# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
# This software is distributed under the terms and conditions of the 'Apache-2.0'
# license which can be found in the file 'LICENSE' in this package distribution
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.

import itertools
import pickle
import logging
import flask
from flask import request
from flask_restful import Resource
from python_moonutilities import exceptions

# Module logger, namespaced under the moon authz API hierarchy.
logger = logging.getLogger("moon.authz.api.{}".format(__name__))


class Authz(Resource):
    """
    Endpoint for authz requests

    Flask-RESTful resource served at ``/authz`` (see ``__urls__``).  The
    live request path is ``post()``: it unpickles a context object from the
    request body, matches it against the rules of
    ``context.current_policy_id`` (``run`` / ``__check_rules``), applies the
    matched rule's instructions and returns the mutated context, pickled.

    ``get_authz()`` and the helpers that read ``self.payload`` are left over
    from an earlier, message-based design; nothing on the ``post`` path
    reaches them and they cannot run as written (see the notes on each).
    """
    __version__ = "4.3.1"

    __urls__ = (
        "/authz",
        "/authz/",
    )

    # Class-level defaults; ``__init__`` overwrites the first three from
    # ``component_data``.  ``payload`` is never assigned anywhere in this
    # class (only commented-out code wrote it), so every helper that
    # subscripts ``self.payload`` sees ``None``.
    pdp_id = None
    meta_rule_id = None
    keystone_project_id = None
    payload = None

    def __init__(self, **kwargs) -> None:
        """Record the component identity and the shared policy cache.

        :param component_data: dict holding ``component_id``, ``pdp_id``,
            ``meta_rule_id`` and ``keystone_project_id``.  The default is an
            empty dict, so omitting it raises ``KeyError`` on the first key.
        :param cache: object exposing ``.rules`` (keyed by policy id) and
            ``.subject_categories``; read by ``__check_rules`` and
            ``__update_subject_category_in_policy`` and attached to the
            request context for the duration of ``post``.
        """
        component_data = kwargs.get("component_data", {})
        self.component_id = component_data['component_id']
        self.pdp_id = component_data['pdp_id']
        self.meta_rule_id = component_data['meta_rule_id']
        self.keystone_project_id = component_data['keystone_project_id']
        self.cache = kwargs.get("cache")
        self.context = None

    def post(self):
        """Evaluate one authorization request carried as a pickled context.

        :request: the raw body is passed to ``pickle.loads`` and must be the
            project's context object.  ``run`` reads ``headers``, ``index``,
            ``pdp_set`` and ``current_policy_id`` from it and writes
            ``current_state``; ``set_cache``, ``increment_index`` and
            ``delete_cache`` are called on it here.
        :return: the same context after ``run``, re-pickled, as an
            ``application/octet-stream`` response.  There is no
            ``try``/``except`` on this path: any exception from ``run``
            (including the typed ``exceptions.*`` errors and a ``NameError``
            from an ``update`` instruction) propagates to Flask.
        :internal_api: authz

        SECURITY NOTE(review): ``pickle.loads`` on the request body lets any
        client that can reach this endpoint execute arbitrary code in this
        process, because unpickling can invoke any importable callable.
        Nothing in this file authenticates the caller or checks the
        content type.  Unless the endpoint is only reachable from a trusted
        peer over an authenticated channel, the transport should move to a
        non-executable encoding (e.g. JSON) or at least verify a MAC over
        the body with a key shared with the peer before unpickling -- TODO
        confirm how this service is exposed.

        The JSON below is kept from an earlier revision of this docstring;
        it does not describe the pickled response this method returns now.

