From 0e4a78d142013af0d1530db688350a83d5d65051 Mon Sep 17 00:00:00 2001 From: WuKong Date: Thu, 16 Jul 2015 18:06:45 +0200 Subject: reivew code Change-Id: I912698ca09a6c1161c02502a7ea551a5ee905949 Signed-off-by: WuKong --- keystone-moon/keystone/contrib/moon/algorithms.py | 6 +- .../keystone/contrib/moon/backends/sql.py | 76 +- keystone-moon/keystone/contrib/moon/controllers.py | 8 +- keystone-moon/keystone/contrib/moon/core.py | 1076 +++++++++++--------- keystone-moon/keystone/contrib/moon/exception.py | 187 +++- .../unit/test_unit_core_intra_extension_admin.py | 10 +- .../unit/test_unit_core_intra_extension_authz.py | 12 +- .../keystone/tests/moon/unit/test_unit_core_log.py | 2 +- .../tests/moon/unit/test_unit_core_tenant.py | 6 +- 9 files changed, 788 insertions(+), 595 deletions(-) (limited to 'keystone-moon') diff --git a/keystone-moon/keystone/contrib/moon/algorithms.py b/keystone-moon/keystone/contrib/moon/algorithms.py index e43e9222..49690f64 100644 --- a/keystone-moon/keystone/contrib/moon/algorithms.py +++ b/keystone-moon/keystone/contrib/moon/algorithms.py @@ -34,7 +34,7 @@ rule_dict = [ ] """ -def inclusion(authz_buffer, sub_meta_rule_dict, rule_dict): +def inclusion(authz_buffer, sub_meta_rule_dict, rule_list): _cat = [] for subject_cat in sub_meta_rule_dict['subject_categories']: if subject_cat in authz_buffer['subject_attributes']: @@ -47,13 +47,13 @@ def inclusion(authz_buffer, sub_meta_rule_dict, rule_dict): _cat.append(authz_buffer['object_attributes'][object_cat]) for _element in itertools.product(*_cat): - if list(_element) in rule_dict: + if list(_element) in rule_list: return True return False -def comparison(_authz_buffer, _sub_meta_rule_dict, _rule_dict): +def comparison(authz_buffer, sub_meta_rule_dict, rule_list): return diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py index 39b52ce6..4da0f1c8 100644 --- a/keystone-moon/keystone/contrib/moon/backends/sql.py +++ b/keystone-moon/keystone/contrib/moon/backends/sql.py @@ -382,7 +382,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() return ref.to_dict() def set_subject_dict(self, extension_uuid, subject_uuid): @@ -412,7 +412,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() subjects = dict(old_ref["subjects"]) subjects[subject_uuid] = subject_name @@ -434,7 +434,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() else: old_ref = ref.to_dict() subjects = dict(old_ref["subjects"]) @@ -460,7 +460,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() return ref.to_dict() def set_object_dict(self, extension_uuid, object_uuid): @@ -490,7 +490,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() objects = dict(old_ref["objects"]) objects[object_uuid] = object_name @@ -512,7 +512,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() else: old_ref = ref.to_dict() objects = dict(old_ref["objects"]) @@ -538,7 +538,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() return ref.to_dict() def set_action_dict(self, extension_uuid, action_uuid): @@ -568,7 +568,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() actions = dict(old_ref["actions"]) actions[action_uuid] = action_name @@ -590,7 +590,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() else: old_ref = ref.to_dict() actions = dict(old_ref["actions"]) @@ -618,7 +618,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() return ref.to_dict() def set_subject_category_dict(self, extension_uuid, subject_categories): @@ -648,7 +648,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() subject_categories = dict(old_ref["subject_categories"]) subject_categories[subject_category_uuid] = subject_category_name @@ -670,7 +670,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() else: old_ref = ref.to_dict() subject_categories = dict(old_ref["subject_categories"]) @@ -699,7 +699,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() return ref.to_dict() def set_object_category_dict(self, extension_uuid, object_categories): @@ -729,7 +729,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() object_categories = dict(old_ref["object_categories"]) object_categories[object_category_uuid] = object_category_name @@ -751,7 +751,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() else: old_ref = ref.to_dict() object_categories = dict(old_ref["object_categories"]) @@ -780,7 +780,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() return ref.to_dict() def set_action_category_dict(self, extension_uuid, action_categories): @@ -810,7 +810,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() action_categories = dict(old_ref["action_categories"]) action_categories[action_category_uuid] = action_category_name @@ -832,7 +832,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() else: old_ref = ref.to_dict() action_categories = dict(old_ref["action_categories"]) @@ -861,7 +861,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() result = copy.deepcopy(ref.to_dict()) if subject_category not in result["subject_category_scope"].keys(): raise SubjectScopeUnknown() @@ -895,7 +895,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() scope = copy.deepcopy(old_ref["subject_category_scope"]) if subject_category not in scope.keys(): @@ -909,7 +909,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() scope = dict(old_ref["subject_category_scope"]) if subject_category not in scope: @@ -938,7 +938,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() result = copy.deepcopy(ref.to_dict()) if object_category not in result["object_category_scope"].keys(): raise ObjectScopeUnknown() @@ -972,7 +972,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() scope = dict(old_ref["object_category_scope"]) if object_category not in scope: @@ -986,7 +986,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() scope = dict(old_ref["object_category_scope"]) if object_category not in scope: @@ -1015,7 +1015,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() result = copy.deepcopy(ref.to_dict()) if action_category not in result["action_category_scope"].keys(): raise ActionScopeUnknown() @@ -1049,7 +1049,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() scope = dict(old_ref["action_category_scope"]) if action_category not in scope: @@ -1063,7 +1063,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() scope = dict(old_ref["action_category_scope"]) if action_category not in scope: @@ -1098,7 +1098,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound("get_subject_category_assignment_dict") + raise IntraExtensionUnknown("get_subject_category_assignment_dict") _ref = ref.to_dict() if subject_uuid in _ref["subject_category_assignments"]: _backup_dict = _ref["subject_category_assignments"][subject_uuid] @@ -1146,7 +1146,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() assignments = ref.to_dict()['subject_category_assignments'] if subject_uuid not in assignments: assignments[subject_uuid] = dict() @@ -1165,7 +1165,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() if subject_uuid in old_ref["subject_category_assignments"]: if category_uuid in old_ref["subject_category_assignments"][subject_uuid]: @@ -1199,7 +1199,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() _ref = ref.to_dict() if object_uuid in _ref["object_category_assignments"]: _backup_dict = _ref["object_category_assignments"][object_uuid] @@ -1243,7 +1243,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() assignments = ref.to_dict()['object_category_assignments'] if object_uuid not in assignments: assignments[object_uuid] = dict() @@ -1262,7 +1262,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() if object_uuid in old_ref["object_category_assignments"]: if category_uuid in old_ref["object_category_assignments"][object_uuid]: @@ -1290,7 +1290,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() _ref = ref.to_dict() if action_uuid in _ref["action_category_assignments"]: _backup_dict = _ref["action_category_assignments"][action_uuid] @@ -1334,7 +1334,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() assignments = ref.to_dict()['action_category_assignments'] if action_uuid not in assignments: assignments[action_uuid] = dict() @@ -1353,7 +1353,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() old_ref = ref.to_dict() if action_uuid in old_ref["action_category_assignments"]: if category_uuid in old_ref["action_category_assignments"][action_uuid]: @@ -1375,7 +1375,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() return ref.to_dict() def set_meta_rule_dict(self, extension_uuid, meta_rule_dict): @@ -1403,7 +1403,7 @@ class IntraExtensionConnector(IntraExtensionDriver): query = query.filter_by(intra_extension_uuid=extension_uuid) ref = query.first() if not ref: - raise IntraExtensionNotFound() + raise IntraExtensionUnknown() return ref.to_dict() def set_rule_dict(self, extension_uuid, rule_dict): diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py index 592aa699..23f3b615 100644 --- a/keystone-moon/keystone/contrib/moon/controllers.py +++ b/keystone-moon/keystone/contrib/moon/controllers.py @@ -176,7 +176,7 @@ class IntraExtensions(controller.V3Controller): def del_intra_extension(self, context, **kw): user_id = self._get_user_id_from_token(context["token_id"]) if "ie_id" not in kw: - raise IntraExtensionNotFound + raise IntraExtensionUnknown ie_id = kw.get('intra_extension_id', None) return self.admin_api.del_intra_extension(user_id, ie_id) @@ -490,7 +490,7 @@ class IntraExtensions(controller.V3Controller): ie_id = kw.get("intra_extension_id", None) subject_id = kw["subject_id"] subject_category_id = kw["subject_category_id"] - return self.admin_api.get_subject_assignment_dict(user_id, ie_id, subject_id)[subject_category_id] + return self.admin_api.get_subject_assignment_dict(user_id, ie_id, subject_id, subject_category_id) @controller.protected() def del_subject_assignment(self, context, **kw): @@ -635,7 +635,7 @@ class IntraExtensions(controller.V3Controller): action_category_list = kw["action_categories"] sub_meta_rule_algorithm = kw["sub_meta_rule_algorithm"] - return self.admin_api.add_sub_meta_rule_dict( + return self.admin_api.add_sub_meta_rule( user_id, ie_id, sub_meta_rule_name, @@ -657,7 +657,7 @@ class IntraExtensions(controller.V3Controller): user_id = self._get_user_id_from_token(context["token_id"]) ie_id = kw.get("intra_extension_id") sub_meta_rule_id = kw["sub_meta_rule_id"] - return self.admin_api.del_sub_meta_rule(user_id, ie_id, sub_meta_rule_id) + return self.admin_api.get_sub_meta_rule(user_id, ie_id, sub_meta_rule_id) # Rules functions @controller.protected() diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py index 205f7a7b..a82821e4 100644 --- a/keystone-moon/keystone/contrib/moon/core.py +++ b/keystone-moon/keystone/contrib/moon/core.py @@ -119,32 +119,32 @@ def filter_input(data): @dependency.provider('configuration_api') -@dependency.requires('moonlog_api') +@dependency.requires('moonlog_api') # TODO: log should be totally removed to exception.py class ConfigurationManager(manager.Manager): def __init__(self): super(ConfigurationManager, self).__init__(CONF.moon.configuration_driver) - def get_policy_templete_dict(self, user_id): + def get_policy_template_dict(self, user_id): """ - Return a dictionary of all policy templetes - :return: {templete_id: templete_description, ...} + Return a dictionary of all policy templates + :return: {template_id: {name: temp_name, description: template_description}, ...} """ # TODO: check user right with user_id in SuperExtension - return self.driver.get_policy_templete_dict() + return self.driver.get_policy_template_dict() - def get_policy_templete_id_from_name(self, user_id, policy_templete_name): + def get_policy_template_id_from_name(self, user_id, policy_template_name): # TODO: check user right with user_id in SuperExtension - policy_templete_dict = self.driver.get_policy_templete_dict() - for policy_templete_id in policy_templete_dict: - if policy_templete_dict[policy_templete_id] is policy_templete_name: - return policy_templete_id + policy_template_dict = self.driver.get_policy_template_dict() + for policy_template_id in policy_template_dict: + if policy_template_dict[policy_template_id]['name'] is policy_template_name: + return policy_template_id return None def get_aggregation_algorithm_dict(self, user_id): """ Return a dictionary of all aggregation algorithm - :return: {aggre_algo_id: aggre_algo_description, ...} + :return: {aggre_algo_id: {name: aggre_name, description: aggre_algo_description}, ...} """ # TODO: check user right with user_id in SuperExtension return self.driver.get_aggregation_algorithm_dict() @@ -153,14 +153,14 @@ class ConfigurationManager(manager.Manager): # TODO: check user right with user_id in SuperExtension aggregation_algorithm_dict = self.driver.get_aggregation_algorithm_dict() for aggregation_algorithm_id in aggregation_algorithm_dict: - if aggregation_algorithm_dict[aggregation_algorithm_id] is aggregation_algorithm_name: + if aggregation_algorithm_dict[aggregation_algorithm_id]['name'] is aggregation_algorithm_name: return aggregation_algorithm_id return None def get_sub_meta_rule_algorithm_dict(self, user_id): """ Return a dictionary of sub_meta_rule algorithm - :return: {sub_meta_rule_id: sub_meta_rule_description, } + :return: {sub_meta_rule_id: {name: sub_meta_rule_name, description: sub_meta_rule_description}, } """ # TODO: check user right with user_id in SuperExtension return self.driver.get_sub_meta_rule_algorithm_dict() @@ -169,7 +169,7 @@ class ConfigurationManager(manager.Manager): # TODO: check user right with user_id in SuperExtension sub_meta_rule_algorithm_dict = self.driver.get_sub_meta_rule_algorithm_dict() for sub_meta_rule_algorithm_id in sub_meta_rule_algorithm_dict: - if sub_meta_rule_algorithm_dict[sub_meta_rule_algorithm_id] is sub_meta_rule_algorithm_name: + if sub_meta_rule_algorithm_dict[sub_meta_rule_algorithm_id]['name'] is sub_meta_rule_algorithm_name: return sub_meta_rule_algorithm_id return None @@ -181,65 +181,53 @@ class TenantManager(manager.Manager): def __init__(self): super(TenantManager, self).