security_router", ctx={"id": uuid, "method": "get_models", "user_id": user_id}, args={}) - - @check_auth - def post(self, uuid=None, user_id=None): - """Create model. - - :param uuid: uuid of the model (not used here) - :param user_id: user ID who do the request - :request body: { - "name": "...", - "description": "...", - "meta_rules": ["meta_rule_id1", ] - } - :return: { - "model_id1": { - "name": "...", - "description": "...", - "meta_rules": ["meta_rule_id1", ] - } - } - :internal_api: add_model - """ - return call("security_router", ctx={"id": uuid, "method": "add_model", "user_id": user_id}, args=request.json) - - @check_auth - def delete(self, uuid=None, user_id=None): - """Delete a model - - :param uuid: uuid of the model to delete - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_model - """ - return call("security_router", ctx={"id": uuid, "method": "delete_model", "user_id": user_id}, args={}) - - @check_auth - def patch(self, uuid=None, user_id=None): - """Update a model - - :param uuid: uuid of the model to update - :param user_id: user ID who do the request - :return: { - "model_id1": { - "name": "...", - "description": "...", - "meta_rules": ["meta_rule_id1", ] - } - } - :internal_api: update_model - """ - return call("security_router", ctx={"id": uuid, "method": "update_model", "user_id": user_id}, args=request.json) - diff --git a/moonv4/moon_interface/moon_interface/api/pdp.py b/moonv4/moon_interface/moon_interface/api/pdp.py deleted file mode 100644 index 5316227b..00000000 --- a/moonv4/moon_interface/moon_interface/api/pdp.py +++ /dev/null @@ -1,106 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -PDP are Policy Decision Point. - -""" - -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call -from moon_utilities.security_functions import check_auth - -__version__ = "0.1.0" - -LOG = logging.getLogger("moon.interface.api." + __name__) - - -class PDP(Resource): - """ - Endpoint for pdp requests - """ - - __urls__ = ( - "/pdp", - "/pdp/", - "/pdp/<string:uuid>", - "/pdp/<string:uuid>/", - ) - - @check_auth - def get(self, uuid=None, user_id=None): - """Retrieve all pdp - - :param uuid: uuid of the pdp - :param user_id: user ID who do the request - :return: { - "pdp_id1": { - "name": "...", - "security_pipeline": [...], - "keystone_project_id": "keystone_project_id1", - "description": "...", - } - } - :internal_api: get_pdp - """ - return call("security_router", ctx={"id": uuid, "method": "get_pdp", "user_id": user_id}, args={}) - - @check_auth - def post(self, uuid=None, user_id=None): - """Create pdp. - - :param uuid: uuid of the pdp (not used here) - :param user_id: user ID who do the request - :request body: { - "name": "...", - "security_pipeline": [...], - "keystone_project_id": "keystone_project_id1", - "description": "...", - } - :return: { - "pdp_id1": { - "name": "...", - "security_pipeline": [...], - "keystone_project_id": "keystone_project_id1", - "description": "...", - } - } - :internal_api: add_pdp - """ - return call("security_router", ctx={"id": uuid, "method": "add_pdp", "user_id": user_id}, args=request.json) - - @check_auth - def delete(self, uuid=None, user_id=None): - """Delete a pdp - - :param uuid: uuid of the pdp to delete - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_pdp - """ - return call("security_router", ctx={"id": uuid, "method": "delete_pdp", "user_id": user_id}, args={}) - - @check_auth - def patch(self, uuid=None, user_id=None): - """Update a pdp - - :param uuid: uuid of the pdp to update - :param user_id: user ID who do the request - :return: { - "pdp_id1": { - "name": "...", - "security_pipeline": [...], - "keystone_project_id": "keystone_project_id1", - "description": "...", - } - } - :internal_api: update_pdp - """ - return call("security_router", ctx={"id": uuid, "method": "update_pdp", "user_id": user_id}, args=request.json) - diff --git a/moonv4/moon_interface/moon_interface/api/perimeter.py b/moonv4/moon_interface/moon_interface/api/perimeter.py deleted file mode 100644 index 177161f6..00000000 --- a/moonv4/moon_interface/moon_interface/api/perimeter.py +++ /dev/null @@ -1,312 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -* Subjects are the source of an action on an object (examples : users, virtual machines) -* Objects are the destination of an action (examples virtual machines, virtual Routers) -* Actions are what subject wants to do on an object -""" - -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call -from moon_utilities.security_functions import check_auth - -__version__ = "0.2.0" - -LOG = logging.getLogger("moon.interface.api." + __name__) - - -class Subjects(Resource): - """ - Endpoint for subjects requests - """ - - __urls__ = ( - "/subjects", - "/subjects/", - "/subjects/<string:perimeter_id>", - "/policies/<string:uuid>/subjects", - "/policies/<string:uuid>/subjects/", - "/policies/<string:uuid>/subjects/<string:perimeter_id>", - ) - - @check_auth - def get(self, uuid=None, perimeter_id=None, user_id=None): - """Retrieve all subjects or a specific one if perimeter_id is given for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the subject - :param user_id: user ID who do the request - :return: { - "subject_id": { - "name": "name of the subject", - "keystone_id": "keystone id of the subject", - "description": "a description" - } - } - :internal_api: get_subjects - """ - return call("security_router", ctx={"id": uuid, "method": "get_subjects", "user_id": user_id}, args={"perimeter_id": perimeter_id}) - - @check_auth - def post(self, uuid=None, perimeter_id=None, user_id=None): - """Create or update a subject. - - :param uuid: uuid of the policy - :param perimeter_id: must not be used here - :param user_id: user ID who do the request - :request body: { - "name": "name of the subject", - "description": "description of the subject", - "password": "password for the subject", - "email": "email address of the subject" - } - :return: { - "subject_id": { - "name": "name of the subject", - "keystone_id": "keystone id of the subject", - "description": "description of the subject", - "password": "password for the subject", - "email": "email address of the subject" - } - } - :internal_api: set_subject - """ - return call("security_router", ctx={"id": uuid, "method": "set_subject", "user_id": user_id, "perimeter_id": None}, - args=request.json) - - @check_auth - def patch(self, uuid=None, perimeter_id=None, user_id=None): - """Create or update a subject. - - :param uuid: uuid of the policy - :param perimeter_id: must not be used here - :param user_id: user ID who do the request - :request body: { - "name": "name of the subject", - "description": "description of the subject", - "password": "password for the subject", - "email": "email address of the subject" - } - :return: { - "subject_id": { - "name": "name of the subject", - "keystone_id": "keystone id of the subject", - "description": "description of the subject", - "password": "password for the subject", - "email": "email address of the subject" - } - } - :internal_api: set_subject - """ - return call("security_router", ctx={"id": uuid, "method": "set_subject", "user_id": user_id, "perimeter_id": perimeter_id}, - args=request.json) - - @check_auth - def delete(self, uuid=None, perimeter_id=None, user_id=None): - """Delete a subject for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the subject - :param user_id: user ID who do the request - :return: { - "subject_id": { - "name": "name of the subject", - "keystone_id": "keystone id of the subject", - "description": "description of the subject", - "password": "password for the subject", - "email": "email address of the subject" - } - } - :internal_api: delete_subject - """ - return call("security_router", ctx={"id": uuid, "method": "delete_subject", "user_id": user_id}, args={"perimeter_id": perimeter_id}) - - -class Objects(Resource): - """ - Endpoint for objects requests - """ - - __urls__ = ( - "/objects", - "/objects/", - "/objects/<string:perimeter_id>", - "/policies/<string:uuid>/objects", - "/policies/<string:uuid>/objects/", - "/policies/<string:uuid>/objects/<string:perimeter_id>", - ) - - @check_auth - def get(self, uuid=None, perimeter_id=None, user_id=None): - """Retrieve all objects or a specific one if perimeter_id is given for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the object - :param user_id: user ID who do the request - :return: { - "object_id": { - "name": "name of the object", - "description": "description of the object" - } - } - :internal_api: get_objects - """ - return call("security_router", ctx={"id": uuid, "method": "get_objects", "user_id": user_id}, args={"perimeter_id": perimeter_id}) - - @check_auth - def post(self, uuid=None, perimeter_id=None, user_id=None): - """Create or update a object. - - :param uuid: uuid of the policy - :param perimeter_id: must not be used here - :param user_id: user ID who do the request - :request body: { - "object_name": "name of the object", - "object_description": "description of the object" - } - :return: { - "object_id": { - "name": "name of the object", - "description": "description of the object" - } - } - :internal_api: set_object - """ - return call("security_router", ctx={"id": uuid, "method": "set_object", "user_id": user_id, "perimeter_id": None}, - args=request.json) - - @check_auth - def patch(self, uuid=None, perimeter_id=None, user_id=None): - """Create or update a object. - - :param uuid: uuid of the policy - :param perimeter_id: must not be used here - :param user_id: user ID who do the request - :request body: { - "object_name": "name of the object", - "object_description": "description of the object" - } - :return: { - "object_id": { - "name": "name of the object", - "description": "description of the object" - } - } - :internal_api: set_object - """ - return call("security_router", ctx={"id": uuid, "method": "set_object", "user_id": user_id, "perimeter_id": perimeter_id}, - args=request.json) - - @check_auth - def delete(self, uuid=None, perimeter_id=None, user_id=None): - """Delete a object for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the object - :param user_id: user ID who do the request - :return: { - "object_id": { - "name": "name of the object", - "description": "description of the object" - } - } - :internal_api: delete_object - """ - return call("security_router", ctx={"id": uuid, "method": "delete_object", "user_id": user_id}, args={"perimeter_id": perimeter_id}) - - -class Actions(Resource): - """ - Endpoint for actions requests - """ - - __urls__ = ( - "/actions", - "/actions/", - "/actions/<string:perimeter_id>", - "/policies/<string:uuid>/actions", - "/policies/<string:uuid>/actions/", - "/policies/<string:uuid>/actions/<string:perimeter_id>", - ) - - @check_auth - def get(self, uuid=None, perimeter_id=None, user_id=None): - """Retrieve all actions or a specific one if perimeter_id is given for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the action - :param user_id: user ID who do the request - :return: { - "action_id": { - "name": "name of the action", - "description": "description of the action" - } - } - :internal_api: get_actions - """ - return call("security_router", ctx={"id": uuid, "method": "get_actions", "user_id": user_id}, args={"perimeter_id": perimeter_id}) - - @check_auth - def post(self, uuid=None, perimeter_id=None, user_id=None): - """Create or update a action. - - :param uuid: uuid of the policy - :param perimeter_id: must not be used here - :param user_id: user ID who do the request - :request body: { - "name": "name of the action", - "description": "description of the action" - } - :return: { - "action_id": { - "name": "name of the action", - "description": "description of the action" - } - } - :internal_api: set_action - """ - return call("security_router", ctx={"id": uuid, "method": "set_action", "user_id": user_id, "perimeter_id": None}, - args=request.json) - - @check_auth - def patch(self, uuid=None, perimeter_id=None, user_id=None): - """Create or update a action. - - :param uuid: uuid of the policy - :param perimeter_id: must not be used here - :param user_id: user ID who do the request - :request body: { - "name": "name of the action", - "description": "description of the action" - } - :return: { - "action_id": { - "name": "name of the action", - "description": "description of the action" - } - } - :internal_api: set_action - """ - return call("security_router", ctx={"id": uuid, "method": "set_action", "user_id": user_id, "perimeter_id": perimeter_id}, - args=request.json) - - @check_auth - def delete(self, uuid=None, perimeter_id=None, user_id=None): - """Delete a action for a given policy - - :param uuid: uuid of the policy - :param perimeter_id: uuid of the action - :param user_id: user ID who do the request - :return: { - "action_id": { - "name": "name of the action", - "description": "description of the action" - } - } - :internal_api: delete_action - """ - return call("security_router", ctx={"id": uuid, "method": "delete_action", "user_id": user_id}, args={"perimeter_id": perimeter_id}) diff --git a/moonv4/moon_interface/moon_interface/api/policies.py b/moonv4/moon_interface/moon_interface/api/policies.py deleted file mode 100644 index 5a84b612..00000000 --- a/moonv4/moon_interface/moon_interface/api/policies.py +++ /dev/null @@ -1,106 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -Policies are instances of security models and implement security policies - -""" - -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call -from moon_utilities.security_functions import check_auth - -__version__ = "0.1.0" - -LOG = logging.getLogger("moon.interface.api." + __name__) - - -class Policies(Resource): - """ - Endpoint for policy requests - """ - - __urls__ = ( - "/policies", - "/policies/", - "/policies/<string:uuid>", - "/policies/<string:uuid>/", - ) - - @check_auth - def get(self, uuid=None, user_id=None): - """Retrieve all policies - - :param uuid: uuid of the policy - :param user_id: user ID who do the request - :return: { - "policy_id1": { - "name": "...", - "model_id": "...", - "genre": "...", - "description": "...", - } - } - :internal_api: get_policies - """ - return call("security_router", ctx={"id": uuid, "method": "get_policies", "user_id": user_id}, args={}) - - @check_auth - def post(self, uuid=None, user_id=None): - """Create policy. - - :param uuid: uuid of the policy (not used here) - :param user_id: user ID who do the request - :request body: { - "name": "...", - "model_id": "...", - "genre": "...", - "description": "...", - } - :return: { - "policy_id1": { - "name": "...", - "model_id": "...", - "genre": "...", - "description": "...", - } - } - :internal_api: add_policy - """ - return call("security_router", ctx={"id": uuid, "method": "add_policy", "user_id": user_id}, args=request.json) - - @check_auth - def delete(self, uuid=None, user_id=None): - """Delete a policy - - :param uuid: uuid of the policy to delete - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_policy - """ - return call("security_router", ctx={"id": uuid, "method": "delete_policy", "user_id": user_id}, args={}) - - @check_auth - def patch(self, uuid=None, user_id=None): - """Update a policy - - :param uuid: uuid of the policy to update - :param user_id: user ID who do the request - :return: { - "policy_id1": { - "name": "...", - "model_id": "...", - "genre": "...", - "description": "...", - } - } - :internal_api: update_policy - """ - return call("security_router", ctx={"id": uuid, "method": "update_policy", "user_id": user_id}, args=request.json) - diff --git a/moonv4/moon_interface/moon_interface/api/rules.py b/moonv4/moon_interface/moon_interface/api/rules.py deleted file mode 100644 index 1111729c..00000000 --- a/moonv4/moon_interface/moon_interface/api/rules.py +++ /dev/null @@ -1,114 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -Rules (TODO) -""" - -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from moon_utilities.security_functions import call -from moon_utilities.security_functions import check_auth - -__version__ = "0.1.0" - -LOG = logging.getLogger("moon.interface.api." + __name__) - - -class Rules(Resource): - """ - Endpoint for rules requests - """ - - __urls__ = ("/policies/<string:uuid>/rules", - "/policies/<string:uuid>/rules/", - "/policies/<string:uuid>/rules/<string:rule_id>", - "/policies/<string:uuid>/rules/<string:rule_id>/", - ) - - @check_auth - def get(self, uuid=None, rule_id=None, user_id=None): - """Retrieve all rules or a specific one - - :param uuid: policy ID - :param rule_id: rule ID - :param user_id: user ID who do the request - :return: { - "rules": [ - "policy_id": "policy_id1", - "meta_rule_id": "meta_rule_id1", - "rule_id1": ["subject_data_id1", "object_data_id1", "action_data_id1"], - "rule_id2": ["subject_data_id2", "object_data_id2", "action_data_id2"], - ] - } - :internal_api: get_rules - """ - return call("security_router", ctx={"id": uuid, - "method": "get_rules", - "user_id": user_id, - "rule_id": rule_id}, args={}) - - @check_auth - def post(self, uuid=None, rule_id=None, user_id=None): - """Add a rule to a meta rule - - :param uuid: policy ID - :param rule_id: rule ID - :param user_id: user ID who do the request - :request body: post = { - "meta_rule_id": "meta_rule_id1", - "rule": ["subject_data_id2", "object_data_id2", "action_data_id2"], - "instructions": ( - {"decision": "grant"}, - ) - "enabled": True - } - :return: { - "rules": [ - "meta_rule_id": "meta_rule_id1", - "rule_id1": { - "rule": ["subject_data_id1", "object_data_id1", "action_data_id1"], - "instructions": ( - {"decision": "grant"}, # "grant" to immediately exit, - # "continue" to wait for the result of next policy - # "deny" to deny the request - ) - } - "rule_id2": { - "rule": ["subject_data_id2", "object_data_id2", "action_data_id2"], - "instructions": ( - { - "update": { - "operation": "add", # operations may be "add" or "delete" - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the policy named rbac - ) - } - ] - } - :internal_api: add_rule - """ - return call("security_router", ctx={"id": uuid, - "method": "add_rule", - "user_id": user_id, - "rule_id": rule_id}, args=request.json) - - @check_auth - def delete(self, uuid=None, rule_id=None, user_id=None): - """Delete one rule linked to a specific sub meta rule - - :param uuid: policy ID - :param rule_id: rule ID - :param user_id: user ID who do the request - :return: { "result": true } - :internal_api: delete_rule - """ - return call("security_router", ctx={"id": uuid, - "method": "delete_rule", - "user_id": user_id, - "rule_id": rule_id}, args={}) - diff --git a/moonv4/moon_interface/moon_interface/authz_requests.py b/moonv4/moon_interface/moon_interface/authz_requests.py new file mode 100644 index 00000000..c09ee957 --- /dev/null +++ b/moonv4/moon_interface/moon_interface/authz_requests.py @@ -0,0 +1,159 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import logging +import itertools +import pickle +import requests +from moon_utilities import configuration, exceptions +from moon_utilities.security_functions import Context +from moon_utilities.cache import Cache + +LOG = logging.getLogger("moon.interface.authz_requests") + + +CACHE = Cache() +CACHE.update() + + +class AuthzRequest: + + result = None + final_result = "Deny" + req_max_delay = 2 + + def __init__(self, ctx, args=None): + self.context = Context(ctx, CACHE) + self.args = args + self.request_id = ctx["request_id"] + if ctx['project_id'] not in CACHE.container_chaining: + raise exceptions.KeystoneProjectError("Unknown Project ID {}".format(ctx['project_id'])) + self.container_chaining = CACHE.container_chaining[ctx['project_id']] + if len(self.container_chaining) == 0: + raise exceptions.MoonError('Void container chaining') + self.pdp_container = self.container_chaining[0]["container_id"] + self.run() + + def run(self): + self.context.delete_cache() + req = None + try: + req = requests.post("http://{}:{}/authz".format( + self.container_chaining[0]["hostip"], + self.container_chaining[0]["port"], + ), data=pickle.dumps(self.context)) + if req.status_code != 200: + raise exceptions.AuthzException( + "Receive bad response from Authz function " + "(with IP address - {})".format( + req.status_code + )) + except requests.exceptions.ConnectionError: + LOG.error("Cannot connect to {}".format( + "http://{}:{}/authz".format( + self.container_chaining[0]["hostip"], + self.container_chaining[0]["port"] + ))) + except ValueError: + try: + req = requests.post("http://{}:{}/authz".format( + self.container_chaining[0]["hostname"], + self.container_chaining[0]["port"], + ), data=pickle.dumps(self.context)) + if req.status_code != 200: + raise exceptions.AuthzException( + "Receive bad response from Authz function " + "(with hostname - {})".format( + req.status_code + )) + except requests.exceptions.ConnectionError: + LOG.error("Cannot connect to {}".format( + "http://{}:{}/authz".format( + self.container_chaining[0]["hostname"], + self.container_chaining[0]["port"] + ))) + raise exceptions.AuthzException( + "Cannot connect to Authz function") + self.context.set_cache(CACHE) + if req and len(self.container_chaining) == 1: + self.result = pickle.loads(req.content) + + # def __exec_next_state(self, rule_found): + # index = self.context.index + # current_meta_rule = self.context.headers[index] + # current_container = self.