def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=None, include_fields=None, from_model_kwargs=None): try: instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields, include_fields=include_fields) except Exception as e: LOG.exception(six.text_type(e)) abort(http_client.NOT_FOUND, six.text_type(e)) return if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) # Perform resource isolation check (if supported) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.resource_model_filter(model=self.model, instance=instance, requester_user=requester_user, **from_model_kwargs) if not result: LOG.debug('Not returning the result because RBAC resource isolation is enabled and ' 'current user doesn\'t match the resource user') raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user, resource_api_or_db=instance, permission_type=permission_type) return Response(json=result)
def _get_action_by_id(id): try: return Action.get_by_id(id) except Exception as e: msg = 'Database lookup for id="%s" resulted in exception. %s' % (id, e) LOG.exception(msg) abort(http_client.NOT_FOUND, msg)
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None, from_model_kwargs=None): """Override ResourceController._get_one_by_id to contain scope of Inquiries UID hack :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` """ instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields) # _get_by_id pulls the resource by ID directly off of the database. Since # Inquiries don't have their own DB model yet, this comes in the format # "execution:<id>". So, to allow RBAC to get a handle on inquiries specifically, # we're overriding the "get_uid" function to return one specific to Inquiries. # # TODO (mierdin): All of this should be removed once Inquiries get their own DB model if getattr(instance, 'runner', None) and instance.runner.get('runner_module') == 'inquirer': def get_uid(): return "inquiry" instance.get_uid = get_uid if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with id "%s".' % id abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def put(self, runner_type_api, name_or_id, requester_user): # Note: We only allow "enabled" attribute of the runner to be changed runner_type_db = self._get_by_name_or_id(name_or_id=name_or_id) permission_type = PermissionType.RUNNER_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=runner_type_db, permission_type=permission_type) old_runner_type_db = runner_type_db LOG.debug('PUT /runnertypes/ lookup with id=%s found object: %s', name_or_id, runner_type_db) try: if runner_type_api.id and runner_type_api.id != name_or_id: LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.', runner_type_api.id, name_or_id) runner_type_db.enabled = runner_type_api.enabled runner_type_db = RunnerType.add_or_update(runner_type_db) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for runner type data=%s', runner_type_api) abort(http_client.BAD_REQUEST, six.text_type(e)) return extra = {'old_runner_type_db': old_runner_type_db, 'new_runner_type_db': runner_type_db} LOG.audit('Runner Type updated. RunnerType.id=%s.' % (runner_type_db.id), extra=extra) runner_type_api = RunnerTypeAPI.from_model(runner_type_db) return runner_type_api
def _get_one_by_name_or_id(self, name_or_id, requester_user, permission_type, exclude_fields=None, include_fields=None, from_model_kwargs=None): """ :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` :param include_fields: A list of object fields to include. :type include_fields: ``list`` """ instance = self._get_by_name_or_id(name_or_id=name_or_id, exclude_fields=exclude_fields, include_fields=include_fields) if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with name_or_id "%s".' % (name_or_id) abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def put(self, triggertype, triggertype_ref_or_id): triggertype_db = self._get_by_ref_or_id(ref_or_id=triggertype_ref_or_id) triggertype_id = triggertype_db.id try: validate_not_part_of_system_pack(triggertype_db) except ValueValidationException as e: abort(http_client.BAD_REQUEST, six.text_type(e)) try: triggertype_db = TriggerTypeAPI.to_model(triggertype) if triggertype.id is not None and len(triggertype.id) > 0 and \ triggertype.id != triggertype_id: LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.', triggertype.id, triggertype_id) triggertype_db.id = triggertype_id old_triggertype_db = triggertype_db triggertype_db = TriggerType.add_or_update(triggertype_db) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for triggertype data=%s', triggertype) abort(http_client.BAD_REQUEST, six.text_type(e)) return extra = {'old_triggertype_db': old_triggertype_db, 'new_triggertype_db': triggertype_db} LOG.audit('TriggerType updated. TriggerType.id=%s' % (triggertype_db.id), extra=extra) triggertype_api = TriggerTypeAPI.from_model(triggertype_db) return triggertype_api
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None, from_model_kwargs=None): """ :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` """ instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields) if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with id "%s".' % id abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.resource_model_filter(model=self.model, instance=instance, requester_user=requester_user, **from_model_kwargs) if not result: LOG.debug('Not returning the result because RBAC resource isolation is enabled and ' 'current user doesn\'t match the resource user') raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user, resource_api_or_db=instance, permission_type=permission_type) return result
def delete(self, triggertype_ref_or_id): """ Delete a triggertype. Handles requests: DELETE /triggertypes/1 DELETE /triggertypes/pack.name """ LOG.info('DELETE /triggertypes/ with ref_or_id=%s', triggertype_ref_or_id) triggertype_db = self._get_by_ref_or_id(ref_or_id=triggertype_ref_or_id) triggertype_id = triggertype_db.id try: validate_not_part_of_system_pack(triggertype_db) except ValueValidationException as e: abort(http_client.BAD_REQUEST, six.text_type(e)) try: TriggerType.delete(triggertype_db) except Exception as e: LOG.exception('Database delete encountered exception during delete of id="%s". ', triggertype_id) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return else: extra = {'triggertype': triggertype_db} LOG.audit('TriggerType deleted. TriggerType.id=%s' % (triggertype_db.id), extra=extra) if not triggertype_db.parameters_schema: TriggerTypeController._delete_shadow_trigger(triggertype_db) return Response(status=http_client.NO_CONTENT)