__init__(CONF.moon.tenant_driver) - def __get_tenant_dict(self): - """ - Return a dictionary with all tenants - :return: dict - """ - try: - return self.driver.get_tenant_dict() - except TenantListEmpty: - # TODO: move log to Exception - self.moonlog_api.error(_("Tenant Mapping list is empty.")) - return {} - def get_tenant_dict(self, user_id): """ Return a dictionary with all tenants :return: dict """ # TODO: check user right with user_id in SuperExtension - return self.__get_tenant_dict() + return self.driver.get_tenant_dict() def add_tenant(self, user_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id): # TODO: check user right with user_id in SuperExtension - try: - return self.driver.set_tenant(uuid4().hex, tenant_name, intra_authz_ext_id, intra_admin_ext_id) - except AddedTenantNameExist: - return None + tenant_dict = self.driver.get_tenant_dict() + for tenant_id in tenant_dict: + if tenant_dict[tenant_id]['name'] is tenant_name: + raise TenantAddedNameExisting() + return self.driver.add_tenant(uuid4().hex, tenant_name, intra_authz_ext_id, intra_admin_ext_id) def get_tenant(self, user_id, tenant_id): # TODO: check user right with user_id in SuperExtension - tenant_dict = self.__get_tenant_dict() + tenant_dict = self.driver.get_tenant_dict() if tenant_id not in tenant_dict: - raise TenantIDNotFound(_("Tenant UUID ({}) was not found.".format(tenant_id))) + raise TenantUnknown() return tenant_dict[tenant_id] def del_tenant(self, user_id, tenant_id): # TODO: check user right with user_id in SuperExtension - tenant_dict = self.__get_tenant_dict() - try: - return tenant_dict.pop(tenant_id) - except KeyError: - raise TenantIDNotFound + tenant_dict = self.driver.get_tenant_dict() + if tenant_id not in tenant_dict: + raise TenantUnknown() + return self.driver.del_tenant(tenant_id) - def set_tenant_dict(self, user_id, tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id): - # TODO: check user right with user_id in SuperExtension - # TODO (dthom): Tenant must be checked against Keystone database. - return self.driver.set_tenant(tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id) + # def set_tenant_dict(self, user_id, tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id): + # # TODO: check user right with user_id in SuperExtension + # # TODO (dthom): Tenant must be checked against Keystone database. + # return self.driver.set_tenant(tenant_id, tenant_name, intra_authz_ext_id, intra_admin_ext_id) - def get_tenant_name(self, user_id, tenant_id): + def get_tenant_name_from_id(self, user_id, tenant_id): # TODO: check user right with user_id in SuperExtension - tenant_dict = self.__get_tenant_dict() + tenant_dict = self.driver.get_tenant_dict() if tenant_id not in tenant_dict: - raise TenantIDNotFound(_("Tenant UUID ({}) was not found.".format(tenant_id))) + raise TenantUnknown() return tenant_dict[tenant_id]["name"] def set_tenant_name(self, user_id, tenant_id, tenant_name): # TODO: check user right with user_id in SuperExtension - tenant_dict = self.__get_tenant_dict() + tenant_dict = self.driver.get_tenant_dict() if tenant_id not in tenant_dict: - raise TenantIDNotFound(_("Tenant UUID ({}) was not found.".format(tenant_id))) + raise TenantUnknown() return self.driver.set_tenant( self, tenant_id, @@ -250,7 +238,7 @@ class TenantManager(manager.Manager): def get_tenant_id_from_name(self, user_id, tenant_name): # TODO: check user right with user_id in SuperExtension - tenant_dict = self.__get_tenant_dict() + tenant_dict = self.driver.get_tenant_dict() for tenant_id in tenant_dict: if tenant_dict[tenant_id]["name"] is tenant_name: return tenant_id @@ -265,11 +253,11 @@ class TenantManager(manager.Manager): """ # 1 tenant only with 1 authz extension and 1 admin extension # TODO: check user right with user_id in SuperExtension - tenant_dict = self.__get_tenant_dict() + tenant_dict = self.driver.get_tenant_dict() if tenant_id not in tenant_dict: - raise TenantIDNotFound(_("Tenant UUID ({}) was not found.".format(tenant_id))) - if not tenant_dict[tenant_id][genre]: - raise IntraExtensionNotFound(_("No IntraExtension found for Tenant {}.".format(tenant_id))) + raise TenantUnknown() + elif not tenant_dict[tenant_id][genre]: + raise TenantNoIntraExtension() return tenant_dict[tenant_id][genre] # TODO: check if we need the func @@ -330,47 +318,35 @@ class IntraExtensionManager(manager.Manager): 'action_attributes': {}, } """ - - # TODO(dthom) move exception raise to driver - if not self.driver.get_intra_extension(intra_extension_id): - raise IntraExtensionNotFound() - authz_buffer = dict() authz_buffer['subject_id'] = subject_id authz_buffer['object_id'] = object_id authz_buffer['action_id'] = action_id - - meta_data_dict = {} + meta_data_dict = dict() meta_data_dict["subject_categories"] = self.driver.get_subject_category_dict(intra_extension_id)["subject_categories"] meta_data_dict["object_categories"] = self.driver.get_object_category_dict(intra_extension_id)["object_categories"] meta_data_dict["action_categories"] = self.driver.get_action_category_dict(intra_extension_id)["action_categories"] - subject_assignment_dict = dict() for category in meta_data_dict["subject_categories"]: subject_assignment_dict[category] = self.driver.get_subject_assignment_dict( intra_extension_id, category)["subject_category_assignments"] - object_assignment_dict = dict() for category in meta_data_dict["object_categories"]: object_assignment_dict[category] = self.driver.get_object_assignment_dict( intra_extension_id, category)["object_category_assignments"] - action_assignment_dict = dict() for category in meta_data_dict["action_categories"]: action_assignment_dict[category] = self.driver.get_action_assignment_dict( intra_extension_id, category)["action_category_assignments"] - authz_buffer['subject_attributes'] = dict() authz_buffer['object_attributes'] = dict() authz_buffer['action_attributes'] = dict() - for _subject_category in meta_data_dict['subject_categories']: authz_buffer['subject_attributes'][_subject_category] = subject_assignment_dict[_subject_category] for _object_category in meta_data_dict['object_categories']: authz_buffer['object_attributes'][_object_category] = object_assignment_dict[_object_category] for _action_category in meta_data_dict['action_categories']: authz_buffer['action_attributes'][_action_category] = action_assignment_dict[_action_category] - return authz_buffer def authz(self, intra_extension_id, subject_id, object_id, action_id): @@ -390,24 +366,22 @@ class IntraExtensionManager(manager.Manager): ObjectCategoryAssignmentUnknown ActionCategoryAssignmentUnknown """ - authz_buffer = self.__get_authz_buffer(intra_extension_id, subject_id, object_id, action_id) decision_buffer = dict() meta_rule_dict = self.driver.get_meta_rule_dict(intra_extension_id) - rule_dict = self.driver.get_rule_dict(intra_extension_id) - for _rule in meta_rule_dict['sub_meta_rules']: - if meta_rule_dict['sub_meta_rules'][_rule]['algorithm'] == 'inclusion': - decision_buffer[_rule] = inclusion( + for sub_meta_rule_id in meta_rule_dict['sub_meta_rules']: + if meta_rule_dict['sub_meta_rules'][sub_meta_rule_id]['algorithm'] == 'inclusion': + decision_buffer[sub_meta_rule_id] = inclusion( authz_buffer, - meta_rule_dict['sub_meta_rules'][_rule], - rule_dict['rules'][_rule]) - elif meta_rule_dict['sub_meta_rules'][_rule]['algorithm'] == 'comparison': - decision_buffer[_rule] = comparison( + meta_rule_dict['sub_meta_rules'][sub_meta_rule_id], + self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id).values()) + elif meta_rule_dict['sub_meta_rules'][sub_meta_rule_id]['algorithm'] == 'comparison': + decision_buffer[sub_meta_rule_id] = comparison( authz_buffer, - meta_rule_dict['sub_meta_rules'][_rule], - rule_dict['rules'][_rule]) + meta_rule_dict['sub_meta_rules'][sub_meta_rule_id], + self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id).values()) if meta_rule_dict['aggregation'] == 'all_true': return all_true(decision_buffer) @@ -415,16 +389,17 @@ class IntraExtensionManager(manager.Manager): return False def get_intra_extension_dict(self, user_id): + """ + :param user_id: + :return: {intra_extension_id: intra_extension_name, ...} + """ # TODO: check will be done through super_extension later return self.driver.get_intra_extension_dict() - def get_intra_extension(self, user_id, intra_extension_id): - # TODO: check will be done through super_extension later - return self.driver.get_intra_extension(intra_extension_id) - # load policy from policy directory + # TODO (dthom) re-checkt these funcs - def __load_metadata_file(self, intra_extension, policy_dir): + def __load_metadata_file(self, intra_extension_dict, policy_dir): metadata_path = os.path.join(policy_dir, 'metadata.json') f = open(metadata_path) @@ -433,31 +408,31 @@ class IntraExtensionManager(manager.Manager): subject_categories_dict = dict() for _cat in json_perimeter['subject_categories']: subject_categories_dict[uuid4().hex] = {"name": _cat} - self.driver.set_subject_category_dict(intra_extension["id"], subject_categories_dict) + self.driver.set_subject_category_dict(intra_extension_dict["id"], subject_categories_dict) # Initialize scope categories for _cat in subject_categories_dict.keys(): - self.driver.set_subject_scope_dict(intra_extension["id"], _cat, {}) - intra_extension['subject_categories'] = subject_categories_dict + self.driver.set_subject_scope_dict(intra_extension_dict["id"], _cat, {}) + intra_extension_dict['subject_categories'] = subject_categories_dict object_categories_dict = dict() for _cat in json_perimeter['object_categories']: object_categories_dict[uuid4().hex] = {"name": _cat} - self.driver.set_object_category_dict(intra_extension["id"], object_categories_dict) + self.driver.set_object_category_dict(intra_extension_dict["id"], object_categories_dict) # Initialize scope categories for _cat in object_categories_dict.keys(): - self.driver.set_object_scope_dict(intra_extension["id"], _cat, {}) - intra_extension['object_categories'] = object_categories_dict + self.driver.set_object_scope_dict(intra_extension_dict["id"], _cat, {}) + intra_extension_dict['object_categories'] = object_categories_dict action_categories_dict = dict() for _cat in json_perimeter['action_categories']: action_categories_dict[uuid4().hex] = {"name": _cat} - self.driver.set_action_category_dict(intra_extension["id"], action_categories_dict) + self.driver.set_action_category_dict(intra_extension_dict["id"], action_categories_dict) # Initialize scope categories for _cat in action_categories_dict.keys(): - self.driver.set_action_scope_dict(intra_extension["id"], _cat, {}) - intra_extension['action_categories'] = action_categories_dict + self.driver.set_action_scope_dict(intra_extension_dict["id"], _cat, {}) + intra_extension_dict['action_categories'] = action_categories_dict - def __load_perimeter_file(self, intra_extension, policy_dir): + def __load_perimeter_file(self, intra_extension_dict, policy_dir): perimeter_path = os.path.join(policy_dir, 'perimeter.json') f = open(perimeter_path) @@ -468,125 +443,125 @@ class IntraExtensionManager(manager.Manager): for _subject in json_perimeter['subjects']: user = self.identity_api.get_user_by_name(_subject, "default") subject_dict[user["id"]] = user - self.driver.set_subject_dict(intra_extension["id"], subject_dict) - intra_extension["subjects"] = subject_dict + self.driver.set_subject_dict(intra_extension_dict["id"], subject_dict) + intra_extension_dict["subjects"] = subject_dict # Copy all values for objects and subjects object_dict = dict() for _object in json_perimeter['objects']: object_dict[uuid4().hex] = {"name": _object} - self.driver.set_object_dict(intra_extension["id"], object_dict) - intra_extension["objects"] = object_dict + self.driver.set_object_dict(intra_extension_dict["id"], object_dict) + intra_extension_dict["objects"] = object_dict action_dict = dict() for _action in json_perimeter['actions']: action_dict[uuid4().hex] = {"name": _action} - self.driver.set_action_dict(intra_extension["id"], action_dict) - intra_extension["ations"] = action_dict + self.driver.set_action_dict(intra_extension_dict["id"], action_dict) + intra_extension_dict["ations"] = action_dict - def __load_scope_file(self, intra_extension, policy_dir): + def __load_scope_file(self, intra_extension_dict, policy_dir): metadata_path = os.path.join(policy_dir, 'scope.json') f = open(metadata_path) json_perimeter = json.load(f) - intra_extension['subject_category_scope'] = dict() + intra_extension_dict['subject_category_scope'] = dict() for category, scope in json_perimeter["subject_category_scope"].iteritems(): - category = self.driver.get_uuid_from_name(intra_extension["id"], category, self.driver.SUBJECT_CATEGORY) + category = self.driver.get_uuid_from_name(intra_extension_dict["id"], category, self.driver.SUBJECT_CATEGORY) _scope_dict = dict() for _scope in scope: _scope_dict[uuid4().hex] = {"name": _scope} - self.driver.set_subject_scope_dict(intra_extension["id"], category, _scope_dict) - intra_extension['subject_category_scope'][category] = _scope_dict + self.driver.set_subject_scope_dict(intra_extension_dict["id"], category, _scope_dict) + intra_extension_dict['subject_category_scope'][category] = _scope_dict - intra_extension['object_category_scope'] = dict() + intra_extension_dict['object_category_scope'] = dict() for category, scope in json_perimeter["object_category_scope"].iteritems(): - category = self.driver.get_uuid_from_name(intra_extension["id"], category, self.driver.OBJECT_CATEGORY) + category = self.driver.get_uuid_from_name(intra_extension_dict["id"], category, self.driver.OBJECT_CATEGORY) _scope_dict = dict() for _scope in scope: _scope_dict[uuid4().hex] = {"name": _scope} - self.driver.set_object_scope_dict(intra_extension["id"], category, _scope_dict) - intra_extension['object_category_scope'][category] = _scope_dict + self.driver.set_object_scope_dict(intra_extension_dict["id"], category, _scope_dict) + intra_extension_dict['object_category_scope'][category] = _scope_dict - intra_extension['action_category_scope'] = dict() + intra_extension_dict['action_category_scope'] = dict() for category, scope in json_perimeter["action_category_scope"].iteritems(): - category = self.driver.get_uuid_from_name(intra_extension["id"], category, self.driver.ACTION_CATEGORY) + category = self.driver.get_uuid_from_name(intra_extension_dict["id"], category, self.driver.ACTION_CATEGORY) _scope_dict = dict() for _scope in scope: _scope_dict[uuid4().hex] = {"name": _scope} - self.driver.set_action_scope_dict(intra_extension["id"], category, _scope_dict) - intra_extension['action_category_scope'][category] = _scope_dict + self.driver.set_action_scope_dict(intra_extension_dict["id"], category, _scope_dict) + intra_extension_dict['action_category_scope'][category] = _scope_dict - def __load_assignment_file(self, intra_extension, policy_dir): + def __load_assignment_file(self, intra_extension_dict, policy_dir): f = open(os.path.join(policy_dir, 'assignment.json')) json_assignments = json.load(f) subject_assignments = dict() for category_name, value in json_assignments['subject_assignments'].iteritems(): - category = self.driver.get_uuid_from_name(intra_extension["id"], category_name, self.driver.SUBJECT_CATEGORY) + category = self.driver.get_uuid_from_name(intra_extension_dict["id"], category_name, self.driver.SUBJECT_CATEGORY) for user_name in value: - user_id = self.driver.get_uuid_from_name(intra_extension["id"], user_name, self.driver.SUBJECT) + user_id = self.driver.get_uuid_from_name(intra_extension_dict["id"], user_name, self.driver.SUBJECT) if user_id not in subject_assignments: subject_assignments[user_id] = dict() if category not in subject_assignments[user_id]: subject_assignments[user_id][category] = \ - map(lambda x: self.driver.get_uuid_from_name(intra_extension["id"], x, self.driver.SUBJECT_SCOPE, category_name), + map(lambda x: self.driver.get_uuid_from_name(intra_extension_dict["id"], x, self.driver.SUBJECT_SCOPE, category_name), value[user_name]) else: subject_assignments[user_id][category].extend( - map(lambda x: self.driver.get_uuid_from_name(intra_extension["id"], x, self.driver.SUBJECT_SCOPE, category_name), + map(lambda x: self.driver.get_uuid_from_name(intra_extension_dict["id"], x, self.driver.SUBJECT_SCOPE, category_name), value[user_name]) ) # Note (dthom): subject_category_assignment must be initialized because when there is no data in json # we will not go through the for loop - self.driver.set_subject_assignment_dict(intra_extension["id"]) + self.driver.set_subject_assignment_dict(intra_extension_dict["id"]) for subject in subject_assignments: - self.driver.set_subject_assignment_dict(intra_extension["id"], subject, subject_assignments[subject]) + self.driver.set_subject_assignment_dict(intra_extension_dict["id"], subject, subject_assignments[subject]) object_assignments = dict() for category_name, value in json_assignments["object_assignments"].iteritems(): - category = self.driver.get_uuid_from_name(intra_extension["id"], category_name, self.driver.OBJECT_CATEGORY) + category = self.driver.get_uuid_from_name(intra_extension_dict["id"], category_name, self.driver.OBJECT_CATEGORY) for object_name in value: if object_name not in object_assignments: object_assignments[object_name] = dict() if category not in object_assignments[object_name]: object_assignments[object_name][category] = \ - map(lambda x: self.driver.get_uuid_from_name(intra_extension["id"], x, self.driver.OBJECT_SCOPE, category_name), + map(lambda x: self.driver.get_uuid_from_name(intra_extension_dict["id"], x, self.driver.OBJECT_SCOPE, category_name), value[object_name]) else: object_assignments[object_name][category].extend( - map(lambda x: self.driver.get_uuid_from_name(intra_extension["id"], x, self.driver.OBJECT_SCOPE, category_name), + map(lambda x: self.driver.get_uuid_from_name(intra_extension_dict["id"], x, self.driver.OBJECT_SCOPE, category_name), value[object_name]) ) # Note (dthom): object_category_assignment must be initialized because when there is no data in json # we will not go through the for loop - self.driver.set_object_assignment_dict(intra_extension["id"]) + self.driver.set_object_assignment_dict(intra_extension_dict["id"]) for object in object_assignments: - self.driver.set_object_assignment_dict(intra_extension["id"], object, object_assignments[object]) + self.driver.set_object_assignment_dict(intra_extension_dict["id"], object, object_assignments[object]) action_assignments = dict() for category_name, value in json_assignments["action_assignments"].iteritems(): - category = self.driver.get_uuid_from_name(intra_extension["id"], category_name, self.driver.ACTION_CATEGORY) + category = self.driver.get_uuid_from_name(intra_extension_dict["id"], category_name, self.driver.ACTION_CATEGORY) for action_name in value: if action_name not in action_assignments: action_assignments[action_name] = dict() if category not in action_assignments[action_name]: action_assignments[action_name][category] = \ - map(lambda x: self.driver.get_uuid_from_name(intra_extension["id"], x, self.driver.ACTION_SCOPE, category_name), + map(lambda x: self.driver.get_uuid_from_name(intra_extension_dict["id"], x, self.driver.ACTION_SCOPE, category_name), value[action_name]) else: action_assignments[action_name][category].extend( - map(lambda x: self.driver.get_uuid_from_name(intra_extension["id"], x, self.driver.ACTION_SCOPE, category_name), + map(lambda x: self.driver.get_uuid_from_name(intra_extension_dict["id"], x, self.driver.ACTION_SCOPE, category_name), value[action_name]) ) # Note (dthom): action_category_assignment must be initialized because when there is no data in json # we will not go through the for loop - self.driver.set_action_assignment_dict(intra_extension["id"]) + self.driver.set_action_assignment_dict(intra_extension_dict["id"]) for action in action_assignments: - self.driver.set_action_assignment_dict(intra_extension["id"], action, action_assignments[action]) + self.driver.set_action_assignment_dict(intra_extension_dict["id"], action, action_assignments[action]) - def __load_metarule_file(self, intra_extension, policy_dir): + def __load_metarule_file(self, intra_extension_dict, policy_dir): metadata_path = os.path.join(policy_dir, 'metarule.json') f = open(metadata_path) @@ -604,23 +579,23 @@ class IntraExtensionManager(manager.Manager): for item in ("subject_categories", "object_categories", "action_categories"): metarule[relation][item] = list() for element in json_metarule["sub_meta_rules"][relation][item]: - metarule[relation][item].append(self.driver.get_uuid_from_name(intra_extension["id"], element, categories[item])) + metarule[relation][item].append(self.driver.get_uuid_from_name(intra_extension_dict["id"], element, categories[item])) metarule[relation]["algorithm"] = json_metarule["sub_meta_rules"][relation]["algorithm"] submetarules = { "aggregation": json_metarule["aggregation"], "sub_meta_rules": metarule } - self.driver.set_meta_rule_dict(intra_extension["id"], submetarules) + self.driver.set_meta_rule_dict(intra_extension_dict["id"], submetarules) - def __load_rule_file(self, intra_extension, policy_dir): + def __load_rule_file(self, intra_extension_dict, policy_dir): metadata_path = os.path.join(policy_dir, 'rule.json') f = open(metadata_path) json_rules = json.load(f) - intra_extension["rule"] = {"rule": copy.deepcopy(json_rules)} + intra_extension_dict["rule"] = {"rule": copy.deepcopy(json_rules)} # Translate value from JSON file to UUID for Database rules = dict() - sub_meta_rules = self.driver.get_meta_rule_dict(intra_extension["id"]) + sub_meta_rules = self.driver.get_meta_rule_dict(intra_extension_dict["id"]) for relation in json_rules: # print(relation) # print(self.get_sub_meta_rule_relations("admin", ie["id"])) @@ -632,21 +607,21 @@ class IntraExtensionManager(manager.Manager): _rule = list(rule) for category_uuid in sub_meta_rules["rule"][relation]["subject_categories"]: scope_name = _rule.pop(0) - scope_uuid = self.driver.get_uuid_from_name(intra_extension["id"], + scope_uuid = self.driver.get_uuid_from_name(intra_extension_dict["id"], scope_name, self.driver.SUBJECT_SCOPE, category_uuid=category_uuid) subrule.append(scope_uuid) for category_uuid in sub_meta_rules["rule"][relation]["action_categories"]: scope_name = _rule.pop(0) - scope_uuid = self.driver.get_uuid_from_name(intra_extension["id"], + scope_uuid = self.driver.get_uuid_from_name(intra_extension_dict["id"], scope_name, self.driver.ACTION_SCOPE, category_uuid=category_uuid) subrule.append(scope_uuid) for category_uuid in sub_meta_rules["rule"][relation]["object_categories"]: scope_name = _rule.pop(0) - scope_uuid = self.driver.get_uuid_from_name(intra_extension["id"], + scope_uuid = self.driver.get_uuid_from_name(intra_extension_dict["id"], scope_name, self.driver.OBJECT_SCOPE, category_uuid=category_uuid) @@ -673,224 +648,286 @@ class IntraExtensionManager(manager.Manager): # if value doesn't exist add a default value subrule.append(True) rules[relation].append(subrule) - self.driver.set_rule_dict(intra_extension["id"], rules) + self.driver.set_rule_dict(intra_extension_dict["id"], rules) - def load_intra_extension(self, user_id, intra_extension): + def load_intra_extension_dict(self, user_id, intra_extension_dict): # TODO: check will be done through super_extension later - ie = dict() + ie_dict = dict() # TODO: clean some values - ie['id'] = uuid4().hex - ie["name"] = filter_input(intra_extension["name"]) - ie["model"] = filter_input(intra_extension["policymodel"]) - ie["description"] = filter_input(intra_extension["description"]) - ref = self.driver.set_intra_extension(ie['id'], ie) + ie_dict['id'] = uuid4().hex + ie_dict["name"] = filter_input(intra_extension_dict["name"]) + ie_dict["model"] = filter_input(intra_extension_dict["policymodel"]) + ie_dict["description"] = filter_input(intra_extension_dict["description"]) + ref = self.driver.set_intra_extension(ie_dict['id'], ie_dict) self.moonlog_api.debug("Creation of IE: {}".format(ref)) # read the profile given by "policymodel" and populate default variables - policy_dir = os.path.join(CONF.moon.policy_directory, ie["model"]) - self.__load_perimeter_file(ie, policy_dir) - self.__load_metadata_file(ie, policy_dir) - self.__load_scope_file(ie, policy_dir) - self.__load_assignment_file(ie, policy_dir) - self.__load_metarule_file(ie, policy_dir) - self.__load_rule_file(ie, policy_dir) + policy_dir = os.path.join(CONF.moon.policy_directory, ie_dict["model"]) + self.__load_metadata_file(ie_dict, policy_dir) + self.__load_perimeter_file(ie_dict, policy_dir) + self.__load_scope_file(ie_dict, policy_dir) + self.__load_assignment_file(ie_dict, policy_dir) + self.__load_metarule_file(ie_dict, policy_dir) + self.__load_rule_file(ie_dict, policy_dir) return ref + def get_intra_extension(self, user_id, intra_extension_id): + """ + :param user_id: + :return: {intra_extension_id: intra_extension_name, ...