def get_snapshots_data(self): """ Getter used by SnapshotsTable model. """ user_id = os_auth.get_user(self.request).id self.cache_user(user_id) owner = os_auth.get_user(self.request).project_id filters = {"owner": owner} snapshots_list = list() try: snapshots = api.glance.image_list_detailed(self.request) for snapshot in snapshots[0]: if snapshot.properties.get("image_type") == "snapshot": if (all( getattr(snapshot, attr) == value for (attr, value) in filters.items()) and snapshot.properties.get("user_id") == user_id): snapshot.user = self.users_cache[user_id] snapshots_list.append(snapshot) return snapshots_list except Exception: snapshots_list = [] exceptions.handle(self.request, _("Unable to retrieve snapshots"))
def has_permission(self, request, instance_id): """ Check if user have permission to access instances """ instance = api.nova.server_get(request, instance_id) user_id = os_auth.get_user(request).id tenant_id = os_auth.get_user(request).project_id roles = [str(role["name"]) for role in os_auth.get_user(request).roles] if instance.tenant_id == tenant_id and ( instance.user_id == user_id or settings.PROJECT_MANAGER_ROLE in roles): return True return False
def test_add_allowed_address_pair_button_disabled_to_other_tenant(self): # Current user tenant_id is 1 so select port whose tenant_id is # other than 1 for checking "Add Allowed Address Pair" button is not # displayed on the screen. user = auth_utils.get_user(self.request) # select port such that tenant_id is different from user's tenant_id. port = [p for p in self.ports.list() if p.tenant_id != user.tenant_id][0] self._stub_is_extension_supported({ 'allowed-address-pairs': False, 'mac-learning': False }) with mock.patch('openstack_auth.utils.get_user', return_value=user): url = reverse( 'horizon:project:networks:ports:addallowedaddresspairs', args=[port.id]) classes = 'btn data-table-action btn-default ajax-modal' link_name = "Add Allowed Address Pair" expected_string = \ '<a id="allowed_address_pairs__action_AddAllowedAddressPair" ' \ 'class="%s" href="%s" title="Add Allowed Address Pair">' \ '<span class="fa fa-plus"></span> %s</a>' \ % (classes, url, link_name) res = self.client.get( reverse('horizon:project:networks:ports:detail', args=[port.id])) self.assertNotIn(expected_string, res.context_data['tab_group'].render())
def test_delete_address_pair_button_disabled_to_other_tenant(self): # Current user tenant_id is 1 so select port whose tenant_id is # other than 1 for checking "Delete Allowed Address Pair" button is # not displayed on the screen. user = auth_utils.get_user(self.request) # select port such that tenant_id is different from user's tenant_id. port = [p for p in self.ports.list() if p.tenant_id != user.tenant_id][0] self._stub_is_extension_supported({ 'allowed-address-pairs': False, 'mac-learning': False }) with mock.patch('openstack_auth.utils.get_user', return_value=user): classes = 'data-table-action btn-danger btn' expected_string = \ '<button data-batch-action="true" ' \ 'id="allowed_address_pairs__action_delete" ' \ 'class="%s" name="action" help_text="This action cannot be ' \ 'undone." type="submit" ' \ 'value="allowed_address_pairs__delete">' \ '<span class="fa fa-trash"></span>' \ ' Delete</button>' % (classes) res = self.client.get( reverse('horizon:project:networks:ports:detail', args=[port.id])) self.assertNotIn(expected_string, res.context_data['tab_group'].render())
def has_role(request, name): """ Check if the current user has a given role """ for role in os_auth.get_user(request).roles: if role["name"] == name: return True return False
def get_user_role(self, user_id): try: user = auth_utils.get_user(self.request) except Exception: redirect = self.get_redirect_url() exceptions.handle(self.request, _('Unable to retrieve role list.'), redirect=redirect) role_names = [role['name'] for role in user.roles] return role_names
def allowed(self, request, user_alerts=None): """ Define if the current user is allowed to mark alerts as read. """ roles = os_auth.get_user(request).roles for r in roles: if r["name"] == settings.PROJECT_MANAGER_ROLE: return True return False
def check(actions, request, target={}): """Check user permission. Check if the user has permission to the action according to policy setting. :param actions: list of scope and action to do policy checks on, the composition of which is (scope, action) * scope: service type managing the policy for action * action: string representing the action to be checked this should be colon separated for clarity. i.e. | compute:create_instance | compute:attach_volume | volume:attach_volume for a policy action that requires a single action, actions should look like | "(("compute", "compute:create_instance"),)" for a multiple action check, actions should look like | "(("identity", "identity:list_users"), | ("identity", "identity:list_roles"))" :param request: django http request object. If not specified, credentials must be passed. :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'tenant_id': object.tenant_id} :returns: boolean if the user has permission or not for the actions. """ user = auth_utils.get_user(request) credentials = _user_to_credentials(request, user) enforcer = _get_enforcer() for action in actions: scope, action = action[0], action[1] if scope in enforcer: # if any check fails return failure if not enforcer[scope].enforce(action, target, credentials): return False # if no policy for scope, allow action, underlying API will # ultimately block the action if not permitted, treat as though # allowed return True
