def _update_enforcement(self, enforcement_db):
try:
RuleEnforcement.add_or_update(enforcement_db)
except:
extra = {'enforcement_db': enforcement_db}
LOG.exception('Failed writing enforcement model to db.',
extra=extra)
def test_rule_enforcement_is_created_on_exception_2(self):
# 1. Exception in payload_lookup.get_value
rule_enforcement_dbs = list(RuleEnforcement.get_all())
self.assertEqual(rule_enforcement_dbs, [])
self._setup_sample_trigger('st2.test.trigger4')
rule_4_db = self._setup_sample_rule(RULE_4)
rules = [rule_4_db]
trigger_instance = container_utils.create_trigger_instance(
'dummy_pack_1.st2.test.trigger4', {
'k1': 't2_p_v',
'k2': 'v2'
}, date_utils.get_datetime_utc_now())
trigger = get_trigger_db_by_ref(trigger_instance.trigger)
rules_matcher = RulesMatcher(trigger_instance, trigger, rules)
matching_rules = rules_matcher.get_matching_rules()
self.assertEqual(matching_rules, [])
self.assertEqual(len(matching_rules), 0)
rule_enforcement_dbs = list(RuleEnforcement.get_all())
self.assertEqual(len(rule_enforcement_dbs), 1)
expected_failure = (
'Failed to match rule "yoyohoneysingh.st2.test.rule4" against trigger '
'instance "%s": Failed transforming criteria key trigger.k1: '
'exception in get_value' % (str(trigger_instance.id)))
self.assertEqual(rule_enforcement_dbs[0].failure_reason,
expected_failure)
self.assertEqual(rule_enforcement_dbs[0].trigger_instance_id,
str(trigger_instance.id))
self.assertEqual(rule_enforcement_dbs[0].rule['id'], str(rule_4_db.id))
self.assertEqual(rule_enforcement_dbs[0].status,
RULE_ENFORCEMENT_STATUS_FAILED)
def _create_rule_enforcement(self, failure_reason, exc):
"""
Note: We also create RuleEnforcementDB for rules which failed to match due to an exception.
Without that, only way for users to find out about those failes matches is by inspecting
the logs.
"""
failure_reason = (
'Failed to match rule "%s" against trigger instance "%s": %s: %s' %
(self.rule.ref, str(
self.trigger_instance.id), failure_reason, str(exc)))
rule_spec = {
'ref': self.rule.ref,
'id': str(self.rule.id),
'uid': self.rule.uid
}
enforcement_db = RuleEnforcementDB(
trigger_instance_id=str(self.trigger_instance.id),
rule=rule_spec,
failure_reason=failure_reason,
status=RULE_ENFORCEMENT_STATUS_FAILED)
try:
RuleEnforcement.add_or_update(enforcement_db)
except:
extra = {'enforcement_db': enforcement_db}
LOG.exception('Failed writing enforcement model to db.',
extra=extra)
return enforcement_db
def test_rule_enforcement_is_created_on_exception_3(self):
# 1. Exception in payload_lookup.get_value
rule_enforcement_dbs = list(RuleEnforcement.get_all())
self.assertEqual(rule_enforcement_dbs, [])
self._setup_sample_trigger('st2.test.trigger4')
rule_4_db = self._setup_sample_rule(RULE_4)
rules = [rule_4_db]
trigger_instance = container_utils.create_trigger_instance(
'dummy_pack_1.st2.test.trigger4',
{'k1': 't2_p_v', 'k2': 'v2'},
date_utils.get_datetime_utc_now()
)
trigger = get_trigger_db_by_ref(trigger_instance.trigger)
rules_matcher = RulesMatcher(trigger_instance, trigger, rules)
matching_rules = rules_matcher.get_matching_rules()
self.assertEqual(matching_rules, [])
self.assertEqual(len(matching_rules), 0)
rule_enforcement_dbs = list(RuleEnforcement.get_all())
self.assertEqual(len(rule_enforcement_dbs), 1)
expected_failure = ('Failed to match rule "yoyohoneysingh.st2.test.rule4" against trigger '
'instance "%s": There might be a problem with the criteria in rule '
'yoyohoneysingh.st2.test.rule4: exception in equals' %
(str(trigger_instance.id)))
self.assertEqual(rule_enforcement_dbs[0].failure_reason, expected_failure)
self.assertEqual(rule_enforcement_dbs[0].trigger_instance_id, str(trigger_instance.id))
self.assertEqual(rule_enforcement_dbs[0].rule['id'], str(rule_4_db.id))