} + """ + # TODO: check will be done through super_extension later + if intra_extension_id not in self.driver.get_intra_extension_dict(): + raise IntraExtensionUnknown() + return self.driver.get_intra_extension_dict()[intra_extension_id] + def del_intra_extension(self, user_id, intra_extension_id): # TODO: check will be done through super_extension later - ref = self.driver.del_intra_extension(intra_extension_id) - return ref + if intra_extension_id not in self.driver.get_intra_extension_dict(): + raise IntraExtensionUnknown() + return self.driver.del_intra_extension(intra_extension_id) # Metadata functions - @filter_args + @filter_args # TODO: check for each function if intra_entension_id exists @enforce("read", "subject_categories") def get_subject_category_dict(self, user_id, intra_extension_id): + """ + :param user_id: + :param intra_extension_id: + :return: {subject_catgory_id: subject_category_name, } + """ return self.driver.get_subject_category_dict(intra_extension_id) - @filter_args - @enforce("read", "subject_categories") - @enforce(("read", "write"), "subject_category_scope") - def set_subject_category_dict(self, user_id, intra_extension_id, subject_category_list): - subject_category = {uuid4().hex: item for item in subject_category_list} - subject_category_dict = self.driver.set_subject_category_dict(intra_extension_id, subject_category) - # if we add a new category, we must add it to the subject_category_scope - for _cat in subject_category.keys(): - try: - _ = self.driver.get_subject_scope_dict(intra_extension_id, _cat) - except SubjectScopeUnknown: - self.driver.set_subject_scope_dict(intra_extension_id, _cat, {}) - return subject_category_dict - @filter_args @enforce(("read", "write"), "subject_categories") - @enforce(("read", "write"), "subject_category_scope") + @enforce(("read", "write"), "subject_scopes") def add_subject_category(self, user_id, intra_extension_id, subject_category_name): - # TODO (asteroide): we must check input here. - # TODO: add category to scope + subject_category_dict = self.driver.get_subject_category_dict(intra_extension_id) + for subject_category_id in subject_category_dict: + if subject_category_dict[subject_category_id] is subject_category_name: + raise SubjectCategoryNameExisting() subject_category_id = uuid4().hex + # TODO (dthom): create category in scope + # self.driver.create_subject_category_in_scope(intra_extension_id, subject_category_id) return self.driver.add_subject_category(intra_extension_id, subject_category_id, subject_category_name) + @filter_args + @enforce("read", "subject_categories") + def get_subject_category(self, user_id, intra_extension_id, subject_category_id): + subject_category_dict = self.driver.get_subject_category_dict(intra_extension_id) + if subject_category_id not in subject_category_dict: + raise SubjectCategoryUnknown() + return self.driver.get_subject_category_dict(intra_extension_id)[subject_category_id] + @filter_args @enforce(("read", "write"), "subject_categories") - @enforce(("read", "write"), "subject_category_scope") + @enforce(("read", "write"), "subject_scopes") def del_subject_category(self, user_id, intra_extension_id, subject_category_id): - # TODO: del category from scope + subject_category_dict = self.driver.get_subject_category_dict(intra_extension_id) + if subject_category_id not in subject_category_dict: + raise SubjectCategoryUnknown() + # TODO (dthom): destroy category in scope + # self.driver.destroy_subject_category_in_scope(intra_extension_id, subject_category_id) + # TODO (dthom): destroy category-related assignment in assignement + # self.driver.destroy_subject_category_in_assignement(intra_extension_id, subject_category_id) return self.driver.del_subject_category(intra_extension_id, subject_category_id) @filter_args @enforce("read", "object_categories") def get_object_category_dict(self, user_id, intra_extension_id): + """ + :param user_id: + :param intra_extension_id: + :return: {object_catgory_id: object_category_name, } + """ return self.driver.get_object_category_dict(intra_extension_id) - @filter_args - @enforce("read", "object_categories") - @enforce(("read", "write"), "object_category_scope") - def set_object_category_dict(self, user_id, intra_extension_id, object_category_list): - # TODO (asteroide): we must check input here. - object_category = {uuid4().hex: item for item in object_category_list} - object_category_dict = self.driver.set_object_category_dict(intra_extension_id, object_category) - # if we add a new category, we must add it to the object_category_scope - for _cat in object_category.keys(): - try: - _ = self.driver.get_object_scope_dict(intra_extension_id, _cat) - except ObjectScopeUnknown: - self.driver.set_object_scope_dict(intra_extension_id, _cat, {}) - return object_category_dict - @filter_args @enforce(("read", "write"), "object_categories") - @enforce(("read", "write"), "object_category_scope") + @enforce(("read", "write"), "object_scopes") def add_object_category(self, user_id, intra_extension_id, object_category_name): - # TODO (asteroide): we must check input here. - # TODO: add category to scope + object_category_dict = self.driver.get_object_category_dict(intra_extension_id) + for object_category_id in object_category_dict: + if object_category_dict[object_category_id] is object_category_name: + raise ObjectCategoryNameExisting() object_category_id = uuid4().hex + # TODO (dthom): create category in scope + # self.driver.create_object_category_in_scope(intra_extension_id, object_category_id) return self.driver.add_object_category(intra_extension_id, object_category_id, object_category_name) + @filter_args + @enforce("read", "object_categories") + def get_object_category(self, user_id, intra_extension_id, object_category_id): + object_category_dict = self.driver.get_object_category_dict(intra_extension_id) + if object_category_id not in object_category_dict: + raise ObjectCategoryUnknown() + return self.driver.get_object_category_dict(intra_extension_id)[object_category_id] + @filter_args @enforce(("read", "write"), "object_categories") - @enforce(("read", "write"), "object_category_scope") - def del_object_category(self, user_id, intra_extension_id, object_id): - # TODO: add category to scope - return self.driver.del_object_category(intra_extension_id, object_id) + @enforce(("read", "write"), "object_scopes") + def del_object_category(self, user_id, intra_extension_id, object_category_id): + object_category_dict = self.driver.get_object_category_dict(intra_extension_id) + if object_category_id not in object_category_dict: + raise ObjectCategoryUnknown() + # TODO (dthom): destroy category in scope + # self.driver.destroy_object_category_in_scope(intra_extension_id, object_category_id) + # TODO (dthom): destroy category-related assignment in assignement + # self.driver.destroy_object_category_in_assignement(intra_extension_id, object_category_id) + return self.driver.del_object_category(intra_extension_id, object_category_id) @filter_args @enforce("read", "action_categories") def get_action_category_dict(self, user_id, intra_extension_id): + """ + :param user_id: + :param intra_extension_id: + :return: {action_catgory_id: action_category_name, } + """ return self.driver.get_action_category_dict(intra_extension_id) @filter_args @enforce(("read", "write"), "action_categories") - @enforce(("read", "write"), "action_category_scope") - def set_action_category_dict(self, user_id, intra_extension_id, action_category_list): - # TODO (asteroide): we must check input here. - action_category = {uuid4().hex: item for item in action_category_list} - action_category_dict = self.driver.set_action_category_dict(intra_extension_id, action_category) - # if we add a new category, we must add it to the action_category_scope - for _cat in action_category.keys(): - try: - _ = self.driver.get_action_scope_dict(intra_extension_id, _cat) - except ActionScopeUnknown: - self.driver.set_action_scope_dict(intra_extension_id, _cat, {}) - return action_category_dict - - @filter_args - @enforce(("read", "write"), "action_categories") - @enforce(("read", "write"), "action_category_scope") + @enforce(("read", "write"), "action_scopes") def add_action_category(self, user_id, intra_extension_id, action_category_name): - # TODO (asteroide): we must check input here. - # TODO: add category in scope + action_category_dict = self.driver.get_action_category_dict(intra_extension_id) + for action_category_id in action_category_dict: + if action_category_dict[action_category_id] is action_category_name: + raise ActionCategoryNameExisting() action_category_id = uuid4().hex + # TODO (dthom): create category in scope + # self.driver.create_action_category_in_scope(intra_extension_id, action_category_id) return self.driver.add_action_category(intra_extension_id, action_category_id, action_category_name) + @filter_args + @enforce("read", "action_categories") + def get_action_category(self, user_id, intra_extension_id, action_category_id): + action_category_dict = self.driver.get_action_category_dict(intra_extension_id) + if action_category_id not in action_category_dict: + raise ActionCategoryUnknown() + return self.driver.get_action_category_dict(intra_extension_id)[action_category_id] + @filter_args @enforce(("read", "write"), "action_categories") - @enforce(("read", "write"), "action_category_scope") - def del_action_category(self, user_id, intra_extension_id, action_id): - return self.driver.del_action_category(intra_extension_id, action_id) + @enforce(("read", "write"), "action_category_scopes") + def del_action_category(self, user_id, intra_extension_id, action_category_id): + action_category_dict = self.driver.get_action_category_dict(intra_extension_id) + if action_category_id not in action_category_dict: + raise ActionCategoryUnknown() + # TODO (dthom): destroy category in scope + # self.driver.destroy_action_category_in_scope(intra_extension_id, action_category_id) + # TODO (dthom): destroy category-related assignment in assignement + # self.driver.destroy_action_category_in_assignement(intra_extension_id, action_category_id) + return self.driver.del_action_category(intra_extension_id, action_category_id) # Perimeter functions @filter_args @enforce("read", "subjects") def get_subject_dict(self, user_id, intra_extension_id): + """ + :param user_id: + :param intra_extension_id: + :return: {subject_id: {name: subject_name, description: des, ...}, .. } + """ return self.driver.get_subject_dict(intra_extension_id) - @filter_args - @enforce(("read", "write"), "subjects") - def set_subject_dict(self, user_id, intra_extension_id, subject_list): - # TODO: propose to remove this - subject_dict = {} - for _user in subject_list: - # Next line will raise an error if user is not present in Keystone database - user = self.identity_api.get_user_by_name(_user["name"], "default") - subject_dict[user["id"]] = dict() - for key in user.keys(): - subject_dict[user["id"]][key] = user[key] - return self.driver.set_subject_dict(intra_extension_id, subject_dict) - @filter_args @enforce(("read", "write"), "subjects") def add_subject(self, user_id, intra_extension_id, subject_name): + subject_dict = self.driver.get_subject_dict(intra_extension_id) + for subject_id in subject_dict: + if subject_dict[subject_id]["name"] is subject_name: + raise SubjectNameExisting() # Next line will raise an error if user is not present in Keystone database - subject_dict = self.identity_api.get_user_by_name(subject_name, "default") - subjects = self.driver.add_subject(intra_extension_id, subject_dict["id"], subject_name) - return subjects + subject_item_dict = self.identity_api.get_user_by_name(subject_name, "default") + return self.driver.add_subject(intra_extension_id, subject_item_dict["id"], subject_name) + + @filter_args + @enforce("read", "subjects") + def get_subject(self, user_id, intra_extension_id, subject_id): + subject_dict = self.driver.get_subject_dict(intra_extension_id) + if subject_id in subject_dict: + raise SubjectUnknown() + return self.driver.get_subject_dict(intra_extension_id)[subject_id] @filter_args @enforce(("read", "write"), "subjects") def del_subject(self, user_id, intra_extension_id, subject_id): - self.driver.del_subject(intra_extension_id, subject_id) + subject_dict = self.driver.get_subject_dict(intra_extension_id) + if subject_id in subject_dict: + raise SubjectUnknown() + # TODO (dthom): destroy item-related assignment + return self.driver.del_subject(intra_extension_id, subject_id) @filter_args @enforce("read", "objects") def get_object_dict(self, user_id, intra_extension_id): + """ + :param user_id: + :param intra_extension_id: + :return: {object_id: {name: object_name, description: des, ...