def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type):
log_context = {
'user_db': user_db,
'pack_uid': pack_uid,
'resource_uid': resource_uid,
'resource_type': self.resource_type,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
self._log('Checking grants via system role permissions', extra=log_context)
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
permission_name='view')
all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
permission_name='all')
if permission_type == view_permission_type:
# Note: Some permissions such as "create", "modify", "delete" and "execute" also
# grant / imply "view" permission
permission_types = self.view_grant_permission_types[:] + [permission_type]
elif permission_type not in all_permission_type:
permission_types = [all_permission_type, permission_type]
else:
permission_types = [permission_type]
# Check direct grants on the specified resource
self._log('Checking direct grans on the specified resource', extra=log_context)
resource_types = [self.resource_type]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=resource_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the action', extra=log_context)
return True
# Check grants on the parent pack
self._log('Checking grants on the parent resource', extra=log_context)
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the action parent pack', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type):
log_context = {
'user_db': user_db,
'pack_uid': pack_uid,
'resource_uid': resource_uid,
'resource_type': self.resource_type,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
permission_name='view')
all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
permission_name='all')
if permission_type == view_permission_type:
# Note: Some permissions such as "create", "modify", "delete" and "execute" also
# grant / imply "view" permission
permission_types = self.view_grant_permission_types[:] + [permission_type]
elif permission_type not in all_permission_type:
permission_types = [all_permission_type, permission_type]
else:
permission_types = [permission_type]
# Check direct grants on the specified resource
resource_types = [self.resource_type]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=resource_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the action', extra=log_context)
return True
# Check grants on the parent pack
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the action parent pack', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def test_get_permission_type(self):
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
permission_name='view'),
PermissionType.ACTION_VIEW)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
permission_name='all'),
PermissionType.ACTION_ALL)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
permission_name='execute'),
PermissionType.ACTION_EXECUTE)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
permission_name='view'),
PermissionType.RULE_VIEW)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
permission_name='delete'),
PermissionType.RULE_DELETE)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
permission_name='view'),
PermissionType.SENSOR_VIEW)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
permission_name='all'),
PermissionType.SENSOR_ALL)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
permission_name='modify'),
PermissionType.SENSOR_MODIFY)
self.assertEqual(
PermissionType.get_permission_type(resource_type=ResourceType.RULE_ENFORCEMENT,
permission_name='view'),
PermissionType.RULE_ENFORCEMENT_VIEW)
def test_get_permission_type(self):
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
permission_name='view'),
PermissionType.ACTION_VIEW)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
permission_name='all'),
PermissionType.ACTION_ALL)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
permission_name='execute'),
PermissionType.ACTION_EXECUTE)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
permission_name='view'),
PermissionType.RULE_VIEW)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
permission_name='delete'),
PermissionType.RULE_DELETE)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
permission_name='view'),
PermissionType.SENSOR_VIEW)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
permission_name='all'),
PermissionType.SENSOR_ALL)
self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
permission_name='modify'),
PermissionType.SENSOR_MODIFY)
def _get_all_permission_type_for_resource(self, resource_db):
"""
Retrieve "ALL" permission type for the provided resource.
"""
resource_type = resource_db.get_resource_type()
permission_type = PermissionType.get_permission_type(
resource_type=resource_type, permission_name='all')
return permission_type
def _get_all_permission_type_for_resource(self, resource_db):
"""
Retrieve "ALL" permission type for the provided resource.
