path: root/moon_manager/moon_manager/api/db/policy.py

# Software Name: MOON

# Version: 5.4

# SPDX-FileCopyrightText: Copyright (c) 2018-2020 Orange and its contributors
# SPDX-License-Identifier: Apache-2.0

# This software is distributed under the 'Apache License 2.0',
# the text of which is available at 'http://www.apache.org/licenses/LICENSE-2.0.txt'
# or see the "LICENSE" file for more details.


import logging
from uuid import uuid4
from moon_manager.api.db.managers import Managers
from moon_manager.pip_driver import InformationManager
from moon_utilities.security_functions import enforce
from moon_utilities import exceptions
from moon_manager import pip_driver


logger = logging.getLogger("moon.db.api.policy")


class PolicyManager(Managers):

    def __init__(self, connector=None):
        self.driver = connector.driver
        Managers.PolicyManager = self

    def get_policy_from_meta_rules(self, moon_user_id, meta_rule_id):
        policies = self.PolicyManager.get_policies("admin")
        models = self.ModelManager.get_models("admin")
        for pdp_key, pdp_value in self.PDPManager.get_pdp(moon_user_id=moon_user_id).items():
            if 'security_pipeline' not in pdp_value:
                raise exceptions.PdpContentError
            for policy_id in pdp_value["security_pipeline"]:
                if not policies or policy_id not in policies:
                    raise exceptions.PolicyUnknown
                model_id = policies[policy_id]["model_id"]
                if not models:
                    raise exceptions.ModelUnknown
                if model_id not in models:
                    raise exceptions.ModelUnknown
                if meta_rule_id in models[model_id]["meta_rules"]:
                    return policy_id

    @enforce(("read", "write"), "policies")
    def update_policy(self, moon_user_id, policy_id, value):

        if not value or not value['name'].strip():
            raise exceptions.PolicyContentError

        policy_list = self.driver.get_policies(policy_id=policy_id)
        if not policy_id or policy_id not in policy_list:
            raise exceptions.PolicyUnknown

        policies = self.driver.get_policies(policy_name=value['name'])
        if policies and not (policy_id in policies):
            raise exceptions.PolicyExisting("Policy name Existed")

        if 'model_id' in value and value['model_id']:
            if not value['model_id'].strip() or not Managers.ModelManager.get_models(
                    moon_user_id=moon_user_id, model_id=value['model_id']):
                raise exceptions.ModelUnknown

        policy_obj = policy_list[policy_id]
        if policy_obj["model_id"] and policy_obj["model_id"] != value['model_id']:
            raise exceptions.PolicyUpdateError("Model is not empty")

        return self.driver.update_policy(policy_id=policy_id, value=value)

    @enforce(("read", "write"), "policies")
    def delete_policy(self, moon_user_id, policy_id):
        # TODO (asteroide): unmap PDP linked to that policy
        if policy_id not in self.driver.get_policies(policy_id=policy_id):
            raise exceptions.PolicyUnknown
        pdps = self.PDPManager.get_pdp(moon_user_id=moon_user_id)
        for pdp in pdps:
            if policy_id in pdps[pdp]['security_pipeline']:
                self.PDPManager.delete_policy_from_pdp(moon_user_id=moon_user_id,
                                                       pdp_id=pdp,
                                                       policy_id=policy_id)

        subject_data = self.get_subject_data(moon_user_id=moon_user_id, policy_id=policy_id)
        if subject_data:
            for subject_data_obj in subject_data:
                if subject_data_obj and subject_data_obj["data"]:
                    for subject_data_id in subject_data_obj['data']:
                        self.delete_subject_data(moon_user_id=moon_user_id, policy_id=policy_id,
                                                 data_id=subject_data_id)

        object_data = self.get_object_data(moon_user_id=moon_user_id, policy_id=policy_id)
        if object_data:
            for object_data_obj in object_data:
                if object_data_obj and object_data_obj["data"]:
                    for object_data_id in object_data_obj['data']:
                        self.delete_object_data(moon_user_id=moon_user_id, policy_id=policy_id,
                                                data_id=object_data_id)
        action_data = self.get_action_data(moon_user_id=moon_user_id, policy_id=policy_id)
        if action_data:
            for action_data_obj in action_data:
                if action_data_obj and action_data_obj["data"]:
                    for action_data_id in action_data_obj['data']:
                        self.delete_action_data(moon_user_id=moon_user_id, policy_id=policy_id,
                                                data_id=action_data_id)

        subjects = self.driver.get_subjects(policy_id=policy_id)
        if subjects:
            for subject_id in subjects:
                self.delete_subject(moon_user_id=moon_user_id, policy_id=policy_id,
                                    perimeter_id=subject_id)
        objects = self.driver.get_objects(policy_id=policy_id)
        if objects:
            for object_id in objects:
                self.delete_object(moon_user_id=moon_user_id, policy_id=policy_id,
                                   perimeter_id=object_id)
        actions = self.driver.get_actions(policy_id=policy_id)
        if actions:
            for action_id in actions:
                self.delete_action(moon_user_id=moon_user_id, policy_id=policy_id,
                                   perimeter_id=action_id)

