From d182202fc6001983541504ed323d68479086317e Mon Sep 17 00:00:00 2001 From: WuKong Date: Sat, 22 Apr 2017 13:25:07 +0200 Subject: add moonv4 Change-Id: I247af788d0b0fb961fbc85416486b241eb1d807c Signed-off-by: WuKong --- moonv4/moon_authz/LICENSE | 204 ++++++++++ moonv4/moon_authz/MANIFEST.in | 9 + moonv4/moon_authz/README.rst | 9 + moonv4/moon_authz/moon_authz/__init__.py | 6 + moonv4/moon_authz/moon_authz/__main__.py | 3 + moonv4/moon_authz/moon_authz/api/__init__.py | 0 moonv4/moon_authz/moon_authz/api/authorization.py | 445 ++++++++++++++++++++++ moonv4/moon_authz/moon_authz/api/generic.py | 28 ++ moonv4/moon_authz/moon_authz/messenger.py | 63 +++ moonv4/moon_authz/moon_authz/server.py | 36 ++ moonv4/moon_authz/requirements.txt | 1 + moonv4/moon_authz/setup.py | 47 +++ 12 files changed, 851 insertions(+) create mode 100644 moonv4/moon_authz/LICENSE create mode 100644 moonv4/moon_authz/MANIFEST.in create mode 100644 moonv4/moon_authz/README.rst create mode 100644 moonv4/moon_authz/moon_authz/__init__.py create mode 100644 moonv4/moon_authz/moon_authz/__main__.py create mode 100644 moonv4/moon_authz/moon_authz/api/__init__.py create mode 100644 moonv4/moon_authz/moon_authz/api/authorization.py create mode 100644 moonv4/moon_authz/moon_authz/api/generic.py create mode 100644 moonv4/moon_authz/moon_authz/messenger.py create mode 100644 moonv4/moon_authz/moon_authz/server.py create mode 100644 moonv4/moon_authz/requirements.txt create mode 100644 moonv4/moon_authz/setup.py (limited to 'moonv4/moon_authz') diff --git a/moonv4/moon_authz/LICENSE b/moonv4/moon_authz/LICENSE new file mode 100644 index 00000000..4143aac2 --- /dev/null +++ b/moonv4/moon_authz/LICENSE @@ -0,0 +1,204 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +--- License for python-keystoneclient versions prior to 2.1 --- + +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. Neither the name of this project nor the names of its contributors may + be used to endorse or promote products derived from this software without + specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/moonv4/moon_authz/MANIFEST.in b/moonv4/moon_authz/MANIFEST.in new file mode 100644 index 00000000..1f674d50 --- /dev/null +++ b/moonv4/moon_authz/MANIFEST.in @@ -0,0 +1,9 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +include README.rst +include LICENSE +include setup.py +include requirements.txt diff --git a/moonv4/moon_authz/README.rst b/moonv4/moon_authz/README.rst new file mode 100644 index 00000000..ded4e99a --- /dev/null +++ b/moonv4/moon_authz/README.rst @@ -0,0 +1,9 @@ +Core module for the Moon project +================================ + +This package contains the core module for the Moon project +It is designed to provide authorization features to all OpenStack components. + +For any other information, refer to the parent project: + + https://git.opnfv.org/moon diff --git a/moonv4/moon_authz/moon_authz/__init__.py b/moonv4/moon_authz/moon_authz/__init__.py new file mode 100644 index 00000000..903c6518 --- /dev/null +++ b/moonv4/moon_authz/moon_authz/__init__.py @@ -0,0 +1,6 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +__version__ = "0.1.0" diff --git a/moonv4/moon_authz/moon_authz/__main__.py b/moonv4/moon_authz/moon_authz/__main__.py new file mode 100644 index 00000000..be483962 --- /dev/null +++ b/moonv4/moon_authz/moon_authz/__main__.py @@ -0,0 +1,3 @@ +from moon_authz.server import main + +main() diff --git a/moonv4/moon_authz/moon_authz/api/__init__.py b/moonv4/moon_authz/moon_authz/api/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/moonv4/moon_authz/moon_authz/api/authorization.py b/moonv4/moon_authz/moon_authz/api/authorization.py new file mode 100644 index 00000000..248a9565 --- /dev/null +++ b/moonv4/moon_authz/moon_authz/api/authorization.py @@ -0,0 +1,445 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import copy +import itertools +from oslo_log import log as logging +from oslo_config import cfg +from moon_utilities.security_functions import call, Context +from moon_utilities.misc import get_uuid_from_name +from moon_utilities import exceptions +from moon_db.core import PDPManager +from moon_db.core import ModelManager +from moon_db.core import PolicyManager + +# TODO (asteroide): +# - end the dev of the context +# - rebuild the authorization function according to the context +# - call the next security function +# - call the master if an element is absent + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF + + +class PDP: + + def __init__(self, context): + self.