def delete(self, ref_or_id, requester_user):
"""
Delete an action alias.
Handles requests:
DELETE /actionalias/1
"""
action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
LOG.debug('DELETE /actionalias/ lookup with id=%s found object: %s',
ref_or_id, action_alias_db)
permission_type = PermissionType.ACTION_ALIAS_DELETE
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=action_alias_db,
permission_type=permission_type)
try:
ActionAlias.delete(action_alias_db)
except Exception as e:
LOG.exception(
'Database delete encountered exception during delete of id="%s".',
ref_or_id)
abort(http_client.INTERNAL_SERVER_ERROR, str(e))
return
extra = {'action_alias_db': action_alias_db}
LOG.audit('Action alias deleted. ActionAlias.id=%s.' %
(action_alias_db.id),
extra=extra)
return Response(status=http_client.NO_CONTENT)
def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=None,
from_model_kwargs=None):
try:
instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields)
except Exception as e:
LOG.exception(e.message)
abort(http_client.NOT_FOUND, e.message)
return
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.resource_model_filter(model=self.model, instance=instance,
requester_user=requester_user,
**from_model_kwargs)
if not result:
LOG.debug('Not returning the result because RBAC resource isolation is enabled and '
'current user doesn\'t match the resource user')
raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user,
resource_api_or_db=instance,
permission_type=permission_type)
if result and self.include_reference:
pack = getattr(result, 'pack', None)
name = getattr(result, 'name', None)
result.ref = ResourceReference(pack=pack, name=name).ref
return Response(json=result)
def _get_one_by_name_or_id(self,
name_or_id,
permission_type,
exclude_fields=None,
from_model_kwargs=None,
requester_user=None):
"""
:param exclude_fields: A list of object fields to exclude.
:type exclude_fields: ``list``
"""
instance = self._get_by_name_or_id(name_or_id=name_or_id,
exclude_fields=exclude_fields)
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
if not instance:
msg = 'Unable to identify resource with name_or_id "%s".' % (
name_or_id)
abort(http_client.NOT_FOUND, msg)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.model.from_model(instance, **from_model_kwargs)
return result
def get_one(self, ref_or_id, requester_user):
"""
Outputs the file associated with action entry_point
Handles requests:
GET /actions/views/entry_point/1
"""
LOG.info('GET /actions/views/entry_point with ref_or_id=%s', ref_or_id)
action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
permission_type = PermissionType.ACTION_VIEW
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=action_db,
permission_type=permission_type)
pack = getattr(action_db, 'pack', None)
entry_point = getattr(action_db, 'entry_point', None)
abs_path = utils.get_entry_point_abs_path(pack, entry_point)
if not abs_path:
raise StackStormDBObjectNotFoundError(
'Action ref_or_id=%s has no entry_point to output' % ref_or_id)
with open(abs_path) as file:
content = file.read()
return content
def _get_one_by_name_or_id(self, name_or_id, requester_user, permission_type,
exclude_fields=None, include_fields=None, from_model_kwargs=None):
"""
:param exclude_fields: A list of object fields to exclude.
:type exclude_fields: ``list``
:param include_fields: A list of object fields to include.
:type include_fields: ``list``
"""
instance = self._get_by_name_or_id(name_or_id=name_or_id, exclude_fields=exclude_fields,
include_fields=include_fields)
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
if not instance:
msg = 'Unable to identify resource with name_or_id "%s".' % (name_or_id)
abort(http_client.NOT_FOUND, msg)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.model.from_model(instance, **from_model_kwargs)
return result
def delete(self, rule_ref_or_id, requester_user):
"""
Delete a rule.
Handles requests:
DELETE /rules/1
"""
rule_db = self._get_by_ref_or_id(ref_or_id=rule_ref_or_id)
permission_type = PermissionType.RULE_DELETE
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=rule_db,
permission_type=permission_type)
LOG.debug('DELETE /rules/ lookup with id=%s found object: %s',
rule_ref_or_id, rule_db)
try:
Rule.delete(rule_db)
except Exception as e:
LOG.exception(
'Database delete encountered exception during delete of id="%s".',
rule_ref_or_id)
abort(http_client.INTERNAL_SERVER_ERROR, str(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(rule_db)
extra = {'rule_db': rule_db}
LOG.audit('Rule deleted. Rule.id=%s.' % (rule_db.id), extra=extra)
return Response(status=http_client.NO_CONTENT)
def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=None,
include_fields=None, from_model_kwargs=None):
try:
instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields,
include_fields=include_fields)
except Exception as e:
LOG.exception(six.text_type(e))
abort(http_client.NOT_FOUND, six.text_type(e))
return
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
# Perform resource isolation check (if supported)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.resource_model_filter(model=self.model, instance=instance,
requester_user=requester_user,
**from_model_kwargs)
if not result:
LOG.debug('Not returning the result because RBAC resource isolation is enabled and '
'current user doesn\'t match the resource user')
raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user,
resource_api_or_db=instance,
permission_type=permission_type)
return Response(json=result)
def get(self, id, attribute, requester_user):
"""
Retrieve a particular attribute for the provided action execution.
Handles requests:
GET /executions/<id>/attribute/<attribute name>
:rtype: ``dict``
"""
fields = [attribute, 'action__pack', 'action__uid']
try:
fields = self._validate_exclude_fields(fields)
except ValueError:
valid_attributes = ', '.join(
ActionExecutionsControllerMixin.valid_exclude_attributes)
msg = (
'Invalid attribute "%s" specified. Valid attributes are: %s' %
(attribute, valid_attributes))
raise ValueError(msg)
action_exec_db = self.access.impl.model.objects.filter(id=id).only(
*fields).get()
permission_type = PermissionType.EXECUTION_VIEW
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=action_exec_db,
permission_type=permission_type)
result = getattr(action_exec_db, attribute, None)
return result
def delete(self, ref_or_id, requester_user):
"""
Delete an action alias.
Handles requests:
DELETE /actionalias/1
"""
action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
LOG.debug('DELETE /actionalias/ lookup with id=%s found object: %s', ref_or_id,
action_alias_db)
permission_type = PermissionType.ACTION_ALIAS_DELETE
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=action_alias_db,
permission_type=permission_type)
try:
ActionAlias.delete(action_alias_db)
except Exception as e:
LOG.exception('Database delete encountered exception during delete of id="%s".',
ref_or_id)
abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
return
extra = {'action_alias_db': action_alias_db}
LOG.audit('Action alias deleted. ActionAlias.id=%s.' % (action_alias_db.id), extra=extra)
return Response(status=http_client.NO_CONTENT)
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None,
from_model_kwargs=None):
"""
:param exclude_fields: A list of object fields to exclude.