def delete(self, ref_or_id, requester_user): """ Delete an action alias. Handles requests: DELETE /actionalias/1 """ action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug('DELETE /actionalias/ lookup with id=%s found object: %s', ref_or_id, action_alias_db) permission_type = PermissionType.ACTION_ALIAS_DELETE rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_alias_db, permission_type=permission_type) try: ActionAlias.delete(action_alias_db) except Exception as e: LOG.exception('Database delete encountered exception during delete of id="%s".', ref_or_id) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return extra = {'action_alias_db': action_alias_db} LOG.audit('Action alias deleted. ActionAlias.id=%s.' % (action_alias_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def post(self, trigger_instance_id): """ Re-send the provided trigger instance optionally specifying override parameters. Handles requests: POST /triggerinstance/<id>/re_emit POST /triggerinstance/<id>/re_send """ # Note: We only really need parameters here existing_trigger_instance = self._get_one_by_id(id=trigger_instance_id, permission_type=None, requester_user=None) new_payload = copy.deepcopy(existing_trigger_instance.payload) new_payload['__context'] = { 'original_id': trigger_instance_id } try: self.trigger_dispatcher.dispatch(existing_trigger_instance.trigger, new_payload) return { 'message': 'Trigger instance %s succesfully re-sent.' % trigger_instance_id, 'payload': new_payload } except Exception as e: abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
def post(self, action_alias, requester_user): """ Create a new ActionAlias. Handles requests: POST /actionalias/ """ permission_type = PermissionType.ACTION_ALIAS_CREATE rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_api_permission(user_db=requester_user, resource_api=action_alias, permission_type=permission_type) try: action_alias_db = ActionAliasAPI.to_model(action_alias) LOG.debug('/actionalias/ POST verified ActionAliasAPI and formulated ActionAliasDB=%s', action_alias_db) action_alias_db = ActionAlias.add_or_update(action_alias_db) except (ValidationError, ValueError, ValueValidationException) as e: LOG.exception('Validation failed for action alias data=%s.', action_alias) abort(http_client.BAD_REQUEST, six.text_type(e)) return extra = {'action_alias_db': action_alias_db} LOG.audit('Action alias created. ActionAlias.id=%s' % (action_alias_db.id), extra=extra) action_alias_api = ActionAliasAPI.from_model(action_alias_db) return Response(json=action_alias_api, status=http_client.CREATED)
def _get_runner_by_name(name): try: return RunnerType.get_by_name(name) except (ValueError, ValidationError) as e: msg = 'Database lookup for name="%s" resulted in exception. %s' % (id, e) LOG.exception(msg) abort(http_client.NOT_FOUND, msg)
def get_one(self, api_key_id_or_key, requester_user, show_secrets=None): """ List api keys. Handle: GET /apikeys/1 """ api_key_db = None try: api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key) except ApiKeyNotFoundError: msg = ('ApiKey matching %s for reference and id not found.' % (api_key_id_or_key)) LOG.exception(msg) abort(http_client.NOT_FOUND, msg) permission_type = PermissionType.API_KEY_VIEW rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=api_key_db, permission_type=permission_type) try: mask_secrets = self._get_mask_secrets(show_secrets=show_secrets, requester_user=requester_user) return ApiKeyAPI.from_model(api_key_db, mask_secrets=mask_secrets) except (ValidationError, ValueError) as e: LOG.exception('Failed to serialize API key.') abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
def delete(self, rule_ref_or_id, requester_user): """ Delete a rule. Handles requests: DELETE /rules/1 """ rule_db = self._get_by_ref_or_id(ref_or_id=rule_ref_or_id) permission_type = PermissionType.RULE_DELETE rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=rule_db, permission_type=permission_type) LOG.debug('DELETE /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db) try: Rule.delete(rule_db) except Exception as e: LOG.exception('Database delete encountered exception during delete of id="%s".', rule_ref_or_id) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return # use old_rule_db for cleanup. cleanup_trigger_db_for_rule(rule_db) extra = {'rule_db': rule_db} LOG.audit('Rule deleted. Rule.id=%s.' % (rule_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def __get_by_id(id): try: return RuleType.get_by_id(id) except (ValueError, ValidationError) as e: msg = 'Database lookup for id="%s" resulted in exception. %s' % (id, e) LOG.exception(msg) abort(http_client.NOT_FOUND, msg)
def put(self, rule, rule_ref_or_id, requester_user): rule_db = self._get_by_ref_or_id(rule_ref_or_id) rbac_utils = get_rbac_backend().get_utils_class() permission_type = PermissionType.RULE_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=rule, permission_type=permission_type) LOG.debug('PUT /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db) if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) # Validate that the authenticated user is admin if user query param is provided user = requester_user.name rbac_utils.assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user, user=user) if not hasattr(rule, 'context'): rule.context = dict() rule.context['user'] = user try: if rule.id is not None and rule.id != '' and rule.id != rule_ref_or_id: LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.', rule.id, rule_ref_or_id) old_rule_db = rule_db try: rule_db = RuleAPI.to_model(rule) except TriggerDoesNotExistException as e: abort(http_client.BAD_REQUEST, six.text_type(e)) return # Check referenced trigger and action permissions # Note: This needs to happen after "to_model" call since to_model performs some # validation (trigger exists, etc.) rbac_utils.assert_user_has_rule_trigger_and_action_permission(user_db=requester_user, rule_api=rule) rule_db.id = rule_ref_or_id rule_db = Rule.add_or_update(rule_db) # After the rule has been added modify the ref_count. This way a failure to add # the rule due to violated constraints will have no impact on ref_count. increment_trigger_ref_count(rule_api=rule) except (ValueValidationException, jsonschema.ValidationError, ValueError) as e: LOG.exception('Validation failed for rule data=%s', rule) abort(http_client.BAD_REQUEST, six.text_type(e)) return # use old_rule_db for cleanup. cleanup_trigger_db_for_rule(old_rule_db) extra = {'old_rule_db': old_rule_db, 'new_rule_db': rule_db} LOG.audit('Rule updated. Rule.id=%s.' % (rule_db.id), extra=extra) rule_api = RuleAPI.from_model(rule_db) return rule_api
def get_all(self, timer_type=None): if timer_type and timer_type not in self._allowed_timer_types: msg = 'Timer type %s not in supported types - %s.' % (timer_type, self._allowed_timer_types) abort(http_client.BAD_REQUEST, msg) t_all = self._timers.get_all(timer_type=timer_type) LOG.debug('Got timers: %s', t_all) return t_all
