Merge branch 'release/v0.3' of github.com:EOEPCA/um-pep-engine into r…

…elease/v0.3

Dockerfile

@@ -8,6 +8,11 @@ RUN pip install -r requirements.txt
 # Add requirements, code
 COPY src/ /
 
+
+RUN ln -sf /management_tools_script.sh /bin/management_tools
+RUN chmod +x /management_tools.py
+RUN chmod +x /management_tools_script.sh
+
 # Declare and expose service listening port
 EXPOSE 5566/tcp
 EXPOSE 5576/tcp

docs/ICD/03.interfaces/00.interfaces.adoc

@@ -901,6 +901,96 @@ ifdef::internal-generation[]
 
 endif::internal-generation[]
 
+[.API]
+=== API
+
+[.SwaggerUI]
+==== Swagger UI
+
+`/swagger-ui`
+
+===== Description 
+
+This operation accesses the API for the Policy Enforcement Point
+
+
+// markup not found, no include::{specDir}swagger-ui/spec.adoc[opts=optional]
+
+
+
+===== Parameters
+
+====== Path Parameters
+
+[cols="2,3,1"]
+|===         
+|Name| Description| Required
+
+| - 
+| -  
+| - 
+
+
+|===         
+
+
+
+====== Header Parameters
+
+[cols="2,3,1"]
+|===         
+|Name| Description| Required
+
+| - 
+| -  
+| - 
+
+
+|===         
+
+
+
+===== Return Type
+
+
+
+-
+
+
+===== Responses
+
+.http response codes
+[cols="2,3,1"]
+|===         
+| Code | Message | Datatype 
+
+
+| 200
+| OK
+|  <<>>
+
+|===         
+
+===== Samples
+
+
+// markup not found, no include::{snippetDir}swagger-ui/http-request.adoc[opts=optional]
+
+
+// markup not found, no include::{snippetDir}swagger-ui/http-response.adoc[opts=optional]
+
+
+
+// file not found, no * wiremock data link :swagger-ui/swagger-ui.json[]
+
+
+ifdef::internal-generation[]
+===== Implementation
+
+// markup not found, no include::{specDir}swagger-ui/implementation.adoc[opts=optional]
+
+
+endif::internal-generation[]
 
 [#models]
 == Models
@@ -917,22 +1007,28 @@ endif::internal-generation[]
 | Field Name| Required| Type| Description| Format
 
 | name 
-|  
+| Y 
 | String  
 | Human readable name for the resource
-|  
+| - 
+
+| description 
+| Y 
+| String  
+| Human readable description of the resource
+| - 
 
 | icon_uri 
-|  
+| Y 
 | String  
 | Protected uri of the resource. 
-|  
+| - 
 
-| scopes 
-|  
+| resource_scopes 
+| Y 
 | List  of <<string>> 
 | List of scopes associated with the resource
-|  
+| - 
 
 |===
 
@@ -948,34 +1044,34 @@ endif::internal-generation[]
 | Field Name| Required| Type| Description| Format
 
 | ownership_id 
-|  
+| Y 
 | UUID  
 | UUID of the Owner End-User
 | uuid 
 
-| id 
-|  
+| description 
+| Y 
 | UUID  
-| UUID of the resource
+| Human readable description of the resource
 | uuid 
 
 | name 
-|  
+| Y 
 | String  
 | Human readable name for the resource
-|  
+| - 
 
 | icon_uri 
-|  
+| Y 
 | String  
 | Protected uri of the resource. 
-|  
+| - 
 
-| scopes 
-|  
+| resource_scopes 
+| Y 
 | List  of <<string>> 
 | List of scopes associated with the resource
-|  
+| - 
 
 |===
 

docs/SDD/02.overview/00.overview.adoc

@@ -42,7 +42,7 @@ To further clarify the flow the PEP uses, you can also take a look at the Data F
 
 === Initialization flow
 
-image::../images/init_flow.png[top=5%, align=left, pdfwidth=6.5in]
+image::../images/init_flow3.png[top=5%, align=left, pdfwidth=6.5in]
 
 == External Interfaces
 
@@ -105,6 +105,11 @@ In case it is disabled, the signature will not be verified but the other steps a
 The UUID of the End-User will be included as attribute of the Resource description document (extending the data model) upon resource creation (with an “ownership_id” field).
 Subsequent requests to the specific Resource ID will perform a JWT or OAuth2.0 check, cross-checking against the “ownership_id” before performing actions and answering back with a 401 Unauthorized if there is no match.
 
+==== Policy API (to Policy Decision Point)
+When registering a new resource, the PEP will consume the Policy API to register a default policy with the PDP. The endpoint for this is:
+
+* <pdp_url>/policy
+
 == Required resources
 
 [NOTE]
@@ -124,6 +129,7 @@ The following Open-Source Software is required to support the deployment and int
 * EOEPCA's SCIM Client - https://github.com/EOEPCA/um-common-scim-client
 * EOEPCA's UMA Client - https://github.com/EOEPCA/um-common-uma-client
 * EOEPCA's Well Known Handler - https://github.com/EOEPCA/well-known-handler
+* EOEPCA's Policy Decision Point - https://github.com/EOEPCA/um-pdp-engine
 * Flask - https://github.com/pallets/flask
 * MongoDB for Python - https://pymongo.readthedocs.io/en/stable/index.html
 

docs/SDD/03.design/00.design.adoc

@@ -100,9 +100,9 @@ Included with the PEP there is a script at the source path that performs queries
 It is developed to generate a database called 'resource_db' in case it does not exist. The collection used for the storage of the documents is called 'resources'.
 The script defines methods to:
 