__context = context + + +class Authorization(object): + """ + Retrieve the current status of all components. + """ + + __version__ = "0.1.0" + pdp_id = None + meta_rule_id = None + keystone_project_id = None + + def __init__(self, component_id): + self.component_id = component_id + LOG.info("ext={}".format(component_id)) + for _id_value in component_id.split("_"): + LOG.info("_id_value={}".format(_id_value.split(":"))) + _type, _id = _id_value.split(":") + if _type == "pdp": + self.pdp_id = _id + elif _type == "metarule": + self.meta_rule_id = _id + elif _type == "project": + self.keystone_project_id = _id + # self.manager = IntraExtensionAdminManager + # self.context = {"id": self.component_id, "user_id": "admin"} + # self.aggregation_algorithm_dict = ConfigurationManager.driver.get_aggregation_algorithms_dict() + # self.__subjects = None + # self.__objects = None + # self.__actions = None + # self.__subject_scopes = None + # self.__object_scopes = None + # self.__action_scopes = None + # self.__subject_categories = None + # self.__object_categories = None + # self.__action_categories = None + # self.__subject_assignments = None + # self.__object_assignments = None + # self.__action_assignments = None + # self.__sub_meta_rules = None + # self.__rules = None + # self.aggregation_algorithm_id = None + + # @property + # def subjects(self): + # if not self.__subjects: + # self.__subjects = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_subjects", args={}) + # if "subjects" in self.__subjects: + # return self.__subjects + # else: + # LOG.error("An error occurred {}".format(self.__subjects)) + # return self.__subjects + # + # @property + # def objects(self): + # if not self.__objects: + # self.__objects = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_objects", args={}) + # if "objects" in self.__objects: + # return self.__objects + # else: + # LOG.error("An error occurred {}".format(self.__objects)) + # return self.__objects + # + # @property + # def actions(self): + # if not self.__actions: + # self.__actions = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_actions", args={}) + # if "actions" in self.__actions: + # return self.__actions + # else: + # LOG.error("An error occurred {}".format(self.__actions)) + # return self.__actions + # + # @property + # def subject_scopes(self): + # if not self.__subject_scopes: + # self.__subject_scopes = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_subject_scopes", args={}) + # if "subject_scopes" in self.__subject_scopes: + # return self.__subject_scopes + # else: + # LOG.error("An error occurred {}".format(self.__subject_scopes)) + # return self.__subject_scopes + # + # @property + # def object_scopes(self): + # if not self.__object_scopes: + # self.__object_scopes = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_object_scopes", args={}) + # if "object_scopes" in self.__object_scopes: + # return self.__object_scopes + # else: + # LOG.error("An error occurred {}".format(self.__object_scopes)) + # return self.__object_scopes + # + # @property + # def action_scopes(self): + # if not self.__action_scopes: + # self.__action_scopes = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_action_scopes", args={}) + # if "action_scopes" in self.__action_scopes: + # return self.__action_scopes + # else: + # LOG.error("An error occurred {}".format(self.__action_scopes)) + # return self.__action_scopes + # + # @property + # def subject_categories(self): + # if not self.__subject_categories: + # self.__subject_categories = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_subject_categories", args={}) + # if "subject_categories" in self.__subject_categories: + # return self.__subject_categories + # else: + # LOG.error("An error occurred {}".format(self.__subject_categories)) + # return self.__subject_categories + # + # @property + # def object_categories(self): + # if not self.