3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
15 from am_api_base import *
16 import access_management.db.amdb as amdb
19 class RolesPermissions(AMApiBase):
22 Role add permission operations
24 .. :quickref: Roles permission;Role add permission operations
26 .. http:post:: /am/v1/roles/permissions
28 **Start Role add permission**
34 POST am/v1/roles/permissions HTTP/1.1
35 Host: haproxyvip:61200
36 Accept: application/json
38 "role_name": "test_role"
39 "res_path": "domain/domain_object"
43 :> json string role_name: The role the permission gets to be added to.
44 :> json string res_path: The endpoint of the permission to be added.
45 :> json string res_op: The method of the permission to be added.
54 "description": "Resource added to role"
57 :> json int code: the status code
58 :> json string description: the error description, present if code is non zero
60 Role remove permission operations
62 .. :quickref: Roles permission;Role remove permission operations
64 .. http:delete:: /am/v1/roles/permissions
66 **Start Role remove permission**
72 DELETE am/v1/roles/permissions HTTP/1.1
73 Host: haproxyvip:61200
74 Accept: application/json
76 "role_name": "test_role"
77 "res_path": "domain/domain_object"
81 :> json string role_name: The role the permission gets to be removed from.
82 :> json string res_path: The endpoint of the permission to be removed.
83 :> json string res_op: The method of the permission to be removed.
92 "description": "Resource removed from role"
95 :> json int code: the status code
96 :> json string description: the error description, present if code is non zero
99 endpoints = ['roles/permissions']
100 parser_arguments = ['role_name',
105 self.logger.info("Received a role add permission request!")
106 args = self.parse_args()
108 state, permissions = self._add_permission(args)
111 self.logger.info("The {1}:{2} permission added to {0} role!".format(args["role_name"], args["res_path"], args["res_op"]))
112 return AMApiBase.embed_data({}, 0, permissions)
114 self.logger.error("The request to add permission {1}:{2} to role {0} failed: {3}".format(args["role_name"], args["res_path"], args["res_op"], permissions))
115 return AMApiBase.embed_data({}, 1, permissions)
118 self.logger.info("Received a role remove permission request!")
119 args = self.parse_args()
121 state, result = self._remove_permission(args)
124 self.logger.info("The {1}:{2} permission removed from {0} role!".format(args["role_name"], args["res_path"], args["res_op"]))
125 return AMApiBase.embed_data({}, 0, result)
127 self.logger.error("The request to remove permission {1}:{2} from role {0} failed: {3}".format(args["role_name"], args["res_path"], args["res_op"], result))
128 return AMApiBase.construct_error_response(1, result)
130 def _remove_permission(self, args):
131 state_open, message_open = self._open_db()
133 state_remove, message_remove = self._delete_role_resource(args)
135 state_close, message_close = self._close_db()
138 return True, state_remove
140 state_close, message_close = self._close_db()
143 return False, state_remove
145 return False, message_open
147 def _add_permission(self, args):
148 state_open, message_open = self._open_db()
150 state_add, message_add = self._add_resource_to_role(args)
152 state_close, message_close = self._close_db()
155 return True, message_add
157 state_close, message_close = self._close_db()
160 return False, message_add
162 return False, message_open
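def _add_resource_to_role(self, args):
    """Grant the ``res_path``/``res_op`` permission in ``args`` to ``args["role_name"]``.

    Wraps ``self.db.add_resource_to_role`` and converts its exceptions into a
    ``(False, description)`` result; the POST handler embeds ``description``
    in the HTTP response, so whatever is returned here is client-visible.

    Args:
        args: parsed request arguments. ``role_name``, ``res_path`` and
            ``res_op`` are read; they originate from the request body.

    Returns:
        ``(True, "Permission added to role!")`` on success, otherwise
        ``(False, description)`` where ``description`` is safe to show to
        the caller.
    """
    try:
        self.db.add_resource_to_role(args["role_name"], args["res_path"], args["res_op"])
    except amdb.AlreadyExist:
        # Duplicate grant: the role/permission pair is already in the table.
        # NOTE(review): role_name/res_path/res_op are request-supplied and are
        # logged verbatim; unless parse_args() constrains them (not visible
        # here) a value containing newlines can forge extra log lines.
        message = "Role-permission pair already exists in table: {0}:{1}, {2}".format(args["role_name"], args["res_path"], args["res_op"])
        self.logger.error(message)
        return False, message
    except amdb.NotAllowedOperation:
        # The DB layer refuses modifications of built-in service roles.
        message = "Service role cannot be modified: {0}".format(args["role_name"])
        self.logger.error(message)
        return False, message
    except Exception as ex:
        # Unexpected failure (connectivity, driver errors, malformed args...).
        # Keep the exception text server-side only: the description returned
        # from here ends up in the API response, and raw driver/DB messages
        # can disclose internal schema or connection details to the client.
        self.logger.error("Internal error: {0}".format(ex))
        return False, "Internal error"
    return True, "Permission added to role!"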
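def _delete_role_resource(self, args):
    """Revoke the ``res_path``/``res_op`` permission in ``args`` from ``args["role_name"]``.

    Counterpart of ``_add_resource_to_role``: wraps
    ``self.db.delete_role_resource`` and converts its exceptions into a
    ``(False, description)`` result.

    Args:
        args: parsed request arguments. ``role_name``, ``res_path`` and
            ``res_op`` are read; they originate from the request body.

    Returns:
        ``(True, "Permission removed from role!")`` on success, otherwise
        ``(False, description)`` where ``description`` is safe to show to
        the caller.

    NOTE(review): the caller ``_remove_permission`` returns ``state_remove``
    (the bool) rather than ``message_remove`` on both of its return paths,
    unlike ``_add_permission`` which returns ``message_add``. The descriptions
    built here therefore never reach the DELETE response or the handler's
    "failed: ..." log line, which carry ``True``/``False`` instead; that
    should be fixed in ``_remove_permission``.
    """
    try:
        self.db.delete_role_resource(args["role_name"], args["res_path"], args["res_op"])
    except amdb.NotExist:
        # Nothing to revoke: the role does not hold this resource/operation.
        # NOTE(review): role_name/res_path/res_op are request-supplied and are
        # logged verbatim; unless parse_args() constrains them (not visible
        # here) a value containing newlines can forge extra log lines.
        message = "Role {0} has no such resource:operation: {1}:{2}".format(args["role_name"], args["res_path"], args["res_op"])
        self.logger.error(message)
        return False, message
    except amdb.NotAllowedOperation:
        # The DB layer refuses modifications of built-in service roles.
        message = "Service role cannot be modified: {0}".format(args["role_name"])
        self.logger.error(message)
        return False, message
    except Exception as ex:
        # Unexpected failure (connectivity, driver errors, malformed args...).
        # Keep the exception text server-side only: the description returned
        # from here is intended for the API response, and raw driver/DB
        # messages can disclose internal schema or connection details.
        self.logger.error("Internal error: {0}".format(ex))
        return False, "Internal error"
    return True, "Permission removed from role!"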