def test_grantable_permissions(session, standard_graph, users, groups, grantable_permissions):
perm_grant, perm0, perm1, _ = grantable_permissions
assert not user_grantable_permissions(session, users["*****@*****.**"]), "start with none"
grant_permission(groups["auditors"], perm_grant, argument="notgrantable.one")
assert not user_grantable_permissions(session, users["*****@*****.**"]), "grant on non-existent is fine"
grant_permission(groups["auditors"], perm_grant, argument=perm0.name)
grants = user_grantable_permissions(session, users["*****@*****.**"])
assert len(grants) == 1, "only specific permission grant"
assert grants[0][0].name == perm0.name, "only specific permission grant"
grant_permission(groups["auditors"], perm_grant, argument="grantable.*")
grants = user_grantable_permissions(session, users["*****@*****.**"])
assert len(grants) == 3, "wildcard grant should grab appropriat amount"
assert sorted([x[0].name for x in grants]) == ["grantable", "grantable.one", "grantable.two"]
args_by_perm = get_grantable_permissions(session, None)
assert args_by_perm[perm1.name] == ["*"], "wildcard grant reflected in list of grantable"
grant_permission(groups["auditors"], perm_grant, argument="{}/single_arg".format(perm1.name))
args_by_perm = get_grantable_permissions(session, None)
assert args_by_perm[perm1.name] == ["*"], "wildcard grant reflected cause no restricted perms"
args_by_perm = get_grantable_permissions(session, [perm1.name])
assert args_by_perm[perm1.name] == ["single_arg"], "least permissive argument shown cause of restricted perms"
def test_grantable_permissions(
session, standard_graph, users, groups, grantable_permissions # noqa: F811
):
perm_grant, perm0, perm1, _ = grantable_permissions
assert not user_grantable_permissions(session, users["*****@*****.**"]), "start with none"
grant_permission(groups["auditors"], perm_grant, argument="notgrantable.one")
assert not user_grantable_permissions(
session, users["*****@*****.**"]
), "grant on non-existent is fine"
grant_permission(groups["auditors"], perm_grant, argument=perm0.name)
grants = user_grantable_permissions(session, users["*****@*****.**"])
assert len(grants) == 1, "only specific permission grant"
assert grants[0][0].name == perm0.name, "only specific permission grant"
grant_permission(groups["auditors"], perm_grant, argument="grantable.*")
grants = user_grantable_permissions(session, users["*****@*****.**"])
assert len(grants) == 3, "wildcard grant should grab appropriat amount"
assert sorted([x[0].name for x in grants]) == ["grantable", "grantable.one", "grantable.two"]
args_by_perm = get_grantable_permissions(session, None)
assert args_by_perm[perm1.name] == ["*"], "wildcard grant reflected in list of grantable"
grant_permission(groups["auditors"], perm_grant, argument="{}/single_arg".format(perm1.name))
args_by_perm = get_grantable_permissions(session, None)
assert args_by_perm[perm1.name] == ["*"], "wildcard grant reflected cause no restricted perms"
args_by_perm = get_grantable_permissions(session, [perm1.name])
assert args_by_perm[perm1.name] == [
"single_arg"
], "least permissive argument shown cause of restricted perms"
def get(self, *args, **kwargs):
# type: (*Any, **Any) -> None
group_id = kwargs.get("group_id") # type: Optional[int]
name = kwargs.get("name") # type: Optional[str]
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
# Only members can request permissions
if not self.current_user.is_member(group.my_members()):
return self.forbidden()
args_by_perm = get_grantable_permissions(
self.session, settings().restricted_ownership_permissions
)
dropdown_form, text_form = GroupPermissionRequest._get_forms(args_by_perm, None)
self.render(
"group-permission-request.html",
dropdown_form=dropdown_form,
text_form=text_form,
group=group,
args_by_perm_json=json.dumps(args_by_perm),
dropdown_help=settings().permission_request_dropdown_help,
text_help=settings().permission_request_text_help,
)
def get(self, *args, **kwargs):
# type: (*Any, **Any) -> None
group_id = kwargs.get("group_id") # type: Optional[int]
name = kwargs.get("name") # type: Optional[str]
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
# Only members can request permissions
if not self.current_user.is_member(group.my_members()):
return self.forbidden()
args_by_perm = get_grantable_permissions(
self.session,
settings().restricted_ownership_permissions)
dropdown_form, text_form = GroupPermissionRequest._get_forms(
args_by_perm, None)
self.render(
"group-permission-request.html",
dropdown_form=dropdown_form,
text_form=text_form,
group=group,
args_by_perm_json=json.dumps(args_by_perm),
dropdown_help=settings().permission_request_dropdown_help,
text_help=settings().permission_request_text_help,
)
def _build_form(self, data):
# type: (Optional[int]) -> Tuple[PermissionRequestForm, Dict[str, List[str]]]
"""Build the permission request form given the request and POST data.
