From b2904eb52f85938a18f55520ce2b4cf4dcb0269f Mon Sep 17 00:00:00 2001 From: WuKong Date: Sun, 24 Dec 2017 13:09:46 +0100 Subject: moon doc cleanup Change-Id: Iccc0858e305d724fd8c3341e27f9fa90ffeb916f Signed-off-by: WuKong --- DEV.md | 206 ------- TODO | 33 -- conf/moon.conf | 87 --- docs/2015-10-meeting-repport.rst | 66 --- docs/2015-11-03-meeting-repport.rst | 54 -- docs/2015-11-03.txt | 194 ------- docs/DEV.md | 206 +++++++ docs/TODO.md | 33 ++ docs/moon.rst | 4 - templates/glance/policy.json | 62 --- templates/moon/moon.conf | 87 +++ templates/moon_forming/Dockerfile | 10 + templates/moon_forming/README.md | 12 + templates/moon_forming/conf/mls.py | 59 ++ templates/moon_forming/conf/rbac.py | 61 +++ templates/moon_forming/conf2consul.py | 103 ++++ templates/moon_forming/moon.conf | 79 +++ templates/moon_forming/populate_default_values.py | 235 ++++++++ templates/moon_forming/run.sh | 44 ++ templates/moon_forming/utils/__init__.py | 0 templates/moon_forming/utils/config.py | 22 + templates/moon_forming/utils/models.py | 270 +++++++++ templates/moon_forming/utils/pdp.py | 163 ++++++ templates/moon_forming/utils/policies.py | 635 ++++++++++++++++++++++ templates/moon_pythonunittest/Dockerfile | 8 + templates/moon_pythonunittest/README.md | 8 + templates/moon_pythonunittest/requirements.txt | 10 + templates/moon_pythonunittest/run_tests.sh | 13 + templates/moonforming/Dockerfile | 10 - templates/moonforming/README.md | 12 - templates/moonforming/conf/mls.py | 59 -- templates/moonforming/conf/rbac.py | 61 --- templates/moonforming/conf2consul.py | 103 ---- templates/moonforming/moon.conf | 79 --- templates/moonforming/populate_default_values.py | 235 -------- templates/moonforming/run.sh | 44 -- templates/moonforming/utils/__init__.py | 0 templates/moonforming/utils/config.py | 22 - templates/moonforming/utils/models.py | 270 --------- templates/moonforming/utils/pdp.py | 163 ------ templates/moonforming/utils/policies.py | 635 ---------------------- templates/nova/policy.json | 488 ----------------- templates/openstack/glance/policy.json | 62 +++ templates/openstack/nova/policy.json | 488 +++++++++++++++++ templates/python_unit_test/Dockerfile | 8 - templates/python_unit_test/README.md | 8 - templates/python_unit_test/requirements.txt | 10 - templates/python_unit_test/run_tests.sh | 13 - 48 files changed, 2608 insertions(+), 2926 deletions(-) delete mode 100644 DEV.md delete mode 100644 TODO delete mode 100644 conf/moon.conf delete mode 100644 docs/2015-10-meeting-repport.rst delete mode 100644 docs/2015-11-03-meeting-repport.rst delete mode 100644 docs/2015-11-03.txt create mode 100644 docs/DEV.md create mode 100644 docs/TODO.md delete mode 100644 docs/moon.rst delete mode 100644 templates/glance/policy.json create mode 100644 templates/moon/moon.conf create mode 100644 templates/moon_forming/Dockerfile create mode 100644 templates/moon_forming/README.md create mode 100644 templates/moon_forming/conf/mls.py create mode 100644 templates/moon_forming/conf/rbac.py create mode 100644 templates/moon_forming/conf2consul.py create mode 100644 templates/moon_forming/moon.conf create mode 100644 templates/moon_forming/populate_default_values.py create mode 100644 templates/moon_forming/run.sh create mode 100644 templates/moon_forming/utils/__init__.py create mode 100644 templates/moon_forming/utils/config.py create mode 100644 templates/moon_forming/utils/models.py create mode 100644 templates/moon_forming/utils/pdp.py create mode 100644 templates/moon_forming/utils/policies.py create mode 100644 templates/moon_pythonunittest/Dockerfile create mode 100644 templates/moon_pythonunittest/README.md create mode 100644 templates/moon_pythonunittest/requirements.txt create mode 100644 templates/moon_pythonunittest/run_tests.sh delete mode 100644 templates/moonforming/Dockerfile delete mode 100644 templates/moonforming/README.md delete mode 100644 templates/moonforming/conf/mls.py delete mode 100644 templates/moonforming/conf/rbac.py delete mode 100644 templates/moonforming/conf2consul.py delete mode 100644 templates/moonforming/moon.conf delete mode 100644 templates/moonforming/populate_default_values.py delete mode 100644 templates/moonforming/run.sh delete mode 100644 templates/moonforming/utils/__init__.py delete mode 100644 templates/moonforming/utils/config.py delete mode 100644 templates/moonforming/utils/models.py delete mode 100644 templates/moonforming/utils/pdp.py delete mode 100644 templates/moonforming/utils/policies.py delete mode 100644 templates/nova/policy.json create mode 100644 templates/openstack/glance/policy.json create mode 100644 templates/openstack/nova/policy.json delete mode 100644 templates/python_unit_test/Dockerfile delete mode 100644 templates/python_unit_test/README.md delete mode 100644 templates/python_unit_test/requirements.txt delete mode 100644 templates/python_unit_test/run_tests.sh diff --git a/DEV.md b/DEV.md deleted file mode 100644 index 0dff2f17..00000000 --- a/DEV.md +++ /dev/null @@ -1,206 +0,0 @@ -# Developer Tutorial - -## Gerrit Setup -### Git Install -- `sudo apt-get install git` -- `git config --global user.email "example@wikimedia.org"` -- `git config --global user.name "example"` - -### ssh key -- `cd ~/.ssh` -- `ssh-keygen -t rsa -C your_email@youremail.com` -- `~/.ssh/id_rsa`: identification (private) key` -- `~/.ssh/id_rsa.pub`: public key -- copy the public key to Gerrit web -- add Gerrit web上 entry to `~/.ssh/known_hosts` -- eval `ssh-agent`: start ssh-agent -- `ssh-add ~/.ssh/id_rsa`: add private key to ssh -- `ssh -p 29418 @gerrit.opnfv.org`: test - -### Gerrit clone -- `git clone https://WuKong@gerrit.opnfv.org:29418/moon` -- the password is dynamically generated on the Gerrit web - -### Gerrit Setting -- `sudo apt-get install python-pip` -- `sudo pip install git-review` -- `git remote add gerrit ssh://@gerrit.opnfv.org:29418/moon.git` -- add the ssh public key to the Gerrit web -- `git review –s`: test the Gerrit review connection -- add Contributor Agreement, from settings/Agreement - -### Gerrit-Review -- git add XXX -- git commit --signoff --all -- git review - -### Review Correction -- `git clone https://git.opnfv.org/moon` -- `cd moon` -- get the commit id from Gerrit dashboard -- `git checkout commit_id` -- `git checkout -b 48957-1` (where '48957' is the change number and '1' is the patch_number) -- do your changes ex:`vi specs/policy/external-pdp.rst` -- `git add specs/policy/external-pdp.rst` -- `git commit –amend` -- `git review` - - -## Build Python Package -### pre-requist -Get the code -```bash -git clone https://git.opnfv.org/moon -cd moon/moonv4 -export MOON_HOME=$(pwd) -sudo ln -s $(pwd)/conf /etc/moon -``` - -Install python wheel -```bash -sudo apt install python3-wheel -``` - -Install pip twine -```bash -sudo pip install twine -``` - -Package code, wheel is a new format instead of `tar.gz` -```bash -python setup.py sdist bdist_wheel -``` - -Upload to PyPi -```bash -twine upload dist/moon_xxx-y.y.y.whl -twine upload dist/moon_xxx-y.y.y.tar.gz -``` - -Install a package from PyPi -```bash -sudo pypi install moon_xxx --upgrade -``` - -### moon_db -- change version in `moon_db/__init__.py` -- add `Changelog` - -### moon_utilities -- change version in `moon_utilities/__init__.py` -- add `Changelog` - -### moon_orchestrator -- change version in `moon_orchestrator/__init__.py` -- add `Changelog` - - -### Build All Pip -```bash -sudo pip3 install pip --upgrade -cd ${MOON_HOME}/bin -source build_all_pip.sh -``` - - -## Container -## keystone_mitaka -see `templates/docker/keystone/README.md` to build the `keystone_mitaka` container - - -### moon_router - - -### moon_interface - - -### moon_manager - - -### moon_authz - - -### moon_gui - - -## How to hack the Moon platform -### Force the build of components - -If you want to rebuild one or more component, you have to modify the configuration file `moon.conf`. - -For example, if you want to rebuild the moon_interface, got to the `[interface]` section and delete the -value of the container key like this: - -``` -[interface] -host=172.18.0.11 -port=38001 -# Name of the container to download (if empty build from scratch) -# example: container=moon/moon_interface:latest -container= -``` - -You can configure the interface, the router and both the security_function and security_policy. -You can also force the version of the component like this: `container=moon/moon_interface:4.0.0` - -### Update the moon_interface - -Go to the directory `${MOON_HOME}/moon_interface` and update the code accordingly to your needs, -then update the python package. - -```bash -cd ${MOON_HOME}/moon_interface -python setup.py sdist -cp dist/moon_interface_* ../moon_orchestrator/dist -# kill moon_orchestrator if needed and restart it -``` - -### Update the moon_secrouter - -Go to the directory `${MOON_HOME}/moon_secrouter` and update the code accordingly to your needs, -then update the python package. - -```bash -cd ${MOON_HOME}/moon_secrouter -python setup.py sdist -cp dist/moon_secrouter* ../moon_orchestrator/dist -# kill moon_orchestrator if needed and restart it -``` - -## Problems that may arise - -If the moon_orchestrator doesn't want to start -(with, for example, the following error: `docker.errors.APIError: 409 Client Error: Conflict`), -check if the router and interface containers still exist and kill and delete them: - -```bash -docker kill moon_interface -docker kill moon_router -docker rm moon_interface -docker rm moon_router -``` - -If the moon_orchestrator complains that it cannot request the RabbitMQ server, -check if the messenger server is up and running: - -```bash -docker ps -# you must see the messenger running here -# if not, restart it -docker run -dti --net=moon --hostname messenger --name messenger --link messenger:messenger -e RABBITMQ_DEFAULT_USER=moon -e RABBITMQ_DEFAULT_PASS=password -e RABBITMQ_NODENAME=rabbit@messenger -e RABBITMQ_DEFAULT_VHOST=moon -p 5671:5671 -p 5672:5672 rabbitmq:3-management -``` - -## Configure DB -### Relaunch Keystone docker -If error of `get_keystone_projects()`, then relaunch the Keystone docker, and wait 40 seconds!!! -```bash -docker rm -f keystone -docker run -dti --net moon --name keystone --hostname=keystone -e DB_HOST=db -e DB_PASSWORD_ROOT=p4sswOrd1 -p 35357:35357 -p 5000:5000 keystone:mitaka -``` - -### Add default data in DB -Pre-fill the DB with a RBAC policy -```bash -cd ${MOON_HOME}/moon_interface/tests/apitests -python3 populate_default_values.py scenario/ rbac.py -``` diff --git a/TODO b/TODO deleted file mode 100644 index afdadf3c..00000000 --- a/TODO +++ /dev/null @@ -1,33 +0,0 @@ -Here is a list of what must be done to have complete version of the Moon platform. - -Architecture - -- Add a complete logging system -- Replace moon_orchestrator with Kubernetes - -Actions that must be done before the next version: - -- manage a token/uuid (ie session ID) in the moon_interface component -- add a timestamps in moon_router to know if the database has been modified -- rename moon_db and moon_utilities because they are not container but just libraries -- work on moonclient because it doesn't work with the new data model -- check all input from moon_interface (check that input data are correct and safe) -- Move @enforce from moon_db to API in Moon_Manager -- Need to work on unit tests with the new data model - -Bugs to fix: - -- Connect the authz functionality with the enforce decorator -- When adding user or VM in GUI, there is a bug in the backend (manager ?) -- GUI: in the "Projects" tab, move the "Map" link in the "Action" button -- GUI: move tabs in this order : "Models, Policy, PDP, Projects" - -Other actions: - -- Some cleaning in all classes -- Write Installation procedures -- Write User and administrator documentation -- Run unit tests -- Add and run integration tests -- Need to check if the Moon platform still can retrieve users and roles from Keystone -- Need to retrieve VM from Nova diff --git a/conf/moon.conf b/conf/moon.conf deleted file mode 100644 index a5a40ad2..00000000 --- a/conf/moon.conf +++ /dev/null @@ -1,87 +0,0 @@ -database: - url: mysql+pymysql://moon:p4sswOrd1@db/moon - driver: sql - -openstack: - keystone: - url: http://keystone:5000/v3 - user: admin - password: p4ssw0rd - domain: default - project: admin - check_token: false - certificate: false - external: - url: http://keystone:30006/v3 - -plugins: - authz: - container: wukongsun/moon_authz:v4.3 - port: 8081 - session: - container: asteroide/session:latest - port: 8082 - -components: - interface: - port: 8080 - bind: 0.0.0.0 - hostname: interface - container: wukongsun/moon_interface:v4.3 - orchestrator: - port: 8083 - bind: 0.0.0.0 - hostname: orchestrator - container: wukongsun/moon_orchestrator:v4.3 - external: - port: 30003 - hostname: orchestrator - wrapper: - port: 8080 - bind: 0.0.0.0 - hostname: wrapper - container: wukongsun/moon_wrapper:v4.3.1 - timeout: 5 - manager: - port: 8082 - bind: 0.0.0.0 - hostname: manager - container: wukongsun/moon_manager:v4.3.1 - external: - port: 30001 - hostname: manager - port_start: 31001 - -logging: - version: 1 - - formatters: - brief: - format: "%(levelname)s %(name)s %(message)-30s" - custom: - format: "%(asctime)-15s %(levelname)s %(name)s %(message)s" - - handlers: - console: - class : logging.StreamHandler - formatter: brief - level : INFO - stream : ext://sys.stdout - file: - class : logging.handlers.RotatingFileHandler - formatter: custom - level : DEBUG - filename: /tmp/moon.log - maxBytes: 1048576 - backupCount: 3 - - loggers: - moon: - level: DEBUG - handlers: [console, file] - propagate: no - - root: - level: ERROR - handlers: [console] - diff --git a/docs/2015-10-meeting-repport.rst b/docs/2015-10-meeting-repport.rst deleted file mode 100644 index 13b520bf..00000000 --- a/docs/2015-10-meeting-repport.rst +++ /dev/null @@ -1,66 +0,0 @@ -2015-11-03 meeting repport -========================== - -agenda ------- - -* present opnfv-moon-core release2 and its main feature - -* present opnfv-moonclient, a cmd line tool to administrate security - -* present the DevOps environment for code continue integration - -* present the progress moon-webview, a graphic interface for security management - -* discussion about the roadmap: provide a demo next year? integration release C or D? which main features to be integrated? - -* fix a monthly review meeting to follow its dev and establish an acting plan - - -moon core ---------- - -* functional tests will be finished in 2 weeks - - -moonclient ----------- - -* moonclient tests, together with functional tests will be finished in 2 weeks - - -moonwebview ------------ - -* 70% is finished - -* the total will be finished in 4 weeks - -* the log will not be integrated in release 2 - - -dev environment ---------------- - -* no documentation - -* for new committers, please contact ruan.he@orange.com - - -project roadmap ---------------- - -* integrate Moon code to release C - -* Jamil to ask for support from OpenDaylight - -* Nir to ask for support from Huawei - -* prepare Moon demostration with OpenStack/OpenDaylight 03/2016 - - -monthly dev meeting -------------------- - -* all the contributors agree to set up a monthly dev meeting the last Wensday of each month - diff --git a/docs/2015-11-03-meeting-repport.rst b/docs/2015-11-03-meeting-repport.rst deleted file mode 100644 index cf4c46d6..00000000 --- a/docs/2015-11-03-meeting-repport.rst +++ /dev/null @@ -1,54 +0,0 @@ -2015-11-03 meeting repport -========================== - -agenda ------- - -* present opnfv-moon-core release2 progess: main features are almost finished, moon-core release 2 finished by 27 Nov 2015 - -* present opnfv-webview: finished by 4 Dec - -* present moon-release2 code review: finished by 4 Dec - -* present the feedback from OPNFV summit: - - + several presentations during the Security Design, Security Pannel from Nokia, Huawei and Ericsson - - + new contributors (Ericsson, Radware) - - + moon integration in OPNFV release C: propose to show the prototype in TSC - -* synchronize moon/OPNFV with ETSI/NFV security group - - + propose a POD to ETSI/NFV security group - - + to discuss in the next week's ESTI/NFV meeting - -* main features for moon release 3 - - + K2K is a big topic: assigned to thomas - - + inter-tenant requires a lot of work - - + separation of meta-data and meta-rule: assigned to ruan - -* next meeting: 16 Dec - - + Ashutosh will present the feedback about our POC in ETSI/NFV security group - - -attendees ---------- - -* Ruan HE - -* Thomas Duval - -* Maxime Compastie - -* Jamil Chawki - -* Ashutosh Dutta - -* Alioune BA - diff --git a/docs/2015-11-03.txt b/docs/2015-11-03.txt deleted file mode 100644 index e7d31677..00000000 --- a/docs/2015-11-03.txt +++ /dev/null @@ -1,194 +0,0 @@ -2015-11-03 -========== - - (13:00:03) MaximeC left the room (quit: Client Quit). - (13:00:22) MaximeC [c1f83226@gateway/web/freenode/ip.193.248.50.38] entered the room. - (13:01:07) heruan: let's wait 5 mins before starting the meeting - (13:01:36) asteroide: ok - (13:01:54) Nir [c074be92@gateway/web/freenode/ip.192.116.190.146] entered the room. - (13:03:13) alioune [c202ca51@gateway/web/freenode/ip.194.2.202.81] entered the room. - (13:03:27) heruan: Hi all - (13:03:45) heruan: Jamil will join the meeting later - (13:04:24) heruan: in the chat room, there all the moon team from Orange, except Jamil - (13:04:34) heruan: and Nir from Huawei - (13:04:50) heruan: the ordre of today's meeting is: - (13:05:16) heruan: - present opnfv-moon-core release2 and its main feature - (13:05:16) heruan: - present opnfv-moonclient, a cmd line tool to administrate security - (13:05:16) heruan: - present the DevOps environment for code continue integration - (13:05:16) heruan: - present the progress moon-webview, a graphic interface for security management - (13:05:16) heruan: - discussion about the roadmap: provide a demo next year? integration release C or D? which main features to be integrated? - (13:05:16) heruan: - fix a monthly review meeting to follow its dev and establish an acting plan - (13:05:30) heruan: do all of you agree on the schedule? - (13:05:39) asteroide: yes - (13:06:06) MaximeC: That's ok for me - (13:06:17) Nir: me too - (13:06:59) heruan: #present opnfv-moon-cre release2 - (13:07:08) Jamil [a16a0005@gateway/web/freenode/ip.161.106.0.5] entered the room. - (13:07:33) heruan: we started the second release since the beginning of this year - (13:08:16) heruan: the main idea is to refactor the code in order to conform OpenStack's criteria and build a stable policy engine - (13:08:45) heruan: now the core part has almost finished, we on now on the test stage - (13:09:12) heruan: @asteroide, can you talk a little about the ongoing test? - (13:09:18) asteroide: yep - (13:09:36) asteroide: all functionnal tests are OK - (13:09:56) Jamil: What are the main features of this Rel ? - (13:09:59) asteroide: those tests are located in the code of Keystone-moon - (13:10:26) asteroide: and I am testing Moon with moonclient - (13:10:41) asteroide: by adding a test feature inside moonclient - (13:11:19) asteroide: the main feature is the policy engine written in pue python - (13:11:26) asteroide: pure python - (13:11:29) Jamil: waht do you mean by moonclient ? - (13:11:57) heruan: @Jamil, the main features can be found in Jira: https://jira.opnfv.org/browse/MOON-2?jql=project%20%3D%20MOON%20AND%20resolution%20%3D%20Unresolved%20AND%20issuetype%20%3D%20Task%20ORDER%20BY%20priority%20DESChttps://jira.opnfv.org/browse/MOON-2?jql=project%20%3D%20MOON%20AND%20resolution%20%3D%20Unresolved%20AND%20issuetype%20%3D%20Task%20ORDER%20BY%20priority%20DESC - (13:12:07) asteroide: moonclient is a console based client used to configure keystone-moon - (13:12:18) asteroide: through moon API - (13:12:29) alioune left the room (quit: Quit: Page closed). - (13:12:44) heruan: yes, moon has 2 interfaces: moonclient (CLI) and moonwebview (GUI) - (13:12:57) alioune [c202ca51@gateway/web/freenode/ip.194.2.202.81] entered the room. - (13:13:14) asteroide: here is an example of moonclient usage : "moon tenant list" "moon subject add admin --password nomoresecrete", ... - (13:13:37) asteroide: you can add subject object, action, categories rules and so on - (13:13:48) asteroide: on a particular intraextension - (13:14:03) asteroide: on a "selected" intraextension - (13:14:30) heruan: PI: extension in moon is a security manager to protect one tenant - (13:15:09) heruan: in conclusion, now to moon-core, it only lacks tests? - (13:15:39) heruan: @asteroide? - (13:16:06) asteroide: for me, tests in keystone moon are OK in core - (13:16:14) asteroide: but not through moonclient - (13:16:35) heruan: how much time it needs to finish all the tests? - (13:16:45) asteroide: I need to add more test on nova - (13:16:49) asteroide: on swift - (13:17:06) asteroide: and tests with different users (not admin) - (13:17:21) asteroide: all through moonclient - (13:17:34) heruan: yes, the 3 sub-tasks we have listed in Jira - (13:17:39) asteroide: nova tests will be OK at the end of this week - (13:18:17) asteroide: I think that swift and users tests can be done at the end of the next week - (13:18:25) heruan: ok - (13:18:51) heruan: moon core release 2 will be finished in 2 weeks! - (13:19:03) heruan: thank asteroide - (13:19:09) asteroide: :) - (13:19:26) heruan: next topic is about #moonclient - (13:19:37) heruan: since we have already discussed about it - (13:19:56) heruan: my understanding is that moonclient will be finished with moon-core? - (13:20:17) asteroide: yes - (13:20:35) heruan: ok, moonclient will also be finished in 2 weeks!! - (13:20:54) heruan: the 3rd topic is about moonwebview (GUI) - (13:21:01) heruan: @MaximeC? - (13:21:06) MaximeC: Ok, - (13:21:19) Jamil: what are next steps to integrate moon in OPNFV Rel x ? - (13:21:41) heruan: this is the 5th topic - (13:21:41) MaximeC: So, basically, MoonWebUI aims at providing a WebUI for Moon - (13:21:58) Jamil: ok - (13:22:06) MaximeC: to manage tenants, intra-extension & inter-etension - (13:22:19) MaximeC: with an Authc based on Keystone - (13:23:04) MaximeC: This interface is still in development as we refactore the code to be client-side, and independant from Horizon - (13:23:24) MaximeC: This is the actual state of the code: - (13:23:43) MaximeC: * Tenants Management is implemented - (13:24:17) MaximeC: * Intra-etension management is in progress (70% of functionality are working) - (13:24:39) MaximeC: * Inter-extension is not yet developped - (13:24:51) MaximeC: * AuthC dev has just begun - (13:24:51) heruan: inter-extension is not included in release 2 - (13:25:18) heruan: i think maxime needs asteroide's help for a server-side django module - (13:25:34) asteroide: ok no problem - (13:25:45) MaximeC: The WebUI is bound to MoonServer through REST API, so - (13:26:21) MaximeC: even if there are major changes in moon server code, as logn as API will remain the same - (13:26:44) MaximeC: no changes will be due in MoonWebview code - (13:27:00) heruan: Maxime, do you have an idea about the delay? - (13:27:35) MaximeC: To my mind, i think dev will last 1 month - (13:27:58) heruan: ok, 4 weeks for the monwebview - (13:28:00) asteroide: is there a plan to add a link to the log API inside the web client ? - (13:28:14) heruan: not in release 2 - (13:28:28) asteroide: ok - (13:28:50) heruan: the 4th topic is about the dev environment - (13:29:57) heruan: @Nir, it's not so easy to install the whole dev env, so if someone in your team wants, ask him to directly contact us - (13:30:22) heruan: we will try to remotely install all modules for him - (13:31:13) heruan: we switch to the 5th topic - (13:31:28) heruan: moon's roadmap - (13:31:41) Nir: ok, i will inform them - (13:31:46) heruan: @Jamil @Nir, what's your opinion? - (13:32:19) Jamil: its good to have moon in Rel C - (13:32:56) heruan: this depends on @alioune's work on OpenDaylight integration - (13:33:22) Nir: agree, what are we missing to put it into Rel C? - (13:33:56) heruan: we'd like to implement the identity federation use case through moon - (13:34:15) Jamil: my undestanding integration with ODL ID - (13:34:33) heruan: this means that moon at the same time, synchronizes and manages OpenStack's users and OpenDaylight's users - (13:34:54) heruan: to demonstrate that moon is a unified security manager - (13:35:05) Jamil: yes - (13:35:09) heruan: @alioune works on the ODL integration - (13:35:20) heruan: @aliounce, what's your progress? - (13:35:57) heruan: he's maybe offlne - (13:36:34) heruan: my understanding is that the integration will be difficulte to finished for the beginning of 2016 - (13:36:44) Jamil: do we need any support from ODL project ? - (13:36:57) heruan: yes, of cause - (13:37:11) heruan: if we can get some supplementary helps - (13:37:17) Jamil: Rel C will be in Sept 2016 - (13:37:41) heruan: but we should provide a demo at the begining of 2016 - (13:37:46) Jamil: yes I can ask a support - (13:37:51) Nir: I can check if we have someone in Huawei that can help - (13:38:04) heruan: that's great!! - (13:38:07) Nir: Do we have a target date for the demo - (13:38:08) Nir: ? - (13:38:44) heruan: let's fix the date to 15th Jan 2016 - (13:39:36) Nir: OK, I will check internally and update. - (13:39:41) alioune: hi all, currently I am analysing ODL architecture and main used frameworks in the controller - (13:39:43) heruan: thanks - (13:40:28) heruan: so, the roadmap of moon is to push its code to Release C - (13:40:38) Jamil: Jan 2016 will be one month before Rel B - (13:40:52) heruan: we prepare the demo for Jan 2016 - (13:41:15) Jamil: I think Rel c will be discussed in March 2016 - (13:41:33) asteroide: the demo will be on release 2 of Moon or release 3 ? - (13:41:52) heruan: ok, in this case we will have more time - (13:42:04) heruan: the demo will be based on Moon release 2 - (13:42:13) Jamil: for OPNFV, the first integrated code for moon will be the Rel1 for moon - (13:42:13) asteroide: ok - (13:42:45) heruan: release 2 will be ready, son we can directly contribute with release 2 - (13:43:20) heruan: the second sub-topic is about next week's OPNFV summit - (13:43:37) heruan: Jamil will chair a dedicated session on Moon - (13:43:58) heruan: Nir, maybe you can help Jamil for the session? - (13:44:07) Jamil: ODL will be integrated in moon Rel 3 ? - (13:44:13) Nir: I will participate in a security panel presenting Moon in the first day - (13:44:34) Nir: and i have a session about the moon in the theater at teh second day as well - (13:44:41) Nir: :-) - (13:44:46) heruan: great!! - (13:45:11) heruan: @Jamil, ODL doesn't touch Moon-core - (13:45:20) Nir: Unless you think otherwise i recommend to keep all of them so we can reach as many people and increase the community - (13:45:39) Nir: altough we may have some overlap - (13:45:54) heruan: the ecosystem for moon will be important - (13:46:14) heruan: all contributors and commiters will be welcome - (13:46:27) Nir: I am also planning to present moon to TI and Telefonica hoping to get them on board - (13:46:34) asteroide: and all beta-testers also ;) - (13:46:40) Nir: agree :-) - (13:47:11) heruan: we will provide a public testbed of Moon by Descember 2015 - (13:47:35) heruan: based on moon-core release 2 - (13:47:42) Nir: as for our suggestions for Rel 3 I asked my team to analyze Rel 2 and update the offer we have presented on our last meeting - (13:48:10) Jamil: moon session will be Thursday November 12, 2015 12:10pm - 12:30pm - (13:48:25) heruan: yes, some of the issues you mentioned have been already implemented - (13:49:00) heruan: @Jamil, can you annonce Moon's roadmap of OPNFV releaseC integration during your session? - (13:49:29) Jamil: yes It will do - (13:49:58) heruan: ok, i think we finished the fifth topic - (13:49:58) Jamil: I will do - (13:50:19) heruan: last one, I propose to have a monthly moon meeting - (13:50:38) heruan: the last wensday of each month - (13:50:51) heruan: it's ok for everyone? - (13:50:52) Nir: agree - (13:50:56) Jamil: ok - (13:51:01) asteroide: agree - (13:51:02) Jamil: same time ? - (13:51:13) MaximeC: Ok for me - (13:51:32) heruan: at 14h CEST? on hour later - (13:51:38) alioune: ok - (13:52:12) asteroide: ok for 14h CEST - (13:52:30) heruan: @Nir? - (13:52:37) Nir: ok with me - (13:52:41) heruan: ok - (13:52:50) heruan: we finished all the topics - (13:53:03) heruan: do you have anything else to discuss? - (13:53:47) asteroide: nothing to add - (13:54:00) Nir: not on my side. - (13:54:03) heruan: if you don't have anything else, we close today's meeting - (13:54:26) Jamil: have a nice day - (13:54:28) Nir: thanks, and gooddbye everyone - (13:54:34) asteroide: bye! - (13:54:39) heruan: I'll update the meeting report to moon's workspace - (13:54:41) Nir left the room (quit: Quit: Page closed). - (13:54:50) Jamil left the room (quit: Quit: Page closed). - (13:55:03) MaximeC left the room. - (13:55:09) asteroide left the room (quit: Quit: Page closed). - diff --git a/docs/DEV.md b/docs/DEV.md new file mode 100644 index 00000000..0dff2f17 --- /dev/null +++ b/docs/DEV.md @@ -0,0 +1,206 @@ +# Developer Tutorial + +## Gerrit Setup +### Git Install +- `sudo apt-get install git` +- `git config --global user.email "example@wikimedia.org"` +- `git config --global user.name "example"` + +### ssh key +- `cd ~/.ssh` +- `ssh-keygen -t rsa -C your_email@youremail.com` +- `~/.ssh/id_rsa`: identification (private) key` +- `~/.ssh/id_rsa.pub`: public key +- copy the public key to Gerrit web +- add Gerrit web上 entry to `~/.ssh/known_hosts` +- eval `ssh-agent`: start ssh-agent +- `ssh-add ~/.ssh/id_rsa`: add private key to ssh +- `ssh -p 29418 @gerrit.opnfv.org`: test + +### Gerrit clone +- `git clone https://WuKong@gerrit.opnfv.org:29418/moon` +- the password is dynamically generated on the Gerrit web + +### Gerrit Setting +- `sudo apt-get install python-pip` +- `sudo pip install git-review` +- `git remote add gerrit ssh://@gerrit.opnfv.org:29418/moon.git` +- add the ssh public key to the Gerrit web +- `git review –s`: test the Gerrit review connection +- add Contributor Agreement, from settings/Agreement + +### Gerrit-Review +- git add XXX +- git commit --signoff --all +- git review + +### Review Correction +- `git clone https://git.opnfv.org/moon` +- `cd moon` +- get the commit id from Gerrit dashboard +- `git checkout commit_id` +- `git checkout -b 48957-1` (where '48957' is the change number and '1' is the patch_number) +- do your changes ex:`vi specs/policy/external-pdp.rst` +- `git add specs/policy/external-pdp.rst` +- `git commit –amend` +- `git review` + + +## Build Python Package +### pre-requist +Get the code +```bash +git clone https://git.opnfv.org/moon +cd moon/moonv4 +export MOON_HOME=$(pwd) +sudo ln -s $(pwd)/conf /etc/moon +``` + +Install python wheel +```bash +sudo apt install python3-wheel +``` + +Install pip twine +```bash +sudo pip install twine +``` + +Package code, wheel is a new format instead of `tar.gz` +```bash +python setup.py sdist bdist_wheel +``` + +Upload to PyPi +```bash +twine upload dist/moon_xxx-y.y.y.whl +twine upload dist/moon_xxx-y.y.y.tar.gz +``` + +Install a package from PyPi +```bash +sudo pypi install moon_xxx --upgrade +``` + +### moon_db +- change version in `moon_db/__init__.py` +- add `Changelog` + +### moon_utilities +- change version in `moon_utilities/__init__.py` +- add `Changelog` + +### moon_orchestrator +- change version in `moon_orchestrator/__init__.py` +- add `Changelog` + + +### Build All Pip +```bash +sudo pip3 install pip --upgrade +cd ${MOON_HOME}/bin +source build_all_pip.sh +``` + + +## Container +## keystone_mitaka +see `templates/docker/keystone/README.md` to build the `keystone_mitaka` container + + +### moon_router + + +### moon_interface + + +### moon_manager + + +### moon_authz + + +### moon_gui + + +## How to hack the Moon platform +### Force the build of components + +If you want to rebuild one or more component, you have to modify the configuration file `moon.conf`. + +For example, if you want to rebuild the moon_interface, got to the `[interface]` section and delete the +value of the container key like this: + +``` +[interface] +host=172.18.0.11 +port=38001 +# Name of the container to download (if empty build from scratch) +# example: container=moon/moon_interface:latest +container= +``` + +You can configure the interface, the router and both the security_function and security_policy. +You can also force the version of the component like this: `container=moon/moon_interface:4.0.0` + +### Update the moon_interface + +Go to the directory `${MOON_HOME}/moon_interface` and update the code accordingly to your needs, +then update the python package. + +```bash +cd ${MOON_HOME}/moon_interface +python setup.py sdist +cp dist/moon_interface_* ../moon_orchestrator/dist +# kill moon_orchestrator if needed and restart it +``` + +### Update the moon_secrouter + +Go to the directory `${MOON_HOME}/moon_secrouter` and update the code accordingly to your needs, +then update the python package. + +```bash +cd ${MOON_HOME}/moon_secrouter +python setup.py sdist +cp dist/moon_secrouter* ../moon_orchestrator/dist +# kill moon_orchestrator if needed and restart it +``` + +## Problems that may arise + +If the moon_orchestrator doesn't want to start +(with, for example, the following error: `docker.errors.APIError: 409 Client Error: Conflict`), +check if the router and interface containers still exist and kill and delete them: + +```bash +docker kill moon_interface +docker kill moon_router +docker rm moon_interface +docker rm moon_router +``` + +If the moon_orchestrator complains that it cannot request the RabbitMQ server, +check if the messenger server is up and running: + +```bash +docker ps +# you must see the messenger running here +# if not, restart it +docker run -dti --net=moon --hostname messenger --name messenger --link messenger:messenger -e RABBITMQ_DEFAULT_USER=moon -e RABBITMQ_DEFAULT_PASS=password -e RABBITMQ_NODENAME=rabbit@messenger -e RABBITMQ_DEFAULT_VHOST=moon -p 5671:5671 -p 5672:5672 rabbitmq:3-management +``` + +## Configure DB +### Relaunch Keystone docker +If error of `get_keystone_projects()`, then relaunch the Keystone docker, and wait 40 seconds!!! +```bash +docker rm -f keystone +docker run -dti --net moon --name keystone --hostname=keystone -e DB_HOST=db -e DB_PASSWORD_ROOT=p4sswOrd1 -p 35357:35357 -p 5000:5000 keystone:mitaka +``` + +### Add default data in DB +Pre-fill the DB with a RBAC policy +```bash +cd ${MOON_HOME}/moon_interface/tests/apitests +python3 populate_default_values.py scenario/ rbac.py +``` diff --git a/docs/TODO.md b/docs/TODO.md new file mode 100644 index 00000000..afdadf3c --- /dev/null +++ b/docs/TODO.md @@ -0,0 +1,33 @@ +Here is a list of what must be done to have complete version of the Moon platform. + +Architecture + +- Add a complete logging system +- Replace moon_orchestrator with Kubernetes + +Actions that must be done before the next version: + +- manage a token/uuid (ie session ID) in the moon_interface component +- add a timestamps in moon_router to know if the database has been modified +- rename moon_db and moon_utilities because they are not container but just libraries +- work on moonclient because it doesn't work with the new data model +- check all input from moon_interface (check that input data are correct and safe) +- Move @enforce from moon_db to API in Moon_Manager +- Need to work on unit tests with the new data model + +Bugs to fix: + +- Connect the authz functionality with the enforce decorator +- When adding user or VM in GUI, there is a bug in the backend (manager ?) +- GUI: in the "Projects" tab, move the "Map" link in the "Action" button +- GUI: move tabs in this order : "Models, Policy, PDP, Projects" + +Other actions: + +- Some cleaning in all classes +- Write Installation procedures +- Write User and administrator documentation +- Run unit tests +- Add and run integration tests +- Need to check if the Moon platform still can retrieve users and roles from Keystone +- Need to retrieve VM from Nova diff --git a/docs/moon.rst b/docs/moon.rst deleted file mode 100644 index 69724b18..00000000 --- a/docs/moon.rst +++ /dev/null @@ -1,4 +0,0 @@ -Moon: Security Management Module -================================ - - diff --git a/templates/glance/policy.json b/templates/glance/policy.json deleted file mode 100644 index 5505f67f..00000000 --- a/templates/glance/policy.json +++ /dev/null @@ -1,62 +0,0 @@ -{ - "context_is_admin": "role:admin", - "default": "role:admin", - - "add_image": "http://my_hostname:31001/authz", - "delete_image": "http://my_hostname:31001/authz", - "get_image": "http://my_hostname:31001/authz", - "get_images": "http://my_hostname:31001/authz", - "modify_image": "http://my_hostname:31001/authz", - "publicize_image": "role:admin", - "communitize_image": "", - "copy_from": "", - - "download_image": "", - "upload_image": "", - - "delete_image_location": "", - "get_image_location": "", - "set_image_location": "", - - "add_member": "", - "delete_member": "", - "get_member": "", - "get_members": "", - "modify_member": "", - - "manage_image_cache": "role:admin", - - "get_task": "role:admin", - "get_tasks": "role:admin", - "add_task": "role:admin", - "modify_task": "role:admin", - - "deactivate": "", - "reactivate": "", - - "get_metadef_namespace": "", - "get_metadef_namespaces":"", - "modify_metadef_namespace":"", - "add_metadef_namespace":"", - - "get_metadef_object":"", - "get_metadef_objects":"", - "modify_metadef_object":"", - "add_metadef_object":"", - - "list_metadef_resource_types":"", - "get_metadef_resource_type":"", - "add_metadef_resource_type_association":"", - - "get_metadef_property":"", - "get_metadef_properties":"", - "modify_metadef_property":"", - "add_metadef_property":"", - - "get_metadef_tag":"", - "get_metadef_tags":"", - "modify_metadef_tag":"", - "add_metadef_tag":"", - "add_metadef_tags":"" - -} diff --git a/templates/moon/moon.conf b/templates/moon/moon.conf new file mode 100644 index 00000000..a5a40ad2 --- /dev/null +++ b/templates/moon/moon.conf @@ -0,0 +1,87 @@ +database: + url: mysql+pymysql://moon:p4sswOrd1@db/moon + driver: sql + +openstack: + keystone: + url: http://keystone:5000/v3 + user: admin + password: p4ssw0rd + domain: default + project: admin + check_token: false + certificate: false + external: + url: http://keystone:30006/v3 + +plugins: + authz: + container: wukongsun/moon_authz:v4.3 + port: 8081 + session: + container: asteroide/session:latest + port: 8082 + +components: + interface: + port: 8080 + bind: 0.0.0.0 + hostname: interface + container: wukongsun/moon_interface:v4.3 + orchestrator: + port: 8083 + bind: 0.0.0.0 + hostname: orchestrator + container: wukongsun/moon_orchestrator:v4.3 + external: + port: 30003 + hostname: orchestrator + wrapper: + port: 8080 + bind: 0.0.0.0 + hostname: wrapper + container: wukongsun/moon_wrapper:v4.3.1 + timeout: 5 + manager: + port: 8082 + bind: 0.0.0.0 + hostname: manager + container: wukongsun/moon_manager:v4.3.1 + external: + port: 30001 + hostname: manager + port_start: 31001 + +logging: + version: 1 + + formatters: + brief: + format: "%(levelname)s %(name)s %(message)-30s" + custom: + format: "%(asctime)-15s %(levelname)s %(name)s %(message)s" + + handlers: + console: + class : logging.StreamHandler + formatter: brief + level : INFO + stream : ext://sys.stdout + file: + class : logging.handlers.RotatingFileHandler + formatter: custom + level : DEBUG + filename: /tmp/moon.log + maxBytes: 1048576 + backupCount: 3 + + loggers: + moon: + level: DEBUG + handlers: [console, file] + propagate: no + + root: + level: ERROR + handlers: [console] + diff --git a/templates/moon_forming/Dockerfile b/templates/moon_forming/Dockerfile new file mode 100644 index 00000000..fe48eee0 --- /dev/null +++ b/templates/moon_forming/Dockerfile @@ -0,0 +1,10 @@ +FROM python:3 +WORKDIR /usr/src/app +RUN pip install --no-cache-dir --upgrade requests pyyaml python_moonutilities python_moondb + +ENV POPULATE_ARGS "-v" + +ADD . /root +WORKDIR /root + +CMD sh /root/run.sh ${POPULATE_ARGS} \ No newline at end of file diff --git a/templates/moon_forming/README.md b/templates/moon_forming/README.md new file mode 100644 index 00000000..f6327693 --- /dev/null +++ b/templates/moon_forming/README.md @@ -0,0 +1,12 @@ +Introduction +============ + +moonforming is a container used to automatize the configuration of the Moon patform + +Usage +===== + +```bash +docker run asteroide/moonforming:v1.1 +``` + diff --git a/templates/moon_forming/conf/mls.py b/templates/moon_forming/conf/mls.py new file mode 100644 index 00000000..0e6285c9 --- /dev/null +++ b/templates/moon_forming/conf/mls.py @@ -0,0 +1,59 @@ + +pdp_name = "pdp_mls" +policy_name = "MLS Policy example" +model_name = "MLS" +policy_genre = "authz" + +subjects = {"adminuser": "", "user1": "", "user2": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"subject-security-level": "", } +object_categories = {"object-security-level": "", } +action_categories = {"action-type": "", } + +subject_data = { + "subject-security-level": {"low": "", "medium": "", "high": ""}, +} +object_data = { + "object-security-level": {"low": "", "medium": "", "high": ""}, +} +action_data = {"action-type": {"vm-action": "", "storage-action": "", }} + +subject_assignments = { + "adminuser": {"subject-security-level": "high"}, + "user1": {"subject-security-level": "medium"}, +} +object_assignments = { + "vm0": {"object-security-level": "medium"}, + "vm1": {"object-security-level": "low"}, +} +action_assignments = { + "start": {"action-type": "vm-action"}, + "stop": {"action-type": "vm-action"} +} + +meta_rule = { + "mls": { + "id": "", + "value": ("subject-security-level", + "object-security-level", + "action-type")}, +} + +rules = { + "mls": ( + { + "rule": ("high", "medium", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rule": ("high", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rule": ("medium", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + ) +} diff --git a/templates/moon_forming/conf/rbac.py b/templates/moon_forming/conf/rbac.py new file mode 100644 index 00000000..25c010fd --- /dev/null +++ b/templates/moon_forming/conf/rbac.py @@ -0,0 +1,61 @@ + +pdp_name = "pdp_rbac" +policy_name = "RBAC policy example" +model_name = "RBAC" +policy_genre = "authz" + +subjects = {"adminuser": "", "user1": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "employee": "", "*": ""}} +object_data = {"id": {"vm0": "", "vm1": "", "*": ""}} +action_data = {"action-type": {"vm-action": "", "*": ""}} + +subject_assignments = { + "adminuser": + ({"role": "admin"}, {"role": "employee"}, {"role": "*"}), + "user1": + ({"role": "employee"}, {"role": "*"}), +} +object_assignments = { + "vm0": + ({"id": "vm0"}, {"id": "*"}), + "vm1": + ({"id": "vm1"}, {"id": "*"}) +} +action_assignments = { + "start": + ({"action-type": "vm-action"}, {"action-type": "*"}), + "stop": + ({"action-type": "vm-action"}, {"action-type": "*"}) +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": ( + { + "rule": ("admin", "vm0", "vm-action"), + "instructions": ( + {"decision": "grant"}, + # "grant" to immediately exit, + # "continue" to wait for the result of next policy + ) + }, + { + "rule": ("employee", "vm1", "vm-action"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) +} + + diff --git a/templates/moon_forming/conf2consul.py b/templates/moon_forming/conf2consul.py new file mode 100644 index 00000000..46c99d5c --- /dev/null +++ b/templates/moon_forming/conf2consul.py @@ -0,0 +1,103 @@ +import os +import sys +import requests +import yaml +import logging +import json +import base64 + +logging.basicConfig(level=logging.INFO) +log = logging.getLogger("moon.conf2consul") +requests_log = logging.getLogger("requests.packages.urllib3") +requests_log.setLevel(logging.WARNING) +requests_log.propagate = True + +if len(sys.argv) == 2: + if os.path.isfile(sys.argv[1]): + CONF_FILENAME = sys.argv[1] + CONSUL_HOST = "consul" + else: + CONF_FILENAME = "moon.conf" + CONSUL_HOST = sys.argv[1] + CONSUL_PORT = 8500 +else: + CONSUL_HOST = sys.argv[1] if len(sys.argv) > 1 else "consul" + CONSUL_PORT = sys.argv[2] if len(sys.argv) > 2 else 8500 + CONF_FILENAME = sys.argv[3] if len(sys.argv) > 3 else "moon.conf" +HEADERS = {"content-type": "application/json"} + + +def search_config_file(): + data_config = None + for _file in ( + CONF_FILENAME, + "conf/moon.conf", + "../moon.conf", + "../conf/moon.conf", + "/etc/moon/moon.conf", + ): + try: + data_config = yaml.safe_load(open(_file)) + except FileNotFoundError: + data_config = None + continue + else: + break + if not data_config: + raise Exception("Configuration file not found...") + return data_config + + +def put(key, value): + url = "http://{host}:{port}/v1/kv/{key}".format(host=CONSUL_HOST, port=CONSUL_PORT, key=key) + log.info(url) + req = requests.put( + url, + headers=HEADERS, + json=value + ) + if req.status_code != 200: + raise Exception("Error connecting to Consul ({}, {})".format(req.status_code, req.text)) + + +def get(key): + url = "http://{host}:{port}/v1/kv/{key}".format(host=CONSUL_HOST, port=CONSUL_PORT, key=key) + req = requests.get(url) + data = req.json() + for item in data: + log.info("{} {} -> {}".format( + req.status_code, + item["Key"], + json.loads(base64.b64decode(item["Value"]).decode("utf-8")) + )) + yield json.loads(base64.b64decode(item["Value"]).decode("utf-8")) + + +def main(): + data_config = search_config_file() + req = requests.head("http://{}:{}/ui/".format(CONSUL_HOST, CONSUL_PORT)) + if req.status_code != 200: + log.critical("Consul is down...") + log.critical("request info: {}/{}".format(req, req.text)) + sys.exit(1) + + put("database", data_config["database"]) + # put("messenger", data_config["messenger"]) + # put("slave", data_config["slave"]) + # put("docker", data_config["docker"]) + put("logging", data_config["logging"]) + put("components_port_start", data_config["components"]["port_start"]) + + for _key, _value in data_config["components"].items(): + if type(_value) is dict: + put("components/{}".format(_key), data_config["components"][_key]) + + for _key, _value in data_config["plugins"].items(): + put("plugins/{}".format(_key), data_config["plugins"][_key]) + + for _key, _value in data_config["openstack"].items(): + put("openstack/{}".format(_key), data_config["openstack"][_key]) + + +main() + diff --git a/templates/moon_forming/moon.conf b/templates/moon_forming/moon.conf new file mode 100644 index 00000000..dc498e34 --- /dev/null +++ b/templates/moon_forming/moon.conf @@ -0,0 +1,79 @@ +database: + url: mysql+pymysql://moon:p4sswOrd1@db/moon + driver: sql + +openstack: + keystone: + url: http://keystone:5000/v3 + user: admin + password: p4ssw0rd + domain: default + project: admin + check_token: false + certificate: false + +plugins: + authz: + container: wukongsun/moon_authz:v4.3 + port: 8081 + session: + container: asteroide/session:latest + port: 8082 + +components: + interface: + port: 8080 + bind: 0.0.0.0 + hostname: interface + container: wukongsun/moon_interface:v4.3 + orchestrator: + port: 8083 + bind: 0.0.0.0 + hostname: orchestrator + container: wukongsun/moon_orchestrator:v4.3 + wrapper: + port: 8080 + bind: 0.0.0.0 + hostname: wrapper + container: wukongsun/moon_wrapper:v4.3.1 + timeout: 5 + manager: + port: 8082 + bind: 0.0.0.0 + hostname: manager + container: wukongsun/moon_manager:v4.3.1 + port_start: 31001 + +logging: + version: 1 + + formatters: + brief: + format: "%(levelname)s %(name)s %(message)-30s" + custom: + format: "%(asctime)-15s %(levelname)s %(name)s %(message)s" + + handlers: + console: + class : logging.StreamHandler + formatter: brief + level : INFO + stream : ext://sys.stdout + file: + class : logging.handlers.RotatingFileHandler + formatter: custom + level : DEBUG + filename: /tmp/moon.log + maxBytes: 1048576 + backupCount: 3 + + loggers: + moon: + level: DEBUG + handlers: [console, file] + propagate: no + + root: + level: ERROR + handlers: [console] + diff --git a/templates/moon_forming/populate_default_values.py b/templates/moon_forming/populate_default_values.py new file mode 100644 index 00000000..fa099458 --- /dev/null +++ b/templates/moon_forming/populate_default_values.py @@ -0,0 +1,235 @@ +import argparse +import logging +from importlib.machinery import SourceFileLoader +from utils.pdp import * +from utils.models import * +from utils.policies import * + +parser = argparse.ArgumentParser() +parser.add_argument('filename', help='scenario filename', nargs=1) +parser.add_argument("--verbose", "-v", action='store_true', + help="verbose mode") +parser.add_argument("--debug", "-d", action='store_true', help="debug mode") +parser.add_argument("--keystone-pid", "-k", dest="keystone_pid", default="", + help="Force a particular Keystone Project ID") +args = parser.parse_args() + +FORMAT = '%(asctime)-15s %(levelname)s %(message)s' +if args.debug: + logging.basicConfig( + format=FORMAT, + level=logging.DEBUG) +elif args.verbose: + logging.basicConfig( + format=FORMAT, + level=logging.INFO) +else: + logging.basicConfig( + format=FORMAT, + level=logging.WARNING) + +requests_log = logging.getLogger("requests.packages.urllib3") +requests_log.setLevel(logging.WARNING) +requests_log.propagate = True + +logger = logging.getLogger("moonforming") + +if args.filename: + print("Loading: {}".format(args.filename[0])) + +m = SourceFileLoader("scenario", args.filename[0]) + +scenario = m.load_module() + + +def create_model(model_id=None): + if args.verbose: + logger.info("Creating model {}".format(scenario.model_name)) + if not model_id: + logger.info("Add model") + model_id = add_model(name=scenario.model_name) + logger.info("Add subject categories") + for cat in scenario.subject_categories: + scenario.subject_categories[cat] = add_subject_category(name=cat) + logger.info("Add object categories") + for cat in scenario.object_categories: + scenario.object_categories[cat] = add_object_category(name=cat) + logger.info("Add action categories") + for cat in scenario.action_categories: + scenario.action_categories[cat] = add_action_category(name=cat) + sub_cat = [] + ob_cat = [] + act_cat = [] + meta_rule_list = [] + for item_name, item_value in scenario.meta_rule.items(): + for item in item_value["value"]: + if item in scenario.subject_categories: + sub_cat.append(scenario.subject_categories[item]) + elif item in scenario.object_categories: + ob_cat.append(scenario.object_categories[item]) + elif item in scenario.action_categories: + act_cat.append(scenario.action_categories[item]) + meta_rules = check_meta_rule(meta_rule_id=None) + for _meta_rule_id, _meta_rule_value in meta_rules['meta_rules'].items(): + if _meta_rule_value['name'] == item_name: + meta_rule_id = _meta_rule_id + break + else: + logger.info("Add meta rule") + meta_rule_id = add_meta_rule(item_name, sub_cat, ob_cat, act_cat) + item_value["id"] = meta_rule_id + if meta_rule_id not in meta_rule_list: + meta_rule_list.append(meta_rule_id) + return model_id, meta_rule_list + + +def create_policy(model_id, meta_rule_list): + if args.verbose: + logger.info("Creating policy {}".format(scenario.policy_name)) + _policies = check_policy() + for _policy_id, _policy_value in _policies["policies"].items(): + if _policy_value['name'] == scenario.policy_name: + policy_id = _policy_id + break + else: + policy_id = add_policy(name=scenario.policy_name, genre=scenario.policy_genre) + + update_policy(policy_id, model_id) + + for meta_rule_id in meta_rule_list: + logger.debug("add_meta_rule_to_model {} {}".format(model_id, meta_rule_id)) + add_meta_rule_to_model(model_id, meta_rule_id) + + logger.info("Add subject data") + for subject_cat_name in scenario.subject_data: + for subject_data_name in scenario.subject_data[subject_cat_name]: + data_id = scenario.subject_data[subject_cat_name][subject_data_name] = add_subject_data( + policy_id=policy_id, + category_id=scenario.subject_categories[subject_cat_name], name=subject_data_name) + scenario.subject_data[subject_cat_name][subject_data_name] = data_id + logger.info("Add object data") + for object_cat_name in scenario.object_data: + for object_data_name in scenario.object_data[object_cat_name]: + data_id = scenario.object_data[object_cat_name][object_data_name] = add_object_data( + policy_id=policy_id, + category_id=scenario.object_categories[object_cat_name], name=object_data_name) + scenario.object_data[object_cat_name][object_data_name] = data_id + logger.info("Add action data") + for action_cat_name in scenario.action_data: + for action_data_name in scenario.action_data[action_cat_name]: + data_id = scenario.action_data[action_cat_name][action_data_name] = add_action_data( + policy_id=policy_id, + category_id=scenario.action_categories[action_cat_name], name=action_data_name) + scenario.action_data[action_cat_name][action_data_name] = data_id + + logger.info("Add subjects") + for name in scenario.subjects: + scenario.subjects[name] = add_subject(policy_id, name=name) + logger.info("Add objects") + for name in scenario.objects: + scenario.objects[name] = add_object(policy_id, name=name) + logger.info("Add actions") + for name in scenario.actions: + scenario.actions[name] = add_action(policy_id, name=name) + + logger.info("Add subject assignments") + for subject_name in scenario.subject_assignments: + if type(scenario.subject_assignments[subject_name]) in (list, tuple): + for items in scenario.subject_assignments[subject_name]: + for subject_category_name in items: + subject_id = scenario.subjects[subject_name] + subject_cat_id = scenario.subject_categories[subject_category_name] + for data in scenario.subject_assignments[subject_name]: + subject_data_id = scenario.subject_data[subject_category_name][data[subject_category_name]] + add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) + else: + for subject_category_name in scenario.subject_assignments[subject_name]: + subject_id = scenario.subjects[subject_name] + subject_cat_id = scenario.subject_categories[subject_category_name] + subject_data_id = scenario.subject_data[subject_category_name][scenario.subject_assignments[subject_name][subject_category_name]] + add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) + + logger.info("Add object assignments") + for object_name in scenario.object_assignments: + if type(scenario.object_assignments[object_name]) in (list, tuple): + for items in scenario.object_assignments[object_name]: + for object_category_name in items: + object_id = scenario.objects[object_name] + object_cat_id = scenario.object_categories[object_category_name] + for data in scenario.object_assignments[object_name]: + object_data_id = scenario.object_data[object_category_name][data[object_category_name]] + add_object_assignments(policy_id, object_id, object_cat_id, object_data_id) + else: + for object_category_name in scenario.object_assignments[object_name]: + object_id = scenario.objects[object_name] + object_cat_id = scenario.object_categories[object_category_name] + object_data_id = scenario.object_data[object_category_name][scenario.object_assignments[object_name][object_category_name]] + add_object_assignments(policy_id, object_id, object_cat_id, object_data_id) + + logger.info("Add action assignments") + for action_name in scenario.action_assignments: + if type(scenario.action_assignments[action_name]) in (list, tuple): + for items in scenario.action_assignments[action_name]: + for action_category_name in items: + action_id = scenario.actions[action_name] + action_cat_id = scenario.action_categories[action_category_name] + for data in scenario.action_assignments[action_name]: + action_data_id = scenario.action_data[action_category_name][data[action_category_name]] + add_action_assignments(policy_id, action_id, action_cat_id, action_data_id) + else: + for action_category_name in scenario.action_assignments[action_name]: + action_id = scenario.actions[action_name] + action_cat_id = scenario.action_categories[action_category_name] + action_data_id = scenario.action_data[action_category_name][scenario.action_assignments[action_name][action_category_name]] + add_action_assignments(policy_id, action_id, action_cat_id, action_data_id) + + logger.info("Add rules") + for meta_rule_name in scenario.rules: + meta_rule_value = scenario.meta_rule[meta_rule_name] + for rule in scenario.rules[meta_rule_name]: + data_list = [] + _meta_rule = list(meta_rule_value["value"]) + for data_name in rule["rule"]: + category_name = _meta_rule.pop(0) + if category_name in scenario.subject_categories: + data_list.append(scenario.subject_data[category_name][data_name]) + elif category_name in scenario.object_categories: + data_list.append(scenario.object_data[category_name][data_name]) + elif category_name in scenario.action_categories: + data_list.append(scenario.action_data[category_name][data_name]) + instructions = rule["instructions"] + add_rule(policy_id, meta_rule_value["id"], data_list, instructions) + return policy_id + + +def create_pdp(policy_id=None): + logger.info("Creating PDP {}".format(scenario.pdp_name)) + projects = get_keystone_projects() + project_id = args.keystone_pid + if not project_id: + for _project in projects['projects']: + if _project['name'] == "admin": + project_id = _project['id'] + assert project_id + pdps = check_pdp()["pdps"] + for pdp_id, pdp_value in pdps.items(): + if scenario.pdp_name == pdp_value["name"]: + update_pdp(pdp_id, policy_id=policy_id) + logger.debug("Found existing PDP named {} (will add policy {})".format(scenario.pdp_name, policy_id)) + return pdp_id + _pdp_id = add_pdp(name=scenario.pdp_name, policy_id=policy_id) + map_to_keystone(pdp_id=_pdp_id, keystone_project_id=project_id) + return _pdp_id + +if __name__ == "__main__": + _models = check_model() + for _model_id, _model_value in _models['models'].items(): + if _model_value['name'] == scenario.model_name: + model_id = _model_id + meta_rule_list = _model_value['meta_rules'] + create_model(model_id) + break + else: + model_id, meta_rule_list = create_model() + policy_id = create_policy(model_id, meta_rule_list) + pdp_id = create_pdp(policy_id) diff --git a/templates/moon_forming/run.sh b/templates/moon_forming/run.sh new file mode 100644 index 00000000..71543f9e --- /dev/null +++ b/templates/moon_forming/run.sh @@ -0,0 +1,44 @@ +#!/usr/bin/env bash + +populate_args=$* + +echo "Waiting for Consul (http://consul:8500)" +while ! python -c "import requests; req = requests.get('http://consul:8500')" 2>/dev/null ; do + sleep 5 ; + echo "." +done + +echo "Consul (http://consul:8500) is up." + +python3 /root/conf2consul.py /etc/moon/moon.conf + +echo "Waiting for DB (tcp://db:3306)" +while ! python -c "import socket, sys; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(('db', 3306)); sys.exit(0)" 2>/dev/null ; do + sleep 5 ; + echo "." +done + +echo "Database (http://db:3306) is up." + +moon_db_manager upgrade + +echo "Waiting for Keystone (http://keystone:5000)" +while ! python -c "import requests; req = requests.get('http://keystone:5000')" 2>/dev/null ; do + sleep 5 ; + echo "." +done + +echo "Keystone (http://keystone:5000) is up." + +echo "Waiting for Manager (http://manager:8082)" +while ! python -c "import requests; req = requests.get('http://manager:8082')" 2>/dev/null ; do + sleep 5 ; + echo "." +done + +echo "Manager (http://manager:8082) is up." + +cd /root + +python3 populate_default_values.py $populate_args /root/conf/rbac.py +python3 populate_default_values.py $populate_args /root/conf/mls.py diff --git a/templates/moon_forming/utils/__init__.py b/templates/moon_forming/utils/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/templates/moon_forming/utils/config.py b/templates/moon_forming/utils/config.py new file mode 100644 index 00000000..30c8ea4f --- /dev/null +++ b/templates/moon_forming/utils/config.py @@ -0,0 +1,22 @@ +import yaml + + +def get_config_data(filename="moon.conf"): + data_config = None + for _file in ( + filename, + "conf/moon.conf", + "../moon.conf", + "../conf/moon.conf", + "/etc/moon/moon.conf", + ): + try: + data_config = yaml.safe_load(open(_file)) + except FileNotFoundError: + data_config = None + continue + else: + break + if not data_config: + raise Exception("Configuration file not found...") + return data_config diff --git a/templates/moon_forming/utils/models.py b/templates/moon_forming/utils/models.py new file mode 100644 index 00000000..3cf31354 --- /dev/null +++ b/templates/moon_forming/utils/models.py @@ -0,0 +1,270 @@ +import requests +import copy +import utils.config + +config = utils.config.get_config_data() + +URL = "http://{}:{}".format( + config['components']['manager']['hostname'], + config['components']['manager']['port']) +URL = URL + "{}" +HEADERS = {"content-type": "application/json"} + +model_template = { + "name": "test_model", + "description": "test", + "meta_rules": [] +} + +category_template = { + "name": "name of the category", + "description": "description of the category" +} + +meta_rule_template = { + "name": "test_meta_rule", + "subject_categories": [], + "object_categories": [], + "action_categories": [] +} + + +def check_model(model_id=None, check_model_name=True): + req = requests.get(URL.format("/models")) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "models" in result + if model_id: + assert result["models"] + assert model_id in result['models'] + assert "name" in result['models'][model_id] + if check_model_name: + assert model_template["name"] == result['models'][model_id]["name"] + return result + + +def add_model(name=None): + if name: + model_template['name'] = name + req = requests.post(URL.format("/models"), json=model_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + model_id = list(result['models'].keys())[0] + if "result" in result: + assert result["result"] + assert "name" in result['models'][model_id] + assert model_template["name"] == result['models'][model_id]["name"] + return model_id + + +def delete_model(model_id): + req = requests.delete(URL.format("/models/{}".format(model_id))) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "result" in result + assert result["result"] + + +def add_subject_category(name="subject_cat_1"): + category_template["name"] = name + req = requests.post(URL.format("/subject_categories"), json=category_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "subject_categories" in result + category_id = list(result['subject_categories'].keys())[0] + if "result" in result: + assert result["result"] + assert "name" in result['subject_categories'][category_id] + assert category_template["name"] == result['subject_categories'][category_id]["name"] + return category_id + + +def check_subject_category(category_id): + req = requests.get(URL.format("/subject_categories")) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "subject_categories" in result + if "result" in result: + assert result["result"] + assert category_id in result['subject_categories'] + assert "name" in result['subject_categories'][category_id] + assert category_template["name"] == result['subject_categories'][category_id]["name"] + + +def delete_subject_category(category_id): + req = requests.delete(URL.format("/subject_categories/{}".format(category_id))) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + if "result" in result: + assert result["result"] + + +def add_object_category(name="object_cat_1"): + category_template["name"] = name + req = requests.post(URL.format("/object_categories"), json=category_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "object_categories" in result + category_id = list(result['object_categories'].keys())[0] + if "result" in result: + assert result["result"] + assert "name" in result['object_categories'][category_id] + assert category_template["name"] == result['object_categories'][category_id]["name"] + return category_id + + +def check_object_category(category_id): + req = requests.get(URL.format("/object_categories")) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "object_categories" in result + if "result" in result: + assert result["result"] + assert category_id in result['object_categories'] + assert "name" in result['object_categories'][category_id] + assert category_template["name"] == result['object_categories'][category_id]["name"] + + +def delete_object_category(category_id): + req = requests.delete(URL.format("/object_categories/{}".format(category_id))) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + if "result" in result: + assert result["result"] + + +def add_action_category(name="action_cat_1"): + category_template["name"] = name + req = requests.post(URL.format("/action_categories"), json=category_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "action_categories" in result + category_id = list(result['action_categories'].keys())[0] + if "result" in result: + assert result["result"] + assert "name" in result['action_categories'][category_id] + assert category_template["name"] == result['action_categories'][category_id]["name"] + return category_id + + +def check_action_category(category_id): + req = requests.get(URL.format("/action_categories")) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "action_categories" in result + if "result" in result: + assert result["result"] + assert category_id in result['action_categories'] + assert "name" in result['action_categories'][category_id] + assert category_template["name"] == result['action_categories'][category_id]["name"] + + +def delete_action_category(category_id): + req = requests.delete(URL.format("/action_categories/{}".format(category_id))) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + if "result" in result: + assert result["result"] + + +def add_categories_and_meta_rule(name="test_meta_rule"): + scat_id = add_subject_category() + ocat_id = add_object_category() + acat_id = add_action_category() + _meta_rule_template = copy.deepcopy(meta_rule_template) + _meta_rule_template["name"] = name + _meta_rule_template["subject_categories"].append(scat_id) + _meta_rule_template["object_categories"].append(ocat_id) + _meta_rule_template["action_categories"].append(acat_id) + req = requests.post(URL.format("/meta_rules"), json=_meta_rule_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "meta_rules" in result + meta_rule_id = list(result['meta_rules'].keys())[0] + if "result" in result: + assert result["result"] + assert "name" in result['meta_rules'][meta_rule_id] + assert _meta_rule_template["name"] == result['meta_rules'][meta_rule_id]["name"] + return meta_rule_id, scat_id, ocat_id, acat_id + + +def add_meta_rule(name="test_meta_rule", scat=[], ocat=[], acat=[]): + _meta_rule_template = copy.deepcopy(meta_rule_template) + _meta_rule_template["name"] = name + _meta_rule_template["subject_categories"] = [] + _meta_rule_template["subject_categories"].extend(scat) + _meta_rule_template["object_categories"] = [] + _meta_rule_template["object_categories"].extend(ocat) + _meta_rule_template["action_categories"] = [] + _meta_rule_template["action_categories"].extend(acat) + req = requests.post(URL.format("/meta_rules"), json=_meta_rule_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "meta_rules" in result + meta_rule_id = list(result['meta_rules'].keys())[0] + if "result" in result: + assert result["result"] + assert "name" in result['meta_rules'][meta_rule_id] + assert _meta_rule_template["name"] == result['meta_rules'][meta_rule_id]["name"] + return meta_rule_id + + +def check_meta_rule(meta_rule_id, scat_id=None, ocat_id=None, acat_id=None): + req = requests.get(URL.format("/meta_rules")) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "meta_rules" in result + if "result" in result: + assert result["result"] + if not meta_rule_id: + return result + assert meta_rule_id in result['meta_rules'] + assert "name" in result['meta_rules'][meta_rule_id] + if scat_id: + assert scat_id in result['meta_rules'][meta_rule_id]["subject_categories"] + if ocat_id: + assert ocat_id in result['meta_rules'][meta_rule_id]["object_categories"] + if acat_id: + assert acat_id in result['meta_rules'][meta_rule_id]["action_categories"] + + +def delete_meta_rule(meta_rule_id): + req = requests.delete(URL.format("/meta_rules/{}".format(meta_rule_id))) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + if "result" in result: + assert result["result"] + + +def add_meta_rule_to_model(model_id, meta_rule_id): + model = check_model(model_id, check_model_name=False)['models'] + meta_rule_list = model[model_id]["meta_rules"] + if meta_rule_id not in meta_rule_list: + meta_rule_list.append(meta_rule_id) + req = requests.patch(URL.format("/models/{}".format(model_id)), + json={"meta_rules": meta_rule_list}, + headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + model_id = list(result['models'].keys())[0] + if "result" in result: + assert result["result"] + assert "meta_rules" in result['models'][model_id] + assert meta_rule_list == result['models'][model_id]["meta_rules"] diff --git a/templates/moon_forming/utils/pdp.py b/templates/moon_forming/utils/pdp.py new file mode 100644 index 00000000..f3c6df37 --- /dev/null +++ b/templates/moon_forming/utils/pdp.py @@ -0,0 +1,163 @@ +import logging +import requests +import utils.config + +config = utils.config.get_config_data() +logger = logging.getLogger("moonforming.utils.policies") + +URL = "http://{}:{}".format( + config['components']['manager']['hostname'], + config['components']['manager']['port']) +HEADERS = {"content-type": "application/json"} +KEYSTONE_USER = config['openstack']['keystone']['user'] +KEYSTONE_PASSWORD = config['openstack']['keystone']['password'] +KEYSTONE_PROJECT = config['openstack']['keystone']['project'] +KEYSTONE_SERVER = config['openstack']['keystone']['url'] + +pdp_template = { + "name": "test_pdp", + "security_pipeline": [], + "keystone_project_id": None, + "description": "test", +} + + +def get_keystone_projects(): + + HEADERS = { + "Content-Type": "application/json" + } + + data_auth = { + "auth": { + "identity": { + "methods": [ + "password" + ], + "password": { + "user": { + "name": KEYSTONE_USER, + "domain": { + "name": "Default" + }, + "password": KEYSTONE_PASSWORD + } + } + } + } + } + + req = requests.post("{}/auth/tokens".format(KEYSTONE_SERVER), json=data_auth, headers=HEADERS) + logger.debug("{}/auth/tokens".format(KEYSTONE_SERVER)) + logger.debug(req.text) + assert req.status_code in (200, 201) + TOKEN = req.headers['X-Subject-Token'] + HEADERS['X-Auth-Token'] = TOKEN + req = requests.get("{}/projects".format(KEYSTONE_SERVER), headers=HEADERS) + if req.status_code not in (200, 201): + data_auth["auth"]["scope"] = { + "project": { + "name": KEYSTONE_PROJECT, + "domain": { + "id": "default" + } + } + } + req = requests.post("{}/auth/tokens".format(KEYSTONE_SERVER), json=data_auth, headers=HEADERS) + assert req.status_code in (200, 201) + TOKEN = req.headers['X-Subject-Token'] + HEADERS['X-Auth-Token'] = TOKEN + req = requests.get("{}/projects".format(KEYSTONE_SERVER), headers=HEADERS) + assert req.status_code in (200, 201) + return req.json() + + +def check_pdp(pdp_id=None, keystone_project_id=None, moon_url=None): + _URL = URL + if moon_url: + _URL = moon_url + req = requests.get(_URL + "/pdp") + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "pdps" in result + if pdp_id: + assert result["pdps"] + assert pdp_id in result['pdps'] + assert "name" in result['pdps'][pdp_id] + assert pdp_template["name"] == result['pdps'][pdp_id]["name"] + if keystone_project_id: + assert result["pdps"] + assert pdp_id in result['pdps'] + assert "keystone_project_id" in result['pdps'][pdp_id] + assert keystone_project_id == result['pdps'][pdp_id]["keystone_project_id"] + return result + + +def add_pdp(name="test_pdp", policy_id=None): + pdp_template['name'] = name + if policy_id: + pdp_template['security_pipeline'].append(policy_id) + req = requests.post(URL + "/pdp", json=pdp_template, headers=HEADERS) + logger.debug(req.status_code) + logger.debug(req) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + pdp_id = list(result['pdps'].keys())[0] + if "result" in result: + assert result["result"] + assert "name" in result['pdps'][pdp_id] + assert pdp_template["name"] == result['pdps'][pdp_id]["name"] + return pdp_id + + +def update_pdp(pdp_id, policy_id=None): + req = requests.get(URL + "/pdp/{}".format(pdp_id)) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "pdps" in result + assert pdp_id in result['pdps'] + pipeline = result['pdps'][pdp_id]["security_pipeline"] + if policy_id not in pipeline: + pipeline.append(policy_id) + req = requests.patch(URL + "/pdp/{}".format(pdp_id), + json={"security_pipeline": pipeline}) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "pdps" in result + assert pdp_id in result['pdps'] + + req = requests.get(URL + "/pdp/{}".format(pdp_id)) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "pdps" in result + assert pdp_id in result['pdps'] + assert policy_id in pipeline + + +def map_to_keystone(pdp_id, keystone_project_id): + req = requests.patch(URL + "/pdp/{}".format(pdp_id), json={"keystone_project_id": keystone_project_id}, + headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + if "result" in result: + assert result["result"] + assert pdp_id in result['pdps'] + assert "name" in result['pdps'][pdp_id] + assert pdp_template["name"] == result['pdps'][pdp_id]["name"] + return pdp_id + + +def delete_pdp(pdp_id): + req = requests.delete(URL + "/pdp/{}".format(pdp_id)) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "result" in result + assert result["result"] + diff --git a/templates/moon_forming/utils/policies.py b/templates/moon_forming/utils/policies.py new file mode 100644 index 00000000..bd08291a --- /dev/null +++ b/templates/moon_forming/utils/policies.py @@ -0,0 +1,635 @@ +import logging +import requests +import utils.config + +config = utils.config.get_config_data() +logger = logging.getLogger("moonforming.utils.policies") + +URL = "http://{}:{}".format(config['components']['manager']['hostname'], config['components']['manager']['port']) +URL = URL + "{}" +HEADERS = {"content-type": "application/json"} +FILE = open("/tmp/test.log", "w") + +policy_template = { + "name": "test_policy", + "model_id": "", + "genre": "authz", + "description": "test", +} + +subject_template = { + "name": "test_subject", + "description": "test", + "email": "mail", + "password": "my_pass", +} + +object_template = { + "name": "test_subject", + "description": "test" +} + +action_template = { + "name": "test_subject", + "description": "test" +} + +subject_data_template = { + "name": "subject_data1", + "description": "description of the data subject" +} + +object_data_template = { + "name": "object_data1", + "description": "description of the data subject" +} + +action_data_template = { + "name": "action_data1", + "description": "description of the data subject" +} + +subject_assignment_template = { + "id": "", + "category_id": "", + "scope_id": "" +} + + +def check_policy(policy_id=None): + req = requests.get(URL.format("/policies")) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "policies" in result + if policy_id: + assert result["policies"] + assert policy_id in result['policies'] + assert "name" in result['policies'][policy_id] + assert policy_template["name"] == result['policies'][policy_id]["name"] + return result + + +def add_policy(name="test_policy", genre="authz"): + policy_template["name"] = name + policy_template["genre"] = genre + req = requests.post(URL.format("/policies"), json=policy_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + policy_id = list(result['policies'].keys())[0] + if "result" in result: + assert result["result"] + assert "name" in result['policies'][policy_id] + assert policy_template["name"] == result['policies'][policy_id]["name"] + return policy_id + + +def update_policy(policy_id, model_id): + req = requests.patch(URL.format("/policies/{}".format(policy_id)), + json={"model_id": model_id}, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + policy_id = list(result['policies'].keys())[0] + if "result" in result: + assert result["result"] + assert "model_id" in result['policies'][policy_id] + assert model_id == result['policies'][policy_id]["model_id"] + + +def