def assert_layman_layer_access_rights(username, layername, roles_to_test):
with app.app_context():
access_rights = prime_db_schema.get_layer_info(
username, layername)['access_rights']
if users.get_user_infos(username):
roles_to_test['read'].add(username)
roles_to_test['write'].add(username)
assert set(access_rights['read']) == roles_to_test['read']
assert set(access_rights['write']) == roles_to_test['write']
def get():
app.logger.info(f"GET Users")
user_infos = users.get_user_infos()
infos = [{
"username": username,
"screen_name": info.get("preferred_username"),
"given_name": info.get("given_name"),
"family_name": info.get("family_name"),
"middle_name": info.get("middle_name"),
"name": info.get("name"),
} for username, info in user_infos.items()]
return jsonify(infos), 200
def authenticate():
user = None
username = request.headers.get(settings.LAYMAN_AUTHN_HTTP_HEADER_NAME,
None)
if username is None:
return user
user = users.get_user_infos(username).get(username)
if not user:
raise LaymanError(44,
f'Username {username} not recognized.',
sub_code=1)
user = {'username': username}
g.user = user
return user
def authenticate():
actor = None
actor_name = request.headers.get(settings.LAYMAN_AUTHN_HTTP_HEADER_NAME,
None)
if actor_name is None:
return actor
actor = users.get_user_infos(actor_name).get(actor_name)
if not actor:
raise LaymanError(44,
f'Username {actor_name} not recognized.',
sub_code=1)
actor = {'username': actor_name}
# pylint: disable=assigning-non-slot
g.user = actor
return actor
def assert_gs_layer_data_security(username, layername, expected_roles):
auth = settings.LAYMAN_GS_AUTH
with app.app_context():
is_personal_workspace = users.get_user_infos(username)
owner_and_everyone_roles = gs_common.layman_users_to_geoserver_roles(
{username, settings.RIGHTS_EVERYONE_ROLE})
owner_role_set = gs_common.layman_users_to_geoserver_roles({username})
for right_type in ['read', 'write']:
gs_expected_roles = gs_common.layman_users_to_geoserver_roles(
expected_roles[right_type])
gs_roles = gs_util.get_security_roles(
f'{username}.{layername}.{right_type[0]}', auth)
assert gs_expected_roles == gs_roles\
or (is_personal_workspace
and gs_expected_roles == owner_and_everyone_roles == gs_roles.union(owner_role_set)), right_type
def migrate_users_and_publications():
workspace_names = global_get_workspaces(use_cache=False)
layer_context = {
'sources_filter':
'layman.layer.filesystem.uuid, layman.layer.filesystem.input_chunk, '
'layman.layer.filesystem.input_file, layman.layer.filesystem.input_style, layman.layer.db.table, '
'layman.layer.qgis.wms, layman.layer.geoserver.wfs, layman.layer.geoserver.wms, '
'layman.layer.geoserver.sld, layman.layer.filesystem.thumbnail, layman.layer.micka.soap'
}
map_context = {
'sources_filter':
'layman.map.filesystem.uuid, layman.map.filesystem.input_file, layman.map.filesystem.thumbnail, '
'layman.map.micka.soap'
}
for workspace_name in workspace_names:
userinfo = get_authn_info(workspace_name)
id_workspace = workspaces.ensure_workspace(workspace_name)
if userinfo:
# It is personal workspace
iss_sub_infos = users.get_user_infos(
iss_sub={
'issuer_id': userinfo["iss_id"],
'sub': userinfo["sub"]
})
if iss_sub_infos:
username_in_conflict, iss_sub_info = iss_sub_infos.popitem()
raise LaymanError(
f"Two workspaces are registered as private workspaces of the same user. To migrate successfully, "
f"choose which workspace should be the only private workspace of the user, delete authn.txt file "
f"from the other workspace, and restart layman. The other workspace becomes public.",
data={
'user': iss_sub_info,
'workspaces': [workspace_name, username_in_conflict]
})
userinfo['issuer_id'] = userinfo['iss_id']
users.ensure_user(id_workspace, userinfo)
everyone_can_write = False
else:
# It is public workspace, so all publications are available to everybody
everyone_can_write = True
for (publ_type, infos_method,
context) in [(LAYER_TYPE, get_layer_infos, layer_context),
(MAP_TYPE, get_map_infos, map_context)]:
publications = infos_method(workspace_name)
for name in publications:
info = layman_util.get_publication_info(
workspace_name, publ_type, name, context)
insert_publications_sql = f'''insert into {DB_SCHEMA}.publications as p
(id_workspace, name, title, type, uuid, everyone_can_read, everyone_can_write) values
(%s, %s, %s, %s, %s, %s, %s)
returning id
;'''
data = (
id_workspace,
name,
info.get("title", name),
publ_type,
info["uuid"],
True,
everyone_can_write,
)
db_util.run_statement(insert_publications_sql, data)
def authorize(workspace, publication_type, publication_name, request_method,
actor_name):
is_multi_publication_request = not publication_name
publication_not_found_code = {
'layman.layer': 15,
'layman.map': 26,
}[publication_type]
if is_multi_publication_request:
if request_method.lower() in [
common.REQUEST_METHOD_GET, common.REQUEST_METHOD_DELETE
]:
if not workspaces.get_workspace_infos(workspace):
raise LaymanError(40) # Workspace not found
return
if request_method.lower() in [common.REQUEST_METHOD_POST]:
if actor_name == workspace:
return
if ((not users.get_user_infos(workspace)) # public workspace
and can_user_publish_in_public_workspace(actor_name)
): # actor can publish in public workspace
if workspaces.get_workspace_infos(
workspace): # workspaces exists
return
if can_user_create_public_workspace(
actor_name): # workspaces can be created by actor
# raises exception if new workspace is not correct
layman_util.check_workspace_name(workspace)
else:
raise LaymanError(30) # unauthorized request
else:
raise LaymanError(30) # unauthorized request
else:
raise LaymanError(31,
{'method': request_method}) # unsupported method
else:
if not workspaces.get_workspace_infos(workspace):
raise LaymanError(40) # Workspace not found
publ_info = layman_util.get_publication_infos(
workspace, publication_type).get(
(workspace, publication_type, publication_name))
if not publ_info:
raise LaymanError(publication_not_found_code)
user_can_read = is_user_in_access_rule(
actor_name, publ_info['access_rights']['read'])
if request_method.lower() in [common.REQUEST_METHOD_GET]:
if user_can_read:
return
raise LaymanError(publication_not_found_code)
if request_method.lower() in [
common.REQUEST_METHOD_PATCH,
common.REQUEST_METHOD_DELETE,
common.REQUEST_METHOD_POST,
common.REQUEST_METHOD_PUT,
]:
if is_user_in_access_rule(actor_name,
publ_info['access_rights']['write']):
return
if user_can_read:
raise LaymanError(30) # unauthorized request
raise LaymanError(publication_not_found_code)
raise LaymanError(31, {'method': request_method}) # unsupported method