def get(self, request):
    """
    List all roles.

    Every role is returned with the logins of its member users, its
    permissions flattened to a ``{resource: [operation name, ...]}`` mapping,
    and an ``_href`` link to the role's own resource.

    :param request: WSGI request object
    :type request: django.core.handlers.wsgi.WSGIRequest

    :return: Response containing a list of roles
    :rtype: django.http.HttpResponse
    """
    query_manager = factory.role_query_manager()
    op_namer = factory.permission_manager()
    all_roles = query_manager.find_all()

    for role_doc in all_roles:
        # One membership lookup per role; only the logins are exposed here.
        members = user_controller.find_users_belonging_to_role(role_doc["id"])
        role_doc["users"] = [member.login for member in members]

        # isolate schema change: stored permissions are a list of
        # {"resource": ..., "permission": [...]} items and may be falsy.
        by_resource = {}
        for entry in role_doc["permissions"] or ():
            target = entry["resource"]
            op_values = entry.get("permission", [])
            by_resource[target] = [
                op_namer.operation_value_to_name(value) for value in op_values
            ]
        role_doc["permissions"] = by_resource

        role_doc.update(
            {"_href": reverse("role_resource", kwargs={"role_id": role_doc["id"]})}
        )

    return generate_json_response_with_pulp_encoder(all_roles)
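def get(self, request, role_id):
    """
    Retrieve a specific role.

    The role is returned with the logins of its member users, its permissions
    flattened to a ``{resource: [operation name, ...]}`` mapping, and an
    ``_href`` link to itself. A role stored with no permissions (``None`` or
    empty) yields an empty mapping instead of failing.

    :param request: WSGI request object
    :type request: django.core.handlers.wsgi.WSGIRequest
    :param role_id: id for the requested role
    :type role_id: str

    :return: Response containing the role
    :rtype: django.http.HttpResponse

    :raises: MissingResource if role ID does not exist
    """
    role = factory.role_query_manager().find_by_id(role_id)
    if role is None:
        raise pulp_exceptions.MissingResource(role_id)

    role["users"] = [
        u.login for u in user_controller.find_users_belonging_to_role(role["id"])
    ]

    permissions_manager = factory.permission_manager()

    # isolate schema change
    # Iterating None would raise TypeError and surface as a server error, so a
    # falsy permissions value is treated as "no permissions".
    resource_permission = {}
    for item in role["permissions"] or []:
        resource = item["resource"]
        operations = item.get("permission", [])
        resource_permission[resource] = [
            permissions_manager.operation_value_to_name(o) for o in operations
        ]
    role["permissions"] = resource_permission

    link = {"_href": reverse("role_resource", kwargs={"role_id": role["id"]})}
    role.update(link)
    return generate_json_response_with_pulp_encoder(role)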
def test_remove_user(self):
    """
    A user removed from a role is no longer reported as a member of it.
    """
    member = self._create_user()
    role = self._create_role()

    # Add then remove, so the final lookup exercises the removal path.
    self.role_manager.add_user_to_role(role['id'], member.login)
    self.role_manager.remove_user_from_role(role['id'], member.login)

    remaining = user_controller.find_users_belonging_to_role(role['id'])
    remaining_logins = [found.login for found in remaining]
    self.assertFalse(member.login in remaining_logins)
def get(self, request, role_id):
    """
    List Users belonging to a role.

    The role id is passed straight to the user lookup; this handler does not
    itself check that the role exists.

    :param request: WSGI request object
    :type request: django.core.handlers.wsgi.WSGIRequest
    :param role_id: id for the requested role
    :type role_id: str

    :return: Response containing the users
    :rtype: django.http.HttpResponse
    """
    # NOTE(review): whole user objects are handed to the encoder; confirm it
    # drops credential fields before they reach the response body.
    return generate_json_response_with_pulp_encoder(
        user_controller.find_users_belonging_to_role(role_id)
    )
def get(self, request, role_id):
    """
    List Users belonging to a role.

    No role-existence check is made here; the id goes directly to the user
    lookup and whatever it returns is serialized.

    :param request: WSGI request object
    :type request: django.core.handlers.wsgi.WSGIRequest
    :param role_id: id for the requested role
    :type role_id: str

    :return: Response containing the users
    :rtype: django.http.HttpResponse
    """
    members = user_controller.find_users_belonging_to_role(role_id)
    # NOTE(review): the response carries full user objects, not just logins;
    # verify the encoder omits password/credential fields.
    response = generate_json_response_with_pulp_encoder(members)
    return response
def test_as_expected(self, mock_user_qs, mock_role):
    """
    Test finding the list of users with roles.

    Three fake users with overlapping role lists are returned by the patched
    user query; only the two holding ``role_2`` should come back.

    :param mock_user_qs: patched user query whose return value is the fakes
    :param mock_role: second injected mock; not used in the body
    """
    role_lists = (
        ["role_1", "role_2"],
        ["role_2", "role_3"],
        ["role_3", "role_4"],
    )
    fake_users = [mock.MagicMock() for _ in role_lists]
    for fake_user, assigned in zip(fake_users, role_lists):
        fake_user.roles = assigned
    mock_user_qs.return_value = fake_users

    found = user_controller.find_users_belonging_to_role("role_2")

    # The first two fakes are the ones that carry role_2.
    expected = fake_users[:2]
    self.assertEqual(sorted(found), sorted(expected))
def test_as_expected(self, mock_user_qs, mock_role):
    """
    Test finding the list of users with roles.

    The patched user query yields three fakes; the lookup for ``role_2`` must
    return exactly the two whose ``roles`` list contains it.

    :param mock_user_qs: patched user query whose return value is the fakes
    :param mock_role: second injected mock; not used in the body
    """
    holder_a = mock.MagicMock()
    holder_b = mock.MagicMock()
    outsider = mock.MagicMock()

    holder_a.roles = ['role_1', 'role_2']
    holder_b.roles = ['role_2', 'role_3']
    outsider.roles = ['role_3', 'role_4']

    mock_user_qs.return_value = [holder_a, holder_b, outsider]

    found = user_controller.find_users_belonging_to_role('role_2')

    # Order is not part of the contract, so both sides are sorted first.
    self.assertEqual(sorted(found), sorted([holder_a, holder_b]))
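def remove_permissions_from_role(role_id, resource, operations):
    """
    Remove permissions from a role.

    The operations are dropped from the role's entry for the resource and then
    revoked from every member user, except where another of the user's roles
    still grants them. A role with no stored permissions (``None`` or empty),
    or none for this resource, is left untouched.

    :param role_id: role identifier
    :type role_id: str
    :param resource: resource path to revoke permissions from
    :type resource: str
    :param operations: list or tuple
    :type operations: list of allowed operations being revoked

    :raise InvalidValue: if some params are invalid
    :raise PulpDataException: if role is a superuser role
    """
    if role_id == SUPER_USER_ROLE:
        raise PulpDataException(_('super-users role cannot be changed'))

    role = Role.get_collection().find_one({'id': role_id})
    if role is None:
        raise InvalidValue(['role_id'])

    resource_permission = {}
    current_ops = []
    # Iterating None would raise TypeError; a falsy permissions value simply
    # means there is nothing to revoke.
    for item in role['permissions'] or []:
        if item['resource'] == resource:
            resource_permission = item
            current_ops = resource_permission['permission']

    if not current_ops:
        return

    for o in operations:
        if o not in current_ops:
            continue
        current_ops.remove(o)

    # NOTE(review): the full requested list is revoked from members, including
    # operations this role never held; confirm that is intended.
    # Users are updated before the role is saved; no rollback is visible here.
    users = user_controller.find_users_belonging_to_role(role_id)
    for user in users:
        other_roles = factory.role_query_manager().get_other_roles(role, user.roles)
        user_ops = _operations_not_granted_by_roles(resource, operations, other_roles)
        factory.permission_manager().revoke(resource, user.login, user_ops)

    # if no more allowed operations, remove the resource
    if not current_ops:
        role['permissions'].remove(resource_permission)

    Role.get_collection().save(role)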
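def remove_permissions_from_role(role_id, resource, operations):
    """
    Remove permissions from a role.

    Operations are removed from the role's entry for the resource, then
    revoked from each member user unless one of the user's other roles still
    grants them. Nothing happens when the role has no stored permissions
    (``None`` or empty) or none for this resource.

    :param role_id: role identifier
    :type role_id: str
    :param resource: resource path to revoke permissions from
    :type resource: str
    :param operations: list or tuple
    :type operations: list of allowed operations being revoked

    :raise InvalidValue: if some params are invalid
    :raise PulpDataException: if role is a superuser role
    """
    if role_id == SUPER_USER_ROLE:
        raise PulpDataException(_('super-users role cannot be changed'))

    role = Role.get_collection().find_one({'id': role_id})
    if role is None:
        raise InvalidValue(['role_id'])

    resource_permission = {}
    current_ops = []
    # Guard against a null permissions field, which would otherwise raise
    # TypeError on iteration.
    for item in role['permissions'] or []:
        if item['resource'] == resource:
            resource_permission = item
            current_ops = resource_permission['permission']

    if not current_ops:
        return

    for o in operations:
        if o not in current_ops:
            continue
        current_ops.remove(o)

    # NOTE(review): every requested operation is revoked from members, not
    # only those actually removed from the role above; confirm intent.
    # The role document is saved only after all users have been processed.
    users = user_controller.find_users_belonging_to_role(role_id)
    for user in users:
        other_roles = factory.role_query_manager().get_other_roles(
            role, user.roles)
        user_ops = _operations_not_granted_by_roles(
            resource, operations, other_roles)
        factory.permission_manager().revoke(resource, user.login, user_ops)

    # if no more allowed operations, remove the resource
    if not current_ops:
        role['permissions'].remove(resource_permission)

    Role.get_collection().save(role)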
def add_permissions_to_role(role_id, resource, operations):
    """
    Add permissions to a role.

    The operations are merged into the role's entry for the resource (created
    if absent) and granted to every user currently in the role.

    :param role_id: role identifier
    :type role_id: str
    :param resource: resource path to grant permissions to
    :type resource: str
    :param operations: list or tuple
    :type operations: list of allowed operations being granted

    :raise InvalidValue: if some params are invalid
    :raise PulpDataException: if role is a superuser role
    """
    if role_id == SUPER_USER_ROLE:
        raise PulpDataException(_('super-users role cannot be changed'))

    role_doc = Role.get_collection().find_one({'id': role_id})
    if role_doc is None:
        raise InvalidValue(['role_id'])

    # Normalise a missing/empty permissions field to a list we can append to.
    if not role_doc['permissions']:
        role_doc['permissions'] = []

    entry = {}
    granted = []
    for candidate in role_doc['permissions']:
        if candidate['resource'] != resource:
            continue
        entry = candidate
        granted = entry['permission']

    # No entry for this resource yet: create one sharing the `granted` list
    # so the appends below land in the role document.
    if not entry:
        entry = {'resource': resource, 'permission': granted}
        role_doc['permissions'].append(entry)

    for op in operations:
        if op not in granted:
            granted.append(op)

    # Members are granted the operations before the role document is saved.
    for member in user_controller.find_users_belonging_to_role(role_id):
        factory.permission_manager().grant(resource, member.login, operations)

    Role.get_collection().save(role_doc)
def add_permissions_to_role(role_id, resource, operations):
    """
    Add permissions to a role.

    Any operation not already recorded for the resource is appended to the
    role, and the requested operations are granted to each member user.

    :param role_id: role identifier
    :type role_id: str
    :param resource: resource path to grant permissions to
    :type resource: str
    :param operations: list or tuple
    :type operations: list of allowed operations being granted

    :raise InvalidValue: if some params are invalid
    :raise PulpDataException: if role is a superuser role
    """
    if role_id == SUPER_USER_ROLE:
        raise PulpDataException(_('super-users role cannot be changed'))

    stored_role = Role.get_collection().find_one({'id': role_id})
    if stored_role is None:
        raise InvalidValue(['role_id'])

    # A falsy permissions field is replaced so it can be iterated and extended.
    if not stored_role['permissions']:
        stored_role['permissions'] = []

    matched = {}
    existing_ops = []
    for perm in stored_role['permissions']:
        if perm['resource'] == resource:
            matched, existing_ops = perm, perm['permission']

    if not matched:
        # First permission on this resource: register a new entry that shares
        # `existing_ops`, so later appends are reflected in the role.
        matched = dict(resource=resource, permission=existing_ops)
        stored_role['permissions'].append(matched)

    for requested in operations:
        if requested in existing_ops:
            continue
        existing_ops.append(requested)

    # The grant to each member runs before the role itself is persisted.
    members = user_controller.find_users_belonging_to_role(role_id)
    for member in members:
        factory.permission_manager().grant(resource, member.login, operations)

    Role.get_collection().save(stored_role)
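def delete_role(role_id):
    """
    Deletes the given role. This has the side-effect of revoking any
    permissions granted to the role from the users in the role, unless those
    permissions are also granted through another role the user is a member of.
    A role stored with no permissions (``None`` or empty) is deleted without
    any revocation step.

    :param role_id: identifies the role being deleted
    :type role_id: str

    :raise InvalidValue: if any of the fields are unacceptable
    :raise MissingResource: if the given role does not exist
    :raise PulpDataException: if role is a superuser role
    """
    # Raise exception if role id is invalid; isinstance() is already False
    # for None, so one check covers both cases.
    if not isinstance(role_id, basestring):
        raise InvalidValue(['role_id'])

    # Check whether role exists
    role = Role.get_collection().find_one({'id': role_id})
    if role is None:
        raise MissingResource(role_id)

    # Make sure role is not a superuser role
    if role_id == SUPER_USER_ROLE:
        raise PulpDataException(_('Role %s cannot be changed') % role_id)

    # Remove respective roles from users
    users_with_role = user_controller.find_users_belonging_to_role(role_id)

    # Iterating a null permissions field would raise TypeError and leave the
    # role undeletable, so a falsy value is treated as "nothing to revoke".
    for item in role['permissions'] or []:
        for user in users_with_role:
            other_roles = factory.role_query_manager().get_other_roles(
                role, user.roles)
            user_ops = _operations_not_granted_by_roles(
                item['resource'], item['permission'], other_roles)
            factory.permission_manager().revoke(item['resource'], user.login,
                                                user_ops)

    # Membership is cleared only after the revocations above; the role
    # document goes last. No rollback is visible in this function.
    for user in users_with_role:
        user.roles.remove(role_id)
        user.save()

    Role.get_collection().remove({'id': role_id})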
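def delete_role(role_id):
    """
    Deletes the given role. This has the side-effect of revoking any
    permissions granted to the role from the users in the role, unless those
    permissions are also granted through another role the user is a member of.
    When the role has no stored permissions (``None`` or empty) only the
    membership and the role document are removed.

    :param role_id: identifies the role being deleted
    :type role_id: str

    :raise InvalidValue: if any of the fields are unacceptable
    :raise MissingResource: if the given role does not exist
    :raise PulpDataException: if role is a superuser role
    """
    # Raise exception if role id is invalid (None fails isinstance() too).
    if not isinstance(role_id, basestring):
        raise InvalidValue(['role_id'])

    # Check whether role exists
    role = Role.get_collection().find_one({'id': role_id})
    if role is None:
        raise MissingResource(role_id)

    # Make sure role is not a superuser role
    if role_id == SUPER_USER_ROLE:
        raise PulpDataException(_('Role %s cannot be changed') % role_id)

    # Remove respective roles from users
    users_with_role = user_controller.find_users_belonging_to_role(role_id)

    # A null permissions field must not abort the delete with TypeError.
    for item in role['permissions'] or []:
        for user in users_with_role:
            other_roles = factory.role_query_manager().get_other_roles(role, user.roles)
            user_ops = _operations_not_granted_by_roles(item['resource'],
                                                        item['permission'],
                                                        other_roles)
            factory.permission_manager().revoke(item['resource'], user.login, user_ops)

    # Revocations run first, then membership is cleared, then the role itself
    # is removed; this function shows no rollback if a later step fails.
    for user in users_with_role:
        user.roles.remove(role_id)
        user.save()

    Role.get_collection().remove({'id': role_id})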
def get(self, request):
    """
    List all roles.

    Each role document is augmented in place: ``users`` holds member logins,
    ``permissions`` becomes a ``{resource: [operation name, ...]}`` mapping,
    and ``_href`` links to the role's resource.

    :param request: WSGI request object
    :type request: django.core.handlers.wsgi.WSGIRequest

    :return: Response containing a list of roles
    :rtype: django.http.HttpResponse
    """
    roles_lookup = factory.role_query_manager()
    perm_manager = factory.permission_manager()
    found_roles = roles_lookup.find_all()

    for current in found_roles:
        # Only logins are exposed, not the full user objects.
        current['users'] = [
            account.login
            for account in user_controller.find_users_belonging_to_role(
                current['id'])
        ]

        # isolate schema change: convert the stored list of
        # {'resource': ..., 'permission': [...]} items into a mapping.
        flattened = {}
        stored = current['permissions']
        if stored:
            for stored_item in stored:
                path = stored_item['resource']
                values = stored_item.get('permission', [])
                names = []
                for value in values:
                    names.append(perm_manager.operation_value_to_name(value))
                flattened[path] = names
        current['permissions'] = flattened

        href = reverse('role_resource', kwargs={'role_id': current['id']})
        current.update({'_href': href})

    return generate_json_response_with_pulp_encoder(found_roles)
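def get(self, request, role_id):
    """
    Retrieve a specific role.

    The role document gains ``users`` (member logins), a ``permissions``
    mapping of ``{resource: [operation name, ...]}`` and an ``_href`` link.
    A role stored with no permissions (``None`` or empty) produces an empty
    mapping rather than an error.

    :param request: WSGI request object
    :type request: django.core.handlers.wsgi.WSGIRequest
    :param role_id: id for the requested role
    :type role_id: str

    :return: Response containing the role
    :rtype: django.http.HttpResponse

    :raises: MissingResource if role ID does not exist
    """
    role = factory.role_query_manager().find_by_id(role_id)
    if role is None:
        raise pulp_exceptions.MissingResource(role_id)

    role['users'] = [
        u.login
        for u in user_controller.find_users_belonging_to_role(role['id'])
    ]

    permissions_manager = factory.permission_manager()

    # isolate schema change
    # A null permissions field cannot be iterated (TypeError), so a falsy
    # value is read as an empty permission list.
    resource_permission = {}
    for item in role['permissions'] or []:
        resource = item['resource']
        operations = item.get('permission', [])
        resource_permission[resource] = [
            permissions_manager.operation_value_to_name(o) for o in operations
        ]
    role['permissions'] = resource_permission

    link = {
        '_href': reverse('role_resource', kwargs={'role_id': role['id']})
    }
    role.update(link)
    return generate_json_response_with_pulp_encoder(role)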