def get(self, request):
"""
List all roles.
:param request: WSGI request object
:type request: django.core.handlers.wsgi.WSGIRequest
:return: Response containing a list of roles
:rtype: django.http.HttpResponse
"""
role_query_manager = factory.role_query_manager()
permissions_manager = factory.permission_manager()
roles = role_query_manager.find_all()
for role in roles:
users = [u.login for u in user_controller.find_users_belonging_to_role(role["id"])]
role["users"] = users
resource_permission = {}
# isolate schema change
if role["permissions"]:
for item in role["permissions"]:
resource = item["resource"]
operations = item.get("permission", [])
resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations]
role["permissions"] = resource_permission
link = {"_href": reverse("role_resource", kwargs={"role_id": role["id"]})}
role.update(link)
return generate_json_response_with_pulp_encoder(roles)
def get(self, request, role_id):
"""
Retrieve a specific role.
:param request: WSGI request object
:type request: django.core.handlers.wsgi.WSGIRequest
:param role_id: id for the requested role
:type role_id: str
:return: Response containing the role
:rtype: django.http.HttpResponse
:raises: MissingResource if role ID does not exist
"""
role = factory.role_query_manager().find_by_id(role_id)
if role is None:
raise pulp_exceptions.MissingResource(role_id)
role["users"] = [u.login for u in user_controller.find_users_belonging_to_role(role["id"])]
permissions_manager = factory.permission_manager()
# isolate schema change
resource_permission = {}
for item in role["permissions"]:
resource = item["resource"]
operations = item.get("permission", [])
resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations]
role["permissions"] = resource_permission
link = {"_href": reverse("role_resource", kwargs={"role_id": role["id"]})}
role.update(link)
return generate_json_response_with_pulp_encoder(role)
def test_remove_user(self):
user = self._create_user()
r = self._create_role()
self.role_manager.add_user_to_role(r['id'], user.login)
self.role_manager.remove_user_from_role(r['id'], user.login)
user_names = [u.login for u in user_controller.find_users_belonging_to_role(r['id'])]
self.assertFalse(user.login in user_names)
def get(self, request, role_id):
"""
List Users belonging to a role.
:param request: WSGI request object
:type request: django.core.handlers.wsgi.WSGIRequest
:param role_id: id for the requested role
:type role_id: str
:return: Response containing the users
:rtype: django.http.HttpResponse
"""
role_users = user_controller.find_users_belonging_to_role(role_id)
return generate_json_response_with_pulp_encoder(role_users)
def get(self, request, role_id):
"""
List Users belonging to a role.
:param request: WSGI request object
:type request: django.core.handlers.wsgi.WSGIRequest
:param role_id: id for the requested role
:type role_id: str
:return: Response containing the users
:rtype: django.http.HttpResponse
"""
role_users = user_controller.find_users_belonging_to_role(role_id)
return generate_json_response_with_pulp_encoder(role_users)
def test_as_expected(self, mock_user_qs, mock_role):
"""
Test finding the list of users with roles.
"""
user_1 = mock.MagicMock()
user_2 = mock.MagicMock()
user_3 = mock.MagicMock()
user_1.roles = ["role_1", "role_2"]
user_2.roles = ["role_2", "role_3"]
user_3.roles = ["role_3", "role_4"]
mock_user_qs.return_value = [user_1, user_2, user_3]
users_with_role = user_controller.find_users_belonging_to_role("role_2")
self.assertEqual(sorted(users_with_role), sorted([user_1, user_2]))
def test_as_expected(self, mock_user_qs, mock_role):
"""
Test finding the list of users with roles.
"""
user_1 = mock.MagicMock()
user_2 = mock.MagicMock()
user_3 = mock.MagicMock()
user_1.roles = ['role_1', 'role_2']
user_2.roles = ['role_2', 'role_3']
user_3.roles = ['role_3', 'role_4']
mock_user_qs.return_value = [user_1, user_2, user_3]
users_with_role = user_controller.find_users_belonging_to_role(
'role_2')
self.assertEqual(sorted(users_with_role), sorted([user_1, user_2]))
def remove_permissions_from_role(role_id, resource, operations):
"""
Remove permissions from a role.
