subject_category_id1: {
subject_scope_id1: {
name: xxx,
- des: aaa},
+ description: aaa},
subject_scope_id2: {
name: yyy,
- des: bbb},
+ description: bbb},
...},
subject_category_id2: {...},
...
},
...
}
+
aggregation_algorithm = aggregation_algorithm_id
sub_meta_rules = {
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
from uuid import uuid4
+from glob import glob
+import os
from keystone import config
from keystone.contrib.moon.core import ConfigurationDriver
from keystone.contrib.moon.core import TenantDriver
def __init__(self):
super(ConfigurationConnector, self).__init__()
self.aggregation_algorithm_dict = dict()
- self.aggregation_algorithm_dict[uuid4()] = "all_true"
+ self.aggregation_algorithm_dict[uuid4().hex] = "all_true"
self.sub_meta_rule_algorithm_dict = dict()
- self.sub_meta_rule_algorithm_dict[uuid4()] = "inclusion"
- self.sub_meta_rule_algorithm_dict[uuid4()] = "comparison"
+ self.sub_meta_rule_algorithm_dict[uuid4().hex] = "inclusion"
+ self.sub_meta_rule_algorithm_dict[uuid4().hex] = "comparison"
- def get_policy_templete_dict(self):
- # TODO (dthom)
- pass
+ def get_policy_template_dict(self):
+ nodes = glob(os.path.join(CONF.moon.policy_directory, "*"))
+ return {
+ "authz_templates":
+ [os.path.basename(n) for n in nodes if os.path.isdir(n)]
+ }
def get_aggregation_algorithm_dict(self):
return self.aggregation_algorithm_dict
def get_sub_meta_rule_algorithm_dict(self):
return self.sub_meta_rule_algorithm_dict
-
-class TenantConnector(TenantDriver):
-
- def get_tenant_dict(self):
- # TODO (dthom)
- pass
-
- def set_tenant(self, tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id):
- # TODO (dthom)
- pass
-
-
# class SuperExtensionConnector(SuperExtensionDriver):
#
# def __init__(self):
class IntraExtension(sql.ModelBase, sql.DictBase):
__tablename__ = 'intra_extensions'
- attributes = ['id', 'name', 'model', 'description']
+ attributes = ['id', 'intra_extension']
id = sql.Column(sql.String(64), primary_key=True)
- name = sql.Column(sql.String(64), nullable=False)
- model = sql.Column(sql.String(64), nullable=True)
- description = sql.Column(sql.Text())
+ intra_extension = sql.Column(sql.JsonBlob(), nullable=True)
@classmethod
def from_dict(cls, d):
class Tenant(sql.ModelBase, sql.DictBase):
__tablename__ = 'tenants'
- # attributes = ['id', 'tenant', 'intra_authz_extension_id', 'intra_adminextension_id']
attributes = ['id', 'tenant']
id = sql.Column(sql.String(64), primary_key=True, nullable=False)
tenant = sql.Column(sql.JsonBlob(), nullable=True)
- # intra_authz_extension_id = sql.Column(sql.ForeignKey("intra_extensions.id"), nullable=False)
- # intra_admin_extension_id = sql.Column(sql.ForeignKey("intra_extensions.id"), nullable=False)
- # name = sql.Column(sql.String(128), nullable=True)
- # authz = sql.Column(sql.String(64), nullable=True)
- # admin = sql.Column(sql.String(64), nullable=True)
@classmethod
def from_dict(cls, d):
class TenantConnector(TenantDriver):
- def get_tenant_dict(self):
+ def get_tenants_dict(self):
with sql.transaction() as session:
query = session.query(Tenant)
- # query = query.filter_by(uuid=tenant_uuid)
- # ref = query.first().to_dict()
tenants = query.all()
return {tenant.id: Tenant.to_dict(tenant) for tenant in tenants}
- def add_tenant(self, tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id):
- pass
+ def add_tenant_dict(self, tenant_id, tenant_dict):
+ with sql.transaction() as session:
+ new_ref = Tenant.from_dict(
+ {
+ "id": tenant_id,
+ 'tenant': tenant_dict
+ }
+ )
+ session.add(new_ref)
+ return new_ref.to_dict()
def del_tenant(self, tenant_id):
- pass
+ with sql.transaction() as session:
+ query = session.query(Tenant)
+ query = query.filter_by(id=tenant_id)
