aboutsummaryrefslogtreecommitdiffstats
path: root/python_moondb/python_moondb/api
diff options
context:
space:
mode:
Diffstat (limited to 'python_moondb/python_moondb/api')
-rw-r--r--python_moondb/python_moondb/api/model.py79
-rw-r--r--python_moondb/python_moondb/api/pdp.py8
-rw-r--r--python_moondb/python_moondb/api/policy.py75
3 files changed, 148 insertions, 14 deletions
diff --git a/python_moondb/python_moondb/api/model.py b/python_moondb/python_moondb/api/model.py
index bd475365..c1603b83 100644
--- a/python_moondb/python_moondb/api/model.py
+++ b/python_moondb/python_moondb/api/model.py
@@ -9,7 +9,6 @@ from python_moonutilities import exceptions
from python_moonutilities.security_functions import filter_input, enforce
from python_moondb.api.managers import Managers
-
logger = logging.getLogger("moon.db.api.model")
@@ -23,6 +22,10 @@ class ModelManager(Managers):
def update_model(self, user_id, model_id, value):
if model_id not in self.driver.get_models(model_id=model_id):
raise exceptions.ModelUnknown
+ if value and 'meta_rules' in value:
+ for meta_rule_id in value['meta_rules']:
+ if not self.driver.get_meta_rules(meta_rule_id=meta_rule_id):
+ raise exceptions.MetaRuleUnknown
return self.driver.update_model(model_id=model_id, value=value)
@enforce(("read", "write"), "models")
@@ -30,6 +33,10 @@ class ModelManager(Managers):
if model_id not in self.driver.get_models(model_id=model_id):
raise exceptions.ModelUnknown
# TODO (asteroide): check that no policy is connected to this model
+ policies = Managers.PolicyManager.get_policies(user_id=user_id)
+ for policy in policies:
+ if policies[policy]['model_id'] == model_id:
+ raise exceptions.DeleteModelWithPolicy
return self.driver.delete_model(model_id=model_id)
@enforce(("read", "write"), "models")
@@ -38,6 +45,10 @@ class ModelManager(Managers):
raise exceptions.ModelExisting
if not model_id:
model_id = uuid4().hex
+ if value and 'meta_rules' in value:
+ for meta_rule_id in value['meta_rules']:
+ if not self.driver.get_meta_rules(meta_rule_id=meta_rule_id):
+ raise exceptions.MetaRuleUnknown
return self.driver.add_model(model_id=model_id, value=value)
@enforce("read", "models")
@@ -48,6 +59,19 @@ class ModelManager(Managers):
def set_meta_rule(self, user_id, meta_rule_id, value):
if meta_rule_id not in self.driver.get_meta_rules(meta_rule_id=meta_rule_id):
raise exceptions.MetaRuleUnknown
+ if value:
+ if 'subject_categories' in value:
+ for subject_category_id in value['subject_categories']:
+ if not self.driver.get_subject_categories(category_id=subject_category_id):
+ raise exceptions.SubjectCategoryUnknown
+ if 'object_categories' in value:
+ for object_category_id in value['object_categories']:
+ if not self.driver.get_object_categories(category_id=object_category_id):
+ raise exceptions.ObjectCategoryUnknown
+ if 'action_categories' in value:
+ for action_category_id in value['action_categories']:
+ if not self.driver.get_action_categories(category_id=action_category_id):
+ raise exceptions.ActionCategoryUnknown
return self.driver.set_meta_rule(meta_rule_id=meta_rule_id, value=value)
@enforce("read", "meta_rules")
@@ -58,9 +82,19 @@ class ModelManager(Managers):
def add_meta_rule(self, user_id, meta_rule_id=None, value=None):
if meta_rule_id in self.driver.get_meta_rules(meta_rule_id=meta_rule_id):
raise exceptions.MetaRuleExisting
- if not meta_rule_id:
- meta_rule_id = uuid4().hex
- logger.info("add_meta_rule {}".format(value))
+ if value:
+ if 'subject_categories' in value:
+ for subject_category_id in value['subject_categories']:
+ if not self.driver.get_subject_categories(category_id=subject_category_id):
+ raise exceptions.SubjectCategoryUnknown
+ if 'object_categories' in value:
+ for object_category_id in value['object_categories']:
+ if not self.driver.get_object_categories(category_id=object_category_id):
+ raise exceptions.ObjectCategoryUnknown
+ if 'action_categories' in value:
+ for action_category_id in value['action_categories']:
+ if not self.driver.get_action_categories(category_id=action_category_id):
