diff options
Diffstat (limited to 'moon_manager/moon_manager/api/db')
-rw-r--r-- | moon_manager/moon_manager/api/db/__init__.py | 12 | ||||
-rw-r--r-- | moon_manager/moon_manager/api/db/managers.py | 24 | ||||
-rw-r--r-- | moon_manager/moon_manager/api/db/migrations/__init__.py | 12 | ||||
-rw-r--r-- | moon_manager/moon_manager/api/db/migrations/moon_001.py | 336 | ||||
-rw-r--r-- | moon_manager/moon_manager/api/db/model.py | 429 | ||||
-rw-r--r-- | moon_manager/moon_manager/api/db/pdp.py | 115 | ||||
-rw-r--r-- | moon_manager/moon_manager/api/db/policy.py | 971 | ||||
-rw-r--r-- | moon_manager/moon_manager/api/db/slave.py | 55 |
8 files changed, 1954 insertions, 0 deletions
diff --git a/moon_manager/moon_manager/api/db/__init__.py b/moon_manager/moon_manager/api/db/__init__.py new file mode 100644 index 00000000..1856aa2c --- /dev/null +++ b/moon_manager/moon_manager/api/db/__init__.py @@ -0,0 +1,12 @@ +# Software Name: MOON + +# Version: 5.4 + +# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors +# SPDX-License-Identifier: Apache-2.0 + +# This software is distributed under the 'Apache License 2.0', +# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt' +# or see the "LICENSE" file for more details. + + diff --git a/moon_manager/moon_manager/api/db/managers.py b/moon_manager/moon_manager/api/db/managers.py new file mode 100644 index 00000000..23be03fc --- /dev/null +++ b/moon_manager/moon_manager/api/db/managers.py @@ -0,0 +1,24 @@ +# Software Name: MOON + +# Version: 5.4 + +# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors +# SPDX-License-Identifier: Apache-2.0 + +# This software is distributed under the 'Apache License 2.0', +# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt' +# or see the "LICENSE" file for more details. + + +import logging + +logger = logging.getLogger("moon.db.api.managers") + + +class Managers(object): + """Object that links managers together""" + ModelManager = None + KeystoneManager = None + PDPManager = None + PolicyManager = None + SlaveManager = None diff --git a/moon_manager/moon_manager/api/db/migrations/__init__.py b/moon_manager/moon_manager/api/db/migrations/__init__.py new file mode 100644 index 00000000..1856aa2c --- /dev/null +++ b/moon_manager/moon_manager/api/db/migrations/__init__.py @@ -0,0 +1,12 @@ +# Software Name: MOON + +# Version: 5.4 + +# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors +# SPDX-License-Identifier: Apache-2.0 + +# This software is distributed under the 'Apache License 2.0', +# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt' +# or see the "LICENSE" file for more details. + + diff --git a/moon_manager/moon_manager/api/db/migrations/moon_001.py b/moon_manager/moon_manager/api/db/migrations/moon_001.py new file mode 100644 index 00000000..8e604d2b --- /dev/null +++ b/moon_manager/moon_manager/api/db/migrations/moon_001.py @@ -0,0 +1,336 @@ +# Software Name: MOON + +# Version: 5.4 + +# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors +# SPDX-License-Identifier: Apache-2.0 + +# This software is distributed under the 'Apache License 2.0', +# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt' +# or see the "LICENSE" file for more details. + + +import json +import sqlalchemy as sql +from sqlalchemy import types as sql_types +from sqlalchemy import create_engine +import sys + + +class JsonBlob(sql_types.TypeDecorator): + impl = sql.Text + + def process_bind_param(self, value, dialect): + return json.dumps(value) + + def process_result_value(self, value, dialect): + return json.loads(value) + + +def upgrade(migrate_engine): + if isinstance(migrate_engine, str): + migrate_engine = create_engine(migrate_engine) + meta = sql.MetaData() + meta.bind = migrate_engine + sys.stdout.write("Creating ") + sys.stdout.flush() + + table = sql.Table( + 'pdp', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('vim_project_id', sql.String(64), nullable=True, default=""), + sql.Column('value', JsonBlob(), nullable=True), + sql.UniqueConstraint('name', name='unique_constraint_models'), + mysql_engine='InnoDB', + mysql_charset='utf8') + table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(table) + " ") + sys.stdout.flush() + + table = sql.Table( + 'slaves', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('address', sql.String(256), nullable=True, default=""), + sql.Column('grant_if_unknown_project', sql.Boolean, nullable=True, default=""), + sql.Column('process', sql.String(256), nullable=False, default=""), + sql.Column('log', sql.String(256), nullable=False, default=""), + sql.Column('api_key', sql.String(256), nullable=False, default=""), + sql.Column('value', JsonBlob(), nullable=True), + sql.UniqueConstraint('name', name='unique_constraint_models'), + mysql_engine='InnoDB', + mysql_charset='utf8') + table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(table) + " ") + sys.stdout.flush() + + table = sql.Table( + 'policies', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('model_id', sql.String(64), nullable=True, default=""), + sql.Column('value', JsonBlob(), nullable=True), + sql.UniqueConstraint('name', 'model_id', name='unique_constraint_models'), + mysql_engine='InnoDB', + mysql_charset='utf8') + table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(table) + " ") + sys.stdout.flush() + + table = sql.Table( + 'models', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('value', JsonBlob(), nullable=True), + sql.UniqueConstraint('name', name='unique_constraint_models'), + mysql_engine='InnoDB', + mysql_charset='utf8') + table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(table) + " ") + sys.stdout.flush() + + subject_categories_table = sql.Table( + 'subject_categories', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('description', sql.String(256), nullable=True), + + sql.UniqueConstraint('name', name='unique_constraint_subject_categories'), + mysql_engine='InnoDB', + mysql_charset='utf8') + subject_categories_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(subject_categories_table) + " ") + sys.stdout.flush() + + object_categories_table = sql.Table( + 'object_categories', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('description', sql.String(256), nullable=True), + + sql.UniqueConstraint('name', name='unique_constraint_object_categories'), + mysql_engine='InnoDB', + mysql_charset='utf8') + object_categories_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(object_categories_table) + " ") + sys.stdout.flush() + + action_categories_table = sql.Table( + 'action_categories', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('description', sql.String(256), nullable=True), + + sql.UniqueConstraint('name', name='unique_constraint_action_categories'), + mysql_engine='InnoDB', + mysql_charset='utf8') + action_categories_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(action_categories_table) + " ") + sys.stdout.flush() + + subjects_table = sql.Table( + 'subjects', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('value', JsonBlob(), nullable=True), + sql.UniqueConstraint('name', name='unique_constraint_subjects'), + mysql_engine='InnoDB', + mysql_charset='utf8') + subjects_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(subjects_table) + " ") + sys.stdout.flush() + + objects_table = sql.Table( + 'objects', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('value', JsonBlob(), nullable=True), + sql.UniqueConstraint('name', name='unique_constraint_objects'), + mysql_engine='InnoDB', + mysql_charset='utf8') + objects_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(objects_table) + " ") + sys.stdout.flush() + + actions_table = sql.Table( + 'actions', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('value', JsonBlob(), nullable=True), + sql.UniqueConstraint('name', name='unique_constraint_actions'), + mysql_engine='InnoDB', + mysql_charset='utf8') + actions_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(actions_table) + " ") + sys.stdout.flush() + + subject_data_table = sql.Table( + 'subject_data', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('value', JsonBlob(), nullable=True), + sql.Column('category_id', sql.ForeignKey("subject_categories.id"), nullable=False), + sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False), + sql.UniqueConstraint('name', 'category_id', 'policy_id', + name='unique_constraint_subject_data'), + mysql_engine='InnoDB', + mysql_charset='utf8') + subject_data_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(subject_data_table) + " ") + sys.stdout.flush() + + object_data_table = sql.Table( + 'object_data', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('value', JsonBlob(), nullable=True), + sql.Column('category_id', sql.ForeignKey("object_categories.id"), nullable=False), + sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False), + sql.UniqueConstraint('name', 'category_id', 'policy_id', + name='unique_constraint_object_data'), + mysql_engine='InnoDB', + mysql_charset='utf8') + object_data_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(object_data_table) + " ") + sys.stdout.flush() + + action_data_table = sql.Table( + 'action_data', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('value', JsonBlob(), nullable=True), + sql.Column('category_id', sql.ForeignKey("action_categories.id"), nullable=False), + sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False), + sql.UniqueConstraint('name', 