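    def _create_request_from_message(self, invocation, receiver, receiver_type='service'):
        """Build the XACML ``Request`` that describes one message invocation.

        Every attribute is copied from the invocation as delivered; nothing is
        re-validated here.

        * Subject: the message sender (``SENDER_ID``), the actor id from the
          ``ion-actor-id`` header (``SUBJECT_ID``) and the actor's Org roles
          taken from the ``ion-actor-roles`` header (see the role selection
          rules in the body).
        * Resource: ``receiver`` (``RESOURCE_ID``) and ``receiver_type``
          (``RECEIVER_TYPE``).
        * Action: the ``op`` header (``ACTION_ID``), the message class's
          ``OperationVerb`` decorator value (``ACTION_VERB``) when the
          ``format`` header names a known ION object, and a dict attribute
          (``ACTION_PARAMETERS``) exposing the message, headers, annotations
          and, when present, the endpoint process to XACML rules.

        Args:
            invocation: the interceptor invocation; its headers and its
                ``process`` argument are read.
            receiver: name of the receiving endpoint.
            receiver_type: kind of receiver; defaults to ``'service'``.

        Returns:
            The populated ``Request``.

        NOTE(review): the actor id and roles are used exactly as found in the
        message headers, so the interceptors that set ``ion-actor-id`` and
        ``ion-actor-roles`` are the trust boundary for this decision — confirm
        that those headers cannot be supplied by the sender directly.
        """
        sender, _sender_type = invocation.get_message_sender()
        op = invocation.get_header_value('op', 'Unknown')
        ion_actor_id = invocation.get_header_value('ion-actor-id', 'anonymous')
        actor_roles = invocation.get_header_value('ion-actor-roles', {})
        message_format = invocation.get_header_value('format', '')

        # Read once: the root Org name is compared and looked up several times below.
        root_org_name = self.governance_controller.system_root_org_name

        request = Request()
        subject = Subject()
        subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
        subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, ion_actor_id))

        # The endpoint process decides which Org's roles apply; with no process
        # (or a process without an Org name) fall back to the system root Org.
        endpoint_process = invocation.get_arg_value('process', None)
        org_governance_name = getattr(endpoint_process, 'org_governance_name', root_org_name)

        if org_governance_name == root_org_name:
            # Process belongs to the root Org: include the roles of every Org to be safe.
            for org_roles in actor_roles.values():
                self.create_org_role_attribute(org_roles, subject)
        else:
            # Otherwise only the roles held in the process's own Org apply ...
            if org_governance_name in actor_roles:
                log.debug("Org Roles (%s): %s" , org_governance_name, ' '.join(actor_roles[org_governance_name]))
                self.create_org_role_attribute(actor_roles[org_governance_name], subject)

            # ... plus ION_MANAGER when the ION system actor holds it in the root Org.
            if ION_MANAGER in actor_roles.get(root_org_name, ()):
                log.debug("Including ION_MANAGER role")
                self.create_org_role_attribute([ION_MANAGER], subject)

        request.subjects.append(subject)

        resource = Resource()
        resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
        resource.attributes.append(self.create_string_attribute(RECEIVER_TYPE, receiver_type))

        request.resources.append(resource)

        request.action = Action()
        request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))

        # An OperationVerb decorator on the message class supplies a verb for policy rules.
        if is_ion_object(message_format):
            try:
                msg_class = message_classes[message_format]
                operation_verb = get_class_decorator_value(msg_class, 'OperationVerb')
                if operation_verb is not None:
                    request.action.attributes.append(self.create_string_attribute(ACTION_VERB, operation_verb))
            except NotFound:
                # Deliberate best effort: an unknown message class simply adds no verb attribute.
                pass

        # Generic attributes so XACML rules can inspect the primitive message parameters.
        parameter_dict = {
            'message': invocation.message,
            'headers': invocation.headers,
            'annotations': invocation.message_annotations,
        }
        if endpoint_process is not None:
            parameter_dict['process'] = endpoint_process

        request.action.attributes.append(self.create_dict_attribute(ACTION_PARAMETERS, parameter_dict))

        return request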
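    def _create_request_from_message(self, invocation, receiver, receiver_type=PROCTYPE_SERVICE):
        """Build the XACML ``Request`` that describes one message invocation.

        Every attribute is copied from the invocation as delivered; nothing is
        re-validated here.

        * Subject: the message sender (``SENDER_ID``), the actor id from the
          ``MSG_HEADER_ACTOR`` header (``SUBJECT_ID``), the user context id
          (``USER_CONTEXT_ID``), a ``USER_CONTEXT_DIFFERS`` flag that is
          ``"True"`` only when a non-anonymous actor id and a user context id
          are both present and differ, and the actor's Org roles from the
          ``MSG_HEADER_ROLES`` header (see the role selection rules in the body).
        * Resource: ``receiver`` (``RESOURCE_ID``) and ``receiver_type``
          (``RECEIVER_TYPE``).
        * Action: the op header (``ACTION_ID``), the message class's
          ``DECORATOR_OP_VERB`` value (``ACTION_VERB``) when the format header
          names a known ION object, and a dict attribute (``ACTION_PARAMETERS``)
          exposing the message, headers, annotations and, when present, the
          endpoint process to XACML rules and evaluation functions.

        Args:
            invocation: the interceptor invocation; its headers and its
                ``process`` argument are read.
            receiver: name of the receiving endpoint.
            receiver_type: kind of receiver; defaults to ``PROCTYPE_SERVICE``.

        Returns:
            The populated ``Request``.

        NOTE(review): the actor id, user context id and roles are used exactly
        as found in the message headers, so the interceptors that set those
        headers are the trust boundary for this decision — confirm that they
        cannot be supplied by the sender directly.
        """
        sender, _sender_type = invocation.get_message_sender()
        op = invocation.get_header_value(MSG_HEADER_OP, 'Unknown')
        actor_id = invocation.get_header_value(MSG_HEADER_ACTOR, ANONYMOUS_ACTOR)
        user_context_id = invocation.get_header_value(MSG_HEADER_USER_CONTEXT_ID, "")
        # Only a real (non-anonymous) actor acting under a different user context counts as "differs".
        user_context_differs = bool(actor_id and actor_id != ANONYMOUS_ACTOR and user_context_id and actor_id != user_context_id)
        actor_roles = invocation.get_header_value(MSG_HEADER_ROLES, {})
        message_format = invocation.get_header_value(MSG_HEADER_FORMAT, '')

        # Read once: the root Org name is compared and looked up several times below.
        root_org_name = self.governance_controller.system_root_org_name

        request = Request()
        subject = Subject()
        subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
        subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, actor_id))
        subject.attributes.append(self.create_string_attribute(USER_CONTEXT_ID, user_context_id))
        subject.attributes.append(self.create_string_attribute(USER_CONTEXT_DIFFERS, str(user_context_differs)))

        # The endpoint process decides which Org's roles apply; with no process
        # (or a process without an Org name) fall back to the system root Org.
        endpoint_process = invocation.get_arg_value('process', None)
        org_governance_name = getattr(endpoint_process, 'org_governance_name', root_org_name)

        if org_governance_name == root_org_name:
            # Process belongs to the root Org: include the roles of every Org to be safe.
            for org_roles in actor_roles.values():
                self.create_org_role_attribute(org_roles, subject)
        else:
            # Otherwise only the roles held in the process's own Org apply ...
            if org_governance_name in actor_roles:
                log.debug("Org Roles (%s): %s", org_governance_name, ' '.join(actor_roles[org_governance_name]))
                self.create_org_role_attribute(actor_roles[org_governance_name], subject)

            # ... plus SUPERUSER_ROLE when the ION system actor holds it in the root Org.
            if SUPERUSER_ROLE in actor_roles.get(root_org_name, ()):
                log.debug("Including SUPERUSER role")
                self.create_org_role_attribute([SUPERUSER_ROLE], subject)

        request.subjects.append(subject)

        resource = Resource()
        resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
        resource.attributes.append(self.create_string_attribute(RECEIVER_TYPE, receiver_type))

        request.resources.append(resource)

        request.action = Action()
        request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))

        # An operation-verb decorator on the message class supplies a verb for policy rules.
        if is_ion_object(message_format):
            try:
                msg_class = message_classes[message_format]
                operation_verb = get_class_decorator_value(msg_class, DECORATOR_OP_VERB)
                if operation_verb is not None:
                    request.action.attributes.append(self.create_string_attribute(ACTION_VERB, operation_verb))
            except NotFound:
                # Deliberate best effort: an unknown message class simply adds no verb attribute.
                pass

        # Generic attributes so XACML rules and evaluation functions can inspect
        # the primitive message parameters.
        parameter_dict = {
            'message': invocation.message,
            'headers': invocation.headers,
            'annotations': invocation.message_annotations,
        }
        if endpoint_process is not None:
            parameter_dict['process'] = endpoint_process

        request.action.attributes.append(self.create_dict_attribute(ACTION_PARAMETERS, parameter_dict))

        return request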