Ejemplo n.º 1
0
def _setup():
    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH)

    # 1. parse config args
    config.parse_args()

    # 2. setup logging.
    logging.setup(cfg.CONF.sensorcontainer.logging)

    # 3. all other setup which requires config to be parsed and logging to
    # be correctly setup.
    username = cfg.CONF.database.username if hasattr(cfg.CONF.database,
                                                     'username') else None
    password = cfg.CONF.database.password if hasattr(cfg.CONF.database,
                                                     'password') else None
    db_setup(cfg.CONF.database.db_name,
             cfg.CONF.database.host,
             cfg.CONF.database.port,
             username=username,
             password=password)
    register_exchanges()
    register_common_signal_handlers()

    # 4. Register internal triggers
    # Note: We need to do import here because of a messed up configuration
    # situation (this module depends on configuration being parsed)
    from st2common.triggers import register_internal_trigger_types
    register_internal_trigger_types()
Ejemplo n.º 2
0
def _setup():
    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH)

    # 1. parse config args
    config.parse_args()

    # 2. setup logging.
    logging.setup(cfg.CONF.sensorcontainer.logging)

    # 3. all other setup which requires config to be parsed and logging to
    # be correctly setup.
    username = cfg.CONF.database.username if hasattr(cfg.CONF.database,
                                                     'username') else None
    password = cfg.CONF.database.password if hasattr(cfg.CONF.database,
                                                     'password') else None
    db_setup(cfg.CONF.database.db_name,
             cfg.CONF.database.host,
             cfg.CONF.database.port,
             username=username,
             password=password)
    register_exchanges()
    register_common_signal_handlers()

    # 4. Register internal triggers
    register_internal_trigger_types()
Ejemplo n.º 3
0
def _setup():
    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH)

    # 1. parse config args
    config.parse_args()

    # 2. setup logging.
    logging.setup(cfg.CONF.sensorcontainer.logging)

    # 3. all other setup which requires config to be parsed and logging to
    # be correctly setup.
    username = cfg.CONF.database.username if hasattr(cfg.CONF.database, 'username') else None
    password = cfg.CONF.database.password if hasattr(cfg.CONF.database, 'password') else None
    db_setup(cfg.CONF.database.db_name, cfg.CONF.database.host, cfg.CONF.database.port,
             username=username, password=password)
    register_exchanges()
    register_common_signal_handlers()

    # 4. Register internal triggers
    # Note: We need to do import here because of a messed up configuration
    # situation (this module depends on configuration being parsed)
    from st2common.triggers import register_internal_trigger_types
    register_internal_trigger_types()
Ejemplo n.º 4
0
Archivo: api.py Proyecto: joshgre/st2
def _setup():
    common_setup(service='api',
                 config=config,
                 setup_db=True,
                 register_mq_exchanges=True,
                 register_signal_handlers=True)

    register_internal_trigger_types()
Ejemplo n.º 5
0
def setup(
    config,
    setup_db=True,
    register_mq_exchanges=True,
    register_internal_trigger_types=False,
):
    """
    Common setup function.

    Currently it performs the following operations:

    1. Parses config and CLI arguments
    2. Establishes DB connection
    3. Suppress DEBUG log level if --verbose flag is not used
    4. Registers RabbitMQ exchanges
    5. Registers internal trigger types (optional, disabled by default)

    :param config: Config object to use to parse args.
    """
    # Register common CLI options
    register_common_cli_options()

    # Parse args to setup config
    config.parse_args()

    if cfg.CONF.debug:
        cfg.CONF.verbose = True

    # Set up logging
    log_level = stdlib_logging.DEBUG
    stdlib_logging.basicConfig(
        format="%(asctime)s %(levelname)s [-] %(message)s", level=log_level)

    if not cfg.CONF.verbose:
        # Note: We still want to print things at the following log levels: INFO, ERROR, CRITICAL
        exclude_log_levels = [stdlib_logging.AUDIT, stdlib_logging.DEBUG]
        handlers = stdlib_logging.getLoggerClass().manager.root.handlers

        for handler in handlers:
            handler.addFilter(LogLevelFilter(log_levels=exclude_log_levels))

        # NOTE: statsd logger logs everything by default under INFO so we ignore those log
        # messages unless verbose / debug mode is used
        logging.ignore_statsd_log_messages()

    logging.ignore_lib2to3_log_messages()

    # All other setup code which requires config to be parsed and logging to be correctly setup
    if setup_db:
        db_setup()

    if register_mq_exchanges:
        register_exchanges_with_retry()

    if register_internal_trigger_types:
        triggers.register_internal_trigger_types()
Ejemplo n.º 6
0
def setup(config, setup_db=True, register_mq_exchanges=True,
          register_internal_trigger_types=False):
    """
    Common setup function.