'category_id', 'policy_id', + name='unique_constraint_action_data'), + mysql_engine='InnoDB', + mysql_charset='utf8') + action_data_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(action_data_table) + " ") + sys.stdout.flush() + + subject_assignments_table = sql.Table( + 'subject_assignments', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('assignments', sql.String(256), nullable=True), + sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False), + sql.Column('subject_id', sql.ForeignKey("subjects.id"), nullable=False), + sql.Column('category_id', sql.ForeignKey("subject_categories.id"), nullable=False), + sql.UniqueConstraint('policy_id', 'subject_id', 'category_id', + name='unique_constraint_subject_assignment'), + mysql_engine='InnoDB', + mysql_charset='utf8') + subject_assignments_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(subject_assignments_table) + " ") + sys.stdout.flush() + + object_assignments_table = sql.Table( + 'object_assignments', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('assignments', sql.String(256), nullable=True), + sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False), + sql.Column('object_id', sql.ForeignKey("objects.id"), nullable=False), + sql.Column('category_id', sql.ForeignKey("object_categories.id"), nullable=False), + sql.UniqueConstraint('policy_id', 'object_id', 'category_id', + name='unique_constraint_object_assignment'), + mysql_engine='InnoDB', + mysql_charset='utf8') + object_assignments_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(object_assignments_table) + " ") + sys.stdout.flush() + + action_assignments_table = sql.Table( + 'action_assignments', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('assignments', sql.String(256), nullable=True), + sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False), + sql.Column('action_id', sql.ForeignKey("actions.id"), nullable=False), + sql.Column('category_id', sql.ForeignKey("action_categories.id"), nullable=False), + sql.UniqueConstraint('policy_id', 'action_id', 'category_id', + name='unique_constraint_action_assignment'), + mysql_engine='InnoDB', + mysql_charset='utf8') + action_assignments_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(action_assignments_table) + " ") + sys.stdout.flush() + + meta_rules_table = sql.Table( + 'meta_rules', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('name', sql.String(256), nullable=False), + sql.Column('subject_categories', JsonBlob(), nullable=False), + sql.Column('object_categories', JsonBlob(), nullable=False), + sql.Column('action_categories', JsonBlob(), nullable=False), + sql.Column('value', JsonBlob(), nullable=True), + sql.UniqueConstraint('name', name='unique_constraint_meta_rule_name'), + # sql.UniqueConstraint('subject_categories', 'object_categories', 'action_categories', name='unique_constraint_meta_rule_def'), + mysql_engine='InnoDB', + mysql_charset='utf8') + meta_rules_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(meta_rules_table) + " ") + sys.stdout.flush() + + rules_table = sql.Table( + 'rules', + meta, + sql.Column('id', sql.String(64), primary_key=True), + sql.Column('rule', JsonBlob(), nullable=True), + sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False), + sql.Column('meta_rule_id', sql.ForeignKey("meta_rules.id"), nullable=False), + mysql_engine='InnoDB', + mysql_charset='utf8') + rules_table.create(migrate_engine, checkfirst=True) + sys.stdout.write(str(rules_table) + " ") + sys.stdout.flush() + print("") + + +def downgrade(migrate_engine): + if isinstance(migrate_engine, str): + migrate_engine = create_engine(migrate_engine) + meta = sql.MetaData() + meta.bind = migrate_engine + + for _table in ( + 'rules', + 'meta_rules', + 'action_assignments', + 'object_assignments', + 'subject_assignments', + 'action_data', + 'object_data', + 'subject_data', + 'actions', + 'objects', + 'subjects', + 'action_categories', + 'object_categories', + 'subject_categories', + 'models', + 'policies', + 'pdp', + 'slaves' + ): + try: + table = sql.Table(_table, meta, autoload=True) + table.drop(migrate_engine, checkfirst=True) + except Exception as e: + print(e) diff --git a/moon_manager/moon_manager/api/db/model.py b/moon_manager/moon_manager/api/db/model.py new file mode 100644 index 00000000..9dc6273a --- /dev/null +++ b/moon_manager/moon_manager/api/db/model.py @@ -0,0 +1,429 @@ +# Software Name: MOON + +# Version: 5.4 + +# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors +# SPDX-License-Identifier: Apache-2.0 + +# This software is distributed under the 'Apache License 2.0', +# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt' +# or see the "LICENSE" file for more details. + + +from uuid import uuid4 +import logging +from moon_utilities import exceptions +from moon_utilities.security_functions import enforce +from moon_manager.api.db.managers import Managers +import copy +from moon_manager import pip_driver + +logger = logging.getLogger("moon.db.api.model") + + +class ModelManager(Managers): + + def __init__(self, connector=None): + self.driver = connector.driver + Managers.ModelManager = self + + @enforce(("read", "write"), "models") + def update_model(self, moon_user_id, model_id, value): + if model_id not in self.driver.get_models(model_id=model_id): + raise exceptions.ModelUnknown + + if not value['name'].strip(): + raise exceptions.ModelContentError('Model name invalid') + + if 'meta_rules' not in value: + raise exceptions.MetaRuleUnknown + + model = self.get_models(moon_user_id=moon_user_id, model_id=model_id) + model = model[next(iter(model))] + if ((model['meta_rules'] and value['meta_rules'] and model['meta_rules'] != value[ + 'meta_rules']) \ + or (model['meta_rules'] and not value['meta_rules'])): + policies = Managers.PolicyManager.get_policies(moon_user_id=moon_user_id) + for policy_id in policies: + if policies[policy_id]["model_id"] == model_id: + raise exceptions.DeleteModelWithPolicy + + if value and 'meta_rules' in value: + for meta_rule_id in value['meta_rules']: + if meta_rule_id: + meta_rule_tmp = self.driver.get_meta_rules(meta_rule_id=meta_rule_id) + if (not meta_rule_id) or (not meta_rule_tmp) : + raise exceptions.MetaRuleUnknown + + return self.driver.update_model(model_id=model_id, value=value) + + @enforce(("read", "write"), "models") + def delete_model(self, moon_user_id, model_id): + if model_id not in self.driver.get_models(model_id=model_id): + raise exceptions.ModelUnknown + # TODO (asteroide): check that no policy is connected to this model + policies = Managers.PolicyManager.get_policies(moon_user_id=moon_user_id) + for policy in policies: + if policies[policy]['model_id'] == model_id: + raise exceptions.DeleteModelWithPolicy + return self.driver.delete_model(model_id=model_id) + + @enforce(("read", "write"), "models") + def add_model(self, moon_user_id, model_id=None, value=None): + + if not value['name'].strip(): + raise exceptions.ModelContentError('Model name invalid') + + models = self.driver.get_models() + if model_id in models: + raise exceptions.ModelExisting + + if value.get('meta_rules', []): + for model in models: + if models[model]['name'] == value['name']: + raise exceptions.ModelExisting("Model Name Existed") + if sorted(models[model].get('meta_rules', [])) == sorted(value.get('meta_rules', [])): + raise exceptions.ModelExisting("Meta Rules List Existed in another Model") + + if not model_id: + model_id = uuid4().hex + if value and 'meta_rules' in value: + for meta_rule_id in value['meta_rules']: + if not meta_rule_id: + raise exceptions.MetaRuleUnknown + meta_rule = self.driver.get_meta_rules(meta_rule_id=meta_rule_id) + if not meta_rule: + raise exceptions.MetaRuleUnknown + + return self.driver.add_model(model_id=model_id, value=value) + + @enforce("read", "models") + def get_models(self, moon_user_id, model_id=None): + return self.driver.get_models(model_id=model_id) + + @enforce("read", "policies") + def get_policies(self, moon_user_id, policy_id=None): + return self.driver.get_policies(policy_id=policy_id) + + @enforce(("read", "write"), "meta_rules") + def update_meta_rule(self, moon_user_id, meta_rule_id, value): + meta_rules = self.driver.get_meta_rules() + if not meta_rule_id or meta_rule_id not in meta_rules: + raise exceptions.MetaRuleUnknown + self.