def test_register_rules(self):
# Verify DB is empty at the beginning
self.assertEqual(len(Rule.get_all()), 0)
self.assertEqual(len(Trigger.get_all()), 0)
registrar = RulesRegistrar()
registrar.register_from_packs(base_dirs=[PACKS_DIR])
# Verify modeles are created
rule_dbs = Rule.get_all()
trigger_dbs = Trigger.get_all()
self.assertEqual(len(rule_dbs), 2)
self.assertEqual(len(trigger_dbs), 1)
self.assertEqual(rule_dbs[0].name, 'sample.with_the_same_timer')
self.assertEqual(rule_dbs[1].name, 'sample.with_timer')
self.assertTrue(trigger_dbs[0].name is not None)
# Verify second register call updates existing models
registrar.register_from_packs(base_dirs=[PACKS_DIR])
rule_dbs = Rule.get_all()
trigger_dbs = Trigger.get_all()
self.assertEqual(len(rule_dbs), 2)
self.assertEqual(len(trigger_dbs), 1)
def delete(self, rule_ref_or_id, requester_user):
"""
Delete a rule.
Handles requests:
DELETE /rules/1
"""
rule_db = self._get_by_ref_or_id(ref_or_id=rule_ref_or_id)
permission_type = PermissionType.RULE_DELETE
rbac_utils = get_rbac_backend().get_utils_class()
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=rule_db,
permission_type=permission_type)
LOG.debug('DELETE /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db)
try:
Rule.delete(rule_db)
except Exception as e:
LOG.exception('Database delete encountered exception during delete of id="%s".',
rule_ref_or_id)
abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(rule_db)
extra = {'rule_db': rule_db}
LOG.audit('Rule deleted. Rule.id=%s.' % (rule_db.id), extra=extra)
return Response(status=http_client.NO_CONTENT)
def _register_rules_from_pack(self, pack, rules):
registered_count = 0
for rule in rules:
LOG.debug('Loading rule from %s.', rule)
try:
content = self._meta_loader.load(rule)
pack_field = content.get('pack', None)
if not pack_field:
content['pack'] = pack
pack_field = pack
if pack_field != pack:
raise Exception('Model is in pack "%s" but field "pack" is different: %s' %
(pack, pack_field))
rule_api = RuleAPI(**content)
rule_api.validate()
rule_db = RuleAPI.to_model(rule_api)
# Migration from rule without pack to rule with pack.
# There might be a rule with same name but in pack `default`
# generated in migration script. In this case, we want to
# delete so we don't have duplicates.
if pack_field != DEFAULT_PACK_NAME:
try:
rule_ref = ResourceReference.to_string_reference(name=content['name'],
pack=DEFAULT_PACK_NAME)
LOG.debug('Looking for rule %s in pack %s', content['name'],
DEFAULT_PACK_NAME)
existing = Rule.get_by_ref(rule_ref)
LOG.debug('Existing = %s', existing)
if existing:
LOG.debug('Found rule in pack default: %s; Deleting.', rule_ref)
Rule.delete(existing)
except:
LOG.exception('Exception deleting rule from %s pack.', DEFAULT_PACK_NAME)
try:
rule_ref = ResourceReference.to_string_reference(name=content['name'],
pack=content['pack'])
existing = Rule.get_by_ref(rule_ref)
if existing:
rule_db.id = existing.id
LOG.debug('Found existing rule: %s with id: %s', rule_ref, existing.id)
except ValueError:
LOG.debug('Rule %s not found. Creating new one.', rule)
try:
rule_db = Rule.add_or_update(rule_db)
extra = {'rule_db': rule_db}
LOG.audit('Rule updated. Rule %s from %s.', rule_db, rule, extra=extra)
except Exception:
LOG.exception('Failed to create rule %s.', rule_api.name)
except:
LOG.exception('Failed registering rule from %s.', rule)
else:
registered_count += 1
return registered_count
def test_run(self):
pack = 'dummy_pack_1'
# Verify all the resources are there
pack_dbs = Pack.query(ref=pack)
action_dbs = Action.query(pack=pack)
alias_dbs = ActionAlias.query(pack=pack)
rule_dbs = Rule.query(pack=pack)
sensor_dbs = Sensor.query(pack=pack)
trigger_type_dbs = TriggerType.query(pack=pack)
policy_dbs = Policy.query(pack=pack)
config_schema_dbs = ConfigSchema.query(pack=pack)
config_dbs = Config.query(pack=pack)
self.assertEqual(len(pack_dbs), 1)
self.assertEqual(len(action_dbs), 1)
self.assertEqual(len(alias_dbs), 2)
self.assertEqual(len(rule_dbs), 1)
self.assertEqual(len(sensor_dbs), 3)
self.assertEqual(len(trigger_type_dbs), 4)
self.assertEqual(len(policy_dbs), 2)
self.assertEqual(len(config_schema_dbs), 1)
self.assertEqual(len(config_dbs), 1)
# Run action
action = self.get_action_instance()
action.run(packs=[pack])
# Make sure all resources have been removed from the db
pack_dbs = Pack.query(ref=pack)
action_dbs = Action.query(pack=pack)
alias_dbs = ActionAlias.query(pack=pack)
rule_dbs = Rule.query(pack=pack)
sensor_dbs = Sensor.query(pack=pack)
trigger_type_dbs = TriggerType.query(pack=pack)
policy_dbs = Policy.query(pack=pack)
config_schema_dbs = ConfigSchema.query(pack=pack)
config_dbs = Config.query(pack=pack)
self.assertEqual(len(pack_dbs), 0)
self.assertEqual(len(action_dbs), 0)
self.assertEqual(len(alias_dbs), 0)
self.assertEqual(len(rule_dbs), 0)
self.assertEqual(len(sensor_dbs), 0)
self.assertEqual(len(trigger_type_dbs), 0)
self.assertEqual(len(policy_dbs), 0)
self.assertEqual(len(config_schema_dbs), 0)
self.assertEqual(len(config_dbs), 0)
def post(self, rule):
"""
Create a new rule.
Handles requests:
POST /rules/
"""
try:
if not hasattr(rule, 'pack'):
setattr(rule, 'pack', DEFAULT_PACK_NAME)
rule_db = RuleAPI.to_model(rule)
LOG.debug('/rules/ POST verified RuleAPI and formulated RuleDB=%s', rule_db)
rule_db = Rule.add_or_update(rule_db)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except (ValueValidationException, jsonschema.ValidationError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except TriggerDoesNotExistException as e:
msg = 'Trigger %s in rule does not exist in system' % rule.trigger['type']
LOG.exception(msg)
abort(http_client.BAD_REQUEST, msg)
return
extra = {'rule_db': rule_db}
LOG.audit('Rule created. Rule.id=%s' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def put(self, rule_ref_or_id, rule):
try:
rule_db = self._get_by_ref_or_id(rule_ref_or_id)
except Exception as e:
LOG.exception(e.message)
abort(http_client.NOT_FOUND, e.message)
return
LOG.debug('PUT /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db)
try:
if rule.id is not None and rule.id is not '' and rule.id != rule_ref_or_id:
LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.',
rule.id, rule_ref_or_id)
old_rule_db = rule_db
rule_db = RuleAPI.to_model(rule)
rule_db.id = rule_ref_or_id
rule_db = Rule.add_or_update(rule_db)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s', rule)
abort(http_client.BAD_REQUEST, str(e))
return
extra = {'old_rule_db': old_rule_db, 'new_rule_db': rule_db}
LOG.audit('Rule updated. Rule.id=%s.' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def post(self, rule, requester_user):
"""
Create a new rule.