def post(self, hook, webhook_body_api, headers, requester_user): body = webhook_body_api.data permission_type = PermissionType.WEBHOOK_SEND rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=WebhookDB(name=hook), permission_type=permission_type) headers = self._get_headers_as_dict(headers) # If webhook contains a trace-tag use that else create create a unique trace-tag. trace_context = self._create_trace_context(trace_tag=headers.pop(TRACE_TAG_HEADER, None), hook=hook) if hook == 'st2' or hook == 'st2/': # When using st2 or system webhook, body needs to always be a dict if not isinstance(body, dict): type_string = get_json_type_for_python_value(body) msg = ('Webhook body needs to be an object, got: %s' % (type_string)) raise ValueError(msg) trigger = body.get('trigger', None) payload = body.get('payload', None) if not trigger: msg = 'Trigger not specified.' return abort(http_client.BAD_REQUEST, msg) self._trigger_dispatcher_service.dispatch_with_context(trigger=trigger, payload=payload, trace_context=trace_context, throw_on_validation_error=True) else: if not self._is_valid_hook(hook): self._log_request('Invalid hook.', headers, body) msg = 'Webhook %s not registered with st2' % hook return abort(http_client.NOT_FOUND, msg) triggers = self._hooks.get_triggers_for_hook(hook) payload = {} payload['headers'] = headers payload['body'] = body # Dispatch trigger instance for each of the trigger found for trigger_dict in triggers: # TODO: Instead of dispatching the whole dict we should just # dispatch TriggerDB.ref or similar self._trigger_dispatcher_service.dispatch_with_context(trigger=trigger_dict, payload=payload, trace_context=trace_context, throw_on_validation_error=True) return Response(json=body, status=http_client.ACCEPTED)
def delete(self, name, requester_user, scope=FULL_SYSTEM_SCOPE, user=None): """ Delete the key value pair. Handles requests: DELETE /keys/1 """ if not scope: scope = FULL_SYSTEM_SCOPE if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) scope = get_datastore_full_scope(scope) self._validate_scope(scope=scope) user = user or requester_user.name # Validate that the authenticated user is admin if user query param is provided rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user, user=user, require_rbac=True) key_ref = get_key_reference(scope=scope, name=name, user=user) lock_name = self._get_lock_name_for_key(name=key_ref, scope=scope) # Note: We use lock to avoid a race with self._coordinator.get_lock(lock_name): from_model_kwargs = {'mask_secrets': True} kvp_api = self._get_one_by_scope_and_name( name=key_ref, scope=scope, from_model_kwargs=from_model_kwargs ) kvp_db = KeyValuePairAPI.to_model(kvp_api) LOG.debug('DELETE /keys/ lookup with scope=%s name=%s found object: %s', scope, name, kvp_db) try: KeyValuePair.delete(kvp_db) except Exception as e: LOG.exception('Database delete encountered exception during ' 'delete of name="%s". ', name) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return extra = {'kvp_db': kvp_db} LOG.audit('KeyValuePair deleted. KeyValuePair.id=%s' % (kvp_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def post(self, def_yaml): if not mistral: abort(http_client.NOT_FOUND) return result = self.validator.validate(def_yaml) for error in result: if not error.get('path', None): error['path'] = '' return Response(json=result)
def delete(self, id, requester_user, show_secrets=False): """ Stops a single execution. Handles requests: DELETE /executions/<id> """ if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) from_model_kwargs = { 'mask_secrets': self._get_mask_secrets(requester_user, show_secrets=show_secrets) } execution_api = self._get_one_by_id(id=id, requester_user=requester_user, from_model_kwargs=from_model_kwargs, permission_type=PermissionType.EXECUTION_STOP) if not execution_api: abort(http_client.NOT_FOUND, 'Execution with id %s not found.' % id) liveaction_id = execution_api.liveaction['id'] if not liveaction_id: abort(http_client.INTERNAL_SERVER_ERROR, 'Execution object missing link to liveaction %s.' % liveaction_id) try: liveaction_db = LiveAction.get_by_id(liveaction_id) except: abort(http_client.INTERNAL_SERVER_ERROR, 'Execution object missing link to liveaction %s.' % liveaction_id) if liveaction_db.status == action_constants.LIVEACTION_STATUS_CANCELED: LOG.info( 'Action %s already in "canceled" state; \ returning execution object.' % liveaction_db.id ) return execution_api if liveaction_db.status not in action_constants.LIVEACTION_CANCELABLE_STATES: abort(http_client.OK, 'Action cannot be canceled. State = %s.' % liveaction_db.status) try: (liveaction_db, execution_db) = action_service.request_cancellation( liveaction_db, requester_user.name or cfg.CONF.system_user.user) except: LOG.exception('Failed requesting cancellation for liveaction %s.', liveaction_db.id) abort(http_client.INTERNAL_SERVER_ERROR, 'Failed canceling execution.') return ActionExecutionAPI.from_model(execution_db, mask_secrets=from_model_kwargs['mask_secrets'])
def post(self, api_key_api, requester_user): """ Create a new entry. """ permission_type = PermissionType.API_KEY_CREATE rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_api_permission(user_db=requester_user, resource_api=api_key_api, permission_type=permission_type) api_key_db = None api_key = None try: if not getattr(api_key_api, 'user', None): if requester_user: api_key_api.user = requester_user.name else: api_key_api.user = cfg.CONF.system_user.user try: User.get_by_name(api_key_api.user) except StackStormDBObjectNotFoundError: user_db = UserDB(name=api_key_api.user) User.add_or_update(user_db) extra = {'username': api_key_api.user, 'user': user_db} LOG.audit('Registered new user "%s".' % (api_key_api.user), extra=extra) # If key_hash is provided use that and do not create a new key. The assumption # is user already has the original api-key if not getattr(api_key_api, 'key_hash', None): api_key, api_key_hash = auth_util.generate_api_key_and_hash() # store key_hash in DB api_key_api.key_hash = api_key_hash api_key_db = ApiKey.add_or_update(ApiKeyAPI.to_model(api_key_api)) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for api_key data=%s.', api_key_api) abort(http_client.BAD_REQUEST, six.text_type(e)) extra = {'api_key_db': api_key_db} LOG.audit('ApiKey created. ApiKey.id=%s' % (api_key_db.id), extra=extra) api_key_create_response_api = ApiKeyCreateResponseAPI.from_model(api_key_db) # Return real api_key back to user. A one-way hash of the api_key is stored in the DB # only the real value only returned at create time. Also, no masking of key here since # the user needs to see this value atleast once. api_key_create_response_api.key = api_key return Response(json=api_key_create_response_api, status=http_client.CREATED)