:param role_id: role identifier
:type role_id: str
:param resource: resource path to revoke permissions from
:type resource: str
:param operations: list or tuple
:type operations: list of allowed operations being revoked
:raise InvalidValue: if some params are invalid
:raise PulpDataException: if role is a superuser role
"""
if role_id == SUPER_USER_ROLE:
raise PulpDataException(_('super-users role cannot be changed'))
role = Role.get_collection().find_one({'id': role_id})
if role is None:
raise InvalidValue(['role_id'])
resource_permission = {}
current_ops = []
for item in role['permissions']:
if item['resource'] == resource:
resource_permission = item
current_ops = resource_permission['permission']
if not current_ops:
return
for o in operations:
if o not in current_ops:
continue
current_ops.remove(o)
users = user_controller.find_users_belonging_to_role(role_id)
for user in users:
other_roles = factory.role_query_manager().get_other_roles(role, user.roles)
user_ops = _operations_not_granted_by_roles(resource,
operations,
other_roles)
factory.permission_manager().revoke(resource, user.login, user_ops)
# in no more allowed operations, remove the resource
if not current_ops:
role['permissions'].remove(resource_permission)
Role.get_collection().save(role)
def remove_permissions_from_role(role_id, resource, operations):
"""
Remove permissions from a role.
:param role_id: role identifier
:type role_id: str
:param resource: resource path to revoke permissions from
:type resource: str
:param operations: list or tuple
:type operations: list of allowed operations being revoked
:raise InvalidValue: if some params are invalid
:raise PulpDataException: if role is a superuser role
"""
if role_id == SUPER_USER_ROLE:
raise PulpDataException(_('super-users role cannot be changed'))
role = Role.get_collection().find_one({'id': role_id})
if role is None:
raise InvalidValue(['role_id'])
resource_permission = {}
current_ops = []
for item in role['permissions']:
if item['resource'] == resource:
resource_permission = item
current_ops = resource_permission['permission']
if not current_ops:
return
for o in operations:
if o not in current_ops:
continue
current_ops.remove(o)
users = user_controller.find_users_belonging_to_role(role_id)
for user in users:
other_roles = factory.role_query_manager().get_other_roles(
role, user.roles)
user_ops = _operations_not_granted_by_roles(
resource, operations, other_roles)
factory.permission_manager().revoke(resource, user.login, user_ops)
# in no more allowed operations, remove the resource
if not current_ops:
role['permissions'].remove(resource_permission)
Role.get_collection().save(role)
def add_permissions_to_role(role_id, resource, operations):
"""
Add permissions to a role.
:param role_id: role identifier
:type role_id: str
:param resource: resource path to grant permissions to
:type resource: str
:param operations: list or tuple
:type operations: list of allowed operations being granted
:raise InvalidValue: if some params are invalid
:raise PulpDataException: if role is a superuser role
"""
if role_id == SUPER_USER_ROLE:
raise PulpDataException(_('super-users role cannot be changed'))
role = Role.get_collection().find_one({'id': role_id})
if role is None:
raise InvalidValue(['role_id'])
if not role['permissions']:
role['permissions'] = []
resource_permission = {}
current_ops = []
for item in role['permissions']:
if item['resource'] == resource:
resource_permission = item
current_ops = resource_permission['permission']
if not resource_permission:
resource_permission = dict(resource=resource,
permission=current_ops)
role['permissions'].append(resource_permission)
for o in operations:
if o in current_ops:
continue
current_ops.append(o)
users = user_controller.find_users_belonging_to_role(role_id)
for user in users:
factory.permission_manager().grant(resource, user.login,
operations)
Role.get_collection().save(role)
def add_permissions_to_role(role_id, resource, operations):
"""
Add permissions to a role.
:param role_id: role identifier
:type role_id: str
:param resource: resource path to grant permissions to
:type resource: str
:param operations: list or tuple
:type operations: list of allowed operations being granted
:raise InvalidValue: if some params are invalid
:raise PulpDataException: if role is a superuser role
"""
if role_id == SUPER_USER_ROLE:
raise PulpDataException(_('super-users role cannot be changed'))
role = Role.get_collection().find_one({'id': role_id})
if role is None:
raise InvalidValue(['role_id'])
if not role['permissions']:
role['permissions'] = []
resource_permission = {}
current_ops = []
for item in role['permissions']:
if item['resource'] == resource:
resource_permission = item
current_ops = resource_permission['permission']
if not resource_permission:
resource_permission = dict(resource=resource, permission=current_ops)
role['permissions'].append(resource_permission)
for o in operations:
if o in current_ops:
continue
current_ops.append(o)
users = user_controller.find_users_belonging_to_role(role_id)
for user in users:
factory.permission_manager().grant(resource, user.login, operations)
Role.get_collection().save(role)
def delete_role(role_id):
"""
Deletes the given role. This has the side-effect of revoking any permissions granted
to the role from the users in the role, unless those permissions are also granted
through another role the user is a memeber of.
