aboutsummaryrefslogtreecommitdiffstats
path: root/moon_manager/moon_manager/api/db
diff options
context:
space:
mode:
Diffstat (limited to 'moon_manager/moon_manager/api/db')
-rw-r--r--moon_manager/moon_manager/api/db/__init__.py12
-rw-r--r--moon_manager/moon_manager/api/db/managers.py24
-rw-r--r--moon_manager/moon_manager/api/db/migrations/__init__.py12
-rw-r--r--moon_manager/moon_manager/api/db/migrations/moon_001.py336
-rw-r--r--moon_manager/moon_manager/api/db/model.py429
-rw-r--r--moon_manager/moon_manager/api/db/pdp.py115
-rw-r--r--moon_manager/moon_manager/api/db/policy.py971
-rw-r--r--moon_manager/moon_manager/api/db/slave.py55
8 files changed, 1954 insertions, 0 deletions
diff --git a/moon_manager/moon_manager/api/db/__init__.py b/moon_manager/moon_manager/api/db/__init__.py
new file mode 100644
index 00000000..1856aa2c
--- /dev/null
+++ b/moon_manager/moon_manager/api/db/__init__.py
@@ -0,0 +1,12 @@
+# Software Name: MOON
+
+# Version: 5.4
+
+# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This software is distributed under the 'Apache License 2.0',
+# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+# or see the "LICENSE" file for more details.
+
+
diff --git a/moon_manager/moon_manager/api/db/managers.py b/moon_manager/moon_manager/api/db/managers.py
new file mode 100644
index 00000000..23be03fc
--- /dev/null
+++ b/moon_manager/moon_manager/api/db/managers.py
@@ -0,0 +1,24 @@
+# Software Name: MOON
+
+# Version: 5.4
+
+# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This software is distributed under the 'Apache License 2.0',
+# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+# or see the "LICENSE" file for more details.
+
+
+import logging
+
+logger = logging.getLogger("moon.db.api.managers")
+
+
+class Managers(object):
+ """Object that links managers together"""
+ ModelManager = None
+ KeystoneManager = None
+ PDPManager = None
+ PolicyManager = None
+ SlaveManager = None
diff --git a/moon_manager/moon_manager/api/db/migrations/__init__.py b/moon_manager/moon_manager/api/db/migrations/__init__.py
new file mode 100644
index 00000000..1856aa2c
--- /dev/null
+++ b/moon_manager/moon_manager/api/db/migrations/__init__.py
@@ -0,0 +1,12 @@
+# Software Name: MOON
+
+# Version: 5.4
+
+# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This software is distributed under the 'Apache License 2.0',
+# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+# or see the "LICENSE" file for more details.
+
+
diff --git a/moon_manager/moon_manager/api/db/migrations/moon_001.py b/moon_manager/moon_manager/api/db/migrations/moon_001.py
new file mode 100644
index 00000000..8e604d2b
--- /dev/null
+++ b/moon_manager/moon_manager/api/db/migrations/moon_001.py
@@ -0,0 +1,336 @@
+# Software Name: MOON
+
+# Version: 5.4
+
+# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This software is distributed under the 'Apache License 2.0',
+# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+# or see the "LICENSE" file for more details.
+
+
+import json
+import sqlalchemy as sql
+from sqlalchemy import types as sql_types
+from sqlalchemy import create_engine
+import sys
+
+
+class JsonBlob(sql_types.TypeDecorator):
+ impl = sql.Text
+
+ def process_bind_param(self, value, dialect):
+ return json.dumps(value)
+
+ def process_result_value(self, value, dialect):
+ return json.loads(value)
+
+
+def upgrade(migrate_engine):
+ if isinstance(migrate_engine, str):
+ migrate_engine = create_engine(migrate_engine)
+ meta = sql.MetaData()
+ meta.bind = migrate_engine
+ sys.stdout.write("Creating ")
+ sys.stdout.flush()
+
+ table = sql.Table(
+ 'pdp',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('vim_project_id', sql.String(64), nullable=True, default=""),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.UniqueConstraint('name', name='unique_constraint_models'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(table) + " ")
+ sys.stdout.flush()
+
+ table = sql.Table(
+ 'slaves',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('address', sql.String(256), nullable=True, default=""),
+ sql.Column('grant_if_unknown_project', sql.Boolean, nullable=True, default=""),
+ sql.Column('process', sql.String(256), nullable=False, default=""),
+ sql.Column('log', sql.String(256), nullable=False, default=""),
+ sql.Column('api_key', sql.String(256), nullable=False, default=""),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.UniqueConstraint('name', name='unique_constraint_models'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(table) + " ")
+ sys.stdout.flush()
+
+ table = sql.Table(
+ 'policies',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('model_id', sql.String(64), nullable=True, default=""),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.UniqueConstraint('name', 'model_id', name='unique_constraint_models'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(table) + " ")
+ sys.stdout.flush()
+
+ table = sql.Table(
+ 'models',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.UniqueConstraint('name', name='unique_constraint_models'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(table) + " ")
+ sys.stdout.flush()
+
+ subject_categories_table = sql.Table(
+ 'subject_categories',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('description', sql.String(256), nullable=True),
+
+ sql.UniqueConstraint('name', name='unique_constraint_subject_categories'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ subject_categories_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(subject_categories_table) + " ")
+ sys.stdout.flush()
+
+ object_categories_table = sql.Table(
+ 'object_categories',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('description', sql.String(256), nullable=True),
+
+ sql.UniqueConstraint('name', name='unique_constraint_object_categories'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ object_categories_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(object_categories_table) + " ")
+ sys.stdout.flush()
+
+ action_categories_table = sql.Table(
+ 'action_categories',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('description', sql.String(256), nullable=True),
+
+ sql.UniqueConstraint('name', name='unique_constraint_action_categories'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ action_categories_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(action_categories_table) + " ")
+ sys.stdout.flush()
+
+ subjects_table = sql.Table(
+ 'subjects',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.UniqueConstraint('name', name='unique_constraint_subjects'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ subjects_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(subjects_table) + " ")
+ sys.stdout.flush()
+
+ objects_table = sql.Table(
+ 'objects',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.UniqueConstraint('name', name='unique_constraint_objects'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ objects_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(objects_table) + " ")
+ sys.stdout.flush()
+
+ actions_table = sql.Table(
+ 'actions',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.UniqueConstraint('name', name='unique_constraint_actions'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ actions_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(actions_table) + " ")
+ sys.stdout.flush()
+
+ subject_data_table = sql.Table(
+ 'subject_data',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.Column('category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
+ sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False),
+ sql.UniqueConstraint('name', 'category_id', 'policy_id',
+ name='unique_constraint_subject_data'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ subject_data_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(subject_data_table) + " ")
+ sys.stdout.flush()
+
+ object_data_table = sql.Table(
+ 'object_data',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.Column('category_id', sql.ForeignKey("object_categories.id"), nullable=False),
+ sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False),
+ sql.UniqueConstraint('name', 'category_id', 'policy_id',
+ name='unique_constraint_object_data'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ object_data_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(object_data_table) + " ")
+ sys.stdout.flush()
+
+ action_data_table = sql.Table(
+ 'action_data',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.Column('category_id', sql.ForeignKey("action_categories.id"), nullable=False),
+ sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False),
+ sql.UniqueConstraint('name', 'category_id', 'policy_id',
+ name='unique_constraint_action_data'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ action_data_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(action_data_table) + " ")
+ sys.stdout.flush()
+
+ subject_assignments_table = sql.Table(
+ 'subject_assignments',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('assignments', sql.String(256), nullable=True),
+ sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False),
+ sql.Column('subject_id', sql.ForeignKey("subjects.id"), nullable=False),
+ sql.Column('category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
+ sql.UniqueConstraint('policy_id', 'subject_id', 'category_id',
+ name='unique_constraint_subject_assignment'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ subject_assignments_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(subject_assignments_table) + " ")
+ sys.stdout.flush()
+
+ object_assignments_table = sql.Table(
+ 'object_assignments',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('assignments', sql.String(256), nullable=True),
+ sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False),
+ sql.Column('object_id', sql.ForeignKey("objects.id"), nullable=False),
+ sql.Column('category_id', sql.ForeignKey("object_categories.id"), nullable=False),
+ sql.UniqueConstraint('policy_id', 'object_id', 'category_id',
+ name='unique_constraint_object_assignment'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ object_assignments_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(object_assignments_table) + " ")
+ sys.stdout.flush()
+
+ action_assignments_table = sql.Table(
+ 'action_assignments',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('assignments', sql.String(256), nullable=True),
+ sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False),
+ sql.Column('action_id', sql.ForeignKey("actions.id"), nullable=False),
+ sql.Column('category_id', sql.ForeignKey("action_categories.id"), nullable=False),
+ sql.UniqueConstraint('policy_id', 'action_id', 'category_id',
+ name='unique_constraint_action_assignment'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ action_assignments_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(action_assignments_table) + " ")
+ sys.stdout.flush()
+
+ meta_rules_table = sql.Table(
+ 'meta_rules',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('name', sql.String(256), nullable=False),
+ sql.Column('subject_categories', JsonBlob(), nullable=False),
+ sql.Column('object_categories', JsonBlob(), nullable=False),
+ sql.Column('action_categories', JsonBlob(), nullable=False),
+ sql.Column('value', JsonBlob(), nullable=True),
+ sql.UniqueConstraint('name', name='unique_constraint_meta_rule_name'),
+ # sql.UniqueConstraint('subject_categories', 'object_categories', 'action_categories', name='unique_constraint_meta_rule_def'),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ meta_rules_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(meta_rules_table) + " ")
+ sys.stdout.flush()
+
+ rules_table = sql.Table(
+ 'rules',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('rule', JsonBlob(), nullable=True),
+ sql.Column('policy_id', sql.ForeignKey("policies.id"), nullable=False),
+ sql.Column('meta_rule_id', sql.ForeignKey("meta_rules.id"), nullable=False),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ rules_table.create(migrate_engine, checkfirst=True)
+ sys.stdout.write(str(rules_table) + " ")
+ sys.stdout.flush()
+ print("")
+
+
+def downgrade(migrate_engine):
+ if isinstance(migrate_engine, str):
+ migrate_engine = create_engine(migrate_engine)
+ meta = sql.MetaData()
+ meta.bind = migrate_engine
+
+ for _table in (
+ 'rules',
+ 'meta_rules',
+ 'action_assignments',
+ 'object_assignments',
+ 'subject_assignments',
+ 'action_data',
+ 'object_data',
+ 'subject_data',
+ 'actions',
+ 'objects',
+ 'subjects',
+ 'action_categories',
+ 'object_categories',
+ 'subject_categories',
+ 'models',
+ 'policies',
+ 'pdp',
+ 'slaves'
+ ):
+ try:
+ table = sql.Table(_table, meta, autoload=True)
+ table.drop(migrate_engine, checkfirst=True)
+ except Exception as e:
+ print(e)
diff --git a/moon_manager/moon_manager/api/db/model.py b/moon_manager/moon_manager/api/db/model.py
new file mode 100644
index 00000000..9dc6273a
--- /dev/null
+++ b/moon_manager/moon_manager/api/db/model.py
@@ -0,0 +1,429 @@
+# Software Name: MOON
+
+# Version: 5.4
+
+# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This software is distributed under the 'Apache License 2.0',
+# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+# or see the "LICENSE" file for more details.
