cyberark
diff --git a/‎app/controllers/policy_factories_controller.rb
Lines changed: 52 additions & 14 deletions b/‎app/controllers/policy_factories_controller.rb
Lines changed: 52 additions & 14 deletions
diff --git a/‎app/domain/factory/Readme.md
Lines changed: 59 additions & 0 deletions b/‎app/domain/factory/Readme.md
Lines changed: 59 additions & 0 deletions
diff --git a/‎app/domain/factory/create_from_policy_factory.rb
Lines changed: 178 additions & 45 deletions b/‎app/domain/factory/create_from_policy_factory.rb
Lines changed: 178 additions & 45 deletions
@@ -2,24 +2,27 @@
 
 require 'base64'
 require 'json'
+require './app/domain/responses'
 
 class PolicyFactoriesController < RestController
-  include AuthorizeResource
-
   before_action :current_user
 
   def create
-    factory_resource = load_factory(kind: params[:kind], id: params[:id], account: params[:account])
-    authorize(:execute, factory_resource)
-
-    response = Factory::CreateFromPolicyFactory.new.call(
-      account: params[:account],
-      factory_template: JSON.parse(Base64.decode64(factory_resource.secret.value)),
-      request_body: JSON.parse(request.body.read),
-      authorization: request.headers["Authorization"]
-    )
+    response = load_factory(kind: params[:kind], id: params[:id], account: params[:account])
+      .bind do |factory|
+        Factory::CreateFromPolicyFactory.new.call(
+          account: params[:account],
+          factory_template: JSON.parse(Base64.decode64(factory)),
+          request_body: request.body.read,
+          authorization: request.headers["Authorization"]
+        )
+      end
 
-    render(json: JSON.parse(response.body), status: :created) if response.code == 201
+    if response.success?
+      render(json: JSON.parse(response.result), status: :created)
+    else
+      render(json: error_response(response), status: response.status)
+    end
   end
 
   def info
@@ -32,8 +35,43 @@ def info
 
   private
 
-  def load_factory(kind:, id:, account:)
-    Resource["#{account}:variable:conjur/factories/#{kind}/#{id}"]
+  def error_response(response)
+    rtn = {
+      status: response.status,
+      body: { errors: [] }
+    }
+    if response.message.is_a?(Array)
+      rtn[:body][:errors] == response.message
+    else
+      rtn[:body][:errors] << {
+        message: response.message
+      }
+    end
   end
 
+  def load_factory(kind:, id:, account:)
+    factory_resource = Resource["#{account}:variable:conjur/factories/#{kind}/#{id}"]
+    if factory_resource.blank?
+      return ::FailureResponse.new(
+        "Policy Factory '#{kind}/#{id}' does not exist in account '#{account}'",
+        status: :not_found
+      )
+    end
+
+    if current_user.allowed_to?(:execute, factory_resource)
+      if factory_resource.secret.present?
+        ::SuccessResponse.new(factory_resource.secret.value)
+      else
+        ::FailureResponse.new(
+          "Policy Factory '#{kind}/#{id}' in account '#{account}' has not been initialized",
+          status: :bad_request
+        )
+      end
+    else
+      ::FailureResponse.new(
+        "Role '#{current_user}' does not have access to Policy Factory '#{kind}/#{id}' does not exist in account '#{account}'",
+        status: :forbidden
+      )
+    end
+  end
 end
@@ -0,0 +1,59 @@
+# Policy Factory
+
+## Policy Factory Creation Requests
+
+```plantuml
+@startuml
+start
+:Identify Factory\nvariable based\non request params;
+if (Can role load\nfactory variable?) then
+  :Load Factory;
+  :Extract Schema from Factory;
+  if (Parse JSON body?) then
+    if (Required keys missing?) then
+      #pink:(400) - missing keys;
+      kill
+    else
+      if (required values empty?) then
+        #pink:(400) - missing values;
+        kill
+      else
+        if (Policy rendered?) then
+          if (Policy namespace path rendered?) then
+            if (Policy successfully applied) then
+              if (Factory has variables?) then
+                if (Variable successfully set?) then
+                  :(201) Return policy response;
+                  end
+                else
+                  #pink:(401) - setting variables not permitted;
+                  kill
+                endif
+              else
+                :(201) Return policy response;
+                end
+              endif
+            else
+              #pink:(401) - policy creation not permitted;
+              kill
+            endif
+          else
+            #pink:(400) - policy namespace variable(s) missing;
+            kill
+          endif
+        else
+          #pink:(400) - policy variable(s) missing;
+          kill
+        endif
+      endif
+    endif
+  else
+    #pink:(400) - malformed JSON;
+    kill
+  endif
+else
+  #pink:(404) - factory not available;
+  kill
+endif
+@enduml
+```
@@ -3,67 +3,200 @@
 require 'base64'
 require 'rest_client'
 require 'json_schemer'
-require 'factory/render_policy'
+require 'factory/renderer'
 
