import pickle
import time
from uuid import uuid4
+from python_moonutilities import exceptions
from moon_interface.authz_requests import AuthzRequest
"""
if uuid in cache.pdp:
return cache.pdp.get(uuid)
- return None
+ cache.update()
-def get_pdp_from_manager(cache, uuid):
- """Check if a PDP exist with this ID in the Manager component
+ if uuid in cache.pdp:
+ return cache.pdp.get(uuid)
- :param cache: Cache to use
- :param uuid: Keystone Project ID
- :return: True or False
- """
- cache.update()
- return get_pdp_from_cache(cache, uuid)
+ raise exceptions.PdpUnknown
def create_authz_request(cache, interface_name, manager_url, pdp_id, subject_name, object_name, action_name):
self.MANAGER_URL = kwargs.get("manager_url", "http://manager:8080")
self.TIMEOUT = 5
- def get(self, pdp_id=None, subject_name=None, object_name=None, action_name=None):
+ def get(self, pdp_id, subject_name=None, object_name=None, action_name=None):
"""Get a response on an authorization request
:param pdp_id: uuid of a tenant or an intra_extension
}
:internal_api: authz
"""
- pdp_value = get_pdp_from_cache(self.CACHE, pdp_id)
- if not pdp_id:
- pdp_value = get_pdp_from_manager(self.CACHE, pdp_id)
- if not pdp_id:
- return {
+ try:
+ get_pdp_from_cache(self.CACHE, pdp_id)
+ except exceptions.PdpUnknown:
+ return {
"result": False,
"message": "Unknown PDP ID."}, 403
+
authz_request = create_authz_request(
cache=self.CACHE,
pdp_id=pdp_id,
import itertools
import pickle
import requests
+import sys
from python_moonutilities import exceptions
from python_moonutilities.context import Context
from python_moonutilities.cache import Cache
if ctx['project_id'] not in CACHE.container_chaining:
raise exceptions.KeystoneProjectError("Unknown Project ID {}".format(ctx['project_id']))
self.container_chaining = CACHE.container_chaining[ctx['project_id']]
- if len(self.container_chaining) == 0:
+
+ if len(self.container_chaining) == 0 or not all(k in self.container_data for k in ("container_id", "hostname", "hostip", "port")):
raise exceptions.MoonError('Void container chaining')
+
self.pdp_container = self.container_chaining[0]["container_id"]
self.run()
def run(self):
self.context.delete_cache()
req = None
- try:
- req = requests.post("http://{}:{}/authz".format(
- self.container_chaining[0]["hostip"],
- self.container_chaining[0]["port"],
- ), data=pickle.dumps(self.context))
- if req.status_code != 200:
- raise exceptions.AuthzException(
- "Receive bad response from Authz function "
- "(with IP address - {})".format(
- req.status_code
- ))
- except requests.exceptions.ConnectionError:
- logger.error("Cannot connect to {}".format(
- "http://{}:{}/authz".format(
- self.container_chaining[0]["hostip"],
- self.container_chaining[0]["port"]
- )))
- except ValueError:
+ tries = 0
+ success = False
+
+ if "hostip" in self.container_chaining[0]:
+ hostname = self.container_chaining[0]["hostip"]
+ elif "hostname" in self.container_chaining[0]:
+ hostname = self.container_chaining[0]["hostname"]
+ else:
+ raise exceptions.AuthzException(
+ "error in address no hostname or hostip"
+ )
+ while tries < 2:
try:
req = requests.post("http://{}:{}/authz".format(
- self.container_chaining[0]["hostname"],
+ hostname,
self.container_chaining[0]["port"],
), data=pickle.dumps(self.context))
if req.status_code != 200:
raise exceptions.AuthzException(
"Receive bad response from Authz function "
- "(with hostname - {})".format(
- req.status_code
- ))
+ "(with address - {})".format(req.status_code)
+ )
+ success = True
except requests.exceptions.ConnectionError:
logger.error("Cannot connect to {}".format(
"http://{}:{}/authz".format(
- self.container_chaining[0]["hostname"],
+ hostname,
self.container_chaining[0]["port"]
)))
- raise exceptions.AuthzException(
- "Cannot connect to Authz function")
+ except:
+ logger.error("Unexpected error:", sys.exc_info()[0])
+ hostname = self.container_chaining[0]["hostname"],
+ tries += 1
+
+ if not success:
+ raise exceptions.AuthzException("Cannot connect to Authz function")
+
self.context.set_cache(CACHE)
if req and len(self.container_chaining) == 1:
self.result = pickle.loads(req.content)
authz_results = []
for key in self.result.pdp_set:
if "effect" in self.result.pdp_set[key]:
+
if self.result.pdp_set[key]["effect"] == "grant":
# the pdp is a authorization PDP and grant the request
authz_results.append(True)
def get_400_json(e):
return jsonify({"result": False, "code": 400, "description": str(e)}), 400
+
+ '''
+ [Note] i have tried to simulate authz post request (authz_Requests/run) to return 500 response code
+ and an AuthzException thrown from their [Line 63] and catched here , then the server here return response
+ with 403 code [Forbidden] , is it correct if so why sometime at authz [from Line 137] return a response
+ with error code , i think we can do it in the same way as the one mentioned?