}, .. } + """ return self.driver.get_object_dict(intra_extension_id) - @filter_args - @enforce(("read", "write"), "objects") - def set_object_dict(self, user_id, intra_extension_id, object_list): - # TODO: propose to remove this - # TODO (asteroide): we must check input here. - object_dict = {uuid4().hex: item for item in object_list} - return self.driver.set_object_dict(intra_extension_id, object_dict) - @filter_args @enforce(("read", "write"), "objects") def add_object(self, user_id, intra_extension_id, object_name): - # TODO (asteroide): we must check input here. + object_dict = self.driver.get_object_dict(intra_extension_id) + for object_id in object_dict: + if object_dict[object_id]["name"] is object_name: + raise ObjectNameExisting() object_id = uuid4().hex return self.driver.add_object(intra_extension_id, object_id, object_name) + @filter_args + @enforce("read", "objects") + def get_object(self, user_id, intra_extension_id, object_id): + object_dict = self.driver.get_object_dict(intra_extension_id) + if object_id in object_dict: + raise ObjectUnknown() + return self.driver.get_object_dict(intra_extension_id)[object_id] + @filter_args @enforce(("read", "write"), "objects") def del_object(self, user_id, intra_extension_id, object_id): - self.driver.del_object(intra_extension_id, object_id) + object_dict = self.driver.get_object_dict(intra_extension_id) + if object_id in object_dict: + raise ObjectUnknown() + # TODO (dthom): destroy item-related assignment + return self.driver.del_object(intra_extension_id, object_id) @filter_args @enforce("read", "actions") def get_action_dict(self, user_id, intra_extension_id): - # TODO: check will be done through super_extension later return self.driver.get_action_dict(intra_extension_id) - @filter_args - @enforce(("read", "write"), "actions") - def set_action_dict(self, user_id, intra_extension_id, action_list): - # TODO: propose to remove this - # TODO (asteroide): we must check input here. - action_dict = {uuid4().hex: item for item in action_list} - return self.driver.set_action_dict(intra_extension_id, action_dict) - @filter_args @enforce(("read", "write"), "actions") def add_action(self, user_id, intra_extension_id, action_name): - # TODO (asteroide): we must check input here. + action_dict = self.driver.get_action_dict(intra_extension_id) + for action_id in action_dict: + if action_dict[action_id]["name"] is action_name: + raise ActionNameExisting() action_id = uuid4().hex return self.driver.add_action(intra_extension_id, action_id, action_name) + @filter_args + @enforce("read", "actions") + def get_action(self, user_id, intra_extension_id, action_id): + action_dict = self.driver.get_action_dict(intra_extension_id) + if action_id in action_dict: + raise ActionUnknown() + return self.driver.get_action_dict(intra_extension_id)[action_id] + @filter_args @enforce(("read", "write"), "actions") def del_action(self, user_id, intra_extension_id, action_id): - self.driver.del_action(intra_extension_id, action_id) + action_dict = self.driver.get_action_dict(intra_extension_id) + if action_id in action_dict: + raise ActionUnknown() + # TODO (dthom): destroy item-related assignment + return self.driver.del_action(intra_extension_id, action_id) # Scope functions @@ -898,27 +935,24 @@ class IntraExtensionManager(manager.Manager): @enforce("read", "subject_scopes") @enforce("read", "subject_categories") def get_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id): - if subject_category_id not in self.get_subject_category_dict(user_id, intra_extension_id)["subject_categories"]: + """ + :param user_id: + :param intra_extension_id: + :param subject_category_id: + :return: {subject_scope_id: subject_scope_value, ...} + """ + if subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): raise SubjectCategoryUnknown() return self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id) - @filter_args - @enforce(("read", "write"), "subject_scopes") - @enforce("read", "subject_categorys") - def set_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_name_list): - # TODO (asteroide): we must check input here. - if subject_category_id not in self.get_subject_category_dict(user_id, intra_extension_id)["subject_categories"]: - raise SubjectCategoryUnknown() - subject_scope_dict = {uuid4().hex: item for item in subject_scope_name_list} - return self.driver.set_subject_scope_dict(intra_extension_id, subject_category_id, subject_scope_dict) - @filter_args @enforce(("read", "write"), "subject_scopes") @enforce("read", "subject_categories") def add_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_name): - # TODO (asteroide): we must check input here. - if subject_category_id not in self.get_subject_category_dict(user_id, intra_extension_id)["subject_categories"]: + if subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): raise SubjectCategoryUnknown() + if subject_scope_name in self.driver.get_subject_scope_dict(intra_extension_id).values(): + raise SubjectScopeNameExisting() subject_scope_id = uuid4().hex return self.driver.add_subject_scope( intra_extension_id, @@ -926,37 +960,51 @@ class IntraExtensionManager(manager.Manager): subject_scope_id, subject_scope_name) + @filter_args + @enforce("read", "subject_scopes") + @enforce("read", "subject_categories") + def get_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_id): + if subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + raise SubjectCategoryUnknown() + subject_scopte_dict = self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id) + if subject_scope_id not in subject_scopte_dict: + raise SubjectScopeUnknown() + return subject_scopte_dict[subject_scope_id] + @filter_args @enforce(("read", "write"), "subject_scopes") @enforce("read", "subject_categories") def del_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_id): - if subject_category_id not in self.get_subject_category_dict(user_id, intra_extension_id)["subject_categories"]: + if subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): raise SubjectCategoryUnknown() - self.driver.del_subject_scope(intra_extension_id, subject_category_id, subject_scope_id) + if subject_scope_id not in self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id): + raise SubjectScopeUnknown() + # TODO (dthom): destroy scope-related assignment + # TODO (dthom): destroy scope-related rule + return self.driver.del_subject_scope(intra_extension_id, subject_category_id, subject_scope_id) @filter_args @enforce("read", "object_category_scopes") - @enforce("read", "object_categorys") - def get_object_scope_dict(self, user_id, intra_extension_id, object_category_id): - return self.driver.get_object_scope_dict(intra_extension_id, object_category_id) - - @filter_args - @enforce(("read", "write"), "object_scopes") @enforce("read", "object_categories") - def set_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_name_list): - # TODO (asteroide): we must check input here. - if object_category_id not in self.get_object_category_dict(user_id, intra_extension_id)["object_categories"]: + def get_object_scope_dict(self, user_id, intra_extension_id, object_category_id): + """ + :param user_id: + :param intra_extension_id: + :param object_category_id: + :return: {object_scope_id: object_scope_value, ...} + """ + if object_category_id not in self.driver.get_object_category_dict(intra_extension_id): raise ObjectCategoryUnknown() - object_scope_dict = {uuid4().hex: item for item in object_scope_name_list} - return self.driver.set_object_scope_dict(intra_extension_id, object_category_id, object_scope_dict) + return self.driver.get_object_scope_dict(intra_extension_id, object_category_id) @filter_args @enforce(("read", "write"), "object_scopes") @enforce("read", "object_categories") def add_object_scope(self, user_id, intra_extension_id, object_category_id, object_scope_name): - # TODO (asteroide): we must check input here. - if object_category_id not in self.get_object_category_dict(user_id, intra_extension_id)["object_categories"]: + if object_category_id not in self.driver.get_object_category_dict(intra_extension_id): raise ObjectCategoryUnknown() + if object_scope_name in self.driver.get_object_scope_dict(intra_extension_id).values(): + raise ObjectScopeNameExisting() object_scope_id = uuid4().hex return self.driver.add_subject_scope( intra_extension_id, @@ -964,42 +1012,51 @@ class IntraExtensionManager(manager.Manager): object_scope_id, object_scope_name) + @filter_args + @enforce("read", "object_scopes") + @enforce("read", "object_categories") + def get_object_scope(self, user_id, intra_extension_id, object_category_id, object_scope_id): + if object_category_id not in self.driver.get_object_category_dict(intra_extension_id): + raise ObjectCategoryUnknown() + object_scopte_dict = self.driver.get_object_scope_dict(intra_extension_id, object_category_id) + if object_scope_id not in object_scopte_dict: + raise ObjectScopeUnknown() + return object_scopte_dict[object_scope_id] + @filter_args @enforce(("read", "write"), "object_scopes") @enforce("read", "object_categories") def del_object_scope(self, user_id, intra_extension_id, object_category_id, object_scope_id): - if object_category_id not in self.get_object_category_dict(user_id, intra_extension_id)["object_categories"]: + if object_category_id not in self.driver.get_object_category_dict(intra_extension_id): raise ObjectCategoryUnknown() - self.driver.del_object_scope( - intra_extension_id, - object_category_id, - object_scope_id) + if object_scope_id not in self.driver.get_object_scope_dict(intra_extension_id, object_category_id): + raise ObjectScopeUnknown() + # TODO (dthom): destroy scope-related assignment + # TODO (dthom): destroy scope-related rule + return self.driver.del_object_scope(intra_extension_id, object_category_id, object_scope_id) @filter_args @enforce("read", "action_category_scopes") @enforce("read", "action_categories") def get_action_scope_dict(self, user_id, intra_extension_id, action_category_id): - if action_category_id not in self.get_action_category_dict(user_id, intra_extension_id)["action_categories"]: + """ + :param user_id: + :param intra_extension_id: + :param action_category_id: + :return: {action_scope_id: action_scope_value, ...} + """ + if action_category_id not in self.driver.get_object_category_dict(intra_extension_id): raise ActionCategoryUnknown() return self.driver.get_action_scope_dict(intra_extension_id, action_category_id) - @filter_args - @enforce(("read", "write"), "action_scopes") - @enforce("read", "action_categories") - def set_action_scope_dict(self, user_id, intra_extension_id, action_category_id, action_scope_name_list): - # TODO (asteroide): we must check input here. - if action_category_id not in self.get_action_category_dict(user_id, intra_extension_id)["action_categories"]: - raise ActionCategoryUnknown() - action_scope_dict = {uuid4().hex: item for item in action_scope_name_list} - return self.driver.set_action_scope_dict(intra_extension_id, action_category_id, action_scope_dict) - @filter_args @enforce(("read", "write"), "action_scopes") @enforce("read", "action_categories") def add_action_scope(self, user_id, intra_extension_id, action_category_id, action_scope_name): - # TODO (asteroide): we must check input here. - if action_category_id not in self.get_action_category_dict(user_id, intra_extension_id)["action_categories"]: + if action_category_id not in self.driver.get_action_category_dict(intra_extension_id): raise ActionCategoryUnknown() + if action_scope_name in self.driver.get_action_scope_dict(intra_extension_id).values(): + raise ActionScopeNameExisting() action_scope_id = uuid4().hex return self.driver.add_action_scope( intra_extension_id, @@ -1007,13 +1064,28 @@ class IntraExtensionManager(manager.Manager): action_scope_id, action_scope_name) + @filter_args + @enforce("read", "action_scopes") + @enforce("read", "action_categories") + def get_action_scope(self, user_id, intra_extension_id, action_category_id, action_scope_id): + if action_category_id not in self.driver.get_action_category_dict(intra_extension_id): + raise ActionCategoryUnknown() + action_scopte_dict = self.driver.get_action_scope_dict(intra_extension_id, action_category_id) + if action_scope_id not in action_scopte_dict: + raise ActionScopeUnknown() + return action_scopte_dict[action_scope_id] + @filter_args @enforce(("read", "write"), "action_scopes") @enforce("read", "action_categories") def del_action_scope(self, user_id, intra_extension_id, action_category_id, action_scope_id): - if action_category_id not in self.get_action_category_dict(user_id, intra_extension_id)["action_categories"]: + if action_category_id not in self.driver.get_action_category_dict(intra_extension_id): raise ActionCategoryUnknown() - self.driver.del_action_scope(intra_extension_id, action_category_id, action_scope_id) + if action_scope_id not in self.driver.get_action_scope_dict(intra_extension_id, action_category_id): + raise ActionScopeUnknown() + # TODO (dthom): destroy scope-related assignment + # TODO (dthom): destroy scope-related rule + return self.driver.del_action_scope(intra_extension_id, action_category_id, action_scope_id) # Assignment functions @@ -1021,31 +1093,42 @@ class IntraExtensionManager(manager.Manager): @enforce("read", "subject_assignments") @enforce("read", "subjects") def get_subject_assignment_dict(self, user_id, intra_extension_id, subject_id): - if subject_id not in self.get_subject_dict(user_id, intra_extension_id): + """ + :param user_id: + :param intra_extension_id: + :param subject_id: + :return: {subject_category_id: [subject_scope_id1, subject_scope_id2, ...], ...