__object_categories: + # self.__object_categories = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_object_categories", args={}) + # if "object_categories" in self.__object_categories: + # return self.__object_categories + # else: + # LOG.error("An error occurred {}".format(self.__object_categories)) + # return self.__object_categories + # + # @property + # def action_categories(self): + # if not self.__action_categories: + # self.__action_categories = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_action_categories", args={}) + # if "action_categories" in self.__action_categories: + # return self.__action_categories + # else: + # LOG.error("An error occurred {}".format(self.__action_categories)) + # return self.__action_categories + # + # @property + # def subject_assignments(self): + # if not self.__subject_assignments: + # context = copy.deepcopy(self.context) + # context['sid'] = None + # context['scid'] = None + # args = {'ssid': None} + # self.__subject_assignments = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=context, + # method="get_subject_assignments", args=args) + # if "subject_assignments" in self.__subject_assignments: + # return self.__subject_assignments + # else: + # LOG.error("An error occurred {}".format(self.__subject_assignments)) + # return self.__subject_assignments + # + # @property + # def object_assignments(self): + # if not self.__object_assignments: + # context = copy.deepcopy(self.context) + # context['sid'] = None + # context['scid'] = None + # args = {'ssid': None} + # self.__object_assignments = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=context, + # method="get_object_assignments", args=args) + # if "object_assignments" in self.__object_assignments: + # return self.__object_assignments + # else: + # LOG.error("An error occurred {}".format(self.__object_assignments)) + # return self.__object_assignments + # + # @property + # def action_assignments(self): + # if not self.__action_assignments: + # context = copy.deepcopy(self.context) + # context['sid'] = None + # context['scid'] = None + # args = {'ssid': None} + # self.__action_assignments = call("moon_secpolicy_{}".format(self.intra_extension_id), ctx=context, + # method="get_action_assignments", args=args) + # if "action_assignments" in self.__action_assignments: + # return self.__action_assignments + # else: + # LOG.error("An error occurred {}".format(self.__action_assignments)) + # return self.__action_assignments + # + # @property + # def sub_meta_rules(self): + # if not self.__sub_meta_rules: + # self.__sub_meta_rules = call("moon_secfunction_{}".format(self.intra_extension_id), ctx=self.context, + # method="get_sub_meta_rules", args={}) + # if "sub_meta_rules" in self.__sub_meta_rules: + # return self.__sub_meta_rules + # else: + # LOG.error("An error occurred {}".format(self.__sub_meta_rules)) + # return self.__sub_meta_rules + # + # @property + # def rules(self): + # if not self.__rules: + # self.__rules = dict() + # for _id, _value in self.sub_meta_rules["sub_meta_rules"].items(): + # context = copy.deepcopy(self.context) + # context["sub_meta_rule_id"] = _id + # __elements = call("moon_secfunction_{}".format(self.intra_extension_id), ctx=context, + # method="get_rules", args={}) + # if "rules" in __elements: + # self.__rules[_id] = __elements + # else: + # LOG.error("An error occurred {}".format(__elements)) + # return self.__rules + + # def __get_authz_buffer(self, subject_id, object_id, action_id): + # """ + # :param intra_extension_id: + # :param subject_id: + # :param object_id: + # :param action_id: + # :return: authz_buffer = { + # 'subject_id': xxx, + # 'object_id': yyy, + # 'action_id': zzz, + # 'subject_assignments': { + # 'subject_category1': [], + # 'subject_category2': [], + # ... + # }, + # 'object_assignments': {}, + # 'action_assignments': {}, + # } + # """ + # authz_buffer = dict() + # # Sometimes it is not the subject ID but the User Keystone ID, so, we have to check + # subjects_dict = copy.deepcopy(self.subjects) + # if subject_id not in subjects_dict["subjects"].keys(): + # for _subject_id in subjects_dict["subjects"]: + # if subjects_dict["subjects"][_subject_id]['keystone_id']: + # subject_id = _subject_id + # break + # authz_buffer['subject_id'] = subject_id + # authz_buffer['object_id'] = object_id + # authz_buffer['action_id'] = action_id + # meta_data_dict = dict() + # meta_data_dict["subject_categories"] = copy.deepcopy(self.subject_categories["subject_categories"]) + # meta_data_dict["object_categories"] = copy.deepcopy(self.object_categories["object_categories"]) + # meta_data_dict["action_categories"] = copy.deepcopy(self.action_categories["action_categories"]) + # subject_assignment_dict = copy.deepcopy(self.subject_assignments['subject_assignments'][subject_id]) + # LOG.info("__get_authz_buffer self.object_assignments['object_assignments']={}".format(self.object_assignments['object_assignments'])) + # LOG.info("__get_authz_buffer object_id={}".format(object_id)) + # object_assignment_dict = copy.deepcopy(self.object_assignments['object_assignments'][object_id]) + # action_assignment_dict = copy.deepcopy(self.action_assignments['action_assignments'][action_id]) + # + # authz_buffer['subject_assignments'] = dict() + # authz_buffer['object_assignments'] = dict() + # authz_buffer['action_assignments'] = dict() + # + # for _subject_category in meta_data_dict['subject_categories']: + # authz_buffer['subject_assignments'][_subject_category] = list(subject_assignment_dict[_subject_category]) + # for _object_category in meta_data_dict['object_categories']: + # authz_buffer['object_assignments'][_object_category] = list(object_assignment_dict[_object_category]) + # for _action_category in meta_data_dict['action_categories']: + # authz_buffer['action_assignments'][_action_category] = list(action_assignment_dict[_action_category]) + # return authz_buffer + # + # def __get_decision_dict(self, subject_id, object_id, action_id): + # """Check authorization for a particular action. + # + # :param intra_extension_id: UUID of an IntraExtension + # :param subject_id: subject UUID of the request + # :param object_id: object UUID of the request + # :param action_id: action UUID of the request + # :return: True or False or raise an exception + # :raises: + # """ + # authz_buffer = self.__get_authz_buffer(subject_id, object_id, action_id) + # decision_buffer = dict() + # + # meta_rule_dict = copy.deepcopy(self.sub_meta_rules['sub_meta_rules']) + # rules_dict = copy.deepcopy(self.rules) + # for sub_meta_rule_id in meta_rule_dict: + # if meta_rule_dict[sub_meta_rule_id]['algorithm'] == 'inclusion': + # decision_buffer[sub_meta_rule_id] = algorithms.inclusion( + # authz_buffer, + # meta_rule_dict[sub_meta_rule_id], + # rules_dict[sub_meta_rule_id]['rules'].values()) + # elif meta_rule_dict[sub_meta_rule_id]['algorithm'] == 'comparison': + # decision_buffer[sub_meta_rule_id] = algorithms.comparison( + # authz_buffer, + # meta_rule_dict[sub_meta_rule_id], + # rules_dict[sub_meta_rule_id]['rules'].values()) + # + # return decision_buffer + # + # def __authz(self, subject_id, object_id, action_id): + # decision = False + # decision_dict = dict() + # try: + # decision_dict = self.__get_decision_dict(subject_id, object_id, action_id) + # except (exceptions.SubjectUnknown, exceptions.ObjectUnknown, exceptions.ActionUnknown) as e: + # # maybe we need to synchronize with the master + # pass + # # if CONF.slave.slave_name and CONF.slave.master_url: + # # self.get_data_from_master() + # # decision_dict = self.__get_decision_dict(subject_id, object_id, action_id) + # + # try: + # # aggregation_algorithm_id = IntraExtensionAdminManager.get_aggregation_algorithm_id( + # # "admin", + # # self.intra_extension_id)['aggregation_algorithm'] + # if not self.aggregation_algorithm_id: + # self.aggregation_algorithm_id = self.intra_extension['aggregation_algorithm'] + # except Exception as e: + # LOG.error(e, exc_info=True) + # LOG.error(self.intra_extension) + # return { + # 'authz': False, + # 'comment': "Aggregation algorithm not set" + # } + # if self.aggregation_algorithm_dict[self.aggregation_algorithm_id]['name'] == 'all_true': + # decision = algorithms.all_true(decision_dict) + # elif self.aggregation_algorithm_dict[self.aggregation_algorithm_id]['name'] == 'one_true': + # decision = algorithms.one_true(decision_dict) + # if not decision_dict or not decision: + # raise