delete_policy(policy_id): + req = requests.delete(URL.format("/policies/{}".format(policy_id))) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "result" in result + assert result["result"] + + +def add_subject(policy_id=None, name="test_subject"): + subject_template['name'] = name + if policy_id: + logger.debug(URL.format("/policies/{}/subjects".format(policy_id))) + req = requests.post(URL.format("/policies/{}/subjects".format(policy_id)), + json=subject_template, headers=HEADERS) + else: + logger.debug(URL.format("/subjects")) + req = requests.post(URL.format("/subjects"), json=subject_template, headers=HEADERS) + logger.debug(req.text) + assert req.status_code == 200 + result = req.json() + assert "subjects" in result + subject_id = list(result['subjects'].keys())[0] + return subject_id + + +def update_subject(subject_id, policy_id=None, description=None): + if policy_id and not description: + req = requests.patch(URL.format("/policies/{}/subjects/{}".format(policy_id, subject_id)), + json={}) + elif policy_id and description: + req = requests.patch(URL.format("/policies/{}/subjects/{}".format(policy_id, subject_id)), + json={"description": description}) + else: + req = requests.patch(URL.format("/subjects/{}".format(subject_id)), + json={"description": description}) + assert req.status_code == 200 + result = req.json() + assert "subjects" in result + assert "name" in result["subjects"][subject_id] + assert subject_template["name"] == result["subjects"][subject_id]["name"] + assert "policy_list" in result["subjects"][subject_id] + if policy_id: + assert policy_id in result["subjects"][subject_id]["policy_list"] + if description: + assert description in result["subjects"][subject_id]["description"] + + +def check_subject(subject_id=None, policy_id=None): + if policy_id: + req = requests.get(URL.format("/policies/{}/subjects".format(policy_id))) + else: + req = requests.get(URL.format("/subjects")) + assert req.status_code == 200 + result = req.json() + assert "subjects" in result + assert "name" in result["subjects"][subject_id] + assert subject_template["name"] == result["subjects"][subject_id]["name"] + if policy_id: + assert "policy_list" in result["subjects"][subject_id] + assert policy_id in result["subjects"][subject_id]["policy_list"] + + +def delete_subject(subject_id, policy_id=None): + if policy_id: + req = requests.delete(URL.format("/policies/{}/subjects/{}".format(policy_id, subject_id))) + else: + req = requests.delete(URL.format("/subjects/{}".format(subject_id))) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "result" in result + assert result["result"] + + if policy_id: + req = requests.get(URL.format("/policies/{}/subjects".format(policy_id))) + else: + req = requests.get(URL.format("/subjects")) + assert req.status_code == 200 + result = req.json() + assert "subjects" in result + if subject_id in result["subjects"]: + assert "name" in result["subjects"][subject_id] + assert subject_template["name"] == result["subjects"][subject_id]["name"] + if policy_id: + assert "policy_list" in result["subjects"][subject_id] + assert policy_id not in result["subjects"][subject_id]["policy_list"] + + +def add_object(policy_id=None, name="test_object"): + object_template['name'] = name + if policy_id: + req = requests.post(URL.format("/policies/{}/objects".format(policy_id)), + json=object_template, headers=HEADERS) + else: + req = requests.post(URL.format("/objects"), json=object_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert "objects" in result + object_id = list(result['objects'].keys())[0] + return object_id + + +def update_object(object_id, policy_id): + req = requests.patch(URL.format("/policies/{}/objects/{}".format(policy_id, object_id)), json={}) + assert req.status_code == 200 + result = req.json() + assert "objects" in result + assert "name" in result["objects"][object_id] + assert object_template["name"] == result["objects"][object_id]["name"] + assert "policy_list" in result["objects"][object_id] + assert policy_id in result["objects"][object_id]["policy_list"] + + +def check_object(object_id=None, policy_id=None): + if policy_id: + req = requests.get(URL.format("/policies/{}/objects".format(policy_id))) + else: + req = requests.get(URL.format("/objects")) + assert req.status_code == 200 + result = req.json() + assert "objects" in result + assert "name" in result["objects"][object_id] + assert object_template["name"] == result["objects"][object_id]["name"] + if policy_id: + assert "policy_list" in result["objects"][object_id] + assert policy_id in result["objects"][object_id]["policy_list"] + + +def delete_object(object_id, policy_id=None): + if policy_id: + req = requests.delete(URL.format("/policies/{}/objects/{}".format(policy_id, object_id))) + else: + req = requests.delete(URL.format("/objects/{}".format(object_id))) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "result" in result + assert result["result"] + + if policy_id: + req = requests.get(URL.format("/policies/{}/objects".format(policy_id))) + else: + req = requests.get(URL.format("/objects")) + assert req.status_code == 200 + result = req.json() + assert "objects" in result + if object_id in result["objects"]: + assert "name" in result["objects"][object_id] + assert object_template["name"] == result["objects"][object_id]["name"] + if policy_id: + assert "policy_list" in result["objects"][object_id] + assert policy_id not in result["objects"][object_id]["policy_list"] + + +def add_action(policy_id=None, name="test_action"): + action_template['name'] = name + if policy_id: + req = requests.post(URL.format("/policies/{}/actions".format(policy_id)), + json=action_template, headers=HEADERS) + else: + req = requests.post(URL.format("/actions"), json=action_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert "actions" in result + action_id = list(result['actions'].keys())[0] + return action_id + + +def update_action(action_id, policy_id): + req = requests.patch(URL.format("/policies/{}/actions/{}".format(policy_id, action_id)), json={}) + assert req.status_code == 200 + result = req.json() + assert "actions" in result + assert "name" in result["actions"][action_id] + assert action_template["name"] == result["actions"][action_id]["name"] + assert "policy_list" in result["actions"][action_id] + assert policy_id in result["actions"][action_id]["policy_list"] + + +def check_action(action_id=None, policy_id=None): + if policy_id: + req = requests.get(URL.format("/policies/{}/actions".format(policy_id))) + else: + req = requests.get(URL.format("/actions")) + assert req.status_code == 200 + result = req.json() + assert "actions" in result + assert "name" in result["actions"][action_id] + assert action_template["name"] == result["actions"][action_id]["name"] + if policy_id: + assert "policy_list" in result["actions"][action_id] + assert policy_id in result["actions"][action_id]["policy_list"] + + +def delete_action(action_id, policy_id=None): + if policy_id: + req = requests.delete(URL.format("/policies/{}/actions/{}".format(policy_id, action_id))) + else: + req = requests.delete(URL.format("/actions/{}".format(action_id))) + assert req.status_code == 200 + result = req.json() + assert type(result) is dict + assert "result" in result + assert result["result"] + + if policy_id: + req = requests.get(URL.format("/policies/{}/actions".format(policy_id))) + else: + req = requests.get(URL.format("/actions")) + assert req.status_code == 200 + result = req.json() + assert "actions" in result + if action_id in result["actions"]: + assert "name" in result["actions"][action_id] + assert action_template["name"] == result["actions"][action_id]["name"] + if policy_id: + assert "policy_list" in result["actions"][action_id] + assert policy_id not in result["actions"][action_id]["policy_list"] + + +def add_subject_data(policy_id, category_id, name="subject_data1"): + subject_data_template['name'] = name + req = requests.post(URL.format("/policies/{}/subject_data/{}".format(policy_id, category_id)), + json=subject_data_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert "subject_data" in result + subject_id = list(result['subject_data']['data'].keys())[0] + return subject_id + + +def check_subject_data(policy_id, data_id, category_id): + req = requests.get(URL.format("/policies/{}/subject_data/{}".format(policy_id, category_id))) + assert req.status_code == 200 + result = req.json() + assert "subject_data" in result + for _data in result['subject_data']: + assert data_id in list(_data['data'].keys()) + assert category_id == _data["category_id"] + + +def delete_subject_data(policy_id, category_id, data_id): + req = requests.delete(URL.format("/policies/{}/subject_data/{}/{}".format(policy_id, category_id, data_id)), + headers=HEADERS) + assert req.status_code == 200 + req = requests.get(URL.format("/policies/{}/subject_data/{}".format(policy_id, category_id))) + assert req.status_code == 200 + result = req.json() + assert "subject_data" in result + for _data in result['subject_data']: + assert data_id not in list(_data['data'].keys()) + assert category_id == _data["category_id"] + + +def add_object_data(policy_id, category_id, name="object_data1"): + object_data_template['name'] = name + req = requests.post(URL.format("/policies/{}/object_data/{}".format(policy_id, category_id)), + json=object_data_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert "object_data" in result + object_id = list(result['object_data']['data'].keys())[0] + return object_id + + +def check_object_data(policy_id, data_id, category_id): + req = requests.get(URL.format("/policies/{}/object_data/{}".format(policy_id, category_id))) + assert req.status_code == 200 + result = req.json() + assert "object_data" in result + for _data in result['object_data']: + assert data_id in list(_data['data'].keys()) + assert category_id == _data["category_id"] + + +def delete_object_data(policy_id, category_id, data_id): + req = requests.delete(URL.format("/policies/{}/object_data/{}/{}".format(policy_id, category_id, data_id)), + headers=HEADERS) + assert req.status_code == 200 + req = requests.get(URL.format("/policies/{}/object_data/{}".format(policy_id, category_id))) + assert req.status_code == 200 + result = req.json() + assert "object_data" in result + for _data in result['object_data']: + assert data_id not in list(_data['data'].keys()) + assert category_id == _data["category_id"] + + +def add_action_data(policy_id, category_id, name="action_data1"): + action_data_template['name'] = name + req = requests.post(URL.format("/policies/{}/action_data/{}".format(policy_id, category_id)), + json=action_data_template, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert "action_data" in result + action_id = list(result['action_data']['data'].keys())[0] + return action_id + + +def check_action_data(policy_id, data_id, category_id): + req = requests.get(URL.format("/policies/{}/action_data/{}".format(policy_id, category_id))) + assert req.status_code == 200 + result = req.json() + assert "action_data" in result + for _data in result['action_data']: + assert data_id in list(_data['data'].keys()) + assert category_id == _data["category_id"] + + +def delete_action_data(policy_id, category_id, data_id): + req = requests.delete(URL.format("/policies/{}/action_data/{}/{}".format(policy_id, category_id, data_id)), + headers=HEADERS) + assert req.status_code == 200 + req = requests.get(URL.format("/policies/{}/action_data/{}".format(policy_id, category_id))) + assert req.status_code == 200 + result = req.json() + assert "action_data" in result + for _data in result['action_data']: + assert data_id not in list(_data['data'].keys()) + assert category_id == _data["category_id"] + + +def add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id): + req = requests.post(URL.format("/policies/{}/subject_assignments".format(policy_id)), + json={ + "id": subject_id, + "category_id": subject_cat_id, + "data_id": subject_data_id + }, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert "subject_assignments" in result + assert result["subject_assignments"] + + +def check_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id): + req = requests.get(URL.format("/policies/{}/subject_assignments/{}/{}/{}".format( + policy_id, subject_id, subject_cat_id, subject_data_id))) + assert req.status_code == 200 + result = req.json() + assert "subject_assignments" in result + assert result["subject_assignments"] + for key in result["subject_assignments"]: + assert "subject_id" in result["subject_assignments"][key] + assert "category_id" in result["subject_assignments"][key] + assert "assignments" in result["subject_assignments"][key] + if result["subject_assignments"][key]['subject_id'] == subject_id and \ + result["subject_assignments"][key]["category_id"] == subject_cat_id: + assert subject_data_id in result["subject_assignments"][key]["assignments"] + + +def check_object_assignments(policy_id, object_id, object_cat_id, object_data_id): + req = requests.get(URL.format("/policies/{}/object_assignments/{}/{}/{}".format( + policy_id, object_id, object_cat_id, object_data_id))) + assert req.status_code == 200 + result = req.json() + assert "object_assignments" in result + assert result["object_assignments"] + for key in result["object_assignments"]: + assert "object_id" in result["object_assignments"][key] + assert "category_id" in result["object_assignments"][key] + assert "assignments" in result["object_assignments"][key] + if result["object_assignments"][key]['object_id'] == object_id and \ + result["object_assignments"][key]["category_id"] == object_cat_id: + assert object_data_id in result["object_assignments"][key]["assignments"] + + +def check_action_assignments(policy_id, action_id, action_cat_id, action_data_id): + req = requests.get(URL.format("/policies/{}/action_assignments/{}/{}/{}".format( + policy_id, action_id, action_cat_id, action_data_id))) + assert req.status_code == 200 + result = req.json() + assert "action_assignments" in result + assert result["action_assignments"] + for key in result["action_assignments"]: + assert "action_id" in result["action_assignments"][key] + assert "category_id" in result["action_assignments"][key] + assert "assignments" in result["action_assignments"][key] + if result["action_assignments"][key]['action_id'] == action_id and \ + result["action_assignments"][key]["category_id"] == action_cat_id: + assert action_data_id in result["action_assignments"][key]["assignments"] + + +def add_object_assignments(policy_id, object_id, object_cat_id, object_data_id): + req = requests.post(URL.format("/policies/{}/object_assignments".format(policy_id)), + json={ + "id": object_id, + "category_id": object_cat_id, + "data_id": object_data_id + }, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert "object_assignments" in result + assert result["object_assignments"] + + +def add_action_assignments(policy_id, action_id, action_cat_id, action_data_id): + req = requests.post(URL.format("/policies/{}/action_assignments".format(policy_id)), + json={ + "id": action_id, + "category_id": action_cat_id, + "data_id": action_data_id + }, headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert "action_assignments" in result + assert result["action_assignments"] + + +def delete_subject_assignment(policy_id, subject_id, subject_cat_id, subject_data_id): + req = requests.delete(URL.format("/policies/{}/subject_assignments/{}/{}/{}".format( + policy_id, subject_id, subject_cat_id, subject_data_id))) + assert req.status_code == 200 + result = req.json() + assert "result" in result + assert result["result"] + + req = requests.get(URL.format("/policies/{}/subject_assignments/{}/{}/{}".format( + policy_id, subject_id, subject_cat_id, subject_data_id))) + assert req.status_code == 200 + result = req.json() + assert "subject_assignments" in result + assert result["subject_assignments"] + for key in result["subject_assignments"]: + assert "subject_id" in result["subject_assignments"][key] + assert "category_id" in result["subject_assignments"][key] + assert "assignments" in result["subject_assignments"][key] + if result["subject_assignments"][key]['subject_id'] == subject_id and \ + result["subject_assignments"][key]["category_id"] == subject_cat_id: + assert subject_data_id not in result["subject_assignments"][key]["assignments"] + + +def delete_object_assignment(policy_id, object_id, object_cat_id, object_data_id): + req = requests.delete(URL.format("/policies/{}/object_assignments/{}/{}/{}".format( + policy_id, object_id, object_cat_id, object_data_id))) + assert req.status_code == 200 + result = req.json() + assert "result" in result + assert result["result"] + + req = requests.get(URL.format("/policies/{}/object_assignments/{}/{}/{}".format( + policy_id, object_id, object_cat_id, object_data_id))) + assert req.status_code == 200 + result = req.json() + assert "object_assignments" in result + assert result["object_assignments"] + for key in result["object_assignments"]: + assert "object_id" in result["object_assignments"][key] + assert "category_id" in result["object_assignments"][key] + assert "assignments" in result["object_assignments"][key] + if result["object_assignments"][key]['object_id'] == object_id and \ + result["object_assignments"][key]["category_id"] == object_cat_id: + assert object_data_id not in result["object_assignments"][key]["assignments"] + + +def delete_action_assignment(policy_id, action_id, action_cat_id, action_data_id): + req = requests.delete(URL.format("/policies/{}/action_assignments/{}/{}/{}".format( + policy_id, action_id, action_cat_id, action_data_id))) + assert req.status_code == 200 + result = req.json() + assert "result" in result + assert result["result"] + + req = requests.get(URL.format("/policies/{}/action_assignments/{}/{}/{}".format( + policy_id, action_id, action_cat_id, action_data_id))) + assert req.status_code == 200 + result = req.json() + assert "action_assignments" in result + assert result["action_assignments"] + for key in result["action_assignments"]: + assert "action_id" in result["action_assignments"][key] + assert "category_id" in result["action_assignments"][key] + assert "assignments" in result["action_assignments"][key] + if result["action_assignments"][key]['action_id'] == action_id and \ + result["action_assignments"][key]["category_id"] == action_cat_id: + assert action_data_id not in result["action_assignments"][key]["assignments"] + + +def add_rule(policy_id, meta_rule_id, rule, instructions={"chain": [{"security_pipeline": "rbac"}]}): + req = requests.post(URL.format("/policies/{}/rules".format(policy_id)), + json={ + "meta_rule_id": meta_rule_id, + "rule": rule, + "instructions": instructions, + "enabled": True + }, + headers=HEADERS) + assert req.status_code == 200 + result = req.json() + assert "rules" in result + try: + rule_id = list(result["rules"].keys())[0] + except Exception as e: + return False + assert "policy_id" in result["rules"][rule_id] + assert policy_id == result["rules"][rule_id]["policy_id"] + assert "meta_rule_id" in result["rules"][rule_id] + assert meta_rule_id == result["rules"][rule_id]["meta_rule_id"] + assert rule == result["rules"][rule_id]["rule"] + return rule_id + + +def check_rule(policy_id, meta_rule_id, rule_id, rule): + req = requests.get(URL.format("/policies/{}/rules".format(policy_id))) + assert req.status_code == 200 + result = req.json() + assert "rules" in result + assert "policy_id" in result["rules"] + assert policy_id == result["rules"]["policy_id"] + for item in result["rules"]["rules"]: + assert "meta_rule_id" in item + if meta_rule_id == item["meta_rule_id"]: + if rule_id == item["id"]: + assert rule == item["rule"] + + +def delete_rule(policy_id, rule_id): + req = requests.delete(URL.format("/policies/{}/rules/{}".format(policy_id, rule_id))) + assert req.status_code == 200 + result = req.json() + assert "result" in result + assert result["result"] + + req = requests.get(URL.format("/policies/{}/rules".format(policy_id))) + assert req.status_code == 200 + result = req.json() + assert "rules" in result + assert "policy_id" in result["rules"] + assert policy_id == result["rules"]["policy_id"] + found_rule = False + for item in result["rules"]["rules"]: + if rule_id == item["id"]: + found_rule = True + assert not found_rule diff --git a/templates/moon_pythonunittest/Dockerfile b/templates/moon_pythonunittest/Dockerfile new file mode 100644 index 00000000..b8fb5151 --- /dev/null +++ b/templates/moon_pythonunittest/Dockerfile @@ -0,0 +1,8 @@ +FROM python:3 + +RUN pip install pytest requests_mock requests --upgrade +ADD requirements.txt /root +RUN pip install -r /root/requirements.txt --upgrade + +ADD run_tests.sh /root +CMD ["sh", "/root/run_tests.sh"] \ No newline at end of file diff --git a/templates/moon_pythonunittest/README.md b/templates/moon_pythonunittest/README.md new file mode 100644 index 00000000..45d3a988 --- /dev/null +++ b/templates/moon_pythonunittest/README.md @@ -0,0 +1,8 @@ +# Python Unit Test Docker + +## Build +- `docker image build -t wukongsun/moon_python_unit_test .` + +## Push to DockerHub +- `docker login --username=wukongsun` +- `docker image push wukongsun/moon_python_unit_test` \ No newline at end of file diff --git a/templates/moon_pythonunittest/requirements.txt b/templates/moon_pythonunittest/requirements.txt new file mode 100644 index 00000000..b611b008 --- /dev/null +++ b/templates/moon_pythonunittest/requirements.txt @@ -0,0 +1,10 @@ +kombu !=4.0.1,!=4.0.0 +oslo.messaging +oslo.config +oslo.log +vine +werkzeug +flask +requests +pytest +requests_mock \ No newline at end of file diff --git a/templates/moon_pythonunittest/run_tests.sh b/templates/moon_pythonunittest/run_tests.sh new file mode 100644 index 00000000..6c586f87 --- /dev/null +++ b/templates/moon_pythonunittest/run_tests.