Handles requests:
POST /rules/
"""
permission_type = PermissionType.RULE_CREATE
rbac_utils.assert_user_has_resource_api_permission(user_db=requester_user,
resource_api=rule,
permission_type=permission_type)
if not requester_user:
requester_user = UserDB(cfg.CONF.system_user.user)
# Validate that the authenticated user is admin if user query param is provided
user = requester_user.name
assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user,
user=user)
if not hasattr(rule, 'context'):
rule.context = dict()
rule.context['user'] = user
try:
rule_db = RuleAPI.to_model(rule)
LOG.debug('/rules/ POST verified RuleAPI and formulated RuleDB=%s', rule_db)
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
assert_user_has_rule_trigger_and_action_permission(user_db=requester_user,
rule_api=rule)
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
except (ValueValidationException, jsonschema.ValidationError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
except TriggerDoesNotExistException as e:
msg = ('Trigger "%s" defined in the rule does not exist in system or it\'s missing '
'required "parameters" attribute' % (rule.trigger['type']))
LOG.exception(msg)
abort(http_client.BAD_REQUEST, msg)
return
extra = {'rule_db': rule_db}
LOG.audit('Rule created. Rule.id=%s' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return Response(json=rule_api, status=exc.HTTPCreated.code)
def put(self, rule_ref_or_id, rule):
rule_db = self._get_by_ref_or_id(rule_ref_or_id)
LOG.debug('PUT /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db)
try:
if rule.id is not None and rule.id is not '' and rule.id != rule_ref_or_id:
LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.',
rule.id, rule_ref_or_id)
old_rule_db = rule_db
rule_db = RuleAPI.to_model(rule)
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
assert_request_user_has_rule_trigger_and_action_permission(request=pecan.request,
rule_api=rule)
rule_db.id = rule_ref_or_id
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValueValidationException, jsonschema.ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s', rule)
abort(http_client.BAD_REQUEST, str(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(old_rule_db)
extra = {'old_rule_db': old_rule_db, 'new_rule_db': rule_db}
LOG.audit('Rule updated. Rule.id=%s.' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def put(self, rule, rule_ref_or_id, requester_user):
rule_db = self._get_by_ref_or_id(rule_ref_or_id)
rbac_utils = get_rbac_backend().get_utils_class()
permission_type = PermissionType.RULE_MODIFY
rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user,
resource_db=rule,
permission_type=permission_type)
LOG.debug('PUT /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db)
if not requester_user:
requester_user = UserDB(cfg.CONF.system_user.user)
# Validate that the authenticated user is admin if user query param is provided
user = requester_user.name
rbac_utils.assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user,
user=user)
if not hasattr(rule, 'context'):
rule.context = dict()
rule.context['user'] = user
try:
if rule.id is not None and rule.id != '' and rule.id != rule_ref_or_id:
LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.',
rule.id, rule_ref_or_id)
old_rule_db = rule_db
try:
rule_db = RuleAPI.to_model(rule)
except TriggerDoesNotExistException as e:
abort(http_client.BAD_REQUEST, six.text_type(e))
return
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
rbac_utils.assert_user_has_rule_trigger_and_action_permission(user_db=requester_user,
rule_api=rule)
rule_db.id = rule_ref_or_id
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValueValidationException, jsonschema.ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s', rule)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(old_rule_db)
extra = {'old_rule_db': old_rule_db, 'new_rule_db': rule_db}
LOG.audit('Rule updated. Rule.id=%s.' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def delete(self, rule_ref_or_id):
"""
Delete a rule.
Handles requests:
DELETE /rules/1
"""
rule_db = self._get_by_ref_or_id(ref_or_id=rule_ref_or_id)
LOG.debug("DELETE /rules/ lookup with id=%s found object: %s", rule_ref_or_id, rule_db)
try:
Rule.delete(rule_db)
except Exception as e:
LOG.exception('Database delete encountered exception during delete of id="%s".', rule_ref_or_id)
abort(http_client.INTERNAL_SERVER_ERROR, str(e))
return
extra = {"rule_db": rule_db}
LOG.audit("Rule deleted. Rule.id=%s." % (rule_db.id), extra=extra)
def test_rule_lookup(self):
triggertype = ReactorModelTest._create_save_triggertype()
trigger = ReactorModelTest._create_save_trigger(triggertype)
runnertype = ActionModelTest._create_save_runnertype()
action = ActionModelTest._create_save_action(runnertype)
saved = ReactorModelTest._create_save_rule(trigger, action)
retrievedrules = Rule.query(trigger=reference.get_str_resource_ref_from_model(trigger))
self.assertEqual(1, len(retrievedrules), 'No rules found.')
for retrievedrule in retrievedrules:
self.assertEqual(saved.id, retrievedrule.id, 'Incorrect rule returned.')
ReactorModelTest._delete([saved, trigger, action, runnertype, triggertype])
def test_rule_lookup_disabled(self):
triggertype = ReactorModelTest._create_save_triggertype()
trigger = ReactorModelTest._create_save_trigger(triggertype)
runnertype = ActionModelTest._create_save_runnertype()
action = ActionModelTest._create_save_action(runnertype)
saved = ReactorModelTest._create_save_rule(trigger, action, False)
retrievedrules = Rule.query(trigger=reference.get_str_resource_ref_from_model(trigger), enabled=False)
self.assertEqual(1, len(retrievedrules), "Error looking up enabled rules.")
for retrievedrule in retrievedrules:
self.assertEqual(saved.id, retrievedrule.id, "Incorrect rule returned.")
ReactorModelTest._delete([saved, trigger, action, runnertype, triggertype])
def test_rule_crud(self):
triggertype = ReactorModelTest._create_save_triggertype()
trigger = ReactorModelTest._create_save_trigger(triggertype)
runnertype = ActionModelTest._create_save_runnertype()
action = ActionModelTest._create_save_action(runnertype)
saved = ReactorModelTest._create_save_rule(trigger, action)
retrieved = Rule.get_by_id(saved.id)
self.assertEqual(saved.name, retrieved.name, 'Same rule was not returned.')
# test update
self.assertEqual(retrieved.enabled, True)
retrieved.enabled = False
saved = Rule.add_or_update(retrieved)
retrieved = Rule.get_by_id(saved.id)
self.assertEqual(retrieved.enabled, False, 'Update to rule failed.')
# cleanup
ReactorModelTest._delete([retrieved, trigger, action, runnertype, triggertype])
try:
retrieved = Rule.get_by_id(saved.id)
except ValueError:
retrieved = None
self.assertIsNone(retrieved, 'managed to retrieve after failure.')
def get_matching_rules_for_trigger(self, trigger_instance):
trigger = trigger_instance.trigger
trigger = get_trigger_db_by_ref(trigger_instance.trigger)
rules = Rule.query(trigger=trigger_instance.trigger, enabled=True)
LOG.info('Found %d rules defined for trigger %s (type=%s)', len(rules), trigger['name'],
trigger['type'])
matcher = RulesMatcher(trigger_instance=trigger_instance,
trigger=trigger, rules=rules)
matching_rules = matcher.get_matching_rules()
LOG.info('Matched %s rule(s) for trigger_instance %s (type=%s)', len(matching_rules),
trigger['name'], trigger['type'])
return matching_rules
def test_rule_lookup(self):
triggertype = ReactorModelTest._create_save_triggertype()
trigger = ReactorModelTest._create_save_trigger(triggertype)
runnertype = ActionModelTest._create_save_runnertype()
action = ActionModelTest._create_save_action(runnertype)
saved = ReactorModelTest._create_save_rule(trigger, action)
retrievedrules = Rule.query(
trigger=reference.get_str_resource_ref_from_model(trigger))
self.assertEqual(1, len(retrievedrules), 'No rules found.')
for retrievedrule in retrievedrules:
self.assertEqual(saved.id, retrievedrule.id,
'Incorrect rule returned.')
ReactorModelTest._delete(
[saved, trigger, action, runnertype, triggertype])
def test_rule_crud(self):
triggertype = ReactorModelTest._create_save_triggertype()
trigger = ReactorModelTest._create_save_trigger(triggertype)
runnertype = ActionModelTest._create_save_runnertype()
action = ActionModelTest._create_save_action(runnertype)
saved = ReactorModelTest._create_save_rule(trigger, action)
retrieved = Rule.get_by_id(saved.id)
self.assertEqual(saved.name, retrieved.name,
'Same rule was not returned.')
# test update
self.assertEqual(retrieved.enabled, True)
retrieved.enabled = False
saved = Rule.add_or_update(retrieved)
retrieved = Rule.get_by_id(saved.id)
self.assertEqual(retrieved.enabled, False, 'Update to rule failed.')