:type exclude_fields: ``list``
"""
instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields)
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
if not instance:
msg = 'Unable to identify resource with id "%s".' % id
abort(http_client.NOT_FOUND, msg)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.resource_model_filter(model=self.model, instance=instance,
requester_user=requester_user,
**from_model_kwargs)
if not result:
LOG.debug('Not returning the result because RBAC resource isolation is enabled and '
'current user doesn\'t match the resource user')
raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user,
resource_api_or_db=instance,
permission_type=permission_type)
return result
def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=None,
include_fields=None, from_model_kwargs=None):
try:
instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields,
include_fields=include_fields)
except Exception as e:
LOG.exception(str(e))
abort(http_client.NOT_FOUND, str(e))
return
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
# Perform resource isolation check (if supported)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.resource_model_filter(model=self.model, instance=instance,
requester_user=requester_user,
**from_model_kwargs)
if not result:
LOG.debug('Not returning the result because RBAC resource isolation is enabled and '
'current user doesn\'t match the resource user')
raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user,
resource_api_or_db=instance,
permission_type=permission_type)
return Response(json=result)
def _schedule_execution(self, action_alias_db, params, notify, context, requester_user,
show_secrets):
action_ref = action_alias_db.action_ref
action_db = action_utils.get_action_by_ref(action_ref)
if not action_db:
raise StackStormDBObjectNotFoundError('Action with ref "%s" not found ' % (action_ref))
assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db,
permission_type=PermissionType.ACTION_EXECUTE)
try:
# prior to shipping off the params cast them to the right type.
params = action_param_utils.cast_params(action_ref=action_alias_db.action_ref,
params=params,
cast_overrides=CAST_OVERRIDES)
if not context:
context = {
'action_alias_ref': reference.get_ref_from_model(action_alias_db),
'user': get_system_username()
}
liveaction = LiveActionDB(action=action_alias_db.action_ref, context=context,
parameters=params, notify=notify)
_, action_execution_db = action_service.request(liveaction)
mask_secrets = self._get_mask_secrets(requester_user, show_secrets=show_secrets)
return ActionExecutionAPI.from_model(action_execution_db, mask_secrets=mask_secrets)
except ValueError as e:
LOG.exception('Unable to execute action.')
abort(http_client.BAD_REQUEST, six.text_type(e))
except jsonschema.ValidationError as e:
LOG.exception('Unable to execute action. Parameter validation failed.')
abort(http_client.BAD_REQUEST, six.text_type(e))
except Exception as e:
LOG.exception('Unable to execute action. Unexpected error encountered.')
abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None,
from_model_kwargs=None):
"""
:param exclude_fields: A list of object fields to exclude.
:type exclude_fields: ``list``
"""
instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields)
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
if not instance:
msg = 'Unable to identify resource with id "%s".' % id
abort(http_client.NOT_FOUND, msg)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.resource_model_filter(model=self.model, instance=instance,
requester_user=requester_user,
**from_model_kwargs)
if not result:
LOG.debug('Not returning the result because RBAC resource isolation is enabled and '
'current user doesn\'t match the resource user')
raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user,
resource_api_or_db=instance,
permission_type=permission_type)
return result
def _schedule_execution(self, action_alias_db, params, notify, context, requester_user,
show_secrets):
action_ref = action_alias_db.action_ref
action_db = action_utils.get_action_by_ref(action_ref)
if not action_db:
raise StackStormDBObjectNotFoundError('Action with ref "%s" not found ' % (action_ref))
assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db,
permission_type=PermissionType.ACTION_EXECUTE)
try:
# prior to shipping off the params cast them to the right type.
params = action_param_utils.cast_params(action_ref=action_alias_db.action_ref,
params=params,
cast_overrides=CAST_OVERRIDES)
if not context:
context = {
'action_alias_ref': reference.get_ref_from_model(action_alias_db),
'user': get_system_username()
}
liveaction = LiveActionDB(action=action_alias_db.action_ref, context=context,
parameters=params, notify=notify)
_, action_execution_db = action_service.request(liveaction)
mask_secrets = self._get_mask_secrets(requester_user, show_secrets=show_secrets)
return ActionExecutionAPI.from_model(action_execution_db, mask_secrets=mask_secrets)
except ValueError as e:
LOG.exception('Unable to execute action.')
abort(http_client.BAD_REQUEST, str(e))
except jsonschema.ValidationError as e:
LOG.exception('Unable to execute action. Parameter validation failed.')
abort(http_client.BAD_REQUEST, str(e))
except Exception as e:
LOG.exception('Unable to execute action. Unexpected error encountered.')
abort(http_client.INTERNAL_SERVER_ERROR, str(e))
def put(self, runner_type_api, name_or_id, requester_user):
# Note: We only allow "enabled" attribute of the runner to be changed
runner_type_db = self._get_by_name_or_id(name_or_id=name_or_id)
permission_type = PermissionType.RUNNER_MODIFY
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=runner_type_db,
permission_type=permission_type)
old_runner_type_db = runner_type_db
LOG.debug('PUT /runnertypes/ lookup with id=%s found object: %s', name_or_id,
runner_type_db)
try:
if runner_type_api.id and runner_type_api.id != name_or_id:
LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.',
runner_type_api.id, name_or_id)
runner_type_db.enabled = runner_type_api.enabled
runner_type_db = RunnerType.add_or_update(runner_type_db)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for runner type data=%s', runner_type_api)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
extra = {'old_runner_type_db': old_runner_type_db, 'new_runner_type_db': runner_type_db}
LOG.audit('Runner Type updated. RunnerType.id=%s.' % (runner_type_db.id), extra=extra)
runner_type_api = RunnerTypeAPI.from_model(runner_type_db)
return runner_type_api
def get(self, id, attribute, requester_user):
"""
Retrieve a particular attribute for the provided action execution.
Handles requests:
GET /executions/<id>/attribute/<attribute name>
:rtype: ``dict``
"""
fields = [attribute, 'action__pack', 'action__uid']
try:
fields = self._validate_exclude_fields(fields)
except ValueError:
valid_attributes = ', '.join(ActionExecutionsControllerMixin.valid_exclude_attributes)
msg = ('Invalid attribute "%s" specified. Valid attributes are: %s' %
(attribute, valid_attributes))
raise ValueError(msg)
action_exec_db = self.access.impl.model.objects.filter(id=id).only(*fields).get()
permission_type = PermissionType.EXECUTION_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=action_exec_db,
permission_type=permission_type)
result = getattr(action_exec_db, attribute, None)
return Response(json=result, status=http_client.OK)
def get_one(self,
id,
requester_user,
depth=-1,
result_fmt=None,
show_secrets=False):
"""
Retrieve children for the provided action execution.
:rtype: ``list``
"""
instance = self._get_by_id(resource_id=id)
permission_type = PermissionType.EXECUTION_VIEW
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
return self._get_children(id_=id,
depth=depth,
result_fmt=result_fmt,
requester_user=requester_user,
show_secrets=show_secrets)
def get_one(self, ref_or_id, requester_user):
"""
Outputs the file associated with action entry_point
Handles requests:
GET /actions/views/entry_point/1
"""
LOG.info('GET /actions/views/entry_point with ref_or_id=%s', ref_or_id)
action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
permission_type = PermissionType.ACTION_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=action_db,
permission_type=permission_type)
pack = getattr(action_db, 'pack', None)
entry_point = getattr(action_db, 'entry_point', None)
abs_path = utils.get_entry_point_abs_path(pack, entry_point)
if not abs_path:
raise StackStormDBObjectNotFoundError('Action ref_or_id=%s has no entry_point to output'
% ref_or_id)
with open(abs_path) as file:
content = file.read()
return content
def get_one(self, pack_ref, requester_user, show_secrets=False):
"""
Retrieve config for a particular pack.
