lemur/lemur/schemas.py

"""
.. module: lemur.schemas
    :platform: unix
    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.

.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>

"""
from sqlalchemy.orm.exc import NoResultFound

from marshmallow import fields, post_load, pre_load, post_dump, validates_schema
from marshmallow.exceptions import ValidationError

from lemur.common import validators
from lemur.common.schema import LemurSchema, LemurInputSchema, LemurOutputSchema

from lemur.plugins import plugins
from lemur.roles.models import Role
from lemur.users.models import User
from lemur.authorities.models import Authority
from lemur.certificates.models import Certificate
from lemur.destinations.models import Destination
from lemur.notifications.models import Notification


def get_object_attribute(data, many=False):
    if many:
        ids = [d.get('id') for d in data]
        names = [d.get('name') for d in data]

        if None in ids:
            if None in names:
                raise ValidationError('Associated object require a name or id.')
            else:
                return 'name'
        return 'id'
    else:
        if data.get('id'):
            return 'id'
        elif data.get('name'):
            return 'name'
        else:
            raise ValidationError('Associated object require a name or id.')


def fetch_objects(model, data, many=False):
    attr = get_object_attribute(data, many=many)

    if many:
        values = [v[attr] for v in data]
        items = model.query.filter(getattr(model, attr).in_(values)).all()
        found = [getattr(i, attr) for i in items]
        diff = set(values).symmetric_difference(set(found))

        if diff:
            raise ValidationError('Unable to locate {model} with {attr} {diff}'.format(
                model=model,
                attr=attr,
                diff=",".join(list(diff))))

        return items

    else:
        try:
            return model.query.filter(getattr(model, attr) == data[attr]).one()
        except NoResultFound:
            raise ValidationError('Unable to find {model} with {attr}: {data}'.format(
                model=model,
                attr=attr,
                data=data[attr]))


class AssociatedAuthoritySchema(LemurInputSchema):
    id = fields.Int()
    name = fields.String()

    @post_load
    def get_object(self, data, many=False):
        return fetch_objects(Authority, data, many=many)


class AssociatedRoleSchema(LemurInputSchema):
    id = fields.Int()
    name = fields.String()

    @post_load
    def get_object(self, data, many=False):
        return fetch_objects(Role, data, many=many)


class AssociatedDestinationSchema(LemurInputSchema):
    id = fields.Int()
    name = fields.String()

    @post_load
    def get_object(self, data, many=False):
        return fetch_objects(Destination, data, many=many)


class AssociatedNotificationSchema(LemurInputSchema):
    id = fields.Int()
    name = fields.String()

    @post_load
    def get_object(self, data, many=False):
        return fetch_objects(Notification, data, many=many)


class AssociatedCertificateSchema(LemurInputSchema):
    id = fields.Int()
    name = fields.String()

    @post_load
    def get_object(self, data, many=False):
        return fetch_objects(Certificate, data, many=many)


class AssociatedUserSchema(LemurInputSchema):
    id = fields.Int()
    name = fields.String()

    @post_load
    def get_object(self, data, many=False):
        return fetch_objects(User, data, many=many)


class PluginInputSchema(LemurInputSchema):
    plugin_options = fields.List(fields.Dict())
    slug = fields.String(required=True)
    title = fields.String()
    description = fields.String()

    @post_load
    def get_object(self, data, many=False):
        try:
            data['plugin_object'] = plugins.get(data['slug'])
            return data
        except Exception:
            raise ValidationError('Unable to find plugin: {0}'.format(data['slug']))


class PluginOutputSchema(LemurOutputSchema):
    id = fields.Integer()
    label = fields.String()
    description = fields.String()
    active = fields.Boolean()
    options = fields.List(fields.Dict(), dump_to='pluginOptions')
    slug = fields.String()
    title = fields.String()


plugins_output_schema = PluginOutputSchema(many=True)
plugin_output_schema = PluginOutputSchema


class BaseExtensionSchema(LemurSchema):
    @pre_load(pass_many=True)
    def preprocess(self, data, many):
        return self.under(data, many=many)

    @post_dump(pass_many=True)
    def post_process(self, data, many):
        if data:
            data = self.camel(data, many=many)
        return data


class BasicConstraintsSchema(BaseExtensionSchema):
    pass


class AuthorityIdentifierSchema(BaseExtensionSchema):
    use_authority_cert = fields.Boolean()


class AuthorityKeyIdentifierSchema(BaseExtensionSchema):
    use_key_identifier = fields.Boolean()


class CertificateInfoAccessSchema(BaseExtensionSchema):
    include_aia = fields.Boolean()

