aboutsummaryrefslogtreecommitdiffstats
path: root/moon_manager/moon_manager/api/rules.py
blob: 32c1003064becaf0e2df3ac3885edb2396924fba (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
# This software is distributed under the terms and conditions of the 'Apache-2.0'
# license which can be found in the file 'LICENSE' in this package distribution
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
"""
Rules (TODO)
"""

from flask import request
from flask_restful import Resource
import logging
from python_moonutilities.security_functions import check_auth
from python_moondb.core import PolicyManager
from python_moonutilities.security_functions import validate_input

__version__ = "4.3.2"

logger = logging.getLogger("moon.manager.api." + __name__)


class Rules(Resource):
    """
    Endpoint for rules requests
    """

    __urls__ = ("/policies/<string:uuid>/rules",
                "/policies/<string:uuid>/rules/",
                "/policies/<string:uuid>/rules/<string:rule_id>",
                "/policies/<string:uuid>/rules/<string:rule_id>/",
                )

    @validate_input("get", kwargs_state=[False, False, False])
    @check_auth
    def get(self, uuid=None, rule_id=None, user_id=None):
        """Retrieve all rules or a specific one

        :param uuid: policy ID
        :param rule_id: rule ID
        :param user_id: user ID who do the request
        :return: {
            "rules": [
                "policy_id": "policy_id1",
                "meta_rule_id": "meta_rule_id1",
                "rule_id1":
                    ["subject_data_id1", "subject_data_id2", "object_data_id1", "action_data_id1"],
                "rule_id2":
                    ["subject_data_id3", "subject_data_id4", "object_data_id2", "action_data_id2"],
            ]
        }
        :internal_api: get_rules
        """
        try:
            data = PolicyManager.get_rules(user_id=user_id,
                                           policy_id=uuid,
                                           rule_id=rule_id)
        except Exception as e:
            logger.error(e, exc_info=True)
            return {"result": False,
                    "error": str(e)}, 500
        return {"rules": data}

    @validate_input("post", kwargs_state=[True, False, False], body_state=[True, False, False, False])
    @check_auth
    def post(self, uuid=None, rule_id=None, user_id=None):
        """Add a rule to a meta rule

        :param uuid: policy ID
        :param rule_id: rule ID
        :param user_id: user ID who do the request
        :request body: post = {
            "meta_rule_id": "meta_rule_id1",
            "rule": ["subject_data_id2", "object_data_id2", "action_data_id2"],
            "instructions": (
                {"decision": "grant"},
            )
            "enabled": True
        }
        :return: {
            "rules": [
                "meta_rule_id": "meta_rule_id1",
                "rule_id1": {
                    "rule": ["subject_data_id1",
                             "object_data_id1",
                             "action_data_id1"],
                    "instructions": (
                        {"decision": "grant"},
                        # "grant" to immediately exit,
                        # "continue" to wait for the result of next policy
                        # "deny" to deny the request
                    )
                }
                "rule_id2": {
                    "rule": ["subject_data_id2",
                             "object_data_id2",
                             "action_data_id2"],
                    "instructions": (
                        {
                            "update": {
                                "operation": "add",
                                    # operations may be "add" or "delete"
                                "target": "rbac:role:admin"
                                    # add the role admin to the current user
                            }
                        },
                        {"chain": {"name": "rbac"}}
                            # chain with the policy named rbac
                    )
                }
            ]
        }
        :internal_api: add_rule
        """
        args = request.json
        try:
            data = PolicyManager.add_rule(user_id=user_id,
                                          policy_id=uuid,
                                          meta_rule_id=args['meta_rule_id'],
                                          value=args)
        except Exception as e:
            logger.error(e, exc_info=True)
            return {"result": False,
                    "error": str(e)}, 500
        return {"rules": data}

    @validate_input("delete", kwargs_state=[True, True, False])
    @check_auth
    def delete(self, uuid=None, rule_id=None, user_id=None):
        """Delete one rule linked to a specific sub meta rule

        :param uuid: policy ID
        :param rule_id: rule ID
        :param user_id: user ID who do the request
        :return: { "result": true }
        :internal_api: delete_rule
        """
        try:
            data = PolicyManager.delete_rule(
                user_id=user_id, policy_id=uuid, rule_id=rule_id)
        except Exception as e:
            logger.error(e, exc_info=True)
            return {"result": False,
                    "error": str(e)}, 500
        return {"result": True}