self.assertEqual(rule_enforcement_dbs[0].status, RULE_ENFORCEMENT_STATUS_FAILED)
def test_rule_enforcement_is_created_on_exception_3(self):
# 1. Exception in payload_lookup.get_value
rule_enforcement_dbs = list(RuleEnforcement.get_all())
self.assertEqual(rule_enforcement_dbs, [])
self._setup_sample_trigger("st2.test.trigger4")
rule_4_db = self._setup_sample_rule(RULE_4)
rules = [rule_4_db]
trigger_instance = container_utils.create_trigger_instance(
"dummy_pack_1.st2.test.trigger4",
{"k1": "t2_p_v", "k2": "v2"},
date_utils.get_datetime_utc_now(),
)
trigger = get_trigger_db_by_ref(trigger_instance.trigger)
rules_matcher = RulesMatcher(trigger_instance, trigger, rules)
matching_rules = rules_matcher.get_matching_rules()
self.assertEqual(matching_rules, [])
self.assertEqual(len(matching_rules), 0)
rule_enforcement_dbs = list(RuleEnforcement.get_all())
self.assertEqual(len(rule_enforcement_dbs), 1)
expected_failure = (
'Failed to match rule "yoyohoneysingh.st2.test.rule4" against trigger '
'instance "%s": There might be a problem with the criteria in rule '
"yoyohoneysingh.st2.test.rule4: exception in equals"
% (str(trigger_instance.id))
)
self.assertEqual(rule_enforcement_dbs[0].failure_reason, expected_failure)
self.assertEqual(
rule_enforcement_dbs[0].trigger_instance_id, str(trigger_instance.id)
)
self.assertEqual(rule_enforcement_dbs[0].rule["id"], str(rule_4_db.id))
self.assertEqual(rule_enforcement_dbs[0].status, RULE_ENFORCEMENT_STATUS_FAILED)
def test_status_set_to_failed_for_objects_which_predate_status_field(self):
rule = {"ref": "foo_pack.foo_rule", "uid": "rule:foo_pack:foo_rule"}
# 1. No status field explicitly set and no failure reason
enforcement_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()),
)
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status,
RULE_ENFORCEMENT_STATUS_SUCCEEDED)
# 2. No status field, with failure reason, status should be set to failed
enforcement_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()),
failure_reason="so much fail",
)
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status, RULE_ENFORCEMENT_STATUS_FAILED)
# 3. Explcit status field - succeeded + failure reasun
enforcement_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()),
status=RULE_ENFORCEMENT_STATUS_SUCCEEDED,
failure_reason="so much fail",
)
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status, RULE_ENFORCEMENT_STATUS_FAILED)
# 4. Explcit status field - succeeded + no failure reasun
enforcement_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()),
status=RULE_ENFORCEMENT_STATUS_SUCCEEDED,
)
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status,
RULE_ENFORCEMENT_STATUS_SUCCEEDED)
# 5. Explcit status field - failed + no failure reasun
enforcement_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()),
status=RULE_ENFORCEMENT_STATUS_FAILED,
)
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status, RULE_ENFORCEMENT_STATUS_FAILED)
def test_purge(self):
now = date_utils.get_datetime_utc_now()
TestPurgeRuleEnforcement._create_save_rule_enforcement(
enforced_at=now - timedelta(days=20), )
TestPurgeRuleEnforcement._create_save_rule_enforcement(
enforced_at=now - timedelta(days=5), )
self.assertEqual(len(RuleEnforcement.get_all()), 2)
purge_rule_enforcements(logger=LOG, timestamp=now - timedelta(days=10))
self.assertEqual(len(RuleEnforcement.get_all()), 1)
def test_status_set_to_failed_for_objects_which_predate_status_field(self):
rule = {
'ref': 'foo_pack.foo_rule',
'uid': 'rule:foo_pack:foo_rule'
}
# 1. No status field explicitly set and no failure reason
enforcement_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()))