# cleanup
ReactorModelTest._delete(
[retrieved, trigger, action, runnertype, triggertype])
try:
retrieved = Rule.get_by_id(saved.id)
except ValueError:
retrieved = None
self.assertIsNone(retrieved, 'managed to retrieve after failure.')
def test_triggered_execution(self):
docs = {
'trigger_type': copy.deepcopy(fixture.ARTIFACTS['trigger_type']),
'trigger': copy.deepcopy(fixture.ARTIFACTS['trigger']),
'rule': copy.deepcopy(fixture.ARTIFACTS['rule']),
'trigger_instance': copy.deepcopy(fixture.ARTIFACTS['trigger_instance'])}
# Trigger an action execution.
trigger_type = TriggerType.add_or_update(
TriggerTypeAPI.to_model(TriggerTypeAPI(**docs['trigger_type'])))
trigger = Trigger.add_or_update(TriggerAPI.to_model(TriggerAPI(**docs['trigger'])))
rule = RuleAPI.to_model(RuleAPI(**docs['rule']))
rule.trigger = reference.get_str_resource_ref_from_model(trigger)
rule = Rule.add_or_update(rule)
trigger_instance = TriggerInstance.add_or_update(
TriggerInstanceAPI.to_model(TriggerInstanceAPI(**docs['trigger_instance'])))
trace_service.add_or_update_given_trace_context(
trace_context={'trace_tag': 'test_triggered_execution_trace'},
trigger_instances=[str(trigger_instance.id)])
enforcer = RuleEnforcer(trigger_instance, rule)
enforcer.enforce()
# Wait for the action execution to complete and then confirm outcome.
liveaction = LiveAction.get(context__trigger_instance__id=str(trigger_instance.id))
self.assertIsNotNone(liveaction)
liveaction = self._wait_on_status(liveaction, action_constants.LIVEACTION_STATUS_FAILED)
execution = self._get_action_execution(
liveaction__id=str(liveaction.id),
raise_exception=True
)
self.assertDictEqual(execution.trigger, vars(TriggerAPI.from_model(trigger)))
self.assertDictEqual(execution.trigger_type, vars(TriggerTypeAPI.from_model(trigger_type)))
self.assertDictEqual(execution.trigger_instance,
vars(TriggerInstanceAPI.from_model(trigger_instance)))
self.assertDictEqual(execution.rule, vars(RuleAPI.from_model(rule)))
action = action_utils.get_action_by_ref(liveaction.action)
self.assertDictEqual(execution.action, vars(ActionAPI.from_model(action)))
runner = RunnerType.get_by_name(action.runner_type['name'])
self.assertDictEqual(execution.runner, vars(RunnerTypeAPI.from_model(runner)))
liveaction = LiveAction.get_by_id(str(liveaction.id))
self.assertEqual(execution.start_timestamp, liveaction.start_timestamp)
self.assertEqual(execution.end_timestamp, liveaction.end_timestamp)
self.assertEqual(execution.result, liveaction.result)
self.assertEqual(execution.status, liveaction.status)
self.assertEqual(execution.context, liveaction.context)
self.assertEqual(execution.liveaction['callback'], liveaction.callback)
self.assertEqual(execution.liveaction['action'], liveaction.action)
def delete(self, rule_ref_or_id):
"""
Delete a rule.
Handles requests:
DELETE /rules/1
"""
rule_db = self._get_by_ref_or_id(ref_or_id=rule_ref_or_id)
LOG.debug('DELETE /rules/ lookup with id=%s found object: %s',
rule_ref_or_id, rule_db)
try:
Rule.delete(rule_db)
except Exception as e:
LOG.exception(
'Database delete encountered exception during delete of id="%s".',
rule_ref_or_id)
abort(http_client.INTERNAL_SERVER_ERROR, str(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(rule_db)
extra = {'rule_db': rule_db}
LOG.audit('Rule deleted. Rule.id=%s.' % (rule_db.id), extra=extra)
def get_rules_with_trigger_ref(trigger_ref=None, enabled=True):
"""
Get rules in DB corresponding to given trigger_ref as a string reference.
:param trigger_ref: Reference to trigger.
:type trigger_ref: ``str``
:rtype: ``list`` of ``RuleDB``
"""
if not trigger_ref:
return None
LOG.debug('Querying rules with trigger %s', trigger_ref)
return Rule.query(trigger=trigger_ref, enabled=enabled)
def _create_save_rule(trigger, action=None, enabled=True):
name = 'rule-1'
pack = 'default'
ref = ResourceReference.to_string_reference(name=name, pack=pack)
created = RuleDB(name=name, pack=pack, ref=ref)
created.description = ''
created.enabled = enabled
created.trigger = reference.get_str_resource_ref_from_model(trigger)
created.criteria = {}
created.action = ActionExecutionSpecDB()
action_ref = ResourceReference(pack=action.pack, name=action.name).ref
created.action.ref = action_ref
created.action.pack = action.pack
created.action.parameters = {}
return Rule.add_or_update(created)
def _create_save_rule(trigger, action=None, enabled=True):
name = 'rule-1'
pack = 'default'
ref = ResourceReference.to_string_reference(name=name, pack=pack)
created = RuleDB(name=name, pack=pack, ref=ref)
created.description = ''
created.enabled = enabled
created.trigger = reference.get_str_resource_ref_from_model(trigger)
created.criteria = {}
created.action = ActionExecutionSpecDB()
action_ref = ResourceReference(pack=action.pack, name=action.name).ref
created.action.ref = action_ref
created.action.pack = action.pack
created.action.parameters = {}
return Rule.add_or_update(created)
def get_rules_with_trigger_ref(trigger_ref=None, enabled=True):
"""
Get rules in DB corresponding to given trigger_ref as a string reference.
:param trigger_ref: Reference to trigger.
:type trigger_ref: ``str``
:rtype: ``list`` of ``RuleDB``
"""
if not trigger_ref:
return None
LOG.debug('Querying rules with trigger %s', trigger_ref)
return Rule.query(trigger=trigger_ref, enabled=enabled)
def test_rule_lookup_disabled(self):
triggertype = ReactorModelTestCase._create_save_triggertype()
trigger = ReactorModelTestCase._create_save_trigger(triggertype)
runnertype = ActionModelTestCase._create_save_runnertype()
action = ActionModelTestCase._create_save_action(runnertype)
saved = ReactorModelTestCase._create_save_rule(trigger, action, False)
retrievedrules = Rule.query(
trigger=reference.get_str_resource_ref_from_model(trigger),
enabled=False)
self.assertEqual(1, len(retrievedrules),
'Error looking up enabled rules.')
for retrievedrule in retrievedrules:
self.assertEqual(saved.id, retrievedrule.id,
'Incorrect rule returned.')
ReactorModelTestCase._delete(
[saved, trigger, action, runnertype, triggertype])
def put(self, rule, rule_ref_or_id, requester_user):
rule_db = self._get_by_ref_or_id(rule_ref_or_id)
permission_type = PermissionType.RULE_MODIFY
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=rule,
permission_type=permission_type)
LOG.debug('PUT /rules/ lookup with id=%s found object: %s',
rule_ref_or_id, rule_db)
try:
if rule.id is not None and rule.id is not '' and rule.id != rule_ref_or_id:
LOG.warning(
'Discarding mismatched id=%s found in payload and using uri_id=%s.',
rule.id, rule_ref_or_id)
old_rule_db = rule_db
rule_db = RuleAPI.to_model(rule)
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
assert_user_has_rule_trigger_and_action_permission(
user_db=requester_user, rule_api=rule)
rule_db.id = rule_ref_or_id
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValueValidationException, jsonschema.ValidationError,
ValueError) as e:
LOG.exception('Validation failed for rule data=%s', rule)
abort(http_client.BAD_REQUEST, str(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(old_rule_db)
extra = {'old_rule_db': old_rule_db, 'new_rule_db': rule_db}
LOG.audit('Rule updated. Rule.id=%s.' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def analyze(self, root_action_ref, link_tigger_ref):
rules = Rule.query(trigger=link_tigger_ref, enabled=True)
# pprint.pprint([rule.ref for rule in rules])
for rule in rules:
source_action_ref = self._get_source_action_ref(rule)
if not source_action_ref:
print('No source_action_ref for rule %s' % rule.ref)
continue
rule_links = self._rules.get(source_action_ref, None)
if rule_links is None:
rule_links = []
self._rules[source_action_ref] = rule_links
rule_links.append(RuleLink(source_action_ref=source_action_ref, rule_ref=rule.ref,
dest_action_ref=rule.action.ref))
analyzed = self._do_analyze(action_ref=root_action_ref)
for (depth, rule_link) in analyzed:
print('%s%s' % (' ' * depth, rule_link))
return analyzed
def analyze(self, root_action_ref, link_tigger_ref):
rules = Rule.query(trigger=link_tigger_ref, enabled=True)
# pprint.pprint([rule.ref for rule in rules])
for rule in rules:
source_action_ref = self._get_source_action_ref(rule)
if not source_action_ref:
print 'No source_action_ref for rule %s' % rule.ref
continue
rule_links = self._rules.get(source_action_ref, None)
if rule_links is None:
rule_links = []
self._rules[source_action_ref] = rule_links
rule_links.append(RuleLink(source_action_ref=source_action_ref, rule_ref=rule.ref,
dest_action_ref=rule.action.ref))
analyzed = self._do_analyze(action_ref=root_action_ref)
for (depth, rule_link) in analyzed:
print '%s%s' % (' ' * depth, rule_link)
return analyzed
def setUp(self):
super(RBACServicesTestCase, self).setUp()
# TODO: Share mocks
self.users = {}
self.roles = {}
self.resources = {}
# Create some mock users
user_1_db = UserDB(name='admin')
user_1_db = User.add_or_update(user_1_db)
self.users['admin'] = user_1_db
user_2_db = UserDB(name='observer')
user_2_db = User.add_or_update(user_2_db)
self.users['observer'] = user_2_db
user_3_db = UserDB(name='no_roles')
user_3_db = User.add_or_update(user_3_db)
self.users['no_roles'] = user_3_db
user_4_db = UserDB(name='custom_role')
user_4_db = User.add_or_update(user_4_db)
self.users['1_custom_role'] = user_4_db
# Create some mock roles
role_1_db = rbac_services.create_role(name='custom_role_1')
role_2_db = rbac_services.create_role(name='custom_role_2',
description='custom role 2')
self.roles['custom_role_1'] = role_1_db
self.roles['custom_role_2'] = role_2_db
# Create some mock role assignments
role_assignment_1 = UserRoleAssignmentDB(
user=self.users['1_custom_role'].name,
role=self.roles['custom_role_1'].name)
role_assignment_1 = UserRoleAssignment.add_or_update(role_assignment_1)
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test1', name='rule1', ref='test1.rule1')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
def setUp(self):
super(RBACServicesTestCase, self).setUp()
# TODO: Share mocks
self.users = {}
self.roles = {}
self.resources = {}
# Create some mock users
user_1_db = UserDB(name='admin')
user_1_db = User.add_or_update(user_1_db)
self.users['admin'] = user_1_db
user_2_db = UserDB(name='observer')
user_2_db = User.add_or_update(user_2_db)
self.users['observer'] = user_2_db
user_3_db = UserDB(name='no_roles')
user_3_db = User.add_or_update(user_3_db)
self.users['no_roles'] = user_3_db
user_4_db = UserDB(name='custom_role')
user_4_db = User.add_or_update(user_4_db)
self.users['1_custom_role'] = user_4_db
# Create some mock roles
role_1_db = rbac_services.create_role(name='custom_role_1')
role_2_db = rbac_services.create_role(name='custom_role_2',
description='custom role 2')
self.roles['custom_role_1'] = role_1_db
self.roles['custom_role_2'] = role_2_db
# Create some mock role assignments
role_assignment_1 = UserRoleAssignmentDB(user=self.users['1_custom_role'].name,
role=self.roles['custom_role_1'].name)
role_assignment_1 = UserRoleAssignment.add_or_update(role_assignment_1)
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test1', name='rule1', ref='test1.rule1')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
def post(self, rule):
"""
Create a new rule.
