Example #1
    def get(self, request):
        """
        List all roles.

        Each role is returned with the logins of its members, a mapping of
        resource to operation names, and an ``_href`` link to the role.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: Response containing a list of roles
        :rtype: django.http.HttpResponse
        """
        # NOTE(review): the response enumerates role membership and permissions; no
        # access check is visible in this excerpt -- confirm the view is wrapped by
        # the project's authorization check.
        query_manager = factory.role_query_manager()
        perm_manager = factory.permission_manager()
        all_roles = query_manager.find_all()
        for role in all_roles:
            members = user_controller.find_users_belonging_to_role(role["id"])
            role["users"] = [member.login for member in members]

            # isolate schema change: the stored list of {resource, permission}
            # entries is exposed as a resource -> operation-names mapping. A role
            # without stored permissions yields an empty mapping.
            names_by_resource = {}
            for entry in role["permissions"] or ():
                resource_path = entry["resource"]
                stored_ops = entry.get("permission", [])
                names_by_resource[resource_path] = [
                    perm_manager.operation_value_to_name(op) for op in stored_ops
                ]
            role["permissions"] = names_by_resource

            role.update({"_href": reverse("role_resource", kwargs={"role_id": role["id"]})})
        return generate_json_response_with_pulp_encoder(all_roles)
Example #2
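    def get(self, request, role_id):
        """
        Retrieve a specific role.

        The role is returned with the logins of its members, a mapping of
        resource to operation names, and an ``_href`` link to the role.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest
        :param role_id: id for the requested role
        :type role_id: str

        :return: Response containing the role
        :rtype: django.http.HttpResponse
        :raises: MissingResource if role ID does not exist
        """
        # NOTE(review): no access check is visible in this excerpt -- confirm the
        # view is wrapped by the project's authorization check.
        role = factory.role_query_manager().find_by_id(role_id)
        if role is None:
            raise pulp_exceptions.MissingResource(role_id)
        role["users"] = [u.login for u in user_controller.find_users_belonging_to_role(role["id"])]
        permissions_manager = factory.permission_manager()
        # isolate schema change: the stored list of {resource, permission} entries
        # is exposed as a resource -> operation-names mapping.
        resource_permission = {}
        # A role stored with no permissions (None or empty) is rendered as an empty
        # mapping instead of failing on iteration.
        for item in role["permissions"] or []:
            resource = item["resource"]
            operations = item.get("permission", [])
            resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations]
        role["permissions"] = resource_permission

        link = {"_href": reverse("role_resource", kwargs={"role_id": role["id"]})}
        role.update(link)
        return generate_json_response_with_pulp_encoder(role)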
Example #3
 def test_remove_user(self):
     """A user removed from a role no longer appears among that role's members."""
     member = self._create_user()
     role_id = self._create_role()['id']
     self.role_manager.add_user_to_role(role_id, member.login)
     self.role_manager.remove_user_from_role(role_id, member.login)
     # NOTE(review): only membership is asserted here; whether permissions the role
     # granted are revoked from the user is not checked by this test.
     remaining_logins = [
         u.login for u in user_controller.find_users_belonging_to_role(role_id)
     ]
     self.assertFalse(member.login in remaining_logins)
Example #4
    def get(self, request, role_id):
        """
        List Users belonging to a role.

        No existence check is made on ``role_id`` in this method; the lookup result
        is serialized as-is.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest
        :param role_id: id for the requested role
        :type role_id: str

        :return: Response containing the users
        :rtype: django.http.HttpResponse
        """
        # NOTE(review): whole user objects are handed to the encoder -- confirm it
        # leaves out credential fields (e.g. password hashes) before this is exposed.
        return generate_json_response_with_pulp_encoder(
            user_controller.find_users_belonging_to_role(role_id)
        )
Example #5
    def get(self, request, role_id):
        """
        List Users belonging to a role.

        The users found for ``role_id`` are serialized directly; this method does
        not look the role itself up first.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest
        :param role_id: id for the requested role
        :type role_id: str

        :return: Response containing the users
        :rtype: django.http.HttpResponse
        """
        members = user_controller.find_users_belonging_to_role(role_id)
        # NOTE(review): the response body is the full user objects; verify the
        # encoder strips sensitive fields and that the view is access-controlled.
        response = generate_json_response_with_pulp_encoder(members)
        return response
Example #6
    def test_as_expected(self, mock_user_qs, mock_role):
        """
        Only users whose role list contains the requested role are returned.
        """
        # Three stand-in users with overlapping role lists; only the first two
        # hold "role_2".
        first, second, third = mock.MagicMock(), mock.MagicMock(), mock.MagicMock()
        first.roles = ["role_1", "role_2"]
        second.roles = ["role_2", "role_3"]
        third.roles = ["role_3", "role_4"]
        # presumably mock_user_qs patches the user lookup used by the controller;
        # the patch decorators are outside this excerpt.
        mock_user_qs.return_value = [first, second, third]

        found = user_controller.find_users_belonging_to_role("role_2")

        # Both sides are sorted so the order of the result is not asserted.
        expected = [first, second]
        self.assertEqual(sorted(found), sorted(expected))
Example #7
    def test_as_expected(self, mock_user_qs, mock_role):
        """
        The lookup returns exactly the users that list the requested role.
        """
        holder_a = mock.MagicMock()
        holder_b = mock.MagicMock()
        outsider = mock.MagicMock()
        holder_a.roles = ['role_1', 'role_2']
        holder_b.roles = ['role_2', 'role_3']
        outsider.roles = ['role_3', 'role_4']
        # The mocked lookup hands back all three users; the controller is expected
        # to keep only those whose roles include 'role_2'.
        mock_user_qs.return_value = [holder_a, holder_b, outsider]
        matched = user_controller.find_users_belonging_to_role('role_2')
        # Sorted on both sides: membership is checked, ordering is not.
        self.assertEqual(sorted(matched), sorted([holder_a, holder_b]))
Example #8
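    def remove_permissions_from_role(role_id, resource, operations):
        """
        Remove permissions from a role.

        The operations are dropped from the role's entry for ``resource``, the
        corresponding permissions are revoked from the users in the role, and the
        role document is saved. Nothing happens when the role holds no operations
        on ``resource``.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to revoke permissions from
        :type  resource:        str
        :param operations:      allowed operations being revoked
        :type  operations:      list or tuple
        :raise InvalidValue: if some params are invalid
        :raise PulpDataException: if role is a superuser role
        """
        # The super-user role cannot be edited through this call.
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])

        resource_permission = {}
        current_ops = []
        # A role stored with no permissions (None or empty) has nothing to remove;
        # iterate an empty list rather than failing on None.
        for item in role['permissions'] or []:
            if item['resource'] == resource:
                resource_permission = item
                # Alias of the list inside the role document: in-place removal
                # below changes what gets saved.
                current_ops = resource_permission['permission']

        if not current_ops:
            return
        for o in operations:
            if o in current_ops:
                current_ops.remove(o)

        # NOTE(review): revocation is computed from the requested `operations`, not
        # only from those the role actually held -- confirm this cannot strip an
        # operation a user was granted outside of this role.
        # NOTE(review): users are revoked before the role is saved; a failure in
        # between leaves the stored role listing operations its users no longer hold.
        users = user_controller.find_users_belonging_to_role(role_id)
        for user in users:
            other_roles = factory.role_query_manager().get_other_roles(role, user.roles)
            # presumably keeps only operations no other role of the user still grants
            user_ops = _operations_not_granted_by_roles(resource,
                                                        operations,
                                                        other_roles)
            factory.permission_manager().revoke(resource, user.login, user_ops)

        # if no more allowed operations remain, remove the resource entry
        if not current_ops:
            role['permissions'].remove(resource_permission)

        Role.get_collection().save(role)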
Example #9
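    def remove_permissions_from_role(role_id, resource, operations):
        """
        Remove permissions from a role.

        Drops the operations from the role's entry for ``resource``, revokes the
        corresponding permissions from the role's users and saves the role. Returns
        without changes when the role holds no operations on ``resource``.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to revoke permissions from
        :type  resource:        str
        :param operations:      allowed operations being revoked
        :type  operations:      list or tuple
        :raise InvalidValue: if some params are invalid
        :raise PulpDataException: if role is a superuser role
        """
        # The super-user role is never modified here.
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])

        resource_permission = {}
        current_ops = []
        # Tolerate a role whose stored permissions are None or empty: there is
        # nothing to remove, so fall through to the early return.
        for item in role['permissions'] or []:
            if item['resource'] == resource:
                resource_permission = item
                # Same list object as in the role document, so the removals below
                # are part of what is saved.
                current_ops = resource_permission['permission']

        if not current_ops:
            return
        for o in operations:
            if o in current_ops:
                current_ops.remove(o)

        # NOTE(review): the revoke step uses every requested operation, including
        # ones the role never held -- confirm that is intended.
        # NOTE(review): revocation happens before the save; if a step fails midway
        # the stored role and the users' effective permissions can disagree.
        users = user_controller.find_users_belonging_to_role(role_id)
        for user in users:
            other_roles = factory.role_query_manager().get_other_roles(
                role, user.roles)
            # presumably filters out operations still granted by the other roles
            user_ops = _operations_not_granted_by_roles(
                resource, operations, other_roles)
            factory.permission_manager().revoke(resource, user.login, user_ops)

        # if no more allowed operations remain, remove the resource entry
        if not current_ops:
            role['permissions'].remove(resource_permission)

        Role.get_collection().save(role)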
Example #10
    def add_permissions_to_role(role_id, resource, operations):
        """
        Add permissions to a role.

        The operations are merged into the role's entry for ``resource`` (created
        if absent), granted to every user in the role, and the role is saved.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to grant permissions to
        :type  resource:        str
        :param operations:      allowed operations being granted
        :type  operations:      list or tuple
        :raise InvalidValue: if some params are invalid
        :raise PulpDataException: if role is a superuser role
        """
        # The super-user role cannot be edited through this call.
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])
        # Normalize a missing/empty permissions field to a list that can be grown.
        if not role['permissions']:
            role['permissions'] = []

        entry = {}
        granted_ops = []
        for candidate in role['permissions']:
            if candidate['resource'] == resource:
                entry = candidate
                # Alias of the list stored in the role, so appends are persisted.
                granted_ops = entry['permission']

        if not entry:
            # First permission on this resource: register a new entry that shares
            # the same list object that is filled in below.
            entry = {'resource': resource, 'permission': granted_ops}
            role['permissions'].append(entry)

        for op in operations:
            if op not in granted_ops:
                granted_ops.append(op)

        # NOTE(review): users are granted the operations before the role document
        # is saved; if the save fails the users keep grants the stored role does
        # not record -- confirm this ordering is acceptable.
        for member in user_controller.find_users_belonging_to_role(role_id):
            factory.permission_manager().grant(resource, member.login,
                                               operations)

        Role.get_collection().save(role)
Example #11
    def add_permissions_to_role(role_id, resource, operations):
        """
        Add permissions to a role.

        Merges the operations into the role's entry for ``resource``, grants them
        to each user in the role and then saves the role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to grant permissions to
        :type  resource:        str
        :param operations:      allowed operations being granted
        :type  operations:      list or tuple
        :raise InvalidValue: if some params are invalid
        :raise PulpDataException: if role is a superuser role
        """
        # The super-user role is never modified here.
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        roles = Role.get_collection()
        role = roles.find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])
        # A role stored with None/empty permissions gets a fresh list to append to.
        if not role['permissions']:
            role['permissions'] = []

        matched_entry = {}
        ops_on_resource = []
        for stored in role['permissions']:
            if stored['resource'] == resource:
                matched_entry = stored
                # Same list object as in the role document.
                ops_on_resource = matched_entry['permission']

        if not matched_entry:
            # No entry for this resource yet: add one backed by ops_on_resource so
            # the appends below land in the document.
            matched_entry = {'resource': resource, 'permission': ops_on_resource}
            role['permissions'].append(matched_entry)

        for requested in operations:
            if requested not in ops_on_resource:
                ops_on_resource.append(requested)

        # NOTE(review): grants are issued before the role is persisted; a failed
        # save would leave users with permissions the stored role does not list.
        role_members = user_controller.find_users_belonging_to_role(role_id)
        for member in role_members:
            factory.permission_manager().grant(resource, member.login, operations)

        Role.get_collection().save(role)
Example #12
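    def delete_role(role_id):
        """
        Deletes the given role. This has the side-effect of revoking any permissions granted
        to the role from the users in the role, unless those permissions are also granted
        through another role the user is a member of.

        :param role_id:         identifies the role being deleted
        :type  role_id:         str
        :raise InvalidValue:    if any of the fields are unacceptable
        :raise MissingResource: if the given role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        # Raise exception if role id is invalid (None is rejected by the type check).
        # NOTE(review): basestring exists only on Python 2.
        if not isinstance(role_id, basestring):
            raise InvalidValue(['role_id'])

        # Check whether role exists
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # Make sure role is not a superuser role
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('Role %s cannot be changed') % role_id)

        users_with_role = user_controller.find_users_belonging_to_role(role_id)

        # Revoke what the role granted. A role stored with no permissions (None or
        # empty) has nothing to revoke and must still be deletable.
        for item in role['permissions'] or []:
            for user in users_with_role:
                other_roles = factory.role_query_manager().get_other_roles(
                    role, user.roles)
                # presumably keeps only operations no other role still grants
                user_ops = _operations_not_granted_by_roles(
                    item['resource'], item['permission'], other_roles)
                factory.permission_manager().revoke(item['resource'],
                                                    user.login, user_ops)

        # Remove the role from each member.
        # NOTE(review): revocation, membership update and role removal are separate
        # writes; a failure partway leaves them inconsistent -- confirm callers
        # can retry safely.
        for user in users_with_role:
            user.roles.remove(role_id)
            user.save()

        Role.get_collection().remove({'id': role_id})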
Example #13
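    def delete_role(role_id):
        """
        Deletes the given role. This has the side-effect of revoking any permissions granted
        to the role from the users in the role, unless those permissions are also granted
        through another role the user is a member of.

        :param role_id:         identifies the role being deleted
        :type  role_id:         str
        :raise InvalidValue:    if any of the fields are unacceptable
        :raise MissingResource: if the given role does not exist
        :raise PulpDataException: if role is a superuser role
        """
        # Raise exception if role id is invalid; None fails the type check as well.
        # NOTE(review): basestring exists only on Python 2.
        if not isinstance(role_id, basestring):
            raise InvalidValue(['role_id'])

        # Check whether role exists
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        # Make sure role is not a superuser role
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('Role %s cannot be changed') % role_id)

        users_with_role = user_controller.find_users_belonging_to_role(role_id)

        # Revoke the role's permissions from its members. Iterate an empty list when
        # the role was stored with None/empty permissions so it can still be deleted.
        for item in role['permissions'] or []:
            for user in users_with_role:
                other_roles = factory.role_query_manager().get_other_roles(role, user.roles)
                # presumably drops operations that another role of the user grants
                user_ops = _operations_not_granted_by_roles(item['resource'],
                                                            item['permission'], other_roles)
                factory.permission_manager().revoke(item['resource'], user.login, user_ops)

        # Remove the role from each member.
        # NOTE(review): these writes are not atomic with the revocations above or
        # the role removal below; verify behavior when one of them fails.
        for user in users_with_role:
            user.roles.remove(role_id)
            user.save()

        Role.get_collection().remove({'id': role_id})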
Example #14
    def get(self, request):
        """
        List all roles.

        Every role is returned with its members' logins, its permissions as a
        resource -> operation-names mapping, and an ``_href`` link.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: Response containing a list of roles
        :rtype: django.http.HttpResponse
        """
        # NOTE(review): this lists who holds which role and what each role may do;
        # confirm the view is access-controlled (no check is visible here).
        roles = factory.role_query_manager().find_all()
        to_name = factory.permission_manager().operation_value_to_name
        for role in roles:
            role_members = user_controller.find_users_belonging_to_role(role['id'])
            role['users'] = [member.login for member in role_members]

            # isolate schema change: convert the stored entry list into a mapping;
            # a role with no stored permissions gets an empty mapping.
            converted = {}
            stored_entries = role['permissions']
            if stored_entries:
                for entry in stored_entries:
                    target = entry['resource']
                    op_values = entry.get('permission', [])
                    converted[target] = [to_name(value) for value in op_values]
            role['permissions'] = converted

            href = reverse('role_resource', kwargs={'role_id': role['id']})
            role.update({'_href': href})
        return generate_json_response_with_pulp_encoder(roles)
Example #15
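    def get(self, request, role_id):
        """
        Retrieve a specific role.

        The role is returned with its members' logins, its permissions as a
        resource -> operation-names mapping, and an ``_href`` link.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest
        :param role_id: id for the requested role
        :type role_id: str

        :return: Response containing the role
        :rtype: django.http.HttpResponse
        :raises: MissingResource if role ID does not exist
        """
        # NOTE(review): no access check is visible in this excerpt -- confirm the
        # view is wrapped by the project's authorization check.
        role = factory.role_query_manager().find_by_id(role_id)
        if role is None:
            raise pulp_exceptions.MissingResource(role_id)
        role['users'] = [
            u.login
            for u in user_controller.find_users_belonging_to_role(role['id'])
        ]
        permissions_manager = factory.permission_manager()
        # isolate schema change: the stored entry list is exposed as a mapping.
        resource_permission = {}
        # Treat None/empty stored permissions as "no permissions" rather than
        # raising on iteration.
        for item in role['permissions'] or []:
            resource = item['resource']
            operations = item.get('permission', [])
            resource_permission[resource] = [
                permissions_manager.operation_value_to_name(o)
                for o in operations
            ]
        role['permissions'] = resource_permission

        link = {
            '_href': reverse('role_resource', kwargs={'role_id': role['id']})
        }
        role.update(link)
        return generate_json_response_with_pulp_encoder(role)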