Handles requests:
GET /configs/<pack_ref>
"""
from_model_kwargs = {
'mask_secrets':
self._get_mask_secrets(requester_user, show_secrets=show_secrets)
}
try:
instance = packs_service.get_pack_by_ref(pack_ref=pack_ref)
except StackStormDBObjectNotFoundError:
msg = 'Unable to identify resource with pack_ref "%s".' % (
pack_ref)
abort(http_client.NOT_FOUND, msg)
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=instance,
permission_type=PermissionType.PACK_VIEW)
return self._get_one_by_pack_ref(pack_ref=pack_ref,
from_model_kwargs=from_model_kwargs)
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None,
from_model_kwargs=None):
"""Override ResourceController._get_one_by_id to contain scope of Inquiries UID hack
:param exclude_fields: A list of object fields to exclude.
:type exclude_fields: ``list``
"""
instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields)
# _get_by_id pulls the resource by ID directly off of the database. Since
# Inquiries don't have their own DB model yet, this comes in the format
# "execution:<id>". So, to allow RBAC to get a handle on inquiries specifically,
# we're overriding the "get_uid" function to return one specific to Inquiries.
#
# TODO (mierdin): All of this should be removed once Inquiries get their own DB model
if getattr(instance, 'runner', None) and instance.runner.get('runner_module') == 'inquirer':
def get_uid():
return "inquiry"
instance.get_uid = get_uid
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
if not instance:
msg = 'Unable to identify resource with id "%s".' % id
abort(http_client.NOT_FOUND, msg)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.model.from_model(instance, **from_model_kwargs)
return result
def delete(self, rule_ref_or_id, requester_user):
"""
Delete a rule.
Handles requests:
DELETE /rules/1
"""
rule_db = self._get_by_ref_or_id(ref_or_id=rule_ref_or_id)
permission_type = PermissionType.RULE_DELETE
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=rule_db,
permission_type=permission_type)
LOG.debug('DELETE /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db)
try:
Rule.delete(rule_db)
except Exception as e:
LOG.exception('Database delete encountered exception during delete of id="%s".',
rule_ref_or_id)
abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(rule_db)
extra = {'rule_db': rule_db}
LOG.audit('Rule deleted. Rule.id=%s.' % (rule_db.id), extra=extra)
return Response(status=http_client.NO_CONTENT)
def get_one(self, api_key_id_or_key, requester_user, show_secrets=None):
"""
List api keys.
Handle:
GET /apikeys/1
"""
api_key_db = None
try:
api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key)
except ApiKeyNotFoundError:
msg = ('ApiKey matching %s for reference and id not found.' % (api_key_id_or_key))
LOG.exception(msg)
abort(http_client.NOT_FOUND, msg)
permission_type = PermissionType.API_KEY_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=api_key_db,
permission_type=permission_type)
try:
mask_secrets = self._get_mask_secrets(show_secrets=show_secrets,
requester_user=requester_user)
return ApiKeyAPI.from_model(api_key_db, mask_secrets=mask_secrets)
except (ValidationError, ValueError) as e:
LOG.exception('Failed to serialize API key.')
abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
def _get_one(self,
ref_or_id,
permission_type,
exclude_fields=None,
from_model_kwargs=None,
requester_user=None):
try:
instance = self._get_by_ref_or_id(ref_or_id=ref_or_id,
exclude_fields=exclude_fields)
except Exception as e:
LOG.exception(e.message)
abort(http_client.NOT_FOUND, e.message)
return
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.model.from_model(instance, **from_model_kwargs)
if result and self.include_reference:
pack = getattr(result, 'pack', None)
name = getattr(result, 'name', None)
result.ref = ResourceReference(pack=pack, name=name).ref
return Response(json=result)
def get_one(self, api_key_id_or_key, requester_user, show_secrets=None):
"""
List api keys.
Handle:
GET /apikeys/1
"""
api_key_db = None
try:
api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key)
except ApiKeyNotFoundError:
msg = ('ApiKey matching %s for reference and id not found.' % (api_key_id_or_key))
LOG.exception(msg)
abort(http_client.NOT_FOUND, msg)
permission_type = PermissionType.API_KEY_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=api_key_db,
permission_type=permission_type)
try:
mask_secrets = self._get_mask_secrets(show_secrets=show_secrets,
requester_user=requester_user)
return ApiKeyAPI.from_model(api_key_db, mask_secrets=mask_secrets)
except (ValidationError, ValueError) as e:
LOG.exception('Failed to serialize API key.')
abort(http_client.INTERNAL_SERVER_ERROR, str(e))
def post(self, hook, webhook_body_api, headers, requester_user):
body = webhook_body_api.data
permission_type = PermissionType.WEBHOOK_SEND
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=WebhookDB(name=hook),
permission_type=permission_type)
headers = self._get_headers_as_dict(headers)
# If webhook contains a trace-tag use that else create create a unique trace-tag.
trace_context = self._create_trace_context(trace_tag=headers.pop(
TRACE_TAG_HEADER, None),
hook=hook)
if hook == 'st2' or hook == 'st2/':
# When using st2 or system webhook, body needs to always be a dict
if not isinstance(body, dict):
type_string = get_json_type_for_python_value(body)
msg = ('Webhook body needs to be an object, got: %s' %
(type_string))
raise ValueError(msg)
trigger = body.get('trigger', None)
payload = body.get('payload', None)
if not trigger:
msg = 'Trigger not specified.'
return abort(http_client.BAD_REQUEST, msg)
self._trigger_dispatcher_service.dispatch_with_context(
trigger=trigger,
payload=payload,
trace_context=trace_context,
throw_on_validation_error=True)
else:
if not self._is_valid_hook(hook):
self._log_request('Invalid hook.', headers, body)
msg = 'Webhook %s not registered with st2' % hook
return abort(http_client.NOT_FOUND, msg)
triggers = self._hooks.get_triggers_for_hook(hook)
payload = {}
payload['headers'] = headers
payload['body'] = body
# Dispatch trigger instance for each of the trigger found
for trigger_dict in triggers:
# TODO: Instead of dispatching the whole dict we should just
# dispatch TriggerDB.ref or similar
self._trigger_dispatcher_service.dispatch_with_context(
trigger=trigger_dict,
payload=payload,
trace_context=trace_context,
throw_on_validation_error=True)
return Response(json=body, status=http_client.ACCEPTED)
def get_one(self, ref_or_id, file_path, requester_user, **kwargs):
"""
Outputs the content of a specific file in a pack.