Handles requests:
POST /rules/
"""
try:
rule_db = RuleAPI.to_model(rule)
LOG.debug('/rules/ POST verified RuleAPI and formulated RuleDB=%s',
rule_db)
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
assert_request_user_has_rule_trigger_and_action_permission(
request=pecan.request, rule_api=rule)
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except (ValueValidationException, jsonschema.ValidationError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except TriggerDoesNotExistException as e:
msg = (
'Trigger "%s" defined in the rule does not exist in system or it\'s missing '
'required "parameters" attribute' % (rule.trigger['type']))
LOG.exception(msg)
abort(http_client.BAD_REQUEST, msg)
return
extra = {'rule_db': rule_db}
LOG.audit('Rule created. Rule.id=%s' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def post(self, rule):
"""
Create a new rule.
Handles requests:
POST /rules/
"""
try:
if not hasattr(rule, 'pack'):
setattr(rule, 'pack', DEFAULT_PACK_NAME)
rule_db = RuleAPI.to_model(rule)
LOG.debug('/rules/ POST verified RuleAPI and formulated RuleDB=%s',
rule_db)
rule_db = Rule.add_or_update(rule_db)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except (ValueValidationException, jsonschema.ValidationError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except TriggerDoesNotExistException as e:
msg = 'Trigger %s in rule does not exist in system' % rule.trigger[
'type']
LOG.exception(msg)
abort(http_client.BAD_REQUEST, msg)
return
except StackStormDBObjectConflictError as e:
LOG.warn(
'Rule creation of %s failed with uniqueness conflict. Exception %s',
rule, str(e))
abort(http_client.CONFLICT,
str(e),
body={'conflict-id': e.conflict_id})
return
extra = {'rule_db': rule_db}
LOG.audit('Rule created. Rule.id=%s' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def post(self, rule):
"""
Create a new rule.
Handles requests:
POST /rules/
"""
try:
rule_db = RuleAPI.to_model(rule)
LOG.debug('/rules/ POST verified RuleAPI and formulated RuleDB=%s', rule_db)
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
assert_request_user_has_rule_trigger_and_action_permission(request=pecan.request,
rule_api=rule)
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except (ValueValidationException, jsonschema.ValidationError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except TriggerDoesNotExistException as e:
msg = ('Trigger "%s" defined in the rule does not exist in system or it\'s missing '
'required "parameters" attribute' % (rule.trigger['type']))
LOG.exception(msg)
abort(http_client.BAD_REQUEST, msg)
return
extra = {'rule_db': rule_db}
LOG.audit('Rule created. Rule.id=%s' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def post(self, rule):
"""
Create a new rule.
Handles requests:
POST /rules/
"""
try:
if not hasattr(rule, 'pack'):
setattr(rule, 'pack', DEFAULT_PACK_NAME)
rule_db = RuleAPI.to_model(rule)
LOG.debug('/rules/ POST verified RuleAPI and formulated RuleDB=%s',
rule_db)
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
assert_request_user_has_rule_trigger_and_action_permission(
request=pecan.request, rule_api=rule)
rule_db = Rule.add_or_update(rule_db)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except (ValueValidationException, jsonschema.ValidationError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except TriggerDoesNotExistException as e:
msg = 'Trigger %s in rule does not exist in system' % rule.trigger[
'type']
LOG.exception(msg)
abort(http_client.BAD_REQUEST, msg)
return
extra = {'rule_db': rule_db}
LOG.audit('Rule created. Rule.id=%s' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def post(self, rule):
"""
Create a new rule.
Handles requests:
POST /rules/
"""
try:
if not hasattr(rule, 'pack'):
setattr(rule, 'pack', DEFAULT_PACK_NAME)
rule_db = RuleAPI.to_model(rule)
LOG.debug('/rules/ POST verified RuleAPI and formulated RuleDB=%s', rule_db)
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
assert_request_user_has_rule_trigger_and_action_permission(request=pecan.request,
rule_api=rule)
rule_db = Rule.add_or_update(rule_db)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except (ValueValidationException, jsonschema.ValidationError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except TriggerDoesNotExistException as e:
msg = 'Trigger %s in rule does not exist in system' % rule.trigger['type']
LOG.exception(msg)
abort(http_client.BAD_REQUEST, msg)
return
extra = {'rule_db': rule_db}
LOG.audit('Rule created. Rule.id=%s' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def post(self, rule):
"""
Create a new rule.
