From d952bb14e7eae2fdae1c4dda23761391a64a23e7 Mon Sep 17 00:00:00 2001 From: WuKong Date: Mon, 20 Jul 2015 19:44:01 +0200 Subject: [PATCH] review code Change-Id: I51abe36356ff91f1142d0307a69c48dff1a08a46 Signed-off-by: WuKong --- .../extensions/moon/ExceptionHierarchy-v0.2.pptx | Bin 35111 -> 34849 bytes .../moon/policies/policy_admin/perimeter.json | 8 +- .../keystone/contrib/moon/backends/__init__.py | 9 +- .../keystone/contrib/moon/backends/memory.py | 6 +- .../keystone/contrib/moon/backends/sql.py | 456 ++++------- keystone-moon/keystone/contrib/moon/controllers.py | 249 +++--- keystone-moon/keystone/contrib/moon/core.py | 876 ++++++--------------- keystone-moon/keystone/contrib/moon/exception.py | 15 +- keystone-moon/keystone/contrib/moon/routers.py | 17 +- .../unit/test_unit_core_intra_extension_admin.py | 102 +-- .../unit/test_unit_core_intra_extension_authz.py | 36 +- 11 files changed, 610 insertions(+), 1164 deletions(-) diff --git a/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptx b/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptx index f6541354975bae4070b8726525cd1d6d9ca98392..96f9a04149571ad5d4d28d2f088e20eae93e8afe 100644 GIT binary patch delta 6689 zcmY*;WmMGBw>Aujh@`~O-3`)`(miyylpx*pqq_%0nwg;yq*D;38>Aa)lm_Xz{(0Yf z*S+Vbt2DSAt71zK<_arfJL`OxmSU!<@e8t z@}cOjn=5Eb2pH6gQs+2_<^v-Y_18IHxJg}oth~Pz6GJgaTSF>D4SvONCG}Au8dU6D zqJDWE@Yt0x?RLtd))eRI#$&x|FsYa`JaZ=N=FW3}wmjqFFm388u$dq}P%x5Y`av0#>Hs=_pzDRy*pUtV3euWfUZYj4}{jFHg!+s!#+F2KI6|7DLpMpysip234$ zQ05iSck8R|&li6LdzfT*%)|>Tz^n2*K8*tzaV$iSY=J#ovO6akj=WH=(W#2M#o0&) z+a?LJDsi?4q{D(c#JToqj2BfOcHE9{)VH8OvJdMo*r*b!^52;S8E+Jy>iuP67k6UQ zExVfBs^jUaVF#{*hc7@k9jBk-+mH#YL|{=36l2@#p{FG9Gu76SpqSZ;7lH0Psv8CZ zMG>*$_Z=g4xzh~iZnZ%z`kXzh`i$vd7n=4^os`Q~;gXUppeSx-0}$OloqgxegXNmh zj8M5-YhI7i26oyn67Q53_eE}7<9l%QcXr81!??~<0K81?oPgV*r1eHccc|ipCq58u z1Az^B;BnZiy7)Ke1#$SF^!er9A7gQ=Pc@>KPP(-flp5(mxN6dfW_q8;jpImc zyjF#OL7!oI9+9Y(65!>4vYZnxP*faA;8%{|+>W+bG+GWCQ^< zcNibSi!l40mnERp_nli2Z!83?s*kw%RF6S6a~N#T z$lIfsLt7MiIagI%VNFg`*A$*HC2Bl^*AZa9Vb-CNK7>7}MelR}`r5npVF}Y@nnKBS zNz4J6Ok>RO6K)kcWcgf4-H80~us|O;6edc|#GBTJ?0-@GC}&Q!9?o0{`=zP~LHFq* z5Y`AymOjDa+ml-I!xc&rtrzh3oK2Rl?MPKfTKuTWoD89DrY0gPyg<~^HS_b*Tvhtq_w+&{cAU-9ERhKrc=R<-l*MUECE)y-JE zU5(9x8n4QHp0;7Rd_N0igGb;y?YAW-u;7bn5C4od+kT?3JbiQ=V*Yw0eI%x47L#{A zWD(WmRfbFJp-9MebDi(Sb%;XwU_Y3(iRZe0bx+?|wMI`4R9v}_YNc8KG^_K`nWWT^ zteiDj>`(1*n$+*3pcElP7n}iaY`1g|fYJLd26A<96A!raEpsJ>L<<49Gbh}(_>Z^c zlBgw=9$&X6Nkp4e|Kxd#ErO6)@A1a!;zruP`Y7=n^BpXFTP!((5b6@@(nsG+=C<0! z0fBbey%MVJMMm=htZ_O5L z9d4q^7`cYnf)!6oX8|oAvk&Hk;5}&;FYO;uYH8@#B#6ks@iR!lc&XGEz`sGxVcs(C zV^=mQM7J`0d3pdswbnlU+yj@i738cdS!&15GSq<(;jjNnp69|}KI!}=sX#f>5b3Cr zs9^7vCfI+L|72WF|s|5)7DR|=83I3QA|`H<3=P(Uxdx@9UXa(Ur}lf7o~M><$-6EApP(OjOQaI zg*3;NkeSjfVFX9)QCzmsG#1mNskHK)v`3dO!zyP4yws}>;^GU1NV;OO6ObJYmA=v) zz)E}%D}N&m$XL&;NIK;NLzLuhA97F9$w z0Tb@1p-9psp^~DWGK{%+fjtfG>pdHo5=YXlIo@M59xSz{q3--F#PvAHI&sGbUUoSZ zp?O-a$sDWMUI!8JJ`*rdVj+lv^^da>94`2`(WnERf$76}xUn2l)eG>drjQnnkD>Z+ zs*8jKSfwi8BEvYfHlT@T3~lt*@Ms1EOelhX-|x$-jAj2nArp}1q~2dY{O4(!=d&)| zC>EL+>0)g)BF9a;eD1u~H|*)#>8#Wv}K>dVJ{^4~{vQ|qc$bkKZttxCT*j|Y(#EfY(83R zGbGZ-H2lWjD2gX9G|J+W?lF=y)$3d5>{MSA=cfF;c}`*)PN4TP?7e z=4Vu1M`9b{6!j`t48hOMd>m^=sI-*(>Lb8g_W^{7KU#hsoOc{fJ7R9&qnUb(ZT+0i zdG55rXK(u9JpE`{V2+E1r{7Iai&F(q@+llTh_F=VKRnd$-xMEOj#o(r_W3S^$|)Dj zzGPsj=hzk~xn}kVVO`^5`z@VTznNwmh5M$-cA=gWWU0Qnt=$`yy6X_fLf%FVFpNt{ z*U`p$sL*^bNGI*3JdtSlth!}9_yOgmm8Tn-)oxW`Z>TQdd2_2QL--)ZucHDG$vQ-! zbwbW2Y;VWWSqDzKqVzZ`yiG4=RN0-5^_v7@e)^oQ{z*D|j1X2>RWaRpG#j-GSbDs; zCF0@7McM5S7$LK!G;cr3@e=Dy{g!~Z7K9E7cia(hQJEK+b?nm&+}oxxwk;Rj*8j2_ zqyUHEHucSJb{WwdiALEg-!=oSpIT;K%F;zL&G2o|>w%$LUcHT@u^R4J_}ihZf;d^T z$#V7w@!eY36I;QJ5%AoJ7a!gvH5yW`UBiyYLPNYSXw#z9&5b%u726%m)lZHBgT-Pl zjE72;gkrQSH~asRMhaf6D;#!se%jOwff7#nUa68Ou2e9`InV6rO|Ag_M30fi77Me1 z4c+x`5Ov~5L(Qi0)IDLfgLF5j#uiyRRb-LnS$$!n{C27DCU~o^^|Sn%H%LAmTG{ve z`MS?8aUaP+b-rEw#I?AsvK+gTyyVjrZeL&`*!k+W8#SiJZ-bppFQmlbqK%ud3?z$ zGoo=mN+T1fMp&8oAM8!0%e#>!O|_Q~pdk>;{-Z;9=Ip&?y5yBL7v;i+Zs28wFpT)W z8u-Kb#(e8Xe5+j(hFh83o%JOL_E^(;m@qbw5s){7kfjK5`~pbMe6k_!b%~$9I&{_P zbFrHKE#UPYY-8OUXHheByRzIzC|LYU){$nRrX9od-FN$)jk(;8Ng3KP!(CYWH1_6z zx%OId&Cnau`1!A&ohANKzS6Am(^%Mz+7)dc;3%e++uQfziTem`n;KAQh_vZ_!(M@D z*ioQ_wG1b2#E1jFV*I@1-plQXqG0=xZ9yb@BWe8-uTO2gHg$E}!RKZ#v^0&psqNS0 z6Iqc%PC6b!rzY`&Ow9dEgCqlv=-h!vEa~XZBE6Gl$DP^3flX=`L9!n1`bH<#s zuFuG+{i^#Pcc-*h$ftO;dd>G@#rAFXYDWx0g_8uLX7EF5&Wf~l;)LVE%ZWw1`|ZTg z5fR!=+}sm@`8rGSoQnO6xc!tYy_}CxP&04#V?|fPVb*JD4tWiFOF`#i6kXxBrD_iG zQlAN{HF0126rRON_BD*m=L&_IDD%T>JwL5<-gR~xC4 zcbDtpd-s{%1nZ##<9QGp=e(?Nv!bta9U+Q|fFTcGQ8uBV3itT-GhxcUm}wn9va_KO zucB8sOLc)K4>cF0h#a>at)sq^_MT7v8M9D^ zsrqZ&-IoY%5CQ4T1S+JzAMIEhyU#^{9*;m5&@fre6$`t-tl#(ra?>F;``TpEv^u(z zhle4DLOGxlfoy|4^Yvl3Tuv_{EQ4`=R`(F$qH{Z{pmA8=pz;l@Uc-7YH=s-?Gti#B zA8(&_SmanA7vU+YbE4U?b=C1Tr1!NKRZ|8p1lo?w+CCnNuli&8CM(GFM9aC^;SIVE zuv5^{R!85q9H5Q{p#UrBTrXfViSVFpkb)HUcxEE5&p%V<8QW|`RYGM3jVD!jB{X>yT+`=i}d z7C+|}z+|Y*7mIowoFhp&T;@3RA`~|rNLkWo;fyTNTJS3m8thcW*(f0=y4m&a)hufu zzn|JI!TzfyuY6g4?#l$`#|$)e)o|+9ps&c%>5-*b#$P#;p&-|wEN+Wd1~BEJrWz>~LjX95{p>2DHMW%HQBQVV41rk-IMfQNmU zPFNDo)Ne{lvh?GL9?)e<6&ZG64mo%YA9la%PT7eulF+$)XFg1m1y7u)QN_l(=ey24 z6_wP8bT=nY$Yi9fMc2}j|~I2I!+Thv3oR--}L*~Vi>%hkyfii z*r$i4oe;mY9@y6Y(C}^`GWgXJ@K%E2RL7!XY4z8dJTuR`Dl7K)W-CjDCs?2>krrc1 z!%f;Y6N~e=W<0G$(=QFWf=hMu_#K~pSD1gVPposGQMypWtD7@hA`f;74;Ar@ypc=_ z#-UJ%rzH{=pY;sHgp?N~01Cci@mluK>e5@0=Bhg&ZGa*^VnifyUwP3hw&? zl+OABtgxLPn(V|rmu(X)!i8OZm@w{j=puQbKvF=DkugioqDvJ)mP1USY~fd$(OwT( ztGr%FBC2E-oLZ2gaKRydL8uHdx8fGAfWL(m39_rUJEH$mBzg}v3CYxoUx`s%k zEaU$x@_z5-^JcGT5(r5pa3L#RquyIAmM0``iK#S9n`i#&^VwBhXFDGG4&NnH0$hou zYrk`X!v9V6oEc?X+2z3Fu0#)M|4OC)ShV z*j_6gp=Bdg_H|9eeSm+hP3lmkOD&=J9Vm6xj<;OaKvYJdE0;)NbwT>lQV64-?kjJT zJ)LVwl^hJtys)$5%0}1_s5U8H)S^Xk(7ZT%)RBoA#@m$bZBHIH7J_BQwX;4RYJDSL z?|ZK}tY{#+$gcLK8&8=m2O%$m%BhnvZo78*z=Z@2Q6a3OqKVK(9m;35hL(D=12b~} zbair8DgP#NCVe-@Apx4>zZ89vKR=={jooawpL`bhzyaxs-%{EZBIzUMQPlZvoxbtq zzRxZu#Z!hzhIzm(z=p_q<_i~FE`Lt0I2H)W{&ng`n7c?EtuoGMMz7C&&}6psvKW+E zZ4Hb57r_pAMXsVr?|(3KTx8qc06GS4gDZq$Gb*h}mY=Ax`xjAWFCvTcr6wZ{g7;bh z4Z|>@J^Q#LHTWfLhNUZ(gN>pVtUv9T*DFN2eWB!C*0dL}QUre#(mf9STkXLV8v<6D z!mUHdbhhH}Ki5C{tVdtRar!Myg`0IPp^XJsTmrr8*dc#3?H6H2>BtE)pg74QXIo8F zR)S+)ZwsLaS(y=$XsE-h|B-5*KWNPTb8uTImmOLln&$CcvG$Y6i61VGIAoXQeugXE z%4^JUR*Sg$y5ddgh1Ox#ZSr#*f70I({%Dm=tIbx@Ct(xmzk1a0F$80o*&UE=F)r1S zX+Bw)sW!(_At50>KB6E&pfM^~sN;OFwmM61W@JF^2RA|Qk!nCx(WOyS$lI(B^ba&y zlE&}kHcTcd3tSyC8o7Pw^Si)xWI{B4^EpR%H-W2)jBVxTjRgr1URe!XS{!;U<9?l3 z)7UZzxx5-}H$&DJEDK>$(EU?d3w{eF=_(zp1q|*yIz?&yTzEqR|M$6Se(fn#HJW9Y zG7mtu(*HMM70Yb_Tc<0r=>`V-)|BQF=)RQ+PM2CoY2fTJk1W&$dHd`qDfu(JhiSv{ z^lNWeb`CR}#bv{gN4@{x_CELi^cy-qi%CAI*Sn5Fk9a}ZV?-v}X8nz9Xw1q&bh>k| zYK?(F(jBOwUQI>?nnzW5{fk3}519=7UWZzKW*BRNxBI_V{8u1*Vxuqb_=dnQ9xCi- z`5a~a+t?|+QXdX5J$w~C!~Hlx!l(}7m>#lrhkbx1WNlDxex)bb=M+v#9pjZJTn6?gfxM8f( zXq-3s7yTo{H(~a^v^V6wJiT5yRHZ_}>St%ZcO!zYiDr`;5)9Gpz8ZB;Dw4{tVSGtg zE!w{Ris;i903Tu43aoZ4XO4d=Mn_2h*m_j0;KcAG5UG`9Merbxj z#9oAOU;>;UIL^Fk67#OQJF2**7}6cv-@pH%n>z>5>Nbz<%fi5KnWPl^-R1O?8 z9vRrMS9q%#gtghGd=19U#CT7p4QRo>`gJ8E*aT+mBnRGIe!SX@K`B!}ll~k(vvy&C zoquiFZfZDrelJBKALbkF>BlnYY)kEv=CX75Ems|LgV<1iHOtBQvaSLR6ET<*qte}R{EnS0 zl@Ua#awsT5m2ew-se0&4@Lg!`tYA)?HF$f7?5ra zB4?D5MdF?$zQ$>wZ#DGpSshW}2ju_#S&$H<1;V6;p0LnE(EvUW0S#0X&9e*G2vqVo9+L<3K^foJ*JmXt`JsG zKhu*7gz$mJng2n~e<`e>IhH4uf(-*I7Rm}*V}&BK|377y?MdO_z<8>S97YN{W{2W& z(nEEkaiJRj+?U+{Tq>w@@H1#*5H57<_5a@eC+|Oz61o`11=8k!f~?_OpdrDh6u)pz zkcKd{JX{sDD*hybBe+1pQc&1iI;cYgD`-&qiEa4DQpr7~n8`nbVnninx)h!i?MN89p~Ca6!~Pf6>$h$I delta 6977 zcmY+JbyO5U+xB7UlCGs2mJTH(q#Kr!mM-aT77$oTm8GSnLAtwPLAtv;1p(>L$M1bT z&pUtpuIs*M&YU^tzUR!DoX>#5ctGVPHYO=&59ci*0z&FI>=By^V(7lqPaJfn@{9x> zQ;jiReyPD1MPS3H>Y#pHJH~^d?4bA=#jH=Q@VRYm0j08$13?Labux_F;U_)8y!*mg zz+UxQz>Qr^rdZg|pt{)dy<>X|ajb8BUQJP_<$E0+{I>pb^qk80(!UkesP>$Mq$b0{+IRtxE{&~K!y zX8n%!h>g~HIH}m-;rS zX&9cGJrvhAM@gLLl4%$FR^+b(+nQhBai}#)gH$BVm$f{>Nwu%<^t^xC335QIQSlO~uPI zyov&1Dl)67i&+~;`8DBNo&A1NK(LEP;|6X7U!zjwX1)X z(t_^ZO+Uvlgl8LvZ|dj%&7>orlRr4-HpXeTmJ${%xP60Xbg~(Eq1CwZV?X)Gmy#=9 zm{a@wd{{ik^R07E;kT3F89&Z;3#!D-PKpEavZ&VC72=hd3;wnPv8MsYa!B0uoI8zf zB)d{C(l80`<|g|YR>h$6B8xL@>6UEHiR9YCvb&xOn;JA$)2er7Jl7i*ol<#i3q~s0bk;(7dV~1>j<}0_F~IAIlu|I z;t-hshMK0K(X;OYO^YMh;!^R3ZK)PQRYe;fIAj@9tGb@1SoK1igHS?@_~>STZQ}aV zZc0&yLC9`NM30Js32j!;i&8RN!{zdD`Q<8XzIF^Q(v6ET4Fa_6y6%sS@G4jL(EyC) zA4Erq-{I4=*n%qT<|ykTO+Qn$La{MJ4p;thwMrD&M6U zl6HYDET;+a629Nu?9Z7tU?s;ku1DH-&VDv)`F5yMP~@-SL7y+fAzzJy?B1X>$4Y-eq-5$d z-!n>&3Q0BJzB5yT`IDG_`>3Nb3gL`0R2u5RR>yNBMFd&laRj(hBg24HL@n(YTQkfm z-Mf@uFMQNj3f+_{voWK{D8a-Wr#|tgtYP1ii!ssIJC{&~h*6=;!if5KO}TVvM8b`i z%~$-^yDELjnX0<8kjg>l>-!mFnQ+Dr!^S-U)j37#18y?)v3zWlwV^v0kXTSkvwW2b zrXsiWso$YHE1ql1BUwea&o$_QVW;w9F(wPOj`!Wt|xLgi-vmUQ`zqUWmQ()=R1pwJL!At zHJSsvkCqrCXteRl%x1npkP*hl6Zg3;Ca@K8mda-3kGUMg9k$fooVl_UvINDL4%zMA z=Fl#qs-vDR(`aAx$Wlojej~!A?mpD6mxBIanTMqTPj}JjCE0k<5=#l1m}Bl-R8l1k zEeukTFLc|=USEvIYjnjB?8c8eIu>&?J?rE%E{#!GOYe4`4)frMkn=7#1X<4u#}L6` z0g5jUzNh=4-pgE`hjnIOL>?cn@I4fJZZ5liKZSD9dGH>UN8U4oe7SJiV#|e%X$upl zPfD&m+>%VRU%1Gg+q0vwve6D9g+T$Xgq%OcMLoqDx+t$oDN_RVD!iVvhqw)h!BI*?*b)$y8Y2%PvGXh7$*N)@0${2-5?Wbno;+JbrIn;uJGI< zuQu@cHFHkzCYd4Yeri!-n(J;Vr~x~dfqV3|NzQgmBT*E6&y`fy($}!bmi~e+%>eb^ zCe=g(Va3|r7^4na+VNl?N8fIJ}X;X>@2Z|>tInKVX zS{o)(s|od%e%wBzkax~@YY9I(oUy8Nh z9A~FJ#XK^5#hk6p5VJYloUg)|m3G?7HYRQO^6H&%3!_!;N2c#NdZ{m`+jQfGGndcu z5;440t30vJAy#+m*6fB+jv6&(VGnVV_)`8awtk)T_N^%R$q&i!zW$V?h&n8nfZ@ra zY?~inB%7*-x_N(@tT_5bA(ho{dx8%RUVvF?qN_&DB32siIY-Bv#$1HhI8zDt&@$x= zhRZ9{FPX-1VGw@jH3`lFp`BXGud7AwM!56>SzPw0Apq$+17wOH9)S&qg=EcgtaA7Z zIAiCW$a1QZN^~)j=bAN<}I{nSQd6i>Xn*RS-vuqH(h+G2c4;(RsJq+! zAV}%H$XL%ugD$1KTSKo+W47(bThoGxK}?f*kn;OcvDciSx4+vP7x!EC9h#_> zNwV0Eci5QD8o#%QsfvlTm6P0CgF)y^v{$2DwMxr=6@~p&M!K=(%KH(L=xVT{@LDP) zDz&~BVH5Dl)2@d0h0Sx|{m;h^p7e9)nz@5#L9DccyN)5*QqcTz!$*zw6ij6&1I#3Cr}rbYoi?Ut9COP z798Oo}g3~D%{X@X3F^2Z-jQGH@@p!y9Ecl zkNz4IVE+gv&1dp;{=nF})Sm_MZ0q5CI#Gzevh{ei?P)i6gr3)!Y~w3Kg@cM-?{A1b zw142J*i)Sp75b^pGl7HsPEX`Eto&5P*da3z%tc~xQ$0gH-j{}6%tFe}I-1kEaN9KB zGqLsgU71w|*JR7x8?o>or2Vwk*YAonIZXAP2MuJR4+}MuM(SJdS}k`W^J=R_b7n6+UeXJ3@UYFtBgH$U23>vI%}v7OoCZ{$@ljnzG<1s zXxrlAvVGS?e9OK(Fu}AeI^7hwo~w~Rn+}k--$tuLoXTt{oUt@H$*Hd3<7G^q%#qCq zKF)sgmcsgd|Fp`4&m%SjZqZof=0yR+Ui_Jxr7G#;26u(W5}(r>9KWyE?T-HO`pjo} zZo7dO%4>KQ6g=^3+chI$ym@9GK*?J>VR8_Wa_%x!Qp>`icT;$|ZB}n?^>@5_F zUdwIyFv6t!HEnyTK1$A3Q;_`AU796E^EBE8r4T2UlO9RGe{TpFDH znc{HFKvZrtf&CL5j(>0vdJV0Y1KHHEulAcS!$Ll1)Qk8+qy2oY`%G_1@LK)R0=qko>X*IpL+&NR#`gtHAE-$aa zShuZNjI_0BZfCECN|iVYh{Ns8`**GeFXAjJ^w&xI?06X>M&0gee zH4vU!f|@(YZ`I)beKt+LNrW;nAjbu_cDmx_tZHwsY25N zvoi9Os$|?Dm)crb$l6>IiHF8yC>o*SDK595`7r4bm9zTIbmN2%BMCRNhP6ZndHVX0>s)T*f^6DB`Tf2Mgx~0o_{^SW3b2u?*OY z^vF18f+>yQ%W;Db2!cD*DxHlxh<)BU_|DY*}kZ8j~gi5ectH>THEUeJ?O z3bI@toJirg(hJ1hvXZ4NBOS`A-Uy8!Ptoo=#)ar?-ix^4D!!ld!^&3LaM(S6iJ0;VEWNF-mPw#nq>E9VW?-WcaUU844RR!Wy@!;u>jGGKN%PH&T@VcRTj`#4GNkNvyM>haLo1c=t=c z_E0lLe?V%nur6y(PBiob0p$nQ$P+rlm%P=|aYbWJGfl(r_!%9(_bz7y5>~xK;YAY$7vDR)9r0<8ic*h_w;_4|Q+(GP! zRG=5wX)Ezujc^Te?@jhqKv<(UX?Z2N_LiW}@A6*DB3ETLsor@NE;$Q|=f zk~$yf)p^<$L;?YY?r4yKkV9EMoFeV@(Y{hN&eXRHUF?&Cm{{Ad*oBrJw9vb}%ohfZ zPm}B|!18ITZf{88KUWH43JtuxyAQuLn^10mauF#C^Zc)pI@zu%E98tQ{7JlSEW*>L z(>OfKI`)_X#R~Rh(a_`42r}m`h55{EVzymD?^kA_X;xvQ)fP6Rj1nQRZLYIG0K>6q6Ut`Kk{#Bg4~@oJ_J_KAKxHKvRRO)+dW=9Ufh zqk0A&zmq^WCvze^hVjUa@nsLkLwGU*#OYNTOV-R@G~7-y&166?VBOb6%wwGxu~rexF)p z1P8EekufkAgPO{)9@-u$M|i8_2IJA0^h4BtY|dO;?N)$}AwBG5XjVYa%f?P*vZ z#J%i|OSC3%OXS0GT~8AM;RqwRFysov)fCYgZ7O&87C=mNhzpOUCjxu&uxKMNHiKJN zTpcTH@5lulQ&3XM@8c#3dKJ|TA3O-!aO>2_-_sR zpIyt=nU2g3|yoSM|9RoIVXcYw~p!g$bS(y!ri$7Q2T#P((Lk z&M4O+L>{6Dv?0srOv}#{PngJ*Y(w+2KYExRl^e%Y4h;mk_bad)u6yvQhhBguQCQ#( zeqBeBqQBqd6na#cfCi3}sEpOkI(I8hvlrEy>`tYrMUU-@NKeUY-$Aw_aQblN<|2|Q zR9Tl?yV@FKFIGf|QV$PN{~5|! z&UU-%R23-aq*FrLtY;Gx5U;qzdNH9tFvZp zeSHoYMSDb4YA0I)1(!XWqB)tTvHRLY=-AOF5t5m$}q;Ns zY-g_T)(iF970yjm8w$+WTb8UCPnmj_$oDTN57DoTkp0jf`2DC>R*AI|Wa-H7Hxku1 zLt_qv3N(JLF1$vwd_>!mA8UtAun}VfKDJ4s01yxiYc7505FyG=OFVchr2ACJCl-sv zumaSPY!^Hq4M9Lzp8Z=&eHpg+^~(2?gfIUbG+#UiWHCGXZRxFO>}qQ&en(K5>g1a@ zC&!{0G5vOcdKaao5z)3W=dtohnGEP0ra;aBA54}b|$W~y%5e4qlt?i z=mVV4tjnD=AMS~>xdO!+eZlp-87lSjDXM05lcr6u`STZKe0F1GXn73WSY8aijEkN+ z^~%i)n^72{xbU=Ysod(zmy%HfI{~LGVSkh^e)4T*1&B#bVLbZ| z&`CbR`o&dY6$Ckn?wPOnZ0#7}i`{;OHL(L^GVdHAGur9#f!X|@TnFki>%|C?Vmbic zeV&Z@gphb<4Ff-@$RXmc*8=l@pCYmSA%^KVQC&d5$J%I*l0r2TyU&07s<01I* zK>`4BdKeEK7wjkm57rq71V9=7Hwdf!6aB>aPriT%0Fs&hM-ss7{>W_RfATpD1qO$3 z1BzMxSv0`{fDzVz^L_uw8Mc2Cj|~&H5)1;Yfc{yWAp(FM_J5L=9TSEb^#8YY!tp=0 zEZ~as4^qRZgHd6xLqPyM-oG+Dlm{@!{}*RMxdHmG{vzWCZos(EUv&S2Z$)5^!VIv1 z4~+j!oMm diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json index b5edec1c..7716986d 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json +++ b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json @@ -19,12 +19,12 @@ "subject_category_scope", "object_category_scope", "action_category_scope", - "sub_rules", + "rules", "subject_assignments", "object_assignments", "action_assignments", - "sub_meta_rule_relations", - "aggregation_algorithms", - "sub_meta_rule" + "sub_meta_rule_algorithm", + "aggregation_algorithm", + "sub_meta_rules" ] } diff --git a/keystone-moon/keystone/contrib/moon/backends/__init__.py b/keystone-moon/keystone/contrib/moon/backends/__init__.py index f880dbb6..28b42dd4 100644 --- a/keystone-moon/keystone/contrib/moon/backends/__init__.py +++ b/keystone-moon/keystone/contrib/moon/backends/__init__.py @@ -48,6 +48,8 @@ subject_scopes = { name: yyy, description: bbb}, ...}, + subject_scope_id3: { + ...} subject_category_id2: {...}, ... } @@ -66,7 +68,12 @@ subject_assignments = { ... } -aggregation_algorithm = aggregation_algorithm_id +aggregation_algorithm = { + aggregation_algorithm_id: { + name: xxx, + description: yyy + } + } sub_meta_rules = { sub_meta_rule_id_1: { diff --git a/keystone-moon/keystone/contrib/moon/backends/memory.py b/keystone-moon/keystone/contrib/moon/backends/memory.py index 95152386..69ad5360 100644 --- a/keystone-moon/keystone/contrib/moon/backends/memory.py +++ b/keystone-moon/keystone/contrib/moon/backends/memory.py @@ -21,10 +21,10 @@ class ConfigurationConnector(ConfigurationDriver): def __init__(self): super(ConfigurationConnector, self).__init__() self.aggregation_algorithm_dict = dict() - self.aggregation_algorithm_dict[uuid4().hex] = "all_true" + self.aggregation_algorithm_dict[uuid4().hex] = {'name': 'all_true', 'description': 'all_true'} self.sub_meta_rule_algorithm_dict = dict() - self.sub_meta_rule_algorithm_dict[uuid4().hex] = "inclusion" - self.sub_meta_rule_algorithm_dict[uuid4().hex] = "comparison" + self.sub_meta_rule_algorithm_dict[uuid4().hex] = {'name': 'inclusion', 'description': 'inclusion'} + self.sub_meta_rule_algorithm_dict[uuid4().hex] = {'name': 'comparison', 'description': 'comparison'} def get_policy_template_dict(self): nodes = glob(os.path.join(CONF.moon.policy_directory, "*")) diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py index d62cf162..272dc4ac 100644 --- a/keystone-moon/keystone/contrib/moon/backends/sql.py +++ b/keystone-moon/keystone/contrib/moon/backends/sql.py @@ -208,11 +208,12 @@ class ActionScope(sql.ModelBase, sql.DictBase): class SubjectAssignment(sql.ModelBase, sql.DictBase): __tablename__ = 'subject_assignments' - attributes = ['id', 'subject_assignment', 'intra_extension_id', 'subject_id'] + attributes = ['id', 'subject_assignment', 'intra_extension_id', 'subject_id', 'subject_category_id'] id = sql.Column(sql.String(64), primary_key=True) subject_assignment = sql.Column(sql.JsonBlob(), nullable=True) intra_extension_id = sql.Column(sql.ForeignKey("intra_extensions.id"), nullable=False) subject_id = sql.Column(sql.ForeignKey("subjects.id"), nullable=False) + subject_category_id = sql.Column(sql.ForeignKey("subject_categories.id"), nullable=False) @classmethod def from_dict(cls, d): @@ -259,9 +260,9 @@ class ActionAssignment(sql.ModelBase, sql.DictBase): class AggregationAlgorithm(sql.ModelBase, sql.DictBase): __tablename__ = 'aggregation_algorithm' - attributes = ['id', 'aggregation_algorithm_id', 'intra_extension_id'] + attributes = ['id', 'aggregation_algorithm', 'intra_extension_id'] id = sql.Column(sql.String(64), primary_key=True) - aggregation_algorithm_id = sql.Column(sql.Text(), nullable=True) + aggregation_algorithm = sql.Column(sql.JsonBlob(), nullable=True) intra_extension_id = sql.Column(sql.ForeignKey("intra_extensions.id"), nullable=False) @classmethod @@ -373,28 +374,13 @@ class IntraExtensionConnector(IntraExtensionDriver): # Tenant functions - def get_intra_extension_dict(self): + def get_intra_extensions_dict(self): with sql.transaction() as session: query = session.query(IntraExtension.id) intraextensions = query.all() - return [intraextension[0] for intraextension in intraextensions] + return {intraextension.id: IntraExtension.to_dict(intraextension) for intraextension in intraextensions} - def set_intra_extension(self, intra_id, intra_extension): - with sql.transaction() as session: - # intra_extension["admin"] = jsonutils.dumps(intra_extension["admin"]) - # intra_extension["authz"] = jsonutils.dumps(intra_extension["authz"]) - ie_ref = IntraExtension.from_dict(intra_extension) - session.add(ie_ref) - return IntraExtension.to_dict(ie_ref) - - def get_intra_extension(self, intra_extension_id): - with sql.transaction() as session: - query = session.query(IntraExtension) - query = query.filter_by(id=intra_extension_id) - ref = query.first() - if not ref: - raise exception.NotFound - return ref.to_dict() + # TODO (dthom): load_intra_extension(self): def del_intra_extension(self, intra_extension_id): with sql.transaction() as session: @@ -409,69 +395,36 @@ class IntraExtensionConnector(IntraExtensionDriver): session.flush() session.delete(ref) - def get_intra_extension_name(self, intra_extension_id): - intra_extension = self.get_intra_extension(intra_extension_id) - return intra_extension["name"] - - def set_intra_extension_name(self, intra_extension_id, intra_extension_name): - raise exception.NotImplemented() # pragma: no cover - - def get_intra_extension_model(self, intra_extension_id): - intra_extension = self.get_intra_extension(intra_extension_id) - return intra_extension["model"] - - def