Ejemplo n.º 1
0
    def test_insert_system_roles(self):
        role_dbs = get_all_roles()
        self.assertItemsEqual(role_dbs, [])

        insert_system_roles()

        role_dbs = get_all_roles()
        self.assertTrue(len(role_dbs), 3)

        role_names = [role_db.name for role_db in role_dbs]
        self.assertTrue('system_admin' in role_names)
        self.assertTrue('admin' in role_names)
        self.assertTrue('observer' in role_names)
Ejemplo n.º 2
0
    def test_insert_system_roles(self):
        role_dbs = get_all_roles()
        self.assertItemsEqual(role_dbs, [])

        insert_system_roles()

        role_dbs = get_all_roles()
        self.assertTrue(len(role_dbs), 3)

        role_names = [role_db.name for role_db in role_dbs]
        self.assertTrue('system_admin' in role_names)
        self.assertTrue('admin' in role_names)
        self.assertTrue('observer' in role_names)
Ejemplo n.º 3
0
    def validate(self, validate_role_exists=False):
        # Parent JSON schema validation
        super(UserRoleAssignmentFileFormatAPI, self).validate()

        # Custom validation
        if validate_role_exists:
            # Validate that the referenced roles exist in the db
            role_dbs = get_all_roles()
            role_names = [role_db.name for role_db in role_dbs]
            roles = self.roles

            for role in roles:
                if role not in role_names:
                    raise ValueError('Role "%s" doesn\'t exist in the database' % (role))
Ejemplo n.º 4
0
    def validate(self):
        # Parent JSON schema validation
        super(UserRoleAssignmentFileFormatAPI, self).validate()

        # Custom validation
        # TODO: Add an argument for validating role db existance
        return

        # Validate that the referenced roles exist in the db
        role_dbs = get_all_roles()
        role_names = [role_db.name for role_db in role_dbs]
        roles = self.roles

        for role in roles:
            if role not in role_names:
                raise ValueError('Role "%s" doesn\'t exist in the database' % (role))
Ejemplo n.º 5
0
    def sync_roles(self, role_definition_apis):
        """
        Synchronize all the role definitions in the database.

        :param role_dbs: RoleDB objects for the roles which are currently in the database.
        :type role_dbs: ``list`` of :class:`RoleDB`

        :param role_definition_apis: RoleDefinition API objects for the definitions loaded from
                                     the files.
        :type role_definition_apis: ``list`` of :class:RoleDefinitionFileFormatAPI`

        :rtype: ``tuple``
        """
        LOG.info('Synchronizing roles...')

        # Retrieve all the roles currently in the DB
        role_dbs = rbac_services.get_all_roles(exclude_system=True)

        role_db_names = [role_db.name for role_db in role_dbs]
        role_db_names = set(role_db_names)
        role_api_names = [
            role_definition_api.name
            for role_definition_api in role_definition_apis
        ]
        role_api_names = set(role_api_names)

        # A list of new roles which should be added to the database
        new_role_names = role_api_names.difference(role_db_names)

        # A list of roles which need to be updated in the database
        updated_role_names = role_db_names.intersection(role_api_names)

        # A list of roles which should be removed from the database
        removed_role_names = (role_db_names - role_api_names)

        LOG.debug('New roles: %r' % (new_role_names))
        LOG.debug('Updated roles: %r' % (updated_role_names))
        LOG.debug('Removed roles: %r' % (removed_role_names))

        # Build a list of roles to delete
        role_names_to_delete = updated_role_names.union(removed_role_names)
        role_dbs_to_delete = [
            role_db for role_db in role_dbs
            if role_db.name in role_names_to_delete
        ]

        # Build a list of roles to create
        role_names_to_create = new_role_names.union(updated_role_names)
        role_apis_to_create = [
            role_definition_api for role_definition_api in role_definition_apis
            if role_definition_api.name in role_names_to_create
        ]

        ########
        # 1. Remove obsolete roles and associated permission grants from the DB
        ########

        # Remove roles
        role_ids_to_delete = []
        for role_db in role_dbs_to_delete:
            role_ids_to_delete.append(role_db.id)

        LOG.debug('Deleting %s stale roles' % (len(role_ids_to_delete)))
        Role.query(id__in=role_ids_to_delete, system=False).delete()
        LOG.debug('Deleted %s stale roles' % (len(role_ids_to_delete)))

        # Remove associated permission grants
        permission_grant_ids_to_delete = []
        for role_db in role_dbs_to_delete:
            permission_grant_ids_to_delete.extend(role_db.permission_grants)

        LOG.debug('Deleting %s stale permission grants' %
                  (len(permission_grant_ids_to_delete)))
        PermissionGrant.query(id__in=permission_grant_ids_to_delete).delete()
        LOG.debug('Deleted %s stale permission grants' %
                  (len(permission_grant_ids_to_delete)))

        ########
        # 2. Add new / updated roles to the DB
        ########

        LOG.debug('Creating %s new roles' % (len(role_apis_to_create)))

        # Create new roles
        created_role_dbs = []
        for role_api in role_apis_to_create:
            role_db = rbac_services.create_role(
                name=role_api.name, description=role_api.description)

