        def wrapper(*args, **kwargs):
            """Authorize the request, then delegate to the wrapped ``func``.

            The tenant is resolved from the source selected by the enclosing
            ``get_tenant_from`` (``'header'``, ``'param'`` or ``'data'``), an
            explicit ``tenant_for_auth`` always taking precedence. A resolved
            tenant is loaded and made the current tenant before any role
            check. The call is allowed when one of the user's roles (roles in
            the target tenant, or in every tenant when ``allow_all_tenants``
            and the request asks for all tenants, plus the system roles) is
            listed for ``action`` in
            ``config.instance.authorization_permissions``.
            With ``config.instance.test_mode`` set the role check is skipped.

            NOTE(review): unlike the later variant of this wrapper shown on
            this page, no ``current_user.active`` check is made here; confirm
            deactivated users are rejected before this point.

            Raises:
                ForbiddenError: the tenant name does not resolve to a tenant,
                    or none of the user's roles permits ``action``.
                KeyError: presumably, when ``get_tenant_from == 'param'`` and
                    the route did not bind ``tenant_name``, or when ``action``
                    has no entry in ``authorization_permissions``.
            """
            # Resolve the tenant name; an explicit tenant_for_auth wins.
            if get_tenant_from == 'header':
                tenant_name = tenant_for_auth or request.headers.get(
                    CLOUDIFY_TENANT_HEADER)
            elif get_tenant_from == 'param':
                tenant_name = tenant_for_auth or kwargs['tenant_name']
            elif get_tenant_from == 'data':
                tenant_name = tenant_for_auth or get_json_and_verify_params({
                    'tenant_name': {
                        'type': unicode
                    }
                }).get('tenant_name')
            else:
                tenant_name = tenant_for_auth

            # Bind the tenant to the request context before the role check.
            # An unknown tenant is reported as an authorization failure.
            if tenant_name:
                try:
                    tenant = get_storage_manager().get(
                        Tenant, tenant_name, filters={'name': tenant_name})
                    utils.set_current_tenant(tenant)
                except NotFoundError:
                    raise ForbiddenError(
                        'Authorization failed: Tried to authenticate with '
                        'invalid tenant name: {0}'.format(tenant_name))

            # Unit tests run without authorization.
            if config.instance.test_mode:
                return func(*args, **kwargs)

            def _tenant_selected(t):
                # All tenants count when the view allows it and the request
                # asks for it; otherwise only the resolved tenant does.
                if allow_all_tenants and request_use_all_tenants():
                    return True
                return t.name == tenant_name

            # Roles the user holds in the selected tenant(s).
            tenant_roles = []
            for t in current_user.all_tenants:
                if _tenant_selected(t):
                    tenant_roles.extend(current_user.all_tenants[t])

            # Tenant role names joined with the user's system-wide roles.
            tenant_role_names = [role.name for role in tenant_roles]
            user_roles = tenant_role_names + current_user.system_roles

            # Roles the configuration permits for this action.
            action_roles = config.instance.authorization_permissions[action]

            if any(role in action_roles for role in user_roles):
                return func(*args, **kwargs)

            # Deny: name the user, the action and (when known) the tenant.
            denial = 'User `{0}` is not permitted to perform the ' \
                     'action {1}'.format(current_user.username, action)
            if tenant_name:
                denial += ' in the tenant `{0}`'.format(tenant_name)
            raise ForbiddenError(denial)
 def _validate_secret_modification_permitted(self, secret):
     """Reject a modification of ``secret`` the current user may not make.

     The generic modification check is delegated to the resource manager;
     on top of that, a secret flagged ``is_hidden_value`` additionally
     requires ``_is_hidden_value_permitted`` to hold for the current user.

     Raises:
         ForbiddenError: the secret is a hidden value and the user is not
             permitted to modify it. Whatever the resource manager raises
             for the generic check propagates unchanged.
     """
     get_resource_manager().validate_modification_permitted(secret)
     if not secret.is_hidden_value:
         return
     if self._is_hidden_value_permitted(secret):
         return
     raise ForbiddenError(
         'User `{0}` is not permitted to modify the hidden value '
         'secret `{1}`'.format(current_user.username, secret.key))
 def _validate_secret_modification_permitted(self, secret):
     """Reject a modification of a hidden-value ``secret`` by an unpermitted user.