def get_one(self, inquiry_id, requester_user=None): """Retrieve a single Inquiry Handles requests: GET /inquiries/<inquiry id> """ # Retrieve the inquiry by id. # (Passing permission_type here leverages inquiry service built-in RBAC assertions) try: inquiry = self._get_one_by_id( id=inquiry_id, requester_user=requester_user, permission_type=rbac_types.PermissionType.INQUIRY_VIEW ) except db_exceptions.StackStormDBObjectNotFoundError as e: LOG.exception('Unable to identify inquiry with id "%s".' % inquiry_id) api_router.abort(http_client.NOT_FOUND, six.text_type(e)) except rbac_exceptions.ResourceAccessDeniedError as e: LOG.exception('User is denied access to inquiry "%s".' % inquiry_id) api_router.abort(http_client.FORBIDDEN, six.text_type(e)) except Exception as e: LOG.exception('Unable to get record for inquiry "%s".' % inquiry_id) api_router.abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) try: inquiry_service.check_inquiry(inquiry) except Exception as e: api_router.abort(http_client.BAD_REQUEST, six.text_type(e)) return inqy_api_models.InquiryResponseAPI.from_inquiry_api(inquiry)
def get_one(self, url, requester_user): triggers = self._hooks.get_triggers_for_hook(url) if not triggers: abort(http_client.NOT_FOUND) return permission_type = PermissionType.WEBHOOK_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=WebhookDB(name=url), permission_type=permission_type) # For demonstration purpose return 1st return triggers[0]
def _get_one_by_pack_ref(self, pack_ref, exclude_fields=None, include_fields=None, from_model_kwargs=None): instance = self._get_by_pack_ref(pack_ref=pack_ref, exclude_fields=exclude_fields, include_fields=include_fields) if not instance: msg = 'Unable to identify resource with pack_ref "%s".' % (pack_ref) abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def _get_one_by_ref_or_id(self, ref_or_id, requester_user, exclude_fields=None): instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields) rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=PermissionType.PACK_VIEW) if not instance: msg = 'Unable to identify resource with ref_or_id "%s".' % (ref_or_id) abort(http_client.NOT_FOUND, msg) return result = self.model.from_model(instance, **self.from_model_kwargs) return result
def _handle_schedule_execution(self, liveaction_api, requester_user, context_string=None, show_secrets=False): """ :param liveaction: LiveActionAPI object. :type liveaction: :class:`LiveActionAPI` """ if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) # Assert action ref is valid action_ref = liveaction_api.action action_db = action_utils.get_action_by_ref(action_ref) if not action_db: message = 'Action "%s" cannot be found.' % (action_ref) LOG.warning(message) abort(http_client.BAD_REQUEST, message) # Assert the permissions assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE) # Validate that the authenticated user is admin if user query param is provided user = liveaction_api.user or requester_user.name assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user, user=user) try: return self._schedule_execution(liveaction=liveaction_api, requester_user=requester_user, user=user, context_string=context_string, show_secrets=show_secrets, action_db=action_db) except ValueError as e: LOG.exception('Unable to execute action.') abort(http_client.BAD_REQUEST, six.text_type(e)) except jsonschema.ValidationError as e: LOG.exception('Unable to execute action. Parameter validation failed.') abort(http_client.BAD_REQUEST, re.sub("u'([^']*)'", r"'\1'", getattr(e, 'message', six.text_type(e)))) except trace_exc.TraceNotFoundException as e: abort(http_client.BAD_REQUEST, six.text_type(e)) except validation_exc.ValueValidationException as e: raise e except Exception as e: LOG.exception('Unable to execute action. Unexpected error encountered.') abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
def post(self, action, requester_user): """ Create a new action. Handles requests: POST /actions/ """ permission_type = PermissionType.ACTION_CREATE rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_api_permission(user_db=requester_user, resource_api=action, permission_type=permission_type) try: # Perform validation validate_not_part_of_system_pack(action) action_validator.validate_action(action) except (ValidationError, ValueError, ValueValidationException, InvalidActionParameterException) as e: LOG.exception('Unable to create action data=%s', action) abort(http_client.BAD_REQUEST, six.text_type(e)) return # Write pack data files to disk (if any are provided) data_files = getattr(action, 'data_files', []) written_data_files = [] if data_files: written_data_files = self._handle_data_files(pack_ref=action.pack, data_files=data_files) action_model = ActionAPI.to_model(action) LOG.debug('/actions/ POST verified ActionAPI object=%s', action) action_db = Action.add_or_update(action_model) LOG.debug('/actions/ POST saved ActionDB object=%s', action_db) # Dispatch an internal trigger for each written data file. This way user # automate comitting this files to git using StackStorm rule if written_data_files: self._dispatch_trigger_for_written_data_files(action_db=action_db, written_data_files=written_data_files) extra = {'acion_db': action_db} LOG.audit('Action created. Action.id=%s' % (action_db.id), extra=extra) action_api = ActionAPI.from_model(action_db) return Response(json=action_api, status=http_client.CREATED)
def get_one(self, ref_or_id, requester_user): try: trigger_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) except Exception as e: LOG.exception(six.text_type(e)) abort(http_client.NOT_FOUND, six.text_type(e)) return permission_type = PermissionType.TIMER_VIEW resource_db = TimerDB(pack=trigger_db.pack, name=trigger_db.name) rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=resource_db, permission_type=permission_type) result = self.model.from_model(trigger_db) return result
def put(self, action, ref_or_id, requester_user): action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) # Assert permissions permission_type = PermissionType.ACTION_MODIFY rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db, permission_type=permission_type) action_id = action_db.id if not getattr(action, 'pack', None): action.pack = action_db.pack # Perform validation validate_not_part_of_system_pack(action) action_validator.validate_action(action) # Write pack data files to disk (if any are provided) data_files = getattr(action, 'data_files', []) written_data_files = [] if data_files: written_data_files = self._handle_data_files(pack_ref=action.pack, data_files=data_files) try: action_db = ActionAPI.to_model(action) LOG.debug('/actions/ PUT incoming action: %s', action_db) action_db.id = action_id action_db = Action.add_or_update(action_db) LOG.debug('/actions/ PUT after add_or_update: %s', action_db) except (ValidationError, ValueError) as e: LOG.exception('Unable to update action data=%s', action) abort(http_client.BAD_REQUEST, six.text_type(e)) return # Dispatch an internal trigger for each written data file. This way user # automate committing this files to git using StackStorm rule if written_data_files: self._dispatch_trigger_for_written_data_files(action_db=action_db, written_data_files=written_data_files) action_api = ActionAPI.from_model(action_db) LOG.debug('PUT /actions/ client_result=%s', action_api) return action_api
