def add_rule(policy_id, meta_rule_id, value=None): from python_moondb.core import PolicyManager if not value: meta_rule = meta_rule_helper.get_meta_rules(meta_rule_id) sub_cat_id = meta_rule[meta_rule_id]['subject_categories'][0] ob_cat_id = meta_rule[meta_rule_id]['object_categories'][0] act_cat_id = meta_rule[meta_rule_id]['action_categories'][0] subject_data_id = mock_data.create_subject_data(policy_id=policy_id, category_id=sub_cat_id) object_data_id = mock_data.create_object_data(policy_id=policy_id, category_id=ob_cat_id) action_data_id = mock_data.create_action_data(policy_id=policy_id, category_id=act_cat_id) value = { "rule": (subject_data_id, object_data_id, action_data_id), "instructions": ({ "decision": "grant" }), "enabled": "", } return PolicyManager.add_rule("", policy_id, meta_rule_id, value)
def delete(self, uuid=None, perimeter_id=None, user_id=None): """Delete a subject for a given policy :param uuid: uuid of the policy (mandatory if perimeter_id is not set) :param perimeter_id: uuid of the subject (mandatory if uuid is not set) :param user_id: user ID who do the request :return: { "subject_id": { "name": "name of the subject", "keystone_id": "keystone id of the subject", "description": "description of the subject (optional)", "password": "******", "email": "email address of the subject (optional)" } } :internal_api: delete_subject """ data = PolicyManager.delete_subject(user_id=user_id, policy_id=uuid, perimeter_id=perimeter_id) return {"result": True}
def patch(self, uuid=None, user_id=None): """Update a policy :param uuid: uuid of the policy to update :param user_id: user ID who do the request :return: { "policy_id1": { "name": "...", "model_id": "...", "genre": "...", "description": "...", } } :internal_api: update_policy """ try: data = PolicyManager.update_policy(user_id=user_id, policy_id=uuid, value=request.json) except Exception as e: logger.error(e, exc_info=True) return {"result": False, "error": str(e)}, 500 return {"policies": data}
def patch(self, uuid=None, perimeter_id=None, user_id=None): """Create or update a action. :param uuid: uuid of the policy :param perimeter_id: must not be used here :param user_id: user ID who do the request :request body: { "name": "name of the action", "description": "description of the action (optional)" } :return: { "action_id": { "name": "name of the action", "description": "description of the action (optional)" } } :internal_api: set_action """ data = PolicyManager.update_action(user_id=user_id, perimeter_id=perimeter_id, value=request.json) return {"actions": data}
def get(self, uuid=None, perimeter_id=None, user_id=None): """Retrieve all actions or a specific one if perimeter_id is given for a given policy :param uuid: uuid of the policy :param perimeter_id: uuid of the action :param user_id: user ID who do the request :return: { "action_id": { "name": "name of the action", "description": "description of the action" } } :internal_api: get_actions """ try: data = PolicyManager.get_actions(user_id=user_id, policy_id=uuid, perimeter_id=perimeter_id) except Exception as e: logger.error(e, exc_info=True) return {"result": False, "error": str(e)}, 500 return {"actions": data}
def post(self, uuid=None, perimeter_id=None, category_id=None, data_id=None, user_id=None): """Create a subject assignment. :param uuid: uuid of the policy :param perimeter_id: uuid of the subject (not used here) :param category_id: uuid of the subject category (not used here) :param data_id: uuid of the subject scope (not used here) :param user_id: user ID who do the request :request body: { "id": "UUID of the subject", "category_id": "UUID of the category" "data_id": "UUID of the scope" } :return: { "subject_data_id": { "policy_id": "ID of the policy", "subject_id": "ID of the subject", "category_id": "ID of the category", "assignments": "Assignments list (list of data_id)", } } :internal_api: update_subject_assignment """ try: data_id = request.json.get("data_id") category_id = request.json.get("category_id") perimeter_id = request.json.get("id") data = PolicyManager.add_subject_assignment( user_id=user_id, policy_id=uuid, subject_id=perimeter_id, category_id=category_id, data_id=data_id) except Exception as e: logger.error(e, exc_info=True) return {"result": False, "error": str(e)}, 500 return {"subject_assignments": data}
