def create_group(permissions=None, group_name=None, display_name=None,
owner=None, ldap=False,
root_password=None):
# tg_group.group_name column is VARCHAR(16)
if group_name is None:
group_name = unique_name(u'group%s')
assert len(group_name) <= 16
group = Group.lazy_create(group_name=group_name)
group.root_password = root_password
if display_name is None:
group.display_name = u'Group %s' % group_name
else:
group.display_name = display_name
group.ldap = ldap
if ldap:
assert owner is None, 'LDAP groups cannot have owners'
if owner:
add_owner_to_group(owner, group)
else:
group_owner = create_user(user_name=unique_name(u'group_owner_%s'))
add_owner_to_group(group_owner, group)
if permissions:
group.permissions.extend(Permission.by_name(name) for name in permissions)
return group
def save_group_permissions(self, **kw):
try:
permission_name = kw['permissions']['text']
except KeyError:
log.exception('Permission not submitted correctly')
response.status = 403
return ['Permission not submitted correctly']
try:
permission = Permission.by_name(permission_name)
except NoResultFound:
log.exception('Invalid permission: %s' % permission_name)
response.status = 403
return ['Invalid permission value']
try:
group_id = kw['group_id']
except KeyError:
log.exception('Group id not submitted')
response.status = 403
return ['No group id given']
try:
group = Group.by_id(group_id)
except NoResultFound:
log.exception('Group id %s is not a valid group id' % group_id)
response.status = 403
return ['Invalid Group Id']
group = Group.by_id(group_id)
if permission not in group.permissions:
group.permissions.append(permission)
else:
response.status = 403
return ['%s already exists in group %s' %
(permission.permission_name, group.group_name)]
return {'name':permission_name, 'id':permission.permission_id}
def create_group(permissions=None,
group_name=None,
display_name=None,
owner=None,
membership_type=GroupMembershipType.normal,
root_password=None):
if group_name is None:
group_name = unique_name(u'group%s')
group = Group.lazy_create(group_name=group_name)
group.root_password = root_password
if display_name is None:
group.display_name = u'Group %s display name' % group_name
else:
group.display_name = display_name
group.membership_type = membership_type
if group.membership_type == GroupMembershipType.ldap:
assert owner is None, 'LDAP groups cannot have owners'
if not owner:
owner = create_user(user_name=unique_name(u'group_owner_%s'))
group.add_member(owner, is_owner=True, service=u'testdata')
if permissions:
group.permissions.extend(
Permission.by_name(name) for name in permissions)
return group
def create_group(permissions=None,
group_name=None,
display_name=None,
owner=None,
ldap=False,
root_password=None):
# tg_group.group_name column is VARCHAR(16)
if group_name is None:
group_name = unique_name(u'group%s')
assert len(group_name) <= 16
group = Group.lazy_create(group_name=group_name)
group.root_password = root_password
if display_name is None:
group.display_name = u'Group %s' % group_name
else:
group.display_name = display_name
group.ldap = ldap
if ldap:
assert owner is None, 'LDAP groups cannot have owners'
if owner:
add_owner_to_group(owner, group)
else:
group_owner = create_user(user_name=unique_name(u'group_owner_%s'))
add_owner_to_group(group_owner, group)
if permissions:
group.permissions.extend(
Permission.by_name(name) for name in permissions)
return group
def setUp(self):
self.lc = data_setup.create_labcontroller()
self.distro = data_setup.create_distro()
self.distro_tree = data_setup.create_distro_tree(distro=self.distro,
arch='x86_64', lab_controllers=[self.lc])
self.server = self.get_server()
user = User.by_user_name(data_setup.ADMIN_USER)
