def delete(self, ref_or_id, requester_user): """ Delete an action alias. Handles requests: DELETE /actionalias/1 """ action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug('DELETE /actionalias/ lookup with id=%s found object: %s', ref_or_id, action_alias_db) permission_type = PermissionType.ACTION_ALIAS_DELETE rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_alias_db, permission_type=permission_type) try: ActionAlias.delete(action_alias_db) except Exception as e: LOG.exception( 'Database delete encountered exception during delete of id="%s".', ref_or_id) abort(http_client.INTERNAL_SERVER_ERROR, str(e)) return extra = {'action_alias_db': action_alias_db} LOG.audit('Action alias deleted. ActionAlias.id=%s.' % (action_alias_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=None, from_model_kwargs=None): try: instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields) except Exception as e: LOG.exception(e.message) abort(http_client.NOT_FOUND, e.message) return if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.resource_model_filter(model=self.model, instance=instance, requester_user=requester_user, **from_model_kwargs) if not result: LOG.debug('Not returning the result because RBAC resource isolation is enabled and ' 'current user doesn\'t match the resource user') raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user, resource_api_or_db=instance, permission_type=permission_type) if result and self.include_reference: pack = getattr(result, 'pack', None) name = getattr(result, 'name', None) result.ref = ResourceReference(pack=pack, name=name).ref return Response(json=result)
def _get_one_by_name_or_id(self, name_or_id, permission_type, exclude_fields=None, from_model_kwargs=None, requester_user=None): """ :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` """ instance = self._get_by_name_or_id(name_or_id=name_or_id, exclude_fields=exclude_fields) if permission_type: rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with name_or_id "%s".' % ( name_or_id) abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def get_one(self, ref_or_id, requester_user): """ Outputs the file associated with action entry_point Handles requests: GET /actions/views/entry_point/1 """ LOG.info('GET /actions/views/entry_point with ref_or_id=%s', ref_or_id) action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) permission_type = PermissionType.ACTION_VIEW rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_db, permission_type=permission_type) pack = getattr(action_db, 'pack', None) entry_point = getattr(action_db, 'entry_point', None) abs_path = utils.get_entry_point_abs_path(pack, entry_point) if not abs_path: raise StackStormDBObjectNotFoundError( 'Action ref_or_id=%s has no entry_point to output' % ref_or_id) with open(abs_path) as file: content = file.read() return content
def _get_one_by_name_or_id(self, name_or_id, requester_user, permission_type, exclude_fields=None, include_fields=None, from_model_kwargs=None): """ :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` :param include_fields: A list of object fields to include. :type include_fields: ``list`` """ instance = self._get_by_name_or_id(name_or_id=name_or_id, exclude_fields=exclude_fields, include_fields=include_fields) if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with name_or_id "%s".' % (name_or_id) abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def delete(self, rule_ref_or_id, requester_user): """ Delete a rule. Handles requests: DELETE /rules/1 """ rule_db = self._get_by_ref_or_id(ref_or_id=rule_ref_or_id) permission_type = PermissionType.RULE_DELETE rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=rule_db, permission_type=permission_type) LOG.debug('DELETE /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db) try: Rule.delete(rule_db) except Exception as e: LOG.exception( 'Database delete encountered exception during delete of id="%s".', rule_ref_or_id) abort(http_client.INTERNAL_SERVER_ERROR, str(e)) return # use old_rule_db for cleanup. cleanup_trigger_db_for_rule(rule_db) extra = {'rule_db': rule_db} LOG.audit('Rule deleted. Rule.id=%s.' % (rule_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=None, include_fields=None, from_model_kwargs=None): try: instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields, include_fields=include_fields) except Exception as e: LOG.exception(six.text_type(e)) abort(http_client.NOT_FOUND, six.text_type(e)) return if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) # Perform resource isolation check (if supported) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.resource_model_filter(model=self.model, instance=instance, requester_user=requester_user, **from_model_kwargs) if not result: LOG.debug('Not returning the result because RBAC resource isolation is enabled and ' 'current user doesn\'t match the resource user') raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user, resource_api_or_db=instance, permission_type=permission_type) return Response(json=result)
def get(self, id, attribute, requester_user): """ Retrieve a particular attribute for the provided action execution. Handles requests: GET /executions/<id>/attribute/<attribute name> :rtype: ``dict`` """ fields = [attribute, 'action__pack', 'action__uid'] try: fields = self._validate_exclude_fields(fields) except ValueError: valid_attributes = ', '.join( ActionExecutionsControllerMixin.valid_exclude_attributes) msg = ( 'Invalid attribute "%s" specified. Valid attributes are: %s' % (attribute, valid_attributes)) raise ValueError(msg) action_exec_db = self.access.impl.model.objects.filter(id=id).only( *fields).get() permission_type = PermissionType.EXECUTION_VIEW rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_exec_db, permission_type=permission_type) result = getattr(action_exec_db, attribute, None) return result
def delete(self, ref_or_id, requester_user): """ Delete an action alias. Handles requests: DELETE /actionalias/1 """ action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug('DELETE /actionalias/ lookup with id=%s found object: %s', ref_or_id, action_alias_db) permission_type = PermissionType.ACTION_ALIAS_DELETE rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_alias_db, permission_type=permission_type) try: ActionAlias.delete(action_alias_db) except Exception as e: LOG.exception('Database delete encountered exception during delete of id="%s".', ref_or_id) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return extra = {'action_alias_db': action_alias_db} LOG.audit('Action alias deleted. ActionAlias.id=%s.' % (action_alias_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None, from_model_kwargs=None): """ :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` """ instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields) if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with id "%s".' % id abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.resource_model_filter(model=self.model, instance=instance, requester_user=requester_user, **from_model_kwargs) if not result: LOG.debug('Not returning the result because RBAC resource isolation is enabled and ' 'current user doesn\'t match the resource user') raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user, resource_api_or_db=instance, permission_type=permission_type) return result
