aboutsummaryrefslogtreecommitdiffstats
path: root/python_moondb/python_moondb/api/policy.py
diff options
context:
space:
mode:
Diffstat (limited to 'python_moondb/python_moondb/api/policy.py')
-rw-r--r--python_moondb/python_moondb/api/policy.py290
1 files changed, 0 insertions, 290 deletions
diff --git a/python_moondb/python_moondb/api/policy.py b/python_moondb/python_moondb/api/policy.py
deleted file mode 100644
index 9e7ad96c..00000000
--- a/python_moondb/python_moondb/api/policy.py
+++ /dev/null
@@ -1,290 +0,0 @@
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-from uuid import uuid4
-import logging
-from python_moonutilities.security_functions import enforce
-from python_moondb.api.managers import Managers
-from python_moonutilities import exceptions
-
-logger = logging.getLogger("moon.db.api.policy")
-
-
-class PolicyManager(Managers):
-
- def __init__(self, connector=None):
- self.driver = connector.driver
- Managers.PolicyManager = self
-
- def get_policy_from_meta_rules(self, user_id, meta_rule_id):
- policies = self.PolicyManager.get_policies("admin")
- models = self.ModelManager.get_models("admin")
- for pdp_key, pdp_value in self.PDPManager.get_pdp(user_id).items():
- if 'security_pipeline' not in pdp_value:
- raise exceptions.PdpContentError
- for policy_id in pdp_value["security_pipeline"]:
- if not policies or policy_id not in policies:
- raise exceptions.PolicyUnknown
- model_id = policies[policy_id]["model_id"]
- if not models:
- raise exceptions.ModelUnknown
- if model_id not in models:
- raise exceptions.ModelUnknown
- if meta_rule_id in models[model_id]["meta_rules"]:
- return policy_id
-
- @enforce(("read", "write"), "policies")
- def update_policy(self, user_id, policy_id, value):
- if policy_id not in self.driver.get_policies(policy_id=policy_id):
- raise exceptions.PolicyUnknown
- return self.driver.update_policy(policy_id=policy_id, value=value)
-
- @enforce(("read", "write"), "policies")
- def delete_policy(self, user_id, policy_id):
- # TODO (asteroide): unmap PDP linked to that policy
- if policy_id not in self.driver.get_policies(policy_id=policy_id):
- raise exceptions.PolicyUnknown
- return self.driver.delete_policy(policy_id=policy_id)
-
- @enforce(("read", "write"), "policies")
- def add_policy(self, user_id, policy_id=None, value=None):
- if policy_id in self.driver.get_policies(policy_id=policy_id):
- raise exceptions.PolicyExisting
- if not policy_id:
- policy_id = uuid4().hex
- return self.driver.add_policy(policy_id=policy_id, value=value)
-
- @enforce("read", "policies")
- def get_policies(self, user_id, policy_id=None):
- return self.driver.get_policies(policy_id=policy_id)
-
- @enforce("read", "perimeter")
- def get_subjects(self, user_id, policy_id, perimeter_id=None):
- return self.driver.get_subjects(policy_id=policy_id, perimeter_id=perimeter_id)
-
- @enforce(("read", "write"), "perimeter")
- def add_subject(self, user_id, policy_id, perimeter_id=None, value=None):
- k_user = Managers.KeystoneManager.get_user_by_name(value.get('name'))
- if not k_user['users']:
- k_user = Managers.KeystoneManager.create_user(value)
- if not perimeter_id:
- try:
- logger.info("k_user={}".format(k_user))
- perimeter_id = k_user['users'][0].get('id', uuid4().hex)
- except IndexError:
- k_user = Managers.KeystoneManager.get_user_by_name(
- value.get('name'))
- perimeter_id = uuid4().hex
- except KeyError:
- k_user = Managers.KeystoneManager.get_user_by_name(
- value.get('name'))
- perimeter_id = uuid4().hex
- value.update(k_user['users'][0])
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- return self.driver.set_subject(policy_id=policy_id, perimeter_id=perimeter_id, value=value)
-
- @enforce(("read", "write"), "perimeter")
- def delete_subject(self, user_id, policy_id, perimeter_id):
- return self.driver.delete_subject(policy_id=policy_id, perimeter_id=perimeter_id)
-
- @enforce("read", "perimeter")
- def get_objects(self, user_id, policy_id, perimeter_id=None):
- return self.driver.get_objects(policy_id=policy_id, perimeter_id=perimeter_id)
-
- @enforce(("read", "write"), "perimeter")
- def add_object(self, user_id, policy_id, perimeter_id=None, value=None):
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- if not perimeter_id:
- perimeter_id = uuid4().hex
