From ffd694ebadb1d3b4e140104f9f0a81837c0e7258 Mon Sep 17 00:00:00 2001 From: WuKong Date: Wed, 19 Jul 2017 10:23:25 +0200 Subject: add pip package Change-Id: I8b4d3fa24f6ad7c7f9bb5dc93279c4a48bb0fe86 Signed-off-by: WuKong --- moonv4/moon_router/LICENSE | 204 ++++++++++ moonv4/moon_router/MANIFEST.in | 9 + moonv4/moon_router/README.rst | 9 + moonv4/moon_router/doc/api-moon-secrouter.pdf | Bin 0 -> 195778 bytes moonv4/moon_router/doc/api.pdf | Bin 0 -> 195377 bytes moonv4/moon_router/moon_secrouter/__init__.py | 6 + moonv4/moon_router/moon_secrouter/__main__.py | 3 + moonv4/moon_router/moon_secrouter/api/__init__.py | 0 moonv4/moon_router/moon_secrouter/api/generic.py | 46 +++ moonv4/moon_router/moon_secrouter/api/route.py | 467 ++++++++++++++++++++++ moonv4/moon_router/moon_secrouter/messenger.py | 61 +++ moonv4/moon_router/moon_secrouter/server.py | 59 +++ moonv4/moon_router/requirements.txt | 6 + moonv4/moon_router/setup.py | 47 +++ moonv4/moon_router/tests/moon_db-0.1.0.tar.gz | Bin 0 -> 21423 bytes moonv4/moon_router/tests/moon_policy-0.1.0.tar.gz | Bin 0 -> 8640 bytes 16 files changed, 917 insertions(+) create mode 100644 moonv4/moon_router/LICENSE create mode 100644 moonv4/moon_router/MANIFEST.in create mode 100644 moonv4/moon_router/README.rst create mode 100644 moonv4/moon_router/doc/api-moon-secrouter.pdf create mode 100644 moonv4/moon_router/doc/api.pdf create mode 100644 moonv4/moon_router/moon_secrouter/__init__.py create mode 100644 moonv4/moon_router/moon_secrouter/__main__.py create mode 100644 moonv4/moon_router/moon_secrouter/api/__init__.py create mode 100644 moonv4/moon_router/moon_secrouter/api/generic.py create mode 100644 moonv4/moon_router/moon_secrouter/api/route.py create mode 100644 moonv4/moon_router/moon_secrouter/messenger.py create mode 100644 moonv4/moon_router/moon_secrouter/server.py create mode 100644 moonv4/moon_router/requirements.txt create mode 100644 moonv4/moon_router/setup.py create mode 100644 moonv4/moon_router/tests/moon_db-0.1.0.tar.gz create mode 100644 moonv4/moon_router/tests/moon_policy-0.1.0.tar.gz (limited to 'moonv4/moon_router') diff --git a/moonv4/moon_router/LICENSE b/moonv4/moon_router/LICENSE new file mode 100644 index 00000000..4143aac2 --- /dev/null +++ b/moonv4/moon_router/LICENSE @@ -0,0 +1,204 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +--- License for python-keystoneclient versions prior to 2.1 --- + +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. Neither the name of this project nor the names of its contributors may + be used to endorse or promote products derived from this software without + specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/moonv4/moon_router/MANIFEST.in b/moonv4/moon_router/MANIFEST.in new file mode 100644 index 00000000..1f674d50 --- /dev/null +++ b/moonv4/moon_router/MANIFEST.in @@ -0,0 +1,9 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +include README.rst +include LICENSE +include setup.py +include requirements.txt diff --git a/moonv4/moon_router/README.rst b/moonv4/moon_router/README.rst new file mode 100644 index 00000000..ded4e99a --- /dev/null +++ b/moonv4/moon_router/README.rst @@ -0,0 +1,9 @@ +Core module for the Moon project +================================ + +This package contains the core module for the Moon project +It is designed to provide authorization features to all OpenStack components. + +For any other information, refer to the parent project: + + https://git.opnfv.org/moon diff --git a/moonv4/moon_router/doc/api-moon-secrouter.pdf b/moonv4/moon_router/doc/api-moon-secrouter.pdf new file mode 100644 index 00000000..9ba75db0 Binary files /dev/null and b/moonv4/moon_router/doc/api-moon-secrouter.pdf differ diff --git