def _get_one(self, ref_or_id, requester_user, permission_type, exclude_fields=None, include_fields=None, from_model_kwargs=None): try: instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields, include_fields=include_fields) except Exception as e: LOG.exception(str(e)) abort(http_client.NOT_FOUND, str(e)) return if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) # Perform resource isolation check (if supported) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.resource_model_filter(model=self.model, instance=instance, requester_user=requester_user, **from_model_kwargs) if not result: LOG.debug('Not returning the result because RBAC resource isolation is enabled and ' 'current user doesn\'t match the resource user') raise ResourceAccessDeniedPermissionIsolationError(user_db=requester_user, resource_api_or_db=instance, permission_type=permission_type) return Response(json=result)
def _schedule_execution(self, action_alias_db, params, notify, context, requester_user, show_secrets): action_ref = action_alias_db.action_ref action_db = action_utils.get_action_by_ref(action_ref) if not action_db: raise StackStormDBObjectNotFoundError('Action with ref "%s" not found ' % (action_ref)) assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE) try: # prior to shipping off the params cast them to the right type. params = action_param_utils.cast_params(action_ref=action_alias_db.action_ref, params=params, cast_overrides=CAST_OVERRIDES) if not context: context = { 'action_alias_ref': reference.get_ref_from_model(action_alias_db), 'user': get_system_username() } liveaction = LiveActionDB(action=action_alias_db.action_ref, context=context, parameters=params, notify=notify) _, action_execution_db = action_service.request(liveaction) mask_secrets = self._get_mask_secrets(requester_user, show_secrets=show_secrets) return ActionExecutionAPI.from_model(action_execution_db, mask_secrets=mask_secrets) except ValueError as e: LOG.exception('Unable to execute action.') abort(http_client.BAD_REQUEST, six.text_type(e)) except jsonschema.ValidationError as e: LOG.exception('Unable to execute action. Parameter validation failed.') abort(http_client.BAD_REQUEST, six.text_type(e)) except Exception as e: LOG.exception('Unable to execute action. Unexpected error encountered.') abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
def _schedule_execution(self, action_alias_db, params, notify, context, requester_user, show_secrets): action_ref = action_alias_db.action_ref action_db = action_utils.get_action_by_ref(action_ref) if not action_db: raise StackStormDBObjectNotFoundError('Action with ref "%s" not found ' % (action_ref)) assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE) try: # prior to shipping off the params cast them to the right type. params = action_param_utils.cast_params(action_ref=action_alias_db.action_ref, params=params, cast_overrides=CAST_OVERRIDES) if not context: context = { 'action_alias_ref': reference.get_ref_from_model(action_alias_db), 'user': get_system_username() } liveaction = LiveActionDB(action=action_alias_db.action_ref, context=context, parameters=params, notify=notify) _, action_execution_db = action_service.request(liveaction) mask_secrets = self._get_mask_secrets(requester_user, show_secrets=show_secrets) return ActionExecutionAPI.from_model(action_execution_db, mask_secrets=mask_secrets) except ValueError as e: LOG.exception('Unable to execute action.') abort(http_client.BAD_REQUEST, str(e)) except jsonschema.ValidationError as e: LOG.exception('Unable to execute action. Parameter validation failed.') abort(http_client.BAD_REQUEST, str(e)) except Exception as e: LOG.exception('Unable to execute action. Unexpected error encountered.') abort(http_client.INTERNAL_SERVER_ERROR, str(e))
def put(self, runner_type_api, name_or_id, requester_user): # Note: We only allow "enabled" attribute of the runner to be changed runner_type_db = self._get_by_name_or_id(name_or_id=name_or_id) permission_type = PermissionType.RUNNER_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=runner_type_db, permission_type=permission_type) old_runner_type_db = runner_type_db LOG.debug('PUT /runnertypes/ lookup with id=%s found object: %s', name_or_id, runner_type_db) try: if runner_type_api.id and runner_type_api.id != name_or_id: LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.', runner_type_api.id, name_or_id) runner_type_db.enabled = runner_type_api.enabled runner_type_db = RunnerType.add_or_update(runner_type_db) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for runner type data=%s', runner_type_api) abort(http_client.BAD_REQUEST, six.text_type(e)) return extra = {'old_runner_type_db': old_runner_type_db, 'new_runner_type_db': runner_type_db} LOG.audit('Runner Type updated. RunnerType.id=%s.' % (runner_type_db.id), extra=extra) runner_type_api = RunnerTypeAPI.from_model(runner_type_db) return runner_type_api
def get(self, id, attribute, requester_user): """ Retrieve a particular attribute for the provided action execution. Handles requests: GET /executions/<id>/attribute/<attribute name> :rtype: ``dict`` """ fields = [attribute, 'action__pack', 'action__uid'] try: fields = self._validate_exclude_fields(fields) except ValueError: valid_attributes = ', '.join(ActionExecutionsControllerMixin.valid_exclude_attributes) msg = ('Invalid attribute "%s" specified. Valid attributes are: %s' % (attribute, valid_attributes)) raise ValueError(msg) action_exec_db = self.access.impl.model.objects.filter(id=id).only(*fields).get() permission_type = PermissionType.EXECUTION_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_exec_db, permission_type=permission_type) result = getattr(action_exec_db, attribute, None) return Response(json=result, status=http_client.OK)
def get_one(self, id, requester_user, depth=-1, result_fmt=None, show_secrets=False): """ Retrieve children for the provided action execution. :rtype: ``list`` """ instance = self._get_by_id(resource_id=id) permission_type = PermissionType.EXECUTION_VIEW rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=instance, permission_type=permission_type) return self._get_children(id_=id, depth=depth, result_fmt=result_fmt, requester_user=requester_user, show_secrets=show_secrets)
def get_one(self, ref_or_id, requester_user): """ Outputs the file associated with action entry_point Handles requests: GET /actions/views/entry_point/1 """ LOG.info('GET /actions/views/entry_point with ref_or_id=%s', ref_or_id) action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) permission_type = PermissionType.ACTION_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db, permission_type=permission_type) pack = getattr(action_db, 'pack', None) entry_point = getattr(action_db, 'entry_point', None) abs_path = utils.get_entry_point_abs_path(pack, entry_point) if not abs_path: raise StackStormDBObjectNotFoundError('Action ref_or_id=%s has no entry_point to output' % ref_or_id) with open(abs_path) as file: content = file.read() return content