Handles requests:
GET /packs/views/file/<pack_ref_or_id>/<file path>
"""
pack_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
if not pack_db:
msg = 'Pack with ref_or_id "%s" does not exist' % (ref_or_id)
raise StackStormDBObjectNotFoundError(msg)
if not file_path:
raise ValueError('Missing file path')
pack_ref = pack_db.ref
# Note: Until list filtering is in place we don't require RBAC check for icon file
permission_type = PermissionType.PACK_VIEW
if file_path not in WHITELISTED_FILE_PATHS:
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=pack_db,
permission_type=permission_type)
normalized_file_path = get_pack_file_abs_path(pack_ref=pack_ref,
file_path=file_path)
if not normalized_file_path or not os.path.isfile(
normalized_file_path):
# Ignore references to files which don't exist on disk
raise StackStormDBObjectNotFoundError('File "%s" not found' %
(file_path))
file_size, file_mtime = self._get_file_stats(
file_path=normalized_file_path)
response = Response()
if not self._is_file_changed(file_mtime, **kwargs):
response.status = http_client.NOT_MODIFIED
else:
if file_size is not None and file_size > MAX_FILE_SIZE:
msg = ('File %s exceeds maximum allowed file size (%s bytes)' %
(file_path, MAX_FILE_SIZE))
raise ValueError(msg)
content_type = mimetypes.guess_type(normalized_file_path)[0] or \
'application/octet-stream'
response.headers['Content-Type'] = content_type
response.body = self._get_file_content(
file_path=normalized_file_path)
response.headers['Last-Modified'] = format_date_time(file_mtime)
response.headers['ETag'] = repr(file_mtime)
return response
def put(self, rule, rule_ref_or_id, requester_user):
rule_db = self._get_by_ref_or_id(rule_ref_or_id)
permission_type = PermissionType.RULE_MODIFY
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=rule,
permission_type=permission_type)
LOG.debug('PUT /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db)
if not requester_user:
requester_user = UserDB(cfg.CONF.system_user.user)
# Validate that the authenticated user is admin if user query param is provided
user = requester_user.name
assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user,
user=user)
if not hasattr(rule, 'context'):
rule.context = dict()
rule.context['user'] = user
try:
if rule.id is not None and rule.id is not '' and rule.id != rule_ref_or_id:
LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.',
rule.id, rule_ref_or_id)
old_rule_db = rule_db
try:
rule_db = RuleAPI.to_model(rule)
except TriggerDoesNotExistException as e:
abort(http_client.BAD_REQUEST, str(e))
return
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
assert_user_has_rule_trigger_and_action_permission(user_db=requester_user,
rule_api=rule)
rule_db.id = rule_ref_or_id
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValueValidationException, jsonschema.ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s', rule)
abort(http_client.BAD_REQUEST, str(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(old_rule_db)
extra = {'old_rule_db': old_rule_db, 'new_rule_db': rule_db}
LOG.audit('Rule updated. Rule.id=%s.' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def put(self, rule, rule_ref_or_id, requester_user):
rule_db = self._get_by_ref_or_id(rule_ref_or_id)
permission_type = PermissionType.RULE_MODIFY
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=rule,
permission_type=permission_type)
LOG.debug('PUT /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db)
if not requester_user:
requester_user = UserDB(cfg.CONF.system_user.user)
# Validate that the authenticated user is admin if user query param is provided
user = requester_user.name
assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user,
user=user)
if not hasattr(rule, 'context'):
rule.context = dict()
rule.context['user'] = user
try:
if rule.id is not None and rule.id is not '' and rule.id != rule_ref_or_id:
LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.',
rule.id, rule_ref_or_id)
old_rule_db = rule_db
try:
rule_db = RuleAPI.to_model(rule)
except TriggerDoesNotExistException as e:
abort(http_client.BAD_REQUEST, six.text_type(e))
return
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
assert_user_has_rule_trigger_and_action_permission(user_db=requester_user,
rule_api=rule)
rule_db.id = rule_ref_or_id
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValueValidationException, jsonschema.ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s', rule)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(old_rule_db)
extra = {'old_rule_db': old_rule_db, 'new_rule_db': rule_db}
LOG.audit('Rule updated. Rule.id=%s.' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def _handle_schedule_execution(self,
liveaction_api,
requester_user,
context_string=None,
show_secrets=False):
"""
:param liveaction: LiveActionAPI object.
:type liveaction: :class:`LiveActionAPI`
"""
if not requester_user:
requester_user = UserDB(cfg.CONF.system_user.user)
# Assert action ref is valid
action_ref = liveaction_api.action
action_db = action_utils.get_action_by_ref(action_ref)
if not action_db:
message = 'Action "%s" cannot be found.' % action_ref
LOG.warning(message)
abort(http_client.BAD_REQUEST, message)
# Assert the permissions
assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=action_db,
permission_type=PermissionType.ACTION_EXECUTE)
# Validate that the authenticated user is admin if user query param is provided
user = liveaction_api.user or requester_user.name
assert_user_is_admin_if_user_query_param_is_provided(
user_db=requester_user, user=user)
try:
return self._schedule_execution(liveaction=liveaction_api,
requester_user=requester_user,
user=user,
context_string=context_string,
show_secrets=show_secrets,
pack=action_db.pack)
except ValueError as e:
LOG.exception('Unable to execute action.')
abort(http_client.BAD_REQUEST, str(e))
except jsonschema.ValidationError as e:
LOG.exception(
'Unable to execute action. Parameter validation failed.')
abort(http_client.BAD_REQUEST,
re.sub("u'([^']*)'", r"'\1'", e.message))
except trace_exc.TraceNotFoundException as e:
abort(http_client.BAD_REQUEST, str(e))
except validation_exc.ValueValidationException as e:
raise e
except Exception as e:
LOG.exception(
'Unable to execute action. Unexpected error encountered.')
abort(http_client.INTERNAL_SERVER_ERROR, str(e))
def _get_one(self, ref_or_id, requester_user):
instance = self._get_by_ref_or_id(ref_or_id=ref_or_id)
permission_type = PermissionType.POLICY_TYPE_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
result = self.model.from_model(instance)
return result
def get_one(self, ref_or_id, file_path, requester_user, if_none_match=None,
if_modified_since=None):
"""
Outputs the content of a specific file in a pack.