        # rules = self.driver.get_rules(policy_id=policy_id)["rules"]
        # if rules:
        #     for rule_id in rules:
        #         self.delete_rule(moon_user_id=moon_user_id, policy_id=policy_id, rules=rule_id)

        return self.driver.delete_policy(policy_id=policy_id)

    @enforce(("read", "write"), "policies")
    def add_policy(self, moon_user_id, policy_id=None, value=None):

        if not value or not value['name'].strip():
            raise exceptions.PolicyContentError
        if policy_id in self.driver.get_policies(policy_id=policy_id):
            raise exceptions.PolicyExisting

        if self.driver.get_policies(policy_name=value['name']):
            raise exceptions.PolicyExisting("Policy name Existed")

        if not policy_id:
            policy_id = uuid4().hex
        if 'model_id' in value and value['model_id'] != "":
            model_id = value['model_id']
            if model_id is None:
                raise exceptions.ModelUnknown
            else:
                model_list = Managers.ModelManager.get_models(moon_user_id=moon_user_id,
                                                     model_id=model_id)
            if not model_list:
                raise exceptions.ModelUnknown

            self.__check_blank_model(model_list[model_id])

        return self.driver.add_policy(policy_id=policy_id, value=value)

    @enforce("read", "policies")
    def get_policies(self, moon_user_id, policy_id=None):
        return self.driver.get_policies(policy_id=policy_id)

    @enforce("read", "perimeter")
    def get_subjects(self, moon_user_id, policy_id, perimeter_id=None):
        # if not policy_id:
        #    raise exceptions.PolicyUnknown
        if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
            raise exceptions.PolicyUnknown
        return self.driver.get_subjects(policy_id=policy_id, perimeter_id=perimeter_id)

    @enforce(("read", "write"), "perimeter")
    def add_subject(self, moon_user_id, policy_id=None, perimeter_id=None, value=None):

        logger.debug("add_subject {}".format(policy_id))
        if not value or "name" not in value or not value["name"].strip():
            raise exceptions.PerimeterContentError('invalid name')

        if 'policy_list' in value:
            raise exceptions.PerimeterContentError("body should not contain policy_list")

        if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
            raise exceptions.PolicyUnknown

        if perimeter_id:
            subjects = self.driver.get_subjects(policy_id=None, perimeter_id=perimeter_id)
            if subjects and subjects[perimeter_id]['name'] != value['name']:
                raise exceptions.PerimeterContentError

        if not perimeter_id:
            subject_per = self.driver.get_subject_by_name(value['name'])
            if subject_per:
                perimeter_id = next(iter(subject_per))

        # should get k_user = {'users':[{"id":"11111"}]} from Keystone
        # FIXME: need to check other input
        # k_user = InformationManager.get_users(username=value.get('name'))
        #
        # if not k_user.get('users', {}):
        #     k_user = InformationManager.add_user(**value)
        # if k_user:
        #     if not perimeter_id:
        #         try:
        #             logger.info("k_user={}".format(k_user))
        #             perimeter_id = k_user['users'][0].get('id', uuid4().hex)
        #         except IndexError:
        #             k_user = InformationManager.get_users(value.get('name'))
        #             perimeter_id = uuid4().hex
        #         except KeyError:
        #             k_user = InformationManager.get_users(value.get('name'))
        #             perimeter_id = uuid4().hex
        #
        #     try:
        #         value.update(k_user['users'][0])
        #     except IndexError:
        #         logger.error("Cannot update user from external server data, got {}".format(k_user))

        return self.driver.set_subject(policy_id=policy_id, perimeter_id=perimeter_id, value=value)

    @enforce(("read", "write"), "perimeter")
    def update_subject(self, moon_user_id, perimeter_id, value):
        logger.debug("update_subject perimeter_id = {}".format(perimeter_id))

        if not perimeter_id:
            raise exceptions.SubjectUnknown

        subjects = self.driver.get_subjects(policy_id=None, perimeter_id=perimeter_id)
        if not subjects or not (perimeter_id in subjects):
            raise exceptions.PerimeterContentError

        if 'policy_list' in value or ('name' in value and not value['name']):
            raise exceptions.PerimeterContentError

        return self.driver.update_subject(perimeter_id=perimeter_id, value=value)

    @enforce(("read", "write"), "perimeter")
    def delete_subject(self, moon_user_id, policy_id, perimeter_id):

        if not perimeter_id:
            raise exceptions.SubjectUnknown

        # if not policy_id:
        #     raise exceptions.PolicyUnknown

        if not self.get_subjects(moon_user_id=moon_user_id, policy_id=policy_id,
                                 perimeter_id=perimeter_id):
            raise exceptions.SubjectUnknown

        if policy_id:
            if not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
                raise exceptions.PolicyUnknown

            subj_assig = self.driver.get_subject_assignments(policy_id=policy_id,
                                                             subject_id=perimeter_id)
            if subj_assig:
                assign_id = next(iter(subj_assig))
                for data_id in subj_assig[assign_id]['assignments']:
                    self.delete_subject_assignment(moon_user_id=moon_user_id,
                                                   policy_id=policy_id,
                                                   subject_id=perimeter_id,
                                                   category_id=subj_assig[assign_id]['category_id'],
                                                   data_id=data_id)

        return self.driver.delete_subject(policy_id=policy_id, perimeter_id=perimeter_id)