        {
            "args": {},
            "ctx": {
                "action_name": "4567",
                "id": "123456",
                "method": "authz",
                "object_name": "234567",
                "subject_name": "123456",
                "user_id": "admin"
            },
            "error": {
                "code": 500,
                "description": "",
                "title": "Moon Error"
            },
            "intra_extension_id": "123456",
            "result": false
        }
        """
        # See the SECURITY NOTE above: untrusted pickle deserialization.
        self.context = pickle.loads(request.data)
        # The cache is attached only while rules are evaluated and detached
        # again before the context is pickled back (presumably so the cache
        # is not serialized into the response -- the context's own code is
        # not visible here).
        self.context.set_cache(self.cache)
        self.context.increment_index()
        self.run()
        self.context.delete_cache()
        response = flask.make_response(pickle.dumps(self.context))
        response.headers['content-type'] = 'application/octet-stream'
        return response

    def run(self) -> bool | None:
        """Match the current request against the policy rules and act on it.

        :return: ``True`` when the matched rule's instructions contain a
            ``grant`` decision (see ``__exec_instructions``), otherwise
            ``None``.  ``post`` ignores the value; the outcome is carried by
            ``self.context.current_state``.
        """
        # Logs the full pdp_set (policy targets) at DEBUG on every request.
        logger.debug("self.context.pdp_set={}".format(self.context.pdp_set))
        result, message = self.__check_rules()
        if result:
            return self.__exec_instructions(result)
        else:
            # No rule matched, or the matched rule had an empty instruction
            # list (also falsy): the request is denied.
            self.context.current_state = "deny"
        # self.__exec_next_state(result)
        return

    def __check_rules(self) -> tuple:
        """Find the first rule of the current policy matching the request target.

        For each category listed in the current meta-rule (subject, then
        object, then action categories), the ``target`` values of that
        category form one axis; every combination across the axes
        (``itertools.product``) is compared as a list, with ``==``, against
        each rule's ``rule`` field.  Matching is therefore order-sensitive:
        a rule's values must be laid out in the same category order as the
        meta-rule lists them.

        :return: ``(instructions, "")`` for the first matching rule, else
            ``(False, "No rule match the request...")``.
        :raises exceptions.PdpUnknown: ``context.pdp_set`` is empty/None.
        :raises Exception: ``headers[index]`` is not a key of ``pdp_set``
            (a bare ``Exception``, unlike the typed errors around it --
            callers cannot distinguish it).
        :raises exceptions.PdpContentError: the pdp entry lacks
            ``meta_rules`` or ``target``.
        :raises exceptions.MetaRuleContentError: any error while reading the
            three ``*_categories`` lists (all exceptions are mapped to it).
        :raises exceptions.PolicyUnknown: ``current_policy_id`` not in
            ``self.cache.rules``.
        :raises exceptions.RuleUnknown: the policy entry has no ``rules``.
        :raises KeyError: a meta-rule category missing from ``target`` (not
            guarded).
        """
        scopes_list = list()
        current_header_id = self.context.headers[self.context.index]
        # Context.update_target(context)
        if not self.context.pdp_set:
            raise exceptions.PdpUnknown
        if current_header_id not in self.context.pdp_set:
            raise Exception('Invalid index')
        current_pdp = self.context.pdp_set[current_header_id]
        category_list = list()
        if 'meta_rules' not in current_pdp:
            raise exceptions.PdpContentError
        try:
            category_list.extend(current_pdp["meta_rules"]["subject_categories"])
            category_list.extend(current_pdp["meta_rules"]["object_categories"])
            category_list.extend(current_pdp["meta_rules"]["action_categories"])
        except Exception:
            raise exceptions.MetaRuleContentError
        if 'target' not in current_pdp:
            raise exceptions.PdpContentError
        # One axis per category; ``target[category]`` may be any iterable.
        for category in category_list:
            scope = list(current_pdp['target'][category])
            scopes_list.append(scope)
        # policy_id = self.cache.get_policy_from_meta_rules("admin", current_header_id)
        if self.context.current_policy_id not in self.cache.rules:
            raise exceptions.PolicyUnknown
        if 'rules' not in self.cache.rules[self.context.current_policy_id]:
            raise exceptions.RuleUnknown
        # Linear scan: (#combinations x #rules) comparisons per request.
        for item in itertools.product(*scopes_list):
            req = list(item)
            for rule in self.cache.rules[self.context.current_policy_id]["rules"]:
                # NOTE(review): every rule is logged at INFO on every
                # request; this is noisy and copies policy content into the
                # logs.  DEBUG would be the usual level.
                logger.info("rule={}".format(rule))
                if req == rule['rule']:
                    return rule['instructions'], ""
        logger.warning("No rule match the request...")
        return False, "No rule match the request..."