:param role_id: identifies the role being deleted
:type role_id: str
:raise InvalidValue: if any of the fields are unacceptable
:raise MissingResource: if the given role does not exist
:raise PulpDataException: if role is a superuser role
"""
# Raise exception if role id is invalid
if role_id is None or not isinstance(role_id, basestring):
raise InvalidValue(['role_id'])
# Check whether role exists
role = Role.get_collection().find_one({'id': role_id})
if role is None:
raise MissingResource(role_id)
# Make sure role is not a superuser role
if role_id == SUPER_USER_ROLE:
raise PulpDataException(_('Role %s cannot be changed') % role_id)
# Remove respective roles from users
users_with_role = user_controller.find_users_belonging_to_role(role_id)
for item in role['permissions']:
for user in users_with_role:
other_roles = factory.role_query_manager().get_other_roles(
role, user.roles)
user_ops = _operations_not_granted_by_roles(
item['resource'], item['permission'], other_roles)
factory.permission_manager().revoke(item['resource'],
user.login, user_ops)
for user in users_with_role:
user.roles.remove(role_id)
user.save()
Role.get_collection().remove({'id': role_id})
def delete_role(role_id):
"""
Deletes the given role. This has the side-effect of revoking any permissions granted
to the role from the users in the role, unless those permissions are also granted
through another role the user is a memeber of.
:param role_id: identifies the role being deleted
:type role_id: str
:raise InvalidValue: if any of the fields are unacceptable
:raise MissingResource: if the given role does not exist
:raise PulpDataException: if role is a superuser role
"""
# Raise exception if role id is invalid
if role_id is None or not isinstance(role_id, basestring):
raise InvalidValue(['role_id'])
# Check whether role exists
role = Role.get_collection().find_one({'id': role_id})
if role is None:
raise MissingResource(role_id)
# Make sure role is not a superuser role
if role_id == SUPER_USER_ROLE:
raise PulpDataException(_('Role %s cannot be changed') % role_id)
# Remove respective roles from users
users_with_role = user_controller.find_users_belonging_to_role(role_id)
for item in role['permissions']:
for user in users_with_role:
other_roles = factory.role_query_manager().get_other_roles(role, user.roles)
user_ops = _operations_not_granted_by_roles(item['resource'],
item['permission'], other_roles)
factory.permission_manager().revoke(item['resource'], user.login, user_ops)
for user in users_with_role:
user.roles.remove(role_id)
user.save()
Role.get_collection().remove({'id': role_id})
def get(self, request):
"""
List all roles.
:param request: WSGI request object
:type request: django.core.handlers.wsgi.WSGIRequest
:return: Response containing a list of roles
:rtype: django.http.HttpResponse
"""
role_query_manager = factory.role_query_manager()
permissions_manager = factory.permission_manager()
roles = role_query_manager.find_all()
for role in roles:
users = [
u.login for u in user_controller.find_users_belonging_to_role(
role['id'])
]
role['users'] = users
resource_permission = {}
# isolate schema change
if role['permissions']:
for item in role['permissions']:
resource = item['resource']
operations = item.get('permission', [])
resource_permission[resource] = [
permissions_manager.operation_value_to_name(o)
for o in operations
]
role['permissions'] = resource_permission
link = {
'_href': reverse('role_resource',
kwargs={'role_id': role['id']})
}
role.update(link)
return generate_json_response_with_pulp_encoder(roles)
def get(self, request, role_id):
"""
Retrieve a specific role.
:param request: WSGI request object
:type request: django.core.handlers.wsgi.WSGIRequest
:param role_id: id for the requested role
:type role_id: str
:return: Response containing the role
:rtype: django.http.HttpResponse
:raises: MissingResource if role ID does not exist
"""
role = factory.role_query_manager().find_by_id(role_id)
if role is None:
raise pulp_exceptions.MissingResource(role_id)
role['users'] = [
u.login
for u in user_controller.find_users_belonging_to_role(role['id'])
]
permissions_manager = factory.permission_manager()
# isolate schema change
resource_permission = {}
for item in role['permissions']:
resource = item['resource']
operations = item.get('permission', [])
resource_permission[resource] = [
permissions_manager.operation_value_to_name(o)
for o in operations
]
role['permissions'] = resource_permission
link = {
'_href': reverse('role_resource', kwargs={'role_id': role['id']})
}
role.update(link)
return generate_json_response_with_pulp_encoder(role)