+
+
+from uuid import uuid4
+import logging
+from moon_utilities import exceptions
+from moon_utilities.security_functions import enforce
+from moon_manager.api.db.managers import Managers
+import copy
+from moon_manager import pip_driver
+
+logger = logging.getLogger("moon.db.api.model")
+
+
+class ModelManager(Managers):
+
+ def __init__(self, connector=None):
+ self.driver = connector.driver
+ Managers.ModelManager = self
+
+ @enforce(("read", "write"), "models")
+ def update_model(self, moon_user_id, model_id, value):
+ if model_id not in self.driver.get_models(model_id=model_id):
+ raise exceptions.ModelUnknown
+
+ if not value['name'].strip():
+ raise exceptions.ModelContentError('Model name invalid')
+
+ if 'meta_rules' not in value:
+ raise exceptions.MetaRuleUnknown
+
+ model = self.get_models(moon_user_id=moon_user_id, model_id=model_id)
+ model = model[next(iter(model))]
+ if ((model['meta_rules'] and value['meta_rules'] and model['meta_rules'] != value[
+ 'meta_rules']) \
+ or (model['meta_rules'] and not value['meta_rules'])):
+ policies = Managers.PolicyManager.get_policies(moon_user_id=moon_user_id)
+ for policy_id in policies:
+ if policies[policy_id]["model_id"] == model_id:
+ raise exceptions.DeleteModelWithPolicy
+
+ if value and 'meta_rules' in value:
+ for meta_rule_id in value['meta_rules']:
+ if meta_rule_id:
+ meta_rule_tmp = self.driver.get_meta_rules(meta_rule_id=meta_rule_id)
+ if (not meta_rule_id) or (not meta_rule_tmp) :
+ raise exceptions.MetaRuleUnknown
+
+ return self.driver.update_model(model_id=model_id, value=value)
+
+ @enforce(("read", "write"), "models")
+ def delete_model(self, moon_user_id, model_id):
+ if model_id not in self.driver.get_models(model_id=model_id):
+ raise exceptions.ModelUnknown
+ # TODO (asteroide): check that no policy is connected to this model
+ policies = Managers.PolicyManager.get_policies(moon_user_id=moon_user_id)
+ for policy in policies:
+ if policies[policy]['model_id'] == model_id:
+ raise exceptions.DeleteModelWithPolicy
+ return self.driver.delete_model(model_id=model_id)
+
+ @enforce(("read", "write"), "models")
+ def add_model(self, moon_user_id, model_id=None, value=None):
+
+ if not value['name'].strip():
+ raise exceptions.ModelContentError('Model name invalid')
+
+ models = self.driver.get_models()
+ if model_id in models:
+ raise exceptions.ModelExisting
+
+ if value.get('meta_rules', []):
+ for model in models:
+ if models[model]['name'] == value['name']:
+ raise exceptions.ModelExisting("Model Name Existed")
+ if sorted(models[model].get('meta_rules', [])) == sorted(value.get('meta_rules', [])):
+ raise exceptions.ModelExisting("Meta Rules List Existed in another Model")
+
+ if not model_id:
+ model_id = uuid4().hex
+ if value and 'meta_rules' in value:
+ for meta_rule_id in value['meta_rules']:
+ if not meta_rule_id:
+ raise exceptions.MetaRuleUnknown
+ meta_rule = self.driver.get_meta_rules(meta_rule_id=meta_rule_id)
+ if not meta_rule:
+ raise exceptions.MetaRuleUnknown
+
+ return self.driver.add_model(model_id=model_id, value=value)
+
+ @enforce("read", "models")
+ def get_models(self, moon_user_id, model_id=None):
+ return self.driver.get_models(model_id=model_id)
+
+ @enforce("read", "policies")
+ def get_policies(self, moon_user_id, policy_id=None):
+ return self.driver.get_policies(policy_id=policy_id)
+
+ @enforce(("read", "write"), "meta_rules")
+ def update_meta_rule(self, moon_user_id, meta_rule_id, value):
+ meta_rules = self.driver.get_meta_rules()
+ if not meta_rule_id or meta_rule_id not in meta_rules:
+ raise exceptions.MetaRuleUnknown
+ self.__check_meta_rule_dependencies(moon_user_id=moon_user_id, meta_rule_id=meta_rule_id)
+ if value:
+ if not value['name'].strip():
+ raise exceptions.MetaRuleContentError('Meta_rule name invalid')
+
+ if 'subject_categories' in value:
+ if (len(value['subject_categories']) == 1 and (value['subject_categories'][0] is None or value[
+ 'subject_categories'][0].strip() == "")):
+ value['subject_categories'] = [];
+ else:
+ for subject_category_id in value['subject_categories']:
+ if (not subject_category_id) or (not self.driver.get_subject_categories(
+ category_id=subject_category_id)):
+ raise exceptions.SubjectCategoryUnknown
+ if 'object_categories' in value:
+ if (len(value['object_categories']) == 1 and (value['object_categories'][0] is None or value[
+ 'object_categories'][0].strip() == "")):
+ value['object_categories'] = [];
+ else:
+ for object_category_id in value['object_categories']:
+ if (not object_category_id) or (not self.driver.get_object_categories(
+ category_id=object_category_id)):
+ raise exceptions.ObjectCategoryUnknown
+ if 'action_categories' in value:
+ if (len(value['action_categories']) == 1 and (value['action_categories'][0] is None or value[
+ 'action_categories'][0].strip() == "")):
+ value['action_categories'] = [];
+ else:
+ for action_category_id in value['action_categories']:
+ if (not action_category_id) or (not self.driver.get_action_categories(
+ category_id=action_category_id)):
+ raise exceptions.ActionCategoryUnknown
+
+ for meta_rule_obj_id in meta_rules:
+ counter_matched_list = 0
+ counter_matched_list += self.check_combination(
+ meta_rules[meta_rule_obj_id]['subject_categories'],
+ value['subject_categories'])
+ counter_matched_list += self.check_combination(
+ meta_rules[meta_rule_obj_id]['object_categories'],
+ value['object_categories'])
+ counter_matched_list += self.check_combination(
+ meta_rules[meta_rule_obj_id]['action_categories'],
+ value['action_categories'])
+ if counter_matched_list == 3 and meta_rule_obj_id != meta_rule_id:
+ raise exceptions.MetaRuleExisting("Same categories combination existed")
+
+ return self.driver.set_meta_rule(meta_rule_id=meta_rule_id, value=value)
+
+ def __check_meta_rule_dependencies(self, moon_user_id, meta_rule_id):
+ policies = self.get_policies(moon_user_id=moon_user_id)
+ for policy in policies:
+ model_id = policies[policy]["model_id"]
+ model = self.get_models(moon_user_id=moon_user_id, model_id=model_id)[model_id]
+ if meta_rule_id in model["meta_rules"]:
+ raise exceptions.MetaRuleUpdateError("This meta_rule is already in use in a policy")
+
+ policies = Managers.PolicyManager.get_policies(moon_user_id=moon_user_id)
+ for policy_id in policies:
+ rules = Managers.PolicyManager.get_rules(moon_user_id=moon_user_id, policy_id=policy_id,
+ meta_rule_id=meta_rule_id)
+ if rules['rules']:
+ raise exceptions.MetaRuleUpdateError
+
+ @enforce("read", "meta_rules")
+ def get_meta_rules(self, moon_user_id, meta_rule_id=None):
+ return self.driver.get_meta_rules(meta_rule_id=meta_rule_id)
+
+ @enforce(("read", "write"), "meta_rules")
+ def add_meta_rule(self, moon_user_id, meta_rule_id=None, value=None):
+
+ if not value['name'].strip():
+ raise exceptions.MetaRuleContentError('Meta_rule name invalid')
+
+ meta_rules = self.driver.get_meta_rules()
+
+ if meta_rule_id in meta_rules:
+ raise exceptions.MetaRuleExisting
+
+ if value:
+ if 'subject_categories' in value:
+ if (len(value['subject_categories']) == 1 and (value['subject_categories'][0] is None or value[
+ 'subject_categories'][0].strip() == "")):
+ value['subject_categories'] = [];
+ else:
+ for subject_category_id in value['subject_categories']:
+ if ((not subject_category_id) or (not self.driver.get_subject_categories(
+ category_id=subject_category_id))):
+ if subject_category_id.startswith("attributes:"):
+ _attributes = pip_driver.AttrsManager.get_objects(
+ moon_user_id="admin",
+ object_type=subject_category_id.replace("attributes:", "")
+ )
+ action_category_id = subject_category_id.replace("attributes:", "")
+ if action_category_id != _attributes['id']:
+ raise exceptions.SubjectCategoryUnknown
+ else:
+ raise exceptions.SubjectCategoryUnknown
+ if 'object_categories' in value:
+ if(len(value['object_categories']) == 1 and (value['object_categories'][0] is None or value[
+ 'object_categories'][0].strip() == "")):
+ value['object_categories'] = [];
+ else:
+ for object_category_id in value['object_categories']:
+ if ((not object_category_id) or (not self.driver.get_object_categories(
+ category_id=object_category_id))):
+ if object_category_id.startswith("attributes:"):
+ _attributes = pip_driver.AttrsManager.get_objects(
+ moon_user_id="admin",
+ object_type=object_category_id.replace("attributes:", "")
+ )
+ action_category_id = object_category_id.replace("attributes:", "")
+ if action_category_id != _attributes['id']:
+ raise exceptions.ObjectCategoryUnknown
+ else:
+ raise exceptions.ObjectCategoryUnknown
+ if 'action_categories' in value:
+ if (len(value['action_categories']) == 1 and (value['action_categories'][0] is None or value[
+ 'action_categories'][0].strip() == "")):
+ value['action_categories'] = [];
+ else:
+ for action_category_id in value['action_categories']:
+ if ((not action_category_id) or (not self.driver.get_action_categories(
+ category_id=action_category_id))):
+ if action_category_id.startswith("attributes:"):
+ _attributes = pip_driver.AttrsManager.get_objects(
+ moon_user_id="admin",
+ object_type=action_category_id.replace("attributes:", "")
+ )
+ action_category_id = action_category_id.replace("attributes:", "")
+ if action_category_id not in _attributes.keys():
+ raise exceptions.ActionCategoryUnknown
+ else:
+ raise exceptions.ActionCategoryUnknown
+
+ for meta_rule_obj_id in meta_rules:
+ counter_matched_list = 0
+
+ counter_matched_list += self.check_combination(
+ meta_rules[meta_rule_obj_id]['subject_categories'], value['subject_categories'])
+
+ counter_matched_list += self.check_combination(
+ meta_rules[meta_rule_obj_id]['object_categories'], value['object_categories'])
+
+ counter_matched_list += self.check_combination(
+ meta_rules[meta_rule_obj_id]['action_categories'], value['action_categories'])
+
+ if counter_matched_list == 3:
+ raise exceptions.MetaRuleExisting("Same categories combination existed")
+
+ return self.driver.set_meta_rule(meta_rule_id=meta_rule_id, value=value)
+
+ # @enforce(("read", "write"), "meta_rules")
+ def check_combination(self, list_one, list_two):
+ counter_removed_items = 0
+ temp_list_two = copy.deepcopy(list_two)
+ for item in list_one:
+ if item in temp_list_two:
+ temp_list_two.remove(item)
+ counter_removed_items += 1
+
+ if list_two and counter_removed_items == len(list_two) and len(list_two) == len(list_one):
+ return 1
+ return 0
+
+ @enforce(("read", "write"), "meta_rules")
+ def delete_meta_rule(self, moon_user_id, meta_rule_id=None):
+ if meta_rule_id not in self.driver.get_meta_rules(meta_rule_id=meta_rule_id):
+ raise exceptions.MetaRuleUnknown
+ # TODO (asteroide): check and/or delete data and assignments and rules linked to that meta_rule
+ models = self.get_models(moon_user_id=moon_user_id)
+ for model_id in models:
+ for id in models[model_id]['meta_rules']:
+ if id == meta_rule_id:
+ raise exceptions.DeleteMetaRuleWithModel
+ return self.driver.delete_meta_rule(meta_rule_id=meta_rule_id)
+
+ @enforce("read", "meta_data")
+ def get_subject_categories(self, moon_user_id, category_id=None):
+ return self.driver.get_subject_categories(category_id=category_id)
+
+ @enforce(("read", "write"), "meta_data")
+ def add_subject_category(self, moon_user_id, category_id=None, value=None):
+
+ if not value['name'].strip():
+ raise exceptions.CategoryNameInvalid
+
+ subject_categories = []
+ if category_id is not None:
+ subject_categories = self.driver.get_subject_categories(category_id=category_id)
+
+ subject_categories_names = self.driver.get_subject_categories(category_name=value['name'].strip())
+
+ if subject_categories_names or subject_categories:
+ raise exceptions.SubjectCategoryExisting
+
+
+ if not ('description' in value):
+ value['description'] = ""
+ return self.driver.add_subject_category(name=value["name"],
+ description=value["description"], uuid=category_id)
+
+ @enforce(("read", "write"), "meta_data")
+ def delete_subject_category(self, moon_user_id, category_id):
+ # TODO (asteroide): delete all data linked to that category
+ # TODO (asteroide): delete all meta_rules linked to that category
+ if category_id not in self.driver.get_subject_categories(category_id=category_id):
+ raise exceptions.SubjectCategoryUnknown
+ meta_rules = self.get_meta_rules(moon_user_id=moon_user_id)
+ for meta_rule_id in meta_rules:
+ for subject_category_id in meta_rules[meta_rule_id]['subject_categories']:
+ logger.info(
+ "delete_subject_category {} {}".format(subject_category_id, meta_rule_id))
+ logger.info("delete_subject_category {}".format(meta_rules[meta_rule_id]))
+ if subject_category_id == category_id:
+ # has_rules = self.driver.is_meta_rule_has_rules(meta_rule_id)
+ # if has_rules:
+ raise exceptions.DeleteSubjectCategoryWithMetaRule
+
+ if self.driver.is_subject_category_has_assignment(category_id):
+ raise exceptions.DeleteCategoryWithAssignment
+
+ if self.driver.is_subject_data_exist(category_id=category_id):
+ raise exceptions.DeleteCategoryWithData
+
+ return self.driver.delete_subject_category(category_id=category_id)
+
+ @enforce("read", "meta_data")
+ def get_object_categories(self, moon_user_id, category_id=None):
+ return self.driver.get_object_categories(category_id)
+
+ @enforce(("read", "write"), "meta_data")
+ def add_object_category(self, moon_user_id, category_id=None, value=None):
+ if not value['name'].strip():
+ raise exceptions.CategoryNameInvalid
+
+ object_categories = []
+ if category_id is not None:
+ object_categories = self.driver.get_object_categories(category_id=category_id)
+
+ object_categories_names = self.driver.get_object_categories(category_name=value['name'].strip())
+ if object_categories_names or object_categories:
+ raise exceptions.ObjectCategoryExisting
+
+ if not ('description' in value):
+ value['description'] = ""
+
+ return self.driver.add_object_category(name=value["name"], description=value["description"],
+ uuid=category_id)
+
+ @enforce(("read", "write"), "meta_data")
+ def delete_object_category(self, moon_user_id, category_id):
+ # TODO (asteroide): delete all data linked to that category
+ # TODO (asteroide): delete all meta_rules linked to that category
+ if category_id not in self.driver.get_object_categories(category_id=category_id):
+ raise exceptions.ObjectCategoryUnknown
+ meta_rules = self.get_meta_rules(moon_user_id=moon_user_id)
+ for meta_rule_id in meta_rules:
+ for object_category_id in meta_rules[meta_rule_id]['object_categories']:
+ if object_category_id == category_id:
+ # has_rules = self.driver.is_meta_rule_has_rules(meta_rule_id)
+ # if has_rules:
+ raise exceptions.DeleteObjectCategoryWithMetaRule
+
+ if self.driver.is_object_category_has_assignment(category_id):
+ raise exceptions.DeleteCategoryWithAssignment
+
+ if self.driver.is_object_data_exist(category_id=category_id):
+ raise exceptions.DeleteCategoryWithData
+
+ return self.driver.delete_object_category(category_id=category_id)
+
+ @enforce("read", "meta_data")
+ def get_action_categories(self, moon_user_id, category_id=None):
+ return self.driver.get_action_categories(category_id=category_id)
+
+ @enforce(("read", "write"), "meta_data")
+ def add_action_category(self, moon_user_id, category_id=None, value=None):
+
+ if not value['name'].strip():
+ raise exceptions.CategoryNameInvalid
+
+ action_categories = []
+ if category_id is not None:
+ action_categories = self.driver.get_action_categories(category_id=category_id)
+
+ action_categories_names = self.driver.get_action_categories(category_name=value['name'].strip())
+ if action_categories_names or action_categories:
+ raise exceptions.ActionCategoryExisting
+
+ if not ('description' in value):
+ value['description'] = ""
+
+ return self.driver.add_action_category(name=value["name"], description=value["description"],
+ uuid=category_id)
+
+ @enforce(("read", "write"), "meta_data")
+ def delete_action_category(self, moon_user_id, category_id):
+ # TODO (asteroide): delete all data linked to that category
+ # TODO (asteroide): delete all meta_rules linked to that category
+ if category_id not in self.driver.get_action_categories(category_id=category_id):
+ raise exceptions.ActionCategoryUnknown
+ meta_rules = self.get_meta_rules(moon_user_id=moon_user_id)
+ for meta_rule_id in meta_rules:
+ for action_category_id in meta_rules[meta_rule_id]['action_categories']:
+ if action_category_id == category_id:
+ # has_rules = self.driver.is_meta_rule_has_rules(meta_rule_id)
+ # if has_rules:
+ raise exceptions.DeleteActionCategoryWithMetaRule
+
+ if self.driver.is_action_category_has_assignment(category_id):
+ raise exceptions.DeleteCategoryWithAssignment
+
+ if self.driver.is_action_data_exist(category_id=category_id):
+ raise exceptions.DeleteCategoryWithData
+
+ return self.driver.delete_action_category(category_id=category_id)
diff --git a/moon_manager/moon_manager/api/db/pdp.py b/moon_manager/moon_manager/api/db/pdp.py
new file mode 100644
index 00000000..a4ca08f6
--- /dev/null
+++ b/moon_manager/moon_manager/api/db/pdp.py
@@ -0,0 +1,115 @@
+# Software Name: MOON
+
+# Version: 5.4
+
+# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This software is distributed under the 'Apache License 2.0',
+# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+# or see the "LICENSE" file for more details.