    def __update_subject_category_in_policy(self, operation, target) -> bool:
        """Add or remove a subject data value in a meta-rule's target.

        Backs the ``update`` instruction of ``__exec_instructions``.

        :param operation: ``"add"`` or ``"delete"``.  Any other value is
            accepted and leaves the target untouched (``result`` is still
            set to ``True`` once the meta-rule is found).
        :param target: ``"<policy_name>:<category_name>:<data_name>"``.
            ``category_name`` is parsed but never used: the category is
            always the subject category whose name is ``"role"``.
        :return: ``True`` once a meta-rule named ``policy_name`` has been
            processed; ``False`` if ``target`` is malformed, no ``"role"``
            category exists, no data value is named ``data_name``, or no
            meta-rule has that name.

        NOTE(review): as written this cannot complete.  ``PolicyManager``
        and ``policy_id`` are not defined in this module, so the call below
        raises ``NameError`` as soon as a meta-rule name matches, and that
        error is not caught on the ``post`` path.  The final writes also go
        to ``self.payload["authz_context"]`` (``self.payload`` is ``None``
        here) while the reads use ``self.context`` -- presumably the data
        lookup should come from ``self.cache`` and the writes should target
        ``self.context.pdp_set``, as ``__update_headers`` does.  TODO
        confirm before relying on ``update`` instructions.
        """
        result = False
        try:
            policy_name, category_name, data_name = target.split(":")
        except ValueError:
            logger.error("Cannot understand value in instruction ({})".format(target))
            return False
        # pdp_set = self.payload["authz_context"]['pdp_set']
        for meta_rule_id in self.context.pdp_set:
            # ``pdp_set`` also carries an "effect" entry that is not a meta-rule.
            if meta_rule_id == "effect":
                continue
            if self.context.pdp_set[meta_rule_id]["meta_rules"]["name"] == policy_name:
                # for/else: the else branch runs only when no "role" category
                # was found (no break).
                for category_id, category_value in self.cache.subject_categories.items():
                    if category_value["name"] == "role":
                        subject_category_id = category_id
                        break
                else:
                    logger.error("Cannot understand category in instruction ({})".format(target))
                    return False
                subject_data_id = None
                # NameError: ``PolicyManager`` and ``policy_id`` are undefined here.
                for data in PolicyManager.get_subject_data("admin", policy_id, category_id=subject_category_id):
                    for data_id, data_value in data['data'].items():
                        if data_value["name"] == data_name:
                            subject_data_id = data_id
                            break
                    if subject_data_id:
                        break
                else:
                    logger.error("Cannot understand data in instruction ({})".format(target))
                    return False
                # Writes go to ``self.payload`` (None in this class), not ``self.context``.
                if operation == "add":
                    self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][subject_category_id].append(
                        subject_data_id)
                elif operation == "delete":
                    try:
                        self.payload["authz_context"]['pdp_set'][meta_rule_id]['target'][subject_category_id].remove(
                            subject_data_id)
                    except ValueError:
                        logger.warning("Cannot remove role {} from target".format(data_name))
                result = True
                break
        return result

    def __update_container_chaining(self) -> None:
        """Copy each header's meta-rule id into the matching container_chaining slot.