} + """ + if subject_id not in self.driver.get_subject_dict(user_id, intra_extension_id): raise SubjectUnknown() return self.driver.get_subject_assignment_dict(intra_extension_id, subject_id) @filter_args @enforce(("read", "write"), "subject_assignments") @enforce("read", "subjects") - def set_subject_assignment_dict(self, user_id, intra_extension_id, subject_id, subject_assignment_dict): - if subject_id not in self.get_subject_dict(user_id, intra_extension_id): + @enforce("read", "subject_categories") + @enforce("read", "subject_scopes") + def add_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): + if subject_id not in self.driver.get_subject_dict(intra_extension_id): raise SubjectUnknown() - return self.driver.set_subject_assignment_dict(intra_extension_id, subject_id, subject_assignment_dict) + elif subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): + raise SubjectCategoryUnknown() + elif subject_scope_id not in self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id): + raise SubjectScopeUnknown() + elif subject_scope_id in self.driver.get_subject_assignment_dict(intra_extension_id, subject_id)[subject_category_id]: + raise SubjectAssignmentExisting() + return self.driver.add_subject_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id) @filter_args - @enforce(("read", "write"), "subject_assignments") + @enforce("read", "subject_assignments") @enforce("read", "subjects") @enforce("read", "subject_categories") - def add_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - if subject_id not in self.get_subject_dict(user_id, intra_extension_id): + def get_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id): + if subject_id not in self.driver.get_subject_dict(user_id, intra_extension_id): raise SubjectUnknown() - elif subject_category_id not in self.get_subject_category_dict(user_id, intra_extension_id): + elif subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): raise SubjectCategoryUnknown() - elif subject_scope_id not in self.get_subject_scope_dict(user_id, intra_extension_id, subject_category_id): - raise SubjectAssignmentOutOfScope() - # TODO: raise SubjectAssignmentExisting() for the below func - return self.driver.add_subject_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id) + return self.driver.get_subject_assignment_dict(intra_extension_id, subject_id)[subject_category_id] @filter_args @enforce(("read", "write"), "subject_assignments") @@ -1053,19 +1136,26 @@ class IntraExtensionManager(manager.Manager): @enforce("read", "subject_categories") @enforce("read", "subject_scopes") def del_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): - if subject_id not in self.get_subject_dict(user_id, intra_extension_id): + if subject_id not in self.driver.get_subject_dict(intra_extension_id): raise SubjectUnknown() - elif subject_category_id not in self.get_subject_category_dict(user_id, intra_extension_id): + elif subject_category_id not in self.driver.get_subject_category_dict(intra_extension_id): raise SubjectCategoryUnknown() - elif subject_scope_id not in self.get_subject_scope_dict(user_id, intra_extension_id, subject_category_id): - raise SubjectAssignmentOutOfScope - # TODO: raise SubjectAssignmentUnknown() for the below func + elif subject_scope_id not in self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id): + raise SubjectScopeUnknown() + elif subject_scope_id not in self.driver.get_subject_assignment_dict(intra_extension_id, subject_id)[subject_category_id]: + raise SubjectAssignmentUnknown() return self.driver.del_subject_category_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id) @filter_args @enforce("read", "object_assignments") @enforce("read", "objects") def get_object_assignment_dict(self, user_id, intra_extension_id, object_id): + """ + :param user_id: + :param intra_extension_id: + :param object_id: + :return: {object_category_id: [object_scope_id1, object_scope_id2, ...], ...} + """ if object_id not in self.get_object_dict(user_id, intra_extension_id): raise ObjectUnknown() return self.driver.get_object_assignment_dict(intra_extension_id, object_id) @@ -1073,43 +1163,55 @@ class IntraExtensionManager(manager.Manager): @filter_args @enforce(("read", "write"), "object_assignments") @enforce("read", "objects") - def set_object_category_assignment_dict(self, user_id, intra_extension_id, object_id, object_assignment_dict): - if object_id not in self.get_object_dict(user_id, intra_extension_id): + @enforce("read", "object_categories") + def add_object_assignment(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id): + if object_id not in self.driver.get_object_dict(intra_extension_id): raise ObjectUnknown() - return self.driver.set_object_assignment_dict(intra_extension_id, object_id, object_assignment_dict) + elif object_category_id not in self.driver.get_object_category_dict(intra_extension_id): + raise ObjectCategoryUnknown() + elif object_scope_id not in self.driver.get_object_scope_dict(intra_extension_id, object_category_id): + raise ObjectScopeUnknown() + elif object_scope_id in self.driver.get_object_assignment_dict(intra_extension_id, object_id)[object_category_id]: + raise ObjectAssignmentExisting() + return self.driver.add_object_assignment(intra_extension_id, object_id, object_category_id, object_scope_id) @filter_args - @enforce(("read", "write"), "object_assignments") + @enforce("read", "object_assignments") @enforce("read", "objects") - @enforce("read", "object_category") - def add_object_assignment(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id): - if object_id not in self.get_object_dict(user_id, intra_extension_id): + @enforce("read", "object_categories") + def get_object_assignment(self, user_id, intra_extension_id, object_id, object_category_id): + if object_id not in self.driver.get_object_dict(user_id, intra_extension_id): raise ObjectUnknown() - elif object_category_id not in self.get_object_category_dict(user_id, intra_extension_id): + elif object_category_id not in self.driver.get_object_category_dict(intra_extension_id): raise ObjectCategoryUnknown() - elif object_scope_id not in self.get_object_scope_dict(user_id, intra_extension_id, object_category_id): - raise ObjectAssignmentOutOfScope() - # TODO: raise ObjectAssignmentExisting() for the below func - return self.driver.add_object_assignment(intra_extension_id, object_id, object_category_id, object_scope_id) + return self.driver.get_object_assignment_dict(intra_extension_id, object_id)[object_category_id] @filter_args @enforce(("read", "write"), "object_assignments") @enforce("read", "objects") @enforce("read", "object_categories") + @enforce("read", "object_scopes") def del_object_assignment(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id): - if object_id not in self.get_object_dict(user_id, intra_extension_id): + if object_id not in self.driver.get_object_dict(intra_extension_id): raise ObjectUnknown() - elif object_category_id not in self.get_object_category_dict(user_id, intra_extension_id): + elif object_category_id not in self.driver.get_object_category_dict(intra_extension_id): raise ObjectCategoryUnknown() - elif object_scope_id not in self.get_object_scope_dict(user_id, intra_extension_id, object_category_id): - raise ObjectAssignmentOutOfScope() - # TODO: raise SubjectAssignmentUnknown() for the below func + elif object_scope_id not in self.driver.get_object_scope_dict(intra_extension_id, object_category_id): + raise ObjectScopeUnknown() + elif object_scope_id not in self.driver.get_subject_assignment_dict(intra_extension_id, object_id)[object_category_id]: + raise ObjectAssignmentUnknown() return self.driver.del_object_assignment(intra_extension_id, object_id, object_category_id, object_scope_id) @filter_args @enforce("read", "action_assignments") @enforce("read", "actions") def get_action_assignment_dict(self, user_id, intra_extension_id, action_id): + """ + :param user_id: + :param intra_extension_id: + :param action_id: + :return: {action_category_id: [action_scope_id1, action_scope_id2, ...], ...} + """ if action_id not in self.get_action_dict(user_id, intra_extension_id): raise ActionUnknown() return self.driver.get_action_assignment_dict(intra_extension_id, action_id) @@ -1117,53 +1219,61 @@ class IntraExtensionManager(manager.Manager): @filter_args @enforce(("read", "write"), "action_assignments") @enforce("read", "actions") - def set_action_assignment_dict(self, user_id, intra_extension_id, action_id, action_assignment_dict): - if action_id not in self.get_action_dict(user_id, intra_extension_id): + @enforce("read", "action_categories") + def add_action_assignment(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id): + if action_id not in self.driver.get_action_dict(intra_extension_id): raise ActionUnknown() - return self.driver.set_action_assignment_dict(intra_extension_id, action_id, action_assignment_dict) + elif action_category_id not in self.driver.get_action_category_dict(intra_extension_id): + raise ActionCategoryUnknown() + elif action_scope_id not in self.driver.get_action_scope_dict(intra_extension_id, action_category_id): + raise ActionScopeUnknown() + elif action_scope_id in self.driver.get_action_assignment_dict(intra_extension_id, action_id)[action_category_id]: + raise ObjectAssignmentExisting() + return self.driver.add_action_assignment(intra_extension_id, action_id, action_category_id, action_scope_id) @filter_args - @enforce(("read", "write"), "action_assignments") + @enforce("read", "action_assignments") @enforce("read", "actions") @enforce("read", "action_categories") - def add_action_assignment(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id): - if action_id not in self.get_action_dict(user_id, intra_extension_id): + def get_action_assignment(self, user_id, intra_extension_id, action_id, action_category_id): + if action_id not in self.driver.get_action_dict(user_id, intra_extension_id): raise ActionUnknown() - elif action_category_id not in self.get_action_category_dict(user_id, intra_extension_id): + elif action_category_id not in self.driver.get_action_category_dict(intra_extension_id): raise ActionCategoryUnknown() - elif action_scope_id not in self.get_action_scope_dict(user_id, intra_extension_id, action_category_id): - raise ActionAssignmentOutOfScope() - # TODO: raise ActionAssignmentExisting() for the below func - return self.driver.add_action_assignment(intra_extension_id, action_id, action_category_id, action_scope_id) + return self.driver.get_action_assignment_dict(intra_extension_id, action_id)[action_category_id] @filter_args @enforce(("read", "write"), "action_assignments") @enforce("read", "actions") @enforce("read", "action_categories") + @enforce("read", "action_scopes") def del_action_assignment(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id): - if action_id not in self.get_action_dict(user_id, intra_extension_id): + if action_id not in self.driver.get_action_dict(intra_extension_id): raise ActionUnknown() - elif action_category_id not in self.get_action_category_dict(user_id, intra_extension_id): + elif action_category_id not in self.driver.get_action_category_dict(intra_extension_id): raise ActionCategoryUnknown() - elif action_scope_id not in self.get_action_scope_dict(user_id, intra_extension_id, action_category_id): + elif action_scope_id not in self.driver.get_action_scope_dict(intra_extension_id, action_category_id): + raise ActionScopeUnknown() + elif action_scope_id not in self.driver.get_action_assignment_dict(intra_extension_id, action_id)[action_category_id]: raise ActionAssignmentUnknown() - # TODO: raise ActionAssignmentUnknown() for the below func return self.driver.del_action_assignment(intra_extension_id, action_id, action_category_id, action_scope_id) # Metarule functions @filter_args - @enforce("write", "aggregation_algorithm") + @enforce(("read", "write"), "aggregation_algorithm") def add_aggregation_algorithm(self, user_id, intra_extension_id, aggregation_algorithm_id): - if aggregation_algorithm_id is not self.dirver.get_aggregation_algorithm(intra_extension_id): - raise AggregationAlgorithmNotExisting() - elif aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms: - raise AggregationAlgorithmOutOfScope() + if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms: + raise AggregationAlgorithmUnknown() + elif self.dirver.get_aggregation_algorithm(intra_extension_id): + raise AggregationAlgorithmExisting() return self.driver.add_aggregation_algorithm(intra_extension_id, aggregation_algorithm_id) @filter_args @enforce("read", "aggregation_algorithm") def get_aggregation_algorithm(self, user_id, intra_extension_id): + if not self.dirver.get_aggregation_algorithm(intra_extension_id): + raise AggregationAlgorithmNotExisting() return self.driver.get_aggregation_algorithm(intra_extension_id) @filter_args @@ -1176,152 +1286,123 @@ class IntraExtensionManager(manager.Manager): @filter_args @enforce("read", "sub_meta_rules") def get_sub_meta_rule_dict(self, user_id, intra_extension_id): - return self.driver.get_meta_rule_dict(intra_extension_id) + """ + :param user_id: + :param intra_extension_id: + :return: { + sub_meta_rule_id_1: { + "name": xxx, + "algorithm": yyy, + "subject_categories": [subject_categoriy_id1, subject_categoriy_id2,...], + "object_categories": [object_categoriy_id1, object_categoriy_id2,...], + "action_categories": [action_categoriy_id1, action_categoriy_id2,...] + sub_meta_rule_id_2: ...