user.groups[0].permissions[:] = user.groups[0].permissions + [ Permission.by_name('distro_expire')]
def permissions_typeahead():
if 'q' in request.args:
permissions = Permission.by_name(request.args['q'], anywhere=True)
else:
permissions = Permission.query.all()
data = [{'permission_name': permission.permission_name,
'tokens': [permission.permission_name]}
for permission in permissions]
return jsonify(data=data)
def permissions_typeahead():
if 'q' in request.args:
permissions = Permission.by_name(request.args['q'], anywhere=True)
else:
permissions = Permission.query.all()
data = [{'permission_name': permission.permission_name,
'tokens': [permission.permission_name]}
for permission in permissions]
return jsonify(data=data)
def setUp(self):
self.lc = data_setup.create_labcontroller()
self.distro = data_setup.create_distro()
self.distro_tree = data_setup.create_distro_tree(
distro=self.distro, arch='x86_64', lab_controllers=[self.lc])
self.server = self.get_server()
user = User.by_user_name(data_setup.ADMIN_USER)
user.groups[0].permissions[:] = user.groups[0].permissions + [
Permission.by_name('distro_expire')
]
def setUp(self):
self.group = data_setup.create_group()
# grant the group distro_expire permission
self.group.permissions.append(Permission.by_name('distro_expire'))
self.user = data_setup.create_user(password=u'password')
self.group.add_member(self.user)
self.lc = data_setup.create_labcontroller(user=self.user)
self.distro = data_setup.create_distro()
self.distro_tree = data_setup.create_distro_tree(
distro=self.distro, arch='x86_64', lab_controllers=[self.lc])
self.server = self.get_server()
def setUp(self):
self.group = data_setup.create_group()
# grant the group distro_expire permission
self.group.permissions.append(Permission.by_name('distro_expire'))
self.user = data_setup.create_user(password=u'password')
self.group.add_member(self.user)
self.lc = data_setup.create_labcontroller(user=self.user)
self.distro = data_setup.create_distro()
self.distro_tree = data_setup.create_distro_tree(distro=self.distro,
arch='x86_64', lab_controllers=[self.lc])
self.server = self.get_server()
def test_whoami_proxy_user(self):
with session.begin():
group = data_setup.create_group()
proxy_perm = Permission.by_name(u'proxy_auth')
group.permissions.append(proxy_perm)
proxied_user = data_setup.create_user()
proxying_user = data_setup.create_user(password='******')
group.add_member(proxying_user)
out = run_client(
['bkr', 'whoami', '--proxy-user', proxied_user.user_name],
config=create_client_config(username=proxying_user.user_name,
password='******'))
self.assertIn('"username": "******"' % proxied_user.user_name, out)
self.assertIn('"proxied_by_username": "******"' % proxying_user.user_name,
out)
def test_whoami_proxy_user(self):
with session.begin():
group = data_setup.create_group()
proxy_perm = Permission.by_name(u'proxy_auth')
group.permissions.append(proxy_perm)
proxied_user = data_setup.create_user()
proxying_user = data_setup.create_user(password='******')
group.add_member(proxying_user)
out = run_client(['bkr', 'whoami',
'--proxy-user', proxied_user.user_name],
config=\
create_client_config(
username=proxying_user.user_name,
password='******'))
self.assertIn('"username": "******"' % proxied_user.user_name, out)
self.assertIn('"proxied_by_username": "******"' % proxying_user.user_name, out)
def remove_group_permission(self, group_id, permission_id):
try:
group = Group.by_id(group_id)
except DatabaseLookupError:
log.exception('Group id %s is not a valid Group to remove' % group_id)
return ['0']
if not group.can_edit(identity.current.user):
log.exception('User %d does not have edit permissions for Group id %s'
