From cb23b06b64af120e0c6775dd2d59f6d970418995 Mon Sep 17 00:00:00 2001 From: RHE Date: Thu, 21 Dec 2017 15:36:27 +0100 Subject: python_moonutilities rename Change-Id: I306268f5b95dee283313f76db2e1cac49fc9c0ff Signed-off-by: RHE --- moonv4/moon_utilities/Changelog | 65 --- moonv4/moon_utilities/LICENSE | 202 -------- moonv4/moon_utilities/MANIFEST.in | 10 - moonv4/moon_utilities/README.md | 33 -- moonv4/moon_utilities/moon_utilities/__init__.py | 6 - moonv4/moon_utilities/moon_utilities/api.py | 28 -- moonv4/moon_utilities/moon_utilities/auth.py | 76 --- moonv4/moon_utilities/moon_utilities/cache.py | 543 --------------------- .../moon_utilities/moon_utilities/configuration.py | 114 ----- moonv4/moon_utilities/moon_utilities/exceptions.py | 521 -------------------- moonv4/moon_utilities/moon_utilities/misc.py | 142 ------ .../moon_utilities/security_functions.py | 532 -------------------- moonv4/moon_utilities/requirements.txt | 3 - moonv4/moon_utilities/setup.py | 42 -- .../moon_utilities/tests/unit_python/conftest.py | 17 - .../moon_utilities/tests/unit_python/mock_cache.py | 321 ------------ .../tests/unit_python/mock_components.py | 27 - .../tests/unit_python/mock_keystone.py | 23 - .../tests/unit_python/requirements.txt | 2 - .../moon_utilities/tests/unit_python/test_cache.py | 75 --- .../tests/unit_python/test_configuration.py | 5 - .../moon_utilities/tests/unit_python/utilities.py | 136 ------ moonv4/python_moonutilities/Changelog | 64 +++ moonv4/python_moonutilities/LICENSE | 202 ++++++++ moonv4/python_moonutilities/MANIFEST.in | 10 + moonv4/python_moonutilities/README.md | 33 ++ .../python_moonutilities/__init__.py | 6 + .../python_moonutilities/api.py | 28 ++ .../python_moonutilities/auth.py | 76 +++ .../python_moonutilities/cache.py | 543 +++++++++++++++++++++ .../python_moonutilities/configuration.py | 114 +++++ .../python_moonutilities/exceptions.py | 522 ++++++++++++++++++++ .../python_moonutilities/misc.py | 142 ++++++ .../python_moonutilities/security_functions.py | 531 ++++++++++++++++++++ moonv4/python_moonutilities/requirements.txt | 3 + moonv4/python_moonutilities/setup.py | 42 ++ .../tests/unit_python/conftest.py | 17 + .../tests/unit_python/mock_cache.py | 321 ++++++++++++ .../tests/unit_python/mock_components.py | 27 + .../tests/unit_python/mock_keystone.py | 23 + .../tests/unit_python/requirements.txt | 2 + .../tests/unit_python/test_cache.py | 75 +++ .../tests/unit_python/test_configuration.py | 5 + .../tests/unit_python/utilities.py | 136 ++++++ 44 files changed, 2922 insertions(+), 2923 deletions(-) delete mode 100644 moonv4/moon_utilities/Changelog delete mode 100644 moonv4/moon_utilities/LICENSE delete mode 100644 moonv4/moon_utilities/MANIFEST.in delete mode 100644 moonv4/moon_utilities/README.md delete mode 100644 moonv4/moon_utilities/moon_utilities/__init__.py delete mode 100644 moonv4/moon_utilities/moon_utilities/api.py delete mode 100644 moonv4/moon_utilities/moon_utilities/auth.py delete mode 100644 moonv4/moon_utilities/moon_utilities/cache.py delete mode 100644 moonv4/moon_utilities/moon_utilities/configuration.py delete mode 100644 moonv4/moon_utilities/moon_utilities/exceptions.py delete mode 100644 moonv4/moon_utilities/moon_utilities/misc.py delete mode 100644 moonv4/moon_utilities/moon_utilities/security_functions.py delete mode 100644 moonv4/moon_utilities/requirements.txt delete mode 100644 moonv4/moon_utilities/setup.py delete mode 100644 moonv4/moon_utilities/tests/unit_python/conftest.py delete mode 100644 moonv4/moon_utilities/tests/unit_python/mock_cache.py delete mode 100644 moonv4/moon_utilities/tests/unit_python/mock_components.py delete mode 100644 moonv4/moon_utilities/tests/unit_python/mock_keystone.py delete mode 100644 moonv4/moon_utilities/tests/unit_python/requirements.txt delete mode 100644 moonv4/moon_utilities/tests/unit_python/test_cache.py delete mode 100644 moonv4/moon_utilities/tests/unit_python/test_configuration.py delete mode 100644 moonv4/moon_utilities/tests/unit_python/utilities.py create mode 100644 moonv4/python_moonutilities/Changelog create mode 100644 moonv4/python_moonutilities/LICENSE create mode 100644 moonv4/python_moonutilities/MANIFEST.in create mode 100644 moonv4/python_moonutilities/README.md create mode 100644 moonv4/python_moonutilities/python_moonutilities/__init__.py create mode 100644 moonv4/python_moonutilities/python_moonutilities/api.py create mode 100644 moonv4/python_moonutilities/python_moonutilities/auth.py create mode 100644 moonv4/python_moonutilities/python_moonutilities/cache.py create mode 100644 moonv4/python_moonutilities/python_moonutilities/configuration.py create mode 100644 moonv4/python_moonutilities/python_moonutilities/exceptions.py create mode 100644 moonv4/python_moonutilities/python_moonutilities/misc.py create mode 100644 moonv4/python_moonutilities/python_moonutilities/security_functions.py create mode 100644 moonv4/python_moonutilities/requirements.txt create mode 100644 moonv4/python_moonutilities/setup.py create mode 100644 moonv4/python_moonutilities/tests/unit_python/conftest.py create mode 100644 moonv4/python_moonutilities/tests/unit_python/mock_cache.py create mode 100644 moonv4/python_moonutilities/tests/unit_python/mock_components.py create mode 100644 moonv4/python_moonutilities/tests/unit_python/mock_keystone.py create mode 100644 moonv4/python_moonutilities/tests/unit_python/requirements.txt create mode 100644 moonv4/python_moonutilities/tests/unit_python/test_cache.py create mode 100644 moonv4/python_moonutilities/tests/unit_python/test_configuration.py create mode 100644 moonv4/python_moonutilities/tests/unit_python/utilities.py (limited to 'moonv4') diff --git a/moonv4/moon_utilities/Changelog b/moonv4/moon_utilities/Changelog deleted file mode 100644 index 952c2aa1..00000000 --- a/moonv4/moon_utilities/Changelog +++ /dev/null @@ -1,65 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - - -CHANGES -======= - -0.1.0 ------ -- First version of the moon_utilities library. - -1.0.0 ------ -- First public version of the moon_utilities library. - -1.0.1 ------ -- Update setup.py to force the installation of requirements. - -1.0.2 ------ -- Test PyPi upload - -1.1.0 ------ -- Add functions to get configuration from Consul - -1.1.1 ------ -- Add a missing requirements - -1.2.0 ------ -- Add authentication features for interface - -1.3.0 ------ -- Add cache functionality - -1.3.1 ------ -- Delete Oslo config possibilities - -1.3.2 ------ -- Delete Oslo logging and config - -1.3.3 ------ -- Update the cache - -1.3.4 ------ -- Fix a bug on the connection between interface and authz - -1.4.0 ------ -- Add a waiting loop when the Keystone server is not currently available - -1.4.1 ------ -- Cleanup moon_utilities code - diff --git a/moonv4/moon_utilities/LICENSE b/moonv4/moon_utilities/LICENSE deleted file mode 100644 index d6456956..00000000 --- a/moonv4/moon_utilities/LICENSE +++ /dev/null @@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/moonv4/moon_utilities/MANIFEST.in b/moonv4/moon_utilities/MANIFEST.in deleted file mode 100644 index b764e35c..00000000 --- a/moonv4/moon_utilities/MANIFEST.in +++ /dev/null @@ -1,10 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -include README.rst -include LICENSE -include Changelog -include setup.py -include requirements.txt diff --git a/moonv4/moon_utilities/README.md b/moonv4/moon_utilities/README.md deleted file mode 100644 index bbc1d458..00000000 --- a/moonv4/moon_utilities/README.md +++ /dev/null @@ -1,33 +0,0 @@ -# Moon Python Utilities Package -This package contains the core module for the Moon project. -It is designed to provide authorization feature to all OpenStack components. - -For any other information, refer to the parent project: - - https://git.opnfv.org/moon - -moon_utilities is a common Python lib for other Moon Python packages - -## Build -### Build Python Package -```bash -cd ${MOON_HOME}/moonv4/moon_utilities -python3 setup.py sdist bdist_wheel -``` - -### Push Python Package to PIP -```bash -cd ${MOON_HOME}/moonv4/moon_utilities -gpg --detach-sign -u "${GPG_ID}" -a dist/moon_utilities-X.Y.Z-py3-none-any.whl -gpg --detach-sign -u "${GPG_ID}" -a dist/moon_utilities-X.Y.Z.tar.gz -twine upload dist/moon_db-X.Y.Z-py3-none-any.whl dist/moon_utilities-X.Y.Z-py3-none-any.whl.asc -twine upload dist/moon_db-X.Y.Z.tar.gz dist/moon_uutilities-X.Y.Z.tar.gz.asc -``` - -## Test -### Python Unit Test -launch Docker for Python unit tests -```bash -cd ${MOON_HOME}/moonv4/moon_utilities -docker run --rm --volume $(pwd):/data wukongsun/moon_python_unit_test:latest -``` diff --git a/moonv4/moon_utilities/moon_utilities/__init__.py b/moonv4/moon_utilities/moon_utilities/__init__.py deleted file mode 100644 index e3ad9307..00000000 --- a/moonv4/moon_utilities/moon_utilities/__init__.py +++ /dev/null @@ -1,6 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -__version__ = "1.4.1" diff --git a/moonv4/moon_utilities/moon_utilities/api.py b/moonv4/moon_utilities/moon_utilities/api.py deleted file mode 100644 index 8e80c21d..00000000 --- a/moonv4/moon_utilities/moon_utilities/api.py +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - - -class APIList(object): - - API_LIST = () - - def __init__(self, api_list): - self.API_LIST = api_list - - def list_api(self, ctx): - api = dict() - for obj in self.API_LIST: - api[obj.__name__] = dict() - api[obj.__name__]["description"] = obj.__doc__.strip() if obj.__doc__ else "" - api[obj.__name__]["version"] = obj.__version__ - api[obj.__name__]["commands"] = dict() - for cmd in filter(lambda x: not x.startswith("__"), dir(obj)): - doc = eval("obj.{}.__doc__".format(cmd)) - if not doc: - doc = "" - api[obj.__name__]["commands"][cmd] = doc.strip() - return api - - diff --git a/moonv4/moon_utilities/moon_utilities/auth.py b/moonv4/moon_utilities/moon_utilities/auth.py deleted file mode 100644 index 10dda3ed..00000000 --- a/moonv4/moon_utilities/moon_utilities/auth.py +++ /dev/null @@ -1,76 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import os -import requests -import time -from functools import wraps -from flask import request -from oslo_log import log as logging -from moon_utilities import exceptions, configuration - - -LOG = logging.getLogger(__name__) -KEYSTONE_CONFIG = configuration.get_configuration("openstack/keystone")["openstack/keystone"] -TOKENS = {} - - -def check_token(token, url=None): - _verify = False - if KEYSTONE_CONFIG['certificate']: - _verify = KEYSTONE_CONFIG['certificate'] - try: - os.environ.pop("http_proxy") - os.environ.pop("https_proxy") - except KeyError: - pass - if not url: - url = KEYSTONE_CONFIG['url'] - headers = { - "Content-Type": "application/json", - 'X-Subject-Token': token, - 'X-Auth-Token': token, - } - if KEYSTONE_CONFIG['check_token'].lower() in ("false", "no", "n"): - # TODO (asteroide): must send the admin id - return "admin" if not token else token - if KEYSTONE_CONFIG['check_token'].lower() in ("yes", "y", "true"): - if token in TOKENS: - delta = time.mktime(TOKENS[token]["expires_at"]) - time.mktime(time.gmtime()) - if delta > 0: - return TOKENS[token]["user"] - raise exceptions.KeystoneError - else: - req = requests.get("{}/auth/tokens".format(url), headers=headers, verify=_verify) - if req.status_code in (200, 201): - # Note (asteroide): the time stamps is not in ISO 8601, so it is necessary to delete - # characters after the dot - token_time = req.json().get("token").get("expires_at").split(".") - TOKENS[token] = dict() - TOKENS[token]["expires_at"] = time.strptime(token_time[0], "%Y-%m-%dT%H:%M:%S") - TOKENS[token]["user"] = req.json().get("token").get("user").get("id") - return TOKENS[token]["user"] - LOG.error("{} - {}".format(req.status_code, req.text)) - raise exceptions.KeystoneError - elif KEYSTONE_CONFIG['check_token'].lower() == "strict": - req = requests.head("{}/auth/tokens".format(url), headers=headers, verify=_verify) - if req.status_code in (200, 201): - return token - LOG.error("{} - {}".format(req.status_code, req.text)) - raise exceptions.KeystoneError - raise exceptions.KeystoneError - - -def check_auth(function): - @wraps(function) - def wrapper(*args, **kwargs): - token = request.headers.get('X-Auth-Token') - token = check_token(token) - if not token: - raise exceptions.AuthException - user_id = kwargs.pop("user_id", token) - result = function(*args, **kwargs, user_id=user_id) - return result - return wrapper diff --git a/moonv4/moon_utilities/moon_utilities/cache.py b/moonv4/moon_utilities/moon_utilities/cache.py deleted file mode 100644 index 8c6ee3bf..00000000 --- a/moonv4/moon_utilities/moon_utilities/cache.py +++ /dev/null @@ -1,543 +0,0 @@ -import logging -import time -import requests -from uuid import uuid4 -from moon_utilities import configuration, exceptions - -LOG = logging.getLogger("moon.utilities.cache") - - -class Cache(object): - # TODO (asteroide): set cache integer in CONF file - ''' - [NOTE] Propose to define the following variables inside the init method - as defining them out side the init, will be treated as private static variables - and keep tracks with any changes done anywhere - for more info : you can check https://docs.python.org/3/tutorial/classes.html#class-and-instance-variables - ''' - __UPDATE_INTERVAL = 10 - - __CONTAINERS = {} - __CONTAINERS_UPDATE = 0 - - __CONTAINER_CHAINING_UPDATE = 0 - __CONTAINER_CHAINING = {} - - __PDP = {} - __PDP_UPDATE = 0 - - __POLICIES = {} - __POLICIES_UPDATE = 0 - - __MODELS = {} - __MODELS_UPDATE = 0 - - __SUBJECTS = {} - __OBJECTS = {} - __ACTIONS = {} - - __SUBJECT_ASSIGNMENTS = {} - __OBJECT_ASSIGNMENTS = {} - __ACTION_ASSIGNMENTS = {} - - __SUBJECT_CATEGORIES = {} - __SUBJECT_CATEGORIES_UPDATE = 0 - __OBJECT_CATEGORIES = {} - __OBJECT_CATEGORIES_UPDATE = 0 - __ACTION_CATEGORIES = {} - __ACTION_CATEGORIES_UPDATE = 0 - - __META_RULES = {} - __META_RULES_UPDATE = 0 - - __RULES = {} - __RULES_UPDATE = 0 - - __AUTHZ_REQUESTS = {} - - def __init__(self): - self.manager_url = "{}://{}:{}".format( - configuration.get_components()['manager'].get('protocol', 'http'), - configuration.get_components()['manager']['hostname'], - configuration.get_components()['manager']['port'] - ) - self.orchestrator_url = "{}://{}:{}".format( - configuration.get_components()['orchestrator'].get('protocol', 'http'), - configuration.get_components()['orchestrator']['hostname'], - configuration.get_components()['orchestrator']['port'] - ) - - def update(self): - self.__update_container() - self.__update_pdp() - self.__update_policies() - self.__update_models() - for key, value in self.__PDP.items(): - # LOG.info("Updating container_chaining with {}".format(value["keystone_project_id"])) - self.__update_container_chaining(value["keystone_project_id"]) - - @property - def authz_requests(self): - return self.__AUTHZ_REQUESTS - - # perimeter functions - - @property - def subjects(self): - return self.__SUBJECTS - - def update_subjects(self, policy_id=None): - req = requests.get("{}/policies/{}/subjects".format( - self.manager_url, policy_id)) - self.__SUBJECTS[policy_id] = req.json()['subjects'] - - def get_subject(self, policy_id, name): - try: - for _subject_id, _subject_dict in self.__SUBJECTS[policy_id].items(): - if _subject_dict["name"] == name: - return _subject_id - except KeyError: - pass - self.update_subjects(policy_id) - for _subject_id, _subject_dict in self.__SUBJECTS[policy_id].items(): - if _subject_dict["name"] == name: - return _subject_id - raise exceptions.SubjectUnknown("Cannot find subject {}".format(name)) - - @property - def objects(self): - return self.__OBJECTS - - def update_objects(self, policy_id=None): - req = requests.get("{}/policies/{}/objects".format( - self.manager_url, policy_id)) - self.__OBJECTS[policy_id] = req.json()['objects'] - - def get_object(self, policy_id, name): - try: - for _object_id, _object_dict in self.__OBJECTS[policy_id].items(): - if _object_dict["name"] == name: - return _object_id - except KeyError: - pass - self.update_objects(policy_id) - for _object_id, _object_dict in self.__OBJECTS[policy_id].items(): - if _object_dict["name"] == name: - return _object_id - raise exceptions.SubjectUnknown("Cannot find object {}".format(name)) - - @property - def actions(self): - return self.__ACTIONS - - def update_actions(self, policy_id=None): - req = requests.get("{}/policies/{}/actions".format( - self.manager_url, policy_id)) - self.__ACTIONS[policy_id] = req.json()['actions'] - - def get_action(self, policy_id, name): - try: - for _action_id, _action_dict in self.__ACTIONS[policy_id].items(): - if _action_dict["name"] == name: - return _action_id - except KeyError: - pass - self.update_actions(policy_id) - for _action_id, _action_dict in self.__ACTIONS[policy_id].items(): - if _action_dict["name"] == name: - return _action_id - raise exceptions.SubjectUnknown("Cannot find action {}".format(name)) - - # meta_rule functions - - @property - def meta_rules(self): - current_time = time.time() - if self.__META_RULES_UPDATE + self.__UPDATE_INTERVAL < current_time: - self.__update_meta_rules() - self.__META_RULES_UPDATE = current_time - return self.__META_RULES - - def __update_meta_rules(self): - req = requests.get("{}/meta_rules".format(self.manager_url)) - self.__META_RULES = req.json()['meta_rules'] - - # rule functions - - @property - def rules(self): - current_time = time.time() - if self.__RULES_UPDATE + self.__UPDATE_INTERVAL < current_time: - self.__update_rules() - self.__RULES_UPDATE = current_time - return self.__RULES - - def __update_rules(self): - for policy_id in self.__POLICIES: - LOG.info("Get {}".format("{}/policies/{}/rules".format( - self.manager_url, policy_id))) - req = requests.get("{}/policies/{}/rules".format( - self.manager_url, policy_id)) - self.__RULES[policy_id] = req.json()['rules'] - LOG.info("UPDATE RULES {}".format(self.__RULES)) - - # assignment functions - - @property - def subject_assignments(self): - return self.__SUBJECT_ASSIGNMENTS - - def update_subject_assignments(self, policy_id=None, perimeter_id=None): - if perimeter_id: - req = requests.get("{}/policies/{}/subject_assignments/{}".format( - self.manager_url, policy_id, perimeter_id)) - else: - req = requests.get("{}/policies/{}/subject_assignments".format( - self.manager_url, policy_id)) - if policy_id not in self.__SUBJECT_ASSIGNMENTS: - self.__SUBJECT_ASSIGNMENTS[policy_id] = {} - self.__SUBJECT_ASSIGNMENTS[policy_id].update( - req.json()['subject_assignments']) - - def get_subject_assignments(self, policy_id, perimeter_id, category_id): - if policy_id not in self.subject_assignments: - self.update_subject_assignments(policy_id, perimeter_id) - ''' - [NOTE] invalid condition for testing existence of policy_id - because update_subject_assignments function already add an empty object - with the given policy_id and then assign the response to it - as mentioned in these lines of code (line 191,192) - - Note: the same condition applied for the object,action assignment - line 234, 260 - ''' - if policy_id not in self.subject_assignments: - raise Exception("Cannot found the policy {}".format(policy_id)) - for key, value in self.subject_assignments[policy_id].items(): - if perimeter_id == value['subject_id'] and category_id == value['category_id']: - return value['assignments'] - return [] - - @property - def object_assignments(self): - return self.__OBJECT_ASSIGNMENTS - - def update_object_assignments(self, policy_id=None, perimeter_id=None): - if perimeter_id: - req = requests.get("{}/policies/{}/object_assignments/{}".format( - self.manager_url, policy_id, perimeter_id)) - else: - req = requests.get("{}/policies/{}/object_assignments".format( - self.manager_url, policy_id)) - if policy_id not in self.__OBJECT_ASSIGNMENTS: - self.__OBJECT_ASSIGNMENTS[policy_id] = {} - self.