set_intra_extension_model(self, intra_extension_id, intra_extension_model): - raise exception.NotImplemented() # pragma: no cover - - def get_intra_extension_description(self, intra_extension_id): - intra_extension = self.get_intra_extension(intra_extension_id) - return intra_extension["description"] - - def set_intra_extension_description(self, intra_extension_id, intra_extension_description): - raise exception.NotImplemented() # pragma: no cover + def set_intra_extension_dict(self, intra_extension_id, intra_extension_dict): + with sql.transaction() as session: + query = session.query(IntraExtension) + query = query.filter_by(id=intra_extension_id) + ref = query.first() + intra_extension_ref = ref.to_dict() + intra_extension_ref.update(intra_extension_dict) + new_intra_extension = IntraExtension( + id=intra_extension_id, + intra_extension=intra_extension_ref + ) + for attr in Tenant.attributes: + if attr != 'id': + setattr(ref, attr, getattr(new_intra_extension, attr)) + return IntraExtension.to_dict(ref) # Getter and Setter for subject_category - def get_subject_category_dict(self, intra_extension_id): + def get_subject_categories_dict(self, intra_extension_id): with sql.transaction() as session: query = session.query(SubjectCategory) query = query.filter_by(intra_extension_id=intra_extension_id) - ref = query.first() - if not ref: - raise IntraExtensionUnknown() - return ref.to_dict() + ref_list = query.all() + return {_ref.id: _ref.to_dict()['subject_category'] for _ref in ref_list} - # TODO: review the code def set_subject_category_dict(self, intra_extension_id, subject_category_id, subject_category_dict): with sql.transaction() as session: query = session.query(SubjectCategory) query = query.filter_by(intra_extension_id=intra_extension_id) ref = query.first() - if not ref: - raise IntraExtensionUnknown() - old_ref = ref.to_dict() - new_ref = SubjectCategory.from_dict( - { - "id": subject_category_id, - 'subject_category': subject_category_dict, - 'intra_extension_id': intra_extension_id - } - ) - for attr in SubjectCategory.attributes: - if attr != 'id': - setattr(ref, attr, getattr(new_ref, attr)) - return ref.to_dict() - - # TODO: review the code - def add_subject_category(self, intra_extension_id, subject_category_id, subject_category_name): - with sql.transaction() as session: - query = session.query(SubjectCategory) - query = query.filter_by(intra_extension_id=intra_extension_id) - ref = query.first() - subject_category_dict = { - 'name': subject_category_name, - 'description': None - } new_ref = SubjectCategory.from_dict( { "id": subject_category_id, @@ -486,34 +439,14 @@ class IntraExtensionConnector(IntraExtensionDriver): for attr in SubjectCategory.attributes: if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) - return ref.to_dict() + return self.get_subject_categories_dict(intra_extension_id)[subject_category_id] def del_subject_category(self, intra_extension_id, subject_category_id): with sql.transaction() as session: query = session.query(SubjectCategory) - query = query.filter_by(intra_extension_id=intra_extension_id) + query = query.filter_by(subject_category_id=subject_category_id) ref = query.first() - if not ref: - raise IntraExtensionUnknown() - else: - old_ref = ref.to_dict() - subject_category_dict = dict(old_ref["subject_category"]) - try: - subject_category_dict.pop(subject_category_id) - except KeyError: - pass - else: - new_ref = SubjectCategory.from_dict( - { - "id": old_ref["id"], - 'subject_categories': subject_category_dict, - 'intra_extension_id': old_ref["intra_extension_id"] - } - ) - for attr in SubjectCategory.attributes: - if attr != 'id': - setattr(ref, attr, getattr(new_ref, attr)) - return ref.to_dict() + session.delete(ref) # Getter and Setter for object_category @@ -683,25 +616,22 @@ class IntraExtensionConnector(IntraExtensionDriver): # Perimeter - def get_subject_dict(self, intra_extension_id): + def get_subjects_dict(self, intra_extension_id): with sql.transaction() as session: query = session.query(Subject) query = query.filter_by(intra_extension_id=intra_extension_id) - ref = query.first() - if not ref: - raise IntraExtensionUnknown() - return ref.to_dict() + ref_list = query.all() + return {_ref.id: _ref.to_dict()['subjects'] for _ref in ref_list} - # TODO: to recheck - def set_subject_dict(self, intra_extension_id, subject_id): + def set_subject_dict(self, intra_extension_id, subject_id, subject_dict): with sql.transaction() as session: query = session.query(Subject) - query = query.filter_by(intra_extension_id=intra_extension_id) + query = query.filter_by(subject_id=subject_id) ref = query.first() new_ref = Subject.from_dict( { - "id": uuid4().hex, - 'subjects': subject_id, + "id": subject_id, + 'subjects': subject_dict, 'intra_extension_id': intra_extension_id } ) @@ -712,56 +642,14 @@ class IntraExtensionConnector(IntraExtensionDriver): for attr in Subject.attributes: if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) - return ref.to_dict() - - def add_subject(self, intra_extension_id, subject_id, subject_name): - with sql.transaction() as session: - query = session.query(Subject) - query = query.filter_by(intra_extension_id=intra_extension_id) - ref = query.first() - if not ref: - raise IntraExtensionUnknown() - old_ref = ref.to_dict() - subjects = dict(old_ref["subjects"]) - # TODO: subjects[subject_id] is a dict - subjects[subject_id] = subject_name - new_ref = Subject.from_dict( - { - "id": old_ref["id"], - 'subjects': subjects, - 'intra_extension_id': old_ref["intra_extension_id"] - } - ) - for attr in Subject.attributes: - if attr != 'id': - setattr(ref, attr, getattr(new_ref, attr)) - return ref.to_dict() + return self.get_subjects_dict(intra_extension_id)[subject_id] def del_subject(self, intra_extension_id, subject_id): with sql.transaction() as session: query = session.query(Subject) - query = query.filter_by(intra_extension_id=intra_extension_id) + query = query.filter_by(subject_id=subject_id) ref = query.first() - if not ref: - raise IntraExtensionUnknown() - else: - old_ref = ref.to_dict() - subjects = dict(old_ref["subjects"]) - try: - subjects.pop(subject_id) - except KeyError: - LOG.error("KeyError in remove_subject {} | {}".format(subject_id, subjects)) - else: - new_ref = Subject.from_dict( - { - "id": old_ref["id"], - 'subjects': subjects, - 'intra_extension_id': old_ref["intra_extension_id"] - } - ) - for attr in Subject.attributes: - if attr != 'id': - setattr(ref, attr, getattr(new_ref, attr)) + session.delete(ref) def get_object_dict(self, intra_extension_id): with sql.transaction() as session: @@ -925,82 +813,43 @@ class IntraExtensionConnector(IntraExtensionDriver): # Getter and Setter for subject_scope - def get_subject_scope_dict(self, intra_extension_id, subject_category_id): + def get_subject_scopes_dict(self, intra_extension_id, subject_category_id): with sql.transaction() as session: query = session.query(SubjectScope) query = query.filter_by( intra_extension_id=intra_extension_id, subject_category_id=subject_category_id) - ref = query.first() - if not ref: - raise IntraExtensionUnknown() - result = copy.deepcopy(ref.to_dict()) - if subject_category_id not in result["subject_scopes"].keys(): - raise SubjectScopeUnknown() - return result + ref_list = query.all() + return {_ref.id: _ref.to_dict()['subject_scope'] for _ref in ref_list} - def set_subject_scope_dict(self, intra_extension_id, subject_category_id, subject_scope_id): + def set_subject_scope_dict(self, intra_extension_id, subject_category_id, subject_scope_id, subject_scope_dict): with sql.transaction() as session: query = session.query(SubjectScope) - query = query.filter_by(intra_extension_id=intra_extension_id) + query = query.filter_by(subject_scope_id=subject_scope_id) ref = query.first() + new_ref = SubjectScope.from_dict( + { + "id": subject_scope_id, + 'subject_scope': subject_scope_dict, + 'intra_extension_id': intra_extension_id, + 'subject_category_id': subject_category_id + } + ) if not ref: - new_ref = SubjectScope.from_dict( - { - "id": uuid4().hex, - 'subject_scope': {subject_category_id: subject_scope_id}, - 'intra_extension_id': intra_extension_id - } - ) session.add(new_ref) + ref = new_ref else: - tmp_ref = ref.to_dict() - tmp_ref['subject_scope'].update({subject_category_id: subject_scope_id}) - session.delete(ref) - new_ref = SubjectScope.from_dict(tmp_ref) - session.add(new_ref) - return new_ref.to_dict() - - def add_subject_scope(self, intra_extension_id, subject_category_id, subject_scope_id, subject_scope_name): - with sql.transaction() as session: - query = session.query(SubjectScope) - query = query.filter_by(intra_extension_id=intra_extension_id) - ref = query.first() - if not ref: - raise IntraExtensionUnknown() - old_ref = ref.to_dict() - scope = copy.deepcopy(old_ref["subject_scope"]) - if subject_category_id not in scope.keys(): - scope[subject_category_id] = dict() - scope[subject_category_id][subject_scope_id] = subject_scope_name - return self.set_subject_scope_dict(intra_extension_id, subject_category_id, scope[subject_category_id]) + for attr in Subject.attributes: + if attr != 'id': + setattr(ref, attr, getattr(new_ref, attr)) + return self.get_subject_scopes_dict(intra_extension_id, subject_category_id)[subject_scope_id] def del_subject_scope(self, intra_extension_id, subject_category_id, subject_scope_id): with sql.transaction() as session: query = session.query(SubjectScope) - query = query.filter_by(intra_extension_id=intra_extension_id) + query = query.filter_by(subject_scope_id=subject_scope_id) ref = query.first() - if not ref: - raise IntraExtensionUnknown() - old_ref = ref.to_dict() - scope = dict(old_ref["subject_scope"]) - if subject_category_id not in scope: - return - try: - scope[subject_category_id].pop(subject_scope_id) - except KeyError: - return - new_ref = SubjectScope.from_dict( - { - "id": old_ref["id"], - 'subject_scope': scope, - 'intra_extension_id': old_ref["intra_extension_id"] - } - ) - for attr in SubjectScope.attributes: - if attr != 'id': - setattr(ref, attr, getattr(new_ref, attr)) - return ref.to_dict() + session.delete(ref) # Getter and Setter for object_category_scope @@ -1158,104 +1007,45 @@ class IntraExtensionConnector(IntraExtensionDriver): # Getter and Setter for subject_category_assignment - def get_subject_assignment_dict(self, intra_extension_id, subject_id): - """ From a subject_uuid, return a dictionary of (category: scope for that subject) - - :param intra_extension_id: intra extension UUID - :param subject_id: subject UUID - :return: a dictionary of (keys are category nd values are scope for that subject) - """ + def get_subject_assignment_list(self, intra_extension_id, subject_id, subject_category_id): with sql.transaction() as session: query = session.query(SubjectAssignment) - query = query.filter_by(intra_extension_id=intra_extension_id) + query = query.filter_by(intra_extension_id=intra_extension_id, subject_id=subject_id, subject_category_id=subject_category_id) ref = query.first() - if not ref: - raise IntraExtensionUnknown() - _ref = ref.to_dict() - if subject_id in _ref["subject_assignment"]: - _backup_dict = _ref["subject_assignment"][subject_id] - _ref["subject_assignment"] = dict() - _ref["subject_assignment"][subject_id] = _backup_dict - else: - _ref["subject_assignment"] = dict() - _ref["subject_assignment"][subject_id] = dict() - return _ref + return ref.to_dict()['subject_assignment'] - def set_subject_assignment_dict(self, intra_extension_id, subject_id=None, subject_assignment_dict={}): + def set_subject_assignment_list(self, intra_extension_id, subject_id, subject_category_id, subject_assignment_list=[]): with sql.transaction() as session: query = session.query(SubjectAssignment) - query = query.filter_by(intra_extension_id=intra_extension_id) + query = query.filter_by(intra_extension_id=intra_extension_id, subject_id=subject_id, subject_category_id=subject_category_id) ref = query.first() - if type(subject_assignment_dict) is not dict: - raise IntraExtensionError() - for value in subject_assignment_dict.values(): - if type(value) is not list: - raise IntraExtensionError(str(value)) - if not subject_id: - subject_assignments = {} - else: - subject_assignments = {subject_id: subject_assignment_dict} new_ref = SubjectAssignment.from_dict( { "id": uuid4().hex, - 'subject_assignment': subject_assignments, - 'intra_extension_id': intra_extension_id + 'subject_assignment': subject_assignment_list, + 'intra_extension_id': intra_extension_id, + 'subject_id': subject_id, + 'subject_category_id': subject_category_id } ) if not ref: session.add(new_ref) ref = new_ref else: - new_ref.subject_assignments[subject_id] = subject_assignment_dict for attr in SubjectAssignment.attributes: if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) - return ref.to_dict() + return self.get_subject_assignment_list(intra_extension_id, subject_id, subject_category_id) - def add_subject_assignment(self, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - with sql.transaction() as session: - query = session.query(SubjectAssignment) - query = query.filter_by(intra_extension_id=intra_extension_id) - ref = query.first() - if not ref: - raise IntraExtensionUnknown() - assignment = ref.to_dict()['subject_assignment'] - if subject_id not in assignment: - assignment[subject_id] = dict() - if subject_category_id not in assignment[subject_id]: - assignment[subject_id][subject_category_id] = list() - if subject_scope_id not in assignment[subject_id][subject_category_id]: - assignment[subject_id][subject_category_id].append(subject_scope_id) - return self.set_subject_assignment_dict( - intra_extension_id, - subject_id, - assignment[subject_id]) + def add_subject_assignment_list(self, intra_extension_id, subject_id, subject_category_id, subject_scope_id): + new_subject_assignment_list = self.get_subject_assignment_list(intra_extension_id, subject_id, subject_category_id) + new_subject_assignment_list.append(subject_scope_id) + return self.set_subject_assignment_list(intra_extension_id, subject_id, subject_category_id, new_subject_assignment_list) def del_subject_assignment(self, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - with sql.transaction() as session: - query = session.query(SubjectAssignment) - query = query.filter_by(intra_extension_id=intra_extension_id) - ref = query.first() - if not ref: - raise IntraExtensionUnknown() - old_ref = ref.to_dict() - if subject_id in old_ref["subject_assignment"]: - if subject_category_id in old_ref["subject_assignment"][subject_id]: - old_ref["subject_assignment"][subject_id][subject_category_id].remove(subject_scope_id) - if not old_ref["subject_assignment"][subject_id][subject_category_id]: - old_ref["subject_assignment"][subject_id].pop(subject_category_id) - if not old_ref["subject_assignment"][subject_id]: - old_ref["subject_assignment"].pop(subject_id) - try: - self.set_subject_assignment_dict( - intra_extension_id, - subject_id, - old_ref["subject_assignment"][subject_id]) - except KeyError: - self.set_subject_assignment_dict( - intra_extension_id, - subject_id, - {}) + new_subject_assignment_list = self.get_subject_assignment_list(intra_extension_id, subject_id, subject_category_id) + new_subject_assignment_list.pop(subject_scope_id) + return self.set_subject_assignment_list(intra_extension_id, subject_id, subject_category_id, new_subject_assignment_list) # Getter and Setter for object_category_assignment @@ -1439,63 +1229,107 @@ class IntraExtensionConnector(IntraExtensionDriver): action_id, old_ref["action_assignment"][action_id]) - # Getter and Setter for meta_rule + # Getter and Setter for sub_meta_rule - def get_sub_meta_rule_dict(self, intra_extension_id): + def set_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): with sql.transaction() as session: - query = session.query(SubMetaRule) + query = session.query(AggregationAlgorithm) query = query.filter_by(intra_extension_id=intra_extension_id) ref = query.first() + new_ref = AggregationAlgorithm.from_dict( + { + "id": aggregation_algorithm_id, + 'aggregation_algorithm': aggregation_algorithm_dict, + 'intra_extension_id': intra_extension_id + } + ) if not ref: - raise IntraExtensionUnknown() - return ref.to_dict() + session.add(new_ref) + else: + for attr in AggregationAlgorithm.attributes: + if attr != 'id': + setattr(ref, attr, getattr(new_ref, attr)) + return self.get_aggregation_algorithm(intra_extension_id) + + def get_aggregation_algorithm(self, intra_extension_id): + with sql.transaction() as session: + query = session.query(AggregationAlgorithm) + query = query.filter_by(intra_extension_id=intra_extension_id) + ref = query.first() + return {ref.to_dict()['id']: ref.to_dict()['aggregation_algorithm']} + + # Getter and Setter for sub_meta_rule - def set_sub_meta_rule_dict(self, intra_extension_id, sub_meta_rule_dict): + def get_sub_meta_rules_dict(self, intra_extension_id): + with sql.transaction() as session: + query = session.query(SubMetaRule) + query = query.filter_by(intra_extension_id=intra_extension_id) + ref_list = query.all() + return {_ref.id: _ref.to_dict()['sub_meta_rule'] for _ref in ref_list} + + def set_sub_meta_rule_dict(self, intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict): with sql.transaction() as session: query = session.query(SubMetaRule) query = query.filter_by(intra_extension_id=intra_extension_id) ref = query.first() - sub_meta_rule_dict["id"] = uuid4().hex - sub_meta_rule_dict["intra_extension_id"] = intra_extension_id - new_ref = SubMetaRule.from_dict(sub_meta_rule_dict) + new_ref = SubMetaRule.from_dict( + { + "id": sub_meta_rule_id, + 'sub_meta_rule': sub_meta_rule_dict, + 'intra_extension_id': intra_extension_id + } + ) if not ref: session.add(new_ref) - ref = new_ref else: for attr in SubMetaRule.attributes: if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) - return