# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
# This software is distributed under the terms and conditions of the 'Apache-2.0'
# license which can be found in the file 'LICENSE' in this package distribution
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
"""
Rules (TODO)
"""
from flask import request
from flask_restful import Resource
from oslo_log import log as logging
from moon_utilities.security_functions import call
from moon_utilities.security_functions import check_auth
__version__ = "0.1.0"

# Module logger, namespaced under "moon.interface.api" like the other
# interface API modules (the suffix is this module's import name).
LOG = logging.getLogger("moon.interface.api.{}".format(__name__))
class Rules(Resource):
    """
    Endpoint for rules requests.

    Every handler is a thin pass-through: it forwards the request to the
    "security_router" component via ``call`` and returns that component's
    answer unchanged. The ``uuid`` and ``rule_id`` URL segments are handed
    over as-is; ``user_id`` is presumably injected by the ``check_auth``
    decorator (confirm against moon_utilities.security_functions).
    """
    __urls__ = (
        "/policies/<string:uuid>/rules",
        "/policies/<string:uuid>/rules/",
        "/policies/<string:uuid>/rules/<string:rule_id>",
        "/policies/<string:uuid>/rules/<string:rule_id>/",
    )

    @check_auth
    def get(self, uuid=None, rule_id=None, user_id=None):
        """Retrieve all rules of a policy, or a single one when rule_id is set.

        :param uuid: policy ID
        :param rule_id: rule ID (None selects every rule of the policy)
        :param user_id: ID of the user performing the request
        :return: the security router's answer for ``get_rules``; the
            documented shape is::

                {
                    "rules": [
                        "policy_id": "policy_id1",
                        "meta_rule_id": "meta_rule_id1",
                        "rule_id1": ["subject_data_id1", "object_data_id1", "action_data_id1"],
                        "rule_id2": ["subject_data_id2", "object_data_id2", "action_data_id2"],
                    ]
                }

        :internal_api: get_rules
        """
        context = {
            "id": uuid,
            "method": "get_rules",
            "user_id": user_id,
            "rule_id": rule_id,
        }
        # Read-only request: no part of the HTTP body is forwarded.
        return call("security_router", ctx=context, args={})

    @check_auth
    def post(self, uuid=None, rule_id=None, user_id=None):
        """Add a rule to a meta rule of the policy.

        :param uuid: policy ID
        :param rule_id: rule ID
        :param user_id: ID of the user performing the request
        :request body: the JSON document is forwarded verbatim as ``args``;
            the documented shape is::

                {
                    "meta_rule_id": "meta_rule_id1",
                    "rule": ["subject_data_id2", "object_data_id2", "action_data_id2"],
                    "instructions": (
                        {"decision": "grant"},
                    )
                    "enabled": True
                }

        :return: the security router's answer for ``add_rule``; the
            documented shape is::

                {
                    "rules": [
                        "meta_rule_id": "meta_rule_id1",
                        "rule_id1": {
                            "rule": ["subject_data_id1", "object_data_id1", "action_data_id1"],
                            "instructions": (
                                {"decision": "grant"},  # "grant" to immediately exit,
                                                        # "continue" to wait for the result of next policy
                                                        # "deny" to deny the request
                            )
                        }
                        "rule_id2": {
                            "rule": ["subject_data_id2", "object_data_id2", "action_data_id2"],
                            "instructions": (
                                {
                                    "update": {
                                        "operation": "add",  # operations may be "add" or "delete"
                                        "target": "rbac:role:admin"  # add the role admin to the current user
                                    }
                                },
                                {"chain": {"name": "rbac"}}  # chain with the policy named rbac
                            )
                        }
                    ]
                }

        :internal_api: add_rule
        """
        context = {
            "id": uuid,
            "method": "add_rule",
            "user_id": user_id,
            "rule_id": rule_id,
        }
        # NOTE(review): request.json is forwarded without any check that it is
        # a dict carrying the keys documented above, or that a JSON body was
        # sent at all -- confirm that the security_router validates it.
        return call("security_router", ctx=context, args=request.json)

    @check_auth
    def delete(self, uuid=None, rule_id=None, user_id=None):
        """Delete one rule linked to a specific sub meta rule.

        :param uuid: policy ID
        :param rule_id: rule ID
        :param user_id: ID of the user performing the request
        :return: ``{ "result": true }`` as documented for ``delete_rule``
        :internal_api: delete_rule
        """
        context = {
            "id": uuid,
            "method": "delete_rule",
            "user_id": user_id,
            "rule_id": rule_id,
        }
        # NOTE(review): rule_id is optional in __urls__, so a DELETE on
        # ".../rules/" reaches here with rule_id=None -- confirm how the
        # security_router treats that case.
        return call("security_router", ctx=context, args={})