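def test_requests(container, process=FakeProcess()):
    """Exercise Org request handling as the system actor and the seeded test user.

    Looks up the system actor and the seeded test user, collects the role
    headers each of them would send, and makes sure an Org named 'Org2'
    exists, creating it with the system actor's identity if it does not.

    Args:
        container: the running container; only ``container.node`` is used to
            build the service clients.
        process: process on whose behalf the service calls are made.

    Raises:
        Inconsistent: if the seeded test user cannot be looked up.
    """
    org_client = OrgManagementServiceProcessClient(node=container.node, process=process)
    ion_org = org_client.find_org()

    id_client = IdentityManagementServiceProcessClient(node=container.node, process=process)

    rr_client = ResourceRegistryServiceProcessClient(node=container.node, process=process)

    system_actor = id_client.find_actor_identity_by_name(name=CFG.system.system_actor)
    log.info('system actor:' + system_actor._id)

    # Role headers travel with the request and are what the receiving
    # service's policy check evaluates.
    sa_header_roles = get_role_message_headers(org_client.find_all_roles_by_user(system_actor._id))

    try:
        user = id_client.find_actor_identity_by_name('/DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Roger Unwin A254')
    except Exception:
        # Narrowed from a bare ``except``, which also swallowed
        # KeyboardInterrupt and SystemExit.
        raise Inconsistent("The test user is not found; did you seed the data?")

    log.debug('user_id: ' + user._id)
    user_header_roles = get_role_message_headers(org_client.find_all_roles_by_user(user._id))

    try:
        org2 = org_client.find_org('Org2')
        org2_id = org2._id
    except NotFound:
        # Creating an Org is privileged, so the request carries the system
        # actor's identity and role headers rather than the test user's.
        org2 = IonObject(RT.Org, name='Org2', description='A second Org')
        org2_id = org_client.create_org(org2, headers={'ion-actor-id': system_actor._id, 'ion-actor-roles': sa_header_roles })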
def test_policy(container, process=FakeProcess()):
    """Walk through the Org policy checks.

    Lists the enrolled users as the system actor, logs the seeded test
    user's roles, and then has that user try to grant itself the
    INSTRUMENT_OPERATOR role, which the policy is expected to deny (the
    denial is only logged).
    """
    node = container.node

    org_client = OrgManagementServiceProcessClient(node=node, process=process)
    ion_org = org_client.find_org()

    id_client = IdentityManagementServiceProcessClient(node=node, process=process)

    system_actor = id_client.find_actor_identity_by_name(name=CFG.system.system_actor)
    log.info('system actor:' + system_actor._id)

    policy_client = PolicyManagementServiceProcessClient(node=node, process=process)

    def headers_for(actor_id):
        # Identity plus role headers; the receiving service's policy check
        # evaluates these, not the caller's local state.
        role_headers = get_role_message_headers(org_client.find_all_roles_by_user(actor_id))
        return {'ion-actor-id': actor_id, 'ion-actor-roles': role_headers}

    enrolled = org_client.find_enrolled_users(ion_org._id, headers=headers_for(system_actor._id))
    for enrolled_user in enrolled:
        log.info(str(enrolled_user))

    user = id_client.find_actor_identity_by_name('/DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Roger Unwin A254')
    log.debug('user_id: ' + user._id)

    for role in org_client.find_roles_by_user(ion_org._id, user._id):
        log.info('User UserRole: ' + str(role))

    user_headers = headers_for(user._id)

    try:
        org_client.grant_role(ion_org._id, user._id, 'INSTRUMENT_OPERATOR', headers=user_headers)
    except Exception as e:
        log.info('This grant role should be denied:' + e.message)
def seed_gov(container, process=FakeProcess()):
    """Seed sample governance data into the container.

    Creates three data products and two instrument agents, logs what the
    services report back, adds an 'Instrument Operator' role to the Org,
    and then tries to add the very same role again, which is expected to be
    rejected (the rejection is only logged).
    """
    node = container.node

    dp_client = DataProductManagementServiceProcessClient(node=node, process=process)

    product_specs = [
        ('DataProd1', 'some new dp'),
        ('DataProd2', 'and of course another new dp'),
        ('DataProd3', 'yet another new dp'),
    ]
    for dp_name, dp_desc in product_specs:
        dp_client.create_data_product(IonObject(RT.DataProduct, name=dp_name, description=dp_desc))

    log.debug('Data Products')
    for product in dp_client.find_data_products():
        log.debug(str(product))

    ims_client = InstrumentManagementServiceProcessClient(node=node, process=process)

    agent_specs = [
        ('Instrument Agent1', 'The first Instrument Agent'),
        ('Instrument Agent2', 'The second Instrument Agent'),
    ]
    for ia_name, ia_desc in agent_specs:
        ims_client.create_instrument_agent(IonObject(RT.InstrumentAgent, name=ia_name, description=ia_desc))

    log.debug('Instrument Agents')
    for agent in ims_client.find_instrument_agents():
        log.debug(str(agent))

    org_client = OrgManagementServiceProcessClient(node=node, process=process)
    ion_org = org_client.find_org()

    policy_client = PolicyManagementServiceProcessClient(node=node, process=process)

    role_obj = IonObject(RT.UserRole, name='Instrument Operator', description='Users assigned to this role are instrument operators')
    org_client.add_user_role(ion_org._id, policy_client.create_role(role_obj))

    # A second role with the same name must be refused by the service.
    try:
        duplicate_role_id = policy_client.create_role(role_obj)
        org_client.add_user_role(ion_org._id, duplicate_role_id)
    except Exception as e:
        log.info("This should fail")
        log.info(e.message)
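def test_requests(container, process=FakeProcess()):
    """Exercise Org request handling as the system actor and the seeded test user.

    Looks up the system actor and the seeded test user, collects the role
    headers each of them would send, and makes sure an Org named 'Org2'
    exists, creating it with the system actor's identity if it does not.

    Args:
        container: the running container; only ``container.node`` is used to
            build the service clients.
        process: process on whose behalf the service calls are made.

    Raises:
        Inconsistent: if the seeded test user cannot be looked up.
    """
    org_client = OrgManagementServiceProcessClient(node=container.node,
                                                   process=process)
    ion_org = org_client.find_org()

    id_client = IdentityManagementServiceProcessClient(node=container.node,
                                                       process=process)

    rr_client = ResourceRegistryServiceProcessClient(node=container.node,
                                                     process=process)

    system_actor = id_client.find_actor_identity_by_name(
        name=CFG.system.system_actor)
    log.info('system actor:' + system_actor._id)

    # Role headers travel with the request and are what the receiving
    # service's policy check evaluates.
    sa_header_roles = get_role_message_headers(
        org_client.find_all_roles_by_user(system_actor._id))

    try:
        user = id_client.find_actor_identity_by_name(
            '/DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Roger Unwin A254')
    except Exception:
        # Narrowed from a bare ``except``, which also swallowed
        # KeyboardInterrupt and SystemExit.
        raise Inconsistent(
            "The test user is not found; did you seed the data?")

    log.debug('user_id: ' + user._id)
    user_header_roles = get_role_message_headers(
        org_client.find_all_roles_by_user(user._id))

    try:
        org2 = org_client.find_org('Org2')
        org2_id = org2._id
    except NotFound:
        # Creating an Org is privileged, so the request carries the system
        # actor's identity and role headers rather than the test user's.
        org2 = IonObject(RT.Org, name='Org2', description='A second Org')
        org2_id = org_client.create_org(org2,
                                        headers={
                                            'ion-actor-id': system_actor._id,
                                            'ion-actor-roles': sa_header_roles
                                        })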
def seed_gov(container, process=FakeProcess()):
    """Minimal governance seed.

    Builds the identity and Org clients, resolves the Org, then calls
    ``read_org()`` without an Org id; that call is expected to be rejected
    and the failure is only logged.
    """
    node = container.node
    id_client = IdentityManagementServiceProcessClient(node=node, process=process)
    org_client = OrgManagementServiceProcessClient(node=node, process=process)
    ion_org = org_client.find_org()

    # Deliberately missing argument: the service should refuse this.
    try:
        myorg = org_client.read_org()
    except Exception as err:
        log.info("This should fail")
        log.info(err.message)
def seed_gov(container, process=FakeProcess()):
    """Minimal governance seed.

    Builds the identity and Org clients, resolves the Org, then calls
    ``read_org()`` without an Org id; that call is expected to be rejected
    and the failure is only logged.
    """
    node = container.node
    id_client = IdentityManagementServiceProcessClient(node=node,
                                                       process=process)
    org_client = OrgManagementServiceProcessClient(node=node,
                                                   process=process)
    ion_org = org_client.find_org()

    # Deliberately missing argument: the service should refuse this.
    try:
        myorg = org_client.read_org()
    except Exception as err:
        log.info("This should fail")
        log.info(err.message)
def test_policy(container, process=FakeProcess()):
    """Walk through the Org policy checks.

    Lists the enrolled users as the system actor, logs the seeded test
    user's roles, and then has that user try to grant itself the
    INSTRUMENT_OPERATOR role, which the policy is expected to deny (the
    denial is only logged).
    """
    node = container.node

    org_client = OrgManagementServiceProcessClient(node=node,
                                                   process=process)
    ion_org = org_client.find_org()

    id_client = IdentityManagementServiceProcessClient(node=node,
                                                       process=process)

    system_actor = id_client.find_actor_identity_by_name(
        name=CFG.system.system_actor)
    log.info('system actor:' + system_actor._id)

    policy_client = PolicyManagementServiceProcessClient(node=node,
                                                         process=process)

    def headers_for(actor_id):
        # Identity plus role headers; the receiving service's policy check
        # evaluates these, not the caller's local state.
        role_headers = get_role_message_headers(
            org_client.find_all_roles_by_user(actor_id))
        return {'ion-actor-id': actor_id, 'ion-actor-roles': role_headers}

    enrolled = org_client.find_enrolled_users(
        ion_org._id, headers=headers_for(system_actor._id))
    for enrolled_user in enrolled:
        log.info(str(enrolled_user))

    user = id_client.find_actor_identity_by_name(
        '/DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Roger Unwin A254')
    log.debug('user_id: ' + user._id)

    for role in org_client.find_roles_by_user(ion_org._id, user._id):
        log.info('User UserRole: ' + str(role))

    user_headers = headers_for(user._id)

    try:
        org_client.grant_role(ion_org._id,
                              user._id,
                              'INSTRUMENT_OPERATOR',
                              headers=user_headers)
    except Exception as e:
        log.info('This grant role should be denied:' + e.message)
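class GovernanceController(object):
    """Container-side coordinator for governance interception.

    Loads the governance interceptors named in the container config, runs
    them over every incoming invocation (configured order) and outgoing
    invocation (reverse order), and keeps the policy decision point in
    sync by subscribing to ResourcePolicyEvents.
    """

    def __init__(self, container):
        """Record the owning container; all wiring happens in start().

        Args:
            container: the container this controller governs; its ``node``
                is used to build the service clients in start().
        """
        log.debug('GovernanceController.__init__()')
        self.container = container
        self.enabled = False
        self.interceptor_by_name_dict = dict()
        self.interceptor_order = []
        self.policy_decision_point_manager = None
        self.governance_dispatcher = None
        # These are created in start() only when governance is enabled;
        # initialised here so stop() cannot raise AttributeError when
        # start() never ran or ran with governance disabled.
        self.resource_policy_event_subscriber = None
        self.rr_client = None
        self.policy_client = None
        self.org_client = None

    def start(self):
        """Read the governance interceptor config and, when enabled, build
        the interceptor chain, the policy event subscription and the
        service clients used by the event callback.
        """
        log.debug("GovernanceController starting ...")

        config = CFG.interceptor.interceptors.governance.config

        # A missing config section means "disabled". The previous code
        # assigned into the None config here, which raised TypeError.
        if config is None:
            config = {'enabled': False}

        if "enabled" in config:
            self.enabled = config["enabled"]

        log.debug("GovernanceInterceptor enabled: %s" % str(self.enabled))

        self.resource_policy_event_subscriber = None

        if self.enabled:
            self.initialize_from_config(config)

            self.resource_policy_event_subscriber = EventSubscriber(event_type="ResourcePolicyEvent", callback=self.policy_event_callback)
            self.resource_policy_event_subscriber.activate()

            node = self.container.node
            self.rr_client = ResourceRegistryServiceProcessClient(node=node, process=self.container)
            self.policy_client = PolicyManagementServiceProcessClient(node=node, process=self.container)
            self.org_client = OrgManagementServiceProcessClient(node=node, process=self.container)

    def initialize_from_config(self, config):
        """Instantiate the interceptor chain described by ``config``.

        Args:
            config: mapping with an optional ``interceptor_order`` (list of
                interceptor names) and an optional ``governance_interceptors``
                (name -> definition dict whose ``class`` is a dotted path).

        Raises:
            KeyError: if ``interceptor_order`` names an interceptor that has
                no definition; previously this surfaced as a KeyError on the
                first processed message instead of at startup.
        """
        self.governance_dispatcher = GovernanceDispatcher()

        self.policy_decision_point_manager = PolicyDecisionPointManager()

        if 'interceptor_order' in config:
            self.interceptor_order = config['interceptor_order']

        if 'governance_interceptors' in config:
            gov_ints = config['governance_interceptors']

            for name in gov_ints:
                interceptor_def = gov_ints[name]

                # The dotted path is imported and instantiated as-is, so the
                # container configuration is the trust boundary: whoever can
                # edit it decides which classes run inside the container.
                parts = interceptor_def["class"].split('.')
                modpath = ".".join(parts[:-1])
                classname = parts[-1]
                module = __import__(modpath, fromlist=[classname])
                classobj = getattr(module, classname)
                classinst = classobj()

                # Kept by name so process_message() can look it up per call.
                self.interceptor_by_name_dict[name] = classinst

        # Fail at startup rather than on the first message if the configured
        # order refers to an interceptor that was never defined.
        missing = [n for n in self.interceptor_order if n not in self.interceptor_by_name_dict]
        if missing:
            raise KeyError("interceptor_order names undefined governance interceptors: %s" % ", ".join(missing))

    def stop(self):
        """Deactivate the policy event subscription if start() created one."""
        log.debug("GovernanceController stopping ...")

        if self.resource_policy_event_subscriber is not None:
            self.resource_policy_event_subscriber.deactivate()

    def process_incoming_message(self, invocation):
        """Run the interceptors in configured order over ``invocation``, then
        hand it to the dispatcher and return the dispatcher's result."""
        self.process_message(invocation, self.interceptor_order, 'incoming')
        return self.governance_dispatcher.handle_incoming_message(invocation)

    def process_outgoing_message(self, invocation):
        """Run the interceptors in reverse configured order over ``invocation``,
        then hand it to the dispatcher and return the dispatcher's result."""
        self.process_message(invocation, reversed(self.interceptor_order), 'outgoing')
        return self.governance_dispatcher.handle_outgoing_message(invocation)

    def process_message(self, invocation, interceptor_list, method):
        """Call ``method`` ('incoming' or 'outgoing') on each named interceptor.

        Args:
            invocation: the invocation passed to every interceptor.
            interceptor_list: iterable of interceptor names, in call order.
            method: name of the interceptor method to invoke.

        Returns:
            The same ``invocation`` object after all interceptors ran.
        """
        for int_name in interceptor_list:
            class_inst = self.interceptor_by_name_dict[int_name]
            getattr(class_inst, method)(invocation)

        return invocation

    def policy_event_callback(self, *args, **kwargs):
        """Reload the policy rules affected by a ResourcePolicyEvent.

        ``args[0]`` is the event: ``origin`` is the policy id and
        ``resource_id`` / ``resource_type`` / ``resource_name`` identify
        the resource the policy applies to.
        """
        resource_policy_event = args[0]

        policy_id = resource_policy_event.origin
        resource_id = resource_policy_event.resource_id
        resource_type = resource_policy_event.resource_type
        resource_name = resource_policy_event.resource_name

        log.info("Resource policy modified: %s %s %s" % (policy_id, resource_id, resource_type))

        if resource_type == 'ServiceDefinition':  # TODO - REDO to have a configurable Org boundary by container
            # Service policy is fetched for whatever find_org() returns with
            # no arguments; the TODO above is about making that configurable.
            ion_org = self.org_client.find_org()
            policy_rules = self.policy_client.get_active_service_policy_rules(ion_org._id, resource_name)
            self.update_resource_policy(resource_name, policy_rules)
        elif resource_type == 'Org':
            # An Org-level change also reloads every service policy the
            # decision point already holds.
            policy_rules = self.policy_client.get_active_resource_policy_rules(resource_id)
            if self.policy_decision_point_manager is not None:
                self.policy_decision_point_manager.load_org_policy_rules(policy_rules)
                self.update_all_resource_policies(resource_id)
        else:
            policy_rules = self.policy_client.get_active_resource_policy_rules(resource_id)
            self.update_resource_policy(resource_id, policy_rules)

    def update_resource_policy(self, resource_name, policy_rules):
        """Push ``policy_rules`` for one resource to the decision point.

        Does nothing when no policy decision point manager exists (governance
        disabled or start() not yet run).
        """
        if self.policy_decision_point_manager is not None:
            log.debug("Loading policy for resource: %s" % resource_name)
            self.policy_decision_point_manager.load_policy_rules(resource_name, policy_rules)

    def update_all_resource_policies(self, org_id):
        """Re-fetch and reload the service policy rules for every resource the
        decision point already knows, scoped to Org ``org_id``.

        A failure for one resource is logged and the remaining resources are
        still processed.
        """
        if self.policy_decision_point_manager is not None:
            for res_name in self.policy_decision_point_manager.policy_decision_point:
                try:
                    policy_rules = self.policy_client.get_active_service_policy_rules(org_id, res_name)
                    self.update_resource_policy(res_name, policy_rules)
                except Exception as e:
                    log.error(e.message)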
    def op_load_system_policies(cls, calling_process):

        org_client = OrgManagementServiceProcessClient(node=Container.instance.node, process=calling_process)
        ion_org = org_client.find_org()

        id_client = IdentityManagementServiceProcessClient(node=Container.instance.node, process=calling_process )

        system_actor = id_client.find_actor_identity_by_name(name=CFG.system.system_actor)
        log.debug('system actor:' + system_actor._id)



        policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

        policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule>
        '''


        policy_obj = IonObject(RT.Policy, name='Anonymous_Deny_Everything', definition_type="global", rule=policy_text,
            description='A global policy rule that denies anonymous access to everything in the Org as the base')

        policy_id = policy_client.create_policy(policy_obj, headers={'ion-actor-id': system_actor._id})
        policy_client.add_resource_policy(ion_org._id, policy_id, headers={'ion-actor-id': system_actor._id})
        log.debug('Policy created: ' + policy_obj.name)

##############


        policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>


                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>

                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>

                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>

                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>


                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not">

                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_user_requests</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                        </Apply>
                        <ActionAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>

        </Rule>
        '''


        policy_obj = IonObject(RT.Policy, name='Anonymous_Allowed_Operations', definition_type="global", rule=policy_text,
            description='A global policy rule which specifies operations that are allowed with anonymous access')

        policy_id = policy_client.create_policy(policy_obj, headers={'ion-actor-id': system_actor._id})
        policy_client.add_resource_policy(ion_org._id, policy_id, headers={'ion-actor-id': system_actor._id})
        log.debug('Policy created: ' + policy_obj.name)

##############

        policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

        policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

            </Target>

            <Condition>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
            </Condition>

        </Rule>
        '''


        policy_obj = IonObject(RT.Policy, name='Org_Manager_Permit_Everything', definition_type="global", rule=policy_text,
            description='A global policy rule that permits access to everything in the Org for a user with Org Manager role')

        policy_id = policy_client.create_policy(policy_obj, headers={'ion-actor-id': system_actor._id})
        policy_client.add_resource_policy(ion_org._id, policy_id, headers={'ion-actor-id': system_actor._id})
        log.debug('Policy created: ' + policy_obj.name)

        ##############

        policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

        policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

            </Target>

            <Condition>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
            </Condition>

        </Rule>
        '''


        policy_obj = IonObject(RT.Policy, name='ION_Manager_Permit_Everything', definition_type="global", rule=policy_text,
            description='A global policy rule that permits access to everything across Orgs for user with ION Manager role')

        policy_id = policy_client.create_policy(policy_obj, headers={'ion-actor-id': system_actor._id})
        policy_client.add_resource_policy(ion_org._id, policy_id, headers={'ion-actor-id': system_actor._id})
        log.debug('Policy created: ' + policy_obj.name)

##############

        policy_text = '''
            <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">datastore</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_doc</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bootstrap</AttributeValue>
                </Apply>

            </Condition>

        </Rule>
        '''

        policy_obj = IonObject(RT.Policy, name='DataStore_Anonymous_Bootstrap', definition_type="service", rule=policy_text,
            description='Permit anonymous access to these operations in the Datastore Service if called from the Bootstrap Service')

        policy_id = policy_client.create_policy(policy_obj)
        policy_client.add_service_policy('datastore', policy_id)
        log.debug('Policy created: ' + policy_obj.name)


##############


        policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s

            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_actor_identity</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bootstrap</AttributeValue>
                </Apply>

            </Condition>
        </Rule>
        '''

        policy_obj = IonObject(RT.Policy, name='Identity_Management_Anonymous_Bootstrap', definition_type="service", rule=policy_text,
            description='Permit anonymous access to these operations in the Identity Management Service if called from the Bootstrap Service')

        policy_id = policy_client.create_policy(policy_obj)
        policy_client.add_service_policy('identity_management', policy_id)
        log.debug('Policy created: ' + policy_obj.name)

        policy_text = '''
           <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s

            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource_registry</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>


                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_association</AttributeValue>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>
            <Condition>

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                </Apply>

            </Condition>

        </Rule>
        '''


        policy_obj = IonObject(RT.Policy, name='Resource_Registry_Anonymous_Bootstrap', definition_type="service", rule=policy_text,
            description='Permit anonymous access to these operations in the Resource Registry Service if called from the Identity Management Service')

        policy_id = policy_client.create_policy(policy_obj)
        policy_client.add_service_policy('resource_registry', policy_id)
        log.debug('Policy created: ' + policy_obj.name)

##############

        policy_text = '''
            <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>

                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve_request</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">deny_request</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">enroll_member</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cancel_member_enrollment</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">grant_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">revoke_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remove_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acquire_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>

        </Rule> '''

        policy_obj = IonObject(RT.Policy, name='Org_Management_Org_Manager_Role_Permitted', definition_type="service", rule=policy_text,
            description='Deny these operations in the Org Management Service if not the role of Org Manager')

        policy_id = policy_client.create_policy(policy_obj)
        policy_client.add_service_policy('org_management', policy_id)
        log.debug('Policy created: ' + policy_obj.name)

        ##############


        policy_text = '''
            <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>


        </Rule> '''

        policy_obj = IonObject(RT.Policy, name='Instrument_Management_Instrument_Operator_Role_Permitted', definition_type="service", rule=policy_text,
            description='Deny these operations in the Instrument Management Service if not the role of Instrument Operator')

        policy_id = policy_client.create_policy(policy_obj)
        policy_client.add_service_policy('instrument_management', policy_id)
        log.debug('Policy created: ' + policy_obj.name)



        #TODO - replace with Event update framework
        from pyon.core.bootstrap import service_registry
        for service_name in service_registry.services:
            policy_rules = policy_client.get_active_service_policy_rules(ion_org._id, service_name)
            Container.instance.governance_controller.update_resource_policy(service_name, policy_rules)
class TestGovernanceInt(IonIntegrationTestCase):



    def setUp(self):
        """Start a container, load the system policies and build the service clients.

        Every client is bound to one GovernanceTestProcess, so all calls made by
        the tests carry that process identity.  The message headers naming the
        system actor and its roles are kept in ``self.sa_user_header`` for the
        calls that the tests expect to succeed only for the system actor.
        """
        self._start_container()

        # Bring up the services declared in the deploy file.
        self.container.start_rel_from_url('res/deploy/r2deploy.yml')

        # A single process identity stands in for "the test" on every client below.
        test_process = GovernanceTestProcess()

        # Policies are loaded only after the container has started the services they govern.
        LoadSystemPolicy.op_load_system_policies(test_process)

        node = self.container.node
        self.rr_client = ResourceRegistryServiceProcessClient(node=node, process=test_process)
        self.id_client = IdentityManagementServiceProcessClient(node=node, process=test_process)
        self.pol_client = PolicyManagementServiceProcessClient(node=node, process=test_process)
        self.org_client = OrgManagementServiceProcessClient(node=node, process=test_process)
        self.ims_client = InstrumentManagementServiceProcessClient(node=node, process=test_process)
        self.ems_client = ExchangeManagementServiceProcessClient(node=node, process=test_process)

        self.ion_org = self.org_client.find_org()

        self.system_actor = self.id_client.find_actor_identity_by_name(name=CFG.system.system_actor)
        log.debug('system actor:' + self.system_actor._id)

        # Headers identifying the system actor; the role list is fetched from the Org service.
        system_roles = get_role_message_headers(self.org_client.find_all_roles_by_user(self.system_actor._id))
        self.sa_user_header = {'ion-actor-id': self.system_actor._id, 'ion-actor-roles': system_roles}

    @attr('LOCOINT')
    @unittest.skipIf(os.getenv('CEI_LAUNCH_TEST', False),'Not integrated for CEI')
    def test_basic_policy(self):
        """Toggle one service policy and check that enforcement follows it.

        With nothing granting the operation, an anonymous create_exchange_space
        is denied.  A policy built from TEST_POLICY_TEXT is then created and
        attached, disabled, re-enabled, and finally detached and deleted; after
        each step the same call must either be denied or get past authorization
        (and then fail on its arguments).
        """
        # The system policies are the precondition for the deny outcome below.
        policy_list, _ = self.rr_client.find_resources(restype=RT.Policy)
        self.assertNotEqual(len(policy_list), 0, "The system policies have not been loaded into the Resource Registry")

        # No policy covers this service yet, so the anonymous call is rejected.
        self._assert_create_xs_denied()

        # NOTE(review): definition_type is "Service" here while the other policies in
        # this file use "service"; presumably the lookup is case-insensitive -- confirm.
        policy_obj = IonObject(RT.Policy, name='Exchange_Management_Test_Policy', definition_type="Service", rule=TEST_POLICY_TEXT,
            description='Allow specific operations in the Exchange Management Service for anonymous user')
        test_policy_id = self.pol_client.create_policy(policy_obj, headers=self.sa_user_header)
        self.pol_client.add_service_policy('exchange_management', test_policy_id, headers=self.sa_user_header)
        log.info('Policy created: ' + policy_obj.name)
        self._wait_for_policy_update()

        # Permitted now: the call clears authorization and fails on validation instead.
        self._assert_create_xs_allowed()

        self.pol_client.disable_policy(test_policy_id, headers=self.sa_user_header)
        self._wait_for_policy_update()
        self._assert_create_xs_denied()

        self.pol_client.enable_policy(test_policy_id, headers=self.sa_user_header)
        self._wait_for_policy_update()
        self._assert_create_xs_allowed()

        # Removing and deleting the policy must restore the deny outcome.
        self.pol_client.remove_service_policy('exchange_management', test_policy_id, headers=self.sa_user_header)
        self.pol_client.delete_policy(test_policy_id, headers=self.sa_user_header)
        self._wait_for_policy_update()
        self._assert_create_xs_denied()

    def _wait_for_policy_update(self):
        """Give the policy-change events time to reach the enforcement point."""
        # Fixed delay: the test has no signal telling it when the new policy is active.
        gevent.sleep(2)

    def _assert_create_xs_denied(self):
        """Assert that an anonymous create_exchange_space is rejected by policy."""
        es_obj = IonObject(RT.ExchangeSpace, description='ION test XS', name='ioncore2')
        with self.assertRaises(Unauthorized) as cm:
            self.ems_client.create_exchange_space(es_obj)
        self.assertIn('exchange_management(create_exchange_space) has been denied', cm.exception.message)

    def _assert_create_xs_allowed(self):
        """Assert that create_exchange_space is authorized (it then fails on its arguments)."""
        es_obj = IonObject(RT.ExchangeSpace, description='ION test XS', name='ioncore2')
        with self.assertRaises(BadRequest) as cm:
            self.ems_client.create_exchange_space(es_obj)
        self.assertIn('Arguments not set', cm.exception.message)



    @attr('LOCOINT')
    @unittest.skipIf(os.getenv('CEI_LAUNCH_TEST', False),'Not integrated for CEI')
    def test_org_policy(self):
        """Walk a user through Org enrollment, role and resource requests under policy.

        Each operation is tried anonymously, as the plain user and as the
        system actor, checking that org_management / instrument_management
        calls are denied unless the caller holds the required role and that
        the request preconditions (enrollment state, duplicate requests) are
        enforced.  The steps mutate service state, so their order matters.
        """
        policy_list, _ = self.rr_client.find_resources(restype=RT.Policy)
        self.assertNotEqual(len(policy_list), 0, "The system policies have not been loaded into the Resource Registry")

        with self.assertRaises(BadRequest) as cm:
            self.org_client.read_org()
        self.assertEqual(cm.exception.message, 'The org_id parameter is missing')

        # Register a user from a certificate and build its message headers.
        user_id, valid_until, registered = self.id_client.signon(USER1_CERTIFICATE, True)
        log.debug("user id=" + user_id)
        user_header = self._headers_for(user_id)

        # Enrollment is a manager operation: neither anonymous nor self-enrollment is allowed.
        self._assert_unauthorized('org_management(enroll_member)',
                                  self.org_client.enroll_member, self.ion_org._id, user_id)
        self._assert_unauthorized('org_management(enroll_member)',
                                  self.org_client.enroll_member, self.ion_org._id, user_id, headers=user_header)

        # Even a manager cannot enroll into the root Org: registration already implies membership.
        with self.assertRaises(BadRequest) as cm:
            self.org_client.enroll_member(self.ion_org._id, user_id, headers=self.sa_user_header)
        self.assertEqual(cm.exception.message, 'A request to enroll in the root ION Org is not allowed')

        self._assert_unauthorized('org_management(find_enrolled_users)',
                                  self.org_client.find_enrolled_users, self.ion_org._id)
        self._assert_unauthorized('org_management(find_enrolled_users)',
                                  self.org_client.find_enrolled_users, self.ion_org._id, headers=user_header)
        self._assert_count(2, self.org_client.find_enrolled_users(self.ion_org._id, headers=self.sa_user_header))

        # Roles in the root Org: three defined, all held by the system actor, one by the new user.
        self._assert_role_names(self.org_client.find_org_roles(self.ion_org._id),
                                [MANAGER_ROLE, MEMBER_ROLE, ION_MANAGER])
        self._assert_role_names(self.org_client.find_roles_by_user(self.ion_org._id, self.system_actor._id, headers=self.sa_user_header),
                                [MEMBER_ROLE, MANAGER_ROLE, ION_MANAGER])
        self._assert_role_names(self.org_client.find_roles_by_user(self.ion_org._id, user_id, headers=self.sa_user_header),
                                [MEMBER_ROLE])

        # A second Org to work in.
        with self.assertRaises(NotFound) as nf:
            self.org_client.find_org(ORG2)
        self.assertIn('The Org with name Org2 does not exist', nf.exception.message)

        org2_id = self.org_client.create_org(IonObject(RT.Org, name=ORG2, description='A second Org'), headers=self.sa_user_header)
        org2 = self.org_client.find_org(ORG2)
        self.assertEqual(org2_id, org2._id)
        self._assert_role_names(self.org_client.find_org_roles(org2_id), [MANAGER_ROLE, MEMBER_ROLE])

        # Defining a new role in the Org is manager-only.
        operator_role = IonObject(RT.UserRole, name=INSTRUMENT_OPERATOR, label='Instrument Operator', description='Instrument Operator')
        self._assert_unauthorized('org_management(add_user_role)',
                                  self.org_client.add_user_role, org2_id, operator_role)
        self.org_client.add_user_role(org2_id, operator_role, headers=self.sa_user_header)
        self._assert_role_names(self.org_client.find_org_roles(org2_id), [MANAGER_ROLE, MEMBER_ROLE, INSTRUMENT_OPERATOR])

        # Listing the Org's requests is manager-only as well.
        self._assert_unauthorized('org_management(find_requests)', self.org_client.find_requests, org2_id)
        self._assert_unauthorized('org_management(find_requests)', self.org_client.find_requests, org2_id, headers=user_header)
        self._assert_count(0, self.org_client.find_requests(org2_id, headers=self.sa_user_header))

        # A role cannot be requested before enrollment.
        self._assert_precondition_failed('is_enrolled(org_id,user_id)',
                                         self.org_client.request_role, org2_id, user_id, INSTRUMENT_OPERATOR, headers=user_header)
        self._assert_count(0, self.org_client.find_requests(org2_id, headers=self.sa_user_header))

        req_id = self.org_client.request_enroll(org2_id, user_id, headers=user_header)
        self._assert_count(1, self.org_client.find_requests(org2_id, headers=self.sa_user_header))
        self._assert_count(1, self.org_client.find_user_requests(user_id, org2_id, headers=self.sa_user_header))

        # A second enrollment request while one is pending is rejected.
        self._assert_precondition_failed('enroll_req_not_exist(org_id,user_id)',
                                         self.org_client.request_enroll, org2_id, user_id, headers=user_header)

        # Deny, then approve, the same request; the user is enrolled only once they accept.
        self.org_client.deny_request(org2_id, req_id, 'To test the deny process', headers=self.sa_user_header)
        requests = self._assert_count(1, self.org_client.find_requests(org2_id, headers=self.sa_user_header))
        self.assertEqual(requests[0].status, REQUEST_DENIED)

        self.org_client.approve_request(org2_id, req_id, headers=self.sa_user_header)
        self._assert_count(0, self.org_client.find_enrolled_users(org2_id, headers=self.sa_user_header))

        self.org_client.accept_request(org2_id, req_id, headers=user_header)
        self._assert_count(1, self.org_client.find_enrolled_users(org2_id, headers=self.sa_user_header))

        # Once enrolled, enrolling again is rejected.
        self._assert_precondition_failed('is_not_enrolled(org_id,user_id)',
                                         self.org_client.request_enroll, org2_id, user_id, headers=user_header)

        # Request the operator role and check the request listings and their filters.
        req_id = self.org_client.request_role(org2_id, user_id, INSTRUMENT_OPERATOR, headers=user_header)
        self._assert_count(2, self.org_client.find_requests(org2_id, headers=self.sa_user_header))
        self._assert_count(1, self.org_client.find_requests(org2_id, request_status='Open', headers=self.sa_user_header))
        self._assert_count(2, self.org_client.find_user_requests(user_id, org2_id, headers=user_header))
        self._assert_count(1, self.org_client.find_user_requests(user_id, org2_id, request_type=RT.RoleRequest, headers=user_header))
        self._assert_count(1, self.org_client.find_user_requests(user_id, org2_id, request_status="Open", headers=user_header))

        # Without the operator role the user cannot create instrument agents.
        ia_list, _ = self.rr_client.find_resources(restype=RT.InstrumentAgent)
        self._assert_count(0, ia_list)

        ia_obj = IonObject(RT.InstrumentAgent, name='Instrument Agent1', description='The first Instrument Agent')
        self._assert_unauthorized('instrument_management(create_instrument_agent)',
                                  self.ims_client.create_instrument_agent, ia_obj)
        self._assert_unauthorized('instrument_management(create_instrument_agent)',
                                  self.ims_client.create_instrument_agent, ia_obj, headers=user_header)

        # Manager approves and the user accepts the role request.
        self.org_client.approve_request(org2_id, req_id, headers=self.sa_user_header)
        self._assert_count(0, self.org_client.find_user_requests(user_id, org2_id, request_status="Open", headers=user_header))
        self.org_client.accept_request(org2_id, req_id, headers=user_header)

        # The roles travel in the message headers, so they must be rebuilt before retrying.
        user_header = self._headers_for(user_id)

        self.ims_client.create_instrument_agent(ia_obj, headers=user_header)
        ia_obj = IonObject(RT.InstrumentAgent, name='Instrument Agent2', description='The second Instrument Agent')
        self.ims_client.create_instrument_agent(ia_obj, headers=user_header)

        ia_list, _ = self.rr_client.find_resources(restype=RT.InstrumentAgent)
        self._assert_count(2, ia_list)

        # Resource acquisition: the system actor is not enrolled in org2, the user is.
        self._assert_precondition_failed('is_enrolled(org_id,user_id)',
                                         self.org_client.request_acquire_resource, org2_id, self.system_actor._id, ia_list[0]._id, headers=self.sa_user_header)

        req_id = self.org_client.request_acquire_resource(org2_id, user_id, ia_list[0]._id, headers=user_header)
        self._assert_count(3, self.org_client.find_requests(org2_id, headers=self.sa_user_header))
        self._assert_count(3, self.org_client.find_user_requests(user_id, org2_id, headers=user_header))
        self._assert_count(1, self.org_client.find_user_requests(user_id, org2_id, request_type=RT.ResourceRequest, headers=user_header))
        open_requests = self._assert_count(1, self.org_client.find_user_requests(user_id, org2_id, request_status="Open", headers=user_header))
        self.assertEqual(open_requests[0]._id, req_id)

        self.org_client.approve_request(org2_id, req_id, headers=self.sa_user_header)
        self._assert_count(0, self.org_client.find_user_requests(user_id, org2_id, request_status="Open", headers=user_header))
        self.org_client.accept_request(org2_id, req_id, headers=user_header)

        # Acceptance records a commitment on both the resource and the user ...
        self._assert_commitment_count(ia_list[0]._id, 1)
        self._assert_commitment_count(user_id, 1)

        # ... which releasing the resource removes again.
        self.org_client.release_resource(org2_id, user_id, ia_list[0]._id, headers=self.sa_user_header, timeout=15)  #TODO - Refactor release_resource
        self._assert_commitment_count(ia_list[0]._id, 0)
        self._assert_commitment_count(user_id, 0)

    def _headers_for(self, actor_id):
        """Build the 'ion-actor-id' / 'ion-actor-roles' message headers for actor_id.

        The role list is fetched from the Org service and placed in the header
        by the caller.  NOTE(review): whether the receiving service re-derives
        those roles server-side or trusts the header is not visible from this
        test -- confirm before relying on the header alone.
        """
        roles = get_role_message_headers(self.org_client.find_all_roles_by_user(actor_id))
        return {'ion-actor-id': actor_id, 'ion-actor-roles': roles}

    def _assert_unauthorized(self, denied_op, call, *args, **kwargs):
        """Run call(*args, **kwargs) and assert policy denies it for denied_op, e.g. 'org_management(enroll_member)'."""
        with self.assertRaises(Unauthorized) as cm:
            call(*args, **kwargs)
        self.assertIn('%s has been denied' % denied_op, cm.exception.message)

    def _assert_precondition_failed(self, precondition, call, *args, **kwargs):
        """Run call(*args, **kwargs) and assert the named request precondition rejects it."""
        with self.assertRaises(BadRequest) as cm:
            call(*args, **kwargs)
        self.assertIn('A precondition for this request has not been satisfied: ' + precondition, cm.exception.message)

    def _assert_count(self, expected, items):
        """Assert len(items) == expected and hand items back for further checks."""
        self.assertEqual(len(items), expected)
        return items

    def _assert_role_names(self, roles, expected_names):
        """Assert that roles carries exactly expected_names (order ignored)."""
        self.assertEqual(len(roles), len(expected_names))
        self.assertItemsEqual([r.name for r in roles], expected_names)

    def _assert_commitment_count(self, subject_id, expected):
        """Assert how many ResourceCommitment objects hang off subject_id via hasCommitment."""
        commitments, _ = self.rr_client.find_objects(subject_id, PRED.hasCommitment, RT.ResourceCommitment)
        self.assertEqual(len(commitments), expected)
    def op_load_system_policies(cls, calling_process):

        org_client = OrgManagementServiceProcessClient(node=Container.instance.node, process=calling_process)
        ion_org = org_client.find_org()

        id_client = IdentityManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

        system_actor = get_system_actor()
        log.info("system actor:" + system_actor._id)

        sa_user_header = get_system_actor_header()

        policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

        timeout = 20

        ##############
        """
        This rule must be loaded before the Deny_Everything rule
        """

        policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

        policy_text = """
        <Rule RuleId="%s:" Effect="Permit">
            <Description>
                %s
            </Description>


        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>


        </Rule>
        """

        policy_id = policy_client.create_common_service_access_policy(
            "ION_Manager_Permit_Everything",
            "A global policy rule that permits access to everything with the ION Manager role",
            policy_text,
            headers=sa_user_header,
        )

        ##############

        """
        This rule must be loaded before the Deny_Everything rule
        """

        policy_text = """
        <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">is*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">has*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">

                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_org_negotiations</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                        </Apply>
                        <ActionAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>

        </Rule>
        """

        policy_id = policy_client.create_common_service_access_policy(
            "Allowed_Anonymous_Service_Operations",
            "A global policy rule which specifies operations that are allowed with anonymous access",
            policy_text,
            headers=sa_user_header,
        )

        ##############

        # This rule has been modified specifically for 2.0 to Deny for only specific services and agents. Everything else will be allowed.

        policy_text = """
        <Rule RuleId="%s:" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>
                    <!-- REMOVE THE RESOURCE TARGETS BELOW AFTER 2.0 TO TIGHTEN POLICY -->

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">observatory_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scheduler</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>
            </Target>

        </Rule>
        """

        policy_id = policy_client.create_common_service_access_policy(
            "Deny_Everything",
            "A global policy rule that denies access to everything by default",
            policy_text,
            headers=sa_user_header,
        )

        ##############

        policy_text = """
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DATA_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule> """

        policy_id = policy_client.create_common_service_access_policy(
            "Allowed_CUD_Service_Operations_for_Roles",
            "A global policy rule which specifies operations that are allowed with for OPERATOR AND MANAGER roles",
            policy_text,
            headers=sa_user_header,
        )

        ##############

        policy_text = """
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_user_info</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>


            </Target>


            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </Apply>
                    </Apply>
                </Apply>
            </Condition>

        </Rule> """

        policy_id = policy_client.create_service_access_policy(
            "identity_management",
            "IDS_Permitted_Non_Anonymous",
            "Permit these operations in the Identity Management Service is the user is not anonymous",
            policy_text,
            headers=sa_user_header,
        )

        ##############

        policy_text = """
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>



                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>


        </Rule> """

        policy_id = policy_client.create_service_access_policy(
            "org_management",
            "OMS_Org_Manager_Role_Permitted",
            "Permit these operations in the Org Management Service for the role of Org Manager",
            policy_text,
            headers=sa_user_header,
        )

        ##############

        policy_text = """
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">has_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_commitment</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>


                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>


        </Rule> """

        policy_id = policy_client.create_service_access_policy(
            "org_management",
            "OMS_Org_Member_Role_Permitted",
            "Permit these operations in the Org Management Service for any user that is a simple Member of the Org",
            policy_text,
            headers=sa_user_header,
        )

        ##############

        policy_text = """
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule> """

        policy_id = policy_client.create_service_access_policy(
            "instrument_management",
            "IMS_Role_Permitted_Operations",
            "Permit these operations in the Instrument Management Service for role of Instrument Operator, Observatory Operator or Org Manager",
            policy_text,
            headers=sa_user_header,
        )

        ##############

        policy_text = """
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">observatory_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule> """

        policy_id = policy_client.create_service_access_policy(
            "observatory_management",
            "OBM_Role_Permitted_Operations",
            "Permit these operations in the Observatory Management Service for role of Observatory Operator or Org Manager",
            policy_text,
            headers=sa_user_header,
        )

        ##############

        policy_text = """
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>


                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>

        </Rule> """

        # All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            "InstrumentDevice",
            "Instrument_Agent_Org_Manager_Role_Permitted",
            "Permit all instrument agent operations for the role of Org Manager",
            policy_text,
            headers=sa_user_header,
        )

        # All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            "PlatformDevice",
            "Platform_Agent_Org_Manager_Role_Permitted",
            "Permit all platform agent operations for the role of Org Manager",
            policy_text,
            headers=sa_user_header,
        )

        #############

        policy_text = """
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_capabilities</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>

        </Rule> """

        # All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            "InstrumentDevice",
            "Instrument_Agent_Org_Member_Permitted",
            "Permit these operations in an instrument agent for a Member of the Org",
            policy_text,
            headers=sa_user_header,
        )

        # All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            "PlatformDevice",
            "Platform_Agent_Org_Member_Permitted",
            "Permit these operations in an platform agent for a Member of the Org",
            policy_text,
            headers=sa_user_header,
        )

        #############

        policy_text = """
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource_state</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">set_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">execute_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ping_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_agent_state</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>

        </Rule> """

        # All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            "InstrumentDevice",
            "Instrument_Agent_Instrument_Operator_Permitted",
            "Permit these operations in an instrument agent for an Instrument Operator",
            policy_text,
            headers=sa_user_header,
        )

        # All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            "PlatformDevice",
            "Platform_Agent_Instrument_Operator_Permitted",
            "Permit these operations in an platform agent for an Instrument Operator",
            policy_text,
            headers=sa_user_header,
        )

        #########  Load Operation Specific Preconditions #############

        # Add precondition policies for the Instrument Agents

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.InstrumentDevice,
            op="execute_resource",
            policy_content="check_resource_operation_policy",
            headers=sa_user_header,
        )

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.InstrumentDevice,
            op="set_resource",
            policy_content="check_resource_operation_policy",
            headers=sa_user_header,
        )

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.InstrumentDevice,
            op="ping_resource",
            policy_content="check_resource_operation_policy",
            headers=sa_user_header,
        )

        # Add precondition policies for the Platform Agents

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.PlatformDevice,
            op="execute_resource",
            policy_content="check_resource_operation_policy",
            headers=sa_user_header,
        )

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.PlatformDevice,
            op="set_resource",
            policy_content="check_resource_operation_policy",
            headers=sa_user_header,
        )

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.PlatformDevice,
            op="ping_resource",
            policy_content="check_resource_operation_policy",
            headers=sa_user_header,
        )

        # Add precondition policies for IMS Direct Access operations

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name="instrument_management",
            op="request_direct_access",
            policy_content="check_direct_access_policy",
            headers=sa_user_header,
        )

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name="instrument_management",
            op="stop_direct_access",
            policy_content="check_direct_access_policy",
            headers=sa_user_header,
        )

        # Add precondition policies for IMS lifecyle operations

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name="instrument_management",
            op="execute_instrument_device_lifecycle",
            policy_content="check_device_lifecycle_policy",
            headers=sa_user_header,
        )

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name="instrument_management",
            op="execute_platform_device_lifecycle",
            policy_content="check_device_lifecycle_policy",
            headers=sa_user_header,
        )
class GovernanceController(object):
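    def __init__(self, container):
        """Create a disabled controller bound to *container*.

        Nothing is wired up here: the interceptor chain, the policy decision
        point, the policy-event subscription and the service clients are
        only created by start(), and only when the governance interceptor
        is enabled in CFG.
        """
        log.debug('GovernanceController.__init__()')
        self.container = container
        # Governance (policy enforcement on messages) is off until start()
        # reads the config and turns it on explicitly.
        self.enabled = False
        self.interceptor_by_name_dict = dict()
        self.interceptor_order = []
        self.policy_decision_point_manager = None
        self.governance_dispatcher = None
        # Pre-set the attributes start() creates so that stop() and other
        # callers do not hit AttributeError when start() never ran or
        # governance stayed disabled.
        self.resource_policy_event_subscriber = None
        self.rr_client = None
        self.policy_client = None
        self.org_client = None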

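    def start(self):
        """Read the governance section of the container config and, when it
        is enabled, build the interceptor chain, the policy decision point,
        the policy-event subscription and the service clients.

        A missing config section leaves governance disabled -- i.e. no
        policy enforcement in this container -- instead of crashing (the
        original assigned into None, which raises TypeError). Because that
        is a fail-open default it is logged at warning level so it is not
        mistaken for an intentional opt-out.
        """
        log.debug("GovernanceController starting ...")

        config = CFG.interceptor.interceptors.governance.config

        if config is None:
            log.warning("No governance interceptor config found; "
                        "governance is DISABLED for this container")
            config = {'enabled': False}

        if "enabled" in config:
            self.enabled = config["enabled"]

        log.debug("GovernanceInterceptor enabled: %s" % str(self.enabled))

        self.resource_policy_event_subscriber = None

        if not self.enabled:
            return

        self.initialize_from_config(config)

        # Policy changes anywhere in the system arrive as events; this
        # subscription is how the local PDP learns about new/changed rules.
        self.resource_policy_event_subscriber = EventSubscriber(
            event_type="ResourcePolicyEvent",
            callback=self.policy_event_callback)
        self.resource_policy_event_subscriber.activate()

        # The clients act as the container process itself when fetching
        # rules from the registry/policy/org services.
        self.rr_client = ResourceRegistryServiceProcessClient(
            node=self.container.node, process=self.container)
        self.policy_client = PolicyManagementServiceProcessClient(
            node=self.container.node, process=self.container)
        self.org_client = OrgManagementServiceProcessClient(
            node=self.container.node, process=self.container)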

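    def initialize_from_config(self, config):
        """Build the dispatcher, the PDP manager and the interceptor chain
        described by *config*.

        ``config['governance_interceptors']`` maps an interceptor name to a
        definition whose ``class`` entry is a dotted ``module.ClassName``
        path; each class is imported and instantiated with no arguments.
        ``config['interceptor_order']`` lists the names in the order they
        run on incoming messages (outgoing messages run the reverse).

        Raises:
            ValueError: if ``interceptor_order`` names an interceptor that
                has no definition. Without this the chain would only fail
                with KeyError on the first intercepted message; failing at
                startup keeps a misconfigured enforcement chain from
                coming up at all.
        """
        self.governance_dispatcher = GovernanceDispatcher()

        self.policy_decision_point_manager = PolicyDecisionPointManager()

        if 'interceptor_order' in config:
            self.interceptor_order = config['interceptor_order']

        if 'governance_interceptors' in config:
            gov_ints = config['governance_interceptors']

            for name in gov_ints:
                interceptor_def = gov_ints[name]

                # SECURITY: this imports and instantiates whatever class the
                # container config names, so the config file is part of the
                # trusted computing base -- anyone who can edit it can run
                # arbitrary code in the container and replace the
                # policy-enforcing interceptors with no-ops.
                modpath, _, classname = interceptor_def["class"].rpartition('.')
                module = __import__(modpath, fromlist=[classname])
                classobj = getattr(module, classname)
                classinst = classobj()

                # Put in by_name_dict for possible re-use
                self.interceptor_by_name_dict[name] = classinst

        # Fail fast: every name in the order must resolve to a loaded
        # interceptor, otherwise process_message() raises KeyError later.
        missing = [n for n in self.interceptor_order
                   if n not in self.interceptor_by_name_dict]
        if missing:
            raise ValueError(
                "interceptor_order names undefined governance interceptors: %s"
                % ", ".join(str(n) for n in missing))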

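    def stop(self):
        """Deactivate the policy-event subscription, if one was activated.

        Safe to call before start() or when governance was disabled: the
        subscriber attribute is only created by start(), so it is looked up
        with a default instead of assumed to exist.
        """
        log.debug("GovernanceController stopping ...")

        subscriber = getattr(self, 'resource_policy_event_subscriber', None)
        if subscriber is not None:
            subscriber.deactivate()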

    def process_incoming_message(self, invocation):

        self.process_message(invocation, self.interceptor_order, 'incoming')
        return self.governance_dispatcher.handle_incoming_message(invocation)

    def process_outgoing_message(self, invocation):
        self.process_message(invocation, reversed(self.interceptor_order),
                             'outgoing')
        return self.governance_dispatcher.handle_outgoing_message(invocation)

    def process_message(self, invocation, interceptor_list, method):

        for int_name in interceptor_list:
            class_inst = self.interceptor_by_name_dict[int_name]
            getattr(class_inst, method)(invocation)

        return invocation

    def policy_event_callback(self, *args, **kwargs):
        """Handle a ResourcePolicyEvent (passed as args[0]) by reloading the
        affected policy rules into the policy decision point.

        The event only says *what* changed (origin = policy id, plus the
        resource id/type/name); the rules themselves are always re-fetched
        from the policy management service and never taken from the event
        payload, so a message on the event bus cannot carry policy text
        into the PDP.

        Dispatch by resource_type:
          * 'ServiceDefinition' -- reload the named service's rules for the
            root Org (original TODO: make the Org boundary configurable per
            container).
          * 'Org' -- load the Org-level rules into the PDP manager, then
            refresh every service policy it already knows about.
          * anything else -- treat resource_id as a resource with its own
            policy rules and reload those.
        """
        event = args[0]

        policy_id = event.origin
        resource_id = event.resource_id
        resource_type = event.resource_type
        resource_name = event.resource_name

        log.info("Resource policy modified: %s %s %s" %
                 (policy_id, resource_id, resource_type))

        if resource_type == 'ServiceDefinition':  #TODO - REDO to have a configurable Org boundary by container
            root_org = self.org_client.find_org()
            rules = self.policy_client.get_active_service_policy_rules(
                root_org._id, resource_name)
            self.update_resource_policy(resource_name, rules)
            return

        if resource_type == 'Org':
            rules = self.policy_client.get_active_resource_policy_rules(
                resource_id)
            pdp_manager = self.policy_decision_point_manager
            if pdp_manager is not None:
                pdp_manager.load_org_policy_rules(rules)
                self.update_all_resource_policies(resource_id)
            return

        rules = self.policy_client.get_active_resource_policy_rules(
            resource_id)
        self.update_resource_policy(resource_id, rules)

    def update_resource_policy(self, resource_name, policy_rules):

        #Notify policy decision point of updated rules
        if self.policy_decision_point_manager is not None:
            log.debug("Loading policy for resource: %s" % resource_name)
            self.policy_decision_point_manager.load_policy_rules(
                resource_name, policy_rules)

    def update_all_resource_policies(self, org_id):

        #Notify policy decision point of updated rules for all existing service policies
        if self.policy_decision_point_manager is not None:
            for res_name in self.policy_decision_point_manager.policy_decision_point:
                try:
                    policy_rules = self.policy_client.get_active_service_policy_rules(
                        org_id, res_name)
                    self.update_resource_policy(res_name, policy_rules)
                except Exception, e:
                    log.error(e.message)
    def op_load_system_policies(cls, calling_process):

        org_client = OrgManagementServiceProcessClient(node=Container.instance.node, process=calling_process)
        ion_org = org_client.find_org()

        id_client = IdentityManagementServiceProcessClient(node=Container.instance.node, process=calling_process )

        system_actor = id_client.find_actor_identity_by_name(name=CFG.system.system_actor)
        log.debug('system actor:' + system_actor._id)

        sa_header_roles = get_role_message_headers(org_client.find_all_roles_by_user(system_actor._id))
        sa_user_header = {'ion-actor-id': system_actor._id, 'ion-actor-roles': sa_header_roles }

        policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)


        timeout = 20

##############

        """
        This policy MUST BE LOADED FIRST!!!!!
        """

        policy_text = '''
        <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>


                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">

                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_user_requests</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                        </Apply>
                        <ActionAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>

        </Rule>
        '''

        policy_id = policy_client.create_common_service_access_policy( 'Allowed_Anonymous_Service_Operations',
            'A global Org policy rule which specifies operations that are allowed with anonymous access',
            policy_text, headers=sa_user_header)



##############

        policy_text = '''
        <Rule RuleId="%s" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule>
        '''

        policy_id = policy_client.create_common_service_access_policy( 'Anonymous_Deny_Everything',
            'A global Org policy rule that denies anonymous access to everything in the Org as the base',
            policy_text, headers=sa_user_header)


###############

        policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

        policy_text = '''
        <Rule RuleId="%s:" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

            </Target>

            <Condition>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
            </Condition>

        </Rule>
        '''

        policy_id = policy_client.create_common_service_access_policy( 'Org_Manager_Permit_Everything',
            'A global Org policy rule that permits access to everything in the Org for a user with Org Manager or ION Manager role',
            policy_text, headers=sa_user_header)

##############

        policy_text = '''
           <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s

            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource_registry</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>


                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_association</AttributeValue>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>
            <Condition>

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">policy_management</AttributeValue>
                </Apply>

            </Condition>

        </Rule>
        '''

        policy_id = policy_client.create_service_access_policy('resource_registry', 'RR_Anonymous_Bootstrap',
            'Permit anonymous access to these operations in the Resource Registry Service if called from the Identity Management Service',
            policy_text, headers=sa_user_header)



##############


        policy_text = '''
        <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s

            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_actor_identity</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bootstrap</AttributeValue>
                </Apply>

            </Condition>
        </Rule>
        '''

        policy_id = policy_client.create_service_access_policy('identity_management', 'IMS_Anonymous_Bootstrap',
            'Permit anonymous access to these operations in the Identity Management Service if called from the Bootstrap Service',
             policy_text, headers=sa_user_header)


##############


        policy_text = '''
            <Rule RuleId="%s" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>

                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve_request</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">deny_request</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">enroll_member</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cancel_member_enrollment</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">grant_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">revoke_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remove_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acquire_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>

        </Rule> '''

        policy_id = policy_client.create_service_access_policy('org_management', 'OMS_Org_Manager_Role_Permitted',
            'Deny these operations in the Org Management Service if not the role of Org Manager',
             policy_text, headers=sa_user_header)

        ##############


        policy_text = '''
            <Rule RuleId="%s" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>


        </Rule> '''

        policy_id = policy_client.create_service_access_policy('instrument_management', 'IMS_Instrument_Operator_Role_Permitted',
            'Deny these operations in the Instrument Management Service if not the role of Instrument Operator',
             policy_text, headers=sa_user_header)
    def op_load_system_policies(cls, calling_process):

        org_client = OrgManagementServiceProcessClient(
            node=Container.instance.node, process=calling_process)
        ion_org = org_client.find_org()

        id_client = IdentityManagementServiceProcessClient(
            node=Container.instance.node, process=calling_process)

        system_actor = get_system_actor()
        log.info('system actor:' + system_actor._id)

        sa_user_header = get_system_actor_header()

        policy_client = PolicyManagementServiceProcessClient(
            node=Container.instance.node, process=calling_process)

        timeout = 20

        ##############
        '''
        This rule must be loaded before the Deny_Everything rule
        '''

        policy_client = PolicyManagementServiceProcessClient(
            node=Container.instance.node, process=calling_process)

        policy_text = '''
        <Rule RuleId="%s:" Effect="Permit">
            <Description>
                %s
            </Description>


        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>


        </Rule>
        '''

        policy_id = policy_client.create_common_service_access_policy(
            'ION_Manager_Permit_Everything',
            'A global policy rule that permits access to everything with the ION Manager role',
            policy_text,
            headers=sa_user_header)

        ##############
        '''
        This rule must be loaded before the Deny_Everything rule
        '''

        policy_text = '''
        <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">is*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">has*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">

                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_org_negotiations</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                        </Apply>
                        <ActionAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>

        </Rule>
        '''

        policy_id = policy_client.create_common_service_access_policy(
            'Allowed_Anonymous_Service_Operations',
            'A global policy rule which specifies operations that are allowed with anonymous access',
            policy_text,
            headers=sa_user_header)

        ##############

        #This rule has been modified specifically for 2.0 to Deny for only specific services and agents. Everything else will be allowed.

        policy_text = '''
        <Rule RuleId="%s:" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>
                    <!-- REMOVE THE RESOURCE TARGETS BELOW AFTER 2.0 TO TIGHTEN POLICY -->

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">observatory_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scheduler</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>
            </Target>

        </Rule>
        '''

        policy_id = policy_client.create_common_service_access_policy(
            'Deny_Everything',
            'A global policy rule that denies access to everything by default',
            policy_text,
            headers=sa_user_header)

        ##############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DATA_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule> '''

        policy_id = policy_client.create_common_service_access_policy(
            'Allowed_CUD_Service_Operations_for_Roles',
            'A global policy rule which specifies operations that are allowed with for OPERATOR AND MANAGER roles',
            policy_text,
            headers=sa_user_header)

        ##############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_user_info</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>


            </Target>


            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </Apply>
                    </Apply>
                </Apply>
            </Condition>

        </Rule> '''

        policy_id = policy_client.create_service_access_policy(
            'identity_management',
            'IDS_Permitted_Non_Anonymous',
            'Permit these operations in the Identity Management Service is the user is not anonymous',
            policy_text,
            headers=sa_user_header)

        ##############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>



                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>


        </Rule> '''

        policy_id = policy_client.create_service_access_policy(
            'org_management',
            'OMS_Org_Manager_Role_Permitted',
            'Permit these operations in the Org Management Service for the role of Org Manager',
            policy_text,
            headers=sa_user_header)

        ##############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">has_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_commitment</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>


                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>


        </Rule> '''

        policy_id = policy_client.create_service_access_policy(
            'org_management',
            'OMS_Org_Member_Role_Permitted',
            'Permit these operations in the Org Management Service for any user that is a simple Member of the Org',
            policy_text,
            headers=sa_user_header)

        ##############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule> '''

        policy_id = policy_client.create_service_access_policy(
            'instrument_management',
            'IMS_Role_Permitted_Operations',
            'Permit these operations in the Instrument Management Service for role of Instrument Operator, Observatory Operator or Org Manager',
            policy_text,
            headers=sa_user_header)

        ##############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">observatory_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule> '''

        policy_id = policy_client.create_service_access_policy(
            'observatory_management',
            'OBM_Role_Permitted_Operations',
            'Permit these operations in the Observatory Management Service for role of Observatory Operator or Org Manager',
            policy_text,
            headers=sa_user_header)

        ##############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>


                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>

        </Rule> '''

        #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            'InstrumentDevice',
            'Instrument_Agent_Org_Manager_Role_Permitted',
            'Permit all instrument agent operations for the role of Org Manager',
            policy_text,
            headers=sa_user_header)

        #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            'PlatformDevice',
            'Platform_Agent_Org_Manager_Role_Permitted',
            'Permit all platform agent operations for the role of Org Manager',
            policy_text,
            headers=sa_user_header)

        #############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_capabilities</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>

        </Rule> '''

        #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            'InstrumentDevice',
            'Instrument_Agent_Org_Member_Permitted',
            'Permit these operations in an instrument agent for a Member of the Org',
            policy_text,
            headers=sa_user_header)

        #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            'PlatformDevice',
            'Platform_Agent_Org_Member_Permitted',
            'Permit these operations in an platform agent for a Member of the Org',
            policy_text,
            headers=sa_user_header)

        #############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource_state</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">set_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">execute_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ping_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_agent_state</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>

        </Rule> '''

        #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            'InstrumentDevice',
            'Instrument_Agent_Instrument_Operator_Permitted',
            'Permit these operations in an instrument agent for an Instrument Operator',
            policy_text,
            headers=sa_user_header)

        #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy(
            'PlatformDevice',
            'Platform_Agent_Instrument_Operator_Permitted',
            'Permit these operations in an platform agent for an Instrument Operator',
            policy_text,
            headers=sa_user_header)

        #########  Load Operation Specific Preconditions #############

        #Add precondition policies for the Instrument Agents

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.InstrumentDevice,
            op='execute_resource',
            policy_content='check_resource_operation_policy',
            headers=sa_user_header)

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.InstrumentDevice,
            op='set_resource',
            policy_content='check_resource_operation_policy',
            headers=sa_user_header)

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.InstrumentDevice,
            op='ping_resource',
            policy_content='check_resource_operation_policy',
            headers=sa_user_header)

        #Add precondition policies for the Platform Agents

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.PlatformDevice,
            op='execute_resource',
            policy_content='check_resource_operation_policy',
            headers=sa_user_header)

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.PlatformDevice,
            op='set_resource',
            policy_content='check_resource_operation_policy',
            headers=sa_user_header)

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name=RT.PlatformDevice,
            op='ping_resource',
            policy_content='check_resource_operation_policy',
            headers=sa_user_header)

        #Add precondition policies for IMS Direct Access operations

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name='instrument_management',
            op='request_direct_access',
            policy_content='check_direct_access_policy',
            headers=sa_user_header)

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name='instrument_management',
            op='stop_direct_access',
            policy_content='check_direct_access_policy',
            headers=sa_user_header)

        #Add precondition policies for IMS lifecyle operations

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name='instrument_management',
            op='execute_instrument_device_lifecycle',
            policy_content='check_device_lifecycle_policy',
            headers=sa_user_header)

        pol_id = policy_client.add_process_operation_precondition_policy(
            process_name='instrument_management',
            op='execute_platform_device_lifecycle',
            policy_content='check_device_lifecycle_policy',
            headers=sa_user_header)
    def op_load_system_policies(cls, calling_process):

        org_client = OrgManagementServiceProcessClient(node=Container.instance.node, process=calling_process)
        ion_org = org_client.find_org()

        id_client = IdentityManagementServiceProcessClient(node=Container.instance.node, process=calling_process )

        system_actor = Container.instance.governance_controller.get_system_actor()
        log.info('system actor:' + system_actor._id)

        sa_user_header = Container.instance.governance_controller.get_system_actor_header()

        policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)


        timeout = 20



##############
        '''
        This rule must be loaded before the Deny_Everything rule
        '''

        policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

        policy_text = '''
        <Rule RuleId="%s:" Effect="Permit">
            <Description>
                %s
            </Description>


        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>


        </Rule>
        '''

        policy_id = policy_client.create_common_service_access_policy( 'ION_Manager_Permit_Everything',
            'A global policy rule that permits access to everything with the ION Manager role',
            policy_text, headers=sa_user_header)




##############


        '''
        This rule must be loaded before the Deny_Everything rule
        '''

        policy_text = '''
        <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get*</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">

                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_org_negotiations</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                        </Apply>
                        <ActionAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>

        </Rule>
        '''

        policy_id = policy_client.create_common_service_access_policy( 'Allowed_Anonymous_Service_Operations',
            'A global policy rule which specifies operations that are allowed with anonymous access',
            policy_text, headers=sa_user_header)

 ##############
        # Review note on Allowed_Anonymous_Service_Operations (above): the action
        # patterns `find*` and `get*` are evaluated by string-regexp-match, i.e. as
        # regular expressions, not shell globs. `find*` means "fin" followed by zero
        # or more "d" (likewise `get*` is "ge" + "t*"), so any operation id starting
        # with -- or, if the PDP does not anchor, merely containing -- "fin"/"ge"
        # would be opened to anonymous callers. Anchor and spell the intent out,
        # e.g. `^find_.*$` and `^get_.*$`, and confirm whether this PDP's
        # regexp-match anchors at the start of the string or searches anywhere.

        policy_text = '''
        <Rule RuleId="%s:" Effect="Deny">
            <Description>
                %s
            </Description>
        </Rule>
        '''

        policy_id = policy_client.create_common_service_access_policy( 'Deny_Everything',
            'A global policy rule that denies access to everything by default',
            policy_text, headers=sa_user_header)


##############
        # Review note on Deny_Everything (above): the rule has no <Target>, so it
        # matches every request that reaches its enclosing policy. Whether it acts
        # as a default-deny or blocks everything depends on the rule-combining
        # algorithm of that policy (not visible here): it must be permit-overrides,
        # or first-applicable with this rule ordered last; under deny-overrides it
        # would veto every Permit rule in this file. Also note RuleId="%s:" carries
        # a stray trailing colon that the other rules' RuleId="%s" do not -- harmless
        # if RuleIds are never referenced, but worth normalising.

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>

                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>


            </Target>


            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </Apply>
                    </Apply>
                </Apply>
            </Condition>

        </Rule> '''

        policy_id = policy_client.create_service_access_policy('identity_management', 'IDS_Permitted_Non_Anonymous',
            'Permit these operations in the Identity Management Service is the user is not anonymous',
            policy_text, headers=sa_user_header)



##############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>

                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_org_negotiations</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve_negotiation</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">deny_negotiation</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">enroll_member</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cancel_member_enrollment</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">grant_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">revoke_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remove_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acquire_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_commitment</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>


                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>


        </Rule> '''

        policy_id = policy_client.create_service_access_policy('org_management', 'OMS_Org_Manager_Role_Permitted',
            'Permit these operations in the Org Management Service for the role of Org Manager',
            policy_text, headers=sa_user_header)


##############

        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">has_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_commitment</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>


                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>


        </Rule> '''

        policy_id = policy_client.create_service_access_policy('org_management', 'OMS_Org_Member_Role_Permitted',
            'Permit these operations in the Org Management Service for any user that is a simple Member of the Org',
            policy_text, headers=sa_user_header)


##############
        # Review note on PD_Role_Permitted (below): the actions `create`, `update`
        # and `delete` are bare, unanchored words under string-regexp-match. Whether
        # that means prefix or substring matching depends on the PDP implementation,
        # but either way the pattern admits more than the literal operation name
        # (e.g. `delete_all`, or `undelete_...` under substring semantics). If a
        # family of operations is intended, anchor the pattern (`^create_.*$`); if a
        # single operation is intended, use string-equal as the other rules do.


        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">process_dispatcher</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule> '''

        policy_id = policy_client.create_service_access_policy('process_dispatcher', 'PD_Role_Permitted',
            'Permit these operations in the Process Dispatcher Service for role of Instrument Operator, Observatory Manager and Org Manager',
            policy_text, headers=sa_user_header)


        ##############
        # Review note on IMS_Role_Permitted_Operations (below): `create`, `update`
        # and `delete` are bare words under string-regexp-match (compare the explicit
        # `execute_.*_lifecycle` pattern in the same rule), so they admit whatever
        # operation ids the PDP's regexp-match considers a match -- prefix or
        # substring, depending on the implementation. Anchor them (`^create_.*$`)
        # or switch to string-equal. Separately, the PD_Role_Permitted description
        # above says "Observatory Manager" while the rule's subject role is
        # OBSERVATORY_OPERATOR; align the text so audit records name the real role.


        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">execute_.*_lifecycle</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">request_direct_access</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">stop_direct_access</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule> '''

        policy_id = policy_client.create_service_access_policy('instrument_management', 'IMS_Role_Permitted_Operations',
            'Permit these operations in the Instrument Management Service for role of Instrument Operator, Observatory Operator or Org Manager',
            policy_text, headers=sa_user_header)


##############


        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>


                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>

        </Rule> '''

        # All resource-agent policies are created the same way; the rule text only
        # matches receiver-type == "agent", and the resource-id is presumably narrowed
        # to the given type ('InstrumentDevice' here) by create_service_access_policy
        # -- confirm. Review note: this rule has no <Actions> element, so ORG_MANAGER
        # is permitted every operation on the agent; make sure that breadth is
        # intended (compare the explicit operation lists in the other rules).
        policy_id = policy_client.create_service_access_policy('InstrumentDevice', 'Instrument_Agent_Org_Manager_Role_Permitted',
            'Permit all instrument agent operations for the role of Org Manager',
            policy_text, headers=sa_user_header)


#############


        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_capabilities</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>

        </Rule> '''

        # Same handling as the Org Manager agent policy: the rule only matches
        # receiver-type == "agent", and the 'InstrumentDevice' scoping is presumably
        # applied by create_service_access_policy (confirm). Here ORG_MEMBER is
        # limited to `negotiate` and `get_capabilities`.
        policy_id = policy_client.create_service_access_policy('InstrumentDevice', 'Instrument_Agent_Org_Member_Permitted',
        'Permit these operations in an instrument agent for a Member of the Org',
        policy_text, headers=sa_user_header)


        #############


        policy_text = '''
            <Rule RuleId="%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource_state</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">set_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">execute_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ping_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_agent_state</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                            <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>

        </Rule> '''

        #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type
        policy_id = policy_client.create_service_access_policy('InstrumentDevice', 'Instrument_Agent_Instrument_Operator_Permitted',
            'Permit these operations in an instrument agent for an Instrument Operator',
            policy_text, headers=sa_user_header)


#########  Load Operation Specific Preconditions #############


        #Add precondition policies for the Instrument Agents

        pol_id = policy_client.add_process_operation_precondition_policy(process_name=RT.InstrumentDevice, op='execute_resource',
                policy_content='check_execute_resource', headers=sa_user_header )


        pol_id = policy_client.add_process_operation_precondition_policy(process_name=RT.InstrumentDevice, op='set_resource',
            policy_content='check_set_resource', headers=sa_user_header )


        pol_id = policy_client.add_process_operation_precondition_policy(process_name=RT.InstrumentDevice, op='ping_resource',
            policy_content='check_ping_resource', headers=sa_user_header )


        #Add precondition policies for the Platform Agents

        pol_id = policy_client.add_process_operation_precondition_policy(process_name=RT.PlatformDevice, op='execute_resource',
            policy_content='check_execute_resource', headers=sa_user_header )


        pol_id = policy_client.add_process_operation_precondition_policy(process_name=RT.PlatformDevice, op='set_resource',
            policy_content='check_set_resource', headers=sa_user_header )


        pol_id = policy_client.add_process_operation_precondition_policy(process_name=RT.PlatformDevice, op='ping_resource',
            policy_content='check_ping_resource', headers=sa_user_header )

        #Add precondition policies for IMS Direct Access operations
        pol_id = policy_client.add_process_operation_precondition_policy(process_name='instrument_management', op='request_direct_access',
            policy_content='check_exclusive_commitment', headers=sa_user_header )

        pol_id = policy_client.add_process_operation_precondition_policy(process_name='instrument_management', op='stop_direct_access',
            policy_content='check_exclusive_commitment', headers=sa_user_header )
class TestGovernanceInt(IonIntegrationTestCase):
    """Integration tests for ION governance: org enrollment, roles, requests
    and resource commitments, exercised against a live container.

    ``setUp`` starts a container, loads the ``r2gov.yml`` deployment (which
    also loads basic policy), builds service clients on behalf of a
    ``FakeProcess`` and resolves the system actor so that privileged calls can
    be made with ``self.sa_user_header``.

    NOTE(review): authorization in these tests is driven entirely by the
    ``ion-actor-id`` / ``ion-actor-roles`` message headers that the *caller*
    supplies (see ``sa_user_header`` / ``user_header``). Confirm that the
    production governance interceptor derives roles from the authenticated
    actor rather than trusting the header as presented; otherwise a client
    could simply claim MANAGER_ROLE in its own headers.
    """



    def setUp(self) -> None:
        """Start the container, load governance policy and build the clients."""

        # Start container
        self._start_container()

        #Load a deploy file that also loads basic policy.
        self.container.start_rel_from_url('res/deploy/r2gov.yml')

        # The test itself is represented to the service clients as a process.
        process=FakeProcess()

        self.rr_client = ResourceRegistryServiceProcessClient(node=self.container.node, process=process)

        self.id_client = IdentityManagementServiceProcessClient(node=self.container.node, process=process)

        self.org_client = OrgManagementServiceProcessClient(node=self.container.node, process=process)

        self.ims_client = InstrumentManagementServiceProcessClient(node=self.container.node, process=process)

        # The root ION Org (no org_id given).
        self.ion_org = self.org_client.find_org()


        # System actor is looked up by its configured name.
        self.system_actor = self.id_client.find_actor_identity_by_name(name=CFG.system.system_actor)
        log.debug('system actor:' + self.system_actor._id)


        # Message headers that make a call appear to come from the system actor,
        # carrying the roles it holds across all orgs.
        sa_header_roles = get_role_message_headers(self.org_client.find_all_roles_by_user(self.system_actor._id))
        self.sa_user_header = {'ion-actor-id': self.system_actor._id, 'ion-actor-roles': sa_header_roles }



    # NOTE: the unconditional @unittest.skip below means this test never runs,
    # so the org/role/request/commitment policy checks it contains are not
    # exercised in CI. Revisit once the buildbot failure is understood.
    @attr('LOCOINT')
    @unittest.skipIf(os.getenv('CEI_LAUNCH_TEST', False),'Not integrated for CEI')
    @unittest.skip("Not working on buildbot for some reason but works on Mac")
    def test_org_policy(self) -> None:
        """Walk a user through enrollment, role grant, resource acquisition and
        release in a second org, asserting at each step that anonymous or
        under-privileged callers are denied and that request preconditions hold.
        """

        # Service-level argument validation, independent of policy.
        with self.assertRaises(BadRequest) as cm:
            myorg = self.org_client.read_org()
        self.assertTrue(cm.exception.message == 'The org_id parameter is missing')


        # Register a user from a certificate; signon returns (id, validity, registered-flag).
        user_id, valid_until, registered = self.id_client.signon(USER1_CERTIFICATE, True)
        log.debug( "user id=" + user_id)

        # Headers presenting the call as coming from this (ordinary member) user.
        user_roles = get_role_message_headers(self.org_client.find_all_roles_by_user(user_id))
        user_header = {'ion-actor-id': user_id, 'ion-actor-roles': user_roles }

        #Attempt to enroll a user anonymously - should not be allowed
        with self.assertRaises(Unauthorized) as cm:
            self.org_client.enroll_member(self.ion_org._id,user_id)
        self.assertIn( 'org_management(enroll_member) has been denied',cm.exception.message)

        #Attempt to let a user enroll themselves - should not be allowed
        with self.assertRaises(Unauthorized) as cm:
            self.org_client.enroll_member(self.ion_org._id,user_id, headers=user_header)
        self.assertIn( 'org_management(enroll_member) has been denied',cm.exception.message)

        #Attempt to enroll the user in the ION Root org as a manager - should not be allowed since
        #registration with the system implies membership in the ROOT Org.
        with self.assertRaises(BadRequest) as cm:
            self.org_client.enroll_member(self.ion_org._id,user_id, headers=self.sa_user_header)
        self.assertTrue(cm.exception.message == 'A request to enroll in the root ION Org is not allowed')

        # Listing enrolled users is denied to anonymous and plain-member callers.
        with self.assertRaises(Unauthorized) as cm:
            users = self.org_client.find_enrolled_users(self.ion_org._id)
        self.assertIn('org_management(find_enrolled_users) has been denied',cm.exception.message)


        with self.assertRaises(Unauthorized) as cm:
            users = self.org_client.find_enrolled_users(self.ion_org._id, headers=user_header)
        self.assertIn( 'org_management(find_enrolled_users) has been denied',cm.exception.message)

        # Presumably the system actor plus the user just signed on -- verify if this changes.
        users = self.org_client.find_enrolled_users(self.ion_org._id, headers=self.sa_user_header)
        self.assertEqual(len(users),2)


        ## test_org_roles and policies

        # The root org carries the three built-in roles.
        roles = self.org_client.find_org_roles(self.ion_org._id)
        self.assertEqual(len(roles),3)
        self.assertItemsEqual([r.name for r in roles], [MANAGER_ROLE, MEMBER_ROLE, ION_MANAGER])

        roles = self.org_client.find_roles_by_user(self.ion_org._id, self.system_actor._id, headers=self.sa_user_header)
        self.assertEqual(len(roles),3)
        self.assertItemsEqual([r.name for r in roles], [MEMBER_ROLE, MANAGER_ROLE, ION_MANAGER])

        # A freshly registered user holds only MEMBER_ROLE in the root org.
        roles = self.org_client.find_roles_by_user(self.ion_org._id, user_id, headers=self.sa_user_header)
        self.assertEqual(len(roles),1)
        self.assertItemsEqual([r.name for r in roles], [MEMBER_ROLE])


        # Create a second org as the system actor; it starts with the two default roles.
        with self.assertRaises(NotFound) as nf:
            org2 = self.org_client.find_org(ORG2)
        self.assertIn('The Org with name Org2 does not exist',nf.exception.message)

        org2 = IonObject(RT.Org, name=ORG2, description='A second Org')
        org2_id = self.org_client.create_org(org2, headers=self.sa_user_header)

        org2 = self.org_client.find_org(ORG2)
        self.assertEqual(org2_id, org2._id)

        roles = self.org_client.find_org_roles(org2_id)
        self.assertEqual(len(roles),2)
        self.assertItemsEqual([r.name for r in roles], [MANAGER_ROLE, MEMBER_ROLE])


        operator_role = IonObject(RT.UserRole, name=INSTRUMENT_OPERATOR,label='Instrument Operator', description='Instrument Operator')

        #First try to add the user role anonymously
        with self.assertRaises(Unauthorized) as cm:
            self.org_client.add_user_role(org2_id, operator_role)
        self.assertIn('org_management(add_user_role) has been denied',cm.exception.message)

        self.org_client.add_user_role(org2_id, operator_role, headers=self.sa_user_header)

        roles = self.org_client.find_org_roles(org2_id)
        self.assertEqual(len(roles),3)
        self.assertItemsEqual([r.name for r in roles], [MANAGER_ROLE, MEMBER_ROLE,  INSTRUMENT_OPERATOR])


        # test requests for enrollments and roles.

        #First try to find user requests anonymously
        with self.assertRaises(Unauthorized) as cm:
            requests = self.org_client.find_requests(org2_id)
        self.assertIn('org_management(find_requests) has been denied',cm.exception.message)


        #Next try to find user requests as a basic member
        with self.assertRaises(Unauthorized) as cm:
            requests = self.org_client.find_requests(org2_id, headers=user_header)
        self.assertIn('org_management(find_requests) has been denied',cm.exception.message)

        requests = self.org_client.find_requests(org2_id, headers=self.sa_user_header)
        self.assertEqual(len(requests),0)

        # First try to request a role without being a member
        # (rejected by a request precondition, surfaced as BadRequest rather than Unauthorized).
        with self.assertRaises(BadRequest) as cm:
            req_id = self.org_client.request_role(org2_id, user_id, INSTRUMENT_OPERATOR, headers=user_header )
        self.assertIn('A precondition for this request has not been satisfied: is_enrolled(org_id,user_id) == True',cm.exception.message)

        requests = self.org_client.find_requests(org2_id, headers=self.sa_user_header)
        self.assertEqual(len(requests),0)

        # A member may request enrollment on their own behalf.
        req_id = self.org_client.request_enroll(org2_id, user_id, headers=user_header )

        requests = self.org_client.find_requests(org2_id, headers=self.sa_user_header)
        self.assertEqual(len(requests),1)

        requests = self.org_client.find_user_requests(user_id, org2_id, headers=self.sa_user_header)
        self.assertEqual(len(requests),1)

        #User tried requesting enrollment again - this should fail
        with self.assertRaises(BadRequest) as cm:
            req_id = self.org_client.request_enroll(org2_id, user_id, headers=user_header )
        self.assertIn('A precondition for this request has not been satisfied: enroll_req_exists(org_id,user_id) == False',cm.exception.message)

        #Manager denies the request
        self.org_client.deny_request(org2_id,req_id,'To test the deny process', headers=self.sa_user_header)

        # A denied request is retained (count unchanged) with status REQUEST_DENIED.
        requests = self.org_client.find_requests(org2_id, headers=self.sa_user_header)
        self.assertEqual(len(requests),1)

        self.assertEqual(requests[0].status, REQUEST_DENIED)

        #Manager approves request
        self.org_client.approve_request(org2_id,req_id, headers=self.sa_user_header)

        # Approval alone does not enroll; the user must still accept.
        users = self.org_client.find_enrolled_users(org2_id, headers=self.sa_user_header)
        self.assertEqual(len(users),0)

        #User Accepts request
        self.org_client.accept_request(org2_id,req_id,  headers=user_header)

        users = self.org_client.find_enrolled_users(org2_id, headers=self.sa_user_header)
        self.assertEqual(len(users),1)

        # Now enrolled, the user can request the INSTRUMENT_OPERATOR role.
        req_id = self.org_client.request_role(org2_id, user_id, INSTRUMENT_OPERATOR, headers=user_header )

        requests = self.org_client.find_requests(org2_id, headers=self.sa_user_header)
        self.assertEqual(len(requests),2)

        requests = self.org_client.find_requests(org2_id,request_status='Open', headers=self.sa_user_header)
        self.assertEqual(len(requests),1)

        # A user may list their own requests, filtered by type and status.
        requests = self.org_client.find_user_requests(user_id, org2_id, headers=user_header)
        self.assertEqual(len(requests),2)

        requests = self.org_client.find_user_requests(user_id, org2_id, request_type=RT.RoleRequest, headers=user_header)
        self.assertEqual(len(requests),1)

        requests = self.org_client.find_user_requests(user_id, org2_id, request_status="Open", headers=user_header)
        self.assertEqual(len(requests),1)

        ia_list = self.ims_client.find_instrument_agents()
        self.assertEqual(len(ia_list),0)

        ia_obj = IonObject(RT.InstrumentAgent, name='Instrument Agent1', description='The first Instrument Agent')

        # Creating an instrument agent is denied until the operator role is granted.
        with self.assertRaises(Unauthorized) as cm:
            self.ims_client.create_instrument_agent(ia_obj)
        self.assertIn('instrument_management(create_instrument_agent) has been denied',cm.exception.message)

        with self.assertRaises(Unauthorized) as cm:
            self.ims_client.create_instrument_agent(ia_obj, headers=user_header)
        self.assertIn('instrument_management(create_instrument_agent) has been denied',cm.exception.message)

        #Manager approves request
        self.org_client.approve_request(org2_id,req_id, headers=self.sa_user_header)

        requests = self.org_client.find_user_requests(user_id, org2_id, request_status="Open", headers=user_header)
        self.assertEqual(len(requests),0)

        #User accepts request
        self.org_client.accept_request(org2_id, req_id, headers=user_header)

        #Refresh headers with new role
        # The header is a snapshot of the roles at build time; it must be
        # rebuilt for the newly granted role to take effect on calls.
        user_roles = get_role_message_headers(self.org_client.find_all_roles_by_user(user_id))
        user_header = {'ion-actor-id': user_id, 'ion-actor-roles': user_roles }

        self.ims_client.create_instrument_agent(ia_obj, headers=user_header)

        ia_obj = IonObject(RT.InstrumentAgent, name='Instrument Agent2', description='The second Instrument Agent')
        self.ims_client.create_instrument_agent(ia_obj, headers=user_header)

        ia_list = self.ims_client.find_instrument_agents()
        self.assertEqual(len(ia_list),2)

        #First make an acquire resource request with a non-enrolled user.
        # Even the system actor cannot bypass the is_enrolled precondition for the target user.
        with self.assertRaises(BadRequest) as cm:
            req_id = self.org_client.request_acquire_resource(org2_id,self.system_actor._id,ia_list[0]._id , headers=self.sa_user_header)
        self.assertIn('A precondition for this request has not been satisfied: is_enrolled(org_id,user_id) == True',cm.exception.message)

        req_id = self.org_client.request_acquire_resource(org2_id,user_id,ia_list[0]._id , headers=user_header)

        requests = self.org_client.find_requests(org2_id, headers=self.sa_user_header)
        self.assertEqual(len(requests),3)

        requests = self.org_client.find_user_requests(user_id, org2_id, headers=user_header)
        self.assertEqual(len(requests),3)

        requests = self.org_client.find_user_requests(user_id, org2_id, request_type=RT.ResourceRequest, headers=user_header)
        self.assertEqual(len(requests),1)

        requests = self.org_client.find_user_requests(user_id, org2_id, request_status="Open", headers=user_header)
        self.assertEqual(len(requests),1)

        self.assertEqual(requests[0]._id, req_id)

        #Manager approves Instrument request
        self.org_client.approve_request(org2_id,req_id, headers=self.sa_user_header)

        requests = self.org_client.find_user_requests(user_id, org2_id, request_status="Open", headers=user_header)
        self.assertEqual(len(requests),0)

        #User accepts request
        self.org_client.accept_request(org2_id,req_id, headers=user_header)

        #Check commitments
        # Acceptance records a ResourceCommitment on both the resource and the user.
        commitments, _ = self.rr_client.find_objects(ia_list[0]._id,PRED.hasCommitment, RT.ResourceCommitment)
        self.assertEqual(len(commitments),1)

        commitments, _ = self.rr_client.find_objects(user_id,PRED.hasCommitment, RT.ResourceCommitment)
        self.assertEqual(len(commitments),1)

        #Release the resource
        self.org_client.release_resource(org2_id,user_id ,ia_list[0]._id, headers=self.sa_user_header)

        #Check commitments
        # Release removes the commitment from both sides.
        commitments, _ = self.rr_client.find_objects(ia_list[0]._id,PRED.hasCommitment, RT.ResourceCommitment)
        self.assertEqual(len(commitments),0)

        commitments, _ = self.rr_client.find_objects(user_id,PRED.hasCommitment, RT.ResourceCommitment)
        self.assertEqual(len(commitments),0)
class TestGovernanceInt(IonIntegrationTestCase):
    def setUp(self):
        """Bring up a container with the full r2 deployment and system policies.

        Builds service clients that act on behalf of a ``GovernanceTestProcess``
        and caches the system actor's identity and role headers in
        ``self.sa_user_header`` so that tests can issue privileged calls.
        """
        self._start_container()

        # Full deployment; services must be running before policies are loaded.
        self.container.start_rel_from_url('res/deploy/r2deploy.yml')

        # The test itself is represented to the service clients as a process.
        process = GovernanceTestProcess()

        # Policies are loaded only once every service has started.
        LoadSystemPolicy.op_load_system_policies(process)

        node = self.container.node
        self.rr_client = ResourceRegistryServiceProcessClient(node=node, process=process)
        self.id_client = IdentityManagementServiceProcessClient(node=node, process=process)
        self.pol_client = PolicyManagementServiceProcessClient(node=node, process=process)
        self.org_client = OrgManagementServiceProcessClient(node=node, process=process)
        self.ims_client = InstrumentManagementServiceProcessClient(node=node, process=process)
        self.ems_client = ExchangeManagementServiceProcessClient(node=node, process=process)

        # The root ION Org (no org_id given).
        self.ion_org = self.org_client.find_org()

        # Resolve the system actor by its configured name.
        self.system_actor = self.id_client.find_actor_identity_by_name(
            name=CFG.system.system_actor)
        log.debug('system actor:' + self.system_actor._id)

        # Message headers that make a call appear to come from the system actor.
        # NOTE(review): the roles are asserted by the caller in these headers;
        # confirm the governance interceptor re-derives them server-side in
        # production rather than trusting whatever the client presents.
        all_roles = self.org_client.find_all_roles_by_user(self.system_actor._id)
        self.sa_user_header = {
            'ion-actor-id': self.system_actor._id,
            'ion-actor-roles': get_role_message_headers(all_roles),
        }

    @attr('LOCOINT')
    @unittest.skipIf(os.getenv('CEI_LAUNCH_TEST', False),
                     'Not integrated for CEI')
    def test_basic_policy(self):
        """Verify default-deny for an operation with no explicit policy, and
        that adding, disabling, enabling and removing a service policy changes
        the authorization outcome accordingly.

        The call under test (anonymous ``create_exchange_space``) is made with
        an incomplete object on purpose: once policy lets it through, the
        service rejects it with ``BadRequest('Arguments not set')``, which is
        the observable proof that authorization is no longer the blocker.
        """

        # Make sure that the system policies have been loaded.
        policy_list, _ = self.rr_client.find_resources(restype=RT.Policy)
        self.assertNotEqual(
            len(policy_list), 0,
            "The system policies have not been loaded into the Resource Registry"
        )

        def attempt_create_xs():
            # Fresh object each time; no actor headers, i.e. an anonymous call.
            xs = IonObject(RT.ExchangeSpace,
                           description='ION test XS',
                           name='ioncore2')
            self.ems_client.create_exchange_space(xs)

        def assert_denied():
            with self.assertRaises(Unauthorized) as cm:
                attempt_create_xs()
            self.assertIn(
                'exchange_management(create_exchange_space) has been denied',
                cm.exception.message)

        def assert_permitted():
            # Policy passed; the service's own argument validation now fires.
            with self.assertRaises(BadRequest) as cm:
                attempt_create_xs()
            self.assertIn('Arguments not set', cm.exception.message)

        # 1. No specific policy for this operation -> denied by default.
        assert_denied()

        # 2. Add a policy permitting the call and attach it to the service.
        policy_obj = IonObject(
            RT.Policy,
            name='Exchange_Management_Test_Policy',
            definition_type="Service",
            rule=TEST_POLICY_TEXT,
            description=
            'Allow specific operations in the Exchange Management Service for anonymous user'
        )
        test_policy_id = self.pol_client.create_policy(
            policy_obj, headers=self.sa_user_header)
        self.pol_client.add_service_policy('exchange_management',
                                           test_policy_id,
                                           headers=self.sa_user_header)
        log.info('Policy created: ' + policy_obj.name)

        # Policy changes propagate asynchronously via events; a fixed wait is
        # used here (see the sleeps below) rather than an explicit signal.
        gevent.sleep(2)  # Wait for events to be fired and policy updated
        assert_permitted()

        # 3. Disabling the policy must revoke access again.
        self.pol_client.disable_policy(test_policy_id,
                                       headers=self.sa_user_header)
        gevent.sleep(2)  # Wait for events to be fired and policy updated
        assert_denied()

        # 4. Re-enabling restores access.
        self.pol_client.enable_policy(test_policy_id,
                                      headers=self.sa_user_header)
        gevent.sleep(2)  # Wait for events to be fired and policy updated
        assert_permitted()

        # 5. Detaching and deleting the policy returns to default-deny.
        self.pol_client.remove_service_policy('exchange_management',
                                              test_policy_id,
                                              headers=self.sa_user_header)
        self.pol_client.delete_policy(test_policy_id,
                                      headers=self.sa_user_header)
        gevent.sleep(2)  # Wait for events to be fired and policy updated
        assert_denied()

    @attr('LOCOINT')
    @unittest.skipIf(os.getenv('CEI_LAUNCH_TEST', False),
                     'Not integrated for CEI')
    def test_org_policy(self):

        #Make sure that the system policies have been loaded
        policy_list, _ = self.rr_client.find_resources(restype=RT.Policy)
        self.assertNotEqual(
            len(policy_list), 0,
            "The system policies have not been loaded into the Resource Registry"
        )

        with self.assertRaises(BadRequest) as cm:
            myorg = self.org_client.read_org()
        self.assertTrue(
            cm.exception.message == 'The org_id parameter is missing')

        user_id, valid_until, registered = self.id_client.signon(
            USER1_CERTIFICATE, True)
        log.debug("user id=" + user_id)

        user_roles = get_role_message_headers(
            self.org_client.find_all_roles_by_user(user_id))
        user_header = {'ion-actor-id': user_id, 'ion-actor-roles': user_roles}

        #Attempt to enroll a user anonymously - should not be allowed
        with self.assertRaises(Unauthorized) as cm:
            self.org_client.enroll_member(self.ion_org._id, user_id)
        self.assertIn('org_management(enroll_member) has been denied',
                      cm.exception.message)

        #Attempt to let a user enroll themselves - should not be allowed
        with self.assertRaises(Unauthorized) as cm:
            self.org_client.enroll_member(self.ion_org._id,
                                          user_id,
                                          headers=user_header)
        self.assertIn('org_management(enroll_member) has been denied',
                      cm.exception.message)

        #Attept to enroll the user in the ION Root org as a manager - should not be allowed since
        #registration with the system implies membership in the ROOT Org.
        with self.assertRaises(BadRequest) as cm:
            self.org_client.enroll_member(self.ion_org._id,
                                          user_id,
                                          headers=self.sa_user_header)
        self.assertTrue(
            cm.exception.message ==
            'A request to enroll in the root ION Org is not allowed')

        with self.assertRaises(Unauthorized) as cm:
            users = self.org_client.find_enrolled_users(self.ion_org._id)
        self.assertIn('org_management(find_enrolled_users) has been denied',
                      cm.exception.message)

        with self.assertRaises(Unauthorized) as cm:
            users = self.org_client.find_enrolled_users(self.ion_org._id,
                                                        headers=user_header)
        self.assertIn('org_management(find_enrolled_users) has been denied',
                      cm.exception.message)

        users = self.org_client.find_enrolled_users(
            self.ion_org._id, headers=self.sa_user_header)
        self.assertEqual(len(users), 2)

        ## test_org_roles and policies

        roles = self.org_client.find_org_roles(self.ion_org._id)
        self.assertEqual(len(roles), 3)
        self.assertItemsEqual([r.name for r in roles],
                              [MANAGER_ROLE, MEMBER_ROLE, ION_MANAGER])

        roles = self.org_client.find_roles_by_user(self.ion_org._id,
                                                   self.system_actor._id,
                                                   headers=self.sa_user_header)
        self.assertEqual(len(roles), 3)
        self.assertItemsEqual([r.name for r in roles],
                              [MEMBER_ROLE, MANAGER_ROLE, ION_MANAGER])

        roles = self.org_client.find_roles_by_user(self.ion_org._id,
                                                   user_id,
                                                   headers=self.sa_user_header)
        self.assertEqual(len(roles), 1)
        self.assertItemsEqual([r.name for r in roles], [MEMBER_ROLE])

        with self.assertRaises(NotFound) as nf:
            org2 = self.org_client.find_org(ORG2)
        self.assertIn('The Org with name Org2 does not exist',
                      nf.exception.message)

        org2 = IonObject(RT.Org, name=ORG2, description='A second Org')
        org2_id = self.org_client.create_org(org2, headers=self.sa_user_header)

        org2 = self.org_client.find_org(ORG2)
        self.assertEqual(org2_id, org2._id)

        roles = self.org_client.find_org_roles(org2_id)
        self.assertEqual(len(roles), 2)
        self.assertItemsEqual([r.name for r in roles],
                              [MANAGER_ROLE, MEMBER_ROLE])

        operator_role = IonObject(RT.UserRole,
                                  name=INSTRUMENT_OPERATOR,
                                  label='Instrument Operator',
                                  description='Instrument Operator')

        #First try to add the user role anonymously
        with self.assertRaises(Unauthorized) as cm:
            self.org_client.add_user_role(org2_id, operator_role)
        self.assertIn('org_management(add_user_role) has been denied',
                      cm.exception.message)

        self.org_client.add_user_role(org2_id,
                                      operator_role,
                                      headers=self.sa_user_header)

        roles = self.org_client.find_org_roles(org2_id)
        self.assertEqual(len(roles), 3)
        self.assertItemsEqual([r.name for r in roles],
                              [MANAGER_ROLE, MEMBER_ROLE, INSTRUMENT_OPERATOR])

        # test requests for enrollments and roles.

        #First try to find user requests anonymously
        with self.assertRaises(Unauthorized) as cm:
            requests = self.org_client.find_requests(org2_id)
        self.assertIn('org_management(find_requests) has been denied',
                      cm.exception.message)

        #Next try to find user requests as as a basic member
        with self.assertRaises(Unauthorized) as cm:
            requests = self.org_client.find_requests(org2_id,
                                                     headers=user_header)
        self.assertIn('org_management(find_requests) has been denied',
                      cm.exception.message)

        requests = self.org_client.find_requests(org2_id,
                                                 headers=self.sa_user_header)
        self.assertEqual(len(requests), 0)

        # First try to request a role without being a member
        with self.assertRaises(BadRequest) as cm:
            req_id = self.org_client.request_role(org2_id,
                                                  user_id,
                                                  INSTRUMENT_OPERATOR,
                                                  headers=user_header)
        self.assertIn(
            'A precondition for this request has not been satisfied: is_enrolled(org_id,user_id)',
            cm.exception.message)

        requests = self.org_client.find_requests(org2_id,
                                                 headers=self.sa_user_header)
        self.assertEqual(len(requests), 0)

        req_id = self.org_client.request_enroll(org2_id,
                                                user_id,
                                                headers=user_header)

        requests = self.org_client.find_requests(org2_id,
                                                 headers=self.sa_user_header)
        self.assertEqual(len(requests), 1)

        requests = self.org_client.find_user_requests(
            user_id, org2_id, headers=self.sa_user_header)
        self.assertEqual(len(requests), 1)

        #User tried requesting enrollment again - this should fail
        with self.assertRaises(BadRequest) as cm:
            req_id = self.org_client.request_enroll(org2_id,
                                                    user_id,
                                                    headers=user_header)
        self.assertIn(
            'A precondition for this request has not been satisfied: enroll_req_not_exist(org_id,user_id)',
            cm.exception.message)

        #Manager denies the request
        self.org_client.deny_request(org2_id,
                                     req_id,
                                     'To test the deny process',
                                     headers=self.sa_user_header)

        requests = self.org_client.find_requests(org2_id,
                                                 headers=self.sa_user_header)
        self.assertEqual(len(requests), 1)

        self.assertEqual(requests[0].status, REQUEST_DENIED)

        #Manager approves request
        self.org_client.approve_request(org2_id,
                                        req_id,
                                        headers=self.sa_user_header)

        users = self.org_client.find_enrolled_users(
            org2_id, headers=self.sa_user_header)
        self.assertEqual(len(users), 0)

        #User Accepts request
        self.org_client.accept_request(org2_id, req_id, headers=user_header)

        users = self.org_client.find_enrolled_users(
            org2_id, headers=self.sa_user_header)
        self.assertEqual(len(users), 1)

        #User tried requesting enrollment again - this should fail
        with self.assertRaises(BadRequest) as cm:
            req_id = self.org_client.request_enroll(org2_id,
                                                    user_id,
                                                    headers=user_header)
        self.assertIn(
            'A precondition for this request has not been satisfied: is_not_enrolled(org_id,user_id)',
            cm.exception.message)

        req_id = self.org_client.request_role(org2_id,
                                              user_id,
                                              INSTRUMENT_OPERATOR,
                                              headers=user_header)

        requests = self.org_client.find_requests(org2_id,
                                                 headers=self.sa_user_header)
        self.assertEqual(len(requests), 2)

        requests = self.org_client.find_requests(org2_id,
                                                 request_status='Open',
                                                 headers=self.sa_user_header)
        self.assertEqual(len(requests), 1)

        requests = self.org_client.find_user_requests(user_id,
                                                      org2_id,
                                                      headers=user_header)
        self.assertEqual(len(requests), 2)

        requests = self.org_client.find_user_requests(
            user_id, org2_id, request_type=RT.RoleRequest, headers=user_header)
        self.assertEqual(len(requests), 1)

        requests = self.org_client.find_user_requests(user_id,
                                                      org2_id,
                                                      request_status="Open",
                                                      headers=user_header)
        self.assertEqual(len(requests), 1)

        ia_list, _ = self.rr_client.find_resources(restype=RT.InstrumentAgent)

        self.assertEqual(len(ia_list), 0)

        ia_obj = IonObject(RT.InstrumentAgent,
                           name='Instrument Agent1',
                           description='The first Instrument Agent')

        with self.assertRaises(Unauthorized) as cm:
            self.ims_client.create_instrument_agent(ia_obj)
        self.assertIn(
            'instrument_management(create_instrument_agent) has been denied',
            cm.exception.message)

        with self.assertRaises(Unauthorized) as cm:
            self.ims_client.create_instrument_agent(ia_obj,
                                                    headers=user_header)
        self.assertIn(
            'instrument_management(create_instrument_agent) has been denied',
            cm.exception.message)

        #Manager approves request
        self.org_client.approve_request(org2_id,
                                        req_id,
                                        headers=self.sa_user_header)

        requests = self.org_client.find_user_requests(user_id,
                                                      org2_id,
                                                      request_status="Open",
                                                      headers=user_header)
        self.assertEqual(len(requests), 0)

        #User accepts request
        self.org_client.accept_request(org2_id, req_id, headers=user_header)

        #Refresh headers with new role
        user_roles = get_role_message_headers(
            self.org_client.find_all_roles_by_user(user_id))
        user_header = {'ion-actor-id': user_id, 'ion-actor-roles': user_roles}

        self.ims_client.create_instrument_agent(ia_obj, headers=user_header)

        ia_obj = IonObject(RT.InstrumentAgent,
                           name='Instrument Agent2',
                           description='The second Instrument Agent')
        self.ims_client.create_instrument_agent(ia_obj, headers=user_header)

        ia_list, _ = self.rr_client.find_resources(restype=RT.InstrumentAgent)
        self.assertEqual(len(ia_list), 2)

        #First make a acquire resource request with an non-enrolled user.
        with self.assertRaises(BadRequest) as cm:
            req_id = self.org_client.request_acquire_resource(
                org2_id,
                self.system_actor._id,
                ia_list[0]._id,
                headers=self.sa_user_header)
        self.assertIn(
            'A precondition for this request has not been satisfied: is_enrolled(org_id,user_id)',
            cm.exception.message)

        req_id = self.org_client.request_acquire_resource(org2_id,
                                                          user_id,
                                                          ia_list[0]._id,
                                                          headers=user_header)

        requests = self.org_client.find_requests(org2_id,
                                                 headers=self.sa_user_header)
        self.assertEqual(len(requests), 3)

        requests = self.org_client.find_user_requests(user_id,
                                                      org2_id,
                                                      headers=user_header)
        self.assertEqual(len(requests), 3)

        requests = self.org_client.find_user_requests(
            user_id,
            org2_id,
            request_type=RT.ResourceRequest,
            headers=user_header)
        self.assertEqual(len(requests), 1)

        requests = self.org_client.find_user_requests(user_id,
                                                      org2_id,
                                                      request_status="Open",
                                                      headers=user_header)
        self.assertEqual(len(requests), 1)

        self.assertEqual(requests[0]._id, req_id)

        #Manager approves Instrument request
        self.org_client.approve_request(org2_id,
                                        req_id,
                                        headers=self.sa_user_header)

        requests = self.org_client.find_user_requests(user_id,
                                                      org2_id,
                                                      request_status="Open",
                                                      headers=user_header)
        self.assertEqual(len(requests), 0)

        #User accepts request
        self.org_client.accept_request(org2_id, req_id, headers=user_header)

        #Check commitments
        commitments, _ = self.rr_client.find_objects(ia_list[0]._id,
                                                     PRED.hasCommitment,
                                                     RT.ResourceCommitment)
        self.assertEqual(len(commitments), 1)

        commitments, _ = self.rr_client.find_objects(user_id,
                                                     PRED.hasCommitment,
                                                     RT.ResourceCommitment)
        self.assertEqual(len(commitments), 1)

        #Release the resource
        self.org_client.release_resource(
            org2_id,
            user_id,
            ia_list[0]._id,
            headers=self.sa_user_header,
            timeout=15)  #TODO - Refactor release_resource

        #Check commitments
        commitments, _ = self.rr_client.find_objects(ia_list[0]._id,
                                                     PRED.hasCommitment,
                                                     RT.ResourceCommitment)
        self.assertEqual(len(commitments), 0)

        commitments, _ = self.rr_client.find_objects(user_id,
                                                     PRED.hasCommitment,
                                                     RT.ResourceCommitment)
        self.assertEqual(len(commitments), 0)
    def op_load_system_policies(cls, calling_process):

        org_client = OrgManagementServiceProcessClient(
            node=Container.instance.node, process=calling_process)
        ion_org = org_client.find_org()

        id_client = IdentityManagementServiceProcessClient(
            node=Container.instance.node, process=calling_process)

        system_actor = id_client.find_actor_identity_by_name(
            name=CFG.system.system_actor)
        log.debug('system actor:' + system_actor._id)

        sa_header_roles = get_role_message_headers(
            org_client.find_all_roles_by_user(system_actor._id))
        sa_user_header = {
            'ion-actor-id': system_actor._id,
            'ion-actor-roles': sa_header_roles
        }

        policy_client = PolicyManagementServiceProcessClient(
            node=Container.instance.node, process=calling_process)

        ##############
        """
        This policy MUST BE LOADED FIRST!!!!!
        """

        policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>


                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>

                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>

                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>

                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>


                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not">

                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_user_requests</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                        </Apply>
                        <ActionAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>

        </Rule>
        '''

        policy_obj = IonObject(
            RT.Policy,
            name='Anonymous_Allowed_Operations',
            definition_type="Org",
            rule=policy_text,
            description=
            'A global Org policy rule which specifies operations that are allowed with anonymous access'
        )

        policy_id = policy_client.create_policy(policy_obj,
                                                headers=sa_user_header)
        policy_client.add_resource_policy(ion_org._id,
                                          policy_id,
                                          headers=sa_user_header,
                                          timeout=20)
        log.debug('Policy created: ' + policy_obj.name)

        ##############

        policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

            </Target>

        </Rule>
        '''

        policy_obj = IonObject(
            RT.Policy,
            name='Anonymous_Deny_Everything',
            definition_type="Org",
            rule=policy_text,
            description=
            'A global Org policy rule that denies anonymous access to everything in the Org as the base'
        )

        policy_id = policy_client.create_policy(policy_obj,
                                                headers=sa_user_header)
        policy_client.add_resource_policy(ion_org._id,
                                          policy_id,
                                          headers=sa_user_header,
                                          timeout=20)
        log.debug('Policy created: ' + policy_obj.name)

        ###############

        policy_client = PolicyManagementServiceProcessClient(
            node=Container.instance.node, process=calling_process)

        policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

            </Target>

            <Condition>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
            </Condition>

        </Rule>
        '''

        policy_obj = IonObject(
            RT.Policy,
            name='Org_Manager_Permit_Everything',
            definition_type="Org",
            rule=policy_text,
            description=
            'A global Org policy rule that permits access to everything in the Org for a user with Org Manager or ION Manager role'
        )

        policy_id = policy_client.create_policy(policy_obj,
                                                headers=sa_user_header)
        policy_client.add_resource_policy(ion_org._id,
                                          policy_id,
                                          headers=sa_user_header,
                                          timeout=20)
        log.debug('Policy created: ' + policy_obj.name)

        ##############

        ##############

        policy_text = '''
            <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s
            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">datastore</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_doc</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bootstrap</AttributeValue>
                </Apply>

            </Condition>

        </Rule>
        '''

        policy_obj = IonObject(
            RT.Policy,
            name='DataStore_Anonymous_Bootstrap',
            definition_type="Service",
            rule=policy_text,
            description=
            'Permit anonymous access to these operations in the Datastore Service if called from the Bootstrap Service'
        )

        policy_id = policy_client.create_policy(policy_obj,
                                                headers=sa_user_header)
        policy_client.add_service_policy('datastore',
                                         policy_id,
                                         headers=sa_user_header,
                                         timeout=20)
        log.debug('Policy created: ' + policy_obj.name)

        ##############

        policy_text = '''
           <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s

            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource_registry</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>


                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_association</AttributeValue>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>
            <Condition>

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">policy_management</AttributeValue>
                </Apply>

            </Condition>

        </Rule>
        '''

        policy_obj = IonObject(
            RT.Policy,
            name='Resource_Registry_Anonymous_Bootstrap',
            definition_type="Service",
            rule=policy_text,
            description=
            'Permit anonymous access to these operations in the Resource Registry Service if called from the Identity Management Service'
        )

        policy_id = policy_client.create_policy(policy_obj,
                                                headers=sa_user_header)
        policy_client.add_service_policy('resource_registry',
                                         policy_id,
                                         headers=sa_user_header,
                                         timeout=20)
        log.debug('Policy created: ' + policy_obj.name)

        ##############

        policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description>
                %s

            </Description>

            <Target>

                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_actor_identity</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>

                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bootstrap</AttributeValue>
                </Apply>

            </Condition>
        </Rule>
        '''

        policy_obj = IonObject(
            RT.Policy,
            name='Identity_Management_Anonymous_Bootstrap',
            definition_type="Service",
            rule=policy_text,
            description=
            'Permit anonymous access to these operations in the Identity Management Service if called from the Bootstrap Service'
        )

        policy_id = policy_client.create_policy(policy_obj,
                                                headers=sa_user_header)
        policy_client.add_service_policy('identity_management',
                                         policy_id,
                                         headers=sa_user_header,
                                         timeout=20)
        log.debug('Policy created: ' + policy_obj.name)

        ##############

        policy_text = '''
            <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>

                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>

                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve_request</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">deny_request</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">enroll_member</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cancel_member_enrollment</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">grant_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">revoke_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remove_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acquire_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>

        </Rule> '''

        # Register the XACML rule built in policy_text (above) as a service-level
        # policy. That rule is an Effect="Deny" rule over the listed
        # org_management operations (request approve/deny, enrollment, role
        # grant/revoke, resource acquire/release) whose Condition is
        # not(ORG_MANAGER in subject-role-id), i.e. the operations are closed
        # by default and only opened for callers carrying the ORG_MANAGER role.
        # Action names in that rule are matched with string-equal (exact).
        policy_obj = IonObject(
            RT.Policy,
            name='Org_Management_Org_Manager_Role_Permitted',
            definition_type="Service",
            rule=policy_text,
            description=
            'Deny these operations in the Org Management Service if not the role of Org Manager'
        )

        # create_policy stores the policy object; add_service_policy binds the
        # returned id to the 'org_management' service. Both calls carry
        # sa_user_header (presumably the system actor's identity/role headers --
        # the caller must itself be allowed to change service policy).
        policy_id = policy_client.create_policy(policy_obj,
                                                headers=sa_user_header)
        # NOTE(review): the explicit timeout=20 is longer than the other calls
        # here use; presumably the service re-loads its policy set on this call.
        policy_client.add_service_policy('org_management',
                                         policy_id,
                                         headers=sa_user_header,
                                         timeout=20)
        log.debug('Policy created: ' + policy_obj.name)

        ##############

        # Second rule: Deny create/update/delete-style operations on the
        # instrument_management service unless the caller holds the
        # INSTRUMENT_OPERATOR role. Same shape as the org_management rule:
        # Effect="Deny" with Condition not(role in subject-role-id bag).
        # Assuming the ooi 'not' is plain negation and a missing role attribute
        # yields an empty bag (not Indeterminate), a caller with no roles at all
        # is also denied -- the rule fails closed.
        #
        # NOTE(review): unlike the org_management rule (string-equal on exact
        # action names), the ActionMatch here uses string-regexp-match with the
        # unanchored patterns "create", "update", "delete". Whether these are
        # applied as substring or whole-string matches depends on the PDP's
        # regexp implementation. As substrings they catch e.g.
        # "create_instrument_device", which is presumably the intent, but any
        # action whose name merely *contains* one of those words is swept into
        # the Deny as well. Over-matching on a Deny rule is a scoping /
        # availability concern rather than a bypass, but confirm the match
        # semantics and anchor the patterns (e.g. "^create") if exactness matters.
        #
        # NOTE(review): the rule is only as strong as the subject-role-id
        # attribute the enforcement point derives for the caller; confirm it is
        # populated from an authenticated identity and not taken verbatim from
        # caller-supplied message headers.
        #
        # The RuleId and Description carry %s placeholders that are NOT
        # interpolated in this block (policy_text is passed through as-is);
        # presumably the policy service fills them in -- verify.
        # urn:oasis:names:tc:xacml:ooi:function:not is a project-specific
        # function id, not the standard urn:oasis:names:tc:xacml:1.0:function:not.
        policy_text = '''
            <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny">
            <Description>
                %s
            </Description>

            <Target>

               <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>

                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>

            </Target>

            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>


        </Rule> '''

        # Wrap the rule in a Service-type Policy resource and register it
        # against the 'instrument_management' service, mirroring the
        # org_management registration above.
        policy_obj = IonObject(
            RT.Policy,
            name='Instrument_Management_Instrument_Operator_Role_Permitted',
            definition_type="Service",
            rule=policy_text,
            description=
            'Deny these operations in the Instrument Management Service if not the role of Instrument Operator'
        )

        # Both calls carry sa_user_header (presumably the system actor's
        # identity/role headers); the caller must itself be allowed to change
        # service policy.
        policy_id = policy_client.create_policy(policy_obj,
                                                headers=sa_user_header)
        # NOTE(review): timeout=20 as for the org_management registration --
        # presumably the service re-loads its policy set on this call.
        policy_client.add_service_policy('instrument_management',
                                         policy_id,
                                         headers=sa_user_header,
                                         timeout=20)
        log.debug('Policy created: ' + policy_obj.name)