__OBJECT_ASSIGNMENTS[policy_id].update( - req.json()['object_assignments']) - - def get_object_assignments(self, policy_id, perimeter_id, category_id): - if policy_id not in self.object_assignments: - self.update_object_assignments(policy_id, perimeter_id) - if policy_id not in self.object_assignments: - raise Exception("Cannot found the policy {}".format(policy_id)) - for key, value in self.object_assignments[policy_id].items(): - if perimeter_id == value['object_id'] and category_id == value['category_id']: - return value['assignments'] - return [] - - @property - def action_assignments(self): - return self.__ACTION_ASSIGNMENTS - - def update_action_assignments(self, policy_id=None, perimeter_id=None): - if perimeter_id: - req = requests.get("{}/policies/{}/action_assignments/{}".format( - self.manager_url, policy_id, perimeter_id)) - else: - req = requests.get("{}/policies/{}/action_assignments".format( - self.manager_url, policy_id)) - if policy_id not in self.__ACTION_ASSIGNMENTS: - self.__ACTION_ASSIGNMENTS[policy_id] = {} - self.__ACTION_ASSIGNMENTS[policy_id].update( - req.json()['action_assignments']) - - def get_action_assignments(self, policy_id, perimeter_id, category_id): - if policy_id not in self.action_assignments: - self.update_action_assignments(policy_id, perimeter_id) - if policy_id not in self.action_assignments: - raise Exception("Cannot found the policy {}".format(policy_id)) - for key, value in self.action_assignments[policy_id].items(): - if perimeter_id == value['action_id'] and category_id == value['category_id']: - return value['assignments'] - return [] - - # category functions - - @property - def subject_categories(self): - current_time = time.time() - if self.__SUBJECT_CATEGORIES_UPDATE + self.__UPDATE_INTERVAL < current_time: - self.__update_subject_categories() - self.__SUBJECT_CATEGORIES_UPDATE = current_time - return self.__SUBJECT_CATEGORIES - - def __update_subject_categories(self): - req = requests.get("{}/policies/subject_categories".format( - self.manager_url)) - self.__SUBJECT_CATEGORIES.update(req.json()['subject_categories']) - - @property - def object_categories(self): - current_time = time.time() - if self.__OBJECT_CATEGORIES_UPDATE + self.__UPDATE_INTERVAL < current_time: - self.__update_object_categories() - self.__OBJECT_CATEGORIES_UPDATE = current_time - return self.__OBJECT_CATEGORIES - - def __update_object_categories(self): - req = requests.get("{}/policies/object_categories".format( - self.manager_url)) - self.__OBJECT_CATEGORIES.update(req.json()['object_categories']) - - @property - def action_categories(self): - current_time = time.time() - if self.__ACTION_CATEGORIES_UPDATE + self.__UPDATE_INTERVAL < current_time: - self.__update_action_categories() - self.__ACTION_CATEGORIES_UPDATE = current_time - return self.__ACTION_CATEGORIES - - def __update_action_categories(self): - req = requests.get("{}/policies/action_categories".format( - self.manager_url)) - self.__ACTION_CATEGORIES.update(req.json()['action_categories']) - - # PDP functions - - def __update_pdp(self): - req = requests.get("{}/pdp".format(self.manager_url)) - pdp = req.json() - for _pdp in pdp["pdps"].values(): - if _pdp['keystone_project_id'] not in self.__CONTAINER_CHAINING: - self.__CONTAINER_CHAINING[_pdp['keystone_project_id']] = {} - # Note (asteroide): force update of chaining - self.__update_container_chaining(_pdp['keystone_project_id']) - for key, value in pdp["pdps"].items(): - self.__PDP[key] = value - - @property - def pdp(self): - """Policy Decision Point - Example of content: - { - "pdp_id": { - "keystone_project_id": "keystone_project_id", - "name": "pdp1", - "description": "test", - "security_pipeline": [ - "policy_id" - ] - } - } - - :return: - """ - current_time = time.time() - if self.__PDP_UPDATE + self.__UPDATE_INTERVAL < current_time: - self.__update_pdp() - self.__PDP_UPDATE = current_time - return self.__PDP - - # policy functions - def __update_policies(self): - req = requests.get("{}/policies".format(self.manager_url)) - policies = req.json() - for key, value in policies["policies"].items(): - self.__POLICIES[key] = value - - @property - def policies(self): - current_time = time.time() - if self.__POLICIES_UPDATE + self.__UPDATE_INTERVAL < current_time: - self.__update_policies() - self.__POLICIES_UPDATE = current_time - return self.__POLICIES - - # model functions - - def __update_models(self): - req = requests.get("{}/models".format(self.manager_url)) - models = req.json() - for key, value in models["models"].items(): - self.__MODELS[key] = value - - @property - def models(self): - current_time = time.time() - if self.__MODELS_UPDATE + self.__UPDATE_INTERVAL < current_time: - self.__update_models() - self.__MODELS_UPDATE = current_time - return self.__MODELS - - # helper functions - - def get_policy_from_meta_rules(self, meta_rule_id): - for pdp_key, pdp_value in self.pdp.items(): - for policy_id in pdp_value["security_pipeline"]: - model_id = self.policies[policy_id]["model_id"] - if meta_rule_id in self.models[model_id]["meta_rules"]: - return policy_id - - def get_pdp_from_keystone_project(self, keystone_project_id): - for pdp_key, pdp_value in self.pdp.items(): - if keystone_project_id == pdp_value["keystone_project_id"]: - return pdp_key - - def get_keystone_project_id_from_policy_id(self, policy_id): - for pdp_key, pdp_value in self.pdp.items(): - if policy_id in pdp_value["security_pipeline"]: - return pdp_value["keystone_project_id"] - # for policy_id in pdp_value["security_pipeline"]: - # model_id = self.policies[policy_id]["model_id"] - # if meta_rule_id in self.models[model_id]["meta_rules"]: - # return pdp_value["keystone_project_id"] - - def get_containers_from_keystone_project_id(self, keystone_project_id, - meta_rule_id=None): - for container_id, container_values in self.containers.items(): - for container_value in container_values: - if 'keystone_project_id' not in container_value: - continue - if container_value['keystone_project_id'] == keystone_project_id: - if not meta_rule_id: - yield container_id, container_value - elif container_value.get('meta_rule_id') == meta_rule_id: - yield container_id, container_value - break - - # containers functions - - def __update_container(self): - req = requests.get("{}/pods".format(self.orchestrator_url)) - pods = req.json() - for key, value in pods["pods"].items(): - # if key not in self.__CONTAINERS: - self.__CONTAINERS[key] = value - # else: - # for container in value: - # self.__CONTAINERS[key].update(value) - - def add_container(self, container_data): - """Add a new container in the cache - - :param container_data: dictionary with information for the container - Example: - { - "name": name, - "hostname": name, - "port": { - "PrivatePort": tcp_port, - "Type": "tcp", - "IP": "0.0.0.0", - "PublicPort": tcp_port - }, - "keystone_project_id": uuid, - "pdp_id": self.CACHE.get_pdp_from_keystone_project(uuid), - "meta_rule_id": meta_rule_id, - "container_name": container_name, - "plugin_name": plugin_name - "container_id": "container_id" - } - - :return: - """ - self.__CONTAINERS[uuid4().hex] = { - "keystone_project_id": container_data['keystone_project_id'], - "name": container_data['name'], - "container_id": container_data['container_id'], - "hostname": container_data['name'], - "policy_id": container_data['policy_id'], - "meta_rule_id": container_data['meta_rule_id'], - "port": [ - { - "PublicPort": container_data['port']["PublicPort"], - "Type": container_data['port']["Type"], - "IP": container_data['port']["IP"], - "PrivatePort": container_data['port']["PrivatePort"] - } - ], - "genre": container_data['plugin_name'] - } - self.__update_container_chaining(self.get_keystone_project_id_from_policy_id(container_data['policy_id'])) - - @property - def containers(self): - """Containers cache - example of content : - { - "policy_uuid1": "component_hostname1", - "policy_uuid2": "component_hostname2", - } - :return: - """ - current_time = time.time() - if self.__CONTAINERS_UPDATE + self.__UPDATE_INTERVAL < current_time: - self.__update_container() - self.__CONTAINERS_UPDATE = current_time - return self.__CONTAINERS - - @property - def container_chaining(self): - """Cache for mapping Keystone Project ID with meta_rule ID and container ID - Example of content: - { - "keystone_project_id": [ - { - "container_id": "container_id", - "genre": "genre", - "policy_id": "policy_id", - "meta_rule_id": "meta_rule_id", - } - ] - } - - :return: - """ - current_time = time.time() - if self.__CONTAINER_CHAINING_UPDATE + self.__UPDATE_INTERVAL < current_time: - for key, value in self.pdp.items(): - if not value["keystone_project_id"]: - continue - self.__update_container_chaining(value["keystone_project_id"]) - self.__CONTAINER_CHAINING_UPDATE = current_time - LOG.info(self.__CONTAINER_CHAINING_UPDATE) - return self.__CONTAINER_CHAINING - - def __update_container_chaining(self, keystone_project_id): - container_ids = [] - for pdp_id, pdp_value, in self.__PDP.items(): - if pdp_value: - if pdp_value["keystone_project_id"] == keystone_project_id: - for policy_id in pdp_value["security_pipeline"]: - model_id = self.__POLICIES[policy_id]['model_id'] - for meta_rule_id in self.__MODELS[model_id]["meta_rules"]: - for container_id, container_value in self.get_containers_from_keystone_project_id( - keystone_project_id, - meta_rule_id - ): - _raw = requests.get("{}/pods/{}".format( - self.orchestrator_url, container_value["name"]) - ) - LOG.debug("_raw={}".format(_raw.text)) - container_ids.append( - { - "container_id": container_value["name"], - "genre": container_value["genre"], - "policy_id": policy_id, - "meta_rule_id": meta_rule_id, - "hostname": container_value["name"], - "hostip": "127.0.0.1", - "port": container_value["port"], - } - ) - self.__CONTAINER_CHAINING[keystone_project_id] = container_ids - diff --git a/moonv4/moon_utilities/moon_utilities/configuration.py b/moonv4/moon_utilities/moon_utilities/configuration.py deleted file mode 100644 index cda75de5..00000000 --- a/moonv4/moon_utilities/moon_utilities/configuration.py +++ /dev/null @@ -1,114 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - - -import base64 -import json -import requests -import logging -import logging.config -from moon_utilities import exceptions - -LOG = logging.getLogger("moon.utilities") - -CONSUL_HOST = "consul" -CONSUL_PORT = "8500" - -DATABASE = "database" -KEYSTONE = "keystone" -DOCKER = "docker" -COMPONENTS = "components" - - -def init_logging(): - config = get_configuration("logging") - logging.config.dictConfig(config['logging']) - - -def increment_port(): - components_port_start = int(get_configuration("components_port_start")['components_port_start']) - components_port_start += 1 - url = "http://{}:{}/v1/kv/components_port_start".format(CONSUL_HOST, CONSUL_PORT) - req = requests.put(url, json=str(components_port_start)) - if req.status_code != 200: - LOG.info("url={}".format(url)) - raise exceptions.ConsulError - return components_port_start - - -def get_configuration(key): - url = "http://{}:{}/v1/kv/{}".format(CONSUL_HOST, CONSUL_PORT, key) - req = requests.get(url) - if req.status_code != 200: - LOG.error("url={}".format(url)) - raise exceptions.ConsulComponentNotFound("error={}: {}".format(req.status_code, req.text)) - data = req.json() - if len(data) == 1: - data = data[0] - return {data["Key"]: json.loads(base64.b64decode(data["Value"]).decode("utf-8"))} - else: - return [ - {item["Key"]: json.loads(base64.b64decode(item["Value"]).decode("utf-8"))} - for item in data - ] - - -def add_component(name, uuid, port=None, bind="127.0.0.1", keystone_id="", extra=None, container=None): - data = { - "hostname": name, - "keystone_id": keystone_id, - "bind": bind, - "port": port, - "extra": extra, - "container": container - } - req = requests.put( - "http://{}:{}/v1/kv/components/{}".format(CONSUL_HOST, CONSUL_PORT, uuid), - headers={"content-type": "application/json"}, - json=data - ) - if req.status_code != 200: - LOG.debug("url={}".format("http://{}:{}/v1/kv/components/{}".format(CONSUL_HOST, CONSUL_PORT, uuid))) - LOG.debug("data={}".format(data)) - raise exceptions.ConsulError - LOG.info("Add component {}".format(req.text)) - return get_configuration("components/"+uuid) - - -def get_plugins(): - url = "http://{}:{}/v1/kv/plugins?recurse=true".format(CONSUL_HOST, CONSUL_PORT) - req = requests.get(url) - if req.status_code != 200: - LOG.info("url={}".format(url)) - raise exceptions.ConsulError - data = req.json() - if len(data) == 1: - data = data[0] - return {data["Key"].replace("plugins/", ""): json.loads(base64.b64decode(data["Value"]).decode("utf-8"))} - else: - return { - item["Key"].replace("plugins/", ""): json.loads(base64.b64decode(item["Value"]).decode("utf-8")) - for item in data - } - - -def get_components(): - url = "http://{}:{}/v1/kv/components?recurse=true".format(CONSUL_HOST, CONSUL_PORT) - req = requests.get(url) - if req.status_code != 200: - LOG.info("url={}".format(url)) - raise exceptions.ConsulError - data = req.json() - if len(data) == 1: - data = data[0] - return {data["Key"].replace("components/", ""): json.loads(base64.b64decode(data["Value"]).decode("utf-8"))} - else: - return { - item["Key"].replace("components/", ""): json.loads(base64.b64decode(item["Value"]).decode("utf-8")) - for item in data - } - - -init_logging() diff --git a/moonv4/moon_utilities/moon_utilities/exceptions.py b/moonv4/moon_utilities/moon_utilities/exceptions.py deleted file mode 100644 index eb606432..00000000 --- a/moonv4/moon_utilities/moon_utilities/exceptions.py +++ /dev/null @@ -1,521 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -from oslo_log import log as logging -from werkzeug.exceptions import HTTPException -LOG = logging.getLogger("moon.utilities.exceptions") -_ = str - - -class MoonErrorMetaClass(type): - - def __init__(cls, name, bases, dct): - super(MoonErrorMetaClass, cls).__init__(name, bases, dct) - cls.hierarchy += "/"+str(name) - - -class MoonError(HTTPException): - __metaclass__ = MoonErrorMetaClass - hierarchy = "" - description = _("There is an error requesting the Moon platform.") - code = 400 - title = 'Moon Error' - logger = "ERROR" - - def __init__(self, message="", status_code=None, payload=""): - if message: - self.description = message - if status_code: - self.code = status_code - self.payload = payload - super(MoonError, self).__init__() - - def __str__(self): - return "{}: {}".format(self.code, self.title) - - def __del__(self): - message = "{} ({}) {}".format(self.hierarchy, self.description, self.payload) - if self.logger == "ERROR": - try: - LOG.error(message) - except AttributeError: - LOG.error(message) - elif self.logger == "WARNING": - try: - LOG.warning(message) - except AttributeError: - LOG.warning(message) - elif self.logger == "CRITICAL": - try: - LOG.critical(message) - except AttributeError: - LOG.critical(message) - elif self.logger == "AUTHZ": - try: - LOG.authz(self.hierarchy) - LOG.error(message) - except AttributeError: - LOG.error(message) - else: - try: - LOG.info(message) - except AttributeError: - LOG.info(message) - - # def to_dict(self): - # rv = dict(self.payload or ()) - # rv['message'] = "{} ({})".format(self.hierarchy, self.description) - # rv['title'] = self.title - # rv['code'] = self.code - # return rv - - -# Exceptions for Tenant - -class TenantException(MoonError): - description = _("There is an error requesting this tenant.") - code = 400 - title = 'Tenant Error' - logger = "ERROR" - - -class TenantUnknown(TenantException): - description = _("The tenant is unknown.") - code = 400 - title = 'Tenant Unknown' - logger = "ERROR" - - -class TenantAddedNameExisting(TenantException): - description = _("The tenant name is existing.") - code = 400 - title = 'Added Tenant Name Existing' - logger = "ERROR" - - -class TenantNoIntraExtension(TenantException): - description = _("The tenant has not intra_extension.") - code = 400 - title = 'Tenant No Intra_Extension' - logger = "ERROR" - - -class TenantNoIntraAuthzExtension(TenantNoIntraExtension): - description = _("The tenant has not intra_admin_extension.") - code = 400 - title = 'Tenant No Intra_Admin_Extension' - logger = "ERROR" - -# Exceptions for IntraExtension - - -class IntraExtensionException(MoonError): - description = _("There is an error requesting this IntraExtension.") - code = 400 - title = 'Extension Error' - - -class IntraExtensionUnknown(IntraExtensionException): - description = _("The intra_extension is unknown.") - code = 400 - title = 'Intra Extension Unknown' - logger = "Error" - - -class ModelUnknown(MoonError): - description = _("The model is unknown.") - code = 400 - title = 'Model Unknown' - logger = "Error" - - -class ModelExisting(MoonError): - description = _("The model already exists.") - code = 409 - title = 'Model Error' - logger = "Error" - - -# Authz exceptions - -class AuthzException(MoonError): - description = _("There is an authorization error requesting this IntraExtension.") - code = 403 - title = 'Authz Exception' - logger = "AUTHZ" - - -# Auth exceptions - -class AuthException(MoonError): - description = _("There is an authentication error requesting this API. " - "You must provide a valid token from Keystone.") - code = 401 - title = 'Auth Exception' - logger = "AUTHZ" - - -# Admin exceptions - -class AdminException(MoonError): - description = _("There is an error requesting this Authz IntraExtension.") - code = 400 - title = 'Authz Exception' - logger = "AUTHZ" - - -class AdminMetaData(AdminException): - code = 400 - title = 'Metadata Exception' - - -class AdminPerimeter(AdminException): - code = 400 - title = 'Perimeter Exception' - - -class AdminScope(AdminException): - code = 400 - title = 'Scope Exception' - - -class AdminAssignment(AdminException): - code = 400 - title = 'Assignment Exception' - - -class AdminMetaRule(AdminException): - code = 400 - title = 'Aggregation Algorithm Exception' - - -class AdminRule(AdminException): - code = 400 - title = 'Rule Exception' - - -class SubjectCategoryNameExisting(AdminMetaData): - description = _("The given subject category name already exists.") - code = 409 - title = 'Subject Category Name Existing' - logger = "ERROR" - - -class SubjectCategoryExisting(AdminMetaData): - description = _("The given subject category already exists.") - code = 409 - title = 'Subject Category Existing' - logger = "ERROR" - - -class ObjectCategoryNameExisting(AdminMetaData): - description = _("The given object category name already exists.") - code = 409 - title = 'Object Category Name Existing' - logger = "ERROR" - - -class ObjectCategoryExisting(AdminMetaData): - description = _("The given object category already exists.") - code = 409 - title = 'Object Category Existing' - logger = "ERROR" - - -class ActionCategoryNameExisting(AdminMetaData): - description = _("The given action category name already exists.") - code = 409 - title = 'Action Category Name Existing' - logger = "ERROR" - - -class ActionCategoryExisting(AdminMetaData): - description = _("The given action category already exists.") - code = 409 - title = 'Action Category Existing' - logger = "ERROR" - - -class SubjectCategoryUnknown(AdminMetaData): - description = _("The given subject category is unknown.") - code = 400 - title = 'Subject Category Unknown' - logger = "ERROR" - - -class ObjectCategoryUnknown(AdminMetaData): - description = _("The given object category is unknown.") - code = 400 - title = 'Object Category Unknown' - logger = "ERROR" - - -class ActionCategoryUnknown(AdminMetaData): - description = _("The given action category is unknown.") - code = 400 - title = 'Action Category Unknown' - logger = "ERROR" - - -class SubjectUnknown(AdminPerimeter): - description = _("The given subject is unknown.") - code = 400 - title = 'Subject Unknown' - logger = "ERROR" - - -class