    Currently it performs the following operations:

    1. Parses config and CLI arguments
    2. Establishes DB connection
    3. Suppress DEBUG log level if --verbose flag is not used
    4. Registers RabbitMQ exchanges
    5. Registers internal trigger types (optional, disabled by default)

    :param config: Config object to use to parse args.
    """
    # Register common CLI options
    register_common_cli_options()

    # Parse args to setup config
    config.parse_args()

    if cfg.CONF.debug:
        cfg.CONF.verbose = True

    # Set up logging
    log_level = stdlib_logging.DEBUG
    stdlib_logging.basicConfig(format='%(asctime)s %(levelname)s [-] %(message)s', level=log_level)

    if not cfg.CONF.verbose:
        # Note: We still want to print things at the following log levels: INFO, ERROR, CRITICAL
        exclude_log_levels = [stdlib_logging.AUDIT, stdlib_logging.DEBUG]
        handlers = stdlib_logging.getLoggerClass().manager.root.handlers

        for handler in handlers:
            handler.addFilter(LogLevelFilter(log_levels=exclude_log_levels))

        # NOTE: statsd logger logs everything by default under INFO so we ignore those log
        # messages unless verbose / debug mode is used
        logging.ignore_statsd_log_messages()

    logging.ignore_lib2to3_log_messages()

    # All other setup code which requires config to be parsed and logging to be correctly setup
    if setup_db:
        db_setup()

    if register_mq_exchanges:
        register_exchanges_with_retry()

    if register_internal_trigger_types:
        triggers.register_internal_trigger_types()
Ejemplo n.º 7
0
def _setup():
    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH)

    # 1. parse config args
    config.parse_args()

    # 2. setup logging.
    logging.setup(cfg.CONF.sensorcontainer.logging)

    # 3. all other setup which requires config to be parsed and logging to
    # be correctly setup.
    username = cfg.CONF.database.username if hasattr(cfg.CONF.database, 'username') else None
    password = cfg.CONF.database.password if hasattr(cfg.CONF.database, 'password') else None
    db_setup(cfg.CONF.database.db_name, cfg.CONF.database.host, cfg.CONF.database.port,
             username=username, password=password)
    register_exchanges()
    register_common_signal_handlers()

    # 4. Register internal triggers
    register_internal_trigger_types()
Ejemplo n.º 8
0
def setup(service, config, setup_db=True, register_mq_exchanges=True,
          register_signal_handlers=True, register_internal_trigger_types=False,
          run_migrations=True, config_args=None):
    """
    Common setup function.

    Currently it performs the following operations:

    1. Parses config and CLI arguments
    2. Establishes DB connection
    3. Set log level for all the loggers to DEBUG if --debug flag is present or
       if system.debug config option is set to True.
    4. Registers RabbitMQ exchanges
    5. Registers common signal handlers
    6. Register internal trigger types

    :param service: Name of the service.
    :param config: Config object to use to parse args.
    """
    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH, excludes=None)

    # Parse args to setup config.
    if config_args:
        config.parse_args(config_args)
    else:
        config.parse_args()

    config_file_paths = cfg.CONF.config_file
    config_file_paths = [os.path.abspath(path) for path in config_file_paths]
    LOG.debug('Using config files: %s', ','.join(config_file_paths))

    # Setup logging.
    logging_config_path = config.get_logging_config_path()
    logging_config_path = os.path.abspath(logging_config_path)

    LOG.debug('Using logging config: %s', logging_config_path)

    try:
        logging.setup(logging_config_path, redirect_stderr=cfg.CONF.log.redirect_stderr,
                      excludes=cfg.CONF.log.excludes)
    except KeyError as e:
        tb_msg = traceback.format_exc()
        if 'log.setLevel' in tb_msg:
            msg = 'Invalid log level selected. Log level names need to be all uppercase.'
            msg += '\n\n' + getattr(e, 'message', str(e))
            raise KeyError(msg)
        else:
            raise e

    if cfg.CONF.debug or cfg.CONF.system.debug:
        enable_debugging()

    if cfg.CONF.profile:
        enable_profiling()

    # All other setup which requires config to be parsed and logging to
    # be correctly setup.
    if setup_db:
        db_setup()

    if register_mq_exchanges:
        register_exchanges_with_retry()

    if register_signal_handlers:
        register_common_signal_handlers()

    if register_internal_trigger_types:
        triggers.register_internal_trigger_types()

    # TODO: This is a "not so nice" workaround until we have a proper migration system in place
    if run_migrations:
        run_all_rbac_migrations()

    metrics_initialize()
Ejemplo n.º 9
0
def setup(service,
          config,
          setup_db=True,
          register_mq_exchanges=True,
          register_signal_handlers=True,
          register_internal_trigger_types=False,
          run_migrations=True,
          register_runners=True,
          config_args=None):
    """
    Common setup function.

    Currently it performs the following operations:

    1. Parses config and CLI arguments
    2. Establishes DB connection
    3. Set log level for all the loggers to DEBUG if --debug flag is present or
       if system.debug config option is set to True.
    4. Registers RabbitMQ exchanges
    5. Registers common signal handlers
    6. Register internal trigger types
    7. Register all the runners which are installed inside StackStorm virtualenv.

    :param service: Name of the service.
    :param config: Config object to use to parse args.
    """
    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH, excludes=None)

    # Parse args to setup config.
    if config_args:
        config.parse_args(config_args)
    else:
        config.parse_args()

    version = '%s.%s.%s' % (sys.version_info[0], sys.version_info[1],
                            sys.version_info[2])
    LOG.debug('Using Python: %s (%s)' % (version, sys.executable))

    config_file_paths = cfg.CONF.config_file
    config_file_paths = [os.path.abspath(path) for path in config_file_paths]
    LOG.debug('Using config files: %s', ','.join(config_file_paths))

    # Setup logging.
    logging_config_path = config.get_logging_config_path()
    logging_config_path = os.path.abspath(logging_config_path)