Handles requests:
GET /packs/views/file/<pack_ref_or_id>/<file path>
"""
pack_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
if not pack_db:
msg = 'Pack with ref_or_id "%s" does not exist' % (ref_or_id)
raise StackStormDBObjectNotFoundError(msg)
if not file_path:
raise ValueError('Missing file path')
pack_ref = pack_db.ref
# Note: Until list filtering is in place we don't require RBAC check for icon file
permission_type = PermissionType.PACK_VIEW
if file_path not in WHITELISTED_FILE_PATHS:
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=pack_db,
permission_type=permission_type)
normalized_file_path = get_pack_file_abs_path(pack_ref=pack_ref, file_path=file_path)
if not normalized_file_path or not os.path.isfile(normalized_file_path):
# Ignore references to files which don't exist on disk
raise StackStormDBObjectNotFoundError('File "%s" not found' % (file_path))
file_size, file_mtime = self._get_file_stats(file_path=normalized_file_path)
response = Response()
if not self._is_file_changed(file_mtime,
if_none_match=if_none_match,
if_modified_since=if_modified_since):
response.status = http_client.NOT_MODIFIED
else:
if file_size is not None and file_size > MAX_FILE_SIZE:
msg = ('File %s exceeds maximum allowed file size (%s bytes)' %
(file_path, MAX_FILE_SIZE))
raise ValueError(msg)
content_type = mimetypes.guess_type(normalized_file_path)[0] or \
'application/octet-stream'
response.headers['Content-Type'] = content_type
response.body = self._get_file_content(file_path=normalized_file_path)
response.headers['Last-Modified'] = format_date_time(file_mtime)
response.headers['ETag'] = repr(file_mtime)
return response
def post(self, hook, webhook_body_api, headers, requester_user):
body = webhook_body_api.data
permission_type = PermissionType.WEBHOOK_SEND
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=WebhookDB(name=hook),
permission_type=permission_type)
headers = self._get_headers_as_dict(headers)
# If webhook contains a trace-tag use that else create create a unique trace-tag.
trace_context = self._create_trace_context(trace_tag=headers.pop(TRACE_TAG_HEADER, None),
hook=hook)
if hook == 'st2' or hook == 'st2/':
# When using st2 or system webhook, body needs to always be a dict
if not isinstance(body, dict):
type_string = get_json_type_for_python_value(body)
msg = ('Webhook body needs to be an object, got: %s' % (type_string))
raise ValueError(msg)
trigger = body.get('trigger', None)
payload = body.get('payload', None)
if not trigger:
msg = 'Trigger not specified.'
return abort(http_client.BAD_REQUEST, msg)
self._trigger_dispatcher_service.dispatch_with_context(trigger=trigger,
payload=payload,
trace_context=trace_context,
throw_on_validation_error=True)
else:
if not self._is_valid_hook(hook):
self._log_request('Invalid hook.', headers, body)
msg = 'Webhook %s not registered with st2' % hook
return abort(http_client.NOT_FOUND, msg)
triggers = self._hooks.get_triggers_for_hook(hook)
payload = {}
payload['headers'] = headers
payload['body'] = body
# Dispatch trigger instance for each of the trigger found
for trigger_dict in triggers:
# TODO: Instead of dispatching the whole dict we should just
# dispatch TriggerDB.ref or similar
self._trigger_dispatcher_service.dispatch_with_context(trigger=trigger_dict,
payload=payload,
trace_context=trace_context,
throw_on_validation_error=True)
return Response(json=body, status=http_client.ACCEPTED)
def get_one(self, ref_or_id, requester_user):
"""
Outputs the file associated with action entry_point
Handles requests:
GET /actions/views/entry_point/1
"""
LOG.info('GET /actions/views/entry_point with ref_or_id=%s', ref_or_id)
action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
permission_type = PermissionType.ACTION_VIEW
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=action_db,
permission_type=permission_type)
pack = getattr(action_db, 'pack', None)
entry_point = getattr(action_db, 'entry_point', None)
abs_path = utils.get_entry_point_abs_path(pack, entry_point)
if not abs_path:
raise StackStormDBObjectNotFoundError(
'Action ref_or_id=%s has no entry_point to output' % ref_or_id)
with codecs.open(abs_path, 'r') as fp:
content = fp.read()
# Ensure content is utf-8
if isinstance(content, six.binary_type):
content = content.decode('utf-8')
try:
content_type = mimetypes.guess_type(abs_path)[0]
except Exception:
content_type = None
# Special case if /etc/mime.types doesn't contain entry for yaml, py
if not content_type:
_, extension = os.path.splitext(abs_path)
if extension in ['.yaml', '.yml']:
content_type = 'application/x-yaml'
elif extension in ['.py']:
content_type = 'application/x-python'
else:
content_type = 'text/plain'
response = Response()
response.headers['Content-Type'] = content_type
response.text = content
return response
def get_one(self, url, requester_user):
triggers = self._hooks.get_triggers_for_hook(url)
if not triggers:
abort(http_client.NOT_FOUND)
return
permission_type = PermissionType.WEBHOOK_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=WebhookDB(name=url),
permission_type=permission_type)
# For demonstration purpose return 1st
return triggers[0]
def get_one(self, name, requester_user):
triggers = self._hooks.get_triggers_for_hook(name)
if not triggers:
abort(http_client.NOT_FOUND)
return
permission_type = PermissionType.WEBHOOK_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=WebhookDB(name=name),
permission_type=permission_type)
# For demonstration purpose return 1st
return triggers[0]
def get_one(self, ref_or_id, requester_user):
"""
Outputs the file associated with action entry_point
Handles requests:
GET /actions/views/entry_point/1
"""
LOG.info('GET /actions/views/entry_point with ref_or_id=%s', ref_or_id)
action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
permission_type = PermissionType.ACTION_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=action_db,
permission_type=permission_type)
pack = getattr(action_db, 'pack', None)
entry_point = getattr(action_db, 'entry_point', None)
abs_path = utils.get_entry_point_abs_path(pack, entry_point)
if not abs_path:
raise StackStormDBObjectNotFoundError('Action ref_or_id=%s has no entry_point to output'
% ref_or_id)
with codecs.open(abs_path, 'r') as fp:
content = fp.read()
# Ensure content is utf-8
if isinstance(content, six.binary_type):
content = content.decode('utf-8')
try:
content_type = mimetypes.guess_type(abs_path)[0]
except Exception:
content_type = None
# Special case if /etc/mime.types doesn't contain entry for yaml, py
if not content_type:
_, extension = os.path.splitext(abs_path)
if extension in ['.yaml', '.yml']:
content_type = 'application/x-yaml'
elif extension in ['.py']:
content_type = 'application/x-python'
else:
content_type = 'text/plain'
response = Response()
response.headers['Content-Type'] = content_type
response.text = content
return response
def _get_one_by_ref_or_id(self, ref_or_id, requester_user, exclude_fields=None):
instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields)
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=PermissionType.PACK_VIEW)
if not instance:
msg = 'Unable to identify resource with ref_or_id "%s".' % (ref_or_id)
abort(http_client.NOT_FOUND, msg)
return
result = self.model.from_model(instance, **self.from_model_kwargs)
return result
def _get_one_by_ref_or_id(self, ref_or_id, requester_user, exclude_fields=None):
instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields)
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=PermissionType.PACK_VIEW)
if not instance:
msg = 'Unable to identify resource with ref_or_id "%s".' % (ref_or_id)
abort(http_client.NOT_FOUND, msg)
return
result = self.model.from_model(instance, **self.from_model_kwargs)
return result
def get_one(self, ref_or_id, requester_user):
"""
Outputs the content of all the files inside the pack.