def delete(self, request, obj_id): """ Action called to define if the current user is allowed to mark alerts as read. """ gerenuk_config = gerenuk.Config() gerenuk_config.load(settings.GERENUK_CONF) gerenuk_api = gerenuk.api.AlertsAPI(gerenuk_config) project = os_auth.get_user(request).project_id unread_alerts = gerenuk_api.get_unread_alerts(project) read_ids = list() for i in range(0, min(1, len(unread_alerts))): read_ids.append(unread_alerts[i]["id"]) gerenuk_api.tag_alerts_as_read([int(obj_id)])
def get_instances_data(self): """ Getter used by InstancesTable model. """ user_id = os_auth.get_user(self.request).id self.cache_user(user_id) instances_list = [] instances, self._more = api.nova.server_list(self.request) for instance in instances: if hasattr(instance, "user_id"): if (user_id == instance.user_id): instance.user = self.users_cache[user_id] instances_list.append(instance) return instances_list
def check(actions, request, target={}): """ Check if the user has permission to the action according to policy setting. :param actions: list of scope and action to do policy checks on, the composition of which is (scope, action) scope: service type managing the policy for action action: string representing the action to be checked this should be colon separated for clarity. i.e. compute:create_instance compute:attach_volume volume:attach_volume for a policy action that requires a single action: actions should look like "(("compute", "compute:create_instance"),)" for a multiple action check: actions should look like "(("identity", "identity:list_users"), ("identity", "identity:list_roles"))" :param request: django http request object. If not specified, credentials must be passed. :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'tenant_id': object.tenant_id} :returns: boolean if the user has permission or not for the actions. """ user = auth_utils.get_user(request) credentials = _user_to_credentials(request, user) enforcer = _get_enforcer() for action in actions: scope, action = action[0], action[1] if scope in enforcer: # if any check fails return failure if not enforcer[scope].enforce(action, target, credentials): return False # if no policy for scope, allow action, underlying API will # ultimately block the action if not permitted, treat as though # allowed return True
def test_check_credentials_default(self): policy.reset() enforcer = policy._get_enforcer() scope = enforcer['with_default'] user = utils.get_user() credentials = policy._user_to_credentials(user) target = { 'project_id': user.project_id, 'tenant_id': user.project_id, 'user_id': user.id, 'domain_id': user.user_domain_id, 'user.domain_id': user.user_domain_id, 'group.domain_id': user.user_domain_id, 'project.domain_id': user.user_domain_id, } is_valid = policy._check_credentials(scope, 'action', target, credentials) self.assertFalse(is_valid)
def get_data(self): """ Getter used by the InstancesTable model """ instances_list = [] instances, self._more = api.nova.server_list(self.request) users_cache = dict() # Get current user information current_user_id = os_auth.get_user(self.request).id # Add allowed instances to result list for instance in instances: if (hasattr(instance, "user_id") and instance.user_id == current_user_id): # Look for unkonw user user_id = instance.user_id self.cache_user(user_id) # Get info info = self.get_statistics(instance.id) instance.user = self.users_cache[user_id] try: instance.vcpu = str( float(info[instance.id]["vcpu"] ["weekly"])) + "% (last week)" except KeyError: try: instance.vcpu = str( float(info[instance.id]["vcpu"] ["daily"])) + "% (last day)" except KeyError: try: instance.vcpu = str( float(info[instance.id]["vcpu"] ["hourly"])) + "% (last hour)" except KeyError: instance.vcpu = "N/A" instances_list.append(instance) return instances_list
def get_volumes_data(self): """ Getter used by VolumesTable model. """ user_id = os_auth.get_user(self.request).id self.cache_user(user_id) filters = {"user_id": user_id} cinder = api.cinder.cinderclient(self.request) unfiltred_volumes = cinder.volumes.list() volumes_list = list() for volume in unfiltred_volumes: if all( getattr(volume, attr) == value for (attr, value) in filters.items()): volume.user = self.users_cache[user_id] volumes_list.append(volume) return volumes_list
def dispatch(self, request, url): if not url: url = '/' if request.method not in self.http_method_names: return http.HttpResponseNotAllowed(request.method) if not self._can_access_kibana(): error_msg = (_('User %s does not have sufficient ' 'privileges to access Kibana') % auth_utils.get_user(request)) LOG.error(error_msg) return http.HttpResponseForbidden(content=error_msg) # passing kbn version explicitly for kibana >= 4.3.x headers = { 'X-Auth-Token': request.user.token.id, 'kbn-version': request.META.get('HTTP_KBN_VERSION', '') } return self.read(request.method, url, request.body, headers)