    @enforce("read", "perimeter")
    def get_objects(self, moon_user_id, policy_id, perimeter_id=None):
        # if not policy_id:
        #     pass
        if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
            raise exceptions.PolicyUnknown
        return self.driver.get_objects(policy_id=policy_id, perimeter_id=perimeter_id)

    @enforce(("read", "write"), "perimeter")
    def add_object(self, moon_user_id, policy_id, perimeter_id=None, value=None):
        logger.debug("add_object {}".format(policy_id))

        if not value or "name" not in value or not value["name"].strip():
            raise exceptions.PerimeterContentError('invalid name')

        if 'policy_list' in value:
            raise exceptions.PerimeterContentError("body should not contain policy_list")

        if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
            raise exceptions.PolicyUnknown

        # object_perimeter = {}
        # if perimeter_id:
        #     object_perimeter = self.driver.get_objects(policy_id=None, perimeter_id=perimeter_id)
        #     if not object_perimeter:
        #         raise exceptions.PerimeterContentError
        # empeche l'ajout d'un objet avec un id prédéterminé

        if not perimeter_id:
            object_perimeter = self.driver.get_object_by_name(value['name'])
            if object_perimeter:
                perimeter_id = next(iter(object_perimeter))

        if perimeter_id:
            objects = self.driver.get_objects(policy_id=None, perimeter_id=perimeter_id)
            if objects and objects[perimeter_id]['name'] != value['name']:
                raise exceptions.PerimeterContentError

        if not perimeter_id:
            perimeter_id = uuid4().hex
        return self.driver.set_object(policy_id=policy_id, perimeter_id=perimeter_id, value=value)

    @enforce(("read", "write"), "perimeter")
    def update_object(self, moon_user_id, perimeter_id, value):
        logger.debug("update_object perimeter_id = {}".format(perimeter_id))

        if not perimeter_id:
            raise exceptions.ObjectUnknown

        objects = self.driver.get_objects(policy_id=None, perimeter_id=perimeter_id)
        if not objects or not (perimeter_id in objects):
            raise exceptions.PerimeterContentError

        if 'policy_list' in value or ('name' in value and not value['name']):
            raise exceptions.PerimeterContentError

        return self.driver.update_object(perimeter_id=perimeter_id, value=value)

    @enforce(("read", "write"), "perimeter")
    def delete_object(self, moon_user_id, policy_id, perimeter_id):

        if not perimeter_id:
            raise exceptions.ObjectUnknown

        # if not policy_id:
        #     raise exceptions.PolicyUnknown

        if not self.get_objects(moon_user_id=moon_user_id, policy_id=policy_id,
                                perimeter_id=perimeter_id):
            raise exceptions.ObjectUnknown

        if policy_id:

            if not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
                raise exceptions.PolicyUnknown

            obj_assig = self.driver.get_object_assignments(policy_id=policy_id, object_id=perimeter_id)

            if obj_assig:
                assign_id = next(iter(obj_assig))
                for data_id in obj_assig[assign_id]['assignments']:
                    self.delete_object_assignment(moon_user_id,
                                                  policy_id=policy_id,
                                                  object_id=perimeter_id,
                                                  category_id=obj_assig[assign_id]['category_id'],
                                                  data_id=data_id)

        return self.driver.delete_object(policy_id=policy_id, perimeter_id=perimeter_id)

    @enforce("read", "perimeter")
    def get_actions(self, moon_user_id, policy_id, perimeter_id=None):

        if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
            raise exceptions.PolicyUnknown
        return self.driver.get_actions(policy_id=policy_id, perimeter_id=perimeter_id)

    @enforce(("read", "write"), "perimeter")
    def add_action(self, moon_user_id, policy_id, perimeter_id=None, value=None):
        logger.debug("add_action {}".format(policy_id))

        if not value or "name" not in value or not value["name"].strip():
            raise exceptions.PerimeterContentError('invalid name')

        if 'policy_list' in value:
            raise exceptions.PerimeterContentError("body should not contain policy_list")

        if policy_id and (not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)):
            raise exceptions.PolicyUnknown

        action_perimeter = {}
        if perimeter_id:
            action_perimeter = self.driver.get_actions(policy_id=None, perimeter_id=perimeter_id)
            if not action_perimeter:
                raise exceptions.PerimeterContentError

        if not perimeter_id:
            action_perimeter = self.driver.get_action_by_name(value['name'])
            if action_perimeter:
                perimeter_id = next(iter(action_perimeter))

        if perimeter_id and action_perimeter[perimeter_id]['name'] != value['name']:
            raise exceptions.PerimeterContentError

        if not perimeter_id:
            perimeter_id = uuid4().hex

        return self.driver.set_action(policy_id=policy_id, perimeter_id=perimeter_id, value=value)