+ tenant = query.first()
+ session.delete(tenant)
- # TODO: def set_tenant(self, tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id)
- def set_tenant_dict(self, tenant):
+ def set_tenant_dict(self, tenant_id, tenant_dict):
with sql.transaction() as session:
- uuid = tenant.keys()[0]
query = session.query(Tenant)
- query = query.filter_by(id=uuid)
+ query = query.filter_by(id=tenant_id)
ref = query.first()
- if not ref:
- # if not result, create the database line
- ref = Tenant.from_dict(tenant)
- session.add(ref)
- return Tenant.to_dict(ref)
- elif not tenant[uuid]["authz"] and not tenant[uuid]["admin"]:
- # if admin and authz extensions are not set, delete the mapping
- session.delete(ref)
- return
- elif tenant[uuid]["authz"] or tenant[uuid]["admin"]:
- tenant_ref = ref.to_dict()
- tenant_ref.update(tenant[uuid])
- new_tenant = Tenant(
- id=uuid,
- name=tenant[uuid]["name"],
- authz=tenant[uuid]["intra_authz_extension_id"],
- admin=tenant[uuid]["intra_admin_extension_id"],
- )
- for attr in Tenant.attributes:
- if attr != 'id':
- setattr(ref, attr, getattr(new_tenant, attr))
- return Tenant.to_dict(ref)
- raise TenantException()
+ tenant_ref = ref.to_dict()
+ tenant_ref.update(tenant_dict)
+ new_tenant = Tenant(
+ id=tenant_id,
+ tenant=tenant_ref
+ )
+ for attr in Tenant.attributes:
+ if attr != 'id':
+ setattr(ref, attr, getattr(new_tenant, attr))
+ return Tenant.to_dict(ref)
class IntraExtensionConnector(IntraExtensionDriver):
return token_ref.get('user')
@controller.protected()
- def get_policy_templetes(self, context, **kw):
+ def get_policy_templates(self, context, **kw):
user_id = self._get_user_uuid_from_token(context.get("token_id"))
- # TODO: belowing code should be move to core.py
- # TODO: return self.configuration_api_get_policy_templete_dict(user_id)
- nodes = glob.glob(os.path.join(CONF.moon.policy_directory, "*"))
- return {
- "authz_templetes":
- [os.path.basename(n) for n in nodes if os.path.isdir(n)]
- }
+ return self.configuration_api_get_policy_templete_dict(user_id)
@controller.protected()
def get_aggregation_algorithms(self, context, **kw):
@controller.protected()
def get_tenants(self, context, **kw):
user_id = self._get_user_id_from_token(context.get("token_id"))
- return self.tenant_api.get_tenant_dict(user_id)
+ return self.tenant_api.get_tenants_dict(user_id)
@controller.protected()
def add_tenant(self, context, **kw):
user_id = self._get_user_id_from_token(context.get("token_id"))
# TODO: get tenant name from keystone
- tenant_name = kw.get("tenant_name")
- intra_authz_ext_id = kw.get("intra_authz_ext_id")
- intra_admin_ext_id = kw.get("intra_admin_ext_id")
- return self.tenant_api.add_tenant(user_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id)
+ tenant_dict = dict()
+ tenant_dict['name'] = kw.get("name")
+ tenant_dict['description'] = kw.get("description")
+ tenant_dict['intra_authz_ext_id'] = kw.get("intra_authz_ext_id")
+ tenant_dict['intra_admin_ext_id'] = kw.get("intra_admin_ext_id")
+ return self.tenant_api.add_tenant_dict(user_id, tenant_dict)
@controller.protected()
def get_tenant(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
tenant_id = kw.get("tenant_id")
- return self.tenant_api.get_tenant(user_id, tenant_id)
+ return self.tenant_api.get_tenants_dict(user_id, tenant_id)
@controller.protected()
def del_tenant(self, context, **kw):
tenant_id = kw.get("tenant_id")
return self.tenant_api.del_tenant(user_id, tenant_id)
- """def load_tenant(self, context, **kw):
+ def set_tenant(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
- tenant_id = kw["tenant_id"]
- tenant_name = self.resource_api.get_project(tenant_id)["name"]
- intra_authz_ext_id = kw.get("intra_authz_ext_id")
- intra_admin_ext_id = kw.get("intra_admin_ext_id")