def dispatch(self, request, url): if not url: url = '/' if request.method not in self.http_method_names: return http.HttpResponseNotAllowed(request.method) if not self._can_access_kibana(): error_msg = (_('User %s does not have sufficient ' 'privileges to access Kibana') % auth_utils.get_user(request)) LOG.error(error_msg) return http.HttpResponseForbidden(content=error_msg) # passing kbn version explicitly for kibana >= 4.3.x headers = { 'X-Auth-Token': request.user.token.id, 'kbn-version': request.META.get('HTTP_KBN_VERSION', ''), 'Cookie': request.META.get('HTTP_COOKIE', '') } return self.read(request.method, url, request.body, headers)
def _add_project_user_role(self, request, project_id): try: role_list = {role.name: role.id for role in project_identity.role_list(request)} user = auth_utils.get_user(request) role_name_list = [role['name'] for role in user.roles] for role_name in role_name_list: if role_name in getattr(nec_set, 'DISINHERITED_ROLES', []): continue project_identity.add_project_user_role( request, project=project_id, user=user, role=role_list.get(role_name)) return True except Exception: exceptions.handle(request, ignore=True) return False finally: auth_utils.remove_project_cache(request.user.token.id)
def check(actions, request, target=None): """Check user permission. Check if the user has permission to the action according to policy setting. :param actions: list of scope and action to do policy checks on, the composition of which is (scope, action). Multiple actions are treated as a logical AND. * scope: service type managing the policy for action * action: string representing the action to be checked this should be colon separated for clarity. i.e. | compute:create_instance | compute:attach_volume | volume:attach_volume for a policy action that requires a single action, actions should look like | "(("compute", "compute:create_instance"),)" for a multiple action check, actions should look like | "(("identity", "identity:list_users"), | ("identity", "identity:list_roles"))" :param request: django http request object. If not specified, credentials must be passed. :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': object.project_id} :returns: boolean if the user has permission or not for the actions. """ if target is None: target = {} user = auth_utils.get_user(request) # Several service policy engines default to a project id check for # ownership. Since the user is already scoped to a project, if a # different project id has not been specified use the currently scoped # project's id. # # The reason is the operator can edit the local copies of the service # policy file. If a rule is removed, then the default rule is used. We # don't want to block all actions because the operator did not fully # understand the implication of editing the policy file. Additionally, # the service APIs will correct us if we are too permissive. if target.get('project_id') is None: target['project_id'] = user.project_id if target.get('tenant_id') is None: target['tenant_id'] = target['project_id'] # same for user_id if target.get('user_id') is None: target['user_id'] = user.id domain_id_keys = [ 'domain_id', 'project.domain_id', 'user.domain_id', 'group.domain_id' ] # populates domain id keys with user's current domain id for key in domain_id_keys: if target.get(key) is None: target[key] = user.user_domain_id credentials = _user_to_credentials(user) domain_credentials = _domain_to_credentials(request, user) # if there is a domain token use the domain_id instead of the user's domain if domain_credentials: credentials['domain_id'] = domain_credentials.get('domain_id') enforcer = _get_enforcer() for action in actions: scope, action = action[0], action[1] if scope in enforcer: # this is for handling the v3 policy file and will only be # needed when a domain scoped token is present if scope == 'identity' and domain_credentials: # use domain credentials if not _check_credentials(enforcer[scope], action, target, domain_credentials): return False # use project credentials if not _check_credentials(enforcer[scope], action, target, credentials): return False # if no policy for scope, allow action, underlying API will # ultimately block the action if not permitted, treat as though # allowed return True
