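def _create_request_from_message(self, invocation, receiver, receiver_type='service'):
    """Build the XACML ``Request`` that describes one incoming message.

    Subject attributes come from the message headers (sender, ``ion-actor-id``,
    ``ion-actor-roles``), the resource from ``receiver``/``receiver_type`` and
    the action from the ``op`` header plus an optional ``OperationVerb`` class
    decorator on the message type.  The raw message, headers, annotations and
    (when present) the endpoint process are attached as a dict attribute so
    XACML rules can inspect them directly.

    Args:
        invocation: interceptor invocation exposing ``get_message_sender()``,
            ``get_header_value()``, ``get_arg_value()``, ``message``,
            ``headers`` and ``message_annotations``.
        receiver: identifier of the service/process being invoked; becomes the
            XACML resource id.
        receiver_type: resource type attribute, ``'service'`` by default.

    Returns:
        A ``Request`` with one subject, one resource and an action.

    Security note: the actor id and the per-Org role map are read straight
    from message headers and used as the authorization subject.  This method
    does not verify them; whether a sender can forge these headers is decided
    by the layer that populates them (not visible here) — confirm that
    boundary before relying on decisions built from this request.

    Changes vs. the previous revision: ``dict.has_key`` (Python 2 only)
    replaced by ``in``; stale commented-out debug logging removed.
    """
    sender, sender_type = invocation.get_message_sender()
    op = invocation.get_header_value('op', 'Unknown')
    ion_actor_id = invocation.get_header_value('ion-actor-id', 'anonymous')
    actor_roles = invocation.get_header_value('ion-actor-roles', {})
    message_format = invocation.get_header_value('format', '')

    request = Request()

    subject = Subject()
    subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
    subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, ion_actor_id))

    # Org governing the endpoint process; fall back to the system root Org when
    # no process argument is present or it carries no org_governance_name.
    endpoint_process = invocation.get_arg_value('process', None)
    if endpoint_process is not None and hasattr(endpoint_process, 'org_governance_name'):
        org_governance_name = endpoint_process.org_governance_name
    else:
        org_governance_name = self.governance_controller.system_root_org_name

    root_org_name = self.governance_controller.system_root_org_name
    if org_governance_name == root_org_name:
        # Root-Org process: expose the actor's roles from every Org.
        for org in actor_roles:
            self.create_org_role_attribute(actor_roles[org], subject)
    else:
        # Non-root process: only roles held in that process's Org are exposed ...
        if org_governance_name in actor_roles:
            log.debug("Org Roles (%s): %s", org_governance_name, ' '.join(actor_roles[org_governance_name]))
            self.create_org_role_attribute(actor_roles[org_governance_name], subject)
        # ... plus ION_MANAGER held in the root Org, which applies system-wide.
        # NOTE(review): nesting of this special case under the else branch is
        # reconstructed from whitespace-collapsed source — confirm against the
        # original file.  Either placement yields the same role bag for XACML.
        if root_org_name in actor_roles:
            if ION_MANAGER in actor_roles[root_org_name]:
                log.debug("Including ION_MANAGER role")
                self.create_org_role_attribute([ION_MANAGER], subject)
    request.subjects.append(subject)

    resource = Resource()
    resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
    resource.attributes.append(self.create_string_attribute(RECEIVER_TYPE, receiver_type))
    request.resources.append(resource)

    request.action = Action()
    request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))

    # An OperationVerb class decorator on the message type (if any) becomes an
    # action attribute so policies can match on the verb rather than the op name.
    if is_ion_object(message_format):
        try:
            msg_class = message_classes[message_format]
            operation_verb = get_class_decorator_value(msg_class, 'OperationVerb')
            if operation_verb is not None:
                request.action.attributes.append(self.create_string_attribute(ACTION_VERB, operation_verb))
        except NotFound:
            # Only NotFound is treated as "no verb"; a plain KeyError from
            # message_classes would propagate — presumably is_ion_object()
            # guarantees the key exists (verify).
            pass

    # Raw message parts made available to XACML rules and evaluation functions.
    parameter_dict = {'message': invocation.message,
                      'headers': invocation.headers,
                      'annotations': invocation.message_annotations}
    if endpoint_process is not None:
        parameter_dict['process'] = endpoint_process
    request.action.attributes.append(self.create_dict_attribute(ACTION_PARAMETERS, parameter_dict))

    return request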
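def _create_request_from_message(self, invocation, receiver, receiver_type=PROCTYPE_SERVICE):
    """Build the XACML ``Request`` that describes one incoming message.

    Subject attributes come from the message headers (sender, actor id, user
    context id, per-Org role map), the resource from ``receiver`` /
    ``receiver_type`` and the action from the op header plus an optional
    operation-verb class decorator on the message type.  The raw message,
    headers, annotations and (when present) the endpoint process are attached
    as a dict attribute so XACML rules and evaluation functions can inspect
    them directly.

    Args:
        invocation: interceptor invocation exposing ``get_message_sender()``,
            ``get_header_value()``, ``get_arg_value()``, ``message``,
            ``headers`` and ``message_annotations``.
        receiver: identifier of the service/process being invoked; becomes the
            XACML resource id.
        receiver_type: resource type attribute, ``PROCTYPE_SERVICE`` by default.

    Returns:
        A ``Request`` with one subject, one resource and an action.

    Security note: actor id, user context id and the per-Org role map are read
    straight from message headers and used as the authorization subject.
    Nothing here verifies them; whether a sender can forge these headers is
    decided by the layer that populates them (not visible here) — confirm that
    boundary before relying on decisions built from this request.

    Changes vs. the previous revision: stale commented-out debug output
    (including a reference to the no-longer-existing ``ion_actor_id`` local)
    removed; root Org name looked up once.
    """
    sender, sender_type = invocation.get_message_sender()
    op = invocation.get_header_value(MSG_HEADER_OP, 'Unknown')
    actor_id = invocation.get_header_value(MSG_HEADER_ACTOR, ANONYMOUS_ACTOR)
    user_context_id = invocation.get_header_value(MSG_HEADER_USER_CONTEXT_ID, "")
    # True only when a non-anonymous actor id is present together with a
    # non-empty user context id that is not the actor id itself.
    user_context_differs = bool(actor_id and actor_id != ANONYMOUS_ACTOR
                                and user_context_id and actor_id != user_context_id)
    actor_roles = invocation.get_header_value(MSG_HEADER_ROLES, {})
    message_format = invocation.get_header_value(MSG_HEADER_FORMAT, '')

    request = Request()

    subject = Subject()
    subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
    subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, actor_id))
    subject.attributes.append(self.create_string_attribute(USER_CONTEXT_ID, user_context_id))
    # Exposed as the strings "True"/"False" for the XACML rule language.
    subject.attributes.append(self.create_string_attribute(USER_CONTEXT_DIFFERS, str(user_context_differs)))

    # Org governing the endpoint process; fall back to the system root Org when
    # no process argument is present or it carries no org_governance_name.
    endpoint_process = invocation.get_arg_value('process', None)
    if endpoint_process is not None and hasattr(endpoint_process, 'org_governance_name'):
        org_governance_name = endpoint_process.org_governance_name
    else:
        org_governance_name = self.governance_controller.system_root_org_name

    root_org_name = self.governance_controller.system_root_org_name
    if org_governance_name == root_org_name:
        # Root-Org process: expose the actor's roles from every Org.
        for org in actor_roles:
            self.create_org_role_attribute(actor_roles[org], subject)
    else:
        # Non-root process: only roles held in that process's Org are exposed ...
        if org_governance_name in actor_roles:
            log.debug("Org Roles (%s): %s", org_governance_name, ' '.join(actor_roles[org_governance_name]))
            self.create_org_role_attribute(actor_roles[org_governance_name], subject)
        # ... plus SUPERUSER_ROLE held in the root Org, which applies system-wide.
        # NOTE(review): nesting of this special case under the else branch is
        # reconstructed from whitespace-collapsed source — confirm against the
        # original file.  Either placement yields the same role bag for XACML.
        if root_org_name in actor_roles:
            if SUPERUSER_ROLE in actor_roles[root_org_name]:
                log.debug("Including SUPERUSER role")
                self.create_org_role_attribute([SUPERUSER_ROLE], subject)
    request.subjects.append(subject)

    resource = Resource()
    resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
    resource.attributes.append(self.create_string_attribute(RECEIVER_TYPE, receiver_type))
    request.resources.append(resource)

    request.action = Action()
    request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))

    # An operation-verb class decorator on the message type (if any) becomes an
    # action attribute so policies can match on the verb rather than the op name.
    if is_ion_object(message_format):
        try:
            msg_class = message_classes[message_format]
            operation_verb = get_class_decorator_value(msg_class, DECORATOR_OP_VERB)
            if operation_verb is not None:
                request.action.attributes.append(self.create_string_attribute(ACTION_VERB, operation_verb))
        except NotFound:
            # Only NotFound is treated as "no verb"; a plain KeyError from
            # message_classes would propagate — presumably is_ion_object()
            # guarantees the key exists (verify).
            pass

    # Raw message parts made available to XACML rules and evaluation functions.
    parameter_dict = {'message': invocation.message,
                      'headers': invocation.headers,
                      'annotations': invocation.message_annotations}
    if endpoint_process is not None:
        parameter_dict['process'] = endpoint_process
    request.action.attributes.append(self.create_dict_attribute(ACTION_PARAMETERS, parameter_dict))

    return request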