- return self.driver.set_object(policy_id=policy_id, perimeter_id=perimeter_id, value=value)
-
- @enforce(("read", "write"), "perimeter")
- def delete_object(self, user_id, policy_id, perimeter_id):
- return self.driver.delete_object(policy_id=policy_id, perimeter_id=perimeter_id)
-
- @enforce("read", "perimeter")
- def get_actions(self, user_id, policy_id, perimeter_id=None):
- return self.driver.get_actions(policy_id=policy_id, perimeter_id=perimeter_id)
-
- @enforce(("read", "write"), "perimeter")
- def add_action(self, user_id, policy_id, perimeter_id=None, value=None):
- logger.info("add_action {}".format(policy_id))
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- return self.driver.set_action(policy_id=policy_id, perimeter_id=perimeter_id, value=value)
-
- @enforce(("read", "write"), "perimeter")
- def delete_action(self, user_id, policy_id, perimeter_id):
- return self.driver.delete_action(policy_id=policy_id, perimeter_id=perimeter_id)
-
- @enforce("read", "data")
- def get_subject_data(self, user_id, policy_id, data_id=None, category_id=None):
- available_metadata = self.get_available_metadata(user_id, policy_id)
- results = []
- if not category_id:
- for cat in available_metadata["subject"]:
- results.append(self.driver.get_subject_data(policy_id=policy_id, data_id=data_id,
- category_id=cat))
- if category_id and category_id in available_metadata["subject"]:
- results.append(self.driver.get_subject_data(policy_id=policy_id, data_id=data_id,
- category_id=category_id))
- return results
-
- @enforce(("read", "write"), "data")
- def set_subject_data(self, user_id, policy_id, data_id=None, category_id=None, value=None):
- if not category_id:
- raise Exception('Invalid category id')
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- if not data_id:
- data_id = uuid4().hex
- return self.driver.set_subject_data(policy_id=policy_id, data_id=data_id, category_id=category_id, value=value)
-
- @enforce(("read", "write"), "data")
- def delete_subject_data(self, user_id, policy_id, data_id):
- # TODO (asteroide): check and/or delete assignments linked to that data
- return self.driver.delete_subject_data(policy_id=policy_id, data_id=data_id)
-
- @enforce("read", "data")
- def get_object_data(self, user_id, policy_id, data_id=None, category_id=None):
- available_metadata = self.get_available_metadata(user_id, policy_id)
- results = []
- if not category_id:
- for cat in available_metadata["object"]:
- results.append(self.driver.get_object_data(policy_id=policy_id, data_id=data_id,
- category_id=cat))
- if category_id and category_id in available_metadata["object"]:
- results.append(self.driver.get_object_data(policy_id=policy_id, data_id=data_id,
- category_id=category_id))
- return results
-
- @enforce(("read", "write"), "data")
- def add_object_data(self, user_id, policy_id, data_id=None, category_id=None, value=None):
- if not category_id:
- raise Exception('Invalid category id')
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- if not data_id:
- data_id = uuid4().hex
- return self.driver.set_object_data(policy_id=policy_id, data_id=data_id, category_id=category_id, value=value)
-
- @enforce(("read", "write"), "data")
- def delete_object_data(self, user_id, policy_id, data_id):
- # TODO (asteroide): check and/or delete assignments linked to that data
- return self.driver.delete_object_data(policy_id=policy_id, data_id=data_id)
-
- @enforce("read", "data")
- def get_action_data(self, user_id, policy_id, data_id=None, category_id=None):
- available_metadata = self.get_available_metadata(user_id, policy_id)
- results = []
- if not category_id:
- for cat in available_metadata["action"]:
- results.append(self.driver.get_action_data(policy_id=policy_id, data_id=data_id,
- category_id=cat))
- if category_id and category_id in available_metadata["action"]:
- results.append(self.driver.get_action_data(policy_id=policy_id, data_id=data_id,
- category_id=category_id))
- return results
-
- @enforce(("read", "write"), "data")
- def add_action_data(self, user_id, policy_id, data_id=None, category_id=None, value=None):
- if not category_id:
- raise Exception('Invalid category id')
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- if not data_id:
- data_id = uuid4().hex
- return self.driver.set_action_data(policy_id=policy_id, data_id=data_id, category_id=category_id, value=value)