        Legacy helper: only referenced from commented-out code.  It reads
        ``self.payload``, which is ``None`` in this class, so calling it
        raises ``TypeError``.
        """
        for index in range(len(self.payload["authz_context"]['headers'])):
            self.payload["container_chaining"][index]["meta_rule_id"] = self.payload["authz_context"]['headers'][index]

    def __get_container_from_meta_rule(self, meta_rule_id):
        """Return the container_chaining entry whose ``meta_rule_id`` matches, else ``None``.

        Legacy helper: only referenced from commented-out code, and
        ``self.payload`` is ``None`` in this class (``TypeError`` if called).
        """
        for index in range(len(self.payload["authz_context"]['headers'])):
            if self.payload["container_chaining"][index]["meta_rule_id"] == meta_rule_id:
                return self.payload["container_chaining"][index]

    def __update_headers(self, name) -> bool:
        """Queue the meta-rule called ``name`` by appending its id to ``context.headers``.

        Backs the ``chain`` instruction.  The ``"effect"`` entry of
        ``pdp_set`` is skipped; only the first meta-rule with that name is
        appended.

        :return: ``True`` if a meta-rule named ``name`` exists, else ``False``.
        """
        # context = self.payload["authz_context"]
        for meta_rule_id, meta_rule_value in self.context.pdp_set.items():
            if meta_rule_id == "effect":
                continue
            if meta_rule_value["meta_rules"]["name"] == name:
                self.context.headers.append(meta_rule_id)
                return True
        return False

    # def __exec_next_state(self, rule_found):
    #     index = self.context.index
    #     current_meta_rule = self.context.headers[index]
    #     current_container = self.__get_container_from_meta_rule(current_meta_rule)
    #     current_container_genre = current_container["genre"]
    #     try:
    #         next_meta_rule = self.context.headers[index + 1]
    #     except IndexError:
    #         next_meta_rule = None
    #     if current_container_genre == "authz":
    #         if rule_found:
    #             return True
    #         pass
    #         if next_meta_rule:
    #             # next will be session if current is deny and session is unset
    #             if self.payload["authz_context"]['pdp_set'][next_meta_rule]['effect'] == "unset":
    #                 return notify(
    #                     request_id=self.payload["authz_context"]["request_id"],
    #                     container_id=self.__get_container_from_meta_rule(next_meta_rule)['container_id'],
    #                     payload=self.payload)
    #             # next will be delegation if current is deny and session is passed or deny and delegation is unset
    #             else:
    #                 LOG.error("Delegation is not developed!")
    #
    #         else:
    #             # else next will be None and the request is sent to router
    #             return self.__return_to_router()
    #     elif current_container_genre == "session":
    #         pass
    #         # next will be next container in headers if current is passed
    #         if self.payload["authz_context"]['pdp_set'][current_meta_rule]['effect'] == "passed":
    #             return notify(
    #                 request_id=self.payload["authz_context"]["request_id"],
    #                 container_id=self.__get_container_from_meta_rule(next_meta_rule)['container_id'],
    #                 payload=self.payload)
    #         # next will be None if current is grant and the request is sent to router
    #         else:
    #             return self.__return_to_router()
    #     elif current_container_genre == "delegation":
    #         LOG.error("Delegation is not developed!")
    #         # next will be authz if current is deny
    #         # next will be None if current is grant and the request is sent to router

    # def __return_to_router(self):
    #     call(endpoint="security_router",
    #          ctx={"id": self.component_id,
    #               "call_master": False,
    #               "method": "return_authz",
    #               "request_id": self.payload["authz_context"]["request_id"]},
    #          method="route",
    #          args=self.payload["authz_context"])

    def __exec_instructions(self, instructions) -> bool | None:
        """Apply a matched rule's instruction list to ``self.context``.

        ``instructions`` is iterated as a sequence of dicts; the keys of each
        dict are dispatched in iteration order:

        * ``decision``: ``"grant"`` sets ``current_state = "grant"`` and
          returns ``True`` at once; any other value is lower-cased into
          ``current_state`` and processing continues.
        * ``chain``: its value is expanded as keyword arguments of
          ``__update_headers`` (so it must be ``{"name": ...}``);
          ``current_state`` becomes ``"passed"`` on success, ``"deny"``
          otherwise.
        * ``update``: likewise expanded into
          ``__update_subject_category_in_policy`` (``operation``,
          ``target``) with the same state mapping.
        * any other key is ignored.