- self.tenant_api.add_tenant_dict(
- user_id,
- tenant_id,
- tenant_name,
- intra_authz_ext_id,
- intra_admin_ext_id)
- """
+ tenant_id = kw["id"]
+ tenant_dict = dict()
+ tenant_dict['name'] = kw.get("name")
+ tenant_dict['description'] = kw.get("description")
+ tenant_dict['intra_authz_ext_id'] = kw.get("intra_authz_ext_id")
+ tenant_dict['intra_admin_ext_id'] = kw.get("intra_admin_ext_id")
+ self.tenant_api.set_tenant_dict(user_id, tenant_id, tenant_dict)
@dependency.requires('authz_api')
def get_authz(self, context, tenant_name, subject_name, object_name, action_name):
try:
return self.authz_api.authz(tenant_name, subject_name, object_name, action_name)
- except TenantUnknown:
- return True
except:
return False
@controller.protected()
def get_intra_extensions(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
- return self.admin_api.get_intra_extension_dict(user_id)
+ return self.admin_api.get_intra_extensions_dict(user_id)
@controller.protected()
def add_intra_extension(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
intra_extension_dict = dict()
- # TODO: replace kw by a tangible dict with known variables
intra_extension_dict["intra_extension_name"] = kw.get("intra_extension_name", dict())
intra_extension_dict["subject_categories"] = kw.get("subject_categories", dict())
intra_extension_dict["object_categories"] = kw.get("object_categories", dict())
return self.admin_api.load_intra_extension_dict(user_id, intra_extension_dict)
@controller.protected()
- def get_intra_extension(self, context, **kw):
+ def get_intra_extension_dict(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
ie_id = kw.get('intra_extension_id', None)
- return self.admin_api.get_intra_extension_dict(user_id)[ie_id]
+ return self.admin_api.get_intra_extensions_dict(user_id)[ie_id]
@controller.protected()
def del_intra_extension(self, context, **kw):
if "ie_id" not in kw:
raise IntraExtensionUnknown
ie_id = kw.get('intra_extension_id', None)
- return self.admin_api.del_intra_extension(user_id, ie_id)
+ self.admin_api.del_intra_extension(user_id, ie_id)
+
+ @controller.protected()
+ def set_intra_extension(self, context, **kw):
+ user_id = self._get_user_id_from_token(context.get('token_id'))
+ if "ie_id" not in kw:
+ raise IntraExtensionUnknown
+ ie_id = kw.get('intra_extension_id', None)
+ self.admin_api.set_intra_extension(user_id, ie_id)
# Metadata functions
@controller.protected()
CONF = config.CONF
LOG = log.getLogger(__name__)
-DEFAULT_USER = uuid4().hex() # default user_id for internal invocation
+DEFAULT_USER = uuid4().hex # default user_id for internal invocation
_OPTS = [
@dependency.provider('configuration_api')
-@dependency.requires('moonlog_api') # TODO: log should be totally removed to exception.py
+@dependency.requires('moonlog_api')
class ConfigurationManager(manager.Manager):
def __init__(self):
@dependency.provider('tenant_api')
-@dependency.requires('moonlog_api') # TODO: log should be totally removed to exception.py
+@dependency.requires('moonlog_api')
class TenantManager(manager.Manager):
def __init__(self):
super(TenantManager, self).__init__(CONF.moon.tenant_driver)
- def get_tenant_dict(self, user_id):
+ def get_tenants_dict(self, user_id):
"""
Return a dictionary with all tenants
:return: {
}
"""
# TODO: check user right with user_id in SuperExtension
- tenant_dict = self.driver.get_tenant_dict()
- # TODO: check whether we need this exception
- if not tenant_dict:
- raise TenantDictEmpty()
- return tenant_dict
+ return self.driver.get_tenants_dict()
- def add_tenant(self, user_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id):
+ def add_tenant_dict(self, user_id, tenant_dict):
