    def user_has_rule_action_permission(user_db, action_ref):
        """
        Check that ``user_db`` may execute the action a rule references.

        When RBAC is disabled in the config the check passes unconditionally.
        Rules are allowed to reference actions which are not (yet) registered;
        for those a transient ``ActionDB`` is built from the reference string so
        the resolver can still evaluate the pack / name the grant applies to.

        :param user_db: User whose permissions are evaluated.
        :param action_ref: Reference string of the action used inside the rule.
        :return: ``True`` if the user holds ``ACTION_EXECUTE`` on the action.
        """
        if not cfg.CONF.rbac.enable:
            # RBAC turned off: every permission check is granted.
            return True

        action_db = action_utils.get_action_by_ref(ref=action_ref)
        if not action_db:
            # Not registered: derive pack / name from the reference so the
            # resolver has something to match grants against.
            parsed = ResourceReference.from_string_reference(ref=action_ref)
            action_db = ActionDB(pack=parsed.pack, name=parsed.name, ref=action_ref)

        backend = get_backend_instance(cfg.CONF.rbac.backend)
        resolver = backend.get_resolver_for_resource_type(ResourceType.ACTION)
        granted = resolver.user_has_resource_db_permission(
            user_db=user_db,
            resource_db=action_db,
            permission_type=PermissionType.ACTION_EXECUTE)

        return bool(granted)
    def user_has_permission(user_db, permission_type):
        """
        Check that ``user_db`` holds ``permission_type``.

        When RBAC is disabled in the config the check passes unconditionally;
        otherwise the configured backend's resolver for the permission type
        decides.

        :param user_db: User whose permissions are evaluated.
        :param permission_type: Permission being checked.
        :return: Whatever the resolver reports for the user / permission pair.
        """
        if not cfg.CONF.rbac.enable:
            # RBAC turned off: every permission check is granted.
            return True

        # TODO Verify permission type for the provided resource type
        backend = get_backend_instance(cfg.CONF.rbac.backend)
        resolver = backend.get_resolver_for_permission_type(
            permission_type=permission_type)

        return resolver.user_has_permission(user_db=user_db,
                                            permission_type=permission_type)
    def user_has_rule_trigger_permission(user_db, trigger):
        """
        Check that ``user_db`` may use the trigger a rule references.

        When RBAC is disabled in the config the check passes unconditionally;
        otherwise the RULE resource resolver of the configured backend decides.

        :param user_db: User whose permissions are evaluated.
        :param trigger: Trigger used inside the rule.
        :return: ``True`` if the resolver grants the trigger, else ``False``.
        """
        if not cfg.CONF.rbac.enable:
            # RBAC turned off: every permission check is granted.
            return True

        backend = get_backend_instance(cfg.CONF.rbac.backend)
        resolver = backend.get_resolver_for_resource_type(ResourceType.RULE)
        granted = resolver.user_has_trigger_permission(
            user_db=user_db, trigger=trigger)

        return bool(granted)
    def test_noop_backend(self):
        """
        The noop backend grants every permission and syncs no roles.

        Both resolver flavours (by permission type and by resource type) are
        checked against all three permission entry points; the remote group
        syncer must report an empty result.
        """
        backend = get_backend_instance(name='noop')

        resolvers = [
            backend.get_resolver_for_permission_type(
                permission_type=PermissionType.ACTION_VIEW),
            backend.get_resolver_for_resource_type(
                resource_type=ResourceType.ACTION),
        ]
        for resolver in resolvers:
            self.assertTrue(resolver.user_has_permission(None, None))
            self.assertTrue(
                resolver.user_has_resource_api_permission(None, None, None))
            self.assertTrue(
                resolver.user_has_resource_db_permission(None, None, None))

        syncer = backend.get_remote_group_to_role_syncer()
        self.assertEqual(syncer.sync(None, None), [])