def check(actions, request, target=None): """Check user permission. Check if the user has permission to the action according to policy setting. :param actions: list of scope and action to do policy checks on, the composition of which is (scope, action) * scope: service type managing the policy for action * action: string representing the action to be checked this should be colon separated for clarity. i.e. | compute:create_instance | compute:attach_volume | volume:attach_volume for a policy action that requires a single action, actions should look like | "(("compute", "compute:create_instance"),)" for a multiple action check, actions should look like | "(("identity", "identity:list_users"), | ("identity", "identity:list_roles"))" :param request: django http request object. If not specified, credentials must be passed. :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': object.project_id} :returns: boolean if the user has permission or not for the actions. """ if target is None: target = {} user = auth_utils.get_user(request) # Several service policy engines default to a project id check for # ownership. Since the user is already scoped to a project, if a # different project id has not been specified use the currently scoped # project's id. # # The reason is the operator can edit the local copies of the service # policy file. If a rule is removed, then the default rule is used. We # don't want to block all actions because the operator did not fully # understand the implication of editing the policy file. Additionally, # the service APIs will correct us if we are too permissive. if target.get('project_id') is None: target['project_id'] = user.project_id # same for user_id if target.get('user_id') is None: target['user_id'] = user.id # same for domain_id if target.get('domain_id') is None: target['domain_id'] = user.domain_id credentials = _user_to_credentials(request, user) enforcer = _get_enforcer() for action in actions: scope, action = action[0], action[1] if scope in enforcer: # if any check fails return failure if not enforcer[scope].enforce(action, target, credentials): # to match service implementations, if a rule is not found, # use the default rule for that service policy # # waiting to make the check because the first call to # enforce loads the rules if action not in enforcer[scope].rules: if not enforcer[scope].enforce('default', target, credentials): return False else: return False # if no policy for scope, allow action, underlying API will # ultimately block the action if not permitted, treat as though # allowed return True
def region_list(request): return auth_utils.get_user(request).available_services_regions
def post(self, *args, **kwargs): req = super(RequestFactoryWithMessages, self).post(*args, **kwargs) req.user = utils.get_user(req) req.session = [] req._messages = default_storage(req) return req
def check(actions, request, target={}): """Check user permission. Check if the user has permission to the action according to policy setting. :param actions: list of scope and action to do policy checks on, the composition of which is (scope, action) * scope: service type managing the policy for action * action: string representing the action to be checked this should be colon separated for clarity. i.e. | compute:create_instance | compute:attach_volume | volume:attach_volume for a policy action that requires a single action, actions should look like | "(("compute", "compute:create_instance"),)" for a multiple action check, actions should look like | "(("identity", "identity:list_users"), | ("identity", "identity:list_roles"))" :param request: django http request object. If not specified, credentials must be passed. :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'tenant_id': object.tenant_id} :returns: boolean if the user has permission or not for the actions. """ user = auth_utils.get_user(request) # Several service policy engines default to a project id check for # ownership. Since the user is already scoped to a project, if a # different project id has not been specified use the currently scoped # project's id. # # The reason is the operator can edit the local copies of the service # policy file. If a rule is removed, then the default rule is used. We # don't want to block all actions because the operator did not fully # understand the implication of editing the policy file. Additionally, # the service APIs will correct us if we are too permissive. if 'project_id' not in target: target['project_id'] = user.project_id # same for user_id if 'user_id' not in target: target['user_id'] = user.id credentials = _user_to_credentials(request, user) enforcer = _get_enforcer() for action in actions: scope, action = action[0], action[1] if scope in enforcer: # if any check fails return failure if not enforcer[scope].enforce(action, target, credentials): # to match service implementations, if a rule is not found, # use the default rule for that service policy # # waiting to make the check because the first call to # enforce loads the rules if action not in enforcer[scope].rules: if not enforcer[scope].enforce('default', target, credentials): return False else: return False # if no policy for scope, allow action, underlying API will # ultimately block the action if not permitted, treat as though # allowed return True
def _get_user_roles(self): user = auth_utils.get_user(self.request) return [role['name'] for role in user.roles]
def post(self, *args, **kwargs): req = super().post(*args, **kwargs) req.user = utils.get_user(req) req.session = [] req._messages = default_storage(req) return req