__check_meta_rule_dependencies(moon_user_id=moon_user_id, meta_rule_id=meta_rule_id) + if value: + if not value['name'].strip(): + raise exceptions.MetaRuleContentError('Meta_rule name invalid') + + if 'subject_categories' in value: + if (len(value['subject_categories']) == 1 and (value['subject_categories'][0] is None or value[ + 'subject_categories'][0].strip() == "")): + value['subject_categories'] = []; + else: + for subject_category_id in value['subject_categories']: + if (not subject_category_id) or (not self.driver.get_subject_categories( + category_id=subject_category_id)): + raise exceptions.SubjectCategoryUnknown + if 'object_categories' in value: + if (len(value['object_categories']) == 1 and (value['object_categories'][0] is None or value[ + 'object_categories'][0].strip() == "")): + value['object_categories'] = []; + else: + for object_category_id in value['object_categories']: + if (not object_category_id) or (not self.driver.get_object_categories( + category_id=object_category_id)): + raise exceptions.ObjectCategoryUnknown + if 'action_categories' in value: + if (len(value['action_categories']) == 1 and (value['action_categories'][0] is None or value[ + 'action_categories'][0].strip() == "")): + value['action_categories'] = []; + else: + for action_category_id in value['action_categories']: + if (not action_category_id) or (not self.driver.get_action_categories( + category_id=action_category_id)): + raise exceptions.ActionCategoryUnknown + + for meta_rule_obj_id in meta_rules: + counter_matched_list = 0 + counter_matched_list += self.check_combination( + meta_rules[meta_rule_obj_id]['subject_categories'], + value['subject_categories']) + counter_matched_list += self.check_combination( + meta_rules[meta_rule_obj_id]['object_categories'], + value['object_categories']) + counter_matched_list += self.check_combination( + meta_rules[meta_rule_obj_id]['action_categories'], + value['action_categories']) + if counter_matched_list == 3 and meta_rule_obj_id != meta_rule_id: + raise exceptions.MetaRuleExisting("Same categories combination existed") + + return self.driver.set_meta_rule(meta_rule_id=meta_rule_id, value=value) + + def __check_meta_rule_dependencies(self, moon_user_id, meta_rule_id): + policies = self.get_policies(moon_user_id=moon_user_id) + for policy in policies: + model_id = policies[policy]["model_id"] + model = self.get_models(moon_user_id=moon_user_id, model_id=model_id)[model_id] + if meta_rule_id in model["meta_rules"]: + raise exceptions.MetaRuleUpdateError("This meta_rule is already in use in a policy") + + policies = Managers.PolicyManager.get_policies(moon_user_id=moon_user_id) + for policy_id in policies: + rules = Managers.PolicyManager.get_rules(moon_user_id=moon_user_id, policy_id=policy_id, + meta_rule_id=meta_rule_id) + if rules['rules']: + raise exceptions.MetaRuleUpdateError + + @enforce("read", "meta_rules") + def get_meta_rules(self, moon_user_id, meta_rule_id=None): + return self.driver.get_meta_rules(meta_rule_id=meta_rule_id) + + @enforce(("read", "write"), "meta_rules") + def add_meta_rule(self, moon_user_id, meta_rule_id=None, value=None): + + if not value['name'].strip(): + raise exceptions.MetaRuleContentError('Meta_rule name invalid') + + meta_rules = self.driver.get_meta_rules() + + if meta_rule_id in meta_rules: + raise exceptions.MetaRuleExisting + + if value: + if 'subject_categories' in value: + if (len(value['subject_categories']) == 1 and (value['subject_categories'][0] is None or value[ + 'subject_categories'][0].strip() == "")): + value['subject_categories'] = []; + else: + for subject_category_id in value['subject_categories']: + if ((not subject_category_id) or (not self.driver.get_subject_categories( + category_id=subject_category_id))): + if subject_category_id.startswith("attributes:"): + _attributes = pip_driver.AttrsManager.get_objects( + moon_user_id="admin", + object_type=subject_category_id.replace("attributes:", "") + ) + action_category_id = subject_category_id.replace("attributes:", "") + if action_category_id != _attributes['id']: + raise exceptions.SubjectCategoryUnknown + else: + raise exceptions.SubjectCategoryUnknown + if 'object_categories' in value: + if(len(value['object_categories']) == 1 and (value['object_categories'][0] is None or value[ + 'object_categories'][0].strip() == "")): + value['object_categories'] = []; + else: + for object_category_id in value['object_categories']: + if ((not object_category_id) or (not self.driver.get_object_categories( + category_id=object_category_id))): + if object_category_id.startswith("attributes:"): + _attributes = pip_driver.AttrsManager.get_objects( + moon_user_id="admin", + object_type=object_category_id.replace("attributes:", "") + ) + action_category_id = object_category_id.replace("attributes:", "") + if action_category_id != _attributes['id']: + raise exceptions.ObjectCategoryUnknown + else: + raise exceptions.ObjectCategoryUnknown + if 'action_categories' in value: + if (len(value['action_categories']) == 1 and (value['action_categories'][0] is None or value[ + 'action_categories'][0].strip() == "")): + value['action_categories'] = []; + else: + for action_category_id in value['action_categories']: + if ((not action_category_id) or (not self.driver.get_action_categories( + category_id=action_category_id))): + if action_category_id.startswith("attributes:"): + _attributes = pip_driver.AttrsManager.get_objects( + moon_user_id="admin", + object_type=action_category_id.replace("attributes:", "") + ) + action_category_id = action_category_id.replace("attributes:", "") + if action_category_id not in _attributes.keys(): + raise exceptions.ActionCategoryUnknown + else: + raise exceptions.ActionCategoryUnknown + + for meta_rule_obj_id in meta_rules: + counter_matched_list = 0 + + counter_matched_list += self.check_combination( + meta_rules[meta_rule_obj_id]['subject_categories'], value['subject_categories']) + + counter_matched_list += self.check_combination( + meta_rules[meta_rule_obj_id]['object_categories'], value['object_categories']) + + counter_matched_list += self.check_combination( + meta_rules[meta_rule_obj_id]['action_categories'], value['action_categories']) + + if counter_matched_list == 3: + raise exceptions.MetaRuleExisting("Same categories combination existed") + + return self.driver.set_meta_rule(meta_rule_id=meta_rule_id, value=value) + + # @enforce(("read", "write"), "meta_rules") + def check_combination(self, list_one, list_two): + counter_removed_items = 0 + temp_list_two = copy.deepcopy(list_two) + for item in list_one: + if item in temp_list_two: + temp_list_two.remove(item) + counter_removed_items += 1 + + if list_two and counter_removed_items == len(list_two) and len(list_two) == len(list_one): + return 1 + return 0 + + @enforce(("read", "write"), "meta_rules") + def delete_meta_rule(self, moon_user_id, meta_rule_id=None): + if meta_rule_id not in self.driver.get_meta_rules(meta_rule_id=meta_rule_id): + raise exceptions.MetaRuleUnknown + # TODO (asteroide): check and/or delete data and assignments and rules linked to that meta_rule + models = self.get_models(moon_user_id=moon_user_id) + for model_id in models: + for id in models[model_id]['meta_rules']: + if id == meta_rule_id: + raise exceptions.DeleteMetaRuleWithModel + return self.driver.delete_meta_rule(meta_rule_id=meta_rule_id) + + @enforce("read", "meta_data") + def get_subject_categories(self, moon_user_id, category_id=None): + return self.driver.get_subject_categories(category_id=category_id) + + @enforce(("read", "write"), "meta_data") + def add_subject_category(self, moon_user_id, category_id=None, value=None): + + if not value['name'].strip(): + raise exceptions.CategoryNameInvalid + + subject_categories = [] + if category_id is not None: + subject_categories = self.driver.get_subject_categories(category_id=category_id) + + subject_categories_names = self.driver.get_subject_categories(category_name=value['name'].strip()) + + if subject_categories_names or subject_categories: + raise exceptions.SubjectCategoryExisting + + + if not ('description' in value): + value['description'] = "" + return self.driver.add_subject_category(name=value["name"], + description=value["description"], uuid=category_id) + + @enforce(("read", "write"), "meta_data") + def delete_subject_category(self, moon_user_id, category_id): + # TODO (asteroide): delete all data linked to that category + # TODO (asteroide): delete all meta_rules linked to that category + if category_id not in self.driver.get_subject_categories(category_id=category_id): + raise exceptions.SubjectCategoryUnknown + meta_rules = self.get_meta_rules(moon_user_id=moon_user_id) + for meta_rule_id in meta_rules: + for subject_category_id in meta_rules[meta_rule_id]['subject_categories']: + logger.info( + "delete_subject_category {} {}".format(subject_category_id, meta_rule_id)) + logger.info("delete_subject_category {}".format(meta_rules[meta_rule_id])) + if subject_category_id == category_id: + # has_rules = self.driver.is_meta_rule_has_rules(meta_rule_id) + # if has_rules: + raise exceptions.DeleteSubjectCategoryWithMetaRule + + if self.driver.is_subject_category_has_assignment(category_id): + raise exceptions.DeleteCategoryWithAssignment + + if self.driver.is_subject_data_exist(category_id=category_id): + raise exceptions.DeleteCategoryWithData + + return self.driver.delete_subject_category(category_id=category_id) + + @enforce("read", "meta_data") + def get_object_categories(self, moon_user_id, category_id=None): + return self.driver.get_object_categories(category_id) + + @enforce(("read", "write"), "meta_data") + def add_object_category(self, moon_user_id, category_id=None, value=None): + if not value['name'].strip(): + raise exceptions.CategoryNameInvalid + + object_categories = [] + if category_id is not None: + object_categories = self.driver.get_object_categories(category_id=category_id) + + object_categories_names = self.driver.get_object_categories(category_name=value['name'].strip()) + if object_categories_names or object_categories: + raise exceptions.ObjectCategoryExisting + + if not ('description' in value): + value['description'] = "" + + return self.driver.add_object_category(name=value["name"], description=value["description"], + uuid=category_id) + + @enforce(("read", "write"), "meta_data") + def delete_object_category(self, moon_user_id, category_id): + # TODO (asteroide): delete all data linked to that category + # TODO (asteroide): delete all meta_rules linked to that category + if category_id not in self.driver.get_object_categories(category_id=category_id): + raise exceptions.ObjectCategoryUnknown + meta_rules = self.get_meta_rules(moon_user_id=moon_user_id) + for meta_rule_id in meta_rules: + for object_category_id in meta_rules[meta_rule_id]['object_categories']: + if object_category_id == category_id: + # has_rules = self.driver.is_meta_rule_has_rules(meta_rule_id) + # if has_rules: + raise exceptions.DeleteObjectCategoryWithMetaRule + + if self.driver.is_object_category_has_assignment(category_id): + raise exceptions.DeleteCategoryWithAssignment + + if self.driver.is_object_data_exist(category_id=category_id): + raise exceptions.DeleteCategoryWithData + + return self.driver.delete_object_category(category_id=category_id) + + @enforce("read", "meta_data") + def get_action_categories(self, moon_user_id, category_id=None): + return self.driver.get_action_categories(category_id=category_id) + + @enforce(("read", "write"), "meta_data") + def add_action_category(self, moon_user_id, category_id=None, value=None): + + if not value['name'].strip(): + raise exceptions.CategoryNameInvalid + + action_categories = [] + if category_id is not None: + action_categories = self.driver.get_action_categories(category_id=category_id) + + action_categories_names = self.driver.get_action_categories(category_name=value['name'].strip()) + if action_categories_names or action_categories: + raise exceptions.ActionCategoryExisting + + if not ('description' in value): + value['description'] = "" + + return self.driver.add_action_category(name=value["name"], description=value["description"], + uuid=category_id) + + @enforce(("read", "write"), "meta_data") + def delete_action_category(self, moon_user_id, category_id): + # TODO (asteroide): delete all data linked to that category + # TODO (asteroide): delete all meta_rules linked to that category + if category_id not in self.driver.get_action_categories(category_id=category_id): + raise exceptions.ActionCategoryUnknown + meta_rules = self.get_meta_rules(moon_user_id=moon_user_id) + for meta_rule_id in meta_rules: + for action_category_id in meta_rules[meta_rule_id]['action_categories']: + if action_category_id == category_id: + # has_rules = self.driver.is_meta_rule_has_rules(meta_rule_id) + # if has_rules: + raise exceptions.DeleteActionCategoryWithMetaRule + + if self.driver.is_action_category_has_assignment(category_id): + raise exceptions.DeleteCategoryWithAssignment + + if self.driver.is_action_data_exist(category_id=category_id): + raise exceptions.DeleteCategoryWithData + + return self.driver.delete_action_category(category_id=category_id) diff --git a/moon_manager/moon_manager/api/db/pdp.py b/moon_manager/moon_manager/api/db/pdp.py new file mode 100644 index 00000000..a4ca08f6 --- /dev/null +++ b/moon_manager/moon_manager/api/db/pdp.py @@ -0,0 +1,115 @@ +# Software Name: MOON + +# Version: 5.4 + +# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors +# SPDX-License-Identifier: Apache-2.0 + +# This software is distributed under the 'Apache License 2.0', +# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt' +# or see the "LICENSE" file for more details. + + +from uuid import uuid4 +import logging +from moon_utilities.security_functions import enforce +from moon_manager.api.db.managers import Managers +from moon_utilities import exceptions + +logger = logging.getLogger("moon.db.api.pdp") + + +class PDPManager(Managers): + + def __init__(self, connector=None): + self.driver = connector.driver + Managers.PDPManager = self + + @enforce(("read", "write"), "pdp") + def update_pdp(self, moon_user_id, pdp_id, value): + if not value or 'name' not in value or not value['name'].strip(): + raise exceptions.PdpContentError + + exists_security_pipeline = value and 'security_pipeline' in value and \ + len(value['security_pipeline']) > 0 + exists_vim_project_id = value and 'vim_project_id' in value and \ + value['vim_project_id'] != None and \ + value['vim_project_id'].strip() + if not exists_security_pipeline and exists_vim_project_id: + raise exceptions.PdpContentError + if exists_security_pipeline and not exists_vim_project_id: + raise exceptions.PdpContentError + + self.__pdp_validated_pipeline_name_id(pdp_id, value, "update") + + if value and 'security_pipeline' in value: + for policy_id in value['security_pipeline']: + if not policy_id or not policy_id.strip() or not \ + Managers.PolicyManager.get_policies(moon_user_id=moon_user_id, policy_id=policy_id): + raise exceptions.PolicyUnknown + + return self.driver.update_pdp(pdp_id=pdp_id, value=value) + + @enforce(("read", "write"), "pdp") + def delete_pdp(self, moon_user_id, pdp_id): + if pdp_id not in self.driver.get_pdp(pdp_id=pdp_id): + raise exceptions.PdpUnknown + return self.driver.delete_pdp(pdp_id=pdp_id) + + @enforce(("read", "write"), "pdp") + def add_pdp(self, moon_user_id, pdp_id=None, value=None): + if not value or 'name' not in value or not value['name'].strip(): + raise exceptions.PdpContentError + + exists_security_pipeline = value and 'security_pipeline' in value and \ + len(value['security_pipeline']) > 0 + exists_vim_project_id = value and 'vim_project_id' in value and \ + value['vim_project_id'] is not None and \ + value['vim_project_id'].strip() + if not exists_security_pipeline and exists_vim_project_id: + raise exceptions.PdpContentError + if exists_security_pipeline and not exists_vim_project_id: + raise exceptions.PdpContentError + + self.__pdp_validated_pipeline_name_id(pdp_id, value, "add") + + if value and 'security_pipeline' in value: + for policy_id in value['security_pipeline']: + if not policy_id or not policy_id.strip() or not \ + Managers.PolicyManager.get_policies(moon_user_id=moon_user_id, policy_id=policy_id): + raise exceptions.PolicyUnknown + + return self.driver.add_pdp(pdp_id=pdp_id, value=value) + + @enforce("read", "pdp") + def get_pdp(self, moon_user_id, pdp_id=None): + return self.driver.get_pdp(pdp_id=pdp_id) + + @enforce("read", "pdp") + def delete_policy_from_pdp(self, moon_user_id, pdp_id, policy_id): + + if pdp_id not in self.driver.get_pdp(pdp_id=pdp_id): + raise exceptions.PdpUnknown + if policy_id not in self.driver.get_policies(policy_id=policy_id): + raise exceptions.PolicyUnknown + x = self.driver.delete_policy_from_pdp(pdp_id=pdp_id, policy_id=policy_id) + return x + + def __pdp_validated_pipeline_name_id(self, pdp_id, value, method_type=None): + all_pdps = self.driver.get_pdp() + if method_type == 'update': + if pdp_id not in all_pdps: + raise exceptions.PdpUnknown + else: + if pdp_id in all_pdps: + raise exceptions.PdpExisting + if not pdp_id: + pdp_id = uuid4().hex + + for key in all_pdps: + if pdp_id != key: + if all_pdps[key]['name'] == value['name']: + raise exceptions.PdpExisting + for policy_id in value['security_pipeline']: + if policy_id in all_pdps[key]['security_pipeline']: + raise exceptions.PdpInUse diff --git a/moon_manager/moon_manager/api/db/policy.py b/moon_manager/moon_manager/api/db/policy.py new file mode 100644 index 00000000..e736aca7 --- /dev/null +++ b/moon_manager/moon_manager/api/db/policy.py @@ -0,0 +1,971 @@ +# Software Name: MOON + +# Version: 5.4 + +# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors +# SPDX-License-Identifier: Apache-2.0 + +# This software is distributed under the 'Apache License 2.0', +# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt' +# or see the "LICENSE" file for more details. + + +import logging +from uuid import uuid4 +from moon_manager.api.db.managers import Managers +from moon_manager.pip_driver import InformationManager +from moon_utilities.security_functions import enforce +from moon_utilities import exceptions +from moon_manager import pip_driver + + +logger = logging.getLogger("moon.db.api.policy") + + +class PolicyManager(Managers): + + def __init__(self, connector=None): + self.driver = connector.driver + Managers.PolicyManager = self + + def get_policy_from_meta_rules(self, moon_user_id, meta_rule_id): + policies = self.PolicyManager.get_policies("admin") + models = self.ModelManager.get_models("admin") + for pdp_key, pdp_value in self.PDPManager.get_pdp(moon_user_id=moon_user_id).items(): + if 'security_pipeline' not in pdp_value: + raise exceptions.PdpContentError + for policy_id in pdp_value["security_pipeline"]: + if not policies or policy_id not in policies: + raise exceptions.PolicyUnknown + model_id = policies[policy_id]["model_id"] + if not models: + raise exceptions.ModelUnknown + if model_id not in models: + raise exceptions.ModelUnknown + if meta_rule_id in models[model_id]["meta_rules"]: + return policy_id + + @enforce(("read", "write"), "policies") + def update_policy(self, moon_user_id, policy_id, value): + + if not value or not value['name'].strip(): + raise exceptions.PolicyContentError + + policy_list = self.driver.get_policies(policy_id=policy_id) + if