+
+
+from uuid import uuid4
+import logging
+from moon_utilities.security_functions import enforce
+from moon_manager.api.db.managers import Managers
+from moon_utilities import exceptions
+
+logger = logging.getLogger("moon.db.api.pdp")
+
+
+class PDPManager(Managers):
+
+ def __init__(self, connector=None):
+ self.driver = connector.driver
+ Managers.PDPManager = self
+
+ @enforce(("read", "write"), "pdp")
+ def update_pdp(self, moon_user_id, pdp_id, value):
+ if not value or 'name' not in value or not value['name'].strip():
+ raise exceptions.PdpContentError
+
+ exists_security_pipeline = value and 'security_pipeline' in value and \
+ len(value['security_pipeline']) > 0
+ exists_vim_project_id = value and 'vim_project_id' in value and \
+ value['vim_project_id'] != None and \
+ value['vim_project_id'].strip()
+ if not exists_security_pipeline and exists_vim_project_id:
+ raise exceptions.PdpContentError
+ if exists_security_pipeline and not exists_vim_project_id:
+ raise exceptions.PdpContentError
+
+ self.__pdp_validated_pipeline_name_id(pdp_id, value, "update")
+
+ if value and 'security_pipeline' in value:
+ for policy_id in value['security_pipeline']:
+ if not policy_id or not policy_id.strip() or not \
+ Managers.PolicyManager.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+
+ return self.driver.update_pdp(pdp_id=pdp_id, value=value)
+
+ @enforce(("read", "write"), "pdp")
+ def delete_pdp(self, moon_user_id, pdp_id):
+ if pdp_id not in self.driver.get_pdp(pdp_id=pdp_id):
+ raise exceptions.PdpUnknown
+ return self.driver.delete_pdp(pdp_id=pdp_id)
+
+ @enforce(("read", "write"), "pdp")
+ def add_pdp(self, moon_user_id, pdp_id=None, value=None):
+ if not value or 'name' not in value or not value['name'].strip():
+ raise exceptions.PdpContentError
+
+ exists_security_pipeline = value and 'security_pipeline' in value and \
+ len(value['security_pipeline']) > 0
+ exists_vim_project_id = value and 'vim_project_id' in value and \
+ value['vim_project_id'] is not None and \
+ value['vim_project_id'].strip()
+ if not exists_security_pipeline and exists_vim_project_id:
+ raise exceptions.PdpContentError
+ if exists_security_pipeline and not exists_vim_project_id:
+ raise exceptions.PdpContentError
+
+ self.__pdp_validated_pipeline_name_id(pdp_id, value, "add")
+
+ if value and 'security_pipeline' in value:
+ for policy_id in value['security_pipeline']:
+ if not policy_id or not policy_id.strip() or not \
+ Managers.PolicyManager.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+
+ return self.driver.add_pdp(pdp_id=pdp_id, value=value)
+
+ @enforce("read", "pdp")
+ def get_pdp(self, moon_user_id, pdp_id=None):
+ return self.driver.get_pdp(pdp_id=pdp_id)
+
+ @enforce("read", "pdp")
+ def delete_policy_from_pdp(self, moon_user_id, pdp_id, policy_id):
+
+ if pdp_id not in self.driver.get_pdp(pdp_id=pdp_id):
+ raise exceptions.PdpUnknown
+ if policy_id not in self.driver.get_policies(policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+ x = self.driver.delete_policy_from_pdp(pdp_id=pdp_id, policy_id=policy_id)
+ return x
+
+ def __pdp_validated_pipeline_name_id(self, pdp_id, value, method_type=None):
+ all_pdps = self.driver.get_pdp()
+ if method_type == 'update':
+ if pdp_id not in all_pdps:
+ raise exceptions.PdpUnknown
+ else:
+ if pdp_id in all_pdps:
+ raise exceptions.PdpExisting
+ if not pdp_id:
+ pdp_id = uuid4().hex
+
+ for key in all_pdps:
+ if pdp_id != key:
+ if all_pdps[key]['name'] == value['name']:
+ raise exceptions.PdpExisting
+ for policy_id in value['security_pipeline']:
+ if policy_id in all_pdps[key]['security_pipeline']:
+ raise exceptions.PdpInUse
diff --git a/moon_manager/moon_manager/api/db/policy.py b/moon_manager/moon_manager/api/db/policy.py
new file mode 100644
index 00000000..e736aca7
--- /dev/null
+++ b/moon_manager/moon_manager/api/db/policy.py
@@ -0,0 +1,971 @@
+# Software Name: MOON
+
+# Version: 5.4
+
+# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This software is distributed under the 'Apache License 2.0',
+# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+# or see the "LICENSE" file for more details.
+
+
+import logging
+from uuid import uuid4
+from moon_manager.api.db.managers import Managers
+from moon_manager.pip_driver import InformationManager
+from moon_utilities.security_functions import enforce
+from moon_utilities import exceptions
+from moon_manager import pip_driver
+
+
+logger = logging.getLogger("moon.db.api.policy")
+
+
+class PolicyManager(Managers):
+
+ def __init__(self, connector=None):
+ self.driver = connector.driver
+ Managers.PolicyManager = self
+
+ def get_policy_from_meta_rules(self, moon_user_id, meta_rule_id):
+ policies = self.PolicyManager.get_policies("admin")
+ models = self.ModelManager.get_models("admin")
+ for pdp_key, pdp_value in self.PDPManager.get_pdp(moon_user_id=moon_user_id).items():
+ if 'security_pipeline' not in pdp_value:
+ raise exceptions.PdpContentError
+ for policy_id in pdp_value["security_pipeline"]:
+ if not policies or policy_id not in policies:
+ raise exceptions.PolicyUnknown
+ model_id = policies[policy_id]["model_id"]
+ if not models:
+ raise exceptions.ModelUnknown
+ if model_id not in models:
+ raise exceptions.ModelUnknown
+ if meta_rule_id in models[model_id]["meta_rules"]:
+ return policy_id
+
+ @enforce(("read", "write"), "policies")
+ def update_policy(self, moon_user_id, policy_id, value):
+
+ if not value or not value['name'].strip():
+ raise exceptions.PolicyContentError
+
+ policy_list = self.driver.get_policies(policy_id=policy_id)
+ if not policy_id or policy_id not in policy_list:
+ raise exceptions.PolicyUnknown
+
+ policies = self.driver.get_policies(policy_name=value['name'])
+ if policies and not (policy_id in policies):
+ raise exceptions.PolicyExisting("Policy name Existed")
+
+ if 'model_id' in value and value['model_id']:
+ if not value['model_id'].strip() or not Managers.ModelManager.get_models(
+ moon_user_id=moon_user_id, model_id=value['model_id']):
+ raise exceptions.ModelUnknown
+
+ policy_obj = policy_list[policy_id]
+ if policy_obj["model_id"] and policy_obj["model_id"] != value['model_id']:
+ raise exceptions.PolicyUpdateError("Model is not empty")
+
+ return self.driver.update_policy(policy_id=policy_id, value=value)
+
+ @enforce(("read", "write"), "policies")
+ def delete_policy(self, moon_user_id, policy_id):
+ # TODO (asteroide): unmap PDP linked to that policy
+ if policy_id not in self.driver.get_policies(policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+ pdps = self.PDPManager.get_pdp(moon_user_id=moon_user_id)
+ for pdp in pdps:
+ if policy_id in pdps[pdp]['security_pipeline']:
+ self.PDPManager.delete_policy_from_pdp(moon_user_id=moon_user_id,
+ pdp_id=pdp,
+ policy_id=policy_id)
+
+ subject_data = self.get_subject_data(moon_user_id=moon_user_id, policy_id=policy_id)
+ if subject_data:
+ for subject_data_obj in subject_data:
+ if subject_data_obj and subject_data_obj["data"]:
+ for subject_data_id in subject_data_obj['data']:
+ self.delete_subject_data(moon_user_id=moon_user_id, policy_id=policy_id,
+ data_id=subject_data_id)
+
+ object_data = self.get_object_data(moon_user_id=moon_user_id, policy_id=policy_id)
+ if object_data:
+ for object_data_obj in object_data:
+ if object_data_obj and object_data_obj["data"]:
+ for object_data_id in object_data_obj['data']:
+ self.delete_object_data(moon_user_id=moon_user_id, policy_id=policy_id,
+ data_id=object_data_id)
+ action_data = self.get_action_data(moon_user_id=moon_user_id, policy_id=policy_id)
+ if action_data:
+ for action_data_obj in action_data:
+ if action_data_obj and action_data_obj["data"]:
+ for action_data_id in action_data_obj['data']:
+ self.delete_action_data(moon_user_id=moon_user_id, policy_id=policy_id,
+ data_id=action_data_id)
+
+ subjects = self.driver.get_subjects(policy_id=policy_id)
+ if subjects:
+ for subject_id in subjects:
+ self.delete_subject(moon_user_id=moon_user_id, policy_id=policy_id,
+ perimeter_id=subject_id)
+ objects = self.driver.get_objects(policy_id=policy_id)
+ if objects:
+ for object_id in objects:
+ self.delete_object(moon_user_id=moon_user_id, policy_id=policy_id,
+ perimeter_id=object_id)
+ actions = self.driver.get_actions(policy_id=policy_id)
+ if actions:
+ for action_id in actions:
+ self.delete_action(moon_user_id=moon_user_id, policy_id=policy_id,
+ perimeter_id=action_id)
+
+ # rules = self.driver.get_rules(policy_id=policy_id)["rules"]
+ # if rules:
+ # for rule_id in rules:
+ # self.delete_rule(moon_user_id=moon_user_id, policy_id=policy_id, rules=rule_id)
+
+ return self.driver.delete_policy(policy_id=policy_id)
+
+ @enforce(("read", "write"), "policies")
+ def add_policy(self, moon_user_id, policy_id=None, value=None):
+
+ if not value or not value['name'].strip():
+ raise exceptions.PolicyContentError
+ if policy_id in self.driver.get_policies(policy_id=policy_id):
+ raise exceptions.PolicyExisting
+
+ if self.driver.get_policies(policy_name=value['name']):
+ raise exceptions.PolicyExisting("Policy name Existed")
+
+ if not policy_id:
+ policy_id = uuid4().hex
+ if 'model_id' in value and value['model_id'] != "":
+ model_id = value['model_id']
+ if model_id is None:
+ raise exceptions.ModelUnknown
+ else:
+ model_list = Managers.ModelManager.get_models(moon_user_id=moon_user_id,
+ model_id=model_id)
+ if not model_list:
+ raise exceptions.ModelUnknown
+
+ self.__check_blank_model(model_list[model_id])
+
+ return self.driver.add_policy(policy_id=policy_id, value=value)
+
+ @enforce("read", "policies")
+ def get_policies(self, moon_user_id, policy_id=None):
+ return self.driver.get_policies(policy_id=policy_id)
+
+ @enforce("read", "perimeter")
+ def get_subjects(self, moon_user_id, policy_id, perimeter_id=None):
+ # if not policy_id:
+ # raise exceptions.PolicyUnknown
+ if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
+ raise exceptions.PolicyUnknown
+ return self.driver.get_subjects(policy_id=policy_id, perimeter_id=perimeter_id)
+
+ @enforce(("read", "write"), "perimeter")
+ def add_subject(self, moon_user_id, policy_id=None, perimeter_id=None, value=None):
+
+ logger.debug("add_subject {}".format(policy_id))
+ if not value or "name" not in value or not value["name"].strip():
+ raise exceptions.PerimeterContentError('invalid name')
+
+ if 'policy_list' in value:
+ raise exceptions.PerimeterContentError("body should not contain policy_list")
+
+ if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
+ raise exceptions.PolicyUnknown
+
+ if perimeter_id:
+ subjects = self.driver.get_subjects(policy_id=None, perimeter_id=perimeter_id)
+ if subjects and subjects[perimeter_id]['name'] != value['name']:
+ raise exceptions.PerimeterContentError
+
+ if not perimeter_id:
+ subject_per = self.driver.get_subject_by_name(value['name'])
+ if subject_per:
+ perimeter_id = next(iter(subject_per))
+
+ # should get k_user = {'users':[{"id":"11111"}]} from Keystone
+ # FIXME: need to check other input
+ # k_user = InformationManager.get_users(username=value.get('name'))
+ #
+ # if not k_user.get('users', {}):
+ # k_user = InformationManager.add_user(**value)
+ # if k_user:
+ # if not perimeter_id:
+ # try:
+ # logger.info("k_user={}".format(k_user))
+ # perimeter_id = k_user['users'][0].get('id', uuid4().hex)
+ # except IndexError:
+ # k_user = InformationManager.get_users(value.get('name'))
+ # perimeter_id = uuid4().hex
+ # except KeyError:
+ # k_user = InformationManager.get_users(value.get('name'))
+ # perimeter_id = uuid4().hex
+ #
+ # try:
+ # value.update(k_user['users'][0])
+ # except IndexError:
+ # logger.error("Cannot update user from external server data, got {}".format(k_user))
+
+ return self.driver.set_subject(policy_id=policy_id, perimeter_id=perimeter_id, value=value)
+
+ @enforce(("read", "write"), "perimeter")
+ def update_subject(self, moon_user_id, perimeter_id, value):
+ logger.debug("update_subject perimeter_id = {}".format(perimeter_id))
+
+ if not perimeter_id:
+ raise exceptions.SubjectUnknown
+
+ subjects = self.driver.get_subjects(policy_id=None, perimeter_id=perimeter_id)
+ if not subjects or not (perimeter_id in subjects):
+ raise exceptions.PerimeterContentError
+
+ if 'policy_list' in value or ('name' in value and not value['name']):
+ raise exceptions.PerimeterContentError
+
+ return self.driver.update_subject(perimeter_id=perimeter_id, value=value)
+
+ @enforce(("read", "write"), "perimeter")
+ def delete_subject(self, moon_user_id, policy_id, perimeter_id):
+
+ if not perimeter_id:
+ raise exceptions.SubjectUnknown
+
+ # if not policy_id:
+ # raise exceptions.PolicyUnknown
+
+ if not self.get_subjects(moon_user_id=moon_user_id, policy_id=policy_id,
+ perimeter_id=perimeter_id):
+ raise exceptions.SubjectUnknown
+
+ if policy_id:
+ if not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+
+ subj_assig = self.driver.get_subject_assignments(policy_id=policy_id,
+ subject_id=perimeter_id)
+ if subj_assig:
+ assign_id = next(iter(subj_assig))
+ for data_id in subj_assig[assign_id]['assignments']:
+ self.delete_subject_assignment(moon_user_id=moon_user_id,
+ policy_id=policy_id,
+ subject_id=perimeter_id,
+ category_id=subj_assig[assign_id]['category_id'],
+ data_id=data_id)
+
+ return self.driver.delete_subject(policy_id=policy_id, perimeter_id=perimeter_id)
+
+ @enforce("read", "perimeter")
+ def get_objects(self, moon_user_id, policy_id, perimeter_id=None):
+ # if not policy_id:
+ # pass
+ if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
+ raise exceptions.PolicyUnknown
+ return self.driver.get_objects(policy_id=policy_id, perimeter_id=perimeter_id)
+
+ @enforce(("read", "write"), "perimeter")
+ def add_object(self, moon_user_id, policy_id, perimeter_id=None, value=None):
+ logger.debug("add_object {}".format(policy_id))
+
+ if not value or "name" not in value or not value["name"].strip():
+ raise exceptions.PerimeterContentError('invalid name')
+
+ if 'policy_list' in value:
+ raise exceptions.PerimeterContentError("body should not contain policy_list")
+
+ if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
+ raise exceptions.PolicyUnknown
+
+ # object_perimeter = {}
+ # if perimeter_id:
+ # object_perimeter = self.driver.get_objects(policy_id=None, perimeter_id=perimeter_id)
+ # if not object_perimeter:
+ # raise exceptions.PerimeterContentError
+ # empeche l'ajout d'un objet avec un id prédéterminé
+
+ if not perimeter_id:
+ object_perimeter = self.driver.get_object_by_name(value['name'])
+ if object_perimeter:
+ perimeter_id = next(iter(object_perimeter))
+
+ if perimeter_id:
+ objects = self.driver.get_objects(policy_id=None, perimeter_id=perimeter_id)
+ if objects and objects[perimeter_id]['name'] != value['name']:
+ raise exceptions.PerimeterContentError
+
+ if not perimeter_id:
+ perimeter_id = uuid4().hex
+ return self.driver.set_object(policy_id=policy_id, perimeter_id=perimeter_id, value=value)
+
+ @enforce(("read", "write"), "perimeter")
+ def update_object(self, moon_user_id, perimeter_id, value):
+ logger.debug("update_object perimeter_id = {}".format(perimeter_id))
+
+ if not perimeter_id:
+ raise exceptions.ObjectUnknown
+
+ objects = self.driver.get_objects(policy_id=None, perimeter_id=perimeter_id)
+ if not objects or not (perimeter_id in objects):
+ raise exceptions.PerimeterContentError
+
+ if 'policy_list' in value or ('name' in value and not value['name']):
+ raise exceptions.PerimeterContentError
+
+ return self.driver.update_object(perimeter_id=perimeter_id, value=value)
+
+ @enforce(("read", "write"), "perimeter")
+ def delete_object(self, moon_user_id, policy_id, perimeter_id):
+
+ if not perimeter_id:
+ raise exceptions.ObjectUnknown
+
+ # if not policy_id:
+ # raise exceptions.PolicyUnknown
+
+ if not self.get_objects(moon_user_id=moon_user_id, policy_id=policy_id,
+ perimeter_id=perimeter_id):
+ raise exceptions.ObjectUnknown
+
+ if policy_id:
+
+ if not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+
+ obj_assig = self.driver.get_object_assignments(policy_id=policy_id, object_id=perimeter_id)
+
+ if obj_assig:
+ assign_id = next(iter(obj_assig))
+ for data_id in obj_assig[assign_id]['assignments']:
+ self.delete_object_assignment(moon_user_id,
+ policy_id=policy_id,
+ object_id=perimeter_id,
+ category_id=obj_assig[assign_id]['category_id'],
+ data_id=data_id)
+
+ return self.driver.delete_object(policy_id=policy_id, perimeter_id=perimeter_id)
+
+ @enforce("read", "perimeter")
+ def get_actions(self, moon_user_id, policy_id, perimeter_id=None):
+
+ if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
+ raise exceptions.PolicyUnknown
+ return self.driver.get_actions(policy_id=policy_id, perimeter_id=perimeter_id)
+
+ @enforce(("read", "write"), "perimeter")
+ def add_action(self, moon_user_id, policy_id, perimeter_id=None, value=None):
+ logger.debug("add_action {}".format(policy_id))
+
+ if not value or "name" not in value or not value["name"].strip():
+ raise exceptions.PerimeterContentError('invalid name')