        A later instruction overwrites the state set by an earlier one,
        except that ``grant`` returns immediately.

        :return: ``True`` on a ``grant`` decision, otherwise ``None``.
        """
        for instruction in instructions:
            for key in instruction:
                if key == "decision":
                    if instruction["decision"] == "grant":
                        self.context.current_state = "grant"
                        logger.info("__exec_instructions True {}".format(
                            self.context.current_state))
                        return True
                    else:
                        self.context.current_state = instruction["decision"].lower()
                elif key == "chain":
                    result = self.__update_headers(**instruction["chain"])
                    if not result:
                        self.context.current_state = "deny"
                    else:
                        self.context.current_state = "passed"
                elif key == "update":
                    result = self.__update_subject_category_in_policy(**instruction["update"])
                    if not result:
                        self.context.current_state = "deny"
                    else:
                        self.context.current_state = "passed"
        logger.info("__exec_instructions False {}".format(self.context.current_state))

    # def __update_current_request(self):
    #     index = self.payload["authz_context"]["index"]
    #     current_header_id = self.payload["authz_context"]['headers'][index]
    #     previous_header_id = self.payload["authz_context"]['headers'][index - 1]
    #     current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id)
    #     previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id)
    #     # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy
    #     if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "session":
    #         subject = self.payload["authz_context"]['current_request'].get("subject")
    #         subject_category_id = None
    #         role_names = []
    #         for category_id, category_value in ModelManager.get_subject_categories("admin").items():
    #             if category_value["name"] == "role":
    #                 subject_category_id = category_id
    #                 break
    #         for assignment_id, assignment_value in PolicyManager.get_subject_assignments(
    #                 "admin", previous_policy_id, subject, subject_category_id).items():
    #             for data_id in assignment_value["assignments"]:
    #                 data = PolicyManager.get_subject_data("admin", previous_policy_id, data_id, subject_category_id)
    #                 for _data in data:
    #                     for key, value in _data["data"].items():
    #                         role_names.append(value["name"])
    #         new_role_ids = []
    #         for perimeter_id, perimeter_value in PolicyManager.get_objects("admin", current_policy_id).items():
    #             if perimeter_value["name"] in role_names:
    #                 new_role_ids.append(perimeter_id)
    #                 break
    #         perimeter_id = None
    #         for perimeter_id, perimeter_value in PolicyManager.get_actions("admin", current_policy_id).items():
    #             if perimeter_value["name"] == "*":
    #                 break
    #
    #         self.payload["authz_context"]['current_request']['object'] = new_role_ids[0]
    #         self.payload["authz_context"]['current_request']['action'] = perimeter_id
    #     elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac":
    #         self.payload["authz_context"]['current_request']['subject'] = \
    #             self.payload["authz_context"]['initial_request']['subject']
    #         self.payload["authz_context"]['current_request']['object'] = \
    #             self.payload["authz_context"]['initial_request']['object']
    #         self.payload["authz_context"]['current_request']['action'] = \
    #             self.payload["authz_context"]['initial_request']['action']

    def get_authz(self) -> dict:
        """Legacy entry point from the message-based design; not used by ``post``.

        :return: on the success path, ``{"authz": instructions-or-False,
            "error": message, "pdp_id": ..., "args": self.payload}``; on
            any exception, the same shape with ``authz`` ``False`` and
            ``error`` set to ``str(e)``.