not policy_id or policy_id not in policy_list: + raise exceptions.PolicyUnknown + + policies = self.driver.get_policies(policy_name=value['name']) + if policies and not (policy_id in policies): + raise exceptions.PolicyExisting("Policy name Existed") + + if 'model_id' in value and value['model_id']: + if not value['model_id'].strip() or not Managers.ModelManager.get_models( + moon_user_id=moon_user_id, model_id=value['model_id']): + raise exceptions.ModelUnknown + + policy_obj = policy_list[policy_id] + if policy_obj["model_id"] and policy_obj["model_id"] != value['model_id']: + raise exceptions.PolicyUpdateError("Model is not empty") + + return self.driver.update_policy(policy_id=policy_id, value=value) + + @enforce(("read", "write"), "policies") + def delete_policy(self, moon_user_id, policy_id): + # TODO (asteroide): unmap PDP linked to that policy + if policy_id not in self.driver.get_policies(policy_id=policy_id): + raise exceptions.PolicyUnknown + pdps = self.PDPManager.get_pdp(moon_user_id=moon_user_id) + for pdp in pdps: + if policy_id in pdps[pdp]['security_pipeline']: + self.PDPManager.delete_policy_from_pdp(moon_user_id=moon_user_id, + pdp_id=pdp, + policy_id=policy_id) + + subject_data = self.get_subject_data(moon_user_id=moon_user_id, policy_id=policy_id) + if subject_data: + for subject_data_obj in subject_data: + if subject_data_obj and subject_data_obj["data"]: + for subject_data_id in subject_data_obj['data']: + self.delete_subject_data(moon_user_id=moon_user_id, policy_id=policy_id, + data_id=subject_data_id) + + object_data = self.get_object_data(moon_user_id=moon_user_id, policy_id=policy_id) + if object_data: + for object_data_obj in object_data: + if object_data_obj and object_data_obj["data"]: + for object_data_id in object_data_obj['data']: + self.delete_object_data(moon_user_id=moon_user_id, policy_id=policy_id, + data_id=object_data_id) + action_data = self.get_action_data(moon_user_id=moon_user_id, policy_id=policy_id) + if action_data: + for action_data_obj in action_data: + if action_data_obj and action_data_obj["data"]: + for action_data_id in action_data_obj['data']: + self.delete_action_data(moon_user_id=moon_user_id, policy_id=policy_id, + data_id=action_data_id) + + subjects = self.driver.get_subjects(policy_id=policy_id) + if subjects: + for subject_id in subjects: + self.delete_subject(moon_user_id=moon_user_id, policy_id=policy_id, + perimeter_id=subject_id) + objects = self.driver.get_objects(policy_id=policy_id) + if objects: + for object_id in objects: + self.delete_object(moon_user_id=moon_user_id, policy_id=policy_id, + perimeter_id=object_id) + actions = self.driver.get_actions(policy_id=policy_id) + if actions: + for action_id in actions: + self.delete_action(moon_user_id=moon_user_id, policy_id=policy_id, + perimeter_id=action_id) + + # rules = self.driver.get_rules(policy_id=policy_id)["rules"] + # if rules: + # for rule_id in rules: + # self.delete_rule(moon_user_id=moon_user_id, policy_id=policy_id, rules=rule_id) + + return self.driver.delete_policy(policy_id=policy_id) + + @enforce(("read", "write"), "policies") + def add_policy(self, moon_user_id, policy_id=None, value=None): + + if not value or not value['name'].strip(): + raise exceptions.PolicyContentError + if policy_id in self.driver.get_policies(policy_id=policy_id): + raise exceptions.PolicyExisting + + if self.driver.get_policies(policy_name=value['name']): + raise exceptions.PolicyExisting("Policy name Existed") + + if not policy_id: + policy_id = uuid4().hex + if 'model_id' in value and value['model_id'] != "": + model_id = value['model_id'] + if model_id is None: + raise exceptions.ModelUnknown + else: + model_list = Managers.ModelManager.get_models(moon_user_id=moon_user_id, + model_id=model_id) + if not model_list: + raise exceptions.ModelUnknown + + self.__check_blank_model(model_list[model_id]) + + return self.driver.add_policy(policy_id=policy_id, value=value) + + @enforce("read", "policies") + def get_policies(self, moon_user_id, policy_id=None): + return self.driver.get_policies(policy_id=policy_id) + + @enforce("read", "perimeter") + def get_subjects(self, moon_user_id, policy_id, perimeter_id=None): + # if not policy_id: + # raise exceptions.PolicyUnknown + if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)): + raise exceptions.PolicyUnknown + return self.driver.get_subjects(policy_id=policy_id, perimeter_id=perimeter_id) + + @enforce(("read", "write"), "perimeter") + def add_subject(self, moon_user_id, policy_id=None, perimeter_id=None, value=None): + + logger.debug("add_subject {}".format(policy_id)) + if not value or "name" not in value or not value["name"].strip(): + raise exceptions.PerimeterContentError('invalid name') + + if 'policy_list' in value: + raise exceptions.PerimeterContentError("body should not contain policy_list") + + if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)): + raise exceptions.PolicyUnknown + + if perimeter_id: + subjects = self.driver.get_subjects(policy_id=None, perimeter_id=perimeter_id) + if subjects and subjects[perimeter_id]['name'] != value['name']: + raise exceptions.PerimeterContentError + + if not perimeter_id: + subject_per = self.driver.get_subject_by_name(value['name']) + if subject_per: + perimeter_id = next(iter(subject_per)) + + # should get k_user = {'users':[{"id":"11111"}]} from Keystone + # FIXME: need to check other input + # k_user = InformationManager.get_users(username=value.get('name')) + # + # if not k_user.get('users', {}): + # k_user = InformationManager.add_user(**value) + # if k_user: + # if not perimeter_id: + # try: + # logger.info("k_user={}".format(k_user)) + # perimeter_id = k_user['users'][0].get('id', uuid4().hex) + # except IndexError: + # k_user = InformationManager.get_users(value.get('name')) + # perimeter_id = uuid4().hex + # except KeyError: + # k_user = InformationManager.get_users(value.get('name')) + # perimeter_id = uuid4().hex + # + # try: + # value.update(k_user['users'][0]) + # except IndexError: + # logger.error("Cannot update user from external server data, got {}".format(k_user)) + + return self.driver.set_subject(policy_id=policy_id, perimeter_id=perimeter_id, value=value) + + @enforce(("read", "write"), "perimeter") + def update_subject(self, moon_user_id, perimeter_id, value): + logger.debug("update_subject perimeter_id = {}".format(perimeter_id)) + + if not perimeter_id: + raise exceptions.SubjectUnknown + + subjects = self.driver.get_subjects(policy_id=None, perimeter_id=perimeter_id) + if not subjects or not (perimeter_id in subjects): + raise exceptions.PerimeterContentError + + if 'policy_list' in value or ('name' in value and not value['name']): + raise exceptions.PerimeterContentError + + return self.driver.update_subject(perimeter_id=perimeter_id, value=value) + + @enforce(("read", "write"), "perimeter") + def delete_subject(self, moon_user_id, policy_id, perimeter_id): + + if not perimeter_id: + raise exceptions.SubjectUnknown + + # if not policy_id: + # raise exceptions.PolicyUnknown + + if not self.get_subjects(moon_user_id=moon_user_id, policy_id=policy_id, + perimeter_id=perimeter_id): + raise exceptions.SubjectUnknown + + if policy_id: + if not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id): + raise exceptions.PolicyUnknown + + subj_assig = self.driver.get_subject_assignments(policy_id=policy_id, + subject_id=perimeter_id) + if subj_assig: + assign_id = next(iter(subj_assig)) + for data_id in subj_assig[assign_id]['assignments']: + self.delete_subject_assignment(moon_user_id=moon_user_id, + policy_id=policy_id, + subject_id=perimeter_id, + category_id=subj_assig[assign_id]['category_id'], + data_id=data_id) + + return self.driver.delete_subject(policy_id=policy_id, perimeter_id=perimeter_id) + + @enforce("read", "perimeter") + def get_objects(self, moon_user_id, policy_id, perimeter_id=None): + # if not policy_id: + # pass + if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)): + raise exceptions.PolicyUnknown + return self.driver.get_objects(policy_id=policy_id, perimeter_id=perimeter_id) + + @enforce(("read", "write"), "perimeter") + def add_object(self, moon_user_id, policy_id, perimeter_id=None, value=None): + logger.debug("add_object {}".format(policy_id)) + + if not value or "name" not in value or not value["name"].strip(): + raise exceptions.PerimeterContentError('invalid name') + + if 'policy_list' in value: + raise exceptions.PerimeterContentError("body should not contain policy_list") + + if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)): + raise exceptions.PolicyUnknown + + # object_perimeter = {} + # if perimeter_id: + # object_perimeter = self.driver.get_objects(policy_id=None, perimeter_id=perimeter_id) + # if not object_perimeter: + # raise exceptions.PerimeterContentError + # empeche l'ajout d'un objet avec un id prédéterminé + + if not perimeter_id: + object_perimeter = self.driver.get_object_by_name(value['name']) + if object_perimeter: + perimeter_id = next(iter(object_perimeter)) + + if perimeter_id: + objects = self.driver.get_objects(policy_id=None, perimeter_id=perimeter_id) + if objects and objects[perimeter_id]['name'] != value['name']: + raise exceptions.PerimeterContentError + + if not perimeter_id: + perimeter_id = uuid4().hex + return self.driver.set_object(policy_id=policy_id, perimeter_id=perimeter_id, value=value) + + @enforce(("read", "write"), "perimeter") + def update_object(self, moon_user_id, perimeter_id, value): + logger.debug("update_object perimeter_id = {}".format(perimeter_id)) + + if not perimeter_id: + raise exceptions.ObjectUnknown + + objects = self.driver.get_objects(policy_id=None, perimeter_id=perimeter_id) + if not objects or not (perimeter_id in objects): + raise exceptions.PerimeterContentError + + if 'policy_list' in value or ('name' in value and not value['name']): + raise exceptions.PerimeterContentError + + return self.driver.update_object(perimeter_id=perimeter_id, value=value) + + @enforce(("read", "write"), "perimeter") + def delete_object(self, moon_user_id, policy_id, perimeter_id): + + if not perimeter_id: + raise exceptions.ObjectUnknown + + # if not policy_id: + # raise exceptions.PolicyUnknown + + if not self.get_objects(moon_user_id=moon_user_id, policy_id=policy_id, + perimeter_id=perimeter_id): + raise exceptions.ObjectUnknown + + if policy_id: + + if not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id): + raise exceptions.PolicyUnknown + + obj_assig = self.driver.get_object_assignments(policy_id=policy_id, object_id=perimeter_id) + + if obj_assig: + assign_id = next(iter(obj_assig)) + for data_id in obj_assig[assign_id]['assignments']: + self.delete_object_assignment(moon_user_id, + policy_id=policy_id, + object_id=perimeter_id, + category_id=obj_assig[assign_id]['category_id'], + data_id=data_id) + + return self.driver.delete_object(policy_id=policy_id, perimeter_id=perimeter_id) + + @enforce("read", "perimeter") + def get_actions(self, moon_user_id, policy_id, perimeter_id=None): + + if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)): + raise exceptions.PolicyUnknown + return self.driver.get_actions(policy_id=policy_id, perimeter_id=perimeter_id) + + @enforce(("read", "write"), "perimeter") + def add_action(self, moon_user_id, policy_id, perimeter_id=None, value=None): + logger.debug("add_action {}".format(policy_id)) + + if not value or "name" not in value or not value["name"].strip(): + raise exceptions.PerimeterContentError('invalid name') + + if 'policy_list' in value: + raise exceptions.PerimeterContentError("body should not contain policy_list") + + if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)): + raise exceptions.PolicyUnknown + + action_perimeter = {} + if perimeter_id: + action_perimeter = self.driver.get_actions(policy_id=None, perimeter_id=perimeter_id) + if not action_perimeter: + raise exceptions.PerimeterContentError + + if not perimeter_id: + action_perimeter = self.driver.get_action_by_name(value['name']) + if action_perimeter: + perimeter_id = next(iter(action_perimeter)) + + if perimeter_id and action_perimeter[perimeter_id]['name'] != value['name']: + raise exceptions.PerimeterContentError + + if not perimeter_id: + perimeter_id = uuid4().hex + + return self.driver.set_action(policy_id=policy_id, perimeter_id=perimeter_id, value=value) + + @enforce(("read", "write"), "perimeter") + def update_action(self, moon_user_id, perimeter_id, value): + logger.debug("update_action perimeter_id = {}".format(perimeter_id)) + + if not perimeter_id: + raise exceptions.ActionUnknown + + actions = self.driver.get_actions(policy_id=None, perimeter_id=perimeter_id) + if not actions or not (perimeter_id in actions): + raise exceptions.PerimeterContentError + + if 'policy_list' in value or ('name' in value and not value['name'].strip()): + raise exceptions.PerimeterContentError + + return self.driver.update_action(perimeter_id=perimeter_id, value=value) + + @enforce(("read", "write"), "perimeter") + def delete_action(self, moon_user_id, policy_id, perimeter_id): + + if not perimeter_id: + raise exceptions.ActionUnknown + + # if not policy_id: + # raise exceptions.PolicyUnknown + + if not self.get_actions(moon_user_id=moon_user_id, policy_id=policy_id, + perimeter_id=perimeter_id): + raise exceptions.ActionUnknown + + logger.debug("delete_action {} {} {}".format(policy_id, perimeter_id, + self.get_policies(moon_user_id=moon_user_id, + policy_id=policy_id))) + if policy_id: + if not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id): + raise exceptions.PolicyUnknown + + act_assig = self.driver.get_action_assignments(policy_id=policy_id, action_id=perimeter_id) + + if act_assig: + assign_id = next(iter(act_assig)) + for data_id in act_assig[assign_id]['assignments']: + self.delete_action_assignment(moon_user_id=moon_user_id, + policy_id=policy_id, + action_id=perimeter_id, + category_id=act_assig[assign_id]['category_id'], + data_id=data_id) + + return self.driver.delete_action(policy_id=policy_id, perimeter_id=perimeter_id) + + @enforce("read", "data") + def get_subject_data(self, moon_user_id, policy_id, data_id=None, category_id=None): + available_metadata = self.get_available_metadata(moon_user_id=moon_user_id, + policy_id=policy_id) + results = [] + if not category_id: + for cat in available_metadata["subject"]: + _value = self.driver.get_subject_data(policy_id=policy_id, data_id=data_id, + category_id=cat) + results.append(_value) + if category_id and category_id in available_metadata["subject"]: + results.append(self.driver.get_subject_data(policy_id=policy_id, data_id=data_id, + category_id=category_id)) + return results + + @enforce(("read", "write"), "data") + def set_subject_data(self, moon_user_id, policy_id, data_id=None, category_id=None, value=None): + + logger.debug("set_subject_data policyID {}".format(policy_id)) + + if not value or 'name' not in value or not value['name'].strip(): + raise exceptions.DataContentError + + if not policy_id or not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id): + raise exceptions.PolicyUnknown + + if not category_id or ( + not Managers.ModelManager.get_subject_categories(moon_user_id=moon_user_id, + category_id=category_id)): + raise exceptions.SubjectCategoryUnknown + + self.__category_dependency_validation(moon_user_id, policy_id, category_id, + 'subject_categories') + + if not data_id: + data_id = uuid4().hex + return self.driver.set_subject_data(policy_id=policy_id, data_id=data_id, + category_id=category_id, value=value) + + @enforce(("read", "write"), "data") + def delete_subject_data(self, moon_user_id, policy_id, data_id, category_id=None): + # TODO (asteroide): check and/or delete assignments linked to that data + subject_assignments = self.get_subject_assignments(moon_user_id=moon_user_id, + policy_id=policy_id, + category_id=category_id) + if subject_assignments: + for assign_id in subject_assignments: + self.driver.delete_subject_assignment( + policy_id=subject_assignments[assign_id]['policy_id'], + subject_id=subject_assignments[assign_id]['subject_id'], + category_id=subject_assignments[assign_id]['category_id'], + data_id=subject_assignments[assign_id]['id']) + + rules = self.driver.get_rules(policy_id=policy_id) + if rules['rules']: + for rule in rules['rules']: + if data_id in rule['rule']: + self.driver.delete_rule(policy_id, rule['id']) + + return self.driver.delete_subject_data(policy_id=policy_id, category_id=category_id, + data_id=data_id) + + @enforce("read", "data") + def get_object_data(self, moon_user_id, policy_id, data_id=None, category_id=None): + available_metadata = self.get_available_metadata(moon_user_id=moon_user_id, + policy_id=policy_id) + results = [] + if not category_id: + for cat in available_metadata["object"]: + results.append(self.driver.get_object_data(policy_id=policy_id, data_id=data_id, + category_id=cat)) + if category_id and category_id in available_metadata["object"]: + results.append(self.driver.get_object_data(policy_id=policy_id, data_id=data_id, + category_id=category_id)) + return results + + @enforce(("read", "write"), "data") + def add_object_data(self, moon_user_id, policy_id, data_id=None, category_id=None, value=None): + logger.debug("add_object_data policyID {}".format(policy_id)) + + if not value or 'name' not in value or not value['name'].strip(): + raise exceptions.DataContentError + + if not policy_id or not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id): + raise exceptions.PolicyUnknown + + if not category_id or ( + not Managers.ModelManager.get_object_categories(moon_user_id=moon_user_id, + category_id=category_id)): + raise exceptions.ObjectCategoryUnknown + + self.