# TODO: check user right with user_id in SuperExtension
- tenant_dict = self.driver.get_tenant_dict()
- for tenant_id in tenant_dict:
- if tenant_dict[tenant_id]['name'] is tenant_name:
+ tenants_dict = self.driver.get_tenants_dict()
+ for tenant_id in tenants_dict:
+ if tenants_dict[tenant_id]['name'] is tenant_dict['name']:
raise TenantAddedNameExisting()
- return self.driver.add_tenant(uuid4().hex(), tenant_name, intra_authz_ext_id, intra_admin_ext_id)
+ return self.driver.add_tenant_dict(uuid4().hex, tenant_dict)
- def get_tenant(self, user_id, tenant_id):
+ def get_tenant_dict(self, user_id, tenant_id):
# TODO: check user right with user_id in SuperExtension
- tenant_dict = self.driver.get_tenant_dict()
- if tenant_id not in tenant_dict:
+ tenants_dict = self.driver.get_tenants_dict()
+ if tenant_id not in tenants_dict:
raise TenantUnknown()
- return tenant_dict[tenant_id]
+ return tenants_dict[tenant_id]
def del_tenant(self, user_id, tenant_id):
# TODO: check user right with user_id in SuperExtension
- if tenant_id not in self.driver.get_tenant_dict():
+ if tenant_id not in self.driver.get_tenants_dict():
raise TenantUnknown()
- return self.driver.del_tenant(tenant_id)
+ self.driver.del_tenant(tenant_id)
- # def set_tenant_dict(self, user_id, tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id):
- # # TODO: check user right with user_id in SuperExtension
- # # TODO (dthom): Tenant must be checked against Keystone database.
- # return self.driver.set_tenant(tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id)
+ def set_tenant_dict(self, user_id, tenant_id, tenant_dict):
+ # TODO: check user right with user_id in SuperExtension
+ if tenant_id not in self.driver.get_tenants_dict():
+ raise TenantUnknown()
+ return self.driver.set_tenant_dict(tenant_id, tenant_dict)
def get_tenant_name_from_id(self, user_id, tenant_id):
# TODO: check user right with user_id in SuperExtension
- tenant_dict = self.driver.get_tenant_dict()
+ tenant_dict = self.driver.get_tenants_dict()
if tenant_id not in tenant_dict:
raise TenantUnknown()
return tenant_dict[tenant_id]["name"]
def set_tenant_name(self, user_id, tenant_id, tenant_name):
# TODO: check user right with user_id in SuperExtension
- tenant_dict = self.driver.get_tenant_dict()
+ tenant_dict = self.driver.get_tenants_dict()
if tenant_id not in tenant_dict:
raise TenantUnknown()
return self.driver.set_tenant(
def get_tenant_id_from_name(self, user_id, tenant_name):
# TODO: check user right with user_id in SuperExtension
- tenant_dict = self.driver.get_tenant_dict()
- for tenant_id in tenant_dict:
- if tenant_dict[tenant_id]["name"] is tenant_name:
+ tenants_dict = self.driver.get_tenants_dict()
+ for tenant_id in tenants_dict:
+ if tenants_dict[tenant_id]["name"] is tenant_name:
return tenant_id
return None
"""
# 1 tenant only with 1 authz extension and 1 admin extension
# TODO: check user right with user_id in SuperExtension
- tenant_dict = self.driver.get_tenant_dict()
+ tenant_dict = self.driver.get_tenants_dict()
if tenant_id not in tenant_dict:
raise TenantUnknown()
elif not tenant_dict[tenant_id][genre]:
# TODO: check if we need the func
def get_tenant_uuid(self, extension_uuid):
- for _tenant_uuid, _tenant_value in six.iteritems(self.get_tenant_dict()):
+ for _tenant_uuid, _tenant_value in six.iteritems(self.get_tenants_dict()):
if extension_uuid == _tenant_value["authz"] or extension_uuid == _tenant_value["admin"]:
return _tenant_uuid
raise TenantIDNotFound()
# TODO: check if we need the func
def get_admin_extension_uuid(self, authz_extension_uuid):
- _tenants = self.get_tenant_dict()
+ _tenants = self.get_tenants_dict()
for _tenant_uuid in _tenants:
if authz_extension_uuid == _tenants[_tenant_uuid]['authz'] and _tenants[_tenant_uuid]['admin']:
return _tenants[_tenant_uuid]['admin']
# TODO: check if we need the func
def delete(self, authz_extension_uuid):
- _tenants = self.get_tenant_dict()
+ _tenants = self.get_tenants_dict()
for _tenant_uuid in _tenants:
if authz_extension_uuid == _tenants[_tenant_uuid]['authz']:
return self.set_tenant_dict(_tenant_uuid, "", "", "")
return False
- def get_intra_extension_dict(self, user_id):
+ def get_intra_extensions_dict(self, user_id):
"""
:param user_id:
:return: {
...}
"""
# TODO: check will be done through super_extension later
- return self.driver.get_intra_extension_dict()
+ return self.driver.get_intra_extensions_dict()
# load policy from policy directory
# TODO (dthom) re-check these funcs
:return: {intra_extension_id: intra_extension_name, ...}
"""
# TODO: check will be done through super_extension later
- if intra_extension_id not in self.driver.get_intra_extension_dict():
+ if intra_extension_id not in self.driver.get_intra_extensions_dict():
raise IntraExtensionUnknown()
- return self.driver.get_intra_extension_dict()[intra_extension_id]
+ return self.driver.get_intra_extensions_dict()[intra_extension_id]
def del_intra_extension(self, user_id, intra_extension_id):
# TODO: check will be done through super_extension later
- if intra_extension_id not in self.driver.get_intra_extension_dict():
+ if intra_extension_id not in self.driver.get_intra_extensions_dict():
raise IntraExtensionUnknown()
return self.driver.del_intra_extension(intra_extension_id)
"""
tenant_id = self.tenant_api.get_tenant_id_from_name(DEFAULT_USER, tenant_name)
intra_extension_id = self.tenant_api.get_tenant_intra_extension_id(DEFAULT_USER, tenant_id, self.__genre__)
- subject_dict = self.driver.get_subject_dict(intra_extension_id)
+ subjects_dict = self.driver.get_subject_dict(intra_extension_id)
subject_id = None
- for _subject_id in subject_dict:
- if subject_dict[_subject_id]['name'] is subject_name:
+ for _subject_id in subjects_dict:
+ if subjects_dict[_subject_id]['name'] is subject_name:
subject_id = _subject_id
if not subject_id:
raise SubjectUnknown()
- object_dict = self.driver.get_object_dict(intra_extension_id)
+ objects_dict = self.driver.get_object_dict(intra_extension_id)
object_id = None
- for _object_id in object_dict:
- if object_dict[_object_id]['name'] is object_name:
+ for _object_id in objects_dict:
+ if objects_dict[_object_id]['name'] is object_name:
object_id = _object_id
if not object_id:
raise ObjectUnknown()
- action_dict = self.driver.get_action_dict(intra_extension_id)
+ actions_dict = self.driver.get_action_dict(intra_extension_id)
action_id = None
- for _action_id in action_dict:
- if action_dict[_action_id] is action_name:
+ for _action_id in actions_dict:
+ if actions_dict[_action_id] is action_name:
action_id = _action_id
if not action_id:
raise ActionUnknown()
class TenantDriver(object):
- def get_tenant_dict(self):
- # TODO: should implement TenantListEmpty exception
+ def get_tenants_dict(self):
+ raise exception.NotImplemented() # pragma: no cover
+
+ def add_tenant_dict(self, tenant_id, tenant_dict):
+ raise exception.NotImplemented() # pragma: no cover
+
+ def del_tenant_dict(self, tenant_id):
raise exception.NotImplemented() # pragma: no cover
- def set_tenant(self, tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id):
- # if tenant_id exists, then modify; if the tenant_id not exists, then add the tenant
- # TODO: should implement AddedTenantNameExist exception
+ def set_tenant_dict(self, tenant_id, tenant_dict):
raise exception.NotImplemented() # pragma: no cover
logger = "ERROR"
-class TenantDictEmpty(TenantException):
- message_format = _("The tenant dict mapping is empty, you must set the mapping first.")