    LOG.debug('Using logging config: %s', logging_config_path)

    is_debug_enabled = (cfg.CONF.debug or cfg.CONF.system.debug)

    try:
        logging.setup(logging_config_path,
                      redirect_stderr=cfg.CONF.log.redirect_stderr,
                      excludes=cfg.CONF.log.excludes)
    except KeyError as e:
        tb_msg = traceback.format_exc()
        if 'log.setLevel' in tb_msg:
            msg = 'Invalid log level selected. Log level names need to be all uppercase.'
            msg += '\n\n' + getattr(e, 'message', str(e))
            raise KeyError(msg)
        else:
            raise e

    exclude_log_levels = [stdlib_logging.AUDIT]
    handlers = stdlib_logging.getLoggerClass().manager.root.handlers

    for handler in handlers:
        # If log level is not set to DEBUG we filter out "AUDIT" log messages. This way we avoid
        # duplicate "AUDIT" messages in production deployments where default service log level is
        # set to "INFO" and we already log messages with level AUDIT to a special dedicated log
        # file.
        ignore_audit_log_messages = (handler.level >= stdlib_logging.INFO
                                     and handler.level < stdlib_logging.AUDIT)
        if not is_debug_enabled and ignore_audit_log_messages:
            LOG.debug(
                'Excluding log messages with level "AUDIT" for handler "%s"' %
                (handler))
            handler.addFilter(LogLevelFilter(log_levels=exclude_log_levels))

    if not is_debug_enabled:
        # NOTE: statsd logger logs everything by default under INFO so we ignore those log
        # messages unless verbose / debug mode is used
        logging.ignore_statsd_log_messages()

    logging.ignore_lib2to3_log_messages()

    if is_debug_enabled:
        enable_debugging()
    else:
        # Add global ignore filters, such as "heartbeat_tick" messages which are logged every 2
        # ms which cause too much noise
        add_global_filters_for_all_loggers()

    if cfg.CONF.profile:
        enable_profiling()

    # All other setup which requires config to be parsed and logging to be correctly setup.
    if setup_db:
        db_setup()

    if register_mq_exchanges:
        register_exchanges_with_retry()

    if register_signal_handlers:
        register_common_signal_handlers()

    if register_internal_trigger_types:
        triggers.register_internal_trigger_types()

    # TODO: This is a "not so nice" workaround until we have a proper migration system in place
    if run_migrations:
        run_all_rbac_migrations()

    if register_runners:
        runnersregistrar.register_runners()

    register_kombu_serializers()

    metrics_initialize()
Ejemplo n.º 10
0
def setup(
    service,
    config,
    setup_db=True,
    register_mq_exchanges=True,
    register_signal_handlers=True,
    register_internal_trigger_types=False,
    run_migrations=True,
    register_runners=True,
    service_registry=False,
    capabilities=None,
    config_args=None,
):
    """
    Common setup function.

    Currently it performs the following operations:

    1. Parses config and CLI arguments
    2. Establishes DB connection
    3. Set log level for all the loggers to DEBUG if --debug flag is present or
       if system.debug config option is set to True.
    4. Registers RabbitMQ exchanges
    5. Registers common signal handlers
    6. Register internal trigger types
    7. Register all the runners which are installed inside StackStorm virtualenv.
    8. Register service in the service registry with the provided capabilities

    :param service: Name of the service.
    :param config: Config object to use to parse args.
    """
    capabilities = capabilities or {}

    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH, excludes=None)

    # Parse args to setup config.
    if config_args is not None:
        config.parse_args(config_args)
    else:
        config.parse_args()

    version = "%s.%s.%s" % (
        sys.version_info[0],
        sys.version_info[1],
        sys.version_info[2],
    )

    # We print locale related info to make it easier to troubleshoot issues where locale is not
    # set correctly (e.g. using C / ascii, but services are trying to work with unicode data
    # would result in things blowing up)

    fs_encoding = sys.getfilesystemencoding()
    default_encoding = sys.getdefaultencoding()
    lang_env = os.environ.get("LANG", "unknown")

    try:
        language_code, encoding = locale.getdefaultlocale()

        if language_code and encoding:
            used_locale = ".".join([language_code, encoding])
        else:
            used_locale = "unable to retrieve locale"
    except Exception as e:
        used_locale = "unable to retrieve locale: %s " % (str(e))

    LOG.info("Using Python: %s (%s)" % (version, sys.executable))
    LOG.info(
        "Using fs encoding: %s, default encoding: %s, LANG env variable: %s, locale: %s"
        % (fs_encoding, default_encoding, lang_env, used_locale))

    config_file_paths = cfg.CONF.config_file
    config_file_paths = [os.path.abspath(path) for path in config_file_paths]
    LOG.info("Using config files: %s", ",".join(config_file_paths))

    # Setup logging.
    logging_config_path = config.get_logging_config_path()
    logging_config_path = os.path.abspath(logging_config_path)

    LOG.info("Using logging config: %s", logging_config_path)

    is_debug_enabled = cfg.CONF.debug or cfg.CONF.system.debug

    try:
        logging.setup(
            logging_config_path,
            redirect_stderr=cfg.CONF.log.redirect_stderr,
            excludes=cfg.CONF.log.excludes,
        )
    except KeyError as e:
        tb_msg = traceback.format_exc()
        if "log.setLevel" in tb_msg:
            msg = (
                "Invalid log level selected. Log level names need to be all uppercase."
            )
            msg += "\n\n" + getattr(e, "message", six.text_type(e))
            raise KeyError(msg)
        else:
            raise e

    exclude_log_levels = [stdlib_logging.AUDIT]
    handlers = stdlib_logging.getLoggerClass().manager.root.handlers