ref.to_dict() + return self.get_sub_meta_rules_dict(intra_extension_id) + + def del_sub_meta_rule(self, intra_extension_id, sub_meta_rule_id): + with sql.transaction() as session: + query = session.query(SubMetaRule) + query = query.filter_by(sub_meta_rule_id=sub_meta_rule_id) + ref = query.first() + session.delete(ref) # Getter and Setter for rules - def get_rule_dict(self, intra_extension_id): + def get_rules_dict(self, intra_extension_id, sub_meta_rule_id): with sql.transaction() as session: query = session.query(Rule) - query = query.filter_by(intra_extension_id=intra_extension_id) - ref = query.first() - if not ref: - raise IntraExtensionUnknown() - return ref.to_dict() + query = query.filter_by(intra_extension_id=intra_extension_id, sub_meta_rule_id=sub_meta_rule_id) + ref_list = query.all() + return {_ref.id: _ref.to_dict()['rule'] for _ref in ref_list} - def set_rule_dict(self, intra_extension_id, rule_dict): + def set_rule_dict(self, intra_extension_id, sub_meta_rule_id, rule_id, rule_list): with sql.transaction() as session: query = session.query(Rule) - query = query.filter_by(intra_extension_id=intra_extension_id) + query = query.filter_by(rule_id=rule_id) ref = query.first() - rules = dict() - rules["id"] = uuid4().hex - rules["intra_extension_id"] = intra_extension_id - rules["rule"] = rule_dict - new_ref = Rule.from_dict(rules) + new_ref = Rule.from_dict( + { + "id": rule_id, + 'rule': rule_list, + 'intra_extension_id': intra_extension_id, + 'sub_meta_rule_id': sub_meta_rule_id + } + ) if not ref: session.add(new_ref) - ref = new_ref else: for attr in Rule.attributes: if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) - return ref.to_dict() + return self.get_rules_dict(intra_extension_id, sub_meta_rule_id)[rule_id] + + def del_rule_dict(self, intra_extension_id, sub_meta_rule_id, rule_id): + with sql.transaction() as session: + query = session.query(Rule) + query = query.filter_by(rule_id=rule_id) + ref = query.first() + session.delete(ref) # class InterExtension(sql.ModelBase, sql.DictBase): diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py index 817dd880..0465fbb9 100644 --- a/keystone-moon/keystone/contrib/moon/controllers.py +++ b/keystone-moon/keystone/contrib/moon/controllers.py @@ -76,32 +76,32 @@ class Tenants(controller.V3Controller): user_id = self._get_user_id_from_token(context.get("token_id")) # TODO: get tenant name from keystone tenant_dict = dict() - tenant_dict['name'] = kw.get("name") - tenant_dict['description'] = kw.get("description") - tenant_dict['intra_authz_ext_id'] = kw.get("intra_authz_ext_id") - tenant_dict['intra_admin_ext_id'] = kw.get("intra_admin_ext_id") + tenant_dict['name'] = kw.get("name", None) + tenant_dict['description'] = kw.get("description", None) + tenant_dict['intra_authz_ext_id'] = kw.get("intra_authz_ext_id", None) + tenant_dict['intra_admin_ext_id'] = kw.get("intra_admin_ext_id", None) return self.tenant_api.add_tenant_dict(user_id, tenant_dict) @controller.protected() def get_tenant(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) - tenant_id = kw.get("tenant_id") + tenant_id = kw.get("tenant_id", None) return self.tenant_api.get_tenants_dict(user_id, tenant_id) @controller.protected() def del_tenant(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) - tenant_id = kw.get("tenant_id") + tenant_id = kw.get("tenant_id", None) return self.tenant_api.del_tenant(user_id, tenant_id) def set_tenant(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) - tenant_id = kw["id"] + tenant_id = kw.get('id', None) tenant_dict = dict() - tenant_dict['name'] = kw.get("name") - tenant_dict['description'] = kw.get("description") - tenant_dict['intra_authz_ext_id'] = kw.get("intra_authz_ext_id") - tenant_dict['intra_admin_ext_id'] = kw.get("intra_admin_ext_id") + tenant_dict['name'] = kw.get("name", None) + tenant_dict['description'] = kw.get("description", None) + tenant_dict['intra_authz_ext_id'] = kw.get("intra_authz_ext_id", None) + tenant_dict['intra_admin_ext_id'] = kw.get("intra_admin_ext_id", None) self.tenant_api.set_tenant_dict(user_id, tenant_id, tenant_dict) @@ -161,54 +161,66 @@ class IntraExtensions(controller.V3Controller): return self.admin_api.load_intra_extension_dict(user_id, intra_extension_dict) @controller.protected() - def get_intra_extension_dict(self, context, **kw): + def get_intra_extension(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) - ie_id = kw.get('intra_extension_id', None) - return self.admin_api.get_intra_extensions_dict(user_id)[ie_id] + ie_id = kw.get('id', None) + return self.admin_api.get_intra_extensions_dict(user_id, ie_id) @controller.protected() def del_intra_extension(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) - if "ie_id" not in kw: - raise IntraExtensionUnknown - ie_id = kw.get('intra_extension_id', None) + ie_id = kw.get('id', None) self.admin_api.del_intra_extension(user_id, ie_id) @controller.protected() def set_intra_extension(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) - if "ie_id" not in kw: - raise IntraExtensionUnknown - ie_id = kw.get('intra_extension_id', None) - self.admin_api.set_intra_extension(user_id, ie_id) + ie_id = kw.get('id', None) + intra_extension_dict = dict() + intra_extension_dict["name"] = kw.get("name", None) + intra_extension_dict["model"] = kw.get("model", None) + intra_extension_dict["description"] = kw.get("description", None) + return self.admin_api.set_intra_extension_dict(user_id, ie_id, intra_extension_dict) # Metadata functions @controller.protected() def get_subject_categories(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get('intra_extension_id', None) - return self.admin_api.get_subject_category_dict(user_id, ie_id) + return self.admin_api.get_subject_categories_dict(user_id, ie_id) @controller.protected() def add_subject_category(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get('intra_extension_id', None) - subject_category_name = kw.get("subject_category_name", None) - return self.admin_api.add_subject_category(user_id, ie_id, subject_category_name) + subject_category_dict = dict() + subject_category_dict['name'] = kw.get("name", None) + subject_category_dict['description'] = kw.get("description", None) + return self.admin_api.add_subject_category(user_id, ie_id, subject_category_dict) @controller.protected() def get_subject_category(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get('intra_extension_id', None) subject_category_id = kw.get("subject_category_id", None) - return self.admin_api.get_subject_category_dict(user_id, ie_id)[subject_category_id] + return self.admin_api.get_subject_categories_dict(user_id, ie_id)[subject_category_id] @controller.protected() def del_subject_category(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get('intra_extension_id', None) - subject_category_id = kw["subject_category_id"] - return self.admin_api.del_subject_category(user_id, ie_id, subject_category_id) + subject_category_id = kw.get("subject_category_id", None) + self.admin_api.del_subject_category(user_id, ie_id, subject_category_id) + + @controller.protected() + def set_subject_category(self, context, **kw): + user_id = self._get_user_id_from_token(context.get('token_id')) + ie_id = kw.get('intra_extension_id', None) + subject_category_id = kw.get('subject_category_id', None) + subject_category_dict = dict() + subject_category_dict['name'] = kw.get("name", None) + subject_category_dict['description'] = kw.get("description", None) + return self.admin_api.set_subject_category(user_id, ie_id, subject_category_id, subject_category_dict) @controller.protected() def get_object_categories(self, context, **kw): @@ -269,28 +281,28 @@ class IntraExtensions(controller.V3Controller): def get_subjects(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get('intra_extension_id', None) - return self.admin_api.get_subject_dict(user_id, ie_id) + return self.admin_api.get_subjects_dict(user_id, ie_id) @controller.protected() def add_subject(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get('intra_extension_id', None) subject_name = kw["subject_name"] - return self.admin_api.add_subject(user_id, ie_id, subject_name) + return self.admin_api.add_subject_dict(user_id, ie_id, subject_name) @controller.protected() def get_subject(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get('intra_extension_id', None) subject_id = kw["subject_id"] - return self.admin_api.get_subject_dict(user_id, ie_id)[subject_id] + return self.admin_api.get_subjects_dict(user_id, ie_id)[subject_id] @controller.protected() def del_subject(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get('intra_extension_id', None) subject_id = kw["subject_id"] - return self.admin_api.del_subject(user_id, ie_id, subject_id) + self.admin_api.del_subject(user_id, ie_id, subject_id) @controller.protected() def get_objects(self, context, **kw): @@ -351,40 +363,45 @@ class IntraExtensions(controller.V3Controller): def get_subject_scopes(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - subject_category_id = kw["subject_category_id"] - return self.admin_api.get_subject_scope_dict(user_id, ie_id, subject_category_id) + subject_category_id = kw.get("subject_category_id", None) + return self.admin_api.get_subject_scopes_dict(user_id, ie_id, subject_category_id) @controller.protected() def add_subject_scope(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - subject_category_id = kw["subject_category_id"] - subject_scope_name = kw["subject_scope_name"] - return self.admin_api.add_subject_scope( - user_id, - ie_id, - subject_category_id, - subject_scope_name) + subject_category_id = kw.get("subject_category_id", None) + subject_scope_dict = dict() + subject_scope_dict['name'] = kw.get("subject_scope_name", None) + subject_scope_dict['description'] = kw.get("subject_scope_description", None) + return self.admin_api.add_subject_scope_dict(user_id, ie_id, subject_category_id, subject_scope_dict) @controller.protected() def get_subject_scope(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - subject_category_id = kw["subject_category_id"] - subject_scope_id = kw["subject_scope_id"] - return self.admin_api.get_subject_scope(user_id, ie_id, subject_category_id, subject_scope_id) + subject_category_id = kw.get("subject_category_id", None) + subject_scope_id = kw.get("subject_scope_id", None) + return self.admin_api.get_subject_scopes_dict(user_id, ie_id, subject_category_id, subject_scope_id) @controller.protected() def del_subject_scope(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - subject_category_id = kw["subject_category_id"] - subject_scope_id = kw["subject_scope_id"] - return self.admin_api.del_subject_scope( - user_id, - ie_id, - subject_category_id, - subject_scope_id) + subject_category_id = kw.get("subject_category_id", None) + subject_scope_id = kw.get("subject_scope_id", None) + self.admin_api.del_subject_scope(user_id, ie_id, subject_category_id, subject_scope_id) + + @controller.protected() + def set_subject_scope(self, context, **kw): + user_id = self._get_user_id_from_token(context.get('token_id')) + ie_id = kw.get("intra_extension_id", None) + subject_category_id = kw.get("subject_category_id", None) + subject_scope_id = kw.get("subject_scope_id", None) + subject_scope_dict = dict() + subject_scope_dict['name'] = kw.get("subject_scope_name", None) + subject_scope_dict['description'] = kw.get("subject_scope_description", None) + return self.admin_api.set_subject_scope_dict(user_id, ie_id, subject_category_id, subject_scope_id, subject_scope_dict) @controller.protected() def get_object_scopes(self, context, **kw): @@ -465,21 +482,15 @@ class IntraExtensions(controller.V3Controller): action_scope_id) # Assignment functions - @controller.protected() - def get_subject_assignments(self, context, **kw): - user_id = self._get_user_id_from_token(context.get('token_id')) - ie_id = kw.get("intra_extension_id", None) - subject_id = kw["subject_id"] - return self.admin_api.get_subject_assignment_dict(user_id, ie_id, subject_id) @controller.protected() def add_subject_assignment(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - subject_id = kw["subject_id"] - subject_category_id = kw["subject_category_id"] - subject_scope_id = kw["subject_scope_id"] - return self.admin_api.add_subject_assignment( + subject_id = kw.get("subject_id", None) + subject_category_id = kw.get("subject_category_id", None) + subject_scope_id = kw.get("subject_scope_id", None) + return self.admin_api.add_subject_assignment_list( user_id, ie_id, subject_id, @@ -490,17 +501,17 @@ class IntraExtensions(controller.V3Controller): def get_subject_assignment(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - subject_id = kw["subject_id"] - subject_category_id = kw["subject_category_id"] - return self.admin_api.get_subject_assignment_dict(user_id, ie_id, subject_id, subject_category_id) + subject_id = kw.get("subject_id", None) + subject_category_id = kw.get("subject_category_id", None) + return self.admin_api.get_subject_assignment_list(user_id, ie_id, subject_id, subject_category_id) @controller.protected() def del_subject_assignment(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - subject_id = kw["subject_id"] - subject_category_id = kw["subject_category_id"] - subject_scope_id = kw["subject_scope_id"] + subject_id = kw.get("subject_id", None) + subject_category_id = kw.get("subject_category_id", None) + subject_scope_id = kw.get("subject_scope_id", None) return self.admin_api.del_subject_assignment( user_id, ie_id, @@ -596,106 +607,112 @@ class IntraExtensions(controller.V3Controller): # Metarule functions @controller.protected() - def add_aggregation_algorithm(self, context, **kw): + def set_aggregation_algorithm(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - aggregation_algorithm_id = kw["aggregation_algorithm_id"] - return self.admin_api.add_aggregation_algorithm( - user_id, - ie_id, - aggregation_algorithm_id) + aggregation_algorithm_id = kw.get("aggregation_algorithm_id", None) + aggregation_algorithm_dict = kw.get("aggregation_algorithm_dict", None) + return self.admin_api.set_aggregation_algorithm_dict(user_id, ie_id, aggregation_algorithm_id, aggregation_algorithm_dict) @controller.protected() def get_aggregation_algorithm(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - return self.admin_api.get_aggregation_algorithm(user_id, ie_id) - - @controller.protected() - def del_aggregation_algorithm(self, context, **kw): - user_id = self._get_user_id_from_token(context.get('token_id')) - ie_id = kw.get("intra_extension_id", None) - aggregation_algorithm_id = kw["aggregation_algorithm_id"] - return self.admin_api.del_aggregation_algorithm( - user_id, - ie_id, - aggregation_algorithm_id) + return self.admin_api.get_aggregation_algorithm_dict(user_id, ie_id) @controller.protected() def get_sub_meta_rules(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - return self.admin_api.get_sub_meta_rule_dict(user_id, ie_id) + return self.admin_api.get_sub_meta_rules_dict(user_id, ie_id) @controller.protected() def add_sub_meta_rule(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - sub_meta_rule_name = kw["sub_meta_rule_name"] - subject_category_list = kw["subject_categories"] - object_category_list = kw["object_categories"] - action_category_list = kw["action_categories"] - sub_meta_rule_algorithm = kw["sub_meta_rule_algorithm"] - - return self.admin_api.add_sub_meta_rule( - user_id, - ie_id, - sub_meta_rule_name, - subject_category_list, - object_category_list, - action_category_list, - sub_meta_rule_algorithm - ) + sub_meta_rule_dict = dict() + sub_meta_rule_dict['name'] = kw.get('sub_meta_rule_name', None) + sub_meta_rule_dict['algorithm'] = kw.get('sub_meta_rule_algorithm', None) + sub_meta_rule_dict['subject_categories'] = kw.get('sub_meta_rule_subject_categories', None) + sub_meta_rule_dict['object_categories'] = kw.get('sub_meta_rule_object_categories', None) + sub_meta_rule_dict['action_categories'] = kw.get('sub_meta_rule_action_categories', None) + return self.admin_api.add_sub_meta_rule_dict(user_id, ie_id, sub_meta_rule_dict) @controller.protected() def get_sub_meta_rule(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - sub_meta_rule_id = kw["sub_meta_rule_id"] - return self.admin_api.get_sub_meta_rule(user_id, ie_id, sub_meta_rule_id) + sub_meta_rule_id = kw.get("sub_meta_rule_id", None) + return self.admin_api.get_sub_meta_rules_dict(user_id, ie_id, sub_meta_rule_id) @controller.protected() def del_sub_meta_rule(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id") - sub_meta_rule_id = kw["sub_meta_rule_id"] - return self.admin_api.get_sub_meta_rule(user_id, ie_id, sub_meta_rule_id) + sub_meta_rule_id = kw.get("sub_meta_rule_id", None) + self.admin_api.del_sub_meta_rule(user_id, ie_id, sub_meta_rule_id) + + @controller.protected() + def set_sub_meta_rule(self, context, **kw): + user_id = self._get_user_id_from_token(context.get('token_id')) + ie_id = kw.get("intra_extension_id", None) + sub_meta_rule_id = kw.get("sub_meta_rule_id", None) + sub_meta_rule_dict = dict() + sub_meta_rule_dict['name'] = kw.get('sub_meta_rule_name', None) + sub_meta_rule_dict['algorithm'] = kw.get('sub_meta_rule_algorithm', None) + sub_meta_rule_dict['subject_categories'] = kw.get('sub_meta_rule_subject_categories', None) + sub_meta_rule_dict['object_categories'] = kw.get('sub_meta_rule_object_categories', None) + sub_meta_rule_dict['action_categories'] = kw.get('sub_meta_rule_action_categories', None) + return self.admin_api.set_sub_meta_rule_dict(user_id, ie_id, sub_meta_rule_id, sub_meta_rule_dict) # Rules functions @controller.protected() def get_rules(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - sub_meta_rule_id = kw["sub_meta_rule_id"] - return self.admin_api.get_rule_dict(user_id, ie_id, sub_meta_rule_id) + sub_meta_rule_id = kw.get("sub_meta_rule_id", None) + return