exceptions.AuthzException("{} {}-{}-{}".format(self.intra_extension['id'], subject_id, action_id, object_id)) + # return { + # 'authz': decision, + # 'comment': "{} {}-{}-{}".format(self.intra_extension['id'], subject_id, action_id, object_id) + # } + # + # def authz_bak(self, ctx, args): + # """Return the authorization for a specific request + # + # :param ctx: { + # "subject_name" : "string name", + # "action_name" : "string name", + # "object_name" : "string name" + # } + # :param args: {} + # :return: { + # "authz": "True or False", + # "message": "optional message" + # } + # """ + # intra_extension_id = ctx["id"] + # try: + # subject_id = get_uuid_from_name(ctx["subject_name"], self.subjects['subjects']) + # object_id = get_uuid_from_name(ctx["object_name"], self.objects['objects']) + # action_id = get_uuid_from_name(ctx["action_name"], self.actions['actions']) + # authz_result = self.__authz(subject_id, object_id, action_id) + # return authz_result + # except Exception as e: + # LOG.error(e, exc_info=True) + # return {"authz": False, + # "error": str(e), + # "intra_extension_id": intra_extension_id, + # "ctx": ctx, "args": args} + # + # return {"authz": False} + + def __check_rules(self, context): + scopes_list = list() + current_header_id = context.headers[context.index]['id'] + current_pdp = context.pdp_set[current_header_id] + category_list = list() + category_list.extend(current_pdp["meta_rules"]["subject_categories"]) + category_list.extend(current_pdp["meta_rules"]["action_categories"]) + category_list.extend(current_pdp["meta_rules"]["object_categories"]) + for category in category_list: + if not current_pdp['target'][category]: + LOG.warning("Empty assignment detected: {} target={}".format(category, current_pdp['target'])) + return False, "Empty assignment detected..." + scopes_list.append(current_pdp['target'][category]) + scopes_list.append([True, ]) + rules = PolicyManager.get_rules_dict(user_id="admin", + policy_id=self.policy_id, + meta_rule_id=current_header_id).values() + for item in itertools.product(*scopes_list): + if list(item) in rules: + return True, "" + LOG.warning("No rule match the request...") + return False, "No rule match the request..." + + def authz(self, ctx, args): + LOG.info("authz {}".format(ctx)) + keystone_project_id = ctx["id"] + try: + if "authz_context" not in ctx: + ctx["authz_context"] = Context(keystone_project_id, + ctx["subject_name"], + ctx["object_name"], + ctx["action_name"], + ctx["request_id"]).to_dict() + LOG.info("Context={}".format(ctx["authz_context"])) + else: + ctx["authz_context"].index += 1 + result, message = self.__check_rules(ctx["authz_context"]) + # if ctx["authz_context"].index < len(ctx["authz_context"].headers): + del ctx["authz_context"] + return {"authz": result, + "error": message, + "pdp_id": self.pdp_id, + "ctx": ctx, "args": args} + except Exception as e: + try: + LOG.error(ctx["authz_context"]) + # del ctx["authz_context"] + except KeyError: + LOG.error("Cannot find \"authz_context\" in context") + LOG.error(e, exc_info=True) + return {"authz": False, + "error": str(e), + "pdp_id": self.pdp_id, + "ctx": ctx, "args": args} + diff --git a/moonv4/moon_authz/moon_authz/api/generic.py b/moonv4/moon_authz/moon_authz/api/generic.py new file mode 100644 index 00000000..db61188b --- /dev/null +++ b/moonv4/moon_authz/moon_authz/api/generic.py @@ -0,0 +1,28 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +class Status(object): + """ + Retrieve the current status of all components. + """ + + __version__ = "0.1.0" + + def get_status(self, ctx, args): + return {"status": "Running"} + + +class Logs(object): + """ + Retrieve the current status of all components. + """ + + __version__ = "0.1.0" + + def get_logs(self, ctx, args): + return {"error": "NotImplemented"} + + diff --git a/moonv4/moon_authz/moon_authz/messenger.py b/moonv4/moon_authz/moon_authz/messenger.py new file mode 100644 index 00000000..8ebd1633 --- /dev/null +++ b/moonv4/moon_authz/moon_authz/messenger.py @@ -0,0 +1,63 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from oslo_config import cfg +import oslo_messaging +import hashlib +import time +from oslo_log import log as logging +from moon_authz.api.generic import