Handles requests:
POST /rules/
"""
try:
if not hasattr(rule, 'pack'):
setattr(rule, 'pack', DEFAULT_PACK_NAME)
rule_db = RuleAPI.to_model(rule)
LOG.debug('/rules/ POST verified RuleAPI and formulated RuleDB=%s', rule_db)
rule_db = Rule.add_or_update(rule_db)
except (ValidationError, ValueError) as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except ValueValidationException as e:
LOG.exception('Validation failed for rule data=%s.', rule)
abort(http_client.BAD_REQUEST, str(e))
return
except TriggerDoesNotExistException as e:
msg = 'Trigger %s in rule does not exist in system' % rule.trigger['type']
LOG.exception(msg)
abort(http_client.BAD_REQUEST, msg)
return
except StackStormDBObjectConflictError as e:
LOG.warn('Rule creation of %s failed with uniqueness conflict. Exception %s',
rule, str(e))
abort(http_client.CONFLICT, str(e), body={'conflict-id': e.conflict_id})
return
extra = {'rule_db': rule_db}
LOG.audit('Rule created. Rule.id=%s' % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def setUp(self):
super(RuleEnforcementPermissionsResolverTestCase, self).setUp()
register_internal_trigger_types()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
user_6_db = UserDB(name='rule_pack_rule_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['rule_pack_rule_create_grant'] = user_6_db
user_7_db = UserDB(name='rule_pack_rule_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['rule_pack_rule_all_grant'] = user_7_db
user_8_db = UserDB(name='rule_rule_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['rule_rule_create_grant'] = user_8_db
user_9_db = UserDB(name='rule_rule_all_grant')
user_9_db = User.add_or_update(user_9_db)
self.users['rule_rule_all_grant'] = user_9_db
user_10_db = UserDB(name='custom_role_rule_list_grant')
user_10_db = User.add_or_update(user_10_db)
self.users['custom_role_rule_list_grant'] = user_10_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1',
name='rule1',
action={'ref': 'core.local'},
trigger='core.st2.key_value_pair.create')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_enforcement_1_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={
'ref': rule_1_db.ref,
'uid': rule_1_db.uid,
'id': str(rule_1_db.id)
})
rule_enforcement_1_db = RuleEnforcement.add_or_update(
rule_enforcement_1_db)
self.resources['rule_enforcement_1'] = rule_enforcement_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_enforcement_2_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={
'ref': rule_2_db.ref,
'uid': rule_2_db.uid,
'id': str(rule_2_db.id)
})
rule_enforcement_2_db = RuleEnforcement.add_or_update(
rule_enforcement_2_db)
self.resources['rule_enforcement_2'] = rule_enforcement_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
rule_enforcement_3_db = RuleEnforcementDB(
trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={
'ref': rule_3_db.ref,
'uid': rule_3_db.uid,
'id': str(rule_3_db.id)
})
rule_enforcement_3_db = RuleEnforcement.add_or_update(
rule_enforcement_3_db)
self.resources['rule_enforcement_3'] = rule_enforcement_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Custom role - "rule_create" grant on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='rule_pack_rule_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['rule_pack_rule_create_grant'] = role_6_db
# Custom role - "rule_all" grant on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='rule_pack_rule_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['rule_pack_rule_all_grant'] = role_7_db
# Custom role - "rule_create" grant on rule_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='rule_rule_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['rule_rule_create_grant'] = role_8_db
# Custom role - "rule_all" grant on rule_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_9_db = RoleDB(name='rule_rule_all_grant',
permission_grants=permission_grants)
role_9_db = Role.add_or_update(role_9_db)
self.roles['rule_rule_all_grant'] = role_9_db
# Custom role - "rule_list" grant
grant_db = PermissionGrantDB(
resource_uid=None,
resource_type=None,
permission_types=[PermissionType.RULE_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_10_db = RoleDB(name='custom_role_rule_list_grant',
permission_grants=permission_grants)
role_10_db = Role.add_or_update(role_10_db)
self.roles['custom_role_rule_list_grant'] = role_10_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_rule_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_rule_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_list_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def _setup_sample_rule(self, rule):
rule_api = RuleAPI(**rule)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
return rule_db
def _register_rules_from_pack(self, pack, rules):
registered_count = 0
for rule in rules:
LOG.debug('Loading rule from %s.', rule)
try:
content = self._meta_loader.load(rule)
pack_field = content.get('pack', None)
if not pack_field:
content['pack'] = pack
pack_field = pack
if pack_field != pack:
raise Exception(
'Model is in pack "%s" but field "pack" is different: %s'
% (pack, pack_field))
rule_api = RuleAPI(**content)
rule_api.validate()
rule_db = RuleAPI.to_model(rule_api)
# Migration from rule without pack to rule with pack.
# There might be a rule with same name but in pack `default`
# generated in migration script. In this case, we want to
# delete so we don't have duplicates.
if pack_field != DEFAULT_PACK_NAME:
try:
rule_ref = ResourceReference.to_string_reference(
name=content['name'], pack=DEFAULT_PACK_NAME)
LOG.debug('Looking for rule %s in pack %s',
content['name'], DEFAULT_PACK_NAME)
existing = Rule.get_by_ref(rule_ref)
LOG.debug('Existing = %s', existing)
if existing:
LOG.debug(
'Found rule in pack default: %s; Deleting.',
rule_ref)
Rule.delete(existing)
except:
LOG.exception('Exception deleting rule from %s pack.',
DEFAULT_PACK_NAME)
try:
rule_ref = ResourceReference.to_string_reference(
name=content['name'], pack=content['pack'])
existing = Rule.get_by_ref(rule_ref)
if existing:
rule_db.id = existing.id
LOG.debug('Found existing rule: %s with id: %s',
rule_ref, existing.id)
except ValueError:
LOG.debug('Rule %s not found. Creating new one.', rule)
try:
rule_db = Rule.add_or_update(rule_db)
extra = {'rule_db': rule_db}
LOG.audit('Rule updated. Rule %s from %s.',
rule_db,
rule,
extra=extra)
except Exception:
LOG.exception('Failed to create rule %s.', rule_api.name)
except:
LOG.exception('Failed registering rule from %s.', rule)
else:
registered_count += 1
return registered_count
def setUp(self):
super(RulePermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1', name='rule1')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
role=self.roles['custom_role_rule_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def test_triggered_execution(self):
docs = {
"trigger_type":
copy.deepcopy(fixture.ARTIFACTS["trigger_type"]),
"trigger":
copy.deepcopy(fixture.ARTIFACTS["trigger"]),
"rule":
copy.deepcopy(fixture.ARTIFACTS["rule"]),
"trigger_instance":
copy.deepcopy(fixture.ARTIFACTS["trigger_instance"]),
}
# Trigger an action execution.
trigger_type = TriggerType.add_or_update(
TriggerTypeAPI.to_model(TriggerTypeAPI(**docs["trigger_type"])))
trigger = Trigger.add_or_update(
TriggerAPI.to_model(TriggerAPI(**docs["trigger"])))
rule = RuleAPI.to_model(RuleAPI(**docs["rule"]))
rule.trigger = reference.get_str_resource_ref_from_model(trigger)
rule = Rule.add_or_update(rule)
trigger_instance = TriggerInstance.add_or_update(
TriggerInstanceAPI.to_model(
TriggerInstanceAPI(**docs["trigger_instance"])))
trace_service.add_or_update_given_trace_context(
trace_context={"trace_tag": "test_triggered_execution_trace"},
trigger_instances=[str(trigger_instance.id)],
)
enforcer = RuleEnforcer(trigger_instance, rule)
enforcer.enforce()
# Wait for the action execution to complete and then confirm outcome.
liveaction = LiveAction.get(
context__trigger_instance__id=str(trigger_instance.id))
self.assertIsNotNone(liveaction)
liveaction = self._wait_on_status(
liveaction, action_constants.LIVEACTION_STATUS_FAILED)
execution = self._get_action_execution(liveaction__id=str(
liveaction.id),
raise_exception=True)
self.assertDictEqual(execution.trigger,
vars(TriggerAPI.from_model(trigger)))
self.assertDictEqual(execution.trigger_type,
vars(TriggerTypeAPI.from_model(trigger_type)))
self.assertDictEqual(
execution.trigger_instance,
vars(TriggerInstanceAPI.from_model(trigger_instance)),
)
self.assertDictEqual(execution.rule, vars(RuleAPI.from_model(rule)))
action = action_utils.get_action_by_ref(liveaction.action)
self.assertDictEqual(execution.action,
vars(ActionAPI.from_model(action)))
runner = RunnerType.get_by_name(action.runner_type["name"])
self.assertDictEqual(execution.runner,
vars(RunnerTypeAPI.from_model(runner)))
liveaction = LiveAction.get_by_id(str(liveaction.id))
self.assertEqual(execution.start_timestamp, liveaction.start_timestamp)
# NOTE: Timestamp of liveaction and execution may be a bit different, depending on how long
# it takes to persist each object in the database
self.assertEqual(
execution.end_timestamp.replace(microsecond=0),
liveaction.end_timestamp.replace(microsecond=0),
)
self.assertEqual(execution.result, liveaction.result)
self.assertEqual(execution.status, liveaction.status)
self.assertEqual(execution.context, liveaction.context)
self.assertEqual(execution.liveaction["callback"], liveaction.callback)
self.assertEqual(execution.liveaction["action"], liveaction.action)
def _register_rules_from_pack(self, pack, rules):
registered_count = 0
overridden_count = 0
# TODO: Refactor this monstrosity
for rule in rules:
LOG.debug("Loading rule from %s.", rule)
try:
content = self._meta_loader.load(rule)
pack_field = content.get("pack", None)
if not pack_field:
content["pack"] = pack
pack_field = pack
if pack_field != pack:
raise Exception(
'Model is in pack "%s" but field "pack" is different: %s'
% (pack, pack_field))
metadata_file = content_utils.get_relative_path_to_pack_file(
pack_ref=pack, file_path=rule, use_pack_cache=True)
content["metadata_file"] = metadata_file
# Pass override information
altered = self._override_loader.override(
pack, "rules", content)
rule_api = RuleAPI(**content)
rule_api.validate()
rule_db = RuleAPI.to_model(rule_api)