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status, RULE_ENFORCEMENT_STATUS_SUCCEEDED)
# 2. No status field, with failure reason, status should be set to failed
enforcement_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()),
failure_reason='so much fail')
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status, RULE_ENFORCEMENT_STATUS_FAILED)
# 3. Explcit status field - succeeded + failure reasun
enforcement_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()),
status=RULE_ENFORCEMENT_STATUS_SUCCEEDED,
failure_reason='so much fail')
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status, RULE_ENFORCEMENT_STATUS_FAILED)
# 4. Explcit status field - succeeded + no failure reasun
enforcement_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()),
status=RULE_ENFORCEMENT_STATUS_SUCCEEDED)
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status, RULE_ENFORCEMENT_STATUS_SUCCEEDED)
# 5. Explcit status field - failed + no failure reasun
enforcement_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
rule=rule,
execution_id=str(bson.ObjectId()),
status=RULE_ENFORCEMENT_STATUS_FAILED)
enforcement_db = RuleEnforcement.add_or_update(enforcement_db)
self.assertEqual(enforcement_db.status, RULE_ENFORCEMENT_STATUS_FAILED)
def test_no_timestamp_doesnt_delete(self):
now = date_utils.get_datetime_utc_now()
TestPurgeRuleEnforcement._create_save_rule_enforcement(
enforced_at=now - timedelta(days=20), )
self.assertEqual(len(RuleEnforcement.get_all()), 1)
expected_msg = "Specify a valid timestamp"
self.assertRaisesRegexp(
ValueError,
expected_msg,
purge_rule_enforcements,
logger=LOG,
timestamp=None,
)
self.assertEqual(len(RuleEnforcement.get_all()), 1)
def purge_rule_enforcements(logger, timestamp):
"""
:param timestamp: Rule enforcement instances older than this timestamp will be deleted.
:type timestamp: ``datetime.datetime
"""
if not timestamp:
raise ValueError("Specify a valid timestamp to purge.")
logger.info("Purging rule enforcements older than timestamp: %s" %
timestamp.strftime("%Y-%m-%dT%H:%M:%S.%fZ"))
query_filters = {"enforced_at__lt": isotime.parse(timestamp)}
try:
deleted_count = RuleEnforcement.delete_by_query(**query_filters)
except InvalidQueryError as e:
msg = ("Bad query (%s) used to delete rule enforcements: %s"
"Please contact support." % (
query_filters,
six.text_type(e),
))
raise InvalidQueryError(msg)
except:
logger.exception(
"Deleting rule enforcements using query_filters %s failed.",
query_filters)
else:
logger.info("Deleted %s rule enforcement objects" % (deleted_count))
# Print stats
logger.info(
"All rule enforcement models older than timestamp %s were deleted.",
timestamp)
def _create_save_rule_enforcement():
created = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
rule={
'ref': 'foo_pack.foo_rule',
'uid': 'rule:foo_pack:foo_rule'
},
execution_id=str(bson.ObjectId()))
return RuleEnforcement.add_or_update(created)
def _create_save_rule_enforcement():
created = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
rule={
"ref": "foo_pack.foo_rule",
"uid": "rule:foo_pack:foo_rule"
},
execution_id=str(bson.ObjectId()),
)
return RuleEnforcement.add_or_update(created)
def test_ruleenforcment_crud(self):
saved = RuleEnforcementModelTest._create_save_rule_enforcement()
retrieved = RuleEnforcement.get_by_id(saved.id)
self.assertEqual(saved.rule.ref, retrieved.rule.ref,
'Same rule enforcement was not returned.')
self.assertTrue(retrieved.enforced_at is not None)
# test update
RULE_ID = str(bson.ObjectId())
self.assertEqual(retrieved.rule.id, None)
retrieved.rule.id = RULE_ID
saved = RuleEnforcement.add_or_update(retrieved)
retrieved = RuleEnforcement.get_by_id(saved.id)
self.assertEqual(retrieved.rule.id, RULE_ID,
'Update to rule enforcement failed.')