def post(self, trigger): """ Create a new trigger. Handles requests: POST /triggers/ """ try: trigger_db = TriggerService.create_trigger_db(trigger) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for trigger data=%s.', trigger) abort(http_client.BAD_REQUEST, str(e)) return extra = {'trigger': trigger_db} LOG.audit('Trigger created. Trigger.id=%s' % (trigger_db.id), extra=extra) trigger_api = TriggerAPI.from_model(trigger_db) return Response(json=trigger_api, status=http_client.CREATED)
def put(self, trigger, trigger_id): trigger_db = TriggerController.__get_by_id(trigger_id) try: if trigger.id is not None and trigger.id is not '' and trigger.id != trigger_id: LOG.warning( 'Discarding mismatched id=%s found in payload and using uri_id=%s.', trigger.id, trigger_id) trigger_db = TriggerAPI.to_model(trigger) trigger_db.id = trigger_id trigger_db = Trigger.add_or_update(trigger_db) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for trigger data=%s', trigger) abort(http_client.BAD_REQUEST, str(e)) return extra = {'old_trigger_db': trigger, 'new_trigger_db': trigger_db} LOG.audit('Trigger updated. Trigger.id=%s' % (trigger.id), extra=extra) trigger_api = TriggerAPI.from_model(trigger_db) return trigger_api
def get_one(self, ref_or_id, requester_user): try: trigger_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) except Exception as e: LOG.exception(six.text_type(e)) abort(http_client.NOT_FOUND, six.text_type(e)) return permission_type = PermissionType.TIMER_VIEW resource_db = TimerDB(pack=trigger_db.pack, name=trigger_db.name) rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=resource_db, permission_type=permission_type, ) result = self.model.from_model(trigger_db) return result
def put(self, sensor_type, ref_or_id, requester_user): # Note: Right now this function only supports updating of "enabled" # attribute on the SensorType model. # The reason for that is that SensorTypeAPI.to_model right now only # knows how to work with sensor type definitions from YAML files. sensor_type_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) permission_type = PermissionType.SENSOR_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=sensor_type_db, permission_type=permission_type) sensor_type_id = sensor_type_db.id try: validate_not_part_of_system_pack(sensor_type_db) except ValueValidationException as e: abort(http_client.BAD_REQUEST, str(e)) return if not getattr(sensor_type, 'pack', None): sensor_type.pack = sensor_type_db.pack try: old_sensor_type_db = sensor_type_db sensor_type_db.id = sensor_type_id sensor_type_db.enabled = getattr(sensor_type, 'enabled', False) sensor_type_db = SensorType.add_or_update(sensor_type_db) except (ValidationError, ValueError) as e: LOG.exception('Unable to update sensor_type data=%s', sensor_type) abort(http_client.BAD_REQUEST, str(e)) return extra = { 'old_sensor_type_db': old_sensor_type_db, 'new_sensor_type_db': sensor_type_db } LOG.audit('Sensor updated. Sensor.id=%s.' % (sensor_type_db.id), extra=extra) sensor_type_api = SensorTypeAPI.from_model(sensor_type_db) return sensor_type_api
def _get_one_by_ref_or_id(self, ref_or_id, requester_user, exclude_fields=None): instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields) rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=instance, permission_type=PermissionType.PACK_VIEW) if not instance: msg = 'Unable to identify resource with ref_or_id "%s".' % ( ref_or_id) abort(http_client.NOT_FOUND, msg) return result = self.model.from_model(instance, **self.from_model_kwargs) return result
def _get_one_by_pack_ref(self, pack_ref, exclude_fields=None, include_fields=None, from_model_kwargs=None): instance = self._get_by_pack_ref( pack_ref=pack_ref, exclude_fields=exclude_fields, include_fields=include_fields, ) if not instance: msg = 'Unable to identify resource with pack_ref "%s".' % ( pack_ref) abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def get_one(self, pack_ref, requester_user): """ Retrieve config for a particular pack. Handles requests: GET /configs/<pack_ref> """ # TODO: Make sure secret values are masked try: instance = packs_service.get_pack_by_ref(pack_ref=pack_ref) except StackStormDBObjectNotFoundError: msg = 'Unable to identify resource with pack_ref "%s".' % ( pack_ref) abort(http_client.NOT_FOUND, msg) rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=instance, permission_type=PermissionType.PACK_VIEW) return self._get_one_by_pack_ref(pack_ref=pack_ref)
def delete(self, trigger_id): """ Delete a trigger. Handles requests: DELETE /triggers/1 """ LOG.info('DELETE /triggers/ with id=%s', trigger_id) trigger_db = TriggerController.__get_by_id(trigger_id) try: Trigger.delete(trigger_db) except Exception as e: LOG.exception('Database delete encountered exception during delete of id="%s". ', trigger_id) abort(http_client.INTERNAL_SERVER_ERROR, str(e)) return extra = {'trigger_db': trigger_db} LOG.audit('Trigger deleted. Trigger.id=%s' % (trigger_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def get_one(self, inquiry_id, requester_user=None): """Retrieve a single Inquiry Handles requests: GET /inquiries/<inquiry id> """ # Retrieve the desired inquiry # # (Passing permission_type here leverages _get_one_by_id's built-in # RBAC assertions) inquiry = self._get_one_by_id( id=inquiry_id, requester_user=requester_user, permission_type=PermissionType.INQUIRY_VIEW) sanity_result, msg = self._inquiry_sanity_check(inquiry) if not sanity_result: abort(http_client.BAD_REQUEST, msg) return InquiryResponseAPI.from_inquiry_api(inquiry)
