Diffstat (limited to 'moonv4/moon_utilities/moon_utilities/security_functions.py')
-rw-r--r--moonv4/moon_utilities/moon_utilities/security_functions.py232
1 files changed, 149 insertions, 83 deletions
diff --git a/moonv4/moon_utilities/moon_utilities/security_functions.py b/moonv4/moon_utilities/moon_utilities/security_functions.py
index ad1a44fa..98935996 100644
--- a/moonv4/moon_utilities/moon_utilities/security_functions.py
+++ b/moonv4/moon_utilities/moon_utilities/security_functions.py
@@ -209,59 +209,90 @@ def call(endpoint="security_router", ctx=None, method="route", **kwargs):
class Context:
- def __init__(self, _keystone_project_id, _subject, _object, _action, _request_id):
- from moon_db.core import PDPManager, ModelManager, PolicyManager
- self.PolicyManager = PolicyManager
- self.ModelManager = ModelManager
- self.PDPManager = PDPManager
- self.__keystone_project_id = _keystone_project_id
+ def __init__(self, init_context, cache):
+ self.cache = cache
+ self.__keystone_project_id = init_context.get("project_id")
self.__pdp_id = None
self.__pdp_value = None
- for _pdp_key, _pdp_value in PDPManager.get_pdp("admin").items():
- if _pdp_value["keystone_project_id"] == _keystone_project_id:
+ for _pdp_key, _pdp_value in self.cache.pdp.items():
+ if _pdp_value["keystone_project_id"] == self.__keystone_project_id:
self.__pdp_id = _pdp_key
self.__pdp_value = copy.deepcopy(_pdp_value)
break
- self.__subject = _subject
- self.__object = _object
- self.__action = _action
+ if not self.__pdp_value:
+ raise exceptions.AuthzException(
+ "Cannot create context for authz "
+ "with Keystone project ID {}".format(
+ self.__keystone_project_id
+ ))
+ self.__subject = init_context.get("subject_name")
+ self.__object = init_context.get("object_name")
+ self.__action = init_context.get("action_name")
self.__current_request = None
- self.__request_id = _request_id
- self.__index = 0
- self.__init_initial_request()
+ self.__request_id = init_context.get("req_id")
+ self.__cookie = init_context.get("cookie")
+ self.__manager_url = init_context.get("manager_url")
+ self.__interface_name = init_context.get("interface_name")
+ self.__index = -1
+ # self.__init_initial_request()
self.__headers = []
- policies = PolicyManager.get_policies("admin")
- models = ModelManager.get_models("admin")
+ policies = self.cache.policies
+ models = self.cache.models
for policy_id in self.__pdp_value["security_pipeline"]:
model_id = policies[policy_id]["model_id"]
for meta_rule in models[model_id]["meta_rules"]:
self.__headers.append(meta_rule)
- self.__meta_rules = ModelManager.get_meta_rules("admin")
+ self.__meta_rules = self.cache.meta_rules
self.__pdp_set = {}
+ # self.__init_pdp_set()
+
+ def delete_cache(self):
+ self.cache = {}
+
+ def set_cache(self, cache):
+ self.cache = cache
+
+ def increment_index(self):
+ self.__index += 1
+ self.__init_current_request()
self.__init_pdp_set()
- def __init_initial_request(self):
- subjects = self.PolicyManager.get_subjects("admin", policy_id=None)
- for _subject_id, _subject_dict in subjects.items():
- if _subject_dict["name"] == self.__subject:
- self.__subject = _subject_id
- break
- else:
- raise exceptions.SubjectUnknown("Cannot find subject {}".format(self.__subject))
- objects = self.PolicyManager.get_objects("admin", policy_id=None)
- for _object_id, _object_dict in objects.items():
- if _object_dict["name"] == self.__object:
- self.__object = _object_id
- break
- else:
- raise exceptions.ObjectUnknown("Cannot find object {}".format(self.__object))
- actions = self.PolicyManager.get_actions("admin", policy_id=None)
- for _action_id, _action_dict in actions.items():
- if _action_dict["name"] == self.__action:
- self.__action = _action_id
- break
- else:
- raise exceptions.ActionUnknown("Cannot find action {}".format(self.__action))
+ @property
+ def current_state(self):
+ return self.__pdp_set[self.__headers[self.__index]]['effect']
+
+ @current_state.setter
+ def current_state(self, state):
+ if state not in ("grant", "deny", "passed"):
+ state = "passed"
+ self.__pdp_set[self.__headers[self.__index]]['effect'] = state
+
+ @current_state.deleter
+ def current_state(self):
+ self.__pdp_set[self.__headers[self.__index]]['effect'] = "unset"
+
+ @property
+ def current_policy_id(self):
+ return self.__pdp_value["security_pipeline"][self.__index]
+
+ @current_policy_id.setter
+ def current_policy_id(self, value):
+ pass
+
+ @current_policy_id.deleter
+ def current_policy_id(self):
+ pass
+
+ def __init_current_request(self):
+ self.__subject = self.cache.get_subject(
+ self.__pdp_value["security_pipeline"][self.__index],
+ self.__subject)
+ self.__object = self.cache.get_object(
+ self.__pdp_value["security_pipeline"][self.__index],
+ self.__object)
+ self.__action = self.cache.get_action(
+ self.__pdp_value["security_pipeline"][self.__index],
+ self.__action)
self.__current_request = dict(self.initial_request)
def __init_pdp_set(self):
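Review bot: The `current_state` setter silently rewrites any value outside `("grant", "deny", "passed")` to `"passed"`, so a typo or an unexpected effect string coming back from a policy step becomes a non-blocking state instead of an error; an authorization pipeline should fail closed here, e.g. `raise ValueError("unknown effect {}".format(state))` or at minimum coerce to `"deny"`. `delete_cache` assigns `self.cache = {}` while every other use of the cache in this class is attribute access (`self.cache.pdp`, `self.cache.get_subject`), so a later `increment_index()` would die with an unrelated `AttributeError`; `self.cache = None` states the intent, or the method should go if nothing calls it. The `current_policy_id` setter and deleter silently `pass`, whereas the other read-only properties in this file raise on write; pick one convention. The commented-out calls `# self.__init_initial_request()` and `# self.__init_pdp_set()` are dead code that version history already preserves and should be removed. `__init_pdp_set` on the last line of the hunk continues outside it.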
@@ -269,67 +300,64 @@ class Context:
self.__pdp_set[header] = dict()
self.__pdp_set[header]["meta_rules"] = self.__meta_rules[header]
self.__pdp_set[header]["target"] = self.__add_target(header)
- # TODO (asteroide): the following information must be retrieve somewhere
self.__pdp_set[header]["effect"] = "unset"
self.__pdp_set["effect"] = "deny"
- @staticmethod
- def update_target(context):
- from moon_db.core import PDPManager, ModelManager, PolicyManager
- # result = dict()
- current_request = context['current_request']
- _subject = current_request.get("subject")
- _object = current_request.get("object")
- _action = current_request.get("action")
- meta_rule_id = context['headers'][context['index']]
- policy_id = PolicyManager.get_policy_from_meta_rules("admin", meta_rule_id)
- meta_rules = ModelManager.get_meta_rules("admin")
- # for meta_rule_id in meta_rules:
- for sub_cat in meta_rules[meta_rule_id]['subject_categories']:
- if sub_cat not in context["pdp_set"][meta_rule_id]["target"]:
- context["pdp_set"][meta_rule_id]["target"][sub_cat] = []
- for assign in PolicyManager.get_subject_assignments("admin", policy_id, _subject, sub_cat).values():
- for assign in assign["assignments"]:
- if assign not in context["pdp_set"][meta_rule_id]["target"][sub_cat]:
- context["pdp_set"][meta_rule_id]["target"][sub_cat].append(assign)
- for obj_cat in meta_rules[meta_rule_id]['object_categories']:
- if obj_cat not in context["pdp_set"][meta_rule_id]["target"]:
- context["pdp_set"][meta_rule_id]["target"][obj_cat] = []
- for assign in PolicyManager.get_object_assignments("admin", policy_id, _object, obj_cat).values():
- for assign in assign["assignments"]:
- if assign not in context["pdp_set"][meta_rule_id]["target"][obj_cat]:
- context["pdp_set"][meta_rule_id]["target"][obj_cat].append(assign)
- for act_cat in meta_rules[meta_rule_id]['action_categories']:
- if act_cat not in context["pdp_set"][meta_rule_id]["target"]:
- context["pdp_set"][meta_rule_id]["target"][act_cat] = []
- for assign in PolicyManager.get_action_assignments("admin", policy_id, _action, act_cat).values():
- for assign in assign["assignments"]:
- if assign not in context["pdp_set"][meta_rule_id]["target"][act_cat]:
- context["pdp_set"][meta_rule_id]["target"][act_cat].append(assign)
- # context["pdp_set"][meta_rule_id]["target"].update(result)
+ # def update_target(self, context):
+ # # result = dict()
+ # current_request = context['current_request']
+ # _subject = current_request.get("subject")
+ # _object = current_request.get("object")
+ # _action = current_request.get("action")
+ # meta_rule_id = context['headers'][context['index']]
+ # policy_id = self.cache.get_policy_from_meta_rules(meta_rule_id)
+ # meta_rules = self.cache.meta_rules()
+ # # for meta_rule_id in meta_rules:
+ # for sub_cat in meta_rules[meta_rule_id]['subject_categories']:
+ # if sub_cat not in context["pdp_set"][meta_rule_id]["target"]:
+ # context["pdp_set"][meta_rule_id]["target"][sub_cat] = []
+ # for assign in self.cache.get_subject_assignments(policy_id, _subject, sub_cat).values():
+ # for assign in assign["assignments"]:
+ # if assign not in context["pdp_set"][meta_rule_id]["target"][sub_cat]:
+ # context["pdp_set"][meta_rule_id]["target"][sub_cat].append(assign)
+ # for obj_cat in meta_rules[meta_rule_id]['object_categories']:
+ # if obj_cat not in context["pdp_set"][meta_rule_id]["target"]:
+ # context["pdp_set"][meta_rule_id]["target"][obj_cat] = []
+ # for assign in self.cache.get_object_assignments(policy_id, _object, obj_cat).values():
+ # for assign in assign["assignments"]:
+ # if assign not in context["pdp_set"][meta_rule_id]["target"][obj_cat]:
+ # context["pdp_set"][meta_rule_id]["target"][obj_cat].append(assign)
+ # for act_cat in meta_rules[meta_rule_id]['action_categories']:
+ # if act_cat not in context["pdp_set"][meta_rule_id]["target"]:
+ # context["pdp_set"][meta_rule_id]["target"][act_cat] = []
+ # for assign in self.cache.get_action_assignments(policy_id, _action, act_cat).values():
+ # for assign in assign["assignments"]:
+ # if assign not in context["pdp_set"][meta_rule_id]["target"][act_cat]:
+ # context["pdp_set"][meta_rule_id]["target"][act_cat].append(assign)
+ # # context["pdp_set"][meta_rule_id]["target"].update(result)
def __add_target(self, meta_rule_id):
result = dict()
_subject = self.__current_request["subject"]
_object = self.__current_request["object"]
_action = self.__current_request["action"]
- meta_rules = self.ModelManager.get_meta_rules("admin")
- policy_id = self.PolicyManager.get_policy_from_meta_rules("admin", meta_rule_id)
+ meta_rules = self.cache.meta_rules
+ policy_id = self.cache.get_policy_from_meta_rules(meta_rule_id)
for sub_cat in meta_rules[meta_rule_id]['subject_categories']:
if sub_cat not in result:
result[sub_cat] = []
- for assign in self.PolicyManager.get_subject_assignments("admin", policy_id, _subject, sub_cat).values():
- result[sub_cat].extend(assign["assignments"])
+ result[sub_cat].extend(
+ self.cache.get_subject_assignments(policy_id, _subject, sub_cat))
for obj_cat in meta_rules[meta_rule_id]['object_categories']:
if obj_cat not in result:
result[obj_cat] = []
- for assign in self.PolicyManager.get_object_assignments("admin", policy_id, _object, obj_cat).values():
- result[obj_cat].extend(assign["assignments"])
+ result[obj_cat].extend(
+ self.cache.get_object_assignments(policy_id, _object, obj_cat))
for act_cat in meta_rules[meta_rule_id]['action_categories']:
if act_cat not in result:
result[act_cat] = []
- for assign in self.PolicyManager.get_action_assignments("admin", policy_id, _action, act_cat).values():
- result[act_cat].extend(assign["assignments"])
+ result[act_cat].extend(
+ self.cache.get_action_assignments(policy_id, _action, act_cat))
return result
def __repr__(self):
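Review bot: The removed `update_target` staticmethod is replaced by a thirty-line commented-out copy of itself, which is dead code the repository history already keeps; delete the block rather than carry it forward (the same applies to the two commented-out calls in the `__init__` hunk). In `__add_target`, `result[sub_cat].extend(self.cache.get_subject_assignments(policy_id, _subject, sub_cat))` changes the data contract from the removed code, which iterated `.values()` and extended each entry's `["assignments"]`; the new form is only correct if the cache methods return a flat iterable of assignment ids (likewise for the object and action calls), which is not visible here and should be confirmed against the cache implementation, otherwise the target categories would hold dicts instead of ids. A one-line comment above the first `extend`, such as `# cache.get_*_assignments() return the flat list of assigned category values`, would record that expectation. `__init_pdp_set` at the top of the hunk begins outside it.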
@@ -356,6 +384,8 @@ pdp_set: {pdp_set}
"index": copy.deepcopy(self.__index),
"pdp_set": copy.deepcopy(self.__pdp_set),
"request_id": copy.deepcopy(self.__request_id),
+ "manager_url": copy.deepcopy(self.__manager_url),
+ "interface_name": copy.deepcopy(self.__interface_name),
}
@property
@@ -371,6 +401,42 @@ pdp_set: {pdp_set}
raise Exception("You cannot update the request_id")
@property
+ def manager_url(self):
+ return self.__manager_url
+
+ @manager_url.setter
+ def manager_url(self, value):
+ raise Exception("You cannot update the manager_url")
+
+ @manager_url.deleter
+ def manager_url(self):
+ raise Exception("You cannot update the manager_url")
+
+ @property
+ def interface_name(self):
+ return self.__interface_name
+
+ @interface_name.setter
+ def interface_name(self, value):
+ raise Exception("You cannot update the interface_name")
+
+ @interface_name.deleter
+ def interface_name(self):
+ raise Exception("You cannot update the interface_name")
+
+ @property
+ def cookie(self):
+ return self.__cookie
+
+ @cookie.setter
+ def cookie(self, value):
+ raise Exception("You cannot update the cookie")
+
+ @cookie.deleter
+ def cookie(self):
+ raise Exception("You cannot delete the cookie")
+
+ @property
def initial_request(self):
return {
"subject": self.__subject,
@@ -425,7 +491,7 @@ pdp_set: {pdp_set}
@index.deleter
def index(self):
- self.__index = 0
+ self.__index = -1
@property
def pdp_set(self):