% (identity.current.user.user_id, group_id))
response.status = 403
return ['You are not an owner of group %s' % group]
try:
permission = Permission.by_id(permission_id)
except NoResultFound:
log.exception('Permission id %s is not a valid Permission to remove' % permission_id)
return ['0']
group.permissions.remove(permission)
return ['1']
def create_group(permissions=None, group_name=None, display_name=None,
owner=None, membership_type=GroupMembershipType.normal, root_password=None):
if group_name is None:
group_name = unique_name(u'group%s')
group = Group.lazy_create(group_name=group_name)
group.root_password = root_password
if display_name is None:
group.display_name = u'Group %s display name' % group_name
else:
group.display_name = display_name
group.membership_type = membership_type
if group.membership_type == GroupMembershipType.ldap:
assert owner is None, 'LDAP groups cannot have owners'
if not owner:
owner = create_user(user_name=unique_name(u'group_owner_%s'))
group.add_member(owner, is_owner=True, service=u'testdata')
if permissions:
group.permissions.extend(Permission.by_name(name) for name in permissions)
return group
def save_group_permissions(self, **kw):
try:
permission_name = kw['permissions']['text']
except KeyError:
log.exception('Permission not submitted correctly')
response.status = 403
return ['Permission not submitted correctly']
try:
permission = Permission.by_name(permission_name)
except NoResultFound:
log.exception('Invalid permission: %s' % permission_name)
response.status = 403
return ['Invalid permission value']
try:
group_id = kw['group_id']
except KeyError:
log.exception('Group id not submitted')
response.status = 403
return ['No group id given']
try:
group = Group.by_id(group_id)
except NoResultFound:
log.exception('Group id %s is not a valid group id' % group_id)
response.status = 403
return ['Invalid Group Id']
group = Group.by_id(group_id)
if permission not in group.permissions:
group.permissions.append(permission)
else:
response.status = 403
return [
'%s already exists in group %s' %
(permission.permission_name, group.group_name)
]
return {'name': permission_name, 'id': permission.permission_id}
def remove_group_permission(self, group_id, permission_id):
try:
group = Group.by_id(group_id)
except DatabaseLookupError:
log.exception('Group id %s is not a valid Group to remove' %
group_id)
return ['0']
if not group.can_edit(identity.current.user):
log.exception(
'User %d does not have edit permissions for Group id %s' %
(identity.current.user.user_id, group_id))
response.status = 403
return ['You are not an owner of group %s' % group]
try:
permission = Permission.by_id(permission_id)
except NoResultFound:
log.exception(
'Permission id %s is not a valid Permission to remove' %
permission_id)
return ['0']
group.permissions.remove(permission)
return ['1']
def populate_db(user_name=None, password=None, user_display_name=None,
user_email_address=None):
logger.info('Populating tables with pre-defined values if necessary')
session.begin()
try:
admin = Group.by_name(u'admin')
except InvalidRequestError:
admin = Group(group_name=u'admin', display_name=u'Admin')
session.add(admin)
try:
lab_controller = Group.by_name(u'lab_controller')
except InvalidRequestError:
lab_controller = Group(group_name=u'lab_controller',
display_name=u'Lab Controller')
session.add(lab_controller)
# Setup User account
if user_name:
user = User.lazy_create(user_name=user_name.decode('utf8'))
if password:
user.password = password.decode('utf8')
if user_display_name:
user.display_name = user_display_name.decode('utf8')
if user_email_address:
user.email_address = user_email_address.decode('utf8')