            # Create associated permission grants
            permission_grants = getattr(role_api, 'permission_grants', [])
            for permission_grant in permission_grants:
                resource_uid = permission_grant.get('resource_uid', None)

                if resource_uid:
                    resource_type, _ = parse_uid(resource_uid)
                else:
                    resource_type = None

                permission_types = permission_grant['permission_types']
                assignment_db = rbac_services.create_permission_grant(
                    role_db=role_db,
                    resource_uid=resource_uid,
                    resource_type=resource_type,
                    permission_types=permission_types)

                role_db.permission_grants.append(str(assignment_db.id))
            created_role_dbs.append(role_db)

        LOG.debug('Created %s new roles' % (len(created_role_dbs)))
        LOG.info('Roles synchronized (%s created, %s updated, %s removed)' %
                 (len(new_role_names), len(updated_role_names),
                  len(removed_role_names)))

        return [created_role_dbs, role_dbs_to_delete]
Ejemplo n.º 6
0
 def test_get_all_roles(self):
     role_dbs = rbac_services.get_all_roles()
     self.assertEqual(len(role_dbs), len(self.roles) + 4)
Ejemplo n.º 7
0
    def sync_roles(self, role_definition_apis):
        """
        Synchronize all the role definitions in the database.

        :param role_dbs: RoleDB objects for the roles which are currently in the database.
        :type role_dbs: ``list`` of :class:`RoleDB`

        :param role_definition_apis: RoleDefinition API objects for the definitions loaded from
                                     the files.
        :type role_definition_apis: ``list`` of :class:RoleDefinitionFileFormatAPI`

        :rtype: ``tuple``
        """
        LOG.info("Synchronizing roles...")

        # Retrieve all the roles currently in the DB
        role_dbs = rbac_services.get_all_roles(exclude_system=True)

        role_db_names = [role_db.name for role_db in role_dbs]
        role_db_names = set(role_db_names)
        role_api_names = [role_definition_api.name for role_definition_api in role_definition_apis]
        role_api_names = set(role_api_names)

        # A list of new roles which should be added to the database
        new_role_names = role_api_names.difference(role_db_names)

        # A list of roles which need to be updated in the database
        updated_role_names = role_db_names.intersection(role_api_names)

        # A list of roles which should be removed from the database
        removed_role_names = role_db_names - role_api_names

        LOG.debug("New roles: %r" % (new_role_names))
        LOG.debug("Updated roles: %r" % (updated_role_names))
        LOG.debug("Removed roles: %r" % (removed_role_names))

        # Build a list of roles to delete
        role_names_to_delete = updated_role_names.union(removed_role_names)
        role_dbs_to_delete = [role_db for role_db in role_dbs if role_db.name in role_names_to_delete]

        # Build a list of roles to create
        role_names_to_create = new_role_names.union(updated_role_names)
        role_apis_to_create = [
            role_definition_api
            for role_definition_api in role_definition_apis
            if role_definition_api.name in role_names_to_create
        ]

        ########
        # 1. Remove obsolete roles and associated permission grants from the DB
        ########

        # Remove roles
        role_ids_to_delete = []
        for role_db in role_dbs_to_delete:
            role_ids_to_delete.append(role_db.id)

        LOG.debug("Deleting %s stale roles" % (len(role_ids_to_delete)))
        Role.query(id__in=role_ids_to_delete, system=False).delete()
        LOG.debug("Deleted %s stale roles" % (len(role_ids_to_delete)))

        # Remove associated permission grants
        permission_grant_ids_to_delete = []
        for role_db in role_dbs_to_delete:
            permission_grant_ids_to_delete.extend(role_db.permission_grants)

        LOG.debug("Deleting %s stale permission grants" % (len(permission_grant_ids_to_delete)))
        PermissionGrant.query(id__in=permission_grant_ids_to_delete).delete()
        LOG.debug("Deleted %s stale permission grants" % (len(permission_grant_ids_to_delete)))

        ########
        # 2. Add new / updated roles to the DB
        ########

        LOG.debug("Creating %s new roles" % (len(role_apis_to_create)))

        # Create new roles
        created_role_dbs = []
        for role_api in role_apis_to_create:
            role_db = rbac_services.create_role(name=role_api.name, description=role_api.description)

            # Create associated permission grants
            for permission_grant in role_api.permission_grants:
                resource_uid = permission_grant["resource_uid"]
                resource_type, _ = parse_uid(resource_uid)
                permission_types = permission_grant["permission_types"]
                assignment_db = rbac_services.create_permission_grant(
                    role_db=role_db,
                    resource_uid=resource_uid,
                    resource_type=resource_type,
                    permission_types=permission_types,
                )

                role_db.permission_grants.append(str(assignment_db.id))
            created_role_dbs.append(role_db)

        LOG.debug("Created %s new roles" % (len(created_role_dbs)))
        LOG.info(
            "Roles synchronized (%s created, %s updated, %s removed)"
            % (len(new_role_names), len(updated_role_names), len(removed_role_names))
        )

        return [created_role_dbs, role_dbs_to_delete]
Ejemplo n.º 8
0
 def test_get_all_roles(self):
     role_dbs = rbac_services.get_all_roles()
     self.assertEqual(len(role_dbs), len(self.roles))