+ raise exceptions.ActionCategoryUnknown
return self.driver.set_meta_rule(meta_rule_id=meta_rule_id, value=value)
@enforce(("read", "write"), "meta_rules")
@@ -68,6 +102,10 @@ class ModelManager(Managers):
if meta_rule_id not in self.driver.get_meta_rules(meta_rule_id=meta_rule_id):
raise exceptions.MetaRuleUnknown
# TODO (asteroide): check and/or delete data and assignments and rules linked to that meta_rule
+ models = self.get_models(user_id=user_id)
+ for model_id in models:
+ if models[model_id]['meta_rules'] == meta_rule_id:
+ raise exceptions.DeleteMetaRuleWithModel
return self.driver.delete_meta_rule(meta_rule_id=meta_rule_id)
@enforce("read", "meta_data")
@@ -78,8 +116,6 @@ class ModelManager(Managers):
def add_subject_category(self, user_id, category_id=None, value=None):
if category_id in self.driver.get_subject_categories(category_id=category_id):
raise exceptions.SubjectCategoryExisting
- # if not category_id:
- # category_id = uuid4().hex
return self.driver.add_subject_category(name=value["name"], description=value["description"], uuid=category_id)
@enforce(("read", "write"), "meta_data")
@@ -88,6 +124,16 @@ class ModelManager(Managers):
# TODO (asteroide): delete all meta_rules linked to that category
if category_id not in self.driver.get_subject_categories(category_id=category_id):
raise exceptions.SubjectCategoryUnknown
+ meta_rules = self.get_meta_rules(user_id=user_id)
+ for meta_rule_id in meta_rules:
+ for subject_category_id in meta_rules[meta_rule_id]['subject_categories']:
+ logger.info("delete_subject_category {} {}".format(subject_category_id, meta_rule_id))
+ logger.info("delete_subject_category {}".format(meta_rules[meta_rule_id]))
+ if subject_category_id == category_id:
+ self.delete_meta_rule(user_id, meta_rule_id)
+ # raise exceptions.DeleteCategoryWithMetaRule
+ if self.driver.is_subject_data_exist(category_id=category_id):
+ raise exceptions.DeleteCategoryWithData
return self.driver.delete_subject_category(category_id=category_id)
@enforce("read", "meta_data")
@@ -98,8 +144,6 @@ class ModelManager(Managers):
def add_object_category(self, user_id, category_id=None, value=None):
if category_id in self.driver.get_object_categories(category_id=category_id):
raise exceptions.ObjectCategoryExisting
- # if not category_id:
- # category_id = uuid4().hex
return self.driver.add_object_category(name=value["name"], description=value["description"], uuid=category_id)
@enforce(("read", "write"), "meta_data")
@@ -108,6 +152,13 @@ class ModelManager(Managers):
# TODO (asteroide): delete all meta_rules linked to that category
if category_id not in self.driver.get_object_categories(category_id=category_id):
raise exceptions.ObjectCategoryUnknown
+ meta_rules = self.get_meta_rules(user_id=user_id)
+ for meta_rule_id in meta_rules:
+ for object_category_id in meta_rules[meta_rule_id]['object_categories']:
+ if object_category_id == category_id:
+ self.delete_meta_rule(user_id, meta_rule_id)
+ if self.driver.is_object_data_exist(category_id=category_id):
+ raise exceptions.DeleteCategoryWithData
return self.driver.delete_object_category(category_id=category_id)
@enforce("read", "meta_data")
@@ -118,8 +169,6 @@ class ModelManager(Managers):
def add_action_category(self, user_id, category_id=None, value=None):
if category_id in self.driver.get_action_categories(category_id=category_id):
raise exceptions.ActionCategoryExisting
- # if not category_id:
- # category_id = uuid4().hex
return self.driver.add_action_category(name=value["name"], description=value["description"], uuid=category_id)
@enforce(("read", "write"), "meta_data")
@@ -127,6 +176,12 @@ class ModelManager(Managers):
# TODO (asteroide): delete all data linked to that category
# TODO (asteroide): delete all meta_rules linked to that category
if category_id not in self.driver.get_action_categories(category_id=category_id):
- raise exceptions.ActionCategoryExisting
+ raise exceptions.ActionCategoryUnknown
+ meta_rules = self.get_meta_rules(user_id=user_id)
+ for meta_rule_id in meta_rules:
+ for action_category_id in meta_rules[meta_rule_id]['action_categories']:
+ if action_category_id == category_id:
+ self.delete_meta_rule(user_id, meta_rule_id)
+ if self.driver.is_action_data_exist(category_id=category_id):
+ raise exceptions.DeleteCategoryWithData
return self.driver.delete_action_category(category_id=category_id)
-
diff --git a/python_moondb/python_moondb/api/pdp.py b/python_moondb/python_moondb/api/pdp.py
index 7e852ca8..d0a071c9 100644
--- a/python_moondb/python_moondb/api/pdp.py
+++ b/python_moondb/python_moondb/api/pdp.py
@@ -22,6 +22,10 @@ class PDPManager(Managers):
def update_pdp(self, user_id, pdp_id, value):
if pdp_id not in self.driver.get_pdp(pdp_id=pdp_id):
raise exceptions.PdpUnknown
+ if value and 'security_pipeline' in value:
+ for policy_id in value['security_pipeline']:
+ if not Managers.PolicyManager.get_policies(user_id=user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
return self.driver.update_pdp(pdp_id=pdp_id, value=value)
@enforce(("read", "write"), "pdp")
@@ -36,6 +40,10 @@ class PDPManager(Managers):
raise exceptions.PdpExisting
if not pdp_id:
pdp_id = uuid4().hex
+ if value and 'security_pipeline' in value:
+ for policy_id in value['security_pipeline']:
+ if not Managers.PolicyManager.get_policies(user_id=user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
return self.driver.add_pdp(pdp_id=pdp_id, value=value)
@enforce("read", "pdp")
diff --git a/python_moondb/python_moondb/api/policy.py b/python_moondb/python_moondb/api/policy.py
index ca313f9a..05c2b7d5 100644
--- a/python_moondb/python_moondb/api/policy.py
+++ b/python_moondb/python_moondb/api/policy.py
@@ -8,6 +8,7 @@ import logging
from python_moonutilities.security_functions import enforce
from python_moondb.api.managers import Managers
from python_moonutilities import exceptions
+# from python_moondb.core import PDPManager
logger = logging.getLogger("moon.db.api.policy")
@@ -39,6 +40,9 @@ class PolicyManager(Managers):
def update_policy(self, user_id, policy_id, value):
if policy_id not in self.driver.get_policies(policy_id=policy_id):
raise exceptions.PolicyUnknown
+ if value and 'model_id' in value and value['model_id'] != "":
+ if not Managers.ModelManager.get_models(user_id, model_id=value['model_id']):
+ raise exceptions.ModelUnknown
return self.driver.update_policy(policy_id=policy_id, value=value)
@enforce(("read", "write"), "policies")
@@ -46,6 +50,11 @@ class PolicyManager(Managers):
# TODO (asteroide): unmap PDP linked to that policy
if policy_id not in self.driver.get_policies(policy_id=policy_id):
raise exceptions.PolicyUnknown
+ pdps = self.PDPManager.get_pdp(user_id=user_id)
+ for pdp in pdps:
+ for policy_id in pdps[pdp]['security_pipeline']:
+ if policy_id == policy_id:
+ raise exceptions.DeletePolicyWithPdp
return self.driver.delete_policy(policy_id=policy_id)
@enforce(("read", "write"), "policies")
@@ -54,6 +63,9 @@ class PolicyManager(Managers):
raise exceptions.PolicyExisting
if not policy_id:
policy_id = uuid4().hex
+ if value and 'model_id' in value and value['model_id'] != "":
+ if not Managers.ModelManager.get_models(user_id, model_id=value['model_id']):
+ raise exceptions.ModelUnknown
return self.driver.add_policy(policy_id=policy_id, value=value)
@enforce("read", "policies")
@@ -62,10 +74,19 @@ class PolicyManager(Managers):
@enforce("read", "perimeter")
def get_subjects(self, user_id, policy_id, perimeter_id=None):
+ if not policy_id:
+ pass
+ elif not (policy_id and self.get_policies(user_id=user_id, policy_id=policy_id)):
+ raise exceptions.PolicyUnknown
return self.driver.get_subjects(policy_id=policy_id, perimeter_id=perimeter_id)
@enforce(("read", "write"), "perimeter")
def add_subject(self, user_id, policy_id, perimeter_id=None, value=None):
+ if not value or "name" not in value or not value["name"].strip():
+ raise exceptions.PerimeterNameInvalid
+ if value["name"] in map(lambda x: x['name'],
+ self.get_subjects(user_id, policy_id, perimeter_id).values()):
+ raise exceptions.SubjectExisting
