CORD-1570: Re-implementation of XOS Security via xproto at the API boundary

Change-Id: I9cb6380b0798a5f4af2f0459c5decd0b9edbb317
diff --git a/lib/xos-genx/xosgenx/jinja2_extensions/fol2.py b/lib/xos-genx/xosgenx/jinja2_extensions/fol2.py
index 0c8513a..4552d59 100644
--- a/lib/xos-genx/xosgenx/jinja2_extensions/fol2.py
+++ b/lib/xos-genx/xosgenx/jinja2_extensions/fol2.py
@@ -422,7 +422,7 @@
         if not tag:
             tag = gen_random_string()
 
-        policy_function_name_template = 'policy_%s_' + '%(random_string)s' % {'random_string': tag}
+        policy_function_name_template = '%s_' + '%(random_string)s' % {'random_string': tag}
         policy_function_name = policy_function_name_template % policy_name
 
         self.verdict_next()
@@ -636,7 +636,7 @@
     if fol_reduced in ['True','False'] and fol != fol_reduced:
         raise TrivialPolicy("Policy %(name)s trivially reduces to %(reduced)s. If this is what you want, replace its contents with %(reduced)s"%{'name':policy, 'reduced':fol_reduced})
 
-    a = f2p.gen_test_function(fol_reduced, policy, tag='enforcer')
+    a = f2p.gen_test_function(fol_reduced, policy, tag='security_check')
 
     return astunparse.unparse(a)
 
diff --git a/lib/xos-genx/xosgenx/targets/django-security.xtarget b/lib/xos-genx/xosgenx/targets/django-security.xtarget
new file mode 100644
index 0000000..d970cea
--- /dev/null
+++ b/lib/xos-genx/xosgenx/targets/django-security.xtarget
@@ -0,0 +1,9 @@
+from privilege import Privilege
+from django.db.models import Q
+
+{% for m in proto.messages %}
+{% if m.policy %}
+{{ xproto_fol_to_python_test(m.policy, proto.policies[m.policy], m) }}
+{% endif %}
+
+{% endfor %}
diff --git a/lib/xos-genx/xosgenx/targets/django-split.xtarget b/lib/xos-genx/xosgenx/targets/django-split.xtarget
index 5260e85..60cf9de 100644
--- a/lib/xos-genx/xosgenx/targets/django-split.xtarget
+++ b/lib/xos-genx/xosgenx/targets/django-split.xtarget
@@ -4,13 +4,17 @@
 {%- for l in m.links %}
 
 {% if l.peer.name != m.name %}
-from core.models.{{ l.peer.name | lower }} import {{ l.peer.name }} 
+from {{ l.peer.name | lower }} import {{ l.peer.name }} 
 {% endif %}
 
 {%- endfor %}
+{% if m.name!='XOSBase' and 'Mixin' not in m.name %}
+import security
+from privilege import Privilege
+{% endif %}
 {% for b in m.bases %}
 {% if b.name!='XOSBase' and 'Mixin' not in b.name %}
-from core.models.{{b.name | lower}} import {{ b.name }}
+from {{b.name | lower}} import {{ b.name }}
 {% endif %}
 {% endfor %}
 
@@ -40,9 +44,9 @@
       unique_together = {{ xproto_tuplify(uniques) }}
   {%- endif %}
   {% if file_exists(m.name|lower + '_model.py') -%}{{ include_file(m.name|lower + '_model.py') | indent(width=2)}}{%- endif %}
+  pass
 
   {% if m.name!='XOSBase' and 'Mixin' not in m.name %}
-
   # Generated methods
   def save(self, *args, **kwds):
       if not self.leaf_model_name:
@@ -58,7 +62,17 @@
       {% endfor %}
       super({{ m.name }}, self).save(*args, **kwds)
 