    @enforce(("read", "write"), "perimeter")
    def update_action(self, moon_user_id, perimeter_id, value):
        logger.debug("update_action perimeter_id = {}".format(perimeter_id))

        if not perimeter_id:
            raise exceptions.ActionUnknown

        actions = self.driver.get_actions(policy_id=None, perimeter_id=perimeter_id)
        if not actions or not (perimeter_id in actions):
            raise exceptions.PerimeterContentError

        if 'policy_list' in value or ('name' in value and not value['name'].strip()):
            raise exceptions.PerimeterContentError

        return self.driver.update_action(perimeter_id=perimeter_id, value=value)

    @enforce(("read", "write"), "perimeter")
    def delete_action(self, moon_user_id, policy_id, perimeter_id):

        if not perimeter_id:
            raise exceptions.ActionUnknown

        # if not policy_id:
        #     raise exceptions.PolicyUnknown

        if not self.get_actions(moon_user_id=moon_user_id, policy_id=policy_id,
                                perimeter_id=perimeter_id):
            raise exceptions.ActionUnknown

        logger.debug("delete_action {} {} {}".format(policy_id, perimeter_id,
                                                     self.get_policies(moon_user_id=moon_user_id,
                                                                       policy_id=policy_id)))
        if policy_id:
            if not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
                raise exceptions.PolicyUnknown

            act_assig = self.driver.get_action_assignments(policy_id=policy_id, action_id=perimeter_id)

            if act_assig:
                assign_id = next(iter(act_assig))
                for data_id in act_assig[assign_id]['assignments']:
                    self.delete_action_assignment(moon_user_id=moon_user_id,
                                                  policy_id=policy_id,
                                                  action_id=perimeter_id,
                                                  category_id=act_assig[assign_id]['category_id'],
                                                  data_id=data_id)

        return self.driver.delete_action(policy_id=policy_id, perimeter_id=perimeter_id)

    @enforce("read", "data")
    def get_subject_data(self, moon_user_id, policy_id, data_id=None, category_id=None):
        available_metadata = self.get_available_metadata(moon_user_id=moon_user_id,
                                                         policy_id=policy_id)
        results = []
        if not category_id:
            for cat in available_metadata["subject"]:
                _value = self.driver.get_subject_data(policy_id=policy_id, data_id=data_id,
                                                      category_id=cat)
                results.append(_value)
        if category_id and category_id in available_metadata["subject"]:
            results.append(self.driver.get_subject_data(policy_id=policy_id, data_id=data_id,
                                                        category_id=category_id))
        return results

    @enforce(("read", "write"), "data")
    def set_subject_data(self, moon_user_id, policy_id, data_id=None, category_id=None, value=None):

        logger.debug("set_subject_data policyID {}".format(policy_id))

        if not value or 'name' not in value or not value['name'].strip():
            raise exceptions.DataContentError

        if not policy_id or not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
            raise exceptions.PolicyUnknown

        if not category_id or (
                not Managers.ModelManager.get_subject_categories(moon_user_id=moon_user_id,
                                                                 category_id=category_id)):
            raise exceptions.SubjectCategoryUnknown

        self.__category_dependency_validation(moon_user_id, policy_id, category_id,
                                              'subject_categories')

        if not data_id:
            data_id = uuid4().hex
        return self.driver.set_subject_data(policy_id=policy_id, data_id=data_id,
                                            category_id=category_id, value=value)

    @enforce(("read", "write"), "data")
    def delete_subject_data(self, moon_user_id, policy_id, data_id, category_id=None):
        # TODO (asteroide): check and/or delete assignments linked to that data
        subject_assignments = self.get_subject_assignments(moon_user_id=moon_user_id,
                                                           policy_id=policy_id,
                                                           category_id=category_id)
        if subject_assignments:
            for assign_id in subject_assignments:
                self.driver.delete_subject_assignment(
                    policy_id=subject_assignments[assign_id]['policy_id'],
                    subject_id=subject_assignments[assign_id]['subject_id'],
                    category_id=subject_assignments[assign_id]['category_id'],
                    data_id=subject_assignments[assign_id]['id'])

        rules = self.driver.get_rules(policy_id=policy_id)
        if rules['rules']:
            for rule in rules['rules']:
                if data_id in rule['rule']:
                    self.driver.delete_rule(policy_id, rule['id'])

        return self.driver.delete_subject_data(policy_id=policy_id, category_id=category_id,
                                               data_id=data_id)