def get_one(self, pack_ref, requester_user, show_secrets=False): """ Retrieve config for a particular pack. Handles requests: GET /configs/<pack_ref> """ from_model_kwargs = { 'mask_secrets': self._get_mask_secrets(requester_user, show_secrets=show_secrets) } try: instance = packs_service.get_pack_by_ref(pack_ref=pack_ref) except StackStormDBObjectNotFoundError: msg = 'Unable to identify resource with pack_ref "%s".' % ( pack_ref) abort(http_client.NOT_FOUND, msg) rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=instance, permission_type=PermissionType.PACK_VIEW) return self._get_one_by_pack_ref(pack_ref=pack_ref, from_model_kwargs=from_model_kwargs)
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None, from_model_kwargs=None): """Override ResourceController._get_one_by_id to contain scope of Inquiries UID hack :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` """ instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields) # _get_by_id pulls the resource by ID directly off of the database. Since # Inquiries don't have their own DB model yet, this comes in the format # "execution:<id>". So, to allow RBAC to get a handle on inquiries specifically, # we're overriding the "get_uid" function to return one specific to Inquiries. # # TODO (mierdin): All of this should be removed once Inquiries get their own DB model if getattr(instance, 'runner', None) and instance.runner.get('runner_module') == 'inquirer': def get_uid(): return "inquiry" instance.get_uid = get_uid if permission_type: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with id "%s".' % id abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def delete(self, rule_ref_or_id, requester_user): """ Delete a rule. Handles requests: DELETE /rules/1 """ rule_db = self._get_by_ref_or_id(ref_or_id=rule_ref_or_id) permission_type = PermissionType.RULE_DELETE rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=rule_db, permission_type=permission_type) LOG.debug('DELETE /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db) try: Rule.delete(rule_db) except Exception as e: LOG.exception('Database delete encountered exception during delete of id="%s".', rule_ref_or_id) abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e)) return # use old_rule_db for cleanup. cleanup_trigger_db_for_rule(rule_db) extra = {'rule_db': rule_db} LOG.audit('Rule deleted. Rule.id=%s.' % (rule_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def get_one(self, api_key_id_or_key, requester_user, show_secrets=None): """ List api keys. Handle: GET /apikeys/1 """ api_key_db = None try: api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key) except ApiKeyNotFoundError: msg = ('ApiKey matching %s for reference and id not found.' % (api_key_id_or_key)) LOG.exception(msg) abort(http_client.NOT_FOUND, msg) permission_type = PermissionType.API_KEY_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=api_key_db, permission_type=permission_type) try: mask_secrets = self._get_mask_secrets(show_secrets=show_secrets, requester_user=requester_user) return ApiKeyAPI.from_model(api_key_db, mask_secrets=mask_secrets) except (ValidationError, ValueError) as e: LOG.exception('Failed to serialize API key.') abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
def _get_one(self, ref_or_id, permission_type, exclude_fields=None, from_model_kwargs=None, requester_user=None): try: instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields) except Exception as e: LOG.exception(e.message) abort(http_client.NOT_FOUND, e.message) return if permission_type: rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=instance, permission_type=permission_type) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) if result and self.include_reference: pack = getattr(result, 'pack', None) name = getattr(result, 'name', None) result.ref = ResourceReference(pack=pack, name=name).ref return Response(json=result)
def get_one(self, api_key_id_or_key, requester_user, show_secrets=None): """ List api keys. Handle: GET /apikeys/1 """ api_key_db = None try: api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key) except ApiKeyNotFoundError: msg = ('ApiKey matching %s for reference and id not found.' % (api_key_id_or_key)) LOG.exception(msg) abort(http_client.NOT_FOUND, msg) permission_type = PermissionType.API_KEY_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=api_key_db, permission_type=permission_type) try: mask_secrets = self._get_mask_secrets(show_secrets=show_secrets, requester_user=requester_user) return ApiKeyAPI.from_model(api_key_db, mask_secrets=mask_secrets) except (ValidationError, ValueError) as e: LOG.exception('Failed to serialize API key.') abort(http_client.INTERNAL_SERVER_ERROR, str(e))
def post(self, hook, webhook_body_api, headers, requester_user): body = webhook_body_api.data permission_type = PermissionType.WEBHOOK_SEND rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=WebhookDB(name=hook), permission_type=permission_type) headers = self._get_headers_as_dict(headers) # If webhook contains a trace-tag use that else create create a unique trace-tag. trace_context = self._create_trace_context(trace_tag=headers.pop( TRACE_TAG_HEADER, None), hook=hook) if hook == 'st2' or hook == 'st2/': # When using st2 or system webhook, body needs to always be a dict if not isinstance(body, dict): type_string = get_json_type_for_python_value(body) msg = ('Webhook body needs to be an object, got: %s' % (type_string)) raise ValueError(msg) trigger = body.get('trigger', None) payload = body.get('payload', None) if not trigger: msg = 'Trigger not specified.' return abort(http_client.BAD_REQUEST, msg) self._trigger_dispatcher_service.dispatch_with_context( trigger=trigger, payload=payload, trace_context=trace_context, throw_on_validation_error=True) else: if not self._is_valid_hook(hook): self._log_request('Invalid hook.', headers, body) msg = 'Webhook %s not registered with st2' % hook return abort(http_client.NOT_FOUND, msg) triggers = self._hooks.get_triggers_for_hook(hook) payload = {} payload['headers'] = headers payload['body'] = body # Dispatch trigger instance for each of the trigger found for trigger_dict in triggers: # TODO: Instead of dispatching the whole dict we should just # dispatch TriggerDB.ref or similar self._trigger_dispatcher_service.dispatch_with_context( trigger=trigger_dict, payload=payload, trace_context=trace_context, throw_on_validation_error=True) return Response(json=body, status=http_client.ACCEPTED)