__category_dependency_validation(moon_user_id, policy_id, category_id, + 'object_categories') + + if not data_id: + data_id = uuid4().hex + return self.driver.set_object_data(policy_id=policy_id, data_id=data_id, + category_id=category_id, value=value) + + @enforce(("read", "write"), "data") + def delete_object_data(self, moon_user_id, policy_id, data_id, category_id=None): + # TODO (asteroide): check and/or delete assignments linked to that data + object_assignments = self.get_object_assignments(moon_user_id=moon_user_id, + policy_id=policy_id, + category_id=category_id) + + if object_assignments: + for assign_id in object_assignments: + self.driver.delete_object_assignment( + policy_id=object_assignments[assign_id]['policy_id'], + object_id=object_assignments[assign_id]['object_id'], + category_id=object_assignments[assign_id]['category_id'], + data_id=object_assignments[assign_id]['id']) + + rules = self.driver.get_rules(policy_id=policy_id) + if rules['rules']: + for rule in rules['rules']: + if data_id in rule['rule']: + self.driver.delete_rule(policy_id, rule['id']) + + return self.driver.delete_object_data(policy_id=policy_id, category_id=category_id, + data_id=data_id) + + @enforce("read", "data") + def get_action_data(self, moon_user_id, policy_id, data_id=None, category_id=None): + available_metadata = self.get_available_metadata(moon_user_id=moon_user_id, + policy_id=policy_id) + results = [] + if not category_id: + for cat in available_metadata["action"]: + results.append(self.driver.get_action_data(policy_id=policy_id, data_id=data_id, + category_id=cat)) + if category_id and category_id in available_metadata["action"]: + if category_id.startswith("attributes:"): + data = {} + attrs = pip_driver.AttrsManager.get_objects( + moon_user_id="admin", + object_type=category_id.replace("attributes:", "")) + for item in attrs.keys(): + data[item] = {"id": item, "name": item, "description": item} + results.append( + { + "policy_id": policy_id, + "category_id": category_id, + "data": data, + } + ) + else: + results.append(self.driver.get_action_data(policy_id=policy_id, + data_id=data_id, + category_id=category_id)) + return results + + @enforce(("read", "write"), "data") + def add_action_data(self, moon_user_id, policy_id, data_id=None, category_id=None, value=None): + + logger.debug("add_action_data policyID {}".format(policy_id)) + + if not value or 'name' not in value or not value['name'].strip(): + raise exceptions.DataContentError + + if not policy_id or not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id): + raise exceptions.PolicyUnknown + + if not category_id or ( + not Managers.ModelManager.get_action_categories(moon_user_id=moon_user_id, + category_id=category_id)): + raise exceptions.ActionCategoryUnknown + + self.__category_dependency_validation(moon_user_id, policy_id, category_id, + 'action_categories') + + if not data_id: + data_id = uuid4().hex + return self.driver.set_action_data(policy_id=policy_id, data_id=data_id, + category_id=category_id, value=value) + + @enforce(("read", "write"), "data") + def delete_action_data(self, moon_user_id, policy_id, data_id, category_id=None): + # TODO (asteroide): check and/or delete assignments linked to that data + action_assignments = self.get_action_assignments(moon_user_id=moon_user_id, + policy_id=policy_id, + category_id=category_id) + if action_assignments: + for assign_id in action_assignments: + self.driver.delete_action_assignment( + policy_id=action_assignments[assign_id]['policy_id'], + action_id=action_assignments[assign_id]['action_id'], + category_id=action_assignments[assign_id]['category_id'], + data_id=action_assignments[assign_id]['id']) + + rules = self.driver.get_rules(policy_id=policy_id) + if rules['rules']: + for rule in rules['rules']: + if data_id in rule['rule']: + self.driver.delete_rule(policy_id, rule['id']) + + return self.driver.delete_action_data(policy_id=policy_id, category_id=category_id, + data_id=data_id) + + @enforce("read", "assignments") + def get_subject_assignments(self, moon_user_id, policy_id, subject_id=None, category_id=None): + return self.driver.get_subject_assignments(policy_id=policy_id, subject_id=subject_id, + category_id=category_id) + + @enforce(("read", "write"), "assignments") + def add_subject_assignment(self, moon_user_id, policy_id, subject_id, category_id, data_id): + + logger.debug("add_subject_assignment policyID {}".format(policy_id)) + if not category_id or ( + not Managers.ModelManager.get_subject_categories(moon_user_id=moon_user_id, + category_id=category_id)): + raise exceptions.SubjectCategoryUnknown + + self.__category_dependency_validation(moon_user_id, policy_id, category_id, + 'subject_categories') + + if not subject_id or ( + not self.get_subjects(moon_user_id=moon_user_id, policy_id=policy_id, + perimeter_id=subject_id)): + raise exceptions.SubjectUnknown + subjects_data = self.get_subject_data(moon_user_id=moon_user_id, policy_id=policy_id, + data_id=data_id, category_id=category_id) + if not data_id or not subjects_data or data_id not in subjects_data[0]['data']: + raise exceptions.DataUnknown + + return self.driver.add_subject_assignment(policy_id=policy_id, subject_id=subject_id, + category_id=category_id, data_id=data_id) + + @enforce(("read", "write"), "assignments") + def delete_subject_assignment(self, moon_user_id, policy_id, subject_id, category_id, data_id): + if policy_id: + return self.driver.delete_subject_assignment( + policy_id=policy_id, subject_id=subject_id, + category_id=category_id, data_id=data_id) + raise exceptions.PolicyUnknown + + @enforce("read", "assignments") + def get_object_assignments(self, moon_user_id, policy_id, object_id=None, category_id=None): + return self.driver.get_object_assignments(policy_id=policy_id, object_id=object_id, + category_id=category_id) + + @enforce(("read", "write"), "assignments") + def add_object_assignment(self, moon_user_id, policy_id, object_id, category_id, data_id): + + logger.debug("add_object_assignment policyID {}".format(policy_id)) + if not category_id or ( + not Managers.ModelManager.get_object_categories(moon_user_id=moon_user_id, + category_id=category_id)): + raise exceptions.ObjectCategoryUnknown + + self.__category_dependency_validation(moon_user_id, policy_id, category_id, + 'object_categories') + + if not object_id or ( + not self.get_objects(moon_user_id=moon_user_id, policy_id=policy_id, + perimeter_id=object_id)): + raise exceptions.ObjectUnknown + objects_data = self.get_object_data(moon_user_id=moon_user_id, policy_id=policy_id, + data_id=data_id, category_id=category_id) + if not data_id or not objects_data or data_id not in objects_data[0]['data']: + raise exceptions.DataUnknown + + return self.driver.add_object_assignment(policy_id=policy_id, object_id=object_id, + category_id=category_id, data_id=data_id) + + @enforce(("read", "write"), "assignments") + def delete_object_assignment(self, moon_user_id, policy_id, object_id, category_id, data_id): + if policy_id: + return self.driver.delete_object_assignment(policy_id=policy_id, object_id=object_id, + category_id=category_id, data_id=data_id) + raise exceptions.PolicyUnknown + + @enforce("read", "assignments") + def get_action_assignments(self, moon_user_id, policy_id, action_id=None, category_id=None): + return self.driver.get_action_assignments(policy_id=policy_id, action_id=action_id, + category_id=category_id) + + @enforce(("read", "write"), "assignments") + def add_action_assignment(self, moon_user_id, policy_id, action_id, category_id, data_id): + + logger.debug("add_action_assignment policyID {}".format(policy_id)) + + if not category_id or ( + not Managers.ModelManager.get_action_categories(moon_user_id=moon_user_id, + category_id=category_id)): + raise exceptions.ActionCategoryUnknown + + self.__category_dependency_validation(moon_user_id, policy_id, category_id, + 'action_categories') + + if not action_id or ( + not self.get_actions(moon_user_id=moon_user_id, policy_id=policy_id, + perimeter_id=action_id)): + raise exceptions.ActionUnknown + actions_data = self.get_action_data(moon_user_id=moon_user_id, policy_id=policy_id, + data_id=data_id, category_id=category_id) + if not data_id or not actions_data or data_id not in actions_data[0]['data']: + raise exceptions.DataUnknown + + return self.driver.add_action_assignment(policy_id=policy_id, action_id=action_id, + category_id=category_id, data_id=data_id) + + @enforce(("read", "write"), "assignments") + def delete_action_assignment(self, moon_user_id, policy_id, action_id, category_id, data_id): + if policy_id: + return self.driver.delete_action_assignment(policy_id=policy_id, action_id=action_id, + category_id=category_id, data_id=data_id) + raise exceptions.PolicyUnknown + + @enforce("read", "rules") + def get_rules(self, moon_user_id, policy_id, meta_rule_id=None, rule_id=None): + return self.driver.get_rules(policy_id=policy_id, meta_rule_id=meta_rule_id, + rule_id=rule_id) + + @enforce(("read", "write"), "policies") + def update_rule(self, moon_user_id, rule_id, value): + if not value or 'instructions' not in value: + raise exceptions.RuleContentError + + rule_list = self.driver.get_rules(policy_id=None, rule_id=rule_id) + if not rule_id or rule_id not in rule_list: + raise exceptions.RuleUnknown + + return self.driver.update_rule(rule_id=rule_id, value=value) + + @enforce(("read", "write"), "rules") + def add_rule(self, moon_user_id, policy_id, meta_rule_id, value): + + if not meta_rule_id or ( + not self.ModelManager.get_meta_rules(moon_user_id=moon_user_id, + meta_rule_id=meta_rule_id)): + raise exceptions.MetaRuleUnknown + + if not value or 'instructions' not in value: # TODO or not value['instructions']: + raise exceptions.MetaRuleContentError + + decision_exist = False + default_instruction = {"decision": "grant"} + + for instruction in value['instructions']: + if 'decision' in instruction: + decision_exist = True + if not instruction['decision']: + instruction['decision'] = default_instruction['decision'] + elif instruction['decision'].lower() not in ['grant', 'deny', 'continue']: + raise exceptions.RuleContentError("Invalid Decision") + + if not decision_exist: + value['instructions'].append(default_instruction) + + self.