a/moonv4/moon_router/doc/api.pdf b/moonv4/moon_router/doc/api.pdf new file mode 100644 index 00000000..b7d91293 Binary files /dev/null and b/moonv4/moon_router/doc/api.pdf differ diff --git a/moonv4/moon_router/moon_secrouter/__init__.py b/moonv4/moon_router/moon_secrouter/__init__.py new file mode 100644 index 00000000..903c6518 --- /dev/null +++ b/moonv4/moon_router/moon_secrouter/__init__.py @@ -0,0 +1,6 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +__version__ = "0.1.0" diff --git a/moonv4/moon_router/moon_secrouter/__main__.py b/moonv4/moon_router/moon_secrouter/__main__.py new file mode 100644 index 00000000..8ec695db --- /dev/null +++ b/moonv4/moon_router/moon_secrouter/__main__.py @@ -0,0 +1,3 @@ +from moon_secrouter.server import main + +main() diff --git a/moonv4/moon_router/moon_secrouter/api/__init__.py b/moonv4/moon_router/moon_secrouter/api/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/moonv4/moon_router/moon_secrouter/api/generic.py b/moonv4/moon_router/moon_secrouter/api/generic.py new file mode 100644 index 00000000..d066f715 --- /dev/null +++ b/moonv4/moon_router/moon_secrouter/api/generic.py @@ -0,0 +1,46 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +from moon_utilities.security_functions import call + + +class Status(object): + """ + Retrieve the current status of all components. + """ + + __version__ = "0.1.0" + + def __get_status(self, ctx, args={}): + return {"status": "Running"} + + def get_status(self, ctx, args={}): + status = dict() + if "component_id" in ctx and ctx["component_id"] == "security_router": + return {"security_router": self.__get_status(ctx, args)} + elif "component_id" in ctx and ctx["component_id"]: + # TODO (dthom): check if component exist + status[ctx["component_id"]] = call(ctx["component_id"], ctx, "get_status", args=args) + else: + # TODO (dthom): must get the status of all containers + status["orchestrator"] = call("orchestrator", ctx, "get_status", args=args) + status["security_router"] = self.__get_status(ctx, args) + return status + + +class Logs(object): + """ + Retrieve the current status of all components. + """ + + __version__ = "0.1.0" + + def get_logs(self, ctx, args={}): + logs = dict() + logs["orchestrator"] = call("orchestrator", ctx, "get_logs", args=args) + # TODO (dthom): must get the logs of all containers + logs["security_router"] = {"error": "Not implemented", "ctx": ctx, "args": args} + return logs + + diff --git a/moonv4/moon_router/moon_secrouter/api/route.py b/moonv4/moon_router/moon_secrouter/api/route.py new file mode 100644 index 00000000..2a2c54bc --- /dev/null +++ b/moonv4/moon_router/moon_secrouter/api/route.py @@ -0,0 +1,467 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import copy +import time +import itertools +from uuid import uuid4 +from oslo_log import log as logging +from moon_utilities.security_functions import call, notify +from oslo_config import cfg +from moon_secrouter.api.generic import Status, Logs + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF + +API = { + "orchestrator": ( + "add_container", + "delete_container", + "add_slave", + "get_slaves", + "delete_slave" + ), + # TODO (asteroide): need to check if some of those calls need (or not) to be called "update_" + "manager": ( + "get_subject_assignments", + "set_subject_assignment", + "delete_subject_assignment", + "get_object_assignments", + "set_object_assignment", + "delete_object_assignment", + "get_action_assignments", + "set_action_assignment", + "delete_action_assignment", + "get_subject_data", + "add_subject_data", + "delete_subject_data", + "get_object_data", + "add_object_data", + "delete_object_data", + "get_action_data", + "add_action_data", + "delete_action_data", + "get_subject_categories", + "set_subject_category", + "delete_subject_category", + "get_object_categories", + "set_object_category", + "delete_object_category", + "get_action_categories", + "set_action_category", + "delete_action_category", + "add_meta_rules", + "delete_meta_rules", + "get_meta_rules", + "set_meta_rules", + "get_models", + "add_model", + "delete_model", + "update_model", + "get_pdp", + "add_pdp", + "delete_pdp", + "update_pdp", + "get_subjects", + "set_subject", + "delete_subject", + "get_objects", + "set_object", + "delete_object", + "get_actions", + "set_action", + "delete_action", + "get_policies", + "add_policy", + "delete_policy", + "update_policy", + "get_subject_assignments", + "update_subject_assignment", + "delete_subject_assignment", + "get_object_assignments", + "update_object_assignment", + "delete_object_assignment", + "get_action_assignments", + "update_action_assignment", + "delete_action_assignment", + "get_rules", + "add_rule", + "delete_rule", + "update_from_master" + ), + "function": ( + "authz", + "return_authz", + ), +} + + +class Cache(object): + + # TODO (asteroide): set cache integer in CONF file + __UPDATE_INTERVAL = 10 + + __CONTAINERS = {} + __CONTAINERS_UPDATE = 0 + + __CONTAINER_CHAINING_UPDATE = 0 + __CONTAINER_CHAINING = {} + + __PDP = {} + __PDP_UPDATE = 0 + + __POLICIES = {} + __POLICIES_UPDATE = 0 + + __MODELS = {} + __MODELS_UPDATE = 0 + + __AUTHZ_REQUESTS = {} + + def update(self, component=None): + self.__update_container() + self.__update_pdp() + self.__update_policies() + self.__update_models() + for key, value in self.__PDP.items(): + LOG.info("Updating container_chaining with {}".format(value["keystone_project_id"])) + self.__update_container_chaining(value["keystone_project_id"]) + + @property + def authz_requests(self): + return self.__AUTHZ_REQUESTS + + def __update_pdp(self): + pdp = call("moon_manager", method="get_pdp", ctx={"user_id": "admin"}, args={}) + if not pdp["pdps"]: + LOG.info("Updating PDP through master") + pdp = call("moon_manager", method="get_pdp", + ctx={ + "user_id": "admin", + 'call_master': True + }, + args={}) + for _pdp in pdp["pdps"].values(): + if _pdp['keystone_project_id'] not in self.__CONTAINER_CHAINING: + self.__CONTAINER_CHAINING[_pdp['keystone_project_id']] = {} + # Note (asteroide): force update of chaining + self.__update_container_chaining(_pdp['keystone_project_id']) + for key, value in pdp["pdps"].items(): + self.__PDP[key] = value + + @property + def pdp(self): + current_time = time.time() + if self.__PDP_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_pdp() + self.__PDP_UPDATE = current_time + return self.__PDP + + def __update_policies(self): + policies = call("moon_manager", method="get_policies", ctx={"user_id": "admin"}, args={}) + for key, value in policies["policies"].items(): + self.__POLICIES[key] = value + + @property + def policies(self): + current_time = time.time() + if self.__POLICIES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_policies() + self.__POLICIES_UPDATE = current_time + return self.__POLICIES + + def __update_models(self): + models = call("moon_manager", method="get_models", ctx={"user_id": "admin"}, args={}) + for key, value in models["models"].items(): + self.__MODELS[key] = value + + @property + def models(self): + current_time = time.time() + if self.__MODELS_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_models() + self.__MODELS_UPDATE = current_time + return self.__MODELS + + def __update_container(self): + containers = call("orchestrator", method="get_container", ctx={}, args={}) + for key, value in containers["containers"].items(): + self.__CONTAINERS[key] = value + + @property + def container_chaining(self): + current_time = time.time() + if self.