__get_container_from_meta_rule(current_meta_rule) + # current_container_genre = current_container["genre"] + # try: + # next_meta_rule = self.context.headers[index + 1] + # except IndexError: + # next_meta_rule = None + # if current_container_genre == "authz": + # if rule_found: + # return True + # pass + # if next_meta_rule: + # # next will be session if current is deny and session is unset + # if self.payload["authz_context"]['pdp_set'][next_meta_rule]['effect'] == "unset": + # return notify( + # request_id=self.payload["authz_context"]["request_id"], + # container_id=self.__get_container_from_meta_rule(next_meta_rule)['container_id'], + # payload=self.payload) + # # next will be delegation if current is deny and session is passed or deny and delegation is unset + # else: + # LOG.error("Delegation is not developed!") + # + # else: + # # else next will be None and the request is sent to router + # return self.__return_to_router() + # elif current_container_genre == "session": + # pass + # # next will be next container in headers if current is passed + # if self.payload["authz_context"]['pdp_set'][current_meta_rule]['effect'] == "passed": + # return notify( + # request_id=self.payload["authz_context"]["request_id"], + # container_id=self.__get_container_from_meta_rule(next_meta_rule)['container_id'], + # payload=self.payload) + # # next will be None if current is grant and the request is sent to router + # else: + # return self.__return_to_router() + # elif current_container_genre == "delegation": + # LOG.error("Delegation is not developed!") + # # next will be authz if current is deny + # # next will be None if current is grant and the request is sent to router + + def set_result(self, result): + self.result = result + + def is_authz(self): + if not self.result: + return False + authz_results = [] + for key in self.result.pdp_set: + if "effect" in self.result.pdp_set[key]: + if self.result.pdp_set[key]["effect"] == "grant": + # the pdp is a authorization PDP and grant the request + authz_results.append(True) + elif self.result.pdp_set[key]["effect"] == "passed": + # the pdp is not a authorization PDP (session or delegation) and had run normally + authz_results.append(True) + elif self.result.pdp_set[key]["effect"] == "unset": + # the pdp is not a authorization PDP (session or delegation) and had not yep run + authz_results.append(True) + else: + # the pdp is (or not) a authorization PDP and had run badly + authz_results.append(False) + if list(itertools.accumulate(authz_results, lambda x, y: x & y))[-1]: + self.result.pdp_set["effect"] = "grant" + if self.result: + if self.result.pdp_set["effect"] == "grant": + self.final_result = "Grant" + return True + self.final_result = "Deny" + return True + + # def notify(self, request_id, container_id, payload): + # LOG.info("notify {} {} {}".format(request_id, container_id, payload)) + # # TODO: send the notification and wait for the result + # # req = requests.get() diff --git a/moonv4/moon_interface/moon_interface/containers.py b/moonv4/moon_interface/moon_interface/containers.py new file mode 100644 index 00000000..1ca76a2d --- /dev/null +++ b/moonv4/moon_interface/moon_interface/containers.py @@ -0,0 +1,102 @@ +# Copyright 2017 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import docker +import logging +import re +import requests +import time +from moon_utilities import configuration, exceptions + +__version__ = "0.1.0" + +LOG = logging.getLogger("moon.interface.container") + + +class DockerManager: + + def __init__(self): + docker_conf = configuration.get_configuration("docker")['docker'] + self.docker = docker.DockerClient(base_url=docker_conf['url']) + + def create_container(self, data): + """Create the container through the docker client + + :param data: { + "name": "authz", + "hostname": "authz123456789", + "port": { + "PrivatePort": 8090, + "Type": "tcp", + "IP": "0.0.0.0", + "PublicPort": 8090 + }, + "keystone_project_id": "keystone_project_id1", + "pdp_id": "123456789", + "container_name": "wukongsun/moon_authz:v4.1" + } + :return: container output + """ + output = self.docker.containers.run( + image=data.get("container_name"), + hostname=data.get("hostname", data.get("name"))[:63], + name=data.get("name"), + network='moon', + ports={'{}/{}'.format( + data.get("port").get("PrivatePort"), + data.get("port").get("Type") + ): int(data.get("port").get("PrivatePort"))}, + environment={ + "UUID": data.get("hostname"), + "BIND": data.get("port").get("IP"), + "TYPE": data.get("plugin_name"), + "PORT": data.get("port").get("PrivatePort"), + "PDP_ID": data.get("pdp_id"), + "META_RULE_ID": data.get("meta_rule_id"), + "KEYSTONE_PROJECT_ID": data.get("keystone_project_id"), + }, + detach=True + ) + try: + req = requests.head("http://{}:{}/".format(data.get("hostname"), data.get("port").get("PublicPort"))) + except requests.exceptions.ConnectionError: + pass + else: + if req.status_code != 200: + raise exceptions.DockerError("Container {} is not running!".format(data.get("hostname"))) + output.ip = "0.0.0.0" + return output + + # Note: host is not reachable through hostname so trying to find th IP address + res = output.exec_run("ip addr") + find = re.findall("inet (\d+\.\d+\.\d+\.\d+)", res.decode("utf-8")) + ip = "127.0.0.1" + for ip in find: + if ip.startswith("127"): + continue + break + cpt = 0 + while True: + try: + req = requests.head("http://{}:{}/".format(ip, data.get("port").get("PublicPort"))) + except requests.exceptions.ConnectionError: + pass + else: + if req.status_code not in (200, 201): + LOG.error("url={}".format("http://{}:{}/".format(ip, data.get("port").get("PublicPort")))) + LOG.error("req={}".format(req)) + raise exceptions.DockerError("Container {} is not running!".format(data.get("hostname"))) + output.ip = ip + return output + finally: + cpt += 1 + time.sleep(0.1) + if cpt > 20: + break + output.ip = ip + return output + + def delete_container(self, uuid): + raise NotImplementedError diff --git a/moonv4/moon_interface/moon_interface/http_server.py b/moonv4/moon_interface/moon_interface/http_server.py index 046337a2..387699f8 100644 --- a/moonv4/moon_interface/moon_interface/http_server.py +++ b/moonv4/moon_interface/moon_interface/http_server.py @@ -3,23 +3,15 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -from flask import Flask +from flask import Flask, jsonify from flask_cors import CORS, cross_origin from flask_restful import Resource, Api import logging from moon_interface import __version__ from moon_interface.api.generic import Status, Logs, API -from moon_interface.api.models import Models -from moon_interface.api.policies import Policies -from moon_interface.api.pdp import PDP -from moon_interface.api.meta_rules import MetaRules -from moon_interface.api.meta_data import SubjectCategories, ObjectCategories, ActionCategories -from moon_interface.api.perimeter import Subjects, Objects, Actions -from moon_interface.api.data import SubjectData, ObjectData, ActionData -from moon_interface.api.assignments import SubjectAssignments, ObjectAssignments, ActionAssignments -from moon_interface.api.rules import Rules from moon_interface.api.authz import Authz -from moon_utilities import exceptions +from moon_interface.authz_requests import CACHE +from moon_utilities import configuration, exceptions logger = logging.getLogger("moon.interface.http") @@ -68,13 +60,7 @@ class Server: raise NotImplementedError() __API__ = ( - Status, Logs, API, - MetaRules, SubjectCategories, ObjectCategories, ActionCategories, - Subjects, Objects, Actions, - SubjectAssignments, ObjectAssignments, ActionAssignments, - SubjectData, ObjectData, ActionData, - Rules, Authz, - Models, Policies, PDP + Status, Logs, API ) @@ -106,24 +92,28 @@ class HTTPServer(Server): def __init__(self, host="localhost", port=80, **kwargs): super(HTTPServer, self).__init__(host=host, port=port, **kwargs) self.app = Flask(__name__) + self.port = port + conf = configuration.get_configuration("components/manager") + self.manager_hostname = conf["components/manager"].get("hostname", "manager") + self.manager_port = conf["components/manager"].get("port", 80) #Todo : specify only few urls instead of * CORS(self.app) self.api = Api(self.app) self.__set_route() - # self.__hook_errors() + self.__hook_errors() - @self.app.errorhandler(exceptions.AuthException) - def _auth_exception(error): - return {"error": "Unauthorized"}, 401 + # @self.app.errorhandler(exceptions.AuthException) + # def _auth_exception(error): + # return {"error": "Unauthorized"}, 401 def __hook_errors(self): - # FIXME (dthom): it doesn't work + def get_404_json(e): - return {"error": "Error", "code": 404, "description": e} + return jsonify({"result": False, "code": 404, "description": str(e)}), 404 self.app.register_error_handler(404, get_404_json) def get_400_json(e): - return {"error": "Error", "code": 400, "description": e} + return jsonify({"result": False, "code": 400, "description": str(e)}), 400 self.app.register_error_handler(400, lambda e: get_400_json) self.app.register_error_handler(403, exceptions.AuthException) @@ -132,7 +122,15 @@ class HTTPServer(Server): for api in __API__: self.api.add_resource(api, *api.__urls__) + self.api.add_resource(Authz, *Authz.__urls__, + resource_class_kwargs={ + "cache": CACHE, + "interface_name": self.host, + "manager_url": "http://{}:{}".format(self.manager_hostname, self.manager_port), + } + ) def run(self): - self.app.run(debug=True, host=self._host, port=self._port) # nosec + self.app.run(host=self._host, port=self._port) # nosec + # self.app.run(debug=True, host=self._host, port=self._port) # nosec diff --git a/moonv4/moon_interface/moon_interface/server.py b/moonv4/moon_interface/moon_interface/server.py index 711aa00a..7043e2f9 100644 --- a/moonv4/moon_interface/moon_interface/server.py +++ b/moonv4/moon_interface/moon_interface/server.py @@ -14,7 +14,6 @@ def main(): configuration.init_logging() try: conf = configuration.get_configuration("components/interface") - LOG.debug("interface.conf={}".format(conf)) hostname = conf["components/interface"].get("hostname", "interface") port = conf["components/interface"].get("port", 80) bind = conf["components/interface"].get("bind", "127.0.0.1") @@ -25,8 +24,11 @@ def main(): configuration.add_component(uuid="interface", name=hostname, port=port, bind=bind) LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind)) server = HTTPServer(host=bind, port=port) - server.run() + # LOG.info("Starting server") + # server = HTTPServer(host="0.0.0.0", port=8081) + return server if __name__ == '__main__': - main() + server = main() + server.run() diff --git a/moonv4/moon_interface/requirements.txt b/moonv4/moon_interface/requirements.txt index ee4b455e..36332aa4 100644 --- a/moonv4/moon_interface/requirements.txt +++ b/moonv4/moon_interface/requirements.txt @@ -1,9 +1,4 @@ -kombu !=4.0.1,!=4.0.0 -oslo.messaging -oslo.config -vine flask flask_restful flask_cors -babel moon_utilities
\ No newline at end of file diff --git a/moonv4/moon_interface/tests/apitests/README.md b/moonv4/moon_interface/tests/apitests/README.md deleted file mode 100644 index ef74a1e3..00000000 --- a/moonv4/moon_interface/tests/apitests/README.md +++ /dev/null @@ -1,33 +0,0 @@ -Test directory -============== - -API tests ---------- -To test all interfaces, you can use : - -```bash -$ cd moonv4/moon_interface/tests/apitests -$ pytest -============================================================================= test session starts ============================================================================== -platform linux -- Python 3.5.2, pytest-3.0.7, py-1.4.33, pluggy-0.4.0 -rootdir: /home/vdsq3226/projets/opnfv/moonv4/moon_interface, inifile: -collected 15 items - -test_models.py ..... -test_pdp.py . -test_policies.py ......... - -``` - -Populate default variables for a particular demonstration ---------------------------------------------------------- - -```bash -$ cd moonv4/moon_interface/tests/apitests -$ python3 populate_default_values.py scenario/rbac.py -v -Loading: scenario/rbac.py -2017-03-31 09:57:17,243 WARNING Creating model RBAC -2017-03-31 09:57:17,507 WARNING Creating policy Multi policy example -2017-03-31 09:57:18,690 WARNING Creating PDP pdp1 - -```
\ No newline at end of file diff --git a/moonv4/moon_interface/tests/apitests/plot_json.py b/moonv4/moon_interface/tests/apitests/plot_json.py deleted file mode 100644 index f67f1d27..00000000 --- a/moonv4/moon_interface/tests/apitests/plot_json.py +++ /dev/null @@ -1,852 +0,0 @@ -import os -import argparse -import logging -import json -import glob -import time -import datetime -import itertools -import plotly -from plotly.graph_objs import Scatter, Layout, Bar -import plotly.figure_factory as ff - - -logger = None - - -def init(): - global logger - commands = { - "graph": write_graph, - "digraph": write_distgraph, - "average": write_average_graph, - "latency": write_latency, - "request_average": write_request_average, - "throughput": write_throughput, - "global_throughput": write_global_throughput, - "parallel_throughput": write_parallel_throughput, - } - parser = argparse.ArgumentParser() - parser.add_argument("command", - help="Command to throw ({})".format(", ".join(commands.keys()))) - parser.add_argument("input", nargs="+", help="files to use with the form \"file1.json,file2.json,...\"") - parser.add_argument("--verbose", "-v", action='store_true', help="verbose mode") - parser.add_argument("--debug", "-d", action='store_true', help="debug mode") - parser.add_argument("--write", "-w", help="Write test data to a JSON file", default="/tmp/data.json") - parser.add_argument("--legend", "-l", help="Set the legend (by default get from the file names)") - parser.add_argument("--titles", "-t", - help="Set the general title, x title and y title (ex: Title 1,Title X,Title Y)") - # parser.add_argument("--request-per-second", help="Number of requests per seconds", - # type=int, dest="request_second", default=1) - # parser.add_argument("--limit", help="Limit request to LIMIT", type=int) - parser.add_argument("--write-image", help="Write the graph to file IMAGE", dest="write_image") - parser.add_argument("--write-html", help="Write the graph to HTML file HTML", dest="write_html", default="data.html") - parser.add_argument("--plot-result", - help="Use specific data like Grant or Deny responses " - "('*' for all or 'Grant,Deny' to separate granted and denied responses)", - dest="plot_result", - default="*") - args = parser.parse_args() - - FORMAT = '%(levelname)s %(message)s' - - if args.verbose: - logging.basicConfig( - format=FORMAT, - level=logging.INFO) - elif args.debug: - logging.basicConfig( - format=FORMAT, - level=logging.DEBUG) - else: - logging.basicConfig( - format=FORMAT, - level=logging.WARNING) - - logger = logging.getLogger(__name__) - - # args.input = args.input[0] - result_input = [] - for _input in args.input: - if "*" in _input: - filenames = glob.glob(_input) - filenames.sort() - result_input.append(",".join(filenames)) - else: - result_input.append(_input) - args.input = result_input - - if not args.legend: - _legends = [] - for data in args.input: - for filename in data.split(","): - _legends.append(os.path.basename(filename).replace(".json", "")) - args.legend = ",".join(_legends) - - return args, commands - - -def __get_legends(legend_str, default_length=10): - if "|" in legend_str: - secondary_legend = legend_str.split("|")[1].split(",") - else: - secondary_legend = ["average"] * default_length - _legends = legend_str.split("|")[0].split(",") - return _legends, secondary_legend - - -def get_delta_v1(time_data, result=None): - time_delta = list() - x_data = list() - time_delta_sum1 = 0 - cpt = 0 - for key in time_data: - if not result or 'result' not in time_data[key] or time_data[key]['result'].lower() == result.lower() or result == "*": - time_delta.append(time_data[key]['delta']) - time_delta_sum1 += time_data[key]['delta'] - if 'index' in time_data[key]: - print("in index {}".format(time_data[key]['index'])) - x_data.append(time_data[key]['index']) - else: - x_data.append(cpt) - cpt += 1 - time_delta_average1 = time_delta_sum1 / len(time_data.keys()) - return time_delta, time_delta_average1, x_data - - -def get_delta_v2(time_data, result=None): - time_delta = list() - x_data = list() - time_delta_sum1 = 0 - cpt = 0 - for item in time_data: - if not result or 'result' not in item or item['result'].lower() == result.lower() or result == "*": - time_delta.append(item['delta']) - time_delta_sum1 += item['delta'] - x_data.append(cpt) - cpt += 1 - time_delta_average1 = time_delta_sum1 / len(time_data) - return time_delta, time_delta_average1, x_data - - -def get_delta(time_data, result=None): - if type(time_data) is dict: - return get_delta_v1(time_data, result=result) - if type(time_data) is list: - return get_delta_v2(time_data, result=result) - raise Exception("Time data has not a correct profile") - - -def get_latency_v1(time_data, result=None): - time_delta = list() - time_delta_sum1 = 0 - for key in time_data: - if not result or 'result' not in time_data[key] or time_data[key]['result'].lower() == result.lower() or result == "*": - time_delta.append(1/time_data[key]['delta']) - time_delta_sum1 += time_data[key]['delta'] - logger.debug("Adding {} {}".format(1/time_data[key]['delta'], time_data[key]['delta'])) - time_delta_average1 = time_delta_sum1 / len(time_data.keys()) - return time_delta, 1/time_delta_average1 - - -def get_latency_v2(time_data, result=None): - time_delta = list() - time_delta_sum1 = 0 - time_list = list() - for item in time_data: - if not result or 'result' not in item or item['result'].lower() == result.lower() or result == "*": - time_delta.append(1/item['delta']) - time_delta_sum1 += item['delta'] - time_list.append(item['end']) - time_delta_average1 = time_delta_sum1 / len(time_data) - return time_delta, 1/time_delta_average1, time_list - - -def get_latency(time_data, result=None): - if type(time_data) is dict: - return get_latency_v1(time_data, result=result) - if type(time_data) is list: - return get_latency_v2(time_data, result=result) - raise Exception("Time data has not a correct profile") - - -def get_request_per_second_v1(time_data): - result = {} - _min = None - _max = 0 - for key in time_data: - start = str(time_data[key]['start']).split(".")