    @enforce("read", "data")
    def get_object_data(self, moon_user_id, policy_id, data_id=None, category_id=None):
        available_metadata = self.get_available_metadata(moon_user_id=moon_user_id,
                                                         policy_id=policy_id)
        results = []
        if not category_id:
            for cat in available_metadata["object"]:
                results.append(self.driver.get_object_data(policy_id=policy_id, data_id=data_id,
                                                           category_id=cat))
        if category_id and category_id in available_metadata["object"]:
            results.append(self.driver.get_object_data(policy_id=policy_id, data_id=data_id,
                                                       category_id=category_id))
        return results

    @enforce(("read", "write"), "data")
    def add_object_data(self, moon_user_id, policy_id, data_id=None, category_id=None, value=None):
        logger.debug("add_object_data policyID {}".format(policy_id))

        if not value or 'name' not in value or not value['name'].strip():
            raise exceptions.DataContentError

        if not policy_id or not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
            raise exceptions.PolicyUnknown

        if not category_id or (
                not Managers.ModelManager.get_object_categories(moon_user_id=moon_user_id,
                                                                category_id=category_id)):
            raise exceptions.ObjectCategoryUnknown

        self.__category_dependency_validation(moon_user_id, policy_id, category_id,
                                              'object_categories')

        if not data_id:
            data_id = uuid4().hex
        return self.driver.set_object_data(policy_id=policy_id, data_id=data_id,
                                           category_id=category_id, value=value)

    @enforce(("read", "write"), "data")
    def delete_object_data(self, moon_user_id, policy_id, data_id, category_id=None):
        # TODO (asteroide): check and/or delete assignments linked to that data
        object_assignments = self.get_object_assignments(moon_user_id=moon_user_id,
                                                         policy_id=policy_id,
                                                         category_id=category_id)

        if object_assignments:
            for assign_id in object_assignments:
                self.driver.delete_object_assignment(
                    policy_id=object_assignments[assign_id]['policy_id'],
                    object_id=object_assignments[assign_id]['object_id'],
                    category_id=object_assignments[assign_id]['category_id'],
                    data_id=object_assignments[assign_id]['id'])

        rules = self.driver.get_rules(policy_id=policy_id)
        if rules['rules']:
            for rule in rules['rules']:
                if data_id in rule['rule']:
                    self.driver.delete_rule(policy_id, rule['id'])

        return self.driver.delete_object_data(policy_id=policy_id, category_id=category_id,
                                              data_id=data_id)

    @enforce("read", "data")
    def get_action_data(self, moon_user_id, policy_id, data_id=None, category_id=None):
        available_metadata = self.get_available_metadata(moon_user_id=moon_user_id,
                                                         policy_id=policy_id)
        results = []
        if not category_id:
            for cat in available_metadata["action"]:
                results.append(self.driver.get_action_data(policy_id=policy_id, data_id=data_id,
                                                           category_id=cat))
        if category_id and category_id in available_metadata["action"]:
            if category_id.startswith("attributes:"):
                data = {}
                attrs = pip_driver.AttrsManager.get_objects(
                    moon_user_id="admin",
                    object_type=category_id.replace("attributes:", ""))
                for item in attrs.keys():
                    data[item] = {"id": item, "name": item, "description": item}
                results.append(
                    {
                        "policy_id": policy_id,
                        "category_id": category_id,
                        "data": data,
                    }
                )
            else:
                results.append(self.driver.get_action_data(policy_id=policy_id,
                                                           data_id=data_id,
                                                           category_id=category_id))
        return results

    @enforce(("read", "write"), "data")
    def add_action_data(self, moon_user_id, policy_id, data_id=None, category_id=None, value=None):

        logger.debug("add_action_data policyID {}".format(policy_id))

        if not value or 'name' not in value or not value['name'].strip():
            raise exceptions.DataContentError

        if not policy_id or not self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id):
            raise exceptions.PolicyUnknown

        if not category_id or (
                not Managers.ModelManager.get_action_categories(moon_user_id=moon_user_id,
                                                                category_id=category_id)):
            raise exceptions.ActionCategoryUnknown

        self.__category_dependency_validation(moon_user_id, policy_id, category_id,
                                              'action_categories')

        if not data_id:
            data_id = uuid4().hex
        return self.driver.set_action_data(policy_id=policy_id, data_id=data_id,
                                           category_id=category_id, value=value)

    @enforce(("read", "write"), "data")
    def delete_action_data(self, moon_user_id, policy_id, data_id, category_id=None):
        # TODO (asteroide): check and/or delete assignments linked to that data
        action_assignments = self.get_action_assignments(moon_user_id=moon_user_id,
                                                         policy_id=policy_id,
                                                         category_id=category_id)
        if action_assignments:
            for assign_id in action_assignments:
                self.driver.delete_action_assignment(
                    policy_id=action_assignments[assign_id]['policy_id'],
                    action_id=action_assignments[assign_id]['action_id'],
                    category_id=action_assignments[assign_id]['category_id'],
                    data_id=action_assignments[assign_id]['id'])

        rules = self.driver.get_rules(policy_id=policy_id)
        if rules['rules']:
            for rule in rules['rules']:
                if data_id in rule['rule']:
                    self.driver.delete_rule(policy_id, rule['id'])

        return self.driver.delete_action_data(policy_id=policy_id, category_id=category_id,
                                              data_id=data_id)

