def post(self, action): handler = getattr(self, "{}_handler".format(action), None) if handler is None: raise errors.ParamsInvalidError( "petition action {} invalid".format(action)) else: return handler(self.params.privilege_model, self.params.privilege_name)
def post(self): if self.user: username = self.user.username else: username = self.params.username if not username: raise errors.ParamsInvalidError('username must be passed') privilege = getattr(self.params.privilege_type, self.params.privilege_name, None) if not privilege: raise errors.ParamsInvalidError( "Invalid type of privilege: <%s %s>" % (self.params.privilege_type.name, self.params.privilege_name)) authorize(privilege, username, node_id=self.params.node_id, hostname=self.params.hostname) return self.write_json({"msg": "authorize succeed"})
def _generic_handler(self, privilege_model, privilege_name, action, from_statuses, to_status): """ :type privilege_model: loki.privilege.models.PrivilegeType :type privilege_name: str :type action: str :type from_statuses: list[loki.privilege.models.PrivilegeStatus] :type to_status: loki.privilege.models.PrivilegeStatus """ privileges = privilege_model.privileges if privilege_name == "admin": required_privilege = self.privilege_map[privileges.group] """ check grant_normal_privileges or grant_critical_privileges when applying admin privilege """ authorize(required_privilege, self.user.username, node_id=self.params.node_id) else: required_privilege = getattr(privileges, "admin") """ check corresponding admin privilege when applying other privileges """ authorize(required_privilege, self.user.username, node_id=self.params.node_id) try: status = PrivilegeStatus( privileges.get_matrix_by_name(privilege_name)) if status not in from_statuses: raise errors.OperationNotAllowed( "can't {} petition in {} status".format( action, status.name)) else: privileges.set_matrix_by_name(privilege_name, to_status) privilege_model.privileges = privileges privilege_model.modifier = self.user.username privilege_model.save() except AttributeError as e: raise errors.ParamsInvalidError(str(e)) else: return self.write_json(privilege_model.for_json())
def authorize(privilege, username, node_id=None, hostname=None): """ :type privilege: PrivilegeBase :type username: basestring :type node_id: int :type hostname: basestring """ if not node_id: if not hostname: raise errors.ParamsInvalidError( "must have parameter node_id or hostname") else: server = RawServer.query \ .options(load_only(RawServer.id)) \ .options(joinedload(RawServer.nodes).load_only("node_id")) \ .filter_by(hostname=hostname).first_or_404() nodes = [TreeNode(node.node_id) for node in server.nodes] else: nodes = [TreeNode(node_id)] node_ids = { n.id for n in chain(*[tree_node.parents for tree_node in nodes]) } node_ids |= {n.id for n in nodes} privilege_models = PrivilegeType.query \ .options(load_only(PrivilegeType._matrix)) \ .filter((PrivilegeType.node_id.in_(node_ids))) \ .filter_by(privilege_type=privilege.name, username=username) \ .all() if not privilege_models: # raise errors.DoesNotExist('You have not applied for this type of privilege.') raise errors.HasNoPermission( "Require {} privilege to access this resource, you havn't apply for it yet" .format(privilege)) if not any(p.has_privilege(privilege) for p in privilege_models): # raise errors.HasNoPermission("Privilege has not been applied for, is applying, is rejected or has been revoked.") raise errors.HasNoPermission( "Require {} privilege to access this resource".format(privilege))
def get(self, node_id): privilege_type = self.get_argument('type', None) status_str = self.get_argument('status', None) limit = int(self.get_argument('limit', 0)) index = int(self.get_argument('index', 1)) username = self.get_argument('username', None) privilege_types = PrivilegeType.query.options(undefer_group("audit")) \ .filter(~PrivilegeType.username.like(settings.AUTH_TOKEN_PREFIX + "%")) \ .order_by(PrivilegeType.ctime.desc()) if username: privilege_types = privilege_types.filter( PrivilegeType.username == username) node_id = int(node_id) if node_id != settings.TREE_ROOT_ID: node = TreeNode(node_id) node_ids = [n.id for n in node.offspring_treenode] privilege_types = privilege_types.filter( PrivilegeType.node_id.in_(node_ids)) if status_str: try: status = PrivilegeStatus[status_str] except KeyError: raise errors.ParamsInvalidError("status %s invalid" % status_str) status_mask = status.value * sum(2**i for i in xrange(0, 64, 4)) privilege_types = privilege_types.filter( PrivilegeType._matrix.op('&')(status_mask) != 0b0) if privilege_type: privilege_types = privilege_types.filter_by( privilege_type=privilege_type) if limit: count, privilege_types = privilege_types.paginator(limit, index) data = privilege_types.all() self.write_json( format_paginator_resposne(data, count, limit, index)) else: self.write_data(privilege_types.all())
def apply(self): privilege_type = self.params.privilege_type privilege_names = self.params.privilege_names if not privilege_names: raise errors.ParamsInvalidError("privilege_names is required") privilege_model = PrivilegeType.query.filter_by( node_id=self.params.node_id, username=self.user.username, privilege_type=privilege_type.name).first() if privilege_model: privilege = privilege_model.privileges for privilege_name in privilege_names: status = privilege.get_matrix_by_name(privilege_name) if status == PrivilegeStatus.applying: raise errors.OperationNotAllowed( "user %s have been applying <%s %s> on node id %s" % (self.user.username, privilege_type.name, privilege_name, self.params.node_id)) elif status == PrivilegeStatus.approved: raise errors.OperationNotAllowed( "user %s have been granted <%s %s> on node id %s" % (self.user.username, privilege_type.name, privilege_name, self.params.node_id)) else: privilege.set_matrix_by_name(privilege_name, PrivilegeStatus.applying) privilege_model.privileges = privilege else: privilege = privilege_type() for privilege_name in privilege_names: privilege.set_matrix_by_name(privilege_name, PrivilegeStatus.applying) privilege_model = PrivilegeType(node_id=self.params.node_id, username=self.user.username, privilege_cls=privilege) privilege_model.save() return self.write_json({"message": "apply privilege succeed"})
def apply_token(self): privilege_type = self.params.privilege_type privilege = privilege_type() for privilege_name in privilege.enum.__members__.keys(): if privilege_name == "admin": continue privilege.set_matrix_by_name(privilege_name, PrivilegeStatus.applying) prefixed_token = self.params.token if not prefixed_token: prefixed_token = encrypt_token(self.user.username) privilege_model = PrivilegeType(node_id=self.params.node_id, username=prefixed_token, privilege_cls=privilege) try: privilege_model.save() except IntegrityError: raise errors.ParamsInvalidError( 'Token has already been applied for this privilege') return self.write_json({"message": "apply token succeed"})