def post(self, uuid=None, perimeter_id=None, user_id=None): """Create or update a object. :param uuid: uuid of the policy :param perimeter_id: must not be used here :param user_id: user ID who do the request :request body: { "object_name": "name of the object (mandatory)", "object_description": "description of the object (optional)" } :return: { "object_id": { "name": "name of the object", "description": "description of the object (optional)" } } :internal_api: set_object """ data = PolicyManager.add_object(user_id=user_id, policy_id=uuid, perimeter_id=perimeter_id, value=request.json) return {"objects": data}
def get_policies(): from python_moondb.core import PolicyManager return PolicyManager.get_policies("admin")
def delete_subject_data(policy_id, data_id): from python_moondb.core import PolicyManager PolicyManager.delete_subject_data("", policy_id, data_id)
def get_subjects(policy_id, perimeter_id=None): from python_moondb.core import PolicyManager return PolicyManager.get_subjects("", policy_id, perimeter_id)
def delete_rule(policy_id=None, rule_id=None): from python_moondb.core import PolicyManager PolicyManager.delete_rule("", policy_id, rule_id)
def delete_subject_assignment(policy_id, subject_id, category_id, data_id): from python_moondb.core import PolicyManager PolicyManager.delete_subject_assignment("", policy_id, subject_id, category_id, data_id)
def add_action_data(policy_id, data_id=None, category_id=None, value=None): from python_moondb.core import PolicyManager return PolicyManager.add_action_data("", policy_id, data_id, category_id, value)
def delete_action_data(policy_id, data_id): from python_moondb.core import PolicyManager PolicyManager.delete_action_data("", policy_id=policy_id, data_id=data_id)
def update_policy(policy_id, value): from python_moondb.core import PolicyManager return PolicyManager.update_policy("admin", policy_id, value)
def _import_rules(self, json_rules): if not isinstance(json_rules, list): raise InvalidJson("rules shall be a list!") for json_rule in json_rules: json_to_use = dict() JsonUtils.copy_field_if_exists(json_rule, json_to_use, "instructions", str) JsonUtils.copy_field_if_exists(json_rule, json_to_use, "enabled", bool, default_value=True) json_ids = dict() JsonUtils.convert_name_to_id(json_rule, json_ids, "policy", "policy_id", "policy", PolicyManager, self._user_id) JsonUtils.convert_name_to_id(json_rule, json_to_use, "meta_rule", "meta_rule_id", "meta_rule", ModelManager, self._user_id) json_subject_ids = dict() json_object_ids = dict() json_action_ids = dict() JsonUtils.convert_names_to_ids(json_rule["rule"], json_subject_ids, "subject_data", "subject", "subject_data", PolicyManager, self._user_id, json_ids["policy_id"]) JsonUtils.convert_names_to_ids(json_rule["rule"], json_object_ids, "object_data", "object", "object_data", PolicyManager, self._user_id, json_ids["policy_id"]) JsonUtils.convert_names_to_ids(json_rule["rule"], json_action_ids, "action_data", "action", "action_data", PolicyManager, self._user_id, json_ids["policy_id"]) meta_rule = ModelManager.get_meta_rules( self._user_id, json_to_use["meta_rule_id"]) meta_rule = [v for v in meta_rule.values()] meta_rule = meta_rule[0] json_to_use_rule = self._reorder_rules_ids( json_rule, meta_rule["subject_categories"], json_subject_ids["subject"], json_ids["policy_id"], PolicyManager.get_subject_data) json_to_use_rule = json_to_use_rule + self._reorder_rules_ids( json_rule, meta_rule["object_categories"], json_object_ids["object"], json_ids["policy_id"], PolicyManager.get_object_data) json_to_use_rule = json_to_use_rule + self._reorder_rules_ids( json_rule, meta_rule["action_categories"], json_action_ids["action"], json_ids["policy_id"], PolicyManager.get_action_data) json_to_use["rule"] = json_to_use_rule try: logger.debug("Adding / updating a rule from json {}".format( json_to_use)) PolicyManager.add_rule(self._user_id, json_ids["policy_id"], json_to_use["meta_rule_id"], json_to_use) except exceptions.RuleExisting: pass except exceptions.PolicyUnknown: raise UnknownPolicy("Unknown policy with id {}".format( json_ids["policy_id"]))
def add_subject(policy_id, perimeter_id=None, value=None): from python_moondb.core import PolicyManager return PolicyManager.add_subject("", policy_id, perimeter_id, value)
