fix: policy attachents

tombosmansibm · tombosmansibm · commit 797be124cd9a · 2025-07-14T16:20:29.000+02:00
diff --git a/docs/changelog.md b/docs/changelog.md
@@ -1,7 +1,10 @@
 # Manual change log
 
 ## Latest
+
 - fix: certificate_databases : python syntax (indentation)
+- fix: policy_attachments.py : idempotency and handle applications correctly
+-
 
 ## 2025.6.3.0
 
diff --git a/ibmsecurity/isam/aac/access_control/policy_attachments.py b/ibmsecurity/isam/aac/access_control/policy_attachments.py
@@ -28,11 +28,11 @@ def get(isamAppliance, server, resourceUri, check_mode=False, force=False):
         check_mode=check_mode,
         force=force,
     )
-    resource_id = ret_obj["data"]
+    resource_id = ret_obj.get("data", {})
 
     if resource_id == {}:
         logger.info(
-            f"Resource {server}/{resourceUri} had no match, skipping retrieval."
+            f"Resource {server}{resourceUri} had no match, skipping retrieval."
         )
         return isamAppliance.create_return_object()
     else:
@@ -57,7 +57,7 @@ def get_attachments(isamAppliance, server, resourceUri, check_mode=False, force=
 
     if resource_id == {}:
         logger.info(
-            f"Resource {server}/{resourceUri} had no match, skipping retrieval."
+            f"Resource {server}{resourceUri} had no match, skipping retrieval."
         )
         return isamAppliance.create_return_object()
     else:
@@ -77,10 +77,11 @@ def search(isamAppliance, server, resourceUri, force=False, check_mode=False):
     for obj in ret_obj["data"]:
         if obj["resourceUri"] == resourceUri and obj["server"] == server:
             logger.info(
-                f"Found server/resourceUri {server}/{resourceUri} id: {obj['id']}"
+                f"Found server/resourceUri {server}{resourceUri} id: {obj['id']}"
             )
             return_obj["data"] = obj["id"]
             return_obj["rc"] = 0
+            return return_obj
 
     return return_obj
 
@@ -144,38 +145,55 @@ def config(
       {'name': '<definition name>', 'type': 'definition'}]
     """
     warnings = []
-    if force is False:
-        ret_obj = search(isamAppliance, server, resourceUri)
+    ret_obj = search(isamAppliance, server, resourceUri)
 
-    if force is True or ret_obj["data"] == {}:
-        json_data = {"server": server, "resourceUri": resourceUri}
-        if policyType is not None:
-            if tools.version_compare(isamAppliance.facts["version"], "9.0.6.0") < 0:
-                warnings.append(
-                    f"Appliance at version: {isamAppliance.facts['version']}, policyType: {policyType} is not supported. Needs 9.0.6.0 or higher. Ignoring policyType for this call."
-                )
-            else:
-                json_data["type"] = policyType
+    json_data = {"server": server, "resourceUri": resourceUri}
+    if policyType is not None:
+        if tools.version_compare(isamAppliance.facts["version"], "9.0.6.0") < 0:
+            warnings.append(
+                f"Appliance at version: {isamAppliance.facts['version']}, policyType: {policyType} is not supported. Needs 9.0.6.0 or higher. Ignoring policyType for this call."
+            )
+        else:
+            json_data["type"] = policyType
+
+    json_data["policies"] = _convert_policy_name_to_id(isamAppliance, policies)
+    if policyCombiningAlgorithm is not None:
+        json_data["policyCombiningAlgorithm"] = policyCombiningAlgorithm
+    if cache is not None:
+        if tools.version_compare(isamAppliance.facts["version"], "9.0.3.0") < 0:
+            warnings.append(
+                f"Appliance at version: {isamAppliance.facts['version']}, cache: {cache} is not supported. Needs 9.0.3.0 or higher. Ignoring cache for this call."
+            )
+        else:
+            json_data["cache"] = int(cache)
 
-        json_data["policies"] = _convert_policy_name_to_id(isamAppliance, policies)
-        if policyCombiningAlgorithm is not None:
-            json_data["policyCombiningAlgorithm"] = policyCombiningAlgorithm
-        if cache is not None:
-            if tools.version_compare(isamAppliance.facts["version"], "9.0.3.0") < 0:
-                warnings.append(
-                    f"Appliance at version: {isamAppliance.facts['version']}, cache: {cache} is not supported. Needs 9.0.3.0 or higher. Ignoring cache for this call."
-                )
-            else:
-                json_data["cache"] = int(cache)
-        if check_mode is True:
+    if force or ret_obj.get("data", {}) == {}:
+        if check_mode:
             return isamAppliance.create_return_object(changed=True, warnings=warnings)
         else:
             return isamAppliance.invoke_post(
                 "Configure a resource", uri, json_data, warnings=warnings
             )
-
-    return isamAppliance.create_return_object()
-
+    else:
+        # Idempotency check
+        logger.debug(f"Idempotency check for {server}{resourceUri}")
+        curConfig = get(isamAppliance, server, resourceUri)
+        curConfig = curConfig.get("data", {})
+        # Need to get rid of lastmodified and name in each policy
+        _policies = list(map(lambda item: item.pop('lastmodified', None), curConfig.get("policies", [])))
+        _policies = list(map(lambda item: item.pop('name', None), curConfig.get("policies", [])))
+        if tools.json_equals(curConfig, json_data):
+            # No updates needed
+            return isamAppliance.create_return_object()
+        else:
+            if check_mode:
+                return isamAppliance.create_return_object(changed=True, warnings=warnings)
+            else:
+                # delete and add again
+                delete(isamAppliance, server, resourceUri)
+                return isamAppliance.invoke_post(
+                    "Reconfigure a resource", uri, json_data, warnings=warnings
+                )
 
 def update(
     isamAppliance,
@@ -306,17 +324,22 @@ def publish(isamAppliance, server, resourceUri, check_mode=False, force=False):
     """
     ret_obj = get(isamAppliance, server, resourceUri)
 