def get_one(self, ref_or_id, file_path, requester_user, **kwargs): """ Outputs the content of a specific file in a pack. Handles requests: GET /packs/views/file/<pack_ref_or_id>/<file path> """ pack_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) if not pack_db: msg = 'Pack with ref_or_id "%s" does not exist' % (ref_or_id) raise StackStormDBObjectNotFoundError(msg) if not file_path: raise ValueError('Missing file path') pack_ref = pack_db.ref # Note: Until list filtering is in place we don't require RBAC check for icon file permission_type = PermissionType.PACK_VIEW if file_path not in WHITELISTED_FILE_PATHS: rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=pack_db, permission_type=permission_type) normalized_file_path = get_pack_file_abs_path(pack_ref=pack_ref, file_path=file_path) if not normalized_file_path or not os.path.isfile( normalized_file_path): # Ignore references to files which don't exist on disk raise StackStormDBObjectNotFoundError('File "%s" not found' % (file_path)) file_size, file_mtime = self._get_file_stats( file_path=normalized_file_path) response = Response() if not self._is_file_changed(file_mtime, **kwargs): response.status = http_client.NOT_MODIFIED else: if file_size is not None and file_size > MAX_FILE_SIZE: msg = ('File %s exceeds maximum allowed file size (%s bytes)' % (file_path, MAX_FILE_SIZE)) raise ValueError(msg) content_type = mimetypes.guess_type(normalized_file_path)[0] or \ 'application/octet-stream' response.headers['Content-Type'] = content_type response.body = self._get_file_content( file_path=normalized_file_path) response.headers['Last-Modified'] = format_date_time(file_mtime) response.headers['ETag'] = repr(file_mtime) return response
def put(self, rule, rule_ref_or_id, requester_user): rule_db = self._get_by_ref_or_id(rule_ref_or_id) permission_type = PermissionType.RULE_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=rule, permission_type=permission_type) LOG.debug('PUT /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db) if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) # Validate that the authenticated user is admin if user query param is provided user = requester_user.name assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user, user=user) if not hasattr(rule, 'context'): rule.context = dict() rule.context['user'] = user try: if rule.id is not None and rule.id is not '' and rule.id != rule_ref_or_id: LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.', rule.id, rule_ref_or_id) old_rule_db = rule_db try: rule_db = RuleAPI.to_model(rule) except TriggerDoesNotExistException as e: abort(http_client.BAD_REQUEST, str(e)) return # Check referenced trigger and action permissions # Note: This needs to happen after "to_model" call since to_model performs some # validation (trigger exists, etc.) assert_user_has_rule_trigger_and_action_permission(user_db=requester_user, rule_api=rule) rule_db.id = rule_ref_or_id rule_db = Rule.add_or_update(rule_db) # After the rule has been added modify the ref_count. This way a failure to add # the rule due to violated constraints will have no impact on ref_count. increment_trigger_ref_count(rule_api=rule) except (ValueValidationException, jsonschema.ValidationError, ValueError) as e: LOG.exception('Validation failed for rule data=%s', rule) abort(http_client.BAD_REQUEST, str(e)) return # use old_rule_db for cleanup. cleanup_trigger_db_for_rule(old_rule_db) extra = {'old_rule_db': old_rule_db, 'new_rule_db': rule_db} LOG.audit('Rule updated. Rule.id=%s.' % (rule_db.id), extra=extra) rule_api = RuleAPI.from_model(rule_db) return rule_api
def put(self, rule, rule_ref_or_id, requester_user): rule_db = self._get_by_ref_or_id(rule_ref_or_id) permission_type = PermissionType.RULE_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=rule, permission_type=permission_type) LOG.debug('PUT /rules/ lookup with id=%s found object: %s', rule_ref_or_id, rule_db) if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) # Validate that the authenticated user is admin if user query param is provided user = requester_user.name assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user, user=user) if not hasattr(rule, 'context'): rule.context = dict() rule.context['user'] = user try: if rule.id is not None and rule.id is not '' and rule.id != rule_ref_or_id: LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.', rule.id, rule_ref_or_id) old_rule_db = rule_db try: rule_db = RuleAPI.to_model(rule) except TriggerDoesNotExistException as e: abort(http_client.BAD_REQUEST, six.text_type(e)) return # Check referenced trigger and action permissions # Note: This needs to happen after "to_model" call since to_model performs some # validation (trigger exists, etc.) assert_user_has_rule_trigger_and_action_permission(user_db=requester_user, rule_api=rule) rule_db.id = rule_ref_or_id rule_db = Rule.add_or_update(rule_db) # After the rule has been added modify the ref_count. This way a failure to add # the rule due to violated constraints will have no impact on ref_count. increment_trigger_ref_count(rule_api=rule) except (ValueValidationException, jsonschema.ValidationError, ValueError) as e: LOG.exception('Validation failed for rule data=%s', rule) abort(http_client.BAD_REQUEST, six.text_type(e)) return # use old_rule_db for cleanup. cleanup_trigger_db_for_rule(old_rule_db) extra = {'old_rule_db': old_rule_db, 'new_rule_db': rule_db} LOG.audit('Rule updated. Rule.id=%s.' % (rule_db.id), extra=extra) rule_api = RuleAPI.from_model(rule_db) return rule_api
def _handle_schedule_execution(self, liveaction_api, requester_user, context_string=None, show_secrets=False): """ :param liveaction: LiveActionAPI object. :type liveaction: :class:`LiveActionAPI` """ if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) # Assert action ref is valid action_ref = liveaction_api.action action_db = action_utils.get_action_by_ref(action_ref) if not action_db: message = 'Action "%s" cannot be found.' % action_ref LOG.warning(message) abort(http_client.BAD_REQUEST, message) # Assert the permissions assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE) # Validate that the authenticated user is admin if user query param is provided user = liveaction_api.user or requester_user.name assert_user_is_admin_if_user_query_param_is_provided( user_db=requester_user, user=user) try: return self._schedule_execution(liveaction=liveaction_api, requester_user=requester_user, user=user, context_string=context_string, show_secrets=show_secrets, pack=action_db.pack) except ValueError as e: LOG.exception('Unable to execute action.') abort(http_client.BAD_REQUEST, str(e)) except jsonschema.ValidationError as e: LOG.exception( 'Unable to execute action. Parameter validation failed.') abort(http_client.BAD_REQUEST, re.sub("u'([^']*)'", r"'\1'", e.message)) except trace_exc.TraceNotFoundException as e: abort(http_client.BAD_REQUEST, str(e)) except validation_exc.ValueValidationException as e: raise e except Exception as e: LOG.exception( 'Unable to execute action. Unexpected error encountered.') abort(http_client.INTERNAL_SERVER_ERROR, str(e))
def _get_one(self, ref_or_id, requester_user): instance = self._get_by_ref_or_id(ref_or_id=ref_or_id) permission_type = PermissionType.POLICY_TYPE_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) result = self.model.from_model(instance) return result