Handles requests:
GET /packs/views/files/<pack_ref_or_id>
"""
pack_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=pack_db,
permission_type=PermissionType.PACK_VIEW)
if not pack_db:
msg = 'Pack with ref_or_id "%s" does not exist' % (ref_or_id)
raise StackStormDBObjectNotFoundError(msg)
pack_ref = pack_db.ref
pack_files = pack_db.files
result = []
for file_path in pack_files:
normalized_file_path = get_pack_file_abs_path(pack_ref=pack_ref,
file_path=file_path)
if not normalized_file_path or not os.path.isfile(
normalized_file_path):
# Ignore references to files which don't exist on disk
continue
file_size = self._get_file_size(file_path=normalized_file_path)
if file_size is not None and file_size > MAX_FILE_SIZE:
LOG.debug(
'Skipping file "%s" which size exceeds max file size (%s bytes)'
% (normalized_file_path, MAX_FILE_SIZE))
continue
content = self._get_file_content(file_path=normalized_file_path)
include_file = self._include_file(file_path=file_path,
content=content)
if not include_file:
LOG.debug('Skipping binary file "%s"' % (normalized_file_path))
continue
item = {'file_path': file_path, 'content': content}
result.append(item)
return result
def _handle_schedule_execution(self, liveaction_api, requester_user, context_string=None,
show_secrets=False):
"""
:param liveaction: LiveActionAPI object.
:type liveaction: :class:`LiveActionAPI`
"""
if not requester_user:
requester_user = UserDB(cfg.CONF.system_user.user)
# Assert action ref is valid
action_ref = liveaction_api.action
action_db = action_utils.get_action_by_ref(action_ref)
if not action_db:
message = 'Action "%s" cannot be found.' % (action_ref)
LOG.warning(message)
abort(http_client.BAD_REQUEST, message)
# Assert the permissions
assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db,
permission_type=PermissionType.ACTION_EXECUTE)
# Validate that the authenticated user is admin if user query param is provided
user = liveaction_api.user or requester_user.name
assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user,
user=user)
try:
return self._schedule_execution(liveaction=liveaction_api,
requester_user=requester_user,
user=user,
context_string=context_string,
show_secrets=show_secrets,
action_db=action_db)
except ValueError as e:
LOG.exception('Unable to execute action.')
abort(http_client.BAD_REQUEST, six.text_type(e))
except jsonschema.ValidationError as e:
LOG.exception('Unable to execute action. Parameter validation failed.')
abort(http_client.BAD_REQUEST, re.sub("u'([^']*)'", r"'\1'",
getattr(e, 'message', six.text_type(e))))
except trace_exc.TraceNotFoundException as e:
abort(http_client.BAD_REQUEST, six.text_type(e))
except validation_exc.ValueValidationException as e:
raise e
except Exception as e:
LOG.exception('Unable to execute action. Unexpected error encountered.')
abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
def _get_one(self, ref_or_id, requester_user):
instance = self._get_by_ref_or_id(ref_or_id=ref_or_id)
permission_type = PermissionType.POLICY_TYPE_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
result = self.model.from_model(instance)
if result and self.include_reference:
resource_type = getattr(result, 'resource_type', None)
name = getattr(result, 'name', None)
result.ref = PolicyTypeReference(resource_type=resource_type, name=name).ref
return result
def get_one(self, ref_or_id, requester_user):
try:
trigger_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
except Exception as e:
LOG.exception(six.text_type(e))
abort(http_client.NOT_FOUND, six.text_type(e))
return
permission_type = PermissionType.TIMER_VIEW
resource_db = TimerDB(pack=trigger_db.pack, name=trigger_db.name)
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=resource_db,
permission_type=permission_type)
result = self.model.from_model(trigger_db)
return result
def get_one(self, ref_or_id, requester_user):
try:
trigger_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
except Exception as e:
LOG.exception(e.message)
abort(http_client.NOT_FOUND, e.message)
return
permission_type = PermissionType.TIMER_VIEW
resource_db = TimerDB(pack=trigger_db.pack, name=trigger_db.name)
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=resource_db,
permission_type=permission_type)
result = self.model.from_model(trigger_db)
return result
def put(self, action, ref_or_id, requester_user):
action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
# Assert permissions
permission_type = PermissionType.ACTION_MODIFY
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=action_db,
permission_type=permission_type)
action_id = action_db.id
if not getattr(action, 'pack', None):
action.pack = action_db.pack
# Perform validation
validate_not_part_of_system_pack(action)
action_validator.validate_action(action)
# Write pack data files to disk (if any are provided)
data_files = getattr(action, 'data_files', [])
written_data_files = []
if data_files:
written_data_files = self._handle_data_files(pack_ref=action.pack,
data_files=data_files)
try:
action_db = ActionAPI.to_model(action)
LOG.debug('/actions/ PUT incoming action: %s', action_db)
action_db.id = action_id
action_db = Action.add_or_update(action_db)
LOG.debug('/actions/ PUT after add_or_update: %s', action_db)
except (ValidationError, ValueError) as e:
LOG.exception('Unable to update action data=%s', action)
abort(http_client.BAD_REQUEST, str(e))
return
# Dispatch an internal trigger for each written data file. This way user
# automate committing this files to git using StackStorm rule
if written_data_files:
self._dispatch_trigger_for_written_data_files(
action_db=action_db, written_data_files=written_data_files)
action_api = ActionAPI.from_model(action_db)
LOG.debug('PUT /actions/ client_result=%s', action_api)
return action_api
def put(self, action_alias, ref_or_id, requester_user):
"""
Update an action alias.
Handles requests:
PUT /actionalias/1
"""
action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
LOG.debug('PUT /actionalias/ lookup with id=%s found object: %s',
ref_or_id, action_alias_db)
permission_type = PermissionType.ACTION_ALIAS_MODIFY
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=action_alias_db,
permission_type=permission_type)
if not hasattr(action_alias, 'id'):
action_alias.id = None
try:
if action_alias.id is not None and action_alias.id is not '' and \
action_alias.id != ref_or_id:
LOG.warning(
'Discarding mismatched id=%s found in payload and using uri_id=%s.',
action_alias.id, ref_or_id)
old_action_alias_db = action_alias_db
action_alias_db = ActionAliasAPI.to_model(action_alias)
action_alias_db.id = ref_or_id
action_alias_db = ActionAlias.add_or_update(action_alias_db)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for action alias data=%s',
action_alias)
abort(http_client.BAD_REQUEST, str(e))
return
extra = {
'old_action_alias_db': old_action_alias_db,
'new_action_alias_db': action_alias_db
}
LOG.audit('Action alias updated. ActionAlias.id=%s.' %
(action_alias_db.id),
extra=extra)
action_alias_api = ActionAliasAPI.from_model(action_alias_db)
return action_alias_api
def get_one(self, ref_or_id, requester_user):
"""
Outputs the content of all the files inside the pack.
