Beispiel #1
    def get(self, request):
        """
        Return the stored permissions, optionally narrowed to a single resource.

        Without a ``resource`` query parameter every permission document is returned;
        with one, only the document for exactly that resource (if it exists). The
        response pairs each login with the operation names granted per resource.
        NOTE(review): no authorization check is visible inside this method -- confirm
        the decorator or middleware that restricts who may call it.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: Response containing a list of permissions for resource/s
        :rtype: django.http.HttpResponse
        """
        resource = request.GET.get('resource', None)
        query_manager = factory.permission_query_manager()

        if resource is None:
            permissions = query_manager.find_all()
        else:
            match = query_manager.find_by_resource(resource)
            permissions = [] if match is None else [match]

        for permission in permissions:
            # The documents hold users as a list of {'username', 'permissions'} entries;
            # the API answers with a {username: [operation names]} mapping instead, so
            # the storage layout stays hidden behind the API.
            by_login = dict((entry['username'], entry['permissions'])
                            for entry in permission['users'])
            permission['users'] = by_login
            permission_manager = factory.permission_manager()
            for username in list(by_login):
                by_login[username] = [permission_manager.operation_value_to_name(value)
                                      for value in by_login[username]]

        return generate_json_response_with_pulp_encoder(permissions)
Beispiel #2
    def is_authorized(self, resource, login, operation):
        """
        Decide whether a user may perform an operation on a resource.

        Superusers are always authorized. For any other login the resource path is
        checked from its most specific form up through each parent path and finally
        the root ('/'); a grant found at any of those levels authorizes the request.
        A grant on a parent therefore covers everything beneath it.

        NOTE(review): empty path segments are dropped, but nothing here canonicalizes
        the path; callers are presumably expected to pass a normalized resource
        path -- confirm.

        @type resource: str
        @param resource: pulp resource path

        @type login: str
        @param login: login of user to check permissions for

        @type operation: int
        @param operation: operation to be performed on resource

        @rtype: bool
        @return: True if the user is authorized for the operation on the resource,
                 False otherwise
        """
        if self.is_superuser(login):
            return True

        query_manager = factory.permission_query_manager()

        segments = [s for s in resource.split('/') if s]
        # Longest prefix first: '/a/b/c/', then '/a/b/', then '/a/'.
        for depth in range(len(segments), 0, -1):
            candidate = '/%s/' % '/'.join(segments[:depth])
            permission = query_manager.find_by_resource(candidate)
            if permission is not None and operation in permission['users'].get(login, []):
                return True

        # No grant below the root; the root permission is the last place to look.
        root = Permission.get_collection().find_one({'resource' : '/'})
        if root is None:
            return False
        return operation in root['users'].get(login, [])
Beispiel #3
    def is_authorized(self, resource, login, operation):
        """
        Decide whether a user may perform an operation on a resource.

        Superusers pass immediately. Otherwise the requested path and each of its
        parent paths are looked up in turn, ending with the root ('/'); the first
        level that grants the operation to the login authorizes the call. Access
        is denied only when no level grants it.

        NOTE(review): the path is split on '/' and empty segments are discarded;
        no further normalization happens here, so the caller presumably supplies
        a canonical resource path -- confirm.

        @type resource: str
        @param resource: pulp resource path

        @type login: str
        @param login: login of user to check permissions for

        @type operation: int
        @param operation: operation to be performed on resource

        @rtype: bool
        @return: True if the user is authorized for the operation on the resource,
                 False otherwise
        """
        if self.is_superuser(login):
            return True

        query_manager = factory.permission_query_manager()

        remaining = [part for part in resource.split('/') if part]
        while remaining:
            candidate = '/' + '/'.join(remaining) + '/'
            permission = query_manager.find_by_resource(candidate)
            if permission is not None:
                granted = query_manager.find_user_permission(permission, login)
                if operation in granted:
                    return True
            # Step up to the parent resource.
            remaining = remaining[:-1]

        # Fall back to a grant on the root resource.
        root = Permission.get_collection().find_one({'resource': '/'})
        if root is None:
            return False
        return operation in query_manager.find_user_permission(root, login)
Beispiel #4
    def test_syntactic_sugar_methods(self):
        """
        Check that every factory shortcut returns an instance of the expected manager class.
        """
        # Setup
        factory.initialize()

        # Test: each shortcut is paired with the class it is expected to hand back.
        expectations = (
            (factory.authentication_manager, AuthenticationManager),
            (factory.cert_generation_manager, CertGenerationManager),
            (factory.certificate_manager, CertificateManager),
            (factory.password_manager, PasswordManager),
            (factory.permission_manager, PermissionManager),
            (factory.permission_query_manager, PermissionQueryManager),
            (factory.role_manager, RoleManager),
            (factory.role_query_manager, RoleQueryManager),
            (factory.user_manager, UserManager),
            (factory.user_query_manager, UserQueryManager),
            (factory.repo_manager, RepoManager),
            (factory.repo_unit_association_manager, RepoUnitAssociationManager),
            (factory.repo_publish_manager, RepoPublishManager),
            (factory.repo_query_manager, RepoQueryManager),
            (factory.repo_sync_manager, RepoSyncManager),
            (factory.content_manager, ContentManager),
            (factory.content_query_manager, ContentQueryManager),
            (factory.content_upload_manager, ContentUploadManager),
            (factory.consumer_manager, ConsumerManager),
            (factory.topic_publish_manager, TopicPublishManager),
        )
        for shortcut, manager_class in expectations:
            self.assertTrue(isinstance(shortcut(), manager_class))
Beispiel #5
def is_authorized(resource, login, operation):
    """
    Check to see if a user is authorized to perform an operation on a resource.

    The user is loaded with ``get_or_404`` (presumably raising when the login is
    unknown -- confirm). Superusers are always authorized. Otherwise the resource
    and each of its parent paths are checked, ending with the root ('/'); a grant
    at any level authorizes the operation on everything beneath that level.

    NOTE(review): the path is split on '/' with empty segments dropped and is not
    otherwise normalized here -- confirm callers pass a canonical path.

    :param resource: pulp resource url
    :type  resource: str
    :param login: login of user to check permissions for
    :type  login: str
    :param operation: operation to be performed on resource
    :type  operation: int

    :return: True if the user is authorized for the operation on the resource, False otherwise
    :rtype: bool
    """
    if model.User.objects.get_or_404(login=login).is_superuser():
        return True

    query_manager = manager_factory.permission_query_manager()

    # Walk from the full path towards the root, one segment shorter each time.
    segments = [s for s in resource.split('/') if s]
    for depth in range(len(segments), 0, -1):
        candidate = '/%s/' % '/'.join(segments[:depth])
        permission = query_manager.find_by_resource(candidate)
        if permission is None:
            continue
        if operation in query_manager.find_user_permission(permission, login):
            return True

    # Last resort: a grant on the root resource itself.
    root = Permission.get_collection().find_one({'resource': '/'})
    if root is None:
        return False
    return operation in query_manager.find_user_permission(root, login)
Beispiel #6
    def test_syntactic_sugar_methods(self):
        """
        Verify that each factory convenience method yields the matching manager type.
        """
        # Setup
        factory.initialize()

        def check(manager, expected_class):
            # One assertion per shortcut; the first mismatch fails the test.
            self.assertTrue(isinstance(manager, expected_class))

        # Test
        check(factory.authentication_manager(), AuthenticationManager)
        check(factory.cert_generation_manager(), CertGenerationManager)
        check(factory.certificate_manager(), CertificateManager)
        check(factory.password_manager(), PasswordManager)
        check(factory.permission_manager(), PermissionManager)
        check(factory.permission_query_manager(), PermissionQueryManager)
        check(factory.role_manager(), RoleManager)
        check(factory.role_query_manager(), RoleQueryManager)
        check(factory.user_manager(), UserManager)
        check(factory.user_query_manager(), UserQueryManager)
        check(factory.repo_manager(), RepoManager)
        check(factory.repo_unit_association_manager(), RepoUnitAssociationManager)
        check(factory.repo_publish_manager(), RepoPublishManager)
        check(factory.repo_query_manager(), RepoQueryManager)
        check(factory.repo_sync_manager(), RepoSyncManager)
        check(factory.content_manager(), ContentManager)
        check(factory.content_query_manager(), ContentQueryManager)
        check(factory.content_upload_manager(), ContentUploadManager)
        check(factory.consumer_manager(), ConsumerManager)
        check(factory.topic_publish_manager(), TopicPublishManager)
Beispiel #7
    def GET(self):
        """
        Return the stored permissions, optionally narrowed to a single resource.

        Without a ``resource`` query parameter all permissions are returned; with
        one, only the permission for exactly that resource (if any). Operation
        values are replaced by their names before the response is built.
        NOTE(review): the response lists every login with its operations and no
        authorization check is visible in this method -- confirm the decorator
        guarding it.
        """
        resource = web.input().get('resource', None)
        query_manager = managers.permission_query_manager()

        if resource is None:
            permissions = query_manager.find_all()
        else:
            match = query_manager.find_by_resource(resource)
            permissions = [] if match is None else [match]

        for permission in permissions:
            users = permission['users']
            # Rewrite each user's operation values as names, in place.
            for login in list(users):
                users[login] = [operation_to_name(value) for value in users[login]]

        return self.ok(permissions)
Beispiel #8
    def GET(self):
        """
        List permissions for all resources, or for the one named by ``resource``.

        The optional ``resource`` query parameter selects a single permission by
        exact resource; an unknown resource yields an empty list. Each user's
        operation values are translated to operation names for the response.
        NOTE(review): who may call this handler is not decided here -- confirm the
        access check applied outside this method.
        """
        params = web.input()
        wanted = params.get('resource', None)

        found = []
        if wanted is not None:
            single = managers.permission_query_manager().find_by_resource(wanted)
            if single is not None:
                found = [single]
        else:
            found = managers.permission_query_manager().find_all()

        for entry in found:
            per_user = entry['users']
            named = dict((login, [operation_to_name(op) for op in ops])
                         for login, ops in per_user.items())
            # Same keys as before, so this only swaps the values in place.
            per_user.update(named)

        return self.ok(found)
Beispiel #9
    def setUp(self):
        """
        Bind the role and permission managers to the test case, make sure the
        super-user role exists and clear the principal held by the principal manager.
        """
        super(RoleManagerTests, self).setUp()

        self.alpha_num = string.letters + string.digits

        # Each factory shortcut is stored under an attribute of the same name.
        for name in ('role_manager', 'role_query_manager',
                     'permission_manager', 'permission_query_manager'):
            setattr(self, name, getattr(manager_factory, name)())

        self.role_manager.ensure_super_user_role()
        manager_factory.principal_manager().clear_principal()
Beispiel #10
    def setUp(self):
        """
        Fetch the managers the permission tests use, ensure the super-user role
        exists and clear the principal held by the principal manager.
        """
        super(PermissionManagerTests, self).setUp()

        self.alpha_num = string.letters + string.digits

        get = manager_factory
        self.role_manager = get.role_manager()
        self.role_query_manager = get.role_query_manager()
        self.permission_manager = get.permission_manager()
        self.permission_query_manager = get.permission_query_manager()

        # Start every test with the super-user role present and no principal set.
        self.role_manager.ensure_super_user_role()
        get.principal_manager().clear_principal()
Beispiel #11
    def setUp(self):
        """
        Bind the user, role, permission and password managers to the test case, then
        make sure the super-user role and the admin user exist.
        """
        super(AuthControllersTests, self).setUp()

        # Each factory shortcut is stored under an attribute of the same name.
        for name in ('user_manager', 'user_query_manager',
                     'role_manager', 'role_query_manager',
                     'permission_manager', 'permission_query_manager',
                     'password_manager'):
            setattr(self, name, getattr(manager_factory, name)())

        self.role_manager.ensure_super_user_role()
        self.user_manager.ensure_admin()
Beispiel #12
    def setUp(self):
        """
        Fetch the managers used by the auth controller tests and ensure that the
        super-user role and the admin user are present before each test.
        """
        super(AuthControllersTests, self).setUp()

        get = manager_factory
        self.user_manager = get.user_manager()
        self.user_query_manager = get.user_query_manager()
        self.role_manager = get.role_manager()
        self.role_query_manager = get.role_query_manager()
        self.permission_manager = get.permission_manager()
        self.permission_query_manager = get.permission_query_manager()
        self.password_manager = get.password_manager()

        # The role is ensured first, then the admin user.
        self.role_manager.ensure_super_user_role()
        self.user_manager.ensure_admin()
Beispiel #13
    def GET(self):
        """
        Return the stored permissions, optionally narrowed to a single resource.

        Without a ``resource`` query parameter all permissions are returned; with
        one, only the permission for exactly that resource (if any). The stored
        list of user entries is reshaped into a {username: [operation names]}
        mapping before the response is built.
        NOTE(review): the response lists every login with its operations and no
        authorization check is visible in this method -- confirm the decorator
        guarding it.
        """
        resource = web.input().get('resource', None)
        query_manager = managers.permission_query_manager()

        if resource is None:
            permissions = query_manager.find_all()
        else:
            match = query_manager.find_by_resource(resource)
            permissions = [] if match is None else [match]

        for permission in permissions:
            # Keep the storage layout (a list of {'username', 'permissions'} entries)
            # behind the API; clients keep receiving the username-keyed mapping.
            by_login = dict((entry['username'], entry['permissions'])
                            for entry in permission['users'])
            permission['users'] = by_login
            permission_manager = managers.permission_manager()
            for username in list(by_login):
                by_login[username] = [permission_manager.operation_value_to_name(value)
                                      for value in by_login[username]]

        return self.ok(permissions)
Beispiel #14
    def revoke(resource, login, operations):
        """
        Revoke permission on a resource for a user and a set of operations.

        Nothing happens for the system login, for a resource without a permission
        document, or for a user who holds no operations on it. Operations the user
        does not hold are skipped. A user left without operations is removed from
        the permission, and a permission left without users is deleted.

        :param resource:   uri path representing a pulp resource
        :type  resource:   str
        :param login:      login of user to revoke permissions from
        :type  login:      str
        :param operations: list of allowed operations being revoked
        :type  operations: list or tuple of integers

        :raises InvalidValue: if some params are invalid
        """
        query_manager = factory.permission_query_manager()

        # The system login is never stripped of permissions.
        if login == system.SYSTEM_LOGIN:
            return

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise InvalidValue(['login'])

        permission = Permission.get_collection().find_one({'resource': resource})
        if permission is None:
            return

        # Presumably the very list held inside the permission document, so removals
        # below are what the final save persists -- confirm.
        granted = query_manager.find_user_permission(permission, user['login'])
        if not granted:
            return

        for operation in operations:
            if operation in granted:
                granted.remove(operation)

        # A user with nothing left is dropped from the permission.
        if not granted:
            query_manager.delete_user_permission(permission, user['login'])

        # A permission with no users left is deleted rather than saved.
        if not permission['users']:
            PermissionManager.delete_permission(resource)
        else:
            Permission.get_collection().save(permission)
Beispiel #15
    def revoke_all_permissions_from_user(self, login):
        """
        Remove a user's entry from every permission that mentions them.

        Each changed permission is saved right away. A permission whose last user
        is removed here is still saved, with an empty users mapping, not deleted.

        @type login: str
        @param login: login of the user to revoke all permissions from

        @rtype: bool
        @return: True on success
        """
        for permission in factory.permission_query_manager().find_all():
            granted_to = permission['users']
            if login in granted_to:
                del granted_to[login]
                Permission.get_collection().save(permission, safe=True)

        return True
Beispiel #16
    def revoke_all_permissions_from_user(self, login):
        """
        Remove a user's entry from every permission that mentions them.

        Permissions that still have other users afterwards are saved; a permission
        left without any user is removed from the collection.

        :param login: login of the user to revoke all permissions from
        :type login: str
        """
        query_manager = factory.permission_query_manager()
        for permission in query_manager.find_all():
            if query_manager.get_user_permission(permission, login) is not None:
                query_manager.delete_user_permission(permission, login)
                if permission['users']:
                    Permission.get_collection().save(permission, safe=True)
                else:
                    # Nobody is left on this permission, so drop the whole document.
                    Permission.get_collection().remove({'resource': permission['resource']},
                                                       safe=True)
Beispiel #17
    def revoke(resource, login, operations):
        """
        Revoke permission on a resource for a user and a set of operations.

        The call is a no-op for the system login, for a resource that has no
        permission document and for a user holding no operations on it. Requested
        operations the user does not hold are ignored. Once a user holds nothing
        they are removed from the permission; once the permission has no users it
        is deleted instead of saved.

        :param resource:   uri path representing a pulp resource
        :type  resource:   str
        :param login:      login of user to revoke permissions from
        :type  login:      str
        :param operations: list of allowed operations being revoked
        :type  operations: list or tuple of integers

        :raises InvalidValue: if some params are invalid
        """
        lookup = factory.permission_query_manager()

        # Permissions of the system login are left untouched.
        if login == system.SYSTEM_LOGIN:
            return

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise InvalidValue(['login'])
        user_login = user['login']

        permission = Permission.get_collection().find_one({'resource': resource})
        if permission is None:
            return

        # Presumably a reference into the permission document, which is why the
        # in-place removals below reach the saved document -- confirm.
        held = lookup.find_user_permission(permission, user_login)
        if not held:
            return

        for wanted in operations:
            if wanted in held:
                held.remove(wanted)

        # No operations left: drop the user from this permission.
        if not held:
            lookup.delete_user_permission(permission, user_login)

        # No users left: delete the permission and skip the save.
        if not permission['users']:
            PermissionManager.delete_permission(resource)
            return

        Permission.get_collection().save(permission, safe=True)
Beispiel #18
    def revoke_all_permissions_from_user(self, login):
        """
        Remove a user's entry from every permission that mentions them.

        A permission that still lists other users is saved; one left without any
        user is removed from the collection.

        @type login: str
        @param login: login of the user to revoke all permissions from

        @rtype: None
        @return: nothing; the method has no return statement, so callers must not
                 test its result for success
        """
        for permission in factory.permission_query_manager().find_all():
            granted_to = permission['users']
            if login in granted_to:
                del granted_to[login]
                if granted_to:
                    Permission.get_collection().save(permission, safe=True)
                else:
                    # Nobody is left on this permission, so drop the whole document.
                    Permission.get_collection().remove({'resource':permission['resource']},
                                                       safe=True)
Beispiel #19
    def revoke_all_permissions_from_user(self, login):
        """
        Strip the given login from every permission document that lists it.

        Documents that keep at least one other user are written back; documents
        that end up with no users are removed from the collection.

        @type login: str
        @param login: login of the user to revoke all permissions from

        @rtype: None
        @return: nothing; there is no return statement, so the result cannot be
                 used as a success flag
        """
        for permission in factory.permission_query_manager().find_all():
            if login not in permission['users']:
                continue

            permission['users'].pop(login)

            if not permission['users']:
                # The last user is gone: delete the permission instead of saving it.
                Permission.get_collection().remove(
                    {'resource': permission['resource']}, safe=True)
            else:
                Permission.get_collection().save(permission, safe=True)
Beispiel #20
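    def grant(resource, login, operations):
        """
        Grant permission on a resource for a user and a set of operations.

        Nothing is granted to the system login. The permission document for the
        resource is created when it does not exist yet, and operations the user
        already holds are not added a second time.

        :param resource: uri path representing a pulp resource
        :type resource: str
        :param login: login of user to grant permissions to
        :type login: str
        :param operations:list of allowed operations being granted
        :type operations: list or tuple of integers

        :raises InvalidValue: if some params are invalid
        """
        # we don't grant permissions to the system
        if login == system.SYSTEM_LOGIN:
            return

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise InvalidValue(['login'])

        # Make sure resource is a valid string or unicode. The error names the
        # offending parameter, like the login check above, instead of passing the
        # rejected value itself as if it were a parameter name.
        if not isinstance(resource, basestring):
            raise InvalidValue(['resource'])

        # Get or create permission if it doesn't already exist
        permission = Permission.get_collection().find_one({'resource': resource})
        if permission is None:
            permission = PermissionManager.create_permission(resource)

        # create=True presumably adds an empty entry for the user when none exists,
        # so the list appended to below belongs to the document -- confirm.
        current_ops = factory.permission_query_manager().find_user_permission(permission,
                                                                              user['login'],
                                                                              create=True)
        for o in operations:
            if o not in current_ops:
                current_ops.append(o)

        Permission.get_collection().save(permission, safe=True)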
Beispiel #21
def is_authorized(resource, login, operation):
    """
    Check to see if a user is authorized to perform an operation on a resource.

    The user is fetched with ``get_or_404`` (presumably raising for an unknown
    login -- confirm) and superusers are authorized at once. For other users the
    requested path, then each parent path, then the root ('/') is consulted; the
    first level granting the operation decides, so a grant on a parent resource
    extends to all of its children.

    NOTE(review): beyond dropping empty segments the path is used as given --
    confirm that callers hand in a canonical resource path.

    :param resource: pulp resource url
    :type  resource: str
    :param login: login of user to check permissions for
    :type  login: str
    :param operation: operation to be performed on resource
    :type  operation: int

    :return: True if the user is authorized for the operation on the resource, False otherwise
    :rtype: bool
    """
    user = model.User.objects.get_or_404(login=login)
    if user.is_superuser():
        return True

    query_manager = manager_factory.permission_query_manager()

    # Access to the resource or to any of its base resources is sufficient.
    remaining = [part for part in resource.split('/') if part]
    while remaining:
        candidate = '/' + '/'.join(remaining) + '/'
        permission = query_manager.find_by_resource(candidate)
        if permission is not None:
            granted = query_manager.find_user_permission(permission, login)
            if operation in granted:
                return True
        # Nothing here; try the parent resource next.
        remaining = remaining[:-1]

    # Finally consult the permission stored for the root resource.
    root = Permission.get_collection().find_one({'resource': '/'})
    if root is None:
        return False
    return operation in query_manager.find_user_permission(root, login)