def get_one(self, ref_or_id, file_path, requester_user, if_none_match=None, if_modified_since=None): """ Outputs the content of a specific file in a pack. Handles requests: GET /packs/views/file/<pack_ref_or_id>/<file path> """ pack_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) if not pack_db: msg = 'Pack with ref_or_id "%s" does not exist' % (ref_or_id) raise StackStormDBObjectNotFoundError(msg) if not file_path: raise ValueError('Missing file path') pack_ref = pack_db.ref # Note: Until list filtering is in place we don't require RBAC check for icon file permission_type = PermissionType.PACK_VIEW if file_path not in WHITELISTED_FILE_PATHS: rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=pack_db, permission_type=permission_type) normalized_file_path = get_pack_file_abs_path(pack_ref=pack_ref, file_path=file_path) if not normalized_file_path or not os.path.isfile(normalized_file_path): # Ignore references to files which don't exist on disk raise StackStormDBObjectNotFoundError('File "%s" not found' % (file_path)) file_size, file_mtime = self._get_file_stats(file_path=normalized_file_path) response = Response() if not self._is_file_changed(file_mtime, if_none_match=if_none_match, if_modified_since=if_modified_since): response.status = http_client.NOT_MODIFIED else: if file_size is not None and file_size > MAX_FILE_SIZE: msg = ('File %s exceeds maximum allowed file size (%s bytes)' % (file_path, MAX_FILE_SIZE)) raise ValueError(msg) content_type = mimetypes.guess_type(normalized_file_path)[0] or \ 'application/octet-stream' response.headers['Content-Type'] = content_type response.body = self._get_file_content(file_path=normalized_file_path) response.headers['Last-Modified'] = format_date_time(file_mtime) response.headers['ETag'] = repr(file_mtime) return response
def post(self, hook, webhook_body_api, headers, requester_user): body = webhook_body_api.data permission_type = PermissionType.WEBHOOK_SEND rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=WebhookDB(name=hook), permission_type=permission_type) headers = self._get_headers_as_dict(headers) # If webhook contains a trace-tag use that else create create a unique trace-tag. trace_context = self._create_trace_context(trace_tag=headers.pop(TRACE_TAG_HEADER, None), hook=hook) if hook == 'st2' or hook == 'st2/': # When using st2 or system webhook, body needs to always be a dict if not isinstance(body, dict): type_string = get_json_type_for_python_value(body) msg = ('Webhook body needs to be an object, got: %s' % (type_string)) raise ValueError(msg) trigger = body.get('trigger', None) payload = body.get('payload', None) if not trigger: msg = 'Trigger not specified.' return abort(http_client.BAD_REQUEST, msg) self._trigger_dispatcher_service.dispatch_with_context(trigger=trigger, payload=payload, trace_context=trace_context, throw_on_validation_error=True) else: if not self._is_valid_hook(hook): self._log_request('Invalid hook.', headers, body) msg = 'Webhook %s not registered with st2' % hook return abort(http_client.NOT_FOUND, msg) triggers = self._hooks.get_triggers_for_hook(hook) payload = {} payload['headers'] = headers payload['body'] = body # Dispatch trigger instance for each of the trigger found for trigger_dict in triggers: # TODO: Instead of dispatching the whole dict we should just # dispatch TriggerDB.ref or similar self._trigger_dispatcher_service.dispatch_with_context(trigger=trigger_dict, payload=payload, trace_context=trace_context, throw_on_validation_error=True) return Response(json=body, status=http_client.ACCEPTED)
def get_one(self, ref_or_id, requester_user): """ Outputs the file associated with action entry_point Handles requests: GET /actions/views/entry_point/1 """ LOG.info('GET /actions/views/entry_point with ref_or_id=%s', ref_or_id) action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) permission_type = PermissionType.ACTION_VIEW rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_db, permission_type=permission_type) pack = getattr(action_db, 'pack', None) entry_point = getattr(action_db, 'entry_point', None) abs_path = utils.get_entry_point_abs_path(pack, entry_point) if not abs_path: raise StackStormDBObjectNotFoundError( 'Action ref_or_id=%s has no entry_point to output' % ref_or_id) with codecs.open(abs_path, 'r') as fp: content = fp.read() # Ensure content is utf-8 if isinstance(content, six.binary_type): content = content.decode('utf-8') try: content_type = mimetypes.guess_type(abs_path)[0] except Exception: content_type = None # Special case if /etc/mime.types doesn't contain entry for yaml, py if not content_type: _, extension = os.path.splitext(abs_path) if extension in ['.yaml', '.yml']: content_type = 'application/x-yaml' elif extension in ['.py']: content_type = 'application/x-python' else: content_type = 'text/plain' response = Response() response.headers['Content-Type'] = content_type response.text = content return response
def get_one(self, url, requester_user): triggers = self._hooks.get_triggers_for_hook(url) if not triggers: abort(http_client.NOT_FOUND) return permission_type = PermissionType.WEBHOOK_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=WebhookDB(name=url), permission_type=permission_type) # For demonstration purpose return 1st return triggers[0]
def get_one(self, name, requester_user): triggers = self._hooks.get_triggers_for_hook(name) if not triggers: abort(http_client.NOT_FOUND) return permission_type = PermissionType.WEBHOOK_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=WebhookDB(name=name), permission_type=permission_type) # For demonstration purpose return 1st return triggers[0]
def get_one(self, ref_or_id, requester_user): """ Outputs the file associated with action entry_point Handles requests: GET /actions/views/entry_point/1 """ LOG.info('GET /actions/views/entry_point with ref_or_id=%s', ref_or_id) action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) permission_type = PermissionType.ACTION_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db, permission_type=permission_type) pack = getattr(action_db, 'pack', None) entry_point = getattr(action_db, 'entry_point', None) abs_path = utils.get_entry_point_abs_path(pack, entry_point) if not abs_path: raise StackStormDBObjectNotFoundError('Action ref_or_id=%s has no entry_point to output' % ref_or_id) with codecs.open(abs_path, 'r') as fp: content = fp.read() # Ensure content is utf-8 if isinstance(content, six.binary_type): content = content.decode('utf-8') try: content_type = mimetypes.guess_type(abs_path)[0] except Exception: content_type = None # Special case if /etc/mime.types doesn't contain entry for yaml, py if not content_type: _, extension = os.path.splitext(abs_path) if extension in ['.yaml', '.yml']: content_type = 'application/x-yaml' elif extension in ['.py']: content_type = 'application/x-python' else: content_type = 'text/plain' response = Response() response.headers['Content-Type'] = content_type response.text = content return response
def _get_one_by_ref_or_id(self, ref_or_id, requester_user, exclude_fields=None): instance = self._get_by_ref_or_id(ref_or_id=ref_or_id, exclude_fields=exclude_fields) rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=PermissionType.PACK_VIEW) if not instance: msg = 'Unable to identify resource with ref_or_id "%s".' % (ref_or_id) abort(http_client.NOT_FOUND, msg) return result = self.model.from_model(instance, **self.from_model_kwargs) return result