 module Factory
   class CreateFromPolicyFactory
-    def initialize(base64: Base64, renderer: Factory::RenderPolicy.new, http: RestClient, schema_validator: JSONSchemer)
-      @base64 = base64
+    def initialize(renderer: Factory::Renderer.new, http: RestClient, schema_validator: JSONSchemer, success: SuccessResponse, failure: FailureResponse)
       @renderer = renderer
       @http = http
       @schema_validator = schema_validator
+      @success = success
+      @failure = failure
+
+      # JSON, URI, and Base64 are defined here for visibility. They
+      # are not currently mocked in testing, thus, we're not setting
+      # them in the initializer.
+      @json = JSON
+      @base64 = Base64
+      @uri = URI
     end
 
-    def validate!(schema:, params:)
+    def validate_and_transform_request(schema:, params:)
+      return @failure.new("Request body must be JSON", status: :bad_request) if params.blank?
+
+      begin
+        params = @json.parse(params)
+      rescue
+        return @failure.new("Request body must be valid JSON", status: :bad_request)
+      end
+
+      # Strip keys without values
+      params = params.select{|_, v| v.present? }
+
       validator = @schema_validator.schema(schema)
-      return if validator.valid?(params)
-
-      error = validator.validate(params).first
-      case error['type']
-      when 'required'
-        missing_attributes = error['details']['missing_keys'].map{|key| [ error['data_pointer'], key].reject{|item| item.empty?}.join('/') }.join("', '")
-        raise "The following JSON attributes are missing: '#{missing_attributes}'"
-      else
-        raise "Generic JSON Schema validation error: type => '#{error['type']}', details => '#{error['type'].inspect}'"
+      return @success.new(params) if validator.valid?(params)
+
+      errors = validator.validate(params).map do |error|
+        case error['type']
+        when 'required'
+          missing_attributes = error['details']['missing_keys'].map{|key| [ error['data_pointer'], key].reject(&:empty?).join('/') } #.join("', '")
+          missing_attributes.map do |attribute|
+            {
+              message: "Missing JSON key or value for: '#{attribute}'",
+              key: attribute
+            }
+          end
+        else
+          {
+            message: "Generic JSON Schema validation error: type => '#{error['type']}', details => '#{error['type'].inspect}'"
+          }
+        end
+      end
+      @failure.new(errors.flatten, status: :bad_request)
+    end
+
+    def render_and_apply_policy(policy_load_path:, policy_template:, variables:, account:, authorization:)
+      @renderer.render(
+        template: policy_template,
+        variables: variables
+      ).bind do |rendered_policy|
+          response = @http.post(
+            "http://localhost:3000/policies/#{account}/policy/#{policy_load_path}",
+            rendered_policy,
+            'Authorization' => authorization
+          )
+          if response.code == 201
+            @success.new(response.body)
+          else
+            case response.code
+            when 400
+              @failure.new("Failed to apply generated Policy to '#{policy_load_path}'", status: :bad_request)
+            when 401
+              @failure.new("Unauthorized to apply generated policy to '#{policy_load_path}'", status: :unauthorized)
+            when 403
+              @failure.new("Forbidden to apply generated policy to '#{policy_load_path}'", status: :forbidden)
+            when 404
+              @failure.new("Unable to apply generated policy to '#{policy_load_path}'", status: :not_found)
+            else
+              @failure.new(
+                "Failed to apply generated policy to '#{policy_load_path}'. Status Code: '#{response.code}, Response: '#{response.body}''",
+                status: :bad_request
+              )
+            end
+          end
+        end
+    end
+
+    def set_factory_variables(schema_variables:, factory_variables:, variable_path:, authorization:, account:)
+      schema_variables.each_key do |factory_variable|
+        next unless factory_variables.key?(factory_variable)
+
+        variable_id = @uri.encode_www_form_component("#{variable_path}/#{factory_variable}")
+        secret_path = "secrets/#{account}/variable/#{variable_id}"
+
+        response = @http.post(
+          "http://localhost:3000/#{secret_path}",
+          factory_variables[factory_variable].to_s,
+          { 'Authorization' => authorization }
+        )
+        next if response.code == 201
+
+        case response.code
+        when 401
+          return @failure.new("Role is unauthorized to set variable: '#{secret_path}'", status: :unauthorized)
+        when 403
+          return @failure.new("Role lacks the privilege to set variable: '#{secret_path}'", status: :forbidden)
+        else
+          return @failure.new(
+            "Failed to set variable: '#{secret_path}'. Status Code: '#{response.code}', Response: '#{response.body}'",
+            status: :bad_request
+          )
+        end
       end
+      @success.new('Variables successfully set')
     end
 
