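def create_request_from_message(self, invocation):
    """Build a XACML ``Request`` describing one message invocation.

    Every input is read from the invocation's message headers through
    ``invocation.get_header_value`` (with a fallback default) and is used
    as received; this method performs no validation of those headers, so
    the subject attributes the policy decision is based on are exactly
    what the message carried.

    Subject attributes: ``SENDER_ID`` (the sender service name when
    ``sender-type`` is ``'service'``, else the ``sender`` header),
    ``SUBJECT_ID`` (the ``ion-actor-id`` header, ``'anonymous'`` if absent)
    and one ``ROLE_ATTRIBUTE_ID`` attribute per Org in ``ion-actor-roles``.
    Resource attribute: ``RESOURCE_ID`` (the receiver's service name).
    Action attribute: ``ACTION_ID`` (the ``op`` header).

    Args:
        invocation: the message invocation being authorized.

    Returns:
        A populated ``Request`` with one subject, one resource and one action.
    """
    sender_type = invocation.get_header_value('sender-type', 'Unknown')
    if sender_type == 'service':
        sender_header = invocation.get_header_value('sender-service', 'Unknown')
        sender = invocation.get_service_name(sender_header)
    else:
        sender = invocation.get_header_value('sender', 'Unknown')

    receiver_header = invocation.get_header_value('receiver', 'Unknown')
    receiver = invocation.get_service_name(receiver_header)
    op = invocation.get_header_value('op', 'Unknown')
    ion_actor_id = invocation.get_header_value('ion-actor-id', 'anonymous')
    actor_roles = invocation.get_header_value('ion-actor-roles', {})

    # Lazy %-args: the message is only formatted when DEBUG is enabled.
    log.debug(
        "XACML Request: sender: %s, receiver:%s, op:%s, ion_actor_id:%s, ion_actor_roles:%s",
        sender, receiver, op, ion_actor_id, actor_roles)

    request = Request()

    subject = Subject()
    subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
    subject.attributes.append(
        self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, ion_actor_id))

    # One role attribute per Org. The first role of an Org becomes the
    # attribute's initial value as the bare role name; every further role
    # is appended as "<org>_<role>". That asymmetry is inherited from the
    # original code, which left handling of multiple Org roles as a TODO.
    # An Org with an empty role list produces no attribute (the original
    # appended None in that case).
    for org, roles in actor_roles.items():
        attribute = None
        for role in roles:
            if attribute is None:
                attribute = self.create_string_attribute(ROLE_ATTRIBUTE_ID, role)
            else:
                extra_value = StringAttributeValue()
                extra_value.value = org + "_" + role
                attribute.attributeValues.append(extra_value)
        if attribute is not None:
            subject.attributes.append(attribute)
    request.subjects.append(subject)

    resource = Resource()
    resource.attributes.append(
        self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
    request.resources.append(resource)

    request.action = Action()
    request.action.attributes.append(
        self.create_string_attribute(Identifiers.Action.ACTION_ID, op))

    return request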
def _createXacmlRequestCtx(cls):
    """Build a minimal XACML request context for the tests.

    The context holds a single subject with one attribute:
    ``cls.OPENID_ATTR_ID`` of data type ``anyURI`` whose value is
    ``TestUserDatabase.OPENID_URI``. ``cls`` must provide
    ``OPENID_ATTR_ID`` and ``attributeValueClassFactory``.

    Returns:
        The populated ``Request``.
    """
    any_uri_type = 'http://www.w3.org/2001/XMLSchema#anyURI'

    subject = Subject()
    openid_attr = Attribute()
    subject.attributes.append(openid_attr)
    openid_attr.attributeId = cls.OPENID_ATTR_ID
    openid_attr.dataType = any_uri_type

    # The attribute value class is chosen by the attribute's data type.
    value_cls = cls.attributeValueClassFactory(openid_attr.dataType)
    openid_attr.attributeValues.append(value_cls(TestUserDatabase.OPENID_URI))

    ctx = Request()
    ctx.subjects.append(subject)
    return ctx
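def _create_request_from_message(self, invocation, receiver, receiver_type='service'):
    """Build a XACML ``Request`` for one message invocation.

    Subject attributes are taken from the message headers as received
    (``sender``/``sender-service``, ``ion-actor-id``, ``ion-actor-roles``);
    this method does not validate them. Which roles become subject
    attributes depends on the Org of the endpoint process: a process in
    the system root Org gets every Org's roles, any other process gets
    only its own Org's roles, plus ``ION_MANAGER`` when the actor holds
    that role in the root Org (the ION system actor case).

    Resource attributes: ``RESOURCE_ID`` (``receiver``) and
    ``RECEIVER_TYPE`` (``receiver_type``). Action attribute:
    ``ACTION_ID`` (the ``op`` header).

    Args:
        invocation: the message invocation being authorized.
        receiver: name of the receiving service/process (resource id).
        receiver_type: kind of receiver, ``'service'`` by default.

    Returns:
        A populated ``Request``.
    """
    sender_type = invocation.get_header_value('sender-type', 'Unknown')
    if sender_type == 'service':
        sender_header = invocation.get_header_value('sender-service', 'Unknown')
        sender = invocation.get_service_name(sender_header)
    else:
        sender = invocation.get_header_value('sender', 'Unknown')

    op = invocation.get_header_value('op', 'Unknown')
    ion_actor_id = invocation.get_header_value('ion-actor-id', 'anonymous')
    actor_roles = invocation.get_header_value('ion-actor-roles', {})

    # Lazy %-args: only formatted when DEBUG is enabled.
    log.debug(
        "Using XACML Request: sender: %s, receiver:%s, op:%s, ion_actor_id:%s, ion_actor_roles:%s",
        sender, receiver, op, ion_actor_id, actor_roles)

    request = Request()
    subject = Subject()
    subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
    subject.attributes.append(
        self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, ion_actor_id))

    root_org_name = self.governance_controller._system_root_org_name

    # Org of the endpoint process. When no 'process' argument is present the
    # invocation itself is the fallback (kept from the original); it is then
    # presumably without 'org_name', so the root Org is used — TODO confirm.
    endpoint_process = invocation.get_arg_value('process', invocation)
    if hasattr(endpoint_process, 'org_name'):
        org_name = endpoint_process.org_name
    else:
        org_name = root_org_name

    if org_name == root_org_name:
        # Root-Org process: include the roles of every Org.
        log.debug("Including roles for all Orgs")
        for org_roles in actor_roles.values():
            self.create_org_role_attribute(org_roles, subject)
    else:
        # Non-root process: only the roles of the process's own Org ...
        if org_name in actor_roles:
            log.debug("Org Roles (%s): %s", org_name, ' '.join(actor_roles[org_name]))
            self.create_org_role_attribute(actor_roles[org_name], subject)

        # ... plus ION_MANAGER held in the root Org (ION system actor).
        if root_org_name in actor_roles and 'ION_MANAGER' in actor_roles[root_org_name]:
            log.debug("Including ION_MANAGER role")
            self.create_org_role_attribute(['ION_MANAGER'], subject)

    request.subjects.append(subject)

    resource = Resource()
    resource.attributes.append(
        self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
    resource.attributes.append(
        self.create_string_attribute(RECEIVER_TYPE, receiver_type))
    request.resources.append(resource)

    request.action = Action()
    request.action.attributes.append(
        self.create_string_attribute(Identifiers.Action.ACTION_ID, op))

    return request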
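def _create_request_from_message(self, invocation, receiver, receiver_type=PROCTYPE_SERVICE):
    """Build the XACML ``Request`` for one message invocation.

    Subject attributes, all taken from the message as received (this method
    does not validate the headers it reads):
      * ``SENDER_ID`` - the sender reported by ``invocation.get_message_sender()``
      * ``SUBJECT_ID`` - the actor header, ``ANONYMOUS_ACTOR`` if absent
      * ``USER_CONTEXT_ID`` - the user-context header, ``""`` if absent
      * ``USER_CONTEXT_DIFFERS`` - ``"True"`` when a non-anonymous actor is
        acting under a different, non-empty user context, so policy rules
        can treat that case separately
      * one role attribute per Org, see ``_add_org_role_attributes``
    Resource attributes: ``RESOURCE_ID`` (``receiver``) and ``RECEIVER_TYPE``.
    Action attributes: ``ACTION_ID`` (the op header), optionally
    ``ACTION_VERB`` from the message class decorator, and
    ``ACTION_PARAMETERS`` - a dict attribute exposing the raw message,
    headers, annotations and (if present) the endpoint process to XACML
    rules and evaluation functions.

    Args:
        invocation: the message invocation being authorized.
        receiver: name of the receiving service/process (resource id).
        receiver_type: kind of receiver, ``PROCTYPE_SERVICE`` by default.

    Returns:
        A populated ``Request``.
    """
    sender, _sender_type = invocation.get_message_sender()
    op = invocation.get_header_value(MSG_HEADER_OP, 'Unknown')
    actor_id = invocation.get_header_value(MSG_HEADER_ACTOR, ANONYMOUS_ACTOR)
    user_context_id = invocation.get_header_value(MSG_HEADER_USER_CONTEXT_ID, "")
    user_context_differs = bool(actor_id and actor_id != ANONYMOUS_ACTOR
                                and user_context_id and actor_id != user_context_id)
    actor_roles = invocation.get_header_value(MSG_HEADER_ROLES, {})
    message_format = invocation.get_header_value(MSG_HEADER_FORMAT, '')

    request = Request()

    subject = Subject()
    subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
    subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, actor_id))
    subject.attributes.append(self.create_string_attribute(USER_CONTEXT_ID, user_context_id))
    subject.attributes.append(self.create_string_attribute(USER_CONTEXT_DIFFERS, str(user_context_differs)))

    # Org of the endpoint process; a process without one is treated as the root Org.
    endpoint_process = invocation.get_arg_value('process', None)
    if endpoint_process is not None and hasattr(endpoint_process, 'org_governance_name'):
        org_governance_name = endpoint_process.org_governance_name
    else:
        org_governance_name = self.governance_controller.system_root_org_name
    self._add_org_role_attributes(actor_roles, org_governance_name, subject)
    request.subjects.append(subject)

    resource = Resource()
    resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
    resource.attributes.append(self.create_string_attribute(RECEIVER_TYPE, receiver_type))
    request.resources.append(resource)

    request.action = Action()
    request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))
    self._add_operation_verb_attribute(request.action, message_format)

    # Generic attributes for the primitive message parameter types, available
    # to XACML rules and evaluation functions.
    parameter_dict = {
        'message': invocation.message,
        'headers': invocation.headers,
        'annotations': invocation.message_annotations,
    }
    if endpoint_process is not None:
        parameter_dict['process'] = endpoint_process
    request.action.attributes.append(self.create_dict_attribute(ACTION_PARAMETERS, parameter_dict))

    return request

def _add_org_role_attributes(self, actor_roles, org_governance_name, subject):
    """Append the actor's role attributes for ``org_governance_name`` to ``subject``.

    A process in the root Org gets the roles of every Org in ``actor_roles``.
    Any other process gets only the roles of its own Org, plus
    ``SUPERUSER_ROLE`` when the actor holds it in the root Org (the ION
    system actor case).
    """
    root_org_name = self.governance_controller.system_root_org_name

    if org_governance_name == root_org_name:
        # Root-Org process: include all Orgs' roles to be safe.
        for org_roles in actor_roles.values():
            self.create_org_role_attribute(org_roles, subject)
        return

    if org_governance_name in actor_roles:
        log.debug("Org Roles (%s): %s", org_governance_name, ' '.join(actor_roles[org_governance_name]))
        self.create_org_role_attribute(actor_roles[org_governance_name], subject)

    # Special case for the ION system actor.
    if root_org_name in actor_roles and SUPERUSER_ROLE in actor_roles[root_org_name]:
        log.debug("Including SUPERUSER role")
        self.create_org_role_attribute([SUPERUSER_ROLE], subject)

def _add_operation_verb_attribute(self, action, message_format):
    """Append ``ACTION_VERB`` to ``action`` when the message class of
    ``message_format`` carries a ``DECORATOR_OP_VERB`` decorator.

    Non-ION message formats are ignored; a ``NotFound`` from the lookup is
    logged and treated as "no verb" (best effort, as in the original).
    """
    if not is_ion_object(message_format):
        return
    try:
        msg_class = message_classes[message_format]
        operation_verb = get_class_decorator_value(msg_class, DECORATOR_OP_VERB)
    except NotFound:
        # NOTE(review): if message_classes is a plain dict, a missing format
        # raises KeyError rather than NotFound and is not caught here — confirm.
        log.debug("No operation verb available for message format %s", message_format)
        return
    if operation_verb is not None:
        action.attributes.append(self.create_string_attribute(ACTION_VERB, operation_verb))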