Example #1
0
        def wrapper(*args, **kwargs):

            # getting the tenant name
            if get_tenant_from == 'header':
                tenant_name = tenant_for_auth or request.headers.get(
                    CLOUDIFY_TENANT_HEADER)
            elif get_tenant_from == 'param':
                tenant_name = tenant_for_auth or kwargs['tenant_name']
            elif get_tenant_from == 'data':
                tenant_name = tenant_for_auth or get_json_and_verify_params({
                    'tenant_name': {
                        'type': unicode
                    }
                }).get('tenant_name')
            else:
                tenant_name = tenant_for_auth

            # finding tenant to add to the app config
            if tenant_name:
                try:
                    tenant = get_storage_manager().get(
                        Tenant, tenant_name, filters={'name': tenant_name})
                    utils.set_current_tenant(tenant)
                except NotFoundError:
                    raise ForbiddenError(
                        'Authorization failed: Tried to authenticate with '
                        'invalid tenant name: {0}'.format(tenant_name))

            # when running unittests, there is no authorization
            if config.instance.test_mode:
                return func(*args, **kwargs)

            # extracting tenant roles for user in the tenant
            tenant_roles = []
            for t in current_user.all_tenants:
                if (allow_all_tenants and request_use_all_tenants()) \
                        or t.name == tenant_name:
                    tenant_roles += current_user.all_tenants[t]

            # joining user's system role with his tenant roles
            user_roles = [role.name for role in tenant_roles] \
                + current_user.system_roles

            # getting the roles allowed to perform requested action
            action_roles = config.instance.authorization_permissions[action]

            # checking if any of the user's roles is allowed to perform action
            for user_role in user_roles:
                if user_role in action_roles:
                    return func(*args, **kwargs)

            # none of the user's role is allowed to perform the action
            error_message = 'User `{0}` is not permitted to perform the ' \
                            'action {1}'.format(current_user.username, action)
            if tenant_name:
                error_message += ' in the tenant `{0}`'.format(tenant_name)
            raise ForbiddenError(error_message)
Example #2
0
 def _validate_secret_modification_permitted(self, secret):
     get_resource_manager().validate_modification_permitted(secret)
     if secret.is_hidden_value and \
             not self._is_hidden_value_permitted(secret):
         raise ForbiddenError(
             'User `{0}` is not permitted to modify the hidden value '
             'secret `{1}`'.format(current_user.username, secret.key))
Example #3
0
 def _validate_secret_modification_permitted(self, secret):
     if secret.is_hidden_value and \
             not rest_utils.is_hidden_value_permitted(secret):
         raise ForbiddenError(
             'User `{0}` is not permitted to modify the hidden value '
             'secret `{1}`'.format(current_user.username, secret.key)
         )
        def wrapper(*args, **kwargs):

            # getting the tenant name
            if get_tenant_from == 'header':
                tenant_name = tenant_for_auth or request.headers.get(
                    CLOUDIFY_TENANT_HEADER)
            elif get_tenant_from == 'param':
                tenant_name = tenant_for_auth or kwargs['tenant_name']
            elif get_tenant_from == 'data':
                tenant_name = tenant_for_auth or get_json_and_verify_params({
                    'tenant_name': {
                        'type': text_type
                    }
                }).get('tenant_name')
            else:
                tenant_name = tenant_for_auth

            # finding tenant to add to the app config
            if tenant_name:
                try:
                    tenant = get_storage_manager().get(
                        Tenant, tenant_name, filters={'name': tenant_name})
                    utils.set_current_tenant(tenant)
                except NotFoundError:
                    raise ForbiddenError(
                        'Authorization failed: Tried to authenticate with '
                        'invalid tenant name: {0}'.format(tenant_name))

            if not current_user.active:
                raise ForbiddenError('Authorization failed: '
                                     'User `{0}` is deactivated'.format(
                                         current_user.username))

            # when running unittests, there is no authorization
            if config.instance.test_mode:
                return func(*args, **kwargs)

            # checking if any of the user's roles is allowed to perform action
            if is_user_action_allowed(action, tenant_name, allow_all_tenants):
                return func(*args, **kwargs)

            # none of the user's role is allowed to perform the action
            error_message = 'User `{0}` is not permitted to perform the ' \
                            'action {1}'.format(current_user.username, action)
            if tenant_name:
                error_message += ' in the tenant `{0}`'.format(tenant_name)
            raise ForbiddenError(error_message)
Example #5
0
 def _update_is_hidden_value(self, secret):
     is_hidden_value = request.json.get('is_hidden_value')
     if is_hidden_value is None:
         return
     is_hidden_value = rest_utils.verify_and_convert_bool(
         'is_hidden_value', is_hidden_value)
     # Only the creator of the secret and the admins can change a secret
     # to be hidden value
     if not self._is_hidden_value_permitted(secret):
         raise ForbiddenError(
             'User `{0}` is not permitted to modify the secret `{1}` '
             'to be hidden value'.format(current_user.username, secret.key))
     secret.is_hidden_value = is_hidden_value