    for handler in handlers:
        # If log level is not set to DEBUG we filter out "AUDIT" log messages. This way we avoid
        # duplicate "AUDIT" messages in production deployments where default service log level is
        # set to "INFO" and we already log messages with level AUDIT to a special dedicated log
        # file.
        ignore_audit_log_messages = (handler.level >= stdlib_logging.INFO
                                     and handler.level < stdlib_logging.AUDIT)
        if not is_debug_enabled and ignore_audit_log_messages:
            LOG.debug(
                'Excluding log messages with level "AUDIT" for handler "%s"' %
                (handler))
            handler.addFilter(LogLevelFilter(log_levels=exclude_log_levels))

    if not is_debug_enabled:
        # NOTE: statsd logger logs everything by default under INFO so we ignore those log
        # messages unless verbose / debug mode is used
        logging.ignore_statsd_log_messages()

    logging.ignore_lib2to3_log_messages()

    if is_debug_enabled:
        enable_debugging()
    else:
        # Add global ignore filters, such as "heartbeat_tick" messages which are logged every 2
        # ms which cause too much noise
        add_global_filters_for_all_loggers()

    if cfg.CONF.profile:
        enable_profiling()

    # All other setup which requires config to be parsed and logging to be correctly setup.
    if setup_db:
        db_setup()

    if register_mq_exchanges:
        register_exchanges_with_retry()

    if register_signal_handlers:
        register_common_signal_handlers()

    if register_internal_trigger_types:
        triggers.register_internal_trigger_types()

    # TODO: This is a "not so nice" workaround until we have a proper migration system in place
    if run_migrations:
        run_all_rbac_migrations()

    if register_runners:
        runnersregistrar.register_runners()

    register_kombu_serializers()

    metrics_initialize()

    # Register service in the service registry
    if cfg.CONF.coordination.service_registry and service_registry:
        # NOTE: It's important that we pass start_heart=True to start the hearbeat process
        register_service_in_service_registry(service=service,
                                             capabilities=capabilities,
                                             start_heart=True)

    if sys.version_info[0] == 2:
        LOG.warning(PYTHON2_DEPRECATION)
Ejemplo n.º 11
0
    def setUp(self):
        super(RuleEnforcementPermissionsResolverTestCase, self).setUp()

        register_internal_trigger_types()

        # Create some mock users
        user_1_db = UserDB(name='1_role_rule_pack_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_rule_pack_grant'] = user_1_db

        user_2_db = UserDB(name='1_role_rule_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_rule_grant'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_rule_all_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_rule_all_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_rule_all_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_rule_modify_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_rule_modify_grant'] = user_5_db

        user_6_db = UserDB(name='rule_pack_rule_create_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['rule_pack_rule_create_grant'] = user_6_db

        user_7_db = UserDB(name='rule_pack_rule_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['rule_pack_rule_all_grant'] = user_7_db

        user_8_db = UserDB(name='rule_rule_create_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['rule_rule_create_grant'] = user_8_db

        user_9_db = UserDB(name='rule_rule_all_grant')
        user_9_db = User.add_or_update(user_9_db)
        self.users['rule_rule_all_grant'] = user_9_db

        user_10_db = UserDB(name='custom_role_rule_list_grant')
        user_10_db = User.add_or_update(user_10_db)
        self.users['custom_role_rule_list_grant'] = user_10_db

        # Create some mock resources on which permissions can be granted
        rule_1_db = RuleDB(pack='test_pack_1',
                           name='rule1',
                           action={'ref': 'core.local'},
                           trigger='core.st2.key_value_pair.create')
        rule_1_db = Rule.add_or_update(rule_1_db)
        self.resources['rule_1'] = rule_1_db

        rule_enforcement_1_db = RuleEnforcementDB(
            trigger_instance_id=str(bson.ObjectId()),
            execution_id=str(bson.ObjectId()),
            rule={
                'ref': rule_1_db.ref,
                'uid': rule_1_db.uid,
                'id': str(rule_1_db.id)
            })
        rule_enforcement_1_db = RuleEnforcement.add_or_update(
            rule_enforcement_1_db)
        self.resources['rule_enforcement_1'] = rule_enforcement_1_db

        rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
        rule_2_db = Rule.add_or_update(rule_2_db)
        self.resources['rule_2'] = rule_2_db

        rule_enforcement_2_db = RuleEnforcementDB(
            trigger_instance_id=str(bson.ObjectId()),
            execution_id=str(bson.ObjectId()),
            rule={
                'ref': rule_2_db.ref,
                'uid': rule_2_db.uid,
                'id': str(rule_2_db.id)
            })
        rule_enforcement_2_db = RuleEnforcement.add_or_update(
            rule_enforcement_2_db)
        self.resources['rule_enforcement_2'] = rule_enforcement_2_db

        rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
        rule_3_db = Rule.add_or_update(rule_3_db)
        self.resources['rule_3'] = rule_3_db

        rule_enforcement_3_db = RuleEnforcementDB(
            trigger_instance_id=str(bson.ObjectId()),
            execution_id=str(bson.ObjectId()),
            rule={
                'ref': rule_3_db.ref,
                'uid': rule_3_db.uid,
                'id': str(rule_3_db.id)
            })
        rule_enforcement_3_db = RuleEnforcement.add_or_update(
            rule_enforcement_3_db)
        self.resources['rule_enforcement_3'] = rule_enforcement_3_db

        # Create some mock roles with associated permission grants
        # Custom role 2 - one grant on parent pack
        # "rule_view" on pack_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_rule_pack_grant',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_rule_pack_grant'] = role_3_db

        # Custom role 4 - one grant on rule
        # "rule_view on rule_3
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_3'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_grant'] = role_4_db

        # Custom role - "rule_all" grant on a parent rule pack
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_rule_all_grant'] = role_4_db