def get_one(self, ref_or_id, requester_user): """ Outputs the content of all the files inside the pack. Handles requests: GET /packs/views/files/<pack_ref_or_id> """ pack_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=pack_db, permission_type=PermissionType.PACK_VIEW) if not pack_db: msg = 'Pack with ref_or_id "%s" does not exist' % (ref_or_id) raise StackStormDBObjectNotFoundError(msg) pack_ref = pack_db.ref pack_files = pack_db.files result = [] for file_path in pack_files: normalized_file_path = get_pack_file_abs_path(pack_ref=pack_ref, file_path=file_path) if not normalized_file_path or not os.path.isfile( normalized_file_path): # Ignore references to files which don't exist on disk continue file_size = self._get_file_size(file_path=normalized_file_path) if file_size is not None and file_size > MAX_FILE_SIZE: LOG.debug( 'Skipping file "%s" which size exceeds max file size (%s bytes)' % (normalized_file_path, MAX_FILE_SIZE)) continue content = self._get_file_content(file_path=normalized_file_path) include_file = self._include_file(file_path=file_path, content=content) if not include_file: LOG.debug('Skipping binary file "%s"' % (normalized_file_path)) continue item = {'file_path': file_path, 'content': content} result.append(item) return result
def _handle_schedule_execution(self, liveaction_api, requester_user, context_string=None, show_secrets=False): """ :param liveaction: LiveActionAPI object. :type liveaction: :class:`LiveActionAPI` """ if not requester_user: requester_user = UserDB(cfg.CONF.system_user.user) # Assert action ref is valid action_ref = liveaction_api.action action_db = action_utils.get_action_by_ref(action_ref) if not action_db: message = 'Action "%s" cannot be found.' % (action_ref) LOG.warning(message) abort(http_client.BAD_REQUEST, message) # Assert the permissions assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE) # Validate that the authenticated user is admin if user query param is provided user = liveaction_api.user or requester_user.name assert_user_is_admin_if_user_query_param_is_provided(user_db=requester_user, user=user) try: return self._schedule_execution(liveaction=liveaction_api, requester_user=requester_user, user=user, context_string=context_string, show_secrets=show_secrets, action_db=action_db) except ValueError as e: LOG.exception('Unable to execute action.') abort(http_client.BAD_REQUEST, six.text_type(e)) except jsonschema.ValidationError as e: LOG.exception('Unable to execute action. Parameter validation failed.') abort(http_client.BAD_REQUEST, re.sub("u'([^']*)'", r"'\1'", getattr(e, 'message', six.text_type(e)))) except trace_exc.TraceNotFoundException as e: abort(http_client.BAD_REQUEST, six.text_type(e)) except validation_exc.ValueValidationException as e: raise e except Exception as e: LOG.exception('Unable to execute action. Unexpected error encountered.') abort(http_client.INTERNAL_SERVER_ERROR, six.text_type(e))
def _get_one(self, ref_or_id, requester_user): instance = self._get_by_ref_or_id(ref_or_id=ref_or_id) permission_type = PermissionType.POLICY_TYPE_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=permission_type) result = self.model.from_model(instance) if result and self.include_reference: resource_type = getattr(result, 'resource_type', None) name = getattr(result, 'name', None) result.ref = PolicyTypeReference(resource_type=resource_type, name=name).ref return result
def get_one(self, ref_or_id, requester_user): try: trigger_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) except Exception as e: LOG.exception(six.text_type(e)) abort(http_client.NOT_FOUND, six.text_type(e)) return permission_type = PermissionType.TIMER_VIEW resource_db = TimerDB(pack=trigger_db.pack, name=trigger_db.name) rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=resource_db, permission_type=permission_type) result = self.model.from_model(trigger_db) return result
def get_one(self, ref_or_id, requester_user): try: trigger_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) except Exception as e: LOG.exception(e.message) abort(http_client.NOT_FOUND, e.message) return permission_type = PermissionType.TIMER_VIEW resource_db = TimerDB(pack=trigger_db.pack, name=trigger_db.name) rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=resource_db, permission_type=permission_type) result = self.model.from_model(trigger_db) return result
def put(self, action, ref_or_id, requester_user): action_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) # Assert permissions permission_type = PermissionType.ACTION_MODIFY rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_db, permission_type=permission_type) action_id = action_db.id if not getattr(action, 'pack', None): action.pack = action_db.pack # Perform validation validate_not_part_of_system_pack(action) action_validator.validate_action(action) # Write pack data files to disk (if any are provided) data_files = getattr(action, 'data_files', []) written_data_files = [] if data_files: written_data_files = self._handle_data_files(pack_ref=action.pack, data_files=data_files) try: action_db = ActionAPI.to_model(action) LOG.debug('/actions/ PUT incoming action: %s', action_db) action_db.id = action_id action_db = Action.add_or_update(action_db) LOG.debug('/actions/ PUT after add_or_update: %s', action_db) except (ValidationError, ValueError) as e: LOG.exception('Unable to update action data=%s', action) abort(http_client.BAD_REQUEST, str(e)) return # Dispatch an internal trigger for each written data file. This way user # automate committing this files to git using StackStorm rule if written_data_files: self._dispatch_trigger_for_written_data_files( action_db=action_db, written_data_files=written_data_files) action_api = ActionAPI.from_model(action_db) LOG.debug('PUT /actions/ client_result=%s', action_api) return action_api
def put(self, action_alias, ref_or_id, requester_user): """ Update an action alias. Handles requests: PUT /actionalias/1 """ action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug('PUT /actionalias/ lookup with id=%s found object: %s', ref_or_id, action_alias_db) permission_type = PermissionType.ACTION_ALIAS_MODIFY rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=action_alias_db, permission_type=permission_type) if not hasattr(action_alias, 'id'): action_alias.id = None try: if action_alias.id is not None and action_alias.id is not '' and \ action_alias.id != ref_or_id: LOG.warning( 'Discarding mismatched id=%s found in payload and using uri_id=%s.', action_alias.id, ref_or_id) old_action_alias_db = action_alias_db action_alias_db = ActionAliasAPI.to_model(action_alias) action_alias_db.id = ref_or_id action_alias_db = ActionAlias.add_or_update(action_alias_db) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for action alias data=%s', action_alias) abort(http_client.BAD_REQUEST, str(e)) return extra = { 'old_action_alias_db': old_action_alias_db, 'new_action_alias_db': action_alias_db } LOG.audit('Action alias updated. ActionAlias.id=%s.' % (action_alias_db.id), extra=extra) action_alias_api = ActionAliasAPI.from_model(action_alias_db) return action_alias_api