k_user = Managers.KeystoneManager.get_user_by_name(value.get('name'))
if not k_user['users']:
k_user = Managers.KeystoneManager.create_user(value)
@@ -88,10 +109,16 @@ class PolicyManager(Managers):
@enforce(("read", "write"), "perimeter")
def delete_subject(self, user_id, policy_id, perimeter_id):
+ if policy_id and not self.get_policies(user_id=user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
return self.driver.delete_subject(policy_id=policy_id, perimeter_id=perimeter_id)
@enforce("read", "perimeter")
def get_objects(self, user_id, policy_id, perimeter_id=None):
+ if not policy_id:
+ pass
+ elif not (policy_id and self.get_policies(user_id=user_id, policy_id=policy_id)):
+ raise exceptions.PolicyUnknown
return self.driver.get_objects(policy_id=policy_id, perimeter_id=perimeter_id)
@enforce(("read", "write"), "perimeter")
@@ -104,22 +131,30 @@ class PolicyManager(Managers):
@enforce(("read", "write"), "perimeter")
def delete_object(self, user_id, policy_id, perimeter_id):
+ if policy_id and not self.get_policies(user_id=user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
return self.driver.delete_object(policy_id=policy_id, perimeter_id=perimeter_id)
@enforce("read", "perimeter")
def get_actions(self, user_id, policy_id, perimeter_id=None):
+ if not policy_id:
+ pass
+ elif not (policy_id and self.get_policies(user_id=user_id, policy_id=policy_id)):
+ raise exceptions.PolicyUnknown
return self.driver.get_actions(policy_id=policy_id, perimeter_id=perimeter_id)
@enforce(("read", "write"), "perimeter")
def add_action(self, user_id, policy_id, perimeter_id=None, value=None):
+ logger.debug("add_action {}".format(policy_id))
if not self.get_policies(user_id=user_id, policy_id=policy_id):
raise exceptions.PolicyUnknown
- if not perimeter_id:
- perimeter_id = uuid4().hex
return self.driver.set_action(policy_id=policy_id, perimeter_id=perimeter_id, value=value)
@enforce(("read", "write"), "perimeter")
def delete_action(self, user_id, policy_id, perimeter_id):
+ logger.debug("delete_action {} {} {}".format(policy_id, perimeter_id, self.get_policies(user_id=user_id, policy_id=policy_id)))
+ if policy_id and not self.get_policies(user_id=user_id, policy_id=policy_id):
+ raise exceptions.PolicyUnknown
return self.driver.delete_action(policy_id=policy_id, perimeter_id=perimeter_id)
@enforce("read", "data")
@@ -139,6 +174,8 @@ class PolicyManager(Managers):
def set_subject_data(self, user_id, policy_id, data_id=None, category_id=None, value=None):
if not category_id:
raise Exception('Invalid category id')
+ if not Managers.ModelManager.get_subject_categories(user_id=user_id, category_id=category_id):
+ raise exceptions.MetaDataUnknown
if not self.get_policies(user_id=user_id, policy_id=policy_id):
raise exceptions.PolicyUnknown
if not data_id:
@@ -148,6 +185,9 @@ class PolicyManager(Managers):
@enforce(("read", "write"), "data")
def delete_subject_data(self, user_id, policy_id, data_id):
# TODO (asteroide): check and/or delete assignments linked to that data
+ subject_assignments = self.get_subject_assignments(user_id=user_id, policy_id=policy_id, subject_id=data_id)
+ if subject_assignments:
+ raise exceptions.DeleteData
return self.driver.delete_subject_data(policy_id=policy_id, data_id=data_id)
@enforce("read", "data")
@@ -167,6 +207,8 @@ class PolicyManager(Managers):
def add_object_data(self, user_id, policy_id, data_id=None, category_id=None, value=None):
if not category_id:
raise Exception('Invalid category id')
+ if not Managers.ModelManager.get_object_categories(user_id=user_id, category_id=category_id):
+ raise exceptions.MetaDataUnknown
if not self.get_policies(user_id=user_id, policy_id=policy_id):
raise exceptions.PolicyUnknown
if not data_id:
@@ -176,6 +218,9 @@ class PolicyManager(Managers):
@enforce(("read", "write"), "data")
def delete_object_data(self, user_id, policy_id, data_id):
# TODO (asteroide): check and/or delete assignments linked to that data
+ object_assignments = self.get_object_assignments(user_id=user_id, policy_id=policy_id, object_id=data_id)
