# Copyright 2019 Nokia # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. from am_api_base import * import access_management.db.amdb as amdb class RolesPermissions(AMApiBase): """ Role add permission operations .. :quickref: Roles permission;Role add permission operations .. http:post:: /am/v1/roles/permissions **Start Role add permission** **Example request**: .. sourcecode:: http POST am/v1/roles/permissions HTTP/1.1 Host: haproxyvip:61200 Accept: application/json { "role_name": "test_role" "res_path": "domain/domain_object" "res_op": "GET" } :> json string role_name: The role the permission gets to be added to. :> json string res_path: The endpoint of the permission to be added. :> json string res_op: The method of the permission to be added. **Example response**: .. sourcecode:: http HTTP/1.1 200 OK { "code": 0, "description": "Resource added to role" } :> json int code: the status code :> json string description: the error description, present if code is non zero Role remove permission operations .. :quickref: Roles permission;Role remove permission operations .. http:delete:: /am/v1/roles/permissions **Start Role remove permission** **Example request**: .. sourcecode:: http DELETE am/v1/roles/permissions HTTP/1.1 Host: haproxyvip:61200 Accept: application/json { "role_name": "test_role" "res_path": "domain/domain_object" "res_op": "GET" } :> json string role_name: The role the permission gets to be removed from. :> json string res_path: The endpoint of the permission to be removed. :> json string res_op: The method of the permission to be removed. **Example response**: .. sourcecode:: http HTTP/1.1 200 OK { "code": 0, "description": "Resource removed from role" } :> json int code: the status code :> json string description: the error description, present if code is non zero """ endpoints = ['roles/permissions'] parser_arguments = ['role_name', 'res_path', 'res_op'] def post(self): self.logger.info("Received a role add permission request!") args = self.parse_args() state, permissions = self._add_permission(args) if state: self.logger.info("The {1}:{2} permission added to {0} role!".format(args["role_name"], args["res_path"], args["res_op"])) return AMApiBase.embed_data({}, 0, permissions) else: self.logger.error("The request to add permission {1}:{2} to role {0} failed: {3}".format(args["role_name"], args["res_path"], args["res_op"], permissions)) return AMApiBase.embed_data({}, 1, permissions) def delete(self): self.logger.info("Received a role remove permission request!") args = self.parse_args() state, result = self._remove_permission(args) if state: self.logger.info("The {1}:{2} permission removed from {0} role!".format(args["role_name"], args["res_path"], args["res_op"])) return AMApiBase.embed_data({}, 0, result) else: self.logger.error("The request to remove permission {1}:{2} from role {0} failed: {3}".format(args["role_name"], args["res_path"], args["res_op"], result)) return AMApiBase.construct_error_response(1, result) def _remove_permission(self, args): state_open, message_open = self._open_db() if state_open: state_remove, message_remove = self._delete_role_resource(args) if state_remove: state_close, message_close = self._close_db() if not state_close: self._close_db() return True, state_remove else: state_close, message_close = self._close_db() if not state_close: self._close_db() return False, state_remove else: return False, message_open def _add_permission(self, args): state_open, message_open = self._open_db() if state_open: state_add, message_add = self._add_resource_to_role(args) if state_add: state_close, message_close = self._close_db() if not state_close: self._close_db() return True, message_add else: state_close, message_close = self._close_db() if not state_close: self._close_db() return False, message_add else: return False, message_open def _add_resource_to_role(self, args): try: self.db.add_resource_to_role(args["role_name"], args["res_path"], args["res_op"]) except amdb.AlreadyExist: message = "Role-permission pair already exists in table: {0}:{1}, {2}".format(args["role_name"],args["res_path"],args["res_op"]) self.logger.error(message) return False, message except amdb.NotAllowedOperation: message = "Service role cannot be modified: {0}".format(args["role_name"]) self.logger.error(message) return False, message except Exception as ex: message = "Internal error: {0}".format(ex) self.logger.error(message) return False, message return True, "Permission added to role!" def _delete_role_resource(self, args): try: self.db.delete_role_resource(args["role_name"],args["res_path"],args["res_op"]) except amdb.NotExist: message = "Role {0} has no such resource:operation: {1}:{2}".format(args["role_name"],args["res_path"],args["res_op"]) self.logger.error(message) return False, message except amdb.NotAllowedOperation: message = "Service role cannot be modified: {0}".format(args["role_name"]) self.logger.error(message) return False, message except Exception as ex: message = "Internal error: {0}".format(ex) self.logger.error(message) return False, message return True, "Permission removed from role!"