# Migration from rule without pack to rule with pack.
# There might be a rule with same name but in pack `default`
# generated in migration script. In this case, we want to
# delete so we don't have duplicates.
if pack_field != DEFAULT_PACK_NAME:
try:
rule_ref = ResourceReference.to_string_reference(
name=content["name"], pack=DEFAULT_PACK_NAME)
LOG.debug(
"Looking for rule %s in pack %s",
content["name"],
DEFAULT_PACK_NAME,
)
existing = Rule.get_by_ref(rule_ref)
LOG.debug("Existing = %s", existing)
if existing:
LOG.debug(
"Found rule in pack default: %s; Deleting.",
rule_ref)
Rule.delete(existing)
except:
LOG.exception("Exception deleting rule from %s pack.",
DEFAULT_PACK_NAME)
try:
rule_ref = ResourceReference.to_string_reference(
name=content["name"], pack=content["pack"])
existing = Rule.get_by_ref(rule_ref)
if existing:
rule_db.id = existing.id
LOG.debug("Found existing rule: %s with id: %s",
rule_ref, existing.id)
except StackStormDBObjectNotFoundError:
LOG.debug("Rule %s not found. Creating new one.", rule)
try:
rule_db = Rule.add_or_update(rule_db)
increment_trigger_ref_count(rule_api=rule_api)
extra = {"rule_db": rule_db}
LOG.audit("Rule updated. Rule %s from %s.",
rule_db,
rule,
extra=extra)
except Exception:
LOG.exception("Failed to create rule %s.", rule_api.name)
# If there was an existing rule then the ref count was updated in
# to_model so it needs to be adjusted down here. Also, update could
# lead to removal of a Trigger so now is a good time for book-keeping.
if existing:
cleanup_trigger_db_for_rule(existing)
except Exception as e:
if self._fail_on_failure:
msg = 'Failed to register rule "%s" from pack "%s": %s' % (
rule,
pack,
six.text_type(e),
)
raise ValueError(msg)
LOG.exception("Failed registering rule from %s.", rule)
else:
registered_count += 1
if altered:
overridden_count += 1
return registered_count, overridden_count
def _get_sample_rules(self):
if self.rules:
# Make sure rules are created only once
return self.rules
RULE_1 = {
'enabled': True,
'name': 'st2.test.rule1',
'pack': 'yoyohoneysingh',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'k1': { # Missing prefix 'trigger'. This rule won't match.
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_1)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
self.rules.append(rule_db)
RULE_2 = { # Rule should match.
'enabled': True,
'name': 'st2.test.rule2',
'pack': 'yoyohoneysingh',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_2)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
self.rules.append(rule_db)
RULE_3 = {
'enabled': False, # Disabled rule shouldn't match.
'name': 'st2.test.rule3',
'pack': 'yoyohoneysingh',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_3)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
self.rules.append(rule_db)
return self.rules
def setUp(self):
super(RBACServicesTestCase, self).setUp()
# TODO: Share mocks
self.users = {}
self.roles = {}
self.resources = {}
# Create some mock users
user_1_db = UserDB(name='admin')
user_1_db = User.add_or_update(user_1_db)
self.users['admin'] = user_1_db
user_2_db = UserDB(name='observer')
user_2_db = User.add_or_update(user_2_db)
self.users['observer'] = user_2_db
user_3_db = UserDB(name='no_roles')
user_3_db = User.add_or_update(user_3_db)
self.users['no_roles'] = user_3_db
user_5_db = UserDB(name='user_5')
user_5_db = User.add_or_update(user_5_db)
self.users['user_5'] = user_5_db
user_4_db = UserDB(name='custom_role')
user_4_db = User.add_or_update(user_4_db)
self.users['1_custom_role'] = user_4_db
# Create some mock roles
role_1_db = rbac_services.create_role(name='custom_role_1')
role_2_db = rbac_services.create_role(name='custom_role_2',
description='custom role 2')
self.roles['custom_role_1'] = role_1_db
self.roles['custom_role_2'] = role_2_db
rbac_services.create_role(name='role_1')
rbac_services.create_role(name='role_2')
rbac_services.create_role(name='role_3')
rbac_services.create_role(name='role_4')
# Create some mock role assignments
role_assignment_1 = UserRoleAssignmentDB(
user=self.users['1_custom_role'].name,
role=self.roles['custom_role_1'].name,
source='assignments/%s.yaml' % self.users['1_custom_role'].name)
role_assignment_1 = UserRoleAssignment.add_or_update(role_assignment_1)
# Note: User use pymongo to insert mock data because we want to insert a
# raw document and skip mongoengine to leave is_remote field unpopulated
client = MongoClient()
db = client['st2-test']
db.user_role_assignment_d_b.insert_one({
'user': '******',
'role': 'role_1'
})
db.user_role_assignment_d_b.insert_one({
'user': '******',
'role': 'role_2'
})
db.user_role_assignment_d_b.insert_one({
'user': '******',
'role': 'role_3',
'is_remote': False
})
db.user_role_assignment_d_b.insert_one({
'user': '******',
'role': 'role_4',
'is_remote': True
})
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test1', name='rule1', ref='test1.rule1')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
def _register_rules_from_pack(self, pack, rules):
registered_count = 0
# TODO: Refactor this monstrosity
for rule in rules:
LOG.debug('Loading rule from %s.', rule)
try:
content = self._meta_loader.load(rule)
pack_field = content.get('pack', None)
if not pack_field:
content['pack'] = pack
pack_field = pack
if pack_field != pack:
raise Exception(
'Model is in pack "%s" but field "pack" is different: %s'
% (pack, pack_field))
rule_api = RuleAPI(**content)
rule_api.validate()
rule_db = RuleAPI.to_model(rule_api)
# Migration from rule without pack to rule with pack.
# There might be a rule with same name but in pack `default`
# generated in migration script. In this case, we want to
# delete so we don't have duplicates.
if pack_field != DEFAULT_PACK_NAME:
try:
rule_ref = ResourceReference.to_string_reference(
name=content['name'], pack=DEFAULT_PACK_NAME)
LOG.debug('Looking for rule %s in pack %s',
content['name'], DEFAULT_PACK_NAME)
existing = Rule.get_by_ref(rule_ref)
LOG.debug('Existing = %s', existing)
if existing:
LOG.debug(
'Found rule in pack default: %s; Deleting.',
rule_ref)
Rule.delete(existing)
except:
LOG.exception('Exception deleting rule from %s pack.',
DEFAULT_PACK_NAME)
try:
rule_ref = ResourceReference.to_string_reference(
name=content['name'], pack=content['pack'])
existing = Rule.get_by_ref(rule_ref)
if existing:
rule_db.id = existing.id
LOG.debug('Found existing rule: %s with id: %s',
rule_ref, existing.id)
except StackStormDBObjectNotFoundError:
LOG.debug('Rule %s not found. Creating new one.', rule)
try:
rule_db = Rule.add_or_update(rule_db)
increment_trigger_ref_count(rule_api=rule_api)
extra = {'rule_db': rule_db}
LOG.audit('Rule updated. Rule %s from %s.',
rule_db,
rule,
extra=extra)
except Exception:
LOG.exception('Failed to create rule %s.', rule_api.name)
# If there was an existing rule then the ref count was updated in
# to_model so it needs to be adjusted down here. Also, update could
# lead to removal of a Trigger so now is a good time for book-keeping.
if existing:
cleanup_trigger_db_for_rule(existing)
except Exception as e:
if self._fail_on_failure:
raise e
LOG.exception('Failed registering rule from %s.', rule)
else:
registered_count += 1
return registered_count
def _get_rules_for_trigger(self, trigger_ref):
"""
All rules that reference the supplied trigger_ref.