__dependencies_validation(moon_user_id, policy_id, meta_rule_id) + + self.__check_existing_rule(policy_id=policy_id, meta_rule_id=meta_rule_id, + moon_user_id=moon_user_id, rule_value=value) + + return self.driver.add_rule(policy_id=policy_id, meta_rule_id=meta_rule_id, value=value) + + def __check_existing_rule(self, moon_user_id, policy_id, meta_rule_id, rule_value): + + if not meta_rule_id: + raise exceptions.MetaRuleUnknown + + meta_rule = self.ModelManager.get_meta_rules(moon_user_id=moon_user_id, + meta_rule_id=meta_rule_id) + if not meta_rule: + raise exceptions.MetaRuleUnknown + + if len(meta_rule[meta_rule_id]['subject_categories']) + len( + meta_rule[meta_rule_id]['object_categories']) \ + + len(meta_rule[meta_rule_id]['action_categories']) > len(rule_value['rule']): + raise exceptions.RuleContentError(message="Missing Data") + + if len(meta_rule[meta_rule_id]['subject_categories']) + len( + meta_rule[meta_rule_id]['object_categories']) \ + + len(meta_rule[meta_rule_id]['action_categories']) < len(rule_value['rule']): + raise exceptions.MetaRuleContentError(message="Missing Data") + + temp_rule_data = list( + rule_value['rule'][0:len(meta_rule[meta_rule_id]['subject_categories'])]) + found_data_counter = 0 + start_sub = len(meta_rule[meta_rule_id]['subject_categories']) + + for sub_cat_id in meta_rule[meta_rule_id]['subject_categories']: + subjects_data = self.get_subject_data(moon_user_id=moon_user_id, + category_id=sub_cat_id, policy_id=policy_id) + if subjects_data: + found_data_counter = self.__validate_data_id(sub_cat_id, subjects_data[0]['data'], + temp_rule_data, + "Missing Subject_category " + , found_data_counter) + + if found_data_counter != len(meta_rule[meta_rule_id]['subject_categories']): + raise exceptions.RuleContentError(message="Missing Data") + + _index = start_sub + len(meta_rule[meta_rule_id]['object_categories']) + temp_rule_data = list(rule_value['rule'][start_sub:_index]) + found_data_counter = 0 + start_sub = start_sub + len(meta_rule[meta_rule_id]['object_categories']) + + for ob_cat_id in meta_rule[meta_rule_id]['object_categories']: + object_data = self.get_object_data(moon_user_id=moon_user_id, + category_id=ob_cat_id, policy_id=policy_id) + if object_data: + found_data_counter = self.__validate_data_id(ob_cat_id, object_data[0]['data'], + temp_rule_data, + "Missing Object_category ", + found_data_counter) + + if found_data_counter != len(meta_rule[meta_rule_id]['object_categories']): + raise exceptions.RuleContentError(message="Missing Data") + + _index = start_sub + len(meta_rule[meta_rule_id]['action_categories']) + temp_rule_data = list(rule_value['rule'][start_sub:_index]) + found_data_counter = 0 + + for act_cat_id in meta_rule[meta_rule_id]['action_categories']: + action_data = self.get_action_data(moon_user_id=moon_user_id, category_id=act_cat_id, + policy_id=policy_id) + if action_data: + found_data_counter = self.__validate_data_id(act_cat_id, action_data[0]['data'], + temp_rule_data, + "Missing Action_category ", + found_data_counter) + + # Note: adding count of data linked to a global attribute + found_data_counter += len(list(filter(lambda x: "attributes:" in x, temp_rule_data))) + if found_data_counter != len(meta_rule[meta_rule_id]['action_categories']): + raise exceptions.RuleContentError(message="Missing Data") + + @staticmethod + def __validate_data_id(cat_id, data_ids, temp_rule_data, error_msg, found_data_counter): + for ID in data_ids: + if ID in temp_rule_data: + temp_rule_data.remove(ID) + found_data_counter += 1 + # if no data id found in the rule, so rule not valid + if found_data_counter < 1: + raise exceptions.RuleContentError(message=error_msg + cat_id) + return found_data_counter + + @enforce(("read", "write"), "rules") + def delete_rule(self, moon_user_id, policy_id, rule_id): + return self.driver.delete_rule(policy_id=policy_id, rule_id=rule_id) + + @enforce("read", "meta_data") + def get_available_metadata(self, moon_user_id, policy_id): + categories = { + "subject": [], + "object": [], + "action": [] + } + policy = self.driver.get_policies(policy_id=policy_id) + if not policy: + raise exceptions.PolicyUnknown + model_id = policy[policy_id]["model_id"] + model = Managers.ModelManager.get_models(moon_user_id=moon_user_id, model_id=model_id) + try: + meta_rule_list = model[model_id]["meta_rules"] + for meta_rule_id in meta_rule_list: + meta_rule = Managers.ModelManager.get_meta_rules(moon_user_id=moon_user_id, + meta_rule_id=meta_rule_id) + categories["subject"].extend(meta_rule[meta_rule_id]["subject_categories"]) + categories["object"].extend(meta_rule[meta_rule_id]["object_categories"]) + categories["action"].extend(meta_rule[meta_rule_id]["action_categories"]) + finally: + return categories + + def __dependencies_validation(self, moon_user_id, policy_id, meta_rule_id=None): + + policies = self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id) + if not policy_id or (not policies): + raise exceptions.PolicyUnknown + + policy_content = policies[next(iter(policies))] + model_id = policy_content['model_id'] + models = Managers.ModelManager.get_models(moon_user_id=moon_user_id, model_id=model_id) + if not model_id or not models: + raise exceptions.ModelUnknown + + model_content = models[next(iter(models))] + if meta_rule_id: + meta_rule_exists = False + + for model_meta_rule_id in model_content['meta_rules']: + if model_meta_rule_id == meta_rule_id: + meta_rule_exists = True + break + + if not meta_rule_exists: + raise exceptions.MetaRuleNotLinkedWithPolicyModel + + meta_rule = self.ModelManager.get_meta_rules(moon_user_id=moon_user_id, + meta_rule_id=meta_rule_id) + meta_rule_content = meta_rule[next(iter(meta_rule))] + if (not meta_rule_content['subject_categories']) or \ + (not meta_rule_content['object_categories']) or \ + (not meta_rule_content['action_categories']): + raise exceptions.MetaRuleContentError + return model_content + + def __category_dependency_validation(self, moon_user_id, policy_id, category_id, category_key): + model = self.__dependencies_validation(moon_user_id=moon_user_id, policy_id=policy_id) + category_found = False + for model_meta_rule_id in model['meta_rules']: + meta_rule = self.ModelManager.get_meta_rules(moon_user_id=moon_user_id, + meta_rule_id=model_meta_rule_id) + meta_rule_content = meta_rule[next(iter(meta_rule))] + if meta_rule_content[category_key] and category_id in meta_rule_content[category_key]: + category_found = True + break + + if not category_found: + raise exceptions.CategoryNotAssignedMetaRule + + def __check_blank_model(self, model): + if 'meta_rules' not in model or not model['meta_rules']: + raise exceptions.MetaRuleUnknown + for meta_rule_id in model['meta_rules']: + self.__check_blank_meta_rule(meta_rule_id) + + def __check_blank_meta_rule(self, meta_rule_id): + meta_rule = self.driver.get_meta_rules(meta_rule_id=meta_rule_id) + if not meta_rule: + return exceptions.MetaRuleUnknown + meta_rule_content = meta_rule[next(iter(meta_rule))] + if (not meta_rule_content['subject_categories']) or ( + not meta_rule_content['object_categories']) or ( + not meta_rule_content['action_categories']): + raise exceptions.MetaRuleContentError + diff --git a/moon_manager/moon_manager/api/db/slave.py b/moon_manager/moon_manager/api/db/slave.py new file mode 100644 index 00000000..f5ac9189 --- /dev/null +++ b/moon_manager/moon_manager/api/db/slave.py @@ -0,0 +1,55 @@ +# Software Name: MOON + +# Version: 5.4 + +# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors +# SPDX-License-Identifier: Apache-2.0 + +# This software is distributed under the 'Apache License 2.0', +# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt' +# or see the "LICENSE" file for more details. + + +from uuid import uuid4 +import logging +from moon_utilities.security_functions import enforce +from moon_manager.api.db.managers import Managers +from moon_utilities import exceptions + +logger = logging.getLogger("moon.db.api.slave") + + +class SlaveManager(Managers): + + def __init__(self, connector=None): + self.driver = connector.driver + Managers.SlaveManager = self + + @enforce(("read", "write"), "slave") + def update_slave(self, moon_user_id, slave_id, value): + if slave_id not in self.driver.get_slaves(slave_id=slave_id): + raise exceptions.SlaveNameUnknown + + return self.driver.update_slave(slave_id=slave_id, value=value) + + @enforce(("read", "write"), "slave") + def delete_slave(self, moon_user_id, slave_id): + if slave_id not in self.driver.get_slaves(slave_id=slave_id): + raise exceptions.SlaveNameUnknown + return self.driver.delete_slave(slave_id=slave_id) + + @enforce(("read", "write"), "slave") + def add_slave(self, moon_user_id, slave_id=None, value=None): + if not value or 'name' not in value or not value['name'].strip(): + raise exceptions.SlaveNameUnknown + + if slave_id in self.driver.get_slaves(slave_id=slave_id): + raise exceptions.SlaveExisting + if not slave_id: + slave_id = uuid4().hex + + return self.driver.add_slave(slave_id=slave_id, value=value) + + @enforce("read", "slave") + def get_slaves(self, moon_user_id, slave_id=None): + return self.driver.get_slaves(slave_id=slave_id) |