# cleanup
RuleEnforcementModelTest._delete([retrieved])
try:
retrieved = RuleEnforcement.get_by_id(saved.id)
except StackStormDBObjectNotFoundError:
retrieved = None
self.assertIsNone(retrieved, 'managed to retrieve after delete.')
def test_ruleenforcment_crud(self):
saved = RuleEnforcementModelTest._create_save_rule_enforcement()
retrieved = RuleEnforcement.get_by_id(saved.id)
self.assertEqual(saved.rule.ref, retrieved.rule.ref,
'Same rule enforcement was not returned.')
self.assertTrue(retrieved.enforced_at is not None)
# test update
RULE_ID = str(bson.ObjectId())
self.assertEqual(retrieved.rule.id, None)
retrieved.rule.id = RULE_ID
saved = RuleEnforcement.add_or_update(retrieved)
retrieved = RuleEnforcement.get_by_id(saved.id)
self.assertEqual(retrieved.rule.id, RULE_ID,
'Update to rule enforcement failed.')
# cleanup
RuleEnforcementModelTest._delete([retrieved])
try:
retrieved = RuleEnforcement.get_by_id(saved.id)
except ValueError:
retrieved = None
self.assertIsNone(retrieved, 'managed to retrieve after delete.')
def _create_rule_enforcement(self, failure_reason, exc):
"""
Note: We also create RuleEnforcementDB for rules which failed to match due to an exception.
Without that, only way for users to find out about those failes matches is by inspecting
the logs.
"""
failure_reason = ('Failed to match rule "%s" against trigger instance "%s": %s: %s' %
(self.rule.ref, str(self.trigger_instance.id), failure_reason, str(exc)))
rule_spec = {'ref': self.rule.ref, 'id': str(self.rule.id), 'uid': self.rule.uid}
enforcement_db = RuleEnforcementDB(trigger_instance_id=str(self.trigger_instance.id),
rule=rule_spec,
failure_reason=failure_reason,
status=RULE_ENFORCEMENT_STATUS_FAILED)
try:
RuleEnforcement.add_or_update(enforcement_db)
except:
extra = {'enforcement_db': enforcement_db}
LOG.exception('Failed writing enforcement model to db.', extra=extra)
return enforcement_db
def _update_enforcement(self, enforcement_db):
try:
RuleEnforcement.add_or_update(enforcement_db)
except:
extra = {'enforcement_db': enforcement_db}
LOG.exception('Failed writing enforcement model to db.', extra=extra)
def setUp(self):
super(RuleEnforcementPermissionsResolverTestCase, self).setUp()
register_internal_trigger_types()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
user_6_db = UserDB(name='rule_pack_rule_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['rule_pack_rule_create_grant'] = user_6_db
user_7_db = UserDB(name='rule_pack_rule_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['rule_pack_rule_all_grant'] = user_7_db
user_8_db = UserDB(name='rule_rule_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['rule_rule_create_grant'] = user_8_db
user_9_db = UserDB(name='rule_rule_all_grant')
user_9_db = User.add_or_update(user_9_db)
self.users['rule_rule_all_grant'] = user_9_db
user_10_db = UserDB(name='custom_role_rule_list_grant')
user_10_db = User.add_or_update(user_10_db)
self.users['custom_role_rule_list_grant'] = user_10_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1', name='rule1', action={'ref': 'core.local'},
trigger='core.st2.key_value_pair.create')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_enforcement_1_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={'ref': rule_1_db.ref,
'uid': rule_1_db.uid,
'id': str(rule_1_db.id)})
rule_enforcement_1_db = RuleEnforcement.add_or_update(rule_enforcement_1_db)
self.resources['rule_enforcement_1'] = rule_enforcement_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_enforcement_2_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={'ref': rule_2_db.ref,
'uid': rule_2_db.uid,
'id': str(rule_2_db.id)})
rule_enforcement_2_db = RuleEnforcement.add_or_update(rule_enforcement_2_db)
self.resources['rule_enforcement_2'] = rule_enforcement_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
rule_enforcement_3_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={'ref': rule_3_db.ref,
'uid': rule_3_db.uid,
'id': str(rule_3_db.id)})
rule_enforcement_3_db = RuleEnforcement.add_or_update(rule_enforcement_3_db)
self.resources['rule_enforcement_3'] = rule_enforcement_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Custom role - "rule_create" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='rule_pack_rule_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['rule_pack_rule_create_grant'] = role_6_db
# Custom role - "rule_all" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='rule_pack_rule_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['rule_pack_rule_all_grant'] = role_7_db
# Custom role - "rule_create" grant on rule_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='rule_rule_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['rule_rule_create_grant'] = role_8_db
# Custom role - "rule_all" grant on rule_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_9_db = RoleDB(name='rule_rule_all_grant',
permission_grants=permission_grants)
