示例#1
0
def post(token_info: dict, resource_type_name, resource_id):
    rt = ResourceType(resource_type_name)
    rt.create_id(resource_id)
    return make_response(jsonify({
        'msg': f"Created resource/{rt.name}/id/{resource_id}.",
        'resource_type': rt.name,
        'resource_id': resource_id}), 201)
示例#2
0
def get_resource_authz_parameters(user: str, resources: Union[List[str], str]):
    """

    Get all policy ids, and send them to lookup policy, group them by policy type.

    :param user:
    :param resource:
    :return:
    """
    policies = []
    _user = User(user)
    try:
        groups = _user.groups
    except cd_client.exceptions.ResourceNotFoundException:
        _user = User.provision_user(user)
        groups = _user.groups

    # Only support a single resource for now
    resource = resources[0] if isinstance(resources, list) else resources
    r_type, r_id, *_ = resource.split(':')[-1].split('/')
    if r_type in ResourceType.get_types():
        r_id = ResourceId(r_type, r_id)
        resource_policies = r_id.check_access(
            [_user] + [Group(object_ref=g) for g in groups])
        if not resource_policies:
            raise ResourceNotFound("ResourceNotFound")
        policies.extend(resource_policies)
    policies.extend(list(_user.get_policy_ids()))
    authz_params = Config.get_directory().get_policies(policies)
    if authz_params.get('ResourcePolicy'):
        authz_params['ResourcePolicy'] = combine(
            [i['policy_document'] for i in authz_params.get('ResourcePolicy')])
    return authz_params
示例#3
0
def get(token_info: dict, resource_type_name):
    next_token, per_page = get_next_token(request.args)
    rt = ResourceType(resource_type_name)
    return get_page(rt.list_policies,
                    next_token,
                    per_page,
                    content_key='policies')
示例#4
0
def clear_cd(directory: 'CloudDirectory',
             users: List[str] = None,
             groups: List[str] = None,
             roles: List[str] = None,
             resources: List[str] = None) -> None:
    """
    :param directory: the directory to clear
    :param users: a list of users to keep
    :param groups: a list of groups to keep
    :param roles: a list of roles to keep
    :param resources: a list of resource types to keep
    :return:
    """
    users = users if users else []
    groups = groups if groups else []
    roles = roles if roles else []
    resources = resources if resources else []
    protected_users = [User.hash_name(name) for name in ['public'] + users]
    protected_groups = [Group.hash_name(name) for name in ['user_default'] + groups]
    protected_roles = [Role.hash_name(name) for name in ["fusillade_admin", "default_user"] + roles]
    protected_resources = [ResourceType.hash_name(name) for name in resources]

    for name, obj_ref in directory.list_object_children('/user/', ConsistencyLevel=ConsistencyLevel.SERIALIZABLE.name):
        if name not in protected_users:
            directory.delete_object(obj_ref)
    for name, obj_ref in directory.list_object_children('/group/', ConsistencyLevel=ConsistencyLevel.SERIALIZABLE.name):
        if name not in protected_groups:
            directory.delete_object(obj_ref)
    for name, obj_ref in directory.list_object_children('/role/', ConsistencyLevel=ConsistencyLevel.SERIALIZABLE.name):
        if name not in protected_roles:
            directory.delete_object(obj_ref)
    for name, obj_ref in directory.list_object_children('/resource/',
                                                        ConsistencyLevel=ConsistencyLevel.SERIALIZABLE.name):
        if name not in protected_resources:
            directory.delete_object(obj_ref, delete_children=True)
示例#5
0
    def test_create_resource_type(self):
        actions = ['readproject', 'writeproject', 'deleteproject']
        resource_type = 'test_type'
        # a resource type is created
        self._create_resource_type(resource_type, actions)
        test_type = ResourceType(resource_type)

        # cannot do twice
        with self.assertRaises(FusilladeHTTPException):
            ResourceType.create(resource_type, actions)

        # actions are set
        self.assertTrue(set(test_type.actions) == set(actions))

        # owner policy exists
        self.assertIn(f'/resource/{resource_type}/policy/Owner',
                      test_type.list_policies()[0]['policies'])

        # create an additional resource type
        resource_type2 = 'test_type2'
        self._create_resource_type(resource_type2, actions)
        test_type2 = ResourceType(resource_type2)