def _get_one_by_name_or_id( self, name_or_id, requester_user, permission_type, exclude_fields=None, include_fields=None, from_model_kwargs=None, ): """ :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` :param include_fields: A list of object fields to include. :type include_fields: ``list`` """ instance = self._get_by_name_or_id( name_or_id=name_or_id, exclude_fields=exclude_fields, include_fields=include_fields, ) if permission_type: rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=instance, permission_type=permission_type, ) if not instance: msg = 'Unable to identify resource with name_or_id "%s".' % ( name_or_id) abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def put(self, instance, ref_or_id, requester_user): op = 'PUT /policies/%s/' % ref_or_id db_model = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug('%s found object: %s', op, db_model) permission_type = PermissionType.POLICY_MODIFY rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=db_model, permission_type=permission_type) db_model_id = db_model.id try: validate_not_part_of_system_pack(db_model) except ValueValidationException as e: LOG.exception('%s unable to update object from system pack.', op) abort(http_client.BAD_REQUEST, six.text_type(e)) if not getattr(instance, 'pack', None): instance.pack = db_model.pack try: db_model = self.model.to_model(instance) db_model.id = db_model_id db_model = self.access.add_or_update(db_model) except (ValidationError, ValueError) as e: LOG.exception('%s unable to update object: %s', op, db_model) abort(http_client.BAD_REQUEST, six.text_type(e)) return LOG.debug('%s updated object: %s', op, db_model) LOG.audit('Policy updated. Policy.id=%s' % (db_model.id), extra={'policy_db': db_model}) exec_result = self.model.from_model(db_model) return Response(json=exec_result, status=http_client.OK)
def _schedule_execution(self, action_alias_db, params, notify, context, requester_user, show_secrets): action_ref = action_alias_db.action_ref action_db = action_utils.get_action_by_ref(action_ref) if not action_db: raise StackStormDBObjectNotFoundError('Action with ref "%s" not found ' % (action_ref)) assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE) try: # prior to shipping off the params cast them to the right type. params = action_param_utils.cast_params(action_ref=action_alias_db.action_ref, params=params, cast_overrides=CAST_OVERRIDES) if not context: context = { 'action_alias_ref': reference.get_ref_from_model(action_alias_db), 'user': get_system_username() } liveaction = LiveActionDB(action=action_alias_db.action_ref, context=context, parameters=params, notify=notify) _, action_execution_db = action_service.request(liveaction) mask_secrets = self._get_mask_secrets(requester_user, show_secrets=show_secrets) return ActionExecutionAPI.from_model(action_execution_db, mask_secrets=mask_secrets) except ValueError as e: LOG.exception('Unable to execute action.') abort(http_client.BAD_REQUEST, str(e)) except jsonschema.ValidationError as e: LOG.exception('Unable to execute action. Parameter validation failed.') abort(http_client.BAD_REQUEST, str(e)) except Exception as e: LOG.exception('Unable to execute action. Unexpected error encountered.') abort(http_client.INTERNAL_SERVER_ERROR, str(e))
def put(self, triggertype, triggertype_ref_or_id): triggertype_db = self._get_by_ref_or_id(ref_or_id=triggertype_ref_or_id) triggertype_id = triggertype_db.id try: validate_not_part_of_system_pack(triggertype_db) except ValueValidationException as e: abort(http_client.BAD_REQUEST, six.text_type(e)) try: triggertype_db = TriggerTypeAPI.to_model(triggertype) if ( triggertype.id is not None and len(triggertype.id) > 0 and triggertype.id != triggertype_id ): LOG.warning( "Discarding mismatched id=%s found in payload and using uri_id=%s.", triggertype.id, triggertype_id, ) triggertype_db.id = triggertype_id old_triggertype_db = triggertype_db triggertype_db = TriggerType.add_or_update(triggertype_db) except (ValidationError, ValueError) as e: LOG.exception("Validation failed for triggertype data=%s", triggertype) abort(http_client.BAD_REQUEST, six.text_type(e)) return extra = { "old_triggertype_db": old_triggertype_db, "new_triggertype_db": triggertype_db, } LOG.audit( "TriggerType updated. TriggerType.id=%s" % (triggertype_db.id), extra=extra ) triggertype_api = TriggerTypeAPI.from_model(triggertype_db) return triggertype_api
def post(self, rule, requester_user): """ Create a new rule. Handles requests: POST /rules/ """ permission_type = PermissionType.RULE_CREATE rbac_utils.assert_user_has_resource_api_permission(user_db=requester_user, resource_api=rule, permission_type=permission_type) if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) # Validate that the authenticated user is admin if user query param is provided user = requester_user.name assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user, user=user) if not hasattr(rule, 'context'): rule.context = dict() rule.context['user'] = user try: rule_db = RuleAPI.to_model(rule) LOG.debug('/rules/ POST verified RuleAPI and formulated RuleDB=%s', rule_db) # Check referenced trigger and action permissions # Note: This needs to happen after "to_model" call since to_model performs some # validation (trigger exists, etc.) assert_user_has_rule_trigger_and_action_permission(user_db=requester_user, rule_api=rule) rule_db = Rule.add_or_update(rule_db) # After the rule has been added modify the ref_count. This way a failure to add # the rule due to violated constraints will have no impact on ref_count. increment_trigger_ref_count(rule_api=rule) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for rule data=%s.', rule) abort(http_client.BAD_REQUEST, str(e)) return except (ValueValidationException, jsonschema.ValidationError) as e: LOG.exception('Validation failed for rule data=%s.', rule) abort(http_client.BAD_REQUEST, str(e)) return except TriggerDoesNotExistException as e: msg = ('Trigger "%s" defined in the rule does not exist in system or it\'s missing ' 'required "parameters" attribute' % (rule.trigger['type'])) LOG.exception(msg) abort(http_client.BAD_REQUEST, msg) return extra = {'rule_db': rule_db} LOG.audit('Rule created. Rule.id=%s' % (rule_db.id), extra=extra) rule_api = RuleAPI.from_model(rule_db) return Response(json=rule_api, status=exc.HTTPCreated.code)
def delete(self, triggertype_ref_or_id): """ Delete a triggertype. Handles requests: DELETE /triggertypes/1 DELETE /triggertypes/pack.name """ LOG.info("DELETE /triggertypes/ with ref_or_id=%s", triggertype_ref_or_id) triggertype_db = self._get_by_ref_or_id( ref_or_id=triggertype_ref_or_id) triggertype_id = triggertype_db.id try: validate_not_part_of_system_pack(triggertype_db) except ValueValidationException as e: abort(http_client.BAD_REQUEST, six.text_type(e)) try: TriggerType.delete(triggertype_db) except Exception as e: LOG.exception( 'Database delete encountered exception during delete of id="%s". ', triggertype_id, ) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return else: extra = {"triggertype": triggertype_db} LOG.audit( "TriggerType deleted. TriggerType.id=%s" % (triggertype_db.id), extra=extra, ) if not triggertype_db.parameters_schema: TriggerTypeController._delete_shadow_trigger(triggertype_db) return Response(status=http_client.NO_CONTENT)
