From 019b10d95976bb80bcce60ee93099b0fd57fcab5 Mon Sep 17 00:00:00 2001 From: asteroide Date: Mon, 15 May 2017 14:19:43 +0200 Subject: Update Moon engine to allow a session policy Change-Id: I63a80597710f08a6641e159cc2306d3cc68b1240 --- .../moon_utilities/security_functions.py | 78 ++++++++++++++++------ 1 file changed, 56 insertions(+), 22 deletions(-) (limited to 'moonv4/moon_utilities') diff --git a/moonv4/moon_utilities/moon_utilities/security_functions.py b/moonv4/moon_utilities/moon_utilities/security_functions.py index f7cbdf2c..5d66d927 100644 --- a/moonv4/moon_utilities/moon_utilities/security_functions.py +++ b/moonv4/moon_utilities/moon_utilities/security_functions.py @@ -168,8 +168,10 @@ def notify(request_id, container_id, payload, event_type="authz"): 'request_id': request_id, 'container_id': container_id } - result = __n_notifier.critical(ctxt, event_type, payload=payload) - return result + __n_notifier.critical(ctxt, event_type, payload=payload) + # FIXME (asteroide): the notification mus be done 2 times otherwise the notification + # may not be sent (need to search why) + __n_notifier.critical(ctxt, event_type, payload=payload) def call(endpoint, ctx=None, method="get_status", **kwargs): @@ -249,34 +251,66 @@ class Context: self.__pdp_set[header]["meta_rules"] = self.__meta_rules[header] self.__pdp_set[header]["target"] = self.__add_target(header) # TODO (asteroide): the following information must be retrieve somewhere - self.__pdp_set[header]["instruction"] = list() - self.__pdp_set[header]["effect"] = "deny" + self.__pdp_set[header]["effect"] = "unset" self.__pdp_set["effect"] = "deny" + @staticmethod + def update_target(context): + from moon_db.core import PDPManager, ModelManager, PolicyManager + # result = dict() + current_request = context['current_request'] + _subject = current_request.get("subject") + _object = current_request.get("object") + _action = current_request.get("action") + meta_rule_id = context['headers'][context['index']] + policy_id = PolicyManager.get_policy_from_meta_rules("admin", meta_rule_id) + meta_rules = ModelManager.get_meta_rules("admin") + # for meta_rule_id in meta_rules: + for sub_cat in meta_rules[meta_rule_id]['subject_categories']: + if sub_cat not in context["pdp_set"][meta_rule_id]["target"]: + context["pdp_set"][meta_rule_id]["target"][sub_cat] = [] + for assign in PolicyManager.get_subject_assignments("admin", policy_id, _subject, sub_cat).values(): + for assign in assign["assignments"]: + if assign not in context["pdp_set"][meta_rule_id]["target"][sub_cat]: + context["pdp_set"][meta_rule_id]["target"][sub_cat].append(assign) + for obj_cat in meta_rules[meta_rule_id]['object_categories']: + if obj_cat not in context["pdp_set"][meta_rule_id]["target"]: + context["pdp_set"][meta_rule_id]["target"][obj_cat] = [] + for assign in PolicyManager.get_object_assignments("admin", policy_id, _object, obj_cat).values(): + for assign in assign["assignments"]: + if assign not in context["pdp_set"][meta_rule_id]["target"][obj_cat]: + context["pdp_set"][meta_rule_id]["target"][obj_cat].append(assign) + for act_cat in meta_rules[meta_rule_id]['action_categories']: + if act_cat not in context["pdp_set"][meta_rule_id]["target"]: + context["pdp_set"][meta_rule_id]["target"][act_cat] = [] + for assign in PolicyManager.get_action_assignments("admin", policy_id, _action, act_cat).values(): + for assign in assign["assignments"]: + if assign not in context["pdp_set"][meta_rule_id]["target"][act_cat]: + context["pdp_set"][meta_rule_id]["target"][act_cat].append(assign) + # context["pdp_set"][meta_rule_id]["target"].update(result) + def __add_target(self, meta_rule_id): result = dict() _subject = self.__current_request["subject"] _object = self.__current_request["object"] _action = self.__current_request["action"] meta_rules = self.ModelManager.get_meta_rules("admin") - for header in self.__headers: - policy_id = self.PolicyManager.get_policy_from_meta_rules("admin", header) - for meta_rule_id in meta_rules: - for sub_cat in meta_rules[meta_rule_id]['subject_categories']: - if sub_cat not in result: - result[sub_cat] = [] - for assign in self.PolicyManager.get_subject_assignments("admin", policy_id, _subject, sub_cat).values(): - result[sub_cat].extend(assign["assignments"]) - for obj_cat in meta_rules[meta_rule_id]['object_categories']: - if obj_cat not in result: - result[obj_cat] = [] - for assign in self.PolicyManager.get_object_assignments("admin", policy_id, _object, obj_cat).values(): - result[obj_cat].extend(assign["assignments"]) - for act_cat in meta_rules[meta_rule_id]['action_categories']: - if act_cat not in result: - result[act_cat] = [] - for assign in self.PolicyManager.get_action_assignments("admin", policy_id, _action, act_cat).values(): - result[act_cat].extend(assign["assignments"]) + policy_id = self.PolicyManager.get_policy_from_meta_rules("admin", meta_rule_id) + for sub_cat in meta_rules[meta_rule_id]['subject_categories']: + if sub_cat not in result: + result[sub_cat] = [] + for assign in self.PolicyManager.get_subject_assignments("admin", policy_id, _subject, sub_cat).values(): + result[sub_cat].extend(assign["assignments"]) + for obj_cat in meta_rules[meta_rule_id]['object_categories']: + if obj_cat not in result: + result[obj_cat] = [] + for assign in self.PolicyManager.get_object_assignments("admin", policy_id, _object, obj_cat).values(): + result[obj_cat].extend(assign["assignments"]) + for act_cat in meta_rules[meta_rule_id]['action_categories']: + if act_cat not in result: + result[act_cat] = [] + for assign in self.PolicyManager.get_action_assignments("admin", policy_id, _action, act_cat).values(): + result[act_cat].extend(assign["assignments"]) return result def __repr__(self): -- cgit 1.2.3-korg