+
+ if 'policy_list' in value:
+ raise exceptions.PerimeterContentError("body should not contain policy_list")
+
+ if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
+ raise exceptions.PolicyUnknown
+
+ action_perimeter = {}
+ if perimeter_id:
+ action_perimeter = self.driver.get_actions(policy_id=None, perimeter_id=perimeter_id)
+ if not action_perimeter:
+ raise exceptions.PerimeterContentError
+
+ if not perimeter_id:
+ action_perimeter = self.driver.get_action_by_name(value['name'])
+ if action_perimeter:
+ perimeter_id = next(iter(action_perimeter))
+
+ if perimeter_id and action_perimeter[perimeter_id]['name'] != value['name']:
+ raise exceptions.PerimeterContentError
+
+ if not perimeter_id:
+ perimeter_id = uuid4().hex
+
+ return self.driver.set_action(policy_id=policy_id, perimeter_id=perimeter_id, value=value)
+
+ @enforce(("read", "write"), "perimeter")
+ def update_action(self, moon_user_id, perimeter_id, value):
+ logger.debug("update_action perimeter_id = {}".format(perimeter_id))
+
+ if not perimeter_id:
+ raise exceptions.ActionUnknown
+
+ actions = self.driver.get_actions(policy_id=None, perimeter_id=perimeter_id)
+ if not actions or not (perimeter_id in actions):
+ raise exceptions.PerimeterContentError
+
+ if 'policy_list' in value or ('name' in value and not value['name'].strip()):
+ raise exceptions.PerimeterContentError
+
+ return self.driver.update_action(perimeter_id=perimeter_id, value=value)
+
+ @enforce(("read", "write"), "perimeter")
+ def delete_action(self, moon_user_id, policy_id, perimeter_id):
+
+ if not perimeter_id:
+ raise exceptions.ActionUnknown
+
+ # if not policy_id:
+ # raise exceptions.PolicyUnknown
+
+ if not self.get_actions(moon_user_id=moon_user_id, policy_id=policy_id,
+ perimeter_id=perimeter_id):
+ raise exceptions.ActionUnknown
+
+ logger.debug("delete_action {} {} {}".format(policy_id, perimeter_id,
+ self.get_policies(moon_user_id=moon_user_id,
+ policy_id=policy_id)))
+ if policy_id:
+ if not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+
+ act_assig = self.driver.get_action_assignments(policy_id=policy_id, action_id=perimeter_id)
+
+ if act_assig:
+ assign_id = next(iter(act_assig))
+ for data_id in act_assig[assign_id]['assignments']:
+ self.delete_action_assignment(moon_user_id=moon_user_id,
+ policy_id=policy_id,
+ action_id=perimeter_id,
+ category_id=act_assig[assign_id]['category_id'],
+ data_id=data_id)
+
+ return self.driver.delete_action(policy_id=policy_id, perimeter_id=perimeter_id)
+
+ @enforce("read", "data")
+ def get_subject_data(self, moon_user_id, policy_id, data_id=None, category_id=None):
+ available_metadata = self.get_available_metadata(moon_user_id=moon_user_id,
+ policy_id=policy_id)
+ results = []
+ if not category_id:
+ for cat in available_metadata["subject"]:
+ _value = self.driver.get_subject_data(policy_id=policy_id, data_id=data_id,
+ category_id=cat)
+ results.append(_value)
+ if category_id and category_id in available_metadata["subject"]:
+ results.append(self.driver.get_subject_data(policy_id=policy_id, data_id=data_id,
+ category_id=category_id))
+ return results
+
+ @enforce(("read", "write"), "data")
+ def set_subject_data(self, moon_user_id, policy_id, data_id=None, category_id=None, value=None):
+
+ logger.debug("set_subject_data policyID {}".format(policy_id))
+
+ if not value or 'name' not in value or not value['name'].strip():
+ raise exceptions.DataContentError
+
+ if not policy_id or not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+
+ if not category_id or (
+ not Managers.ModelManager.get_subject_categories(moon_user_id=moon_user_id,
+ category_id=category_id)):
+ raise exceptions.SubjectCategoryUnknown
+
+ self.__category_dependency_validation(moon_user_id, policy_id, category_id,
+ 'subject_categories')
+
+ if not data_id:
+ data_id = uuid4().hex
+ return self.driver.set_subject_data(policy_id=policy_id, data_id=data_id,
+ category_id=category_id, value=value)
+
+ @enforce(("read", "write"), "data")
+ def delete_subject_data(self, moon_user_id, policy_id, data_id, category_id=None):
+ # TODO (asteroide): check and/or delete assignments linked to that data
+ subject_assignments = self.get_subject_assignments(moon_user_id=moon_user_id,
+ policy_id=policy_id,
+ category_id=category_id)
+ if subject_assignments:
+ for assign_id in subject_assignments:
+ self.driver.delete_subject_assignment(
+ policy_id=subject_assignments[assign_id]['policy_id'],
+ subject_id=subject_assignments[assign_id]['subject_id'],
+ category_id=subject_assignments[assign_id]['category_id'],
+ data_id=subject_assignments[assign_id]['id'])
+
+ rules = self.driver.get_rules(policy_id=policy_id)
+ if rules['rules']:
+ for rule in rules['rules']:
+ if data_id in rule['rule']:
+ self.driver.delete_rule(policy_id, rule['id'])
+
+ return self.driver.delete_subject_data(policy_id=policy_id, category_id=category_id,
+ data_id=data_id)
+
+ @enforce("read", "data")
+ def get_object_data(self, moon_user_id, policy_id, data_id=None, category_id=None):
+ available_metadata = self.get_available_metadata(moon_user_id=moon_user_id,
+ policy_id=policy_id)
+ results = []
+ if not category_id:
+ for cat in available_metadata["object"]:
+ results.append(self.driver.get_object_data(policy_id=policy_id, data_id=data_id,
+ category_id=cat))
+ if category_id and category_id in available_metadata["object"]:
+ results.append(self.driver.get_object_data(policy_id=policy_id, data_id=data_id,
+ category_id=category_id))
+ return results
+
+ @enforce(("read", "write"), "data")
+ def add_object_data(self, moon_user_id, policy_id, data_id=None, category_id=None, value=None):
+ logger.debug("add_object_data policyID {}".format(policy_id))
+
+ if not value or 'name' not in value or not value['name'].strip():
+ raise exceptions.DataContentError
+
+ if not policy_id or not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+
+ if not category_id or (
+ not Managers.ModelManager.get_object_categories(moon_user_id=moon_user_id,
+ category_id=category_id)):
+ raise exceptions.ObjectCategoryUnknown
+
+ self.__category_dependency_validation(moon_user_id, policy_id, category_id,
+ 'object_categories')
+
+ if not data_id:
+ data_id = uuid4().hex
+ return self.driver.set_object_data(policy_id=policy_id, data_id=data_id,
+ category_id=category_id, value=value)
+
+ @enforce(("read", "write"), "data")
+ def delete_object_data(self, moon_user_id, policy_id, data_id, category_id=None):
+ # TODO (asteroide): check and/or delete assignments linked to that data
+ object_assignments = self.get_object_assignments(moon_user_id=moon_user_id,
+ policy_id=policy_id,
+ category_id=category_id)
+
+ if object_assignments:
+ for assign_id in object_assignments:
+ self.driver.delete_object_assignment(
+ policy_id=object_assignments[assign_id]['policy_id'],
+ object_id=object_assignments[assign_id]['object_id'],
+ category_id=object_assignments[assign_id]['category_id'],
+ data_id=object_assignments[assign_id]['id'])
+
+ rules = self.driver.get_rules(policy_id=policy_id)
+ if rules['rules']:
+ for rule in rules['rules']:
+ if data_id in rule['rule']:
+ self.driver.delete_rule(policy_id, rule['id'])
+
+ return self.driver.delete_object_data(policy_id=policy_id, category_id=category_id,
+ data_id=data_id)
+
+ @enforce("read", "data")
+ def get_action_data(self, moon_user_id, policy_id, data_id=None, category_id=None):
+ available_metadata = self.get_available_metadata(moon_user_id=moon_user_id,
+ policy_id=policy_id)
+ results = []
+ if not category_id:
+ for cat in available_metadata["action"]:
+ results.append(self.driver.get_action_data(policy_id=policy_id, data_id=data_id,
+ category_id=cat))
+ if category_id and category_id in available_metadata["action"]:
+ if category_id.startswith("attributes:"):
+ data = {}
+ attrs = pip_driver.AttrsManager.get_objects(
+ moon_user_id="admin",
+ object_type=category_id.replace("attributes:", ""))
+ for item in attrs.keys():
+ data[item] = {"id": item, "name": item, "description": item}
+ results.append(
+ {
+ "policy_id": policy_id,
+ "category_id": category_id,
+ "data": data,
+ }
+ )
+ else:
+ results.append(self.driver.get_action_data(policy_id=policy_id,
+ data_id=data_id,
+ category_id=category_id))
+ return results
+
+ @enforce(("read", "write"), "data")
+ def add_action_data(self, moon_user_id, policy_id, data_id=None, category_id=None, value=None):
+
+ logger.debug("add_action_data policyID {}".format(policy_id))