        NOTE(review): as written the success path is unreachable:
        ``self.__check_rules`` is called with an argument it does not
        accept (``TypeError``) and ``self.__exec_next_state`` is commented
        out (``AttributeError``), so every call lands in the ``except``.
        With ``self.payload`` at its only value in this class (``None``),
        even the handler fails: ``self.payload["authz_context"]`` raises
        ``TypeError``, which the ``except KeyError`` does not catch, so the
        method raises instead of returning.  The handler also logs the
        whole ``authz_context`` at ERROR level.  Candidate for removal
        together with the commented-out code above -- TODO confirm no
        external caller remains.
        """
        # self.keystone_project_id = payload["id"]
        # LOG.info("get_authz {}".format(payload))
        # self.payload = payload
        try:
            # if "authz_context" not in payload:
            #     try:
            #         self.payload["authz_context"] = Context(self.keystone_project_id,
            #                                                 self.payload["subject_name"],
            #                                                 self.payload["object_name"],
            #                                                 self.payload["action_name"],
            #                                                 self.payload["request_id"]).to_dict()
            #     except exceptions.SubjectUnknown:
            #         ctx = {
            #             "subject_name": self.payload["subject_name"],
            #             "object_name": self.payload["object_name"],
            #             "action_name": self.payload["action_name"],
            #         }
            #         call("moon_manager", method="update_from_master", ctx=ctx, args={})
            #         self.payload["authz_context"] = Context(self.keystone_project_id,
            #                                                 self.payload["subject_name"],
            #                                                 self.payload["object_name"],
            #                                                 self.payload["action_name"],
            #                                                 self.payload["request_id"]).to_dict()
            #     except exceptions.ObjectUnknown:
            #         ctx = {
            #             "subject_name": self.payload["subject_name"],
            #             "object_name": self.payload["object_name"],
            #             "action_name": self.payload["action_name"],
            #         }
            #         call("moon_manager", method="update_from_master", ctx=ctx, args={})
            #         self.payload["authz_context"] = Context(self.keystone_project_id,
            #                                                 self.payload["subject_name"],
            #                                                 self.payload["object_name"],
            #                                                 self.payload["action_name"],
            #                                                 self.payload["request_id"]).to_dict()
            #     except exceptions.ActionUnknown:
            #         ctx = {
            #             "subject_name": self.payload["subject_name"],
            #             "object_name": self.payload["object_name"],
            #             "action_name": self.payload["action_name"],
            #         }
            #         call("moon_manager", method="update_from_master", ctx=ctx, args={})
            #         self.payload["authz_context"] = Context(self.keystone_project_id,
            #                                                 self.payload["subject_name"],
            #                                                 self.payload["object_name"],
            #                                                 self.payload["action_name"],
            #                                                 self.payload["request_id"]).to_dict()
            #         self.__update_container_chaining()
            # else:
            #     self.payload["authz_context"]["index"] += 1
            #     self.__update_current_request()
            # TypeError: ``__check_rules`` takes no positional arguments.
            result, message = self.__check_rules(self.payload["authz_context"])
            current_header_id = self.payload["authz_context"]['headers'][self.payload["authz_context"]['index']]
            if result:
                self.__exec_instructions(result)
            else:
                self.payload["authz_context"]['pdp_set'][current_header_id]["effect"] = "deny"
            # AttributeError: ``__exec_next_state`` is commented out above.
            self.__exec_next_state(result)
            return {"authz": result,
                    "error": message,
                    "pdp_id": self.pdp_id,
                    "args": self.payload}
        except Exception as e:
            try:
                # Only KeyError is caught; ``self.payload is None`` raises TypeError here.
                logger.error(self.payload["authz_context"])
            except KeyError:
                logger.error("Cannot find \"authz_context\" in context")
            logger.error(e, exc_info=True)
            return {"authz": False,
                    "error": str(e),
                    "pdp_id": self.pdp_id,
                    "args": self.payload}

    def head(self, uuid=None, subject_name=None, object_name=None, action_name=None) -> tuple[str, int]:
        """Answer HEAD with an empty 200; all parameters are accepted and ignored."""
        logger.info("HEAD request")
        return "", 200