    @post_dump
    def handle_keys(self, data):
        return {'includeAIA': data['include_aia']}


class KeyUsageSchema(BaseExtensionSchema):
    use_crl_sign = fields.Boolean()
    use_data_encipherment = fields.Boolean()
    use_decipher_only = fields.Boolean()
    use_encipher_only = fields.Boolean()
    use_key_encipherment = fields.Boolean()
    use_digital_signature = fields.Boolean()
    use_non_repudiation = fields.Boolean()


class ExtendedKeyUsageSchema(BaseExtensionSchema):
    use_server_authentication = fields.Boolean()
    use_client_authentication = fields.Boolean()
    use_eap_over_lan = fields.Boolean()
    use_eap_over_ppp = fields.Boolean()
    use_ocsp_signing = fields.Boolean()
    use_smart_card_authentication = fields.Boolean()
    use_timestamping = fields.Boolean()


class SubjectKeyIdentifierSchema(BaseExtensionSchema):
    include_ski = fields.Boolean()

    @post_dump
    def handle_keys(self, data):
        return {'includeSKI': data['include_ski']}


class SubAltNameSchema(BaseExtensionSchema):
    name_type = fields.String(validate=validators.sub_alt_type)
    value = fields.String()

    @validates_schema
    def check_sensitive(self, data):
        if data.get('name_type') == 'DNSName':
            validators.sensitive_domain(data['value'])


class SubAltNamesSchema(BaseExtensionSchema):
    names = fields.Nested(SubAltNameSchema, many=True)


class CustomOIDSchema(BaseExtensionSchema):
    oid = fields.String()
    encoding = fields.String(validate=validators.encoding)
    value = fields.String()


class ExtensionSchema(BaseExtensionSchema):
    basic_constraints = fields.Nested(BasicConstraintsSchema)
    key_usage = fields.Nested(KeyUsageSchema)
    extended_key_usage = fields.Nested(ExtendedKeyUsageSchema)
    subject_key_identifier = fields.Nested(SubjectKeyIdentifierSchema)
    sub_alt_names = fields.Nested(SubAltNamesSchema)
    authority_identifier = fields.Nested(AuthorityIdentifierSchema)
    authority_key_identifier = fields.Nested(AuthorityKeyIdentifierSchema)
    certificate_info_access = fields.Nested(CertificateInfoAccessSchema)
    custom = fields.List(fields.Nested(CustomOIDSchema))


class EndpointNestedOutputSchema(LemurOutputSchema):
    __envelope__ = False
    id = fields.Integer()
    description = fields.String()
    name = fields.String()
    dnsname = fields.String()
    owner = fields.Email()
    type = fields.String()
    active = fields.Boolean()
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00			`"""`
			`.. module: lemur.schemas`
			`:platform: unix`
			`:copyright: (c) 2015 by Netflix Inc., see AUTHORS for more`
			`:license: Apache, see LICENSE for more details.`

			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`

			`"""`
Closes #372 (#389) * Closes #372 2016-07-04 23:32:46 +02:00			`from sqlalchemy.orm.exc import NoResultFound`

Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`from marshmallow import fields, post_load, pre_load, post_dump, validates_schema`
Closes #372 (#389) * Closes #372 2016-07-04 23:32:46 +02:00			`from marshmallow.exceptions import ValidationError`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00
			`from lemur.common import validators`
Various bug fixes. (#314) 2016-05-12 21:38:44 +02:00			`from lemur.common.schema import LemurSchema, LemurInputSchema, LemurOutputSchema`
Closes #372 (#389) * Closes #372 2016-07-04 23:32:46 +02:00
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00			`from lemur.plugins import plugins`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`from lemur.roles.models import Role`
			`from lemur.users.models import User`
Closes #372 (#389) * Closes #372 2016-07-04 23:32:46 +02:00			`from lemur.authorities.models import Authority`
			`from lemur.certificates.models import Certificate`
			`from lemur.destinations.models import Destination`
			`from lemur.notifications.models import Notification`


Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`def get_object_attribute(data, many=False):`
			`if many:`
			`ids = [d.get('id') for d in data]`
			`names = [d.get('name') for d in data]`

			`if None in ids:`
			`if None in names:`
			`raise ValidationError('Associated object require a name or id.')`
			`else:`
			`return 'name'`
			`return 'id'`
			`else:`
			`if data.get('id'):`
			`return 'id'`
			`elif data.get('name'):`
			`return 'name'`
			`else:`
			`raise ValidationError('Associated object require a name or id.')`
Closes #372 (#389) * Closes #372 2016-07-04 23:32:46 +02:00

Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`def fetch_objects(model, data, many=False):`
			`attr = get_object_attribute(data, many=many)`
Closes #372 (#389) * Closes #372 2016-07-04 23:32:46 +02:00
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`if many:`
			`values = [v[attr] for v in data]`
			`items = model.query.filter(getattr(model, attr).in_(values)).all()`
			`found = [getattr(i, attr) for i in items]`
			`diff = set(values).symmetric_difference(set(found))`
Closes #372 (#389) * Closes #372 2016-07-04 23:32:46 +02:00
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`if diff:`
			`raise ValidationError('Unable to locate {model} with {attr} {diff}'.format(`
			`model=model,`
			`attr=attr,`
			`diff=",".join(list(diff))))`

			`return items`

			`else:`
			`try:`
			`return model.query.filter(getattr(model, attr) == data[attr]).one()`
			`except NoResultFound:`
			`raise ValidationError('Unable to find {model} with {attr}: {data}'.format(`
			`model=model,`
			`attr=attr,`
			`data=data[attr]))`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00

			`class AssociatedAuthoritySchema(LemurInputSchema):`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`id = fields.Int()`
			`name = fields.String()`

			`@post_load`
			`def get_object(self, data, many=False):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`return fetch_objects(Authority, data, many=many)`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00

			`class AssociatedRoleSchema(LemurInputSchema):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`id = fields.Int()`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`name = fields.String()`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
			`@post_load`
			`def get_object(self, data, many=False):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`return fetch_objects(Role, data, many=many)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00

			`class AssociatedDestinationSchema(LemurInputSchema):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`id = fields.Int()`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`name = fields.String()`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
			`@post_load`
			`def get_object(self, data, many=False):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`return fetch_objects(Destination, data, many=many)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00

			`class AssociatedNotificationSchema(LemurInputSchema):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`id = fields.Int()`
			`name = fields.String()`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
			`@post_load`
			`def get_object(self, data, many=False):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`return fetch_objects(Notification, data, many=many)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00

			`class AssociatedCertificateSchema(LemurInputSchema):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`id = fields.Int()`
			`name = fields.String()`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
			`@post_load`
			`def get_object(self, data, many=False):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`return fetch_objects(Certificate, data, many=many)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00

Marshmallowing roles (#313) 2016-05-10 23:22:22 +02:00			`class AssociatedUserSchema(LemurInputSchema):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`id = fields.Int()`
			`name = fields.String()`
Marshmallowing roles (#313) 2016-05-10 23:22:22 +02:00
			`@post_load`
			`def get_object(self, data, many=False):`
Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 12:56:13 +02:00			`return fetch_objects(User, data, many=many)`
Marshmallowing roles (#313) 2016-05-10 23:22:22 +02:00

Various bug fixes. (#314) 2016-05-12 21:38:44 +02:00			`class PluginInputSchema(LemurInputSchema):`
			`plugin_options = fields.List(fields.Dict())`
			`slug = fields.String(required=True)`
Marshmallowing notifications. (#308) 2016-05-10 20:27:57 +02:00			`title = fields.String()`
			`description = fields.String()`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
			`@post_load`
			`def get_object(self, data, many=False):`
Closes #372 (#389) * Closes #372 2016-07-04 23:32:46 +02:00			`try:`
			`data['plugin_object'] = plugins.get(data['slug'])`
			`return data`
			`except Exception:`
			`raise ValidationError('Unable to find plugin: {0}'.format(data['slug']))`
Various bug fixes. (#314) 2016-05-12 21:38:44 +02:00

			`class PluginOutputSchema(LemurOutputSchema):`
			`id = fields.Integer()`
			`label = fields.String()`
			`description = fields.String()`
			`active = fields.Boolean()`
Fixes various issues. (#317) 2016-05-16 18:23:48 +02:00			`options = fields.List(fields.Dict(), dump_to='pluginOptions')`
Various bug fixes. (#314) 2016-05-12 21:38:44 +02:00			`slug = fields.String()`
			`title = fields.String()`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00

