def test_get_all_permission_grants_for_user(self):
user_db = self.users['1_custom_role']
role_db = self.roles['custom_role_1']
permission_grants = rbac_services.get_all_permission_grants_for_user(user_db=user_db)
self.assertItemsEqual(permission_grants, [])
# Grant some permissions
resource_db = self.resources['rule_1']
permission_types = [PermissionType.RULE_CREATE, PermissionType.RULE_MODIFY]
permission_grant = rbac_services.create_permission_grant_for_resource_db(
role_db=role_db,
resource_db=resource_db,
permission_types=permission_types)
# Retrieve all grants
permission_grants = rbac_services.get_all_permission_grants_for_user(user_db=user_db)
self.assertItemsEqual(permission_grants, [permission_grant])
# Retrieve all grants, filter on resource with no grants
permission_grants = rbac_services.get_all_permission_grants_for_user(user_db=user_db,
resource_types=[ResourceType.PACK])
self.assertItemsEqual(permission_grants, [])
# Retrieve all grants, filter on resource with grants
permission_grants = rbac_services.get_all_permission_grants_for_user(user_db=user_db,
resource_types=[ResourceType.RULE])
self.assertItemsEqual(permission_grants, [permission_grant])
def test_get_all_permission_grants_for_user(self):
user_db = self.users['1_custom_role']
role_db = self.roles['custom_role_1']
permission_grants = rbac_services.get_all_permission_grants_for_user(
user_db=user_db)
self.assertItemsEqual(permission_grants, [])
# Grant some permissions
resource_db = self.resources['rule_1']
permission_types = [
PermissionType.RULE_CREATE, PermissionType.RULE_MODIFY
]
permission_grant = rbac_services.create_permission_grant_for_resource_db(
role_db=role_db,
resource_db=resource_db,
permission_types=permission_types)
# Retrieve all grants
permission_grants = rbac_services.get_all_permission_grants_for_user(
user_db=user_db)
self.assertItemsEqual(permission_grants, [permission_grant])
# Retrieve all grants, filter on resource with no grants
permission_grants = rbac_services.get_all_permission_grants_for_user(
user_db=user_db, resource_types=[ResourceType.PACK])
self.assertItemsEqual(permission_grants, [])
# Retrieve all grants, filter on resource with grants
permission_grants = rbac_services.get_all_permission_grants_for_user(
user_db=user_db, resource_types=[ResourceType.RULE])
self.assertItemsEqual(permission_grants, [permission_grant])
def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type):
log_context = {
'user_db': user_db,
'pack_uid': pack_uid,
'resource_uid': resource_uid,
'resource_type': self.resource_type,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
self._log('Checking grants via system role permissions', extra=log_context)
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
permission_name='view')
all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
permission_name='all')
if permission_type == view_permission_type:
# Note: Some permissions such as "create", "modify", "delete" and "execute" also
# grant / imply "view" permission
permission_types = self.view_grant_permission_types[:] + [permission_type]
elif permission_type not in all_permission_type:
permission_types = [all_permission_type, permission_type]
else:
permission_types = [permission_type]
# Check direct grants on the specified resource
self._log('Checking direct grans on the specified resource', extra=log_context)
resource_types = [self.resource_type]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=resource_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the action', extra=log_context)
return True
# Check grants on the parent pack
self._log('Checking grants on the parent resource', extra=log_context)
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the action parent pack', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_permission(self, user_db, resource_db,
permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role',
extra=log_context)
return True
# Check custom roles
rule_uid = resource_db.get_uid()
pack_uid = resource_db.get_pack_uid()
if permission_type == PermissionType.RULE_VIEW:
# Note: "create", "modify", "delete" and "execute" also grant / imply "view" permission
permission_types = [
PermissionType.RULE_ALL, PermissionType.RULE_CREATE,
PermissionType.RULE_MODIFY, PermissionType.RULE_DELETE,
permission_type
]
else:
permission_types = [PermissionType.RULE_ALL, permission_type]
# Check direct grants on the specified resource
resource_types = [ResourceType.RULE]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=rule_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the rule', extra=log_context)
return True
# Check grants on the parent pack
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the rule parent pack',
extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_permission(self, user_db, resource_db, permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
action_uid = resource_db.get_uid()
pack_uid = resource_db.get_pack_uid()
if permission_type == PermissionType.ACTION_VIEW:
# Note: "create", "modify", "delete" and "execute" also grant / imply "view" permission
permission_types = [
PermissionType.ACTION_ALL,
PermissionType.ACTION_CREATE,
PermissionType.ACTION_MODIFY,
PermissionType.ACTION_DELETE,
PermissionType.ACTION_EXECUTE,
permission_type
]
else:
permission_types = [PermissionType.ACTION_ALL, permission_type]
# Check direct grants on the specified resource
resource_types = [ResourceType.ACTION]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=action_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the action', extra=log_context)
return True
# Check grants on the parent pack
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the action parent pack', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type):
log_context = {
'user_db': user_db,
'pack_uid': pack_uid,
'resource_uid': resource_uid,
'resource_type': self.resource_type,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
permission_name='view')
all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
permission_name='all')
if permission_type == view_permission_type:
# Note: Some permissions such as "create", "modify", "delete" and "execute" also
# grant / imply "view" permission
permission_types = self.view_grant_permission_types[:] + [permission_type]
elif permission_type not in all_permission_type:
permission_types = [all_permission_type, permission_type]
else:
permission_types = [permission_type]
# Check direct grants on the specified resource
resource_types = [self.resource_type]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=resource_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the action', extra=log_context)
return True
# Check grants on the parent pack
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the action parent pack', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def _user_has_global_permission(self, user_db, permission_type):
"""
Custom method for checking if user has a particular global permission which doesn't apply
to a specific resource but it's system-wide aka global permission.
"""
log_context = {
'user_db': user_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
permission_types = [permission_type]
# Check direct grants
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
webhook_uid = resource_db.get_uid()
# Check direct grants on the webhook
resource_types = [ResourceType.WEBHOOK]
permission_types = [PermissionType.WEBHOOK_ALL, permission_type]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=webhook_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the webhook', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def _user_has_list_permission(self, user_db, permission_type):
"""
Common method for checking if a user has specific "list" resource permission (e.g.
rules_list, action_list, etc.).
"""
assert PermissionType.get_permission_name(permission_type) == 'list'
log_context = {
'user_db': user_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role',
extra=log_context)
return True
# Check custom roles
permission_types = [permission_type]
# Check direct grants
permission_grants = get_all_permission_grants_for_user(
user_db=user_db, permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_db_permission(self, user_db, resource_db,
permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role',
extra=log_context)
return True
# Check custom roles
resource_uid = resource_db.get_uid()
resource_types = [ResourceType.PACK]
permission_types = [permission_type]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=resource_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the pack', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def _user_has_global_permission(self, user_db, permission_type):
"""
Custom method for checking if user has a particular global permission which doesn't apply
to a specific resource but it's system-wide aka global permission.
"""
log_context = {
'user_db': user_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role',
extra=log_context)
return True
# Check custom roles
permission_types = [permission_type]
# Check direct grants
permission_grants = get_all_permission_grants_for_user(
user_db=user_db, permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def _user_has_list_permission(self, user_db, permission_type):
"""
Common method for checking if a user has specific "list" resource permission (e.g.
rules_list, action_list, etc.).
