def test_test(self):
        auth = getUtility(IAuthentication, context=None)
        auth.registerPrincipal(User('user1'))
        auth.registerPrincipal(User('user2'))

        # setup some fake permissions to the test principals
        prinperG.grantPermissionToPrincipal('read', 'user1')
        prinperG.grantPermissionToPrincipal('zope.Nothing', 'user2')

        # set up interactions
        interaction_user1 = self._get_interaction('user1')
        interaction_user2 = self._get_interaction('user2')

        # get the object being secured
        compute = self.make_compute()
        eq_(compute.architecture, 'linux')

        # get the proxies for the corresponding interactions
        compute_proxy_user1 = proxy_factory(compute, interaction_user1)
        compute_proxy_user2 = proxy_factory(compute, interaction_user2)

        # check an authorized access
        eq_(compute_proxy_user1.architecture, 'linux')

        # check an unauthorized access
        with assert_raises(Unauthorized):
            eq_(compute_proxy_user2.architecture, 'linux')

        # check a default unauthorized access
        with assert_raises(Unauthorized):
            eq_(compute_proxy_user1.state, 'active')
    def test_test(self):
        auth = getUtility(IAuthentication, context=None)
        auth.registerPrincipal(User('user1'))
        auth.registerPrincipal(User('user2'))

        # setup some fake permissions to the test principals
        prinperG.grantPermissionToPrincipal('read', 'user1')
        prinperG.grantPermissionToPrincipal('zope.Nothing', 'user2')

        # set up interactions
        interaction_user1 = self._get_interaction('user1')
        interaction_user2 = self._get_interaction('user2')

        # get the object being secured
        compute = self.make_compute()
        eq_(compute.architecture, 'linux')

        # get the proxies for the corresponding interactions
        compute_proxy_user1 = proxy_factory(compute, interaction_user1)
        compute_proxy_user2 = proxy_factory(compute, interaction_user2)

        # check an authorized access
        eq_(compute_proxy_user1.architecture, 'linux')

        # check an unauthorized access
        with assert_raises(Unauthorized):
            eq_(compute_proxy_user2.architecture, 'linux')

        # check a default unauthorized access
        with assert_raises(Unauthorized):
            eq_(compute_proxy_user1.state, 'active')
Beispiel #3
0
    def handle_request(self, request):
        """Takes a request, maps it to a domain object and a corresponding IHttpRestView
        and returns the rendered output of that view.
        """
        principal = self.check_auth(request)

        oms_root = db.get_root()['oms_root']
        objs, unresolved_path = traverse_path(oms_root, request.path[1:])

        if not objs and unresolved_path:
            objs = [oms_root]

        obj = objs[-1]

        interaction = self.get_interaction(request, principal)
        request.interaction = interaction

        if self.use_security_proxy:
            obj = proxy_factory(obj, interaction)

        view = self.find_view(obj, unresolved_path, request)

        needs_rw_transaction = view.rw_transaction(request)

        # create a security proxy if we have a secured interaction
        if interaction:
            try:
                view = proxy_factory(view, interaction)
            except:
                # XXX: TODO: define a real exception for this proxy creation error
                # right now we want to ignore security when there are no declared rules
                # on how to secure a view
                pass

        def get_renderer(view, method):
            try:
                return getattr(view, method, None)
            except zope.security.interfaces.Unauthorized:
                raise Forbidden('User does not have permission to access this resource')

        for method in ('render_' + request.method,
                       'render_' + request.method.lower(),
                       'render'):
            renderer = get_renderer(view, method)
            if renderer:
                from opennode.oms.endpoint.httprest.auth import AuthView
                if isinstance(view, AuthView) and renderer.__name__ == 'render':
                    res = renderer(request, self.use_keystone_tokens)
                else:
                    res = renderer(request)
                return res if needs_rw_transaction else db.RollbackValue(res)

        raise NotImplementedError("Method %s is not implemented in %s\n" % (request.method, view))
    def handle_request(self, request):
        """Takes a request, maps it to a domain object and a corresponding IHttpRestView
        and returns the rendered output of that view.
        """
        token = self.get_token(request)

        oms_root = db.get_root()['oms_root']
        objs, unresolved_path = traverse_path(oms_root, request.path[1:])

        if not objs and unresolved_path:
            objs = [oms_root]

        obj = objs[-1]

        interaction = self.get_interaction(request, token)
        request.interaction = interaction

        if self.use_security_proxy:
            obj = proxy_factory(obj, interaction)

        view = self.find_view(obj, unresolved_path, request)

        needs_rw_transaction = view.rw_transaction(request)