        # Custom role - "rule_all" grant on a rule
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_all_grant'] = role_4_db

        # Custom role - "rule_modify" on role_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_MODIFY])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='custom_role_rule_modify_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['custom_role_rule_modify_grant'] = role_5_db

        # Custom role - "rule_create" grant on pack_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_6_db = RoleDB(name='rule_pack_rule_create_grant',
                           permission_grants=permission_grants)
        role_6_db = Role.add_or_update(role_6_db)
        self.roles['rule_pack_rule_create_grant'] = role_6_db

        # Custom role - "rule_all" grant on pack_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_7_db = RoleDB(name='rule_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_7_db = Role.add_or_update(role_7_db)
        self.roles['rule_pack_rule_all_grant'] = role_7_db

        # Custom role - "rule_create" grant on rule_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_8_db = RoleDB(name='rule_rule_create_grant',
                           permission_grants=permission_grants)
        role_8_db = Role.add_or_update(role_8_db)
        self.roles['rule_rule_create_grant'] = role_8_db

        # Custom role - "rule_all" grant on rule_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_9_db = RoleDB(name='rule_rule_all_grant',
                           permission_grants=permission_grants)
        role_9_db = Role.add_or_update(role_9_db)
        self.roles['rule_rule_all_grant'] = role_9_db

        # Custom role - "rule_list" grant
        grant_db = PermissionGrantDB(
            resource_uid=None,
            resource_type=None,
            permission_types=[PermissionType.RULE_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_10_db = RoleDB(name='custom_role_rule_list_grant',
                            permission_grants=permission_grants)
        role_10_db = Role.add_or_update(role_10_db)
        self.roles['custom_role_rule_list_grant'] = role_10_db

        # Create some mock role assignments
        user_db = self.users['custom_role_rule_pack_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_pack_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_rule_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_modify_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_modify_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_create_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_rule_create_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_rule_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_list_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_list_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Ejemplo n.º 12
0
def setup(service, config, setup_db=True, register_mq_exchanges=True,
          register_signal_handlers=True, register_internal_trigger_types=False,
          run_migrations=True, register_runners=True, service_registry=False,
          capabilities=None, config_args=None):
    """
    Common setup function.

    Currently it performs the following operations:

    1. Parses config and CLI arguments
    2. Establishes DB connection
    3. Set log level for all the loggers to DEBUG if --debug flag is present or
       if system.debug config option is set to True.
    4. Registers RabbitMQ exchanges
    5. Registers common signal handlers
    6. Register internal trigger types
    7. Register all the runners which are installed inside StackStorm virtualenv.
    8. Register service in the service registry with the provided capabilities

    :param service: Name of the service.
    :param config: Config object to use to parse args.
    """
    capabilities = capabilities or {}

    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH, excludes=None)

    # Parse args to setup config.
    if config_args is not None:
        config.parse_args(config_args)
    else:
        config.parse_args()

    version = '%s.%s.%s' % (sys.version_info[0], sys.version_info[1], sys.version_info[2])
    LOG.debug('Using Python: %s (%s)' % (version, sys.executable))

    config_file_paths = cfg.CONF.config_file
    config_file_paths = [os.path.abspath(path) for path in config_file_paths]
    LOG.debug('Using config files: %s', ','.join(config_file_paths))

    # Setup logging.
    logging_config_path = config.get_logging_config_path()
    logging_config_path = os.path.abspath(logging_config_path)

    LOG.debug('Using logging config: %s', logging_config_path)

    is_debug_enabled = (cfg.CONF.debug or cfg.CONF.system.debug)

    try:
        logging.setup(logging_config_path, redirect_stderr=cfg.CONF.log.redirect_stderr,
                      excludes=cfg.CONF.log.excludes)
    except KeyError as e:
        tb_msg = traceback.format_exc()
        if 'log.setLevel' in tb_msg:
            msg = 'Invalid log level selected. Log level names need to be all uppercase.'
            msg += '\n\n' + getattr(e, 'message', six.text_type(e))
            raise KeyError(msg)
        else:
            raise e

    exclude_log_levels = [stdlib_logging.AUDIT]
    handlers = stdlib_logging.getLoggerClass().manager.root.handlers

    for handler in handlers:
        # If log level is not set to DEBUG we filter out "AUDIT" log messages. This way we avoid
        # duplicate "AUDIT" messages in production deployments where default service log level is
        # set to "INFO" and we already log messages with level AUDIT to a special dedicated log
        # file.
        ignore_audit_log_messages = (handler.level >= stdlib_logging.INFO and
                                     handler.level < stdlib_logging.AUDIT)
        if not is_debug_enabled and ignore_audit_log_messages:
            LOG.debug('Excluding log messages with level "AUDIT" for handler "%s"' % (handler))
            handler.addFilter(LogLevelFilter(log_levels=exclude_log_levels))

    if not is_debug_enabled:
        # NOTE: statsd logger logs everything by default under INFO so we ignore those log
        # messages unless verbose / debug mode is used
        logging.ignore_statsd_log_messages()

    logging.ignore_lib2to3_log_messages()

    if is_debug_enabled:
        enable_debugging()
    else:
        # Add global ignore filters, such as "heartbeat_tick" messages which are logged every 2
        # ms which cause too much noise
        add_global_filters_for_all_loggers()

    if cfg.CONF.profile:
        enable_profiling()

    # All other setup which requires config to be parsed and logging to be correctly setup.
    if setup_db:
        db_setup()

    if register_mq_exchanges:
        register_exchanges_with_retry()

    if register_signal_handlers:
        register_common_signal_handlers()

    if register_internal_trigger_types:
        triggers.register_internal_trigger_types()