# Ensure the user is in the 'admin' group as an owner.
# Flush for lazy_create.
session.flush()
user_group_assoc = UserGroup.lazy_create(
user_id=user.user_id, group_id=admin.group_id)
user_group_assoc.is_owner = True
# Create distro_expire perm if not present
try:
_ = Permission.by_name(u'distro_expire')
except NoResultFound:
distro_expire_perm = Permission(u'distro_expire')
session.add(distro_expire_perm)
# Create proxy_auth perm if not present
try:
_ = Permission.by_name(u'proxy_auth')
except NoResultFound:
proxy_auth_perm = Permission(u'proxy_auth')
session.add(proxy_auth_perm)
# Create tag_distro perm if not present
try:
_ = Permission.by_name(u'tag_distro')
except NoResultFound:
tag_distro_perm = Permission(u'tag_distro')
admin.permissions.append(tag_distro_perm)
# Create stop_task perm if not present
try:
_ = Permission.by_name(u'stop_task')
except NoResultFound:
stop_task_perm = Permission(u'stop_task')
lab_controller.permissions.append(stop_task_perm)
admin.permissions.append(stop_task_perm)
# Create secret_visible perm if not present
try:
_ = Permission.by_name(u'secret_visible')
except NoResultFound:
secret_visible_perm = Permission(u'secret_visible')
lab_controller.permissions.append(secret_visible_perm)
admin.permissions.append(secret_visible_perm)
# Create change_prio perm if not present
try:
_ = Permission.by_name(u'change_prio')
except NoResultFound:
change_prio_perm = Permission(u'change_prio')
session.add(change_prio_perm)
# Setup Hypervisors Table
if Hypervisor.query.count() == 0:
for h in [u'KVM', u'Xen', u'HyperV', u'VMWare']:
session.add(Hypervisor(hypervisor=h))
# Setup kernel_type Table
if KernelType.query.count() == 0:
for type in [u'default', u'highbank', u'imx', u'omap', u'tegra']:
session.add(KernelType(kernel_type=type, uboot=False))
for type in [u'mvebu']:
session.add(KernelType(kernel_type=type, uboot=True))
# Setup base Architectures
if Arch.query.count() == 0:
for arch in [u'i386', u'x86_64', u'ia64', u'ppc', u'ppc64', u'ppc64le',
u's390', u's390x', u'armhfp', u'aarch64', u'arm']:
session.add(Arch(arch))
# Setup base power types
if PowerType.query.count() == 0:
for power_type in [u'apc_snmp', u'apc_snmp_then_etherwake',
u'bladecenter', u'bladepap', u'drac', u'ether_wake', u'hyper-v',
u'ilo', u'integrity', u'ipmilan', u'ipmitool', u'lpar', u'rsa',
u'virsh', u'wti']:
session.add(PowerType(power_type))
# Setup key types
if Key.query.count() == 0:
session.add(Key(u'DISKSPACE', True))
session.add(Key(u'COMMENT'))
session.add(Key(u'CPUFAMILY', True))
session.add(Key(u'CPUFLAGS'))
session.add(Key(u'CPUMODEL'))
session.add(Key(u'CPUMODELNUMBER', True))
session.add(Key(u'CPUSPEED', True))
session.add(Key(u'CPUVENDOR'))
session.add(Key(u'DISK', True))
session.add(Key(u'FORMFACTOR'))
session.add(Key(u'HVM'))
session.add(Key(u'MEMORY', True))
session.add(Key(u'MODEL'))
session.add(Key(u'MODULE'))
session.add(Key(u'NETWORK'))
session.add(Key(u'NR_DISKS', True))
session.add(Key(u'NR_ETH', True))
session.add(Key(u'NR_IB', True))
session.add(Key(u'PCIID'))
session.add(Key(u'PROCESSORS', True))
session.add(Key(u'RTCERT'))
session.add(Key(u'SCRATCH'))
session.add(Key(u'STORAGE'))
session.add(Key(u'USBID'))
session.add(Key(u'VENDOR'))
session.add(Key(u'XENCERT'))
session.add(Key(u'NETBOOT_METHOD'))
if RetentionTag.query.count() == 0:
session.add(RetentionTag(tag=u'scratch', is_default=1, expire_in_days=30))
session.add(RetentionTag(tag=u'60days', needs_product=False, expire_in_days=60))
session.add(RetentionTag(tag=u'120days', needs_product=False, expire_in_days=120))