} + """ + return self.driver.get_sub_meta_rule_dict(intra_extension_id) @filter_args @enforce(("read", "write"), "sub_meta_rules") - def add_sub_meta_rule_dict(self, user_id, + @enforce("write", "rule") + def add_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_name, subject_category_list, object_category_list, action_category_list, sub_meta_rule_algorithm): - for sub_meta_rule_id in sub_meta_rule_dict: - if sub_meta_rule_id not in self.get_sub_meta_rule_dict(user_id, intra_extension_id): - raise SubMetaRuleOutOfScope() - # for cat in ("subject_categories", "object_categories", "action_categories"): - # if cat not in sub_meta_rule_dict[sub_meta_rule_id]: - # raise IntraExtensionError("set_sub_meta_rule category {} missed".format(cat)) - # if type(sub_meta_rule_dict[sub_meta_rule_id][cat]) is not list: - # raise IntraExtensionError("set_sub_meta_rule category {} is not a list".format(cat)) - # subject_categories = self.get_subject_category_dict(user_id, intra_extension_id)["subject_categories"] - # for data in list(sub_meta_rule_dict[sub_meta_rule_id]["subject_categories"]): - # if data not in subject_categories: - # raise IntraExtensionError("set_sub_meta_rule category {} is not part of subject_categories {}".format( - # data, subject_categories)) - # object_categories = self.get_object_category_dict(user_id, intra_extension_id)["object_categories"] - # for data in sub_meta_rule_dict[sub_meta_rule_id]["object_categories"]: - # if data not in object_categories: - # raise IntraExtensionError("set_sub_meta_rule category {} is not part of object_categories {}".format( - # data, object_categories)) - # action_categories = self.get_action_category_dict(user_id, intra_extension_id)["actions_categories"] - # for data in sub_meta_rule_dict[sub_meta_rule_id]["action_categories"]: - # if data not in action_categories: - # raise IntraExtensionError("set_sub_meta_rule category {} is not part of action_categories {}".format( - # data, action_categories)) - - return self.driver.set_meta_rule_dict(intra_extension_id,sub_meta_rule_dict) + sub_meta_rule_dict = self.driver.get_sub_meta_rule_dict(intra_extension_id) + for _sub_meta_rule_id in sub_meta_rule_dict: + if sub_meta_rule_name is sub_meta_rule_dict[_sub_meta_rule_id]["name"]: + raise SubMetaRuleNameExisting() + elif subject_category_list is sub_meta_rule_dict[_sub_meta_rule_id]["subject_categories"] and \ + object_category_list is sub_meta_rule_dict[_sub_meta_rule_id]["object_categories"] and \ + action_category_list is sub_meta_rule_dict[_sub_meta_rule_id]["action_categories"] and \ + sub_meta_rule_algorithm is sub_meta_rule_dict[_sub_meta_rule_id]["algorithm"]: + raise SubMetaRuleExisting() + sub_meta_rule_id = uuid4().hex() + # TODO (dthom): add new sub-meta-rule to rule + # self.driver.add_rule(intra_extension_id, sub_meta_rule_id, []) + return self.driver.add_sub_meta_rule(intra_extension_id, + sub_meta_rule_id, + sub_meta_rule_name, + subject_category_list, + object_category_list, + action_category_list, + sub_meta_rule_algorithm) @filter_args @enforce(("read", "write"), "sub_meta_rules") - def set_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_dict): - # TODO (dthom): When sub_meta_rule is set, all rules must be dropped - for sub_meta_rule_id in sub_meta_rule_dict: - if sub_meta_rule_id not in self.get_sub_meta_rule_dict(user_id, intra_extension_id): - raise SubMetaRuleOutOfScope() - # for cat in ("subject_categories", "object_categories", "action_categories"): - # if cat not in sub_meta_rule_dict[sub_meta_rule_id]: - # raise IntraExtensionError("set_sub_meta_rule category {} missed".format(cat)) - # if type(sub_meta_rule_dict[sub_meta_rule_id][cat]) is not list: - # raise IntraExtensionError("set_sub_meta_rule category {} is not a list".format(cat)) - # subject_categories = self.get_subject_category_dict(user_id, intra_extension_id)["subject_categories"] - # for data in list(sub_meta_rule_dict[sub_meta_rule_id]["subject_categories"]): - # if data not in subject_categories: - # raise IntraExtensionError("set_sub_meta_rule category {} is not part of subject_categories {}".format( - # data, subject_categories)) - # object_categories = self.get_object_category_dict(user_id, intra_extension_id)["object_categories"] - # for data in sub_meta_rule_dict[sub_meta_rule_id]["object_categories"]: - # if data not in object_categories: - # raise IntraExtensionError("set_sub_meta_rule category {} is not part of object_categories {}".format( - # data, object_categories)) - # action_categories = self.get_action_category_dict(user_id, intra_extension_id)["actions_categories"] - # for data in sub_meta_rule_dict[sub_meta_rule_id]["action_categories"]: - # if data not in action_categories: - # raise IntraExtensionError("set_sub_meta_rule category {} is not part of action_categories {}".format( - # data, action_categories)) - return self.driver.set_meta_rule_dict(intra_extension_id,sub_meta_rule_dict) + def get_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id): + sub_meta_rule_dict = self.driver.get_sub_meta_rule_dict(intra_extension_id) + if sub_meta_rule_id not in sub_meta_rule_dict: + raise SubMetaRuleUnknown() + return sub_meta_rule_dict[sub_meta_rule_id] + + @filter_args + @enforce(("read", "write"), "sub_meta_rules") + @enforce(("read", "write"), "rule") + def del_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id): + if sub_meta_rule_id not in self.driver.get_sub_meta_rule_dict(intra_extension_id): + raise SubMetaRuleUnknown() + # TODO (dthom): destroy sub-meta-rule-related rules + # self.driver.del_rule(intra_extension_id, sub_meta_rule_id, "*") + return self.driver.del_sub_meta_rule(intra_extension_id, sub_meta_rule_id) # Rule functions @filter_args @enforce("read", "rule") - def get_rule_dict(self, user_id, intra_extension_id): - return self.driver.get_rule_dict(intra_extension_id) + def get_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id): + """ + :param user_id: + :param intra_extension_id: + :param sub_meta_rule_id: + :total: { + sub_meta_rule_id1: { + rule_id1: [subject_scope1, subject_scope2, ..., action_scope1, ..., object_scope1, ... ], + rule_id2: [...] + ...}, + sub_meta_rule_id2: { }, + ...} + :return: { + rule_id1: [subject_scope1, subject_scope2, ..., action_scope1, ..., object_scope1, ... ], + rule_id2: [...] + ...} + """ + return self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id) @filter_args + @enforce("read", "sub_meta_rules") @enforce(("read", "write"), "rule") - def set_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_dict): - # for item in rule_dict: - # if type(item) not in (str, unicode, bool): - # raise IntraExtensionError("Bad input data (sub_rule).") - # ref_rules = self.driver.get_rule_dict(intra_extension_id) - # _sub_rule = list(rule_dict) - # if sub_meta_rule_id not in self.get_sub_meta_rule_relations(user_id, intra_extension_id)["sub_meta_rule_relations"]: - # raise IntraExtensionError("Bad input data (rules).") - # # filter strings in sub_rule - # rule_dict = [filter_input(x) for x in rule_dict] - # # check if length of sub_rule is correct from metadata_sub_rule - # metadata_sub_rule = self.get_sub_meta_rule_dict(user_id, intra_extension_id) - # metadata_sub_rule_length = len(metadata_sub_rule['sub_meta_rules'][sub_meta_rule_id]["subject_categories"]) + \ - # len(metadata_sub_rule['sub_meta_rules'][sub_meta_rule_id]["action_categories"]) + \ - # len(metadata_sub_rule['sub_meta_rules'][sub_meta_rule_id]["object_categories"]) + 1 - # if metadata_sub_rule_length != len(rule_dict): - # raise IntraExtensionError("Bad number of argument in sub_rule {}/{}".format(rule_dict, - # metadata_sub_rule_length)) - # # check if each item in sub_rule match a corresponding scope value - # for category in metadata_sub_rule['sub_meta_rules'][sub_meta_rule_id]["subject_categories"]: - # item = _sub_rule.pop(0) - # if item not in self.get_subject_scope_dict( - # user_id, - # intra_extension_id, category)["subject_category_scope"][category].keys(): - # raise IntraExtensionError("Bad subject value in sub_rule {}/{}".format(category, item)) - # for category in metadata_sub_rule['sub_meta_rules'][sub_meta_rule_id]["action_categories"]: - # action_categories = self.get_action_scope_dict( - # user_id, - # intra_extension_id, category)["action_category_scope"][category] - # item = _sub_rule.pop(0) - # if item not in action_categories.keys(): - # self.moonlog_api.warning("set_sub_rule bad action value in sub_rule {}/{}".format(category, item)) - # raise IntraExtensionError("Bad input data.") - # for category in metadata_sub_rule['sub_meta_rules'][sub_meta_rule_id]["object_categories"]: - # item = _sub_rule.pop(0) - # if item not in self.get_object_scope_dict( - # user_id, - # intra_extension_id, category)["object_category_scope"][category].keys(): - # raise IntraExtensionError("Bad object value in sub_rule {}/{}".format(category, item)) - # # check if relation is already there - # if sub_meta_rule_id not in ref_rules["rules"]: - # ref_rules["rules"][sub_meta_rule_id] = list() - # add sub_rule - ref_rules["rules"][sub_meta_rule_id].append(rule_dict) - return self.driver.set_rules(intra_extension_id, ref_rules["rules"]) + def add_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_list): + if sub_meta_rule_id not in self.driver.get_sub_meta_rule_dict(intra_extension_id): + raise SubMetaRuleUnknown() + elif rule_list in self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id): + raise RuleExisting() + rule_id = uuid4().hex() + return self.driver.add_rule(intra_extension_id, sub_meta_rule_id, rule_id, rule_list) @filter_args - @enforce(("read", "write"), "rule") - def add_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_list): - # TODO: self.driver.set_rules ??? - return self.driver.add_rule(intra_extension_id, sub_meta_rule_id, rule_list) + @enforce("read", "sub_meta_rules") + @enforce("read", "rule") + def get_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id): + if sub_meta_rule_id not in self.driver.get_sub_meta_rule_dict(intra_extension_id): + raise SubMetaRuleUnknown() + rule_dict = self.driver.get_rule_dict(intra_extension_id) + if rule_id not in rule_dict[sub_meta_rule_id]: + raise RuleUnknown() + return rule_dict[rule_id] @filter_args + @enforce("read", "sub_meta_rules") @enforce(("read", "write"), "rule") def del_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id): - ref_rules = self.driver.get_rule_dict(intra_extension_id) - rule_id = rule_id.split("+") - for index, _item in enumerate(rule_id): - if "True" in _item: - rule_id[index] = True - if "False" in _item: - rule_id[index] = False - if relation_name in ref_rules["rules"]: - if rule_id in ref_rules["rules"][relation_name]: - ref_rules["rules"][relation_name].remove(rule_id) - else: - raise RuleUnknown() - else: - raise IntraExtensionError("Unknown relation name for rules: {}".format(relation_name)) - self.driver.set_rules(intra_extension_id, ref_rules["rules"]) - ref_rules["rules"][sub_meta_rule_id].append(rule_dict) - return self.driver.set_rules(intra_extension_id, ref_rules["rules"]) + if sub_meta_rule_id not in self.driver.get_sub_meta_rule_dict(intra_extension_id): + raise SubMetaRuleUnknown() + rule_dict = self.driver.get_rule_dict(intra_extension_id, sub_meta_rule_id) + if rule_id not in rule_dict: + raise RuleUnknown() + return self.driver.del_rule(intra_extension_id, sub_meta_rule_id, rule_id) + @dependency.provider('authz_api') @dependency.requires('identity_api', 'tenant_api', 'moonlog_api') @@ -1336,22 +1417,27 @@ class IntraExtensionAuthzManager(IntraExtensionManager): """ tenant_id = self.tenant_api.get_tenant_id_from_name(DEFAULT_USER, tenant_name) intra_extension_id = self.tenant_api.get_tenant_intra_extension_id(DEFAULT_USER, tenant_id, self.__genre__) - subject_dict = self.get_subject_dict(DEFAULT_USER, intra_extension_id) + subject_dict = self.driver.get_subject_dict(intra_extension_id) subject_id = None for _subject_id in subject_dict: - if subject_dict[_subject_id] is subject_name: + if subject_dict[_subject_id]['name'] is subject_name: subject_id = _subject_id - object_dict = self.get_object_dict(DEFAULT_USER, intra_extension_id) + if not subject_id: + raise SubjectUnknown() + object_dict = self.driver.get_object_dict(intra_extension_id) object_id = None for _object_id in object_dict: - if object_dict[_object_id] is object_name: + if object_dict[_object_id]['name'] is object_name: object_id = _object_id - action_dict = self.get_action_dict(DEFAULT_USER, intra_extension_id) + if not object_id: + raise ObjectUnknown() + action_dict = self.driver.get_action_dict(intra_extension_id) action_id = None for _action_id in action_dict: if action_dict[_action_id] is action_name: action_id = _action_id - + if not action_id: + raise ActionUnknown() return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id) def del_intra_extension(self, intra_extension_id): @@ -1468,7 +1554,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def set_aggregation_algorithm(self, user_id, intra_extension_uuid, aggregation_algorithm): raise MetaRuleAddNotAuthorized() - def set_sub_meta_rule_dict(self, user_id, intra_extension_uuid, sub_meta_rules): + def get_sub_meta_rule(self, user_id, intra_extension_uuid, sub_meta_rules): raise MetaRuleAddNotAuthorized() def set_sub_rule(self, user_id, intra_extension_uuid, relation, sub_rule): @@ -1484,26 +1570,6 @@ class IntraExtensionAdminManager(IntraExtensionManager): __genre__ = "admin" - # def set_perimeter_values(self, ie, policy_dir): - # - # # Check if object like "subjects", "objects", "actions" exist... - # perimeter_path = os.path.join(policy_dir, 'perimeter.json') - # f = open(perimeter_path) - # json_perimeter = json.load(f) - # for item in ("subjects", "objects", "actions"): - # if item not in json_perimeter["objects"]: - # raise AdminIntraExtensionCreationError() - # - # super(IntraExtensionAdminManager, self).set_perimeter_values(ie, policy_dir) - # - # @filter_args - # def add_subject_dict(self, user_name, uuid, subject_uuid): - # raise AdminIntraExtensionModificationNotAuthorized() - # - # @filter_args - # def del_subject(self, user_name, uuid, subject_uuid): - # raise AdminIntraExtensionModificationNotAuthorized() - @dependency.provider('moonlog_api') class LogManager(manager.Manager): @@ -1582,7 +1648,7 @@ class LogManager(manager.Manager): class ConfigurationDriver(object): - def get_policy_templete_dict(self): + def get_policy_template_dict(self): raise exception.NotImplemented() # pragma: no