def _import_policies(self, json_policies): policy_mandatory_ids = [] if not isinstance(json_policies, list): raise InvalidJson("policies shall be a list!") for json_policy in json_policies: # TODO put this in moondb # policy_in_db = PolicyManager.get_policies_by_name(json_without_model_name["name"]) policies = PolicyManager.get_policies(self._user_id) policy_in_db = None policy_id = None for policy_key in policies: if policies[policy_key]["name"] == json_policy["name"]: policy_in_db = policies[policy_key] policy_id = policy_key # end TODO if policy_in_db is None: policy_does_exist = False else: policy_does_exist = True policy_override = JsonUtils.get_override(json_policy) policy_mandatory = JsonUtils.get_mandatory(json_policy) if policy_override is False and policy_does_exist: if policy_id: policy_mandatory_ids.append(policy_id) logger.warning( "Existing policy not updated because of the override option is not set !" ) continue json_without_model_name = dict() JsonUtils.copy_field_if_exists(json_policy, json_without_model_name, "name", str) JsonUtils.copy_field_if_exists(json_policy, json_without_model_name, "description", str) JsonUtils.copy_field_if_exists(json_policy, json_without_model_name, "genre", str) JsonUtils.convert_name_to_id(json_policy, json_without_model_name, "model", "model_id", "model", ModelManager, self._user_id, field_mandatory=False) if not policy_does_exist: logger.debug( "Creating policy {} ".format(json_without_model_name)) added_policy = PolicyManager.add_policy( self._user_id, None, json_without_model_name) if policy_mandatory is True: keys = list(added_policy.keys()) policy_mandatory_ids.append(keys[0]) elif policy_override is True: logger.debug( "Updating policy {} ".format(json_without_model_name)) updated_policy = PolicyManager.update_policy( self._user_id, policy_id, json_without_model_name) if policy_mandatory is True: policy_mandatory_ids.append(policy_id) return policy_mandatory_ids
def _import_subject_object_action_assignments(self, json_item_assignments, type_element): import_method = getattr(PolicyManager, 'add_' + type_element + '_assignment') get_method = getattr(PolicyManager, 'get_' + type_element + '_data') if not isinstance(json_item_assignments, list): raise InvalidJson(type_element + " assignments shall be a list!") # get the policy id related to the user policies = PolicyManager.get_policies(self._user_id) for json_item_assignment in json_item_assignments: item_override = JsonUtils.get_override(json_item_assignment) if item_override is True: raise ForbiddenOverride( "{} assignments do not support override flag !".format( type_element)) json_assignment = dict() JsonUtils.convert_name_to_id(json_item_assignment, json_assignment, "category", "category_id", type_element + "_category", ModelManager, self._user_id) has_found_data = False # loop over policies for policy_id in policies: json_data = dict() try: JsonUtils.convert_name_to_id(json_item_assignment, json_assignment, type_element, "id", type_element, PolicyManager, self._user_id, policy_id) JsonUtils.convert_names_to_ids( json_item_assignment, json_data, "assignments", "data_id", type_element + "_data", PolicyManager, self._user_id, policy_id, json_assignment["category_id"]) has_found_data = True except UnknownName: # the category or data has not been found in this policy : we look into the next one continue for data_id in json_data["data_id"]: # find the policy related to the current data data = get_method(self._user_id, policy_id, data_id, json_assignment["category_id"]) if data is not None and len(data) == 1: logger.debug( "Adding / updating a {} assignment from json {}". format(type_element, json_assignment)) import_method(self._user_id, policy_id, json_assignment["id"], json_assignment["category_id"], data_id) else: raise UnknownData( "Unknown data with id {}".format(data_id)) # case the data has not been found in any policies if has_found_data is False: raise InvalidJson( "The json contains unknown {} data or category : {}". format(type_element, json_item_assignment))
def get_available_metadata(policy_id): from python_moondb.core import PolicyManager return PolicyManager.get_available_metadata("", policy_id)
def get_action_data(policy_id, data_id=None, category_id=None): from python_moondb.core import PolicyManager return PolicyManager.get_action_data("", policy_id, data_id, category_id)
def get_policy_from_meta_rules(meta_rule_id): from python_moondb.core import PolicyManager return PolicyManager.get_policy_from_meta_rules("admin", meta_rule_id)
def get_subject_assignments(policy_id, subject_id=None, category_id=None): from python_moondb.core import PolicyManager return PolicyManager.get_subject_assignments("", policy_id, subject_id, category_id)
def get_rules(policy_id=None, meta_rule_id=None, rule_id=None): from python_moondb.core import PolicyManager return PolicyManager.get_rules("", policy_id, meta_rule_id, rule_id)
def add_action_assignment(policy_id, action_id, category_id, data_id): from python_moondb.core import PolicyManager return PolicyManager.add_action_assignment("", policy_id, action_id, category_id, data_id)
def delete_subject(policy_id, perimeter_id): from python_moondb.core import PolicyManager PolicyManager.delete_subject("", policy_id, perimeter_id)