Normally all fields of the form will be editable. But if the URL
locks down a specific value for the group, permission, or argument,
then the specified fields will display those values and will be
grayed out and not editable.
"""
session = self.session
current_user = self.current_user
def pairs(seq):
# type: (Iterable[str]) -> List[Tuple[str, str]]
return [(item, item) for item in seq]
form = PermissionRequestForm(data)
group_names = {
g.groupname
for g, e in get_groups_by_user(session, current_user)
}
args_by_perm = get_grantable_permissions(
session,
settings().restricted_ownership_permissions)
permission_names = {p for p in args_by_perm}
group_param = self.get_argument("group", None)
if group_param is not None:
if group_param not in group_names:
raise HTTPError(
status_code=404,
reason="the group name in the URL is not one you belong to"
)
form.group_name.choices = pairs([group_param])
form.group_name.render_kw = {"readonly": "readonly"}
form.group_name.data = group_param
else:
form.group_name.choices = pairs([""] + sorted(group_names))
permission_param = self.get_argument("permission", None)
if permission_param is not None:
if permission_param not in permission_names:
raise HTTPError(
status_code=404,
reason="an unrecognized permission is specified in the URL"
)
form.permission.choices = pairs([permission_param])
form.permission.render_kw = {"readonly": "readonly"}
form.permission.data = permission_param
else:
form.permission.choices = pairs(sorted(permission_names))
argument_param = self.get_argument("argument", "")
if argument_param:
form.argument.render_kw = {"readonly": "readonly"}
form.argument.data = argument_param
return form, args_by_perm
def _build_form(self, data):
# type: (Optional[int]) -> Tuple[PermissionRequestForm, Dict[Permission, List[str]]]
"""Build the permission request form given the request and POST data.
Normally all fields of the form will be editable. But if the URL
locks down a specific value for the group, permission, or argument,
then the specified fields will display those values and will be
grayed out and not editable.
"""
session = self.session
current_user = self.current_user
def pairs(seq):
# type: (Iterable[str]) -> List[Tuple[str, str]]
return [(item, item) for item in seq]
form = PermissionRequestForm(data)
group_names = {g.groupname for g, e in get_groups_by_user(session, current_user)}
args_by_perm = get_grantable_permissions(
session, settings().restricted_ownership_permissions
)
permission_names = {p for p in args_by_perm}
group_param = self.get_argument("group", None)
if group_param is not None:
if group_param not in group_names:
raise HTTPError(
status_code=404, reason="the group name in the URL is not one you belong to"
)
form.group_name.choices = pairs([group_param])
form.group_name.render_kw = {"readonly": "readonly"}
else:
form.group_name.choices = pairs([""] + sorted(group_names))
permission_param = self.get_argument("permission", None)
if permission_param is not None:
if permission_param not in permission_names:
raise HTTPError(
status_code=404, reason="an unrecognized permission is specified in the URL"
)
form.permission_name.choices = pairs([permission_param])
form.permission_name.render_kw = {"readonly": "readonly"}
else:
form.permission_name.choices = pairs([""] + sorted(permission_names))
argument_param = self.get_argument("argument", "")
if argument_param:
form.argument.render_kw = {"readonly": "readonly"}
form.argument.data = argument_param
return form, args_by_perm
def get(self, group_id=None, name=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
args_by_perm = get_grantable_permissions(self.session,
settings.restricted_ownership_permissions)
dropdown_form, text_form = GroupPermissionRequest._get_forms(args_by_perm, None)
self.render("group-permission-request.html", dropdown_form=dropdown_form,
text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm),
dropdown_help=settings.permission_request_dropdown_help,
text_help=settings.permission_request_text_help)
def get(self, group_id=None, name=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
# Only members can request permissions
if not self.current_user.is_member(group.my_members()):
return self.forbidden()
args_by_perm = get_grantable_permissions(
self.session, settings.restricted_ownership_permissions)
dropdown_form, text_form = GroupPermissionRequest._get_forms(
args_by_perm, None)
self.render("group-permission-request.html",
dropdown_form=dropdown_form,
text_form=text_form,
group=group,
args_by_perm_json=json.dumps(args_by_perm),
dropdown_help=settings.permission_request_dropdown_help,