+ '''
self.app.register_error_handler(400, lambda e: get_400_json)
self.app.register_error_handler(403, exceptions.AuthException)
def create_server():
configuration.init_logging()
try:
+
conf = configuration.get_configuration("components/pipeline").get(
"components/pipeline", {}).get("interface", {})
+ '''
+ [Note] i think pipeline should be changed to interface
+ '''
hostname = conf.get("hostname", "pipeline")
port = conf.get("port", 80)
bind = conf.get("bind", "127.0.0.1")
hostname = "interface"
bind = "127.0.0.1"
port = 80
+ '''
+ [Note] i think pipeline should be changed to interface
+ '''
configuration.add_component(uuid="pipeline",
name=hostname,
port=port,
import json
+import conftest
def get_json(data):
def test_authz_true(context):
+
import moon_interface.server
server = moon_interface.server.create_server()
client = server.app.test_client()
data = get_json(req.data)
assert data
assert "result" in data
- assert data['result'] == True
+ assert data['result'] is True
+
+def test_authz_False(context):
+ import moon_interface.server
+ server = moon_interface.server.create_server()
+ client = server.app.test_client()
+ req = client.get("/authz/{p_id}/{s_id}/{o_id}/{a_id}".format(
+ p_id=None,
+ s_id=context["subject_name"],
+ o_id=context["object_name"],
+ a_id=context["action_name"],
+ ))
+ assert req.status_code == 403
+ data = get_json(req.data)
+ assert data
+ assert "result" in data
+ assert data['result'] is False
+
+
+def test_authz_effect_unset(context, set_consul_and_db):
+ import moon_interface.server
+ server = moon_interface.server.create_server()
+ client = server.app.test_client()
+
+ set_consul_and_db.register_uri(
+ 'POST', 'http://127.0.0.1:8081/authz',
+ content = conftest.get_pickled_context_invalid()
+ )
+
+ req = client.get("/authz/{p_id}/{s_id}/{o_id}/{a_id}".format(
+ p_id=context["pdp_id"],
+ s_id=context["subject_name"],
+ o_id=context["object_name"],
+ a_id=context["action_name"],
+ ))
+ assert req.status_code == 401
+ data = get_json(req.data)
+ assert data
+ assert "result" in data
+ assert data['result'] is False
+
+def test_authz_invalid_ip(context, set_consul_and_db):
+ import moon_interface.server
+ server = moon_interface.server.create_server()
+ client = server.app.test_client()
+
+ set_consul_and_db.register_uri(
+ 'POST', 'http://127.0.0.1:8081/authz', status_code=500
+ )
+
+ req = client.get("/authz/{p_id}/{s_id}/{o_id}/{a_id}".format(
+ p_id=context["pdp_id"],
+ s_id=context["subject_name"],
+ o_id=context["object_name"],
+ a_id=context["action_name"],
+ ))
+ assert req.status_code == 403
print(_context.pdp_set)
return pickle.dumps(_context)
+def get_pickled_context_invalid():
+ from python_moonutilities.context import Context
+ from python_moonutilities.cache import Cache
+ CACHE = Cache()
+ CACHE.update()
+ _context = Context(context(), CACHE)
+ _context.increment_index()
+ _context.pdp_set['effect'] = 'invalid'
+ _context.pdp_set[os.environ['META_RULE_ID']]['effect'] = 'invalid'
+ print(_context.pdp_set)
+ return pickle.dumps(_context)
+
+
@pytest.fixture(autouse=True)
def set_consul_and_db(monkeypatch):
Code Review / moon.git / commitdiff