__CONTAINER_CHAINING_UPDATE + self.__UPDATE_INTERVAL < current_time: + for key, value in self.pdp.items(): + self.__update_container_chaining(value["keystone_project_id"]) + self.__CONTAINER_CHAINING_UPDATE = current_time + return self.__CONTAINER_CHAINING + + def __update_container_chaining(self, keystone_project_id): + container_ids = [] + for pdp_id, pdp_value, in CACHE.pdp.items(): + LOG.info("pdp_id, pdp_value = {}, {}".format(pdp_id, pdp_value)) + if pdp_value: + if pdp_value["keystone_project_id"] == keystone_project_id: + for policy_id in pdp_value["security_pipeline"]: + model_id = CACHE.policies[policy_id]['model_id'] + LOG.info("model_id = {}".format(model_id)) + LOG.info("CACHE = {}".format(CACHE.models[model_id])) + for meta_rule_id in CACHE.models[model_id]["meta_rules"]: + LOG.info("CACHE.containers = {}".format(CACHE.containers)) + for container_id, container_values, in CACHE.containers.items(): + LOG.info("container_id, container_values = {}".format(container_id, container_values)) + for container_value in container_values: + LOG.info("container_value[\"meta_rule_id\"] == meta_rule_id = {} {}".format(container_value["meta_rule_id"], meta_rule_id)) + if container_value["meta_rule_id"] == meta_rule_id: + container_ids.append( + { + "container_id": container_value["container_id"], + "genre": container_value["genre"] + } + ) + break + self.__CONTAINER_CHAINING[keystone_project_id] = container_ids + + @property + def containers(self): + """intra_extensions cache + example of content : + { + "pdp_uuid1": "component_uuid1", + "pdp_uuid2": "component_uuid2", + } + :return: + """ + current_time = time.time() + if self.__CONTAINERS_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_container() + self.__CONTAINERS_UPDATE = current_time + return self.__CONTAINERS + + +CACHE = Cache() + + +class AuthzRequest: + + result = None + req_max_delay = 2 + + def __init__(self, ctx, args): + self.ctx = ctx + self.args = args + self.request_id = ctx["request_id"] + if self.ctx['id'] not in CACHE.container_chaining: + LOG.warning("Unknown Project ID {}".format(self.ctx['id'])) + # TODO (asteroide): add a better exception handler + raise Exception("Unknown Project ID {}".format(self.ctx['id'])) + self.container_chaining = CACHE.container_chaining[self.ctx['id']] + ctx["container_chaining"] = copy.deepcopy(self.container_chaining) + LOG.info("self.container_chaining={}".format(self.container_chaining)) + self.pdp_container = self.container_chaining[0]["container_id"] + self.run() + + def run(self): + notify(request_id=self.request_id, container_id=self.pdp_container, payload=self.ctx) + cpt = 0 + while cpt < self.req_max_delay*10: + time.sleep(0.1) + cpt += 1 + if CACHE.authz_requests[self.request_id]: + self.result = CACHE.authz_requests[self.request_id] + return + LOG.warning("Request {} has timed out".format(self.request_id)) + + def is_authz(self): + if not self.result: + return False + authz_results = [] + for key in self.result["pdp_set"]: + if "effect" in self.result["pdp_set"][key]: + if self.result["pdp_set"][key]["effect"] == "grant": + # the pdp is a authorization PDP and grant the request + authz_results.append(True) + elif self.result["pdp_set"][key]["effect"] == "passed": + # the pdp is not a authorization PDP (session or delegation) and had run normally + authz_results.append(True) + elif self.result["pdp_set"][key]["effect"] == "unset": + # the pdp is not a authorization PDP (session or delegation) and had not yep run + authz_results.append(True) + else: + # the pdp is (or not) a authorization PDP and had run badly + authz_results.append(False) + if list(itertools.accumulate(authz_results, lambda x, y: x & y))[-1]: + self.result["pdp_set"]["effect"] = "grant" + if self.result: + if "pdp_set" in self.result and self.result["pdp_set"]["effect"] == "grant": + return True + return False + + +class Router(object): + """ + Route requests to all components. + """ + + __version__ = "0.1.0" + cache_requests = {} + + def __init__(self, add_master_cnx): + if CONF.slave.slave_name and add_master_cnx: + result = call('security_router', method="route", + ctx={ + "name": CONF.slave.slave_name, + "description": CONF.slave.slave_name, + "call_master": True, + "method": "add_slave"}, args={}) + if "result" in result and not result["result"]: + LOG.error("An error occurred when sending slave name {} {}".format( + CONF.slave.slave_name, result + )) + self.slave_id = list(result['slaves'].keys())[0] + result = call('security_router', method="route", + ctx={ + "name": CONF.slave.slave_name, + "description": CONF.slave.slave_name, + "call_master": True, + "method": "get_slaves"}, args={}) + if "result" in result and not result["result"]: + LOG.error("An error occurred when receiving slave names {} {}".format( + CONF.slave.slave_name, result + )) + LOG.info("SLAVES: {}".format(result)) + + def delete(self): + if CONF.slave.slave_name and self.slave_id: + result = call('security_router', method="route", + ctx={ + "name": CONF.slave.slave_name, + "description": CONF.slave.slave_name, + "call_master": True, + "method": "delete_slave", + "id": self.slave_id}, args={}) + if "result" in result and not result["result"]: + LOG.error("An error occurred when sending slave name {} {}".format( + CONF.slave.slave_name, result + )) + LOG.info("SLAVE CONNECTION ENDED!") + LOG.info(result) + + @staticmethod + def check_pdp(ctx): + _ctx = copy.deepcopy(ctx) + keystone_id = _ctx.pop('id') + # LOG.info("_ctx {}".format(_ctx)) + ext = call("moon_manager", method="get_pdp", ctx=_ctx, args={}) + # LOG.info("check_pdp {}".format(ext)) + if "error" in ext: + return False + keystone_id_list = map(lambda x: x["keystone_project_id"], ext['pdps'].values()) + if not ext['pdps'] or keystone_id not in keystone_id_list: + if CONF.slave.slave_name: + _ctx['call_master'] = True + # update from master if exist and test again + LOG.info("Need to update from master {}".format(keystone_id)) + ext = call("moon_manager", method="get_pdp", ctx=_ctx, args={}) + if "error" in ext: + return False + keystone_id_list = map(lambda x: x["keystone_project_id"], ext['pdps'].values()) + if not ext['pdps'] or keystone_id not in keystone_id_list: + return False + else: + # Must update from Master + _ctx["keystone_id"] = keystone_id + _ctx["pdp_id"] = None + _ctx["security_pipeline"] = None + _ctx['call_master'] = False + pdp_value = {} + for pdp_id, pdp_value in ext["pdps"].items(): + if keystone_id == pdp_value["keystone_project_id"]: + _ctx["pdp_id"] = keystone_id + _ctx["security_pipeline"] = pdp_value["security_pipeline"] + break + call("moon_manager", method="update_from_master", ctx=_ctx, args=pdp_value) + CACHE.update() + return True + else: + # return False otherwise + return False + return True + + def send_update(self, api, ctx={}, args={}): + # TODO (asteroide): add threads here + if not CONF.slave.slave_name: + # Note (asteroide): + # if adding or setting an element: do nothing + # if updating or deleting an element: force deletion in the slave + if "update_" in api or "delete_" in api: + for slave_id, slave_dict in call("orchestrator", method="get_slaves", ctx={}, args={})['slaves'].items(): + LOG.info('send_update slave_id={}'.format(slave_id)) + LOG.info('send_update slave_dict={}'.format(slave_dict)) + ctx['method'] = api.replace("update", "delete") + # TODO (asteroide): force data_id to None to force the deletion in the slave + result = call("security_router_"+slave_dict['name'], method="route", ctx=ctx, args=args) + if "result" in result and not result["result"]: + LOG.error("An error occurred when sending update to {} {}".format( + "security_router_"+slave_dict['name'], result + )) + + def route(self, ctx, args): + """Route the request to the right endpoint + + :param ctx: dictionary depending of the real destination + :param args: dictionary depending of the real destination + :return: dictionary depending of the real destination + """ + if ctx["method"] == "get_status": + return Status().get_status(ctx=ctx, args=args) + if ctx["method"] == "get_logs": + return Logs().get_logs(ctx=ctx, args=args) + for component in API: + if ctx["method"] in API[component]: + if component == "orchestrator": + return call(component, method=ctx["method"], ctx=ctx, args=args) + if component == "manager": + result = call("moon_manager", method=ctx["method"], ctx=ctx, args=args) + if ctx["method"] == "get_pdp": + _ctx = copy.deepcopy(ctx) + _ctx["call_master"] = True + result2 = call("moon_manager", method=ctx["method"], ctx=_ctx, args=args) + result["pdps"].update(result2["pdps"]) + self.send_update(api=ctx["method"], ctx=ctx, args=args) + return result + if component == "function": + if ctx["method"] == "return_authz": + request_id = ctx["request_id"] + CACHE.authz_requests[request_id] = args + return args + elif self.check_pdp(ctx): + req_id = uuid4().hex + CACHE.authz_requests[req_id] = {} + ctx["request_id"] = req_id + req = AuthzRequest(ctx, args) + # result = copy.deepcopy(req.result) + if req.is_authz(): + return {"authz": True, + "pdp_id": ctx["id"], + "ctx": ctx, "args": args} + return {"authz": False, + "error": {'code': 403, 'title': 'Authz Error', + 'description': "The authz request is refused."}, + "pdp_id": ctx["id"], + "ctx": ctx, "args": args} + return {"result": False, + "error": {'code': 500, 'title': 'Moon Error', + 'description': "Function component not found."}, + "pdp_id": ctx["id"], + "ctx": ctx, "args": args} + + # TODO (asteroide): must raise an exception here ? + return {"result": False, + "error": {'code': 500, 'title': 'Moon Error', 'description': "Endpoint method not found."}, + "intra_extension_id": ctx["id"], + "ctx": ctx, "args": args} + diff --git a/moonv4/moon_router/moon_secrouter/messenger.py b/moonv4/moon_router/moon_secrouter/messenger.py new file mode 100644 index 00000000..52e5c341 --- /dev/null +++ b/moonv4/moon_router/moon_secrouter/messenger.py @@ -0,0 +1,61 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from oslo_config import cfg +import oslo_messaging +import time +from oslo_log import log as logging +from moon_secrouter.api.generic import Status, Logs +from moon_secrouter.api.route import Router +from moon_utilities.api import APIList + +LOG = logging.getLogger(__name__) + + +class Server: + + TOPIC = "security_router" + + def __init__(self, add_master_cnx=False): + if add_master_cnx and cfg.CONF.slave.master_url: + self.transport = oslo_messaging.get_transport(cfg.CONF, cfg.CONF.slave.master_url) + self.TOPIC = self.TOPIC + "_" + cfg.CONF.slave.slave_name + else: + self.transport = oslo_messaging.get_transport(cfg.CONF) + self.target = oslo_messaging.Target(topic=self.TOPIC, server='server1') + LOG.info("Starting MQ server with topic: {}".format(self.TOPIC)) + self.endpoints = [ + APIList((Status, Logs, Router)), + Status(), + Logs(), + Router(add_master_cnx) + ] + self.server = oslo_messaging.get_rpc_server(self.transport, self.target, self.endpoints, + executor='threading', + access_policy=oslo_messaging.DefaultRPCAccessPolicy) + self.__is_alive = False + + def stop(self): + self.__is_alive = False + self.endpoints[-1].delete() + + def run(self): + try: + self.