text_help=settings.permission_request_text_help)
def post(self, group_id=None, name=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
# only owner of group can request permissions for that group
role_index = self.current_user.my_role_index(group.my_members())
if role_index not in OWNER_ROLE_INDICES:
return self.forbidden()
# check inputs
args_by_perm = get_grantable_permissions(self.session,
settings.restricted_ownership_permissions)
dropdown_form, text_form = GroupPermissionRequest._get_forms(args_by_perm,
self.request.arguments)
argument_type = self.request.arguments.get("argument_type")
if argument_type and argument_type[0] == "text":
form = text_form
elif argument_type and argument_type[0] == "dropdown":
form = dropdown_form
form.argument.choices = [(a, a) for a in args_by_perm[form.permission_name.data]]
else:
# someone messing with the form
self.log_message("unknown argument type", group_name=group.name,
argument_type=argument_type)
return self.forbidden()
if not form.validate():
return self.render(
"group-permission-request.html", dropdown_form=dropdown_form,
text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm),
alerts=self.get_form_alerts(form.errors),
dropdown_help=settings.permission_request_dropdown_help,
text_help=settings.permission_request_text_help,
)
permission = Permission.get(self.session, form.permission_name.data)
assert permission is not None, "our prefilled permission should exist or we have problems"
# save off request
try:
permissions.create_request(self.session, self.current_user, group,
permission, form.argument.data, form.reason.data)
except permissions.RequestAlreadyGranted:
alerts = [Alert("danger", "This group already has this permission and argument.")]
except permissions.RequestAlreadyExists:
alerts = [Alert("danger",
"Request for permission and argument already exists, please wait patiently.")]
except permissions.NoOwnersAvailable:
self.log_message("prefilled perm+arg have no owner", group_name=group.name,
permission_name=permission.name, argument=form.argument.data)
alerts = [Alert("danger", "No owners available for requested permission and argument."
" If this error persists please contact an adminstrator.")]
else:
alerts = None
if alerts:
return self.render(
"group-permission-request.html", dropdown_form=dropdown_form,
text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm),
alerts=alerts,
)
else:
return self.redirect("/groups/{}".format(group.name))
def post(self, group_id=None, name=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
# Only members can request permissions
if not self.current_user.is_member(group.my_members()):
return self.forbidden()
# check inputs
args_by_perm = get_grantable_permissions(
self.session, settings.restricted_ownership_permissions)
dropdown_form, text_form = GroupPermissionRequest._get_forms(
args_by_perm, self.request.arguments)
argument_type = self.request.arguments.get("argument_type")
if argument_type and argument_type[0] == "text":
form = text_form
elif argument_type and argument_type[0] == "dropdown":
form = dropdown_form
form.argument.choices = [
(a, a) for a in args_by_perm[form.permission_name.data]
]
else:
# someone messing with the form
self.log_message("unknown argument type",
group_name=group.name,
argument_type=argument_type)
return self.forbidden()
if not form.validate():
return self.render(
"group-permission-request.html",
dropdown_form=dropdown_form,
text_form=text_form,
group=group,
args_by_perm_json=json.dumps(args_by_perm),
alerts=self.get_form_alerts(form.errors),
dropdown_help=settings.permission_request_dropdown_help,
text_help=settings.permission_request_text_help,
)
permission = Permission.get(self.session, form.permission_name.data)
assert permission is not None, "our prefilled permission should exist or we have problems"
# save off request
try:
request = permissions.create_request(self.session,
self.current_user, group,
permission,
form.argument.data,
form.reason.data)
except permissions.RequestAlreadyGranted:
alerts = [
Alert("danger",
"This group already has this permission and argument.")
]
except permissions.RequestAlreadyExists:
alerts = [
Alert(
"danger",
"Request for permission and argument already exists, please wait patiently."
)
]
except permissions.NoOwnersAvailable:
self.log_message("prefilled perm+arg have no owner",
group_name=group.name,
permission_name=permission.name,
argument=form.argument.data)
alerts = [
Alert(
"danger",
"No owners available for requested permission and argument."
" If this error persists please contact an adminstrator.")