def get_one(self, ref_or_id, requester_user): """ Outputs the content of all the files inside the pack. Handles requests: GET /packs/views/files/<pack_ref_or_id> """ pack_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=pack_db, permission_type=PermissionType.PACK_VIEW) if not pack_db: msg = 'Pack with ref_or_id "%s" does not exist' % (ref_or_id) raise StackStormDBObjectNotFoundError(msg) pack_ref = pack_db.ref pack_files = pack_db.files result = [] for file_path in pack_files: normalized_file_path = get_pack_file_abs_path(pack_ref=pack_ref, file_path=file_path) if not normalized_file_path or not os.path.isfile(normalized_file_path): # Ignore references to files which don't exist on disk continue file_size = self._get_file_size(file_path=normalized_file_path) if file_size is not None and file_size > MAX_FILE_SIZE: LOG.debug('Skipping file "%s" which size exceeds max file size (%s bytes)' % (normalized_file_path, MAX_FILE_SIZE)) continue content = self._get_file_content(file_path=normalized_file_path) include_file = self._include_file(file_path=file_path, content=content) if not include_file: LOG.debug('Skipping binary file "%s"' % (normalized_file_path)) continue item = { 'file_path': file_path, 'content': content } result.append(item) return result
def put(self, api_key_api, api_key_id_or_key, requester_user): api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key) permission_type = PermissionType.API_KEY_MODIFY rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=api_key_db, permission_type=permission_type) old_api_key_db = api_key_db api_key_db = ApiKeyAPI.to_model(api_key_api) try: User.get_by_name(api_key_api.user) except StackStormDBObjectNotFoundError: user_db = UserDB(name=api_key_api.user) User.add_or_update(user_db) extra = {'username': api_key_api.user, 'user': user_db} LOG.audit('Registered new user "%s".' % (api_key_api.user), extra=extra) # Passing in key_hash as MASKED_ATTRIBUTE_VALUE is expected since we do not # leak it out therefore it is expected we get the same value back. Interpret # this special code and empty value as no-change if api_key_db.key_hash == MASKED_ATTRIBUTE_VALUE or not api_key_db.key_hash: api_key_db.key_hash = old_api_key_db.key_hash # Rather than silently ignore any update to key_hash it is better to explicitly # disallow and notify user. if old_api_key_db.key_hash != api_key_db.key_hash: raise ValueError('Update of key_hash is not allowed.') api_key_db.id = old_api_key_db.id api_key_db = ApiKey.add_or_update(api_key_db) extra = { 'old_api_key_db': old_api_key_db, 'new_api_key_db': api_key_db } LOG.audit('API Key updated. ApiKey.id=%s.' % (api_key_db.id), extra=extra) api_key_api = ApiKeyAPI.from_model(api_key_db) return api_key_api
def _get_one_by_id(self, id, requester_user, permission_type, exclude_fields=None, from_model_kwargs=None): """Override ResourceController._get_one_by_id to contain scope of Inquiries UID hack :param exclude_fields: A list of object fields to exclude. :type exclude_fields: ``list`` """ instance = self._get_by_id(resource_id=id, exclude_fields=exclude_fields) # _get_by_id pulls the resource by ID directly off of the database. Since # Inquiries don't have their own DB model yet, this comes in the format # "execution:<id>". So, to allow RBAC to get a handle on inquiries specifically, # we're overriding the "get_uid" function to return one specific to Inquiries. # # TODO (mierdin): All of this should be removed once Inquiries get their own DB model if getattr( instance, 'runner', None) and instance.runner.get('runner_module') == 'inquirer': def get_uid(): return "inquiry" instance.get_uid = get_uid if permission_type: rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=instance, permission_type=permission_type) if not instance: msg = 'Unable to identify resource with id "%s".' % id abort(http_client.NOT_FOUND, msg) from_model_kwargs = from_model_kwargs or {} from_model_kwargs.update(self.from_model_kwargs) result = self.model.from_model(instance, **from_model_kwargs) return result
def _get_one(self, ref_or_id, requester_user): instance = self._get_by_ref_or_id(ref_or_id=ref_or_id) permission_type = PermissionType.POLICY_TYPE_VIEW rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=instance, permission_type=permission_type) result = self.model.from_model(instance) if result and self.include_reference: resource_type = getattr(result, 'resource_type', None) name = getattr(result, 'name', None) result.ref = PolicyTypeReference(resource_type=resource_type, name=name).ref return result
def post(self, hook, body, headers, requester_user): body = vars(body) permission_type = PermissionType.WEBHOOK_SEND rbac_utils.assert_user_has_resource_db_permission( user_db=requester_user, resource_db=WebhookDB(name=hook), permission_type=permission_type) headers = self._get_headers_as_dict(headers) # If webhook contains a trace-tag use that else create create a unique trace-tag. trace_context = self._create_trace_context(trace_tag=headers.pop( TRACE_TAG_HEADER, None), hook=hook) if hook == 'st2' or hook == 'st2/': trigger = body.get('trigger', None) payload = body.get('payload', None) if not trigger: msg = 'Trigger not specified.' return abort(http_client.BAD_REQUEST, msg) self._trigger_dispatcher.dispatch(trigger, payload=payload, trace_context=trace_context) else: if not self._is_valid_hook(hook): self._log_request('Invalid hook.', headers, body) msg = 'Webhook %s not registered with st2' % hook return abort(http_client.NOT_FOUND, msg) triggers = self._hooks.get_triggers_for_hook(hook) payload = {} payload['headers'] = headers payload['body'] = body # Dispatch trigger instance for each of the trigger found for trigger in triggers: self._trigger_dispatcher.dispatch(trigger, payload=payload, trace_context=trace_context) return Response(json=body, status=http_client.ACCEPTED)
def _get_one(action_id, requester_user): """ List merged action & runner parameters by action id. Handle: GET /actions/views/parameters/1 """ action_db = LookupUtils._get_action_by_id(action_id) permission_type = PermissionType.ACTION_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_db, permission_type=permission_type) runner_db = LookupUtils._get_runner_by_name(action_db.runner_type['name']) all_params = action_param_utils.get_params_view( action_db=action_db, runner_db=runner_db, merged_only=True) return {'parameters': all_params}
def get_one(self, pack_ref, requester_user): """ Retrieve config for a particular pack. Handles requests: GET /configs/<pack_ref> """ # TODO: Make sure secret values are masked try: instance = packs_service.get_pack_by_ref(pack_ref=pack_ref) except StackStormDBObjectNotFoundError: msg = 'Unable to identify resource with pack_ref "%s".' % (pack_ref) abort(http_client.NOT_FOUND, msg) rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=PermissionType.PACK_VIEW) return self._get_one_by_pack_ref(pack_ref=pack_ref)