ObjectUnknown(AdminPerimeter): - description = _("The given object is unknown.") - code = 400 - title = 'Object Unknown' - logger = "ERROR" - - -class ActionUnknown(AdminPerimeter): - description = _("The given action is unknown.") - code = 400 - title = 'Action Unknown' - logger = "ERROR" - - -class SubjectNameExisting(AdminPerimeter): - description = _("The given subject name is existing.") - code = 400 - title = 'Subject Name Existing' - logger = "ERROR" - - -class ObjectNameExisting(AdminPerimeter): - description = _("The given object name is existing.") - code = 400 - title = 'Object Name Existing' - logger = "ERROR" - - -class ActionNameExisting(AdminPerimeter): - description = _("The given action name is existing.") - code = 400 - title = 'Action Name Existing' - logger = "ERROR" - - -class ObjectsWriteNoAuthorized(AdminPerimeter): - description = _("The modification on Objects is not authorized.") - code = 400 - title = 'Objects Write No Authorized' - logger = "AUTHZ" - - -class ActionsWriteNoAuthorized(AdminPerimeter): - description = _("The modification on Actions is not authorized.") - code = 400 - title = 'Actions Write No Authorized' - logger = "AUTHZ" - - -class SubjectScopeUnknown(AdminScope): - description = _("The given subject scope is unknown.") - code = 400 - title = 'Subject Scope Unknown' - logger = "ERROR" - - -class ObjectScopeUnknown(AdminScope): - description = _("The given object scope is unknown.") - code = 400 - title = 'Object Scope Unknown' - logger = "ERROR" - - -class ActionScopeUnknown(AdminScope): - description = _("The given action scope is unknown.") - code = 400 - title = 'Action Scope Unknown' - logger = "ERROR" - - -class SubjectScopeNameExisting(AdminScope): - description = _("The given subject scope name is existing.") - code = 400 - title = 'Subject Scope Name Existing' - logger = "ERROR" - - -class ObjectScopeNameExisting(AdminScope): - description = _("The given object scope name is existing.") - code = 400 - title = 'Object Scope Name Existing' - logger = "ERROR" - - -class ActionScopeNameExisting(AdminScope): - description = _("The given action scope name is existing.") - code = 400 - title = 'Action Scope Name Existing' - logger = "ERROR" - - -class SubjectAssignmentUnknown(AdminAssignment): - description = _("The given subject assignment value is unknown.") - code = 400 - title = 'Subject Assignment Unknown' - logger = "ERROR" - - -class ObjectAssignmentUnknown(AdminAssignment): - description = _("The given object assignment value is unknown.") - code = 400 - title = 'Object Assignment Unknown' - logger = "ERROR" - - -class ActionAssignmentUnknown(AdminAssignment): - description = _("The given action assignment value is unknown.") - code = 400 - title = 'Action Assignment Unknown' - logger = "ERROR" - - -class SubjectAssignmentExisting(AdminAssignment): - description = _("The given subject assignment value is existing.") - code = 400 - title = 'Subject Assignment Existing' - logger = "ERROR" - - -class ObjectAssignmentExisting(AdminAssignment): - description = _("The given object assignment value is existing.") - code = 400 - title = 'Object Assignment Existing' - logger = "ERROR" - - -class ActionAssignmentExisting(AdminAssignment): - description = _("The given action assignment value is existing.") - code = 400 - title = 'Action Assignment Existing' - logger = "ERROR" - - -class AggregationAlgorithmNotExisting(AdminMetaRule): - description = _("The given aggregation algorithm is not existing.") - code = 400 - title = 'Aggregation Algorithm Not Existing' - logger = "ERROR" - - -class AggregationAlgorithmUnknown(AdminMetaRule): - description = _("The given aggregation algorithm is unknown.") - code = 400 - title = 'Aggregation Algorithm Unknown' - logger = "ERROR" - - -class SubMetaRuleAlgorithmNotExisting(AdminMetaRule): - description = _("The given sub_meta_rule algorithm is unknown.") - code = 400 - title = 'Sub_meta_rule Algorithm Unknown' - logger = "ERROR" - - -class MetaRuleUnknown(AdminMetaRule): - description = _("The given sub meta rule is unknown.") - code = 400 - title = 'Sub Meta Rule Unknown' - logger = "ERROR" - - -class SubMetaRuleNameExisting(AdminMetaRule): - description = _("The sub meta rule name already exists.") - code = 400 - title = 'Sub Meta Rule Name Existing' - logger = "ERROR" - - -class MetaRuleExisting(AdminMetaRule): - description = _("The sub meta rule already exists.") - code = 400 - title = 'Sub Meta Rule Existing' - logger = "ERROR" - - -class RuleExisting(AdminRule): - description = _("The rule already exists.") - code = 400 - title = 'Rule Existing' - logger = "ERROR" - - -class RuleUnknown(AdminRule): - description = _("The rule for that request doesn't exist.") - code = 400 - title = 'Rule Unknown' - logger = "ERROR" - - -# Keystone exceptions - - -class KeystoneError(MoonError): - description = _("There is an error connecting to Keystone.") - code = 400 - title = 'Keystone error' - logger = "ERROR" - - -class KeystoneProjectError(KeystoneError): - description = _("There is an error retrieving projects from the Keystone service.") - code = 400 - title = 'Keystone project error' - logger = "ERROR" - - -class KeystoneUserError(KeystoneError): - description = _("There is an error retrieving users from the Keystone service.") - code = 400 - title = 'Keystone user error' - logger = "ERROR" - - -class KeystoneUserConflict(KeystoneUserError): - description = _("A user with that name already exist.") - code = 400 - title = 'Keystone user error' - logger = "ERROR" - - -# Consul exceptions - - -class ConsulError(MoonError): - description = _("There is an error connecting to Consul.") - code = 400 - title = 'Consul error' - logger = "ERROR" - - -class ConsulComponentNotFound(ConsulError): - description = _("The component do not exist in Consul database.") - code = 500 - title = 'Consul error' - logger = "WARNING" - - -# Containers exceptions - - -class DockerError(MoonError): - description = _("There is an error with Docker.") - code = 400 - title = 'Docker error' - logger = "ERROR" - - -class ContainerMissing(DockerError): - description = _("Some containers are missing.") - code = 400 - title = 'Container missing' - logger = "ERROR" - diff --git a/moonv4/moon_utilities/moon_utilities/misc.py b/moonv4/moon_utilities/moon_utilities/misc.py deleted file mode 100644 index b83523c3..00000000 --- a/moonv4/moon_utilities/moon_utilities/misc.py +++ /dev/null @@ -1,142 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - - -import logging -import random - -LOG = logging.getLogger(__name__) - - -def get_uuid_from_name(name, elements, **kwargs): - for element in elements: - if type(elements[element]) is dict and elements[element].get('name') == name: - if kwargs: - for args in kwargs: - if elements[element].get(args) != kwargs[args]: - return - else: - return element - else: - return element - - -def get_name_from_uuid(uuid, elements, **kwargs): - for element in elements: - if element == uuid: - if kwargs: - for args in kwargs: - if elements[element].get(args) != kwargs[args]: - return - else: - return elements[element].get('name') - else: - return elements[element].get('name') - - -def get_random_name(): - _list = ( - "windy", - "vengeful", - "precious", - "vivacious", - "quiet", - "confused", - "exultant", - "impossible", - "thick", - "obsolete", - "piquant", - "fanatical", - "tame", - "perfect", - "animated", - "dark", - "stimulating", - "drunk", - "depressed", - "fumbling", - "like", - "undesirable", - "spurious", - "subsequent", - "spiteful", - "last", - "stale", - "hulking", - "giddy", - "minor", - "careful", - "possessive", - "gullible", - "fragile", - "divergent", - "ill-informed", - "false", - "jumpy", - "damaged", - "likeable", - "volatile", - "handsomely", - "wet", - "long-term", - "pretty", - "taboo", - "normal", - "magnificent", - "nutty", - "puzzling", - "small", - "kind", - "devilish", - "chubby", - "paltry", - "cultured", - "old", - "defective", - "hanging", - "innocent", - "jagged", - "economic", - "good", - "sulky", - "real", - "bent", - "shut", - "furry", - "terrific", - "hollow", - "terrible", - "mammoth", - "pleasant", - "scared", - "obnoxious", - "absorbing", - "imported", - "infamous", - "grieving", - "ill-fated", - "mighty", - "handy", - "comfortable", - "astonishing", - "brown", - "assorted", - "wrong", - "unsightly", - "spooky", - "delightful", - "acid", - "inconclusive", - "mere", - "careless", - "historical", - "flashy", - "squealing", - "quarrelsome", - "empty", - "long", - ) - return random.choice(_list) diff --git a/moonv4/moon_utilities/moon_utilities/security_functions.py b/moonv4/moon_utilities/moon_utilities/security_functions.py deleted file mode 100644 index 50ab4daf..00000000 --- a/moonv4/moon_utilities/moon_utilities/security_functions.py +++ /dev/null @@ -1,532 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - - -import copy -import re -import os -import types -import requests -import time -from functools import wraps -from flask import request -import logging -from moon_utilities import exceptions -from moon_utilities import configuration - -LOG = logging.getLogger("moon.utilities." + __name__) - -keystone_config = configuration.get_configuration("openstack/keystone")["openstack/keystone"] -TOKENS = {} -__targets = {} - - -def filter_input(func_or_str): - - def __filter(string): - if string and type(string) is str: - return "".join(re.findall("[\w\- +]*", string)) - return string - - def __filter_dict(arg): - result = dict() - for key in arg.keys(): - if key == "email": - result["email"] = __filter_email(arg[key]) - elif key == "password": - result["password"] = arg['password'] - else: - result[key] = __filter(arg[key]) - return result - - def __filter_email(string): - if string and type(string) is str: - return "".join(re.findall("[\w@\._\- +]*", string)) - return string - - def wrapped(*args, **kwargs): - _args = [] - for arg in args: - if isinstance(arg, str): - arg = __filter(arg) - elif isinstance(arg, list): - arg = [__filter(item) for item in arg] - elif isinstance(arg, tuple): - arg = (__filter(item) for item in arg) - elif isinstance(arg, dict): - arg = __filter_dict(arg) - _args.append(arg) - for arg in kwargs: - if type(kwargs[arg]) is str: - kwargs[arg] = __filter(kwargs[arg]) - if isinstance(kwargs[arg], str): - kwargs[arg] = __filter(kwargs[arg]) - elif isinstance(kwargs[arg], list): - kwargs[arg] = [__filter(item) for item in kwargs[arg]] - elif isinstance(kwargs[arg], tuple): - kwargs[arg] = (__filter(item) for item in kwargs[arg]) - elif isinstance(kwargs[arg], dict): - kwargs[arg] = __filter_dict(kwargs[arg]) - return func_or_str(*_args, **kwargs) - - if isinstance(func_or_str, str): - return __filter(func_or_str) - if isinstance(func_or_str, list): - return [__filter(item) for item in func_or_str] - if isinstance(func_or_str, tuple): - return (__filter(item) for item in func_or_str) - if isinstance(func_or_str, dict): - return __filter_dict(func_or_str) - if isinstance(func_or_str, types.FunctionType): - return wrapped - return None - - -def enforce(action_names, object_name, **extra): - """Fake version of the enforce decorator""" - def wrapper_func(func): - def wrapper_args(*args, **kwargs): - # LOG.info("kwargs={}".format(kwargs)) - # kwargs['user_id'] = kwargs.pop('user_id', "admin") - # LOG.info("Calling enforce on {} with args={} kwargs={}".format(func.__name__, args, kwargs)) - return func(*args, **kwargs) - return wrapper_args - return wrapper_func - - -def login(user=None, password=None, domain=None, project=None, url=None): - start_time = time.time() - if not user: - user = keystone_config['user'] - if not password: - password = keystone_config['password'] - if not domain: - domain = keystone_config['domain'] - if not project: - project = keystone_config['project'] - if not url: - url = keystone_config['url'] - headers = { - "Content-Type": "application/json" - } - data_auth = { - "auth": { - "identity": { - "methods": [ - "password" - ], - "password": { - "user": { - "domain": { - "id": domain - }, - "name": user, - "password": password - } - } - }, - "scope": { - "project": { - "domain": { - "id": domain - }, - "name": project - } - } - } - } - - while True: - req = requests.post("{}/auth/tokens".format(url), - json=data_auth, headers=headers, - verify=keystone_config['certificate']) - - if req.status_code in (200, 201, 204): - headers['X-Auth-Token'] = req.headers['X-Subject-Token'] - return headers - LOG.warning("Waiting for Keystone...") - if time.time() - start_time == 100: - LOG.error(req.text) - raise exceptions.KeystoneError - time.sleep(5) - - -def logout(headers, url=None): - if not url: - url = keystone_config['url'] - headers['X-Subject-Token'] = headers['X-Auth-Token'] - req = requests.delete("{}/auth/tokens".format(url), headers=headers, verify=keystone_config['certificate']) - if req.status_code in (200, 201, 204): - return - LOG.error(req.text) - raise exceptions.KeystoneError - - -class Context: - - def __init__(self, init_context, cache): - self.cache = cache - self.__keystone_project_id = init_context.get("project_id") - self.__pdp_id = None - self.__pdp_value = None - for _pdp_key, _pdp_value in self.cache.pdp.items(): - if _pdp_value["keystone_project_id"] == self.__keystone_project_id: - self.__pdp_id = _pdp_key - self.__pdp_value = copy.deepcopy(_pdp_value) - break - if not self.__pdp_value: - raise exceptions.AuthzException( - "Cannot create context for authz " - "with Keystone project ID {}".format( - self.__keystone_project_id - )) - self.__subject = init_context.get("subject_name") - self.__object = init_context.get("object_name") - self.__action = init_context.get("action_name") - self.__current_request = None - self.__request_id = init_context.get("req_id") - self.__cookie = init_context.get("cookie") - self.__manager_url = init_context.get("manager_url") - self.__interface_name = init_context.get("interface_name") - self.__index = -1 - # self.__init_initial_request() - self.__headers = [] - policies = self.cache.policies - models = self.cache.models - for policy_id in self.__pdp_value["security_pipeline"]: - model_id = policies[policy_id]["model_id"] - for meta_rule in models[model_id]["meta_rules"]: - self.__headers.append(meta_rule) - self.__meta_rules = self.cache.meta_rules - self.__pdp_set = {} - # self.__init_pdp_set() - - def delete_cache(self): - self.cache = {} - - def set_cache(self, cache): - self.cache = cache - - def increment_index(self): - self.__index += 1 - self.__init_current_request() - self.__init_pdp_set() - - @property - def current_state(self): - return self.__pdp_set[self.__headers[self.__index]]['effect'] - - @current_state.setter - def current_state(self, state): - if state not in ("grant", "deny", "passed"): - state = "passed" - self.__pdp_set[self.__headers[self.__index]]['effect'] = state - - @current_state.deleter - def current_state(self): - self.__pdp_set[self.__headers[self.__index]]['effect'] = "unset" - - @property - def current_policy_id(self): - return self.__pdp_value["security_pipeline"][self.__index] - - @current_policy_id.setter - def current_policy_id(self, value): - pass - - @current_policy_id.deleter - def current_policy_id(self): - pass - - def __init_current_request(self): - self.__subject = self.cache.get_subject( - self.__pdp_value["security_pipeline"][self.__index], - self.__subject) - self.__object = self.cache.get_object( - self.__pdp_value["security_pipeline"][self.__index], - self.__object) - self.__action = self.cache.get_action( - self.__pdp_value["security_pipeline"][self.__index], - self.__action) - self.__current_request = dict(self.initial_request) - - def __init_pdp_set(self): - for header in self.__headers: - self.__pdp_set[header] = dict() - self.__pdp_set[header]["meta_rules"] = self.__meta_rules[header] - self.__pdp_set[header]["target"] = self.__add_target(header) - self.__pdp_set[header]["effect"] = "unset" - self.__pdp_set["effect"] = "deny" - - # def update_target(self, context): - # # result = dict() - # current_request = context['current_request'] - # _subject = current_request.get("subject") - # _object = current_request.get("object") - # _action = current_request.get("action") - # meta_rule_id = context['headers'][context['index']] - # policy_id = self.cache.get_policy_from_meta_rules(meta_rule_id) - # meta_rules = self.cache.meta_rules() - # # for meta_rule_id in meta_rules: - # for sub_cat in meta_rules[meta_rule_id]['subject_categories']: - # if sub_cat not in context["pdp_set"][meta_rule_id]["target"]: - # context["pdp_set"][meta_rule_id]["target"][sub_cat] = [] - # for assign in self.cache.get_subject_assignments(policy_id, _subject, sub_cat).values(): - # for assign in assign["assignments"]: - # if assign not in context["pdp_set"][meta_rule_id]["target"][sub_cat]: - # context["pdp_set"][meta_rule_id]["target"][sub_cat].append(assign) - # for obj_cat in meta_rules[meta_rule_id]['object_categories']: - # if obj_cat not in context["pdp_set"][meta_rule_id]["target"]: - # context["pdp_set"][meta_rule_id]["target"][obj_cat] = [] - # for assign in self.cache.get_object_assignments(policy_id, _object, obj_cat).values(): - # for assign in assign["assignments"]: - # if assign not in context["pdp_set"][meta_rule_id]["target"][obj_cat]: - # context["pdp_set"][meta_rule_id]["target"][obj_cat].append(assign) - # for act_cat in meta_rules[meta_rule_id]['action_categories']: - # if act_cat not in context["pdp_set"][meta_rule_id]["target"]: - # context["pdp_set"][meta_rule_id]["target"][act_cat] = [] - # for assign in self.cache.get_action_assignments(policy_id, _action, act_cat).values(): - # for assign in assign["assignments"]: - # if assign not in context["pdp_set"][meta_rule_id]["target"][act_cat]: - # context["pdp_set"][meta_rule_id]["target"][act_cat].append(assign) - # # context["pdp_set"][meta_rule_id]["target"].update(result) - - def __add_target(self, meta_rule_id): - """build target from meta_rule - - Target is dict of categories as keys ; and the value of each category - will be a list of assignments - - """ - result = dict() - _subject = self.__current_request["subject"] - _object = self.__current_request["object"] - _action = self.__current_request["action"] - meta_rules = self.cache.meta_rules - policy_id = self.cache.get_policy_from_meta_rules(meta_rule_id) - for sub_cat in meta_rules[meta_rule_id]['subject_categories']: - if sub_cat not in result: - result[sub_cat] = [] - result[sub_cat].extend( - self.cache.get_subject_assignments(policy_id, _subject, sub_cat)) - for obj_cat in meta_rules[meta_rule_id]['object_categories']: - if obj_cat not in result: - result[obj_cat] = [] - result[obj_cat].extend( - self.cache.get_object_assignments(policy_id, _object, obj_cat)) - for act_cat in meta_rules[meta_rule_id]['action_categories']: - if act_cat not in result: - result[act_cat] = [] - result[act_cat].extend( - self.cache.get_action_assignments(policy_id, _action, act_cat)) - return result - - def __repr__(self): - return """PDP ID: {id} -current_request: {current_request} -request_id: {request_id} -index: {index} -headers: {headers} -pdp_set: {pdp_set} - """.format( - id=self.__pdp_id, - current_request=self.__current_request, - request_id=self.__request_id, - headers=self.__headers, - pdp_set=self.__pdp_set, - index=self.__index - ) - - def to_dict(self): - return { - "initial_request": copy.deepcopy(self.initial_request), - "current_request": copy.deepcopy(self.__current_request), - "headers": copy.deepcopy(self.__headers), - "index": copy.deepcopy(self.__index), - "pdp_set": copy.deepcopy(self.__pdp_set), - "request_id": copy.deepcopy(self.__request_id), - "manager_url": copy.deepcopy(self.__manager_url), - "interface_name": copy.deepcopy(self.__interface_name), - } - - @property - def request_id(self): - return self.