session.add(RetentionTag(tag=u'active', needs_product=True))
session.add(RetentionTag(tag=u'audit', needs_product=True))
config_items = [
# name, description, numeric
(u'root_password', u'Plaintext root password for provisioned systems', False),
(u'root_password_validity', u"Maximum number of days a user's root password is valid for",
True),
(u'guest_name_prefix', u'Prefix for names of dynamic guests in OpenStack', False),
(u'guest_private_network', u'Network address in CIDR format for private networks'
' of dynamic guests in OpenStack.', False),
]
for name, description, numeric in config_items:
ConfigItem.lazy_create(name=name, description=description, numeric=numeric)
if ConfigItem.by_name(u'root_password').current_value() is None:
ConfigItem.by_name(u'root_password').set(u'beaker', user=admin.users[0])
if ConfigItem.by_name(u'guest_private_network').current_value() is None:
ConfigItem.by_name(u'guest_private_network').set(u'192.168.10.0/24',
user=admin.users[0])
session.commit()
session.close()
logger.info('Pre-defined values populated')
def create_permission(name=None):
if not name:
name = unique_name('permission%s')
permission = Permission(name)
session.add(permission)
return permission
def get_permissions(self, input):
results = Permission.by_name(input, anywhere=True)
permission_names = [result.permission_name for result in results]
return dict(matches=permission_names)
def populate_db(user_name=None, password=None, user_display_name=None,
user_email_address=None):
session.begin()
try:
admin = Group.by_name(u'admin')
except InvalidRequestError:
admin = Group(group_name=u'admin',display_name=u'Admin')
session.add(admin)
try:
lab_controller = Group.by_name(u'lab_controller')
except InvalidRequestError:
lab_controller = Group(group_name=u'lab_controller',
display_name=u'Lab Controller')
session.add(lab_controller)
#Setup User account
if user_name:
user = User.lazy_create(user_name=user_name.decode('utf8'))
if password:
user.password = password.decode('utf8')
if user_display_name:
user.display_name = user_display_name.decode('utf8')
if user_email_address:
user.email_address = user_email_address.decode('utf8')
# Ensure the user is in the 'admin' group as an owner.
# Flush for lazy_create.
session.flush()
user_group_assoc = UserGroup.lazy_create(
user_id=user.user_id, group_id=admin.group_id)
user_group_assoc.is_owner = True
# Create distro_expire perm if not present
try:
distro_expire_perm = Permission.by_name(u'distro_expire')
except NoResultFound:
distro_expire_perm = Permission(u'distro_expire')
session.add(distro_expire_perm)
# Create proxy_auth perm if not present
try:
proxy_auth_perm = Permission.by_name(u'proxy_auth')
except NoResultFound:
proxy_auth_perm = Permission(u'proxy_auth')
session.add(proxy_auth_perm)
# Create tag_distro perm if not present
try:
tag_distro_perm = Permission.by_name(u'tag_distro')
except NoResultFound:
tag_distro_perm = Permission(u'tag_distro')
admin.permissions.append(tag_distro_perm)
# Create stop_task perm if not present
try:
stop_task_perm = Permission.by_name(u'stop_task')
except NoResultFound:
stop_task_perm = Permission(u'stop_task')
lab_controller.permissions.append(stop_task_perm)
admin.permissions.append(stop_task_perm)
# Create secret_visible perm if not present
try:
secret_visible_perm = Permission.by_name(u'secret_visible')
except NoResultFound:
secret_visible_perm = Permission(u'secret_visible')
lab_controller.permissions.append(secret_visible_perm)
admin.permissions.append(secret_visible_perm)
#Setup Hypervisors Table
if Hypervisor.query.count() == 0:
for h in [u'KVM', u'Xen', u'HyperV', u'VMWare']:
session.add(Hypervisor(hypervisor=h))
#Setup kernel_type Table
if KernelType.query.count() == 0:
for type in [u'default', u'highbank', u'imx', u'omap', u'tegra']:
session.add(KernelType(kernel_type=type, uboot=False))
for type in [u'mvebu']:
session.add(KernelType(kernel_type=type, uboot=True))
#Setup base Architectures
if Arch.query.count() == 0:
for arch in [u'i386', u'x86_64', u'ia64', u'ppc', u'ppc64', u'ppc64le',
u's390', u's390x', u'armhfp', u'aarch64', u'arm']:
session.add(Arch(arch))
#Setup base power types
if PowerType.query.count() == 0:
for power_type in [u'apc_snmp', u'apc_snmp_then_etherwake',
u'bladecenter', u'bladepap', u'drac', u'ether_wake', u'hyper-v',
u'ilo', u'integrity', u'ipmilan', u'ipmitool', u'lpar', u'rsa',
u'virsh', u'wti']:
session.add(PowerType(power_type))
#Setup key types
if Key.query.count() == 0:
session.add(Key(u'DISKSPACE',True))
session.add(Key(u'COMMENT'))
session.add(Key(u'CPUFAMILY',True))
session.add(Key(u'CPUFLAGS'))
session.add(Key(u'CPUMODEL'))
session.add(Key(u'CPUMODELNUMBER', True))
session.add(Key(u'CPUSPEED',True))
session.add(Key(u'CPUVENDOR'))
session.add(Key(u'DISK',True))
session.add(Key(u'FORMFACTOR'))
session.add(Key(u'HVM'))
session.add(Key(u'MEMORY',True))
session.add(Key(u'MODEL'))
session.add(Key(u'MODULE'))
session.add(Key(u'NETWORK'))
session.add(Key(u'NR_DISKS',True))
session.add(Key(u'NR_ETH',True))
session.add(Key(u'NR_IB',True))
session.add(Key(u'PCIID'))
session.add(Key(u'PROCESSORS',True))
session.add(Key(u'RTCERT'))
session.add(Key(u'SCRATCH'))
session.add(Key(u'STORAGE'))
session.add(Key(u'USBID'))
session.add(Key(u'VENDOR'))
session.add(Key(u'XENCERT'))
session.add(Key(u'NETBOOT_METHOD'))
#Setup ack/nak reposnses
if Response.query.count() == 0:
session.add(Response(response=u'ack'))
session.add(Response(response=u'nak'))
if RetentionTag.query.count() == 0:
session.add(RetentionTag(tag=u'scratch', is_default=1, expire_in_days=30))
session.add(RetentionTag(tag=u'60days', needs_product=False, expire_in_days=60))
session.add(RetentionTag(tag=u'120days', needs_product=False, expire_in_days=120))
session.add(RetentionTag(tag=u'active', needs_product=True))
session.add(RetentionTag(tag=u'audit', needs_product=True))
config_items = [
# name, description, numeric
(u'root_password', u'Plaintext root password for provisioned systems', False),
(u'root_password_validity', u"Maximum number of days a user's root password is valid for", True),
(u'guest_name_prefix', u'Prefix for names of dynamic guests in OpenStack', False),
]
for name, description, numeric in config_items:
ConfigItem.lazy_create(name=name, description=description, numeric=numeric)
if ConfigItem.by_name(u'root_password').current_value() is None:
ConfigItem.by_name(u'root_password').set(u'beaker', user=admin.users[0])
session.commit()
session.close()
def _get_permission_by_name(permission_name):
try:
return Permission.by_name(permission_name)
except NoResultFound:
# Needs to return 400 as the resource exists but the given parameter is bad.
raise BadRequest400("Permission '%s' does not exist" % permission_name)
def _get_permission_by_name(permission_name):
try:
return Permission.by_name(permission_name)
except NoResultFound:
# Needs to return 400 as the resource exists but the given parameter is bad.
raise BadRequest400("Permission '%s' does not exist" % permission_name)
def get_permissions(self, input):
results = Permission.by_name(input, anywhere=True)
permission_names = [result.permission_name for result in results]
return dict(matches=permission_names)