def grant_permission_to_group(self, permission, argument, group):  # type: (str, str, str) -> None
    """Add a permission mapping for a group, resolving group and permission by name.

    The mapping is only added to ``self.session``; no commit is issued here.

    Args:
        permission: Name of the permission to grant.
        argument: Argument stored on the new permission mapping.
        group: Name of the group that receives the grant.

    Raises:
        GroupNotFoundException: The group lookup returned nothing.
        PermissionNotFoundException: The permission lookup returned nothing.
    """
    target_group = Group.get(self.session, name=group)
    if not target_group:
        raise GroupNotFoundException(group)

    target_permission = Permission.get(self.session, name=permission)
    if not target_permission:
        raise PermissionNotFoundException(permission)

    # NOTE(review): the argument is stored exactly as passed in; no format
    # check is visible in this method, so confirm callers validate it first.
    PermissionMap(
        permission_id=target_permission.id,
        group_id=target_group.id,
        argument=argument,
    ).add(self.session)
def post(self, name=None, mapping_id=None):
    """Revoke the permission mapping identified by ``mapping_id``.

    Responds with forbidden when the current user has no grantable
    permissions or none of them covers this mapping, and with not-found
    when the mapping does not exist. ``name`` is not used by this code.
    """
    grantable = self.current_user.my_grantable_permissions()
    if not grantable:
        return self.forbidden()

    mapping = PermissionMap.get(self.session, id=mapping_id)
    if not mapping:
        return self.notfound()

    # Authorization: at least one grantable entry must name the same
    # permission and carry a glob that matches the mapping's argument.
    wanted_name = mapping.permission.name
    may_revoke = any(
        entry[0].name == wanted_name and matches_glob(entry[1], mapping.argument)
        for entry in grantable
    )
    if not may_revoke:
        return self.forbidden()

    # Hold on to the related rows before the mapping itself is deleted.
    permission = mapping.permission
    group = mapping.group

    mapping.delete(self.session)
    Counter.incr(self.session, "updates")
    self.session.commit()

    # NOTE(review): the audit entry is written after the revocation has been
    # committed, so a failure in AuditLog.log would leave the change without
    # an audit record; mapping.argument is also read after delete + commit.
    # Whether AuditLog.log commits on its own is not visible here -- confirm.
    AuditLog.log(
        self.session,
        self.current_user.id,
        'revoke_permission',
        'Revoked permission with argument: {}'.format(mapping.argument),
        on_group_id=group.id,
        on_permission_id=permission.id,
    )
    return self.redirect('/groups/{}?refresh=yes'.format(group.name))
def get(self, name=None, mapping_id=None):
    """Render the revoke-confirmation page for one permission mapping.

    Responds with not-found when no mapping has ``mapping_id`` and with
    forbidden when ``self.check_access`` rejects the current user.
    ``name`` is not used by this code.
    """
    mapping = PermissionMap.get(self.session, id=mapping_id)
    if not mapping:
        # NOTE(review): not-found is decided before the access check, so the
        # response tells any caller whether a mapping id exists -- confirm
        # that is acceptable.
        return self.notfound()

    caller_may_revoke = self.check_access(self.session, mapping, self.current_user)
    if not caller_may_revoke:
        return self.forbidden()

    self.render("permission-revoke.html", mapping=mapping)
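def grant_permission(session, group_id, permission_id, argument=''):
    """
    Grant a permission to a group by adding a permission mapping and committing.

    The earlier docstring states that this fails if the (permission, argument)
    has already been granted to the group; that is presumably enforced by a
    database constraint that is not visible here -- confirm.

    Args:
        session(models.base.session.Session): database session
        group_id(int): ID of the group receiving the permission
        permission_id(int): ID of the permission being granted
        argument(str): must match constants.ARGUMENT_VALIDATION in its entirety

    Throws:
        AssertionError if argument does not match ARGUMENT_VALIDATION regex
    """
    # re.match() anchors only at the start of the string, so without an end
    # anchor a valid prefix followed by arbitrary characters would pass. \Z
    # (unlike $) also rejects a trailing newline.
    whole_argument = r'(?:' + ARGUMENT_VALIDATION + r')\Z'

    # Raised explicitly instead of using ``assert`` so the check still runs
    # when Python is started with -O; the exception type is unchanged.
    if not re.match(whole_argument, argument):
        raise AssertionError('Permission argument does not match regex.')

    mapping = PermissionMap(permission_id=permission_id, group_id=group_id, argument=argument)
    mapping.add(session)

    Counter.incr(session, "updates")

    session.commit()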
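def grant_permission(
    session: Session, group_id: int, permission_id: int, argument: str = ""
) -> None:
    """Grant a permission to a group by adding a permission mapping and committing.

    The earlier docstring states that this fails if the (permission, argument)
    has already been granted to the group; that is presumably enforced by a
    database constraint that is not visible here -- confirm.

    Args:
        session: Database session
        group_id: ID of group to which to grant the permission
        permission_id: ID of permission to grant
        argument: Must match constants.ARGUMENT_VALIDATION in its entirety

    Throws:
        AssertionError if argument does not match ARGUMENT_VALIDATION regex
    """
    # fullmatch() requires the whole string to match. A pattern ending in "$"
    # still accepts a trailing newline, which would let "value\n" be stored.
    #
    # Raised explicitly instead of using ``assert`` so the check still runs
    # when Python is started with -O; the exception type is unchanged.
    if not re.fullmatch(ARGUMENT_VALIDATION, argument):
        raise AssertionError("Invalid permission argument")

    mapping = PermissionMap(permission_id=permission_id, group_id=group_id, argument=argument)
    mapping.add(session)

    Counter.incr(session, "updates")

    session.commit()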
def test_get_auditors_group(session, standard_graph):  # noqa: F811
    """Check get_auditors_group for unset, unknown, valid and de-privileged groups.

    ``standard_graph`` is requested only as a fixture; it presumably creates
    the "auditors" group with the audit permission -- confirm in the fixture.
    """
    unset_settings = Mock(auditors_group=None)
    with pytest.raises(NoSuchGroup) as excinfo:
        get_auditors_group(unset_settings, session)
    assert str(excinfo.value) == "Please ask your admin to configure the `auditors_group` settings"

    unknown_settings = Mock(auditors_group="do-not-exist")
    with pytest.raises(NoSuchGroup) as excinfo:
        get_auditors_group(unknown_settings, session)
    assert str(excinfo.value) == "Please ask your admin to configure the default group for auditors"

    # A correctly configured group is returned.
    auditors_group = get_auditors_group(Mock(auditors_group="auditors"), session)
    assert auditors_group is not None

    # Remove the group's single audit grant; the lookup must then refuse the
    # group with GroupDoesNotHaveAuditPermission.
    audit_grants = [
        grant for grant in auditors_group.my_permissions() if grant.name == PERMISSION_AUDITOR
    ]
    assert len(audit_grants) == 1
    PermissionMap.get(session, id=audit_grants[0].mapping_id).delete(session)

    with pytest.raises(GroupDoesNotHaveAuditPermission):
        get_auditors_group(Mock(auditors_group="auditors"), session)
def test_get_auditors_group(session, standard_graph):  # noqa: F811
    """Check get_auditors_group for unset, unknown, valid and de-privileged groups.

    ``standard_graph`` is requested only as a fixture; it presumably creates
    the "auditors" group with the audit permission -- confirm in the fixture.
    """
    unset_settings = Mock(auditors_group=None)
    with pytest.raises(NoSuchGroup) as excinfo:
        get_auditors_group(unset_settings, session)
    assert excinfo.value.message == "Please ask your admin to configure the `auditors_group` settings"

    unknown_settings = Mock(auditors_group="do-not-exist")
    with pytest.raises(NoSuchGroup) as excinfo:
        get_auditors_group(unknown_settings, session)
    assert excinfo.value.message == "Please ask your admin to configure the default group for auditors"

    # A correctly configured group is returned.
    auditors_group = get_auditors_group(Mock(auditors_group="auditors"), session)
    assert auditors_group is not None

    # Remove the group's single audit grant; the lookup must then refuse the
    # group with GroupDoesNotHaveAuditPermission.
    audit_grants = [
        grant for grant in auditors_group.my_permissions() if grant.name == PERMISSION_AUDITOR
    ]
    assert len(audit_grants) == 1
    PermissionMap.get(session, id=audit_grants[0].mapping_id).delete(session)

    with pytest.raises(GroupDoesNotHaveAuditPermission):
        get_auditors_group(Mock(auditors_group="auditors"), session)
def get(self, name=None, mapping_id=None):
    """Render the revoke-confirmation page for one permission mapping.

    Responds with forbidden when the current user has no grantable
    permissions or none of them covers this mapping, and with not-found
    when the mapping does not exist. ``name`` is not used by this code.
    """
    grantable = self.current_user.my_grantable_permissions()
    if not grantable:
        return self.forbidden()

    mapping = PermissionMap.get(self.session, id=mapping_id)
    if not mapping:
        return self.notfound()

    # Authorization: at least one grantable entry must name the same
    # permission and carry a glob that matches the mapping's argument.
    wanted_name = mapping.permission.name
    may_revoke = any(
        entry[0].name == wanted_name and matches_glob(entry[1], mapping.argument)
        for entry in grantable
    )
    if not may_revoke:
        return self.forbidden()

    self.render("permission-revoke.html", mapping=mapping)
def post(self, name=None, mapping_id=None):
    """Revoke the permission mapping identified by ``mapping_id``.

    Responds with not-found when no mapping has that id and with forbidden
    when ``self.check_access`` rejects the current user. Otherwise the
    mapping is deleted, the "updates" counter is incremented, the session
    is committed, an audit entry is logged and the client is redirected to
    the group page. ``name`` is not used by this code.
    """
    mapping = PermissionMap.get(self.session, id=mapping_id)
    if not mapping:
        # NOTE(review): not-found is decided before the access check, so the
        # response tells any caller whether a mapping id exists -- confirm
        # that is acceptable.
        return self.notfound()

    caller_may_revoke = self.check_access(self.session, mapping, self.current_user)
    if not caller_may_revoke:
        return self.forbidden()

    # Hold on to the related rows before the mapping itself is deleted.
    permission = mapping.permission
    group = mapping.group

    mapping.delete(self.session)
    Counter.incr(self.session, "updates")
    self.session.commit()

    # NOTE(review): the audit entry is written after the revocation has been
    # committed, so a failure in AuditLog.log would leave the change without
    # an audit record; mapping.argument is also read after delete + commit.
    # Whether AuditLog.log commits on its own is not visible here -- confirm.
    AuditLog.log(
        self.session,
        self.current_user.id,
        'revoke_permission',
        'Revoked permission with argument: {}'.format(mapping.argument),
        on_group_id=group.id,
        on_permission_id=permission.id,
    )
    return self.redirect('/groups/{}?refresh=yes'.format(group.name))