__request_id - - @request_id.setter - def request_id(self, value): - raise Exception("You cannot update the request_id") - - @request_id.deleter - def request_id(self): - raise Exception("You cannot update the request_id") - - @property - def manager_url(self): - return self.__manager_url - - @manager_url.setter - def manager_url(self, value): - raise Exception("You cannot update the manager_url") - - @manager_url.deleter - def manager_url(self): - raise Exception("You cannot update the manager_url") - - @property - def interface_name(self): - return self.__interface_name - - @interface_name.setter - def interface_name(self, value): - raise Exception("You cannot update the interface_name") - - @interface_name.deleter - def interface_name(self): - raise Exception("You cannot update the interface_name") - - @property - def cookie(self): - return self.__cookie - - @cookie.setter - def cookie(self, value): - raise Exception("You cannot update the cookie") - - @cookie.deleter - def cookie(self): - raise Exception("You cannot delete the cookie") - - @property - def initial_request(self): - return { - "subject": self.__subject, - "object": self.__object, - "action": self.__action, - } - - @initial_request.setter - def initial_request(self, value): - raise Exception("You are not allowed to update the initial_request") - - @initial_request.deleter - def initial_request(self): - raise Exception("You are not allowed to delete the initial_request") - - @property - def current_request(self): - if not self.__current_request: - self.__current_request = copy.deepcopy(self.initial_request) - return self.__current_request - - @current_request.setter - def current_request(self, value): - self.__current_request = copy.deepcopy(value) - # Note (asteroide): if the current request is modified, - # we must update the PDP Set. - self.__init_pdp_set() - - @current_request.deleter - def current_request(self): - self.__current_request = {} - self.__pdp_set = {} - - @property - def headers(self): - return self.__headers - - @headers.setter - def headers(self, headers): - self.__headers = headers - - @headers.deleter - def headers(self): - self.__headers = list() - - @property - def index(self): - return self.__index - - @index.setter - def index(self, index): - self.__index += 1 - - @index.deleter - def index(self): - self.__index = -1 - - @property - def pdp_set(self): - return self.__pdp_set - - @pdp_set.setter - def pdp_set(self, value): - raise Exception("You are not allowed to modify the pdp_set") - - @pdp_set.deleter - def pdp_set(self): - self.__pdp_set = {} - - -def check_token(token, url=None): - _verify = False - if keystone_config['certificate']: - _verify = keystone_config['certificate'] - try: - os.environ.pop("http_proxy") - os.environ.pop("https_proxy") - except KeyError: - pass - if not url: - url = keystone_config['url'] - headers = { - "Content-Type": "application/json", - 'X-Subject-Token': token, - 'X-Auth-Token': token, - } - if not keystone_config['check_token']: - # TODO (asteroide): must send the admin id - return "admin" if not token else token - elif keystone_config['check_token'].lower() in ("false", "no", "n"): - # TODO (asteroide): must send the admin id - return "admin" if not token else token - if keystone_config['check_token'].lower() in ("yes", "y", "true"): - if token in TOKENS: - delta = time.mktime(TOKENS[token]["expires_at"]) - time.mktime(time.gmtime()) - if delta > 0: - return TOKENS[token]["user"] - raise exceptions.KeystoneError - else: - req = requests.get("{}/auth/tokens".format(url), headers=headers, verify=_verify) - if req.status_code in (200, 201): - # Note (asteroide): the time stamps is not in ISO 8601, so it is necessary to delete - # characters after the dot - token_time = req.json().get("token").get("expires_at").split(".") - TOKENS[token] = dict() - TOKENS[token]["expires_at"] = time.strptime(token_time[0], "%Y-%m-%dT%H:%M:%S") - TOKENS[token]["user"] = req.json().get("token").get("user").get("id") - return TOKENS[token]["user"] - LOG.error("{} - {}".format(req.status_code, req.text)) - raise exceptions.KeystoneError - elif keystone_config['check_token'].lower() == "strict": - req = requests.head("{}/auth/tokens".format(url), headers=headers, verify=_verify) - if req.status_code in (200, 201): - return token - LOG.error("{} - {}".format(req.status_code, req.text)) - raise exceptions.KeystoneError - raise exceptions.KeystoneError - - -def check_auth(function): - @wraps(function) - def wrapper(*args, **kwargs): - token = request.headers.get('X-Auth-Token') - token = check_token(token) - if not token: - raise exceptions.AuthException - user_id = kwargs.pop("user_id", token) - result = function(*args, **kwargs, user_id=user_id) - return result - return wrapper diff --git a/moonv4/moon_utilities/requirements.txt b/moonv4/moon_utilities/requirements.txt deleted file mode 100644 index 5b80e5f2..00000000 --- a/moonv4/moon_utilities/requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -werkzeug -flask -requests \ No newline at end of file diff --git a/moonv4/moon_utilities/setup.py b/moonv4/moon_utilities/setup.py deleted file mode 100644 index 21e11419..00000000 --- a/moonv4/moon_utilities/setup.py +++ /dev/null @@ -1,42 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -from setuptools import setup, find_packages -import moon_utilities - -with open('requirements.txt') as f: - required = f.read().splitlines() - -setup( - - name='moon_utilities', - - version=moon_utilities.__version__, - - packages=find_packages(), - - author='Thomas Duval', - - author_email='thomas.duval@orange.com', - - description='Some utilities for all the Moon components', - - long_description=open('README.md').read(), - - install_requires=required, - - include_package_data=True, - - url='https://git.opnfv.org/cgit/moon', - - classifiers=[ - 'Programming Language :: Python :: 3', - 'Development Status :: 1 - Planning', - 'License :: OSI Approved', - 'Natural Language :: English', - 'Operating System :: OS Independent', - ], - -) diff --git a/moonv4/moon_utilities/tests/unit_python/conftest.py b/moonv4/moon_utilities/tests/unit_python/conftest.py deleted file mode 100644 index 7217586a..00000000 --- a/moonv4/moon_utilities/tests/unit_python/conftest.py +++ /dev/null @@ -1,17 +0,0 @@ -import pytest -import requests_mock -import mock_components -import mock_keystone -import mock_cache - - -@pytest.fixture(autouse=True) -def no_requests(monkeypatch): - """ Modify the response from Requests module - """ - with requests_mock.Mocker(real_http=True) as m: - mock_components.register_components(m) - mock_keystone.register_keystone(m) - mock_cache.register_cache(m) - print("End registering URI") - yield m \ No newline at end of file diff --git a/moonv4/moon_utilities/tests/unit_python/mock_cache.py b/moonv4/moon_utilities/tests/unit_python/mock_cache.py deleted file mode 100644 index b2b287a9..00000000 --- a/moonv4/moon_utilities/tests/unit_python/mock_cache.py +++ /dev/null @@ -1,321 +0,0 @@ -from utilities import CONF - -pdp_mock = { - "pdp_id1": { - "name": "...", - "security_pipeline": ["policy_id_1", "policy_id_2"], - "keystone_project_id": "keystone_project_id1", - "description": "...", - }, - "pdp_id12": { - "name": "...", - "security_pipeline": ["policy_id_1", "policy_id_2"], - "keystone_project_id": "keystone_project_id1", - "description": "...", - } -} - -meta_rules_mock = { - "meta_rule_id1": { - "name": "meta_rule1", - "algorithm": "name of the meta rule algorithm", - "subject_categories": ["subject_category_id1", - "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - }, - "meta_rule_id2": { - "name": "name of the meta rules2", - "algorithm": "name of the meta rule algorithm", - "subject_categories": ["subject_category_id1", - "subject_category_id2"], - "object_categories": ["object_category_id1"], - "action_categories": ["action_category_id1"] - } -} - -policies_mock = { - "policy_id_1": { - "name": "test_policy1", - "model_id": "model_id_1", - "genre": "authz", - "description": "test", - }, - "policy_id_2": { - "name": "test_policy2", - "model_id": "model_id_2", - "genre": "authz", - "description": "test", - } -} - -subject_mock = { - "policy_id_1": { - "subject_id": { - "name": "subject_name", - "keystone_id": "keystone_project_id1", - "description": "a description" - } - }, - "policy_id_2": { - "subject_id": { - "name": "subject_name", - "keystone_id": "keystone_project_id1", - "description": "a description" - } - } -} - -subject_assignment_mock = { - "subject_id": { - "policy_id": "ID of the policy", - "subject_id": "ID of the subject", - "category_id": "ID of the category", - "assignments": [], - } -} - -object_mock = { - "policy_id_1": { - "object_id": { - "name": "object_name", - "description": "a description" - } - }, - "policy_id_2": { - "object_id": { - "name": "object_name", - "description": "a description" - } - } -} - -object_assignment_mock = { - "object_id": { - "policy_id": "ID of the policy", - "object_id": "ID of the object", - "category_id": "ID of the category", - "assignments": [], - } -} - -action_mock = { - "policy_id_1": { - "action_id": { - "name": "action_name", - "description": "a description" - } - }, - "policy_id_2": { - "action_id": { - "name": "action_name", - "description": "a description" - } - } -} - -action_assignment_mock = { - "action_id": { - "policy_id": "ID of the policy", - "action_id": "ID of the action", - "category_id": "ID of the category", - "assignments": [], - } -} - -models_mock = { - "model_id_1": { - "name": "test_model", - "description": "test", - "meta_rules": ["meta_rule_id1"] - }, - "model_id_2": { - "name": "test_model", - "description": "test", - "meta_rules": ["meta_rule_id2"] - }, -} - -rules_mock = { - "rules": { - "meta_rule_id": "meta_rule_id1", - "rule_id1": { - "rule": ["subject_data_id1", - "object_data_id1", - "action_data_id1"], - "instructions": ( - {"decision": "grant"}, - # "grant" to immediately exit, - # "continue" to wait for the result of next policy - # "deny" to deny the request - ) - }, - "rule_id2": { - "rule": ["subject_data_id2", - "object_data_id2", - "action_data_id2"], - "instructions": ( - { - "update": { - "operation": "add", - # operations may be "add" or "delete" - "target": "rbac:role:admin" - # add the role admin to the current user - } - }, - {"chain": {"name": "rbac"}} - # chain with the policy named rbac - ) - } - } -} - - -def register_cache(m): - """ Modify the response from Requests module - """ - register_pdp(m) - register_meta_rules(m) - register_policies(m) - register_models(m) - register_policy_subject(m, "policy_id_1") - register_policy_subject(m, "policy_id_2") - register_policy_object(m, "policy_id_1") - register_policy_object(m, "policy_id_2") - register_policy_action(m, "policy_id_1") - register_policy_action(m, "policy_id_2") - register_policy_subject_assignment(m, "policy_id_1", "subject_id") - # register_policy_subject_assignment_list(m1, "policy_id_1") - register_policy_subject_assignment(m, "policy_id_2", "subject_id") - # register_policy_subject_assignment_list(m1, "policy_id_2") - register_policy_object_assignment(m, "policy_id_1", "object_id") - # register_policy_object_assignment_list(m1, "policy_id_1") - register_policy_object_assignment(m, "policy_id_2", "object_id") - # register_policy_object_assignment_list(m1, "policy_id_2") - register_policy_action_assignment(m, "policy_id_1", "action_id") - # register_policy_action_assignment_list(m1, "policy_id_1") - register_policy_action_assignment(m, "policy_id_2", "action_id") - # register_policy_action_assignment_list(m1, "policy_id_2") - register_rules(m, "policy_id1") - - -def register_pdp(m): - m.register_uri( - 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'pdp'), - json={'pdps': pdp_mock} - ) - - -def register_meta_rules(m): - m.register_uri( - 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'meta_rules'), - json={'meta_rules': meta_rules_mock} - ) - - -def register_policies(m): - m.register_uri( - 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies'), - json={'policies': policies_mock} - ) - - -def register_models(m): - m.register_uri( - 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'models'), - json={'models': models_mock} - ) - - -def register_policy_subject(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/subjects'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', policy_id), - json={'subjects': subject_mock[policy_id]} - ) - - -def register_policy_object(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/objects'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', policy_id), - json={'objects': object_mock[policy_id]} - ) - - -def register_policy_action(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/actions'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', policy_id), - json={'actions': action_mock[policy_id]} - ) - - -def register_policy_subject_assignment(m, policy_id, subj_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/subject_assignments/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id, - subj_id), - json={'subject_assignments': subject_assignment_mock} - ) - - -def register_policy_subject_assignment_list(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/subject_assignments'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id), - json={'subject_assignments': subject_assignment_mock} - ) - - -def register_policy_object_assignment(m, policy_id, obj_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/object_assignments/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id, - obj_id), - json={'object_assignments': object_assignment_mock} - ) - - -def register_policy_object_assignment_list(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/object_assignments'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id), - json={'object_assignments': object_assignment_mock} - ) - - -def register_policy_action_assignment(m, policy_id, action_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/action_assignments/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id, - action_id), - json={'action_assignments': action_assignment_mock} - ) - - -def register_policy_action_assignment_list(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/action_assignments'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id), - json={'action_assignments': action_assignment_mock} - ) - - -def register_rules(m, policy_id): - m.register_uri( - 'GET', 'http://{}:{}/{}/{}/{}'.format(CONF['components']['manager']['hostname'], - CONF['components']['manager']['port'], 'policies', - policy_id, 'rules'), - json={'rules': rules_mock} - ) \ No newline at end of file diff --git a/moonv4/moon_utilities/tests/unit_python/mock_components.py b/moonv4/moon_utilities/tests/unit_python/mock_components.py deleted file mode 100644 index a0319e1a..00000000 --- a/moonv4/moon_utilities/tests/unit_python/mock_components.py +++ /dev/null @@ -1,27 +0,0 @@ -import utilities - -COMPONENTS = ( - "logging", - "openstack/keystone", - "database", - "slave", - "components/manager", - "components/orchestrator", - "components/interface", -) - - -def register_components(m): - for component in COMPONENTS: - m.register_uri( - 'GET', 'http://consul:8500/v1/kv/{}'.format(component), - json=[{'Key': component, 'Value': utilities.get_b64_conf(component)}] - ) - - m.register_uri( - 'GET', 'http://consul:8500/v1/kv/components?recurse=true', - json=[ - {"Key": key, "Value": utilities.get_b64_conf(key)} for key in COMPONENTS - ], - # json={'Key': "components", 'Value': get_b64_conf("components")} - ) \ No newline at end of file diff --git a/moonv4/moon_utilities/tests/unit_python/mock_keystone.py b/moonv4/moon_utilities/tests/unit_python/mock_keystone.py deleted file mode 100644 index c0b26b88..00000000 --- a/moonv4/moon_utilities/tests/unit_python/mock_keystone.py +++ /dev/null @@ -1,23 +0,0 @@ -def register_keystone(m): - m.register_uri( - 'POST', 'http://keystone:5000/v3/auth/tokens', - headers={'X-Subject-Token': "111111111"} - ) - m.register_uri( - 'DELETE', 'http://keystone:5000/v3/auth/tokens', - headers={'X-Subject-Token': "111111111"} - ) - m.register_uri( - 'POST', 'http://keystone:5000/v3/users?name=testuser&domain_id=default', - json={"users": {}} - ) - m.register_uri( - 'GET', 'http://keystone:5000/v3/users?name=testuser&domain_id=default', - json={"users": {}} - ) - m.register_uri( - 'POST', 'http://keystone:5000/v3/users/', - json={"users": [{ - "id": "1111111111111" - }]} - ) \ No newline at end of file diff --git a/moonv4/moon_utilities/tests/unit_python/requirements.txt b/moonv4/moon_utilities/tests/unit_python/requirements.txt deleted file mode 100644 index 3c1ad607..00000000 --- a/moonv4/moon_utilities/tests/unit_python/requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -pytest -requests_mock \ No newline at end of file diff --git a/moonv4/moon_utilities/tests/unit_python/test_cache.py b/moonv4/moon_utilities/tests/unit_python/test_cache.py deleted file mode 100644 index 3d4f7292..00000000 --- a/moonv4/moon_utilities/tests/unit_python/test_cache.py +++ /dev/null @@ -1,75 +0,0 @@ -import pytest - - -def test_authz_request(): - from moon_utilities import cache - c = cache.Cache() - assert isinstance(c.authz_requests, dict) - - -def test_get_subject_success(): - from moon_utilities import cache - cache_obj = cache.Cache() - policy_id = 'policy_id_1' - name = 'subject_name' - subject_id = cache_obj.get_subject(policy_id, name) - assert subject_id is not None - - -def test_get_subject_failure(): - from moon_utilities import cache - cache_obj = cache.Cache() - policy_id = 'policy_id_1' - name = 'invalid name' - with pytest.raises(Exception) as exception_info: - cache_obj.get_subject(policy_id, name) - assert str(exception_info.value) == '400: Subject Unknown' - - -def test_get_object_success(): - from moon_utilities import cache - cache_obj = cache.Cache() - policy_id = 'policy_id_1' - name = 'object_name' - object_id = cache_obj.get_object(policy_id, name) - assert object_id is not None - - -def test_get_object_failure(): - from moon_utilities import cache - cache_obj = cache.Cache() - policy_id = 'policy_id_1' - name = 'invalid name' - with pytest.raises(Exception) as exception_info: - cache_obj.get_object(policy_id, name) - assert str(exception_info.value) == '400: Subject Unknown' - - -def test_get_action_success(): - from moon_utilities import cache - cache_obj = cache.Cache() - policy_id = 'policy_id_1' - name = 'action_name' - action_id = cache_obj.get_action(policy_id, name) - assert action_id is not None - - -def test_get_action_failure(): - from moon_utilities import cache - cache_obj = cache.Cache() - policy_id = 'policy_id_1' - name = 'invalid name' - with pytest.raises(Exception) as exception_info: - cache_obj.get_action(policy_id, name) - assert str(exception_info.value) == '400: Subject Unknown' - - -def test_cache_manager(): - from moon_utilities import cache - cache_obj = cache.Cache() - assert cache_obj.pdp is not None - assert cache_obj.meta_rules is not None - assert len(cache_obj.meta_rules) == 2 - assert cache_obj.policies is not None - assert len(cache_obj.policies) == 2 - assert cache_obj.models is not None \ No newline at end of file diff --git a/moonv4/moon_utilities/tests/unit_python/test_configuration.py b/moonv4/moon_utilities/tests/unit_python/test_configuration.py deleted file mode 100644 index 0ebff995..00000000 --- a/moonv4/moon_utilities/tests/unit_python/test_configuration.py +++ /dev/null @@ -1,5 +0,0 @@ - -def test_get_components(): - from moon_utilities import configuration - assert isinstance(configuration.get_components(), dict) - diff --git a/moonv4/moon_utilities/tests/unit_python/utilities.py b/moonv4/moon_utilities/tests/unit_python/utilities.py deleted file mode 100644 index 1d79d890..00000000 --- a/moonv4/moon_utilities/tests/unit_python/utilities.py +++ /dev/null @@ -1,136 +0,0 @@ -import base64 -import json - - -CONF = { - "openstack": { - "keystone": { - "url": "http://keystone:5000/v3", - "user": "admin", - "check_token": False, - "password": "p4ssw0rd", - "domain": "default", - "certificate": False, - "project": "admin" - } - }, - "components": { - "wrapper": { - "bind": "0.0.0.0", - "port": 8080, - "container": "wukongsun/moon_wrapper:v4.3", - "timeout": 5, - "hostname": "wrapper" - }, - "manager": { - "bind": "0.0.0.0", - "port": 8082, - "container": "wukongsun/moon_manager:v4.3", - "hostname": "manager" - }, - "port_start": 31001, - "orchestrator": { - "bind": "0.0.0.0", - "port": 8083, - "container": "wukongsun/moon_orchestrator:v4.3", - "hostname": "interface" - }, - "interface": { - "bind": "0.0.0.0", - "port": 8080, - "container": "wukongsun/moon_interface:v4.3", - "hostname": "interface" - } - }, - "plugins": { - "session": { - "port": 8082, - "container": "asteroide/session:latest" - }, - "authz": { - "port": 8081, - "container": "wukongsun/moon_authz:v4.3" - } - }, - "logging": { - "handlers": { - "file": { - "filename": "/tmp/moon.log", - "class": "logging.handlers.RotatingFileHandler", - "level": "DEBUG", - "formatter": "custom", - "backupCount": 3, - "maxBytes": 1048576 - }, - "console": { - "class": "logging.StreamHandler", - "formatter": "brief", - "level": "INFO", - "stream": "ext://sys.stdout" - } - }, - "formatters": { - "brief": { - "format": "%(levelname)s %(name)s %(message)-30s" - }, - "custom": { - "format": "%(asctime)-15s %(levelname)s %(name)s %(message)s" - } - }, - "root": { - "handlers": [ - "console" - ], - "level": "ERROR" - }, - "version": 1, - "loggers": { - "moon": { - "handlers": [ - "console", - "file" - ], - "propagate": False, - "level": "DEBUG" - } - } - }, - "slave": { - "name": None, - "master": { - "url": None, - "login": None, - "password": None - } - }, - "docker": { - "url": "tcp://172.88.88.1:2376", - "network": "moon" - }, - "database": { - "url": "sqlite:///database.db", - # "url": "mysql+pymysql://moon:p4sswOrd1@db/moon", - "driver": "sql" - }, - "messenger": { - "url": "rabbit://moon:p4sswOrd1@messenger:5672/moon" - } -} - - -def get_b64_conf(component=None): - if component == "components": - return base64.b64encode( - json.dumps(CONF["components"]).encode('utf-8')+b"\n").decode('utf-8') - elif component in CONF: - return base64.b64encode( - json.dumps( - CONF[component]).encode('utf-8')+b"\n").decode('utf-8') - elif not component: - return base64.b64encode( - json.dumps(CONF).encode('utf-8')+b"\n").decode('utf-8') - elif "/" in component: - key1, _, key2 = component.partition("/") - return base64.b64encode( - json.dumps( - CONF[key1][key2]).encode('utf-8')+b"\n").decode('utf-8') diff --git a/moonv4/python_moonutilities/Changelog b/moonv4/python_moonutilities/Changelog new file mode 100644 index 00000000..3eaf7894 --- /dev/null +++ b/moonv4/python_moonutilities/Changelog @@ -0,0 +1,64 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +CHANGES +======= + +0.1.0 +----- +- First version of the moon_utilities library. + +1.0.0 +----- +- First public version of the moon_utilities library. + +1.0.1 +----- +- Update setup.py to force the installation of requirements. + +1.0.2 +----- +- Test PyPi upload + +1.1.0 +----- +- Add functions to get configuration from Consul + +1.1.1 +----- +- Add a missing requirements + +1.2.0 +----- +- Add authentication features for interface + +1.3.0 +----- +- Add cache functionality + +1.3.1 +----- +- Delete Oslo config possibilities + +1.3.2 +----- +- Delete Oslo logging and config + +1.3.3 +----- +- Update the cache + +1.3.4 +----- +- Fix a bug on the connection between interface and authz + +1.4.0 +----- +- Add a waiting loop when the Keystone server is not currently available + +1.4.1 +----- +- Cleanup moon_utilities code diff --git a/moonv4/python_moonutilities/LICENSE b/moonv4/python_moonutilities/LICENSE new file mode 100644 index 00000000..d6456956 --- /dev/null +++ b/moonv4/python_moonutilities/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/moonv4/python_moonutilities/MANIFEST.in b/moonv4/python_moonutilities/MANIFEST.in new file mode 100644 index 00000000..b764e35c --- /dev/null +++ b/moonv4/python_moonutilities/MANIFEST.in @@ -0,0 +1,10 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +include README.rst +include LICENSE +include Changelog +include setup.py +include requirements.txt diff --git a/moonv4/python_moonutilities/README.md b/moonv4/python_moonutilities/README.md new file mode 100644 index 00000000..8e21966a --- /dev/null +++ b/moonv4/python_moonutilities/README.md @@ -0,0 +1,33 @@ +# python-moonutilities Package +This package contains the core module for the Moon project. +It is designed to provide authorization feature to all OpenStack components. + +For any other information, refer to the parent project: + + https://git.opnfv.org/moon + +python-moonutilities is a common Python lib for other Moon Python packages + +## Build +### Build Python Package +```bash +cd ${MOON_HOME}/python_moonutilities +python3 setup.py sdist bdist_wheel +``` + +### Push Python Package to PIP +```bash +cd ${MOON_HOME}/python_moonutilities +gpg --detach-sign -u "${GPG_ID}" -a dist/python_moonutilities-X.Y.Z-py3-none-any.whl +gpg --detach-sign -u "${GPG_ID}" -a dist/python_moonutilities-X.Y.Z.tar.gz +twine upload dist/python_moonutilities-X.Y.Z-py3-none-any.whl dist/python_moonutilities-X.Y.Z-py3-none-any.whl.asc +twine upload dist/python_moonutilities-X.Y.Z.tar.gz dist/python_moonutilities-X.Y.Z.tar.gz.asc +``` + +## Test +### Python Unit Test +launch Docker for Python unit tests +```bash +cd ${MOON_HOME}/python_moonutilities +docker run --rm --volume $(pwd):/data wukongsun/moon_python_unit_test:latest +``` diff --git a/moonv4/python_moonutilities/python_moonutilities/__init__.py b/moonv4/python_moonutilities/python_moonutilities/__init__.py new file mode 100644 index 00000000..e3ad9307 --- /dev/null +++ b/moonv4/python_moonutilities/python_moonutilities/__init__.py @@ -0,0 +1,6 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +__version__ = "1.4.1" diff --git a/moonv4/python_moonutilities/python_moonutilities/api.py b/moonv4/python_moonutilities/python_moonutilities/api.py new file mode 100644 index 00000000..8e80c21d --- /dev/null +++ b/moonv4/python_moonutilities/python_moonutilities/api.py @@ -0,0 +1,28 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +class APIList(object): + + API_LIST = () + + def __init__(self, api_list): + self.API_LIST = api_list + + def list_api(self, ctx): + api = dict() + for obj in self.API_LIST: + api[obj.__name__] = dict() + api[obj.__name__]["description"] = obj.__doc__.strip() if obj.__doc__ else "" + api[obj.__name__]["version"] = obj.__version__ + api[obj.__name__]["commands"] = dict() + for cmd in filter(lambda x: not x.startswith("__"), dir(obj)): + doc = eval("obj.{}.__doc__".format(cmd)) + if not doc: + doc = "" + api[obj.__name__]["commands"][cmd] = doc.strip() + return api + + diff --git a/moonv4/python_moonutilities/python_moonutilities/auth.py b/moonv4/python_moonutilities/python_moonutilities/auth.py new file mode 100644 index 00000000..7656f4e7 --- /dev/null +++ b/moonv4/python_moonutilities/python_moonutilities/auth.py @@ -0,0 +1,76 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import requests +import time +from functools import wraps +from flask import request +from oslo_log import log as logging +from python_moonutilities import exceptions, configuration + + +LOG = logging.getLogger(__name__) +KEYSTONE_CONFIG = configuration.get_configuration("openstack/keystone")["openstack/keystone"] +TOKENS = {} + + +def check_token(token, url=None): + _verify = False + if KEYSTONE_CONFIG['certificate']: + _verify = KEYSTONE_CONFIG['certificate'] + try: + os.environ.pop("http_proxy") + os.environ.pop("https_proxy") + except KeyError: + pass + if not url: + url = KEYSTONE_CONFIG['url'] + headers = { + "Content-Type": "application/json", + 'X-Subject-Token': token, + 'X-Auth-Token': token, + } + if KEYSTONE_CONFIG['check_token'].lower() in ("false", "no", "n"): + # TODO (asteroide): must send the admin id + return "admin" if not token else token + if KEYSTONE_CONFIG['check_token'].lower() in ("yes", "y", "true"): + if token in TOKENS: + delta = time.mktime(TOKENS[token]["expires_at"]) - time.mktime(time.gmtime()) + if delta > 0: + return TOKENS[token]["user"] + raise exceptions.KeystoneError + else: + req = requests.get("{}/auth/tokens".format(url), headers=headers, verify=_verify) + if req.status_code in (200, 201): + # Note (asteroide): the time stamps is not in ISO 8601, so it is necessary to delete + # characters after the dot + token_time = req.json().get("token").get("expires_at").split(".") + TOKENS[token] = dict() + TOKENS[token]["expires_at"] = time.strptime(token_time[0], "%Y-%m-%dT%H:%M:%S") + TOKENS[token]["user"] = req.json().get("token").get("user").get("id") + return TOKENS[token]["user"] + LOG.error("{} - {}".format(req.status_code, req.text)) + raise exceptions.KeystoneError + elif KEYSTONE_CONFIG['check_token'].lower() == "strict": + req = requests.head("{}/auth/tokens".format(url), headers=headers, verify=_verify) + if req.status_code in (200, 201): + return token + LOG.error("{} - {}".format(req.status_code, req.text)) + raise exceptions.KeystoneError + raise exceptions.KeystoneError + + +def check_auth(function): + @wraps(function) + def wrapper(*args, **kwargs): + token = request.headers.get('X-Auth-Token') + token = check_token(token) + if not token: + raise exceptions.AuthException + user_id = kwargs.pop("user_id", token) + result = function(*args, **kwargs, user_id=user_id) + return result + return wrapper diff --git a/moonv4/python_moonutilities/python_moonutilities/cache.py b/moonv4/python_moonutilities/python_moonutilities/cache.py new file mode 100644 index 00000000..93e3daca --- /dev/null +++ b/moonv4/python_moonutilities/python_moonutilities/cache.py @@ -0,0 +1,543 @@ +import logging +import time +import requests +from uuid import uuid4 +from python_moonutilities import configuration, exceptions + +LOG = logging.getLogger("moon.utilities.cache") + + +class Cache(object): + # TODO (asteroide): set cache integer in CONF file + ''' + [NOTE] Propose to define the following variables inside the init method + as defining them out side the init, will be treated as private static variables + and keep tracks with any changes done anywhere + for more info : you can check https://docs.python.org/3/tutorial/classes.html#class-and-instance-variables + ''' + __UPDATE_INTERVAL = 10 + + __CONTAINERS = {} + __CONTAINERS_UPDATE = 0 + + __CONTAINER_CHAINING_UPDATE = 0 + __CONTAINER_CHAINING = {} + + __PDP = {} + __PDP_UPDATE = 0 + + __POLICIES = {} + __POLICIES_UPDATE = 0 + + __MODELS = {} + __MODELS_UPDATE = 0 + + __SUBJECTS = {} + __OBJECTS = {} + __ACTIONS = {} + + __SUBJECT_ASSIGNMENTS = {} + __OBJECT_ASSIGNMENTS = {} + __ACTION_ASSIGNMENTS = {} + + __SUBJECT_CATEGORIES = {} + __SUBJECT_CATEGORIES_UPDATE = 0 + __OBJECT_CATEGORIES = {} + __OBJECT_CATEGORIES_UPDATE = 0 + __ACTION_CATEGORIES = {} + __ACTION_CATEGORIES_UPDATE = 0 + + __META_RULES = {} + __META_RULES_UPDATE = 0 + + __RULES = {} + __RULES_UPDATE = 0 + + __AUTHZ_REQUESTS = {} + + def __init__(self): + self.manager_url = "{}://{}:{}".format( + configuration.get_components()['manager'].get('protocol', 'http'), + configuration.get_components()['manager']['hostname'], + configuration.get_components()['manager']['port'] + ) + self.orchestrator_url = "{}://{}:{}".format( + configuration.get_components()['orchestrator'].get('protocol', 'http'), + configuration.get_components()['orchestrator']['hostname'], + configuration.get_components()['orchestrator']['port'] + ) + + def update(self): + self.__update_container() + self.__update_pdp() + self.__update_policies() + self.__update_models() + for key, value in self.__PDP.items(): + # LOG.info("Updating container_chaining with {}".format(value["keystone_project_id"])) + self.__update_container_chaining(value["keystone_project_id"]) + + @property + def authz_requests(self): + return self.__AUTHZ_REQUESTS + + # perimeter functions + + @property + def subjects(self): + return self.__SUBJECTS + + def update_subjects(self, policy_id=None): + req = requests.get("{}/policies/{}/subjects".format( + self.manager_url, policy_id)) + self.__SUBJECTS[policy_id] = req.json()['subjects'] + + def get_subject(self, policy_id, name): + try: + for _subject_id, _subject_dict in self.__SUBJECTS[policy_id].items(): + if _subject_dict["name"] == name: + return _subject_id + except KeyError: + pass + self.update_subjects(policy_id) + for _subject_id, _subject_dict in self.__SUBJECTS[policy_id].items(): + if _subject_dict["name"] == name: + return _subject_id + raise exceptions.SubjectUnknown("Cannot find subject {}".format(name)) + + @property + def objects(self): + return self.__OBJECTS + + def update_objects(self, policy_id=None): + req = requests.get("{}/policies/{}/objects".format( + self.manager_url, policy_id)) + self.__OBJECTS[policy_id] = req.json()['objects'] + + def get_object(self, policy_id, name): + try: + for _object_id, _object_dict in self.__OBJECTS[policy_id].items(): + if _object_dict["name"] == name: + return _object_id + except KeyError: + pass + self.update_objects(policy_id) + for _object_id, _object_dict in self.__OBJECTS[policy_id].items(): + if _object_dict["name"] == name: + return _object_id + raise exceptions.SubjectUnknown("Cannot find object {}".format(name)) + + @property + def actions(self): + return self.__ACTIONS + + def update_actions(self, policy_id=None): + req = requests.get("{}/policies/{}/actions".format( + self.manager_url, policy_id)) + self.__ACTIONS[policy_id] = req.json()['actions'] + + def get_action(self, policy_id, name): + try: + for _action_id, _action_dict in self.__ACTIONS[policy_id].items(): + if _action_dict["name"] == name: + return _action_id + except KeyError: + pass + self.update_actions(policy_id) + for _action_id, _action_dict in self.__ACTIONS[policy_id].items(): + if _action_dict["name"] == name: + return _action_id + raise exceptions.SubjectUnknown("Cannot find action {}".format(name)) + + # meta_rule functions + + @property + def meta_rules(self): + current_time = time.time() + if self.__META_RULES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_meta_rules() + self.__META_RULES_UPDATE = current_time + return self.__META_RULES + + def __update_meta_rules(self): + req = requests.get("{}/meta_rules".format(self.manager_url)) + self.__META_RULES = req.json()['meta_rules'] + + # rule functions + + @property + def rules(self): + current_time = time.time() + if self.__RULES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_rules() + self.__RULES_UPDATE = current_time + return self.__RULES + + def __update_rules(self): + for policy_id in self.__POLICIES: + LOG.info("Get {}".format("{}/policies/{}/rules".format( + self.manager_url, policy_id))) + req = requests.get("{}/policies/{}/rules".format( + self.manager_url, policy_id)) + self.__RULES[policy_id] = req.json()['rules'] + LOG.info("UPDATE RULES {}".format(self.__RULES)) + + # assignment functions + + @property + def subject_assignments(self): + return self.__SUBJECT_ASSIGNMENTS + + def update_subject_assignments(self, policy_id=None, perimeter_id=None): + if perimeter_id: + req = requests.get("{}/policies/{}/subject_assignments/{}".format( + self.manager_url, policy_id, perimeter_id)) + else: + req = requests.get("{}/policies/{}/subject_assignments".format( + self.manager_url, policy_id)) + if policy_id not in self.__SUBJECT_ASSIGNMENTS: + self.__SUBJECT_ASSIGNMENTS[policy_id] = {} + self.__SUBJECT_ASSIGNMENTS[policy_id].update( + req.json()['subject_assignments']) + + def get_subject_assignments(self, policy_id, perimeter_id, category_id): + if policy_id not in self.subject_assignments: + self.update_subject_assignments(policy_id, perimeter_id) + ''' + [NOTE] invalid condition for testing existence of policy_id + because update_subject_assignments function already add an empty object + with the given policy_id and then assign the response to it + as mentioned in these lines of code (line 191,192) + + Note: the same condition applied for the object,action assignment + line 234, 260 + ''' + if policy_id not in self.subject_assignments: + raise Exception("Cannot found the policy {}".format(policy_id)) + for key, value in self.subject_assignments[policy_id].items(): + if perimeter_id == value['subject_id'] and category_id == value['category_id']: + return value['assignments'] + return [] + + @property + def object_assignments(self): + return self.__OBJECT_ASSIGNMENTS + + def update_object_assignments(self, policy_id=None, perimeter_id=None): + if perimeter_id: + req = requests.get("{}/policies/{}/object_assignments/{}".format( + self.manager_url, policy_id, perimeter_id)) + else: + req = requests.get("{}/policies/{}/object_assignments".format( + self.manager_url, policy_id)) + if policy_id not in self.__OBJECT_ASSIGNMENTS: + self.__OBJECT_ASSIGNMENTS[policy_id] = {} + self.__OBJECT_ASSIGNMENTS[policy_id].update( + req.json()['object_assignments']) + + def get_object_assignments(self, policy_id, perimeter_id, category_id): + if policy_id not in self.object_assignments: + self.update_object_assignments(policy_id, perimeter_id) + if policy_id not in self.object_assignments: + raise Exception("Cannot found the policy {}".format(policy_id)) + for key, value in self.object_assignments[policy_id].items(): + if perimeter_id == value['object_id'] and category_id == value['category_id']: + return value['assignments'] + return [] + + @property + def action_assignments(self): + return self.__ACTION_ASSIGNMENTS + + def update_action_assignments(self, policy_id=None, perimeter_id=None): + if perimeter_id: + req = requests.get("{}/policies/{}/action_assignments/{}".format( + self.manager_url, policy_id, perimeter_id)) + else: + req = requests.get("{}/policies/{}/action_assignments".format( + self.manager_url, policy_id)) + if policy_id not in self.__ACTION_ASSIGNMENTS: + self.__ACTION_ASSIGNMENTS[policy_id] = {} + self.__ACTION_ASSIGNMENTS[policy_id].update( + req.json()['action_assignments']) + + def get_action_assignments(self, policy_id, perimeter_id, category_id): + if policy_id not in self.action_assignments: + self.update_action_assignments(policy_id, perimeter_id) + if policy_id not in self.action_assignments: + raise Exception("Cannot found the policy {}".format(policy_id)) + for key, value in self.action_assignments[policy_id].items(): + if perimeter_id == value['action_id'] and category_id == value['category_id']: + return value['assignments'] + return [] + + # category functions + + @property + def subject_categories(self): + current_time = time.time() + if self.__SUBJECT_CATEGORIES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_subject_categories() + self.__SUBJECT_CATEGORIES_UPDATE = current_time + return self.__SUBJECT_CATEGORIES + + def __update_subject_categories(self): + req = requests.get("{}/policies/subject_categories".format( + self.manager_url)) + self.__SUBJECT_CATEGORIES.update(req.json()['subject_categories']) + + @property + def object_categories(self): + current_time = time.time() + if self.__OBJECT_CATEGORIES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_object_categories() + self.__OBJECT_CATEGORIES_UPDATE = current_time + return self.__OBJECT_CATEGORIES + + def __update_object_categories(self): + req = requests.get("{}/policies/object_categories".format( + self.manager_url)) + self.__OBJECT_CATEGORIES.update(req.json()['object_categories']) + + @property + def action_categories(self): + current_time = time.time() + if self.__ACTION_CATEGORIES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_action_categories() + self.