-
- @enforce(("read", "write"), "data")
- def delete_action_data(self, user_id, policy_id, data_id):
- # TODO (asteroide): check and/or delete assignments linked to that data
- return self.driver.delete_action_data(policy_id=policy_id, data_id=data_id)
-
- @enforce("read", "assignments")
- def get_subject_assignments(self, user_id, policy_id, subject_id=None, category_id=None):
- return self.driver.get_subject_assignments(policy_id=policy_id, subject_id=subject_id, category_id=category_id)
-
- @enforce(("read", "write"), "assignments")
- def add_subject_assignment(self, user_id, policy_id, subject_id, category_id, data_id):
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- return self.driver.add_subject_assignment(policy_id=policy_id, subject_id=subject_id,
- category_id=category_id, data_id=data_id)
-
- @enforce(("read", "write"), "assignments")
- def delete_subject_assignment(self, user_id, policy_id, subject_id, category_id, data_id):
- return self.driver.delete_subject_assignment(policy_id=policy_id, subject_id=subject_id,
- category_id=category_id, data_id=data_id)
-
- @enforce("read", "assignments")
- def get_object_assignments(self, user_id, policy_id, object_id=None, category_id=None):
- return self.driver.get_object_assignments(policy_id=policy_id, object_id=object_id, category_id=category_id)
-
- @enforce(("read", "write"), "assignments")
- def add_object_assignment(self, user_id, policy_id, object_id, category_id, data_id):
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- return self.driver.add_object_assignment(policy_id=policy_id, object_id=object_id,
- category_id=category_id, data_id=data_id)
-
- @enforce(("read", "write"), "assignments")
- def delete_object_assignment(self, user_id, policy_id, object_id, category_id, data_id):
- return self.driver.delete_object_assignment(policy_id=policy_id, object_id=object_id,
- category_id=category_id, data_id=data_id)
-
- @enforce("read", "assignments")
- def get_action_assignments(self, user_id, policy_id, action_id=None, category_id=None):
- return self.driver.get_action_assignments(policy_id=policy_id, action_id=action_id, category_id=category_id)
-
- @enforce(("read", "write"), "assignments")
- def add_action_assignment(self, user_id, policy_id, action_id, category_id, data_id):
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- return self.driver.add_action_assignment(policy_id=policy_id, action_id=action_id,
- category_id=category_id, data_id=data_id)
-
- @enforce(("read", "write"), "assignments")
- def delete_action_assignment(self, user_id, policy_id, action_id, category_id, data_id):
- return self.driver.delete_action_assignment(policy_id=policy_id, action_id=action_id,
- category_id=category_id, data_id=data_id)
-
- @enforce("read", "rules")
- def get_rules(self, user_id, policy_id, meta_rule_id=None, rule_id=None):
- return self.driver.get_rules(policy_id=policy_id, meta_rule_id=meta_rule_id, rule_id=rule_id)
-
- @enforce(("read", "write"), "rules")
- def add_rule(self, user_id, policy_id, meta_rule_id, value):
- if not self.get_policies(user_id=user_id, policy_id=policy_id):
- raise exceptions.PolicyUnknown
- return self.driver.add_rule(policy_id=policy_id, meta_rule_id=meta_rule_id, value=value)
-
- @enforce(("read", "write"), "rules")
- def delete_rule(self, user_id, policy_id, rule_id):
- return self.driver.delete_rule(policy_id=policy_id, rule_id=rule_id)
-
- @enforce("read", "meta_data")
- def get_available_metadata(self, user_id, policy_id):
- categories = {
- "subject": [],
- "object": [],
- "action": []
- }
- policy = self.driver.get_policies(policy_id=policy_id)
- if not policy:
- raise exceptions.PolicyUnknown
- model_id = policy[policy_id]["model_id"]
- model = Managers.ModelManager.get_models(user_id=user_id, model_id=model_id)
- try:
- meta_rule_list = model[model_id]["meta_rules"]
- for meta_rule_id in meta_rule_list:
- meta_rule = Managers.ModelManager.get_meta_rules(user_id=user_id, meta_rule_id=meta_rule_id)
- categories["subject"].extend(meta_rule[meta_rule_id]["subject_categories"])
- categories["object"].extend(meta_rule[meta_rule_id]["object_categories"])
- categories["action"].extend(meta_rule[meta_rule_id]["action_categories"])
- finally:
- return categories