def _check_permissions(self, msg):
    """Raise ValueError unless the sender may perform the requested action.

    The rule set is loaded from the path stored under
    ``config.controller['permissions_path']`` and evaluated for
    ``self.sender`` against the collection and resource id found in *msg*.
    A missing ``collection`` or ``id`` key raises KeyError before any
    decision is made.
    """
    rules = permissions.get(config.controller['permissions_path'])
    granted = permissions.check(rules, self.sender,
                                msg['collection'], msg['id'])
    # NOTE(review): the action is read from self.body while the collection
    # and id come from msg -- confirm both describe the same message, since
    # otherwise the check could authorize a different request than the one
    # that is carried out.
    if self.body['action'] in granted:
        return
    raise ValueError("You don't have permission to do that.")
def test_wrong_user(self):
    """The rule in ``self.line`` must not grant 'read' for this lookup.

    NOTE(review): the lookup also targets the 'packages' collection, so the
    denial may come from the collection rather than from the user --
    confirm against the rule held in ``self.line`` (assigned outside this
    method).
    """
    rule = permissions.process(self.line)
    granted = permissions.check([rule], '******', 'packages',
                                '/etc/httpd/httpd.conf')
    self.assertFalse('read' in granted)
def test_wrong_permission(self):
    """'update' on files:/etc/httpd/httpd.conf must not be granted.

    The rule under test is the one held in ``self.line`` (assigned outside
    this method).
    """
    rule = permissions.process(self.line)
    target = ('******', 'files', '/etc/httpd/httpd.conf')
    granted = permissions.check([rule], *target)
    self.assertFalse('update' in granted)
def test_deny_wrong_res_id(self):
    """'read' on files:/etc/hosts must not be granted by ``self.line``."""
    rule = permissions.process(self.line)
    user, collection, res_id = '******', 'files', '/etc/hosts'
    granted = permissions.check([rule], user, collection, res_id)
    self.assertFalse('read' in granted)
def test_allow_wildcard_res_id(self):
    """'read' on files:/etc/httpd/httpd.conf is granted by ``self.line``.

    NOTE(review): the name implies the rule's resource id is a wildcard
    pattern; the rule itself is assigned outside this method -- confirm.
    """
    rule = permissions.process(self.line)
    user, collection, res_id = '******', 'files', '/etc/httpd/httpd.conf'
    granted = permissions.check([rule], user, collection, res_id)
    self.assertTrue('read' in granted)
def test_allow_space_in_res_id(self):
    """A quoted resource pattern containing a space still matches.

    The rule quotes ``/home/user/My Images/*``; 'read' on a file below that
    directory is expected to be granted.
    """
    self.line = 'cortex files "/home/user/My Images/*" CRD'
    rule = permissions.process(self.line)
    granted = permissions.check([rule], '******', 'files',
                                '/home/user/My Images/test.png')
    self.assertTrue('read' in granted)
def test_nothing_allowed(self):
    """With the rule ``* * * -`` a 'read' on files:/etc/hosts is denied."""
    self.line = "* * * -"
    rule = permissions.process(self.line)
    target = ('******', 'files', '/etc/hosts')
    granted = permissions.check([rule], *target)
    self.assertFalse('read' in granted)
def test_lines_order_matter_success(self):
    """'update' on files:/etc/hosts is granted by the permissions.conf rules.

    NOTE(review): the name says the outcome depends on rule order; the
    fixture content is not visible here -- confirm which lines interact.
    """
    rules = permissions.get(self._get_fp('permissions.conf'))
    granted = permissions.check(rules, '******', 'files', '/etc/hosts')
    self.assertTrue('update' in granted)
def test_lines_order_matter_fail(self):
    """'update' on the executables collection is denied by permissions.conf.

    NOTE(review): the name says the outcome depends on rule order; the
    fixture content is not visible here -- confirm which lines interact.
    """
    rules = permissions.get(self._get_fp('permissions.conf'))
    granted = permissions.check(rules, '******', 'executables', 'rm -rf /')
    self.assertFalse('update' in granted)
def test_if_cannot_read_then_cannot_ping(self):
    """With the rule ``* files * -`` a 'ping' on files is not granted.

    The lookup uses an empty resource id. The name suggests that 'ping' is
    tied to the read permission; that link lives in ``permissions.check``
    and is not visible here.
    """
    self.line = "* files * -"
    rule = permissions.process(self.line)
    user, collection, res_id = '******', 'files', ''
    granted = permissions.check([rule], user, collection, res_id)
    self.assertFalse('ping' in granted)
def test_allow_wildcard_collection(self):
    """With the rule ``cortex * * CRD`` a 'read' on packages:httpd is granted."""
    self.line = "cortex * * CRD"
    rule = permissions.process(self.line)
    granted = permissions.check([rule], '******', 'packages', 'httpd')
    self.assertTrue('read' in granted)
def call_method(self, user_id, body, check_perm=True):
    """Authorize a message and dispatch it to its collection.

    The message must be a dict. When *check_perm* is true, the action named
    in the message has to be among the permissions that
    ``permissions.check`` grants *user_id* for the message's collection and
    resource id (a missing or falsy id is checked as the empty string);
    otherwise a ResourceException is raised before anything is dispatched.
    Filters, if present, must pass ``self._check_filters``. The message is
    then handed to the ``process`` method of the instance the locator
    returns for the collection.

    A ResourceException raised while dispatching is logged at debug level
    and reported through the ``error`` key of the response. Exceptions
    raised by the validation steps before the dispatch propagate to the
    caller.

    The original documentation states that the response built by the
    collection is returned.

    NOTE(review): block nesting was reconstructed from a listing that had
    lost its line breaks. The filter check and the final ``uuid``
    assignment are assumed to sit at function level, and no ``return`` is
    visible in the excerpt -- confirm against the original file.
    """
    response = {}

    # Anything that is not a dict is rejected before keys are read from it.
    if not isinstance(body, dict):
        raise ResourceException("Bad message formatting")

    filters = body.get('filters')
    res_id = body.get('id') or ''

    # With check_perm false no authorization is performed at all; the
    # caller owns that decision.
    if check_perm:
        granted = permissions.check(self.permissions, user_id,
                                    body.get('collection'), res_id)
        if body.get('action') not in granted:
            raise ResourceException("You don't have permission to do that.")

    if filters and not self._check_filters(filters):
        raise ResourceException("Filters did not match")

    collection = body.get('collection')

    try:
        # The locator supplies the resource object for the collection.
        resource = self.locator.get_instance(collection)
        response = resource.process(body)
        # Serialization is attempted only to detect undecodable payloads;
        # the encoded result is discarded.
        try:
            json.dumps(response)
        except UnicodeDecodeError:
            raise ResourceException("Problem when decoding payload.")
    except ResourceException as err:
        self.logger.debug("Resource exception: %s" % err)
        # A truthy status is removed so that only the error is reported.
        if response.get('status'):
            response.pop('status')
        response['error'] = '%s' % err

    response['uuid'] = self.uuid
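def call_method(self, user_id, body, check_perm=True):
    """Authorize a message, then call its collection's ``process`` method.

    *body* must be a dict; anything else raises ResourceException. When
    *check_perm* is true, ``permissions.check`` is asked which actions
    *user_id* holds on the message's collection and resource id, and a
    ResourceException is raised unless the message's action is among them.
    If the message carries filters they must pass ``self._check_filters``.
    Only then is the message passed to the instance that
    ``self.locator.get_instance`` returns for the collection.

    A ResourceException raised during the dispatch is logged at debug level
    and reported in the response under ``error``; exceptions raised by the
    earlier validation steps propagate to the caller.

    The original documentation states that the response built by the
    collection is returned.

    NOTE(review): block nesting was reconstructed from a listing that had
    lost its line breaks. The filter check and the final ``uuid``
    assignment are assumed to sit at function level, and no ``return`` is
    visible in the excerpt -- confirm against the original file.
    """
    response = {}

    # Reject anything that is not a dict before reading keys from it.
    if not isinstance(body, dict):
        raise ResourceException("Bad message formatting")

    filters = body.get('filters')
    # A message without an 'id' (or with a falsy one) is checked against the
    # empty resource id, so the permission lookup always receives a string
    # instead of None.
    res_id = body.get('id') or ''

    # With check_perm false no authorization is performed at all; the
    # caller owns that decision.
    if check_perm:
        perms = permissions.check(self.permissions, user_id,
                                  body.get('collection'), res_id)
        if body.get('action') not in perms:
            raise ResourceException("You don't have permission to do "
                                    "that.")

    if filters:
        if not self._check_filters(filters):
            raise ResourceException("Filters did not match")

    collection = body.get('collection')

    try:
        # The locator supplies the resource object for the collection.
        instance = self.locator.get_instance(collection)
        response = instance.process(body)
        # Serialization is attempted only to detect undecodable payloads;
        # the encoded result is discarded.
        try:
            json.dumps(response)
        except UnicodeDecodeError:
            raise ResourceException("Problem when decoding payload.")
    except ResourceException as err:
        self.logger.debug("Resource exception: %s" % err)
        # A truthy status is removed so that only the error is reported.
        if response.get('status'):
            del response['status']
        response['error'] = '%s' % err

    response['uuid'] = self.uuid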