"""
assert PermissionType.get_permission_name(permission_type) == 'list'
log_context = {
'user_db': user_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
permission_types = [permission_type]
# Check direct grants
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_permission(self, user_db, resource_db, permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
action_uid = resource_db.get_uid()
pack_uid = resource_db.get_pack_uid()
# Check direct grants on the specified resource
resource_types = [ResourceType.ACTION]
permission_types = [PermissionType.ACTION_ALL, permission_type]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=action_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the action', extra=log_context)
return True
# Check grants on the parent pack
resource_types = [ResourceType.PACK]
permission_types = [PermissionType.ACTION_ALL, permission_type]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the action parent pack', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_db_permission(self, user_db, resource_db,
permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role',
extra=log_context)
return True
# Check custom roles
action = resource_db['action']
# TODO: Add utility methods for constructing uids from parts
pack_db = PackDB(ref=action['pack'])
action_uid = action['uid']
action_pack_uid = pack_db.get_uid()
# Note: "action_execute" also grants / implies "execution_re_run" and "execution_stop"
if permission_type == PermissionType.EXECUTION_VIEW:
action_permission_type = PermissionType.ACTION_VIEW
elif permission_type in [
PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP
]:
action_permission_type = PermissionType.ACTION_EXECUTE
elif permission_type == PermissionType.EXECUTION_ALL:
action_permission_type = PermissionType.ACTION_ALL
else:
raise ValueError('Invalid permission type: %s' % (permission_type))
# Check grants on the pack of the action to which execution belongs to
resource_types = [ResourceType.PACK]
permission_types = [PermissionType.ACTION_ALL, action_permission_type]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=action_pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the execution action parent pack',
extra=log_context)
return True
# Check grants on the action the execution belongs to
resource_types = [ResourceType.ACTION]
permission_types = [PermissionType.ACTION_ALL, action_permission_type]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=action_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the execution action',
extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def _user_has_resource_permission(self, user_db, pack_uid, action_uid,
permission_type):
"""
:param pack_uid: UID of a pack this resource belongs to.
:type pack_uid: ``str``
:param action_uid: UID of an action to check the permissions for.
:type action_uid: ``str``
"""
log_context = {
'user_db': user_db,
'pack_uid': pack_uid,
'resource_uid': action_uid,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role',
extra=log_context)
return True
# Check custom roles
if permission_type == PermissionType.ACTION_VIEW:
# Note: "create", "modify", "delete" and "execute" also grant / imply "view" permission
permission_types = [
PermissionType.ACTION_ALL, PermissionType.ACTION_CREATE,
PermissionType.ACTION_MODIFY, PermissionType.ACTION_DELETE,
PermissionType.ACTION_EXECUTE, permission_type
]
else:
permission_types = [PermissionType.ACTION_ALL, permission_type]
# Check direct grants on the specified resource
resource_types = [ResourceType.ACTION]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=action_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the action', extra=log_context)
return True
# Check grants on the parent pack
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the action parent pack',
extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_db_permission(self, user_db, resource_db,
permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role',
extra=log_context)
return True
# Check custom roles
rule_spec = getattr(resource_db, 'rule', None)
rule_uid = rule_spec.uid
rule_id = rule_spec.id
rule_pack = ResourceReference.get_pack(rule_spec.ref)
if not rule_uid or not rule_id or not rule_pack:
LOG.error(
'Rule UID or ID or PACK not present in enforcement object. ' +
('UID = %s, ID = %s, PACK = %s' %
(rule_uid, rule_id, rule_pack)) +
'Cannot assess access permissions without it. Defaulting to DENY.'
)
return False
# TODO: Add utility methods for constructing uids from parts
pack_db = PackDB(ref=rule_pack)
rule_pack_uid = pack_db.get_uid()
rule_permission_type = None
if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW:
rule_permission_type = PermissionType.RULE_VIEW
elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST:
rule_permission_type = PermissionType.RULE_LIST
else:
raise ValueError('Invalid permission type: %s' % (permission_type))
permission_types = [PermissionType.RULE_ALL, rule_permission_type]
view_permission_type = PermissionType.get_permission_type(
resource_type=ResourceType.RULE, permission_name='view')
if rule_permission_type == view_permission_type:
permission_types = (
RulePermissionsResolver.view_grant_permission_types[:] +
[rule_permission_type])
# Check grants on the pack of the rule to which enforcement belongs to
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=rule_pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the enforcement rule parent pack',
extra=log_context)
return True
# Check grants on the rule the enforcement belongs to
resource_types = [ResourceType.RULE]
permission_grants = get_all_permission_grants_for_user(
user_db=user_db,
resource_uid=rule_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the enforcement\'s rule.',
extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
rule_spec = getattr(resource_db, 'rule', None)
rule_uid = rule_spec.uid
rule_id = rule_spec.id
rule_pack = ResourceReference.get_pack(rule_spec.ref)
if not rule_uid or not rule_id or not rule_pack:
LOG.error('Rule UID or ID or PACK not present in enforcement object. ' +
('UID = %s, ID = %s, PACK = %s' % (rule_uid, rule_id, rule_pack)) +
'Cannot assess access permissions without it. Defaulting to DENY.')