    # TODO: This is a "not so nice" workaround until we have a proper migration system in place
    if run_migrations:
        run_all_rbac_migrations()

    if register_runners:
        runnersregistrar.register_runners()

    register_kombu_serializers()

    metrics_initialize()

    # Register service in the service registry
    if cfg.CONF.coordination.service_registry and service_registry:
        # NOTE: It's important that we pass start_heart=True to start the hearbeat process
        register_service_in_service_registry(service=service, capabilities=capabilities,
                                             start_heart=True)
 def test_register_internal_trigger_types(self):
     registered_trigger_types_db = register_internal_trigger_types()
     for trigger_type_db in registered_trigger_types_db:
         self._validate_shadow_trigger(trigger_type_db)
Ejemplo n.º 14
0
Archivo: api.py Proyecto: ipv1337/st2
def _setup():
    common_setup(service='api', config=config, setup_db=True, register_mq_exchanges=True,
                 register_signal_handlers=True)

    register_internal_trigger_types()
Ejemplo n.º 15
0
def setup(service, config, setup_db=True, register_mq_exchanges=True,
          register_signal_handlers=True, register_internal_trigger_types=False,
          run_migrations=True, config_args=None):
    """
    Common setup function.

    Currently it performs the following operations:

    1. Parses config and CLI arguments
    2. Establishes DB connection
    3. Set log level for all the loggers to DEBUG if --debug flag is present or
       if system.debug config option is set to True.
    4. Registers RabbitMQ exchanges
    5. Registers common signal handlers
    6. Register internal trigger types

    :param service: Name of the service.
    :param config: Config object to use to parse args.
    """
    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH, excludes=None)

    # Parse args to setup config.
    if config_args:
        config.parse_args(config_args)
    else:
        config.parse_args()

    config_file_paths = cfg.CONF.config_file
    config_file_paths = [os.path.abspath(path) for path in config_file_paths]
    LOG.debug('Using config files: %s', ','.join(config_file_paths))

    # Setup logging.
    logging_config_path = config.get_logging_config_path()
    logging_config_path = os.path.abspath(logging_config_path)

    LOG.debug('Using logging config: %s', logging_config_path)
    logging.setup(logging_config_path, redirect_stderr=cfg.CONF.log.redirect_stderr,
                  excludes=cfg.CONF.log.excludes)

    if cfg.CONF.debug or cfg.CONF.system.debug:
        enable_debugging()

    if cfg.CONF.profile:
        enable_profiling()

    # All other setup which requires config to be parsed and logging to
    # be correctly setup.
    if setup_db:
        db_setup()

    if register_mq_exchanges:
        register_exchanges_with_retry()

    if register_signal_handlers:
        register_common_signal_handlers()

    if register_internal_trigger_types:
        triggers.register_internal_trigger_types()

    # TODO: This is a "not so nice" workaround until we have a proper migration system in place
    if run_migrations:
        run_all_rbac_migrations()

    if cfg.CONF.rbac.enable and not cfg.CONF.auth.enable:
        msg = ('Authentication is not enabled. RBAC only works when authentication is enabled.'
               'You can either enable authentication or disable RBAC.')
        raise Exception(msg)
Ejemplo n.º 16
0
 def test_register_internal_trigger_types(self):
     registered_trigger_types_db = register_internal_trigger_types()
     for trigger_type_db in registered_trigger_types_db:
         self._validate_shadow_trigger(trigger_type_db)
Ejemplo n.º 17
0
    def setUp(self):
        super(RulePermissionsResolverTestCase, self).setUp()

        # Register internal triggers - this is needed so we can reference an internal trigger
        # inside a mock rule
        register_internal_trigger_types()

        # Create some mock users
        user_1_db = UserDB(name='1_role_rule_pack_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_rule_pack_grant'] = user_1_db

        user_2_db = UserDB(name='1_role_rule_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_rule_grant'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_rule_all_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_rule_all_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_rule_all_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_rule_modify_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_rule_modify_grant'] = user_5_db

        user_6_db = UserDB(name='rule_pack_rule_create_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['rule_pack_rule_create_grant'] = user_6_db

        user_7_db = UserDB(name='rule_pack_rule_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['rule_pack_rule_all_grant'] = user_7_db

        user_8_db = UserDB(name='rule_rule_create_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['rule_rule_create_grant'] = user_8_db

        user_9_db = UserDB(name='rule_rule_all_grant')
        user_9_db = User.add_or_update(user_9_db)
        self.users['rule_rule_all_grant'] = user_9_db

        # Create some mock resources on which permissions can be granted
        rule_1_db = RuleDB(pack='test_pack_1',
                           name='rule1',
                           action={'ref': 'core.local'},
                           trigger='core.st2.key_value_pair.create')
        rule_1_db = Rule.add_or_update(rule_1_db)
        self.resources['rule_1'] = rule_1_db

        rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
        rule_2_db = Rule.add_or_update(rule_2_db)
        self.resources['rule_2'] = rule_2_db

        rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
        rule_3_db = Rule.add_or_update(rule_3_db)
        self.resources['rule_3'] = rule_3_db

        # Create some mock roles with associated permission grants
        # Custom role 2 - one grant on parent pack
        # "rule_view" on pack_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_rule_pack_grant',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_rule_pack_grant'] = role_3_db

        # Custom role 4 - one grant on rule
        # "rule_view on rule_3
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_3'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_grant'] = role_4_db

        # Custom role - "rule_all" grant on a parent rule pack
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_rule_all_grant'] = role_4_db