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +cd /data +pip3 install -r tests/unit_python/requirements.txt --upgrade +pip3 install . + +if [ -f /data/tests/unit_python/run_tests.sh ]; +then + bash /data/tests/unit_python/run_tests.sh; +fi + +cd /data/tests/unit_python +pytest . diff --git a/templates/moonforming/Dockerfile b/templates/moonforming/Dockerfile deleted file mode 100644 index fe48eee0..00000000 --- a/templates/moonforming/Dockerfile +++ /dev/null @@ -1,10 +0,0 @@ -FROM python:3 -WORKDIR /usr/src/app -RUN pip install --no-cache-dir --upgrade requests pyyaml python_moonutilities python_moondb - -ENV POPULATE_ARGS "-v" - -ADD . /root -WORKDIR /root - -CMD sh /root/run.sh ${POPULATE_ARGS} \ No newline at end of file diff --git a/templates/moonforming/README.md b/templates/moonforming/README.md deleted file mode 100644 index f6327693..00000000 --- a/templates/moonforming/README.md +++ /dev/null @@ -1,12 +0,0 @@ -Introduction -============ - -moonforming is a container used to automatize the configuration of the Moon patform - -Usage -===== - -```bash -docker run asteroide/moonforming:v1.1 -``` - diff --git a/templates/moonforming/conf/mls.py b/templates/moonforming/conf/mls.py deleted file mode 100644 index 0e6285c9..00000000 --- a/templates/moonforming/conf/mls.py +++ /dev/null @@ -1,59 +0,0 @@ - -pdp_name = "pdp_mls" -policy_name = "MLS Policy example" -model_name = "MLS" -policy_genre = "authz" - -subjects = {"adminuser": "", "user1": "", "user2": "", } -objects = {"vm0": "", "vm1": "", } -actions = {"start": "", "stop": ""} - -subject_categories = {"subject-security-level": "", } -object_categories = {"object-security-level": "", } -action_categories = {"action-type": "", } - -subject_data = { - "subject-security-level": {"low": "", "medium": "", "high": ""}, -} -object_data = { - "object-security-level": {"low": "", "medium": "", "high": ""}, -} -action_data = {"action-type": {"vm-action": "", "storage-action": "", }} - -subject_assignments = { - "adminuser": {"subject-security-level": "high"}, - "user1": {"subject-security-level": "medium"}, -} -object_assignments = { - "vm0": {"object-security-level": "medium"}, - "vm1": {"object-security-level": "low"}, -} -action_assignments = { - "start": {"action-type": "vm-action"}, - "stop": {"action-type": "vm-action"} -} - -meta_rule = { - "mls": { - "id": "", - "value": ("subject-security-level", - "object-security-level", - "action-type")}, -} - -rules = { - "mls": ( - { - "rule": ("high", "medium", "vm-action"), - "instructions": ({"decision": "grant"}) - }, - { - "rule": ("high", "low", "vm-action"), - "instructions": ({"decision": "grant"}) - }, - { - "rule": ("medium", "low", "vm-action"), - "instructions": ({"decision": "grant"}) - }, - ) -} diff --git a/templates/moonforming/conf/rbac.py b/templates/moonforming/conf/rbac.py deleted file mode 100644 index 25c010fd..00000000 --- a/templates/moonforming/conf/rbac.py +++ /dev/null @@ -1,61 +0,0 @@ - -pdp_name = "pdp_rbac" -policy_name = "RBAC policy example" -model_name = "RBAC" -policy_genre = "authz" - -subjects = {"adminuser": "", "user1": "", } -objects = {"vm0": "", "vm1": "", } -actions = {"start": "", "stop": ""} - -subject_categories = {"role": "", } -object_categories = {"id": "", } -action_categories = {"action-type": "", } - -subject_data = {"role": {"admin": "", "employee": "", "*": ""}} -object_data = {"id": {"vm0": "", "vm1": "", "*": ""}} -action_data = {"action-type": {"vm-action": "", "*": ""}} - -subject_assignments = { - "adminuser": - ({"role": "admin"}, {"role": "employee"}, {"role": "*"}), - "user1": - ({"role": "employee"}, {"role": "*"}), -} -object_assignments = { - "vm0": - ({"id": "vm0"}, {"id": "*"}), - "vm1": - ({"id": "vm1"}, {"id": "*"}) -} -action_assignments = { - "start": - ({"action-type": "vm-action"}, {"action-type": "*"}), - "stop": - ({"action-type": "vm-action"}, {"action-type": "*"}) -} - -meta_rule = { - "rbac": {"id": "", "value": ("role", "id", "action-type")}, -} - -rules = { - "rbac": ( - { - "rule": ("admin", "vm0", "vm-action"), - "instructions": ( - {"decision": "grant"}, - # "grant" to immediately exit, - # "continue" to wait for the result of next policy - ) - }, - { - "rule": ("employee", "vm1", "vm-action"), - "instructions": ( - {"decision": "grant"}, - ) - }, - ) -} - - diff --git a/templates/moonforming/conf2consul.py b/templates/moonforming/conf2consul.py deleted file mode 100644 index 46c99d5c..00000000 --- a/templates/moonforming/conf2consul.py +++ /dev/null @@ -1,103 +0,0 @@ -import os -import sys -import requests -import yaml -import logging -import json -import base64 - -logging.basicConfig(level=logging.INFO) -log = logging.getLogger("moon.conf2consul") -requests_log = logging.getLogger("requests.packages.urllib3") -requests_log.setLevel(logging.WARNING) -requests_log.propagate = True - -if len(sys.argv) == 2: - if os.path.isfile(sys.argv[1]): - CONF_FILENAME = sys.argv[1] - CONSUL_HOST = "consul" - else: - CONF_FILENAME = "moon.conf" - CONSUL_HOST = sys.argv[1] - CONSUL_PORT = 8500 -else: - CONSUL_HOST = sys.argv[1] if len(sys.argv) > 1 else "consul" - CONSUL_PORT = sys.argv[2] if len(sys.argv) > 2 else 8500 - CONF_FILENAME = sys.argv[3] if len(sys.argv) > 3 else "moon.conf" -HEADERS = {"content-type": "application/json"} - - -def search_config_file(): - data_config = None - for _file in ( - CONF_FILENAME, - "conf/moon.conf", - "../moon.conf", - "../conf/moon.conf", - "/etc/moon/moon.conf", - ): - try: - data_config = yaml.safe_load(open(_file)) - except FileNotFoundError: - data_config = None - continue - else: - break - if not data_config: - raise Exception("Configuration file not found...") - return data_config - - -def put(key, value): - url = "http://{host}:{port}/v1/kv/{key}".format(host=CONSUL_HOST, port=CONSUL_PORT, key=key) - log.info(url) - req = requests.put( - url, - headers=HEADERS, - json=value - ) - if req.status_code != 200: - raise Exception("Error connecting to Consul ({}, {})".format(req.status_code, req.text)) - - -def get(key): - url = "http://{host}:{port}/v1/kv/{key}".format(host=CONSUL_HOST, port=CONSUL_PORT, key=key) - req = requests.get(url) - data = req.json() - for item in data: - log.info("{} {} -> {}".format( - req.status_code, - item["Key"], - json.loads(base64.b64decode(item["Value"]).decode("utf-8")) - )) - yield json.loads(base64.b64decode(item["Value"]).decode("utf-8")) - - -def main(): - data_config = search_config_file() - req = requests.head("http://{}:{}/ui/".format(CONSUL_HOST, CONSUL_PORT)) - if req.status_code != 200: - log.critical("Consul is down...") - log.critical("request info: {}/{}".format(req, req.text)) - sys.exit(1) - - put("database", data_config["database"]) - # put("messenger", data_config["messenger"]) - # put("slave", data_config["slave"]) - # put("docker", data_config["docker"]) - put("logging", data_config["logging"]) - put("components_port_start", data_config["components"]["port_start"]) - - for _key, _value in data_config["components"].items(): - if type(_value) is dict: - put("components/{}".format(_key), data_config["components"][_key]) - - for _key, _value in data_config["plugins"].items(): - put("plugins/{}".format(_key), data_config["plugins"][_key]) - - for _key, _value in data_config["openstack"].items(): - put("openstack/{}".format(_key), data_config["openstack"][_key]) - - -main() - diff --git a/templates/moonforming/moon.conf b/templates/moonforming/moon.conf deleted file mode 100644 index dc498e34..00000000 --- a/templates/moonforming/moon.conf +++ /dev/null @@ -1,79 +0,0 @@ -database: - url: mysql+pymysql://moon:p4sswOrd1@db/moon - driver: sql - -openstack: - keystone: - url: http://keystone:5000/v3 - user: admin - password: p4ssw0rd - domain: default - project: admin - check_token: false - certificate: false - -plugins: - authz: - container: wukongsun/moon_authz:v4.3 - port: 8081 - session: - container: asteroide/session:latest - port: 8082 - -components: - interface: - port: 8080 - bind: 0.0.0.0 - hostname: interface - container: wukongsun/moon_interface:v4.3 - orchestrator: - port: 8083 - bind: 0.0.0.0 - hostname: orchestrator - container: wukongsun/moon_orchestrator:v4.3 - wrapper: - port: 8080 - bind: 0.0.0.0 - hostname: wrapper - container: wukongsun/moon_wrapper:v4.3.1 - timeout: 5 - manager: - port: 8082 - bind: 0.0.0.0 - hostname: manager - container: wukongsun/moon_manager:v4.3.1 - port_start: 31001 - -logging: - version: 1 - - formatters: - brief: - format: "%(levelname)s %(name)s %(message)-30s" - custom: - format: "%(asctime)-15s %(levelname)s %(name)s %(message)s" - - handlers: - console: - class : logging.StreamHandler - formatter: brief - level : INFO - stream : ext://sys.stdout - file: - class : logging.handlers.RotatingFileHandler - formatter: custom - level : DEBUG - filename: /tmp/moon.log - maxBytes: 1048576 - backupCount: 3 - - loggers: - moon: - level: DEBUG - handlers: [console, file] - propagate: no - - root: - level: ERROR - handlers: [console] - diff --git a/templates/moonforming/populate_default_values.py b/templates/moonforming/populate_default_values.py deleted file mode 100644 index fa099458..00000000 --- a/templates/moonforming/populate_default_values.py +++ /dev/null @@ -1,235 +0,0 @@ -import argparse -import logging -from importlib.machinery import SourceFileLoader -from utils.pdp import * -from utils.models import * -from utils.policies import * - -parser = argparse.ArgumentParser() -parser.add_argument('filename', help='scenario filename', nargs=1) -parser.add_argument("--verbose", "-v", action='store_true', - help="verbose mode") -parser.add_argument("--debug", "-d", action='store_true', help="debug mode") -parser.add_argument("--keystone-pid", "-k", dest="keystone_pid", default="", - help="Force a particular Keystone Project ID") -args = parser.parse_args() - -FORMAT = '%(asctime)-15s %(levelname)s %(message)s' -if args.debug: - logging.basicConfig( - format=FORMAT, - level=logging.DEBUG) -elif args.verbose: - logging.basicConfig( - format=FORMAT, - level=logging.INFO) -else: - logging.basicConfig( - format=FORMAT, - level=logging.WARNING) - -requests_log = logging.getLogger("requests.packages.urllib3") -requests_log.setLevel(logging.WARNING) -requests_log.propagate = True - -logger = logging.getLogger("moonforming") - -if args.filename: - print("Loading: {}".format(args.filename[0])) - -m = SourceFileLoader("scenario", args.filename[0]) - -scenario = m.load_module() - - -def create_model(model_id=None): - if args.verbose: - logger.info("Creating model {}".format(scenario.model_name)) - if not model_id: - logger.info("Add model") - model_id = add_model(name=scenario.model_name) - logger.info("Add subject categories") - for cat in scenario.subject_categories: - scenario.subject_categories[cat] = add_subject_category(name=cat) - logger.info("Add object categories") - for cat in scenario.object_categories: - scenario.object_categories[cat] = add_object_category(name=cat) - logger.info("Add action categories") - for cat in scenario.action_categories: - scenario.action_categories[cat] = add_action_category(name=cat) - sub_cat = [] - ob_cat = [] - act_cat = [] - meta_rule_list = [] - for item_name, item_value in scenario.meta_rule.items(): - for item in item_value["value"]: - if item in scenario.subject_categories: - sub_cat.append(scenario.subject_categories[item]) - elif item in scenario.object_categories: - ob_cat.append(scenario.object_categories[item]) - elif item in scenario.action_categories: - act_cat.append(scenario.action_categories[item]) - meta_rules = check_meta_rule(meta_rule_id=None) - for _meta_rule_id, _meta_rule_value in meta_rules['meta_rules'].items(): - if _meta_rule_value['name'] == item_name: - meta_rule_id = _meta_rule_id - break - else: - logger.info("Add meta rule") - meta_rule_id = add_meta_rule(item_name, sub_cat, ob_cat, act_cat) - item_value["id"] = meta_rule_id - if meta_rule_id not in meta_rule_list: - meta_rule_list.append(meta_rule_id) - return model_id, meta_rule_list - - -def create_policy(model_id, meta_rule_list): - if args.verbose: - logger.info("Creating policy {}".format(scenario.policy_name)) - _policies = check_policy() - for _policy_id, _policy_value in _policies["policies"].items(): - if _policy_value['name'] == scenario.policy_name: - policy_id = _policy_id - break - else: - policy_id = add_policy(name=scenario.policy_name, genre=scenario.policy_genre) - - update_policy(policy_id, model_id) - - for meta_rule_id in meta_rule_list: - logger.debug("add_meta_rule_to_model {} {}".format(model_id, meta_rule_id)) - add_meta_rule_to_model(model_id, meta_rule_id) - - logger.info("Add subject data") - for subject_cat_name in scenario.subject_data: - for subject_data_name in scenario.subject_data[subject_cat_name]: - data_id = scenario.subject_data[subject_cat_name][subject_data_name] = add_subject_data( - policy_id=policy_id, - category_id=scenario.subject_categories[subject_cat_name], name=subject_data_name) - scenario.subject_data[subject_cat_name][subject_data_name] = data_id - logger.info("Add object data") - for object_cat_name in scenario.object_data: - for object_data_name in scenario.object_data[object_cat_name]: - data_id = scenario.object_data[object_cat_name][object_data_name] = add_object_data( - policy_id=policy_id, - category_id=scenario.object_categories[object_cat_name], name=object_data_name) - scenario.object_data[object_cat_name][object_data_name] = data_id - logger.info("Add action data") - for action_cat_name in scenario.action_data: - for action_data_name in scenario.action_data[action_cat_name]: - data_id = scenario.action_data[action_cat_name][action_data_name] = add_action_data( - policy_id=policy_id, - category_id=scenario.action_categories[action_cat_name], name=action_data_name) - scenario.action_data[action_cat_name][action_data_name] = data_id - - logger.info("Add subjects") - for name in scenario.subjects: - scenario.subjects[name] = add_subject(policy_id, name=name) - logger.info("Add objects") - for name in scenario.objects: - scenario.objects[name] = add_object(policy_id, name=name) - logger.info("Add actions") - for name in scenario.actions: - scenario.actions[name] = add_action(policy_id, name=name) - - logger.info("Add subject assignments") - for subject_name in scenario.subject_assignments: - if type(scenario.subject_assignments[subject_name]) in (list, tuple): - for items in scenario.subject_assignments[subject_name]: - for subject_category_name in items: - subject_id = scenario.subjects[subject_name] - subject_cat_id = scenario.subject_categories[subject_category_name] - for data in scenario.subject_assignments[subject_name]: - subject_data_id = scenario.subject_data[subject_category_name][data[subject_category_name]] - add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) - else: - for subject_category_name in scenario.subject_assignments[subject_name]: - subject_id = scenario.subjects[subject_name] - subject_cat_id = scenario.subject_categories[subject_category_name] - subject_data_id = scenario.subject_data[subject_category_name][scenario.subject_assignments[subject_name][subject_category_name]] - add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id) - - logger.info("Add object assignments") - for object_name in scenario.object_assignments: - if type(scenario.object_assignments[object_name]) in (list, tuple): - for items in scenario.object_assignments[object_name]: - for object_category_name in items: - object_id = scenario.objects[object_name] - object_cat_id = scenario.object_categories[object_category_name] - for data in scenario.object_assignments[object_name]: - object_data_id = scenario.object_data[object_category_name][data[object_category_name]] - add_object_assignments(policy_id, object_id, object_cat_id, object_data_id) - else: - for object_category_name in scenario.object_assignments[object_name]: - object_id = scenario.objects[object_name] - object_cat_id = scenario.object_categories[object_category_name] - object_data_id = scenario.object_data[object_category_name][scenario.object_assignments[object_name][object_category_name]] - add_object_assignments(policy_id, object_id, object_cat_id, object_data_id) - - logger.info("Add action assignments") - for action_name in scenario.action_assignments: - if type(scenario.action_assignments[action_name]) in (list, tuple): - for items in scenario.action_assignments[action_name]: - for action_category_name in items: - action_id = scenario.actions[action_name] - action_cat_id = scenario.action_categories[action_category_name] - for data in scenario.action_assignments[action_name]: - action_data_id = scenario.action_data[action_category_name][data[action_category_name]] - add_action_assignments(policy_id, action_id, action_cat_id, action_data_id) - else: - for action_category_name in scenario.action_assignments[action_name]: - action_id = scenario.actions[action_name] - action_cat_id = scenario.action_categories[action_category_name] - action_data_id = scenario.action_data[action_category_name][scenario.action_assignments[action_name][action_category_name]] - add_action_assignments(policy_id, action_id, action_cat_id, action_data_id) - - logger.info("Add rules") - for meta_rule_name in scenario.rules: - meta_rule_value = scenario.meta_rule[meta_rule_name] - for rule in scenario.rules[meta_rule_name]: - data_list = [] - _meta_rule = list(meta_rule_value["value"]) - for data_name in rule["rule"]: - category_name = _meta_rule.pop(0) - if category_name in scenario.subject_categories: - data_list.append(scenario.subject_data[category_name][data_name]) - elif category_name in scenario.object_categories: - data_list.append(scenario.object_data[category_name][data_name]) - elif category_name in scenario.action_categories: - data_list.append(scenario.action_data[category_name][data_name]) - instructions = rule["instructions"] - add_rule(policy_id, meta_rule_value["id"], data_list, instructions) - return policy_id - - -def create_pdp(policy_id=None): - logger.info("Creating PDP {}".format(scenario.pdp_name)) - projects = get_keystone_projects() - project_id = args.keystone_pid - if not project_id: - for _project in projects['projects']: - if _project['name'] == "admin": - project_id = _project['id'] - assert project_id - pdps = check_pdp()["pdps"] - for pdp_id, pdp_value in pdps.items(): - if scenario.pdp_name == pdp_value["name"]: - update_pdp(pdp_id, policy_id=policy_id) - logger.debug("Found existing PDP named {} (will add policy {})".format(scenario.pdp_name, policy_id)) - return pdp_id - _pdp_id = add_pdp(name=scenario.pdp_name, policy_id=policy_id) - map_to_keystone(pdp_id=_pdp_id, keystone_project_id=project_id) - return _pdp_id - -if __name__ == "__main__": - _models = check_model() - for _model_id, _model_value in _models['models'].items(): - if _model_value['name'] == scenario.model_name: - model_id = _model_id - meta_rule_list = _model_value['meta_rules'] - create_model(model_id) - break - else: - model_id, meta_rule_list = create_model() - policy_id = create_policy(model_id, meta_rule_list) - pdp_id = create_pdp(policy_id) diff --git a/templates/moonforming/run.sh b/templates/moonforming/run.sh deleted file mode 100644 index 71543f9e..00000000 --- a/templates/moonforming/run.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/env bash - -populate_args=$* - -echo "Waiting for Consul (http://consul:8500)" -while ! python -c "import requests; req = requests.get('http://consul:8500')" 2>/dev/null ; do - sleep 5 ; - echo "." -done - -echo "Consul (http://consul:8500) is up." - -python3 /root/conf2consul.py /etc/moon/moon.conf - -echo "Waiting for DB (tcp://db:3306)" -while ! python -c "import socket, sys; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(('db', 3306)); sys.exit(0)" 2>/dev/null ; do - sleep 5 ; - echo "." -done - -echo "Database (http://db:3306) is up." - -moon_db_manager upgrade - -echo "Waiting for Keystone (http://keystone:5000)" -while ! python -c "import requests; req = requests.get('http://keystone:5000')" 2>/dev/null ; do - sleep 5 ; - echo "." -done - -echo "Keystone (http://keystone:5000) is up." - -echo "Waiting for Manager (http://manager:8082)" -while ! python -c "import requests; req = requests.get('http://manager:8082')" 2>/dev/null ; do - sleep 5 ; - echo "." -done - -echo "Manager (http://manager:8082) is up." - -cd /root - -python3 populate_default_values.py $populate_args /root/conf/rbac.py -python3 populate_default_values.py $populate_args /root/conf/mls.py diff --git a/templates/moonforming/utils/__init__.py b/templates/moonforming/utils/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/templates/moonforming/utils/config.py b/templates/moonforming/utils/config.py deleted file mode 100644 index 30c8ea4f..00000000 --- a/templates/moonforming/utils/config.py +++ /dev/null @@ -1,22 +0,0 @@ -import yaml - - -def get_config_data(filename="moon.conf"): - data_config = None - for _file in ( - filename, - "conf/moon.conf", - "../moon.conf", - "../conf/moon.conf", - "/etc/moon/moon.conf", - ): - try: - data_config = yaml.safe_load(open(_file)) - except FileNotFoundError: - data_config = None - continue - else: - break - if not data_config: - raise Exception("Configuration file not found...") - return data_config diff --git a/templates/moonforming/utils/models.py b/templates/moonforming/utils/models.py deleted file mode 100644 index 3cf31354..00000000 --- a/templates/moonforming/utils/models.py +++ /dev/null @@ -1,270 +0,0 @@ -import requests -import copy -import utils.config - -config = utils.config.get_config_data() - -URL = "http://{}:{}".format( - config['components']['manager']['hostname'], - config['components']['manager']['port']) -URL = URL + "{}" -HEADERS = {"content-type": "application/json"} - -model_template = { - "name": "test_model", - "description": "test", - "meta_rules": [] -} - -category_template = { - "name": "name of the category", - "description": "description of the category" -} - -meta_rule_template = { - "name": "test_meta_rule", - "subject_categories": [], - "object_categories": [], - "action_categories": [] -} - - -def check_model(model_id=None, check_model_name=True): - req = requests.get(URL.format("/models")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "models" in result - if model_id: - assert result["models"] - assert model_id in result['models'] - assert "name" in result['models'][model_id] - if check_model_name: - assert model_template["name"] == result['models'][model_id]["name"] - return result - - -def add_model(name=None): - if name: - model_template['name'] = name - req = requests.post(URL.format("/models"), json=model_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - model_id = list(result['models'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['models'][model_id] - assert model_template["name"] == result['models'][model_id]["name"] - return model_id - - -def delete_model(model_id): - req = requests.delete(URL.format("/models/{}".format(model_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - -def add_subject_category(name="subject_cat_1"): - category_template["name"] = name - req = requests.post(URL.format("/subject_categories"), json=category_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "subject_categories" in result - category_id = list(result['subject_categories'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['subject_categories'][category_id] - assert category_template["name"] == result['subject_categories'][category_id]["name"] - return category_id - - -def check_subject_category(category_id): - req = requests.get(URL.format("/subject_categories")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "subject_categories" in result - if "result" in result: - assert result["result"] - assert category_id in result['subject_categories'] - assert "name" in result['subject_categories'][category_id] - assert category_template["name"] == result['subject_categories'][category_id]["name"] - - -def delete_subject_category(category_id): - req = requests.delete(URL.format("/subject_categories/{}".format(category_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - - -def add_object_category(name="object_cat_1"): - category_template["name"] = name - req = requests.post(URL.format("/object_categories"), json=category_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "object_categories" in result - category_id = list(result['object_categories'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['object_categories'][category_id] - assert category_template["name"] == result['object_categories'][category_id]["name"] - return category_id - - -def check_object_category(category_id): - req = requests.get(URL.format("/object_categories")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "object_categories" in result - if "result" in result: - assert result["result"] - assert category_id in result['object_categories'] - assert "name" in result['object_categories'][category_id] - assert category_template["name"] == result['object_categories'][category_id]["name"] - - -def delete_object_category(category_id): - req = requests.delete(URL.format("/object_categories/{}".format(category_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - - -def add_action_category(name="action_cat_1"): - category_template["name"] = name - req = requests.post(URL.format("/action_categories"), json=category_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "action_categories" in result - category_id = list(result['action_categories'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['action_categories'][category_id] - assert category_template["name"] == result['action_categories'][category_id]["name"] - return category_id - - -def check_action_category(category_id): - req = requests.get(URL.format("/action_categories")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "action_categories" in result - if "result" in result: - assert result["result"] - assert category_id in result['action_categories'] - assert "name" in result['action_categories'][category_id] - assert category_template["name"] == result['action_categories'][category_id]["name"] - - -def delete_action_category(category_id): - req = requests.delete(URL.format("/action_categories/{}".format(category_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - - -def add_categories_and_meta_rule(name="test_meta_rule"): - scat_id = add_subject_category() - ocat_id = add_object_category() - acat_id = add_action_category() - _meta_rule_template = copy.deepcopy(meta_rule_template) - _meta_rule_template["name"] = name - _meta_rule_template["subject_categories"].append(scat_id) - _meta_rule_template["object_categories"].append(ocat_id) - _meta_rule_template["action_categories"].append(acat_id) - req = requests.post(URL.format("/meta_rules"), json=_meta_rule_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "meta_rules" in result - meta_rule_id = list(result['meta_rules'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['meta_rules'][meta_rule_id] - assert _meta_rule_template["name"] == result['meta_rules'][meta_rule_id]["name"] - return meta_rule_id, scat_id, ocat_id, acat_id - - -def add_meta_rule(name="test_meta_rule", scat=[], ocat=[], acat=[]): - _meta_rule_template = copy.deepcopy(meta_rule_template) - _meta_rule_template["name"] = name - _meta_rule_template["subject_categories"] = [] - _meta_rule_template["subject_categories"].extend(scat) - _meta_rule_template["object_categories"] = [] - _meta_rule_template["object_categories"].extend(ocat) - _meta_rule_template["action_categories"] = [] - _meta_rule_template["action_categories"].extend(acat) - req = requests.post(URL.format("/meta_rules"), json=_meta_rule_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "meta_rules" in result - meta_rule_id = list(result['meta_rules'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['meta_rules'][meta_rule_id] - assert _meta_rule_template["name"] == result['meta_rules'][meta_rule_id]["name"] - return meta_rule_id - - -def check_meta_rule(meta_rule_id, scat_id=None, ocat_id=None, acat_id=None): - req = requests.get(URL.format("/meta_rules")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "meta_rules" in result - if "result" in result: - assert result["result"] - if not meta_rule_id: - return result - assert meta_rule_id in result['meta_rules'] - assert "name" in result['meta_rules'][meta_rule_id] - if scat_id: - assert scat_id in result['meta_rules'][meta_rule_id]["subject_categories"] - if ocat_id: - assert ocat_id in result['meta_rules'][meta_rule_id]["object_categories"] - if acat_id: - assert acat_id in result['meta_rules'][meta_rule_id]["action_categories"] - - -def delete_meta_rule(meta_rule_id): - req = requests.delete(URL.format("/meta_rules/{}".format(meta_rule_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - - -def add_meta_rule_to_model(model_id, meta_rule_id): - model = check_model(model_id, check_model_name=False)['models'] - meta_rule_list = model[model_id]["meta_rules"] - if meta_rule_id not in meta_rule_list: - meta_rule_list.append(meta_rule_id) - req = requests.patch(URL.format("/models/{}".format(model_id)), - json={"meta_rules": meta_rule_list}, - headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - model_id = list(result['models'].keys())[0] - if "result" in result: - assert result["result"] - assert "meta_rules" in result['models'][model_id] - assert meta_rule_list == result['models'][model_id]["meta_rules"] diff --git a/templates/moonforming/utils/pdp.py b/templates/moonforming/utils/pdp.py deleted file mode 100644 index f3c6df37..00000000 --- a/templates/moonforming/utils/pdp.py +++ /dev/null @@ -1,163 +0,0 @@ -import logging -import requests -import utils.config - -config = utils.config.get_config_data() -logger = logging.getLogger("moonforming.utils.policies") - -URL = "http://{}:{}".format( - config['components']['manager']['hostname'], - config['components']['manager']['port']) -HEADERS = {"content-type": "application/json"} -KEYSTONE_USER = config['openstack']['keystone']['user'] -KEYSTONE_PASSWORD = config['openstack']['keystone']['password'] -KEYSTONE_PROJECT = config['openstack']['keystone']['project'] -KEYSTONE_SERVER = config['openstack']['keystone']['url'] - -pdp_template = { - "name": "test_pdp", - "security_pipeline": [], - "keystone_project_id": None, - "description": "test", -} - - -def get_keystone_projects(): - - HEADERS = { - "Content-Type": "application/json" - } - - data_auth = { - "auth": { - "identity": { - "methods": [ - "password" - ], - "password": { - "user": { - "name": KEYSTONE_USER, - "domain": { - "name": "Default" - }, - "password": KEYSTONE_PASSWORD - } - } - } - } - } - - req = requests.post("{}/auth/tokens".format(KEYSTONE_SERVER), json=data_auth, headers=HEADERS) - logger.debug("{}/auth/tokens".format(KEYSTONE_SERVER)) - logger.debug(req.text) - assert req.status_code in (200, 201) - TOKEN = req.headers['X-Subject-Token'] - HEADERS['X-Auth-Token'] = TOKEN - req = requests.get("{}/projects".format(KEYSTONE_SERVER), headers=HEADERS) - if req.status_code not in (200, 201): - data_auth["auth"]["scope"] = { - "project": { - "name": KEYSTONE_PROJECT, - "domain": { - "id": "default" - } - } - } - req = requests.post("{}/auth/tokens".format(KEYSTONE_SERVER), json=data_auth, headers=HEADERS) - assert req.status_code in (200, 201) - TOKEN = req.headers['X-Subject-Token'] - HEADERS['X-Auth-Token'] = TOKEN - req = requests.get("{}/projects".format(KEYSTONE_SERVER), headers=HEADERS) - assert req.status_code in (200, 201) - return req.json() - - -def check_pdp(pdp_id=None, keystone_project_id=None, moon_url=None): - _URL = URL - if moon_url: - _URL = moon_url - req = requests.get(_URL + "/pdp") - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "pdps" in result - if pdp_id: - assert result["pdps"] - assert pdp_id in result['pdps'] - assert "name" in result['pdps'][pdp_id] - assert pdp_template["name"] == result['pdps'][pdp_id]["name"] - if keystone_project_id: - assert result["pdps"] - assert pdp_id in result['pdps'] - assert "keystone_project_id" in result['pdps'][pdp_id] - assert keystone_project_id == result['pdps'][pdp_id]["keystone_project_id"] - return result - - -def add_pdp(name="test_pdp", policy_id=None): - pdp_template['name'] = name - if policy_id: - pdp_template['security_pipeline'].append(policy_id) - req = requests.post(URL + "/pdp", json=pdp_template, headers=HEADERS) - logger.debug(req.status_code) - logger.debug(req) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - pdp_id = list(result['pdps'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['pdps'][pdp_id] - assert pdp_template["name"] == result['pdps'][pdp_id]["name"] - return pdp_id - - -def update_pdp(pdp_id, policy_id=None): - req = requests.get(URL + "/pdp/{}".format(pdp_id)) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "pdps" in result - assert pdp_id in result['pdps'] - pipeline = result['pdps'][pdp_id]["security_pipeline"] - if policy_id not in pipeline: - pipeline.append(policy_id) - req = requests.patch(URL + "/pdp/{}".format(pdp_id), - json={"security_pipeline": pipeline}) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "pdps" in result - assert pdp_id in result['pdps'] - - req = requests.get(URL + "/pdp/{}".format(pdp_id)) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "pdps" in result - assert pdp_id in result['pdps'] - assert policy_id in pipeline - - -def map_to_keystone(pdp_id, keystone_project_id): - req = requests.patch(URL + "/pdp/{}".format(pdp_id), json={"keystone_project_id": keystone_project_id}, - headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - if "result" in result: - assert result["result"] - assert pdp_id in result['pdps'] - assert "name" in result['pdps'][pdp_id] - assert pdp_template["name"] == result['pdps'][pdp_id]["name"] - return pdp_id - - -def delete_pdp(pdp_id): - req = requests.delete(URL + "/pdp/{}".format(pdp_id)) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - diff --git a/templates/moonforming/utils/policies.py b/templates/moonforming/utils/policies.py deleted file mode 100644 index bd08291a..00000000 --- a/templates/moonforming/utils/policies.py +++ /dev/null @@ -1,635 +0,0 @@ -import logging -import requests -import utils.config - -config = utils.config.get_config_data() -logger = logging.getLogger("moonforming.utils.policies") - -URL = "http://{}:{}".format(config['components']['manager']['hostname'], config['components']['manager']['port']) -URL = URL + "{}" -HEADERS = {"content-type": "application/json"} -FILE = open("/tmp/test.log", "w") - -policy_template = { - "name": "test_policy", - "model_id": "", - "genre": "authz", - "description": "test", -} - -subject_template = { - "name": "test_subject", - "description": "test", - "email": "mail", - "password": "my_pass", -} - -object_template = { - "name": "test_subject", - "description": "test" -} - -action_template = { - "name": "test_subject", - "description": "test" -} - -subject_data_template = { - "name": "subject_data1", - "description": "description of the data subject" -} - -object_data_template = { - "name": "object_data1", - "description": "description of the data subject" -} - -action_data_template = { - "name": "action_data1", - "description": "description of the data subject" -} - -subject_assignment_template = { - "id": "", - "category_id": "", - "scope_id": "" -} - - -def check_policy(policy_id=None): - req = requests.get(URL.format("/policies")) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "policies" in result - if policy_id: - assert result["policies"] - assert policy_id in result['policies'] - assert "name" in result['policies'][policy_id] - assert policy_template["name"] == result['policies'][policy_id]["name"] - return result - - -def add_policy(name="test_policy", genre="authz"): - policy_template["name"] = name - policy_template["genre"] = genre - req = requests.post(URL.format("/policies"), json=policy_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - policy_id = list(result['policies'].keys())[0] - if "result" in result: - assert result["result"] - assert "name" in result['policies'][policy_id] - assert policy_template["name"] == result['policies'][policy_id]["name"] - return policy_id - - -def update_policy(policy_id, model_id): - req = requests.patch(URL.format("/policies/{}".format(policy_id)), - json={"model_id": model_id}, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - policy_id = list(result['policies'].keys())[0] - if "result" in result: - assert result["result"] - assert "model_id" in result['policies'][policy_id] - assert model_id == result['policies'][policy_id]["model_id"] - - -def delete_policy(policy_id): - req = requests.delete(URL.format("/policies/{}".format(policy_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - -def add_subject(policy_id=None, name="test_subject"): - subject_template['name'] = name - if policy_id: - logger.debug(URL.format("/policies/{}/subjects".format(policy_id))) - req = requests.post(URL.format("/policies/{}/subjects".format(policy_id)), - json=subject_template, headers=HEADERS) - else: - logger.debug(URL.format("/subjects")) - req = requests.post(URL.format("/subjects"), json=subject_template, headers=HEADERS) - logger.debug(req.text) - assert req.status_code == 200 - result = req.json() - assert "subjects" in result - subject_id = list(result['subjects'].keys())[0] - return subject_id - - -def update_subject(subject_id, policy_id=None, description=None): - if policy_id and not description: - req = requests.patch(URL.format("/policies/{}/subjects/{}".format(policy_id, subject_id)), - json={}) - elif policy_id and description: - req = requests.patch(URL.format("/policies/{}/subjects/{}".format(policy_id, subject_id)), - json={"description": description}) - else: - req = requests.patch(URL.format("/subjects/{}".format(subject_id)), - json={"description": description}) - assert req.status_code == 200 - result = req.json() - assert "subjects" in result - assert "name" in result["subjects"][subject_id] - assert subject_template["name"] == result["subjects"][subject_id]["name"] - assert "policy_list" in result["subjects"][subject_id] - if policy_id: - assert policy_id in result["subjects"][subject_id]["policy_list"] - if description: - assert description in result["subjects"][subject_id]["description"] - - -def check_subject(subject_id=None, policy_id=None): - if policy_id: - req = requests.get(URL.format("/policies/{}/subjects".format(policy_id))) - else: - req = requests.get(URL.format("/subjects")) - assert req.status_code == 200 - result = req.json() - assert "subjects" in result - assert "name" in result["subjects"][subject_id] - assert subject_template["name"] == result["subjects"][subject_id]["name"] - if policy_id: - assert "policy_list" in result["subjects"][subject_id] - assert policy_id in result["subjects"][subject_id]["policy_list"] - - -def delete_subject(subject_id, policy_id=None): - if policy_id: - req = requests.delete(URL.format("/policies/{}/subjects/{}".format(policy_id, subject_id))) - else: - req = requests.delete(URL.format("/subjects/{}".format(subject_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - if policy_id: - req = requests.get(URL.format("/policies/{}/subjects".format(policy_id))) - else: - req = requests.get(URL.format("/subjects")) - assert req.status_code == 200 - result = req.json() - assert "subjects" in result - if subject_id in result["subjects"]: - assert "name" in result["subjects"][subject_id] - assert subject_template["name"] == result["subjects"][subject_id]["name"] - if policy_id: - assert "policy_list" in result["subjects"][subject_id] - assert policy_id not in result["subjects"][subject_id]["policy_list"] - - -def add_object(policy_id=None, name="test_object"): - object_template['name'] = name - if policy_id: - req = requests.post(URL.format("/policies/{}/objects".format(policy_id)), - json=object_template, headers=HEADERS) - else: - req = requests.post(URL.format("/objects"), json=object_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "objects" in result - object_id = list(result['objects'].keys())[0] - return object_id - - -def update_object(object_id, policy_id): - req = requests.patch(URL.format("/policies/{}/objects/{}".format(policy_id, object_id)), json={}) - assert req.status_code == 200 - result = req.json() - assert "objects" in result - assert "name" in result["objects"][object_id] - assert object_template["name"] == result["objects"][object_id]["name"] - assert "policy_list" in result["objects"][object_id] - assert policy_id in result["objects"][object_id]["policy_list"] - - -def check_object(object_id=None, policy_id=None): - if policy_id: - req = requests.get(URL.format("/policies/{}/objects".format(policy_id))) - else: - req = requests.get(URL.format("/objects")) - assert req.status_code == 200 - result = req.json() - assert "objects" in result - assert "name" in result["objects"][object_id] - assert object_template["name"] == result["objects"][object_id]["name"] - if policy_id: - assert "policy_list" in result["objects"][object_id] - assert policy_id in result["objects"][object_id]["policy_list"] - - -def delete_object(object_id, policy_id=None): - if policy_id: - req = requests.delete(URL.format("/policies/{}/objects/{}".format(policy_id, object_id))) - else: - req = requests.delete(URL.format("/objects/{}".format(object_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - if policy_id: - req = requests.get(URL.format("/policies/{}/objects".format(policy_id))) - else: - req = requests.get(URL.format("/objects")) - assert req.status_code == 200 - result = req.json() - assert "objects" in result - if object_id in result["objects"]: - assert "name" in result["objects"][object_id] - assert object_template["name"] == result["objects"][object_id]["name"] - if policy_id: - assert "policy_list" in result["objects"][object_id] - assert policy_id not in result["objects"][object_id]["policy_list"] - - -def add_action(policy_id=None, name="test_action"): - action_template['name'] = name - if policy_id: - req = requests.post(URL.format("/policies/{}/actions".format(policy_id)), - json=action_template, headers=HEADERS) - else: - req = requests.post(URL.format("/actions"), json=action_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "actions" in result - action_id = list(result['actions'].keys())[0] - return action_id - - -def update_action(action_id, policy_id): - req = requests.patch(URL.format("/policies/{}/actions/{}".format(policy_id, action_id)), json={}) - assert req.status_code == 200 - result = req.json() - assert "actions" in result - assert "name" in result["actions"][action_id] - assert action_template["name"] == result["actions"][action_id]["name"] - assert "policy_list" in result["actions"][action_id] - assert policy_id in result["actions"][action_id]["policy_list"] - - -def check_action(action_id=None, policy_id=None): - if policy_id: - req = requests.get(URL.format("/policies/{}/actions".format(policy_id))) - else: - req = requests.get(URL.format("/actions")) - assert req.status_code == 200 - result = req.json() - assert "actions" in result - assert "name" in result["actions"][action_id] - assert action_template["name"] == result["actions"][action_id]["name"] - if policy_id: - assert "policy_list" in result["actions"][action_id] - assert policy_id in result["actions"][action_id]["policy_list"] - - -def delete_action(action_id, policy_id=None): - if policy_id: - req = requests.delete(URL.format("/policies/{}/actions/{}".format(policy_id, action_id))) - else: - req = requests.delete(URL.format("/actions/{}".format(action_id))) - assert req.status_code == 200 - result = req.json() - assert type(result) is dict - assert "result" in result - assert result["result"] - - if policy_id: - req = requests.get(URL.format("/policies/{}/actions".format(policy_id))) - else: - req = requests.get(URL.format("/actions")) - assert req.status_code == 200 - result = req.json() - assert "actions" in result - if action_id in result["actions"]: - assert "name" in result["actions"][action_id] - assert action_template["name"] == result["actions"][action_id]["name"] - if policy_id: - assert "policy_list" in result["actions"][action_id] - assert policy_id not in result["actions"][action_id]["policy_list"] - - -def add_subject_data(policy_id, category_id, name="subject_data1"): - subject_data_template['name'] = name - req = requests.post(URL.format("/policies/{}/subject_data/{}".format(policy_id, category_id)), - json=subject_data_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "subject_data" in result - subject_id = list(result['subject_data']['data'].keys())[0] - return subject_id - - -def check_subject_data(policy_id, data_id, category_id): - req = requests.get(URL.format("/policies/{}/subject_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "subject_data" in result - for _data in result['subject_data']: - assert data_id in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def delete_subject_data(policy_id, category_id, data_id): - req = requests.delete(URL.format("/policies/{}/subject_data/{}/{}".format(policy_id, category_id, data_id)), - headers=HEADERS) - assert req.status_code == 200 - req = requests.get(URL.format("/policies/{}/subject_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "subject_data" in result - for _data in result['subject_data']: - assert data_id not in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def add_object_data(policy_id, category_id, name="object_data1"): - object_data_template['name'] = name - req = requests.post(URL.format("/policies/{}/object_data/{}".format(policy_id, category_id)), - json=object_data_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "object_data" in result - object_id = list(result['object_data']['data'].keys())[0] - return object_id - - -def check_object_data(policy_id, data_id, category_id): - req = requests.get(URL.format("/policies/{}/object_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "object_data" in result - for _data in result['object_data']: - assert data_id in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def delete_object_data(policy_id, category_id, data_id): - req = requests.delete(URL.format("/policies/{}/object_data/{}/{}".format(policy_id, category_id, data_id)), - headers=HEADERS) - assert req.status_code == 200 - req = requests.get(URL.format("/policies/{}/object_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "object_data" in result - for _data in result['object_data']: - assert data_id not in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def add_action_data(policy_id, category_id, name="action_data1"): - action_data_template['name'] = name - req = requests.post(URL.format("/policies/{}/action_data/{}".format(policy_id, category_id)), - json=action_data_template, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "action_data" in result - action_id = list(result['action_data']['data'].keys())[0] - return action_id - - -def check_action_data(policy_id, data_id, category_id): - req = requests.get(URL.format("/policies/{}/action_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "action_data" in result - for _data in result['action_data']: - assert data_id in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def delete_action_data(policy_id, category_id, data_id): - req = requests.delete(URL.format("/policies/{}/action_data/{}/{}".format(policy_id, category_id, data_id)), - headers=HEADERS) - assert req.status_code == 200 - req = requests.get(URL.format("/policies/{}/action_data/{}".format(policy_id, category_id))) - assert req.status_code == 200 - result = req.json() - assert "action_data" in result - for _data in result['action_data']: - assert data_id not in list(_data['data'].keys()) - assert category_id == _data["category_id"] - - -def add_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id): - req = requests.post(URL.format("/policies/{}/subject_assignments".format(policy_id)), - json={ - "id": subject_id, - "category_id": subject_cat_id, - "data_id": subject_data_id - }, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "subject_assignments" in result - assert result["subject_assignments"] - - -def check_subject_assignments(policy_id, subject_id, subject_cat_id, subject_data_id): - req = requests.get(URL.format("/policies/{}/subject_assignments/{}/{}/{}".format( - policy_id, subject_id, subject_cat_id, subject_data_id))) - assert req.status_code == 200 - result = req.json() - assert "subject_assignments" in result - assert result["subject_assignments"] - for key in result["subject_assignments"]: - assert "subject_id" in result["subject_assignments"][key] - assert "category_id" in result["subject_assignments"][key] - assert "assignments" in result["subject_assignments"][key] - if result["subject_assignments"][key]['subject_id'] == subject_id and \ - result["subject_assignments"][key]["category_id"] == subject_cat_id: - assert subject_data_id in result["subject_assignments"][key]["assignments"] - - -def check_object_assignments(policy_id, object_id, object_cat_id, object_data_id): - req = requests.get(URL.format("/policies/{}/object_assignments/{}/{}/{}".format( - policy_id, object_id, object_cat_id, object_data_id))) - assert req.status_code == 200 - result = req.json() - assert "object_assignments" in result - assert result["object_assignments"] - for key in result["object_assignments"]: - assert "object_id" in result["object_assignments"][key] - assert "category_id" in result["object_assignments"][key] - assert "assignments" in result["object_assignments"][key] - if result["object_assignments"][key]['object_id'] == object_id and \ - result["object_assignments"][key]["category_id"] == object_cat_id: - assert object_data_id in result["object_assignments"][key]["assignments"] - - -def check_action_assignments(policy_id, action_id, action_cat_id, action_data_id): - req = requests.get(URL.format("/policies/{}/action_assignments/{}/{}/{}".format( - policy_id, action_id, action_cat_id, action_data_id))) - assert req.status_code == 200 - result = req.json() - assert "action_assignments" in result - assert result["action_assignments"] - for key in result["action_assignments"]: - assert "action_id" in result["action_assignments"][key] - assert "category_id" in result["action_assignments"][key] - assert "assignments" in result["action_assignments"][key] - if result["action_assignments"][key]['action_id'] == action_id and \ - result["action_assignments"][key]["category_id"] == action_cat_id: - assert action_data_id in result["action_assignments"][key]["assignments"] - - -def add_object_assignments(policy_id, object_id, object_cat_id, object_data_id): - req = requests.post(URL.format("/policies/{}/object_assignments".format(policy_id)), - json={ - "id": object_id, - "category_id": object_cat_id, - "data_id": object_data_id - }, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "object_assignments" in result - assert result["object_assignments"] - - -def add_action_assignments(policy_id, action_id, action_cat_id, action_data_id): - req = requests.post(URL.format("/policies/{}/action_assignments".format(policy_id)), - json={ - "id": action_id, - "category_id": action_cat_id, - "data_id": action_data_id - }, headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "action_assignments" in result - assert result["action_assignments"] - - -def delete_subject_assignment(policy_id, subject_id, subject_cat_id, subject_data_id): - req = requests.delete(URL.format("/policies/{}/subject_assignments/{}/{}/{}".format( - policy_id, subject_id, subject_cat_id, subject_data_id))) - assert req.status_code == 200 - result = req.json() - assert "result" in result - assert result["result"] - - req = requests.get(URL.format("/policies/{}/subject_assignments/{}/{}/{}".format( - policy_id, subject_id, subject_cat_id, subject_data_id))) - assert req.status_code == 200 - result = req.json() - assert "subject_assignments" in result - assert result["subject_assignments"] - for key in result["subject_assignments"]: - assert "subject_id" in result["subject_assignments"][key] - assert "category_id" in result["subject_assignments"][key] - assert "assignments" in result["subject_assignments"][key] - if result["subject_assignments"][key]['subject_id'] == subject_id and \ - result["subject_assignments"][key]["category_id"] == subject_cat_id: - assert subject_data_id not in result["subject_assignments"][key]["assignments"] - - -def delete_object_assignment(policy_id, object_id, object_cat_id, object_data_id): - req = requests.delete(URL.format("/policies/{}/object_assignments/{}/{}/{}".format( - policy_id, object_id, object_cat_id, object_data_id))) - assert req.status_code == 200 - result = req.json() - assert "result" in result - assert result["result"] - - req = requests.get(URL.format("/policies/{}/object_assignments/{}/{}/{}".format( - policy_id, object_id, object_cat_id, object_data_id))) - assert req.status_code == 200 - result = req.json() - assert "object_assignments" in result - assert result["object_assignments"] - for key in result["object_assignments"]: - assert "object_id" in result["object_assignments"][key] - assert "category_id" in result["object_assignments"][key] - assert "assignments" in result["object_assignments"][key] - if result["object_assignments"][key]['object_id'] == object_id and \ - result["object_assignments"][key]["category_id"] == object_cat_id: - assert object_data_id not in result["object_assignments"][key]["assignments"] - - -def delete_action_assignment(policy_id, action_id, action_cat_id, action_data_id): - req = requests.delete(URL.format("/policies/{}/action_assignments/{}/{}/{}".format( - policy_id, action_id, action_cat_id, action_data_id))) - assert req.status_code == 200 - result = req.json() - assert "result" in result - assert result["result"] - - req = requests.get(URL.format("/policies/{}/action_assignments/{}/{}/{}".format( - policy_id, action_id, action_cat_id, action_data_id))) - assert req.status_code == 200 - result = req.json() - assert "action_assignments" in result - assert result["action_assignments"] - for key in result["action_assignments"]: - assert "action_id" in result["action_assignments"][key] - assert "category_id" in result["action_assignments"][key] - assert "assignments" in result["action_assignments"][key] - if