X-Git-Url: https://gerrit.akraino.org/r/gitweb?p=ta%2Faccess-management.git;a=blobdiff_plain;f=src%2Faccess_management%2Frest-plugin%2Froles_permissions.py;fp=src%2Faccess_management%2Frest-plugin%2Froles_permissions.py;h=c5a64d58ed1ad35f2bae9e2ffe4c4a575a041cbb;hp=0000000000000000000000000000000000000000;hb=d37b9ab19ff6f50b9c1746784623b3dd328ab525;hpb=0205adc63d3bba479a24db85d2d4bfdba0411876 diff --git a/src/access_management/rest-plugin/roles_permissions.py b/src/access_management/rest-plugin/roles_permissions.py new file mode 100644 index 0000000..c5a64d5 --- /dev/null +++ b/src/access_management/rest-plugin/roles_permissions.py @@ -0,0 +1,196 @@ +# Copyright 2019 Nokia + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from am_api_base import * +import access_management.db.amdb as amdb + + +class RolesPermissions(AMApiBase): + + """ + Role add permission operations + + .. :quickref: Roles permission;Role add permission operations + + .. http:post:: /am/v1/roles/permissions + + **Start Role add permission** + + **Example request**: + + .. sourcecode:: http + + POST am/v1/roles/permissions HTTP/1.1 + Host: haproxyvip:61200 + Accept: application/json + { + "role_name": "test_role" + "res_path": "domain/domain_object" + "res_op": "GET" + } + + :> json string role_name: The role the permission gets to be added to. + :> json string res_path: The endpoint of the permission to be added. + :> json string res_op: The method of the permission to be added. + + **Example response**: + + .. sourcecode:: http + + HTTP/1.1 200 OK + { + "code": 0, + "description": "Resource added to role" + } + + :> json int code: the status code + :> json string description: the error description, present if code is non zero + + Role remove permission operations + + .. :quickref: Roles permission;Role remove permission operations + + .. http:delete:: /am/v1/roles/permissions + + **Start Role remove permission** + + **Example request**: + + .. sourcecode:: http + + DELETE am/v1/roles/permissions HTTP/1.1 + Host: haproxyvip:61200 + Accept: application/json + { + "role_name": "test_role" + "res_path": "domain/domain_object" + "res_op": "GET" + } + + :> json string role_name: The role the permission gets to be removed from. + :> json string res_path: The endpoint of the permission to be removed. + :> json string res_op: The method of the permission to be removed. + + **Example response**: + + .. sourcecode:: http + + HTTP/1.1 200 OK + { + "code": 0, + "description": "Resource removed from role" + } + + :> json int code: the status code + :> json string description: the error description, present if code is non zero + """ + + endpoints = ['roles/permissions'] + parser_arguments = ['role_name', + 'res_path', + 'res_op'] + + def post(self): + self.logger.info("Received a role add permission request!") + args = self.parse_args() + + state, permissions = self._add_permission(args) + + if state: + self.logger.info("The {1}:{2} permission added to {0} role!".format(args["role_name"], args["res_path"], args["res_op"])) + return AMApiBase.embed_data({}, 0, permissions) + else: + self.logger.error("The request to add permission {1}:{2} to role {0} failed: {3}".format(args["role_name"], args["res_path"], args["res_op"], permissions)) + return AMApiBase.embed_data({}, 1, permissions) + + def delete(self): + self.logger.info("Received a role remove permission request!") + args = self.parse_args() + + state, result = self._remove_permission(args) + + if state: + self.logger.info("The {1}:{2} permission removed from {0} role!".format(args["role_name"], args["res_path"], args["res_op"])) + return AMApiBase.embed_data({}, 0, result) + else: + self.logger.error("The request to remove permission {1}:{2} from role {0} failed: {3}".format(args["role_name"], args["res_path"], args["res_op"], result)) + return AMApiBase.construct_error_response(1, result) + + def _remove_permission(self, args): + state_open, message_open = self._open_db() + if state_open: + state_remove, message_remove = self._delete_role_resource(args) + if state_remove: + state_close, message_close = self._close_db() + if not state_close: + self._close_db() + return True, state_remove + else: + state_close, message_close = self._close_db() + if not state_close: + self._close_db() + return False, state_remove + else: + return False, message_open + + def _add_permission(self, args): + state_open, message_open = self._open_db() + if state_open: + state_add, message_add = self._add_resource_to_role(args) + if state_add: + state_close, message_close = self._close_db() + if not state_close: + self._close_db() + return True, message_add + else: + state_close, message_close = self._close_db() + if not state_close: + self._close_db() + return False, message_add + else: + return False, message_open + + def _add_resource_to_role(self, args): + try: + self.db.add_resource_to_role(args["role_name"], args["res_path"], args["res_op"]) + except amdb.AlreadyExist: + message = "Role-permission pair already exists in table: {0}:{1}, {2}".format(args["role_name"],args["res_path"],args["res_op"]) + self.logger.error(message) + return False, message + except amdb.NotAllowedOperation: + message = "Service role cannot be modified: {0}".format(args["role_name"]) + self.logger.error(message) + return False, message + except Exception as ex: + message = "Internal error: {0}".format(ex) + self.logger.error(message) + return False, message + return True, "Permission added to role!" + + def _delete_role_resource(self, args): + try: + self.db.delete_role_resource(args["role_name"],args["res_path"],args["res_op"]) + except amdb.NotExist: + message = "Role {0} has no such resource:operation: {1}:{2}".format(args["role_name"],args["res_path"],args["res_op"]) + self.logger.error(message) + return False, message + except amdb.NotAllowedOperation: + message = "Service role cannot be modified: {0}".format(args["role_name"]) + self.logger.error(message) + return False, message + except Exception as ex: + message = "Internal error: {0}".format(ex) + self.logger.error(message) + return False, message + return True, "Permission removed from role!"