self.admin_api.get_rules_dict(user_id, ie_id, sub_meta_rule_id) @controller.protected() def add_rule(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - sub_meta_rule_id = kw.get("sub_meta_rule_id") + sub_meta_rule_id = kw.get("sub_meta_rule_id", None) rule_list = list() - subject_category_list = kw.get('subject_categories') - object_category_list = kw.get('object_categories') - action_category_list = kw.get('action_categories') - rule_list = subject_category_list + object_category_list + action_category_list + subject_category_list = kw.get('subject_categories', []) + object_category_list = kw.get('object_categories', []) + action_category_list = kw.get('action_categories', []) + rule_list = subject_category_list + action_category_list + object_category_list return self.admin_api.add_rule_list(user_id, ie_id, sub_meta_rule_id, rule_list) @controller.protected() def get_rule(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - sub_meta_rule_id = kw.get("sub_meta_rule_id") - rule_id = kw.get("rule_id") - return self.admin_api.get_rule(user_id, ie_id, sub_meta_rule_id, rule_id) + sub_meta_rule_id = kw.get("sub_meta_rule_id", None) + rule_id = kw.get("rule_id", None) + return self.admin_api.get_rules_dict(user_id, ie_id, sub_meta_rule_id, rule_id) @controller.protected() def del_rule(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) ie_id = kw.get("intra_extension_id", None) - sub_meta_rule_id = kw["sub_meta_rule_id"] - rule_id = kw["rule_id"] - return self.admin_api.del_rule(user_id, ie_id, sub_meta_rule_id, rule_id) + sub_meta_rule_id = kw.get("sub_meta_rule_id", None) + rule_id = kw.get("rule_id", None) + self.admin_api.del_rule(user_id, ie_id, sub_meta_rule_id, rule_id) + + @controller.protected() + def set_rule(self, context, **kw): + user_id = self._get_user_id_from_token(context.get('token_id')) + ie_id = kw.get("intra_extension_id", None) + sub_meta_rule_id = kw.get("sub_meta_rule_id", None) + rule_id = kw.get("rule_id", None) + rule_list = list() + subject_category_list = kw.get('subject_categories', []) + object_category_list = kw.get('object_categories', []) + action_category_list = kw.get('action_categories', []) + rule_list = subject_category_list + action_category_list + object_category_list + return self.admin_api.set_rule_list(user_id, ie_id, sub_meta_rule_id, rule_id, rule_list) @dependency.requires('authz_api') diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py index b65a613d..d5f08251 100644 --- a/keystone-moon/keystone/contrib/moon/core.py +++ b/keystone-moon/keystone/contrib/moon/core.py @@ -73,37 +73,43 @@ def filter_args(func): return wrapped -def enforce(actions, object, **extra): - _actions = actions +def enforce(action_names, object_name, **extra): + _action_name_list = action_names def wrap(func): def wrapped(*args): # global actions self = args[0] user_name = args[1] - intra_extension_uuid = args[2] - _admin_extension_uuid = self.tenant_api.get_admin_extension_uuid(args[2]) + intra_extension_id = args[2] + if intra_extension_id not in self.admin_api.get_intra_extensions(DEFAULT_USER): + raise IntraExtensionUnknown() + + tenants_dict = self.tenant_api.get_tenants_dict(DEFAULT_USER) + intra_admin_extension_id = None + tenant_name = None + for tenant_id in tenants_dict: + if tenants_dict[tenant_id]['intra_authz_extension_id'] is intra_extension_id: + intra_admin_extension_id = tenants_dict[tenant_id]['intra_admin_extension_id'] + tenant_name = tenants_dict[tenant_id]['name'] + # func.func_globals["_admin_extension_uuid"] = _admin_extension_uuid - if not _admin_extension_uuid: + if not intra_admin_extension_id: args[0].moonlog_api.warning("No admin IntraExtension found, authorization granted by default.") return func(*args) else: - _authz = False - if type(_actions) in (str, unicode): - actions = (_actions, ) + authz_result = False + if type(_action_name_list) in (str, unicode): + action_name_list = (_action_name_list, ) else: - actions = _actions - for action in actions: - if self.admin_api.authz( - _admin_extension_uuid, - user_name, - object, - action): - _authz = True + action_name_list = _action_name_list + for action_name in action_name_list: + if self.authz_api.authz(tenant_name, user_name, object_name, action_name, 'admin'): + authz_result = True else: - _authz = False + authz_result = False break - if _authz: + if authz_result: return func(*args) return wrapped return wrap @@ -268,41 +274,12 @@ class TenantManager(manager.Manager): raise TenantNoIntraExtension() return tenant_dict[tenant_id][genre] - # TODO: check if we need the func - def get_tenant_uuid(self, extension_uuid): - for _tenant_uuid, _tenant_value in six.iteritems(self.get_tenants_dict()): - if extension_uuid == _tenant_value["authz"] or extension_uuid == _tenant_value["admin"]: - return _tenant_uuid - raise TenantIDNotFound() - - # TODO: check if we need the func - def get_admin_extension_uuid(self, authz_extension_uuid): - _tenants = self.get_tenants_dict() - for _tenant_uuid in _tenants: - if authz_extension_uuid == _tenants[_tenant_uuid]['authz'] and _tenants[_tenant_uuid]['admin']: - return _tenants[_tenant_uuid]['admin'] - self.moonlog_api.error(_("No IntraExtension found mapping this Authz IntraExtension: {}.".format( - authz_extension_uuid))) - # FIXME (dthom): if AdminIntraExtensionNotFound, maybe we can add an option in configuration file - # to allow or not the fact that Admin IntraExtension can be None - # raise AdminIntraExtensionNotFound() - - # TODO: check if we need the func - def delete(self, authz_extension_uuid): - _tenants = self.get_tenants_dict() - for _tenant_uuid in _tenants: - if authz_extension_uuid == _tenants[_tenant_uuid]['authz']: - return self.set_tenant_dict(_tenant_uuid, "", "", "") - raise AuthzIntraExtensionNotFound(_("No IntraExtension found mapping this Authz IntraExtension: {}.".format( - authz_extension_uuid))) - @dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api', 'moonlog_api') class IntraExtensionManager(manager.Manager): - __genre__ = None - def __init__(self): + self.__genre__ = None driver = CONF.moon.intraextension_driver super(IntraExtensionManager, self).__init__(driver) @@ -331,12 +308,12 @@ class IntraExtensionManager(manager.Manager): authz_buffer['object_id'] = object_id authz_buffer['action_id'] = action_id meta_data_dict = dict() - meta_data_dict["subject_categories"] = self.driver.get_subject_category_dict(intra_extension_id) + meta_data_dict["subject_categories"] = self.driver.get_subject_categories_dict(intra_extension_id) meta_data_dict["object_categories"] = self.driver.get_object_category_dict(intra_extension_id) meta_data_dict["action_categories"] = self.driver.get_action_category_dict(intra_extension_id) subject_assignment_dict = dict() for category in meta_data_dict["subject_categories"]: - subject_assignment_dict[category] = self.driver.get_subject_assignment_dict( + subject_assignment_dict[category] = self.driver.get_subject_assignment_list( intra_extension_id, subject_id)[category] object_assignment_dict = dict() for category in meta_data_dict["object_categories"]: @@ -377,19 +354,19 @@ class IntraExtensionManager(manager.Manager): authz_buffer = self.__get_authz_buffer(intra_extension_id, subject_id, object_id, action_id) decision_buffer = dict() - meta_rule_dict = self.driver.get_sub_meta_rule_dict(intra_extension_id) + meta_rule_dict = self.driver.get_sub_meta_rules_dict(intra_extension_id) for sub_meta_rule_id in meta_rule_dict['sub_meta_rules']: if meta_rule_dict['sub_meta_rules'][sub_meta_rule_id]['algorithm'] == 'inclusion': decision_buffer[sub_meta_rule_id] = inclusion( authz_buffer, meta_rule_dict['sub_meta_rules'][sub_meta_rule_id], - self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id).values()) + self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id).values()) elif meta_rule_dict['sub_meta_rules'][sub_meta_rule_id]['algorithm'] == 'comparison': decision_buffer[sub_meta_rule_id] = comparison( authz_buffer, meta_rule_dict['sub_meta_rules'][sub_meta_rule_id], - self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id).values()) + self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id).values()) if meta_rule_dict['aggregation'] == 'all_true': return all_true(decision_buffer) @@ -530,9 +507,9 @@ class IntraExtensionManager(manager.Manager): ) # Note (dthom): subject_category_assignment must be initialized because when there is no data in json # we will not go through the for loop - self.driver.set_subject_assignment_dict(intra_extension_dict["id"]) + self.driver.set_subject_assignment_list(intra_extension_dict["id"]) for subject in subject_assignments: - self.driver.set_subject_assignment_dict(intra_extension_dict["id"], subject, subject_assignments[subject]) + self.driver.set_subject_assignment_list(intra_extension_dict["id"], subject, subject_assignments[subject]) object_assignments = dict() for category_name, value in json_assignments["object_assignments"].iteritems(): @@ -610,7 +587,7 @@ class IntraExtensionManager(manager.Manager): intra_extension_dict["rule"] = {"rule": copy.deepcopy(json_rules)} # Translate value from JSON file to UUID for Database rules = dict() - sub_meta_rules = self.driver.get_sub_meta_rule_dict(intra_extension_dict["id"]) + sub_meta_rules = self.driver.get_sub_meta_rules_dict(intra_extension_dict["id"]) for relation in json_rules: # print(relation) # print(self.get_sub_meta_rule_relations("admin", ie["id"])) @@ -673,7 +650,7 @@ class IntraExtensionManager(manager.Manager): ie_dict["name"] = filter_input(intra_extension_dict["name"]) ie_dict["model"] = filter_input(intra_extension_dict["policymodel"]) ie_dict["description"] = filter_input(intra_extension_dict["description"]) - ref = self.driver.set_intra_extension(ie_dict['id'], ie_dict) + ref = self.driver.set_intra_extension_dict(ie_dict['id'], ie_dict) self.moonlog_api.debug("Creation of IE: {}".format(ref)) # read the profile given by "policymodel" and populate default variables policy_dir = os.path.join(CONF.moon.policy_directory, ie_dict["model"]) @@ -685,7 +662,7 @@ class IntraExtensionManager(manager.Manager): self.__load_rule_file(ie_dict, policy_dir) return ref - def get_intra_extension(self, user_id, intra_extension_id): + def get_intra_extension_dict(self, user_id, intra_extension_id): """ :param user_id: :return: {intra_extension_id: intra_extension_name, ...} @@ -701,11 +678,17 @@ class IntraExtensionManager(manager.Manager): raise IntraExtensionUnknown() return self.driver.del_intra_extension(intra_extension_id) + def set_intra_extension_dict(self, user_id, intra_extension_id, intra_extension_dict): + # TODO: check will be done through super_extension later + if intra_extension_id not in self.driver.get_intra_extensions_dict(): + raise IntraExtensionUnknown() + return self.driver.set_intra_extension_dict(intra_extension_id, intra_extension_dict) + # Metadata functions @filter_args # TODO: check for each function if intra_entension_id exists @enforce("read", "subject_categories") - def get_subject_category_dict(self, user_id, intra_extension_id): + def get_subject_categories_dict(self, user_id, intra_extension_id): """ :param user_id: :param intra_extension_id: @@ -716,25 +699,21 @@ class IntraExtensionManager(manager.Manager): subject_category_id2: {...}, ...} """ - return self.driver.get_subject_category_dict(intra_extension_id) + return self.driver.get_subject_categories_dict(intra_extension_id) @filter_args @enforce(("read", "write"), "subject_categories") - @enforce(("read", "write"), "subject_scopes") - def add_subject_category(self, user_id, intra_extension_id, subject_category_name): - subject_category_dict = self.driver.get_subject_category_dict(intra_extension_id) + def add_subject_category(self, user_id, intra_extension_id, subject_category_dict): + subject_category_dict = self.driver.get_subject_categories_dict(intra_extension_id) for subject_category_id in subject_category_dict: - if subject_category_dict[subject_category_id]['name'] is subject_category_name: + if subject_category_dict[subject_category_id]['name'] is subject_category_dict['name']: raise SubjectCategoryNameExisting() - subject_category_id = uuid4().hex - # TODO (dthom): create category in scope - # self.driver.create_subject_category_in_scope(intra_extension_id, subject_category_id) - return self.driver.add_subject_category(intra_extension_id, subject_category_id, subject_category_name) + return self.driver.set_subject_category(intra_extension_id, uuid4().hex, subject_category_dict) @filter_args @enforce("read", "subject_categories") def get_subject_category(self, user_id, intra_extension_id, subject_category_id): - subject_category_dict = self.driver.get_subject_category_dict(intra_extension_id) + subject_category_dict = self.driver.get_subject_categories_dict(intra_extension_id) if subject_category_id not in subject_category_dict: raise SubjectCategoryUnknown() return subject_category_dict[subject_category_id] @@ -744,7 +723,7 @@ class IntraExtensionManager(manager.Manager): @enforce(("read", "write"), "subject_scopes") @enforce(("read", "write"), "subject_assignments") def del_subject_category(self, user_id, intra_extension_id, subject_category_id): - if subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() # TODO (dthom): destroy category in scope # self.driver.destroy_subject_category_in_scope(intra_extension_id, subject_category_id) @@ -752,6 +731,13 @@ class IntraExtensionManager(manager.Manager): # self.driver.destroy_subject_category_in_assignement(intra_extension_id, subject_category_id) return self.driver.del_subject_category(intra_extension_id, subject_category_id) + @filter_args + @enforce(("read", "write"), "subject_categories") + def set_subject_category(self, user_id, intra_extension_id, subject_category_id, subject_category_dict): + for subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): + raise SubjectCategoryUnknown() + return self.driver.set_subject_category(intra_extension_id, subject_category_id, subject_category_dict) + @filter_args @enforce("read", "object_categories") def get_object_category_dict(self, user_id, intra_extension_id): @@ -845,35 +831,24 @@ class IntraExtensionManager(manager.Manager): @filter_args @enforce("read", "subjects") - def get_subject_dict(self, user_id, intra_extension_id): - """ - :param user_id: - :param intra_extension_id: - :return: { - subject_id1: { - name: xxx, - description: yyy, - ...}, - subject_id2: {...}, - ...} - """ - return self.driver.get_subject_dict(intra_extension_id) + def get_subjects_dict(self, user_id, intra_extension_id): + return self.driver.get_subjects_dict(intra_extension_id) @filter_args @enforce(("read", "write"), "subjects") - def add_subject(self, user_id, intra_extension_id, subject_name): - subject_dict = self.driver.get_subject_dict(intra_extension_id) - for subject_id in subject_dict: - if subject_dict[subject_id]["name"] is subject_name: + def add_subject_dict(self, user_id, intra_extension_id, subject_dict): + subjects_dict = self.driver.get_subjects_dict(intra_extension_id) + for subject_id in subjects_dict: + if subjects_dict[subject_id]["name"] is subject_dict['name']: raise SubjectNameExisting() # Next line will raise an error if user is not present in Keystone database - subject_item_dict = self.identity_api.get_user_by_name(subject_name, "default") - return self.driver.add_subject(intra_extension_id, subject_item_dict["id"], subject_name) + subject_item_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default") + return self.driver.set_subject_dict(intra_extension_id, subject_item_dict["id"], subject_dict) @filter_args @enforce("read", "subjects") - def get_subject(self, user_id, intra_extension_id, subject_id): - subject_dict = self.driver.get_subject_dict(intra_extension_id) + def get_subject_dict(self, user_id, intra_extension_id, subject_id): + subject_dict = self.driver.get_subjects_dict(intra_extension_id) if subject_id in subject_dict: raise SubjectUnknown() return subject_dict[subject_id] @@ -881,10 +856,21 @@ class IntraExtensionManager(manager.Manager): @filter_args @enforce(("read", "write"), "subjects") def del_subject(self, user_id, intra_extension_id, subject_id): - if subject_id in self.driver.get_subject_dict(intra_extension_id): + if subject_id in self.driver.get_subjects_dict(intra_extension_id): raise SubjectUnknown() # TODO (dthom): destroy item-related assignment - return self.driver.del_subject(intra_extension_id, subject_id) + self.driver.del_subject(intra_extension_id, subject_id) + + @filter_args + @enforce(("read", "write"), "subjects") + def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): + subjects_dict = self.driver.get_subjects_dict(intra_extension_id) + for subject_id in subjects_dict: + if subjects_dict[subject_id]["name"] is subject_dict['name']: + raise SubjectNameExisting() + # Next line will raise an error if user is not present in Keystone database + subject_item_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default") + return self.driver.set_subject_dict(intra_extension_id, subject_item_dict["id"], subject_dict) @filter_args @enforce("read", "objects") @@ -953,7 +939,7 @@ class IntraExtensionManager(manager.Manager): @filter_args @enforce("read", "subject_scopes") @enforce("read", "subject_categories") - def get_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id): + def get_subject_scopes_dict(self, user_id, intra_extension_id, subject_category_id): """ :param user_id: :param intra_extension_id: @@ -967,50 +953,58 @@ class IntraExtensionManager(manager.Manager): des: bbb}, ...