]
else:
alerts = None
if alerts:
return self.render(
"group-permission-request.html",
dropdown_form=dropdown_form,
text_form=text_form,
group=group,
args_by_perm_json=json.dumps(args_by_perm),
alerts=alerts,
)
else:
return self.redirect("/permissions/requests/{}".format(request.id))
def test_exclude_disabled_permissions(
session, standard_graph, graph, users, groups, permissions # noqa: F811
):
"""
Ensure that disabled permissions are excluded from various
functions/methods that return data from the models.
"""
perm_ssh = get_permission(session, "ssh")
perm_grant = create_permission(session, PERMISSION_GRANT)
session.commit()
# this user has grouper.permission.grant with argument "ssh/*"
grant_permission(groups["group-admins"], perm_grant, argument="ssh/*")
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert "ssh" == filter_grantable_permissions(session, grant_perms)[0][0].name
assert "ssh" in (p.name for p in get_all_permissions(session))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" in get_grantable_permissions(session, [])
assert "team-sre" in [g[0] for g in get_groups_by_permission(session, perm_ssh)]
assert get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" in get_owners_by_grantable_permission(session)
assert "ssh" in (x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"]))
assert user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" in (p["permission"] for p in graph.get_group_details("team-sre")["permissions"])
assert "ssh" in (pt.name for pt in graph.get_permissions())
assert "team-sre" in graph.get_permission_details("ssh")["groups"]
assert "ssh" in (p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"])
# now disable the ssh permission
disable_permission(session, "ssh", users["*****@*****.**"].id)
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert not filter_grantable_permissions(session, grant_perms)
assert "ssh" not in (p.name for p in get_all_permissions(session))
assert "ssh" not in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" not in get_grantable_permissions(session, [])
assert not get_groups_by_permission(session, perm_ssh)
assert not get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" not in get_owners_by_grantable_permission(session)
assert "ssh" not in (
x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"])
)
assert not user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" not in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" not in (
p["permission"] for p in graph.get_group_details("team-sre")["permissions"]
)
assert "ssh" not in (pt.name for pt in graph.get_permissions())
assert not graph.get_permission_details("ssh")["groups"]
assert "ssh" not in (
p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"]
)
def post(self, *args, **kwargs):
# type: (*Any, **Any) -> None
group_id = kwargs.get("group_id") # type: Optional[int]
name = kwargs.get("name") # type: Optional[str]
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
# Only members can request permissions
if not self.current_user.is_member(group.my_members()):
return self.forbidden()
# check inputs
args_by_perm = get_grantable_permissions(
self.session, settings().restricted_ownership_permissions
)
dropdown_form, text_form = GroupPermissionRequest._get_forms(
args_by_perm, self.request.arguments
)
argument_type = self.request.arguments.get("argument_type")
if argument_type and argument_type[0].decode() == "text":
form = text_form
elif argument_type and argument_type[0].decode() == "dropdown":
form = dropdown_form
form.argument.choices = [(a, a) for a in args_by_perm[form.permission_name.data]]
else:
# someone messing with the form
self.log_message(
"unknown argument type", group_name=group.name, argument_type=argument_type
)
return self.forbidden()
if not form.validate():
return self.render(
"group-permission-request.html",
dropdown_form=dropdown_form,
text_form=text_form,
group=group,
args_by_perm_json=json.dumps(args_by_perm),
alerts=self.get_form_alerts(form.errors),
dropdown_help=settings().permission_request_dropdown_help,
text_help=settings().permission_request_text_help,
)
permission = get_permission(self.session, form.permission_name.data)
assert permission is not None, "our prefilled permission should exist or we have problems"
# save off request
try:
request = permissions.create_request(
self.session,
self.current_user,
group,
permission,
form.argument.data,
form.reason.data,
)
except permissions.RequestAlreadyGranted:
alerts = [Alert("danger", "This group already has this permission and argument.")]
except permissions.RequestAlreadyExists:
alerts = [
Alert(
"danger",
"Request for permission and argument already exists, please wait patiently.",
)
]
except permissions.NoOwnersAvailable:
self.log_message(
"prefilled perm+arg have no owner",
group_name=group.name,
permission_name=permission.name,
argument=form.argument.data,
)
alerts = [
Alert(
"danger",
"No owners available for requested permission and argument."
" If this error persists please contact an adminstrator.",
)
]
except UserNotAuditor as e:
alerts = [Alert("danger", str(e))]
else:
alerts = []
if alerts:
return self.render(
"group-permission-request.html",
dropdown_form=dropdown_form,
text_form=text_form,
group=group,
args_by_perm_json=json.dumps(args_by_perm),
alerts=alerts,
)
else:
return self.redirect("/permissions/requests/{}".format(request.id))
