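    def index(self):
        """Render the landing page for the authenticated caller.

        Produces an HTML fragment with the caller's name, DN, login,
        authentication method and roles (all taken from ``get_user_info()``),
        two fixed documentation links, and one link per ``.tmpl`` file found
        in ``self.templatedir``, plus a link to the DMWebtools twiki.

        Every value interpolated into the markup is HTML-escaped: the identity
        fields are whatever the authn layer reports for the client and the
        link names come from a directory listing, so neither can be assumed
        to be free of ``<``, ``&`` or quote characters (they are also placed
        inside single-quoted ``href`` attributes).

        :return: the page body as a single string
        """
        # Available in both Python 2 and 3; escapes &, <, > and, via the extra
        # entity map, the quote characters that delimit the href attributes.
        from xml.sax.saxutils import escape as _xml_escape

        def esc(value):
            # "%s" % (value,) mirrors the original formatting of each field
            # before escaping, so non-string values render the same way.
            return _xml_escape("%s" % (value,), {'"': '&quot;', "'": '&#39;'})

        templates = listdir(self.templatedir)
        user = get_user_info()

        parts = ["<h1>Secure Documentation</h1>", "<div>\n"]
        parts.append("Hello <b>%s</b>!\n" % esc(user['name']))
        parts.append("<ul>\n")
        parts.append("<li>Your <b>DN</b>: %s</li>\n" % esc(user['dn']))
        parts.append("<li>Your <b>Login</b>: %s</li>\n" % esc(user['login']))
        parts.append("<li>Your <b>Authn Method</b>: %s</li>\n" % esc(user['method']))
        parts.append("<li>Your roles:\n")
        parts.append("<ul>\n")
        # .items() works on Python 2 and 3 (iteritems() is Python 2 only).
        for role, scopes in user['roles'].items():
            for scope in ['group', 'site']:
                for member in scopes[scope]:
                    parts.append("<li><b>%s</b>: %s=%s</li>\n"
                                 % (esc(role), scope, esc(member)))
        parts.append("</ul></li></ul>\n")
        parts.append("<a href='CernDocs'>CERN docs</a>\n")
        parts.append("<a href='UerjDocs'>UERJ docs</a>\n")
        parts.append("</div>\n")

        parts.append("<ol>")
        for fname in templates:
            if '.tmpl' in fname:
                # The link target is the template name with the suffix removed;
                # escaped because it is a raw directory entry.
                name = esc(fname.replace('.tmpl', ''))
                parts.append("\n<li><a href='%s'>%s</a></li>" % (name, name))
        parts.append("\n<li><a href='https://twiki.cern.ch/twiki/bin/view/CMS/DMWebtools'>twiki</a></li>")
        parts.append("\n</ol>")

        return "".join(parts)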
    def _updateRequest(self, workload, request_args):
        """Dispatch an update of *workload* to the matching transition handler.

        The handler is chosen from the presence of ``RequestStatus`` in
        *request_args* and the number of arguments supplied:

        * no ``RequestStatus``                         -> ``_handleNoStatusUpdate``
        * ``assignment-approved`` with exactly 2 args  -> ``_handleAssignmentApprovedTransition``
        * ``assigned`` with more than 1 arg            -> ``_handleAssignmentStateTransition``
        * 1 arg, or 2 args one of which is ``cascade`` -> ``_handleOnlyStateTransition``

        Any other combination is rejected with ``InvalidSpecParameterValue``.
        The caller's DN (``"unknown"`` when absent) is forwarded to the handler.

        :return: ``{workload.name(): "OK"}`` when the handler reported ``'OK'``,
            ``{workload.name(): "ERROR"}`` otherwise
        :raises InvalidSpecParameterValue: on an unsupported argument combination
        """
        caller_dn = get_user_info().get("dn", "unknown")
        nargs = len(request_args)

        if "RequestStatus" in request_args:
            new_status = request_args["RequestStatus"]
            if new_status == "assignment-approved" and nargs == 2:
                report = self._handleAssignmentApprovedTransition(
                    workload, request_args, caller_dn)
            elif new_status == "assigned" and nargs > 1:
                report = self._handleAssignmentStateTransition(
                    workload, request_args, caller_dn)
            elif nargs == 1 or (nargs == 2 and "cascade" in request_args):
                report = self._handleOnlyStateTransition(
                    workload, request_args, caller_dn)
            else:
                raise InvalidSpecParameterValue(
                    "There are invalid arguments with this status transition: %s" % request_args)
        else:
            report = self._handleNoStatusUpdate(workload, request_args, caller_dn)

        outcome = "OK" if report == 'OK' else "ERROR"
        return {workload.name(): outcome}
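def initialize_request_args(request, config):
    """
    Request data class request is a dictionary representing
    a being injected / created request. This method initializes
    various request fields. This should be the ONLY method to
    manipulate request arguments upon injection so that various
    levels or arguments manipulation does not occur across several
    modules and across about 7 various methods like in ReqMgr1.

    request is changed here.

    Fields written: ``Requestor`` (login with any ``@hostname`` stripped),
    ``RequestorDN``, ``RequestStatus``, ``RequestTransition``,
    ``RequestDate``, ``PriorityTransition``, ``CouchURL``,
    ``CouchWorkloadDBName``, ``CouchDBName``; finally
    ``generateRequestName(request)`` is called.

    :param dict request: the request being injected; must already carry
        ``RequestPriority``
    :param config: object exposing ``couch_host``, ``couch_reqmgr_db`` and
        ``couch_config_cache_db``
    :raises KeyError: if the caller's identity has no ``login`` or the request
        has no ``RequestPriority``
    """

    # user information for cert. (which is converted to cherry py log in)
    user = get_user_info()
    request["Requestor"] = user["login"]
    request["RequestorDN"] = user.get("dn", "unknown")
    # service certificates carry @hostname, remove it if it exists
    request["Requestor"] = request["Requestor"].split('@')[0]

    # Take the clock once so the status transition, the priority transition
    # and RequestDate all carry the same injection instant instead of three
    # separate reads that can straddle a second boundary.
    now = int(time.time())

    # assign first starting status, should be 'new'
    request["RequestStatus"] = REQUEST_START_STATE
    request["RequestTransition"] = [{"Status": request["RequestStatus"],
                                     "UpdateTime": now, "DN": request["RequestorDN"]}]
    request["RequestDate"] = list(time.gmtime(now)[:6])

    # set the original priority when request is create
    request["PriorityTransition"] = [{"Priority": request["RequestPriority"],
                                     "UpdateTime": now, "DN": request["RequestorDN"]}]
    # update the information from config
    request["CouchURL"] = config.couch_host
    request["CouchWorkloadDBName"] = config.couch_reqmgr_db
    request["CouchDBName"] = config.couch_config_cache_db

    generateRequestName(request)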
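    def index(self):
        """Render the landing page for the authenticated caller.

        Produces an HTML fragment with the caller's name, DN, login,
        authentication method and roles (all taken from ``get_user_info()``),
        two fixed documentation links, and one link per ``.tmpl`` file found
        in ``self.templatedir``, plus a link to the DMWebtools twiki.

        Every value interpolated into the markup is HTML-escaped: the identity
        fields are whatever the authn layer reports for the client and the
        link names come from a directory listing, so neither can be assumed
        to be free of ``<``, ``&`` or quote characters (they are also placed
        inside single-quoted ``href`` attributes).

        :return: the page body as a single string
        """
        # Available in both Python 2 and 3; escapes &, <, > and, via the extra
        # entity map, the quote characters that delimit the href attributes.
        from xml.sax.saxutils import escape as _xml_escape

        def esc(value):
            # "%s" % (value,) mirrors the original formatting of each field
            # before escaping, so non-string values render the same way.
            return _xml_escape("%s" % (value,), {'"': '&quot;', "'": '&#39;'})

        templates = listdir(self.templatedir)
        user = get_user_info()

        parts = ["<h1>Secure Documentation</h1>", "<div>\n"]
        parts.append("Hello <b>%s</b>!\n" % esc(user['name']))
        parts.append("<ul>\n")
        parts.append("<li>Your <b>DN</b>: %s</li>\n" % esc(user['dn']))
        parts.append("<li>Your <b>Login</b>: %s</li>\n" % esc(user['login']))
        parts.append("<li>Your <b>Authn Method</b>: %s</li>\n" % esc(user['method']))
        parts.append("<li>Your roles:\n")
        parts.append("<ul>\n")
        # .items() works on Python 2 and 3 (iteritems() is Python 2 only).
        for role, scopes in user['roles'].items():
            for scope in ['group', 'site']:
                for member in scopes[scope]:
                    parts.append("<li><b>%s</b>: %s=%s</li>\n"
                                 % (esc(role), scope, esc(member)))
        parts.append("</ul></li></ul>\n")
        parts.append("<a href='CernDocs'>CERN docs</a>\n")
        parts.append("<a href='UerjDocs'>UERJ docs</a>\n")
        parts.append("</div>\n")

        parts.append("<ol>")
        for fname in templates:
            if '.tmpl' in fname:
                # The link target is the template name with the suffix removed;
                # escaped because it is a raw directory entry.
                name = esc(fname.replace('.tmpl', ''))
                parts.append("\n<li><a href='%s'>%s</a></li>" % (name, name))
        parts.append("\n<li><a href='https://twiki.cern.ch/twiki/bin/view/CMS/DMWebtools'>twiki</a></li>")
        parts.append("\n</ol>")

        return "".join(parts)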
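def user():
    """
    Return user name associated with this instance.

    Reads ``login`` from ``get_user_info()``. If that lookup raises for any
    reason the placeholder ``'testuser'`` is returned instead.

    NOTE(review): the fallback means a caller that cannot resolve the real
    login silently continues as ``'testuser'``. That is fine for tests, but
    no authorization decision should be built on this helper's result.
    """
    try:
        return get_user_info()['login']
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit / KeyboardInterrupt
        # are no longer swallowed into the placeholder identity.
        return 'testuser'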
def authz_operator(username):
    """Allow access to *username*'s resources only to that user or a CRAB3 operator.

    The caller's identity comes from ``get_user_info()`` (``login`` is the
    certificate username). A caller whose login differs from *username* must
    carry ``'crab3'`` in ``roles['operator']['group']`` of its request roles;
    otherwise ``http_error`` is raised.

    :param str username: owner of the resource being accessed
    :raises: the exception built by ``http_error`` when access is denied
    """
    caller = get_user_info()
    if caller['login'] == username:
        return
    operator_groups = caller.get('roles', {}).get('operator', {}).get('group', set())
    if 'crab3' in operator_groups:
        return
    err = "You are not allowed to access this resource. You need to be a CRAB3 operator in sitedb to access other user's files"
    raise http_error(err)
def authz_operator(username):
    """Allow access to *username*'s resources only to that user or a CRAB3 operator.

    The caller's identity comes from ``get_user_info()`` (``login`` is the
    certificate username). A caller whose login differs from *username* must
    carry ``'crab3'`` in ``roles['operator']['group']`` of its request roles;
    otherwise ``http_error`` is raised.

    :param str username: owner of the resource being accessed
    :raises: the exception built by ``http_error`` when access is denied
    """
    caller = get_user_info()
    if caller['login'] == username:
        return
    operator_groups = caller.get('roles', {}).get('operator', {}).get('group', set())
    if 'crab3' in operator_groups:
        return
    err = "You are not allowed to access this resource. You need to be a CRAB3 operator in sitedb to access other user's files"
    raise http_error(err)
def quota_user_free(quotadir, infile):
    """Reject *infile* if writing it into *quotadir* would exceed the caller's quota.

    :arg str quotadir: the user path where the file will be written
    :arg file|cStringIO.StringIO infile: file object handler or cStringIO.StringIO
    :raises InvalidParameter: when current usage plus the new file exceeds the
        limit (``QUOTA_USER_LIMIT``, ten times that for logins in
        ``POWER_USERS_LIST``)
    :return: Nothing"""
    newbytes, _ = file_size(infile.file)
    usedbytes = get_size(quotadir)
    user = get_user_info()
    login = user['login']
    # Power users get a ten-fold allowance.
    if login in POWER_USERS_LIST:
        limit = QUOTA_USER_LIMIT * 10
    else:
        limit = QUOTA_USER_LIMIT
    if newbytes + usedbytes > limit:
        detail = ValueError("User %s has reached quota of %dB: additional file of %dB cannot be uploaded."
                            % (login, usedbytes, newbytes))
        raise InvalidParameter("User quota limit reached; cannot upload the file",
                               errobj=detail, trace='')
def quota_user_free(quotadir, infile):
    """Reject *infile* if writing it into *quotadir* would exceed the caller's quota.

    :arg str quotadir: the user path where the file will be written
    :arg file|cStringIO.StringIO infile: file object handler or cStringIO.StringIO
    :raises InvalidParameter: when current usage plus the new file exceeds the
        limit (``QUOTA_USER_LIMIT``, ten times that for logins in
        ``POWER_USERS_LIST``)
    :return: Nothing"""
    newbytes, _ = file_size(infile.file)
    usedbytes = get_size(quotadir)
    user = get_user_info()
    login = user['login']
    # Power users get a ten-fold allowance.
    if login in POWER_USERS_LIST:
        limit = QUOTA_USER_LIMIT * 10
    else:
        limit = QUOTA_USER_LIMIT
    if newbytes + usedbytes > limit:
        detail = ValueError("User %s has reached quota of %dB: additional file of %dB cannot be uploaded."
                            % (login, usedbytes, newbytes))
        raise InvalidParameter("User quota limit reached; cannot upload the file",
                               errobj=detail, trace='')
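    def check_authorization(self, role, group, site, authzfunc):
        """Verify that the calling user satisfies the given authorization rules.

        ``role``, ``group`` and ``site`` may each be empty/``None``, a single
        ``str`` or a list; a single ``str`` is wrapped into a one-element
        list before being handed to ``authzfunc``.

        :param authzfunc: callable ``(user, roles, groups, sites) -> bool``
            where ``user`` is the result of ``get_user_info()``; ``None``
            selects ``self.defaultAuth``
        :raises cherrypy.HTTPError: 403 when ``authzfunc`` returns a falsy value
        """
        # ``is None`` rather than ``== None``: identity test, no __eq__ involved.
        if authzfunc is None:
            authzfunc = self.defaultAuth

        # TOFIX: put role, group and site into canonical form

        # Turns arguments into lists.
        # NOTE(review): only ``str`` is wrapped. A ``unicode`` rule (Python 2)
        # or any other iterable is passed through unchanged and would be
        # iterated element by element by authzfunc — confirm callers never
        # pass one.
        if role and isinstance(role, str):
            role = [role]
        if group and isinstance(group, str):
            group = [group]
        if site and isinstance(site, str):
            site = [site]

        # Fail closed: anything falsy from the authz callback is a denial.
        if not authzfunc(get_user_info(), role, group, site):
            # Authorization denied
            raise cherrypy.HTTPError(403, "You are not allowed to access this resource, authz denied")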
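    def check_authorization(self, role, group, site, authzfunc):
        """Verify that the calling user satisfies the given authorization rules.

        ``role``, ``group`` and ``site`` may each be empty/``None``, a single
        ``str`` or a list; a single ``str`` is wrapped into a one-element
        list before being handed to ``authzfunc``.

        :param authzfunc: callable ``(user, roles, groups, sites) -> bool``
            where ``user`` is the result of ``get_user_info()``; ``None``
            selects ``self.defaultAuth``
        :raises cherrypy.HTTPError: 403 when ``authzfunc`` returns a falsy value
        """
        # ``is None`` rather than ``== None``: identity test, no __eq__ involved.
        if authzfunc is None:
            authzfunc = self.defaultAuth

        # TOFIX: put role, group and site into canonical form

        # Turns arguments into lists.
        # NOTE(review): only ``str`` is wrapped. A ``unicode`` rule (Python 2)
        # or any other iterable is passed through unchanged and would be
        # iterated element by element by authzfunc — confirm callers never
        # pass one.
        if role and isinstance(role, str):
            role = [role]
        if group and isinstance(group, str):
            group = [group]
        if site and isinstance(site, str):
            site = [site]

        # Fail closed: anything falsy from the authz callback is a denial.
        if not authzfunc(get_user_info(), role, group, site):
            # Authorization denied
            raise cherrypy.HTTPError(
                403, "You are not allowed to access this resource.")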
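def authz_login_valid():
    """Deny access unless the caller has a non-empty login.

    Looks the caller up via ``get_user_info()`` and raises when ``login`` is
    missing or empty. Using ``.get`` means an identity record without the key
    is refused with the same access-denied error instead of surfacing as an
    unhandled ``KeyError``; the outcome is fail-closed either way.

    :raises: the exception built by ``http_error`` when access is denied
    """
    user = get_user_info()
    if not user.get('login'):
        err = "You are not allowed to access this resources"
        raise http_error(err)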
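def user_dn():
    """Return user DN.

    Reads ``dn`` from ``get_user_info()``. If that lookup raises for any
    reason the placeholder ``'/CN/bla/foo'`` is returned instead.

    NOTE(review): the placeholder DN is not a real identity; callers that
    record it (e.g. in transition logs) should not treat it as authoritative.
    """
    try:
        return get_user_info()['dn']
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit / KeyboardInterrupt
        # are no longer swallowed into the placeholder DN.
        return '/CN/bla/foo'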
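def authz_login_valid():
    """Deny access unless the caller has a non-empty login.

    Looks the caller up via ``get_user_info()`` and raises when ``login`` is
    missing or empty. Using ``.get`` means an identity record without the key
    is refused with the same access-denied error instead of surfacing as an
    unhandled ``KeyError``; the outcome is fail-closed either way.

    :raises: the exception built by ``http_error`` when access is denied
    """
    user = get_user_info()
    if not user.get('login'):
        err = "You are not allowed to access this resources"
        raise http_error(err)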