} """ - if subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() - return self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id) + return self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id) @filter_args @enforce(("read", "write"), "subject_scopes") @enforce("read", "subject_categories") - def add_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_name): - if subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + def add_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_dict): + if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() - subject_scope_dict = self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id) - for _subject_scope_id in subject_scope_dict: - if subject_scope_name is subject_scope_dict[_subject_scope_id]['name']: + subject_scopes_dict = self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id) + for _subject_scope_id in subject_scopes_dict: + if subject_scope_dict['name'] is subject_scopes_dict[_subject_scope_id]['name']: raise SubjectScopeNameExisting() subject_scope_id = uuid4().hex - return self.driver.add_subject_scope( - intra_extension_id, - subject_category_id, - subject_scope_id, - subject_scope_name) + return self.driver.add_subject_scope_dict(intra_extension_id, subject_category_id, subject_scope_id, subject_scope_dict) @filter_args @enforce("read", "subject_scopes") @enforce("read", "subject_categories") - def get_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_id): - if subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + def get_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_id): + if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() - subject_scopte_dict = self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id) - if subject_scope_id not in subject_scopte_dict: + subject_scopes_dict = self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id) + if subject_scope_id not in subject_scopes_dict: raise SubjectScopeUnknown() - return subject_scopte_dict[subject_scope_id] + return subject_scopes_dict[subject_scope_id] @filter_args @enforce(("read", "write"), "subject_scopes") @enforce("read", "subject_categories") def del_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_id): - if subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() - if subject_scope_id not in self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id): + if subject_scope_id not in self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id): raise SubjectScopeUnknown() # TODO (dthom): destroy scope-related assignment # TODO (dthom): destroy scope-related rule return self.driver.del_subject_scope(intra_extension_id, subject_category_id, subject_scope_id) + @filter_args + @enforce(("read", "write"), "subject_scopes") + @enforce("read", "subject_categories") + def set_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_id, subject_scope_name): + if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): + raise SubjectCategoryUnknown() + subject_scope_dict = self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id) + for _subject_scope_id in subject_scope_dict: + if subject_scope_name is subject_scope_dict[_subject_scope_id]['name']: + raise SubjectScopeNameExisting() + return self.driver.set_subject_scope_dict(intra_extension_id, subject_category_id, uuid4().hex, subject_scope_dict) + @filter_args @enforce("read", "object_category_scopes") @enforce("read", "object_categories") @@ -1030,7 +1024,7 @@ class IntraExtensionManager(manager.Manager): if object_scope_name is object_scope_dict[_object_scope_id]['name']: raise ObjectScopeNameExisting() object_scope_id = uuid4().hex - return self.driver.add_subject_scope( + return self.driver.add_subject_scope_dict( intra_extension_id, object_category_id, object_scope_id, @@ -1109,50 +1103,32 @@ class IntraExtensionManager(manager.Manager): # Assignment functions - @filter_args - @enforce("read", "subject_assignments") - @enforce("read", "subjects") - def get_subject_assignment_dict(self, user_id, intra_extension_id, subject_id): - """ - :param user_id: - :param intra_extension_id: - :param subject_id: - :return: { - subject_category_id1: [subject_scope_id1, subject_scope_id2, ...], - subject_category_id2: [subject_scope_id1, subject_scope_id2, ...], - ... - } - """ - if subject_id not in self.driver.get_subject_dict(user_id, intra_extension_id): - raise SubjectUnknown() - return self.driver.get_subject_assignment_dict(intra_extension_id, subject_id) - @filter_args @enforce(("read", "write"), "subject_assignments") @enforce("read", "subjects") @enforce("read", "subject_categories") @enforce("read", "subject_scopes") def add_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - if subject_id not in self.driver.get_subject_dict(intra_extension_id): + if subject_id not in self.driver.get_subjects_dict(intra_extension_id): raise SubjectUnknown() - elif subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() - elif subject_scope_id not in self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id): + if subject_scope_id not in self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id): raise SubjectScopeUnknown() - elif subject_scope_id in self.driver.get_subject_assignment_dict(intra_extension_id, subject_id)[subject_category_id]: + if subject_scope_id in self.driver.get_subject_assignment_list(intra_extension_id, subject_id, subject_category_id): raise SubjectAssignmentExisting() - return self.driver.add_subject_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id) + return self.driver.add_subject_assignment_list(intra_extension_id, subject_id, subject_category_id, subject_scope_id) @filter_args @enforce("read", "subject_assignments") @enforce("read", "subjects") @enforce("read", "subject_categories") - def get_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id): - if subject_id not in self.driver.get_subject_dict(user_id, intra_extension_id): + def get_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id): + if subject_id not in self.driver.get_subjects_dict(user_id, intra_extension_id): raise SubjectUnknown() - elif subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + elif subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() - return self.driver.get_subject_assignment_dict(intra_extension_id, subject_id)[subject_category_id] + return self.driver.get_subject_assignment_list(intra_extension_id, subject_id)[subject_category_id] @filter_args @enforce(("read", "write"), "subject_assignments") @@ -1160,15 +1136,15 @@ class IntraExtensionManager(manager.Manager): @enforce("read", "subject_categories") @enforce("read", "subject_scopes") def del_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - if subject_id not in self.driver.get_subject_dict(intra_extension_id): + if subject_id not in self.driver.get_subjects_dict(intra_extension_id): raise SubjectUnknown() - elif subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + elif subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() - elif subject_scope_id not in self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id): + elif subject_scope_id not in self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id): raise SubjectScopeUnknown() - elif subject_scope_id not in self.driver.get_subject_assignment_dict(intra_extension_id, subject_id)[subject_category_id]: + elif subject_scope_id not in self.driver.get_subject_assignment_list(intra_extension_id, subject_id)[subject_category_id]: raise SubjectAssignmentUnknown() - return self.driver.del_subject_category_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id) + self.driver.del_subject_category_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id) @filter_args @enforce("read", "object_assignments") @@ -1216,7 +1192,7 @@ class IntraExtensionManager(manager.Manager): raise ObjectCategoryUnknown() elif object_scope_id not in self.driver.get_object_scope_dict(intra_extension_id, object_category_id): raise ObjectScopeUnknown() - elif object_scope_id not in self.driver.get_subject_assignment_dict(intra_extension_id, object_id)[object_category_id]: + elif object_scope_id not in self.driver.get_subject_assignment_list(intra_extension_id, object_id)[object_category_id]: raise ObjectAssignmentUnknown() return self.driver.del_object_assignment(intra_extension_id, object_id, object_category_id, object_scope_id) @@ -1274,30 +1250,34 @@ class IntraExtensionManager(manager.Manager): @filter_args @enforce(("read", "write"), "aggregation_algorithm") - def add_aggregation_algorithm(self, user_id, intra_extension_id, aggregation_algorithm_id): - if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms: - raise AggregationAlgorithmUnknown() - elif self.dirver.get_aggregation_algorithm(intra_extension_id): - raise AggregationAlgorithmExisting() - return self.driver.add_aggregation_algorithm(intra_extension_id, aggregation_algorithm_id) + def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): + if aggregation_algorithm_id: + if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(DEFAULT_USER): + raise AggregationAlgorithmUnknown() + else: + aggregation_algorithm_id = uuid4().hex + return self.driver.set_aggregation_algorithm_dict(intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict) @filter_args @enforce("read", "aggregation_algorithm") - def get_aggregation_algorithm(self, user_id, intra_extension_id): - if not self.dirver.get_aggregation_algorithm(intra_extension_id): - raise AggregationAlgorithmNotExisting() - return self.driver.get_aggregation_algorithm(intra_extension_id) - - @filter_args - @enforce("write", "aggregation_algorithm") - def del_aggregation_algorithm(self, user_id, intra_extension_id, aggregation_algorithm_id): - if aggregation_algorithm_id is not self.dirver.get_aggregation_algorithm(intra_extension_id): + def get_aggregation_algorithm_dict(self, user_id, intra_extension_id): + """ + :param user_id: + :param intra_extension_id: + :return: { + aggregation_algorithm_id: { + name: xxx, + description: yyy + } + } + """ + if not self.driver.get_aggregation_algorithm_dict(intra_extension_id): raise AggregationAlgorithmNotExisting() - return self.driver.del_aggregation_algorithm(intra_extension_id, aggregation_algorithm_id) + return self.driver.get_aggregation_algorithm_dict(intra_extension_id) @filter_args @enforce("read", "sub_meta_rules") - def get_sub_meta_rule_dict(self, user_id, intra_extension_id): + def get_sub_meta_rules_dict(self, user_id, intra_extension_id): """ :param user_id: :param intra_extension_id: @@ -1312,44 +1292,30 @@ class IntraExtensionManager(manager.Manager): ... } """ - return self.driver.get_sub_meta_rule_dict(intra_extension_id) + return self.driver.get_sub_meta_rules_dict(intra_extension_id) @filter_args @enforce(("read", "write"), "sub_meta_rules") @enforce("write", "rule") - def add_sub_meta_rule(self, - user_id, - intra_extension_id, - sub_meta_rule_name, - subject_category_list, - object_category_list, - action_category_list, - sub_meta_rule_algorithm): - sub_meta_rule_dict = self.driver.get_sub_meta_rule_dict(intra_extension_id) - for _sub_meta_rule_id in sub_meta_rule_dict: - if sub_meta_rule_name is sub_meta_rule_dict[_sub_meta_rule_id]["name"]: + def add_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_dict): + sub_meta_rules_dict = self.driver.get_sub_meta_rules_dict(intra_extension_id) + for _sub_meta_rule_id in sub_meta_rules_dict: + if sub_meta_rule_dict['name'] is sub_meta_rules_dict[_sub_meta_rule_id]["name"]: raise SubMetaRuleNameExisting() - elif subject_category_list is sub_meta_rule_dict[_sub_meta_rule_id]["subject_categories"] and \ - object_category_list is sub_meta_rule_dict[_sub_meta_rule_id]["object_categories"] and \ - action_category_list is sub_meta_rule_dict[_sub_meta_rule_id]["action_categories"] and \ - sub_meta_rule_algorithm is sub_meta_rule_dict[_sub_meta_rule_id]["algorithm"]: + elif sub_meta_rule_dict['subject_categories'] is sub_meta_rules_dict[_sub_meta_rule_id]["subject_categories"] and \ + sub_meta_rule_dict['object_categories'] is sub_meta_rules_dict[_sub_meta_rule_id]["object_categories"] and \ + sub_meta_rule_dict['action_categories'] is sub_meta_rules_dict[_sub_meta_rule_id]["action_categories"] and \ + sub_meta_rule_dict['algorithm'] is sub_meta_rules_dict[_sub_meta_rule_id]["algorithm"]: raise SubMetaRuleExisting() sub_meta_rule_id = uuid4().hex() # TODO (dthom): add new sub-meta-rule to rule # self.driver.add_rule(intra_extension_id, sub_meta_rule_id, []) - return self.driver.add_sub_meta_rule( - intra_extension_id, - sub_meta_rule_id, - sub_meta_rule_name, - subject_category_list, - object_category_list, - action_category_list, - sub_meta_rule_algorithm) + return self.driver.set_sub_meta_rule_dict(intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict) @filter_args @enforce(("read", "write"), "sub_meta_rules") - def get_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id): - sub_meta_rule_dict = self.driver.get_sub_meta_rule_dict(intra_extension_id) + def get_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id): + sub_meta_rule_dict = self.driver.get_sub_meta_rules_dict(intra_extension_id) if sub_meta_rule_id not in sub_meta_rule_dict: raise SubMetaRuleUnknown() return sub_meta_rule_dict[sub_meta_rule_id] @@ -1358,16 +1324,26 @@ class IntraExtensionManager(manager.Manager): @enforce(("read", "write"), "sub_meta_rules") @enforce(("read", "write"), "rule") def del_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id): - if sub_meta_rule_id not in self.driver.get_sub_meta_rule_dict(intra_extension_id): + if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id): raise SubMetaRuleUnknown() # TODO (dthom): destroy sub-meta-rule-related rules # self.driver.del_rule(intra_extension_id, sub_meta_rule_id, "*") - return self.driver.del_sub_meta_rule(intra_extension_id, sub_meta_rule_id) + self.driver.del_sub_meta_rule(intra_extension_id, sub_meta_rule_id) + + @filter_args + @enforce(("read", "write"), "sub_meta_rules") + @enforce("write", "rule") + def set_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict): + if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id): + raise SubMetaRuleUnknown() + # TODO (dthom): add new sub-meta-rule to rule + # self.driver.add_rule(intra_extension_id, sub_meta_rule_id, []) + return self.driver.set_sub_meta_rule_dict(intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict) # Rule functions @filter_args - @enforce("read", "rule") - def get_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id): + @enforce("read", "rules") + def get_rules_dict(self, user_id, intra_extension_id, sub_meta_rule_id): """ :param user_id: :param intra_extension_id: @@ -1377,56 +1353,68 @@ class IntraExtensionManager(manager.Manager): rule_id2: [subject_scope3, subject_scope4, ..., action_scope3, ..., object_scope3, ... ], ...} """ - return self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id) + return self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id) @filter_args @enforce("read", "sub_meta_rules") - @enforce(("read", "write"), "rule") - def add_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_list): - if sub_meta_rule_id not in self.driver.get_sub_meta_rule_dict(intra_extension_id): + @enforce(("read", "write"), "rules") + def add_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_list): + if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id): raise SubMetaRuleUnknown() - elif rule_list in self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id).values(): + if rule_list in self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id).values(): raise RuleExisting() - rule_id = uuid4().hex() - return self.driver.add_rule(intra_extension_id, sub_meta_rule_id, rule_id, rule_list) + rule_id = uuid4().hex + return self.driver.set_rule_dict(intra_extension_id, sub_meta_rule_id, rule_id, rule_list) @filter_args @enforce("read", "sub_meta_rules") - @enforce("read", "rule") - def get_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id): - if sub_meta_rule_id not in self.driver.get_sub_meta_rule_dict(intra_extension_id): + @enforce("read", "rules") + def get_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id): + if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id): raise SubMetaRuleUnknown() - rule_dict = self.driver.get_rule_dict(intra_extension_id) - if rule_id not in rule_dict[sub_meta_rule_id]: + rules_dict = self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id) + if rule_id not in rules_dict: raise RuleUnknown() - return rule_dict[rule_id] + return rules_dict[rule_id] @filter_args @enforce("read", "sub_meta_rules") - @enforce(("read", "write"), "rule") + @enforce(("read", "write"), "rules") def del_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id): - if sub_meta_rule_id not in self.driver.get_sub_meta_rule_dict(intra_extension_id): + if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id): raise SubMetaRuleUnknown() - rule_dict = self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id) - if rule_id not in rule_dict: + rules_dict = self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id) + if rule_id not in rules_dict: raise RuleUnknown() - return self.driver.del_rule(intra_extension_id, sub_meta_rule_id, rule_id) + self.driver.del_rule(intra_extension_id, sub_meta_rule_id, rule_id) + @filter_args + @enforce("read", "sub_meta_rules") + @enforce(("read", "write"), "rules") + def set_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id, rule_list): + if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id): + raise SubMetaRuleUnknown() + rules_dict = self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id) + if rule_id not in rules_dict: + raise RuleUnknown() + return self.driver.set_rule_dict(intra_extension_id, sub_meta_rule_id, rule_id, rule_list) @dependency.provider('authz_api') @dependency.requires('identity_api', 'tenant_api', 'moonlog_api') class IntraExtensionAuthzManager(IntraExtensionManager): - __genre__ = "authz" + def __init__(self): + self.__genre__ = "authz" + super(IntraExtensionAuthzManager, self).