return False
# TODO: Add utility methods for constructing uids from parts
pack_db = PackDB(ref=rule_pack)
rule_pack_uid = pack_db.get_uid()
rule_permission_type = None
if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW:
rule_permission_type = PermissionType.RULE_VIEW
elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST:
rule_permission_type = PermissionType.RULE_LIST
else:
raise ValueError('Invalid permission type: %s' % (permission_type))
permission_types = [PermissionType.RULE_ALL, rule_permission_type]
view_permission_type = PermissionType.get_permission_type(resource_type=ResourceType.RULE,
permission_name='view')
if rule_permission_type == view_permission_type:
permission_types = (RulePermissionsResolver.view_grant_permission_types[:] +
[rule_permission_type])
# Check grants on the pack of the rule to which enforcement belongs to
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=rule_pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the enforcement rule parent pack', extra=log_context)
return True
# Check grants on the rule the enforcement belongs to
resource_types = [ResourceType.RULE]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=rule_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the enforcement\'s rule.', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def _user_has_resource_permission(self, user_db, pack_uid, rule_uid, permission_type):
"""
:param pack_uid: UID of a pack this resource belongs to.
:type pack_uid: ``str``
:param rule_uid: UID of a rule to check the permissions for.
:type rule_uid: ``str``
"""
log_context = {
'user_db': user_db,
'pack_uid': pack_uid,
'resource_uid': rule_uid,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
if permission_type == PermissionType.RULE_VIEW:
# Note: "create", "modify", "delete" and "execute" also grant / imply "view" permission
permission_types = [
PermissionType.RULE_ALL,
PermissionType.RULE_CREATE,
PermissionType.RULE_MODIFY,
PermissionType.RULE_DELETE,
permission_type
]
else:
permission_types = [PermissionType.RULE_ALL, permission_type]
# Check direct grants on the specified resource
resource_types = [ResourceType.RULE]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=rule_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a direct grant on the rule', extra=log_context)
return True
# Check grants on the parent pack
resource_types = [ResourceType.PACK]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the rule parent pack', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
def user_has_resource_db_permission(self, user_db, resource_db, permission_type):
log_context = {
'user_db': user_db,
'resource_db': resource_db,
'permission_type': permission_type,
'resolver': self.__class__.__name__
}
self._log('Checking user resource permissions', extra=log_context)
# First check the system role permissions
has_system_role_permission = self._user_has_system_role_permission(
user_db=user_db, permission_type=permission_type)
if has_system_role_permission:
self._log('Found a matching grant via system role', extra=log_context)
return True
# Check custom roles
action = resource_db['action']
# TODO: Add utility methods for constructing uids from parts
pack_db = PackDB(ref=action['pack'])
action_uid = action['uid']
action_pack_uid = pack_db.get_uid()
# Note: "action_execute" also grants / implies "execution_re_run" and "execution_stop"
if permission_type == PermissionType.EXECUTION_VIEW:
action_permission_type = PermissionType.ACTION_VIEW
elif permission_type in [PermissionType.EXECUTION_RE_RUN,
PermissionType.EXECUTION_STOP]:
action_permission_type = PermissionType.ACTION_EXECUTE
elif permission_type == PermissionType.EXECUTION_ALL:
action_permission_type = PermissionType.ACTION_ALL
else:
raise ValueError('Invalid permission type: %s' % (permission_type))
# Check grants on the pack of the action to which execution belongs to
resource_types = [ResourceType.PACK]
permission_types = [PermissionType.ACTION_ALL, action_permission_type]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=action_pack_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the execution action parent pack', extra=log_context)
return True
# Check grants on the action the execution belongs to
resource_types = [ResourceType.ACTION]
permission_types = [PermissionType.ACTION_ALL, action_permission_type]
permission_grants = get_all_permission_grants_for_user(user_db=user_db,
resource_uid=action_uid,
resource_types=resource_types,
permission_types=permission_types)
if len(permission_grants) >= 1:
self._log('Found a grant on the execution action', extra=log_context)
return True
self._log('No matching grants found', extra=log_context)
return False