Fixes various issues. (#316) 2016-05-13 23:35:38 +02:00			`plugins_output_schema = PluginOutputSchema(many=True)`
			`plugin_output_schema = PluginOutputSchema`


Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`class BaseExtensionSchema(LemurSchema):`
			`@pre_load(pass_many=True)`
			`def preprocess(self, data, many):`
			`return self.under(data, many=many)`

			`@post_dump(pass_many=True)`
			`def post_process(self, data, many):`
			`if data:`
			`data = self.camel(data, many=many)`
			`return data`


			`class BasicConstraintsSchema(BaseExtensionSchema):`
			`pass`


			`class AuthorityIdentifierSchema(BaseExtensionSchema):`
			`use_authority_cert = fields.Boolean()`


			`class AuthorityKeyIdentifierSchema(BaseExtensionSchema):`
			`use_key_identifier = fields.Boolean()`


			`class CertificateInfoAccessSchema(BaseExtensionSchema):`
			`include_aia = fields.Boolean()`

			`@post_dump`
			`def handle_keys(self, data):`
			`return {'includeAIA': data['include_aia']}`


			`class KeyUsageSchema(BaseExtensionSchema):`
			`use_crl_sign = fields.Boolean()`
			`use_data_encipherment = fields.Boolean()`
			`use_decipher_only = fields.Boolean()`
			`use_encipher_only = fields.Boolean()`
			`use_key_encipherment = fields.Boolean()`
			`use_digital_signature = fields.Boolean()`
			`use_non_repudiation = fields.Boolean()`


			`class ExtendedKeyUsageSchema(BaseExtensionSchema):`
			`use_server_authentication = fields.Boolean()`
			`use_client_authentication = fields.Boolean()`
			`use_eap_over_lan = fields.Boolean()`
			`use_eap_over_ppp = fields.Boolean()`
			`use_ocsp_signing = fields.Boolean()`
			`use_smart_card_authentication = fields.Boolean()`
			`use_timestamping = fields.Boolean()`


			`class SubjectKeyIdentifierSchema(BaseExtensionSchema):`
			`include_ski = fields.Boolean()`

			`@post_dump`
			`def handle_keys(self, data):`
			`return {'includeSKI': data['include_ski']}`


			`class SubAltNameSchema(BaseExtensionSchema):`
			`name_type = fields.String(validate=validators.sub_alt_type)`
			`value = fields.String()`

			`@validates_schema`
			`def check_sensitive(self, data):`
San alt name (#468) 2016-10-31 19:00:15 +01:00			`if data.get('name_type') == 'DNSName':`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`validators.sensitive_domain(data['value'])`


			`class SubAltNamesSchema(BaseExtensionSchema):`
			`names = fields.Nested(SubAltNameSchema, many=True)`


			`class CustomOIDSchema(BaseExtensionSchema):`
			`oid = fields.String()`
Fix for Issue #352. 2016-06-09 01:41:31 +02:00			`encoding = fields.String(validate=validators.encoding)`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`value = fields.String()`


			`class ExtensionSchema(BaseExtensionSchema):`
			`basic_constraints = fields.Nested(BasicConstraintsSchema)`
			`key_usage = fields.Nested(KeyUsageSchema)`
			`extended_key_usage = fields.Nested(ExtendedKeyUsageSchema)`
			`subject_key_identifier = fields.Nested(SubjectKeyIdentifierSchema)`
			`sub_alt_names = fields.Nested(SubAltNamesSchema)`
			`authority_identifier = fields.Nested(AuthorityIdentifierSchema)`
			`authority_key_identifier = fields.Nested(AuthorityKeyIdentifierSchema)`
			`certificate_info_access = fields.Nested(CertificateInfoAccessSchema)`
			`custom = fields.List(fields.Nested(CustomOIDSchema))`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00

			`class EndpointNestedOutputSchema(LemurOutputSchema):`
			`__envelope__ = False`
			`id = fields.Integer()`
			`description = fields.String()`
			`name = fields.String()`
			`dnsname = fields.String()`
			`owner = fields.Email()`
			`type = fields.String()`
			`active = fields.Boolean()`