def delete(self, ref_or_id, requester_user): """ Delete a policy. Handles requests: POST /policies/1?_method=delete DELETE /policies/1 DELETE /policies/mypack.mypolicy """ op = 'DELETE /policies/%s/' % ref_or_id db_model = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug('%s found object: %s', op, db_model) permission_type = PermissionType.POLICY_DELETE rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=db_model, permission_type=permission_type) try: validate_not_part_of_system_pack(db_model) except ValueValidationException as e: LOG.exception('%s unable to delete object from system pack.', op) abort(http_client.BAD_REQUEST, six.text_type(e)) try: self.access.delete(db_model) except Exception as e: LOG.exception('%s unable to delete object: %s', op, db_model) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return LOG.debug('%s deleted object: %s', op, db_model) LOG.audit('Policy deleted. Policy.id=%s' % (db_model.id), extra={'policy_db': db_model}) # return None return Response(status=http_client.NO_CONTENT)
def _handle_schedule_execution(self, liveaction_api, requester_user, context_string=None, show_secrets=False): """ :param liveaction: LiveActionAPI object. :type liveaction: :class:`LiveActionAPI` """ if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) # Assert the permissions action_ref = liveaction_api.action action_db = action_utils.get_action_by_ref(action_ref) user = liveaction_api.user or requester_user.name assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE) # Validate that the authenticated user is admin if user query param is provided assert_user_is_admin_if_user_query_param_is_provided( user_db=requester_user, user=user) try: return self._schedule_execution(liveaction=liveaction_api, requester_user=requester_user, user=user, context_string=context_string, show_secrets=show_secrets) except ValueError as e: LOG.exception('Unable to execute action.') abort(http_client.BAD_REQUEST, str(e)) except jsonschema.ValidationError as e: LOG.exception( 'Unable to execute action. Parameter validation failed.') abort(http_client.BAD_REQUEST, re.sub("u'([^']*)'", r"'\1'", e.message)) except TraceNotFoundException as e: abort(http_client.BAD_REQUEST, str(e)) except ValueValidationException as e: raise e except Exception as e: LOG.exception( 'Unable to execute action. Unexpected error encountered.') abort(http_client.INTERNAL_SERVER_ERROR, str(e))
def delete(self, ref_or_id, requester_user): """ Delete an action. Handles requests: POST /actions/1?_method=delete DELETE /actions/1 DELETE /actions/mypack.myaction """ action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) action_id = action_db.id permission_type = PermissionType.ACTION_DELETE rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_db, permission_type=permission_type) try: validate_not_part_of_system_pack(action_db) except ValueValidationException as e: abort(http_client.BAD_REQUEST, six.text_type(e)) LOG.debug('DELETE /actions/ lookup with ref_or_id=%s found object: %s', ref_or_id, action_db) try: Action.delete(action_db) except Exception as e: LOG.error( 'Database delete encountered exception during delete of id="%s". ' 'Exception was %s', action_id, e) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return extra = {'action_db': action_db} LOG.audit('Action deleted. Action.id=%s' % (action_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def get_one(self, pack_ref, requester_user, show_secrets=False): """ Retrieve config for a particular pack. Handles requests: GET /configs/<pack_ref> """ from_model_kwargs = { 'mask_secrets': self._get_mask_secrets(requester_user, show_secrets=show_secrets) } try: instance = packs_service.get_pack_by_ref(pack_ref=pack_ref) except StackStormDBObjectNotFoundError: msg = 'Unable to identify resource with pack_ref "%s".' % (pack_ref) abort(http_client.NOT_FOUND, msg) rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=PermissionType.PACK_VIEW) return self._get_one_by_pack_ref(pack_ref=pack_ref, from_model_kwargs=from_model_kwargs)
def put(self, action_alias, ref_or_id, requester_user): """ Update an action alias. Handles requests: PUT /actionalias/1 """ action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug('PUT /actionalias/ lookup with id=%s found object: %s', ref_or_id, action_alias_db) permission_type = PermissionType.ACTION_ALIAS_MODIFY rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_alias_db, permission_type=permission_type) if not hasattr(action_alias, 'id'): action_alias.id = None try: if action_alias.id is not None and action_alias.id != '' and \ action_alias.id != ref_or_id: LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.', action_alias.id, ref_or_id) old_action_alias_db = action_alias_db action_alias_db = ActionAliasAPI.to_model(action_alias) action_alias_db.id = ref_or_id action_alias_db = ActionAlias.add_or_update(action_alias_db) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for action alias data=%s', action_alias) abort(http_client.BAD_REQUEST, six.text_type(e)) return extra = {'old_action_alias_db': old_action_alias_db, 'new_action_alias_db': action_alias_db} LOG.audit('Action alias updated. ActionAlias.id=%s.' % (action_alias_db.id), extra=extra) action_alias_api = ActionAliasAPI.from_model(action_alias_db) return action_alias_api
def delete(self, ref_or_id, requester_user): """ Delete an action alias. Handles requests: DELETE /actionalias/1 """ action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug( "DELETE /actionalias/ lookup with id=%s found object: %s", ref_or_id, action_alias_db, ) permission_type = PermissionType.ACTION_ALIAS_DELETE rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_alias_db, permission_type=permission_type, ) try: ActionAlias.delete(action_alias_db) except Exception as e: LOG.exception( 'Database delete encountered exception during delete of id="%s".', ref_or_id, ) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return extra = {"action_alias_db": action_alias_db} LOG.audit( "Action alias deleted. ActionAlias.id=%s." % (action_alias_db.id), extra=extra, ) return Response(status=http_client.NO_CONTENT)
def put(self, runner_type_api, name_or_id, requester_user): # Note: We only allow "enabled" attribute of the runner to be changed runner_type_db = self._get_by_name_or_id(name_or_id=name_or_id) permission_type = PermissionType.RUNNER_MODIFY rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=runner_type_db, permission_type=permission_type) old_runner_type_db = runner_type_db LOG.debug('PUT /runnertypes/ lookup with id=%s found object: %s', name_or_id, runner_type_db) try: if runner_type_api.id and runner_type_api.id != name_or_id: LOG.warning( 'Discarding mismatched id=%s found in payload and using uri_id=%s.', runner_type_api.id, name_or_id) runner_type_db.enabled = runner_type_api.enabled runner_type_db = RunnerType.add_or_update(runner_type_db) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for runner type data=%s', runner_type_api) abort(http_client.BAD_REQUEST, six.text_type(e)) return extra = { 'old_runner_type_db': old_runner_type_db, 'new_runner_type_db': runner_type_db } LOG.audit('Runner Type updated. RunnerType.id=%s.' % (runner_type_db.id), extra=extra) runner_type_api = RunnerTypeAPI.from_model(runner_type_db) return runner_type_api