    @enforce("read", "assignments")
    def get_subject_assignments(self, moon_user_id, policy_id, subject_id=None, category_id=None):
        return self.driver.get_subject_assignments(policy_id=policy_id, subject_id=subject_id,
                                                   category_id=category_id)

    @enforce(("read", "write"), "assignments")
    def add_subject_assignment(self, moon_user_id, policy_id, subject_id, category_id, data_id):

        logger.debug("add_subject_assignment policyID {}".format(policy_id))
        if not category_id or (
                not Managers.ModelManager.get_subject_categories(moon_user_id=moon_user_id,
                                                                 category_id=category_id)):
            raise exceptions.SubjectCategoryUnknown

        self.__category_dependency_validation(moon_user_id, policy_id, category_id,
                                              'subject_categories')

        if not subject_id or (
                not self.get_subjects(moon_user_id=moon_user_id, policy_id=policy_id,
                                      perimeter_id=subject_id)):
            raise exceptions.SubjectUnknown
        subjects_data = self.get_subject_data(moon_user_id=moon_user_id, policy_id=policy_id,
                                              data_id=data_id, category_id=category_id)
        if not data_id or not subjects_data or data_id not in subjects_data[0]['data']:
            raise exceptions.DataUnknown

        return self.driver.add_subject_assignment(policy_id=policy_id, subject_id=subject_id,
                                                  category_id=category_id, data_id=data_id)

    @enforce(("read", "write"), "assignments")
    def delete_subject_assignment(self, moon_user_id, policy_id, subject_id, category_id, data_id):
        if policy_id:
            return self.driver.delete_subject_assignment(
                policy_id=policy_id, subject_id=subject_id,
                category_id=category_id, data_id=data_id)
        raise exceptions.PolicyUnknown

    @enforce("read", "assignments")
    def get_object_assignments(self, moon_user_id, policy_id, object_id=None, category_id=None):
        return self.driver.get_object_assignments(policy_id=policy_id, object_id=object_id,
                                                  category_id=category_id)

    @enforce(("read", "write"), "assignments")
    def add_object_assignment(self, moon_user_id, policy_id, object_id, category_id, data_id):

        logger.debug("add_object_assignment policyID {}".format(policy_id))
        if not category_id or (
                not Managers.ModelManager.get_object_categories(moon_user_id=moon_user_id,
                                                                category_id=category_id)):
            raise exceptions.ObjectCategoryUnknown

        self.__category_dependency_validation(moon_user_id, policy_id, category_id,
                                              'object_categories')

        if not object_id or (
                not self.get_objects(moon_user_id=moon_user_id, policy_id=policy_id,
                                     perimeter_id=object_id)):
            raise exceptions.ObjectUnknown
        objects_data = self.get_object_data(moon_user_id=moon_user_id, policy_id=policy_id,
                                            data_id=data_id, category_id=category_id)
        if not data_id or not objects_data or data_id not in objects_data[0]['data']:
            raise exceptions.DataUnknown

        return self.driver.add_object_assignment(policy_id=policy_id, object_id=object_id,
                                                 category_id=category_id, data_id=data_id)

    @enforce(("read", "write"), "assignments")
    def delete_object_assignment(self, moon_user_id, policy_id, object_id, category_id, data_id):
        if policy_id:
            return self.driver.delete_object_assignment(policy_id=policy_id, object_id=object_id,
                                                        category_id=category_id, data_id=data_id)
        raise exceptions.PolicyUnknown

    @enforce("read", "assignments")
    def get_action_assignments(self, moon_user_id, policy_id, action_id=None, category_id=None):
        return self.driver.get_action_assignments(policy_id=policy_id, action_id=action_id,
                                                  category_id=category_id)

    @enforce(("read", "write"), "assignments")
    def add_action_assignment(self, moon_user_id, policy_id, action_id, category_id, data_id):

        logger.debug("add_action_assignment policyID {}".format(policy_id))

        if not category_id or (
                not Managers.ModelManager.get_action_categories(moon_user_id=moon_user_id,
                                                                category_id=category_id)):
            raise exceptions.ActionCategoryUnknown

        self.__category_dependency_validation(moon_user_id, policy_id, category_id,
                                              'action_categories')

        if not action_id or (
                not self.get_actions(moon_user_id=moon_user_id, policy_id=policy_id,
                                     perimeter_id=action_id)):
            raise exceptions.ActionUnknown
        actions_data = self.get_action_data(moon_user_id=moon_user_id, policy_id=policy_id,
                                            data_id=data_id, category_id=category_id)
        if not data_id or not actions_data or data_id not in actions_data[0]['data']:
            raise exceptions.DataUnknown

        return self.driver.add_action_assignment(policy_id=policy_id, action_id=action_id,
                                                 category_id=category_id, data_id=data_id)