+  def can_access(self, ctx):
+      {% if m.policy %}
+      verdict = security.{{m.policy}}_security_check(self, ctx)
+      return verdict,"{{ m.policy }}"
+      {% else %}
+      verdict = XOS_GLOBAL_DEFAULT_SECURITY_POLICY
+      return verdict,"xos_default_policy"
+      {% endif %}
+      
   {% endif %}
+    
 {% if file_exists(xproto_base_name(m.name)|lower+'_bottom.py') -%}{{ include_file(xproto_base_name(m.name)|lower+'_bottom.py') }}{% endif %}
 +++ {{m.name|lower}}.py
 {% endif %}{% endfor %}
diff --git a/lib/xos-genx/xosgenx/targets/django.xtarget b/lib/xos-genx/xosgenx/targets/django.xtarget
index e9a56ec..1c8ce93 100644
--- a/lib/xos-genx/xosgenx/targets/django.xtarget
+++ b/lib/xos-genx/xosgenx/targets/django.xtarget
@@ -4,13 +4,19 @@
 {%- for l in m.links %}
 
 {% if l.peer.name != m.name %}
-from core.models.{{ l.peer.name | lower }} import {{ l.peer.name }} 
+from {{ l.peer.name | lower }} import {{ l.peer.name }} 
 {% endif %}
 
 {%- endfor %}
+{% if m.name!='XOSBase' and 'Mixin' not in m.name %}
+import security
+{% if m.name!='Privilege' %}
+from privilege import Privilege
+{% endif %}
+{% endif %}
 {% for b in m.bases %}
 {% if b.name!='XOSBase' and 'Mixin' not in b.name %}
-from core.models.{{b.name | lower}} import {{ b.name }}
+from {{b.name | lower}} import {{ b.name }}
 {% endif %}
 {% endfor %}
 
@@ -57,6 +63,16 @@
       policy_{{policy}}_validator(self, None)
       {% endfor %}
       super({{ m.name }}, self).save(*args, **kwds)
+
+  def can_access(self, ctx):
+      {% if m.policy %}
+      verdict = security.{{m.policy}}_security_check(self, ctx)
+      return verdict,"{{ m.policy }}"
+      {% else %}
+      verdict = XOS_GLOBAL_DEFAULT_SECURITY_POLICY
+      return verdict,"xos_default_policy"
+      {% endif %}
+      
   {% endif %}
     
 {% if file_exists(xproto_base_name(m.name)|lower+'_bottom.py') -%}{{ include_file(xproto_base_name(m.name)|lower+'_bottom.py') }}{% endif %}
diff --git a/lib/xos-genx/xosgenx/targets/grpc_api.xtarget b/lib/xos-genx/xosgenx/targets/grpc_api.xtarget
index a0373a3..4d05870 100644
--- a/lib/xos-genx/xosgenx/targets/grpc_api.xtarget
+++ b/lib/xos-genx/xosgenx/targets/grpc_api.xtarget
@@ -21,19 +21,19 @@
     def List{{ object.name }}(self, request, context):
       user=self.authenticate(context)
       model=self.get_model("{{ object.name }}")
-      return self.querysetToProto(model, model.objects.all())
+      return self.list(model, user)
 
     @translate_exceptions
     def Filter{{ object.name }}(self, request, context):
       user=self.authenticate(context)
       model=self.get_model("{{ object.name }}")
-      return self.filter(model, request)
+      return self.filter(model, user, request)
 
     @translate_exceptions
     def Get{{ object.name }}(self, request, context):
       user=self.authenticate(context)
       model=self.get_model("{{ object.name }}")
-      return self.get(model, request.id)
+      return self.get(model, user, request.id)
 
     @translate_exceptions
     def Create{{ object.name }}(self, request, context):
diff --git a/lib/xos-genx/xosgenx/targets/service.xtarget b/lib/xos-genx/xosgenx/targets/service.xtarget
index 5336f82..bf14b83 100644
--- a/lib/xos-genx/xosgenx/targets/service.xtarget
+++ b/lib/xos-genx/xosgenx/targets/service.xtarget
@@ -73,6 +73,15 @@
       policy_{{policy}}_validator(self, None)
       {% endfor %}
       super({{ m.name }}{{ legacy_tag }}, self).save(*args, **kwds)
+  
+  def can_access(self, ctx):
+      {% if m.policy %}
+      verdict = security.{{m.policy}}_security_check(self, ctx)
+      return verdict,"{{ m.policy }}"
+      {% else %}
+      verdict = True
+      return verdict,"xos_default_policy"
+      {% endif %}
 
 {% if file_exists(m.name|lower+'_bottom.py') -%}{{ include_file(m.name|lower+'_bottom.py') }}{% endif %} 
 {% endfor %}