Handles requests:
GET /packs/views/files/<pack_ref_or_id>
"""
pack_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=pack_db,
permission_type=PermissionType.PACK_VIEW)
if not pack_db:
msg = 'Pack with ref_or_id "%s" does not exist' % (ref_or_id)
raise StackStormDBObjectNotFoundError(msg)
pack_ref = pack_db.ref
pack_files = pack_db.files
result = []
for file_path in pack_files:
normalized_file_path = get_pack_file_abs_path(pack_ref=pack_ref, file_path=file_path)
if not normalized_file_path or not os.path.isfile(normalized_file_path):
# Ignore references to files which don't exist on disk
continue
file_size = self._get_file_size(file_path=normalized_file_path)
if file_size is not None and file_size > MAX_FILE_SIZE:
LOG.debug('Skipping file "%s" which size exceeds max file size (%s bytes)' %
(normalized_file_path, MAX_FILE_SIZE))
continue
content = self._get_file_content(file_path=normalized_file_path)
include_file = self._include_file(file_path=file_path, content=content)
if not include_file:
LOG.debug('Skipping binary file "%s"' % (normalized_file_path))
continue
item = {
'file_path': file_path,
'content': content
}
result.append(item)
return result
def put(self, api_key_api, api_key_id_or_key, requester_user):
api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key)
permission_type = PermissionType.API_KEY_MODIFY
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=api_key_db,
permission_type=permission_type)
old_api_key_db = api_key_db
api_key_db = ApiKeyAPI.to_model(api_key_api)
try:
User.get_by_name(api_key_api.user)
except StackStormDBObjectNotFoundError:
user_db = UserDB(name=api_key_api.user)
User.add_or_update(user_db)
extra = {'username': api_key_api.user, 'user': user_db}
LOG.audit('Registered new user "%s".' % (api_key_api.user),
extra=extra)
# Passing in key_hash as MASKED_ATTRIBUTE_VALUE is expected since we do not
# leak it out therefore it is expected we get the same value back. Interpret
# this special code and empty value as no-change
if api_key_db.key_hash == MASKED_ATTRIBUTE_VALUE or not api_key_db.key_hash:
api_key_db.key_hash = old_api_key_db.key_hash
# Rather than silently ignore any update to key_hash it is better to explicitly
# disallow and notify user.
if old_api_key_db.key_hash != api_key_db.key_hash:
raise ValueError('Update of key_hash is not allowed.')
api_key_db.id = old_api_key_db.id
api_key_db = ApiKey.add_or_update(api_key_db)
extra = {
'old_api_key_db': old_api_key_db,
'new_api_key_db': api_key_db
}
LOG.audit('API Key updated. ApiKey.id=%s.' % (api_key_db.id),
extra=extra)
api_key_api = ApiKeyAPI.from_model(api_key_db)
return api_key_api
def _get_one_by_id(self,
id,
requester_user,
permission_type,
exclude_fields=None,
from_model_kwargs=None):
"""Override ResourceController._get_one_by_id to contain scope of Inquiries UID hack
:param exclude_fields: A list of object fields to exclude.
:type exclude_fields: ``list``
"""
instance = self._get_by_id(resource_id=id,
exclude_fields=exclude_fields)
# _get_by_id pulls the resource by ID directly off of the database. Since
# Inquiries don't have their own DB model yet, this comes in the format
# "execution:<id>". So, to allow RBAC to get a handle on inquiries specifically,
# we're overriding the "get_uid" function to return one specific to Inquiries.
#
# TODO (mierdin): All of this should be removed once Inquiries get their own DB model
if getattr(
instance, 'runner',
None) and instance.runner.get('runner_module') == 'inquirer':
def get_uid():
return "inquiry"
instance.get_uid = get_uid
if permission_type:
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
if not instance:
msg = 'Unable to identify resource with id "%s".' % id
abort(http_client.NOT_FOUND, msg)
from_model_kwargs = from_model_kwargs or {}
from_model_kwargs.update(self.from_model_kwargs)
result = self.model.from_model(instance, **from_model_kwargs)
return result
def _get_one(self, ref_or_id, requester_user):
instance = self._get_by_ref_or_id(ref_or_id=ref_or_id)
permission_type = PermissionType.POLICY_TYPE_VIEW
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=instance,
permission_type=permission_type)
result = self.model.from_model(instance)
if result and self.include_reference:
resource_type = getattr(result, 'resource_type', None)
name = getattr(result, 'name', None)
result.ref = PolicyTypeReference(resource_type=resource_type,
name=name).ref
return result
def post(self, hook, body, headers, requester_user):
body = vars(body)
permission_type = PermissionType.WEBHOOK_SEND
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=WebhookDB(name=hook),
permission_type=permission_type)
headers = self._get_headers_as_dict(headers)
# If webhook contains a trace-tag use that else create create a unique trace-tag.
trace_context = self._create_trace_context(trace_tag=headers.pop(
TRACE_TAG_HEADER, None),
hook=hook)
if hook == 'st2' or hook == 'st2/':
trigger = body.get('trigger', None)
payload = body.get('payload', None)
if not trigger:
msg = 'Trigger not specified.'
return abort(http_client.BAD_REQUEST, msg)
self._trigger_dispatcher.dispatch(trigger,
payload=payload,
trace_context=trace_context)
else:
if not self._is_valid_hook(hook):
self._log_request('Invalid hook.', headers, body)
msg = 'Webhook %s not registered with st2' % hook
return abort(http_client.NOT_FOUND, msg)
triggers = self._hooks.get_triggers_for_hook(hook)
payload = {}
payload['headers'] = headers
payload['body'] = body
# Dispatch trigger instance for each of the trigger found
for trigger in triggers:
self._trigger_dispatcher.dispatch(trigger,
payload=payload,
trace_context=trace_context)
return Response(json=body, status=http_client.ACCEPTED)
def _get_one(action_id, requester_user):
"""
List merged action & runner parameters by action id.
Handle:
GET /actions/views/parameters/1
"""
action_db = LookupUtils._get_action_by_id(action_id)
permission_type = PermissionType.ACTION_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=action_db,
permission_type=permission_type)
runner_db = LookupUtils._get_runner_by_name(action_db.runner_type['name'])
all_params = action_param_utils.get_params_view(
action_db=action_db, runner_db=runner_db, merged_only=True)
return {'parameters': all_params}
def get_one(self, pack_ref, requester_user):
"""
Retrieve config for a particular pack.
Handles requests:
GET /configs/<pack_ref>
"""
# TODO: Make sure secret values are masked
try:
instance = packs_service.get_pack_by_ref(pack_ref=pack_ref)
except StackStormDBObjectNotFoundError:
msg = 'Unable to identify resource with pack_ref "%s".' % (pack_ref)
abort(http_client.NOT_FOUND, msg)
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=PermissionType.PACK_VIEW)
return self._get_one_by_pack_ref(pack_ref=pack_ref)
def delete(self, api_key_id_or_key, requester_user):
"""
Delete the key value pair.