- code = 400
- title = 'Tenant Dict Empty'
- logger = "WARNING"
-
-
class TenantUnknown(TenantException):
message_format = _("The tenant is unknown.")
code = 400
# Configuration route
self._add_resource(
mapper, configuration_controller,
- path=self.PATH_PREFIX+'/configuration/templetes',
- get_action='get_templetes',
- rel=self._get_rel('templetes'),
+ path=self.PATH_PREFIX+'/configuration/templates',
+ get_action='get_templates',
+ rel=self._get_rel('templates'),
path_vars={})
self._add_resource(
mapper, configuration_controller,
path_vars={})
self._add_resource(
mapper, tenants_controller,
- path=self.PATH_PREFIX+'/tenant/{tenant_uuid}',
+ path=self.PATH_PREFIX+'/tenants/{tenant_id}',
get_action='get_tenant',
delete_action='del_tenant',
+ post_action='set_tenant',
rel=self._get_rel('tenants'),
path_vars={
- 'tenant_uuid': self._get_path('tenants'),
+ 'tenant_id': self._get_path('tenants'),
})
# Authz route
self._add_resource(
mapper, authz_controller,
- path=self.PATH_PREFIX+'/authz/{tenant_id}/{subject_id}/{object_id}/{action_id}',
+ path=self.PATH_PREFIX+'/authz/{tenant_name}/{subject_name}/{object_name}/{action_name}',
get_action='get_authz',
rel=self._get_rel('authz'),
path_vars={
- 'tenant_id': self._get_path('tenants'),
- 'subject_id': self._get_path('subjects'),
- 'object_id': self._get_path('objects'),
- 'action_id': self._get_path('actions'),
+ 'tenant_name': self._get_path('tenants'),
+ 'subject_name': self._get_path('subjects'),
+ 'object_name': self._get_path('objects'),
+ 'action_name': self._get_path('actions'),
})
# IntraExtensions/Admin route
path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}',
get_action='get_intra_extension',
delete_action='del_intra_extension',
+ post_action='set_intra_extension',
rel=self._get_rel('intra_extensions'),
path_vars={
'intra_extension_id': self._get_path('intra_extensions'),
self.assertEquals(data["name"], new_mapping[_uuid]["name"])
self.assertEquals(data["authz"], new_mapping[_uuid]["authz"])
self.assertEquals(data["admin"], new_mapping[_uuid]["admin"])
- data = self.manager.get_tenant_dict()
+ data = self.manager.get_tenants_dict()
self.assertNotEqual(data, {})
data = self.manager.get_tenant_uuid(new_mapping[_uuid]["authz"])
self.assertEquals(_uuid, data)
self.assertEquals(data["name"], new_mapping[_uuid]["name"])
self.assertEquals(data["authz"], new_mapping[_uuid]["authz"])
self.assertEquals(data["admin"], new_mapping[_uuid]["admin"])
- data = self.manager.get_tenant_dict()
+ data = self.manager.get_tenants_dict()
self.assertNotEqual(data, {})
self.manager.delete(new_mapping[_uuid]["authz"])
- data = self.manager.get_tenant_dict()
+ data = self.manager.get_tenants_dict()
self.assertEqual(data, {})
def test_set_tenant_name(self):
Code Review / moon.git / commitdiff