__is_alive = True + self.server.start() + while True: + if self.__is_alive: + time.sleep(1) + else: + break + except KeyboardInterrupt: + print("Stopping server by crtl+c") + except SystemExit: + print("Stopping server with SystemExit") + print("Stopping server") + + self.server.stop() + self.server.wait() + diff --git a/moonv4/moon_router/moon_secrouter/server.py b/moonv4/moon_router/moon_secrouter/server.py new file mode 100644 index 00000000..16f6ea9c --- /dev/null +++ b/moonv4/moon_router/moon_secrouter/server.py @@ -0,0 +1,59 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import threading +import signal +from oslo_config import cfg +from oslo_log import log as logging +from moon_utilities import options # noqa +from moon_secrouter.messenger import Server + + +class AsyncServer(threading.Thread): + + def __init__(self, add_master_cnx): + threading.Thread.__init__(self) + self.server = Server(add_master_cnx=add_master_cnx) + + def run(self): + self.server.run() + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF +DOMAIN = "moon_secrouter" + +__CWD__ = os.path.dirname(os.path.abspath(__file__)) + +background_threads = [] + + +def stop_thread(): + for _t in background_threads: + _t.stop() + + +def main(): + global background_threads + LOG.info("Starting server with IP {}".format(CONF.security_router.host)) + signal.signal(signal.SIGALRM, stop_thread) + signal.signal(signal.SIGTERM, stop_thread) + signal.signal(signal.SIGABRT, stop_thread) + background_master = None + if CONF.slave.slave_name: + background_master = AsyncServer(add_master_cnx=True) + background_threads.append(background_master) + background_slave = AsyncServer(add_master_cnx=False) + background_threads.append(background_slave) + if CONF.slave.slave_name: + background_master.start() + background_slave.start() + if CONF.slave.slave_name: + background_master.join() + background_slave.join() + + +if __name__ == '__main__': + main() diff --git a/moonv4/moon_router/requirements.txt b/moonv4/moon_router/requirements.txt new file mode 100644 index 00000000..a919c625 --- /dev/null +++ b/moonv4/moon_router/requirements.txt @@ -0,0 +1,6 @@ +kombu !=4.0.1,!=4.0.0 +oslo.messaging +oslo.config +vine +oslo.log +babel \ No newline at end of file diff --git a/moonv4/moon_router/setup.py b/moonv4/moon_router/setup.py new file mode 100644 index 00000000..0c3b61ba --- /dev/null +++ b/moonv4/moon_router/setup.py @@ -0,0 +1,47 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from setuptools import setup, find_packages +import moon_secrouter + + +setup( + + name='moon_secrouter', + + version=moon_secrouter.__version__, + + packages=find_packages(), + + author="Thomas Duval", + + author_email="thomas.duval@orange.com", + + description="", + + long_description=open('README.rst').read(), + + # install_requires= , + + include_package_data=True, + + url='https://git.opnfv.org/cgit/moon', + + classifiers=[ + "Programming Language :: Python", + "Development Status :: 1 - Planning", + "License :: OSI Approved", + "Natural Language :: French", + "Operating System :: OS Independent", + "Programming Language :: Python :: 3", + ], + + entry_points={ + 'console_scripts': [ + 'moon_secrouter = moon_secrouter.server:main', + ], + } + +) diff --git a/moonv4/moon_router/tests/moon_db-0.1.0.tar.gz b/moonv4/moon_router/tests/moon_db-0.1.0.tar.gz new file mode 100644 index 00000000..14df1d47 Binary files /dev/null and b/moonv4/moon_router/tests/moon_db-0.1.0.tar.gz differ diff --git a/moonv4/moon_router/tests/moon_policy-0.1.0.tar.gz b/moonv4/moon_router/tests/moon_policy-0.1.0.tar.gz new file mode 100644 index 00000000..d3246532 Binary files /dev/null and b/moonv4/moon_router/tests/moon_policy-0.1.0.tar.gz differ -- cgit 1.2.3-korg