+
+ if not value or 'name' not in value or not value['name'].strip():
+ raise exceptions.DataContentError
+
+ if not policy_id or not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
+
+ if not category_id or (
+ not Managers.ModelManager.get_action_categories(moon_user_id=moon_user_id,
+ category_id=category_id)):
+ raise exceptions.ActionCategoryUnknown
+
+ self.__category_dependency_validation(moon_user_id, policy_id, category_id,
+ 'action_categories')
+
+ if not data_id:
+ data_id = uuid4().hex
+ return self.driver.set_action_data(policy_id=policy_id, data_id=data_id,
+ category_id=category_id, value=value)
+
+ @enforce(("read", "write"), "data")
+ def delete_action_data(self, moon_user_id, policy_id, data_id, category_id=None):
+ # TODO (asteroide): check and/or delete assignments linked to that data
+ action_assignments = self.get_action_assignments(moon_user_id=moon_user_id,
+ policy_id=policy_id,
+ category_id=category_id)
+ if action_assignments:
+ for assign_id in action_assignments:
+ self.driver.delete_action_assignment(
+ policy_id=action_assignments[assign_id]['policy_id'],
+ action_id=action_assignments[assign_id]['action_id'],
+ category_id=action_assignments[assign_id]['category_id'],
+ data_id=action_assignments[assign_id]['id'])
+
+ rules = self.driver.get_rules(policy_id=policy_id)
+ if rules['rules']:
+ for rule in rules['rules']:
+ if data_id in rule['rule']:
+ self.driver.delete_rule(policy_id, rule['id'])
+
+ return self.driver.delete_action_data(policy_id=policy_id, category_id=category_id,
+ data_id=data_id)
+
+ @enforce("read", "assignments")
+ def get_subject_assignments(self, moon_user_id, policy_id, subject_id=None, category_id=None):
+ return self.driver.get_subject_assignments(policy_id=policy_id, subject_id=subject_id,
+ category_id=category_id)
+
+ @enforce(("read", "write"), "assignments")
+ def add_subject_assignment(self, moon_user_id, policy_id, subject_id, category_id, data_id):
+
+ logger.debug("add_subject_assignment policyID {}".format(policy_id))
+ if not category_id or (
+ not Managers.ModelManager.get_subject_categories(moon_user_id=moon_user_id,
+ category_id=category_id)):
+ raise exceptions.SubjectCategoryUnknown
+
+ self.__category_dependency_validation(moon_user_id, policy_id, category_id,
+ 'subject_categories')
+
+ if not subject_id or (
+ not self.get_subjects(moon_user_id=moon_user_id, policy_id=policy_id,
+ perimeter_id=subject_id)):
+ raise exceptions.SubjectUnknown
+ subjects_data = self.get_subject_data(moon_user_id=moon_user_id, policy_id=policy_id,
+ data_id=data_id, category_id=category_id)
+ if not data_id or not subjects_data or data_id not in subjects_data[0]['data']:
+ raise exceptions.DataUnknown
+
+ return self.driver.add_subject_assignment(policy_id=policy_id, subject_id=subject_id,
+ category_id=category_id, data_id=data_id)
+
+ @enforce(("read", "write"), "assignments")
+ def delete_subject_assignment(self, moon_user_id, policy_id, subject_id, category_id, data_id):
+ if policy_id:
+ return self.driver.delete_subject_assignment(
+ policy_id=policy_id, subject_id=subject_id,
+ category_id=category_id, data_id=data_id)
+ raise exceptions.PolicyUnknown
+
+ @enforce("read", "assignments")
+ def get_object_assignments(self, moon_user_id, policy_id, object_id=None, category_id=None):
+ return self.driver.get_object_assignments(policy_id=policy_id, object_id=object_id,
+ category_id=category_id)
+
+ @enforce(("read", "write"), "assignments")
+ def add_object_assignment(self, moon_user_id, policy_id, object_id, category_id, data_id):
+
+ logger.debug("add_object_assignment policyID {}".format(policy_id))
+ if not category_id or (
+ not Managers.ModelManager.get_object_categories(moon_user_id=moon_user_id,
+ category_id=category_id)):
+ raise exceptions.ObjectCategoryUnknown
+
+ self.__category_dependency_validation(moon_user_id, policy_id, category_id,
+ 'object_categories')
+
+ if not object_id or (
+ not self.get_objects(moon_user_id=moon_user_id, policy_id=policy_id,
+ perimeter_id=object_id)):
+ raise exceptions.ObjectUnknown
+ objects_data = self.get_object_data(moon_user_id=moon_user_id, policy_id=policy_id,
+ data_id=data_id, category_id=category_id)
+ if not data_id or not objects_data or data_id not in objects_data[0]['data']:
+ raise exceptions.DataUnknown
+
+ return self.driver.add_object_assignment(policy_id=policy_id, object_id=object_id,
+ category_id=category_id, data_id=data_id)
+
+ @enforce(("read", "write"), "assignments")
+ def delete_object_assignment(self, moon_user_id, policy_id, object_id, category_id, data_id):
+ if policy_id:
+ return self.driver.delete_object_assignment(policy_id=policy_id, object_id=object_id,
+ category_id=category_id, data_id=data_id)
+ raise exceptions.PolicyUnknown
+
+ @enforce("read", "assignments")
+ def get_action_assignments(self, moon_user_id, policy_id, action_id=None, category_id=None):
+ return self.driver.get_action_assignments(policy_id=policy_id, action_id=action_id,
+ category_id=category_id)
+
+ @enforce(("read", "write"), "assignments")
+ def add_action_assignment(self, moon_user_id, policy_id, action_id, category_id, data_id):
+
+ logger.debug("add_action_assignment policyID {}".format(policy_id))
+
+ if not category_id or (
+ not Managers.ModelManager.get_action_categories(moon_user_id=moon_user_id,
+ category_id=category_id)):
+ raise exceptions.ActionCategoryUnknown
+
+ self.__category_dependency_validation(moon_user_id, policy_id, category_id,
+ 'action_categories')
+
+ if not action_id or (
+ not self.get_actions(moon_user_id=moon_user_id, policy_id=policy_id,
+ perimeter_id=action_id)):
+ raise exceptions.ActionUnknown
+ actions_data = self.get_action_data(moon_user_id=moon_user_id, policy_id=policy_id,
+ data_id=data_id, category_id=category_id)
+ if not data_id or not actions_data or data_id not in actions_data[0]['data']:
+ raise exceptions.DataUnknown
+
+ return self.driver.add_action_assignment(policy_id=policy_id, action_id=action_id,
+ category_id=category_id, data_id=data_id)
+
+ @enforce(("read", "write"), "assignments")
+ def delete_action_assignment(self, moon_user_id, policy_id, action_id, category_id, data_id):
+ if policy_id:
+ return self.driver.delete_action_assignment(policy_id=policy_id, action_id=action_id,
+ category_id=category_id, data_id=data_id)
+ raise exceptions.PolicyUnknown
+
+ @enforce("read", "rules")
+ def get_rules(self, moon_user_id, policy_id, meta_rule_id=None, rule_id=None):
+ return self.driver.get_rules(policy_id=policy_id, meta_rule_id=meta_rule_id,
+ rule_id=rule_id)
+
+ @enforce(("read", "write"), "policies")
+ def update_rule(self, moon_user_id, rule_id, value):
+ if not value or 'instructions' not in value:
+ raise exceptions.RuleContentError
+
+ rule_list = self.driver.get_rules(policy_id=None, rule_id=rule_id)
+ if not rule_id or rule_id not in rule_list:
+ raise exceptions.RuleUnknown
+
+ return self.driver.update_rule(rule_id=rule_id, value=value)
+
+ @enforce(("read", "write"), "rules")
+ def add_rule(self, moon_user_id, policy_id, meta_rule_id, value):
+
+ if not meta_rule_id or (
+ not self.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
+ meta_rule_id=meta_rule_id)):
+ raise exceptions.MetaRuleUnknown
+
+ if not value or 'instructions' not in value: # TODO or not value['instructions']:
+ raise exceptions.MetaRuleContentError
+
+ decision_exist = False
+ default_instruction = {"decision": "grant"}
+
+ for instruction in value['instructions']:
+ if 'decision' in instruction:
+ decision_exist = True
+ if not instruction['decision']:
+ instruction['decision'] = default_instruction['decision']
+ elif instruction['decision'].lower() not in ['grant', 'deny', 'continue']:
+ raise exceptions.RuleContentError("Invalid Decision")
+
+ if not decision_exist:
+ value['instructions'].append(default_instruction)
+
+ self.__dependencies_validation(moon_user_id, policy_id, meta_rule_id)
+
+ self.__check_existing_rule(policy_id=policy_id, meta_rule_id=meta_rule_id,
+ moon_user_id=moon_user_id, rule_value=value)
+
+ return self.driver.add_rule(policy_id=policy_id, meta_rule_id=meta_rule_id, value=value)
+
+ def __check_existing_rule(self, moon_user_id, policy_id, meta_rule_id, rule_value):
+
+ if not meta_rule_id:
+ raise exceptions.MetaRuleUnknown
+
+ meta_rule = self.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
+ meta_rule_id=meta_rule_id)
+ if not meta_rule:
+ raise exceptions.MetaRuleUnknown
+
+ if len(meta_rule[meta_rule_id]['subject_categories']) + len(