     Only secrets flagged ``is_hidden_value`` are checked; for those the
     current user must pass ``rest_utils.is_hidden_value_permitted``.
     Secrets without the flag are accepted without further checks here.

     Raises:
         ForbiddenError: the secret is a hidden value and the user is not
             permitted to modify it.
     """
     hidden_and_denied = (
         secret.is_hidden_value
         and not rest_utils.is_hidden_value_permitted(secret)
     )
     if hidden_and_denied:
         raise ForbiddenError(
             'User `{0}` is not permitted to modify the hidden value '
             'secret `{1}`'.format(current_user.username, secret.key)
         )
        def wrapper(*args, **kwargs):
            """Authorize the request, then delegate to the wrapped ``func``.

            The tenant is resolved from the source selected by the enclosing
            ``get_tenant_from`` (``'header'``, ``'param'`` or ``'data'``), an
            explicit ``tenant_for_auth`` always taking precedence. A resolved
            tenant is loaded and made the current tenant before any role
            check. Deactivated users are rejected next. With
            ``config.instance.test_mode`` set the role check is skipped;
            otherwise the call is allowed only when
            ``is_user_action_allowed`` (contract not visible here) accepts
            ``action`` for the tenant.

            Raises:
                ForbiddenError: the tenant name does not resolve to a tenant,
                    the user is deactivated, or ``action`` is not allowed.
                KeyError: presumably, when ``get_tenant_from == 'param'`` and
                    the route did not bind ``tenant_name``.
            """
            # Resolve the tenant name; an explicit tenant_for_auth wins.
            if get_tenant_from == 'header':
                tenant_name = tenant_for_auth or request.headers.get(
                    CLOUDIFY_TENANT_HEADER)
            elif get_tenant_from == 'param':
                tenant_name = tenant_for_auth or kwargs['tenant_name']
            elif get_tenant_from == 'data':
                tenant_name = tenant_for_auth or get_json_and_verify_params({
                    'tenant_name': {
                        'type': text_type
                    }
                }).get('tenant_name')
            else:
                tenant_name = tenant_for_auth

            # Bind the tenant to the request context before the role check.
            # An unknown tenant is reported as an authorization failure.
            if tenant_name:
                try:
                    tenant = get_storage_manager().get(
                        Tenant, tenant_name, filters={'name': tenant_name})
                    utils.set_current_tenant(tenant)
                except NotFoundError:
                    raise ForbiddenError(
                        'Authorization failed: Tried to authenticate with '
                        'invalid tenant name: {0}'.format(tenant_name))

            # A deactivated account is refused regardless of its roles.
            if not current_user.active:
                raise ForbiddenError('Authorization failed: '
                                     'User `{0}` is deactivated'.format(
                                         current_user.username))

            # Unit tests run without authorization.
            if config.instance.test_mode:
                return func(*args, **kwargs)

            # Role check is delegated to is_user_action_allowed.
            permitted = is_user_action_allowed(
                action, tenant_name, allow_all_tenants)
            if permitted:
                return func(*args, **kwargs)

            # Deny: name the user, the action and (when known) the tenant.
            denial = 'User `{0}` is not permitted to perform the ' \
                     'action {1}'.format(current_user.username, action)
            if tenant_name:
                denial += ' in the tenant `{0}`'.format(tenant_name)
            raise ForbiddenError(denial)
 def _update_is_hidden_value(self, secret):
     """Apply the ``is_hidden_value`` flag from the request body to ``secret``.

     A body without the key (value ``None``) leaves the secret untouched.
     The submitted value is run through ``rest_utils.verify_and_convert_bool``
     before the permission check, so an invalid value is reported before a
     permission error. The flag is written only when
     ``_is_hidden_value_permitted`` holds for the current user.

     Raises:
         ForbiddenError: the current user may not change the hidden flag.
     """
     # NOTE(review): assumes request.json is a mapping (JSON body present).
     requested = request.json.get('is_hidden_value')
     if requested is None:
         return
     new_flag = rest_utils.verify_and_convert_bool(
         'is_hidden_value', requested)
     # Only the secret's creator and admins may change the hidden flag
     # (enforced by _is_hidden_value_permitted).
     if not self._is_hidden_value_permitted(secret):
         raise ForbiddenError(
             'User `{0}` is not permitted to modify the secret `{1}` '
             'to be hidden value'.format(current_user.username, secret.key))
     secret.is_hidden_value = new_flag