__init__() - def authz(self, tenant_name, subject_name, object_name, action_name): + def authz(self, tenant_name, subject_name, object_name, action_name, genre="authz"): # TODO (dthom) add moon log """Check authorization for a particular action. :return: True or False or raise an exception """ tenant_id = self.tenant_api.get_tenant_id_from_name(DEFAULT_USER, tenant_name) - intra_extension_id = self.tenant_api.get_tenant_intra_extension_id(DEFAULT_USER, tenant_id, self.__genre__) - subjects_dict = self.driver.get_subject_dict(intra_extension_id) + intra_extension_id = self.tenant_api.get_tenant_intra_extension_id(DEFAULT_USER, tenant_id, genre) + subjects_dict = self.driver.get_subjects_dict(intra_extension_id) subject_id = None for _subject_id in subjects_dict: if subjects_dict[_subject_id]['name'] is subject_name: @@ -1449,13 +1437,13 @@ class IntraExtensionAuthzManager(IntraExtensionManager): raise ActionUnknown() return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id) - def del_intra_extension(self, intra_extension_id): + def del_intra_extension(self, user_id, intra_extension_id): raise AdminException() def set_subject_dict(self, user_id, intra_extension_uuid, subject_dict): raise SubjectAddNotAuthorized() - def add_subject(self, user_id, intra_extension_uuid, subject_name): + def add_subject_dict(self, user_id, intra_extension_uuid, subject_name): raise SubjectAddNotAuthorized() def del_subject(self, user_id, intra_extension_uuid, subject_name): @@ -1509,7 +1497,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def set_subject_scope_dict(self, user_id, intra_extension_uuid, category, scope): raise SubjectCategoryScopeAddNotAuthorized() - def add_subject_scope(self, user_id, intra_extension_uuid, subject_category, scope_name): + def add_subject_scope_dict(self, user_id, intra_extension_uuid, subject_category, scope_name): raise SubjectCategoryScopeAddNotAuthorized() def del_subject_scope(self, user_id, intra_extension_uuid, subject_category, subject_category_scope): @@ -1560,10 +1548,10 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def add_action_assignment(self, user_id, intra_extension_uuid, action_uuid, category_uuid, scope_uuid): raise ActionCategoryAssignmentDelNotAuthorized() - def set_aggregation_algorithm(self, user_id, intra_extension_uuid, aggregation_algorithm): + def set_aggregation_algorithm_dict(self, user_id, intra_extension_uuid, aggregation_algorithm): raise MetaRuleAddNotAuthorized() - def get_sub_meta_rule(self, user_id, intra_extension_uuid, sub_meta_rules): + def get_sub_meta_rule_dict(self, user_id, intra_extension_uuid, sub_meta_rules): raise MetaRuleAddNotAuthorized() def set_sub_rule(self, user_id, intra_extension_uuid, relation, sub_rule): @@ -1577,7 +1565,9 @@ class IntraExtensionAuthzManager(IntraExtensionManager): @dependency.requires('identity_api', 'tenant_api', 'moonlog_api') class IntraExtensionAdminManager(IntraExtensionManager): - __genre__ = "admin" + def __init__(self): + self.__genre__ = "admin" + super(IntraExtensionAdminManager, self).__init__() @dependency.provider('moonlog_api') @@ -1713,7 +1703,7 @@ class IntraExtensionDriver(object): data_values = list() if data_name == self.SUBJECT: - data_values = self.get_subject_dict(intra_extension_uuid)["subjects"] + data_values = self.get_subjects_dict(intra_extension_uuid)["subjects"] if (name and name not in extract_name(data_values)) or \ (uuid and uuid not in data_values.keys()): raise SubjectUnknown() @@ -1728,7 +1718,7 @@ class IntraExtensionDriver(object): (uuid and uuid not in data_values.keys()): raise ActionUnknown() elif data_name == self.SUBJECT_CATEGORY: - data_values = self.get_subject_category_dict(intra_extension_uuid)["subject_categories"] + data_values = self.get_subject_categories_dict(intra_extension_uuid)["subject_categories"] if (name and name not in extract_name(data_values)) or \ (uuid and uuid not in data_values.keys()): raise SubjectCategoryUnknown() @@ -1792,89 +1782,28 @@ class IntraExtensionDriver(object): # Getter and Setter for intra_extension - def get_intra_extension_dict(self): - """Get a list of IntraExtension - :return: {"intra_extension_id": "intra_extension_name", } - """ - raise exception.NotImplemented() # pragma: no cover - - def get_intra_extension(self, intra_extension_id): - """Get a description of an IntraExtension - :param intra_extension_id: the IntraExtension UUID - :return: {intra_extension_id: intra_extension_name, ...} - """ + def get_intra_extensions_dict(self): raise exception.NotImplemented() # pragma: no cover - def set_intra_extension(self, intra_extension_id, intra_extension_dict): - """Set a new IntraExtension - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param intra_extension_dict: a dictionary withe the description of the IntraExtension (see below) - :type intra_extension_dict: dict - :return: the IntraExtension dictionary, example: - { - "id": "uuid1", - "name": "Name of the intra_extension", - "model": "Model of te intra_extension (admin or authz)" - "description": "a description of the intra_extension" - } - """ - raise exception.NotImplemented() # pragma: no cover + # TODO: check with load + # def add_intra_extensions_dict(self): + # raise exception.NotImplemented() # pragma: no cover def del_intra_extension(self, intra_extension_id): - """Delete an IntraExtension + raise exception.NotImplemented() # pragma: no cover - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :return: None - """ + def set_intra_extension_dict(self, intra_extension_id, intra_extension_dict): raise exception.NotImplemented() # pragma: no cover # Metadata functions - def get_subject_category_dict(self, intra_extension_id): - """Get a list of all subject categories - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :return: a dictionary containing all subject categories {"uuid1": "name1", "uuid2": "name2"} - """ + def get_subject_categories_dict(self, intra_extension_id): raise exception.NotImplemented() # pragma: no cover def set_subject_category_dict(self, intra_extension_id, subject_category_id, subject_category_dict): - """Set the list of all subject categories - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_category_dict: dict of subject categories {"uuid1": "name1", "uuid2": "name2"} - :type subject_category_dict: dict - :return: a dictionary containing all subject categories {"uuid1": "name1", "uuid2": "name2"} - """ - raise exception.NotImplemented() # pragma: no cover - - def add_subject_category(self, intra_extension_id, subject_category_id, subject_category_name): - """Add a subject category - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_category_id: the UUID of the subject category - :type subject_category_id: string - :param subject_category_name: the name of the subject category - :type subject_category_name: string - :return: a dictionnary with the subject catgory added {"uuid1": "name1"} - """ raise exception.NotImplemented() # pragma: no cover def del_subject_category(self, intra_extension_id, subject_category_id): - """Remove one subject category - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_category_id: the UUID of subject category to remove - :type subject_category_id: string - :return: a dictionary containing all subject categories {"uuid1": "name1", "uuid2": "name2"} - """ raise exception.NotImplemented() # pragma: no cover def get_object_category_dict(self, intra_extension_id): @@ -1967,7 +1896,7 @@ class IntraExtensionDriver(object): # Perimeter functions - def get_subject_dict(self, intra_extension_id): + def get_subjects_dict(self, intra_extension_id): """Get the list of subject for that IntraExtension :param intra_extension_id: IntraExtension UUID @@ -1976,179 +1905,45 @@ class IntraExtensionDriver(object): """ raise exception.NotImplemented() # pragma: no cover - def set_subject_dict(self, intra_extension_id, subject_dict): - """Set the list of subject for that IntraExtension - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_dict: dict of subject: {"uuid1": "name1", "uuid2": "name2"} - :type subject_dict: dict - :return: a dictionary containing all subjects for that IntraExtension, eg. {"uuid1": "name1", "uuid2": "name2"} - """ - raise exception.NotImplemented() # pragma: no cover - - def add_subject(self, intra_extension_id, subject_id, subject_name): - """Add a subject - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_id: Subject UUID - :type subject_id: string - :param subject_name: Subject name - :type subject_name: string - :return: the added subject {"uuid1": "name1"} - """ + def set_subject_dict(self, intra_extension_id, subject_id, subject_dict): raise exception.NotImplemented() # pragma: no cover def del_subject(self, intra_extension_id, subject_id): - """Remove a subject - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_id: Subject UUID - :type subject_id: string - :return: None - """ raise exception.NotImplemented() # pragma: no cover def get_object_dict(self, intra_extension_id): - """Get the list of object for that IntraExtension - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :return: a dictionary containing all objects for that IntraExtension, eg. {"uuid1": "name1", "uuid2": "name2"} - """ raise exception.NotImplemented() # pragma: no cover def set_object_dict(self, intra_extension_id, object_dict): - """Set the list of object for that IntraExtension - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param object_dict: dict of object: {"uuid1": "name1", "uuid2": "name2"} - :type object_dict: dict - :return: a dictionary containing all objects for that IntraExtension, eg. {"uuid1": "name1", "uuid2": "name2"} - """ raise exception.NotImplemented() # pragma: no cover def add_object(self, intra_extension_id, object_id, object_name): - """Ad an object - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param object_id: Object UUID - :type object_id: string - :param object_name: Object name - :type object_name: string - :return: the added object {"uuid1": "name1"} - """ raise exception.NotImplemented() # pragma: no cover def del_object(self, intra_extension_id, object_id): - """Remove an object - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param object_id: Object UUID - :type object_id: string - :return: None - """ raise exception.NotImplemented() # pragma: no cover def get_action_dict(self, intra_extension_id): - """ Get the list of action for that IntraExtension - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :return: a dictionary containing all actions for that IntraExtension, eg. {"uuid1": "name1", "uuid2": "name2"} - """ raise exception.NotImplemented() # pragma: no cover def set_action_dict(self, intra_extension_id, action_dict): - """ Set the list of action for that IntraExtension - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param action_dict: dict of actions: {"uuid1": "name1", "uuid2": "name2"} - :type action_dict: dict - :return: a dictionary containing all actions for that IntraExtension, eg. {"uuid1": "name1", "uuid2": "name2"} - """ raise exception.NotImplemented() # pragma: no cover def add_action(self, intra_extension_id, action_id, action_name): - """Ad an action - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param action_id: Action UUID - :type action_id: string - :param action_name: Action name - :type action_name: string - :return: the added action {"uuid1": "name1"} - """ raise exception.NotImplemented() # pragma: no cover def del_action(self, intra_extension_id, action_id): - """Remove an action - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param action_id: Action UUID - :type action_id: string - :return: None - """ raise exception.NotImplemented() # pragma: no cover # Scope functions - def get_subject_scope_dict(self, intra_extension_id, subject_category_id): - """Get a list of all subject category scope - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_category_id: the category UUID where the scope values are - :type subject_category_id: string - :return: a dictionary containing all subject category scope {"category1": {"scope_uuid1": "scope_name1}} - """ - raise exception.NotImplemented() # pragma: no cover - - def set_subject_scope_dict(self, intra_extension_id, subject_category_id, subject_scope_dict): - """Set the list of all scope for that subject category - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_category_id: the UUID of the subject category where this scope will be set - :type subject_category_id: string - :return: a dictionary containing all scope {"scope_uuid1": "scope_name1, "scope_uuid2": "scope_name2} - """ + def get_subject_scopes_dict(self, intra_extension_id, subject_category_id): raise exception.NotImplemented() # pragma: no cover - def add_subject_scope(self, intra_extension_id, subject_category_id, subject_scope_id, subject_scope_name): - """Add a subject category - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_category_id: the subject category UUID where the scope will be added - :type subject_category_id: string - :param subject_scope_id: the UUID of the subject category - :type subject_scope_id: string - :param subject_scope_name: the name of the subject category - :type subject_scope_name: string - :return: a dictionary containing the subject category scope added {"category1": {"scope_uuid1": "scope_name1}} - """ + def set_subject_scope_dict(self, intra_extension_id, subject_category_id, subject_scope_id, subject_scope_dict): raise exception.NotImplemented() # pragma: no cover def del_subject_scope(self, intra_extension_id, subject_category_id, subject_scope_id): - """Remove one scope belonging to a subject category - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_category_id: the UUID of subject categorywhere we can find the scope to remove - :type subject_category_id: string - :param subject_scope_id: the UUID of the scope to remove - :type subject_scope_id: string - :return: None - """ raise exception.NotImplemented() # pragma: no cover def get_object_scope_dict(self, intra_extension_id, object_category_id): @@ -2253,258 +2048,69 @@ class IntraExtensionDriver(object): # Assignment functions - def get_subject_assignment_dict(self, intra_extension_id, subject_id): - """Get the assignment for a given subject_uuid - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_id: subject UUID - :type subject_id: string - :return: a dictionary of assignment for the given subject {"cat1": ["scope_uuid1", "scope_uuid2"]} - :raises: IntraExtensionNotFound, SubjectUnknown, SubjectCategoryAssignmentUnknown, SubjectCategoryAssignmentOutOfScope - """ + def get_subject_assignment_list(self, intra_extension_id, subject_id, subject_category_id): raise exception.NotImplemented() # pragma: no cover - def set_subject_assignment_dict(self, intra_extension_id, subject_id, subject_assignment_dict): - """Set the assignment for a given subject_uuid - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_id: subject UUID - :type subject_id: string - :param subject_assignment_dict: the assignment dictionary {"cat1": ["scope_uuid1", "scope_uuid2"]} - :type subject_assignment_dict: dict - :return: a dictionary of assignment for the given subject {"cat1": ["scope_uuid1", "scope_uuid2"]} - """ + def set_subject_assignment_list(self, intra_extension_id, subject_id, subject_category_id, subject_assignment_list): raise exception.NotImplemented() # pragma: no cover - def add_subject_assignment(self, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - """Add a scope to a category and to a subject - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_id: the subject UUID - :type subject_id: string - :param subject_category_id: the category UUID - :type subject_category_id: string - :param subject_scope_id: the scope UUID - :type subject_scope_id: string - :return: a dictionary of assignment for the given subject {"cat1": ["scope_uuid1", "scope_uuid2"]} - """ + def add_subject_assignment_list(self, intra_extension_id, subject_id, subject_category_id, subject_scope_id): raise exception.NotImplemented() # pragma: no cover def del_subject_assignment(self, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - """Remove a scope from a category and from a subject - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param subject_id: the subject UUID - :type subject_id: string - :param subject_category_id: the category UUID - :type subject_category_id: string - :param subject_scope_id: the scope UUID - :type subject_scope_id: string - :return: None - """ raise exception.NotImplemented() # pragma: no cover def get_object_assignment_dict(self, intra_extension_id, object_id): - """Get the assignment for a given object_uuid - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param object_id: object UUID - :type object_id: string - :return: a dictionary of assignment for the given object {"cat1": ["scope_uuid1", "scope_uuid2"]} - :raises: IntraExtensionNotFound, ObjectUnknown, ObjectCategoryAssignmentUnknown, ObjectCategoryAssignmentOutOfScope - """ raise exception.NotImplemented() # pragma: no cover def set_object_assignment_dict(self, intra_extension_id, object_id, object_assignment_dict): - """Set the assignment for a given object_uuid - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param object_id: object UUID - :type object_id: string - :param object_assignment_dict: the assignment dictionary {"cat1": ["scope_uuid1", "scope_uuid2"]} - :type object_assignment_dict: dict - :return: a dictionary of assignment for the given object {"cat1": ["scope_uuid1", "scope_uuid2"]} - """ raise exception.NotImplemented() # pragma: no cover def add_object_assignment(self, intra_extension_id, object_id, object_category_id, object_scope_id): - """Add a scope to a category and to a object - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param object_id: the object UUID - :type object_id: string - :param object_category_id: the category UUID - :type object_category_id: string - :param object_scope_id: the scope UUID - :type object_scope_id: string - :return: a dictionary of assignment for the given object {"cat1": ["scope_uuid1", "scope_uuid2"]} - """ raise