def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=None, from_model_kwargs=None): try: instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields) except Exception as e: LOG.exception(e.message) abort(http_client.NOT_FOUND, e.message) return if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) if result and self.include_reference: pack = getattr(result, 'pack', None) name = getattr(result, 'name', None) result.ref = ResourceReference(pack=pack, name=name).ref return Response(json=result)
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None, from_model_kwargs=None): """ :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` """ instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields) if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with id "%s".' % id abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def help(self, filter, pack, limit, offset, **kwargs): """ Get available help strings for action aliases. Handles requests: GET /actionalias/help """ try: aliases_resp = super(ActionAliasController, self)._get_all(**kwargs) aliases = [ActionAliasAPI(**alias) for alias in aliases_resp.json] return generate_helpstring_result(aliases, filter, pack, int(limit), int(offset)) except (TypeError) as e: LOG.exception('Helpstring request contains an invalid data type: %s.', six.text_type(e)) return abort(http_client.BAD_REQUEST, six.text_type(e))
def post(self, action_alias, requester_user): """ Create a new ActionAlias. Handles requests: POST /actionalias/ """ permission_type = PermissionType.ACTION_ALIAS_CREATE rbac_utils = get_rbac_backend().get_utils_class() rbac_utils.assert_user_has_resource_api_permission( user_db=requester_user, resource_api=action_alias, permission_type=permission_type, ) try: action_alias_db = ActionAliasAPI.to_model(action_alias) LOG.debug( "/actionalias/ POST verified ActionAliasAPI and formulated ActionAliasDB=%s", action_alias_db, ) action_alias_db = ActionAlias.add_or_update(action_alias_db) except (ValidationError, ValueError, ValueValidationException) as e: LOG.exception("Validation failed for action alias data=%s.", action_alias) abort(http_client.BAD_REQUEST, six.text_type(e)) return extra = {"action_alias_db": action_alias_db} LOG.audit( "Action alias created. ActionAlias.id=%s" % (action_alias_db.id), extra=extra, ) action_alias_api = ActionAliasAPI.from_model(action_alias_db) return Response(json=action_alias_api, status=http_client.CREATED)
def post(self, triggertype): """ Create a new triggertype. Handles requests: POST /triggertypes/ """ try: triggertype_db = TriggerTypeAPI.to_model(triggertype) triggertype_db = TriggerType.add_or_update(triggertype_db) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for triggertype data=%s.', triggertype) abort(http_client.BAD_REQUEST, str(e)) return else: extra = {'triggertype_db': triggertype_db} LOG.audit('TriggerType created. TriggerType.id=%s' % (triggertype_db.id), extra=extra) if not triggertype_db.parameters_schema: TriggerTypeController._create_shadow_trigger(triggertype_db) triggertype_api = TriggerTypeAPI.from_model(triggertype_db) return Response(json=triggertype_api, status=http_client.CREATED)
def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=None, include_fields=None, from_model_kwargs=None): try: instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields, include_fields=include_fields) except Exception as e: LOG.exception(str(e)) abort(http_client.NOT_FOUND, str(e)) return if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) # Perform resource isolation check (if supported) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.resource_model_filter(model=self.model, instance=instance, requester_user=requester_user, **from_model_kwargs) if not result: LOG.debug('Not returning the result because RBAC resource isolation is enabled and ' 'current user doesn\'t match the resource user') raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user, resource_api_or_db=instance, permission_type=permission_type) if result and self.include_reference: pack = getattr(result, 'pack', None) name = getattr(result, 'name', None) result.ref = ResourceReference(pack=pack, name=name).ref return Response(json=result)
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None, include_fields=None, from_model_kwargs=None): """ :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` :param include_fields: A list of object fields to include. :type include_fields: ``list`` """ instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields, include_fields=include_fields) if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with id "%s".' % id abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.resource_model_filter(model=self.model, instance=instance, requester_user=requester_user, **from_model_kwargs) if not result: LOG.debug('Not returning the result because RBAC resource isolation is enabled and ' 'current user doesn\'t match the resource user') raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user, resource_api_or_db=instance, permission_type=permission_type) return result
def match_and_execute(self, input_api, requester_user, show_secrets=False): """ Try to find a matching alias and if one is found, schedule a new execution by parsing parameters from the provided command against the matched alias. Handles requests: POST /aliasexecution/match_and_execute """ command = input_api.command try: format_ = get_matching_alias(command=command) except ActionAliasAmbiguityException as e: LOG.exception('Command "%s" matched (%s) patterns.', e.command, len(e.matches)) return abort(http_client.BAD_REQUEST, six.text_type(e)) action_alias_db = format_["alias"] representation = format_["representation"] params = { "name": action_alias_db.name, "format": representation, "command": command, "user": input_api.user, "source_channel": input_api.source_channel, } # Add in any additional parameters provided by the user if input_api.notification_channel: params["notification_channel"] = input_api.notification_channel if input_api.notification_route: params["notification_route"] = input_api.notification_route alias_execution_api = AliasMatchAndExecuteInputAPI(**params) results = self._post( payload=alias_execution_api, requester_user=requester_user, show_secrets=show_secrets, match_multiple=format_["match_multiple"], ) return Response(json={"results": results}, status=http_client.CREATED)