Cloudpods/backend/pkg/yunionconf/models/scopedpolicies.go

// Copyright 2019 Yunion
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package models

import (
	"context"

	"yunion.io/x/jsonutils"
	"yunion.io/x/pkg/errors"
	"yunion.io/x/pkg/util/rbacscope"
	"yunion.io/x/sqlchemy"

	api "yunion.io/x/onecloud/pkg/apis/yunionconf"
	"yunion.io/x/onecloud/pkg/cloudcommon/db"
	"yunion.io/x/onecloud/pkg/httperrors"
	"yunion.io/x/onecloud/pkg/mcclient"
	"yunion.io/x/onecloud/pkg/util/stringutils2"
)

// +onecloud:swagger-gen-model-singular=scopedpolicy
// +onecloud:swagger-gen-model-plural=scopedpolicies
type SScopedPolicyManager struct {
	db.SInfrasResourceBaseManager
}

var ScopedPolicyManager *SScopedPolicyManager

func init() {
	ScopedPolicyManager = &SScopedPolicyManager{
		SInfrasResourceBaseManager: db.NewInfrasResourceBaseManager(
			SScopedPolicy{},
			"scopedpolicies_tbl",
			"scopedpolicy",
			"scopedpolicies",
		),
	}
	ScopedPolicyManager.SetVirtualObject(ScopedPolicyManager)
}

type SScopedPolicy struct {
	db.SInfrasResourceBase

	// 策略类别
	Category string `width:"64" charset:"utf8" nullable:"false" list:"domain" create:"domain_required" index:"true"`

	// 策略内容
	Policies jsonutils.JSONObject `charset:"utf8" nullable:"true" list:"domain" update:"domain" create:"domain_optional"`
}

func (manager *SScopedPolicyManager) ValidateCreateData(
	ctx context.Context,
	userCred mcclient.TokenCredential,
	ownerId mcclient.IIdentityProvider,
	query jsonutils.JSONObject,
	input api.ScopedPolicyCreateInput,
) (api.ScopedPolicyCreateInput, error) {
	var err error

	if len(input.Category) == 0 {
		return input, errors.Wrap(httperrors.ErrInputParameter, "empty category")
	}

	input.InfrasResourceBaseCreateInput, err = manager.SInfrasResourceBaseManager.ValidateCreateData(ctx, userCred, ownerId, query, input.InfrasResourceBaseCreateInput)
	if err != nil {
		return input, errors.Wrap(err, "SInfrasResourceBaseManager.ValidateCreateData")
	}

	return input, nil
}

func (policy *SScopedPolicy) ValidateUpdateData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.ScopedPolicyUpdateInput) (api.ScopedPolicyUpdateInput, error) {
	var err error
	input.InfrasResourceBaseUpdateInput, err = policy.SInfrasResourceBase.ValidateUpdateData(ctx, userCred, query, input.InfrasResourceBaseUpdateInput)
	if err != nil {
		return input, errors.Wrap(err, "SInfrasResourceBase.ValidateUpdateData")
	}
	return input, nil
}

func (policy *SScopedPolicy) ValidateDeleteCondition(ctx context.Context, info jsonutils.JSONObject) error {
	cnt, err := policy.getReferenceCount()
	if err != nil {
		return httperrors.NewInternalServerError("getReferenceCount fail %s", err)
	}
	if cnt > 0 {
		return httperrors.NewNotEmptyError("policy is referenced")
	}
	return policy.SInfrasResourceBase.ValidateDeleteCondition(ctx, nil)
}

func (policy *SScopedPolicy) getReferenceCount() (int, error) {
	return ScopedPolicyBindingManager.getReferenceCount(policy.Id)
}

// 范围策略列表
func (manager *SScopedPolicyManager) ListItemFilter(
	ctx context.Context,
	q *sqlchemy.SQuery,
	userCred mcclient.TokenCredential,
	query api.ScopedPolicyListInput,
) (*sqlchemy.SQuery, error) {
	var err error

	q, err = manager.SInfrasResourceBaseManager.ListItemFilter(ctx, q, userCred, query.InfrasResourceBaseListInput)
	if err != nil {
		return nil, errors.Wrap(err, "SInfrasResourceBaseManager.ListItemFilter")
	}

	if len(query.Category) > 0 {
		q = q.Filter(sqlchemy.ContainsAny(q.Field("category"), query.Category))
	}