__ACTION_CATEGORIES_UPDATE = current_time + return self.__ACTION_CATEGORIES + + def __update_action_categories(self): + req = requests.get("{}/policies/action_categories".format( + self.manager_url)) + self.__ACTION_CATEGORIES.update(req.json()['action_categories']) + + # PDP functions + + def __update_pdp(self): + req = requests.get("{}/pdp".format(self.manager_url)) + pdp = req.json() + for _pdp in pdp["pdps"].values(): + if _pdp['keystone_project_id'] not in self.__CONTAINER_CHAINING: + self.__CONTAINER_CHAINING[_pdp['keystone_project_id']] = {} + # Note (asteroide): force update of chaining + self.__update_container_chaining(_pdp['keystone_project_id']) + for key, value in pdp["pdps"].items(): + self.__PDP[key] = value + + @property + def pdp(self): + """Policy Decision Point + Example of content: + { + "pdp_id": { + "keystone_project_id": "keystone_project_id", + "name": "pdp1", + "description": "test", + "security_pipeline": [ + "policy_id" + ] + } + } + + :return: + """ + current_time = time.time() + if self.__PDP_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_pdp() + self.__PDP_UPDATE = current_time + return self.__PDP + + # policy functions + def __update_policies(self): + req = requests.get("{}/policies".format(self.manager_url)) + policies = req.json() + for key, value in policies["policies"].items(): + self.__POLICIES[key] = value + + @property + def policies(self): + current_time = time.time() + if self.__POLICIES_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_policies() + self.__POLICIES_UPDATE = current_time + return self.__POLICIES + + # model functions + + def __update_models(self): + req = requests.get("{}/models".format(self.manager_url)) + models = req.json() + for key, value in models["models"].items(): + self.__MODELS[key] = value + + @property + def models(self): + current_time = time.time() + if self.__MODELS_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_models() + self.__MODELS_UPDATE = current_time + return self.__MODELS + + # helper functions + + def get_policy_from_meta_rules(self, meta_rule_id): + for pdp_key, pdp_value in self.pdp.items(): + for policy_id in pdp_value["security_pipeline"]: + model_id = self.policies[policy_id]["model_id"] + if meta_rule_id in self.models[model_id]["meta_rules"]: + return policy_id + + def get_pdp_from_keystone_project(self, keystone_project_id): + for pdp_key, pdp_value in self.pdp.items(): + if keystone_project_id == pdp_value["keystone_project_id"]: + return pdp_key + + def get_keystone_project_id_from_policy_id(self, policy_id): + for pdp_key, pdp_value in self.pdp.items(): + if policy_id in pdp_value["security_pipeline"]: + return pdp_value["keystone_project_id"] + # for policy_id in pdp_value["security_pipeline"]: + # model_id = self.policies[policy_id]["model_id"] + # if meta_rule_id in self.models[model_id]["meta_rules"]: + # return pdp_value["keystone_project_id"] + + def get_containers_from_keystone_project_id(self, keystone_project_id, + meta_rule_id=None): + for container_id, container_values in self.containers.items(): + for container_value in container_values: + if 'keystone_project_id' not in container_value: + continue + if container_value['keystone_project_id'] == keystone_project_id: + if not meta_rule_id: + yield container_id, container_value + elif container_value.get('meta_rule_id') == meta_rule_id: + yield container_id, container_value + break + + # containers functions + + def __update_container(self): + req = requests.get("{}/pods".format(self.orchestrator_url)) + pods = req.json() + for key, value in pods["pods"].items(): + # if key not in self.__CONTAINERS: + self.__CONTAINERS[key] = value + # else: + # for container in value: + # self.__CONTAINERS[key].update(value) + + def add_container(self, container_data): + """Add a new container in the cache + + :param container_data: dictionary with information for the container + Example: + { + "name": name, + "hostname": name, + "port": { + "PrivatePort": tcp_port, + "Type": "tcp", + "IP": "0.0.0.0", + "PublicPort": tcp_port + }, + "keystone_project_id": uuid, + "pdp_id": self.CACHE.get_pdp_from_keystone_project(uuid), + "meta_rule_id": meta_rule_id, + "container_name": container_name, + "plugin_name": plugin_name + "container_id": "container_id" + } + + :return: + """ + self.__CONTAINERS[uuid4().hex] = { + "keystone_project_id": container_data['keystone_project_id'], + "name": container_data['name'], + "container_id": container_data['container_id'], + "hostname": container_data['name'], + "policy_id": container_data['policy_id'], + "meta_rule_id": container_data['meta_rule_id'], + "port": [ + { + "PublicPort": container_data['port']["PublicPort"], + "Type": container_data['port']["Type"], + "IP": container_data['port']["IP"], + "PrivatePort": container_data['port']["PrivatePort"] + } + ], + "genre": container_data['plugin_name'] + } + self.__update_container_chaining(self.get_keystone_project_id_from_policy_id(container_data['policy_id'])) + + @property + def containers(self): + """Containers cache + example of content : + { + "policy_uuid1": "component_hostname1", + "policy_uuid2": "component_hostname2", + } + :return: + """ + current_time = time.time() + if self.__CONTAINERS_UPDATE + self.__UPDATE_INTERVAL < current_time: + self.__update_container() + self.__CONTAINERS_UPDATE = current_time + return self.__CONTAINERS + + @property + def container_chaining(self): + """Cache for mapping Keystone Project ID with meta_rule ID and container ID + Example of content: + { + "keystone_project_id": [ + { + "container_id": "container_id", + "genre": "genre", + "policy_id": "policy_id", + "meta_rule_id": "meta_rule_id", + } + ] + } + + :return: + """ + current_time = time.time() + if self.__CONTAINER_CHAINING_UPDATE + self.__UPDATE_INTERVAL < current_time: + for key, value in self.pdp.items(): + if not value["keystone_project_id"]: + continue + self.__update_container_chaining(value["keystone_project_id"]) + self.__CONTAINER_CHAINING_UPDATE = current_time + LOG.info(self.__CONTAINER_CHAINING_UPDATE) + return self.__CONTAINER_CHAINING + + def __update_container_chaining(self, keystone_project_id): + container_ids = [] + for pdp_id, pdp_value, in self.__PDP.items(): + if pdp_value: + if pdp_value["keystone_project_id"] == keystone_project_id: + for policy_id in pdp_value["security_pipeline"]: + model_id = self.__POLICIES[policy_id]['model_id'] + for meta_rule_id in self.__MODELS[model_id]["meta_rules"]: + for container_id, container_value in self.get_containers_from_keystone_project_id( + keystone_project_id, + meta_rule_id + ): + _raw = requests.get("{}/pods/{}".format( + self.orchestrator_url, container_value["name"]) + ) + LOG.debug("_raw={}".format(_raw.text)) + container_ids.append( + { + "container_id": container_value["name"], + "genre": container_value["genre"], + "policy_id": policy_id, + "meta_rule_id": meta_rule_id, + "hostname": container_value["name"], + "hostip": "127.0.0.1", + "port": container_value["port"], + } + ) + self.__CONTAINER_CHAINING[keystone_project_id] = container_ids + diff --git a/moonv4/python_moonutilities/python_moonutilities/configuration.py b/moonv4/python_moonutilities/python_moonutilities/configuration.py new file mode 100644 index 00000000..f0ef74a6 --- /dev/null +++ b/moonv4/python_moonutilities/python_moonutilities/configuration.py @@ -0,0 +1,114 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +import base64 +import json +import requests +import logging +import logging.config +from python_moonutilities import exceptions + +LOG = logging.getLogger("moon.utilities") + +CONSUL_HOST = "consul" +CONSUL_PORT = "8500" + +DATABASE = "database" +KEYSTONE = "keystone" +DOCKER = "docker" +COMPONENTS = "components" + + +def init_logging(): + config = get_configuration("logging") + logging.config.dictConfig(config['logging']) + + +def increment_port(): + components_port_start = int(get_configuration("components_port_start")['components_port_start']) + components_port_start += 1 + url = "http://{}:{}/v1/kv/components_port_start".format(CONSUL_HOST, CONSUL_PORT) + req = requests.put(url, json=str(components_port_start)) + if req.status_code != 200: + LOG.info("url={}".format(url)) + raise exceptions.ConsulError + return components_port_start + + +def get_configuration(key): + url = "http://{}:{}/v1/kv/{}".format(CONSUL_HOST, CONSUL_PORT, key) + req = requests.get(url) + if req.status_code != 200: + LOG.error("url={}".format(url)) + raise exceptions.ConsulComponentNotFound("error={}: {}".format(req.status_code, req.text)) + data = req.json() + if len(data) == 1: + data = data[0] + return {data["Key"]: json.loads(base64.b64decode(data["Value"]).decode("utf-8"))} + else: + return [ + {item["Key"]: json.loads(base64.b64decode(item["Value"]).decode("utf-8"))} + for item in data + ] + + +def add_component(name, uuid, port=None, bind="127.0.0.1", keystone_id="", extra=None, container=None): + data = { + "hostname": name, + "keystone_id": keystone_id, + "bind": bind, + "port": port, + "extra": extra, + "container": container + } + req = requests.put( + "http://{}:{}/v1/kv/components/{}".format(CONSUL_HOST, CONSUL_PORT, uuid), + headers={"content-type": "application/json"}, + json=data + ) + if req.status_code != 200: + LOG.debug("url={}".format("http://{}:{}/v1/kv/components/{}".format(CONSUL_HOST, CONSUL_PORT, uuid))) + LOG.debug("data={}".format(data)) + raise exceptions.ConsulError + LOG.info("Add component {}".format(req.text)) + return get_configuration("components/"+uuid) + + +def get_plugins(): + url = "http://{}:{}/v1/kv/plugins?recurse=true".format(CONSUL_HOST, CONSUL_PORT) + req = requests.get(url) + if req.status_code != 200: + LOG.info("url={}".format(url)) + raise exceptions.ConsulError + data = req.json() + if len(data) == 1: + data = data[0] + return {data["Key"].replace("plugins/", ""): json.loads(base64.b64decode(data["Value"]).decode("utf-8"))} + else: + return { + item["Key"].replace("plugins/", ""): json.loads(base64.b64decode(item["Value"]).decode("utf-8")) + for item in data + } + + +def get_components(): + url = "http://{}:{}/v1/kv/components?recurse=true".format(CONSUL_HOST, CONSUL_PORT) + req = requests.get(url) + if req.status_code != 200: + LOG.info("url={}".format(url)) + raise exceptions.ConsulError + data = req.json() + if len(data) == 1: + data = data[0] + return {data["Key"].replace("components/", ""): json.loads(base64.b64decode(data["Value"]).decode("utf-8"))} + else: + return { + item["Key"].replace("components/", ""): json.loads(base64.b64decode(item["Value"]).decode("utf-8")) + for item in data + } + + +init_logging() diff --git a/moonv4/python_moonutilities/python_moonutilities/exceptions.py b/moonv4/python_moonutilities/python_moonutilities/exceptions.py new file mode 100644 index 00000000..5bbab2be --- /dev/null +++ b/moonv4/python_moonutilities/python_moonutilities/exceptions.py @@ -0,0 +1,522 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from oslo_log import log as logging +from werkzeug.exceptions import HTTPException + +LOG = logging.getLogger("moon.utilities.exceptions") +_ = str + + +class MoonErrorMetaClass(type): + + def __init__(cls, name, bases, dct): + super(MoonErrorMetaClass, cls).__init__(name, bases, dct) + cls.hierarchy += "/"+str(name) + + +class MoonError(HTTPException): + __metaclass__ = MoonErrorMetaClass + hierarchy = "" + description = _("There is an error requesting the Moon platform.") + code = 400 + title = 'Moon Error' + logger = "ERROR" + + def __init__(self, message="", status_code=None, payload=""): + if message: + self.description = message + if status_code: + self.code = status_code + self.payload = payload + super(MoonError, self).__init__() + + def __str__(self): + return "{}: {}".format(self.code, self.title) + + def __del__(self): + message = "{} ({}) {}".format(self.hierarchy, self.description, self.payload) + if self.logger == "ERROR": + try: + LOG.error(message) + except AttributeError: + LOG.error(message) + elif self.logger == "WARNING": + try: + LOG.warning(message) + except AttributeError: + LOG.warning(message) + elif self.logger == "CRITICAL": + try: + LOG.critical(message) + except AttributeError: + LOG.critical(message) + elif self.logger == "AUTHZ": + try: + LOG.authz(self.hierarchy) + LOG.error(message) + except AttributeError: + LOG.error(message) + else: + try: + LOG.info(message) + except AttributeError: + LOG.info(message) + + # def to_dict(self): + # rv = dict(self.payload or ()) + # rv['message'] = "{} ({})".format(self.hierarchy, self.description) + # rv['title'] = self.title + # rv['code'] = self.code + # return rv + + +# Exceptions for Tenant + +class TenantException(MoonError): + description = _("There is an error requesting this tenant.") + code = 400 + title = 'Tenant Error' + logger = "ERROR" + + +class TenantUnknown(TenantException): + description = _("The tenant is unknown.") + code = 400 + title = 'Tenant Unknown' + logger = "ERROR" + + +class TenantAddedNameExisting(TenantException): + description = _("The tenant name is existing.") + code = 400 + title = 'Added Tenant Name Existing' + logger = "ERROR" + + +class TenantNoIntraExtension(TenantException): + description = _("The tenant has not intra_extension.") + code = 400 + title = 'Tenant No Intra_Extension' + logger = "ERROR" + + +class TenantNoIntraAuthzExtension(TenantNoIntraExtension): + description = _("The tenant has not intra_admin_extension.") + code = 400 + title = 'Tenant No Intra_Admin_Extension' + logger = "ERROR" + +# Exceptions for IntraExtension + + +class IntraExtensionException(MoonError): + description = _("There is an error requesting this IntraExtension.") + code = 400 + title = 'Extension Error' + + +class IntraExtensionUnknown(IntraExtensionException): + description = _("The intra_extension is unknown.") + code = 400 + title = 'Intra Extension Unknown' + logger = "Error" + + +class ModelUnknown(MoonError): + description = _("The model is unknown.") + code = 400 + title = 'Model Unknown' + logger = "Error" + + +class ModelExisting(MoonError): + description = _("The model already exists.") + code = 409 + title = 'Model Error' + logger = "Error" + + +# Authz exceptions + +class AuthzException(MoonError): + description = _("There is an authorization error requesting this IntraExtension.") + code = 403 + title = 'Authz Exception' + logger = "AUTHZ" + + +# Auth exceptions + +class AuthException(MoonError): + description = _("There is an authentication error requesting this API. " + "You must provide a valid token from Keystone.") + code = 401 + title = 'Auth Exception' + logger = "AUTHZ" + + +# Admin exceptions + +class AdminException(MoonError): + description = _("There is an error requesting this Authz IntraExtension.") + code = 400 + title = 'Authz Exception' + logger = "AUTHZ" + + +class AdminMetaData(AdminException): + code = 400 + title = 'Metadata Exception' + + +class AdminPerimeter(AdminException): + code = 400 + title = 'Perimeter Exception' + + +class AdminScope(AdminException): + code = 400 + title = 'Scope Exception' + + +class AdminAssignment(AdminException): + code = 400 + title = 'Assignment Exception' + + +class AdminMetaRule(AdminException): + code = 400 + title = 'Aggregation Algorithm Exception' + + +class AdminRule(AdminException): + code = 400 + title = 'Rule Exception' + + +class SubjectCategoryNameExisting(AdminMetaData): + description = _("The given subject category name already exists.") + code = 409 + title = 'Subject Category Name Existing' + logger = "ERROR" + + +class SubjectCategoryExisting(AdminMetaData): + description = _("The given subject category already exists.") + code = 409 + title = 'Subject Category Existing' + logger = "ERROR" + + +class ObjectCategoryNameExisting(AdminMetaData): + description = _("The given object category name already exists.") + code = 409 + title = 'Object Category Name Existing' + logger = "ERROR" + + +class ObjectCategoryExisting(AdminMetaData): + description = _("The given object category already exists.") + code = 409 + title = 'Object Category Existing' + logger = "ERROR" + + +class ActionCategoryNameExisting(AdminMetaData): + description = _("The given action category name already exists.") + code = 409 + title = 'Action Category Name Existing' + logger = "ERROR" + + +class ActionCategoryExisting(AdminMetaData): + description = _("The given action category already exists.") + code = 409 + title = 'Action Category Existing' + logger = "ERROR" + + +class SubjectCategoryUnknown(AdminMetaData): + description = _("The given subject category is unknown.") + code = 400 + title = 'Subject Category Unknown' + logger = "ERROR" + + +class ObjectCategoryUnknown(AdminMetaData): + description = _("The given object category is unknown.") + code = 400 + title = 'Object Category Unknown' + logger = "ERROR" + + +class ActionCategoryUnknown(AdminMetaData): + description = _("The given action category is unknown.") + code = 400 + title = 'Action Category Unknown' + logger = "ERROR" + + +class SubjectUnknown(AdminPerimeter): + description = _("The given subject is unknown.") + code = 400 + title = 'Subject Unknown' + logger = "ERROR" + + +class ObjectUnknown(AdminPerimeter): + description = _("The given object is unknown.") + code = 400 + title = 'Object Unknown' + logger = "ERROR" + + +class ActionUnknown(AdminPerimeter): + description = _("The given action is unknown.") + code = 400 + title = 'Action Unknown' + logger = "ERROR" + + +class SubjectNameExisting(AdminPerimeter): + description = _("The given subject name is existing.") + code = 400 + title = 'Subject Name Existing' + logger = "ERROR" + + +class ObjectNameExisting(AdminPerimeter): + description = _("The given object name is existing.") + code = 400 + title = 'Object Name Existing' + logger = "ERROR" + + +class ActionNameExisting(AdminPerimeter): + description = _("The given action name is existing.") + code = 400 + title = 'Action Name Existing' + logger = "ERROR" + + +class ObjectsWriteNoAuthorized(AdminPerimeter): + description = _("The modification on Objects is not authorized.") + code = 400 + title = 'Objects Write No Authorized' + logger = "AUTHZ" + + +class ActionsWriteNoAuthorized(AdminPerimeter): + description = _("The modification on Actions is not authorized.") + code = 400 + title = 'Actions Write No Authorized' + logger = "AUTHZ" + + +class SubjectScopeUnknown(AdminScope): + description = _("The given subject scope is unknown.") + code = 400 + title = 'Subject Scope Unknown' + logger = "ERROR" + + +class ObjectScopeUnknown(AdminScope): + description = _("The given object scope is unknown.") + code = 400 + title = 'Object Scope Unknown' + logger = "ERROR" + + +class ActionScopeUnknown(AdminScope): + description = _("The given action scope is unknown.") + code = 400 + title = 'Action Scope Unknown' + logger = "ERROR" + + +class SubjectScopeNameExisting(AdminScope): + description = _("The given subject scope name is existing.") + code = 400 + title = 'Subject Scope Name Existing' + logger = "ERROR" + + +class ObjectScopeNameExisting(AdminScope): + description = _("The given object scope name is existing.") + code = 400 + title = 'Object Scope Name Existing' + logger = "ERROR" + + +class ActionScopeNameExisting(AdminScope): + description = _("The given action scope name is existing.") + code = 400 + title = 'Action Scope Name Existing' + logger = "ERROR" + + +class SubjectAssignmentUnknown(AdminAssignment): + description = _("The given subject assignment value is unknown.") + code = 400 + title = 'Subject Assignment Unknown' + logger = "ERROR" + + +class ObjectAssignmentUnknown(AdminAssignment): + description = _("The given object assignment value is unknown.") + code = 400 + title = 'Object Assignment Unknown' + logger = "ERROR" + + +class ActionAssignmentUnknown(AdminAssignment): + description = _("The given action assignment value is unknown.") + code = 400 + title = 'Action Assignment Unknown' + logger = "ERROR" + + +class SubjectAssignmentExisting(AdminAssignment): + description = _("The given subject assignment value is existing.") + code = 400 + title = 'Subject Assignment Existing' + logger = "ERROR" + + +class ObjectAssignmentExisting(AdminAssignment): + description = _("The given object assignment value is existing.") + code = 400 + title = 'Object Assignment Existing' + logger = "ERROR" + + +class ActionAssignmentExisting(AdminAssignment): + description = _("The given action assignment value is existing.") + code = 400 + title = 'Action Assignment Existing' + logger = "ERROR" + + +class AggregationAlgorithmNotExisting(AdminMetaRule): + description = _("The given aggregation algorithm is not existing.") + code = 400 + title = 'Aggregation Algorithm Not Existing' + logger = "ERROR" + + +class AggregationAlgorithmUnknown(AdminMetaRule): + description = _("The given aggregation algorithm is unknown.") + code = 400 + title = 'Aggregation Algorithm Unknown' + logger = "ERROR" + + +class SubMetaRuleAlgorithmNotExisting(AdminMetaRule): + description = _("The given sub_meta_rule algorithm is unknown.") + code = 400 + title = 'Sub_meta_rule Algorithm Unknown' + logger = "ERROR" + + +class MetaRuleUnknown(AdminMetaRule): + description = _("The given sub meta rule is unknown.") + code = 400 + title = 'Sub Meta Rule Unknown' + logger = "ERROR" + + +class SubMetaRuleNameExisting(AdminMetaRule): + description = _("The sub meta rule name already exists.") + code = 400 + title = 'Sub Meta Rule Name Existing' + logger = "ERROR" + + +class MetaRuleExisting(AdminMetaRule): + description = _("The sub meta rule already exists.") + code = 400 + title = 'Sub Meta Rule Existing' + logger = "ERROR" + + +class RuleExisting(AdminRule): + description = _("The rule already exists.") + code = 400 + title = 'Rule Existing' + logger = "ERROR" + + +class RuleUnknown(AdminRule): + description = _("The rule for that request doesn't exist.") + code = 400 + title = 'Rule Unknown' + logger = "ERROR" + + +# Keystone exceptions + + +class KeystoneError(MoonError): + description = _("There is an error connecting to Keystone.") + code = 400 + title = 'Keystone error' + logger = "ERROR" + + +class KeystoneProjectError(KeystoneError): + description = _("There is an error retrieving projects from the Keystone service.") + code = 400 + title = 'Keystone project error' + logger = "ERROR" + + +class KeystoneUserError(KeystoneError): + description = _("There is an error retrieving users from the Keystone service.") + code = 400 + title = 'Keystone user error' + logger = "ERROR" + + +class KeystoneUserConflict(KeystoneUserError): + description = _("A user with that name already exist.") + code = 400 + title = 'Keystone user error' + logger = "ERROR" + + +# Consul exceptions + + +class ConsulError(MoonError): + description = _("There is an error connecting to Consul.") + code = 400 + title = 'Consul error' + logger = "ERROR" + + +class ConsulComponentNotFound(ConsulError): + description = _("The component do not exist in Consul database.") + code = 500 + title = 'Consul error' + logger = "WARNING" + + +# Containers exceptions + + +class DockerError(MoonError): + description = _("There is an error with Docker.") + code = 400 + title = 'Docker error' + logger = "ERROR" + + +class ContainerMissing(DockerError): + description = _("Some containers are missing.") + code = 400 + title = 'Container missing' + logger = "ERROR" + diff --git a/moonv4/python_moonutilities/python_moonutilities/misc.py b/moonv4/python_moonutilities/python_moonutilities/misc.py new file mode 100644 index 00000000..b83523c3 --- /dev/null +++ b/moonv4/python_moonutilities/python_moonutilities/misc.py @@ -0,0 +1,142 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +import logging +import random + +LOG = logging.getLogger(__name__) + + +def get_uuid_from_name(name, elements, **kwargs): + for element in elements: + if type(elements[element]) is dict and elements[element].get('name') == name: + if kwargs: + for args in kwargs: + if elements[element].get(args) != kwargs[args]: + return + else: + return element + else: + return element + + +def get_name_from_uuid(uuid, elements, **kwargs): + for element in elements: + if element == uuid: + if kwargs: + for args in kwargs: + if elements[element].get(args) != kwargs[args]: + return + else: + return elements[element].get('name') + else: + return elements[element].get('name') + + +def get_random_name(): + _list = ( + "windy", + "vengeful", + "precious", + "vivacious", + "quiet", + "confused", + "exultant", + "impossible", + "thick", + "obsolete", + "piquant", + "fanatical", + "tame", + "perfect", + "animated", + "dark", + "stimulating", + "drunk", + "depressed", + "fumbling", + "like", + "undesirable", + "spurious", + "subsequent", + "spiteful", + "last", + "stale", + "hulking", + "giddy", + "minor", + "careful", + "possessive", + "gullible", + "fragile", + "divergent", + "ill-informed", + "false", + "jumpy", + "damaged", + "likeable", + "volatile", + "handsomely", + "wet", + "long-term", + "pretty", + "taboo", + "normal", + "magnificent", + "nutty", + "puzzling", + "small", + "kind", + "devilish", + "chubby", + "paltry", + "cultured", + "old", + "defective", + "hanging", + "innocent", + "jagged", + "economic", + "good", + "sulky", + "real", + "bent", + "shut", + "furry", + "terrific", + "hollow", + "terrible", + "mammoth", + "pleasant", + "scared", + "obnoxious", + "absorbing", + "imported", + "infamous", + "grieving", + "ill-fated", + "mighty", + "handy", + "comfortable", + "astonishing", + "brown", + "assorted", + "wrong", + "unsightly", + "spooky", + "delightful", + "acid", + "inconclusive", + "mere", + "careless", + "historical", + "flashy", + "squealing", + "quarrelsome", + "empty", + "long", + ) + return random.choice(_list) diff --git a/moonv4/python_moonutilities/python_moonutilities/security_functions.py b/moonv4/python_moonutilities/python_moonutilities/security_functions.py new file mode 100644 index 00000000..6d9307fe --- /dev/null +++ b/moonv4/python_moonutilities/python_moonutilities/security_functions.py @@ -0,0 +1,531 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +import copy +import re +import os +import types +import requests +import time +from functools import wraps +from flask import request +import logging +from python_moonutilities import exceptions, configuration + +LOG = logging.getLogger("moon.utilities." + __name__) + +keystone_config = configuration.get_configuration("openstack/keystone")["openstack/keystone"] +TOKENS = {} +__targets = {} + + +def filter_input(func_or_str): + + def __filter(string): + if string and type(string) is str: + return "".join(re.findall("[\w\- +]*", string)) + return string + + def __filter_dict(arg): + result = dict() + for key in arg.keys(): + if key == "email": + result["email"] = __filter_email(arg[key]) + elif key == "password": + result["password"] = arg['password'] + else: + result[key] = __filter(arg[key]) + return result + + def __filter_email(string): + if string and type(string) is str: + return "".join(re.findall("[\w@\._\- +]*", string)) + return string + + def wrapped(*args, **kwargs): + _args = [] + for arg in args: + if isinstance(arg, str): + arg = __filter(arg) + elif isinstance(arg, list): + arg = [__filter(item) for item in arg] + elif isinstance(arg, tuple): + arg = (__filter(item) for item in arg) + elif isinstance(arg, dict): + arg = __filter_dict(arg) + _args.append(arg) + for arg in kwargs: + if type(kwargs[arg]) is str: + kwargs[arg] = __filter(kwargs[arg]) + if isinstance(kwargs[arg], str): + kwargs[arg] = __filter(kwargs[arg]) + elif isinstance(kwargs[arg], list): + kwargs[arg] = [__filter(item) for item in kwargs[arg]] + elif isinstance(kwargs[arg], tuple): + kwargs[arg] = (__filter(item) for item in kwargs[arg]) + elif isinstance(kwargs[arg], dict): + kwargs[arg] = __filter_dict(kwargs[arg]) + return func_or_str(*_args, **kwargs) + + if isinstance(func_or_str, str): + return __filter(func_or_str) + if isinstance(func_or_str, list): + return [__filter(item) for item in func_or_str] + if isinstance(func_or_str, tuple): + return (__filter(item) for item in func_or_str) + if isinstance(func_or_str, dict): + return __filter_dict(func_or_str) + if isinstance(func_or_str, types.FunctionType): + return wrapped + return None + + +def enforce(action_names, object_name, **extra): + """Fake version of the enforce decorator""" + def wrapper_func(func): + def wrapper_args(*args, **kwargs): + # LOG.info("kwargs={}".format(kwargs)) + # kwargs['user_id'] = kwargs.pop('user_id', "admin") + # LOG.info("Calling enforce on {} with args={} kwargs={}".format(func.__name__, args, kwargs)) + return func(*args, **kwargs) + return wrapper_args + return wrapper_func + + +def login(user=None, password=None, domain=None, project=None, url=None): + start_time = time.time() + if not user: + user = keystone_config['user'] + if not password: + password = keystone_config['password'] + if not domain: + domain = keystone_config['domain'] + if not project: + project = keystone_config['project'] + if not url: + url = keystone_config['url'] + headers = { + "Content-Type": "application/json" + } + data_auth = { + "auth": { + "identity": { + "methods": [ + "password" + ], + "password": { + "user": { + "domain": { + "id": domain + }, + "name": user, + "password": password + } + } + }, + "scope": { + "project": { + "domain": { + "id": domain + }, + "name": project + } + } + } + } + + while True: + req = requests.post("{}/auth/tokens".format(url), + json=data_auth, headers=headers, + verify=keystone_config['certificate']) + + if req.status_code in (200, 201, 204): + headers['X-Auth-Token'] = req.headers['X-Subject-Token'] + return headers + LOG.warning("Waiting for Keystone...") + if time.time() - start_time == 100: + LOG.error(req.text) + raise exceptions.KeystoneError + time.sleep(5) + + +def logout(headers, url=None): + if not url: + url = keystone_config['url'] + headers['X-Subject-Token'] = headers['X-Auth-Token'] + req = requests.delete("{}/auth/tokens".format(url), headers=headers, verify=keystone_config['certificate']) + if req.status_code in (200, 201, 204): + return + LOG.error(req.text) + raise exceptions.KeystoneError + + +class Context: + + def __init__(self, init_context, cache): + self.cache = cache + self.__keystone_project_id = init_context.get("project_id") + self.__pdp_id = None + self.__pdp_value = None + for _pdp_key, _pdp_value in self.cache.pdp.items(): + if _pdp_value["keystone_project_id"] == self.__keystone_project_id: + self.__pdp_id = _pdp_key + self.__pdp_value = copy.deepcopy(_pdp_value) + break + if not self.__pdp_value: + raise exceptions.AuthzException( + "Cannot create context for authz " + "with Keystone project ID {}".format( + self.__keystone_project_id + )) + self.__subject = init_context.get("subject_name") + self.__object = init_context.get("object_name") + self.__action = init_context.get("action_name") + self.__current_request = None + self.__request_id = init_context.get("req_id") + self.__cookie = init_context.get("cookie") + self.__manager_url = init_context.get("manager_url") + self.__interface_name = init_context.get("interface_name") + self.__index = -1 + # self.__init_initial_request() + self.__headers = [] + policies = self.cache.policies + models = self.cache.models + for policy_id in self.__pdp_value["security_pipeline"]: + model_id = policies[policy_id]["model_id"] + for meta_rule in models[model_id]["meta_rules"]: + self.__headers.append(meta_rule) + self.__meta_rules = self.cache.meta_rules + self.__pdp_set = {} + # self.__init_pdp_set() + + def delete_cache(self): + self.cache = {} + + def set_cache(self, cache): + self.cache = cache + + def increment_index(self): + self.__index += 1 + self.__init_current_request() + self.__init_pdp_set() + + @property + def current_state(self): + return self.__pdp_set[self.__headers[self.__index]]['effect'] + + @current_state.setter + def current_state(self, state): + if state not in ("grant", "deny", "passed"): + state = "passed" + self.__pdp_set[self.__headers[self.__index]]['effect'] = state + + @current_state.deleter + def current_state(self): + self.__pdp_set[self.__headers[self.__index]]['effect'] = "unset" + + @property + def current_policy_id(self): + return self.__pdp_value["security_pipeline"][self.__index] + + @current_policy_id.setter + def current_policy_id(self, value): + pass + + @current_policy_id.deleter + def current_policy_id(self): + pass + + def __init_current_request(self): + self.__subject = self.cache.get_subject( + self.__pdp_value["security_pipeline"][self.__index], + self.__subject) + self.__object = self.cache.get_object( + self.__pdp_value["security_pipeline"][self.__index], + self.__object) + self.__action = self.cache.get_action( + self.__pdp_value["security_pipeline"][self.__index], + self.__action) + self.__current_request = dict(self.initial_request) + + def __init_pdp_set(self): + for header in self.__headers: + self.__pdp_set[header] = dict() + self.__pdp_set[header]["meta_rules"] = self.__meta_rules[header] + self.__pdp_set[header]["target"] = self.__add_target(header) + self.__pdp_set[header]["effect"] = "unset" + self.__pdp_set["effect"] = "deny" + + # def update_target(self, context): + # # result = dict() + # current_request = context['current_request'] + # _subject = current_request.get("subject") + # _object = current_request.get("object") + # _action = current_request.get("action") + # meta_rule_id = context['headers'][context['index']] + # policy_id = self.cache.get_policy_from_meta_rules(meta_rule_id) + # meta_rules = self.cache.meta_rules() + # # for meta_rule_id in meta_rules: + # for sub_cat in meta_rules[meta_rule_id]['subject_categories']: + # if sub_cat not in context["pdp_set"][meta_rule_id]["target"]: + # context["pdp_set"][meta_rule_id]["target"][sub_cat] = [] + # for assign in self.cache.get_subject_assignments(policy_id, _subject, sub_cat).values(): + # for assign in assign["assignments"]: + # if assign not in context["pdp_set"][meta_rule_id]["target"][sub_cat]: + # context["pdp_set"][meta_rule_id]["target"][sub_cat].append(assign) + # for obj_cat in meta_rules[meta_rule_id]['object_categories']: + # if obj_cat not in context["pdp_set"][meta_rule_id]["target"]: + # context["pdp_set"][meta_rule_id]["target"][obj_cat] = [] + # for assign in self.cache.get_object_assignments(policy_id, _object, obj_cat).values(): + # for assign in assign["assignments"]: + # if assign not in context["pdp_set"][meta_rule_id]["target"][obj_cat]: + # context["pdp_set"][meta_rule_id]["target"][obj_cat].append(assign) + # for act_cat in meta_rules[meta_rule_id]['action_categories']: + # if act_cat not in context["pdp_set"][meta_rule_id]["target"]: + # context["pdp_set"][meta_rule_id]["target"][act_cat] = [] + # for assign in self.cache.get_action_assignments(policy_id, _action, act_cat).values(): + # for assign in assign["assignments"]: + # if assign not in context["pdp_set"][meta_rule_id]["target"][act_cat]: + # context["pdp_set"][meta_rule_id]["target"][act_cat].append(assign) + # # context["pdp_set"][meta_rule_id]["target"].update(result) + + def __add_target(self, meta_rule_id): + """build target from meta_rule + + Target is dict of categories as keys ; and the value of each category + will be a list of assignments + + """ + result = dict() + _subject = self.__current_request["subject"] + _object = self.__current_request["object"] + _action = self.__current_request["action"] + meta_rules = self.cache.meta_rules + policy_id = self.cache.get_policy_from_meta_rules(meta_rule_id) + for sub_cat in meta_rules[meta_rule_id]['subject_categories']: + if sub_cat not in result: + result[sub_cat] = [] + result[sub_cat].extend( + self.cache.get_subject_assignments(policy_id, _subject, sub_cat)) + for obj_cat in meta_rules[meta_rule_id]['object_categories']: + if obj_cat not in result: + result[obj_cat] = [] + result[obj_cat].extend( + self.cache.get_object_assignments(policy_id, _object, obj_cat)) + for act_cat in meta_rules[meta_rule_id]['action_categories']: + if act_cat not in result: + result[act_cat] = [] + result[act_cat].extend( + self.cache.get_action_assignments(policy_id, _action, act_cat)) + return result + + def __repr__(self): + return """PDP ID: {id} +current_request: {current_request} +request_id: {request_id} +index: {index} +headers: {headers} +pdp_set: {pdp_set} + """.format( + id=self.__pdp_id, + current_request=self.__current_request, + request_id=self.__request_id, + headers=self.__headers, + pdp_set=self.__pdp_set, + index=self.__index + ) + + def to_dict(self): + return { + "initial_request": copy.deepcopy(self.initial_request), + "current_request": copy.deepcopy(self.__current_request), + "headers": copy.deepcopy(self.__headers), + "index": copy.deepcopy(self.__index), + "pdp_set": copy.deepcopy(self.__pdp_set), + "request_id": copy.deepcopy(self.__request_id), + "manager_url": copy.deepcopy(self.__manager_url), + "interface_name": copy.deepcopy(self.__interface_name), + } + + @property + def request_id(self): + return self.__request_id + + @request_id.setter + def request_id(self, value): + raise Exception("You cannot update the request_id") + + @request_id.deleter + def request_id(self): + raise Exception("You cannot update the request_id") + + @property + def manager_url(self): + return self.__manager_url + + @manager_url.setter + def manager_url(self, value): + raise Exception("You cannot update the manager_url") + + @manager_url.deleter + def manager_url(self): + raise Exception("You cannot update the manager_url") + + @property + def interface_name(self): + return self.__interface_name + + @interface_name.setter + def interface_name(self, value): + raise Exception("You cannot update the interface_name") + + @interface_name.deleter + def interface_name(self): + raise Exception("You cannot update the interface_name") + + @property + def cookie(self): + return self.__cookie + + @cookie.setter + def cookie(self, value): + raise Exception("You cannot update the cookie") + + @cookie.deleter + def cookie(self): + raise Exception("You cannot delete the cookie") + + @property + def initial_request(self): + return { + "subject": self.__subject, + "object": self.__object, + "action": self.__action, + } + + @initial_request.setter + def initial_request(self, value): + raise Exception("You are not allowed to update the initial_request") + + @initial_request.deleter + def initial_request(self): + raise Exception("You are not allowed to delete the initial_request") + + @property + def current_request(self): + if not self.__current_request: + self.__current_request = copy.deepcopy(self.initial_request) + return self.__current_request + + @current_request.setter + def current_request(self, value): + self.__current_request = copy.deepcopy(value) + # Note (asteroide): if the current request is modified, + # we must update the PDP Set. + self.__init_pdp_set() + + @current_request.deleter + def current_request(self): + self.__current_request = {} + self.__pdp_set = {} + + @property + def headers(self): + return self.__headers + + @headers.setter + def headers(self, headers): + self.__headers = headers + + @headers.deleter + def headers(self): + self.__headers = list() + + @property + def index(self): + return self.__index + + @index.setter + def index(self, index): + self.__index += 1 + + @index.deleter + def index(self): + self.__index = -1 + + @property + def pdp_set(self): + return self.__pdp_set + + @pdp_set.setter + def pdp_set(self, value): + raise Exception("You are not allowed to modify the pdp_set") + + @pdp_set.deleter + def pdp_set(self): + self.