"""
return Rule.get_all(**{'trigger': trigger_ref})
def setUp(self):
super(RuleEnforcementPermissionsResolverTestCase, self).setUp()
register_internal_trigger_types()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
user_6_db = UserDB(name='rule_pack_rule_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['rule_pack_rule_create_grant'] = user_6_db
user_7_db = UserDB(name='rule_pack_rule_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['rule_pack_rule_all_grant'] = user_7_db
user_8_db = UserDB(name='rule_rule_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['rule_rule_create_grant'] = user_8_db
user_9_db = UserDB(name='rule_rule_all_grant')
user_9_db = User.add_or_update(user_9_db)
self.users['rule_rule_all_grant'] = user_9_db
user_10_db = UserDB(name='custom_role_rule_list_grant')
user_10_db = User.add_or_update(user_10_db)
self.users['custom_role_rule_list_grant'] = user_10_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1', name='rule1', action={'ref': 'core.local'},
trigger='core.st2.key_value_pair.create')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_enforcement_1_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={'ref': rule_1_db.ref,
'uid': rule_1_db.uid,
'id': str(rule_1_db.id)})
rule_enforcement_1_db = RuleEnforcement.add_or_update(rule_enforcement_1_db)
self.resources['rule_enforcement_1'] = rule_enforcement_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_enforcement_2_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={'ref': rule_2_db.ref,
'uid': rule_2_db.uid,
'id': str(rule_2_db.id)})
rule_enforcement_2_db = RuleEnforcement.add_or_update(rule_enforcement_2_db)
self.resources['rule_enforcement_2'] = rule_enforcement_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
rule_enforcement_3_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={'ref': rule_3_db.ref,
'uid': rule_3_db.uid,
'id': str(rule_3_db.id)})
rule_enforcement_3_db = RuleEnforcement.add_or_update(rule_enforcement_3_db)
self.resources['rule_enforcement_3'] = rule_enforcement_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Custom role - "rule_create" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='rule_pack_rule_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['rule_pack_rule_create_grant'] = role_6_db
# Custom role - "rule_all" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='rule_pack_rule_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['rule_pack_rule_all_grant'] = role_7_db
# Custom role - "rule_create" grant on rule_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='rule_rule_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['rule_rule_create_grant'] = role_8_db
# Custom role - "rule_all" grant on rule_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_9_db = RoleDB(name='rule_rule_all_grant',
permission_grants=permission_grants)
role_9_db = Role.add_or_update(role_9_db)
self.roles['rule_rule_all_grant'] = role_9_db
# Custom role - "rule_list" grant
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=None,
permission_types=[PermissionType.RULE_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_10_db = RoleDB(name='custom_role_rule_list_grant',
permission_grants=permission_grants)
role_10_db = Role.add_or_update(role_10_db)
self.roles['custom_role_rule_list_grant'] = role_10_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
role=self.roles['custom_role_rule_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_list_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def _setup_sample_rules(self):
rules = []
# Rules for st2.test.trigger1
RULE_1 = {
"enabled": True,
"name": "st2.test.rule1",
"pack": "sixpack",
"trigger": {"type": "dummy_pack_1.st2.test.trigger1"},
"criteria": {
"k1": { # Missing prefix 'trigger'. This rule won't match.
"pattern": "t1_p_v",
"type": "equals",
}
},
"action": {
"ref": "sixpack.st2.test.action",
"parameters": {"ip2": "{{rule.k1}}", "ip1": "{{trigger.t1_p}}"},
},
"id": "23",
"description": "",
}
rule_api = RuleAPI(**RULE_1)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
RULE_2 = { # Rule should match.
"enabled": True,
"name": "st2.test.rule2",
"pack": "sixpack",
"trigger": {"type": "dummy_pack_1.st2.test.trigger1"},
"criteria": {"trigger.k1": {"pattern": "t1_p_v", "type": "equals"}},
"action": {
"ref": "sixpack.st2.test.action",
"parameters": {"ip2": "{{rule.k1}}", "ip1": "{{trigger.t1_p}}"},
},
"id": "23",
"description": "",
}
rule_api = RuleAPI(**RULE_2)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
RULE_3 = {
"enabled": False, # Disabled rule shouldn't match.
"name": "st2.test.rule3",
"pack": "sixpack",
"trigger": {"type": "dummy_pack_1.st2.test.trigger1"},
"criteria": {"trigger.k1": {"pattern": "t1_p_v", "type": "equals"}},
"action": {
"ref": "sixpack.st2.test.action",
"parameters": {"ip2": "{{rule.k1}}", "ip1": "{{trigger.t1_p}}"},
},
"id": "23",
"description": "",
}
rule_api = RuleAPI(**RULE_3)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
# Rules for st2.test.trigger2
RULE_4 = {
"enabled": True,
"name": "st2.test.rule4",
"pack": "sixpack",
"trigger": {"type": "dummy_pack_1.st2.test.trigger2"},
"criteria": {"trigger.k1": {"pattern": "t1_p_v", "type": "equals"}},
"action": {
"ref": "sixpack.st2.test.action",
"parameters": {"ip2": "{{rule.k1}}", "ip1": "{{trigger.t1_p}}"},
},
"id": "23",
"description": "",
}
rule_api = RuleAPI(**RULE_4)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
return rules
def _setup_sample_rules(self):
rules = []
# Rules for st2.test.trigger1
RULE_1 = {
'enabled': True,
'name': 'st2.test.rule1',
'pack': 'sixpack',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'k1': { # Missing prefix 'trigger'. This rule won't match.
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_1)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
RULE_2 = { # Rule should match.
'enabled': True,
'name': 'st2.test.rule2',
'pack': 'sixpack',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_2)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
RULE_3 = {
'enabled': False, # Disabled rule shouldn't match.
'name': 'st2.test.rule3',
'pack': 'sixpack',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_3)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
# Rules for st2.test.trigger2
RULE_4 = {
'enabled': True,
'name': 'st2.test.rule4',
'pack': 'sixpack',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger2'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_4)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
return rules
def setUp(self):
super(RulePermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1', name='rule1')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_rule_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def post(self, rule, requester_user):
"""
Create a new rule.
Handles requests:
POST /rules/
"""
rbac_utils = get_rbac_backend().get_utils_class()
permission_type = PermissionType.RULE_CREATE
rbac_utils.assert_user_has_resource_api_permission(
user_db=requester_user,
resource_api=rule,
permission_type=permission_type)
if not requester_user:
requester_user = UserDB(cfg.CONF.system_user.user)
# Validate that the authenticated user is admin if user query param is provided
user = requester_user.name
rbac_utils.assert_user_is_admin_if_user_query_param_is_provided(
user_db=requester_user, user=user)
if not hasattr(rule, "context"):
rule.context = dict()
rule.context["user"] = user
try:
rule_db = RuleAPI.to_model(rule)
LOG.debug("/rules/ POST verified RuleAPI and formulated RuleDB=%s",
rule_db)
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
rbac_utils.assert_user_has_rule_trigger_and_action_permission(
user_db=requester_user, rule_api=rule)
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValidationError, ValueError) as e:
LOG.exception("Validation failed for rule data=%s.", rule)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
except (ValueValidationException, jsonschema.ValidationError) as e:
LOG.exception("Validation failed for rule data=%s.", rule)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
except TriggerDoesNotExistException:
msg = (
'Trigger "%s" defined in the rule does not exist in system or it\'s missing '
'required "parameters" attribute' % (rule.trigger["type"]))
LOG.exception(msg)
abort(http_client.BAD_REQUEST, msg)
return
extra = {"rule_db": rule_db}
LOG.audit("Rule created. Rule.id=%s" % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return Response(json=rule_api, status=exc.HTTPCreated.code)
def _get_rules_for_trigger(self, trigger_ref):
"""
All rules that reference the supplied trigger_ref.
"""
return Rule.get_all(**{'trigger': trigger_ref})
def put(self, rule, rule_ref_or_id, requester_user):
rule_db = self._get_by_ref_or_id(rule_ref_or_id)
rbac_utils = get_rbac_backend().get_utils_class()
permission_type = PermissionType.RULE_MODIFY
rbac_utils.assert_user_has_resource_db_permission(
user_db=requester_user,
resource_db=rule,
permission_type=permission_type)
LOG.debug("PUT /rules/ lookup with id=%s found object: %s",
rule_ref_or_id, rule_db)
if not requester_user:
requester_user = UserDB(cfg.CONF.system_user.user)
# Validate that the authenticated user is admin if user query param is provided
user = requester_user.name
rbac_utils.assert_user_is_admin_if_user_query_param_is_provided(
user_db=requester_user, user=user)
if not hasattr(rule, "context"):
rule.context = dict()
rule.context["user"] = user
try:
if rule.id is not None and rule.id != "" and rule.id != rule_ref_or_id:
LOG.warning(
"Discarding mismatched id=%s found in payload and using uri_id=%s.",
rule.id,
rule_ref_or_id,
)
old_rule_db = rule_db
try:
rule_db = RuleAPI.to_model(rule)
except TriggerDoesNotExistException as e:
abort(http_client.BAD_REQUEST, six.text_type(e))
return
# Check referenced trigger and action permissions
# Note: This needs to happen after "to_model" call since to_model performs some
# validation (trigger exists, etc.)
rbac_utils.assert_user_has_rule_trigger_and_action_permission(
user_db=requester_user, rule_api=rule)
rule_db.id = rule_ref_or_id
rule_db = Rule.add_or_update(rule_db)
# After the rule has been added modify the ref_count. This way a failure to add
# the rule due to violated constraints will have no impact on ref_count.
increment_trigger_ref_count(rule_api=rule)
except (ValueValidationException, jsonschema.ValidationError,
ValueError) as e:
LOG.exception("Validation failed for rule data=%s", rule)
abort(http_client.BAD_REQUEST, six.text_type(e))
return
# use old_rule_db for cleanup.
cleanup_trigger_db_for_rule(old_rule_db)
extra = {"old_rule_db": old_rule_db, "new_rule_db": rule_db}
LOG.audit("Rule updated. Rule.id=%s." % (rule_db.id), extra=extra)
rule_api = RuleAPI.from_model(rule_db)
return rule_api
def _setup_sample_rules(self):
rules = []
# Rules for st2.test.trigger1
RULE_1 = {
"enabled": True,
"name": "st2.test.rule1",
"pack": "sixpack",
"trigger": {"type": "dummy_pack_1.st2.test.trigger1"},
"criteria": {
"k1": {"pattern": "t1_p_v", "type": "equals"} # Missing prefix 'trigger'. This rule won't match.