def delete(self, api_key_id_or_key, requester_user): """ Delete the key value pair. Handles requests: DELETE /apikeys/1 """ api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key) permission_type = PermissionType.API_KEY_DELETE rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=api_key_db, permission_type=permission_type) ApiKey.delete(api_key_db) extra = {'api_key_db': api_key_db} LOG.audit('ApiKey deleted. ApiKey.id=%s' % (api_key_db.id), extra=extra) return Response(status=http_client.NO_CONTENT)
def put(self, sensor_type, ref_or_id, requester_user): # Note: Right now this function only supports updating of "enabled" # attribute on the SensorType model. # The reason for that is that SensorTypeAPI.to_model right now only # knows how to work with sensor type definitions from YAML files. sensor_type_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) permission_type = PermissionType.SENSOR_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=sensor_type_db, permission_type=permission_type) sensor_type_id = sensor_type_db.id try: validate_not_part_of_system_pack(sensor_type_db) except ValueValidationException as e: abort(http_client.BAD_REQUEST, str(e)) return if not getattr(sensor_type, 'pack', None): sensor_type.pack = sensor_type_db.pack try: old_sensor_type_db = sensor_type_db sensor_type_db.id = sensor_type_id sensor_type_db.enabled = getattr(sensor_type, 'enabled', False) sensor_type_db = SensorType.add_or_update(sensor_type_db) except (ValidationError, ValueError) as e: LOG.exception('Unable to update sensor_type data=%s', sensor_type) abort(http_client.BAD_REQUEST, str(e)) return extra = { 'old_sensor_type_db': old_sensor_type_db, 'new_sensor_type_db': sensor_type_db } LOG.audit('Sensor updated. Sensor.id=%s.' % (sensor_type_db.id), extra=extra) sensor_type_api = SensorTypeAPI.from_model(sensor_type_db) return sensor_type_api
def get_one(self, pack_ref, requester_user, show_secrets=False): """ Retrieve config for a particular pack. Handles requests: GET /configs/<pack_ref> """ from_model_kwargs = { 'mask_secrets': self._get_mask_secrets(requester_user, show_secrets=show_secrets) } try: instance = packs_service.get_pack_by_ref(pack_ref=pack_ref) except StackStormDBObjectNotFoundError: msg = 'Unable to identify resource with pack_ref "%s".' % (pack_ref) abort(http_client.NOT_FOUND, msg) rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=instance, permission_type=PermissionType.PACK_VIEW) return self._get_one_by_pack_ref(pack_ref=pack_ref, from_model_kwargs=from_model_kwargs)
def get(self, id, attribute, requester_user): """ Retrieve a particular attribute for the provided action execution. Handles requests: GET /executions/<id>/attribute/<attribute name> :rtype: ``dict`` """ fields = [attribute, 'action__pack', 'action__uid'] fields = self._validate_exclude_fields(fields) action_exec_db = self.access.impl.model.objects.filter(id=id).only(*fields).get() permission_type = PermissionType.EXECUTION_VIEW rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_exec_db, permission_type=permission_type) result = getattr(action_exec_db, attribute, None) return result
def put(self, api_key_api, api_key_id_or_key, requester_user): api_key_db = ApiKey.get_by_key_or_id(api_key_id_or_key) permission_type = PermissionType.API_KEY_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=api_key_db, permission_type=permission_type) old_api_key_db = api_key_db api_key_db = ApiKeyAPI.to_model(api_key_api) try: User.get_by_name(api_key_api.user) except StackStormDBObjectNotFoundError: user_db = UserDB(name=api_key_api.user) User.add_or_update(user_db) extra = {'username': api_key_api.user, 'user': user_db} LOG.audit('Registered new user "%s".' % (api_key_api.user), extra=extra) # Passing in key_hash as MASKED_ATTRIBUTE_VALUE is expected since we do not # leak it out therefore it is expected we get the same value back. Interpret # this special code and empty value as no-change if api_key_db.key_hash == MASKED_ATTRIBUTE_VALUE or not api_key_db.key_hash: api_key_db.key_hash = old_api_key_db.key_hash # Rather than silently ignore any update to key_hash it is better to explicitly # disallow and notify user. if old_api_key_db.key_hash != api_key_db.key_hash: raise ValueError('Update of key_hash is not allowed.') api_key_db.id = old_api_key_db.id api_key_db = ApiKey.add_or_update(api_key_db) extra = {'old_api_key_db': old_api_key_db, 'new_api_key_db': api_key_db} LOG.audit('API Key updated. ApiKey.id=%s.' % (api_key_db.id), extra=extra) api_key_api = ApiKeyAPI.from_model(api_key_db) return api_key_api
def put(self, action_alias, ref_or_id, requester_user): """ Update an action alias. Handles requests: PUT /actionalias/1 """ action_alias_db = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug('PUT /actionalias/ lookup with id=%s found object: %s', ref_or_id, action_alias_db) permission_type = PermissionType.ACTION_ALIAS_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=action_alias_db, permission_type=permission_type) if not hasattr(action_alias, 'id'): action_alias.id = None try: if action_alias.id is not None and action_alias.id is not '' and \ action_alias.id != ref_or_id: LOG.warning('Discarding mismatched id=%s found in payload and using uri_id=%s.', action_alias.id, ref_or_id) old_action_alias_db = action_alias_db action_alias_db = ActionAliasAPI.to_model(action_alias) action_alias_db.id = ref_or_id action_alias_db = ActionAlias.add_or_update(action_alias_db) except (ValidationError, ValueError) as e: LOG.exception('Validation failed for action alias data=%s', action_alias) abort(http_client.BAD_REQUEST, six.text_type(e)) return extra = {'old_action_alias_db': old_action_alias_db, 'new_action_alias_db': action_alias_db} LOG.audit('Action alias updated. ActionAlias.id=%s.' % (action_alias_db.id), extra=extra) action_alias_api = ActionAliasAPI.from_model(action_alias_db) return action_alias_api
def put(self, instance, ref_or_id, requester_user): op = 'PUT /policies/%s/' % ref_or_id db_model = self._get_by_ref_or_id(ref_or_id=ref_or_id) LOG.debug('%s found object: %s', op, db_model) permission_type = PermissionType.POLICY_MODIFY rbac_utils.assert_user_has_resource_db_permission(user_db=requester_user, resource_db=db_model, permission_type=permission_type) db_model_id = db_model.id try: validate_not_part_of_system_pack(db_model) except ValueValidationException as e: LOG.exception('%s unable to update object from system pack.', op) abort(http_client.BAD_REQUEST, six.text_type(e)) if not getattr(instance, 'pack', None): instance.pack = db_model.pack try: db_model = self.model.to_model(instance) db_model.id = db_model_id db_model = self.access.add_or_update(db_model) except (ValidationError, ValueError) as e: LOG.exception('%s unable to update object: %s', op, db_model) abort(http_client.BAD_REQUEST, six.text_type(e)) return LOG.debug('%s updated object: %s', op, db_model) LOG.audit('Policy updated. Policy.id=%s' % (db_model.id), extra={'policy_db': db_model}) exec_result = self.model.from_model(db_model) return Response(json=exec_result, status=http_client.OK)