	return q, nil
}

func (manager *SScopedPolicyManager) OrderByExtraFields(
	ctx context.Context,
	q *sqlchemy.SQuery,
	userCred mcclient.TokenCredential,
	query api.ScopedPolicyListInput,
) (*sqlchemy.SQuery, error) {
	var err error

	q, err = manager.SInfrasResourceBaseManager.OrderByExtraFields(ctx, q, userCred, query.InfrasResourceBaseListInput)
	if err != nil {
		return nil, errors.Wrap(err, "SInfrasResourceBaseManager.OrderByExtraFields")
	}

	return q, nil
}

func (manager *SScopedPolicyManager) QueryDistinctExtraField(q *sqlchemy.SQuery, field string) (*sqlchemy.SQuery, error) {
	var err error

	q, err = manager.SInfrasResourceBaseManager.QueryDistinctExtraField(q, field)
	if err == nil {
		return q, nil
	}

	return q, httperrors.ErrNotFound
}

func (manager *SScopedPolicyManager) FetchCustomizeColumns(
	ctx context.Context,
	userCred mcclient.TokenCredential,
	query jsonutils.JSONObject,
	objs []interface{},
	fields stringutils2.SSortedStrings,
	isList bool,
) []api.ScopedPolicyDetails {
	rows := make([]api.ScopedPolicyDetails, len(objs))

	stdRows := manager.SInfrasResourceBaseManager.FetchCustomizeColumns(ctx, userCred, query, objs, fields, isList)

	for i := range rows {
		rows[i] = api.ScopedPolicyDetails{
			InfrasResourceBaseDetails: stdRows[i],
		}
		rows[i].RefCount, _ = objs[i].(*SScopedPolicy).getReferenceCount()
	}

	return rows
}

func (manager *SScopedPolicyManager) ListItemExportKeys(ctx context.Context,
	q *sqlchemy.SQuery,
	userCred mcclient.TokenCredential,
	keys stringutils2.SSortedStrings,
) (*sqlchemy.SQuery, error) {
	var err error
	q, err = manager.SInfrasResourceBaseManager.ListItemExportKeys(ctx, q, userCred, keys)
	if err != nil {
		return nil, errors.Wrap(err, "SInfrasResourceBaseManager.ListItemExportKeys")
	}
	return q, nil
}

func (policy *SScopedPolicy) PerformBind(
	ctx context.Context,
	userCred mcclient.TokenCredential,
	query jsonutils.JSONObject,
	input api.ScopedPolicyBindInput,
) (jsonutils.JSONObject, error) {
	switch input.Scope {
	case rbacscope.ScopeSystem:
		err := ScopedPolicyBindingManager.bind(ctx, policy.Category, policy.Id, "", "")
		if err != nil {
			return nil, errors.Wrap(err, "bind system")
		}
	case rbacscope.ScopeDomain:
		for i := range input.TargetIds {
			if input.TargetIds[i] == api.ANY_DOMAIN_ID {
				err := ScopedPolicyBindingManager.bind(ctx, policy.Category, policy.Id, api.ANY_DOMAIN_ID, "")
				if err != nil {
					return nil, errors.Wrap(err, "bind all domain")
				}
			} else {
				domainObj, err := db.TenantCacheManager.FetchDomainByIdOrName(ctx, input.TargetIds[i])
				if err != nil {
					return nil, errors.Wrap(err, "FetchDomainByIdOrName")
				}
				err = ScopedPolicyBindingManager.bind(ctx, policy.Category, policy.Id, domainObj.GetId(), "")
				if err != nil {
					return nil, errors.Wrapf(err, "bind domain %s", domainObj.GetName())
				}
			}
		}
	case rbacscope.ScopeProject:
		for i := range input.TargetIds {
			if input.TargetIds[i] == api.ANY_PROJECT_ID {
				err := ScopedPolicyBindingManager.bind(ctx, policy.Category, policy.Id, api.ANY_DOMAIN_ID, api.ANY_PROJECT_ID)
				if err != nil {
					return nil, errors.Wrap(err, "bind all project")
				}
			} else {
				tenantObj, err := db.TenantCacheManager.FetchTenantById(ctx, input.TargetIds[i])
				if err != nil {
					return nil, errors.Wrap(err, "FetchTenantByIdOrName")
				}
				err = ScopedPolicyBindingManager.bind(ctx, policy.Category, policy.Id, tenantObj.DomainId, tenantObj.Id)
				if err != nil {
					return nil, errors.Wrapf(err, "bind project %s", tenantObj.GetName())
				}
			}
		}
	}
	return nil, nil
}