        # list resources
        resource_types = ResourceType.get_types()
        self.assertEqual([resource_type, resource_type2], resource_types)
示例#6
0
    def test_eval(self):
        actions = ['test:readproject', 'test:writeproject', 'test:deleteproject']
        resource_type = 'test_type'
        test_type = ResourceType.create(resource_type, actions)
        access_level = 'Reader'
        resource_policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Principal": "*",
                    "Sid": "project_reader",
                    "Effect": "Allow",
                    "Action": ['test:readproject'],
                    "Resource": f"{self.arn_prefix}{resource_type}/*"
                }
            ]
        }
        test_type.create_policy(access_level, resource_policy, 'ResourcePolicy')
        user = User.provision_user('test_user')
        type_id = '1234455'
        resource = f'{self.arn_prefix}{resource_type}/{type_id}'

        with self.subTest("A user does not have access when they only have permitting resource_policy and no "
                          "permitting IAMPolicy"):
            test_id = test_type.create_id(type_id)
            test_id.add_principals([user], access_level)
            x = get_resource_authz_parameters(user.name, resource)
            resp = evaluate_policy(user.name, ['test:readproject'], [resource], x['IAMPolicy'], x['ResourcePolicy'])
            self.assertFalse(resp['result'])

        with self.subTest("A user has a access when they have a permitting resource policy and IAMPolicy"):
            IAMpolicy = {
                "Statement": [
                    {
                        "Sid": "project_reader",
                        "Effect": "Allow",
                        "Action": [
                            "test:readproject"
                        ],
                        "Resource": f"{self.arn_prefix}{resource_type}/*"
                    }
                ]
            }
            role = Role.create('project_reader', IAMpolicy)

            user.add_roles([role.name])
            x = get_resource_authz_parameters(user.name, resource)
            resp = evaluate_policy(user.name, ['test:readproject'], [resource], x['IAMPolicy'], x['ResourcePolicy'])
            self.assertTrue(resp['result'])
示例#7
0
    def test_get_authz_params(self):
        actions = ['test:readproject', 'test:writeproject', 'test:deleteproject']
        resource_type = 'test_type'
        test_type = ResourceType.create(resource_type, actions)
        access_level = 'Reader'
        resource_policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Principal": "*",
                    "Sid": "project_reader",
                    "Effect": "Allow",
                    "Action": ['test:readproject'],
                    "Resource": f"{self.arn_prefix}{resource_type}/*"
                }
            ]
        }
        test_type.create_policy(access_level, resource_policy, 'ResourcePolicy')
        user = User.provision_user('test_user')
        type_id = '1234455'
        resource = f'{self.arn_prefix}{resource_type}/{type_id}'

        with self.subTest("A user has no access when no access level set between user and resource"):
            with self.assertRaises(ResourceNotFound):
                get_resource_authz_parameters(user.name, resource)

        with self.subTest("No resource policy parameters are returned when the user tries to access a resource that "
                          "does not use resource policies"):
            params = get_resource_authz_parameters(user.name, f"{self.arn_prefix}non_acl_resource/1234")
            self.assertFalse(params.get('ResourcePolicy'))
            self.assertFalse(params.get('resources'))

        with self.subTest("The resource policy for the access level assigned to the user is returned when a user "
                          "is given access to a resource"):
            test_id = test_type.create_id(type_id)
            test_id.add_principals([user], access_level)
            params = get_resource_authz_parameters(user.name, resource)
            self.assertTrue(json_equal(params['ResourcePolicy'], resource_policy))
            self.assertEqual(['Reader'], params['resources'])

        with self.subTest("No access when the user is disabled."):
            user.disable()
            with self.assertRaises(AuthorizationException):
                get_resource_authz_parameters(user.name, resource)
示例#8
0
 def _create_resource_type(self, name='test_type', actions=None):
     actions = actions or ['readproject', 'writeproject', 'deleteproject']
     return ResourceType.create(name, actions)
示例#9
0
def delete(token_info: dict, resource_type_name, policy_name):
    rt = ResourceType(resource_type_name)
    rt.delete_policy(policy_name)
    return make_response(
        f"Deleted resource/{resource_type_name}/policy/{policy_name}.", 200)
示例#10
0
def put(token_info: dict, resource_type_name, policy_name):
    json_body = request.json
    rt = ResourceType(resource_type_name)
    rt.update_policy(policy_name, json_body['policy'], 'ResourcePolicy')
    return make_response(
        f"Modified resource/{resource_type_name}/policy/{policy_name}.", 200)
示例#11
0
def get(token_info: dict, resource_type_name, policy_name):
    rt = ResourceType(resource_type_name)
    rt._exists([rt.name])
    policy = rt.get_policy(policy_name)
    return make_response(jsonify(policy), 200)
示例#12
0
def get(token_info: dict, resource_type_name):
    rt = ResourceType(resource_type_name)
    actions = rt.actions
    return make_response(jsonify({'actions': actions}), 200)
示例#13
0
def delete(token_info: dict, resource_type_name):
    json_body = request.json
    rt = ResourceType(resource_type_name)
    rt.remove_actions(json_body['actions'])
    return make_response(f"Actions removed from resource type {rt.name}.", 200)
示例#14
0
def put(token_info: dict, resource_type_name):
    json_body = request.json
    rt = ResourceType(resource_type_name)
    rt.add_actions(json_body['actions'])
    return make_response(f"Actions added to resource type {rt.name}.", 200)
示例#15
0
def get(token_info: dict, resource_type_name):
    next_token, per_page = get_next_token(request.args)
    return get_page(ResourceType(resource_type_name).list_ids, next_token, per_page, content_key='resource_ids')