+ if object_assignments:
+ raise exceptions.DeleteData
return self.driver.delete_object_data(policy_id=policy_id, data_id=data_id)
@enforce("read", "data")
@@ -195,6 +240,8 @@ class PolicyManager(Managers):
def add_action_data(self, user_id, policy_id, data_id=None, category_id=None, value=None):
if not category_id:
raise Exception('Invalid category id')
+ if not Managers.ModelManager.get_action_categories(user_id=user_id, category_id=category_id):
+ raise exceptions.MetaDataUnknown
if not self.get_policies(user_id=user_id, policy_id=policy_id):
raise exceptions.PolicyUnknown
if not data_id:
@@ -204,6 +251,9 @@ class PolicyManager(Managers):
@enforce(("read", "write"), "data")
def delete_action_data(self, user_id, policy_id, data_id):
# TODO (asteroide): check and/or delete assignments linked to that data
+ action_assignments = self.get_action_assignments(user_id=user_id, policy_id=policy_id, action_id=data_id)
+ if action_assignments:
+ raise exceptions.DeleteData
return self.driver.delete_action_data(policy_id=policy_id, data_id=data_id)
@enforce("read", "assignments")
@@ -214,6 +264,12 @@ class PolicyManager(Managers):
def add_subject_assignment(self, user_id, policy_id, subject_id, category_id, data_id):
if not self.get_policies(user_id=user_id, policy_id=policy_id):
raise exceptions.PolicyUnknown
+ if not self.get_subjects(user_id=user_id, policy_id=policy_id, perimeter_id=subject_id):
+ raise exceptions.SubjectUnknown
+ if not Managers.ModelManager.get_subject_categories(user_id=user_id, category_id=category_id):
+ raise exceptions.MetaDataUnknown
+ if not self.get_subject_data(user_id=user_id, policy_id=policy_id, data_id=data_id):
+ raise exceptions.DataUnknown
return self.driver.add_subject_assignment(policy_id=policy_id, subject_id=subject_id,
category_id=category_id, data_id=data_id)
@@ -230,6 +286,12 @@ class PolicyManager(Managers):
def add_object_assignment(self, user_id, policy_id, object_id, category_id, data_id):
if not self.get_policies(user_id=user_id, policy_id=policy_id):
raise exceptions.PolicyUnknown
+ if not self.get_objects(user_id=user_id, policy_id=policy_id, perimeter_id=object_id):
+ raise exceptions.ObjectUnknown
+ if not Managers.ModelManager.get_object_categories(user_id=user_id, category_id=category_id):
+ raise exceptions.MetaDataUnknown
+ if not self.get_object_data(user_id=user_id, policy_id=policy_id, data_id=data_id):
+ raise exceptions.DataUnknown
return self.driver.add_object_assignment(policy_id=policy_id, object_id=object_id,
category_id=category_id, data_id=data_id)
@@ -246,6 +308,12 @@ class PolicyManager(Managers):
def add_action_assignment(self, user_id, policy_id, action_id, category_id, data_id):
if not self.get_policies(user_id=user_id, policy_id=policy_id):
raise exceptions.PolicyUnknown
+ if not self.get_actions(user_id=user_id, policy_id=policy_id, perimeter_id=action_id):
+ raise exceptions.ActionUnknown
+ if not Managers.ModelManager.get_action_categories(user_id=user_id, category_id=category_id):
+ raise exceptions.MetaDataUnknown
+ if not self.get_action_data(user_id=user_id, policy_id=policy_id, data_id=data_id):
+ raise exceptions.DataUnknown
return self.driver.add_action_assignment(policy_id=policy_id, action_id=action_id,
category_id=category_id, data_id=data_id)
@@ -257,11 +325,14 @@ class PolicyManager(Managers):
@enforce("read", "rules")
def get_rules(self, user_id, policy_id, meta_rule_id=None, rule_id=None):
return self.driver.get_rules(policy_id=policy_id, meta_rule_id=meta_rule_id, rule_id=rule_id)
+ logger.info("delete_subject_data: {} {}".format(policy_id, data_id))
@enforce(("read", "write"), "rules")
def add_rule(self, user_id, policy_id, meta_rule_id, value):
if not self.get_policies(user_id=user_id, policy_id=policy_id):
raise exceptions.PolicyUnknown
+ if not self.ModelManager.get_meta_rules(user_id=user_id, meta_rule_id=meta_rule_id):
+ raise exceptions.MetaRuleUnknown
return self.driver.add_rule(policy_id=policy_id, meta_rule_id=meta_rule_id, value=value)
@enforce(("read", "write"), "rules")