[0] - end = str(time_data[key]['end']).split(".")[0] - middle = str(int((int(end) + int(start)) / 2)) - middle = end - if not _min: - _min = int(middle) - if int(middle) < _min: - _min = int(middle) - if int(middle) > _max: - _max = int(middle) - if middle not in result: - result[middle] = 1 - else: - result[middle] += 1 - for cpt in range(_min+1, _max): - if str(cpt) not in result: - result[str(cpt)] = 0 - # result[str(cpt)] = (result[str(cpt - 1)] + result[str(cpt)]) / 2 - # result[str(cpt - 1)] = result[str(cpt)] - return result - - -def get_request_per_second_v2(time_data): - result = {} - _min = None - _max = 0 - for item in time_data: - start = str(item['start']).split(".")[0] - end = str(item['end']).split(".")[0] - middle = str(int((int(end) + int(start)) / 2)) - middle = end - if not _min: - _min = int(middle) - if int(middle) < _min: - _min = int(middle) - if int(middle) > _max: - _max = int(middle) - if middle not in result: - result[middle] = 1 - else: - result[middle] += 1 - for cpt in range(_min+1, _max): - if str(cpt) not in result: - result[str(cpt)] = 0 - # result[str(cpt)] = (result[str(cpt - 1)] + result[str(cpt)]) / 2 - # result[str(cpt - 1)] = result[str(cpt)] - return result - - -def get_request_per_second(time_data): - if type(time_data) is dict: - return get_request_per_second_v1(time_data) - if type(time_data) is list: - return get_request_per_second_v2(time_data) - raise Exception("Time data has not a correct profile") - - -def write_graph(legend=None, input=None, image_file=None, html_file=None, plot_result="", title=None): - logger.info("Writing graph") - cpt_max = 0 - logger.debug("legend={}".format(legend)) - for data in input: - cpt_max += len(data.split(",")) - legends, secondary_legend = __get_legends(legend, cpt_max) - logger.debug("legends={}".format(legends)) - result_data = [] - cpt_input = 0 - for data in input: - for _input in data.split(","): - try: - current_legend = legends.pop(0) - except IndexError: - current_legend = "" - time_data = json.load(open(_input)) - time_delta, time_delta_average2, x_data = get_delta(time_data) - for item in time_data: - if type(time_data) is dict: - time_delta.append(time_data[item]['delta']) - else: - time_delta.append(item['delta']) - data = Scatter( - x=x_data, - y=time_delta, - name=current_legend, - line=dict( - color="rgb({},{},{})".format(0, cpt_input * 255 / cpt_max, cpt_input * 255 / cpt_max), - # shape='spline' - ) - ) - result_data.append(data) - data_a = Scatter( - x=list(range(len(time_data))), - y=[time_delta_average2 for x in range(len(time_data))], - name=current_legend + " average", - line=dict( - color="rgb({},{},{})".format(255, cpt_input * 255 / cpt_max, cpt_input * 255 / cpt_max), - # shape='spline' - ) - ) - result_data.append(data_a) - cpt_input += 1 - - if image_file: - plotly.offline.plot( - { - "data": result_data, - "layout": Layout( - title="Request times delta", - xaxis=dict(title='Requests'), - yaxis=dict(title='Request duration'), - ) - }, - filename=html_file, - image="svg", - image_filename=image_file, - image_height=1000, - image_width=1200 - ) - else: - plotly.offline.plot( - { - "data": result_data, - "layout": Layout( - title="Request times delta", - xaxis=dict(title='Requests'), - yaxis=dict(title='Request duration'), - ) - }, - filename=html_file, - ) - return 0 - - -def write_distgraph(legend=None, input=None, image_file=None, html_file=None, plot_result="", title=None): - - logger.info("Writing graph") - _legends, secondary_legend = __get_legends(legend, len(input)) - result_data = [] - legends = [] - - # FIXME: deals with multiple input - input = input[0] - for _input in input.split(","): - logger.info("Analysing input {}".format(_input)) - current_legend = _legends.pop(0) - for result in plot_result.split(","): - time_data2 = json.load(open(_input)) - time_delta2, time_delta_average2, x_data = get_delta(time_data2, result=result) - result_data.append(time_delta2) - if result == "*": - legends.append(current_legend) - else: - legends.append("{} ({})".format(current_legend, result)) - - # Create distplot with custom bin_size - if len(legends) < len(result_data): - for _cpt in range(len(result_data)-len(legends)): - legends.append("NC") - fig = ff.create_distplot(result_data, legends, show_hist=False) - - # Plot! - plotly.offline.plot( - fig, - # image="svg", - # image_filename=image_file, - # image_height=1000, - # image_width=1200, - filename=html_file - ) - return 0 - - -def write_average_graph(legend=None, input=None, image_file=None, html_file=None, plot_result="", title=None): - - logger.info("Writing average graph") - _legends, secondary_legend = __get_legends(legend, len(input)) - all_data = [] - legends = [] - legend_done = False - html_file = "latency_" + html_file - - cpt_input = 0 - cpt_max = len(input) - for data in input: - result_data = [] - for _input in data.split(","): - logger.info("Analysing input {}".format(_input)) - if not legend_done: - current_legend = _legends.pop(0) - for result in plot_result.split(","): - time_data2 = json.load(open(_input)) - time_delta2, time_delta_average2 = get_delta(time_data2, result=result) - result_data.append(time_delta_average2) - if not legend_done and result == "*": - legends.append(current_legend) - elif not legend_done: - legends.append("{} ({})".format(current_legend, result)) - - if not legend_done: - if len(legends) < len(result_data): - for _cpt in range(len(result_data)-len(legends)): - legends.append("NC") - - data = Scatter( - x=legends, - y=result_data, - name=secondary_legend.pop(0), - line=dict( - color="rgb({},{},{})".format(158, cpt_input * 255 / cpt_max, cpt_input * 255 / cpt_max) - ) - ) - all_data.append(data) - legend_done = True - cpt_input += 1 - if image_file: - plotly.offline.plot( - { - "data": all_data, - "layout": Layout( - title="Latency", - xaxis=dict(title='Request per second'), - yaxis=dict(title='Request latency'), - ) - }, - filename=html_file, - image="svg", - image_filename=image_file, - image_height=1000, - image_width=1200 - ) - else: - plotly.offline.plot( - { - "data": all_data, - "layout": Layout( - title="Latency", - xaxis=dict(title='Requests'), - yaxis=dict(title='Request latency'), - ) - }, - filename=html_file, - ) - return 0 - - -def __get_titles(title): - if title: - titles = title.split(",") - try: - title_generic = titles[0] - except IndexError: - title_generic = "" - try: - title_x = titles[1] - except IndexError: - title_x = "" - try: - title_y = titles[2] - except IndexError: - title_y = "" - else: - title_generic = "" - title_x = "" - title_y = "" - return title_generic, title_x, title_y - - -def __get_time_axis(data): - result_data = [] - start_time = None - for item in data: - if not start_time: - start_time = item - item = item - start_time - millis = int(str(item).split('.')[-1][:6]) - t = time.gmtime(int(item)) - result_data.append( - datetime.datetime(t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec, millis) - ) - return result_data - - -def write_latency(legend=None, input=None, image_file=None, html_file=None, plot_result="", title=None): - - logger.info("Writing latency graph") - _legends, secondary_legend = __get_legends(legend, len(input)) - all_data = [] - legends = [] - legend_done = False - html_file = "latency_" + html_file - title_generic, title_x, title_y = __get_titles(title) - cpt_input = 0 - cpt_max = len(input) - for data in input: - result_data = [] - for _input in data.split(","): - logger.info("Analysing input {}".format(_input)) - if not legend_done: - current_legend = _legends.pop(0) - for result in plot_result.split(","): - time_data2 = json.load(open(_input)) - time_delta2, time_delta_average2, x_data = get_latency(time_data2, result=result) - result_data.append(time_delta_average2) - if not legend_done and result == "*": - legends.append(current_legend) - elif not legend_done: - legends.append("{} ({})".format(current_legend, result)) - - if not legend_done: - if len(legends) < len(result_data): - for _cpt in range(len(result_data)-len(legends)): - legends.append("NC") - - data = Scatter( - x=legends, - y=result_data, - name=secondary_legend.pop(0), - line=dict( - color="rgb({},{},{})".format(158, cpt_input * 255 / cpt_max, cpt_input * 255 / cpt_max) - ) - ) - all_data.append(data) - legend_done = True - cpt_input += 1 - if image_file: - plotly.offline.plot( - { - "data": all_data, - "layout": Layout( - title=title_generic, - xaxis=dict(title=title_x), - yaxis=dict(title=title_y), - ) - }, - filename=html_file, - image="svg", - image_filename=image_file, - image_height=1000, - image_width=1200 - ) - else: - plotly.offline.plot( - { - "data": all_data, - "layout": Layout( - title=title_generic, - xaxis=dict(title=title_x), - yaxis=dict(title=title_y), - font=dict( - size=25 - ) - ) - }, - filename=html_file, - ) - return 0 - - -def write_request_average(legend=None, input=None, image_file=None, html_file=None, plot_result="", title=None): - logger.info("Writing average graph") - _legends, secondary_legend = __get_legends(legend, len(input)) - result_data = [] - html_file = "request_average_" + html_file - - # FIXME: deals with multiple input - input = input[0] - for _input in input.split(","): - logger.info("Analysing input {}".format(_input)) - current_legend = _legends.pop(0) - time_data = json.load(open(_input)) - result = get_request_per_second(time_data) - time_keys = list(result.keys()) - time_keys.sort() - time_value = list(map(lambda x: result[x], time_keys)) - datetime_keys = list() - for _time in time_keys: - t = time.gmtime(int(_time)) - datetime_keys.append(datetime.datetime(t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)) - data = Bar( - x=datetime_keys, - y=time_value, - name=current_legend, - ) - result_data.append(data) - plotly.offline.plot( - { - "data": result_data, - "layout": Layout( - title="Request per second", - xaxis=dict(title='Time'), - yaxis=dict(title='Request number'), - ) - }, - filename=html_file, - ) - - -def write_throughput(legend=None, input=None, image_file=None, html_file=None, plot_result="", title=None): - logger.info("Writing throughput graph") - _legends, secondary_legend = __get_legends(legend, len(input)) - result_data = [] - html_file = "request_throughput_" + html_file - title_generic, title_x, title_y = __get_titles(title) - - cpt_input = 0 - cpt_request = 0 - cpt_max = 0 - average_data_x = [] - average_data_y = [] - for _i in input: - cpt_max += len(_i.split(",")) - - for data in input: - for _input in data.split(","): - logger.info("Analysing input {}".format(_input)) - current_legend = _legends.pop(0) - time_data = json.load(open(_input)) - result = get_request_per_second(time_data) - time_keys = list(result.keys()) - time_keys.sort() - time_value = list(map(lambda x: result[x], time_keys)) - index_list = list(map(lambda x: cpt_request + x, range(len(time_keys)))) - cpt_request += len(index_list) - import itertools - average_data_y.extend( - [list(itertools.accumulate(result.values()))[-1]/len(result.values())]*len(result.values()) - ) - average_data_x.extend(index_list) - data = Scatter( - x=index_list, - y=time_value, - name=current_legend, - line=dict( - color="rgb({},{},{})".format(0, cpt_input*255/cpt_max, cpt_input*255/cpt_max) - ), - mode="lines+markers" - ) - result_data.append(data) - cpt_input += 1 - data = Scatter( - x=average_data_x, - y=average_data_y, - name="Average", - line=dict( - color="rgb({},{},{})".format(255, 0, 0) - ), - mode="lines" - ) - logger.debug(average_data_x) - logger.debug(average_data_y) - result_data.append(data) - plotly.offline.plot( - { - "data": result_data, - "layout": Layout( - title=title_generic, - xaxis=dict(title=title_x), - yaxis=dict(title=title_y), - font=dict( - size=15 - ) - ) - }, - filename=html_file, - ) - - -def write_global_throughput(legend=None, input=None, image_file=None, html_file=None, plot_result="", title=None): - logger.info("Writing global throughput graph") - _legends, secondary_legend = __get_legends(legend, len(input)) - result_data = [] - # html_file = "request_throughput_" + html_file - title_generic, title_x, title_y = __get_titles(title) - - cpt_input = 0 - cpt_global = 0 - cpt_max = 0 - average_data_x = [] - final_time_data = None - average_data_y = [] - continuous_data_x = [] - continuous_data_y = [] - for _i in input: - cpt_max += len(_i.split(",")) - - for data in input: - for _input in data.split(","): - logger.info("Analysing input {}".format(_input)) - # current_legend = _legends.pop(0) - _time_data = json.load(open(_input)) - result, average, time_data = get_latency(_time_data, plot_result) - if not final_time_data: - final_time_data = time_data - continuous_data_y.extend(result) - cpt_global += len(result) - _cpt = 0 - for item in result: - if len(average_data_y) <= _cpt: - average_data_y.append([item, ]) - average_data_x.append(_cpt) - else: - _list = average_data_y[_cpt] - _list.append(item) - average_data_y[_cpt] = _list - _cpt += 1 - # time_keys = list(map(lambda x: x['url'], result)) - # time_keys.sort() - # time_value = list(map(lambda x: result[x], time_keys)) - # index_list = list(map(lambda x: cpt_request + x, range(len(time_keys)))) - # cpt_request += len(index_list) - # average_data_y.extend( - # [list(itertools.accumulate(result.values()))[-1]/len(result.values())]*len(result.values()) - # ) - # average_data_x.extend(index_list) - cpt_input += 1 - data_continuous = Scatter( - x=list(range(len(continuous_data_y))), - y=continuous_data_y, - name="continuous_data_y", - line=dict( - color="rgb({},{},{})".format(0, 0, 255) - ), - mode="lines" - ) - for index, item in enumerate(average_data_y): - av = list(itertools.accumulate(item))[-1]/len(item) - average_data_y[index] = av - - average_data = [] - for cpt in range(len(time_data)): - average_data.append([average_data_y[cpt], time_data[cpt]]) - - sorted(average_data, key=lambda x: x[1]) - - average_data_x = [] - start_time = None - for item in map(lambda x: x[1], average_data): - if not start_time: - start_time = item - item = item - start_time - millis = int(str(item).split('.')[-1][:6]) - t = time.gmtime(int(item)) - average_data_x.append( - datetime.datetime(t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec, millis) - ) - - data_average = Scatter( - x=average_data_x, - y=list(map(lambda x: x[0], average_data)), - name="Average", - line=dict( - color="rgb({},{},{})".format(0, 0, 255) - ), - mode="lines" - ) - plotly.offline.plot( - { - "data": [data_average, ], - "layout": Layout( - title=title_generic, - xaxis=dict(title=title_x), - yaxis=dict(title=title_y), - font=dict( - size=15 - ) - ) - }, - filename="average_throughput_" + html_file, - ) - plotly.offline.plot( - { - "data": [data_continuous, ], - "layout": Layout( - title=title_generic, - xaxis=dict(title=title_x), - yaxis=dict(title=title_y), - font=dict( - size=15 - ) - ) - }, - filename="continuous_throughput_" + html_file, - ) - - -def write_parallel_throughput(legend=None, input=None, image_file=None, html_file=None, plot_result="", title=None): - logger.info("Writing global throughput graph") - _legends, secondary_legend = __get_legends(legend, len(input)) - result_data = [] - title_generic, title_x, title_y = __get_titles(title) - - cpt_input = 0 - cpt_global = 0 - cpt_max = 0 - overhead_data = [] - MAX = 60 - for _i in input: - cpt_max += len(_i.split(",")) - for data in input: - for _input in data.split(","): - logger.info("Analysing input {}".format(_input)) - current_legend = _legends.pop(0) - _time_data = json.load(open(_input)) - result, average, time_data = get_latency(_time_data, plot_result) - result = result[:MAX] - cpt_global += len(result) - if not overhead_data: - for _data in result: - overhead_data.append(list()) - for _index, _data in enumerate(result): - _item = overhead_data[_index] - _item.append(_data) - overhead_data[_index] = _item - - data_continuous = Scatter( - x=__get_time_axis(time_data), - # x=list(range(len(result))), - y=result, - name=current_legend, - line=dict( - color="rgb({},{},{})".format(0, cpt_input * 255 / cpt_max, cpt_input * 255 / cpt_max) - ), - mode="lines" - ) - cpt_input += 1 - result_data.append(data_continuous) - - for _index, _data in enumerate(overhead_data): - if len(_data) == 2: - _item = overhead_data[_index] - overhead_data[_index] = 1-_item[1]/_item[0] - data_overhead = Scatter( - x=__get_time_axis(time_data), - # x=list(range(len(result))), - y=overhead_data, - name="Overhead", - line=dict( - color="rgb({},{},{})".format(255, 0, 0) - ), - mode="lines" - ) - # result_data.append(data_overhead) - plotly.offline.plot( - { - "data": result_data, - "layout": Layout( - title=title_generic, - xaxis=dict(title=title_x), - yaxis=dict(title=title_y), - font=dict( - size=20 - ) - ) - }, - filename="parallel_throughput_" + html_file, - ) - - -def main(): - args, commands = init() - if args.command in commands: - commands[args.command]( - legend=args.legend, - input=args.input, - image_file=args.write_image, - html_file=args.write_html, - plot_result=args.plot_result, - title=args.titles - ) - else: - logger.error("Unkwnon command: {}".format(args.command)) - - -if __name__ == "__main__": - main() diff --git a/moonv4/moon_interface/tests/apitests/populate_default_values.py b/moonv4/moon_interface/tests/apitests/populate_default_values.py deleted file mode 100644 index 740ad8ed..00000000 --- a/moonv4/moon_interface/tests/apitests/populate_default_values.py +++ /dev/null @@ -1,231 +0,0 @@ -import argparse -import logging -from importlib.machinery import SourceFileLoader -from utils.pdp import * -from utils.models import * -from utils.policies import * - -parser = argparse.ArgumentParser() -parser.add_argument('filename', help='scenario filename', nargs=1) -parser.add_argument("--verbose", "-v", action='store_true', help="verbose mode") -parser.add_argument("--debug", "-d", action='store_true', help="debug mode") -args = parser.parse_args() - -FORMAT = '%(asctime)-15s %(levelname)s %(message)s' -if args.debug: - logging.basicConfig( - format=FORMAT, - level=logging.DEBUG) -elif args.verbose: - logging.basicConfig( - format=FORMAT, - level=logging.INFO) -else: - logging.basicConfig( - format=FORMAT, - level=logging.WARNING) - -requests_log = logging.getLogger("requests.packages.urllib3") -requests_log.setLevel(logging.WARNING) -requests_log.propagate = True - -logger = logging.getLogger(__name__) - -if args.filename: - print("Loading: {}".format(args.filename[0])) - -m = SourceFileLoader("scenario", args.filename[0]) - -scenario = m.load_module() - - -def create_model(model_id=None): - if args.verbose: - logger.info("Creating model {}".format(scenario.model_name)) - if not model_id: - logger.info("Add model") - model_id = add_model(name=scenario.model_name) - logger.info("Add subject categories") - for cat in scenario.subject_categories: - scenario.subject_categories[cat] = add_subject_category(name=cat) - logger.info("Add object categories") - for cat in scenario.object_categories: - scenario.object_categories[cat] = add_object_category(name=cat) - logger.info("Add action categories") - for cat in scenario.action_categories: - scenario.action_categories[cat] = add_action_category(name=cat) - sub_cat = [] - ob_cat = [] - act_cat = [] - meta_rule_list = [] - for item_name, item_value in scenario.meta_rule.items(): - for item in item_value["value"]: - if item in scenario.subject_categories: - sub_cat.append(scenario.subject_categories[item]) - elif item in scenario.object_categories: - ob_cat.append(scenario.object_categories[item]) - elif item in scenario.action_categories: - act_cat.append(scenario.action_categories[item]) - meta_rules = check_meta_rule(meta_rule_id=None) - for _meta_rule_id, _meta_rule_value in meta_rules['meta_rules'].items(): - if _meta_rule_value['name'] == item_name: - meta_rule_id = _meta_rule_id - break - else: - logger.info("Add meta rule") - meta_rule_id = add_meta_rule(item_name, sub_cat, ob_cat, act_cat) - item_value["id"] = meta_rule_id - if meta_rule_id not in meta_rule_list: - meta_rule_list.append(meta_rule_id) - return model_id, meta_rule_list - - -def create_policy(model_id, meta_rule_list): - if args.verbose: - logger.info("Creating policy {}".format(scenario.policy_name)) - _policies = check_policy() - for _policy_id, _policy_value in _policies["policies"].items(): - if _policy_value['name'] == scenario.policy_name: - policy_id = _policy_id - break - else: - policy_id = add_policy(name=scenario.policy_name, genre=scenario.policy_genre) - - update_policy(policy_id, model_id) - - for meta_rule_id in meta_rule_list: - logger.debug("add_meta_rule_to_model {} {}".format(model_id, meta_rule_id)) - add_meta_rule_to_model(model_id, meta_rule_id) - - logger.info("Add subject data") - for subject_cat_name in scenario.subject_data: - for subject_data_name in scenario.subject_data[subject_cat_name]: - data_id = scenario.subject_data[subject_cat_name][subject_data_name] = add_subject_data( - policy_id=policy_id, - category_id=scenario.subject_categories[subject_cat_name], name=subject_data_name) - scenario.subject_data[subject_cat_name][subject_data_name] = data_id - logger.info("Add object data") - for object_cat_name in scenario.object_data: - for object_data_name in scenario.object_data[object_cat_name]: - data_id = scenario.object_data[object_cat_name][object_data_name] = add_object_data( - policy_id=policy_id, - category_id=scenario.object_categories[object_cat_name], name=object_data_name) - scenario.object_data[object_cat_name][object_data_name] = data_id - logger.info("Add action data") - for action_cat_name in scenario.action_data: - for action_data_name in scenario.action_data[action_cat_name]: - data_id = scenario.action_data[action_cat_name][action_data_name] = add_action_data( - policy_id=policy_id, - category_id=scenario.action_categories[action_cat_name], name=action_data_name) - scenario.action_data[action_cat_name][action_data_name] = data_id - - logger.info("Add subjects") - for name in scenario.subjects: - scenario.subjects[name] = add_subject(policy_id, name=name) - logger.info("Add objects") - for name in scenario.objects: - scenario.objects[name] = add_object(policy_id, name=name) - logger.info("Add actions") - for name in scenario.actions: - scenario.actions[name] = add_action(policy_id, name=name) - - logger.info("Add subject assignments") - for subject_name in scenario.subject_assignments: - if type(scenario.subject_assignments[subject_name]) in (list, tuple): - for items in scenario.subject_assignments[subject_name]: - for subject_category_name in items: - subject_id = scenario.subjects[subject_name] - subject_cat_id = scenario.subject_categories[subject_category_name] - for data in scenario.subject_assignments[subject_name]: - subject_data_id = scenario.subject_data[subject_category_name][data[subject_category_name]] - add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) - else: - for subject_category_name in scenario.subject_assignments[subject_name]: - subject_id = scenario.subjects[subject_name] - subject_cat_id = scenario.subject_categories[subject_category_name] - subject_data_id = scenario.subject_data[subject_category_name][scenario.subject_assignments[subject_name][subject_category_name]] - add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) - - logger.info("Add object assignments") - for object_name in scenario.object_assignments: - if type(scenario.object_assignments[object_name]) in (list, tuple): - for items in scenario.object_assignments[object_name]: - for object_category_name in items: - object_id = scenario.objects[object_name] - object_cat_id = scenario.object_categories[object_category_name] - for data in scenario.object_assignments[object_name]: - object_data_id = scenario.object_data[object_category_name][data[object_category_name]] - add_object_assignments(policy_id, object_id, object_cat_id, object_data_id) - else: - for object_category_name in scenario.object_assignments[object_name]: - object_id = scenario.objects[object_name] - object_cat_id = scenario.object_categories[object_category_name] - object_data_id = scenario.object_data[object_category_name][scenario.object_assignments[object_name][object_category_name]] - add_object_assignments(policy_id, object_id, object_cat_id, object_data_id) - - logger.info("Add action assignments") - for action_name in scenario.action_assignments: - if type(scenario.action_assignments[action_name]) in (list, tuple): - for items in scenario.action_assignments[action_name]: - for action_category_name in items: - action_id = scenario.actions[action_name] - action_cat_id = scenario.action_categories[action_category_name] - for data in scenario.action_assignments[action_name]: - action_data_id = scenario.action_data[action_category_name][data[action_category_name]] - add_action_assignments(policy_id, action_id, action_cat_id, action_data_id) - else: - for action_category_name in scenario.action_assignments[action_name]: - action_id = scenario.actions[action_name] - action_cat_id = scenario.action_categories[action_category_name] - action_data_id = scenario.action_data[action_category_name][scenario.action_assignments[action_name][action_category_name]] - add_action_assignments(policy_id, action_id, action_cat_id, action_data_id) - - logger.info("Add rules") - for meta_rule_name in scenario.rules: - meta_rule_value = scenario.meta_rule[meta_rule_name] - for rule in scenario.rules[meta_rule_name]: - data_list = [] - _meta_rule = list(meta_rule_value["value"]) - for data_name in rule["rule"]: - category_name = _meta_rule.pop(0) - if category_name in scenario.subject_categories: - data_list.append(scenario.subject_data[category_name][data_name]) - elif category_name in scenario.object_categories: - data_list.append(scenario.object_data[category_name][data_name]) - elif category_name in scenario.action_categories: - data_list.append(scenario.action_data[category_name][data_name]) - instructions = rule["instructions"] - add_rule(policy_id, meta_rule_value["id"], data_list, instructions) - return policy_id - - -def create_pdp(policy_id=None): - logger.info("Creating PDP {}".format(scenario.pdp_name)) - projects = get_keystone_projects() - admin_project_id = None - for _project in projects['projects']: - if _project['name'] == "admin": - admin_project_id = _project['id'] - assert admin_project_id - pdps = check_pdp()["pdps"] - for pdp_id, pdp_value in pdps.items(): - if scenario.pdp_name == pdp_value["name"]: - update_pdp(pdp_id, policy_id=policy_id) - logger.debug("Found existing PDP named {} (will add policy {})".format(scenario.pdp_name, policy_id)) - return pdp_id - _pdp_id = add_pdp(name=scenario.pdp_name, policy_id=policy_id) - map_to_keystone(pdp_id=_pdp_id, keystone_project_id=admin_project_id) - return _pdp_id - -if __name__ == "__main__": - _models = check_model() - for _model_id, _model_value in _models['models'].items(): - if _model_value['name'] == scenario.model_name: - model_id = _model_id - meta_rule_list = _model_value['meta_rules'] - create_model(model_id) - break - else: - model_id, meta_rule_list = create_model() - policy_id = create_policy(model_id, meta_rule_list) - pdp_id = create_pdp(policy_id) diff --git a/moonv4/moon_interface/tests/apitests/scenario/delegation.py b/moonv4/moon_interface/tests/apitests/scenario/delegation.py deleted file mode 100644 index 839e74ce..00000000 --- a/moonv4/moon_interface/tests/apitests/scenario/delegation.py +++ /dev/null @@ -1,40 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "Delegation policy example" -model_name = "Delegation" - -subjects = {"user0": "", } -objects = {"user1": "", } -actions = {"delegate": ""} - -subject_categories = {"subjectid": "", } -object_categories = {"delegated": "", } -action_categories = {"delegation-action": "", } - -subject_data = {"subjectid": {"user0": ""}} -object_data = {"delegated": {"user1": ""}} -action_data = {"delegation-action": {"delegate": ""}} - -subject_assignments = {"user0": {"subjectid": "user0"}} -object_assignments = {"user1": {"delegated": "user1"}} -action_assignments = {"delegate": {"delegation-action": "delegate"}} - -meta_rule = { - "session": {"id": "", "value": ("subjectid", "delegated", "delegation-action")}, -} - -rules = { - "session": ( - { - "rule": ("user0", "user1", "delegate"), - "instructions": ( - { - "update": {"request:subject": "user1"} # update the current user with "user1" - }, - {"chain": {"security_pipeline": "rbac"}} - ) - }, - ) -} - - diff --git a/moonv4/moon_interface/tests/apitests/scenario/mls.py b/moonv4/moon_interface/tests/apitests/scenario/mls.py deleted file mode 100644 index 3a3ded43..00000000 --- a/moonv4/moon_interface/tests/apitests/scenario/mls.py +++ /dev/null @@ -1,54 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "MLS Policy example" -model_name = "MLS" - -subjects = {"user0": "", "user1": "", "user2": "", } -objects = {"vm0": "", "vm1": "", } -actions = {"start": "", "stop": ""} - -subject_categories = {"subject-security-level": "", } -object_categories = {"object-security-level": "", } -action_categories = {"action-type": "", } - -subject_data = { - "subject-security-level": {"low": "", "medium": "", "high": ""}, -} -object_data = { - "object-security-level": {"low": "", "medium": "", "high": ""}, -} -action_data = {"action-type": {"vm-action": "", "storage-action": "", }} - -subject_assignments = { - "user0": {"subject-security-level": "high"}, - "user1": {"subject-security-level": "medium"}, -} -object_assignments = { - "vm0": {"object-security-level": "medium"}, - "vm1": {"object-security-level": "low"}, -} -action_assignments = { - "start": {"action-type": "vm-action"}, - "stop": {"action-type": "vm-action"} -} - -meta_rule = { - "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")}, -} - -rules = { - "mls": ( - { - "rules": ("high", "medium", "vm-action"), - "instructions": ({"decision": "grant"}) - }, - { - "rules": ("high", "low", "vm-action"), - "instructions": ({"decision": "grant"}) - }, - { - "rules": ("medium", "low", "vm-action"), - "instructions": ({"decision": "grant"}) - }, - ) -} diff --git a/moonv4/moon_interface/tests/apitests/scenario/rbac.py b/moonv4/moon_interface/tests/apitests/scenario/rbac.py deleted file mode 100644 index 89fd7de8..00000000 --- a/moonv4/moon_interface/tests/apitests/scenario/rbac.py +++ /dev/null @@ -1,44 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "RBAC policy example" -model_name = "RBAC" -policy_genre = "authz" - -subjects = {"user0": "", "user1": "", } -objects = {"vm0": "", "vm1": "", } -actions = {"start": "", "stop": ""} - -subject_categories = {"role": "", } -object_categories = {"id": "", } -action_categories = {"action-type": "", } - -subject_data = {"role": {"admin": "", "employee": "", "*": ""}} -object_data = {"id": {"vm0": "", "vm1": "", "*": ""}} -action_data = {"action-type": {"vm-action": "", "*": ""}} - -subject_assignments = {"user0": ({"role": "employee"}, {"role": "*"}), "user1": ({"role": "employee"}, {"role": "*"}), } -object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} -action_assignments = {"start": ({"action-type": "vm-action"}, {"action-type": "*"}), "stop": ({"action-type": "vm-action"}, {"action-type": "*"})} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, -} - -rules = { - "rbac": ( - { - "rule": ("admin", "vm0", "vm-action"), - "instructions": ( - {"decision": "grant"}, # "grant" to immediately exit, "continue" to wait for the result of next policy - ) - }, - { - "rule": ("employee", "vm1", "vm-action"), - "instructions": ( - {"decision": "grant"}, - ) - }, - ) -} - - diff --git a/moonv4/moon_interface/tests/apitests/scenario/rbac_large.py b/moonv4/moon_interface/tests/apitests/scenario/rbac_large.py deleted file mode 100644 index ef5dd9b2..00000000 --- a/moonv4/moon_interface/tests/apitests/scenario/rbac_large.py +++ /dev/null @@ -1,233 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "RBAC policy example" -model_name = "RBAC" -policy_genre = "authz" - -subjects = { - "user0": "", - "user1": "", - "user2": "", - "user3": "", - "user4": "", - "user5": "", - "user6": "", - "user7": "", - "user8": "", - "user9": "", -} -objects = { - "vm0": "", - "vm1": "", - "vm2": "", - "vm3": "", - "vm4": "", - "vm5": "", - "vm6": "", - "vm7": "", - "vm8": "", - "vm9": "", -} -actions = { - "start": "", - "stop": "", - "pause": "", - "unpause": "", - "destroy": "", -} - -subject_categories = {"role": "", } -object_categories = {"id": "", } -action_categories = {"action-type": "", } - -subject_data = {"role": { - "admin": "", - "employee": "", - "dev1": "", - "dev2": "", - "*": "" -}} -object_data = {"id": { - "vm0": "", - "vm1": "", - "vm2": "", - "vm3": "", - "vm4": "", - "vm5": "", - "vm6": "", - "vm7": "", - "vm8": "", - "vm9": "", - "*": "" -}} -action_data = {"action-type": { - "vm-read": "", - "vm-write": "", - "*": "" -}} - -subject_assignments = { - "user0": ({"role": "employee"}, {"role": "*"}), - "user1": ({"role": "employee"}, {"role": "*"}), - "user2": ({"role": "dev1"}, {"role": "*"}), - "user3": ({"role": "dev1"}, {"role": "*"}), - "user4": ({"role": "dev1"}, {"role": "*"}), - "user5": ({"role": "dev1"}, {"role": "*"}), - "user6": ({"role": "dev2"}, {"role": "*"}), - "user7": ({"role": "dev2"}, {"role": "*"}), - "user8": ({"role": "dev2"}, {"role": "*"}), - "user9": ({"role": "dev2"}, {"role": "*"}), -} -object_assignments = { - "vm0": ({"id": "vm0"}, {"id": "*"}), - "vm1": ({"id": "vm1"}, {"id": "*"}), - "vm2": ({"id": "vm2"}, {"id": "*"}), - "vm3": ({"id": "vm3"}, {"id": "*"}), - "vm4": ({"id": "vm4"}, {"id": "*"}), - "vm5": ({"id": "vm5"}, {"id": "*"}), - "vm6": ({"id": "vm6"}, {"id": "*"}), - "vm7": ({"id": "vm7"}, {"id": "*"}), - "vm8": ({"id": "vm8"}, {"id": "*"}), - "vm9": ({"id": "vm9"}, {"id": "*"}), -} -action_assignments = { - "start": ({"action-type": "vm-write"}, {"action-type": "*"}), - "stop": ({"action-type": "vm-write"}, {"action-type": "*"}), - "pause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "unpause": ({"action-type": "vm-read"}, {"action-type": "*"}), - "destroy": ({"action-type": "vm-write"}, {"action-type": "*"}), -} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, -} - -rules = { - "rbac": ( - { - "rule": ("admin", "vm0", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("admin", "vm0", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - # Rules for grant all employee to do read actions to all VM except vm0 - { - "rule": ("employee", "vm1", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm2", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm3", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm4", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm5", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm6", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm7", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm8", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("employee", "vm9", "vm-read"), - "instructions": ( - {"decision": "grant"}, - ) - }, - # Rules for grant all dev1 to do read actions to some VM - { - "rule": ("dev1", "vm1", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev1", "vm2", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev1", "vm3", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev1", "vm4", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - # Rules for grant all dev2 to do read actions to some VM - { - "rule": ("dev2", "vm5", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev2", "vm6", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev2", "vm7", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev2", "vm8", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - { - "rule": ("dev2", "vm9", "vm-write"), - "instructions": ( - {"decision": "grant"}, - ) - }, - ) -} - - diff --git a/moonv4/moon_interface/tests/apitests/scenario/rbac_mls.py b/moonv4/moon_interface/tests/apitests/scenario/rbac_mls.py deleted file mode 100644 index 8a5362ea..00000000 --- a/moonv4/moon_interface/tests/apitests/scenario/rbac_mls.py +++ /dev/null @@ -1,50 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "Multi policy example" -model_name = "RBAC" - -subjects = {"user0": "", "user1": "", "user2": "", } -objects = {"vm0": "", "vm1": "", } -actions = {"start": "", "stop": ""} - -subject_categories = {"role": "", "subject-security-level": "", } -object_categories = {"id": "", "object-security-level": "", } -action_categories = {"action-type": "", } - -subject_data = { - "role": {"admin": "", "employee": ""}, - "subject-security-level": {"low": "", "medium": "", "high": ""}, -} -object_data = { - "id": {"vm1": "", "vm2": ""}, - "object-security-level": {"low": "", "medium": "", "high": ""}, -} -action_data = {"action-type": {"vm-action": "", "storage-action": "", }} - -subject_assignments = { - "user0": {"role": "admin", "subject-security-level": "high"}, - "user1": {"role": "employee", "subject-security-level": "medium"}, -} -object_assignments = { - "vm0": {"id": "vm1", "object-security-level": "medium"}, - "vm1": {"id": "vm2", "object-security-level": "low"}, -} -action_assignments = { - "start": {"action-type": "vm-action"}, - "stop": {"action-type": "vm-action"} -} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, - "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")}, -} - -rules = { - "rbac": ( - ("admin", "vm1", "vm-action"), - ), - "mls": ( - ("high", "medium", "vm-action"), - ("medium", "low", "vm-action"), - ) -} diff --git a/moonv4/moon_interface/tests/apitests/scenario/session.py b/moonv4/moon_interface/tests/apitests/scenario/session.py deleted file mode 100644 index 97d7aec3..00000000 --- a/moonv4/moon_interface/tests/apitests/scenario/session.py +++ /dev/null @@ -1,60 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "Session policy example" -model_name = "Session" -policy_genre = "session" - -subjects = {"user0": "", "user1": "", } -objects = {"admin": "", "employee": "", } -actions = {"activate": "", "deactivate": ""} - -subject_categories = {"subjectid": "", } -object_categories = {"role": "", } -action_categories = {"session-action": "", } - -subject_data = {"subjectid": {"user0": "", "user1": ""}} -object_data = {"role": {"admin": "", "employee": "", "*": ""}} -action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} - -subject_assignments = {"user0": ({"subjectid": "user0"}, ), "user1": ({"subjectid": "user1"}, ), } -object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), - "employee": ({"role": "employee"}, {"role": "employee"}) - } -action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), - "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) - } - -meta_rule = { - "session": {"id": "", "value": ("subjectid", "role", "session-action")}, -} - -rules = { - "session": ( - { - "rule": ("user0", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user1", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "delete", - "target": "rbac:role:employee" # delete the role employee from the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - ) -} - - diff --git a/moonv4/moon_interface/tests/apitests/scenario/session_large.py b/moonv4/moon_interface/tests/apitests/scenario/session_large.py deleted file mode 100644 index 5b4a64b6..00000000 --- a/moonv4/moon_interface/tests/apitests/scenario/session_large.py +++ /dev/null @@ -1,389 +0,0 @@ - -pdp_name = "pdp1" -policy_name = "Session policy example" -model_name = "Session" -policy_genre = "session" - -subjects = { - "user0": "", - "user1": "", - "user2": "", - "user3": "", - "user4": "", - "user5": "", - "user6": "", - "user7": "", - "user8": "", - "user9": "", -} -objects = {"admin": "", "employee": "", "dev1": "", "dev2": "", } -actions = {"activate": "", "deactivate": ""} - -subject_categories = {"subjectid": "", } -object_categories = {"role": "", } -action_categories = {"session-action": "", } - -subject_data = {"subjectid": { - "user0": "", - "user1": "", - "user2": "", - "user3": "", - "user4": "", - "user5": "", - "user6": "", - "user7": "", - "user8": "", - "user9": "", -}} -object_data = {"role": { - "admin": "", - "employee": "", - "dev1": "", - "dev2": "", - "*": "" -}} -action_data = {"session-action": {"activate": "", "deactivate": "", "*": ""}} - -subject_assignments = { - "user0": ({"subjectid": "user0"}, ), - "user1": ({"subjectid": "user1"}, ), - "user2": ({"subjectid": "user2"}, ), - "user3": ({"subjectid": "user3"}, ), - "user4": ({"subjectid": "user4"}, ), - "user5": ({"subjectid": "user5"}, ), - "user6": ({"subjectid": "user6"}, ), - "user7": ({"subjectid": "user7"}, ), - "user8": ({"subjectid": "user8"}, ), - "user9": ({"subjectid": "user9"}, ), -} -object_assignments = {"admin": ({"role": "admin"}, {"role": "*"}), - "employee": ({"role": "employee"}, {"role": "*"}), - "dev1": ({"role": "employee"}, {"role": "dev1"}, {"role": "*"}), - "dev2": ({"role": "employee"}, {"role": "dev2"}, {"role": "*"}), - } -action_assignments = {"activate": ({"session-action": "activate"}, {"session-action": "*"}, ), - "deactivate": ({"session-action": "deactivate"}, {"session-action": "*"}, ) - } - -meta_rule = { - "session": {"id": "", "value": ("subjectid", "role", "session-action")}, -} - -rules = { - "session": ( - { - "rule": ("user0", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user1", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "delete", - "target": "rbac:role:employee" # delete the role employee from the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user2", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user2", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user2", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user3", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user3", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user3", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user4", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user4", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user4", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user5", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user5", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user5", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user6", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user6", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user6", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user7", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user7", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user7", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user8", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user8", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user8", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user9", "employee", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user9", "dev1", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - { - "rule": ("user9", "dev2", "*"), - "instructions": ( - { - "update": { - "operation": "add", - "target": "rbac:role:admin" # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} # chain with the meta_rule named rbac - ) - }, - ) -} - - diff --git a/moonv4/moon_interface/tests/apitests/set_authz.py b/moonv4/moon_interface/tests/apitests/set_authz.py deleted file mode 100644 index 270c9de2..00000000 --- a/moonv4/moon_interface/tests/apitests/set_authz.py +++ /dev/null @@ -1,388 +0,0 @@ -import sys -import argparse -import logging -import copy -import threading -from importlib.machinery import SourceFileLoader -import itertools -import requests -import time -import json -import random -import plotly -from plotly.graph_objs import Scatter, Layout -import plotly.figure_factory as ff -from uuid import uuid4 -from utils.pdp import check_pdp - - -logger = None -HOST = None -PORT = None -HOST_AUTHZ = None -PORT_AUTHZ = None - -lock = threading.Lock() - - -def init(): - global logger, HOST, PORT, HOST_AUTHZ, PORT_AUTHZ - parser = argparse.ArgumentParser() - parser.add_argument('filename', help='scenario filename', nargs=1) - parser.add_argument("--verbose", "-v", action='store_true', help="verbose mode") - parser.add_argument("--debug", action='store_true', help="debug mode") - parser.add_argument("--dry-run", "-n", action='store_true', help="Dry run", dest="dry_run") - parser.add_argument("--host", - help="Set the name of the host to test (default: 172.18.0.11).", - default="172.18.0.11") - parser.add_argument("--host-authz", - help="Set the name of the host to test authorization (default: 172.18.0.11).", - default="172.18.0.11", - dest="host_authz") - parser.add_argument("--port", "-p", - help="Set the port of the host to test (default: 38001).", - default="38001") - parser.add_argument("--port-authz", - help="Set the port of the host to test authorization (default: 38001).", - default="38001", - dest="port_authz") - parser.add_argument("--test-only", "-t", action='store_true', dest='testonly', help="Do not generate graphs") - parser.add_argument("--stress-test", "-s", action='store_true', dest='stress_test', - help="Execute stressing tests (warning delta measures will be false, implies -t)") - parser.add_argument("--write", "-w", help="Write test data to a JSON file", default="/tmp/data.json") - parser.add_argument("--pdp", help="Test on pdp PDP") - parser.add_argument("--input", "-i", help="Get data from a JSON input file") - parser.add_argument("--legend", "-l", help="Set the legend (default: 'rbac,rbac+session')", - default='rbac,rbac+session') - # parser.add_argument("--distgraph", "-d", - # help="Show a distribution graph instead of a linear graph", - # action='store_true') - parser.add_argument("--request-per-second", help="Number of requests per seconds", - type=int, dest="request_second", default=1) - parser.add_argument("--limit", help="Limit request to LIMIT", type=int) - parser.add_argument("--write-image", help="Write the graph to file IMAGE", dest="write_image") - parser.add_argument("--write-html", help="Write the graph to HTML file HTML", dest="write_html", default="data.html") - args = parser.parse_args() - - FORMAT = '%(asctime)-15s %(levelname)s %(message)s' - if args.debug: - logging.basicConfig( - format=FORMAT, - level=logging.DEBUG) - elif args.verbose: - logging.basicConfig( - format=FORMAT, - level=logging.INFO) - else: - logging.basicConfig( - format=FORMAT, - level=logging.WARNING) - - logger = logging.getLogger(__name__) - - requests_log = logging.getLogger("requests.packages.urllib3") - requests_log.setLevel(logging.WARNING) - requests_log.propagate = True - - if args.stress_test: - args.testonly = True - - if args.filename: - logger.info("Loading: {}".format(args.filename[0])) - - HOST = args.host - PORT = args.port - HOST_AUTHZ = args.host_authz - PORT_AUTHZ = args.port_authz - return args - - -def get_scenario(args): - m = SourceFileLoader("scenario", args.filename[0]) - return m.load_module() - - -def get_keystone_id(pdp_name): - keystone_project_id = None - logger.error("get_keystone_id url={}".format("http://{}:{}".format(HOST, PORT))) - for pdp_key, pdp_value in check_pdp(moon_url="http://{}:{}".format(HOST, PORT))["pdps"].items(): - logger.debug(pdp_value) - if pdp_name: - if pdp_name != pdp_value["name"]: - continue - if pdp_value['security_pipeline'] and pdp_value["keystone_project_id"]: - logger.debug("Found pdp with keystone_project_id={}".format(pdp_value["keystone_project_id"])) - keystone_project_id = pdp_value["keystone_project_id"] - - if not keystone_project_id: - logger.error("Cannot find PDP with keystone project ID") - sys.exit(1) - return keystone_project_id - - -def _send(url, stress_test=False): - current_request = dict() - current_request['url'] = url - try: - if stress_test: - current_request['start'] = time.time() - # with lock: - res = requests.get(url) - current_request['end'] = time.time() - current_request['delta'] = current_request["end"] - current_request["start"] - else: - with lock: - current_request['start'] = time.time() - res = requests.get(url) - current_request['end'] = time.time() - current_request['delta'] = current_request["end"] - current_request["start"] - except requests.exceptions.ConnectionError: - logger.warning("Unable to connect to server") - return {} - if res and not stress_test: - logger.debug(res.status_code) - logger.debug(res.text) - if res.status_code == 200: - # logger.warning("error code 200 for {}".format(self.url)) - logger.info("\033[1m{}\033[m {}".format(url, res.status_code)) - try: - j = res.json() - except Exception as e: - logger.debug(e) - logger.error(res.text) - else: - if j.get("authz"): - logger.warning("{} \033[32m{}\033[m".format(url, j.get("authz"))) - logger.debug("{}".format(j.get("error", ""))) - current_request['result'] = "Grant" - else: - logger.warning("{} \033[31m{}\033[m".format(url, j.get("authz"))) - logger.debug("{}".format(j.get("error", ""))) - current_request['result'] = "Deny" - return current_request - - -class AsyncGet(threading.Thread): - - def __init__(self, url, semaphore=None, *args, **kwargs): - threading.Thread.__init__(self) - self.url = url - self.kwargs = kwargs - self.sema = semaphore - self.result = dict() - self.uuid = uuid4().hex - self.index = kwargs.get("index", 0) - - def run(self): - self.result = _send(self.url, self.kwargs.get("stress_test", False)) - self.result['index'] = self.index - - -def send_requests(scenario, keystone_project_id, request_second=1, limit=500, - dry_run=None, stress_test=False): - # sema = threading.BoundedSemaphore(value=request_second) - backgrounds = [] - time_data = list() - start_timing = time.time() - request_cpt = 0 - indexes = [] - # rules = itertools.product(scenario.subjects.keys(), scenario.objects.keys(), scenario.actions.keys()) - SUBJECTS = tuple(scenario.subjects.keys()) - OBJECTS = tuple(scenario.objects.keys()) - ACTIONS = tuple(scenario.actions.keys()) - # for rule in rules: - while request_cpt <= limit: - rule = (random.choice(SUBJECTS), random.choice(OBJECTS), random.choice(ACTIONS)) - url = "http://{}:{}/authz/{}/{}".format(HOST_AUTHZ, PORT_AUTHZ, keystone_project_id, "/".join(rule)) - indexes.append(url) - if dry_run: - logger.info(url) - continue - request_cpt += 1 - if stress_test: - time_data.append(copy.deepcopy(_send(url, stress_test=stress_test))) - else: - background = AsyncGet(url, stress_test=stress_test, index=request_cpt) - backgrounds.append(background) - background.start() - # if limit and limit < request_cpt: - # break - if request_cpt % request_second == 0: - if time.time()-start_timing < 1: - while True: - if time.time()-start_timing > 1: - break - start_timing = time.time() - if not stress_test: - for background in backgrounds: - background.join() - if background.result: - time_data.append(copy.deepcopy(background.result)) - return time_data - - -def save_data(filename, time_data): - json.dump(time_data, open(filename, "w")) - - -def get_delta(time_data): - time_delta = list() - time_delta_sum1 = 0 - for item in time_data: - time_delta.append(item['delta']) - time_delta_sum1 += item['delta'] - time_delta_average1 = time_delta_sum1 / len(time_data) - return time_delta, time_delta_average1 - - -def write_graph(time_data, legend=None, input=None, image_file=None, html_file=None): - logger.info("Writing graph") - legends = legend.split(",") - result_data = [] - time_delta, time_delta_average1 = get_delta(time_data) - time_delta_average2 = None - # if input: - # for _input in input.split(","): - # current_legend = legends.pop(0) - # time_data2 = json.load(open(_input)) - # time_delta2, time_delta_average2 = get_delta(time_data2) - # for item in time_data: - # if key in time_data2: - # time_delta2.append(time_data2[key]['delta']) - # else: - # time_delta2.append(None) - # data2 = Scatter( - # x=list(range(len(time_data))), - # y=time_delta2, - # name=current_legend, - # line=dict( - # color='rgb(255, 192, 118)', - # shape='spline') - # ) - # result_data.append(data2) - # data2_a = Scatter( - # x=list(range(len(time_data))), - # y=[time_delta_average2 for x in range(len(time_data))], - # name=current_legend + " average", - # line=dict( - # color='rgb(255, 152, 33)', - # shape='spline') - # ) - # result_data.append(data2_a) - current_legend = legends.pop(0) - data1 = Scatter( - x=list(range(len(time_data))), - y=time_delta, - name=current_legend, - line=dict( - color='rgb(123, 118, 255)') - ) - result_data.append(data1) - data1_a = Scatter( - x=list(range(len(time_data))), - y=[time_delta_average1 for x in range(len(time_data))], - name=current_legend + " average", - line=dict( - color='rgb(28, 20, 255)') - ) - result_data.append(data1_a) - - if image_file: - plotly.offline.plot( - { - "data": result_data, - "layout": Layout( - title="Request times delta", - xaxis=dict(title='Requests'), - yaxis=dict(title='Request duration'), - ) - }, - filename=html_file, - image="svg", - image_filename=image_file, - image_height=1000, - image_width=1200 - ) - else: - plotly.offline.plot( - { - "data": result_data, - "layout": Layout( - title="Request times delta", - xaxis=dict(title='Requests'), - yaxis=dict(title='Request duration'), - ) - }, - filename=html_file, - ) - if time_delta_average2: - logger.info("Average: {} and {}".format(time_delta_average1, time_delta_average2)) - return 1-time_delta_average2/time_delta_average1 - return 0 - - -# def write_distgraph(time_data, legend=None, input=None, image_file=None, html_file=None): -# -# logger.info("Writing graph") -# legends = legend.split(",") -# result_data = [] -# -# time_delta_average2 = None -# -# if input: -# for _input in input.split(","): -# logger.info("Analysing input {}".format(_input)) -# time_data2 = json.load(open(_input)) -# time_delta2, time_delta_average2 = get_delta(time_data2) -# result_data.append(time_delta2) -# -# time_delta, time_delta_average1 = get_delta(time_data) -# result_data.append(time_delta) -# -# # Create distplot with custom bin_size -# if len(legends) < len(result_data): -# for _cpt in range(len(result_data)-len(legends)): -# legends.append("NC") -# fig = ff.create_distplot(result_data, legends, bin_size=.2) -# -# # Plot! -# plotly.offline.plot( -# fig, -# image="svg", -# image_filename=image_file, -# image_height=1000, -# image_width=1200, -# filename=html_file -# ) -# if time_delta_average2: -# logger.info("Average: {} and {}".format(time_delta_average1, time_delta_average2)) -# return 1-time_delta_average2/time_delta_average1 -# return 0 - - -def main(): - args = init() - scenario = get_scenario(args) - keystone_project_id = get_keystone_id(args.pdp) - time_data = send_requests( - scenario, - keystone_project_id, - request_second=args.request_second, - limit=args.limit, - dry_run=args.dry_run, - stress_test=args.stress_test - ) - if not args.dry_run: - save_data(args.write, time_data) - if not args.testonly: - # if args.distgraph: - # overhead = write_distgraph(time_data, legend=args.legend, input=args.input, image_file=args.write_image, - # html_file=args.write_html) - # else: - overhead = write_graph(time_data, legend=args.legend, input=args.input, image_file=args.write_image, - html_file=args.write_html) - logger.info("Overhead: {:.2%}".format(overhead)) - - -if __name__ == "__main__": - main() diff --git a/moonv4/moon_interface/tests/apitests/test_models.py b/moonv4/moon_interface/tests/apitests/test_models.py deleted file mode 100644 index 0da40ce5..00000000 --- a/moonv4/moon_interface/tests/apitests/test_models.py +++ /dev/null @@ -1,37 +0,0 @@ -from utils.models import * - - -def test_models(): - check_model() - model_id = add_model() - check_model(model_id) - delete_model(model_id) - - -def test_meta_data_subject(): - category_id = add_subject_category() - check_subject_category(category_id) - # TODO (asteroide): must implement the deletion of linked data - # delete_subject_category(category_id) - - -def test_meta_data_object(): - category_id = add_object_category() - check_object_category(category_id) - # TODO (asteroide): must implement the deletion of linked data - # delete_object_category(category_id) - - -def test_meta_data_action(): - category_id = add_action_category() - check_action_category(category_id) - # TODO (asteroide): must implement the deletion of linked data - # delete_action_category(category_id) - - -def test_meta_rule(): - meta_rule_id, scat_id, ocat_id, acat_id = add_categories_and_meta_rule() - check_meta_rule(meta_rule_id, scat_id, ocat_id, acat_id) - delete_meta_rule(meta_rule_id) - - diff --git a/moonv4/moon_interface/tests/apitests/test_pdp.py b/moonv4/moon_interface/tests/apitests/test_pdp.py deleted file mode 100644 index 6cd5365b..00000000 --- a/moonv4/moon_interface/tests/apitests/test_pdp.py +++ /dev/null @@ -1,16 +0,0 @@ -from utils.pdp import * - - -def test_pdp(): - projects = get_keystone_projects() - admin_project_id = None - for _project in projects['projects']: - if _project['name'] == "admin": - admin_project_id = _project['id'] - assert admin_project_id - check_pdp() - pdp_id = add_pdp() - check_pdp(pdp_id) - map_to_keystone(pdp_id=pdp_id, keystone_project_id=admin_project_id) - check_pdp(pdp_id=pdp_id, keystone_project_id=admin_project_id) - delete_pdp(pdp_id) diff --git a/moonv4/moon_interface/tests/apitests/test_policies.py b/moonv4/moon_interface/tests/apitests/test_policies.py deleted file mode 100644 index 8f26d72d..00000000 --- a/moonv4/moon_interface/tests/apitests/test_policies.py +++ /dev/null @@ -1,157 +0,0 @@ -from utils.policies import * -from utils.models import * - - -def test_policies(): - check_policy() - policy_id = add_policy() - check_policy(policy_id) - delete_policy(policy_id) - - -def test_subjects(): - policy_id = add_policy() - subject_id = add_subject() - - update_subject(subject_id=subject_id, policy_id=policy_id) - - check_subject(subject_id=subject_id, policy_id=policy_id) - - delete_subject(subject_id, policy_id=policy_id) - delete_subject(subject_id) - - -def test_objects(): - policy_id = add_policy() - object_id = add_object() - - update_object(object_id=object_id, policy_id=policy_id) - check_object(object_id=object_id, policy_id=policy_id) - - delete_object(object_id=object_id, policy_id=policy_id) - delete_object(object_id=object_id) - - -def test_actions(): - policy_id = add_policy() - action_id = add_action() - - update_action(action_id=action_id, policy_id=policy_id) - check_action(action_id=action_id, policy_id=policy_id) - - delete_action(action_id=action_id, policy_id=policy_id) - delete_action(action_id=action_id) - - -def