        # Custom role - "rule_all" grant on a rule
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_all_grant'] = role_4_db

        # Custom role - "rule_modify" on role_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_MODIFY])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='custom_role_rule_modify_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['custom_role_rule_modify_grant'] = role_5_db

        # Custom role - "rule_create" grant on pack_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_6_db = RoleDB(name='rule_pack_rule_create_grant',
                           permission_grants=permission_grants)
        role_6_db = Role.add_or_update(role_6_db)
        self.roles['rule_pack_rule_create_grant'] = role_6_db

        # Custom role - "rule_all" grant on pack_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_7_db = RoleDB(name='rule_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_7_db = Role.add_or_update(role_7_db)
        self.roles['rule_pack_rule_all_grant'] = role_7_db

        # Custom role - "rule_create" grant on rule_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_8_db = RoleDB(name='rule_rule_create_grant',
                           permission_grants=permission_grants)
        role_8_db = Role.add_or_update(role_8_db)
        self.roles['rule_rule_create_grant'] = role_8_db

        # Custom role - "rule_all" grant on rule_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_9_db = RoleDB(name='rule_rule_all_grant',
                           permission_grants=permission_grants)
        role_9_db = Role.add_or_update(role_9_db)
        self.roles['rule_rule_all_grant'] = role_9_db

        # Create some mock role assignments
        user_db = self.users['custom_role_rule_pack_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_pack_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_rule_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_modify_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_modify_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_create_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['rule_rule_create_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['rule_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
    def setUp(self):
        super(RuleEnforcementPermissionsResolverTestCase, self).setUp()

        register_internal_trigger_types()

        # Create some mock users
        user_1_db = UserDB(name='1_role_rule_pack_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_rule_pack_grant'] = user_1_db

        user_2_db = UserDB(name='1_role_rule_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_rule_grant'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_rule_all_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_rule_all_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_rule_all_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_rule_modify_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_rule_modify_grant'] = user_5_db

        user_6_db = UserDB(name='rule_pack_rule_create_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['rule_pack_rule_create_grant'] = user_6_db

        user_7_db = UserDB(name='rule_pack_rule_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['rule_pack_rule_all_grant'] = user_7_db

        user_8_db = UserDB(name='rule_rule_create_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['rule_rule_create_grant'] = user_8_db

        user_9_db = UserDB(name='rule_rule_all_grant')
        user_9_db = User.add_or_update(user_9_db)
        self.users['rule_rule_all_grant'] = user_9_db

        user_10_db = UserDB(name='custom_role_rule_list_grant')
        user_10_db = User.add_or_update(user_10_db)
        self.users['custom_role_rule_list_grant'] = user_10_db

        # Create some mock resources on which permissions can be granted
        rule_1_db = RuleDB(pack='test_pack_1', name='rule1', action={'ref': 'core.local'},
                           trigger='core.st2.key_value_pair.create')
        rule_1_db = Rule.add_or_update(rule_1_db)
        self.resources['rule_1'] = rule_1_db

        rule_enforcement_1_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
                                                  execution_id=str(bson.ObjectId()),
                                                  rule={'ref': rule_1_db.ref,
                                                        'uid': rule_1_db.uid,
                                                        'id': str(rule_1_db.id)})
        rule_enforcement_1_db = RuleEnforcement.add_or_update(rule_enforcement_1_db)
        self.resources['rule_enforcement_1'] = rule_enforcement_1_db

        rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
        rule_2_db = Rule.add_or_update(rule_2_db)
        self.resources['rule_2'] = rule_2_db

        rule_enforcement_2_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
                                                  execution_id=str(bson.ObjectId()),
                                                  rule={'ref': rule_2_db.ref,
                                                        'uid': rule_2_db.uid,
                                                        'id': str(rule_2_db.id)})
        rule_enforcement_2_db = RuleEnforcement.add_or_update(rule_enforcement_2_db)
        self.resources['rule_enforcement_2'] = rule_enforcement_2_db

        rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
        rule_3_db = Rule.add_or_update(rule_3_db)
        self.resources['rule_3'] = rule_3_db

        rule_enforcement_3_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
                                                  execution_id=str(bson.ObjectId()),
                                                  rule={'ref': rule_3_db.ref,
                                                        'uid': rule_3_db.uid,
                                                        'id': str(rule_3_db.id)})
        rule_enforcement_3_db = RuleEnforcement.add_or_update(rule_enforcement_3_db)
        self.resources['rule_enforcement_3'] = rule_enforcement_3_db

        # Create some mock roles with associated permission grants
        # Custom role 2 - one grant on parent pack
        # "rule_view" on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_rule_pack_grant',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_rule_pack_grant'] = role_3_db

        # Custom role 4 - one grant on rule
        # "rule_view on rule_3
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_3'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_grant'] = role_4_db

        # Custom role - "rule_all" grant on a parent rule pack
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_rule_all_grant'] = role_4_db

        # Custom role - "rule_all" grant on a rule
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_all_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_all_grant'] = role_4_db

        # Custom role - "rule_modify" on role_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_MODIFY])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='custom_role_rule_modify_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['custom_role_rule_modify_grant'] = role_5_db

        # Custom role - "rule_create" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_6_db = RoleDB(name='rule_pack_rule_create_grant',
                           permission_grants=permission_grants)
        role_6_db = Role.add_or_update(role_6_db)
        self.roles['rule_pack_rule_create_grant'] = role_6_db

        # Custom role - "rule_all" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_7_db = RoleDB(name='rule_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_7_db = Role.add_or_update(role_7_db)
        self.roles['rule_pack_rule_all_grant'] = role_7_db