"""
resource_type = resource_db.get_resource_type()
permission_type = PermissionType.get_permission_type(resource_type=resource_type,
permission_name='all')
return permission_type
def test_get_permission_type(self):
self.assertEqual(
PermissionType.get_permission_type(
resource_type=ResourceType.ACTION, permission_name="view"),
PermissionType.ACTION_VIEW,
)
self.assertEqual(
PermissionType.get_permission_type(
resource_type=ResourceType.ACTION, permission_name="all"),
PermissionType.ACTION_ALL,
)
self.assertEqual(
PermissionType.get_permission_type(
resource_type=ResourceType.ACTION, permission_name="execute"),
PermissionType.ACTION_EXECUTE,
)
self.assertEqual(
PermissionType.get_permission_type(resource_type=ResourceType.RULE,
permission_name="view"),
PermissionType.RULE_VIEW,
)
self.assertEqual(
PermissionType.get_permission_type(resource_type=ResourceType.RULE,
permission_name="delete"),
PermissionType.RULE_DELETE,
)
self.assertEqual(
PermissionType.get_permission_type(
resource_type=ResourceType.SENSOR, permission_name="view"),
PermissionType.SENSOR_VIEW,
)
self.assertEqual(
PermissionType.get_permission_type(
resource_type=ResourceType.SENSOR, permission_name="all"),
PermissionType.SENSOR_ALL,
)
self.assertEqual(
PermissionType.get_permission_type(
resource_type=ResourceType.SENSOR, permission_name="modify"),
PermissionType.SENSOR_MODIFY,
)
self.assertEqual(
PermissionType.get_permission_type(
resource_type=ResourceType.RULE_ENFORCEMENT,
permission_name="view"),
PermissionType.RULE_ENFORCEMENT_VIEW,
)
def user_has_resource_db_permission(self, user_db, resource_db,
permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role',
extra=log_context)
return True
# Check custom roles
rule_spec = getattr(resource_db, 'rule', None)
rule_uid = rule_spec.uid
rule_id = rule_spec.id
rule_pack = ResourceReference.get_pack(rule_spec.ref)
if not rule_uid or not rule_id or not rule_pack:
LOG.error(
'Rule UID or ID or PACK not present in enforcement object. ' +
('UID = %s, ID = %s, PACK = %s' %
(rule_uid, rule_id, rule_pack)) +
'Cannot assess access permissions without it. Defaulting to DENY.'
)
return False
# TODO: Add utility methods for constructing uids from parts
pack_db = PackDB(ref=rule_pack)
rule_pack_uid = pack_db.get_uid()
rule_permission_type = None
if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW:
rule_permission_type = PermissionType.RULE_VIEW
elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST:
rule_permission_type = PermissionType.RULE_LIST
else:
raise ValueError('Invalid permission type: %s' % (permission_type))
permission_types = [PermissionType.RULE_ALL, rule_permission_type]
view_permission_type = PermissionType.get_permission_type(
resource_type=ResourceType.RULE, permission_name='view')
if rule_permission_type == view_permission_type:
permission_types = (
RulePermissionsResolver.view_grant_permission_types[:] +
[rule_permission_type])
# Check grants on the pack of the rule to which enforcement belongs to
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=rule_pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the enforcement rule parent pack',
extra=log_context)
return True
# Check grants on the rule the enforcement belongs to
resource_types = [ResourceType.RULE]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=rule_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the enforcement\'s rule.',
extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
rule_spec = getattr(resource_db, 'rule', None)
rule_uid = rule_spec.uid
rule_id = rule_spec.id
rule_pack = ResourceReference.get_pack(rule_spec.ref)
if not rule_uid or not rule_id or not rule_pack:
LOG.error('Rule UID or ID or PACK not present in enforcement object. ' +
('UID = %s, ID = %s, PACK = %s' % (rule_uid, rule_id, rule_pack)) +
'Cannot assess access permissions without it. Defaulting to DENY.')
return False
# TODO: Add utility methods for constructing uids from parts
pack_db = PackDB(ref=rule_pack)
rule_pack_uid = pack_db.get_uid()
rule_permission_type = None
if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW:
rule_permission_type = PermissionType.RULE_VIEW
elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST:
rule_permission_type = PermissionType.RULE_LIST
else:
raise ValueError('Invalid permission type: %s' % (permission_type))
permission_types = [PermissionType.RULE_ALL, rule_permission_type]
view_permission_type = PermissionType.get_permission_type(resource_type=ResourceType.RULE,
permission_name='view')
if rule_permission_type == view_permission_type:
permission_types = (RulePermissionsResolver.view_grant_permission_types[:] +
[rule_permission_type])
# Check grants on the pack of the rule to which enforcement belongs to
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=rule_pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the enforcement rule parent pack', extra=log_context)
return True
# Check grants on the rule the enforcement belongs to
resource_types = [ResourceType.RULE]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=rule_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the enforcement\'s rule.', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
