forked from ManageIQ/manageiq
-
Notifications
You must be signed in to change notification settings - Fork 0
/
miq_policy_mixin.rb
166 lines (140 loc) · 5.18 KB
/
miq_policy_mixin.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
module MiqPolicyMixin
extend ActiveSupport::Concern
included do
tag_attribute :policy, "/miq_policy/assignment"
end
def add_policy(policy)
ns = "/miq_policy"
cat = "assignment/#{policy.class.to_s.underscore}"
tag = policy.id.to_s
tag_add(tag, :ns => ns, :cat => cat)
reload
end
def remove_policy(policy)
ns = "/miq_policy"
cat = "assignment/#{policy.class.to_s.underscore}"
tag = policy.id.to_s
tags = tag_list(:ns => ns, :cat => cat).split
tags.delete(tag)
tag_with(tags.join(" "), :ns => ns, :cat => cat)
reload
end
def get_policies
policy_tags
.map { |t| t.split("/").first(2) }
.group_by(&:first)
.select { |klass, _ids| ["miq_policy", "miq_policy_set"].include?(klass) }
.flat_map { |klass, ids| klass.camelize.constantize.where(:id => ids.map(&:last)).to_a }
end
def resolve_policies(list, event = nil)
MiqPolicy.resolve(self, list, event)
end
def resolve_profiles(list, event = nil)
result = []
list.each do |pid|
prof = MiqPolicySet.find(pid)
next unless prof
plist = prof.members.collect(&:name)
presults = resolve_policies(plist, event)
next if presults.empty? # skip profiles that had no policies due to the event not matching or no policies in scope
prof_result = "allow"
presults.each do |r|
if r["result"] == "deny"
prof_result = "deny"
break
end
end
result_list = presults.collect { |r| r["result"] }.uniq
prof_result = result_list.first if result_list.length == 1 && result_list.first == "N/A"
result.push(prof.attributes.merge("result" => prof_result, "policies" => presults))
end
result
end
def passes_policy?(list = nil)
list.nil? ? plist = policies : plist = resolve_policies(list)
result = true
plist.each do |policy|
result = false if policy["result"] == "deny"
end
result_list = plist.collect { |r| r["result"] }.uniq
result = result_list.first if result_list.length == 1 && result_list.first == "N/A"
result
end
def passes_profiles?(list)
plist = resolve_profiles(list)
result = true
plist.each do |prof|
result = false if prof["result"] == "deny"
end
result_list = plist.collect { |r| r["result"] }.uniq
result = result_list.first if result_list.length == 1 && result_list.first == "N/A"
result
end
def parent_enterprise
MiqEnterprise.my_enterprise
end
# cb_method: the MiqQueue callback method along with the parameters that is called
# when automate process is done and the request is not prevented to proceed by policy
def prevent_callback_settings(*cb_method)
{
:class_name => self.class.to_s,
:instance_id => id,
:method_name => :check_policy_prevent_callback,
:args => [*cb_method],
:server_guid => MiqServer.my_guid
}
end
def check_policy_prevent_callback(*action, _status, _message, result)
prevented = false
if result.kind_of?(MiqAeEngine::MiqAeWorkspaceRuntime)
event = result.get_obj_from_path("/")['event_stream']
data = event.attributes["full_data"]
prevented = data.fetch_path(:policy, :prevented) if data
end
if prevented
_log.info(event.attributes["message"])
else
kwargs = action.extract_options!
send(*action, **kwargs)
end
end
module ClassMethods
def rsop(event, targets)
eventobj = event.kind_of?(String) ? MiqEventDefinition.find_by(:name => event) : MiqEventDefinition.extract_objects(event)
raise _("No event found for [%{event}]") % {:event => event} if eventobj.nil?
targets = extract_objects(targets)
result = []
targets.each do |t|
profiles = (t.get_policies + MiqPolicy.associations_to_get_policies.collect do |assoc|
next unless t.respond_to?(assoc)
t.send(assoc).get_policies unless t.send(assoc).nil?
end).compact.flatten.uniq
presults = t.resolve_profiles(profiles.collect(&:id), eventobj)
target_result = presults.inject("allow") do |s, r|
break "deny" if r["result"] == "deny"
s
end
result_list = presults.collect { |r| r["result"] }.uniq
target_result = result_list.first if result_list.length == 1 && result_list.first == "N/A"
result.push("id" => t.id, "name" => t.name, "result" => target_result, "profiles" => presults)
end
result
end
def rsop_async(event, targets, userid = nil)
eventobj = event.kind_of?(String) ? MiqEventDefinition.find_by(:name => event) : MiqEventDefinition.extract_objects(event)
raise _("No event found for [%{event}]") % {:event => event} if eventobj.nil?
targets = targets.first.kind_of?(self) ? targets.collect(&:id) : targets
opts = {
:action => "#{name} - Resultant Set of Policy, Event: [#{eventobj.description}]",
:userid => userid
}
qopts = {
:class_name => name,
:method_name => "rsop",
:args => [eventobj.name, targets],
:priority => MiqQueue::HIGH_PRIORITY
}
MiqTask.generic_action_with_callback(opts, qopts)
end
end # module ClassMethods
end # module MiqPolicyMixin