        # Custom role - "rule_create" grant on rule_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_8_db = RoleDB(name='rule_rule_create_grant',
                           permission_grants=permission_grants)
        role_8_db = Role.add_or_update(role_8_db)
        self.roles['rule_rule_create_grant'] = role_8_db

        # Custom role - "rule_all" grant on rule_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_9_db = RoleDB(name='rule_rule_all_grant',
                           permission_grants=permission_grants)
        role_9_db = Role.add_or_update(role_9_db)
        self.roles['rule_rule_all_grant'] = role_9_db

        # Custom role - "rule_list" grant
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=None,
                                     permission_types=[PermissionType.RULE_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_10_db = RoleDB(name='custom_role_rule_list_grant',
                            permission_grants=permission_grants)
        role_10_db = Role.add_or_update(role_10_db)
        self.roles['custom_role_rule_list_grant'] = role_10_db

        # Create some mock role assignments
        user_db = self.users['custom_role_rule_pack_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_pack_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_grant']
        role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
                                                  role=self.roles['custom_role_rule_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_modify_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_modify_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_create_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_rule_create_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_list_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_list_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Ejemplo n.º 19
0
def setup(service, config, setup_db=True, register_mq_exchanges=True,
          register_signal_handlers=True, register_internal_trigger_types=False,
          run_migrations=True, config_args=None):
    """
    Common setup function.

    Currently it performs the following operations:

    1. Parses config and CLI arguments
    2. Establishes DB connection
    3. Set log level for all the loggers to DEBUG if --debug flag is present
    4. Registers RabbitMQ exchanges
    5. Registers common signal handlers
    6. Register internal trigger types

    :param service: Name of the service.
    :param config: Config object to use to parse args.
    """
    # Set up logger which logs everything which happens during and before config
    # parsing to sys.stdout
    logging.setup(DEFAULT_LOGGING_CONF_PATH)

    # Parse args to setup config.
    if config_args:
        config.parse_args(config_args)
    else:
        config.parse_args()

    config_file_paths = cfg.CONF.config_file
    config_file_paths = [os.path.abspath(path) for path in config_file_paths]
    LOG.debug('Using config files: %s', ','.join(config_file_paths))

    # Setup logging.
    logging_config_path = config.get_logging_config_path()
    logging_config_path = os.path.abspath(logging_config_path)

    LOG.debug('Using logging config: %s', logging_config_path)
    logging.setup(logging_config_path)

    if cfg.CONF.debug:
        set_log_level_for_all_loggers(level=stdlib_logging.DEBUG)

    # All other setup which requires config to be parsed and logging to
    # be correctly setup.
    if setup_db:
        db_setup()

    if cfg.CONF.debug or cfg.CONF.profile:
        enable_profiling()

    if register_mq_exchanges:
        register_exchanges()

    if register_signal_handlers:
        register_common_signal_handlers()

    if register_internal_trigger_types:
        triggers.register_internal_trigger_types()

    # TODO: This is a "not so nice" workaround until we have a proper migration system in place
    if run_migrations:
        run_all_rbac_migrations()

    if cfg.CONF.rbac.enable and not cfg.CONF.auth.enable:
        msg = ('Authentication is not enabled. RBAC only works when authentication is enabled.'
               'You can either enable authentication or disable RBAC.')
        raise Exception(msg)
Ejemplo n.º 20
0
def setup(
    config,
    setup_db=True,
    register_mq_exchanges=True,
    register_internal_trigger_types=False,
    ignore_register_config_opts_errors=False,
):
    """
    Common setup function.

    Currently it performs the following operations:

    1. Parses config and CLI arguments
    2. Establishes DB connection
    3. Suppress DEBUG log level if --verbose flag is not used
    4. Registers RabbitMQ exchanges
    5. Registers internal trigger types (optional, disabled by default)

    :param config: Config object to use to parse args.
    """
    # Register common CLI options
    register_common_cli_options()

    # Parse args to setup config
    # NOTE: This code is not the best, but it's only realistic option we have at this point.
    # Refactoring all the code and config modules to avoid import time side affects would be a big
    # rabbit hole. Luckily registering same options twice is not really a big deal or fatal error
    # so we simply ignore such errors.
    if config.__name__ == "st2common.config" and ignore_register_config_opts_errors:
        config.parse_args(ignore_errors=True)
    else:
        config.parse_args()

    if cfg.CONF.debug:
        cfg.CONF.verbose = True

    # Set up logging
    log_level = stdlib_logging.DEBUG
    stdlib_logging.basicConfig(
        format="%(asctime)s %(levelname)s [-] %(message)s", level=log_level)

    if not cfg.CONF.verbose:
        # Note: We still want to print things at the following log levels: INFO, ERROR, CRITICAL
        exclude_log_levels = [stdlib_logging.AUDIT, stdlib_logging.DEBUG]
        handlers = stdlib_logging.getLoggerClass().manager.root.handlers

        for handler in handlers:
            handler.addFilter(LogLevelFilter(log_levels=exclude_log_levels))

        # NOTE: statsd logger logs everything by default under INFO so we ignore those log
        # messages unless verbose / debug mode is used
        logging.ignore_statsd_log_messages()

    logging.ignore_lib2to3_log_messages()

    # All other setup code which requires config to be parsed and logging to be correctly setup
    if setup_db:
        db_setup()

    if register_mq_exchanges:
        register_exchanges_with_retry()

    if register_internal_trigger_types:
        triggers.register_internal_trigger_types()