    @enforce(("read", "write"), "assignments")
    def delete_action_assignment(self, moon_user_id, policy_id, action_id, category_id, data_id):
        if policy_id:
            return self.driver.delete_action_assignment(policy_id=policy_id, action_id=action_id,
                                                        category_id=category_id, data_id=data_id)
        raise exceptions.PolicyUnknown

    @enforce("read", "rules")
    def get_rules(self, moon_user_id, policy_id, meta_rule_id=None, rule_id=None):
        return self.driver.get_rules(policy_id=policy_id, meta_rule_id=meta_rule_id,
                                     rule_id=rule_id)

    @enforce(("read", "write"), "policies")
    def update_rule(self, moon_user_id, rule_id, value):
        if not value or 'instructions' not in value:
            raise exceptions.RuleContentError

        rule_list = self.driver.get_rules(policy_id=None, rule_id=rule_id)
        if not rule_id or rule_id not in rule_list:
            raise exceptions.RuleUnknown

        return self.driver.update_rule(rule_id=rule_id, value=value)

    @enforce(("read", "write"), "rules")
    def add_rule(self, moon_user_id, policy_id, meta_rule_id, value):

        if not meta_rule_id or (
                not self.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
                                                     meta_rule_id=meta_rule_id)):
            raise exceptions.MetaRuleUnknown

        if not value or 'instructions' not in value:  # TODO or not value['instructions']:
            raise exceptions.MetaRuleContentError

        decision_exist = False
        default_instruction = {"decision": "grant"}

        for instruction in value['instructions']:
            if 'decision' in instruction:
                decision_exist = True
                if not instruction['decision']:
                    instruction['decision'] = default_instruction['decision']
                elif instruction['decision'].lower() not in ['grant', 'deny', 'continue']:
                    raise exceptions.RuleContentError("Invalid Decision")

        if not decision_exist:
            value['instructions'].append(default_instruction)

        self.__dependencies_validation(moon_user_id, policy_id, meta_rule_id)

        self.__check_existing_rule(policy_id=policy_id, meta_rule_id=meta_rule_id,
                                   moon_user_id=moon_user_id, rule_value=value)

        return self.driver.add_rule(policy_id=policy_id, meta_rule_id=meta_rule_id, value=value)

    def __check_existing_rule(self, moon_user_id, policy_id, meta_rule_id, rule_value):

        if not meta_rule_id:
            raise exceptions.MetaRuleUnknown

        meta_rule = self.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
                                                     meta_rule_id=meta_rule_id)
        if not meta_rule:
            raise exceptions.MetaRuleUnknown

        if len(meta_rule[meta_rule_id]['subject_categories']) + len(
                meta_rule[meta_rule_id]['object_categories']) \
                + len(meta_rule[meta_rule_id]['action_categories']) > len(rule_value['rule']):
            raise exceptions.RuleContentError(message="Missing Data")

        if len(meta_rule[meta_rule_id]['subject_categories']) + len(
                meta_rule[meta_rule_id]['object_categories']) \
                + len(meta_rule[meta_rule_id]['action_categories']) < len(rule_value['rule']):
            raise exceptions.MetaRuleContentError(message="Missing Data")

        temp_rule_data = list(
            rule_value['rule'][0:len(meta_rule[meta_rule_id]['subject_categories'])])
        found_data_counter = 0
        start_sub = len(meta_rule[meta_rule_id]['subject_categories'])

        for sub_cat_id in meta_rule[meta_rule_id]['subject_categories']:
            subjects_data = self.get_subject_data(moon_user_id=moon_user_id,
                                                  category_id=sub_cat_id, policy_id=policy_id)
            if subjects_data:
                found_data_counter = self.__validate_data_id(sub_cat_id, subjects_data[0]['data'],
                                                             temp_rule_data,
                                                             "Missing Subject_category "
                                                             , found_data_counter)

        if found_data_counter != len(meta_rule[meta_rule_id]['subject_categories']):
            raise exceptions.RuleContentError(message="Missing Data")

        _index = start_sub + len(meta_rule[meta_rule_id]['object_categories'])
        temp_rule_data = list(rule_value['rule'][start_sub:_index])
        found_data_counter = 0
        start_sub = start_sub + len(meta_rule[meta_rule_id]['object_categories'])

        for ob_cat_id in meta_rule[meta_rule_id]['object_categories']:
            object_data = self.get_object_data(moon_user_id=moon_user_id,
                                               category_id=ob_cat_id, policy_id=policy_id)
            if object_data:
                found_data_counter = self.__validate_data_id(ob_cat_id, object_data[0]['data'],
                                                             temp_rule_data,
                                                             "Missing Object_category ",
                                                             found_data_counter)

        if found_data_counter != len(meta_rule[meta_rule_id]['object_categories']):
            raise exceptions.RuleContentError(message="Missing Data")