+ meta_rule[meta_rule_id]['object_categories']) \
+ + len(meta_rule[meta_rule_id]['action_categories']) > len(rule_value['rule']):
+ raise exceptions.RuleContentError(message="Missing Data")
+
+ if len(meta_rule[meta_rule_id]['subject_categories']) + len(
+ meta_rule[meta_rule_id]['object_categories']) \
+ + len(meta_rule[meta_rule_id]['action_categories']) < len(rule_value['rule']):
+ raise exceptions.MetaRuleContentError(message="Missing Data")
+
+ temp_rule_data = list(
+ rule_value['rule'][0:len(meta_rule[meta_rule_id]['subject_categories'])])
+ found_data_counter = 0
+ start_sub = len(meta_rule[meta_rule_id]['subject_categories'])
+
+ for sub_cat_id in meta_rule[meta_rule_id]['subject_categories']:
+ subjects_data = self.get_subject_data(moon_user_id=moon_user_id,
+ category_id=sub_cat_id, policy_id=policy_id)
+ if subjects_data:
+ found_data_counter = self.__validate_data_id(sub_cat_id, subjects_data[0]['data'],
+ temp_rule_data,
+ "Missing Subject_category "
+ , found_data_counter)
+
+ if found_data_counter != len(meta_rule[meta_rule_id]['subject_categories']):
+ raise exceptions.RuleContentError(message="Missing Data")
+
+ _index = start_sub + len(meta_rule[meta_rule_id]['object_categories'])
+ temp_rule_data = list(rule_value['rule'][start_sub:_index])
+ found_data_counter = 0
+ start_sub = start_sub + len(meta_rule[meta_rule_id]['object_categories'])
+
+ for ob_cat_id in meta_rule[meta_rule_id]['object_categories']:
+ object_data = self.get_object_data(moon_user_id=moon_user_id,
+ category_id=ob_cat_id, policy_id=policy_id)
+ if object_data:
+ found_data_counter = self.__validate_data_id(ob_cat_id, object_data[0]['data'],
+ temp_rule_data,
+ "Missing Object_category ",
+ found_data_counter)
+
+ if found_data_counter != len(meta_rule[meta_rule_id]['object_categories']):
+ raise exceptions.RuleContentError(message="Missing Data")
+
+ _index = start_sub + len(meta_rule[meta_rule_id]['action_categories'])
+ temp_rule_data = list(rule_value['rule'][start_sub:_index])
+ found_data_counter = 0
+
+ for act_cat_id in meta_rule[meta_rule_id]['action_categories']:
+ action_data = self.get_action_data(moon_user_id=moon_user_id, category_id=act_cat_id,
+ policy_id=policy_id)
+ if action_data:
+ found_data_counter = self.__validate_data_id(act_cat_id, action_data[0]['data'],
+ temp_rule_data,
+ "Missing Action_category ",
+ found_data_counter)
+
+ # Note: adding count of data linked to a global attribute
+ found_data_counter += len(list(filter(lambda x: "attributes:" in x, temp_rule_data)))
+ if found_data_counter != len(meta_rule[meta_rule_id]['action_categories']):
+ raise exceptions.RuleContentError(message="Missing Data")
+
+ @staticmethod
+ def __validate_data_id(cat_id, data_ids, temp_rule_data, error_msg, found_data_counter):
+ for ID in data_ids:
+ if ID in temp_rule_data:
+ temp_rule_data.remove(ID)
+ found_data_counter += 1
+ # if no data id found in the rule, so rule not valid
+ if found_data_counter < 1:
+ raise exceptions.RuleContentError(message=error_msg + cat_id)
+ return found_data_counter
+
+ @enforce(("read", "write"), "rules")
+ def delete_rule(self, moon_user_id, policy_id, rule_id):
+ return self.driver.delete_rule(policy_id=policy_id, rule_id=rule_id)
+
+ @enforce("read", "meta_data")
+ def get_available_metadata(self, moon_user_id, policy_id):
+ categories = {
+ "subject": [],
+ "object": [],
+ "action": []
+ }
+ policy = self.driver.get_policies(policy_id=policy_id)
+ if not policy:
+ raise exceptions.PolicyUnknown
+ model_id = policy[policy_id]["model_id"]
+ model = Managers.ModelManager.get_models(moon_user_id=moon_user_id, model_id=model_id)
+ try:
+ meta_rule_list = model[model_id]["meta_rules"]
+ for meta_rule_id in meta_rule_list:
+ meta_rule = Managers.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
+ meta_rule_id=meta_rule_id)
+ categories["subject"].extend(meta_rule[meta_rule_id]["subject_categories"])
+ categories["object"].extend(meta_rule[meta_rule_id]["object_categories"])
+ categories["action"].extend(meta_rule[meta_rule_id]["action_categories"])
+ finally:
+ return categories
+
+ def __dependencies_validation(self, moon_user_id, policy_id, meta_rule_id=None):
+
+ policies = self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)
+ if not policy_id or (not policies):
+ raise exceptions.PolicyUnknown
+
+ policy_content = policies[next(iter(policies))]
+ model_id = policy_content['model_id']
+ models = Managers.ModelManager.get_models(moon_user_id=moon_user_id, model_id=model_id)
+ if not model_id or not models:
+ raise exceptions.ModelUnknown
+
+ model_content = models[next(iter(models))]
+ if meta_rule_id:
+ meta_rule_exists = False
+
+ for model_meta_rule_id in model_content['meta_rules']:
+ if model_meta_rule_id == meta_rule_id:
+ meta_rule_exists = True
+ break
+
+ if not meta_rule_exists:
+ raise exceptions.MetaRuleNotLinkedWithPolicyModel
+
+ meta_rule = self.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
+ meta_rule_id=meta_rule_id)
+ meta_rule_content = meta_rule[next(iter(meta_rule))]
+ if (not meta_rule_content['subject_categories']) or \
+ (not meta_rule_content['object_categories']) or \
+ (not meta_rule_content['action_categories']):
+ raise exceptions.MetaRuleContentError
+ return model_content
+
+ def __category_dependency_validation(self, moon_user_id, policy_id, category_id, category_key):
+ model = self.__dependencies_validation(moon_user_id=moon_user_id, policy_id=policy_id)
+ category_found = False
+ for model_meta_rule_id in model['meta_rules']:
+ meta_rule = self.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
+ meta_rule_id=model_meta_rule_id)
+ meta_rule_content = meta_rule[next(iter(meta_rule))]
+ if meta_rule_content[category_key] and category_id in meta_rule_content[category_key]:
+ category_found = True
+ break
+
+ if not category_found:
+ raise exceptions.CategoryNotAssignedMetaRule
+
+ def __check_blank_model(self, model):
+ if 'meta_rules' not in model or not model['meta_rules']:
+ raise exceptions.MetaRuleUnknown
+ for meta_rule_id in model['meta_rules']:
+ self.__check_blank_meta_rule(meta_rule_id)
+
+ def __check_blank_meta_rule(self, meta_rule_id):
+ meta_rule = self.driver.get_meta_rules(meta_rule_id=meta_rule_id)
+ if not meta_rule:
+ return exceptions.MetaRuleUnknown
+ meta_rule_content = meta_rule[next(iter(meta_rule))]
+ if (not meta_rule_content['subject_categories']) or (
+ not meta_rule_content['object_categories']) or (
+ not meta_rule_content['action_categories']):
+ raise exceptions.MetaRuleContentError
+
diff --git a/moon_manager/moon_manager/api/db/slave.py b/moon_manager/moon_manager/api/db/slave.py
new file mode 100644
index 00000000..f5ac9189
--- /dev/null
+++ b/moon_manager/moon_manager/api/db/slave.py
@@ -0,0 +1,55 @@
+# Software Name: MOON
+
+# Version: 5.4
+
+# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# This software is distributed under the 'Apache License 2.0',
+# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+# or see the "LICENSE" file for more details.
+
+
+from uuid import uuid4
+import logging
+from moon_utilities.security_functions import enforce
+from moon_manager.api.db.managers import Managers
+from moon_utilities import exceptions
+
+logger = logging.getLogger("moon.db.api.slave")
+
+
+class SlaveManager(Managers):
+
+ def __init__(self, connector=None):
+ self.driver = connector.driver
+ Managers.SlaveManager = self
+
+ @enforce(("read", "write"), "slave")
+ def update_slave(self, moon_user_id, slave_id, value):
+ if slave_id not in self.driver.get_slaves(slave_id=slave_id):
+ raise exceptions.SlaveNameUnknown
+
+ return self.driver.update_slave(slave_id=slave_id, value=value)
+
+ @enforce(("read", "write"), "slave")
+ def delete_slave(self, moon_user_id, slave_id):
+ if slave_id not in self.driver.get_slaves(slave_id=slave_id):
+ raise exceptions.SlaveNameUnknown
+ return self.driver.delete_slave(slave_id=slave_id)
+
+ @enforce(("read", "write"), "slave")
+ def add_slave(self, moon_user_id, slave_id=None, value=None):
+ if not value or 'name' not in value or not value['name'].strip():
+ raise exceptions.SlaveNameUnknown
+
+ if slave_id in self.driver.get_slaves(slave_id=slave_id):
+ raise exceptions.SlaveExisting
+ if not slave_id:
+ slave_id = uuid4().hex
+
+ return self.driver.add_slave(slave_id=slave_id, value=value)
+
+ @enforce("read", "slave")
+ def get_slaves(self, moon_user_id, slave_id=None):
+ return self.driver.get_slaves(slave_id=slave_id)