exception.NotImplemented() # pragma: no cover def del_object_assignment(self, intra_extension_id, object_id, object_category_id, object_scope_id): - """Remove a scope from a category and from a object - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param object_id: the object UUID - :type object_id: string - :param object_category_id: the category UUID - :type object_category_id: string - :param object_scope_id: the scope UUID - :type object_scope_id: string - :return: None - """ raise exception.NotImplemented() # pragma: no cover def get_action_assignment_dict(self, intra_extension_id, action_id): - """Get the assignment for a given action_uuid - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param action_id: action UUID - :type action_id: string - :return: a dictionary of assignment for the given action {"cat1": ["scope_uuid1", "scope_uuid2"]} - :raises: IntraExtensionNotFound, ActionUnknown, ActionCategoryAssignmentUnknown, ActionCategoryAssignmentOutOfScope - """ raise exception.NotImplemented() # pragma: no cover def set_action_assignment_dict(self, intra_extension_id, action_id, action_assignment_dict): - """Set the assignment for a given action_uuid - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param action_id: action UUID - :type action_id: string - :param action_assignment_dict: the assignment dictionary {"cat1": ["scope_uuid1", "scope_uuid2"]} - :type action_assignment_dict: dict - :return: a dictionary of assignment for the given action {"cat1": ["scope_uuid1", "scope_uuid2"]} - """ raise exception.NotImplemented() # pragma: no cover def add_action_assignment(self, intra_extension_id, action_id, action_category_id, action_scope_id): - """Add a scope to a category and to a action - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param action_id: the action UUID - :type action_id: string - :param action_category_id: the category UUID - :type action_category_id: string - :param action_scope_id: the scope UUID - :type action_scope_id: string - :return: a dictionary of assignment for the given action {"cat1": ["scope_uuid1", "scope_uuid2"]} - """ raise exception.NotImplemented() # pragma: no cover def del_action_assignment(self, intra_extension_id, action_id, action_category_id, action_scope_id): - """Remove a scope from a category and from a action - - :param intra_extension_id: IntraExtension UUID - :type intra_extension_id: string - :param action_id: the action UUID - :type action_id: string - :param action_category_id: the category UUID - :type action_category_id: string - :param action_scope_id: the scope UUID - :type action_scope_id: string - :return: None - """ raise exception.NotImplemented() # pragma: no cover # Meta_rule functions - def get_sub_meta_rule_dict(self, extension_uuid): - """Get the Meta rule - - :param extension_uuid: IntraExtension UUID - :type extension_uuid: string - :return: a dictionary containing the meta_rule - - Here is an example of a meta_rule: - { - "sub_meta_rules": { - "relation_super": { - "subject_categories": ["role"], - "action_categories": ["computing_action"], - "object_categories": ["id"], - "relation": "relation_super" - } - }, - "aggregation": "and_true_aggregation" - } - """ + def set_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): raise exception.NotImplemented() # pragma: no cover - def set_sub_meta_rule_dict(self, extension_uuid, meta_rule_dict): - """Set the Meta rule + def get_aggregation_algorithm(self, intra_extension_id): + raise exception.NotImplemented() # pragma: no cover - :param extension_uuid: IntraExtension UUID - :type extension_uuid: string - :param meta_rule: a dictionary representing the meta_rule (see below) - :return:a dictionary containing the meta_rule + def get_sub_meta_rules_dict(self, intra_extension_id): + raise exception.NotImplemented() # pragma: no cover - Here is an example of a meta_rule: - { - "sub_meta_rules": { - "relation_super": { - "subject_categories": ["role"], - "action_categories": ["computing_action"], - "object_categories": ["id"], - "relation": "relation_super" - } - }, - "aggregation": "and_true_aggregation" - } - """ + def set_sub_meta_rule_dict(self, intra_extension_id, sub_meta_rule_id, meta_rule_dict): + raise exception.NotImplemented() # pragma: no cover + + def del_sub_meta_rule(self, intra_extension_id, sub_meta_rule_id): raise exception.NotImplemented() # pragma: no cover # Rule functions - def get_rule_dict(self, extension_uuid): - """Get all rules - - :param extension_uuid: IntraExtension UUID - :type extension_uuid: string - :return: a dictionary containing rules ie. - { - "relation_super":[ - ["admin", "vm_admin", "servers", True], - ["admin", "vm_access", "servers", True] - ] - } - All items will be UUID. - The last boolean item is the positive/negative value. If True, request that conforms to that rule - will be authorized, if false, request will be rejected. - """ + def get_rules_dict(self, intra_extension_id, sub_meta_rule_id): raise exception.NotImplemented() # pragma: no cover - def set_rule_dict(self, extension_uuid, rule_dict): - """Set all rules - - :param extension_uuid: IntraExtension UUID - :type extension_uuid: string - :param rules: a dictionary containing rules (see below) - :type rules: dict - :return: a dictionary containing rules ie. - { - "relation_super":[ - ["admin", "vm_admin", "servers", True], - ["admin", "vm_access", "servers", True] - ] - } - All items will be UUID. - The last boolean item is the positive/negative value. If True, request that conforms to that rule - will be authorized, if false, request will be rejected. - """ + def set_rule_dict(self, intra_extension_id, sub_meta_rule_id, rule_id, rule_list): raise exception.NotImplemented() # pragma: no cover + def del_rule_dict(self, intra_extension_id, sub_meta_rule_id, rule_id): + raise exception.NotImplemented() # pragma: no cover class LogDriver(object): diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py index 1bf36abd..1339122c 100644 --- a/keystone-moon/keystone/contrib/moon/exception.py +++ b/keystone-moon/keystone/contrib/moon/exception.py @@ -78,13 +78,6 @@ class IntraExtensionException(MoonError): title = 'Extension Error' -class IntraExtensionUnMapped(IntraExtensionException): - message_format = _("The Extension is not mapped to a tenant.") - code = 400 - title = 'Extension UUID Not Found Error' - logger = "WARNING" - - class IntraExtensionUnknown(IntraExtensionException): message_format = _("The intra_extension is unknown.") code = 400 @@ -327,13 +320,6 @@ class ActionAssignmentExisting(AuthzAssignment): logger = "ERROR" -class AggregationAlgorithmExisting(AuthzMetadata): - message_format = _("The given aggregation algorithm is existing.") - code = 400 - title = 'Aggregation Algorithm Existing' - logger = "ERROR" - - class AggregationAlgorithmNotExisting(AuthzMetadata): message_format = _("The given aggregation algorithm is not existing.") code = 400 @@ -354,6 +340,7 @@ class SubMetaRuleUnknown(AuthzMetadata): title = 'Sub Meta Rule Unknown' logger = "ERROR" + class SubMetaRuleNameExisting(AuthzMetadata): message_format = _("The sub meta rule name is existing.") code = 400 diff --git a/keystone-moon/keystone/contrib/moon/routers.py b/keystone-moon/keystone/contrib/moon/routers.py index aedb9ec6..340b8d8f 100644 --- a/keystone-moon/keystone/contrib/moon/routers.py +++ b/keystone-moon/keystone/contrib/moon/routers.py @@ -118,6 +118,7 @@ class Routers(wsgi.RoutersBase): path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}/subject_categories/{subject_category_id}', get_action='get_subject_category', delete_action='del_subject_category', + post_action='set_subject_category', rel=self._get_rel('subject_categories'), path_vars={ 'intra_extension_id': self._get_path('intra_extensions'), @@ -174,6 +175,7 @@ class Routers(wsgi.RoutersBase): path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}/subjects/{subject_id}', get_action='get_subject', delete_action='del_subject', + post_action='set_subject', rel=self._get_rel('subjects'), path_vars={ 'intra_extension_id': self._get_path('intra_extensions'), @@ -230,6 +232,7 @@ class Routers(wsgi.RoutersBase): path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}/subject_scopes/{subject_category_id}/{subject_scope_id}', get_action='get_subject_scope', delete_action='del_subject_scope', + post_action='set_subject_scope', rel=self._get_rel('subject_scope'), path_vars={ 'intra_extension_id': self._get_path('intra_extensions'), @@ -271,15 +274,6 @@ class Routers(wsgi.RoutersBase): 'intra_extension_id': self._get_path('intra_extensions'), }) - # Assignment route - self._add_resource( - mapper, intra_ext_controller, - path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}/subject_assignments/{subject_id}', - get_action='get_subject_assignments', - rel=self._get_rel('subject_assignments'), - path_vars={ - 'intra_extension_id': self._get_path('intra_extensions'), - }) self._add_resource( mapper, intra_ext_controller, path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}/subject_assignments', @@ -379,7 +373,7 @@ class Routers(wsgi.RoutersBase): self._add_resource( mapper, intra_ext_controller, path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}/aggregation_algorithm', - post_action='add_aggregation_algorithm', + post_action='set_aggregation_algorithm', rel=self._get_rel('aggregation_algorithms'), path_vars={ 'intra_extension_id': self._get_path('intra_extensions'), @@ -388,7 +382,6 @@ class Routers(wsgi.RoutersBase): mapper, intra_ext_controller, path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}/aggregation_algorithm/{aggregation_algorithm_id}', get_action='get_aggregation_algorithm', - delete_action='del_aggregation_algorithm', rel=self._get_rel('aggregation_algorithms'), path_vars={ 'intra_extension_id': self._get_path('intra_extensions'), @@ -407,6 +400,7 @@ class Routers(wsgi.RoutersBase): path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}/sub_meta_rules/{sub_meta_rule_id}', get_action='get_sub_meta_rule', delete_action='del_sub_meta_rule', + post_action='set_sub_meta_rule', rel=self._get_rel('sub_meta_rules'), path_vars={ 'intra_extension_id': self._get_path('intra_extensions'), @@ -427,6 +421,7 @@ class Routers(wsgi.RoutersBase): path=self.PATH_PREFIX+'/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}/{rule_id}', get_action='get_rule', delete_action='del_rule', + post_action='set_rule', rel=self._get_rel('rules'), path_vars={ 'intra_extension_id': self._get_path('intra_extensions'), diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py index 0b7c1d21..cfa2eb4f 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py @@ -103,7 +103,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.create_user("admin") self.create_intra_extension() - subjects = self.manager.get_subject_dict("admin", self.ref["id"]) + subjects = self.manager.get_subjects_dict("admin", self.ref["id"]) self.assertIsInstance(subjects, dict) self.assertIn("subjects", subjects) self.assertIn("id", subjects) @@ -125,7 +125,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): # Delete the new subject self.manager.del_subject("admin", self.ref["id"], new_subject["id"]) - subjects = self.manager.get_subject_dict("admin", self.ref["id"]) + subjects = self.manager.get_subjects_dict("admin", self.ref["id"]) self.assertIsInstance(subjects, dict) self.assertIn("subjects", subjects) self.assertIn("id", subjects) @@ -134,12 +134,12 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.assertNotIn(new_subject["id"], subjects["subjects"]) # Add a particular subject - subjects = self.manager.add_subject("admin", self.ref["id"], new_subject["id"]) + subjects = self.manager.add_subject_dict("admin", self.ref["id"], new_subject["id"]) self.assertIsInstance(subjects, dict) self.assertIn("subject", subjects) self.assertIn("uuid", subjects["subject"]) self.assertEqual(new_subject["name"], subjects["subject"]["name"]) - subjects = self.manager.get_subject_dict("admin", self.ref["id"]) + subjects = self.manager.get_subjects_dict("admin", self.ref["id"]) self.assertIsInstance(subjects, dict) self.assertIn("subjects", subjects) self.assertIn("id", subjects) @@ -252,7 +252,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.create_user("admin") self.create_intra_extension() - subject_categories = self.manager.get_subject_category_dict("admin", self.ref["id"]) + subject_categories = self.manager.get_subject_categories_dict("admin", self.ref["id"]) self.assertIsInstance(subject_categories, dict) self.assertIn("subject_categories", subject_categories) self.assertIn("id", subject_categories) @@ -274,7 +274,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): # Delete the new subject_category self.manager.del_subject_category("admin", self.ref["id"], new_subject_category["id"]) - subject_categories = self.manager.get_subject_category_dict("admin", self.ref["id"]) + subject_categories = self.manager.get_subject_categories_dict("admin", self.ref["id"]) self.assertIsInstance(subject_categories, dict) self.assertIn("subject_categories", subject_categories) self.assertIn("id", subject_categories) @@ -292,7 +292,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.assertIn("uuid", subject_categories["subject_category"]) self.assertEqual(new_subject_category["name"], subject_categories["subject_category"]["name"]) new_subject_category["id"] = subject_categories["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_category_dict( + subject_categories = self.manager.get_subject_categories_dict( "admin", self.ref["id"]) self.assertIsInstance(subject_categories, dict) @@ -427,7 +427,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): ) for subject_category in subject_categories["subject_categories"]: - subject_category_scope = self.manager.get_subject_scope_dict( + subject_category_scope = self.manager.get_subject_scopes_dict( "admin", self.ref["id"], subject_category) @@ -460,7 +460,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.ref["id"], subject_category, new_subject_category_scope_uuid) - subject_category_scope = self.manager.get_subject_scope_dict( + subject_category_scope = self.manager.get_subject_scopes_dict( "admin", self.ref["id"], subject_category) @@ -472,7 +472,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"]) # Add a particular subject_category_scope - subject_category_scope = self.manager.add_subject_scope( + subject_category_scope = self.manager.add_subject_scope_dict( "admin", self.ref["id"], subject_category, @@ -482,7 +482,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.assertIn("uuid", subject_category_scope["subject_category_scope"]) self.assertEqual(new_subject_category_scope[new_subject_category_scope_uuid], subject_category_scope["subject_category_scope"]["name"]) - subject_category_scope = self.manager.get_subject_scope_dict( + subject_category_scope = self.manager.get_subject_scopes_dict( "admin", self.ref["id"], subject_category) @@ -676,7 +676,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): ) for subject_category in subject_categories["subject_categories"]: - subject_category_scope = self.manager.get_subject_scope_dict( + subject_category_scope = self.manager.get_subject_scopes_dict( "admin", self.ref["id"], subject_category) @@ -1113,25 +1113,25 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"]) self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"]) - aggregation_algorithm = self.manager.get_aggregation_algorithm("admin", self.ref["id"]) + aggregation_algorithm = self.manager.get_aggregation_algorithm_dict("admin", self.ref["id"]) self.assertIsInstance(aggregation_algorithm, dict) self.assertIn("aggregation", aggregation_algorithm) self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"]) _aggregation_algorithm.remove(aggregation_algorithm["aggregation"]) - aggregation_algorithm = self.manager.set_aggregation_algorithm("admin", self.ref["id"], _aggregation_algorithm[0]) + aggregation_algorithm = self.manager.set_aggregation_algorithm_dict("admin", self.ref["id"], _aggregation_algorithm[0]) self.assertIsInstance(aggregation_algorithm, dict) self.assertIn("aggregation", aggregation_algorithm) self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - sub_meta_rules = self.manager.get_sub_meta_rule_dict("admin", self.ref["id"]) + sub_meta_rules = self.manager.get_sub_meta_rules_dict("admin", self.ref["id"]) self.assertIsInstance(sub_meta_rules, dict) self.assertIn("sub_meta_rules", sub_meta_rules) sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, self.ref["model"], "metarule.json"))) metarule = dict() categories = { - "subject_categories": self.manager.get_subject_category_dict("admin", self.ref["id"]), + "subject_categories": self.manager.get_subject_categories_dict("admin", self.ref["id"]), "object_categories": self.manager.get_object_category_dict("admin", self.ref["id"]), "action_categories": self.manager.get_action_category_dict("admin", self.ref["id"]) } @@ -1160,7 +1160,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.ref["id"], new_subject_category["name"]) new_subject_category["id"] = data["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_category_dict( + subject_categories = self.manager.get_subject_categories_dict( "admin", self.ref["id"]) self.assertIsInstance(subject_categories, dict) @@ -1183,7 +1183,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.create_user("admin") self.create_intra_extension() - sub_meta_rules = self.manager.get_sub_meta_rule_dict("admin", self.ref["id"]) + sub_meta_rules = self.manager.get_sub_meta_rules_dict("admin", self.ref["id"]) self.assertIsInstance(sub_meta_rules, dict) self.assertIn("sub_meta_rules", sub_meta_rules) @@ -1196,7 +1196,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): rules[relation] = list() for rule in sub_rules["rules"][relation]: for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scope_dict, "subject_category_scope"), + ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), ("action_categories", self.manager.get_action_scope_dict, "action_category_scope"), ("object_categories", self.manager.get_object_scope_dict, "object_category_scope"), ): @@ -1215,7 +1215,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): relation = sub_rules["rules"].keys()[0] sub_rule = [] for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scope_dict, "subject_category_scope"), + ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), ("action_categories", self.manager.get_action_scope_dict, "action_category_scope"), ("object_categories", self.manager.get_object_scope_dict, "object_category_scope"), ): @@ -1238,7 +1238,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): rules[relation] = list() for rule in sub_rules["rules"][relation]: for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scope_dict, "subject_category_scope"), + ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), ("action_categories", self.manager.get_action_scope_dict, "action_category_scope"), ("object_categories", self.manager.get_object_scope_dict, "object_category_scope"), ): @@ -1321,10 +1321,10 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): self.assertRaises( SubjectReadNotAuthorized, - self.manager.get_subject_dict, + self.manager.get_subjects_dict, demo_user["id"], ref["id"]) - subjects = self.manager.get_subject_dict(admin_user["id"], ref["id"]) + subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"]) self.assertIsInstance(subjects, dict) self.assertIn("subjects", subjects) self.assertIn("id", subjects) @@ -1357,7 +1357,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): demo_user["id"], ref["id"], new_subject["id"]) self.manager.del_subject(admin_user["id"], ref["id"], new_subject["id"]) - subjects = self.manager.get_subject_dict(admin_user["id"], ref["id"]) + subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"]) self.assertIsInstance(subjects, dict) self.assertIn("subjects", subjects) self.assertIn("id", subjects) @@ -1368,15 +1368,15 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): # Add a particular subject self.assertRaises( SubjectAddNotAuthorized, - self.manager.add_subject, + self.manager.add_subject_dict, demo_user["id"], ref["id"], new_subject["id"]) - subjects = self.manager.add_subject(admin_user["id"], ref["id"], new_subject["id"]) + subjects = self.manager.add_subject_dict(admin_user["id"], ref["id"], new_subject["id"]) self.assertIsInstance(subjects, dict) self.assertIn("subject", subjects) self.assertIn("uuid", subjects["subject"]) self.assertEqual(new_subject["name"], subjects["subject"]["name"]) - subjects = self.manager.get_subject_dict(admin_user["id"], ref["id"]) + subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"]) self.assertIsInstance(subjects, dict) self.assertIn("subjects", subjects) self.assertIn("id", subjects) @@ -1533,10 +1533,10 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): self.assertRaises( SubjectCategoryReadNotAuthorized, - self.manager.get_subject_category_dict, + self.manager.get_subject_categories_dict, demo_user["id"], ref["id"]) - subject_categories = self.manager.get_subject_category_dict(admin_user["id"], ref["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]) self.assertIsInstance(subject_categories, dict) self.assertIn("subject_categories", subject_categories) self.assertIn("id", subject_categories) @@ -1569,7 +1569,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): demo_user["id"], ref["id"], new_subject_category["id"]) self.manager.del_subject_category(admin_user["id"], ref["id"], new_subject_category["id"]) - subject_categories = self.manager.get_subject_category_dict(admin_user["id"], ref["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]) self.assertIsInstance(subject_categories, dict) self.assertIn("subject_categories", subject_categories) self.assertIn("id", subject_categories) @@ -1592,7 +1592,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): self.assertIn("uuid", subject_categories["subject_category"]) self.assertEqual(new_subject_category["name"], subject_categories["subject_category"]["name"]) new_subject_category["id"] = subject_categories["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_category_dict( + subject_categories = self.manager.get_subject_categories_dict( admin_user["id"], ref["id"]) self.assertIsInstance(subject_categories, dict) @@ -1776,10 +1776,10 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): for subject_category in subject_categories["subject_categories"]: self.assertRaises( SubjectCategoryScopeReadNotAuthorized, - self.manager.get_subject_scope_dict, + self.manager.get_subject_scopes_dict, demo_user["id"], ref["id"], subject_category) - subject_category_scope = self.manager.get_subject_scope_dict( + subject_category_scope = self.manager.get_subject_scopes_dict( admin_user["id"], ref["id"], subject_category) @@ -1823,7 +1823,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): ref["id"], subject_category, new_subject_category_scope_uuid) - subject_category_scope = self.manager.get_subject_scope_dict( + subject_category_scope = self.manager.get_subject_scopes_dict( admin_user["id"], ref["id"], subject_category) @@ -1837,11 +1837,11 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): # Add a particular subject_category_scope self.assertRaises( SubjectCategoryScopeAddNotAuthorized, - self.manager.add_subject_scope, + self.manager.add_subject_scope_dict, demo_user["id"], ref["id"], subject_category, new_subject_category_scope[new_subject_category_scope_uuid]) - subject_category_scope = self.manager.add_subject_scope( + subject_category_scope = self.manager.add_subject_scope_dict( admin_user["id"], ref["id"], subject_category, @@ -1851,7 +1851,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): self.assertIn("uuid", subject_category_scope["subject_category_scope"]) self.assertEqual(new_subject_category_scope[new_subject_category_scope_uuid], subject_category_scope["subject_category_scope"]["name"]) - subject_category_scope = self.manager.get_subject_scope_dict( + subject_category_scope = self.manager.get_subject_scopes_dict( admin_user["id"], ref["id"], subject_category) @@ -2093,7 +2093,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): ) for subject_category in subject_categories["subject_categories"]: - subject_category_scope = self.manager.get_subject_scope_dict( + subject_category_scope = self.manager.get_subject_scopes_dict( admin_user["id"], ref["id"], subject_category) @@ -2624,11 +2624,11 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): self.assertRaises( MetaRuleReadNotAuthorized, - self.manager.get_aggregation_algorithm, + self.manager.get_aggregation_algorithm_dict, demo_user["id"], ref["id"] ) - aggregation_algorithm = self.manager.get_aggregation_algorithm(admin_user["id"], ref["id"]) + aggregation_algorithm = self.manager.get_aggregation_algorithm_dict(admin_user["id"], ref["id"]) self.assertIsInstance(aggregation_algorithm, dict) self.assertIn("aggregation", aggregation_algorithm) self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) @@ -2642,24 +2642,24 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): demo_user["id"], ref["id"], _aggregation_algorithm[0] ) - aggregation_algorithm = self.manager.set_aggregation_algorithm(admin_user["id"], ref["id"], _aggregation_algorithm[0]) + aggregation_algorithm = self.manager.set_aggregation_algorithm_dict(admin_user["id"], ref["id"], _aggregation_algorithm[0]) self.assertIsInstance(aggregation_algorithm, dict) self.assertIn("aggregation", aggregation_algorithm) self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) self.assertRaises( MetaRuleReadNotAuthorized, - self.manager.get_sub_meta_rule_dict, + self.manager.get_sub_meta_rules_dict, demo_user["id"], ref["id"] ) - sub_meta_rules = self.manager.get_sub_meta_rule_dict(admin_user["id"], ref["id"]) + sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) self.assertIsInstance(sub_meta_rules, dict) self.assertIn("sub_meta_rules", sub_meta_rules) sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, ref["model"], "metarule.json"))) metarule = dict() categories = { - "subject_categories": self.manager.get_subject_category_dict(admin_user["id"], ref["id"]), + "subject_categories": self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]), "object_categories": self.manager.get_object_category_dict(admin_user["id"], ref["id"]), "action_categories": self.manager.get_action_category_dict(admin_user["id"], ref["id"]) } @@ -2688,7 +2688,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): ref["id"], new_subject_category["name"]) new_subject_category["id"] = data["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_category_dict( + subject_categories = self.manager.get_subject_categories_dict( admin_user["id"], ref["id"]) self.assertIsInstance(subject_categories, dict) @@ -2701,11 +2701,11 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): self.assertRaises( MetaRuleAddNotAuthorized, - self.manager.get_sub_meta_rule, + self.manager.get_sub_meta_rule_dict, demo_user["id"], ref["id"], metarule ) - _sub_meta_rules = self.manager.get_sub_meta_rule(admin_user["id"], ref["id"], metarule) + _sub_meta_rules = self.manager.get_sub_meta_rule_dict(admin_user["id"], ref["id"], metarule) self.assertIn(relation, metarule) for item in ("subject_categories", "object_categories", "action_categories"): self.assertEqual( @@ -2718,7 +2718,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): admin_user = self.create_user("admin") ref = self.create_intra_extension() - sub_meta_rules = self.manager.get_sub_meta_rule_dict(admin_user["id"], ref["id"]) + sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) self.assertIsInstance(sub_meta_rules, dict) self.assertIn("sub_meta_rules", sub_meta_rules) @@ -2737,7 +2737,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): rules[relation] = list() for rule in sub_rules["rules"][relation]: for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scope_dict, "subject_category_scope"), + ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), ("action_categories", self.manager.get_action_scope_dict, "action_category_scope"), ("object_categories", self.manager.get_object_scope_dict, "object_category_scope"), ): @@ -2756,7 +2756,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): relation = sub_rules["rules"].keys()[0] sub_rule = [] for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scope_dict, "subject_category_scope"), + ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), ("action_categories", self.manager.get_action_scope_dict, "action_category_scope"), ("object_categories", self.manager.get_object_scope_dict, "object_category_scope"), ): @@ -2785,7 +2785,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): rules[relation] = list() for rule in sub_rules["rules"][relation]: for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scope_dict, "subject_category_scope"), + ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), ("action_categories", self.manager.get_action_scope_dict, "action_category_scope"), ("object_categories", self.manager.get_object_scope_dict, "object_category_scope"), ): diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py index 7bbac97a..5eeed82a 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py @@ -162,7 +162,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): # Test when subject is known but not the object demo_user = self.create_user("demo") - self.manager.add_subject( + self.manager.add_subject_dict( admin_user['id'], self.ref["id"], demo_user["id"] @@ -210,7 +210,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): ) my_subject_category = {"id": _tmp[0], "name": _tmp[1]} - _tmp = self.manager.add_subject_scope( + _tmp = self.manager.add_subject_scope_dict( admin_user['id'], self.ref["id"], my_subject_category["id"], @@ -322,7 +322,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): "relation": "relation_super" } } - self.manager.get_sub_meta_rule( + self.manager.get_sub_meta_rule_dict( admin_user['id'], self.ref["id"], my_meta_rule @@ -345,7 +345,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): ref_admin = self.create_intra_extension("policy_admin") self.create_mapping(tenant, ref["id"], ref_admin["id"]) - subjects = self.manager.get_subject_dict(admin_user["id"], tenant["id"]) + subjects = self.manager.get_subjects_dict(admin_user["id"], tenant["id"]) self.assertIsInstance(subjects, dict) self.assertIn("subjects", subjects) self.assertIn("id", subjects) @@ -370,7 +370,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): # Add a particular subject self.assertRaises( SubjectAddNotAuthorized, - self.manager.add_subject, + self.manager.add_subject_dict, admin_user["id"], ref["id"], new_subject["id"]) def test_objects(self): @@ -453,7 +453,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): ref_admin = self.create_intra_extension("policy_admin") self.create_mapping(tenant, ref["id"], ref_admin["id"]) - subject_categories = self.manager.get_subject_category_dict(admin_user["id"], ref["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]) self.assertIsInstance(subject_categories, dict) self.assertIn("subject_categories", subject_categories) self.assertIn("id", subject_categories) @@ -571,7 +571,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): ) for subject_category in subject_categories["subject_categories"]: - subject_category_scope = self.manager.get_subject_scope_dict( + subject_category_scope = self.manager.get_subject_scopes_dict( admin_user["id"], ref["id"], subject_category) @@ -599,7 +599,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): # Add a particular subject_category_scope self.assertRaises( SubjectCategoryScopeAddNotAuthorized, - self.manager.add_subject_scope, + self.manager.add_subject_scope_dict, admin_user["id"], ref["id"], subject_category, new_subject_category_scope[new_subject_category_scope_uuid]) def test_object_category_scope(self): @@ -724,7 +724,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): ) for subject_category in subject_categories["subject_categories"]: - subject_category_scope = self.admin_manager.get_subject_scope_dict( + subject_category_scope = self.admin_manager.get_subject_scopes_dict( admin_user["id"], ref["id"], subject_category) @@ -1017,7 +1017,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"]) self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"]) - aggregation_algorithm = self.manager.get_aggregation_algorithm(admin_user["id"], ref["id"]) + aggregation_algorithm = self.manager.get_aggregation_algorithm_dict(admin_user["id"], ref["id"]) self.assertIsInstance(aggregation_algorithm, dict) self.assertIn("aggregation", aggregation_algorithm) self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) @@ -1026,16 +1026,16 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): _aggregation_algorithm.remove(aggregation_algorithm["aggregation"]) self.assertRaises( MetaRuleAddNotAuthorized, - self.manager.set_aggregation_algorithm, + self.manager.set_aggregation_algorithm_dict, admin_user["id"], ref["id"], _aggregation_algorithm[0]) - sub_meta_rules = self.manager.get_sub_meta_rule_dict(admin_user["id"], ref["id"]) + sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) self.assertIsInstance(sub_meta_rules, dict) self.assertIn("sub_meta_rules", sub_meta_rules) sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, ref["model"], "metarule.json"))) metarule = dict() categories = { - "subject_categories": self.manager.get_subject_category_dict(admin_user["id"], ref["id"]), + "subject_categories": self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]), "object_categories": self.manager.get_object_category_dict(admin_user["id"], ref["id"]), "action_categories": self.manager.get_action_category_dict(admin_user["id"], ref["id"]) } @@ -1064,7 +1064,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): ref["id"], new_subject_category["name"]) new_subject_category["id"] = data["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_category_dict( + subject_categories = self.manager.get_subject_categories_dict( admin_user["id"], ref["id"]) self.assertIsInstance(subject_categories, dict) @@ -1076,7 +1076,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): metarule[relation]["subject_categories"].append(new_subject_category["id"]) self.assertRaises( MetaRuleAddNotAuthorized, - self.manager.get_sub_meta_rule, + self.manager.get_sub_meta_rule_dict, admin_user["id"], ref["id"], metarule) def test_sub_rules(self): @@ -1087,7 +1087,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): ref_admin = self.create_intra_extension("policy_admin") self.create_mapping(tenant, ref["id"], ref_admin["id"]) - sub_meta_rules = self.manager.get_sub_meta_rule_dict(admin_user["id"], ref["id"]) + sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) self.assertIsInstance(sub_meta_rules, dict) self.assertIn("sub_meta_rules", sub_meta_rules) @@ -1100,7 +1100,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): rules[relation] = list() for rule in sub_rules["rules"][relation]: for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scope_dict, "subject_category_scope"), + ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), ("action_categories", self.manager.get_action_scope_dict, "action_category_scope"), ("object_categories", self.manager.get_object_scope_dict, "object_category_scope"), ): @@ -1118,7 +1118,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): relation = sub_rules["rules"].keys()[0] sub_rule = [] for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scope_dict, "subject_category_scope"), + ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), ("action_categories", self.manager.get_action_scope_dict, "action_category_scope"), ("object_categories", self.manager.get_object_scope_dict, "object_category_scope"), ): -- 2.16.6