__pdp_set = {} + + +def check_token(token, url=None): + _verify = False + if keystone_config['certificate']: + _verify = keystone_config['certificate'] + try: + os.environ.pop("http_proxy") + os.environ.pop("https_proxy") + except KeyError: + pass + if not url: + url = keystone_config['url'] + headers = { + "Content-Type": "application/json", + 'X-Subject-Token': token, + 'X-Auth-Token': token, + } + if not keystone_config['check_token']: + # TODO (asteroide): must send the admin id + return "admin" if not token else token + elif keystone_config['check_token'].lower() in ("false", "no", "n"): + # TODO (asteroide): must send the admin id + return "admin" if not token else token + if keystone_config['check_token'].lower() in ("yes", "y", "true"): + if token in TOKENS: + delta = time.mktime(TOKENS[token]["expires_at"]) - time.mktime(time.gmtime()) + if delta > 0: + return TOKENS[token]["user"] + raise exceptions.KeystoneError + else: + req = requests.get("{}/auth/tokens".format(url), headers=headers, verify=_verify) + if req.status_code in (200, 201): + # Note (asteroide): the time stamps is not in ISO 8601, so it is necessary to delete + # characters after the dot + token_time = req.json().get("token").get("expires_at").split(".") + TOKENS[token] = dict() + TOKENS[token]["expires_at"] = time.strptime(token_time[0], "%Y-%m-%dT%H:%M:%S") + TOKENS[token]["user"] = req.json().get("token").get("user").get("id") + return TOKENS[token]["user"] + LOG.error("{} - {}".format(req.status_code, req.text)) + raise exceptions.KeystoneError + elif keystone_config['check_token'].lower() == "strict": + req = requests.head("{}/auth/tokens".format(url), headers=headers, verify=_verify) + if req.status_code in (200, 201): + return token + LOG.error("{} - {}".format(req.status_code, req.text)) + raise exceptions.KeystoneError + raise exceptions.KeystoneError + + +def check_auth(function): + @wraps(function) + def wrapper(*args, **kwargs): + token = request.headers.get('X-Auth-Token') + token = check_token(token) + if not token: + raise exceptions.AuthException + user_id = kwargs.pop("user_id", token) + result = function(*args, **kwargs, user_id=user_id) + return result + return wrapper diff --git a/moonv4/python_moonutilities/requirements.txt b/moonv4/python_moonutilities/requirements.txt new file mode 100644 index 00000000..5b80e5f2 --- /dev/null +++ b/moonv4/python_moonutilities/requirements.txt @@ -0,0 +1,3 @@ +werkzeug +flask +requests \ No newline at end of file diff --git a/moonv4/python_moonutilities/setup.py b/moonv4/python_moonutilities/setup.py new file mode 100644 index 00000000..4a2eef5d --- /dev/null +++ b/moonv4/python_moonutilities/setup.py @@ -0,0 +1,42 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from setuptools import setup, find_packages +import python_moonutilities + +with open('requirements.txt') as f: + required = f.read().splitlines() + +setup( + + name='python-moonutilities', + + version=python_moonutilities.__version__, + + packages=find_packages(), + + author='Thomas Duval', + + author_email='thomas.duval@orange.com', + + description='Some utilities for all the Moon components', + + long_description=open('README.md').read(), + + install_requires=required, + + include_package_data=True, + + url='https://git.opnfv.org/cgit/moon', + + classifiers=[ + 'Programming Language :: Python :: 3', + 'Development Status :: 1 - Planning', + 'License :: OSI Approved', + 'Natural Language :: English', + 'Operating System :: OS Independent', + ], + +) diff --git a/moonv4/python_moonutilities/tests/unit_python/conftest.py b/moonv4/python_moonutilities/tests/unit_python/conftest.py new file mode 100644 index 00000000..7217586a --- /dev/null +++ b/moonv4/python_moonutilities/tests/unit_python/conftest.py @@ -0,0 +1,17 @@ +import pytest +import requests_mock +import mock_components +import mock_keystone +import mock_cache + + +@pytest.fixture(autouse=True) +def no_requests(monkeypatch): + """ Modify the response from Requests module + """ + with requests_mock.Mocker(real_http=True) as m: + mock_components.register_components(m) + mock_keystone.register_keystone(m) + mock_cache.register_cache(m) + print("End registering URI") + yield m \ No newline at end of file diff --git a/moonv4/python_moonutilities/tests/unit_python/mock_cache.py b/moonv4/python_moonutilities/tests/unit_python/mock_cache.py new file mode 100644 index 00000000..b2b287a9 --- /dev/null +++ b/moonv4/python_moonutilities/tests/unit_python/mock_cache.py @@ -0,0 +1,321 @@ +from utilities import CONF + +pdp_mock = { + "pdp_id1": { + "name": "...", + "security_pipeline": ["policy_id_1", "policy_id_2"], + "keystone_project_id": "keystone_project_id1", + "description": "...", + }, + "pdp_id12": { + "name": "...", + "security_pipeline": ["policy_id_1", "policy_id_2"], + "keystone_project_id": "keystone_project_id1", + "description": "...", + } +} + +meta_rules_mock = { + "meta_rule_id1": { + "name": "meta_rule1", + "algorithm": "name of the meta rule algorithm", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + }, + "meta_rule_id2": { + "name": "name of the meta rules2", + "algorithm": "name of the meta rule algorithm", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + } +} + +policies_mock = { + "policy_id_1": { + "name": "test_policy1", + "model_id": "model_id_1", + "genre": "authz", + "description": "test", + }, + "policy_id_2": { + "name": "test_policy2", + "model_id": "model_id_2", + "genre": "authz", + "description": "test", + } +} + +subject_mock = { + "policy_id_1": { + "subject_id": { + "name": "subject_name", + "keystone_id": "keystone_project_id1", + "description": "a description" + } + }, + "policy_id_2": { + "subject_id": { + "name": "subject_name", + "keystone_id": "keystone_project_id1", + "description": "a description" + } + } +} + +subject_assignment_mock = { + "subject_id": { + "policy_id": "ID of the policy", + "subject_id": "ID of the subject", + "category_id": "ID of the category", + "assignments": [], + } +} + +object_mock = { + "policy_id_1": { + "object_id": { + "name": "object_name", + "description": "a description" + } + }, + "policy_id_2": { + "object_id": { + "name": "object_name", + "description": "a description" + } + } +} + +object_assignment_mock = { + "object_id": { + "policy_id": "ID of the policy", + "object_id": "ID of the object", + "category_id": "ID of the category", + "assignments": [], + } +} + +action_mock = { + "policy_id_1": { + "action_id": { + "name": "action_name", + "description": "a description" + } + }, + "policy_id_2": { + "action_id": { + "name": "action_name", + "description": "a description" + } + } +} + +action_assignment_mock = { + "action_id": { + "policy_id": "ID of the policy", + "action_id": "ID of the action", + "category_id": "ID of the category", + "assignments": [], + } +} + +models_mock = { + "model_id_1": { + "name": "test_model", + "description": "test", + "meta_rules": ["meta_rule_id1"] + }, + "model_id_2": { + "name": "test_model", + "description": "test", + "meta_rules": ["meta_rule_id2"] + }, +} + +rules_mock = { + "rules": { + "meta_rule_id": "meta_rule_id1", + "rule_id1": { + "rule": ["subject_data_id1", + "object_data_id1", + "action_data_id1"], + "instructions": ( + {"decision": "grant"}, + # "grant" to immediately exit, + # "continue" to wait for the result of next policy + # "deny" to deny the request + ) + }, + "rule_id2": { + "rule": ["subject_data_id2", + "object_data_id2", + "action_data_id2"], + "instructions": ( + { + "update": { + "operation": "add", + # operations may be "add" or "delete" + "target": "rbac:role:admin" + # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} + # chain with the policy named rbac + ) + } + } +} + + +def register_cache(m): + """ Modify the response from Requests module + """ + register_pdp(m) + register_meta_rules(m) + register_policies(m) + register_models(m) + register_policy_subject(m, "policy_id_1") + register_policy_subject(m, "policy_id_2") + register_policy_object(m, "policy_id_1") + register_policy_object(m, "policy_id_2") + register_policy_action(m, "policy_id_1") + register_policy_action(m, "policy_id_2") + register_policy_subject_assignment(m, "policy_id_1", "subject_id") + # register_policy_subject_assignment_list(m1, "policy_id_1") + register_policy_subject_assignment(m, "policy_id_2", "subject_id") + # register_policy_subject_assignment_list(m1, "policy_id_2") + register_policy_object_assignment(m, "policy_id_1", "object_id") + # register_policy_object_assignment_list(m1, "policy_id_1") + register_policy_object_assignment(m, "policy_id_2", "object_id") + # register_policy_object_assignment_list(m1, "policy_id_2") + register_policy_action_assignment(m, "policy_id_1", "action_id") + # register_policy_action_assignment_list(m1, "policy_id_1") + register_policy_action_assignment(m, "policy_id_2", "action_id") + # register_policy_action_assignment_list(m1, "policy_id_2") + register_rules(m, "policy_id1") + + +def register_pdp(m): + m.register_uri( + 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'pdp'), + json={'pdps': pdp_mock} + ) + + +def register_meta_rules(m): + m.register_uri( + 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'meta_rules'), + json={'meta_rules': meta_rules_mock} + ) + + +def register_policies(m): + m.register_uri( + 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies'), + json={'policies': policies_mock} + ) + + +def register_models(m): + m.register_uri( + 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'models'), + json={'models': models_mock} + ) + + +def register_policy_subject(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/subjects'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', policy_id), + json={'subjects': subject_mock[policy_id]} + ) + + +def register_policy_object(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/objects'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', policy_id), + json={'objects': object_mock[policy_id]} + ) + + +def register_policy_action(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/actions'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', policy_id), + json={'actions': action_mock[policy_id]} + ) + + +def register_policy_subject_assignment(m, policy_id, subj_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/subject_assignments/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id, + subj_id), + json={'subject_assignments': subject_assignment_mock} + ) + + +def register_policy_subject_assignment_list(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/subject_assignments'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id), + json={'subject_assignments': subject_assignment_mock} + ) + + +def register_policy_object_assignment(m, policy_id, obj_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/object_assignments/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id, + obj_id), + json={'object_assignments': object_assignment_mock} + ) + + +def register_policy_object_assignment_list(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/object_assignments'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id), + json={'object_assignments': object_assignment_mock} + ) + + +def register_policy_action_assignment(m, policy_id, action_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/action_assignments/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id, + action_id), + json={'action_assignments': action_assignment_mock} + ) + + +def register_policy_action_assignment_list(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/action_assignments'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id), + json={'action_assignments': action_assignment_mock} + ) + + +def register_rules(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id, 'rules'), + json={'rules': rules_mock} + ) \ No newline at end of file diff --git a/moonv4/python_moonutilities/tests/unit_python/mock_components.py b/moonv4/python_moonutilities/tests/unit_python/mock_components.py new file mode 100644 index 00000000..a0319e1a --- /dev/null +++ b/moonv4/python_moonutilities/tests/unit_python/mock_components.py @@ -0,0 +1,27 @@ +import utilities + +COMPONENTS = ( + "logging", + "openstack/keystone", + "database", + "slave", + "components/manager", + "components/orchestrator", + "components/interface", +) + + +def register_components(m): + for component in COMPONENTS: + m.register_uri( + 'GET', 'http://consul:8500/v1/kv/{}'.format(component), + json=[{'Key': component, 'Value': utilities.get_b64_conf(component)}] + ) + + m.register_uri( + 'GET', 'http://consul:8500/v1/kv/components?recurse=true', + json=[ + {"Key": key, "Value": utilities.get_b64_conf(key)} for key in COMPONENTS + ], + # json={'Key': "components", 'Value': get_b64_conf("components")} + ) \ No newline at end of file diff --git a/moonv4/python_moonutilities/tests/unit_python/mock_keystone.py b/moonv4/python_moonutilities/tests/unit_python/mock_keystone.py new file mode 100644 index 00000000..c0b26b88 --- /dev/null +++ b/moonv4/python_moonutilities/tests/unit_python/mock_keystone.py @@ -0,0 +1,23 @@ +def register_keystone(m): + m.register_uri( + 'POST', 'http://keystone:5000/v3/auth/tokens', + headers={'X-Subject-Token': "111111111"} + ) + m.register_uri( + 'DELETE', 'http://keystone:5000/v3/auth/tokens', + headers={'X-Subject-Token': "111111111"} + ) + m.register_uri( + 'POST', 'http://keystone:5000/v3/users?name=testuser&domain_id=default', + json={"users": {}} + ) + m.register_uri( + 'GET', 'http://keystone:5000/v3/users?name=testuser&domain_id=default', + json={"users": {}} + ) + m.register_uri( + 'POST', 'http://keystone:5000/v3/users/', + json={"users": [{ + "id": "1111111111111" + }]} + ) \ No newline at end of file diff --git a/moonv4/python_moonutilities/tests/unit_python/requirements.txt b/moonv4/python_moonutilities/tests/unit_python/requirements.txt new file mode 100644 index 00000000..3c1ad607 --- /dev/null +++ b/moonv4/python_moonutilities/tests/unit_python/requirements.txt @@ -0,0 +1,2 @@ +pytest +requests_mock \ No newline at end of file diff --git a/moonv4/python_moonutilities/tests/unit_python/test_cache.py b/moonv4/python_moonutilities/tests/unit_python/test_cache.py new file mode 100644 index 00000000..3d4f7292 --- /dev/null +++ b/moonv4/python_moonutilities/tests/unit_python/test_cache.py @@ -0,0 +1,75 @@ +import pytest + + +def test_authz_request(): + from moon_utilities import cache + c = cache.Cache() + assert isinstance(c.authz_requests, dict) + + +def test_get_subject_success(): + from moon_utilities import cache + cache_obj = cache.Cache() + policy_id = 'policy_id_1' + name = 'subject_name' + subject_id = cache_obj.get_subject(policy_id, name) + assert subject_id is not None + + +def test_get_subject_failure(): + from moon_utilities import cache + cache_obj = cache.Cache() + policy_id = 'policy_id_1' + name = 'invalid name' + with pytest.raises(Exception) as exception_info: + cache_obj.get_subject(policy_id, name) + assert str(exception_info.value) == '400: Subject Unknown' + + +def test_get_object_success(): + from moon_utilities import cache + cache_obj = cache.Cache() + policy_id = 'policy_id_1' + name = 'object_name' + object_id = cache_obj.get_object(policy_id, name) + assert object_id is not None + + +def test_get_object_failure(): + from moon_utilities import cache + cache_obj = cache.Cache() + policy_id = 'policy_id_1' + name = 'invalid name' + with pytest.raises(Exception) as exception_info: + cache_obj.get_object(policy_id, name) + assert str(exception_info.value) == '400: Subject Unknown' + + +def test_get_action_success(): + from moon_utilities import cache + cache_obj = cache.Cache() + policy_id = 'policy_id_1' + name = 'action_name' + action_id = cache_obj.get_action(policy_id, name) + assert action_id is not None + + +def test_get_action_failure(): + from moon_utilities import cache + cache_obj = cache.Cache() + policy_id = 'policy_id_1' + name = 'invalid name' + with pytest.raises(Exception) as exception_info: + cache_obj.get_action(policy_id, name) + assert str(exception_info.value) == '400: Subject Unknown' + + +def test_cache_manager(): + from moon_utilities import cache + cache_obj = cache.Cache() + assert cache_obj.pdp is not None + assert cache_obj.meta_rules is not None + assert len(cache_obj.meta_rules) == 2 + assert cache_obj.policies is not None + assert len(cache_obj.policies) == 2 + assert cache_obj.models is not None \ No newline at end of file diff --git a/moonv4/python_moonutilities/tests/unit_python/test_configuration.py b/moonv4/python_moonutilities/tests/unit_python/test_configuration.py new file mode 100644 index 00000000..0ebff995 --- /dev/null +++ b/moonv4/python_moonutilities/tests/unit_python/test_configuration.py @@ -0,0 +1,5 @@ + +def test_get_components(): + from moon_utilities import configuration + assert isinstance(configuration.get_components(), dict) + diff --git a/moonv4/python_moonutilities/tests/unit_python/utilities.py b/moonv4/python_moonutilities/tests/unit_python/utilities.py new file mode 100644 index 00000000..1d79d890 --- /dev/null +++ b/moonv4/python_moonutilities/tests/unit_python/utilities.py @@ -0,0 +1,136 @@ +import base64 +import json + + +CONF = { + "openstack": { + "keystone": { + "url": "http://keystone:5000/v3", + "user": "admin", + "check_token": False, + "password": "p4ssw0rd", + "domain": "default", + "certificate": False, + "project": "admin" + } + }, + "components": { + "wrapper": { + "bind": "0.0.0.0", + "port": 8080, + "container": "wukongsun/moon_wrapper:v4.3", + "timeout": 5, + "hostname": "wrapper" + }, + "manager": { + "bind": "0.0.0.0", + "port": 8082, + "container": "wukongsun/moon_manager:v4.3", + "hostname": "manager" + }, + "port_start": 31001, + "orchestrator": { + "bind": "0.0.0.0", + "port": 8083, + "container": "wukongsun/moon_orchestrator:v4.3", + "hostname": "interface" + }, + "interface": { + "bind": "0.0.0.0", + "port": 8080, + "container": "wukongsun/moon_interface:v4.3", + "hostname": "interface" + } + }, + "plugins": { + "session": { + "port": 8082, + "container": "asteroide/session:latest" + }, + "authz": { + "port": 8081, + "container": "wukongsun/moon_authz:v4.3" + } + }, + "logging": { + "handlers": { + "file": { + "filename": "/tmp/moon.log", + "class": "logging.handlers.RotatingFileHandler", + "level": "DEBUG", + "formatter": "custom", + "backupCount": 3, + "maxBytes": 1048576 + }, + "console": { + "class": "logging.StreamHandler", + "formatter": "brief", + "level": "INFO", + "stream": "ext://sys.stdout" + } + }, + "formatters": { + "brief": { + "format": "%(levelname)s %(name)s %(message)-30s" + }, + "custom": { + "format": "%(asctime)-15s %(levelname)s %(name)s %(message)s" + } + }, + "root": { + "handlers": [ + "console" + ], + "level": "ERROR" + }, + "version": 1, + "loggers": { + "moon": { + "handlers": [ + "console", + "file" + ], + "propagate": False, + "level": "DEBUG" + } + } + }, + "slave": { + "name": None, + "master": { + "url": None, + "login": None, + "password": None + } + }, + "docker": { + "url": "tcp://172.88.88.1:2376", + "network": "moon" + }, + "database": { + "url": "sqlite:///database.db", + # "url": "mysql+pymysql://moon:p4sswOrd1@db/moon", + "driver": "sql" + }, + "messenger": { + "url": "rabbit://moon:p4sswOrd1@messenger:5672/moon" + } +} + + +def get_b64_conf(component=None): + if component == "components": + return base64.b64encode( + json.dumps(CONF["components"]).encode('utf-8')+b"\n").decode('utf-8') + elif component in CONF: + return base64.b64encode( + json.dumps( + CONF[component]).encode('utf-8')+b"\n").decode('utf-8') + elif not component: + return base64.b64encode( + json.dumps(CONF).encode('utf-8')+b"\n").decode('utf-8') + elif "/" in component: + key1, _, key2 = component.partition("/") + return base64.b64encode( + json.dumps( + CONF[key1][key2]).encode('utf-8')+b"\n").decode('utf-8') -- cgit 1.2.3-korg