Status, Logs +from moon_authz.api.authorization import Authorization +from moon_utilities.security_functions import call +from moon_utilities.api import APIList + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF + + +class Server: + + def __init__(self, component_id, keystone_project_id): + self.TOPIC = "authz_"+hashlib.sha224(component_id.encode("utf-8")).hexdigest() + self.transport = oslo_messaging.get_transport(cfg.CONF) + self.target = oslo_messaging.Target(topic=self.TOPIC, server='moon_authz_server1') + # ctx = {'user_id': 'admin', 'id': component_id, 'method': 'get_intra_extensions'} + # if CONF.slave.slave_name: + # ctx['call_master'] = True + # intra_extension = call( + # endpoint="security_router", + # ctx=ctx, + # method='route', + # args={} + # ) + # if "intra_extensions" not in intra_extension: + # LOG.error("Error reading intra_extension from router") + # LOG.error("intra_extension: {}".format(intra_extension)) + # raise IntraExtensionUnknown + # component_id = list(intra_extension["intra_extensions"].keys())[0] + LOG.info("Starting MQ server with topic: {}".format(self.TOPIC)) + self.endpoints = [ + APIList((Status, Logs)), + Status(), + Logs(), + Authorization(component_id) + ] + self.server = oslo_messaging.get_rpc_server(self.transport, self.target, self.endpoints, + executor='threading', + access_policy=oslo_messaging.DefaultRPCAccessPolicy) + + def run(self): + try: + self.server.start() + while True: + time.sleep(1) + except KeyboardInterrupt: + print("Stopping server by crtl+c") + except SystemExit: + print("Stopping server") + + self.server.stop() + self.server.wait() + diff --git a/moonv4/moon_authz/moon_authz/server.py b/moonv4/moon_authz/moon_authz/server.py new file mode 100644 index 00000000..0c2a36ff --- /dev/null +++ b/moonv4/moon_authz/moon_authz/server.py @@ -0,0 +1,36 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +from oslo_config import cfg +from oslo_log import log as logging +# cfg.CONF.register_cli_opt(cfg.StrOpt('function_type', positional=True, +# help="The type of function managed by this component (example 'authz').")) +cfg.CONF.register_cli_opt(cfg.StrOpt('uuid', positional=True, + help="The ID of the component managed here.")) +cfg.CONF.register_cli_opt(cfg.StrOpt('keystone_project_id', positional=True, + help="The ID of the component managed here.")) +from moon_utilities import options # noqa +from moon_authz.messenger import Server + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF +DOMAIN = "moon_authz" + +__CWD__ = os.path.dirname(os.path.abspath(__file__)) + + +def main(): + component_id = CONF.uuid + keystone_project_id = CONF.keystone_project_id + # function_type = CONF.intra_extension_id.replace(component_id, "").strip('_') + LOG.info("Starting server with IP {} on component {}".format( + CONF.security_router.host, component_id)) + server = Server(component_id=component_id, keystone_project_id=keystone_project_id) + server.run() + + +if __name__ == '__main__': + main() diff --git a/moonv4/moon_authz/requirements.txt b/moonv4/moon_authz/requirements.txt new file mode 100644 index 00000000..8faf9439 --- /dev/null +++ b/moonv4/moon_authz/requirements.txt @@ -0,0 +1 @@ +kombu !=4.0.1,!=4.0.0 \ No newline at end of file diff --git a/moonv4/moon_authz/setup.py b/moonv4/moon_authz/setup.py new file mode 100644 index 00000000..a8dcd0c4 --- /dev/null +++ b/moonv4/moon_authz/setup.py @@ -0,0 +1,47 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from setuptools import setup, find_packages +import moon_authz + + +setup( + + name='moon_authz', + + version=moon_authz.__version__, + + packages=find_packages(), + + author="Thomas Duval", + + author_email="thomas.duval@orange.com", + + description="", + + long_description=open('README.rst').read(), + + # install_requires= , + + include_package_data=True, + + url='https://git.opnfv.org/moon', + + classifiers=[ + "Programming Language :: Python", + "Development Status :: 1 - Planning", + "License :: OSI Approved", + "Natural Language :: French", + "Operating System :: OS Independent", + "Programming Language :: Python :: 3", + ], + + entry_points={ + 'console_scripts': [ + 'moon_authz = moon_authz.server:main', + ], + } + +) -- cgit 1.2.3-korg