        _index = start_sub + len(meta_rule[meta_rule_id]['action_categories'])
        temp_rule_data = list(rule_value['rule'][start_sub:_index])
        found_data_counter = 0

        for act_cat_id in meta_rule[meta_rule_id]['action_categories']:
            action_data = self.get_action_data(moon_user_id=moon_user_id, category_id=act_cat_id,
                                               policy_id=policy_id)
            if action_data:
                found_data_counter = self.__validate_data_id(act_cat_id, action_data[0]['data'],
                                                             temp_rule_data,
                                                             "Missing Action_category ",
                                                             found_data_counter)

        # Note: adding count of data linked to a global attribute
        found_data_counter += len(list(filter(lambda x: "attributes:" in x, temp_rule_data)))
        if found_data_counter != len(meta_rule[meta_rule_id]['action_categories']):
            raise exceptions.RuleContentError(message="Missing Data")

    @staticmethod
    def __validate_data_id(cat_id, data_ids, temp_rule_data, error_msg, found_data_counter):
        for ID in data_ids:
            if ID in temp_rule_data:
                temp_rule_data.remove(ID)
                found_data_counter += 1
        # if no data id found in the rule, so rule not valid
        if found_data_counter < 1:
            raise exceptions.RuleContentError(message=error_msg + cat_id)
        return found_data_counter

    @enforce(("read", "write"), "rules")
    def delete_rule(self, moon_user_id, policy_id, rule_id):
        return self.driver.delete_rule(policy_id=policy_id, rule_id=rule_id)

    @enforce("read", "meta_data")
    def get_available_metadata(self, moon_user_id, policy_id):
        categories = {
            "subject": [],
            "object": [],
            "action": []
        }
        policy = self.driver.get_policies(policy_id=policy_id)
        if not policy:
            raise exceptions.PolicyUnknown
        model_id = policy[policy_id]["model_id"]
        model = Managers.ModelManager.get_models(moon_user_id=moon_user_id, model_id=model_id)
        try:
            meta_rule_list = model[model_id]["meta_rules"]
            for meta_rule_id in meta_rule_list:
                meta_rule = Managers.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
                                                                 meta_rule_id=meta_rule_id)
                categories["subject"].extend(meta_rule[meta_rule_id]["subject_categories"])
                categories["object"].extend(meta_rule[meta_rule_id]["object_categories"])
                categories["action"].extend(meta_rule[meta_rule_id]["action_categories"])
        finally:
            return categories

    def __dependencies_validation(self, moon_user_id, policy_id, meta_rule_id=None):

        policies = self.get_policies(moon_user_id=moon_user_id, policy_id=policy_id)
        if not policy_id or (not policies):
            raise exceptions.PolicyUnknown

        policy_content = policies[next(iter(policies))]
        model_id = policy_content['model_id']
        models = Managers.ModelManager.get_models(moon_user_id=moon_user_id, model_id=model_id)
        if not model_id or not models:
            raise exceptions.ModelUnknown

        model_content = models[next(iter(models))]
        if meta_rule_id:
            meta_rule_exists = False

            for model_meta_rule_id in model_content['meta_rules']:
                if model_meta_rule_id == meta_rule_id:
                    meta_rule_exists = True
                    break

            if not meta_rule_exists:
                raise exceptions.MetaRuleNotLinkedWithPolicyModel

            meta_rule = self.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
                                                         meta_rule_id=meta_rule_id)
            meta_rule_content = meta_rule[next(iter(meta_rule))]
            if (not meta_rule_content['subject_categories']) or \
                    (not meta_rule_content['object_categories']) or \
                    (not meta_rule_content['action_categories']):
                raise exceptions.MetaRuleContentError
        return model_content

    def __category_dependency_validation(self, moon_user_id, policy_id, category_id, category_key):
        model = self.__dependencies_validation(moon_user_id=moon_user_id, policy_id=policy_id)
        category_found = False
        for model_meta_rule_id in model['meta_rules']:
            meta_rule = self.ModelManager.get_meta_rules(moon_user_id=moon_user_id,
                                                         meta_rule_id=model_meta_rule_id)
            meta_rule_content = meta_rule[next(iter(meta_rule))]
            if meta_rule_content[category_key] and category_id in meta_rule_content[category_key]:
                category_found = True
                break

        if not category_found:
            raise exceptions.CategoryNotAssignedMetaRule

    def __check_blank_model(self, model):
        if 'meta_rules' not in model or not model['meta_rules']:
            raise exceptions.MetaRuleUnknown
        for meta_rule_id in model['meta_rules']:
            self.__check_blank_meta_rule(meta_rule_id)

    def __check_blank_meta_rule(self, meta_rule_id):
        meta_rule = self.driver.get_meta_rules(meta_rule_id=meta_rule_id)
        if not meta_rule:
            return exceptions.MetaRuleUnknown
        meta_rule_content = meta_rule[next(iter(meta_rule))]
        if (not meta_rule_content['subject_categories']) or (
                not meta_rule_content['object_categories']) or (
                not meta_rule_content['action_categories']):
            raise exceptions.MetaRuleContentError