result["action_assignments"][key]['action_id'] == action_id and \ - result["action_assignments"][key]["category_id"] == action_cat_id: - assert action_data_id not in result["action_assignments"][key]["assignments"] - - -def add_rule(policy_id, meta_rule_id, rule, instructions={"chain": [{"security_pipeline": "rbac"}]}): - req = requests.post(URL.format("/policies/{}/rules".format(policy_id)), - json={ - "meta_rule_id": meta_rule_id, - "rule": rule, - "instructions": instructions, - "enabled": True - }, - headers=HEADERS) - assert req.status_code == 200 - result = req.json() - assert "rules" in result - try: - rule_id = list(result["rules"].keys())[0] - except Exception as e: - return False - assert "policy_id" in result["rules"][rule_id] - assert policy_id == result["rules"][rule_id]["policy_id"] - assert "meta_rule_id" in result["rules"][rule_id] - assert meta_rule_id == result["rules"][rule_id]["meta_rule_id"] - assert rule == result["rules"][rule_id]["rule"] - return rule_id - - -def check_rule(policy_id, meta_rule_id, rule_id, rule): - req = requests.get(URL.format("/policies/{}/rules".format(policy_id))) - assert req.status_code == 200 - result = req.json() - assert "rules" in result - assert "policy_id" in result["rules"] - assert policy_id == result["rules"]["policy_id"] - for item in result["rules"]["rules"]: - assert "meta_rule_id" in item - if meta_rule_id == item["meta_rule_id"]: - if rule_id == item["id"]: - assert rule == item["rule"] - - -def delete_rule(policy_id, rule_id): - req = requests.delete(URL.format("/policies/{}/rules/{}".format(policy_id, rule_id))) - assert req.status_code == 200 - result = req.json() - assert "result" in result - assert result["result"] - - req = requests.get(URL.format("/policies/{}/rules".format(policy_id))) - assert req.status_code == 200 - result = req.json() - assert "rules" in result - assert "policy_id" in result["rules"] - assert policy_id == result["rules"]["policy_id"] - found_rule = False - for item in result["rules"]["rules"]: - if rule_id == item["id"]: - found_rule = True - assert not found_rule diff --git a/templates/nova/policy.json b/templates/nova/policy.json deleted file mode 100644 index 29763ce3..00000000 --- a/templates/nova/policy.json +++ /dev/null @@ -1,488 +0,0 @@ -{ - "context_is_admin": "role:admin", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner", - - "cells_scheduler_filter:TargetCellFilter": "is_admin:True", - - "compute:create": "http://my_hostname:31001/authz", - "compute:create:attach_network": "", - "compute:create:attach_volume": "", - "compute:create:forced_host": "is_admin:True", - - "compute:get": "http://my_hostname:31001/authz", - "compute:get_all": "http://my_hostname:31001/authz", - "compute:get_all_tenants": "is_admin:True", - - "compute:update": "", - - "compute:get_instance_metadata": "", - "compute:get_all_instance_metadata": "", - "compute:get_all_instance_system_metadata": "", - "compute:update_instance_metadata": "", - "compute:delete_instance_metadata": "", - - "compute:get_instance_faults": "", - "compute:get_diagnostics": "", - "compute:get_instance_diagnostics": "", - - "compute:start": "rule:admin_or_owner", - "compute:stop": "rule:admin_or_owner", - - "compute:get_lock": "", - "compute:lock": "rule:admin_or_owner", - "compute:unlock": "rule:admin_or_owner", - "compute:unlock_override": "rule:admin_api", - - "compute:get_vnc_console": "", - "compute:get_spice_console": "", - "compute:get_rdp_console": "", - "compute:get_serial_console": "", - "compute:get_mks_console": "", - "compute:get_console_output": "", - - "compute:reset_network": "", - "compute:inject_network_info": "", - "compute:add_fixed_ip": "", - "compute:remove_fixed_ip": "", - - "compute:attach_volume": "", - "compute:detach_volume": "", - "compute:swap_volume": "", - - "compute:attach_interface": "", - "compute:detach_interface": "", - - "compute:set_admin_password": "", - - "compute:rescue": "", - "compute:unrescue": "", - - "compute:suspend": "", - "compute:resume": "", - - "compute:pause": "", - "compute:unpause": "", - - "compute:shelve": "", - "compute:shelve_offload": "", - "compute:unshelve": "", - - "compute:snapshot": "", - "compute:snapshot_volume_backed": "", - "compute:backup": "", - - "compute:resize": "", - "compute:confirm_resize": "", - "compute:revert_resize": "", - - "compute:rebuild": "", - "compute:reboot": "", - "compute:delete": "rule:admin_or_owner", - "compute:soft_delete": "rule:admin_or_owner", - "compute:force_delete": "rule:admin_or_owner", - - "compute:security_groups:add_to_instance": "", - "compute:security_groups:remove_from_instance": "", - - "compute:delete": "", - "compute:soft_delete": "", - "compute:force_delete": "", - "compute:restore": "", - - "compute:volume_snapshot_create": "", - "compute:volume_snapshot_delete": "", - - "admin_api": "is_admin:True", - "compute_extension:accounts": "rule:admin_api", - "compute_extension:admin_actions": "rule:admin_api", - "compute_extension:admin_actions:pause": "rule:admin_or_owner", - "compute_extension:admin_actions:unpause": "rule:admin_or_owner", - "compute_extension:admin_actions:suspend": "rule:admin_or_owner", - "compute_extension:admin_actions:resume": "rule:admin_or_owner", - "compute_extension:admin_actions:lock": "rule:admin_or_owner", - "compute_extension:admin_actions:unlock": "rule:admin_or_owner", - "compute_extension:admin_actions:resetNetwork": "rule:admin_api", - "compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api", - "compute_extension:admin_actions:createBackup": "rule:admin_or_owner", - "compute_extension:admin_actions:migrateLive": "rule:admin_api", - "compute_extension:admin_actions:resetState": "rule:admin_api", - "compute_extension:admin_actions:migrate": "rule:admin_api", - "compute_extension:aggregates": "rule:admin_api", - "compute_extension:agents": "rule:admin_api", - "compute_extension:attach_interfaces": "", - "compute_extension:baremetal_nodes": "rule:admin_api", - "compute_extension:cells": "rule:admin_api", - "compute_extension:cells:create": "rule:admin_api", - "compute_extension:cells:delete": "rule:admin_api", - "compute_extension:cells:update": "rule:admin_api", - "compute_extension:cells:sync_instances": "rule:admin_api", - "compute_extension:certificates": "", - "compute_extension:cloudpipe": "rule:admin_api", - "compute_extension:cloudpipe_update": "rule:admin_api", - "compute_extension:config_drive": "", - "compute_extension:console_output": "", - "compute_extension:consoles": "", - "compute_extension:createserverext": "", - "compute_extension:deferred_delete": "", - "compute_extension:disk_config": "", - "compute_extension:evacuate": "rule:admin_api", - "compute_extension:extended_server_attributes": "rule:admin_api", - "compute_extension:extended_status": "", - "compute_extension:extended_availability_zone": "", - "compute_extension:extended_ips": "", - "compute_extension:extended_ips_mac": "", - "compute_extension:extended_vif_net": "", - "compute_extension:extended_volumes": "", - "compute_extension:fixed_ips": "rule:admin_api", - "compute_extension:flavor_access": "", - "compute_extension:flavor_access:addTenantAccess": "rule:admin_api", - "compute_extension:flavor_access:removeTenantAccess": "rule:admin_api", - "compute_extension:flavor_disabled": "", - "compute_extension:flavor_rxtx": "", - "compute_extension:flavor_swap": "", - "compute_extension:flavorextradata": "", - "compute_extension:flavorextraspecs:index": "", - "compute_extension:flavorextraspecs:show": "", - "compute_extension:flavorextraspecs:create": "rule:admin_api", - "compute_extension:flavorextraspecs:update": "rule:admin_api", - "compute_extension:flavorextraspecs:delete": "rule:admin_api", - "compute_extension:flavormanage": "rule:admin_api", - "compute_extension:floating_ip_dns": "", - "compute_extension:floating_ip_pools": "", - "compute_extension:floating_ips": "", - "compute_extension:floating_ips_bulk": "rule:admin_api", - "compute_extension:fping": "", - "compute_extension:fping:all_tenants": "rule:admin_api", - "compute_extension:hide_server_addresses": "is_admin:False", - "compute_extension:hosts": "rule:admin_api", - "compute_extension:hypervisors": "rule:admin_api", - "compute_extension:image_size": "", - "compute_extension:instance_actions": "", - "compute_extension:instance_actions:events": "rule:admin_api", - "compute_extension:instance_usage_audit_log": "rule:admin_api", - "compute_extension:keypairs": "", - "compute_extension:keypairs:index": "", - "compute_extension:keypairs:show": "", - "compute_extension:keypairs:create": "", - "compute_extension:keypairs:delete": "", - "compute_extension:multinic": "", - "compute_extension:networks": "rule:admin_api", - "compute_extension:networks:view": "", - "compute_extension:networks_associate": "rule:admin_api", - "compute_extension:os-tenant-networks": "", - "compute_extension:quotas:show": "", - "compute_extension:quotas:update": "rule:admin_api", - "compute_extension:quotas:delete": "rule:admin_api", - "compute_extension:quota_classes": "", - "compute_extension:rescue": "", - "compute_extension:security_group_default_rules": "rule:admin_api", - "compute_extension:security_groups": "", - "compute_extension:server_diagnostics": "rule:admin_api", - "compute_extension:server_groups": "", - "compute_extension:server_password": "", - "compute_extension:server_usage": "", - "compute_extension:services": "rule:admin_api", - "compute_extension:shelve": "", - "compute_extension:shelveOffload": "rule:admin_api", - "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner", - "compute_extension:simple_tenant_usage:list": "rule:admin_api", - "compute_extension:unshelve": "", - "compute_extension:users": "rule:admin_api", - "compute_extension:virtual_interfaces": "", - "compute_extension:virtual_storage_arrays": "", - "compute_extension:volumes": "", - "compute_extension:volume_attachments:index": "", - "compute_extension:volume_attachments:show": "", - "compute_extension:volume_attachments:create": "", - "compute_extension:volume_attachments:update": "", - "compute_extension:volume_attachments:delete": "", - "compute_extension:volumetypes": "", - "compute_extension:availability_zone:list": "", - "compute_extension:availability_zone:detail": "rule:admin_api", - "compute_extension:used_limits_for_admin": "rule:admin_api", - "compute_extension:migrations:index": "rule:admin_api", - "compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api", - "compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api", - "compute_extension:console_auth_tokens": "rule:admin_api", - "compute_extension:os-server-external-events:create": "rule:admin_api", - - "network:get_all": "", - "network:get": "", - "network:create": "", - "network:delete": "", - "network:associate": "", - "network:disassociate": "", - "network:get_vifs_by_instance": "", - "network:allocate_for_instance": "", - "network:deallocate_for_instance": "", - "network:validate_networks": "", - "network:get_instance_uuids_by_ip_filter": "", - "network:get_instance_id_by_floating_address": "", - "network:setup_networks_on_host": "", - "network:get_backdoor_port": "", - - "network:get_floating_ip": "", - "network:get_floating_ip_pools": "", - "network:get_floating_ip_by_address": "", - "network:get_floating_ips_by_project": "", - "network:get_floating_ips_by_fixed_address": "", - "network:allocate_floating_ip": "", - "network:associate_floating_ip": "", - "network:disassociate_floating_ip": "", - "network:release_floating_ip": "", - "network:migrate_instance_start": "", - "network:migrate_instance_finish": "", - - "network:get_fixed_ip": "", - "network:get_fixed_ip_by_address": "", - "network:add_fixed_ip_to_instance": "", - "network:remove_fixed_ip_from_instance": "", - "network:add_network_to_project": "", - "network:get_instance_nw_info": "", - - "network:get_dns_domains": "", - "network:add_dns_entry": "", - "network:modify_dns_entry": "", - "network:delete_dns_entry": "", - "network:get_dns_entries_by_address": "", - "network:get_dns_entries_by_name": "", - "network:create_private_dns_domain": "", - "network:create_public_dns_domain": "", - "network:delete_dns_domain": "", - "network:attach_external_network": "rule:admin_api", - "network:get_vif_by_mac_address": "", - - "os_compute_api:servers:detail:get_all_tenants": "is_admin:True", - "os_compute_api:servers:index:get_all_tenants": "is_admin:True", - "os_compute_api:servers:confirm_resize": "", - "os_compute_api:servers:create": "http://my_hostname:31001/authz", - "os_compute_api:servers:create:attach_network": "", - "os_compute_api:servers:create:attach_volume": "", - "os_compute_api:servers:create:forced_host": "rule:admin_api", - "os_compute_api:servers:delete": "http://my_hostname:31001/authz", - "os_compute_api:servers:update": "http://my_hostname:31001/authz", - "os_compute_api:servers:detail": "http://my_hostname:31001/authz", - "os_compute_api:servers:index": "http://my_hostname:31001/authz", - "os_compute_api:servers:reboot": "http://my_hostname:31001/authz", - "os_compute_api:servers:rebuild": "http://my_hostname:31001/authz", - "os_compute_api:servers:resize": "http://my_hostname:31001/authz", - "os_compute_api:servers:revert_resize": "http://my_hostname:31001/authz", - "os_compute_api:servers:show": "http://my_hostname:31001/authz", - "os_compute_api:servers:create_image": "", - "os_compute_api:servers:create_image:allow_volume_backed": "", - "os_compute_api:servers:start": "rule:admin_or_owner", - "os_compute_api:servers:stop": "rule:admin_or_owner", - "os_compute_api:os-access-ips:discoverable": "", - "os_compute_api:os-access-ips": "", - "os_compute_api:os-admin-actions": "rule:admin_api", - "os_compute_api:os-admin-actions:discoverable": "", - "os_compute_api:os-admin-actions:reset_network": "rule:admin_api", - "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api", - "os_compute_api:os-admin-actions:reset_state": "rule:admin_api", - "os_compute_api:os-admin-password": "", - "os_compute_api:os-admin-password:discoverable": "", - "os_compute_api:os-aggregates:discoverable": "", - "os_compute_api:os-aggregates:index": "rule:admin_api", - "os_compute_api:os-aggregates:create": "rule:admin_api", - "os_compute_api:os-aggregates:show": "rule:admin_api", - "os_compute_api:os-aggregates:update": "rule:admin_api", - "os_compute_api:os-aggregates:delete": "rule:admin_api", - "os_compute_api:os-aggregates:add_host": "rule:admin_api", - "os_compute_api:os-aggregates:remove_host": "rule:admin_api", - "os_compute_api:os-aggregates:set_metadata": "rule:admin_api", - "os_compute_api:os-agents": "rule:admin_api", - "os_compute_api:os-agents:discoverable": "", - "os_compute_api:os-attach-interfaces": "", - "os_compute_api:os-attach-interfaces:discoverable": "", - "os_compute_api:os-baremetal-nodes": "rule:admin_api", - "os_compute_api:os-baremetal-nodes:discoverable": "", - "os_compute_api:os-block-device-mapping-v1:discoverable": "", - "os_compute_api:os-cells": "rule:admin_api", - "os_compute_api:os-cells:create": "rule:admin_api", - "os_compute_api:os-cells:delete": "rule:admin_api", - "os_compute_api:os-cells:update": "rule:admin_api", - "os_compute_api:os-cells:sync_instances": "rule:admin_api", - "os_compute_api:os-cells:discoverable": "", - "os_compute_api:os-certificates:create": "", - "os_compute_api:os-certificates:show": "", - "os_compute_api:os-certificates:discoverable": "", - "os_compute_api:os-cloudpipe": "rule:admin_api", - "os_compute_api:os-cloudpipe:discoverable": "", - "os_compute_api:os-config-drive": "", - "os_compute_api:os-consoles:discoverable": "", - "os_compute_api:os-consoles:create": "", - "os_compute_api:os-consoles:delete": "", - "os_compute_api:os-consoles:index": "", - "os_compute_api:os-consoles:show": "", - "os_compute_api:os-console-output:discoverable": "", - "os_compute_api:os-console-output": "", - "os_compute_api:os-remote-consoles": "", - "os_compute_api:os-remote-consoles:discoverable": "", - "os_compute_api:os-create-backup:discoverable": "", - "os_compute_api:os-create-backup": "rule:admin_or_owner", - "os_compute_api:os-deferred-delete": "", - "os_compute_api:os-deferred-delete:discoverable": "", - "os_compute_api:os-disk-config": "", - "os_compute_api:os-disk-config:discoverable": "", - "os_compute_api:os-evacuate": "rule:admin_api", - "os_compute_api:os-evacuate:discoverable": "", - "os_compute_api:os-extended-server-attributes": "rule:admin_api", - "os_compute_api:os-extended-server-attributes:discoverable": "", - "os_compute_api:os-extended-status": "", - "os_compute_api:os-extended-status:discoverable": "", - "os_compute_api:os-extended-availability-zone": "", - "os_compute_api:os-extended-availability-zone:discoverable": "", - "os_compute_api:extensions": "", - "os_compute_api:extension_info:discoverable": "", - "os_compute_api:os-extended-volumes": "", - "os_compute_api:os-extended-volumes:discoverable": "", - "os_compute_api:os-fixed-ips": "rule:admin_api", - "os_compute_api:os-fixed-ips:discoverable": "", - "os_compute_api:os-flavor-access": "", - "os_compute_api:os-flavor-access:discoverable": "", - "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api", - "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api", - "os_compute_api:os-flavor-rxtx": "", - "os_compute_api:os-flavor-rxtx:discoverable": "", - "os_compute_api:flavors:discoverable": "", - "os_compute_api:os-flavor-extra-specs:discoverable": "", - "os_compute_api:os-flavor-extra-specs:index": "", - "os_compute_api:os-flavor-extra-specs:show": "", - "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api", - "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api", - "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api", - "os_compute_api:os-flavor-manage:discoverable": "", - "os_compute_api:os-flavor-manage": "rule:admin_api", - "os_compute_api:os-floating-ip-dns": "", - "os_compute_api:os-floating-ip-dns:discoverable": "", - "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api", - "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api", - "os_compute_api:os-floating-ip-pools": "", - "os_compute_api:os-floating-ip-pools:discoverable": "", - "os_compute_api:os-floating-ips": "", - "os_compute_api:os-floating-ips:discoverable": "", - "os_compute_api:os-floating-ips-bulk": "rule:admin_api", - "os_compute_api:os-floating-ips-bulk:discoverable": "", - "os_compute_api:os-fping": "", - "os_compute_api:os-fping:discoverable": "", - "os_compute_api:os-fping:all_tenants": "rule:admin_api", - "os_compute_api:os-hide-server-addresses": "is_admin:False", - "os_compute_api:os-hide-server-addresses:discoverable": "", - "os_compute_api:os-hosts": "rule:admin_api", - "os_compute_api:os-hosts:discoverable": "", - "os_compute_api:os-hypervisors": "rule:admin_api", - "os_compute_api:os-hypervisors:discoverable": "", - "os_compute_api:images:discoverable": "", - "os_compute_api:image-size": "", - "os_compute_api:image-size:discoverable": "", - "os_compute_api:os-instance-actions": "", - "os_compute_api:os-instance-actions:discoverable": "", - "os_compute_api:os-instance-actions:events": "rule:admin_api", - "os_compute_api:os-instance-usage-audit-log": "rule:admin_api", - "os_compute_api:os-instance-usage-audit-log:discoverable": "", - "os_compute_api:ips:discoverable": "", - "os_compute_api:ips:index": "rule:admin_or_owner", - "os_compute_api:ips:show": "rule:admin_or_owner", - "os_compute_api:os-keypairs:discoverable": "", - "os_compute_api:os-keypairs": "", - "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:limits:discoverable": "", - "os_compute_api:limits": "", - "os_compute_api:os-lock-server:discoverable": "", - "os_compute_api:os-lock-server:lock": "rule:admin_or_owner", - "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner", - "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api", - "os_compute_api:os-migrate-server:discoverable": "", - "os_compute_api:os-migrate-server:migrate": "rule:admin_api", - "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api", - "os_compute_api:os-multinic": "", - "os_compute_api:os-multinic:discoverable": "", - "os_compute_api:os-networks": "rule:admin_api", - "os_compute_api:os-networks:view": "", - "os_compute_api:os-networks:discoverable": "", - "os_compute_api:os-networks-associate": "rule:admin_api", - "os_compute_api:os-networks-associate:discoverable": "", - "os_compute_api:os-pause-server:discoverable": "", - "os_compute_api:os-pause-server:pause": "rule:admin_or_owner", - "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner", - "os_compute_api:os-pci:pci_servers": "", - "os_compute_api:os-pci:discoverable": "", - "os_compute_api:os-pci:index": "rule:admin_api", - "os_compute_api:os-pci:detail": "rule:admin_api", - "os_compute_api:os-pci:show": "rule:admin_api", - "os_compute_api:os-personality:discoverable": "", - "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "", - "os_compute_api:os-quota-sets:discoverable": "", - "os_compute_api:os-quota-sets:show": "rule:admin_or_owner", - "os_compute_api:os-quota-sets:defaults": "", - "os_compute_api:os-quota-sets:update": "rule:admin_api", - "os_compute_api:os-quota-sets:delete": "rule:admin_api", - "os_compute_api:os-quota-sets:detail": "rule:admin_api", - "os_compute_api:os-quota-class-sets:update": "rule:admin_api", - "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s", - "os_compute_api:os-quota-class-sets:discoverable": "", - "os_compute_api:os-rescue": "", - "os_compute_api:os-rescue:discoverable": "", - "os_compute_api:os-scheduler-hints:discoverable": "", - "os_compute_api:os-security-group-default-rules:discoverable": "", - "os_compute_api:os-security-group-default-rules": "rule:admin_api", - "os_compute_api:os-security-groups": "", - "os_compute_api:os-security-groups:discoverable": "", - "os_compute_api:os-server-diagnostics": "rule:admin_api", - "os_compute_api:os-server-diagnostics:discoverable": "", - "os_compute_api:os-server-password": "", - "os_compute_api:os-server-password:discoverable": "", - "os_compute_api:os-server-usage": "", - "os_compute_api:os-server-usage:discoverable": "", - "os_compute_api:os-server-groups": "", - "os_compute_api:os-server-groups:discoverable": "", - "os_compute_api:os-services": "rule:admin_api", - "os_compute_api:os-services:discoverable": "", - "os_compute_api:server-metadata:discoverable": "", - "os_compute_api:server-metadata:index": "rule:admin_or_owner", - "os_compute_api:server-metadata:show": "rule:admin_or_owner", - "os_compute_api:server-metadata:delete": "rule:admin_or_owner", - "os_compute_api:server-metadata:create": "rule:admin_or_owner", - "os_compute_api:server-metadata:update": "rule:admin_or_owner", - "os_compute_api:server-metadata:update_all": "rule:admin_or_owner", - "os_compute_api:servers:discoverable": "", - "os_compute_api:os-shelve:shelve": "", - "os_compute_api:os-shelve:shelve:discoverable": "", - "os_compute_api:os-shelve:shelve_offload": "rule:admin_api", - "os_compute_api:os-simple-tenant-usage:discoverable": "", - "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner", - "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api", - "os_compute_api:os-suspend-server:discoverable": "", - "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner", - "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner", - "os_compute_api:os-tenant-networks": "rule:admin_or_owner", - "os_compute_api:os-tenant-networks:discoverable": "", - "os_compute_api:os-shelve:unshelve": "", - "os_compute_api:os-user-data:discoverable": "", - "os_compute_api:os-virtual-interfaces": "", - "os_compute_api:os-virtual-interfaces:discoverable": "", - "os_compute_api:os-volumes": "", - "os_compute_api:os-volumes:discoverable": "", - "os_compute_api:os-volumes-attachments:index": "", - "os_compute_api:os-volumes-attachments:show": "", - "os_compute_api:os-volumes-attachments:create": "", - "os_compute_api:os-volumes-attachments:update": "", - "os_compute_api:os-volumes-attachments:delete": "", - "os_compute_api:os-volumes-attachments:discoverable": "", - "os_compute_api:os-availability-zone:list": "", - "os_compute_api:os-availability-zone:discoverable": "", - "os_compute_api:os-availability-zone:detail": "rule:admin_api", - "os_compute_api:os-used-limits": "rule:admin_api", - "os_compute_api:os-used-limits:discoverable": "", - "os_compute_api:os-migrations:index": "rule:admin_api", - "os_compute_api:os-migrations:discoverable": "", - "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api", - "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api", - "os_compute_api:os-assisted-volume-snapshots:discoverable": "", - "os_compute_api:os-console-auth-tokens": "rule:admin_api", - "os_compute_api:os-server-external-events:create": "rule:admin_api" -} diff --git a/templates/openstack/glance/policy.json b/templates/openstack/glance/policy.json new file mode 100644 index 00000000..5505f67f --- /dev/null +++ b/templates/openstack/glance/policy.json @@ -0,0 +1,62 @@ +{ + "context_is_admin": "role:admin", + "default": "role:admin", + + "add_image": "http://my_hostname:31001/authz", + "delete_image": "http://my_hostname:31001/authz", + "get_image": "http://my_hostname:31001/authz", + "get_images": "http://my_hostname:31001/authz", + "modify_image": "http://my_hostname:31001/authz", + "publicize_image": "role:admin", + "communitize_image": "", + "copy_from": "", + + "download_image": "", + "upload_image": "", + + "delete_image_location": "", + "get_image_location": "", + "set_image_location": "", + + "add_member": "", + "delete_member": "", + "get_member": "", + "get_members": "", + "modify_member": "", + + "manage_image_cache": "role:admin", + + "get_task": "role:admin", + "get_tasks": "role:admin", + "add_task": "role:admin", + "modify_task": "role:admin", + + "deactivate": "", + "reactivate": "", + + "get_metadef_namespace": "", + "get_metadef_namespaces":"", + "modify_metadef_namespace":"", + "add_metadef_namespace":"", + + "get_metadef_object":"", + "get_metadef_objects":"", + "modify_metadef_object":"", + "add_metadef_object":"", + + "list_metadef_resource_types":"", + "get_metadef_resource_type":"", + "add_metadef_resource_type_association":"", + + "get_metadef_property":"", + "get_metadef_properties":"", + "modify_metadef_property":"", + "add_metadef_property":"", + + "get_metadef_tag":"", + "get_metadef_tags":"", + "modify_metadef_tag":"", + "add_metadef_tag":"", + "add_metadef_tags":"" + +} diff --git a/templates/openstack/nova/policy.json b/templates/openstack/nova/policy.json new file mode 100644 index 00000000..29763ce3 --- /dev/null +++ b/templates/openstack/nova/policy.json @@ -0,0 +1,488 @@ +{ + "context_is_admin": "role:admin", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", + + "cells_scheduler_filter:TargetCellFilter": "is_admin:True", + + "compute:create": "http://my_hostname:31001/authz", + "compute:create:attach_network": "", + "compute:create:attach_volume": "", + "compute:create:forced_host": "is_admin:True", + + "compute:get": "http://my_hostname:31001/authz", + "compute:get_all": "http://my_hostname:31001/authz", + "compute:get_all_tenants": "is_admin:True", + + "compute:update": "", + + "compute:get_instance_metadata": "", + "compute:get_all_instance_metadata": "", + "compute:get_all_instance_system_metadata": "", + "compute:update_instance_metadata": "", + "compute:delete_instance_metadata": "", + + "compute:get_instance_faults": "", + "compute:get_diagnostics": "", + "compute:get_instance_diagnostics": "", + + "compute:start": "rule:admin_or_owner", + "compute:stop": "rule:admin_or_owner", + + "compute:get_lock": "", + "compute:lock": "rule:admin_or_owner", + "compute:unlock": "rule:admin_or_owner", + "compute:unlock_override": "rule:admin_api", + + "compute:get_vnc_console": "", + "compute:get_spice_console": "", + "compute:get_rdp_console": "", + "compute:get_serial_console": "", + "compute:get_mks_console": "", + "compute:get_console_output": "", + + "compute:reset_network": "", + "compute:inject_network_info": "", + "compute:add_fixed_ip": "", + "compute:remove_fixed_ip": "", + + "compute:attach_volume": "", + "compute:detach_volume": "", + "compute:swap_volume": "", + + "compute:attach_interface": "", + "compute:detach_interface": "", + + "compute:set_admin_password": "", + + "compute:rescue": "", + "compute:unrescue": "", + + "compute:suspend": "", + "compute:resume": "", + + "compute:pause": "", + "compute:unpause": "", + + "compute:shelve": "", + "compute:shelve_offload": "", + "compute:unshelve": "", + + "compute:snapshot": "", + "compute:snapshot_volume_backed": "", + "compute:backup": "", + + "compute:resize": "", + "compute:confirm_resize": "", + "compute:revert_resize": "", + + "compute:rebuild": "", + "compute:reboot": "", + "compute:delete": "rule:admin_or_owner", + "compute:soft_delete": "rule:admin_or_owner", + "compute:force_delete": "rule:admin_or_owner", + + "compute:security_groups:add_to_instance": "", + "compute:security_groups:remove_from_instance": "", + + "compute:delete": "", + "compute:soft_delete": "", + "compute:force_delete": "", + "compute:restore": "", + + "compute:volume_snapshot_create": "", + "compute:volume_snapshot_delete": "", + + "admin_api": "is_admin:True", + "compute_extension:accounts": "rule:admin_api", + "compute_extension:admin_actions": "rule:admin_api", + "compute_extension:admin_actions:pause": "rule:admin_or_owner", + "compute_extension:admin_actions:unpause": "rule:admin_or_owner", + "compute_extension:admin_actions:suspend": "rule:admin_or_owner", + "compute_extension:admin_actions:resume": "rule:admin_or_owner", + "compute_extension:admin_actions:lock": "rule:admin_or_owner", + "compute_extension:admin_actions:unlock": "rule:admin_or_owner", + "compute_extension:admin_actions:resetNetwork": "rule:admin_api", + "compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api", + "compute_extension:admin_actions:createBackup": "rule:admin_or_owner", + "compute_extension:admin_actions:migrateLive": "rule:admin_api", + "compute_extension:admin_actions:resetState": "rule:admin_api", + "compute_extension:admin_actions:migrate": "rule:admin_api", + "compute_extension:aggregates": "rule:admin_api", + "compute_extension:agents": "rule:admin_api", + "compute_extension:attach_interfaces": "", + "compute_extension:baremetal_nodes": "rule:admin_api", + "compute_extension:cells": "rule:admin_api", + "compute_extension:cells:create": "rule:admin_api", + "compute_extension:cells:delete": "rule:admin_api", + "compute_extension:cells:update": "rule:admin_api", + "compute_extension:cells:sync_instances": "rule:admin_api", + "compute_extension:certificates": "", + "compute_extension:cloudpipe": "rule:admin_api", + "compute_extension:cloudpipe_update": "rule:admin_api", + "compute_extension:config_drive": "", + "compute_extension:console_output": "", + "compute_extension:consoles": "", + "compute_extension:createserverext": "", + "compute_extension:deferred_delete": "", + "compute_extension:disk_config": "", + "compute_extension:evacuate": "rule:admin_api", + "compute_extension:extended_server_attributes": "rule:admin_api", + "compute_extension:extended_status": "", + "compute_extension:extended_availability_zone": "", + "compute_extension:extended_ips": "", + "compute_extension:extended_ips_mac": "", + "compute_extension:extended_vif_net": "", + "compute_extension:extended_volumes": "", + "compute_extension:fixed_ips": "rule:admin_api", + "compute_extension:flavor_access": "", + "compute_extension:flavor_access:addTenantAccess": "rule:admin_api", + "compute_extension:flavor_access:removeTenantAccess": "rule:admin_api", + "compute_extension:flavor_disabled": "", + "compute_extension:flavor_rxtx": "", + "compute_extension:flavor_swap": "", + "compute_extension:flavorextradata": "", + "compute_extension:flavorextraspecs:index": "", + "compute_extension:flavorextraspecs:show": "", + "compute_extension:flavorextraspecs:create": "rule:admin_api", + "compute_extension:flavorextraspecs:update": "rule:admin_api", + "compute_extension:flavorextraspecs:delete": "rule:admin_api", + "compute_extension:flavormanage": "rule:admin_api", + "compute_extension:floating_ip_dns": "", + "compute_extension:floating_ip_pools": "", + "compute_extension:floating_ips": "", + "compute_extension:floating_ips_bulk": "rule:admin_api", + "compute_extension:fping": "", + "compute_extension:fping:all_tenants": "rule:admin_api", + "compute_extension:hide_server_addresses": "is_admin:False", + "compute_extension:hosts": "rule:admin_api", + "compute_extension:hypervisors": "rule:admin_api", + "compute_extension:image_size": "", + "compute_extension:instance_actions": "", + "compute_extension:instance_actions:events": "rule:admin_api", + "compute_extension:instance_usage_audit_log": "rule:admin_api", + "compute_extension:keypairs": "", + "compute_extension:keypairs:index": "", + "compute_extension:keypairs:show": "", + "compute_extension:keypairs:create": "", + "compute_extension:keypairs:delete": "", + "compute_extension:multinic": "", + "compute_extension:networks": "rule:admin_api", + "compute_extension:networks:view": "", + "compute_extension:networks_associate": "rule:admin_api", + "compute_extension:os-tenant-networks": "", + "compute_extension:quotas:show": "", + "compute_extension:quotas:update": "rule:admin_api", + "compute_extension:quotas:delete": "rule:admin_api", + "compute_extension:quota_classes": "", + "compute_extension:rescue": "", + "compute_extension:security_group_default_rules": "rule:admin_api", + "compute_extension:security_groups": "", + "compute_extension:server_diagnostics": "rule:admin_api", + "compute_extension:server_groups": "", + "compute_extension:server_password": "", + "compute_extension:server_usage": "", + "compute_extension:services": "rule:admin_api", + "compute_extension:shelve": "", + "compute_extension:shelveOffload": "rule:admin_api", + "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner", + "compute_extension:simple_tenant_usage:list": "rule:admin_api", + "compute_extension:unshelve": "", + "compute_extension:users": "rule:admin_api", + "compute_extension:virtual_interfaces": "", + "compute_extension:virtual_storage_arrays": "", + "compute_extension:volumes": "", + "compute_extension:volume_attachments:index": "", + "compute_extension:volume_attachments:show": "", + "compute_extension:volume_attachments:create": "", + "compute_extension:volume_attachments:update": "", + "compute_extension:volume_attachments:delete": "", + "compute_extension:volumetypes": "", + "compute_extension:availability_zone:list": "", + "compute_extension:availability_zone:detail": "rule:admin_api", + "compute_extension:used_limits_for_admin": "rule:admin_api", + "compute_extension:migrations:index": "rule:admin_api", + "compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api", + "compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api", + "compute_extension:console_auth_tokens": "rule:admin_api", + "compute_extension:os-server-external-events:create": "rule:admin_api", + + "network:get_all": "", + "network:get": "", + "network:create": "", + "network:delete": "", + "network:associate": "", + "network:disassociate": "", + "network:get_vifs_by_instance": "", + "network:allocate_for_instance": "", + "network:deallocate_for_instance": "", + "network:validate_networks": "", + "network:get_instance_uuids_by_ip_filter": "", + "network:get_instance_id_by_floating_address": "", + "network:setup_networks_on_host": "", + "network:get_backdoor_port": "", + + "network:get_floating_ip": "", + "network:get_floating_ip_pools": "", + "network:get_floating_ip_by_address": "", + "network:get_floating_ips_by_project": "", + "network:get_floating_ips_by_fixed_address": "", + "network:allocate_floating_ip": "", + "network:associate_floating_ip": "", + "network:disassociate_floating_ip": "", + "network:release_floating_ip": "", + "network:migrate_instance_start": "", + "network:migrate_instance_finish": "", + + "network:get_fixed_ip": "", + "network:get_fixed_ip_by_address": "", + "network:add_fixed_ip_to_instance": "", + "network:remove_fixed_ip_from_instance": "", + "network:add_network_to_project": "", + "network:get_instance_nw_info": "", + + "network:get_dns_domains": "", + "network:add_dns_entry": "", + "network:modify_dns_entry": "", + "network:delete_dns_entry": "", + "network:get_dns_entries_by_address": "", + "network:get_dns_entries_by_name": "", + "network:create_private_dns_domain": "", + "network:create_public_dns_domain": "", + "network:delete_dns_domain": "", + "network:attach_external_network": "rule:admin_api", + "network:get_vif_by_mac_address": "", + + "os_compute_api:servers:detail:get_all_tenants": "is_admin:True", + "os_compute_api:servers:index:get_all_tenants": "is_admin:True", + "os_compute_api:servers:confirm_resize": "", + "os_compute_api:servers:create": "http://my_hostname:31001/authz", + "os_compute_api:servers:create:attach_network": "", + "os_compute_api:servers:create:attach_volume": "", + "os_compute_api:servers:create:forced_host": "rule:admin_api", + "os_compute_api:servers:delete": "http://my_hostname:31001/authz", + "os_compute_api:servers:update": "http://my_hostname:31001/authz", + "os_compute_api:servers:detail": "http://my_hostname:31001/authz", + "os_compute_api:servers:index": "http://my_hostname:31001/authz", + "os_compute_api:servers:reboot": "http://my_hostname:31001/authz", + "os_compute_api:servers:rebuild": "http://my_hostname:31001/authz", + "os_compute_api:servers:resize": "http://my_hostname:31001/authz", + "os_compute_api:servers:revert_resize": "http://my_hostname:31001/authz", + "os_compute_api:servers:show": "http://my_hostname:31001/authz", + "os_compute_api:servers:create_image": "", + "os_compute_api:servers:create_image:allow_volume_backed": "", + "os_compute_api:servers:start": "rule:admin_or_owner", + "os_compute_api:servers:stop": "rule:admin_or_owner", + "os_compute_api:os-access-ips:discoverable": "", + "os_compute_api:os-access-ips": "", + "os_compute_api:os-admin-actions": "rule:admin_api", + "os_compute_api:os-admin-actions:discoverable": "", + "os_compute_api:os-admin-actions:reset_network": "rule:admin_api", + "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api", + "os_compute_api:os-admin-actions:reset_state": "rule:admin_api", + "os_compute_api:os-admin-password": "", + "os_compute_api:os-admin-password:discoverable": "", + "os_compute_api:os-aggregates:discoverable": "", + "os_compute_api:os-aggregates:index": "rule:admin_api", + "os_compute_api:os-aggregates:create": "rule:admin_api", + "os_compute_api:os-aggregates:show": "rule:admin_api", + "os_compute_api:os-aggregates:update": "rule:admin_api", + "os_compute_api:os-aggregates:delete": "rule:admin_api", + "os_compute_api:os-aggregates:add_host": "rule:admin_api", + "os_compute_api:os-aggregates:remove_host": "rule:admin_api", + "os_compute_api:os-aggregates:set_metadata": "rule:admin_api", + "os_compute_api:os-agents": "rule:admin_api", + "os_compute_api:os-agents:discoverable": "", + "os_compute_api:os-attach-interfaces": "", + "os_compute_api:os-attach-interfaces:discoverable": "", + "os_compute_api:os-baremetal-nodes": "rule:admin_api", + "os_compute_api:os-baremetal-nodes:discoverable": "", + "os_compute_api:os-block-device-mapping-v1:discoverable": "", + "os_compute_api:os-cells": "rule:admin_api", + "os_compute_api:os-cells:create": "rule:admin_api", + "os_compute_api:os-cells:delete": "rule:admin_api", + "os_compute_api:os-cells:update": "rule:admin_api", + "os_compute_api:os-cells:sync_instances": "rule:admin_api", + "os_compute_api:os-cells:discoverable": "", + "os_compute_api:os-certificates:create": "", + "os_compute_api:os-certificates:show": "", + "os_compute_api:os-certificates:discoverable": "", + "os_compute_api:os-cloudpipe": "rule:admin_api", + "os_compute_api:os-cloudpipe:discoverable": "", + "os_compute_api:os-config-drive": "", + "os_compute_api:os-consoles:discoverable": "", + "os_compute_api:os-consoles:create": "", + "os_compute_api:os-consoles:delete": "", + "os_compute_api:os-consoles:index": "", + "os_compute_api:os-consoles:show": "", + "os_compute_api:os-console-output:discoverable": "", + "os_compute_api:os-console-output": "", + "os_compute_api:os-remote-consoles": "", + "os_compute_api:os-remote-consoles:discoverable": "", + "os_compute_api:os-create-backup:discoverable": "", + "os_compute_api:os-create-backup": "rule:admin_or_owner", + "os_compute_api:os-deferred-delete": "", + "os_compute_api:os-deferred-delete:discoverable": "", + "os_compute_api:os-disk-config": "", + "os_compute_api:os-disk-config:discoverable": "", + "os_compute_api:os-evacuate": "rule:admin_api", + "os_compute_api:os-evacuate:discoverable": "", + "os_compute_api:os-extended-server-attributes": "rule:admin_api", + "os_compute_api:os-extended-server-attributes:discoverable": "", + "os_compute_api:os-extended-status": "", + "os_compute_api:os-extended-status:discoverable": "", + "os_compute_api:os-extended-availability-zone": "", + "os_compute_api:os-extended-availability-zone:discoverable": "", + "os_compute_api:extensions": "", + "os_compute_api:extension_info:discoverable": "", + "os_compute_api:os-extended-volumes": "", + "os_compute_api:os-extended-volumes:discoverable": "", + "os_compute_api:os-fixed-ips": "rule:admin_api", + "os_compute_api:os-fixed-ips:discoverable": "", + "os_compute_api:os-flavor-access": "", + "os_compute_api:os-flavor-access:discoverable": "", + "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api", + "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api", + "os_compute_api:os-flavor-rxtx": "", + "os_compute_api:os-flavor-rxtx:discoverable": "", + "os_compute_api:flavors:discoverable": "", + "os_compute_api:os-flavor-extra-specs:discoverable": "", + "os_compute_api:os-flavor-extra-specs:index": "", + "os_compute_api:os-flavor-extra-specs:show": "", + "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api", + "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api", + "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api", + "os_compute_api:os-flavor-manage:discoverable": "", + "os_compute_api:os-flavor-manage": "rule:admin_api", + "os_compute_api:os-floating-ip-dns": "", + "os_compute_api:os-floating-ip-dns:discoverable": "", + "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api", + "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api", + "os_compute_api:os-floating-ip-pools": "", + "os_compute_api:os-floating-ip-pools:discoverable": "", + "os_compute_api:os-floating-ips": "", + "os_compute_api:os-floating-ips:discoverable": "", + "os_compute_api:os-floating-ips-bulk": "rule:admin_api", + "os_compute_api:os-floating-ips-bulk:discoverable": "", + "os_compute_api:os-fping": "", + "os_compute_api:os-fping:discoverable": "", + "os_compute_api:os-fping:all_tenants": "rule:admin_api", + "os_compute_api:os-hide-server-addresses": "is_admin:False", + "os_compute_api:os-hide-server-addresses:discoverable": "", + "os_compute_api:os-hosts": "rule:admin_api", + "os_compute_api:os-hosts:discoverable": "", + "os_compute_api:os-hypervisors": "rule:admin_api", + "os_compute_api:os-hypervisors:discoverable": "", + "os_compute_api:images:discoverable": "", + "os_compute_api:image-size": "", + "os_compute_api:image-size:discoverable": "", + "os_compute_api:os-instance-actions": "", + "os_compute_api:os-instance-actions:discoverable": "", + "os_compute_api:os-instance-actions:events": "rule:admin_api", + "os_compute_api:os-instance-usage-audit-log": "rule:admin_api", + "os_compute_api:os-instance-usage-audit-log:discoverable": "", + "os_compute_api:ips:discoverable": "", + "os_compute_api:ips:index": "rule:admin_or_owner", + "os_compute_api:ips:show": "rule:admin_or_owner", + "os_compute_api:os-keypairs:discoverable": "", + "os_compute_api:os-keypairs": "", + "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:limits:discoverable": "", + "os_compute_api:limits": "", + "os_compute_api:os-lock-server:discoverable": "", + "os_compute_api:os-lock-server:lock": "rule:admin_or_owner", + "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner", + "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api", + "os_compute_api:os-migrate-server:discoverable": "", + "os_compute_api:os-migrate-server:migrate": "rule:admin_api", + "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api", + "os_compute_api:os-multinic": "", + "os_compute_api:os-multinic:discoverable": "", + "os_compute_api:os-networks": "rule:admin_api", + "os_compute_api:os-networks:view": "", + "os_compute_api:os-networks:discoverable": "", + "os_compute_api:os-networks-associate": "rule:admin_api", + "os_compute_api:os-networks-associate:discoverable": "", + "os_compute_api:os-pause-server:discoverable": "", + "os_compute_api:os-pause-server:pause": "rule:admin_or_owner", + "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner", + "os_compute_api:os-pci:pci_servers": "", + "os_compute_api:os-pci:discoverable": "", + "os_compute_api:os-pci:index": "rule:admin_api", + "os_compute_api:os-pci:detail": "rule:admin_api", + "os_compute_api:os-pci:show": "rule:admin_api", + "os_compute_api:os-personality:discoverable": "", + "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "", + "os_compute_api:os-quota-sets:discoverable": "", + "os_compute_api:os-quota-sets:show": "rule:admin_or_owner", + "os_compute_api:os-quota-sets:defaults": "", + "os_compute_api:os-quota-sets:update": "rule:admin_api", + "os_compute_api:os-quota-sets:delete": "rule:admin_api", + "os_compute_api:os-quota-sets:detail": "rule:admin_api", + "os_compute_api:os-quota-class-sets:update": "rule:admin_api", + "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s", + "os_compute_api:os-quota-class-sets:discoverable": "", + "os_compute_api:os-rescue": "", + "os_compute_api:os-rescue:discoverable": "", + "os_compute_api:os-scheduler-hints:discoverable": "", + "os_compute_api:os-security-group-default-rules:discoverable": "", + "os_compute_api:os-security-group-default-rules": "rule:admin_api", + "os_compute_api:os-security-groups": "", + "os_compute_api:os-security-groups:discoverable": "", + "os_compute_api:os-server-diagnostics": "rule:admin_api", + "os_compute_api:os-server-diagnostics:discoverable": "", + "os_compute_api:os-server-password": "", + "os_compute_api:os-server-password:discoverable": "", + "os_compute_api:os-server-usage": "", + "os_compute_api:os-server-usage:discoverable": "", + "os_compute_api:os-server-groups": "", + "os_compute_api:os-server-groups:discoverable": "", + "os_compute_api:os-services": "rule:admin_api", + "os_compute_api:os-services:discoverable": "", + "os_compute_api:server-metadata:discoverable": "", + "os_compute_api:server-metadata:index": "rule:admin_or_owner", + "os_compute_api:server-metadata:show": "rule:admin_or_owner", + "os_compute_api:server-metadata:delete": "rule:admin_or_owner", + "os_compute_api:server-metadata:create": "rule:admin_or_owner", + "os_compute_api:server-metadata:update": "rule:admin_or_owner", + "os_compute_api:server-metadata:update_all": "rule:admin_or_owner", + "os_compute_api:servers:discoverable": "", + "os_compute_api:os-shelve:shelve": "", + "os_compute_api:os-shelve:shelve:discoverable": "", + "os_compute_api:os-shelve:shelve_offload": "rule:admin_api", + "os_compute_api:os-simple-tenant-usage:discoverable": "", + "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner", + "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api", + "os_compute_api:os-suspend-server:discoverable": "", + "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner", + "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner", + "os_compute_api:os-tenant-networks": "rule:admin_or_owner", + "os_compute_api:os-tenant-networks:discoverable": "", + "os_compute_api:os-shelve:unshelve": "", + "os_compute_api:os-user-data:discoverable": "", + "os_compute_api:os-virtual-interfaces": "", + "os_compute_api:os-virtual-interfaces:discoverable": "", + "os_compute_api:os-volumes": "", + "os_compute_api:os-volumes:discoverable": "", + "os_compute_api:os-volumes-attachments:index": "", + "os_compute_api:os-volumes-attachments:show": "", + "os_compute_api:os-volumes-attachments:create": "", + "os_compute_api:os-volumes-attachments:update": "", + "os_compute_api:os-volumes-attachments:delete": "", + "os_compute_api:os-volumes-attachments:discoverable": "", + "os_compute_api:os-availability-zone:list": "", + "os_compute_api:os-availability-zone:discoverable": "", + "os_compute_api:os-availability-zone:detail": "rule:admin_api", + "os_compute_api:os-used-limits": "rule:admin_api", + "os_compute_api:os-used-limits:discoverable": "", + "os_compute_api:os-migrations:index": "rule:admin_api", + "os_compute_api:os-migrations:discoverable": "", + "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api", + "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api", + "os_compute_api:os-assisted-volume-snapshots:discoverable": "", + "os_compute_api:os-console-auth-tokens": "rule:admin_api", + "os_compute_api:os-server-external-events:create": "rule:admin_api" +} diff --git a/templates/python_unit_test/Dockerfile b/templates/python_unit_test/Dockerfile deleted file mode 100644 index b8fb5151..00000000 --- a/templates/python_unit_test/Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM python:3 - -RUN pip install pytest requests_mock requests --upgrade -ADD requirements.txt /root -RUN pip install -r /root/requirements.txt --upgrade - -ADD run_tests.sh /root -CMD ["sh", "/root/run_tests.sh"] \ No newline at end of file diff --git a/templates/python_unit_test/README.md b/templates/python_unit_test/README.md deleted file mode 100644 index 45d3a988..00000000 --- a/templates/python_unit_test/README.md +++ /dev/null @@ -1,8 +0,0 @@ -# Python Unit Test Docker - -## Build -- `docker image build -t wukongsun/moon_python_unit_test .` - -## Push to DockerHub -- `docker login --username=wukongsun` -- `docker image push wukongsun/moon_python_unit_test` \ No newline at end of file diff --git a/templates/python_unit_test/requirements.txt b/templates/python_unit_test/requirements.txt deleted file mode 100644 index b611b008..00000000 --- a/templates/python_unit_test/requirements.txt +++ /dev/null @@ -1,10 +0,0 @@ -kombu !=4.0.1,!=4.0.0 -oslo.messaging -oslo.config -oslo.log -vine -werkzeug -flask -requests -pytest -requests_mock \ No newline at end of file diff --git a/templates/python_unit_test/run_tests.sh b/templates/python_unit_test/run_tests.sh deleted file mode 100644 index 6c586f87..00000000 --- a/templates/python_unit_test/run_tests.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/env bash - -cd /data -pip3 install -r tests/unit_python/requirements.txt --upgrade -pip3 install . - -if [ -f /data/tests/unit_python/run_tests.sh ]; -then - bash /data/tests/unit_python/run_tests.sh; -fi - -cd /data/tests/unit_python -pytest . -- cgit 1.2.3-korg