def run(self):
self.context.delete_cache()
req = None
tries = 0
success = False
if "hostip" in self.container_chaining[0]:
hostname = self.container_chaining[0]["hostip"]
elif "hostname" in self.container_chaining[0]:
hostname = self.container_chaining[0]["hostname"]
else:
raise exceptions.AuthzException(
"error in address no hostname or hostip"
)
tried_hostnames = []
while tries < 2:
tried_hostnames.append(hostname)
try:
req = requests.post("http://{}:{}/authz".format(
hostname,
self.container_chaining[0]["port"],
), data=pickle.dumps(self.context))
if req.status_code != 200:
raise exceptions.AuthzException(
"Receive bad response from Authz function "
"(with {} -> {})".format(hostname, req.status_code)
)
success = True
except requests.exceptions.ConnectionError:
if tries > 1:
logger.error("Cannot connect to {}".format(
"http://[{}]:{}/authz".format(
", ".join(tried_hostnames),
self.container_chaining[0]["port"]
)))
except Exception as e:
logger.exception(e)
else:
break
hostname = self.container_chaining[0]["hostname"],
tries += 1
if not success:
raise exceptions.AuthzException("Cannot connect to Authz function")
self.context.set_cache(CACHE)
if req and len(self.container_chaining) == 1:
self.result = pickle.loads(req.content)
def manage_data(self):
data = request.form
if not dict(request.form):
data = json.loads(request.data.decode("utf-8"))
target = json.loads(data.get('target', {}))
credentials = json.loads(data.get('credentials', {}))
rule = data.get('rule', "").strip('"').strip("'")
_subject = self.__get_subject(target, credentials)
_object = self.__get_object(target, credentials)
_action = rule
LOGGER.info("authz {} {} {}".format(_subject, _object, _action))
_project_id = self.__get_project_id(target, credentials)
_pdp_id = self.CACHE.get_pdp_from_keystone_project(_project_id)
interface_url = self.get_interface_url(_project_id)
LOGGER.debug("interface_url={}".format(interface_url))
req = requests.get("{}/authz/{}/{}/{}/{}".format(
interface_url,
_pdp_id,
_subject,
_object,
_action
))
LOGGER.debug("Get interface {}".format(req.text))
if req.status_code == 200:
if req.json().get("result", False):
return True
raise exceptions.AuthzException("error in authz request")
def __init__(self, init_context, cache):
if init_context is None:
raise Exception("Invalid context content object")
self.cache = cache
self.__keystone_project_id = init_context.get("project_id")
self.__pdp_id = self.cache.get_pdp_from_keystone_project(
self.__keystone_project_id)
if not self.__pdp_id:
raise exceptions.AuthzException(
"Cannot create context for authz "
"with Keystone project ID {}".format(
self.__keystone_project_id))
self.__pdp_value = copy.deepcopy(self.cache.pdp[self.__pdp_id])
self.__subject = init_context.get("subject_name")
self.__object = init_context.get("object_name")
self.__action = init_context.get("action_name")
self.__request_id = init_context.get("req_id")
self.__cookie = init_context.get("cookie")
self.__manager_url = init_context.get("manager_url")
self.__interface_name = init_context.get("interface_name")
self.__current_request = None
self.__index = -1
# self.__init_initial_request()
self.__meta_rule_ids = self.cache.get_meta_rule_ids_from_pdp_value(
self.__pdp_value)
self.__meta_rules = self.cache.meta_rules
self.__pdp_set = {}
def __init__(self, init_context, cache):
self.cache = cache
self.__keystone_project_id = init_context.get("project_id")
self.__pdp_id = None
self.__pdp_value = None
for _pdp_key, _pdp_value in self.cache.pdp.items():
if _pdp_value["keystone_project_id"] == self.__keystone_project_id:
self.__pdp_id = _pdp_key
self.__pdp_value = copy.deepcopy(_pdp_value)
break
if not self.__pdp_value:
raise exceptions.AuthzException(
"Cannot create context for authz "
"with Keystone project ID {}".format(
self.__keystone_project_id
))
self.__subject = init_context.get("subject_name")
self.__object = init_context.get("object_name")
self.__action = init_context.get("action_name")
self.__current_request = None
self.__request_id = init_context.get("req_id")
self.__cookie = init_context.get("cookie")
self.__manager_url = init_context.get("manager_url")
self.__interface_name = init_context.get("interface_name")
self.__index = -1
# self.__init_initial_request()
self.__headers = []
policies = self.cache.policies
models = self.cache.models
for policy_id in self.__pdp_value["security_pipeline"]:
model_id = policies[policy_id]["model_id"]
for meta_rule in models[model_id]["meta_rules"]:
self.__headers.append(meta_rule)
self.__meta_rules = self.cache.meta_rules
self.__pdp_set = {}
def run(self):
self.context.delete_cache()
req = None
try:
req = requests.post("http://{}:{}/authz".format(
self.container_chaining[0]["hostip"],
self.container_chaining[0]["port"],
),
data=pickle.dumps(self.context))
if req.status_code != 200:
raise exceptions.AuthzException(
"Receive bad response from Authz function "
"(with IP address - {})".format(req.status_code))
except requests.exceptions.ConnectionError:
logger.error("Cannot connect to {}".format(
"http://{}:{}/authz".format(
self.container_chaining[0]["hostip"],
self.container_chaining[0]["port"])))
except ValueError:
try:
req = requests.post("http://{}:{}/authz".format(
self.container_chaining[0]["hostname"],
self.container_chaining[0]["port"],
),
data=pickle.dumps(self.context))
if req.status_code != 200:
raise exceptions.AuthzException(
"Receive bad response from Authz function "
"(with hostname - {})".format(req.status_code))
except requests.exceptions.ConnectionError:
logger.error("Cannot connect to {}".format(
"http://{}:{}/authz".format(
self.container_chaining[0]["hostname"],
self.container_chaining[0]["port"])))
raise exceptions.AuthzException(
"Cannot connect to Authz function")
self.context.set_cache(CACHE)
if req and len(self.container_chaining) == 1:
self.result = pickle.loads(req.content)
def get_interface_url(self, project_id):
LOGGER.debug("project_id {}".format(project_id))
for containers in self.CACHE.containers.values():
LOGGER.info("containers {}".format(containers))
for container in containers:
if container.get("keystone_project_id") == project_id:
if "pipeline" in container['name']:
return "http://{}:{}".format(container['name'],
container['port'])
self.CACHE.update()
# Note (asteroide): test an other time after the update
for containers in self.CACHE.containers.values():
for container in containers:
if container.get("keystone_project_id") == project_id:
if "pipeline" in container['name']:
return "http://{}:{}".format(container['name'],
container['port'])
raise exceptions.AuthzException("Keystone Project "
"ID ({}) is unknown or not mapped "
"to a PDP.".format(project_id))
def current_policy_id(self):
if "security_pipeline" not in self.__pdp_value:
raise exceptions.AuthzException(
'Cannot find security_pipeline key within pdp.')
return self.__pdp_value["security_pipeline"][self.__index]