Handles requests:
DELETE /apikeys/1
"""
api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key)
permission_type = PermissionType.API_KEY_DELETE
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=api_key_db,
permission_type=permission_type)
ApiKey.delete(api_key_db)
extra = {'api_key_db': api_key_db}
LOG.audit('ApiKey deleted. ApiKey.id=%s' % (api_key_db.id), extra=extra)
return Response(status=http_client.NO_CONTENT)
def put(self, sensor_type, ref_or_id, requester_user):
# Note: Right now this function only supports updating of "enabled"
# attribute on the SensorType model.
# The reason for that is that SensorTypeAPI.to_model right now only
# knows how to work with sensor type definitions from YAML files.
sensor_type_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
permission_type = PermissionType.SENSOR_MODIFY
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=sensor_type_db,
permission_type=permission_type)
sensor_type_id = sensor_type_db.id
try:
validate_not_part_of_system_pack(sensor_type_db)
except ValueValidationException as e:
abort(http_client.BAD_REQUEST, str(e))
return
if not getattr(sensor_type, 'pack', None):
sensor_type.pack = sensor_type_db.pack
try:
old_sensor_type_db = sensor_type_db
sensor_type_db.id = sensor_type_id
sensor_type_db.enabled = getattr(sensor_type, 'enabled', False)
sensor_type_db = SensorType.add_or_update(sensor_type_db)
except (ValidationError, ValueError) as e:
LOG.exception('Unable to update sensor_type data=%s', sensor_type)
abort(http_client.BAD_REQUEST, str(e))
return
extra = {
'old_sensor_type_db': old_sensor_type_db,
'new_sensor_type_db': sensor_type_db
}
LOG.audit('Sensor updated. Sensor.id=%s.' % (sensor_type_db.id), extra=extra)
sensor_type_api = SensorTypeAPI.from_model(sensor_type_db)
return sensor_type_api
def get_one(self, pack_ref, requester_user, show_secrets=False):
"""
Retrieve config for a particular pack.
Handles requests:
GET /configs/<pack_ref>
"""
from_model_kwargs = {
'mask_secrets': self._get_mask_secrets(requester_user, show_secrets=show_secrets)
}
try:
instance = packs_service.get_pack_by_ref(pack_ref=pack_ref)
except StackStormDBObjectNotFoundError:
msg = 'Unable to identify resource with pack_ref "%s".' % (pack_ref)
abort(http_client.NOT_FOUND, msg)
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=instance,
permission_type=PermissionType.PACK_VIEW)
return self._get_one_by_pack_ref(pack_ref=pack_ref, from_model_kwargs=from_model_kwargs)
def get(self, id, attribute, requester_user):
"""
Retrieve a particular attribute for the provided action execution.
Handles requests:
GET /executions/<id>/attribute/<attribute name>
:rtype: ``dict``
"""
fields = [attribute, 'action__pack', 'action__uid']
fields = self._validate_exclude_fields(fields)
action_exec_db = self.access.impl.model.objects.filter(id=id).only(*fields).get()
permission_type = PermissionType.EXECUTION_VIEW
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=action_exec_db,
permission_type=permission_type)
result = getattr(action_exec_db, attribute, None)
return result
def put(self, api_key_api, api_key_id_or_key, requester_user):
api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key)
permission_type = PermissionType.API_KEY_MODIFY
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=api_key_db,
permission_type=permission_type)
old_api_key_db = api_key_db
api_key_db = ApiKeyAPI.to_model(api_key_api)
try:
User.get_by_name(api_key_api.user)
except StackStormDBObjectNotFoundError:
user_db = UserDB(name=api_key_api.user)
User.add_or_update(user_db)
extra = {'username': api_key_api.user, 'user': user_db}
LOG.audit('Registered new user "%s".' % (api_key_api.user), extra=extra)
# Passing in key_hash as MASKED_ATTRIBUTE_VALUE is expected since we do not
# leak it out therefore it is expected we get the same value back. Interpret
# this special code and empty value as no-change
if api_key_db.key_hash == MASKED_ATTRIBUTE_VALUE or not api_key_db.key_hash:
api_key_db.key_hash = old_api_key_db.key_hash
# Rather than silently ignore any update to key_hash it is better to explicitly
# disallow and notify user.
if old_api_key_db.key_hash != api_key_db.key_hash:
raise ValueError('Update of key_hash is not allowed.')
api_key_db.id = old_api_key_db.id
api_key_db = ApiKey.add_or_update(api_key_db)
extra = {'old_api_key_db': old_api_key_db, 'new_api_key_db': api_key_db}
LOG.audit('API Key updated. ApiKey.id=%s.' % (api_key_db.id), extra=extra)
api_key_api = ApiKeyAPI.from_model(api_key_db)
return api_key_api
def put(self, action_alias, ref_or_id, requester_user):
"""
Update an action alias.
Handles requests:
PUT /actionalias/1
"""
action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id)
LOG.debug('PUT /actionalias/ lookup with id=%s found object: %s', ref_or_id,
action_alias_db)
permission_type = PermissionType.ACTION_ALIAS_MODIFY
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=action_alias_db,
permission_type=permission_type)
if not hasattr(action_alias, 'id'):
action_alias.id = None
try:
if action_alias.id is not None and action_alias.id is not '' and \
action_alias.id != ref_or_id:
LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.',
action_alias.id, ref_or_id)
old_action_alias_db = action_alias_db
action_alias_db = ActionAliasAPI.to_model(action_alias)
action_alias_db.id = ref_or_id
action_alias_db = ActionAlias.add_or_update(action_alias_db)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for action alias data=%s', action_alias)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
extra = {'old_action_alias_db': old_action_alias_db, 'new_action_alias_db': action_alias_db}
LOG.audit('Action alias updated. ActionAlias.id=%s.' % (action_alias_db.id), extra=extra)
action_alias_api = ActionAliasAPI.from_model(action_alias_db)
return action_alias_api
def put(self, instance, ref_or_id, requester_user):
op = 'PUT /policies/%s/' % ref_or_id
db_model = self._get_by_ref_or_id(ref_or_id=ref_or_id)
LOG.debug('%s found object: %s', op, db_model)
permission_type = PermissionType.POLICY_MODIFY
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=db_model,
permission_type=permission_type)
db_model_id = db_model.id
try:
validate_not_part_of_system_pack(db_model)
except ValueValidationException as e:
LOG.exception('%s unable to update object from system pack.', op)
abort(http_client.BAD_REQUEST, six.text_type(e))
if not getattr(instance, 'pack', None):
instance.pack = db_model.pack
try:
db_model = self.model.to_model(instance)
db_model.id = db_model_id
db_model = self.access.add_or_update(db_model)
except (ValidationError, ValueError) as e:
LOG.exception('%s unable to update object: %s', op, db_model)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
LOG.debug('%s updated object: %s', op, db_model)
LOG.audit('Policy updated. Policy.id=%s' % (db_model.id), extra={'policy_db': db_model})
exec_result = self.model.from_model(db_model)
return Response(json=exec_result, status=http_client.OK)