role_9_db = Role.add_or_update(role_9_db)
self.roles['rule_rule_all_grant'] = role_9_db
# Custom role - "rule_list" grant
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=None,
permission_types=[PermissionType.RULE_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_10_db = RoleDB(name='custom_role_rule_list_grant',
permission_grants=permission_grants)
role_10_db = Role.add_or_update(role_10_db)
self.roles['custom_role_rule_list_grant'] = role_10_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
role=self.roles['custom_role_rule_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_list_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(RuleEnforcementPermissionsResolverTestCase, self).setUp()
register_internal_trigger_types()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
user_6_db = UserDB(name='rule_pack_rule_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['rule_pack_rule_create_grant'] = user_6_db
user_7_db = UserDB(name='rule_pack_rule_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['rule_pack_rule_all_grant'] = user_7_db
user_8_db = UserDB(name='rule_rule_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['rule_rule_create_grant'] = user_8_db
user_9_db = UserDB(name='rule_rule_all_grant')
user_9_db = User.add_or_update(user_9_db)
self.users['rule_rule_all_grant'] = user_9_db
user_10_db = UserDB(name='custom_role_rule_list_grant')
user_10_db = User.add_or_update(user_10_db)
self.users['custom_role_rule_list_grant'] = user_10_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1',
name='rule1',
action={'ref': 'core.local'},
trigger='core.st2.key_value_pair.create')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_enforcement_1_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={
'ref': rule_1_db.ref,
'uid': rule_1_db.uid,
'id': str(rule_1_db.id)
})
rule_enforcement_1_db = RuleEnforcement.add_or_update(
rule_enforcement_1_db)
self.resources['rule_enforcement_1'] = rule_enforcement_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_enforcement_2_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={
'ref': rule_2_db.ref,
'uid': rule_2_db.uid,
'id': str(rule_2_db.id)
})
rule_enforcement_2_db = RuleEnforcement.add_or_update(
rule_enforcement_2_db)
self.resources['rule_enforcement_2'] = rule_enforcement_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
rule_enforcement_3_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={
'ref': rule_3_db.ref,
'uid': rule_3_db.uid,
'id': str(rule_3_db.id)
})
rule_enforcement_3_db = RuleEnforcement.add_or_update(
rule_enforcement_3_db)
self.resources['rule_enforcement_3'] = rule_enforcement_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Custom role - "rule_create" grant on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='rule_pack_rule_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['rule_pack_rule_create_grant'] = role_6_db
# Custom role - "rule_all" grant on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='rule_pack_rule_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['rule_pack_rule_all_grant'] = role_7_db
# Custom role - "rule_create" grant on rule_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='rule_rule_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['rule_rule_create_grant'] = role_8_db
# Custom role - "rule_all" grant on rule_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_9_db = RoleDB(name='rule_rule_all_grant',
permission_grants=permission_grants)
role_9_db = Role.add_or_update(role_9_db)
self.roles['rule_rule_all_grant'] = role_9_db
# Custom role - "rule_list" grant
grant_db = PermissionGrantDB(
resource_uid=None,
resource_type=None,
permission_types=[PermissionType.RULE_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_10_db = RoleDB(name='custom_role_rule_list_grant',
permission_grants=permission_grants)
role_10_db = Role.add_or_update(role_10_db)
self.roles['custom_role_rule_list_grant'] = role_10_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_rule_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['rule_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['rule_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_list_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def _create_save_rule_enforcement():
created = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
rule={'ref': 'foo_pack.foo_rule',
'uid': 'rule:foo_pack:foo_rule'},
execution_id=str(bson.ObjectId()))
return RuleEnforcement.add_or_update(created)