     def call(factory_template:, request_body:, account:, authorization:)
-      request_body = request_body.select{|_, v| v.present? }
-      validate!(
+      validate_and_transform_request(
         schema: factory_template['schema'],
         params: request_body
-      )
-
-      # Convert `dashed` keys to `underscored`.  This only occurs for top-level parameters.
-      # Conjur variables should be use dashes rather than underscores.
-      template_variables = request_body.transform_keys { |key| key.to_s.underscore }
-
-      # Render the policy from the template and provided values
-      policy_template = @base64.decode64(factory_template['policy'])
-
-      # Push rendered policy to the desired policy branch
-      policy_load_path = @renderer.render(template: factory_template['policy_namespace'], variables: template_variables)
-      response = @http.post(
-        "http://localhost:3000/policies/#{account}/policy/#{policy_load_path}",
-        @renderer.render(template: policy_template, variables: template_variables),
-        'Authorization' => authorization
-      )
-
-      if factory_template['schema']['properties'].key?('variables')
-        variable_path = @renderer.render(template: "#{factory_template['policy_namespace']}/<%= id %>", variables: template_variables)
-        factory_template['schema']['properties']['variables']['properties'].each_key do |factory_variable|
-          variable_id = URI.encode_www_form_component("#{variable_path}/#{factory_variable}")
-
-          @http.post(
-            "http://localhost:3000/secrets/#{account}/variable/#{variable_id}",
-            # All values must be sent to Conjur as strings
-            template_variables['variables'][factory_variable].to_s,
-            { 'Authorization' => authorization }
-          )
+      ).bind do |body_variables|
+          # Convert `dashed` keys to `underscored`.  This only occurs for top-level parameters.
+          # Conjur variables should be use dashes rather than underscores.
+          template_variables = body_variables.transform_keys { |key| key.to_s.underscore }
+
+          # Render the policy from the template and provided values
+          policy_template = @base64.decode64(factory_template['policy'])
+
+          # Push rendered policy to the desired policy branch
+          @renderer.render(template: factory_template['policy_namespace'], variables: template_variables)
+            .bind do |policy_load_path|
+              valid_variables = factory_template['schema']['properties'].keys - ['variables']
+              render_and_apply_policy(
+                policy_load_path: policy_load_path,
+                policy_template: policy_template,
+                variables: template_variables.select { |k,_| valid_variables.include?(k) },
+                account: account,
+                authorization: authorization
+              ).bind do |result|
+                return @success.new(result) unless factory_template['schema']['properties'].key?('variables')
+
+                # Set Policy Factory variables
+                @renderer.render(template: "#{factory_template['policy_namespace']}/<%= id %>", variables: template_variables)
+                  .bind { |variable_path|
+                    set_factory_variables(
+                      schema_variables: factory_template['schema']['properties']['variables']['properties'],
+                      factory_variables: template_variables['variables'],
+                      variable_path: variable_path,
+                      authorization: authorization,
+                      account: account
+                    )
+                  }.bind {
+                    # If variables were added successfully, return the result so that
+                    # we send the policy load response back to the client.
+                    @success.new(result)
+                  }
+              end
+            end
         end
-      end
-      response
+
+
+      # # Push rendered policy to the desired policy branch
+      # policy_post = @renderer.render(template: factory_template['policy_namespace'], variables: template_variables)
+      #   .bind do |policy_load_path|
+      #     render_and_apply_policy(
+      #       policy_load_path: policy_load_path,
+      #       policy_template: policy_template,
+      #       # TODO: restrict the scope to the first level (exclude variables) if present
+      #       variables: @json.parse(params)
+      #     )
+      #   end
+      #   .bind do |result|
+      #     return result unless factory_template['schema']['properties'].key?('variables')
+
+      #     apply_variables(
+      #       schema_variables: factory_template['schema']['properties']['variables']['properties'],
+      #       variable_path: @renderer.render(template: "#{factory_template['policy_namespace']}/<%= id %>", variables: template_variables)
+      #     )
+      #   end
+
+      # return policy_post unless policy_post.success?
+
+      # if factory_template['schema']['properties'].key?('variables')
+      #   variable_path = @renderer.render(template: "#{factory_template['policy_namespace']}/<%= id %>", variables: template_variables)
+      #   factory_template['schema']['properties']['variables']['properties'].each_key do |factory_variable|
+      #     variable_id = URI.encode_www_form_component("#{variable_path}/#{factory_variable}")
+
+      #     @http.post(
+      #       "http://localhost:3000/secrets/#{account}/variable/#{variable_id}",
+      #       # All values must be sent to Conjur as strings
+      #       template_variables['variables'][factory_variable].to_s,
+      #       { 'Authorization' => authorization }
+      #     )
+      #   end
+      # end
+      # policy_post
     end
   end
 end