def add_system_access_policy_rule(fqdn):
system = _get_system_by_FQDN(fqdn)
if not system.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system policy')
if system.custom_access_policy:
policy = system.custom_access_policy
else:
policy = system.custom_access_policy = SystemAccessPolicy()
rule = read_json_request(request)
if rule['user']:
user = User.by_user_name(rule['user'])
if not user:
raise BadRequest400("User '%s' does not exist" % rule['user'])
else:
user = None
if rule['group']:
try:
group = Group.by_name(rule['group'])
except NoResultFound:
raise BadRequest400("Group '%s' does not exist" % rule['group'])
else:
group = None
try:
permission = SystemPermission.from_string(rule['permission'])
except ValueError:
raise BadRequest400
new_rule = policy.add_rule(user=user, group=group,
everybody=rule['everybody'], permission=permission)
system.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Added',
new=repr(new_rule))
return '', 204
def save_system_access_policy(fqdn):
system = _get_system_by_FQDN(fqdn)
if not system.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system policy')
if system.custom_access_policy:
policy = system.custom_access_policy
else:
policy = system.custom_access_policy = SystemAccessPolicy()
data = read_json_request(request)
# Figure out what is added, what is removed.
# Rules are immutable, so if it has an id it is unchanged,
# if it has no id it is new.
kept_rule_ids = frozenset(r['id'] for r in data['rules'] if 'id' in r)
removed = []
for old_rule in policy.rules:
if old_rule.id not in kept_rule_ids:
removed.append(old_rule)
for old_rule in removed:
system.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Removed',
old=repr(old_rule))
policy.rules.remove(old_rule)
for rule in data['rules']:
if 'id' not in rule:
user = User.by_user_name(rule['user']) if rule['user'] else None
group = Group.by_name(rule['group']) if rule['group'] else None
permission = SystemPermission.from_string(rule['permission'])
new_rule = policy.add_rule(user=user, group=group,
everybody=rule['everybody'], permission=permission)
system.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Added',
new=repr(new_rule))
return '', 204
def save_system_access_policy(fqdn):
system = _get_system_by_FQDN(fqdn)
if not system.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system policy')
if system.custom_access_policy:
policy = system.custom_access_policy
else:
policy = system.custom_access_policy = SystemAccessPolicy()
data = read_json_request(request)
# Figure out what is added, what is removed.
# Rules are immutable, so if it has an id it is unchanged,
# if it has no id it is new.
kept_rule_ids = frozenset(r['id'] for r in data['rules'] if 'id' in r)
removed = []
for old_rule in policy.rules:
if old_rule.id not in kept_rule_ids:
removed.append(old_rule)
for old_rule in removed:
system.record_activity(user=identity.current.user,
service=u'HTTP',
field=u'Access Policy Rule',
action=u'Removed',
old=repr(old_rule))
policy.rules.remove(old_rule)
for rule in data['rules']:
if 'id' not in rule:
if rule['user']:
user = User.by_user_name(rule['user'])
if user is None:
raise BadRequest400('No such user %r' % rule['user'])
else:
user = None
try:
group = Group.by_name(rule['group']) if rule['group'] else None
except NoResultFound:
raise BadRequest400('No such group %r' % rule['group'])
permission = SystemPermission.from_string(rule['permission'])
new_rule = policy.add_rule(user=user,
group=group,
everybody=rule['everybody'],
permission=permission)
system.record_activity(user=identity.current.user,
service=u'HTTP',
field=u'Access Policy Rule',
action=u'Added',
new=repr(new_rule))
return jsonify(policy.__json__())
def add_access_policy_rule(pool_name):
"""
Adds a new rule to the access policy for a system pool. Each rule in the policy
grants a permission to a single user, a group of users, or to everybody.
See :ref:`system-access-policies-api` for a description of the expected JSON parameters.
:param pool_name: System pool's name.
"""
pool = _get_pool_by_name(pool_name)
if not pool.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system pool policy')
policy = pool.access_policy
rule = read_json_request(request)
if rule.get('user', None):
user = User.by_user_name(rule['user'])
if not user:
raise BadRequest400("User '%s' does not exist" % rule['user'])
else:
user = None
if rule.get('group', None):
try:
group = Group.by_name(rule['group'])
except NoResultFound:
raise BadRequest400("Group '%s' does not exist" % rule['group'])
else:
group = None
try:
permission = SystemPermission.from_string(rule['permission'])
except ValueError:
raise BadRequest400('Invalid permission')
new_rule = policy.add_rule(user=user,
group=group,
everybody=rule['everybody'],
permission=permission)
pool.record_activity(user=identity.current.user,
service=u'HTTP',
field=u'Access Policy Rule',
action=u'Added',
new=repr(new_rule))
return '', 204
def add_access_policy_rule(pool_name):
"""
Adds a new rule to the access policy for a system pool. Each rule in the policy
grants a permission to a single user, a group of users, or to everybody.
See :ref:`system-access-policies-api` for a description of the expected JSON parameters.
:param pool_name: System pool's name.
"""
pool = _get_pool_by_name(pool_name)
if not pool.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system pool policy')
policy = pool.access_policy
rule = read_json_request(request)
if rule.get('user', None):
user = User.by_user_name(rule['user'])
if not user:
raise BadRequest400("User '%s' does not exist" % rule['user'])
if user.removed:
raise BadRequest400('Cannot add deleted user %s to access policy' % user.user_name)
else:
user = None
if rule.get('group', None):
try:
group = Group.by_name(rule['group'])
except NoResultFound:
raise BadRequest400("Group '%s' does not exist" % rule['group'])
else:
group = None
try:
permission = SystemPermission.from_string(rule['permission'])
except ValueError:
raise BadRequest400('Invalid permission')
new_rule = policy.add_rule(user=user, group=group,
everybody=rule['everybody'],
permission=permission)
pool.record_activity(user=identity.current.user, service=u'HTTP',
field=u'Access Policy Rule', action=u'Added',
new=repr(new_rule))
return '', 204
def add_system_access_policy_rule(fqdn):
system = _get_system_by_FQDN(fqdn)
if not system.can_edit_policy(identity.current.user):
raise Forbidden403('Cannot edit system policy')
if system.custom_access_policy:
policy = system.custom_access_policy
else:
policy = system.custom_access_policy = SystemAccessPolicy()
rule = read_json_request(request)
if rule['user']:
user = User.by_user_name(rule['user'])
if not user:
raise BadRequest400("User '%s' does not exist" % rule['user'])
else:
user = None
if rule['group']:
try:
group = Group.by_name(rule['group'])
except NoResultFound:
raise BadRequest400("Group '%s' does not exist" % rule['group'])
else:
group = None
try:
permission = SystemPermission.from_string(rule['permission'])
except ValueError:
raise BadRequest400
new_rule = policy.add_rule(user=user,
group=group,
everybody=rule['everybody'],
permission=permission)
system.record_activity(user=identity.current.user,
service=u'HTTP',
field=u'Access Policy Rule',
action=u'Added',
new=repr(new_rule))
return '', 204