-* **Insert resource data**: Generates a document with the resource data received as input and if it already exists, it gets updated. The main parameters of the resource would be an auto-generated id provided by mongo which identify each document in the database, the resource ID provided by the login-service, and the match url which will define the endpoint of the resource. This would be mandatory parameters in order to perform other kind of queries.
+* **Insert resource data**: Generates a document with the resource data received as input and if it already exists, it gets updated. The main parameters of the resource would be an auto-generated id provided by mongo which identify each document in the database, the resource ID provided by the login-service, and the match url which will define the endpoint of the resource. This would be mandatory parameters in order to perform other kind of queries. For updated operations, it is also capable of querying the OIDC endpoint of the Authorization Server to query if the request was performed by a valid resource operator.
 * **Get the ID from a URI**: Returns the id for the best candidate of the match by a given URI.
-* **Delete resources**: Receives a resource id and will find and delete the matched document
+* **Delete resources**: Receives a resource id and will find and delete the matched document, if the requesting user is a valid resource operator.
 
 This script is manipulated by the API which would intercept the request in order to perform PUT,POST and DELETE methods.
 The GET method would be called by the reverse proxy since it will be in charge of filtering the resource with the given URI.
@@ -117,3 +117,25 @@ image::../images/MongoFlow.png[top=5%, align="center", pdfwidth=6.5in]
 === Applicable Resources
 
 * MongoDB image from DockerHub - https://hub.docker.com/_/mongo
+
+== Resource default Protection Policy
+=== Overview and Purpose
+Together with the Resource Repository, the PEP will also contact the Policy Decision Point in order to register a default protection policy for the resource.
+
+This call to `<pdp_url>/policy` will include a preset policy configuration, to be applied to the registering resource. It stands as follows:
+```
+{"name": "Default Ownership Policy of <resource_id>",
+ "description": "This is the default ownership policy for created resources through PEP",
+  "config": {"resource_id": resource_id,
+             "rules": [ { "AND": [ { "EQUAL": { "user_name" : user_name }}]}]
+            },
+   "scopes": ["protected_access"]}
+```
+
+=== Data flow
+
+This subroutine is triggered by the successful registration of the resource.
+
+=== Applicable Resources
+
+* EOEPCA's Policy Decision Point - https://github.com/EOEPCA/um-pdp-engine

src/blueprints/resources.py

@@ -266,7 +266,7 @@ def user_not_authorized(response):
         return response
 
     def get_default_ownership_policy_cfg(resource_id, uid):
-        return { "resource_id": resource_id, "action": "view", "rules": [{ "AND": [ {"EQUAL": {"uid" : uid } }] }] }
+        return { "resource_id": resource_id, "action": "view", "rules": [{ "AND": [ {"EQUAL": {"id" : uid } }] }] }
 
     def get_default_ownership_policy_body(resource_id, uid):
         name = "Default Ownership Policy of " + str(resource_id)

src/handlers/mongo_handler.py

@@ -127,6 +127,13 @@ def get_all_resources(self):
         '''
         col = self.db['resources']
         return col.find()
+
+    def remove_resources(self, filter_key=None, filter_value=None):
+        col = self.db['resources']
+        query = {}
+        if filter_key is not None and filter_value is not None:
+            query = { filter_key: filter_value }
+        col.delete_many(query)
 
     #Functions for rpt db
     def insert_rpt_in_mongo(self, rpt: str, rpt_limit_uses: int, timestamp: str):   

src/management_tools.py

@@ -0,0 +1,55 @@
+#!/usr/local/bin/python3
+import argparse
+import sys
+from handlers.mongo_handler import Mongo_Handler
+from bson.json_util import dumps
+
+custom_mongo = Mongo_Handler("resource_db", "resources")
+
+def list_resources(user,resource):
+    if resource is not None:
+        return custom_mongo.get_from_mongo("resource_id", resource)
+    if user is not None:
+        resources=custom_mongo.get_all_resources()
+        return list(filter(lambda x: x["ownership_id"] == user,resources))
+    return custom_mongo.get_all_resources()
+
+def remove_resources(user,resource,all):
+    if resource is not None:
+        return custom_mongo.delete_in_mongo("resource_id", resource)
+    if user is not None and all:
+        return custom_mongo.remove_resources("ownership_id",user)
+    if user is None and all:
+        return custom_mongo.remove_resources()
+    return "No action taken (missing --all flag?)"
+
+
+parser = argparse.ArgumentParser(description='Operational management of resources.')
+parser.add_argument('action', metavar='action', type=str,
+                    help='Operation to perform: list/remove')
+parser.add_argument('-u',
+                       '--user',
+                       help='Filter action by user ID')
+parser.add_argument('-r',
+                       '--resource',
+                       help='Filter action by resource ID')
+
+parser.add_argument('-a',
+                       '--all',
+                       action='store_true',
+                       help='Apply action to all resources.')
+
+
+args = vars(parser.parse_args())
+
+if args["action"] == "list":
+    result = dumps(list_resources(args['user'],args['resource']))
+elif args["action"] == "remove": 
+    if args["resource"] is not None:
+        args["all"] = False
+    result = remove_resources(args['user'],args['resource'],args['all'])
+else:
+    print("Allowed actions are 'remove' or 'list'")
+    sys.exit(-1)
+
+print(result)

src/management_tools_script.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+python3 /management_tools.py "$@"