        # create a security proxy if we have a secured interaction
        if interaction:
            try:
                view = proxy_factory(view, interaction)
            except:
                # XXX: TODO: define a real exception for this proxy creation error
                # right now we want to ignore security when there are no declared rules
                # on how to secure a view
                pass

        def get_renderer(view, method):
            try:
                return getattr(view, method, None)
            except zope.security.interfaces.Unauthorized, e:
                from opennode.oms.endpoint.httprest.auth import IHttpRestAuthenticationUtility
                auth_util = getUtility(IHttpRestAuthenticationUtility)
                if token or not auth_util.get_basic_auth_credentials(request) or \
                            (self.use_keystone_tokens and
                             not auth_util.get_keystone_auth_credentials(request)):
                    raise Forbidden(
                        'User does not have permission to access this resource'
                    )
                raise Unauthorized()
Beispiel #5
0
 def traverse(self, path):
     objs, unresolved_path = self.traverse_full(path)
     if not objs or unresolved_path:
         return
     elif self.protocol.use_security_proxy:
         return proxy_factory(objs[-1], self.protocol.interaction)
     else:
         return objs[-1]
 def traverse(self, path):
     objs, unresolved_path = self.traverse_full(path)
     if not objs or unresolved_path:
         return
     elif self.protocol.use_security_proxy:
         return proxy_factory(objs[-1], self.protocol.interaction)
     else:
         return objs[-1]
Beispiel #7
0
    def handle_request(self, request):
        """Takes a request, maps it to a domain object and a corresponding IHttpRestView
        and returns the rendered output of that view.
        """
        token = self.get_token(request)

        oms_root = db.get_root()['oms_root']
        objs, unresolved_path = traverse_path(oms_root, request.path[1:])

        if not objs and unresolved_path:
            objs = [oms_root]

        obj = objs[-1]

        interaction = self.get_interaction(request, token)
        request.interaction = interaction

        if self.use_security_proxy:
            obj = proxy_factory(obj, interaction)

        view = self.find_view(obj, unresolved_path, request)

        needs_rw_transaction = view.rw_transaction(request)

        # create a security proxy if we have a secured interaction
        if interaction:
            try:
                view = proxy_factory(view, interaction)
            except:
                # XXX: TODO: define a real exception for this proxy creation error
                # right now we want to ignore security when there are no declared rules
                # on how to secure a view
                pass

        def get_renderer(view, method):
            try:
                return getattr(view, method, None)
            except zope.security.interfaces.Unauthorized, e:
                from opennode.oms.endpoint.httprest.auth import IHttpRestAuthenticationUtility
                auth_util = getUtility(IHttpRestAuthenticationUtility)
                if token or not auth_util.get_basic_auth_credentials(request) or \
                            (self.use_keystone_tokens and 
                             not auth_util.get_keystone_auth_credentials(request)):
                    raise Forbidden('User does not have permission to access this resource')
                raise Unauthorized()
    def test_adapt(self):
        auth = getUtility(IAuthentication, context=None)
        auth.registerPrincipal(User('user1'))
        interaction = self._get_interaction('user1')

        # get the object being secured
        compute = self.make_compute()
        compute_proxy = proxy_factory(compute, interaction)

        eq_(IContainer(compute), IContainer(compute_proxy))
    def test_adapt(self):
        auth = getUtility(IAuthentication, context=None)
        auth.registerPrincipal(User('user1'))
        interaction = self._get_interaction('user1')

        # get the object being secured
        compute = self.make_compute()
        compute_proxy = proxy_factory(compute, interaction)

        eq_(IContainer(compute), IContainer(compute_proxy))
    def test_schema(self):
        auth = getUtility(IAuthentication, context=None)
        auth.registerPrincipal(User('userSchema'))
        prinperG.grantPermissionToPrincipal('read', 'userSchema')
        prinperG.grantPermissionToPrincipal('modify', 'userSchema')

        interaction = self._get_interaction('userSchema')

        # get the object being secured
        compute = self.make_compute()
        compute_proxy = proxy_factory(compute, interaction)

        eq_(model_to_dict(compute), model_to_dict(compute_proxy))
    def test_schema(self):
        auth = getUtility(IAuthentication, context=None)
        auth.registerPrincipal(User('userSchema'))
        prinperG.grantPermissionToPrincipal('read', 'userSchema')
        prinperG.grantPermissionToPrincipal('modify', 'userSchema')

        interaction = self._get_interaction('userSchema')

        # get the object being secured
        compute = self.make_compute()
        compute_proxy = proxy_factory(compute, interaction)

        eq_(model_to_dict(compute), model_to_dict(compute_proxy))
    def check_rights(self, obj, args):
        interaction = self.protocol.interaction
        obj = proxy_factory(obj, interaction)

        allowed = []
        denied = []
        for r in args.r:
            for i in r.split(','):
                i = i.strip()
                if i.startswith('@'):
                    i = i[1:]
                (allowed if interaction.checkPermission(i, obj) else denied).append(i)

        self.write("+%s:-%s\n" % (','.join('@' + i for i in allowed), ','.join('@' + i for i in denied)))
Beispiel #13
0
    def check_rights(self, obj, args):
        interaction = self.protocol.interaction
        obj = proxy_factory(obj, interaction)

        allowed = []
        denied = []
        for r in args.r:
            for i in r.split(','):
                i = i.strip()
                if i.startswith('@'):
                    i = i[1:]
                (allowed
                 if interaction.checkPermission(i, obj) else denied).append(i)

        self.write("+%s:-%s\n" %
                   (','.join('@' + i
                             for i in allowed), ','.join('@' + i
                                                         for i in denied)))
def sudo(obj):
    """ System utility to elevate privileges to certain object accesses """
    obj = getObject(obj) if type(obj) is Proxy else obj
    return checker.proxy_factory(obj, new_interaction('root'))
def sudo(obj):
    """ System utility to elevate privileges to certain object accesses """
    obj = getObject(obj) if type(obj) is Proxy else obj
    return checker.proxy_factory(obj, new_interaction('root'))