test_subject_data(): - policy_id = add_policy() - - model_id = add_model() - - update_policy(policy_id, model_id) - - meta_rule_id, subject_cat_id, object_cat_id, action_cat_id = add_categories_and_meta_rule() - add_meta_rule_to_model(model_id, meta_rule_id) - - subject_data_id = add_subject_data(policy_id=policy_id, category_id=subject_cat_id) - check_subject_data(policy_id=policy_id, data_id=subject_data_id, category_id=subject_cat_id) - delete_subject_data(policy_id=policy_id, data_id=subject_data_id, category_id=subject_cat_id) - - -def test_object_data(): - policy_id = add_policy() - - model_id = add_model() - - update_policy(policy_id, model_id) - - meta_rule_id, object_cat_id, object_cat_id, action_cat_id = add_categories_and_meta_rule() - add_meta_rule_to_model(model_id, meta_rule_id) - - object_data_id = add_object_data(policy_id=policy_id, category_id=object_cat_id) - check_object_data(policy_id=policy_id, data_id=object_data_id, category_id=object_cat_id) - delete_object_data(policy_id=policy_id, data_id=object_data_id, category_id=object_cat_id) - - -def test_action_data(): - policy_id = add_policy() - - model_id = add_model() - - update_policy(policy_id, model_id) - - meta_rule_id, action_cat_id, action_cat_id, action_cat_id = add_categories_and_meta_rule() - add_meta_rule_to_model(model_id, meta_rule_id) - - action_data_id = add_action_data(policy_id=policy_id, category_id=action_cat_id) - check_action_data(policy_id=policy_id, data_id=action_data_id, category_id=action_cat_id) - delete_action_data(policy_id=policy_id, data_id=action_data_id, category_id=action_cat_id) - - -def test_assignments(): - policy_id = add_policy() - - model_id = add_model() - - update_policy(policy_id, model_id) - - meta_rule_id, subject_cat_id, object_cat_id, action_cat_id = add_categories_and_meta_rule() - add_meta_rule_to_model(model_id, meta_rule_id) - - subject_data_id = add_subject_data(policy_id=policy_id, category_id=subject_cat_id) - subject_data_id_bis = add_subject_data(policy_id=policy_id, category_id=subject_cat_id) - object_data_id = add_object_data(policy_id=policy_id, category_id=object_cat_id) - object_data_id_bis = add_object_data(policy_id=policy_id, category_id=object_cat_id) - action_data_id = add_action_data(policy_id=policy_id, category_id=action_cat_id) - action_data_id_bis = add_action_data(policy_id=policy_id, category_id=action_cat_id) - - subject_id = add_subject(policy_id) - object_id = add_object(policy_id) - action_id = add_action(policy_id) - - add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) - add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id_bis) - add_object_assignments(policy_id, object_id, object_cat_id, object_data_id) - add_object_assignments(policy_id, object_id, object_cat_id, object_data_id_bis) - add_action_assignments(policy_id, action_id, action_cat_id, action_data_id) - add_action_assignments(policy_id, action_id, action_cat_id, action_data_id_bis) - - check_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) - check_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id_bis) - check_object_assignments(policy_id, object_id, object_cat_id, object_data_id) - check_object_assignments(policy_id, object_id, object_cat_id, object_data_id_bis) - check_action_assignments(policy_id, action_id, action_cat_id, action_data_id) - check_action_assignments(policy_id, action_id, action_cat_id, action_data_id_bis) - - delete_subject_assignment(policy_id, subject_id, subject_cat_id, subject_data_id) - delete_object_assignment(policy_id, object_id, object_cat_id, object_data_id) - delete_action_assignment(policy_id, action_id, action_cat_id, action_data_id) - - -def test_rule(): - policy_id = add_policy() - - model_id = add_model() - - update_policy(policy_id, model_id) - - meta_rule_id, subject_cat_id, object_cat_id, action_cat_id = add_categories_and_meta_rule() - add_meta_rule_to_model(model_id, meta_rule_id) - - subject_data_id = add_subject_data(policy_id=policy_id, category_id=subject_cat_id) - object_data_id = add_object_data(policy_id=policy_id, category_id=object_cat_id) - action_data_id = add_action_data(policy_id=policy_id, category_id=action_cat_id) - - subject_id = add_subject(policy_id) - object_id = add_object(policy_id) - action_id = add_action(policy_id) - - add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) - add_object_assignments(policy_id, object_id, object_cat_id, object_data_id) - add_action_assignments(policy_id, action_id, action_cat_id, action_data_id) - - rule_id = add_rule(policy_id, meta_rule_id, [subject_data_id, object_data_id, action_data_id]) - check_rule(policy_id, meta_rule_id, rule_id, [subject_data_id, object_data_id, action_data_id]) - - delete_rule(policy_id, rule_id) - diff --git a/moonv4/moon_interface/tests/apitests/utils/models.py b/moonv4/moon_interface/tests/apitests/utils/models.py deleted file mode 100644 index 68133b5b..00000000 --- a/moonv4/moon_interface/tests/apitests/utils/models.py +++ /dev/null @@ -1,285 +0,0 @@ -import os -import yaml -import requests -import copy - - -for path in ( - "moon.conf", - "../moon.conf", - "{}/moon_orchestrator/conf/moon.conf".format(os.getenv("MOON_HOME")), - "/etc/moon/moon.conf" -): - try: - config = yaml.safe_load(open(path)) - except FileNotFoundError: - config = None - continue - else: - print("Using {}".format(path)) - break -if not config: - raise Exception("Configuration file not found...") - -URL = "http://{}:{}".format(config['components']['interface']['hostname'], config['components']['interface']['port']) -URL = URL + "{}" -HEADERS = {"content-type": "application/json"} - -model_template = { - "name": "test_model", - "description": "test", - "meta_rules": [] -} - -category_template = { - "name": "name of the category", - "description": "description of the category" -} - -meta_rule_template = { - "name": "test_meta_rule", - "subject_categories": [], - "object_categories": [], - "action_categories": [] -} - - -def check_model(model_id=None, check_model_name=True): - req = requests.get(URL.format("/models")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "models" in result - if model_id: - assert result["models"] - assert model_id in result['models'] - assert "name" in result['models'][model_id] - if check_model_name: - assert model_template["name"] == result['models'][model_id]["name"] - return result - - -def add_model(name=None): - if name: - model_template['name'] = name - req = requests.post(URL.format("/models"), json=model_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - model_id = list(result['models'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['models'][model_id] - assert model_template["name"] == result['models'][model_id]["name"] - return model_id - - -def delete_model(model_id): - req = requests.delete(URL.format("/models/{}".format(model_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - -def add_subject_category(name="subject_cat_1"): - category_template["name"] = name - req = requests.post(URL.format("/subject_categories"), json=category_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "subject_categories" in result - category_id = list(result['subject_categories'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['subject_categories'][category_id] - assert category_template["name"] == result['subject_categories'][category_id]["name"] - return category_id - - -def check_subject_category(category_id): - req = requests.get(URL.format("/subject_categories")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "subject_categories" in result - if "result" in result: - assert result["result"] - assert category_id in result['subject_categories'] - assert "name" in result['subject_categories'][category_id] - assert category_template["name"] == result['subject_categories'][category_id]["name"] - - -def delete_subject_category(category_id): - req = requests.delete(URL.format("/subject_categories/{}".format(category_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - - -def add_object_category(name="object_cat_1"): - category_template["name"] = name - req = requests.post(URL.format("/object_categories"), json=category_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "object_categories" in result - category_id = list(result['object_categories'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['object_categories'][category_id] - assert category_template["name"] == result['object_categories'][category_id]["name"] - return category_id - - -def check_object_category(category_id): - req = requests.get(URL.format("/object_categories")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "object_categories" in result - if "result" in result: - assert result["result"] - assert category_id in result['object_categories'] - assert "name" in result['object_categories'][category_id] - assert category_template["name"] == result['object_categories'][category_id]["name"] - - -def delete_object_category(category_id): - req = requests.delete(URL.format("/object_categories/{}".format(category_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - - -def add_action_category(name="action_cat_1"): - category_template["name"] = name - req = requests.post(URL.format("/action_categories"), json=category_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "action_categories" in result - category_id = list(result['action_categories'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['action_categories'][category_id] - assert category_template["name"] == result['action_categories'][category_id]["name"] - return category_id - - -def check_action_category(category_id): - req = requests.get(URL.format("/action_categories")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "action_categories" in result - if "result" in result: - assert result["result"] - assert category_id in result['action_categories'] - assert "name" in result['action_categories'][category_id] - assert category_template["name"] == result['action_categories'][category_id]["name"] - - -def delete_action_category(category_id): - req = requests.delete(URL.format("/action_categories/{}".format(category_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - - -def add_categories_and_meta_rule(name="test_meta_rule"): - scat_id = add_subject_category() - ocat_id = add_object_category() - acat_id = add_action_category() - _meta_rule_template = copy.deepcopy(meta_rule_template) - _meta_rule_template["name"] = name - _meta_rule_template["subject_categories"].append(scat_id) - _meta_rule_template["object_categories"].append(ocat_id) - _meta_rule_template["action_categories"].append(acat_id) - req = requests.post(URL.format("/meta_rules"), json=_meta_rule_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "meta_rules" in result - meta_rule_id = list(result['meta_rules'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['meta_rules'][meta_rule_id] - assert _meta_rule_template["name"] == result['meta_rules'][meta_rule_id]["name"] - return meta_rule_id, scat_id, ocat_id, acat_id - - -def add_meta_rule(name="test_meta_rule", scat=[], ocat=[], acat=[]): - _meta_rule_template = copy.deepcopy(meta_rule_template) - _meta_rule_template["name"] = name - _meta_rule_template["subject_categories"] = [] - _meta_rule_template["subject_categories"].extend(scat) - _meta_rule_template["object_categories"] = [] - _meta_rule_template["object_categories"].extend(ocat) - _meta_rule_template["action_categories"] = [] - _meta_rule_template["action_categories"].extend(acat) - req = requests.post(URL.format("/meta_rules"), json=_meta_rule_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "meta_rules" in result - meta_rule_id = list(result['meta_rules'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['meta_rules'][meta_rule_id] - assert _meta_rule_template["name"] == result['meta_rules'][meta_rule_id]["name"] - return meta_rule_id - - -def check_meta_rule(meta_rule_id, scat_id=None, ocat_id=None, acat_id=None): - req = requests.get(URL.format("/meta_rules")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "meta_rules" in result - if "result" in result: - assert result["result"] - if not meta_rule_id: - return result - assert meta_rule_id in result['meta_rules'] - assert "name" in result['meta_rules'][meta_rule_id] - if scat_id: - assert scat_id in result['meta_rules'][meta_rule_id]["subject_categories"] - if ocat_id: - assert ocat_id in result['meta_rules'][meta_rule_id]["object_categories"] - if acat_id: - assert acat_id in result['meta_rules'][meta_rule_id]["action_categories"] - - -def delete_meta_rule(meta_rule_id): - req = requests.delete(URL.format("/meta_rules/{}".format(meta_rule_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - - -def add_meta_rule_to_model(model_id, meta_rule_id): - model = check_model(model_id, check_model_name=False)['models'] - meta_rule_list = model[model_id]["meta_rules"] - if meta_rule_id not in meta_rule_list: - meta_rule_list.append(meta_rule_id) - req = requests.patch(URL.format("/models/{}".format(model_id)), - json={"meta_rules": meta_rule_list}, - headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - model_id = list(result['models'].keys())[0] - if "result" in result: - assert result["result"] - assert "meta_rules" in result['models'][model_id] - assert meta_rule_list == result['models'][model_id]["meta_rules"] diff --git a/moonv4/moon_interface/tests/apitests/utils/pdp.py b/moonv4/moon_interface/tests/apitests/utils/pdp.py deleted file mode 100644 index c0c83441..00000000 --- a/moonv4/moon_interface/tests/apitests/utils/pdp.py +++ /dev/null @@ -1,171 +0,0 @@ -import os -import yaml -import requests - -for path in ( - "moon.conf", - "../moon.conf", - "{}/moon_orchestrator/conf/moon.conf".format(os.getenv("MOON_HOME")), - "/etc/moon/moon.conf" -): - try: - config = yaml.safe_load(open(path)) - except FileNotFoundError: - config = None - continue - else: - print("Using {}".format(path)) - break -if not config: - raise Exception("Configuration file not found...") - -URL = "http://{}:{}".format(config['components']['interface']['hostname'], config['components']['interface']['port']) -HEADERS = {"content-type": "application/json"} -KEYSTONE_USER = config['openstack']['keystone']['user'] -KEYSTONE_PASSWORD = config['openstack']['keystone']['password'] -KEYSTONE_PROJECT = config['openstack']['keystone']['project'] -KEYSTONE_SERVER = config['openstack']['keystone']['url'] - -pdp_template = { - "name": "test_pdp", - "security_pipeline": [], - "keystone_project_id": "", - "description": "test", -} - - -def get_keystone_projects(): - - HEADERS = { - "Content-Type": "application/json" - } - - data_auth = { - "auth": { - "identity": { - "methods": [ - "password" - ], - "password": { - "user": { - "name": KEYSTONE_USER, - "domain": { - "name": "Default" - }, - "password": KEYSTONE_PASSWORD - } - } - } - } - } - - req = requests.post("{}/auth/tokens".format(KEYSTONE_SERVER), json=data_auth, headers=HEADERS) - assert req.status_code in (200, 201) - TOKEN = req.headers['X-Subject-Token'] - HEADERS['X-Auth-Token'] = TOKEN - req = requests.get("{}/projects".format(KEYSTONE_SERVER), headers=HEADERS) - if req.status_code not in (200, 201): - data_auth["auth"]["scope"] = { - "project": { - "name": KEYSTONE_PROJECT, - "domain": { - "id": "default" - } - } - } - req = requests.post("{}/auth/tokens".format(KEYSTONE_SERVER), json=data_auth, headers=HEADERS) - assert req.status_code in (200, 201) - TOKEN = req.headers['X-Subject-Token'] - HEADERS['X-Auth-Token'] = TOKEN - req = requests.get("{}/projects".format(KEYSTONE_SERVER), headers=HEADERS) - assert req.status_code in (200, 201) - return req.json() - - -def check_pdp(pdp_id=None, keystone_project_id=None, moon_url=None): - _URL = URL - if moon_url: - _URL = moon_url - req = requests.get(_URL + "/pdp") - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "pdps" in result - if pdp_id: - assert result["pdps"] - assert pdp_id in result['pdps'] - assert "name" in result['pdps'][pdp_id] - assert pdp_template["name"] == result['pdps'][pdp_id]["name"] - if keystone_project_id: - assert result["pdps"] - assert pdp_id in result['pdps'] - assert "keystone_project_id" in result['pdps'][pdp_id] - assert keystone_project_id == result['pdps'][pdp_id]["keystone_project_id"] - return result - - -def add_pdp(name="test_pdp", policy_id=None): - pdp_template['name'] = name - if policy_id: - pdp_template['security_pipeline'].append(policy_id) - req = requests.post(URL + "/pdp", json=pdp_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - pdp_id = list(result['pdps'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['pdps'][pdp_id] - assert pdp_template["name"] == result['pdps'][pdp_id]["name"] - return pdp_id - - -def update_pdp(pdp_id, policy_id=None): - req = requests.get(URL + "/pdp/{}".format(pdp_id)) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "pdps" in result - assert pdp_id in result['pdps'] - pipeline = result['pdps'][pdp_id]["security_pipeline"] - if policy_id not in pipeline: - pipeline.append(policy_id) - req = requests.patch(URL + "/pdp/{}".format(pdp_id), - json={"security_pipeline": pipeline}) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "pdps" in result - assert pdp_id in result['pdps'] - - req = requests.get(URL + "/pdp/{}".format(pdp_id)) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "pdps" in result - assert pdp_id in result['pdps'] - assert policy_id in pipeline - - -def map_to_keystone(pdp_id, keystone_project_id): - req = requests.patch(URL + "/pdp/{}".format(pdp_id), json={"keystone_project_id": keystone_project_id}, - headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - assert pdp_id in result['pdps'] - assert "name" in result['pdps'][pdp_id] - assert pdp_template["name"] == result['pdps'][pdp_id]["name"] - return pdp_id - - -def delete_pdp(pdp_id): - req = requests.delete(URL + "/pdp/{}".format(pdp_id)) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - diff --git a/moonv4/moon_interface/tests/apitests/utils/policies.py b/moonv4/moon_interface/tests/apitests/utils/policies.py deleted file mode 100644 index fdde92ef..00000000 --- a/moonv4/moon_interface/tests/apitests/utils/policies.py +++ /dev/null @@ -1,646 +0,0 @@ -import os -import yaml -import requests - -for path in ( - "moon.conf", - "../moon.conf", - "{}/moon_orchestrator/conf/moon.conf".format(os.getenv("MOON_HOME")), - "/etc/moon/moon.conf" -): - try: - config = yaml.safe_load(open(path)) - except FileNotFoundError: - config = None - continue - else: - print("Using {}".format(path)) - break -if not config: - raise Exception("Configuration file not found...") - -URL = "http://{}:{}".format(config['components']['interface']['hostname'], config['components']['interface']['port']) -URL = URL + "{}" -HEADERS = {"content-type": "application/json"} -FILE = open("/tmp/test.log", "w") - -policy_template = { - "name": "test_policy", - "model_id": "", - "genre": "authz", - "description": "test", -} - -subject_template = { - "name": "test_subject", - "description": "test", - "email": "mail", - "password": "my_pass", -} - -object_template = { - "name": "test_subject", - "description": "test" -} - -action_template = { - "name": "test_subject", - "description": "test" -} - -subject_data_template = { - "name": "subject_data1", - "description": "description of the data subject" -} - -object_data_template = { - "name": "object_data1", - "description": "description of the data subject" -} - -action_data_template = { - "name": "action_data1", - "description": "description of the data subject" -} - -subject_assignment_template = { - "id": "", - "category_id": "", - "scope_id": "" -} - - -def check_policy(policy_id=None): - req = requests.get(URL.format("/policies")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "policies" in result - if policy_id: - assert result["policies"] - assert policy_id in result['policies'] - assert "name" in result['policies'][policy_id] - assert policy_template["name"] == result['policies'][policy_id]["name"] - return result - - -def add_policy(name="test_policy", genre="authz"): - policy_template["name"] = name - policy_template["genre"] = genre - req = requests.post(URL.format("/policies"), json=policy_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - policy_id = list(result['policies'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['policies'][policy_id] - assert policy_template["name"] == result['policies'][policy_id]["name"] - return policy_id - - -def update_policy(policy_id, model_id): - req = requests.patch(URL.format("/policies/{}".format(policy_id)), - json={"model_id": model_id}, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - policy_id = list(result['policies'].keys())[0] - if "result" in result: - assert result["result"] - assert "model_id" in result['policies'][policy_id] - assert model_id == result['policies'][policy_id]["model_id"] - - -def delete_policy(policy_id): - req = requests.delete(URL.format("/policies/{}".format(policy_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - -def add_subject(policy_id=None, name="test_subject"): - subject_template['name'] = name - if policy_id: - req = requests.post(URL.format("/policies/{}/subjects".format(policy_id)), - json=subject_template, headers=HEADERS) - else: - req = requests.post(URL.format("/subjects"), json=subject_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "subjects" in result - subject_id = list(result['subjects'].keys())[0] - return subject_id - - -def update_subject(subject_id, policy_id=None, description=None): - if policy_id and not description: - req = requests.patch(URL.format("/policies/{}/subjects/{}".format(policy_id, subject_id)), - json={}) - elif policy_id and description: - req = requests.patch(URL.format("/policies/{}/subjects/{}".format(policy_id, subject_id)), - json={"description": description}) - else: - req = requests.patch(URL.format("/subjects/{}".format(subject_id)), - json={"description": description}) - assert req.status_code == 200 - result = req.json() - assert "subjects" in result - assert "name" in result["subjects"][subject_id] - assert subject_template["name"] == result["subjects"][subject_id]["name"] - assert "policy_list" in result["subjects"][subject_id] - if policy_id: - assert policy_id in result["subjects"][subject_id]["policy_list"] - if description: - assert description in result["subjects"][subject_id]["description"] - - -def check_subject(subject_id=None, policy_id=None): - if policy_id: - req = requests.get(URL.format("/policies/{}/subjects".format(policy_id))) - else: - req = requests.get(URL.format("/subjects")) - assert req.status_code == 200 - result = req.json() - assert "subjects" in result - assert "name" in result["subjects"][subject_id] - assert subject_template["name"] == result["subjects"][subject_id]["name"] - if policy_id: - assert "policy_list" in result["subjects"][subject_id] - assert policy_id in result["subjects"][subject_id]["policy_list"] - - -def delete_subject(subject_id, policy_id=None): - if policy_id: - req = requests.delete(URL.format("/policies/{}/subjects/{}".format(policy_id, subject_id))) - else: - req = requests.delete(URL.format("/subjects/{}".format(subject_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - if policy_id: - req = requests.get(URL.format("/policies/{}/subjects".format(policy_id))) - else: - req = requests.get(URL.format("/subjects")) - assert req.status_code == 200 - result = req.json() - assert "subjects" in result - if subject_id in result["subjects"]: - assert "name" in result["subjects"][subject_id] - assert subject_template["name"] == result["subjects"][subject_id]["name"] - if policy_id: - assert "policy_list" in result["subjects"][subject_id] - assert policy_id not in result["subjects"][subject_id]["policy_list"] - - -def add_object(policy_id=None, name="test_object"): - object_template['name'] = name - if policy_id: - req = requests.post(URL.format("/policies/{}/objects".format(policy_id)), - json=object_template, headers=HEADERS) - else: - req = requests.post(URL.format("/objects"), json=object_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "objects" in result - object_id = list(result['objects'].keys())[0] - return object_id - - -def update_object(object_id, policy_id): - req = requests.patch(URL.format("/policies/{}/objects/{}".format(policy_id, object_id)), json={}) - assert req.status_code == 200 - result = req.json() - assert "objects" in result - assert "name" in result["objects"][object_id] - assert object_template["name"] == result["objects"][object_id]["name"] - assert "policy_list" in result["objects"][object_id] - assert policy_id in result["objects"][object_id]["policy_list"] - - -def check_object(object_id=None, policy_id=None): - if policy_id: - req = requests.get(URL.format("/policies/{}/objects".format(policy_id))) - else: - req = requests.get(URL.format("/objects")) - assert req.status_code == 200 - result = req.json() - assert "objects" in result - assert "name" in result["objects"][object_id] - assert object_template["name"] == result["objects"][object_id]["name"] - if policy_id: - assert "policy_list" in result["objects"][object_id] - assert policy_id in result["objects"][object_id]["policy_list"] - - -def delete_object(object_id, policy_id=None): - if policy_id: - req = requests.delete(URL.format("/policies/{}/objects/{}".format(policy_id, object_id))) - else: - req = requests.delete(URL.format("/objects/{}".format(object_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - if policy_id: - req = requests.get(URL.format("/policies/{}/objects".format(policy_id))) - else: - req = requests.get(URL.format("/objects")) - assert req.status_code == 200 - result = req.json() - assert "objects" in result - if object_id in result["objects"]: - assert "name" in result["objects"][object_id] - assert object_template["name"] == result["objects"][object_id]["name"] - if policy_id: - assert "policy_list" in result["objects"][object_id] - assert policy_id not in result["objects"][object_id]["policy_list"] - - -def add_action(policy_id=None, name="test_action"): - action_template['name'] = name - if policy_id: - req = requests.post(URL.format("/policies/{}/actions".format(policy_id)), - json=action_template, headers=HEADERS) - else: - req = requests.post(URL.format("/actions"), json=action_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "actions" in result - action_id = list(result['actions'].keys())[0] - return action_id - - -def update_action(action_id, policy_id): - req = requests.patch(URL.format("/policies/{}/actions/{}".format(policy_id, action_id)), json={}) - assert req.status_code == 200 - result = req.json() - assert "actions" in result - assert "name" in result["actions"][action_id] - assert action_template["name"] == result["actions"][action_id]["name"] - assert "policy_list" in result["actions"][action_id] - assert policy_id in result["actions"][action_id]["policy_list"] - - -def check_action(action_id=None, policy_id=None): - if policy_id: - req = requests.get(URL.format("/policies/{}/actions".format(policy_id))) - else: - req = requests.get(URL.format("/actions")) - assert req.status_code == 200 - result = req.json() - assert "actions" in result - assert "name" in result["actions"][action_id] - assert action_template["name"] == result["actions"][action_id]["name"] - if policy_id: - assert "policy_list" in result["actions"][action_id] - assert policy_id in result["actions"][action_id]["policy_list"] - - -def delete_action(action_id, policy_id=None): - if policy_id: - req = requests.delete(URL.format("/policies/{}/actions/{}".format(policy_id, action_id))) - else: - req = requests.delete(URL.format("/actions/{}".format(action_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - if policy_id: - req = requests.get(URL.format("/policies/{}/actions".format(policy_id))) - else: - req = requests.get(URL.format("/actions")) - assert req.status_code == 200 - result = req.json() - assert "actions" in result - if action_id in result["actions"]: - assert "name" in result["actions"][action_id] - assert action_template["name"] == result["actions"][action_id]["name"] - if policy_id: - assert "policy_list" in result["actions"][action_id] - assert policy_id not in result["actions"][action_id]["policy_list"] - - -def add_subject_data(policy_id, category_id, name="subject_data1"): - subject_data_template['name'] = name - req = requests.post(URL.format("/policies/{}/subject_data/{}".format(policy_id, category_id)), - json=subject_data_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "subject_data" in result - subject_id = list(result['subject_data']['data'].keys())[0] - return subject_id - - -def check_subject_data(policy_id, data_id, category_id): - req = requests.get(URL.format("/policies/{}/subject_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "subject_data" in result - for _data in result['subject_data']: - assert data_id in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def delete_subject_data(policy_id, category_id, data_id): - req = requests.delete(URL.format("/policies/{}/subject_data/{}/{}".format(policy_id, category_id, data_id)), - headers=HEADERS) - assert req.status_code == 200 - req = requests.get(URL.format("/policies/{}/subject_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "subject_data" in result - for _data in result['subject_data']: - assert data_id not in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def add_object_data(policy_id, category_id, name="object_data1"): - object_data_template['name'] = name - req = requests.post(URL.format("/policies/{}/object_data/{}".format(policy_id, category_id)), - json=object_data_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "object_data" in result - object_id = list(result['object_data']['data'].keys())[0] - return object_id - - -def check_object_data(policy_id, data_id, category_id): - req = requests.get(URL.format("/policies/{}/object_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "object_data" in result - for _data in result['object_data']: - assert data_id in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def delete_object_data(policy_id, category_id, data_id): - req = requests.delete(URL.format("/policies/{}/object_data/{}/{}".format(policy_id, category_id, data_id)), - headers=HEADERS) - assert req.status_code == 200 - req = requests.get(URL.format("/policies/{}/object_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "object_data" in result - for _data in result['object_data']: - assert data_id not in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def add_action_data(policy_id, category_id, name="action_data1"): - action_data_template['name'] = name - req = requests.post(URL.format("/policies/{}/action_data/{}".format(policy_id, category_id)), - json=action_data_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "action_data" in result - action_id = list(result['action_data']['data'].keys())[0] - return action_id - - -def check_action_data(policy_id, data_id, category_id): - req = requests.get(URL.format("/policies/{}/action_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "action_data" in result - for _data in result['action_data']: - assert data_id in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def delete_action_data(policy_id, category_id, data_id): - req = requests.delete(URL.format("/policies/{}/action_data/{}/{}".format(policy_id, category_id, data_id)), - headers=HEADERS) - assert req.status_code == 200 - req = requests.get(URL.format("/policies/{}/action_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "action_data" in result - for _data in result['action_data']: - assert data_id not in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id): - req = requests.post(URL.format("/policies/{}/subject_assignments".format(policy_id)), - json={ - "id": subject_id, - "category_id": subject_cat_id, - "data_id": subject_data_id - }, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "subject_assignments" in result - assert result["subject_assignments"] - - -def check_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id): - req = requests.get(URL.format("/policies/{}/subject_assignments/{}/{}/{}".format( - policy_id, subject_id, subject_cat_id, subject_data_id))) - assert req.status_code == 200 - result = req.json() - assert "subject_assignments" in result - assert result["subject_assignments"] - for key in result["subject_assignments"]: - assert "subject_id" in result["subject_assignments"][key] - assert "category_id" in result["subject_assignments"][key] - assert "assignments" in result["subject_assignments"][key] - if result["subject_assignments"][key]['subject_id'] == subject_id and \ - result["subject_assignments"][key]["category_id"] == subject_cat_id: - assert subject_data_id in result["subject_assignments"][key]["assignments"] - - -def check_object_assignments(policy_id, object_id, object_cat_id, object_data_id): - req = requests.get(URL.format("/policies/{}/object_assignments/{}/{}/{}".format( - policy_id, object_id, object_cat_id, object_data_id))) - assert req.status_code == 200 - result = req.json() - assert "object_assignments" in result - assert result["object_assignments"] - for key in result["object_assignments"]: - assert "object_id" in result["object_assignments"][key] - assert "category_id" in result["object_assignments"][key] - assert "assignments" in result["object_assignments"][key] - if result["object_assignments"][key]['object_id'] == object_id and \ - result["object_assignments"][key]["category_id"] == object_cat_id: - assert object_data_id in result["object_assignments"][key]["assignments"] - - -def check_action_assignments(policy_id, action_id, action_cat_id, action_data_id): - req = requests.get(URL.format("/policies/{}/action_assignments/{}/{}/{}".format( - policy_id, action_id, action_cat_id, action_data_id))) - assert req.status_code == 200 - result = req.json() - assert "action_assignments" in result - assert result["action_assignments"] - for key in result["action_assignments"]: - assert "action_id" in result["action_assignments"][key] - assert "category_id" in result["action_assignments"][key] - assert "assignments" in result["action_assignments"][key] - if result["action_assignments"][key]['action_id'] == action_id and \ - result["action_assignments"][key]["category_id"] == action_cat_id: - assert action_data_id in result["action_assignments"][key]["assignments"] - - -def add_object_assignments(policy_id, object_id, object_cat_id, object_data_id): - req = requests.post(URL.format("/policies/{}/object_assignments".format(policy_id)), - json={ - "id": object_id, - "category_id": object_cat_id, - "data_id": object_data_id - }, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "object_assignments" in result - assert result["object_assignments"] - - -def add_action_assignments(policy_id, action_id, action_cat_id, action_data_id): - req = requests.post(URL.format("/policies/{}/action_assignments".format(policy_id)), - json={ - "id": action_id, - "category_id": action_cat_id, - "data_id": action_data_id - }, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "action_assignments" in result - assert result["action_assignments"] - - -def delete_subject_assignment(policy_id, subject_id, subject_cat_id, subject_data_id): - req = requests.delete(URL.format("/policies/{}/subject_assignments/{}/{}/{}".format( - policy_id, subject_id, subject_cat_id, subject_data_id))) - assert req.status_code == 200 - result = req.json() - assert "result" in result - assert result["result"] - - req = requests.get(URL.format("/policies/{}/subject_assignments/{}/{}/{}".format( - policy_id, subject_id, subject_cat_id, subject_data_id))) - assert req.status_code == 200 - result = req.json() - assert "subject_assignments" in result - assert result["subject_assignments"] - for key in result["subject_assignments"]: - assert "subject_id" in result["subject_assignments"][key] - assert "category_id" in result["subject_assignments"][key] - assert "assignments" in result["subject_assignments"][key] - if result["subject_assignments"][key]['subject_id'] == subject_id and \ - result["subject_assignments"][key]["category_id"] == subject_cat_id: - assert subject_data_id not in result["subject_assignments"][key]["assignments"] - - -def delete_object_assignment(policy_id, object_id, object_cat_id, object_data_id): - req = requests.delete(URL.format("/policies/{}/object_assignments/{}/{}/{}".format( - policy_id, object_id, object_cat_id, object_data_id))) - assert req.status_code == 200 - result = req.json() - assert "result" in result - assert result["result"] - - req = requests.get(URL.format("/policies/{}/object_assignments/{}/{}/{}".format( - policy_id, object_id, object_cat_id, object_data_id))) - assert req.status_code == 200 - result = req.json() - assert "object_assignments" in result - assert result["object_assignments"] - for key in result["object_assignments"]: - assert "object_id" in result["object_assignments"][key] - assert "category_id" in result["object_assignments"][key] - assert "assignments" in result["object_assignments"][key] - if result["object_assignments"][key]['object_id'] == object_id and \ - result["object_assignments"][key]["category_id"] == object_cat_id: - assert object_data_id not in result["object_assignments"][key]["assignments"] - - -def delete_action_assignment(policy_id, action_id, action_cat_id, action_data_id): - req = requests.delete(URL.format("/policies/{}/action_assignments/{}/{}/{}".format( - policy_id, action_id, action_cat_id, action_data_id))) - assert req.status_code == 200 - result = req.json() - assert "result" in result - assert result["result"] - - req = requests.get(URL.format("/policies/{}/action_assignments/{}/{}/{}".format( - policy_id, action_id, action_cat_id, action_data_id))) - assert req.status_code == 200 - result = req.json() - assert "action_assignments" in result - assert result["action_assignments"] - for key in result["action_assignments"]: - assert "action_id" in result["action_assignments"][key] - assert "category_id" in result["action_assignments"][key] - assert "assignments" in result["action_assignments"][key] - if result["action_assignments"][key]['action_id'] == action_id and \ - result["action_assignments"][key]["category_id"] == action_cat_id: - assert action_data_id not in result["action_assignments"][key]["assignments"] - - -def add_rule(policy_id, meta_rule_id, rule, instructions={"chain": [{"security_pipeline": "rbac"}]}): - req = requests.post(URL.format("/policies/{}/rules".format(policy_id)), - json={ - "meta_rule_id": meta_rule_id, - "rule": rule, - "instructions": instructions, - "enabled": True - }, - headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "rules" in result - try: - rule_id = list(result["rules"].keys())[0] - except Exception as e: - return False - assert "policy_id" in result["rules"][rule_id] - assert policy_id == result["rules"][rule_id]["policy_id"] - assert "meta_rule_id" in result["rules"][rule_id] - assert meta_rule_id == result["rules"][rule_id]["meta_rule_id"] - assert rule == result["rules"][rule_id]["rule"] - return rule_id - - -def check_rule(policy_id, meta_rule_id, rule_id, rule): - req = requests.get(URL.format("/policies/{}/rules".format(policy_id))) - assert req.status_code == 200 - result = req.json() - assert "rules" in result - assert "policy_id" in result["rules"] - assert policy_id == result["rules"]["policy_id"] - for item in result["rules"]["rules"]: - assert "meta_rule_id" in item - if meta_rule_id == item["meta_rule_id"]: - if rule_id == item["id"]: - assert rule == item["rule"] - - -def delete_rule(policy_id, rule_id): - req = requests.delete(URL.format("/policies/{}/rules/{}".format(policy_id, rule_id))) - assert req.status_code == 200 - result = req.json() - assert "result" in result - assert result["result"] - - req = requests.get(URL.format("/policies/{}/rules".format(policy_id))) - assert req.status_code == 200 - result = req.json() - assert "rules" in result - assert "policy_id" in result["rules"] - assert policy_id == result["rules"]["policy_id"] - found_rule = False - for item in result["rules"]["rules"]: - if rule_id == item["id"]: - found_rule = True - assert not found_rule diff --git a/moonv4/moon_interface/tests/apitests/utils/__init__.py b/moonv4/moon_interface/tests/unit_python/api/__init__.py index e69de29b..e69de29b 100644 --- a/moonv4/moon_interface/tests/apitests/utils/__init__.py +++ b/moonv4/moon_interface/tests/unit_python/api/__init__.py diff --git a/moonv4/moon_interface/tests/unit_python/api/test_authz.py b/moonv4/moon_interface/tests/unit_python/api/test_authz.py new file mode 100644 index 00000000..a63948f8 --- /dev/null +++ b/moonv4/moon_interface/tests/unit_python/api/test_authz.py @@ -0,0 +1,23 @@ +import json + + +def get_json(data): + return json.loads(data.decode("utf-8")) + + +def test_authz_true(context): + import moon_interface.server + server = moon_interface.server.main() + client = server.app.test_client() + req = client.get("/authz/{p_id}/{s_id}/{o_id}/{a_id}".format( + p_id=context["project_id"], + s_id=context["subject_name"], + o_id=context["object_name"], + a_id=context["action_name"], + )) + assert req.status_code == 200 + data = get_json(req.data) + assert data + assert "result" in data + assert data['result'] == True + diff --git a/moonv4/moon_interface/tests/unit_python/conftest.py b/moonv4/moon_interface/tests/unit_python/conftest.py new file mode 100644 index 00000000..7edcd32d --- /dev/null +++ b/moonv4/moon_interface/tests/unit_python/conftest.py @@ -0,0 +1,678 @@ +import base64 +import json +import os +import pickle +import pytest +import requests_mock +from uuid import uuid4 +from requests.packages.urllib3.response import HTTPResponse + +CONF = { + "openstack": { + "keystone": { + "url": "http://keystone:5000/v3", + "user": "admin", + "check_token": False, + "password": "p4ssw0rd", + "domain": "default", + "certificate": False, + "project": "admin" + } + }, + "components": { + "wrapper": { + "bind": "0.0.0.0", + "port": 8080, + "container": "wukongsun/moon_wrapper:v4.3", + "timeout": 5, + "hostname": "wrapper" + }, + "manager": { + "bind": "0.0.0.0", + "port": 8082, + "container": "wukongsun/moon_manager:v4.3", + "hostname": "manager" + }, + "port_start": 31001, + "orchestrator": { + "bind": "0.0.0.0", + "port": 8083, + "container": "wukongsun/moon_orchestrator:v4.3", + "hostname": "orchestrator" + }, + "interface": { + "bind": "0.0.0.0", + "port": 8080, + "container": "wukongsun/moon_interface:v4.3", + "hostname": "interface" + } + }, + "plugins": { + "session": { + "port": 8082, + "container": "asteroide/session:latest" + }, + "authz": { + "port": 8081, + "container": "wukongsun/moon_authz:v4.3" + } + }, + "logging": { + "handlers": { + "file": { + "filename": "/tmp/moon.log", + "class": "logging.handlers.RotatingFileHandler", + "level": "DEBUG", + "formatter": "custom", + "backupCount": 3, + "maxBytes": 1048576 + }, + "console": { + "class": "logging.StreamHandler", + "formatter": "brief", + "level": "INFO", + "stream": "ext://sys.stdout" + } + }, + "formatters": { + "brief": { + "format": "%(levelname)s %(name)s %(message)-30s" + }, + "custom": { + "format": "%(asctime)-15s %(levelname)s %(name)s %(message)s" + } + }, + "root": { + "handlers": [ + "console" + ], + "level": "ERROR" + }, + "version": 1, + "loggers": { + "moon": { + "handlers": [ + "console", + "file" + ], + "propagate": False, + "level": "DEBUG" + } + } + }, + "slave": { + "name": None, + "master": { + "url": None, + "login": None, + "password": None + } + }, + "docker": { + "url": "tcp://172.88.88.1:2376", + "network": "moon" + }, + "database": { + "url": "sqlite:///database.db", + # "url": "mysql+pymysql://moon:p4sswOrd1@db/moon", + "driver": "sql" + }, + "messenger": { + "url": "rabbit://moon:p4sswOrd1@messenger:5672/moon" + } +} + +COMPONENTS = ( + "logging", + "openstack/keystone", + "database", + "slave", + "components/manager", + "components/orchestrator", + "components/interface", +) + +CONTEXT = { + "project_id": "a64beb1cc224474fb4badd43173e7101", + "subject_name": "testuser", + "object_name": "vm1", + "action_name": "boot", + "request_id": uuid4().hex, + "interface_name": "interface", + "manager_url": "http://{}:{}".format( + CONF["components"]["manager"]["hostname"], + CONF["components"]["manager"]["port"] + ), + "cookie": uuid4().hex + } + + +def get_b64_conf(component=None): + if component == "components": + return base64.b64encode( + json.dumps(CONF["components"]).encode('utf-8')+b"\n").decode('utf-8') + elif component in CONF: + return base64.b64encode( + json.dumps( + CONF[component]).encode('utf-8')+b"\n").decode('utf-8') + elif not component: + return base64.b64encode( + json.dumps(CONF).encode('utf-8')+b"\n").decode('utf-8') + elif "/" in component: + key1, _, key2 = component.partition("/") + return base64.b64encode( + json.dumps( + CONF[key1][key2]).encode('utf-8')+b"\n").decode('utf-8') + + +MOCK_URLS = [ + ('GET', 'http://consul:8500/v1/kv/components?recurse=true', + {'json': {"Key": key, "Value": get_b64_conf(key)} + for key in COMPONENTS} + ), + ('POST', 'http://keystone:5000/v3/auth/tokens', + {'headers': {'X-Subject-Token': "111111111"}}), + ('DELETE', 'http://keystone:5000/v3/auth/tokens', + {'headers': {'X-Subject-Token': "111111111"}}), + ('POST', 'http://keystone:5000/v3/users?name=testuser&domain_id=default', + {'json': {"users": {}}}), + ('GET', 'http://keystone:5000/v3/users?name=testuser&domain_id=default', + {'json': {"users": {}}}), + ('POST', 'http://keystone:5000/v3/users/', + {'json': {"users": [{ + "id": "1111111111111" + }]}}), +] + + +@pytest.fixture +def db(): + return CONF['database'] + + +@pytest.fixture +def context(): + return CONTEXT + + +def set_env_variables(): + os.environ['UUID'] = "1111111111" + os.environ['TYPE'] = "authz" + os.environ['PORT'] = "8081" + os.environ['PDP_ID'] = "b3d3e18abf3340e8b635fd49e6634ccd" + os.environ['META_RULE_ID'] = "f8f49a779ceb47b3ac810f01ef71b4e0" + os.environ['KEYSTONE_PROJECT_ID'] = CONTEXT['project_id'] + + +def get_pickled_context(): + from moon_utilities.security_functions import Context + from moon_utilities.cache import Cache + CACHE = Cache() + CACHE.update() + _context = Context(context(), CACHE) + _context.increment_index() + _context.pdp_set['effect'] = 'grant' + _context.pdp_set[os.environ['META_RULE_ID']]['effect'] = 'grant' + print(_context.pdp_set) + return pickle.dumps(_context) + + +@pytest.fixture(autouse=True) +def set_consul_and_db(monkeypatch): + """ Modify the response from Requests module + """ + set_env_variables() + with requests_mock.Mocker(real_http=True) as m: + for component in COMPONENTS: + m.register_uri( + 'GET', 'http://consul:8500/v1/kv/{}'.format(component), + json=[{'Key': component, 'Value': get_b64_conf(component)}] + ) + # for _data in MOCK_URLS: + # m.register_uri(_data[0], _data[1], **_data[2]) + m.register_uri( + 'GET', 'http://consul:8500/v1/kv/components?recurse=true', + json=[ + {"Key": key, "Value": get_b64_conf(key)} for key in COMPONENTS + ], + ) + m.register_uri( + 'GET', 'http://consul:8500/v1/kv/plugins/authz', + json=[ + { + "LockIndex": 0, + "Key": "plugins/authz", + "Flags": 0, + "Value": "eyJjb250YWluZXIiOiAid3Vrb25nc3VuL21vb25fYXV0aHo6djQuMyIsICJwb3J0IjogODA4MX0=", + "CreateIndex": 14, + "ModifyIndex": 656 + } + ], + ) + m.register_uri( + 'POST', 'http://keystone:5000/v3/auth/tokens', + headers={'X-Subject-Token': "111111111"} + ) + m.register_uri( + 'DELETE', 'http://keystone:5000/v3/auth/tokens', + headers={'X-Subject-Token': "111111111"} + ) + m.register_uri( + 'POST', 'http://keystone:5000/v3/users?name=testuser&domain_id=default', + json={"users": {}} + ) + m.register_uri( + 'GET', 'http://keystone:5000/v3/users?name=testuser&domain_id=default', + json={"users": {}} + ) + m.register_uri( + 'POST', 'http://keystone:5000/v3/users/', + json={"users": [{ + "id": "1111111111111" + }]} + ) + m.register_uri( + 'GET', 'http://orchestrator:8083/pods', + json={ + "pods": { + "721760dd-de5f-11e7-8001-3863bbb766f3": [ + { + "pdp_id": "b3d3e18abf3340e8b635fd49e6634ccd", + "port": 8080, + "genre": "interface", + "name": "interface-paltry", + "keystone_project_id": "a64beb1cc224474fb4badd43173e7101", + "namespace": "moon", + "container": "wukongsun/moon_interface:v4.3" + }, + { + "pdp_id": "b3d3e18abf3340e8b635fd49e6634ccd", + "meta_rule_id": "f8f49a779ceb47b3ac810f01ef71b4e0", + "port": 8081, + "genre": "authz", + "name": "authz-economic", + "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0", + "keystone_project_id": "a64beb1cc224474fb4badd43173e7101", + "namespace": "moon", + "container": "wukongsun/moon_authz:v4.3" + } + ], + "232399a4-de5f-11e7-8001-3863bbb766f3": [ + { + "port": 8080, + "namespace": "moon", + "name": "wrapper-paltry", + "container": "wukongsun/moon_wrapper:v4.3.1" + } + ] + } + } + ) + m.register_uri( + 'GET', 'http://orchestrator:8083/pods/authz-economic', + json={ + "pods": None + } + ) + m.register_uri( + 'GET', 'http://manager:8082/pdp', + json={ + "pdps": { + "b3d3e18abf3340e8b635fd49e6634ccd": { + "description": "test", + "security_pipeline": [ + "f8f49a779ceb47b3ac810f01ef71b4e0" + ], + "name": "pdp_rbac", + "keystone_project_id": "a64beb1cc224474fb4badd43173e7101" + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies', + json={ + "policies": { + "f8f49a779ceb47b3ac810f01ef71b4e0": { + "name": "RBAC policy example", + "model_id": "cd923d8633ff4978ab0e99938f5153d6", + "description": "test", + "genre": "authz" + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/models', + json={ + "models": { + "cd923d8633ff4978ab0e99938f5153d6": { + "name": "RBAC", + "meta_rules": [ + "f8f49a779ceb47b3ac810f01ef71b4e0" + ], + "description": "test" + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/meta_rules', + json={ + "meta_rules": { + "f8f49a779ceb47b3ac810f01ef71b4e0": { + "subject_categories": [ + "14e6ae0ba34d458b876c791b73aa17bd" + ], + "action_categories": [ + "241a2a791554421a91c9f1bc564aa94d" + ], + "description": "", + "name": "rbac", + "object_categories": [ + "6d48500f639d4c2cab2b1f33ef93a1e8" + ] + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/subjects', + json={ + "subjects": { + "89ba91c18dd54abfbfde7a66936c51a6": { + "description": "test", + "policy_list": [ + "f8f49a779ceb47b3ac810f01ef71b4e0", + "636cd473324f4c0bbd9102cb5b62a16d" + ], + "name": "testuser", + "email": "mail", + "id": "89ba91c18dd54abfbfde7a66936c51a6", + "partner_id": "" + }, + "31fd15ad14784a9696fcc887dddbfaf9": { + "description": "test", + "policy_list": [ + "f8f49a779ceb47b3ac810f01ef71b4e0", + "636cd473324f4c0bbd9102cb5b62a16d" + ], + "name": "adminuser", + "email": "mail", + "id": "31fd15ad14784a9696fcc887dddbfaf9", + "partner_id": "" + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/objects', + json={ + "objects": { + "67b8008a3f8d4f8e847eb628f0f7ca0e": { + "name": "vm1", + "description": "test", + "id": "67b8008a3f8d4f8e847eb628f0f7ca0e", + "partner_id": "", + "policy_list": [ + "f8f49a779ceb47b3ac810f01ef71b4e0", + "636cd473324f4c0bbd9102cb5b62a16d" + ] + }, + "9089b3d2ce5b4e929ffc7e35b55eba1a": { + "name": "vm0", + "description": "test", + "id": "9089b3d2ce5b4e929ffc7e35b55eba1a", + "partner_id": "", + "policy_list": [ + "f8f49a779ceb47b3ac810f01ef71b4e0", + "636cd473324f4c0bbd9102cb5b62a16d" + ] + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/actions', + json={ + "actions": { + "cdb3df220dc05a6ea3334b994827b068": { + "name": "boot", + "description": "test", + "id": "cdb3df220dc04a6ea3334b994827b068", + "partner_id": "", + "policy_list": [ + "f8f49a779ceb47b3ac810f01ef71b4e0", + "636cd473324f4c0bbd9102cb5b62a16d" + ] + }, + "cdb3df220dc04a6ea3334b994827b068": { + "name": "stop", + "description": "test", + "id": "cdb3df220dc04a6ea3334b994827b068", + "partner_id": "", + "policy_list": [ + "f8f49a779ceb47b3ac810f01ef71b4e0", + "636cd473324f4c0bbd9102cb5b62a16d" + ] + }, + "9f5112afe9b34a6c894eb87246ccb7aa": { + "name": "start", + "description": "test", + "id": "9f5112afe9b34a6c894eb87246ccb7aa", + "partner_id": "", + "policy_list": [ + "f8f49a779ceb47b3ac810f01ef71b4e0", + "636cd473324f4c0bbd9102cb5b62a16d" + ] + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/subject_assignments', + json={ + "subject_assignments": { + "826c1156d0284fc9b4b2ddb279f63c52": { + "category_id": "14e6ae0ba34d458b876c791b73aa17bd", + "assignments": [ + "24ea95256c5f4c888c1bb30a187788df", + "6b227b77184c48b6a5e2f3ed1de0c02a", + "31928b17ec90438ba5a2e50ae7650e63", + "4e60f554dd3147af87595fb6b37dcb13", + "7a5541b63a024fa88170a6b59f99ccd7", + "dd2af27812f742029d289df9687d6126" + ], + "id": "826c1156d0284fc9b4b2ddb279f63c52", + "subject_id": "89ba91c18dd54abfbfde7a66936c51a6", + "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0" + }, + "7407ffc1232944279b0cbcb0847c86f7": { + "category_id": "315072d40d774c43a89ff33937ed24eb", + "assignments": [ + "6b227b77184c48b6a5e2f3ed1de0c02a", + "31928b17ec90438ba5a2e50ae7650e63", + "7a5541b63a024fa88170a6b59f99ccd7", + "dd2af27812f742029d289df9687d6126" + ], + "id": "7407ffc1232944279b0cbcb0847c86f7", + "subject_id": "89ba91c18dd54abfbfde7a66936c51a6", + "policy_id": "3e65256389b448cb9897917ea235f0bb" + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/object_assignments', + json={ + "object_assignments": { + "201ad05fd3f940948b769ab9214fe295": { + "object_id": "9089b3d2ce5b4e929ffc7e35b55eba1a", + "assignments": [ + "030fbb34002e4236a7b74eeb5fd71e35", + "06bcb8655b9d46a9b90e67ef7c825b50", + "34eb45d7f46d4fb6bc4965349b8e4b83", + "4b7793dbae434c31a77da9d92de9fa8c" + ], + "id": "201ad05fd3f940948b769ab9214fe295", + "category_id": "6d48500f639d4c2cab2b1f33ef93a1e8", + "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0" + }, + "90c5e86f8be34c0298fbd1973e4fb043": { + "object_id": "67b8008a3f8d4f8e847eb628f0f7ca0e", + "assignments": [ + "a098918e915b4b12bccb89f9a3f3b4e4", + "06bcb8655b9d46a9b90e67ef7c825b50", + "7dc76c6142af47c88b60cc2b0df650ba", + "4b7793dbae434c31a77da9d92de9fa8c" + ], + "id": "90c5e86f8be34c0298fbd1973e4fb043", + "category_id": "33aece52d45b4474a20dc48a76800daf", + "policy_id": "3e65256389b448cb9897917ea235f0bb" + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/action_assignments', + json={ + "action_assignments": { + "2128e3ffbd1c4ef5be515d625745c2d4": { + "category_id": "241a2a791554421a91c9f1bc564aa94d", + "action_id": "cdb3df220dc05a6ea3334b994827b068", + "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0", + "id": "2128e3ffbd1c4ef5be515d625745c2d4", + "assignments": [ + "570c036781e540dc9395b83098c40ba7", + "7fe17d7a2e3542719f8349c3f2273182", + "015ca6f40338422ba3f692260377d638", + "23d44c17bf88480f83e8d57d2aa1ea79" + ] + }, + "cffb98852f3a4110af7a0ddfc4e19201": { + "category_id": "4a2c5abaeaf644fcaf3ca8df64000d53", + "action_id": "cdb3df220dc04a6ea3334b994827b068", + "policy_id": "3e65256389b448cb9897917ea235f0bb", + "id": "cffb98852f3a4110af7a0ddfc4e19201", + "assignments": [ + "570c036781e540dc9395b83098c40ba7", + "7fe17d7a2e3542719f8349c3f2273182", + "015ca6f40338422ba3f692260377d638", + "23d44c17bf88480f83e8d57d2aa1ea79" + ] + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/subject_assignments/89ba91c18dd54abfbfde7a66936c51a6', + json={ + "subject_assignments": { + "826c1156d0284fc9b4b2ddb279f63c52": { + "category_id": "14e6ae0ba34d458b876c791b73aa17bd", + "assignments": [ + "24ea95256c5f4c888c1bb30a187788df", + "6b227b77184c48b6a5e2f3ed1de0c02a", + "31928b17ec90438ba5a2e50ae7650e63", + "4e60f554dd3147af87595fb6b37dcb13", + "7a5541b63a024fa88170a6b59f99ccd7", + "dd2af27812f742029d289df9687d6126" + ], + "id": "826c1156d0284fc9b4b2ddb279f63c52", + "subject_id": "89ba91c18dd54abfbfde7a66936c51a6", + "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0" + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/object_assignments/67b8008a3f8d4f8e847eb628f0f7ca0e', + json={ + "object_assignments": { + "201ad05fd3f940948b769ab9214fe295": { + "object_id": "67b8008a3f8d4f8e847eb628f0f7ca0e", + "assignments": [ + "030fbb34002e4236a7b74eeb5fd71e35", + "06bcb8655b9d46a9b90e67ef7c825b50", + "34eb45d7f46d4fb6bc4965349b8e4b83", + "4b7793dbae434c31a77da9d92de9fa8c" + ], + "id": "201ad05fd3f940948b769ab9214fe295", + "category_id": "6d48500f639d4c2cab2b1f33ef93a1e8", + "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0" + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/action_assignments/cdb3df220dc05a6ea3334b994827b068', + json={ + "action_assignments": { + "2128e3ffbd1c4ef5be515d625745c2d4": { + "category_id": "241a2a791554421a91c9f1bc564aa94d", + "action_id": "cdb3df220dc05a6ea3334b994827b068", + "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0", + "id": "2128e3ffbd1c4ef5be515d625745c2d4", + "assignments": [ + "570c036781e540dc9395b83098c40ba7", + "7fe17d7a2e3542719f8349c3f2273182", + "015ca6f40338422ba3f692260377d638", + "23d44c17bf88480f83e8d57d2aa1ea79" + ] + } + } + } + ) + m.register_uri( + 'GET', 'http://manager:8082/policies/f8f49a779ceb47b3ac810f01ef71b4e0/rules', + json={ + "rules": { + "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0", + "rules": [ + { + "policy_id": "f8f49a779ceb47b3ac810f01ef71b4e0", + "rule": [ + "24ea95256c5f4c888c1bb30a187788df", + "030fbb34002e4236a7b74eeb5fd71e35", + "570c036781e540dc9395b83098c40ba7" + ], + "enabled": True, + "id": "0201a2bcf56943c1904dbac016289b71", + "instructions": [ + { + "decision": "grant" + } + ], + "meta_rule_id": "f8f49a779ceb47b3ac810f01ef71b4e0" + }, + { + "policy_id": "ecc2451c494e47b5bca7250cd324a360", + "rule": [ + "54f574cd2043468da5d65e4f6ed6e3c9", + "6559686961a3490a978f246ac9f85fbf", + "ac0d1f600bf447e8bd2f37b7cc47f2dc" + ], + "enabled": True, + "id": "a83fed666af8436192dfd8b3c83a6fde", + "instructions": [ + { + "decision": "grant" + } + ], + "meta_rule_id": "f8f49a779ceb47b3ac810f01ef71b4e0" + } + ] + } + } + ) + m.register_uri( + 'POST', 'http://127.0.0.1:8081/authz', + content=get_pickled_context() + ) + # from moon_db.db_manager import init_engine, run + # engine = init_engine() + # run("upgrade", logging.getLogger("db_manager"), engine) + yield m + # os.unlink(CONF['database']['url'].replace("sqlite:///", "")) + + diff --git a/moonv4/moon_interface/tests/unit_python/requirements.txt b/moonv4/moon_interface/tests/unit_python/requirements.txt new file mode 100644 index 00000000..8bd8449f --- /dev/null +++ b/moonv4/moon_interface/tests/unit_python/requirements.txt @@ -0,0 +1,5 @@ +flask +flask_cors +flask_restful +moon_db +moon_utilities
\ No newline at end of file diff --git a/moonv4/moon_interface/tools/get_keystone_token.py b/moonv4/moon_interface/tools/get_keystone_token.py index 63b0d0b6..a153f4db 100644 --- a/moonv4/moon_interface/tools/get_keystone_token.py +++ b/moonv4/moon_interface/tools/get_keystone_token.py @@ -1,7 +1,6 @@ import requests from oslo_config import cfg from oslo_log import log as logging -from moon_utilities import options # noqa from moon_utilities import exceptions CONF = cfg.CONF |