def post(self, uuid=None, rule_id=None, user_id=None):
"""Add a rule to a meta rule
:param uuid: policy ID
:param rule_id: rule ID
:param user_id: user ID who do the request
:request body: post = {
"meta_rule_id": "meta_rule_id1",
"rule": ["subject_data_id2", "object_data_id2", "action_data_id2"],
"instructions": (
{"decision": "grant"},
)
"enabled": True
}
:return: {
"rules": [
"meta_rule_id": "meta_rule_id1",
"rule_id1": {
"rule": ["subject_data_id1",
"object_data_id1",
"action_data_id1"],
"instructions": (
{"decision": "grant"},
# "grant" to immediately exit,
# "continue" to wait for the result of next policy
# "deny" to deny the request
)
}
"rule_id2": {
"rule": ["subject_data_id2",
"object_data_id2",
"action_data_id2"],
"instructions": (
{
"update": {
"operation": "add",
# operations may be "add" or "delete"
"target": "rbac:role:admin"
# add the role admin to the current user
}
},
{"chain": {"name": "rbac"}}
# chain with the policy named rbac
)
}
]
}
:internal_api: add_rule
"""
args = request.json
try:
data = PolicyManager.add_rule(user_id=user_id,
policy_id=uuid,
meta_rule_id=args['meta_rule_id'],
value=args)
except Exception as e:
logger.error(e, exc_info=True)
return {"result": False,
"error": str(e)}, 500
return {"rules": data}
def add_rule(policy_id=None, meta_rule_id=None, value=None):
from python_moondb.core import PolicyManager
if not value:
value = {
"rule": ("high", "medium", "vm-action"),
"instructions": ({
"decision": "grant"
}),
"enabled": "",
}
return PolicyManager.add_rule("", policy_id, meta_rule_id, value)
def add_rule(policy_id, meta_rule_id, value=None):
from python_moondb.core import PolicyManager
if not value:
meta_rule = meta_rule_helper.get_meta_rules(meta_rule_id)
sub_cat_id = meta_rule[meta_rule_id]['subject_categories'][0]
ob_cat_id = meta_rule[meta_rule_id]['object_categories'][0]
act_cat_id = meta_rule[meta_rule_id]['action_categories'][0]
subject_data_id = mock_data.create_subject_data(policy_id=policy_id,
category_id=sub_cat_id)
object_data_id = mock_data.create_object_data(policy_id=policy_id,
category_id=ob_cat_id)
action_data_id = mock_data.create_action_data(policy_id=policy_id,
category_id=act_cat_id)
value = {
"rule": (subject_data_id, object_data_id, action_data_id),
"instructions": ({
"decision": "grant"
}),
"enabled": "",
}
return PolicyManager.add_rule("", policy_id, meta_rule_id, value)
def _import_rules(self, json_rules):
if not isinstance(json_rules, list):
raise InvalidJson("rules shall be a list!")
for json_rule in json_rules:
json_to_use = dict()
JsonUtils.copy_field_if_exists(json_rule, json_to_use,
"instructions", str)
JsonUtils.copy_field_if_exists(json_rule,
json_to_use,
"enabled",
bool,
default_value=True)
json_ids = dict()
JsonUtils.convert_name_to_id(json_rule, json_ids, "policy",
"policy_id", "policy", PolicyManager,
self._user_id)
JsonUtils.convert_name_to_id(json_rule, json_to_use, "meta_rule",
"meta_rule_id", "meta_rule",
ModelManager, self._user_id)
json_subject_ids = dict()
json_object_ids = dict()
json_action_ids = dict()
JsonUtils.convert_names_to_ids(json_rule["rule"], json_subject_ids,
"subject_data", "subject",
"subject_data", PolicyManager,
self._user_id,
json_ids["policy_id"])
JsonUtils.convert_names_to_ids(json_rule["rule"], json_object_ids,
"object_data", "object",
"object_data", PolicyManager,
self._user_id,
json_ids["policy_id"])
JsonUtils.convert_names_to_ids(json_rule["rule"], json_action_ids,
"action_data", "action",
"action_data", PolicyManager,
self._user_id,
json_ids["policy_id"])
meta_rule = ModelManager.get_meta_rules(
self._user_id, json_to_use["meta_rule_id"])
meta_rule = [v for v in meta_rule.values()]
meta_rule = meta_rule[0]
json_to_use_rule = self._reorder_rules_ids(
json_rule, meta_rule["subject_categories"],
json_subject_ids["subject"], json_ids["policy_id"],
PolicyManager.get_subject_data)
json_to_use_rule = json_to_use_rule + self._reorder_rules_ids(
json_rule, meta_rule["object_categories"],
json_object_ids["object"], json_ids["policy_id"],
PolicyManager.get_object_data)
json_to_use_rule = json_to_use_rule + self._reorder_rules_ids(
json_rule, meta_rule["action_categories"],
json_action_ids["action"], json_ids["policy_id"],
PolicyManager.get_action_data)
json_to_use["rule"] = json_to_use_rule
try:
logger.debug("Adding / updating a rule from json {}".format(
json_to_use))
PolicyManager.add_rule(self._user_id, json_ids["policy_id"],
json_to_use["meta_rule_id"],
json_to_use)
except exceptions.RuleExisting:
pass
except exceptions.PolicyUnknown:
raise UnknownPolicy("Unknown policy with id {}".format(
json_ids["policy_id"]))