},
"action": {
"ref": "sixpack.st2.test.action",
"parameters": {"ip2": "{{rule.k1}}", "ip1": "{{trigger.t1_p}}"},
},
"id": "23",
"description": "",
}
rule_api = RuleAPI(**RULE_1)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
RULE_2 = { # Rule should match.
"enabled": True,
"name": "st2.test.rule2",
"pack": "sixpack",
"trigger": {"type": "dummy_pack_1.st2.test.trigger1"},
"criteria": {"trigger.k1": {"pattern": "t1_p_v", "type": "equals"}},
"action": {
"ref": "sixpack.st2.test.action",
"parameters": {"ip2": "{{rule.k1}}", "ip1": "{{trigger.t1_p}}"},
},
"id": "23",
"description": "",
}
rule_api = RuleAPI(**RULE_2)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
RULE_3 = {
"enabled": False, # Disabled rule shouldn't match.
"name": "st2.test.rule3",
"pack": "sixpack",
"trigger": {"type": "dummy_pack_1.st2.test.trigger1"},
"criteria": {"trigger.k1": {"pattern": "t1_p_v", "type": "equals"}},
"action": {
"ref": "sixpack.st2.test.action",
"parameters": {"ip2": "{{rule.k1}}", "ip1": "{{trigger.t1_p}}"},
},
"id": "23",
"description": "",
}
rule_api = RuleAPI(**RULE_3)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
# Rules for st2.test.trigger2
RULE_4 = {
"enabled": True,
"name": "st2.test.rule4",
"pack": "sixpack",
"trigger": {"type": "dummy_pack_1.st2.test.trigger2"},
"criteria": {"trigger.k1": {"pattern": "t1_p_v", "type": "equals"}},
"action": {
"ref": "sixpack.st2.test.action",
"parameters": {"ip2": "{{rule.k1}}", "ip1": "{{trigger.t1_p}}"},
},
"id": "23",
"description": "",
}
rule_api = RuleAPI(**RULE_4)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
return rules
def _setup_sample_rules(self):
rules = []
# Rules for st2.test.trigger1
RULE_1 = {
'enabled': True,
'name': 'st2.test.rule1',
'pack': 'sixpack',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'k1': { # Missing prefix 'trigger'. This rule won't match.
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_1)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
RULE_2 = { # Rule should match.
'enabled': True,
'name': 'st2.test.rule2',
'pack': 'sixpack',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_2)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
RULE_3 = {
'enabled': False, # Disabled rule shouldn't match.
'name': 'st2.test.rule3',
'pack': 'sixpack',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_3)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
# Rules for st2.test.trigger2
RULE_4 = {
'enabled': True,
'name': 'st2.test.rule4',
'pack': 'sixpack',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger2'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_4)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
rules.append(rule_db)
return rules
def setUp(self):
super(RulePermissionsResolverTestCase, self).setUp()
# Register internal triggers - this is needed so we can reference an internal trigger
# inside a mock rule
register_internal_trigger_types()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
user_6_db = UserDB(name='rule_pack_rule_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['rule_pack_rule_create_grant'] = user_6_db
user_7_db = UserDB(name='rule_pack_rule_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['rule_pack_rule_all_grant'] = user_7_db
user_8_db = UserDB(name='rule_rule_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['rule_rule_create_grant'] = user_8_db
user_9_db = UserDB(name='rule_rule_all_grant')
user_9_db = User.add_or_update(user_9_db)
self.users['rule_rule_all_grant'] = user_9_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1',
name='rule1',
action={'ref': 'core.local'},
trigger='core.st2.key_value_pair.create')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Custom role - "rule_create" grant on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='rule_pack_rule_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['rule_pack_rule_create_grant'] = role_6_db
# Custom role - "rule_all" grant on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='rule_pack_rule_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['rule_pack_rule_all_grant'] = role_7_db
# Custom role - "rule_create" grant on rule_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='rule_rule_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['rule_rule_create_grant'] = role_8_db
# Custom role - "rule_all" grant on rule_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_9_db = RoleDB(name='rule_rule_all_grant',
permission_grants=permission_grants)
role_9_db = Role.add_or_update(role_9_db)
self.roles['rule_rule_all_grant'] = role_9_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_rule_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['rule_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['rule_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def _setup_sample_rule(self, rule):
rule_api = RuleAPI(**rule)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
return rule_db
def _get_sample_rules(self):
if self.rules:
# Make sure rules are created only once
return self.rules
RULE_1 = {
'enabled': True,
'name': 'st2.test.rule1',
'pack': 'yoyohoneysingh',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'k1': { # Missing prefix 'trigger'. This rule won't match.
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_1)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
self.rules.append(rule_db)
RULE_2 = { # Rule should match.
'enabled': True,
'name': 'st2.test.rule2',
'pack': 'yoyohoneysingh',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_2)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
self.rules.append(rule_db)
RULE_3 = {
'enabled': False, # Disabled rule shouldn't match.
'name': 'st2.test.rule3',
'pack': 'yoyohoneysingh',
'trigger': {
'type': 'dummy_pack_1.st2.test.trigger1'
},
'criteria': {
'trigger.k1': {
'pattern': 't1_p_v',
'type': 'equals'
}
},
'action': {
'ref': 'sixpack.st2.test.action',
'parameters': {
'ip2': '{{rule.k1}}',
'ip1': '{{trigger.t1_p}}'
}
},
'id': '23',
'description': ''
}
rule_api = RuleAPI(**RULE_3)
rule_db = RuleAPI.to_model(rule_api)
rule_db = Rule.add_or_update(rule_db)
self.rules.append(rule_db)
return self.rules
def _register_rules_from_pack(self, pack, rules):
registered_count = 0
# TODO: Refactor this monstrosity
for rule in rules:
LOG.debug('Loading rule from %s.', rule)
try:
content = self._meta_loader.load(rule)
pack_field = content.get('pack', None)
if not pack_field:
content['pack'] = pack
pack_field = pack
if pack_field != pack:
raise Exception('Model is in pack "%s" but field "pack" is different: %s' %
(pack, pack_field))
rule_api = RuleAPI(**content)
rule_api.validate()
rule_db = RuleAPI.to_model(rule_api)
# Migration from rule without pack to rule with pack.
# There might be a rule with same name but in pack `default`
# generated in migration script. In this case, we want to
# delete so we don't have duplicates.
if pack_field != DEFAULT_PACK_NAME:
try:
rule_ref = ResourceReference.to_string_reference(name=content['name'],
pack=DEFAULT_PACK_NAME)
LOG.debug('Looking for rule %s in pack %s', content['name'],
DEFAULT_PACK_NAME)
existing = Rule.get_by_ref(rule_ref)
LOG.debug('Existing = %s', existing)
if existing:
LOG.debug('Found rule in pack default: %s; Deleting.', rule_ref)
Rule.delete(existing)
except:
LOG.exception('Exception deleting rule from %s pack.', DEFAULT_PACK_NAME)
try:
rule_ref = ResourceReference.to_string_reference(name=content['name'],
pack=content['pack'])
existing = Rule.get_by_ref(rule_ref)
if existing:
rule_db.id = existing.id
LOG.debug('Found existing rule: %s with id: %s', rule_ref, existing.id)
except StackStormDBObjectNotFoundError:
LOG.debug('Rule %s not found. Creating new one.', rule)
try:
rule_db = Rule.add_or_update(rule_db)
increment_trigger_ref_count(rule_api=rule_api)
extra = {'rule_db': rule_db}
LOG.audit('Rule updated. Rule %s from %s.', rule_db, rule, extra=extra)
except Exception:
LOG.exception('Failed to create rule %s.', rule_api.name)
# If there was an existing rule then the ref count was updated in
# to_model so it needs to be adjusted down here. Also, update could
# lead to removal of a Trigger so now is a good time for book-keeping.
if existing:
cleanup_trigger_db_for_rule(existing)
except Exception as e:
if self._fail_on_failure:
msg = ('Failed to register rule "%s" from pack "%s": %s' % (rule, pack,
str(e)))
raise ValueError(msg)
LOG.exception('Failed registering rule from %s.', rule)
else:
registered_count += 1
return registered_count