cover def get_aggregation_algorithm_dict(self): diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py index 3108b7c2..f18e4a47 100644 --- a/keystone-moon/keystone/contrib/moon/exception.py +++ b/keystone-moon/keystone/contrib/moon/exception.py @@ -41,7 +41,6 @@ class MoonError(Error): # Exceptions for Tenant - class TenantException(MoonError): message_format = _("There is an error requesting this tenant.") code = 400 @@ -49,23 +48,33 @@ class TenantException(MoonError): logger = "ERROR" -class TenantListEmpty(TenantException): - message_format = _("The tenant list mapping is empty, you must set the mapping first.") +class TenantDictEmpty(TenantException): + message_format = _("The tenant dict mapping is empty, you must set the mapping first.") code = 400 - title = 'Tenant List Empty Error' + title = 'Tenant Dict Empty' logger = "WARNING" -class TenantIDNotFound(TenantException): - message_format = _("The tenant UUID was not found.") +class TenantUnknown(TenantException): + message_format = _("The tenant is unknown.") + code = 400 + title = 'Tenant Unknown' + logger = "ERROR" + + +class TenantAddedNameExisting(TenantException): + message_format = _("The tenant name is existing.") code = 400 - title = 'Tenant UUID Not Found Error' + title = 'Added Tenant Name Existing' + logger = "ERROR" -class AddedTenantNameExist(TenantException): - message_format = _("The tenant name exists already.") +class TenantNoIntraExtension(TenantException): + message_format = _("The tenant has not intra_extension.") code = 400 - title = 'Added Tenant Name Exist' + title = 'Tenant No Intra_Extension' + logger = "ERROR" + # Exceptions for IntraExtension @@ -83,11 +92,11 @@ class IntraExtensionUnMapped(IntraExtensionException): logger = "WARNING" -class IntraExtensionNotFound(IntraExtensionException): - message_format = _("The Extension for that tenant is unknown.") +class IntraExtensionUnknown(IntraExtensionException): + message_format = _("The intra_extension is unknown.") code = 400 - title = 'Extension UUID Not Found Error' - logger = "WARNING" + title = 'Intra Extension Unkonw' + logger = "Error" class IntraExtensionCreationError(IntraExtensionException): @@ -136,24 +145,24 @@ class AuthzRule(AuthzException): title = 'Rule Exception' -class SubjectUnknown(AuthzPerimeter): - message_format = _("The given subject is unknown.") +class SubjectCategoryNameExisting(AuthzMetadata): + message_format = _("The given subject category name is existing.") code = 400 - title = 'Subject Unknown' + title = 'Subject Category Name Existing' logger = "ERROR" -class ObjectUnknown(AuthzPerimeter): - message_format = _("The given object is unknown.") +class ObjectCategoryNameExisting(AuthzMetadata): + message_format = _("The given object category name is existing.") code = 400 - title = 'Object Unknown' + title = 'Object Category Name Existing' logger = "ERROR" -class ActionUnknown(AuthzPerimeter): - message_format = _("The given action is unknown.") +class ActionCategoryNameExisting(AuthzMetadata): + message_format = _("The given action category name is existing.") code = 400 - title = 'Action Unknown' + title = 'Action Category Name Existing' logger = "ERROR" @@ -178,6 +187,48 @@ class ActionCategoryUnknown(AuthzMetadata): logger = "ERROR" +class SubjectUnknown(AuthzPerimeter): + message_format = _("The given subject is unknown.") + code = 400 + title = 'Subject Unknown' + logger = "ERROR" + + +class ObjectUnknown(AuthzPerimeter): + message_format = _("The given object is unknown.") + code = 400 + title = 'Object Unknown' + logger = "ERROR" + + +class ActionUnknown(AuthzPerimeter): + message_format = _("The given action is unknown.") + code = 400 + title = 'Action Unknown' + logger = "ERROR" + + +class SubjectNameExisting(AuthzPerimeter): + message_format = _("The given subject name is existing.") + code = 400 + title = 'Subject Name Existing' + logger = "ERROR" + + +class ObjectNameExisting(AuthzPerimeter): + message_format = _("The given object name is existing.") + code = 400 + title = 'Object Name Existing' + logger = "ERROR" + + +class ActionNameExisting(AuthzPerimeter): + message_format = _("The given action name is existing.") + code = 400 + title = 'Action Name Existing' + logger = "ERROR" + + class SubjectScopeUnknown(AuthzScope): message_format = _("The given subject scope is unknown.") code = 400 @@ -199,6 +250,27 @@ class ActionScopeUnknown(AuthzScope): logger = "ERROR" +class SubjectScopeNameExisting(AuthzScope): + message_format = _("The given subject scope name is existing.") + code = 400 + title = 'Subject Scope Name Existing' + logger = "ERROR" + + +class ObjectScopeNameExisting(AuthzScope): + message_format = _("The given object scope name is existing.") + code = 400 + title = 'Object Scope Name Existing' + logger = "ERROR" + + +class ActionScopeNameExisting(AuthzScope): + message_format = _("The given action scope name is existing.") + code = 400 + title = 'Action Scope Name Existing' + logger = "ERROR" + + class SubjectAssignmentOutOfScope(AuthzScope): message_format = _("The given subject scope value is out of scope.") code = 400 @@ -241,24 +313,65 @@ class ActionAssignmentUnknown(AuthzAssignment): logger = "ERROR" +class SubjectAssignmentExisting(AuthzAssignment): + message_format = _("The given subject assignment value is existing.") + code = 400 + title = 'Subject Assignment Existing' + logger = "ERROR" + + +class ObjectAssignmentExisting(AuthzAssignment): + message_format = _("The given object assignment value is existing.") + code = 400 + title = 'Object Assignment Existing' + logger = "ERROR" + + +class ActionAssignmentExisting(AuthzAssignment): + message_format = _("The given action assignment value is existing.") + code = 400 + title = 'Action Assignment Existing' + logger = "ERROR" + + +class AggregationAlgorithmExisting(AuthzMetadata): + message_format = _("The given aggregation algorithm is existing.") + code = 400 + title = 'Aggregation Algorithm Existing' + logger = "ERROR" + + class AggregationAlgorithmNotExisting(AuthzMetadata): - message_format = _("The given aggregation algorithm is not exsiting.") + message_format = _("The given aggregation algorithm is not existing.") code = 400 title = 'Aggregation Algorithm Not Existing' logger = "ERROR" -class AggregationAlgorithmOutOfScope(AuthzMetadata): - message_format = _("The given aggregation algorithm is out of scope.") +class AggregationAlgorithmUnknown(AuthzMetadata): + message_format = _("The given aggregation algorithm is unknown.") code = 400 - title = 'Aggregation Algorithm Out Of Scope' + title = 'Aggregation Algorithm Unknown' logger = "ERROR" -class SubMetaRuleOutOfScope(AuthzMetadata): - message_format = _("The given sub meta rule is out of scope.") +class SubMetaRuleUnknown(AuthzMetadata): + message_format = _("The given sub meta rule is unknown.") + code = 400 + title = 'Sub Meta Rule Unknown' + logger = "ERROR" + +class SubMetaRuleNameExisting(AuthzMetadata): + message_format = _("The sub meta rule name is existing.") code = 400 - title = 'Sub Meta Rule Out Of Scope' + title = 'Sub Meta Rule Name Existing' + logger = "ERROR" + + +class SubMetaRuleExisting(AuthzMetadata): + message_format = _("The sub meta rule is existing.") + code = 400 + title = 'Sub Meta Rule Existing' logger = "ERROR" @@ -276,6 +389,13 @@ class RuleKOExisting(AuthzRule): logger = "ERROR" +class RuleExisting(AuthzRule): + message_format = _("The rule is existing.") + code = 400 + title = 'Rule Existing' + logger = "ERROR" + + class RuleUnknown(AuthzRule): message_format = _("The rule for that request doesn't exist.") code = 400 @@ -283,6 +403,13 @@ class RuleUnknown(AuthzRule): logger = "ERROR" +class AddedRuleExisting(AuthzRule): + message_format = _("The added rule for that request is existing.") + code = 400 + title = 'Added Rule Existing' + logger = "ERROR" + + # Admin exceptions diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py index 0e5d69d4..0b7c1d21 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py @@ -65,7 +65,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): #self.admin = self.identity_api.create_user(USER) IE["policymodel"] = policy_model IE["name"] = uuid.uuid4().hex - self.ref = self.manager.load_intra_extension(IE) + self.ref = self.manager.load_intra_extension_dict(IE) self.assertIsInstance(self.ref, dict) self.create_tenant(self.ref["id"]) @@ -1170,7 +1170,7 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) metarule[relation]["subject_categories"].append(new_subject_category["id"]) - _sub_meta_rules = self.manager.set_sub_meta_rule_dict("admin", self.ref["id"], metarule) + _sub_meta_rules = self.manager.del_sub_meta_rule("admin", self.ref["id"], metarule) self.assertIn(relation, metarule) for item in ("subject_categories", "object_categories", "action_categories"): self.assertEqual( @@ -1310,7 +1310,7 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): IE["policymodel"] = policy_model IE["name"] = uuid.uuid4().hex - ref = self.admin_manager.load_intra_extension(IE) + ref = self.admin_manager.load_intra_extension_dict(IE) self.assertIsInstance(ref, dict) return ref @@ -2701,11 +2701,11 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): self.assertRaises( MetaRuleAddNotAuthorized, - self.manager.set_sub_meta_rule_dict, + self.manager.get_sub_meta_rule, demo_user["id"], ref["id"], metarule ) - _sub_meta_rules = self.manager.set_sub_meta_rule_dict(admin_user["id"], ref["id"], metarule) + _sub_meta_rules = self.manager.get_sub_meta_rule(admin_user["id"], ref["id"], metarule) self.assertIn(relation, metarule) for item in ("subject_categories", "object_categories", "action_categories"): self.assertEqual( diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py index 707c138d..7bbac97a 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py @@ -89,7 +89,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): IE["policymodel"] = policy_model IE["name"] = uuid.uuid4().hex - ref = self.admin_manager.load_intra_extension(IE) + ref = self.admin_manager.load_intra_extension_dict(IE) self.assertIsInstance(ref, dict) return ref @@ -123,12 +123,12 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): tenant = self.create_tenant() self.assertRaises( - IntraExtensionNotFound, + IntraExtensionUnknown, self.manager.get_extension_uuid, tenant["id"], "authz" ) self.assertRaises( - IntraExtensionNotFound, + IntraExtensionUnknown, self.manager.get_extension_uuid, tenant["id"], "admin" ) @@ -142,7 +142,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): def test_authz_exceptions(self): self.assertRaises( - IntraExtensionNotFound, + IntraExtensionUnknown, self.manager.authz, uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex ) @@ -322,7 +322,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): "relation": "relation_super" } } - self.manager.set_sub_meta_rule_dict( + self.manager.get_sub_meta_rule( admin_user['id'], self.ref["id"], my_meta_rule @@ -1076,7 +1076,7 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): metarule[relation]["subject_categories"].append(new_subject_category["id"]) self.assertRaises( MetaRuleAddNotAuthorized, - self.manager.set_sub_meta_rule_dict, + self.manager.get_sub_meta_rule, admin_user["id"], ref["id"], metarule) def test_sub_rules(self): diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py index a4ea1d36..f38d68ab 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py @@ -67,7 +67,7 @@ class TestIntraExtensionAdminManager(tests.TestCase): # Create the admin user because IntraExtension needs it self.admin = self.identity_api.create_user(USER_ADMIN) IE["policymodel"] = policy_model - self.ref = self.manager.load_intra_extension(IE) + self.ref = self.manager.load_intra_extension_dict(IE) self.assertIsInstance(self.ref, dict) self.create_tenant(self.ref["id"]) diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py index 615b8bbc..bc34feaa 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py @@ -89,7 +89,7 @@ class TestTenantManager(tests.TestCase): data = self.manager.set_tenant_name(_uuid, "new name") self.assertEquals(_uuid, data["id"]) self.assertEquals(data["name"], "new name") - data = self.manager.get_tenant_name(_uuid) + data = self.manager.get_tenant_name_from_id(_uuid) self.assertEquals(data, "new name") def test_delete_tenant(self): @@ -139,7 +139,7 @@ class TestTenantManager(tests.TestCase): self.assertEqual(data, new_mapping[_uuid]["admin"]) def test_unkown_tenant_uuid(self): - self.assertRaises(TenantIDNotFound, self.manager.get_tenant_name, uuid.uuid4().hex) + self.assertRaises(TenantIDNotFound, self.manager.get_tenant_name_from_id, uuid.uuid4().hex) self.assertRaises(TenantIDNotFound, self.manager.set_tenant_name, uuid.uuid4().hex, "new name") self.assertRaises(TenantIDNotFound, self.manager.get_extension_id, uuid.uuid4().hex) _uuid = uuid.uuid4().hex @@ -157,6 +157,6 @@ class TestTenantManager(tests.TestCase): intra_admin_ext_id="" ) self.assertEquals(_uuid, data["id"]) - self.assertRaises(IntraExtensionNotFound, self.manager.get_extension_id, _uuid, "admin") + self.assertRaises(IntraExtensionUnknown, self.manager.get_extension_id, _uuid, "admin") self.assertRaises(TenantIDNotFound, self.manager.get_tenant_uuid, uuid.uuid4().hex) # self.assertRaises(AdminIntraExtensionNotFound, self.manager.get_admin_extension_uuid, uuid.uuid4().hex) -- cgit 1.2.3-korg