-    if force or (
-        ret_obj["data"] != {} and (
-            ret_obj["data"]["deployrequired"] or not ret_obj["data"]["deployed"]
-        ) and ret_obj["data"]["policies"] != []
-    ):
+    deploy_required = False
+    if ret_obj.get("data", {}).get("deployrequired", False) or not ret_obj.get("data", {}).get("deployed", False):
+        deploy_required = True
+
+    logger.debug(f"\n\nDeploy required: {deploy_required}\n\n")
+
+    resource_id = ret_obj.get('data', {}).get('id', None)
+    logger.debug(f"\n\nID: {resource_id}\n\n")
+    # if (force or deploy_required) and ret_obj.get("data", {}).get("policies", []) != []:
+    if (force or deploy_required) and resource_id is not None:
         if check_mode:
             return isamAppliance.create_return_object(changed=True)
         else:
             return isamAppliance.invoke_put(
                 "Publish the policy attachments for a resource",
-                f"{uri}/deployment/{ret_obj['data']['id']}",
+                f"{uri}/deployment/{resource_id}",
                 {},
             )
 
diff --git a/test/test_aac_access_control.py b/test/test_aac_access_control.py
@@ -68,15 +68,73 @@ def getTestData():
                     "Description": "Permit access"
                 }
             }
+        },
+        {
+            "dialect": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
+            "attributesRequired": False,
+            "name": "Test Access Control Policy 2",
+            "description": "Permit access",
+            "predefined": False,
+            "formatting": "json",
+            "policy": {
+                "PolicyTag": "urn:ibm:security:isam:8.0:xacml:2.0:config-policy",
+                "PolicyName": "Test Access Control Policy 2",
+                "PolicySet": {
+                    "Policy": [
+                        {
+                            "RuleCombiningAlgId": "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable",
+                            "Rule": {
+                                "Condition": {
+                                    "Apply": [
+                                        {
+                                            "FunctionId": "urn:oasis:names:tc:xacml:1.0:function:and",
+                                            "Apply": [
+                                                {
+                                                    "FunctionId": "urn:oasis:names:tc:xacml:1.0:function:any-of-any",
+                                                    "Function": {
+                                                        "FunctionId": "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal"
+                                                    },
+                                                    "Apply": [
+                                                        {
+                                                            "FunctionId": "urn:oasis:names:tc:xacml:1.0:function:integer-bag",
+                                                            "AttributeValue": {
+                                                                "DataType": "http://www.w3.org/2001/XMLSchema#integer",
+                                                                "content": 50
+                                                            }
+                                                        }
+                                                    ],
+                                                    "SubjectAttributeDesignator": [
+                                                        {
+                                                            "Issuer": "urn:ibm:security:issuer:RiskCalculator",
+                                                            "AttributeId": "urn:ibm:security:subject:riskScore",
+                                                            "MustBePresent": True,
+                                                            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
+                                                        }
+                                                    ]
+                                                }
+                                            ]
+                                        }
+                                    ]
+                                },
+                                "RuleId": "urn:ibm:security:rule:0",
+                                "Effect": "Deny"
+                            },
+                            "PolicyId": "urn:ibm:security:rule-container:0"
+                        }
+                    ],
+                    "PolicyCombiningAlgId": "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable",
+                    "Description": "Deny access"
+                }
+            }
         }
     ]
     return testdata
 
 
 def getPolicyAttachmentData():
     testdata = [
-        {"server": "default",
-         "resourceUri": "/register_mobile.html",
+        {"server": "isva11kvm-default",
+         "resourceUri": "/molecule.html",
          "policyCombiningAlgorithm": "denyOverrides",
          "policies": [
              {"name": "Test Access Control Policy",
@@ -86,8 +144,30 @@ def getPolicyAttachmentData():
          "type": "reverse_proxy",
          "cache": 0
          },
+        {"server": "isva11kvm-default",
+         "resourceUri": "/index.html",
+         "policyCombiningAlgorithm": "denyOverrides",
+         "policies": [
+             {"name": "Test Access Control Policy 2",
+              "type": "policy"
+              }
+         ],
+         "type": "reverse_proxy",
+         "cache": 0
+         },
+        {"server": "mobileApp",
+         "resourceUri": "/registerApp",
+         "policyCombiningAlgorithm": "denyOverrides",
+         "policies": [
+             {"name": "Test Access Control Policy",
+              "type": "policy"
+              }
+         ],
+         "type": "application",
+         "cache": 0
+         },
         {"server": "mobileApp",
-         "resourceUri": "registerApp",
+         "resourceUri": "/somethingelseApp",
          "policyCombiningAlgorithm": "denyOverrides",
          "policies": [
              {"name": "Test Access Control Policy",
